Distributed Verification of Rare Properties with ...

Download PDF
6 downloads 0 Views 193KB Size Report
Comment
false, command 1 increments counter w and the output remains undecided. If at any time the input is true, command .... Edsger W. Dijkstra. Guarded commands ...
Distributed Verification of Rare Properties with Lightweight Importance Splitting Observers

arXiv:1502.01838v1 [cs.LO] 6 Feb 2015

Cyrille Jegourel, Axel Legay, Sean Sedwards and Louis-Marie Traonouez INRIA Rennes – Bretagne Atlantique

Abstract Rare properties remain a challenge for statistical model checking due to the quadratic scaling of variance with rarity. Importance splitting can addresses this challenge, but makes demands on the encoding of the model-property product automaton. To maximise the performance of importance splitting, the user must be able to define arbitrary functions of the states of the product automaton. To distribute simulations efficiently, the product automaton must be compact and the length of its state must be small compared to the length of a simulation trace. In this work we describe an implementation of importance splitting for statistical model checking, using “lightweight” observers that meet the above demands. Specifically, we define an expressive bounded time logic and show how it may be compiled into compactly-described automata, whose memory requirement is only dependent on the length of the formula. We also present fixed and adaptive level importance splitting algorithms, optimised for distribution.

1

Introduction

The ‘state explosion problem’ [6] associated with probabilistic model checking has been well addressed by statistical model checking (SMC) [30]. SMC is based on Monte Carlo sampling [24], the performance of which is essentially independent of the size of the sample space [25]. SMC may be efficiently distributed on parallel computation architectures, allowing a linear scaling of performance with the number of computational nodes. Rare properties nevertheless pose a problem because the standard error [14] and relative error [28] scale quadratically with rarity. Since quantifying rare properties is often necessary to certify the reliability of critical systems, we seek to enhance SMC with variance reduction techniques, such as importance sampling and importance splitting [22,14,28]. Importance sampling weights the executable model of a system in such a way that the rare property occurs more frequently in simulations. The proportion of simulations that satisfy the property using the weighted model overestimates the true probability, but the result may be exactly compensated by the weights. It is generally not feasible to implement a perfect executable model for importance sampling because (i) the perfect model may not actually exist as a re-parametrisation of the original model and (ii) a perfect re-parametrisation typically requires an iteration over all the transitions, defeating the benefits of simulation. Practical approaches using importance sampling therefore tend to

use a low dimensional vector of parameters to weight the model [18,17]. Without a guarantee that the simulation model is perfect, however, it is difficult to bound the error of estimates. In contrast to importance sampling, confidence intervals have been defined for importance splitting [4,3], making this technique appealing for SMC. Importance splitting divides a rare property into a set of less rare sub-properties that correspond to an increasing sequence of disjoint levels. The initial state corresponds to the lowest level and the rare property corresponds to the final level. Importance splitting algorithms use a sequence of relatively easy simulation experiments to estimate the conditional probabilities of going to the next level having reached the present one. The overall probability is the product of these estimates, with the lowest variance achieved with many levels of equal probability. While importance splitting may give a significant gain in performance over simple Monte Carlo estimation of rare properties, it is nevertheless computationally intensive. Distributing importance splitting with complex logical properties, however, poses challenges. In contrast to standard SMC, SMC with importance splitting repeatedly initialises simulations with arbitrary states of the modelproperty product automaton. This state must therefore be compact relative to the length of a simulation if it is to be sent across potentially slow communication channels. In addition, a syntactic description of the product automaton must be available to allow the user to define the fine-grained levels necessary for efficient importance splitting. Finally, the property automaton should be as efficient to execute as it would be with standard SMC. In this work we address the above challenges and present an implementation of importance splitting for SMC that may be efficiently distributed. We define an expressive bounded time temporal logic that is compiled into lightweight observers that make the product automaton (i) accessible to the user, (ii) efficient to construct, (iii) efficient to distribute and (iv ) efficient to execute. We also present distributed versions of fixed and adaptive importance splitting algorithms.

2

Related Work

As a standard variance reduction technique, there have been many ad hoc implementations of importance splitting that do not differ greatly from the original ideas of [22,23]. The algorithm of [29] is a relatively recent example that is often cited. The work of [4,3] is important because the authors define efficient adaptive importance splitting algorithms that also include confidence intervals. To our knowledge, [19] is the first work to explicitly link importance splitting to arbitrary logical properties and the present work is the first to describe a practical implementation of importance splitting for SMC. The present work is therefore also the first to consider the problems of distributing importance splitting for SMC.

