1
Algorithmic Algebraic Model Checking II
Decidability of Semi-Algebraic Model Checking and
its applications to Systems Biology
  • Venkatesh Mysore
  • Courant Institute Of Mathematical Sciences, NYU
  • Carla Piazza
  • University of Udine, Italy
  • Bud Mishra
  • Courant Institute Of Mathematical Sciences, NYU
  • School of Medicine, NYU

2
Quick Outline
  • Semi-Algebraic Hybrid Automata: yet another
    hybrid systems subclass ??! WHY WHY WHY ?
  • Real Quantifier Elimination (Yes, the algorithm
    that Prof. Manna abhors, and gave a - -
    complexity grade)
  • Timed Computation Tree Logic (TCTL): to decide or
    not to decide ? That is the question
  • Blum-Shub-Smale Complexity: what really are Real
    Turing Machines ?
  • Algorithmic Algebraic Model Checking (AAMC):
    over-ambitious hyperbole ?

3
Simple Goals of This Talk
  • Jargon ! Jargon ! Everywhere,
  • ..and not a chance to Think !
  • Fancy phrases: where they come from, and why you
    don't really need them
  • Will I waste your 30 minutes ? NO !
  • Simple general ideas you can use
  • I have the difficult task of addressing a very
    diverse audience: from the wise men of Weizmann
    to the dainty doctors-to-be

4
Motivation: Model Checking In Biology
  • Systems Biology: model, simulate and analyze
    biochemical systems to test hypotheses, validate
    predictions and suggest experiments

5
The Model-Checking Problem: Verify Temporal
Properties Of A Reactive System
  • Step 1: Formally encode the behavior of the
    system
  • Step 2: Formally encode the properties of
    interest
  • Step 3: Automate the process of checking if the
    formal model of the system satisfies the formally
    encoded properties
  • Step 4: Conclude that the original system
    satisfies original properties (proof /
    counter-example)

6
Task: Verify temporal properties of a reactive
system
Step 1: Formally encode the behavior of the
system as a semi-algebraic hybrid automaton
7
Hybrid Systems
  • Let H = (Z, V, E, Init, Inv, Flow, Jump) be a hybrid
    automaton of dimension k
  • States have invariants and initial values
  • Transitions have jumps (guards and resets)

8
Continuous Transition
  • Invariant should hold at every point (except
    end-point) along the flow-evolution curve
  • Flow(v)(r, s, t, h) is an algebraic relation
    between the continuous state r at time t and the
    continuous state s after h time units in the
    discrete state v

9
Discrete Transition
  • Guard condition satisfied before the transition
  • Reset condition determines the values after the
    transition
  • Discrete state transitions take zero time

10
Transition Relation & Trace
  • Transition relation: expression connecting the
    possible values of the system variables before
    and after a zero-time discrete step or a
    continuous evolution for any time period t > 0
  • Trace: sequence of admissible locations

11
Trace
[Figure: trace through s1, s2, s3, s4 with steps h1, h2, h3, h4 along the time axis; total time = h1 + h2 + h3 + h4]
12
Hybrid Systems For Biochemical Modeling
  • Chemical Kinetics: the kinetic mass-action
    equations for the time variation of the
    concentrations of the interacting species of
    biochemicals can be written down in the form of a
    system of ordinary differential equations
  • The discrete states of the hybrid system can then
    be used to describe regimes of system behavior
    which are qualitatively different in terms of
    which species and reactions predominate

13
Subclasses Of Hybrid Systems
  • Timed Automaton - a discrete transition system
    where the only continuous variable allowed is the
    clock
  • Multirate Automaton - a discrete transition
    system where there can be many continuous
    variables with a constant flow
  • Rectangular Automaton - a discrete transition
    system where the flows are allowed to vary within
    a range
  • Linear Systems - The reachability problem for
    sub-classes of linear hybrid systems have been
    proved
  • O-Minimal Systems - restricted jump condition:
    the new continuous state cannot depend on the old
    state, and the system is assumed to be
    time-invariant

14
Semi-Algebraic Hybrid Systems
  • Restriction: the expressions for invariant,
    initial, guard and reset are restricted to be
    boolean combinations of polynomial equations and
    inequalities
  • Motivation: the quantified expressions
    corresponding to the translation of the temporal
    logic queries become amenable to quantifier
    elimination (and other techniques from real
    algebraic geometry)

15
Semi-Algebraic Set
  • Every quantifier-free formula composed of
    polynomial equations and inequalities, and
    Boolean connectives defines a semi-algebraic set.

16
Flow Expression Accuracy
  • Case 1: Closed-form solution is a polynomial
  • Case 2: Differential equation is a polynomial

17
Approximate Symbolic Integration: Euler Forward
Discretization
  • First order Taylor polynomial
  • Approximate as a straight line with slope equal
    to first derivative
  • If r represents the vector of variables of the
    hybrid system at time t in discrete state v, the
    approximate value of r(t + h) is given by

Leonhard Euler (1707-1783)
  • Improved Two-Way Euler: $f'(t) \approx \frac{1}{2h}\,[f(t+h) - f(t-h)]$

18
Approximate Symbolic Integration: Taylor Series
  • Differential flow equations discretized using
    Taylor polynomials
  • Degree of the Taylor polynomial influences the
    complexity of formulæ and the number of steps
    needed to get a sufficient precision
  • Error Control: upper bound the time spent in one
    step of continuous evolution

Brook Taylor (1685-1731)
In other words
19
Approximate Symbolic Integration: Second Order
Runge-Kutta
  • At time t0, find k1 - the derivative of y(t)
  • Find an initial value for y(t0 + h) using the
    Euler formula
  • From y(t0 + h) estimate k2 - the derivative of
    y(t) at t0 + h
  • Get a new value for y'(t0 + h) based on the
    average of the values of k1 and k2

Carl Runge (1856-1927)
M. W. Kutta (1867-1944)
20
Summary Of Flow Constraint
  • Accurate Solution:
  • If there exists an accurate closed-form
    semi-algebraic formula connecting y(t) and y(t + h)
    valid for all y, t and h
  • The solution of the differential equation must be
    polynomial
  • Lafferriere et al.'s work shows that in some
    cases exponential and trigonometric solutions can
    be expressed as semi-algebraic sets
  • Approximate Solution:
  • If the differential equation is polynomial
  • Approximate Symbolic Integration techniques, e.g.
    Euler, Runge-Kutta or Taylor Series
  • Upper bound continuous time step to control error
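
Added example, not from the talk or from Tolque: the Euler and second-order Runge-Kutta steps above carried out symbolically for the constructed polynomial flow dy/dt = -y^2, so the flow relation s = S(r) stays a polynomial with exact rational coefficients. All function names are hypothetical; the exact solution r/(1 + rt) is used only to measure the error.

```python
from fractions import Fraction as Fr

# A polynomial in the start state r is a coefficient list [c0, c1, ...],
# meaning c0 + c1*r + c2*r**2 + ...  Exact rationals, no floating point.

def padd(a, b):
    n = max(len(a), len(b))
    a = a + [Fr(0)] * (n - len(a))
    b = b + [Fr(0)] * (n - len(b))
    return [x + y for x, y in zip(a, b)]

def pscale(c, a):
    return [c * x for x in a]

def pmul(a, b):
    out = [Fr(0)] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def degree(a):
    return max(i for i, c in enumerate(a) if c != 0)

def peval(a, r):
    return sum(c * r**i for i, c in enumerate(a))

def f(y):
    """Constructed polynomial vector field dy/dt = -y^2, lifted to polynomials."""
    return pscale(Fr(-1), pmul(y, y))

def euler_step(y, h):
    # First-order Taylor polynomial: y(t+h) ~ y(t) + h * f(y(t))
    return padd(y, pscale(h, f(y)))

def rk2_step(y, h):
    k1 = f(y)                       # derivative at t0
    k2 = f(padd(y, pscale(h, k1)))  # derivative at the Euler estimate for t0+h
    return padd(y, pscale(h / 2, padd(k1, k2)))  # advance with the average slope

def flow_polynomial(step, h, n):
    """S with s = S(r): the state after n steps of size h, as a polynomial in r."""
    y = [Fr(0), Fr(1)]              # start from s = r
    for _ in range(n):
        y = step(y, h)
    return y

def error_at_t1(step, n):
    """Distance from the exact solution y(t) = r/(1 + r*t) at r = 1, t = 1."""
    approx = peval(flow_polynomial(step, Fr(1, n), n), Fr(1))
    return abs(approx - Fr(1, 2))

if __name__ == "__main__":
    for name, step in (("euler", euler_step), ("rk2", rk2_step)):
        for n in (2, 4):
            S = flow_polynomial(step, Fr(1, n), n)
            print(name, "steps", n, "degree", degree(S),
                  "error", float(error_at_t1(step, n)))
```

For this flow the degree of S doubles with every Euler step and quadruples with every Runge-Kutta step, so a smaller time step buys accuracy at the price of a much larger formula for the quantifier-elimination tool.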

21
Task: verify temporal properties of a reactive
system
  • Step 1. Formally encode the behavior of the
    system as a semi-algebraic automaton
  • Step 2. Formally encode the properties of
    interest in TCTL

22
Linear Temporal Logic (LTL)
  • Interpreted over sequential natural models for
    which LTL is expressively complete
  • We do not explicitly talk about the different
    paths the system can evolve through
  • A property is sequence-valid on a Kripke
    structure if it is valid in all natural models
    which are generated from it
  • Temporal Operators: Next, Eventually, Henceforth,
    Until, and past-counterparts
  • We can have an arbitrary number of such temporal
    operators preceding a property, allowing us to
    capture very complex temporal properties along
    the path

Amir Pnueli
Zohar Manna
23
Computation Tree Logic (CTL)
  • Branching Time temporal logic interpreted over
    an execution tree where branching denotes
    non-deterministic actions
  • A property is tree-valid in a Kripke model if it
    is valid in the root of the unique maximal tree
    generated from it
  • Second order logic as we explicitly quantify over
    two modes: the path and the time
  • Each time we talk about a temporal property, we
    also specify whether it is true on all possible
    paths or whether it is true on at least one path -
    Path quantifiers
  • A: for all future paths
  • E: for some future path

Ed Clarke
EA Emerson
24
Continuous-Time Logics
  • Linear Time
  • Metric Temporal Logic (MTL)
  • Timed Propositional Temporal Logic (TPTL)
  • Real-Time Temporal Logic (RTTL)
  • Explicit-Clock Temporal Logic (ECTL)
  • Metric Interval Temporal Logic (MITL)
  • Branching time
  • Real-Time Computation Tree Logic (RTCTL)
  • Timed Computation Tree Logic (TCTL)
  • TCTL: the most used branching time temporal
    logic for real-time systems (Farn Wang, 2004)

25
TCTL Syntax And Semantics
Rajeev Alur
David Dill
26
TCTL: One-Step Until
  • q can be reached within one step of the hybrid
    system and p holds until that point in the
    transition
  • p continuously holds until some intermediate
    point immediately followed by q being true
  • p or q holding all along that one step of the
    hybrid system and q being true at the end of the
    one-step evolution
  • Discrete time model-checking: next state
    operator X
  • Continuous-mode: single-step until operator

Tom Henzinger
27
TCTL Model Checking
  • Only Until requires computation
  • Until: iterative computation of one-step Until
  • Least fixpoint computation

28
Task: verify temporal properties of a reactive
system
  • Step 1. Formally encode the behavior of the
    system as a semi-algebraic hybrid automaton
  • Step 2. Formally encode the properties of
    interest in TCTL
  • Step 3. Automate the process of checking if the
    formal model of the system satisfies the formally
    encoded properties using quantifier elimination

29
Single-Step Until For Semi-Algebraic Hybrid
Systems
  • p or q holds on discrete step
  • q must be true after jump
  • p or q holds on continuous step
  • Every intermediate point must satisfy p or q
  • q must be true at the end of the evolution
  • Can be simplified into: p must hold at every
    intermediate point with q holding at the end

30
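One-Step Until
[Figure: one-step until, showing State v and State u, the locations <v,r>, <u,s> and <v,s>, a step of duration h labelled "p or q", q at the end points, and a time axis]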
31
Semi-Algebraic Sets Are Amenable To Quantifier
Elimination
  • Recall: Semi-Algebraic Set
  • Every quantifier-free formula composed of
    polynomial inequalities and Boolean connectives
    defines a semialgebraic set
  • 1930s: Tarski proved Quantifier Elimination is
    possible for quantified semi-algebraic sets but
    his algorithm was too slow

Alfred Tarski 1902-1983
32
Quantifier Elimination
  • 1973: Collins discovered new method,
    cylindrical algebraic decomposition (CAD)
  • Doubly exponential in number of variables
  • Polynomial in number and degree of polynomials,
    number of atomic formulae
  • Hoon Hong implemented the system Quantifier
    Elimination by Partial Cylindrical Algebraic
    Decomposition (Qepcad)
  • Input: $(\exists x)\; x^2 + bx + c = 0$
  • Output: $b^2 - 4c \ge 0$

Hoon Hong
33
Quantifier Elimination: Suffering from a
Complexity Complex
  • Tarski's almost impractical algorithm
  • Collins' cylindrical algebraic decomposition
    (CAD) algorithm - double-exponential dependence
    on the number of variables
  • Collins' doctoral student Hong implemented the
    first quantifier elimination software Qepcad
  • Alternative CAD-based methods: Grigoriev, Renegar
    and Heintz, that are doubly exponential in the
    number of quantifier alternations
  • Weispfenning's work on cubic quantified variables
  • Implemented on Reduce as Redlog and Risa/Asir
    1
  • Complexity independent of the number of free
    variables
  • New quantifier elimination approaches: Basu,
    Pollack and Roy

34
Semi-Decidability Of TCTL
  • Global time variable
  • Allows interpretation of the TCTL operators
    freeze (z.X) and subscripted until (Ua)
  • Initial value 0, flow 1 in all discrete states
    and never reset
  • While one-step until is decidable, the fixpoint
    is not guaranteed to converge
  • So TCTL is semi-decidable
  • Existential segment and negation of Universal
    Segment
  • Subscripted operators are decidable in non-zeno
    systems
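
Added illustration, not from the slides or from Tolque, of the Until fixpoint from the TCTL Model Checking slide and of why it only semi-decides: the one-step predecessor is written by hand in quantifier-free form (standing in for a Qepcad call) for two constructed one-dimensional systems. It assumes every state set is a single interval with p lying directly below q; all names are hypothetical.

```python
from fractions import Fraction as Fr

INF = float("inf")

# A set of continuous states is one closed interval (lo, hi); hi may be INF.
# Two constructed one-dimensional systems, each with a single discrete state:
#   flow system: dx/dt = 1, one continuous step lasts 0 < h <= H
#   jump system: discrete reset x := 2x with guard True
# The target set X always contains q, and p lies directly below q.

def pre_flow(H):
    def pre(X, p):
        # exists h. 0 < h <= H  and  r in p  and  lo <= r + h <= hi
        # eliminates to:  p_lo <= r <= p_hi  and  lo - H <= r < hi
        # (the closed upper end is harmless: X is unioned with q afterwards)
        lo, hi = X
        return (max(p[0], lo - H), min(p[1], hi))
    return pre

def pre_jump(X, p):
    # r in p  and  lo <= 2r <= hi   (no quantifier: the reset is a function)
    lo, hi = X
    return (max(p[0], lo / 2), min(p[1], hi / 2))

def until_fixpoint(pre, p, q, max_iter):
    """Iterate X := q ∪ pre(X) from X = q. Returns (converged, X, iterations)."""
    X = q
    for k in range(1, max_iter + 1):
        P = pre(X, p)
        nxt = (min(q[0], P[0]), max(q[1], P[1]))  # union of touching intervals
        if nxt == X:
            return True, X, k
        X = nxt
    return False, X, max_iter

def check_flow():
    # p: 0 <= x <= 5, q: 5 <= x <= 6, step bound H = 1
    return until_fixpoint(pre_flow(Fr(1)), (Fr(0), Fr(5)), (Fr(5), Fr(6)), 50)

def check_jump(max_iter):
    # p: x > 0 (the lower end 0 is never attained), q: x >= 1
    return until_fixpoint(pre_jump, (Fr(0), INF), (Fr(1), INF), max_iter)

if __name__ == "__main__":
    print(check_flow())     # stabilises on [0, 6]
    print(check_jump(20))   # lower bound keeps halving, never stabilises
```

In the jump system any particular x > 0 enters the set after finitely many iterations, so a "yes" is always found, but the set itself never stops growing and only an iteration bound ends the loop.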

35
Let's squeeze in a yawn and a stretch before
continuing. Also a good place to check how many
minutes we have left
36
General Undecidability Of Reachability
  • Classical theory of computation and complexity
    analysis centered around the binary Turing
    machine is not sufficient to fully characterize
    problems involving real-valued mathematics
  • Blum-Cucker-Shub-Smale proposed the more general
    real Turing machine that has exact rational
    operations and comparison of real numbers
    built-in as atomic operations represented as
    maps

37
Relation To Semi-Algebraic Sets
38
Undecidability Of The Mandelbrot Set
  • The Mandelbrot set is not decidable over R. This
    follows from the fact that the Mandelbrot set
    cannot be the countable union of semi-algebraic
    sets over R as its boundary has complex
    mathematical properties
  • Complement of

Benoit Mandelbrot (1924-)
39
Mandelbrot Hybrid Automaton
Let
Invariant False Flows Null
Then
Reachability Query
40
Implementation: Tolque
  • Implemented in C / C++
  • Accepts the hybrid system specification, with
    flow equation already approximated by user
  • Accepts existential until (EU) TCTL query
  • At each iteration, it computes the p one-step
    until q formula and calls the
    quantifier-elimination software Qepcad

Abstract Interpretation Of Tolque In Action
41
Tolque Limitations
  • The most severe limitation of Tolque comes from
    the computational complexity of the cylindrical
    algebraic decomposition algorithm -
    double-exponential dependence on the number of
    variables
  • The Qepcad implementation has the additional
    disadvantage of not supporting real numbers
  • Degrees of the resulting polynomials increasing
    at each time-step quickly leading to Qepcad
    choking on the query

42
So, what have we learnt ?
  • Quantifier elimination is gooooooooood !
  • Not just YES or NO answers, but actual ranges and
    constraints on parameters that need to hold for a
    certain property to be true can be solved
  • It's a good idea to see what is possible, and
    then see what sub-problem you can solve more
    efficiently: good perspective
  • Can you express the problem that YOU are studying
    as a quantifier elimination problem ? Show
    something to be decidable for a change ?

43
Algebraic Model Checking
  • Mats Jirstrand - Qepcad for the problems of
    stationarizable sets, range of controllable
    output, following a curve and reachability
  • Hirokazu Anai and Martin Fraenzle - independently
    suggested the use of quantifier elimination for
    the verification of polynomial (semi-algebraic)
    hybrid systems
  • Anai and Weispfenning - expounded the use of
    quantifier elimination for the reachability
    analysis of continuous systems with parametric
    inhomogeneous linear differential equations
  • Fraenzle - proved that progress, safety, state
    recurrence and reachability are semi-decidable
    using quantifier elimination; developed proof
    engines for bounded model checking
  • Lafferriere et al. - a quantifier-elimination-centric
    method for symbolic reachability computation
    of linear vector fields

44
Algebraic Model Checking
  • Ratschan and She - constraint propagation based
    abstraction refinement for verification of hybrid
    systems
  • Carbonell & Tiwari and Sankaranarayanan et al. -
    schemes for generating invariants for hybrid
    systems
  • Becker et al.'s integration of bounded model
    checking and inductive verification
  • Lanotte and Schettini's - monotonic hybrid
    systems
  • Lanotte and Tini - approximating each formula in
    any (non-polynomial) hybrid system definition
    with its Taylor polynomial (of some degree k) is
    an over-approximation

45
AAMC I: The Case of Biochemical Systems and their
Reachability Analysis. Carla Piazza, Marco
Antoniotti, Venkatesh Mysore, Alberto Policriti,
Franz Winkler and Bud Mishra, Computer Aided
Verification (CAV), 2005
  • Introduced Semi-Algebraic Hybrid Automata
  • Characterized the widest range of automata that
    admit sound albeit expensive mathematical
    techniques, as opposed to focusing on a very
    narrow class of systems that often prematurely
    sacrifices generalizability for the sake of
    efficiency
  • Bounded reachability problem shown to be solvable
    using real algebraic techniques like Taylor
    series approximation and quantifier elimination
  • Suitability for Systems Biology
  • Found sufficiently powerful in analyzing such
    systems as the Delta-Notch protein interaction
    example

46
AAMC II: Decidability of Semi-Algebraic Model
Checking and its Applications to Systems Biology.
Venkatesh Mysore, Carla Piazza and Bud Mishra,
International Symposium on Automated Technology
for Verification and Analysis (ATVA), 2005
  • Solved the algebraic model-checking problem over
    the dense time logic TCTL; demonstrated in
    Tolque
  • Exploited algebraic bounded reachability
    algorithm of AAMC-I, Fraenzle's ideas for
    polynomial hybrid systems, and Henzinger et al.'s
    characterization of the Until operator as a
    fix-point expression involving the one-step-until
    operator
  • The ability to perform an entirely symbolic
    analysis of arbitrary polynomial hybrid systems
    over a full temporal logic, limited only by
    computational power, distinguishes our approach
    from the other methods in literature
  • Proved that reachability is undecidable even in
    Blum et al.'s real Turing machine
    (finite-dimensional machine over a field)
    formalism

47
AAMC III: Approximate Methods. Venkatesh Mysore
and Bud Mishra, Verification of Infinite State
Systems (Infinity), 2005
  • Made existing ideas applicable to semi-algebraic
    hybrid systems, by using quantifier elimination
    in place of the original efficient-but-restrictive
    computational method
  • Bisimulation Partitioning
  • Polytopes
  • Rectangular Grids
  • Time Discretization
  • Obtained new optimizations and techniques
  • Identified well-behaved subclasses

48
Future Theoretical Work
  • Algebraic Enhancements
  • Groebner basis & Characteristic Sets
  • Characterizing recursive paths and invariants
  • Conditions for convergence of the fixpoint
    expressions
  • Extension of Cousot's widening technique to
    semi-algebraic sets
  • Estimation of expected number of iterations
  • Analysis of perturbed and robust systems
  • Discretization Of Space & Time
  • Depart from the continuous infinite space and
    time
  • Approximate with rectangular grids, ellipsoids
    and polyhedra
  • Use polynomials to identify connected components
    relevant to query abstraction over each
    component
  • Chaotic dynamical systems and decidability
  • Flux balance analysis and topology

49
Future Software Development
  • Tolque being integrated with Simpathica (in Lisp)
  • Different integration-discretization schemes and
    the continuous / discrete modes of operation
  • Extend repertoire of temporal logic operators
  • Extension to real-time LTL
  • Integrate other quantifier elimination tools like
    Approximate Quantified Constraint Solving (AQCS)
    and Redlog
  • Translate and break down the TL query into small
    quantifier elimination problems, and then use
    heuristics to decide which quantifier elimination
    tool to call for each sub-query
  • Eventually, our own symbolic algebra system will
    work hand in hand with the quantifier
    elimination, Groebner basis and characteristic
    set tools to simplify and systematically simplify
    the formulæ at each fixpoint iteration

50
Acknowledgements
Dr. Carla Piazza
For a full list of references, please see
AAMC-I (CAV05), AAMC-II (ATVA05), AAMC-III
(Infinity05)
Dr. Amir Pnueli
Dr. Bud Mishra
51
Thank You