Verifying probabilistic system with EpCTL - CiteSeerX

Verifying probabilistic system with EpCTL Pedro Baltazar and Paulo Mateus SQIG-Intituto de Telecomunica¸co˜es and IST, Portugal∗

Abstract A temporal logic for reasoning about probabilistic systems is considered - exogenous probabilistic computation tree logic (EpCTL). Both a syntactic and a semantic approach to verify systems with EpCTL are introduced. For the first approach a (weakly) complete Hilbert calculus is given. The completeness result capitalizes in the decidability of the existential theory of the real numbers and in a PSPACE SAT algorithm for the state logic. For the model checking approach, the semantics is simplified to (probabilistic) Kripke structures where probability distributions are modeled with floating point arrays. In this case, the model-checking algorithm turns up to be polynomial in the size of the model. The results are illustrated with a simple asynchronous probabilistic programming language where some examples are specified and analyzed.

1

Introduction

Reasoning about probabilistic systems has been a very important research subject with applications in many fields such as security, performance analysis, system verification, traffic analysis and even bioinformatics. In this context, the use of formal methods, and in particular of logic, via syntactic (computer-aided proof systems) and semantic (model-checking tools) approaches, has been highly beneficial to the community. Herein we consider a temporal probabilistic logic, exogenous probabilistic computation tree logic (EpCTL) [1], as the base logic for reasoning about concurrent probabilistic systems. EpCTL is a temporal extension of the state logic EPPL [15]. The state logic allows for complex quantitative reasoning about probability distributions while its temporal extension allows to reason about the changes that the distributions suffer over time. In this paper we introduce both a syntactic and a semantic approach to verify systems with EpCTL namely a (weakly) complete Hilbert calculus and a polynomial-time model-checking algorithm. The contributions of this paper, taking into account the results presented in [15] for EPPL and in [1] for EpCTL, are very significant. Concerning the state ∗ This work was partially supported by FCT and EU FEDER through PTDC, namely via QSec PTDC/EIA/67661/2006 Project. Pedro Baltazar also supported by FCT and EU FEDER PhD fellowship SFRH/BD/22698/2005.

1

logic, we obtain a small model theorem with polynomial bound. To derive this theorem we use techniques from linear programming. Capitalizing in the small model theorem we are able to set a PSPACE bound to the SAT problem for EPPL, which was previously thought to be in EXPSPACE.1 Moreover, the SAT algorithm allows to obtain a simpler Hilbert calculus for EPPL than that presented in [15].2 Concerning the temporal logic EpCTL, we introduce a complete Hilbert calculus. Moreover, from the PSPACE bound of the SAT problem for EPPL we show that the SAT problem for EpCTL is EXPTIME complete. Finally, we improve the model-checking algorithm presented in [1], and detail its complexity. The logic described here is somewhat related with the logic PCTL proposed by Hansson and Jonsson [11]. PRISM [12, 13] is a well known symbolic modelchecker for PCTL. There is a fundamental difference between the semantics of the proposed logic EpCTL and PCTL; whereas PCTL enables reasoning about distributions over paths in a probabilistic transition system, EpCTL is designed for reasoning about how a probability distribution over a finite set of propositional symbols changes over time. For the sake of space, we do not give a detailed comparison between PCTL and EpCTL, and leave this task for future work. This paper is structured as follows. In Section 2 we present the state logic EPPL and obtain several relevant results: small model theorem; PSPACE SAT algorithm; (revisited) complete Hilbert calculus; and model-checking algorithm. In Section 3 we present EpCTL together with some relevant theorems: complete Hilbert calculus; a draft of the EXPTIME complete SAT algorithm; and the polynomial model-checking algorithm. In Section 4, we introduce a probabilistic concurrent programming language that can be used to specify models of EpCTL. Finally, we draw some conclusions in Section 5.

2

The probabilistic state logic

The logic used to reason about probabilistic states is a version of the Exogenous Probabilistic Propositional Logic (EPPL) [15]. This logic is an extension of the probabilistic logic proposed by Fagin et al [10], that was initially introduced in [14] to reason about quantum states and further developed in the context of a Hoare-like logic [5]. In this section, we present a complete Hoare calculus and a model-checking algorithm for EPPL. These results are essential to derive similar ones for EpCTL, which we detail in Section 3. 1 This technique can not be used to reduce the EXPSPACE bound for the similar quantum logic - EQPL [14]. 2 There is an small acknowledged error in the EPPL calculus presented in [15] that, thanks to the SAT algorithm introduced herein, was corrected.

2

Syntax Following the exogenous approach, the language of EPPL consists of formulas at two levels. The formulas of the first level – basic formulae – allow us to reason about program variables and states, that at this point we abstract as a finite set of propositional symbols Λ. The formulas of the second level – global formulae – allow us to perform probabilistic reason. We also consider probabilistic terms to denote real numbers used for quantitative reasoning at the global formulae level. The syntax of the language is given by mutual recursion as presented in Table 2. β := p 8 (¬β) 8 (β ⇒ β)

basic formulae

R t := z 8 0 8 1 8 ( β) 8 (t + t) 8 (t.t)

probabilistic terms

δ := (¤β) 8 (t ≤ t) 8 (∼δ) 8 (δ ⊃ δ)

global formulae

where p ∈ Λ, z ∈ Z. Concerning basic formulae, ranged over by β, β1 , . . ., we assume the usual propositional abbreviations for falsum ⊥, disjunction (β1 ∨ β2 ), conjunction (β1 ∧ β2 ) and equivalence (β1 ⇔ β2 ). The probability terms, ranged over by t, t1 , . . ., denote elements of the real numbers. We assume a finite set of (deterministic) real variables, Z, ranging over elements of algebraic real numbers. The probability terms also contain the 0 and 1 real constants that, together with addition, multiplication and the set of logical Rvariables, allow us to express all algebraic real numbers. The probability term ( β) denotes Rthe probability of the set of valuations that satisfy β. The terms of the kind ( β) shall henceforth be called measure terms. The global formulas, ranged over by δ, δ1 , . . ., are built from modal formulas (¤β), comparison formulas (t1 ≤ t2 ) and the connectives ∼, ⊃. The modal formula (¤β) allows us to impose restrictions on the probability space, namely to impose that all valuations of the sample space satisfy β. We shall also use (♦β) as an abbreviation for (∼(¤(¬β))). Intuitively, (♦β) is satisfied if there is at least one valuation in the probability measure that satisfies β. Observe that ¤ and ♦ are not full fledged modalities, since they cannot be nested3 . Other global connectives {⊥ ⊥, ∪, ∩, ≡} and comparison operators {=, ≥, } are introduced as abbreviations in the classical way. For instance, the global falsum ⊥ ⊥ stands for (¤p∩(∼¤p)) and (t1 = t2 ) stands for ((t1 ≤ t2 )∩(t2 ≤ t1 )). The notion of occurrence of a term t and a global formula δ1 in the global formula δ is defined as usual. The same holds for the notion of replacing zero or more occurrences of probability terms and global formulas. For the sake of clarity, we shall often drop parentheses in formulas and terms if it does not lead to ambiguity. 3 We

do not have formulas such as ¤(¤β).

3

We shall also identify here a useful sublanguage of probabilistic state formulas which do not contain any occurrence of a measure term. κ α

:= (a ≤ a) 8 (∼κ) 8 (κ ⊃ κ) := z 8 0 8 1 8 (α + α) 8 (α.α)

The terms of this sublanguage will be called analytical terms and the formulas will be called analytical formulas. This language is relevant because it is possible to apply the SAT algorithm for the existential theory of the real numbers to any analytical formula.

