Quantitative Model Checking Radu Grosu SUNY at Stony Brook Joint work with Scott A. Smolka

Model Checking ? Is system S a model of formula φ?

Model Checking S is a nondeterministic/concurrent system.  is a temporal logic formula. –in our case Linear Temporal Logic (LTL). Basic idea: intelligently explore S ’s state space in attempt to establish S |= .

recurrence diameter computation tree Monte Carlo: N( ,  ) independent samples Error margin  and confidence ratio  Monte Carlo Approach LTL

Linear Temporal Logic An LTL formula is made up of atomic propositions p, boolean connectives , ,  and temporal modalities X (neXt) and U (Until). Safety: “nothing bad ever happens” E.g. G(  (pc 1 =cs  pc 2 =cs)) where G is a derived modality (Globally). Liveness: “something good eventually happens” E.g. G( req  F serviced ) where F is a derived modality (Finally).

LTL Model Checking Every LTL formula  can be translated to a Büchi automaton B  whose language is the set of infinite words satisfying . Automata-theoretic approach: S |=  iff L ( B S )  L ( B  ) iff L ( B S  B  )   Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso).

Bernoulli Random Variable (coin flip) Value of Bernoulli RV Z: Z = 1 (success) & Z = 0 (failure) Probability mass function: p(1) = Pr[Z=1] = p z p(0) = Pr[Z=0] = 1- p z = q z Expectation: E[Z] = p z

Monte Carlo Approximation Problem: Compute the mean value μ Z of a random variable Z distributed in [0,1] when exact computation of μ Z proves intractable. with error margin  and confidence ratio . Solution: Compute an ( ,  ) -approximation of  Z :

Naive Solution Compute as the mean value of N independent random variables (samples) identically distributed according to Z : Compute N using the Zero-One estimation theorem: Problems: is unknown and can be large.

Stopping Rule Algorithm (SRA) Innovation: compute correct N without using Problem: is in most interesting cases too large. Theorem: E[N]  4 ln(  /  ) /  Z   ;

Optimal Approx Algorithm (OOA) Compute N using generalized Zero-One estimation: Apply sequential analysis (prediction/correction): 1. Compute assuming with SRA( ) 2. Compute  using and 3. Compute using to correctly estimate N. Expected number of samples is optimal to within a constant factor!

Monte Carlo Model Checking Sample Space: lassos in B S  B  Bernoulli random variable Z : –Outcome = 1 if rand. chosen lasso is not accepting –Outcome = 0 otherwise  Z = p Z = ∑ p i Z i (expect. of a nonaccepting lasso) where p i is lasso prob. (uniform random walk).

Lassos Probability Space L 1 = 11 L2 = 1244 L 3 = 1231 L4 = Pr[L 1 ]= ½ Pr[L 2 ]= ¼ Pr[L 3 ]= ⅛ Pr[L 4 ]= ⅛ q Z = L 1 + L 3 = 5  8 p Z = L 3 + L 4 = 3 

QMC Algorithm input: ,  and Büchi automaton B; output: s.t. (1) = OAA( , , RL(B)); return where RL(B) performs a uniform random walk through B (storing states encountered in hash table) to obtain a random sample (lasso).

Properties of QMC Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, if QMC returns then with probabiliy 1- δ, the confidence interval (CI) [1 / (1+ε), 1 / (1- ε) ] covers the unknown lasso probability  Z. Corollary: In decision mode (DM) the CI is [1 / (1+ε), 1 ].

Properties of QMC Theorem: Given a Büchi automaton B having diameter D, error margin ε, and confidence ratio δ, QMC runs in DM in time O(N∙D) and uses space O(D), where N = 4 ln(2 / δ) / ε. Cf. DDFS which runs in O(2 |S|+|φ| ) time for B = B S  B .

Implementation Implemented DDFS and QMC in jMocha model checker for synchronous systems specified using Reactive Modules. Performance and scalability of QMC compares very favorably to DDFS.

(Deadlock freedom) DPh: Symmetric Unfair Version

(Starvation freedom) DPh: Symmetric Unfair Version

DPh: Asymmetric Fair Version (Deadlock freedom) δ = ε = 1.8*10 -4 N = 1257

DPh: Asymmetric Fair Version (Starvation freedom) δ = ε = 1.8*10 -4 N = 1257

Related Work Heimdahl et al.’s Lurch debugger. Mihail & Papadimitriou (and others) use random walks to sample system state space. Herault et al. use bounded model checking to compute an (ε,δ)-approx. for “positive LTL”. Probabilistic Model Checking of Markov Chains: ETMCC, PRISM, PIOAtool, and others.

Conclusions QMC is first randomized, Monte Carlo algorithm for the classical problem of temporal-logic MC. Future Work: Use BDDs to improve run time. Also, take samples in parallel! Open Problem: Branching-Time Temporal Logic (e.g. CTL, modal mu-calculus).

Model Checking ? Is system S a model of formula φ?

Talk Outline 1.Model Checking 2.Randomized Algorithms 3.LTL Model Checking 4.Optimal Monte Carlo Estimation 5.Quantitative Model-Checking (QMC) 6.Implementation & Results 7.Conclusions & Open Problem

diameter computation tree Size of S’s state transition graph is O(2 |s| )! Model Checking’s Fly in the Ointment: State Explosion Symbolic MC (OBDDs) Symmetry Reduction Partial Order Reduction Abstraction Refinement Bounded Model Checking

Randomized Algorithms Huge impact on CS: (distributed) algorithms, complexity theory, cryptography, etc. Takes of next step algorithm may depend on random choice (coin flip). Benefits of randomization include simplicity, efficiency, and symmetry breaking.

Randomized Algorithms Monte Carlo: may produce incorrect result but with bounded error probability. –Example: Rabin’s primality testing algorithm Las Vegas: always gives correct result but running time is a random variable. –Example: Randomized Quick Sort

Emptiness Checking Checking non-emptiness is equivalent to finding an accepting cycle reachable from initial state (lasso). Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly! s1s1 s2s2 s3s3 sksk s k-2 s k-1 s k+1 s k+2 s k+3 snsn DFS 2 DFS 1

Random Lasso (RL) Algorithm