I would also like to thank the members of my jury for honouring me with their presence. In the same spirit, I would like to thank all the professors of the ENS with whom I had the pleasure of working: Ludo, Fanfoué, Kevin, Romain, Christophe.
Preamble
Thesis summary
Modular Specification and Compositional Analysis of Stochastic
Systems
- Introduction
- Context
- Contributions and outline of the thesis
- Interval Markov Chains
- Constraint Markov Chains
- (Probabilistic) Contracts
- Stochastic Abstraction and Model-Checking of a Large Heterogeneous System
- Introduction
Finally, we propose an algorithm that builds, from any CMC S, a deterministic CMC containing S. We propose a notion of composition of CMCs based on the principle of separation of concerns. An example is given in Figure 5. We propose symbolic and effective representations of contracts and systems.
Context
In practice, you should be able to decide whether there is at least one environment in which the two components can work together, that is, in which the composition makes sense. Given two components that satisfy two interfaces, the theory must ensure that the composition of the two components corresponds to the composition of their respective interfaces.
Contributions
We show that the satisfaction of availability properties can be checked with an extension of the work presented in [53]. We then characterized these interactions by introducing probability distributions into the component behaviors.
Interval Markov Chains
Introduction
Here we show that this procedure can be implemented in single exponential time, and after discussing the lower bound, we show that TR is EXPTIME-complete. In Section 2.3 we discuss deciding TR and the other refinement relations, and in Section 2.4 we study the consequences of determinism for these refinements.
Background
We close with a discussion of the results and a conclusion (Section 2.6). [Figure residue: b) Markov Chain transition matrix C.] We say that I1 strongly refines I2, written I1 ≤S I2, if there exists a strong refinement relation containing (qo, so).
Refinement Relations
- Weak and Strong Refinement
- Granularity
- Deciding Thorough Refinement
For TR, the number of iterations on the state space of the relation is exponential, while it is only quadratic for the weak refinement. Since there may be several such modes, the expression ∆^1_{j,r} may appear in the definition of multiple coefficients ∆^2_{j,l}.
Determinism
Similarly for MTSs, TR is known to coincide with modal refinement for deterministic objects. We prove that if an IMC I is not strongly deterministic, then it is not weakly deterministic either.
Common Implementation and Consistency
We start with the definition of coherence relations that witness a joint implementation between two IMCs. In the next chapter, we present a more general pruning algorithm that does not involve constructing a consistency relation.
Conclusion and Related Work
However, there are also problems that are usually solved using connections that the methodology presented in this chapter cannot solve. In the same way, the methodology presented in this chapter does not allow us to reason about parallel composition and therefore about incremental design.
Constraint Markov Chains
Introduction
In Section 3.2 we introduce the concept of CMCs and a satisfiability relation with respect to Markov chains. In Section 3.6 we introduce deterministic CMCs and show that, for this class of CMCs, strong and weak refinements coincide with the inclusion of implementation sets.
Constraint Markov Chains
We also compare the expressiveness of the operation of parallel composition and that of conjunction. Here, a valuation is allowed if it is contained in the specification's set of allowed valuations. The customer specifies that the probability of the high power state (state 2) is higher than 0.7.
Consistency, Refinement and Conjunction
- Consistency
- Refinement
- Conjunction
Since each coefficient of ∆ appears once and only once in the same row of ∆′, it is clear that ∆′ is a correspondence matrix. Since strong refinement implies weak refinement by construction, it also holds that strong refinement implies implementation inclusion. As an example, consider that all the constraints in S1 and S2 are polynomial of degree d with fewer than k bound variables; we will see that polynomial constraints form the smallest class under which CMCs are closed.
Compositional Reasoning
- Independent parallel composition
- Synchronization
- Comparison of conjunction and parallel composition
The following theorem shows that the weak refinement is a precongruence with respect to parallel composition. Synchronization is associative with respect to composition, meaning that the order of synchronization and composition is immaterial to the final functionality of the system. A direct consequence of the above theorem is that any model of the composition is a model of the conjunction, i.e. [[S1 ∥ S2]] ⊆ [[S1 ∧ S2]].
