Refined Probabilistic Abstraction
Björn Wachter

December 8, 2010

• Bug in control software of power network
  ⇒ 50 million people without electricity

Model checking: "does a computing system behave as intended?"
• mathematical model M of system
• specification ϕ
• automatic proof or refutation of: M ⊨ ϕ
• Example: ϕ = no arithmetic overflow
  (figure: transition system from the initial state s0 to an error state, e.g., arithmetic overflow)

Probabilities are Important
• computer networks
  • performance: P(message loss) = 2%
  • reliability: P(node failure) = 3%
• randomized algorithms
  • network protocols
  • sorting algorithms
  • ...

Probabilistic Model checking
• models: Markov chains
• properties: PCTL
• Zeroconf protocol
  • IP for new member picked probabilistically
  • bad: two members have the same IP!
  • property: P(same IP) < 0.01
  (figure: Markov chain from s0 to the state "same IP")

Why Abstraction?
• Limitations of probabilistic model checking
  • based on state-space exploration
  • state-space explosion problem
• Abstraction very successful
• Refinement fits the abstraction to the property
(figure: abstraction maps the model M to an abstract model M♯; checking M♯ ⊨ ϕ gives guarantees about M ⊨ ϕ; if the abstraction is too coarse, refine and repeat)

Contribution
Abstraction refinement for very large probabilistic models
• ... even infinite ones!
• implementation in PASS tool
• successful on various network protocols
  • Wireless LAN
  • IPv4
  • BRP
  • ...

Background

Probabilistic Programs
    // parallel composition of modules
    module sender
      i : int;                            // variable definition
      ...
    endmodule
    module channelK
      [aF] (k=0) -> 0.98 : (k'=1)         // probabilistic
                 +  0.02 : (k'=2);        // guarded command
    endmodule
    init T = false & ... endinit          // initial states

Semantics: Markov Decision Process (MDP)
• states S ≅ assignments to program variables
• probabilistic transitions ≅ probabilistic choice
• non-deterministic choice ≅ concurrency
(figure: MDP over states s0, ..., s4; in s0 there is a non-deterministic choice between actions b and c, each followed by a probabilistic branch with probabilities 1/2, 1/3 and 2/3)
• Markov chain ≅ deterministic MDP

Properties: Probabilistic Reachability
• probabilities to reach states F ⊆ S
• valuations $[0,1]^S \cong S \to [0,1]$
• adversary $\eta : \mathit{Paths} \to A$
  • resolves non-determinism
  ⇒ induces a Markov chain
• reachability probability $p^\eta_F$
  • depends on adversary η
  (figure: in the example MDP, choosing c in s0 gives reachability probability 1, choosing b gives 1/2)
  • minimal/maximal:
    $p^{\min}_F = \inf_\eta p^\eta_F$, $\quad p^{\max}_F = \sup_\eta p^\eta_F$
• $p^{\min}_F$ = least fixpoint of $\mathit{Pre}^{\min} : [0,1]^S \to [0,1]^S$,
  $$ w \mapsto \lambda s.\ \begin{cases} 1 & ;\ s \in F \\ 0 & ;\ s \in F_0 \\ \min_{a \in A(s)} \sum_{(u,t) \in U \times S} R(s,u,t) \cdot w(t) & ;\ \text{ow.} \end{cases} $$
• $p^{\max}_F$ = least fixpoint of $\mathit{Pre}^{\max} : [0,1]^S \to [0,1]^S$,
  $$ w \mapsto \lambda s.\ \begin{cases} 1 & ;\ s \in F \\ 0 & ;\ s \in F_0 \\ \max_{a \in A(s)} \sum_{(u,t) \in U \times S} R(s,u,t) \cdot w(t) & ;\ \text{ow.} \end{cases} $$

Abstraction

Abstraction for Probabilistic Reachability
• Problem: many states S; reachability probability in general hard to compute
  (figure: 16 states with reachability probabilities
     1.0 0.5 1.0 1.0
     0.2 0.1 1.0 1.0
     0.3 0.7 0.4 0.1
     0.0 0.8 0.3 0.2)
1. merge states to blocks Q
   • in example, 16 states but only 3 blocks Q = {B1, B2, B3}
2. compute abstract valuations $[0,1]^Q$
   • lower-bound analysis: B1 ↦ 0.1, B2 ↦ 1.0, B3 ↦ 0.0
   • upper-bound analysis: B1 ↦ 1.0, B2 ↦ 1.0, B3 ↦ 0.8

Challenge of Analysis Design
• uncertainty from abstraction, probabilism and concurrency: complex interplay
• Open Question: what does an optimal analysis look like?
• Our solution:
  • Recipe: Abstract Interpretation [Cousot77]
  • Ingredients: abstraction functions

Abstraction & concretization
1. abstraction functions: $[0,1]^S \to [0,1]^Q$
   • mappings $S \to [0,1] \ \mapsto\ Q \to [0,1]$
   • lower bound: $\alpha^l(w) = \lambda B.\ \inf_{s \in B} w(s)$
   • upper bound: $\alpha^u(w) = \lambda B.\ \sup_{s \in B} w(s)$
   (figure: for the w of the 16-state example, $\alpha^l(w)$ = (B1: 0.1, B2: 1.0, B3: 0.0) and $\alpha^u(w)$ = (B1: 1.0, B2: 1.0, B3: 0.8))
2. concretization function (or meaning function) $\gamma : [0,1]^Q \to [0,1]^S$
   • $\gamma(w^\sharp) = \lambda s.\ w^\sharp([s])$
   (figure: $\gamma(\alpha^u(w))$ assigns 1.0 to every state of B1 and B2 and 0.8 to every state of B3; $\gamma(\alpha^l(w))$ assigns 0.1, 1.0 and 0.0)

How do we get an Abstract Analysis?
• abstract analysis
  • function $f^\sharp : [0,1]^Q \to [0,1]^Q$
  ⇒ lower/upper bound = fixpoint of $f^\sharp$
• Best-transformer paradigm [Cousot 2002]
  (figure: $f^\sharp$ on $[0,1]^Q$ is obtained from the concrete transformer of the MDP on $[0,1]^S$ via γ and α)
  • concrete transformers $\mathit{Pre}^{\min}_F$ and $\mathit{Pre}^{\max}_F$, with fixpoints $p^{\min}_F$ and $p^{\max}_F$
  • abstract transformers: $\alpha^l \circ \mathit{Pre}^{\min}_F \circ \gamma$ and $\alpha^u \circ \mathit{Pre}^{\min}_F \circ \gamma$ (lower/upper bound for $p^{\min}_F$), $\alpha^l \circ \mathit{Pre}^{\max}_F \circ \gamma$ and $\alpha^u \circ \mathit{Pre}^{\max}_F \circ \gamma$ (lower/upper bound for $p^{\max}_F$)

Abstract Transformers = Stochastic Games
$$(\alpha^u \circ \mathit{Pre}^{\min}_F \circ \gamma(w^\sharp))(B) = \sup_{s \in B} \mathit{Pre}^{\min}_F(\gamma(w^\sharp))(s) = \sup_{s \in B} \min_{a \in A(s)} \sum_{s' \in S} R(s,a)(s') \cdot (\gamma(w^\sharp))(s')$$
• Markov models
  • Markov chain = 1/2 player
  • MDP = 1 1/2 player
  • stochastic game = 2 1/2 player
• minimum / maximum over all strategies for both players:
  $p^{\min,\min}_F$, $p^{\max,\min}_F$, $p^{\min,\max}_F$, $p^{\max,\max}_F$
(figure: the inner min/max over a ∈ A(s) is the choice of the concurrency player, the outer sup/inf over s ∈ B the choice of the abstraction player)
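The two-step picture of the last slides (least fixpoint of Pre^min/Pre^max on the concrete MDP, then alpha^l, alpha^u, gamma and the best abstract transformer alpha ∘ Pre ∘ gamma on a partition) as one runnable example. This is added here and is not the slides' code nor PASS's implementation. The 5-state MDP, the two partitions (a coarse one that lumps the dead state s4 together with s1 and s2, and a refined one that separates it) and all function names are constructed for this example; the 4×4 grid of probabilities and its three blocks are the slides' 16-state figure, with the block layout (B1 top-left 2×2, B2 top-right 2×2, B3 bottom two rows) read off the figure as an assumption. It shows the coarse abstraction bracketing p^min(s0) = 1/2 by [1/3, 1] while the refined one pins it down exactly.

```python
from typing import Callable, Dict, Set

State = str
Block = str
Valuation = Dict[str, float]          # [0,1]^S or [0,1]^Q as a dict

# Constructed MDP (not the slides' figure): state -> action -> distribution over successors.
# F = {s3} is the target set; s4 can never reach F, so it belongs to F0.
MDP: Dict[State, Dict[str, Dict[State, float]]] = {
    "s0": {"b": {"s3": 0.5, "s4": 0.5},
           "c": {"s1": 1 / 3, "s2": 1 / 3, "s3": 1 / 3}},
    "s1": {"a": {"s3": 1.0}},
    "s2": {"a": {"s2": 1 / 3, "s3": 2 / 3}},       # probabilistic self-loop
    "s3": {"a": {"s3": 1.0}},
    "s4": {"a": {"s4": 1.0}},
}
F: Set[State] = {"s3"}


def cannot_reach(mdp, targets) -> Set[State]:
    """F0: states with no path into the target set (backwards graph search)."""
    can = set(targets)
    changed = True
    while changed:
        changed = False
        for s, actions in mdp.items():
            if s not in can and any(t in can for d in actions.values() for t in d):
                can.add(s)
                changed = True
    return set(mdp) - can


def pre(mdp, targets, dead, opt) -> Callable[[Valuation], Valuation]:
    """Pre^min (opt=min) / Pre^max (opt=max) from the slides, as a function on valuations."""
    def transformer(w: Valuation) -> Valuation:
        out = {}
        for s, actions in mdp.items():
            if s in targets:
                out[s] = 1.0
            elif s in dead:
                out[s] = 0.0
            else:
                out[s] = opt(sum(p * w[t] for t, p in d.items()) for d in actions.values())
        return out
    return transformer


def lfp(f, keys, eps=1e-12, max_iter=100_000) -> Valuation:
    """Least fixpoint of a monotone transformer: iterate from the all-zero valuation."""
    w = {k: 0.0 for k in keys}
    for _ in range(max_iter):
        w_next = f(w)
        if max(abs(w_next[k] - w[k]) for k in keys) < eps:
            return w_next
        w = w_next
    return w


def reach_min_max(mdp, targets):
    """(p^min_F, p^max_F) as least fixpoints of Pre^min and Pre^max."""
    dead = cannot_reach(mdp, targets)
    return lfp(pre(mdp, targets, dead, min), mdp), lfp(pre(mdp, targets, dead, max), mdp)


def alpha(w: Valuation, partition: Dict[Block, Set[State]], agg) -> Valuation:
    """alpha^l (agg=min) or alpha^u (agg=max): inf/sup of w over each block."""
    return {B: agg(w[s] for s in states) for B, states in partition.items()}


def gamma(w_abs: Valuation, partition: Dict[Block, Set[State]]) -> Valuation:
    """gamma(w#) = lambda s. w#([s]): every state receives its block's value."""
    return {s: w_abs[B] for B, states in partition.items() for s in states}


def abstract_bounds(mdp, targets, partition):
    """Least fixpoints of alpha^l . Pre^min . gamma and alpha^u . Pre^min . gamma:
    a lower and an upper bound on p^min_F per block (the best transformers)."""
    pre_min = pre(mdp, targets, cannot_reach(mdp, targets), min)
    lower = lfp(lambda v: alpha(pre_min(gamma(v, partition)), partition, min), partition)
    upper = lfp(lambda v: alpha(pre_min(gamma(v, partition)), partition, max), partition)
    return lower, upper


# The slides' 16-state figure as a valuation; the block layout is an assumption.
GRID = [[1.0, 0.5, 1.0, 1.0], [0.2, 0.1, 1.0, 1.0],
        [0.3, 0.7, 0.4, 0.1], [0.0, 0.8, 0.3, 0.2]]
GRID_W: Valuation = {f"g{r}{c}": GRID[r][c] for r in range(4) for c in range(4)}
GRID_Q = {"B1": {f"g{r}{c}" for r in (0, 1) for c in (0, 1)},
          "B2": {f"g{r}{c}" for r in (0, 1) for c in (2, 3)},
          "B3": {f"g{r}{c}" for r in (2, 3) for c in range(4)}}

if __name__ == "__main__":
    pmin, pmax = reach_min_max(MDP, F)
    print("p^min(s0) =", pmin["s0"], " p^max(s0) =", round(pmax["s0"], 9))
    coarse = {"B0": {"s0"}, "B1": {"s1", "s2", "s4"}, "B2": {"s3"}}
    fine = {"B0": {"s0"}, "B1": {"s1", "s2"}, "B2": {"s3"}, "B3": {"s4"}}
    for name, q in (("coarse", coarse), ("refined", fine)):
        lo, hi = abstract_bounds(MDP, F, q)
        print(f"{name}: p^min(s0) in [{lo['B0']:.4f}, {hi['B0']:.4f}]")
    print("alpha^l:", alpha(GRID_W, GRID_Q, min), " alpha^u:", alpha(GRID_W, GRID_Q, max))
```

The abstract iteration never touches the concrete fixpoint: each round concretises the block valuation with gamma, applies one concrete Pre^min step, and folds back with alpha. Soundness comes from gamma ∘ alpha^l ≤ id ≤ gamma ∘ alpha^u, which is why the two abstract fixpoints bracket the concrete one.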

Wrap-up
• diagram defines an abstract semantics (mathematics)
  (diagram: probabilistic program → semantics → MDP → reachability probability; MDP → abstraction → abstract MDP → [lb, ub]; ✓ reachability probability ∈ [lb, ub])
• Next: how to compute this

State of the Art before Thesis
• de Alfaro, Roy. Magnifying-Lens Abstraction for Markov Decision Processes. CAV 2007
• Chatterjee, Henzinger, Jhala, Majumdar. Counterexample Guided Planning. UAI 2005
• D'Argenio, Jeannet, Jensen, Larsen. Reduction and Refinement Strategies for Probabilistic Analysis. PAPM-PROBMIV 2002
• ... build full semantics ⇒ expensive or even impossible
Premiere: 1st symbolic abstraction for probabilistic programs
• abstraction at the language level
(figure: probabilistic program → symbolic abstraction → abstract model, without building the full semantics)

Predicate Abstraction
• Predicates ≅ expressions over program variables
  • e.g., x > 0, x < y
• Predicates define ⇒ partition
  • Blocks
  (figure: the states (x=0, y=0), (x=−2, y=0), (x=5, y=3), (x=−5, y=3), (x=0, y=−1), (x=−2, y=−1), (x=5, y=−7), (x=−8, y=−7) grouped into four blocks by the truth values ✓/✗ of x ≥ 0 and y ≥ 0)
• Blocks define ⇒ abstract model
  • stochastic game
• reduce abstraction to satisfiability of logical formulas
  ⇒ implemented by SMT solver
  • SMT = Satisfiability Modulo Theories

Example
• Consider program
    module main
      s : [0..2];       // control flow
      x,y : int;        // integer variables
      [a] s=0        -> 1.0:(s'=1) & (x'=y);
      [b] s=0 & x>10 -> 0.5:(s'=0) + 0.5:(s'=2);
    endmodule
• predicates s = 0, s = 1, s = 2, x = 0, x > 0, x < 0
• stochastic two-player game
  (figure: from the block (s = 0, x > 0), command a leads, by a choice "?" of the abstraction player, to one of the blocks (s = 1, x < 0), (s = 1, x = 0), (s = 1, x > 0); command b leads with probability 0.5 back to (s = 0, x > 0) and with probability 0.5 to (s = 2, x > 0))
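The abstract game of this slide computed concretely, as an added example (it is not the slides' code and not PASS's implementation). The program, the predicates and the two commands are the slide's; the bounded integer range and the enumeration of concrete states are this example's stand-in for the satisfiability queries that PASS hands to an SMT solver. The question answered per block, command and successor is the same one: is there a concrete state in the block that enables the command and whose update lands in that successor block. When several successor distributions arise from one block and command, the abstraction player chooses among them.

```python
from itertools import product
from typing import Callable, Dict, FrozenSet, List, Set, Tuple

Concrete = Tuple[int, int, int]               # (s, x, y)
Abstract = FrozenSet[str]                     # a block = the set of predicates that hold
Formula = Callable[[Concrete], bool]

# The slide's predicates s=0, s=1, s=2, x=0, x>0, x<0.
PREDICATES: Dict[str, Formula] = {
    "s=0": lambda c: c[0] == 0, "s=1": lambda c: c[0] == 1, "s=2": lambda c: c[0] == 2,
    "x=0": lambda c: c[1] == 0, "x>0": lambda c: c[1] > 0, "x<0": lambda c: c[1] < 0,
}

# The slide's guarded commands: (label, guard, [(probability, update)]).
COMMANDS: List[Tuple[str, Formula, List[Tuple[float, Callable[[Concrete], Concrete]]]]] = [
    ("a", lambda c: c[0] == 0,
          [(1.0, lambda c: (1, c[2], c[2]))]),                        # s'=1 & x'=y
    ("b", lambda c: c[0] == 0 and c[1] > 10,
          [(0.5, lambda c: (0, c[1], c[2])), (0.5, lambda c: (2, c[1], c[2]))]),
]

BOUND = 15   # constructed finite range for x and y; PASS asks an SMT solver instead


def block_of(c: Concrete) -> Abstract:
    """[c] on the slides: the block of c is the set of predicates true in c."""
    return frozenset(name for name, holds in PREDICATES.items() if holds(c))


def concrete_states():
    """Bounded stand-in for the (infinite) concrete state space."""
    for s, x, y in product(range(3), range(-BOUND, BOUND + 1), range(-BOUND, BOUND + 1)):
        yield (s, x, y)


AbstractDist = Tuple[Tuple[Abstract, float], ...]


def abstract_game() -> Dict[Abstract, Dict[str, Set[AbstractDist]]]:
    """Block -> command label -> set of abstract distributions over successor blocks.
    Every concrete state of a block that enables the command contributes the
    distribution it induces; when those differ, the abstraction player chooses."""
    game: Dict[Abstract, Dict[str, Set[AbstractDist]]] = {}
    for c in concrete_states():
        B = block_of(c)
        for label, guard, branches in COMMANDS:
            if not guard(c):
                continue
            dist: Dict[Abstract, float] = {}
            for p, update in branches:
                succ = block_of(update(c))
                dist[succ] = dist.get(succ, 0.0) + p
            key = tuple(sorted(dist.items(), key=lambda kv: sorted(kv[0])))
            game.setdefault(B, {}).setdefault(label, set()).add(key)
    return game


def pretty(game) -> Dict[str, Dict[str, Set[Tuple[Tuple[str, float], ...]]]]:
    """The same game with blocks written as 's=0,x>0' etc."""
    name = lambda B: ",".join(sorted(B))
    return {name(B): {label: {tuple((name(B2), p) for B2, p in d) for d in dists}
                      for label, dists in cmds.items()}
            for B, cmds in game.items()}


if __name__ == "__main__":
    for block, cmds in sorted(pretty(abstract_game()).items()):
        for label, dists in cmds.items():
            print(f"({block}) --[{label}]--> {sorted(dists)}")
```

Running it prints, for the block (s=0, x>0), the three alternative successors of command a (the value of y is invisible to the predicates, so the abstraction player picks the sign of the new x) and the single 0.5/0.5 distribution of command b, which matches the game drawn on the slide.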

Wrap-up
• fully automatic and symbolic abstraction
  • for given predicate set
• ... but where do predicates come from?
(diagram: probabilistic program → semantics → MDP; probabilistic program → predicate abstraction → abstract MDP)

Reachability Properties
$P^{\eta^\sharp}_B(\Diamond e) < 0.03$
(figure: abstract model from the initial block s0 to the error block e)

Abstraction Refinement
(plot: reachability probability against refinement steps; the interval of uncertainty due to abstraction narrows with each refinement step; the property is $P^{\eta^\sharp}_B(\Diamond e) < p$, and the outcome depends on where the threshold p lies relative to the bounds)
• Property shown ✓
• Property refuted ✗
• Inconclusive ?: refinement due

CEGAR: Counterexample-Guided Abstraction Refinement
• refinement technique in software model checking
  • SLAM project at Microsoft [Ball/Rajamani 2002, ...]
  • Blast
  • ...
(loop: program and property → build abstraction → analyse abstraction → ✓ or abstract CE → analyse CE → ✗ CE or new predicates → build abstraction)
• What is an abstract CE?
• pioneering work in probabilistic verification

Counterexamples
                          Safety: Error State Unreachable    Probabilistic Reachability
  model                   Transition System                  Stochastic Game
  resolve nondet. choice  CE is a Path                       CE is a Markov Chain
  meaning                 "error state is reachable"         "probability to reach error state = 1/3"
(figure: the counterexample Markov chain branches with probabilities 1/3 and 2/3 and contains a cycle, so it comprises many paths ...)

Conventional counterexample analysis
• check if the abstract counterexample is realisable ...
  (figure: abstract path B0 → B1 → B2 → B3 → B4 → error)
• if so, we've found a bug
• ... or spurious
  • abstraction too coarse, i.e., needs refinement
  (figure: spurious path; the states of B2 reachable via the prefix B0 → B1 → B2 differ from those that can do the postfix B2 → B3 → B4)
• Implementation with SMT solver:
  • convert path to formula
  • path realisable ⇐⇒ formula satisfiable
  • generate splitting predicate, e.g., by interpolation

Analysis of Probabilistic CE
• Is there a matching real counterexample?
  • replay decisions of abstract counterexample
  (figure: abstract CE over blocks B0, B1, B2 with commands c0, c1, c2 and updates u1 (probability 1/3), u2 (probability 2/3), u3, u4)
• Challenge: CE corresponds to many paths
  • Markov chain: cyclic & has probabilistic branching
• Goal 1: Leverage conventional counterexample analysis
  • path analysis based on SMT and interpolation
• Goal 2: avoid exploring too many paths

Probabilistic CEGAR
• enumerate paths of CE Markov chain
• visit paths with highest probability first [Han&Katoen 2007]
  • path $\sigma_1^\sharp$
    • if spurious generate predicate (interpolation)
  • path $\sigma_2^\sharp$
  • ...
• realisable probability mass > p?
(figure: the abstract probability mass $P^{\eta^\sharp}_B(\Diamond e)$ split over the paths $\sigma_1^\sharp, \sigma_2^\sharp, \sigma_3^\sharp, \sigma_4^\sharp, \sigma_5^\sharp, \ldots$; question: $P^{\eta^\sharp}_B(\text{realisable paths}) > p$?)

Computing realisable probability is harder than it seems
• realisable probability ≠ $\sum \{ P(\sigma^\sharp) \mid \text{realizable path} \}$
(figure: abstract CE over blocks B0, B1, B2, B3 with commands c0, c1 and updates u1 (probability 1/3), u2 (probability 2/3), u3; goal states in B3. Every path is realizable, so $\sum \{ P(\sigma^\sharp) \mid \text{realizable path} \} = 1$, but for the concrete initial states $P_{s_1}(\Diamond e) = 1/3$ and $P_{s_0}(\Diamond e) = 2/3$, so the realisable probability is 2/3)

Theorem (Realisable probability)
Realisable probability as optimisation problem:
$$\mathit{MaxSmt}(\mathit{exp}_1, \ldots, \mathit{exp}_n) = \max \Big\{ \sum_{i=1}^{n} [\![\mathit{exp}_i]\!]_s \cdot p_i \ \Big|\ s \in [\![ I \wedge F(B) ]\!] \Big\}$$
where $\mathit{exp}_i$ characterizes path $\sigma_i$
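The theorem as a brute-force computation over a bounded domain, added here as an example; it is not the slides' code and not PASS, which hands the optimisation to a MaxSMT solver. The two path formulas, their probabilities 1/3 and 2/3 and the domain of initial states are constructed to mirror the slide's figure: each path is realisable from some initial state, so the naive sum is 1, while no single initial state realises both, so the realisable probability is 2/3.

```python
from typing import Callable, Dict, Iterable, List, Optional, Tuple

ConcreteState = Dict[str, int]
Formula = Callable[[ConcreteState], bool]      # [[exp_i]]_s, evaluated on a state s


def max_smt(exprs: List[Formula], probs: List[float],
            states: Iterable[ConcreteState]) -> Tuple[float, Optional[ConcreteState]]:
    """max { sum_i [[exp_i]]_s * p_i | s in states }, with a witness state.
    A MaxSMT solver does this symbolically; here the domain is enumerated."""
    best, witness = 0.0, None
    for s in states:
        value = sum(p for exp, p in zip(exprs, probs) if exp(s))
        if value > best:
            best, witness = value, s
    return best, witness


def sum_of_realisable(exprs: List[Formula], probs: List[float],
                      states: Iterable[ConcreteState]) -> float:
    """The naive estimate from the slide: add p_i whenever exp_i is satisfiable
    by *some* state, ignoring that one state must realise all paths at once."""
    states = list(states)
    return sum(p for exp, p in zip(exprs, probs) if any(exp(s) for s in states))


# Constructed instance: path sigma_1 (probability 1/3) is realisable only from initial
# states with x < 0, path sigma_2 (probability 2/3) only from states with x > 0.
EXPRS: List[Formula] = [lambda s: s["x"] < 0, lambda s: s["x"] > 0]
PROBS = [1 / 3, 2 / 3]
DOMAIN = [{"x": x} for x in range(-5, 6)]   # bounded stand-in for [[I ∧ F(B)]]

if __name__ == "__main__":
    best, witness = max_smt(EXPRS, PROBS, DOMAIN)
    print("naive sum over realisable paths:", sum_of_realisable(EXPRS, PROBS, DOMAIN))
    print("realisable probability (MaxSmt):", best, "witness:", witness)
```

The gap between the two numbers is exactly the slide's point: summing path probabilities treats the paths as independently realisable, whereas a concrete counterexample is a single initial state together with the mass of the paths that state can actually take.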

Probabilistic CEGAR
• analyse paths in Markov chain with decreasing probability
  • spurious paths give predicates
  • realizable paths can improve lower bound
  • MaxSMT
  (figure: paths $\sigma_1^\sharp, \ldots, \sigma_5^\sharp$ of the abstract probability mass $P^{\eta^\sharp}_B(C)$; $\mathit{MaxSMT}(C_{\mathit{real}})$ over the realizable ones)
• Semi-decision procedure for probabilistic CE analysis
  • always terminates returning either
    ✗ CE realizable
    ✓ CE spurious and predicate
    ? don't know and predicate
  • incomplete to ensure termination
    • limit on number of spurious paths
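The path enumeration of the previous Probabilistic CEGAR slide and the three outcomes of the semi-decision procedure above, as an added Python example (not the slides' code and not PASS). The counterexample Markov chain over abstract blocks, the error block e, the oracle that declares every path through the abstract edge B2 → e spurious, and the two budgets are constructed for this example. In PASS the oracle is a satisfiability check of the path formula, and each spurious path is passed to interpolation for a new predicate; this example only collects the spurious paths.

```python
import heapq
from itertools import count
from typing import Callable, Dict, Iterator, List, Tuple

Chain = Dict[str, Dict[str, float]]    # state -> {successor: probability}; {} = no successors
Path = Tuple[str, ...]


def paths_by_probability(chain: Chain, start: str, target: str) -> Iterator[Tuple[Path, float]]:
    """Yield (path, probability) for the paths from start to target, most probable
    first. Extending a prefix never raises its probability, so a max-heap on the
    prefix probability emits complete paths in non-increasing order; on a cyclic
    chain the sequence is infinite, so callers must bound it."""
    tie = count()                                   # deterministic tie-break
    heap = [(-1.0, next(tie), (start,))]
    while heap:
        neg_p, _, path = heapq.heappop(heap)
        if path[-1] == target:
            yield path, -neg_p
            continue
        for succ, p in chain[path[-1]].items():
            if p > 0:
                heapq.heappush(heap, (neg_p * p, next(tie), path + (succ,)))


def analyse_counterexample(chain: Chain, start: str, target: str, threshold: float,
                           realisable: Callable[[Path], bool],
                           spurious_budget: int = 3, path_budget: int = 50):
    """Semi-decision procedure. Returns (verdict, realisable_mass, spurious_paths):
    'realizable' once the realisable mass exceeds the threshold, 'spurious' when
    every path was examined without reaching it, 'unknown' when a budget ran out
    (the incompleteness that guarantees termination on cyclic chains)."""
    mass, spurious = 0.0, []        # type: float, List[Path]
    for seen, (path, p) in enumerate(paths_by_probability(chain, start, target), 1):
        if realisable(path):
            mass += p
            if mass > threshold:
                return "realizable", mass, spurious
        else:
            spurious.append(path)    # what interpolation would turn into predicates
            if len(spurious) >= spurious_budget:
                return "unknown", mass, spurious
        if seen >= path_budget:
            return "unknown", mass, spurious
    return "spurious", mass, spurious


# Constructed counterexample Markov chain over abstract blocks; 'e' is the error block.
CYCLIC: Chain = {
    "B0": {"B1": 0.4, "B2": 0.6},
    "B1": {"e": 1.0},
    "B2": {"e": 0.5, "B3": 0.5},
    "B3": {"B0": 0.2, "done": 0.8},      # B3 -> B0 closes a cycle: infinitely many paths
    "e": {}, "done": {},
}
ACYCLIC: Chain = dict(CYCLIC, B3={"done": 1.0})   # the same chain without the cycle


def realisable_oracle(path: Path) -> bool:
    """Constructed stand-in for the SMT check: the abstract edge B2 -> e has no
    concrete counterpart, so every path that uses it is spurious."""
    return not any(path[i:i + 2] == ("B2", "e") for i in range(len(path) - 1))


if __name__ == "__main__":
    for chain, name in ((CYCLIC, "cyclic"), (ACYCLIC, "acyclic")):
        for p in (0.3, 0.42, 0.5):
            verdict, mass, spurious = analyse_counterexample(chain, "B0", "e", p, realisable_oracle)
            print(f"{name}, threshold {p}: {verdict}, realisable mass {mass:.4f}, "
                  f"{len(spurious)} spurious path(s)")
```

On the cyclic chain the paths come out as B0 B1 e (0.4), B0 B2 e (0.3), B0 B2 B3 B0 B1 e (0.024), and so on; with threshold 0.3 the first realisable path already decides, with 0.5 the spurious-path budget ends the search with "unknown", and only the acyclic variant can ever answer "spurious", because only there the enumeration is exhausted.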

Justification for Incompleteness: Undecidability
• A CE analysis problem consists of
  • probabilistic program M
  • threshold p
  • abstraction G of M
  • CE $(B, \eta^\sharp)$ in G, i.e., $P^{\eta^\sharp}_B(\Diamond e) > p$
• decide if the CE is real
  • there is a corresponding concrete CE (s, η) with $P^\eta_s(\Diamond e) > p$
• assume: expression language = linear arithmetic over the integers
  ⇒ conventional counterexample analysis decidable

Theorem (Undecidability of Counterexample Analysis)
Counterexample analysis for probabilistic programs is undecidable.

Proof. Halting problem for counter machines can be reduced to CE analysis.

Backward Refinement (VMCAI 2010)
• Refinement if no threshold is available
• Target uncertainty from abstraction (leverage game strategies)

The PASS tool
(architecture: a parser reads program and property; components: predicate abstraction, game, prob. reachability, refinement)

Case Study: BRP
• Probability to reach: "receiver does not receive any chunk and sender tried to send a chunk"
• Can be analyzed for an infinite parameter range with PASS
  • for any file size ≥ 16, probability is 1.6E−7
  • PASS provides proof for arbitrary file size
• BRP is just one case study (TO = timeout):

Case study (parameters)    Property   Conventional                  Abstraction
                                      states    trans     time      states  trans   refs  preds  paths  time
WLAN (BOFF T)   5   315    k=3        5,195K    11,377K   93        34K     36K     9     120    604    72
WLAN (BOFF T)   6   315    k=3        12,616K   28,137K   302       34K     42K     9     116    604    88
WLAN (BOFF T)   6   315    k=6        12,616K   28,137K   2024      771K    113K    9     182    582    306
WLAN (BOFF T)   6   9500   k=6        –         –         TO        771K    113K    9     182    582    311
CSMA/CD (BOFF)  3          p1         41K       52K       10        1K      2K      8     58     28     9
CSMA/CD (BOFF)  4          p1         124K      161K      56        6K      9K      14    100    56     38
CSMA/CD (BOFF)  3          p2         41K       52K       10        0.5K    0.9K    12    41     28     10
CSMA/CD (BOFF)  4          p2         124K      161K      21        0.5K    1.5K    12    41     44     11
BRP (N MAX)     16  3      p1         2K        3K        5.4       2K      3K      9     46     41     9
BRP (N MAX)     32  5      p1         5K        7K        12        5K      7K      9     64     111    21
BRP (N MAX)     64  5      p1         10K       14K       26        10K     14K     8     95     585    91
BRP (N MAX)     >16 3      p4         ∞         –         –         0.5K    0.9K    7     26     17     3
BRP (N MAX)     >16 4      p4         ∞         –         –         0.6K    1K      7     27     17     4
BRP (N MAX)     >16 5      p4         ∞         –         –         0.7K    1K      8     28     18     5
SW                         goodput    ∞         –         –         5K      11K     3     40     7      87
SW                         timeout    ∞         –         –         27K     44K     3     49     6      89

Why abstraction works.
• absolute values do not matter, but only, e.g., differences between variables
• choices that cannot contribute to the optimum
  (figure: of two choices with bounds [0.2, 0.3] and [0.4, 0.8], one cannot contribute to the optimum, since the intervals do not overlap)

Contributions
a novel analysis method for probabilistic programs:
• symbolic abstraction to tackle large state spaces
  • Première: predicate abstraction in probabilistic verification
    • prior work in qualitative software verification
  • Challenge: uncertainty from abstraction, probabilism and concurrency: complex interplay
• refinement to achieve full automation
  • Première: Probabilistic CEGAR
    • prior work: CEGAR in qualitative software verification
  • Challenge
    • counterexamples are Markov chains
• implemented in PASS tool

Limitations
• Abstraction is not a panacea / silver bullet
  • can be less efficient for certain finite-state models
• Probabilistic CEGAR:
  • lower thresholds for minimal reachability?
• No support for state-dependent probabilities:
    [] m=1 & x>0 -> 1/x : (x'=x-1) + (x-1)/x : (m'=3);

Avenues for Future Work
• Beyond probabilistic reachability for MDPs
  • rewards and expectations
  • Exponential distributions
  • Support for full PCTL
• Richer input language
  • Modest

Thesis Statement
Abstraction enables automatic verification of probabilistic programs with large and, for the first time, infinite state spaces.