Semantics The models of EPPL are tuples m = (Ω, F, µ, X) where (Ω, F, µ) is a probability space and X = (Xp )p∈Λ is a stochastic process over (Ω, F, µ) where each Xp is a Bernoulli random variable, that is, Xp ranges over 2 = {0, 1}. Observe that each basic EPPL formula β induces a Bernoulli random variable Xβ : Ω → 2 defined as follows: • X(¬β) (ω) = 1 − Xβ (ω); • X(β1 ⇒β2 ) (ω) = max((1 − Xβ1 (ω)), Xβ2 (ω)). So, each basic formula β will represent the measurable subset {ω ∈ Ω : Xβ (ω) = 1}. Moreover, each ω ∈ Ω induces a valuation vω over Λ such that vω (p) = Xp (ω), for all p ∈ Λ. Given an EPPL model m = (Ω, F, µ, X) and attribution γ for real variables, the semantics of global formulas is defined in the following way: • Denotation of probabilistic terms: – [[r]]m,γ = r; [[z]]m,γ = γ(z); [[0]]m,γ = 0; [[1]]m,γ = 1; – [[t1 + t2 ]]m,γ = [[t1 ]]m,γ + [[t2 ]]m,γ ; [[t1 .t2 ]]m,γ = [[t1 ]]m,γ .[[t2 ]]m,γ ; R R – [[( β)]]m,γ = Xβ dµ = µ(Xβ−1 (1)) is the expected value of Xβ , that is, the probability of observing an outcome ω such that vω satisfies β. • Satisfaction of global formulas: – m, γ ° (¤β) iff Ω = Xβ−1 (1); – m, γ ° (t1 ≤ t2 ) iff [[t1 ]]m,γ ≤ [[t2 ]]m,γ ; – m, γ ° (∼δ) iff m, γ 6° δ; – m, γ ° (δ1 ⊃ δ2 ) iff m, γ ° δ2 or m, γ 6° δ1 . Probabilistic terms without occurrences of real variables are called closed terms. A global formula only involving closed terms is called a closed global formula. Clearly, the denotation of closed terms is independent of the attribution. 4

Consequently, the satisfaction of closed global formulas are also independent of the attribution. So, in these cases, we drop the attribution from the notation. Remark 2.1 To design a SAT algorithm for EPPL it is important to make some observations on EPPL models. Let Vm = {vω : ω ∈ Ω} be the set of all valuations over Λ induced by m. The basic cylinders, also called rectangles, of an EPPL model m are the subsets B = {v ∈ Vm : v(p1 ) = b1 , . . . , v(pk ) = bk } for k ≥ 0, p1 , . . . , pk ∈ Λ and b1 , . . . , bk ∈ 2. Let Bm be the set of all basic cylinders of m. Observe that an EPPL model m = (Ω, F, µ, X) induces a probability space Pm = (Vm , Fm , µm ) over valuations, where Fm ⊆ 2Vm is the σ-algebra generated by the basic cylinders Bm and µm is defined over basic cylinders by µm (B) = µ({ω ∈ Ω : vω ∈ B}) for all B ∈ Bm . Moreover, given a probability space over valuations, P = (V, F, µ) we can construct an EPPL model mP = (V, F, µ, X) where Xp (v) = v(p). It is easy to see that m and mPm satisfy precisely the same formulas. This means that it is enough for a SAT algorithm to search for probability spaces over valuations. Example 2.2 A simple EPPL model is one describing the toss of two fair coins. Each coin represents a probabilistic bit, that is, the set of propositional symbols is Λ = {p1 , p2 } where p1 models one coin and p2 models the other coin. The outcome of tossing the two coins is described by m = ({00, 01, 10, 11}, 2{00,01,10,11} , µ, X) where µ(xy) = 41 , Xp1 (xy) R = x and Xp2 (xy) = y for all x, y ∈ {0, R1}. It is easy to see that m ° (1 + 1)( p1 ) = 1 (which we abbreviate to m ° ( p1 ) = 21 , as usual for formulas in real ordered fields).

Example 2.3 An EPPL model more complex than that in Example 2.2 can be obtained from a probabilistic cellular automaton. Let (X0 , . . . , X9 ) be the random Boolean vector representing the state of a one dimension probabilistic cellular automaton with 10 cells. Assume that the automaton starts at state 0110000101 and consider the probabilistic local rules of the automaton as described in the Table 1. It is possible to define an EPPL model representing the probabilistic behavior of the cells. To this end, we denote P(Xi = 1) = 1 − qi (0) by qi (1), for all i ∈ Z10 . Clearly, we have a propositional symbol describing the state of each position of the Boolean vector, that is Λ = {p0 , . . . , p9 }. The outcome space Ω is the set of all configurations with positve probability Ω ⊆ 210 and F = 2Ω . Given a configuration ω = x0 . . . x9 ∈ Ω its probability is given by µ(x0 . . . x9 ) = q0 (x0 ) × · · · × q9 (x9 ). Finally, the EPPL model representing the state of the cells after applying the rules to state

5

Table 1: Probabilistic local rules xi−1 xi xi+1 000 001 010 011

qi (0) = P(Xi = 0) 1/4 1 2/3 0

xi−1 xi xi+1 100 101 110 111

qi (0) = P(Xi = 0) 1/3 2/3 2/7 1/3

The index i in xi are taken module 10.

0110000101 is given by m = (Ω, F, µ, X) over Λ such that Xi (x0 . . . x9 ) = xi .

It is easy to check that m ° ¤(p1 ∧ (¬p6 )), which captures a deterministic behavior of the cellular automaton. For a quantitative example consider that R R m ° ( (p5 ∨ p8 )) < ( (p0 ⇒ p5 )) R R 11 since [[( (p5 ∨ p8 ))]]m < [[( (p0 ⇒ p5 ))]]m corresponds to 56 < 12 .

Given that we are working towards a complete Hilbert calculus for EPPL through a SAT algorithm, it is relevant to understand whether EPPL fulfills a small model theorem. If this is the case then an upper bound on the size of the satisfying models would imply the decidability of the logic (since it would be enough to search for models up to this bound).

Small model theorem To obtain a small model theorem we start by defining a quotient construction. Let δ be an EPPL formula. We denote the sets of inequalities and basic subformulas occurring in δ by iq(δ) and bsf (δ), respectively. Moreover, we denote the (finite) set of propositional symbols that appear in δ by prop(δ). Given a formula δ and an EPPL model m = (Ω, F, µ, X), we define the following relation on the sample space Ω: ω1 ∼δ ω2 iff Xp (ω1 ) = Xp (ω2 ) for all p ∈ prop(δ)

6

Lemma 2.4 The relation ∼δ is a finite index equivalence relation on Ω and if ω1 ∼δ ω2 then Xβ (ω1 ) = Xβ (ω2 ) for all β ∈ bsf (δ). Proof: Clearly ∼δ is an equivalence relation. The set prop(δ) is finite, so, it allows only a finite number of different ∼δ classes. The second part of the Lemma is straightforward by structural induction in β. Let ω1 , ω2 ∈ Ω such that ω1 ∼δ ω2 . Base: true by definition. Step: • In the case (¬β) we have X(¬β) (ω1 ) = 1 − Xβ (ω1 ) = 1 − Xβ (ω2 ) = X(¬β) (ω2 ); • In the case (β1 ⇒ β2 ) we have X(β1 ⇒β2 ) (ω1 ) = max(1−Xβ1 (ω1 ), Xβ2 (ω1 )) = max(1−Xβ1 (ω2 ), Xβ2 (ω2 )) = X(β1 ⇒β2 ) (ω2 ). QED

Let propω (δ) be the subset of propositional symbols of δ such that Xp (ω) = 1. We denote by [ω]δ the ∼δ class of ω. Lemma 2.5 Let ω ∈ Ω,    \ \ [ω]δ =  {ω 0 : Xp (ω 0 ) = 1}  p∈propω (δ)

 \

{w0 : Xp (ω 0 ) = 0} .

p∈prop(δ)\propω (δ)

Moreover, [ω]δ ∈ F. Proof: For the first claim, observe that if ω1 ∼δ ω2 then propω1 (δ) = propω2 (δ). Using the facts that (Xp )p∈Λ are random variables and F is closed to finite intersections we prove the last claim. QED

Taking an EPPL model m = (Ω, F, µ, X) and an EPPL formula δ, we define the quotient model m/ ∼δ = (Ω0 , F 0 , µ0 , X0 ) where: • Ω0 = Ω/ ∼δ 0 • F 0 = 2Ω • µ0 (B) = µ(∪B) • Xp0 ([ω]δ ) = Xp (ω)

is the finite set of ∼δ classes; is the power set σ-algebra; for all B ∈ F 0 ; for all p ∈ Λ.

