Abstract
The limiting factor for quantitative analysis of Markov decision processes (MDP) against specifications given in linear temporal logic (LTL) is the size of the generated product. As recently shown, a special subclass of limit-deterministic Büchi automata (LDBA) can replace deterministic Rabin automata in quantitative probabilistic model checking algorithms. We present an extension of PRISM for LTL model checking of MDP using LDBA. While existing algorithms can be used only with minimal changes, the new approach takes advantage of the special structure and the smaller size of the obtained LDBA to speed up the model checking. We demonstrate the speed up experimentally by a comparison with other approaches.
Access provided by Autonomous University of Puebla. Download conference paper PDF
Similar content being viewed by others
Keywords
- Linear Temporal Logic (LTL)
- Probabilistic Model Checking
- Deterministic Rabin Automaton
- Markov Decision Process (MDP)
- Maximal End Component (MECs)
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
1 Introduction
Linear temporal logic (LTL) [30] is a prominent specification language and has been proven useful in industrial practice. The key to efficient LTL model checking is the automata-theoretic approach [38]: first, a given LTL formula is translated into an automaton; second, a product of the system and the automaton is constructed and analysed. Since real systems are huge, it is crucial to construct small automata in order to avoid a large size increase of the product.
LTL is typically translated into non-deterministic Büchi automata (NBA) [2, 8, 10, 11, 14, 15, 17, 18, 36]. However, for probabilistic models such as Markov decision processes (MDP) non-deterministic automata are not applicable [3] and the standard solution is to determinise them using Safra’s construction [22, 29, 32, 33, 37]. This approach is implemented in the most widespread probabilistic model checker PRISM [27]. However, the determinisation step is costly and often increases the size of automata dramatically. Therefore, direct translations of LTL to deterministic automata have been proposed [1, 13, 25, 26], implemented [5, 16, 24], and shown to be more efficient for probabilistic model checking [6]. Nevertheless, despite more sophisticated acceptance conditions, such as generalized Rabin [26], the imposed determinism inevitably increases the size of the automata.
This naturally raises the question whether fully deterministic automata are necessary or whether restricted forms of determinism are sufficient. For instance, in the setting of games where NBA are not applicable either, a weaker notion of determinism called good-for-games automata is sufficient [20]. It has been proven sufficient also for probabilistic model checking, but practically “did not improve on the standard approach” [23]. Further, unambiguous automata can be used [9] for model checking Markov chains, but not for MDPs. Moreover, limit-deterministic Büchi automata (LDBA) [7, 38] can be used for probabilistic model checking MDPs in the qualitative case (deciding whether a property holds with probability 1). This idea has been further explored also in the quantitative setting (computing the probability of satisfaction) and an algorithm constructing products with several (limit-)deterministic automata proposed [19]. Although LDBA cannot in general be used for probabilistic model checking, a recent translation [35] of LTL produces LDBA, which can be used in the standard algorithm based on the construction of a single product. It also discusses the subclass of LDBA that can be used for this task. Note that there is also an exponentially better translation [21] (based on [25]) of a fragment of LTL called LTL\(_{\setminus {\mathbf {G}}\mathbf {U}}\) into LDBA and that there is also an efficient complementation procedure for LDBA [4].
In this paper, we provide the first implementation of the probabilistic model checking procedure proposed in [35] based on LDBA. Apart from smaller sizes of LDBA, another advantage of the Büchi acceptance condition is a faster analysis of maximal end components (MECs), compared to the standard repetitive re-computation for each Rabin pair. We also present several crucial optimizations, which make our implementation outperform other approaches on many formulas. We illustrate this on experimental results. The tool as well as the explanation of its name can be found on https://www7.in.tum.de/~sickert/projects/mochiba/.
2 Overview of the Algorithm
In order to present our implementation and optimizations, we have to sketch how an MDP \(\mathcal M\) is checked against an LTL formula \(\varphi \) by the algorithm of [35]. First, \(\varphi \) is translated into an LDBA \(\mathcal A(\varphi )\). Second, \(\mathcal M\) is checked against \(\mathcal A(\varphi )\) using a straightforward extension of the standard algorithm.
