1. No category

CACM-PerfVerif.PDF

neview anticles
D OI : 1 0 . 11 4 5 / 18 1 0 8 9 1 . 18 1 0 9 1 2
A call for the perfect marriage between
classical performanceevaluationand
i state-of-the-art verification techniques.
BY CHRISTELBAIER,BOUDEWIJNR. HAVERKORT,
HOLGERHERMANNS,AND JOOST.PIETER
KATOEN
servers differ in computational capabilities?And what to do when multiole
hosts have the same queue length?
Well, the'Join-the-shortest queue"
policy might be adequatein most cases, but surely not in all. Its adequacy
also depends on what quantity-or
measure-one is interested in. This
may be the mean delay of service requests,the mean queuelength of waiting requests,rejection ratesfor waiting
requests,and so on.
The effect of queue-selectionpolicieson measuresof interestor on decisions on how many serversare needed
to reduce the waiting time by a given
percentage, are answered by performance evaluation techniques. This
branch of computer (system)science
studies the perceived performance of
systemsbased on an architectural system descriptionand a workload model. Prominenttechniquesto obtain the
aforementionedmeasuresof interest
are mathematical analysisthat is typically focusedon obtaining closed-form
expressions,numerical evaluationthat
heavily relies on methods from linear
algebra, and (discrete-event) simulation techniques that are based on
statisticalmethods,The study and descriptionof stochasticprocesses,
most
notably Markov chains, is pivotal for
thesetechniques.
A complementary issue to performance is correctness. The central
question is whether a system is conforming to the requirements and does
not contain any flaws. Typically updatesto our news Web site are queued,
and it is relevantto knowwhethersuch
Pertormance
Evaluation
and Model
Checking
Join Forces
coNslrlrin A $.{AJI}R
llcws Web site like }JlXl rlr t:X N "
Typical}.1,,
sueha sire is equippeelwirh * nunrber c;i
maehinesseruing*s front-*nelst* reeeiveil"le*li:inq
reeluests{*get}rerra,ithsory}eapplicxtion se}v*r$
suehas datial:ase
cnginesfo itanell*theser*qut:bts.
Wl"lena new requestarrives, to whieh servfr rltcs t lrt,
dispateherhavet* reiuteit? x"othc machille wirh tlre
sllelrtestqueue;that is, the queuewittrrtl-len'rinirnrrl
numl:encf *utstandingrequests?'Ihisnrighrbt' rlre
bestdecisi*nmost times,{:ut not in easeswht-:rcsot}te
*f the requestsin fhe shortestqueuc h*ppe r-rto rerprir.c
a verylcng*servicetime, for exarnple,becalrscllrcr
illvqrlvevery detailcd clueries.Anenwhat ir.rclt:lu,,lre,n
r Irc
76
c o l , t u u t l c a r t o N s o F T H EA c M
sEpTEN4BE
2 0R1 0
voL.s3
No g
tr
I
Performanceengineersand verification
engineersare currentlyfacing
very similar modelingand analysis
challenges.
I A joint considerationis possible,
practical,beneficial,and is supported
by effective tools.
I Quantitativemodelcheckersare
appticableto a broadspectrumof
appticationsrangingfrom sensor
networks to security and systems
biology.
*$;*'tl*l* .te:,
$::-
.*::$:*
":i;:::c;i1.""
-'-.-,*,;$
:$s-
.::**
*11**
":$:#;:;'
,:$1:;
-q:;:"-{h:-
6.'+]t*.""
nd*.1.$*
^r?\
- 0\"
.u*nooe
s'::l--
*$11."u
o!)P
-*i.i:-,-*
"'::::l'l::*
*oi'
+S"o1f,.o
ref'
cbu*o09'
{lt$
n^."'^$$1',*.
as9"
s*$:-
_::$g '",ri*$
-::st.
.'r:i$l$
**';i..$*."
*$o
Timetine log-scaled from 2010 backward.
buffers may overflow,giving rise to losing-perhaps headline-news items.
Can such situations ever occur? Is
there a possiblescenarioin which the
dispatcherand application serverare
mutually waiting for each other, thus
effectivelyhalting the system?If such
situations make the CNN news site
unreachable on a presidential Election Day, this has far-reaching consequences. And what if the content of
Web pages unexpectedly depend on
the ordering of seemingly unrelated
eventsin the applicationservers?Such
"race conditions" should, if possible,
be avoided.
A prominent discipline in computer
scienceto assurethe absenceof errors,
or, complementarily, to find errors
("bug hunting") is formal verification.
The spectrum ofkey techniquesin this
field ranges from runtime verification,
such as checking properties while executing the system,to deductive techniques such as theorem proving, to
model checking. The latter is a highly
automated modefbased technique assessingwhethera systemmodel, that is,
the possiblesystembehavior,satisflesa
propertydescribingthe desirablebehavior. Typically,properties are expressed
in temporal extensionsof propositional
Iogic, and systembehavior is captured
by Kripke structures,that is, flnite-state
automatawith labeledstates.Traditionally, such models do not incorporate
quantitative information like timing or
likelihoods of eventoccurrences.
The purposeof this article is to report
on combining performance evaluation
with model checking. Although these
fields havebeen developedby different
researchcommunities in the past, over
the last decadewe haveseenan integra-
tion of thesetwo techniquesfor system
analysis.Significantmerits of this trend
are a major increaseof the applicabilig,
to real cases,and an impulse in the further developmentfor both fields.
A Historic Account
To appreciatethe benefitsof combining performance evaluationand model
checking, it is worthwhile to reflect
on past and recent developments.We
aim to shed light on the hidden assumptions associatedwith these developments.For more details on performance evaluationwe refer to eolch
et al.t0and;ain,22for detailson model
checkingwereferto Baierand Katoenr
and Clarkeet aI.11
Single queues. Performance evaluation dates back to the early 1900s,
when Erlang developedmodels to dimension the number of requiredlines
S E P T E M B2EOR] O V O L . 5 3 N O . 9
rx: ncu 77
re\/iew articles
in analoguetelephoneswitches,based
on the calculationof call lossprobabilities.In fact,he useda queueingmodel,
in which a potentially inflnite supply of
customers(callers)competesfor a limited setof resources(the lines).The set
of models and the theory that evolved
from there is known as queueing theory. It has found, through the last century, wide applicability especially in
telecommunications. Characteristic
for most models is the competition for
a single scarceresourceat a time, leading to models with a single queue.
A large variety of modeling assumptions were made, for example, regarding the number of available servers
(lines), buffering facilities, scheduljob discrimination,and
ing strategies,
the timing involved. The timings were
assumedto follow some continuoustime distribution, most often a negative exponential distribution, leading
to (what we now call) Markovian models. These models were subsequently
analyzed, using calculus, to obtain
such quantities as mean number of
customersqueued,mean delay,sometimes even the delay distribution, or
the call blocking probabiliq' ("hearing
a busy signal"). Many of these measures are available in closed form; at
other times, numerical recipes were
proposed,for example,to derive such
measuresfrom explicit expressionsin
the Laplacedomain. Important to note
is that model construction,as well as
solution, was (and still is) seen as a
craft, only approachableby experts.
