Presentation is loading. Please wait.

Presentation is loading. Please wait.

From Boolean to Quantitative System Specifications Tom Henzinger EPFL.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "From Boolean to Quantitative System Specifications Tom Henzinger EPFL."— Presentation transcript:

1 From Boolean to Quantitative System Specifications Tom Henzinger EPFL

2 Outline 1The Quantitative Agenda 2Some Basic Open Problems 3Some Promising Directions

3 The Boolean Agenda Property/ Specification Yes/No Analysis Program/ System

4 The Boolean Agenda Property/ Specification Yes/No -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Analysis Program/ System

5 The Boolean Agenda Satisfaction Relation Property/ Specification Yes/No -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Structure Formula Program/ System

6 The Boolean Agenda Program/ System Property/ Specification Yes/No -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Analysis Every request is followed by a grant. Transition system.

7 The Boolean Agenda Quantitative Program/ System Quantitative Property/ Specification Yes/No -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Analysis Every request is followed by a grant within 5 time units. Timed automaton.

8 The Boolean Agenda Quantitative Program/ System Quantitative Property/ Specification Yes/No -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Analysis Every request is followed by a grant within probability 1/2. Markov process.

9 The Boolean Agenda Quantitative Program/ System Quantitative Property/ Specification B -perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix Analysis Every request is followed by a grant within probability 1/2. Markov process.

10 The Quantitative Agenda Quantitative Program/ System Quantitative Property/ Specification R -measure of “fit” between system and spec -could be cost, quality, etc. Analysis

11 The Quantitative Agenda Quantitative Program/ System Quantitative Property/ Specification R -measure of “fit” between system and spec -could be cost, quality, etc. Analysis Every request is followed by a grant. The less time between requests and grants, the better.

12 The Quantitative Agenda Quantitative Program/ System Quantitative Property/ Specification R -measure of “fit” between system and spec -could be cost, quality, etc. Analysis Every request is followed by a grant. The fewer unnecessary grants, the better.

13 The Quantitative Agenda Q1Assigning values to behaviors Boolean case: correct vs. incorrect behaviors Q2Assigning values to systems/properties Boolean case: sets of behaviors (nondeterminism) Q3Assigning values to pairs of systems Boolean case: preorders on systems

14 Q1 Assigning Values To Behaviors a. Probabilities b.Resource use -worst case vs. average case (e.g. response time, QoS) -peak vs. accumulative (e.g. power consumption) c.Quality measures -discounting vs. long-run averaging (e.g. reliability)

15 Q1 Assigning Values To Behaviors a: ok b: fail Discounted value (0 < d < 1): aaaaaaaaaa...1 aaaaaaab... 1 - d 8 aab...1 - d 3 b... 0 Long-run average value: aaaaaaaaaa...1 aaabaaabaaab...1 – ¼ abaabaaab...1 babbabbba...0

16 Q2, Q3 Assigning Values To Systems x: behaviors w: observations A,B: systems A(w) = sup x { val(x) : obs(x) = w } B(w) = exp x { val(x) : obs(x) = w }

17 Q2, Q3 Assigning Values To Systems x: behaviors w: observations A,B: systems A(w) = sup x { val(x) : obs(x) = w } B(w) = exp x { val(x) : obs(x) = w } diff(A,B) = sup w { |A(w) – B(w)| } ? Compositionality: diff(A||B,A’||B) · f(diff(A,A’)) [AFHMS].

18 Is there a Quantitative Framework with -an appealing mathematical formulation, -useful expressive power, and -good algorithmic properties? (Like the boolean theory of  -regularity.)

