Compositional Formal Verification using MOCHA PI: Tom Henzinger Student 1: Freddy Mang (game-theoretic methods) Student 2: Ranjit Jhala (probabilistic.

Compositional Formal Verification using MOCHA. PI: Tom Henzinger. Student 1: Freddy Mang (game-theoretic methods). Student 2: Ranjit Jhala (probabilistic systems). UC Berkeley.

Compositional Methods for Probabilistic Systems. Luca de Alfaro, Thomas A. Henzinger, Ranjit Jhala (UC Berkeley).

Slide 3: Introduction
A lot of work has gone into making model checking a viable industrial tool:
– Symbolic model checking
– Assume-guarantee based “compositional” reasoning
This work has focused on systems that can be modelled accurately using non-determinism.
– Loss of information: many systems cannot be modelled appropriately this way, e.g. communication protocols, embedded components.
Goal: to extend MOCHA to model and verify systems with probabilistic behaviour.
– Assume-guarantee style reasoning for such systems.

Slide 4: Compositional Models
A system model is compositional if:
– Systems can be composed to obtain more complex systems
– System properties can be decomposed into component properties
For non-deterministic systems, the trace-based or linear-time view has these advantages:
1. Refinement is simply trace containment
2. An assume-guarantee rule decomposes refinement proofs
3. Simulation is an algorithmically checkable sufficient criterion for refinement
We conservatively generalise the trace-based view to systems with both non-deterministic and probabilistic choice.
– Our approach inherits the advantages mentioned above.

Slide 5: The Linear-time (Trace-based) View
Given a set of variables X:
– X-state: a valuation of the variables in X
– X-trace: a sequence of X-states
– X-language: a set of X-traces
Given a system P with variables X, its semantics |[P]| is an X-language.
Refinement corresponds to trace inclusion:
– P ⊑ Q if |[P]| ⊆ |[Q]|

Slide 6: Benefits of the Linear-time View
1. Parallel composition corresponds to set intersection:
– |[P ∥ Q]| = |[P]| ∩ |[Q]|
2. An assume-guarantee rule decomposes refinement checks [Abadi & Lamport 94, Alur & Henzinger 99, McMillan 97]:
– To show P1 ∥ P2 ⊑ Q1 ∥ Q2 it suffices to check P1 ∥ Q2 ⊑ Q1 and Q1 ∥ P2 ⊑ Q2
3. Simulation is an algorithmically efficient sufficient condition for refinement

Slide 7: Probabilistic Systems
We wish to model transition systems that can make both probabilistic and non-deterministic choices.
At a state, the system does the following:
1. Picks one of several available distributions (or moves) over next states non-deterministically
2. Picks a next state at random from the chosen distribution

Slide 8: Related Work
A large body of work on the modelling and verification of probabilistic systems:
– Vardi 1985, Courcoubetis & Yannakakis 1989
– Basic model: Markov decision processes
– Behaviour defined using schedulers
Several complicated “branching-time” models based on process algebras: [JL91], [LS90]
Models based on I/O automata by Segala [Segala95]:
– Semantics described as trace distributions
– Refinement as trace distribution inclusion
Our contribution:
– The first simple “linear-time” style model with a compositional semantics that allows assume-guarantee reasoning
– We generalize traces to bundles and show that many properties of linear-time models carry over to systems with probabilistic choice

Slide 9: Probabilistic Systems: Example
[Figure: a state with two available moves, one with probabilities ¼ and ¾ over the next states, the other with ½ and ½.]
There are two possible behaviours, arising from the non-deterministic choice between the move (¼, ¾) and the move (½, ½).

Slide 10: Semantics of Probabilistic Systems
Given a set of variables X:
– X-state: a valuation of the variables in X
– X-move: a distribution over X-states
– X-trace: a sequence of X-states
– X-bundle: a distribution over X-traces
– X-probabilistic language: a set of X-bundles
Given a probabilistic system P with variables X, its semantics |[P]| is an X-probabilistic language.
Refinement corresponds to bundle inclusion:
– P ⊑ Q if |[P]| ⊆ |[Q]|

Slide 11: Semantics: Dealing with Choices
Non-deterministic and probabilistic choice are “orthogonal”.
Factor out non-determinism using schedulers [Derman70, Vardi 1985, Courcoubetis & Yannakakis 1989].
Given a scheduler, the execution is fully probabilistic:
– Outcome: a sequence of bundles of length i, for all i > 0
– Semantics: the sum of the outcomes for all the different schedulers

Slide 12: Schedulers: Example
[Figure: a small system with a ½, ½ move; a table listing the 4 possible schedulers and the one outcome (bundle) each of them produces.]

Slide 13: Non-deterministic Choice vs. Probabilistic Choice
[Figure: system A makes a single probabilistic move with probabilities ½, ½; system B has two non-deterministic moves, each with probability 1.]
Non-deterministic choice is more flexible than probabilistic choice. We want A ⊑ B, but the bundle of A is (½, ½), while each bundle of B puts probability 1 on a single trace.

Slide 14: Non-deterministic Choice vs. Probabilistic Choice
[Figure: the same systems A and B.]
Solution: let the scheduler be randomized.
The scheduler of B can flip a coin to decide which non-deterministic choice to pick.
The move of B is then a convex combination of its simple moves.
Bundles of B: (θ, 1−θ) for every θ ∈ [0, 1]. In particular θ = ½ matches A's bundle.

Slide 15: Concrete Model: Probabilistic Modules
Based on Reactive Modules [AH99].
State-based model: each state corresponds to a valuation of the variables of the system.
– Probabilities enter in the update values of the variables.
A module is made up of a set of atoms. Each atom controls a set of variables.
– Atom: a set of guarded commands
– At a state, out of the commands whose guards are true, the system picks one (non-deterministic choice) and updates the variables using that command's distribution over next values.

Slide 16: Probabilistic Modules
Transitions and actions. Given two sets of variables X, Y:
– A probabilistic transition from X to Y is a pair (s, m) ∈ X-states × Y-moves
– A probabilistic action from X to Y is a set of probabilistic transitions
Atoms. An atom A has variables readX(A) and ctrX(A), together with:
– A probabilistic initial action initF(A) from ∅ to ctrX(A)
– A probabilistic update action updateF(A) from readX(A) to ctrX(A)

Slide 17: Probabilistic Modules
Modules. Declaration: three sets of variables extlX, intfX, privX.
– The observable variables are obsX = intfX ∪ extlX
Body: a finite set of atoms such that { ctrX(A) | A ∈ Atoms } partitions intfX ∪ privX.
Example:
  Module A
    Interface x, y
    External z
    Atom Ax controls x
      Init   [] true -> ½ x := 0 ; ½ x := 1
      Update [] true -> x' := x
             [] y    -> ¼ x' := ¬z ; ¾ x' := z
    Atom Ay controls y
      Init   [] true -> y := 0
             [] true -> y := 1
      Update [] true -> y' := z

Slide 18: Operations: Parallel Composition
P1 and P2 may be composed only if they have the same observables. The result is P1 ∥ P2 where:
– privX(P1 ∥ P2) = privX(P1) ∪ privX(P2)
– intfX(P1 ∥ P2) = intfX(P1) ∪ intfX(P2)
– extlX(P1 ∥ P2) = (extlX(P1) ∪ extlX(P2)) \ intfX(P1 ∥ P2)
– Atoms(P1 ∥ P2) = Atoms(P1) ∪ Atoms(P2)

Slide 19: Semantics: Schedulers and Outcomes
Scheduler: a scheduler σ from X to Y is a function from X-traces to Y-moves.
Outcome: given a scheduler σ from X to X, Outcome(σ) is the set of bundles b_i where
  b_i(t) = b_{i-1}(t(1) … t(i−1)) × σ(t(1) … t(i−1))(t(i))
  b_0 = the “empty” bundle

Slide 20: Semantics: Atomic Schedulers
The schedulers of a module are based on the schedulers of each atom.
Atom schedulers: atomSched(A) = the set of all schedulers σ from readX(A) to ctrX(A) such that
  1. (·, σ(ε)) ∈ initF(A), the initial move being chosen on the empty trace ε
  2. (t(n), σ(t)) ∈ updateF(A) for all readX(A)-traces t of length n
Composing atom schedulers: for schedulers σ1 from X1 to Y1 and σ2 from X2 to Y2 with Y1 ∩ Y2 = ∅, the product σ1 × σ2 is the scheduler from X1 ∪ X2 to Y1 ∪ Y2 with
  (σ1 × σ2)(t) = σ1(t[X1]) × σ2(t[X2])

Slide 21: Module Semantics
Schedulers of P:
  extlSched(P) = the set of all schedulers from extlX(P) ∪ intfX(P) to extlX(P)
  modSched(P) = extlSched(P) × ∏_{A ∈ Atoms(P)} atomSched(A)
Language of P:
  L(P) = ∪_{σ ∈ modSched(P)} Outcome(σ)
Trace semantics of P:
  |[P]| = L(P)

Slide 22: The Importance of Atoms
  Module A
    Interface x, y
    Atom Axy controls x, y
      Init [] true -> x, y := 0, 0
           [] true -> x, y := 0, 1
           [] true -> x, y := 1, 0
           [] true -> x, y := 1, 1

  Module B
    Interface x, y
    Atom Bx controls x
      Init   [] true -> x := 0
             [] true -> x := 1
      Update [] ...
    Atom By controls y
      Init   [] true -> y := 0
             [] true -> y := 1
      Update [] ...
A ⋢ B because A has a bundle in which x and y have correlated values, { ½: 0,0 ; ½: 1,1 }. In B's bundles this correlation cannot be obtained, despite complete non-determinism in each atom, because the schedulers of the two atoms are independent.
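The constructions of slides 14, 19, 20 and 22 worked out on small instances, as an added Python example (not code from the paper or from MOCHA): the outcome recursion b_i(t) = b_{i-1}(t(1..i-1)) × σ(t(1..i-1))(t(i)), the product of atom schedulers, a randomized scheduler whose coin with bias ½ reproduces a probabilistic move, and the correlated bundle of atom Axy that no product of independent Bx and By schedulers can produce. The encoding of states as tuples of values, of schedulers as Python functions, and the function names are assumptions made here.

```python
from fractions import Fraction as F
from itertools import product

# Encoding (assumed for this example): a state is a tuple of variable values in
# the order of a module's variable list, a trace is a tuple of states, a move is a
# dict state -> probability, a bundle is a dict trace -> probability, and a
# scheduler is a Python function from a history trace to a move.

def outcome(scheduler, length):
    """Bundle b_length of a scheduler sigma over X-traces, by the recursion of slide 19:
    b_0 is the empty bundle and b_i(t) = b_{i-1}(t(1..i-1)) * sigma(t(1..i-1))(t(i))."""
    bundle = {(): F(1)}
    for _ in range(length):
        nxt = {}
        for hist, p in bundle.items():
            for state, q in scheduler(hist).items():
                if q > 0:
                    nxt[hist + (state,)] = nxt.get(hist + (state,), F(0)) + p * q
        bundle = nxt
    return bundle

def project(state, all_vars, sub_vars):
    """Restrict a state over all_vars to the variables in sub_vars (t[X] on slide 20)."""
    return tuple(state[all_vars.index(v)] for v in sub_vars)

def atom_product(atoms, all_vars):
    """Product of atom schedulers (slide 20): atoms is a list of (readX, ctrX, sigma)
    where sigma maps readX-traces to ctrX-moves and the ctrX sets partition all_vars.
    Each sigma sees only the history projected on its readX, and the moves are
    multiplied, so the atoms choose independently of one another."""
    def sched(hist):
        moves = []
        for read_vars, ctr_vars, sigma in atoms:
            moves.append((ctr_vars, sigma(tuple(project(s, all_vars, read_vars) for s in hist))))
        dist = {}
        for combo in product(*[m.items() for _, m in moves]):
            vals, prob = {}, F(1)
            for (ctr_vars, _), (ctr_state, q) in zip(moves, combo):
                vals.update(zip(ctr_vars, ctr_state))
                prob *= q
            state = tuple(vals[v] for v in all_vars)
            dist[state] = dist.get(state, F(0)) + prob
        return dist
    return sched

# --- Slide 14: a randomized scheduler matches a probabilistic move ---------------
def coin_move(hist):
    """Atom with a single probabilistic command: Init [] true -> 1/2 x:=0 ; 1/2 x:=1."""
    return {(0,): F(1, 2), (1,): F(1, 2)}

def randomized_choice(theta):
    """Atom with two non-deterministic commands, Init [] true -> x:=0 [] true -> x:=1,
    resolved by a scheduler that flips a coin with bias theta (a convex combination)."""
    def sigma(hist):
        return {(0,): 1 - theta, (1,): theta}
    return sigma

# --- Slide 19: a history-dependent scheduler over several steps ------------------
def copy_previous(hist):
    """Init as coin_move, then Update [] true -> x' := x: the move depends on the history."""
    return coin_move(hist) if not hist else {hist[-1]: F(1)}

# --- Slide 22: one atom controlling x,y versus two independent atoms -------------
XY = ('x', 'y')

def correlated_choice(hist):
    """A scheduler of atom Axy (four non-deterministic Init commands) that mixes
    x,y:=0,0 and x,y:=1,1 with a fair coin: the values of x and y are correlated."""
    return {(0, 0): F(1, 2), (1, 1): F(1, 2)}

def module_b(theta_x, theta_y):
    """Module B: atom Bx controls x and atom By controls y; each is fully
    non-deterministic but the two are scheduled independently."""
    return atom_product([(('x',), ('x',), randomized_choice(theta_x)),
                         (('y',), ('y',), randomized_choice(theta_y))], XY)

def is_product_bundle(bundle):
    """A length-1 bundle over binary (x, y) arises from independent choices for x and y
    iff its 2x2 table has rank one, i.e. p(0,0)*p(1,1) == p(0,1)*p(1,0)."""
    p = lambda s: bundle.get((s,), F(0))
    return p((0, 0)) * p((1, 1)) == p((0, 1)) * p((1, 0))

if __name__ == "__main__":
    print(outcome(coin_move, 1) == outcome(randomized_choice(F(1, 2)), 1))   # True
    print(outcome(copy_previous, 3))
    print(is_product_bundle(outcome(correlated_choice, 1)),                   # False
          is_product_bundle(outcome(module_b(F(1, 3), F(1, 2)), 1)))         # True
```

The rank-one test is what makes the slide's claim checkable: every bundle of module B is a product of an x-marginal and a y-marginal whatever biases the two atom schedulers use, so the correlated bundle of module A, whose table has a zero off-diagonal but non-zero diagonal, can never be one of B's bundles.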

Slide 23: Why Visibility Restrictions?
  Module Q
    Intf q
    Extl p
    Priv q_
    Atom Qatom controls q, q_
      Init   [] true -> ½ q, q_ := 0, 0 ; ½ q, q_ := 0, 1
      Update [] true -> q', q_' := q_, q_

  Module P
    Intf p
    Extl q
    Priv p_
    Atom Patom controls p, p_
      Init   [] true -> ½ p, p_ := 0, 0 ; ½ p, p_ := 0, 1
      Update [] true -> p', p_' := p_, p_
Motivated by the need to restrict the power of the environment: the environment must not be able to read private variables. If it could, then both P and Q could have the bundle { ½: pq = 00 → 00, ½: pq = 00 → 11 }, but P ∥ Q can have no such bundle. The semantics would thus not be compositional.

Slide 24: Compositional Semantics
Theorem [Semantics of Parallel Composition]: |[P1 ∥ P2]| = |[P1]| ∩ |[P2]|
The behaviours of P1 ∥ P2 are the intersection of the behaviours of P1 and P2.

Slide 25: Refinement Between Modules
Module refinement: P ⊑ Q if
1. intfX(P) ⊇ intfX(Q) and extlX(P) ⊇ extlX(Q)
2. |[P]| ⊆ |[Q]|

Slide 26: Refinement Is Compositional
Theorem [Refinement is Compositional]:
– P ∥ Q ⊑ P
– If P ⊑ Q, then P ∥ R ⊑ Q ∥ R
Theorem [Assume-Guarantee]: If P1 ∥ Q2 ⊑ Q1 and Q1 ∥ P2 ⊑ Q2, then P1 ∥ P2 ⊑ Q1 ∥ Q2.

Slide 27: Checking Refinement
Sufficient condition for bundle inclusion:
– Probabilistic simulation [JL91, SL95] suffices for two closed systems each with a single atom
– We modify this relation to extend it to our setting (where there are visibility restrictions)
We use an algorithm based on that of [BEM99] to check atomic simulation.
This approach makes the decomposition of the proof mandatory.

Slide 28: Simulation: Example
[Figure: system A with a move of probabilities ½, ½ over two states; system B with a move of probabilities ½, ¼, ¼ over three states.]
The three states of B match the two states of A: the probabilities are distributed over the states, and each state of B “mimics” a state of A, weighted by how much of that A-state's probability is assigned to it.
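The matching of slide 28 made precise, as an added Python example that is not the paper's or MOCHA's implementation: a move of A is matched by a move of B under a relation R when a weight function splits each A-state's probability among the related B-states (the probabilistic simulation of [JL91]); the example decides this by an exact max-flow computation and then iterates it to the greatest simulation in the spirit of the [BEM99] algorithm, for closed single-atom systems without visibility restrictions. The state names a, a1, a2, b, b1, b2, b3, the labels, and the flow-network encoding are assumptions made here.

```python
from collections import deque
from fractions import Fraction as F

def max_flow(cap, src, snk):
    """Edmonds-Karp (shortest augmenting paths) on a dict-of-dicts capacity graph.
    Capacities are exact Fractions, so probabilities are never rounded.
    Returns (flow value, residual graph)."""
    res = {}
    for u, edges in cap.items():
        res.setdefault(u, {})
        for v, c in edges.items():
            res[u][v] = c
            res.setdefault(v, {}).setdefault(u, F(0))   # reverse edge for cancelling flow
    res.setdefault(src, {})
    res.setdefault(snk, {})
    value = F(0)
    while True:
        parent, queue = {src: None}, deque([src])
        while queue and snk not in parent:
            u = queue.popleft()
            for v, c in res[u].items():
                if c > 0 and v not in parent:
                    parent[v] = u
                    queue.append(v)
        if snk not in parent:
            return value, res
        path, v = [], snk
        while parent[v] is not None:
            path.append((parent[v], v))
            v = parent[v]
        bottleneck = min(res[u][v] for u, v in path)
        for u, v in path:
            res[u][v] -= bottleneck
            res[v][u] += bottleneck
        value += bottleneck

def weight_function(mu, nu, rel):
    """Weight function for distributions mu (over A-states) and nu (over B-states) with
    respect to the relation rel, or None if there is none. A weight function w has
    w(s,t) > 0 only for (s,t) in rel, sum_t w(s,t) = mu(s) and sum_s w(s,t) = nu(t).
    It exists iff the network  src -mu(s)-> s -1-> t (for (s,t) in rel) -nu(t)-> snk
    carries a flow of value 1; the flow on the edge s -> t is then w(s,t)."""
    cap = {'src': {}, 'snk': {}}
    for s, p in mu.items():
        cap['src'][('a', s)] = p
        cap[('a', s)] = {('b', t): F(1) for t in nu if (s, t) in rel}
    for t, q in nu.items():
        cap.setdefault(('b', t), {})['snk'] = q
    value, res = max_flow(cap, 'src', 'snk')
    if value != 1:
        return None
    return {(s, t): 1 - res[('a', s)][('b', t)]
            for s in mu for t in nu if (s, t) in rel and res[('a', s)][('b', t)] < 1}

def largest_simulation(moves_a, moves_b, label_a, label_b):
    """Greatest probabilistic simulation of system A by system B, computed as a fixpoint:
    start from all pairs of states with equal observable labels and remove (s, t) while
    some move of s has no move of t that matches it by a weight function under the
    current relation. moves_x maps a state to its list of moves (dict state -> prob)."""
    rel = {(s, t) for s in moves_a for t in moves_b if label_a[s] == label_b[t]}
    while True:
        bad = {(s, t) for (s, t) in rel
               if not all(any(weight_function(mu, nu, rel) is not None for nu in moves_b[t])
                          for mu in moves_a[s])}
        if not bad:
            return rel
        rel -= bad

# Constructed instance in the shape of slide 28: state a of A moves to a1, a2 with
# probability 1/2 each; state b of B moves to b1 with 1/2 and to b2, b3 with 1/4 each.
# The label is the observed value of a variable x after the move.
A_MOVES = {'a': [{'a1': F(1, 2), 'a2': F(1, 2)}], 'a1': [], 'a2': []}
A_LABEL = {'a': 'init', 'a1': 0, 'a2': 1}
B_MOVES = {'b': [{'b1': F(1, 2), 'b2': F(1, 4), 'b3': F(1, 4)}], 'b1': [], 'b2': [], 'b3': []}
B_LABEL = {'b': 'init', 'b1': 0, 'b2': 1, 'b3': 1}
# A variant of B whose single move gives x = 0 only probability 1/4: a's move cannot be matched.
B2_MOVES = {'b': [{'b1': F(1, 4), 'b2': F(3, 4)}], 'b1': [], 'b2': []}
B2_LABEL = {'b': 'init', 'b1': 0, 'b2': 1}

def demo():
    """Greatest simulations of A by B (a is simulated by b) and of A by B2 (it is not)."""
    return (largest_simulation(A_MOVES, B_MOVES, A_LABEL, B_LABEL),
            largest_simulation(A_MOVES, B2_MOVES, A_LABEL, B2_LABEL))

if __name__ == "__main__":
    sim, sim2 = demo()
    print(('a', 'b') in sim, ('a', 'b') in sim2)   # True False
```

For the slide's instance the weight function is w(a1,b1) = ½, w(a2,b2) = ¼, w(a2,b3) = ¼: the probability ½ that A gives to its second state is split between the two B-states that mimic it, which is exactly the "weighted mimicking" the slide describes. The fixpoint loop is the memoryless check the slide calls atomic simulation; it says nothing about bundle inclusion in the presence of history-dependent schedulers, which is why the next slide shows that the two notions differ.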

Slide 29: Bundle Inclusion but not Simulation
[Figure: two systems whose moves have probabilities ½, ½; the bundles of one are included in those of the other, yet no simulation exists.]
Difficulty of computing bundle inclusion:
1. A distribution over the states of one system is equivalent to a distribution over the states of the other
2. Schedulers look at histories: they can look at the entire trace
3. Modularity brings some problems, so the standard simulation does not work

Slide 30: Current Work
– Algorithm to check bundle inclusion exactly
– Implementation of this work: extending MOCHA to handle probabilistic systems
– Case studies: communication protocols with probabilistic behaviour; embedded components with probabilistic environments
– Logics for specification: correctness and performance properties; compositional reasoning

Slide 31: References
– M. Abadi & L. Lamport 1994: The Existence of Refinement Mappings, TOPLAS
– R. Alur & T. A. Henzinger 1999: Reactive Modules, Formal Methods in System Design 1999
– K. L. McMillan 1999: A Compositional Rule for Hardware Design Refinement, CAV97
– Derman 1970: Markov Decision Processes
– M. Vardi 1985: Automatic Verification of Probabilistic Concurrent Finite-State Programs, FOCS 85
– C. Courcoubetis & M. Yannakakis: The Complexity of Probabilistic Verification, JACM 1995
– [BEM99] C. Baier, B. Engelen & C. Majster-Paderborn: Deciding Bisimilarity and Similarity for Probabilistic Processes, JCSS 1999
– [JL91] B. Jonsson & K. Larsen: Specification and Refinement of Probabilistic Processes, LICS 1991