From 8d13bee9cc64793d37093d127aaea6ab46cb9c71 Mon Sep 17 00:00:00 2001 From: Dave Parker Date: Wed, 5 Jul 2023 13:04:08 +0100 Subject: [PATCH] Update manual. --- manual/Appendices/AllOnOnePage.html | 202 +- .../Appendices/AllOnOnePage@action=edit.html | 265 + .../Appendices/AllOnOnePage@action=login.html | 263 + .../Appendices/AllOnOnePage@action=print.html | 376 ++ manual/Appendices/ExplicitModelFiles.html | 202 +- .../ExplicitModelFiles@action=edit.html | 265 + .../ExplicitModelFiles@action=login.html | 263 + .../ExplicitModelFiles@action=print.html | 377 ++ manual/Appendices/Main.html | 168 +- manual/Appendices/Main@action=edit.html | 264 + manual/Appendices/Main@action=login.html | 262 + manual/Appendices/Main@action=print.html | 86 + manual/ConfiguringPRISM/AllOnOnePage.html | 187 +- .../AllOnOnePage@action=edit.html | 269 + .../AllOnOnePage@action=login.html | 267 + .../AllOnOnePage@action=print.html | 535 ++ .../ConfiguringPRISM/AutomataGeneration.html | 170 +- .../AutomataGeneration@action=edit.html | 269 + .../AutomataGeneration@action=login.html | 267 + .../AutomataGeneration@action=print.html | 212 + .../ConfiguringPRISM/ComputationEngines.html | 170 +- .../ComputationEngines@action=edit.html | 269 + .../ComputationEngines@action=login.html | 267 + .../ComputationEngines@action=print.html | 192 + .../Introduction@action=edit.html | 269 + .../Introduction@action=login.html | 267 + .../Introduction@action=print.html | 149 + manual/ConfiguringPRISM/Main.html | 174 +- manual/ConfiguringPRISM/OtherOptions.html | 183 +- .../OtherOptions@action=edit.html | 269 + .../OtherOptions@action=login.html | 267 + .../OtherOptions@action=print.html | 201 + .../SolutionMethodsAndOptions.html | 170 +- ...SolutionMethodsAndOptions@action=edit.html | 269 + ...olutionMethodsAndOptions@action=login.html | 267 + ...olutionMethodsAndOptions@action=print.html | 184 + manual/FrequentlyAskedQuestions.html | 279 + .../AllOnOnePage.html | 174 +- .../AllOnOnePage@action=edit.html | 267 + .../AllOnOnePage@action=login.html | 265 + .../AllOnOnePage@action=print.html | 315 + .../Main@action=edit.html | 266 + .../Main@action=login.html | 264 + .../{Main.html => Main@action=print.html} | 96 +- .../MemoryProblems.html | 174 +- .../MemoryProblems@action=edit.html | 267 + .../MemoryProblems@action=login.html | 265 + .../MemoryProblems@action=print.html | 244 + .../PRISMModelling.html | 176 +- .../PRISMModelling@action=edit.html | 267 + .../PRISMModelling@action=login.html | 265 + .../PRISMModelling@action=print.html | 177 + .../PRISMProperties.html | 174 +- .../PRISMProperties@action=edit.html | 267 + .../PRISMProperties@action=login.html | 265 + .../PRISMProperties@action=print.html | 228 + manual/FrequentlyAskedQuestions/index.html | 279 + manual/InstallingPRISM.html | 458 ++ manual/InstallingPRISM/AllOnOnePage.html | 170 +- .../AllOnOnePage@action=edit.html | 266 + .../AllOnOnePage@action=login.html | 264 + .../AllOnOnePage@action=print.html | 452 ++ .../CommonProblemsAndQuestions.html | 170 +- ...ommonProblemsAndQuestions@action=edit.html | 266 + ...mmonProblemsAndQuestions@action=login.html | 264 + ...mmonProblemsAndQuestions@action=print.html | 252 + .../Instructions@action=edit.html | 266 + .../Instructions@action=login.html | 264 + .../Instructions@action=print.html | 285 + manual/InstallingPRISM/Main.html | 170 +- manual/Main/AllOnOnePage.html | 1331 ++-- manual/Main/AllOnOnePage@action=edit.html | 273 + manual/Main/AllOnOnePage@action=login.html | 271 + manual/Main/AllOnOnePage@action=print.html | 5365 +++++++++++++++++ manual/Main/Contents.html | 174 +- manual/Main/Contents@action=edit.html | 273 + manual/Main/Contents@action=login.html | 271 + manual/Main/Contents@action=print.html | 150 + manual/Main/Introduction.html | 170 +- manual/Main/Introduction@action=edit.html | 273 + manual/Main/Introduction@action=login.html | 271 + manual/Main/Introduction@action=print.html | 120 + manual/Main/Main.html | 172 +- manual/Main/References.html | 170 +- manual/Main/References@action=edit.html | 273 + manual/Main/References@action=login.html | 271 + manual/Main/References@action=print.html | 121 + manual/Main/Search.html | 176 +- manual/Main/Search@action=edit.html | 273 + manual/Main/Search@action=login.html | 271 + manual/Main/Search@action=print.html | 107 + manual/Main/Welcome.html | 289 + manual/Main/Welcome@action=edit.html | 273 + manual/Main/Welcome@action=login.html | 271 + manual/Main/Welcome@action=print.html | 109 + .../PropertySpecification/AllOnOnePage.html | 338 +- .../AllOnOnePage@action=edit.html | 277 + .../AllOnOnePage@action=login.html | 275 + .../AllOnOnePage@action=print.html | 1449 +++++ manual/PropertySpecification/Filters.html | 171 +- .../Filters@action=edit.html | 277 + .../Filters@action=login.html | 275 + .../Filters@action=print.html | 327 + .../IdentifyingASetOfStates.html | 171 +- .../IdentifyingASetOfStates@action=edit.html | 277 + .../IdentifyingASetOfStates@action=login.html | 275 + .../IdentifyingASetOfStates@action=print.html | 140 + .../Introduction@action=edit.html | 277 + .../Introduction@action=login.html | 275 + .../Introduction@action=print.html | 192 + manual/PropertySpecification/Main.html | 171 +- .../Multi-objectiveProperties.html | 181 +- ...Multi-objectiveProperties@action=edit.html | 277 + ...ulti-objectiveProperties@action=login.html | 275 + ...ulti-objectiveProperties@action=print.html | 212 + .../Non-probabilisticProperties.html | 171 +- ...n-probabilisticProperties@action=edit.html | 277 + ...-probabilisticProperties@action=login.html | 275 + ...-probabilisticProperties@action=print.html | 146 + .../PartiallyObservableModels.html | 171 +- ...PartiallyObservableModels@action=edit.html | 277 + ...artiallyObservableModels@action=login.html | 275 + ...artiallyObservableModels@action=print.html | 145 + .../PropertiesFiles.html | 171 +- .../PropertiesFiles@action=edit.html | 277 + .../PropertiesFiles@action=login.html | 275 + .../PropertiesFiles@action=print.html | 182 + .../Real-timeModels.html | 171 +- .../Real-timeModels@action=edit.html | 277 + .../Real-timeModels@action=login.html | 275 + .../Real-timeModels@action=print.html | 154 + .../Reward-basedProperties.html | 173 +- .../Reward-basedProperties@action=edit.html | 277 + .../Reward-basedProperties@action=login.html | 275 + .../Reward-basedProperties@action=print.html | 321 + .../SyntaxAndSemantics.html | 171 +- .../SyntaxAndSemantics@action=edit.html | 277 + .../SyntaxAndSemantics@action=login.html | 275 + .../SyntaxAndSemantics@action=print.html | 200 + .../PropertySpecification/ThePOperator.html | 171 +- .../ThePOperator@action=edit.html | 277 + .../ThePOperator@action=login.html | 275 + .../ThePOperator@action=print.html | 413 ++ .../PropertySpecification/TheSOperator.html | 171 +- .../TheSOperator@action=edit.html | 277 + .../TheSOperator@action=login.html | 275 + .../TheSOperator@action=print.html | 144 + .../UncertainModels.html | 329 + .../UncertainModels@action=edit.html | 277 + .../UncertainModels@action=login.html | 275 + .../UncertainModels@action=print.html | 145 + manual/RunningPRISM/Adversaries.html | 168 - manual/RunningPRISM/AllOnOnePage.html | 525 +- .../AllOnOnePage@action=edit.html | 277 + .../AllOnOnePage@action=login.html | 275 + .../AllOnOnePage@action=print.html | 1669 +++++ .../ApproximateModelChecking.html | 172 +- ...Steady-stateAndTransientProbabilities.html | 172 +- ...AndTransientProbabilities@action=edit.html | 277 + ...ndTransientProbabilities@action=login.html | 275 + ...ndTransientProbabilities@action=print.html | 182 + .../DebuggingModelsWithTheSimulator.html | 174 +- ...ingModelsWithTheSimulator@action=edit.html | 277 + ...ngModelsWithTheSimulator@action=login.html | 275 + ...ngModelsWithTheSimulator@action=print.html | 329 + manual/RunningPRISM/Experiments.html | 213 +- .../RunningPRISM/Experiments@action=edit.html | 277 + .../Experiments@action=login.html | 275 + .../Experiments@action=print.html | 320 + manual/RunningPRISM/ExplicitModelImport.html | 185 +- .../ExplicitModelImport@action=edit.html | 277 + .../ExplicitModelImport@action=login.html | 275 + .../ExplicitModelImport@action=print.html | 202 + manual/RunningPRISM/ExportingTheModel.html | 194 +- .../ExportingTheModel@action=edit.html | 277 + .../ExportingTheModel@action=login.html | 275 + .../ExportingTheModel@action=print.html | 311 + .../LoadingAndBuildingAModel.html | 172 +- .../LoadingAndBuildingAModel@action=edit.html | 277 + ...LoadingAndBuildingAModel@action=login.html | 275 + ...LoadingAndBuildingAModel@action=print.html | 164 + manual/RunningPRISM/Main.html | 176 +- manual/RunningPRISM/ModelChecking.html | 172 +- .../ModelChecking@action=edit.html | 277 + .../ModelChecking@action=login.html | 275 + .../ModelChecking@action=print.html | 189 + .../RunningPRISM/ParametricModelChecking.html | 172 +- .../ParametricModelChecking@action=edit.html | 277 + .../ParametricModelChecking@action=login.html | 275 + .../ParametricModelChecking@action=print.html | 171 + .../StartingPRISM@action=edit.html | 277 + .../StartingPRISM@action=login.html | 275 + .../StartingPRISM@action=print.html | 154 + .../StatisticalModelChecking.html | 172 +- .../StatisticalModelChecking@action=edit.html | 277 + ...StatisticalModelChecking@action=login.html | 275 + ...StatisticalModelChecking@action=print.html | 209 + manual/RunningPRISM/Strategies.html | 416 ++ .../RunningPRISM/Strategies@action=edit.html | 277 + .../RunningPRISM/Strategies@action=login.html | 275 + .../RunningPRISM/Strategies@action=print.html | 232 + manual/RunningPRISM/SupportForPEPAModels.html | 172 +- .../SupportForPEPAModels@action=edit.html | 277 + .../SupportForPEPAModels@action=login.html | 275 + .../SupportForPEPAModels@action=print.html | 112 + manual/RunningPRISM/SupportForSBML.html | 282 +- .../SupportForSBML@action=edit.html | 277 + .../SupportForSBML@action=login.html | 275 + .../SupportForSBML@action=print.html | 425 ++ manual/ThePRISMLanguage/AllOnOnePage.html | 205 +- .../AllOnOnePage@action=edit.html | 286 + .../AllOnOnePage@action=login.html | 284 + .../AllOnOnePage@action=print.html | 1087 ++++ manual/ThePRISMLanguage/CTMCs.html | 171 +- .../ThePRISMLanguage/CTMCs@action=edit.html | 286 + .../ThePRISMLanguage/CTMCs@action=login.html | 284 + .../ThePRISMLanguage/CTMCs@action=print.html | 144 + manual/ThePRISMLanguage/Commands.html | 171 +- .../Commands@action=edit.html | 286 + .../Commands@action=login.html | 284 + .../Commands@action=print.html | 176 + manual/ThePRISMLanguage/Constants.html | 171 +- .../Constants@action=edit.html | 286 + .../Constants@action=login.html | 284 + .../Constants@action=print.html | 134 + manual/ThePRISMLanguage/CostsAndRewards.html | 171 +- .../CostsAndRewards@action=edit.html | 286 + .../CostsAndRewards@action=login.html | 284 + .../CostsAndRewards@action=print.html | 214 + manual/ThePRISMLanguage/Example1.html | 171 +- .../Example1@action=edit.html | 286 + .../Example1@action=login.html | 284 + .../Example1@action=print.html | 151 + manual/ThePRISMLanguage/Example2.html | 171 +- .../Example2@action=edit.html | 286 + .../Example2@action=login.html | 284 + .../Example2@action=print.html | 147 + manual/ThePRISMLanguage/Expressions.html | 171 +- .../Expressions@action=edit.html | 286 + .../Expressions@action=login.html | 284 + .../Expressions@action=print.html | 181 + .../ThePRISMLanguage/FormulasAndLabels.html | 173 +- .../FormulasAndLabels@action=edit.html | 286 + .../FormulasAndLabels@action=login.html | 284 + .../FormulasAndLabels@action=print.html | 156 + manual/ThePRISMLanguage/GlobalVariables.html | 171 +- .../GlobalVariables@action=edit.html | 286 + .../GlobalVariables@action=login.html | 284 + .../GlobalVariables@action=print.html | 127 + .../Introduction@action=edit.html | 286 + .../Introduction@action=login.html | 284 + .../Introduction@action=print.html | 135 + .../ThePRISMLanguage/LocalNondeterminism.html | 171 +- .../LocalNondeterminism@action=edit.html | 286 + .../LocalNondeterminism@action=login.html | 284 + .../LocalNondeterminism@action=print.html | 143 + manual/ThePRISMLanguage/Main.html | 171 +- manual/ThePRISMLanguage/ModelType.html | 171 +- .../ModelType@action=edit.html | 286 + .../ModelType@action=login.html | 284 + .../ModelType@action=print.html | 109 + manual/ThePRISMLanguage/ModuleRenaming.html | 171 +- .../ModuleRenaming@action=edit.html | 286 + .../ModuleRenaming@action=login.html | 284 + .../ModuleRenaming@action=print.html | 121 + .../ThePRISMLanguage/ModulesAndVariables.html | 171 +- .../ModulesAndVariables@action=edit.html | 286 + .../ModulesAndVariables@action=login.html | 284 + .../ModulesAndVariables@action=print.html | 231 + .../MultipleInitialStates.html | 171 +- .../MultipleInitialStates@action=edit.html | 286 + .../MultipleInitialStates@action=login.html | 284 + .../MultipleInitialStates@action=print.html | 142 + .../ThePRISMLanguage/POMDPs@action=edit.html | 181 +- manual/ThePRISMLanguage/PRISMModelFiles.html | 171 +- .../PRISMModelFiles@action=edit.html | 286 + .../PRISMModelFiles@action=login.html | 284 + .../PRISMModelFiles@action=print.html | 98 + .../ThePRISMLanguage/ParallelComposition.html | 171 +- .../ParallelComposition@action=edit.html | 286 + .../ParallelComposition@action=login.html | 284 + .../ParallelComposition@action=print.html | 139 + .../PartiallyObservableModels.html | 173 +- ...PartiallyObservableModels@action=edit.html | 286 + ...artiallyObservableModels@action=login.html | 284 + ...artiallyObservableModels@action=print.html | 162 + .../ProcessAlgebraOperators.html | 171 +- .../ProcessAlgebraOperators@action=edit.html | 286 + .../ProcessAlgebraOperators@action=login.html | 284 + .../ProcessAlgebraOperators@action=print.html | 111 + manual/ThePRISMLanguage/Real-timeModels.html | 178 +- .../Real-timeModels@action=edit.html | 286 + .../Real-timeModels@action=login.html | 284 + .../Real-timeModels@action=print.html | 164 + manual/ThePRISMLanguage/Synchronisation.html | 171 +- .../Synchronisation@action=edit.html | 286 + .../Synchronisation@action=login.html | 284 + .../Synchronisation@action=print.html | 132 + manual/ThePRISMLanguage/UncertainModels.html | 322 + .../UncertainModels@action=edit.html | 286 + .../UncertainModels@action=login.html | 284 + .../UncertainModels@action=print.html | 129 + manual/index.html | 172 +- manual/pub/skins/offline/css/base.css | 12 - manual/pub/skins/offline/css/prism.css | 513 -- manual/pub/skins/offline/images/p16.ico | Bin 1150 -> 0 bytes .../{offline => prism}/css/prismmanual.css | 0 307 files changed, 79707 insertions(+), 2281 deletions(-) create mode 100644 manual/Appendices/AllOnOnePage@action=edit.html create mode 100644 manual/Appendices/AllOnOnePage@action=login.html create mode 100644 manual/Appendices/AllOnOnePage@action=print.html create mode 100644 manual/Appendices/ExplicitModelFiles@action=edit.html create mode 100644 manual/Appendices/ExplicitModelFiles@action=login.html create mode 100644 manual/Appendices/ExplicitModelFiles@action=print.html create mode 100644 manual/Appendices/Main@action=edit.html create mode 100644 manual/Appendices/Main@action=login.html create mode 100644 manual/Appendices/Main@action=print.html create mode 100644 manual/ConfiguringPRISM/AllOnOnePage@action=edit.html create mode 100644 manual/ConfiguringPRISM/AllOnOnePage@action=login.html create mode 100644 manual/ConfiguringPRISM/AllOnOnePage@action=print.html create mode 100644 manual/ConfiguringPRISM/AutomataGeneration@action=edit.html create mode 100644 manual/ConfiguringPRISM/AutomataGeneration@action=login.html create mode 100644 manual/ConfiguringPRISM/AutomataGeneration@action=print.html create mode 100644 manual/ConfiguringPRISM/ComputationEngines@action=edit.html create mode 100644 manual/ConfiguringPRISM/ComputationEngines@action=login.html create mode 100644 manual/ConfiguringPRISM/ComputationEngines@action=print.html create mode 100644 manual/ConfiguringPRISM/Introduction@action=edit.html create mode 100644 manual/ConfiguringPRISM/Introduction@action=login.html create mode 100644 manual/ConfiguringPRISM/Introduction@action=print.html create mode 100644 manual/ConfiguringPRISM/OtherOptions@action=edit.html create mode 100644 manual/ConfiguringPRISM/OtherOptions@action=login.html create mode 100644 manual/ConfiguringPRISM/OtherOptions@action=print.html create mode 100644 manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=edit.html create mode 100644 manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=login.html create mode 100644 manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=print.html create mode 100644 manual/FrequentlyAskedQuestions.html create mode 100644 manual/FrequentlyAskedQuestions/AllOnOnePage@action=edit.html create mode 100644 manual/FrequentlyAskedQuestions/AllOnOnePage@action=login.html create mode 100644 manual/FrequentlyAskedQuestions/AllOnOnePage@action=print.html create mode 100644 manual/FrequentlyAskedQuestions/Main@action=edit.html create mode 100644 manual/FrequentlyAskedQuestions/Main@action=login.html rename manual/FrequentlyAskedQuestions/{Main.html => Main@action=print.html} (62%) create mode 100644 manual/FrequentlyAskedQuestions/MemoryProblems@action=edit.html create mode 100644 manual/FrequentlyAskedQuestions/MemoryProblems@action=login.html create mode 100644 manual/FrequentlyAskedQuestions/MemoryProblems@action=print.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMModelling@action=edit.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMModelling@action=login.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMModelling@action=print.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMProperties@action=edit.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMProperties@action=login.html create mode 100644 manual/FrequentlyAskedQuestions/PRISMProperties@action=print.html create mode 100644 manual/FrequentlyAskedQuestions/index.html create mode 100644 manual/InstallingPRISM.html create mode 100644 manual/InstallingPRISM/AllOnOnePage@action=edit.html create mode 100644 manual/InstallingPRISM/AllOnOnePage@action=login.html create mode 100644 manual/InstallingPRISM/AllOnOnePage@action=print.html create mode 100644 manual/InstallingPRISM/CommonProblemsAndQuestions@action=edit.html create mode 100644 manual/InstallingPRISM/CommonProblemsAndQuestions@action=login.html create mode 100644 manual/InstallingPRISM/CommonProblemsAndQuestions@action=print.html create mode 100644 manual/InstallingPRISM/Instructions@action=edit.html create mode 100644 manual/InstallingPRISM/Instructions@action=login.html create mode 100644 manual/InstallingPRISM/Instructions@action=print.html create mode 100644 manual/Main/AllOnOnePage@action=edit.html create mode 100644 manual/Main/AllOnOnePage@action=login.html create mode 100644 manual/Main/AllOnOnePage@action=print.html create mode 100644 manual/Main/Contents@action=edit.html create mode 100644 manual/Main/Contents@action=login.html create mode 100644 manual/Main/Contents@action=print.html create mode 100644 manual/Main/Introduction@action=edit.html create mode 100644 manual/Main/Introduction@action=login.html create mode 100644 manual/Main/Introduction@action=print.html create mode 100644 manual/Main/References@action=edit.html create mode 100644 manual/Main/References@action=login.html create mode 100644 manual/Main/References@action=print.html create mode 100644 manual/Main/Search@action=edit.html create mode 100644 manual/Main/Search@action=login.html create mode 100644 manual/Main/Search@action=print.html create mode 100644 manual/Main/Welcome.html create mode 100644 manual/Main/Welcome@action=edit.html create mode 100644 manual/Main/Welcome@action=login.html create mode 100644 manual/Main/Welcome@action=print.html create mode 100644 manual/PropertySpecification/AllOnOnePage@action=edit.html create mode 100644 manual/PropertySpecification/AllOnOnePage@action=login.html create mode 100644 manual/PropertySpecification/AllOnOnePage@action=print.html create mode 100644 manual/PropertySpecification/Filters@action=edit.html create mode 100644 manual/PropertySpecification/Filters@action=login.html create mode 100644 manual/PropertySpecification/Filters@action=print.html create mode 100644 manual/PropertySpecification/IdentifyingASetOfStates@action=edit.html create mode 100644 manual/PropertySpecification/IdentifyingASetOfStates@action=login.html create mode 100644 manual/PropertySpecification/IdentifyingASetOfStates@action=print.html create mode 100644 manual/PropertySpecification/Introduction@action=edit.html create mode 100644 manual/PropertySpecification/Introduction@action=login.html create mode 100644 manual/PropertySpecification/Introduction@action=print.html create mode 100644 manual/PropertySpecification/Multi-objectiveProperties@action=edit.html create mode 100644 manual/PropertySpecification/Multi-objectiveProperties@action=login.html create mode 100644 manual/PropertySpecification/Multi-objectiveProperties@action=print.html create mode 100644 manual/PropertySpecification/Non-probabilisticProperties@action=edit.html create mode 100644 manual/PropertySpecification/Non-probabilisticProperties@action=login.html create mode 100644 manual/PropertySpecification/Non-probabilisticProperties@action=print.html create mode 100644 manual/PropertySpecification/PartiallyObservableModels@action=edit.html create mode 100644 manual/PropertySpecification/PartiallyObservableModels@action=login.html create mode 100644 manual/PropertySpecification/PartiallyObservableModels@action=print.html create mode 100644 manual/PropertySpecification/PropertiesFiles@action=edit.html create mode 100644 manual/PropertySpecification/PropertiesFiles@action=login.html create mode 100644 manual/PropertySpecification/PropertiesFiles@action=print.html create mode 100644 manual/PropertySpecification/Real-timeModels@action=edit.html create mode 100644 manual/PropertySpecification/Real-timeModels@action=login.html create mode 100644 manual/PropertySpecification/Real-timeModels@action=print.html create mode 100644 manual/PropertySpecification/Reward-basedProperties@action=edit.html create mode 100644 manual/PropertySpecification/Reward-basedProperties@action=login.html create mode 100644 manual/PropertySpecification/Reward-basedProperties@action=print.html create mode 100644 manual/PropertySpecification/SyntaxAndSemantics@action=edit.html create mode 100644 manual/PropertySpecification/SyntaxAndSemantics@action=login.html create mode 100644 manual/PropertySpecification/SyntaxAndSemantics@action=print.html create mode 100644 manual/PropertySpecification/ThePOperator@action=edit.html create mode 100644 manual/PropertySpecification/ThePOperator@action=login.html create mode 100644 manual/PropertySpecification/ThePOperator@action=print.html create mode 100644 manual/PropertySpecification/TheSOperator@action=edit.html create mode 100644 manual/PropertySpecification/TheSOperator@action=login.html create mode 100644 manual/PropertySpecification/TheSOperator@action=print.html create mode 100644 manual/PropertySpecification/UncertainModels.html create mode 100644 manual/PropertySpecification/UncertainModels@action=edit.html create mode 100644 manual/PropertySpecification/UncertainModels@action=login.html create mode 100644 manual/PropertySpecification/UncertainModels@action=print.html delete mode 100644 manual/RunningPRISM/Adversaries.html create mode 100644 manual/RunningPRISM/AllOnOnePage@action=edit.html create mode 100644 manual/RunningPRISM/AllOnOnePage@action=login.html create mode 100644 manual/RunningPRISM/AllOnOnePage@action=print.html create mode 100644 manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=edit.html create mode 100644 manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=login.html create mode 100644 manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=print.html create mode 100644 manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=edit.html create mode 100644 manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=login.html create mode 100644 manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=print.html create mode 100644 manual/RunningPRISM/Experiments@action=edit.html create mode 100644 manual/RunningPRISM/Experiments@action=login.html create mode 100644 manual/RunningPRISM/Experiments@action=print.html create mode 100644 manual/RunningPRISM/ExplicitModelImport@action=edit.html create mode 100644 manual/RunningPRISM/ExplicitModelImport@action=login.html create mode 100644 manual/RunningPRISM/ExplicitModelImport@action=print.html create mode 100644 manual/RunningPRISM/ExportingTheModel@action=edit.html create mode 100644 manual/RunningPRISM/ExportingTheModel@action=login.html create mode 100644 manual/RunningPRISM/ExportingTheModel@action=print.html create mode 100644 manual/RunningPRISM/LoadingAndBuildingAModel@action=edit.html create mode 100644 manual/RunningPRISM/LoadingAndBuildingAModel@action=login.html create mode 100644 manual/RunningPRISM/LoadingAndBuildingAModel@action=print.html create mode 100644 manual/RunningPRISM/ModelChecking@action=edit.html create mode 100644 manual/RunningPRISM/ModelChecking@action=login.html create mode 100644 manual/RunningPRISM/ModelChecking@action=print.html create mode 100644 manual/RunningPRISM/ParametricModelChecking@action=edit.html create mode 100644 manual/RunningPRISM/ParametricModelChecking@action=login.html create mode 100644 manual/RunningPRISM/ParametricModelChecking@action=print.html create mode 100644 manual/RunningPRISM/StartingPRISM@action=edit.html create mode 100644 manual/RunningPRISM/StartingPRISM@action=login.html create mode 100644 manual/RunningPRISM/StartingPRISM@action=print.html create mode 100644 manual/RunningPRISM/StatisticalModelChecking@action=edit.html create mode 100644 manual/RunningPRISM/StatisticalModelChecking@action=login.html create mode 100644 manual/RunningPRISM/StatisticalModelChecking@action=print.html create mode 100644 manual/RunningPRISM/Strategies.html create mode 100644 manual/RunningPRISM/Strategies@action=edit.html create mode 100644 manual/RunningPRISM/Strategies@action=login.html create mode 100644 manual/RunningPRISM/Strategies@action=print.html create mode 100644 manual/RunningPRISM/SupportForPEPAModels@action=edit.html create mode 100644 manual/RunningPRISM/SupportForPEPAModels@action=login.html create mode 100644 manual/RunningPRISM/SupportForPEPAModels@action=print.html create mode 100644 manual/RunningPRISM/SupportForSBML@action=edit.html create mode 100644 manual/RunningPRISM/SupportForSBML@action=login.html create mode 100644 manual/RunningPRISM/SupportForSBML@action=print.html create mode 100644 manual/ThePRISMLanguage/AllOnOnePage@action=edit.html create mode 100644 manual/ThePRISMLanguage/AllOnOnePage@action=login.html create mode 100644 manual/ThePRISMLanguage/AllOnOnePage@action=print.html create mode 100644 manual/ThePRISMLanguage/CTMCs@action=edit.html create mode 100644 manual/ThePRISMLanguage/CTMCs@action=login.html create mode 100644 manual/ThePRISMLanguage/CTMCs@action=print.html create mode 100644 manual/ThePRISMLanguage/Commands@action=edit.html create mode 100644 manual/ThePRISMLanguage/Commands@action=login.html create mode 100644 manual/ThePRISMLanguage/Commands@action=print.html create mode 100644 manual/ThePRISMLanguage/Constants@action=edit.html create mode 100644 manual/ThePRISMLanguage/Constants@action=login.html create mode 100644 manual/ThePRISMLanguage/Constants@action=print.html create mode 100644 manual/ThePRISMLanguage/CostsAndRewards@action=edit.html create mode 100644 manual/ThePRISMLanguage/CostsAndRewards@action=login.html create mode 100644 manual/ThePRISMLanguage/CostsAndRewards@action=print.html create mode 100644 manual/ThePRISMLanguage/Example1@action=edit.html create mode 100644 manual/ThePRISMLanguage/Example1@action=login.html create mode 100644 manual/ThePRISMLanguage/Example1@action=print.html create mode 100644 manual/ThePRISMLanguage/Example2@action=edit.html create mode 100644 manual/ThePRISMLanguage/Example2@action=login.html create mode 100644 manual/ThePRISMLanguage/Example2@action=print.html create mode 100644 manual/ThePRISMLanguage/Expressions@action=edit.html create mode 100644 manual/ThePRISMLanguage/Expressions@action=login.html create mode 100644 manual/ThePRISMLanguage/Expressions@action=print.html create mode 100644 manual/ThePRISMLanguage/FormulasAndLabels@action=edit.html create mode 100644 manual/ThePRISMLanguage/FormulasAndLabels@action=login.html create mode 100644 manual/ThePRISMLanguage/FormulasAndLabels@action=print.html create mode 100644 manual/ThePRISMLanguage/GlobalVariables@action=edit.html create mode 100644 manual/ThePRISMLanguage/GlobalVariables@action=login.html create mode 100644 manual/ThePRISMLanguage/GlobalVariables@action=print.html create mode 100644 manual/ThePRISMLanguage/Introduction@action=edit.html create mode 100644 manual/ThePRISMLanguage/Introduction@action=login.html create mode 100644 manual/ThePRISMLanguage/Introduction@action=print.html create mode 100644 manual/ThePRISMLanguage/LocalNondeterminism@action=edit.html create mode 100644 manual/ThePRISMLanguage/LocalNondeterminism@action=login.html create mode 100644 manual/ThePRISMLanguage/LocalNondeterminism@action=print.html create mode 100644 manual/ThePRISMLanguage/ModelType@action=edit.html create mode 100644 manual/ThePRISMLanguage/ModelType@action=login.html create mode 100644 manual/ThePRISMLanguage/ModelType@action=print.html create mode 100644 manual/ThePRISMLanguage/ModuleRenaming@action=edit.html create mode 100644 manual/ThePRISMLanguage/ModuleRenaming@action=login.html create mode 100644 manual/ThePRISMLanguage/ModuleRenaming@action=print.html create mode 100644 manual/ThePRISMLanguage/ModulesAndVariables@action=edit.html create mode 100644 manual/ThePRISMLanguage/ModulesAndVariables@action=login.html create mode 100644 manual/ThePRISMLanguage/ModulesAndVariables@action=print.html create mode 100644 manual/ThePRISMLanguage/MultipleInitialStates@action=edit.html create mode 100644 manual/ThePRISMLanguage/MultipleInitialStates@action=login.html create mode 100644 manual/ThePRISMLanguage/MultipleInitialStates@action=print.html create mode 100644 manual/ThePRISMLanguage/PRISMModelFiles@action=edit.html create mode 100644 manual/ThePRISMLanguage/PRISMModelFiles@action=login.html create mode 100644 manual/ThePRISMLanguage/PRISMModelFiles@action=print.html create mode 100644 manual/ThePRISMLanguage/ParallelComposition@action=edit.html create mode 100644 manual/ThePRISMLanguage/ParallelComposition@action=login.html create mode 100644 manual/ThePRISMLanguage/ParallelComposition@action=print.html create mode 100644 manual/ThePRISMLanguage/PartiallyObservableModels@action=edit.html create mode 100644 manual/ThePRISMLanguage/PartiallyObservableModels@action=login.html create mode 100644 manual/ThePRISMLanguage/PartiallyObservableModels@action=print.html create mode 100644 manual/ThePRISMLanguage/ProcessAlgebraOperators@action=edit.html create mode 100644 manual/ThePRISMLanguage/ProcessAlgebraOperators@action=login.html create mode 100644 manual/ThePRISMLanguage/ProcessAlgebraOperators@action=print.html create mode 100644 manual/ThePRISMLanguage/Real-timeModels@action=edit.html create mode 100644 manual/ThePRISMLanguage/Real-timeModels@action=login.html create mode 100644 manual/ThePRISMLanguage/Real-timeModels@action=print.html create mode 100644 manual/ThePRISMLanguage/Synchronisation@action=edit.html create mode 100644 manual/ThePRISMLanguage/Synchronisation@action=login.html create mode 100644 manual/ThePRISMLanguage/Synchronisation@action=print.html create mode 100644 manual/ThePRISMLanguage/UncertainModels.html create mode 100644 manual/ThePRISMLanguage/UncertainModels@action=edit.html create mode 100644 manual/ThePRISMLanguage/UncertainModels@action=login.html create mode 100644 manual/ThePRISMLanguage/UncertainModels@action=print.html delete mode 100644 manual/pub/skins/offline/css/base.css delete mode 100644 manual/pub/skins/offline/css/prism.css delete mode 100644 manual/pub/skins/offline/images/p16.ico rename manual/pub/skins/{offline => prism}/css/prismmanual.css (100%) diff --git a/manual/Appendices/AllOnOnePage.html b/manual/Appendices/AllOnOnePage.html index 26a4bb65b1..b94152375a 100644 --- a/manual/Appendices/AllOnOnePage.html +++ b/manual/Appendices/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | Appendices / AllOnOnePage +PRISM Manual | Appendices / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
-

+

State rewards (.srew) files

-

These contain an explicit list of the (non-zero) state rewards for a particular reward structure of a model. The first line of the file is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. The following m lines are of the form i r, denoting that the state reward for state i is r. +

Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r.

For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5):

-
6 3
+
# Reward structure "r"
+# State rewards
+6 3
0 2
4 1
5 1
@@ -322,16 +462,20 @@

Explicit Model Files

-

+

Transition rewards (.trew) files

-

Files containing transition rewards are formatted identically to transitions files (see above), -except that probabilities/rates are replaced with reward values, and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards.

For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions:

-
6 4
+
# Reward structure: "r"
+# Transition rewards
+6 4
1 0 1
1 2 1
1 4 1
@@ -343,7 +487,9 @@

Explicit Model Files

-
4 5 4
+
# Reward structure: "r"
+# Transition rewards
+4 5 4
1 0 2 6
1 0 3 6
1 1 0 5
@@ -356,6 +502,12 @@

Explicit Model Files

@@ -364,6 +516,13 @@

Explicit Model Files

+ +
@@ -380,5 +539,8 @@

PRISM Manual

+ + diff --git a/manual/Appendices/AllOnOnePage@action=edit.html b/manual/Appendices/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..b6c5637bfe --- /dev/null +++ b/manual/Appendices/AllOnOnePage@action=edit.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Appendices / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/AllOnOnePage@action=login.html b/manual/Appendices/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..1589981c43 --- /dev/null +++ b/manual/Appendices/AllOnOnePage@action=login.html @@ -0,0 +1,263 @@ + + + + + + + + +PRISM Manual | Appendices / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/AllOnOnePage@action=print.html b/manual/Appendices/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..1719cdff40 --- /dev/null +++ b/manual/Appendices/AllOnOnePage@action=print.html @@ -0,0 +1,376 @@ + + + + + + +PRISM Manual | Appendices / AllOnOnePage + + + + + + + + + + + + + + + + + + +
+

Appendices

+
+

Explicit Model Files

+

This appendix details the (plain text) file formats used by PRISM for exporting and importing models that have already been constructed, i.e., they comprise an explicit list of states, transitions, etc. making up the model, rather than a high-level model description in the PRISM modelling language. +Below, we describe: +

+
+

+

States (.sta) files

+

These contain an explicit list of the reachable states of a model. The first line is of the form (v1,...,vn), listing the names of all the variables in the model in the order that they appear in the PRISM model. Subsequent lines list the values of the n variables in each state of the model. Each line is of the form i:(x1,...,xn), where i is the index of the state (starting from 0) and x1,...,xn are the values of each variable in the state. States are ordered by their index, or, equivalently, lexicographically according to the tuple of variable values. +

+

For the example PRISM model poll2.sm, the states file looks like: +

+
+
+
(s,a,s1,s2)
+0:(1,0,0,0)
+1:(1,0,0,1)
+2:(1,0,1,0)
+3:(1,0,1,1)
+4:(1,1,1,0)
+5:(1,1,1,1)
+6:(2,0,0,0)
+7:(2,0,0,1)
+8:(2,0,1,0)
+9:(2,0,1,1)
+10:(2,1,0,1)
+11:(2,1,1,1)
+
[$[Get Code]]
+
+ +
+

+

Transitions (.tra) files

+

These contain an explicit list of the transitions making up a probabilistic model, i.e. they are essentially a sparse matrix representation of the transition probability/rate matrix. The first line of the file contains information about the size of the model, the remaining lines contain information about transitions, one per line. +

+

DTMCs and CTMCs +

+

For Markov chains the first line take the form "n m", giving the number of states (n) and the number of transitions (m). The remaining lines are of the form "i j x", where i and j are the row (source) and column (destination) indices of the transition, and x is the probability (for a DTMC) or rate (for a CTMC) of the transition. Row/column state indices are zero-indexed (i.e. between 0 and n-1). Probability/rate values are written as (positive) floating point numbers (examples: 0.5, .5, 5.6e-6, 1). +

+

Often, the transition lines in the file are ordered by row index and then column index, but this is optional. For a DTMC, the probabilities for the outgoing transitions of each state should sum to 1. +

+

Here is an example, for the (DTMC) PRISM model lec3.pm (which looks like this): +

+
+
+
6 9
+0 1 0.5
+0 3 0.5
+1 0 0.5
+1 2 0.25
+1 4 0.25
+2 5 1
+3 3 1
+4 4 1
+5 2 1
+
[$[Get Code]]
+
+ +

and here is one for the (CTMC) PRISM model poll2.sm (which looks like this): +

+
+
+
12 22
+0 1 0.5
+0 2 0.5
+0 6 200
+1 3 0.5
+1 7 200
+2 3 0.5
+2 4 200
+3 5 200
+4 5 0.5
+4 6 1
+5 7 1
+6 0 200
+6 7 0.5
+6 8 0.5
+7 9 0.5
+7 10 200
+8 2 200
+8 9 0.5
+9 11 200
+10 0 1
+10 11 0.5
+11 2 1
+
[$[Get Code]]
+
+ +

MDPs (or PAs) +

+

For MDPs, the format is an extension of the above +To clarify terminology: each state of the MDP contains (nondeterministic) choices, each of which is essentially a probability distribution over successor states that we can view as a set of transitions. Optionally, each choice can be labelled with an action. +

+

The first line of the file take the form "n c m", giving the number of states (n), the total number of choices (c) and the total number of transitions (m). The remaining lines are of the form "i k j x" or "i k j x a", where i and j are the row (source) and column (destination) indices of the transition, k is the index of the choice that it belongs to, and x is the probability of the transition. a is optional and gives the action label for the choice of the transition. Action labels can be present for some, all or no states but, in slightly redundant fashion, the action labels, if present, must be the same for all transitions belonging to the same choice. +

+

Row/column state indices and choice indices are all zero-indexed. Probability values (as above) are written as (positive) floating point numbers and should sum to 1 for each choice. Often, the transition lines in the file are ordered by row index, then choice index and then column index, but this is optional. +

+

Here is an example, for the (MDP) PRISM model lec12mdp.nm (which looks like this): +

+
+
+
4 5 7
+0 0 1 1
+1 0 0 0.7
+1 0 1 0.3
+1 1 2 0.5
+1 1 3 0.5
+2 0 2 1
+3 0 3 1
+
[$[Get Code]]
+
+ +

and here is an action-labelled version of the same model, lec12mdpa.nm (which looks like this): +

+
+
+
4 5 7
+0 0 1 1 a
+1 0 2 0.5 c
+1 0 3 0.5 c
+1 1 0 0.7 b
+1 1 1 0.3 b
+2 0 2 1 a
+3 0 3 1 a
+
[$[Get Code]]
+
+ +
+

+

Transitions (.tra) files (row form)

+

There is alternative format for transition matrices (see the -exportrows switch) where transitions for each state/choice are collated on a single line. +

+

Here is the result for the lec3.pm example from above (a DTMC): +

+
+
+
6 9
+0 0.5:1 0.5:3
+1 0.5:0 0.25:2 0.25:4
+2 1:5
+3 1:3
+4 1:4
+5 1:2
+
[$[Get Code]]
+
+ +

for the lec12mdp.nm example (an MDP): +

+
+
+
4 5 7
+0 1:1
+1 0.7:0 0.3:1
+1 0.5:2 0.5:3
+2 1:2
+3 1:3
+
[$[Get Code]]
+
+ +

and for the lec12mdpa.nm example (an MDP with actions): +

+
+
+
4 5 7
+0 1:1 a
+1 0.5:2 0.5:3 c
+1 0.7:0 0.3:1 b
+2 1:2 a
+3 1:3 a
+
[$[Get Code]]
+
+ +
+

+

Labels (.lab) files

+

These contain an explicit list of which labels are satisfied in each state. +The first line lists the labels, assigning each one an index. +The remaining lines list indices of all states satisfying one or more labels, +followed by a list of the the indices of labels that that are satisfied in it. +This includes the built-in labels "init" (initial states) and deadlock (deadlock states). +An example is shown below, where, for example, both "heads" and "end" are satisfied in state 2. +

+
+
+
0="init" 1="deadlock" 2="heads" 3="tails" 4="end"
+0: 0
+2: 2 4
+3: 3 4
+
[$[Get Code]]
+
+ +
+

+

State rewards (.srew) files

+

Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r. +

+

For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5): +

+
+
+
# Reward structure "r"
+# State rewards
+6 3
+0 2
+4 1
+5 1
+
[$[Get Code]]
+
+ +
+

+

Transition rewards (.trew) files

+

Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

+

For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions: +

+
+
+
# Reward structure: "r"
+# Transition rewards
+6 4
+1 0 1
+1 2 1
+1 4 1
+2 5 2
+
[$[Get Code]]
+
+ +

And or the lec12mdpa.nm (4-state) MDP example, we get non-zero transition rewards on 4 transitions: +

+
+
+
# Reward structure: "r"
+# Transition rewards
+4 5 4
+1 0 2 6
+1 0 3 6
+1 1 0 5
+1 1 1 5
+
[$[Get Code]]
+
+ +
+ + + + diff --git a/manual/Appendices/ExplicitModelFiles.html b/manual/Appendices/ExplicitModelFiles.html index 5e657fa51b..08e28cec30 100644 --- a/manual/Appendices/ExplicitModelFiles.html +++ b/manual/Appendices/ExplicitModelFiles.html @@ -1,22 +1,25 @@ + + -PRISM Manual | Appendices / ExplicitModelFiles +PRISM Manual | Appendices / Explicit Model Files - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
-

+

State rewards (.srew) files

-

These contain an explicit list of the (non-zero) state rewards for a particular reward structure of a model. The first line of the file is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. The following m lines are of the form i r, denoting that the state reward for state i is r. +

Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r.

For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5):

-
6 3
+
# Reward structure "r"
+# State rewards
+6 3
0 2
4 1
5 1
@@ -325,16 +465,20 @@
-

+

Transition rewards (.trew) files

-

Files containing transition rewards are formatted identically to transitions files (see above), -except that probabilities/rates are replaced with reward values, and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards.

For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions:

-
6 4
+
# Reward structure: "r"
+# Transition rewards
+6 4
1 0 1
1 2 1
1 4 1
@@ -346,7 +490,9 @@

-
4 5 4
+
# Reward structure: "r"
+# Transition rewards
+4 5 4
1 0 2 6
1 0 3 6
1 1 0 5
@@ -359,6 +505,12 @@ @@ -367,6 +519,13 @@
+ +
@@ -383,5 +542,8 @@

PRISM Manual

+ + diff --git a/manual/Appendices/ExplicitModelFiles@action=edit.html b/manual/Appendices/ExplicitModelFiles@action=edit.html new file mode 100644 index 0000000000..60b530cbd1 --- /dev/null +++ b/manual/Appendices/ExplicitModelFiles@action=edit.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Appendices / Explicit Model Files | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices / +

Explicit Model Files

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/ExplicitModelFiles@action=login.html b/manual/Appendices/ExplicitModelFiles@action=login.html new file mode 100644 index 0000000000..f9cbae748a --- /dev/null +++ b/manual/Appendices/ExplicitModelFiles@action=login.html @@ -0,0 +1,263 @@ + + + + + + + + +PRISM Manual | Appendices / Explicit Model Files | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices / +

Explicit Model Files

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/ExplicitModelFiles@action=print.html b/manual/Appendices/ExplicitModelFiles@action=print.html new file mode 100644 index 0000000000..13e30feb1a --- /dev/null +++ b/manual/Appendices/ExplicitModelFiles@action=print.html @@ -0,0 +1,377 @@ + + + + + + +PRISM Manual | Appendices / ExplicitModelFiles + + + + + + + + + + + + + + + + + + +

Appendices / +

Explicit Model Files

+ + +
+

This appendix details the (plain text) file formats used by PRISM for exporting and importing models that have already been constructed, i.e., they comprise an explicit list of states, transitions, etc. making up the model, rather than a high-level model description in the PRISM modelling language. +Below, we describe: +

+
+

+

States (.sta) files

+

These contain an explicit list of the reachable states of a model. The first line is of the form (v1,...,vn), listing the names of all the variables in the model in the order that they appear in the PRISM model. Subsequent lines list the values of the n variables in each state of the model. Each line is of the form i:(x1,...,xn), where i is the index of the state (starting from 0) and x1,...,xn are the values of each variable in the state. States are ordered by their index, or, equivalently, lexicographically according to the tuple of variable values. +

+

For the example PRISM model poll2.sm, the states file looks like: +

+
+
+
(s,a,s1,s2)
+0:(1,0,0,0)
+1:(1,0,0,1)
+2:(1,0,1,0)
+3:(1,0,1,1)
+4:(1,1,1,0)
+5:(1,1,1,1)
+6:(2,0,0,0)
+7:(2,0,0,1)
+8:(2,0,1,0)
+9:(2,0,1,1)
+10:(2,1,0,1)
+11:(2,1,1,1)
+
[$[Get Code]]
+
+ +
+

+

Transitions (.tra) files

+

These contain an explicit list of the transitions making up a probabilistic model, i.e. they are essentially a sparse matrix representation of the transition probability/rate matrix. The first line of the file contains information about the size of the model, the remaining lines contain information about transitions, one per line. +

+

DTMCs and CTMCs +

+

For Markov chains the first line take the form "n m", giving the number of states (n) and the number of transitions (m). The remaining lines are of the form "i j x", where i and j are the row (source) and column (destination) indices of the transition, and x is the probability (for a DTMC) or rate (for a CTMC) of the transition. Row/column state indices are zero-indexed (i.e. between 0 and n-1). Probability/rate values are written as (positive) floating point numbers (examples: 0.5, .5, 5.6e-6, 1). +

+

Often, the transition lines in the file are ordered by row index and then column index, but this is optional. For a DTMC, the probabilities for the outgoing transitions of each state should sum to 1. +

+

Here is an example, for the (DTMC) PRISM model lec3.pm (which looks like this): +

+
+
+
6 9
+0 1 0.5
+0 3 0.5
+1 0 0.5
+1 2 0.25
+1 4 0.25
+2 5 1
+3 3 1
+4 4 1
+5 2 1
+
[$[Get Code]]
+
+ +

and here is one for the (CTMC) PRISM model poll2.sm (which looks like this): +

+
+
+
12 22
+0 1 0.5
+0 2 0.5
+0 6 200
+1 3 0.5
+1 7 200
+2 3 0.5
+2 4 200
+3 5 200
+4 5 0.5
+4 6 1
+5 7 1
+6 0 200
+6 7 0.5
+6 8 0.5
+7 9 0.5
+7 10 200
+8 2 200
+8 9 0.5
+9 11 200
+10 0 1
+10 11 0.5
+11 2 1
+
[$[Get Code]]
+
+ +

MDPs (or PAs) +

+

For MDPs, the format is an extension of the above +To clarify terminology: each state of the MDP contains (nondeterministic) choices, each of which is essentially a probability distribution over successor states that we can view as a set of transitions. Optionally, each choice can be labelled with an action. +

+

The first line of the file take the form "n c m", giving the number of states (n), the total number of choices (c) and the total number of transitions (m). The remaining lines are of the form "i k j x" or "i k j x a", where i and j are the row (source) and column (destination) indices of the transition, k is the index of the choice that it belongs to, and x is the probability of the transition. a is optional and gives the action label for the choice of the transition. Action labels can be present for some, all or no states but, in slightly redundant fashion, the action labels, if present, must be the same for all transitions belonging to the same choice. +

+

Row/column state indices and choice indices are all zero-indexed. Probability values (as above) are written as (positive) floating point numbers and should sum to 1 for each choice. Often, the transition lines in the file are ordered by row index, then choice index and then column index, but this is optional. +

+

Here is an example, for the (MDP) PRISM model lec12mdp.nm (which looks like this): +

+
+
+
4 5 7
+0 0 1 1
+1 0 0 0.7
+1 0 1 0.3
+1 1 2 0.5
+1 1 3 0.5
+2 0 2 1
+3 0 3 1
+
[$[Get Code]]
+
+ +

and here is an action-labelled version of the same model, lec12mdpa.nm (which looks like this): +

+
+
+
4 5 7
+0 0 1 1 a
+1 0 2 0.5 c
+1 0 3 0.5 c
+1 1 0 0.7 b
+1 1 1 0.3 b
+2 0 2 1 a
+3 0 3 1 a
+
[$[Get Code]]
+
+ +
+

+

Transitions (.tra) files (row form)

+

There is alternative format for transition matrices (see the -exportrows switch) where transitions for each state/choice are collated on a single line. +

+

Here is the result for the lec3.pm example from above (a DTMC): +

+
+
+
6 9
+0 0.5:1 0.5:3
+1 0.5:0 0.25:2 0.25:4
+2 1:5
+3 1:3
+4 1:4
+5 1:2
+
[$[Get Code]]
+
+ +

for the lec12mdp.nm example (an MDP): +

+
+
+
4 5 7
+0 1:1
+1 0.7:0 0.3:1
+1 0.5:2 0.5:3
+2 1:2
+3 1:3
+
[$[Get Code]]
+
+ +

and for the lec12mdpa.nm example (an MDP with actions): +

+
+
+
4 5 7
+0 1:1 a
+1 0.5:2 0.5:3 c
+1 0.7:0 0.3:1 b
+2 1:2 a
+3 1:3 a
+
[$[Get Code]]
+
+ +
+

+

Labels (.lab) files

+

These contain an explicit list of which labels are satisfied in each state. +The first line lists the labels, assigning each one an index. +The remaining lines list indices of all states satisfying one or more labels, +followed by a list of the the indices of labels that that are satisfied in it. +This includes the built-in labels "init" (initial states) and deadlock (deadlock states). +An example is shown below, where, for example, both "heads" and "end" are satisfied in state 2. +

+
+
+
0="init" 1="deadlock" 2="heads" 3="tails" 4="end"
+0: 0
+2: 2 4
+3: 3 4
+
[$[Get Code]]
+
+ +
+

+

State rewards (.srew) files

+

Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r. +

+

For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5): +

+
+
+
# Reward structure "r"
+# State rewards
+6 3
+0 2
+4 1
+5 1
+
[$[Get Code]]
+
+ +
+

+

Transition rewards (.trew) files

+

Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

+

For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions: +

+
+
+
# Reward structure: "r"
+# Transition rewards
+6 4
+1 0 1
+1 2 1
+1 4 1
+2 5 2
+
[$[Get Code]]
+
+ +

And or the lec12mdpa.nm (4-state) MDP example, we get non-zero transition rewards on 4 transitions: +

+
+
+
# Reward structure: "r"
+# Transition rewards
+4 5 4
+1 0 2 6
+1 0 3 6
+1 1 0 5
+1 1 1 5
+
[$[Get Code]]
+
+ +
+ + + + diff --git a/manual/Appendices/Main.html b/manual/Appendices/Main.html index f9b4bcef60..32f69fcace 100644 --- a/manual/Appendices/Main.html +++ b/manual/Appendices/Main.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -80,6 +214,12 @@

Appendices

@@ -88,6 +228,13 @@

Appendices

+ +
@@ -104,5 +251,8 @@

PRISM Manual

+ + diff --git a/manual/Appendices/Main@action=edit.html b/manual/Appendices/Main@action=edit.html new file mode 100644 index 0000000000..e151526c7a --- /dev/null +++ b/manual/Appendices/Main@action=edit.html @@ -0,0 +1,264 @@ + + + + + + + + +PRISM Manual | Appendices / Main | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/Main@action=login.html b/manual/Appendices/Main@action=login.html new file mode 100644 index 0000000000..47c8ad059e --- /dev/null +++ b/manual/Appendices/Main@action=login.html @@ -0,0 +1,262 @@ + + + + + + + + +PRISM Manual | Appendices / Main | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Appendices

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/Appendices/Main@action=print.html b/manual/Appendices/Main@action=print.html new file mode 100644 index 0000000000..950f3ed952 --- /dev/null +++ b/manual/Appendices/Main@action=print.html @@ -0,0 +1,86 @@ + + + + + + +PRISM Manual | Appendices / Main + + + + + + + + + + + + + + + + + + +

Appendices

+ + + + + + + diff --git a/manual/ConfiguringPRISM/AllOnOnePage.html b/manual/ConfiguringPRISM/AllOnOnePage.html index cbf15f3e41..917c19ddfa 100644 --- a/manual/ConfiguringPRISM/AllOnOnePage.html +++ b/manual/ConfiguringPRISM/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / AllOnOnePage +PRISM Manual | Configuring PRISM / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -138,11 +272,11 @@

Introduction

User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in:

-
  • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
    • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
    • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set)
    • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set)
    • $HOME/Library/Preferences/prism.settings (on Mac OS)
    • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) -
    • $HOME/.prism (if the settings file was already created by an older version of PRISM)

    From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing:

    @@ -429,7 +563,7 @@

    Automata Generation

    Other Options

    Output options

    -

    To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with comand-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

    To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo).

    Fairness

    Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. @@ -503,6 +637,17 @@

    Output options

    To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. To change the stack size to 1GB, add -Xss1g.

    +

    Other Java options

    +

    If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

    +
    +
    +
    prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
    +
    +
    [$[Get Code]]
    +
    +

    Precomputation

    By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1.

    @@ -516,6 +661,12 @@

    Output options

    @@ -524,6 +675,13 @@

    Output options

+ +
@@ -544,5 +702,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/AllOnOnePage@action=edit.html b/manual/ConfiguringPRISM/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..4bd0c31888 --- /dev/null +++ b/manual/ConfiguringPRISM/AllOnOnePage@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/AllOnOnePage@action=login.html b/manual/ConfiguringPRISM/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..d94bfbc55c --- /dev/null +++ b/manual/ConfiguringPRISM/AllOnOnePage@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/AllOnOnePage@action=print.html b/manual/ConfiguringPRISM/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..72c4daca85 --- /dev/null +++ b/manual/ConfiguringPRISM/AllOnOnePage@action=print.html @@ -0,0 +1,535 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / AllOnOnePage + + + + + + + + + + + + + + + + + + +
+

Configuring PRISM

+
+

Introduction

+

The operation of PRISM can be configured in a number of ways. From the GUI, select "Options" from the main menu to bring up the "Options" dialog. The settings are grouped under several tabs. Those which affect the basic model checking functionality of the tool are under the heading "PRISM". Separate settings are available for the simulator and various aspects of the GUI (the model editor, the property editor and the log). +

+

User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in: +

+
  • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
  • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
  • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set) +
  • $HOME/Library/Preferences/prism.settings (on Mac OS) +
  • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) +

From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing: +

+
+
+
prism -help
+
+
[$[Get Code]]
+
+ +

For some switches, whose format is not straightforward, there is additional help available on the command-line, using -help switch. For example: +

+
+
+
prism -help const
+prism -help simpath
+prism -help exportresults
+prism -help exportmodel
+
+
[$[Get Code]]
+
+ +

The settings file is ignored by the command-line version (unlike earlier versions of PRISM, where it was used). You can, however, request that the settings file is read, using the -settings switch, e.g.: +

+
+
+
prism -settings ~/.prism
+
+
[$[Get Code]]
+
+ +

In the following sections, we give a brief description of the most important configuration options available. +

+
+

Computation Engines

+

Computation engines

+

PRISM contains four main engines, +which implement the majority of its model checking functionality: +

+
  • "MTBDD" +
  • "sparse" +
  • "hybrid" +
  • "explicit" +

The first three of these engines are either wholly or partly symbolic, +meaning that they use data structures such as +binary decision diagrams (BDDs) and multi-terminal BDDs (MTBDDs). +For these three engines, the process of +constructing a probabilistic model (DTMC, MDP or CTMC) +is performed in a symbolic fashion, +representing the model as an MTBDD. +Subsequent numerical computation performed during model checking, however, +is carried out differently for the three engines. +The "MTBDD" engine is implemented purely using MTBDDs and BDDs; +the "sparse" engine uses sparse matrices; +and the "hybrid" engine uses a combination of the other two. +The "hybrid" engine is described in [KNP04b]. +For detailed information about all three engines, see [Par02]. +

+

The fourth engine, "explicit", performs all aspects of model construction +and model checking using explicit-state data structures. +Models are typically stored as sparse matrices or variants of. +This engine is implemented purely in Java, unlike the other engines +which make use of code/libraries implemented in C/C++. +One goal of the "explicit" engine is to provide an easily extensible model +checking engine without the complication of symbolic data structures, +although it also has other benefits (see below). +

+

The choice of engine ("MTBDD", "sparse", "hybrid" or "engine") should not affect the results of model checking - all engines perform essentially the same calculations. In some cases, though, certain functionality is not available with all engines and PRISM will either automatically switch to an appropriate engine, or prompt you to do so. +Performance (time and space), however, may vary significantly and if you are using too much time/memory with one engine, it may be worth experimenting. Below, we briefly summarise the key characteristics of each engine. +

+
  • The hybrid engine is enabled by default in PRISM. It uses a combination of symbolic and explicit-state data structures (as used in the MTBDD and sparse engines, respectively). In general it provides the best compromise between time and memory usage: it (almost) always uses less memory than the sparse engine, but is typically slightly slower. The size of model which can be handled with this engine is quite predictable. The limiting factor in terms of memory usage comes from the storage of 2-4 (depending on the computation being performed) arrays of 8-byte values, one for each state in the model. So, a typical PC can handle models with between 107 and 108 states (one vector for 107 states uses approximately 75 MB). +
  • The sparse engine can be a good option for smaller models where model checking takes a long time. For larger models, however, memory usage quickly becomes prohibitive. As a rule of thumb, the upper limit for this engine, in terms of model sizes which can be handled, is about a factor of 10 less than the hybrid engine. +
  • The MTBDD engine is much more unpredictable in terms of performance but, when a model exhibits a lot of structure and regularity, can be very effective. This engine has been successfully applied to extremely large structured (but non-trivial) models, in cases where the other two engines cannot be applied. The MTBDD engine often performs poorly when the model (or solutions computed from it) contain lots of distinct probabilities/rates; it performs best when there are few such values. For this reason the engine is often successfully applied to MDP models, but much less frequently to CTMCs. When using the MTBDD engine, the variable ordering of your model is especially important. This topic is covered in the FAQ section. +
  • The explicit engine is similar to the sparse engine, in that it can be a good option for relatively small models, but will not scale up to some of the models that can be handled by the hybrid or MTBDD engines. However, unlike the sparse engine, the explicit engine does not use symbolic data structures for model construction, which can be beneficial in some cases. One example is models with a potentially very large state space, only a fraction of which is actually reachable. +

When using the PRISM GUI, the engine to be used for model checking can be selected from the "Engine" option under the "PRISM" tab of the "Options" dialog. From the command-line, engines are activated using the -mtbdd, -sparse, -hybrid and -explicit (or -m, -s, -h and -ex, respectively) switches, e.g.: +

+
+
+
prism poll2.sm -tr 1000 -m
+prism poll2.sm -tr 1000 -s
+prism poll2.sm -tr 1000 -h
+prism poll2.sm -tr 1000 -ex
+
+
[$[Get Code]]
+
+ +

Note also that precise details regarding the memory usage of the current engine are displayed during model checking (from the GUI, check the "Log" tab). This can provide valuable feedback when experimenting with different engines. +

+

PRISM also has some basic support for automatically selecting the engine (and other settings) heuristically, +based on the size and type of the model, and the property being checked. +Use, for example, -heuristic speed from the command-line to choose options +which target computation speed rather than saving memory. +This is also available from the "Heuristic" option under the "PRISM" tab of the "Options" dialog in the GUI. +

+

Approximate/statistical model checking

+

Although it is not treated as a separate "engine", like those above, +PRISM also provides approximate/statistical model checking, +which is based on the use of discrete-event simulation. +From the GUI, this is enabled by choosing "Simulate" menu items or tick boxes; +from the command-line, add the -sim switch. +See the "Statistical Model Checking" +section for more details. +

+

+

Exact model checking

+

Most of PRISM's model checking functionality uses numerical solution based on floating point arithmetic and, often, this uses iterative numerical methods, which are run until some user-specified precision is reached. PRISM currently has some support for "exact" model checking, i.e., using arbitrary precision arithmetic to provide exact numerical values. Currently, this is implemented as a special case of parametric model checking, which limits is application to relatively small models. It can be used for analysing DTMCs/CTMCs (unbounded until, steady-state probabilities, reachability reward and steady-state reward) or MDPs (unbounded until and reachability rewards). You can enable this functionality using the "Do exact model checking" option in the GUI or using switch -exact from the command line. +

+

+

PTA engines

+

The techniques used to model check PTAs are different to the ones used for DTMCs, MDPs and CTMCs. For PTAs, PRISM currently has three distinct engines that can be used: +

+
  • The stochastic games engine uses abstraction-refinement techniques based on stochastic two-player games [KNP09c]. +
  • The digital clocks engine performs a discretisation, in the form of a language-level model translation, that reduces the problem to one of model checking over a finite-state MDP [KNPS06]. +
  • The backwards reachability engine is a zone-based method based on a backwards traversal of the state space and solution of the resulting finite-state MDP [KNSW07]. +

The default engine for PTAs is "stochastic games". The engine to be used can be specified using the "PTA model checking method" setting in the "PRISM" options panel in the GUI. From the command-line, switch -ptamethod <name> should be used where <name> is either games, digital or backwards. +

+

The choice of engine for PTA model checking affects restrictions that imposed on both +the modelling language +and the types of properties that can be checked. +

+

Solution Methods and Options

+

Separately from the choice of engines, +PRISM often offers several different solution methods +that can be used for the computation of probabilities and expected costs/rewards during model checking. +Many, but not all, of these are iterative numerical methods. +The choice of method (and their settings) depends on the type of analysis that is being done (i.e., what type of model and property). +

+

Linear Equation Systems

+

For many properties of Markov chains +(e.g. "reachability"/"until" properties for DTMCs and CTMCs, steady-state properties for CTMCs and "reachability reward" properties for DTMCs), +PRISM solves a set of linear equation systems, for which several numerical methods are available. +Below is a list of the alternatives and the switches used to select them from the command-line. +The corresponding GUI option is "Linear equations method". +

+
  • Power method: -power (or -pow, -pwr) +
  • Jacobi method: -jacobi (or -jac) +
  • Gauss-Seidel method: -gaussseidel (or -gs) +
  • Backwards Gauss-Seidel method: -bgaussseidel (or -bgs) +
  • JOR method (Jacobi with over-relaxation): -jor +
  • SOR method: -sor +
  • Backwards SOR method: -bsor +

When using the MTBDD engine, Gauss-Seidel/SOR based methods are not available. +When using the hybrid engine, pseudo variants of Gauss-Seidel/SOR based method can also be used [Par02] +(type prism -help at the command-line for details of the corresponding switches). +For methods which use over-relaxation (JOR/SOR), the over-relaxation parameter (between 0.0 and 2.0) +can also be specified with option "Over-relaxation parameter" (switch -omega <val>). +

+

For options relating to convergence (of this and other iterative methods), +see the Convergence section below. +

+

+

MDP Solution Methods

+

When analysing MDPs, there are multiple solution methods on offer. +For most of these, you can select them under the "MDP solution method" setting from the GUI, +or use the command-line switches listed below. +Currently, all except value iteration are only supported by the explicit engine. +For more details of the methods, see e.g. [FKNP11] (about probabilistic verification of MDPs) +or classic MDP texts such as [Put94]). +

+
  • Value iteration (switch -valiter) [this is the default] +
  • Gauss Seidel (switch -gs) +
  • Policy iteration (switch -politer) +
  • Modified policy iteration (switch -modpoliter) +

Where the methods above use iterative numerical solution, +you can also use the settings under described in the Convergence section below. +

+

+

Interval Iteration

+

Interval iteration [HM14],[BKLPW17] is an alternative solution method for either MDPs or DTMCs +which performs two separate instances of numerical iterative solution, +one from below and one from above. This is designed to provide clearer information +about the accuracy of the computed values and avoid possible problems with premature convergence. +This can be enabled using the switch -intervaliter (or -ii) +or via the "Use interval iteration" GUI option. +A variety of options can be configured, either using +-intervaliter:option1,option2,... or by +setting the string "option1,option2,..." under "Interval iteration options" in the GUI. +Type prism -help intervaliter from the command-line for a list of the options +and see [BKLPW17] for the details. +

+

+

Topological Value Iteration

+

Topological value iteration is a variant of value iteration which improves efficiency +by analysing the graph structure of the model and using this to update the values for +states in an alternative order which increases the speed of convergence. +Use switch -topological or GUI option "Use topological value iteration" to enable this. +In addition to standard value iteration for MDPs, the topological variant can be used to optimise +both interval iteration (see above) and the numerical solution of DTMCs. +

+

+

CTMC Transient Analysis

+

When computing transient probabilities of a CTMC +(either directly or when verifying time-bounded operators of CSL), there are two options: +uniformisation and fast adaptive uniformisation (FAU). These can be selected using the GUI option "Transient probability computation method", or using the command-line switch -transientmethod <name>, where <name> is either unif or fau. +

+

Uniformisation is a standard iterative numerical method for computing transient probabilities on a CTMC, which works by reducing the problem to an analysis of a "uniformised" DTMC. +As an optimisation, when it is detected that the transient probabilities have converged, no further iterations are performed. If necessary (e.g. in case of round-off problems), this optimisation can be disabled with the "Use steady-state detection" option (command-line switch -nossdetect). +

+

+Fast adaptive uniformisation (FAU) [MWDH10] is a method to efficiently approximate transient properties of large CTMCs. The basic idea is that only the parts of the model that are relevant for the current time period are kept in memory. In more detail, starting with the initial states, in each step FAU +explores further states in a DTMC which is a discrete-time version of the original CTMC. By combining the +probabilities there with those of a certain continuous-time stochastic process (a birth process), transient properties in the original CTMC can be computed. If it turns out that the probability of being in some state in the DTMC is below a given threshold, this state is removed from the model explored so far. After a given number of steps, which corresponds to the number of steps which are likely to happen within the time bound, the exploration can be stopped. In the implementation in PRISM [DHK13], FAU can be used to compute transient probability distributions and to model check the following types of non-nested CSL formulas: time-bounded until, instantaneous reward, cumulative reward. +

+

The following options can be used to configure FAU: +

+
  • "FAU epsilon" (switch -fauepsilon <x>): FAU analyses the DTMC for a number of iterations such that the probability of more steps being relevant is below this value. The default is 1e-6. +
  • "FAU cut off delta" (switch -faudelta <x>): States that have a lower probability than this value are discarded. The default is 1e-12. +
  • "FAU array threshold" (switch -fauarraythreshold <x>): After this number of steps without any new states being explored or discarded, FAU will switch to a faster, fixed-size data structure until further states have to be explored or discarded. The default is 100. +
  • "FAU time intervals" (switch -fauintervals <x>): In some cases, it is advantageous to divide the time interval the analysis is done for into several smaller intervals. This option dictates the number of (equal length) intervals used for this split. The default is 1, meaning that only one time interval is used. +
  • "FAU initial time interval" (switch -fauinitival <x>): It is also possible to specify an additional initial time interval which is handled separately from the rest of the time. This is often advantageous, because in this interval certain parameters of the model can be explored, which can subsequently be used to speed up the computation of the remaining time interval. The default for this option is 1.0. +

+

Convergence

+

Common to all of these methods is the way that PRISM checks convergence, i.e. decides when to terminate the iterative methods because the answers have converged sufficiently. This is done by checking when the maximum difference between elements in the solution vectors from successive iterations drops below a given threshold (or, in the case of interval iteration, if the difference of the elements in the iterations from above and below are below the threshold). +The default value for this threshold is 10-6 but it can be altered with the "Termination epsilon" option (switch -epsilon <val>). The way that the maximum difference is computed can also be varied: +either "relative" or "absolute" (the default is "relative"). This can be changed using the "Termination criteria" option (command-line switches -relative and -absolute, or -rel and -abs for short). +

+

Also, the maximum number of iterations performed is given an upper limit +in order to trap the cases when computation will not converge. +The default limit is 10,000 but can be changed with the "Termination max. iterations" option (switch -maxiters <val>). Computations that reach this upper limit will trigger an error during model checking to alert the user to this fact. +

+

Automata Generation

+

When PRISM performs verification of LTL formulas, it does so by converting the formula into a deterministic omega automaton (such as a Rabin automaton) and then analysing a larger product model, constructed from the model being verified and the omega automaton. For this reason, the size of the omega automaton has an important effect on the efficiency of verification. +

+

By default PRISM uses a port of the ltl2dstar library to construct these automata. But it also allows the use of external LTL-to-automata converters producing deterministic automata through support for the Hanoi Omega Automaton (HOA) format. From the command line, an example of this is: +

+
+
+
prism model.pm -pf "P=? [ G F x=1 ]" -ltl2datool hoa-ltl2dstar-for-prism -ltl2dasyntax lbt
+
+
[$[Get Code]]
+
+ +

The -ltl2datool switch specifies the location of the program to be executed to perform the LTL-to-automaton conversion. This will be called by PRISM as "exec in-file out-file", where exec is the executable, in-file is the name of a file containing the LTL formula to be converted and out-file is the name of a file where the resulting automaton should be written, in HOA format. Typically, the executable will be a script. Here is a simple example (called as hoa-ltl2dstar-for-prism in the above example), which calls an external copy of ltl2dstar in the required fashion (assuming that the ltl2dstar and ltl2ba executables are located in the current directory or on the PATH). +

+
+
+
#! /bin/bash
+ltl2dstar --output=automaton --output-format=hoa "$1" "$2"
+
[$[Get Code]]
+
+ +

PRISM is known to work with these HOA-enabled tools: +

+

and contains ready-made scripts for calling them in the etc/scripts/hoa directory of the distribution: +

+
  • hoa-ltl2dstar-with-ltl2ba-for-prism
    (ltl2dstar using ltl2ba as the LTL-to-NBA tool) +
  • hoa-ltl2dstar-with-ltl2tgba-for-prism
    (ltl2dstar using Spot's ltl2tgba as the LTL-to-NBA tool +
  • hoa-ltl2dstar-with-ltl3ba-for-prism
    (ltl2dstar using LTL3BA as the LTL-to-NBA tool +
  • hoa-ltl3dra-dra-for-prism
    (ltl3dra, generating Rabin automata) +
  • hoa-ltl3dra-tdgra-for-prism
    (ltl3dra, generating transition-based generalized Rabin automata) +
  • hoa-rabinizer3-dgra-for-prism
    (Rabinizer 3, generating generalized Rabin automata) +
  • hoa-rabinizer3-dra-for-prism
    (Rabinizer 3, generating Rabin automata) +
  • hoa-rabinizer3-tdgra-for-prism
    (Rabinizer 3, generating transition-based generalized Rabin automata) +
  • hoa-rabinizer3-tdra-for-prism
    (Rabinizer 3, generating transition-based Rabin automata) +

There are also scripts for the upcoming Rabinizer 3.1. +

+

See the files themselves for details of any configuration required and for a reminder of the PRISM command-line arguments required. +

+

The -ltl2dasyntax switch is used to specify the textual format for passing the LTL formula to the external converter (i.e., in the file out-file). The options are: +

+
  • lbt - LBT format +
  • spin - SPIN format +
  • spot - Spot format +
  • rabinizer - Rabinizer format +

From the GUI, configuring the external LTL converter is done with the two options +"Use external LTL->DA tool" and "LTL syntax for external LTL->DA tool". +

+

Another related option is "All path formulas via automata" (command-line switch -pathviaautomata), which forces construction of an automata +when computing the probability of a path formula, even if it is not needed. This is primarily intended for debugging/testing, not regular use. +

+

As mentioned above, PRISM's external LTL-to-automaton interfacing works using the +HOA format +(and, in particular, using the jhoafparser HOA parser. +Currently, PRISM can handle automata in HOA format that are +deterministic and complete, with state-based acceptance. +Automata with transition-based acceptance are converted to state-based acceptance by PRISM. +For DTMC and CTMC model checking, generic acceptance conditions are supported, i.e., +anything that can be specified as an Acceptance: header in HOA format. +For MDP model checking, currently Rabin and generalized Rabin acceptance +specified via the acc-name: header are supported. See the HOA format specification for details. +

+
+

Other Options

+

Output options

+

To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

+

Fairness

+

Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. +See e.g. [BK98],[Bai98] for more information. +To enable the use of fairness constraints (for P operator properties), use the -fair switch. +

+

Probability/rate checks

+

By default, when constructing a model, PRISM checks that all probabilities and rates are within acceptable ranges (i.e. are between 0 and 1, or are non-negative, respectively). For DTMCs and MDPs, it also checks that the probabilities sum up to one for each command. These checks are often very useful for highlighting user modelling errors and it is strongly recommended that you keep them enabled, however if you need to disable them you can do so via option "do prob checks?" in the GUI or command-line switch -noprobchecks. +You can also change the level of precision used to check that probabilities sum to 1 using the option "Probability sum threshold" (or command-line switch -sumroundoff. +

+

CUDD memory

+

CUDD, the underlying BDD and MTBDD library used in PRISM has an upper memory limit. By default, this limit is 1 GB. If you are working on a machine with significantly more memory this and PRISM runs out of memory when model checking, it may help to change this. To set the limit, from the command-line, use the -cuddmaxmem switch. For example: +