Next, we check that the quotient model is well defined. 7

Proposition 2.6 Let m = (Ω, F, µ, X) be an EPPL model and δ an EPPL formula, then m/ ∼δ = (Ω0 , F 0 , µ0 , X0 ) is a finite EPPL model . Proof: By Lemma 2.4, Ω0 is a finite set. If B ∈ F 0 , then ∪B = ∪{[s]δ : [s]δ ∈ B} is in F by Lemma 2.5. By definition we get that µ0 ([s]δ ) = µ([s]δ ) and µ0 (Ω0 ) = µ(∪Ω0 ) = µ(Ω) = 1. So, µ0 is a finite probabilistic measure over Ω0 . QED

Now, we prove that satisfaction is preserved by the quotient construction and, consequentially, that any satisfiable formula has a finite discrete EPPL model of size bounded by the formula length. We take the length of a basic formula, probabilistic terms or global formula, to be the number of symbols required to write the formula or term. The length of a formula or term ξ is denoted by |ξ|. Theorem 2.7 (Small Model Theorem) If δ is a satisfiable EPPL formula then it has a finite model using at most 2|δ| + 1 algebraic real numbers. Proof: Let m = (Ω, F, µ, X) be an EPPL model of δ. We start by computing the quotient model m0 = m/ ∼δ that is a finite discrete EPPL model of size 2|prop(δ)| ∈ O(2|δ| ) and then we will reduce the model to use 2|δ|+1 real numbers. Observe that in the quotient model m0 we need a real number for each valuation over prop(δ), therefore we need at most 2|δ| real numbers. We start by proving that m0 satisfies δ. Note that m and m0 agree in the denotation R of probabilistic terms. The only non trivial case are the terms ( β). For β ∈ bsf (δ) and using Lemma 2.5 we get R R [[ β]]m0 ,γ = µ0 (Xβ0 = 1) = µ(∪{Xβ0 = 1}) = µ(Xβ = 1) = [[( β)]]m,γ , for any attribution γ of the real variables. By structural induction on terms of δ we get that m and m0 agree on inequations. For any subformula ¤β of δ we have that m, γ ° ¤β iff Ω = Xβ−1 (1) iff Ω0 = (Xβ0 )−1 (1) iff m0 , γ ° ¤β. Now, since m and m0 agree on inequations (t1 ≤ t2 ) and modal formulas ¤β, we get by structural induction that m0 is a model for δ. 00 Finally, we will simplify m0 to obtain a model m00 = (Ω00 , 2Ω , µ00 , X00 ) of δ −1 such that |Ω00 | ≤ 2|δ| + 1. Let bsf (δ) = {β1 , . . . , βk } and Ω0βi = X 0 βi (1) ⊆ Ω0 . Observe that k ≤ |δ|. Then, we can build a system of k+1 equations  P 0  ω∈Ω0β xω = µ (Xβ1 = 1)  1   .P .. 0  ω∈Ω0β xω = µ (Xβk = 1)   k  P ω∈Ω0 xω = 1 for which we know that there is a non-negative solution xω = µ0 ({ω}) for all ω ∈ Ω0 . From linear programming it is well known that if a system of k + 1 8

linear equations has a non-negative solution, then there is a solution ρ for the system with at most k + 1 variables taking positive values (see, for instance, Theorem 9.3 in [6]). Then, we can construct a model m000 such that Ω000 = {ω ∈ Ω0 : ρ(xω ) > 0} and µ000 ({ω}) = ρ(xω ). Observe that m000 ° (t1 ≤ t2 ) iff m0 ° (t1 ≤ t2 ) for each inequation (t1 ≤ t2 ) occurring in δ. However, it might be the case that m000 ° ¤β and m0 6° ¤β for some subformula ¤β of δ, since Ω000 ⊆ Ω0 . Then, for each subformula ¤β of δ such that m0 6° ¤β and m000 ° ¤β there exists ωβ ∈ Ω0 \ Ω000 such that vωβ 6° β. We can now construct the model m00 where Ω00 = Ω000 ∪ {ωβ ∈ Ω0 \ Ω000 : m0 ° 6 ¤β and m000 ° ¤β}, ½ 000 µ (ω) if ω ∈ Ω000 00 µ (ω) = 0 otherwise and Xp00 (ω) = Xp0 (ω) for all ω ∈ Ω00 . Clearly, |Ω00 | ≤ 2|δ| + 1 and m00 ° δ. Finally, from the first order theory if real ordered fields, if there is a model using real numbers for a real closed formula, then there is a model using only algebraic real numbers [2] (since the logic can not specify transcendental real numbers with a single formula – we need an infinite number of formulas to be able to specify a transcendental real number), so the solution of the system can be made just with algebraic real numbers. QED

The small model theorem does not put a bound on the size of the representation of the algebraic real numbers. Indeed, an algebraic real number can be represented as the root of a polynomial of integers, and this polynomial could increase without any bound. Fortunately, thanks to the fact that the existential theory of the real numbers can be decided in PSPACE [4], we find a bound on the size of the real representations in function of the size of the formula, which will lead to a SAT algorithm for EPPL.

Decision algorithm for EPPL satisfaction The decision algorithm for EPPL satisfaction follows from the existential theory of the real numbers and the small model theorem. Before presenting the algorithm we introduce some notation. Like before, given an EPPL formula δ we will denote by iq(δ) the set of all subformulas of δ of the form (t1 ≤ t2 ). Moreover, we denote by bf¤ (δ) the set of all subformulas of δ of the form ¤β and by at(δ) the set of all global atoms of δ, that is, at(δ) = bf¤ (δ) ∪ iq(δ). By an exhaustive conjunction ε of literals of at(δ) we mean that ε is of the form α1 ∩ . . . ∩ αk where each αi is either a global atom or a negation of a global atom. Moreover, all global atoms or their negation occur in ε, so, k = |at(δ)|. Given a global formula δ, we denote by δpαα the propositional formula obtained by replacing in δ each global atom α with a fresh propositional symbol pα , and replacing the global connectives ∼ and ⊃ by the propositional connectives ¬

9

and ⇒, respectively. We denote by vε the valuation over propositional symbols pα such that v² (pα ) = 1 iff α occurs not negated in ε. Given an exhaustive conjunction ε of literals of at(δ), we denote by lbf¤ (ε) the set of basic formulas such that β ∈ lbf¤ (ε) if occurs positively in ε (that is, not negated). Similarly, the set of basic formulas that occur nested by a ∼¤ in ε is denoted by lbf♦¬ (ε). Finally, we denote all the inequality literals occurring R ( β) P in ε by liq(ε). Given a global formula α in liq(ε) we denote by α {xv :v∈V,v°β} R the analytical formula where all terms of the form ( β) are replaced in α by P x where each x is a fresh variable. v v∈V,v°β v We need the PSPACE SAT algorithm of the existential theory of the reals numbers [4], that we denote by SatReal. We assume that this algorithm either returns no model, if there is no solution for the input system of inequations, or a solution array ρ, where ρ(x) is the solution for variable x. We denote by var(δ) the set of real logical variables that occur in δ. Given a solution ρ for a system with X variables and a subset Y ⊆ X, we denote by ρ|Y the function that maps each element y of Y to ρ(y).

Algorithm 1: SatEPPL(δ) Input: EPPL formula δ Output: (V, µ) (denoting the EPPL model m = (V, 2V , µ, X)) and attribution γ or no model 1 2

3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

compute bf¤ (δ), iq(δ) and at(δ); foreach exhaustive conjunction ε of literals of at(δ) such that vε ° δpαα do compute lbf¤ (ε), lbf♦¬ (ε) and liq(ε); foreach V ⊆ 2prop(δ) such that 0 < |V | ≤ 2|δ| + 1, V ° ∧lbf¤ (ε) and V 6° β for¡all ¢ do ¡T ¢ P β ∈ lbf♦¬ (ε) κ ←− x = 1 ∩ v v∈V v∈V 0 ≤ xv ; foreach α ∈ liq(ε) do R ( β) P κ ←− κ ∩ α {xv :v∈V,v°β}; end ρ ←− SatReal(κ); if ρ 6= no model then µρ ←− ρ|{xv :v∈V } ; γρ ←− ρ|var(δ) ; return (V, µρ ) and attribution γρ ; end end end return (no model); We now explain the algorithm and show its soundness. Given an EPPL 10

