Fast Parametric Model Checking through Model Fragmentation
Xinwei Fang, Radu Calinescu, Simos Gerasimou, Faisal Alhwikem
FFast Parametric Model Checking through ModelFragmentation
Xinwei Fang
Department of Computer ScienceUniversity of York, UK [email protected]
Radu Calinescu
Department of Computer ScienceUniversity of York, UK [email protected]
Simos Gerasimou
Department of Computer ScienceUniversity of York, UK [email protected]
Faisal Alhwikem
Department of Computer ScienceUniversity of York, UK [email protected]
Abstract —Parametric model checking (PMC) computes alge-braic formulae that express key non-functional properties of asystem (reliability, performance, etc.) as rational functions of thesystem and environment parameters. In software engineering,PMC formulae can be used during design, e.g., to analysethe sensitivity of different system architectures to parametricvariability, or to find optimal system configurations. They canalso be used at runtime, e.g., to check if non-functional require-ments are still satisfied after environmental changes, or to selectnew configurations after such changes. However, current PMCtechniques do not scale well to systems with complex behaviourand more than a few parameters. Our paper introduces a fastPMC (fPMC) approach that overcomes this limitation, extendingthe applicability of PMC to a broader class of systems thanpreviously possible. To this end, fPMC partitions the Markovmodels that PMC operates with into fragments whose reacha-bility properties are analysed independently, and obtains PMCreachability formulae by combining the results of these fragmentanalyses. To demonstrate the effectiveness of fPMC, we show howour fPMC tool can analyse three systems (taken from the researchliterature, and belonging to different application domains) withwhich current PMC techniques and tools struggle.
Index Terms —Parametric model checking, discrete-timeMarkov chains, non-functional properties
I. I
NTRODUCTION
Parametric model checking (PMC) [1]–[4] is a formaltechnique for analysing the reliability and performance ofsystems with stochastic behaviour. The underlying conceptsare very simple. Consider a foreign exchange trading (FX)system that obtains up-to-date currency exchange rates fromtwo external web services, by first invoking one of the services,and only invoking the other service if the first service is busy(i.e., if its invocation times out). If the probabilities that thetwo services are not busy are p and p , then the systemwill successfully obtain the exchange rates with probability p succ = p + (1 − p ) p .Expressing the non-functional properties of software sys-tems as closed-form formulae like this has numerous benefits. i.e., mathematical expressions containing constants, variables and simplebinary operations ( + , − , × , / , etc.) that can be computed in constant time At design time, the PMC formulae can be evaluated veryefficiently to compare architectures associated with differentparameter values, e.g., in software product lines [5], [6]. Atruntime, they can be used to efficiently re-verify the sat-isfaction of non-functional requirements after environmentalparameter changes [7], and to select new optimal values for theconfiguration parameters [8], [9]. They also enable the analysisof the non-functional property sensitivity to variations in thesystem parameters [10], and the computation of confidenceintervals for the analysed non-functional properties [11], [12].For instance, if the FX system from our earlier example mustoperate with p succ ≥ . and its developers know (e.g., fromservice-level agreements) that p ≥ . , they can compute theminimum acceptable success probability for the second webservice as p = (0 . − . / (1 − .
95) = 0 . . As anotherillustration, if unit testing is used to establish [0 . , . as a . confidence interval for both p and p from our FX example,then a . ≈ . confidence interval for p succ is given by [min p ,p ∈ [0 . , . p succ , max p ,p ∈ [0 . , . p succ ] = [0 . , . .Of course, for non-trivial systems neither the PMC cal-culations nor the formulae they produce are this simple. Infact, they both become so complex that, despite significantadvances in recent years, current PMC methods [1]–[3] andmodel checkers [13]–[15] do not scale well (i.e., time out, runout of memory, or yield formulae that are too large to evaluate)for many realistic systems with more than a few parameters.Our paper introduces a fast PMC (fPMC) technique thatcomplements the advances from [1]–[3], enabling the effi-cient parametric model checking of reachability propertiesfor parametric discrete-time Markov chains (pDTMCs) ofsystems with more complex behaviour and larger numbers ofparameters than previously possible. fPMC extends and auto-mates a recently proposed theoretical framework for efficientparametric model checking [4].As shown in Fig. 1, fPMC uses a divide-and-conquer strat-egy to partition a pDTMC under analysis into fragments (i.e.,subsets of model states and transitions that satisfy well-definedrules detailed later in the paper) accompanied by fragment- a r X i v : . [ c s . S E ] F e b DTMC Modelfragmentation StandardPMCReachabilityproperty Abstractmodel FragmentPMC formulaeFragmentPMC formulaeAbstract modelPMC formulaFragment+reachabilityproperties StandardPMCFragment+reachabilityproperties StandardPMC fPMC closed-formanalytical model
Fig. 1: Fast parametric model checking processlevel reachability properties, and derives an abstract model forthe analysed pDTMC by replacing each of its fragments witha single state. The fPMC fragments and abstract model arepDTMCs in their own right, and can be analysed individually(using standard PMC techniques [1]–[3]) to produce a setof PMC formulae whose combination provides a closed-formanalytical model for the system-level property of interest.The main contributions of our paper are:1) The first model fragmentation algorithm for the auto-mated partition of pDTMCs into fragments with thecharacteristics defined by our theoretical frameworkfrom [4], which shows how model fragments can beexploited, but does not provide a generally applicablemodel fragmentation technique.2) New theoretical results that allow the formation of modelfragments from subsets of pDTMC states that do not(initially) meet the definition of a fragment. The newresults define valid pDTMC structural modifications thatenable the formation of model fragments of the right sizefor their “standard” PMC analysis to be feasible.3) A prototype fPMC tool that implements the new modelfragmentation algorithm and theoretical results intro-duced in the paper. The fPMC tool invokes the Stormmodel checker [15] for the PMC of model fragments,fully automating the synthesis of closed-form analyticalmodels for the analysed reachability properties.4) An extensive evaluation that demonstrates the fPMC ef-fectiveness at analysing pDTMC reachability propertiesfor systems from three application domains.We organised the rest of the paper as follows. Section IIprovides the required background on parametric model check-ing. Section III introduces a running example that we use toillustrate the use of our fPMC technique, which are detailed inSection IV. Sections V and VI describe our fPMC implementa-tion and evaluation, respectively. Finally, Section VII discussesrelated work, and Section VIII summarises our results andsuggests directions for future research.II. P
