
2.2 Runtime Quantitative Verification

2.2.3 The Quest for Efficient Runtime Quantitative Verification

2.2.3.3 Parametric Verification

Developing self-adaptive systems typically entails considering uncertainty in system operation due to incomplete system specification at design time and changes occurring in the surrounding environment and the system itself at runtime. Parametric Markov models provide the means of specifying these uncertain aspects for the system under consideration. In these models, transition probabilities are not fixed, but are associated with parameters whose values become known only at runtime and might change during the system operation. Parametric model checking [54] is an approach comprising a design-time step and a runtime step, and enables reasoning about the satisfaction of QoS requirements with low runtime overheads. At design time, through a computationally expensive pre-computation step, QoS requirements are translated into algebraic expressions. At runtime, once the system is within a concrete environment, these algebraic expressions are evaluated by replacing the unknown parameters with the actual values obtained through system monitoring. This runtime evaluation step takes a fraction of the time required to carry out quantitative verification on the actual system model. The approaches described in the following paragraphs focus on the design-time pre-computation step, and more specifically, on deriving the algebraic expressions.

In his pioneering work on parametric model checking, Daws [54] introduces a new language-theoretic approach to symbolic probabilistic model checking of reachability properties over DTMCs. The approach initially converts a DTMC into a finite state automaton in which transition probabilities are modelled as letters of an alphabet. This step is followed by the synthesis of a regular expression that defines the language recognised by the automaton using state elimination algorithms. Subsequently, the derived regular expression is subject to a recursive evaluation that yields a rational algebraic expression for the property to evaluate. Despite its originality and its usefulness for reachability properties, Daws' approach supports neither full PCTL nor reward properties. Another limitation of the approach is that the length of the regular expression is affected heavily by the number of model states $n$, yielding in the worst-case scenario an expression of length $n^{\Theta(\log n)}$.

In [107, 110], the authors draw upon the work presented by Daws [54] and present an effective approach that intertwines state elimination with early evaluation of the rational function. In each iteration of the approach, a state elimination step is followed by on-the-fly simplification of the rational function, taking advantage of cancellations, symmetries and simplifications of arithmetic expressions. Compared to [54], the algorithm requires $n^3$ operations in most cases, showing significant improvements in incurred overheads. In the worst-case scenario, however, the length of the rational function is still $n^{\Theta(\log n)}$. This can occur if no rational function can be simplified during the entire process, a rather uncommon scenario according to the findings in [107, 110]. The approach is the core of the model checker PARAM [109] and has recently been implemented in PRISM [149] and PROPhESY [58].

The WorkingMom framework [76] follows the same principles as [54, 107, 110]. Given a parametric DTMC model of the system and a set of reliability-related QoS requirements, this technique generates a set of algebraic expressions. The computation time depends on the size of the DTMC model, the number of parametric states and the number of outgoing transitions from these states. Extensive experiments reported in [76] for the probabilistic model checkers PRISM [149] and MRMC [133] showed that the time taken by the runtime step of the approach is several orders of magnitude lower than both probabilistic model checkers. An extension of the approach supporting the derivation of algebraic formulae for DTMCs augmented with reward structures is presented in [75]. For an extended version of the works in [76] and [75], see [79].

The work by Hahn et al. [108] takes a different perspective and considers the problem of parameter synthesis of PCTL formulae for parametric models. Instead of generating a rational function that represents a reachability requirement, the approach synthesises the set of parameter values for which the reachability requirement holds. At design time, by recursively applying state space exploration techniques, the parameter space is partitioned into hyper-rectangles, i.e., regions in the dimensions of the model parameters that represent families of models. Each of these regions yields the same outcome throughout, that is, the requirement holds (or does not hold) for all the concrete models resulting from instantiations of the parameters with values in this region. Note that the approach allows a limited state space area to remain unknown; evaluation in this area is very complex and is left undecided. When the system undergoes changes at runtime, it is sufficient to look up these hyper-rectangles and instantaneously assess whether the requirement is still satisfied or not. A preliminary implementation of the approach has been developed as part of PARAM [109].

The approaches presented in this section achieve significant improvements in runtime quantitative verification both in terms of computation time and memory consumption. The computationally expensive model exploration is carried out only once at design time, while runtime complexity reduces to simply evaluating a set of algebraic expressions in [54, 75, 76, 107, 110] or quickly accessing a lookup table in [108]. Enhancing these approaches further to deal with a larger number of parametric transitions relative to the total number of system transitions, as well as with structural model changes, is a thread of current research. However, these approaches are only applicable to discrete-time models, and cannot manage structural changes in the analysed model. As shown in Table 2.3, our RQV variants introduced in the following chapters address these limitations of parametric verification.

Efficient RQV Using Conventional Software Engineering Techniques

Runtime quantitative verification has been advocated by recent research as a suitable technique to support adaptation in software systems [32, 38, 68]. This is mainly because of the capabilities of the technique to deal with environment uncertainty and unexpected changes to requirements or the system itself. The technique has been successfully applied in various application domains including QoS optimisation in service-based systems [33, 68], and dynamic resource management of cloud infrastructure [37, 130].

Despite its capabilities, RQV suffers from the state-explosion problem [48], which limits the size of models that it can manage at runtime without unacceptable overheads. The approaches discussed in Section 2.2.3 are a first step towards reducing these overheads and extending the use of the technique to larger models. Each of these approaches achieves reductions in execution time and/or resources required to perform an RQV step, i.e., to carry out the analysis, to interpret the results, and, if needed, to assemble and execute a reconfiguration plan. Their applicability, however, is limited to certain self-adaptation scenarios and to specific types of stochastic models and properties (see Table 2.3).

To improve RQV efficiency further, we need to consider how the behaviour of a software system affects the use of the technique at runtime, and how RQV carries out the analysis of an RQV step (i.e., an adaptation). To illustrate these concepts, we use the UUV system from Section 2.2.1.1, which is required to adapt to changes in the measurement rates of its on-board sensors by adjusting its speed and the configuration of its sensors. An RQV step is performed either at frequent intervals (e.g., every 5 seconds) or when the sensors undergo changes in their measurement rates (e.g., experience service degradation). When either of these conditions holds, the analysis is executed from the very beginning, irrespective of the extent of the changes. If these changes are minimal, i.e., little difference exists between the current and previously estimated system behaviour, it is possible that similar analysis results were obtained in the recent past. Similarly, if the changes affect only a subset of the UUV sensors, i.e., they are localised [95], we could possibly reuse some of the results already available.

In this chapter, taking into consideration these observations, we introduce a set of complementary techniques to advance the state-of-the-art in RQV. These techniques are extensively used in other areas of software engineering; see Section 3.4 for a discussion of related work. To the best of our knowledge, however, they have not been applied to improve RQV efficiency previously.

First, we consider the caching of recent verification results. Since changes in real-world systems are often (though by no means always) localised, there is a possibility that verification results from recent RQV steps could be reused if retained for some time. Similar to other applications of caching, the aim is to reduce RQV response time (i.e., the time required to perform an RQV step) and CPU usage at the expense of using additional memory.

Second, we augment RQV with limited lookahead, which involves using spare CPU cycles to pre-verify stochastic models deemed likely to arise in the future. Since some RQV steps may require the verification of models that were already pre-verified, the technique has the potential to reduce RQV response time at the expense of increased use of CPU and memory.

Finally, we combine RQV with nearly-optimal reconfiguration, a technique that terminates an RQV step as soon as (i) a system configuration that satisfies QoS requirements is found; and (ii) a stopping criterion is met, e.g., the selected configuration has a similar utility to the best "utility" encountered over a pre-defined time interval.
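The three techniques just introduced (caching of recent results, limited lookahead, and nearly-optimal reconfiguration), as one added example that is not code from the thesis or from the MOOS-IvP extension it describes. The UUV-like model, its sensors, speeds, requirement and utility weights are constructed; the verify() function is a closed-form stand-in for a model-checker query, and the stopping criterion used here (no better utility over a window of further configurations) is an assumed instance of the "similar utility over an interval" criterion in the text.

```python
"""Constructed example: an RQV step with caching, limited lookahead and
nearly-optimal stopping.  verify() stands in for a model-checker query on a
small UUV-like model; every number below is invented for illustration."""
from collections import OrderedDict
from itertools import combinations

# Constructed UUV-like model: sensor -> (reliability p, energy per second).
SENSORS = {"s1": (0.9, 3.0), "s2": (0.7, 2.0), "s3": (0.5, 1.0)}
SPEEDS = [4.0, 3.0, 2.0, 1.0]      # m/s, most desirable first
REQUIRED = 20.0                    # accurate measurements per 10 m of travel

# Configurations = non-empty subset of sensors switched on x vehicle speed.
CONFIGS = [(on, sp) for sp in SPEEDS
           for n in range(1, len(SENSORS) + 1)
           for on in combinations(sorted(SENSORS), n)]

def verify(config, rates):
    """Stand-in for quantitative verification of one configuration.

    Returns (expected accurate measurements per 10 m, energy used per 10 m)
    for the monitored measurement rates 'rates' (measurements/second)."""
    on, speed = config
    seconds = 10.0 / speed
    measured = sum(rates[s] * SENSORS[s][0] * seconds for s in on)
    energy = sum(SENSORS[s][1] * seconds for s in on)
    return measured, energy

def utility(config, result):
    """Constructed utility: favour speed, penalise the energy reported by verify()."""
    return config[1] - 0.1 * result[1]

def quantise(rates, step=0.5):
    """Cache key: rates rounded to a grid, so slightly different models share a result."""
    return tuple(sorted((s, round(r / step) * step) for s, r in rates.items()))

class RQV:
    def __init__(self, capacity=64, lookahead_budget=8, window=3):
        self.cache = OrderedDict()        # LRU cache of (config, key) -> result
        self.capacity = capacity
        self.lookahead_budget = lookahead_budget
        self.window = window              # stopping criterion, see step()
        self.verifications = 0            # number of real verify() calls made

    def verify_cached(self, config, key):
        k = (config, key)
        if k in self.cache:
            self.cache.move_to_end(k)
            return self.cache[k]
        self.verifications += 1
        result = verify(config, dict(key))   # verify the quantised model
        self.cache[k] = result
        if len(self.cache) > self.capacity:
            self.cache.popitem(last=False)   # evict the least recently used entry
        return result

    def step(self, rates):
        """Nearly-optimal reconfiguration: stop once a satisfying configuration
        is known and 'window' further configurations brought no better utility."""
        key = quantise(rates)
        best, best_u, stale = None, float("-inf"), 0
        for config in CONFIGS:
            result = self.verify_cached(config, key)
            u = utility(config, result)
            if result[0] >= REQUIRED and u > best_u:
                best, best_u, stale = config, u, 0
            elif best is not None:
                stale += 1
                if stale >= self.window:
                    break
        return best

    def lookahead(self, rates, step=0.5):
        """Limited lookahead: with spare CPU, pre-verify models one grid step
        away from the current rates, up to 'lookahead_budget' verifications."""
        budget = self.lookahead_budget
        for s in rates:
            for d in (-step, step):
                guess = dict(rates)
                guess[s] = max(0.0, guess[s] + d)
                key = quantise(guess)
                for config in CONFIGS:
                    if budget == 0:
                        return
                    if (config, key) not in self.cache:
                        self.verify_cached(config, key)
                        budget -= 1

if __name__ == "__main__":
    rqv = RQV()
    rates = {"s1": 4.0, "s2": 3.0, "s3": 2.0}
    print(rqv.step(rates), rqv.verifications)                  # 17 of 28 configurations
    print(rqv.step({"s1": 4.2, "s2": 3.0, "s3": 2.0}), rqv.verifications)   # all cache hits
    rqv.lookahead(rates)
    print(rqv.step({"s1": 3.5, "s2": 3.0, "s3": 2.0}), rqv.verifications)
```

The trade-offs from the text are visible in the counters: the first step verifies 17 of 28 configurations instead of all of them, a step after a small (within-grid) rate change verifies none, and a lookahead spends 8 verifications ahead of time so that the next step after a larger change needs only 9 more. The grid step in quantise() is the knob that trades memory and staleness of results for cache hits.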

The main contribution of this chapter is the integration of RQV with caching, limited lookahead and nearly-optimal reconfiguration, and combinations thereof. We introduce these techniques in Section 3.1. Next, in Section 3.2, we present the extension of the open-source platform MOOS-IvP for the development of autonomous systems with RQV capabilities and also describe the implementation of the techniques within this environment. We analyse our findings in Section 3.3. Finally, in Sections 3.4 and 3.5, we conclude the chapter with a discussion of related work, and with a brief summary of our contributions in this chapter, respectively.

3.1 Techniques for Efficient RQV