From Boolean to Quantitative System Specifications Tom Henzinger EPFL.

From Boolean to Quantitative System Specifications

Tom Henzinger EPFL

Outline

1 The Quantitative Agenda

2 Some Basic Open Problems

3 Some Promising Directions

The Boolean Agenda

Property/ Specification

Yes/No

Analysis

Program/ System

The Boolean Agenda


Yes/No-perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix

Analysis

Program/ System

The Boolean Agenda

Satisfaction Relation



Structure FormulaProgram/ System

The Boolean Agenda

Program/ System



Analysis

Every request is followed by a grant.

Transition system.

The Boolean Agenda

Quantitative Program/ System

Quantitative Property/

Specification


Analysis

Every request is followed by a grant within 5 time units.

Timed automaton.

The Boolean Agenda



Specification


Analysis

Every request is followed by a grant within probability 1/2.

Markov process.

The Boolean Agenda



Specification

B-perhaps a proof -perhaps some counterexamples -perhaps even a proposed fix

Analysis

Every request is followed by a grant within probability 1/2.

Markov process.

The Quantitative Agenda



Specification

R-measure of “fit” between system and spec -could be cost, quality, etc.

Analysis




Specification


Analysis


The less time between requests and grants, the better.




Specification


Analysis


The fewer unnecessary grants, the better.


Q1 Assigning values to behaviors

Boolean case: correct vs. incorrect behaviors

Q2 Assigning values to systems/properties

Boolean case: sets of behaviors (nondeterminism)

Q3 Assigning values to pairs of systems

Boolean case: preorders on systems

Q1 Assigning Values To Behaviors

a. Probabilities

b. Resource use

-worst case vs. average case (e.g. response time, QoS) -peak vs. accumulative (e.g. power consumption)

c. Quality measures

-discounting vs. long-run averaging (e.g. reliability)

Q1 Assigning Values To Behaviors

a: ok b: fail

Discounted value (0 < d < 1):

aaaaaaaaaa... 1 aaaaaaab... 1 - d8 aab... 1 - d3 b... 0

Long-run average value:

aaaaaaaaaa... 1 aaabaaabaaab... 1 – ¼

abaabaaab... 1babbabbba... 0

Q2, Q3 Assigning Values To Systems

x: behaviors w: observations A,B: systems

A(w) = supx { val(x) : obs(x) = w } B(w) = expx { val(x) : obs(x) = w }

Q2, Q3 Assigning Values To Systems

x: behaviors w: observations A,B: systems

A(w) = supx { val(x) : obs(x) = w } B(w) = expx { val(x) : obs(x) = w }

diff(A,B) = supw { |A(w) – B(w)| } ? Compositionality: diff(A||B,A’||B) · f(diff(A,A’)) [AFHMS].

Is there a Quantitative Framework with

-an appealing mathematical formulation, -useful expressive power, and -good algorithmic properties?

(Like the boolean theory of -regularity.)

Outline




Alphabet: = {a,b,c}

Language: L µ L = (a+b)+(a[c[ (a+b)

abaabaaabccccc... 2 Labcabc... L

Property = Language

Alphabet: = {a,b,c}

Language: L µ L = (a+b)+(a[c[ (a+b)

abaabaaabccccc... 2 Labcabc... L

L: ! B

Boolean Language

Q states : Q ! labeling q0 2 Q initial state

choices : Q Q transition function

Specification = Automaton

a cb

0

1

0

1

0,1

= {0,1}

A:




a cb

0

1

0

1

0,1

= {0,1} L(A) = (a+b)+(a[c[ (a+b)

A:




a cb

0

1

0

1

0,1

0101111... ! aababccc...

A:

“scheduler” “outcome”




Scheduler: x: Q+ ! S ... set of schedulers

Outcome: f(x) = q0q1q2 ... where 8 i : qi+1 = (qi, x(q0...qi))

Language: L = { (f(x)) : x 2 S }

Satisfaction = Language Inclusion

Given two automata A and B, is L(A) µ L(B)?

i.e. 8 w 2 : L(A)(w) · L(B)(w)

Satisfaction = Language Inclusion

Given two automata A and B, is L(A) µ L(B)?

i.e. 8 w 2 : L(A)(w) · L(B)(w)

For finite automata, PSPACE-complete.