LDBA Construction. An LDBA is a (possibly generalised) Büchi automaton partitioned into an initial and an accepting part, where the initial part contains no accepting transitions and the accepting part is deterministic. Moreover, the construction of [35] produces LDBA with the initial part deterministic except for \(\varepsilon \)-transitions into the accepting part.
LDBA \(\mathcal {A}(\varphi )\) with the initial part on the left and the accepting on the right.
We illustrate the translation on \(\varphi = a \wedge {\mathbf {X}}({\mathbf {F}}{\mathbf {G}}a \vee {\mathbf {F}}{\mathbf {G}}b)\). Each state in the initial part is labeled with a formula. The words accepted from a state are exactly those satisfying the formula. Observe that \({\mathbf {F}}{\mathbf {G}}a\vee {\mathbf {F}}{\mathbf {G}}b\) holds iff eventually we reach a point where \({\mathbf {G}}a\) holds or \({\mathbf {G}}b\) holds. We non-deterministically guess this point and take the \(\varepsilon \)-transition to the accepting part, where we check the guess.
For this formula spot (2.0) produces a deterministic Rabin automaton with 4 states, too, but adding two more disjuncts \({\mathbf {F}}{\mathbf {G}}c\) and \({\mathbf {F}}{\mathbf {G}}d\) increases the size to 26 states. In contrast, our LDBA requires only two extra states.
An MDP \(\mathcal M\).
Product Construction and Analysis. We proceed according to the standard algorithm:
-
1.
Construct the product \(\mathcal {P}=\mathcal M\times \mathcal A(\varphi )\).
-
2.
Compute maximal end-components (MECs) of \(\mathcal {P}\).
-
3.
Compute the maximum probability to reach winning MECs. A MEC is winning if it satisfies the acceptance condition of \(\mathcal A(\varphi )\): here, if it contains an accepting transition for each Büchi condition.
The product \(\mathcal M\times \mathcal A(\varphi )\).
The standard product of an MDP and a deterministic automaton defines the transitions (in the usual notation) by \(P(\langle s,q\rangle ,\alpha ,\langle s',q'\rangle )=P(s,\alpha ,s')\) if \(q'=\delta (q, Label (s'))\) and otherwise equals 0. We extend the procedure to handle also non-deterministic \(\varepsilon \)-transitions by additional actions: let \(q_1,\ldots ,q_n\) be the successors of q under \(\varepsilon \), then for each \(i=1,\ldots ,n\) we add a new action called \(\varepsilon _{q_i}\) and define \(P (\langle s,q\rangle ,\varepsilon _{q_i},\langle s,q_i\rangle )=1\) (note that s does not move here).
Figure 3 illustrates the construction by a product of the system of Fig. 2 and the automaton of Fig. 1. A crucial optimization used here is that it is sufficient to take \(\varepsilon \)-transitions only from states in MECs of \(\mathcal M\times \mathcal {N}(\varphi )\) (which are exactly MECs of the product of \(\mathcal M\) and the initial part of \(\mathcal A(\varphi )\)). Hence no \(\varepsilon \)-transitions have to be produced in the initial state here.
3 Implementation and Optimizations
MoChiBA [34] replaces the LTL model-checker and the MEC computation in the explicit-state model-checker of PRISM, while other infrastructure (parsing, model construction, probability computation) are inherited from PRISM. The tool cannot be configured — all optimizations are enabled — and does not need to be installed. It reads a model (given as an MDP, .nm) and a property specification (.pctl) and prints the results to stdout:
./mochiba.sh model.nm properties.pctl
Apart from taking \(\varepsilon \)-transitions only from states in MECs of \(\mathcal M\times \mathcal {N}(\varphi )\) as mentioned above, we implement the following optimizations:
Transition-based acceptance leads to smaller automata, compared to state-based acceptance. Consequently, it is used by many translators, for instance [1, 11, 24]. However, PRISM translates all automata to state-based, thus increasing the size of the product. Our procedure avoids this and constructs and analyses directly the transition-based product.
