Symmetry Reduction for Probabilistic Model Checking

2002

In this paper we describe PRISM, a tool being developed at the University of Birmingham for the analysis of probabilistic systems. PRISM supports two probabilistic models: continuous-time Markov chains and Markov decision processes. Analysis is performed through model checking such systems against specifications written in the probabilistic temporal logics PCTL and CSL. The tool features three model checking engines: one symbolic, using BDDs (binary decision diagrams) and MTBDDs (multi-terminal BDDs); one based on sparse matrices; and one which combines both symbolic and sparse matrix methods. PRISM has been successfully used to analyse probabilistic termination, performance, dependability and quality of service properties for a range of systems, including randomized distributed algorithms, polling systems, workstation cluster and wireless cell communication.

2000

In this paper we describe our experience with model checking randomized distributed algorithms using PRISM, a symbolic model checker for concurrent probabilistic systems currently being developed. PRISM uses Multi-Terminal Binary Decision Diagrams (MTBDDs) as supplied by the CUDD package of Fabio Somenzi. Implemented in Java, PRISM has a system description language similar to Reactive Modules and supports model checking of probabilistic temporal logic PCTL (also under fairness constraints). Our experiments indicate that using the BDD variable ordering induced from the Kronecker representation yields very efficient MTBDD representations of randomized distributed algorithms. In particular, we are able to construct models of up to 10 30 states in seconds. Model checking of 'with probability 1' PCTL properties is also fast. The efficiency of numerical computation with MTBDDs, however, and hence also model checking of quantitative probabilistic temporal logic properties, is still considerably poorer than e.g. for sparse matrices. Descriptions and statistics obtained for several case studies can be found at

1999

Symbolic model checking for purely probabilistic processes using MTBDDs was introduced in [4] and further developed in . In this paper we consider models for concurrent probabilistic systems similar to those of and the concurrent Markov chains of , which extend the purely probabilistic processes through the addition of nondeterministic choice. As a specification formalism we use probabilistic branchingtime temporal logic PBTL of , which allows to express properties such as "under any scheduling of nondeterministic choices, the probability of φ holding until ψ is true is at least 0.78". In it is shown that the verification of "until" properties can be reduced to a linear programming problem and solved with the help of e.g. the simplex algorithm, but no symbolic model checking is considered. Based on the algorithms of , we derive symbolic model checking procedure for PBTL over concurrent probabilistic systems using MTBDDs. We furthermore implement an experimental model checker using the Colorado University Decision Diagrams (CUDD) package . Our key contribution is an implementation of the simplex algorithm in terms of MTBDDs. * supported in part by EPSRC grants GR/M04617 and GR/M13046 1 The model checking algorithms of coincide for the case of verification without fairness constraints. Fairness is needed for the verification of liveness properties and is considered in .

Formal Methods for Industrial Critical Systems, 2012

relevant case study: the IEEE 802.3 (CSMA/CD) protocol. We also discuss two contrasting approaches to the implementation of probabilistic model checking, namely those based on numerical computation and those based on discrete-event simulation. Using results from the two tools PRISM and APMC, we summarise the advantages, disadvantages and trade-offs associated with these techniques.

International Journal on Software Tools for Technology Transfer, 2004

In this paper we present efficient symbolic techniques for probabilistic model checking. These have been implemented in PRISM, a tool for the analysis of probabilistic models such as discrete-time Markov chains, continuous-time Markov chains and Markov decision processes using specifications in the probabilistic temporal logics PCTL and CSL. Motivated by the success of model checkers such as SMV which use BDDs (binary decision diagrams), we have developed an implementation of PCTL and CSL model checking based on MTBDDs (multi-terminal BDDs) and BDDs. Existing work in this direction has been hindered by the generally poor performance of MTBDD-based numerical computation, which is often substantially slower than explicit methods using sparse matrices. The focus of this paper is a novel hybrid technique which combines aspects of symbolic and explicit approaches to overcome these performance problems. For typical examples, we achieve a dramatic improvement over the purely symbolic approach. In addition, thanks to the compact model representation using MTBDDs, we can verify systems an order of magnitude larger than with sparse matrices, while almost matching or even beating them for speed.