Networksof queues.lnthe late 1960s,
computer networks, networked computer systems,and time-sharing computer systems came into play. These
systemshavethe distinguishing feature
that they servea finite customer population; however,theycomprisemultiple
resources.This led to developmentsin
the areaofqueueingnetworks,
inwhich
customers travel through a network of
queues, are served at each queue according to some schedulingdiscipline,
and are routed to their next point of
service,and so on, until returning to
the party that originated the request.
Efficient algorithms to evaluate networks of queuesto obtain a set of "standard measures" such as mean delays,
throughputs, and mean queue lengths,
were developedin the 1970s.a0,s1
A varie$' of software tools emerged support78
C O I . , I U U I . I I C I T I O N SO F T H E A C M
ing these algorithms that typicallyhave
a polynomial complexityin the number
of queuesand customers.
StochasticPetri nets. In early 1980s,
new computer architectures asked
for more expressivemodeling formalisms. In particular, parallel computers motivated modeling notions to
spawn customers and to recombine
smaller tasks into larger ones (fork/
join queues).Moreover,the simultaneous use of multiple resourcesneeded
to be studied. Clearly,these concepts
could not be expressedusing queueing networks. This led to the proposal
to extend Petri nets-originally developed to model concurrency-with a
notion of time, Ieadingto (generalized)
stochasticPetri nets (SPNs).'zHere,
the
tokens can either play the role of customers or of resources.T\.r,zo
observations are important. First, due to the
increase in expressivity,specialized
algorithms, such as those availablefor
queueing networks, are qpically no
longer used. Instead,the SpN models
must be mapped to an underlying stochastic process,a Markov chgin that is
solvedby numericalmeans.Hence,the
statespaceof the model must be generatedexplicitly,and the resultingMarkov chain has to be solvednumerically
(linearequationsolvers).
The computational complexity of
these state-basedmethods is polynomial in the number of states,but this
often is, in turn, (often) a high-degree
polynom in the SPNsize.Secondly,as
a result of the new solution trajectory,
tool support became a central issue.
Results achieved in this area also inspired new numerical algorithms for
extended queueing network models.
With hindsight, SpNs can be considered as the first "product" of the marriage betweenthe field of performance
evaluationand the field of formal modeling. In the 1990s,this trend continued and led to probabilisticvariantsof
ggarded command languages and of
processalgebras,the latterfocusingon
compositionality.
Nondeterminism. All of the models mentioned here are full stochastic models; that is, at no point in the
model can some behavioral alternativesbe left unspecified.For instance,
the join-the-shortest-queuestrategy
leavesit open as to how to handle the
case of severalequally short queues.
S E P I E N , l B E R2 O 1 O
VOL 53
NO 9
This choice cannot be left open with
the methods noted earlier; leaving
such a choice is regarded as underspecification.What typically happens
is that thesecasesare dealt with probabilistically, for example, by assigning probabilities to the alternatives.
That is, nondeterminism is seen as a
problem that must be removedbefore
analysiscan take place.This is important especiallyfor modeling formalisms as SPNs; tools supporting the
evaluationof these models will either
detect and report such nondeterminism through a "well-specifiedcheck"
or will simply insert probabilities to
resolveit. In this case,analysisis carried out under a hidden assumption,
and there is no guarantee that an actual implementation will exhibit the
assumed behavior, nor that the performance derivedon the basis of this
assumptionis achieved.
Trends.The last 20 yearshave seena
varie$iof developmentsin performance
evaluation, mostly related to specific
application fields, such as the works on
effective bandwidth,'2 network calculus,n6self-similar traffic models,aTand
traffic (and mobility) models" (for communication network dimensioning
purposes).A more general concept has
been the development of fluid models
to avoid the statespaceexplosionproblem (for example, Horton et al.as)by
addressing a large denumerable state
spaceas a single continuous statevariable. Furthermore, queueing network
models have been extendedwith layering principles to allow for the modeling
of softwarephenomena.s2
Finally,work
on matrix geometric methodsashas led
to efficient analysismethods for large
classesof queueingmodels.
Model Checking
Proof rules.The fundamental question
"when and why does softwarenotwork
as expected?"has been the subject of
intensive researchsince the early days
of computer science. Software quality is typically based on peer review,
such as manual code inspection, extensivesimulation, and testing.These
rather ad hoc validation techniques
have severe limitations and restrictions. Researchin the field of formal
verificationhas led to complementary
methods aimed at establishing software correctnesswith a very high level
r e v i e wa n t i r l e s
of confidence.The origins of a sound
mathematical approach toward program correctness-at a time where
programs were described as flow diagrams-can be traced back to Turing
in the late 1940s. Early attempts to
assess the correctness of computer
programs were based on mathematical proof rules that allow to reason in
a purely syntax-basedmanner. In the
1960s, these techniques were developed for sequential programs, whereas about a decadelater, this approach
was generalized toward concurrent
programs, in particular shared-variable programs.
Temporal logic. These syntax-based
approachesare basedon an interpretation of programs as input/output transformers and serveto prove partial correctness(such as soundnessofoutput
values for given inputs, provided the
program terminates) and termination.
Thanks to a key insight in the late 1970s
by Pnueli, one recognizedthe need for
concurrent programs to not only make
assertionsabout the starting and final
state of a program, but also about the
states during the computation. This
led to the introduction of temporal logic in the field of forrnal verification.so
Proofs, however, were still conducted
mainly by hand along the syntax of
programs. Proofs for programs of realistic size, though, were rather lengthy
and required a good dose of human
ingenuity. In the field of communication protocols,the first techniquesappeared toward automated checking of
elementaryproperties.;l
In the early 1980s,
Model checkireg.
an alternativeto using proof ruleswas
proposed that checks systematically
whether a (finite) model of a program
satisfiesa given properW.tttThe pioneers Clarke, Emerson, and Sifakis,
receivedthe ACM Turing Award 2007
for this breakthrough; it was the first
step toward the fully automated verification of concurrentprograms.How
does model checking work? Given a
model of the system(the possiblebehavior)and a specificationofthe property to be considered (the desirable
behavior),model checking is a technique that systematicallychecks the
validity of the property in the model.
Models are typicallynondeterministic
finite-state automata, consisting of a
finite set of statesand a set of transi-
Thestrengthof
modelchecking
is notin providing
a rrgorous
coffectnessproof,
but ratherthe
abitityto generate
diagnosticfeedback
in the form of
GOUnterexamples
in casea property
is refuted.
s i r - E f . 4 B E2R0 1 0
tions that describe how the system
evolves from one state into another.
