
5.5 Interpolation-based probabilistic bounded model checking

5.5.4 Interpolation-based approach for reachability

In order to use generalized interpolation in unbounded probabilistic model checking, one needs to encode the model's transition relations by an SMT representation. Then one has to generate a probabilistic bounded model checking problem (PBMC) in SSMT [FHT08] and determine whether the targets are reachable with probability exceeding the safety target within some step bound k. Should this not be the case, one can use generalized Craig interpolation to compute an overapproximation of the states backward reachable⁴ from the targets within that step bound. Technically, we interpolate between the initial state predicate and the k-fold iteration of the transition relation plus the target predicate, albeit under quantification as explained in the previous subsection. PBMC is iterated for increasingly larger k until either the safety property is falsified or the generalized Craig interpolant stabilizes, i.e., a superset of all states backward reachable from the target has been computed.

⁴ One can use an overapproximation of the states forward reachable as well, however by exchanging the

[Figure 5.5, recovered from figure residue: the thermostat PHA with the locations Heat (Ṫ = 2; invariants t ≤ 3, T ≤ 10), Cool (Ṫ = −T; invariant T ≥ 5), Check (Ṫ = −T/2; invariants t ≤ 1, T ≥ 9) and Error (Ṫ = 0). Edge labels: T ≤ 6 → t' := 0; t ≥ 2 → t' := 0; t ≥ 0.5 → 0.95 : t' := 0, with the complementary branch 0.05. Initial configuration: t = 0 ∧ x = 0, 9 ≤ T ≤ 10. Safety requirement: Pr(Error and x ≤ 5) ≤? 0.2.]

Figure 5.5: Thermostat case study discussed in [ZSR+10, FHH+11]. Blue expressions represent the assignments, green ones represent the guards and the magenta ones represent the invariants at each location.

j | I1            | B1                  | I2      | B2      | I3   | B3   | B
1 | ¬A            | ¬A(Cx5)             | true    | true    | true | true | true
2 | ¬F            | ¬F(Cx5)             | ¬F(Cx5) | ¬F(Cx5) |      |      | ¬F(Cx5)
3 | ¬A ∧ ¬D ∧ ¬F  | (¬A ∧ ¬D ∧ ¬F)(Cx5) | ¬F      | ¬F      | ¬F   | ¬F   | ¬F

Table 5.1: Results of the interpolation-based approach of Example 5.3, where j represents the number of the transitions considered by the interpolation, I represents the interpolant computed at the j-th step, and B represents the backward reachable states.

Example 5.3: Thermostat case study [ZSR+10]

Let us consider the PHA of Figure 5.5 modelling a thermostat system. Having continuous dynamics in this model drives us to use ProHVer to obtain a safe abstraction, which is depicted in Figure 5.6a (cf. Subsection 6.2.4).

Now, we would like to verify whether the maximum probability to reach the location Error within 5 time units is at most 15 or not.

Note that the property is expressed in terms of time units rather than computation steps. As there is no immediate correspondence between time units and computation steps, this verification problem cannot be solved by PBMC, since PBMC computes the lower bound of reaching the Error state. Thus, it requires unbounded reachability computation by GCI.

[Figure 5.6, four panels, recovered from figure residue. Each panel shows the finite-state abstraction with abstract states A to F (labelled Heat, Check and Error), guarded by constraints on t, x and T, and the probabilistic branches 0.95 / 0.05. (a) Finite-state abstraction of the thermostat model in Figure 5.5. (b) Abstraction model after computing the backward reachable set B0. (c) Abstraction model after computing the backward reachable set B1 and the interpolant I1. (d) Abstraction model after computing the backward reachable sets B2 and B3 and the interpolants I2 and I3.]

Figure 5.6: Illustration of computed backward reachable sets together with generalized Craig interpolants to compute the maximum probability of reaching the Error state over the number k of transition steps.

In the abstract model, the probability to reach the error states within 5 time units is 0.0975, which is less than 15 and thus acceptable. To determine this probability, we encode the abstraction of the thermostat as an SSMT formula and then compute overapproximations of the backward reachable states incrementally by GCI until they stabilize. The target is C-Error, which cannot be reached from the initial A-Heat via a single transition. In the first interpolation, the target C-Error together with a single transition relation represents the A part, while the initial state predicate A-Heat constitutes B. The first computed interpolant (while j = 1 in Scheme 5.4) will thus equal all states except the initial one, providing a useless upper bound of 1 on the probability of eventually hitting the target. Successive interpolations (with j larger than 1 as in Table 5.1) for larger step numbers yield tighter approximations.


For example, when j = 2, we get a first overapproximated backward reachable set equal to ¬F (meaning ABCDE), which is not very precise since A and D are reachable after two steps. However, if we increase j to 3, then we get in the first overapproximation a more precise backward reachable set, namely ¬A ∧ ¬D ∧ ¬F (meaning BCE), which confirms our aforementioned observation that whenever j increases, one gets a more realistic overapproximation. In the latter case, it is noticed that the interpolant stabilizes after 2 steps. This result was used while computing the upper bound of the probability of reaching the Error state in SiSAT.

In this model, the interpolant stabilizes after three iterations and yields a tight enough overapproximation of the backward reachable state set (cf. Appendix A for more details). As aforementioned, one can in each step use interpolants for computing an upper approximation of the (unbounded) reachability probability, while PBMC yields a valid lower approximation. Figure 5.9 represents three results:

The upper (red) curve represents the upper bound on the step-unbounded probability to reach location Error within 5 time units, as computed by GCI. The numbers on the horizontal axis here refer to the iteration (the number of steps), while the vertical axis refers to the computed probabilities.

The middle (green) line represents the exact probability to reach location Error within 5 time units.

The lower (blue) curve represents the lower bound on the probability to reach an Error state within 5 time units, as computed by PBMC. One may observe that upper and lower bounds almost coincide after step k = 4. In fact, interpolation then tells us that the reachability probability is below 0.1, i.e., well below the safety target. All details of computing interpolants for j = 1 and j = 2 are depicted in Appendix A.

[Figure 5.7, recovered from plot residue: probability (vertical axis, 0 to 1.2) against the number of steps (horizontal axis, 0 to 12); three curves: the lower bound LB computed by PBMC, the upper bound UB computed by interpolation, and the exact probability.]

Figure 5.7: Probability of reaching Error within 5 time units, once by using PBMC and once by using GCI.

Remark 5.1: Using ProHVer

The main reason to use ProHVer comes from the limitation in integrating our stochastic resolution tool with the SiSAT tool. Thus, we encode the problem back and forth between SiSAT and the resolver manually. Finally, if one can integrate the resolver in SiSAT, then it is much better not to use any abstraction, as direct encoding in SiSAT will solve these problems in non-linear PHA efficiently (cf. Subsection 6.2.4).

Example 5.4: Action planning

In Figure 5.8a, we have another example of a probabilistic hybrid automaton where the continuous dynamics at each state is represented by a linear ordinary differential equation, i.e. ṙ = 1. It represents the behaviour of a robot (e.g., a rescue robot) such that it begins from the init location. After certain steps (transitions) it can either eventually end in the success state (right route) or in the fail state (bad route).

[Figure 5.8, two panels, recovered from figure residue. (a) PHA model of a robot route with the locations init, deviate, think, success and fail (abstract states A to E); the edges carry clock guards on r with the bounds 15, 5, 6 and 11 as well as r > 11, r > 8 and r > 7, the assignments x' := x + r and r' := 0, and the probabilities 0.91, 0.9, 0.045, 0.85 and 0.105. Initial configuration: x := 0, r := 0. Safety requirement: Pr(C) ≤? 0.15. (b) The same PHA model with the backward reachable sets B0, B1, B2 and the interpolants I1, I2 marked.]

Figure 5.8: PHA model representing the action planning of a robot, where the fail state represents unwanted behaviour.

j | I1       | B1            | I2     | B2     | I3 | B3     | B
1 | ¬A       | ¬A ∨ C        | true   | true   | true | true | true
2 | ¬E       | ¬E ∨ C        | ¬E ∨ C | ¬E ∨ C | –  | –      | ¬E ∨ C
3 | ¬E ∧ ¬A  | (¬E ∧ ¬A) ∨ C | ¬E     | ¬E ∨ C | ¬E | ¬E ∨ C | ¬E ∨ C

Table 5.2: Results of the interpolation-based approach of Example 5.4, where j represents the number of the transitions considered by the interpolation to increase the preciseness, I represents the interpolant computed at the j-th step, and B represents the backward reachable states.

From the initial state it can non-deterministically either directly go to success (the right direction) or go to the deviate state. If the latter choice is the case, then the robot can either go to the fail state with probability 0.09 or go to a situation to decide (the think state) with probability 0.91. After that, from the think state it can go probabilistically either to success, to the initial situation or to the fail state. Now, we want to verify over all policies the property that the probability that the robot will reach fail is less than or equal to 0.15. This is an unbounded property, which GCI can compute efficiently.

We apply the same procedure as before. Namely, we encode the model as an SSMT formula. We compute the interpolant for the transition system with j = 1, 2, ... as performed in the thermostat case study, until either the interpolant stabilizes or the safety property is violated.
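The iteration described in Subsection 5.5.4 and repeated here for the robot (a bounded reachability probability as lower bound, a superset of the backward reachable states as the basis of an upper bound, and the step bound k increased until the bounds decide the safety target) as an added example in Python; it is not the thesis's SSMT encoding nor code from SiSAT or ProHVer. It assumes a constructed five-location abstraction of the robot (init, deviate, think, success, fail) with assumed probabilities that are not those of Figure 5.8. Since no SMT solver is involved, the backward reachable sets B_j are computed exactly by a predecessor fixpoint on the explicit model in place of the generalized Craig interpolants, and the upper bound is obtained by running maximal-reachability value iteration from the indicator of that set, which stays sound for any superset of the backward reachable states. Passing the set of all states as that superset reproduces the useless upper bound of 1 that the first interpolant of Example 5.3 yields.

```python
"""Added example: PBMC lower bound and backward-reachability upper bound on a small
finite abstraction.  Constructed model; every probability is an assumption made for
illustration, not a value from the thesis."""

# Constructed MDP abstracting the robot of Example 5.4: state -> action -> successor -> probability.
# Nondeterminism sits in "init" (go straight to success, or deviate).  Probabilities are assumed.
ROBOT = {
    "init":    {"go": {"success": 1.0}, "dev": {"deviate": 1.0}},
    "deviate": {"move": {"fail": 0.05, "think": 0.95}},
    "think":   {"plan": {"success": 0.90, "init": 0.04, "fail": 0.06}},
    "success": {"stay": {"success": 1.0}},
    "fail":    {"stay": {"fail": 1.0}},
}


def backward_reachable(mdp, target):
    """B_0 = {target}, B_{j+1} = B_j ∪ pre(B_j), iterated until the set stabilizes.
    Returns all iterates; the last one is the exact set of states that can reach the
    target.  On the explicit model this stands in for the interpolant sequence, which
    over-approximates the same sets on the SSMT encoding."""
    iterates = [{target}]
    while True:
        cur = iterates[-1]
        nxt = cur | {s for s, acts in mdp.items()
                     if any(t in cur and p > 0
                            for dist in acts.values() for t, p in dist.items())}
        if nxt == cur:
            return iterates
        iterates.append(nxt)


def bellman_max(mdp, target, val, allowed):
    """One step of maximal-reachability value iteration.  States outside `allowed` are
    fixed to 0: they are known not to reach the target, so cutting them off keeps an
    iterate started above the fixpoint a sound upper bound."""
    new = {}
    for s, acts in mdp.items():
        if s == target:
            new[s] = 1.0
        elif s not in allowed:
            new[s] = 0.0
        else:
            new[s] = max(sum(p * val[t] for t, p in dist.items()) for dist in acts.values())
    return new


def check_reachability(mdp, init, target, threshold, back_set, max_k=200, eps=1e-9):
    """Increase the step bound k.  lb_k is the PBMC-style bound: the maximal probability
    of hitting the target within k steps (iteration from the target indicator).  ub_k is
    iterated from the indicator of back_set, a superset of the backward reachable states,
    and is therefore an upper bound on the unbounded reachability probability at every k.
    Stops when the lower bound falsifies the safety target, when the upper bound proves
    it, or when the bounds meet.  Returns (verdict, k, lb, ub)."""
    lower = {s: 1.0 if s == target else 0.0 for s in mdp}
    upper = {s: 1.0 if s in back_set else 0.0 for s in mdp}
    everything = set(mdp)
    lb = ub = None
    for k in range(1, max_k + 1):
        lower = bellman_max(mdp, target, lower, everything)
        upper = bellman_max(mdp, target, upper, back_set)
        lb, ub = lower[init], upper[init]
        if lb > threshold:
            return ("violated", k, lb, ub)   # a policy exceeding the target exists within k steps
        if ub <= threshold:
            return ("safe", k, lb, ub)       # the over-approximation proves the property
        if ub - lb < eps:
            break
    return ("inconclusive", k, lb, ub)


if __name__ == "__main__":
    iterates = backward_reachable(ROBOT, "fail")
    for j, b in enumerate(iterates):
        print(f"B{j} = {sorted(b)}")
    exact_b = iterates[-1]
    print(check_reachability(ROBOT, "init", "fail", 0.15, exact_b))
    # A trivial superset (every state) leaves the upper bound stuck at 1 however far k is pushed,
    # the situation the first interpolant of Example 5.3 produces.
    print(check_reachability(ROBOT, "init", "fail", 0.15, set(ROBOT)))
```

Run stand-alone, the block prints B0 = {fail}, B1 = {deviate, fail, think}, B2 = {deviate, fail, init, think} (B3 equals B2, so the set has stabilized), then a "safe" verdict at k = 3 for the threshold 0.15 with the exact set, and "inconclusive" with the trivial superset, because the upper bound never leaves 1 while the lower bound converges below the threshold.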

[Figure 5.9, recovered from plot residue: probability (vertical axis, 0 to 1) against the number of steps (horizontal axis, 0 to 100); two curves: the lower bound LB computed by PBMC and the upper bound UB computed by interpolation; the data label 0,11183904 appears on the plot.]

Figure 5.9: Probability of reaching fail, once by using PBMC and once by using GCI.

We summarize the results obtained by our prototypical tool in Table 5.2, where different sizes of transition system were used during interpolation, namely j = 1, 2 and 3. We observe that the interpolant stabilizes in case of j ≥ 2, where it overapproximates the reachable states, i.e., C ∨ ¬E. Figure 5.9 represents two results: the upper (red) curve represents the upper bound on the step-unbounded probability to reach location fail, as computed by GCI. The numbers on the horizontal axis here refer to the iteration (the number of steps), while the vertical axis refers to the computed probabilities. The lower (blue) curve represents the lower bound on the probability to reach a fail state, as computed by PBMC.

One may observe that upper and lower bounds almost coincide after step k = 11.