Possibilistic and probabilistic abstraction-based model checking Michael Huth Computing Imperial College London, United Kingdom

Outline of talk  need for abstraction  modal quantitative systems  possibilistic semantics  probabilistic semantics  specification of abstractions  conclusions.

Need for abstraction LTL model checking for finite-state Markov decision processes is [Courcoubetis & Yannakakis’95]  polymonial in model (which are big) and  doubly exponential in formula. Infinite-state models occur in practice.  Aggressive abstraction techniques required for model checking real-world designs.

Abstraction loci Abstract the computation of a model check M |= , by approximating  the model M to M*; e.g. simulations [Larsen & Skou’91]  the satisfaction relation |= to |=*, e.g compositional conjunction [Baier et al.’00]  the property  to  *, e.g. bounded model checking [Clarke et al.’01] Combinations possible: e.g. make a probabilistic M non-probabilistic [Vardi’85].

Soudness needed  Valid verfication certificates: positive abstract check M* |=*  *  M |=  holds as well.  Valid refutation certificates: nevative abstract check M* |=* ¬    M |= ¬  holds, too.  Range of  : full logic for sound mix of fairness & abstraction, safety & liveness, verification & refutation, etc. Such a framework is well developed for qualitative systems: three-valued model checking [Larsen & Thomsen’88, Bruns & Godefroid’99].

Research aims  transfer two-valued & three-valued model checking to quantitative systems;  let probabilistic systems be a special instance of such a transfer; and  use transferred results to re-assess existing work on abstraction of probabilistic systems.

Modal quantitative systems  modal nature of non-determinism: “There are delays on the Bakerloo Line.” != “There are no delays on the remaining lines.”  transitions (s,  ) have type  x [ F  P] - P partial order of quantities - F  -algebra on state set  - [ F  P] = maps  F  P such that A in A’   (A)  (A’)  atomic observables and preimage operator are in F.

Examples  “neural” systems - each s in  is a stimulus w s in [0,  -  (A) is weighted sum of stimuli w s  Markov decision processes - P = [0,1] - all  in transitions are probability measures - complete: non-determinism fully specified  Choquet’s capacities, pCTL*, and weak bisimulation [Desharnais et al.’02].

Concrete and abstract model p pq q    s0s0 s3s3 s1s1 s2s /3.5 t 0 = { s 0, s 1, s 3 } p? q?  2/3 1/3 QQ QQ QQ QQ t 1 = { s 2 } 2/3 1/ /3 2/3.5 p  (p = tt) is valid p?  (p = tt) is satisfiable  Q  is special

Measurable navigation  a relation Q :  1   2 has measurable navigation: for all A in F 1 and B in F 2 A.Q in F 2 and Q.B in F 1  non-trivial property  basis for relational abstraction/refinement  works for finite quotients with measurable equivalence classes.

Lifting relations to measures For Q :    with measurable navigation, define Q ps : [ F  P]  [ F  P] by (  in Q ps iff for all A, B in F  (A)   (A.Q) and  (B)  (Q.B)  … a generalization of probabilistic (bi)simulation [Larsen & Skou’91].

Abstraction & refinement A relation Q :    with measurable navigation is a possibilistic refinement if (s,t) in Q implies  (t  in R a   (s  in R a such that  ) in Q ps  (s  in R c   (t  in R c such that  ) in Q ps R a = guaranteed transitions (e.g.  Q above), R c = possible transitions. //modal non-determinism

Possibilistic semantics Quantitative logic:   ::= tt | p | Z |  Z.  | ¬  |  &  | EX >r   assertion checks s|= a   consistency checks s|= c   usual semantics, except for - s|= a ¬  iff not s|= c  - s|= c ¬  iff not s|= a  ; and - s|= l EX >r  iff   (s  in R l :  ({t | t|= l  }) > r where l in {a, c}.

Soundness We prove { s in  | s|= l  } in F for l in {a, c} and  and use it to show: “Q possibilistic refinement with (s,t) in Q, then 1. t|= a   s|= a  2. s|= c   t|= c  // needed to prove 1. for all .”

Probabilistic semantics  probability measures for transitions   Z.  restricted to probabilistic EU  same semantics except for EU  possibilistic semantics “approximates” probabilistic one  sound probabilistic refinement: Q  Q pr [Larsen & Skou’91]  Q pr = Q ps for finite-state Markov decision processes.

Specification of abstraction  = state set of un-abstracted model,  = finite target state set of abstract model: 1.specify left/right-total relation Q :   A; 2.determines an abstract model over A with discrete  algebra … 3.… which makes Q into a refinement.

Understanding the lift  in [ F  P]   Q (B) =  (B.Q) well defined   Q ) in Q ps 3.(  in Q ps     Q 4. converse of 3. holds if Q is graph of a function  finite state set of Markov decision process  Q ps = Q pr & same abstractions … 4. holds if A is a finite set of measurable equivalence classes, e.g. predicate abstraction w.r.t. finitely many measurable predicates.

Example re-visited p pq q    s0s0 s3s3 s1s1 s2s /3.5 t 0 = { s 0, s 1, s 3 } |= a ¬EX >3/4 ¬EX >3/10 ¬p p? q?  2/3 1/3 QQ QQ QQ QQ t 1 = { s 2 } 2/3 1/ /3 2/3.5 Abstraction along the predicate ¬(¬p & ¬q) only  Q  in R a

Conclusions  transferred three-valued model checking to quantitative systems;  showed that probabilistic systems and Larsen & Skou simulations are a special instance of such a transfer;  re-assessed existing work on abstraction of probabilistic systems in this context; and  showed that this approach works for an important class of finite-state abstractions.