+
+
+
prism -cuddmaxmem 2g big_model.pm
+
+
[$[Get Code]]
+
+ +

Above, g denotes GB. You can also use m for MB. +You can also the CUDD maximum memory setting from the options panel in the GUI, but you will need to close and restart the GUI (saving the settings as you do) for this to take effect. +

+

+

Java memory

+

The Java virtual machine (JVM) used to execute PRISM also has upper memory limits. Sometimes this limit will be exceeded and you will see an error of the form java.lang.OutOfMemory. To resolve this problem, you can increase this memory limit. On Unix, Linux or Mac OS X platforms, this can done by using the -javamaxmem switch, passed either to the command-line script prism or the GUI launcher xprism. For example: +

+
+
+
prism -javamaxmem 4g big_model.pm
+xprism -javamaxmem 4g big_model.pm
+
+
[$[Get Code]]
+
+ +

each set the limit to 4GB. Alternatively, you set the environment variable PRISM_JAVAMAXMEM before running PRISM. For example, under a bash shell: +

+
+
+
PRISM_JAVAMAXMEM=4g
+export PRISM_JAVAMAXMEM
+prism big_model.pm
+
+
[$[Get Code]]
+
+ +

If you get an error of the form java.lang.StackOverflowError, then you can try increasing the stack size of the JVM. +On Unix, Linux or Mac OS X platforms, this can done by using the -javastack switch or the PRISM_JAVASTACKSIZE environment variable. +Examples are: +

+
+
+
prism -javastack 1g big_model.pm
+xprism -javastack 1g big_model.pm
+
+
[$[Get Code]]
+
+ +

or: +

+
+
+
PRISM_JAVASTACKSIZE=1g
+export PRISM_JAVASTACKSIZE
+prism big_model.pm
+
+
[$[Get Code]]
+
+ +

If you are running PRISM on Windows you will have to do make adjustments to Java memory manually, by modifying the prism.bat or xprism.bat scripts. +To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. +To change the stack size to 1GB, add -Xss1g. +

+

Other Java options

+

If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

+
+
+
prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
+
+
[$[Get Code]]
+
+ +

Precomputation

+

By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1. +

+

Time-outs

+

The command-line version of PRISM has a time-out option, specified using the switch -timeout <n>. +This causes the program to exit after <n> seconds if it has not already terminated by that point. +This is particularly useful for benchmarking scenarios where you wish to ignore runs of PRISM that exceed a certain length of time. +

+
+ + + + diff --git a/manual/ConfiguringPRISM/AutomataGeneration.html b/manual/ConfiguringPRISM/AutomataGeneration.html index 17ac139b1d..ee05e2ad5e 100644 --- a/manual/ConfiguringPRISM/AutomataGeneration.html +++ b/manual/ConfiguringPRISM/AutomataGeneration.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / AutomataGeneration +PRISM Manual | Configuring PRISM / Automata Generation - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -206,6 +340,12 @@ @@ -214,6 +354,13 @@
+ +
@@ -234,5 +381,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/AutomataGeneration@action=edit.html b/manual/ConfiguringPRISM/AutomataGeneration@action=edit.html new file mode 100644 index 0000000000..63f4d9b6cf --- /dev/null +++ b/manual/ConfiguringPRISM/AutomataGeneration@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Automata Generation | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Automata Generation

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/AutomataGeneration@action=login.html b/manual/ConfiguringPRISM/AutomataGeneration@action=login.html new file mode 100644 index 0000000000..d42f395122 --- /dev/null +++ b/manual/ConfiguringPRISM/AutomataGeneration@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Automata Generation | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Automata Generation

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/AutomataGeneration@action=print.html b/manual/ConfiguringPRISM/AutomataGeneration@action=print.html new file mode 100644 index 0000000000..e48cb1c72c --- /dev/null +++ b/manual/ConfiguringPRISM/AutomataGeneration@action=print.html @@ -0,0 +1,212 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / AutomataGeneration + + + + + + + + + + + + + + + + + + +

Configuring PRISM / +

Automata Generation

+ + +
+

When PRISM performs verification of LTL formulas, it does so by converting the formula into a deterministic omega automaton (such as a Rabin automaton) and then analysing a larger product model, constructed from the model being verified and the omega automaton. For this reason, the size of the omega automaton has an important effect on the efficiency of verification. +

+

By default PRISM uses a port of the ltl2dstar library to construct these automata. But it also allows the use of external LTL-to-automata converters producing deterministic automata through support for the Hanoi Omega Automaton (HOA) format. From the command line, an example of this is: +

+
+
+
prism model.pm -pf "P=? [ G F x=1 ]" -ltl2datool hoa-ltl2dstar-for-prism -ltl2dasyntax lbt
+
+
[$[Get Code]]
+
+ +

The -ltl2datool switch specifies the location of the program to be executed to perform the LTL-to-automaton conversion. This will be called by PRISM as "exec in-file out-file", where exec is the executable, in-file is the name of a file containing the LTL formula to be converted and out-file is the name of a file where the resulting automaton should be written, in HOA format. Typically, the executable will be a script. Here is a simple example (called as hoa-ltl2dstar-for-prism in the above example), which calls an external copy of ltl2dstar in the required fashion (assuming that the ltl2dstar and ltl2ba executables are located in the current directory or on the PATH). +

+
+
+
#! /bin/bash
+ltl2dstar --output=automaton --output-format=hoa "$1" "$2"
+
[$[Get Code]]
+
+ +

PRISM is known to work with these HOA-enabled tools: +

+

and contains ready-made scripts for calling them in the etc/scripts/hoa directory of the distribution: +

+
  • hoa-ltl2dstar-with-ltl2ba-for-prism
    (ltl2dstar using ltl2ba as the LTL-to-NBA tool) +
  • hoa-ltl2dstar-with-ltl2tgba-for-prism
    (ltl2dstar using Spot's ltl2tgba as the LTL-to-NBA tool +
  • hoa-ltl2dstar-with-ltl3ba-for-prism
    (ltl2dstar using LTL3BA as the LTL-to-NBA tool +
  • hoa-ltl3dra-dra-for-prism
    (ltl3dra, generating Rabin automata) +
  • hoa-ltl3dra-tdgra-for-prism
    (ltl3dra, generating transition-based generalized Rabin automata) +
  • hoa-rabinizer3-dgra-for-prism
    (Rabinizer 3, generating generalized Rabin automata) +
  • hoa-rabinizer3-dra-for-prism
    (Rabinizer 3, generating Rabin automata) +
  • hoa-rabinizer3-tdgra-for-prism
    (Rabinizer 3, generating transition-based generalized Rabin automata) +
  • hoa-rabinizer3-tdra-for-prism
    (Rabinizer 3, generating transition-based Rabin automata) +

There are also scripts for the upcoming Rabinizer 3.1. +

+

See the files themselves for details of any configuration required and for a reminder of the PRISM command-line arguments required. +

+

The -ltl2dasyntax switch is used to specify the textual format for passing the LTL formula to the external converter (i.e., in the file out-file). The options are: +

+
  • lbt - LBT format +
  • spin - SPIN format +
  • spot - Spot format +
  • rabinizer - Rabinizer format +

From the GUI, configuring the external LTL converter is done with the two options +"Use external LTL->DA tool" and "LTL syntax for external LTL->DA tool". +

+

Another related option is "All path formulas via automata" (command-line switch -pathviaautomata), which forces construction of an automata +when computing the probability of a path formula, even if it is not needed. This is primarily intended for debugging/testing, not regular use. +

+

As mentioned above, PRISM's external LTL-to-automaton interfacing works using the +HOA format +(and, in particular, using the jhoafparser HOA parser. +Currently, PRISM can handle automata in HOA format that are +deterministic and complete, with state-based acceptance. +Automata with transition-based acceptance are converted to state-based acceptance by PRISM. +For DTMC and CTMC model checking, generic acceptance conditions are supported, i.e., +anything that can be specified as an Acceptance: header in HOA format. +For MDP model checking, currently Rabin and generalized Rabin acceptance +specified via the acc-name: header are supported. See the HOA format specification for details. +

+
+
+ + + + diff --git a/manual/ConfiguringPRISM/ComputationEngines.html b/manual/ConfiguringPRISM/ComputationEngines.html index b3d553378a..5d739c926f 100644 --- a/manual/ConfiguringPRISM/ComputationEngines.html +++ b/manual/ConfiguringPRISM/ComputationEngines.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / ComputationEngines +PRISM Manual | Configuring PRISM / Computation Engines - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -186,6 +320,12 @@

Computation engines

@@ -194,6 +334,13 @@

Computation engines

+ +
@@ -214,5 +361,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/ComputationEngines@action=edit.html b/manual/ConfiguringPRISM/ComputationEngines@action=edit.html new file mode 100644 index 0000000000..1f16410fb5 --- /dev/null +++ b/manual/ConfiguringPRISM/ComputationEngines@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Computation Engines | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Computation Engines

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/ComputationEngines@action=login.html b/manual/ConfiguringPRISM/ComputationEngines@action=login.html new file mode 100644 index 0000000000..fb54bfc7f8 --- /dev/null +++ b/manual/ConfiguringPRISM/ComputationEngines@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Computation Engines | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Computation Engines

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/ComputationEngines@action=print.html b/manual/ConfiguringPRISM/ComputationEngines@action=print.html new file mode 100644 index 0000000000..a085588316 --- /dev/null +++ b/manual/ConfiguringPRISM/ComputationEngines@action=print.html @@ -0,0 +1,192 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / ComputationEngines + + + + + + + + + + + + + + + + + + +

Configuring PRISM / +

Computation Engines

+ + +
+

Computation engines

+

PRISM contains four main engines, +which implement the majority of its model checking functionality: +

+
  • "MTBDD" +
  • "sparse" +
  • "hybrid" +
  • "explicit" +

The first three of these engines are either wholly or partly symbolic, +meaning that they use data structures such as +binary decision diagrams (BDDs) and multi-terminal BDDs (MTBDDs). +For these three engines, the process of +constructing a probabilistic model (DTMC, MDP or CTMC) +is performed in a symbolic fashion, +representing the model as an MTBDD. +Subsequent numerical computation performed during model checking, however, +is carried out differently for the three engines. +The "MTBDD" engine is implemented purely using MTBDDs and BDDs; +the "sparse" engine uses sparse matrices; +and the "hybrid" engine uses a combination of the other two. +The "hybrid" engine is described in [KNP04b]. +For detailed information about all three engines, see [Par02]. +

+

The fourth engine, "explicit", performs all aspects of model construction +and model checking using explicit-state data structures. +Models are typically stored as sparse matrices or variants of. +This engine is implemented purely in Java, unlike the other engines +which make use of code/libraries implemented in C/C++. +One goal of the "explicit" engine is to provide an easily extensible model +checking engine without the complication of symbolic data structures, +although it also has other benefits (see below). +

+

The choice of engine ("MTBDD", "sparse", "hybrid" or "engine") should not affect the results of model checking - all engines perform essentially the same calculations. In some cases, though, certain functionality is not available with all engines and PRISM will either automatically switch to an appropriate engine, or prompt you to do so. +Performance (time and space), however, may vary significantly and if you are using too much time/memory with one engine, it may be worth experimenting. Below, we briefly summarise the key characteristics of each engine. +

+
  • The hybrid engine is enabled by default in PRISM. It uses a combination of symbolic and explicit-state data structures (as used in the MTBDD and sparse engines, respectively). In general it provides the best compromise between time and memory usage: it (almost) always uses less memory than the sparse engine, but is typically slightly slower. The size of model which can be handled with this engine is quite predictable. The limiting factor in terms of memory usage comes from the storage of 2-4 (depending on the computation being performed) arrays of 8-byte values, one for each state in the model. So, a typical PC can handle models with between 107 and 108 states (one vector for 107 states uses approximately 75 MB). +
  • The sparse engine can be a good option for smaller models where model checking takes a long time. For larger models, however, memory usage quickly becomes prohibitive. As a rule of thumb, the upper limit for this engine, in terms of model sizes which can be handled, is about a factor of 10 less than the hybrid engine. +
  • The MTBDD engine is much more unpredictable in terms of performance but, when a model exhibits a lot of structure and regularity, can be very effective. This engine has been successfully applied to extremely large structured (but non-trivial) models, in cases where the other two engines cannot be applied. The MTBDD engine often performs poorly when the model (or solutions computed from it) contain lots of distinct probabilities/rates; it performs best when there are few such values. For this reason the engine is often successfully applied to MDP models, but much less frequently to CTMCs. When using the MTBDD engine, the variable ordering of your model is especially important. This topic is covered in the FAQ section. +
  • The explicit engine is similar to the sparse engine, in that it can be a good option for relatively small models, but will not scale up to some of the models that can be handled by the hybrid or MTBDD engines. However, unlike the sparse engine, the explicit engine does not use symbolic data structures for model construction, which can be beneficial in some cases. One example is models with a potentially very large state space, only a fraction of which is actually reachable. +

When using the PRISM GUI, the engine to be used for model checking can be selected from the "Engine" option under the "PRISM" tab of the "Options" dialog. From the command-line, engines are activated using the -mtbdd, -sparse, -hybrid and -explicit (or -m, -s, -h and -ex, respectively) switches, e.g.: +

+
+
+
prism poll2.sm -tr 1000 -m
+prism poll2.sm -tr 1000 -s
+prism poll2.sm -tr 1000 -h
+prism poll2.sm -tr 1000 -ex
+
+
[$[Get Code]]
+
+ +

Note also that precise details regarding the memory usage of the current engine are displayed during model checking (from the GUI, check the "Log" tab). This can provide valuable feedback when experimenting with different engines. +

+

PRISM also has some basic support for automatically selecting the engine (and other settings) heuristically, +based on the size and type of the model, and the property being checked. +Use, for example, -heuristic speed from the command-line to choose options +which target computation speed rather than saving memory. +This is also available from the "Heuristic" option under the "PRISM" tab of the "Options" dialog in the GUI. +

+

Approximate/statistical model checking

+

Although it is not treated as a separate "engine", like those above, +PRISM also provides approximate/statistical model checking, +which is based on the use of discrete-event simulation. +From the GUI, this is enabled by choosing "Simulate" menu items or tick boxes; +from the command-line, add the -sim switch. +See the "Statistical Model Checking" +section for more details. +

+

+

Exact model checking

+

Most of PRISM's model checking functionality uses numerical solution based on floating point arithmetic and, often, this uses iterative numerical methods, which are run until some user-specified precision is reached. PRISM currently has some support for "exact" model checking, i.e., using arbitrary precision arithmetic to provide exact numerical values. Currently, this is implemented as a special case of parametric model checking, which limits is application to relatively small models. It can be used for analysing DTMCs/CTMCs (unbounded until, steady-state probabilities, reachability reward and steady-state reward) or MDPs (unbounded until and reachability rewards). You can enable this functionality using the "Do exact model checking" option in the GUI or using switch -exact from the command line. +

+

+

PTA engines

+

The techniques used to model check PTAs are different to the ones used for DTMCs, MDPs and CTMCs. For PTAs, PRISM currently has three distinct engines that can be used: +

+
  • The stochastic games engine uses abstraction-refinement techniques based on stochastic two-player games [KNP09c]. +
  • The digital clocks engine performs a discretisation, in the form of a language-level model translation, that reduces the problem to one of model checking over a finite-state MDP [KNPS06]. +
  • The backwards reachability engine is a zone-based method based on a backwards traversal of the state space and solution of the resulting finite-state MDP [KNSW07]. +

The default engine for PTAs is "stochastic games". The engine to be used can be specified using the "PTA model checking method" setting in the "PRISM" options panel in the GUI. From the command-line, switch -ptamethod <name> should be used where <name> is either games, digital or backwards. +

+

The choice of engine for PTA model checking affects restrictions that imposed on both +the modelling language +and the types of properties that can be checked. +

+
+ + + + diff --git a/manual/ConfiguringPRISM/Introduction@action=edit.html b/manual/ConfiguringPRISM/Introduction@action=edit.html new file mode 100644 index 0000000000..e09e705646 --- /dev/null +++ b/manual/ConfiguringPRISM/Introduction@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Introduction | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Introduction

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/Introduction@action=login.html b/manual/ConfiguringPRISM/Introduction@action=login.html new file mode 100644 index 0000000000..635add4900 --- /dev/null +++ b/manual/ConfiguringPRISM/Introduction@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Introduction | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Introduction

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/Introduction@action=print.html b/manual/ConfiguringPRISM/Introduction@action=print.html new file mode 100644 index 0000000000..91083996fa --- /dev/null +++ b/manual/ConfiguringPRISM/Introduction@action=print.html @@ -0,0 +1,149 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / Introduction + + + + + + + + + + + + + + + + + + +

Configuring PRISM / +

Introduction

+ + +
+

The operation of PRISM can be configured in a number of ways. From the GUI, select "Options" from the main menu to bring up the "Options" dialog. The settings are grouped under several tabs. Those which affect the basic model checking functionality of the tool are under the heading "PRISM". Separate settings are available for the simulator and various aspects of the GUI (the model editor, the property editor and the log). +

+

User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in: +

+
  • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
  • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
  • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set) +
  • $HOME/Library/Preferences/prism.settings (on Mac OS) +
  • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) +

From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing: +

+
+
+
prism -help
+
+
[$[Get Code]]
+
+ +

For some switches, whose format is not straightforward, there is additional help available on the command-line, using -help switch. For example: +

+
+
+
prism -help const
+prism -help simpath
+prism -help exportresults
+prism -help exportmodel
+
+
[$[Get Code]]
+
+ +

The settings file is ignored by the command-line version (unlike earlier versions of PRISM, where it was used). You can, however, request that the settings file is read, using the -settings switch, e.g.: +

+
+
+
prism -settings ~/.prism
+
+
[$[Get Code]]
+
+ +

In the following sections, we give a brief description of the most important configuration options available. +

+
+
+ + + + diff --git a/manual/ConfiguringPRISM/Main.html b/manual/ConfiguringPRISM/Main.html index 4f00fbfab5..de4da933fc 100644 --- a/manual/ConfiguringPRISM/Main.html +++ b/manual/ConfiguringPRISM/Main.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / Introduction +PRISM Manual | Configuring PRISM / Introduction - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -100,11 +234,11 @@

User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in:

-
  • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
    • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
    • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set)
    • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set)
    • $HOME/Library/Preferences/prism.settings (on Mac OS)
    • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) -
    • $HOME/.prism (if the settings file was already created by an older version of PRISM)

    From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing:

    @@ -143,6 +277,12 @@ @@ -151,6 +291,13 @@
+ +
@@ -171,5 +318,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/OtherOptions.html b/manual/ConfiguringPRISM/OtherOptions.html index 22ffe3970b..3cb773b8d1 100644 --- a/manual/ConfiguringPRISM/OtherOptions.html +++ b/manual/ConfiguringPRISM/OtherOptions.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / OtherOptions +PRISM Manual | Configuring PRISM / Other Options - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -97,7 +231,7 @@

Output options

-

To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with comand-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo).

Fairness

Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. @@ -171,6 +305,17 @@

Output options

To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. To change the stack size to 1GB, add -Xss1g.

+

Other Java options

+

If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

+
+
+
prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
+
+
[$[Get Code]]
+
+

Precomputation

By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1.

@@ -184,6 +329,12 @@

Output options

@@ -192,6 +343,13 @@

Output options

+ +
@@ -212,5 +370,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/OtherOptions@action=edit.html b/manual/ConfiguringPRISM/OtherOptions@action=edit.html new file mode 100644 index 0000000000..232b3893fa --- /dev/null +++ b/manual/ConfiguringPRISM/OtherOptions@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Other Options | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Other Options

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/OtherOptions@action=login.html b/manual/ConfiguringPRISM/OtherOptions@action=login.html new file mode 100644 index 0000000000..59017a1d19 --- /dev/null +++ b/manual/ConfiguringPRISM/OtherOptions@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Other Options | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Other Options

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/OtherOptions@action=print.html b/manual/ConfiguringPRISM/OtherOptions@action=print.html new file mode 100644 index 0000000000..282ecb4759 --- /dev/null +++ b/manual/ConfiguringPRISM/OtherOptions@action=print.html @@ -0,0 +1,201 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / OtherOptions + + + + + + + + + + + + + + + + + + +

Configuring PRISM / +

Other Options

+ + +
+

Output options

+

To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

+

Fairness

+

Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. +See e.g. [BK98],[Bai98] for more information. +To enable the use of fairness constraints (for P operator properties), use the -fair switch. +

+

Probability/rate checks

+

By default, when constructing a model, PRISM checks that all probabilities and rates are within acceptable ranges (i.e. are between 0 and 1, or are non-negative, respectively). For DTMCs and MDPs, it also checks that the probabilities sum up to one for each command. These checks are often very useful for highlighting user modelling errors and it is strongly recommended that you keep them enabled, however if you need to disable them you can do so via option "do prob checks?" in the GUI or command-line switch -noprobchecks. +You can also change the level of precision used to check that probabilities sum to 1 using the option "Probability sum threshold" (or command-line switch -sumroundoff. +

+

CUDD memory

+

CUDD, the underlying BDD and MTBDD library used in PRISM has an upper memory limit. By default, this limit is 1 GB. If you are working on a machine with significantly more memory this and PRISM runs out of memory when model checking, it may help to change this. To set the limit, from the command-line, use the -cuddmaxmem switch. For example: +

+
+
+
prism -cuddmaxmem 2g big_model.pm
+
+
[$[Get Code]]
+
+ +

Above, g denotes GB. You can also use m for MB. +You can also the CUDD maximum memory setting from the options panel in the GUI, but you will need to close and restart the GUI (saving the settings as you do) for this to take effect. +

+

+

Java memory

+

The Java virtual machine (JVM) used to execute PRISM also has upper memory limits. Sometimes this limit will be exceeded and you will see an error of the form java.lang.OutOfMemory. To resolve this problem, you can increase this memory limit. On Unix, Linux or Mac OS X platforms, this can done by using the -javamaxmem switch, passed either to the command-line script prism or the GUI launcher xprism. For example: +

+
+
+
prism -javamaxmem 4g big_model.pm
+xprism -javamaxmem 4g big_model.pm
+
+
[$[Get Code]]
+
+ +

each set the limit to 4GB. Alternatively, you set the environment variable PRISM_JAVAMAXMEM before running PRISM. For example, under a bash shell: +

+
+
+
PRISM_JAVAMAXMEM=4g
+export PRISM_JAVAMAXMEM
+prism big_model.pm
+
+
[$[Get Code]]
+
+ +

If you get an error of the form java.lang.StackOverflowError, then you can try increasing the stack size of the JVM. +On Unix, Linux or Mac OS X platforms, this can done by using the -javastack switch or the PRISM_JAVASTACKSIZE environment variable. +Examples are: +

+
+
+
prism -javastack 1g big_model.pm
+xprism -javastack 1g big_model.pm
+
+
[$[Get Code]]
+
+ +

or: +

+
+
+
PRISM_JAVASTACKSIZE=1g
+export PRISM_JAVASTACKSIZE
+prism big_model.pm
+
+
[$[Get Code]]
+
+ +

If you are running PRISM on Windows you will have to do make adjustments to Java memory manually, by modifying the prism.bat or xprism.bat scripts. +To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. +To change the stack size to 1GB, add -Xss1g. +

+

Other Java options

+

If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

+
+
+
prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
+
+
[$[Get Code]]
+
+ +

Precomputation

+

By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1. +

+

Time-outs

+

The command-line version of PRISM has a time-out option, specified using the switch -timeout <n>. +This causes the program to exit after <n> seconds if it has not already terminated by that point. +This is particularly useful for benchmarking scenarios where you wish to ignore runs of PRISM that exceed a certain length of time. +

+
+ + + + diff --git a/manual/ConfiguringPRISM/SolutionMethodsAndOptions.html b/manual/ConfiguringPRISM/SolutionMethodsAndOptions.html index a06d17e11e..10575f132d 100644 --- a/manual/ConfiguringPRISM/SolutionMethodsAndOptions.html +++ b/manual/ConfiguringPRISM/SolutionMethodsAndOptions.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ConfiguringPRISM / SolutionMethodsAndOptions +PRISM Manual | Configuring PRISM / Solution Methods And Options - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -178,6 +312,12 @@ @@ -186,6 +326,13 @@
+ +
@@ -206,5 +353,8 @@

PRISM Manual

+ + diff --git a/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=edit.html b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=edit.html new file mode 100644 index 0000000000..251e87abd7 --- /dev/null +++ b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=edit.html @@ -0,0 +1,269 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Solution Methods And Options | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Solution Methods And Options

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=login.html b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=login.html new file mode 100644 index 0000000000..850ae906d9 --- /dev/null +++ b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=login.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Configuring PRISM / Solution Methods And Options | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Configuring PRISM / +

Solution Methods And Options

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=print.html b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=print.html new file mode 100644 index 0000000000..adf29912f9 --- /dev/null +++ b/manual/ConfiguringPRISM/SolutionMethodsAndOptions@action=print.html @@ -0,0 +1,184 @@ + + + + + + +PRISM Manual | ConfiguringPRISM / SolutionMethodsAndOptions + + + + + + + + + + + + + + + + + + +

Configuring PRISM / +

Solution Methods And Options

+ + +
+

Separately from the choice of engines, +PRISM often offers several different solution methods +that can be used for the computation of probabilities and expected costs/rewards during model checking. +Many, but not all, of these are iterative numerical methods. +The choice of method (and their settings) depends on the type of analysis that is being done (i.e., what type of model and property). +

+

Linear Equation Systems

+

For many properties of Markov chains +(e.g. "reachability"/"until" properties for DTMCs and CTMCs, steady-state properties for CTMCs and "reachability reward" properties for DTMCs), +PRISM solves a set of linear equation systems, for which several numerical methods are available. +Below is a list of the alternatives and the switches used to select them from the command-line. +The corresponding GUI option is "Linear equations method". +

+
  • Power method: -power (or -pow, -pwr) +
  • Jacobi method: -jacobi (or -jac) +
  • Gauss-Seidel method: -gaussseidel (or -gs) +
  • Backwards Gauss-Seidel method: -bgaussseidel (or -bgs) +
  • JOR method (Jacobi with over-relaxation): -jor +
  • SOR method: -sor +
  • Backwards SOR method: -bsor +

When using the MTBDD engine, Gauss-Seidel/SOR based methods are not available. +When using the hybrid engine, pseudo variants of Gauss-Seidel/SOR based method can also be used [Par02] +(type prism -help at the command-line for details of the corresponding switches). +For methods which use over-relaxation (JOR/SOR), the over-relaxation parameter (between 0.0 and 2.0) +can also be specified with option "Over-relaxation parameter" (switch -omega <val>). +

+

For options relating to convergence (of this and other iterative methods), +see the Convergence section below. +

+

+

MDP Solution Methods

+

When analysing MDPs, there are multiple solution methods on offer. +For most of these, you can select them under the "MDP solution method" setting from the GUI, +or use the command-line switches listed below. +Currently, all except value iteration are only supported by the explicit engine. +For more details of the methods, see e.g. [FKNP11] (about probabilistic verification of MDPs) +or classic MDP texts such as [Put94]). +

+
  • Value iteration (switch -valiter) [this is the default] +
  • Gauss Seidel (switch -gs) +
  • Policy iteration (switch -politer) +
  • Modified policy iteration (switch -modpoliter) +

Where the methods above use iterative numerical solution, +you can also use the settings under described in the Convergence section below. +

+

+

Interval Iteration

+

Interval iteration [HM14],[BKLPW17] is an alternative solution method for either MDPs or DTMCs +which performs two separate instances of numerical iterative solution, +one from below and one from above. This is designed to provide clearer information +about the accuracy of the computed values and avoid possible problems with premature convergence. +This can be enabled using the switch -intervaliter (or -ii) +or via the "Use interval iteration" GUI option. +A variety of options can be configured, either using +-intervaliter:option1,option2,... or by +setting the string "option1,option2,..." under "Interval iteration options" in the GUI. +Type prism -help intervaliter from the command-line for a list of the options +and see [BKLPW17] for the details. +

+

+

Topological Value Iteration

+

Topological value iteration is a variant of value iteration which improves efficiency +by analysing the graph structure of the model and using this to update the values for +states in an alternative order which increases the speed of convergence. +Use switch -topological or GUI option "Use topological value iteration" to enable this. +In addition to standard value iteration for MDPs, the topological variant can be used to optimise +both interval iteration (see above) and the numerical solution of DTMCs. +

+

+

CTMC Transient Analysis

+

When computing transient probabilities of a CTMC +(either directly or when verifying time-bounded operators of CSL), there are two options: +uniformisation and fast adaptive uniformisation (FAU). These can be selected using the GUI option "Transient probability computation method", or using the command-line switch -transientmethod <name>, where <name> is either unif or fau. +

+

Uniformisation is a standard iterative numerical method for computing transient probabilities on a CTMC, which works by reducing the problem to an analysis of a "uniformised" DTMC. +As an optimisation, when it is detected that the transient probabilities have converged, no further iterations are performed. If necessary (e.g. in case of round-off problems), this optimisation can be disabled with the "Use steady-state detection" option (command-line switch -nossdetect). +

+

+Fast adaptive uniformisation (FAU) [MWDH10] is a method to efficiently approximate transient properties of large CTMCs. The basic idea is that only the parts of the model that are relevant for the current time period are kept in memory. In more detail, starting with the initial states, in each step FAU +explores further states in a DTMC which is a discrete-time version of the original CTMC. By combining the +probabilities there with those of a certain continuous-time stochastic process (a birth process), transient properties in the original CTMC can be computed. If it turns out that the probability of being in some state in the DTMC is below a given threshold, this state is removed from the model explored so far. After a given number of steps, which corresponds to the number of steps which are likely to happen within the time bound, the exploration can be stopped. In the implementation in PRISM [DHK13], FAU can be used to compute transient probability distributions and to model check the following types of non-nested CSL formulas: time-bounded until, instantaneous reward, cumulative reward. +

+

The following options can be used to configure FAU: +

+
  • "FAU epsilon" (switch -fauepsilon <x>): FAU analyses the DTMC for a number of iterations such that the probability of more steps being relevant is below this value. The default is 1e-6. +
  • "FAU cut off delta" (switch -faudelta <x>): States that have a lower probability than this value are discarded. The default is 1e-12. +
  • "FAU array threshold" (switch -fauarraythreshold <x>): After this number of steps without any new states being explored or discarded, FAU will switch to a faster, fixed-size data structure until further states have to be explored or discarded. The default is 100. +
  • "FAU time intervals" (switch -fauintervals <x>): In some cases, it is advantageous to divide the time interval the analysis is done for into several smaller intervals. This option dictates the number of (equal length) intervals used for this split. The default is 1, meaning that only one time interval is used. +
  • "FAU initial time interval" (switch -fauinitival <x>): It is also possible to specify an additional initial time interval which is handled separately from the rest of the time. This is often advantageous, because in this interval certain parameters of the model can be explored, which can subsequently be used to speed up the computation of the remaining time interval. The default for this option is 1.0. +

+

Convergence

+

Common to all of these methods is the way that PRISM checks convergence, i.e. decides when to terminate the iterative methods because the answers have converged sufficiently. This is done by checking when the maximum difference between elements in the solution vectors from successive iterations drops below a given threshold (or, in the case of interval iteration, if the difference of the elements in the iterations from above and below are below the threshold). +The default value for this threshold is 10-6 but it can be altered with the "Termination epsilon" option (switch -epsilon <val>). The way that the maximum difference is computed can also be varied: +either "relative" or "absolute" (the default is "relative"). This can be changed using the "Termination criteria" option (command-line switches -relative and -absolute, or -rel and -abs for short). +

+

Also, the maximum number of iterations performed is given an upper limit +in order to trap the cases when computation will not converge. +The default limit is 10,000 but can be changed with the "Termination max. iterations" option (switch -maxiters <val>). Computations that reach this upper limit will trigger an error during model checking to alert the user to this fact. +

+
+ + + + diff --git a/manual/FrequentlyAskedQuestions.html b/manual/FrequentlyAskedQuestions.html new file mode 100644 index 0000000000..0f0a02fb17 --- /dev/null +++ b/manual/FrequentlyAskedQuestions.html @@ -0,0 +1,279 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Main + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions

+ +
+ + + + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/AllOnOnePage.html b/manual/FrequentlyAskedQuestions/AllOnOnePage.html index b26cb575ef..56416d2274 100644 --- a/manual/FrequentlyAskedQuestions/AllOnOnePage.html +++ b/manual/FrequentlyAskedQuestions/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | FrequentlyAskedQuestions / AllOnOnePage +PRISM Manual | Frequently Asked Questions / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -299,7 +433,7 @@

PRISM Modelling

In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k.

-
+

There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000.

@@ -307,6 +441,12 @@

PRISM Modelling

@@ -315,6 +455,13 @@

PRISM Modelling

+ +
@@ -322,7 +469,7 @@

PRISM Modelling

+ + diff --git a/manual/FrequentlyAskedQuestions/AllOnOnePage@action=edit.html b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..69270a0493 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=edit.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/AllOnOnePage@action=login.html b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..97163f6b05 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=login.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/AllOnOnePage@action=print.html b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..cfa7776c04 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/AllOnOnePage@action=print.html @@ -0,0 +1,315 @@ + + + + + + +PRISM Manual | FrequentlyAskedQuestions / AllOnOnePage + + + + + + + + + + + + + + + + + + +
+

Frequently Asked Questions

+
+

Memory Problems

+

+

PRISM crashed or stopped responding. Why?

+
+

When PRISM crashes, the most likely cause is that it has run out of memory. +Similarly, if PRISM (or the machine you are running it on) becomes very slow or seems to have stopped responding, this is probably because it is using too much of your machine's memory. Probabilistic model checking, much like other formal verification techniques, can be a very resource-intensive process. It is very easy to create a seemingly simple PRISM model that requires a large amount of time and/or memory to construct and analyse. See some of the other questions in this section for tips on how to avoid this. +

+

The other possibility is that you have found a bug. +If PRISM crashes or freezes whilst not using all/most of the available memory (you can check this with the top command in a Unix/Linux terminal or the Task Manager (via Ctrl-Alt-Delete) on Windows) then please file a bug report. +

+

+

I ran out of memory. What can I do?

+
+

It depends. First, you need to establish at what point in PRISM's operation, you ran out of memory. If you are running the command-line version of PRISM then the output from the tool so far should give an indication of this. If using the GUI, check the log tab for this information. If PRISM crashed because of its memory usage, the error message can be helpful. If using the GUI, you may need to start the GUI from the command-line to see any error messages. +

+

The two main steps that PRISM typically has to perform are: +

+
  1. Model construction (conversion of a PRISM language description to the corresponding probabilistic model) +
  2. Model checking/analysis (processing/analysis of a constructed probabilistic model in order to determine the result of a property or to compute steady-state/transient probabilities) +

Memory usage issues for each of these steps are discussed in separate sections below. In some cases the process performed prior to step 1 (model parsing - reading in a model description in the PRISM language and checking it for correctness) can also be resource intensive. This is also discussed below. +

+

If you are using the simulator to generate approximate model checking results then step 1 (model construction) is not performed and step 2 is carried out very differently. Memory consumption is not usually a problem in this case. +

+

+

I ran out of memory during model construction. What can I do?

+
+

If PRISM has already output this: +

+
+
Building model...
+
+
[$[Get Code]]
+
+ +

but there is no line of the form: +

+
+
Time for model construction: 34.3 seconds.
+
+
[$[Get Code]]
+
+ +

and then you get an error like this: +

+
+
#
+# An unexpected error has been detected by Java Runtime Environment:
+#
+# SIGSEGV (0xb) at pc=0xb5249323, pid=19298, tid=3086363536
+#
+# Java VM: Java HotSpot(TM) Client VM (1.6.0-b105 mixed mode, sharing)
+# Problematic frame:
+# C [libdd.so+0x39323] Cudd_Ref+0xf
+#
+# An error report file with more information is saved as hs_err_pid19298.log
+#
+# If you would like to submit a bug report, please visit:
+# http://java.sun.com/webapps/bugreport/crash.jsp
+#
+/home/dxp/bin/prism: line 50: 19298 Aborted "$PRISM_JAVA" #$PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
+
+
[$[Get Code]]
+
+ +

or like this: +

+
+
#
+# An unexpected error has been detected by HotSpot Virtual Machine:
+#
+# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0b1c7da3, pid=2884, tid=2544
+#
+# Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode)
+# Problematic frame:
+# C [dd.dll+0x7da3]
+#
+...
+
+
[$[Get Code]]
+
+ +

then PRISM ran out of memory whilst trying to construct the model. +Model construction in PRISM is performed using BDDs (binary decision diagrams) and MTBDDs (multi-terminal) BDDs which are implemented in the CUDD library. +The first thing to try in this case is to increase the amount of memory available to CUDD. See the entry "CUDD memory" in the section "Configuring PRISM - Other Options" for details of this. +

+

If increasing this memory limit does not resolve the problem, then you will need to consider ways to reduce the size of your model. You can find some tips on this in the PRISM Modelling section. Bear in mind also that if you are having to increase the CUDD memory limit too high (e.g. close to the physical memory available on your computer) just for model construction, then it is unlikely that you will have enough memory for subsequent model checking operations. +

+

Finally, it is also worth considering the ordering of the modules and variables in your model since this can have a (in some cases dramatic) effect on the size of MTBDD representation of the model. This topic is covered in the "PRISM Modelling" section of this FAQ. +

+

+

I ran out of memory during model checking. What can I do?

+
+

If model construction was successfully completed (see previous question) but model checking was not, there are several things you can try. First of all, if the error message you see looks like the one in the previous question or you see a message such as +

+
+
DD_MatrixMultiply: res is NULL
+
+
[$[Get Code]]
+
+ +

then it may be worth increasing the memory limit for CUDD (as described above). However, if you see an error more like this: +

+
+
/home/dxp/bin/prism: line 50: 3139 Aborted "$PRISM_JAVA" $PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
+
+
[$[Get Code]]
+
+ +

then increasing the memory CUDD probably will not help - PRISM is just trying to allocate more memory than is physically available on your system. +

+

Here are some general tips: +

+
  • Try experimenting with using the different engines in PRISM. Read the section "Configuring PRISM - Computation Engines" for details. +
  • Look at the detailed output of PRISM for information about memory usage. If you are using the hybrid (or sparse) engine and the limiting factor in terms of memory is creation of the vectors, then you have no choice but to try and reduce the size (number of states) of your model. If you are using the MTBDD engine, it is also well worth considering the variable ordering of your model. Both topics are discussed in the "PRISM Modelling" section of this FAQ. +
  • Finally, if you can find no way to reduce the size of your model and are happy to consider an approximate (rather than exact) analysis, you may wish to try using PRISM's discrete-event simulation engine for analysis. +
+

+

I ran out of memory during model parsing. What can I do?

+
+

This is a less common problem and will only occur if the actual PRISM language description of your model is very large. This may be the case, for example, if you are automatically generating PRISM models in some way. Errors due to lack of memory during parsing usually look like: +

+
+
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
+
+
[$[Get Code]]
+
+ +

or: +

+
+
Exception in thread "main" java.lang.StackOverflowError
+
+
[$[Get Code]]
+
+ +

You can resolve this problem by increasing the memory allocated to Java. +See the entry "Java memory" in the section "Configuring PRISM - Other Options" for details of this. +

+
+

PRISM Modelling

+

+

What size models can PRISM handle?

+
+

There is no definitive answer to this. Because of PRISM's symbolic implementation, using data structures based on binary decision diagrams (BDDs), its performance can be unpredictable in this respect. There are also several factors that affect performance, including the type of model and property being checked and the engine being used (PRISM has several different engines, which have varying performance). +

+

Having said that, using the default engine in PRISM (the “hybrid” engine), you can normally expect to be able to handle models with up to 10^7-10^8 states on a typical PC. Using the MTBDD engine, you may be able to analyse much larger models (on some of the PRISM case studies, for example, PRISM can do numerical analysis of models with as many as 10^10 or 10^11 states). The manual has more information about PRISM's engines. +

+

+

How can I reduce the size of my model?

+
+

The size of a probabilistic model (i.e. the number of states/transitions) is critical to the efficiency of performing probabilistic model checking on it, since both the time and memory required to do so are often proportional to the model size. Unfortunately, it is very easy to create models that are extremely large. Below are a few general tips for reducing model size. +

+
  • Look for variables that have unnecessarily large ranges and try to reduce them. Even if your model needs large variables, it is generally a good strategy to first get a smaller version building successfully and then scale it up afterwards. +
  • Similarly, can you (if only temporarily) reduce the number of modules/components of your model? Start with the smallest number of components possible and then add others one by one. +
  • Do you have any inter-dependencies between variables? For example, perhaps you have some variables which are simply functions of other variables of the model. Even if these are convenient for model checking, they can be replaced with formulas or labels, which do not contribute to the state space. +
  • Do any variables include more detail than is necessary for the model? Perhaps this can be exploited in order to reduce the number of variables in your model. +
  • More generally, are any aspects of the model not relevant to the properties that you are interested in? If so, start with a simpler, more abstract version of the model and then add more details if possible. +
+

+

How can I choose a good variable ordering?

+
+

Because PRISM is a symbolic model checker, the amount of memory required to store the probabilistic model can vary (sometime unpredictably) according to several factors. One example is the order in which the variables of your model appear in the model file. In general, there is no definitive answer to what the best ordering is but the following heuristics are a good guide. +

+
  • Variables which are closely related should appear close together +
  • Variables which are related to most or all other variables should appear near the start of the ordering +

Variables x and y are "related" if, for example, the value of one is has an effect on how the other changes (e.g. (y'=x+1)) or if both appear together in an expression (e.g. a guard). +

+

These heuristics also apply to the ordering of modules within the model file. +

+

For technical details about variable ordering issues, see e.g. section 8 of [HKN+03] or section 4.1.2 of [Par02]. +

+

+

How can I add deterministic time delays to a CTMC model?

+
+

All delays in a CTMC need to be modelled as exponential distributions. This is what makes them efficient to analyse. If you included a transition whose delay was deterministic, i.e. which always occurred after exactly the same delay, the model would no longer be a CTMC. +

+

One solution to this, if your model require such a delay, is to approximate a deterministic delay with an Erlang distribution (a special case of a phase-type distribution). See for example this PRISM model: +

+
+
+
ctmc
+
+const int k;
+const double mean = 10;
+
+module trigger
+
+ i : [1..k+1];
+
+ []   i < k -> k/mean : (i'=i+1);
+ [go] i = k -> k/mean : (i'=i+1);
+
+endmodule
+
+module main
+
+ x : [0..1];
+
+ [go] x=0 -> (x'=1);
+
+endmodule
+
+
[$[Get Code]]
+
+ +

In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k. +

+
+

There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000. +

+
+ + + + diff --git a/manual/FrequentlyAskedQuestions/Main@action=edit.html b/manual/FrequentlyAskedQuestions/Main@action=edit.html new file mode 100644 index 0000000000..ab08d9dbbd --- /dev/null +++ b/manual/FrequentlyAskedQuestions/Main@action=edit.html @@ -0,0 +1,266 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Main | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/Main@action=login.html b/manual/FrequentlyAskedQuestions/Main@action=login.html new file mode 100644 index 0000000000..5ebdbf4b82 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/Main@action=login.html @@ -0,0 +1,264 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Main | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/Main.html b/manual/FrequentlyAskedQuestions/Main@action=print.html similarity index 62% rename from manual/FrequentlyAskedQuestions/Main.html rename to manual/FrequentlyAskedQuestions/Main@action=print.html index c4eda0c899..5170f8ed78 100644 --- a/manual/FrequentlyAskedQuestions/Main.html +++ b/manual/FrequentlyAskedQuestions/Main@action=print.html @@ -1,22 +1,16 @@ - + + - -PRISM Manual | FrequentlyAskedQuestions / Main - - - - +PRISM Manual | FrequentlyAskedQuestions / Main - - + - +--> - - - + + + + + + - - -
-
- -
- - - - - + -
-

Frequently Asked Questions

+

Frequently Asked Questions

-

Below are some frequently asked questions about the use of PRISM. @@ -97,33 +101,5 @@

Frequently Asked Questions

- - - - - - - -
- -
-
- - - diff --git a/manual/FrequentlyAskedQuestions/MemoryProblems.html b/manual/FrequentlyAskedQuestions/MemoryProblems.html index c62558e506..8d57b1cd05 100644 --- a/manual/FrequentlyAskedQuestions/MemoryProblems.html +++ b/manual/FrequentlyAskedQuestions/MemoryProblems.html @@ -1,22 +1,25 @@ + + -PRISM Manual | FrequentlyAskedQuestions / MemoryProblems +PRISM Manual | Frequently Asked Questions / Memory Problems - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -238,6 +372,12 @@ @@ -246,6 +386,13 @@
+ +
@@ -253,7 +400,7 @@
+ + diff --git a/manual/FrequentlyAskedQuestions/MemoryProblems@action=edit.html b/manual/FrequentlyAskedQuestions/MemoryProblems@action=edit.html new file mode 100644 index 0000000000..b929d9fa06 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/MemoryProblems@action=edit.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Memory Problems | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

Memory Problems

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/MemoryProblems@action=login.html b/manual/FrequentlyAskedQuestions/MemoryProblems@action=login.html new file mode 100644 index 0000000000..d4729d9e72 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/MemoryProblems@action=login.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Memory Problems | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

Memory Problems

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ + + + + + + diff --git a/manual/FrequentlyAskedQuestions/MemoryProblems@action=print.html b/manual/FrequentlyAskedQuestions/MemoryProblems@action=print.html new file mode 100644 index 0000000000..40d1e33760 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/MemoryProblems@action=print.html @@ -0,0 +1,244 @@ + + + + + + +PRISM Manual | FrequentlyAskedQuestions / MemoryProblems + + + + + + + + + + + + + + + + + + +

Frequently Asked Questions / +

Memory Problems

+ + +
+

+

PRISM crashed or stopped responding. Why?

+
+

When PRISM crashes, the most likely cause is that it has run out of memory. +Similarly, if PRISM (or the machine you are running it on) becomes very slow or seems to have stopped responding, this is probably because it is using too much of your machine's memory. Probabilistic model checking, much like other formal verification techniques, can be a very resource-intensive process. It is very easy to create a seemingly simple PRISM model that requires a large amount of time and/or memory to construct and analyse. See some of the other questions in this section for tips on how to avoid this. +

+

The other possibility is that you have found a bug. +If PRISM crashes or freezes whilst not using all/most of the available memory (you can check this with the top command in a Unix/Linux terminal or the Task Manager (via Ctrl-Alt-Delete) on Windows) then please file a bug report. +

+

+

I ran out of memory. What can I do?

+
+

It depends. First, you need to establish at what point in PRISM's operation, you ran out of memory. If you are running the command-line version of PRISM then the output from the tool so far should give an indication of this. If using the GUI, check the log tab for this information. If PRISM crashed because of its memory usage, the error message can be helpful. If using the GUI, you may need to start the GUI from the command-line to see any error messages. +

+

The two main steps that PRISM typically has to perform are: +

+
  1. Model construction (conversion of a PRISM language description to the corresponding probabilistic model) +
  2. Model checking/analysis (processing/analysis of a constructed probabilistic model in order to determine the result of a property or to compute steady-state/transient probabilities) +

Memory usage issues for each of these steps are discussed in separate sections below. In some cases the process performed prior to step 1 (model parsing - reading in a model description in the PRISM language and checking it for correctness) can also be resource intensive. This is also discussed below. +

+

If you are using the simulator to generate approximate model checking results then step 1 (model construction) is not performed and step 2 is carried out very differently. Memory consumption is not usually a problem in this case. +

+

+

I ran out of memory during model construction. What can I do?

+
+

If PRISM has already output this: +

+
+
Building model...
+
+
[$[Get Code]]
+
+ +

but there is no line of the form: +

+
+
Time for model construction: 34.3 seconds.
+
+
[$[Get Code]]
+
+ +

and then you get an error like this: +

+
+
#
+# An unexpected error has been detected by Java Runtime Environment:
+#
+# SIGSEGV (0xb) at pc=0xb5249323, pid=19298, tid=3086363536
+#
+# Java VM: Java HotSpot(TM) Client VM (1.6.0-b105 mixed mode, sharing)
+# Problematic frame:
+# C [libdd.so+0x39323] Cudd_Ref+0xf
+#
+# An error report file with more information is saved as hs_err_pid19298.log
+#
+# If you would like to submit a bug report, please visit:
+# http://java.sun.com/webapps/bugreport/crash.jsp
+#
+/home/dxp/bin/prism: line 50: 19298 Aborted "$PRISM_JAVA" #$PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
+
+
[$[Get Code]]
+
+ +

or like this: +

+
+
#
+# An unexpected error has been detected by HotSpot Virtual Machine:
+#
+# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0b1c7da3, pid=2884, tid=2544
+#
+# Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode)
+# Problematic frame:
+# C [dd.dll+0x7da3]
+#
+...
+
+
[$[Get Code]]
+
+ +

then PRISM ran out of memory whilst trying to construct the model. +Model construction in PRISM is performed using BDDs (binary decision diagrams) and MTBDDs (multi-terminal) BDDs which are implemented in the CUDD library. +The first thing to try in this case is to increase the amount of memory available to CUDD. See the entry "CUDD memory" in the section "Configuring PRISM - Other Options" for details of this. +

+

If increasing this memory limit does not resolve the problem, then you will need to consider ways to reduce the size of your model. You can find some tips on this in the PRISM Modelling section. Bear in mind also that if you are having to increase the CUDD memory limit too high (e.g. close to the physical memory available on your computer) just for model construction, then it is unlikely that you will have enough memory for subsequent model checking operations. +

+

Finally, it is also worth considering the ordering of the modules and variables in your model since this can have a (in some cases dramatic) effect on the size of MTBDD representation of the model. This topic is covered in the "PRISM Modelling" section of this FAQ. +

+

+

I ran out of memory during model checking. What can I do?

+
+

If model construction was successfully completed (see previous question) but model checking was not, there are several things you can try. First of all, if the error message you see looks like the one in the previous question or you see a message such as +

+
+
DD_MatrixMultiply: res is NULL
+
+
[$[Get Code]]
+
+ +

then it may be worth increasing the memory limit for CUDD (as described above). However, if you see an error more like this: +

+
+
/home/dxp/bin/prism: line 50: 3139 Aborted "$PRISM_JAVA" $PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
+
+
[$[Get Code]]
+
+ +

then increasing the memory CUDD probably will not help - PRISM is just trying to allocate more memory than is physically available on your system. +

+

Here are some general tips: +

+
  • Try experimenting with using the different engines in PRISM. Read the section "Configuring PRISM - Computation Engines" for details. +
  • Look at the detailed output of PRISM for information about memory usage. If you are using the hybrid (or sparse) engine and the limiting factor in terms of memory is creation of the vectors, then you have no choice but to try and reduce the size (number of states) of your model. If you are using the MTBDD engine, it is also well worth considering the variable ordering of your model. Both topics are discussed in the "PRISM Modelling" section of this FAQ. +
  • Finally, if you can find no way to reduce the size of your model and are happy to consider an approximate (rather than exact) analysis, you may wish to try using PRISM's discrete-event simulation engine for analysis. +
+

+

I ran out of memory during model parsing. What can I do?

+
+

This is a less common problem and will only occur if the actual PRISM language description of your model is very large. This may be the case, for example, if you are automatically generating PRISM models in some way. Errors due to lack of memory during parsing usually look like: +

+
+
Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
+
+
[$[Get Code]]
+
+ +

or: +

+
+
Exception in thread "main" java.lang.StackOverflowError
+
+
[$[Get Code]]
+
+ +

You can resolve this problem by increasing the memory allocated to Java. +See the entry "Java memory" in the section "Configuring PRISM - Other Options" for details of this. +

+
+ + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMModelling.html b/manual/FrequentlyAskedQuestions/PRISMModelling.html index 92f4e5ed12..0547a71497 100644 --- a/manual/FrequentlyAskedQuestions/PRISMModelling.html +++ b/manual/FrequentlyAskedQuestions/PRISMModelling.html @@ -1,22 +1,25 @@ + + -PRISM Manual | FrequentlyAskedQuestions / PRISMModelling +PRISM Manual | Frequently Asked Questions / PRISM Modelling - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -163,7 +297,7 @@

In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k.

-
+

There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000.

@@ -171,6 +305,12 @@ @@ -179,6 +319,13 @@
+ +
@@ -186,7 +333,7 @@

PRISM Manual

-

Frequently Asked Questions +

Frequently Asked Questions

+ + diff --git a/manual/FrequentlyAskedQuestions/PRISMModelling@action=edit.html b/manual/FrequentlyAskedQuestions/PRISMModelling@action=edit.html new file mode 100644 index 0000000000..2f4b3262b7 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMModelling@action=edit.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / PRISM Modelling | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

PRISM Modelling

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMModelling@action=login.html b/manual/FrequentlyAskedQuestions/PRISMModelling@action=login.html new file mode 100644 index 0000000000..09f5607853 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMModelling@action=login.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / PRISM Modelling | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

PRISM Modelling

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMModelling@action=print.html b/manual/FrequentlyAskedQuestions/PRISMModelling@action=print.html new file mode 100644 index 0000000000..9a868bf849 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMModelling@action=print.html @@ -0,0 +1,177 @@ + + + + + + +PRISM Manual | FrequentlyAskedQuestions / PRISMModelling + + + + + + + + + + + + + + + + + + +

Frequently Asked Questions / +

PRISM Modelling

+ + +
+

+

What size models can PRISM handle?

+
+

There is no definitive answer to this. Because of PRISM's symbolic implementation, using data structures based on binary decision diagrams (BDDs), its performance can be unpredictable in this respect. There are also several factors that affect performance, including the type of model and property being checked and the engine being used (PRISM has several different engines, which have varying performance). +

+

Having said that, using the default engine in PRISM (the “hybrid” engine), you can normally expect to be able to handle models with up to 10^7-10^8 states on a typical PC. Using the MTBDD engine, you may be able to analyse much larger models (on some of the PRISM case studies, for example, PRISM can do numerical analysis of models with as many as 10^10 or 10^11 states). The manual has more information about PRISM's engines. +

+

+

How can I reduce the size of my model?

+
+

The size of a probabilistic model (i.e. the number of states/transitions) is critical to the efficiency of performing probabilistic model checking on it, since both the time and memory required to do so are often proportional to the model size. Unfortunately, it is very easy to create models that are extremely large. Below are a few general tips for reducing model size. +

+
  • Look for variables that have unnecessarily large ranges and try to reduce them. Even if your model needs large variables, it is generally a good strategy to first get a smaller version building successfully and then scale it up afterwards. +
  • Similarly, can you (if only temporarily) reduce the number of modules/components of your model? Start with the smallest number of components possible and then add others one by one. +
  • Do you have any inter-dependencies between variables? For example, perhaps you have some variables which are simply functions of other variables of the model. Even if these are convenient for model checking, they can be replaced with formulas or labels, which do not contribute to the state space. +
  • Do any variables include more detail than is necessary for the model? Perhaps this can be exploited in order to reduce the number of variables in your model. +
  • More generally, are any aspects of the model not relevant to the properties that you are interested in? If so, start with a simpler, more abstract version of the model and then add more details if possible. +
+

+

How can I choose a good variable ordering?

+
+

Because PRISM is a symbolic model checker, the amount of memory required to store the probabilistic model can vary (sometime unpredictably) according to several factors. One example is the order in which the variables of your model appear in the model file. In general, there is no definitive answer to what the best ordering is but the following heuristics are a good guide. +

+
  • Variables which are closely related should appear close together +
  • Variables which are related to most or all other variables should appear near the start of the ordering +

Variables x and y are "related" if, for example, the value of one is has an effect on how the other changes (e.g. (y'=x+1)) or if both appear together in an expression (e.g. a guard). +

+

These heuristics also apply to the ordering of modules within the model file. +

+

For technical details about variable ordering issues, see e.g. section 8 of [HKN+03] or section 4.1.2 of [Par02]. +

+

+

How can I add deterministic time delays to a CTMC model?

+
+

All delays in a CTMC need to be modelled as exponential distributions. This is what makes them efficient to analyse. If you included a transition whose delay was deterministic, i.e. which always occurred after exactly the same delay, the model would no longer be a CTMC. +

+

One solution to this, if your model require such a delay, is to approximate a deterministic delay with an Erlang distribution (a special case of a phase-type distribution). See for example this PRISM model: +

+
+
+
ctmc
+
+const int k;
+const double mean = 10;
+
+module trigger
+
+ i : [1..k+1];
+
+ []   i < k -> k/mean : (i'=i+1);
+ [go] i = k -> k/mean : (i'=i+1);
+
+endmodule
+
+module main
+
+ x : [0..1];
+
+ [go] x=0 -> (x'=1);
+
+endmodule
+
+
[$[Get Code]]
+
+ +

In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k. +

+
+

There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000. +

+
+ + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMProperties.html b/manual/FrequentlyAskedQuestions/PRISMProperties.html index 79b4715611..4589b10888 100644 --- a/manual/FrequentlyAskedQuestions/PRISMProperties.html +++ b/manual/FrequentlyAskedQuestions/PRISMProperties.html @@ -1,22 +1,25 @@ + + -PRISM Manual | FrequentlyAskedQuestions / PRISMProperties +PRISM Manual | Frequently Asked Questions / PRISM Properties - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -222,6 +356,12 @@ @@ -230,6 +370,13 @@
+ +
@@ -237,7 +384,7 @@

PRISM Manual

-

Frequently Asked Questions +

Frequently Asked Questions

+ + diff --git a/manual/FrequentlyAskedQuestions/PRISMProperties@action=edit.html b/manual/FrequentlyAskedQuestions/PRISMProperties@action=edit.html new file mode 100644 index 0000000000..f217d7b2b4 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMProperties@action=edit.html @@ -0,0 +1,267 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / PRISM Properties | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

PRISM Properties

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMProperties@action=login.html b/manual/FrequentlyAskedQuestions/PRISMProperties@action=login.html new file mode 100644 index 0000000000..c7bd1a7d05 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMProperties@action=login.html @@ -0,0 +1,265 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / PRISM Properties | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions / +

PRISM Properties

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/FrequentlyAskedQuestions/PRISMProperties@action=print.html b/manual/FrequentlyAskedQuestions/PRISMProperties@action=print.html new file mode 100644 index 0000000000..405b9281e4 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/PRISMProperties@action=print.html @@ -0,0 +1,228 @@ + + + + + + +PRISM Manual | FrequentlyAskedQuestions / PRISMProperties + + + + + + + + + + + + + + + + + + +

Frequently Asked Questions / +

PRISM Properties

+ + +
+

+

Why is my expected reward infinite?

+
+

This mostly commonly occurs when you are computing the expected reward that is accumulated up until some target set of states is reached ("reachability reward" properties). For example: +

+
+
+
R=? [ F "end" ]
+
+
[$[Get Code]]
+
+ +

As mentioned earlier, this kind of property returns infinity if "end" is not eventually reached with probability 1. This is a choice that we made when designing the property specification language. Often, it is reasonable to assume that, if a path continues indefinitely without reaching a goal state, then reward will continue to be accumulated infinitely often (this would usually be true when modelling time as a reward structure, for instance). If there is a non-zero probability of not reaching the target (i.e. the probability of reaching it is less than 1), we would then expect the overall expected reward to be infinite. +

+

You can check whether the probability of reaching the target is 1 with a property like: +

+
+
+
P=? [ F "end" ]
+
+
[$[Get Code]]
+
+ +

A similar situation arises with models that contain nondeterminism, such as MDPs. The maximum expected reward to reach a target is finite if and only if the minimum probability of reaching the target is 1. Conversely, the minimum expected reward is finite if and only if the maximum probability is 1. +

+
+

+

How do I check if a property is true in multiple (or all) states?

+
+

Consider a typical boolean-valued PRISM property, such as: +

+
+
+
P<0.01 [ F "error" ]
+
+
[$[Get Code]]
+
+ +

i.e. "the probability of reaching a state labelled with "error" is less than 0.01. By default, when model checking this query, PRISM will report the result of this property for the initial state of the model, i.e. whether, starting from the initial state, the probability of reaching "error" is below 0.01. +(This is in contrast to older versions of PRISM, which used to report whether the property was true for all states.) +

+

To check whether the above property is true for, say, all (reachable) states satisfying the label "safe", you should use filters, as +illustrated below: +

+
+
+
filter(forall, P<0.01 [ F "error" ], "safe")
+
+
[$[Get Code]]
+
+ +

If you want to check whether the property is true for all reachable states, you can use either of the following two (equivalent) properties: +

+
+
+
filter(forall, P<0.01 [ F "error" ], true)
+filter(forall, P<0.01 [ F "error" ])
+
+
[$[Get Code]]
+
+ +

In older versions of PRISM, checking that a property was true in a particular set of states was done using implication (=>). If you wish, you can still use a similar form of property to achieve this, as shown by the following example: +

+
+
filter(forall, "safe" => P<0.01 [ F "error" ])
+
+
[$[Get Code]]
+
+ +
+

+

How do I compute the probability of an action occurring?

+
+

PRISM's property specification language is primarily state-based, e.g. you can compute the probability of reaching a state that satisfies the label "error": +

+
+
+
P=? [ F "error" ]
+
+
[$[Get Code]]
+
+ +

So how do you compute the probability of a some action b occurring? You need to make a small change to your model. The cleanest way to do this is to add a small module that changes state when the action occurs, e.g.: +

+
+
+
module checker
+
+    q : [0..1] init 0;
+
+    [b] q=0 -> (q'=1);
+    [b] q=1 -> (q'=1);
+
+endmodule
+
+
[$[Get Code]]
+
+ +

You can determine the probability of action b occurring in the model with the property: +

+
+
+
P=? [ F q=1 ]
+
+
[$[Get Code]]
+
+ +

By design, the module above will not affect the behaviour (timing, probability, etc.) of your model at all, so all other properties will remain unchanged. This is true for any of the model types that PRISM supports. It may, though, lead to a (hopefully small) increase in total model size. +

+

You can also modify the property above to compute, for example, the probability of b occurring within T time-units or the expected time until b occurs: +

+
+
+
P=? [ F<=T q=1 ]
+R{"time"}=? [ F q=1 ]
+
+
[$[Get Code]]
+
+ +

(where a constant T or reward structure time have been added to the model, as appropriate). +

+
+ + + + diff --git a/manual/FrequentlyAskedQuestions/index.html b/manual/FrequentlyAskedQuestions/index.html new file mode 100644 index 0000000000..72f153e265 --- /dev/null +++ b/manual/FrequentlyAskedQuestions/index.html @@ -0,0 +1,279 @@ + + + + + + + + +PRISM Manual | Frequently Asked Questions / Main + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Frequently Asked Questions

+ +
+ + + + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM.html b/manual/InstallingPRISM.html new file mode 100644 index 0000000000..448e9f9660 --- /dev/null +++ b/manual/InstallingPRISM.html @@ -0,0 +1,458 @@ + + + + + + + + +PRISM Manual | Installing PRISM / Instructions + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

Instructions

+ +
+ +
+

Prerequisites

+

PRISM is known to run on Linux, Windows and Mac OS X, both 64-bit and 32-bit versions. +

+

You will need Java, version 9 or above +(get it, for example from Oracle +or AdoptOpenJDK). +To run binary versions of PRISM, you only need the Java Runtime Environment (JRE), not the full Java Development Kit (JDK). +

+

To compile PRISM from source, you need the Java Development Kit (JDK), GNU make and a C/C++ compiler (e.g. gcc/g++). For compilation under Windows, you will need Cygwin. See below for more information: +

+

If you are installing on a completely fresh operating system installation (e.g. in a virtual machine), you may find the following scripts useful, +which install the required dependencies and PRISM itself. They can be found in the prism/etc/scripts directory: +

+
+

+ +

Installation on Windows

+

To install PRISM on Windows, just run the self-extracting installer which you downloaded. You do not need administrator privileges for this, just write-access to the directory chosen for installation. +

+

If requested, the installer will place shortcuts to run PRISM on the desktop and/or start menu. If not, you can run by PRISM double-clicking the file xprism.bat (which may just appear as xprism) in the bin folder of your PRISM folder. If nothing happens, the most likely explanation is that Java is not installed or not in your path. To check, open a command prompt window, navigate to the PRISM directory, type cd bin, then xprism.bat and examine the resulting error. If you want to create shortcuts to xprism.bat manually, you will find some PRISM icons in the etc folder. +

+

If you wish to use the command-line version of PRISM on Windows, open a command prompt window and type for example: +

+
+
+
cd "c:\Program Files\prism-4.5-win\bin"
+prism ..\prism-examples\simple\dice\dice.pm
+
+
[$[Get Code]]
+
+ +

You can also edit the file bin\prism.bat to allow it to be run from any location. See the instructions within the file for further details. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Installation of Linux/Mac binary versions

+

To ensure compatibility, we recommend that you compile PRISM from source on non-Windows platforms. See below for instructions. However, we do provide pre-compiled binary distributions for Linux and Mac OS X. +

+

To install a binary distribution, unpack the tarred/zipped PRISM distribution into a suitable location, enter the directory and run the install.sh script, e.g.: +

+
+
+
gunzip prism-4.5-linux64.tar.gz
+tar xf prism-4.5-linux64.tar
+cd prism-4.5-linux64
+./install.sh
+
+
[$[Get Code]]
+
+ +

You do not need to be root to install PRISM. The install script simply makes some small customisations to the scripts used to launch PRISM. The PRISM distribution is self-contained and can be freely moved/renamed, however if you do so you will need to re-run ./install.sh afterwards. +

+

To run PRISM, execute either the xprism or prism script (for the graphical user interface or command-line version, respectively). These can be found in the bin directory. These scripts are designed to be run from anywhere and you can easily create symbolic links or aliases to them. If you want icons to create desktop shortcuts to PRISM, you can find some in the etc directory. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source (non-Windows)

+

To compile PRISM form source code, you will need: +

+
  • GNU make (sometimes called gmake) +
  • a C/C++ compiler (e.g. gcc/g++) +
  • a Java Development Kit, version 8 or above +

To check that you have the development kit, type javac. If you get an error message that javac cannot be found, you probably do not have the JDK installed (or your path is not set up correctly). To check what version you have, type javac -version. +

+

Hopefully, you can build PRISM simply by entering the PRISM directory and running make, e.g.: +

+
+
+
gunzip prism-4.5-src.tar.gz
+tar xf prism-4.5-src.tar
+cd prism-4.5-src/prism
+make
+
+
[$[Get Code]]
+
+ +

For this process to complete correctly, PRISM needs to be able to determine both the operating system you are using and the location of your Java distribution. If there is a problem with either of these, you will see an error message and will need to specify one or both of these manually, such as in these examples: +

+
+
+

+make OSTYPE=linux
+make JAVA_DIR=/usr/java/jdk1.8.0
+make OSTYPE=cygwin JAVA_DIR="/cygdrive/c/Program Files/Java/jdk1.8.0"
+
+
[$[Get Code]]
+
+ +

Note the use of double quotes for the case where the directory contains a space. If you don't know the location of your Java installation, try typing which javac. If the result is e.g. /usr/java/jdk1.8.0/bin/javac then your Java directory is /usr/java/jdk1.8.0. Sometimes javac will be a symbolic link, in which case use "ls -l" to determine the actual location. +

+

It is also possible to to set the environment variables OSTYPE and JAVA_DIR directly or edit their values in the Makefile directly. Note that even when you specify JAVA_DIR explicitly (in either way), PRISM still uses the versions of javac (and javah) that are in your path so make sure this is set up correctly. +

+

64-bit OSs +

+

PRISM should also detect when it is running on a 64-bit architecture, and building will work as above. If this does not work for some reason, you can override detection by setting ARCH to either amd64 (for AMD/Intel 64) or ia64 (for Itanium). For example: +

+
+
+

+make ARCH=amd64
+
+
[$[Get Code]]
+
+ +

If you have problems building a 64-bit version of PRISM, one option is to instead compile and run a 32-bit version of PRISM. To do this, you need to: +

+
  1. Make sure you are using a 32-bit version of Java +
  2. Override detection of the 64-bit architecture when building: +
+
+

+make clean_all
+make ARCH=
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using Cygwin

+

The compilation of PRISM currently relies on a Unix-like environment. On Windows, this can be achieved using the Cygwin development environment (or alternatively using MSYS - see below). Once Cygwin is installed, first ensure you have the following installed: +

  • make +
  • mingw64-i686-gcc-g++ (or mingw64-x86_64-gcc-g++ for 64-bit Windows) +
  • binutils +
  • dos2unix +

Then proceed as described in the previous section. Note that the PRISM compilation process uses the MinGW libraries so that the final result is independent of Cygwin at run-time. +

+

One thing to note: make sure you unzip the PRISM distribution from within Cygwin (e.g. using tar xfz prism-XXX-src.tar.gz). Don't use a Windows program (Winzip, etc.) since this can cause problems. +

+

If you use git to checkout the PRISM repository, we recommend that you use the version of git provided by Cygwin. +If you use a native Windows version of git, you may want to disable the Unix-to-Windows line-ending conversion, e.g., via +

+
  • git config --global core.autocrlf false +

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using MSYS

+

Compiling from source in MSYS is less obvious as this environment is currently not directly supported in the makefile. Additionally, MSYS does not handle symlinks in the same way as cygwin does. The first problem is fixed by providing a OSTYPE variable to the makefile, whereas the second problem currently has to be solved manually. +

+
+
+

+make OSTYPE=cygwin
+
+
[$[Get Code]]
+
+ +

At some point it will fail, saying that it cannot find the CUDD library, this is due to the failing symlinks. You can solve this as follows: +

+
+
+

+cd cudd/
+rmdir lib/
+./setup.sh
+cd ..
+make OSTYPE=cygwin
+./install.sh
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/AllOnOnePage.html b/manual/InstallingPRISM/AllOnOnePage.html index c107cd1a7a..369599f1e4 100644 --- a/manual/InstallingPRISM/AllOnOnePage.html +++ b/manual/InstallingPRISM/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | InstallingPRISM / AllOnOnePage +PRISM Manual | Installing PRISM / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -444,6 +578,12 @@

Common Problems And Questions

@@ -452,6 +592,13 @@

Common Problems And Questions

+ +
@@ -469,5 +616,8 @@

PRISM Manual

+ + diff --git a/manual/InstallingPRISM/AllOnOnePage@action=edit.html b/manual/InstallingPRISM/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..0de40a780b --- /dev/null +++ b/manual/InstallingPRISM/AllOnOnePage@action=edit.html @@ -0,0 +1,266 @@ + + + + + + + + +PRISM Manual | Installing PRISM / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/AllOnOnePage@action=login.html b/manual/InstallingPRISM/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..e10764ac92 --- /dev/null +++ b/manual/InstallingPRISM/AllOnOnePage@action=login.html @@ -0,0 +1,264 @@ + + + + + + + + +PRISM Manual | Installing PRISM / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

All On One Page

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/AllOnOnePage@action=print.html b/manual/InstallingPRISM/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..c95ec0d49d --- /dev/null +++ b/manual/InstallingPRISM/AllOnOnePage@action=print.html @@ -0,0 +1,452 @@ + + + + + + +PRISM Manual | InstallingPRISM / AllOnOnePage + + + + + + + + + + + + + + + + + + +
+

Installing PRISM

+
+

Instructions

+

Prerequisites

+

PRISM is known to run on Linux, Windows and Mac OS X, both 64-bit and 32-bit versions. +

+

You will need Java, version 9 or above +(get it, for example from Oracle +or AdoptOpenJDK). +To run binary versions of PRISM, you only need the Java Runtime Environment (JRE), not the full Java Development Kit (JDK). +

+

To compile PRISM from source, you need the Java Development Kit (JDK), GNU make and a C/C++ compiler (e.g. gcc/g++). For compilation under Windows, you will need Cygwin. See below for more information: +

+

If you are installing on a completely fresh operating system installation (e.g. in a virtual machine), you may find the following scripts useful, +which install the required dependencies and PRISM itself. They can be found in the prism/etc/scripts directory: +

+
+

+ +

Installation on Windows

+

To install PRISM on Windows, just run the self-extracting installer which you downloaded. You do not need administrator privileges for this, just write-access to the directory chosen for installation. +

+

If requested, the installer will place shortcuts to run PRISM on the desktop and/or start menu. If not, you can run by PRISM double-clicking the file xprism.bat (which may just appear as xprism) in the bin folder of your PRISM folder. If nothing happens, the most likely explanation is that Java is not installed or not in your path. To check, open a command prompt window, navigate to the PRISM directory, type cd bin, then xprism.bat and examine the resulting error. If you want to create shortcuts to xprism.bat manually, you will find some PRISM icons in the etc folder. +

+

If you wish to use the command-line version of PRISM on Windows, open a command prompt window and type for example: +

+
+
+
cd "c:\Program Files\prism-4.5-win\bin"
+prism ..\prism-examples\simple\dice\dice.pm
+
+
[$[Get Code]]
+
+ +

You can also edit the file bin\prism.bat to allow it to be run from any location. See the instructions within the file for further details. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Installation of Linux/Mac binary versions

+

To ensure compatibility, we recommend that you compile PRISM from source on non-Windows platforms. See below for instructions. However, we do provide pre-compiled binary distributions for Linux and Mac OS X. +

+

To install a binary distribution, unpack the tarred/zipped PRISM distribution into a suitable location, enter the directory and run the install.sh script, e.g.: +

+
+
+
gunzip prism-4.5-linux64.tar.gz
+tar xf prism-4.5-linux64.tar
+cd prism-4.5-linux64
+./install.sh
+
+
[$[Get Code]]
+
+ +

You do not need to be root to install PRISM. The install script simply makes some small customisations to the scripts used to launch PRISM. The PRISM distribution is self-contained and can be freely moved/renamed, however if you do so you will need to re-run ./install.sh afterwards. +

+

To run PRISM, execute either the xprism or prism script (for the graphical user interface or command-line version, respectively). These can be found in the bin directory. These scripts are designed to be run from anywhere and you can easily create symbolic links or aliases to them. If you want icons to create desktop shortcuts to PRISM, you can find some in the etc directory. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source (non-Windows)

+

To compile PRISM form source code, you will need: +

+

To check that you have the development kit, type javac. If you get an error message that javac cannot be found, you probably do not have the JDK installed (or your path is not set up correctly). To check what version you have, type javac -version. +

+

Hopefully, you can build PRISM simply by entering the PRISM directory and running make, e.g.: +

+
+
+
gunzip prism-4.5-src.tar.gz
+tar xf prism-4.5-src.tar
+cd prism-4.5-src/prism
+make
+
+
[$[Get Code]]
+
+ +

For this process to complete correctly, PRISM needs to be able to determine both the operating system you are using and the location of your Java distribution. If there is a problem with either of these, you will see an error message and will need to specify one or both of these manually, such as in these examples: +

+
+
+

+make OSTYPE=linux
+make JAVA_DIR=/usr/java/jdk1.8.0
+make OSTYPE=cygwin JAVA_DIR="/cygdrive/c/Program Files/Java/jdk1.8.0"
+
+
[$[Get Code]]
+
+ +

Note the use of double quotes for the case where the directory contains a space. If you don't know the location of your Java installation, try typing which javac. If the result is e.g. /usr/java/jdk1.8.0/bin/javac then your Java directory is /usr/java/jdk1.8.0. Sometimes javac will be a symbolic link, in which case use "ls -l" to determine the actual location. +

+

It is also possible to to set the environment variables OSTYPE and JAVA_DIR directly or edit their values in the Makefile directly. Note that even when you specify JAVA_DIR explicitly (in either way), PRISM still uses the versions of javac (and javah) that are in your path so make sure this is set up correctly. +