RELIMINARIES
A. Parametric Model Checking
Parametric model checking (PMC) is a formal techniquefor the symbolic analysis of Markov chains whose transition probabilities are specified as rational functions over a set ofcontinuous variables [1]–[3]. Formally, a parametric discrete-time Markov chain is a tuple D = ( S, s , P , L ) , where: S is afinite set of states; s ∈ S is the initial state; P : S × S → [0 , is a transition probability matrix such that for any states s, s (cid:48) ∈ S , P ( s, s (cid:48) ) gives the probability of transitioning from s to s (cid:48) , and, for any s ∈ S , (cid:80) s (cid:48) ∈ S , P ( s, s (cid:48) ) = 1 ; L : S → AP is a labelling function that maps every state s ∈ S to elementsof a set of atomic propositions AP that hold in that state. Astate s ∈ S is absorbing if P ( s, s ) = 1 and P ( s, s (cid:48) ) = 0 forall s (cid:54) = s (cid:48) , and a transient state otherwise.When used in software performance and reliability engi-neering, the pDTMC states map to relevant configurationsof the modelled system; and pDTMC transitions capturepossible transitions between those states, corresponding to thefeasible changes between their associated configurations. PMCis supported by the probabilistic model checkers PARAM [13],PRISM [14] and Storm [15]. These tools compute closed-form formulae for pDTMC properties specified in probabilisticcomputation tree logic (PCTL) [16]–[18] and defined (as inprobabilistic model checking [19]–[23]) by the grammar: Φ ::= true | a | Φ ∧ Φ | ¬ Φ | P =? [Ψ]Ψ ::= X Φ | Φ U Φ | Φ U ≤ k Φ (1)where Φ is a state formula and Ψ is a path formula , k ∈ N > is a timestep bound and α ∈ AP is an atomic proposition.The PCTL semantics is defined using a satisfactionrelation | = over the states S . Given a state s of a Markovchain D , s | = Φ means “ Φ holds in state s ”, and we have:always s | = true ; s | = a iff a ∈ L ( s ) ; s | = ¬ Φ iff ¬ ( s | = Φ) ;and s | = Φ ∧ Φ iff s | = Φ and s | = Φ . The time-boundeduntil formula Φ U ≤ k Φ holds for a path iff Φ holds inthe first i < k path states and Φ holds in the ( i + 1) -thpath state; and the unbounded until formula Φ U Φ removesthe bound k from the time-bounded until formula. The nextformula X Φ holds if Φ is satisfied in the next state. The stateformula P =? [Ψ] specifies the probability that paths startingat a chosen state s satisfy a path property Ψ . Reachabilityproperties P =? [ true U Φ] are equivalently written as P =? [ F Φ] or P =? [ F R ] , where R ⊆ S is the set of states in which Φ holds.For a full description of the PCTL semantics, see [16], [17]. B. Parametric Model Checking Using Model Fragments
We summarise the concept of a pDTMC fragment and itsexploitation by the PMC approach introduced in [4], where theresults from this section are taken from. As shown in Fig. 2,a fragment of a pDTMC D = ( S, s , P , L ) is a tuple F = ( Z, z , Z out ) , (2)where: Z ⊂ S is a subset of transient MC states; z isthe (only) input state of F , i.e., { z } = { z ∈ Z | ∃ s ∈ S \ Z . P ( s, z ) > } ; Z out = { z ∈ Z | ∃ s ∈ S \ Z . P ( z, s ) > } is the non-empty set of output states of F , and all outgoingtransitions from the output states are to states outside Z \{ z } ,i.e., P ( z, z (cid:48) ) = 0 for all ( z, z (cid:48) ) ∈ Z out × ( Z \ { z } ) . utputstatesinputstate innerstates z Z out Z \ ( { z }∪ Z out ) { { { outgoingtransitionsto statesin S \ Z incomingtransitionsfromstates in S \ Z { { Fig. 2: Fragment of a pDTMC modelFragments are not strongly connected components (SCCs)of the graph induced by the pDTMC states and transitions.For instance, the “inner states” region of the fragment fromFig. 2 can contain one or more SCCs, and an outgoingtransition from an output state in Z out can reach a state s comprising an outgoing transition back to the input state z .Any subset of model states satisfying the constraints describedearlier in this section form a fragment. However, partitioninga pDTMC or a part of a pDTMC into fragments is notalways possible. For example, fully connected subsets of statescannot be split into fragments because none of their states canbe an inner fragment state (as shown in Fig. 2) as it willhave incoming transitions from outside states and outgoingtransitions to outside states; restructuring using the techniquesdescribed later in Section IV-B is not possible either, as thepremises for these techniques are violated.The theoretical framework from [4] shows that, if a fragment F of a pDTMC D is identified, then the “monolithic”, one-step PMC of reachability, unbounded until and (not coveredin our paper) reward properties [24] of D can be replaced bythe following equivalent steps:1) Compute PMC formulae for the probabilities of reachingall the output states of fragment F starting from its inputstate z ; this amounts to the PMC of Z out reachabilityproperties of a pDTMC built from F removing theincoming transitions of z and by replacing the outgoingtransitions of each output state in Z out with a “self-loop”transition of probability .2) Build an abstract pDTMC model D (cid:48) from D by replac-ing the states in Z and their internal transitions with asingle state z (cid:48) whose incoming transitions (and transitionprobabilities) are those of z . Additionally, state z (cid:48) hasoutgoing transitions to every state that one or morestates from Z out have outgoing transitions to in D ; andthe probabilities of these transitions can be expressedin terms of the reachability properties computed instep 1. Due to space constraints, we do not provide theexpressions for these transition probabilities in the paper;the interested reader can find them in [4]. i.e., the directed graph comprising a vertex for each pDMTC state and anedge between each pair of vertices that correspond to pDTMC states betweenwhich a transition is possible
3) Compute the PMC formula for the original propertyunder analysis, for the abstract model from step 2.4) Combine the PMC from step 1 and the PMC formulafrom step 3 into a system of equations.The system of equations from step 4 provides a closed-formanalytical model for the analysed property. This analyticalmodel is equivalent to the PMC formula obtained by analysingthe original pDTMC in one step.Because the PMC analyses from steps 1 and 3 are performedon models that are smaller and simpler than D , this four-stepPMC approach is often faster, produces much simpler closed-form expressions, or succeeds for more complex models thanmonolithic PMC can handle. However, no method for parti-tioning pDTMCs into fragments is proposed in [4]. Instead,the approach is only exploited for specific types of component-based systems (i.e., service-based systems and multi-tier archi-tectures) for which: (i) pDTMCs can be obtained by combiningmanually pre-built pDTMC models of their components; and(ii) the component pDTMCs form fragments in the systempDTMC. This limits the applicability of the approach (to spe-cific types of systems for which new pDTMCs are assembledfollowing this recipe), requires additional effort and expertise,and can be error prone due to the manual steps involved.III. R UNNING E XAMPLE
We illustrate our fPMC approach using a six-operationservice-based system from the area of foreign exchange trad-ing (FX) introduced in [25], [26]. The FX system implementsthe workflow shown in Fig. 3 and described briefly below.
FX description.