Generalised Büchi acceptance condition allows for more efficient analysis than (generalised) Rabin, Streett, or parity conditions. Indeed, for the latter conditions expensive re-computations of MECs are necessary to handle different sets to be visited finitely often. In contrast, we compute MECs only once and check whether each set to be visited infinitely often intersects the MEC.
A single trap state is present in the product. Should the product enter any state from which the automaton component can never accept, the exploration of this part stops and redirects the transition to the single trap state.
Primitive data structures such as arrays are used instead of the more flexible Java collections, since they are more memory efficient, as boxing into objects is not necessary.
Sparse bit sets have proven more memory efficient for our approach than plain bit sets with a mapping table.
MEC decomposition is performed locally on disconnected accepting parts (corresponding to different \(\varepsilon \)-transitions). Together with the use of sparse bit sets, MECs are computed faster and using less memory.
4 Experimental Evaluation
We evaluate our novel approach in the setting of [6, 19]: we consider the Pneuli-Zuck randomised mutual exclusion protocol [31] of the PRISM benchmark suite [28] and also the same previously considered formulas (see lines 1–10 of Table 1). Additionally, lines 11–14 consider the deeply nested formulas of [35]. Finally, complementary to the \({\mathbf {G}}{\mathbf {F}}\)-, \({\mathbf {F}}{\mathbf {G}}\)- and fairness-like properties, lines 15–16 include simple reachability properties, which lie in the focus of the traditional methods.
The experiments were performed on a 2.5 GHz Intel Core i7 (I7-4870HQ) and granted 12 GB RAM and 1 h computing time for model checking each property (given the model already in the memory). We denote time-outs and mem-outs by “-”. We compare the following tools
-
MoChiBA (1.0) [34] is our implementation based on the LDBA translation of [35] and the explicit model checker of PRISM.
-
PRISM (4.3) [27] with the symbolic engine, which is the fastest here, and with the following translators:
-
IscasMC (unofficial, unversioned) implements the lazy approach of [19], using SPOT 1.2.6 [12] to translate LTL to non-deterministic Büchi automaton. We used the two fastest configurations as listed in [19]:
-
Multi-breakpoint (BP) construction with the explicit engine.
-
Rabin (R) construction with the explicit engine.
-
5 Conclusion
We have implemented a novel approach for probabilistic LTL model checking using a subclass of non-deterministic Büchi automata. Since the experimental results for the explicit state-space implementation are encouraging, we plan to extend the approach to a symbolic one. Further, a parellelisation of the product construction and MECs analysis, as well as dedicated constructions for the Release-operator or various LTL fragments could lead to further speed ups.
References
Babiak, T., Blahoudek, F., Křetínský, M., Strejček, J.: Effective translation of LTL to deterministic Rabin automata: beyond the (F, G)-fragment. In: ATVA, pp. 24–39 (2013)
Babiak, T., Křetínský, M., Řehák, V., Strejček, J.: LTL to Büchi automata translation: fast and more deterministic. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 95–109. Springer, Heidelberg (2012). doi:10.1007/978-3-642-28756-5_8
Baier, C., Katoen, J.: Principles of Model Checking. MIT Press, Cambridge (2008)
