Reasoning about Time and Reliability

Similar documents
Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Theoretical Foundations of the UML

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Alternating-Time Temporal Logic

Chapter 6: Computation Tree Logic

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Alan Bundy. Automated Reasoning LTL Model Checking

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Chapter 4: Computation tree logic

Stochastic Model Checking

Comp487/587 - Boolean Formulas

Lecture Notes on Model Checking

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

An Introduction to Temporal Logics

Overview. overview / 357

Automatic Verification of Real-time Systems with Discrete Probability Distributions

SFM-11:CONNECT Summer School, Bertinoro, June 2011

Lecture 16: Computation Tree Logic (CTL)

Models for Efficient Timed Verification

Computation Tree Logic (CTL)

T Reactive Systems: Temporal Logic LTL

Computer-Aided Program Design

Probabilistic Model Checking (1)

Decidability Results for Probabilistic Hybrid Automata

Introduction to Temporal Logic. The purpose of temporal logics is to specify properties of dynamic systems. These can be either

Propositional and Predicate Logic - IV

Model for reactive systems/software

Timo Latvala. February 4, 2004

Model Checking. Temporal Logic. Fifth International Symposium in Programming, volume. of concurrent systems in CESAR. In Proceedings of the

Polynomial-Time Verification of PCTL Properties of MDPs with Convex Uncertainties and its Application to Cyber-Physical Systems

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

LTL with Arithmetic and its Applications in Reasoning about Hierarchical Systems

Probabilistic Model Checking Michaelmas Term Dr. Dave Parker. Department of Computer Science University of Oxford

Temporal Logic Model Checking

On the Expressiveness and Complexity of ATL

FORMAL METHODS LECTURE IV: COMPUTATION TREE LOGIC (CTL)

Model Checking with CTL. Presented by Jason Simas

The State Explosion Problem

What is Temporal Logic? The Basic Paradigm. The Idea of Temporal Logic. Formulas

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction

Unranked Tree Automata with Sibling Equalities and Disequalities

A Little Logic. Propositional Logic. Satisfiability Problems. Solving Sudokus. First Order Logic. Logic Programming

ESE601: Hybrid Systems. Introduction to verification

Lecture 3: Semantics of Propositional Logic

Algorithms for Modal µ-calculus Interpretation

Formal Verification. Lecture 1: Introduction to Model Checking and Temporal Logic¹

Introduction to Model Checking. Debdeep Mukhopadhyay IIT Madras

Syntax of propositional logic. Syntax tree of a formula. Semantics of propositional logic (I) Subformulas

Topics in Verification AZADEH FARZAN FALL 2017

PSPACE-completeness of LTL/CTL model checking

Chapter 5: Linear Temporal Logic

CS156: The Calculus of Computation

Tableau-Based Automata Construction for Dynamic Linear Time Temporal Logic

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Reasoning about Strategies: From module checking to strategy logic

Finite-State Model Checking

Model-Checking Games: from CTL to ATL

First-Order Predicate Logic. Basics

Timo Latvala. March 7, 2004

A Compositional Automata-based Approach for Model Checking Multi-Agent Systems

Computation Tree Logic

Automata on Infinite words and LTL Model Checking

Computation Tree Logic

A Hierarchy for Accellera s Property Specification Language

Temporal & Modal Logic. Acronyms. Contents. Temporal Logic Overview Classification PLTL Syntax Semantics Identities. Concurrency Model Checking

PSL Model Checking and Run-time Verification via Testers

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

Summary. Computation Tree logic Vs. LTL. CTL at a glance. KM,s =! iff for every path " starting at s KM," =! COMPUTATION TREE LOGIC (CTL)

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

A Tableau-Based Decision Procedure for Right Propositional Neighborhood Logic (RPNL )

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

A tableau-based decision procedure for a branching-time interval temporal logic

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Modal and Temporal Logics

Linear Temporal Logic and Büchi Automata

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Normal Forms of Propositional Logic

Specifying and Verifying Systems of Communicating Agents in a Temporal Action Logic

Symmetry Reductions. A. Prasad Sistla University Of Illinois at Chicago

Using Counterfactuals in Knowledge-Based Programming

Lecture Notes on Classical Modal Logic

Timed Automata VINO 2011

Propositional Logic: Part II - Syntax & Proofs 0-0

From Liveness to Promptness

Strategy Logic with Imperfect Information

Automata and Reactive Systems

Quantitative Verification

Linear Temporal Logic (LTL)