A trader can use FX in two execution modes.In the expert mode, FX runs a loop that analyses marketactivity, identifies patterns that satisfy the trader’s objectives,and automatically carries out trades. Thus, the
Market watch operation extracts real-time exchange rates (bid/ask price) ofselected currency pairs. This data is used by a
Technicalanalysis operation that evaluates the current trading conditions,predicts future price movement, and decides if the trader’sobjectives are: (i) “met” (causing the invocation of an
Order service to carry out a trade); (ii) “not met” (resulting in a new
Market watch invocation); or (iii) an error occured (triggeringan
Alarm operation to notify the trader about discrepan-cies/opportunities not covered by the trading objectives). In the normal mode, FX assesses the economic outlook of a countryusing a
Fundamental analysis operation that collects, analysesand evaluates information (e.g., news reports, economic dataand political events), and provides an assessment on thecountry’s currency. If satisfied with this assessment, the tradercan use the
Order operation to sell/buy currency; then, a
Notification operation confirms the completion of the trade.Given its business-critical nature, assume that the softwarearchitect aims at designing an FX system with high reliabil-ity. Thus, for the i -th operation FX uses two functionally-equivalent service implementations and adopts a sequentialexecution strategy with retry (SEQ R) based on which thetwo services per operation are invoked in order. If the firstservice fails, it is re-invoked with probability r i , whereas arket Watch Technical AnalysisFundamental Analysis AlarmOrder Notificationexpert modenormal mode x1-x do transcationobjectives not met errorobjectives metretry end1-y1-y2y2y1z1 z21-z1-z2 Fig. 3: FX service-based system, where x , y , y , z , z arethe (unknown) probabilities of different execution paths serviceimplementationsparameters1234567891011121314151617181920212223242546474849505152 dtmcconst double x; const double y1; const double y2; const double z1; const double z2; const double p11; const double r11; const double p12; const double r12; const double p21; const double r21; const double p22; const double r22; const double p31; const double r31; const double p32; const double r32; const double p41; const double r41; const double p42; const double r42; const double p51; const double r51; const double p52; const double r52; const double p61; const double r61; const double p62; const double r62; module WorkflowFXs: [0..11] init //FX state rtr: [1..2] init //retry status of each service implementation op1:[1..2] init
1; op2:[1..2] init
1; op3:[1..2] init //employed service implementation op4:[1..2] init
1; op5:[1..2] init
1; op6:[1..2] init //for each operation op1..op6// Start: expert or normal mode [ fxStart ] s = → x :(s’=1) + (1-x):(s’=4); //Operation [ op11 ] (s = = = → p11:(s’=2)&(op1’=1)&(rtr’=1) + 1-p11:(rtr’=2) [ op11r ] (s = = = → r11:(s’=1)&(op1’=1)&(rtr’=1)+ 1-r11:(op1’=2)&(rtr’=1) [ op12 ] (s = = = → p12:(s’=2)&(op1’=1)&(rtr’=1) + 1-p12:(rtr’=2) [ op12r ] (s = = = → r21:(s’=1)&(op1’=2)&(rtr’=1) + 1-r21:(s’=9) //Operation [ op21 ] (s = = = → p21:(s’=7)&(op2’=1)&(rtr’=1) + 1-p21:(rtr’=2) [ op21r ] (s = = = → r21:(s’=2)&(op2’=1)&(rtr’=1)+ 1-r21:(op2’=2)&(rtr’=1) [ op22 ] (s = = = → p22:(s’=7)&(op2’=1)&(rtr’=1) + 1-p22:(rtr’=2) [ op22r ] (s = = = → r22:(s’=2)&(op2’=2)&(rtr’=1) + 1-r22:(s’=9) ......//Technical Analysis Result [ TAResult ] (s = → y1:(s’=5) + y2:(s’=1) + 1-y1-y2:(s’=3) //Fundamental Analysis Result [ FAResult ] (s = → z1:(s’=5) + z2:(s’=0) + 1-z1-z2:(s’=4) [ failedFX ] (s = → [ successFX ] (s = → endmodule operationalprofilesequential execution strategy with retryfor the Market Watch operationDecision basedon technicaland fundamentalanalysis outcomesFX final states(trade completedsuccessfully orfailed) Fig. 4: pDTMC model of the FX system.the operation is attempted using the second service withprobability − r i . If the execution of the second service fails,it is retried with probability r i ; otherwise, with probability − r i , the entire system execution fails. Finally, assumethat the selected service implementations per FX operationis based on the analysis results of the system-level probabilityof successfully completing the handling of a request. FX pDTMC.
Fig. 4 shows the pDTMC of the FX systemspecified in the modelling language of the PRISM modelchecker [14]. The model comprises a
WorkflowFX modulemodelling the FX workflow (lines 9–52), and the parametersassociated with the operational profile (line 2) and with the initial successFXfailedFX
Fig. 5: The directed graph induced by the FX pDTMC fromFig. 4, showing the initial, failedFX and successFX states.service implementations for each FX operation (lines 3–8); p ij and r ij signify the probability of successful execution and theprobability of retrying the i -th operation using the j -th serviceimplementation, respectively. The model uses parameters bothfor the operational profile of the system and for its configurableaspects because the former is typically unknown when themodel is produced, and the latter enables the exploration andselection of good configuration parameter values.Within the WorkflowFX module, the local variable s (line10) models the state of the FX system, while op i (line 12–13) and retry (line 11) encode the employed service im-plementation per operation and the retry status of a serviceimplementation, respectively. Following the selection of theexpert FX mode (line 15), the Market watch operation withretry and two service implementations is executed (lines 16–20). The first service implementation succeeds with probability p and FX moves to the Technical analysis operation, failswith probability − p and retries with probability r (lines 17–18); otherwise, the second service implementationis executed and succeeds or is re-invoked with probabilities p and r , respectively. If both service implementations fail,the FX execution terminates (line 50). The other FX operationsfunction similarly (lines 21–45) but we omit their details dueto space constraints. The pDTMC model of the FX systemproduces the directed graph shown in Fig. 5, which comprises29 states and 58 transitions and with the initial, failed andsuccessful states coloured in blue, red and green, respectively.Given this pDTMC model, we used PRISM [14] andStorm [15] to obtain the closed-form PMC formula for theprobability of successfully handing a request (i.e., to reach thesucceed state) encoded in PCTL as P =? [F s = 10] . Despitethe small number of states and transitions, neither modelchecker was able to compute the formula within an hour (ona computer with the specification from Section VI-B). Weexplain next how fPMC supports the computation of thoseformulae through automated model fragmentation.IV. F PMC A
PPROACH
A. Markov Chain Fragmentation Algorithm
The fPMC partition of a pDTMC into fragments is per-formed by function F
