Probabilistic Rewrite Theories: Unifying Models, Logics and Tools

Nirman Kumar, Koushik Sen, José Meseguer, Gul Agha
Department of Computer Science, University of Illinois at Urbana-Champaign. {nkumar5,ksen,meseguer,agha}@cs.uiuc.edu

Abstract. Probabilistic rewrite theories are proposed as a general semantic framework that unifies many existing models of probabilistic systems for both discrete and continuous time and suggests new models such as probabilistic hybrid systems. Probabilistic temporal logics for existing models are likewise unified in two logics, namely PRTL and PRTL∗, that we develop. Having a common semantic framework enables rigorously specified combinations of existing modelling and model checking tools that are based on different models, including the PMaude interpreter that can execute finitary probabilistic rewrite theory specifications.

Keywords: rewriting logic, probabilistic systems, stochastic systems, pmaude

1 Introduction

Large scale concurrent systems can be very complex. In modelling such systems, it is infeasible to account for the complex interplay of the various different factors that affect events in the system. For example, in a large scale computer network like the Internet, network delays, congestion and failures affect each other in ways that make it impossible to model the system deterministically. Furthermore, nondeterministic models do not allow us to model the likely behavior of the system. Probabilistic analysis has often been used to understand such complex systems better. A probabilistic model allows us to quantify a number of sources of indeterminacy in concurrent systems. The exact time duration of a behavior often depends on the schedulers, loads, etc. and may be represented by a stochastic process. Process or network failures may occur with a certain rate. Randomness can also come in explicitly: some parts of the system may implement randomized algorithms. An appropriate framework for probabilistic modelling is needed, which permits questions such as: “What is the mean throughput?”, “What is the probability of a successful delivery in the next 10 seconds?” and so on.

There has been considerable research on models, logics and verification of probabilistic systems. Work in this area includes probabilistic nondeterministic systems [5, 12], probabilistic Petri nets [28, 30] and probabilistic algebra approaches [23, 22]. Logics such as Continuous Stochastic Logic (CSL) [1, 2], Probabilistic Computational Tree Logic (pCTL) and Probabilistic CTL∗ (pCTL∗) [5] are some of the logics typically used to express properties for the above models.

For some of these logics, tools have been developed to support model checking specifications (e.g., PRISM [27] and ETMCC [20]). Other tools (UltraSan [11], SPNP [9], PEPA workbench [16] and GreatSPN [7]) have been used for performance analysis of CTMCs [24]. These tools have also been applied to several real world applications. For example, [26, 15] consider verification of a wireless network protocol and QoS management using a monitoring and evaluation approach.

It is useful to distinguish between a system specification, in which the system we want to study is specified using a particular formalism such as a stochastic Petri net, and a property specification, in which specific properties such as safety or performance that the system satisfies are specified using a logic such as probabilistic temporal logic. This distinction corresponds to the difference between semantic models and property logics. Although a number of semantic models and property logics have been developed, there has as yet been no semantic unification of these different formalisms.

We propose probabilistic rewrite theories as a way of achieving such a semantic unification. Rewriting logic [31] has already been shown to be a natural and useful semantic framework which unifies different kinds of concurrent systems [31, 33], as well as models of real time and hybrid systems [37]. In a standard rewrite theory, transitions in a system are described by labelled rewrite rules of the form

$l : t \longrightarrow t' \;\;\mathrm{if}\;\; cond$

Intuitively, a rule of this form specifies a pattern t such that, if some fragment of the system’s state matches that pattern and satisfies the condition cond, then a local transition of that state fragment changing into the pattern t' can take place. In a probabilistic rewrite rule we add probability information to such rules. Specifically, our proposed probabilistic rules are of the form

$l : t(\vec{x}) \longrightarrow t'(\vec{x}, \vec{y}) \;\;\mathrm{if}\;\; cond(\vec{x}) \;\;\mathrm{with\ probability}\;\; \pi(\vec{x})$.

The rule will match a state fragment if there is a substitution θ for the variables $\vec{x}$ that makes θ(t) equal to that state fragment and satisfies θ(cond). Because t' is of the form $t'(\vec{x}, \vec{y})$, the next state is not uniquely determined: it depends on the choice of an additional substitution ρ for the variables $\vec{y}$. Thus the result of applying the rule may be nondeterministic. The choice of ρ is made according to the probability function θ(π), which in general is not a fixed probability function but a family of functions: one for each match θ of the variables $\vec{x}$.

It turns out that this general notion of probabilistic rewrite rule can be used to naturally represent the different models of probabilistic systems mentioned above. Figure 1 shows semantics-preserving mappings from such models into the common framework of probabilistic rewrite theories. Inverse mappings defined on appropriate subclasses are also shown. This provides a semantic unification at the system specification level. Furthermore, probabilistic rewrite theories can model hybrid probabilistic systems. At present, the commonly used models have at most only one continuously varying quantity, namely time. However, probabilistic rewrite theories can also specify hybrid systems in which different parameters besides time change continuously.

For property level specifications we propose probabilistic rewriting temporal logic (PRTL and PRTL∗) as a unifying temporal logic. PRTL and PRTL∗ are probabilistic extensions of CTL and CTL∗, respectively, and are designed to express properties of probabilistic rewrite theories. Again, a number of probabilistic temporal logics proposed for different models, including pCTL and pCTL∗ [5], PBTL [3] and CSL [1, 2], can be represented as special cases of PRTL and PRTL∗. This semantic unification of the specification and property levels enables interoperation of different tools within a common semantic framework. Figure 1 shows a number of tools associated to different models that can be used in combination by means of semantics-preserving mappings.

Probabilistic rewrite theories are executable under reasonable assumptions. This suggests a gradation of increasingly more stringent formal methods, including:
– testing a specification by executing test cases;
– statistical verification of properties that can be established with a given degree of confidence by Monte Carlo simulations of the specifications;
– model checking probabilistic temporal logic properties if a model checker is available.

As a step towards enabling the use of these formal methods, we have implemented an extension of the Maude rewriting logic [10], called PMaude, which can execute finitary probabilistic rewrite theories (see Sections 3.3 and 6).

Fig. 1. Unification of models and tools. [Figure: the models PNS, CTMC, SAN, GSPN and GSMP, the theory classes PRwTh and FPRTh, the mappings $\mathcal{R}_{PNS}$, $PNS_{\mathcal{R}}$, $\mathcal{R}_{CTMC}$, $CTMC_{\mathcal{R}}$, $\mathcal{R}_{GSMP}$, $GSMP_{\mathcal{R}}$ between them, and the tools PRISM, ETMCC, SPNP, UltraSAN, GreatSPN, GMSim and PMaude.]

This paper is organized as follows. Section 2 provides several definitions that are required for defining probabilistic rewrite theories. Section 3 defines the concept and semantics of a probabilistic rewrite theory in all generality. Section 4 shows how various well known models for probabilistic systems can be represented as probabilistic rewrite theories. Section 5 defines probabilistic temporal logics for expressing properties of probabilistic rewrite theories. Section 6 provides details of PMaude, an implementation of finitary probabilistic rewrite theories (see Section 3.3) in Maude. We conclude by discussing directions for future research work. An appendix provides Maude code and sample executions for two examples specified in PMaude.

2 Background

We provide here the definitions of σ-algebra, probability spaces, $\mathcal{F}$-covers, membership equational theories, canonical ground substitutions, equivalence of substitutions and rewrite theories needed in the rest of the paper.

Definition 1 (σ-algebra). A σ-algebra on a set X is a nonempty collection of subsets $\mathcal{F}$ of X such that (i) $X \in \mathcal{F}$, (ii) $A \in \mathcal{F} \Longrightarrow X - A \in \mathcal{F}$, (iii) $I \subseteq \mathbb{N}$, $A_i \in \mathcal{F}$ for each $i \in I \Longrightarrow \bigcup_{i \in I} A_i \in \mathcal{F}$. We denote by $\mathcal{B}_{\mathbb{R}}$ the smallest σ-algebra on $\mathbb{R}$ containing the sets $(-\infty, x]$ for all $x \in \mathbb{R}$.

Definition 2 (Probability space). A probability space is a triple $(X, \mathcal{F}, \pi)$ with $\mathcal{F}$ a σ-algebra on X, and $\pi : \mathcal{F} \to [0, 1]$ a function such that: (i) $\pi(X) = 1$ and $\pi(\emptyset) = 0$, (ii) given a subset $I \subseteq \mathbb{N}$ and a family $A_i$, $i \in I$, with $A_i \in \mathcal{F}$ for each i and $A_i \cap A_j = \emptyset$ for $i \neq j$, then $\pi(\bigcup_{i \in I} A_i) = \sum_{i \in I} \pi(A_i)$. Here π is known as the probability measure function. For a given σ-algebra $\mathcal{F}$ on X, we denote by $PFun(X, \mathcal{F}) = \{\pi \mid (X, \mathcal{F}, \pi) \text{ is a probability space}\}$.

Definition 3 ($\mathcal{F}$-cover). An $\mathcal{F}$-cover for a σ-algebra $\mathcal{F}$ on X is a function $\alpha : X \to \mathcal{F}$ such that $\forall x \in X.\; x \in \alpha(x)$. For a given probability space $(X, \mathcal{F}, \pi)$, an $\mathcal{F}$-cover α naturally defines a function $\alpha;\pi$ from X to [0, 1]. Thus, for example, with $X = \mathbb{R}$ and $\mathcal{F} = \mathcal{B}_{\mathbb{R}}$, we can define α to be the function that maps the real number x to the set $(-\infty, x]$. With X a finite set and $\mathcal{F} = \mathcal{P}(X)$, the power set of X, it is natural to define α to be the function that maps $x \in X$ to the singleton $\{x\}$.

A membership equational theory [32] is a pair (Σ, E), with Σ a signature consisting of a set K of kinds, for each $k \in K$ a set $S_k$ of sorts, and a set of operator declarations of the form $f : k_1 \ldots k_n \longrightarrow k$, with $k, k_1, \ldots, k_n \in K$, and with E a set of conditional Σ-equations and Σ-memberships of the form,


$(\forall \vec{x})\; t = t' \Leftarrow u_1 = v_1 \wedge \ldots \wedge u_n = v_n \wedge w_1 : s_1 \wedge \ldots \wedge w_m : s_m$
$(\forall \vec{x})\; t : s \Leftarrow u_1 = v_1 \wedge \ldots \wedge u_n = v_n \wedge w_1 : s_1 \wedge \ldots \wedge w_m : s_m$

A membership $t : s$ with t a Σ-term of kind k and $s \in S_k$ asserts that t has sort s. Terms that do not have a sort are considered error terms. Thus, membership equational theories can specify partial functions within a total framework. A Σ-algebra B consists of a K-indexed family of sets $X = \{B_k\}_{k \in K}$, together with: (1) for each $f : k_1 \ldots k_n \longrightarrow k$ in Σ a function $f_B : B_{k_1} \times \ldots \times B_{k_n} \longrightarrow B_k$; and (2) for each $k \in K$ and each $s \in S_k$ a subset $B_s \subseteq B_k$. The models of a membership equational theory (Σ, E) are those Σ-algebras that satisfy the axioms E. The inference rules of membership equational logic are sound and complete [32]. Any membership equational theory (Σ, E) has an initial algebra $T_{\Sigma/E}$ which, using the inference rules of membership equational logic and assuming Σ unambiguous, is defined as a quotient of the term algebra $T_\Sigma$ by:

– $t \equiv_E t' \iff E \vdash (\forall \emptyset)\; t = t'$
– $[t]_{\equiv_E} \in T_{\Sigma/E,s} \iff E \vdash (\forall \emptyset)\; t : s$

The paper [6] extends in a natural way to membership equational logic theories the usual results about equational simplification, confluence, termination, and sort-decreasingness. Under such assumptions, a membership equational theory can be executed by equational simplification using the equations from left to right, perhaps modulo some associativity, commutativity and identity axioms A, and we have a canonical term algebra $Can_{\Sigma,E/A}$, whose elements are A-equivalence classes of terms fully simplified by the equations E. Since any term t can be simplified by E to a unique A-equivalence class $Can_{E/A}(t)$ that cannot be simplified any further, we have a Σ-isomorphism $T_{\Sigma/E \cup A} \cong Can_{\Sigma,E/A}$.

Definition 4 (E/A-canonical ground substitution). An E/A-canonical ground substitution is a substitution $\theta : \vec{x} \to T_\Sigma$ such that $\forall x \in \vec{x}.\; [\theta(x)]_A \in Can_{\Sigma,E/A}$.

Definition 5 (A-equivalent substitution). Two E/A-canonical ground substitutions $\theta, \rho : \vec{x} \to T_\Sigma$ are called A-equivalent if and only if $\forall x \in \vec{x}.\; [\theta(x)]_A = [\rho(x)]_A$. We use $[\theta]_A$ for A-equivalence classes and define the set

$CanGSubst_{E/A}(\vec{x}) = \{[\theta]_A \mid \theta : \vec{x} \to T_\Sigma \text{ is an } E/A\text{-canonical ground substitution}\}$

A rewrite theory [31] is a triple R = (Σ, E, R), with (Σ, E) a membership equational theory, and R a collection of labeled rewrite rules of the form $l : t \longrightarrow t' \;\mathrm{if}\; cond$, where t and t' are terms of the same kind, and cond is a condition that in general may be a conjunction of equations, memberships, and other rewrites. The intuitive meaning of such a rule is that we can perform a one-step rewrite of the E-equivalence class $[u]_E$ with the rule if and only if we can find a representative $u' \in [u]_E$, a subterm w of u' and a substitution θ such that θ(t) = w and θ(cond) can be shown to follow from E and R. We can perform such one-step rewrites much more easily and efficiently if R = (Σ, E, R) satisfies the following executability requirements: (i) the equations E are confluent, terminating, and sort-decreasing modulo axioms A; and (ii) the rules R are coherent [38] relative to E modulo A. Coherence states that if a representative $u' \in [u]_E$ can be directly rewritten by a rule in R to a term v, then it is also possible to directly perform a one-step rewrite with R of a representative $w \in Can_{E/A}(u')$ to a term v' in such a way that $can_{E/A}(v) = can_{E/A}(v')$. We call the rewrite $can_{E/A}(u') \longrightarrow can_{E/A}(v')$ a canonical one-step rewrite modulo A. Coherence ensures that all one-step rewrites at the level of E-equivalence classes can be simulated by the much simpler canonical one-step rewrites modulo A.

3 Probabilistic Rewrite Theories

We define here probabilistic rewrite theories and the notions of computation and adversary. We then define a probability space on the set of computation paths and give a probability measure function on this space. We conclude by defining an important class of rewrite theories, called finitary rewrite theories, which can be viewed as a restricted class of probabilistic rewrite theories.

Definition 6 (Probabilistic rewrite theory). A probabilistic rewrite theory is a 4-tuple $\mathcal{R} = (\Sigma, E \cup A, R, \pi)$, with $(\Sigma, E \cup A, R)$ a rewrite theory where the rules $r \in R$ are of the form

$l : t(\vec{x}) \to t'(\vec{x}, \vec{y}) \;\mathrm{if}\; C(\vec{x})$

with
(i) $\vec{x}$ is the set of all variables in t and $\vec{x} \cup \vec{y}$ is the set of variables in t'. Let $\vec{x} = x_1 : s_1 \ldots x_n : s_n$ and $\vec{y} = y_1 : u_1 \ldots y_m : u_m$ be the corresponding sort assignments for the variables,
(ii) C is a condition of the form $(\bigwedge_j u_j = u'_j) \wedge (\bigwedge_k v_k : s_k)$, that is, C is a conjunction of equations and memberships,

and with π a function assigning to each rewrite rule $r \in R$ a function

$\pi_r : [\![C]\!] \to PFun(CanGSubst_{E/A}(\vec{y}), \mathcal{F}_r)$,

where $[\![C]\!] = \{[\mu]_A \in CanGSubst_{E/A}(\vec{x}) \mid E \cup A \vdash (\forall \emptyset)\; \mu(C)\}$, and $\mathcal{F}_r$ is a σ-algebra on $CanGSubst_{E/A}(\vec{y})$. We denote each rule r with its associated function $\pi_r$ with the notation

$l : t(\vec{x}) \to t'(\vec{x}, \vec{y}) \;\mathrm{if}\; C(\vec{x}) \;\mathrm{with\ probability}\; \pi_r(\vec{x})$

We denote the class of general probabilistic rewrite theories as PRwTh.

3.1 Semantics of Probabilistic Rewrite Theories

Let $\mathcal{R} = (\Sigma, E \cup A, R, \pi)$ be a probabilistic rewrite theory such that:
1. E is confluent, terminating and sort-decreasing modulo A.
2. The rules R are coherent with E modulo A.

We also assume a choice for each rule r of an $\mathcal{F}_r$-cover $\alpha_r : CanGSubst_{E/A}(\vec{y}) \to \mathcal{F}_r$. This $\mathcal{F}_r$-cover will be used to assign probabilities to rewrite steps. Its choice will depend on the particular problem under consideration.

Definition 7 (Context). A context $\mathbb{C}$ is a Σ-term with a single occurrence of a single variable, $\odot$, called the hole. Two contexts $\mathbb{C}$ and $\mathbb{C}'$ are called A-equivalent if and only if $A \vdash (\forall \odot)\; \mathbb{C} = \mathbb{C}'$. We use $[\mathbb{C}]_A$ for such equivalence classes.

Definition 8 (R/A-matches). Given $[u]_A \in Can_{\Sigma,E/A}$ its R/A-matches are triples $([\mathbb{C}]_A, r, [\theta]_A)$ where, if $r \in R$ is a rule

$l : t(\vec{x}) \to t'(\vec{x}, \vec{y}) \;\mathrm{if}\; C(\vec{x}) \;\mathrm{with\ probability}\; \pi_r(\vec{x})$

then $[\theta]_A \in [\![C]\!]$ and $[u]_A = [\mathbb{C}(\odot \leftarrow \theta(t))]_A$.

Definition 9 (E/A-canonical one-step R-rewrite). An E/A-canonical one-step R-rewrite is a labelled transition of the form

$[u]_A \xrightarrow{([\mathbb{C}]_A,\, r,\, [\theta]_A,\, [\rho]_A)} [v]_A$

where
(i) $[u]_A, [v]_A \in Can_{\Sigma,E/A}$,
(ii) $([\mathbb{C}]_A, r, [\theta]_A)$ is an R/A-match of $[u]_A$,
(iii) $[\rho]_A \in CanGSubst_{E/A}(\vec{y})$, and
(iv) $[v]_A = can_{E/A}(\mathbb{C}(\odot \leftarrow \{\theta, \rho\}(t'(\vec{x}, \vec{y}))))$, with $\{\theta, \rho\}|_{\vec{x}} = \theta$ and $\{\theta, \rho\}|_{\vec{y}} = \rho$.

Definition 10 (E/A-canonical R-computation). An E/A-canonical R-computation is an infinite sequence

$[u_0]_A \xrightarrow{\alpha_0} [u_1]_A \xrightarrow{\alpha_1} \cdots [u_n]_A \xrightarrow{\alpha_n} [u_{n+1}]_A \cdots$

where either the $[u_i]_A \xrightarrow{\alpha_i} [u_{i+1}]_A$ are all E/A-canonical one-step R-rewrites, or there is an $n \in \mathbb{N}$ such that $[u_n]_A$ cannot be rewritten with R, for each $i < n$ the $[u_i]_A \xrightarrow{\alpha_i} [u_{i+1}]_A$ are canonical one-step R-rewrites, and for each $j \geq n$, $[u_j]_A = [u_n]_A$ and $\alpha_j = \,!$, where “!” is a special label denoting deadlock.

Definition 11 (R-path). An infinite sequence $[u_0]_A [u_1]_A [u_2]_A \cdots$ is called an R-path starting at $[u_0]_A$, denoted by $\omega_{[u_0]_A}$, if there exists an E/A-canonical R-computation

$[u_0]_A \xrightarrow{\alpha_0} [u_1]_A \xrightarrow{\alpha_1} [u_2]_A \cdots$

We denote by $\omega_{[u_0]_A}(i)$ the element $[u_i]_A$ in the R-path $\omega_{[u_0]_A}$. The set of all R-paths starting at $[u]_A$ is denoted by $\Omega_{[u]_A}$. The suffix of an R-path $\omega_{[u]_A}$ starting at $\omega_{[u]_A}(i)$ is denoted by $\omega^i_{[u]_A}$.

Definition 12 (Borel σ-algebra on $\Omega_{[u]_A}$). Let $[u]_A [u_1]_A \cdots [u_n]_A \in (Can_{\Sigma,E/A,k})^+$ be a finite word, that we denote as $w_{[u]_A}$ to emphasize its first element. Then we define the basic cylinder set for $w_{[u]_A}$ as the set $\{\omega_{[u]_A} \in \Omega_{[u]_A} \mid \forall\, 1 \leq i \leq n.\; \omega_{[u]_A}(i) = w_{[u]_A}(i)\}$. Let $\mathcal{B}_{[u]_A} \subseteq \mathcal{P}(\Omega_{[u]_A})$ be the smallest σ-algebra on $\Omega_{[u]_A}$ that contains the basic cylinder sets for all $w_{[u]_A} \in (Can_{\Sigma,E/A,k})^+$. This algebra is called the Borel σ-algebra of the basic cylinder sets.

The presence of nondeterminism in the choice of R/A-matches prevents us from defining a probability measure function on $\mathcal{B}_{[u]_A}$. However we can resolve this nondeterminism by the use of an adversary as defined below.

Definition 13 (Adversary). An adversary $a_{\mathcal{R}}$ is a function that maps each sequence $[u_0]_A [u_1]_A \cdots [u_n]_A \in (Can_{\Sigma,E/A,k})^*$ such that the sequence $[u_0]_A [u_1]_A \cdots [u_n]_A$ is the finite prefix of some R-path starting at $[u_0]_A$, to a probability distribution on the R/A-matches of $[u_n]_A$. Let $Adv_{\mathcal{R}}$ be the set of all such adversaries.

We can associate to a given probabilistic rewrite theory $\mathcal{R}$ a subset $\mathcal{A} \subseteq Adv_{\mathcal{R}}$ as its set of legal adversaries. For a given adversary $a_{\mathcal{R}} \in \mathcal{A}$, if $[u_0]_A$ is rewritten to $[u_n]_A$ following the sequence $[u_0]_A [u_1]_A \cdots [u_n]_A$, then the probability that $[u_n]_A$ rewrites to $[u']_A$ is given by (see footnote 1)

$Pr_{a_{\mathcal{R}}}([u']_A \mid [u_0]_A [u_1]_A \cdots [u_n]_A) = \sum_{([\mathbb{C}]_A, r, [\theta]_A, [\rho]_A) \in \Upsilon} \pi_1([\mathbb{C}]_A, r, [\theta]_A) \cdot \pi_2(\alpha_r([\rho]_A))$

where:
1. $\Upsilon = \{([\mathbb{C}]_A, r, [\theta]_A, [\rho]_A) \mid [u_n]_A \xrightarrow{([\mathbb{C}]_A,\, r,\, [\theta]_A,\, [\rho]_A)} [u']_A\}$,
2. $\pi_1 = a_{\mathcal{R}}([u_0]_A [u_1]_A \cdots [u_n]_A)$, and
3. $\pi_2 = \pi_r([\theta]_A)$.

Therefore, $\pi_1([\mathbb{C}]_A, r, [\theta]_A)$ is the probability associated with the choice of an R/A-match according to the distribution $\pi_1$, and $\pi_2(\alpha_r([\rho]_A))$ is the probability associated with the choice of $[\rho]_A$ according to the distribution $\pi_2$. For a given adversary $a_{\mathcal{R}} \in \mathcal{A}$, the probability associated with a basic cylinder set generated by the finite sequence $[u_0]_A [u_1]_A \cdots [u_n]_A$ starting at $[u]_A = [u_0]_A$ is given by

$Pr_{a_{\mathcal{R}}}([u_0]_A [u_1]_A \cdots [u_n]_A) = \prod_{i=0}^{n-1} Pr_{a_{\mathcal{R}}}([u_{i+1}]_A \mid [u_0]_A [u_1]_A \cdots [u_i]_A)$.

These probabilities for the basic cylinder sets give rise to a unique probability measure function on $\mathcal{B}_{[u]_A}$.

Note that an ordinary rewrite theory R with rules of the form $l : t(\vec{x}) \to t'(\vec{x}) \;\mathrm{if}\; C(\vec{x})$, with C a conjunction of equations and memberships and with $vars(t) = \vec{x}$, has a unique structure as a probabilistic rewrite theory because, since $\vec{y} = \emptyset$, $CanGSubst(\emptyset) = \emptyset$, and therefore, once a match is chosen the rewrite happens with probability 1. However, the notion of adversary is still meaningful.

Footnote 1: In a deadlock situation the looping transition happens with probability 1. That is, if $[u_n]_A$ cannot be rewritten, then $Pr_{a_{\mathcal{R}}}([u_n]_A \mid [u_0]_A [u_1]_A \ldots [u_n]_A) = 1$.

3.2 Associating Atomic Propositions to Probabilistic Rewrite Theories

In Section 5 we will associate a temporal logic to a probabilistic rewrite theory $\mathcal{R} = (\Sigma, E \cup A, R, \pi)$. For this we need to make two things explicit:
1. the intended kind k of states in the signature Σ, and
2. the relevant state predicates.

In general, the state predicates need not be part of the system specification $\mathcal{R}$. They are typically part of the property specification. We can assume that they have been defined by means of equations D in an equational theory $(\Sigma', E \cup A \cup D)$ extending $(\Sigma, E \cup A)$ as a subtheory in protecting mode (see footnote 2). We may also assume that the syntax defining the state predicates consists of a subsignature $\Pi \subseteq \Sigma'$ of function symbols, with each $p \in \Pi$ a different state predicate symbol that can be parameterized, that is, p need not be a constant, but can in general be an operator $p : s_1 \ldots s_n \longrightarrow Prop$. It is also useful to assume that, if k is the kind of states, the semantics of the state predicates Π is defined with the help of an operator

$\_\models\_ : k\; [Prop] \longrightarrow [Bool]$

in the signature Σ' (with [Prop] and [Bool] the kinds of Prop and Bool respectively) and by the equations $D \cup A \cup E$. Specifically, given a ground term u of kind k denoting a state and a (possibly parametric) state predicate $p(u_1, \ldots, u_n)$, with $u_1, \ldots, u_n$ ground terms, we say that the state predicate $p(u_1, \ldots, u_n)$ holds in the state $[u]_A$ if and only if

$E \cup A \cup D \vdash (\forall \emptyset)\; u \models p(u_1, \ldots, u_n) = true$.

In practice we want the equality $u \models p(u_1, \ldots, u_n) = true$ to be decidable. This can be achieved by making sure that $D \cup A \cup E$ is a set of confluent, sort-decreasing, and terminating equations and memberships modulo A. In this way we can associate to a probabilistic rewrite theory $\mathcal{R} = (\Sigma, E \cup A, R, \pi)$ (with a selected kind k of states and with state predicates Π) a set of atomic predicates $AP_\Pi = \{\theta(p) \mid p \in \Pi,\ \theta \text{ ground substitution}\}$, where by convention we use the simplified notation θ(p) to denote the ground term $\theta(p(x_1, \ldots, x_n))$. This defines a labeling function $L_\Pi$ on the set of states $Can_{\Sigma,E/A,k}$ assigning to each $[u]_A \in Can_{\Sigma,E/A,k}$ the set of atomic propositions

$L_\Pi([u]_A) = \{\theta(p) \in AP_\Pi \mid (E \cup A \cup D) \vdash (\forall \emptyset)\; u \models \theta(p) = true\}$.

3.3 Finitary Probabilistic Rewrite Theories

Definition 14 (Finitary probabilistic rewrite theory). (See footnote 3.) A finitary probabilistic rewrite theory is a 4-tuple $\mathcal{R}_f = (\Sigma, E \cup A, R, \gamma)$, with $(\Sigma, E \cup A, R)$ a rewrite theory and $\gamma : R \to T_{\Sigma,E/A}(X)_{PosReal}$ a function associating to each rewrite rule in R a term of sort PosReal, where PosReal is a sort in $(\Sigma, E \cup A)$ corresponding to the positive fragment of a computable subfield of the real numbers. The term γ(r) represents the rate function associated with the rule $r \in R$. Furthermore, if $l : t \to t' \;\mathrm{if}\; C$ is a rule in R involving variables $\vec{x}$, then γ maps the rule to a term of the form $r(\vec{x})$ possibly involving some of the variables in $\vec{x}$. We then use the notation

$l : t \to t' \;\mathrm{if}\; C\; [\mathrm{rate}\; r(\vec{x})]$

for the γ-annotated rule. Furthermore, we require that all rules labelled by l have the same lefthand side and are of the form

$l : t \to t'_1 \;\mathrm{if}\; C_1\; [\mathrm{rate}\; r_1(\vec{x})]$
$\cdots$
$l : t \to t'_n \;\mathrm{if}\; C_n\; [\mathrm{rate}\; r_n(\vec{x})]$   (1)

where:
1. $\vec{x} = fvars(t) \supseteq \bigcup_{i \in [1:n]} fvars(t'_i) \cup fvars(C_i)$,
2. $C_i$ is of the form $(\bigwedge_j u_j = u'_j) \wedge (\bigwedge_k v_k : s_k)$, that is, condition $C_i$ is a conjunction of equations and memberships (see footnote 4).

We denote the class of finitary probabilistic rewrite theories by FPRTh.

Footnote 2: By definition, being protecting means that the unique Σ-homomorphism $h : T_{\Sigma/E} \longrightarrow T_{\Sigma'/E \cup D}|_\Sigma$ ensured by the initiality of $T_{\Sigma/E}$ restricts for each sort s in Σ to a bijective function $h_s : T_{\Sigma/E,s} \longrightarrow T_{\Sigma'/E \cup D,s}$.

Footnote 3: Finitary probabilistic rewrite theories were called probabilistic rewrite theories in [25]. Here they appear as a special case of our more general notion.

3.4 Semantics of Finitary Probabilistic Rewrite Theories

Given a finitary probabilistic rewrite theory $\mathcal{R}_f = (\Sigma, E \cup A, R, \gamma)$, we can express it as a probabilistic rewrite theory, say $\mathcal{R}^\bullet_f$, by defining a map $\mathcal{F}_{\mathcal{R}} : \mathcal{R}_f \mapsto \mathcal{R}^\bullet_f$, with $\mathcal{R}^\bullet_f = (\Sigma^\bullet, E^\bullet \cup A, R^\bullet, \pi^\bullet)$ and $(\Sigma, E \cup A) \subseteq (\Sigma^\bullet, E^\bullet \cup A)$, in the following way. We encode each group of rules in R with label l of the form (1) above by a single rewrite rule (see footnote 5)

$t(\vec{x}) \to proj(i, (t'_1(\vec{x}), \ldots, t'_n(\vec{x}))) \;\mathrm{if}\; \tilde{C}_1(\vec{x}) \;\mathrm{or}\; \ldots \;\mathrm{or}\; \tilde{C}_n(\vec{x}) = true \;\mathrm{with\ probability}\; \pi_r(\vec{x})$

in $R^\bullet$. Corresponding to each such rule, we add to $\Sigma^\bullet$ the sort [1 : n], the constants $1, \ldots, n : \to [1 : n]$, and the projection operator $proj : [1 : n]\; k \ldots k \to k$. We also add to $E^\bullet$ the equations $proj(i, t_1, \ldots, t_n) = t_i$ for each $i \in \{1, \ldots, n\}$. Note that the only new variable on the righthand side is i, and therefore $CanGSubst_{E/A}(i) \cong \{1, \ldots, n\}$. We consider the σ-algebra $\mathcal{P}(\{1, \ldots, n\})$ on $\{1, \ldots, n\}$. Then $\pi_r$ is the function

$\pi_r : [\![C]\!] \to PFun(\{1, \ldots, n\}, \mathcal{P}(\{1, \ldots, n\}))$

defined as follows. If θ is such that $\tilde{C}_1(\theta(\vec{x})) \;\mathrm{or}\; \ldots \;\mathrm{or}\; \tilde{C}_n(\theta(\vec{x})) = true$, then $\pi_1 = \pi_r(\theta)$ sends each $i \in [1 : n]$ to

$\pi_1(\{i\}) = \dfrac{?r_i(\theta(\vec{x}))}{?r_1(\theta(\vec{x})) + ?r_2(\theta(\vec{x})) + \cdots + ?r_n(\theta(\vec{x}))}$

where $?r_i(\theta(\vec{x})) = \mathrm{if}\; \tilde{C}_i(\theta(\vec{x})) \;\mathrm{then}\; r_i(\theta(\vec{x})) \;\mathrm{else}\; 0 \;\mathrm{fi}$.

The semantics of $\mathcal{R}_f$ computations is now defined in terms of its associated theory $\mathcal{R}^\bullet_f$ in the standard way, by choosing the singleton $\mathcal{F}$-cover $\alpha_r : \{1, \ldots, n\} \to \mathcal{P}(\{1, \ldots, n\})$ mapping each i to $\{i\}$. We can associate to $\mathcal{R}^\bullet_f$ three possible sets of adversaries $\mathcal{A}_1$, $\mathcal{A}_2$ and $\mathcal{A}_3$ defined as follows:

1. $\mathcal{A}_1$ is simply $Adv_{\mathcal{R}^\bullet_f}$.
2. Any $a_{\mathcal{R}} \in \mathcal{A}_2$ maps any finite sequence $[u_0]_A [u_1]_A \cdots [u_n]_A$ to a probability distribution π on the R/A-matches of $[u_n]_A$ such that π assigns probability 1 to exactly one of the R/A-matches and 0 to the rest.
3. Any $a_{\mathcal{R}} \in \mathcal{A}_3$ partitions the set of R/A-matches of $[u_n]_A$ into a finite number of classes $C_1, C_2, \ldots, C_k$ with $n_i$ elements in the class $C_i$ for $1 \leq i \leq k$. This partitioning depends only on the adversary $a_{\mathcal{R}}$ and $[u_n]_A$. A probability of $\frac{1}{k\, n_i}$ is assigned to a match in class $C_i$.

We have extended Maude 2.0 to support finitary probabilistic rewrite theories. We call this extension PMaude (see Section 6). In PMaude, besides being able to specify any finitary probabilistic rewrite theory, one can also do Monte Carlo simulations of such finitary probabilistic rewrite theories for an adversary, chosen from the set $\mathcal{A}_3$ defined above, depending on the particular finitary probabilistic rewrite theory specified as input. We give the details in Section 6.

Footnote 4: It is unproblematic to relax the requirement that $fvars(C_i) \subseteq fvars(t)$ by allowing new variables in $C_i$ to be introduced in “matching equations” in the sense of [10]. Then these new variables can also appear in $t'_i$.

Footnote 5: By the assumption that $(\Sigma, E \cup A)$ is confluent, sort-decreasing, and terminating modulo A, and by a metatheorem of Bergstra and Tucker [4], any condition C of the form $(\bigwedge_i v_i = u_i \wedge \bigwedge_j w_j : s_j)$ can be replaced in an appropriate protecting enrichment $(\tilde{\Sigma}, \tilde{E} \cup A)$ of $(\Sigma, E \cup A)$ by a semantically equivalent Boolean condition $\tilde{C} = true$.
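The following Python program is an added example, not part of the paper and not PMaude code. It runs the finitary semantics just defined, together with the one-step and cylinder-set probabilities of Section 3.1, on a constructed toy theory: the state is a multiset of counters, one rule group `step` has two alternatives with conditions and rate functions, and the adversary is of class $\mathcal{A}_3$, partitioning the R/A-matches by the parity of the counter they match. The rule group, the adversary and all names (RuleAlt, STEP, parity_adversary, step_distribution, path_probability, sample_path) are this example's own assumptions; the deadlock case follows footnote 1.

```python
"""Added example: finitary probabilistic rewrite theory semantics on a toy theory.

A state is a multiset of counters, kept as a sorted tuple (sorting stands in for
the A-axioms, i.e. commutativity of the multiset constructor).  The rule group
`step` (equation (1) of the paper, n = 2) is constructed for this example:

    step : n(x) -> n(x + 1) if x < 3      [rate 2]
    step : n(x) -> n(0)     if 0 < x < 3  [rate x]

The R/A-matches of a state are the counter positions for which some condition
holds.  Alternative i is chosen with probability ?r_i / (?r_1 + ... + ?r_n), and
an A3 adversary gives every match of class C_i probability 1 / (k * n_i)."""
import random
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, Dict, List, Tuple

State = Tuple[int, ...]     # multiset of counters, always sorted (canonical form)
Match = Tuple[int, int]     # (context = position of the counter, theta = its value x)

@dataclass(frozen=True)
class RuleAlt:
    """One alternative  l : n(x) -> rhs(x) if cond(x) [rate rate(x)]  of a rule group."""
    cond: Callable[[int], bool]
    rhs: Callable[[int], int]
    rate: Callable[[int], Fraction]

STEP: List[RuleAlt] = [
    RuleAlt(cond=lambda x: x < 3,     rhs=lambda x: x + 1, rate=lambda x: Fraction(2)),
    RuleAlt(cond=lambda x: 0 < x < 3, rhs=lambda x: 0,     rate=lambda x: Fraction(x)),
]

def pi_r(group: List[RuleAlt], x: int) -> Dict[int, Fraction]:
    """pi_r(theta)({i}) = ?r_i / sum_j ?r_j with ?r_i = rate_i(x) if C_i(x) else 0."""
    guarded = [alt.rate(x) if alt.cond(x) else Fraction(0) for alt in group]
    total = sum(guarded)
    if total == 0:                     # no condition holds: the group does not apply
        return {}
    return {i: g / total for i, g in enumerate(guarded) if g > 0}

def matches(state: State) -> List[Match]:
    """R/A-matches: every counter whose disjunction of conditions C~_1 or ... or C~_n holds."""
    return [(pos, x) for pos, x in enumerate(state) if any(a.cond(x) for a in STEP)]

def parity_adversary(state: State) -> Dict[Match, Fraction]:
    """An A3 adversary: classes = even-valued vs odd-valued counters (k classes);
    a match in class C_i receives probability 1 / (k * n_i).  As the definition
    of A3 requires, it depends only on the current state."""
    classes: Dict[int, List[Match]] = defaultdict(list)
    for m in matches(state):
        classes[m[1] % 2].append(m)
    k = len(classes)
    return {m: Fraction(1, k * len(cls)) for cls in classes.values() for m in cls}

def apply(state: State, match: Match, alt: int) -> State:
    """Rewrite the matched counter with alternative `alt` and re-canonicalize."""
    pos, x = match
    new = list(state)
    new[pos] = STEP[alt].rhs(x)
    return tuple(sorted(new))

def step_distribution(state: State) -> Dict[State, Fraction]:
    """Pr(u' | u_0 ... u_n) = sum over Upsilon of pi_1(match) * pi_2({i})."""
    pi_1 = parity_adversary(state)
    if not pi_1:                       # deadlock: self-loop with probability 1 (footnote 1)
        return {state: Fraction(1)}
    dist: Dict[State, Fraction] = defaultdict(Fraction)
    for match, p_match in pi_1.items():
        for i, p_alt in pi_r(STEP, match[1]).items():
            dist[apply(state, match, i)] += p_match * p_alt
    return dict(dist)

def path_probability(path: List[State]) -> Fraction:
    """Probability of the basic cylinder set of a finite path: the product of the
    one-step probabilities along it."""
    p = Fraction(1)
    for u, v in zip(path, path[1:]):
        p *= step_distribution(u).get(v, Fraction(0))
    return p

def sample_path(start: State, steps: int, seed: int = 0) -> List[State]:
    """Monte Carlo simulation of one R-path prefix under the A3 adversary."""
    rng = random.Random(seed)
    path = [start]
    for _ in range(steps):
        successors, weights = zip(*step_distribution(path[-1]).items())
        path.append(rng.choices(successors, weights=[float(w) for w in weights])[0])
    return path

if __name__ == "__main__":
    print(step_distribution((0, 1)))   # {(1, 1): 1/2, (0, 2): 1/3, (0, 0): 1/6}
    print(sample_path((0, 1), 6))
```

From the state (0, 1) the two matches fall into different parity classes, so each gets probability 1/2; the counter 0 can only be incremented, while the counter 1 is incremented with probability 2/3 and reset with probability 1/3. A state whose counters all equal 3 matches no alternative and loops with probability 1.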

4 Unifying Models of Probabilistic Systems

We show below how we can specify probabilistic nondeterministic systems (PNS) [5, 12], generalized semi-Markov processes (GSMP) [18, 17] and continuous time Markov chains (CTMC) [24] as probabilistic rewrite theories with some restrictions. We define mappings that transform a specification in one of those models into a probabilistic rewrite theory with the same semantics. By this we mean that the computation paths for the respective model and the probabilistic rewrite theory defined by the mapping are in one-to-one correspondence.

4.1 PNS’s as a special case of Finitary Probabilistic Rewrite Theories

Definition 15 (Next-state probability distribution). If S is the set of states of a system, a next-state probability distribution is a function $p : S \to [0, 1]$ such that $\sum_{s \in S} p(s) = 1$. For $s \in S$, p(s) represents the probability of making a direct transition to s from the current state.

Definition 16 (PNS). A PNS is a 4-tuple $\Pi = (S, P, V, \tau)$, where
– S is a finite set of states,
– P is a set of atomic propositions,
– $V : S \to \mathcal{P}(AP)$ is a labelling function that associates to each $s \in S$ the set $V(s) \subseteq P$ of atomic propositions that hold in s, and
– τ is a function which associates to each $s \in S$ a finite set $\tau(s) = \{p^s_1, \ldots, p^s_{k_s}\}$ of next-state probability distributions for transitions from s.

The next state of s in a computation is chosen in two steps:
1. A next-state probability distribution $p^s_i \in \tau(s)$ is chosen nondeterministically from the set τ(s),
2. Then a successor state $s' \in S$ is chosen with probability $p^s_i(s')$.

We can see PNSs as a special low-level form of finitary probabilistic rewrite theories by defining a map $\mathcal{R}_{PNS} : \mathbf{PNS} \to \mathbf{FPRTh}$ as follows. Given a PNS $P = (S, P, V, \tau)$ we define $\mathcal{R}_{PNS}(P)$ as an appropriate extension with state predicates (see below) of a finitary probabilistic rewrite theory $\mathcal{R}_f = (\Sigma_P, E_P, R_P, \gamma_P)$ with $\Sigma_P$ a signature consisting of a single sort State and the constants $s : \to State$ for each $s \in S$. For each $s \in S$ and for each $p^s_i \in \tau(s)$, let $\{s_1, \ldots, s_m\}$ be the set of next states such that $p^s_i(s_j) > 0$ and $\sum_{j \in [1,m]} p^s_i(s_j) = 1$. For each such s and $p^s_i$, the set $L_P$ of rule labels contains the label $l(s, p^s_i)$. $R_P$ then contains for each label $l(s, p^s_i)$ the following set of rewrite rules:

$l(s, p^s_i) : s \to s_1\; [\mathrm{rate}\; p^s_i(s_1)]$
$\cdots$
$l(s, p^s_i) : s \to s_m\; [\mathrm{rate}\; p^s_i(s_m)]$

and $\gamma_P$ maps each such rule $l(s, p^s_i) : s \to s_j$ to $p^s_i(s_j)$. To define the semantics of state predicates, we extend this rewrite theory to $(\Sigma'_P, E_P \cup D_P, L_P, R_P, \gamma_P)$ such that $AP \subseteq \Sigma'$ contains the atomic propositions $q \in AP$ as constants of sort Prop, and for each $q \in AP$, $D_P$ contains the equations $s \models q = true$ for each $s \in S$ such that $q \in V(s)$. We then define $\mathcal{R}_{PNS}(P) = (\Sigma'_P, E_P \cup D_P, L_P, R_P, \gamma_P)$.

Conversely, given a finitary probabilistic rewrite theory $\mathcal{R}_f$, together with a chosen kind [State] of states such that $Can_{\Sigma,E/A,[State]}$ is finite and with state predicates Π, and such that all rewrite rules rewrite only terms of kind [State], it is easy to define an inverse mapping $PNS_{\mathcal{R}} : \mathcal{R}_f \mapsto PNS_{\mathcal{R}}(\mathcal{R}_f)$, associating to $\mathcal{R}_f$ its “underlying” PNS.
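As an added illustration, not code from the paper or from PMaude, the following Python program implements the map $\mathcal{R}_{PNS}$ above and the inverse $PNS_{\mathcal{R}}$ on a constructed three-state PNS: each distribution $p^s_i$ becomes a rule group labelled $l(s, p^s_i)$ whose rules carry the probabilities as rates, the labelling V becomes the equations $s \models q = true$ of $D_P$, and decoding the rule groups through the rate normalization of Section 3.4 recovers τ exactly. It also checks that scaling all rates of a group by a common factor leaves the induced distribution unchanged, which is why only the proportions of the rates matter. The PNS and the names (PNS, Rule, encode_pns, induced_distribution, decode_pns, EXAMPLE) are this example's own.

```python
"""Added example: the encoding R_PNS of a PNS as a finitary probabilistic rewrite
theory, and the inverse PNS_R.  The PNS below is constructed for the example."""
from collections import defaultdict
from dataclasses import dataclass
from fractions import Fraction
from typing import Dict, FrozenSet, List, Tuple

Dist = Dict[str, Fraction]        # next-state probability distribution (Definition 15)
Label = Tuple[str, int]           # l(s, p_i^s), identified by the state and the index i
Equation = Tuple[str, str]        # (s, q) stands for the equation  s |= q = true  in D_P

@dataclass
class PNS:
    """Pi = (S, P, V, tau) as in Definition 16."""
    states: List[str]
    props: FrozenSet[str]
    labeling: Dict[str, FrozenSet[str]]     # V : S -> P(P)
    tau: Dict[str, List[Dist]]              # finite set of distributions per state

@dataclass(frozen=True)
class Rule:
    """A gamma-annotated rule  l : s -> s' [rate r]  whose lefthand side is a constant."""
    label: Label
    lhs: str
    rhs: str
    rate: Fraction

def encode_pns(pns: PNS) -> Tuple[List[Rule], List[Equation]]:
    """R_PNS: one rule group l(s, p_i^s) per distribution, one rule per successor s_j
    with p_i^s(s_j) > 0 and rate p_i^s(s_j); plus the state-predicate equations D_P."""
    rules: List[Rule] = []
    for s in pns.states:
        for i, p in enumerate(pns.tau[s]):
            if sum(p.values()) != 1:
                raise ValueError(f"tau({s})[{i}] is not a next-state distribution")
            for s_j, prob in p.items():
                if prob > 0:
                    rules.append(Rule((s, i), s, s_j, prob))
    equations = [(s, q) for s in pns.states for q in sorted(pns.labeling[s])]
    return rules, equations

def induced_distribution(rules: List[Rule], label: Label) -> Dist:
    """pi_r for one rule group: alternative j gets rate_j / sum of rates (every
    condition is trivially true here).  Since R_PNS uses probabilities as rates,
    this is p_i^s itself; a common scale factor on the rates cancels out."""
    group = [r for r in rules if r.label == label]
    total = sum(r.rate for r in group)
    return {r.rhs: r.rate / total for r in group}

def decode_pns(rules: List[Rule], equations: List[Equation]) -> PNS:
    """PNS_R: the underlying PNS of a finitary theory whose rules rewrite only
    constants of sort State.  Each label yields one distribution of tau(s)."""
    groups: Dict[Label, List[Rule]] = defaultdict(list)
    for r in rules:
        groups[r.label].append(r)
    states = sorted({r.lhs for r in rules} | {r.rhs for r in rules})
    tau: Dict[str, List[Dist]] = {s: [] for s in states}
    for label in sorted(groups):
        tau[label[0]].append(induced_distribution(rules, label))
    labeling = {s: frozenset(q for (t, q) in equations if t == s) for s in states}
    props = frozenset(q for (_, q) in equations)
    return PNS(states, props, labeling, tau)

def scaled_rules(rules: List[Rule], factor: Fraction) -> List[Rule]:
    """The same theory with every rate multiplied by `factor`."""
    return [Rule(r.label, r.lhs, r.rhs, r.rate * factor) for r in rules]

def round_trip(pns: PNS) -> bool:
    """PNS_R(R_PNS(pns)) has the same tau and the same labelling as pns."""
    back = decode_pns(*encode_pns(pns))
    return back.tau == pns.tau and back.labeling == pns.labeling

# Constructed PNS: from `a` either a fair coin between `a` and `b`, or a sure move to `c`.
EXAMPLE = PNS(
    states=["a", "b", "c"],
    props=frozenset({"start", "done"}),
    labeling={"a": frozenset({"start"}), "b": frozenset(), "c": frozenset({"done"})},
    tau={
        "a": [{"a": Fraction(1, 2), "b": Fraction(1, 2)}, {"c": Fraction(1)}],
        "b": [{"c": Fraction(1)}],
        "c": [{"c": Fraction(1)}],
    },
)

if __name__ == "__main__":
    rules, eqs = encode_pns(EXAMPLE)
    for r in rules:
        print(f"l{r.label} : {r.lhs} -> {r.rhs} [rate {r.rate}]")
    print("D_P:", eqs, "round trip ok:", round_trip(EXAMPLE))
```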

4.2 GSMP’s as a special case of Probabilistic Rewrite Theories

We can view generalized semi-Markov processes [18, 17] as a special case of probabilistic rewrite theories.

Definition 17 (GSMP). A GSMP is a tuple (S, E, h, P, r, F, ν, µ) where
– S is a finite or countably infinite set of states.
– E = {e1, e2, ..., en} is a finite set of events.
– h : S → P(E) is a function that assigns to each state s ∈ S a subset of events h(s) ⊆ E, which are scheduled to occur in s. We say that an event e is active in s if e ∈ h(s).
– P is a partial function P : S × P(E) → PFun(S, P(S)) which assigns to a tuple (s, E*), s ∈ S, E* ⊆ h(s), a probability measure function on P(S).
– r : S × E → R+ is a function that assigns to each event e ∈ E a positive rate r(s, e), at which the clock for e runs in state s.
– F : S × E × S × P(E) → PFun(R, B_R) is a partial function that assigns to a quadruple (s', e', s, E*), E* ⊆ h(s), a probability distribution function for the clock setting of event e' in the state s' when the last state was s and the state change was made due to the simultaneous occurrence of the events in E*. Such distributions assume special fixed values for the clocks of some events; for example the setting must be 0 for the clocks of events e' ∉ h(s'). Nonetheless we can view such fixed durations as also specified by appropriate probability distributions on the set R of real numbers. We refer the reader to [17] for the details regarding the setting of clock values for the various events.
– ν is a probability distribution on the set S which assigns initial probabilities to each state s ∈ S.
– µ : S → P(PFun(R, B_R)) is a function that assigns to each state s a function µ(s) : h(s) → PFun(R, B_R) which determines, for each event e ∈ h(s), a probability measure function on the set of real numbers R, with B_R as the underlying σ-algebra. The initial clock setting for the clock of event e is chosen in accordance with this distribution.

We can define a map R_GSMP : GSMP → PRwTh associating to each GSMP G a probabilistic rewrite theory R_GSMP(G) with the same semantics. For the GSMP G = (S, E, h, P, r, F, ν, µ) we define the probabilistic rewrite theory (Σ_G, E_G, R_G, π_G) where Σ_G contains three sorts: State, System and PosReal. The sort PosReal represents the nonnegative elements in a computable subfield of the real numbers. The sort State has a constant sinit as well as a set of terms in bijection with S. Clearly, if S is finite this can be achieved by having the sort State contain only constants. If S is countably infinite, we can define sinit = 0 and add a successor function constructor s : State → State to generate all the other states. The sort System has two constructors, defined as follows, where n denotes |E|:

⟨_, _, ..., _⟩ : State PosReal ... PosReal → System
{_, _, _, ..., _} : State State PosReal PosReal ... PosReal → System

In the above constructor definitions the constructor ⟨_, ..., _⟩ has arity n + 1, where the first argument is of sort State while the remaining arguments are of sort PosReal. The second constructor {_, ..., _} has arity n + 2, with the first two arguments of sort State and the remaining ones of sort PosReal. All rewrites are in the sort System. The rewrite rules in R_G consist of two rules, with the labels select and advance. We show these rules below and describe how the function π_G acts on each of them.

select : ⟨x, t1, ..., tn⟩ → {x, y, t1, t2, ..., tn} with probability πselect(x, t1, ..., tn) .
advance : {x, y, t1, ..., tn} → ⟨y, t1 + ∆t1, ..., tn + ∆tn⟩ with probability πadvance(x, y, t1, ..., tn) .


In the above rules the symbols ∆ti, ti denote variables of sort PosReal. Intuitively, the variables ti denote the readings of the clocks for the various events ei ∈ E. The variables x and y are of sort State. The function π_G assigns the function πselect(x, t1, ..., tn) to the rewrite rule labelled select. This function gives a probability distribution on Can_{Σ_G,E_G,[State]}. It mimics ν, when x = sinit and t1 = · · · = tn = 0, by assigning the same probability distribution as ν on the set S to the corresponding set Can_{Σ_G,E_G,[State]} − {sinit}. For other values of x, the function πselect(x, t1, ..., tn) operates as follows. Let sx and sy denote the states in S corresponding to the terms x, y of sort State.

(i) πselect first computes the set E* ⊆ h(sx) of events which have occurred in the state sx to cause the transition to the new state sy. Let Ax ⊆ {1, 2, ..., n} denote the set of indexes corresponding to the events in h(sx). Then the desired set E* is the set of events ei corresponding to the set of indexes A:

$$A = \left\{\, i \in A_x \;\middle|\; \frac{t_j}{r(s_x, e_j)} \ge \frac{t_i}{r(s_x, e_i)} \text{ for each } j \in A_x \,\right\}$$

The set A of indexes represents the set of events whose clocks run out the earliest.

(ii) The function πselect then mimics, on Can_{Σ_G,E_G,[State]} − {sinit}, the distribution given on S by P(sx, E*).

The function πadvance assigns to each pair of states a distribution on Can^n_{Σ_G,E_G,PosReal} ⊆ R^n, which gives the setting of the clocks in the new state sy. This function simply mimics the function F(sy, e', sx, E*) for setting the clock of event e'. The distribution πadvance is the joint distribution of the independent distributions given by F; because these distributions are independent, the joint distribution is simply their product. Conversely, given a probabilistic rewrite theory R, together with a chosen kind [System] which encapsulates a sort State and a constant finite number of terms of sort PosReal, changing as per rules dictated by GSMP semantics, and such that all rewrite rules rewrite terms of kind [System], it is easy to define an inverse mapping GSMP_R : R ↦ GSMP_R(R), associating to R its “underlying” GSMP. If the set of terms in R of sort System is finite, it is also possible to compute GSMP_R(R) explicitly.

4.3 CTMC's as a special case of probabilistic rewrite theories

Continuous time Markov chains (CTMCs) are a special case of GSMPs, but the semantics of a CTMC is much simpler. As an easier to understand example we show how it is possible to express CTMCs [24] as probabilistic rewrite theories. We modify the generalized approach for a GSMP, removing the excess machinery needed for GSMP semantics, to deal with a CTMC.

Definition 18 (CTMC). A CTMC is a triple (S, R, L) where
– S is a finite or countably infinite set of states.
– R : S × S → R+ is the transition rate matrix. The probability of moving from state s to state s' within time t > 0 is given by 1 − e^{−R(s,s')t}.
– L : S → 2^AP is a function labelling states with atomic propositions.

We can view a CTMC as a special case of a probabilistic rewrite theory by defining a map R_CTMC : CTMC → PRwTh. Given a CTMC C = (S, R, L), the map R_CTMC associates to it a probabilistic rewrite theory which is an appropriate extension with state predicates (see below) of the probabilistic rewrite theory (Σ_C, E_C, R_C, π_C) defined as follows. The signature Σ_C has three sorts: State, System and PosReal, where, as before, PosReal represents the nonnegative elements in a computable subfield of the real numbers. The equations E_C should be defined such that the elements of the set Can_{Σ_C,E_C,[State]} are in bijective correspondence with the set of states S of the CTMC. As mentioned in the case of a GSMP, if the set of states S is finite, we can have State consist only of constants. If the set of states S is countably infinite, we can define a constant 0 of sort State and a constructor s : State → State, to ensure that Can_{Σ_C,E_C,[State]} is in bijective correspondence with S. Elements of sort System are built using the constructor

⟨_, _⟩ : State PosReal → System

Intuitively, the terms of the sort System encapsulate the current state of the CTMC and the current time. There is a single rewrite rule:

select : ⟨x, t⟩ → ⟨y, t + t'⟩ with probability πselect(x, t) .

In this rewrite rule the variables x, y are of sort State, while t, t' belong to the sort PosReal. The function π_C acts on this rewrite rule to give the function πselect(x, t), which maps the current state and time into a distribution on the set of new variables y, t'. By assumption the set Can_{Σ_C,E_C,[State]} is in bijective correspondence with the set of states S of the CTMC. Let sx denote the state corresponding to x ∈ Can_{Σ_C,E_C,[State]}. The new state has the distribution given by

$$\Pr(\{s_y\}) = \frac{R(s_x, s_y)}{\sum_{s_y \in S} R(s_x, s_y)}$$

On the other hand, the time duration of the transition has the distribution given by

$$\Pr(\{t' \le T\}) = 1 - e^{-\left(\sum_{s' \in S} R(s_x, s')\right) T}$$

The above events are independent; this follows from the semantics of a CTMC. We refer the reader to [24] for further details. The distribution on the set Can_{Σ_C,E_C,[State]} × Can_{Σ_C,E_C,PosReal} specified by the function πselect(x, t) is the joint distribution of the two distributions above. Since the distributions are independent, the joint distribution is simply the product of the two. To define the semantics of state predicates, we extend this rewrite theory to (Σ'_C, E_C ∪ D_C, R_C, γ_C) such that Π ⊆ Σ'_C contains the operators pi : → Prop for each pi ∈ AP, and D_C contains the equations s |= pi = true for each s ∈ S such that pi ∈ L(s). We then define R_CTMC(P) = (Σ'_C, E_C ∪ D_C, R_C, γ_C).
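To make the two select steps concrete, the following is an added example (ours, not code from the paper): step (i) of πselect for the GSMP encoding of Section 4.2, which picks the active events whose clocks run out earliest, and the single select rule of the CTMC encoding above, which draws the next state and the holding time independently. The representation is our assumption: clock readings are the time remaining for each active event, consumed at its rate r(s, e), and a CTMC rate matrix is a dict of dicts with missing entries meaning rate 0; the SERVER chain is a constructed sample.

```python
"""Added example (ours, not from the paper): the select step of the GSMP
encoding (Section 4.2) and of the CTMC encoding (Section 4.3).

Assumed representation (our choice): a GSMP state's clocks t_i and rates
r(s, e_i) are dicts keyed by event name, a clock reading being the time
remaining until the event, consumed at its rate; a CTMC rate matrix is a
dict of dicts, R[s][s2] = R(s, s2), with missing entries meaning rate 0.
"""
import math
import random
from typing import Dict, List, Set, Tuple

RateMatrix = Dict[str, Dict[str, float]]


def gsmp_fired_events(clocks: Dict[str, float], rates: Dict[str, float],
                      active: Set[str]) -> Tuple[Set[str], float]:
    """Step (i) of pi_select: the index set
       A = { i in A_x | t_j / r(s_x,e_j) >= t_i / r(s_x,e_i) for every j in A_x },
    i.e. the active events whose clocks run out earliest, plus that time."""
    if not active:
        raise ValueError("no active event: the GSMP cannot move")
    remaining = {e: clocks[e] / rates[e] for e in active}
    earliest = min(remaining.values())
    # A tolerance lets clocks that tie only up to rounding fire together,
    # which is the E* of several events occurring simultaneously.
    fired = {e for e, rem in remaining.items()
             if math.isclose(rem, earliest, rel_tol=1e-12, abs_tol=1e-12)}
    return fired, earliest


def exit_rate(R: RateMatrix, s: str) -> float:
    """sum_{s'} R(s, s'): the rate of leaving s (0 for an absorbing state)."""
    return float(sum(R.get(s, {}).values()))


def next_state_distribution(R: RateMatrix, s: str) -> Dict[str, float]:
    """Pr({s_y}) = R(s_x, s_y) / sum_{s'} R(s_x, s'); empty if s is absorbing."""
    total = exit_rate(R, s)
    if total == 0.0:
        return {}
    return {sy: rate / total for sy, rate in R[s].items()}


def holding_time_cdf(R: RateMatrix, s: str, T: float) -> float:
    """Pr({t' <= T}) = 1 - exp(-(sum_{s'} R(s_x, s')) T)."""
    return 1.0 - math.exp(-exit_rate(R, s) * T)


def median_holding_time(R: RateMatrix, s: str) -> float:
    """The T with Pr({t' <= T}) = 1/2, i.e. ln 2 / sum_{s'} R(s, s')."""
    return math.log(2.0) / exit_rate(R, s)


def ctmc_select(R: RateMatrix, x: str, t: float,
                rng: random.Random) -> Tuple[str, float]:
    """One application of  select : <x, t> -> <y, t + t'>.
    The state draw and the holding-time draw are independent, as in the
    paper, so they are sampled separately and then combined."""
    dist = next_state_distribution(R, x)
    if not dist:
        raise ValueError(f"state {x!r} is absorbing: select does not apply")
    states, weights = zip(*sorted(dist.items()))
    y = rng.choices(states, weights=weights, k=1)[0]
    t_prime = rng.expovariate(exit_rate(R, x))   # CDF 1 - exp(-lambda T)
    return y, t + t_prime


def ctmc_run(R: RateMatrix, s0: str, steps: int,
             seed: int = 0) -> List[Tuple[str, float]]:
    """Trace of <state, time> terms from <s0, 0>; stops early when absorbed."""
    rng = random.Random(seed)
    s, t = s0, 0.0
    trace = [(s, t)]
    for _ in range(steps):
        if exit_rate(R, s) == 0.0:
            break
        s, t = ctmc_select(R, s, t, rng)
        trace.append((s, t))
    return trace


# Constructed sample CTMC (not from the paper): a server that is idle, busy,
# or permanently down.  Rates are per time unit.
SERVER: RateMatrix = {
    "idle": {"busy": 2.0, "down": 0.5},
    "busy": {"idle": 3.0},
    "down": {},
}

if __name__ == "__main__":
    print(gsmp_fired_events({"a": 2.0, "b": 3.0}, {"a": 1.0, "b": 3.0}, {"a", "b"}))
    print(next_state_distribution(SERVER, "idle"))
    print(ctmc_run(SERVER, "idle", 5, seed=1))
```

The absorbing state `down` is where the select rule stops applying, which is the CTMC counterpart of a term with no successful match; `ctmc_run` returns the trace reached so far instead of raising, so a simulation driver can tell the two cases apart.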

Conversely, given a probabilistic rewrite theory R, together with a chosen kind [System] which encapsulates a sort State and a single term of sort PosReal, changing as per rules dictated by CTMC semantics, and such that all rewrite rules rewrite terms of kind [System], it is easy to define an inverse mapping CTMC_R : R ↦ CTMC_R(R), associating to R the “underlying” CTMC. If the set of terms in R of sort System is finite, it is also possible to compute CTMC_R(R) explicitly. We mention here that the same method will work for expressing the Performance Evaluation Process Algebra (PEPA) language [22] as a probabilistic rewrite theory. It is well known that the process terms in this process algebraic framework have an underlying CTMC semantics. It is easy to specify PEPA as a probabilistic rewrite theory: we only need to require that, given a state represented by a process term, the other states reachable from it by applications of reduction rules, as well as the associated rates, are computable. This is clearly true of process algebraic terms. Of course this change will be reflected in the definition of the function πselect above (which will perform these computations, which depend on the state represented by x). It is also possible to express various other models with underlying CTMC semantics in this fashion. For example, Stochastic Activity Networks (SANs) [34], Stochastic Reward Nets (SRNs) [35] and Generalized Stochastic Petri Nets (GSPNs) [29, 8] are well known models with underlying CTMC semantics. Stochastic Petri Nets (SPNs) with generally distributed firing times are known to be isomorphic to GSMPs, and we have already shown how we can specify GSMPs as probabilistic rewrite theories. As pointed out in the respective subsections, for various restricted classes of rewrite theories we can define appropriate inverse maps. All the mappings defined in this section were summarized in Figure 1.

5 Probabilistic Rewriting Temporal Logic (PRTL)

We define two probabilistic temporal logics. The logics for the various models considered earlier can be viewed as special versions of our logics.

5.1 Syntax of PRTL and PRTL∗

The logics PRTL and PRTL∗ are the natural extensions of CTL and CTL* [14] by adding the probabilistic operator P. Informally P^∀_{≤p}(ϕ) (resp. P^∀_{≥p}(ϕ)) means that the probability that ϕ holds, for all adversaries, is less than or equal to (resp. greater than or equal to) p. P^∃_{≤p}(ϕ) (resp. P^∃_{≥p}(ϕ)) means that, for some adversary, the probability that ϕ holds is less than or equal to (resp. greater than or equal to) p. In the following, φ represents state formulas and ϕ represents path formulas. The syntax of PRTL (probabilistic extension of CTL) is given by:

φ ::= true | q ∈ AP_Π | ¬φ | φ ∧ φ | P^∀_{⋈p}(ϕ) | P^∃_{⋈p}(ϕ)
ϕ ::= Xφ | φ U φ

The syntax of PRTL∗ (probabilistic extension of CTL*) is given by:

φ ::= true | q ∈ AP_Π | ¬φ | φ ∧ φ | Aϕ | Eϕ | P^∀_{⋈p}(ϕ) | P^∃_{⋈p}(ϕ)
ϕ ::= φ | ϕ ∧ ϕ | ¬ϕ | Xϕ | ϕ U ϕ

In the above definitions ⋈ stands for one of <, ≤, >, ≥ and p ∈ [0, 1].

5.2 Semantics of PRTL and PRTL∗

For the tuple (R, k, {α_r}_{r∈R}, Π, A), with R ∈ PRwTh, k a kind, α_r the F_r-covers, Π the chosen state predicates defined by the equations E ∪ D, and A a set of adversaries, the semantics of PRTL is defined as follows:

[u]_A |= true                 for all [u]_A ∈ Can_{Σ,E/A,k}
[u]_A |= q                    iff q ∈ L_Π([u]_A)
[u]_A |= ¬φ                   iff [u]_A ⊭ φ
[u]_A |= φ1 ∧ φ2              iff [u]_A |= φ1 and [u]_A |= φ2
[u]_A |= P^∀_{⋈p}(ϕ)           iff Pr_{a_R}({ω_{[u]_A} ∈ Ω_{[u]_A} | ω_{[u]_A} |= ϕ}) ⋈ p for all a_R ∈ A
[u]_A |= P^∃_{⋈p}(ϕ)           iff Pr_{a_R}({ω_{[u]_A} ∈ Ω_{[u]_A} | ω_{[u]_A} |= ϕ}) ⋈ p for some a_R ∈ A
ω_{[u]_A} |= Xφ               iff ω_{[u]_A}(1) |= φ
ω_{[u]_A} |= φ1 U φ2          iff ∃k ≥ 0 . ω_{[u]_A}(k) |= φ2 and ω_{[u]_A}(i) |= φ1 for i ∈ [0 : k − 1]

The semantics for PRTL∗ is likewise defined as follows:

[u]_A |= true                 for all [u]_A ∈ Can_{Σ,E/A,k}
[u]_A |= q                    iff q ∈ L_Π([u]_A)
[u]_A |= ¬φ                   iff [u]_A ⊭ φ
[u]_A |= φ1 ∧ φ2              iff [u]_A |= φ1 and [u]_A |= φ2
[u]_A |= Aϕ                   iff ∀ω_{[u]_A} ∈ Ω_{[u]_A} . ω_{[u]_A} |= ϕ
[u]_A |= Eϕ                   iff ∃ω_{[u]_A} ∈ Ω_{[u]_A} . ω_{[u]_A} |= ϕ
[u]_A |= P^∀_{⋈p}(ϕ)           iff Pr_{a_R}({ω_{[u]_A} ∈ Ω_{[u]_A} | ω_{[u]_A} |= ϕ}) ⋈ p for all a_R ∈ A
[u]_A |= P^∃_{⋈p}(ϕ)           iff Pr_{a_R}({ω_{[u]_A} ∈ Ω_{[u]_A} | ω_{[u]_A} |= ϕ}) ⋈ p for some a_R ∈ A
ω_{[u]_A} |= ¬ϕ               iff ω_{[u]_A} ⊭ ϕ
ω_{[u]_A} |= ϕ1 ∧ ϕ2          iff ω_{[u]_A} |= ϕ1 and ω_{[u]_A} |= ϕ2
ω_{[u]_A} |= Xϕ               iff ω^1_{[u]_A} |= ϕ
ω_{[u]_A} |= ϕ1 U ϕ2          iff ∃k ≥ 0 . ω^k_{[u]_A} |= ϕ2 and ω^i_{[u]_A} |= ϕ1 for i ∈ [0 : k − 1]

5.3 Unifying Probabilistic Temporal Logics

The logic pCTL (resp. pCTL*) [5] can be seen as a special case of PRTL (resp. PRTL*), when interpreted over finitary probabilistic rewrite theories with the associated set of adversaries A_1, by removing the next operator X from PRTL (resp. PRTL*). The logic PBTL [3] agrees with PRTL when interpreted over finitary probabilistic rewrite theories. The probabilistic rewrite theories where each rewrite rule has an extra single variable t ∈ R≥0, denoting time, on the right-hand side of each rule can be seen as a model for continuous time probabilistic systems. When interpreted over such systems, the logic CSL (continuous stochastic logic) [1, 2]⁶ can be seen as a special case of PRTL by removing the operator P^∃_{⋈p} from PRTL. Any formula of the form φ1 U^{≤t} φ2 in CSL can be expressed by a formula of the form φ'1 U φ'2 in PRTL by including the atomic propositions involving the state variable t in the state formulas φ1 and φ2.
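As an added example (ours, not from the paper) of the path-formula semantics of Section 5.2, the following evaluator decides ω^k |= ϕ for the PRTL∗ path operators over finite execution traces, and reads the P operators as relative frequencies over a sample of traces, in the spirit of the statistical validation methods [39] the paper points to. The representation is our assumption: a state is a frozenset of atomic propositions, ω(k) is `path[k]`, the suffix ω^k is `path[k:]`, a trace is a finite prefix (so X at the last position is false and U must find its witness inside the prefix), and formulas are nested tuples. The traces and the `eventually` abbreviation are constructed for the example.

```python
"""Added example (ours, not from the paper): an evaluator for PRTL* path
formulas over finite execution traces, following the semantics of Section 5.2,
plus relative-frequency estimates of the P operators over sampled traces.

Assumptions (ours): a path omega is a list of states, each a frozenset of
atomic propositions; omega(k) is path[k] and the suffix omega^k is path[k:].
A trace is a finite prefix of a path, so X at the last position is False and
U must find its witness inside the prefix.  Formulas are nested tuples:
  ("true",) | ("ap", q) | ("not", f) | ("and", f, g) | ("X", f) | ("U", f, g)
A state formula is evaluated on a path at omega(0), as the rule phi ::= ... allows.
"""
from typing import FrozenSet, List, Sequence, Tuple

State = FrozenSet[str]
Path = Sequence[State]
Formula = Tuple


def holds(path: Path, k: int, f: Formula) -> bool:
    """omega^k |= f, for the suffix of `path` starting at position k."""
    if k >= len(path):
        return False                       # nothing left of this finite prefix
    op = f[0]
    if op == "true":
        return True
    if op == "ap":
        return f[1] in path[k]             # q in L_Pi(omega(k))
    if op == "not":
        return not holds(path, k, f[1])
    if op == "and":
        return holds(path, k, f[1]) and holds(path, k, f[2])
    if op == "X":
        return holds(path, k + 1, f[1])    # omega^{k+1} |= f
    if op == "U":
        f1, f2 = f[1], f[2]
        for j in range(k, len(path)):      # look for the witness position j
            if holds(path, j, f2):
                return True                # f1 held on [k : j-1], f2 holds at j
            if not holds(path, j, f1):
                return False
        return False
    raise ValueError(f"unknown operator {op!r}")


def eventually(f: Formula) -> Formula:
    """F f as the derived form true U f (not a primitive of the paper's syntax)."""
    return ("U", ("true",), f)


def all_paths(paths: List[Path], f: Formula) -> bool:
    """A f over a sample of paths from one state."""
    return all(holds(p, 0, f) for p in paths)


def some_path(paths: List[Path], f: Formula) -> bool:
    """E f over a sample of paths from one state."""
    return any(holds(p, 0, f) for p in paths)


def fraction_satisfying(paths: List[Path], f: Formula) -> float:
    """Relative frequency of f over sampled traces.  This estimates
    Pr_{a_R}({omega | omega |= f}) for the adversary that produced the sample;
    it is not the exact measure, and it says nothing about other adversaries."""
    if not paths:
        raise ValueError("empty sample")
    return sum(holds(p, 0, f) for p in paths) / len(paths)


def prob_at_least(paths: List[Path], f: Formula, p: float) -> bool:
    """Sample-based reading of P_{>=p}(f) for the sampled adversary."""
    return fraction_satisfying(paths, f) >= p


# Constructed sample traces (not real PMaude output): the status of the first
# clock of the two-clocks example of the appendix, one state per rewrite step.
SAMPLE_TRACES: List[Path] = [
    [frozenset({"running"}), frozenset({"running"}), frozenset({"broken"})],
    [frozenset({"running"}), frozenset({"broken"}), frozenset({"broken"})],
    [frozenset({"running"}), frozenset({"running"}), frozenset({"running"})],
    [frozenset({"running"}), frozenset({"running"}), frozenset({"running"}),
     frozenset({"broken"})],
]
RUNNING_UNTIL_BROKEN: Formula = ("U", ("ap", "running"), ("ap", "broken"))

if __name__ == "__main__":
    for tr in SAMPLE_TRACES:
        print(holds(tr, 0, RUNNING_UNTIL_BROKEN), holds(tr, 0, ("X", ("ap", "broken"))))
    print(fraction_satisfying(SAMPLE_TRACES, RUNNING_UNTIL_BROKEN))
```

The distinction the semantics draws between ω(k) (the k-th state, used by PRTL) and ω^k (the k-th suffix, used by PRTL∗) is what lets `holds` nest path operators: `("X", ("X", f))` is evaluated on the suffix `path[2:]`, not just on the state `path[2]`. Treating a finite trace as a prefix is a deliberate conservative reading: an X or U whose witness would lie beyond the sampled prefix is reported as not satisfied.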

6 Tools: The PMaude Interpreter and Other Tools

We have developed an interpreter called PMaude, which provides a framework for the specification and execution of finitary probabilistic rewrite theories. The PMaude interpreter has been built on top of Maude 2.0 [10] using the Full-Maude library [13]. We describe below how a finitary probabilistic rewrite theory is specified in our implemented framework and discuss some of the implementation details. Consider a finitary probabilistic rewrite theory with k distinct rewrite labels and with ni rewrite rules for the ith distinct label, for i = 1, 2, ..., k:

l1 : t1 → t′11 if C11 [rate r11(x⃗)]
  ···
l1 : t1 → t′1n1 if C1n1 [rate r1n1(x⃗)]
  ···
lk : tk → t′k1 if Ck1 [rate rk1(x⃗)]
  ···
lk : tk → t′knk if Cknk [rate rknk(x⃗)]

At one level we want all rewrite rules in the specification to have distinct labels, so that we have low level control over these rules, while at the conceptual level groups of rules must have the same label. We achieve this by giving two labels: one, common to a group and corresponding to the group's label l, at the beginning, and another, unique for each rule, at the end. The above finitary probabilistic rewrite theory can be specified as follows in the PMaude interpreter:

pmod FINITARY-EXAMPLE is
  ...
  cprl [l1]: t1 => t'11 if C11 [rate r11(x1,..)][label l11] .
  ...
  cprl [l1]: t1 => t'1n1 if C1n1(x1,..) [rate r1n1(x1,..)][label l1n1] .
  ...
  cprl [lk]: tk => t'k1 if Ck1 [rate rk1(x1,..)][label lk1] .
  ...
  cprl [lk]: tk => t'knk if Cknk [rate rknk(x1,..)][label lknk] .
endpm

⁶ We consider the logic operators of CSL as defined in [1, 2]. We do not consider the additional “steady state” operators introduced in [20].

User input and output are supported as in Full Maude using the LOOP-MODE module. PMaude extends the Full Maude functions for parsing modules and any terms entered later by the user for rewriting purposes. Currently PMaude supports four user commands. Two of these are low level commands used to change certain seeds of the pseudo-random generators; we shall not describe the implementation of these two commands here. The other two commands are rewrite commands. Their syntax is as follows:

(prew t .)
(prew-[n] t .)

The default module M in which these commands are interpreted is the last read probabilistic module. The prew command is an instruction to the interpreter to rewrite the term t in the default module M until no further rewrites are possible. Of course, it could happen that this command fails to terminate. The prew-[n] command takes a natural number n specifying the maximum number of rewrites to perform on the term t. This command always terminates in at most n steps of rewriting. Both commands report the final term (if prew terminates). The implementation of these commands is as follows. When the interpreter is given one of these commands, it extracts the term t from the command and then computes all possible one-step rewrites for t in the default module M. Out of all possible groups l1, l2, .., lk in which some rewrite rule applies, one is chosen uniformly at random. For the chosen group li, all the rewrite rules li1, li2, .., lini associated with li are guaranteed to have the same left-hand side ti(x1,x2,..). From all possible canonical (substitution, context) pairs ([θ]_A, [C]_A) for the variables xj, representing successful matches of ti(x1,x2,..) with the given term t, that is, mat­ches that also satisfy one of the conditions Cij on the right hand side, one of the matches is chosen uniformly at random. This also describes the exact adversary a_R ∈ A_3 we associate to a given finitary probabilistic rewrite theory (see subsection 3.4). To choose the exact rewrite rule lij to apply, use of the rate functions is made.
The values of the various rates rip are calculated for those rules lip such that [θ]_A satisfies the condition of the rule lip. Then these rates are normalized and the choice of the rule lij is made probabilistically, based on the calculated rates. This rewrite rule is then applied to the term t, in the chosen context with the chosen substitution. The interpreter then decides whether to stop rewriting or to proceed, based on the command prew or prew-[n]. If the interpreter finds no successful matches for a given term, it immediately reports that term as the answer. Whichever way the interpreter terminates, it always reports the final term reached. Notice that the rates depend on the chosen substitution. This allows users to specify very general systems, in which the probabilities of actions are actually determined by the physical state of the system. The URL for the complete code of the PMaude interpreter and the code for two small examples are given in the Appendix. PMaude can be used to generate execution traces of concurrent systems with probabilistic actions. The programmer must supply the system specification along with the probabilities as a PMaude module and also supply a start term. The interpreter will then generate an execution trace for the system as per the specification. To obtain different traces the seeds for the random number generators must be changed at each invocation. This can be done by using a scripting language to call the interpreter repeatedly, setting different seeds before each execution. The simulation traces generated by PMaude can be used for various purposes: to infer the average behavior of certain parameters of interest, as well as for probabilistic validation of properties [39].

6.1 Extensions of PMaude and use with other tools

The scheme used to represent finitary probabilistic rewrite theories in PMaude can be extended to also represent more general probabilistic rewrite theories. Moreover, we can implement the mappings CTMC_R, PNS_R and GSMP_R to convert certain restricted classes of probabilistic rewrite theories into the underlying models CTMC, PNS and GSMP, respectively. In the case of PNSs and CTMCs one can use existing tools like ETMCC and PRISM [19, 27] for model checking the initial specification. The mapping CTMC_R also provides us with the ability to use a number of other tools. These include the Stochastic Petri Net Package (SPNP) [9] for verifying SPNs and SRNs, and the UltraSAN package [11] for verifying SANs. The GSMP_R mapping enables us to use the GMSim tool [36], which has been developed to analyze GSMPs (recall Figure 1). Finally, note that for systems such as GSMPs, for which no known verification tools exist, acceptance sampling methods have been used to provide probabilistic validation of properties [39]. These methods depend on simulation traces of executions. As pointed out in Section 6, the PMaude tool can be used to generate such simulation traces.

7 Conclusions and Future Work

We have developed probabilistic rewrite theories, which provide a general semantic framework supporting high level specification of probabilistic systems. We showed how various well known models can be seen as special cases of our general framework. For one fairly general subclass, namely finitary probabilistic rewrite theories, we have implemented a simulator, PMaude, and tested it on some relatively simple examples. However, further work is required in developing the theory, enhancing the tool and carrying out case studies. On the more theoretical side, we feel that it is important to develop a general model of probabilistic systems with concurrent probabilistic actions, as opposed to the current interleaving semantics. One then needs to define the semantics of such systems and the associated probability space. Moreover, deductive and analytic methods for property verification of probabilistic systems, based on our current framework, seem to be an important research direction. As an application of our theory, we believe that it will be fruitful to apply our ideas to the study of probabilistic hybrid systems, where, apart from time, there are other continuous state variables whose stochastic behavior might be of interest. Extending the PMaude framework to enable the specification of a more general class of probabilistic rewrite theories and adversaries is required. This will allow the generation of simulation traces for the system under consideration and will be necessary for the implementation of the model independent Monte-Carlo simulation and acceptance sampling methods in [39] for our logics (see Section 5).

Furthermore, the development of algorithms implementing the mappings R_PNS, R_GSMP, R_CTMC (see Section 4) will allow hooking up our tool with other verification and performance analysis tools [27, 20, 7, 36].

8 Acknowledgment

The work is supported in part by the Defense Advanced Research Projects Agency (the DARPA IPTO TASK Program, contract number F30602-00-2-0586, and the DARPA IXO NEST Program, contract number F33615-01-C-1907) and the ONR Grant N00014-02-1-0715. We would like to thank Narciso Martí-Oliet and Abhay Vardhan for reading a previous version of this paper and giving us valuable feedback, and Joost-Pieter Katoen for very helpful discussions and pointers to references.

References

1. A. Aziz, K. Sanwal, V. Singhal, and R. K. Brayton. Verifying continuous-time Markov chains. In R. Alur and T. A. Henzinger, editors, Eighth International Conference on Computer Aided Verification (CAV), volume 1102 of LNCS, pages 269–276, New Brunswick, NJ, USA, 1996. Springer-Verlag.
2. A. Aziz, K. Sanwal, V. Singhal, and R. Brayton. Model-checking continuous-time Markov chains. ACM Transactions on Computational Logic (TOCL), 1(1):162–170, 2000.
3. C. Baier and M. Z. Kwiatkowska. Model checking for a probabilistic branching time logic with fairness. Distributed Computing, 11(3):125–155, 1998.
4. J. Bergstra and J. Tucker. Characterization of computable data types by means of a finite equational specification method. In J. W. de Bakker and J. van Leeuwen, editors, Automata, Languages and Programming, Seventh Colloquium, volume 81 of LNCS, pages 76–90. Springer-Verlag, 1980.
5. A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In FSTTCS: Foundations of Software Technology and Theoretical Computer Science, 15, 1995.
6. A. Bouhoula, J.-P. Jouannaud, and J. Meseguer. Specification and proof in membership equational logic. Theoretical Computer Science, 236:35–132, 2000.
7. G. Chiola, C. Anglano, J. Campos, J. M. Colom, and M. Silva. Operational analysis of timed Petri nets and application to the computation of performance bounds. In 5th International Workshop on Petri Nets and Performance Models, Toulouse, France, 19–22 October 1993, pages 128–137, 1993.
8. G. Ciardo, R. German, and C. Lindemann. A characterization of the stochastic process underlying a stochastic Petri net. Software Engineering, 20(7):506–515, 1994.
9. G. Ciardo, J. K. Muppala, and K. S. Trivedi. SPNP: Stochastic Petri net package. In PNPM, pages 142–151, 1989.
10. M. Clavel, F. Durán, S. Eker, P. Lincoln, N. Martí-Oliet, J. Meseguer, and J. Quesada. Maude: specification and programming in rewriting logic. Theoretical Computer Science, 285:187–243, 2002.
11. J. A. Couvillion, R. Freire, R. Johnson, W. D. Obal, M. A. Qureshi, M. Rai, W. H. Sanders, and J. E. Tvedt. Performability modeling with UltraSAN. IEEE Software, 8(5):69–80, Sept. 1991.
12. L. de Alfaro. Temporal logics for the specification of performance and reliability. In Symposium on Theoretical Aspects of Computer Science, pages 165–176, 1997.
13. F. Durán and J. Meseguer. On parameterized theories and views in Full Maude 2.0. In K. Futatsugi, editor, Proc. 3rd Intl. Workshop on Rewriting Logic and its Applications. ENTCS, Elsevier, 2000.
14. E. M. Clarke, O. Grumberg, and D. A. Peled. Model checking. MIT Press, 1999.
15. L. Franken and B. Haverkort. Quality of service management using generic modelling and monitoring techniques. distrib, 1997.
16. S. Gilmore and J. Hillston. The PEPA workbench: A tool to support a process algebra-based approach to performance modelling. In Computer Performance Evaluation, pages 353–368, 1994.
17. P. Glynn. The role of generalized semi-Markov processes in simulation output analysis, 1983.
18. P. J. Haas and G. S. Shedler. Regenerative simulation of stochastic Petri nets. In International Workshop on Timed Petri Nets, Torino, Italy, July 1–3, 1985, pages 14–21. IEEE Computer Society Press, 1985.
19. H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A Markov chain model checker. In Tools and Algorithms for the Construction and Analysis of Systems, 6th International Conference, TACAS 2000, Berlin, Germany, pages 347–362, 2000.
20. H. Hermanns, J.-P. Katoen, J. Meyer-Kayser, and M. Siegle. A Markov chain model checker. In Tools and Algorithms for Construction and Analysis of Systems, pages 347–362, 2000.
21. J. Hillston. A Compositional Approach to Performance Modelling. PhD thesis, Distinguished Dissertations Series. Cambridge University Press, 1996.
22. J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996.
23. J. Hillston and M. Ribaudo. Stochastic process algebras: A new approach to performance modeling. In J. W. K. Bagchi and G. Zobrist, editors, Modeling and Simulation of Advanced Computer Systems. Gordon Breach, 1998.
24. J.-P. Katoen, M. Kwiatkowska, G. Norman, and D. Parker. Faster and symbolic CTMC model checking. Lecture Notes in Computer Science, 2165, 2001.
25. N. Kumar, K. Sen, J. Meseguer, and G. Agha. Probabilistic rewrite theories. Manuscript, June 2002. http://yangtze.cs.uiuc.edu/~ksen/papers/prwth.ps.
26. M. Kwiatkowska, G. Norman, and J. Sproston. Probabilistic model checking of the IEEE 802.11 wireless local area network protocol. In H. Hermanns and R. Segala, editors, Proc. 2nd Joint International Workshop on Process Algebra and Probabilistic Methods, Performance Modeling and Verification (PAPM/PROBMIV'02), volume 2399 of LNCS, pages 169–187. Springer, 2002.
27. M. Z. Kwiatkowska, G. Norman, and D. Parker. PRISM: Probabilistic symbolic model checker, 2002.
28. M. A. Marsan. Stochastic Petri nets: An elementary introduction. Lecture Notes in Computer Science; Advances in Petri Nets 1989, 424:1–29, 1990.
29. M. A. Marsan, G. Balbo, G. Chiola, G. Conte, S. Donatelli, and G. Franceschinis. An introduction to generalized stochastic Petri nets. Microelectronics and Reliability, 31(4):699–725, 1991.
30. M. A. Marsan, A. Bobbio, and S. Donatelli. Petri nets in performance analysis: An introduction. Lecture Notes in Computer Science: Lectures on Petri Nets I: Basic Models, 1491:211–256, 1998.
31. J. Meseguer. Conditional rewriting logic as a unified model of concurrency. Theoretical Computer Science, 96(1):73–155, 1992.
32. J. Meseguer. Membership algebra as a logical framework for equational specification. In F. Parisi-Presicce, editor, Proc. WADT'97, volume 1376 of LNCS, pages 18–61. Springer, 1998.
33. J. Meseguer. Research directions in rewriting logic. In U. Berger and H. Schwichtenberg, editors, Computational Logic, NATO Advanced Study Institute, Marktoberdorf, Germany, July 29 – August 6, 1997. Springer-Verlag, 1999.
34. J. F. Meyer, A. Movaghar, and W. H. Sanders. Stochastic activity networks: Structure, behavior and application. In International Workshop on Timed Petri Nets, Torino, Italy, July 1–3, 1985, pages 106–115. IEEE Computer Society Press, 1985.
35. J. K. Muppala, G. Ciardo, and K. S. Trivedi. Stochastic reward nets for reliability prediction. Communications in Reliability, Maintainability and Serviceability, 1(2):9–20, July 1994.
36. F. Nilsen. GMSim: A tool for compositional GSMP modeling, 1998.
37. P. C. Ölveczky and J. Meseguer. Specification of real-time and hybrid systems in rewriting logic. Theoretical Computer Science, 285:359–405, 2002.
38. P. Viry. Equational rules for rewriting logic. Theoretical Computer Science, 285:487–517, 2002.
39. H. L. S. Younes and R. G. Simmons. Probabilistic verification of discrete event systems using acceptance sampling. In E. Brinksma and K. G. Larsen, editors, Proceedings of the 14th International Conference on Computer Aided Verification, volume 2404 of Lecture Notes in Computer Science, pages 223–235, Copenhagen, Denmark, July 2002. Springer.

Appendix

Example 1: Two Clocks

This system consists of two clocks operating on batteries. Each rewrite rule describes a possible action of a clock. The rules are divided into three groups. In group g3, the rule specifies that the clock is just reset. This models human intervention in this particular system. In group g2 there are two rules. One rule says that a clock ticks and the other says that it breaks. The probability that it breaks depends on the battery power and increases as the power decreases. The exact probability can be calculated from the rate functions specified in the code below. Each tick of the clock decreases its battery power by a certain quantity. The clocks tick in unison (as long as they are not broken or reset). After each tick they become unable to tick until the rewrite rule in group g1 enables both of them (or one of them, if the other is broken). The complete specification is given below.

*** clock-pmaude.maude
(pmod CLOCK is
  *** mandatory declarations
  inc RAT .
  op p : -> Rat .
  sorts Clock Flag Status State .
  ops current next : -> Flag .
  ops running broken : -> Status .
  op clock : Rat Nat Status Flag -> Clock [ctor] .
  *** - Two clocks form the global state
  op state : Clock Clock -> State [ctor] .
  op enabled : State -> Bool .
  op tick : State -> State .
  op delta : -> Rat .
  eq delta = 1 / 10 .
  op init : -> State .
  var S : State .
  vars t t1 t2 : Nat .
  vars B B1 B2 : Rat .
  vars f f1 f2 : Flag .
  vars C1 C2 : Clock .
  var s : Status .
  *** - Definition of the enabled predicate
  eq enabled( state(clock(B,t,running,current ), C2 ) ) = true .
  eq enabled( state(C1,clock(B,t,running,current )) ) = true .
  *** - Once a clock is broken it is never to be ticked
  *** - This statement will ensure that
  eq enabled(state(clock(B1,t1,broken,f1),clock(B2,t2,broken,f2))) = true .
  op enable : Clock -> Clock .
  eq tick(state(C1,C2)) = state(enable(C1),enable(C2)) .
  eq enable(clock(B,t,running,next)) = clock(B,t,running,current) .
  eq enable(clock(B,t,broken,f)) = clock(B,t,broken,f) .
  cprl [g1] : S => tick(S) if enabled(S) =/= true rate[1][label tick] .
  prl [g2] : clock(B,t,running,current) => clock(B - delta,t + 1,running,next) rate[B][label internal-run] .
  prl [g2] : clock(B,t,running,current) => clock(B,t,broken,current) rate[1][label internal-break] .
  prl [g3] : clock(B,t,running,current) => clock(B,0,running,next) rate[1][label reset] .
  eq init = state(clock(100,7,running,current), clock(200,0,running,current)) .
endpm)

The results of a few command executions are shown below.

Maude> (prew init .)
rewrites: 1176805 in 5740ms cpu (5940ms real) (205018 rewrites/second)
state(clock(91,3,broken,current),clock(1589/10,1,broken,current))
Maude> (prew-[10] init .)
rewrites: 8004 in 40ms cpu (40ms real) (200100 rewrites/second)
state(clock(999/10,0,running,next),clock(999/5,2,running,current))

Example 2: The Rooks Example

This module describes two rooks on a board. The rooks move on the board independently of each other in one of four possible directions (unlike chess rooks, these rooks move only a single square at a time), with some associated rates. The rooks always remain on the board. However, there may be situations in which the rooks come together in one square. In this case they can either move away in one of the four possible directions, or they can make another non-deterministic choice: they can decide to fight. If the rooks fight they both die.

(pmod ROOKS is
  *** - Mandatory declarations in a probabilistic module
  inc RAT .
  op p : -> Rat .
  inc NAT .
  *** - Telling whether a rook is alive or dead
  sort Flag .
  ops alive dead : -> Flag .
  sort Rook .
  op rook : Nat Nat Flag -> Rook .
  *** - A board has two wandering rooks
  sort Board .
  op board : Rook Rook -> Board .
  *** - Length of board in the X and Y directions
  *** - Lower left square of the board is (0,0)
  ops X Y : -> Nat .
  *** - Defining X and Y - change as required.
  eq X = 7 .
  eq Y = 7 .
  vars N1 N2 : Nat .
  prl [g1] : rook(N1,N2,alive) => rook(N1 + 1, N2, alive) rate[X - N1][label move-right] .
  prl [g1] : rook(N1,N2,alive) => rook(- 1 + N1, N2, alive) rate[N1][label move-left] .
  prl [g1] : rook(N1,N2,alive) => rook(N1, N2 + 1, alive) rate[Y - N2][label move-up] .
  prl [g1] : rook(N1,N2,alive) => rook(N1, - 1 + N2, alive) rate[N2][label move-down] .
  *** - if the rooks are together they could kill each other
  prl [g2] : board(rook(N1,N2,alive),rook(N1,N2,alive)) => board(rook(N1,N2,dead),rook(N1,N2,dead)) rate[1][label fight] .
  op init : -> Board .
  eq init = board(rook(2,3,alive),rook(3,5,alive)) .
endpm)

We show below the results of a few command executions.

Maude> (prew init .)
rewrites: 212364 in 800ms cpu (810ms real) (265455 rewrites/second)
board(rook(5,3,dead),rook(5,3,dead))
Maude> (prew-[10] init .)
rewrites: 13288 in 60ms cpu (60ms real) (221466 rewrites/second)
board(rook(3,1,alive),rook(4,5,alive))
Maude> (set ndSeed 95467 .)
rewrites: 86 in 0ms cpu (0ms real) (~ rewrites/second)
Seed for random number generator set
Maude> (prew init .)
rewrites: 7878 in 30ms cpu (30ms real) (262600 rewrites/second)
board(rook(2,6,dead),rook(2,6,dead))
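As an added example (ours, not PMaude's own code), the following Python program re-implements the prew / prew-[n] selection procedure described in Section 6 and runs it on the ROOKS rules above: per step it picks an applicable group uniformly, then a (context, substitution) match of that group's shared left-hand side uniformly, then the rule to fire with probability proportional to its rate under that substitution. Terms are nested tuples and the rate functions are the ones written in the module; the one assumption we add is that a rule whose rate evaluates to 0 is never chosen, which is how `rate[X - N1]` and `rate[N1]` keep a rook on the board. `INIT` mirrors `eq init`.

```python
"""Added example (ours, not PMaude's code): the prew / prew-[n] selection
procedure of Section 6, run on the rules of the ROOKS module.
Per step: (1) choose uniformly among groups with an applicable rule,
(2) choose uniformly among that group's (context, substitution) matches,
(3) choose the rule with probability proportional to its rate.
Assumption: a rule whose rate evaluates to 0 cannot be chosen."""
import random
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

Term = tuple                 # ("board", r1, r2) or ("rook", x, y, flag)
Subst = Dict[str, int]
Pos = Tuple[int, ...]        # path of argument indices from the root
X, Y = 7, 7                  # eq X = 7 .  eq Y = 7 .

@dataclass(frozen=True)
class Rule:
    group: str
    label: str
    match: Callable[[Term], Optional[Subst]]   # the left-hand side pattern
    rhs: Callable[[Subst], Term]
    rate: Callable[[Subst], float]

def match_alive_rook(t: Term) -> Optional[Subst]:
    """rook(N1,N2,alive)"""
    return {"N1": t[1], "N2": t[2]} if t[0] == "rook" and t[3] == "alive" else None

def match_meeting(t: Term) -> Optional[Subst]:
    """board(rook(N1,N2,alive),rook(N1,N2,alive)): both alive on one square."""
    if t[0] == "board" and t[1][:3] == t[2][:3] and t[1][3] == t[2][3] == "alive":
        return {"N1": t[1][1], "N2": t[1][2]}
    return None

RULES: List[Rule] = [
    Rule("g1", "move-right", match_alive_rook, lambda s: ("rook", s["N1"] + 1, s["N2"], "alive"), lambda s: X - s["N1"]),
    Rule("g1", "move-left",  match_alive_rook, lambda s: ("rook", s["N1"] - 1, s["N2"], "alive"), lambda s: s["N1"]),
    Rule("g1", "move-up",    match_alive_rook, lambda s: ("rook", s["N1"], s["N2"] + 1, "alive"), lambda s: Y - s["N2"]),
    Rule("g1", "move-down",  match_alive_rook, lambda s: ("rook", s["N1"], s["N2"] - 1, "alive"), lambda s: s["N2"]),
    Rule("g2", "fight", match_meeting,
         lambda s: ("board", ("rook", s["N1"], s["N2"], "dead"), ("rook", s["N1"], s["N2"], "dead")),
         lambda s: 1),
]

def positions(t: Term, here: Pos = ()) -> List[Pos]:
    """All constructor-term positions (the contexts [C]_A), root first."""
    out = [here]
    for i, arg in enumerate(t[1:], start=1):
        if isinstance(arg, tuple):
            out.extend(positions(arg, here + (i,)))
    return out

def subterm(t: Term, pos: Pos) -> Term:
    return t if not pos else subterm(t[pos[0]], pos[1:])

def replace_at(t: Term, pos: Pos, new: Term) -> Term:
    if not pos:
        return new
    i = pos[0]
    return t[:i] + (replace_at(t[i], pos[1:], new),) + t[i + 1:]

def rule_weights(group: str, subst: Subst) -> Dict[str, float]:
    """Step (3): the group's rates under `subst`, normalised to sum to 1."""
    raw = {r.label: max(float(r.rate(subst)), 0.0) for r in RULES if r.group == group}
    total = sum(raw.values())
    return {lbl: w / total for lbl, w in raw.items()} if total > 0 else raw

def matches_by_group(t: Term) -> Dict[str, List[Tuple[Pos, Subst]]]:
    """Successful (context, substitution) matches of each group's shared
    left-hand side, keeping only those under which some rule has rate > 0."""
    out: Dict[str, List[Tuple[Pos, Subst]]] = {}
    for group in sorted({r.group for r in RULES}):
        lhs = next(r.match for r in RULES if r.group == group)
        for pos in positions(t):
            subst = lhs(subterm(t, pos))
            if subst is not None and sum(rule_weights(group, subst).values()) > 0:
                out.setdefault(group, []).append((pos, subst))
    return out

def step(t: Term, rng: random.Random) -> Tuple[Term, Optional[str]]:
    """One probabilistic rewrite; (t, None) when no rule applies."""
    by_group = matches_by_group(t)
    if not by_group:
        return t, None
    group = rng.choice(sorted(by_group))                 # (1) uniform over groups
    pos, subst = rng.choice(by_group[group])             # (2) uniform over matches
    weights = rule_weights(group, subst)
    label = rng.choices(list(weights), weights=list(weights.values()), k=1)[0]
    rule = next(r for r in RULES if r.group == group and r.label == label)
    return replace_at(t, pos, rule.rhs(subst)), label

def simulate(t: Term, max_steps: Optional[int] = None, seed: int = 0) -> List[Term]:
    """Trace of terms from t; stops when no rule applies (prew) or after
    max_steps rewrites (prew-[n]).  The seed plays the role of ndSeed."""
    rng = random.Random(seed)
    trace = [t]
    while max_steps is None or len(trace) - 1 < max_steps:
        t, label = step(t, rng)
        if label is None:
            break
        trace.append(t)
    return trace

def prew(t: Term, max_steps: Optional[int] = None, seed: int = 0) -> Term:
    """The final term, which is what the PMaude commands report."""
    return simulate(t, max_steps, seed)[-1]

INIT: Term = ("board", ("rook", 2, 3, "alive"), ("rook", 3, 5, "alive"))   # eq init = ...
```

Running `prew(INIT, seed=...)` ends, as the Maude sessions above do, with both rooks dead on the same square, because alive rooks always have a move with positive rate and the fight group is chosen with probability 1/2 whenever the rooks share a square. Note where the two kinds of choice live: the group and the match are picked uniformly (this is the adversary a_R ∈ A_3 of Section 6), and only the choice within a group is driven by the rates, so changing a rate never changes which groups can fire, only how their rules are weighted.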

The complete code for the PMaude interpreter can be found at: http://yangtze.cs.uiuc.edu/~nkumar5/PMaude/.