SMC tools construct an automaton to accept traces that satisfy a temporal logic formula, typically based on a time bounded variant of temporal logic. The proportion of independent simulations of a stochastic model that satisfy the property is then used to estimate the probability of the property or to test hypotheses about the probability. There is considerable intersection between runtime verification (RV) and SMC, with few concepts unique to either. In particular, there have been many works that construct RV monitors from temporal logic (e.g., [11,13,15,10,1]). Such monitors typically comprise tableau-based automata [12] whose states represent the combinations of sub-formulas of the overall property. While some have considered timed properties (e.g., [1]), the focus is predominantly unbounded LTL properties [27] interpreted on finite paths [9]. In contrast, SMC typically checks formulae with explicit time bounds (see, e.g., (3)), which are inherently defined on finite traces. To avoid the combinatorial explosion of sub-formulas caused by including time in this way, the monitors used by [18,2] are compact programs that generate the states of an automaton on-the-fly and do not store them. We adapt this “lightweight” approach to allow importance splitting for SMC to be efficiently distributed on high performance parallel computational architectures.

3

Score functions and Importance Splitting Algorithms

The neutron shield model of [21,22] is illustrative of how importance sampling works. Neutrons are randomly absorbed by the atoms of a shield, but with some small probability γ they pass through. The distance travelled in the shield defines a monotonic set of levels 0 = s0 < s1 < s2 < · · · < sm = shield thickness, such that reaching a given level implies having reached all the lower levels. While γ is small, the probability of passing from one level to another can be made arbitrarily close to 1 by reducing the distance between levels. By denoting the abstract level of a neutron as s, the probability of a neutron reaching level si can be expressed as P(s ≥ si ) = P(s ≥ si | s ≥ si−1 )P(s ≥ si−1 ). Defining γ = P(s ≥ sm ) and P(s ≥ s0 ) = 1, it is possible to write γ=

m Y

i=1

P(s ≥ si | s ≥ si−1 ).

(1)

Each term of the product (1) is necessarily greater than or equal to γ, making their estimation easier. The above concepts can be generalised to arbitrary systems and properties, treating s and si as values of a score function over simulation traces. Intuitively, a score function discriminates good paths from bad, assigning higher values to paths which more nearly satisfy the overall property. Given a set of finite trace prefixes ω ∈ Ω, an ideal score function S : Ω → R has the characteristics S(ω) > S(ω ′ ) ⇐⇒ P(|= ϕ | ω) > P(|= ϕ | ω ′ ), where P(|= ϕ | ω) is the probability of eventually satisfying ϕ given prefix ω. Intuitively, ω has a higher score than ω ′ iff there is more chance of satisfying ϕ by continuing ω than by continuing ω ′ .

The minimum requirement of a score function is S(ω) ≥ sϕ ⇐⇒ ω |= ϕ, where sϕ is an arbitrary value denoting that ϕ is satisfied. The intuition here is that any trace that satisfies ϕ must have a score of at least sϕ and any trace that does not satisfy ϕ must have a score less than sϕ . In what follows we assume that (1) refers to scores. In physical and chemical systems, distances and quantities may provide a natural notion of level that can be finely divided. In the context of model checking, variables may be Boolean and temporal logic properties may not contain an obvious notion of level. Various ways to construct score functions from a temporal logic property are proposed in [19]. In particular, given rare property ϕ and a sequence of nested sub-properties true = ϕ0 ⇐ ϕ1 ⇐ · · · ⇐ ϕn = ϕ, the indices of the properties constitute a score function that directly correlates logic to score. In this case it is clear that paths with a higher score satisfy more of the overall property. The choice of levels is crucial to the effectiveness of importance splitting. To minimise the relative variance of the final estimate it is desirable to have many levels, with P(s ≥ si | s ≥ si−1 ) the same for all i [7]. A simple logical decomposition of a property may give too few levels or levels with widely divergent conditional probabilities. To maximise the granularity of score functions, they must be implemented as more general mappings from the states of the model-property product automaton to values.

3.1

Fixed Level Algorithm

The fixed level algorithm assumes that levels are pre-defined and typically performs a fixed number of simulations per level. Each simulation is initialised with the terminal state of a simulation that reached the current level, chosen uniformly at random. In the context of SMC, the state is that of the modelproperty product automaton. Simulations terminate as soon as they reach the next level or when they reach a pre-defined maximum length (usually implicit in the bounded temporal logic property). Each conditional probability required by (1) is estimated by the proportion of simulations that successfully pass from one level to the next. Algorithm 1 is our distributed fixed level importance splitting algorithm, in which the terms server and client refer to the root and leaf nodes of a network of computational devices. In essence, the server manages the job and the clients perform the simulations. The server initially sends compact representations of the model and property to each client. Thereafter, only the state of the product automaton is communicated. In general, each client returns terminal states of simulations that reached the current level and the server distributes these as initial states for the next round of simulations. Algorithm 1 optimises this: the server requests and distributes only the number of states necessary to restart the simulations that failed to reach the current level, while maintaining the randomness of the selection.