A Sample State Machine

Causality & Concurrency. Time-Stamping Systems. Plausibility. Example TSS: Lamport Clocks. Example TSS: Vector Clocks

Model Checking Algorithms

An n! Lower Bound On Formula Size

Comparing LTL Semantics for Runtime Verification

On Real-time Monitoring with Imprecise Timestamps

Seamless Model Driven Development and Tool Support for Embedded Software-Intensive Systems

Monadic Second Order Logic and Automata on Infinite Words: Büchi s Theorem

On the satisfiability problem for a 4-level quantified syllogistic and some applications to modal logic

MODEL-CHECKING IN DENSE REAL-TIME SHANT HARUTUNIAN

Time and Timed Petri Nets

Transcription:

Reasoning about Time and Reliability Probabilistic CTL model checking Daniel Bruns Institut für theoretische Informatik Universität Karlsruhe 13. Juli 2007 Seminar Theorie und Anwendung von Model Checking

Outline 1 Probabilistic real time CTL 2 PCTL model checking 3 Calculation example

Motivation Communication networks need to be error free and reliable. In addition, they often operate under real time conditions, meaning they must meet certain deadlines in order to work correctly. Particularly, this becomes vital when wireless networks are used where significant packet loss is inevitable. In this talk, a temporal logic will be presented in which propositions such as There is a probability of at least 99% that a message is received at most 6ms after it is sent. can be expressed.

Motivation Communication networks need to be error free and reliable. In addition, they often operate under real time conditions, meaning they must meet certain deadlines in order to work correctly. Particularly, this becomes vital when wireless networks are used where significant packet loss is inevitable. In this talk, a temporal logic will be presented in which propositions such as There is a probability of at least 99% that a message is received at most 6ms after it is sent. can be expressed.

An extension to CTL with time and probability Probabilistic real time CTL (PCTL) is an extension to the well-known temporal logic CTL (Computation Tree Logic). PCTL extends this concept by both a discrete time structure allowing real time statements as well as probabilities for these events by which hard and soft deadlines can be modeled. There exist polynomial time model checking algorithms suitable for small structures.

Outline 1 Probabilistic real time CTL 2 PCTL model checking 3 Calculation example

Syntax Definition Atomic propositions are state formulae. If ϕ and ψ are state formulae, then so are ϕ, (ϕ ψ), (ϕ ψ) and (ϕ ψ). If ϕ and ψ are state formulae and τ N, then (ϕ U τ ψ) and (ϕ W τ ψ) are path formulae. If F is a path formula and ρ [0, 1], then [F ] ρ and [F] >ρ are state formulae. We will use ϕ U τ ρ ψ as shorthand for [ϕ U τ ϕ] ρ.

PCTL: some intuition ϕ U 4 0.99 ψ means there is a probability of at least 99% that both ψ will come true within 4 time units and ϕ holds till ψ comes true. ϕ W 4 0.99 ψ means there is a probability of at least 99% that either the above condition holds or ϕ holds for at least 4 time units. If the underlying structure is modelled wisely, time units can be substituted with real time units such as seconds or milliseconds.

PCTL: some intuition ϕ U 4 0.99 ψ means there is a probability of at least 99% that both ψ will come true within 4 time units and ϕ holds till ψ comes true. ϕ W 4 0.99 ψ means there is a probability of at least 99% that either the above condition holds or ϕ holds for at least 4 time units. If the underlying structure is modelled wisely, time units can be substituted with real time units such as seconds or milliseconds.

PCTL: some intuition ϕ U 4 0.99 ψ means there is a probability of at least 99% that both ψ will come true within 4 time units and ϕ holds till ψ comes true. ϕ W 4 0.99 ψ means there is a probability of at least 99% that either the above condition holds or ϕ holds for at least 4 time units. If the underlying structure is modelled wisely, time units can be substituted with real time units such as seconds or milliseconds.

Expressing CTL through PCTL Example Since PCTL extends CTL, its properties can be expressed by extreme values of time and probability. generally: Gϕ ϕ W false finally: Fϕ true U ϕ until operator: ϕuψ ϕ U ψ universal path quantifier: F [F ] 1 existential path quantifier: F [F ] >0

Logic structure The structure over which PCTL formulae are evaluated is a finite automaton with labels on states and probabilistic transitions. Each transition corresponds to one time step. Example 1 s 0 s 1 1 0.6 0.4 s 3 0.8 s 2 0.2

Formal definition of the structure Definition A structure K is a tuple (S, s, T, L) where S is a finite set of states, s S is the initial state, T is a probabilistic transition function T : S 2 [0, 1], such that t S T (s, t) = 1 for all states s S and L is a labeling function assigning sets of atomic formulae to states (L : S 2 {atom} ).

