Symbolic Verification of Probabilistic Recursive Programs using MTBDDs

Rohit Chadha (1), Umang Mathur (2), Stefan Schwoon (3)
(1) University of Missouri, USA; (2) IIT Bombay, India; (3) LSV, ENS Cachan, France

Overview

We consider the problem of verifying safety properties of randomized recursive programs, where a safety property is expressed as the unreachability of a set of program locations. Symbolic algorithms have been proposed and implemented for recursive (but not randomized) programs [2] and for randomized (but not recursive) programs respectively (Moped and PRISM in Figure 1). We propose a technique to symbolically verify randomized recursive programs and implement it, using MTBDDs, in the tool ProPed.

[Figure 1: Comparison with existing state-of-the-art tools: Moped, PRISM, PReMo and ProPed. The diagram itself is not recoverable from the extracted text.]

Probabilistic Verification

In the context of probabilistic programs, the goal of verification is to answer questions such as:
• Qualitative properties: does a program property hold with probability 1?
• Quantitative properties: with what probability does a given property hold?
  – reachability of control states
  – simple PCTL properties such as ♦(l1 ∨ l2 ∨ ··· ∨ lk), where the li are labels in the program

Modelling a Probabilistic Recursive Program

Probabilistic Pushdown System. A probabilistic pushdown system (PPDS) is a tuple P = (P, Γ, δ, Prob), where P is a finite set of control locations (states), Γ is a finite stack alphabet, δ ⊆ (P × Γ) × (P × Γ*) is a finite set of rules, and Prob : δ → (0, 1] is such that for every pair pX

  $\sum_{pX \hookrightarrow q\alpha \in \delta} \mathrm{Prob}(pX \hookrightarrow q\alpha) = 1.$

Semantics: a (possibly infinite) Markov chain whose states are the configurations pα (control state p, stack content α ∈ Γ*). Writing $pX \overset{x}{\hookrightarrow} q\alpha$ when $pX \hookrightarrow q\alpha \in \delta$ and $\mathrm{Prob}(pX \hookrightarrow q\alpha) = x$, the transition probabilities are given by

  $pX\beta \xrightarrow{x} q\alpha\beta \quad \text{for every } \beta \in \Gamma^* \quad \text{whenever } pX \overset{x}{\hookrightarrow} q\alpha.$

From Programs to Probabilistic Pushdown Systems. A recursive program can be viewed as a pushdown system whose stack models the call stack of the program [2]. The following correspondence between a probabilistic recursive program and a PPDS holds:
• state p ⇔ valuation of the global variables
• Γ ⇔ (program counter, valuation of the local variables)
• a configuration pAw is interpreted as: the globals in p, the currently executing procedure with its local variables in A, and the suspended procedures in w
• rule pX ↪ qYZ ⇔ a procedure call (Y is the entry of the callee, Z the return point of the caller)
• rule pX ↪ qY ⇔ a sequential statement within a procedure
• rule pX ↪ qε ⇔ a return from a procedure

Recursive Probabilistic Programs. We consider C-like sequential programs with integer and boolean variables, arrays, complex structures and enumerated types, supporting functions and procedures with call-by-value semantics. Randomized programs are expressed with what we call a pchoice statement, which executes one of several branches with the given probabilities (e.g. wp 0.2 -> call p; wp 0.8 -> skip;).

Figure 2: a probabilistic recursive program (above) and the corresponding state transition diagram (bottom).

    procedure main:
    m0: call s;
    m1: return;

    procedure s:
    s0: if ? then return; end if;
    s1: call p;
    s2: return;

    procedure p:
    p0: if ? then
    p1:   call s;
    p2:   if ? then
            wp 0.2 -> call p;
            wp 0.8 -> skip;
          end if;
        else
    p3:   call p;
        end if;
    p4: return;

[State transition diagram: the Markov chain over configurations such as m0, s0m1, s1m1, p0s2m1, p1s2m1, s0p2s2m1, p2s2m1, p3s2m1, p4s2m1 and ε; the diagram itself is not recoverable from the extracted text.]

Quantitative Verification: Formulating a System of Non-linear Equations

Define the variable [pXq] as the probability of starting at the configuration pX and eventually reaching the configuration qε. The [pXq] are the least solution of the following system of equations [1]:

$$[pXq] \;=\; \sum_{pX \overset{x}{\hookrightarrow} q\varepsilon} x \;+\; \sum_{pX \overset{x}{\hookrightarrow} rY} x \cdot [rYq] \;+\; \sum_{pX \overset{x}{\hookrightarrow} rYZ} x \cdot \sum_{t \in P} [rYt] \cdot [tZq]$$

The three sums range over the return, step and call rules of pX; in the last sum, t is the control state in which the callee Y returns, after which Z continues from t.

Fix-Point Computation

The system has the form x = P(x), where P is a vector of polynomials with non-negative coefficients, and the sequence 0, P(0), P²(0), … converges to its least solution. Computing the least solution exactly is nevertheless expensive: the known decision procedures for these systems run in PSPACE [1], so ProPed approximates the solution numerically by fixed-point iteration.

Multi-Terminal Binary Decision Diagrams

A BDD (binary decision diagram) efficiently encodes a boolean formula. An MTBDD (also called an ADD) generalizes it: the terminal nodes carry arbitrary values instead of 0/1, so an MTBDD encodes a weighted logic formula, i.e. a function from variable valuations to weights.

[Figure 3: an MTBDD over the variables x, y, z with terminals 0, 0.5 and 1 (left) and its reduced form (right); the diagrams are not recoverable from the extracted text.]

A program statement can be viewed as a boolean formula (a relation) between the old and the new (updated) valuations of the finite-bit program variables, with a probability attached to each pair of valuations.

[Figure 4: the probabilistic program statement on a boolean variable x

    w.p. 0.5 ⇒ x = 0;
    w.p. 0.5 ⇒ x = ¬x;

and its translation to a reduced MTBDD over x and x′ with terminals 1, 0.5 and 0; the diagram is not recoverable from the extracted text.]

ProPed

• The variables [pXq] are (weighted) relations over the initial and final valuations of the variables, and so are the program statements.
• Both can be represented efficiently as MTBDDs.
• Fixed-point computation by the Gauss-Seidel iterative method.
• Both pre* and post* computations.
• Uses the CUDD library for MTBDD (ADD) manipulation.

Applications

• Verifying temporal logic properties of stochastic models such as biological systems.
• Computer security and information theory: computing the information leakage of security protocols.

References

[1] Kousha Etessami and Mihalis Yannakakis. Model checking of recursive probabilistic systems. ACM Trans. Comput. Logic, 13(2):12:1–12:40, April 2012.
[2] Stefan Schwoon. Model-Checking Pushdown Systems. Ph.D. thesis, Technische Universität München, June 2002.
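The equation system for [pXq] and its Gauss-Seidel solution, worked through on the program of Figure 2, as an added example (this is illustration code written for this page, not ProPed's own implementation, which works on MTBDDs rather than explicit variables). Two assumptions are this example's: the nondeterministic `if ?` of the listing is resolved by a fair coin so that the program is a Markov chain, and reachability of a label is reduced to termination by redirecting that label into a fresh absorbing control state HIT, so that [pX HIT] is the reachability probability. The rule probabilities for p2 fold the outer `?` and the inner `wp 0.2 / wp 0.8` choice into 0.1 and 0.9.

```python
from math import isclose

# A probabilistic pushdown system (PPDS) in the poster's notation.
# rules[(p, X)] is a list of (prob, q, alpha), one entry per rule pX -> q alpha;
# alpha is a tuple of 0, 1 or 2 stack symbols (return, step, call).

def check_ppds(rules):
    """Prob must sum to 1 for every left-hand side pX; rules push at most 2 symbols."""
    for (p, X), outs in rules.items():
        if not isclose(sum(pr for pr, _, _ in outs), 1.0):
            raise ValueError(f"probabilities for {p}{X} do not sum to 1")
        if any(len(alpha) > 2 for _, _, alpha in outs):
            raise ValueError(f"rule for {p}{X} pushes more than two symbols")

def solve_least(rules, states, symbols, tol=1e-12, max_iter=100_000):
    """Least solution of the [pXq] system by Gauss-Seidel iteration from the
    all-zero vector (the Kleene sequence 0, P(0), P^2(0), ... of the poster).
    Returns the solution dict and the number of sweeps."""
    v = {(p, X, q): 0.0 for p in states for X in symbols for q in states}
    for sweep in range(1, max_iter + 1):
        delta = 0.0
        for p in states:
            for X in symbols:
                for q in states:
                    val = 0.0
                    for pr, r, alpha in rules.get((p, X), []):
                        if len(alpha) == 0:                     # pX -> r eps: return
                            val += pr if r == q else 0.0
                        elif len(alpha) == 1:                   # pX -> rY: step
                            val += pr * v[(r, alpha[0], q)]
                        else:                                   # pX -> rYZ: call
                            Y, Z = alpha
                            val += pr * sum(v[(r, Y, t)] * v[(t, Z, q)] for t in states)
                    delta = max(delta, abs(val - v[(p, X, q)]))
                    v[(p, X, q)] = val      # Gauss-Seidel: the new value is used at once
        if delta < tol:
            return v, sweep
    raise RuntimeError("fixed-point iteration did not converge")

def reach_probability(rules, states, symbols, start, target):
    """Probability that a run from configuration start = (p, X) ever has the
    stack symbol 'target' on top.  Construction used here (this example's, not
    the poster's): every rule of 'target' is replaced by a pop into a fresh
    absorbing control state HIT, and HIT pops every symbol; [pX HIT] in the
    modified system is then exactly the probability of reaching 'target'."""
    HIT = "HIT"
    mod = {key: list(outs) for key, outs in rules.items()}
    for p in states:
        mod[(p, target)] = [(1.0, HIT, ())]
    for X in symbols:
        mod[(HIT, X)] = [(1.0, HIT, ())]
    v, _ = solve_least(mod, states + [HIT], symbols)
    p, X = start
    return v[(p, X, HIT)]

# The program of Figure 2 as a PPDS (constructed for this example).  It has no
# global variables, so one control state q suffices; each label is a stack
# symbol.  Assumption: the nondeterministic 'if ?' is resolved by a fair coin.
Q = "q"
FIG2_RULES = {
    (Q, "m0"): [(1.0, Q, ("s0", "m1"))],                    # call s, resume at m1
    (Q, "m1"): [(1.0, Q, ())],                              # return
    (Q, "s0"): [(0.5, Q, ()), (0.5, Q, ("s1",))],           # if ? then return
    (Q, "s1"): [(1.0, Q, ("p0", "s2"))],                    # call p, resume at s2
    (Q, "s2"): [(1.0, Q, ())],
    (Q, "p0"): [(0.5, Q, ("p1",)), (0.5, Q, ("p3",))],      # if ? then ... else ...
    (Q, "p1"): [(1.0, Q, ("s0", "p2"))],                    # call s, resume at p2
    # inner 'if ?': 0.5 * 0.2 = 0.1 for 'wp 0.2 -> call p', 0.5 + 0.5 * 0.8 = 0.9 otherwise
    (Q, "p2"): [(0.1, Q, ("p0", "p4")), (0.9, Q, ("p4",))],
    (Q, "p3"): [(1.0, Q, ("p0", "p4"))],                    # call p, resume at p4
    (Q, "p4"): [(1.0, Q, ())],
}
SYMBOLS = ["m0", "m1", "s0", "s1", "s2", "p0", "p1", "p2", "p3", "p4"]

def figure2_termination():
    """[q m0 q]: the probability that main terminates."""
    check_ppds(FIG2_RULES)
    v, _ = solve_least(FIG2_RULES, [Q], SYMBOLS)
    return v[(Q, "m0", Q)]

def figure2_reach_p3():
    """Probability that label p3 (the else branch of p) is ever reached from m0."""
    return reach_probability(FIG2_RULES, [Q], SYMBOLS, (Q, "m0"), "p3")

if __name__ == "__main__":
    print("P(terminate) =", figure2_termination())
    print("P(reach p3)  =", figure2_reach_p3())
```

Eliminating variables by hand shows why the least solution matters: with t = [q p0 q], the termination system reduces to t² − 10t + 9 = 0, whose roots are 1 and 9; iteration from 0 picks 1, the only root that is a probability. In the HIT-modified system the same variable satisfies t² − 30t + 9 = 0, giving t = 15 − 6√6 ≈ 0.303 and hence a reachability probability for p3 of about 0.348.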
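The MTBDD encoding of Figure 4's statement and the relational composition that ProPed's bullets rely on (statements and the [pXq] are weighted relations over old and new valuations), as an added example in plain Python rather than the CUDD library the tool uses. Everything here is illustration code written for this page: the tuple representation, the function names and the variable order x, y, z (before, after one statement, after two) are this example's choices, not ProPed's API.

```python
from math import inf
from operator import add, mul

# A minimal reduced, ordered multi-terminal BDD (MTBDD / ADD) built from
# hash-consed tuples (an added illustration; the poster's tool uses CUDD).
#   terminal node: ("T", weight)
#   internal node: ("N", var, low, high)   (low: var = 0, high: var = 1)
# Equal tuples compare equal, so identical sub-diagrams are shared for free;
# mk() applies the other reduction rule, dropping tests with identical branches.

def mk(var, low, high):
    return low if low == high else ("N", var, low, high)

def from_function(order, f):
    """Reduced ADD of f: {var: bit} -> weight, over the variables listed in 'order'."""
    def build(i, assign):
        if i == len(order):
            return ("T", float(f(assign)))
        v = order[i]
        return mk(v, build(i + 1, {**assign, v: 0}), build(i + 1, {**assign, v: 1}))
    return build(0, {})

def evaluate(node, assign):
    """Weight of one valuation: follow the path selected by the assignment."""
    while node[0] == "N":
        node = node[3] if assign[node[1]] else node[2]
    return node[1]

def node_count(node):
    seen = set()
    def walk(n):
        if n not in seen:
            seen.add(n)
            if n[0] == "N":
                walk(n[2])
                walk(n[3])
    walk(node)
    return len(seen)

def apply_op(op, a, b, rank, memo=None):
    """Pointwise op(a, b) for ADDs over one variable order (rank: var -> position)."""
    memo = {} if memo is None else memo
    if (a, b) in memo:
        return memo[(a, b)]
    if a[0] == "T" and b[0] == "T":
        res = ("T", op(a[1], b[1]))
    else:
        ra = rank[a[1]] if a[0] == "N" else inf
        rb = rank[b[1]] if b[0] == "N" else inf
        v = a[1] if ra <= rb else b[1]                  # split on the top-most variable
        a0, a1 = (a[2], a[3]) if ra <= rb else (a, a)
        b0, b1 = (b[2], b[3]) if rb <= ra else (b, b)
        res = mk(v, apply_op(op, a0, b0, rank, memo), apply_op(op, a1, b1, rank, memo))
    memo[(a, b)] = res
    return res

def restrict(node, var, val, memo=None):
    """Cofactor: fix variable var to the constant val."""
    memo = {} if memo is None else memo
    if node[0] == "T":
        return node
    if node not in memo:
        if node[1] == var:
            memo[node] = node[3] if val else node[2]
        else:
            memo[node] = mk(node[1], restrict(node[2], var, val, memo),
                            restrict(node[3], var, val, memo))
    return memo[node]

def sum_out(node, var, rank):
    """Sum over both values of var (existential abstraction for weights)."""
    return apply_op(add, restrict(node, var, 0), restrict(node, var, 1), rank)

def compose(r1, r2, mid, rank):
    """Sequential composition of weighted relations: R(x, z) = sum_y R1(x, y) * R2(y, z)."""
    return sum_out(apply_op(mul, r1, r2, rank), mid, rank)

def pchoice_weight(before, after):
    """Transition weight of Figure 4's statement on one boolean variable:
       w.p. 0.5 => x = 0;  w.p. 0.5 => x = not x."""
    return 0.5 * (after == 0) + 0.5 * (after == 1 - before)

ORDER = ["x", "y", "z"]   # x: initial value, y: after the first statement, z: after the second
RANK = {v: i for i, v in enumerate(ORDER)}

def statement_add(pre, post):
    """The statement as an MTBDD over the variable pair (pre, post)."""
    return from_function([pre, post], lambda a: pchoice_weight(a[pre], a[post]))

def two_statements():
    """Running the statement twice in sequence, with the intermediate value summed out."""
    return compose(statement_add("x", "y"), statement_add("y", "z"), "y", RANK)

if __name__ == "__main__":
    one = statement_add("x", "y")
    print("nodes in the reduced MTBDD:", node_count(one), "(the full decision tree has 7)")
    twice = two_statements()
    for x in (0, 1):
        print(f"x={x}:", [evaluate(twice, {"x": x, "z": z}) for z in (0, 1)])
```

The single statement has the transition matrix [[0.5, 0.5], [1, 0]] (rows: old x, columns: new x); its reduced MTBDD has 5 nodes because the x = 0 row is constant and collapses to one terminal. Composing the statement with itself is the symbolic counterpart of the products [rYt]·[tZq] in the equation system and yields [[0.75, 0.25], [0.5, 0.5]], each row still summing to 1.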