+

64-bit OSs +

+

PRISM should also detect when it is running on a 64-bit architecture, and building will work as above. If this does not work for some reason, you can override detection by setting ARCH to either amd64 (for AMD/Intel 64) or ia64 (for Itanium). For example: +

+
+
+

+make ARCH=amd64
+
+
[$[Get Code]]
+
+ +

If you have problems building a 64-bit version of PRISM, one option is to instead compile and run a 32-bit version of PRISM. To do this, you need to: +

+
  1. Make sure you are using a 32-bit version of Java +
  2. Override detection of the 64-bit architecture when building: +
+
+

+make clean_all
+make ARCH=
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using Cygwin

+

The compilation of PRISM currently relies on a Unix-like environment. On Windows, this can be achieved using the Cygwin development environment (or alternatively using MSYS - see below). Once Cygwin is installed, first ensure you have the following installed: +

Then proceed as described in the previous section. Note that the PRISM compilation process uses the MinGW libraries so that the final result is independent of Cygwin at run-time. +

+

One thing to note: make sure you unzip the PRISM distribution from within Cygwin (e.g. using tar xfz prism-XXX-src.tar.gz). Don't use a Windows program (Winzip, etc.) since this can cause problems. +

+

If you use git to checkout the PRISM repository, we recommend that you use the version of git provided by Cygwin. +If you use a native Windows version of git, you may want to disable the Unix-to-Windows line-ending conversion, e.g., via +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using MSYS

+

Compiling from source in MSYS is less obvious as this environment is currently not directly supported in the makefile. Additionally, MSYS does not handle symlinks in the same way as cygwin does. The first problem is fixed by providing a OSTYPE variable to the makefile, whereas the second problem currently has to be solved manually. +

+
+
+

+make OSTYPE=cygwin
+
+
[$[Get Code]]
+
+ +

At some point it will fail, saying that it cannot find the CUDD library, this is due to the failing symlinks. You can solve this as follows: +

+
+
+

+cd cudd/
+rmdir lib/
+./setup.sh
+cd ..
+make OSTYPE=cygwin
+./install.sh
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+

Common Problems And Questions

+

This section describes some of the most common problems and questions related to the installation and running of PRISM. These are grouped into the following categories: +

+
+

Running PRISM on Windows

+

When I try to run PRISM on Windows, I double-click the PRISM shortcut but nothing happens. +

+
+

The most common cause of this is that you either do not have Java installed or the java executable is not in your path. In any case, to determine the exact problem, launch a command shell and navigate to the bin directory inside the directory where you installed PRISM (you can use the "PRISM (console)" shortcut installed in the start menu to do this). Then, type xprism.bat and see what error message is displayed. +

+

When I try to run PRISM on Windows, I get an error of the form:
Can't load IA 32-bit .dll on a AMD 64-bit platform +

+
+

You are probably running a 32-bit Windows binary using a 64-bit version of Java. The version of PRISM (32- or 64-bit) needs to match Java. Either download the 64-bit binary for PRISM, or use a 32-bit version of Java. For the latter case, either make sure the right version of Java is first in your path or update the bin\xprism.bat (or bin\prism.bat) script, giving the full path to javaw at the end of the file. +

+
+

Running PRISM on non-Windows platforms

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.NoClassDefFoundError: ... +

+
+

Check: +

  • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
  • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +
+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: no prism in java.library.path +

+
+

Check: +

  • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
  • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +

Are you on a 64-bit machine? If so, make sure that you are running 64-bit versions of java and javac. (Look for "64-Bit Server VM" in the output of java -version). +

+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: ...
Library not loaded: ../../lib/libdd.dylib +

+
+

Are you running a new version of Mac OS X (notably El Capitan)? +This seems to have some problems. +A workaround is to change the path to the 'java' executable that runs PRISM. +You should find an installation of Java somewhere like this: +

+

/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk +

+

(obviously the precise name will depend on the version you have) +Try running PRISM with the java executable to be found there, e.g. by running: +

+

PRISM_JAVA=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/bin/java prism +

+

or by replacing the value of PRISM_JAVA directly in the prism script +directly. +

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file +

+
+

Your version of Java is too old. Update or install a newer version of Oracle Java and then try again. +

+

When I try to run a (Linux) binary version of PRISM, I get an error saying that libstdc++.so.5 cannot be found or libstdc++.so.6 cannot be found. +

+
+

This is usually due to a discrepancy between the version of Linux that was used to build the binary distribution and the version that you are using to run it. +

+

If the error message is about libstdc++.so.5, you will just need to install an old version of the libstdc++ library. This should be quite easy to find for most Linux distributions. On Fedora Core, for example, just type: yum install compat-libstdc++-33 as root. +

+

If the error message is about libstdc++.so.6, you are running an older version of Linux than the binary release was compiled for. The easiest solution is to compile PRISM yourself from the source code version instead. +

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.ExceptionInInitializerError
at java.lang.Class.initializeClass(libgcj.so.7)
at prism.PrismSettings.<init>(PrismSettings.java:297) +

+
+

You are not running the Oracle version of Java. You will need to install it. +

+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: libprism: ... cannot restore segment prot after reloc: Permission denied +

+
+

This is likely to be caused by the default settings of SELinux on newer versions of Linux. Open up the "Security Level Configuration" (on Fedora, for example, this is found under "Administration | Security Level and Firewall" under the main menu or by running system-config-securitylevel). Look in the "Compatibility" section of the SELinux Policy settings and make sure "Allow the use of shared libraries with Text Relocation" is ticked. You may need to reboot for changes to take effect. +

+

Do I have to use Oracle's version of Java to build/run PRISM? +

+
+

Currently, this seems to be the case. We will aim to address this in the future. +

+
+

Compiling PRISM

+

When I try to compile PRISM, make seems to get stuck in an infinite loop +

+
+

This is probably due to the detection of Java failing. Specify the location of your Java directory by hand, e.g. make JAVA_DIR=/usr/java/jdk1.6.0. See the Instructions page for more on this. +

+

When I try to compile PRISM, I get errors of the form:
/usr/bin/libtool: for architecture: cputype (16777234) cpusubtype (0) file: -lSystem is not an object file (not allowed in a library) +

+
+

Are you compiling PRISM on Max OS X? If so, the likely explanation is that you have upgraded to a new version of Mac OS X but have not upgraded the developer tools (eg. XCode). Upgrade and try again. +

+

When I try to compile PRISM, nothing seems to happen +

+
+

Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

+

When I try to compile PRISM, I get errors of the form:
Unexpected end of line seen...
or:
make: Fatal error in reader: Makefile, line 58: Unexpected end of line seen... +

+
+

Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

+

When I try to compile PRISM, I get an error of the form:
./setup.sh: line 33: syntax error: unexpected end of file +

+
+

Are you building on Cygwin? And did you unpack PRISM using WinZip? If so, unpack from Cygwin, using tar xfz (or similar) instead. +

+

When I try to compile PRISM, I get an error of the form:
Assembler messages: Fatal error: can't create ../../obj/dd/dd_abstr.o: No such file or directory +

+
+

Did you unpack PRISM using a graphical tool or file manager? If so, unpack using tar xfz (or similar) instead. +

+

When I try to compile PRISM, I get errors of the form:
dirname: extra operand `Files/Java/jdk1.6.0_09/bin/javac' Try `dirname --help' for more information. +

+
+

This error occurs if the path to your Java distribution contains a space (a common example is when it is somewhere in "Program Files" on Windows). Hopefully, this will be fixed soon. A workaround is to move the java installation to e.g. C:\java. +

+

When I try to compile PRISM, I get an error of the form:
/bin/sh: line 43: [: :/cygdrive/c/Program: binary operator expected... +

+
+

See answer to previous question. +

+

Do I have to use GNU make to build PRISM? +

+
+

Strictly speaking, no, but you will have to modify the various PRISM Makefiles manually to overcome this. +

+

Can I build PRISM on operating systems other than those currently supported? +

+
+

PRISM should be suitable for any Unix/Linux variant. +

+

The first thing you will need to do is compile CUDD (the BDD library used by and included in PRISM) on that platform. +Fortunately, CUDD has already been successfully built on a large number of +operating systems. Have a look at the sample Makefiles we provide (i.e. the +files cudd/Makefile.*) which are slight variants of the original Makefile +provided with CUDD (found here: cudd/modified/orig/Makefile). They contain +instructions on how to modify it for various platforms. You can then call +your new modified makefile something appropriate (cudd/Makefile.$OSTYPE) and +proceed to build PRISM as usual. To just build CUDD, not PRISM, type +make cuddpackage instead of make. +

+

Next, look at the main PRISM Makefile, in particular, each place where the +variable $OSTYPE is referred to. Most lines include comments and further +instructions. Once you have done this, proceed as usual. +

+

If you do successfully build PRISM on other platforms, please let us know +so we can include this information in future releases. Thanks. +

+
+

Other issues

+

How do I uninstall PRISM? +

+
+

If you installed PRISM on Windows using the self-extracting installer, you can uninstall it using the option on the start menu. If you didn't add these shortcuts, just run uninstall.exe from the directory where you installed PRISM. +

+

For older versions of PRISM on Windows or on any other platform, simply delete the directory containing it. +

+

The only thing that is not removed via either of these methods is the .prism file containing your PRISM settings which is in your home directory (see the section "Configuring PRISM"). You may wish to retain this when upgrading. +

+

I still have a problem installing/running PRISM. What can I do? +

+
+

Please post a message in the discussion group (see the support section of the PRISM website). +

+
+ + + + diff --git a/manual/InstallingPRISM/CommonProblemsAndQuestions.html b/manual/InstallingPRISM/CommonProblemsAndQuestions.html index 5880a9ec54..d63c862c8e 100644 --- a/manual/InstallingPRISM/CommonProblemsAndQuestions.html +++ b/manual/InstallingPRISM/CommonProblemsAndQuestions.html @@ -1,22 +1,25 @@ + + -PRISM Manual | InstallingPRISM / CommonProblemsAndQuestions +PRISM Manual | Installing PRISM / Common Problems And Questions - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -246,6 +380,12 @@ @@ -254,6 +394,13 @@
+ +
@@ -271,5 +418,8 @@

PRISM Manual

+ + diff --git a/manual/InstallingPRISM/CommonProblemsAndQuestions@action=edit.html b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=edit.html new file mode 100644 index 0000000000..cc0d0c3cff --- /dev/null +++ b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=edit.html @@ -0,0 +1,266 @@ + + + + + + + + +PRISM Manual | Installing PRISM / Common Problems And Questions | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

Common Problems And Questions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/CommonProblemsAndQuestions@action=login.html b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=login.html new file mode 100644 index 0000000000..8f93374eb5 --- /dev/null +++ b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=login.html @@ -0,0 +1,264 @@ + + + + + + + + +PRISM Manual | Installing PRISM / Common Problems And Questions | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

Common Problems And Questions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/CommonProblemsAndQuestions@action=print.html b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=print.html new file mode 100644 index 0000000000..e100c163db --- /dev/null +++ b/manual/InstallingPRISM/CommonProblemsAndQuestions@action=print.html @@ -0,0 +1,252 @@ + + + + + + +PRISM Manual | InstallingPRISM / CommonProblemsAndQuestions + + + + + + + + + + + + + + + + + + +

Installing PRISM / +

Common Problems And Questions

+ + +
+

This section describes some of the most common problems and questions related to the installation and running of PRISM. These are grouped into the following categories: +

+
+

Running PRISM on Windows

+

When I try to run PRISM on Windows, I double-click the PRISM shortcut but nothing happens. +

+
+

The most common cause of this is that you either do not have Java installed or the java executable is not in your path. In any case, to determine the exact problem, launch a command shell and navigate to the bin directory inside the directory where you installed PRISM (you can use the "PRISM (console)" shortcut installed in the start menu to do this). Then, type xprism.bat and see what error message is displayed. +

+

When I try to run PRISM on Windows, I get an error of the form:
Can't load IA 32-bit .dll on a AMD 64-bit platform +

+
+

You are probably running a 32-bit Windows binary using a 64-bit version of Java. The version of PRISM (32- or 64-bit) needs to match Java. Either download the 64-bit binary for PRISM, or use a 32-bit version of Java. For the latter case, either make sure the right version of Java is first in your path or update the bin\xprism.bat (or bin\prism.bat) script, giving the full path to javaw at the end of the file. +

+
+

Running PRISM on non-Windows platforms

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.NoClassDefFoundError: ... +

+
+

Check: +

  • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
  • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +
+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: no prism in java.library.path +

+
+

Check: +

  • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
  • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +

Are you on a 64-bit machine? If so, make sure that you are running 64-bit versions of java and javac. (Look for "64-Bit Server VM" in the output of java -version). +

+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: ...
Library not loaded: ../../lib/libdd.dylib +

+
+

Are you running a new version of Mac OS X (notably El Capitan)? +This seems to have some problems. +A workaround is to change the path to the 'java' executable that runs PRISM. +You should find an installation of Java somewhere like this: +

+

/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk +

+

(obviously the precise name will depend on the version you have) +Try running PRISM with the java executable to be found there, e.g. by running: +

+

PRISM_JAVA=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/bin/java prism +

+

or by replacing the value of PRISM_JAVA directly in the prism script +directly. +

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file +

+
+

Your version of Java is too old. Update or install a newer version of Oracle Java and then try again. +

+

When I try to run a (Linux) binary version of PRISM, I get an error saying that libstdc++.so.5 cannot be found or libstdc++.so.6 cannot be found. +

+
+

This is usually due to a discrepancy between the version of Linux that was used to build the binary distribution and the version that you are using to run it. +

+

If the error message is about libstdc++.so.5, you will just need to install an old version of the libstdc++ library. This should be quite easy to find for most Linux distributions. On Fedora Core, for example, just type: yum install compat-libstdc++-33 as root. +

+

If the error message is about libstdc++.so.6, you are running an older version of Linux than the binary release was compiled for. The easiest solution is to compile PRISM yourself from the source code version instead. +

+

When I try to run PRISM, I get an error of the form:
Exception in thread "main" java.lang.ExceptionInInitializerError
at java.lang.Class.initializeClass(libgcj.so.7)
at prism.PrismSettings.<init>(PrismSettings.java:297) +

+
+

You are not running the Oracle version of Java. You will need to install it. +

+

When I try to run PRISM, I get an error of the form:
java.lang.UnsatisfiedLinkError: libprism: ... cannot restore segment prot after reloc: Permission denied +

+
+

This is likely to be caused by the default settings of SELinux on newer versions of Linux. Open up the "Security Level Configuration" (on Fedora, for example, this is found under "Administration | Security Level and Firewall" under the main menu or by running system-config-securitylevel). Look in the "Compatibility" section of the SELinux Policy settings and make sure "Allow the use of shared libraries with Text Relocation" is ticked. You may need to reboot for changes to take effect. +

+

Do I have to use Oracle's version of Java to build/run PRISM? +

+
+

Currently, this seems to be the case. We will aim to address this in the future. +

+
+

Compiling PRISM

+

When I try to compile PRISM, make seems to get stuck in an infinite loop +

+
+

This is probably due to the detection of Java failing. Specify the location of your Java directory by hand, e.g. make JAVA_DIR=/usr/java/jdk1.6.0. See the Instructions page for more on this. +

+

When I try to compile PRISM, I get errors of the form:
/usr/bin/libtool: for architecture: cputype (16777234) cpusubtype (0) file: -lSystem is not an object file (not allowed in a library) +

+
+

Are you compiling PRISM on Max OS X? If so, the likely explanation is that you have upgraded to a new version of Mac OS X but have not upgraded the developer tools (eg. XCode). Upgrade and try again. +

+

When I try to compile PRISM, nothing seems to happen +

+
+

Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

+

When I try to compile PRISM, I get errors of the form:
Unexpected end of line seen...
or:
make: Fatal error in reader: Makefile, line 58: Unexpected end of line seen... +

+
+

Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

+

When I try to compile PRISM, I get an error of the form:
./setup.sh: line 33: syntax error: unexpected end of file +

+
+

Are you building on Cygwin? And did you unpack PRISM using WinZip? If so, unpack from Cygwin, using tar xfz (or similar) instead. +

+

When I try to compile PRISM, I get an error of the form:
Assembler messages: Fatal error: can't create ../../obj/dd/dd_abstr.o: No such file or directory +

+
+

Did you unpack PRISM using a graphical tool or file manager? If so, unpack using tar xfz (or similar) instead. +

+

When I try to compile PRISM, I get errors of the form:
dirname: extra operand `Files/Java/jdk1.6.0_09/bin/javac' Try `dirname --help' for more information. +

+
+

This error occurs if the path to your Java distribution contains a space (a common example is when it is somewhere in "Program Files" on Windows). Hopefully, this will be fixed soon. A workaround is to move the java installation to e.g. C:\java. +

+

When I try to compile PRISM, I get an error of the form:
/bin/sh: line 43: [: :/cygdrive/c/Program: binary operator expected... +

+
+

See answer to previous question. +

+

Do I have to use GNU make to build PRISM? +

+
+

Strictly speaking, no, but you will have to modify the various PRISM Makefiles manually to overcome this. +

+

Can I build PRISM on operating systems other than those currently supported? +

+
+

PRISM should be suitable for any Unix/Linux variant. +

+

The first thing you will need to do is compile CUDD (the BDD library used by and included in PRISM) on that platform. +Fortunately, CUDD has already been successfully built on a large number of +operating systems. Have a look at the sample Makefiles we provide (i.e. the +files cudd/Makefile.*) which are slight variants of the original Makefile +provided with CUDD (found here: cudd/modified/orig/Makefile). They contain +instructions on how to modify it for various platforms. You can then call +your new modified makefile something appropriate (cudd/Makefile.$OSTYPE) and +proceed to build PRISM as usual. To just build CUDD, not PRISM, type +make cuddpackage instead of make. +

+

Next, look at the main PRISM Makefile, in particular, each place where the +variable $OSTYPE is referred to. Most lines include comments and further +instructions. Once you have done this, proceed as usual. +

+

If you do successfully build PRISM on other platforms, please let us know +so we can include this information in future releases. Thanks. +

+
+

Other issues

+

How do I uninstall PRISM? +

+
+

If you installed PRISM on Windows using the self-extracting installer, you can uninstall it using the option on the start menu. If you didn't add these shortcuts, just run uninstall.exe from the directory where you installed PRISM. +

+

For older versions of PRISM on Windows or on any other platform, simply delete the directory containing it. +

+

The only thing that is not removed via either of these methods is the .prism file containing your PRISM settings which is in your home directory (see the section "Configuring PRISM"). You may wish to retain this when upgrading. +

+

I still have a problem installing/running PRISM. What can I do? +

+
+

Please post a message in the discussion group (see the support section of the PRISM website). +

+
+ + + + diff --git a/manual/InstallingPRISM/Instructions@action=edit.html b/manual/InstallingPRISM/Instructions@action=edit.html new file mode 100644 index 0000000000..fff368c12f --- /dev/null +++ b/manual/InstallingPRISM/Instructions@action=edit.html @@ -0,0 +1,266 @@ + + + + + + + + +PRISM Manual | Installing PRISM / Instructions | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

Instructions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/Instructions@action=login.html b/manual/InstallingPRISM/Instructions@action=login.html new file mode 100644 index 0000000000..1d8c1318ce --- /dev/null +++ b/manual/InstallingPRISM/Instructions@action=login.html @@ -0,0 +1,264 @@ + + + + + + + + +PRISM Manual | Installing PRISM / Instructions | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ +
+
+ +
+ + + + + + +
+

View - Edit - Print - Search +

+ +
+ + + +
+

Installing PRISM / +

Instructions

+ +
+ +
+

Password required +

+
+

Password: + +

+
+ + + + + + + + + +
+ + + +
+
+ +
+ +
+ + + + + diff --git a/manual/InstallingPRISM/Instructions@action=print.html b/manual/InstallingPRISM/Instructions@action=print.html new file mode 100644 index 0000000000..66325cd08f --- /dev/null +++ b/manual/InstallingPRISM/Instructions@action=print.html @@ -0,0 +1,285 @@ + + + + + + +PRISM Manual | InstallingPRISM / Instructions + + + + + + + + + + + + + + + + + + +

Installing PRISM / +

Instructions

+ + +
+

Prerequisites

+

PRISM is known to run on Linux, Windows and Mac OS X, both 64-bit and 32-bit versions. +

+

You will need Java, version 9 or above +(get it, for example from Oracle +or AdoptOpenJDK). +To run binary versions of PRISM, you only need the Java Runtime Environment (JRE), not the full Java Development Kit (JDK). +

+

To compile PRISM from source, you need the Java Development Kit (JDK), GNU make and a C/C++ compiler (e.g. gcc/g++). For compilation under Windows, you will need Cygwin. See below for more information: +

+

If you are installing on a completely fresh operating system installation (e.g. in a virtual machine), you may find the following scripts useful, +which install the required dependencies and PRISM itself. They can be found in the prism/etc/scripts directory: +

+
+

+ +

Installation on Windows

+

To install PRISM on Windows, just run the self-extracting installer which you downloaded. You do not need administrator privileges for this, just write-access to the directory chosen for installation. +

+

If requested, the installer will place shortcuts to run PRISM on the desktop and/or start menu. If not, you can run by PRISM double-clicking the file xprism.bat (which may just appear as xprism) in the bin folder of your PRISM folder. If nothing happens, the most likely explanation is that Java is not installed or not in your path. To check, open a command prompt window, navigate to the PRISM directory, type cd bin, then xprism.bat and examine the resulting error. If you want to create shortcuts to xprism.bat manually, you will find some PRISM icons in the etc folder. +

+

If you wish to use the command-line version of PRISM on Windows, open a command prompt window and type for example: +

+
+
+
cd "c:\Program Files\prism-4.5-win\bin"
+prism ..\prism-examples\simple\dice\dice.pm
+
+
[$[Get Code]]
+
+ +

You can also edit the file bin\prism.bat to allow it to be run from any location. See the instructions within the file for further details. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Installation of Linux/Mac binary versions

+

To ensure compatibility, we recommend that you compile PRISM from source on non-Windows platforms. See below for instructions. However, we do provide pre-compiled binary distributions for Linux and Mac OS X. +

+

To install a binary distribution, unpack the tarred/zipped PRISM distribution into a suitable location, enter the directory and run the install.sh script, e.g.: +

+
+
+
gunzip prism-4.5-linux64.tar.gz
+tar xf prism-4.5-linux64.tar
+cd prism-4.5-linux64
+./install.sh
+
+
[$[Get Code]]
+
+ +

You do not need to be root to install PRISM. The install script simply makes some small customisations to the scripts used to launch PRISM. The PRISM distribution is self-contained and can be freely moved/renamed, however if you do so you will need to re-run ./install.sh afterwards. +

+

To run PRISM, execute either the xprism or prism script (for the graphical user interface or command-line version, respectively). These can be found in the bin directory. These scripts are designed to be run from anywhere and you can easily create symbolic links or aliases to them. If you want icons to create desktop shortcuts to PRISM, you can find some in the etc directory. +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source (non-Windows)

+

To compile PRISM form source code, you will need: +

+

To check that you have the development kit, type javac. If you get an error message that javac cannot be found, you probably do not have the JDK installed (or your path is not set up correctly). To check what version you have, type javac -version. +

+

Hopefully, you can build PRISM simply by entering the PRISM directory and running make, e.g.: +

+
+
+
gunzip prism-4.5-src.tar.gz
+tar xf prism-4.5-src.tar
+cd prism-4.5-src/prism
+make
+
+
[$[Get Code]]
+
+ +

For this process to complete correctly, PRISM needs to be able to determine both the operating system you are using and the location of your Java distribution. If there is a problem with either of these, you will see an error message and will need to specify one or both of these manually, such as in these examples: +

+
+
+

+make OSTYPE=linux
+make JAVA_DIR=/usr/java/jdk1.8.0
+make OSTYPE=cygwin JAVA_DIR="/cygdrive/c/Program Files/Java/jdk1.8.0"
+
+
[$[Get Code]]
+
+ +

Note the use of double quotes for the case where the directory contains a space. If you don't know the location of your Java installation, try typing which javac. If the result is e.g. /usr/java/jdk1.8.0/bin/javac then your Java directory is /usr/java/jdk1.8.0. Sometimes javac will be a symbolic link, in which case use "ls -l" to determine the actual location. +

+

It is also possible to to set the environment variables OSTYPE and JAVA_DIR directly or edit their values in the Makefile directly. Note that even when you specify JAVA_DIR explicitly (in either way), PRISM still uses the versions of javac (and javah) that are in your path so make sure this is set up correctly. +

+

64-bit OSs +

+

PRISM should also detect when it is running on a 64-bit architecture, and building will work as above. If this does not work for some reason, you can override detection by setting ARCH to either amd64 (for AMD/Intel 64) or ia64 (for Itanium). For example: +

+
+
+

+make ARCH=amd64
+
+
[$[Get Code]]
+
+ +

If you have problems building a 64-bit version of PRISM, one option is to instead compile and run a 32-bit version of PRISM. To do this, you need to: +

+
  1. Make sure you are using a 32-bit version of Java +
  2. Override detection of the 64-bit architecture when building: +
+
+

+make clean_all
+make ARCH=
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using Cygwin

+

The compilation of PRISM currently relies on a Unix-like environment. On Windows, this can be achieved using the Cygwin development environment (or alternatively using MSYS - see below). Once Cygwin is installed, first ensure you have the following installed: +

Then proceed as described in the previous section. Note that the PRISM compilation process uses the MinGW libraries so that the final result is independent of Cygwin at run-time. +

+

One thing to note: make sure you unzip the PRISM distribution from within Cygwin (e.g. using tar xfz prism-XXX-src.tar.gz). Don't use a Windows program (Winzip, etc.) since this can cause problems. +

+

If you use git to checkout the PRISM repository, we recommend that you use the version of git provided by Cygwin. +If you use a native Windows version of git, you may want to disable the Unix-to-Windows line-ending conversion, e.g., via +

+

Problems? See the section "Common Problems And Questions''. +

+
+

+

Building PRISM from source on Windows using MSYS

+

Compiling from source in MSYS is less obvious as this environment is currently not directly supported in the makefile. Additionally, MSYS does not handle symlinks in the same way as cygwin does. The first problem is fixed by providing a OSTYPE variable to the makefile, whereas the second problem currently has to be solved manually. +

+
+
+

+make OSTYPE=cygwin
+
+
[$[Get Code]]
+
+ +

At some point it will fail, saying that it cannot find the CUDD library, this is due to the failing symlinks. You can solve this as follows: +

+
+
+

+cd cudd/
+rmdir lib/
+./setup.sh
+cd ..
+make OSTYPE=cygwin
+./install.sh
+
+
[$[Get Code]]
+
+ +

Problems? See the section "Common Problems And Questions''. +

+
+ + + + diff --git a/manual/InstallingPRISM/Main.html b/manual/InstallingPRISM/Main.html index abf16ff320..7876db5326 100644 --- a/manual/InstallingPRISM/Main.html +++ b/manual/InstallingPRISM/Main.html @@ -1,22 +1,25 @@ + + -PRISM Manual | InstallingPRISM / Instructions +PRISM Manual | Installing PRISM / Instructions - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
@@ -279,6 +413,12 @@

Prerequisites

@@ -287,6 +427,13 @@

Prerequisites

+ +
@@ -304,5 +451,8 @@

PRISM Manual

+ + diff --git a/manual/Main/AllOnOnePage.html b/manual/Main/AllOnOnePage.html index b5f5bb3497..fb7d94bd9b 100644 --- a/manual/Main/AllOnOnePage.html +++ b/manual/Main/AllOnOnePage.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
+
+
+
www.prismmodelchecker.org
+ + +
+ +
+
+ + +
+ +
+
+ + +
+

View - Edit - Print - Search +

+ +
-

PRISM Manual   version 4.7

+

PRISM Manual   version 4.8

Contents

@@ -206,6 +340,7 @@

Introduction

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • Property Specification

    @@ -217,6 +352,7 @@

    Introduction

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -230,7 +366,7 @@

    Introduction

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -1319,7 +1455,7 @@

    Formulas And Labels

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself.

    Labels

    -

    PRISM models can also contain labels. These are are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files.

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; secondly, they are written using quotation marks ("..."), as illustrated in the following example: @@ -1452,7 +1588,7 @@

    Real-time Models

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA:

    -
    +

    and here is a corresponding PRISM model:

    @@ -1477,7 +1613,7 @@

    Real-time Models

    [$[Get Code]]
    • -

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. These must be local to a particular module, not global. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs.

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0.

    @@ -1489,8 +1625,7 @@

    Real-time Models

    For the stochastic games and backwards reachability engines:

    -
    • Modules cannot read the local variables of other modules and global variables are not permitted. -
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +
      • The model must also have a single initial state (i.e. the init...endinit construct is not permitted).

      For the digital clocks engine:

      • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. @@ -1504,7 +1639,7 @@

        Partially Observable Models

        PRISM supports analysis of partially observable probabilistic models, most notably partially observable Markov decision processes (POMDPs), but also partially observable probabilistic timed automata (POPTAs). -POMDPs are a variant of MDPs in which the strategy/policy/adversary +POMDPs are a variant of MDPs in which the strategy/policy which resolves nondeterministic choices in the model is unable to see the precise state of the model, but instead just observations of it. For background material on POMDPs and POPTAs, see for example [NPZ17]. @@ -1556,6 +1691,29 @@

        Partially Observable Models

        so inherit the restrictions for that engine. Furthermore, for a POPTA, all clock variables must be observable.

        +

        Uncertain models

        +

        PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

        +

        Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

        +
        +
        +
        [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
        +
        +
        [$[Get Code]]
        +
        + +

        As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

        +
        +
        +
        [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
        +
        +
        [$[Get Code]]
        +
        + +

        See the property specification section for details of how these models are analysed. +

        Process Algebra Operators

        To make the concept of synchronisation described above more powerful, PRISM allows you to define precisely the way in which the set of modules are composed in parallel. @@ -1620,28 +1778,28 @@

        Introduction

        In each case, we give both the PRISM syntax and a natural language translation:

        -
        +
        P>=1 [ F "terminate" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the algorithm eventually terminates successfully with probability 1"

        -
        +
        "P<0.1 [ F<=100 num_errors > 5 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the probability that more than 5 errors occur within the first 100 time units is less than 0.1"

        -
        +
        S<0.01 [ num_sensors < min_sensors ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "in the long-run, the probability that an inadequate number of sensors are operational is less than 0.01" @@ -1653,28 +1811,28 @@

        Introduction

        In PRISM, we can also directly specify properties which evaluate to a numerical value, e.g.:

        -
        +
        P=? [ !proc2_terminate U proc1_terminate ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the probability that process 1 terminates before process 2 does"

        -
        +
        Pmax=? [ F<=T messages_lost > 10 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the maximum probability that more than 10 messages have been lost by time T" (for an MDP/PTA)

        -
        +
        S=? [ queue_size / max_size > 0.75 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the long-run probability that the queue is more than 75% full" @@ -1701,10 +1859,10 @@

        Identifying A Set Of States

        For example, in the property given above:

        -
        +
        P<0.1 [ F<=100 num_errors > 5 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        the expression num_errors > 5 is used to identify states of the model where more than 5 errors have occurred. @@ -1712,10 +1870,10 @@

        Identifying A Set Of States

        It is also common to use labels to identify states in this way, like "terminate" in the example:

        -
        +
        P>=1 [ F "terminate" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        Properties can refer to labels either from the model to which the property relates, or included in the same properties file. @@ -1726,10 +1884,10 @@

        The P Operator

        Informally, the property:

        -
        +
        P bound [ pathprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        is true in a state s of a model if @@ -1738,10 +1896,10 @@

        The P Operator

        A typical example of a bound would be:

        -
        +
        P>0.98 [ pathprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which means: "the probability that pathprop is satisfied by the paths from state s is greater than 0.98". More precisely, bound can be any of >=p, >p, <=p or <p, @@ -1768,10 +1926,10 @@

        The P Operator

        Hence, PRISM allows the P operator to take the following form:

        -
        +
        P=? [ pathprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        These properties return a numerical rather than a Boolean value. @@ -1780,11 +1938,11 @@

        The P Operator

        As mentioned above, for nondeterministic models (MDPs or PTAs), either minimum or maximum probability values can be computed. Therefore, in this case, we have two possible types of property:

        -
        +
        Pmin=? [ pathprop ]
        Pmax=? [ pathprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which return the minimum and maximum probabilities, respectively. @@ -1812,10 +1970,10 @@

        The P Operator

        An example of this type of property, used inside a P operator, is:

        -
        +
        P<0.01 [ X y=1 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state if "the probability of the expression y=1 being true in the next state is less than 0.01". @@ -1826,10 +1984,10 @@

        The P Operator

        A simple example of this would be:

        -
        +
        P>0.5 [ z<2 U z=2 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state if "the probability that z is eventually equal to 2, and that z remains less than 2 up until that point, is greater than 0.5". @@ -1838,10 +1996,10 @@

        The P Operator

        The property F prop is true for a path if prop eventually becomes true at some point along the path. The F operator is in fact a special case of the U operator (you will often see F prop written as true U prop). A simple example is:

        -
        +
        P<0.1 [ F z>2 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state if "the probability that z is eventually greater than 2is less than 0.1". @@ -1850,10 +2008,10 @@

        The P Operator

        Whereas the F operator is used for "reachability" properties, G represents "invariance". The property G prop is true of a path if prop remains true at all states along the path. Thus, for example:

        -
        +
        P>=0.99 [ G z<10 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        states that, with probability at least 0.99, z never exceeds 10. @@ -1864,10 +2022,10 @@

        The P Operator

        Weak until (a W b), which is equivalent to (a U b) | G a, requires that a remains true until b becomes true, but does not require that b ever does becomes true (i.e. a remains true forever). For example, a weak form of the until example used above is:

        -
        +
        P>0.5 [ z<2 U z=2 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which states that, with probability greater than 0.5, either z is always less than 2, or it is less than 2 until the point where z is 2. @@ -1883,28 +2041,28 @@

        The P Operator

        A typical example of this would be:

        -
        +
        P>=0.98 [ y<4 U<=7 y=4 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state if "the probability of y first exceeding 3 within 7 time units is greater than or equal to 0.98". Similarly:

        -
        +
        P>=0.98 [ F<=7 y=4 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        is true in a state if "the probability of y being equal to 4 within 7 time units is greater than or equal to 0.98" and:

        -
        +
        P>=0.98 [ G<=7 y=4 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        is true if the probability of y staying equal to 4 for 7 time units is at least 0.98. @@ -1914,20 +2072,20 @@

        The P Operator

        as in the following example:

        -
        +
        P>=0.98 [ G<=(2*k+1) y=4 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        You can also use lower time-bounds (i.e. >=t or >t) and time intervals [t1,t2], e.g.:

        -
        +
        P>=0.98 [ F>=10 y=4 ]
        P>=0.98 [ F[10,20] y=4 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which refer to the probability of y becoming equal to 4 after 10 or more time units, and after between 10 and 20 time-units respectively. @@ -1936,10 +2094,10 @@

        The P Operator

        For example:

        -
        +
        P>=0.25 [ y<=1 U<=6.5 y>1 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        means that the probability of y being greater than 1 within 6.5 time-units (and remaining less than or equal to 1 at all preceding time-points) is at least 0.25. @@ -1948,19 +2106,19 @@

        The P Operator

        We can also use the bounded F operator to refer to a single time instant, e.g.:

        -
        +
        P=? [ F[10,10] y=6 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        or, equivalently:

        -
        +
        P=? [ F=10 y=6 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        both of which give the probability of y being 6 at time instant 10. @@ -1970,28 +2128,28 @@

        The P Operator

        PRISM also supports probabilistic model checking of the temporal logic LTL (and, in fact, PCTL*). LTL provides a richer set of path properties for use with the P operator, by permitting temporal operators to be combined. Here are a few examples of properties expressible using this functionality:

        -
        +
        P>0.99 [ F ( "request" & (X "ack") ) ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "with probability greater than 0.99, a request is eventually received, followed immediately by an acknowledgement"

        -
        +
        P>=1 [ G F "send" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "a message is sent infinitely often with probability 1"

        -
        +
        P=? [ F G ("error" & !"repair") ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "the probability of an error occurring that is never repaired” @@ -1999,10 +2157,10 @@

        The P Operator

        Note that logical operators have precedence over temporal ones, so you will often need to include parentheses when using logical operators, e.g.:

        -
        +
        P=? [ (F "error1") & (F "error2") ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        For temporal operators, unary operators (such as F, G and X) have precedence over binary ones (such as U). Unary operators can be nested, without parentheses, but binary ones cannot. @@ -2010,21 +2168,21 @@

        The P Operator

        So, these are allowed:

        -
        +
        P=? [ F X X X "a" ]
        P=? [ "a" U X X X "error" ]
        P=? [ ("a" U "b") U "c" "error" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        but this is not:

        -
        +
        P=? [ "a" U "b" U "c" "error" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]
        @@ -2036,10 +2194,10 @@

        The S Operator

        Informally, the property:

        -
        +
        S bound [ prop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        is true in a state s of a DTMC or CTMC if @@ -2047,10 +2205,10 @@

        The S Operator

        A typical example of this type of property would be:

        -
        +
        S<0.05 [ queue_size / max_size > 0.75 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which means: "the long-run probability of the queue being more than 75% full is less than 0.05". @@ -2058,10 +2216,10 @@

        The S Operator

        Like the P operator, the S operator can be used in a quantitative form, which returns the actual probability value, e.g.:

        -
        +
        S=? [ queue_size / max_size > 0.75 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        and can be further customised with the use of filters. @@ -2073,20 +2231,20 @@

        Reward-based Properties

        P and S operators, and can be used either in a Boolean-valued query, e.g.:

        -
        +
        R bound [ rewardprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        where bound takes the form <r, <=r, >r or >=r for an expression r evaluating to a non-negative double, or a real-valued query, e.g.:

        -
        +
        R query [ rewardprop ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        where query is =?, min=? or max=?. @@ -2132,10 +2290,10 @@

        Reward-based Properties

        One can then state, for example:

        -
        +
        R<=9.5 [ F z=2 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state s if "the expected time taken to reach, from s, a state where z equals 2 is less than or equal to 9.5". @@ -2147,20 +2305,20 @@

        Reward-based Properties

        queries the expected reward accumulated until first goal equals 1 and then subsequently goal equals 2:

        -
        -
        R=? [ F (goal=1 & F goal2) ]
        +
        +
        R=? [ F (goal=1 & F goal=2) ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        and this property, for an MDP, minimises the expected reward until loc equals 1, having passed only through states where loc never equals 4

        -
        +
        Rmin=? [ loc!=4 U loc=1 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        As for reachability rewards, if the probability of satisfying the formula is less than 1, @@ -2189,10 +2347,10 @@

        Reward-based Properties

        then the property:

        -
        +
        R=? [ C<=15.5 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        would return, for a given state of the model, @@ -2210,10 +2368,10 @@

        Reward-based Properties

        Re-using the reward structure in the previous example,

        -
        +
        R=? [ C ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        returns "the expected total number of lost requests". @@ -2230,10 +2388,10 @@

        Reward-based Properties

        Then, the following property:

        -
        +
        R<4.4 [ I=100 ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        would be true in a state s of the model if @@ -2248,10 +2406,10 @@

        Reward-based Properties

        the rewards associated with the model correspond to power consumption, the property:

        -
        +
        R<=0.7 [ S ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        which is true in a state s if "starting from s, the long-run average power consumption is less than 0.7". @@ -2260,12 +2418,12 @@

        Reward-based Properties

        In the case where a PRISM model has multiple reward structures you may need to specify which reward structure your property refers to. This is done by placing the information in braces ({}) after the R operator. You can do so either using the name assigned to a reward structure (if any) or using the index (where 1 means the first rewards structure in the PRISM model file, 2 the second, etc.). Examples are:

        -
        +
        R{"num_failures"}=? [ C<=10.0 ]
        R{"time"}=? [ F step=final ]
        R{2}=? [ F step=final ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        Note that when using an index to specify the reward structure, you can actually put any expression that evaluates to an integer. This allows you to, for example, write a property of the form R{c}=?[...] where c is an undefined integer constant. You can then vary the value of c in an experiment and compute values for several different reward structures at once. @@ -2285,45 +2443,45 @@

        Multi-objective Properties

        For MDPs, PRISM supports multi-objective properties. Consider a property that uses the P operator. For example:

        -
        +
        P<0.01 [ F "error" ]
        -
        [$[Get Code]]
        +
        [$[Get Code]]
        -

        This states that, for all adversaries of the MDP, the probability of reaching an "error" state is less than 0.01. +

        This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01.

        -

        Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of an adversary. Secondly they refer to multiple properties of an adversary. For example: +

        Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example:

        -
        +
        multi(P<0.01 [ F "error1" ], P<0.02 [ F "error2" ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]
        -

        means: "does there exist an adversary of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

        means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?"

        -

        To use the terminology from [FKP12], the above is an "achievability" query (i.e. is this combination of objectives achievable by some adversary?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

        To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries.

        A "numerical" query looks like:

        -
        +
        multi(Pmin=? [ F "error1" ], P<0.02 [ F "error2" ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]
        -

        meaning "what is the minimum possible probability of reaching "error1", over all adversaries of the MDP for which the probability of reaching "error2" is less than 0.02?". +

        meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?".

        A "Pareto" queries leaves both of the objectives unbounded, e.g.:

        -
        +
        multi(Pmin=? [ F "error1" ], Pmin=? [ F "error2" ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        This asks PRISM to compute (approximately), the Pareto curve for this pair objectives. Intuitively, this is the set of pairs of probabilities (of reaching "error1"/"error2") such that reducing one probability any more would necessitate an increase in the other probability. @@ -2335,10 +2493,10 @@

        Multi-objective Properties

        LTL property. For example:

        -
        +
        multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9?". @@ -2346,10 +2504,10 @@

        Multi-objective Properties

        We can also use more than 2 objectives, e.g.:

        -
        +
        multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ], P>=0.95 [ G F "good3" ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9 and the probability of visiting "good3" states infinitely often remains at least 0.95?". @@ -2357,10 +2515,10 @@

        Multi-objective Properties

        Multi-objective queries can also refer to the expected total cumulative value of a reward structure. We write such properties in the form:

        -
        +
        multi(R{"time"}min=?[ C ], R{"energy"}<=1.45 [ C ])
        -
        [$[Get Code]]
        +
        [$[Get Code]]

        "What is the minimum expected cumulative value of reward structure "time", such that the expected cumulative value of reward structure "energy" is below 1.45. @@ -2374,10 +2532,10 @@

        Multi-objective Properties

      Finally, time-bounded variants of both probabilistic reachability and expected cumulative rewards objectives can be used. Here is an example that uses the latter:

      -
      +
      multi(R{"power"}min=? [ C<=k ], R{"queue"}<=r [ C<=k ])
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      Solution Methods

      @@ -2393,13 +2551,13 @@

      Real-time Models

      For the "stochastic games" engine, we essentially only allow unbounded or time-bounded probabilistic reachability properties, i.e. properties of the form:

      -
      +
      Pmin=? [ F target ]
      Pmax=? [ F target ]
      Pmin=? [ F<=T target ]
      Pmax=? [ F<=T target ]
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      where target is a Boolean-valued expression that does not include references to any clock variables and T is an integer-valued expression. The P operator cannot be nested and the S and R operators are not supported. @@ -2410,10 +2568,10 @@

      Real-time Models

      e.g. until (U) properties are allowed, as are clock variables in expressions and arithmetic expressions such as:

      -
      +
      1 - Pmin=? [ F target ]
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      This engine, like the "stochastic games" engine, does not allowed nested properties. Also, references to clocks must, like in the modelling language, not use strict comparisons @@ -2423,11 +2581,11 @@

      Real-time Models

      it is possible to check reachability reward properties of the form:

      -
      +
      Rmin=? [ F target ]
      Rmax=? [ F target ]
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      Reward structures specified in the model, though, must not depend on clock variables. @@ -2444,7 +2602,7 @@

      Partially Observable Models

      probabilistic until, or expected reachability rewards properties, i.e.:

      -
      +
      Pmin=? [ F target ]
      Pmax=? [ F target ]
      Pmin=? [ remain U target ]
      @@ -2452,7 +2610,7 @@

      Partially Observable Models

      Rmin=? [ F target ]
      Rmax=? [ F target ]
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      or bounded variants with a probability/threshold instead @@ -2474,19 +2632,58 @@

      Partially Observable Models

      (that strict or diagonal clock comparisons are not allowed). However for POPTAs, time-bounded probabilistic reachability is also supported.

      -

      Non-Probabilistic Properties

      -

      PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). -Properties in these logics use the A (for all) and E (there exists) operators, +

      Uncertain Models

      +

      For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

      +

      For example, instead of a property for a DTMC such as +

      +
      +
      +
      P=? [ F "goal" ]
      +
      +
      [$[Get Code]]
      +
      + +

      which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

      +
      +
      +
      Pmin=? [ F "goal" ]
      +Pmax=? [ F "goal" ]
      +
      +
      [$[Get Code]]
      +
      + +

      which compute the minimum or maximum possible probability that can arise. +

      +

      Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

      +
      +
      +
      Pmaxmin=? [ F "goal" ]
      +Pmaxmax=? [ F "goal" ]
      +
      +
      [$[Get Code]]
      +
      + +

      return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

      +
      • the P operator, for next and bounded/unbounded until/reachability properties +
      • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +
      +

      Non-Probabilistic Properties

      +

      PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). +Properties in these logics use the A (for all) and E (there exists) operators, instead of the probabilistic P operator used in many other properties supported by PRISM.

      Properties take the form:

      -
      +
      A [ pathprop ]
      E [ pathprop ]
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      which are true in a state s of a model if @@ -2499,7 +2696,7 @@

      Non-Probabilistic Properties

      Example properties include:

      -
      +
      E [ F "goal" ] // There exists a path that reaches a state satisfying "goal"

      A [ G x<=10 ] // Variable x is always at most 10 along all paths of the model
      @@ -2508,7 +2705,7 @@

      Non-Probabilistic Properties


      A [ (G F x=1) | (G F x=2) ] // Along all paths, either x=1 or x=2 is true infinitely often
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      Counterexamples and Witnesses

      @@ -2537,10 +2734,10 @@

      Syntax

    This allows you to write any property expressible in logics such as PCTL and CSL. For example, CSL allows you to nest P and S operators:

    -
    +
    P=? [ F>2 S>0.9[ num_servers >= 5 ] ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the probability of it taking more than 2 hours to get to a state from which the long-run probability of at least 5 servers being operational is >0.9" @@ -2548,28 +2745,28 @@

    Syntax

    You can also express various arithmetic expressions such as:

    -
    +
    1 - P=? [ F[3600,7200] oper ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the probability that the system is not operational at any point during the second hour of operation"

    -
    +
    R{"oper"}=? [ C<=t ] / t
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the expected fraction of time that the system is available (i.e. the expected interval availability) in the time interval [0, t]"

    -
    +
    P=? [ F fail_A ] / P=? [ F any_fail ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the (conditional) probability that component A eventually fails, given @@ -2581,20 +2778,20 @@

    Syntax

    It is worth, however, clarifying a few points specific to PRISM. A property is evaluated with respect to a particular state of a model. Depending on the type of the property, this value may either be a Boolean, an integer or a double. When performing model checking, PRISM usually has to actually compute the value for all states of the model but, for clarity, will by default report just a single value. Typically, this is the value for the (single) initial state of the model. For example, this:

    -
    +
    P=? [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    will report the probability, from the initial state of the model, of reaching an "error" state. This:

    -
    +
    P>0.5 [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    will return true if and only if the probability, from the initial state, is greater than 0.5. @@ -2614,10 +2811,10 @@

    Filters

    Filters are created using the filter keyword. They take the following form:

    -
    +
    filter(op, prop, states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where op is the filter operator (see below), prop is any PRISM property and states is a Boolean-valued expression identifying a set of states over which to apply the filter. @@ -2625,20 +2822,20 @@

    Filters

    In fact, the states argument is optional; if omitted, the filter is applied over all states. So, the following properties are equivalent:

    -
    +
    filter(op, prop)
    filter(op, prop, true)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Here's a simple example of a filter:

    -
    +
    filter(max, P=? [ F "error" ], x=0)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    This gives the maximum value, starting from any state satisfying x=0, of the probability of reaching an "error" state. @@ -2648,20 +2845,20 @@

    Filters

    we eventually reach a "done" state with probability 1.

    -
    +
    filter(forall, P>=1 [ F "done" ])
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    We could modify this property slightly to instead check whether, from any state that satisfies the label "ready", we eventually reach a "done" state with probability 1. This could be done with either of the following two equivalent properties:

    -
    +
    filter(forall, "ready" => P>=1 [ F "done" ])
    filter(forall, P>=1 [ F "done" ], "ready")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Note: In older versions of PRISM, the property above could be written just as "ready" => P>=1 [ F "done" ] since the result was checked for all states by default, not just the initial state. Now, you need to explicitly include a filter, as shown above, to achieve this. @@ -2695,10 +2892,10 @@

    Filters

    Filters provide a quick way to print the results of a model checking query for several states. In most cases, for example, a P=? query just returns the probability from the initial state. To see the probability for all states satisfying x>2, use:

    -
    +
    filter(print, P=? [ ... ], x>2)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Values are printed in the log (i.e. to the "Log" tab in the GUI or to the terminal from the command-line). For small models, you could omit the final states argument (x>2 here) and view the probabilities from all states. You can also use PRISM's verbose mode to view values for all states, but filters provide an easier and more flexible solution. @@ -2707,10 +2904,10 @@

    Filters

    You can also use print filters to display lists of states. For example, this property:

    -
    +
    filter(print, filter(argmax, P=? [ F "error" ]))
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    prints the states which have the highest probability of reaching an error state. @@ -2719,10 +2916,10 @@

    Filters

    Another common use of filters is to display the value for a particular state of the model (rather than the initial state, which is used by default). To achieve this, use e.g.:

    -
    +
    filter(state, P=? [ F "error" ], x=2&y=3)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where x=2&y=3 is assumed to specify one particular state. @@ -2731,20 +2928,20 @@

    Filters

    Filters can also be built up into more complex expressions. For example, the following two properties are equivalent:

    -
    +
    filter(avg, P=? [ F "error" ], "init")
    filter(sum, P=? [ F "error" ], "init") / filter(count, "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The range filter, unlike most PRISM expressions which are of type Boolean, integer or double, actually returns an interval: a pair of integers or doubles. For example:

    -
    +
    filter(range, P=? [ F count=10 ], count=0)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    gives the range of all possible values for the probability of reach a state satisfying count=10, from all states satisfying count=0. @@ -2754,34 +2951,34 @@

    Filters

    In older versions of PRISM, filters were also available, but in a less expressive form. Previously, they were only usable on P, S or R properties and only a small set of filter operators were permitted. They were also specified in a different way, using braces ({...}). For compatibility with old properties files (and for compactness), these forms of filters are still allowed. These old-style forms of filters:

    -
    +
    P=? [ pathprop {states} ]
    P=? [ pathprop {states}{min} ]
    P=? [ pathprop {states}{max} ]
    P=? [ pathprop {states}{min}{max} ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are equivalent to:

    -
    +
    filter(state, P=? [ pathprop ], states)
    filter(min, P=? [ pathprop ], states)
    filter(max, P=? [ pathprop ], states)
    filter(range, P=? [ pathprop ], states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Notice that the first of the four properties above (i.e. an old-style filter of the form {states} will result in an error if states is not satisfied by exactly one state of the model. Older versions of PRISM just gave you the value for the first state state satisfying the filter, without warning you about this. If you want to recreate the old behaviour, just use a first filter:

    -
    +
    filter(first, P=? [ pathprop ], states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Default filters

    @@ -2792,38 +2989,38 @@

    Filters

    Queries of the form:

    -
    +
    P>0.5 [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are the same as:

    -
    +
    filter(forall, P>0.5 [ F "error" ], "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and queries of the form:

    -
    +
    P=? [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are the same as either:

    -
    +
    filter(state, P=? [ F "error" ], "init")
    filter(range, P=? [ F "error" ], "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    for the cases where there the model has a single initial state @@ -2835,14 +3032,14 @@

    Constants

    These are defined in identical fashion, for example:

    -
    +
    const int k = 7;
    const double T = 9.5;
    const double p = 0.01;

    P<p [ F<=T x=k ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    As before, these constants can actually be left undefined and then later @@ -2860,13 +3057,13 @@

    Constants

    Labels are defined using the keyword label, followed by a name (identifier) in double quotes, and then an expression which evaluates to a Boolean. Definition and usage of labels are illustrated in the following example:

    -
    +
    label "safe" = temp<=100 | alarm=true;
    label "fail" = temp>100 & alarm=false;

    P>=0.99 [ "safe" U "fail" ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Two special cases are the "init" and "deadlock" labels which are always defined. @@ -2877,19 +3074,19 @@

    Constants

    For convenience, properties can be annotated with names, as shown in the following example:

    -
    +
    "safe": P<0.01 [ F temperature > t_max ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    which gives the name "safe" to the property. It is then possible to include named properties as sub-expressions of other properties, e.g.:

    -
    +
    filter(forall, num_sensors>0 => "safe");
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Notice that the syntax for referring to named properties is identical to the syntax for labels. For this reason, property names must be disjoint from those of any existing labels. @@ -2921,31 +3118,31 @@

    Starting PRISM

    You can also optionally specify a model file and a properties file to load upon starting the GUI, e.g.:

    -
    +
    xprism example.prism
    xprism example.prism example.props
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    To use the command-line version of PRISM, run the prism script, also in the bin directory, e.g.:

    -
    +
    prism example.prism example.props -prop 2
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The -dir switch can be used to specify a directory for input (and output) files. So the following are equivalent:

    -
    +
    prism ~/myfiles/example.prism ~/myfiles/example.props
    prism -dir ~/myfiles example.prism example.props
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The remainder of this section of the manual describes the main types of functionality offered by PRISM. @@ -2953,8 +3150,8 @@

    Starting PRISM

    tutorial on the PRISM web site. Some screenshots of the GUI version of PRISM are shown below.

    -

    The PRISM GUI (editing a model)
    -

    The PRISM GUI (model checking)
    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)

    Loading And Building a Model

    Typically, when using PRISM, the first step is to load a model that has been specified in the PRISM modelling language. If using the GUI, select menu option "Model | Open Model" and choose a file. There are a selection of sample PRISM model files in the prism-examples directory of the distribution. @@ -2971,10 +3168,10 @@

    Loading And Building a Model

    From the command-line, simply type:

    -
    +
    prism model.nm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where model.nm is the name of the file containing the model description. @@ -2997,10 +3194,10 @@

    Loading And Building a Model

    To find out how deadlocks occur, i.e. which paths through the model lead to a deadlock state, there are several possibilities. Firstly, you can model check the CTL property E[F "deadlock"]. When checked from the GUI, this will provide you with the option of display a path to a deadlock in the simulator. From the command-line, for example with:

    -
    +
    prism dice.pm -pf 'E[F "deadlock"]'
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    a path to a deadlock will be displayed in the log. @@ -3008,10 +3205,10 @@

    Loading And Building a Model

    Finally, in the eventuality that the model is too large to be model checked, you can still use the simulator to search for deadlocks. This can be done either by manually generating random paths using the simulator in the GUI or, from the command-line, e.g. by running:

    -
    +
    prism dice.pm -simpath deadlock stdout
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    @@ -3036,7 +3233,7 @@

    Debugging Models With The Simulator

    The figure shows the simulator in action.

    -

    The PRISM GUI: exploring a model using the simulator
    +

    The PRISM GUI: exploring a model using the simulator

    It is also possible to:

    • backtrack to an earlier point in a path @@ -3057,12 +3254,12 @@

      Debugging Models With The Simulator

      It is also possible to generate random paths through a model using the command-line version of PRISM. This is achieved using the -simpath switch, which requires two arguments, the first describing the path to be generated and the second specifying the file to which the path should be output (as usual, specifying stdout sends output to the terminal). The following examples illustrate the various ways of generating paths in this way:

      -
      +
      prism model.pm -simpath 10 path.txt
      prism model.pm -simpath time=7.5 path.txt
      prism model.pm -simpath deadlock path.txt
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      These generate a path of 10 steps, a path of at least 7.5 time units and a path ending in deadlock, respectively. @@ -3070,7 +3267,7 @@

      Debugging Models With The Simulator

      Here's an example of the output:

      -
      +
      prism poll2.sm -simpath 10 stdout
      ...
      action step time s a s1 s2
      @@ -3086,7 +3283,7 @@

      Debugging Models With The Simulator

      [loop1a] 9 0.04934857366557349 2 0 0 0
      [loop2a] 10 0.055031679365844674 1 0 0 0
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      This shows the sequence of states in the path, i.e. the values of the variables in each state. In the example above, there are 4 variables: s, a, s1 and s2. @@ -3095,7 +3292,7 @@

      Debugging Models With The Simulator

      Further options can also be appended to the first parameter. For example, option probs=true also displays the probability/rate associated with each transition. For example:

      -
      +
      prism poll2.sm -simpath '5,probs=true' stdout
      ...
      action probability step time s a s1 s2
      @@ -3106,7 +3303,7 @@

      Debugging Models With The Simulator

      [loop2a] 200.0 4 0.023258883912578403 1 0 0 0
      [loop1a] 200.0 5 0.027402404026254504 2 0 0 0
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      In this example, the rate is 200.0 for all transitions. @@ -3115,7 +3312,7 @@

      Debugging Models With The Simulator

      If you are only interested in values of certain variables of your model, use the vars=(...) option. For example:

      -
      +
      prism poll2.sm -simpath '500,probs=true,vars=(a,s1,s2)' stdout
      ...
      action probability step time a s1 s2
      @@ -3133,7 +3330,7 @@

      Debugging Models With The Simulator

      [loop2b] 200.0 251 3.637552738997181 1 0 1
      [serve2] 1.0 252 3.7343375346150576 0 0 0
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      Note the use of single quotes around the path description argument to prevent the shell from misinterpreting special characters such as "(". @@ -3143,7 +3340,7 @@

      Debugging Models With The Simulator

      An alternative way of viewing paths is to only display paths at certain fixed points in time. This is achieved with the snapshot=x option, where x is the time step. For example:

      -
      +
      prism poll2.sm -simpath 'time=5.0,snapshot=0.5' stdout
      ...
      step time s a s1 s2
      @@ -3159,13 +3356,13 @@

      Debugging Models With The Simulator

      478 4.5 1 0 0 0
      511 5.0 2 0 0 0
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      You can also use the sep=... option to specify the column separator. Possible values are space (the default), tab and comma. For example:

      -
      +
      prism poll2.sm -simpath '10,vars=(a,b),sep=comma' stdout
      ...
      step,a,b,time
      @@ -3176,22 +3373,22 @@

      Debugging Models With The Simulator

      7,1,3,0.284062896359802
      8,1,4,1.1792064236954896
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      When generating paths to a deadlock state, additional repeat=... option is available which will construct multiple paths until a deadlock is found. For example:

      -
      +
      prism model.sm -simpath 'deadlock,repeat=100' stdout
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      By default, the simulator detects deterministic loops in paths (e.g. if a path reaches a state from which there is a just a single self-loop leaving that state) and stops generating the path any further. You can disable this behaviour with the loopcheck=false option. For example:

      -
      +
      prism dice.pm -simpath 10 stdout
      ...
      Warning: Deterministic loop detected after 6 steps (use loopcheck=false option to extend path).
      @@ -3202,11 +3399,11 @@

      Debugging Models With The Simulator

      die 3 7 3
      die 4 7 3
      -
      [$[Get Code]]
      +
      [$[Get Code]]
      -
      +
      prism dice.pm -simpath 10,loopcheck=false stdout
      ...
      action step s d
      @@ -3222,7 +3419,7 @@

      Debugging Models With The Simulator

      die 9 7 2
      die 10 7 2
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      One final note: the -simpath switch only generates paths up to the maximum path length setting of the simulator (the default is 10,000). If you want to generate longer paths, either change the @@ -3232,10 +3429,10 @@

      Debugging Models With The Simulator

      but only within 100 steps:

      -
      +
      prism model.sm -simpath deadlock stdout -simpathlen 100
      -
      [$[Get Code]]
      +
      [$[Get Code]]
      @@ -3266,40 +3463,42 @@

      Exporting The Model

      The export command-line switches can be used in combination. For example:

      -
      +
      prism poll2.sm -exportstates poll2.sta -exporttrans poll2.tra
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      exports both the state space and transition matrix. You can export both state and transition rewards using the -exportrewards switch. The following are equivalent:

      -
      -
      prism poll2.sm -exportrewards poll2.rews poll2.rewt
      -prism poll2.sm -exportstaterewards poll2.rews -exporttransrewards poll2.rewt
      +
      +
      prism poll2.sm -exportrewards poll2.srew poll2.trew
      +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI).

      You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example:

      -
      +
      prism poll2.sm -exportmodel out.tra,sta
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      exports the transition matrix and states list to out.tra and out.sta, respectively. If you omit the file basename (out in this case), then the basename of the model file (poll2 in this case) is used. For example:

      -
      +
      prism poll2.sm -exportmodel .tra,sta
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      exports the transition matrix and states list to poll2.tra and poll2.sta. @@ -3313,11 +3512,11 @@

      Exporting The Model

      You can use the shorthand .all to export everything, and .rew to export both state and transition rewards. For example:

      -
      +
      prism poll2.sm -exportmodel out.all
      prism poll2.sm -exportmodel .all
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      creates multiple files of the form out.* or poll2.*, respectively. @@ -3325,24 +3524,29 @@

      Exporting The Model

      As mentioned above, you can always use stdout instead of a filename. For example:

      -
      +
      prism poll2.sm -exportmodel stdout.all
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      is a quick way to print all details (of a small model) to the terminal.

      -

      Although is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +

      Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix in Dot format which allows easy graphical visualisation of the model:

      -
      +
      prism poll2.sm -exportmodel poll2.dot
      -
      [$[Get Code]]
      +
      [$[Get Code]]
      +

      Export options

      +

      When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

      Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list:

      • mrmc - export data in MRMC format @@ -3350,23 +3554,28 @@

        Exporting The Model

      • rows - export matrices with one row/distribution on each line
      • ordered - output states indices in ascending order [default]
      • unordered - don't output states indices in ascending order +
      • proplabels - also export labels from the properties file

      An example is:

      -
      +
      prism poll2.sm -exportmodel out.tra,out.trew:matlab,unordered
      -
      [$[Get Code]]
      +
      [$[Get Code]]
      -

      The meaning of these options is described below. +

      By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>.

      File formats

      By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. As mentioned above, by convention, we use file extensions .sta (for states files), .tra (for transitions files), -.rews and .rewt (for state/transition rewards files) +.srew and .trew (for state/transition rewards files) and .lab (for labels).

      Alternatively, it is possible to export this information as Matlab code @@ -3404,10 +3613,10 @@

      Exporting The Model

    As mentioned above, for the latter, the following is equivalent (and easier to remember):

    -
    +
    prism poll2.sm -exportmodel poll2.dot
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    @@ -3415,20 +3624,20 @@

    Exporting The Model

    It is also possible to export the set of (bottom) strongly connected components (SCCs or BSCCs) for a model. This can only be done from the command-line currently. Use, for example:

    -
    +
    prism poll2.sm -exportsccs stdout
    prism poll2.sm -exportbsccs stdout
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    For an MDP, you can also export the set of maximal end components (MECs):

    -
    +
    prism mdp.nm -exportmecs stdout
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    @@ -3463,10 +3672,10 @@

    Model Checking

    From the command-line, model checking is achieved by passing both a model file and a properties file as arguments, e.g.:

    -
    +
    prism poll2.sm poll.csl
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The results of model checking are sent to the display and are as described above for the GUI version. @@ -3475,38 +3684,38 @@

    Model Checking

    For example, to check only the fourth property in the file:

    -
    +
    prism poll2.sm poll.csl -prop 4
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    or to check only the property with name "safe" in the file:

    -
    +
    prism poll2.sm poll.csl -prop safe
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    You can also provide a comma-separated list of multiple properties to check, using neither numerical indices or property names:

    -
    +
    prism poll2.sm poll.csl -prop 4,5,safe
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Alternatively, the contents of a properties file can be specified directly from the command-line, using the -pf switch:

    -
    +
    prism poll2.sm -pf 'P>=0.5 [ true U<=5 (s=1 & a=0) ]'
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The switches -pctl and -csl are aliases for -pf. @@ -3596,10 +3805,10 @@

    Approximate Model Checking

    Statistical model checking can also be enabled from the command-line version of PRISM, by including the -sim switch. The default methods used are CI (Confidence Interval) for "quantitative" properties and SPRT (Sequential Probability Ratio Test) for "bounded" properties. To select a particular method, use switch -simmethod <method> where <method> is one of ci, aci, apmc and sprt. For example:

    -
    +
    prism model.pm model.pctl -prop 1 -sim -simmethod aci
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    PRISM has default values for the various simulation method parameters, but these can also be specified using the switches -simsamples, -simconf, -simwidth and -simapprox. The exact meaning of these switches for each simulation method is given in the table below. @@ -3628,19 +3837,19 @@

    Computing Steady-state And Transient Probabilities

    From the command-line, add the -steadystate (or -ss) switch:

    -
    +
    prism poll2.sm -ss
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    for steady-state probabilities or the -transient (or -tr) switch:

    -
    +
    prism poll2.sm -tr 2.0
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    for transient probabilities, again specifying a time value in the latter case. @@ -3650,11 +3859,11 @@

    Computing Steady-state And Transient Probabilities

    To instead export the vector of computed probabilities to a file, use the "Model | Compute/export" option from the GUI, or the -exportsteadystate (or -exportss) and -exporttransient (or -exporttr) switches from the command-line:

    -
    +
    prism poll2.sm -ss -exportss poll2-ss.txt
    prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    From the command-line, you can request that the probability vectors exported are in Matlab format by adding the -exportmatlab switch. @@ -3666,30 +3875,30 @@

    Computing Steady-state And Transient Probabilities

    You can override this and provide a specific initial distribution. This is done using the -importinitdist switch. The format for this imported distribution is identical to the ones exported by PRISM, i.e. simply a list of probabilities for all states separated by new lines. For example, this:

    -
    +
    prism poll2.sm -tr 1.0 -exporttr poll2-tr1.txt
    prism poll2.sm -tr 1.0 -importinitdist poll2-tr1.txt -exporttr poll2-tr2.txt
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    is (essentially) equivalent to this:

    -
    +
    prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Ranges of time values

    Finally, you can compute transient probabilities for a range of time values, e.g.:

    -
    +
    prism poll2.sm -tr 0.1:0.01:0.2
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    which computes transient probabilities for the time points 0.1, 0.11, 0.12, .., 0.2. In this case, the computation is done incrementally, with probabilities for each time point being computed from the previous point for efficiency. @@ -3699,30 +3908,30 @@

    Experiments

    This is done by leaving one or more constants undefined, e.g.:

    -
    +
    const int N;
    const double T;
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    This can be done for constants in the model file, the properties file, or both. Before any verification can be performed, values must be provided for any such constants. In the GUI, a dialog appears in which the user is required to enter values. From the command line, the -const switch must be used, e.g.:

    -
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    To run an experiment, provide a range of values for one or more of the constants. Model checking will be performed for all combinations of the constant values provided. For example:

    -
    +
    prism cluster.sm cluster.csl -const N=4:6,T=60:10:100
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where N=4:6 means that values of 4,5 and 6 are used for N, @@ -3732,10 +3941,10 @@

    Experiments

    You can also specify double-valued constants as fractions rather than decimals. For example:

    -
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9 -const p=1/3
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    From the GUI, the same thing can be achieved by selecting a single property, @@ -3769,19 +3978,19 @@

    Experiments

    You can export all the results from an experiment to a file or to the screen. From the command-line, use the -exportresults switch, for example:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    to send to output file res.txt, or:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults stdout
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    to send the results straight to the screen. From the GUI, right click on the experiment and select "Export results". @@ -3789,7 +3998,7 @@

    Experiments

    The default behaviour is to export a list of results in text form, using tabs to separate items. The above examples produce:

    -
    +
    N       T       Result
    4       0       0.0
    4       10      4.707364688019771E-6
    @@ -3797,20 +4006,20 @@

    Experiments

    5       0       0.0
    5       10      3.267731327728599E-6
    5       20      8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    You can change the format in which the results are exported by appending one or more comma-separated options to the end of the -exportresults switch, for example to export in CSV (comma-separated values) format:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -
    +
    N, T, Result
    4, 0, 0.0
    4, 10, 4.707364688019771E-6
    @@ -3818,41 +4027,62 @@

    Experiments

    5, 0, 0.0
    5, 10, 3.267731327728599E-6
    5, 20, 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +
    + +

    or in DataFrame format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. This is particularly useful if you want to create a surface plot from results that vary over two constants.

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -
    +
    "N\T"
    , 0.0, 10.0, 20.0
    4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The matrix option is also available in normal (non-CSV) mode.

    -

    Finally, you can export results in the form of comments, used by PRISM's functionality: +

    You can also export results in the form of comments, used by PRISM's regression testing functionality:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -
    +
    // RESULT (N=4,T=0): 0.0
    // RESULT (N=4,T=10): 4.707364688019771E-6
    // RESULT (N=4,T=20): 1.3126420636755292E-5
    @@ -3860,41 +4090,124 @@

    Experiments

    // RESULT (N=5,T=10): 3.267731327728599E-6
    // RESULT (N=5,T=20): 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. This exports the results for all states of the model (typically, the log just displays the result for the initial state, unless a filter has been used) to the the file file.

    -

    Adversaries

    -

    When model checking some properties of MDPs, PRISM can also generate an optimal adversary, i.e. one which corresponds to either the minimum or maximum values of the probabilities or rewards computed during verification. Recall that, for MDPs, PRISM quantifies over all possible adversaries, i.e. all possible resolutions of nondeterminism in the model. A typical property would be: +

    Strategies

    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property:

    -
    -
    Pmax=? [ F "error" ]
    +
    +
    Pmax=? [ F "goal" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -

    which computes the maximum probability, over all adversaries, of reaching a state satisfying the label "error", from all states of the model. When under the control of a specific adversary, the behaviour of an MDP is purely probabilistic, yielding a single value (for each state) for the probability of reaching "error". In addition to giving the maximum probability value(s), PRISM can produce an adversary of the MDP for which the probabilities (for each state) coincide with the maximum values. +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated.

    -

    For a probabilistic reachability property, such as the one above, a memoryless adversary suffices, that is one which always makes the same choice in any given state of the model. So, the default form in which PRISM provides an adversary is a DTMC derived by retaining only a single nondeterministic choice in each state of the MDP. This DTMC is given in the same format as when exporting the transition matrix of a DTMC, i.e. a list of transitions. +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future.

    -

    Currently, adversary generation is only implemented in the sparse engine, so you need to make sure this engine is enabled. From the command-line, you specify that an optimal adversary should be generated using the -exportadv switch, e.g.: +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are:

    -
    -
    prism mdp.nm -pctl 'Pmax=? [ F "error" ]' -exportadv adv.tra -s
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    -

    From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. -Another option is to export the adversary as an MDP (this is identical to the model produced using the DTMC option, but can be imported back into PRISM as an MDP, if required). Use switch -exportadvmdp, instead of -exportadv form the command-line, or select the "MDP" option from the GUI. +

    A full list of available options is as follows:

    -

    PRISM also supports generation of adversaries for "reachability reward" properties (i.e. the R operator, with argument F) in identical fashion to the case described above. +

    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches. +

    +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above.

    Support For PEPA Models

    For CTMCs, PRISM also accepts model descriptions in the stochastic process algebra PEPA [Hil96]. @@ -3935,73 +4248,73 @@

    Support For SBML

    An SBML file comprises a set of species and a set of reactions which they undergo. Below is the SBML file for the simple reversible reaction: Na + Cl ↔ Na+ + Cl-, where there are initially 100 Na and Cl atoms and no ions, and the base rates for the forwards and backwards reactions are 100 and 10, respectively.

    -
    -
    <?xml version="1.0" encoding="UTF-8"?>
    -<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">

    -    <listOfCompartments>
    -      <compartment id="compartment"/>
    -    </listOfCompartments>
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>

    -    <listOfSpecies>
    -      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -    </listOfSpecies>
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>

    -    <listOfReactions>
    -      <reaction id="forwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>forwards_rate</ci>
    -              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="forwards_rate" value="100"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>

    -      <reaction id="backwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>backwards_rate</ci>
    -              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="backwards_rate" value="10"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    -    </listOfReactions>
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>

    </model>
    -</sbml>
    -
    [$[Get Code]]
    </model>
    +</sbml>
    +
    [$[Get Code]]

    And here is the resulting PRISM code:

    -
    +
    // File generated by automatic SBML-to-PRISM conversion
    // Original SBML file: nacl.xml

    @@ -4088,22 +4401,22 @@

    Support For SBML

    // 4
    rewards "cl_minus" true : cl_minus; endrewards
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator):

    -

    Expected amount of Na/Na+ at time T
    +

    Expected amount of Na/Na+ at time T

    Using the translator

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself.

