Talk Outline
1. Model Checking
2. Randomized Algorithms
3. LTL Model Checking
4. Probability Theory Primer
5. Monte Carlo Model Checking
6. Implementation & Results
7. Conclusions & Open Problem
Model Checking
• S is a nondeterministic/concurrent system.
• φ is a temporal logic formula,
– in our case Linear Temporal Logic (LTL).
• Basic idea: intelligently explore S's state space in an attempt to establish S ⊨ φ.
Model Checking's Fly in the Ointment: State Explosion
• Size of S's state transition graph is O(2^|S|)!
[Figure: computation tree of S, with its diameter marked]
• Existing approaches: Symbolic MC (OBDDs), Symmetry Reduction, Partial Order Reduction, Abstraction Refinement, Bounded Model Checking.
Monte Carlo Approach
• Monte Carlo: N(ε,δ) independent samples.
• Error margin ε and confidence ratio δ.
[Figure: computation tree of S, with its recurrence diameter marked; the LTL property is checked on sampled paths]
Randomized Algorithms
• Huge impact on CS: (distributed) algorithms, complexity theory, cryptography, etc.
• The next step taken by the algorithm may depend on a random choice (coin flip).
• Benefits of randomization include simplicity, efficiency, and symmetry breaking.
Randomized Algorithms
• Monte Carlo: may produce incorrect result but with bounded error probability.
– Example: Rabin’s primality testing algorithm
• Las Vegas: always gives correct result but running time is a random variable.
– Example: Randomized Quick Sort
Linear Temporal Logic
• An LTL formula φ is made up of atomic propositions p, boolean connectives ¬ and ∧, and temporal modalities X (neXt) and U (Until).
• Safety: "nothing bad ever happens". E.g. G(¬(pc1=cs ∧ pc2=cs)), where G is a derived modality (Globally).
• Liveness: "something good eventually happens". E.g. G(req → F serviced), where F is a derived modality (Finally).
LTL Model Checking
• Every LTL formula φ can be translated to a Büchi automaton B_φ whose language is the set of infinite words satisfying φ.
• Automata-theoretic approach:
S ⊨ φ iff L(B_S) ⊆ L(B_φ) iff L(B_S × B_¬φ) = ∅
Emptiness Checking
• Checking non-emptiness is equivalent to finding an accepting cycle reachable from the initial state (a lasso).
• The Double Depth-First Search (DDFS) algorithm can be used to search for such cycles, and this can be done on-the-fly!
[Figure: a lasso s1 s2 s3 ... sk-2 sk-1 sk ... sk+1 sk+2 sk+3 ... sn, with the DFS1 and DFS2 search phases marked]
Bernoulli Random Variable (coin flip)
• Value of Bernoulli RV Z:
Z = 1 (success) & Z = 0 (failure)
• Probability mass function:
p(1) = Pr[Z=1] = p_z
p(0) = Pr[Z=0] = 1 - p_z = q_z
• Expectation: E[Z] = p_z
Geometric Random Variable
• Value of geometric RV X with parameter p_z:
number of independent trials until the first success.
• Probability mass function:
p(N) = Pr[X = N] = q_z^(N-1) p_z
• Cumulative distribution function:
F(N) = Pr[X ≤ N] = ∑_{i≤N} p(i) = 1 - q_z^N
How Many Trials?
• Requiring Pr[X ≤ N] ≥ 1-δ, i.e. 1 - q_z^N ≥ 1-δ, i.e. q_z^N ≤ δ, yields (both logarithms are negative):
N ≥ ln(δ) / ln(1-p_z)
• Lower bound on the number of trials N needed to achieve success with confidence ratio δ.
What If p_z Is Unknown?
• Requiring Pr[X ≤ N] ≥ 1-δ and p_z ≥ ε yields:
N ≥ ln(δ) / ln(1-ε) ≥ ln(δ) / ln(1-p_z)
• Lower bound on the number of trials N needed to achieve success with confidence ratio δ and error margin ε.
Statistical Hypothesis Testing
• Example: Given a fair and a biased coin.
– Null hypothesis H0 - fair coin selected.
– Alternative hypothesis H1 - biased coin selected.
• Hypothesis testing: perform N trials.
– If the number of heads is LOW, reject H0.
– Else fail to reject H0.
Statistical Hypothesis Testing
                   | H0 is True                    | H0 is False
reject H0          | Type I error (w/prob. α)      | Correct to reject H0
fail to reject H0  | Correct to fail to reject H0  | Type II error (w/prob. β)
Hypothesis Testing – Our Case
• Null hypothesis H0: p_z ≥ ε
• Alternative hypothesis H1: p_z < ε
• If no success after N trials, then reject H0.
• Type I error: α = Pr[X > N | H0] ≤ δ
Monte Carlo Model Checking
• Sample space: lassos in B_S × B_¬φ
• Bernoulli random variable Z:
– Outcome = 1 if the randomly chosen lasso is accepting
– Outcome = 0 otherwise
• p_Z = ∑ p_i Z_i (expectation of Z, i.e. the probability of an accepting lasso),
where p_i is the probability of lasso i under a uniform random walk
Lassos Probability Space
[Figure: Büchi automaton with states 1, 2, 3, 4]
L1 = 11        L2 = 1244      L3 = 1231      L4 = 12344
Pr[L1] = ½     Pr[L2] = ¼     Pr[L3] = ⅛     Pr[L4] = ⅛
q_Z = Pr[L1] + Pr[L2] = ¾     p_Z = Pr[L3] + Pr[L4] = ¼
Monte Carlo Model Checking (MC2)
input: B = (Σ, Q, Q0, δ, F), ε, δ
N := ln(δ) / ln(1-ε);
for (i = 1; i ≤ N; i++) if (RL(B) == 1) return (1, error-trace);
return (0, "reject H0 with α = Pr[X > N | H0] < δ");
where RL(B) performs a uniform random walk through B (storing the states encountered in a hash table) to obtain a random sample (lasso).
Random Lasso (RL) Algorithm
input: Büchi automaton B; output: sample lasso; return 1 if accepting, 0 if not.
(1) s := rInit(B); i := 1; f := 0;
(2) while (s ∉ HashTbl) {
(3)   HashTbl(s) := i;
(4)   if (acc(s)) f := i;
(5)   s := rNext(s,B); i := i + 1; }
(6) if (HashTbl(s) ≤ f) return 1 else return 0;
where rInit(B) picks an initial state uniformly at random, rNext(s,B) picks a successor of s uniformly at random, acc(s) tests whether s is accepting, and f records the index of the last accepting state seen; the lasso is accepting iff its cycle, which starts at index HashTbl(s), contains an accepting state.
Monte Carlo Model Checking
Theorem: Given a Büchi automaton B, error margin ε, and confidence ratio δ, if MC2 fails to find a counter-example, then
Pr[X > N | H0] ≤ δ, where N = ln(δ) / ln(1-ε).
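As an added worked example (not code from the talk or from jMocha), the lasso probability space, the RL sampler and the MC2 loop above in Python, run over a constructed four-state automaton; RL here returns the sampled lasso together with a boolean accepting flag instead of the page's 0/1 code, N is rounded up to a whole number of trials, and the exact p_Z is obtained by enumerating the finite lasso space so the sample size and the Type I bound can be checked against it.

```python
import math
import random

# Constructed example automaton (not the page's): uniform random walk over successor
# lists, initial state 0, accepting state 2. Lassos: 00 (1/2), 0121 (1/4, accepting),
# 0133 (1/4), so p_Z = 1/4.
SUCC = {0: [0, 1], 1: [2, 3], 2: [1], 3: [3]}
INIT, ACC = [0], {2}

def sample_size(eps, delta):
    """N = ln(delta) / ln(1 - eps), rounded up to a whole number of trials."""
    return math.ceil(math.log(delta) / math.log(1 - eps))

def type1_error_bound(eps, n):
    """Pr[X > N | H0]: n misses in a row when p_Z >= eps happens w.p. at most (1-eps)^n."""
    return (1 - eps) ** n

def random_lasso(succ, init, acc, rng):
    """RL: walk uniformly at random until a state repeats; return (lasso, accepting)."""
    s, i, f = rng.choice(init), 1, 0      # f = index of the last accepting state seen
    hashtbl, path = {}, []
    while s not in hashtbl:
        hashtbl[s] = i
        path.append(s)
        if s in acc:
            f = i
        s, i = rng.choice(succ[s]), i + 1
    path.append(s)                        # state that closes the cycle
    return path, hashtbl[s] <= f          # accepting iff the cycle contains an accepting state

def accepting_lasso_prob(succ, init, acc):
    """Exact p_Z: enumerate the finite lasso space, summing accepting lasso probabilities."""
    def walk(s, seen, i, f, prob):
        if s in seen:
            return prob if seen[s] <= f else 0.0
        seen = {**seen, s: i}
        if s in acc:
            f = i
        return sum(walk(t, seen, i + 1, f, prob / len(succ[s])) for t in succ[s])
    return sum(walk(s0, {}, 1, 0, 1.0 / len(init)) for s0 in init)

def mc2(succ, init, acc, eps, delta, seed=0):
    """MC2: draw N random lassos; return (1, trace) on an accepting one, else (0, None)."""
    rng = random.Random(seed)
    for _ in range(sample_size(eps, delta)):
        lasso, accepting = random_lasso(succ, init, acc, rng)
        if accepting:
            return 1, lasso
    return 0, None
```

With ε = p_Z = 1/4 and δ = 0.1 the formula gives N = 9 trials, and (3/4)^9 ≈ 0.075 ≤ δ confirms the Type I bound for this automaton.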
Monte Carlo Model Checking
Theorem: Given a Büchi automaton B having diameter D, error margin ε, and confidence ratio δ, MC2 runs in time O(N·D) and uses space O(D), where N = ln(δ) / ln(1-ε).
Cf. DDFS, which runs in O(2^(|S|+|φ|)) time for B = B_S × B_¬φ.
Implementation
• Implemented DDFS and MC2 in jMocha model checker for synchronous systems specified using Reactive Modules.
• Performance and scalability of MC2 compare very favorably with those of DDFS.
DPh: Symmetric Unfair Version (Deadlock freedom)
     |     DDFS       |            MC2
 ph  |   time    entr |   time    mxl   cxl    N
  4  |   0.02      31 |   0.08     10    10    3
  8  |   1.62     512 |   0.20     25     8    7
 12  |   3:13    8191 |   0.25     37    11   11
 16  | >20:0.0      - |   0.57     55     8   18
 20  |      -     oom |   3.16    484     9   20
 30  |      -     oom |   35.4   1478    11  100
 40  |      -     oom |  11:06  13486    10  209
DPh: Symmetric Unfair Version (Starvation freedom)
     |     DDFS       |            MC2
 ph  |   time    entr |   time    mxl   cxl    N
  4  |   0.17      29 |   0.02      8     8    2
  8  |   0.71      77 |   0.01      7     7    1
 12  |   1:08     125 |   0.02      9     9    1
 16  | 7:47:0     173 |   0.11     18    18    1
 20  |      -     oom |   0.08     14    14    1
 30  |      -     oom |   1.12    223   223    1
 40  |      -     oom |   1.23    218   218    1
DPh: Asymmetric Fair Version (Deadlock freedom)
δ = 10^-1, ε = 1.8*10^-4, N = 1257
      |     DDFS         |           MC2
 Phi  |   time   entries |     time     max     avg
   4  |   0:01       178 |     0:20      49      21
   6  |   0:03      1772 |     0:45     116      42
   8  |   0:58     18244 |     2:42     365      99
  10  |  16:44    192476 |     7:20     720     234
  12  |      -       oom |    21:20    1665     564
  14  |      -       oom |  1:09:52    2994    1442
  16  |      -       oom |  3:03:40    7358    3144
  18  |      -       oom |  6:41:30   13426    5896
  20  |      -       oom | 19:02:00   34158   14923
DPh: Asymmetric Fair Version (Starvation freedom)
δ = 10^-1, ε = 1.8*10^-4, N = 1257
      |     DDFS         |           MC2
 Phi  |   time   entries |     time     max     avg
   4  |   0:01       538 |     0:20      50      21
   6  |   0:17      9106 |     0:46     123      42
   8  |   7:56    161764 |     2:17     276      97
  10  |      -       oom |     7:37     760     240
  12  |      -       oom |    21:34    1682     570
  14  |      -       oom |  1:09:45    3001    1363
  16  |      -       oom |  2:50:50    6124    2983
  18  |      -       oom |  8:24:10   17962    7390
  20  |      -       oom | 22:59:10   44559   17949
Alternative Sampling Strategies
[Figure: chain automaton with states 0, 1, ..., n-1, n, where Pr[Ln] = O(2^-n)]
• Multilasso sampling: ignores backedges that do not lead to an accepting lasso.
• Probabilistic systems: there is a natural way to assign a probability to a random lasso.
• Input partitioning: partition the input into classes that trigger the same behavior (guards).
Related Work
• Heimdahl et al.’s Lurch debugger.
• Mihail & Papadimitriou (and others) use random walks to sample system state space.
• Herault et al. use bounded model checking to compute an (ε,δ)-approx. for “positive LTL”.
• Probabilistic Model Checking of Markov Chains: ETMCC, PRISM, PIOAtool, and others.