An Optimal Automata Approach to LTL Model

#1

An Optimal Automata Approach to LTL Model Checking of Probabilistic Systems


Jean-Michel Couvreur, Nasser Saheb, Grégoire Sutre

LSV, Ecole Normale Sup. de Cachan, France LaBRI, Bordeaux University, France

LPAR - 25 September 2003


#2

Outline 1. Introduction 2. Probabilistic systems 3. Linear Temporal Logic and ω -automata 4. LTL verification and evaluation problems 5. Our approach 6. Conclusion



#3




#4

Motivations (practical) Need for probabilistic modeling: randomized algorithms (distributed systems) message loss in protocols, stochastic delays... biological systems


#4


Motivations (practical) Need for probabilistic modeling: randomized algorithms (distributed systems) message loss in protocols, stochastic delays... biological systems Verification: is a given property almost surely satisfied by the system? Focus on linear time temporal properties


#4


Motivations (practical) Need for probabilistic modeling: randomized algorithms (distributed systems) message loss in protocols, stochastic delays... biological systems Verification: is a given property almost surely satisfied by the system? Focus on linear time temporal properties Evaluation: with which probability is a given property satisfied by the system?


#5


LTL verification on probabilistic systems The best known automata-based algorithm runs in double exponential time [Var85] There is a non-automata based algorithm running in single exponential time and polynomial space [CY95] Open problem [Var99]: automata-based algorithm running in single exponential time?


#5


LTL verification on probabilistic systems The best known automata-based algorithm runs in double exponential time [Var85] There is a non-automata based algorithm running in single exponential time and polynomial space [CY95] Open problem [Var99]: automata-based algorithm running in single exponential time? Yes On-the-fly implementation



#6




#7

Measuring sets of infinite words Σ : finite alphabet



#7

Measuring sets of infinite words Σ : finite alphabet CΣ : set of all basic cylindric sets w · Σω with w ∈ Σ∗



#7

Measuring sets of infinite words Σ : finite alphabet CΣ : set of all basic cylindric sets w · Σω with w ∈ Σ∗ BΣ : σ -algebra (on Σω ) generated by CΣ BΣ closed under complementation BΣ closed under countable union (and intersection)


#7


Measuring sets of infinite words Σ : finite alphabet CΣ : set of all basic cylindric sets w · Σω with w ∈ Σ∗ BΣ : σ -algebra (on Σω ) generated by CΣ BΣ closed under complementation BΣ closed under countable union (and intersection) (Σω , BΣ ) : considered measurable space (Σ will depend on the context)


#7


Measuring sets of infinite words Σ : finite alphabet CΣ : set of all basic cylindric sets w · Σω with w ∈ Σ∗ BΣ : σ -algebra (on Σω ) generated by CΣ BΣ closed under complementation BΣ closed under countable union (and intersection) (Σω , BΣ ) : considered measurable space (Σ will depend on the context)

probability measure defined on CΣ and extended to BΣ


#8


Probabilistic systems M = hS, T, α, β, λ, P0 , P i

1. hS, T, α, β, λi finite labeled graph over Σ S : states and T : transitions α : T → V and β : T → V : source and target mappings (• · and ·• ) λ : T → Σ : transition labeling


#8




2. P0 : S → [0, 1] : initial probability distribution s.t.

s∈S

P0 (s) = 1


#8




2. P0 : S → [0, 1] : initial probability distribution s.t. 3. P : T →]0, 1] is a transition probability function s.t.

s∈S

P0 (s) = 1

t∈s•

P (t) = 1


#8




2. P0 : S → [0, 1] : initial probability distribution s.t. 3. P : T →]0, 1] is a transition probability function s.t.

s∈S

P0 (s) = 1

t∈s•

P (t) = 1

µM probability measure over (T ω , BT ) defined by µM (T ω ) = 1, and ω

µM (t0 t1 · · · tn ·T ) =

P0 (• t0 )P (t0 )P (t1 ) · · · P (tn ) if t0 t1 · · · tn ∈ P ath∗ (M ) 0 otherwise.



