Causality in Labeled Transition Systems Georgiana Caltais 1 joint - - PowerPoint PPT Presentation

Causality in Labeled Transition Systems

Georgiana Caltais1 joint work with: Stefan Leue1, Mohammad Reza Mousavi2

1University of Konstanz, Germany 2CERES, Sweden

OPCT 2017, IST Austria

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 1 / 17

A Railway Crossing Hazard

Safety goal: “It shall always be the case that there is never a car and a train in crossing at the same time”

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 2 / 17

What is a Cause?

[Lewis 1973] “Causation”. Journal of Philosophy (1973) possible world semantics for counterfactuals

c is causal for e if were c not to occur, then e would not occur either

[Halpern, Pearl 2005] “Causes and explanations: A structural-model

• approach. Part I: Causes”. The British Journal for the Philosophy of

Science (2005) more complex causal dependencies between events [Leitner-Fischer, Leue 2013] “Causality Checking for Complex System Models”. VMCAI (2013) adaptation of [Halpern, Pearl 2005] to concurrent computations and (LTL) reachability properties considers ordering and non-occurrence of events as potential causal factors

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 3 / 17

LTS’s & HML

Labeled Transition Systems (LTS’s)

1

T = (S, s00, A, →)

2

s00

a

− → s10

3

s00

bch

− − → → s31, ε – empty word

4

computations, e.g., π = (s00, b, [ε, d, e, ee, . . .]), (s11, c, [h, ε, ε, ε . . .]), s21

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 4 / 17

LTS’s & HML

Labeled Transition Systems (LTS’s)

1

T = (S, s00, A, →)

2

s00

a

− → s10

3

s00

bch

− − → → s31, ε – empty word

4

computations, e.g., π = (s00, b, [ε, d, e, ee, . . .]), (s11, c, [h, ε, ε, ε . . .]), s21 traces(π) = {bch, bdc, bec, beec, . . .} (s00, b, [ε, c, ch, bec]), s11 ∈ sub(π)

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 4 / 17

LTS’s & HML

Labeled Transition Systems (LTS’s)

1

T = (S, s00, A, →)

2

s00

a

− → s10

3

s00

bch

− − → → s31, ε – empty word

4

computations

5

interleaving (||) & non-deterministic choice (+)

T = (S, s0, A, →) a ∈ A, s, s′, p, p′ ∈ S s || p

a

− → s′ || p whenever s

a

− → s′ s + p

a

− → s′ whenever s

a

− → s′ s || p

a

− → s || p′ whenever p

a

− → p′ s + p

a

− → p′ whenever p

a

− → p′.

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 5 / 17

LTS’s & HML

Hennessy-Milner Logic (HML). Syntax & Semantics. φ, ψ ::= ⊤ | aφ | [a]φ | ¬φ | φ ∧ ψ | φ ∨ ψ (a ∈ A). Consider T = (S, s0, A, →), φ, ψ. It holds that: s ⊤ for all s ∈ S s ¬φ whenever s does not satisfy φ; also written as s φ s φ ∧ ψ if and only if s φ and s ψ s φ ∨ ψ if and only if s φ or s ψ s aφ if and only if s

a

− → s′ for some s′ ∈ S such that s′ φ s [a]φ if and only if s′ φ for all s′ ∈ S such that s

a

− → s′.

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 6 / 17

Causality for LTS’s – AC1

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 1. Positive causality, AC1

s0

l0

− → . . . sn

ln

− → sn+1 ∧ sn+1 φ φ = h⊤ π1 = (s40, a, D1

40), s42

π2 = (s40, a, D2

40), (s42, b, D2 42), s43

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 7 / 17

Causality for LTS’s – AC2(a)

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 2. Counter-factual, AC2(a)

∃χ ∈ A∗, s′ ∈ S : s0

χ

− → → s′ ∧ s′ ¬φ φ = h⊤ e.g., χ = acb, χ = ah

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 8 / 17

Causality of non-occurrence

What if the car leaves (Cl) the crossing before the train enters the crossing? Cl is causal by its non-occurrence...