formula δ, we start by computing (line 1) its global atoms bf¤ (δ), iq(δ) and at(δ). Observe that computing these sets can be done in PSPACE. Next, we see δ as the propositional formula δpαα (which is obtained by replacing each global atom α with a propositional symbol pα ) and cycle over all exhaustive conjunctions ε such that vε ° δpαα (line 2). Observe that if δ has a model m, γ then this model will either satisfy or not all global atoms at(δ). Therefore, there is an exhaustive conjunction ε such that m, γ is a model of ε and, moreover, in this case, vε ° δpαα . On the other hand, if δ has no model, then all ε such vε ° δpαα have no model. Hence, to find a model for δ it is enough to find a model for an ε such that vε ° δpαα . Observe that at each step of the cycle of line 2 we only need to store one such ε, which requires only polynomial space. In the body of the cycle we check whether, given such ε, there is an EPPL model that satisfies all literals occurring in ε. To check if there is an EPPL model for ε we start by computing lbf¤ (ε), lbf♦¬ (ε) and liq(ε) (line 3), which can also be stored in polynomial space. Given Remark 2.1, it is enough to check for models where the outcome space Ω is given as a set of valuations of the basic propositional symbols. Moreover, thanks to the small model theorem (Theorem 2.7), it is enough to search for sets of valuations V such that |V | ≤ 2|δ| + 1. Observe that V has to satisfy the modal literals ¤β and ∼¤β occurring in ε, that is: (i) for all β ∈ lbf¤ (ε) and v ∈ V we have that v ° β; (ii) for all β ∈ lbf♦∼ (ε) there exists v ∈ V such that v 6° β. We can rewrite (i) as V ° ∧lbf¤ (ε) and (ii) as V 6° β for all β ∈ lbf♦¬ (ε). Hence, it is enough to construct a model with a set of valuations that fulfill the guard of the cycle of line 4. In the body of this cycle we will check if there is a model of ε taking such V a set of outcomes, that is, if there is a solution for the inequations in liq(²). Since we only have to store a set of valuations V with |V | ≤ 2|δ| + 1 at each step of the cycle, once again we need only polynomial space. Next, we search for a model of the inequations in liq(ε) having a set of outcomes V (line 5). To this end we consider a fresh real logical variable xv for each v ∈ V representing each probability. The idea behind this step is to build an analytical formula κ that contain the two probability constrains expressed inR line 5 and the inequations in liq(ε), joined to κ in line 7, where the terms P ( β) are rewritten by v∈V :v°β xv , that is, we rewrite the measure terms by the measure of its outcomes. In line 9 we call the SatReal algorithm for a solution (model) to κ. Since |κ| is polynomial on |δ| and the set of variables in κ is polynomially bounded by |δ|, the SatReal will compute the solution in PSPACE. If such solution ρ exists we have succeeded in finding a model for δ. Hence, we return (V, µρ ) and γρ , where µρ (v) is ρ(xv ) (line 11) and γρ is the restriction of ρ to var(δ) (line 12). As stated in Remark 2.1 this is enough to construct an EPPL model. If there is no solution ρ then we could not find a solution for this set V of valuations, and have to try with another V . Finally, if for all ε and V we are not able to find a solution, then there is no model for δ. We formalize the above result in the following theorem. Theorem 2.8 Algorithm 1 decides the satisfiability of an EPPL formula in 11

PSPACE.

Completeness of EPPL In [15] it is shown that a superset of axioms and inference rules in Table 2 is a sound and a (weakly) complete axiomatization of EPPL. Herein, and thanks to the EPPL SAT algorithm, we are able to show that the calculus presented in Table 2 is weakly complete.

Table 2: Complete Hilbert calculus for EPPL Axioms: • [CTaut] `EPPL (¤β) for each valid propositional formula β; • [GTaut] `EPPL δ for each instantiation of a propositional tautology δ; • [Lift ⇒] `EPPL (¤(β1 ⇒ β2 ) ⊃ (¤β1 ⊃ ¤β2 )); • [Eqv ⊥] `EPPL (¤⊥⇔ ⊥ ⊥); • [RCF] `EPPL (t1 ≤ t2 ) for each instantiation of a valid analytical inequality; R • [Prob] `EPPL (( >) = 1); R R R R • [FAdd] `EPPL ((( (β1 ∧ β2 )) = 0) ⊃ (( (β1 ∨ β2 )) = ( β1 ) + ( β2 ))); R R • [Mon] `EPPL (¤(β1 ⇒ β2 ) ⊃ (( β1 ) ≤ ( β2 ))); Inference Rules: • [Mod] δ1 , (δ1 ⊃ δ2 ) `EPPL δ2 . It is impossible to obtain a strongly complete axiomatization (that is, if ∆ ° δ then ∆ ` δ, for arbitrary large ∆, eventually infinite) because the logic is not compact [15]. Nevertheless, weakly completeness is enough for software verification, since a program specification generates a finite number of hypothesis. We can simplify the proof in [15] thanks to the SAT algorithm presented before. The soundness of the calculus of Table 2 is straightforward, and so, we focus on the completeness. Theorem 2.9 The set of rules and axioms of Table 2 is a weakly complete axiomatization of EpCTL. Proof: To show completeness we use a contrapositive argument: if 6` δ then 6° δ. By definition, a formula δ is consistent if 6` ∼δ. So, if we prove that every

12

consistent formula δ has a model we get the completeness result. To check this fact, observe that if 6` δ then 6` ∼∼δ, that is, ∼δ is consistent. If ∼δ is consistent it has a model and therefore, 6° δ. So, we will prove that every consistent formula δ has a model. Assume by contradiction that δ is consistent and the SAT algorithm returns no model. Let A = {ε exhaustive conjunction of literals : vε ° δpαα }. By the completeness of α propositional logic it follows that ` (∨ε∈A εα pα ) ⇔ δpα , and by GTaut we have that ` ∪A≡δ. If δ is consistent then there is ε consistent, and if δ has no model, then the consistent ε has no model as well. If the SAT algorithm returns no model for ε it has to be for one of the following two reasons: (i) it can not find a V at line 4; (ii) for all viable V the SatReal algorithm returns no model at line 9. We will now show that for both cases we can contradict the consistency of ε. In case (i) – no V can be found at line 4 – it cannot be because |V | > 2|δ|+1, thanks to the small model theorem. This means that if we remove the bound 0 < |V | ≤ 2|δ| + 1 in line 4, and consider all possible sets of valuations the algorithm would also fail. In particular, take V = 2prop(δ) , it must happen (a) V 6° ∧lbf¤ (ε) or (b) V ° β for some β ∈ lbf♦¬ (ε). For case (a) we have that 6° ∧lbf¤ (ε) and so, 6° β for some β ∈ lbf¤ (ε), or equivalently ° β ⇒ ⊥. But by completeness of the propositional calculus we have that ` β ⇒ ⊥, by CTaut we have that ` ¤(β ⇒ ⊥) and by Lift⇒ and Eqv⊥ we have that ` ∼(¤β) from which follows ` ∼ε which contradicts the consistency of ε. In case (b) there is β ∈ lbf♦¬ (ε) such that β is a tautology. Then, by CTaut, ` ¤β. From the last derivation we get ` ∼ε, which contradicts the consistency of ε. In case (ii),the algorithm fails at line 9 for all viable V computed in line 4. Thanks to the small model theorem it means that the algorithm would also fail at line 9 for all V such that V ° ∧lbf¤ (ε) and V 6° β for all β ∈ lbf♦¬ (ε),

(1)

independently of the bound on the size of V . It is easy to see that the sets of valuations satisfying (1) are closed for unions, and therefore there is the largest V fulfilling (1), say Vmax , and for this set the algorithm would fail at line 9. Let V c = 2prop(δ) \ Vmax , since ε is consistent it is easy to see that ε0 = ε ∩v∈V c ¤¬βv is consistent, where βv is a propositional formula that is satisfied only by valuation v. Indeed, ` ∧lbf¤ (ε) ⇒ ¬βv for all v ∈ V c , from which we derive that ` (∩β∈lbf¤ (ε) ¤β) ⊃ (∩v∈V c ¤¬βv ) and so ` ε0 ≡ ε. Thus, if ε is consistent then ε0 is also consistent, and if there is no model for ε then there is no model for ε0 as well, and the algorithm will fail precisely in line 9. By RCF we have ` ∼κx(Rv βv ) , where κx(Rv βv ) is the formula κ where we replace R each variable xv by the term ( βv ) with βv a propositional formula R that is satisfied only by v. By Prob, FAdd and Mon we have ` (¤¬βv ) ⊃ (( βv ) = 0), 13

thus we can derive

R ` ε0 ⊃ (∩v∈V c (( βv ) = 0)).

(2)

From ` ∼κx(Rv βv ) and FAdd and RCF we obtain that R ` ∩v∈V c (( βv ) = 0) ⊃ ∼ ∩α∈liq(δ) α.

(3)

Finally, by CTaut we have ` ∼ ∩α∈liq(δ) α ⊃ ∼ε0 .