Blahoudek, F., Heizmann, M., Schewe, S., Strejček, J., Tsai, M.-H.: Complementing semi-deterministic Büchi automata. In: Chechik, M., Raskin, J.-F. (eds.) TACAS 2016. LNCS, vol. 9636, pp. 770–787. Springer, Heidelberg (2016). doi:10.1007/978-3-662-49674-9_49
Blahoudek, F., Křetínský, M., Strejček, J.: Comparison of LTL to deterministic Rabin automata translators. In: McMillan, K., Middeldorp, A., Voronkov, A. (eds.) LPAR 2013. LNCS, vol. 8312, pp. 164–172. Springer, Heidelberg (2013). doi:10.1007/978-3-642-45221-5_12
Chatterjee, K., Gaiser, A., Křetínský, J.: Automata with generalized Rabin pairs for probabilistic model checking and LTL synthesis. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 559–575. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39799-8_37
Courcoubetis, C., Yannakakis, M.: The complexity of probabilistic verification. J. ACM 42(4), 857–907 (1995)
Couvreur, J.-M.: On-the-fly verification of linear temporal logic. In: Wing, J.M., Woodcock, J., Davies, J. (eds.) FM 1999. LNCS, vol. 1708, pp. 253–271. Springer, Heidelberg (1999). doi:10.1007/3-540-48119-2_16
Couvreur, J.-M., Saheb, N., Sutre, G.: An optimal automata approach to LTL model checking of probabilistic systems. In: Vardi, M.Y., Voronkov, A. (eds.) LPAR 2003. LNCS (LNAI), vol. 2850, pp. 361–375. Springer, Heidelberg (2003). doi:10.1007/978-3-540-39813-4_26
Daniele, M., Giunchiglia, F., Vardi, M.Y.: Improved automata generation for linear temporal logic. In: Halbwachs, N., Peled, D. (eds.) CAV 1999. LNCS, vol. 1633, pp. 249–260. Springer, Heidelberg (1999). doi:10.1007/3-540-48683-6_23
Duret-Lutz, A.: Manipulating LTL formulas using Spot 1.0. In: Hung, D., Ogawa, M. (eds.) ATVA 2013. LNCS, vol. 8172, pp. 442–445. Springer, Heidelberg (2013). doi:10.1007/978-3-319-02444-8_31
Duret-Lutz, A.: LTL translation improvements in Spot 1.0. IJCCBS 5(1–2), 31–54 (2014)
Esparza, J., Křetínský, J.: From LTL to deterministic automata: a safraless compositional approach. In: Biere, A., Bloem, R. (eds.) CAV 2014. LNCS, vol. 8559, pp. 192–208. Springer, Heidelberg (2014). doi:10.1007/978-3-319-08867-9_13
Etessami, K., Holzmann, G.J.: Optimizing Büchi automata. In: Palamidessi, C. (ed.) CONCUR 2000. LNCS, vol. 1877, pp. 153–168. Springer, Heidelberg (2000). doi:10.1007/3-540-44618-4_13
Fritz, C.: Constructing Büchi automata from linear temporal logic using simulation relations for alternating Büchi automata. In: Ibarra, O.H., Dang, Z. (eds.) CIAA 2003. LNCS, vol. 2759, pp. 35–48. Springer, Heidelberg (2003). doi:10.1007/3-540-45089-0_5
Gaiser, A., Křetínský, J., Esparza, J.: Rabinizer: small deterministic automata for LTL(F, G). In: ATVA, pp. 72–76 (2012)
Gastin, P., Oddoux, D.: Fast LTL to Büchi automatatranslation. In: CAV, pp. 53–65 (2001). http://www.lsv.ens-cachan.fr/~gastin/ltl2ba/
Giannakopoulou, D., Lerda, F.: From states to transitions: improving translation of LTL formulae to Büchi automata. In: Peled, D.A., Vardi, M.Y. (eds.) FORTE 2002. LNCS, vol. 2529, pp. 308–326. Springer, Heidelberg (2002). doi:10.1007/3-540-36135-9_20
Hahn, E.M., Li, G., Schewe, S., Turrini, A., Zhang, L.: Lazyprobabilistic model checking without determinisation. In: CONCUR. LIPIcs, vol. 42, pp. 354–367 (2015)
Henzinger, T.A., Piterman, N.: Solving games without determinization. In: Ésik, Z. (ed.) CSL 2006. LNCS, vol. 4207, pp. 395–410. Springer, Heidelberg (2006). doi:10.1007/11874683_26
Kini, D., Viswanathan, M.: Limit deterministic and probabilistic automata for LTL \(\setminus \) GU. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 628–642. Springer, Heidelberg (2015)
Klein, J.: ltl2dstar - LTL to deterministic Streett and Rabinautomata. http://www.ltl2dstar.de/