Theseautomataare usuallycomposed
of concurrent entities and are often
generated from a high-level description language such as Petri nets, processalgebras,Promela,or Statecharts.
Properties are specifled in temporal
logic such as Computation Tree Logic
(CTL), an extension of propositional
logic that allows one to expressproperties that refer to the relative order of
events.Statementscan either be made
about states or about paths, such as
sequencesof statesthat model system
evolution.
The backbone of the CTL model
checking procedure is a recursive descent over the parsetree of the formula
under consideration where temporal
conditions (for example,a reachability for an invariance condition) are
checked using fixed point computations. The class of path properties
expressiblein CTL is restricted to Iocal conditions on the current states
constrained
and its direct successors,
reachability conditions-is a goal state
reachableby not visiting certain states
before?-and their duals.
More complexpath propertiessuch
as repeated reachability or progress
properties, which, for example, can
state that whenever a request enters
the newsWeb site, it is servedeventually, can be specifiedin LinearTemporal
Logic (LTL). The rough idea of model
checkingLTL specificationsis to transform the formula at hand into an automaton (recognizinginfinite words)
and then to analyzethe product of this
automaton with the system model by
means of graph algorithms.
The strength of model checking is
not in providinga rigorouscorrectness
proof, but rather the ability to generate diagnostic feedback in the form of
(suchas error traces)
counterexamples
in casea property is refuted. This information is highly relevant to find flaws
in the model and in the real system.
'the
Taming state space explosion.
time and space complexity of these
algorithms is linear in the size of the
finite-state automaton describing the
system.The main problem is this size
may grow exponentiallyin the number
of program and control variables,and
in the number of componentsin a multithreaded or distributed system.
V O L . 5 3 N 0 .I
C O M M U N I C A T I OONFST H EA C M 7 9
^-,,i-,",
I EV IEVV
-^f.i-t-OI LILIE-
Since the birth of model checking, mitting improvements of underlying
effective methods have been devel- algorithms and data structures and
oped to combat this state explosion hardware technology improvements,
problem. Prominent examplesof such model checking techniquesthat only
techniques are: symbolic data struc- worked for simple examples a decade
partial-orderreduction,ae
tures,3e
cast- ago, are now applicable to more realing model checkingas SAl-problems,38 istic designs. State-of-the-art model
or abstraction techniques.ll Due to checkers can handle state spaces of
these techniques, together with unre- about 10e states using off-the-shelf
tong-run
[,..0(up)
instantaneous
conditionalinstantaneous
lpno(gtrttrp;
p"o(et{tttup)
intervaI
P<o(!trt'1up)
[ong-runintervaI
L..r(1F"0(ntt'flup))
conditionaIinterva[long-run
plp(Orltr,r]
Lno(up))
Let X be a generaIstochasticprocess,i.e,an indexedfamity[X(t) | t e T'] of
randomvariablestakingvaluesin the set S. The indexset lf denotesth,e.time
domainof X andis eitherdiscrete(T'=N) or continuous
(T'=R).Wesuppose
that aLtstateshavepositiveprobabitity
underthe initiaL
p;n,1,
distribution
i.e,,
ti"i,(s)= Pro(X{0)= s) > 0 for atl statess. ForeventE, tet Prx,,(E)denotethe
probabiLity
for E underthe condition
that s is the start state.Eachstateis
Labeted
by a set of atomicpropositions
that can be viewedas state predicates.
LogicolformuLos(denotedby capitatgreekletters@,V) are givenby the
grammar:
iD::=o I OAV, | -O I p"p(O&/rU/)
| [,<p(O)
Here,o is an atomicproposition,
p € [0, 1], ! € [<, >, >, <] andII is a ctosed
intervalof T'.The semanticsof this togicis definedinductivetyas fottows:
s F s iff states is tabeiedwith atomicnronosition
o
sFOA{, iff sF@andsFV
sF-O iff sF@
) q ' A V t /€ T ( r / < t + X ( r ) F O ) J < p
s F I F n o (U@n V ) f f i P r x , [ ] t € [ ( X ( t F
s F n-<p(o)iff t_RA(s,
Sorx(o))<f
= [s e S I s F@JandforB c S, LRA(s,B)
whereSota(iD;
denotesthe"tongrun
average"of beingin a stateof B for runs startingin states. Formatty,LRA(s,8)is
the expectedvatueof the randomvariable
,.
r ft-,.
tim I J. ta(X(e))
d0
with respectto the probabititymeasurePra,..Here,ls denotesthe characteristic
functionof 8, i.e.,la(s/)= 1 if s e I and0 otherwise.
Derivedoperators.Let L1rdenoteL/. Usualpropositional.
operatorssuchas ff,
tt, V arederivable.
Theeventuatly
operator0rwith time boundsgivenby a
time interval]l is obtainedby QrO= ttUl Q.To specifythat condition
Q hotds
continuousty
in the time intervalI, the time-constrained
alwaysoperatornrcan
be definedby usingthe duatityof "eventualty"and "atways".For instance,F-,
(trn@)
is a shorthandnotationfor P.1,,(Qn-q).
80
c o u u u l . t t c l r t o N s o F T H EA c M
sEpTEN4BE
2 0R1 0
voL.53
No 9
technology. Using clever algorithms
and tailored data structures, much
larger state spaces(up to 101'z0
statesll)
can be handled for specificproblems
and reachabilityproperties.
Quantitatiueaspects.From the early
1990son, variousextensionsof model
checking have been developedto treat
aspectssuch as time and probabilities.
Automata have been equipped with
clock variablesto measurethe elapse
of time (resultingin timed automata),
and it has been shown that despite
the infinite underlying state space of
such automata, model checking of a
timed extensionof CTL is still decidable.rTLTL has been interpreted over
(discrete)probabilistic extensionsof
automata, focusing on the probability
that an LTL formula holds, and probabilistic variants of CTL have been developed,as we will elaboratein more
d e t a i l l a t e r o n . F o r a n o v e r v i e w s, e e
Baierand Katoen.T
The combinationof
timing aspectsand probabilitiesstarted about two decadesago and is highly
relevantfor this article.
Various software tools have been
developedthat support model checking. Somewell-known model checking
tools are:SPIN for LTL,NuSMVfor CTL
(and LTL), Uppaal for timed CTL, and
PRISMfor probabilisticCTL.