(4)

So, from (2), (3) and (4) we obtain with tautological reasoning ` ε0 ⊃ ∼ε0 from which we conclude ` ∼ε0 . This contradicts the consistency of ε0 and thus, the consistency of δ. For this reason there must be a model for ε0 and consequently, a model for δ. QED

Model Checking EPPL Given a finite set of propositional symbols Λ and using the small model theorem we can consider that all EPPL models are defined over a discrete and finite probability space. Since for the model-checking procedure we have to deal with computer representation and, in practice, probabilities are represented by floating points and not symbolically by algebraic real numbers, we store a finite EPPL model m = (Ω, F, µ, X) using floating point arrays. Hence, we represent an EPPL model as a |Λ| × |Ω|-matrix X of boolean values for the random variables and an |Ω|-array µ of real numbers for the probabilities. The size of Ω is at most 2|Λ| . So, an EPPL models is stored in memory by the record (µ, X). Let δ be an EPPL global formula. We define the arrays bsf (δ) = (β1 , . . . , βk ), pst(δ) = (t1 , . . . , ts ) and gsf (δ) = (δ1 , . . . , δm , δ) as the ordered tuples of basic subformulas, probabilistic subterms and global subformulas of δ, respectively, ordered by increasing length. An attribution γ for real logical variables is also represented by a finite array where the dimension is determined by the number of real logical variables in the formula |δ|, that is bounded by s. As usual for floating points, we assume that the basic arithmetical operations take O(1) time. Given an EPPL model m = (Ω, F, µ, X), an attribution γ and a global formula δ, the model-checking problem consists in determining whether m, γ ° δ. Model checking of EPPL is detailed in Algorithm 2.

14

Algorithm 2: CheckEPPL(m, γ, δ) Input: EPPL model m = (µ, X), attribution γ and a formula δ Output: Boolean value G(|gsf (δ)|) 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

for i = 1 to |bsf (δ)| do /* this cycle iterates O(|δ|) times */ switch βi do /* each case takes O(|Ω|) time */ case p : B(i) = Xp ; case (¬βj ) : B(i) = 1 − B(j); case (βj ⇒ βl ) : B(i) = max(1 − B(j), B(l)); end end for i = 1 to |pst(δ)| do /* this cycle iterates O(|δ|) times */ switch ti do /* each case takes O(|Ω|) */ case z : T (i) = γ(z) :; case 0Ror 1 : T (i) = ti ; case ( βj ) : T (i) = B(j).µ ; /* this case takes O(2|Ω|) */ case (tj + tl ) : T (i) = T (j) + T (l); case (tj .tl ) : T (i) = T (j).T (l); end end for i = 1 to |gsf (δ)| do /* this cycle iterates O(|δ|) times */ switch δi do /* each case takes O(|Ω|) */ |Ω| case (¤βj ) : G(i) = Πl=1 B(j, l) ; /* this case takes O(|Ω| − 1) */ case (tj ≤ tl ) : G(i) = (T (j) ≤ T (l)); case (δj ⊃ δl ) : G(i) = max(1 − G(j), G(l)); end end

The first part of the model-checking algorithm (lines 1–7) consists in writing a Boolean |bsf (δ)| × |Ω|-matrix B where the entry B(i, j) is Xβi (ωj ), for all 1 ≤ i ≤ |bsf (δ)| and 1 ≤ j ≤ |Ω|. In the second part of the algorithm (lines 8– 16), we evaluate all the subterms to a real |pst(δ)|-array T , where R T (i) = [[ti ]]m,γ , for all 1 ≤ i ≤ |pst(δ)|. In this part, denotation of theR term ( βi ) is calculated in line 12 by the matrix product of the two arrays, [[( βi )]]m,γ = B(i).µ, for all 1 ≤ i ≤ |bsf (δ)|. Finally, in the third part of the algorithm (lines 17–23), we evaluate all global subformulas to a Boolean |gsf (δ)|-array G, where G(i) = 1 iff m, γ ° δi , for all 1 ≤ i ≤ |gsf (δ)|, and return as output G(|gsf |). Theorem 2.10 Assuming that all basic arithmetical operations take O(1) time, there is an algorithm O(|δ| · |Ω|) to decide if an EPPL model m = (Ω, F, µ, X) and attribution γ satisfy δ. Proof: Following the complexity analysis performed in Algorithm 2 for the

15

model-checking algorithm of EPPL we conclude that each of the three rounds takes O(|δ| · |Ω|). So, the all algorithm takes also O(|δ| · |Ω|). QED

3

EpCTL

In this section we present a complete calculus and a model-checking algorithm for EpCTL, a CTL [8] extension of EPPL. EpCTL was originally proposed in [1], where the syntax and the semantics of the logic was presented together with a draft of the model-checking procedure. Herein, we present a weakly complete Hilbert calculus for EpCTL, the basic idea on how to construct the SAT algorithm and to compute its complexity, and detail and analyze the modelchecking algorithm at the light of the results of the previous section.

Syntax The syntax of EpCTL consists on enriching CTL by taking as propositional symbols the global atoms of EPPL. The syntax is detailed in Table 3. Table 3: Syntax of EpCTL β := p 8 ¬β 8 (β ⇒ β)

basic formulae

R t := z 8 0 8 1 8 ( β) 8 (t + t) 8 (t.t)

probabilistic terms

δ := (¤β) 8 (t ≤ t) 8 ∼δ 8 (δ ⊃ δ) 8 (EXδ) 8 (AFδ) 8 (E[δUδ])

global temporal formulae

where p ∈ Λ, z ∈ Z. The basic formulas and probabilistic terms have the same intuitive meaning as in EPPL. Moreover, the global formulas with temporal connectives have the same meaning as in CTL. Recall that CTL formulas hold at a particular state s: (EXδ) holds if there exists a path starting at s such that δ holds in the next state along this path; (AFδ) holds if for all paths starting at s there exists a state in those paths where δ holds; (E[δ1 Uδ2 ]) if there exists a path leaving s such that there is a state s0 along this path where δ2 holds and δ1 holds in all states between s and s0 (excluding s0 ). We also consider the usual CTL abbreviations for the connectives {EF, EG, AX, AG, A[ U ]}. So, for instance AXδ ≡ ∼EX∼δ.

16

Semantics An EpCTL structure, or a probabilistic Kripke structure, consists of a tuple M = (S, R, L) where S is a non-empty set of states, R ⊆ S × S is the accessibility relation and L is a map that assigns an EPPL model to each state in S. Our models are closely related to the models of probability and knowledge in [9]. The EpCTL semantics mimics precisely that of CTL. In a Kripke structure, L maps each state to a valuation (or equivalently to a set of propositional symbols), that is a propositional model. For probabilistic Kripke structures, L maps each state to an EPPL model. Example 3.1 Consider the probabilistic experiment of non-deterministically tossing a fair coin or throwing a fair dice. Assume that the initial state of the coin and dice are heads and 1, respectively. We can model the outcome space with the set of propositional symbols Λ = {h, d1 , . . . , d6 } that will induce Bernoulli random variables. The experiment can be modeled by a probabilistic Kripke structure M = (S, R, L) with S = {s1 , s2 , s3 , s4 }, R = {(s1 , s2 ), (s1 , s3 ), (s3 , s4 ), (s2 , s4 )} and L(i) = (Ωi , 2Ωi , µi , X) for i = 1, . . . , 4 such that Ω1 = {(h, 1)} and µ1 (h, 1) = 1; Ω2 = {(h, 1), (t, 1)} and µ2 (h, 1) = µ2 (t, 1) = 1/2; Ω3 = {(h, 1), . . . , (h, 6)} and µ3 (h, i) = 1/6 for i = 1, . . . , 6; Ω4 = {(h, 1), . . . , (h, 6), (t, 1), . . . , (t, 6)} and µ4 (h, i) = µ4 (t, i) = 1/12 for i = 1, . . . , 6; where Xh (h, i) = 1 and Xh (t, i) = 0 for all i = 1, . . . , 6, and Xdi ( , j) = 1 if i = j and 0 otherwise.R The formula EF(( d3 ) = 16 ) states that there is some course of actions that will lead in the futureR to obtain 3 in the dice with probability 16 . With the formula AX((¤h) ⊃ (( d1 ) = 1/6)) we state that in the next future moment, for any course of actions, if the state of the coin is heads (and only heads) then the dice must have been thrown. The satisfaction relation is define as expected: • M, s ° ¤β iff L(s) ° ¤β; • M, s ° (t1 ≤ t2 ) iff L(s) ° (t1 ≤ t2 ); • M, s ° (∼δ) iff M, s 6° δ ; • M, s ° (δ1 ⊃ δ2 ) iff M, s 6° δ1 or M, s ° δ2 ; • M, s ° (EXδ) iff M, s0 ° δ with (s, s0 ) ∈ R;