The estimate γ˜ is unbiased and subject to the following (1 − α) confidence interval [19]: 

    zα σ zα σ CI = γˆ/ 1 + √ , γˆ / 1 − √ kn kn

σ2 ≥

with

m X 1 − γi i=1

γi

(2)

zα is the 1 − α/2 quantile of the standard normal distribution and γi is the conditional probability of level i. For any fixed m, the minimisation problem min

m X 1 − γi i=1

γi

with constraint

m Y

γi = γ

i=1

implies that σ is reduced by making all γi equal. The memory requirements of Algorithm 1 are minimal: each client need only store the state of n simulations. As such, it is conceivable to distribute simulation on the lightweight computational threads provided by GPGPU (general purpose computing on graphics processing units).

Algorithm 1: Distributed Fixed Level Importance Splitting

1 2 3 4 5 6 7 8 9 10 11

input: s1 < s2 < · · · < sm is a sequence of scores, with sm = sϕ the score necessary to satisfy property ϕ γˆ ← 1 is the initial estimate of γ = P(ω |= ϕ) server sends compact description of model and observer to k clients each client initialises n simulations for s ← s1 , . . . , sm do each client continues its n simulations from their current state; simulations stop early if their scores reach s ∀ clients, client i sends server the number P of traces ni that reached s server calculates γˆ ← γˆ n′ /kn, where n′ = ni for j ← 1, . . . , kn − n′ do server chooses client i at random, with probability ni /n′ client i sends server a state chosen uniformly at random from those that reached s server sends state to client corresponding to failed simulation j, as initial state of new simulation to replace simulation j output: γˆ

3.2

Adaptive Level Algorithm

Given sufficient granularity, a further challenge is to define the levels. In practice these might be guessed or found by trial and error, but [4,19,20] give algorithms that find optimal levels adaptively. Instead of pre-defining levels, the adaptive

algorithm pre-defines the proportion of simulations to retain after each iteration. This proportion, denoted γ0 , defines all but the final conditional probability, r0 ≥ γ0 , in (1). The algorithm initially performs a number of simulations to completion, recording the maximum score achieved in each. The scores are ordered and the 1 − γ0 lowest quantile are re-simulated from initial states selected uniformly at random from those corresponding to the minimum score in the retained simulations. The process of rejecting the lowest quantile is repeated while the retained simulations do not all reach the score required to satisfy the overall property. The adaptive algorithm stores complete or partially simulation traces, so it makes much heavier use of memory than the fixed level algorithm.

Algorithm 2: Distributed Adaptive Importance Splitting 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

input: sϕ is the minimum score to satisfy property ϕ γˆ ← 1 is the initial estimate of γ = P(ω |= ϕ) server sends compact description of model and observer to k clients each client simulates n complete traces, recording their maximum score each client sends n ordered scores and corresponding trace ids to the server server merges scores to find lowest, smin , and second lowest, s′min while smin < sϕ do server identifies u “unsuccessful” traces whose score is smin server calculates γˆ ← γˆ (kn − u)/kn server chooses, uniformly at random, t ids of kn − u “successful” traces server sends each of u′ ≤ u clients smin and id(s) of its trace(s) to branch each of the u′ clients finds smin in its trace(s) and returns branching state(s) to server server distributes branching states to the u′′ ≤ u clients with unsuccessful traces each of the u′′ clients re-initialises its unsuccessful trace(s) with new branching state(s) server broadcasts s′min to all clients clients continue all initialised and previously unterminated simulations, but stop and record score if it exceeds s′min clients return new scores and corresponding trace ids to server server removes old scores and inserts new scores in existing order output: γˆ