    -
    +
    cd prism
    java -cp classes prism.SBML2Prism sbml_file.xml > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    If you are using a binary (rather than source code) distribution of PRISM, replace classes with lib/prism.jar in the above. @@ -4111,7 +4424,7 @@

    Support For SBML

    Alternatively (on Linux or Mac OS X), ensure prism is in your path and then save the script below as an executable file called sbml2prism:

    -
    +
    #!/bin/sh

    # Startup script for SBML-to-PRISM translator
    @@ -4120,28 +4433,28 @@

    Support For SBML

    PRISM_MAINCLASS="prism.SBML2Prism"
    export PRISM_MAINCLASS
    prism "$@"
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Then use:

    -
    +
    sbml2prism sbml_file.xml > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The following PRISM properties file will also be useful:

    -
    +
    const double T;
    const int c;

    R{c}=? [I=T]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    This contains a single property which, based on the reward structures in the PRISM model generated by the translator, means "the expected amount of species c at time T". The constant c is an integer index which can range between 1 and N, where N is the number of species in the model. To view the expected amount of each species over time, create an experiment in PRISM which varies c from 1 to N and T over the desired time range. @@ -4158,11 +4471,11 @@

    Support For SBML

    Furthermore, since PRISM is primarily a model checking (rather than simulation) tool, it is important that the amount of each species also has an upper bound (to ensure a finite state space). When model checking, the efficiency (or even feasibility) of the process is likely to be very sensitive to the upper bound(s) chosen. When using the discrete-event simulation functionality of PRISM, this is not the case and the bounds can can be set much higher. By default the translator uses an upper bound of 100 (which is increased if the initial amount exceeds this). A different value can specified through a second command-line argument as follows:

    -
    +
    cd prism
    java -cp classes prism.SBML2Prism sbml_file.xml 1000 > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Alternatively, upper bounds can be modified manually after the translation process. @@ -4182,10 +4495,10 @@

    Explicit Model Import

    For example:

    -
    +
    prism -importtrans poll2.tra -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Please note that this method of constructing models in PRISM is typically less efficient than using the PRISM language. @@ -4198,20 +4511,20 @@

    Explicit Model Import

    (not a good strategy in general):

    -
    +
    prism poll2.sm -exporttrans poll2.tra -exportstates poll2.sta
    prism -importtrans poll2.tra -importstates poll2.sta -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    You can also import label information using the switch -importlabels, e.g.:

    -
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where the labels file (poll2.lab above) is in the format generated by the -exportlabels export option of PRISM. @@ -4224,19 +4537,23 @@

    Explicit Model Import

    Lastly, state (but currently not transition) rewards can also be imported, using the -importstaterewards switch, e.g.:

    -
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -importstaterewards poll2.srew -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above:

    -
    +
    prism -importmodel poll2.tra,sta,lab,srew -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The contents of each file is determined by its extension: @@ -4249,10 +4566,19 @@

    Explicit Model Import

    Use the extension .all to import from all of these files:

    -
    +
    prism -importmodel poll2.all -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +
    + +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]



    @@ -4264,39 +4590,39 @@

    Introduction

    User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in:

    -
    • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
      • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
      • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set)
      • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set)
      • $HOME/Library/Preferences/prism.settings (on Mac OS)
      • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) -
      • $HOME/.prism (if the settings file was already created by an older version of PRISM)

      From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing:

      -
      +
      prism -help
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      For some switches, whose format is not straightforward, there is additional help available on the command-line, using -help switch. For example:

      -
      +
      prism -help const
      prism -help simpath
      prism -help exportresults
      prism -help exportmodel
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      The settings file is ignored by the command-line version (unlike earlier versions of PRISM, where it was used). You can, however, request that the settings file is read, using the -settings switch, e.g.:

      -
      +
      prism -settings ~/.prism
      -
      [$[Get Code]]
      +
      [$[Get Code]]

      In the following sections, we give a brief description of the most important configuration options available. @@ -4345,13 +4671,13 @@

      Computation engines

    When using the PRISM GUI, the engine to be used for model checking can be selected from the "Engine" option under the "PRISM" tab of the "Options" dialog. From the command-line, engines are activated using the -mtbdd, -sparse, -hybrid and -explicit (or -m, -s, -h and -ex, respectively) switches, e.g.:

    -
    +
    prism poll2.sm -tr 1000 -m
    prism poll2.sm -tr 1000 -s
    prism poll2.sm -tr 1000 -h
    prism poll2.sm -tr 1000 -ex
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Note also that precise details regarding the memory usage of the current engine are displayed during model checking (from the GUI, check the "Log" tab). This can provide valuable feedback when experimenting with different engines. @@ -4494,19 +4820,19 @@

    Automata Generation

    By default PRISM uses a port of the ltl2dstar library to construct these automata. But it also allows the use of external LTL-to-automata converters producing deterministic automata through support for the Hanoi Omega Automaton (HOA) format. From the command line, an example of this is:

    -
    +
    prism model.pm -pf "P=? [ G F x=1 ]" -ltl2datool hoa-ltl2dstar-for-prism -ltl2dasyntax lbt
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The -ltl2datool switch specifies the location of the program to be executed to perform the LTL-to-automaton conversion. This will be called by PRISM as "exec in-file out-file", where exec is the executable, in-file is the name of a file containing the LTL formula to be converted and out-file is the name of a file where the resulting automaton should be written, in HOA format. Typically, the executable will be a script. Here is a simple example (called as hoa-ltl2dstar-for-prism in the above example), which calls an external copy of ltl2dstar in the required fashion (assuming that the ltl2dstar and ltl2ba executables are located in the current directory or on the PATH).

    -
    +
    #! /bin/bash
    ltl2dstar --output=automaton --output-format=hoa "$1" "$2"
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    PRISM is known to work with these HOA-enabled tools: @@ -4555,7 +4881,7 @@

    Automata Generation

    Other Options

    Output options

    -

    To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with comand-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

    To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo).

    Fairness

    Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. @@ -4570,10 +4896,10 @@

    Output options

    CUDD, the underlying BDD and MTBDD library used in PRISM has an upper memory limit. By default, this limit is 1 GB. If you are working on a machine with significantly more memory this and PRISM runs out of memory when model checking, it may help to change this. To set the limit, from the command-line, use the -cuddmaxmem switch. For example:

    -
    +
    prism -cuddmaxmem 2g big_model.pm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Above, g denotes GB. You can also use m for MB. @@ -4584,22 +4910,22 @@

    Output options

    The Java virtual machine (JVM) used to execute PRISM also has upper memory limits. Sometimes this limit will be exceeded and you will see an error of the form java.lang.OutOfMemory. To resolve this problem, you can increase this memory limit. On Unix, Linux or Mac OS X platforms, this can done by using the -javamaxmem switch, passed either to the command-line script prism or the GUI launcher xprism. For example:

    -
    +
    prism -javamaxmem 4g big_model.pm
    xprism -javamaxmem 4g big_model.pm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    each set the limit to 4GB. Alternatively, you set the environment variable PRISM_JAVAMAXMEM before running PRISM. For example, under a bash shell:

    -
    +
    PRISM_JAVAMAXMEM=4g
    export PRISM_JAVAMAXMEM
    prism big_model.pm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    If you get an error of the form java.lang.StackOverflowError, then you can try increasing the stack size of the JVM. @@ -4607,28 +4933,39 @@

    Output options

    Examples are:

    -
    +
    prism -javastack 1g big_model.pm
    xprism -javastack 1g big_model.pm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    or:

    -
    +
    PRISM_JAVASTACKSIZE=1g
    export PRISM_JAVASTACKSIZE
    prism big_model.pm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    If you are running PRISM on Windows you will have to do make adjustments to Java memory manually, by modifying the prism.bat or xprism.bat scripts. To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. To change the stack size to 1GB, add -Xss1g.

    +

    Other Java options

    +

    If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

    +
    +
    +
    prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
    +
    +
    [$[Get Code]]
    +
    +

    Precomputation

    By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1.

    @@ -4707,23 +5044,23 @@

    Memory Problems

    If PRISM has already output this:

    -
    +
    Building model...
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    but there is no line of the form:

    -
    +
    Time for model construction: 34.3 seconds.
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and then you get an error like this:

    -
    +
    #
    # An unexpected error has been detected by Java Runtime Environment:
    #
    @@ -4740,12 +5077,12 @@

    Memory Problems

    #
    /home/dxp/bin/prism: line 50: 19298 Aborted "$PRISM_JAVA" #$PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    or like this:

    -
    +
    #
    # An unexpected error has been detected by HotSpot Virtual Machine:
    #
    @@ -4757,7 +5094,7 @@

    Memory Problems

    #
    ...
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    then PRISM ran out of memory whilst trying to construct the model. @@ -4773,18 +5110,18 @@

    Memory Problems

    If model construction was successfully completed (see previous question) but model checking was not, there are several things you can try. First of all, if the error message you see looks like the one in the previous question or you see a message such as

    -
    +
    DD_MatrixMultiply: res is NULL
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    then it may be worth increasing the memory limit for CUDD (as described above). However, if you see an error more like this:

    -
    +
    /home/dxp/bin/prism: line 50: 3139 Aborted "$PRISM_JAVA" $PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    then increasing the memory CUDD probably will not help - PRISM is just trying to allocate more memory than is physically available on your system. @@ -4800,18 +5137,18 @@

    Memory Problems

    This is a less common problem and will only occur if the actual PRISM language description of your model is very large. This may be the case, for example, if you are automatically generating PRISM models in some way. Errors due to lack of memory during parsing usually look like:

    -
    +
    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    or:

    -
    +
    Exception in thread "main" java.lang.StackOverflowError
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    You can resolve this problem by increasing the memory allocated to Java. @@ -4858,7 +5195,7 @@

    PRISM Modelling

    One solution to this, if your model require such a delay, is to approximate a deterministic delay with an Erlang distribution (a special case of a phase-type distribution). See for example this PRISM model:

    -
    +
    ctmc

    const int k;
    @@ -4881,12 +5218,12 @@

    PRISM Modelling


    endmodule
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k.

    -
    +

    There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000.



    ---- @@ -4901,8 +5238,8 @@

    Explicit Model Files

  • Transitions (.tra) files
  • Transitions (.tra) files (row form)
  • Labels (.lab) files -
  • State rewards (.rews) files -
  • Transition rewards (.rewt) files +
  • State rewards (.srew) files +
  • Transition rewards (.trew) files

    • States (.sta) files

    @@ -4911,7 +5248,7 @@

    Explicit Model Files

    For the example PRISM model poll2.sm, the states file looks like:

    -
    +
    (s,a,s1,s2)
    0:(1,0,0,0)
    1:(1,0,0,1)
    @@ -4925,7 +5262,7 @@

    Explicit Model Files

    9:(2,0,1,1)
    10:(2,1,0,1)
    11:(2,1,1,1)
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    @@ -4942,7 +5279,7 @@

    Explicit Model Files

    Here is an example, for the (DTMC) PRISM model lec3.pm (which looks like this):

    -
    +
    6 9
    0 1 0.5
    0 3 0.5
    @@ -4953,13 +5290,13 @@

    Explicit Model Files

    3 3 1
    4 4 1
    5 2 1
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and here is one for the (CTMC) PRISM model poll2.sm (which looks like this):

    -
    +
    12 22
    0 1 0.5
    0 2 0.5
    @@ -4983,7 +5320,7 @@

    Explicit Model Files

    10 0 1
    10 11 0.5
    11 2 1
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    MDPs (or PAs) @@ -4998,7 +5335,7 @@

    Explicit Model Files

    Here is an example, for the (MDP) PRISM model lec12mdp.nm (which looks like this):

    -
    +
    4 5 7
    0 0 1 1
    1 0 0 0.7
    @@ -5007,13 +5344,13 @@

    Explicit Model Files

    1 1 3 0.5
    2 0 2 1
    3 0 3 1
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and here is an action-labelled version of the same model, lec12mdpa.nm (which looks like this):

    -
    +
    4 5 7
    0 0 1 1 a
    1 0 2 0.5 c
    @@ -5022,7 +5359,7 @@

    Explicit Model Files

    1 1 1 0.3 b
    2 0 2 1 a
    3 0 3 1 a
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    @@ -5033,7 +5370,7 @@

    Explicit Model Files

    Here is the result for the lec3.pm example from above (a DTMC):

    -
    +
    6 9
    0 0.5:1 0.5:3
    1 0.5:0 0.25:2 0.25:4
    @@ -5041,33 +5378,33 @@

    Explicit Model Files

    3 1:3
    4 1:4
    5 1:2
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    for the lec12mdp.nm example (an MDP):

    -
    +
    4 5 7
    0 1:1
    1 0.7:0 0.3:1
    1 0.5:2 0.5:3
    2 1:2
    3 1:3
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and for the lec12mdpa.nm example (an MDP with actions):

    -
    +
    4 5 7
    0 1:1 a
    1 0.5:2 0.5:3 c
    1 0.7:0 0.3:1 b
    2 1:2 a
    3 1:3 a
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    @@ -5081,58 +5418,70 @@

    Explicit Model Files

    An example is shown below, where, for example, both "heads" and "end" are satisfied in state 2.

    -
    +
    0="init" 1="deadlock" 2="heads" 3="tails" 4="end"
    0: 0
    2: 2 4
    3: 3 4
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -

    +

    State rewards (.srew) files

    -

    These contain an explicit list of the (non-zero) state rewards for a particular reward structure of a model. The first line of the file is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. The following m lines are of the form i r, denoting that the state reward for state i is r. +

    Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r.

    For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5):

    -
    -
    6 3
    +
    +
    # Reward structure "r"
    +# State rewards
    +6 3
    0 2
    4 1
    5 1
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -

    +

    Transition rewards (.trew) files

    -

    Files containing transition rewards are formatted identically to transitions files (see above), -except that probabilities/rates are replaced with reward values, and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

    Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards.

    For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions:

    -
    -
    6 4
    +
    +
    # Reward structure: "r"
    +# Transition rewards
    +6 4
    1 0 1
    1 2 1
    1 4 1
    2 5 2
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    And or the lec12mdpa.nm (4-state) MDP example, we get non-zero transition rewards on 4 transitions:

    -
    -
    4 5 4
    +
    +
    # Reward structure: "r"
    +# Transition rewards
    +4 5 4
    1 0 2 6
    1 0 3 6
    1 1 0 5
    1 1 1 5
    -
    [$[Get Code]]
    +
    [$[Get Code]]



    @@ -5142,6 +5491,12 @@

    Explicit Model Files

    @@ -5150,6 +5505,13 @@

    Explicit Model Files

    + +
    @@ -5165,7 +5527,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -5174,5 +5536,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/AllOnOnePage@action=edit.html b/manual/Main/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..6346567669 --- /dev/null +++ b/manual/Main/AllOnOnePage@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/AllOnOnePage@action=login.html b/manual/Main/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..8d3dfbeb14 --- /dev/null +++ b/manual/Main/AllOnOnePage@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/AllOnOnePage@action=print.html b/manual/Main/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..0fae8c3b93 --- /dev/null +++ b/manual/Main/AllOnOnePage@action=print.html @@ -0,0 +1,5365 @@ + + + + + + +PRISM Manual | Main / Real-time Models + + + + + + + + + + + + + + + + + + +
    +

    PRISM Manual   version 4.8

    +
    +

    Contents

    +
    +

    Introduction

    +

    Installing PRISM

    +

    The PRISM Language

    +

    Property Specification

    +

    Running PRISM

    +

    Configuring PRISM

    +

    References

    +

    Appendices

    +



    +

    +

    Introduction

    +
    +

    PRISM is a probabilistic model checker, +a tool for the modelling and analysis of systems which exhibit probabilistic behaviour. +Probabilistic model checking is a formal verification technique. +It is based on the construction of a precise mathematical model of a system which is to be analysed. +Properties of this system are then expressed formally in temporal logic +and automatically analysed against the constructed model. +

    +

    PRISM has support for a wide range of probabilistic models: +

    +
    • discrete-time Markov chains (DTMCs) +
    • continuous-time Markov chains (CTMCs) +
    • Markov decision processes (MDPs) +
    • probabilistic timed automata (PTAs) +
    • partially observable Markov decision processes (POMDPs) +
    • partially observable probabilistic timed automata (POPTAs) +

    In fact, PRISM's support for MDPs extends to the more general model of +probabilistic automata (PAs) [Seg95], which does not require unique action names in each state. +For background material on these models, look at the pointers to +resources +on the PRISM web site. +

    +

    PRISM also supports non-probabilistic models, notably labelled transition systems (LTSs). +

    +

    Models are supplied to the tool by writing descriptions in the PRISM language, a simple, high-level modelling language. +

    +

    Properties of these models are written in the PRISM property specification language which is based on temporal logic. It incorporates several well-known probabilistic temporal logics: +

    +
    • PCTL (probabilistic computation tree logic), +
    • CSL (continuous stochastic logic), +
    • (probabiistic) LTL (linear time logic), +
    • PCTL* (which subsumes both PCTL and LTL). +

    The property language also supports costs and rewards, "numerical" properties, several other custom features and extensions, and also also incorporates the non-probabilistic temporal logics CTL (computation tree logic) and LTL. +

    +

    PRISM performs probabilistic model checking, based on exhaustive search and numerical solution, to automatically analyse such properties. It also contains a discrete-event simulation engine for approximate model checking. +

    +

    +

    Installing PRISM

    +
    +

    Instructions

    +

    Prerequisites

    +

    PRISM is known to run on Linux, Windows and Mac OS X, both 64-bit and 32-bit versions. +

    +

    You will need Java, version 9 or above +(get it, for example from Oracle +or AdoptOpenJDK). +To run binary versions of PRISM, you only need the Java Runtime Environment (JRE), not the full Java Development Kit (JDK). +

    +

    To compile PRISM from source, you need the Java Development Kit (JDK), GNU make and a C/C++ compiler (e.g. gcc/g++). For compilation under Windows, you will need Cygwin. See below for more information: +

    +

    If you are installing on a completely fresh operating system installation (e.g. in a virtual machine), you may find the following scripts useful, +which install the required dependencies and PRISM itself. They can be found in the prism/etc/scripts directory: +

    +
    +

    + +

    Installation on Windows

    +

    To install PRISM on Windows, just run the self-extracting installer which you downloaded. You do not need administrator privileges for this, just write-access to the directory chosen for installation. +

    +

    If requested, the installer will place shortcuts to run PRISM on the desktop and/or start menu. If not, you can run by PRISM double-clicking the file xprism.bat (which may just appear as xprism) in the bin folder of your PRISM folder. If nothing happens, the most likely explanation is that Java is not installed or not in your path. To check, open a command prompt window, navigate to the PRISM directory, type cd bin, then xprism.bat and examine the resulting error. If you want to create shortcuts to xprism.bat manually, you will find some PRISM icons in the etc folder. +

    +

    If you wish to use the command-line version of PRISM on Windows, open a command prompt window and type for example: +

    +
    +
    +
    cd "c:\Program Files\prism-4.5-win\bin"
    +prism ..\prism-examples\simple\dice\dice.pm
    +
    +
    [$[Get Code]]
    +
    + +

    You can also edit the file bin\prism.bat to allow it to be run from any location. See the instructions within the file for further details. +

    +

    Problems? See the section "Common Problems And Questions''. +

    +
    +

    +

    Installation of Linux/Mac binary versions

    +

    To ensure compatibility, we recommend that you compile PRISM from source on non-Windows platforms. See below for instructions. However, we do provide pre-compiled binary distributions for Linux and Mac OS X. +

    +

    To install a binary distribution, unpack the tarred/zipped PRISM distribution into a suitable location, enter the directory and run the install.sh script, e.g.: +

    +
    +
    +
    gunzip prism-4.5-linux64.tar.gz
    +tar xf prism-4.5-linux64.tar
    +cd prism-4.5-linux64
    +./install.sh
    +
    +
    [$[Get Code]]
    +
    + +

    You do not need to be root to install PRISM. The install script simply makes some small customisations to the scripts used to launch PRISM. The PRISM distribution is self-contained and can be freely moved/renamed, however if you do so you will need to re-run ./install.sh afterwards. +

    +

    To run PRISM, execute either the xprism or prism script (for the graphical user interface or command-line version, respectively). These can be found in the bin directory. These scripts are designed to be run from anywhere and you can easily create symbolic links or aliases to them. If you want icons to create desktop shortcuts to PRISM, you can find some in the etc directory. +

    +

    Problems? See the section "Common Problems And Questions''. +

    +
    +

    +

    Building PRISM from source (non-Windows)

    +

    To compile PRISM form source code, you will need: +

    +
    • GNU make (sometimes called gmake) +
    • a C/C++ compiler (e.g. gcc/g++) +
    • a Java Development Kit, version 8 or above +

    To check that you have the development kit, type javac. If you get an error message that javac cannot be found, you probably do not have the JDK installed (or your path is not set up correctly). To check what version you have, type javac -version. +

    +

    Hopefully, you can build PRISM simply by entering the PRISM directory and running make, e.g.: +

    +
    +
    +
    gunzip prism-4.5-src.tar.gz
    +tar xf prism-4.5-src.tar
    +cd prism-4.5-src/prism
    +make
    +
    +
    [$[Get Code]]
    +
    + +

    For this process to complete correctly, PRISM needs to be able to determine both the operating system you are using and the location of your Java distribution. If there is a problem with either of these, you will see an error message and will need to specify one or both of these manually, such as in these examples: +

    +
    +
    +

    +make OSTYPE=linux
    +make JAVA_DIR=/usr/java/jdk1.8.0
    +make OSTYPE=cygwin JAVA_DIR="/cygdrive/c/Program Files/Java/jdk1.8.0"
    +
    +
    [$[Get Code]]
    +
    + +

    Note the use of double quotes for the case where the directory contains a space. If you don't know the location of your Java installation, try typing which javac. If the result is e.g. /usr/java/jdk1.8.0/bin/javac then your Java directory is /usr/java/jdk1.8.0. Sometimes javac will be a symbolic link, in which case use "ls -l" to determine the actual location. +

    +

    It is also possible to to set the environment variables OSTYPE and JAVA_DIR directly or edit their values in the Makefile directly. Note that even when you specify JAVA_DIR explicitly (in either way), PRISM still uses the versions of javac (and javah) that are in your path so make sure this is set up correctly. +

    +

    64-bit OSs +

    +

    PRISM should also detect when it is running on a 64-bit architecture, and building will work as above. If this does not work for some reason, you can override detection by setting ARCH to either amd64 (for AMD/Intel 64) or ia64 (for Itanium). For example: +

    +
    +
    +

    +make ARCH=amd64
    +
    +
    [$[Get Code]]
    +
    + +

    If you have problems building a 64-bit version of PRISM, one option is to instead compile and run a 32-bit version of PRISM. To do this, you need to: +

    +
    1. Make sure you are using a 32-bit version of Java +
    2. Override detection of the 64-bit architecture when building: +
    +
    +

    +make clean_all
    +make ARCH=
    +
    +
    [$[Get Code]]
    +
    + +

    Problems? See the section "Common Problems And Questions''. +

    +
    +

    +

    Building PRISM from source on Windows using Cygwin

    +

    The compilation of PRISM currently relies on a Unix-like environment. On Windows, this can be achieved using the Cygwin development environment (or alternatively using MSYS - see below). Once Cygwin is installed, first ensure you have the following installed: +

    • make +
    • mingw64-i686-gcc-g++ (or mingw64-x86_64-gcc-g++ for 64-bit Windows) +
    • binutils +
    • dos2unix +

    Then proceed as described in the previous section. Note that the PRISM compilation process uses the MinGW libraries so that the final result is independent of Cygwin at run-time. +

    +

    One thing to note: make sure you unzip the PRISM distribution from within Cygwin (e.g. using tar xfz prism-XXX-src.tar.gz). Don't use a Windows program (Winzip, etc.) since this can cause problems. +

    +

    If you use git to checkout the PRISM repository, we recommend that you use the version of git provided by Cygwin. +If you use a native Windows version of git, you may want to disable the Unix-to-Windows line-ending conversion, e.g., via +

    +
    • git config --global core.autocrlf false +

    Problems? See the section "Common Problems And Questions''. +

    +
    +

    +

    Building PRISM from source on Windows using MSYS

    +

    Compiling from source in MSYS is less obvious as this environment is currently not directly supported in the makefile. Additionally, MSYS does not handle symlinks in the same way as cygwin does. The first problem is fixed by providing a OSTYPE variable to the makefile, whereas the second problem currently has to be solved manually. +

    +
    +
    +

    +make OSTYPE=cygwin
    +
    +
    [$[Get Code]]
    +
    + +

    At some point it will fail, saying that it cannot find the CUDD library, this is due to the failing symlinks. You can solve this as follows: +

    +
    +
    +

    +cd cudd/
    +rmdir lib/
    +./setup.sh
    +cd ..
    +make OSTYPE=cygwin
    +./install.sh
    +
    +
    [$[Get Code]]
    +
    + +

    Problems? See the section "Common Problems And Questions''. +

    +

    Common Problems And Questions

    +

    This section describes some of the most common problems and questions related to the installation and running of PRISM. These are grouped into the following categories: +

    +
    • Running PRISM on Windows +
    • Running PRISM on non-Windows platforms +
    • Compiling PRISM +
    • Other issues +
    +

    Running PRISM on Windows

    +

    When I try to run PRISM on Windows, I double-click the PRISM shortcut but nothing happens. +

    +
    +

    The most common cause of this is that you either do not have Java installed or the java executable is not in your path. In any case, to determine the exact problem, launch a command shell and navigate to the bin directory inside the directory where you installed PRISM (you can use the "PRISM (console)" shortcut installed in the start menu to do this). Then, type xprism.bat and see what error message is displayed. +

    +

    When I try to run PRISM on Windows, I get an error of the form:
    Can't load IA 32-bit .dll on a AMD 64-bit platform     +

    +
    +

    You are probably running a 32-bit Windows binary using a 64-bit version of Java. The version of PRISM (32- or 64-bit) needs to match Java. Either download the 64-bit binary for PRISM, or use a 32-bit version of Java. For the latter case, either make sure the right version of Java is first in your path or update the bin\xprism.bat (or bin\prism.bat) script, giving the full path to javaw at the end of the file. +

    +
    +

    Running PRISM on non-Windows platforms

    +

    When I try to run PRISM, I get an error of the form:
    Exception in thread "main" java.lang.NoClassDefFoundError: ...     +

    +
    +

    Check: +

    • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
    • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +
    +

    When I try to run PRISM, I get an error of the form:
    java.lang.UnsatisfiedLinkError: no prism in java.library.path     +

    +
    +

    Check: +

    • Did you run install.sh from the PRISM directory? (non-Windows platforms) +
    • If you compiled PRISM from source code, are you sure no errors occurred during the process? To check, go into the PRISM directory, type make clean_all and then re-compile, checking the output (especially at the end) carefully for any error messages. +

    Are you on a 64-bit machine? If so, make sure that you are running 64-bit versions of java and javac. (Look for "64-Bit Server VM" in the output of java -version). +

    +

    When I try to run PRISM, I get an error of the form:
    java.lang.UnsatisfiedLinkError: ...
    Library not loaded: ../../lib/libdd.dylib     +

    +
    +

    Are you running a new version of Mac OS X (notably El Capitan)? +This seems to have some problems. +A workaround is to change the path to the 'java' executable that runs PRISM. +You should find an installation of Java somewhere like this: +

    +

    /Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk +

    +

    (obviously the precise name will depend on the version you have) +Try running PRISM with the java executable to be found there, e.g. by running: +

    +

    PRISM_JAVA=/Library/Java/JavaVirtualMachines/jdk1.8.0_60.jdk/Contents/Home/bin/java prism +

    +

    or by replacing the value of PRISM_JAVA directly in the prism script +directly. +

    +

    When I try to run PRISM, I get an error of the form:
    Exception in thread "main" java.lang.UnsupportedClassVersionError: Bad version number in .class file     +

    +
    +

    Your version of Java is too old. Update or install a newer version of Oracle Java and then try again. +

    +

    When I try to run a (Linux) binary version of PRISM, I get an error saying that libstdc++.so.5 cannot be found or libstdc++.so.6 cannot be found. +

    +
    +

    This is usually due to a discrepancy between the version of Linux that was used to build the binary distribution and the version that you are using to run it. +

    +

    If the error message is about libstdc++.so.5, you will just need to install an old version of the libstdc++ library. This should be quite easy to find for most Linux distributions. On Fedora Core, for example, just type: yum install compat-libstdc++-33 as root. +

    +

    If the error message is about libstdc++.so.6, you are running an older version of Linux than the binary release was compiled for. The easiest solution is to compile PRISM yourself from the source code version instead. +

    +

    When I try to run PRISM, I get an error of the form:
    Exception in thread "main" java.lang.ExceptionInInitializerError
    at java.lang.Class.initializeClass(libgcj.so.7)
    at prism.PrismSettings.<init>(PrismSettings.java:297)     +

    +
    +

    You are not running the Oracle version of Java. You will need to install it. +

    +

    When I try to run PRISM, I get an error of the form:
    java.lang.UnsatisfiedLinkError: libprism: ... cannot restore segment prot after reloc: Permission denied     +

    +
    +

    This is likely to be caused by the default settings of SELinux on newer versions of Linux. Open up the "Security Level Configuration" (on Fedora, for example, this is found under "Administration | Security Level and Firewall" under the main menu or by running system-config-securitylevel). Look in the "Compatibility" section of the SELinux Policy settings and make sure "Allow the use of shared libraries with Text Relocation" is ticked. You may need to reboot for changes to take effect. +

    +

    Do I have to use Oracle's version of Java to build/run PRISM? +

    +
    +

    Currently, this seems to be the case. We will aim to address this in the future. +

    +
    +

    Compiling PRISM

    +

    When I try to compile PRISM, make seems to get stuck in an infinite loop +

    +
    +

    This is probably due to the detection of Java failing. Specify the location of your Java directory by hand, e.g. make JAVA_DIR=/usr/java/jdk1.6.0. See the Instructions page for more on this. +

    +

    When I try to compile PRISM, I get errors of the form:
    /usr/bin/libtool: for architecture: cputype (16777234) cpusubtype (0) file: -lSystem is not an object file (not allowed in a library)     +

    +
    +

    Are you compiling PRISM on Max OS X? If so, the likely explanation is that you have upgraded to a new version of Mac OS X but have not upgraded the developer tools (eg. XCode). Upgrade and try again. +

    +

    When I try to compile PRISM, nothing seems to happen +

    +
    +

    Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

    +

    When I try to compile PRISM, I get errors of the form:
    Unexpected end of line seen...
    or:
    make: Fatal error in reader: Makefile, line 58: Unexpected end of line seen...     +

    +
    +

    Perhaps you are not using the GNU version of make. Try typing make -v to find out. On some systems, GNU make is called gmake. +

    +

    When I try to compile PRISM, I get an error of the form:
    ./setup.sh: line 33: syntax error: unexpected end of file     +

    +
    +

    Are you building on Cygwin? And did you unpack PRISM using WinZip? If so, unpack from Cygwin, using tar xfz (or similar) instead. +

    +

    When I try to compile PRISM, I get an error of the form:
    Assembler messages: Fatal error: can't create ../../obj/dd/dd_abstr.o: No such file or directory     +

    +
    +

    Did you unpack PRISM using a graphical tool or file manager? If so, unpack using tar xfz (or similar) instead. +

    +

    When I try to compile PRISM, I get errors of the form:
    dirname: extra operand `Files/Java/jdk1.6.0_09/bin/javac' Try `dirname --help' for more information.     +

    +
    +

    This error occurs if the path to your Java distribution contains a space (a common example is when it is somewhere in "Program Files" on Windows). Hopefully, this will be fixed soon. A workaround is to move the java installation to e.g. C:\java. +

    +

    When I try to compile PRISM, I get an error of the form:
    /bin/sh: line 43: [: :/cygdrive/c/Program: binary operator expected...     +

    +
    +

    See answer to previous question. +

    +

    Do I have to use GNU make to build PRISM? +

    +
    +

    Strictly speaking, no, but you will have to modify the various PRISM Makefiles manually to overcome this. +

    +

    Can I build PRISM on operating systems other than those currently supported? +

    +
    +

    PRISM should be suitable for any Unix/Linux variant. +

    +

    The first thing you will need to do is compile CUDD (the BDD library used by and included in PRISM) on that platform. +Fortunately, CUDD has already been successfully built on a large number of +operating systems. Have a look at the sample Makefiles we provide (i.e. the +files cudd/Makefile.*) which are slight variants of the original Makefile +provided with CUDD (found here: cudd/modified/orig/Makefile). They contain +instructions on how to modify it for various platforms. You can then call +your new modified makefile something appropriate (cudd/Makefile.$OSTYPE) and +proceed to build PRISM as usual. To just build CUDD, not PRISM, type +make cuddpackage instead of make. +

    +

    Next, look at the main PRISM Makefile, in particular, each place where the +variable $OSTYPE is referred to. Most lines include comments and further +instructions. Once you have done this, proceed as usual. +

    +

    If you do successfully build PRISM on other platforms, please let us know +so we can include this information in future releases. Thanks. +

    +
    +

    Other issues

    +

    How do I uninstall PRISM? +

    +
    +

    If you installed PRISM on Windows using the self-extracting installer, you can uninstall it using the option on the start menu. If you didn't add these shortcuts, just run uninstall.exe from the directory where you installed PRISM. +

    +

    For older versions of PRISM on Windows or on any other platform, simply delete the directory containing it. +

    +

    The only thing that is not removed via either of these methods is the .prism file containing your PRISM settings which is in your home directory (see the section "Configuring PRISM"). You may wish to retain this when upgrading. +

    +

    I still have a problem installing/running PRISM. What can I do? +

    +
    +

    Please post a message in the discussion group (see the support section of the PRISM website). +

    +



    +

    +

    The PRISM Language

    +
    +

    Introduction

    +

    In order to construct and analyse a model with PRISM, +it must be specified in the PRISM language, +a simple, state-based language, +based on the Reactive Modules formalism of Alur and Henzinger [AH99]. +This is used for all of the types of model that PRISM supports. +

    +

    In this section, we describe the PRISM language and present a number of small illustrative examples. +A precise definition of the semantics of the language is available from the "Documentation" section of the PRISM web site. One of the best ways to learn what can be done with the PRISM language is to look at some existing examples. +A number of these are included with the tool distribution in the prism-examples directory. +Many additional examples can be found on the "Case Studies" section of the PRISM website. +

    +

    The fundamental components of the PRISM language are modules and variables. +A model is composed of a number of modules which can interact with each other. +A module contains a number of local variables. +The values of these variables at any given time constitute the state of the module. +The global state of the whole model is determined by the local state of all modules. +The behaviour of each module is described by a set of commands. +A command takes the form: +

    +
    +
    +
    [action] guard -> prob_1 : update_1 + ... + prob_n : update_n;
    +
    +
    [$[Get Code]]
    +
    + +

    The guard is a predicate over all the variables in the model (including those belonging to other modules). Each update describes a transition which the module can make if the guard is true. A transition is specified by giving the new values of the variables in the module, possibly as a function of other variables. Each update is assigned a probability (or in some cases a rate) which will be assigned to the corresponding transition. The command also optionally includes an action, either just to annotate it, or for synchronisation. +

    +

    Example 1

    +

    We will use the following simple example to illustrate the basic concepts of the PRISM language. +Consider a system comprising two identical processes which must operate under mutual exclusion. +Each process can be in one of 3 states: {0,1,2}. +From state 0, a process will move to state 1 with probability 0.2 +and remain in the same state with probability 0.8. +From state 1, it tries to move to the critical section: state 2. +This can only occur if the other process is not in its critical section. +Finally, from state 2, a process will either remain there or move back to state 0 +with equal probability. +The PRISM code to describe an MDP model of this system can be seen below. +In the next sections, we explain each aspect of the code in turn. +

    +
    +
    +
    // Example 1
    +// Two process mutual exclusion
    +
    +mdp
    +
    +module M1
    +
    +    x : [0..2] init 0;
    +
    +    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +    [] x=1 & y!=2 -> (x'=2);
    +    [] x=2 -> 0.5:(x'=2) + 0.5:(x'=0);
    +
    +endmodule
    +
    +module M2
    +
    +    y : [0..2] init 0;
    +
    +    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +    [] y=1 & x!=2 -> (y'=2);
    +    [] y=2 -> 0.5:(y'=2) + 0.5:(y'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 1 +

    +

    Model Type

    +

    As mentioned above, the PRISM language can be used to describe several types of probabilistic models. +To indicate which type is being described, a PRISM model usually includes a model type keyword: +

    +
    • dtmc: discrete-time Markov chain +
    • ctmc: continuous-time Markov chain +
    • mdp: Markov decision process (or probabilistic automaton) +
    • pta: probabilistic timed automaton +
    • pomdp: partially observable Markov decision process +
    • popta: partially observable probabilistic timed automaton +

    This is typically at the very start of the file, +but can actually occur anywhere in the file (except inside modules and other declarations). +

    +

    If no such model type declaration is included, the model is by default assumed to be an MDP. +PRISM also performs some auto-detection of the model type; +for example, an MDP with clock variables is assumed to be a PTA, +and an MDP with observables? is assumed to be a POMDP. +

    +

    Note: For compatibility with old versions of PRISM, +the keywords probabilistic, stochastic and nondeterministic +can be used as alternatives for dtmc, ctmc and mdp, respectively. +

    +
    +

    Modules And Variables

    +

    The previous example uses two modules, M1 and M2, one representing each process. +A module is specified as: +

    +
    +
    +
    module name ... endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The definition of a module contains two parts: its variables and its commands. +The variables describe the possible states that the module can be in; +the commands describe its behaviour, i.e. the way in which the state changes over time. +Currently, PRISM supports just a few simple types of variables: +they can either be (finite ranges of) integers or Booleans +(we ignore clocks for now). +

    +

    In the example above, each module has one integer variable with range [0..2]. +A variable declaration looks like: +

    +
    +
    +
    x : [0..2] init 0;
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the initial value of the variable is also specified. +A Boolean variable is declared as follows: +

    +
    +
    +
    b : bool init false;
    +
    +
    [$[Get Code]]
    +
    + +

    It is also possible to omit the initial value of a variable, +in which case it is assumed to be the lowest value in the range (or false for a Boolean). +Thus, the variable declarations shown below are equivalent to the ones above. +As will be described later, it is also possible to specify +multiple initial states for a model. +

    +
    +
    +
    x : [0..2];
    +b : bool;
    +
    +
    [$[Get Code]]
    +
    + +

    We also mention that, for a few kinds of model analysis (typically those based on simulation, such as approximate model checking or fast adaptive simulation, it is also permissable to use integer variables with unbounded ranges, denoted as: +

    +
    +
    +
    x : int;
    +y : int init 3;
    +
    +
    [$[Get Code]]
    +
    + +

    Where the state space of the model remains finite, despite the presence of such unbounded variables, you can use the explicit engine to build and analyse the model. +

    +

    Identifiers

    +

    The names given to modules and variables are referred to as identifiers. +Identifiers can be made up of letters, digits and the underscore character, but cannot begin with a digit, +i.e. they must satisfy the regular expression [A-Za-z_][A-Za-z0-9_]*, and are case-sensitive. +Furthermore, identifiers cannot be any of the following, which are all reserved keywords in PRISM: +A, +bool, +clock, +const, +ctmc, +C, +double, +dtmc, +E, +endinit, +endinvariant, +endmodule, +endobservables, +endrewards, +endsystem, +false, +formula, +filter, +func, +F, +global, +G, +init, +invariant, +I, +int, +label, +max, +mdp, +min, +module, +X, +nondeterministic, +observable, +observables, +of, +Pmax, +Pmin, +P, +pomdp, +popta, +probabilistic, +prob, +pta, +rate, +rewards, +Rmax, +Rmin, +R, +S, +stochastic, +system, +true, +U, +W. +

    +

    Commands

    +

    The behaviour of each module is described by commands, +comprising a guard and one or more updates. +The first command of module M1 in our example is: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    The guard x=0 indicates that this describes the behaviour of the module when the variable x has value 0. +The updates (x'=0) and (x'=1) and their associated probabilities state that the value of x will +remain at 0 with probability 0.8 and change to 1 with probability 0.2. +Note that the inclusion of updates in parentheses, e.g. (x'=1), is essential. +While older versions of PRISM did not report the absence of parentheses as an error, newer versions do. +Note also that PRISM will complain if the probabilities on the right hand side of a command do not sum to one. +

    +

    The second command: +

    +
    +
    +
    [] x=1 & y!=2 -> (x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    illustrates that guards can contain constraints on any variable, not just the ones in that module, +i.e. the behaviour of one module can depend on the state of another. +Updates, however, can only specify values for variables belonging to the module. +In general a module can read the variables of any other module, but only write to its own. +When a command comprises a single update with probability 1, the 1.0: can be omitted, +as is done in the example above. +

    +

    If a module has more than one variable, updates describe the new value for each of them. +For example, if it had two variables x1 and x2, a possible command would be: +

    +
    +
    +
    [] x1=0 & x2>0 & x2<10 -> 0.5:(x1'=1)&(x2'=x2+1) + 0.5:(x1'=2)&(x2'=x2-1);
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that elements of the updates are concatenated with & and that each element must be bracketed individually. +If an update does not give a new value for a local variable, it is assumed not to change. +As a special case, the keyword true can be used to denote an update where no variable's value changes, i.e. the following are all equivalent: +

    +
    +
    +
    [] x1>10 | x2>10 -> (x1'=x1)&(x2'=x2);
    +[] x1>10 | x2>10 -> (x1'=x1);
    +[] x1>10 | x2>10 -> true;
    +
    +
    [$[Get Code]]
    +
    + +

    Finally, it is important to remember that the expressions on the right hand side of each update refer to the state of the model before the update occurs. So, for example, this command: +

    +
    +
    +
    [] x1=0 & x2=1 -> (x1'=2)&(x2'=x1)
    +
    +
    [$[Get Code]]
    +
    + +

    updates variable x2 to 0, not 2. +

    +
    +

    Parallel Composition

    +

    The probabilistic model corresponding to a PRISM language description is constructed as the parallel composition of its modules. In every state of the model, there is a set of commands (belonging to any of the modules) which are enabled, i.e. whose guards are satisfied in that state. The choice between which command is performed (i.e. the scheduling) depends on the model type. +

    +

    For an MDP, as in Example 1, the choice is nondeterministic. By way of example, consider state (0,0) (i.e. x=0 and y=0). There are two commands enabled, one from each module: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    In state (0,0) of the MDP, there would be a nondeterministic choice between these two probability distributions: +

    +
    • 0.8:(0,0) + 0.2:(1,0) (module M1 moves) +
    • 0.8:(0,0) + 0.2:(0,1) (module M2 moves) +

    For a DTMC, the choice is probabilistic: each enabled command is selected with equal probability. +If Example 1 was a DTMC, then in state (0,0) of the model +the following probability distribution would result: +

    +
    • 0.8:(0,0) + 0.1:(1,0) + 0.1:(0,1) +

    For a CTMC, as will be discussed shortly, +the choice is modelled as a "race" between transitions. +

    +

    See the later sections on "Synchronisation" and "Process Algebra Operators" for other topics related to parallel composition. +

    +

    Local Nondeterminism

    +

    PRISM models that support nondeterminism, such as are MDPs, can also exhibit local nondeterminism, +which allows the modules themselves to make nondeterministic choices. +In Example 1, we can make the probabilistic choice in the first state of module M1 nondeterministic by replacing the command: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    with the commands: +

    +
    +
    +
    [] x=0 -> (x'=0);
    +[] x=0 -> (x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    Assuming we do the same for module M2, in state (0,0) of the MDP +there will be a nondeterministic choice between the three (trivial) probability distributions listed below. (There are three, not four, distributions because two possibilities result in identical behaviour: staying with probability 1 in the state state.) +

    +
    • 1.0:(0,0) +
    • 1.0:(1,0) +
    • 1.0:(0,1) +

    More generally, local nondeterminism can also arise when the guards of two commands overlap only partially, rather than completely as in the example above. +

    +

    PRISM also permits local nondeterminism in models which are DTMCs, +although the nondeterministic choice is randomised when the parallel composition of the modules occurs. +Since the appearance of nondeterminism in a DTMC is often the result of +a user error in the model specification, PRISM displays a warning when local nondeterminism is detected in a DTMC. +Overlapping guards in CTMCs are not treated as nondeterministic choices. +

    +
    +

    CTMCs

    +

    Specifying the behaviour of a continuous-time Markov chain (CTMC) +is done in similar fashion to a DTMC or an MDP, as discussed so far. +The main difference is that updates in commands are +labelled with (positive-valued) rates, rather than probabilities. +The notation used in commands, however, to associate rates to transitions is identical to +the one used to assign probabilities: +

    +
    +
    +
    rate_1:update_1 + rate_2:update_2 + ...
    +
    +
    [$[Get Code]]
    +
    + +

    In a CTMC, when multiple possible transitions are available in a state, a race condition occurs +(see e.g. [KNP07a] for more details). +In terms of PRISM commands, this can arise in several ways. +Firstly, within in a module, multiple transitions can be specified either as several different updates in a command, or as multiple commands with overlapping guards. The following, for example. are equivalent: +

    +
    +
    +
    [] x=0 -> 50:(x'=1) + 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] x=0 -> 50:(x'=1);
    +[] x=0 -> 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    Furthermore, parallel composition between modules in a CTMC is modelled as a race condition, +rather as a nondeterministic choice, like for MDPs. +

    +

    Example 2

    +

    We now introduce a second example: a CTMC that models an N-place queue of jobs and +a server which removes jobs from the queue and processes them. +The PRISM code is as follows: +

    +
    +
    +
    // Example 2
    +// N-place queue + server
    +
    +ctmc
    +
    +const int N = 10;
    +const double mu = 1/10;
    +const double lambda = 1/2;
    +const double gamma = 1/3;
    +
    +module queue
    +     q : [0..N];
    +
    +     [] q<N -> mu:(q'=q+1);
    +     [] q=N -> mu:(q'=q);
    +     [serve] q>0 -> lambda:(q'=q-1);
    +endmodule
    +
    +module server
    +     s : [0..1];
    +
    +     [serve] s=0 -> 1:(s'=1);
    +     [] s=1 -> gamma:(s'=0);
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 2 +

    +

    This example also introduces a number of other PRISM language concepts, +including constants, action labels and synchronisation. +These are described in the following sections. +

    +

    Constants

    +

    PRISM supports the use of constants, as seen in Example 2. +Constants can be integers, doubles or Booleans +and can be defined using literal values or as constant expressions (including in terms of each other) using the const +keyword. For example: +

    +
    +
    +
    const int radius = 12;
    +const double pi = 3.141592;
    +const double area = pi * radius * radius;
    +const bool yes = true;
    +
    +
    [$[Get Code]]
    +
    + +

    The identifiers used for their names are subject to the same rules as variables. +

    +

    Constants can be used anywhere that a constant value would be expected, +such as the lower or upper range of a variable (e.g. N in Example 2), +the probability or rate associated with an update (mu in Example 2), +or anywhere in a guard or update. +As will be described later constants can also be left undefined +and specified later, either to a single value or a range of values, using experiments. +

    +

    Note: For the sake of backward-compatibility, the notation used in earlier versions of PRISM +(const for const int and rate or prob for const double) is still supported. +

    +

    Expressions

    +

    The definition of the area constant, in the example above, uses an expression. +We now define more precisely what types of expression are supported by PRISM. +Expressions can contain literal values (12, 3.141592, true, false, etc.), +identifiers (corresponding to variables, constants, etc.) and operators from the following list: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +

    All of these operators except ? are left associative +(i.e. they are evaluated from left to right). +The precedence of the operators is as found in the list above, +most strongly binding operators first. +Operators on the same line (e.g. + and -) are of equal precedence. +

    +

    Much of the notation for expressions is hence essentially equivalent to that of C/C++ or Java. +One notable exception to this is that the division operator / always performs floating point, not integer, division, +i.e. the result of 22/7 is 3.142857... not 3. +All expressions must evaluate correctly in terms of type (integer, double or Boolean). +

    +

    Built-in Functions +

    +

    Expressions can make use of several built-in functions: +

    +
    • min(...) and max(...), which select the minimum and maximum value, respectively, of two or more numbers +
    • floor(x) and ceil(x), which round x down and up, respectively, to the nearest integer +
    • round(x), which rounds x to the nearest integer (note, in a tie-break, we always round up, e.g. round(-1.5) gives -1 not -2) +
    • pow(x,y) which computes x to the power of y +
    • mod(i,n) for integer modulo operations +
    • log(x,b), which computes the logarithm of x to base b +

    Examples of their usage are: +

    +
    +
    +
    min(x+1, x_max)
    +max(a,b,c)
    +floor(13.5)
    +ceil(13.5)
    +round(13.5)
    +pow(2, 8)
    +pow(9.0, 0.5)
    +mod(1977, 100)
    +log(123, 2.71828183)
    +
    +
    [$[Get Code]]
    +
    + +

    For compatibility with older versions of PRISM, all functions can also be expressed via the func keyword, e.g. func(floor, 13.5). +

    +

    Use of Expressions +

    +

    Expressions can be used in a wide range of places in a PRISM language description, e.g.: +

    +
    • constant definitions +
    • lower/upper bounds and initial values for variables +
    • guards +
    • probabilities/rates +
    • updates +

    This allows, for example, the probability in a command to be dependent on the current state: +

    +
    +
    +
    [] (x>=1 & x<=10) -> x/10 : (x'=max(1,x-1)) + 1-x/10 : (x'=min(10,x+1))
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Synchronisation

    +

    Another feature of PRISM introduced in Example 2 is synchronisation. +In the style of many process algebras, we allow commands to be labelled with actions. +These are placed inside the square brackets which mark the start of the command, +for example serve in this command from Example 2: +

    +
    +
    +
    [serve] q>0 -> lambda:(q'=q-1);
    +
    +
    [$[Get Code]]
    +
    + +

    These actions can be used to force two or more modules to make transitions simultaneously +(i.e. to synchronise). +For example, in state (3,0) (i.e. q=3 and s=0), +the composed model can move to state (2,1), +synchronising over the serve action. +The rate of this transition is equal to the product of the two individual rates +(in this case, lambda * 1 = lambda). +The product of two rates does not always meaningfully represent the rate of a synchronised transition. +A common technique, as seen here, is to make one action passive, with rate 1 and one action active, +which actually defines the rate for the synchronised transition. +By default, all modules are combined using the standard CSP parallel composition +(i.e. modules synchronise over all their common actions). +

    +

    Module Renaming

    +

    PRISM also supports module renaming, which allows duplication of modules. +In Example 1, module M2 is identical to module M1 so we can in fact replace its entire definition with: +

    +
    +
    +
    module M2 = M1 [ x=y, y=x ] endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    All of the variables in the module being renamed (in this case, just x) must be renamed to new, unused names. Optionally, it is also possible to rename other aspects of the module definition. In fact, the renaming is done at a textual level, so any identifiers (including action labels, constants and functions) used in the module definition can be changed in this way. +

    +

    Note: Care should be taken when renaming modules that make use of formulas. +

    +

    Multiple Initial States

    +

    Typically, a variable declaration +specifies the initial value for that variable. +The initial state for the model is then defined by the initial value for all variables. +It is possible, however, to specify that a model has multiple initial states. +This is done using the init...endinit construct, +which can be placed anywhere in the file except within a module definition, +and removing any initial values from variable declarations. +Between the init and endinit keywords, there should be a +predicate over all the variables of the model. +Any state which satisfies this predicate is an initial state. +

    +

    Consider again Example 1. +As it stands, there is a single initial state (0,0) (i.e. x=0 and y=0). +If we remove the init 0 part of both variable declarations +and add the following to the end of the file: +

    +
    +
    +
    init x=0 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    there will be three initial states: (0,0), (0,1) and (0,2). +Similarly, we could instead add: +

    +
    +
    +
    init x+y=1 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    in which case there would be two initial states: (0,1) and (1,0). +

    +

    Global Variables

    +

    In addition to the local variables belonging to each module, a PRISM model can also include global variables, +which can be written to, as well as read, by all modules. +Like local variables, these can be integers or Booleans. +Global variables are declared in identical fashion to a module's local variables, +except that the declaration must not be inside the definition of any module. +Some example declarations are as follows: +

    +
    +
    +
    global g : [1..10];
    +global b : bool init true;
    +
    +
    [$[Get Code]]
    +
    + +

    A global variable can be modified by any module and provides another way for modules to interact. +An important restriction on the use of global variables is the fact that commands which synchronise with other modules +(i.e. those with an action label attached; see the section "Synchronisation") cannot modify global variables. +PRISM will detect this and report an error. +

    +

    Formulas And Labels

    +

    PRISM models can include formulas which are used to avoid duplication of code. +A formula comprises a name (an identifier) and an expression. +The formula name can then be used as shorthand for the expression anywhere an expression might usually be accepted. +A formula is defined as follows: +

    +
    +
    +
    formula num_tokens = q1+q2+q3+q+q5;
    +
    +
    [$[Get Code]]
    +
    + +

    It can then be used anywhere within that file, as for example in this command: +

    +
    +
    +
    [] p1=2 & num_tokens=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    The effect is exactly as if the following had been typed: +

    +
    +
    +
    [] p1=2 & (q1+q2+q3+q+q5)=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    Formulas defined in a model can also be used when specifying its properties. +

    +

    Formulas and renaming

    +

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself. +

    +

    Labels

    +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    +

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; +secondly, they are written using quotation marks ("..."), as illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Costs And Rewards

    +

    PRISM supports the specification and analysis of +properties based on costs and rewards. +This means that it can be used to reason, +not just about the probability that a model behaves in a certain fashion, +but about a wider range of quantitative measures relating to model behaviour. +For example, PRISM can be used to compute properties such as +"expected time", "expected number of lost messages" or "expected power consumption". +The implementation of cost- and reward-based techniques in the tool is only partially completed and is still ongoing. +If you have questions, comments or feature-requests relating to this functionality, +please feel free to contact the PRISM team about this. +

    +

    The basic idea is that probabilistic models (of all types) developed in PRISM +can be augmented with costs or rewards: real values associated with certain states or transitions of the model. +In fact, since there is no practical distinction between costs and rewards +(except that costs are generally perceived to be "bad" and rewards to be "good"), +PRISM only supports rewards. +The user is, however, free to interpret the values however they choose. +

    +

    In this section, we describe how models described in the PRISM language +can be augmented with rewards. +Later, we will discuss how to express properties that relate to these rewards. +Rewards are associated with models using rewards ... endrewards constructs, +which can appear anywhere in a model file except within a module definition. +These constructs contains one or more reward items. +Consider the following simple example: +

    +
    +
    +
    rewards
    +    true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    This assigns a reward of 1 to every state of the model. +It comprises a single reward item, the left part of which (true) is a guard +and the right part of which (1) is a reward. +States of the model which satisfy the predicate in the guard are assigned the corresponding reward. +More generally, state rewards can be specified using multiple reward items, +each of the form guard : reward;, +where guardis a predicate (over all the variables of the model) +and reward is an expression (containing any variables, constants, etc. from the model). +For example: +

    +
    +
    +
    rewards
    +    x=0 : 100;
    +    x>0 & x<10 : 2*x;
    +    x=10 : 100;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 100 to states satisfying x=0 or x=10 +and a reward of 2*x to states satisfying x>0 & x<10. +Note that a single reward item can assign different rewards to different states, +depending on the values of model variables in each one. +Any states which do not satisfy the guard of any reward item will have no reward assigned to them. +For states which satisfy multiple guards, the reward assigned to the state +is the sum of the rewards for all the corresponding reward items. +

    +

    Rewards can also be assigned to transitions of a model. +These are specified in a similar fashion to state rewards, +within the rewards ... endrewards construct. +Reward items describing transition rewards are of the form [action] guard : reward;, +the interpretation being that transitions from states which satisfy the guard guard +and are labelled with the action action acquire the reward reward. +For example: +

    +
    +
    +
    rewards
    +    [] true : 1;
    +    [a] true : x;
    +    [b] true : 2*x;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 1 to all transitions in the model with no action label, +and rewards of x and 2*x to all transitions labelled with actions a and b, respectively. +

    +

    As is the case for states, multiple reward items can specify rewards for a single transition, +in which case the resulting reward is the sum of all the individual rewards. +A model description can specify rewards for both states and transitions. +These are all placed together in a single rewards...endrewards construct. +

    +

    A PRISM model can have multiple reward structures. Optionally, these can be given labels such as in the following example: +

    +
    +
    +
    rewards "total_time"
    +    true : 1;
    +endrewards
    +
    +rewards "num_failures"
    +    [fail] true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Real-time Models

    +

    So far in this section, we have mainly focused on three types of models: DTMCs, MDPs and CTMCs, +in which all the variables making up their state are finite. +PRISM also supports real-time models, in particular, +probabilistic timed automata (PTAs), which extend MDPs with the ability to model real-time behaviour. +This is done in the style of timed automata [AD94], by adding clocks, +real-valued variables which increase with time and can be reset. For background material on PTAs, see for example [NPS13]. +You can also find several example PTA models included in the PRISM distribution. Look in the prism-examples/ptas directory. +

    +

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA: +

    +
    +

    and here is a corresponding PRISM model: +

    +
    +
    +
    pta
    +
    +module M
    +
    +    s : [0..2] init 0;
    +    x : clock;
    +
    +    invariant
    +        (s=0 => x<=2) &
    +        (s=2 => x<=3)
    +    endinvariant
    +
    +    [send] s=0 & x>=1 -> 0.9:(s'=1)&(x'=0) + 0.1:(s'=2)&(x'=0);
    +    [retry] s=2 & x>=2 -> 0.95:(s'=1) + 0.05:(s'=2)&(x'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    +

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0. +

    +

    The other new addition is an invariant construct, which is used to specify an expression describing the clock invariants for each PRISM module. These impose restrictions on the allowable values of clock variables, depending on the values of the other non-clock variables. The invariant construct should appear between the variable declarations and the commands of the module. Often, clock invariants are described separately for each PTA location; hence, the invariant will often take the form of a conjunction of implications, as in the example model above, but more general expressions are also permitted. In the example, the clock x must satisfy x<=2 or x<=3 when local variables s is 0 or 2, respectively. If s is 1, there is no restriction (since the invariant is effectively true in this case). +

    +

    Expressions that include reference to clocks, whether in guards or invariants, must satisfy certain conditions to facilitate model checking. In particular, references to clocks must appear as conjunctions of simple clock constraints, i.e. conjunctions of expressions of the form x~c or x~y where x and y are clocks, c is an integer-valued expression and ~ is one of <, <=, >=, >, =). +

    +

    There are also some additional restrictions imposed on PTA models that are dependent on which of the PTA model checking engines is in use. +

    +

    For the stochastic games and backwards reachability engines: +

    +
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +

    For the digital clocks engine: +

    +
    • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. +
    • Diagonal clock constraints are not allowed, i.e. those containing references to two clocks, such as x<=y. +

    Finally, PRISM makes several assumptions about PTAs, regardless of the engine used. +

    +
    • Firstly PTAs should not exhibit timelocks, i.e. the possibility of reaching a state where no transitions are possible and time cannot elapse beyond a certain point (due to invariant conditions). PRISM checks for timelocks and reports an error if one is found. +
    • Secondly, PTAs should be well-formed and non-zeno (see e.g. [KNSW07] for details). Currently, PRISM does not check automatically that these assumptions are satisfied. +
    +

    Partially Observable Models

    +

    PRISM supports analysis of partially observable probabilistic models, +most notably partially observable Markov decision processes (POMDPs), +but also partially observable probabilistic timed automata (POPTAs). +POMDPs are a variant of MDPs in which the strategy/policy +which resolves nondeterministic choices in the model is unable to +see the precise state of the model, but instead just observations of it. +For background material on POMDPs and POPTAs, see for example [NPZ17]. +You can also find several example models included in the PRISM distribution. +Look in the prism-examples/pomdps and prism-examples/poptas directories. +

    +

    PRISM currently supports state-based observations: +this means that, upon entering a new POMDP state, +the observation is determined by that state. +In the same way that a model state comprises the values or one or more variables, +an observation comprises one or more observables. +There are several way to define these observables. +The simplest is to specify a subset of the model's variables +that are designated as being observable. The rest are unobservable. +

    +

    For example, in a POMDP with 3 variables, s, l and h, the following: +

    +
    +
    +
    observables s, l endobservables
    +
    +
    [$[Get Code]]
    +
    + +

    specifies that s and l are observable and h is not. +

    +

    Alternatively, observables can be specified as arbitrary expressions over variables. +For example, assuming the same variables s, l and h, this specification: +

    +
    +
    +
    observable "s" = s;
    +observable "pos" = l>0;
    +
    +
    [$[Get Code]]
    +
    + +

    defines 2 observables. The first is, as above, the variable s. +The second, named "pos", determines if variable l is positive. +Other than this, the values of l and h are unobservable. +The named observables can then be used in properties +in the same way that labels can. +

    +

    The above two styles of definition can also be mixed +to specify a combined set of observables. +

    +

    POPTAs (partially observable PTAs) combine the features of both PTAs and POMDPs. +They are are currently analysed using the digital clocks engine, +so inherit the restrictions for that engine. +Furthermore, for a POPTA, all clock variables must be observable. +

    +

    Uncertain models

    +

    PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

    +

    Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

    +
    +
    +
    [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

    +
    +
    +
    [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    See the property specification section for details of how these models are analysed. +

    +

    Process Algebra Operators

    +

    To make the concept of synchronisation described above more powerful, +PRISM allows you to define precisely the way in which the set of modules are composed in parallel. +This is specified using the system ... endsystem construct, +placed at the end of the model description, which should contain a process-algebraic expression. +This expression should feature each module exactly once, and can use the following (CSP-based) operators: +

    +
    • M1 || M2 : alphabetised parallel composition of modules M1 and M2 (synchronising on only actions appearing in both M1 and M2) +
    • M1 ||| M2 : asynchronous parallel composition of M1 and M2 (fully interleaved, no synchronisation) +
    • M1 |[a,b,...]| M2 : restricted parallel composition of modules M1 and M2 (synchronising only on actions from the set {a, b,...}) +
    • M / {a,b,...} : hiding of actions {a, b, ...} in module M +
    • M {a<-b,c<-d,...} : renaming of actions a to b, c to d, etc. in module M. +

    The first two types of parallel composition (|| and |||) are associative and can be applied to more than two modules at once. +When evaluating the expression, the hiding and renaming operators bind more tightly than the three parallel composition operators. +No other rules of precedence are defined and parentheses should be used to specify the order in which modules are composed. +

    +

    Some examples of expressions which could be included in the system ... endsystem construct are as follows: +

    +
    • (station1 ||| station2 ||| station3) |[serve]| server +
    • ((P1 |[a]| P2) / {a}) || Q +
    • ((P1 |[a]| P2) {a<-b}) |[b]| Q +

    When no parallel composition is specified by the user, +PRISM implicitly assumes an expression of the form M1 || M2 || ... containing all of the modules in the model. +For a more formal definition of the process algebra operators described above, check the semantics of the PRISM language, available from the "Documentation" section of the PRISM web site. +

    +

    PRISM is also able to import model descriptions written in (a subset of) the stochastic process algebra PEPA [Hil96]. +

    +

    PRISM Model Files

    +

    Files containing model descriptions written in the PRISM language +can contain any amount of white space (spaces, tabs, new lines, etc.), +all of which is ignored when the file is parsed by the tool. +Comments can also be used included in files in the style of the C programming language, +by preceding them with the characters //. +This is illustrated by the PRISM language examples from earlier in this section. +

    +

    We recommend that the .prism extension is used for PRISM model files. +Historically (when the tool supported fewer types of model), +different extensions were often used for each model type: +.nm for MDPs or PTAs, .pm for DTMCs and .sm for CTMCs. +

    +



    +

    +

    Property Specification

    +
    +

    Introduction

    +

    In order to analyse a probabilistic model which has been specified and constructed in PRISM, +it is necessary to identify one or more properties of the model +which can be evaluated by the tool. +PRISM's property specification language subsumes several well-known probabilistic temporal logics, including PCTL, CSL, probabilistic LTL and PCTL*. +PCTL is used for specifying properties of discrete-time models such as DTMCs or PTAs, +and also real-time models such as PTAs; CSL is an extension of PCTL for CTMCs; +LTL and PCTL* can be used to specify properties of +discrete-time models (or untimed properties of CTMCs). +PRISM also supports most of the (non-probabilistic) temporal logic CTL. +

    +

    In fact, PRISM also supports numerous additional customisations and extensions of these two logics. +Full details of the property specifications permitted in PRISM are provided in the following sections. The presentation given here is relatively informal. For the precise syntax and semantics of the various logics, see [HJ94],[BdA95] for PCTL, [ASSB96],[BKH99] for CSL and, for example, [Bai98] for LTL and PCTL*. You can also find various pointers to useful papers in the About and Documentation sections of the PRISM website. +

    +

    Before discussing property specifications in more detail, +it is perhaps instructive to first illustrate some typical examples of properties which PRISM can handle. +The following are a selection of such properties. +In each case, we give both the PRISM syntax and a natural language translation: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the algorithm eventually terminates successfully with probability 1" +

    +
    +
    +
    "P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that more than 5 errors occur within the first 100 time units is less than 0.1" +

    +
    +
    +
    S<0.01 [ num_sensors < min_sensors ]
    +
    +
    [$[Get Code]]
    +
    + +

    "in the long-run, the probability that an inadequate number of sensors are operational is less than 0.01" +

    +

    Note that the above properties are all assertions, +i.e. ones to which we would expect a "yes" or "no" answer. +This is because all references to probabilities are associated with an upper or lower bound +which can be checked to be either true or false. +In PRISM, we can also directly specify properties which evaluate to a numerical value, e.g.: +

    +
    +
    +
    P=? [ !proc2_terminate U proc1_terminate ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that process 1 terminates before process 2 does" +

    +
    +
    +
    Pmax=? [ F<=T messages_lost > 10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the maximum probability that more than 10 messages have been lost by time T" (for an MDP/PTA) +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the long-run probability that the queue is more than 75% full" +

    +

    Furthermore, PRISM makes it easy to combine such properties into more complex expressions, +compute their values for a range of parameters +and plot graphs of the results using experiments. +This is often a very useful way of identifying interesting +patterns or trends in the behaviour of a system. +See the Case Studies section of the PRISM website for many examples of this kind of analysis. +

    +

    Identifying A Set Of States

    +

    One of the most fundamental tasks when specifying properties of a model +is to identify particular sets or classes of states of the model. +For example, to verify a property such as +"the algorithm eventually terminates successfully with probability 1", +it is first necessary to identify the states of the model +which correspond to situations where "the algorithm has terminated successfully". +In terms of the way temporal logics are usually presented, +these correspond to atomic propositions. +

    +

    In PRISM, this is achieved simply by writing an expression in the PRISM language which evaluates to a Boolean value. This expression will typically contain references to variables (and constants) from the model to which it relates. The set of states corresponding to this expression is those for which it evaluates to true. We say that the expression is "satisfied" in these states. +

    +

    For example, in the property given above: +

    +
    +
    +
    P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    the expression num_errors > 5 is used to identify states of the model where more than 5 errors have occurred. +

    +

    It is also common to use labels to identify states in this way, like "terminate" in the example: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    Properties can refer to labels either from the model to which the property relates, or included in the same properties file. +

    +

    The P Operator

    +

    One of the most important operators in the PRISM property specification language is the P operator, which is used to reason about the probability of an event's occurrence. This operator was originally proposed in the logic PCTL but also features in the other logics supported by PRISM, such as CSL. The P operator is applicable to all types of models supported by PRISM. +

    +

    Informally, the property: +

    +
    +
    +
    P bound [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a model if +"the probability that path property pathprop is satisfied by the paths from state s +meets the bound bound". +A typical example of a bound would be: +

    +
    +
    +
    P>0.98 [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the probability that pathprop is satisfied by the paths from state s is greater than 0.98". More precisely, bound can be any of >=p, >p, <=p or <p, +where p is a PRISM language expression evaluating to a double in the range [0,1]. +

    +

    The types of path property supported by PRISM and their semantics will be discussed shortly. +

    +

    Nondeterminism

    +

    For models that can exhibit nondeterministic behaviour, such as MDPs or PTAs, some additional clarifications are necessary. Whereas for fully probabilistic models such as DTMCs and CTMCs, probability measures over paths are well defined (see e.g. [KSK76] and [BKH99], respectively), for nondeterministic models a probability measure can only be feasibly defined once all nondeterminism has been removed. +

    +

    Hence, the actual meaning of the property P bound [ pathprop ] in these cases is: +"the probability that pathprop is satisfied by the paths from state s +meets the bound bound for all possible resolutions of nondeterminism". +This means that, properties using the P operator then effectively reason about the +minimum or maximum probability, over all possible resolutions of nondeterminism, +that a certain type of behaviour is observed. +This depends on the bound attached to the P operator: +a lower bound (> or >=) relates to minimum probabilities +and an upper bound (< or <=) to maximum probabilities. +

    +

    Quantitative properties

    +

    It is also very often useful to take a quantitative approach to probabilistic model checking, computing the actual probability that some behaviour of a model is observed, +rather than just verifying whether or not the probability is above or below a given bound. +Hence, PRISM allows the P operator to take the following form: +

    +
    +
    +
    P=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    These properties return a numerical rather than a Boolean value. +The S and R operators, discussed later, can also be used in this way. +

    +

    As mentioned above, for nondeterministic models (MDPs or PTAs), either minimum or maximum probability values can be computed. Therefore, in this case, we have two possible types of property: +

    +
    +
    +
    Pmin=? [ pathprop ]
    +Pmax=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which return the minimum and maximum probabilities, respectively. +

    +

    It is also possible to specify to which state the probability returned by a quantitative property refers. This is covered in the later section on filters. +

    +

    Path properties

    +

    PRISM supports a wide range of path properties that can be used with the P operator. +A path property is a formula that evaluates to either true or false for a single path in a model. +Here, we review some of the simpler properties that feature a single temporal operator, +as used for example in the logics PCTL and CSL. Later, we briefly describe how PRISM also supports more complex LTL-style path properties. +

    +

    The basic different types of path property that can be used inside the P operator are: +

    +
    • X : "next" +
    • U : "until" +
    • F : "eventually" (sometimes called "future") +
    • G : "always" (sometimes called "globally") +
    • W : "weak until" +
    • R : "release" +

    In the following sections, we describe each of these temporal operators. We then discuss the (optional) use of time bounds with these operators. Finally, we also discuss LTL-style path properties. +

    +

    "Next" path properties

    +

    The property X prop is true for a path if prop is true in its second state, +An example of this type of property, used inside a P operator, is: +

    +
    +
    +
    P<0.01 [ X y=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of the expression y=1 being true in the next state is less than 0.01". +

    +

    "Until" path properties

    +

    The property prop1 U prop2 is true for a path if +prop2 is true in some state of the path and prop1 is true in all preceding states. +A simple example of this would be: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually equal to 2, and that z remains less than 2 up until that point, is greater than 0.5". +

    +

    "Eventually" path properties

    +

    The property F prop is true for a path if prop eventually becomes true at some point along the path. The F operator is in fact a special case of the U operator (you will often see F prop written as true U prop). A simple example is: +

    +
    +
    +
    P<0.1 [ F z>2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually greater than 2is less than 0.1". +

    +

    "Globally" path properties

    +

    Whereas the F operator is used for "reachability" properties, G represents "invariance". The property G prop is true of a path if prop remains true at all states along the path. Thus, for example: +

    +
    +
    +
    P>=0.99 [ G z<10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    states that, with probability at least 0.99, z never exceeds 10. +

    +

    "Weak until" and "release" path properties

    +

    Like F and G, the operators W and R are derivable from other temporal operators. +

    +

    Weak until (a W b), which is equivalent to (a U b) | G a, requires that a remains true until b becomes true, but does not require that b ever does becomes true (i.e. a remains true forever). For example, a weak form of the until example used above is: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which states that, with probability greater than 0.5, either z is always less than 2, or it is less than 2 until the point where z is 2. +

    +

    Release (a R b), which is equivalent to !(!a U !b), informally means that b is true until a becomes true, or b is true forever. +

    +

    +

    "Bounded" variants of path properties

    +

    All of the temporal operators given above, with the exception of X, have "bounded" variants, where an additional time bound is imposed on the property being satisfied. +The most common case is to use an upper time bound, i.e. of the form "<=t" or "<t", where t is a PRISM expression evaluating to a constant, non-negative value. +

    +

    For example, a bounded until property prop1 U<=t prop2, is satisfied along a path if prop2 becomes true within t steps and prop1 is true in all states before that point. +A typical example of this would be: +

    +
    +
    +
    P>=0.98 [ y<4 U<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of y first exceeding 3 within 7 time units is greater than or equal to 0.98". Similarly: +

    +
    +
    +
    P>=0.98 [ F<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state if "the probability of y being equal to 4 within 7 time units is greater than or equal to 0.98" and: +

    +
    +
    +
    P>=0.98 [ G<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true if the probability of y staying equal to 4 for 7 time units is at least 0.98. +

    +

    The time bound can be an arbitrary (constant) expression, +but note that you may need to bracket it, +as in the following example: +

    +
    +
    +
    P>=0.98 [ G<=(2*k+1) y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use lower time-bounds (i.e. >=t or >t) and time intervals [t1,t2], e.g.: +

    +
    +
    +
    P>=0.98 [ F>=10 y=4 ]
    +P>=0.98 [ F[10,20] y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which refer to the probability of y becoming equal to 4 after 10 or more time units, and after between 10 and 20 time-units respectively. +

    +

    For CTMCs, the time bounds can be any (non-negative) numerical values - they are not restricted to integers, as for discrete-time models. +For example: +

    +
    +
    +
    P>=0.25 [ y<=1 U<=6.5 y>1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    means that the probability of y being greater than 1 within 6.5 time-units (and remaining less than or equal to 1 at all preceding time-points) is at least 0.25. +

    +

    Transient probabilities

    +

    We can also use the bounded F operator to refer to a single time instant, e.g.: +

    +
    +
    +
    P=? [ F[10,10] y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    or, equivalently: +

    +
    +
    +
    P=? [ F=10 y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    both of which give the probability of y being 6 at time instant 10. +

    +

    +

    LTL-style path properties

    +

    PRISM also supports probabilistic model checking of the temporal logic LTL (and, in fact, PCTL*). LTL provides a richer set of path properties for use with the P operator, by permitting temporal operators to be combined. Here are a few examples of properties expressible using this functionality: +

    +
    +
    +
    P>0.99 [ F ( "request" & (X "ack") ) ]
    +
    +
    [$[Get Code]]
    +
    + +

    "with probability greater than 0.99, a request is eventually received, followed immediately by an acknowledgement" +

    +
    +
    +
    P>=1 [ G F "send" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "a message is sent infinitely often with probability 1" +

    +
    +
    +
    P=? [ F G ("error" & !"repair") ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of an error occurring that is never repaired” +

    +

    Note that logical operators have precedence over temporal ones, so you will often need to include parentheses when using logical operators, e.g.: +

    +
    +
    +
    P=? [ (F "error1") & (F "error2") ]
    +
    +
    [$[Get Code]]
    +
    + +

    For temporal operators, unary operators (such as F, G and X) have precedence over binary ones (such as U). Unary operators can be nested, without parentheses, but binary ones cannot. +

    +

    So, these are allowed: +

    +
    +
    +
    P=? [ F X X X "a" ]
    +P=? [ "a" U X X X "error" ]
    +P=? [ ("a" U "b") U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    but this is not: +

    +
    +
    +
    P=? [ "a" U "b" U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +
    +

    The S Operator

    +

    The S operator is used to reason about the steady-state behaviour of a model, +i.e. its behaviour in the long-run or equilibrium. +PRISM currently only provides support for DTMCs and CTMCs. +The definition of steady-state (long-run) probabilities for finite DTMCS and CTMCs is well defined (see e.g. [Ste94]). +Informally, the property: +

    +
    +
    +
    S bound [ prop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a DTMC or CTMC if +"starting from s, the steady-state (long-run) probability of being in a state which satisfies the (Boolean-valued) PRISM property prop, meets the bound bound". +A typical example of this type of property would be: +

    +
    +
    +
    S<0.05 [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the long-run probability of the queue being more than 75% full is less than 0.05". +

    +

    Like the P operator, the S operator can be used in a quantitative form, which returns the actual probability value, e.g.: +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    and can be further customised with the use of filters. +

    +

    Reward-based Properties

    +

    PRISM models can be augmented with information about rewards (or, equivalently, costs). +The tool can analyse properties which relate to the expected values of these rewards. +This is achieved using the R operator, which works in a similar fashion to the +P and S operators, and can be used either in a Boolean-valued query, e.g.: +

    +
    +
    +
    R bound [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where bound takes the form <r, <=r, >r or >=r for an expression r evaluating to a non-negative double, +or a real-valued query, e.g.: +

    +
    +
    +
    R query [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where query is =?, min=? or max=?. +In the latter case, filters can be used, as for the P and S operators. +

    +

    Informally, "R bound [ rewardprop ]" is true in a state of a model if +"the expected reward associated with rewardprop of the model when starting from that state'' +meets the bound bound and "R query [ rewardprop ]" returns the actual expected reward value. +

    +

    There are various different types of reward properties: +

    +
    • "reachability reward": F prop +
    • "co-safe LTL reward": e.g. F (prop1 & F prop2) +
    • "cumulative reward" : C<=t +
    • "total reward" : C +
    • "instantaneous reward" : I=t +
    • "steady-state reward" : S. +

    Below, we consider each of these cases in turn. +The descriptions here are kept relatively informal. +Precise definitions for most of these can be found in, for example, +[KNP07a] (for DTMCs and CTMCs) or [FKNP11] (for MDPs). +

    +

    "Reachability reward" properties

    +

    "Reachability reward" properties associate a reward with each path of a model. +More specifically, they refer to the reward accumulated along a path until a certain point is reached. +The manner in which rewards are accumulated depends on the model type. +For DTMCs and MDPs, the total reward for a path is the sum of the state rewards for each state along the path +plus the sum of the transition rewards for each transition between these states. +The situation for CTMCs is similar, except that the state reward assigned to each state +of the model is interpreted as the rate at which rewards are accumulated in that state, +i.e. if t time units are spent in a state with state reward r, +the reward accumulated in that state is r x t. +Hence, the total reward for a path in a CTMC is the sum of these products for each state along the path +plus the sum of the transition rewards for each transition between these states. +

    +

    The reward property "F prop" corresponds to the reward cumulated along a path +until a state satisfying property prop is reached, +where rewards are cumulated as described above. +State rewards for the prop-satisfying state reached are not included in the cumulated value. +In the case where the probability of reaching a state satisfying prop is less than 1, the reward is equal to infinity. +

    +

    A common application of this type of property is the case when the rewards associated with the model correspond to time. +One can then state, for example: +

    +
    +
    +
    R<=9.5 [ F z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "the expected time taken to reach, from s, a state where z equals 2 is less than or equal to 9.5". +

    +

    "Co-safe LTL reward" properties

    +

    These generalise the "reachability" properties above. Again, reward is accumulated along a path up until some point, +but this is specified in a more general way, by giving a formula in the co-safe fragment of linear temporal logic (LTL). +Rewards are accumulated up until the point where the formula is first satisfied. For example, this property, for a DTMC or CTMC, +queries the expected reward accumulated until first goal equals 1 and then subsequently goal equals 2: +

    +
    +
    +
    R=? [ F (goal=1 & F goal=2) ]
    +
    +
    [$[Get Code]]
    +
    + +

    and this property, for an MDP, minimises the expected reward until loc equals 1, +having passed only through states where loc never equals 4 +

    +
    +
    +
    Rmin=? [ loc!=4 U loc=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    As for reachability rewards, if the probability of satisfying the formula is less than 1, +then the expected reward is defined to be infinite. +

    +

    Intuitively, a co-safe formula is one that is satisfied within a finite period of time, +and remains true for ever once it becomes true for the first time. +For simplicity, PRISM actually supports the syntactic co-safe fragment of LTL, +which is defined as any LTL formula that only uses the temporal operators F, U and X +(but not G, for example). +PRISM's notation for LTL formulas is described here. +

    +

    "Cumulative reward" properties

    +

    "Cumulative reward" properties also associate a reward with each path of a model, +but only up to a given time bound. +The property C<=t corresponds to the reward cumulated along a path +until t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +State and transition rewards along a path are cumulated exactly as described in the previous section. +

    +

    A typical application of this type of property is the following. +Consider a model of a disk-drive controller which includes a queue of incoming disk requests. +If we assign a reward of 1 to each transition of the model +corresponding to the situation where an incoming request is lost because the queue is full, +then the property: +

    +
    +
    +
    R=? [ C<=15.5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would return, for a given state of the model, +"the expected number of lost requests within 15.5 time units of operation". +

    +

    +

    "Total reward" properties

    +

    "Total reward" properties refer to the accumulation of state and transition rewards +in the same way as for "reachability reward" and "cumulative reward" properties, +but the rewards is accumulated indefinitely, +i.e. the total reward accumulated along the whole (infinite) path. +Note that this means that, unless a path ends up remaining forever in states with zero reward, +the total reward will be infinite. +

    +

    Re-using the reward structure in the previous example, +

    +
    +
    +
    R=? [ C ]
    +
    +
    [$[Get Code]]
    +
    + +

    returns "the expected total number of lost requests". +

    +

    "Instantaneous reward" properties

    +

    "Instantaneous reward" properties refer to the reward of a model at a particular instant in time. +The reward property I=t associates with a path the reward in the state +of that path when exactly t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +

    +

    Returning to our example from the previous section of a model for a disk-request queue in a disk-drive controller, +consider the case where the rewards assigned to each state of the model give the current size of the queue in that state. +Then, the following property: +

    +
    +
    +
    R<4.4 [ I=100 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would be true in a state s of the model if +"starting from s, the expected queue size exactly 100 time units later is less than 4.4". +Note that, for this type of reward property, state rewards for CTMCs do not have to refer to rates; +they can refer to any instantaneous measure of interest for a state. +

    +

    "Steady-state reward" properties

    +

    Unlike the previous three types of property, +"steady-state reward" properties relate not to paths, but rather to the reward in the long-run. +A typical application of this type of property would be, in the case where +the rewards associated with the model correspond to power consumption, the property: +

    +
    +
    +
    R<=0.7 [ S ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "starting from s, the long-run average power consumption is less than 0.7". +

    +

    Which reward structure?

