

5.1 Introduction

As explained in Section 4.4, counterexample generation is, in principle, a search problem on the state transition graph of the given model. We need efficient and scalable search algorithms in order to deal with large models. Moreover, the provided counterexamples should be informative and useful for debugging. A promising way to fulfil both requirements is the use of heuristics-guided on-the-fly graph search, also called directed or informed search. This chapter introduces the basics of this kind of search algorithm on general state transition graphs. We begin with the primary directed search strategy Best-First in Section 5.2. Then, in Section 5.3, we introduce some of the widely used directed algorithms based on BF*, such as A*, and study their essential features and properties. Afterwards, we explain how directed search is used in functional model checking to improve its scalability and to provide informative counterexamples. The use of directed search in counterexample generation for stochastic model checking will be explained in Chapter 6.

5.2 Best-First Search (BF)

Most of the prevalent directed search algorithms are based on a common optimising search strategy called Best-First (BF) [Pea86]. Before we explain the algorithmic structure of BF, we first introduce some notation. BF operates on general directed graphs. However, we restrict our explanations to state transition graphs (STGs) in order to stay close to our application domain. Recollect that a state transition graph (STG) is a directed graph which represents the state space of a system (see Section 4.4.1). The nodes of the graph are called states and the edges are called transitions. The set of possible states is denoted as S. A state s ∈ S is an object which encapsulates information about the status of the system, such as the values of system variables. A transition (s, s′) represents a possible action which changes the system status from the state s to s′. A sequence of states s_0, s_1, …, s_n is called a path or trace iff (s_i, s_{i+1}) is a transition for all i with 0 ≤ i < n. A state s′ is said to be reachable from a state s iff a path from s to s′ exists. An STG has a unique initial state ŝ, also called the start state, which represents the initial configuration of the system. We usually search for states which satisfy a certain specification. We call them target states. A path from the initial state ŝ to any target state is called a solution path. Sometimes we also call such paths diagnostic traces. This terminology originates from our application domain of counterexample generation.

The objective of BF is usually to find a solution path if one exists. Often, one is interested in an optimal or sub-optimal solution path. More precisely, we assume that paths are associated with some notion of cost, like path length. We measure this cost using a cost metric C. An optimal solution path is one with minimal cost. For a pair of states s and s′, C(s, s′) denotes the minimal cost to go from s to s′. Formally, C(s, s′) is defined as follows:

C(s, s′) = ∞                                           if s′ is not reachable from s,
C(s, s′) = min{ C(σ) | σ is a path from s to s′ }      otherwise.

With C* we denote the minimal cost to go from the initial state ŝ to any target state. That means, C* is equal to the cost of the optimal solution path (C* = ∞ if no target state is reachable from ŝ). BF can also be applied to problems in which paths are associated with a notion of quality instead of cost. In such application domains, C is a quality metric and one is interested in a solution path with high quality. In this case C(s, s′) denotes the maximal quality to go from s to s′. It holds then that C(s, s′) = 0 if s′ is not reachable from s, and C(s, s′) = max{ C(σ) | σ is a path from s to s′ } otherwise. In this case an optimal solution path is one with maximal quality. Although we will be dealing with qualities in the application of counterexample generation, we adhere to the conventional view of C as a cost metric while explaining the directed search algorithms.

We assume that an STG is not explicitly available but is implicitly given by its initial state and a successor operator succ : S → 2^S which computes all transitions outgoing from a given state. For a pair of states s and s′ such that s′ ∈ succ(s), we say that s′ is a successor of s and s is a parent of s′. We exclusively consider locally finite graphs. That means, we always assume that each state has a finite number of successors, i.e. the set succ(s) is finite.
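To make the implicit representation concrete, the following is a minimal Python sketch of an STG given only by its initial state and a successor operator. The state encoding (a pair of counter values), the transition rules, and the names initial_state and succ are illustrative assumptions, not taken from this thesis.

```python
from typing import List, Tuple

# Hypothetical state encoding: the values of two bounded system variables.
State = Tuple[int, int]

# The initial configuration of the system (the unique initial state ŝ).
initial_state: State = (0, 0)

def succ(s: State) -> List[State]:
    """Successor operator succ : S -> 2^S, evaluated on the fly.

    The transition rules below are made up for illustration; every state
    has finitely many successors, so the graph is locally finite.
    """
    x, y = s
    successors: List[State] = []
    if x < 10:
        successors.append((x + 1, y))  # increment the first variable
    if y < 10:
        successors.append((x, y + 1))  # increment the second variable
    return successors
```

The full graph is never built explicitly; states come into existence only when succ is called during the search.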

The basic step of BF search is the state expansion, which means computing the successor states of a particular state using the successor operator succ. The parent state is said to be expanded or closed, and each new successor is said to be generated. States which have been generated are called explored, regardless of whether they have been expanded or not. BF uses two sets to store all explored states, as illustrated in Figure 5.1. One is called closed and contains the closed states, while the second is called open and stores all explored states which have not yet been expanded. We call such states open states. These states are waiting to be expanded.

Figure 5.1: Illustration of Best-First search.

The set open is organised as a priority queue which is sorted according to the promise of states to lead to a target state. This promise is numerically estimated by an evaluation function f. Amongst others, f usually depends on local state information, like the values of the state variables, and on the information gathered by the search so far. f may also depend on the specification of the target states, in our case the given PCTL or CSL property, as well as further knowledge about the problem domain. This knowledge is mostly encoded in a heuristic function h which is used by the evaluation function f. If such a heuristic function is used in the search, we call the resulting algorithm heuristics-guided, informed or directed.
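As a small illustration of how such an evaluation function might look (a sketch under assumptions, not the concrete f used later in this thesis), the snippet below combines the information gathered so far, here the cost of the solution base of a state, with a hypothetical heuristic estimate h; it reuses the hypothetical State encoding and target from the previous sketch. Smaller f-values are considered more promising, consistent with the cost view adopted above.

```python
from typing import Tuple

State = Tuple[int, int]        # same hypothetical encoding as above

# Assumed target specification for this toy example: reach the state (10, 10).
TARGET: State = (10, 10)

def h(s: State) -> float:
    """Hypothetical heuristic: estimated number of transitions still needed
    to reach the target; encodes domain knowledge about the problem."""
    x, y = s
    return (TARGET[0] - x) + (TARGET[1] - y)

def f(s: State, accumulated_cost: float) -> float:
    """Evaluation function: information gathered by the search so far
    (the cost of the solution base of s) plus the heuristic estimate h(s)."""
    return accumulated_cost + h(s)
```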

Algorithm 1 illustrates the steps of the BF search. Initially, BF puts ŝ into the queue open; then it iterates (see Line 4). In each search iteration the best open state s, i.e., the state from open with the best f-value, is expanded. That means, s is moved from open to closed and all successor states of s are generated. Each successor state s′ is labelled with a parent link to its parent s. Then, f(s′) is computed. Afterwards, the algorithm checks whether s′ is a target state. If s′ is a target state, the algorithm terminates and the solution path is constructed by backtracking the parent links from s′ up to the initial state ŝ. Otherwise, s′ is put into open (see Line 11). Once open is empty, the algorithm terminates without a solution. If s′ has been explored before, i.e. it is contained in open or closed, then the better path to s′ is kept and the other is discarded (see Line 12). If s′ is closed and the new path is better, then s′ will be moved from closed to open (cf. Line 15).

Consequently, it will be waiting to be expanded again. This step is usually called reopening and the state s′ is said to be reopened. Due to the selection of the better path, each state has exactly one parent link, except the initial state, which does not have any parent. These parent links form a tree which is called the search tree. For any state s in the search tree, there is exactly one path from the root ŝ to s. We call this path the solution base of s.

The strategy BF* is derived from BF by a slight modification called termination delay. This means that the algorithm does not immediately terminate when a target state is generated; instead, the termination is delayed until a target state is selected for expansion. This modification is a necessary condition for assuring the optimality of the solution when an optimal solution is required. For more details about termination delay we refer to the literature, e.g. [Pea86].


Algorithm 1: Best-First Search

Data: A state transition graph given by its initial state ŝ ∈ S and its successor function succ
Result: A solution path if one exists

 1  open ← an empty priority queue
 2  closed ← an empty hash table
 3  Insert ŝ into open
 4  while open is not empty do
 5      Remove from open and place on closed the state s for which f is optimal
 6      foreach s′ ∈ succ(s) do
 7          Attach to s′ a parent link referring to s
 8          Compute f(s′)
 9          if s′ is a target state then exit successfully with the path constructed by tracing the parent links from s′ up to ŝ
10          if s′ is not already in open or closed then
11              Insert s′ into open
12          else
13              if the newly computed f(s′) is better than the old value then
14                  Replace the old s′ by the newly generated one (s′ takes the new f(s′) value and its parent link points back to s instead of the old parent)
15                  if s′ is in closed then move s′ back from closed to open
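To complement the pseudocode, the following is a minimal, runnable Python sketch of plain BF (without termination delay). It is a sketch under assumptions: the names best_first_search, evaluate and is_target are made up, smaller f-values are treated as better (the cost view), and evaluate computes f(s′) from s′, its parent s and f(s), which covers, for example, accumulated path costs.

```python
import heapq
import itertools
from typing import Callable, Dict, Hashable, Iterable, List, Optional

State = Hashable

def best_first_search(
    initial: State,
    succ: Callable[[State], Iterable[State]],
    evaluate: Callable[[State, State, float], float],  # f(s') from s', parent s and f(s)
    is_target: Callable[[State], bool],
    f_initial: float = 0.0,
) -> Optional[List[State]]:
    """Plain BF: expand the most promising open state until a target is generated."""
    if is_target(initial):
        return [initial]
    f: Dict[State, float] = {initial: f_initial}            # best known f-value per explored state
    parent: Dict[State, Optional[State]] = {initial: None}  # parent links form the search tree
    tie = itertools.count()                                  # tie-breaker for equal f-values
    open_heap = [(f_initial, next(tie), initial)]            # 'open': priority queue ordered by f
    closed: set = set()                                      # 'closed': already expanded states

    def path_to(state: State) -> List[State]:
        # Backtrack the parent links from state up to the initial state ŝ.
        trace: List[State] = []
        while state is not None:
            trace.append(state)
            state = parent[state]
        return list(reversed(trace))

    while open_heap:
        f_s, _, s = heapq.heappop(open_heap)
        if s in closed or f_s > f[s]:
            continue                                         # stale or already expanded entry
        closed.add(s)                                        # expand s (move it to closed)
        for s_prime in succ(s):
            f_new = evaluate(s_prime, s, f[s])
            if is_target(s_prime):                           # immediate termination: no delay
                parent[s_prime] = s
                return path_to(s_prime)
            if s_prime not in f:                             # newly generated state
                f[s_prime] = f_new
                parent[s_prime] = s
                heapq.heappush(open_heap, (f_new, next(tie), s_prime))
            elif f_new < f[s_prime]:                         # better path found: keep it
                f[s_prime] = f_new
                parent[s_prime] = s
                closed.discard(s_prime)                      # reopening, if s' was closed
                heapq.heappush(open_heap, (f_new, next(tie), s_prime))
    return None                                              # open ran empty: no solution
```

Using the hypothetical succ from the earlier sketch, a call could look like best_first_search((0, 0), succ, lambda s2, s1, fs: fs + 1, lambda s: s == (10, 10)), which then behaves like a uniform-cost search with unit transition costs; a heuristic h would enter through evaluate. Delaying the target test until a state is popped from the priority queue would turn this sketch into BF*.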


Note that we have to state a relationship between the state evaluation function f and the cost of solution paths. This point is essential to assure that f guides the BF or BF* search towards a solution path with a low cost. The evaluation function f must be monotonic in C for all target states. A formal explanation follows: for any state s and any path κ = ŝ, …, s, … leading to s, we denote with f_κ(s) the f-value of s computed according to the prefix of κ up to s. For any solution path σ = s_0, s_1, …, s_r, i.e. s_0 = ŝ and s_r is a target state, we require that

f_σ(s_r) = ψ(C(σ)),                                        (5.1)

where ψ is some non-decreasing function in its argument. Note that this requirement applies only to target states. This monotonicity is not required for non-target states.
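As a simple illustrative instance of this requirement (one possible choice, not the only one): if f_κ(s) is chosen as the cost of the prefix of κ up to s, then for every solution path σ = s_0, …, s_r the value assigned to the target state is exactly the path cost,

f_σ(s_r) = C(σ),

so Equation 5.1 holds with ψ(x) = x, the identity, which is trivially non-decreasing. If f were instead, say, the square of the accumulated cost, ψ(x) = x² would serve, since squaring is non-decreasing for non-negative costs.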

Recollect that BF and BF* keep one solution base for each state s. All paths leading to s which are not better than the solution base are discarded. Consequently, many paths going through s are not considered during the search. If we are interested in solution optimality, we have to ensure that the prefix of the optimal solution is not discarded. To achieve that, the evaluation function must be order-preserving [Pea86].

Definition 12. For two paths κ_i and κ_j such that κ_j is an extension of κ_i, i.e. last(κ_i) = first(κ_j), let κ_i κ_j denote the concatenation of both paths. An evaluation function is said to be order-preserving if for any two paths κ_1 and κ_2 leading from ŝ to a state s and a common extension κ_3 from s, the following holds:

f_{κ1}(s) ≥ f_{κ2}(s)  ⇒  f_{κ1κ3}(s′) ≥ f_{κ2κ3}(s′)   for all s′ ∈ κ_3.

The order-preservation of f makes sure that if BF discards a path κ_1 leading to s because a better one κ_2 is found, then no common extension can complete κ_1 to a better path than κ_2.
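As an illustrative example (assuming the additive cost setting sketched above): let f_κ(s) be the accumulated cost of κ up to s, and let κ_3 be a common extension whose cost up to some state s′ ∈ κ_3 is c. Then

f_{κ1κ3}(s′) = f_{κ1}(s) + c   and   f_{κ2κ3}(s′) = f_{κ2}(s) + c,

so f_{κ1}(s) ≥ f_{κ2}(s) immediately implies f_{κ1κ3}(s′) ≥ f_{κ2κ3}(s′); adding the same extension cost to both sides preserves the order. Such additive evaluation functions are therefore order-preserving.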

Without proof, we cite here that BF and BF* terminate and that they are complete. More precisely, if there is a solution path and the evaluation function f is unbounded along infinite paths, then BF and BF* terminate with a solution [Nil80, Pea86].

Theorem 1. Both search strategies BF and BF* are complete if f is unbounded along infinite paths.

Furthermore, if f is order-preserving, then BF* is ψ-admissible, where ψ is the non-decreasing function mentioned above in Equation 5.1. That means the following.

Let σ_1, …, σ_j, … be the set of all solution paths in the STG. Note that the set of solution paths is countable in a locally finite graph [Pea86]. Let M be the value defined as

M = min_j { max_{s ∈ σ_j} f_{σ_j}(s) }.

If BF* terminates with a solution path σ, then it holds that C(σ) ≤ ψ⁻¹(M). This fact forms the basis for verifying the solution optimality of most directed algorithms. We will use it when we prove the solution optimality of A* in Section 5.3.2.1.

There are some works on the asymptotic complexity analysis of heuristic search algorithms under certain conditions [Mar77, KR98, KRE01]. The space complexity of directed algorithms does not differ from that of undirected ones. BF and BF* need, in the worst case, to store the entire graph, attaching a search mark of constant size to each state. Hence, their space complexity is linear in the number of states and transitions. Meanwhile, the worst-case runtime complexity is not pivotal for most heuristic search algorithms. Many heuristic search strategies, in particular BF and BF*, have an exponential worst-case runtime complexity. However, they exhibit good average-case performance [Nil80]. We will therefore not focus much on the complexity analysis of heuristic search algorithms. Nevertheless, we will sometimes briefly discuss complexity issues.