Let's Join Forces
Developments in performance evaluation lean toward more complex measures of interest, and focus on more
complex system behavior, However,
quantitative aspects such as timing
and random phenomenaarebecoming
more important in the field of model
checking. Performanceevaluationand
model checking have thus grown in
eachother's direction,simply because
from either end, it was felt that the
methods in isolation did not answer
the questions that were at stake. Let
us discussthe reasonsfor this, and the
benefits of combiningthesemethods.
lndividuat Shortcomings
Why is a performance(or a dependabif
ity) evaluationof a system in itself not
good enough?And why is a formal veriflcation of a systeminsufficient to validateits usefulness?Thesequestionsare
best answered by taking a simple system design example,for instancea reliable data transmissionprotocol such as
^ ^g, v, ;t -c,v" v,
I
TCP.Sucha protocol relieson a number
of ingredients that, when suitably combined, result in the desired behavior:
reliable,end-to-endin-order deliveryof
packetsbetweencommunicatingpeers.
These ingredients comprise timers, sequencenumbers, retransmissions,and
error-detectingcodes.
A typical performance model will
take into account the TCP timing and
retransmission aspects,whereas the
error correctionwill mostly be included as a random phenomenon.
For the sakeof simplicity,sequence
numbers are neglected,which results
in a model that can be analyzedusing
either a closed-formformula or some
numerical technique that, under the
assumption the model is functiona l l y c o r r e c t ,g i v e sa c e r t a i nm e a n p e r formance, measured as throughput
or mean packet delay. However, the
obtained quantities do not say anything about the question of whether
the packets do arrive correctly at all,
hence, whether the protocol is correct.Conversely,a classicalfunctional
model of the sketched protocol here
will most likely result in a correctness
statementof the form "all packetswill
eventually arrive correctly." But this
givesno information about perceived
delays and throughputs. Needlessto
say, one cannot simply "add up" the
results of both analyses,as they result from two different-and possibly
quite unrelated-models.
The key challengelies in developing
an integrated model. Preferably, the
user, such as the system architect or
design engineer,just provides a single
model (as engineering artifact) that
forms the basis for both typesof analysis.To improve the efficiency,additional property-dependentabstractiontechniques can be applied to abstractaway
from all details of the model that are irrelevantfor the property to be checked.
For example,checkingwhethera purely
functional property holds for a Markov
model requires an analysis of the underlying graph structure, and one can
ignore all stochasticinformation.
Benefits
Modeling and measure specification.
An important advantageof using temporal logics (or automata) to specify
properties of interest-in fact guarantees on measuresof interest-is the
possibility to describe properties at
the same abstractionlevelas the modeling of the stochasticprocess.Up to
now, it has been tradition to specifl'
measuresof interest such as "what is
the probability to fail within deadline
d?" at statelevel,that is, in terms of the
statesand their elementaryproperties
(logically speaking, atomic propositions). Sometimes reward structures
have been added at state level to quantiff the use ofresourcessuch as queue
occupanciesand the like. This stands
in sharp contrastwith the description
of the models themselves,which is
mostly done using high-level modeli n g f o r m a l i s m ss u c h a s q u e u e i n gn e t works, SPNs,stochasticautomatanetworks, or stochasticprocessalgebra.
Temporal logics close this paradigm
gap between high-level and statebasedmodeling as they allow to speci$zproperties in terms of the high-level
models, for example,in terms of the
token distribution among places in a
-^+.i^t^^
cl,tLlLtu:
Petrinet. By the use of temporallogics,
modeling and measure specification
become treated at an equal footing.
An example logic with semantics
interpretation is illustrated in Figure 1. Instancesof this generic logic
arise by considering special types of
stochasticprocesses,for example,for
an interpretation over discrete-time
Markov chains (DTMC), ? = N and
we obtain probabilistic computation
tree logic (PCTL).l8For continuoustime Markov chains (CTMC),the time
domain is ? =rR,and continuous stochastic logic (CSL)is obtained.a,6
Figure 3 presentsa small representative
example3'e
with some typical logical
formulae.
Expressivityandflexibility.The use of
logics offers, in addition, a high degree
of expressiveness.
Simple performance
and dependabilitymetrics such as transient probabilities-what is the probability of being in a failure stateat time
t?-and long-run likelihoods (when
.F
given:a stochasticprocessX anda logicalformu[a@
task: computePrx{X(0)l= Ol
idea: computethe sets Sotx(V)= [s e S I s F VJ for anysubformulaV of @and
return,X,pi";1(s)
>Sotx(o)= {s e S I states is labetedwith atomicproposition
a]
>Sotx(rlrr
A {/r) = Sqfo(V1)
n Sotx(Vz)
>Sotx(-{/)=S\Sot*(V)
>computationof Sots(tror(V1
U Vz)):
cosel: [= 10U
, f o r s o m e t € l f , t > 0 . L e t Y b e t h es t o c h a s t ipcr o c e s s t h a t
resuttsfrom X by makinga[[ stateswhereVzholdsor Vr is refutedabsorbing.
That is, if B = Sotx(Vz)u S \ Sofx(Vr),then y is givenby
y' r r \ = l - X ( f ) : iXf ( t / d) B f o r a l t t / < t
\'/
d ( f t ) / B o r X ( t "=) s f o r a l l l t < { .
f s : i f X ( t / =) s € B f o r s o m e t / < t a n X
Appl.yknownmethodsof performance
evatuation
to computethe probabil.ities
p, = Pro,,[X(f) e Sotx(Vz)i
and returnSota(lPno(V1
U: Vz))= {s e S I p, < pl.
cose2'.1= [tr,td for somefr > 0. Let Y be the stochasticprocessthat arises
from X by makingat[ statesrefutingVl absorbing.
Regardthe stochastic
processZthat arisesfrom Y by shiftingthe time by t1time units,i.e.,Z is
specifiedby Z(t) = Y (f + tr).Wethen evatuatethe formutaIP"p(iV1
,/t0'',hl V2)
overZ as in case1 and return
Soty(tr"'(V1U\ V2))= Sot"(tr<p(Vr
Lltor2ir)V2)).
>Let I = Sof*(O)andappLyknownmethodsof performance
evatuation
to
computethe Longrun averageLRA(s,B)
of beingin a stateof B for runs
startingin states, Return
= ls e S I LRA(s,B)
< pl.
Soto(n-_.0(o))
SEpTENIBE
2R
0ro
voL.53
No I
c o M M U N t c A T t o N so F T H E a c u
81
^-,.i^,",
IUVIEVV
-^f;-1
^^
C:! LILIgif
the system is observed long enough)
can readily be expressed.Most standard performance measuresare easily
captured, seeTable 1 for a selectionof
properties. More importantly, the use
of logics offers an enormous degree
of flexibility. Nesting formulas yields a
simple mechanism to speci$rcomplex
measuresin a succinctmanner.A propertylike "the probabilityto reacha state
within 25 seconds that almost surely
stayssafefor the next 10 seconds,via legal statesonly exceeds'/2"boils down to
P.1(legalU<" P=,(n<'osale))
This immediatelypinpoints another
advantage:given the formal semantics
of the temporal logic, the meaning of
the aboveformula is precise.That is to
say,there is no possibility that any confusion might arise about its meaning.
Unambigrrous measure specifications
are of utmost importance. Existing
mathematical measure specifications
are rigorous too of course, but do not
offer the flexibilitv and succinctness
TheIPv4 zeroconfprotocolis a simpteprotocolproposed
by the IETF (RFC
3927),aimedat the setf-configuration
of IP networkinterfaces
in ad hoc
networks.
Suchad hocnetworksmust be hot-pLuggabte
andself-configuring.
Amongothers,thismeansthat whena newapptiance,
hithertocatteda
newcomer,
is connecting
to a network,it mustbe configured
with a unique
IP addressautomaticatty,
The zeroconfprotocoIsotvesthis task using
randomization.
A newcomerintending
to joinan existingnetworkrandomty
setectsan IP address,U say,out of the 65024avail.abte
addressesand
broadcasts
a message(caLl"ed
a probe)asking"Whoownsthe addressU?".
If an ownerof U is presentanddoesreceivethat message,it replies,to force
the newcomerto randomtysetectanotheraddress,Dueto messagelossor
busyhosts,messagesmay not arriveat somehosts,Thereforea newco{per
is requiredto senda total of four probes,eachfotlowedby a listeningperiod
of two secondsbeforeit may assumethat a setectedaddressis unused.
Therefore,the newcomercan start usingthe selectedIP addressontyafter
eightseconds.Notabl.y,
there is a Lowprobabi[ityriskthat a newcomermay stiLL
endup usingan atreadyownedIP address,
for exampte,
because
at[ probes
were[ost.Thissituation,
caltedaddresscottision,
is hightyundesirabte.
stort
so ---L
s, --i+
p
€5r
,/
z
'.€
/v
-'t
\
errcr
-o
The protocolbehavior
of a newcomeris easilymodetedby a DTMCdepicted
aboveconsistingof ninestates.3's
The protocolstarts in s0wherethe newcomer
randomtychoosesan IP address.
q = m165024the addressis
Withprobabitity
atreadyowned,wherem is the currentsizeof the network.States, (0 < I < 4)
is reachedafterissuingthe i-th probe.Withprobabitity
p no reptyis received
duringtwo secondson a sentprobe(aseitherthe probeor its repLyhasbeen
tost).States, (tabeted
ok) indicates
that eventuatty
a uniqueaddresshasbeen
setected,whitestatesu(labetederror)correspondsto the undesirabte
situation
of an addresscottision.
Forsucha modeisometypicalexampteformutaeare:
>0n the long run,the protocolwil.lhavesetectedan address:n-,1(okv error).
>The probabitityto end up with an addresscotlisionis at mostp: F=0,(Qerror)
>Theprobabitity
to arriveat an unusedaddresswithink stepsexceeds
P/:F.r, (9lo'r'16L;
Manymoremeasuresinctuding
expectedtimesandaccumulated
costscanoe
expressed
usingextensions
of the baselogicandmodelintroduced
here.
82
couuutttclrloNs
o F T H EA c M
s E p T E M B E2R0 1 0
voL s3
N o .s
of logics. Temporal logic provides a
framework that is based on iust a few
Dasrcoperators,
Many measures,one algorithm. The
above concernsthe measurespecification. The main benefit though is
the use of model checkingas a fully algorithmic approach toward measure
evaluation.Even better, it provides a
single computational technique for
any possiblemeasurethat can be written. This applies from simple properties to complicated, nested,and possibly hard-to-graspformulas. For the
examplelogic this is illustratedin Figure 2. This is radically different from
common practicein performanceand
dependability evaluation where tailored and brand new algorithms are
developedfor "new" measures.One
might argue that this will have a high
price, that is, the computational and
spacecomplexity of the exploited algorithms must be extremelyhigh. Nol
On the contrary,in the worst case,the
time complexity is linear in the size
of the measure specification (logic
formula), and polynomial (typically
of order 2 or 3, at most) in the number of statesof the stochasticprocess
under consideration.As indicated in
Figure 4, the verification of bounded
reachability probabilities in DTMCs
and CTMCs-often the most timeconsuming ones- is a matter of a few
seconds even for millions of states:
The space complexity is quadratic in
the number of statesin the worst case,
In fact, as for other state-basedperformance evaluation techniques this
polynomial complexity is an issue of
concern as the number of statesmay
grow rapidly.
Perhaps the largest advantage of
model checking for performance
analysisis that all algorithmic details,
all detailed and non-trivial numerical
computation steps are hidden to the
user. Without any expert knowledge
on, say,numerical analysistechniques
for CTMCs, measure evaluation is
possible.Even better: the algorithmic
analysis is measure-driven.That is to
say, the stochastic process can be tailored to the measureof interest prior to
any computation, avoiding the consideration of parts of the state spacethat
are irrelevant for the property of interest.In this way,computationsmust be
carried out only on the fragments of
review anticles
the state spacethat are relevant to the
properqi of interest. In fact, this generalizesthe ideas put forward by Sanders and Meyer on variable-drivenstate
spacegenerationin the late 1980s.33
Dependabilityeyaluation.This measure-drivenaspectis evenmore beneficial in the field of systemdependability evaluation, a field tightly related to
performance evaluation,but especially
concernedwith evaluatingservicecontinui$' of computer systems. Questions like "under which systemfaults
can a given service still be provided
adequately?"are addressed,and typical measuresof interest are system reliability and availability, as illustrated
in Table 1. Sincethe beginning of the
1980s this field has matured significantly,due to the introduction ofstateoriented n.rodelsand the invention of
This facilitated the
unifonnizatior.r.'1
efficient analvsis of time-dependent
properties such as reliabili$' or availir.rcombinationwith
abiliryevalu:rtior.r,
high-level nrodel specification techniques such as SP\s. The models that
one could analrze norvwent well above
the "standard nrodels" based on reliability block dirrgramsor fault-trees.
The measures of interest in this
field often involvecosts,modeling the
usageof resources.E\tensionsof stochasticproccsscsrvith cost (or reward)
functions give rise to a logic where in
a d d i t i o nt o . f o r c r a r n p l e t, i m e b o u n d s ,
c o n d i t i o n si r b o u tt h e a c c u m u l a t e dr e ward along .rn trecutior-rpath can be
imposed. \lodrl checkingstill goes
along the lirrc: oi Figure2, but involves
computiitiorial procedures that are
mofe
checking provides two for the price of
oner both performance/dependabiliq,
analysisand checking functional properties.This forcesthe userto construct
models with a high precisionas anytiny
inconsistencywill be detected.Comparethis to simulationmodel construction in NS2or OPNET!
Nondeterminism.Sometimes this
need for precision might seem as a
burden, but it is a vehicle to force the
modeler to make hidden assumptions explicit-or to leave them out.
For instance, we have discussedthe
nondeterminism inherent in the jointhe-shortest-queueidea, which-unless made concrete-implies that the
underlying model is not a stochastic
process.Stochasticmodels with nondeterminism are usually referred to
as stochastic decision processes.In
these models the future behavior is
not always determined by a unique
probability distribution, but by selecting one from a set of them. Temporal logics and verification technology havebeen extendedto this type of
models with relative eag: for CTLsand
LTL.14,36
In fact, they constitute the
genuine supermodel that comprises
both the model checking and performance evaluation side as special
cases: When transition systems are
paired with Markov chains or Markov
rewardmodels,the model is known as
Markov decisionprocesses.Here, performance model checking is still pos-
Appealing Application Areas
Several stochastic model checking
tools havebeen developedsince 2005,
of which PRrsM2ois by far the most
widely used. A number of well-known
tools from the performance and dependability evaluationarea,like tools
for SPNsand stochasticprocessalgebras,havebeenextendedwith stochastic model checkingfeatures.All these
tools automatically generatea Markovian model of some sort, either using
symbolicor sparsedata structures.
With these tools, a wide varie$rof
case studies have been carried out,
amongst others, in application areas
such as communication systemsand
protocols,embeddedsystems,systems
biology, hardware design, and security, as well as more "classical"performanceand dependabilirystudies.
Examples of the latter category,
for which CTMCs are a very natural
model, include the analysis of vario u s c l a s s e so f t r a d i t i o n a lq u e u i n gn e t works and even inflnite-statevariants
Workstation
cluster(CTMC)
+
..,.r.r'.
Tandemqueue(CTMC)
tlnlC-( {)ll \UIlll ng.
ls that all'' Not quite.An
One.for.t'rte
i m p o r t a n t p r o b l c n rr v i t h p e r f o r m a n c e
m o d e l i n g r r i a r d l r s s o f s ' h e t h e ro n e
a i m s a t n u r r r c r i e a lr ' r ' a l u a t i o no r a t
s i m u l a t i o n .r \ r ( ) c h c c k t h e f u n c t i o n a l
c o r r e c t n e s so f t h c n r o d e l .F o r a s t o c h a s t i c [ ) e t r i n c t s p e c i f i c a t i o np, l a c e
a n d t r a n s i r i r r ni n v a r i a n t si i r ee x p i o i t e d
t o c h e c k f r r r d c a d l o c k sa n d l i v e n e s s ,
a m o n go t h r r . .
F o r a \ t l r k o r c h a i n n r o d e l ,g r a p h b a s e d a l g o r i t h n r :a r e u s e d t o c h e c k
elementan propcnic's.The good news
is when enrploringnrodelcheckingwe
g e tt h i s f u n et r o n a l i nf o r f r e e .U s i n gt h e
s a m em a c h i n c nf o r v a l i d a t i n gt h e m e a s u r e so f i n r r r r s ! . f u n c t i o n a lp r o p e r t i e s
can be t'ircekrd- I'robabilistic model
sible, but the checker now computes
bounds on the performance, in the
sensethat howeverthe nondeterminism is concretized,the concrete perforrlance figure will stay within the
calculated bounds. Whereas for the
discrete time setting, efficient model
checking algorithms havebeen developed, this fleld is still relativelyopen
i n t h e c o n t i n u o u s - t i msee t t i n g .
-'J*" Crowdsproiocoi(DTMC)
Raqdom
z e dm J t e x( D T l v C J
o
E
5
q,
E
rn:
c
.9
(!
.9
IE
I 10'
010
s E p r E N . l B E2 R
voL 53
NO 9
c o M M U N t c A T t o N so F T H E a c u
83
revicw articles
thereof, fault-tolerant workstation
clusters, and wireless access protoAIso system
cols such as IEEE 8O2.71,.
survivability, that is the ability of a sys-
An impoftant
::*.j::::1"#3:'.'#::'?j,::",'.*,?
to recover predefined service levels
' tr r rr r rF-r
Er
r'
in a timetymannerafterthe occur- pfOblem
With
',Tl{
ifflffi lredormance
:il:il:i:ili'l';"??,1
andhasbeen.veriintroduced
before,
mOdeling
fied rur
rrsu
for .'
Google-like
uuBr
e-r
rKe
file systems.l2The -^-^--ll
^"'1"t"".'.?l? rggatdlgss
evaluationof a wireles
;riill
usingmodel Whgthgf
col for ad hocnetworks.
checking could be carried out at far
lowercostthanusing;t;;;;;i
^^
Ong aimS
_____^^ ^_-:^ ^r
at nUmgfiCat
evaluation
or
simulations.32
The populariqr of Markovian models is rapidly growing due to their application potential in systemsbiology;
the timing and probabilistic nature
of CTMCs naturally reflect the operat i o n s o f b i o l o g i c a lm e c h a n i s m ss u c h
n
smolecular
morecr
rInr r",
*.'r'i1i:1,]l,'",'i:il
reactions,
In fact, various GOffeCtngSS
as
"r'.,,''
biological systems have been studied
by CTMC model checking in recent
years.26
Prominent examples include
ribosome kinetics, signaling pathways, cell cycle control in Eukaryotes,
and enzyme-catalyzedsubstrate conversion. In particular, the possibiliry
to compute time-bounded reachabiliq' probabilities is of great importance
here as traditional studies focus on
steady-statebehavior.
Another application area for CTMC
model checkingis embeddedsystems
where the timeliness of communication between sensor and actuator devices, for example, within cars or between high-speed trains, is of utmost
importance. Stochastic model checking techniques allow us to addressthe
timeliness and the protocols' correctnessfrom a singlemodel. One example
is dynamic power management in relation to job scheduling.''
Examplesfor the discrete-timesetting include severalstudiesof the IPv4
Zeroconf protocol are illustrated in
Figure 3, where next to the probability
of eventuallyobtaining an unused IP
address,extensionshavebeen studied
with costs,addressingissuessuch as
the number of attempts neededto obtain such address.Securityprotocols
are another important class of systems in which discrete randomness
is exploited,for example,by applying
random routing to avoid information
leakage. An interesting case is the
at simuliation,is
to checkthe
functional
the model.
84
coumultclrtoNs
o F T H EA c M
s E p T E M B E2R0 1 0
vol 53
No.9
Of
Crowds protocol,s' a well-known security protocol that aims to hide the
identity of Web-browsing stations.
Checking Markovian models with up
to 107states did provide important
information on quantifiiing the increaseof confidence of an adversary
when observingan Internet packet of
the same sender more than once. A
novel case study in the field of nanotechnology applies stochastic model
checking to quantify the reliability of
a molecular switch with increasing
memory array sizes.13Other natural
cases for discrete-time probabilistic
models are randomizedprotocols-in
which probabilities are used to breal<
ties-such as consensusand broadcast protocols, and medium access
mechanismssuch as Zigbee.
To conclude, an interesting case
study using DTMCs with non-determinism is the analysisof the Firewire
protocol (IEEE 1394). This protocol
has been developed to allow "plugand-play" network connectivity for
multimedia consumer electronics in
the home environment.A key component in IEEE 1394 is a leader election
protocol (the "root contention protocol") that exploitsa coin-tossingmechanism to break ties. Stochasticmodel
checking revealedthat using a biased
coin instead of the typically used unbiasedcoin, speedsup the leaderelection process.This confirmed a conjecThis insight would
ture in Stoelinga.s5
not have been found through "classical" qualitative verification.
Current Trends and Ghallenges
Edmund M. Clarke,a co-recipientof the
2007 ACM A.M. Turing Award, points
out that probabilisticmodel checking
is one of the brandsofverificationthat
requires further developments.alHere,
we note some of the current trends and
major researchchallenges.
One of the major practicalobstacles
shared by model-based perfortnance
evaluation and model checking is the
state space explosion problem. To
combatthe statespaceexplosionproblem, varioustechniqueshavebeen developed and successfullyapplied for
model checking Kripke structuresll
(and the literaturementionedthere).
For stochastic models the state
spaceexplosionproblem is evenmore
severe.This is rooted in the fact that
review articles
memories IEEE Trans.on Nonatechnalagy7 2 (,2048)
the model checking algorithms for timed2sor hybrid automata, but more
242-208.
stochasticmodels rely on a combina- work on the tool side is needed to as- 14 Courcoubetls,C.and Yannakakis,fy' The comptexrtyol
probabltisticverifcatlan JACM 42, 4 {1995),857-907
tion of model checkingtechniquesfor sess the merits of these approaches 1 5 D A r g e n i oP . RJ e a n n e tB , J e n s e nH, , a n d L a r s e n '
K.G.Reductionand reflnementstraieg es ior
non-stochasticsystems,such as graph faithfully. Theorem-proving techprobabrtistc anatysis.LNCS2399 (2002i 335 372
sysprobabilistic
for
analyzing
niques
ofmathematical,
also
but
algorithms,
, H Optimat
1 6 . D e r i s a v, S . ,H e r m a n n sH, . a n dS a n d e r sW
state spacelumpingin f4arkovchains Inl Proc
ten numerical methods for calculating tems21are also a very promising direcL e t t e r s S T . 6( 2 0 0 3 ) 3 0 9 3 1 5 .
probabilities,such as linear equation tion. One of the major open technical 1 7 H a n Y . ,K a t o e nJ, - P a n d D a m m a nB, C o u n t e r i c o d e L c h e c k n lIlE E E T S E
models
e x a m p t e sn p r o b a b i l i s t m
problems is the treatment of
s o l v i n go r l i n e a rp r o g r a m m i n g .
3 6 , 3 ( 2 0 1 0 )3 9 0 4 0 8
continuous
and
Many of the advancedtechniques with nondeterminism
1 8 . H a n s s o nH, . a n dJ o n s s o nB, . A l o g i ct o r r e a s o nn g
abouttime and ref abifity.FormoLAspectsof Comp 6
for very large non-stochastic models distributions. Initial results are inter5 ( 1 9 9 4 )5 1 2 - 5 3 5
(severe)
to
subject
typically
but
have been adapted to treat stochastic esting
1 9 . H e r m a n n sH, . ,W a c h t e rB, , a n dZ h a n gL P r o b a b i l i s t i c
CEGAR.Compuier A ided VerificationLNCS5723
systems,including variations of deci- restrictions.
( 2 0 0 8 )1 6 2 1 7 s
need
the
mention
we
final
item,
As
a
state
large
represent
org
sion diagramsto
20 wwwpr smmodelchecker
, . P r o b a b isl t l c
n d M o r g a nC
Complementary to tailor the general-purposeprobabi- 2 1 H u r d ,J , l V c l v e rA amechan
spacessymbolically.30
zed nHaL Theor'Comp
guarcledcommands
5 c . 3 4 6 I ( 2 0 0 5 )9 6 1 1 2 .
techniques attempt to abstract from listic model checking techniques to
R The Art cf ComputerSystemPerformance
irrelevant or redundant details in the special application areas. This covers 22. Jain,
AnolysrsWitey,1991
model and to replacethe model with a the design of special modeling lan- 2 3 K u c e r aA, , E s p a r z aJ , a n d N 4 a yRr , l ' 4 o d ecth e c k i n g
probabifsilc pushdownautomata LogicalMethodsin
smaller,but "equivalent"one. Someof guagesand logics that extend or adapt
ComputerScience2.1 \2406)
tem24. Kwiatkowska,M.Z. Norman G. and Parker,D.
them relyon the conceptof lumpability classicalmodeling languagesand
Symmetry reductionfor probabIistic model checking.
for stochasticprocesses,which in the poral logics by adding featuresthat are
Computer Aided VerificationLNCS4744 (.2048)
238 248
formal verification setting is known as specificfor the application area.
25 Kwlatkowska,lvlZ, Norman,G.,Parker,D and
bisimulation quotienting, and where
Sproston J. Performanceanalysisof probabilsilc
timeciautomatausingd gitat clocks FarmoLMethads
stateswith the same probabilisticbe- Acknowledgments
]n SystemDesign29,11 (2006),33 78.
Gianfranco
Bobbio,
Andrea
We
thank
repinto
a
single
havior are collapsed
, , a n d P a r k e rD
2 6 . K w i a t k o w s k aM . Z .N o r m a nG
t o r s y s t e m sb r o l o g y
ProbabiLism
t i co d e lc h e c k i n g
Ciardo, William Knottenbelt, Marta
resentative.l6'27
SymbollcSysiemsEiology 2OIO.
Other advancedtechniques to fight Kwiatkowska,EvgeniaSmirni, and the 27 Lasen K G.and Skou.A Bis muiationthrougrr
p r o b a bL i s t i ct e s t n g I n f . 6 C a m p 9 4 I ( 1 9 8 9 11 2 8
the state-explosionproblem include anonvmous reviewers for their valu28 Mclver,A. and Morgan.C. Abstroction Refrnement
s
Systems.Springer2005
symmetryexploitation,t'partial order able feedback.
anclProoffor Probabilistic
2 9 M c l v e r .A , M o r g a nC, . a n d G o n z a l i aC . P r o o t sa n d
reduction,s or some form of abstracrefutat on for probabilistc systems FotmoLMethads
L N C S5 1 1 4( 2 0 0 8 ) , 1 0 01 1 5
tion28, possibly combined with au- Reterences
30. l'.4ner.A and Parker,D. Symbolicrepresentationand
tomatic refinement.r;leAll these ap- Due ta spoce Limitotianso camprehensiveListaf alL
af
anatyss of large probabillsticsystems Voltdotton
cited in this orticLecan be faund at the outhars
Stochostic Systems A Guideta Current Reseorch
proachestake inspiration in classical references
Web sttes
L N C s2 9 2 5( 2 0 0 5 ) 2, 9 6 - 3 3 8
which often 1 A b d u t l aP, . B e r t r a n dN . R a b i n o v i cAh . a n d
model checkingadvances,
31. Norman G, Parker D..Kwiatkowskalu1Z Shukta
S c h n o e b e l eP
n V e r f i c a t o no f p r o b a b i l i s tscy s t e m s
i c o d e lc h e c kn g t o r
. . U s i n gp r o b a b i l i s t m
S K , G u p t aR
get much more intricateto realize,and
Inl ond CDmp 202 2
w th fautty communicatlon.
dynamicpower manaqementFormoLAsp Comp 17 2
practiand
theoretical
raiseinteresting
(2005),160-176.
{ 2 0 0 7 )1 4 1 1 6 5
M.,Conte,G..Batbo,G A class ol
N'1arsan,
3 2 . R e m k eA . ,H a v e r k o r tB R .a n dC l o t h L A v e r s a t i l e
cal challenges.All together, they have 2 Ajmone
generalzed stochastc Petrinets for the performance
i n f i n i t es t a t eM a r k o vr e w a r dm o d e lt o s t u d y
advancedthe field considerablyin the
evaluaton of mult processorsystems.ACM Trons
bottlenecksn 2-hopad hoc networks Quantitatrve
(19841.93722
Syst.2.2
Comput
Evaluaton of SystemsIEEE CS Press 2006 63 72
ability to handle casesas the ones dis- 3. Andova,S. Hermanns,H..and Katoen J. P Discrete
b a s em o d e l
3 3 . S a n d e r sW
, H a n d M e y e rJ F .R e d u c e d
tlme rewarclsmode!checked.FaRMATS'LNCS2791
cussedearlier.
constructionmethodsfor stochastrcact vity networks
( 2 0 0 3 )8 8 1 0 4 .
IFEE J. on SelectedAreosin Comms I I i1991J'
An important feature of model
AzizA
, . S a n w a l K . S i n g h a tV, .a n d B r a y t o nR K M o d e l
25-36.
ACM
TOCL
checkingcontinuoust me Markovcha ns
checkersfor non-stochasticsystemsis
t i co d e lc h e c k r nogl a n
3 4 . S h m a t i k o vV, P r o b a b i L i s m
_ 1i , ( 2 0 0 0 ) , 1 6 21 7 0
anonymitysystem J CampLlterSecLriy l2 l20A4)
the generation of counterexamplesfor
P
a
r
t
a
l
o
r
d
e
r
n
s
k
i
,
F
C
i
e
s
, , and
B a e r C , G r o B e rM
355-377
reductionfor probablistic systems Quontitattve
properties that have been refuted by
3 5 . S t o e t i n g aM . F u nw t h F r e w r e A c c m p a r a t r vset u d y
Evoluotionof SystemsIEEE CS Press 2004
o f f o r m a lv e rf i c a t i o nm e t h o d sa p p te d t o t h e I E E E
the model checker.The principal situ230,239.
1394 root contenton protocol Farmcl Asp Comp,14
Baier,C. Haverkort,B R. Hermanns,H and Katoen
3 { 2 0 0 3 )3 2 8 3 3 7
ation is more difficult in the stochastic
J-P.Modelcheckingalgorithmsfor contrnuous-trme
36. Vardi [4.Y.Automaticver]fcatlonof probabilst c
properties,
probabilistic
for
setting,as
Markovchalns.IFEETSE 29 6 {2003],524 541
concurrentf n te-state programs ln Proaeedillgs
of Camp
of the 26th IEEE Symp.on Faundattans
say the requirement that a certain un- 7. Baier,C.and Katoen J P.Prtnciplesof ModelChecking
M I T P r e s s2, 0 0 8 .
Science.IEEE CS Press(1985) 327 338
desired event will appear with prob- 8 Bianco,A and De Alfaro,L. f4odelcheckrngol
probabitisticand non determinst c systems
abiliquat most 10 3, single error traces
Faundotionsof Saftw. Technologyond Theor'Camp
Christel Baier (baier@tcsinf tu dresdenoei rs a prolessor
are not adequate.The generation and
S c i e n c eL N C Si 0 2 6 ( 1 3 9 5 ) , 4 9 95 1 3
a t T U D r e s d e nG e r m a n Y
H,
P
,
H
e
r
m
a
n
n
s
v
a
n
d
e
r
S
t
o
k
,
H
B
o
h
n
e
n
k
a
m
p
,
,
representationof counterexamplesis
F.W Costopt misatlonof the IPv4
and Vaandrager,
utwentenll is a
Boudewijn R. Haverkort lbrhaolcs
of the lntL Conf an
therefore a topic of much increasing
zeroconfprotocof In Proceedings
p r o f e s s oar t t h e U n i v e r s i i oy f T w e n t e a n ds c e n t l f i c
Systemsond Networks IEEE CS Press
Dependoble
within the community.
attentionlT'2e
directorof the EmbeddedSystemsInstitute Elndhoven
2 0 0 3 ,5 3 1 ' 5 4 0
To overcomethe limitation to finite 10. Bolch,G..GreinerS , de Meer,H Tr ved , K S Queueing The Netherlands.
and MarkavChoins.WiteyPress,1998
statespaces,much work hasbeendone 1 1 . CNetwarks
H o l g e r H e r m a n n s{ h e r m a n n s @ cusn L - sdl ]e l s a
, Model
t a r k eE. . M .G r u m b e r g0 , a n d P e l e dD
SaarbruckenGerma.!
professorat SaartandUniversity,
Checklng.f4IT Press 1999.
to treat infinite-state probabilistic sysfor
. 4 o d eclh e c k i n g
1 2 C t o t h ,L . a n d H a v e r k o r tB . R N
flavors.r'23
different
de) is a
tems, in many
Joost-Pieter Katoen ([email protected]
ol Systems IEEE
survivabifty QuontitotiveEvaLLlotron
Aachen Germany.
professorat RWTHAachenUniversity,
(
2
0
0
5
)
1
5
4
.
1
4
5
interest
P
r
e
s
s
C
S
ongoing
of
topic
Another
1 3 . C o k e rA, , T a y t o rV B h a d u r iD, . S h u k l aS
Iies in combining probabilisticbehav, M u L t l u n c t i otna u l t
R a y c h o w d h u rAy . .a n d R o y K
t o 2 0 1 0A C M0 0 0 1 - 0 7 8 2 / 1 0 / 0 9 0s01 0 . 0 0
t o l e r a n c ea r c h i t e c t u rfeo r n a n o s c a Icer o s s b a r
ior with continuous dvnamics as in
s E p T E M B E2R0 1 0
v0L s3
No.9
c o M M u N l c a r l o N so F T H Ea c u
85

 Download  Report

Paperzz.com

Your Paperzz

© Copyright 2026 Paperzz