Klein, J., Müller, D., Baier, C., Klüppelholz, S.: Are good-for-games automata good for probabilistic model checking? In: Dediu, A.-H., Martín-Vide, C., Sierra-Rodríguez, J.-L., Truthe, B. (eds.) LATA 2014. LNCS, vol. 8370, pp. 453–465. Springer, Heidelberg (2014). doi:10.1007/978-3-319-04921-2_37
Komárková, Z., Křetínský, J.: Rabinizer 3: safraless translation of LTL to small deterministic automata. In: Cassez, F., Raskin, J.-F. (eds.) ATVA 2014. LNCS, vol. 8837, pp. 235–241. Springer, Heidelberg (2014). doi:10.1007/978-3-319-11936-6_17
Křetínský, J., Ledesma-Garza, R.: Rabinizer 2: small deterministic automata for LTL\(_{\setminus \mathbf{GU}}\). In: ATVA, pp. 446–450 (2013)
Křetínský, J., Esparza, J.: Deterministic automata for the (F, G)-fragment of LTL. In: CAV, pp. 7–22 (2012)
Kwiatkowska, M., Norman, G., Parker, D.: PRISM 4.0: verification of probabilistic real-time systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 585–591. Springer, Heidelberg (2011). doi:10.1007/978-3-642-22110-1_47
Kwiatkowska, M.Z., Norman, G., Parker, D.: The PRISM benchmark suite. In: QEST, pp. 203–204 (2012)
Piterman, N.: From nondeterministic Büchi and Streett automata to deterministic parity automata. In: LICS, pp. 255–264 (2006)
Pnueli, A.: The temporal logic of programs. In: FOCS, pp. 46–57 (1977)
Pnueli, A., Zuck, L.D.: Verification of multiprocess probabilistic protocols. Distrib. Comput. 1(1), 53–72 (1986). doi:10.1007/BF01843570
Safra, S.: On the complexity of omega-automata. In: FOCS, pp. 319–327 (1988)
Schewe, S.: Tighter bounds for the determinisation of Büchi automata. In: Alfaro, L. (ed.) FoSSaCS 2009. LNCS, vol. 5504, pp. 167–181. Springer, Heidelberg (2009). doi:10.1007/978-3-642-00596-1_13
Sickert, S.: MoChiBA. https://www7.in.tum.de/~sickert/projects/mochiba/
Sickert, S., Esparza, J., Jaax, S., Křetínský, J.: Limit-deterministic Büchi automata for linear temporal logic. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780, pp. 312–332. Springer, Heidelberg (2016). doi:10.1007/978-3-319-41540-6_17
Somenzi, F., Bloem, R.: Efficient Büchi automata from LTL formulae. In: Emerson, E.A., Sistla, A.P. (eds.) CAV 2000. LNCS, vol. 1855, pp. 248–263. Springer, Heidelberg (2000). doi:10.1007/10722167_21
Tsai, M.-H., Tsay, Y.-K., Hwang, Y.-S.: GOAL for games, omega-automata, and logics. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 883–889. Springer, Heidelberg (2013). doi:10.1007/978-3-642-39799-8_62
Vardi, M.Y., Wolper, P.: An automata-theoretic approach to automatic program verification (preliminary report). In: LICS, pp. 332–344 (1986)
Acknowledgements
This work is partially funded by the DFG Research Training Group “PUMA: Programm- und Modell-Analyse” (GRK 1480) and by the Czech Science Foundation, grant No. 15-17564S.
The authors want to thank Ernst Moritz Hahn and Andrea Turrini for providing a private version of IscasMC to compare to and for assistance in using it.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing AG
About this paper
Cite this paper
Sickert, S., Křetínský, J. (2016). MoChiBA: Probabilistic LTL Model Checking Using Limit-Deterministic Büchi Automata. In: Artho, C., Legay, A., Peled, D. (eds) Automated Technology for Verification and Analysis. ATVA 2016. Lecture Notes in Computer Science(), vol 9938. Springer, Cham. https://doi.org/10.1007/978-3-319-46520-3_9
Download citation
DOI: https://doi.org/10.1007/978-3-319-46520-3_9
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-46519-7
Online ISBN: 978-3-319-46520-3
eBook Packages: Computer ScienceComputer Science (R0)