19 Outline 1The Quantitative Agenda 2Some Basic Open Problems 3Some Promising Directions

20 Alphabet:   = {a,b,c} Language:L µ   L = (a + b) + (a  [c   [ (a + b)  abaabaaabccccc... 2 L abcabc...  L Property = Language

21 Alphabet:   = {a,b,c} Language:L µ   L = (a + b) + (a  [c   [ (a + b)  abaabaaabccccc... 2 L abcabc...  L L:   ! B Boolean Language

22 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    Q transition function Specification = Automaton acb 0 1 0 1 0,1  = {0,1} A:

23 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    Q transition function Specification = Automaton acb 0 1 0 1 0,1  = {0,1} L(A) = (a + b) + (a  [c   [ (a + b)  A:

24 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    Q transition function Specification = Automaton acb 0 1 0 1 0,1 0101111... ! aababccc... A: “scheduler” “outcome”

25 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    Q transition function Specification = Automaton Scheduler: x: Q + !  S... set of schedulers Outcome: f(x) = q 0 q 1 q 2... where 8 i : q i+1 =  (q i, x(q 0...q i )) Language: L = { (f(x)) : x 2 S }

26 Satisfaction = Language Inclusion Given two automata A and B, is L(A) µ L(B)? i.e. 8 w 2   : L(A)(w) · L(B)(w)

27 Satisfaction = Language Inclusion Given two automata A and B, is L(A) µ L(B)? i.e. 8 w 2   : L(A)(w) · L(B)(w) For finite automata, PSPACE-complete.

28 Word:element of   Probabilistic Word:probability space on   Probabilistic Language:set of probabilistic words Probabilistic Language w: ab   ! 1/2 aab   ! 1/4 aaab   ! 1/8...

29 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    D(Q) transition function Markov Decision Process acb 0: 0.5 0: 0.5 1: 1 0: 0.5 0,1 A: 0: 0.5 1: 1

30 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    D(Q) transition function Markov Decision Process acb 0: 0.5 0: 0.5 1: 1 0: 0.5 0,1 A: 0: 0.5 1: 1 0101111... ! abccc... ! 1/2 aabccc... ! 1/4...

31 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    D(Q) transition function Markov Decision Process Pure scheduler:x: Q + !  Probabilistic scheduler:x: Q + ! D(  )

32 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    D(Q) transition function Markov Decision Process acb 0: 0.5 0: 0.5 1: 1 0: 0.5 0,1 A: 0: 0.5 1: 1 {0: 0.5, 1: 0.5}  ! abccc... ! 9/16 aabccc... ! 9/64...

33 Probabilistic Language Inclusion Given two MDPs A and B, is L(A) µ L(B)?

34 Probabilistic Language Inclusion Given two MDPs A and B, is L(A) µ L(B)? ?

35 Probabilistic Language Inclusion Given two MDPs A and B, is L(A) µ L(B)? ? Open even if specification B is deterministic (i.e. |  | = 1) and implementation scheduler required to be pure. If both sides are deterministic, then it can be solved in polynomial time (equivalence of Rabin’s probabilistic automata) [Tzeng, DHR].

36 Language:L:   ! B Quantitative Language:L:   ! R Quantitative Language L(ab  ) = 1/2 L(aab  ) = 1/4 L(aaab  ) = 1/8...

37 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    R £ Q transition function Weighted Automaton acb 0; 4 1; 2 0; 0 0,1; 0 A: 1; 1

38 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    R £ Q transition function Weighted Automaton acb 0; 4 1; 2 0; 0 0,1; 0 A: 1; 1 0101111... ! aababccc...; 4 1111111... ! abccc...; 2 Max value:

39 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    R £ Q transition function Weighted Automaton Outcome: f(x) = q 0 v 1 q 1 v 2 q 2... where 8 i : (v i+1,q i+1 ) =  (q i, x(q 0...q i )) Max value: val(q 0 v 1 q 1 v 2 q 2...) = sup{ v i : i ¸ 1 }

40 Q states : Q !  labeling q 0 2 Qinitial state  choices  : Q    R £ Q transition function Weighted Automaton Outcome: f(x) = q 0 v 1 q 1 v 2 q 2... where 8 i : (v i+1,q i+1 ) =  (q i, x(q 0...q i )) Max value: val(q 0 v 1 q 1 v 2 q 2...) = sup{ v i : i ¸ 1 } q-Language: L(w) = sup{ val(f(x)) : x 2 S s.t. (f(x)) = w }

41 Different Value Functions Max value: val(q 0 v 1 q 1 v 2 q 2...) = sup{ v i : i ¸ 1 } (only 0 and 1 costs: finite automaton) Limsup value: val = lim n!1 sup{ v i : i ¸ n } (only 0 and 1 costs: Buechi automaton)