By equalising the conditional probabilities, the adaptive algorithm improves the variance reduction performance. The variance of the estimate γ˜ is given by   γ2 1 − γ0 1 − r0 V ar(ˆ γ) = (m − 1) + + o(n−1 ) , n γ0 r0 with function γ0 7−→ (γ0 − 1)/(γ0 log γ0 ) strictly decreasing on ]0, 1[. Increasing γ0 therefore decreases the variance (σ 2 ) and improves the confidence (2). To minimise variance and maximise confidence, Algorithm 2 implements a special

case of the adaptive level algorithm, where all but the trace(s) with the least score are retained at each level. Ideally, γ0 = 1 − 1/n, but there may be more than one path with minimal score. Hence, typically, γ0 = 1 − u/n, with u ≥ 1 the number of paths with minimal score. The iterations of the adaptive importance splitting algorithm are necessarily sequential. By reducing the number of rejected traces per iteration to reduce variance, the algorithm is made less efficient for distribution. If the ideal condition for variance reduction is achieved, there will be just one simulation per iterative step and all but one client will be idle. Our solution in Algorithm 2 is to not take simulations to completion during the iterative phase. The goal of the algorithm at each level is to identify the trace(s) with the minimum score, but it is not necessary to continue simulations once they have exceeded the existing minimum (the second lowest score in the previous iteration). Occasionally, new simulations may not reach the existing minimum score and must be continued to completion. This will be rare, but the scores of such simulations compete to be the new minimum. Hence, at the end of any iteration there exists a set of completed simulations containing those with minimum score and a set of incomplete simulations with scores greater than the minimum. The subsequent iteration continues the incomplete simulations and starts new simulations to replace those having minimum score, but no simulation need continue once it has exceeded the second lowest score. Since scores are distributed randomly across the clients, the simulation load is probabilistically distributed evenly.

4

Logic for Importance Splitting

Our SMC tools [18,2] implement a bounded linear temporal logic having the following syntactic form: φ =Xk φ | Fk φ | Gk φ | φUk φ | ¬φ | φ ∨ φ | φ ∧ φ | φ ⇒ φ | α α =true | false | Boolean variable | ρ ρ =ν > ν | ν ≥ ν | ν = ν | ν ≤ ν | ν < ν ν =numeric expression of system variables

(3)

This syntax allows arbitrary combinations and nesting of temporal and atomic properties (i.e., those which may be evaluated in a single state and denoted by α). The time bound k may denote discrete steps or continuous time, but in this work we consider only discrete time semantics. Given a finite trace ω, comprising a sequence of states ω0 ω1 ω2 · · · , ω (i) denotes the suffix ωi ωi+1 ωi+2 · · · . The semantics of the satisfaction relation |= is constructed inductively as follows: ω (i) |= true ∈ |=

ω (i) |= false 6∈ |=

ω (i) |= α ⇐⇒ α evaluates to true in state ωi

ω (i) |= ¬ϕ ⇐⇒ ω (i) |= ϕ 6∈ |= ω (i) |= ϕ1 ∨ ϕ2 ⇐⇒ ω (i) |= ϕ1 or ω (i) |= ϕ2 ω (i) |= ϕ1 ∧ ϕ2 ⇐⇒ ω (i) |= ϕ1 and ω (i) |= ϕ2 ω (i) |= Xk ϕ ⇐⇒ ω (k+i) |= ϕ ω (i) |= Fk ϕ ⇐⇒ ∃j ∈ {i, . . . , i + k} : ω (j) |= ϕ ω (i) |= Gk ϕ ⇐⇒ ∀j ∈ {i, . . . , i + k} : ω (j) |= ϕ ω (i) |= ϕ1 Uk ϕ2 ⇐⇒ ∃j ∈ {i, . . . , i + k} : ω (j) |= ϕ2 ∧(j = i ∨ ∀l ∈ {i, . . . , j − 1} : ω (l) |= ϕ1 ) Hence, given a property ϕ, with syntax according to (3), ω |= ϕ is evaluated by ω (0) |= ϕ. To check unbounded LTL properties it is usual to construct a finite state automaton (FSA) whose states represent all the combinations of truth values of the property’s sub-formulas. Even if such automata are constructed explicitly, they are typically tractable because of the symmetries afforded by unbounded properties. Many of these symmetries disappear, however, with time bounded properties. E.g., if an unbounded LTL automaton receives input ψ ∧ ¬ϕ in a state where ψUϕ is true, it returns to the same state, whereas an automaton of (3) in a state where ψUk ϕ is true would move to a new state where ψUk−1 ϕ is true. It is nevertheless possible to construct compact automata to evaluate properties of (3) on finite traces. With access to the states of a trace, an automaton may be constructed by simply implementing the semantics as a set of recursively called functions. The automaton is effectively implemented as a program of size proportional to the formula and memory proportional to the nested time bounds. To facilitate efficient on-the-fly verification, the existential and universal quantifiers of the temporal operators can be implemented as loops that iterate over states, breaking as soon as the property is decided. A naive implementation will incur running time that scales in proportion to the product of the time bounds of nested temporal operators, instead of the sum. Efficient tools therefore implement nested temporal operators by merely keeping track of when the last decision was made [18]. We adopt this approach in the automata we present in Section 5. In the present context, automata with size proportional to the time bounds of nested temporal operators are not adequate. Algorithms 1 and 2 require the state of the model-property automaton to be sent between server and client on communication channels that are likely to be very slow in comparison to direct memory access. If the state of the product automaton includes part of the trace, the cost of communication may approach or exceed the cost of simulation. To distribute importance splitting efficiently, we therefore define a subset of (3), the size of whose automata is not dependent on the bounds of temporal operators.