#9

Properties initial states: S0 = {s ∈ S | P0 (s) 6= 0} P athω (M ) is measurable and µM (P athω (M )) = 1



#9


Notation. M [s] = M where P0 (s) = 1 (i.e. s unique initial state)



#9


Notation. M [s] = M where P0 (s) = 1 (i.e. s unique initial state) µM =

s∈S0

P0 (s) · µM [s]



#9



s∈S0

P0 (s) · µM [s]

when L measurable, µM [s] (L) =

t∈s•

P (t) · µM [t• ] (t−1 L)


#9




s∈S0

P0 (s) · µM [s]


t∈s•

P (t) · µM [t• ] (t−1 L)

Proposition Let P ath∗max denote the set of all finite paths ending in a maximal SCC. We have µM (P ath∗max · T ω ) = 1


#9




s∈S0

P0 (s) · µM [s]


t∈s•

P (t) · µM [t• ] (t−1 L)

Proposition Let P ath∗max denote the set of all finite paths ending in a maximal SCC. We have µM (P ath∗max · T ω ) = 1 Let ρ be a finite path contained in some maximal SCC C , and let s ∈ C . We have µM [s] ((T ∗ · ρ)ω ) = 1. LPAR - 25 September 2003


#10



#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)


#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)

models are in Σω ∨ and ¬ interpreted as usual


#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)

models are in Σω ∨ and ¬ interpreted as usual abca · · · |= a

but

bbca · · · 6|= a


#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)

models are in Σω ∨ and ¬ interpreted as usual abca · · · |= a abca · · · |= Xb

but but

bbca · · · 6|= a abca · · · 6|= Xc


#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)


but but

bbca · · · 6|= a abca · · · 6|= Xc

aaaaaaaaabca · · · |= aUb

but

aaaaaaaaabca · · · 6|= aUc


#11


LTL f ::= a | f ∨ f | ¬f | Xf | f Uf

(with a ∈ Σ)


but but

bbca · · · 6|= a abca · · · 6|= Xc

aaaaaaaaabca · · · |= aUb

but

aaaaaaaaabca · · · 6|= aUc

L(f ) : set of words w ∈ Σω such that w |= f



#12

ω -automata A = hQ, T, α, β, λ, Q0 , Acci

1. hQ, T, α, β, λi finite labeled graph over Σ 2. Q0 ⊆ Q : initial locations 3. acc ⊆ 2T : acceptance condition



#12


1. hQ, T, α, β, λi finite labeled graph over Σ 2. Q0 ⊆ Q : initial locations 3. acc ⊆ 2T : acceptance condition a run ρ ∈ P athω (A) is accepting if {t | ρ ∈ (T ∗ · t)ω } ∈ Acc



#12


1. hQ, T, α, β, λi finite labeled graph over Σ 2. Q0 ⊆ Q : initial locations 3. acc ⊆ 2T : acceptance condition a run ρ ∈ P athω (A) is accepting if {t | ρ ∈ (T ∗ · t)ω } ∈ Acc a word w is accepted if w = λ(ρ) for some accepting run ρ



#12


1. hQ, T, α, β, λi finite labeled graph over Σ 2. Q0 ⊆ Q : initial locations 3. acc ⊆ 2T : acceptance condition a run ρ ∈ P athω (A) is accepting if {t | ρ ∈ (T ∗ · t)ω } ∈ Acc a word w is accepted if w = λ(ρ) for some accepting run ρ L(A) : set of accepted words



#12


1. hQ, T, α, β, λi finite labeled graph over Σ 2. Q0 ⊆ Q : initial locations 3. acc ⊆ 2T : acceptance condition a run ρ ∈ P athω (A) is accepting if {t | ρ ∈ (T ∗ · t)ω } ∈ Acc a word w is accepted if w = λ(ρ) for some accepting run ρ L(A) : set of accepted words

Theorem [Var85] For any ω -automaton A, L(A) is measurable. LPAR - 25 September 2003

#13


From LTL to ω -automata

Theorem [VW94] Given an LTL formula f , one can build a Büchi ω -automaton Af , with at most 2O(|f |) locations, such that L(f ) = L(Af ).



#14



#15


Verification and evaluation problems LTL probabilistic verification problem: Given M and f , does M almost surely satisfy f ?


#15



“M |= f almost surely” = µM (P athω (M ) ∩ λ−1 (L(f ))) = 1


#15




“M |= f with positive probability” = µM (P athω (M ) ∩ λ−1 (L(f ))) > 0


#15





LTL probabilistic verification problem is PSPACE-complete [CY95]


#15





LTL probabilistic verification problem is PSPACE-complete [CY95] LTL probabilistic evaluation problem: Given M and f , compute µM (P athω (M ) ∩ λ−1 (L(f ))) LPAR - 25 September 2003

#16


Existing automata-based approach [Var85] To check whether M |= f with positive probability: compute a Büchi automaton Af with L(Af ) = L(f ) |Af | in 2O(|f |)