    +

    In the case where a PRISM model has multiple reward structures you may need to specify which reward structure your property refers to. This is done by placing the information in braces ({}) after the R operator. You can do so either using the name assigned to a reward structure (if any) or using the index (where 1 means the first rewards structure in the PRISM model file, 2 the second, etc.). Examples are: +

    +
    +
    +
    R{"num_failures"}=? [ C<=10.0 ]
    +R{"time"}=? [ F step=final ]
    +R{2}=? [ F step=final ]
    +
    +
    [$[Get Code]]
    +
    + +

    Note that when using an index to specify the reward structure, you can actually put any expression that evaluates to an integer. This allows you to, for example, write a property of the form R{c}=?[...] where c is an undefined integer constant. You can then vary the value of c in an experiment and compute values for several different reward structures at once. +

    +

    If you don't specify a reward structure to the R operator, by default, the first one in the model file is used. +

    +

    Availability

    +

    There are currently a few restrictions on the model checking engines that can be used for some reward properties. The following table summarises the currently availability, where S, M, H and E denote the "sparse", "MTBDD", "hybrid" and "explicit" engines, respectively, for DTMCs, CTMCs and MDPs. For PTAs, support for rewards is currently quite restrictive; see the later section on real-time model properties for details. +

    +
    + + + + +
     FcosafeC<=tCI=tS
    DTMCsSMHESMHESMHESMHESMHESMHE
    CTMCsSMHESMHESMHESMHESMHESMHE
    MDPsSM-ESMHES--E----SM-E----
    +

    Multi-objective Properties

    +

    For MDPs, PRISM supports multi-objective properties. Consider a property that uses the P operator. For example: +

    +
    +
    +
    P<0.01 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01. +

    +

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example: +

    +
    +
    +
    multi(P<0.01 [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

    +

    To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

    +

    A "numerical" query looks like: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?". +

    +

    A "Pareto" queries leaves both of the objectives unbounded, e.g.: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], Pmin=? [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    This asks PRISM to compute (approximately), the Pareto curve for this pair objectives. Intuitively, this is the set of pairs of probabilities (of reaching "error1"/"error2") such that reducing one probability any more would necessitate an increase in the other probability. +

    +

    Types of Objectives

    +

    For simplicity, the examples above all refer to the probability of reaching classes of states in the model. Other types of property (objective) are also possible. +

    +

    Firstly, we can extend the examples above by referring to the probability of any +LTL property. For example: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9?". +

    +

    We can also use more than 2 objectives, e.g.: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ], P>=0.95 [ G F "good3" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9 and the probability of visiting "good3" states infinitely often remains at least 0.95?". +

    +

    Multi-objective queries can also refer to the expected total cumulative value of a reward structure. We write such properties in the form: +

    +
    +
    +
    multi(R{"time"}min=?[ C ], R{"energy"}<=1.45 [ C ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the minimum expected cumulative value of reward structure "time", such that the expected cumulative value of reward structure "energy" is below 1.45. +

    +

    Note that this C reward operator differs from the F "target" operator, usually used for standard (single-objective) MDP model checking. Whereas the F "target" operator refers to the expected reward accumulated until a "target" state is reached the C operator refers to the expected total reward. +

    +

    A few important notes regarding rewards: +

    +
    • Currently only transition rewards are supported; state rewards are not. +
    • Certain assumptions are made regarding the finiteness of rewards; see p.7 of [FKP12] for details. +

    Finally, time-bounded variants of both probabilistic reachability and expected cumulative rewards objectives can be used. Here is an example that uses the latter: +

    +
    +
    +
    multi(R{"power"}min=? [ C<=k ], R{"queue"}<=r [ C<=k ])
    +
    +
    [$[Get Code]]
    +
    + +

    Solution Methods

    +

    PRISM can perform multi-objective model checking using two distinct solution methods, which are described in [FKN+11] and [FKP12]. The former is based on the use of linear programming; the latter reduces multi-objective model checking to a series of simpler problems, solved using value iteration (or the Gauss-Seidel variant of value iteration). The default is "Value iteration". You can change this in the GUI using the option "MDP multi-objective solution methods", or using the command-line switches -lp, -valiter, -gs. +

    +

    There are some restrictions for the different methods, e.g. +

    +
    • Linear programming does not support time-bounded properties or Pareto queries +
    +

    Real-time Models

    +

    The classes of property that can be checked for real-time models (PTAs and POPTAs) are currently more restricted than for the other kinds of models that PRISM supports. This is because the model checking procedures are quite different for this type of model. We describe these restrictions here. The situation is also dependent on which of the PTA model checking engines is being used. +

    +

    For the "stochastic games" engine, we essentially only allow unbounded or time-bounded probabilistic reachability properties, i.e. properties of the form: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ F<=T target ]
    +Pmax=? [ F<=T target ]
    +
    +
    [$[Get Code]]
    +
    + +

    where target is a Boolean-valued expression that does not include references to any clock variables and T is an integer-valued expression. The P operator cannot be nested and the S and R operators are not supported. +

    +

    The "backwards reachability" engine is similar but currently only handles maximum probabilities. +

    +

    For the "digital clocks" engine, there is slightly more flexibility, +e.g. until (U) properties are allowed, as are clock variables in expressions and arithmetic expressions such as: +

    +
    +
    +
    1 - Pmin=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    This engine, like the "stochastic games" engine, does not allowed nested properties. Also, references to clocks must, like in the modelling language, not use strict comparisons +(e.g. x<=5 is allowed, x<5 is not). +

    +

    The digital clocks also has support for rewards: +it is possible to check reachability reward properties of the form: +

    +
    +
    +
    Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    Reward structures specified in the model, though, must not depend on clock variables. +Formally, the class of PTAs with this kind of reward structure is sometime called linearly priced PTAs (see e.g. [KNPS06]. +

    +

    The digital clocks method is based on a language-level translation from a PTA model to an MDP one. If you want to see the MDP PRISM model that was generated, add the switch -exportdigital digital.nm when model checking property to export the model file to digital.nm. +

    +

    Partially Observable Models

    +

    For partially observable models (POMDPs and POPTAs), +PRISM uses the same property language as the their +fully observational equivalents (MDPs and PTAs). +However, a more limited range of properties are available. +For POMDPs, PRISM currently supports probabilistic reachability, +probabilistic until, or expected reachability rewards properties, i.e.: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ remain U target ]
    +Pmax=? [ remain U target ]
    +Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    or bounded variants with a probability/threshold instead +of the min=? or max=?. +

    +

    For the verification methods currently implemented, +there are a few additional restrictions. +Firstly, the target (and remain) expression appearing +in the property must be an observable. +In other words, if any state of the POMDP satisfies the expression, +then all other observationally equivalent states must also satisfy it. +This is easily achieved by only using either observable variables +or named observables in the expression, but that is not required. +Secondly, probabilities and expected rewards are only computed from a single state. +

    +

    POPTAs are currently verified using the "digital clocks" approach to +translate them into a POMDP, so they inherit the same +restrictions +(that strict or diagonal clock comparisons are not allowed). +However for POPTAs, time-bounded probabilistic reachability is also supported. +

    +

    Uncertain Models

    +

    For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

    +

    For example, instead of a property for a DTMC such as +

    +
    +
    +
    P=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

    +
    +
    +
    Pmin=? [ F "goal" ]
    +Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which compute the minimum or maximum possible probability that can arise. +

    +

    Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

    +
    +
    +
    Pmaxmin=? [ F "goal" ]
    +Pmaxmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

    +
    • the P operator, for next and bounded/unbounded until/reachability properties +
    • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +
    +

    Non-Probabilistic Properties

    +

    PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). +Properties in these logics use the A (for all) and E (there exists) operators, +instead of the probabilistic P operator used in many other properties supported by PRISM. +

    +

    Properties take the form: +

    +
    +
    +
    A [ pathprop ]
    +E [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which are true in a state s of a model if +"path property pathprop is satisfied by all paths from state s" +and +"path property pathprop is satisfied by some path from state s", +respectively. +The syntax for LTL formulas is the same as those allowed within the P operator. +

    +

    Example properties include: +

    +
    +
    +
    E [ F "goal" ] // There exists a path that reaches a state satisfying "goal"
    +
    +A [ G x<=10 ] // Variable x is always at most 10 along all paths of the model
    +
    +E [ F "ready" & (X "launch") ] // There exists a path along which label "ready" eventually becomes true and label "launch" is true immediately afterwards
    +
    +A [ (G F x=1) | (G F x=2) ] // Along all paths, either x=1 or x=2 is true infinitely often
    +
    +
    [$[Get Code]]
    +
    + +

    Counterexamples and Witnesses

    +

    If you check a CTL property of the form A [ G "inv" ] and it is false, PRISM will generate a counterexample in the form of a path that reaches a state where "inv" is not true. This is displayed either in the simulator (from the GUI) or at the command-line. Similarly, if you check E [ F "goal" ] and the result is true, a witness (a path reaching a "goal" state) will be generated. +

    +

    Syntax And Semantics

    +

    Syntax

    +

    The syntax of the PRISM property specification language subsumes various probabilistic temporal logics, including PCTL, CSL, (probabilistic) LTL, PCTL* and CTL. Informally, the syntax can be summarised as follows: a property can be any valid, well-typed PRISM expression, which (optionally) also includes the probabilistic operators discussed previously (P, S and R) and the non-probabilistic (CTL) ones A and E). This mean that any of the following operators can be used: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +
    • P (probabilistic operator) +
    • S (steady-state operator) +
    • R (reward operator) +
    • A (for-all operator) +
    • E (there-exists operator) +

    This allows you to write any property expressible in logics such as PCTL and CSL. For example, CSL allows you to nest P and S operators: +

    +
    +
    +
    P=? [ F>2 S>0.9[ num_servers >= 5 ] ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of it taking more than 2 hours to get to a state from which the long-run probability of at least 5 servers being operational is >0.9" +

    +

    You can also express various arithmetic expressions such as: +

    +
    +
    +
    1 - P=? [ F[3600,7200] oper ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that the system is not operational at any point during the second hour of operation" +

    +
    +
    +
    R{"oper"}=? [ C<=t ] / t
    +
    +
    [$[Get Code]]
    +
    + +

    "the expected fraction of time that the system is available (i.e. the expected interval availability) in the time interval [0, t]" +

    +
    +
    +
    P=? [ F fail_A ] / P=? [ F any_fail ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the (conditional) probability that component A eventually fails, given +that at least one component fails" +

    +

    Semantics

    +

    We omit a formal presentation of the semantics of the PRISM property language. The semantics of the probabilistic temporal logics that the language incorporates can be found from a variety of sources. See for example the pointers given in the About and Documentation sections of the PRISM website. +

    +

    It is worth, however, clarifying a few points specific to PRISM. A property is evaluated with respect to a particular state of a model. Depending on the type of the property, this value may either be a Boolean, an integer or a double. When performing model checking, PRISM usually has to actually compute the value for all states of the model but, for clarity, will by default report just a single value. Typically, this is the value for the (single) initial state of the model. For example, this: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will report the probability, from the initial state of the model, of reaching an "error" state. +This: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will return true if and only if the probability, from the initial state, is greater than 0.5. +

    +

    Note: This is contrast to older versions of PRISM, which treated numerical and Boolean-valued properties differently in this respect. +

    +

    For models with multiple initial states, we need to adapt these definitions slightly. In this case, the two properties above will yield, respectively: +

    +
    • the range of values (over all initial states) of the probability of reaching "error" +
    • true if and only if the probability is greater than 0.5 from all initial states. +

    You can also ask PRISM to return different values using filters, +which are described in the next section. +

    +

    Filters

    +

    As discussed above, when reporting the result of model checking a property, PRISM will by default return the value for the (single) initial state of the model. However, since PRISM in fact usually has to compute values for all states simultaneously, you can customise PRISM properties to obtain different results. This is done using filters. +

    +

    Filters are created using the filter keyword. They take the following form: +

    +
    +
    +
    filter(op, prop, states)
    +
    +
    [$[Get Code]]
    +
    + +

    where op is the filter operator (see below), prop is any PRISM property and states is a Boolean-valued expression identifying a set of states over which to apply the filter. +

    +

    In fact, the states argument is optional; if omitted, the filter is applied over all states. So, the following properties are equivalent: +

    +
    +
    +
    filter(op, prop)
    +filter(op, prop, true)
    +
    +
    [$[Get Code]]
    +
    + +

    Here's a simple example of a filter: +

    +
    +
    +
    filter(max, P=? [ F "error" ], x=0)
    +
    +
    [$[Get Code]]
    +
    + +

    This gives the maximum value, starting from any state satisfying x=0, of the probability of reaching an "error" state. +

    +

    Here's another simple example, +which checks whether, starting from any reachable state, +we eventually reach a "done" state with probability 1. +

    +
    +
    +
    filter(forall, P>=1 [ F "done" ])
    +
    +
    [$[Get Code]]
    +
    + +

    We could modify this property slightly to instead check whether, from any state that satisfies the label "ready", we eventually reach a "done" state with probability 1. This could be done with either of the following two equivalent properties: +

    +
    +
    +
    filter(forall, "ready" => P>=1 [ F "done" ])
    +filter(forall, P>=1 [ F "done" ], "ready")
    +
    +
    [$[Get Code]]
    +
    + +

    Note: In older versions of PRISM, the property above could be written just as "ready" => P>=1 [ F "done" ] since the result was checked for all states by default, not just the initial state. Now, you need to explicitly include a filter, as shown above, to achieve this. +

    +

    Types of filter

    +

    Most filters of the form filter(op, prop, states) +apply some operator op to the values of property prop +for all the states satisfying states, +resulting in a single value. +The full list of filter operators op in this category is: +

    +
    • min: the minimum value of prop over states satisfying states +
    • max: the maximum value of prop over states satisfying states +
    • count: counts the number of states satisfying states for which prop is true +
    • sum (or +): sums the value of prop for states satisfying states +
    • avg: the average value of prop over states satisfying states +
    • first: the value of prop for the first (lowest-indexed) state satisfying states +
    • range: the range (interval) of values of prop over states satisfying states +
    • forall (or &): returns true if prop is true for all states satisfying states +
    • exists (or |): returns true if prop is true for some states satisfying states +
    • state: returns the value for the single state satisfying states (if there is more than one, this is an error) +

    There are also a few filters that, rather than returning a single value, return different values for each state, like a normal PRISM property: +

    +
    • argmin: returns true for the states satisfying states that yield the minimum value of prop +
    • argmax: returns true for the states satisfying states that yield the maximum value of prop +
    • print: does not change the result of prop but prints the (non-zero) values to the log +
    • printall: like print, but displays all values, even for states where the value is zero +

    More examples

    +

    Here are some further illustrative examples of properties that use filters. +

    +

    Filters provide a quick way to print the results of a model checking query for several states. In most cases, for example, a P=? query just returns the probability from the initial state. To see the probability for all states satisfying x>2, use: +

    +
    +
    +
    filter(print, P=? [ ... ], x>2)
    +
    +
    [$[Get Code]]
    +
    + +

    Values are printed in the log (i.e. to the "Log" tab in the GUI or to the terminal from the command-line). For small models, you could omit the final states argument (x>2 here) and view the probabilities from all states. You can also use PRISM's verbose mode to view values for all states, but filters provide an easier and more flexible solution. +print filters do not actually alter the result returned so, in the example above, PRISM will still return the probability for the initial state, in addition to printing other probabilities in the log. +

    +

    You can also use print filters to display lists of states. For example, this property: +

    +
    +
    +
    filter(print, filter(argmax, P=? [ F "error" ]))
    +
    +
    [$[Get Code]]
    +
    + +

    prints the states which have the highest probability of reaching an error state. +However, you should exercise caution when using argmax (or argmin) on properties such as P=? [ ... ] (or S=? [ ... ] or R=? [ ... ]), whose results are only approximate due to the nature of the methods used to compute them (or because of round-off errors.) +

    +

    Another common use of filters is to display the value for a particular state of the model (rather than the initial state, which is used by default). To achieve this, use e.g.: +

    +
    +
    +
    filter(state, P=? [ F "error" ], x=2&y=3)
    +
    +
    [$[Get Code]]
    +
    + +

    where x=2&y=3 is assumed to specify one particular state. +A state filter will produce an error if the filter expression is not satisfied by exactly one state of the model. +

    +

    Filters can also be built up into more complex expressions. For example, the following two properties are equivalent: +

    +
    +
    +
    filter(avg, P=? [ F "error" ], "init")
    +filter(sum, P=? [ F "error" ], "init") / filter(count, "init")
    +
    +
    [$[Get Code]]
    +
    + +

    The range filter, unlike most PRISM expressions which are of type Boolean, integer or double, actually returns an interval: a pair of integers or doubles. For example: +

    +
    +
    +
    filter(range, P=? [ F count=10 ], count=0)
    +
    +
    [$[Get Code]]
    +
    + +

    gives the range of all possible values for the probability of reach a state satisfying count=10, from all states satisfying count=0. +As will be described below, this kind of property also results from the use of old-style ({...}) filters and properties on models with multiple initial states. +

    +

    Old-style filters

    +

    In older versions of PRISM, filters were also available, but in a less expressive form. Previously, they were only usable on P, S or R properties and only a small set of filter operators were permitted. They were also specified in a different way, using braces ({...}). For compatibility with old properties files (and for compactness), these forms of filters are still allowed. These old-style forms of filters: +

    +
    +
    +
    P=? [ pathprop {states} ]
    +P=? [ pathprop {states}{min} ]
    +P=? [ pathprop {states}{max} ]
    +P=? [ pathprop {states}{min}{max} ]
    +
    +
    [$[Get Code]]
    +
    + +

    are equivalent to: +

    +
    +
    +
    filter(state, P=? [ pathprop ], states)
    +filter(min, P=? [ pathprop ], states)
    +filter(max, P=? [ pathprop ], states)
    +filter(range, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the first of the four properties above (i.e. an old-style filter of the form {states} will result in an error if states is not satisfied by exactly one state of the model. Older versions of PRISM just gave you the value for the first state state satisfying the filter, without warning you about this. If you want to recreate the old behaviour, just use a first filter: +

    +
    +
    +
    filter(first, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Default filters

    +

    Finally, for completeness, we show what the default filters are in PRISM, +i.e. how the way that PRISM returns values from properties by default +could have been achieved equivalently using filters. +

    +

    Queries of the form: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as: +

    +
    +
    +
    filter(forall, P>0.5 [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    and queries of the form: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as either: +

    +
    +
    +
    filter(state, P=? [ F "error" ], "init")
    +filter(range, P=? [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    for the cases where there the model has a single initial state +or multiple initial states, respectively. +

    +

    Properties Files

    +

    Constants

    +

    Files containing properties to be analysed by PRISM can also contain constants, as is the case for model files. +These are defined in identical fashion, for example: +

    +
    +
    +
    const int k = 7;
    +const double T = 9.5;
    +const double p = 0.01;
    +
    +P<p [ F<=T x=k ];
    +
    +
    [$[Get Code]]
    +
    + +

    As before, these constants can actually be left undefined and then later +assigned either a single value or a range of values using experiments. +

    +

    In fact, values such as the probability bounds for the P or S operators (like P above) +and upper or lower bounds for the U operator (like T above) +can be arbitrary expressions, provided they are constant. +Furthermore, expressions in the properties file can also refer to constants previous defined in the model file. +

    +

    +

    Labels

    +

    Another feature of properties files is labels. These are a way of defining sets of states that will be referred to in properties (they correspond to atomic propositions in a temporal logic setting). As described earlier, labels can be defined in either model files or property files. +

    +

    Labels are defined using the keyword label, followed by a name (identifier) in double quotes, and then an expression which evaluates to a Boolean. Definition and usage of labels are illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +P>=0.99 [ "safe" U "fail" ];
    +
    +
    [$[Get Code]]
    +
    + +

    Two special cases are the "init" and "deadlock" labels which are always defined. +These are true in initial states of the model and states where deadlocks were found (and, usually, fixed by adding self-loops), respectively. +

    +

    +

    Property names

    +

    For convenience, properties can be annotated with names, as shown in the following example: +

    +
    +
    +
    "safe": P<0.01 [ F temperature > t_max ];
    +
    +
    [$[Get Code]]
    +
    + +

    which gives the name "safe" to the property. It is then possible to include named properties as sub-expressions of other properties, e.g.: +

    +
    +
    +
    filter(forall, num_sensors>0 => "safe");
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the syntax for referring to named properties is identical to the syntax for labels. For this reason, property names must be disjoint from those of any existing labels. +

    +

    You can refer to property names when using the command-line switch -prop to specify which property is to be model checked. +

    +

    Properties files

    +

    A PRISM properties file can contain any number of properties. +It is good practice, as shown in the examples above, to terminate each property with a semicolon. Currently, this is not enforced by PRISM (to prevent incompatibility with old properties files) but this may change in the future. +

    +

    Like model files, properties can also include any amount of white space (spaces, tabs, new lines, etc.) and C-style comments, which are both ignored. +The recommended file extension for PRISM properties is now .props. +Previously, though, the convention was to use extension .pctl for properties of DTMCs, MDPs or PTAs +and extension .csl for properties of CTMCs, so these are still also valid. +

    +

    +

    Running PRISM

    +
    +

    Starting PRISM

    +

    There are two versions of PRISM, one based on a graphical user interface (GUI), +the other based on a command line interface. Both use the same underlying model checker. +The latter is useful for running large batches of jobs, leaving long-running model checking tasks in the background, or simply for running the tool quickly and easily once you are familiar with its operation. +

    +

    Details how how to run PRISM can be found in the installation instructions. +In short, to run the PRISM GUI: +

    +
    • (on Windows) click the short-cut (to xprism.bat) installed on the Desktop/Start Menu +
    • (on other OSs) run the xprism script in the bin directory +

    You can also optionally specify a model file and a properties file to load upon starting the GUI, e.g.: +

    +
    +
    +
    xprism example.prism
    +xprism example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    To use the command-line version of PRISM, run the prism script, also in the bin directory, e.g.: +

    +
    +
    +
    prism example.prism example.props -prop 2
    +
    +
    [$[Get Code]]
    +
    + +

    The -dir switch can be used to specify a directory for input (and output) files. +So the following are equivalent: +

    +
    +
    +
    prism ~/myfiles/example.prism ~/myfiles/example.props
    +prism -dir ~/myfiles example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    The remainder of this section of the manual describes the main types of functionality offered by PRISM. +For a more introductory guide to using the tool, try the +tutorial on the PRISM web site. +Some screenshots of the GUI version of PRISM are shown below. +

    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)
    +
    +

    Loading And Building a Model

    +

    Typically, when using PRISM, the first step is to load a model that has been specified in the PRISM modelling language. If using the GUI, select menu option "Model | Open Model" and choose a file. There are a selection of sample PRISM model files in the prism-examples directory of the distribution. +A few very small models are contained in the subdirectory simple; +the rest are in subdirectories grouped by model type. +

    +

    The model will then be displayed in the editor in the "Model" tab of the GUI window. The file is parsed upon loading. If there are no errors, information about the modules, variables, and other components of the model is displayed in the panel to the left and a green tick will be visible. If there are errors in the file, a red cross will appear instead and the errors will be highlighted in the model editor. To view details of the error, position the mouse pointer over the source of the error (or over the red cross). Alternatively, select menu option "Model | Parse Model" and the error mIessage will be displayed in a message box. Model descriptions can, of course, also be typed from scratch into the GUI's editor. +

    +

    Building the model

    +

    In order to perform model checking, PRISM will (in most cases) need to construct the corresponding probabilistic model, i.e. convert the PRISM model description to, for example, an MDP, DTMC, etc. During this process, PRISM computes the set of states in the model which are reachable from the initial states and the transition matrix which represents the model. +

    +

    Model construction is done automatically when you perform model checking. However, you may always want to explicitly ask PRISM to build the model in order to test for errors or to see how large the model is. From the GUI, you can do this by by selecting "Model | Build Model". If there are no errors during model construction, the number of states and transitions in the model will be displayed in the bottom left corner of the window. +

    +

    From the command-line, simply type: +

    +
    +
    +
    prism model.nm
    +
    +
    [$[Get Code]]
    +
    + +

    where model.nm is the name of the file containing the model description. +

    +

    For some types of models, notably PTAs, models are not constructed in this way (because the models are infinite-state). In these cases, analysis of the model is not performed until model checking is performed. +

    +

    +

    Deadlocks

    +

    You should be aware of the possibility of deadlock states (or deadlocks) in the model, +i.e. states which are reachable but from which there are no outgoing transitions. +PRISM will automatically search your model for deadlocks and, by default, +"fix" them by adding self-loops in these states. +Since deadlocks are sometimes caused by modelling errors, +PRISM will display a warning message in the log when deadlocks are fixed in this way. +

    +

    You can control whether deadlocks are automatically fixed in this way using the "Automatically fix deadlocks" option (or with command-line switches -nofixdl and -fixdl). When fixing is disabled, PRISM will report and error when the model contains deadlocks (this used to be the default behaviour in older versions of PRISM). +

    +

    If you have unwanted or unexpected deadlocks in your model, there are several ways you can detect then. Firstly, by disabling deadlock fixing (as described above), PRISM will display a list of deadlock states in the log. Alternatively, you can model check the filter property filter(print, "deadlock"), which has the safe effect. +

    +

    To find out how deadlocks occur, i.e. which paths through the model lead to a deadlock state, there are several possibilities. Firstly, you can model check the CTL property E[F "deadlock"]. When checked from the GUI, this will provide you with the option of display a path to a deadlock in the simulator. From the command-line, for example with: +

    +
    +
    +
    prism dice.pm -pf 'E[F "deadlock"]'
    +
    +
    [$[Get Code]]
    +
    + +

    a path to a deadlock will be displayed in the log. +

    +

    Finally, in the eventuality that the model is too large to be model checked, you can still use the simulator to search for deadlocks. This can be done either by manually generating random paths using the simulator in the GUI or, from the command-line, e.g. by running: +

    +
    +
    +
    prism dice.pm -simpath deadlock stdout
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Debugging Models With The Simulator

    +

    PRISM includes a simulator, a tool which can be used to generate sample paths (executions) through a PRISM model. From the GUI, the simulator allows you to explore a model by interactively generating such paths. This is particularly useful for debugging models during development and for running sanity checks on completed models. Paths can also be generated from the command-line. +

    +

    +

    Generating a path in the GUI

    +

    Once you have loaded a model into the PRISM GUI +(note that it is not necessary to build the model), +select the "Simulator" tab at the bottom of the main window. +You can now start a new path by double-clicking in the bottom half of the window +(or right-clicking and selecting "New path"). +If there are undefined constants in the +model (or in any currently loaded properties files) you will be prompted to give values for these. You +can also specify the state from which you wish to generate a path. By default, this is the initial state of +the model. +

    +

    The main portion of the user interface (the bottom part) displays a path through the currently loaded model. Initially, this will comprise just a single state. The table above shows the list of available transitions from this state. Double-click one of these to extend the path with this transition. The process can be repeated to extend the path in an interactive fashion. Clicking on any state in the current path shows the transition which was taken at this stage. Click on the final state in the path to continue +extending the path. Alternatively, clicking the "Simulate" button will select a transition randomly (according to the probabilities/rates of the available transitions). By changing the number in the box below this button, you can easily generate random paths of a given length with a single click. +There are also options (in the accompanying drop-down menu) to allow generation of paths up until a particular length or, for CTMCs, in terms of the time taken. +

    +

    The figure shows the simulator in action. +

    +

    The PRISM GUI: exploring a model using the simulator
    +

    It is also possible to: +

    +
    • backtrack to an earlier point in a path +
    • remove all of the states before some point in a path +
    • restart a path from its first state +
    • export a path to a text file +

    Notice that the table containing the path displays not just the value of each variable in each +state but also the time spent in that state and any rewards accumulated there. You can configure exactly which columns appear by right-clicking on the path and selecting "Configure view". For rewards (and for CTMC models, for the time-values), you can can opt to display the reward/time for each individual state and/or the cumulative total up until each point in the path. +

    +

    At the top-right of the interface, any labels contained in the currently loaded model/properties file are displayed, along with their value in the currently selected state of the path. In addition, the built-in labels "init" and "deadlock" are also included. Selecting a label from the list highlights all states in the current path which satisfy it. +

    +

    The other tabs in this panel allow the value of path operators (taken from properties in the current file) to be viewed for the current path, as well as various other statistics. +

    +

    Another very useful feature for some models is to use the "Plot new path" option from the simulator, which generates a plot of some/all of the variable/reward values for a particular randomly generated path through the model. +

    +

    +

    Path generation from the command-line

    +

    It is also possible to generate random paths through a model using the command-line version of PRISM. This is achieved using the -simpath switch, which requires two arguments, the first describing the path to be generated and the second specifying the file to which the path should be output (as usual, specifying stdout sends output to the terminal). The following examples illustrate the various ways of generating paths in this way: +

    +
    +
    +
    prism model.pm -simpath 10 path.txt
    +prism model.pm -simpath time=7.5 path.txt
    +prism model.pm -simpath deadlock path.txt
    +
    +
    [$[Get Code]]
    +
    + +

    These generate a path of 10 steps, a path of at least 7.5 time units and a path ending in deadlock, respectively. +

    +

    Here's an example of the output: +

    +
    +
    +
    prism poll2.sm -simpath 10 stdout
    +...
    +action step time s a s1 s2
    +- 0 0.0 1 0 0 0
    +[loop1a] 1 0.007479539729154247 2 0 0 0
    +[loop2a] 2 0.00782819795294666 1 0 0 0
    +[loop1a] 3 0.01570585559933703 2 0 0 0
    +[loop2a] 4 0.017061111948220263 1 0 0 0
    +[loop1a] 5 0.026816317516034468 2 0 0 0
    +[loop2a] 6 0.039878416276337814 1 0 0 0
    +[loop1a] 7 0.04456566315999103 2 0 0 0
    +[loop2a] 8 0.047368359683643765 1 0 0 0
    +[loop1a] 9 0.04934857366557349 2 0 0 0
    +[loop2a] 10 0.055031679365844674 1 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    This shows the sequence of states in the path, i.e. the values of the variables in each state. In the example above, there are 4 variables: s, a, s1 and s2. +The first three columns show the type of transition taken to reach that state, its index within the path (starting from 0) and the time at which it was entered. The latter is only shown for continuous time models. The type of the transition is written as [act] if action label act was taken, and as module1 if the module named module1 takes an unlabelled transition). +

    +

    Further options can also be appended to the first parameter. For example, option probs=true also displays the probability/rate associated with each transition. For example: +

    +
    +
    +
    prism poll2.sm -simpath '5,probs=true' stdout
    +...
    +action probability step time s a s1 s2
    +- - 0 0.0 1 0 0 0
    +[loop1a] 200.0 1 0.0011880118081395378 2 0 0 0
    +[loop2a] 200.0 2 0.0037798355025401888 1 0 0 0
    +[loop1a] 200.0 3 0.01029212322894221 2 0 0 0
    +[loop2a] 200.0 4 0.023258883912578403 1 0 0 0
    +[loop1a] 200.0 5 0.027402404026254504 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    In this example, the rate is 200.0 for all transitions. +To show the state/transition rewards for each step, use option rewards=true. +

    +

    If you are only interested in values of certain variables of your model, use the vars=(...) option. For example: +

    +
    +
    +
    prism poll2.sm -simpath '500,probs=true,vars=(a,s1,s2)' stdout
    +...
    +action probability step time a s1 s2
    +- - 0 0.0 0 0 0
    +station2 0.5 110 0.5025332771499665 0 0 1
    +[loop2b] 200.0 111 0.5109407735244359 1 0 1
    +[serve2] 1.0 112 0.9960642154887506 0 0 0
    +station1 0.5 130 1.0645858553472822 0 1 0
    +[loop1b] 200.0 132 1.0732572896618477 1 1 0
    +[serve1] 1.0 133 2.939742026148121 0 0 0
    +station2 0.5 225 3.4311507854807677 0 0 1
    +[loop2b] 200.0 227 3.434285492243098 1 0 1
    +[serve2] 1.0 228 3.553118276800078 0 0 0
    +station2 0.5 250 3.6354431222941406 0 0 1
    +[loop2b] 200.0 251 3.637552738997181 1 0 1
    +[serve2] 1.0 252 3.7343375346150576 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    Note the use of single quotes around the path description argument to prevent the shell from misinterpreting special characters such as "(". +

    +

    Notice also that the above only displays states in which the values of some variable of interest changes. This is achieved with the option changes=true, which is automatically enabled when you use vars=(...). If you want to see all steps of the path, add the option changes=false. +

    +

    An alternative way of viewing paths is to only display paths at certain fixed points in time. This is achieved with the snapshot=x option, where x is the time step. For example: +

    +
    +
    +
    prism poll2.sm -simpath 'time=5.0,snapshot=0.5' stdout
    +...
    +step time s a s1 s2
    +0 0.0 1 0 0 0
    +94 0.5 1 0 0 0
    +198 1.0 1 0 0 0
    +314 1.5 1 0 0 0
    +375 2.0 1 1 1 1
    +376 2.5 2 0 0 1
    +376 3.0 2 0 0 1
    +378 3.5 1 0 0 0
    +378 4.0 1 0 0 0
    +478 4.5 1 0 0 0
    +511 5.0 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use the sep=... option to specify the column separator. Possible values are space (the default), tab and comma. For example: +

    +
    +
    +
    prism poll2.sm -simpath '10,vars=(a,b),sep=comma' stdout
    +...
    +step,a,b,time
    +0,0,0,0.0
    +2,1,0,0.058443536856580006
    +3,1,1,0.09281024515535738
    +6,1,2,0.2556555786269585
    +7,1,3,0.284062896359802
    +8,1,4,1.1792064236954896
    +
    +
    [$[Get Code]]
    +
    + +

    When generating paths to a deadlock state, additional repeat=... option is available which will construct multiple paths until a deadlock is found. For example: +

    +
    +
    +
    prism model.sm -simpath 'deadlock,repeat=100' stdout
    +
    +
    [$[Get Code]]
    +
    + +

    By default, the simulator detects deterministic loops in paths (e.g. if a path reaches a state from which there is a just a single self-loop leaving that state) and stops generating the path any further. You can disable this behaviour with the loopcheck=false option. For example: +

    +
    +
    +
    prism dice.pm -simpath 10 stdout
    +...
    +Warning: Deterministic loop detected after 6 steps (use loopcheck=false option to extend path).
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 3
    +die 4 7 3
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    prism dice.pm -simpath 10,loopcheck=false stdout
    +...
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 2
    +die 4 7 2
    +die 5 7 2
    +die 6 7 2
    +die 7 7 2
    +die 8 7 2
    +die 9 7 2
    +die 10 7 2
    +
    +
    [$[Get Code]]
    +
    + +

    One final note: the -simpath switch only generates paths up to the maximum path length setting of the simulator (the default is 10,000). If you want to generate longer paths, either change the +default setting or override it temporarily from the command-line using the -simpathlen switch. +You might also use the latter to decrease the setting, +e.g. to look for a path leading to a deadlock state, +but only within 100 steps: +

    +
    +
    +
    prism model.sm -simpath deadlock stdout -simpathlen 100
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Exporting The Model

    +

    If required, once the model has been constructed, it can be exported, either for manual examination or for use in another tool. The following can all be exported: +

    +
    • the set of reachable states; +
    • the transition matrix; +
    • the state rewards vector(s); +
    • the transition rewards matrix (or matrices). +
    • labels (in the model or properties) and the states that satisfy them +

    Note that the last of these also provides a way to export information about initial states and deadlock states (via the built-in labels "init" and "deadlock"). +

    +

    From the GUI, use the "Model | Export" menu to export the data to a file or, for small models, use the "Model | View" menu to print the details directly to the log. For the case of labels, if you want to export labels from the properties file too, use the "Properties | Export labels" option, rather than the "Model | Export" one. +

    +

    From the command-line version of PRISM, use the following switches: +

    +
    • -exportstates <file> +
    • -exporttrans <file> +
    • -exportstaterewards <file> +
    • -exporttransrewards <file> +
    • -exportlabels <file> +

    or, as explained below, use the more convenient switch: +

    +
    • -exportmodel <files[:options]> +

    Replace <file> with stdout in any of the above to print the information to the terminal. +

    +

    The export command-line switches can be used in combination. For example: +

    +
    +
    +
    prism poll2.sm -exportstates poll2.sta -exporttrans poll2.tra
    +
    +
    [$[Get Code]]
    +
    + +

    exports both the state space and transition matrix. You can export both state and transition rewards using the -exportrewards switch. The following are equivalent: +

    +
    +
    +
    prism poll2.sm -exportrewards poll2.srew poll2.trew
    +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
    +
    +
    [$[Get Code]]
    +
    + +

    When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI). +

    +

    You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to out.tra and out.sta, respectively. If you omit the file basename (out in this case), then the basename of the model file (poll2 in this case) is used. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel .tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to poll2.tra and poll2.sta. +

    +

    Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.srew (state rewards), +.trew (transition rewards), +.lab (labels). +You can use the shorthand .all to export everything, and .rew to export both state and transition rewards. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.all
    +prism poll2.sm -exportmodel .all
    +
    +
    [$[Get Code]]
    +
    + +

    creates multiple files of the form out.* or poll2.*, respectively. +

    +

    As mentioned above, you can always use stdout instead of a filename. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel stdout.all
    +
    +
    [$[Get Code]]
    +
    + +

    is a quick way to print all details (of a small model) to the terminal. +

    +

    Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +in Dot format which allows easy graphical visualisation of the model: +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    Export options

    +

    When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

    +

    Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list: +

    +
    • mrmc - export data in MRMC format +
    • matlab - export data in Matlab format +
    • rows - export matrices with one row/distribution on each line +
    • ordered - output states indices in ascending order [default] +
    • unordered - don't output states indices in ascending order +
    • proplabels - also export labels from the properties file +

    An example is: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,out.trew:matlab,unordered
    +
    +
    [$[Get Code]]
    +
    + +

    By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>. +

    +

    +

    File formats

    +

    By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. +As mentioned above, by convention, we use file extensions +.sta (for states files), .tra (for transitions files), +.srew and .trew (for state/transition rewards files) +and .lab (for labels). +

    +

    Alternatively, it is possible to export this information as Matlab code +(a .m file) or in a format suitable for import into the MRMC tool. Select the appropriate menu item when using the GUI, or add the command-line switches: +

    +
    • -exportmatlab +
    • -exportmrmc +

    or, as described earlier, pass options to the -exportmodel switch. +

    +

    There is no specific MRMC format for labels, so these are exported as plain text in this case. +

    +

    There is some additional export functionality available only from the command-line. +

    +

    Firstly, when outputting matrices for DTMCs or CTMCs, it is possible to request that PRISM does not sort the rows of the matrix, +as is normally the case. This is achieved with the switch: +

    +
    • -exportunordered +

    The reason for this is that in this case PRISM does not need to construct an explicit version of the model in memory and the process can thus be performed with reduced memory consumption. +

    +

    Secondly, there is a switch: +

    +
    • -exportrows +

    which provides an alternative output format for transition matrices where the elements of each row of the matrix (i.e. the transitions from a state/choice) are grouped on the same line. This can be particularly helpful for viewing the matrix for MDPs. The file format is shown here. +

    +

    +

    Graphical model export

    +

    The transition matrix of the model can also be exported in Dot format, +which allows easy graphical visualisation of the graph structure of the model. +You can optionally request that state descriptions are added to each state of graph; if not, states are labelled with integer indices that can be cross-referenced with the list of reachable states. +

    +

    Use the menu entries under "Model | Export | Transition matrix" from the GUI or command-line switches: +

    +
    • -exporttransdot <file> +
    • -exporttransdotstates <file> +

    As mentioned above, for the latter, the following is equivalent (and easier to remember): +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    +

    Exporting (B)SCCs and end components

    +

    It is also possible to export the set of (bottom) strongly connected components (SCCs or BSCCs) for a model. This can only be done from the command-line currently. Use, for example: +

    +
    +
    +
    prism poll2.sm -exportsccs stdout
    +prism poll2.sm -exportbsccs stdout
    +
    +
    [$[Get Code]]
    +
    + +

    For an MDP, you can also export the set of maximal end components (MECs): +

    +
    +
    +
    prism mdp.nm -exportmecs stdout
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Model Checking

    +

    Typically, once a model has been constructed, it is analysed through model checking. +Properties are specified as described in the "Property Specification" section, +and are usually kept in files with extensions .props, .pctl or .csl. +There are properties files accompanying most of the sample PRISM models in the prism-examples directory. +

    +

    +

    GUI

    +

    To load a file containing properties into the GUI, select menu option "Properties | Open properties list". +The file can only be loaded if there are no errors, otherwise an error is displayed. +Note that it may be necessary to have loaded the corresponding model first, +since the properties will probably make reference to variables (and perhaps constants) declared in the model file. +Once loaded, the properties contained in the file are displayed in a list in the "Properties" tab of the GUI. +Constants and labels are displayed in separate lists below. +You can modify or create new properties, constants and labels from the GUI, +by right-clicking on the appropriate list and selecting from the pop-up menu which appears. Properties with errors are shaded red and marked with a warning sign. +Positioning the mouse pointer over the property displays the corresponding error message. +

    +

    The pop-up menu for the properties list also contains a "Verify" option, +which allows you instruct PRISM to model check the currently selected properties +(hold down Ctrl/Cmd to select more than one property simultaneously). +All properties can be model checked at once by selecting "Verify all". +PRISM verifies each property individually. +Upon completion, the icon next to the property changes according to the result of model checking. For Boolean-valued properties, a result of true or false is indicated by a green tick or red cross, respectively. For properties which have a numerical result (e.g. P=? [ ...]), position the mouse pointer over the property to view the result. +In addition, this and further information about model checking is displayed in the log in the "Log" tab. +

    +

    +

    Command-line

    +

    From the command-line, model checking is achieved by passing both a model file and a properties file as arguments, e.g.: +

    +
    +
    +
    prism poll2.sm poll.csl
    +
    +
    [$[Get Code]]
    +
    + +

    The results of model checking are sent to the display and are as described above for the GUI version. +By default, all properties in the file are checked. +To model check only a single property, use the -prop switch. +For example, to check only the fourth property in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4
    +
    +
    [$[Get Code]]
    +
    + +

    or to check only the property with name "safe" in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop safe
    +
    +
    [$[Get Code]]
    +
    + +

    You can also provide a comma-separated list of multiple properties to check, +using neither numerical indices or property names: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4,5,safe
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, the contents of a properties file can be specified directly from the command-line, using the -pf switch: +

    +
    +
    +
    prism poll2.sm -pf 'P>=0.5 [ true U<=5 (s=1 & a=0) ]'
    +
    +
    [$[Get Code]]
    +
    + +

    The switches -pctl and -csl are aliases for -pf. +

    +

    Note the use of single quotes ('...') to avoid characters such as +( and > being interpreted by the command-line shell. +Single quotes are preferable to double quotes since PRISM properties often include double quotes, e.g. for references to labels or properties. +

    +

    Approximate Model Checking

    +

    The discrete-event simulator built into PRISM (see the section "Debugging Models With The Simulator") can also be used to generate approximate results for PRISM properties, a technique often called statistical model checking. Essentially, this is achieved by sampling: generating a large number of random paths through the model, evaluating the result of the given properties on each run, and using this information to generate an approximately correct result. This approach is particularly useful on very large models when normal model checking is infeasible. This is because discrete-event simulation is performed using the PRISM language model description, without explicitly constructing the corresponding probabilistic model. +

    +

    Currently, statistical model checking can only be applied to P or R operators +and does not support LTL-style path properties or filters. +There are also a few restrictions on the modelling language features that can be used; see below for details. +

    +

    To use this functionality, load a model and some properties into PRISM, as described in the previous sections. To generate an approximate value for one or more properties, select them in the list, right-click and select "Simulate" (as opposed to "Verify"). As usual, it is first necessary to provide values for any undefined constants. Subsequently, a dialog appears. Here, the state from which approximate values are to be computed (i.e. from which the paths will be generated) can be selected. By default, this is the initial state of the model. The other settings in the dialog concern the methods used for simulation. +

    +

    PRISM supports four different methods for performing statistical model checking: +

    +
    • CI (Confidence Interval) +
    • ACI (Asymptotic Confidence Interval) +
    • APMC (Approximate Probabilistic Model Checking) +
    • SPRT (Sequential Probability Ratio Test) +

    The first three of these are intended primarily for "quantitative" properties (e.g. of the form P=?[...]), but can also be used for "bounded" properties (e.g. of the form P<p[...]). The SPRT method is only applicable to "bounded" properties. +

    +

    Each method has several parameters that control its execution, i.e. the number of samples that are generated and the accuracy of the computed approximation. In most cases, these parameters are inter-related so one of them must be left unspecified and its value computed automatically based on the others. In some cases, this is done before simulation; in others, it must be done afterwards. +

    +

    Below, we describe each method in more detail. +For simplicity, we describe the case of checking a P operator. +Details for the case of an R operator can be found in [Nim10]. +

    +

    CI (Confidence Interval) Method

    +

    The CI method gives a confidence interval for the approximate value generated for a P=? property, based on a given confidence level and the number of samples generated. +The parameters of the method are: +

    +
    • "Width" (w) +
    • "Confidence" (alpha) +
    • "Number of samples" (N) +

    Let X denote the true result of the query P=?[...] and Y the approximation generated. +The confidence interval is [Y-w,Y+w], i.e. w gives the half-width of the interval. +The confidence level, which is usually stated as a percentage, is 100(1-alpha)%. +This means that the actual value X should fall into the confidence interval [Y-w,Y+w] 100(1-alpha)% of the time. +

    +

    To determine, for example, the width w for given alpha and N, +we use w = q * sqrt(v / N) where +q is a quantile, for probability 1-alpha/2, from the Student's t-distribution with N-1 degrees of freedom and v is (an estimation of) the variance for X. +Similarly, we can determine the required number of iterations, from w and alpha, +as N = (v * q2)/w2, where q and v are as before. +

    +

    For a bounded property P~p[...], the (Boolean) result is determined according to the generated approximation for the probability. This is not the case, however, if the threshold p falls within the confidence interval [Y-w,Y+w], in which case no value is returned. +

    +

    ACI (Asymptotic Confidence Interval) Method

    +

    The ACI method works in exactly same fashion as the CI method, except that it uses the Normal distribution to approximate the Student's t-distribution when determining the confidence interval. This is appropriate when the number of samples is large (because we can get a reliable estimation of the variance from the samples) but may be less accurate for small numbers of samples. +

    +

    APMC (Approximate Probabilistic Model Checking) Method

    +

    The APMC method, based on [HLMP04], offers a probabilistic guarantee on the accuracy of the approximate value generated for a P=? property, based on the Chernoff-Hoeffding bound. +The parameters of the method are: +

    +
    • "Approximation" (epsilon) +
    • "Confidence" (delta) +
    • "Number of samples" (N) +

    Letting X denote the true result of the query P=?[...] and Y the approximation generated, we have: +

    +
    • Prob(|Y-X| > epsilon) < delta +

    where the parameters are related as follows: +N = ln(2/delta) / 2epsilon2. +This imposes certain restrictions on the parameters, +namely that N(epsilon2) ≥ ln(2)/2. +

    +

    In similar fashion to the CI/ACI methods, the APMC method can be also be used for bounded properties such as P~p[...], as long as the threshold p falls outside the interval [Y-epsilon,Y+epsilon]. +

    +

    SPRT (Sequential Probability Ratio Test) Method

    +

    The SPRT method is specifically for bounded properties, such as P~p[...] and is based on acceptance sampling techniques [YS02]. It uses Wald's sequential probability ratio test (SPRT), which generates a succession of samples, deciding on-the-fly when an answer can be given with a sufficiently high confidence. +

    +

    The parameters of the method are: +

    +
    • "Indifference" (delta) +
    • "Type I/II error" (alpha/beta) +

    Consider a property of the form P≥p[...]. The parameter delta is used as the half-width of an indifference region [p-delta,p+delta]. PRISM will attempt to determine whether either the hypothesis P≥(p+delta)[...] or P≤(p-delta)[...] is true, based on which it will return either true or false, respectively. The parameters alpha and beta represent the probability of the occurrence of a type I error (wrongly accepting the first hypothesis) and a type II error (wrongly accepting the second hypothesis), respectively. For simplicity, PRISM assigns the same value to both alpha and beta. +

    +

    Maximum Path Length

    +

    Another setting that can be configured from the "Simulation Parameters" dialog is the maximum length of paths generated by PRISM during statistical model checking. In order to perform statistical model checking, PRISM needs to evaluate the property being checked along every generated path. For example, when checking P=? [ F<=10 "end" ], PRISM must check whether F<=10 "end" is true for each path. On this example (assuming a discrete-time model), this can always be done within the first 10 steps. For a property such as P=? [ F "end" ], however, there may be paths along which no finite fragment can show F "end" to be true or false. So, PRISM imposes a maximum path length to avoid the need to generate excessively long (or infinite) paths. +The default maximum length is 10,000 steps. +If, for a given property, statistical model checking results in one or more paths on which the property can be evaluated, an error is reported. +

    +

    Command-line Statistical Model Checking

    +

    Statistical model checking can also be enabled from the command-line version of PRISM, by including the -sim switch. The default methods used are CI (Confidence Interval) for "quantitative" properties and SPRT (Sequential Probability Ratio Test) for "bounded" properties. To select a particular method, use switch -simmethod <method> where <method> is one of ci, aci, apmc and sprt. For example: +

    +
    +
    +
    prism model.pm model.pctl -prop 1 -sim -simmethod aci
    +
    +
    [$[Get Code]]
    +
    + +

    PRISM has default values for the various simulation method parameters, but these can also be specified using the switches -simsamples, -simconf, -simwidth and -simapprox. The exact meaning of these switches for each simulation method is given in the table below. +

    +
    + + + + + +
     CIACIAPMCSPRT
    -simsamples"Num. samples""Num. samples""Num. samples"n/a
    -simconf"Confidence""Confidence""Confidence""Type I/II error"
    -simwidth"Width""Width"n/a"Indifference"
    -simapproxn/an/a"Approximation"n/a
    +

    The maximum length of simulation paths is set with switch -simpathlen. +

    +

    Limitations

    +

    Currently, the simulator does not support every part of the PRISM modelling languages. For example, it does not handle models with multiple initial states or with system...endsystem definitions. +

    +

    It is also worth pointing out that statistical model checking techniques are not well suited to models that exhibit nondeterminism, such as MDPs. This because the techniques rely on generation of random paths, which are not well defined for a MDP. PRISM does allow statistical model checking to be performed on an MDP, but does so by simply resolving nondeterministic choices in a (uniformly) random fashion (and displaying a warning message). Currently PTAs are not supported by the simulator. +

    +

    Computing Steady-state And Transient Probabilities

    +

    If the model is a CTMC or DTMC, it is possible to compute corresponding vectors of +steady-state or transient probabilities directly +(rather than indirectly by analysing a property which requires their computation). +From the GUI, select an option from the "Model | Compute" menu. +For transient probabilities, you will be asked to supply the +time value for which you wish to compute probabilities. +From the command-line, add the -steadystate (or -ss) switch: +

    +
    +
    +
    prism poll2.sm -ss
    +
    +
    [$[Get Code]]
    +
    + +

    for steady-state probabilities or the -transient (or -tr) switch: +

    +
    +
    +
    prism poll2.sm -tr 2.0
    +
    +
    [$[Get Code]]
    +
    + +

    for transient probabilities, again specifying a time value in the latter case. +The probabilities are computed for all states of the model and displayed, +either on the screen (from the command-line) or in the log (from the GUI). +

    +

    To instead export the vector of computed probabilities to a file, use the "Model | Compute/export" option from the GUI, or the -exportsteadystate (or -exportss) and -exporttransient (or -exporttr) switches from the command-line: +

    +
    +
    +
    prism poll2.sm -ss -exportss poll2-ss.txt
    +prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    From the command-line, you can request that the probability vectors exported are in Matlab format by adding the -exportmatlab switch. +

    +

    Initial probability distributions

    +

    By default, for both steady-state and transient probability computation, +PRISM assumes that the initial probability distribution of the model is +an equiprobable choice over the set of initial states. +You can override this and provide a specific initial distribution. This is done using the -importinitdist switch. The format for this imported distribution is identical to the ones exported by PRISM, i.e. simply a list of probabilities for all states separated by new lines. For example, this: +

    +
    +
    +
    prism poll2.sm -tr 1.0 -exporttr poll2-tr1.txt
    +prism poll2.sm -tr 1.0 -importinitdist poll2-tr1.txt -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    is (essentially) equivalent to this: +

    +
    +
    +
    prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    Ranges of time values

    +

    Finally, you can compute transient probabilities for a range of time values, e.g.: +

    +
    +
    +
    prism poll2.sm -tr 0.1:0.01:0.2
    +
    +
    [$[Get Code]]
    +
    + +

    which computes transient probabilities for the time points 0.1, 0.11, 0.12, .., 0.2. In this case, the computation is done incrementally, with probabilities for each time point being computed from the previous point for efficiency. +

    +

    Experiments

    +

    PRISM supports experiments, which is a way of automating multiple instances of model checking. +This is done by leaving one or more constants undefined, e.g.: +

    +
    +
    +
    const int N;
    +const double T;
    +
    +
    [$[Get Code]]
    +
    + +

    This can be done for constants in the model file, the properties file, or both. +Before any verification can be performed, values must be provided for any such constants. In the GUI, a dialog appears in which the user is required to enter values. From the command line, the -const switch must be used, e.g.: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9
    +
    +
    [$[Get Code]]
    +
    + +

    To run an experiment, provide a range of values for one or more of the constants. Model checking will be performed for all combinations of the constant values provided. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4:6,T=60:10:100
    +
    +
    [$[Get Code]]
    +
    + +

    where N=4:6 means that values of 4,5 and 6 are used for N, +and T=60:10:100 means that values of 60, 70, 80, 90 and 100 (i.e. steps of 10) are used for T. +

    +

    For convenience, constant specifications can be split across separate instances of the -const switch, if desired. +You can also specify double-valued constants as fractions rather than decimals. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9 -const p=1/3
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, the same thing can be achieved by selecting a single property, +right clicking on it and selecting "New experiment" +(or alternatively using the popup menu in the "Experiments" panel). +Values or ranges for each undefined constant can then be supplied in the resulting dialog. +Details of the new experiment and its progress are shown in the panel. +To stop the experiment before it has completed, click the red "Stop" button and it will +halt after finishing the current iteration of model checking. +Once the experiment has finished, right clicking on the experiment produces a pop-up menu, +from which you can view the results of the experiment or export them to a file. +

    +

    For experiments based on properties which return numerical results, you can also use the GUI to plot graphs of the results. +This can be done either before the experiment starts, by selecting the "Create graph" tick-box in the dialog used to create the experiment +(in fact this box is ticked by default), or after the experiment's completion, by choosing "Plot results" from the pop-up menu on the experiment. +A dialog appears, where you can choose which constant (if there are more than one) to use for the x-axis of the graph, +and for which values of any other constants the results should be plotted. +The graph will appear in the panel below the list of experiments. +Right clicking on a graph and selecting "Graph options" brings up a dialog from which many properties of the graph can be configured. +From the pop-up menu of a graph, you can also choose to print the graph (to a printer or Postscript file) +or export it in a variety of formats: +as an image (PNG or JPEG), +as an encapsulated Postscript file (EPS), +in an XML-based format (for reloading back into PRISM), +or as code which can be used to generate the graph in Matlab. +

    +

    Approximate computation of quantitive results obtained with the simulator can also be used on experiments. In the GUI, select the "Use Simulation" option when defining the parameters for the experiment. From the command-line, just add the -sim switch as usual. +

    +

    +

    Exporting results

    +

    You can export all the results from an experiment to a file or to the screen. From the command-line, use the -exportresults switch, for example: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt
    +
    +
    [$[Get Code]]
    +
    + +

    to send to output file res.txt, or: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults stdout
    +
    +
    [$[Get Code]]
    +
    + +

    to send the results straight to the screen. From the GUI, right click on the experiment and select "Export results". +

    +

    The default behaviour is to export a list of results in text form, using tabs to separate items. The above examples produce: +

    +
    +
    +
    N       T       Result
    +4       0       0.0
    +4       10      4.707364688019771E-6
    +4       20      1.3126420636755292E-5
    +5       0       0.0
    +5       10      3.267731327728599E-6
    +5       20      8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    You can change the format in which the results are exported by appending one or more comma-separated options to the end of the -exportresults switch, for example to export in CSV (comma-separated values) format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N, T, Result
    +4, 0, 0.0
    +4, 10, 4.707364688019771E-6
    +4, 20, 1.3126420636755292E-5
    +5, 0, 0.0
    +5, 10, 3.267731327728599E-6
    +5, 20, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    or in DataFrame format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]
    +
    + +

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. +This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    "N\T"
    +, 0.0, 10.0, 20.0
    +4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    +5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    The matrix option is also available in normal (non-CSV) mode. +

    +

    You can also export results in the form of comments, used by PRISM's regression testing functionality: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    // RESULT (N=4,T=0): 0.0
    +// RESULT (N=4,T=10): 4.707364688019771E-6
    +// RESULT (N=4,T=20): 1.3126420636755292E-5
    +// RESULT (N=5,T=0): 0.0
    +// RESULT (N=5,T=10): 3.267731327728599E-6
    +// RESULT (N=5,T=20): 8.343575060356386E-6
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. +This exports the results for all states of the model +(typically, the log just displays the result for the initial state, unless a filter has been used) +to the the file file. +

    +

    Strategies

    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property: +

    +
    +
    +
    Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated. +

    +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future. +

    +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    +
    + +

    A full list of available options is as follows: +

    +
    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches. +

    +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. +

    +

    Support For PEPA Models

    +

    For CTMCs, PRISM also accepts model descriptions in the stochastic process algebra PEPA [Hil96]. +The tool compiles such descriptions into the PRISM language and then constructs the model as normal. +The language accepted by the PEPA to PRISM compiler is actually a subset of PEPA. +The restrictions applied to the language are firstly that component identifiers can only be bound to sequential components +(formed using prefix and choice and references to other sequential components only). +Secondly, each local state of a sequential component must be named. For example, we would rewrite: +

    +
    • P = (a,r).(b,s).P; +

    as: +

    +
    • P = (a,r).P'; +
    • P' = (b,s).P; +

    Finally, active/active synchronisations are not allowed since the PRISM +definition of these differs from the PEPA definition. Every PEPA +synchronisation must have exactly one active component. +Some examples of PEPA model descriptions which can be imported into PRISM +can be found in the prism-examples/pepa directory. +

    +

    From the command-line version of PRISM, add the -importpepa switch and the model will be treated as a PEPA description. +From the GUI, select "Model | Open model" and then choose "PEPA models" +on the "Files of type" drop-down menu. +Alternatively, select "Model | New | PEPA model" and either type a description from scratch +or paste in an existing one from elsewhere. +Once the PEPA model has been successfully parsed by PRISM, +you can view the corresponding PRISM code (as generated by the PEPA-to-PRISM compiler) +by selecting menu option "Model | View | Parsed PRISM model". +

    +

    Support For SBML

    +

    PRISM includes a (prototype) tool to translate specifications in SBML (Systems Biology Markup Language) to model descriptions in the PRISM language. SBML is an XML-based format for representing models of biochemical reaction networks. The translator currently works with Level 2 Version 1 of the SBML specification, details of which can be found here. +

    +

    Since PRISM is a tool for analysing discrete-state systems, the translator is designed for SBML files intended for discrete stochastic simulation. A useful set of such files can be found in the CaliBayes Discrete Stochastic Model Test Suite. There are also many more SBML files available in the BioModels Database. +

    +

    We first give a simple example of an SBML file and its PRISM translation. We then give some more precise details of the translation process. +

    +

    Example

    +

    An SBML file comprises a set of species and a set of reactions which they undergo. Below is the SBML file for the simple reversible reaction: Na + Cl ↔ Na+ + Cl-, where there are initially 100 Na and Cl atoms and no ions, and the base rates for the forwards and backwards reactions are 100 and 10, respectively. +

    +
    +
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>
    +
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>
    +
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>
    +
    </model>
    +</sbml>
    +
    [$[Get Code]]
    +
    + +

    And here is the resulting PRISM code: +

    +
    +
    +
    // File generated by automatic SBML-to-PRISM conversion
    +// Original SBML file: nacl.xml
    +
    +ctmc
    +
    +const int MAX_AMOUNT = 100;
    +
    +// Parameters for reaction forwards
    +const double forwards_rate = 100; // forwards_rate
    +
    +// Parameters for reaction backwards
    +const double backwards_rate = 10; // backwards_rate
    +
    +// Species na
    +const int na_MAX = MAX_AMOUNT;
    +module na
    +
    + na : [0..na_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] na > 0 -> (na'=na-1);
    + // backwards
    + [backwards]  na <= na_MAX-1 -> (na'=na+1);
    +
    +endmodule
    +
    +// Species cl
    +const int cl_MAX = MAX_AMOUNT;
    +module cl
    +
    + cl : [0..cl_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] cl > 0 -> (cl'=cl-1);
    + // backwards
    + [backwards]  cl <= cl_MAX-1 -> (cl'=cl+1);
    +
    +endmodule
    +
    +// Species na_plus
    +const int na_plus_MAX = MAX_AMOUNT;
    +module na_plus
    +
    + na_plus : [0..na_plus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  na_plus <= na_plus_MAX-1 -> (na_plus'=na_plus+1);
    + // backwards
    + [backwards] na_plus > 0 -> (na_plus'=na_plus-1);
    +
    +endmodule
    +
    +// Species cl_minus
    +const int cl_minus_MAX = MAX_AMOUNT;
    +module cl_minus
    +
    + cl_minus : [0..cl_minus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  cl_minus <= cl_minus_MAX-1 -> (cl_minus'=cl_minus+1);
    + // backwards
    + [backwards] cl_minus > 0 -> (cl_minus'=cl_minus-1);
    +
    +endmodule
    +
    +// Reaction rates
    +module reaction_rates
    +
    + // forwards
    + [forwards] (forwards_rate*(na*cl)) > 0 -> (forwards_rate*(na*cl)) : true;
    + // backwards
    + [backwards] (backwards_rate*(na_plus*cl_minus)) > 0 -> (backwards_rate*(na_plus*cl_minus)) : true;
    +
    +endmodule
    +
    +// Reward structures (one per species)
    +
    +// 1
    +rewards "na" true : na; endrewards
    +// 2
    +rewards "cl" true : cl; endrewards
    +// 3
    +rewards "na_plus" true : na_plus; endrewards
    +// 4
    +rewards "cl_minus" true : cl_minus; endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator): +

    +

    Expected amount of Na/Na+ at time T
    +
    +

    Using the translator

    +

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself. +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    If you are using a binary (rather than source code) distribution of PRISM, replace classes with lib/prism.jar in the above. +

    +

    Alternatively (on Linux or Mac OS X), ensure prism is in your path and then save the script below as an executable file called sbml2prism: +

    +
    +
    +
    #!/bin/sh
    +
    +# Startup script for SBML-to-PRISM translator
    +
    +# Launch using main PRISM script
    +PRISM_MAINCLASS="prism.SBML2Prism"
    +export PRISM_MAINCLASS
    +prism "$@"
    +
    [$[Get Code]]
    +
    + +

    Then use: +

    +
    +
    +
    sbml2prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    The following PRISM properties file will also be useful: +

    +
    +
    +
    const double T;
    +const int c;
    +
    +R{c}=? [I=T]
    +
    +
    [$[Get Code]]
    +
    + +

    This contains a single property which, based on the reward structures in the PRISM model generated by the translator, means "the expected amount of species c at time T". The constant c is an integer index which can range between 1 and N, where N is the number of species in the model. To view the expected amount of each species over time, create an experiment in PRISM which varies c from 1 to N and T over the desired time range. +

    +
    +

    Details of the translation

    +

    The basic structure of the translation process is as follows: +

    +
    • Each species in the SBML file is represented by a module in the resulting PRISM file. This module, which (where possible) retains the SBML species id as its name, contains a single variable whose value represents the amount of the species present. A corresponding reward structure for computing the expected amount of the species at a given time instant is also created. Species for which the boundaryCondition flag is set to true in the SBML file do not have a corresponding module. +
    • Each reaction in the SBML file is associated with a unique synchronisation action label. The module for each species which takes part in the reaction will include a synchronous command to represent this. An additional PRISM module called reaction_rates stores the expression representing the rate of each reaction (from the corresponding kineticLaw section in the SBML file). Reaction stoichiometry information is respected but must be provided in the scalar stoichiometry field of a speciesReference element, not in a separate StoichiometryMath element. +
    • Each parameter in the SBML file, either global to the file or specific to a reaction, becomes a constant in the PRISM file. If a value for this parameter is given, it used. If not, the constant is left as undefined. +

    As described above, this translation process is designed for discrete systems and so the amount of each species in the model is represented by an integer variable. It is therefore assumed that the initial amount for each species specified in the SBML file is also given as an integer. If this is not the case, then the values will need to be scaled accordingly first. +

    +

    Furthermore, since PRISM is primarily a model checking (rather than simulation) tool, it is important that the amount of each species also has an upper bound (to ensure a finite state space). When model checking, the efficiency (or even feasibility) of the process is likely to be very sensitive to the upper bound(s) chosen. When using the discrete-event simulation functionality of PRISM, this is not the case and the bounds can can be set much higher. By default the translator uses an upper bound of 100 (which is increased if the initial amount exceeds this). A different value can specified through a second command-line argument as follows: +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml 1000 > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, upper bounds can be modified manually after the translation process. +

    +

    Finally, The following aspects of SBML files are not currently supported and are ignored during the translation process: +

    +
    • compartments +
    • events/triggers +
    +

    Explicit Model Import

    +

    It is also possible to construct models in PRISM through direct specification of their transition matrix. +The format in which this information is input to the tool is exactly the same as is currently output +(see the section "Exporting The Model" and the appendix "Explicit Model Files"). +Presently, this functionality is only supported in the command-line version of the tool, using the -importtrans switch (and more convenient -importmodel; see below). +PRISM makes some attempt to discern the model type from the format of the input files, +but if this does not work, the model type can be overwritten using the -dtmc, -ctmc and -mdp switches. +For example: +

    +
    +
    +
    prism -importtrans poll2.tra -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    Please note that this method of constructing models in PRISM is typically less efficient than using the PRISM language. +This is because PRISM is (primarily) a symbolic model checker and the underlying data structures used to represent the model +function better when there is high-level structure and regularity to exploit. +This situation can be alleviated to a certain extent by importing not just a transition matrix, +but also a definition of each state of the model in terms of a set of variables. +The format of this information is again identical to PRISM's current output format, using the -exportstates switch. +The following example shows how PRISM could be used to build, export and then re-import a model +(not a good strategy in general): +

    +
    +
    +
    prism poll2.sm -exporttrans poll2.tra -exportstates poll2.sta
    +prism -importtrans poll2.tra -importstates poll2.sta -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can also import label information using the switch -importlabels, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    where the labels file (poll2.lab above) is in the format generated by the -exportlabels export option of PRISM. +

    +

    In particular, since details about the initial state(s) of a model are not preserved in the files output from -exportstates and -exporttrans, but are included in the labels file, +-importlabels should also be used to designate a particular initial state for a model. +If not, the default is to assume a single initial state, in which all variables take their minimum value +(if -importstates is not used, the model has a a single zero-indexed variable x, and the initial state is x=0). +

    +

    Lastly, state (but currently not transition) rewards can also be imported, using the -importstaterewards switch, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -importstaterewards poll2.srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above: +

    +
    +
    +
    prism -importmodel poll2.tra,sta,lab,srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    The contents of each file is determined by its extension: +Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.lab (labels), +.srew (state rewards). +

    +

    Use the extension .all to import from all of these files: +

    +
    +
    +
    prism -importmodel poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +



    +

    +

    Configuring PRISM

    +
    +

    Introduction

    +

    The operation of PRISM can be configured in a number of ways. From the GUI, select "Options" from the main menu to bring up the "Options" dialog. The settings are grouped under several tabs. Those which affect the basic model checking functionality of the tool are under the heading "PRISM". Separate settings are available for the simulator and various aspects of the GUI (the model editor, the property editor and the log). +

    +

    User options and settings for the GUI are saved in a file locally and reused. Currently the "Options" dialog in the GUI represents the easiest way to modify the settings, but the settings file is in a simple textual format and can also be edited by hand. To restore the default options for PRISM, click "Load Defaults" and then "Save Options" from the "Options" dialog in the GUI. Alternatively, delete the settings file re-launch the GUI. The location of the settings file depends on the operating system. As of PRISM 4.5, it is stored in: +

    +
    • $HOME/.prism (if the settings file was already created by an older version of PRISM) +
    • $XDG_CONFIG_HOME/prism.settings (on Linux, if that environment variable is set) +
    • $HOME/.config/prism.settings (on Linux, if $XDG_CONFIG_HOME is not set) +
    • $HOME/Library/Preferences/prism.settings (on Mac OS) +
    • .prism in the user's home directory, e.g. C:\Documents and Settings\username (on Windows) +

    From the command-line version of PRISM, options are controlled by switches. A full list can be displayed by typing: +

    +
    +
    +
    prism -help
    +
    +
    [$[Get Code]]
    +
    + +

    For some switches, whose format is not straightforward, there is additional help available on the command-line, using -help switch. For example: +

    +
    +
    +
    prism -help const
    +prism -help simpath
    +prism -help exportresults
    +prism -help exportmodel
    +
    +
    [$[Get Code]]
    +
    + +

    The settings file is ignored by the command-line version (unlike earlier versions of PRISM, where it was used). You can, however, request that the settings file is read, using the -settings switch, e.g.: +

    +
    +
    +
    prism -settings ~/.prism
    +
    +
    [$[Get Code]]
    +
    + +

    In the following sections, we give a brief description of the most important configuration options available. +

    +
    +

    Computation Engines

    +

    Computation engines

    +

    PRISM contains four main engines, +which implement the majority of its model checking functionality: +

    +
    • "MTBDD" +
    • "sparse" +
    • "hybrid" +
    • "explicit" +

    The first three of these engines are either wholly or partly symbolic, +meaning that they use data structures such as +binary decision diagrams (BDDs) and multi-terminal BDDs (MTBDDs). +For these three engines, the process of +constructing a probabilistic model (DTMC, MDP or CTMC) +is performed in a symbolic fashion, +representing the model as an MTBDD. +Subsequent numerical computation performed during model checking, however, +is carried out differently for the three engines. +The "MTBDD" engine is implemented purely using MTBDDs and BDDs; +the "sparse" engine uses sparse matrices; +and the "hybrid" engine uses a combination of the other two. +The "hybrid" engine is described in [KNP04b]. +For detailed information about all three engines, see [Par02]. +