Importance Splitting Linear Temporal Logic – ISPLTL We use the following syntax to generate lightweight importance splitting observers: φ =Xk φ | φUk ψ | ¬φ | φ ∨ φ | φ ∧ φ | φ ⇒ φ | ψ

ψ =Xk ψ | Fk ψ | Gk ψ | α

(4)

α =¬α | α ∨ α | α ∧ α | α ⇒ α | true | false | Boolean variable | ρ

The semantics of (4) is the same as (3), but (4) restricts how temporal operators may be combined in order to limit the size of the state of the automaton. In particular, the until operator (U) may not be nested and nested temporal operators may not be combined using Boolean connectives. These restrictions allow many useful properties and disallow relatively few. For example, properties such as Gk1 (α1 ∨ Gk2 α2 ) and Gk1 (α1 Uk2 α2 ) are not permitted, but the until operator may nevertheless be a sub-formula of the next operator (X) and formulas containing nested temporal operators may also be combined with Boolean operators. Hence, properties Xk1 (φUk2 (Gk3 ψ)) and (Fk1 ψ1 ) ⇒ (Gk2 ψ2 ), for example, are allowed. In general, a problem arises when a nested formula contains a disjunction with G or a conjunction with F. E.g., property Gk1 (α1 ∨ Gk2 α2 ) requires that for all states ωi ∈ ω0 , . . . , ωk1 , state ωi+k2 is known simultaneously. Hence, if the simulation is stopped when Gk1 has only considered α1 ∨ Gk2 α2 for ω0 , the sub-property Gk2 α2 may have already explored states ω0 , . . . , ωk2 . To restart the simulation, it is necessary to know ω1 , . . . , ωk2 , which have already been simulated and must be part of the model-property automaton state. Nested until properties cause a related problem. It is possible to construct automata for nested until operators that do not require storage of the trace, however these automata have the characteristic of outputting more than one value per simulation state. I.e., they may require the simulation to pause while continuing to output values. Such pauses are arbitrarily related to the simulation trace, ψ and ϕ. Hence, in the case of properties such as (Gk1 (φ1 Uk2 ψ1 )) ⇒ (Gk3 (φ2 Uk4 ψ2 )), Gk1 (φ1 Uk2 ψ1 ) and Gk3 (φ2 Uk4 ψ2 ) will generally require different pauses. The states that are generated while one sub-property pauses and the other sub-property continues must later be considered by the paused subproperty. The states are therefore part of the state of the model-property automaton. Given the current range of case studies in the literature, we choose to allow Boolean operatives over temporal operators and forbid nested untils, rather than the converse.

5

Lightweight Observers

A property with syntax (4) is implemented as a set of nested observers, each of which corresponds to a temporal operator, a Boolean operator acting on temporal operators, or an atomic property. Automata are of two kinds: outer

and inner, referring to their level within the nesting of a formula. Each observer comprises a set of ‘guarded commands’ [8], which we write in the form predicate : update in Figs. 1, 2 and 3. The corresponding diagrams are abstractions to give an intuition of how the commands work. Since the output of temporal operators is not known immediately, the automata implement a three-valued logic. The symbols ?, ⊤ and ⊥ denote outputs that are undecided, true and false, respectively. Each observer has Boolean output variables o and d to indicate respectively the result and whether the property has been decided: the value of o is not valid until d = true. All temporal operators take discrete time bound k as a parameter and use counter variable w. Inner temporal operators make use of an additional counter, t. The arguments of operators are Boolean variables o′ and o′′ , with corresponding decidedness d′ and d′′ . The automata for atomic properties are essentially an assignment of a state formula with syntax α to output variable o. Hence, when o′ , o′′ are the evaluation of an atomic property, d′ , d′′ are implicitly true and are omitted. The state of the property automaton is simply the concatenation of the all the values of the variables of the nested automata. Note that although some automata may be derived from combinations of others, to maximise efficiency they are implemented individually.