Formal definition of the structure Definition A structure K is a tuple (S, s, T, L) where S is a finite set of states, s S is the initial state, T is a probabilistic transition function T : S 2 [0, 1], such that t S T (s, t) = 1 for all states s S and L is a labeling function assigning sets of atomic formulae to states (L : S 2 {atom} ).

Formal definition of the structure Definition A structure K is a tuple (S, s, T, L) where S is a finite set of states, s S is the initial state, T is a probabilistic transition function T : S 2 [0, 1], such that t S T (s, t) = 1 for all states s S and L is a labeling function assigning sets of atomic formulae to states (L : S 2 {atom} ).

Prerequisites for semantics Definition 1 A path beginning in state s 0 is an infinite sequence (s 0, s 1,...). Let the set of paths (beginning in s 0 ) be P(s 0 ). 2 The n-th state of a path π is denoted π[n], a finite prefix of length n is denoted π n := (s 0,..., π[n]). 3 For each state s a probability measure µ s : P [0, 1] is defined for each finite sequence (s 0,..., s n ) by µ s ({π P : π n = (s 0,..., s n )}) = n T (s i 1, s i ) i=1

Prerequisites for semantics Definition 1 A path beginning in state s 0 is an infinite sequence (s 0, s 1,...). Let the set of paths (beginning in s 0 ) be P(s 0 ). 2 The n-th state of a path π is denoted π[n], a finite prefix of length n is denoted π n := (s 0,..., π[n]). 3 For each state s a probability measure µ s : P [0, 1] is defined for each finite sequence (s 0,..., s n ) by µ s ({π P : π n = (s 0,..., s n )}) = n T (s i 1, s i ) i=1

Prerequisites for semantics Definition 1 A path beginning in state s 0 is an infinite sequence (s 0, s 1,...). Let the set of paths (beginning in s 0 ) be P(s 0 ). 2 The n-th state of a path π is denoted π[n], a finite prefix of length n is denoted π n := (s 0,..., π[n]). 3 For each state s a probability measure µ s : P [0, 1] is defined for each finite sequence (s 0,..., s n ) by µ s ({π P : π n = (s 0,..., s n )}) = n T (s i 1, s i ) i=1

Semantics Definition s = a s = ϕ s = ϕ ψ π = ϕ U τ ψ π = ϕ W τ ψ s = [F ] ρ iff a L(s) iff s = ϕ iff s = ϕ and s = ψ iff there is a ι τ with π[ι] = ψ and π[κ] = ϕ for all κ < ι iff π = ϕ U τ ψ or π[κ] = ϕ for all κ τ iff µ s ({π P(s) π = F }) ρ Finally, we define = K ϕ iff s = ϕ.

Semantics Definition s = a s = ϕ s = ϕ ψ π = ϕ U τ ψ π = ϕ W τ ψ s = [F ] ρ iff a L(s) iff s = ϕ iff s = ϕ and s = ψ iff there is a ι τ with π[ι] = ψ and π[κ] = ϕ for all κ < ι iff π = ϕ U τ ψ or π[κ] = ϕ for all κ τ iff µ s ({π P(s) π = F }) ρ Finally, we define = K ϕ iff s = ϕ.

Semantics Definition s = a s = ϕ s = ϕ ψ π = ϕ U τ ψ π = ϕ W τ ψ s = [F ] ρ iff a L(s) iff s = ϕ iff s = ϕ and s = ψ iff there is a ι τ with π[ι] = ψ and π[κ] = ϕ for all κ < ι iff π = ϕ U τ ψ or π[κ] = ϕ for all κ τ iff µ s ({π P(s) π = F }) ρ Finally, we define = K ϕ iff s = ϕ.

Semantics Definition s = a s = ϕ s = ϕ ψ π = ϕ U τ ψ π = ϕ W τ ψ s = [F ] ρ iff a L(s) iff s = ϕ iff s = ϕ and s = ψ iff there is a ι τ with π[ι] = ψ and π[κ] = ϕ for all κ < ι iff π = ϕ U τ ψ or π[κ] = ϕ for all κ τ iff µ s ({π P(s) π = F }) ρ Finally, we define = K ϕ iff s = ϕ.