42 Different Value Functions Max value: val(q 0 v 1 q 1 v 2 q 2...) = sup{ v i : i ¸ 1 } (only 0 and 1 costs: finite automaton) Limsup value: val = lim n!1 sup{ v i : i ¸ n } (only 0 and 1 costs: Buechi automaton) Limavg value: val = lim n!1 1/n ¢  1·i·n v i

43 Different Value Functions Max value: val(q 0 v 1 q 1 v 2 q 2...) = sup{ v i : i ¸ 1 } (only 0 and 1 costs: finite automaton) Limsup value: val = lim n!1 sup{ v i : i ¸ n } (only 0 and 1 costs: Buechi automaton) Limavg value: val = lim n!1 1/n ¢  1·i·n v i Discounted: val =  i¸ 1 d i ¢ v i for some 0<d<1

44 Weighted Automaton acb 0; 4 1; 2 0; 0 0,1; 0 A: 1; 1 01010101... ! aabababab...; 2 11111111... ! abccc...; 0 Limsup value: 01010101... ! aabababab...; 1 11111111... ! abccc...; 0 Limavg value: 01010101... ! aabababab...; 2.66... 11111111... ! abccc...; 1.25 Discounted: (d = 0.5)

45 Quantitative Language Inclusion Given two weighted automata A and B, is 8 w 2   : L(A)(w) · L(B)(w) ?

46 Quantitative Language Inclusion Given two weighted automata A and B, is 8 w 2   : L(A)(w) · L(B)(w) ? For max and limsup values: PSPACE. For limavg and discounted values: Open.

47 Quantitative Language Inclusion Given two weighted automata A and B, is 8 w 2   : L(A)(w) · L(B)(w) ? For max and limsup values: PSPACE. For limavg and discounted values: Open. If specification B is deterministic, then it can be solved in polynomial time [CDH].

48 Quantitative Simulation a 1 b 1 1 1 b 2 a 2 0 0 b 0 a 0 2 2 a 2 0 · A not simulated by B. Simulation game solvable in P for max, and in NP Å coNP for limsup, limavg, discounted [CDH]. A: B:

49 Quantitative Emptiness and Universality Emptiness: Given a weighted automaton A, is L(A)(w) ¸ 1 for some word w 2   ? In P for max, limsup, limavg, and discounted automata. Solvable by finding a path with maximal value [CDH].

50 Quantitative Emptiness and Universality Emptiness: Given a weighted automaton A, is L(A)(w) ¸ 1 for some word w 2   ? In P for max, limsup, limavg, and discounted automata. Solvable by finding a path with maximal value [CDH]. Universality: Given a weighted automaton A, is L(A)(w) ¸ 1 for all words w 2   ? As hard as language inclusion.

51 Quantitative Expressiveness [CDH CSL08, LICS09]

52 Quantitative Expressiveness ba,b 0 1 E.g. limavg automata not determinizable:  * b  expressible by a nondeterministic limavg automaton.  *b  not expressible by a deterministic limavg automaton. Every b-cycle would need weight 1. Consider w n = (ab n ) . Then val(w n )=1 for sufficiently large n, but w n  * b .

53 Quantitative Closure Properties

54 a 0 b 0 1 1 a 1 b 1 0 0 E.g. limavg automata not closed under min: min(L 1,L 2 ) not expressible by a limavg automaton. Consider w n = (a n b n )  for large n. Some a-cycle or b-cycle would need average positive weight. Then some word ua  or ub  would have a positive value. L1:L1: L2:L2:

55 Outline 1The Quantitative Agenda 2Some Basic Open Problems 3Some Promising Directions

56 The Boolean Agenda Specification Yes/No Analysis System

57 The Boolean Agenda Specification Correct System Synthesis

58 The Boolean Agenda  Regular Automaton Correct System = Winning Strategy Graph Game with  Regular Objective

59 3.1 Quantitative Synthesis Optimal System Synthesis Quantitative Specification

60 3.1 Quantitative Synthesis Optimal System = Optimal Strategy Weighted Automaton Graph Game with Quantitative Objective

61 3.1 Quantitative Synthesis Graph Game with Quantitative Objective Weighted Automaton Optimal System = Optimal Strategy -positional vs. finite-memory vs. unrestricted strategies -optimal vs.  -optimal strategies

62 Games for Quantitative Synthesis 1Constrained Resources -every weight is a resource cost (e.g. power consumption) -optimize peak resource use: max objective -optimize accumulative resource use: sum objective [Chakrabarti et al.]