    +

    The fourth engine, "explicit", performs all aspects of model construction +and model checking using explicit-state data structures. +Models are typically stored as sparse matrices or variants of. +This engine is implemented purely in Java, unlike the other engines +which make use of code/libraries implemented in C/C++. +One goal of the "explicit" engine is to provide an easily extensible model +checking engine without the complication of symbolic data structures, +although it also has other benefits (see below). +

    +

    The choice of engine ("MTBDD", "sparse", "hybrid" or "engine") should not affect the results of model checking - all engines perform essentially the same calculations. In some cases, though, certain functionality is not available with all engines and PRISM will either automatically switch to an appropriate engine, or prompt you to do so. +Performance (time and space), however, may vary significantly and if you are using too much time/memory with one engine, it may be worth experimenting. Below, we briefly summarise the key characteristics of each engine. +

    +
    • The hybrid engine is enabled by default in PRISM. It uses a combination of symbolic and explicit-state data structures (as used in the MTBDD and sparse engines, respectively). In general it provides the best compromise between time and memory usage: it (almost) always uses less memory than the sparse engine, but is typically slightly slower. The size of model which can be handled with this engine is quite predictable. The limiting factor in terms of memory usage comes from the storage of 2-4 (depending on the computation being performed) arrays of 8-byte values, one for each state in the model. So, a typical PC can handle models with between 107 and 108 states (one vector for 107 states uses approximately 75 MB). +
    • The sparse engine can be a good option for smaller models where model checking takes a long time. For larger models, however, memory usage quickly becomes prohibitive. As a rule of thumb, the upper limit for this engine, in terms of model sizes which can be handled, is about a factor of 10 less than the hybrid engine. +
    • The MTBDD engine is much more unpredictable in terms of performance but, when a model exhibits a lot of structure and regularity, can be very effective. This engine has been successfully applied to extremely large structured (but non-trivial) models, in cases where the other two engines cannot be applied. The MTBDD engine often performs poorly when the model (or solutions computed from it) contain lots of distinct probabilities/rates; it performs best when there are few such values. For this reason the engine is often successfully applied to MDP models, but much less frequently to CTMCs. When using the MTBDD engine, the variable ordering of your model is especially important. This topic is covered in the FAQ section. +
    • The explicit engine is similar to the sparse engine, in that it can be a good option for relatively small models, but will not scale up to some of the models that can be handled by the hybrid or MTBDD engines. However, unlike the sparse engine, the explicit engine does not use symbolic data structures for model construction, which can be beneficial in some cases. One example is models with a potentially very large state space, only a fraction of which is actually reachable. +

    When using the PRISM GUI, the engine to be used for model checking can be selected from the "Engine" option under the "PRISM" tab of the "Options" dialog. From the command-line, engines are activated using the -mtbdd, -sparse, -hybrid and -explicit (or -m, -s, -h and -ex, respectively) switches, e.g.: +

    +
    +
    +
    prism poll2.sm -tr 1000 -m
    +prism poll2.sm -tr 1000 -s
    +prism poll2.sm -tr 1000 -h
    +prism poll2.sm -tr 1000 -ex
    +
    +
    [$[Get Code]]
    +
    + +

    Note also that precise details regarding the memory usage of the current engine are displayed during model checking (from the GUI, check the "Log" tab). This can provide valuable feedback when experimenting with different engines. +

    +

    PRISM also has some basic support for automatically selecting the engine (and other settings) heuristically, +based on the size and type of the model, and the property being checked. +Use, for example, -heuristic speed from the command-line to choose options +which target computation speed rather than saving memory. +This is also available from the "Heuristic" option under the "PRISM" tab of the "Options" dialog in the GUI. +

    +

    Approximate/statistical model checking

    +

    Although it is not treated as a separate "engine", like those above, +PRISM also provides approximate/statistical model checking, +which is based on the use of discrete-event simulation. +From the GUI, this is enabled by choosing "Simulate" menu items or tick boxes; +from the command-line, add the -sim switch. +See the "Statistical Model Checking" +section for more details. +

    +

    +

    Exact model checking

    +

    Most of PRISM's model checking functionality uses numerical solution based on floating point arithmetic and, often, this uses iterative numerical methods, which are run until some user-specified precision is reached. PRISM currently has some support for "exact" model checking, i.e., using arbitrary precision arithmetic to provide exact numerical values. Currently, this is implemented as a special case of parametric model checking, which limits is application to relatively small models. It can be used for analysing DTMCs/CTMCs (unbounded until, steady-state probabilities, reachability reward and steady-state reward) or MDPs (unbounded until and reachability rewards). You can enable this functionality using the "Do exact model checking" option in the GUI or using switch -exact from the command line. +

    +

    +

    PTA engines

    +

    The techniques used to model check PTAs are different to the ones used for DTMCs, MDPs and CTMCs. For PTAs, PRISM currently has three distinct engines that can be used: +

    +
    • The stochastic games engine uses abstraction-refinement techniques based on stochastic two-player games [KNP09c]. +
    • The digital clocks engine performs a discretisation, in the form of a language-level model translation, that reduces the problem to one of model checking over a finite-state MDP [KNPS06]. +
    • The backwards reachability engine is a zone-based method based on a backwards traversal of the state space and solution of the resulting finite-state MDP [KNSW07]. +

    The default engine for PTAs is "stochastic games". The engine to be used can be specified using the "PTA model checking method" setting in the "PRISM" options panel in the GUI. From the command-line, switch -ptamethod <name> should be used where <name> is either games, digital or backwards. +

    +

    The choice of engine for PTA model checking affects restrictions that imposed on both +the modelling language +and the types of properties that can be checked. +

    +

    Solution Methods and Options

    +

    Separately from the choice of engines, +PRISM often offers several different solution methods +that can be used for the computation of probabilities and expected costs/rewards during model checking. +Many, but not all, of these are iterative numerical methods. +The choice of method (and their settings) depends on the type of analysis that is being done (i.e., what type of model and property). +

    +

    Linear Equation Systems

    +

    For many properties of Markov chains +(e.g. "reachability"/"until" properties for DTMCs and CTMCs, steady-state properties for CTMCs and "reachability reward" properties for DTMCs), +PRISM solves a set of linear equation systems, for which several numerical methods are available. +Below is a list of the alternatives and the switches used to select them from the command-line. +The corresponding GUI option is "Linear equations method". +

    +
    • Power method: -power (or -pow, -pwr) +
    • Jacobi method: -jacobi (or -jac) +
    • Gauss-Seidel method: -gaussseidel (or -gs) +
    • Backwards Gauss-Seidel method: -bgaussseidel (or -bgs) +
    • JOR method (Jacobi with over-relaxation): -jor +
    • SOR method: -sor +
    • Backwards SOR method: -bsor +

    When using the MTBDD engine, Gauss-Seidel/SOR based methods are not available. +When using the hybrid engine, pseudo variants of Gauss-Seidel/SOR based method can also be used [Par02] +(type prism -help at the command-line for details of the corresponding switches). +For methods which use over-relaxation (JOR/SOR), the over-relaxation parameter (between 0.0 and 2.0) +can also be specified with option "Over-relaxation parameter" (switch -omega <val>). +

    +

    For options relating to convergence (of this and other iterative methods), +see the Convergence section below. +

    +

    +

    MDP Solution Methods

    +

    When analysing MDPs, there are multiple solution methods on offer. +For most of these, you can select them under the "MDP solution method" setting from the GUI, +or use the command-line switches listed below. +Currently, all except value iteration are only supported by the explicit engine. +For more details of the methods, see e.g. [FKNP11] (about probabilistic verification of MDPs) +or classic MDP texts such as [Put94]). +

    +
    • Value iteration (switch -valiter) [this is the default] +
    • Gauss Seidel (switch -gs) +
    • Policy iteration (switch -politer) +
    • Modified policy iteration (switch -modpoliter) +

    Where the methods above use iterative numerical solution, +you can also use the settings under described in the Convergence section below. +

    +

    +

    Interval Iteration

    +

    Interval iteration [HM14],[BKLPW17] is an alternative solution method for either MDPs or DTMCs +which performs two separate instances of numerical iterative solution, +one from below and one from above. This is designed to provide clearer information +about the accuracy of the computed values and avoid possible problems with premature convergence. +This can be enabled using the switch -intervaliter (or -ii) +or via the "Use interval iteration" GUI option. +A variety of options can be configured, either using +-intervaliter:option1,option2,... or by +setting the string "option1,option2,..." under "Interval iteration options" in the GUI. +Type prism -help intervaliter from the command-line for a list of the options +and see [BKLPW17] for the details. +

    +

    +

    Topological Value Iteration

    +

    Topological value iteration is a variant of value iteration which improves efficiency +by analysing the graph structure of the model and using this to update the values for +states in an alternative order which increases the speed of convergence. +Use switch -topological or GUI option "Use topological value iteration" to enable this. +In addition to standard value iteration for MDPs, the topological variant can be used to optimise +both interval iteration (see above) and the numerical solution of DTMCs. +

    +

    +

    CTMC Transient Analysis

    +

    When computing transient probabilities of a CTMC +(either directly or when verifying time-bounded operators of CSL), there are two options: +uniformisation and fast adaptive uniformisation (FAU). These can be selected using the GUI option "Transient probability computation method", or using the command-line switch -transientmethod <name>, where <name> is either unif or fau. +

    +

    Uniformisation is a standard iterative numerical method for computing transient probabilities on a CTMC, which works by reducing the problem to an analysis of a "uniformised" DTMC. +As an optimisation, when it is detected that the transient probabilities have converged, no further iterations are performed. If necessary (e.g. in case of round-off problems), this optimisation can be disabled with the "Use steady-state detection" option (command-line switch -nossdetect). +

    +

    +Fast adaptive uniformisation (FAU) [MWDH10] is a method to efficiently approximate transient properties of large CTMCs. The basic idea is that only the parts of the model that are relevant for the current time period are kept in memory. In more detail, starting with the initial states, in each step FAU +explores further states in a DTMC which is a discrete-time version of the original CTMC. By combining the +probabilities there with those of a certain continuous-time stochastic process (a birth process), transient properties in the original CTMC can be computed. If it turns out that the probability of being in some state in the DTMC is below a given threshold, this state is removed from the model explored so far. After a given number of steps, which corresponds to the number of steps which are likely to happen within the time bound, the exploration can be stopped. In the implementation in PRISM [DHK13], FAU can be used to compute transient probability distributions and to model check the following types of non-nested CSL formulas: time-bounded until, instantaneous reward, cumulative reward. +

    +

    The following options can be used to configure FAU: +

    +
    • "FAU epsilon" (switch -fauepsilon <x>): FAU analyses the DTMC for a number of iterations such that the probability of more steps being relevant is below this value. The default is 1e-6. +
    • "FAU cut off delta" (switch -faudelta <x>): States that have a lower probability than this value are discarded. The default is 1e-12. +
    • "FAU array threshold" (switch -fauarraythreshold <x>): After this number of steps without any new states being explored or discarded, FAU will switch to a faster, fixed-size data structure until further states have to be explored or discarded. The default is 100. +
    • "FAU time intervals" (switch -fauintervals <x>): In some cases, it is advantageous to divide the time interval the analysis is done for into several smaller intervals. This option dictates the number of (equal length) intervals used for this split. The default is 1, meaning that only one time interval is used. +
    • "FAU initial time interval" (switch -fauinitival <x>): It is also possible to specify an additional initial time interval which is handled separately from the rest of the time. This is often advantageous, because in this interval certain parameters of the model can be explored, which can subsequently be used to speed up the computation of the remaining time interval. The default for this option is 1.0. +

    +

    Convergence

    +

    Common to all of these methods is the way that PRISM checks convergence, i.e. decides when to terminate the iterative methods because the answers have converged sufficiently. This is done by checking when the maximum difference between elements in the solution vectors from successive iterations drops below a given threshold (or, in the case of interval iteration, if the difference of the elements in the iterations from above and below are below the threshold). +The default value for this threshold is 10-6 but it can be altered with the "Termination epsilon" option (switch -epsilon <val>). The way that the maximum difference is computed can also be varied: +either "relative" or "absolute" (the default is "relative"). This can be changed using the "Termination criteria" option (command-line switches -relative and -absolute, or -rel and -abs for short). +

    +

    Also, the maximum number of iterations performed is given an upper limit +in order to trap the cases when computation will not converge. +The default limit is 10,000 but can be changed with the "Termination max. iterations" option (switch -maxiters <val>). Computations that reach this upper limit will trigger an error during model checking to alert the user to this fact. +

    +

    Automata Generation

    +

    When PRISM performs verification of LTL formulas, it does so by converting the formula into a deterministic omega automaton (such as a Rabin automaton) and then analysing a larger product model, constructed from the model being verified and the omega automaton. For this reason, the size of the omega automaton has an important effect on the efficiency of verification. +

    +

    By default PRISM uses a port of the ltl2dstar library to construct these automata. But it also allows the use of external LTL-to-automata converters producing deterministic automata through support for the Hanoi Omega Automaton (HOA) format. From the command line, an example of this is: +

    +
    +
    +
    prism model.pm -pf "P=? [ G F x=1 ]" -ltl2datool hoa-ltl2dstar-for-prism -ltl2dasyntax lbt
    +
    +
    [$[Get Code]]
    +
    + +

    The -ltl2datool switch specifies the location of the program to be executed to perform the LTL-to-automaton conversion. This will be called by PRISM as "exec in-file out-file", where exec is the executable, in-file is the name of a file containing the LTL formula to be converted and out-file is the name of a file where the resulting automaton should be written, in HOA format. Typically, the executable will be a script. Here is a simple example (called as hoa-ltl2dstar-for-prism in the above example), which calls an external copy of ltl2dstar in the required fashion (assuming that the ltl2dstar and ltl2ba executables are located in the current directory or on the PATH). +

    +
    +
    +
    #! /bin/bash
    +ltl2dstar --output=automaton --output-format=hoa "$1" "$2"
    +
    [$[Get Code]]
    +
    + +

    PRISM is known to work with these HOA-enabled tools: +

    +

    and contains ready-made scripts for calling them in the etc/scripts/hoa directory of the distribution: +

    +
    • hoa-ltl2dstar-with-ltl2ba-for-prism
      (ltl2dstar using ltl2ba as the LTL-to-NBA tool) +
    • hoa-ltl2dstar-with-ltl2tgba-for-prism
      (ltl2dstar using Spot's ltl2tgba as the LTL-to-NBA tool +
    • hoa-ltl2dstar-with-ltl3ba-for-prism
      (ltl2dstar using LTL3BA as the LTL-to-NBA tool +
    • hoa-ltl3dra-dra-for-prism
      (ltl3dra, generating Rabin automata) +
    • hoa-ltl3dra-tdgra-for-prism
      (ltl3dra, generating transition-based generalized Rabin automata) +
    • hoa-rabinizer3-dgra-for-prism
      (Rabinizer 3, generating generalized Rabin automata) +
    • hoa-rabinizer3-dra-for-prism
      (Rabinizer 3, generating Rabin automata) +
    • hoa-rabinizer3-tdgra-for-prism
      (Rabinizer 3, generating transition-based generalized Rabin automata) +
    • hoa-rabinizer3-tdra-for-prism
      (Rabinizer 3, generating transition-based Rabin automata) +

    There are also scripts for the upcoming Rabinizer 3.1. +

    +

    See the files themselves for details of any configuration required and for a reminder of the PRISM command-line arguments required. +

    +

    The -ltl2dasyntax switch is used to specify the textual format for passing the LTL formula to the external converter (i.e., in the file out-file). The options are: +

    +
    • lbt - LBT format +
    • spin - SPIN format +
    • spot - Spot format +
    • rabinizer - Rabinizer format +

    From the GUI, configuring the external LTL converter is done with the two options +"Use external LTL->DA tool" and "LTL syntax for external LTL->DA tool". +

    +

    Another related option is "All path formulas via automata" (command-line switch -pathviaautomata), which forces construction of an automata +when computing the probability of a path formula, even if it is not needed. This is primarily intended for debugging/testing, not regular use. +

    +

    As mentioned above, PRISM's external LTL-to-automaton interfacing works using the +HOA format +(and, in particular, using the jhoafparser HOA parser. +Currently, PRISM can handle automata in HOA format that are +deterministic and complete, with state-based acceptance. +Automata with transition-based acceptance are converted to state-based acceptance by PRISM. +For DTMC and CTMC model checking, generic acceptance conditions are supported, i.e., +anything that can be specified as an Acceptance: header in HOA format. +For MDP model checking, currently Rabin and generalized Rabin acceptance +specified via the acc-name: header are supported. See the HOA format specification for details. +

    +
    +

    Other Options

    +

    Output options

    +

    To increase the amount of information displayed by PRISM (in particular, to display lists of states and probability vectors), you can use the "Verbose output" option (activated with command-line switch -verbose or -v). To display additional statistics about MTBDDs after model construction, use the "Extra MTBDD information" option (switch -extraddinfo) and, to view MTBDD sizes during the process of reachability, use option "Extra reachability information" (switch -extrareachinfo). +

    +

    Fairness

    +

    Sometimes, model checking of properties for MDPs requires fairness constraints to be taken into account. +See e.g. [BK98],[Bai98] for more information. +To enable the use of fairness constraints (for P operator properties), use the -fair switch. +

    +

    Probability/rate checks

    +

    By default, when constructing a model, PRISM checks that all probabilities and rates are within acceptable ranges (i.e. are between 0 and 1, or are non-negative, respectively). For DTMCs and MDPs, it also checks that the probabilities sum up to one for each command. These checks are often very useful for highlighting user modelling errors and it is strongly recommended that you keep them enabled, however if you need to disable them you can do so via option "do prob checks?" in the GUI or command-line switch -noprobchecks. +You can also change the level of precision used to check that probabilities sum to 1 using the option "Probability sum threshold" (or command-line switch -sumroundoff. +

    +

    CUDD memory

    +

    CUDD, the underlying BDD and MTBDD library used in PRISM has an upper memory limit. By default, this limit is 1 GB. If you are working on a machine with significantly more memory this and PRISM runs out of memory when model checking, it may help to change this. To set the limit, from the command-line, use the -cuddmaxmem switch. For example: +

    +
    +
    +
    prism -cuddmaxmem 2g big_model.pm
    +
    +
    [$[Get Code]]
    +
    + +

    Above, g denotes GB. You can also use m for MB. +You can also the CUDD maximum memory setting from the options panel in the GUI, but you will need to close and restart the GUI (saving the settings as you do) for this to take effect. +

    +

    +

    Java memory

    +

    The Java virtual machine (JVM) used to execute PRISM also has upper memory limits. Sometimes this limit will be exceeded and you will see an error of the form java.lang.OutOfMemory. To resolve this problem, you can increase this memory limit. On Unix, Linux or Mac OS X platforms, this can done by using the -javamaxmem switch, passed either to the command-line script prism or the GUI launcher xprism. For example: +

    +
    +
    +
    prism -javamaxmem 4g big_model.pm
    +xprism -javamaxmem 4g big_model.pm
    +
    +
    [$[Get Code]]
    +
    + +

    each set the limit to 4GB. Alternatively, you set the environment variable PRISM_JAVAMAXMEM before running PRISM. For example, under a bash shell: +

    +
    +
    +
    PRISM_JAVAMAXMEM=4g
    +export PRISM_JAVAMAXMEM
    +prism big_model.pm
    +
    +
    [$[Get Code]]
    +
    + +

    If you get an error of the form java.lang.StackOverflowError, then you can try increasing the stack size of the JVM. +On Unix, Linux or Mac OS X platforms, this can done by using the -javastack switch or the PRISM_JAVASTACKSIZE environment variable. +Examples are: +

    +
    +
    +
    prism -javastack 1g big_model.pm
    +xprism -javastack 1g big_model.pm
    +
    +
    [$[Get Code]]
    +
    + +

    or: +

    +
    +
    +
    PRISM_JAVASTACKSIZE=1g
    +export PRISM_JAVASTACKSIZE
    +prism big_model.pm
    +
    +
    [$[Get Code]]
    +
    + +

    If you are running PRISM on Windows you will have to do make adjustments to Java memory manually, by modifying the prism.bat or xprism.bat scripts. +To set the memory to 4GB, for example, add -Xmx4g to the list of arguments in the call to java or javaw at the end of the file. +To change the stack size to 1GB, add -Xss1g. +

    +

    Other Java options

    +

    If you want to pass additional switches to the JVM used to run PRISM, you can use the -javaparams switch. +For example: +

    +
    +
    +
    prism -javaparams "-XX:AutoBoxCacheMax=100000000 -Xmn2g" -javamaxmem 12g
    +
    +
    [$[Get Code]]
    +
    + +

    Precomputation

    +

    By default, PRISM's probabilistic model checking algorithms use an initial precomputation step which uses graph-based techniques to efficient detect trivial cases where probabilities are 0 or 1. This can often result in improved performance and also reduce round-off errors. Occasionally, though, you may want to disable this step for efficiency (e.g. if you know that there are no/few such states and the precomputation process is slow). This can be done with the -nopre switch. You can also disable the individual algorithms for probability 0/1 using switches -noprob0 and -noprob1. +

    +

    Time-outs

    +

    The command-line version of PRISM has a time-out option, specified using the switch -timeout <n>. +This causes the program to exit after <n> seconds if it has not already terminated by that point. +This is particularly useful for benchmarking scenarios where you wish to ignore runs of PRISM that exceed a certain length of time. +

    +

    +

    References

    +
    +
    • AD94: R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994. +
    • AH99 R. Alur and T. Henzinger. Reactive modules. Formal Methods in System Design, 15(1):7-48, 1999. +
    • ASSB96: A. Aziz, K. Sanwal, V. Singhal, and R. Brayton. Verifying continuous time Markov chains. In R. Alur and T. Henzinger, editors, Proc. 8th International Conference on Computer Aided Verification (CAV'96), volume 1102 of LNCS, pages 269-276. Springer, 1996. +
    • Bai98: C. Baier. On algorithmic verification methods for probabilistic systems, 1998. Habilitation thesis, Fakultät für Mathematik & Informatik, Universität Mannheim. +
    • BKLPW17: Christel Baier, Joachim Klein, Linda Leuschner, David Parker and Sascha Wunderlich. Ensuring the Reliability of Your Model Checker: Interval Iteration for Markov Decision Processes. In Proc. 28th International Conference on Computer Aided Verification (CAV'17), volume 10426 of LNCS, pages 160-180, Springer, 2017. +
    • BKH99: C. Baier, J.-P. Katoen, and H. Hermanns. Approximate symbolic model checking of continuous-time Markov chains. In J. Baeten and S. Mauw, editors, Proc. 10th International Conference on Concurrency Theory (CONCUR'99), volume 1664 of LNCS, pages 146-161. Springer, 1999. +
    • BK98: C. Baier and M. Kwiatkowska. Model checking for a probabilistic branching time logic with fairness. Distributed Computing, 11(3):125-155, 1998. +
    • BdA95: A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In P. Thiagarajan, editor, Proc. 15th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'95), volume 1026 of LNCS, pages 499-513. Springer, 1995. +
    • CHH+13: Taolue Chen, Ernst Moritz Hahn, Tingting Han, Marta Kwiatkowska, Hongyang Qu, and Lijun Zhang. Model repair for Markov decision processes. In Proc. 7th International Symposium on Theoretical Aspects of Software Engineering (TASE'13), pages 85-92. IEEE, 2013. +
    • CE81: E. Clarke and A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. Workshop on Logic of Programs, volume 131 of LNCS. Springer, 1981. +
    • DHK13: F. Dannenberg, E. M. Hahn, and M. Kwiatkowska. Computing cumulative rewards using fast adaptive uniformisation. In A. Gupta and T. Henzinger, editors, Proc. 11th Conference on Computational Methods in Systems Biology (CMSB'13), volume 8130 of LNCS, pages 33-49. Springer, 2013. +
    • FKNP11: V. Forejt, M. Kwiatkowska, G. Norman, and D. Parker. Automated verification techniques for probabilistic systems. In M. Bernardo and V. Issarny, editors, Formal Methods for Eternal Networked Software Systems (SFM'11), volume 6659 of LNCS, pages 53-113. Springer, 2011. +
    • FKN+11: V. Forejt, M. Kwiatkowska, G. Norman, D. Parker, and H. Qu. Quantitative multi-objective verification for probabilistic systems. In P. Abdulla and K. Leino, editors, Proc. 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'11), volume 6605 of LNCS, pages 112-127. Springer, 2011. +
    • FKP12: V. Forejt, M. Kwiatkowska, and D. Parker. Pareto curves for probabilistic model checking. In S. Chakraborty and M. Mukund, editors, Proc. 10th International Symposium on Automated Technology for Verification and Analysis (ATVA'12), volume 7561 of LNCS, pages 317-332. Springer, 2012. +
    • HM14: S. Haddad and B. Monmege. Reachability in MDPs: Refining convergence of value iteration. In 8th International Workshop on Reachability Problems (RP), volume 8762 of LNCS, pages 125–137, Springer. 2014. +
    • HHZ11b: E. M. Hahn, H. Hermanns, and L. Zhang. Probabilistic reachability for parametric Markov models. International Journal on Software Tools for Technology Transfer (STTT), 13(1):3-19, 2011. +
    • HHZ11: Ernst Moritz Hahn, Tingting Han, and Lijun Zhang. Synthesis for PCTL in parametric Markov decision processes. In Proc. 3rd NASA Formal Methods Symposium (NFM'11), volume 6617 of LNCS. Springer, 2011. +
    • HJ94: H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512-535, 1994. +
    • HLMP04: T. Hérault, R. Lassaigne, F. Magniette, and S. Peyronnet. Approximate probabilistic model checking. In Proc. 5th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI'04), volume 2937 of LNCS, pages 307-329. Springer, 2004. +
    • Hil96: J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996. +
    • KSK76: J. Kemeny, J. Snell, and A. Knapp. Denumerable Markov Chains. Springer-Verlag, 2nd edition, 1976. +
    • KNP04b: M. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking with PRISM: A hybrid approach. International Journal on Software Tools for Technology Transfer (STTT), 6(2):128-142, 2004. +
    • KNP07a: M. Kwiatkowska, G. Norman, and D. Parker. Stochastic model checking. In M. Bernardo and J. Hillston, editors, Formal Methods for the Design of Computer, Communication and Software Systems: Performance Evaluation (SFM'07), volume 4486 of LNCS (Tutorial Volume), pages 220-270. Springer, 2007. +
    • KNP09c: M. Kwiatkowska, G. Norman, and D. Parker. Stochastic games for verification of probabilistic timed automata. In J. Ouaknine and F. Vaandrager, editors, Proc. 7th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS'09), volume 5813 of LNCS, pages 212-227. Springer, 2009. +
    • KNPS06: M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. Formal Methods in System Design, 29:33-78, 2006. +
    • KNSW07: M. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for probabilistic timed automata. Information and Computation, 205(7):1027-1077, 2007. +
    • MWDH10: F. Didier M. Mateescu, V. Wolf and T. Henzinger. Fast adaptive uniformisation of the chemical master equation. IET Syst Biol, 4(6):441-452, 2010. +
    • Nim10: V. Nimal. Statistical Approaches for Probabilistic Model Checking. MSc Mini-project Dissertation, Oxford University Computing Laboratory, 2010. +
    • NPS13: Gethin Norman, David Parker, and Jeremy Sproston. Model checking for probabilistic timed automata. Formal Methods in System Design, 43(2):164-190, 2013. +
    • NPZ17: Gethin Norman, David Parker and Xueyi Zou. Verification and Control of Partially Observable Probabilistic Systems. Real-Time Systems, 53(3):354-402, Springer, 2017. +
    • Par02: D. Parker. Implementation of Symbolic Model Checking for Probabilistic Systems. Ph.D. thesis, University of Birmingham, 2002. +
    • Put94: M. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic Programming. John Wiley and Sons, 1994. +
    • Seg95: R. Segala. Modelling and Verification of Randomized Distributed Real Time Systems. Ph.D. thesis, Massachusetts Institute of Technology, 1995. +
    • Ste94: W. Stewart. Introduction to the Numerical Solution of Markov Chains. Princeton, 1994. +
    • YS02: H. Younes and R. Simmons. Probabilistic verification of discrete event systems using acceptance sampling. In E. Brinksma and K. Larsen, editors, Proc. 14th International Conference on Computer Aided Verification (CAV'02), volume 2404 of LNCS, pages 223-235. Springer, 2002. +



    +

    +

    Frequently Asked Questions

    +
    +

    Memory Problems

    +

    +

    PRISM crashed or stopped responding. Why?

    +
    +

    When PRISM crashes, the most likely cause is that it has run out of memory. +Similarly, if PRISM (or the machine you are running it on) becomes very slow or seems to have stopped responding, this is probably because it is using too much of your machine's memory. Probabilistic model checking, much like other formal verification techniques, can be a very resource-intensive process. It is very easy to create a seemingly simple PRISM model that requires a large amount of time and/or memory to construct and analyse. See some of the other questions in this section for tips on how to avoid this. +

    +

    The other possibility is that you have found a bug. +If PRISM crashes or freezes whilst not using all/most of the available memory (you can check this with the top command in a Unix/Linux terminal or the Task Manager (via Ctrl-Alt-Delete) on Windows) then please file a bug report. +

    +

    +

    I ran out of memory. What can I do?

    +
    +

    It depends. First, you need to establish at what point in PRISM's operation, you ran out of memory. If you are running the command-line version of PRISM then the output from the tool so far should give an indication of this. If using the GUI, check the log tab for this information. If PRISM crashed because of its memory usage, the error message can be helpful. If using the GUI, you may need to start the GUI from the command-line to see any error messages. +

    +

    The two main steps that PRISM typically has to perform are: +

    +
    1. Model construction (conversion of a PRISM language description to the corresponding probabilistic model) +
    2. Model checking/analysis (processing/analysis of a constructed probabilistic model in order to determine the result of a property or to compute steady-state/transient probabilities) +

    Memory usage issues for each of these steps are discussed in separate sections below. In some cases the process performed prior to step 1 (model parsing - reading in a model description in the PRISM language and checking it for correctness) can also be resource intensive. This is also discussed below. +

    +

    If you are using the simulator to generate approximate model checking results then step 1 (model construction) is not performed and step 2 is carried out very differently. Memory consumption is not usually a problem in this case. +

    +

    +

    I ran out of memory during model construction. What can I do?

    +
    +

    If PRISM has already output this: +

    +
    +
    Building model...
    +
    +
    [$[Get Code]]
    +
    + +

    but there is no line of the form: +

    +
    +
    Time for model construction: 34.3 seconds.
    +
    +
    [$[Get Code]]
    +
    + +

    and then you get an error like this: +

    +
    +
    #
    +# An unexpected error has been detected by Java Runtime Environment:
    +#
    +# SIGSEGV (0xb) at pc=0xb5249323, pid=19298, tid=3086363536
    +#
    +# Java VM: Java HotSpot(TM) Client VM (1.6.0-b105 mixed mode, sharing)
    +# Problematic frame:
    +# C [libdd.so+0x39323] Cudd_Ref+0xf
    +#
    +# An error report file with more information is saved as hs_err_pid19298.log
    +#
    +# If you would like to submit a bug report, please visit:
    +# http://java.sun.com/webapps/bugreport/crash.jsp
    +#
    +/home/dxp/bin/prism: line 50: 19298 Aborted "$PRISM_JAVA" #$PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
    +
    +
    [$[Get Code]]
    +
    + +

    or like this: +

    +
    +
    #
    +# An unexpected error has been detected by HotSpot Virtual Machine:
    +#
    +# EXCEPTION_ACCESS_VIOLATION (0xc0000005) at pc=0x0b1c7da3, pid=2884, tid=2544
    +#
    +# Java VM: Java HotSpot(TM) Client VM (1.5.0_06-b05 mixed mode)
    +# Problematic frame:
    +# C [dd.dll+0x7da3]
    +#
    +...
    +
    +
    [$[Get Code]]
    +
    + +

    then PRISM ran out of memory whilst trying to construct the model. +Model construction in PRISM is performed using BDDs (binary decision diagrams) and MTBDDs (multi-terminal) BDDs which are implemented in the CUDD library. +The first thing to try in this case is to increase the amount of memory available to CUDD. See the entry "CUDD memory" in the section "Configuring PRISM - Other Options" for details of this. +

    +

    If increasing this memory limit does not resolve the problem, then you will need to consider ways to reduce the size of your model. You can find some tips on this in the PRISM Modelling section. Bear in mind also that if you are having to increase the CUDD memory limit too high (e.g. close to the physical memory available on your computer) just for model construction, then it is unlikely that you will have enough memory for subsequent model checking operations. +

    +

    Finally, it is also worth considering the ordering of the modules and variables in your model since this can have a (in some cases dramatic) effect on the size of MTBDD representation of the model. This topic is covered in the "PRISM Modelling" section of this FAQ. +

    +

    +

    I ran out of memory during model checking. What can I do?

    +
    +

    If model construction was successfully completed (see previous question) but model checking was not, there are several things you can try. First of all, if the error message you see looks like the one in the previous question or you see a message such as +

    +
    +
    DD_MatrixMultiply: res is NULL
    +
    +
    [$[Get Code]]
    +
    + +

    then it may be worth increasing the memory limit for CUDD (as described above). However, if you see an error more like this: +

    +
    +
    /home/dxp/bin/prism: line 50: 3139 Aborted "$PRISM_JAVA" $PRISM_JAVAMAXMEM -Djava.awt.headless=$PRISM_HEADLESS -Djava.library.path=$PRISM_DIR/lib -classpath "$PRISM_CLASSPATH" $PRISM_MAINCLASS "$@"
    +
    +
    [$[Get Code]]
    +
    + +

    then increasing the memory CUDD probably will not help - PRISM is just trying to allocate more memory than is physically available on your system. +

    +

    Here are some general tips: +

    +
    • Try experimenting with using the different engines in PRISM. Read the section "Configuring PRISM - Computation Engines" for details. +
    • Look at the detailed output of PRISM for information about memory usage. If you are using the hybrid (or sparse) engine and the limiting factor in terms of memory is creation of the vectors, then you have no choice but to try and reduce the size (number of states) of your model. If you are using the MTBDD engine, it is also well worth considering the variable ordering of your model. Both topics are discussed in the "PRISM Modelling" section of this FAQ. +
    • Finally, if you can find no way to reduce the size of your model and are happy to consider an approximate (rather than exact) analysis, you may wish to try using PRISM's discrete-event simulation engine for analysis. +
    +

    +

    I ran out of memory during model parsing. What can I do?

    +
    +

    This is a less common problem and will only occur if the actual PRISM language description of your model is very large. This may be the case, for example, if you are automatically generating PRISM models in some way. Errors due to lack of memory during parsing usually look like: +

    +
    +
    Exception in thread "main" java.lang.OutOfMemoryError: Java heap space
    +
    +
    [$[Get Code]]
    +
    + +

    or: +

    +
    +
    Exception in thread "main" java.lang.StackOverflowError
    +
    +
    [$[Get Code]]
    +
    + +

    You can resolve this problem by increasing the memory allocated to Java. +See the entry "Java memory" in the section "Configuring PRISM - Other Options" for details of this. +

    +
    +

    PRISM Modelling

    +

    +

    What size models can PRISM handle?

    +
    +

    There is no definitive answer to this. Because of PRISM's symbolic implementation, using data structures based on binary decision diagrams (BDDs), its performance can be unpredictable in this respect. There are also several factors that affect performance, including the type of model and property being checked and the engine being used (PRISM has several different engines, which have varying performance). +

    +

    Having said that, using the default engine in PRISM (the “hybrid” engine), you can normally expect to be able to handle models with up to 10^7-10^8 states on a typical PC. Using the MTBDD engine, you may be able to analyse much larger models (on some of the PRISM case studies, for example, PRISM can do numerical analysis of models with as many as 10^10 or 10^11 states). The manual has more information about PRISM's engines. +

    +

    +

    How can I reduce the size of my model?

    +
    +

    The size of a probabilistic model (i.e. the number of states/transitions) is critical to the efficiency of performing probabilistic model checking on it, since both the time and memory required to do so are often proportional to the model size. Unfortunately, it is very easy to create models that are extremely large. Below are a few general tips for reducing model size. +

    +
    • Look for variables that have unnecessarily large ranges and try to reduce them. Even if your model needs large variables, it is generally a good strategy to first get a smaller version building successfully and then scale it up afterwards. +
    • Similarly, can you (if only temporarily) reduce the number of modules/components of your model? Start with the smallest number of components possible and then add others one by one. +
    • Do you have any inter-dependencies between variables? For example, perhaps you have some variables which are simply functions of other variables of the model. Even if these are convenient for model checking, they can be replaced with formulas or labels, which do not contribute to the state space. +
    • Do any variables include more detail than is necessary for the model? Perhaps this can be exploited in order to reduce the number of variables in your model. +
    • More generally, are any aspects of the model not relevant to the properties that you are interested in? If so, start with a simpler, more abstract version of the model and then add more details if possible. +
    +

    +

    How can I choose a good variable ordering?

    +
    +

    Because PRISM is a symbolic model checker, the amount of memory required to store the probabilistic model can vary (sometime unpredictably) according to several factors. One example is the order in which the variables of your model appear in the model file. In general, there is no definitive answer to what the best ordering is but the following heuristics are a good guide. +

    +
    • Variables which are closely related should appear close together +
    • Variables which are related to most or all other variables should appear near the start of the ordering +

    Variables x and y are "related" if, for example, the value of one is has an effect on how the other changes (e.g. (y'=x+1)) or if both appear together in an expression (e.g. a guard). +

    +

    These heuristics also apply to the ordering of modules within the model file. +

    +

    For technical details about variable ordering issues, see e.g. section 8 of [HKN+03] or section 4.1.2 of [Par02]. +

    +

    +

    How can I add deterministic time delays to a CTMC model?

    +
    +

    All delays in a CTMC need to be modelled as exponential distributions. This is what makes them efficient to analyse. If you included a transition whose delay was deterministic, i.e. which always occurred after exactly the same delay, the model would no longer be a CTMC. +

    +

    One solution to this, if your model require such a delay, is to approximate a deterministic delay with an Erlang distribution (a special case of a phase-type distribution). See for example this PRISM model: +

    +
    +
    +
    ctmc
    +
    +const int k;
    +const double mean = 10;
    +
    +module trigger
    +
    + i : [1..k+1];
    +
    + []   i < k -> k/mean : (i'=i+1);
    + [go] i = k -> k/mean : (i'=i+1);
    +
    +endmodule
    +
    +module main
    +
    + x : [0..1];
    +
    + [go] x=0 -> (x'=1);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    In the model, the occurrence of the the go-labelled action occurs with an Erlang distribution with mean mean and shape k. The special case of k=1 is just an exponential distribution. The graph below shows the probability distribution of the delay, i.e. of P=? [ F<=T x=1 ] for different values of k. +

    +
    +

    There is an obvious trade-off here between the accuracy (how close it is to modelling a deterministic time delay) and the resulting blow-up in the size of the model that you add this to. For k=1000, you can see that the shape is quite "deterministic" but this would increase your model size by a factor of ~1000. +

    +



    ---- +

    +

    Appendices

    +
    +

    Explicit Model Files

    +

    This appendix details the (plain text) file formats used by PRISM for exporting and importing models that have already been constructed, i.e., they comprise an explicit list of states, transitions, etc. making up the model, rather than a high-level model description in the PRISM modelling language. +Below, we describe: +

    +
    +

    +

    States (.sta) files

    +

    These contain an explicit list of the reachable states of a model. The first line is of the form (v1,...,vn), listing the names of all the variables in the model in the order that they appear in the PRISM model. Subsequent lines list the values of the n variables in each state of the model. Each line is of the form i:(x1,...,xn), where i is the index of the state (starting from 0) and x1,...,xn are the values of each variable in the state. States are ordered by their index, or, equivalently, lexicographically according to the tuple of variable values. +

    +

    For the example PRISM model poll2.sm, the states file looks like: +

    +
    +
    +
    (s,a,s1,s2)
    +0:(1,0,0,0)
    +1:(1,0,0,1)
    +2:(1,0,1,0)
    +3:(1,0,1,1)
    +4:(1,1,1,0)
    +5:(1,1,1,1)
    +6:(2,0,0,0)
    +7:(2,0,0,1)
    +8:(2,0,1,0)
    +9:(2,0,1,1)
    +10:(2,1,0,1)
    +11:(2,1,1,1)
    +
    [$[Get Code]]
    +
    + +
    +

    +

    Transitions (.tra) files

    +

    These contain an explicit list of the transitions making up a probabilistic model, i.e. they are essentially a sparse matrix representation of the transition probability/rate matrix. The first line of the file contains information about the size of the model, the remaining lines contain information about transitions, one per line. +

    +

    DTMCs and CTMCs +

    +

    For Markov chains the first line take the form "n m", giving the number of states (n) and the number of transitions (m). The remaining lines are of the form "i j x", where i and j are the row (source) and column (destination) indices of the transition, and x is the probability (for a DTMC) or rate (for a CTMC) of the transition. Row/column state indices are zero-indexed (i.e. between 0 and n-1). Probability/rate values are written as (positive) floating point numbers (examples: 0.5, .5, 5.6e-6, 1). +

    +

    Often, the transition lines in the file are ordered by row index and then column index, but this is optional. For a DTMC, the probabilities for the outgoing transitions of each state should sum to 1. +

    +

    Here is an example, for the (DTMC) PRISM model lec3.pm (which looks like this): +

    +
    +
    +
    6 9
    +0 1 0.5
    +0 3 0.5
    +1 0 0.5
    +1 2 0.25
    +1 4 0.25
    +2 5 1
    +3 3 1
    +4 4 1
    +5 2 1
    +
    [$[Get Code]]
    +
    + +

    and here is one for the (CTMC) PRISM model poll2.sm (which looks like this): +

    +
    +
    +
    12 22
    +0 1 0.5
    +0 2 0.5
    +0 6 200
    +1 3 0.5
    +1 7 200
    +2 3 0.5
    +2 4 200
    +3 5 200
    +4 5 0.5
    +4 6 1
    +5 7 1
    +6 0 200
    +6 7 0.5
    +6 8 0.5
    +7 9 0.5
    +7 10 200
    +8 2 200
    +8 9 0.5
    +9 11 200
    +10 0 1
    +10 11 0.5
    +11 2 1
    +
    [$[Get Code]]
    +
    + +

    MDPs (or PAs) +

    +

    For MDPs, the format is an extension of the above +To clarify terminology: each state of the MDP contains (nondeterministic) choices, each of which is essentially a probability distribution over successor states that we can view as a set of transitions. Optionally, each choice can be labelled with an action. +

    +

    The first line of the file take the form "n c m", giving the number of states (n), the total number of choices (c) and the total number of transitions (m). The remaining lines are of the form "i k j x" or "i k j x a", where i and j are the row (source) and column (destination) indices of the transition, k is the index of the choice that it belongs to, and x is the probability of the transition. a is optional and gives the action label for the choice of the transition. Action labels can be present for some, all or no states but, in slightly redundant fashion, the action labels, if present, must be the same for all transitions belonging to the same choice. +

    +

    Row/column state indices and choice indices are all zero-indexed. Probability values (as above) are written as (positive) floating point numbers and should sum to 1 for each choice. Often, the transition lines in the file are ordered by row index, then choice index and then column index, but this is optional. +

    +

    Here is an example, for the (MDP) PRISM model lec12mdp.nm (which looks like this): +

    +
    +
    +
    4 5 7
    +0 0 1 1
    +1 0 0 0.7
    +1 0 1 0.3
    +1 1 2 0.5
    +1 1 3 0.5
    +2 0 2 1
    +3 0 3 1
    +
    [$[Get Code]]
    +
    + +

    and here is an action-labelled version of the same model, lec12mdpa.nm (which looks like this): +

    +
    +
    +
    4 5 7
    +0 0 1 1 a
    +1 0 2 0.5 c
    +1 0 3 0.5 c
    +1 1 0 0.7 b
    +1 1 1 0.3 b
    +2 0 2 1 a
    +3 0 3 1 a
    +
    [$[Get Code]]
    +
    + +
    +

    +

    Transitions (.tra) files (row form)

    +

    There is alternative format for transition matrices (see the -exportrows switch) where transitions for each state/choice are collated on a single line. +

    +

    Here is the result for the lec3.pm example from above (a DTMC): +

    +
    +
    +
    6 9
    +0 0.5:1 0.5:3
    +1 0.5:0 0.25:2 0.25:4
    +2 1:5
    +3 1:3
    +4 1:4
    +5 1:2
    +
    [$[Get Code]]
    +
    + +

    for the lec12mdp.nm example (an MDP): +

    +
    +
    +
    4 5 7
    +0 1:1
    +1 0.7:0 0.3:1
    +1 0.5:2 0.5:3
    +2 1:2
    +3 1:3
    +
    [$[Get Code]]
    +
    + +

    and for the lec12mdpa.nm example (an MDP with actions): +

    +
    +
    +
    4 5 7
    +0 1:1 a
    +1 0.5:2 0.5:3 c
    +1 0.7:0 0.3:1 b
    +2 1:2 a
    +3 1:3 a
    +
    [$[Get Code]]
    +
    + +
    +

    +

    Labels (.lab) files

    +

    These contain an explicit list of which labels are satisfied in each state. +The first line lists the labels, assigning each one an index. +The remaining lines list indices of all states satisfying one or more labels, +followed by a list of the the indices of labels that that are satisfied in it. +This includes the built-in labels "init" (initial states) and deadlock (deadlock states). +An example is shown below, where, for example, both "heads" and "end" are satisfied in state 2. +

    +
    +
    +
    0="init" 1="deadlock" 2="heads" 3="tails" 4="end"
    +0: 0
    +2: 2 4
    +3: 3 4
    +
    [$[Get Code]]
    +
    + +
    +

    +

    State rewards (.srew) files

    +

    Reward files contain an (optional) header, giving the name of the reward structure that generated it +and the type of rewards (state or transitions) stored in the file. +For state rewards, the information following this header is an explicit list of the (non-zero) state rewards. +The first line is of the form n m where n is the number of states in the model and m is the number of non-zero state rewards. +The following m lines are of the form i r, denoting that the state reward for state i is r. +

    +

    For the lec3.pm (6-state) DTMC example from above, we get rewards in 3 states (0, 4 and 5): +

    +
    +
    +
    # Reward structure "r"
    +# State rewards
    +6 3
    +0 2
    +4 1
    +5 1
    +
    [$[Get Code]]
    +
    + +
    +

    +

    Transition rewards (.trew) files

    +

    Files containing transition rewards, like those for state rewards, start with an (optional) header. +The rest of the file is formatted identically to transitions files (see above), +except that probabilities/rates are replaced with reward values, +and the number of transitions (the last number on the first line) is replaced with the number of non-zero transition rewards. +

    +

    For the lec3.pm (6-state) DTMC example from above, we get non-zero transition rewards on 4 transitions: +

    +
    +
    +
    # Reward structure: "r"
    +# Transition rewards
    +6 4
    +1 0 1
    +1 2 1
    +1 4 1
    +2 5 2
    +
    [$[Get Code]]
    +
    + +

    And or the lec12mdpa.nm (4-state) MDP example, we get non-zero transition rewards on 4 transitions: +

    +
    +
    +
    # Reward structure: "r"
    +# Transition rewards
    +4 5 4
    +1 0 2 6
    +1 0 3 6
    +1 1 0 5
    +1 1 1 5
    +
    [$[Get Code]]
    +
    + +



    +

    +
    + + + + diff --git a/manual/Main/Contents.html b/manual/Main/Contents.html index 781de3e319..fba4dfbfa6 100644 --- a/manual/Main/Contents.html +++ b/manual/Main/Contents.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    @@ -165,7 +314,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -174,5 +323,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/Contents@action=edit.html b/manual/Main/Contents@action=edit.html new file mode 100644 index 0000000000..5d4260bce2 --- /dev/null +++ b/manual/Main/Contents@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / Contents | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Contents

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Contents@action=login.html b/manual/Main/Contents@action=login.html new file mode 100644 index 0000000000..7d21fd174b --- /dev/null +++ b/manual/Main/Contents@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / Contents | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Contents

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Contents@action=print.html b/manual/Main/Contents@action=print.html new file mode 100644 index 0000000000..da58f609e8 --- /dev/null +++ b/manual/Main/Contents@action=print.html @@ -0,0 +1,150 @@ + + + + + + +PRISM Manual | Main / Contents + + + + + + + + + + + + + + + + + + +

    Main / +

    Contents

    + + + + + + + diff --git a/manual/Main/Introduction.html b/manual/Main/Introduction.html index fa1fe5491c..9c250d79af 100644 --- a/manual/Main/Introduction.html +++ b/manual/Main/Introduction.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -114,6 +248,12 @@ @@ -122,6 +262,13 @@
    + +
    @@ -137,7 +284,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -146,5 +293,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/Introduction@action=edit.html b/manual/Main/Introduction@action=edit.html new file mode 100644 index 0000000000..cc82e6b954 --- /dev/null +++ b/manual/Main/Introduction@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / Introduction | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Introduction@action=login.html b/manual/Main/Introduction@action=login.html new file mode 100644 index 0000000000..c0aa05e166 --- /dev/null +++ b/manual/Main/Introduction@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / Introduction | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Introduction@action=print.html b/manual/Main/Introduction@action=print.html new file mode 100644 index 0000000000..22340cf3c7 --- /dev/null +++ b/manual/Main/Introduction@action=print.html @@ -0,0 +1,120 @@ + + + + + + +PRISM Manual | Main / Introduction + + + + + + + + + + + + + + + + + + +

    Main / +

    Introduction

    + + +
    +

    PRISM is a probabilistic model checker, +a tool for the modelling and analysis of systems which exhibit probabilistic behaviour. +Probabilistic model checking is a formal verification technique. +It is based on the construction of a precise mathematical model of a system which is to be analysed. +Properties of this system are then expressed formally in temporal logic +and automatically analysed against the constructed model. +

    +

    PRISM has support for a wide range of probabilistic models: +

    +
    • discrete-time Markov chains (DTMCs) +
    • continuous-time Markov chains (CTMCs) +
    • Markov decision processes (MDPs) +
    • probabilistic timed automata (PTAs) +
    • partially observable Markov decision processes (POMDPs) +
    • partially observable probabilistic timed automata (POPTAs) +

    In fact, PRISM's support for MDPs extends to the more general model of +probabilistic automata (PAs) [Seg95], which does not require unique action names in each state. +For background material on these models, look at the pointers to +resources +on the PRISM web site. +

    +

    PRISM also supports non-probabilistic models, notably labelled transition systems (LTSs). +

    +

    Models are supplied to the tool by writing descriptions in the PRISM language, a simple, high-level modelling language. +

    +

    Properties of these models are written in the PRISM property specification language which is based on temporal logic. It incorporates several well-known probabilistic temporal logics: +

    +
    • PCTL (probabilistic computation tree logic), +
    • CSL (continuous stochastic logic), +
    • (probabiistic) LTL (linear time logic), +
    • PCTL* (which subsumes both PCTL and LTL). +

    The property language also supports costs and rewards, "numerical" properties, several other custom features and extensions, and also also incorporates the non-probabilistic temporal logics CTL (computation tree logic) and LTL. +

    +

    PRISM performs probabilistic model checking, based on exhaustive search and numerical solution, to automatically analyse such properties. It also contains a discrete-event simulation engine for approximate model checking. +

    +
    + + + + diff --git a/manual/Main/Main.html b/manual/Main/Main.html index 6c7c71c3a2..8552ac7565 100644 --- a/manual/Main/Main.html +++ b/manual/Main/Main.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -78,7 +212,7 @@ This document is the main source of information regarding the installation and operation of the PRISM tool. For access to other resources, such as related publications and details of case studies, or to download the tool itself, see the main PRISM website.

    Which version of PRISM does this manual describe?

    -

    This manual describes version 4.7. +

    This manual describes version 4.8. In general, the online copy of the manual corresponds to the most recent publically available version of PRISM (including beta versions). @@ -103,6 +237,12 @@

    @@ -111,6 +251,13 @@
    + +
    @@ -126,7 +273,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -135,5 +282,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/References.html b/manual/Main/References.html index e192bee0db..d095807d03 100644 --- a/manual/Main/References.html +++ b/manual/Main/References.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -115,6 +249,12 @@ @@ -123,6 +263,13 @@
    + +
    @@ -138,7 +285,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -147,5 +294,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/References@action=edit.html b/manual/Main/References@action=edit.html new file mode 100644 index 0000000000..178a771325 --- /dev/null +++ b/manual/Main/References@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / References | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    References

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/References@action=login.html b/manual/Main/References@action=login.html new file mode 100644 index 0000000000..8351412a07 --- /dev/null +++ b/manual/Main/References@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / References | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    References

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/References@action=print.html b/manual/Main/References@action=print.html new file mode 100644 index 0000000000..40b6e75058 --- /dev/null +++ b/manual/Main/References@action=print.html @@ -0,0 +1,121 @@ + + + + + + +PRISM Manual | Main / References + + + + + + + + + + + + + + + + + + +

    Main / +

    References

    + + +
    +
    • AD94: R. Alur and D. Dill. A theory of timed automata. Theoretical Computer Science, 126:183-235, 1994. +
    • AH99 R. Alur and T. Henzinger. Reactive modules. Formal Methods in System Design, 15(1):7-48, 1999. +
    • ASSB96: A. Aziz, K. Sanwal, V. Singhal, and R. Brayton. Verifying continuous time Markov chains. In R. Alur and T. Henzinger, editors, Proc. 8th International Conference on Computer Aided Verification (CAV'96), volume 1102 of LNCS, pages 269-276. Springer, 1996. +
    • Bai98: C. Baier. On algorithmic verification methods for probabilistic systems, 1998. Habilitation thesis, Fakultät für Mathematik & Informatik, Universität Mannheim. +
    • BKLPW17: Christel Baier, Joachim Klein, Linda Leuschner, David Parker and Sascha Wunderlich. Ensuring the Reliability of Your Model Checker: Interval Iteration for Markov Decision Processes. In Proc. 28th International Conference on Computer Aided Verification (CAV'17), volume 10426 of LNCS, pages 160-180, Springer, 2017. +
    • BKH99: C. Baier, J.-P. Katoen, and H. Hermanns. Approximate symbolic model checking of continuous-time Markov chains. In J. Baeten and S. Mauw, editors, Proc. 10th International Conference on Concurrency Theory (CONCUR'99), volume 1664 of LNCS, pages 146-161. Springer, 1999. +
    • BK98: C. Baier and M. Kwiatkowska. Model checking for a probabilistic branching time logic with fairness. Distributed Computing, 11(3):125-155, 1998. +
    • BdA95: A. Bianco and L. de Alfaro. Model checking of probabilistic and nondeterministic systems. In P. Thiagarajan, editor, Proc. 15th Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS'95), volume 1026 of LNCS, pages 499-513. Springer, 1995. +
    • CHH+13: Taolue Chen, Ernst Moritz Hahn, Tingting Han, Marta Kwiatkowska, Hongyang Qu, and Lijun Zhang. Model repair for Markov decision processes. In Proc. 7th International Symposium on Theoretical Aspects of Software Engineering (TASE'13), pages 85-92. IEEE, 2013. +
    • CE81: E. Clarke and A. Emerson. Design and synthesis of synchronization skeletons using branching time temporal logic. In Proc. Workshop on Logic of Programs, volume 131 of LNCS. Springer, 1981. +
    • DHK13: F. Dannenberg, E. M. Hahn, and M. Kwiatkowska. Computing cumulative rewards using fast adaptive uniformisation. In A. Gupta and T. Henzinger, editors, Proc. 11th Conference on Computational Methods in Systems Biology (CMSB'13), volume 8130 of LNCS, pages 33-49. Springer, 2013. +
    • FKNP11: V. Forejt, M. Kwiatkowska, G. Norman, and D. Parker. Automated verification techniques for probabilistic systems. In M. Bernardo and V. Issarny, editors, Formal Methods for Eternal Networked Software Systems (SFM'11), volume 6659 of LNCS, pages 53-113. Springer, 2011. +
    • FKN+11: V. Forejt, M. Kwiatkowska, G. Norman, D. Parker, and H. Qu. Quantitative multi-objective verification for probabilistic systems. In P. Abdulla and K. Leino, editors, Proc. 17th International Conference on Tools and Algorithms for the Construction and Analysis of Systems (TACAS'11), volume 6605 of LNCS, pages 112-127. Springer, 2011. +
    • FKP12: V. Forejt, M. Kwiatkowska, and D. Parker. Pareto curves for probabilistic model checking. In S. Chakraborty and M. Mukund, editors, Proc. 10th International Symposium on Automated Technology for Verification and Analysis (ATVA'12), volume 7561 of LNCS, pages 317-332. Springer, 2012. +
    • HM14: S. Haddad and B. Monmege. Reachability in MDPs: Refining convergence of value iteration. In 8th International Workshop on Reachability Problems (RP), volume 8762 of LNCS, pages 125–137, Springer. 2014. +
    • HHZ11b: E. M. Hahn, H. Hermanns, and L. Zhang. Probabilistic reachability for parametric Markov models. International Journal on Software Tools for Technology Transfer (STTT), 13(1):3-19, 2011. +
    • HHZ11: Ernst Moritz Hahn, Tingting Han, and Lijun Zhang. Synthesis for PCTL in parametric Markov decision processes. In Proc. 3rd NASA Formal Methods Symposium (NFM'11), volume 6617 of LNCS. Springer, 2011. +
    • HJ94: H. Hansson and B. Jonsson. A logic for reasoning about time and reliability. Formal Aspects of Computing, 6(5):512-535, 1994. +
    • HLMP04: T. Hérault, R. Lassaigne, F. Magniette, and S. Peyronnet. Approximate probabilistic model checking. In Proc. 5th International Conference on Verification, Model Checking and Abstract Interpretation (VMCAI'04), volume 2937 of LNCS, pages 307-329. Springer, 2004. +
    • Hil96: J. Hillston. A Compositional Approach to Performance Modelling. Cambridge University Press, 1996. +
    • KSK76: J. Kemeny, J. Snell, and A. Knapp. Denumerable Markov Chains. Springer-Verlag, 2nd edition, 1976. +
    • KNP04b: M. Kwiatkowska, G. Norman, and D. Parker. Probabilistic symbolic model checking with PRISM: A hybrid approach. International Journal on Software Tools for Technology Transfer (STTT), 6(2):128-142, 2004. +
    • KNP07a: M. Kwiatkowska, G. Norman, and D. Parker. Stochastic model checking. In M. Bernardo and J. Hillston, editors, Formal Methods for the Design of Computer, Communication and Software Systems: Performance Evaluation (SFM'07), volume 4486 of LNCS (Tutorial Volume), pages 220-270. Springer, 2007. +
    • KNP09c: M. Kwiatkowska, G. Norman, and D. Parker. Stochastic games for verification of probabilistic timed automata. In J. Ouaknine and F. Vaandrager, editors, Proc. 7th International Conference on Formal Modelling and Analysis of Timed Systems (FORMATS'09), volume 5813 of LNCS, pages 212-227. Springer, 2009. +
    • KNPS06: M. Kwiatkowska, G. Norman, D. Parker, and J. Sproston. Performance analysis of probabilistic timed automata using digital clocks. Formal Methods in System Design, 29:33-78, 2006. +
    • KNSW07: M. Kwiatkowska, G. Norman, J. Sproston, and F. Wang. Symbolic model checking for probabilistic timed automata. Information and Computation, 205(7):1027-1077, 2007. +
    • MWDH10: F. Didier M. Mateescu, V. Wolf and T. Henzinger. Fast adaptive uniformisation of the chemical master equation. IET Syst Biol, 4(6):441-452, 2010. +
    • Nim10: V. Nimal. Statistical Approaches for Probabilistic Model Checking. MSc Mini-project Dissertation, Oxford University Computing Laboratory, 2010. +
    • NPS13: Gethin Norman, David Parker, and Jeremy Sproston. Model checking for probabilistic timed automata. Formal Methods in System Design, 43(2):164-190, 2013. +
    • NPZ17: Gethin Norman, David Parker and Xueyi Zou. Verification and Control of Partially Observable Probabilistic Systems. Real-Time Systems, 53(3):354-402, Springer, 2017. +
    • Par02: D. Parker. Implementation of Symbolic Model Checking for Probabilistic Systems. Ph.D. thesis, University of Birmingham, 2002. +
    • Put94: M. Puterman. Markov Decision Processes: Discrete Stochastic Dynamic Programming. John Wiley and Sons, 1994. +
    • Seg95: R. Segala. Modelling and Verification of Randomized Distributed Real Time Systems. Ph.D. thesis, Massachusetts Institute of Technology, 1995. +
    • Ste94: W. Stewart. Introduction to the Numerical Solution of Markov Chains. Princeton, 1994. +
    • YS02: H. Younes and R. Simmons. Probabilistic verification of discrete event systems using acceptance sampling. In E. Brinksma and K. Larsen, editors, Proc. 14th International Conference on Computer Aided Verification (CAV'02), volume 2404 of LNCS, pages 223-235. Springer, 2002. +
    +
    + + + + diff --git a/manual/Main/Search.html b/manual/Main/Search.html index d4dbb83ab2..0c0c791ff4 100644 --- a/manual/Main/Search.html +++ b/manual/Main/Search.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -74,15 +208,13 @@
    -
    +

    A search for more than one word will find pages that contain all of the words. Use quotation marks to search for a phrase. Also use quotes for text with punctuation or special characters.

    To limit your search to a single group, enter the group name followed by a slash at the beginning of the search string (e.g., "PmWiki/" or "Main/"). To list all pages, enter a slash for the search.

    -

    Search examples

    +

    Search examples

    @@ -103,6 +235,12 @@ @@ -111,6 +249,13 @@ + + @@ -126,7 +271,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -135,5 +280,8 @@

    PRISM Manual

    + + diff --git a/manual/Main/Search@action=edit.html b/manual/Main/Search@action=edit.html new file mode 100644 index 0000000000..03fce746da --- /dev/null +++ b/manual/Main/Search@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / Search | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + + + + + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Search

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Search@action=login.html b/manual/Main/Search@action=login.html new file mode 100644 index 0000000000..58fa6e1aca --- /dev/null +++ b/manual/Main/Search@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / Search | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + + + + + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Search

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Search@action=print.html b/manual/Main/Search@action=print.html new file mode 100644 index 0000000000..51595a36f5 --- /dev/null +++ b/manual/Main/Search@action=print.html @@ -0,0 +1,107 @@ + + + + + + +PRISM Manual | Main / Search + + + + + + + + + + + + + + + + + + +

    Main / +

    Search

    + + +
    +
    +

    A search for more than one word will find pages that contain all of the words. +Use quotation marks to search for a phrase. Also use quotes for text with punctuation or special characters. +

    +

    To limit your search to a single group, enter the group name followed by a slash at the beginning of the search string (e.g., "PmWiki/" or "Main/"). To list all pages, enter a slash for the search. +

    +

    Search examples

    +
    EnterTo find pages containing
    apple pieboth 'apple' and 'pie'
    "apple pie"the phrase 'apple pie'
    + + + + + + + + + + +
    EnterTo find pages containing
    apple pieboth 'apple' and 'pie'
    "apple pie"the phrase 'apple pie'
    pmwiki/apple'apple' in the PmWiki group
    "pmwiki/apple"the phrase 'pmwiki/apple' in all groups
    apple -pie'apple', omitting those containing 'pie'
    food -"apple pie"'food', omitting those containing 'apple pie'
    apple "-pie"the words 'apple' and '-pie'
    apple - pie'apple', '-', and 'pie'
    "pie:"the word 'pie' with a colon
    "pie=tasty"the phrase 'pie=tasty'
    +

    Some special characters need to be enclosed in quotes, including the colon (:), equals sign (=), single quote (') and double quote("). +

    +
    +
    + + + + diff --git a/manual/Main/Welcome.html b/manual/Main/Welcome.html new file mode 100644 index 0000000000..8552ac7565 --- /dev/null +++ b/manual/Main/Welcome.html @@ -0,0 +1,289 @@ + + + + + + + + +PRISM Manual | Main / Welcome + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Welcome

    + +
    + +
    +

    Welcome to the manual for PRISM. +This document is the main source of information regarding the installation and operation of the PRISM tool. For access to other resources, such as related publications and details of case studies, or to download the tool itself, see the main PRISM website. +

    +

    Which version of PRISM does this manual describe?

    +

    This manual describes version 4.8. +In general, the online copy of the manual corresponds to the most recent +publically available +version of PRISM (including beta versions). +If you need the manual for an older version of PRISM, +use the version included in that distribution. +

    +

    How do I search the manual?

    +

    This documentation is continuously updated and is best viewed online. If you are reading this online, you can use the built-in search facility (there is a link in the grey box at the top of each page). For a nicer search interface (but possibly not 100% up-to-date index), you can also search with Google, using the search box in the banner at the top of the site. +

    +

    If you are browsing these pages off-line, for example using the copy distributed with the tool, you can view the whole manual on one page and use the search functionality of your browser. +

    +

    How do I print the manual?

    +

    To print an individual page of the manual click on the "Print" link at the top-right hand corner of the page (in the online version) and print the page from your web browser. You can also print an entire section (see the "View all" link under the contents on the left) or the entire manual in this way. +

    +

    More questions?

    +

    If you have a question about PRISM and you cannot find the answer in this manual, please use the discussion group provided. Check the +support +section of the PRISM website for details. +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Welcome@action=edit.html b/manual/Main/Welcome@action=edit.html new file mode 100644 index 0000000000..bf7e5feadf --- /dev/null +++ b/manual/Main/Welcome@action=edit.html @@ -0,0 +1,273 @@ + + + + + + + + +PRISM Manual | Main / Welcome | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Welcome

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Welcome@action=login.html b/manual/Main/Welcome@action=login.html new file mode 100644 index 0000000000..1f40290d42 --- /dev/null +++ b/manual/Main/Welcome@action=login.html @@ -0,0 +1,271 @@ + + + + + + + + +PRISM Manual | Main / Welcome | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Main / +

    Welcome

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/Main/Welcome@action=print.html b/manual/Main/Welcome@action=print.html new file mode 100644 index 0000000000..7ed3c844ed --- /dev/null +++ b/manual/Main/Welcome@action=print.html @@ -0,0 +1,109 @@ + + + + + + +PRISM Manual | Main / Welcome + + + + + + + + + + + + + + + + + + +

    Main / +

    Welcome

    + + +
    +

    Welcome to the manual for PRISM. +This document is the main source of information regarding the installation and operation of the PRISM tool. For access to other resources, such as related publications and details of case studies, or to download the tool itself, see the main PRISM website. +

    +

    Which version of PRISM does this manual describe?

    +

    This manual describes version 4.8. +In general, the online copy of the manual corresponds to the most recent +publically available +version of PRISM (including beta versions). +If you need the manual for an older version of PRISM, +use the version included in that distribution. +

    +

    How do I search the manual?

    +

    This documentation is continuously updated and is best viewed online. If you are reading this online, you can use the built-in search facility (there is a link in the grey box at the top of each page). For a nicer search interface (but possibly not 100% up-to-date index), you can also search with Google, using the search box in the banner at the top of the site. +

    +

    If you are browsing these pages off-line, for example using the copy distributed with the tool, you can view the whole manual on one page and use the search functionality of your browser. +

    +

    How do I print the manual?

    +

    To print an individual page of the manual click on the "Print" link at the top-right hand corner of the page (in the online version) and print the page from your web browser. You can also print an entire section (see the "View all" link under the contents on the left) or the entire manual in this way. +

    +

    More questions?

    +

    If you have a question about PRISM and you cannot find the answer in this manual, please use the discussion group provided. Check the +support +section of the PRISM website for details. +

    +
    + + + + diff --git a/manual/PropertySpecification/AllOnOnePage.html b/manual/PropertySpecification/AllOnOnePage.html index 79fffccc09..26d865fb82 100644 --- a/manual/PropertySpecification/AllOnOnePage.html +++ b/manual/PropertySpecification/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / AllOnOnePage +PRISM Manual | Property Specification / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -640,7 +774,7 @@

    Reward-based Properties

    -
    R=? [ F (goal=1 & F goal2) ]
    +
    R=? [ F (goal=1 & F goal=2) ]
    [$[Get Code]]
    @@ -783,9 +917,9 @@

    Multi-objective Properties

    [$[Get Code]]
    -

    This states that, for all adversaries of the MDP, the probability of reaching an "error" state is less than 0.01. +

    This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01.

    -

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of an adversary. Secondly they refer to multiple properties of an adversary. For example: +

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example:

    @@ -794,9 +928,9 @@

    Multi-objective Properties

    [$[Get Code]]
    -

    means: "does there exist an adversary of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

    means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?"

    -

    To use the terminology from [FKP12], the above is an "achievability" query (i.e. is this combination of objectives achievable by some adversary?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

    To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries.

    A "numerical" query looks like:

    @@ -807,7 +941,7 @@

    Multi-objective Properties

    [$[Get Code]]
    -

    meaning "what is the minimum possible probability of reaching "error1", over all adversaries of the MDP for which the probability of reaching "error2" is less than 0.02?". +

    meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?".

    A "Pareto" queries leaves both of the objectives unbounded, e.g.:

    @@ -966,6 +1100,45 @@

    Partially Observable Models

    (that strict or diagonal clock comparisons are not allowed). However for POPTAs, time-bounded probabilistic reachability is also supported.

    +

    Uncertain Models

    +

    For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

    +

    For example, instead of a property for a DTMC such as +

    +
    +
    +
    P=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

    +
    +
    +
    Pmin=? [ F "goal" ]
    +Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which compute the minimum or maximum possible probability that can arise. +

    +

    Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

    +
    +
    +
    Pmaxmin=? [ F "goal" ]
    +Pmaxmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

    +
    • the P operator, for next and bounded/unbounded until/reachability properties +
    • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +

    Non-Probabilistic Properties

    PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). Properties in these logics use the A (for all) and E (there exists) operators, @@ -974,11 +1147,11 @@

    Non-Probabilistic Properties

    Properties take the form:

    -
    +
    A [ pathprop ]
    E [ pathprop ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    which are true in a state s of a model if @@ -991,7 +1164,7 @@

    Non-Probabilistic Properties

    Example properties include:

    -
    +
    E [ F "goal" ] // There exists a path that reaches a state satisfying "goal"

    A [ G x<=10 ] // Variable x is always at most 10 along all paths of the model
    @@ -1000,7 +1173,7 @@

    Non-Probabilistic Properties


    A [ (G F x=1) | (G F x=2) ] // Along all paths, either x=1 or x=2 is true infinitely often
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Counterexamples and Witnesses

    @@ -1029,10 +1202,10 @@

    Syntax

    This allows you to write any property expressible in logics such as PCTL and CSL. For example, CSL allows you to nest P and S operators:

    -
    +
    P=? [ F>2 S>0.9[ num_servers >= 5 ] ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the probability of it taking more than 2 hours to get to a state from which the long-run probability of at least 5 servers being operational is >0.9" @@ -1040,28 +1213,28 @@

    Syntax

    You can also express various arithmetic expressions such as:

    -
    +
    1 - P=? [ F[3600,7200] oper ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the probability that the system is not operational at any point during the second hour of operation"

    -
    +
    R{"oper"}=? [ C<=t ] / t
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the expected fraction of time that the system is available (i.e. the expected interval availability) in the time interval [0, t]"

    -
    +
    P=? [ F fail_A ] / P=? [ F any_fail ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    "the (conditional) probability that component A eventually fails, given @@ -1073,20 +1246,20 @@

    Syntax

    It is worth, however, clarifying a few points specific to PRISM. A property is evaluated with respect to a particular state of a model. Depending on the type of the property, this value may either be a Boolean, an integer or a double. When performing model checking, PRISM usually has to actually compute the value for all states of the model but, for clarity, will by default report just a single value. Typically, this is the value for the (single) initial state of the model. For example, this:

    -
    +
    P=? [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    will report the probability, from the initial state of the model, of reaching an "error" state. This:

    -
    +
    P>0.5 [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    will return true if and only if the probability, from the initial state, is greater than 0.5. @@ -1106,10 +1279,10 @@

    Filters

    Filters are created using the filter keyword. They take the following form:

    -
    +
    filter(op, prop, states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where op is the filter operator (see below), prop is any PRISM property and states is a Boolean-valued expression identifying a set of states over which to apply the filter. @@ -1117,20 +1290,20 @@

    Filters

    In fact, the states argument is optional; if omitted, the filter is applied over all states. So, the following properties are equivalent:

    -
    +
    filter(op, prop)
    filter(op, prop, true)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Here's a simple example of a filter:

    -
    +
    filter(max, P=? [ F "error" ], x=0)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    This gives the maximum value, starting from any state satisfying x=0, of the probability of reaching an "error" state. @@ -1140,20 +1313,20 @@

    Filters

    we eventually reach a "done" state with probability 1.

