INFAMY: An Infinite-State Markov Model Checker

Authors

  • Ernst Moritz Hahn
  • Holger Hermanns
  • Björn Wachter
  • Lijun Zhang
Abstract

The design of complex concurrent systems often involves intricate performance and dependability considerations. Continuous-time Markov chains (CTMCs) are a widely used modeling formalism, where performance and dependability properties are analyzable by model checking. We present INFAMY, a model checker for arbitrarily structured infinite-state CTMCs. It checks probabilistic timing properties expressible in continuous stochastic logic (CSL). Conventional model checkers explore the given model exhaustively, which is often costly, due to state explosion, and impossible if the model is infinite. INFAMY only explores the model up to a finite depth, with the depth bound being computed on-the-fly. The computation of depth bounds is configurable to adapt to the characteristics of different classes of models.

1 Introducing INFAMY

Continuous-time Markov chains (CTMCs) are widely used in performance and dependability analysis and in biological modeling. Properties are typically specified in continuous stochastic logic (CSL) [1], a logic inspired by CTL. In CSL, the until operator is equipped with a time interval to express properties such as: “The probability to reach a goal within 2 hours while maintaining a probability of at least 0.5 of communicating periodically (every five minutes) with a base station is at least 0.9”, written as $\mathcal{P}_{\geq 0.9}\big(\mathcal{P}_{\geq 0.5}(\Diamond^{\leq 5}\,\mathit{communicate})\ \mathcal{U}^{\leq 120}\ \mathit{goal}\big)$. CSL model checking amounts to the analysis of transient (time-dependent) probability vectors [1], typically carried out by uniformization, where the transient probability is expressed as a weighted infinite sum (the weights are given by a Poisson process). The standard methodology in CSL model checking is to truncate the infinite sum up to some pre-specified accuracy [2].
Outside the model checking arena, ideas have been developed [3,4,5] which truncate not only the infinite sum but also the matrix representing the system, which admits transient analysis of CTMCs with large or even infinite state spaces, provided they are given implicitly in a modeling language. Harvesting and improving on these ideas, INFAMY is the first CSL model checker based on truncation. The underlying truncation technique was developed in [6]. Besides truncation, INFAMY features SPIN-like [7] state space exploration, and supports models given in a high-level description language. Several other CSL model checkers exist, see [8] for an overview. Among them, PRISM [9] is a probabilistic model checker which uses advanced techniques for model representation and model checking for several stochastic model types. The model description language of INFAMY is based on the one of PRISM, but allows for infinite variable domains, while PRISM is restricted to finite models. Thus the tools are incomparable for infinite models. For several very large finite models, INFAMY is competitive with PRISM, as evident from Section 3. Model checkers based on discrete-event simulation [10,11,12,9] could, in principle, also analyze models with implicitly infinite state space; however, they have not yet been applied to such models, and thus we cannot compare with them. INFAMY is available at http://depend.cs.uni-sb.de/~emh/infamy.

This work is supported by the NWO-DFG bilateral project VOSS, by the DFG as part of the Transregional Collaborative Research Center SFB/TR 14 AVACS and the Graduiertenkolleg “Leistungsgarantien für Rechnersysteme”, and has received funding from the European Community’s Seventh Framework Programme under grant agreement no. 214755.

A. Bouajjani and O. Maler (Eds.): CAV 2009, LNCS 5643, pp. 641–647, 2009. © Springer-Verlag Berlin Heidelberg 2009
2 Truncation-Based Model Checking

INFAMY reads models in a guarded-command language extending the one of PRISM. The semantics of a model is a CTMC in which each state is a valuation of the model variables. Initial states are specified by an expression over model variables. The rest of the description consists of commands. Each command comprises a guard and a set of rates, each rate being associated with an update formula. If a state fulfills the guard of a command, this state has a rate to each state obtained by the respective update formula. Contrary to PRISM, we allow variables with infinite range. Properties are specified in the time-dependent fragment of CSL, which involves the Boolean operators and the timed until and next operators.

[Figure: layer-wise exploration of the state space, showing states s1 to s4 (labels: Layer, 0, 100)]
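The truncation scheme sketched in Sections 1 and 2, as an added example that is not INFAMY's own code: an implicitly given infinite CTMC (an M/M/1 queue with an unbounded queue-length variable, constructed here) is explored layer by layer up to a depth bound, the states of the outermost layer are made absorbing, and the transient distribution is computed by uniformization with the Poisson-weighted sum cut at a chosen accuracy. The depth is a hand-picked parameter in this example, whereas INFAMY computes it on the fly.

```python
import math

def explore(initial, successors, depth):
    # Breadth-first exploration of an implicitly given CTMC, `depth` layers deep.
    # States of the outermost layer keep no outgoing rates (they are absorbing),
    # so the probability mass they collect bounds what the truncation lost.
    states, index, edges, frontier = [initial], {initial: 0}, {}, [initial]
    for _ in range(depth):
        nxt = []
        for s in frontier:
            out = []
            for t, rate in successors(s):
                if t not in index:
                    index[t] = len(states)
                    states.append(t)
                    nxt.append(t)
                out.append((index[t], rate))
            edges[index[s]] = out
        frontier = nxt
    boundary = [index[s] for s in frontier]
    for i in boundary:
        edges[i] = []
    return states, index, edges, boundary

def transient(edges, init_idx, t, eps=1e-9):
    # Transient distribution at time t by uniformization: the infinite sum over
    # DTMC steps is cut once the Poisson(q*t) weights add up to 1 - eps.
    n = len(edges)
    exit_rate = [sum(r for _, r in edges[i]) for i in range(n)]
    q = max(exit_rate) or 1.0            # uniformization rate, >= every exit rate
    prob = [1.0 if i == init_idx else 0.0 for i in range(n)]   # DTMC P = I + Q/q
    result, acc, k = [0.0] * n, 0.0, 0
    weight = math.exp(-q * t)            # Poisson weight of step k = 0
    while acc < 1.0 - eps:
        for i in range(n):
            result[i] += weight * prob[i]
        acc += weight
        new = [0.0] * n
        for i in range(n):
            if prob[i]:
                new[i] += prob[i] * (1.0 - exit_rate[i] / q)
                for j, r in edges[i]:
                    new[j] += prob[i] * r / q
        prob, k = new, k + 1
        weight *= q * t / k
    return result

def mm1(lam, mu):
    # Constructed model: M/M/1 queue, queue length is an unbounded integer (infinite CTMC).
    return lambda n: [(n + 1, lam)] + ([(n - 1, mu)] if n > 0 else [])
```

With mu = 0 the queue degenerates to a Poisson process, so the computed distribution can be checked against the closed form e^{-t} t^n / n!; the mass on the boundary indices reports how much the chosen depth truncated.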


Publication date: 2009