63 Games for Quantitative Synthesis 1Constrained Resources 2Preference between Different Implementations -boolean spec, but certain implementations preferred -formalized using lexicographic objectives [Jobstmann et al.] h f, g 1,... g n i boolean objective quantitative objectives

64 Request-Grant Limavg Automaton 1 r g 1 1 1 1 Following a request, all steps until the next grant are penalized.

65 Request-Grant Limavg Automaton 2 r g 1 1 Following a request, all repeated grants are penalized.

66 3.2 Robust Systems 1 Robustness as Mathematical Continuity: -small input changes should cause small output changes -only possible in a quantitative framework 8  >0. 9  >0. input-change ·  ) output-change · 

67 In general programs are not continuous. But they can less continuous: read sensor value x; if x · c then y = f1(x) else y = f2(x); f1 f2 c

68 In general programs are not continuous. But they can less continuous: read sensor value x; if x · c then y = f1(x) else y = f2(x); Or more continuous: if x · c -  then y = f1(x); if x ¸ c +  then y = f2(x) else y = (f2(c+  )-f1(c-  ))(x-c+  )/2  + f1(c-  ); [Majumdar et at., Gulwani et al.] f1 f2 c

69 3.2 Robust Systems 1 Robustness as Mathematical Continuity: -small input changes should cause small output changes -only possible in a quantitative framework 8  >0. 9  >0. input-change ·  ) output-change ·  Example of a Robustness Theorem [AHM]: If discountedBisimilarity(A,B) > 1 - , then 8w : |A(w) – B(w)| < f(  ).

70 3.2 Robust Systems 1 Robustness as Mathematical Continuity: -small input changes should cause small output changes -only possible in a quantitative framework 2Robustness w.r.t. Faulty Assumptions: -environment may violate assumptions -few environment mistakes should cause few system mistakes -ratio of system to environment mistakes as quantitative quality measure [Greimel et al.]

71 3.3 Resource Interfaces -Component interfaces expose resource requirements (e.g. time, memory, power). -Interfaces are compatible if their combined requirements do not exceed the available resources. -If the requirements are dynamic, then compatibility can be solved as a graph game with quantitative objectives. [Chakrabarti et al.]

72 2 99 5 9 5 1519 59 A B C D E F G H node limit = 20 Max Constraint minimizer maximizer

73 2 99 5 9 5 1519 59 A B C D E F G H node limit = 20 Max Constraint minimizer maximizer

74 -10 99 5 9 -9 1519 59 A B C D E F G H path limit = 10 Sum Constraint minimizer maximizer

75 -10 99 5 9 -9 1519 59 A B C D E F G H path limit = 10 Sum Constraint minimizer maximizer

76 3.4 System Reliability -assuming x% of periodic input values are valid, y% of periodic output values should be valid -hardware faulty, but can be replicated -compiler ensures specified reliability through replication [Ghosal et al.]

77 3.4 System Reliability a: ok b: fail Limit-average value: aaaaaaaaaa...1 aaabaaabaaab...3/4 ababbabbb...0 Want reliabitity of 1 – 10 -x.

78 Conclusions -“Quantitative” is more than “timed” and “probabilistic.” -We need to move from boolean correctness criteria to quantitative system preference metrics. -We have interesting point solutions, but no convincing overall framework.

Download ppt "From Boolean to Quantitative System Specifications Tom Henzinger EPFL."

Similar presentations

From Graph Models to Game Models Tom Henzinger EPFL.

From Graph Models to Game Models Tom Henzinger EPFL.
Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)

Black Box Checking Book: Chapter 9 Model Checking Finite state description of a system B. LTL formula. Translate into an automaton P. Check whether L(B)
CSE 311 Foundations of Computing I

CSE 311 Foundations of Computing I
CSC 361NFA vs. DFA1. CSC 361NFA vs. DFA2 NFAs vs. DFAs NFAs can be constructed from DFAs using transitions: Called NFA- Suppose M 1 accepts L 1, M 2 accepts.

