2.5 Probabilistic counterexamples
In this section we give a short introduction to counterexamples for probabilistic reachability properties. The concepts presented here are basically taken from Han, Katoen and Damman in [HKD09] as this work can be considered as the basic foundation for this thesis.
Intuitively, a counterexample for a DTMC D = (S, s_I, P, L), a set of target states T ⊆ S, and an upper probability bound λ ∈ [0, 1] ⊆ ℚ is a set of paths starting in s_I and ending in a target state out of T such that the combined probability mass of these paths exceeds the bound. For a PA M, a counterexample specifies a deterministic memoryless scheduler σ and a counterexample for the induced DTMC M^σ. Formally, we first fix the set of paths that can be part of a counterexample, so-called evidences for the violation of a PCTL state formula of the form P_{≤λ}(◊T).
Definition 35 (Evidence and counterexample) Given a DTMC D = (S, s_I, P, L) and a PCTL state formula ψ = P_{≤λ}(◊T) such that D ⊭ ψ. A path π ∈ Paths^D_fin(s_I, T), i. e., π ⊨ ◊T, is called an evidence for the violation of the PCTL path formula ◊T in D. Path π is called a shortest evidence iff there exists no other evidence π′ which is a proper prefix of π.
A counterexample for D and ψ is a set of shortest evidences C_ψ ⊆ Paths^D_fin(s_I, T) such that C_ψ ⊭ ψ.
An evidence is a finite path contributing to the violation of a property with respect to the probability. A counterexample is a set of finite paths—shortest evidences—whose cumulated probability mass leads to the violation of the PCTL property. For the reachability property ψ = P_{≤λ}(◊T), a counterexample is a set C_ψ ⊆ Paths^D_fin(s_I, T) such that
$$\Pr^{D}_{s_I}(C_\psi) = \sum_{\pi \in C_\psi} P^{D}(\pi) > \lambda.$$
Note that as the shortest evidences are all stochastically independent paths, the probability computation consists just of computing the sum over all paths. Analogously, if we have a strict bound on the probability, i. e., ψ = P_{<λ}(◊T), it suffices to actually reach the probability bound for the counterexample C_ψ:
$$\Pr^{D}_{s_I}(C_\psi) = \sum_{\pi \in C_\psi} P^{D}(\pi) \geq \lambda.$$
Counterexamples for reachability properties are the main focus of this thesis. The reduction of Until-formulae can be done as follows.
Reduction of until-formulae to reachability for DTMCs Both model checking and counterexample generation for PCTL properties like ψ = P_{≤λ}(a U b) can be reduced to the handling of mere reachability properties. Consider the following simple transformation of a DTMC D = (S, s_I, P, L) where ψ is violated:
• For all s ∈ S with b ∈ L(s) set P(s, s′) = 0 for all s′ ∈ S \ {s} and P(s, s) = 1.
• For all s ∈ S with a, b ∉ L(s) set P(s, s′) = 0 for all s′ ∈ S \ {s} and P(s, s) = 1.
Basically, all states that are labeled with b as well as all states that are labeled with neither a nor b are made absorbing. Now, the only non-absorbing states are those labeled with a. Thereby, every path that reaches a b-labelled state satisfies a U b. By checking the probability of reaching b-states we actually compute the probability of the path formula a U b in the original DTMC.
[Figure 2.6: DTMC D_inf inducing an infinite set of paths as counterexample for property P_{<0.5}(◊target); states s0, s1, s2, s3, s5, with s3 labelled target.]
Lower bounds on the probability for DTMCs If reachability properties together with a lower bound on the probability occur, the computation of counterexamples can be reduced to the case of upper bounds by considering sets of paths that do not reach the target states T but end in bottom SCCs without states from T. Formally, we fix B ⊆ S \ T as the set of these bottom SCCs. Then we have ψ = P_{≥λ}(◊T) and a counterexample C_ψ ⊆ Paths^D_fin(s_I, B) such that P^D(C_ψ) > (1 − λ). The intuition is that if the probability of not satisfying the reachability property is higher than 1 − λ, then the lower bound λ on satisfying the reachability property cannot be reached.
We refer again to [HKD09] for further details on counterexamples for, e. g., step bounded reachability.
ω-regular properties for DTMCs We already discussed that model checking ω-regular properties on DTMCs can be reduced to computing reachability probabilities, see Section 2.3.3.1. The same holds for computing counterexamples of ω-regular properties.
Definition 36 (Counterexample for ω-regular properties) Let D = (S, s_I, P, L) be a DTMC, 𝓛 be an ω-regular property and 𝒜 = (Q, q_I, Σ, δ, F) be a DRA with 𝓛(𝒜) = 𝓛. Let D ⊗ 𝒜 = (S × Q, (s, q)_I, Act, P′, L′) be the product of D and 𝒜. Let 𝓑 = {B_1, . . . , B_n} ⊆ 2^{S×Q} be the accepting BSCCs of D ⊗ 𝒜 and λ ∈ [0, 1] ⊆ ℚ be an upper probability bound. Let T_𝓑 = {s ∈ S × Q | ∃B ∈ 𝓑. s ∈ B}.
A counterexample for D and 𝓛 is defined as a counterexample for D and the PCTL state formula P_{≤λ}(◊T_𝓑).
A counterexample for an ω-regular property is thereby simply a counterexample for a reachability property where the states of the accepting BSCCs from 𝓑 serve as target states.
To give a short intuition on the problems of path-based counterexamples, we discuss a short example. The number of paths that are needed to form a counterexample might be very large. In case of strict probability bounds it can even be infinite [HKD09]. This is illustrated by the following example.
Example 7 (Infinite number of paths) Consider the DTMC D_inf depicted in Figure 2.6, which is a slightly modified version of the DTMC D of Figure 2.1 on Page 20, and the set of target states T = {s3}. We are interested in the reachability property P_{<0.5}(◊T) with a strict probability bound of 0.5. The probability of reaching the only target state s3 is 0.5 here, so the property is violated. In order for a set of paths to form a counterexample it would need to have the exact reachability probability 0.5. The set of all paths leading to s3 from the initial state is given by:
$$C = \{\pi_i \in Paths^{D_{inf}}_{fin} \mid \pi_i = s_0 s_1 (s_2 s_1)^i s_3,\ i \in \mathbb{N}\} = Paths^{D_{inf}}_{fin}(s_0, s_3)$$
The probability of this set of paths can be computed as follows:
$$\Pr^{D_{inf}}_{s_I}(C) = \sum_{i \in \mathbb{N}} 0.5 \cdot (0.5 \cdot 1)^i \cdot 0.5 = 0.5 \cdot \sum_{i \in \mathbb{N}} (0.5)^i \cdot 0.5 = 0.5 \cdot \frac{1}{1 - 0.5} \cdot 0.5 = 0.5 \quad \text{(using the geometric series)}$$
So, this infinite set of paths has exactly the probability $\Pr^{D_{inf}}_{s_I}(C) = 0.5$ and forms the only possible counterexample.
Although this example might seem unrealistic, there are actually many examples and practical case studies where the number of needed paths is exponentially larger than the number of states of the DTMC under consideration [HKD09].
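As an added illustration of Definition 35, of the until-to-reachability reduction above and of Example 7 (this is example code written for this section, not code from the thesis or from [HKD09]), the following Python prototype enumerates shortest evidences in order of decreasing probability and accumulates them into a counterexample. The transition structure of D_inf is reconstructed from the path set and probabilities stated in Example 7 and is marked as constructed in the code; the labelling of states with a and b is an assumption made only to exercise the reduction.

```python
import heapq
from fractions import Fraction as F
# Constructed from Figure 2.6 / Example 7 (D_inf): s0 -0.5-> s1, s0 -0.5-> s5,
# s1 -0.5-> s2, s1 -0.5-> s3, s2 -1-> s1, s3 and s5 absorbing; exact arithmetic.
D_INF = {"s0": {"s1": F(1, 2), "s5": F(1, 2)}, "s1": {"s2": F(1, 2), "s3": F(1, 2)},
         "s2": {"s1": F(1)}, "s3": {"s3": F(1)}, "s5": {"s5": F(1)}}
LABELS = {"s0": {"a"}, "s1": {"a"}, "s2": {"a"}, "s3": {"b"}, "s5": set()}  # assumed

def until_to_reachability(P, labels, a, b):
    """The section's two bullets: make b-states and states with neither a nor b
    absorbing, so that P(a U b) equals the probability of reaching a b-state."""
    P2 = {s: ({s: F(1)} if (b in labels[s] or not ({a, b} & labels[s])) else dict(succ))
          for s, succ in P.items()}
    return P2, {s for s in P if b in labels[s]}

def can_reach(P, targets):
    """States from which T is reachable; paths leaving this set (e.g. into s5) never become evidences."""
    reach = set(targets)
    while True:
        new = {s for s, succ in P.items() if s not in reach
               and any(p > 0 and t in reach for t, p in succ.items())}
        if not new:
            return reach
        reach |= new

def shortest_evidences(P, s_init, targets, limit):
    """Shortest evidences (Def. 35) in non-increasing probability order (best-first search on
    path probability); a path is emitted, not extended, on first hitting T, so no proper prefix is itself an evidence."""
    useful = can_reach(P, targets)
    heap, found = [(-F(1), (s_init,))], []
    while heap and len(found) < limit:
        neg_p, path = heapq.heappop(heap)
        if path[-1] in targets:
            found.append((path, -neg_p))
            continue
        for t, p in P[path[-1]].items():
            if p > 0 and t in useful:
                heapq.heappush(heap, (neg_p * p, path + (t,)))
    return found

def counterexample(P, s_init, targets, bound, strict=False, limit=50):
    """Accumulate shortest evidences until their mass exceeds the bound (or reaches it
    for a strict bound P<lambda). Returns (evidences, mass), or None when `limit`
    evidences do not suffice, as for D_inf and P<0.5 in Example 7."""
    chosen, mass = [], F(0)
    for path, p in shortest_evidences(P, s_init, targets, limit):
        chosen.append(path); mass += p
        if mass > bound or (strict and mass == bound):
            return chosen, mass
    return None
```

For P_{<0.5}(◊{s3}) the accumulated mass after k evidences is 0.5 · (1 − 0.5^k), so the search gives up at the limit exactly as Example 7 predicts, while for a non-strict bound such as P_{≤0.4} three evidences already suffice.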
What remains is to give a formal definition of counterexamples for PAs. As mentioned in the beginning, the crucial point here is to compute a scheduler that induces a DTMC where the actual counterexample is formed. Note that it might not be beneficial to just compute the maximizing scheduler as explained in Section 2.3.1.2.
Definition 37 (Counterexample for PAs) Given a PA M = (S, I, Act, P, L) and a PCTL formula ψ such that M ⊭ ψ, a counterexample for M and ψ is a pair (σ, C_ψ) such that σ is a