PRTS: An Approach for Model Checking Probabilistic Real ...pat/IWESSS12/iwesss2012 prts.pdf · features like real-time, hierarchy, concurrency, data structures as well as probability

MotivationLanguage Syntax of PRTS

Operational SemanticsVerificationEvaluation

Conclusion

PRTS: An Approach for Model CheckingProbabilistic Real-time Hierarchical Systems

Songzheng Song

Software Engineering Lab, NUS

IWESSS 2012February 23, 2012

Songzheng Song, IWESSS 2012 PRTS@PAT http://www.patroot.com



Conclusion

Outline

1 Motivation

2 Language Syntax of PRTS

3 Operational SemanticsConcrete ConfigurationsAbstraction

4 Verification

5 EvaluationMulti-lift SystemBenchmark Systems Compared with PRISM

6 Conclusion




Conclusion

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion

Motivation

Model checking real-life systems is usually difficult.

quantitative timing factorsunreliable/random environmentcomplex data operationshierarchical control flows




Conclusion

Motivation

Model checking real-life systems is usually difficult.

quantitative timing factorsunreliable/random environmentcomplex data operationshierarchical control flows




Conclusion

Multi-lift System

Serving time/responding timeRandom user behaviorsTask assign algorithmlifts/users/buttons...




Conclusion

Multi-lift System

Scenario : one user presses the lift button, but one lift travelingon the same direction passes by without serving him/her!




Conclusion

Existing Approach

Probabilistic Timed Automata (PTA) is widely used to specifysystems having stochastic and real-time characteristics.

1 PTA models often have a simple structure, e.g. a networkof automata without hierarchy;

2 Verifying PTA models is not very efficient.




Conclusion

Existing Approach

Probabilistic Timed Automata (PTA) is widely used to specifysystems having stochastic and real-time characteristics.

1 PTA models often have a simple structure, e.g. a networkof automata without hierarchy;

2 Verifying PTA models is not very efficient.




Conclusion

Our Approach

1 Design an expressive modeling language supportingfeatures like real-time, hierarchy, concurrency, datastructures as well as probability.

2 Build a model checker for this language in order to analyzethe behavior of such systems.

3 Verify widely used properties such as reachability checkingand LTL checking.

We propose PRTS for probabilistic real-time systems and it hasbeen integrated into our framework PAT.

http://www.patroot.com




Conclusion

Our Approach

1 Design an expressive modeling language supportingfeatures like real-time, hierarchy, concurrency, datastructures as well as probability.

2 Build a model checker for this language in order to analyzethe behavior of such systems.

3 Verify widely used properties such as reachability checkingand LTL checking.

We propose PRTS for probabilistic real-time systems and it hasbeen integrated into our framework PAT.

http://www.patroot.com




Conclusion

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion

Based on C. A. R. Hoare’s CSP

P = Stop – in-action| Skip – termination| e→ P – event prefixing| a{program} → P – data operation prefixing| [b]P – guard condition| if (b) {P} else {Q} – conditional choice| P 2 Q – external choice| P u Q – internal choice| P \ X – hiding| P; Q – sequential composition| P ‖ Q – parallel composition| Q – process referencing




Conclusion


P = Wait [d ] – delay| P timeout [d ] Q – timeout| P interrupt [d ] Q – timed interrupt| P within[d ] – timed responsiveness| P deadline[d ] – deadline

d is a non-negative integer.

P = pcase{pr0 : P0; pr1 : P1; · · · ; prk : Pk}

pri is defined as a positive integer. It means with probabilitypri

pr0+pr1+···+prk, P behaves as Pi .




Conclusion


P = Wait [d ] – delay| P timeout [d ] Q – timeout| P interrupt [d ] Q – timed interrupt| P within[d ] – timed responsiveness| P deadline[d ] – deadline

d is a non-negative integer.

P = pcase{pr0 : P0; pr1 : P1; · · · ; prk : Pk}

pri is defined as a positive integer. It means with probabilitypri

pr0+pr1+···+prk, P behaves as Pi .




