REQUISITOS DE DISEÑO

Let us recall Chapter 4, where the substitution of a non-absorbing set of states by its abstraction was introduced, see Definition 44 on Page 63. In order to allow for a more general setting, we can identify induced DTMCs as in Definition 41, see Page 58, and replace them either by their abstractions or by their concretizations, respectively.

Definition 55 (DTMC substitution) Assume a DTMC D = (S, I, P, L), a non-absorbing set of states K ⊆ S and the induced DTMC DK _{= (S}K_{, I}K_{, P}K_{, L}K_{). Let D}0 _{= (S}0_{, I}0_{, P}0_{, L}0_{) be a}

5.2. HIERARCHICAL COUNTEREXAMPLE GENERATION

DTMC with Init_D0 = Init_DK, Out_D(K) ⊆ S0absorbing in D0, and S0\ Out_D(K) non-absorbing and disjoint from S \ K. Then the substitution of DK by D0 _{in D is given by D}

DK_7→D0 = (SDK_7→D0, I_DK_7→D0, P_DK_7→D0, L_DK_7→D0) with: • S_DK_7→D0= (S \ K) ∪ S0 • ∀s, s0_{∈ S} DK_7→D0. I_DK_7→D0(s) = I(s) • P_DK_7→D0(s, s0) =      P(s, s0_{) if s /∈ K} P0_{(s, s}0_{) if s, s}0_{∈ S}0 0 otherwise • L_DK_7→D0(s) =      L(s) if s /∈ K L0_{(s) if s ∈ S}0 ; otherwise.

Note that SK = K ] OutD(K), see Definition 41 on Page 58. Having this, we now present a

method to compute the concretization of an abstract DTMC D resulting from the SCC-based model checking procedure, see Algorithm 2 on Page 64. Recall that we stored every abstraction pair for the DTMC D in the set SubD, see Definition 45 on Page 64.

Remark 21 (Abstract states) An abstract DTMC consists of one or more input states that have transitions to other states. These states are replaced by their concretization. In what follows we also speak of abstract states.

We now present the concretization algorithm dedicated to the hierarchical counterexample generation. Intuitively, a number of abstract states are replaced by their concrete counterpart according to the abstraction pairs that were saved during SCC-based model checking. In the resulting DTMC, which we call Dmax, the probabilities of reaching target states is preserved so

this concretized system can be seen as an upper bound on a critical subsystem that could be computed. In order to achieve a refined solution, we also maintain a DTMC Dmin where all

concretized parts are “cut out”. This forms a lower bound on the critical subsystem we want to compute. The algorithm is given in Algorithm 3.

5.2. HIERARCHICAL COUNTEREXAMPLE GENERATION s0 s1 s₂ s3 {target} 1 s₅ s₆ s₈ 1 0.5 0.25 0.25 1 1 1 0.615 0.308 0.077 (a) Abstract DTMC D s₀ s₁ s2 s₃ {target1 } s5 s6 s₇ s8 1 0.5 0.25 0.25 1 1 1

(b) DTMC Dminafter concretization of s6

s₀ s₁ s2 s₃ {target1 } s5 s6 s₇ s8 1 0.5 0.25 0.25 1 1 1 0.5 0.5 0.25 0.5 0.25

(c) DTMC Dmaxafter concretization of s6

Figure 5.2:Concretizing state s₆, resulting DTMCs Dminand Dmax

Algorithm 3

Concretize(DTMC D, Abstractions Sub_D) begin

Booleanconcretized:=false (1)

DTMC Dmin:= ; DTMC Dmax:= D (2)

State s_{a:= ⊥} (3)

whiletrue do (4)

s_a:=FindAbstractState(D, SubD) (5)

if(s_a= ⊥) then (6)

return₍concretized, D_min, D_max) (7)

else (8)

concretized:=true (9)

Let (Dabs, Dconc) ∈ SubD such that sa∈ InitDabs (10) Dmin:=Restrict(D, ED\ EDabs) (11)

Dmax:= DDabs7→Dconc (12)

end if (13)

5.2. HIERARCHICAL COUNTEREXAMPLE GENERATION

Parameters

D is an abstract DTMC D = (S, I, P, L) which results from SCC-based model checking, see Chapter 4.