17

• M, s ° (AFδ) iff for all path π over R starting in s there exists k ∈ N such that M, πk , L ° δ; • M, s ° (E[δ1 Uδ2 ]) iff there exists a path π over R starting in s and k ∈ N such that M, πk , ° δ2 and M, πi , ° δ1 for every i < k. To obtain a complete Hilbert calculus for EpCTL it will be useful to translate EpCTL formulas and models to the CTL framework. To translate formulas consider the subset of atomic EPPL formulas at(EPPL), that is, the set constituted by modal formulas ¤β and inequalities (t1 ≤ t2 ). Moreover take Ξ to be a countable set of propositional symbols used to write CTL formulas. Given a fixed bijective map λ : at(EPPL) → Ξ (that translates each global atom to a CTL propositional symbol) we can translate each EpCTL formula δ to a CTL formula λ(δ) by extending inductively λ on the structure of the formula δ (and e The map preserving all connectives). For simplicity, we denote λ(δ) just by δ. λ can also be used to translate a probabilistic Kripke structure M = (S, R, L) f = (S, R, L0 ), where ξi ∈ L0 (s) iff M, s ° λ−1 (ξi ). to the CTL model M Lemma 3.2 Let M = (S, R, L) be an EpCTL model. Then, M, s °EpCTL δ

iff

e f, s °CTL δ. M

Proof: The proof follows by induction on δ. f, s ° δe by definition. • Base: If δ is (¤β) or (t1 ≤ t2 ) then M, s ° δ iff M • Step: f, s 6° δe1 iff M f, s ° 1. If δ is (∼δ1 ) then M, s ° (∼δ1 ) iff M, s 6° δ1 iff M e e e (∼δ) and δ = (∼δ1 ). f, s 6° δe1 2. If δ is (δ1 ⊃ δ2 ) then M, s ° δ iff M, s 6° δ1 or M, s ° δ2 iff M f, s ° δe2 iff M f, s ° δe and δe = (δe1 ⊃ δe2 ). or M 3. If δ is EXδ 1 then M, s ° EXδ 1 iff there is (s, s0 ) ∈ R such that M, s0 ° f, s0 ° δe1 iff M f, s ° (EXδe1 ) and δ1 iff there is (s, s0 ) ∈ R such that M e e δ = (EXδ1 ). 4. If δ is (AFδ 1 ) then M, s ° (AFδ 1 ) iff for all path π in R starting in s there is i ≥ 0 such that M, πi ° δ1 iff for all path π in R starting in s f, πi ° δe1 iff M f, πi ° (AFδe1 ) and δe = (AFδe1 ). there is i ≥ 0 such that M 5. If δ is E[δ1 Uδ2 ] then M, s ° (E[δ1 Uδ2 ]) iff there is a path π in R starting in s and i ≥ 0 such that M, πi ° δ2 and M, πj ° δ1 for all 0 ≥ j < i iff there is a path π in R starting in s and i ≥ 0 such that f, πi ° δe2 and M f, πj ° δe1 for all 0 ≥ j < i iff M f, s ° E[δe1 Uδe2 ] and M e e e δ = E[δ1 Uδ2 ]. QED

18

Complete Axiomatization of EpCTL To construct a complete axiomatization for EpCTL it is enough to add the EPPL axioms to a CTL complete Hilbert calculus with Modus Ponens. This result seems trivial but this is not the case, since the ∼ and ⊃ connectives are shared between the EPPL and the CTL logics, and could create new theorems that would not be obtained just from adding the EPPL axioms. The weakly complete EpCTL calculus introduced in Table 4 capitalizes in the CTL calculus presented in [7]. Table 4: Complete Hilbert calculus HCEpCTL for EpCTL • Axioms – [EPPL] all valid EPPL formulas; – [Taut] all instantiations of propositional tautologies; – [EX] ` EpCTL EX(δ1 ∪ δ2 ) ⇔ EXδ1 ∪ EXδ2 – [X] `EpCTL AX(>) ∩ EX(>) – [EU] `EpCTL E[δ1 Uδ2 ] ≡ δ2 ∪ (δ1 ∩ EXE[δ1 Uδ2 ]) – [AU] `EpCTL A[δ1 Uδ2 ] ≡ δ2 ∪ (δ1 ∩ AXA[δ1 Uδ2 ]) – [AG1] `EpCTL AG(δ3 ⊃ ((∼δ2 ) ∩ EXδ3 )) ⊃ (δ3 ⊃ (∼A[δ1 Uδ2 ])) – [AG2] `EpCTL AG(δ3 ⊃ ((∼δ2 ) ∩ (δ1 ⊃ AXδ3 ))) ⊃ (δ3 ⊃ (∼E[δ1 Uδ2 ])) – [AG3] `EpCTL AG(δ1 ⊃ δ2 ) ⊃ (EXδ1 ⊃ EXδ2 ) • Inference rules – [MP] δ1 , (δ1 ⊃ δ2 ) `EpCTL δ2 – [AGen] δ1 `EpCTL AGδ1

It is straightforward to check the soundness of the calculus, for this reason we omit here the lengthy exercise of verifying that all axioms and inference rules are sound. Theorem 3.3 (Soundness) The axiomatization HCEpCTL is sound. The completeness result requires reasoning solo with CTL calculus. To this end, let HCCTL and HCEPPL be a sound and (weakly) complete Hilbert calculus for CTL and EPPL respectively. Clearly, HCEpCTL = HCCTL ∪ HCEPPL is our candidate for axiomatizing EpCTL. The method to prove completeness used in [9] can not be applied here because we do not allow the interleaving of the probabilistic and temporal connectives, and so we follows the technique introduced in [3]. 19

We start by showing a simple result, EpCTL can incorporate both CTL and EPPL reasoning. Lemma 3.4 1) `CTL δe then `EpCTL δ; 2) `EPPL δ then `EpCTL δ for all EPPL formula. Proof: This follows because HCCTL , HCEPPL ⊆ HCEpCTL .

QED

Indeed, if one restricts just to EPPL formulas, EpCTL reasoning coincides with that of EPPL. Theorem 3.5 (Conservativeness) Let δ be an EPPL formula. Then `EpCTL δ

iff

`EPPL δ.

Proof: If `EpCTL δ then ²EpCTL δ by soundness of EpCTL. Let m be an EPPL model and M = ({1}, R, L) a temporal model such that L(1) = (m, γ) for some attribution γ. Hence, M, 1 ° δ iff m, γ ° δ. So, ²EP P L δ. By completeness of EPPL we get that `EPPL δ. Using 2) from Lemma 3.4 we prove the claim. QED We now try to obtain something closer to the converse of Lemma 3.4, proposition 1). To this end we need to introduce some notation. Let δ be an EpCTL formula and atEPPL (δ) = {δ1 , . . . , δk } be the set of atomic EPPL formulas that are atoms of δ. Consider the EPPL formulas ½ k \ δj if j ∈ i φi = ϕj where ϕj = (∼δj ) otherwise j=1

for i S ∈ 2k . Let A ⊆ 2k be such that φi is an EPPL consistent formula and let Ψ = i∈A φi . Clearly, `EPPL Ψ and thus, `EpCTL Ψ. Lemma 3.6 Let δ be an EpCTL formula and Ψ as above. Then e e ⊃ δ) °CTL (AGΨ

iff

°EpCTL δ.

e Suppose there is a temporal EpCTL model M = e ⊃ δ). Proof: Let °CTL (AGΨ e From the hypotheses, f, s 6° δ. (S, R, L) such that M, s 6° δ. By Lemma 3.2, M e Hence, M f, s ° (AGΨ e ⊃ δ). f, s 6° (AGΨ). e M So, there is a s0 ∈ S such that f, s0 6° Ψ. e Now, applying Lemma 3.2 again we get that M, s0 6° Ψ, e which M contradicts `EpCTL Ψ. 20

Let °EpCTL δ and suppose that M = (S, R.L) is a CTL model such that e Then M, s ° AGΨ) e Consider the EpCTL e ⊃ δ). e and M, s 6° δ. M, s 6° (AGΨ 0 0 0 0 0 model M = ({s} ∪ S , R , L ) such that S = {s ∈ S : (s, s0 ) ∈ R} is the subset of states reachable from the state s, R0 is the restriction of R to {s} ∪ S 0 , and L0 (s0 ) is the EPPL model that satisfies one of the formulas φi with i ∈ A and such that M, s0 ° φei . The existence of the EPPL model is insured by the e in all s0 ∈ S 0 and by the consistency of all ψi , with i ∈ A. satisfiability of Ψ 0 Hence, M , s 6° (AG ⊃δ). But, `EpCTL Ψ and by soundness °EpCTL Ψ. So, M 0 , s 6° δ which contradicts the hypotheses. QED

We are now able to show the completeness of HCEpCTL . Theorem 3.7 The axiomatization HCEpCTL is complete. Proof: Let °EpCTL δ be a valid EpCTL formula. With Ψ as above and by Lemma e Using CTL completeness we have `CTL (AGΨ e Now, e ⊃ δ). e ⊃ δ). 3.6, °CTL (AGΨ from Lemma 3.4 we get `EpCTL (AGΨ ⊃ δ). Hence, we are able do the following derivation in EpCTL: 1) 2) 3) 4)

`Ψ ` (AGΨ) ` (AGΨ ⊃ δ) `δ

Tautology Rule AGen Tautology Modus Ponens 2, 3

Therefore, HCEpCTL is complete.

