29
Counterexamples for Timed Probabilistic Reachability Husain Aljazzar Software Engineering University of Constance

Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

  • Upload
    others

  • View
    5

  • Download
    0

Embed Size (px)

Citation preview

Page 1: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

Counterexamples for Timed Probabilistic Reachability

Husain AljazzarSoftware Engineering

University of Constance

Page 2: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

2

Joint work with

Holger Hermanns, Saarland UniversityStefan Leue, University of Constance

Page 3: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

3

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 4: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

4

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 5: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

5

Stochastic Models Stochastic models, e.g. DTMCs and CTMCs: modeling and analysis of system performance and dependability.

communication protocols, embedded systems, etc…

A DTMC is a quadruple (S, s0, P, L), where S is a finite set of states, ands0 ∈ S is an initial stateP : S × S → R is the transition probability matrix, L : S → 2AP is labeling function.

Page 6: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

6

Stochastic Models

A CTMC is a quintuple (S, s0, P, L, E), where (S, s0, P, L) is a DTMCE: S → R is a function assigning each state an exit rateExit times are exponentially distributed

E.g. E := {(s0, 3), (s1, 0), (s2, 5)} 3 5

0

Page 7: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

7

Runs and PathsIn a DTMC, we call a finite/infinite sequence of states finite/infinite RUN

In a CTMC, a finite/infinite PATH is a timed variant of a run in the underlying DTMC.

Infinite branching tree due to varying transition time durations of transitions.

Page 8: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

8

Analysis of Stochastic ModelsVarious model checking approaches for stochastic models have been presented. Our point of reference: CSL model checking

Baier, C., Haverkort, B., Hermanns, H., Katoen, J.P.“Model-Checking Algorithms for Continuous-Time Markov chains”

IEEE Transitions on Software Engineering 29, 2003Continuous Stochastic Logic (CSL): CSL model checking algorithms: efficient, approximate, numerical

Common weakness: Inability to give detailed debugging information (Counterexamples).

Problematic for debugging

Approach: Use explicit state space algorithms to select offending system runs (counterexamples).

Page 9: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

9

Timed Probabilistic Reachability Analysis

Timed Reachability Property: The probability to reach a state s violating a state proposition ϑ, i.e., satisfying ϕ := ¬ ϑ, within a given time period t does not exceed a probability bound p.

Specification using Continuous Stochastic Logic (CSL)

P<p : Transient probability does not exceed p.♦· t : Timed reachability within [0, t]

Page 10: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

10

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 11: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

11

What is a Counterexample?(of Timed Probabilistic Reachability)

In non-stochastic models: a counterexample is an offending run.In stochastic models:

DTMC: All offending runsCTMC: The infinite cylinder setcontaining all paths that reach an error state within the time period t.

A single path of the cylinder set?Runs in the underlying DTMC

A counterexample is an offending run in the (underlying) DTMC.

Page 12: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

12

(Directed) Explicit-State Model Checking (D)ESMC

ESMC (DFS)

ESMC (BFS) and DESMC (A*) with path-length as optimizing criterion search we want this!

A mass to measure the quality of runs is required.

Page 13: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

13

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 14: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

14

Timed Run ProbabilityLet r = s0 → s1 → s2 → … → sn be a run. The timed run probability of r in the time period t.

Computation: In CT-case:

In DT-case:

s0 sn

Execution time · t

r =

Page 15: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

15

UniformizationUsing the uniformization we turn a CTMC A into a DTMCA´ for which we can efficiently compute the timed run probability γ´.

A´ is embedded into a Poisson process which describes the probability that a particular discrete number of events koccurs within a real time period t.

Page 16: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

16

Approximation for the Timed Run Probability in CTMC

We denote the expected value of the Poisson process after time period t as N.

We assume that the derived DTMC A´ makes N hops within the time period t.

γ(r, t) (in A) is approximated by γ´(r, N) (in A´), which is much easier to compute.

Our search algorithms use γ´(r, N) as a quality measure for runs of the CTMC (optimizing criterion).

Page 17: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

17

Intriguing Example

r2

r1

2

2 0

20 20 0

Page 18: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

18

Quality of Uniformization Approximation

r2

r1 2

220 20 0

0

Note: the run with optimal timed run probabilitychanges with the time bound t!

Time bound smaller than t r1 is optimalTime bound larger than t

r2 is optimal

Page 19: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

19

ESMC and DESMC for Stochastic Models

Now we are able toexplore CTMCs (and DTMCs) using optimizing algorithms, and select counterexamples which are approximating the optimal timed run probability values.

Search AlgorithmsDijkstra (undirected, ESMC)Directed search algorithms (DESMC)

Z* and Greedy Best First Search (GBestFS)Directed search algorithms use knowledge about

the state space or/and the specification of the goal state

A heuristic function h is used in the state evaluation.Advantages of DESMC: Improving the performance

Memory consumptionRuntime

Page 20: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

20

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 21: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

21

Case-Study: SCSI-2-Protocol

In our experiments: One ControllerOne main disk (frequently used)Two backup disks (rarely used)

LOTOS model Interactive Markov chain (IMC) CTMC

Page 22: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

22

SCSI-2-Protocol: A Timed Reachability Property

Main disk overload (MDOL): The main disk is overloaded while the backup disks are not accessed.Timed Reachability Property: The probability to reach a MDOL state within the time period t does not exceed 30%.

A heuristic function based on the status of the disk queues.

Page 23: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

23

SCSI-2-Protocol: Counterexample

The counterexample delivered by Z*

Page 24: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

24

SCSI-Protocol: Experimental ResultsFor each time bound from 1 to 10:

Probability to violate the propertyTimed run probability for the counterexamples delivered by the search algorithms.

0

0.05

0.1

0.15

0.2

0.25

0.3

0.35

1 2 3 4 5 6 7 8 9 10

Time bound

Prob

abili

ty

Model DFS BFS Dijkstra GBestFS Z*

Page 25: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

25

SCSI-Protocol: Experimental ResultsMemory consumption

The behavior of DFS and BFS is unacceptable. Dijkstra is OK but not excellentZ* and GBestFS bring significant improvementGBestFS has the best behavior.

Similar results for runtime

Page 26: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

26

Overview

Introduction(Directed) Explicit-State Model Checking (D)ESMC for Timed Probabilistic ReachabilityProbabilistic Quality Measure for (D)ESMCCase Study and Experimental ResultsConclusion & Future Work

Page 27: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

27

ConclusionCounterexamples

defined counterexamples for CTMCs, including their probability mass: timed run probabilitiesapproximate the computationally expensive timed run probabilities through uniformisation

Directed CTMC Explorationuse approximative timed run probability in determining generating path costscombine with domain specific information to compute admissible heuristic estimates (admissible in the approximated model)

Experimental Evaluation (SCSI-2)using approximated timed run probabilities allows Dijkstra and heuristic search algorithms to find meaningful counterexamplesheuristics guided search is computationally superior to uninformed search

Page 28: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

28

Future WorkThreats to Valitidy

more experimental dataconvergence to PRISM tool environment, more models availableuse randomly generated models

Underapproximation of Timed Probabilistic Reachabilityfind tree of offending system runs so that combined probability mass exceeds probability boundpotentially computationally much more efficient than precise solution of problem

Application to Other Stochastic ModelsContinuous Time Markov Decision Processes

contain non-determinism

Page 29: Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

29

Thanks for your attention!