RAGMENTATION from Algorithm 1. Thisfunction takes three arguments: • the graph G ( V, E ) induced by the pDTMC; the set of states R whose reachability P =? [ F R ] is beinganalysed; • a threshold parameter α ≥ whose role is described below,and returns a set of pDTMC fragments FS , i.e., a set of tupleswith the structure from Equation (2). As not all pDTMC statescan be included into a fragment that follows the definition fromSection II-B (e.g., states whose only outgoing transition is aself-loop transition do not satisfy the constraints associatedwith any type of fragment state), we extend this definitionto include single-state fragments F = ( { s } , s, { s } ) for anypDTMC state s .The algorithm starts by placing into FS single-state frag-ments for each state in the reachability set R (line 2). Wepreserve the elements of R as single-state fragments so theyend up as states in the fPMC abstract model (see Fig. 1 andthe description from Section II-B), so the reachability property P =? [ F R ] (which refers to these states) can be analysed forthe abstract model. Next, the algorithm generates additionalfragments in each iteration of the for loop from lines 3–25 asfollows. First, a node z not yet included in any fragment isselected (line 3) and inserted into the fragment state set Z ,while the fragment output set Z out is initialised to the emptyset (line 4). A stack T is then populated with the states reachedby outgoing transitions from z by invoking (in line 6) thefunction T RAVERSE from Algorithm 2. Each state w from thisstack is processed by the while loop from lines 7–19, endingup in Z out if it satisfies the constraints associated with outputfragment states (lines 9 and 10). When w does not satisfythese constraints, two options are possible (lines 12–16): • If Z has accumulated fewer states than the threshold α ,the graph traversal function T RAVERSE is invoked againto add to the stack the predecessor and successor verticesof w that are not already in the fragment (line 13). • Otherwise, a restructuring of the graph (see Section IV-B)is invoked (line 15) to “force” w into becoming an outputstate, and thus to enable the formation of a fragment.In this way, the threshold α provides a soft upper boundfor the fragment size, deciding whether fPMC will continuemodel traversal (adding states into the stack) or attempt modelrestructuring by forcing the currently analysed state to becomean output state. As the result, a larger α is expected to lead tolarger fragments. When this bound, α , is reached, the modelrestructuring techniques detailed in Section IV-B are usedto force the formation of a valid fragment. The fragmentcandidate ( Z, z , Z out ) finalised by the while loop is then“downgraded” to a single-state fragment if it does not meetthe definition from Section II-B (lines 20–22), after which it isadded to the fragment set FS (line 23). Additionally, the states Z of this fragment are added to the set R of states alreadyassigned to fragments (line 24), ensuring that the loop startingin line 3 does not reuse them to form other fragments. The selection order for z has an impact on the fragmentation of thepDTMC, and thus on its parametric model checking time; however, findingthe best selection order is outside the scope of this paper. Algorithm 1 pDTMC model fragmentation function F RAGMENTATION ( G ( V, E ) , R, α ) FS ← { ( { r } , r, { r } ) | r ∈ R } for all z ∈ V \ R do Z ← { z } , Z OUT ← {} T ← E MPTY S TACK () T RAVERSE ( G , z , T, FS , R, Z, true ) (cid:46) Alg. 2 while ¬ E MPTY ( T ) do w ← T. P OP () if { i | ( i,w ) ∈ E } ⊆ Z ∧ { o | ( w,o ) ∈ E } ⊆ V \ Z then Z OUT ← Z OUT ∪ { w } else if Z < α then T RAVERSE ( G , w, T, FS , R, Z, false ) (cid:46) Alg. 2 else R ESTRUCTURE ( G , w ) (cid:46) Section IV-B end if end if Z ← Z ∪ { w } end while if ¬ V ALID F RAGMENT (( Z, z , Z OUT )) then Z ← { z } , Z OUT ← { z } end if FS ← FS ∪ { ( Z, z , Z OUT ) } R ← R ∪ Z end for return FS (cid:46) set of fragments end function Finally, the T
RAVERSE function from Algorithm 2 takes avertex w and examines its incoming edges (if w is not theinitial fragment state z , lines 2–11), and its outgoing edges(at all times, lines 12–21). Vertices connected to w by theseincoming and outgoing edges and not already in the set offragment states Z are collected into the input vertex set I (line 3) and output vertex set O (line 12), respectively. Theformer are then added to the stack T if none of them belongsto an existing fragment (lines 4 and 5). Otherwise, the non-input vertex w has incoming edge(s) from another fragment,violating the condition that incoming transitions to inner andoutput fragment states are only allowed from states withinthe same fragment; hence, w becomes a single state fragmentand the graph traversal is terminated (lines 6–9). Lastly, ifthe output set O has at least a vertex not in other fragments(line 13), growing the fragment under construction with w ’ssuccessors may be feasible, and thus the for loop in lines 14–21 places the O vertices not in other fragments on the stack T (line 16) and attempts to restructure the graph to allowfragment formation if these vertices are already part of otherfragments (line 18).Due to space constraints, the full analysis of Algorithms 1and 2 is provided as supplementary material on our projectwebpage. Here, we note that the algorithms are guaranteedto produce a set of valid fragments, comprising: (i) thedegenerate, single-state fragments created in lines 2 and 21of F RAGMENTATION and in line 7 of T
RAVERSE ; (ii) thefragments that “pass” the validation from line 20 of F
RAG - MENTATION , which we assume correct. Furthermore, bothalgorithms terminate. T
RAVERSE terminates because each ofits statements (including the assembly of the vertex sets I a) Auxiliary state insertion to force formation of fragment containing the new states among its output states(b) Transition replacement to force creation of output fragment state Fig. 6: Model restructuring techniques supporting fragment formation
Algorithm 2
Traversal of pDTMC induced graph function T RAVERSE ( G ( V, E ) , w, T, FS , R, Z, isInput ) if ¬ isInput then (cid:46) w is not the fragment’s input I ← { i | i / ∈ Z ∧ ( i, w ) ∈ E } if I ⊆ V \ R then T. P USH ( I ) else FS ← FS ∪ { ( { w } , w, { w } ) } R ← R ∪ { w } return end if end if O ← { o | o / ∈ Z ∧ ( w, o ) ∈ E } if O (cid:54)⊆ R then for all o ∈ O do if o / ∈ R then T. P USH ( o ) else R ESTRUCTURE ( G , w ) (cid:46) Section IV-B end if end for end if end function and O , and its only for loop) operate with a finite numberof vertices. F RAGMENTATION terminates because: (i) eachiteration of its for loop adds at least one vertex (i.e., z ) to R in line 24 until V \ R = {} in line 3 (since V is a finite set)and the loop terminates; (ii) its while loop terminates sinceit iterates over the elements of stack T that can only containone instance of vertices from the finite set V and is thereforefinite too; and (iii) R ESTRUCTURE invocations can only add afinite number of vertices to V , as we show in the next section. B. Model Restructuring to Aid Fragment Formation
While the model fragmentation from §IV-A is guaranteedto produce valid fragments, the success of fPMC also dependson these fragments being neither too small nor too large.Small fragments may yield a large abstract model that may beunfeasible to analyse using standard PMC (Fig. 1); however, inour experience, the pDTMCs whose PMC we want to speed up comprise many loops (cf. Fig 5) that preclude the formation ofonly small fragments. In contrast, fragments that are too largefor standard PMC are more likely to be obtained. As such,fPMC uses the threshold α to decide when to attempt to forcethe formation of a fragment in line 15 from Algorithm 1, andfurther attempts to enable fragment formation in line 18 fromAlgorithm 2, in the two scenarios below.1) When a state z of a fragment under construction hasboth outgoing transitions to inner fragment states and n ≥ outgoing transitions (of probabilities p , p , . . . , p n ) to states s , s , . . . s n not in the fragment (Fig 6a, left). In this case, theaddition of one auxiliary state z (cid:48) i for each outgoing transitionto a state s i , i = 1 , , . . . , n (Fig 6a, right) enables theformation of a fragment that includes the auxiliary states asoutput states. Each auxiliary state z (cid:48) i has an incoming transitionof probability p i from state z , and an outgoing transition ofprobability going to state s i .