Disjunction and Universality
- On the Existence of a Disjunction of CMCs
- The Universality Problem for CMCs
As a solution to this problem, we propose the concept of an extended state, which involves creating a new initial state with a new special valuation x ∉ A and then redistributing the entire probability mass to the original initial state. The union of the extended-state versions of S1 and S2 can now be computed and compared to the extended-state version of UnivA. It is obvious that all implementations of the extended-state version of a given CMC C are extended-state versions of implementations of C.
Deterministic CMCs
Axiom (2) for the weak refinement relations: Given a distribution X on the outgoing transitions of v, we must find a correspondence matrix ∆ that satisfies axioms 2(a), 2(b) and 2(c) for the refinement relation. Since ∆ comes from a satisfaction relation, Axiom 2(c) for the refinement relation is not so immediate. If we assume that there exist I′ and p′ such that p′ ⊨ v′ and p′ ⊭ u′, we build an implementation I_b from I and I′ such that the state of I_b is syntactically equivalent to state p′.
Polynomial CMCs
As presented in Chapter 2, there is another natural way to solve the problem: consider a weaker version of determinism, which would be equivalent to the notion of determinism introduced in Chapter 2. have disjoint sets of valuations. Hence, working with this weaker but natural version of determinism does not close the gap between weak and thorough refinements.
On the relation with Probabilistic Automata
- Reduction from Simulation
- Encoding Probabilistic Simulation
Note that all the constraints in the encoding presented in Section 3.8 are non-deterministic distribution constraints or single-point constraints. Also, δ1 and δ2 are used to refer to the number of state-action combinations of Š and T respectively. From the construction of the encoding we know that any probability distribution x satisfying ϕ(i)(x) is a point distribution, and x such that x_{2k+i′} = 1 is possible.
Related Work and Concluding Remarks
First, it would be interesting to see whether the results presented in Chapter 2 extend to the continuous-time model of [89, 90]. For this purpose, it would be important to study the logical fragment that can be expressed using CMCs. In the spirit of [56], it would be interesting to extend our composition operation by considering products of dependent probability distributions.
Probabilistic contracts: a compositional reasoning methodology for the design of
Introduction
Conjunction produces a contract whose assumptions are the union of the originals and whose guarantees are the intersection of the originals. As an example, we will show that if a non-stochastic system S1 reliably fulfills a contract C1 and a non-stochastic system S2 reliably fulfills a contract C2, then the composition of the two systems reliably fulfills the composition of the two contracts. Finally, we also show that operations between and on contracts can be easily performed on the automaton-based representations.
Preliminaries
An infinite run ρ is accepting for w with the Büchi condition if inf(ρ) ∩ F ≠ ∅, where inf(ρ) is the set of states visited infinitely often by ρ. A symbolic transition system over V is a tuple Symb = (V, Qs, T, Qs0), where V is a set of variables defined over a finite domain D, Qs is a set of states (a state is a mapping from V to D), T ⊆ Qs × Qs is the transition relation, and Qs0 ⊆ Qs is the set of initial states. A symbolic transition system for a system (V, Ω) is a symbolic transition system over V whose set of runs is Ω.
Non-Probabilistic Contracts
- Contracts
- Compositional reasoning
- Compositional Verification
- Effective algorithms/representations
In Section 4.3.4, we will propose techniques to check the fulfillment of contracts that are represented with symbolic structures. In the remainder of the section, we propose definitions for composition, conjunction, and refinement. The double implication in the second point of the sentence is valid, since conjunction is not defined at the system level.
Probabilistic Contracts
- Probabilistic contracts
- Operations on probabilistic contracts and Compositional reasoning
- Effective algorithms/representations
Before we define the relations between systems and contracts, we must first define the probability measure on the set of runs of a system. Transitions from states marked by non-probabilistic variables form a probability distribution over the possible values of the probabilistic variables. In this context, the scheduler for the MDP is simply the interleaving of valuations of non-probabilistic and probabilistic variables.
Some Related Work
However, contrary to the theory we present in this chapter, KPMs and CMCs do not allow for a clear treatment of assumptions and guarantees. However, they do not take into account connectivity, availability (they limit themselves mainly to security features) and stochastic aspects. Although quantitative notions of satisfaction have been proposed for security properties, they do not take availability into account.
