CSLTA: an Expressive Logic for Continuous-Time Markov Chains
S. Donatelli1 S. Haddad2 J. Sproston1
1Dipartimento di Informatica, University of Turin, Italy
2LAMSADE, CNRS & Université Paris-Dauphine, France
Plan
1 Introduction
2 CSLTA
3 Model checking for CSLTA
Model checking for stochastic systems
[Figure: a System (e.g., a CTMC) and a Property (e.g., a formula of a stochastic temporal logic) are the inputs of a Model checking algorithm, whose output is Yes/No]
• Focus on operator P∼λ(ϕ) of stochastic temporal logics
CSL [Aziz et al. 2000, Baier et al. 2003] and asCSL [Baier et al. 2004]
• ∼ ∈ {<, ≤, =, ≥, >} and λ ∈ [0, 1]
• ϕ is a “path formula” - an execution path of the CTMC either satisfies ϕ or does not satisfy ϕ
• ϕ may reason about any/all of:
• State labels lab(s_i)
• Actions a_i
• Transition durations τ_i
Model checking for stochastic systems
• CSL and asCSL semantics includes:
State s satisfies P∼λ(ϕ)
iff
Prob_s({σ ∈ Path(s) | σ |= ϕ}) ∼ λ
• Prob_s is a probability measure over measurable sets of paths starting in s
• {σ ∈ Path(s) | σ |= ϕ} is the (measurable) set of paths starting in s and satisfying ϕ
Model checking for stochastic systems
• CSL - principal path formula is the until formula Φ1 U^I Φ2
• Reach a Φ2-state at a time point in the interval I, remaining in Φ1-states until that point
• E.g., a path satisfies work U^[0,9] fail iff the path reaches a fail-labelled state within 9 time units, and remains in work-labelled states beforehand
Model checking for stochastic systems
• CSL path formulae (from [Baier et al. 2003]) are not able to express “sequential reachability”
• E.g., pass through work-states, then pass through degraded-states, then reach fail-states
• Generally: more expressiveness of path formulae? (More like linear temporal logic?)
Model checking for stochastic systems
• asCSL [Baier et al. 2004] offers a solution: path formulae expressed as regular expressions over state and action labels
• (work, Act)*; (degraded, Act)*; (fail, √)^[0,9]:
the path reaches a fail-state within 9 time units, passing through work-states, then degraded-states, beforehand
Model checking for stochastic systems
• Note: in CSL and asCSL only one time interval per path formula
• How to express
“pass from work- to degraded-states within 5 time units, and then pass from degraded- to fail-states in between 2 and 9 time units after entering degraded-states”?
Our contribution: CSLTA
• In CSL a “path formula” is expressed using:
• a temporal logic modality
• a time constraint
• In asCSL a “path formula” is expressed using:
• a regular expression
• a time constraint
• In CSLTA a “path formula” is expressed using a (restricted) timed automaton [Alur & Dill 1994]
• CSLTA is strictly more expressive than CSL, and at least as expressive as asCSL
CSLTA: overview
• Precedents representing path formulae with automata (neither for stochastic systems):
• ECTL [Clarke et al. 1993]
• TECTL∗∃ [Bouajjani et al. 1996]
• Regular expressions of asCSL: automata (not timed)
• CSLTA replaces “path formulae” with deterministic timed automata with one clock (DTA)
• Can express path formulae with multiple time intervals, and even time intervals which are dependent on CTMC behaviour
Deterministic one-clock timed automata
• Finite automaton with timing constraints expressed by tests and resets of a clock variable
• Transitions from location to location of a timed automaton are instantaneous
• Clock variable: increases at the same rate as real-time
• “Reads” a CTMC path (state and transition labels), accepts or rejects it
Deterministic one-clock timed automata
• DTA locations are labelled with CSLTA formulae
• DTA locations can be initial (e.g., l0) and/or final (e.g., l2)
• DTA transition: l −(γ; A; r)→ l′
• γ is a guard (constraint on the clock, e.g., α ≤ x ≤ β, x = α)
• A is a set of CTMC actions (or the special symbol √)
• r ∈ {x, ∅}: either reset the clock (x) or not (∅)
Deterministic one-clock timed automata
• Acceptance: exists a DTA path which “matches” the CTMC path and reaches a final location?
• Simple case (no √-transitions): each CTMC transition must be “matched” by a single DTA transition
Deterministic one-clock timed automata
• s −(a, τ)→ s′ matched by l −(γ; A; r)→ l′ (given the current clock value)?
• Intuitively, “transition matching” requires:
• Current value of x plus τ satisfies the constraint γ
• Action a of the CTMC transition is in the action set A of the DTA transition
• s′ satisfies the CSLTA formula LAB(l′) labelling l′
• Clock value immediately after l −(γ; A; r)→ l′ depends on r (reset the clock to 0, or retain the current value)
Deterministic one-clock timed automata
• Timed next X^[α,β] Φ1 of CSL:
• Accept paths whose first transition:
• Takes place in the time interval [α, β]
• Leads to a state satisfying Φ1
• Interpretation of the DTA:
• Clock is denoted by x, initially equals 0 (by convention)
• Transition from l0 to l1 can only be taken when:
• Value of the clock x is in [α, β]
Deterministic one-clock timed automata
• √-transitions: adapted from asCSL
• √-transitions must be taken when enabled (have priority)
• Are not triggered by reading a CTMC transition
• Useful for changing location only because time elapses
• E.g., when entering the interval I of Φ1 U^I Φ2:
• In I, if Φ2 becomes true, Φ1 U^I Φ2 is satisfied
• Before I, if Φ2 becomes true, Φ1 U^I Φ2 is not necessarily satisfied
Deterministic one-clock timed automata
• Therefore, a single CTMC transition may be matched by multiple √-transitions, followed by a non-√-transition
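The matching rules and the priority of √-transitions described above, as an added example (Python; this is not code from the paper or its authors): a one-clock DTA that reads a finite CTMC path prefix, treats the last sojourn as unbounded, fires every enabled √-transition in time order before matching each CTMC transition, and reports acceptance when a final location is reached. The encoding of guards as closed intervals, the SQRT/ACT markers, the `until_dta` construction for Φ1 U^[α,β] Φ2 and the `sequence_dta` for the work/degraded/fail property from the introduction are all assumptions made for this example, and the sample paths are constructed.

```python
from math import inf

# Added example, not the paper's code: a deterministic one-clock timed automaton
# (DTA) reading a CTMC path. Guards are closed intervals (lo, hi); "x = alpha" is
# (alpha, alpha). The action field is a frozenset of CTMC actions, ACT for the
# whole alphabet Act, or SQRT for a sqrt-transition that fires as time elapses.
SQRT = "sqrt"
ACT = None


class DTA:
    def __init__(self, labels, edges, initial, final):
        self.labels = labels        # location -> predicate over the state's AP set
        self.edges = edges          # list of (src, (lo, hi), actions, reset, dst)
        self.initial, self.final = initial, final

    def _sqrt_step(self, loc, x, ap, remaining):
        """Earliest sqrt-transition from loc enabled within the next `remaining`
        time units (i.e. before the next CTMC transition); None if there is none."""
        best = None
        for src, (lo, hi), acts, reset, dst in self.edges:
            if src != loc or acts != SQRT or not self.labels[dst](ap):
                continue
            t = max(x, lo)                      # first instant at which the guard holds
            if t <= hi and t - x <= remaining and (best is None or t < best[0]):
                best = (t, reset, dst)
        return best

    def _action_step(self, loc, x, a, ap_next):
        """The unique DTA edge matching a CTMC transition with action a, taken at
        clock value x, into a state labelled ap_next; None if nothing matches."""
        cands = [(reset, dst) for src, (lo, hi), acts, reset, dst in self.edges
                 if src == loc and acts != SQRT and (acts is ACT or a in acts)
                 and lo <= x <= hi and self.labels[dst](ap_next)]
        if len(cands) > 1:
            raise ValueError(f"DTA not deterministic at {loc}, x={x}, action {a}")
        return cands[0] if cands else None

    def accepts(self, path):
        """path = (ap0, steps): labels of the initial state, then a list of
        (action, sojourn time, labels of the next state). After the finite prefix
        the path is assumed to stay in its last state forever."""
        ap0, steps = path
        if not self.labels[self.initial](ap0):
            return False
        loc, x, ap = self.initial, 0.0, ap0
        for a, tau, ap_next in steps + [(None, inf, None)]:
            remaining, seen = tau, set()
            # sqrt-transitions have priority: take all that become enabled before
            # the CTMC transition fires, in time order.
            while loc not in self.final:
                hit = self._sqrt_step(loc, x, ap, remaining)
                if hit is None:
                    break
                t, reset, dst = hit
                progressed = t > x
                remaining -= t - x
                loc, x = dst, (0.0 if reset else t)
                if progressed and remaining < inf:
                    seen.clear()                # real time passed: no Zeno cycle so far
                if (loc, x) in seen:
                    if progressed:
                        return False            # unbounded sojourn revisits (loc, x): periodic, never final
                    raise ValueError("sqrt-transition cycle without time progress")
                seen.add((loc, x))
            if loc in self.final:
                return True
            if a is None:
                return False                    # path exhausted outside a final location
            match = self._action_step(loc, x + remaining, a, ap_next)
            if match is None:
                return False                    # CTMC transition cannot be matched
            reset, loc = match
            x, ap = (0.0 if reset else x + remaining), ap_next


def until_dta(phi1, phi2, alpha, beta):
    """Assumed DTA for the CSL path formula phi1 U^[alpha, beta] phi2."""
    labels = {"l0": lambda ap: phi1(ap) or (alpha == 0 and phi2(ap)),
              "l1": lambda ap: phi1(ap) and not phi2(ap),
              "l2": phi2}
    edges = [("l0", (0, alpha), ACT, False, "l0"),      # stay in phi1-states before I
             ("l0", (alpha, alpha), SQRT, False, "l1"),  # enter I, phi2 not yet true
             ("l0", (alpha, alpha), SQRT, False, "l2"),  # enter I in a phi2-state
             ("l1", (alpha, beta), ACT, False, "l1"),    # within I, still waiting
             ("l1", (alpha, beta), ACT, False, "l2")]    # within I, reach phi2
    return DTA(labels, edges, "l0", {"l2"})


def sequence_dta():
    """Assumed DTA for: work -> degraded within 5 time units, then degraded -> fail
    between 2 and 9 time units after entering degraded (clock reset on that entry)."""
    labels = {"m0": lambda ap: "work" in ap, "m1": lambda ap: "degraded" in ap,
              "m2": lambda ap: "fail" in ap}
    edges = [("m0", (0, 5), ACT, False, "m0"),
             ("m0", (0, 5), ACT, True, "m1"),            # reset x when entering degraded
             ("m1", (0, 9), ACT, False, "m1"),
             ("m1", (2, 9), ACT, False, "m2")]
    return DTA(labels, edges, "m0", {"m2"})


WORK, FAIL = (lambda ap: "work" in ap), (lambda ap: "fail" in ap)
UNTIL = until_dta(WORK, FAIL, 2, 9)      # work U^[2,9] fail
SEQ = sequence_dta()

if __name__ == "__main__":
    # constructed sample paths: (initial labels, [(action, sojourn, next labels), ...])
    print(UNTIL.accepts(({"work"}, [("a", 3.0, {"fail"})])))   # fail reached at time 3
    print(UNTIL.accepts(({"work"}, [("a", 1.0, {"fail"})])))   # fail reached before I
    print(SEQ.accepts(({"work"}, [("a", 1.0, {"degraded"}), ("b", 3.0, {"fail"})])))
```

The `seen` set is the safety check a practitioner wants: it refuses a malformed DTA whose √-transitions cycle without time progressing, while still terminating on an unbounded final sojourn in which a periodic reset keeps the automaton away from a final location.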
Syntax of CSLTA
Φ ::= p | ¬Φ | Φ ∧ Φ | S∼λ(Φ) | P∼λ(A(Φ1, . . . , Φn))
where:
• p ∈ AP
• λ ∈ [0, 1]
• ∼ ∈ {<, ≤, =, ≥, >}
• A(Φ1, . . . , Φn) is a DTA with a finite set {Φ1, . . . , Φn} of CSLTA formulae used as location labels
Semantics of CSLTA
Defined as for CSL, apart from:
s |= P∼λ(A(Φ1, . . . , Φn)) ⇔ Prob_s({σ ∈ Path(s) | σ accepted by A(Φ1, . . . , Φn)}) ∼ λ
Model checking for CSLTA
• Aim: compute the set of states of CTMC M which satisfy the CSLTA formula P∼λ(A(Φ1, . . . , Φn))
• Automata-theoretic approach: construct a product M × A (M and A running “in conjunction”)
• M × A is a Markov renewal process: a stochastic process with “renewal points”, from which the future behaviour does not depend on the past behaviour
• Case of x ≤ max constant(A) (“usual”) – renewal points are when the clock x:
• Reaches a constant used in the description of A
• Is reset to 0
• Case of x ≥ max constant(A) –
Model checking for CSLTA
• Approach: construct a “tangible reachability graph” for M × A
• Nodes: primarily of the form (s, l, c)
• s is a state of CTMC M
• l is a location of DTA A
• c is a timing constant used in the guards of A
• Also have nodes ⊥ (A rejects) and ⊤ (A accepts)
• Key point: the elapse of time between two consecutive constants c and c′ of A is interpreted as a deterministic “transition” of duration c′ − c
Model checking for CSLTA
• The completed tangible reachability graph:
• Prob_s({σ ∈ Path(s) | σ accepted by A}) equals the
Model checking for CSLTA
• Calculating the probability of reaching ⊤ in M × A:
• Relies on solution methods for Markov renewal processes (e.g., [German 2000])
• Exploits the tangible reachability graph construction
• Identify “reach constant” (D) and “reset x” (M_res) transitions in the tangible reachability graph:
• State reached by such a transition will be at a renewal point
• Between the firing of such transitions, the behaviour of
Model checking for CSLTA
• E.g., from (s0, l0, 0):
• Interested in the behaviour until time 2 (time at which the D transitions fire)
Model checking for CSLTA
• Tangible reachability graph states reached by D- or M_res-transitions form states of a DTMC (also ⊤ and ⊥)
• Compute on CTMCs to obtain transition probabilities of the DTMC
• Compute the probability of reaching ⊤ on the DTMC
• Note: can be computed using tools for Deterministic Stochastic Petri Nets
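The tangible reachability graph construction of the preceding slides, as an added example (Python; not the authors' implementation) for the simple case without √-transitions: nodes (s, l, c) with c a guard constant of A, a D-transition when the clock reaches the next constant, M/M_res transitions for CTMC transitions synchronized without or with a clock reset, and ⊤/⊥ sinks (named TOP/BOT here). The CTMC and the DTA are hypothetical and constructed for this example; rates are left out because only the graph structure is built, not the Markov renewal probabilities that the slides compute on top of it.

```python
from math import inf

# Added example, not the paper's implementation: the tangible reachability graph
# of M x A for the simple case without sqrt-transitions. Node (s, l, c) means
# "CTMC state s, DTA location l, clock value in [c, c')" where c' is the next
# larger constant of A. TOP / BOT stand for the accept / reject nodes.
TOP, BOT = "TOP", "BOT"
ACT = None   # stands for the whole action alphabet Act

# Hypothetical CTMC (constructed): state labels and action-labelled transitions.
CTMC_LABELS = {"s0": {"work"}, "s1": {"degraded"}, "s2": {"fail"}}
CTMC_EDGES = [("s0", "a", "s1"), ("s1", "b", "s2"), ("s1", "r", "s0")]

# Hypothetical DTA (constructed) for "work -> degraded within 5 time units, then
# degraded -> fail between 2 and 9 time units after entering degraded", with the
# clock reset on entering degraded. Edge = (src, (lo, hi), actions, reset, dst).
DTA_LABELS = {"l0": lambda ap: "work" in ap, "l1": lambda ap: "degraded" in ap,
              "l2": lambda ap: "fail" in ap}
DTA_EDGES = [("l0", (0, 5), ACT, False, "l0"), ("l0", (0, 5), ACT, True, "l1"),
             ("l1", (0, 9), ACT, False, "l1"), ("l1", (2, 9), ACT, False, "l2")]
DTA_FINAL = {"l2"}


def constants(dta_edges):
    """Sorted clock constants occurring in the guards of A, always including 0."""
    cs = {0}
    for _, (lo, hi), _, _, _ in dta_edges:
        cs.add(lo)
        if hi != inf:
            cs.add(hi)
    return sorted(cs)


def build_trg(ctmc_labels, ctmc_edges, dta_labels, dta_edges, dta_final, s0, l0):
    """Explore M x A from (s0, l0, 0). Maps each node to a list of (kind, target):
    kind "D" (clock reaches the next constant), "M:a" (sync on action a, clock
    kept) or "M_res:a" (sync on a with the clock reset to 0)."""
    cs = constants(dta_edges)
    graph, worklist = {}, [(s0, l0, 0)]
    while worklist:
        node = worklist.pop()
        if node in graph:
            continue
        s, l, c = node
        i = cs.index(c)
        nxt = cs[i + 1] if i + 1 < len(cs) else inf
        succ = []
        if nxt < inf:
            succ.append(("D", (s, l, nxt)))      # deterministic transition of duration nxt - c
        for src, a, dst in ctmc_edges:
            if src != s:
                continue
            # the guard must hold on the whole open interval (c, nxt): lo <= c and hi >= nxt
            cands = [(reset, l2) for src_l, (lo, hi), acts, reset, l2 in dta_edges
                     if src_l == l and (acts is ACT or a in acts)
                     and lo <= c and hi >= nxt and dta_labels[l2](ctmc_labels[dst])]
            if not cands:
                succ.append((f"M:{a}", BOT))     # CTMC transition cannot synchronize: A rejects
                continue
            if len(cands) > 1:
                raise ValueError(f"DTA not deterministic at {node} on action {a}")
            reset, l2 = cands[0]
            if l2 in dta_final:
                succ.append((f"M:{a}", TOP))     # final location reached: A accepts
            elif reset:
                succ.append((f"M_res:{a}", (dst, l2, 0)))   # renewal point at clock 0
            else:
                succ.append((f"M:{a}", (dst, l2, c)))
        graph[node] = succ
        worklist.extend(t for _, t in succ if t not in (TOP, BOT))
    return graph


TRG = build_trg(CTMC_LABELS, CTMC_EDGES, DTA_LABELS, DTA_EDGES, DTA_FINAL, "s0", "l0")

if __name__ == "__main__":
    for node, succ in sorted(TRG.items()):
        print(node, "->", succ)
```

D- and M_res-targets are exactly the renewal nodes of the slides: from each of them the process is a CTMC until the next D- or M_res-transition, which is where the subordinated CTMC solutions and the DTMC over renewal nodes would be attached.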
Conclusions and future work
Conclusions:
• Presented an extension of CSL and asCSL able to reason about “multiple time intervals” in the same path formula
• Model-checking approach via Markov renewal process construction
• CSLTA is at least as expressive as asCSL and strictly more expressive than CSL
• CSL cannot express properties such as P≥ζ(q satisfied in exactly 2 transitions), where q is an atomic proposition
Ongoing and future work:
• Implementation
• Incorporation of rewards in CSLTA
• Comparison with the automata-based approach of [Obal & Sanders 1999]
Model checking for CSLTA
• Let 2 time units pass without taking a transition from s0 in M
• Go to node (s0, l0, 2) (same state, same location, but the
Model checking for CSLTA
• Can take s0 −a→ s1 before 2 time units
• Synchronize with A-transition I
Model checking for CSLTA
• Can take s1 −b→ s1 before 2 time units
• Synchronize with A-transition II
Model checking for CSLTA
• Can take s1 −a→ s0 before 2 time units
• Cannot synchronize with any A-transition
Model checking for CSLTA
• Let 2 time units pass without taking a transition from s1 in M
• Go to node (s1, l1, 2) (same state, same location, but the
Model checking for CSLTA
• Can take s1 −a→ s0 after 2 time units
• Synchronize with A-transition III
Model checking for CSLTA
• Can let time elapse until x = 3, then A takes transition IV