#16



compute a deterministic Street automaton A0f with L(A0f ) = L(f ) |A0f | in 22

O(|f |)


#16




O(|f |)

compute the probabilistic system M ⊗A0f (synchronized product) |M ⊗A0f |

in O(|M |) · 2

2O(|f |)


#16




O(|f |)

compute the probabilistic system M ⊗A0f (synchronized product) |M ⊗A0f |

in O(|M |) · 2

2O(|f |)

check whether M ⊗A0f has an accepted maximal SCC in time O(|M |) · 22

O(|f |)



#17



#18


Overview We use a similar approach: translate f into a non-deterministic ω -automaton |Af | in O(2|f | )


#18



compute the ω -automaton M ⊗Af (synchronized product) |M ⊗Af | in O(|M | · 2|f | )


#18




look for a “suitable” SCC in M ⊗Af in time O(|M | · 2|f | )


#18




look for a “suitable” SCC in M ⊗Af in time O(|M | · 2|f | ) based on properties of the translation from LTL to ω -automaton


#19


Properties of ω -automata coming from LTL Optimized tableau based translation (slight variation of [Cou00]) Proposition Given an LTL formula f , one can build a multi-Büchi ω -automaton Af such that L(f ) = L(Af ), and whose size and computation time are in O(|Σ|) · 2O(|f |) .

Moreover Af is unambiguous and separated on each SCC.


#19



Moreover Af is unambiguous and separated on each SCC. where:

A is unambiguous = t1 6= t2 ∧

•

t1 = • t2 ∧ λ(t1 ) = λ(t2 )

⇒

L(A[t1 • ]) ∩ L(A[t2 • ]) = ∅


#19



Moreover Af is unambiguous and separated on each SCC. where:

A is unambiguous = t1 6= t2 ∧

•

t1 = • t2 ∧ λ(t1 ) = λ(t2 )

A is separated = q1 6= q2

⇒

⇒

L(A[t1 • ]) ∩ L(A[t2 • ]) = ∅

L(A[q1 ]) ∩ L(A[q2 ]) = ∅ LPAR - 25 September 2003


#20

Synchronized product of M and Af M ⊗A = hS × Q, T⊗ , α⊗ , β⊗ , λ⊗ , S0 × Q0 , Acc⊗ i where: T⊗ = {(tM , tA ) ∈ TM × TA | λM (tM ) = λA (tA )} •

(tM , tA ) = (• tM , • tA ) and (tM , tA )• = (tM • , tA • )

λ⊗ is the projection from T⊗ to TM U ∈ Acc⊗ iff the projection of U on A is in Acc



#20




Proposition L(M ⊗A) = P athω (M ) ∩ λ−1 M (L(A))


#20





Proposition L(M ⊗A) = P athω (M ) ∩ λ−1 M (L(A)) M |= f with positive probability iff µM [s] (L(M ⊗A[s, q])) > 0 from an initial location (s, q) ∈ S0 × Q0 LPAR - 25 September 2003

#21


Synchronized product of M and Af (cont’d)

L(s, q) =

L(s, q) = L(M ⊗A[s, q]) (tM ,tA

)∈(s,q)•

tM · L(tM • , tA • )

V (s, q) = µM [s] (L(s, q)) V (s, q) > 0 iff V (s0 , q 0 ) > 0 for some (s0 , q 0 ) reachable from (s, q)


#21



L(s, q) =

L(s, q) = L(M ⊗A[s, q]) (tM ,tA

)∈(s,q)•

tM · L(tM • , tA • )


An SCC C of M ⊗A is called: null if V (s, q) = 0 for all (s, q) ∈ C persistent if C is an SCC which is maximal among the non null SCCs, transient otherwise.


#21



L(s, q) =

L(s, q) = L(M ⊗A[s, q]) (tM ,tA

)∈(s,q)•

tM · L(tM • , tA • )


An SCC C of M ⊗A is called: null if V (s, q) = 0 for all (s, q) ∈ C persistent if C is an SCC which is maximal among the non null SCCs, transient otherwise. Goal: check the existence of a reachable non null SCC LPAR - 25 September 2003


#22

Local notions on SCCs

M ⊗A)|C = “restriction of M ⊗A to C LC (s, q) = L((M ⊗A)|C [s, q]) VC (s, q) = µM [s] (LC (s, q))



#22


M ⊗A)|C = “restriction of M ⊗A to C LC (s, q) = L((M ⊗A)|C [s, q]) VC (s, q) = µM [s] (LC (s, q)) C is locally positive if VC (s, q) > 0 for all (s, q) ∈ C