    -
    +
    filter(forall, P>=1 [ F "done" ])
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    We could modify this property slightly to instead check whether, from any state that satisfies the label "ready", we eventually reach a "done" state with probability 1. This could be done with either of the following two equivalent properties:

    -
    +
    filter(forall, "ready" => P>=1 [ F "done" ])
    filter(forall, P>=1 [ F "done" ], "ready")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Note: In older versions of PRISM, the property above could be written just as "ready" => P>=1 [ F "done" ] since the result was checked for all states by default, not just the initial state. Now, you need to explicitly include a filter, as shown above, to achieve this. @@ -1187,10 +1360,10 @@

    Filters

    Filters provide a quick way to print the results of a model checking query for several states. In most cases, for example, a P=? query just returns the probability from the initial state. To see the probability for all states satisfying x>2, use:

    -
    +
    filter(print, P=? [ ... ], x>2)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Values are printed in the log (i.e. to the "Log" tab in the GUI or to the terminal from the command-line). For small models, you could omit the final states argument (x>2 here) and view the probabilities from all states. You can also use PRISM's verbose mode to view values for all states, but filters provide an easier and more flexible solution. @@ -1199,10 +1372,10 @@

    Filters

    You can also use print filters to display lists of states. For example, this property:

    -
    +
    filter(print, filter(argmax, P=? [ F "error" ]))
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    prints the states which have the highest probability of reaching an error state. @@ -1211,10 +1384,10 @@

    Filters

    Another common use of filters is to display the value for a particular state of the model (rather than the initial state, which is used by default). To achieve this, use e.g.:

    -
    +
    filter(state, P=? [ F "error" ], x=2&y=3)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where x=2&y=3 is assumed to specify one particular state. @@ -1223,20 +1396,20 @@

    Filters

    Filters can also be built up into more complex expressions. For example, the following two properties are equivalent:

    -
    +
    filter(avg, P=? [ F "error" ], "init")
    filter(sum, P=? [ F "error" ], "init") / filter(count, "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The range filter, unlike most PRISM expressions which are of type Boolean, integer or double, actually returns an interval: a pair of integers or doubles. For example:

    -
    +
    filter(range, P=? [ F count=10 ], count=0)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    gives the range of all possible values for the probability of reach a state satisfying count=10, from all states satisfying count=0. @@ -1246,34 +1419,34 @@

    Filters

    In older versions of PRISM, filters were also available, but in a less expressive form. Previously, they were only usable on P, S or R properties and only a small set of filter operators were permitted. They were also specified in a different way, using braces ({...}). For compatibility with old properties files (and for compactness), these forms of filters are still allowed. These old-style forms of filters:

    -
    +
    P=? [ pathprop {states} ]
    P=? [ pathprop {states}{min} ]
    P=? [ pathprop {states}{max} ]
    P=? [ pathprop {states}{min}{max} ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are equivalent to:

    -
    +
    filter(state, P=? [ pathprop ], states)
    filter(min, P=? [ pathprop ], states)
    filter(max, P=? [ pathprop ], states)
    filter(range, P=? [ pathprop ], states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Notice that the first of the four properties above (i.e. an old-style filter of the form {states} will result in an error if states is not satisfied by exactly one state of the model. Older versions of PRISM just gave you the value for the first state state satisfying the filter, without warning you about this. If you want to recreate the old behaviour, just use a first filter:

    -
    +
    filter(first, P=? [ pathprop ], states)
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Default filters

    @@ -1284,38 +1457,38 @@

    Filters

    Queries of the form:

    -
    +
    P>0.5 [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are the same as:

    -
    +
    filter(forall, P>0.5 [ F "error" ], "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    and queries of the form:

    -
    +
    P=? [ F "error" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    are the same as either:

    -
    +
    filter(state, P=? [ F "error" ], "init")
    filter(range, P=? [ F "error" ], "init")
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    for the cases where there the model has a single initial state @@ -1327,14 +1500,14 @@

    Constants

    These are defined in identical fashion, for example:

    -
    +
    const int k = 7;
    const double T = 9.5;
    const double p = 0.01;

    P<p [ F<=T x=k ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    As before, these constants can actually be left undefined and then later @@ -1352,13 +1525,13 @@

    Constants

    Labels are defined using the keyword label, followed by a name (identifier) in double quotes, and then an expression which evaluates to a Boolean. Definition and usage of labels are illustrated in the following example:

    -
    +
    label "safe" = temp<=100 | alarm=true;
    label "fail" = temp>100 & alarm=false;

    P>=0.99 [ "safe" U "fail" ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Two special cases are the "init" and "deadlock" labels which are always defined. @@ -1369,19 +1542,19 @@

    Constants

    For convenience, properties can be annotated with names, as shown in the following example:

    -
    +
    "safe": P<0.01 [ F temperature > t_max ];
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    which gives the name "safe" to the property. It is then possible to include named properties as sub-expressions of other properties, e.g.:

    -
    +
    filter(forall, num_sensors>0 => "safe");
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Notice that the syntax for referring to named properties is identical to the syntax for labels. For this reason, property names must be disjoint from those of any existing labels. @@ -1402,6 +1575,12 @@

    Constants

    @@ -1410,6 +1589,13 @@

    Constants

    + +
    @@ -1426,6 +1612,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -1437,5 +1624,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/AllOnOnePage@action=edit.html b/manual/PropertySpecification/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..81b9f3d5f3 --- /dev/null +++ b/manual/PropertySpecification/AllOnOnePage@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/AllOnOnePage@action=login.html b/manual/PropertySpecification/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..66cb7ccff2 --- /dev/null +++ b/manual/PropertySpecification/AllOnOnePage@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/AllOnOnePage@action=print.html b/manual/PropertySpecification/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..80f44ded40 --- /dev/null +++ b/manual/PropertySpecification/AllOnOnePage@action=print.html @@ -0,0 +1,1449 @@ + + + + + + +PRISM Manual | PropertySpecification / AllOnOnePage + + + + + + + + + + + + + + + + + + +
    +

    Property Specification

    +
    +

    Introduction

    +

    In order to analyse a probabilistic model which has been specified and constructed in PRISM, +it is necessary to identify one or more properties of the model +which can be evaluated by the tool. +PRISM's property specification language subsumes several well-known probabilistic temporal logics, including PCTL, CSL, probabilistic LTL and PCTL*. +PCTL is used for specifying properties of discrete-time models such as DTMCs or PTAs, +and also real-time models such as PTAs; CSL is an extension of PCTL for CTMCs; +LTL and PCTL* can be used to specify properties of +discrete-time models (or untimed properties of CTMCs). +PRISM also supports most of the (non-probabilistic) temporal logic CTL. +

    +

    In fact, PRISM also supports numerous additional customisations and extensions of these two logics. +Full details of the property specifications permitted in PRISM are provided in the following sections. The presentation given here is relatively informal. For the precise syntax and semantics of the various logics, see [HJ94],[BdA95] for PCTL, [ASSB96],[BKH99] for CSL and, for example, [Bai98] for LTL and PCTL*. You can also find various pointers to useful papers in the About and Documentation sections of the PRISM website. +

    +

    Before discussing property specifications in more detail, +it is perhaps instructive to first illustrate some typical examples of properties which PRISM can handle. +The following are a selection of such properties. +In each case, we give both the PRISM syntax and a natural language translation: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the algorithm eventually terminates successfully with probability 1" +

    +
    +
    +
    "P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that more than 5 errors occur within the first 100 time units is less than 0.1" +

    +
    +
    +
    S<0.01 [ num_sensors < min_sensors ]
    +
    +
    [$[Get Code]]
    +
    + +

    "in the long-run, the probability that an inadequate number of sensors are operational is less than 0.01" +

    +

    Note that the above properties are all assertions, +i.e. ones to which we would expect a "yes" or "no" answer. +This is because all references to probabilities are associated with an upper or lower bound +which can be checked to be either true or false. +In PRISM, we can also directly specify properties which evaluate to a numerical value, e.g.: +

    +
    +
    +
    P=? [ !proc2_terminate U proc1_terminate ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that process 1 terminates before process 2 does" +

    +
    +
    +
    Pmax=? [ F<=T messages_lost > 10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the maximum probability that more than 10 messages have been lost by time T" (for an MDP/PTA) +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the long-run probability that the queue is more than 75% full" +

    +

    Furthermore, PRISM makes it easy to combine such properties into more complex expressions, +compute their values for a range of parameters +and plot graphs of the results using experiments. +This is often a very useful way of identifying interesting +patterns or trends in the behaviour of a system. +See the Case Studies section of the PRISM website for many examples of this kind of analysis. +

    +

    Identifying A Set Of States

    +

    One of the most fundamental tasks when specifying properties of a model +is to identify particular sets or classes of states of the model. +For example, to verify a property such as +"the algorithm eventually terminates successfully with probability 1", +it is first necessary to identify the states of the model +which correspond to situations where "the algorithm has terminated successfully". +In terms of the way temporal logics are usually presented, +these correspond to atomic propositions. +

    +

    In PRISM, this is achieved simply by writing an expression in the PRISM language which evaluates to a Boolean value. This expression will typically contain references to variables (and constants) from the model to which it relates. The set of states corresponding to this expression is those for which it evaluates to true. We say that the expression is "satisfied" in these states. +

    +

    For example, in the property given above: +

    +
    +
    +
    P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    the expression num_errors > 5 is used to identify states of the model where more than 5 errors have occurred. +

    +

    It is also common to use labels to identify states in this way, like "terminate" in the example: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    Properties can refer to labels either from the model to which the property relates, or included in the same properties file. +

    +

    The P Operator

    +

    One of the most important operators in the PRISM property specification language is the P operator, which is used to reason about the probability of an event's occurrence. This operator was originally proposed in the logic PCTL but also features in the other logics supported by PRISM, such as CSL. The P operator is applicable to all types of models supported by PRISM. +

    +

    Informally, the property: +

    +
    +
    +
    P bound [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a model if +"the probability that path property pathprop is satisfied by the paths from state s +meets the bound bound". +A typical example of a bound would be: +

    +
    +
    +
    P>0.98 [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the probability that pathprop is satisfied by the paths from state s is greater than 0.98". More precisely, bound can be any of >=p, >p, <=p or <p, +where p is a PRISM language expression evaluating to a double in the range [0,1]. +

    +

    The types of path property supported by PRISM and their semantics will be discussed shortly. +

    +

    Nondeterminism

    +

    For models that can exhibit nondeterministic behaviour, such as MDPs or PTAs, some additional clarifications are necessary. Whereas for fully probabilistic models such as DTMCs and CTMCs, probability measures over paths are well defined (see e.g. [KSK76] and [BKH99], respectively), for nondeterministic models a probability measure can only be feasibly defined once all nondeterminism has been removed. +

    +

    Hence, the actual meaning of the property P bound [ pathprop ] in these cases is: +"the probability that pathprop is satisfied by the paths from state s +meets the bound bound for all possible resolutions of nondeterminism". +This means that, properties using the P operator then effectively reason about the +minimum or maximum probability, over all possible resolutions of nondeterminism, +that a certain type of behaviour is observed. +This depends on the bound attached to the P operator: +a lower bound (> or >=) relates to minimum probabilities +and an upper bound (< or <=) to maximum probabilities. +

    +

    Quantitative properties

    +

    It is also very often useful to take a quantitative approach to probabilistic model checking, computing the actual probability that some behaviour of a model is observed, +rather than just verifying whether or not the probability is above or below a given bound. +Hence, PRISM allows the P operator to take the following form: +

    +
    +
    +
    P=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    These properties return a numerical rather than a Boolean value. +The S and R operators, discussed later, can also be used in this way. +

    +

    As mentioned above, for nondeterministic models (MDPs or PTAs), either minimum or maximum probability values can be computed. Therefore, in this case, we have two possible types of property: +

    +
    +
    +
    Pmin=? [ pathprop ]
    +Pmax=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which return the minimum and maximum probabilities, respectively. +

    +

    It is also possible to specify to which state the probability returned by a quantitative property refers. This is covered in the later section on filters. +

    +

    Path properties

    +

    PRISM supports a wide range of path properties that can be used with the P operator. +A path property is a formula that evaluates to either true or false for a single path in a model. +Here, we review some of the simpler properties that feature a single temporal operator, +as used for example in the logics PCTL and CSL. Later, we briefly describe how PRISM also supports more complex LTL-style path properties. +

    +

    The basic different types of path property that can be used inside the P operator are: +

    +
    • X : "next" +
    • U : "until" +
    • F : "eventually" (sometimes called "future") +
    • G : "always" (sometimes called "globally") +
    • W : "weak until" +
    • R : "release" +

    In the following sections, we describe each of these temporal operators. We then discuss the (optional) use of time bounds with these operators. Finally, we also discuss LTL-style path properties. +

    +

    "Next" path properties

    +

    The property X prop is true for a path if prop is true in its second state, +An example of this type of property, used inside a P operator, is: +

    +
    +
    +
    P<0.01 [ X y=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of the expression y=1 being true in the next state is less than 0.01". +

    +

    "Until" path properties

    +

    The property prop1 U prop2 is true for a path if +prop2 is true in some state of the path and prop1 is true in all preceding states. +A simple example of this would be: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually equal to 2, and that z remains less than 2 up until that point, is greater than 0.5". +

    +

    "Eventually" path properties

    +

    The property F prop is true for a path if prop eventually becomes true at some point along the path. The F operator is in fact a special case of the U operator (you will often see F prop written as true U prop). A simple example is: +

    +
    +
    +
    P<0.1 [ F z>2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually greater than 2is less than 0.1". +

    +

    "Globally" path properties

    +

    Whereas the F operator is used for "reachability" properties, G represents "invariance". The property G prop is true of a path if prop remains true at all states along the path. Thus, for example: +

    +
    +
    +
    P>=0.99 [ G z<10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    states that, with probability at least 0.99, z never exceeds 10. +

    +

    "Weak until" and "release" path properties

    +

    Like F and G, the operators W and R are derivable from other temporal operators. +

    +

    Weak until (a W b), which is equivalent to (a U b) | G a, requires that a remains true until b becomes true, but does not require that b ever does becomes true (i.e. a remains true forever). For example, a weak form of the until example used above is: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which states that, with probability greater than 0.5, either z is always less than 2, or it is less than 2 until the point where z is 2. +

    +

    Release (a R b), which is equivalent to !(!a U !b), informally means that b is true until a becomes true, or b is true forever. +

    +

    +

    "Bounded" variants of path properties

    +

    All of the temporal operators given above, with the exception of X, have "bounded" variants, where an additional time bound is imposed on the property being satisfied. +The most common case is to use an upper time bound, i.e. of the form "<=t" or "<t", where t is a PRISM expression evaluating to a constant, non-negative value. +

    +

    For example, a bounded until property prop1 U<=t prop2, is satisfied along a path if prop2 becomes true within t steps and prop1 is true in all states before that point. +A typical example of this would be: +

    +
    +
    +
    P>=0.98 [ y<4 U<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of y first exceeding 3 within 7 time units is greater than or equal to 0.98". Similarly: +

    +
    +
    +
    P>=0.98 [ F<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state if "the probability of y being equal to 4 within 7 time units is greater than or equal to 0.98" and: +

    +
    +
    +
    P>=0.98 [ G<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true if the probability of y staying equal to 4 for 7 time units is at least 0.98. +

    +

    The time bound can be an arbitrary (constant) expression, +but note that you may need to bracket it, +as in the following example: +

    +
    +
    +
    P>=0.98 [ G<=(2*k+1) y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use lower time-bounds (i.e. >=t or >t) and time intervals [t1,t2], e.g.: +

    +
    +
    +
    P>=0.98 [ F>=10 y=4 ]
    +P>=0.98 [ F[10,20] y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which refer to the probability of y becoming equal to 4 after 10 or more time units, and after between 10 and 20 time-units respectively. +

    +

    For CTMCs, the time bounds can be any (non-negative) numerical values - they are not restricted to integers, as for discrete-time models. +For example: +

    +
    +
    +
    P>=0.25 [ y<=1 U<=6.5 y>1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    means that the probability of y being greater than 1 within 6.5 time-units (and remaining less than or equal to 1 at all preceding time-points) is at least 0.25. +

    +

    Transient probabilities

    +

    We can also use the bounded F operator to refer to a single time instant, e.g.: +

    +
    +
    +
    P=? [ F[10,10] y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    or, equivalently: +

    +
    +
    +
    P=? [ F=10 y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    both of which give the probability of y being 6 at time instant 10. +

    +

    +

    LTL-style path properties

    +

    PRISM also supports probabilistic model checking of the temporal logic LTL (and, in fact, PCTL*). LTL provides a richer set of path properties for use with the P operator, by permitting temporal operators to be combined. Here are a few examples of properties expressible using this functionality: +

    +
    +
    +
    P>0.99 [ F ( "request" & (X "ack") ) ]
    +
    +
    [$[Get Code]]
    +
    + +

    "with probability greater than 0.99, a request is eventually received, followed immediately by an acknowledgement" +

    +
    +
    +
    P>=1 [ G F "send" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "a message is sent infinitely often with probability 1" +

    +
    +
    +
    P=? [ F G ("error" & !"repair") ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of an error occurring that is never repaired” +

    +

    Note that logical operators have precedence over temporal ones, so you will often need to include parentheses when using logical operators, e.g.: +

    +
    +
    +
    P=? [ (F "error1") & (F "error2") ]
    +
    +
    [$[Get Code]]
    +
    + +

    For temporal operators, unary operators (such as F, G and X) have precedence over binary ones (such as U). Unary operators can be nested, without parentheses, but binary ones cannot. +

    +

    So, these are allowed: +

    +
    +
    +
    P=? [ F X X X "a" ]
    +P=? [ "a" U X X X "error" ]
    +P=? [ ("a" U "b") U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    but this is not: +

    +
    +
    +
    P=? [ "a" U "b" U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +
    +

    The S Operator

    +

    The S operator is used to reason about the steady-state behaviour of a model, +i.e. its behaviour in the long-run or equilibrium. +PRISM currently only provides support for DTMCs and CTMCs. +The definition of steady-state (long-run) probabilities for finite DTMCS and CTMCs is well defined (see e.g. [Ste94]). +Informally, the property: +

    +
    +
    +
    S bound [ prop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a DTMC or CTMC if +"starting from s, the steady-state (long-run) probability of being in a state which satisfies the (Boolean-valued) PRISM property prop, meets the bound bound". +A typical example of this type of property would be: +

    +
    +
    +
    S<0.05 [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the long-run probability of the queue being more than 75% full is less than 0.05". +

    +

    Like the P operator, the S operator can be used in a quantitative form, which returns the actual probability value, e.g.: +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    and can be further customised with the use of filters. +

    +

    Reward-based Properties

    +

    PRISM models can be augmented with information about rewards (or, equivalently, costs). +The tool can analyse properties which relate to the expected values of these rewards. +This is achieved using the R operator, which works in a similar fashion to the +P and S operators, and can be used either in a Boolean-valued query, e.g.: +

    +
    +
    +
    R bound [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where bound takes the form <r, <=r, >r or >=r for an expression r evaluating to a non-negative double, +or a real-valued query, e.g.: +

    +
    +
    +
    R query [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where query is =?, min=? or max=?. +In the latter case, filters can be used, as for the P and S operators. +

    +

    Informally, "R bound [ rewardprop ]" is true in a state of a model if +"the expected reward associated with rewardprop of the model when starting from that state'' +meets the bound bound and "R query [ rewardprop ]" returns the actual expected reward value. +

    +

    There are various different types of reward properties: +

    +
    • "reachability reward": F prop +
    • "co-safe LTL reward": e.g. F (prop1 & F prop2) +
    • "cumulative reward" : C<=t +
    • "total reward" : C +
    • "instantaneous reward" : I=t +
    • "steady-state reward" : S. +

    Below, we consider each of these cases in turn. +The descriptions here are kept relatively informal. +Precise definitions for most of these can be found in, for example, +[KNP07a] (for DTMCs and CTMCs) or [FKNP11] (for MDPs). +

    +

    "Reachability reward" properties

    +

    "Reachability reward" properties associate a reward with each path of a model. +More specifically, they refer to the reward accumulated along a path until a certain point is reached. +The manner in which rewards are accumulated depends on the model type. +For DTMCs and MDPs, the total reward for a path is the sum of the state rewards for each state along the path +plus the sum of the transition rewards for each transition between these states. +The situation for CTMCs is similar, except that the state reward assigned to each state +of the model is interpreted as the rate at which rewards are accumulated in that state, +i.e. if t time units are spent in a state with state reward r, +the reward accumulated in that state is r x t. +Hence, the total reward for a path in a CTMC is the sum of these products for each state along the path +plus the sum of the transition rewards for each transition between these states. +

    +

    The reward property "F prop" corresponds to the reward cumulated along a path +until a state satisfying property prop is reached, +where rewards are cumulated as described above. +State rewards for the prop-satisfying state reached are not included in the cumulated value. +In the case where the probability of reaching a state satisfying prop is less than 1, the reward is equal to infinity. +

    +

    A common application of this type of property is the case when the rewards associated with the model correspond to time. +One can then state, for example: +

    +
    +
    +
    R<=9.5 [ F z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "the expected time taken to reach, from s, a state where z equals 2 is less than or equal to 9.5". +

    +

    "Co-safe LTL reward" properties

    +

    These generalise the "reachability" properties above. Again, reward is accumulated along a path up until some point, +but this is specified in a more general way, by giving a formula in the co-safe fragment of linear temporal logic (LTL). +Rewards are accumulated up until the point where the formula is first satisfied. For example, this property, for a DTMC or CTMC, +queries the expected reward accumulated until first goal equals 1 and then subsequently goal equals 2: +

    +
    +
    +
    R=? [ F (goal=1 & F goal=2) ]
    +
    +
    [$[Get Code]]
    +
    + +

    and this property, for an MDP, minimises the expected reward until loc equals 1, +having passed only through states where loc never equals 4 +

    +
    +
    +
    Rmin=? [ loc!=4 U loc=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    As for reachability rewards, if the probability of satisfying the formula is less than 1, +then the expected reward is defined to be infinite. +

    +

    Intuitively, a co-safe formula is one that is satisfied within a finite period of time, +and remains true for ever once it becomes true for the first time. +For simplicity, PRISM actually supports the syntactic co-safe fragment of LTL, +which is defined as any LTL formula that only uses the temporal operators F, U and X +(but not G, for example). +PRISM's notation for LTL formulas is described here. +

    +

    "Cumulative reward" properties

    +

    "Cumulative reward" properties also associate a reward with each path of a model, +but only up to a given time bound. +The property C<=t corresponds to the reward cumulated along a path +until t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +State and transition rewards along a path are cumulated exactly as described in the previous section. +

    +

    A typical application of this type of property is the following. +Consider a model of a disk-drive controller which includes a queue of incoming disk requests. +If we assign a reward of 1 to each transition of the model +corresponding to the situation where an incoming request is lost because the queue is full, +then the property: +

    +
    +
    +
    R=? [ C<=15.5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would return, for a given state of the model, +"the expected number of lost requests within 15.5 time units of operation". +

    +

    +

    "Total reward" properties

    +

    "Total reward" properties refer to the accumulation of state and transition rewards +in the same way as for "reachability reward" and "cumulative reward" properties, +but the rewards is accumulated indefinitely, +i.e. the total reward accumulated along the whole (infinite) path. +Note that this means that, unless a path ends up remaining forever in states with zero reward, +the total reward will be infinite. +

    +

    Re-using the reward structure in the previous example, +

    +
    +
    +
    R=? [ C ]
    +
    +
    [$[Get Code]]
    +
    + +

    returns "the expected total number of lost requests". +

    +

    "Instantaneous reward" properties

    +

    "Instantaneous reward" properties refer to the reward of a model at a particular instant in time. +The reward property I=t associates with a path the reward in the state +of that path when exactly t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +

    +

    Returning to our example from the previous section of a model for a disk-request queue in a disk-drive controller, +consider the case where the rewards assigned to each state of the model give the current size of the queue in that state. +Then, the following property: +

    +
    +
    +
    R<4.4 [ I=100 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would be true in a state s of the model if +"starting from s, the expected queue size exactly 100 time units later is less than 4.4". +Note that, for this type of reward property, state rewards for CTMCs do not have to refer to rates; +they can refer to any instantaneous measure of interest for a state. +

    +

    "Steady-state reward" properties

    +

    Unlike the previous three types of property, +"steady-state reward" properties relate not to paths, but rather to the reward in the long-run. +A typical application of this type of property would be, in the case where +the rewards associated with the model correspond to power consumption, the property: +

    +
    +
    +
    R<=0.7 [ S ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "starting from s, the long-run average power consumption is less than 0.7". +

    +

    Which reward structure?

    +

    In the case where a PRISM model has multiple reward structures you may need to specify which reward structure your property refers to. This is done by placing the information in braces ({}) after the R operator. You can do so either using the name assigned to a reward structure (if any) or using the index (where 1 means the first rewards structure in the PRISM model file, 2 the second, etc.). Examples are: +

    +
    +
    +
    R{"num_failures"}=? [ C<=10.0 ]
    +R{"time"}=? [ F step=final ]
    +R{2}=? [ F step=final ]
    +
    +
    [$[Get Code]]
    +
    + +

    Note that when using an index to specify the reward structure, you can actually put any expression that evaluates to an integer. This allows you to, for example, write a property of the form R{c}=?[...] where c is an undefined integer constant. You can then vary the value of c in an experiment and compute values for several different reward structures at once. +

    +

    If you don't specify a reward structure to the R operator, by default, the first one in the model file is used. +

    +

    Availability

    +

    There are currently a few restrictions on the model checking engines that can be used for some reward properties. The following table summarises the currently availability, where S, M, H and E denote the "sparse", "MTBDD", "hybrid" and "explicit" engines, respectively, for DTMCs, CTMCs and MDPs. For PTAs, support for rewards is currently quite restrictive; see the later section on real-time model properties for details. +

    +
    + + + + +
     FcosafeC<=tCI=tS
    DTMCsSMHESMHESMHESMHESMHESMHE
    CTMCsSMHESMHESMHESMHESMHESMHE
    MDPsSM-ESMHES--E----SM-E----
    +

    Multi-objective Properties

    +

    For MDPs, PRISM supports multi-objective properties. Consider a property that uses the P operator. For example: +

    +
    +
    +
    P<0.01 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01. +

    +

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example: +

    +
    +
    +
    multi(P<0.01 [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

    +

    To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

    +

    A "numerical" query looks like: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?". +

    +

    A "Pareto" queries leaves both of the objectives unbounded, e.g.: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], Pmin=? [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    This asks PRISM to compute (approximately), the Pareto curve for this pair objectives. Intuitively, this is the set of pairs of probabilities (of reaching "error1"/"error2") such that reducing one probability any more would necessitate an increase in the other probability. +

    +

    Types of Objectives

    +

    For simplicity, the examples above all refer to the probability of reaching classes of states in the model. Other types of property (objective) are also possible. +

    +

    Firstly, we can extend the examples above by referring to the probability of any +LTL property. For example: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9?". +

    +

    We can also use more than 2 objectives, e.g.: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ], P>=0.95 [ G F "good3" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9 and the probability of visiting "good3" states infinitely often remains at least 0.95?". +

    +

    Multi-objective queries can also refer to the expected total cumulative value of a reward structure. We write such properties in the form: +

    +
    +
    +
    multi(R{"time"}min=?[ C ], R{"energy"}<=1.45 [ C ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the minimum expected cumulative value of reward structure "time", such that the expected cumulative value of reward structure "energy" is below 1.45. +

    +

    Note that this C reward operator differs from the F "target" operator, usually used for standard (single-objective) MDP model checking. Whereas the F "target" operator refers to the expected reward accumulated until a "target" state is reached the C operator refers to the expected total reward. +

    +

    A few important notes regarding rewards: +

    +
    • Currently only transition rewards are supported; state rewards are not. +
    • Certain assumptions are made regarding the finiteness of rewards; see p.7 of [FKP12] for details. +

    Finally, time-bounded variants of both probabilistic reachability and expected cumulative rewards objectives can be used. Here is an example that uses the latter: +

    +
    +
    +
    multi(R{"power"}min=? [ C<=k ], R{"queue"}<=r [ C<=k ])
    +
    +
    [$[Get Code]]
    +
    + +

    Solution Methods

    +

    PRISM can perform multi-objective model checking using two distinct solution methods, which are described in [FKN+11] and [FKP12]. The former is based on the use of linear programming; the latter reduces multi-objective model checking to a series of simpler problems, solved using value iteration (or the Gauss-Seidel variant of value iteration). The default is "Value iteration". You can change this in the GUI using the option "MDP multi-objective solution methods", or using the command-line switches -lp, -valiter, -gs. +

    +

    There are some restrictions for the different methods, e.g. +

    +
    • Linear programming does not support time-bounded properties or Pareto queries +
    +

    Real-time Models

    +

    The classes of property that can be checked for real-time models (PTAs and POPTAs) are currently more restricted than for the other kinds of models that PRISM supports. This is because the model checking procedures are quite different for this type of model. We describe these restrictions here. The situation is also dependent on which of the PTA model checking engines is being used. +

    +

    For the "stochastic games" engine, we essentially only allow unbounded or time-bounded probabilistic reachability properties, i.e. properties of the form: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ F<=T target ]
    +Pmax=? [ F<=T target ]
    +
    +
    [$[Get Code]]
    +
    + +

    where target is a Boolean-valued expression that does not include references to any clock variables and T is an integer-valued expression. The P operator cannot be nested and the S and R operators are not supported. +

    +

    The "backwards reachability" engine is similar but currently only handles maximum probabilities. +

    +

    For the "digital clocks" engine, there is slightly more flexibility, +e.g. until (U) properties are allowed, as are clock variables in expressions and arithmetic expressions such as: +

    +
    +
    +
    1 - Pmin=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    This engine, like the "stochastic games" engine, does not allowed nested properties. Also, references to clocks must, like in the modelling language, not use strict comparisons +(e.g. x<=5 is allowed, x<5 is not). +

    +

    The digital clocks also has support for rewards: +it is possible to check reachability reward properties of the form: +

    +
    +
    +
    Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    Reward structures specified in the model, though, must not depend on clock variables. +Formally, the class of PTAs with this kind of reward structure is sometime called linearly priced PTAs (see e.g. [KNPS06]. +

    +

    The digital clocks method is based on a language-level translation from a PTA model to an MDP one. If you want to see the MDP PRISM model that was generated, add the switch -exportdigital digital.nm when model checking property to export the model file to digital.nm. +

    +

    Partially Observable Models

    +

    For partially observable models (POMDPs and POPTAs), +PRISM uses the same property language as the their +fully observational equivalents (MDPs and PTAs). +However, a more limited range of properties are available. +For POMDPs, PRISM currently supports probabilistic reachability, +probabilistic until, or expected reachability rewards properties, i.e.: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ remain U target ]
    +Pmax=? [ remain U target ]
    +Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    or bounded variants with a probability/threshold instead +of the min=? or max=?. +

    +

    For the verification methods currently implemented, +there are a few additional restrictions. +Firstly, the target (and remain) expression appearing +in the property must be an observable. +In other words, if any state of the POMDP satisfies the expression, +then all other observationally equivalent states must also satisfy it. +This is easily achieved by only using either observable variables +or named observables in the expression, but that is not required. +Secondly, probabilities and expected rewards are only computed from a single state. +

    +

    POPTAs are currently verified using the "digital clocks" approach to +translate them into a POMDP, so they inherit the same +restrictions +(that strict or diagonal clock comparisons are not allowed). +However for POPTAs, time-bounded probabilistic reachability is also supported. +

    +

    Uncertain Models

    +

    For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

    +

    For example, instead of a property for a DTMC such as +

    +
    +
    +
    P=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

    +
    +
    +
    Pmin=? [ F "goal" ]
    +Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which compute the minimum or maximum possible probability that can arise. +

    +

    Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

    +
    +
    +
    Pmaxmin=? [ F "goal" ]
    +Pmaxmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

    +
    • the P operator, for next and bounded/unbounded until/reachability properties +
    • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +
    +

    Non-Probabilistic Properties

    +

    PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). +Properties in these logics use the A (for all) and E (there exists) operators, +instead of the probabilistic P operator used in many other properties supported by PRISM. +

    +

    Properties take the form: +

    +
    +
    +
    A [ pathprop ]
    +E [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which are true in a state s of a model if +"path property pathprop is satisfied by all paths from state s" +and +"path property pathprop is satisfied by some path from state s", +respectively. +The syntax for LTL formulas is the same as those allowed within the P operator. +

    +

    Example properties include: +

    +
    +
    +
    E [ F "goal" ] // There exists a path that reaches a state satisfying "goal"
    +
    +A [ G x<=10 ] // Variable x is always at most 10 along all paths of the model
    +
    +E [ F "ready" & (X "launch") ] // There exists a path along which label "ready" eventually becomes true and label "launch" is true immediately afterwards
    +
    +A [ (G F x=1) | (G F x=2) ] // Along all paths, either x=1 or x=2 is true infinitely often
    +
    +
    [$[Get Code]]
    +
    + +

    Counterexamples and Witnesses

    +

    If you check a CTL property of the form A [ G "inv" ] and it is false, PRISM will generate a counterexample in the form of a path that reaches a state where "inv" is not true. This is displayed either in the simulator (from the GUI) or at the command-line. Similarly, if you check E [ F "goal" ] and the result is true, a witness (a path reaching a "goal" state) will be generated. +

    +

    Syntax And Semantics

    +

    Syntax

    +

    The syntax of the PRISM property specification language subsumes various probabilistic temporal logics, including PCTL, CSL, (probabilistic) LTL, PCTL* and CTL. Informally, the syntax can be summarised as follows: a property can be any valid, well-typed PRISM expression, which (optionally) also includes the probabilistic operators discussed previously (P, S and R) and the non-probabilistic (CTL) ones A and E). This mean that any of the following operators can be used: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +
    • P (probabilistic operator) +
    • S (steady-state operator) +
    • R (reward operator) +
    • A (for-all operator) +
    • E (there-exists operator) +

    This allows you to write any property expressible in logics such as PCTL and CSL. For example, CSL allows you to nest P and S operators: +

    +
    +
    +
    P=? [ F>2 S>0.9[ num_servers >= 5 ] ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of it taking more than 2 hours to get to a state from which the long-run probability of at least 5 servers being operational is >0.9" +

    +

    You can also express various arithmetic expressions such as: +

    +
    +
    +
    1 - P=? [ F[3600,7200] oper ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that the system is not operational at any point during the second hour of operation" +

    +
    +
    +
    R{"oper"}=? [ C<=t ] / t
    +
    +
    [$[Get Code]]
    +
    + +

    "the expected fraction of time that the system is available (i.e. the expected interval availability) in the time interval [0, t]" +

    +
    +
    +
    P=? [ F fail_A ] / P=? [ F any_fail ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the (conditional) probability that component A eventually fails, given +that at least one component fails" +

    +

    Semantics

    +

    We omit a formal presentation of the semantics of the PRISM property language. The semantics of the probabilistic temporal logics that the language incorporates can be found from a variety of sources. See for example the pointers given in the About and Documentation sections of the PRISM website. +

    +

    It is worth, however, clarifying a few points specific to PRISM. A property is evaluated with respect to a particular state of a model. Depending on the type of the property, this value may either be a Boolean, an integer or a double. When performing model checking, PRISM usually has to actually compute the value for all states of the model but, for clarity, will by default report just a single value. Typically, this is the value for the (single) initial state of the model. For example, this: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will report the probability, from the initial state of the model, of reaching an "error" state. +This: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will return true if and only if the probability, from the initial state, is greater than 0.5. +

    +

    Note: This is contrast to older versions of PRISM, which treated numerical and Boolean-valued properties differently in this respect. +

    +

    For models with multiple initial states, we need to adapt these definitions slightly. In this case, the two properties above will yield, respectively: +

    +
    • the range of values (over all initial states) of the probability of reaching "error" +
    • true if and only if the probability is greater than 0.5 from all initial states. +

    You can also ask PRISM to return different values using filters, +which are described in the next section. +

    +

    Filters

    +

    As discussed above, when reporting the result of model checking a property, PRISM will by default return the value for the (single) initial state of the model. However, since PRISM in fact usually has to compute values for all states simultaneously, you can customise PRISM properties to obtain different results. This is done using filters. +

    +

    Filters are created using the filter keyword. They take the following form: +

    +
    +
    +
    filter(op, prop, states)
    +
    +
    [$[Get Code]]
    +
    + +

    where op is the filter operator (see below), prop is any PRISM property and states is a Boolean-valued expression identifying a set of states over which to apply the filter. +

    +

    In fact, the states argument is optional; if omitted, the filter is applied over all states. So, the following properties are equivalent: +

    +
    +
    +
    filter(op, prop)
    +filter(op, prop, true)
    +
    +
    [$[Get Code]]
    +
    + +

    Here's a simple example of a filter: +

    +
    +
    +
    filter(max, P=? [ F "error" ], x=0)
    +
    +
    [$[Get Code]]
    +
    + +

    This gives the maximum value, starting from any state satisfying x=0, of the probability of reaching an "error" state. +

    +

    Here's another simple example, +which checks whether, starting from any reachable state, +we eventually reach a "done" state with probability 1. +

    +
    +
    +
    filter(forall, P>=1 [ F "done" ])
    +
    +
    [$[Get Code]]
    +
    + +

    We could modify this property slightly to instead check whether, from any state that satisfies the label "ready", we eventually reach a "done" state with probability 1. This could be done with either of the following two equivalent properties: +

    +
    +
    +
    filter(forall, "ready" => P>=1 [ F "done" ])
    +filter(forall, P>=1 [ F "done" ], "ready")
    +
    +
    [$[Get Code]]
    +
    + +

    Note: In older versions of PRISM, the property above could be written just as "ready" => P>=1 [ F "done" ] since the result was checked for all states by default, not just the initial state. Now, you need to explicitly include a filter, as shown above, to achieve this. +

    +

    Types of filter

    +

    Most filters of the form filter(op, prop, states) +apply some operator op to the values of property prop +for all the states satisfying states, +resulting in a single value. +The full list of filter operators op in this category is: +

    +
    • min: the minimum value of prop over states satisfying states +
    • max: the maximum value of prop over states satisfying states +
    • count: counts the number of states satisfying states for which prop is true +
    • sum (or +): sums the value of prop for states satisfying states +
    • avg: the average value of prop over states satisfying states +
    • first: the value of prop for the first (lowest-indexed) state satisfying states +
    • range: the range (interval) of values of prop over states satisfying states +
    • forall (or &): returns true if prop is true for all states satisfying states +
    • exists (or |): returns true if prop is true for some states satisfying states +
    • state: returns the value for the single state satisfying states (if there is more than one, this is an error) +

    There are also a few filters that, rather than returning a single value, return different values for each state, like a normal PRISM property: +

    +
    • argmin: returns true for the states satisfying states that yield the minimum value of prop +
    • argmax: returns true for the states satisfying states that yield the maximum value of prop +
    • print: does not change the result of prop but prints the (non-zero) values to the log +
    • printall: like print, but displays all values, even for states where the value is zero +

    More examples

    +

    Here are some further illustrative examples of properties that use filters. +

    +

    Filters provide a quick way to print the results of a model checking query for several states. In most cases, for example, a P=? query just returns the probability from the initial state. To see the probability for all states satisfying x>2, use: +

    +
    +
    +
    filter(print, P=? [ ... ], x>2)
    +
    +
    [$[Get Code]]
    +
    + +

    Values are printed in the log (i.e. to the "Log" tab in the GUI or to the terminal from the command-line). For small models, you could omit the final states argument (x>2 here) and view the probabilities from all states. You can also use PRISM's verbose mode to view values for all states, but filters provide an easier and more flexible solution. +print filters do not actually alter the result returned so, in the example above, PRISM will still return the probability for the initial state, in addition to printing other probabilities in the log. +

    +

    You can also use print filters to display lists of states. For example, this property: +

    +
    +
    +
    filter(print, filter(argmax, P=? [ F "error" ]))
    +
    +
    [$[Get Code]]
    +
    + +

    prints the states which have the highest probability of reaching an error state. +However, you should exercise caution when using argmax (or argmin) on properties such as P=? [ ... ] (or S=? [ ... ] or R=? [ ... ]), whose results are only approximate due to the nature of the methods used to compute them (or because of round-off errors.) +

    +

    Another common use of filters is to display the value for a particular state of the model (rather than the initial state, which is used by default). To achieve this, use e.g.: +

    +
    +
    +
    filter(state, P=? [ F "error" ], x=2&y=3)
    +
    +
    [$[Get Code]]
    +
    + +

    where x=2&y=3 is assumed to specify one particular state. +A state filter will produce an error if the filter expression is not satisfied by exactly one state of the model. +

    +

    Filters can also be built up into more complex expressions. For example, the following two properties are equivalent: +

    +
    +
    +
    filter(avg, P=? [ F "error" ], "init")
    +filter(sum, P=? [ F "error" ], "init") / filter(count, "init")
    +
    +
    [$[Get Code]]
    +
    + +

    The range filter, unlike most PRISM expressions which are of type Boolean, integer or double, actually returns an interval: a pair of integers or doubles. For example: +

    +
    +
    +
    filter(range, P=? [ F count=10 ], count=0)
    +
    +
    [$[Get Code]]
    +
    + +

    gives the range of all possible values for the probability of reach a state satisfying count=10, from all states satisfying count=0. +As will be described below, this kind of property also results from the use of old-style ({...}) filters and properties on models with multiple initial states. +

    +

    Old-style filters

    +

    In older versions of PRISM, filters were also available, but in a less expressive form. Previously, they were only usable on P, S or R properties and only a small set of filter operators were permitted. They were also specified in a different way, using braces ({...}). For compatibility with old properties files (and for compactness), these forms of filters are still allowed. These old-style forms of filters: +

    +
    +
    +
    P=? [ pathprop {states} ]
    +P=? [ pathprop {states}{min} ]
    +P=? [ pathprop {states}{max} ]
    +P=? [ pathprop {states}{min}{max} ]
    +
    +
    [$[Get Code]]
    +
    + +

    are equivalent to: +

    +
    +
    +
    filter(state, P=? [ pathprop ], states)
    +filter(min, P=? [ pathprop ], states)
    +filter(max, P=? [ pathprop ], states)
    +filter(range, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the first of the four properties above (i.e. an old-style filter of the form {states} will result in an error if states is not satisfied by exactly one state of the model. Older versions of PRISM just gave you the value for the first state state satisfying the filter, without warning you about this. If you want to recreate the old behaviour, just use a first filter: +

    +
    +
    +
    filter(first, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Default filters

    +

    Finally, for completeness, we show what the default filters are in PRISM, +i.e. how the way that PRISM returns values from properties by default +could have been achieved equivalently using filters. +

    +

    Queries of the form: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as: +

    +
    +
    +
    filter(forall, P>0.5 [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    and queries of the form: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as either: +

    +
    +
    +
    filter(state, P=? [ F "error" ], "init")
    +filter(range, P=? [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    for the cases where there the model has a single initial state +or multiple initial states, respectively. +

    +

    Properties Files

    +

    Constants

    +

    Files containing properties to be analysed by PRISM can also contain constants, as is the case for model files. +These are defined in identical fashion, for example: +

    +
    +
    +
    const int k = 7;
    +const double T = 9.5;
    +const double p = 0.01;
    +
    +P<p [ F<=T x=k ];
    +
    +
    [$[Get Code]]
    +
    + +

    As before, these constants can actually be left undefined and then later +assigned either a single value or a range of values using experiments. +

    +

    In fact, values such as the probability bounds for the P or S operators (like P above) +and upper or lower bounds for the U operator (like T above) +can be arbitrary expressions, provided they are constant. +Furthermore, expressions in the properties file can also refer to constants previous defined in the model file. +

    +

    +

    Labels

    +

    Another feature of properties files is labels. These are a way of defining sets of states that will be referred to in properties (they correspond to atomic propositions in a temporal logic setting). As described earlier, labels can be defined in either model files or property files. +

    +

    Labels are defined using the keyword label, followed by a name (identifier) in double quotes, and then an expression which evaluates to a Boolean. Definition and usage of labels are illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +P>=0.99 [ "safe" U "fail" ];
    +
    +
    [$[Get Code]]
    +
    + +

    Two special cases are the "init" and "deadlock" labels which are always defined. +These are true in initial states of the model and states where deadlocks were found (and, usually, fixed by adding self-loops), respectively. +

    +

    +

    Property names

    +

    For convenience, properties can be annotated with names, as shown in the following example: +

    +
    +
    +
    "safe": P<0.01 [ F temperature > t_max ];
    +
    +
    [$[Get Code]]
    +
    + +

    which gives the name "safe" to the property. It is then possible to include named properties as sub-expressions of other properties, e.g.: +

    +
    +
    +
    filter(forall, num_sensors>0 => "safe");
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the syntax for referring to named properties is identical to the syntax for labels. For this reason, property names must be disjoint from those of any existing labels. +

    +

    You can refer to property names when using the command-line switch -prop to specify which property is to be model checked. +

    +

    Properties files

    +

    A PRISM properties file can contain any number of properties. +It is good practice, as shown in the examples above, to terminate each property with a semicolon. Currently, this is not enforced by PRISM (to prevent incompatibility with old properties files) but this may change in the future. +

    +

    Like model files, properties can also include any amount of white space (spaces, tabs, new lines, etc.) and C-style comments, which are both ignored. +The recommended file extension for PRISM properties is now .props. +Previously, though, the convention was to use extension .pctl for properties of DTMCs, MDPs or PTAs +and extension .csl for properties of CTMCs, so these are still also valid. +

    +
    + + + + diff --git a/manual/PropertySpecification/Filters.html b/manual/PropertySpecification/Filters.html index d2f308d2b2..843954d628 100644 --- a/manual/PropertySpecification/Filters.html +++ b/manual/PropertySpecification/Filters.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Filters +PRISM Manual | Property Specification / Filters - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -321,6 +455,12 @@ @@ -329,6 +469,13 @@
    + +
    @@ -345,6 +492,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -356,5 +504,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Filters@action=edit.html b/manual/PropertySpecification/Filters@action=edit.html new file mode 100644 index 0000000000..ef3f234a6c --- /dev/null +++ b/manual/PropertySpecification/Filters@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Filters | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Filters

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Filters@action=login.html b/manual/PropertySpecification/Filters@action=login.html new file mode 100644 index 0000000000..8e1a40bfec --- /dev/null +++ b/manual/PropertySpecification/Filters@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Filters | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Filters

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Filters@action=print.html b/manual/PropertySpecification/Filters@action=print.html new file mode 100644 index 0000000000..50ae577b53 --- /dev/null +++ b/manual/PropertySpecification/Filters@action=print.html @@ -0,0 +1,327 @@ + + + + + + +PRISM Manual | PropertySpecification / Filters + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Filters

    + + +
    +

    As discussed above, when reporting the result of model checking a property, PRISM will by default return the value for the (single) initial state of the model. However, since PRISM in fact usually has to compute values for all states simultaneously, you can customise PRISM properties to obtain different results. This is done using filters. +

    +

    Filters are created using the filter keyword. They take the following form: +

    +
    +
    +
    filter(op, prop, states)
    +
    +
    [$[Get Code]]
    +
    + +

    where op is the filter operator (see below), prop is any PRISM property and states is a Boolean-valued expression identifying a set of states over which to apply the filter. +

    +

    In fact, the states argument is optional; if omitted, the filter is applied over all states. So, the following properties are equivalent: +

    +
    +
    +
    filter(op, prop)
    +filter(op, prop, true)
    +
    +
    [$[Get Code]]
    +
    + +

    Here's a simple example of a filter: +

    +
    +
    +
    filter(max, P=? [ F "error" ], x=0)
    +
    +
    [$[Get Code]]
    +
    + +

    This gives the maximum value, starting from any state satisfying x=0, of the probability of reaching an "error" state. +

    +

    Here's another simple example, +which checks whether, starting from any reachable state, +we eventually reach a "done" state with probability 1. +

    +
    +
    +
    filter(forall, P>=1 [ F "done" ])
    +
    +
    [$[Get Code]]
    +
    + +

    We could modify this property slightly to instead check whether, from any state that satisfies the label "ready", we eventually reach a "done" state with probability 1. This could be done with either of the following two equivalent properties: +

    +
    +
    +
    filter(forall, "ready" => P>=1 [ F "done" ])
    +filter(forall, P>=1 [ F "done" ], "ready")
    +
    +
    [$[Get Code]]
    +
    + +

    Note: In older versions of PRISM, the property above could be written just as "ready" => P>=1 [ F "done" ] since the result was checked for all states by default, not just the initial state. Now, you need to explicitly include a filter, as shown above, to achieve this. +

    +

    Types of filter

    +

    Most filters of the form filter(op, prop, states) +apply some operator op to the values of property prop +for all the states satisfying states, +resulting in a single value. +The full list of filter operators op in this category is: +

    +
    • min: the minimum value of prop over states satisfying states +
    • max: the maximum value of prop over states satisfying states +
    • count: counts the number of states satisfying states for which prop is true +
    • sum (or +): sums the value of prop for states satisfying states +
    • avg: the average value of prop over states satisfying states +
    • first: the value of prop for the first (lowest-indexed) state satisfying states +
    • range: the range (interval) of values of prop over states satisfying states +
    • forall (or &): returns true if prop is true for all states satisfying states +
    • exists (or |): returns true if prop is true for some states satisfying states +
    • state: returns the value for the single state satisfying states (if there is more than one, this is an error) +

    There are also a few filters that, rather than returning a single value, return different values for each state, like a normal PRISM property: +

    +
    • argmin: returns true for the states satisfying states that yield the minimum value of prop +
    • argmax: returns true for the states satisfying states that yield the maximum value of prop +
    • print: does not change the result of prop but prints the (non-zero) values to the log +
    • printall: like print, but displays all values, even for states where the value is zero +

    More examples

    +

    Here are some further illustrative examples of properties that use filters. +

    +

    Filters provide a quick way to print the results of a model checking query for several states. In most cases, for example, a P=? query just returns the probability from the initial state. To see the probability for all states satisfying x>2, use: +

    +
    +
    +
    filter(print, P=? [ ... ], x>2)
    +
    +
    [$[Get Code]]
    +
    + +

    Values are printed in the log (i.e. to the "Log" tab in the GUI or to the terminal from the command-line). For small models, you could omit the final states argument (x>2 here) and view the probabilities from all states. You can also use PRISM's verbose mode to view values for all states, but filters provide an easier and more flexible solution. +print filters do not actually alter the result returned so, in the example above, PRISM will still return the probability for the initial state, in addition to printing other probabilities in the log. +

    +

    You can also use print filters to display lists of states. For example, this property: +

    +
    +
    +
    filter(print, filter(argmax, P=? [ F "error" ]))
    +
    +
    [$[Get Code]]
    +
    + +

    prints the states which have the highest probability of reaching an error state. +However, you should exercise caution when using argmax (or argmin) on properties such as P=? [ ... ] (or S=? [ ... ] or R=? [ ... ]), whose results are only approximate due to the nature of the methods used to compute them (or because of round-off errors.) +

    +

    Another common use of filters is to display the value for a particular state of the model (rather than the initial state, which is used by default). To achieve this, use e.g.: +

    +
    +
    +
    filter(state, P=? [ F "error" ], x=2&y=3)
    +
    +
    [$[Get Code]]
    +
    + +

    where x=2&y=3 is assumed to specify one particular state. +A state filter will produce an error if the filter expression is not satisfied by exactly one state of the model. +

    +

    Filters can also be built up into more complex expressions. For example, the following two properties are equivalent: +

    +
    +
    +
    filter(avg, P=? [ F "error" ], "init")
    +filter(sum, P=? [ F "error" ], "init") / filter(count, "init")
    +
    +
    [$[Get Code]]
    +
    + +

    The range filter, unlike most PRISM expressions which are of type Boolean, integer or double, actually returns an interval: a pair of integers or doubles. For example: +

    +
    +
    +
    filter(range, P=? [ F count=10 ], count=0)
    +
    +
    [$[Get Code]]
    +
    + +

    gives the range of all possible values for the probability of reach a state satisfying count=10, from all states satisfying count=0. +As will be described below, this kind of property also results from the use of old-style ({...}) filters and properties on models with multiple initial states. +

    +

    Old-style filters

    +

    In older versions of PRISM, filters were also available, but in a less expressive form. Previously, they were only usable on P, S or R properties and only a small set of filter operators were permitted. They were also specified in a different way, using braces ({...}). For compatibility with old properties files (and for compactness), these forms of filters are still allowed. These old-style forms of filters: +

    +
    +
    +
    P=? [ pathprop {states} ]
    +P=? [ pathprop {states}{min} ]
    +P=? [ pathprop {states}{max} ]
    +P=? [ pathprop {states}{min}{max} ]
    +
    +
    [$[Get Code]]
    +
    + +

    are equivalent to: +

    +
    +
    +
    filter(state, P=? [ pathprop ], states)
    +filter(min, P=? [ pathprop ], states)
    +filter(max, P=? [ pathprop ], states)
    +filter(range, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the first of the four properties above (i.e. an old-style filter of the form {states} will result in an error if states is not satisfied by exactly one state of the model. Older versions of PRISM just gave you the value for the first state state satisfying the filter, without warning you about this. If you want to recreate the old behaviour, just use a first filter: +

    +
    +
    +
    filter(first, P=? [ pathprop ], states)
    +
    +
    [$[Get Code]]
    +
    + +

    Default filters

    +

    Finally, for completeness, we show what the default filters are in PRISM, +i.e. how the way that PRISM returns values from properties by default +could have been achieved equivalently using filters. +

    +

    Queries of the form: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as: +

    +
    +
    +
    filter(forall, P>0.5 [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    and queries of the form: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    are the same as either: +

    +
    +
    +
    filter(state, P=? [ F "error" ], "init")
    +filter(range, P=? [ F "error" ], "init")
    +
    +
    [$[Get Code]]
    +
    + +

    for the cases where there the model has a single initial state +or multiple initial states, respectively. +

    +
    + + + + diff --git a/manual/PropertySpecification/IdentifyingASetOfStates.html b/manual/PropertySpecification/IdentifyingASetOfStates.html index 8558c983b3..177e590dea 100644 --- a/manual/PropertySpecification/IdentifyingASetOfStates.html +++ b/manual/PropertySpecification/IdentifyingASetOfStates.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / IdentifyingASetOfStates +PRISM Manual | Property Specification / Identifying A Set Of States - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -134,6 +268,12 @@ @@ -142,6 +282,13 @@
    + +
    @@ -158,6 +305,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -169,5 +317,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/IdentifyingASetOfStates@action=edit.html b/manual/PropertySpecification/IdentifyingASetOfStates@action=edit.html new file mode 100644 index 0000000000..276ddc585f --- /dev/null +++ b/manual/PropertySpecification/IdentifyingASetOfStates@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Identifying A Set Of States | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Identifying A Set Of States

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/IdentifyingASetOfStates@action=login.html b/manual/PropertySpecification/IdentifyingASetOfStates@action=login.html new file mode 100644 index 0000000000..22aa1ac398 --- /dev/null +++ b/manual/PropertySpecification/IdentifyingASetOfStates@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Identifying A Set Of States | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Identifying A Set Of States

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/IdentifyingASetOfStates@action=print.html b/manual/PropertySpecification/IdentifyingASetOfStates@action=print.html new file mode 100644 index 0000000000..06ece96f7a --- /dev/null +++ b/manual/PropertySpecification/IdentifyingASetOfStates@action=print.html @@ -0,0 +1,140 @@ + + + + + + +PRISM Manual | PropertySpecification / IdentifyingASetOfStates + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Identifying A Set Of States

    + + +
    +

    One of the most fundamental tasks when specifying properties of a model +is to identify particular sets or classes of states of the model. +For example, to verify a property such as +"the algorithm eventually terminates successfully with probability 1", +it is first necessary to identify the states of the model +which correspond to situations where "the algorithm has terminated successfully". +In terms of the way temporal logics are usually presented, +these correspond to atomic propositions. +

    +

    In PRISM, this is achieved simply by writing an expression in the PRISM language which evaluates to a Boolean value. This expression will typically contain references to variables (and constants) from the model to which it relates. The set of states corresponding to this expression is those for which it evaluates to true. We say that the expression is "satisfied" in these states. +

    +

    For example, in the property given above: +

    +
    +
    +
    P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    the expression num_errors > 5 is used to identify states of the model where more than 5 errors have occurred. +

    +

    It is also common to use labels to identify states in this way, like "terminate" in the example: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    Properties can refer to labels either from the model to which the property relates, or included in the same properties file. +

    +
    + + + + diff --git a/manual/PropertySpecification/Introduction@action=edit.html b/manual/PropertySpecification/Introduction@action=edit.html new file mode 100644 index 0000000000..48fcc3de2e --- /dev/null +++ b/manual/PropertySpecification/Introduction@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Introduction | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Introduction@action=login.html b/manual/PropertySpecification/Introduction@action=login.html new file mode 100644 index 0000000000..70eea9359e --- /dev/null +++ b/manual/PropertySpecification/Introduction@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Introduction | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Introduction@action=print.html b/manual/PropertySpecification/Introduction@action=print.html new file mode 100644 index 0000000000..8e84ea16e8 --- /dev/null +++ b/manual/PropertySpecification/Introduction@action=print.html @@ -0,0 +1,192 @@ + + + + + + +PRISM Manual | PropertySpecification / Introduction + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Introduction

    + + +
    +

    In order to analyse a probabilistic model which has been specified and constructed in PRISM, +it is necessary to identify one or more properties of the model +which can be evaluated by the tool. +PRISM's property specification language subsumes several well-known probabilistic temporal logics, including PCTL, CSL, probabilistic LTL and PCTL*. +PCTL is used for specifying properties of discrete-time models such as DTMCs or PTAs, +and also real-time models such as PTAs; CSL is an extension of PCTL for CTMCs; +LTL and PCTL* can be used to specify properties of +discrete-time models (or untimed properties of CTMCs). +PRISM also supports most of the (non-probabilistic) temporal logic CTL. +

    +

    In fact, PRISM also supports numerous additional customisations and extensions of these two logics. +Full details of the property specifications permitted in PRISM are provided in the following sections. The presentation given here is relatively informal. For the precise syntax and semantics of the various logics, see [HJ94],[BdA95] for PCTL, [ASSB96],[BKH99] for CSL and, for example, [Bai98] for LTL and PCTL*. You can also find various pointers to useful papers in the About and Documentation sections of the PRISM website. +

    +

    Before discussing property specifications in more detail, +it is perhaps instructive to first illustrate some typical examples of properties which PRISM can handle. +The following are a selection of such properties. +In each case, we give both the PRISM syntax and a natural language translation: +

    +
    +
    +
    P>=1 [ F "terminate" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the algorithm eventually terminates successfully with probability 1" +

    +
    +
    +
    "P<0.1 [ F<=100 num_errors > 5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that more than 5 errors occur within the first 100 time units is less than 0.1" +

    +
    +
    +
    S<0.01 [ num_sensors < min_sensors ]
    +
    +
    [$[Get Code]]
    +
    + +

    "in the long-run, the probability that an inadequate number of sensors are operational is less than 0.01" +

    +

    Note that the above properties are all assertions, +i.e. ones to which we would expect a "yes" or "no" answer. +This is because all references to probabilities are associated with an upper or lower bound +which can be checked to be either true or false. +In PRISM, we can also directly specify properties which evaluate to a numerical value, e.g.: +

    +
    +
    +
    P=? [ !proc2_terminate U proc1_terminate ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that process 1 terminates before process 2 does" +

    +
    +
    +
    Pmax=? [ F<=T messages_lost > 10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the maximum probability that more than 10 messages have been lost by time T" (for an MDP/PTA) +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the long-run probability that the queue is more than 75% full" +

    +

    Furthermore, PRISM makes it easy to combine such properties into more complex expressions, +compute their values for a range of parameters +and plot graphs of the results using experiments. +This is often a very useful way of identifying interesting +patterns or trends in the behaviour of a system. +See the Case Studies section of the PRISM website for many examples of this kind of analysis. +

    +
    + + + + diff --git a/manual/PropertySpecification/Main.html b/manual/PropertySpecification/Main.html index d5fad0289b..2d0a563eb4 100644 --- a/manual/PropertySpecification/Main.html +++ b/manual/PropertySpecification/Main.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Introduction +PRISM Manual | Property Specification / Introduction - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -186,6 +320,12 @@ @@ -194,6 +334,13 @@
    + +
    @@ -210,6 +357,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -221,5 +369,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Multi-objectiveProperties.html b/manual/PropertySpecification/Multi-objectiveProperties.html index 41314bfea6..1766f30a4c 100644 --- a/manual/PropertySpecification/Multi-objectiveProperties.html +++ b/manual/PropertySpecification/Multi-objectiveProperties.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Multi-objectiveProperties +PRISM Manual | Property Specification / Multi-objective Properties - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -105,9 +239,9 @@
    [$[Get Code]]
    -

    This states that, for all adversaries of the MDP, the probability of reaching an "error" state is less than 0.01. +

    This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01.

    -

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of an adversary. Secondly they refer to multiple properties of an adversary. For example: +

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example:

    @@ -116,9 +250,9 @@
    [$[Get Code]]
    -

    means: "does there exist an adversary of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

    means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?"

    -

    To use the terminology from [FKP12], the above is an "achievability" query (i.e. is this combination of objectives achievable by some adversary?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

    To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries.

    A "numerical" query looks like:

    @@ -129,7 +263,7 @@
    [$[Get Code]]
    -

    meaning "what is the minimum possible probability of reaching "error1", over all adversaries of the MDP for which the probability of reaching "error2" is less than 0.02?". +

    meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?".

    A "Pareto" queries leaves both of the objectives unbounded, e.g.:

    @@ -206,6 +340,12 @@ @@ -214,6 +354,13 @@
    + +
    @@ -230,6 +377,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -241,5 +389,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Multi-objectiveProperties@action=edit.html b/manual/PropertySpecification/Multi-objectiveProperties@action=edit.html new file mode 100644 index 0000000000..1e58fdeed5 --- /dev/null +++ b/manual/PropertySpecification/Multi-objectiveProperties@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Multi-objective Properties | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Multi-objective Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Multi-objectiveProperties@action=login.html b/manual/PropertySpecification/Multi-objectiveProperties@action=login.html new file mode 100644 index 0000000000..c40c9fa72f --- /dev/null +++ b/manual/PropertySpecification/Multi-objectiveProperties@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Multi-objective Properties | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Multi-objective Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Multi-objectiveProperties@action=print.html b/manual/PropertySpecification/Multi-objectiveProperties@action=print.html new file mode 100644 index 0000000000..be2aca5549 --- /dev/null +++ b/manual/PropertySpecification/Multi-objectiveProperties@action=print.html @@ -0,0 +1,212 @@ + + + + + + +PRISM Manual | PropertySpecification / Multi-objectiveProperties + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Multi-objective Properties

    + + +
    +

    For MDPs, PRISM supports multi-objective properties. Consider a property that uses the P operator. For example: +

    +
    +
    +
    P<0.01 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    This states that, for all strategies (or policies) of the MDP, the probability of reaching an "error" state is less than 0.01. +

    +

    Multi-objective queries differ in two important ways. Firstly, (by default) they ask about the existence of a strategy. Secondly they refer to multiple properties of a strategy. For example: +

    +
    +
    +
    multi(P<0.01 [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    means: "does there exist a strategy of the MDP under which the probability of reaching an "error1" state is less than 0.01 and the probability of reaching an "error2" state is less than 0.02?" +

    +

    To use the terminology from [FKP12], the above is an "achievability" query (i.e., is this combination of objectives achievable by some strategy?). PRISM also supports two other kinds of multi-objective query: "numerical" and "Pareto" queries. +

    +

    A "numerical" query looks like: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], P<0.02 [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    meaning "what is the minimum possible probability of reaching "error1", over all strategies of the MDP for which the probability of reaching "error2" is less than 0.02?". +

    +

    A "Pareto" queries leaves both of the objectives unbounded, e.g.: +

    +
    +
    +
    multi(Pmin=? [ F "error1" ], Pmin=? [ F "error2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    This asks PRISM to compute (approximately), the Pareto curve for this pair objectives. Intuitively, this is the set of pairs of probabilities (of reaching "error1"/"error2") such that reducing one probability any more would necessitate an increase in the other probability. +

    +

    Types of Objectives

    +

    For simplicity, the examples above all refer to the probability of reaching classes of states in the model. Other types of property (objective) are also possible. +

    +

    Firstly, we can extend the examples above by referring to the probability of any +LTL property. For example: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9?". +

    +

    We can also use more than 2 objectives, e.g.: +

    +
    +
    +
    multi(Pmax=? [ G "good1" ], P>=0.9 [ G F "good2" ], P>=0.95 [ G F "good3" ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the maximum probability of staying forever in "good1" states, such that the probability of visiting "good2" states infinitely often remains at least 0.9 and the probability of visiting "good3" states infinitely often remains at least 0.95?". +

    +

    Multi-objective queries can also refer to the expected total cumulative value of a reward structure. We write such properties in the form: +

    +
    +
    +
    multi(R{"time"}min=?[ C ], R{"energy"}<=1.45 [ C ])
    +
    +
    [$[Get Code]]
    +
    + +

    "What is the minimum expected cumulative value of reward structure "time", such that the expected cumulative value of reward structure "energy" is below 1.45. +

    +

    Note that this C reward operator differs from the F "target" operator, usually used for standard (single-objective) MDP model checking. Whereas the F "target" operator refers to the expected reward accumulated until a "target" state is reached the C operator refers to the expected total reward. +

    +

    A few important notes regarding rewards: +

    +
    • Currently only transition rewards are supported; state rewards are not. +
    • Certain assumptions are made regarding the finiteness of rewards; see p.7 of [FKP12] for details. +

    Finally, time-bounded variants of both probabilistic reachability and expected cumulative rewards objectives can be used. Here is an example that uses the latter: +

    +
    +
    +
    multi(R{"power"}min=? [ C<=k ], R{"queue"}<=r [ C<=k ])
    +
    +
    [$[Get Code]]
    +
    + +

    Solution Methods

    +

    PRISM can perform multi-objective model checking using two distinct solution methods, which are described in [FKN+11] and [FKP12]. The former is based on the use of linear programming; the latter reduces multi-objective model checking to a series of simpler problems, solved using value iteration (or the Gauss-Seidel variant of value iteration). The default is "Value iteration". You can change this in the GUI using the option "MDP multi-objective solution methods", or using the command-line switches -lp, -valiter, -gs. +

    +

    There are some restrictions for the different methods, e.g. +

    +
    • Linear programming does not support time-bounded properties or Pareto queries +
    +
    + + + + diff --git a/manual/PropertySpecification/Non-probabilisticProperties.html b/manual/PropertySpecification/Non-probabilisticProperties.html index 7f5496fd09..aca79ffea1 100644 --- a/manual/PropertySpecification/Non-probabilisticProperties.html +++ b/manual/PropertySpecification/Non-probabilisticProperties.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Non-probabilisticProperties +PRISM Manual | Property Specification / Non-probabilistic Properties - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -140,6 +274,12 @@ @@ -148,6 +288,13 @@
    + +
    @@ -164,6 +311,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -175,5 +323,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Non-probabilisticProperties@action=edit.html b/manual/PropertySpecification/Non-probabilisticProperties@action=edit.html new file mode 100644 index 0000000000..f5abffb4dc --- /dev/null +++ b/manual/PropertySpecification/Non-probabilisticProperties@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Non-probabilistic Properties | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Non-probabilistic Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Non-probabilisticProperties@action=login.html b/manual/PropertySpecification/Non-probabilisticProperties@action=login.html new file mode 100644 index 0000000000..d5359d6831 --- /dev/null +++ b/manual/PropertySpecification/Non-probabilisticProperties@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Non-probabilistic Properties | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Non-probabilistic Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Non-probabilisticProperties@action=print.html b/manual/PropertySpecification/Non-probabilisticProperties@action=print.html new file mode 100644 index 0000000000..b23823628a --- /dev/null +++ b/manual/PropertySpecification/Non-probabilisticProperties@action=print.html @@ -0,0 +1,146 @@ + + + + + + +PRISM Manual | PropertySpecification / Non-probabilisticProperties + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Non-probabilistic Properties

    + + +
    +

    PRISM also supports model checking of the non-probabilistic temporal logics CTL (computation tree logic) and LTL (linear temporal logic). +Properties in these logics use the A (for all) and E (there exists) operators, +instead of the probabilistic P operator used in many other properties supported by PRISM. +

    +

    Properties take the form: +

    +
    +
    +
    A [ pathprop ]
    +E [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which are true in a state s of a model if +"path property pathprop is satisfied by all paths from state s" +and +"path property pathprop is satisfied by some path from state s", +respectively. +The syntax for LTL formulas is the same as those allowed within the P operator. +

    +

    Example properties include: +

    +
    +
    +
    E [ F "goal" ] // There exists a path that reaches a state satisfying "goal"
    +
    +A [ G x<=10 ] // Variable x is always at most 10 along all paths of the model
    +
    +E [ F "ready" & (X "launch") ] // There exists a path along which label "ready" eventually becomes true and label "launch" is true immediately afterwards
    +
    +A [ (G F x=1) | (G F x=2) ] // Along all paths, either x=1 or x=2 is true infinitely often
    +
    +
    [$[Get Code]]
    +
    + +

    Counterexamples and Witnesses

    +

    If you check a CTL property of the form A [ G "inv" ] and it is false, PRISM will generate a counterexample in the form of a path that reaches a state where "inv" is not true. This is displayed either in the simulator (from the GUI) or at the command-line. Similarly, if you check E [ F "goal" ] and the result is true, a witness (a path reaching a "goal" state) will be generated. +

    +
    + + + + diff --git a/manual/PropertySpecification/PartiallyObservableModels.html b/manual/PropertySpecification/PartiallyObservableModels.html index e667a84029..aa0572053b 100644 --- a/manual/PropertySpecification/PartiallyObservableModels.html +++ b/manual/PropertySpecification/PartiallyObservableModels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / PartiallyObservableModels +PRISM Manual | Property Specification / Partially Observable Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -139,6 +273,12 @@ @@ -147,6 +287,13 @@
    + +
    @@ -163,6 +310,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -174,5 +322,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/PartiallyObservableModels@action=edit.html b/manual/PropertySpecification/PartiallyObservableModels@action=edit.html new file mode 100644 index 0000000000..d47b7483c3 --- /dev/null +++ b/manual/PropertySpecification/PartiallyObservableModels@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Partially Observable Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Partially Observable Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/PartiallyObservableModels@action=login.html b/manual/PropertySpecification/PartiallyObservableModels@action=login.html new file mode 100644 index 0000000000..9ff990b23c --- /dev/null +++ b/manual/PropertySpecification/PartiallyObservableModels@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Partially Observable Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Partially Observable Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/PartiallyObservableModels@action=print.html b/manual/PropertySpecification/PartiallyObservableModels@action=print.html new file mode 100644 index 0000000000..eaa2fdd309 --- /dev/null +++ b/manual/PropertySpecification/PartiallyObservableModels@action=print.html @@ -0,0 +1,145 @@ + + + + + + +PRISM Manual | PropertySpecification / PartiallyObservableModels + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Partially Observable Models

    + + +
    +

    For partially observable models (POMDPs and POPTAs), +PRISM uses the same property language as the their +fully observational equivalents (MDPs and PTAs). +However, a more limited range of properties are available. +For POMDPs, PRISM currently supports probabilistic reachability, +probabilistic until, or expected reachability rewards properties, i.e.: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ remain U target ]
    +Pmax=? [ remain U target ]
    +Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    or bounded variants with a probability/threshold instead +of the min=? or max=?. +

    +

    For the verification methods currently implemented, +there are a few additional restrictions. +Firstly, the target (and remain) expression appearing +in the property must be an observable. +In other words, if any state of the POMDP satisfies the expression, +then all other observationally equivalent states must also satisfy it. +This is easily achieved by only using either observable variables +or named observables in the expression, but that is not required. +Secondly, probabilities and expected rewards are only computed from a single state. +

    +

    POPTAs are currently verified using the "digital clocks" approach to +translate them into a POMDP, so they inherit the same +restrictions +(that strict or diagonal clock comparisons are not allowed). +However for POPTAs, time-bounded probabilistic reachability is also supported. +

    +
    + + + + diff --git a/manual/PropertySpecification/PropertiesFiles.html b/manual/PropertySpecification/PropertiesFiles.html index 3fb10f01d4..6f3c465127 100644 --- a/manual/PropertySpecification/PropertiesFiles.html +++ b/manual/PropertySpecification/PropertiesFiles.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / PropertiesFiles +PRISM Manual | Property Specification / Properties Files - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -176,6 +310,12 @@

    Constants

    @@ -184,6 +324,13 @@

    Constants

    + +
    @@ -200,6 +347,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -211,5 +359,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/PropertiesFiles@action=edit.html b/manual/PropertySpecification/PropertiesFiles@action=edit.html new file mode 100644 index 0000000000..e175121794 --- /dev/null +++ b/manual/PropertySpecification/PropertiesFiles@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Properties Files | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Properties Files

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/PropertiesFiles@action=login.html b/manual/PropertySpecification/PropertiesFiles@action=login.html new file mode 100644 index 0000000000..7fc90577bc --- /dev/null +++ b/manual/PropertySpecification/PropertiesFiles@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Properties Files | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Properties Files

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/PropertiesFiles@action=print.html b/manual/PropertySpecification/PropertiesFiles@action=print.html new file mode 100644 index 0000000000..0973a28b7a --- /dev/null +++ b/manual/PropertySpecification/PropertiesFiles@action=print.html @@ -0,0 +1,182 @@ + + + + + + +PRISM Manual | PropertySpecification / PropertiesFiles + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Properties Files

    + + +
    +

    Constants

    +

    Files containing properties to be analysed by PRISM can also contain constants, as is the case for model files. +These are defined in identical fashion, for example: +

    +
    +
    +
    const int k = 7;
    +const double T = 9.5;
    +const double p = 0.01;
    +
    +P<p [ F<=T x=k ];
    +
    +
    [$[Get Code]]
    +
    + +

    As before, these constants can actually be left undefined and then later +assigned either a single value or a range of values using experiments. +

    +

    In fact, values such as the probability bounds for the P or S operators (like P above) +and upper or lower bounds for the U operator (like T above) +can be arbitrary expressions, provided they are constant. +Furthermore, expressions in the properties file can also refer to constants previous defined in the model file. +

    +

    +

    Labels

    +

    Another feature of properties files is labels. These are a way of defining sets of states that will be referred to in properties (they correspond to atomic propositions in a temporal logic setting). As described earlier, labels can be defined in either model files or property files. +

    +

    Labels are defined using the keyword label, followed by a name (identifier) in double quotes, and then an expression which evaluates to a Boolean. Definition and usage of labels are illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +P>=0.99 [ "safe" U "fail" ];
    +
    +
    [$[Get Code]]
    +
    + +

    Two special cases are the "init" and "deadlock" labels which are always defined. +These are true in initial states of the model and states where deadlocks were found (and, usually, fixed by adding self-loops), respectively. +

    +

    +

    Property names

    +

    For convenience, properties can be annotated with names, as shown in the following example: +

    +
    +
    +
    "safe": P<0.01 [ F temperature > t_max ];
    +
    +
    [$[Get Code]]
    +
    + +

    which gives the name "safe" to the property. It is then possible to include named properties as sub-expressions of other properties, e.g.: +

    +
    +
    +
    filter(forall, num_sensors>0 => "safe");
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the syntax for referring to named properties is identical to the syntax for labels. For this reason, property names must be disjoint from those of any existing labels. +

    +

    You can refer to property names when using the command-line switch -prop to specify which property is to be model checked. +

    +

    Properties files

    +

    A PRISM properties file can contain any number of properties. +It is good practice, as shown in the examples above, to terminate each property with a semicolon. Currently, this is not enforced by PRISM (to prevent incompatibility with old properties files) but this may change in the future. +

    +

    Like model files, properties can also include any amount of white space (spaces, tabs, new lines, etc.) and C-style comments, which are both ignored. +The recommended file extension for PRISM properties is now .props. +Previously, though, the convention was to use extension .pctl for properties of DTMCs, MDPs or PTAs +and extension .csl for properties of CTMCs, so these are still also valid. +

    +
    + + + + diff --git a/manual/PropertySpecification/Real-timeModels.html b/manual/PropertySpecification/Real-timeModels.html index 1f0b4ba5f6..820d09bf68 100644 --- a/manual/PropertySpecification/Real-timeModels.html +++ b/manual/PropertySpecification/Real-timeModels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Real-timeModels +PRISM Manual | Property Specification / Real-time Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -148,6 +282,12 @@ @@ -156,6 +296,13 @@
    + +
    @@ -172,6 +319,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -183,5 +331,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Real-timeModels@action=edit.html b/manual/PropertySpecification/Real-timeModels@action=edit.html new file mode 100644 index 0000000000..33426e904b --- /dev/null +++ b/manual/PropertySpecification/Real-timeModels@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Real-time Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Real-time Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Real-timeModels@action=login.html b/manual/PropertySpecification/Real-timeModels@action=login.html new file mode 100644 index 0000000000..c19217bf9b --- /dev/null +++ b/manual/PropertySpecification/Real-timeModels@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Real-time Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Real-time Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Real-timeModels@action=print.html b/manual/PropertySpecification/Real-timeModels@action=print.html new file mode 100644 index 0000000000..78a04fd864 --- /dev/null +++ b/manual/PropertySpecification/Real-timeModels@action=print.html @@ -0,0 +1,154 @@ + + + + + + +PRISM Manual | PropertySpecification / Real-timeModels + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Real-time Models

    + + +
    +

    The classes of property that can be checked for real-time models (PTAs and POPTAs) are currently more restricted than for the other kinds of models that PRISM supports. This is because the model checking procedures are quite different for this type of model. We describe these restrictions here. The situation is also dependent on which of the PTA model checking engines is being used. +

    +

    For the "stochastic games" engine, we essentially only allow unbounded or time-bounded probabilistic reachability properties, i.e. properties of the form: +

    +
    +
    +
    Pmin=? [ F target ]
    +Pmax=? [ F target ]
    +Pmin=? [ F<=T target ]
    +Pmax=? [ F<=T target ]
    +
    +
    [$[Get Code]]
    +
    + +

    where target is a Boolean-valued expression that does not include references to any clock variables and T is an integer-valued expression. The P operator cannot be nested and the S and R operators are not supported. +

    +

    The "backwards reachability" engine is similar but currently only handles maximum probabilities. +

    +

    For the "digital clocks" engine, there is slightly more flexibility, +e.g. until (U) properties are allowed, as are clock variables in expressions and arithmetic expressions such as: +

    +
    +
    +
    1 - Pmin=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    This engine, like the "stochastic games" engine, does not allowed nested properties. Also, references to clocks must, like in the modelling language, not use strict comparisons +(e.g. x<=5 is allowed, x<5 is not). +

    +

    The digital clocks also has support for rewards: +it is possible to check reachability reward properties of the form: +

    +
    +
    +
    Rmin=? [ F target ]
    +Rmax=? [ F target ]
    +
    +
    [$[Get Code]]
    +
    + +

    Reward structures specified in the model, though, must not depend on clock variables. +Formally, the class of PTAs with this kind of reward structure is sometime called linearly priced PTAs (see e.g. [KNPS06]. +

    +

    The digital clocks method is based on a language-level translation from a PTA model to an MDP one. If you want to see the MDP PRISM model that was generated, add the switch -exportdigital digital.nm when model checking property to export the model file to digital.nm. +

    +
    + + + + diff --git a/manual/PropertySpecification/Reward-basedProperties.html b/manual/PropertySpecification/Reward-basedProperties.html index b36c71a495..96f3315eac 100644 --- a/manual/PropertySpecification/Reward-basedProperties.html +++ b/manual/PropertySpecification/Reward-basedProperties.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / Reward-basedProperties +PRISM Manual | Property Specification / Reward-based Properties - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -177,7 +311,7 @@

    -
    R=? [ F (goal=1 & F goal2) ]
    +
    R=? [ F (goal=1 & F goal=2) ]
    [$[Get Code]]
    @@ -315,6 +449,12 @@ @@ -323,6 +463,13 @@
    + +
    @@ -339,6 +486,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -350,5 +498,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/Reward-basedProperties@action=edit.html b/manual/PropertySpecification/Reward-basedProperties@action=edit.html new file mode 100644 index 0000000000..9d13d69085 --- /dev/null +++ b/manual/PropertySpecification/Reward-basedProperties@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Reward-based Properties | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Reward-based Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Reward-basedProperties@action=login.html b/manual/PropertySpecification/Reward-basedProperties@action=login.html new file mode 100644 index 0000000000..4861d0428b --- /dev/null +++ b/manual/PropertySpecification/Reward-basedProperties@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Reward-based Properties | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Reward-based Properties

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/Reward-basedProperties@action=print.html b/manual/PropertySpecification/Reward-basedProperties@action=print.html new file mode 100644 index 0000000000..7033c5cbc8 --- /dev/null +++ b/manual/PropertySpecification/Reward-basedProperties@action=print.html @@ -0,0 +1,321 @@ + + + + + + +PRISM Manual | PropertySpecification / Reward-basedProperties + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Reward-based Properties

    + + +
    +

    PRISM models can be augmented with information about rewards (or, equivalently, costs). +The tool can analyse properties which relate to the expected values of these rewards. +This is achieved using the R operator, which works in a similar fashion to the +P and S operators, and can be used either in a Boolean-valued query, e.g.: +

    +
    +
    +
    R bound [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where bound takes the form <r, <=r, >r or >=r for an expression r evaluating to a non-negative double, +or a real-valued query, e.g.: +

    +
    +
    +
    R query [ rewardprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    where query is =?, min=? or max=?. +In the latter case, filters can be used, as for the P and S operators. +

    +

    Informally, "R bound [ rewardprop ]" is true in a state of a model if +"the expected reward associated with rewardprop of the model when starting from that state'' +meets the bound bound and "R query [ rewardprop ]" returns the actual expected reward value. +

    +

    There are various different types of reward properties: +

    +
    • "reachability reward": F prop +
    • "co-safe LTL reward": e.g. F (prop1 & F prop2) +
    • "cumulative reward" : C<=t +
    • "total reward" : C +
    • "instantaneous reward" : I=t +
    • "steady-state reward" : S. +

    Below, we consider each of these cases in turn. +The descriptions here are kept relatively informal. +Precise definitions for most of these can be found in, for example, +[KNP07a] (for DTMCs and CTMCs) or [FKNP11] (for MDPs). +

    +

    "Reachability reward" properties

    +

    "Reachability reward" properties associate a reward with each path of a model. +More specifically, they refer to the reward accumulated along a path until a certain point is reached. +The manner in which rewards are accumulated depends on the model type. +For DTMCs and MDPs, the total reward for a path is the sum of the state rewards for each state along the path +plus the sum of the transition rewards for each transition between these states. +The situation for CTMCs is similar, except that the state reward assigned to each state +of the model is interpreted as the rate at which rewards are accumulated in that state, +i.e. if t time units are spent in a state with state reward r, +the reward accumulated in that state is r x t. +Hence, the total reward for a path in a CTMC is the sum of these products for each state along the path +plus the sum of the transition rewards for each transition between these states. +

    +

    The reward property "F prop" corresponds to the reward cumulated along a path +until a state satisfying property prop is reached, +where rewards are cumulated as described above. +State rewards for the prop-satisfying state reached are not included in the cumulated value. +In the case where the probability of reaching a state satisfying prop is less than 1, the reward is equal to infinity. +

    +

    A common application of this type of property is the case when the rewards associated with the model correspond to time. +One can then state, for example: +

    +
    +
    +
    R<=9.5 [ F z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "the expected time taken to reach, from s, a state where z equals 2 is less than or equal to 9.5". +

    +

    "Co-safe LTL reward" properties

    +

    These generalise the "reachability" properties above. Again, reward is accumulated along a path up until some point, +but this is specified in a more general way, by giving a formula in the co-safe fragment of linear temporal logic (LTL). +Rewards are accumulated up until the point where the formula is first satisfied. For example, this property, for a DTMC or CTMC, +queries the expected reward accumulated until first goal equals 1 and then subsequently goal equals 2: +

    +
    +
    +
    R=? [ F (goal=1 & F goal=2) ]
    +
    +
    [$[Get Code]]
    +
    + +

    and this property, for an MDP, minimises the expected reward until loc equals 1, +having passed only through states where loc never equals 4 +

    +
    +
    +
    Rmin=? [ loc!=4 U loc=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    As for reachability rewards, if the probability of satisfying the formula is less than 1, +then the expected reward is defined to be infinite. +

    +

    Intuitively, a co-safe formula is one that is satisfied within a finite period of time, +and remains true for ever once it becomes true for the first time. +For simplicity, PRISM actually supports the syntactic co-safe fragment of LTL, +which is defined as any LTL formula that only uses the temporal operators F, U and X +(but not G, for example). +PRISM's notation for LTL formulas is described here. +

    +

    "Cumulative reward" properties

    +

    "Cumulative reward" properties also associate a reward with each path of a model, +but only up to a given time bound. +The property C<=t corresponds to the reward cumulated along a path +until t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +State and transition rewards along a path are cumulated exactly as described in the previous section. +

    +

    A typical application of this type of property is the following. +Consider a model of a disk-drive controller which includes a queue of incoming disk requests. +If we assign a reward of 1 to each transition of the model +corresponding to the situation where an incoming request is lost because the queue is full, +then the property: +

    +
    +
    +
    R=? [ C<=15.5 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would return, for a given state of the model, +"the expected number of lost requests within 15.5 time units of operation". +

    +

    +

    "Total reward" properties

    +

    "Total reward" properties refer to the accumulation of state and transition rewards +in the same way as for "reachability reward" and "cumulative reward" properties, +but the rewards is accumulated indefinitely, +i.e. the total reward accumulated along the whole (infinite) path. +Note that this means that, unless a path ends up remaining forever in states with zero reward, +the total reward will be infinite. +

    +

    Re-using the reward structure in the previous example, +

    +
    +
    +
    R=? [ C ]
    +
    +
    [$[Get Code]]
    +
    + +

    returns "the expected total number of lost requests". +

    +

    "Instantaneous reward" properties

    +

    "Instantaneous reward" properties refer to the reward of a model at a particular instant in time. +The reward property I=t associates with a path the reward in the state +of that path when exactly t time units have elapsed. +For DTMCs and MDPs, the bound t must evaluate to an integer; +for CTMCs, it can evaluate to double. +

    +

    Returning to our example from the previous section of a model for a disk-request queue in a disk-drive controller, +consider the case where the rewards assigned to each state of the model give the current size of the queue in that state. +Then, the following property: +

    +
    +
    +
    R<4.4 [ I=100 ]
    +
    +
    [$[Get Code]]
    +
    + +

    would be true in a state s of the model if +"starting from s, the expected queue size exactly 100 time units later is less than 4.4". +Note that, for this type of reward property, state rewards for CTMCs do not have to refer to rates; +they can refer to any instantaneous measure of interest for a state. +

    +

    "Steady-state reward" properties

    +

    Unlike the previous three types of property, +"steady-state reward" properties relate not to paths, but rather to the reward in the long-run. +A typical application of this type of property would be, in the case where +the rewards associated with the model correspond to power consumption, the property: +

    +
    +
    +
    R<=0.7 [ S ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state s if "starting from s, the long-run average power consumption is less than 0.7". +

    +

    Which reward structure?