5.1

Execution Semantics

An automaton advances only when its input is decided, noting that the connective automata in Fig. 2 can also make a decision when only one of their arguments is decided. The dependency between observers has a tree structure, with atomic property observers being the leaves. Syntactically, the level of nesting is indicated by the file order of the modules. Leaf observers appear at the top and are executed first, while the root observer appears at the bottom and is executed last. Observers at the same level have no co-dependency and may be executed in an arbitrary order. The automata are designed such that no more than one command is ever enabled. For each simulated state of the probabilistic model, the virtual machine executes the enabled commands in syntactic order. An individual automaton may reach a deadlock state (no commands enabled) once its output cannot be changed by further input. The simulation terminates when the output of the root observer is decided.

5.2

Outer Temporal Automata

Figure 1 describes the automata for outer temporal operators. The output of outer automata is monotonic: they proceed from undecided (?) to decided (⊤ or ⊥) and then do not change their decision.

Xk (Fig. 1a) While the number of valid input states (d′ = true) is less than the bound k, command 1 increments counter w. Once the bound is reached (w = k), command 2 sets the output to the truth value of the last input and indicates that the property is decided (d ← true). Thereafter the automaton is deadlocked. Fk (Fig. 1b) While the bound k has not been reached and the input value is false, command 1 increments counter w and the output remains undecided. If at any time the input is true, command 2 sets the output and decidedness to true. If the bound is ever reached (w = k), the output is decided with value false. Gk Since Gk o′ = ¬(Fk ¬o′ ), the automaton for Gk is derived from that of Fk by negating all instances of o′ , ¬o′ and exchanging o ← true with o ← false. Uk (Fig. 1c) While the bound k has not been reached, the value of input o′ is false and the value of input o′′ is true, command 1 increments counter w and the output remains undecided. If at any time neither o′ nor o′′ are true or the bound is reached (w = k) and o′ is not true, command 3 decides the output to be false. Otherwise, the output is decided true by command 2 if o′ is true. 1 ?

2



2

1. ¬d ∧ d′ ∧ w < k : w ← w + 1 2. ¬d ∧ d′ ∧ w = k : d ← true, o ← o′

⊥ (a) o ← Xk o′ 1 ?

2

3



1. ¬d ∧ d′ ∧ ¬o′ ∧ w < k : w ← w + 1 2. ¬d ∧ d′ ∧ o′ : d ← true, o ← true 3. ¬d ∧ d′ ∧ ¬o′ ∧ w = k : d ← true, o ← false

⊥ (b) o ← Fk o′ 1 ? 3

2



1. ¬d ∧ d′ ∧ d′′ ∧ ¬o′ ∧ o′′ ∧ w < k : w ← w + 1 2. ¬d ∧ d′ ∧ o′ : d ← true, o ← true 3. ¬d∧d′ ∧d′′ ∧¬o′ ∧(¬o′′ ∨o′′ ∧w = k) : d ← true, o ← false

⊥ (c) o ← o′′ Uk o′

Figure 1: Automata for outer temporal operators. Initially w = 0, d = false.

5.3

Outer Connective Automata

Figure 2 describes the automata for Boolean connective automata. The connectives may be combined, but otherwise act only on outer temporal operators. Negation of an automaton is implemented by inverting its truth assignment, i.e., by exchanging o ← true, o ← false. Boolean connectives at syntactic level α are implemented directly in formulas, within automata for atomic properties. The connective automata implement a three-valued logic and decide their output without necessarily waiting for all inputs to be decided. E.g., the following expressions are valid for any values of ?: true ∧ ? = false, true ∨ ? = true and ? ⇒ true = true. 1 ?

2



3

1. ¬d ∧ (¬d′ ∨ ¬d′′ ) ∧ (o′ ∧ d′ ∨ o′′ ∧ d′′ ) 2. ¬d ∧ d′ ∧ o′ ∧ d′′ ∧ o′′ : d ← true, o ← true 3. ¬d ∧ (¬o′ ∧ d′ ∨ ¬o′′ ∧ d′′ ) : d ← true, o ← false

⊥ (a) o ← o′ ∧ o′′ 1 ?

2



3

1. ¬d ∧ (¬d′ ∨ ¬d′′ ) ∧ (¬o′ ∧ d′ ∨ ¬o′′ ∧ d′′ ) 2. ¬d ∧ d′ ∧ ¬o′ ∧ d′′ ∧ ¬o′′ : d ← true, o ← false 3. ¬d ∧ (o′ ∧ d′ ∨ o′′ ∧ d′′ ) : d ← true, o ← true

⊤ (b) o ← o′ ∨ o′′ 1 ? 3

2



1. ¬d ∧ (¬d′ ∧ (¬o′′ ∧ d′′ ∨ ¬d′′ ) ∨ o′ ∧ d′ ∧ ¬d′′ ) 2. ¬d ∧ (¬o′ ∧ d′ ∨ o′′ ∧ d′′ ) : d ← true, o ← true 3. ¬d ∧ d′ ∧ o′ ∧ d′′ ∧ ¬o′′ : d ← true, o ← false

⊥ (c) o ← o′ ⇒ o′′

Figure 2: Automata for outer Boolean connectives. Initially d = false.