QED

Satisfaction algorithm for EpCTL For the sake of space we do not detail the algorithm for EpCTL satisfaction but it can be easily obtained from the CTL SAT algorithm [8], which runs in EXPTIME. Given a CTL formula δ, the algorithm tries to find a structure were the states are subsets of subformulas of δ. Next, iterating over CTL consistency rules the algorithm will remove states until no more states can be removed. If the final structure is not empty it can be transformed into a Kripke structure for δ, and no model exists otherwise. The satisfaction of an EpCTL formula δ can be established by adding to this algorithm the consistency rule of removing states that fail the SAT algorithm for the conjunction of the EPPL literals in the states. Moreover, the complexity will remain in EXPTIME, since each EPPL SAT application is in PSPACE and it is called an exponential number of times. Moreover, since EpCTL contains CTL and the SAT problem for CTL is EXPTIME complete, we get that the SAT problem for EpCTL is also EXPTIME complete.

21

Model-checking algorithm Model-checking EpCTL is similar to model-checking CTL. Herein we adapt the well known CTL model-checking algorithm, as presented in [7]. The idea behind the algorithm is to label each subformula δ 0 of δ with the set of states s ∈ S that satisfies δ 0 . In the end, the algorithm returns the set of states Label(δ) that satisfies δ. The difference between the CTL algorithm and ours is that we use CheckEP P L (Algorithm 2) to model check EPPL formulas instead of verifying if a propositional symbol belong to a set. Let LabelN eg, LabelImp, LabelEX, LabelEU and LabelAG be exactly the same labeling procedures in the CTL algorithm at [7] treating global atoms (formulas of the form ¤β and t1 ≤ t2 ) as propositional symbols. The model-checking algorithm for EpCTL is described below. Algorithm 3: CheckEpCTL(M, δ) Input: temporal model M = (S, R, L) and EpCTL formula δ Output: the set Label(δ) ⊆ S satisfying δ 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

for i = 1 to |subCTL (δ)| do switch δi do case (¤β) or (t1 ≤ t2 ) : forall s ∈ S do if CheckEP P L(L(s), δi ) then Label(βi ) = Label(βi ) ∪ {s}; end end case (∼δj ) : LabelN eg(δi ); case (δj ⊃ δl ) : LabelImp(δi ); case (EXδj ) : LabelEX(δi ); case (E[δj Uδl ]) : LabelEU (δi ); case (AGδj ) : LabelAG(δi ); end end

The set subCTL (δ) used in line 1 consists of the list of all CTL subformulas of δ, ordered by increasing length. The algorithm differs from the CTL algorithm just in line 5. While in the CTL model-checking algorithm this step takes O(1) (because it consists of verifying if a valuation gives 1 to some propositional symbol), in our case this step takes O(|δ| · |Ωs |) (see Theorem 2.10) where Ωs is the size of the EPPL model for state s. Indeed, we can always consider that all states have the same outcome space Ω such that |Ω| = maxs∈S |Ωs |. In this case the size of a probabilistic Kripke structure (S, R, L) is |S| · |Ω| + |R|. Theorem 3.8 Algorithm 3 decides if an EpCTL a probabilistic Kripke structure (S, R, L) satisfies an EpCTL formula δ in O(|δ| · (|δ| · |Ω| · |S| + |R|) time. Proof: The soundness follows from the soundness of the CTL algorithm in [7]. 22

The complexity follows by noticing that the cycle in line 1 iterates O(|δ|) and the atomic case (lines 3-8) takes O(|δ| · |Ω| · |S|) time and the remaining cases (lines 9-14) take O(|S| + |R|) time (like in the CTL algorithm). QED

4

Probabilistic programming language

We defined a simple concurrent programming language with a probabilistic fair coin toss operation to specify probabilistic systems, that run in concurrently and are capable of probabilistic behavior.

Syntax Let X = {x1 , . . . , xn , . . .} and L = {`1 , . . . , `n , . . .} be countable infinity sets of binary computational variables and labels, respectively. The programs are built from binary expressions and commands. Binary expressions:

b ::= x 8 (¬b) 8 (b ⇒ b)

where x ∈ X;

Commands: C ::= skip 8 x := b 8 x ∼ toss 8 request(x) 8 release(x)8 if b then C else C fi 8 while b do C od 8 C; C 8 (C k C) The intuitive semantics of the commands is self-explanatory. The commands request and release are synchronization commands that see binary variable as binary semaphores. The x ∼ toss command attributes to x the outcome of a fair Bernouli random variable. Observe that for programming purposes it is enough to consider fair Bernoulli random variable, since all computable probability distributions can be computed from independent fair Bernoulli random variables (see for instance how probabilistic Turing machines are defined). Finally, the command k corresponds to parallel composition. To establish the semantics of a program P , we need to place a label at each basic command occurring in P . The purpose of the labeling is to control program flow and to determine the possible transitions at each step. Having this in mind, we consider an outer labeling function λL and an auxiliary inner labeling λL as defined in Table 5. A program P is a triple: a declaration of initial values of the variables σ0 ; a limit for the number of fair tosses n0 ; and a labeled command C: P ::= [σ0 , n0 , C]. From now on we will assume that all commands are labeled, and denote just by C its labeled version L(C). The assignment σ0 : XP → 2 is a partial function defined over the set XP ⊆ X of all variables occurring in C. The limit of tosses 23

Table 5: Labeling rules Outer labeling: • λL (C) = ` : λL0 (C); `ˆ semi-colon

ˆ and the head of C is not where L0 = L − {`, `}

• λL (C1 ; C2 ) = ` : λL0 (C1 ); λL00 (C2 )

with L = L0 ∪L00 ∪{`} and all disjoint

Inner labeling: • λL (C) = C,

if C is a basic command;

• λL (if b then C1 else C2 fi) = if b then λL0 (C1 ) else λL00 (C2 ) fi with L = 00 L0 ∪ L and L0 ∩ L00 = ∅ • λL (while b do C od) = while b do λL (C) od • λL ((C1 k C2 )) = (λL0 (C1 ) k λL00 (C2 ))

with L0 , L00 as above

n0 ∈ N ∪ {+∞} defines the number of times a fair coin ccan be tossed during the execution of C. We denote by LP ⊆ L the finite subset of labels of λL (C). Example 4.1 Consider the following probabilistic solution to the mutual exclusion problem: P ::= [x =0, N, `0 : x ∼ toss; l2 : loop forever  l4 : while x 6= 0 do   l6 : skip; l8  od ; l1 :    l : −critical−; 10   l12 : x ∼ toss; l14 end loop; l16 ]

l3 : loop forever l5 : while x 6= 1 do l7 : skip; l9 od ; l11 : −critical−; l13 : x ∼ toss; l15 end loop; l17

      ; l18    

R Mutual exclusion can be specified with the EpCTL formula AG( (l10 ∧ l11 )) = 0).