2) When a non-input state z of a fragment under construc-tion has m ≥ incoming transitions (of probabilities p i , p i ,. . . , p im ) from states s i , s i , . . . s im outside the fragment,and n ≥ outgoing transitions (of probabilities p o , p o , . . . , p on ) to states s o , s o , . . . s on not in the fragment (Fig 6b,left). In this case, each of the m transitions from a state s ij to z , j = 1 , , . . . , m , can be replaced by n transitions fromstate s ij to states s o , s o , . . . s on (Fig 6b, right), where theprobability of transition from s ij to s ok , k = 1 , , . . . , n , isset to p ij p ok .Note that the restructuring process is invoked halfwaythrough the construction of a fragment, when Z OUT has not yetbeen finalised. Thus, the model restructuring process can applyto any state z that satisfies one of the above scenarios and thatwe may want to include into Z OUT , but cannot because one ofthe constraints from the definition of a fragment is violated.
Theorem 1.
Applying the model restructuring techniques from Using a single auxiliary state z (cid:48) obtained by combining states z (cid:48) , z (cid:48) ,. . . , z (cid:48) n is also possible, but leads to more complex expressions for the newtransition probabilities, so we did not opt for it in the current version of fPMC. ig. 6 to a pDTMC does not affect its reachability properties.Proof. Consider the sets Π and Π (cid:48) of all paths (i.e., se-quences of possible states and state transitions) that satisfya reachability property P of a pDTMC D = ( S, s , P , L ) before and after model restructuring is applied to change it to D (cid:48) = ( S (cid:48) , s , P (cid:48) , L ) , respectively. According to the semanticsof PCTL [16], [17], we need to show that Pr s (Π) =Pr (cid:48) s (Π (cid:48) ) , where Pr s is a probability measure defined overall paths π = s s s . . . s n starting in the initial state s ofpDTMC D such that Pr s ( π ) = (cid:81) n − i =0 P ( s i , s i +1 ) , and Pr (cid:48) s is a similarly defined probability measure for D (cid:48) . We focuson the paths that differ between Π and Π (cid:48) , and show that Pr s (Π \ Π (cid:48) ) = Pr (cid:48) s (Π (cid:48) \ Π) for each technique in turn.1) A path from Π \ Π (cid:48) has the form π = s ω zs i ω forsome i ∈ { , , . . . , n } and subpaths ω , ω , with ω ending inone of the states from the reachability state set. For any suchpath π , there is a corresponding path π (cid:48) = s ω zz (cid:48) i s i ω ∈ Π (cid:48) \ Π , and the other way around . We have Pr s ( π ) =Pr s ( s ω ) P ( z, s i )Pr s ( s i ω ) = Pr s ( s ω ) p i Pr s ( s i ω ) =Pr (cid:48) s ( s ω ) P (cid:48) ( z, z (cid:48) i ) P (cid:48) ( z (cid:48) i , s i ) Pr (cid:48) s ( s i ω ) = Pr (cid:48) s ( π (cid:48) ) , so thetheorem holds for the first restructuring technique.2) A path from Π \ Π (cid:48) has the form π = s ω s oj zs ik ω ,with j ∈ { , , . . . , m } , k ∈ { , , . . . , n } , and subpath ω ending in one of the states from the reachability state set. Path π has a corresponding path π (cid:48) = s ω s oj s ik ω ∈ Π (cid:48) \ Π , andthe other way around , and it is straightforward to show that Pr s ( π ) = Pr (cid:48) s ( π (cid:48) ) since P ( s ij , z ) P ( z, s ok ) = P (cid:48) ( s ij , s ok ) ,which completes the proof.From the two model restructuring techniques, only thefirst increases the number of pDTMC states – with as manyauxiliary states as there are ougoing transitions from state z to states outside the fragment under construction. Because(i) the pDTMC has a finite number of states, each with a finitenumber of outgoing transitions; and (ii) the auxiliary statesdo not require the application of the first technique (as theyhave a single outgoing transition), it follows that the maximumnumber of auxiliary states that fPMC may create is also finite. C. fPMC Application to the Running Example
Applied to the pDTMC and reachability property for the FXsystem from our running example (which current parametricmodel checkers cannot analyse, cf. §III), our fPMC tool (runfor α = 6 ) generated the model fragmentation from Fig. 7. Thefive single-state and eight multi-state fragments (13 fragmentsin total) comprise 49 states and 83 transitions compared to the29 states and 58 transitions of the original pDTMC (Fig. 5),with the additional states and transitions due to the modelrestructuring techniques from §IV-B. The end-to-end compu-tation of a closed-form analytical model for the FX successprobability took fPMC 4.43s, and the algebraic formulae ofthis model contain 1,456 arithmetic operations and took 0.002sto evaluate in Matlab (on a computer with the specificationfrom Section VI-B). As for all fPMC experiments presentedin the paper, we carefully checked the correctness of ourPMC formulae by ensuring that their evaluation for randomly initial successFXfailedFX Fig. 7: Fragmentation of the pDTMC model from the runningexample (with the 13 fragments depicted in different colours)generated combinations of parameter values produced thesame numerical results (subject to negligible rounding errors)as those obtained by running the probabilistic model checkersPRISM [14] and Storm [15] to analyse the non-parametricMarkov chains obtained by replacing the pDTMC parameterswith these random values.V. I
MPLEMENTATION
To ease the evaluation and adoption of fPMC, we developeda prototype Java tool that implements Algorithms 1 and 2from §IV. The tool invokes the model checkers PRISM [14]and Storm [15] to obtain the pDTMC transition probabilitymatrix, and to compute the PMC formulae for the pDTMCfragments and abstract model, respectively. The open-sourcefPMC prototype, the full experimental results summarisednext, additional information about fPMC and the case studiesused for its evaluation are available on our project webpageat https://github.com/xinwei2124/fPMC ICSE.VI. E
VALUATION
A. Research Questions
We carried out experiments to answer the following threeresearch questions (RQs).
RQ1 (Effectiveness): Can model fragmentation improvePMC efficiency and extend its applicability?
We assessedwhether fPMC can speed up PMC compared to PRISM [14]and Storm [15], and whether our approach enables the analysisof models that these model checkers cannot handle.
RQ2 (Scalability): How does the number of parameters ina pDTMC model affect the ability of fPMC to fragment themodel and compute closed-form formulae?
As the numberof pDTMC model parameters is a factor influencing theperformance of current PMC solutions, we investigated howfPMC performs as the number of such parameters increases.
RQ3 (Configurability): What is the impact of the hyperpa-rameter α on fPMC? We examined how different threshold α values, i.e., the only fPMC hyperparameter (cf. Algorithm 1),affect fPMC in terms of the number of operations in thecomputed closed-form analytical model and execution time. . Experimental Setup We evaluated fPMC for three software systems and pro-cesses taken from related research [4], [5], [25], [27], [28]and belonging to different application domains. We selectedthese systems because (i) their Markov models include hyper-parameters that can be tuned to devise pDTMCs with variousnumbers of states S and transition probability matrices P ;and (ii) without changing the pDTMC structure, several non-trivial transition probabilities in P can become parameters, thusincreasing the number of parameters within the model. Due tospace constraints, we only provide brief descriptions of thesesystems; full details are available from [4], [5], [25], [27], [28]. FX System.