Word: element of Probabilistic Word: probability space on Probabilistic Language: set of probabilistic words

Probabilistic Language

w: ab ! 1/2 aab ! 1/4 aaab ! 1/8

...


choices : Q D(Q) transition function

Markov Decision Process

a cb

0: 0.5

0: 0.5 1: 1

0: 0.5

0,1A:

0: 0.5 1: 1




a cb

0: 0.5

0: 0.5 1: 1

0: 0.5

0,1A:

0: 0.5 1: 1

0101111... ! abccc... ! 1/2aabccc... ! 1/4 ...




Pure scheduler: x: Q+ ! Probabilistic scheduler: x: Q+ ! D()




a cb

0: 0.5

0: 0.5 1: 1

0: 0.5

0,1A:

0: 0.5 1: 1

{0: 0.5, 1: 0.5} ! abccc... ! 9/16 aabccc... ! 9/64

...

Probabilistic Language Inclusion

Given two MDPs A and B, is L(A) µ L(B)?



?



?Open even if specification B is deterministic (i.e. || = 1) and implementation scheduler required to be pure. If both sides are deterministic, then it can be solved in polynomial time (equivalence of Rabin’s probabilistic automata) [Tzeng, DHR].

Language: L: ! B

Quantitative Language: L: ! R

Quantitative Language

L(ab) = 1/2 L(aab) = 1/4 L(aaab) = 1/8 ...


choices : Q R £ Q transition function

Weighted Automaton

a cb

0; 4

1; 2

0; 0

0,1; 0A:

1; 1



Weighted Automaton

a cb

0; 4

1; 2

0; 0

0,1; 0A:

1; 1

0101111... ! aababccc...; 4 1111111... ! abccc...; 2

Max value:



Weighted Automaton

Outcome: f(x) = q0v1q1v2q2... where 8 i : (vi+1,qi+1) = (qi, x(q0...qi))

Max value: val(q0v1q1v2q2...) = sup{ vi : i ¸ 1 }



Weighted Automaton

Outcome: f(x) = q0v1q1v2q2... where 8 i : (vi+1,qi+1) = (qi, x(q0...qi))

Max value: val(q0v1q1v2q2...) = sup{ vi : i ¸ 1 }

q-Language: L(w) = sup{ val(f(x)) : x 2 S s.t. (f(x)) = w }

Different Value Functions

Max value: val(q0v1q1v2q2...) = sup{ vi : i ¸ 1 } (only 0 and 1 costs: finite automaton)

Limsup value: val = limn!1 sup{ vi : i ¸ n } (only 0 and 1 costs: Buechi automaton)




Limavg value: val = limn!1 1/n ¢ 1·i·n vi




Limavg value: val = limn!1 1/n ¢ 1·i·n vi

Discounted: val = i¸ 1 di ¢ vi for some 0<d<1

Weighted Automaton

a cb

0; 4

1; 2

0; 0

0,1; 0A:

1; 1

01010101... ! aabababab...; 2 11111111... ! abccc...; 0

Limsup value:

01010101... ! aabababab...; 1 11111111... ! abccc...; 0

Limavg value:

01010101... ! aabababab...; 2.66... 11111111... ! abccc...; 1.25

Discounted: (d = 0.5)

Quantitative Language Inclusion

Given two weighted automata A and B, is 8 w 2 : L(A)(w) · L(B)(w) ?



For max and limsup values: PSPACE. For limavg and discounted values: Open.



For max and limsup values: PSPACE. For limavg and discounted values: Open.

If specification B is deterministic, then it can be solved in polynomial time [CDH].

Quantitative Simulation

a

1

b1

1

1

b

2

a2

0

0

b

0

a0

2

2

a

2

0

·

A not simulated by B.

Simulation game solvable in P for max, and in NP Å coNP for limsup, limavg, discounted [CDH].

A: B:

Quantitative Emptiness and Universality

Emptiness: Given a weighted automaton A, is L(A)(w) ¸ 1 for some word w 2 ?

In P for max, limsup, limavg, and discounted automata. Solvable by finding a path with maximal value [CDH].

Quantitative Emptiness and Universality

Emptiness: Given a weighted automaton A, is L(A)(w) ¸ 1 for some word w 2 ?

In P for max, limsup, limavg, and discounted automata. Solvable by finding a path with maximal value [CDH].

Universality: Given a weighted automaton A, is L(A)(w) ¸ 1 for all words w 2 ?

As hard as language inclusion.

Quantitative Expressiveness

[CDH CSL08, LICS09]

Quantitative Expressiveness

ba,b

0 1

E.g. limavg automata not determinizable:

*b expressible by a nondeterministic limavg automaton.

*b not expressible by a deterministic limavg automaton.

Every b-cycle would need weight 1.Consider wn = (abn).Then val(wn)=1 for sufficiently large n, but wn*b.