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 9 / 17

Causality for LTS’s – AC2(c)

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 4. Causality of non-occurrence, AC2(c)

∀χ′ ∈ (traces((l0, D0) . . . (ln, Dn)) \ {l0 . . . ln}), s′ ∈ S : s0

χ′

− → → s′ ⇒ s′ ¬φ φ = h⊤ π1 = (s40, a, [c, cb, h, bh]), s42 π2 = (s40, a, [c, ε]), (s42, b, [ε, h]), s43

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 10 / 17

Causality for LTS’s – AC2(b)

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 3. Causality of occurrence, AC2(b)

∀χ′ = l0χ0 . . . lnχn ∈ (A∗ \ traces((l0, D0) . . . (ln, Dn))) ∪ {l0 . . . ln}, s0

χ′

− → → s′ ⇒ s′ φ φ = h⊤ π1 = (s40, a, [c, cb, h, bh]), s42 π2 = (s40, a, [c, ε]), (s42, b, [ε, h]), s43

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 11 / 17

Causality for LTS’s – AC3

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 5. Minimality, AC3

∀π′ ∈ sub(π) : π′ does not satisfy AC1–AC2(c) φ = h⊤ π1 = (s40, a, [c, cb, h, bh]), s42 π2 = (s40, a, [c, ε]), (s42, b, [ε, h]), s43 π1 ∈ sub(π2) satisfies AC1–AC2(c)

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 12 / 17

Causality for LTS’s – AC3

Consider T = (S, s0, A, →) and a HML property φ in T. π = (s0, l0, D0), . . . , (sn, ln, Dn), sn+1 ∈ Causes(φ, T) iff:

• 5. Minimality, AC3

∀π′ ∈ sub(π) : π′ does not satisfy AC1–AC2(c) φ = h⊤ π1 = (s40, a, [c, cb, h, bh]), s42 π2 = (s40, a, [c, ε]), (s42, b, [ε, h]), s43 π1 ∈ sub(π2) satisfies AC1–AC2(c) ⇒ π1 is causal!

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 12 / 17

Causal Projection

Consider T = (S, s0, A, →) and a HML property φ in T. We write T ↓ φ (or s0 ↓ φ) to denote the causal projection of T w.r.t. φ e.g., s0 ↓ h⊤ and p0 ↓ h′⊤:

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 13 / 17

(De-)Composing Causality

From causality in s0 || p0 to causality in s0 and/or p0?

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 14 / 17

(De-)Composing Disjunction

Consider LTS’s T = (S, s0, A, →) and T ′ = (S′, s′

0, B, →′) such that A ∩ B = ∅. Assume

two HML formulae φ and ψ over A and B, respectively. The following holds: T || T ′ ↓ (φ ∨ ψ) ≃ T ↓ φ + T ′ ↓ ψ. Example: h⊤ ∨ h′⊤

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 15 / 17

(De-)Composing Conjunction

Consider LTS’s T = (S, s0, A, →) and T ′ = (S′, s′

0, B, →′) such that A ∩ B = ∅. Assume

two HML formulae φ and ψ over A and B, respectively. The following holds: T || T ′ ↓ (φ ∧ ψ) = (T ↓ φ) || (T ′ ↓ ψ). Example: h⊤ ∧ h′⊤

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 16 / 17

Conclusions & Future Work

Our contributions:

defined causality for LTS’s & HML (reachability properties) established first compositionality results for non-communicating LTS’s

Future work:

reasoning on causality in an algorithmic / automatic fashion work in progress: encoding causality in mCLR2 extension to communicating LTS’s (in the style of CCS) extension to liveness properties (via HML with recursion)

(G. Caltais, University of Konstanz) (De-)composing Causality OPCT 2017, IST Austria 17 / 17