Achievements and Future Work
Interface automata do not capture the notion of a model because it is not possible to distinguish between interfaces and implementations. However, unlike contracts, interface automata do not allow explicit treatment of assumptions and guarantees, and there is no stochastic extension. First, they need to find the decomposition of the system into subsystems, and second, they do not support compositional planning operators (conjunction, refinement).
Statistical Abstraction and
Model-Checking of Large Heterogeneous Systems
Introduction
We propose to exploit the structure of the system to increase the efficiency of the verification process. Our second contribution is to study the accuracy of clock synchronization between various devices of the HCS. Thanks to this approach, we were able to derive precise limits that guarantee proper synchronization for all the devices of the system.
An Overview of Statistical Model Checking
- Qualitative Answer using Statistical Model Checking
- Quantitative Answer using Statistical Model Checking
- Playing with Statistical Model Checking Algorithms
We noticed that the obtained values strongly depend on the position of the device in the network. A test has ideal performance if the probability of a type I error (or type II error) is exactly α (or β). Bm are m discrete random variables with a Bernoulli distribution of parameters associated with simulations of the system.
Validation Method and the BIP Toolset
- Validation Method: Stochastic Abstraction
- An Overview of BIP
The efficiency of the above algorithms is characterized by the number of simulations needed to obtain an answer. In particular, BIP fulfills all the requirements of the method proposed above, that is, models constructed in BIP are operational and can be thoroughly simulated. It receives network packets through an input port and delivers them to the respective output ports based on the packets' destination address.
Case Study: Heterogeneous Communication System
- Server
- Network Access Controller (NAC)
- Device
- Complexity of the modeling
In addition, the server must handle the scheduling and routing of generated Ethernet packets over the communications backbone. Therefore, the scheduling policy in the classifier plays an important role in packet transmission delay. A priori, since these packets go from the server to the devices, they will not need to be scheduled - the scheduling is done by the server before the packets are sent.
Experiments on the HCS
- The Precision Time Protocol IEEE 1588
- Parametric Precision Estimation for PTP
- Model Simulations
Synchronization accuracy is adversely affected by jitter (i.e., drift) and by the asymmetry of the communication delay between master and slaves. The master records at t4 the time it received the request message and sends it to the slave in the response message. The first two axes correspond to the (incorrect) clocks of the master and the slave respectively.
Experiments on Precision Estimation for PTP
- Property 1: Synchronization
- Property 2: Average failure
- Clock Drift
[Figure residue; recoverable captions: a), c), e) Bounded probability of bounded precision (0,0). b) Probability of meeting the bounded accuracy as a function of the bound for the 3:2:2:1 configuration and 100 ms window. d) Probability of meeting the bounded accuracy as a function of the bound for the 5:2:2:1 configuration and 100 ms window. f) Probability of meeting the bounded accuracy as a function of the bound for the 8:2:2:1 configuration and 100 ms window.]
Another case study: the AFDX Network
When reasoning about one execution at a time, this problem is avoided. [Figure residue: a) Average ratio of failures as a function of the bound for configuration 3:2:2:1 and a window of 1.5 ms.] The problem is that our model of AFDX consists of many BIP components; this is necessary to obtain an accurate model of the network. We then apply statistical model checking to estimate a value of the bound for which the requirement is satisfied with probability 1.
Achievements and Future work
First, we ran many simulations to learn the probability distributions of the delays for PTP packets. We can adapt Bayesian statistical model checking [85] to improve the efficiency of ESTIMATE. Moreover, it would be of interest to extend statistical model checking to verify more complex properties, such as availability as presented in Chapter 4, or unbounded properties.
Conclusion
Our technique starts by running simulations of the system to learn the context where the application is used. According to EADS designers, the language of BIP is expressive enough to "mimic" the concrete implementation of the HCS. However, the experiment could not be carried out without the help of EADS designers who validated our mathematical model of the system.
Bibliography
12th International Conference on Concurrency Theory (CONCUR), Aalborg, Denmark, volume 2154 of Lecture Notes in Computer Science, pages 351-365. 5th International Conference on Concurrency Theory (CONCUR), Uppsala, Sweden, volume 836 of Lecture Notes in Computer Science, pages 481-496. 17th International Conference on Computer-Aided Verification (CAV), Edinburgh, Scotland, volume 3576 of Lecture Notes in Computer Science, pages 266–.
Abstracts