Conclusion

Multi-lift System

1. #define NoOfFloors 2;2. #define NoOfLifts 2;3. #import "PAT.Lib.Lift";4. var<LiftControl> ctrl = new LiftControl(NoOfFloors,NoOfLifts);5. Users() = pcase {6. 1 : extreq.0.1{ctrl.Assign_External_Up_Request(0)} -> Skip7. 1 : intreq.0.0.1{ctrl.Add_Internal_Request(0,0)} -> Skip8. 1 : intreq.1.0.1{ctrl.Add_Internal_Request(1,0)} -> Skip9. 1 : extreq.1.0{ctrl.Assign_External_Down_Request(1)} -> Skip10. 1 : intreq.0.1.1{ctrl.Add_Internal_Request(0,1)} -> Skip11. 1 : intreq.1.1.1{ctrl.Add_Internal_Request(1,1)} -> Skip12. } within[1]; Users();13. Lift(i, level, direction) = ...;14. System = (||| x:{0..NoOfLifts-1} @ Lift(x, 0, 1)) ||| Users();

Property: what is the probability that a lift passes by?




Conclusion

Multi-lift System

1. #define NoOfFloors 2;2. #define NoOfLifts 2;3. #import "PAT.Lib.Lift";4. var<LiftControl> ctrl = new LiftControl(NoOfFloors,NoOfLifts);5. Users() = pcase {6. 1 : extreq.0.1{ctrl.Assign_External_Up_Request(0)} -> Skip7. 1 : intreq.0.0.1{ctrl.Add_Internal_Request(0,0)} -> Skip8. 1 : intreq.1.0.1{ctrl.Add_Internal_Request(1,0)} -> Skip9. 1 : extreq.1.0{ctrl.Assign_External_Down_Request(1)} -> Skip10. 1 : intreq.0.1.1{ctrl.Add_Internal_Request(0,1)} -> Skip11. 1 : intreq.1.1.1{ctrl.Add_Internal_Request(1,1)} -> Skip12. } within[1]; Users();13. Lift(i, level, direction) = ...;14. System = (||| x:{0..NoOfLifts-1} @ Lift(x, 0, 1)) ||| Users();

Property: what is the probability that a lift passes by?




Conclusion

Concrete ConfigurationsAbstraction

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion


Definition (Markov Decision Process)

An MDP is a tuple D = (S, init ,Act ,Pr) whereS is a set of states;init ∈ S is the initial state;Act is a set of actions and Actτ is Act ∪ τ ;Pr : S × (Actτ ∪ R+)× Distr(S) is a transition relation.

A Markov Chain can be defined given an MDP D and ascheduler δ, which is denoted as Dδ.

A path of Dδ is defined as ω = s0x0→ s1

x1→ s2x2→ ...




Conclusion






x1→ s2x2→ ...




Conclusion






x1→ s2x2→ ...




Conclusion


Given a property φ:

PmaxD (φ) = supδ PD({π ∈ paths(Dδ) | π satisfies φ})

PminD (φ) = infδ PD({π ∈ paths(Dδ) | π satisfies φ})




Conclusion


Definition (Concrete System Configuration)

A concrete system configuration is a tuple s = (σ,P) where σ isa variable valuation and P is a process.

The probabilistic transition relation of a model’s MDP semanticsis defined by a set of firing rules with every process construct.

Wait [d ]pcase




Conclusion


Definition (Concrete System Configuration)

A concrete system configuration is a tuple s = (σ,P) where σ isa variable valuation and P is a process.

The probabilistic transition relation of a model’s MDP semanticsis defined by a set of firing rules with every process construct.

Wait [d ]pcase




Conclusion


Wait [d ]

ε ≤ d[ wait1 ]

(σ,Wait [d ]) ε→ (σ,Wait [d − ε])

[ wait2 ](σ,Wait [0]) τ→ (σ,Skip)




Conclusion


pcase

[ pcase ](σ, pcase {pr0 : P0; pr1 : P1; · · · ; prk : Pk})

τ→ µ

µ((σ,Pi)) =pri

pr0+pr1+···+prkfor all i ∈ [0, k ]

pcase transitions are not time-consuming!




Conclusion


pcase

[ pcase ](σ, pcase {pr0 : P0; pr1 : P1; · · · ; prk : Pk})

τ→ µ

µ((σ,Pi)) =pri

pr0+pr1+···+prkfor all i ∈ [0, k ]





Conclusion


Using the firing rules, the transition relation of the MDP couldbe defined. However, since PRTS model has a dense-timesemantics, the underlying MDP has infinite states.

(σ, Wait [1]) 0.1→ (σ, Wait [0.9]) 0.01→ (σ, Wait [0.89]) 0.001→ ...

Abstraction is required!




Conclusion








Conclusion








Conclusion


Dynamic Zone Abstraction

The first step of abstraction is to associate timed processconstructs with implicit clocks.