Electronic Notes in Theoretical Computer Science, 2008

The verification of quantitative aspects like performance and dependability by means of model checking has become an important and vivid area of research over the past decade. An important result of that research is the logic CSL (continuous stochastic logic) and its corresponding model checking algorithms. The evaluation of properties expressed in CSL makes it necessary to solve large systems of linear (differential) equations, usually by means of numerical analysis. Both the inherent time and space complexity of the numerical algorithms make it practically infeasible to model check systems with more than 100 million states, whereas realistic system models may have billions of states. To overcome this severe restriction, it is important to be able to replace the original state space with a probabilistically equivalent, but smaller one. The most prominent equivalence relation is bisimulation, for which also a stochastic variant exists (Markovian bisimulation). In many cases, this bisimulation allows for a substantial reduction of the state space size. But, these savings in space come at the cost of an increased time complexity. Therefore in this paper a new distributed signature-based algorithm for the computation of the bisimulation quotient of a given state space is introduced. To demonstrate the feasibility of our approach in both a sequential, and more important, in a distributed setting, we have performed a number of case studies.

ACM Transactions on Computational Logic, 2007

The goal of model checking is to verify the correctness of a given program, on all its inputs. The main obstacle, in many cases, is the intractably large size of the program's transition system. Property testing is a randomized method to verify whether some fixed property holds on individual inputs, by looking at a small random part of that input. We join the strengths of both approaches by introducing a new notion of probabilistic abstraction, and by extending the framework of model checking to include the use of these abstractions.

2006

Probabilistic model checking is an automatic formal verification technique for analysing quantitative properties of systems which exhibit stochastic behaviour. PRISM is a probabilistic model checking tool which has already been successfully deployed in a wide range of application domains, from real-time communication protocols to biological signalling pathways. The tool has recently undergone a significant amount of development. Major additions include facilities to manually explore models, Monte-Carlo discrete-event simulation techniques for approximate model analysis (including support for distributed simulation) and the ability to compute cost- and reward-based measures, e.g. “the expected energy consumption of the system before the first failure occurs”. This paper presents an overview of all the main features of PRISM. More information can be found on the website: www.cs.bham.ac.uk/~dxp/prism.

Eccc, 2001

The goal of model checking is to verify the correctness of a given program, on all its inputs. The main obstacle, in many cases, is the intractably large size of the program's transition system. Property testing is a randomized method to verify whether some fixed property holds on individual inputs, by looking at a small random part of that input. We join the strengths of both approaches by introducing a new notion of probabilistic abstraction, and by extending the framework of model checking to include the use of these abstractions.

Sigmetrics Performance Evaluation Review, 2005

In this paper, we describe some practical applications of probabilistic model checking, a technique for the formal analysis of systems which exhibit stochastic behaviour. We give an overview of a selection of case studies carried out using the probabilistic model checking tool PRISM, demonstrating the wide range of application domains to which these methods are applicable. We also illustrate several benefits of using formal verification techniques to analyse probabilistic systems, including: (i) that they allow a wide range of numerical properties to be computed accurately; and (ii) that they perform a complete and exhaustive analysis enabling, for example, a study of best-and worst-case scenarios.

2008 11th IEEE Workshop on Design and Diagnostics of Electronic Circuits and Systems, 2008