We have presented the high-level overview of theFX system in Section III and the pDTMC corresponding to thesequential execution strategy with retry (SEQ R) in Fig. 4. Wealso consider the strategies below for executing between 1–5functionally-equivalent service implementations per operation:SEQ: The services are invoked in order, stopping after thefirst successful invocation or after the last service fails.PAR: All services are invoked in parallel (i.e., simultane-ously), and the operation uses the result returned by thefirst service terminating successfully.PROB: A probabilistic selection is made among the availableservices with the total probability being equal to 1.PROB R: Similar to PROB, but if the selected service fails,it is retried with a given probability (as in SEQ R).
PL System.
This product line system (PL) [5], [28] modelsthe process in various vending machines that enable a user toinsert coins and select a beverage, based on which the vendingmachine delivers the beverage and, if needed, gives changes.The features of this system comprises the beverage type (soda,tea, or both), payment mode (cash or free) and taste preference(e.g., add lemon, sugar) enabling the derivation of vendingmachines, and accordingly the definition of pDTMCs, whosestructures contain between 4 and 22 features.
COM Process.
We consider a communication (COM) pro-cess [27] among n identical individuals, inspired by the waythat honeybees emit an alarm pheromone to recruit workersand protect their colonies from intruders. Due to the self-destructive defence behaviour in social insects, the recruitedworkers die after completing their defence actions. Hence,a balance between efficient defence and preservation of acritical workers mass can be found. The induced pDTMCis a stochastic population model with n parameters. Thequantitative analysis of such stochastic models of multi-agentsystems is often challenging because the dependencies amongthe agents within the population make the models complex.We compare fPMC against the leading PMC model checkersPRISM (version 4.6) and Storm (version 1.5.1), both withtheir default settings. For a fair comparison, we ensured thatboth PRISM and Storm can process at least the simplerpDTMCs of these systems. We run each experiment usingfPMC, PRISM and Storm, and observe (i) the time required to compute the PMC formulae, with a 60-minute timeout (thelower the execution time the better); and (ii) the number ofarithmetic operations in the devised formulae (formulae withfewer arithmetic operations can be evaluated faster).All experiments were performed on a MacBook Pro (early2015) with 2.7GHz dual Core Intel i5 processor and 8GBRAM. The source code, the full Markov models and reach-ability properties, and all experimental results are publiclyavailable at https://github.com/xinwei2124/fPMC ICSE. C. Results & Discussion
RQ1 (Effectiveness).
Table I shows the execution time, thenumber of arithmetic operations of the computed closed-formformulae and the number of fragments devised by fPMC usingFX system variants with different execution strategies andnumber of functionally-equivalent service implementations peroperation. The size of the derived pDTMCs ranges from 11states and 22 transitions (SEQ with 1 service implementation)to 208 states and 399 transitions (PAR with 5 services).For all pDTMCs of FX variants, fPMC succeeded incomputing all closed-form formulae within the 60 minutestimeframe (fPMC column) taking . s for the simplest models,and just under 240s for most models with the exceptionof SEQ R with 5 services for which fPMC took ≈ s .In contrast, Storm computed the formulae for eight of 21pDTMCs ( ≈ ) with the majority being the simplest modelsacross all execution strategies, except from PROB variants forwhich Storm produced all formulae. Finally, PRISM computedthe PMC formulae for four of the 21 pDTMCs ( ≈ ), whichagain were the pDTMCs with the fewest states and transitions.Similar results were obtained for the four analysed PLsystem variants (with 4, 16, 18 and 22 features) whose resultsare shown in Table II. Considering column P100, for instance,the most difficult case in which the transition probabilitymatrix P comprises only parameters (i.e., no transition is setto a constant value), fPMC returned the closed-form formulaein less than ≈ s in the worst case. Neither Storm nor PRISMsucceeded in any of the four PL system variants for P .While fPMC outperforms both Storm and PRISM whenhandling complex models with several parameters, we noticedan interesting behaviour with simpler models (for FX andPL) and simpler properties (for COM). In particular, for thesimplest FX models with SEQ, PAR and PROB strategiesand 1–2 services (cf. Table I) mostly Storm, and occasion-ally PRISM, computed the formulae faster than fPMC. Thisbehaviour occurs for PL system models up to P in Table II( of the total pDTMC parameters were maintained) andproperties P − P , P − P for the COM process (Ta-ble III). Since both Storm and PRISM represent internallythe induced pDTMCs with advanced data structures (e.g.,sparse matrices, binary decision diagrams) and use sophisti-cated reachability analysis algorithms, this behaviour is logicalfor models and reachability properties that can exploit thesefeatures. As we have demonstrated, however, these featuresalone cannot handle reachability properties for pDTMCs withcharacteristics similar to those of the most complex modelsABLE I: Parametric model checking for the FX system showing the execution time, the number of arithmetic operations ofthe closed-form formulae and the number of fragments devised by fPMC. STG α = ∞ ) Storm PRISM fPMC fPMC ( α = ∞ ) Storm PRISM fPMC fPMC ( α = ∞ ) SEQ
PAR
PROB
SEQ R
PROB R
Notation – STG: strategy adopted for the functionally-equivalent service implementations per FX operation; α =15 except from SEQ R α =3 ;fPMC ( α = ∞ ) : fPMC variant where the invocation of the R ESTRUCTURE function in Algorithm 1 is disabled; T: timeout–no result returned in 60min.
TABLE II: Parametric model checking for four variants of the PL system (with 4,16,18 and 22 features) showing the executiontime and the number of arithmetic operations ( α = 10 , and for the pDTMC with 22 features α = 5 . Percentage of parameters in the pDTMCpDTMC Model checker P01 P10 P20 P30 P40 P50 P60 P70 P80 P90 P100Time (s) fPMC
Time (s)
Storm
Time (s)
Time (s) fPMC
Time (s)
Storm
Time (s)
Time (s) fPMC
Time (s)
Storm
Time (s)
Time (s) fPMC
Time (s)
Storm
Time (s)
Notation – P ,...,P : percentage of pDTMCparameters maintained – the others are set to random values ∈ [0 , preserving the pDTMC structure; T: timeout–no result returned within 60 minutes. in Tables I–III. This observation indicates the potential ofa hybrid probabilistic model checker that uses fPMC andStorm/PRISM interchangeably based on the pDTMC structureand reachability property.Considering the complexity of the derived closed-formformulae as a factor of the number of involved arithmeticoperations, we observe that for all systems and all variants,the complexity increases as the model complexity (states andtransitions) increases. For instance, for the FX system with SEQ R strategy (the motivating example) the arithmetic op-erations for the fPMC-computed formulae increase from 3068to ≈ K as the number of functionally-equivalent servicesincreases from two to five. In general, the fPMC-producedformulae contain fewer operations than those produced byStorm or PRISM. This observation is evident in Table III,where the closed-form analytical models derived from fPMCinclude K − K operations for all properties, whereas, inmany cases, the formulae produced by Storm and PRISM areABLE III: Parametric model checking of reachability prop-erties P ,...,P from [27] for the COM process with n = 20 individuals (parameters) and α = 50 , showing the executiontime and the number of arithmetic operations of the derivedformulae. The pDTMC has 234 states and 444 transitions. P very large (between several megabytes and 167MB) and couldnot be analysed using our experimental machine.These findings indicate that fPMC, underpinned by themodel fragmentation algorithm, significantly speeds up theparametric model checking of reachability properties by sev-eral orders of magnitude, produces closed-form analyticalmodels of modest complexity, and enables the analysis ofpDTMCs that leading probabilistic model checkers cannothandle. Also, the use of systems from different applicationdomains, whose induced pDTMCs have distinct characteristicsin terms of model structure and complexity, provides evidencesupporting the general applicability of fPMC. This conclusionis reinforced by the fact that the fragmentation is completelyautomated and does not require any domain knowledge orhuman intervention (cf. Algorithms 1 and 2).