Sub_D contains all abstraction pairs (Dabs, Dconc) resulting from SCC-based model checking, see Definition 45 on Page 64.

Variables

concretized is a flag and indicates whether at least one state was concretized or not.

Dmin represents the DTMC D where all abstract states due for concretization are removed.

Intuitively, this DTMC has “holes” at these parts such that Dminputs a lower bound on the

reachability probability with respect to the concretization.

Dmax represents the DTMC D where the chosen abstract states are replaced by their concretiza-

tions.

s_a represents the current abstract state which is to be concretized. Its reachability probability is the maximal one that can be achieved by a counterexample.

Return value

The algorithm returns the DTMCs Dminand Dmaxas well as the Boolean variableconcretized

indicating whether at least one state was concretized.

Methods

FindAbstractState(DTMC D, Abstraction Sub_D) chooses heuristically an abstract state s_a

of D which is one of the initial states of an abstract DTMC. Details on suitable heuristics are discussed later.

Restrict_{(D, ED}\ E_{Dabs) restricts the DTMC with respect to a set of transitions, see Definition 54}

on Page 85.

Procedure

First, concretizedis set to false (Line 1). Two DTMCs Dmin and Dmax are created, the

former one is empty, the latter one is the input DTMC (Lines 2-3). The while-loop runs until

FindAbstractState() returns no abstract state, i. e., sa = ⊥ (Line 6). If this is the case, the

resulting DTMCs Dmax and Dmin are returned (Line 7). If no abstract state was chosen during

the procedure, concretized has never been assigned true. In case an abstract state s_{a ∈ S} was chosen, concretizedis assignedtrue (Line 1). Then, the abstraction pair (Dabs, Dconc) is

5.2. HIERARCHICAL COUNTEREXAMPLE GENERATION

selected from Sub_D such that sa is one of their input states (Line 10). The result is saved in Dmin

(Line 11). Finally, the abstraction Dabs is replaced by its concretization Dconc (Line 12). This is saved in Dmax.

Lemma 1 (Correctness ofConcretize) Assume a DTMC D = (S, I, P, L), a set Sub_Daccording to Definition 45 on Page 64 and a set of absorbing target states T ⊆ S in D. Let (true,D_min,D_max)

be the result of the methodConcretize(D,Sub_D). It holds for all s_I∈ Init_D and for all t ∈ T that

PrD_(PathsD

fin(sI, t)) = PDmax(PathsD_finmax(sI, t)).

The correctness of this lemma follows straightforward from the assumption that all pairs (Dabs, Dconc) ∈ Sub have the same reachability probabilities, see Theorem 3 on Page 61 and Corollary 1 on Page 63.

Example 14 To explain the procedure of concretizing states, consider the DTMC D depicted in Figure 5.2(a), where states s₁, s₂ and s₆are abstract while s₀ and s₅ have already been concretized. For the abstraction procedure, see Example 10 on Page 66.

Assume, s_{6 is chosen to be concretized. The resulting DTMCs Dmin and Dmax} are depicted in Figures 5.2(b) and 5.2(c). All abstract transitions leaving s_{6 are removed in Dmin}yielding a “hole” of transitions indicated by the grey rectangle. In Dmax the original transitions of s6 and s7 replace

the abstract ones. Now, Dmincan be locally extended inside this hole by transitions of Dmax.

5.2.1.1 How to choose abstract states

In our toolCOMICS[6] the user has the possibility to choose the states that are to be concretized via the graphical user interface. Besides, we offer several heuristics that govern how these states are chosen and how many states are chosen. For instance, all available abstract states are ordered with respect to the combined probability of their adjacent edges in the current subsystem. The states are then chosen in descending order. In our benchmarks, it performed best to concretize p_{n out of n available abstract states.}