Semantics We will now show how to generate an EpCTL model from a program P . Given a program P := [σ0 , n0 , C] a classic configuration c for P is a triple (π, σ, n) where π : LP → 2, σ : XP → 2 and n < n0 is non-negative integer. We denote the set of all classic configurations for P by ΣP . A probabilistic

24

configuration for P is a finite probabilistic distribution η : ΣP → [0, 1]. Let D(ΣP ) be the set of all probabilistic configurations for P . Pk We represent η by a formal sum η = i=1 η(ci )ci (like mixed states in physics). As usual when formal sums, c ∈ ΣP represents both the classic configuration and the probabilistic configuration where c has mass 1 (the formal singular sum 1 × c). Let c = (π, σ, n) and c0 = (π 0 , σ 0 , n0 ) be classic configurations of P . For 0 L , L00 ⊆ L, we write π ∪ L0 → π 0 ∪ L00 to denote that π 0 = (π \ L0 ) ∪ L00 and we write σ ≡Y σ 0 if σ and σ 0 agree in all values not in Y ⊆ XP . A program P defines a transition relation RP ⊆ D(ΣP ) × D(ΣP ) on probabilistic configurations. This relation is constructed using the transition relation c RP (C) ⊆ ΣP × D(ΣP ) defined in Table 6. Pk Let η = i=1 η(ci )ci be a probabilistic configuration for P . The probabilistic configuration η gives us the subset {c1 , . . . , ck } of possible classic states of the system and their probabilities. To determined the possible transition from η, we have to consider independently all possible transitions of each classic state in {c1 , . . . , ck }. So, if η1 , . . . , ηk are probabilistic configurations, such that (ci , ηi ) ∈ Pk c RP for all i = 1, . . . , k, then (η, η 0 ) ∈ RP , with η 0 = i=1 η(ci )ηi . Remark that any of this transitions could be the idling transition. Given a program P we construct our EpCTL model as the structure MP = (D(ΣP ), RP , VP ), where VP (η) = (ΣP , 2ΣP , η, XP ∪ LP ) and XP , LP seen as Boolean random variables. Example 4.2 Consider the program P described in Example 4.1, the formula R AG( (l ∧ l11 )) = 0) is satisfied by MP . Another formula satisfied by MP is 10 R R (EF(( l10 ) = x)) ≡ (EF(( l11 ) = x)), that means that both processes access the critical zone with the same probability. The EpCTL model-checking algorithm (Algorithm 3) can be used to check these properties.

5

Conclusions

The contributions of this paper are manifold. Concerning the state logic, we obtained: a small model theorem; a PSPACE bound to the SAT problem; a simpler Hilbert calculus for EPPL than that presented in [15]. Concerning the temporal logic EpCTL, we introduced: a complete Hilbert calculus, an informal proof that the SAT problem is EXPTIME complete; a detailed model-checking algorithm. We have also designed a probabilistic programming logic that can be used to specify probabilistic Kripke structures. We accomplish this by defining a transition based semantics over probabilistic distribution for the programming language. The EpCTL model-checking algorithm can be used to verify temporal probabilistic properties of programs written on this language. It is also possible to extract a finite set of EpCTL formulas HP out of a program P . Indeed, 25

HP is a specification of program P . As soon as HP is determined we can use the EpCTL Hilbert calculus to derive syntactically properties of P . Another verification approach consists in checking the satisfiability of the set HP ∪ {∼δ} for some formula δ that we want to know if P holds. We leave these approaches to future work.

References [1] P. Baltazar, P. Mateus, R. Nagarajan, and N. Papanikolaou. Exogenous probabilistic computation tree logic. Electronic Notes in Theoretical Computer Science, 190(3):95–110, 2007. [2] S. Basu, R. Pollack, and R. Marie-Fran¸coise. Algorithms in Real Algebraic Geometry. Springer, 2003. [3] C. Caleiro, C. Sernadas, and A. Sernadas. Parameterisation of logics. In J. Fiadeiro, editor, Recent Trends in Algebraic Development Techniques Selected Papers, volume 1589 of Lecture Notes in Computer Science, pages 48–62. Springer-Verlag, 1999. [4] John Canny. Some algebraic and geometric computations in pspace. In STOC ’88: Proceedings of the twentieth annual ACM symposium on Theory of computing, pages 460–469, New York, NY, USA, 1988. ACM. [5] R. Chadha, L. Cruz-Filipe, P. Mateus, and A. Sernadas. Reasoning about probabilistic sequential programs. Theoretical Computer Science, 379(12):142–165, 2007. [6] V. Chv´atal. Linear programming. Freeman, 1983. [7] Edmund M. Clarke and Bernd-Holger Schlingloff. Model checking. In Handbook of Automated Reasoning, pages 1635–1790. 2001. [8] E. A. Emerson and J. Y. Halpern. Decision procedures and expressiveness in the temporal logic of branching time. In STOC, pages 169–180, 1982. [9] R. Fagin and J. Y. Halpern. Reasoning about knowledge and probability. J. ACM, 41(2):340–367, 1994. [10] R. Fagin, J. Y. Halpern, and N. Megiddo. A logic for reasoning about probabilities. Information and Computation, 87(1/2):78–128, 1990. [11] Hans Hansson and Bengt Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994. [12] Marta Kwiatkowska, Gethin Norman, and David Parker. Prism: Probabilistic symbolic model checker. In TOOLS ’02: Proceedings of the 12th International Conference on Computer Performance Evaluation, Modelling Techniques and Tools, pages 200–204, London, UK, 2002. Springer-Verlag. 26

[13] Marta Kwiatkowska, Gethin Norman, and David Parker. Probabilistic model checking in practice: case studies with prism. SIGMETRICS Perform. Eval. Rev., 32(4):16–21, 2005. [14] P. Mateus and A. Sernadas. Weakly complete axiomatization of exogenous quantum propositional logic. Information and Computation, 204(5):771– 794, 2006. ArXiv math.LO/0503453. [15] P. Mateus, A. Sernadas, and C. Sernadas. Exogenous semantics approach to enriching logics. In G. Sica, editor, Essays on the Foundations of Mathematics and Logic, volume 1, pages 165–194. Polimetrica, 2005.

27

Table 6: Program Transitions 1. we include the idling transition on all configuration, such that c (c, c) ∈ RP (C) for all c ∈ ΣP ; c ˆ (` : skip; `) 2. (c, c0 ) ∈ RP

ˆ if σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`};

c ˆ (` : x := b; `) 3. (c, c0 ) ∈ RP 0 ˆ π ∪ {`} → π ∪ {`};

if σ 0 (x) = b, σ ≡x σ 0 , n = n0 and

c ˆ 4. (c, 12 c0 + 21 c00 ) ∈ RP (` : x ∼ toss; `) if σ ≡x σ 0 ≡x σ 00 , σ 0 (x) = 0, 00 0 00 ˆ σ (x) = 1, n − 1 = n = n ≥ 0 and π ∪ {`} → π 0 ∪ {`};

c ˆ 5. (c, c0 ) ∈ RP (` : request(x); `) ˆ and π ∪ {`} → π 0 ∪ {`};

c ˆ 6. (c, c0 ) ∈ RP (` : release(x); `) 0 ˆ π ∪ {`} → π ∪ {`};

if σ(x) = 1, σ ≡x σ 0 , σ 0 (x) = 0, n = n0

if σ ≡x σ 0 , σ 0 (x) = 1, n = n0 and

c ˆ 7. (c, c0 ) ∈ RP (` : if b then `1 : C1 ; `ˆ1 else `2 : C2 ; `ˆ2 fi; `) following conditions hold:

if one of the

(a) b = 1, σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`ˆ1 }; (b) σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`ˆ2 }; c c (c) (c, c0 ) ∈ RP (`1 : C1 ; `ˆ1 ) or (c, c0 ) ∈ RP (`1 : C1 ; `ˆ1 ); c ˆ 8. (c, c0 ) ∈ RP (` : while b do `1 : C1 : `ˆ1 od : `) conditions hold:

if one of the following

(a) b = 1, σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`ˆ1 }; ˆ (b) b = 0, σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`}; c (c) (c, c0 ) ∈ RP (`1 : C1 ; `ˆ1 ) c ˆ 9. (c, c0 ) ∈ RP (` : (`1 : C1 : `ˆ1 ||`2 : C2 : `ˆ2 ) : `) conditions hold:

if one of the following

(a) σ = σ 0 , n = n0 and π ∪ {`} → π 0 ∪ {`ˆ1 , `ˆ2 }; (b) σ = σ 0 , n = n0 and π ∪ {`ˆ1 , 28 `ˆ2 } → π 0 ∪ {`}; c c (c) (c, c0 ) ∈ RP (`1 : C1 ; `ˆ1 ) or (c, c0 ) ∈ RP (`1 : C1 ; `ˆ1 ); c c 10. (c, c0 ) ∈ RP (`1 : C1 ; `2 : C2 ; `3 ) if (c, c0 ) ∈ RP (`1 : C1 ; `2 ) or (c, c0 ) ∈ c RP (`2 : C2 ; `3 ) .