P timeout [d ] Q → P timeout [d ]c QConstraint over clock : c ≤ 5 represents any processP timeout [d ′] Q with d ′ ≤ 5

A zone D is the conjunction of multiple primitive constraintsover a set of clocks.

c ∼ d or ci − cj ∼ d where c, ci , cj are values of clocks andd is a constant integer. ∼ represents ≥,≤,=




Conclusion


Dynamic Zone Abstraction

The first step of abstraction is to associate timed processconstructs with implicit clocks.

P timeout [d ] Q → P timeout [d ]c QConstraint over clock : c ≤ 5 represents any processP timeout [d ′] Q with d ′ ≤ 5

A zone D is the conjunction of multiple primitive constraintsover a set of clocks.

c ∼ d or ci − cj ∼ d where c, ci , cj are values of clocks andd is a constant integer. ∼ represents ≥,≤,=




Conclusion


Abstract Configurations

Definition (Abstract System Configuration)

Given a concrete system configuration (σ,P), thecorresponding abstract system configuration is a triple(σ,PT ,D) such that PT is a process obtained by associating Pwith a set of clocks; and D is a zone over the clocks.

Abstract firing rules are defined in order to get the abstractMDP. Wait [d ] and pcase are listed as examples.




Conclusion


Abstract Configurations

Definition (Abstract System Configuration)

Given a concrete system configuration (σ,P), thecorresponding abstract system configuration is a triple(σ,PT ,D) such that PT is a process obtained by associating Pwith a set of clocks; and D is a zone over the clocks.

Abstract firing rules are defined in order to get the abstractMDP. Wait [d ] and pcase are listed as examples.




Conclusion


Wait [d ]

[ await ](σ,Wait [d ]c ,D)

τ (σ,Skip,D↑ ∧ c = d)

D↑ denotes the zone obtained by delaying arbitrary amountof time. e.g. (c ≤ 5)↑ is c ≤ ∞.




Conclusion


pcase

[ apcase ](σ, pcase {pr0 : P0; pr1 : P1; · · · ; prk : Pk},D)

τ µ

µ((σ,Pi ,D)) = pripr0+pr1+···+prk

for i ∈ [0, k ]; zone is unchanged.




Conclusion

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion

verification

1 abstract model is suitable for standard probabilistic modelchecking techniques.

2 abstract model preserves the verification result of givenproperty φ in concrete model.

M : PRTS model;DM : concrete MDP of M;Da

M : abstract MDP of M.




Conclusion

Theorem 1

TheoremDa

M is finite for any model M. 2

1 Variable valuations are finite[by assumption].2 Process expressions are finite[by assumption and clock

reuse].3 Zones are finite.

J. Bengtsson and Y. Wang.Timed Automata: Semantics, Algorithms and Tools.In Lectures on Concurrency and Petri Nets, pages 87-124,2003.




Conclusion

Theorem 1

TheoremDa

M is finite for any model M. 2

1 Variable valuations are finite[by assumption].2 Process expressions are finite[by assumption and clock

reuse].3 Zones are finite.

J. Bengtsson and Y. Wang.Timed Automata: Semantics, Algorithms and Tools.In Lectures on Concurrency and Petri Nets, pages 87-124,2003.




Conclusion

Definition

A probabilistic time-abstract bi-simulation relation between aDTMC C = (Sc , initc ,Act ,Prc) and an abstract DTMCCa = (Sa, inita,Act ,Pra) is a relation R ⊆ Sc × Sa satisfying thefollowing condition.C1: If (sc , sa) ∈ R, then sc and sa have the same variable

valuation.C2: If (sc , sa) ∈ R and (sc , (ε,e,p), s′c) ∈ Prc for some ε ≥ 0,

e ∈ Actτ and p ∈ [0,1], then there exists s′a such that(sa, (e,p), s′a) ∈ Pra and (s′c , s′a) ∈ R;

C3: If (sc , sa) ∈ R and (sa, (e,p), s′a) ∈ Pra for some e ∈ Actτand p ∈ [0,1], then there exists some ε ≥ 0 and s′c suchthat (sc , (ε,e,p), s′c) ∈ Prc and (s′c , s′a) ∈ R;




Conclusion

Theorem 2

Theorem

PmaxDa

M(φ) = Pmax

DM(φ) and Pmin

DaM(φ) = Pmin

DM(φ). 2

1 For any scheduler δ in DaM , there is a scheduler ξ in DM

such that (DaM)δ and (DM)ξ are bisimilar Markov Chains.

2 For any scheduler η in DM , there is a scheduler ϑ in DaM

such that (DM)η and (DaM)ϑ are bisimilar Markov Chains.