#22



persistent ⇒ locally positive ⇒ non null


#22




persistent ⇒ locally positive ⇒ non null

M |= f with positive probability iff there is a locally positive SCC reachable from an initial location (s, q) in S0 × Q0


#23


Caracterisation of locally positive SCCs C is accepted if its set of transitions is in Acc⊗ C is complete if every finite path of M starting in C is contained in C


#23



Proposition If A is multi-Büchi or unambiguous, then locally positive

⇔

accepted ∧ complete


#23



Proposition If A is multi-Büchi or unambiguous, then locally positive

⇔

accepted ∧ complete

Proposition when A is multi-Büchi, acceptance checking is in O(|Acc| · |C|) when A is unambiguous and separated on each SCC, completeness checking is in O(|C|)


#24


Main result

Theorem Given an LTL formula f , checking whether M |= f with positive probability can be done in O(|M | · |f | · 2|f | ).



#25

Evaluation Proposition If A is unambiguous then P (tM ) · V (tM • , tA • )

V (s, q) = (tM ,tA )∈(s,q)•



#25


V (s, q) = (tM ,tA )∈(s,q)•

Moreover, for every persistent SCC C , if C is deterministic then V (s, q) = 1 for all s, q ∈ C if C is separated then

q:(s,q)∈C

V (s, q) = 1 for all s ∈ C


#25



V (s, q) = (tM ,tA )∈(s,q)•

Moreover, for every persistent SCC C , if C is deterministic then V (s, q) = 1 for all s, q ∈ C if C is separated then

q:(s,q)∈C

V (s, q) = 1 for all s ∈ C

Equation system decomposed and solved for each component



#26



#27


Experimentation: the ProbaTaf tool Probabilistic systems described by bounded Petri nets LTL formulas on the Petri net: transitions, markings and “dead” explicit description of the probabilistic system symbolic BDD-based representation of ω -automata on-the-fly verification algorithm [Cou99] simple Gauss elimination algorithm for evaluation application to several examples: biased dice game [KY76] randomized election algorithm [MSZ03] LPAR - 25 September 2003


#28

Experimentation: the ProbaTaf tool


#29


Conclusion and perspectives Optimal automata-based approach for LTL verification Allows evaluation Based on properties of ω -automata: separation and unambiguity Java implementation of the method


#29


Conclusion and perspectives Optimal automata-based approach for LTL verification Allows evaluation Based on properties of ω -automata: separation and unambiguity Java implementation of the method Future work precision of the solver infinite-state probabilistic systems stochastic systems LPAR - 25 September 2003

#30


References [Cou99]

Jean-Michel Couvreur. On-the-fly verification of linear temporal logic. In FM’99—Formal Methods, Volume I, volume 1708 of Lecture Notes in Computer Science, pages 253–271. Springer, 1999.

[Cou00]

Jean-Michel Couvreur. Un point de vue symbolique sur la logique temporelle linéaire. In Actes du Colloque LaCIM 2000, volume 27 of Publications du LaCIM, pages 131–140. Université du Québec à Montréal, August 2000.

[CY95]

Costas Courcoubetis and Mihalis Yannakakis. The complexity of probabilistic verification. Journal of the ACM, 42(4):857–907, July 1995.

[KY76]

Knuth and Yao. The complexity of nonuniform random number generation. In Algorithms and Complexity: New Directions and Recent Results, Ed. J. F. Traub. Academic Press, 1976.

[MSZ03] Yves Métivier, Nasser Saheb, and Akka Zemmari. A uniform randomized election in trees. In SIROCCO 10, volume 17 of Proceedings in Informatics, pages 259–274. Carleton Scientific, 2003. [Var85]

M. Y. Vardi. Automatic verification of probabilistic concurrent finite-state programs. In Proc. 26th IEEE Symp. Foundations of Computer Science (FOCS’85), Portland, OR, USA, Oct. 1985, pages 327–338, 1985.

[Var99]

M. Y. Vardi. Probabilistic linear-time model checking: An overview of the automata-theoretic approach. In Proc. 5th Int. AMAST Workshop Formal Methods for Real-Time and Probabilistic Systems (ARTS’99), Bamberg, Germany, May 1999, volume 1601 of Lecture Notes in Computer Science, pages 265–276. Springer, 1999.

[VW94]

Moshe Y. Vardi and Pierre Wolper. Reasoning about infinite computations. Information and Computation, 115(1):1–37, 1994. LPAR - 25 September 2003