5.4

Inner Temporal Automata

Figure 3 describes the inner temporal automata. Inner automata act on a sliding window of states created by an enclosing temporal operator, hence their output is not necessarily monotonic. As the diagrammatic representations suggest, the output may pass between any decided and undecided states.

Xk (Fig. 3a) Command 1 works the same as for the outer X automaton, however command 2 is enabled whether the output is decided or not, to allow the automaton to work on a sliding window of input states. Command 3 switches the output from decided to undecided if the input ceases to be valid. Fk (Fig. 3b) Command 1 works the same as for the outer F command, however the value of the w variable is now interpreted as the width of the window of states that have been considered so far. Commands 2 and 3 are enabled whether the output is decided or not, to allow the automaton to continue working over a window of states. While the input is true, command 2 decides the output to be true assigns the value of w to t. This is the number of trues to output if there are no further true inputs. Whenever the input is false, t is decremented. If t reaches 0 and the window has maximum width (w = k), command 3 will decide the output to be false. If the width of the window is not yet maximum(w < k), command 4 sets the output to being undecided. Gk As in the case of the outer automaton, the inner automaton for Gk is derived from that of Fk by negating all instances of o′ , ¬o′ and exchanging o ← true with o ← false 1 2 ⊤

?

3

2 2

2

3

2

1. ¬d ∧ d′ ∧ w < k : w ← w + 1 2. d′ ∧ w = k : d ← true, o ← o′ 3. d ∧ ¬d′ : d ← false

2

⊥ (a) o ← Xk o′ 1 2 ⊤

? 3 3

4,6 6



3

2

2,5

1. 2. 3. 4. 5. 6.

¬d ∧ d′ ∧ ¬o′ ∧ w < k : w ← w + 1 d′ ∧ o′ : o ← true, d ← true, t ← w d′ ∧ ¬o′ ∧ t = 0 ∧ w = k : d ← true, o ← false d ∧ d′ ∧ ¬o′ ∧ t = 0 ∧ w < k : d ← false d ∧ d′ ∧ ¬o′ ∧ t > 0 : t ← t − 1 d ∧ ¬d′ : d ← false

(b) o ← Fk o′

Figure 3: Automata for inner temporal operators. Initially w = 0, t = 0, d = false.

6

Prospects and Challenges

We have made a general purpose implementation of importance splitting for SMC using lightweight observers, which may be efficiently distributed.

By exposing the syntax of observers, users are able to construct the finegrained score functions necessary for high performance importance splitting algorithms. The construction of score functions adds to the overall cost and is challenging to automate efficiently. We nevertheless anticipate that it may be possible to construct score functions using statistical learning techniques. The presented algorithms are already equipped with confidence intervals, however an ongoing challenge is to improve the confidence and to define a Chernoff bound [5,26,16] for importance splitting.

References 1. Andreas Bauer, Martin Leucker, and Christian Schallhart. Monitoring of real-time properties. In FSTTCS 2006: Foundations of Software Technology and Theoretical Computer Science, pages 260–272. Springer, 2006. 2. Benoˆıt Boyer, Kevin Corre, Axel Legay, and Sean Sedwards. PLASMA-lab: A flexible, distributable statistical model checking library. In Kaustubh Joshi, Markus Siegle, Mari¨elle Stoelinga, and Pedro R. D’Argenio, editors, Quantitative Evaluation of Systems, volume 8054 of LNCS, pages 160–164. Springer, 2013. 3. F. C´erou, P. Del Moral, T. Furon, and A. Guyader. Sequential Monte Carlo for rare event estimation. Statistics and Computing, 22:795–808, 2012. 4. Fr´ed´eric C´erou and Arnaud Guyader. Adaptive multilevel splitting for rare event analysis. Stochastic Analysis and Applications, 25:417–443, 2007. 5. Herman Chernoff. A measure of asymptotic efficiency for tests of a hypothesis based on the sum of observations. Ann. Math. Statist., 23(4):493–507, 1952. 6. E. M. Clarke, E. A. Emerson, and J. Sifakis. Model checking: algorithmic verification and debugging. Commun. ACM, 52(11):74–84, November 2009. 7. Pierre Del Moral. Feynman-Kac Formulae: Genealogical and Interacting Particle Systems with Applications. Probability and Its Applications. Springer, 2004. 8. Edsger W. Dijkstra. Guarded commands, nondeterminacy and formal derivation of programs. Commun. ACM, 18(8):453–457, August 1975. 9. Cindy Eisner, Dana Fisman, John Havlicek, Yoad Lustig, Anthony McIsaac, and David Van Campenhout. Reasoning with temporal logic on truncated paths. In Computer Aided Verification, pages 27–39. Springer, 2003. 10. Bernd Finkbeiner and Henny Sipma. Checking finite traces using alternating automata. Formal Methods in System Design, 24(2):101–127, 2004. 11. M. C. W. Geilen. On the construction of monitors for temporal logic properties. Electronic Notes in Theoretical Computer Science, 55(2):181–199, 2001. 12. Rob Gerth, Doron Peled, Moshe Y. Vardi Vardi, and Pierre Wolper. Simple onthe-fly automatic verification of linear temporal logic. In In Protocol Specification Testing and Verification, pages 3–18. Chapman & Hall, 1995. 13. D. Giannakopoulou and K. Havelund. Automata-based verification of temporal properties on running programs. In Proceedings of 16th Annual International Conference on Automated Software Engineering (ASE 2001), pages 412–416. IEEE, Nov 2001. 14. J. M. Hammersley and D. C. Handscomb. Monte Carlo Methods. Methuen & Co., 1964. 15. Klaus Havelund and Grigore Ro¸su. Synthesizing monitors for safety properties. In Joost-Pieter Katoen and Perdita Stevens, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 2280 of Lecture Notes in Computer Science, pages 342–356. Springer, 2002.