RQ2 (Scalability).
We answer this research question byanalysing how increasing the number of parameters in apDTMC (i.e., the number of transition probabilities specifiedas rational functions), affects the execution time and complex-ity of formulae computed by fPMC, Storm and PRISM. Weused the four PL system variants and varied the number ofparameters in these models as a percentage of the total modelparameters, setting the remaining parameters to randomlyselected constant values that preserve the pDTMC structure.For all pDTMCs, we started from 1% (P01), continuing inincrements of 10% (P10), 20% (P20) etc. until all transitionprobabilities are given by rational functions (P100).Table II shows the PMC results for the four PL variants.For all PMC approaches, as expected, increasing the numberof pDTMC model parameters incurs a corresponding increasein the execution time and formulae complexity. Both Storm and PRISM, however, exhibit exponential growth in these twometrics until P60, and fail to produce any formula from P70thereafter. In fact, some of the formulae comprise as many as3.91M and 1.17M arithmetic operations for PRISM and Storm,respectively. In contrast, fPMC terminates successfully in allcases, consuming at most 94s, indicating that fPMC is barelyinfluenced by the increase in model parameters. This insight isalso supported by the result that the fPMC-computed closed-form analytical models contain at most 261K operations.Considering these results, we have strong empirical evi-dence indicating that the higher the percentage of transitionprobabilities specified as rational functions over the totalnumber of transition probabilities, the more apparent is theperformance gap favouring fPMC over Storm and PRISM.Accordingly, fPMC can support the derivation of closed-formanalytical models for reachability properties whose associatedpDTMCs specify as much as 100% transition probabilities asrational functions in the evaluated pDTMCs.
RQ3 (Configurability).
Columns fPMC and fPMC ( α = ∞ )in Table I compare the fPMC performance with the soft upperbound for the fragment size enabled and disabled, respectively.Clearly, using α extends the applicability of the fPMC, reducesits execution time and produces analytical models with asmaller number of operations. Fig. 8 shows the executiontime and number of operations for the closed-form analyticalmodels for threshold α ∈{ , .., } for the FX system from ourrunning example. The general pattern indicates that larger α values, contribute to longer execution times and larger formu-lae, thus negatively influencing the fPMC performance. Sincefor larger α the model restructuring techniques are invokedless often, the computed formulae are unsurprisingly morecomplex. However, we observe a ‘sweet spot’ for α ∈ { ,.., } signifying that fragments of those sizes produce the mosteffective pDTMC fragmentation. These findings illustrate thatenhancing fPMC with mechanisms enabling the automatedselection of α values (e.g., based on the pDTMC structure)can extend further its applicability; this is left for future work. D. Threats to Validity
We limit construct validity threats that may originate fromsimplifications and assumptions made when establishing theexperimental methodology using the pDTMCs and reachabilityproperties from three publicly-available software systems andprocesses, also used in related research [4], [5], [25], [27],[28].We mitigate internal validity threats that could introducebias when identifying cause-effect relationships in our exper-iments by designing independent research questions and eval-uating the effectiveness, scalability and configurability (sensi-tivity) of fPMC. To further reduce the risk of biased results,we compared fPMC against the latest versions of the leadingprobabilistic model checkers Storm [15] and PRISM [14] thatwere available when we conducted the evaluation. We alsoperformed experiments using multiple variants of the studiedsoftware systems and process, and evaluated the correctnessof all the fPMC-computed formulae by adopting the approach
The value of the hyperparameter, T i m e i n s e c ond s ( Log S c a l e ) The value of the hyperparameter, N u m be r o f O pe r a t i on s ( Log S c a l e ) Fig. 8: Impact of the threshold α on the fPMC time (top) andfPMC expression complexity (bottom) for the FX systemdescribed in Section IV-C. Finally, we enable replication andverification of our findings by making all experimental resultspublicly available online.We limit external validity threats that could affect thegeneralisability of our findings by evaluating fPMC usingpDTMCS of systems and processes from three different appli-cation domains (i.e., service-based systems [29], [30], softwareproduct lines [31], [32], communication processes [33], [34]).Furthermore, we carried out experiments to check that fPMCcan work with pDTMCs containing up to 83 parameters,incurring modest increase in execution time with the com-puted closed-form analytical models containing significantlyfewer arithmetic operations than those produced by the modelcheckers PRISM and Storm. We reduce further the risk thatfPMC might be difficult to use in practice by developing anfPMC prototype tool that requires the same domain expertisefor specifying pDTMCs as for using PRISM and Storm.However, additional experiments are needed to confirm thatfPMC can analyse pDTMCs modelling other software systemsand processes than those employed in our evaluation.VII. R ELATED W ORK
Introduced by Daws [1] less than two decades ago, paramet-ric model checking has been significantly advanced throughthe use of rational PMC expression characteristics such assymmetry and cancellation properties [2], and of polynomialfactorisation and strongly connected component decomposi-tion [3]. Both the former advance (implemented by the modelcheckers PARAM [13], PRISM [14] and Storm [15]) and thelatter (implemented, to the best of our knowledge, only byStorm [15]) have greatly improved the scalability of PMC by ensuring that simpler expressions than those from [1] areproduced during the parametric model checking process.However, the objective of all these PMC techniques isto compute a single closed-form expression. The size andcomplexity of this expression grow rapidly as the analysedpDTMCs become larger and have more parameters, until itscomputation is no longer feasible, or the expression is so largethat its evaluation is impractical. Our fPMC technique employsa divide-and-conquer strategy that is completely different fromthe PMC techniques from [1]–[3]. As such, for many large orcomplex models, and for models with many parameters, fPMCreplaces the often unfeasible task of computing extremely largeexpressions with feasible tasks that involve the computation ofmultiple much simpler expressions. By additionally leveragingthe existing PMC techniques for the computation of thesesimpler expressions, fPMC manages to successfully handlemuch larger pDTMCs than previously possible.Our PMC theoretical framework from [4], which fPMC ex-tends and automates, is complementary to the work presentedin this paper. As detailed in §II-B, this approach requiresmanual assembly of the analysed pDTMC by an expert,which is time consuming, error prone, and only feasible forspecific classes of component-based systems. To the best ofour knowledge, fPMC is the first approach that can tackle thePMC of parametric Markov models of the complexity and withthe number of parameters illustrated in §VI.VIII. C
ONCLUSION
We presented, implemented and evaluated fPMC, an au-tomated model fragmentation technique that enables the fastparametric model checking of reachability properties for sys-tems with complex stochastic behaviour and large numbersof parameters. fPMC complements, leverages and extends theapplicability of current PMC techniques and tools, so thatclosed-form analytical models can be computed for additionalclasses of systems. Given the usefulness of such analyticalmodels in software engineering and other disciplines, we planto continue to develop fPMC.Our next steps in this project will focus on extendingthe types of properties handled by fPMC with unboundeduntil (§II-A) and reward [24] PCTL properties, on developingadditional model restructuring techniques to support the fPMCmodel fragmentation, and on investigating how the selectionof node z affects the performance of fPMC, thus improv-ing model fragmentation further via z -informed selectionstrategies. Finally, we will extend fPMC with support forhierarchical fragmentation so that large fragments and abstractmodels are further partitioned into smaller models, makingPMC applicable to even larger systems.A CKNOWLEDGEMENT
This project has received funding from the ORCA HubPRF project ‘Continual Verification and Assurance of RoboticSystems under Uncertainty’, the UKRI project EP/V026747/1‘Trustworthy Autonomous Systems Node in Resilience’, andthe Assuring Autonomy International Programme.