Quantitative Closure Properties

Quantitative Closure Properties

a

0

b0

1

1

a

1

b1

0

0

E.g. limavg automata not closed under min:

min(L1,L2) not expressible by a limavg automaton.

Consider wn = (anbn) for large n.Some a-cycle or b-cycle would need average positive weight.Then some word ua or ub would have a positive value.

L1: L2:

Outline




The Boolean Agenda

Specification

Yes/No

Analysis

System

The Boolean Agenda

Specification

Correct System

Synthesis

The Boolean Agenda

Regular Automaton

Correct System = Winning Strategy

Graph Game with Regular Objective

3.1 Quantitative Synthesis

Optimal System

Synthesis

Quantitative Specification


Optimal System = Optimal Strategy

Weighted Automaton

Graph Game with Quantitative Objective


Graph Game with Quantitative Objective

Weighted Automaton

Optimal System = Optimal Strategy

-positional vs. finite-memory vs. unrestricted strategies

-optimal vs. -optimal strategies

Games for Quantitative Synthesis

1 Constrained Resources

-every weight is a resource cost (e.g. power consumption) -optimize peak resource use: max objective -optimize accumulative resource use: sum objective [Chakrabarti et al.]

Games for Quantitative Synthesis

1 Constrained Resources

2 Preference between Different Implementations

-boolean spec, but certain implementations preferred-formalized using lexicographic objectives

[Jobstmann et al.]

h f, g1, ... gn i

boolean objective quantitative objectives

Request-Grant Limavg Automaton 1

r g

1

1

11

Following a request, all steps until the next grant are penalized.

Request-Grant Limavg Automaton 2

r g

1

1

Following a request, all repeated grants are penalized.

3.2 Robust Systems

1 Robustness as Mathematical Continuity:

-small input changes should cause small output changes -only possible in a quantitative framework

8 >0. 9 >0. input-change · ) output-change ·

In general programs are not continuous. But they can less continuous:

read sensor value x; if x · c then y = f1(x)

else y = f2(x);

f1

f2

c

In general programs are not continuous. But they can less continuous:

read sensor value x; if x · c then y = f1(x)

else y = f2(x);

Or more continuous:

if x · c - then y = f1(x); if x ¸ c + then y = f2(x)

else y = (f2(c+)-f1(c-))(x-c+)/2 + f1(c-);

[Majumdar et at., Gulwani et al.]

f1

f2

c

3.2 Robust Systems



8 >0. 9 >0. input-change · ) output-change ·

Example of a Robustness Theorem [AHM]:

If discountedBisimilarity(A,B) > 1 - , then 8w : |A(w) – B(w)| < f().

3.2 Robust Systems



2 Robustness w.r.t. Faulty Assumptions:

-environment may violate assumptions -few environment mistakes should cause few system

mistakes -ratio of system to environment mistakes as

quantitative quality measure

[Greimel et al.]

3.3 Resource Interfaces

-Component interfaces expose resource requirements (e.g. time, memory, power).

-Interfaces are compatible if their combined requirements do not exceed the available resources.

-If the requirements are dynamic, then compatibility can be solved as a graph game with quantitative objectives.

[Chakrabarti et al.]

2

99

5

9 5

15 19

59

A

B

C

D

E F

G H

node limit = 20

Max Constraint

minimizer maximizer

2

99

5

9 5

15 19

59

A

B

C

D

E F

G H

node limit = 20

Max Constraint

minimizer maximizer

-10

99

5

9 -9

15 19

59

A

B

C

D

E F

G H

path limit = 10

Sum Constraint

minimizer maximizer

-10

99

5

9 -9

15 19

59

A

B

C

D

E F

G H

path limit = 10

Sum Constraint

minimizer maximizer

3.4 System Reliability

-assuming x% of periodic input values are valid, y% of periodic output values should be valid

-hardware faulty, but can be replicated

-compiler ensures specified reliability through replication

[Ghosal et al.]

3.4 System Reliability

a: ok b: fail

Limit-average value:

aaaaaaaaaa... 1 aaabaaabaaab... 3/4 ababbabbb... 0

Want reliabitity of 1 – 10-x.

Conclusions

-“Quantitative” is more than “timed” and “probabilistic.”

-We need to move from boolean correctness criteria to quantitative system preference metrics.

-We have interesting point solutions, but no convincing overall framework.

From Boolean to Quantitative System Specifications Tom Henzinger EPFL.

Documents

analysis slide

reliability slide

transition system

behaviors boolean case

systemsproperties boolean

pairs of systems boolean

behaviors w

average case