16. Wassily Hoeffding. Probability inequalities for sums of bounded random variables. Journal of the American Statistical Association, 58(301):13–30, March 1963. 17. Cyrille Jegourel, Axel Legay, and Sean Sedwards. Cross-entropy optimisation of importance sampling parameters for statistical model checking. In P. Madhusudan and Sanjit A. Seshia, editors, Computer Aided Verification, volume 7358 of LNCS, pages 327–342. Springer, 2012. 18. Cyrille Jegourel, Axel Legay, and Sean Sedwards. A platform for high performance statistical model checking – PLASMA. In Cormac Flanagan and Barbara K¨ onig, editors, Tools and Algorithms for the Construction and Analysis of Systems, volume 7214 of LNCS, pages 498–503. Springer, 2012. 19. Cyrille Jegourel, Axel Legay, and Sean Sedwards. Importance splitting for statistical model checking rare properties. In Computer Aided Verification, volume 8044 of LNCS, pages 576–591. Springer, 2013. 20. Cyrille Jegourel, Axel Legay, and Sean Sedwards. An effective heuristic for adaptive importance splitting in statistical model checking. In Tiziana Margaria and Bernhard Steffen, editors, Leveraging Applications of Formal Methods, Verification and Validation. Specialized Techniques and Applications, volume 8803 of LNCS, pages 143–159. Springer, 2014. 21. Herman Kahn. Random sampling (Monte Carlo) techniques in neutron attenuation problems. Nucleonics, 6(5):27, 1950. 22. Herman Kahn and T. E. Harris. Estimation of particle transmission by random sampling. In Applied Mathematics, volume 5 of series 12. National Bureau of Standards, 1951. 23. Herman Kahn and A. W. Marshall. Methods of reducing sample size in Monte Carlo computations. Operations Research, 1(5):263–278, November 1953. 24. N. Metropolis and S. Ulam. The Monte Carlo method. Journal of the American Statistical Association, 44(247):335–341, September 1949. 25. H. Niederreiter. Random Number Generation and Quasi-Monte Carlo Methods. Society for Industrial and Applied Mathematics, 1992. 26. Masashi Okamoto. Some inequalities relating to the partial sum of binomial probabilities. Annals of the Institute of Statistical Mathematics, 10:29–35, 1959. 27. Amir Pnueli. The temporal logic of programs. In 18th Annual Symposium on Foundations of Computer Science, pages 46–57, Oct 1977. 28. Gerardo Rubino and Bruno Tufin (eds.). Rare Event Simulation using Monte Carlo Methods. John Wiley & Sons, Ltd, 2009. 29. Manuel Vill´en-Altamirano and Jos´e Vill´en-Altamirano. RESTART: A method for accelerating rare event simulations. In J. W. Cohen and C. D. Pack, editors, Queueing, Performance and Control in ATM, pages 71–76. Elsevier, 1991. 30. H˚ akanL. S. Younes, Marta Kwiatkowska, Gethin Norman, and David Parker. Numerical vs. statistical probabilistic model checking. International Journal on Software Tools for Technology Transfer, 8(3):216–228, 2006.