CSC 361NFA vs. DFA1. CSC 361NFA vs. DFA2 NFAs vs. DFAs NFAs can be constructed from DFAs using transitions: Called NFA- Suppose M 1 accepts L 1, M 2 accepts.
Lecture 24 MAS 714 Hartmut Klauck

Lecture 24 MAS 714 Hartmut Klauck
Interactive Configuration

Interactive Configuration
8/25/2009 Sofya Raskhodnikova Intro to Theory of Computation L ECTURE 1 Theory of Computation Course information Overview of the area Finite Automata Sofya.

8/25/2009 Sofya Raskhodnikova Intro to Theory of Computation L ECTURE 1 Theory of Computation Course information Overview of the area Finite Automata Sofya.
1 CD5560 FABER Formal Languages, Automata and Models of Computation Lecture 2 Mälardalen University 2005.

1 CD5560 FABER Formal Languages, Automata and Models of Computation Lecture 2 Mälardalen University 2005.
1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.

1 1 CDT314 FABER Formal Languages, Automata and Models of Computation Lecture 3 School of Innovation, Design and Engineering Mälardalen University 2012.
Energy and Mean-Payoff Parity Markov Decision Processes Laurent Doyen LSV, ENS Cachan & CNRS Krishnendu Chatterjee IST Austria MFCS 2011.

Energy and Mean-Payoff Parity Markov Decision Processes Laurent Doyen LSV, ENS Cachan & CNRS Krishnendu Chatterjee IST Austria MFCS 2011.
1 NP-Complete Problems. 2 We discuss some hard problems:  how hard? (computational complexity)  what makes them hard?  any solutions? Definitions 

1 NP-Complete Problems. 2 We discuss some hard problems:  how hard? (computational complexity)  what makes them hard?  any solutions? Definitions 
- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Hardware/Software Codesign.

- 1 -  P. Marwedel, Univ. Dortmund, Informatik 12, 05/06 Universität Dortmund Hardware/Software Codesign.
An Introduction to Markov Decision Processes Sarah Hickmott

An Introduction to Markov Decision Processes Sarah Hickmott
Discounting the Future in Systems Theory Chess Review May 11, 2005 Berkeley, CA Luca de Alfaro, UC Santa Cruz Tom Henzinger, UC Berkeley Rupak Majumdar,

Discounting the Future in Systems Theory Chess Review May 11, 2005 Berkeley, CA Luca de Alfaro, UC Santa Cruz Tom Henzinger, UC Berkeley Rupak Majumdar,
02/01/11CMPUT 671 Lecture 11 CMPUT 671 Hard Problems Winter 2002 Joseph Culberson Home Page.

02/01/11CMPUT 671 Lecture 11 CMPUT 671 Hard Problems Winter 2002 Joseph Culberson Home Page.
Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.

Complexity 15-1 Complexity Andrei Bulatov Hierarchy Theorem.
Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.

Convertibility Verification and Converter Synthesis: Two Faces of the Same Coin Jie-Hong Jiang EE249 Discussion 11/21/2002 Passerone et al., ICCAD ’ 02.
61 Nondeterminism and Nodeterministic Automata. 62 The computational machine models that we learned in the class are deterministic in the sense that the.

61 Nondeterminism and Nodeterministic Automata. 62 The computational machine models that we learned in the class are deterministic in the sense that the.
Games, Times, and Probabilities: Value Iteration in Verification and Control Krishnendu Chatterjee Tom Henzinger.

Games, Times, and Probabilities: Value Iteration in Verification and Control Krishnendu Chatterjee Tom Henzinger.
Models and Theory of Computation (MTC) EPFL Dirk Beyer, Jasmin Fisher, Nir Piterman Simon Kramer: Logic for cryptography Marc Schaub: Models for biological.

Models and Theory of Computation (MTC) EPFL Dirk Beyer, Jasmin Fisher, Nir Piterman Simon Kramer: Logic for cryptography Marc Schaub: Models for biological.

Similar presentations

Ads by Google