newStates, and subSys are created (Line 3). If SymbModelCheck($\hat{P}$, $\hat{I}$, $\hat{T}$) shows that λ is exceeded, the reachability property is violated and the search for a counterexample starts (Line 2). Otherwise, the algorithm just terminates, returning an empty subsystem since no counterexample exists. The condition of the while-loop invokes model checking for the current subsystem subSys and the initial states and target states (Line 3). The loop runs until SymbModelCheck(subSys, $\hat{I}$, $\hat{T}$) returns a value which is greater than λ, in which case the current subsystem is critical. In every iteration, first the method FindNewStates($\hat{P}$, $\hat{I}$, $\hat{T}$, subSys) returns a set of states which occur on a path or a set of paths through the system (Line 4). If this set is not empty, the current set of states is extended by these new states (Line 6). Afterwards, the current subsystem is extended (Line 7) in the following way: ToTransitionBDD(subSysStates) generates a transition relation between all pairs of found states. Multiplying the resulting BDD and the original transition MTBDD $\hat{P}$ induces a probability matrix $P' \subseteq P$ restricted to transitions between the states in subSysStates. These transitions define the updated subsystem subSys.
Remark 24 The extension as performed in this framework is a symbolic implementation of the extension of a subsystem by states, see Definition 53 on Page 84.
5.5 Explicit path searching algorithms
We now present two search concepts, namely the global search and the fragment search. The first one lists paths leading from initial states to target states of the system in descending order of their probability, as proposed in [HKD09]. The second one was developed in [10] and dynamically finds most probable path fragments that extend the current subsystem.
We give the general concepts in detail and explain how they are implemented for explicit graph representations. We use well-known graph algorithms which are not explained in detail here.
5.5.1 Explicit global search
For finding paths in descending order of their probability we follow the way proposed in [HKD09], see Section 3.1. Here, we call this approach fitted to the generation of critical subsystems a global search.
By transforming a DTMC into a weighted directed graph where the weights are the negative logarithms of the corresponding probabilities, the k shortest paths are the associated k most probable paths. As we cannot fix beforehand how many paths are needed for a counterexample, k is determined according to an external condition on the fly. As already explained in Section 3.1.1, we therefore use the k shortest paths algorithm by Jiménez and Marzal [JM99].
After a path has been found, the framework for explicit counterexample generation, see Algorithm 5 on Page 94, extends the current subsystem by the states or transitions on this path. This procedure is repeated until the subsystem has enough probability mass to be critical. If this is the case, the k shortest path algorithm terminates.
5.5. EXPLICIT PATH SEARCHING ALGORITHMS
To describe the next path to be found formally, let $D = (S, I, P, L)$ be a DTMC and $T \subseteq S$ a set of target states. Let $F \subseteq \mathrm{Paths}^D_{\mathrm{fin}}(\mathrm{Init}^D, T)$ be the set of paths that were already found. The candidates for the next global path are therefore $C_{\mathrm{glob}} = \mathrm{Paths}^D_{\mathrm{fin}}(\mathrm{Init}^D, T) \setminus F$. The next path $\pi_{\mathrm{next}}$ is then given by
$$\pi_{\mathrm{next}} := \operatorname{argmax}_{\pi \in C_{\mathrm{glob}}} P^D(\pi).$$
Note that this path is not unique.
Example 16 Consider again the DTMC D from Example 1 on Page 20:
[Figure: DTMC D from Example 1 with states s0 to s8, s3 labelled {target}; the transition probabilities are not recoverable from the extracted text.]
The model checking probability of reaching the target state s3 is $\mathrm{Pr}^D_{s_0}(\Diamond \mathit{target}) = 0.9175$. We are interested in a counterexample for the violated property $P_{\le 0.7}(\Diamond \mathit{target})$. Subsystems will always be extended by states. The most probable path for this system is
$$\pi_1 = s_0, s_1, s_3, \qquad P^D(\pi_1) = 0.25$$
Thus, we will extend the currently empty subsystem $D'$ by the states of $\pi_1$. We will always highlight the latest paths by thick edges in the subsystem. The reachability probability in this first subsystem is $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.25 < 0.7$.
[Figure: subsystem D' over states s0, s1, s3 ({target}).]
Now, the set of already found paths is $F = \{(s_0, s_1, s_3)\}$. The candidate set for the next most probable path is therefore $C_{\mathrm{glob}} = \mathrm{Paths}^D_{\mathrm{fin}}(s_0, s_3) \setminus F$. We have:
$$\pi_2 = s_0, s_5, s_6, s_3, \qquad P^D(\pi_2) = 0.125$$
The subsystem is then extended by these states. The probability is now $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.375$ which
[Figure: subsystem D' over states s0, s1, s3 ({target}), s5, s6.]
The next path is
$$\pi_3 = s_0, s_2, s_1, s_3, \qquad P^D(\pi_3) = 0.0625$$
This effectively extends the subsystem by state s2 as the other states are already included. The model checking result is now $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.542$, so another search iteration is started.
[Figure: subsystem D' over states s0, s1, s2, s3 ({target}), s5, s6.]
The next path is the first one containing a loop and has the same probability as $\pi_3$:
$$\pi_4 = s_0, s_1, s_2, s_1, s_3, \qquad P^D(\pi_4) = 0.0625$$
As there are no new states on the path, the subsystem is not extended and the model checking result remains 0.542:
[Figure: subsystem D' over states s0, s1, s2, s3 ({target}), s5, s6 (unchanged).]
The next path is:
$$\pi_5 = s_0, s_2, s_4, s_1, s_3, \qquad P^D(\pi_5) = 0.04375$$
Although this path has a relatively small probability, state s4 is added, which induces three transitions yielding the probability mass $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.875$ for the subsystem. Therefore, the subsystem is critical and the search is terminated with the following final subsystem representing a counterexample:
[Figure: final subsystem D' over states s0, s1, s2, s4, s3 ({target}), s5, s6.]
The problem of the global search approach is illustrated by Example 16. Paths containing loops can be found. For large systems, where most of the paths have very small probability, many paths are found that only differ in the iteration of loops. As these paths do not extend the subsystems, this is unwanted behavior which cannot easily be prevented.
Adaptation for hierarchical counterexample generation The global search can directly be used for generating hierarchical counterexamples. Consider the DTMCs $D_{\max}$ and $D_{\min}$ as described in Section 5.2. Paths from $D_{\max}$ according to the global search are incrementally added to $D_{\min}$ by the explicit framework, see Algorithm 5 on Page 94. Note that the "holes" in $D_{\min}$ resulting from concretization steps are not particularly treated here.
5.5.2 Explicit fragment search
In contrast to the global search approach, the fragment search does not aim at finding paths from initial to target states but to identify connected fragments of the search graph. This is achieved by searching for the most probable path that starts and ends in states of the current subsystem. In the context of the whole graph, these paths are called path fragments.
Let $D' = (S', I', P', L')$ with $D' \sqsubseteq D$ be the current subsystem for $D$ and the set of absorbing target states $T$. The candidate set for the next path fragment is $C_{\mathrm{frag}} = \{\pi \in \mathrm{Paths}^D_{\mathrm{fin}}(S' \setminus T, S') \setminus \mathrm{Paths}^{D'}_{\mathrm{fin}}\}$, i.e., the finite paths of the original DTMC $D$ that both start and end in a state of $D'$ while the starting states are not target states. The next path $\pi_{\mathrm{next}}$ is then given by
$$\pi_{\mathrm{next}} := \operatorname{argmax}_{\pi \in C_{\mathrm{frag}}} P^D(\pi).$$
Initially, we set $S' := \mathrm{Init}^D \cup T$. Therefore, the first path is a most probable path leading from an initial state $s_I \in \mathrm{Init}^D$ to a target state $t \in T$.
Remark 25 Algorithmically, for every state of D0 Dijkstra’s algorithm has to be called which is of course very expensive. In our implementation we use a simple trick: We introduce a dummy state which has transitions of equal probability leading to each state of D0. Then, the most probable
path is determined starting from this dummy state which speeds up the computation by orders of magnitude.
Example 17 We give an example similar to Example 16 on Page 100 for the global search approach by means of DTMC D from Example 1 on Page 20:
[Figure: DTMC D from Example 1 with states s0 to s8, s3 labelled {target}; the transition probabilities are not recoverable from the extracted text.]
The model checking probability of reaching the target state s3 is $\mathrm{Pr}^D_{s_0}(\Diamond \mathit{target}) = 0.9175$. We are again interested in a counterexample for the violated property $P_{\le 0.7}(\Diamond s_3)$. Subsystems are extended by states. As the initial subsystem is empty except for initial and target states, the first path is the same as for the global search:
$$\pi'_1 = s_0, s_1, s_3, \qquad P^D(\pi'_1) = 0.25$$
The reachability probability in the first subsystem $D'$ is $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.25 < 0.7$.
[Figure: subsystem D' over states s0, s1, s3 ({target}).]
Now, we search for path fragments starting and ending in states s0, s1 or s3. The most probable path fragment is the loop:
$$\pi'_2 = s_1, s_2, s_1, \qquad P^D(\pi'_2) = 0.25$$
The resulting subsystem $D'$ has a reachability probability of $\mathrm{Pr}^{D'}_{s_0}(\Diamond \mathit{target}) = 0.542$ as three transitions are induced:
[Figure: subsystem D' over states s0, s1, s2, s3 ({target}).]
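The two search concepts of Sections 5.5.1 and 5.5.2 side by side, as an added example that is not code from the thesis or its tool: the global search enumerates initial-to-target paths in descending probability by a best-first search over path prefixes with negative-logarithm weights (the simplest enumeration that yields the same order as a k shortest paths algorithm; it is not an implementation of the algorithm of [JM99]), the fragment search finds the most probable fragment that leaves the current subsystem with a single priority-queue run seeded from every subsystem state (the dummy-state trick of Remark 25), and both extend the subsystem by states and model check it by solving the reachability linear system exactly over rationals. The DTMC `P`, the names `TARGET`, `can_reach`, `reach_prob`, `most_probable_paths`, `global_search`, `most_probable_fragment` and `fragment_search`, and the tie-breaking rule are all my own constructions. The DTMC's transitions among s0 to s6 are my reading of the example figures; the thesis's s7/s8 part is not recoverable from the extracted text, so s6's remaining mass goes to a constructed absorbing non-target state s7. As a consequence the full reachability probability is 7/8 rather than the thesis's 0.9175 and the values after the second fragment differ from Example 17, while the global-search run reproduces the path sequence π1 to π5 of Example 16 exactly, including the loop path π4 that adds no state.

```python
"""Global search (5.5.1) and fragment search (5.5.2) on a constructed DTMC.
Transitions among s0..s6 are my reading of the example figures; the thesis's
s7/s8 part is not recoverable, so s6's remaining mass goes to a constructed
absorbing non-target state s7 (an assumption, not the thesis's model)."""
import heapq
from fractions import Fraction as Fr

P = {  # P[s][t]: transition probability from s to t, as exact rationals
    "s0": {"s1": Fr(1, 2), "s2": Fr(1, 4), "s5": Fr(1, 4)},
    "s1": {"s3": Fr(1, 2), "s2": Fr(1, 2)},
    "s2": {"s1": Fr(1, 2), "s4": Fr(1, 2)},
    "s3": {"s3": Fr(1)},  # absorbing target state
    "s4": {"s1": Fr(7, 10), "s3": Fr(3, 10)},
    "s5": {"s6": Fr(1)},
    "s6": {"s3": Fr(1, 2), "s7": Fr(1, 2)},
    "s7": {"s7": Fr(1)},  # constructed absorbing sink (stands in for s7/s8)
}
TARGET = {"s3"}

def can_reach(P, states, target):
    """States of `states` that reach T using only transitions inside `states`."""
    good, new = set(), {t for t in target if t in states}
    while new:
        good |= new
        new = {s for s in states if s not in good and any(t in good for t in P[s])}
    return good

def reach_prob(P, states, s_init, target):
    """Pr_{s_init}(<> T) in the subsystem induced by `states`: mass leaving the
    subsystem is lost. Solves x_s = sum_t P(s,t) x_t exactly (Gauss-Jordan)."""
    good = can_reach(P, states, target)  # every other state has probability 0
    if s_init not in good:
        return Fr(0)
    unknowns = sorted(good - target)
    idx = {s: i for i, s in enumerate(unknowns)}
    n = len(unknowns)
    A, b = [[Fr(0)] * n for _ in range(n)], [Fr(0)] * n
    for s in unknowns:
        i = idx[s]
        A[i][i] += 1
        for t, p in P[s].items():
            if t in target and t in good:
                b[i] += p
            elif t in good:
                A[i][idx[t]] -= p
    for i in range(n):
        piv = next(r for r in range(i, n) if A[r][i] != 0)
        A[i], A[piv], b[i], b[piv] = A[piv], A[i], b[piv], b[i]
        for r in range(n):
            if r != i and A[r][i] != 0:
                f = A[r][i] / A[i][i]
                A[r], b[r] = [a - f * c for a, c in zip(A[r], A[i])], b[r] - f * b[i]
    return Fr(1) if s_init in target else b[idx[s_init]] / A[idx[s_init]][idx[s_init]]

def most_probable_paths(P, s_init, target):
    """Yield s_init -> T paths in descending probability: best-first search over
    prefixes (weight -log P), so the caller fixes k on the fly. Ties: shorter
    path first, then lexicographic (the argmax is not unique)."""
    relevant = can_reach(P, set(P), target)  # never extend into states that miss T
    heap = [(-Fr(1), 1, (s_init,))]
    while heap:
        negp, _, path = heapq.heappop(heap)
        if path[-1] in target:  # absorbing target: report, do not extend further
            yield path, -negp
            continue
        for t, p in P[path[-1]].items():
            if t in relevant:
                heapq.heappush(heap, (negp * p, len(path) + 1, path + (t,)))

def global_search(P, s_init, target, lam):
    """5.5.1: add the states of each newly found path until Pr > lam (critical)."""
    if reach_prob(P, set(P), s_init, target) <= lam:
        return set(), []  # property holds, so there is no counterexample
    states, found = set(), []
    for path, prob in most_probable_paths(P, s_init, target):
        found.append((path, prob))
        states |= set(path)
        if reach_prob(P, states, s_init, target) > lam:
            return states, found

def most_probable_fragment(P, sub, target):
    """Most probable path of D that starts in sub minus T, leaves sub with its
    first transition and ends in sub. Seeding the queue with all start states at
    once is the dummy-state trick of Remark 25: one Dijkstra-style run, not one
    per state. (A fragment whose prefix stays inside sub has a suffix that is a
    fragment of at least the same probability, so the restriction loses nothing.)"""
    relevant = can_reach(P, set(P), target)
    heap = [(-Fr(1), 1, (s,)) for s in sorted(sub - target)]
    heapq.heapify(heap)
    while heap:
        negp, _, path = heapq.heappop(heap)
        if len(path) > 1 and path[-1] in sub:
            return path, -negp
        for t, p in P[path[-1]].items():
            if t in relevant and (len(path) > 1 or t not in sub):
                heapq.heappush(heap, (negp * p, len(path) + 1, path + (t,)))
    return None

def fragment_search(P, s_init, target, lam):
    """5.5.2: start from Init ∪ T, add the most probable fragment until critical."""
    if reach_prob(P, set(P), s_init, target) <= lam:
        return set(), []
    states, found = {s_init} | set(target), []
    while reach_prob(P, states, s_init, target) <= lam:
        frag = most_probable_fragment(P, states, target)
        if frag is None:
            break
        found.append(frag)
        states |= set(frag[0])
    return states, found
```

Calling `global_search(P, "s0", TARGET, 0.7)` returns the critical subsystem {s0, s1, s2, s3, s4, s5, s6} after the five paths of Example 16 (probabilities 1/4, 1/8, 1/16, 1/16, 7/160), with the subsystem probabilities 1/4, 3/8, 13/24, 13/24 and finally 7/8 along the way; `fragment_search(P, "s0", TARGET, 0.7)` needs three fragments, s0 s1 s3, then the loop s1 s2 s1, then s2 s4 s1, and is critical at 3/4 with only five states. The `relevant` pruning in both searches is the same observation as Remark 25's cost concern in another guise: states that cannot reach a target contribute nothing, and without dropping them a probability-1 self-loop such as the constructed s7 would keep the enumeration busy forever on paths of equal probability.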