Outline 1 Probabilistic real time CTL 2 PCTL model checking 3 Calculation example

A model checking algorithm for PCTL In this section a model checking algorithm will be presented, which determines whether a given structure K models some formula ϕ, i.e. = K ϕ. When it finishes, each state will be labeled with the complete set of subformulae of ϕ which hold in that state. If the initial state s is labeled with ϕ, then the structure is a model for ϕ. The algorithm is based on the original model checking algorithm for CTL.

A model checking algorithm for PCTL In this section a model checking algorithm will be presented, which determines whether a given structure K models some formula ϕ, i.e. = K ϕ. When it finishes, each state will be labeled with the complete set of subformulae of ϕ which hold in that state. If the initial state s is labeled with ϕ, then the structure is a model for ϕ. The algorithm is based on the original model checking algorithm for CTL.

A model checking algorithm for PCTL In this section a model checking algorithm will be presented, which determines whether a given structure K models some formula ϕ, i.e. = K ϕ. When it finishes, each state will be labeled with the complete set of subformulae of ϕ which hold in that state. If the initial state s is labeled with ϕ, then the structure is a model for ϕ. The algorithm is based on the original model checking algorithm for CTL.

Labeling states with formulae 1 We define an extended labeling function L for every subformula of ϕ. Initially, all states are labeled with atomic propositions: s S : L(s) := L(s) 2 Suppose the subformulae of ϕ have been ordered in size (of logic connectives). Then from the smallest to ϕ itself change the labels of all states: For a subformula ψ set L(s) := L(s) { ψ} if ψ L(s) For a subformula (ϕ 1 ϕ 2 ) set L(s) := L(s) {ϕ 1 ϕ 2 } if ϕ 1, ϕ 2 L(s). For a subformula (ϕ 1 U τ ρ ϕ 2) use the following algorithm based on matrix multiplication.

Labeling states with formulae 1 We define an extended labeling function L for every subformula of ϕ. Initially, all states are labeled with atomic propositions: s S : L(s) := L(s) 2 Suppose the subformulae of ϕ have been ordered in size (of logic connectives). Then from the smallest to ϕ itself change the labels of all states: For a subformula ψ set L(s) := L(s) { ψ} if ψ L(s) For a subformula (ϕ 1 ϕ 2 ) set L(s) := L(s) {ϕ 1 ϕ 2 } if ϕ 1, ϕ 2 L(s). For a subformula (ϕ 1 U τ ρ ϕ 2) use the following algorithm based on matrix multiplication.

Labeling states with formulae 1 We define an extended labeling function L for every subformula of ϕ. Initially, all states are labeled with atomic propositions: s S : L(s) := L(s) 2 Suppose the subformulae of ϕ have been ordered in size (of logic connectives). Then from the smallest to ϕ itself change the labels of all states: For a subformula ψ set L(s) := L(s) { ψ} if ψ L(s) For a subformula (ϕ 1 ϕ 2 ) set L(s) := L(s) {ϕ 1 ϕ 2 } if ϕ 1, ϕ 2 L(s). For a subformula (ϕ 1 U τ ρ ϕ 2) use the following algorithm based on matrix multiplication.

Labeling states with formulae 1 We define an extended labeling function L for every subformula of ϕ. Initially, all states are labeled with atomic propositions: s S : L(s) := L(s) 2 Suppose the subformulae of ϕ have been ordered in size (of logic connectives). Then from the smallest to ϕ itself change the labels of all states: For a subformula ψ set L(s) := L(s) { ψ} if ψ L(s) For a subformula (ϕ 1 ϕ 2 ) set L(s) := L(s) {ϕ 1 ϕ 2 } if ϕ 1, ϕ 2 L(s). For a subformula (ϕ 1 U τ ρ ϕ 2) use the following algorithm based on matrix multiplication.

Labeling for (ϕ 1 U τ ρ ϕ 2) Assume τ <. Let s 1,..., s n be the states of S. Define a n n transition matrix A = (α ij ) by T (s i, s j ) if ϕ 1 L(s i ) and ϕ 2 L(s i ) α ij = 1 else if i = j 0 otherwise By this, some transition probabilities are given: Rows represent the from-states and columns represent the to-states. Thus, the matrix A τ intuitively gives transition probabilities for τ transition steps.