Conclusion

Theorem 2

Theorem

PmaxDa

M(φ) = Pmax

DM(φ) and Pmin

DaM(φ) = Pmin

DM(φ). 2









Conclusion

Theorem 2

Theorem

PmaxDa

M(φ) = Pmax

DM(φ) and Pmin

DaM(φ) = Pmin

DM(φ). 2









Conclusion

After abstraction, we obtain the finite states system andstandard probabilistic model checking are applied to solve thelinear program in MDP.

C. Baier and J. Katoen.Principles of Model checking.The MIT Press, 2008.




Conclusion

Multi-lift SystemBenchmark Systems Compared with PRISM

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion


Multi-lift System

Property: one user presses the lift button, but one lift travelingon the same direction passes by without serving him/her.

SystemRandom Nearest

Result(pmax) States Time(s) Result(pmax) States Time(s)lift=2; floor=2; user=2 0.21875 20120 1.47 0.13889 12070 1.33lift=2; floor=2; user=3 0.47656 173729 15.04 0.34722 83026 6.23lift=2; floor=2; user=4 0.6792 777923 90.66 0.53781 308602 28.31lift=2; floor=2; user=5 0.81372 2175271 406.29 0.68403 740997 85.29lift=2; floor=3; user=2 0.2551 72458 5.13 0.18 38593 2.89lift=2; floor=3; user=3 0.54009 1172800 150.20 0.427 500897 48.05lift=2; floor=4; user=2 0.27 170808 13.06 0.19898 86442 6.11lift=3; floor=2; user=2 0.22917 562309 86.88 0.10938 266621 34.25




Conclusion


Benchmark Systems Compared with PRISM

System ResultPAT PRISM

States Time(s) States Iterations Time(s)FA(10K) 0.94727 1352 0.15 1065 19 1.98FA(20K) 0.99849 5030 0.13 8663 34 65.08FA(30K) 0.99994 11023 0.45 34233 45 575.03FA(300K) >0.99999 726407 30.74 - - -ZC(100) 0.49934 404 0.15 135 0 0.28ZC(300) 0.01291 4813 0.65 2129 26 2.73ZC(500) 0.00027 12840 2.39 10484 44 63.19ZC(700) 1E-5 24058 5.78 31717 60 427.70

One is the firewire abstraction (FA) for IEEE 1394 FireWire rootcontention protocol and the other is zeroconf (ZC) for Zeroconfnetwork configuration protocol.




Conclusion

Outline

1 Motivation



4 Verification


6 Conclusion




Conclusion

Conclusion

1 Modeling language PRTS is proposed for hierarchicalprobabilistic real-time systems.

2 Zone abstraction is used in order to apply probabilisticmodel checking techniques. Evaluations demonstrate theefficiency of our approach.

3 Model checker PAT is extended to support PRTS.




Conclusion

References I

C. A. R. Hoare.Communicating Sequential Processes.Prentice-Hall, 1985.

R. Alur, C. Courcoubetis, and D. L. Dill.Model-checking for Probabilistic Real-time Systems.ICALP, pages 115-126, 1991.

A. Hinton, M. Kwiatkowska, G. Norman and D. Parker.PRISM: A Tool for Automatic Verification of ProbabilisticSystems.TACAS, pages 441-444, 2006.




Conclusion

References II

C. Baier and J. Katoen.Principles of Model checking.The MIT Press, 2008.

M. Kwiatkowska, G. Norman, R. Segala and J. Sproston.Automatic Verification of Real-time Systems with DiscreteProbability Distributions.Theoretical Computer Science, 282(1):101–150, 2002.

S. Schnerder.Concurrent and Real-time Systems.John Wiley and Sons, 2000.




Conclusion

References III

J. Ouaknine and J. Worrell.Timed CSP = Closed Timed Safety Automata.Electrical Notes Theoretical Computer Sciences, 68(2),2002.

J. Sun, Y. Liu, J. S. Dong and X. Zhang.Verifying Stateful Timed CSP Using Implicit Clocks andZone Abstraction.ICFEM, pages 581-600, 2009.

J. Sun, S. Song and Y. LiuModel Checking Hierarchical Probabilistic Systems.ICFEM, pages 388-403, 2010.




Conclusion

T HANK YOU !


Documents

PRTS: An Approach for Model Checking Probabilistic Real ...pat/IWESSS12/iwesss2012 prts.pdf · features like real-time, hierarchy, concurrency, data structures as well as probability