E cient Model Checking of Temporal Exogenous …dhenriq/Tacas10...E cient Model Checking of Temporal Exogenous Probabilistic Logics David Henriques, Pedro Baltazar, and Paulo Mateus


Efficient Model Checking of Temporal Exogenous Probabilistic Logics

David Henriques, Pedro Baltazar, and Paulo Mateus

SQIG-Instituto de Telecomunicações and IST, Portugal, {dhenriq,pbtz,pmat}@math.ist.utl.pt

Abstract. In this paper, we study the model checking problem for Exogenous Probabilistic Propositional Logic (EPPL) and its temporal extensions. We consider a Bayesian network representation for EPPL models and the relevant case of probabilistic Boolean circuits, which allows for an efficient PSPACE representation of the models in terms of the propositional symbols. Concerning the temporal extensions, we consider both branching and linear time. Given a temporal probabilistic formula to verify, we present an algorithm that maps probabilistic Kripke structures to classical Kripke structures, thus reducing probabilistic verification to classical temporal verification. As a consequence, we obtain that the complexity of model checking temporal exogenous probabilistic formulae is the same as that of their classical counterparts. Then, we briefly present a tool that implements the main reduction algorithms and capitalizes on NuSMV. Finally, we consider the case of infinite probabilistic Kripke structures and obtain preliminary results concerning persistence properties. An example based on a probabilistic mutual exclusion program is used to illustrate the approach.

1 Introduction

Reasoning about probabilistic systems is a very important research subject with applications in many fields such as security, performance analysis, system verification, traffic analysis and even bioinformatics.

The verification of probabilistic systems has focused largely on the analysis of asymptotic behaviours. Since the early days [20,21], the models that have been used are Markov chains and their many extensions [13,5]. Markov chains proved to be an appropriate framework to model the execution of programming languages and algorithms with random operations. Furthermore, the verification methods comprise reachability analyses of Markov chains [2], but also automata-theoretic techniques [22]. The latter extended the former by introducing a method to compute the probability of path-events defined by Büchi automata, which are not always stopping-time definable.

The introduction of probabilistic features into the language of classical propositional logic has been covered by many different authors, and several results regarding complete axiomatization and decidability were obtained [19,10]. These results led to the study of general methods to augment a logic with probabilities [18,4]. For


specifications of properties, in many cases the logic languages used were drawn from classic temporal logics by giving them a probabilistic semantics [12], or by enriching the formulas with quantitative quantifiers [11]. However, the verification of real-life systems is difficult mainly because the model-checking techniques do not scale, though several reduction methods are used [9,8]. More recent methods [16] perform verification by reducing the problem to probabilistic automata equivalence.

In this paper we consider the branching and linear temporalization of Exogenous Probabilistic Propositional Logic (EPPL) [18,17]. EPPL was initially introduced in [18] to reason about quantum states and further developed in the context of a Hoare-like logic [6]. The semantics of EPPL can be given by a set of possible valuations over propositional symbols (which, for instance, may denote memory cells of a probabilistic program) along with a probability space that gives the probability of each possible valuation. EPPL differs significantly from probabilistic arithmetical assertion logics, such as the state logic of the probabilistic dynamic logic given in [15], where formulas are interpreted as measurable functions and the connectives are arithmetical operations such as addition and subtraction. It is worthwhile to notice that model checking of EPPL can be done in polynomial time, although the models consume significant space. In order to address this issue we consider Bayesian networks (BN) to compress the representation, but nevertheless, in the worst case, BN take the same space as a vector of probabilities over the possible events.

Herein, we address an important case where the EPPL models can be simplified: faulty hardware. Considering digital circuits with faulty behaviour is a common assumption (see for instance [1]) and their study dates back to Von Neumann [14]. For faulty hardware, EPPL models can be compressed exponentially given the low interdependency of the variables. We explore this issue when presenting model checking for EPPL.

Concerning the temporal extensions of EPPL, a simple model-checking algorithm can be obtained by reducing the verification of temporal probabilistic formulas over probabilistic Kripke structures to their classical counterparts, and moreover, this can be done while remaining in the same complexity class. A (beta) tool was devised (and is available online) that reduces temporal probabilistic verification to model checking in NuSMV. The main shortcoming of our approach is that in many interesting cases the Kripke structure is infinite. When this happens, checking temporal probabilistic formulas is related to deriving asymptotic properties of the probabilistic Kripke structure. We present preliminary steps towards checking persistence properties.

The paper is organized as follows. In Section 2 we present EPPL and its temporal extensions. In Section 3 we focus on compressing EPPL models using Bayesian networks and considering probabilistic circuits. In Section 4 we present the main reduction algorithm that will be used for model checking and describe the tool. Finally, in Section 5 the infinite model case is addressed.


2 Probabilistic State Logic and Temporal Extensions

We start by presenting the Exogenous Probabilistic Propositional Logic (EPPL), a logic for reasoning about probabilities that was proposed in [18]. The term exogenous was coined by Kozen in [15] to express that the probabilities have proper syntax and are not hidden in the propositional symbols or connectives (as in PCTL [2]). As we shall see, this is precisely the case in EPPL, hence the name. Then, given the similarities between both EPPL temporal extensions (EPCTL and EPLTL), we present them concurrently.

2.1 EPPL Syntax

The construction of EPPL follows the exogenous approach: a set of formulae is taken at a base level (basic formulae) and another set is built over it at a higher level (global formulae). A set of probabilistic terms is also considered. The syntax is described in Table 1 by mutual recursion.

β := p | (¬β) | (β ⇒ β)   basic formulae
t := z | 0 | 1 | (∫β) | (t + t) | (t · t)   probabilistic terms
δ := (β) | (t ≤ t) | (∼δ) | (δ ⊃ δ)   global formulae

where p ∈ Λ, z ∈ Z.

Table 1. EPPL syntax

Basic formulae are simply propositional formulae over a finite set Λ of propositional symbols, which are abstractions of program variables, allowing for classical reasoning over them. The usual abbreviations for falsum ⊥, disjunction (β1 ∨ β2), conjunction (β1 ∧ β2) and equivalence (β1 ⇔ β2) are henceforth used freely.

Probabilistic terms permit quantitative reasoning over the set of algebraic real numbers by introducing a set of algebraic real variables Z which, together with addition, multiplication, 0, 1 and the equality relation of global formulae, allow the representation of any algebraic real number. Measure terms, i.e. terms of the form (∫β), denote the probability of satisfying β.

Global formulae are built by taking comparison formulae (t1 ≤ t2) and necessity modal formulae (β) as atoms and building an analogue of the propositional language over them. In this paper, we will consider the original semantics for (β) given in [18], under which (β) requires that β be satisfied with probability 1. As in the basic case, we will assume the analogues of the usual abbreviations for global falsum f, global disjunction (δ1 ∪ δ2), global conjunction (δ1 ∩ δ2) and global equivalence (δ1 ≡ δ2). The comparison operators =, ≠, ≥, <, > will also be used as usual.

When no ambiguity arises, we shall drop the parentheses.


2.2 EPPL Semantics

A model for EPPL is a pair m = ((Ω, F, µ), X) where (Ω, F, µ) is a probability space and X = (X_p)_{p∈Λ} is a stochastic process over (Ω, F, µ) in which each X_p is a Bernoulli random variable ranging over {0, 1}. Therefore, each ω ∈ Ω induces a valuation v_ω over Λ defined by v_ω(p) = X_p(ω) for each p ∈ Λ. Moreover, each basic formula β induces a Bernoulli random variable X_β over (Ω, F, µ), defined recursively:

– X_{(¬β)}(ω) = 1 − X_β(ω)
– X_{(β1⇒β2)}(ω) = max(1 − X_{β1}(ω), X_{β2}(ω))

By structural induction it is easy to show that

{ω ∈ Ω : v_ω(β) = 1} = {ω ∈ Ω : X_β(ω) = 1}.   (1)

For each EPPL model m = ((Ω, F, µ), X) and assignment ρ for the real variables, the semantics of global formulae is defined in the following way:

– Denotation of probabilistic terms:
  • [[z]]_{m,ρ} = ρ(z); [[0]]_{m,ρ} = 0; [[1]]_{m,ρ} = 1;
  • [[t1 + t2]]_{m,ρ} = [[t1]]_{m,ρ} + [[t2]]_{m,ρ}; [[t1 · t2]]_{m,ρ} = [[t1]]_{m,ρ} · [[t2]]_{m,ρ};
  • [[(∫β)]]_{m,ρ} = ∫ X_β dµ = µ(X_β^{−1}(1)) is the probability of observing an outcome ω such that v_ω(β) = 1.
– Satisfaction of global formulae:
  • m, ρ ⊩ (β) iff [[(∫β)]]_{m,ρ} = 1;
  • m, ρ ⊩ (t1 ≤ t2) iff [[t1]]_{m,ρ} ≤ [[t2]]_{m,ρ};
  • m, ρ ⊩ (∼δ) iff m, ρ ⊮ δ;
  • m, ρ ⊩ (δ1 ⊃ δ2) iff m, ρ ⊩ δ2 or m, ρ ⊮ δ1.
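The semantics above carried out in code, as an added example that is not code from the paper: a small EPPL evaluator over a model given directly as a probability space on valuations (the representation that Section 3.1 shows to be sufficient). The tuple encoding of formulae, the helper names and the faulty-AND-gate model are this example's own assumptions.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the paper. An EPPL model is a dict from each
# valuation (the frozenset of symbols it makes true) to its probability mu.
# Basic formulae beta: ("p", name), ("not", b), ("imp", b1, b2).
# Probabilistic terms t: ("var", z), ("const", q), ("int", b), ("add", t1, t2),
# ("mul", t1, t2). Global formulae delta: ("nec", b), ("le", t1, t2),
# ("neg", d), ("sup", d1, d2). All names here are this example's own choices.

def AND(b1, b2):
    """Abbreviation: b1 and b2 is not (b1 implies not b2)."""
    return ("not", ("imp", b1, ("not", b2)))

def IFF(b1, b2):
    return AND(("imp", b1, b2), ("imp", b2, b1))

def v_sat(beta, v):
    """v(beta) = 1: classical truth of a basic formula under valuation v."""
    tag = beta[0]
    if tag == "p":
        return beta[1] in v
    if tag == "not":
        return not v_sat(beta[1], v)
    if tag == "imp":
        return (not v_sat(beta[1], v)) or v_sat(beta[2], v)
    raise ValueError(tag)

def measure(model, beta):
    """[[(int beta)]] = mu({v : v(beta) = 1}), i.e. mu(X_beta^{-1}(1))."""
    return sum((p for v, p in model.items() if v_sat(beta, v)), Fraction(0))

def term(t, model, rho):
    """Denotation of a probabilistic term under model m and assignment rho."""
    tag = t[0]
    if tag == "var":
        return rho[t[1]]
    if tag == "const":
        return Fraction(t[1])
    if tag == "int":
        return measure(model, t[1])
    if tag == "add":
        return term(t[1], model, rho) + term(t[2], model, rho)
    if tag == "mul":
        return term(t[1], model, rho) * term(t[2], model, rho)
    raise ValueError(tag)

def sat(delta, model, rho):
    """m, rho |= delta, clause by clause as in Section 2.2."""
    tag = delta[0]
    if tag == "nec":          # necessity: beta holds with probability 1
        return measure(model, delta[1]) == 1
    if tag == "le":
        return term(delta[1], model, rho) <= term(delta[2], model, rho)
    if tag == "neg":
        return not sat(delta[1], model, rho)
    if tag == "sup":
        return sat(delta[2], model, rho) or not sat(delta[1], model, rho)
    raise ValueError(tag)

# Constructed model over Lambda = {a, b, c}: a and b are independent fair
# inputs and c holds the output of an AND gate that is correct with probability r.
def faulty_and_model(r):
    r = Fraction(r)
    model = {}
    for a, b in product((0, 1), repeat=2):
        good = a & b
        for c in (0, 1):
            v = frozenset(s for s, bit in (("a", a), ("b", b), ("c", c)) if bit)
            model[v] = Fraction(1, 4) * (r if c == good else 1 - r)
    return model

CORRECT = IFF(("p", "c"), AND(("p", "a"), ("p", "b")))   # c <=> (a and b)

def reliability(r):
    """[[(int CORRECT)]]: probability that the gate output is right."""
    return measure(faulty_and_model(r), CORRECT)

def meets_bound(r, z):
    """Does the model satisfy (z <= (int CORRECT)) under rho(z) = z?"""
    return sat(("le", ("var", "z"), ("int", CORRECT)), faulty_and_model(r), {"z": Fraction(z)})

def always_correct(r):
    """Necessity (CORRECT) holds iff the gate never fails, i.e. r = 1."""
    return sat(("nec", CORRECT), faulty_and_model(r), {})
```

Probabilities are kept as exact fractions so that comparisons such as z ≤ (∫β) are decided exactly, which is what the comparison formulae of the logic require; with floats a bound like 0.9 ≤ (∫β) could flip on rounding.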

2.3 Temporal Extensions Syntax

We consider two temporal extensions of EPPL: EPCTL and EPLTL. The formulae are built over EPPL formulae by adding the temporal CTL and LTL modalities as presented in Tables 2 and 3.

θ := δ | (∼θ) | (θ ⊃ θ) | (EXθ) | (AFθ) | (E[θUθ])   where δ is an EPPL formula

Table 2. EPCTL syntax

The similarities between these extensions and CTL and LTL should be obvious. Abbreviations for both logics are introduced as for the classical case.


θ := δ | (∼θ) | (θ ⊃ θ) | (Xθ) | (θUθ)   where δ is an EPPL formula

Table 3. EPLTL syntax

2.4 Temporal Extensions Semantics

Semantics for both EPCTL and EPLTL are given over a generalization of the concept of Kripke structure. A probabilistic Kripke structure is a tuple T = (S, R, L), where S is a non-empty set of states, R ⊆ S × S is a total relation and L is a function such that, for each s ∈ S, L(s) is a pair (m_s, ρ_s), where m_s is an EPPL model and ρ_s is an assignment over Z. As for Kripke structures, a computation path is an infinite sequence π = (m_1, ρ_1), (m_2, ρ_2), . . . such that for any i ≥ 1, we have ((m_i, ρ_i), (m_{i+1}, ρ_{i+1})) ∈ R.

Given a probabilistic Kripke structure T, an initial state s ∈ S and an EPCTL formula θ, the semantics of EPCTL is defined in terms of a relation T, s ⊩_EPCTL θ given in Table 4. Similarly, the semantics of EPLTL over computation paths is given in Table 5. As expected, a probabilistic Kripke structure T is said to satisfy an EPLTL formula θ, which we denote by T ⊩_EPLTL θ, if T, π ⊩_EPLTL θ for all computation paths π in T.

T, s ⊩_EPCTL γ iff m_s, ρ_s ⊩_EPPL γ;
T, s ⊩_EPCTL (∼θ) iff T, s ⊮_EPCTL θ;
T, s ⊩_EPCTL (θ1 ⊃ θ2) iff T, s ⊮_EPCTL θ1 or T, s ⊩_EPCTL θ2;
T, s ⊩_EPCTL (EXθ) iff T, s′ ⊩_EPCTL θ for some s′ with ((m_s, ρ_s), (m_{s′}, ρ_{s′})) ∈ R;
T, s ⊩_EPCTL (AFθ) iff for all paths π over R starting in s, there exists k ∈ ℕ such that T, π_k ⊩_EPCTL θ;
T, s ⊩_EPCTL (E[θ1Uθ2]) iff there exists a path π over R starting in s and k ∈ ℕ such that T, π_k ⊩_EPCTL θ2 and T, π_i ⊩_EPCTL θ1 for 1 ≤ i < k.

Table 4. Semantics of EPCTL

T, π ⊩_EPLTL γ iff m_1, ρ_1 ⊩_EPPL γ;
T, π ⊩_EPLTL (∼θ) iff T, π ⊮_EPLTL θ;
T, π ⊩_EPLTL (θ1 ⊃ θ2) iff T, π ⊮_EPLTL θ1 or T, π ⊩_EPLTL θ2;
T, π ⊩_EPLTL (Xθ) iff T, π_2 ⊩_EPLTL θ;
T, π ⊩_EPLTL (θ1Uθ2) iff there is some i ≥ 1 such that T, π_i ⊩_EPLTL θ2 and T, π_j ⊩_EPLTL θ1 for 1 ≤ j < i.

Table 5. Semantics of EPLTL


3 EPPL Model Checking

3.1 General Case

Any implementation of an EPPL model checker will need to deal with the representation of arbitrary probability spaces. Since probability spaces are very general, we will consider only probability spaces spanned over valuations of propositional symbols. Moreover, we show that this is enough to represent all possible EPPL models.

Let V_m = {v_ω : ω ∈ Ω} be the set of all valuations over Λ induced by m. Consider, for each bitstring i ∈ {0, 1}^{|Λ|}, the set B_i = {v ∈ V_m : v(p_1) = i_1, ..., v(p_{|Λ|}) = i_{|Λ|}} for p_1, ..., p_{|Λ|} ∈ Λ, where i_n is the n-th bit of i. Let B_m be the set of all such B_i. Observe that an EPPL model m = ((Ω, F, µ), X) induces a probability space P_m = (V_m, F_m, µ_m) over valuations, where F_m ⊆ 2^{V_m} is the σ-algebra generated by B_m and µ_m is defined over B_m by µ_m(B) = µ({ω ∈ Ω : v_ω ∈ B}) for all B ∈ B_m. Moreover, given a probability space over valuations, P = (V, F, µ), we can construct an EPPL model m_P = (P, X) where X_p(v) = v(p). Since X_β^{−1}(1) = {ω ∈ Ω : X_β(ω) = 1} = {ω ∈ Ω : β(v_ω) = 1}, it is easy to see that m and m_{P_m} satisfy precisely the same formulae.

This means that it is enough to consider probability spaces where each element of the state space can be univocally associated with one valuation over Λ. Therefore we need only consider Ω such that |Ω| ≤ 2^{|Λ|}, a finite quantity. We will henceforth assume this to be the case. Furthermore, under these assumptions, knowledge of the joint distribution of the random variables X_{p_i} is enough to describe an EPPL model. Given P_{(X_{p_1}, ..., X_{p_n})}(X_{p_1}, ..., X_{p_n}), take

– Ω = {ω : ω ∈ 2^Λ},
– F = 2^Ω,
– µ({ω}) = P(X_{p_1} = ω_1, ..., X_{p_{|Λ|}} = ω_{|Λ|}); Ω being finite, it is enough to define µ for each singleton set {ω} ⊂ Ω.

In programs, most variables have some dependency on others. However, it is usual to have disjoint sets of mutually independent variables or to have some variables depending only on a small subset of other variables. Therefore, we will usually be able to save space through the use of the Bayesian chain rule to rewrite P_{(X_{p_1}, ..., X_{p_{|Λ|}})} as

P(X_1, ..., X_{|Λ|}) = ∏_{i=1}^{|Λ|} P(X_i | X_{i−1}, ..., X_1).   (2)

Remark 1. Generally, in order to represent the joint probability distribution of n Bernoulli random variables, P(X_1, ..., X_n), we need O(2^n) space. Since each conditional distribution P(X_i | X_{i−1}, ..., X_1) needs O(2^i), ∏_{i=1}^{n} P(X_i | X_{i−1}, ..., X_1) needs ∑_{i=1}^{n} O(2^i) = O(2^{n+1}); so, in general, there is no gain in rewriting the distribution as a chain. However, unlike the case of the joint distribution, each variable independent of a set of other variables results in a reduction of the space needed to store the chain, since if X_i ⊥⊥ Y, then P(X_i | X) = P(X_i | X \ Y), thus reducing the space needed from 2^{|X|+1} to 2^{|X \ Y|+1}. This idea is precisely what is behind the concept of Bayesian network. A Bayesian network relative to a set of random variables is a directed acyclic graph where each vertex is labeled with one of the variables and the joint distribution of those variables can be expressed as the product of the conditional probability of each vertex given its parents.

The ordering of the variables is of extreme importance in determining the gains or losses in space. Determining good orderings is a complex matter and is not covered in this paper; however, it seems to be a very rich problem that deserves serious study.

Example 1. Consider the process X = (X_1, ..., X_5) where X_1, X_2 and X_3 are independent Bernoulli random variables with expected values p_i ≠ 1/2, X_4 = X_1 + X_2 and X_5 = X_3 + X_4. Let us consider different orderings for the factorization of this process:

– Order 1, 2, 3, 4, 5:
  • P(X_1)
  • P(X_2 | X_1) = P(X_2)
  • P(X_3 | X_2, X_1) = P(X_3)
  • P(X_4 | X_3, X_2, X_1) = P(X_4 | X_1, X_2)
  • P(X_5 | X_4, X_3, X_2, X_1) = P(X_5 | X_4, X_3)

– Order 5, 1, 3, 4, 2:
  • P(X_5)
  • P(X_1 | X_5)
  • P(X_3 | X_1, X_5)
  • P(X_4 | X_3, X_1, X_5) = P(X_4 | X_3, X_5)
  • P(X_2 | X_4, X_3, X_1, X_5) = P(X_2 | X_4, X_1)

Assuming non-degenerate variables, the first case needs 1 + 1 + 1 + 7 + 7 = 17 floats to be stored, whereas the second needs 1 + 3 + 7 + 7 + 7 = 25 floats. The joint probability would need 2^5 − 1 = 31 floats to store the same information.
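An added example (not the paper's code) that reproduces the float counts of Example 1 by brute force. It assumes the joint distribution is available explicitly, reads the + in X_4 = X_1 + X_2 and X_5 = X_3 + X_4 as exclusive or so that the variables stay Bernoulli, and uses the expected values (1/3, 1/4, 1/5); the function names are its own. For each ordering it finds, for every variable, the smallest set of preceding variables that still determines its conditional distribution, which is what the equalities listed above express, and charges 2^(k+1) − 1 floats for a factor with k parents, the counting convention of the example.

```python
from fractions import Fraction
from itertools import combinations, product

# Added example, not code from the paper. Assumptions: "+" is exclusive or,
# and the expected values of the independent inputs X1, X2, X3 are as below
# (all different from 1/2, as Example 1 requires).
P = (Fraction(1, 3), Fraction(1, 4), Fraction(1, 5))

def joint():
    """Joint distribution of (X1, ..., X5) as {(x1, x2, x3, x4, x5): probability}."""
    dist = {}
    for x1, x2, x3 in product((0, 1), repeat=3):
        pr = Fraction(1)
        for x, p in zip((x1, x2, x3), P):
            pr *= p if x else 1 - p
        x4 = x1 ^ x2          # X4 = X1 + X2 read as XOR
        x5 = x3 ^ x4          # X5 = X3 + X4 read as XOR
        dist[(x1, x2, x3, x4, x5)] = pr
    return dist

def conditional(dist, i, given, config):
    """P(X_i = config[i] | X_j = config[j] for j in given), zero-based indices."""
    den = sum(p for c, p in dist.items() if all(c[j] == config[j] for j in given))
    num = sum(p for c, p in dist.items()
              if all(c[j] == config[j] for j in given) and c[i] == config[i])
    return num / den

def minimal_parents(dist, i, preceding):
    """Smallest S subset of `preceding` such that P(X_i | preceding) = P(X_i | S)
    on every configuration of positive probability (exhaustive search)."""
    for k in range(len(preceding) + 1):
        for S in combinations(preceding, k):
            if all(conditional(dist, i, preceding, c) == conditional(dist, i, S, c)
                   for c, p in dist.items() if p > 0):
                return S
    raise AssertionError("unreachable: S = preceding always qualifies")

def chain_size(order):
    """Floats needed for the chain in the given ordering (1-based variable numbers),
    counting 2^(k+1) - 1 floats for a factor with k parents as Example 1 does.
    Returns (total, [(variable, parents), ...])."""
    dist = joint()
    total, factors = 0, []
    for n, var in enumerate(order):
        preceding = tuple(v - 1 for v in order[:n])
        S = minimal_parents(dist, var - 1, preceding)
        factors.append((var, tuple(s + 1 for s in S)))
        total += 2 ** (len(S) + 1) - 1
    return total, factors

def joint_size():
    """Floats for the full joint table over five Bernoulli variables."""
    return 2 ** 5 - 1
```

The conditional-independence test is exact (fractions, no tolerance) and exhaustive, which is only feasible because the process is tiny; it is the brute-force counterpart of the "good ordering" problem the text leaves open, and shows how much the ordering alone changes the storage (17 versus 25 floats for the same distribution).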

3.2 Probabilistic Boolean Circuits

Writing a joint distribution as a Bayesian chain may not always be a simple task. As such, it is desirable to identify useful cases that are easy to represent as a chain.

A probabilistic Boolean circuit (PBC) is a directed acyclic graph where each vertex i is labeled with:

– a Bernoulli random variable R_i with expected value r_i;
– a fresh Boolean variable x_i; and
– a Boolean function f_i : {0, 1}^k → {0, 1}, where k is the number of vertexes pointing to i (the indegree of i).


A vertex whose indegree is zero is called an input vertex, and its labeling variable is called an input variable. A vertex whose outdegree is zero is called an output vertex, and its labeling variable is called an output variable. A vertex that is neither an input vertex nor an output vertex is called an internal vertex. If there is an arrow pointing from vertex i to vertex j, j is said to be a child of i, and i is said to be a parent of j. The set of parent vertexes of a vertex i is denoted by par(i).

Each non-input vertex i represents a logical gate that computes the Boolean function expressed by the formula f_i. This computation returns the correct output with probability r_i. The variable x_i does double duty, identifying the vertex and representing the outcome of this (probabilistic) computation. We can see each vertex as a faulty component in the abstraction of a physical circuit. This is not unreasonable, as actual physical components state their reliability, so we actually know their probability of failure.

PBCs induce EPPL models where the stochastic process X is composed of random variables induced by the vertexes, their labeling functions and their labeling real numbers. Essentially, P(X_1 = x_1, ..., X_n = x_n) represents the probability of the vertexes taking the configuration ⟨x_1, ..., x_n⟩.

Given their structure, EPPL models induced by PBCs are easily written as a chain, since each vertex explicitly states the vertexes it depends upon. Furthermore, since the probability of correctly computing the Boolean function expressed by the labeling formula, i.e. P(X_i = f_i(par(X_i))), is known, we have the following result:

Proposition 1. Let (X_1, ..., X_n) be the variables induced by the vertexes of a PBC and ⟨x_1, ..., x_n⟩ a valuation. Then:

P(X_1 = x_1, ..., X_n = x_n) = ∏_{i=1}^{n} ( r_i δ_{x_i,f_i} + (1 − r_i) δ_{1−x_i,f_i} )   (3)

where r_i is the number labeling i and

δ_{x_i,f_i} = 1 if x_i = f_i(par(x_i)), and 0 if x_i ≠ f_i(par(x_i))

is the usual Dirac function.

Proof. In this proof, we denote by par(X_i) = par(x_i) the event {x ∈ Ω : X_j(x) = x_j for every X_j ∈ par(X_i)}. It suffices to prove that P(X_i = x_i | X_{i−1} = x_{i−1}, ..., X_1 = x_1) = r_i δ_{x_i,f_i} + (1 − r_i) δ_{1−x_i,f_i}. Using the total probability theorem with the partition Ω = Ω_{x_i=f_i} ∪ Ω_{x_i≠f_i}, where Ω_{x_i=f_i} = {x ∈ Ω : x_i = f_i(x_{i−1}, ..., x_1)}, we have:

P[X_i = x_i | X_{i−1} = x_{i−1}, ..., X_1 = x_1]
= P[X_i = x_i | par(X_i) = par(x_i)]
= P[X_i = f_i(par(X_i))] × P[X_i = x_i | par(X_i) = par(x_i), X_i = f_i(par(X_i))]
  + P[X_i ≠ f_i(par(X_i))] × P[X_i = x_i | par(X_i) = par(x_i), X_i ≠ f_i(par(X_i))]
= r_i × P[x_i = f_i(par(x_i))] + (1 − r_i) × P[x_i ≠ f_i(par(x_i))]

and

P[x_i = f_i(par(x_i))] = 1 if x_i = f_i(par(x_i)), and 0 if x_i ≠ f_i(par(x_i)); that is, δ_{x_i,f_i},

P[x_i ≠ f_i(par(x_i))] = 0 if x_i = f_i(par(x_i)), i.e. (1 − x_i) ≠ f_i(par(x_i)), and 1 if x_i ≠ f_i(par(x_i)), i.e. (1 − x_i) = f_i(par(x_i)); that is, δ_{(1−x_i),f_i}. □

This proposition ensures that, in order to store the EPPL model itself, we only need to store, for each factor of the Bayesian chain, a Boolean function (in the form of a propositional formula ϕ) and a real number (in the form of a float r). This takes O(|Λ| · |ϕ|) space, where |ϕ| is the greatest size among the sizes of the propositional formulae needed to code each vertex function. Under these conditions, we have a procedure that takes linear space in the number of propositional symbols (|Λ|), in the size of the coding formulae and in the size of the global formula to check. Furthermore, in order to compute the actual value of each factor given a valuation v ∈ Ω, we need only check v(ϕ) and return r or 1 − r, which takes linear time in ϕ. Therefore, this encoding does not interfere with the time complexity of the algorithm.
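Equation (3) carried out in code, as an added example that is not the paper's own: a PBC is a list of vertexes in topological order, each carrying its parents, its Boolean function and its reliability r_i, and the joint probability of a configuration is the product of the per-vertex factors, which is exactly the compact storage the paragraph above describes (one formula and one number per vertex instead of a 2^n table). The convention that an input vertex computes the constant 1, so that r_i is the probability the input is driven high, and the faulty half-adder circuit are this example's assumptions.

```python
from fractions import Fraction
from itertools import product

# Added example, not code from the paper. A PBC is a list of vertexes in
# topological order, each (name, parents, f_i, r_i): f_i is a Python callable
# on the parent bits standing in for the propositional formula phi of the
# vertex, and r_i is the probability that the gate computes f_i correctly.
# Assumption made here: an input vertex has f_i = constant 1, so its factor
# in Eq. (3) is r_i when the input reads 1 and 1 - r_i otherwise.

def factor(vertex, x):
    """One factor of Eq. (3): r_i if x_i = f_i(par(x_i)), 1 - r_i otherwise."""
    name, parents, f, r = vertex
    return r if x[name] == f(*(x[p] for p in parents)) else 1 - r

def joint_probability(circuit, x):
    """P(X_1 = x_1, ..., X_n = x_n) as the product over vertexes (Eq. (3))."""
    pr = Fraction(1)
    for vertex in circuit:
        pr *= factor(vertex, x)
    return pr

def valuations(circuit):
    """All 2^n assignments of bits to the vertex variables, as dicts."""
    names = [v[0] for v in circuit]
    for bits in product((0, 1), repeat=len(names)):
        yield dict(zip(names, bits))

def measure(circuit, beta):
    """(int beta): mass of the valuations satisfying beta, a predicate on dicts."""
    return sum((joint_probability(circuit, x) for x in valuations(circuit) if beta(x)),
               Fraction(0))

def storage_cost(circuit):
    """Numbers stored by the chain encoding (one r_i per vertex) versus a joint table."""
    return len(circuit), 2 ** len(circuit) - 1

# Constructed circuit: a half adder built from faulty gates. Inputs a, b are
# high with probability 1/2; the XOR computing the sum bit s is right with
# probability 9/10 and the AND computing the carry c with probability 4/5.
HALF_ADDER = [
    ("a", (), lambda: 1, Fraction(1, 2)),
    ("b", (), lambda: 1, Fraction(1, 2)),
    ("s", ("a", "b"), lambda a, b: a ^ b, Fraction(9, 10)),
    ("c", ("a", "b"), lambda a, b: a & b, Fraction(4, 5)),
]

def total_mass(circuit=HALF_ADDER):
    """Sanity check: the factors of Eq. (3) define a probability distribution."""
    return sum(joint_probability(circuit, x) for x in valuations(circuit))

def adder_reliability(circuit=HALF_ADDER):
    """Probability that both output bits are the correct function of the inputs."""
    return measure(circuit, lambda x: x["s"] == (x["a"] ^ x["b"])
                   and x["c"] == (x["a"] & x["b"]))

def carry_reliability(circuit=HALF_ADDER):
    """Probability that the carry bit alone is correct."""
    return measure(circuit, lambda x: x["c"] == (x["a"] & x["b"]))
```

Because each factor only consults the vertex's own parents, the circuit is stored as four (function, number) pairs while the induced joint distribution over the four variables has 2^4 entries; `measure` enumerates those entries only to evaluate a measure term, it never stores them.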

4 Temporal Model Checking

In [3] and [4], different approaches are used in the proposed algorithms for model checking EPCTL and EPLTL. These algorithms are essentially variations of the classical CTL and LTL model checkers [7]. The first one consists in replacing the propositional verification step of the classical model checking procedure by the state model checker for EPPL. The other reduces probabilistic model checking to classical model checking. While both approaches are in the same complexity class, the second one has a major practical advantage over the first one: following this approach, an actual implementation can be built over any already developed classical model checking tool. This is highly desirable from an implementation perspective. In [4] only a brief comment on the procedure for EPLTL is made; herein we detail the algorithm and give an implementation.

Given an EPCTL or EPLTL formula θ, let Atm = {a_1, ..., a_n} be the set of atomic subformulae of θ (that is, the set of subformulae of θ of the form (β) and (t_1 ≤ t_2)). Let Ξ = {ξ_1, ..., ξ_n} be a set of propositional symbols with |Ξ| = |Atm|. Let λ_θ : Atm → Ξ be a bijection mapping atomic subformulae of θ to propositional symbols (say λ_θ(a_i) = ξ_i). Although λ_θ depends on θ, we will drop the subscript when no ambiguity arises.

Given a probabilistic Kripke structure T, λ can be used to map it to a classical Kripke structure T̂ in the following way: T̂ = (Ŝ, R̂, L̂), such that there is a bijection f : S → Ŝ (we will write ŝ instead of f(s)), (ŝ, ŝ′) ∈ R̂ iff (s, s′) ∈ R, and the labeling of states is such that L̂(ŝ)[ξ_i] = 1 if m_s, ρ_s ⊩_EPPL λ^{−1}(ξ_i), and 0 otherwise. We can inductively extend λ to map θ to a CTL or LTL formula, mapping each connective to its CTL or LTL analogue. We shall denote by θ̂ the image of this mapping over θ.

Proposition 2. Let T be a probabilistic Kripke structure and s ∈ S. Then T, s ⊩_EPCTL θ iff T̂, ŝ ⊩_CTL θ̂.


Proof. By induction on the structure of θ:

– if θ ∈ Atm, i.e., θ is a_i for some i, then T, s ⊩_EPCTL θ iff m_s, ρ_s ⊩_EPPL a_i iff L̂(ŝ)[ξ_i] = 1 iff ŝ ⊩_CTL ξ_i (ξ_i = λ(θ));
– if θ is (∼θ_1), then T, s ⊩_EPCTL (∼θ_1) iff T, s ⊮_EPCTL θ_1 iff, by IH, T̂, ŝ ⊮_CTL θ̂_1 iff T̂, ŝ ⊩_CTL (¬θ̂_1) ((¬θ̂_1) = λ(∼θ_1) = λ(θ));
– if θ is (θ_1 ⊃ θ_2), then T, s ⊩_EPCTL (θ_1 ⊃ θ_2) iff T, s ⊮_EPCTL θ_1 or T, s ⊩_EPCTL θ_2 iff, by IH, T̂, ŝ ⊮_CTL θ̂_1 or T̂, ŝ ⊩_CTL θ̂_2 iff T̂, ŝ ⊩_CTL (θ̂_1 ⇒ θ̂_2) ((θ̂_1 ⇒ θ̂_2) = λ(θ_1 ⊃ θ_2) = λ(θ));
– if θ is (EXθ_1), then T, s ⊩_EPCTL (EXθ_1) iff there is (s, s′) ∈ R such that T, s′ ⊩_EPCTL θ_1 iff, by IH, T̂, ŝ′ ⊩_CTL θ̂_1 iff (since (ŝ, ŝ′) ∈ R̂) T̂, ŝ ⊩_CTL (EXθ̂_1) ((EXθ̂_1) = λ(EXθ_1) = λ(θ));
– if θ is (AFθ_1), then T, s ⊩_EPCTL (AFθ_1) iff for all paths π over R starting in s there is i ≥ 0 s.t. T, π_i ⊩_EPCTL θ_1 iff, by IH (and since the π̂ are precisely all paths over R̂ starting in ŝ), for all π̂ there is i ≥ 0 s.t. T̂, π̂_i ⊩_CTL θ̂_1 iff T̂, ŝ ⊩_CTL (AFθ̂_1) (AFθ̂_1 = λ(AFθ_1) = λ(θ));
– if θ is (E[θ_1Uθ_2]), then T, s ⊩_EPCTL (E[θ_1Uθ_2]) iff there is a path π over R starting in s and i ≥ 0 such that T, π_i ⊩_EPCTL θ_2 and T, π_j ⊩_EPCTL θ_1 for 0 ≤ j < i iff, by IH (and since π̂ is a path in R̂), there exists a path π̂ in R̂ starting in ŝ and i ≥ 0 such that T̂, π̂_i ⊩_CTL θ̂_2 and T̂, π̂_j ⊩_CTL θ̂_1 for 0 ≤ j < i iff T̂, ŝ ⊩_CTL (E[θ̂_1Uθ̂_2]) (E[θ̂_1Uθ̂_2] = λ(E[θ_1Uθ_2]) = λ(θ)). □

Lemma 1. Let T be a probabilistic Kripke structure and π a path over R. Then T, π ⊩_EPLTL θ iff T̂, π̂ ⊩_LTL θ̂.

Proof. By induction on the structure of θ:

– if θ ∈ Atm, i.e., θ is a_i for some i, then T, π ⊩_EPLTL θ iff m_{π_0}, ρ_{π_0} ⊩_EPPL a_i iff L̂(π̂_0)[ξ_i] = 1 iff π̂_0 ⊩_LTL ξ_i (ξ_i = λ(θ));
– if θ is (∼θ_1), then T, π ⊩_EPLTL (∼θ_1) iff T, π ⊮_EPLTL θ_1 iff, by IH, T̂, π̂ ⊮_LTL θ̂_1 iff T̂, π̂ ⊩_LTL (¬θ̂_1) ((¬θ̂_1) = λ(∼θ_1) = λ(θ));
– if θ is (θ_1 ⊃ θ_2), then T, π ⊩_EPLTL (θ_1 ⊃ θ_2) iff T, π ⊮_EPLTL θ_1 or T, π ⊩_EPLTL θ_2 iff, by IH, T̂, π̂ ⊮_LTL θ̂_1 or T̂, π̂ ⊩_LTL θ̂_2 iff T̂, π̂ ⊩_LTL (θ̂_1 ⇒ θ̂_2) ((θ̂_1 ⇒ θ̂_2) = λ(θ_1 ⊃ θ_2) = λ(θ));
– if θ is (Xθ_1), then T, π ⊩_EPLTL (Xθ_1) iff T, π_1 ⊩_EPLTL θ_1 iff, by IH, T̂, π̂_1 ⊩_LTL θ̂_1 iff (since (π̂_0, π̂_1) ∈ R̂) T̂, π̂ ⊩_LTL (Xθ̂_1) ((Xθ̂_1) = λ(Xθ_1) = λ(θ));
– if θ is (θ_1Uθ_2), then T, π ⊩_EPLTL (θ_1Uθ_2) iff there is i ≥ 0 such that T, π_i ⊩_EPLTL θ_2 and T, π_j ⊩_EPLTL θ_1 for 0 ≤ j < i iff, by IH (and since π̂ is a path in R̂), there exists i ≥ 0 such that T̂, π̂_i ⊩_LTL θ̂_2 and T̂, π̂_j ⊩_LTL θ̂_1 for 0 ≤ j < i iff T̂, π̂ ⊩_LTL (θ̂_1Uθ̂_2) (θ̂_1Uθ̂_2 = λ(θ_1Uθ_2) = λ(θ)). □

Proposition 3. Let T be a probabilistic Kripke structure. Then T ⊩_EPLTL θ iff T̂ ⊩_LTL θ̂.

Proof. Follows directly from applying Lemma 1 to all paths over R. □

We can now justify the soundness of the following algorithm:


Algorithm 1: EPCTL/EPLTL model checker

Input: EPCTL or EPLTL formula θ, probabilistic Kripke structure T, s ∈ S (in the case of EPCTL)
Output: 1 iff T ⊩_EPCTL θ or iff T ⊩_EPLTL θ

 1  compute Atm, n = |Atm|, θ̂;
 2  Ŝ = ∅, R̂ = ∅, L̂ = ∅;
 3  foreach s_i ∈ S do
 4      Ŝ = Ŝ ∪ {ŝ_i}; b_i = bool[n]; L̂ = L̂ ∪ {(ŝ_i, b_i)};
 5      foreach a_j ∈ Atm do
 6          b_i[j] = EpplCheck(m_{s_i}, ρ_{s_i}, a_j);
 7      end
 8  end
 9  foreach (s_i, s_j) ∈ R do
10      R̂ = R̂ ∪ {(ŝ_i, ŝ_j)};
11  end
12  return (CTLCheck((Ŝ, R̂, L̂), θ̂) or LTLCheck((Ŝ, R̂, L̂), θ̂));

where EpplCheck is the polynomial-time algorithm for model checking EPPL in [4] and CTLCheck and LTLCheck are the polynomial-time and polynomial-space algorithms, respectively, for model checking CTL and LTL. The cycle in line 3 runs O(|θ|) times and the nested cycles in lines 3 and 5 run O(|T|) and O(|θ|) times, respectively. The cycle in line 9 runs O(|T|) times. EpplCheck is in polynomial time so, up to line 11, the complexity is O(|T|) · (1 + O(|θ|)^2 · O(EpplCheck)), which remains in polynomial time. Since O(|T̂|) = O(|T|) and O(|θ̂|) = O(|θ|), the input is linearly expanded when translated from EPCTL to CTL, and the same happens for linear temporal logic. Therefore, the whole algorithm is polynomial-time for EPCTL and polynomial-space for EPLTL.
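Algorithm 1 end to end, as an added example that is not the EpTemp tool's code: the reduction of a probabilistic Kripke structure to a classical one (lines 1 to 11) followed by an explicit-state CTL checker standing in for CTLCheck, applied to a constructed abstraction of a two-thread mutual exclusion protocol and the property AG((∫(c1 ∧ c2)) = 0) in the spirit of Example 2. EpplCheck is supplied as one callable per atomic subformula; the structure, the atom names and all function names are this example's assumptions.

```python
from fractions import Fraction

# Added example, not the EpTemp tool's code. A probabilistic Kripke structure
# is (states, R, L) with L[s] = (m_s, rho_s), m_s a dict from valuations
# (frozensets of true symbols) to probabilities. EPCTL formulae are tuples:
# ("eppl", name) names an atom a_j whose EpplCheck is a callable (m, rho) -> bool
# in `atoms`; the connectives are ("neg", t), ("sup", t1, t2), ("EX", t),
# ("AF", t), ("EU", t1, t2). All names here are this example's own.

def measure(model, beta):
    """(int beta) for beta given as a predicate on valuations."""
    return sum((p for v, p in model.items() if beta(v)), Fraction(0))

def reduce_structure(states, R, L, atoms):
    """Lines 1-11 of Algorithm 1: lambda maps a_j to xi_j and L_hat(s) holds the
    xi_j for which EpplCheck(m_s, rho_s, a_j) is true. R is reused unchanged."""
    lam = {name: "xi%d" % j for j, name in enumerate(atoms)}
    L_hat = {s: {lam[name] for name in atoms if atoms[name](*L[s])} for s in states}
    return lam, L_hat

def translate(theta, lam):
    """lambda extended to formulae: atoms become xi_j, connectives their CTL analogue."""
    tag = theta[0]
    if tag == "eppl":
        return ("prop", lam[theta[1]])
    if tag in ("neg", "EX", "AF"):
        return (tag, translate(theta[1], lam))
    if tag in ("sup", "EU"):
        return (tag, translate(theta[1], lam), translate(theta[2], lam))
    raise ValueError(tag)

def ctl_sat(phi, states, R, L_hat):
    """Set of classical states satisfying CTL formula phi (fixpoint computation)."""
    succ = {s: {t for (u, t) in R if u == s} for s in states}
    tag = phi[0]
    if tag == "prop":
        return {s for s in states if phi[1] in L_hat[s]}
    if tag == "neg":
        return set(states) - ctl_sat(phi[1], states, R, L_hat)
    if tag == "sup":
        return (set(states) - ctl_sat(phi[1], states, R, L_hat)) | ctl_sat(phi[2], states, R, L_hat)
    if tag == "EX":
        target = ctl_sat(phi[1], states, R, L_hat)
        return {s for s in states if succ[s] & target}
    if tag == "AF":   # least fixpoint; R is total, so every state has a successor
        Z = ctl_sat(phi[1], states, R, L_hat)
        while True:
            Z_next = Z | {s for s in states if succ[s] <= Z}
            if Z_next == Z:
                return Z
            Z = Z_next
    if tag == "EU":   # least fixpoint: phi2, or phi1 with a successor already in Z
        S1 = ctl_sat(phi[1], states, R, L_hat)
        Z = ctl_sat(phi[2], states, R, L_hat)
        while True:
            Z_next = Z | {s for s in S1 if succ[s] & Z}
            if Z_next == Z:
                return Z
            Z = Z_next
    raise ValueError(tag)

def epctl_check(theta, states, R, L, atoms, s):
    """Algorithm 1: T, s |= theta iff T_hat, s_hat |= theta_hat (Proposition 2)."""
    lam, L_hat = reduce_structure(states, R, L, atoms)
    return s in ctl_sat(translate(theta, lam), states, R, L_hat)

# Constructed structure abstracting two threads and a coin-flip scheduler;
# c1 / c2 mean that thread 1 / 2 is in its critical region.
def structure(faulty):
    C1, C2 = frozenset({"c1"}), frozenset({"c2"})
    BOTH, NONE = frozenset({"c1", "c2"}), frozenset()
    L = {"s0": ({NONE: Fraction(1)}, {}),
         "s3": ({C1: Fraction(1, 2), C2: Fraction(1, 2)}, {}),   # scheduler undecided
         "s1": ({C1: Fraction(1)}, {}),
         "s2": ({C2: Fraction(1)}, {})}
    R = {("s0", "s3"), ("s3", "s1"), ("s3", "s2"), ("s1", "s0"), ("s2", "s0")}
    if faulty:   # a state where both threads are critical with probability 1/10
        L["s4"] = ({BOTH: Fraction(1, 10), NONE: Fraction(9, 10)}, {})
        R |= {("s2", "s4"), ("s4", "s0")}
    return list(L), R, L

ATOMS = {   # EpplCheck for each atomic subformula used below
    "mutex": lambda m, rho: measure(m, lambda v: "c1" in v and "c2" in v) == 0,  # (int(c1 and c2)) = 0
    "c1_sure": lambda m, rho: measure(m, lambda v: "c1" in v) == 1,             # (int c1) = 1
}
TRUE = ("sup", ("eppl", "mutex"), ("eppl", "mutex"))

def AG(theta):
    """AG theta abbreviates ~E[true U ~theta]."""
    return ("neg", ("EU", TRUE, ("neg", theta)))

def mutual_exclusion_holds(faulty):
    states, R, L = structure(faulty)
    return epctl_check(AG(("eppl", "mutex")), states, R, L, ATOMS, "s0")

def check(theta, s, faulty=False):
    states, R, L = structure(faulty)
    return epctl_check(theta, states, R, L, ATOMS, s)
```

Only the labelling step touches probabilities: each atom is decided once per state by EpplCheck and from then on the checker works on plain propositional labels, which is why the reduction keeps the classical complexity and lets an off-the-shelf checker such as NuSMV do the temporal part.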

4.1 Tool

The previous algorithm is remarkable for the simplicity of its implementation. Based on it, we developed a simple model checking tool for Windows-based operating systems, EpTemp, which is simultaneously an implementation of both EpplCheck and of Algorithm 1. Classical temporal model checking procedures are left to the well-known NuSMV model checker. EPPL states are coded in MSBNX, a Bayesian network representation tool from Microsoft. A simple GUI can be used to write EPCTL and EPLTL formulae, as well as to define the transition relation.

The tool and its documentation can be found at http:\\www.math.ist.utl.pt\dhenriq\EpTemp.html

Example 2. Consider the following probabilistic solution for a mutual exclusion program where each thread only accesses the critical region once:


P ::= [ x = 0, N,
        l0 : x ∼ toss;
        l1 :
          l2  : while x ≠ 0 do          l3  : while x ≠ 1 do
          l4  :   skip;                 l5  :   skip;
                od;                           od;
          l8  : -critical-;             l9  : -critical-;
          l10 : x = 1;                  l11 : x = 0;
          l14                           l13
        l16
      ]

Mutual exclusion can be specified with the EPCTL formula AG(∫(l10 ∧ l11) = 0). This property can be verified using the tool.

In Figure 1 we present snapshots of the tool for the previous example (except for the first snapshot, which is the MSBNX environment, and the last one, which is more interesting when the formula is not satisfied, as it then provides a counterexample).

Fig. 1. Snapshots of different steps in using EpTemp

5 Infinite models

In order to use the tool, we require an explicit description of the probabilistic Kripke structure. While in many cases this is not a problem, it is easy to conceive situations where the EPPL temporal extensions are useful but the corresponding structure is infinite. In such cases, at the moment, we cannot use EpTemp, for obvious reasons.

An important example is the case of Markov chains with states labeled by valuations, which can be used to model a wide range of applications. One can always generate a probabilistic Kripke structure from such a Markov chain by considering the possible positions after m computation steps and regarding the process as being in each of them at the same time with some probability (as with quantum states). In this case the Kripke structure is just a line, and branching and linear time reasoning coincide. We start with a relevant example of a Markov chain and show how to check EPLTL formulas on it.

Example 3. Consider the abstraction of a mutual exclusion program depicted in the probabilistic automaton of Figure 2, where non-determinism is resolved by a stochastic scheduler. The symbol n_i denotes that thread i is in the non-critical region and c_i that it is in the critical region.

[Figure 2: a three-state probabilistic automaton over the states a, b, c. From b the scheduler moves to a with probability p and to c with probability 1 − p; from a and from c the system returns to b with probability q and stays in the same state with probability 1 − q.]

Fig. 2. Abstraction of mutex program with probabilistic scheduling where a = (c1, n2), b = (n1, n2) and c = (n1, c2).

The structure generated by the automaton in Figure 2 is clearly not finite, as the probabilities of (c1, n2) and (n1, c2) exhibit a non-periodic behavior. Let S be the transition matrix of the automaton of Figure 2, with rows and columns ordered as (n1, n2), (c1, n2), (n1, c2):

\[
S = \begin{pmatrix}
0 & p & 1-p \\
q & 1-q & 0 \\
q & 0 & 1-q
\end{pmatrix}
\]

Assuming one starts in state (n1, n2), the probability of being in state i after m computation steps is the i-th entry of the first row of the m-th power of this matrix. This can be computed by diagonalizing S, whose eigenvalues are 1, 1 − q and −q (for p, q > 0, so that the entries below are defined):

\[
S^m =
\begin{pmatrix} 1 & 0 & -\frac{1}{q} \\ 1 & -\frac{1-p}{p} & 1 \\ 1 & 1 & 1 \end{pmatrix}
\begin{pmatrix} 1 & 0 & 0 \\ 0 & (1-q)^m & 0 \\ 0 & 0 & (-q)^m \end{pmatrix}
\begin{pmatrix} 1 & 0 & -\frac{1}{q} \\ 1 & -\frac{1-p}{p} & 1 \\ 1 & 1 & 1 \end{pmatrix}^{-1}.
\]

We can now check EPPL atomic propositions on the m-th computation step by gathering the states that satisfy the basic formulae in the atom and summing their probabilities. Based on this, we can compute the satisfaction of EPPL formulae at those steps. For example, suppose we want to check whether, after some time, the critical region is occupied with probability at least a at each computation step. This is relevant when choosing p and q in order to get a good occupation ratio of the critical region. We want to check $F(G(\int(c_1 \vee c_2) > a))$ over the path generated by the automaton.

The states that satisfy $c_1 \vee c_2$ are (c1, n2) and (n1, c2); therefore, at step m,

\[
\int(c_1 \vee c_2) = (S^m)_{1,2} + (S^m)_{1,3} = \frac{1-(-q)^m}{q+1},
\]

which is independent of p, as we might expect. If q = 1, ∫(c1 ∨ c2) alternates between 0 and 1, which makes sense: after one computation step in the critical region, the system returns deterministically to (n1, n2). The formula is not satisfied. If q = 0, ∫(c1 ∨ c2) = 1 for every m ≥ 1, as the system gets "trapped" in one of the processes, forever accessing the critical region. The formula is satisfied. If 0 < q < 1, then |(−q)^m| → 0 as m → ∞, so if a < 1/(q + 1) we have G(∫(c1 ∨ c2) > a) from some m onwards. The formula is satisfied.

The method employed in the previous example can be generalized to other Markov chains, hinting that the model checking of EPLTL formulas against paths induced by Markov chains is intrinsically connected to ergodic theory. This is clearly an interesting research subject, and we give herein the first steps.

Persistence on Infinite Models

For the moment we focus our attention on persistence EPLTL formulas, that is, formulas of the type F(Gθ) where θ is an EPPL formula. Let S be a stochastic matrix that generates a probabilistic Kripke structure and, for simplicity, assume that S is diagonalizable in the form S = BΛB⁻¹, where B is a similarity matrix and Λ is a diagonal matrix. Clearly, not all stochastic matrices fulfill this property, and this restriction needs to be further investigated. Nevertheless, diagonalizing a matrix can be done in polynomial time (numerically, to a prescribed precision) using the QR algorithm.

Notice that, given an initial state j, the probability of being in state i after m steps is given by $(S^m)_{i,j}$ (here S acts on column vectors, so a transition goes from column index j to row index i). Furthermore, given a basic formula β, we can consider the linear projection operator over β, $P_\beta : \mathbb{R}^n \to \mathbb{R}^n$, such that

\[
P_\beta(e_i) =
\begin{cases}
e_i & \text{if the valuation of state } i \text{ satisfies } \beta \\
0 & \text{otherwise}
\end{cases}
\]

where $e_i$ is the i-th canonical vector and 0 is the null vector. Now, we can state that the probability of β in the m-th computation step is

\[
\int\beta = \left\langle P_\beta \mathbf{1},\, B\Lambda^m B^{-1} e_j \right\rangle = \left\langle \mathbf{1},\, P_\beta B\Lambda^m B^{-1} e_j \right\rangle \qquad (4)
\]

where $e_j$ is the canonical vector corresponding to the initial state j, $\langle\cdot,\cdot\rangle$ denotes the inner product and $\mathbf{1} = \sum_{j=1}^{n} e_j$. Notice that the previous expression can be written as

\[
\sum_{i=1}^{k} \alpha_i \lambda_i^m \qquad (5)
\]

for some $\alpha_i \in \mathbb{C}$, $k \le n$. Under some conditions, this will allow us to check the persistence of formulas of the form

\[
\bigwedge_{i=1}^{k} \left( q_i < \left(\int\beta_i\right) < p_i \right). \qquad (6)
\]

Unfortunately, typical proofs by induction of persistence properties are not possible in these cases: since the λ_i are, in general, complex numbers, a bound at one step does not guarantee a better bound (or even the same one) at the following step, as the powers of different λ_i can push the result in different directions for different exponents. However, since the Perron-Frobenius theorem ensures that the spectral radius of a stochastic matrix is 1 (and 1 is itself an eigenvalue), one can still consider asymptotic behavior. Other eigenvalues of modulus 1 may exist, and they must be excluded: in Example 3 with q = 1 the eigenvalue −q = −1 makes ∫(c1 ∨ c2) oscillate forever, which is exactly what the hypothesis of the following theorem rules out.

Theorem 1. Let $S = B\Lambda B^{-1}$ be a diagonalizable stochastic matrix with valuations labeling states, and let β be a basic formula over the variables in those states such that its representation in the form of Equation 5 has $\lambda_i = 1$ for every $\lambda_i$ with $|\lambda_i| = 1$ appearing in the representation. Then, for each ε > 0,

\[
F\left(G\left(\alpha - \varepsilon < \left(\int\beta\right) < \alpha + \varepsilon\right)\right) \qquad (7)
\]

where $\alpha = \sum_{|\lambda_i| = 1} \alpha_i$.

Proof. In this proof, we denote by $(\int\beta)_m$ the measure of β in the m-th step of computation. Writing each eigenvalue in polar form, $\lambda_j = |\lambda_j| e^{i\theta_j}$,

\[
\left(\int\beta\right)_m
= \sum_{j=1}^{k} \alpha_j \lambda_j^m
= \sum_{\lambda_j = 1} \alpha_j \lambda_j^m + \sum_{|\lambda_j| < 1} \alpha_j \lambda_j^m
= \sum_{\lambda_j = 1} \alpha_j + \sum_{|\lambda_j| < 1} \alpha_j \left(|\lambda_j| e^{i\theta_j}\right)^m
= \alpha + \sum_{|\lambda_j| < 1} \alpha_j |\lambda_j|^m e^{m i \theta_j}.
\]

Since

\[
\Big| \sum_{|\lambda_j| < 1} \alpha_j |\lambda_j|^m e^{m i \theta_j} \Big|
\le \sum_{|\lambda_j| < 1} \big| \alpha_j |\lambda_j|^m e^{m i \theta_j} \big|
\le \sum_{|\lambda_j| < 1} |\alpha_j| \, |\lambda_j|^m \, |e^{m i \theta_j}|
= \sum_{|\lambda_j| < 1} |\alpha_j| \, |\lambda_j|^m
\le \max_{|\lambda_j| < 1} |\lambda_j|^m \sum_{|\lambda_j| < 1} |\alpha_j|
= c \max_{|\lambda_j| < 1} |\lambda_j|^m,
\]

where $c = \sum_{|\lambda_j| < 1} |\alpha_j|$ is a real constant, we have

\[
\alpha - c \max_{|\lambda_j| < 1} |\lambda_j|^m \;\le\; \left(\int\beta\right)_m \;\le\; \alpha + c \max_{|\lambda_j| < 1} |\lambda_j|^m,
\]

and $c \max_{|\lambda_j| < 1} |\lambda_j|^m \to 0$ as m → ∞. So, for sufficiently large values of m (F), for any n ≥ m (G), we have $\alpha - \varepsilon < (\int\beta)_n < \alpha + \varepsilon$, that is,

\[
F\left(G\left(\alpha - \varepsilon < \left(\int\beta\right) < \alpha + \varepsilon\right)\right). \qquad \square
\]
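The computation of Example 3 and the bound in the proof of Theorem 1 can be checked numerically. The following Python script is an added example, not code from the paper: it computes the first row of S^m for the chain of Figure 2 by repeated vector-matrix products in exact rational arithmetic (no diagonalization), compares it with the closed form (1 − (−q)^m)/(q + 1), checks F(G(∫(c1 ∨ c2) > a)) over a finite horizon, and computes the step from which the bound c · max|λ_j|^m < ε of Theorem 1 holds. The parameter values p = 2/5, q = 1/3 and the spectral constants α = c = 1/(1 + q) and max|λ_j| = max(q, 1 − q) are read off the closed form for this particular β and are assumptions of the example.

```python
# Added example (not from the paper): Example 3 and the Theorem 1 bound on
# the three-state mutex chain of Figure 2, with exact rationals.
from fractions import Fraction
from math import floor, log

STATES = [("n1", "n2"), ("c1", "n2"), ("n1", "c2")]   # row/column order of S


def mutex_chain(p, q):
    """Transition matrix S of Figure 2 for scheduler parameters p and q."""
    return [[0, p, 1 - p],
            [q, 1 - q, 0],
            [q, 0, 1 - q]]


def distribution(S, start, m):
    """Row `start` of S^m: probability of each state after m steps, by m
    vector-matrix products (the same numbers the diagonalization yields)."""
    n = len(S)
    row = [Fraction(int(i == start)) for i in range(n)]
    for _ in range(m):
        row = [sum(row[i] * S[i][j] for i in range(n)) for j in range(n)]
    return row


def measure(dist, beta):
    """(integral beta) at one step: the projection P_beta of Section 5, i.e.
    the mass of the states whose valuation satisfies beta."""
    return sum(pr for st, pr in zip(STATES, dist) if beta(st))


def critical_occupied(state):                 # beta = c1 or c2
    return "c1" in state or "c2" in state


def closed_form(q, m):
    """(S^m)_{1,2} + (S^m)_{1,3} = (1 - (-q)^m) / (q + 1), as in the text."""
    return (1 - (-q) ** m) / (q + 1)


def persists_above(S, start, beta, a, m0, horizon):
    """Finite-horizon witness for F(G(integral beta > a)): the measure
    exceeds a at every step from m0 to horizon (a check, not a proof)."""
    return all(measure(distribution(S, start, m), beta) > a
               for m in range(m0, horizon + 1))


def theorem1_step(c, lam, eps):
    """Smallest m with c * lam**m < eps, i.e. the step from which Theorem 1's
    bound guarantees |(integral beta)_m - alpha| < eps. lam is the largest
    modulus among the eigenvalues with |lambda_j| < 1, c = sum of |alpha_j|."""
    if c < eps:
        return 0
    if lam == 0:
        return 1
    return floor(log(eps / c) / log(lam)) + 1     # log(lam) < 0 flips the inequality


def within_band(S, start, beta, alpha, eps, m0, horizon):
    """alpha - eps < (integral beta)_m < alpha + eps for every m0 <= m <= horizon."""
    return all(abs(measure(distribution(S, start, m), beta) - alpha) < eps
               for m in range(m0, horizon + 1))


# Assumed parameters for the illustration.
P, Q = Fraction(2, 5), Fraction(1, 3)
CHAIN = mutex_chain(P, Q)

if __name__ == "__main__":
    for m in range(6):
        print(m, measure(distribution(CHAIN, 0, m), critical_occupied), closed_form(Q, m))
    # Spectral data of this beta, read off the closed form: alpha = 1/(1+q);
    # the only non-unit eigenvalue with a non-zero coefficient is -q, with
    # coefficient -1/(1+q), so c = 1/(1+q); the modulus bound uses every
    # eigenvalue below 1, hence max(q, 1-q).
    alpha, c, lam = 1 / (1 + Q), 1 / (1 + Q), max(Q, 1 - Q)
    m0 = theorem1_step(float(c), float(lam), 0.01)
    print("Theorem 1 step:", m0,
          within_band(CHAIN, 0, critical_occupied, alpha, Fraction(1, 100), m0, 60))
```

The finite-horizon functions only produce witnesses; the unconditional statement comes from `theorem1_step`, which is the constructive content of the proof: once the step is known, every later step stays inside the band.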


The problem of checking safety specifications is slightly more complicated, as we need to find a good way to obtain global bounds. We believe, however, that few additional hypotheses are needed in order to strengthen Theorem 1 to account for safety properties. Nevertheless, as it stands, the previous theorem delivers an interesting asymptotic result.

References

1. B. E. S. Akgul, L. N. Chakrapani, P. Korkmaz, and K. V. Palem. Probabilistic CMOS technology: A survey and future directions. In IFIP International Conference on Very Large Scale Integration, pages 1–6, Oct. 2006.

2. Christel Baier, Edmund M. Clarke, Vassili Hartonas-Garmhausen, Marta Z. Kwiatkowska, and Mark Ryan. Symbolic model checking for probabilistic processes. In ICALP, pages 430–440, 1997.

3. P. Baltazar, P. Mateus, R. Nagarajan, and N. Papanikolaou. Exogenous probabilistic computation tree logic. Electronic Notes in Theoretical Computer Science, 190(3):95–110, 2007.

4. Pedro Baltazar and Paulo Mateus. Temporalization of probabilistic propositional logic. In LFCS, pages 46–60, 2009.

5. Andrea Bianco and Luca de Alfaro. Model checking of probabilistic and nondeterministic systems. In Proceedings of the 15th Conference on Foundations of Software Technology and Theoretical Computer Science, pages 499–513, London, UK, 1995. Springer-Verlag. One of the first papers about probabilistic model checking.

6. R. Chadha, L. Cruz-Filipe, P. Mateus, and A. Sernadas. Reasoning about probabilistic sequential programs. Theoretical Computer Science, 379(1-2):142–165, 2007.

7. E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. MIT Press, Cambridge, MA, 1999.

8. Luca de Alfaro, Marta Z. Kwiatkowska, Gethin Norman, David Parker, and Roberto Segala. Symbolic model checking of probabilistic processes using MTBDDs and the Kronecker representation. In TACAS, pages 395–410, 2000.

9. E. M. Clarke, M. Fujita, P. C. McGeer, and J. C.-Y. Yang. Multi-terminal binary decision diagrams: An efficient data structure for matrix representation. In IWLS '93 International Workshop on Logic Synthesis, Tahoe City, CA, May 23–26, 1993.

10. R. Fagin, J. Y. Halpern, and N. Megiddo. A logic for reasoning about probabilities. Information and Computation, 87(1/2):78–128, 1990.

11. H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512–535, 1994.

12. Sergiu Hart and Micha Sharir. Probabilistic propositional temporal logics. Information and Control, 70(2/3):97–155, 1986.

13. Sergiu Hart, Micha Sharir, and Amir Pnueli. Termination of probabilistic concurrent programs. ACM Trans. Program. Lang. Syst., 5(3):356–380, 1983.

14. J. von Neumann. Probabilistic logics and the synthesis of reliable organisms from unreliable components. Automata Studies, pages 43–98, 1956.

15. D. Kozen. A probabilistic PDL. Journal of Computer and System Sciences, 30:162–178, 1985.

16. Axel Legay, Andrzej S. Murawski, Joël Ouaknine, and James Worrell. On automated verification of probabilistic programs. In TACAS, pages 173–187, 2008.

17. P. Mateus and A. Sernadas. Weakly complete axiomatization of exogenous quantum propositional logic. Information and Computation, 204(5):771–794, 2006. ArXiv math.LO/0503453.

18. P. Mateus, A. Sernadas, and C. Sernadas. Exogenous semantics approach to enriching logics. In G. Sica, editor, Essays on the Foundations of Mathematics and Logic, volume 1, pages 165–194. Polimetrica, 2005.

19. Nils J. Nilsson. Probabilistic logic. Artif. Intell., 28(1):71–88, 1986.

20. Lyle Harold Ramshaw. Formalizing the analysis of algorithms. PhD thesis, Stanford, CA, USA, 1979.

21. Micha Sharir, Amir Pnueli, and Sergiu Hart. Verification of probabilistic programs. SIAM J. Comput., 13(2):292–314, 1984.

22. Moshe Y. Vardi. Automatic verification of probabilistic concurrent finite state programs. In Symposium on Foundations of Computer Science, pages 327–338, 1985.