Limit-Deterministic Büchi Automata for Probabilistic Model Checking
Technische Universität München
Javier Esparza Jan Křetínský Salomon Sickert Stefan Jaax
PROBABILISTIC MODEL CHECKING
Markov Decision Process (MDP)
At each state, a scheduler chooses a probability distribution, and then the next state is chosen stochastically according to the distribution.
MDP → Markov chain
schedulers with probability 1?
schedulers with probability at least c?
Initial Component: (possibly) non-deterministic. Accepting Component: deterministic. “Jumps” lead from the initial to the accepting component.
Kripke struct. + LTL → Product → Emptiness check → Yes/No (Vardi, Wolper, mid 80s)
MDP + LTL → Limit-det. Büchi → Product → Prob=1? → Yes/No
Vardi and Wolper; Courcoubetis and Yannakakis [95]
the formula, optimal.
quantitative case.
MDP + LTL → Safra [89] → Product → P≥0.7? → Yes/No
in the formula.
quantitative case.
Our Construction
MDP + LTL → Limit-det. Büchi → Product → P≥0.7? → Yes/No
Initial Component: non-deterministic. Accepting Component: deterministic. “Jumps” lead from the initial to the accepting component.
In our construction: deterministic. Every run “uses” nondeterminism at most once.
if satisfies satisfies all the subformulas of satisfied by , and perhaps more then satisfies
Only liveness operator.
The formula (,) (“ after ”) is defined by:
property that must hold now for the original property to hold at the beginning
enough.
and a word . Let be a -subformula of .
c b a b a b c c
eventually stabilizes to a set Trues(,).
can nondeterministically jump to the accepting component.
that the rest of the word satisfies
1. (every formula of ), and
2. ⇒ even if no other -subformula of ever becomes true.
“check that the guess is correct”, i.e., accept iff the guess is correct.
which implies ⊨ (tracking!)
for some suffix ′ and so the jump before ′ that chooses ≔ True , satisfies 1. and 2.
“guesses” that the rest of the run satisfies
1. (every formula of ), and
2. ⇒ even if no other -subformula of ever becomes true.
suffices to construct two DBAs for 1. and 2.
= ∨ ∧ ( ∨ ) = { ∨ }
Reduces to checking
[ \ tt , \ ff ]
becomes true”
= ∧ ∧ ( ∨ ) = { , ∧ ∨ }
reduces to checking ∧ ≡ ( ∧ )
Tracking automaton for
Accepting component for
Tracking automaton for
[ \ , \ ]
Automaton for
, where is G-free
Accepting component for
( ∨ ) ∧
( ∨ )
Tracking automaton for X Automaton for ( ∨ )
Guess = {( ∨ )}
( ∨ ) ∧
( ∨ )
tt
Example: run of the tracking automaton on the word a c b c (figure)
1. Tracking DBA for (abbr. ≔ ∨ )
checking and the –remainder
positive boolean combination of subformulas of . ∨ ( ∨ )
2 “tracking formulas” up to equivalence, even if we leave temporal operators uninterpreted. ∧ ∨ = ∨ ≠
Part                  Size
Initial Component     2^(2^n)
G-Monitor             2^(2^(n+1))
Accepting Component   2^(2^O(n))
Total                 2^(2^O(n))
LDBA vs. Safra (spot+ltl2dstar) vs. Rabinizer (chart)
MODEL CHECKING RUNTIME, PNUELI-ZUCK MUTEX PROTOCOL (chart; x-axis: #Clients; series: Our Imp. explicit, IscasMC explicit, PRISM+Rabinizer symbolic, PRISM symbolic)
Uncontrolled system + LTL → Product → Parity game
single exp. Safra, single exp.
Uncontrolled system + LTL → Limit-det. Büchi → Product → Parity game
double exp. single exp.
Limit-det. Büchi LTL
Model checking Probabilistic model checking for MDPs Synthesis
Probabilistic model checking for MCs Good for Games Synthesis