EFERENCES[1] C. Daws, “Symbolic and parametric model checking of discrete-timeMarkov chains,” in
First International Conference on Theoretical As-pects of Computing (ICTAC) , 2005, pp. 280–294.[2] E. M. Hahn, H. Hermanns, and L. Zhang, “Probabilistic reachability forparametric Markov models,”
International Journal on Software Tools forTechnology Transfer , vol. 13, no. 1, pp. 3–19, 2011.[3] N. Jansen, F. Corzilius, M. Volk, R. Wimmer, E. ´Abrah´am, J. P. Katoen,and B. Becker, “Accelerating parametric probabilistic verification,” in , 2014, pp. 404–420.[4] R. Calinescu, C. A. Paterson, and K. Johnson, “Efficient parametricmodel checking using domain knowledge,”
IEEE Transactions on Soft-ware Engineering , vol. PP, pp. 1–1, 2019.[5] C. Ghezzi and A. M. Sharifloo, “Model-based verification of quantitativenon-functional properties for software product lines,”
Information andSoftware Technology , vol. 55, no. 3, pp. 508–524, 2013.[6] ——, “Verifying non-functional properties of software product lines:Towards an efficient approach using parametric model checking,” in , 2011,pp. 170–174.[7] G. Su, D. S. Rosenblum, and G. Tamburrelli, “Reliability of run-timequality-of-service evaluation using parametric model checking,” in , 2016, p.73–84.[8] A. Filieri, C. Ghezzi, and G. Tamburrelli, “Run-time efficient proba-bilistic model checking,” in , 2011, pp. 341–350.[9] A. Filieri and G. Tamburrelli, “Probabilistic verification at runtime forself-adaptive systems.”
Assurances for Self-Adaptive Systems , vol. 7740,pp. 30–59, 2013.[10] A. Filieri, G. Tamburrelli, and C. Ghezzi, “Supporting self-adaptationvia quantitative verification and sensitivity analysis at run time,”
IEEETransactions on Software Engineering , vol. 42, no. 1, pp. 75–99, 2016.[11] R. Calinescu, C. Ghezzi, K. Johnson, M. Pezz´e, Y. Rafiq, and G. Tam-burrelli, “Formal verification with confidence intervals to establishquality of service properties of software systems,”
IEEE Transactionson Reliability , vol. 65, no. 1, pp. 107–125, 2016.[12] R. Calinescu, K. Johnson, and C. Paterson, “FACT: A probabilisticmodel checker for formal verification with confidence intervals,” in , 2016, pp. 540–546.[13] E. M. Hahn, H. Hermanns, B. Wachter, and L. Zhang, “PARAM: Amodel checker for parametric Markov models,” in , 2010, pp. 660–664.[14] M. Kwiatkowska, G. Norman, and D. Parker, “PRISM 4.0: Verificationof probabilistic real-time systems,” in , 2011, pp. 585–591.[15] C. Dehnert, S. Junges, J. P. Katoen, and M. Volk, “A storm is coming:A modern probabilistic model checker,” in
Computer Aided Verification .Springer International Publishing, 2017.[16] H. Hansson and B. Jonsson, “A logic for reasoning about time andreliability,”
Formal Aspects of Computing , vol. 6, no. 5, pp. 512–535,Sep. 1994.[17] A. Bianco and L. de Alfaro, “Model checking of probabilistic andnondeterministic systems,” in
Foundations of Software Technology andTheoretical Computer Science , vol. 1026. Springer Berlin Heidelberg,1995, pp. 499–513.[18] F. Ciesinski and M. Gr¨oßer, “On probabilistic computation tree logic,”in
Validation of Stochastic Systems - A Guide to Current Research , vol.2925. Springer, 2004, pp. 147–188.[19] C. Baier and J. P. Katoen,
Principles of model checking . MIT press,2008.[20] J. P. Katoen, “Advances in probabilistic model checking,” in , 2010, p. 25.[21] M. Kwiatkowska, G. Norman, and D. Parker, “Stochastic model check-ing,” in
Formal Methods for the Design of Computer, Communica-tion and Software Systems: Performance Evaluation (SFM) , vol. 4486.Springer, 2007, pp. 220–270.[22] ——, “Probabilistic model checking: Advances and applications,” in
Formal System Verification: State of the Art and Future Trends . SpringerInternational Publishing, 2018. [23] ——, “Advances and challenges of probabilistic model checking,”in , 2010.[24] S. Andova, H. Hermanns, and J. P. Katoen, “Discrete-time rewardsmodel-checked,” in
International Conference on Formal Modeling andAnalysis of Timed Systems . Springer, 2003, pp. 88–104.[25] S. Gerasimou, G. Tamburrelli, and R. Calinescu, “Search-based synthesisof probabilistic models for quality-of-service software engineering,”in , 2015, pp. 319–330.[26] S. Gerasimou, R. Calinescu, and G. Tamburrelli, “Synthesis of proba-bilistic models for quality-of-service software engineering,”
AutomatedSoftware Engineering , vol. 25, no. 4, pp. 785–831, 2018.[27] M. Hajnal, M. Nouvian, D. ˇSafr´anek, and T. Petrov, “Data-informedparameter synthesis for population markov chains,” in
InternationalWorkshop on Hybrid Systems Biology . Springer, 2019, pp. 147–164.[28] A. Classen, P. Heymans, P. Y. Schobbens, A. Legay, and J.-F. Raskin,“Model checking lots of systems: efficient verification of temporalproperties in software product lines,” in , 2010, pp. 335–344.[29] D. Ameller, M. Galster, P. Avgeriou, and X. Franch, “A survey on qualityattributes in service-based systems,”
Software quality journal , vol. 24,pp. 271–299, 2016.[30] C. Sun, R. Rossing, M. Sinnema, P. Bulanov, and M. Aiello, “Modelingand managing the variability of web service-based systems,”
Journal ofSystems and Software , vol. 83, pp. 502–516, 2010.[31] P. Clements and L. Northrop,
Software product lines . Addison-WesleyBoston, 2002.[32] S. Apel, D. Batory, C. K¨astner, and G. Saake, “Software product lines,”in
Feature-Oriented Software Product Lines . Springer, 2013, pp. 3–15.[33] F. Dressler and O. B. Akan, “A survey on bio-inspired networking,”
Computer Networks , vol. 54, no. 6, pp. 881–900, 2010.[34] ——, “Bio-inspired networking: from theory to practice,”