Labeling for (ϕ 1 U τ ρ ϕ 2) (contd.) Define a vector P = (p k ) of size n with { 1 if ϕ 2 L(s k ) p k = 0 otherwise Intuitively, this represents the set of states in which ϕ 2 (the postcondition) is true. Calculate the vector P := A τ P. This represents the probabilities of each state modeling the until-formula. Thus, for each state s k redefine L(s k ) := L(s k ) {ϕ 1 U τ ρ ϕ 2} if the k-th entry in P is at least ρ.

Labeling for (ϕ 1 U τ ρ ϕ 2) (contd.) Define a vector P = (p k ) of size n with { 1 if ϕ 2 L(s k ) p k = 0 otherwise Intuitively, this represents the set of states in which ϕ 2 (the postcondition) is true. Calculate the vector P := A τ P. This represents the probabilities of each state modeling the until-formula. Thus, for each state s k redefine L(s k ) := L(s k ) {ϕ 1 U τ ρ ϕ 2} if the k-th entry in P is at least ρ.

Labeling in special cases The case with τ = must be treated separately. Other extreme cases can be calculated with separate algorithms for optimization reasons. The weak until operator W can be transformed into a formula with just U. There is another algorithm for calculation of P with slightly different complexity.

Outline 1 Probabilistic real time CTL 2 PCTL model checking 3 Calculation example

Verification of a communication protocol As an example, we will now verify a simple (fictional) communication protocol. It provides error free communication from a sender to a receiver over a lossy medium. We assume that acknowledgements are never lost though. 1 in 1 send 0.9 out s 0 s 1 s 2 s 3 ack 1 to 0.1 1 s 4 rec We also assume the message loss probability to be 10%.

Properties of interest An interesting question to pose is, if the system is able to meet certain deadlines, for example if there is a probability of at least 99% that a message is received (s 4 ) at most 6 time units after it is send (s 0 ). For a single event, this can be expressed by s 0 F 6 0.99 s 4 where F is a generalized finally-operator with time and probability.

Properties of interest An interesting question to pose is, if the system is able to meet certain deadlines, for example if there is a probability of at least 99% that a message is received (s 4 ) at most 6 time units after it is send (s 0 ). For a single event, this can be expressed by s 0 F 6 0.99 s 4 where F is a generalized finally-operator with time and probability.

Proving the assertion First of all, we translate the formula into a pure until-formula and name the subformulae: ϕ = s }{{} 0 ϕ 1 true }{{} ϕ 2 U 6 0.99 s }{{} 4 ϕ 3 } {{ } ϕ 4 Now states will labeled with atomic propositions: Label s 0 with ϕ 1. Label every state with ϕ 2. Label s 4 with ϕ 3.

Proving the assertion First of all, we translate the formula into a pure until-formula and name the subformulae: ϕ = s }{{} 0 ϕ 1 true }{{} ϕ 2 U 6 0.99 s }{{} 4 ϕ 3 } {{ } ϕ 4 Now states will labeled with atomic propositions: Label s 0 with ϕ 1. Label every state with ϕ 2. Label s 4 with ϕ 3.

Construction of matrix A and vector P We construct the matrix A and the vector P according to the definition given earlier: 0 1 0 0 0 0 0 1 0 0 A = 0 0.1 0 0.9 0 0 0 0 0 1 0 0 0 0 1 0 0 P = 0 0 1

Labeling for ϕ 4 = ϕ 2 U 6 0.99 ϕ 3 Next, we calculate P = A 6 P: 0 0 0.01 0 0.99 A 6 0 0.001 0 0.009 0.99 = 0 0 0.01 0 0.99 0 0 0 0 1 0 0 0 0 1 0.99 P 0.99 = 0.99 1 1 Since every entry in P is at least 0.99, we conclude that every state is to be labeled with ϕ 4.

The initial state is labeled with ϕ Finally, every state is labeled with ϕ = (ϕ 1 ϕ 4 ) since every state is labeled with ϕ 4. ϕ 1 ϕ 2 ϕ 4 ϕ 1 1 ϕ 4 ϕ 2 ϕ 3 ϕ 4 ϕ ϕ 2 ϕ 1 0.1 ϕ 4 ϕ 2 ϕ 0.9 ϕ 4 1 ϕ 2 ϕ Since the initial state s 0 is labeled with ϕ, we have shown that the given protocol is a model for our assumption.

Summary The motivation for a logic like PCTL stems largely from an application view. We have seen practical usefulness for PCTL-expressible properties. The model checking algorithm shown is implemented in the PRISM model checking tool. H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Technical Report R90013, Swedish Institute of Computer Science and Department of Computer Systems, Uppsala University, Dec. 1994.

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback