1.1.1. Manual interactive assumption generation

On the existing theory of Markov Decision Process (MDP) model of combinatorial analysis [16], Kwiatkowska et al. [17] first gives out assume-guarantee reasoning for verifying probabilistic automaton (PA) model, including asymmetric assumption-guarantee rule (ASYM), circular assumption-guarantee rule (CRIC) and asynchronous assumption-guarantee rule (ASYNC). It solves the AG-SMC problem as follows: (1) It generates the assumptions through the manual interactive method. (2) In the triple of the form 〈A〉_≥PAM〈P〉_≥PG, system model M is a PA, the assumption 〈A〉_≥PA and guarantee 〈P〉_≥PG are probabilistic safety properties, represented by deterministic finite automaton (DFA). When system component M satisfies assumptions A with minimum probability PA, it will be able to satisfy property P with minimum probability PG. Checking the triple can be reduced to multi-objective model checking [18], which is equivalent to a linear programming (LP) problem. (3) It does not involve to construct the counterexamples. (4) It verifies a stochastic system composed of n ≥ 2 components through multi-component asymmetric assume-guarantee rule (ASYM-N). The core idea of ASYM-N rule is similar to CRIC rule, i.e., the component M₁ satisfies the guarantee 〈A₁〉_≥PAM1, then the guarantee 〈A₁〉_≥PAM1 as the assumption of the component M₂, let the component M₂ can satisfy the guarantee 〈A₂〉_{≥PAM 2}, …, until the component M_n that satisfies the assumption 〈A_n–1〉_≥PAMn–1 can satisfy the guarantee 〈P〉_≥PG. If all above-mentioned conditions hold, the entire system model M₁‖M₂‖ ⋯ ‖M_n will satisfy the guarantee 〈P〉_≥PG.

1.1.2. Automated assumption generation

Bouchekir and Boukala [19], He et al. [20], Komuravelli et al. [21], Feng et al. [22] and [23] are the automated assumption generation methods for solving the AG-SMC problem. They can be divided into the following three kinds further.

Definition 1.

(probabilistic automaton) A probabilistic automaton (PA) is a tuple M=(V,v¯,αM,δM,L) where V is a set of states, v¯∈V is an initial state, α_M is an alphabet for all the action, δ_M ⊆ V × (α_M ∪ {τ}) × Dist(V) is a probabilistic transition relation. τ is an invisible action, and L: V → 2^AP is a labeling function mapping each state to a set of atomic propositions taken from a set AP.

In any state v of a PA M, we use the transition v→αμ to denote that (v, α, μ) ∈ δ_M, where α ∈ α_M ∪ {τ} is an action label. μ is a probability distribution over state v. All transitions are nondeterministic, and it will make a random choice according to the distribution μ. A trace through M is a (finite or infinite) sequence v0→α0,μ0v1→α1,μ1⋅⋅⋅ where v0=v¯ , and for each i ≥ 0, vi→αiμi is a transition and μ_i (v_i+1) > 0. The sequence of actions α₀, α₁, ..., after removal of any τ, from a trace t is also called a path. An adversary σ is sometimes referred to as scheduler, policy, or strategy, which maps any finite path to a sub-distribution over the available transitions in the last state of the path. This paper focuses on are finite-memory adversaries, which store information about the history in a finite-state automaton (see Baier and Katoen [3] Definition 10.97; pp. 848). We define TraceMσ as the set of all traces through M under the control of adversary σ, and Adv_M as the set of all potential adversaries for M. For an adversary, we define a probability space PrMσ on TraceMσ , and the probability space can know the probability of the adversary σ.

Definition 2.

(Parallel composition of PAs) If M1=(V1,v¯1,αM1,δM1,L1) and M2=(V2,v¯2,αM2,δM2,L2) are PAs, then their parallel composition is denoted as M₁‖M₂. It is given by the PA(V1×V2,(v¯1,v¯2),αM1∪αM2,δM1||M2,L) where δ_M1‖M2 is defined such that (v1,v2)→αμ1×μ2 if and only if one of the following holds:

Definition 3.

(Alphabet extension of PA) For any PA M=(V,v¯,αM,δM,L) and set of actions y, we extend the alphabet of M to y, denoted M[y], as follows: M[y]=(V,v¯,αM∪y,δM[y],L) where δ_M[y] is a probabilistic transition relation on M[y], and δ_M[y] = δ_M ∪ {(v, α, η_v)|v ∈ V Λ α ∈ y\α_M}.

For any state v = (v₁, v₂) of M₁‖M₂, the projection of v on M_i, denoted by v ↾_Mi. Then, we extend it to distributions on the state space V₁ × V₂ of M₁‖M₂. For each trace t on M₁‖M₂, the projection of t on M_i, denoted by t ↾_Mi, i.e., the trace can be acquired from M_i by projecting each state of t onto M_i and removing all the actions not in the alphabet α_Mi.

Definition 4.

(Adversary projections) Let us suppose that M₁ and M₂ are PAs, σ is an adversary of M₁‖M₂. The projection of σ on M_i is denoted as σ ↾_Mi, which is the adversary on M_i, for any finite trace t_i of M_i, σ ↾_Mi (t) (α, μ_i) equals:

Definition 5.

(Assume-guarantee triple) If 〈A〉_≥PA and 〈P〉_≥PG are probabilistic safety properties, M is a PA and alphabet α_P ⊆ α_A ∪ α_M, then:

Determining whether an assume-guarantee triple holds can reduce to multi-objective probabilistic model checking [18,33]. In the absence of an assumption (denoted by 〈true〉), checking the triple can reduce to normal model checking:

Theorem 1.

Let us suppose that M₁, M₂ are PAs and 〈A_M1〉_≥PAM1, 〈A_M2〉_≥PAM2, 〈P〉_≥PG are probabilistic safety properties. Respectively, their alphabets satisfy α_AM1 ⊆ α_M2, α_AM2 ⊆ α_M1 and α_P ⊆ α_AM1 ∪ α_AM2. co〈A_M1〉_≥PAM1 denote the co-assumption for M₁ which is the complement of 〈A_M1〉_≥PAM1, similarly for co〈A_M2〉_≥PAM2, the following SYM rule holds:

Proof of Theorem 1.

We provide the proof of Theorem 1 in the following. This requires Lemma 1, which derives from Kwiatkowska et al. [33].

Lemma 1.

Let us suppose that M₁, M₂ are PAs, σ ∈ Adv_M1‖M2, y ⊆ α_M1‖M2 and i = 1, 2. If A is regular safety properties such that α_A ⊆ α_Mi[y], then:

Proof (of Theorem 1). The proof is by contradiction. Assume that the premise 1, 2 and 3 hold, but the conclusion does not. Since M₁‖M₂ ⊭ 〈P〉_≥PG, we will be able to find an adversary σ ∈ Adv_M1‖M2, such that PrM1||M2σ(P)<PG . Now, it follows that:

By Lemma 1 since α_P ⊆ α_AM1 ∪ α_AM2 ⊆ α_M1[αAM1]

Similarly

Our assumption contradicts (19), so this adversary σ is nonexistent. Next, we will use a simple example to illustrate the rule (taken from Kwiatkowska et al. [33]).

Example 1.

Figure 1 shows two PAs M₁ and M₂. The switch of a device M₂ is controlled by a controller M₁. Once the emergence of the detect signal, M₁ can send a warn signal before the shutdown signal, but the attempt may be not successful with probability 0.2. M₁ issues the shutdown signal directly, this will lead to the occurrence of a mistake in the device M₂ with probability 0.1 (i.e., M₂ will not shut down correctly). The DFA P^err indicates that action fail never occurs. We need to verify whether M₁‖M₂ ⊨ 〈P〉_≥0.98 holds.

For checking whether 〈true〉M₁‖M₂ 〈P〉_≥0.98 holds, we use the rule (SYM) and two probabilistic safety properties 〈A_M1〉_≥0.9 and 〈A_M2〉_≥0.8 (see Section 3.2 for details) as the assumptions about M₁ and M₂. They are represented by DFA AM1err and AM2err in Figure 2 (since alphabet α_AM1 is same as α_AM2, AM1err is also same as AM2err ). Note that only state a₂ is in the set of accepting states F (see Section 2.2) and indicates that the safety property P is violated.

We can compute the probability of A_M1 and A_M2 in the premise 1 and 2, because we can solve these queries: 〈A〉_≥PA M〈P〉_IG=? and 〈A〉_IA=? M〈P〉_≥PG, through multi-objective model checking, as shown in Etessami et al. [18] and Kwiatkowska et al. [33]. Actually, if there exists any adversary of the component M that satisfies the strongest assumption 〈A〉_≥1 but violate the probabilistic safety property 〈P〉_≥PG, the interval I_A will be empty in the second question.

Through premise 3, in 〈AM1err〉≥0.1 , we can find a counterexample cex(0.2, 〈shutdown〉), but corresponding counterexample in 〈AM2err〉≥0.2 is nonexistent (since action fail exists). So prefixes of all infinite traces in 〈AM1err〉≥0.1||〈AM2err〉≥0.2 can be accepted by ℒ(〈AM1err〉≥0.1||〈AM2err〉≥0.2) and we can think M₁‖M₂ ⊨ 〈P〉_≥0.98 holds. Note that if a trace in 〈AM2err〉≥0.2 corresponding to multiple traces in M₂, we give preference to the trace with action fail. Besides, we can find that the trace 〈shutdown〉 is a prefix of 〈shutdown, warn〉, 〈shutdown, shutdown〉 and 〈shutdown, off〉, so there is no need to consider for the last three traces.

3.2.1. Overview

The NL^*-based learning framework for compositional stochastic model checking with rule SYM is shown in Figure 3. Here, the MAT first answers a membership query: whether a given finite trace t₁ should be included in the assumption A_M1. If t₁ is not in the assumption A_M1, we will try to find corresponding traces in M₁ and M₂. If their probability violates the probabilistic safety property 〈P〉_≥PG, t₁ will be not a spurious counterexample. We can think the model does not satisfy the property, otherwise continue to answer the next membership query after checking until the appearance of a conjectured assumption A_M1. Then, the MAT answers an equivalence query. Through a multi-objective model checking technique [18,33], we can calculate the probability of a conjectured assumption, which is an interval I_A1. If I_A1 is an empty interval, the framework will construct a probabilistic counterexample cex(σ, w, c). σ is an adversary for M₁ with PrM1σ(P)<PG . w is a witness for 〈A_M1〉_≥PAM1 (PA_M1 is a lower bound of the interval I_A1) in M₁[α_AM1], i.e., a set w of infinite traces in M1σ is defined as Pr(w) ≥ PA_M1 and t₁↾_M1 ⊨ A_M1 for all t₁ ∈ w. A set c of finite traces in M1σ (i.e., M1σ,c ) such that Pr(c) >1 – PG and t₁↾_M1 ⊭ P for all t₁ ∈ c. In short, probabilistic counterexamples are more complex than nonprobabilistic counterexamples. More details are provided in Feng et al. [22] and Ma et al. [40]. Next, we must check whether the appearance of a trace t₁ in the probabilistic counterexample cex(σ, w, c) causes the violation of 〈P〉_≥PG on M₁‖M₂. If the trace exists, the execution of the learning algorithm will be terminated. Otherwise, the learning algorithm will refine the original conjecture and generate a new assumption. When all the conjectured assumptions are successful to be generated, we judge whether there exists any common trace that can be accepted by ℒ(co〈A_M1〉_IA1‖co〈A_M2〉_IA2). It requires us to do Counterexample Analysis. If counterexample does not exist, we can conclude that M₁‖M₂ ⊨ 〈P〉_≥PG.

Figure 3

NL^*-based learning framework for the rule SYM

On the contrary, we need to check whether it is a spurious counterexample, let the conjectured assumption becomes stronger than necessary. If the spurious counterexample exists, the conjectured assumption must be refined once again. When the conjectured assumption is updated, the framework will return a lower and an upper bound on the minimum probability of safety property P holding. This measure means that it can provide some valuable information to the user, even if the framework could not produce an accurate judgment. More details are described in the following sections.

3.2.2. Answering membership queries

Minimally adequate teacher is responsible for the membership queries, i.e., checking t₁‖M₁ ⊨ 〈P〉_≥PG. t₁ represents the trace in which each transition has probability 1. If trace t_M1 ∈ M₁, t_M2 ∈ M₂ and t_M1↾_AM1 = t_M2↾_AM1 = t₁, then P₁ and P₂ are the probability of trace t_M1 and t_M2 respectively. If the trace t_M1 or t_M2 has action fail and P₁ * 1 > 1 – PG (i.e., t₁‖M₁ ⊭ 〈P〉_≥PG), t₁ will not be included in assumption A_M1 and it will be in AM1err . Then, we use t₁ to verify c ∈ ℒ(M₁‖M₂). If P₁ * P₂ > 1 – PG, t₁ will be the counterexample c of ℒ(M₁‖M₂). We define cex(σ′, c′) as a probabilistic counterexample trace, and cex(σ′, c′) = cex(P₁ * P₂, c) here. If t₁ is the counterexample c, we can conclude M₁‖M₂ ⊭ 〈P〉_≥PG. Then the learning algorithm is terminated and returns the probabilistic counterexample trace cex(σ ′, c′). Otherwise, the MAT continues to answer the membership queries, until it produces a conjectured assumption A_M1, similarly for t₂‖M₂ ⊨ 〈P〉_≥PG. Note that alphabet α_AM1 is same as α_AM2 in most cases, because α_AM1 and α_AM2 all reflect the same safety property P essentially. If α_AM1 is same as α_AM2, t₂‖M₂ ⊨ 〈P〉_≥PG can be omitted, and A_M1 is same as A_M2.

3.2.3. Answering conjectures for each component

〈(A_M1)_i〉_IA1=? M₁〈P〉_≥PG (i.e., 〈A_M1〉_≥PAM1 M₁〈P〉_≥PG in SYM) can be calculated by multi-objective model checking [18,33]. The widest interval I_A1 is defined as [PA_M1, 1] and PA_M1 = 1 − (1 − PG)/P₁. P₁ is the probability of trace t_M1, if the trace t_M1 ∈ M₁ or t_M2 ∈ M₂ has action fail and t_M1 ↾A_M1 = t_M2↾A_M1 = t₁, t1∈AM1err . i = 1 indicates that this is the first conjectured assumption 〈(A_M1)₁〉_IA1. If I_A1 = Ø, even under the conjectured assumption 〈A_M1〉_≥1, M₁ still violates 〈P〉_≥PG. We can construct a probabilistic counterexample cex(σ, w, c) [22,40] to indicate that 〈A_M1〉_≥1 M₁〈P〉_≥PG does not hold. Next, we consider whether the probabilistic counterexample cex(σ, w, c) also belongs to the language ℒ(M₁‖M₂), i.e., if cex(σ, w, c) is not a spurious counterexample (through checking M1σ,c||M2⊭〈P〉≥PG [22]), it will prove the conclusion M₁‖M₂ ⊭ 〈P〉_≥PG. We can directly obtain a probabilistic counterexample trace cex(σ′, c′) from cex(σ, w, c). If cex(σ, w, c) is spurious, we need to acquire all traces in the set T = c↾_AM1. Then, we should find out those traces, which are currently included in the conjectured assumption 〈(A_M1)₁〉_IA1 but in fact should be excluded, because it violates the properties 〈P〉_≥PG. In other words, we need to find some bad traces t₁ = t_M1↾_AM1, t_M1 ∈ c, which is not in AM1err . All those traces t₁ will be provided to NL^*, and it will produce a conjectured assumption 〈(A_M1)₂〉_IA1 again. Similarly, we deal with the component M₂.

Figure 4

The first conjectured assumptions AM1err , AM2err for M₁, M₂

3.2.4. Compositional verification of assumptions

If the interval I_A1 and I_A2 are nonempty, we will check premise 3 of SYM, we need to verify whether ℒ(co〈(A_M1)_i〉_IA1 ‖ co 〈(A_M2)_j〉_IA2) = Ø. Here, the conjectured assumption A_M1 is the one derived after i iterations of learning, similarly for j. PA_M1 is the lower bound of the interval I_A1, similarly for PA_M2.

So ℒ(co〈(A_M1)_i〉_IA1 ‖ co 〈(A_M2)_j〉_IA2) can simplify to ℒ(co〈A_M1〉_≥PAM1 ‖ co 〈A_M2〉_≥PAM2), which can convert into the problem whether a prefix of the infinite trace is not accepted by ℒ(〈AM1err〉≥1-PAM1||〈AM2err〉≥1-PAM2) . Then, counterexample is analyzed by the following process. If the trace t1∈AM1err , we need to find the probability P_M1 of the trace t_M1, if and only if t_M1 ∈ M₁ and t_M1↾_AM1 = t₁. If t_M1 is not unique, we will first return the trace with action fail. If it is nonexistent, we will return the trace with minimum probability for all t_M1. When the returned trace has action fail, the spurious counterexample trace cex(σ₁, c₁) = cex(P_M1, t₁) will not exist in 〈AM1err〉≥1-PAM1 , otherwise it will exist. Note that cex(σ₁, c₁) cannot prove M₁‖M₂ ⊭ 〈P〉_≥PG and it indicates that a trace satisfies the property 〈P〉_≥PG in 〈AM1err〉≥1-PAM1 essentially. So we call it as spurious counterexample trace. Similarly, we return the cex(σ₂, c₂) = cex(P_M2, t₂) as spurious counterexample trace in 〈AM2err〉≥1-PAM2 . When 〈AM1err〉≥1-PAM1 and 〈AM2err〉≥1-PAM2 all have spurious counterexample trace, the spurious counterexample trace cex(σ, c) = cex(P_M1* P_M2, t₁‖t₂) will may exist in ℒ(〈AM1err〉≥1-PAM1||〈AM2err〉≥1-PAM2) . Next, if P_M1*P_M2 > 1 – PG, a prefix of the infinite trace is not accepted by ℒ(〈AM1err〉≥1-PAM1||〈AM2err〉≥1-PAM2) . So we need to use the spurious counterexample traces cex(σ₁, c₁) and cex(σ₂, c₂) to weaken the corresponding assumptions, i.e., t₁ and t₂ will be added in the assumption A_M1 and A_M2 respectively, then the conjectured assumptions must be refined once again. Otherwise, if P_M1*P_M2 ≤ 1 – PG, it will be not a spurious counterexample trace in ℒ(〈AM1err〉≥1-PAM1||〈AM2err〉≥1-PAM2) .

Finally, if any spurious counterexample trace in ℒ(〈AM1err〉≥1-PAM1||〈AM2err〉≥1-PAM2) is nonexistent, we can obtain two assumptions 〈A_M1〉_IA1 and 〈A_M2〉_IA2 to prove M₁‖M₂ ⊨ 〈P〉_≥PG.

3.2.5. Generation of lower and upper bounds

In each iteration of the NL^* algorithm, we can obtain the tightest bounds from the iterative process of assumptions (show in the bottom of Figure 3). If the learning framework cannot provide a definitive result (i.e., the runtime is more than the waiting time), some valuable quantitative information will be returned. For each conjectured assumption, we have a lower bound lb(A, P) and an upper bound ub(A, P) on the probabilistic safety property P.

We can calculate pA*=min(PrM1min(AM1), PrM2min(AM2)) and generate a corresponding adversary σ ∈ Adv_M (M is the component about selected assumption), then we compute 〈A〉≥pA*M〈P〉IG=? through multi-objective model checking [18,33].

For the interval lb(A,P)≤PrM1||M2min(P)≤ub(A,P) , we have:

Theorem 2.

Let M₁, M₂, …, M_n are PAs, for i ∈{1, 2, …, n}, 〈A_Mi〉_≥PAMi is an assumption for the corresponding component M_i, 〈P〉_≥PG is a probabilistic safety property. Their alphabets satisfy α_AMi ⊆ α_M1 ∪ ⋯ ∪ α_Mi–1 ∪ α_Mi+1 ∪ ⋯ ∪ α_Mn, and α_P ⊆ α_AM1 ∪ α_AM2 ∪ ⋯ ∪ α_AMn respectively. co〈A_Mi〉_≥PAMi denotes the co-assumption for M_i which is the complement of 〈A_Mi〉_≥PAMi, the following SYM-N rule holds:

Proof by contradiction.

Assume that the premise 1, 2, …, n + 1 hold, but the conclusion does not. We can obtain an adversary σ ∈ Adv_{M1‖M2‖⋯‖Mn}, such that PrM1||M2||⋯||Mnσ(P)<PG . Now, it follows that:

Our assumption contradicts (27), so this adversary σ is nonexistent. Next, we will use Example 5 to explain the rule.

Example 5.

The example is the extension of Example 1. Figure 5 shows three PAs M₁, M₂, M₃ and a probabilistic safety property 〈P〉_≥0.98. The component M₂ indicates that the time signal may reappear with probability 0.5 before the shutdown signal. We will show the verification process by the method of SYM-N rule.

Similar to Example 1, through multi-objective model checking [18,33], we can acquire three assumptions 〈A〉_{M1 ≥ 0.9}, 〈A〉_{M2 ≥ 1} and 〈A〉_{M3 ≥ 0.8}, which are represented by DFA AM1err , AM2err and AM3err in Figure 6.

Through premise n + 1, we can find a spurious counterexample trace cex(0.2, 〈shutdown〉) in 〈AM1err〉≥0.1 and cex(1, 〈shutdown〉) in 〈AM2err〉≥0 , but corresponding spurious counterexample trace in 〈AM3err〉≥0.2 is nonexistent (since action fail exists). So prefixes of all infinite traces in 〈AM1err〉≥0.1||〈AM2err〉≥0||〈AM3err〉≥0.2 can be accepted by ℒ(〈AM1err〉≥0.1||〈AM2err〉≥0||〈AM3err〉≥0.2) and we can think M₁‖M₂‖M₃ ⊨ 〈P〉_≥0.98 holds.