In formal verification, reliable results are of utmost bilistic models and logics that can be handled algorithmically, importance. In model checking of digital systems, mainly init has also reached the usage within industrial applications. correct implementations of the model checking algorithms due There are several academic tools available for stochastic to logical errors are the source of wrong results. In probabilistic model checking, however, numerical instabilities are an additional model checking. We are only aware of two publications about source for inconsistent results. computing probabilities in a reliable way: [2] computes regular We motivate our investigations with an example, for which expressions in a symbolic way from which the probabilities several state-of-the-art probabilistic model checking tools give can be derived using only addition and multiplication, which completely wrong results due to inexact computations. We then can be performed with rational arithmetic. However, this analyze, at which points inaccuracies are introduced during the model checking process. We discuss first ideas how, in spite of approach cannot cope with nested PCTL formulae and we these inaccuracies, reliable results can be obtained or at least the do not expect it to scale well. The second paper [3] deals user be warned about potential correctness problems: (1) usage with performance analysis for compositional probabilistic I/O of exact (rational) arithmetic, (2) usage of interval arithmetic automata, but without comparison to inexact arithmetic. to obtain safe approximations of the actual probabilities, (3) All other state-of-the-art tools like PRISM [4] and 10 years, stochastic model checking has been in the focus Of the basic definitions of discrete-time Markov chains (DTMCs), intense research and besides enormous advances w. r. t. probathe logic PCTL, and the algorithms for model checking PCTL formulae on DTMCs. We motivate our investigation by pro-*This work was partly supported by the German Research Council (DFG) viding an example for which inexact arithmetic is definitively as part of the Transregional Collaborative Research Center "Automatic Verification and Analysis of Complex Systems" (SFBITR 14 AVACS). See inappropriate. The next section is devoted to the analysis, www. avacs .org for more information, at which points of the model checking process inaccuracies

2010

We present a compositional verification technique for systems that exhibit both probabilistic and nondeterministic behaviour. We adopt an assume-guarantee approach to verification, where both the assumptions made about system components and the guarantees that they provide are regular safety properties, represented by finite automata. Unlike previous proposals for assume-guarantee reasoning about probabilistic systems, our approach does not require that components interact in a fully synchronous fashion. In addition, the compositional verification method is efficient and fully automated, based on a reduction to the problem of multi-objective probabilistic model checking. We present asymmetric and circular assume-guarantee rules, and show how they can be adapted to form quantitative queries, yielding lower and upper bounds on the actual probabilities that a property is satisfied. Our techniques have been implemented and applied to several large case studies, including instances where conventional probabilistic verification is infeasible.

IEEE Transactions on Software Engineering, 2000

We present an implementation of model checking for probabilistic and stochastic extensions of the π-calculus, a process algebra which supports modelling of concurrency and mobility. Formal verification techniques for such extensions have clear applications in several domains, including mobile ad-hoc network protocols, probabilistic security protocols and biological pathways. Despite this, no implementation of automated verification exists. Building upon the π-calculus model checker MMC, we first show an automated procedure for constructing the underlying semantic model of a probabilistic or stochastic π-calculus process. This can then be verified using existing probabilistic model checkers such as PRISM. Secondly, we demonstrate how for processes of a specific structure a more efficient, compositional approach is applicable, which uses our extension of MMC on each parallel component of the system and then translates the results into a high-level modular description for the PRISM tool. The feasibility of our techniques is demonstrated through a number of case studies from the π-calculus literature.

1993

Model checking is a powerful technique for verification of concurrent systems. One of the potential problems with this technique is state space explosion. There are two ways in which one could cope with state explosion: reducing the search space and searching less space. Most of the existing algorithms are based on the first approach. One of the successful approach for reducing search space uses Binary Decision Diagrams (BDDs) to represent the system. Systems with a large number of states (of the order of 5 x 10") have been thus verified. But there are limitations to this heuristic approach. Even systems of reasonable complexity have many more states. Also, the BDD approach might fail even on some simple systems. In this paper we propose the use of parallelism to extend the applicability of BDDs in model checking. In particular we present very fast algorithms for model checking that employ BDDs. The algorithms presented are much faster than the best known previous algorithms. We also describe searching less space as an attractive approach to model checking. In this paper we demonstrate the power of this approach. We also suggest the use of randomization in the design of model checking algorithms.

FM 2006: Formal Methods, 2006

Abstract. Symmetry reduction techniques can help to combat the state space explosion problem for model checking, but are restricted by the hard problem of determining equivalence of states during search. Con-sequently, existing symmetry reduction packages can only exploit full ...