    +

    In the case where a PRISM model has multiple reward structures you may need to specify which reward structure your property refers to. This is done by placing the information in braces ({}) after the R operator. You can do so either using the name assigned to a reward structure (if any) or using the index (where 1 means the first rewards structure in the PRISM model file, 2 the second, etc.). Examples are: +

    +
    +
    +
    R{"num_failures"}=? [ C<=10.0 ]
    +R{"time"}=? [ F step=final ]
    +R{2}=? [ F step=final ]
    +
    +
    [$[Get Code]]
    +
    + +

    Note that when using an index to specify the reward structure, you can actually put any expression that evaluates to an integer. This allows you to, for example, write a property of the form R{c}=?[...] where c is an undefined integer constant. You can then vary the value of c in an experiment and compute values for several different reward structures at once. +

    +

    If you don't specify a reward structure to the R operator, by default, the first one in the model file is used. +

    +

    Availability

    +

    There are currently a few restrictions on the model checking engines that can be used for some reward properties. The following table summarises the currently availability, where S, M, H and E denote the "sparse", "MTBDD", "hybrid" and "explicit" engines, respectively, for DTMCs, CTMCs and MDPs. For PTAs, support for rewards is currently quite restrictive; see the later section on real-time model properties for details. +

    +
    + + + + +
     FcosafeC<=tCI=tS
    DTMCsSMHESMHESMHESMHESMHESMHE
    CTMCsSMHESMHESMHESMHESMHESMHE
    MDPsSM-ESMHES--E----SM-E----
    +
    + + + + diff --git a/manual/PropertySpecification/SyntaxAndSemantics.html b/manual/PropertySpecification/SyntaxAndSemantics.html index f7f7690313..6669a0ca80 100644 --- a/manual/PropertySpecification/SyntaxAndSemantics.html +++ b/manual/PropertySpecification/SyntaxAndSemantics.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / SyntaxAndSemantics +PRISM Manual | Property Specification / Syntax And Semantics - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -194,6 +328,12 @@

    Syntax

    @@ -202,6 +342,13 @@

    Syntax

    + +
    @@ -218,6 +365,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -229,5 +377,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/SyntaxAndSemantics@action=edit.html b/manual/PropertySpecification/SyntaxAndSemantics@action=edit.html new file mode 100644 index 0000000000..b26ee4949e --- /dev/null +++ b/manual/PropertySpecification/SyntaxAndSemantics@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Syntax And Semantics | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Syntax And Semantics

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/SyntaxAndSemantics@action=login.html b/manual/PropertySpecification/SyntaxAndSemantics@action=login.html new file mode 100644 index 0000000000..7e47d2890a --- /dev/null +++ b/manual/PropertySpecification/SyntaxAndSemantics@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Syntax And Semantics | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Syntax And Semantics

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/SyntaxAndSemantics@action=print.html b/manual/PropertySpecification/SyntaxAndSemantics@action=print.html new file mode 100644 index 0000000000..29617cfbb1 --- /dev/null +++ b/manual/PropertySpecification/SyntaxAndSemantics@action=print.html @@ -0,0 +1,200 @@ + + + + + + +PRISM Manual | PropertySpecification / SyntaxAndSemantics + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Syntax And Semantics

    + + +
    +

    Syntax

    +

    The syntax of the PRISM property specification language subsumes various probabilistic temporal logics, including PCTL, CSL, (probabilistic) LTL, PCTL* and CTL. Informally, the syntax can be summarised as follows: a property can be any valid, well-typed PRISM expression, which (optionally) also includes the probabilistic operators discussed previously (P, S and R) and the non-probabilistic (CTL) ones A and E). This mean that any of the following operators can be used: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +
    • P (probabilistic operator) +
    • S (steady-state operator) +
    • R (reward operator) +
    • A (for-all operator) +
    • E (there-exists operator) +

    This allows you to write any property expressible in logics such as PCTL and CSL. For example, CSL allows you to nest P and S operators: +

    +
    +
    +
    P=? [ F>2 S>0.9[ num_servers >= 5 ] ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of it taking more than 2 hours to get to a state from which the long-run probability of at least 5 servers being operational is >0.9" +

    +

    You can also express various arithmetic expressions such as: +

    +
    +
    +
    1 - P=? [ F[3600,7200] oper ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability that the system is not operational at any point during the second hour of operation" +

    +
    +
    +
    R{"oper"}=? [ C<=t ] / t
    +
    +
    [$[Get Code]]
    +
    + +

    "the expected fraction of time that the system is available (i.e. the expected interval availability) in the time interval [0, t]" +

    +
    +
    +
    P=? [ F fail_A ] / P=? [ F any_fail ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the (conditional) probability that component A eventually fails, given +that at least one component fails" +

    +

    Semantics

    +

    We omit a formal presentation of the semantics of the PRISM property language. The semantics of the probabilistic temporal logics that the language incorporates can be found from a variety of sources. See for example the pointers given in the About and Documentation sections of the PRISM website. +

    +

    It is worth, however, clarifying a few points specific to PRISM. A property is evaluated with respect to a particular state of a model. Depending on the type of the property, this value may either be a Boolean, an integer or a double. When performing model checking, PRISM usually has to actually compute the value for all states of the model but, for clarity, will by default report just a single value. Typically, this is the value for the (single) initial state of the model. For example, this: +

    +
    +
    +
    P=? [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will report the probability, from the initial state of the model, of reaching an "error" state. +This: +

    +
    +
    +
    P>0.5 [ F "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    will return true if and only if the probability, from the initial state, is greater than 0.5. +

    +

    Note: This is contrast to older versions of PRISM, which treated numerical and Boolean-valued properties differently in this respect. +

    +

    For models with multiple initial states, we need to adapt these definitions slightly. In this case, the two properties above will yield, respectively: +

    +
    • the range of values (over all initial states) of the probability of reaching "error" +
    • true if and only if the probability is greater than 0.5 from all initial states. +

    You can also ask PRISM to return different values using filters, +which are described in the next section. +

    +
    + + + + diff --git a/manual/PropertySpecification/ThePOperator.html b/manual/PropertySpecification/ThePOperator.html index 6c73cf862a..d79b0de98c 100644 --- a/manual/PropertySpecification/ThePOperator.html +++ b/manual/PropertySpecification/ThePOperator.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / ThePOperator +PRISM Manual | Property Specification / The P Operator - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -407,6 +541,12 @@ @@ -415,6 +555,13 @@
    + +
    @@ -431,6 +578,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -442,5 +590,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/ThePOperator@action=edit.html b/manual/PropertySpecification/ThePOperator@action=edit.html new file mode 100644 index 0000000000..a2672c06ce --- /dev/null +++ b/manual/PropertySpecification/ThePOperator@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / The P Operator | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    The P Operator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/ThePOperator@action=login.html b/manual/PropertySpecification/ThePOperator@action=login.html new file mode 100644 index 0000000000..923b7cfa3c --- /dev/null +++ b/manual/PropertySpecification/ThePOperator@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / The P Operator | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    The P Operator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/ThePOperator@action=print.html b/manual/PropertySpecification/ThePOperator@action=print.html new file mode 100644 index 0000000000..d02da6412b --- /dev/null +++ b/manual/PropertySpecification/ThePOperator@action=print.html @@ -0,0 +1,413 @@ + + + + + + +PRISM Manual | PropertySpecification / ThePOperator + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    The P Operator

    + + +
    +

    One of the most important operators in the PRISM property specification language is the P operator, which is used to reason about the probability of an event's occurrence. This operator was originally proposed in the logic PCTL but also features in the other logics supported by PRISM, such as CSL. The P operator is applicable to all types of models supported by PRISM. +

    +

    Informally, the property: +

    +
    +
    +
    P bound [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a model if +"the probability that path property pathprop is satisfied by the paths from state s +meets the bound bound". +A typical example of a bound would be: +

    +
    +
    +
    P>0.98 [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the probability that pathprop is satisfied by the paths from state s is greater than 0.98". More precisely, bound can be any of >=p, >p, <=p or <p, +where p is a PRISM language expression evaluating to a double in the range [0,1]. +

    +

    The types of path property supported by PRISM and their semantics will be discussed shortly. +

    +

    Nondeterminism

    +

    For models that can exhibit nondeterministic behaviour, such as MDPs or PTAs, some additional clarifications are necessary. Whereas for fully probabilistic models such as DTMCs and CTMCs, probability measures over paths are well defined (see e.g. [KSK76] and [BKH99], respectively), for nondeterministic models a probability measure can only be feasibly defined once all nondeterminism has been removed. +

    +

    Hence, the actual meaning of the property P bound [ pathprop ] in these cases is: +"the probability that pathprop is satisfied by the paths from state s +meets the bound bound for all possible resolutions of nondeterminism". +This means that, properties using the P operator then effectively reason about the +minimum or maximum probability, over all possible resolutions of nondeterminism, +that a certain type of behaviour is observed. +This depends on the bound attached to the P operator: +a lower bound (> or >=) relates to minimum probabilities +and an upper bound (< or <=) to maximum probabilities. +

    +

    Quantitative properties

    +

    It is also very often useful to take a quantitative approach to probabilistic model checking, computing the actual probability that some behaviour of a model is observed, +rather than just verifying whether or not the probability is above or below a given bound. +Hence, PRISM allows the P operator to take the following form: +

    +
    +
    +
    P=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    These properties return a numerical rather than a Boolean value. +The S and R operators, discussed later, can also be used in this way. +

    +

    As mentioned above, for nondeterministic models (MDPs or PTAs), either minimum or maximum probability values can be computed. Therefore, in this case, we have two possible types of property: +

    +
    +
    +
    Pmin=? [ pathprop ]
    +Pmax=? [ pathprop ]
    +
    +
    [$[Get Code]]
    +
    + +

    which return the minimum and maximum probabilities, respectively. +

    +

    It is also possible to specify to which state the probability returned by a quantitative property refers. This is covered in the later section on filters. +

    +

    Path properties

    +

    PRISM supports a wide range of path properties that can be used with the P operator. +A path property is a formula that evaluates to either true or false for a single path in a model. +Here, we review some of the simpler properties that feature a single temporal operator, +as used for example in the logics PCTL and CSL. Later, we briefly describe how PRISM also supports more complex LTL-style path properties. +

    +

    The basic different types of path property that can be used inside the P operator are: +

    +
    • X : "next" +
    • U : "until" +
    • F : "eventually" (sometimes called "future") +
    • G : "always" (sometimes called "globally") +
    • W : "weak until" +
    • R : "release" +

    In the following sections, we describe each of these temporal operators. We then discuss the (optional) use of time bounds with these operators. Finally, we also discuss LTL-style path properties. +

    +

    "Next" path properties

    +

    The property X prop is true for a path if prop is true in its second state, +An example of this type of property, used inside a P operator, is: +

    +
    +
    +
    P<0.01 [ X y=1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of the expression y=1 being true in the next state is less than 0.01". +

    +

    "Until" path properties

    +

    The property prop1 U prop2 is true for a path if +prop2 is true in some state of the path and prop1 is true in all preceding states. +A simple example of this would be: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually equal to 2, and that z remains less than 2 up until that point, is greater than 0.5". +

    +

    "Eventually" path properties

    +

    The property F prop is true for a path if prop eventually becomes true at some point along the path. The F operator is in fact a special case of the U operator (you will often see F prop written as true U prop). A simple example is: +

    +
    +
    +
    P<0.1 [ F z>2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability that z is eventually greater than 2is less than 0.1". +

    +

    "Globally" path properties

    +

    Whereas the F operator is used for "reachability" properties, G represents "invariance". The property G prop is true of a path if prop remains true at all states along the path. Thus, for example: +

    +
    +
    +
    P>=0.99 [ G z<10 ]
    +
    +
    [$[Get Code]]
    +
    + +

    states that, with probability at least 0.99, z never exceeds 10. +

    +

    "Weak until" and "release" path properties

    +

    Like F and G, the operators W and R are derivable from other temporal operators. +

    +

    Weak until (a W b), which is equivalent to (a U b) | G a, requires that a remains true until b becomes true, but does not require that b ever does becomes true (i.e. a remains true forever). For example, a weak form of the until example used above is: +

    +
    +
    +
    P>0.5 [ z<2 U z=2 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which states that, with probability greater than 0.5, either z is always less than 2, or it is less than 2 until the point where z is 2. +

    +

    Release (a R b), which is equivalent to !(!a U !b), informally means that b is true until a becomes true, or b is true forever. +

    +

    +

    "Bounded" variants of path properties

    +

    All of the temporal operators given above, with the exception of X, have "bounded" variants, where an additional time bound is imposed on the property being satisfied. +The most common case is to use an upper time bound, i.e. of the form "<=t" or "<t", where t is a PRISM expression evaluating to a constant, non-negative value. +

    +

    For example, a bounded until property prop1 U<=t prop2, is satisfied along a path if prop2 becomes true within t steps and prop1 is true in all states before that point. +A typical example of this would be: +

    +
    +
    +
    P>=0.98 [ y<4 U<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which is true in a state if "the probability of y first exceeding 3 within 7 time units is greater than or equal to 0.98". Similarly: +

    +
    +
    +
    P>=0.98 [ F<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state if "the probability of y being equal to 4 within 7 time units is greater than or equal to 0.98" and: +

    +
    +
    +
    P>=0.98 [ G<=7 y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true if the probability of y staying equal to 4 for 7 time units is at least 0.98. +

    +

    The time bound can be an arbitrary (constant) expression, +but note that you may need to bracket it, +as in the following example: +

    +
    +
    +
    P>=0.98 [ G<=(2*k+1) y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use lower time-bounds (i.e. >=t or >t) and time intervals [t1,t2], e.g.: +

    +
    +
    +
    P>=0.98 [ F>=10 y=4 ]
    +P>=0.98 [ F[10,20] y=4 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which refer to the probability of y becoming equal to 4 after 10 or more time units, and after between 10 and 20 time-units respectively. +

    +

    For CTMCs, the time bounds can be any (non-negative) numerical values - they are not restricted to integers, as for discrete-time models. +For example: +

    +
    +
    +
    P>=0.25 [ y<=1 U<=6.5 y>1 ]
    +
    +
    [$[Get Code]]
    +
    + +

    means that the probability of y being greater than 1 within 6.5 time-units (and remaining less than or equal to 1 at all preceding time-points) is at least 0.25. +

    +

    Transient probabilities

    +

    We can also use the bounded F operator to refer to a single time instant, e.g.: +

    +
    +
    +
    P=? [ F[10,10] y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    or, equivalently: +

    +
    +
    +
    P=? [ F=10 y=6 ]
    +
    +
    [$[Get Code]]
    +
    + +

    both of which give the probability of y being 6 at time instant 10. +

    +

    +

    LTL-style path properties

    +

    PRISM also supports probabilistic model checking of the temporal logic LTL (and, in fact, PCTL*). LTL provides a richer set of path properties for use with the P operator, by permitting temporal operators to be combined. Here are a few examples of properties expressible using this functionality: +

    +
    +
    +
    P>0.99 [ F ( "request" & (X "ack") ) ]
    +
    +
    [$[Get Code]]
    +
    + +

    "with probability greater than 0.99, a request is eventually received, followed immediately by an acknowledgement" +

    +
    +
    +
    P>=1 [ G F "send" ]
    +
    +
    [$[Get Code]]
    +
    + +

    "a message is sent infinitely often with probability 1" +

    +
    +
    +
    P=? [ F G ("error" & !"repair") ]
    +
    +
    [$[Get Code]]
    +
    + +

    "the probability of an error occurring that is never repaired” +

    +

    Note that logical operators have precedence over temporal ones, so you will often need to include parentheses when using logical operators, e.g.: +

    +
    +
    +
    P=? [ (F "error1") & (F "error2") ]
    +
    +
    [$[Get Code]]
    +
    + +

    For temporal operators, unary operators (such as F, G and X) have precedence over binary ones (such as U). Unary operators can be nested, without parentheses, but binary ones cannot. +

    +

    So, these are allowed: +

    +
    +
    +
    P=? [ F X X X "a" ]
    +P=? [ "a" U X X X "error" ]
    +P=? [ ("a" U "b") U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +

    but this is not: +

    +
    +
    +
    P=? [ "a" U "b" U "c" "error" ]
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/PropertySpecification/TheSOperator.html b/manual/PropertySpecification/TheSOperator.html index 22448fd102..dee173fb71 100644 --- a/manual/PropertySpecification/TheSOperator.html +++ b/manual/PropertySpecification/TheSOperator.html @@ -1,22 +1,25 @@ + + -PRISM Manual | PropertySpecification / TheSOperator +PRISM Manual | Property Specification / The S Operator - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -138,6 +272,12 @@ @@ -146,6 +286,13 @@
    + +
    @@ -162,6 +309,7 @@

    PRISM Manual

  • Multi-objective Properties
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Non-probabilistic Properties
  • Syntax And Semantics
  • Filters @@ -173,5 +321,8 @@

    PRISM Manual

    • + + diff --git a/manual/PropertySpecification/TheSOperator@action=edit.html b/manual/PropertySpecification/TheSOperator@action=edit.html new file mode 100644 index 0000000000..1e4076fe4b --- /dev/null +++ b/manual/PropertySpecification/TheSOperator@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / The S Operator | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    The S Operator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/TheSOperator@action=login.html b/manual/PropertySpecification/TheSOperator@action=login.html new file mode 100644 index 0000000000..8d1030eb0a --- /dev/null +++ b/manual/PropertySpecification/TheSOperator@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / The S Operator | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    The S Operator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/TheSOperator@action=print.html b/manual/PropertySpecification/TheSOperator@action=print.html new file mode 100644 index 0000000000..450b2dffc6 --- /dev/null +++ b/manual/PropertySpecification/TheSOperator@action=print.html @@ -0,0 +1,144 @@ + + + + + + +PRISM Manual | PropertySpecification / TheSOperator + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    The S Operator

    + + +
    +

    The S operator is used to reason about the steady-state behaviour of a model, +i.e. its behaviour in the long-run or equilibrium. +PRISM currently only provides support for DTMCs and CTMCs. +The definition of steady-state (long-run) probabilities for finite DTMCS and CTMCs is well defined (see e.g. [Ste94]). +Informally, the property: +

    +
    +
    +
    S bound [ prop ]
    +
    +
    [$[Get Code]]
    +
    + +

    is true in a state s of a DTMC or CTMC if +"starting from s, the steady-state (long-run) probability of being in a state which satisfies the (Boolean-valued) PRISM property prop, meets the bound bound". +A typical example of this type of property would be: +

    +
    +
    +
    S<0.05 [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    which means: "the long-run probability of the queue being more than 75% full is less than 0.05". +

    +

    Like the P operator, the S operator can be used in a quantitative form, which returns the actual probability value, e.g.: +

    +
    +
    +
    S=? [ queue_size / max_size > 0.75 ]
    +
    +
    [$[Get Code]]
    +
    + +

    and can be further customised with the use of filters. +

    +
    + + + + diff --git a/manual/PropertySpecification/UncertainModels.html b/manual/PropertySpecification/UncertainModels.html new file mode 100644 index 0000000000..1647fc382a --- /dev/null +++ b/manual/PropertySpecification/UncertainModels.html @@ -0,0 +1,329 @@ + + + + + + + + +PRISM Manual | Property Specification / Uncertain Models + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Uncertain Models

    + +
    + +
    +

    For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

    +

    For example, instead of a property for a DTMC such as +

    +
    +
    +
    P=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

    +
    +
    +
    Pmin=? [ F "goal" ]
    +Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which compute the minimum or maximum possible probability that can arise. +

    +

    Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

    +
    +
    +
    Pmaxmin=? [ F "goal" ]
    +Pmaxmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

    +
    • the P operator, for next and bounded/unbounded until/reachability properties +
    • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +
    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/UncertainModels@action=edit.html b/manual/PropertySpecification/UncertainModels@action=edit.html new file mode 100644 index 0000000000..87a87aa8ea --- /dev/null +++ b/manual/PropertySpecification/UncertainModels@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Property Specification / Uncertain Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Uncertain Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/UncertainModels@action=login.html b/manual/PropertySpecification/UncertainModels@action=login.html new file mode 100644 index 0000000000..284056c060 --- /dev/null +++ b/manual/PropertySpecification/UncertainModels@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Property Specification / Uncertain Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Property Specification / +

    Uncertain Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/PropertySpecification/UncertainModels@action=print.html b/manual/PropertySpecification/UncertainModels@action=print.html new file mode 100644 index 0000000000..299c14d637 --- /dev/null +++ b/manual/PropertySpecification/UncertainModels@action=print.html @@ -0,0 +1,145 @@ + + + + + + +PRISM Manual | PropertySpecification / UncertainModels + + + + + + + + + + + + + + + + + + +

    Property Specification / +

    Uncertain Models

    + + +
    +

    For uncertain models, currently interval MDPs (IMDPs) or interval DTMCs (IDTMCs), PRISM performs robust verification, which considers the best- or worst-case behaviour that can arise depending on the way that probabilities are selected from intervals. +

    +

    For example, instead of a property for a DTMC such as +

    +
    +
    +
    P=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which asks for the probability to reach a state satisfying "goal", IDTMCs use MDP-style queries: +

    +
    +
    +
    Pmin=? [ F "goal" ]
    +Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    which compute the minimum or maximum possible probability that can arise. +

    +

    Similarly, for an IMDP, there are now two separate quantifications, firstly over strategies (policies) and secondly over the distinct ways that transition probabilities can be selected from intervals, for which min or max appear in that order in the query. For example: +

    +
    +
    +
    Pmaxmin=? [ F "goal" ]
    +Pmaxmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    return the minimum and maximum values, respectively, over resolutions of transition probabilities for the maximum probability of reaching "goal". Similarly, minmin and minmax are used for the minimum probability of reaching "goal". Model checking is supported for: +

    +
    • the P operator, for next and bounded/unbounded until/reachability properties +
    • the R operator, for the expected reward to reach a target or satisfy a co-safe LTL formula +
    +
    + + + + diff --git a/manual/RunningPRISM/Adversaries.html b/manual/RunningPRISM/Adversaries.html deleted file mode 100644 index 05cd13b1bc..0000000000 --- a/manual/RunningPRISM/Adversaries.html +++ /dev/null @@ -1,168 +0,0 @@ - - - - - - -PRISM Manual | RunningPRISM / Adversaries - - - - - - - - - - - - - - - - - - - -
    -
    - -
    - - - - - - - -
    -

    Running PRISM / -

    Adversaries

    - -
    - -
    -

    When model checking some properties of MDPs, PRISM can also generate an optimal adversary, i.e. one which corresponds to either the minimum or maximum values of the probabilities or rewards computed during verification. Recall that, for MDPs, PRISM quantifies over all possible adversaries, i.e. all possible resolutions of nondeterminism in the model. A typical property would be: -

    -
    -
    -
    Pmax=? [ F "error" ]
    -
    -
    [$[Get Code]]
    -
    - -

    which computes the maximum probability, over all adversaries, of reaching a state satisfying the label "error", from all states of the model. When under the control of a specific adversary, the behaviour of an MDP is purely probabilistic, yielding a single value (for each state) for the probability of reaching "error". In addition to giving the maximum probability value(s), PRISM can produce an adversary of the MDP for which the probabilities (for each state) coincide with the maximum values. -

    -

    For a probabilistic reachability property, such as the one above, a memoryless adversary suffices, that is one which always makes the same choice in any given state of the model. So, the default form in which PRISM provides an adversary is a DTMC derived by retaining only a single nondeterministic choice in each state of the MDP. This DTMC is given in the same format as when exporting the transition matrix of a DTMC, i.e. a list of transitions. -

    -

    Currently, adversary generation is only implemented in the sparse engine, so you need to make sure this engine is enabled. From the command-line, you specify that an optimal adversary should be generated using the -exportadv switch, e.g.: -

    -
    -
    -
    prism mdp.nm -pctl 'Pmax=? [ F "error" ]' -exportadv adv.tra -s
    -
    -
    [$[Get Code]]
    -
    - -

    From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. -Another option is to export the adversary as an MDP (this is identical to the model produced using the DTMC option, but can be imported back into PRISM as an MDP, if required). Use switch -exportadvmdp, instead of -exportadv form the command-line, or select the "MDP" option from the GUI. -

    -

    PRISM also supports generation of adversaries for "reachability reward" properties (i.e. the R operator, with argument F) in identical fashion to the case described above. -

    -
    - - - - - - - - - -
    - -
    -
    - - - - - diff --git a/manual/RunningPRISM/AllOnOnePage.html b/manual/RunningPRISM/AllOnOnePage.html index 7eaa14fd47..071e4d32dc 100644 --- a/manual/RunningPRISM/AllOnOnePage.html +++ b/manual/RunningPRISM/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / AllOnOnePage +PRISM Manual | Running PRISM / All On One Page - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -225,8 +359,8 @@

    Starting PRISM

    tutorial on the PRISM web site. Some screenshots of the GUI version of PRISM are shown below.

    -

    The PRISM GUI (editing a model)
    -

    The PRISM GUI (model checking)
    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)

    Loading And Building a Model

    Typically, when using PRISM, the first step is to load a model that has been specified in the PRISM modelling language. If using the GUI, select menu option "Model | Open Model" and choose a file. There are a selection of sample PRISM model files in the prism-examples directory of the distribution. @@ -308,7 +442,7 @@

    Debugging Models With The Simulator

    The figure shows the simulator in action.

    -

    The PRISM GUI: exploring a model using the simulator
    +

    The PRISM GUI: exploring a model using the simulator

    It is also possible to:

    • backtrack to an earlier point in a path @@ -548,13 +682,15 @@

      Exporting The Model

      -
      prism poll2.sm -exportrewards poll2.rews poll2.rewt
      -prism poll2.sm -exportstaterewards poll2.rews -exporttransrewards poll2.rewt
      +
      prism poll2.sm -exportrewards poll2.srew poll2.trew
      +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
      [$[Get Code]]

      When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI).

      You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example:

      @@ -605,7 +741,7 @@

      Exporting The Model

      is a quick way to print all details (of a small model) to the terminal.

      -

      Although is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +

      Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix in Dot format which allows easy graphical visualisation of the model:

      @@ -615,6 +751,11 @@

      Exporting The Model

      [$[Get Code]]
      +

      Export options

      +

      When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

      Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list:

      • mrmc - export data in MRMC format @@ -622,6 +763,7 @@

        Exporting The Model

      • rows - export matrices with one row/distribution on each line
      • ordered - output states indices in ascending order [default]
      • unordered - don't output states indices in ascending order +
      • proplabels - also export labels from the properties file

      An example is:

      @@ -631,14 +773,18 @@

      Exporting The Model

      [$[Get Code]]
      -

      The meaning of these options is described below. +

      By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>.

      File formats

      By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. As mentioned above, by convention, we use file extensions .sta (for states files), .tra (for transitions files), -.rews and .rewt (for state/transition rewards files) +.srew and .trew (for state/transition rewards files) and .lab (for labels).

      Alternatively, it is possible to export this information as Matlab code @@ -1093,38 +1239,59 @@

      Experiments

      [$[Get Code]]
    -

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. -This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    or in DataFrame format:

    -
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    [$[Get Code]]
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]
    +
    + +

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. +This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    +
    [$[Get Code]]
    +
    + +
    +
    "N\T"
    , 0.0, 10.0, 20.0
    4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The matrix option is also available in normal (non-CSV) mode.

    -

    Finally, you can export results in the form of comments, used by PRISM's functionality: +

    You can also export results in the form of comments, used by PRISM's regression testing functionality:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -
    +
    // RESULT (N=4,T=0): 0.0
    // RESULT (N=4,T=10): 4.707364688019771E-6
    // RESULT (N=4,T=20): 1.3126420636755292E-5
    @@ -1132,41 +1299,124 @@

    Experiments

    // RESULT (N=5,T=10): 3.267731327728599E-6
    // RESULT (N=5,T=20): 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. This exports the results for all states of the model (typically, the log just displays the result for the initial state, unless a filter has been used) to the the file file.

    -

    Adversaries

    -

    When model checking some properties of MDPs, PRISM can also generate an optimal adversary, i.e. one which corresponds to either the minimum or maximum values of the probabilities or rewards computed during verification. Recall that, for MDPs, PRISM quantifies over all possible adversaries, i.e. all possible resolutions of nondeterminism in the model. A typical property would be: +

    Strategies

    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property:

    -
    -
    Pmax=? [ F "error" ]
    +
    +
    Pmax=? [ F "goal" ]
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -

    which computes the maximum probability, over all adversaries, of reaching a state satisfying the label "error", from all states of the model. When under the control of a specific adversary, the behaviour of an MDP is purely probabilistic, yielding a single value (for each state) for the probability of reaching "error". In addition to giving the maximum probability value(s), PRISM can produce an adversary of the MDP for which the probabilities (for each state) coincide with the maximum values. +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated.

    -

    For a probabilistic reachability property, such as the one above, a memoryless adversary suffices, that is one which always makes the same choice in any given state of the model. So, the default form in which PRISM provides an adversary is a DTMC derived by retaining only a single nondeterministic choice in each state of the MDP. This DTMC is given in the same format as when exporting the transition matrix of a DTMC, i.e. a list of transitions. +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future.

    -

    Currently, adversary generation is only implemented in the sparse engine, so you need to make sure this engine is enabled. From the command-line, you specify that an optimal adversary should be generated using the -exportadv switch, e.g.: +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are:

    -
    -
    prism mdp.nm -pctl 'Pmax=? [ F "error" ]' -exportadv adv.tra -s
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    -

    From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. -Another option is to export the adversary as an MDP (this is identical to the model produced using the DTMC option, but can be imported back into PRISM as an MDP, if required). Use switch -exportadvmdp, instead of -exportadv form the command-line, or select the "MDP" option from the GUI. +

    A full list of available options is as follows: +

    +
    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches.

    -

    PRISM also supports generation of adversaries for "reachability reward" properties (i.e. the R operator, with argument F) in identical fashion to the case described above. +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above.

    Support For PEPA Models

    For CTMCs, PRISM also accepts model descriptions in the stochastic process algebra PEPA [Hil96]. @@ -1207,73 +1457,73 @@

    Support For SBML

    An SBML file comprises a set of species and a set of reactions which they undergo. Below is the SBML file for the simple reversible reaction: Na + Cl ↔ Na+ + Cl-, where there are initially 100 Na and Cl atoms and no ions, and the base rates for the forwards and backwards reactions are 100 and 10, respectively.

    -
    -
    <?xml version="1.0" encoding="UTF-8"?>
    -<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">

    -    <listOfCompartments>
    -      <compartment id="compartment"/>
    -    </listOfCompartments>
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>

    -    <listOfSpecies>
    -      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -    </listOfSpecies>
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>

    -    <listOfReactions>
    -      <reaction id="forwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>forwards_rate</ci>
    -              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="forwards_rate" value="100"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>

    -      <reaction id="backwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>backwards_rate</ci>
    -              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="backwards_rate" value="10"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    -    </listOfReactions>
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>

    </model>
    -</sbml>
    -
    [$[Get Code]]
    </model>
    +</sbml>
    +
    [$[Get Code]]

    And here is the resulting PRISM code:

    -
    +
    // File generated by automatic SBML-to-PRISM conversion
    // Original SBML file: nacl.xml

    @@ -1360,22 +1610,22 @@

    Support For SBML

    // 4
    rewards "cl_minus" true : cl_minus; endrewards
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator):

    -

    Expected amount of Na/Na+ at time T
    +

    Expected amount of Na/Na+ at time T

    Using the translator

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself.

    -
    +
    cd prism
    java -cp classes prism.SBML2Prism sbml_file.xml > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    If you are using a binary (rather than source code) distribution of PRISM, replace classes with lib/prism.jar in the above. @@ -1383,7 +1633,7 @@

    Support For SBML

    Alternatively (on Linux or Mac OS X), ensure prism is in your path and then save the script below as an executable file called sbml2prism:

    -
    +
    #!/bin/sh

    # Startup script for SBML-to-PRISM translator
    @@ -1392,28 +1642,28 @@

    Support For SBML

    PRISM_MAINCLASS="prism.SBML2Prism"
    export PRISM_MAINCLASS
    prism "$@"
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Then use:

    -
    +
    sbml2prism sbml_file.xml > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The following PRISM properties file will also be useful:

    -
    +
    const double T;
    const int c;

    R{c}=? [I=T]
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    This contains a single property which, based on the reward structures in the PRISM model generated by the translator, means "the expected amount of species c at time T". The constant c is an integer index which can range between 1 and N, where N is the number of species in the model. To view the expected amount of each species over time, create an experiment in PRISM which varies c from 1 to N and T over the desired time range. @@ -1430,11 +1680,11 @@

    Support For SBML

    Furthermore, since PRISM is primarily a model checking (rather than simulation) tool, it is important that the amount of each species also has an upper bound (to ensure a finite state space). When model checking, the efficiency (or even feasibility) of the process is likely to be very sensitive to the upper bound(s) chosen. When using the discrete-event simulation functionality of PRISM, this is not the case and the bounds can can be set much higher. By default the translator uses an upper bound of 100 (which is increased if the initial amount exceeds this). A different value can specified through a second command-line argument as follows:

    -
    +
    cd prism
    java -cp classes prism.SBML2Prism sbml_file.xml 1000 > prism_file.sm
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Alternatively, upper bounds can be modified manually after the translation process. @@ -1454,10 +1704,10 @@

    Explicit Model Import

    For example:

    -
    +
    prism -importtrans poll2.tra -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    Please note that this method of constructing models in PRISM is typically less efficient than using the PRISM language. @@ -1470,20 +1720,20 @@

    Explicit Model Import

    (not a good strategy in general):

    -
    +
    prism poll2.sm -exporttrans poll2.tra -exportstates poll2.sta
    prism -importtrans poll2.tra -importstates poll2.sta -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    You can also import label information using the switch -importlabels, e.g.:

    -
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    where the labels file (poll2.lab above) is in the format generated by the -exportlabels export option of PRISM. @@ -1496,19 +1746,23 @@

    Explicit Model Import

    Lastly, state (but currently not transition) rewards can also be imported, using the -importstaterewards switch, e.g.:

    -
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -importstaterewards poll2.srew -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above:

    -
    +
    prism -importmodel poll2.tra,sta,lab,srew -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The contents of each file is determined by its extension: @@ -1521,10 +1775,19 @@

    Explicit Model Import

    Use the extension .all to import from all of these files:

    -
    +
    prism -importmodel poll2.all -ctmc
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +
    + +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]
    @@ -1532,6 +1795,12 @@

    Explicit Model Import

    @@ -1540,6 +1809,13 @@

    Explicit Model Import

    + +
    @@ -1556,7 +1832,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -1568,5 +1844,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/AllOnOnePage@action=edit.html b/manual/RunningPRISM/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..e104825e7b --- /dev/null +++ b/manual/RunningPRISM/AllOnOnePage@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/AllOnOnePage@action=login.html b/manual/RunningPRISM/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..60a2717f0b --- /dev/null +++ b/manual/RunningPRISM/AllOnOnePage@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/AllOnOnePage@action=print.html b/manual/RunningPRISM/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..0ca5d66f87 --- /dev/null +++ b/manual/RunningPRISM/AllOnOnePage@action=print.html @@ -0,0 +1,1669 @@ + + + + + + +PRISM Manual | RunningPRISM / AllOnOnePage + + + + + + + + + + + + + + + + + + +
    +

    Running PRISM

    +
    +

    Starting PRISM

    +

    There are two versions of PRISM, one based on a graphical user interface (GUI), +the other based on a command line interface. Both use the same underlying model checker. +The latter is useful for running large batches of jobs, leaving long-running model checking tasks in the background, or simply for running the tool quickly and easily once you are familiar with its operation. +

    +

    Details how how to run PRISM can be found in the installation instructions. +In short, to run the PRISM GUI: +

    +
    • (on Windows) click the short-cut (to xprism.bat) installed on the Desktop/Start Menu +
    • (on other OSs) run the xprism script in the bin directory +

    You can also optionally specify a model file and a properties file to load upon starting the GUI, e.g.: +

    +
    +
    +
    xprism example.prism
    +xprism example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    To use the command-line version of PRISM, run the prism script, also in the bin directory, e.g.: +

    +
    +
    +
    prism example.prism example.props -prop 2
    +
    +
    [$[Get Code]]
    +
    + +

    The -dir switch can be used to specify a directory for input (and output) files. +So the following are equivalent: +

    +
    +
    +
    prism ~/myfiles/example.prism ~/myfiles/example.props
    +prism -dir ~/myfiles example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    The remainder of this section of the manual describes the main types of functionality offered by PRISM. +For a more introductory guide to using the tool, try the +tutorial on the PRISM web site. +Some screenshots of the GUI version of PRISM are shown below. +

    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)
    +
    +

    Loading And Building a Model

    +

    Typically, when using PRISM, the first step is to load a model that has been specified in the PRISM modelling language. If using the GUI, select menu option "Model | Open Model" and choose a file. There are a selection of sample PRISM model files in the prism-examples directory of the distribution. +A few very small models are contained in the subdirectory simple; +the rest are in subdirectories grouped by model type. +

    +

    The model will then be displayed in the editor in the "Model" tab of the GUI window. The file is parsed upon loading. If there are no errors, information about the modules, variables, and other components of the model is displayed in the panel to the left and a green tick will be visible. If there are errors in the file, a red cross will appear instead and the errors will be highlighted in the model editor. To view details of the error, position the mouse pointer over the source of the error (or over the red cross). Alternatively, select menu option "Model | Parse Model" and the error mIessage will be displayed in a message box. Model descriptions can, of course, also be typed from scratch into the GUI's editor. +

    +

    Building the model

    +

    In order to perform model checking, PRISM will (in most cases) need to construct the corresponding probabilistic model, i.e. convert the PRISM model description to, for example, an MDP, DTMC, etc. During this process, PRISM computes the set of states in the model which are reachable from the initial states and the transition matrix which represents the model. +

    +

    Model construction is done automatically when you perform model checking. However, you may always want to explicitly ask PRISM to build the model in order to test for errors or to see how large the model is. From the GUI, you can do this by by selecting "Model | Build Model". If there are no errors during model construction, the number of states and transitions in the model will be displayed in the bottom left corner of the window. +

    +

    From the command-line, simply type: +

    +
    +
    +
    prism model.nm
    +
    +
    [$[Get Code]]
    +
    + +

    where model.nm is the name of the file containing the model description. +

    +

    For some types of models, notably PTAs, models are not constructed in this way (because the models are infinite-state). In these cases, analysis of the model is not performed until model checking is performed. +

    +

    +

    Deadlocks

    +

    You should be aware of the possibility of deadlock states (or deadlocks) in the model, +i.e. states which are reachable but from which there are no outgoing transitions. +PRISM will automatically search your model for deadlocks and, by default, +"fix" them by adding self-loops in these states. +Since deadlocks are sometimes caused by modelling errors, +PRISM will display a warning message in the log when deadlocks are fixed in this way. +

    +

    You can control whether deadlocks are automatically fixed in this way using the "Automatically fix deadlocks" option (or with command-line switches -nofixdl and -fixdl). When fixing is disabled, PRISM will report and error when the model contains deadlocks (this used to be the default behaviour in older versions of PRISM). +

    +

    If you have unwanted or unexpected deadlocks in your model, there are several ways you can detect then. Firstly, by disabling deadlock fixing (as described above), PRISM will display a list of deadlock states in the log. Alternatively, you can model check the filter property filter(print, "deadlock"), which has the safe effect. +

    +

    To find out how deadlocks occur, i.e. which paths through the model lead to a deadlock state, there are several possibilities. Firstly, you can model check the CTL property E[F "deadlock"]. When checked from the GUI, this will provide you with the option of display a path to a deadlock in the simulator. From the command-line, for example with: +

    +
    +
    +
    prism dice.pm -pf 'E[F "deadlock"]'
    +
    +
    [$[Get Code]]
    +
    + +

    a path to a deadlock will be displayed in the log. +

    +

    Finally, in the eventuality that the model is too large to be model checked, you can still use the simulator to search for deadlocks. This can be done either by manually generating random paths using the simulator in the GUI or, from the command-line, e.g. by running: +

    +
    +
    +
    prism dice.pm -simpath deadlock stdout
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Debugging Models With The Simulator

    +

    PRISM includes a simulator, a tool which can be used to generate sample paths (executions) through a PRISM model. From the GUI, the simulator allows you to explore a model by interactively generating such paths. This is particularly useful for debugging models during development and for running sanity checks on completed models. Paths can also be generated from the command-line. +

    +

    +

    Generating a path in the GUI

    +

    Once you have loaded a model into the PRISM GUI +(note that it is not necessary to build the model), +select the "Simulator" tab at the bottom of the main window. +You can now start a new path by double-clicking in the bottom half of the window +(or right-clicking and selecting "New path"). +If there are undefined constants in the +model (or in any currently loaded properties files) you will be prompted to give values for these. You +can also specify the state from which you wish to generate a path. By default, this is the initial state of +the model. +

    +

    The main portion of the user interface (the bottom part) displays a path through the currently loaded model. Initially, this will comprise just a single state. The table above shows the list of available transitions from this state. Double-click one of these to extend the path with this transition. The process can be repeated to extend the path in an interactive fashion. Clicking on any state in the current path shows the transition which was taken at this stage. Click on the final state in the path to continue +extending the path. Alternatively, clicking the "Simulate" button will select a transition randomly (according to the probabilities/rates of the available transitions). By changing the number in the box below this button, you can easily generate random paths of a given length with a single click. +There are also options (in the accompanying drop-down menu) to allow generation of paths up until a particular length or, for CTMCs, in terms of the time taken. +

    +

    The figure shows the simulator in action. +

    +

    The PRISM GUI: exploring a model using the simulator
    +

    It is also possible to: +

    +
    • backtrack to an earlier point in a path +
    • remove all of the states before some point in a path +
    • restart a path from its first state +
    • export a path to a text file +

    Notice that the table containing the path displays not just the value of each variable in each +state but also the time spent in that state and any rewards accumulated there. You can configure exactly which columns appear by right-clicking on the path and selecting "Configure view". For rewards (and for CTMC models, for the time-values), you can can opt to display the reward/time for each individual state and/or the cumulative total up until each point in the path. +

    +

    At the top-right of the interface, any labels contained in the currently loaded model/properties file are displayed, along with their value in the currently selected state of the path. In addition, the built-in labels "init" and "deadlock" are also included. Selecting a label from the list highlights all states in the current path which satisfy it. +

    +

    The other tabs in this panel allow the value of path operators (taken from properties in the current file) to be viewed for the current path, as well as various other statistics. +

    +

    Another very useful feature for some models is to use the "Plot new path" option from the simulator, which generates a plot of some/all of the variable/reward values for a particular randomly generated path through the model. +

    +

    +

    Path generation from the command-line

    +

    It is also possible to generate random paths through a model using the command-line version of PRISM. This is achieved using the -simpath switch, which requires two arguments, the first describing the path to be generated and the second specifying the file to which the path should be output (as usual, specifying stdout sends output to the terminal). The following examples illustrate the various ways of generating paths in this way: +

    +
    +
    +
    prism model.pm -simpath 10 path.txt
    +prism model.pm -simpath time=7.5 path.txt
    +prism model.pm -simpath deadlock path.txt
    +
    +
    [$[Get Code]]
    +
    + +

    These generate a path of 10 steps, a path of at least 7.5 time units and a path ending in deadlock, respectively. +

    +

    Here's an example of the output: +

    +
    +
    +
    prism poll2.sm -simpath 10 stdout
    +...
    +action step time s a s1 s2
    +- 0 0.0 1 0 0 0
    +[loop1a] 1 0.007479539729154247 2 0 0 0
    +[loop2a] 2 0.00782819795294666 1 0 0 0
    +[loop1a] 3 0.01570585559933703 2 0 0 0
    +[loop2a] 4 0.017061111948220263 1 0 0 0
    +[loop1a] 5 0.026816317516034468 2 0 0 0
    +[loop2a] 6 0.039878416276337814 1 0 0 0
    +[loop1a] 7 0.04456566315999103 2 0 0 0
    +[loop2a] 8 0.047368359683643765 1 0 0 0
    +[loop1a] 9 0.04934857366557349 2 0 0 0
    +[loop2a] 10 0.055031679365844674 1 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    This shows the sequence of states in the path, i.e. the values of the variables in each state. In the example above, there are 4 variables: s, a, s1 and s2. +The first three columns show the type of transition taken to reach that state, its index within the path (starting from 0) and the time at which it was entered. The latter is only shown for continuous time models. The type of the transition is written as [act] if action label act was taken, and as module1 if the module named module1 takes an unlabelled transition). +

    +

    Further options can also be appended to the first parameter. For example, option probs=true also displays the probability/rate associated with each transition. For example: +

    +
    +
    +
    prism poll2.sm -simpath '5,probs=true' stdout
    +...
    +action probability step time s a s1 s2
    +- - 0 0.0 1 0 0 0
    +[loop1a] 200.0 1 0.0011880118081395378 2 0 0 0
    +[loop2a] 200.0 2 0.0037798355025401888 1 0 0 0
    +[loop1a] 200.0 3 0.01029212322894221 2 0 0 0
    +[loop2a] 200.0 4 0.023258883912578403 1 0 0 0
    +[loop1a] 200.0 5 0.027402404026254504 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    In this example, the rate is 200.0 for all transitions. +To show the state/transition rewards for each step, use option rewards=true. +

    +

    If you are only interested in values of certain variables of your model, use the vars=(...) option. For example: +

    +
    +
    +
    prism poll2.sm -simpath '500,probs=true,vars=(a,s1,s2)' stdout
    +...
    +action probability step time a s1 s2
    +- - 0 0.0 0 0 0
    +station2 0.5 110 0.5025332771499665 0 0 1
    +[loop2b] 200.0 111 0.5109407735244359 1 0 1
    +[serve2] 1.0 112 0.9960642154887506 0 0 0
    +station1 0.5 130 1.0645858553472822 0 1 0
    +[loop1b] 200.0 132 1.0732572896618477 1 1 0
    +[serve1] 1.0 133 2.939742026148121 0 0 0
    +station2 0.5 225 3.4311507854807677 0 0 1
    +[loop2b] 200.0 227 3.434285492243098 1 0 1
    +[serve2] 1.0 228 3.553118276800078 0 0 0
    +station2 0.5 250 3.6354431222941406 0 0 1
    +[loop2b] 200.0 251 3.637552738997181 1 0 1
    +[serve2] 1.0 252 3.7343375346150576 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    Note the use of single quotes around the path description argument to prevent the shell from misinterpreting special characters such as "(". +

    +

    Notice also that the above only displays states in which the values of some variable of interest changes. This is achieved with the option changes=true, which is automatically enabled when you use vars=(...). If you want to see all steps of the path, add the option changes=false. +

    +

    An alternative way of viewing paths is to only display paths at certain fixed points in time. This is achieved with the snapshot=x option, where x is the time step. For example: +

    +
    +
    +
    prism poll2.sm -simpath 'time=5.0,snapshot=0.5' stdout
    +...
    +step time s a s1 s2
    +0 0.0 1 0 0 0
    +94 0.5 1 0 0 0
    +198 1.0 1 0 0 0
    +314 1.5 1 0 0 0
    +375 2.0 1 1 1 1
    +376 2.5 2 0 0 1
    +376 3.0 2 0 0 1
    +378 3.5 1 0 0 0
    +378 4.0 1 0 0 0
    +478 4.5 1 0 0 0
    +511 5.0 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use the sep=... option to specify the column separator. Possible values are space (the default), tab and comma. For example: +

    +
    +
    +
    prism poll2.sm -simpath '10,vars=(a,b),sep=comma' stdout
    +...
    +step,a,b,time
    +0,0,0,0.0
    +2,1,0,0.058443536856580006
    +3,1,1,0.09281024515535738
    +6,1,2,0.2556555786269585
    +7,1,3,0.284062896359802
    +8,1,4,1.1792064236954896
    +
    +
    [$[Get Code]]
    +
    + +

    When generating paths to a deadlock state, additional repeat=... option is available which will construct multiple paths until a deadlock is found. For example: +

    +
    +
    +
    prism model.sm -simpath 'deadlock,repeat=100' stdout
    +
    +
    [$[Get Code]]
    +
    + +

    By default, the simulator detects deterministic loops in paths (e.g. if a path reaches a state from which there is a just a single self-loop leaving that state) and stops generating the path any further. You can disable this behaviour with the loopcheck=false option. For example: +

    +
    +
    +
    prism dice.pm -simpath 10 stdout
    +...
    +Warning: Deterministic loop detected after 6 steps (use loopcheck=false option to extend path).
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 3
    +die 4 7 3
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    prism dice.pm -simpath 10,loopcheck=false stdout
    +...
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 2
    +die 4 7 2
    +die 5 7 2
    +die 6 7 2
    +die 7 7 2
    +die 8 7 2
    +die 9 7 2
    +die 10 7 2
    +
    +
    [$[Get Code]]
    +
    + +

    One final note: the -simpath switch only generates paths up to the maximum path length setting of the simulator (the default is 10,000). If you want to generate longer paths, either change the +default setting or override it temporarily from the command-line using the -simpathlen switch. +You might also use the latter to decrease the setting, +e.g. to look for a path leading to a deadlock state, +but only within 100 steps: +

    +
    +
    +
    prism model.sm -simpath deadlock stdout -simpathlen 100
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Exporting The Model

    +

    If required, once the model has been constructed, it can be exported, either for manual examination or for use in another tool. The following can all be exported: +

    +
    • the set of reachable states; +
    • the transition matrix; +
    • the state rewards vector(s); +
    • the transition rewards matrix (or matrices). +
    • labels (in the model or properties) and the states that satisfy them +

    Note that the last of these also provides a way to export information about initial states and deadlock states (via the built-in labels "init" and "deadlock"). +

    +

    From the GUI, use the "Model | Export" menu to export the data to a file or, for small models, use the "Model | View" menu to print the details directly to the log. For the case of labels, if you want to export labels from the properties file too, use the "Properties | Export labels" option, rather than the "Model | Export" one. +

    +

    From the command-line version of PRISM, use the following switches: +

    +
    • -exportstates <file> +
    • -exporttrans <file> +
    • -exportstaterewards <file> +
    • -exporttransrewards <file> +
    • -exportlabels <file> +

    or, as explained below, use the more convenient switch: +

    +
    • -exportmodel <files[:options]> +

    Replace <file> with stdout in any of the above to print the information to the terminal. +

    +

    The export command-line switches can be used in combination. For example: +

    +
    +
    +
    prism poll2.sm -exportstates poll2.sta -exporttrans poll2.tra
    +
    +
    [$[Get Code]]
    +
    + +

    exports both the state space and transition matrix. You can export both state and transition rewards using the -exportrewards switch. The following are equivalent: +

    +
    +
    +
    prism poll2.sm -exportrewards poll2.srew poll2.trew
    +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
    +
    +
    [$[Get Code]]
    +
    + +

    When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI). +

    +

    You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to out.tra and out.sta, respectively. If you omit the file basename (out in this case), then the basename of the model file (poll2 in this case) is used. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel .tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to poll2.tra and poll2.sta. +

    +

    Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.srew (state rewards), +.trew (transition rewards), +.lab (labels). +You can use the shorthand .all to export everything, and .rew to export both state and transition rewards. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.all
    +prism poll2.sm -exportmodel .all
    +
    +
    [$[Get Code]]
    +
    + +

    creates multiple files of the form out.* or poll2.*, respectively. +

    +

    As mentioned above, you can always use stdout instead of a filename. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel stdout.all
    +
    +
    [$[Get Code]]
    +
    + +

    is a quick way to print all details (of a small model) to the terminal. +

    +

    Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +in Dot format which allows easy graphical visualisation of the model: +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    Export options

    +

    When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

    +

    Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list: +

    +
    • mrmc - export data in MRMC format +
    • matlab - export data in Matlab format +
    • rows - export matrices with one row/distribution on each line +
    • ordered - output states indices in ascending order [default] +
    • unordered - don't output states indices in ascending order +
    • proplabels - also export labels from the properties file +

    An example is: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,out.trew:matlab,unordered
    +
    +
    [$[Get Code]]
    +
    + +

    By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>. +

    +

    +

    File formats

    +

    By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. +As mentioned above, by convention, we use file extensions +.sta (for states files), .tra (for transitions files), +.srew and .trew (for state/transition rewards files) +and .lab (for labels). +

    +

    Alternatively, it is possible to export this information as Matlab code +(a .m file) or in a format suitable for import into the MRMC tool. Select the appropriate menu item when using the GUI, or add the command-line switches: +

    +
    • -exportmatlab +
    • -exportmrmc +

    or, as described earlier, pass options to the -exportmodel switch. +

    +

    There is no specific MRMC format for labels, so these are exported as plain text in this case. +

    +

    There is some additional export functionality available only from the command-line. +

    +

    Firstly, when outputting matrices for DTMCs or CTMCs, it is possible to request that PRISM does not sort the rows of the matrix, +as is normally the case. This is achieved with the switch: +

    +
    • -exportunordered +

    The reason for this is that in this case PRISM does not need to construct an explicit version of the model in memory and the process can thus be performed with reduced memory consumption. +

    +

    Secondly, there is a switch: +

    +
    • -exportrows +

    which provides an alternative output format for transition matrices where the elements of each row of the matrix (i.e. the transitions from a state/choice) are grouped on the same line. This can be particularly helpful for viewing the matrix for MDPs. The file format is shown here. +

    +

    +

    Graphical model export

    +

    The transition matrix of the model can also be exported in Dot format, +which allows easy graphical visualisation of the graph structure of the model. +You can optionally request that state descriptions are added to each state of graph; if not, states are labelled with integer indices that can be cross-referenced with the list of reachable states. +

    +

    Use the menu entries under "Model | Export | Transition matrix" from the GUI or command-line switches: +

    +
    • -exporttransdot <file> +
    • -exporttransdotstates <file> +

    As mentioned above, for the latter, the following is equivalent (and easier to remember): +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    +

    Exporting (B)SCCs and end components

    +

    It is also possible to export the set of (bottom) strongly connected components (SCCs or BSCCs) for a model. This can only be done from the command-line currently. Use, for example: +

    +
    +
    +
    prism poll2.sm -exportsccs stdout
    +prism poll2.sm -exportbsccs stdout
    +
    +
    [$[Get Code]]
    +
    + +

    For an MDP, you can also export the set of maximal end components (MECs): +

    +
    +
    +
    prism mdp.nm -exportmecs stdout
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Model Checking

    +

    Typically, once a model has been constructed, it is analysed through model checking. +Properties are specified as described in the "Property Specification" section, +and are usually kept in files with extensions .props, .pctl or .csl. +There are properties files accompanying most of the sample PRISM models in the prism-examples directory. +

    +

    +

    GUI

    +

    To load a file containing properties into the GUI, select menu option "Properties | Open properties list". +The file can only be loaded if there are no errors, otherwise an error is displayed. +Note that it may be necessary to have loaded the corresponding model first, +since the properties will probably make reference to variables (and perhaps constants) declared in the model file. +Once loaded, the properties contained in the file are displayed in a list in the "Properties" tab of the GUI. +Constants and labels are displayed in separate lists below. +You can modify or create new properties, constants and labels from the GUI, +by right-clicking on the appropriate list and selecting from the pop-up menu which appears. Properties with errors are shaded red and marked with a warning sign. +Positioning the mouse pointer over the property displays the corresponding error message. +

    +

    The pop-up menu for the properties list also contains a "Verify" option, +which allows you instruct PRISM to model check the currently selected properties +(hold down Ctrl/Cmd to select more than one property simultaneously). +All properties can be model checked at once by selecting "Verify all". +PRISM verifies each property individually. +Upon completion, the icon next to the property changes according to the result of model checking. For Boolean-valued properties, a result of true or false is indicated by a green tick or red cross, respectively. For properties which have a numerical result (e.g. P=? [ ...]), position the mouse pointer over the property to view the result. +In addition, this and further information about model checking is displayed in the log in the "Log" tab. +

    +

    +

    Command-line

    +

    From the command-line, model checking is achieved by passing both a model file and a properties file as arguments, e.g.: +

    +
    +
    +
    prism poll2.sm poll.csl
    +
    +
    [$[Get Code]]
    +
    + +

    The results of model checking are sent to the display and are as described above for the GUI version. +By default, all properties in the file are checked. +To model check only a single property, use the -prop switch. +For example, to check only the fourth property in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4
    +
    +
    [$[Get Code]]
    +
    + +

    or to check only the property with name "safe" in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop safe
    +
    +
    [$[Get Code]]
    +
    + +

    You can also provide a comma-separated list of multiple properties to check, +using neither numerical indices or property names: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4,5,safe
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, the contents of a properties file can be specified directly from the command-line, using the -pf switch: +

    +
    +
    +
    prism poll2.sm -pf 'P>=0.5 [ true U<=5 (s=1 & a=0) ]'
    +
    +
    [$[Get Code]]
    +
    + +

    The switches -pctl and -csl are aliases for -pf. +

    +

    Note the use of single quotes ('...') to avoid characters such as +( and > being interpreted by the command-line shell. +Single quotes are preferable to double quotes since PRISM properties often include double quotes, e.g. for references to labels or properties. +

    +

    Approximate Model Checking

    +

    The discrete-event simulator built into PRISM (see the section "Debugging Models With The Simulator") can also be used to generate approximate results for PRISM properties, a technique often called statistical model checking. Essentially, this is achieved by sampling: generating a large number of random paths through the model, evaluating the result of the given properties on each run, and using this information to generate an approximately correct result. This approach is particularly useful on very large models when normal model checking is infeasible. This is because discrete-event simulation is performed using the PRISM language model description, without explicitly constructing the corresponding probabilistic model. +

    +

    Currently, statistical model checking can only be applied to P or R operators +and does not support LTL-style path properties or filters. +There are also a few restrictions on the modelling language features that can be used; see below for details. +

    +

    To use this functionality, load a model and some properties into PRISM, as described in the previous sections. To generate an approximate value for one or more properties, select them in the list, right-click and select "Simulate" (as opposed to "Verify"). As usual, it is first necessary to provide values for any undefined constants. Subsequently, a dialog appears. Here, the state from which approximate values are to be computed (i.e. from which the paths will be generated) can be selected. By default, this is the initial state of the model. The other settings in the dialog concern the methods used for simulation. +

    +

    PRISM supports four different methods for performing statistical model checking: +

    +
    • CI (Confidence Interval) +
    • ACI (Asymptotic Confidence Interval) +
    • APMC (Approximate Probabilistic Model Checking) +
    • SPRT (Sequential Probability Ratio Test) +

    The first three of these are intended primarily for "quantitative" properties (e.g. of the form P=?[...]), but can also be used for "bounded" properties (e.g. of the form P<p[...]). The SPRT method is only applicable to "bounded" properties. +

    +

    Each method has several parameters that control its execution, i.e. the number of samples that are generated and the accuracy of the computed approximation. In most cases, these parameters are inter-related so one of them must be left unspecified and its value computed automatically based on the others. In some cases, this is done before simulation; in others, it must be done afterwards. +

    +

    Below, we describe each method in more detail. +For simplicity, we describe the case of checking a P operator. +Details for the case of an R operator can be found in [Nim10]. +

    +

    CI (Confidence Interval) Method

    +

    The CI method gives a confidence interval for the approximate value generated for a P=? property, based on a given confidence level and the number of samples generated. +The parameters of the method are: +

    +
    • "Width" (w) +
    • "Confidence" (alpha) +
    • "Number of samples" (N) +

    Let X denote the true result of the query P=?[...] and Y the approximation generated. +The confidence interval is [Y-w,Y+w], i.e. w gives the half-width of the interval. +The confidence level, which is usually stated as a percentage, is 100(1-alpha)%. +This means that the actual value X should fall into the confidence interval [Y-w,Y+w] 100(1-alpha)% of the time. +

    +

    To determine, for example, the width w for given alpha and N, +we use w = q * sqrt(v / N) where +q is a quantile, for probability 1-alpha/2, from the Student's t-distribution with N-1 degrees of freedom and v is (an estimation of) the variance for X. +Similarly, we can determine the required number of iterations, from w and alpha, +as N = (v * q2)/w2, where q and v are as before. +

    +

    For a bounded property P~p[...], the (Boolean) result is determined according to the generated approximation for the probability. This is not the case, however, if the threshold p falls within the confidence interval [Y-w,Y+w], in which case no value is returned. +

    +

    ACI (Asymptotic Confidence Interval) Method

    +

    The ACI method works in exactly same fashion as the CI method, except that it uses the Normal distribution to approximate the Student's t-distribution when determining the confidence interval. This is appropriate when the number of samples is large (because we can get a reliable estimation of the variance from the samples) but may be less accurate for small numbers of samples. +

    +

    APMC (Approximate Probabilistic Model Checking) Method

    +

    The APMC method, based on [HLMP04], offers a probabilistic guarantee on the accuracy of the approximate value generated for a P=? property, based on the Chernoff-Hoeffding bound. +The parameters of the method are: +

    +
    • "Approximation" (epsilon) +
    • "Confidence" (delta) +
    • "Number of samples" (N) +

    Letting X denote the true result of the query P=?[...] and Y the approximation generated, we have: +

    +
    • Prob(|Y-X| > epsilon) < delta +

    where the parameters are related as follows: +N = ln(2/delta) / 2epsilon2. +This imposes certain restrictions on the parameters, +namely that N(epsilon2) ≥ ln(2)/2. +

    +

    In similar fashion to the CI/ACI methods, the APMC method can be also be used for bounded properties such as P~p[...], as long as the threshold p falls outside the interval [Y-epsilon,Y+epsilon]. +

    +

    SPRT (Sequential Probability Ratio Test) Method

    +

    The SPRT method is specifically for bounded properties, such as P~p[...] and is based on acceptance sampling techniques [YS02]. It uses Wald's sequential probability ratio test (SPRT), which generates a succession of samples, deciding on-the-fly when an answer can be given with a sufficiently high confidence. +

    +

    The parameters of the method are: +

    +
    • "Indifference" (delta) +
    • "Type I/II error" (alpha/beta) +

    Consider a property of the form P≥p[...]. The parameter delta is used as the half-width of an indifference region [p-delta,p+delta]. PRISM will attempt to determine whether either the hypothesis P≥(p+delta)[...] or P≤(p-delta)[...] is true, based on which it will return either true or false, respectively. The parameters alpha and beta represent the probability of the occurrence of a type I error (wrongly accepting the first hypothesis) and a type II error (wrongly accepting the second hypothesis), respectively. For simplicity, PRISM assigns the same value to both alpha and beta. +

    +

    Maximum Path Length

    +

    Another setting that can be configured from the "Simulation Parameters" dialog is the maximum length of paths generated by PRISM during statistical model checking. In order to perform statistical model checking, PRISM needs to evaluate the property being checked along every generated path. For example, when checking P=? [ F<=10 "end" ], PRISM must check whether F<=10 "end" is true for each path. On this example (assuming a discrete-time model), this can always be done within the first 10 steps. For a property such as P=? [ F "end" ], however, there may be paths along which no finite fragment can show F "end" to be true or false. So, PRISM imposes a maximum path length to avoid the need to generate excessively long (or infinite) paths. +The default maximum length is 10,000 steps. +If, for a given property, statistical model checking results in one or more paths on which the property can be evaluated, an error is reported. +

    +

    Command-line Statistical Model Checking

    +

    Statistical model checking can also be enabled from the command-line version of PRISM, by including the -sim switch. The default methods used are CI (Confidence Interval) for "quantitative" properties and SPRT (Sequential Probability Ratio Test) for "bounded" properties. To select a particular method, use switch -simmethod <method> where <method> is one of ci, aci, apmc and sprt. For example: +

    +
    +
    +
    prism model.pm model.pctl -prop 1 -sim -simmethod aci
    +
    +
    [$[Get Code]]
    +
    + +

    PRISM has default values for the various simulation method parameters, but these can also be specified using the switches -simsamples, -simconf, -simwidth and -simapprox. The exact meaning of these switches for each simulation method is given in the table below. +

    +
    + + + + + +
     CIACIAPMCSPRT
    -simsamples"Num. samples""Num. samples""Num. samples"n/a
    -simconf"Confidence""Confidence""Confidence""Type I/II error"
    -simwidth"Width""Width"n/a"Indifference"
    -simapproxn/an/a"Approximation"n/a
    +

    The maximum length of simulation paths is set with switch -simpathlen. +

    +

    Limitations

    +

    Currently, the simulator does not support every part of the PRISM modelling languages. For example, it does not handle models with multiple initial states or with system...endsystem definitions. +

    +

    It is also worth pointing out that statistical model checking techniques are not well suited to models that exhibit nondeterminism, such as MDPs. This because the techniques rely on generation of random paths, which are not well defined for a MDP. PRISM does allow statistical model checking to be performed on an MDP, but does so by simply resolving nondeterministic choices in a (uniformly) random fashion (and displaying a warning message). Currently PTAs are not supported by the simulator. +

    +

    Computing Steady-state And Transient Probabilities

    +

    If the model is a CTMC or DTMC, it is possible to compute corresponding vectors of +steady-state or transient probabilities directly +(rather than indirectly by analysing a property which requires their computation). +From the GUI, select an option from the "Model | Compute" menu. +For transient probabilities, you will be asked to supply the +time value for which you wish to compute probabilities. +From the command-line, add the -steadystate (or -ss) switch: +

    +
    +
    +
    prism poll2.sm -ss
    +
    +
    [$[Get Code]]
    +
    + +

    for steady-state probabilities or the -transient (or -tr) switch: +

    +
    +
    +
    prism poll2.sm -tr 2.0
    +
    +
    [$[Get Code]]
    +
    + +

    for transient probabilities, again specifying a time value in the latter case. +The probabilities are computed for all states of the model and displayed, +either on the screen (from the command-line) or in the log (from the GUI). +

    +

    To instead export the vector of computed probabilities to a file, use the "Model | Compute/export" option from the GUI, or the -exportsteadystate (or -exportss) and -exporttransient (or -exporttr) switches from the command-line: +

    +
    +
    +
    prism poll2.sm -ss -exportss poll2-ss.txt
    +prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    From the command-line, you can request that the probability vectors exported are in Matlab format by adding the -exportmatlab switch. +

    +

    Initial probability distributions

    +

    By default, for both steady-state and transient probability computation, +PRISM assumes that the initial probability distribution of the model is +an equiprobable choice over the set of initial states. +You can override this and provide a specific initial distribution. This is done using the -importinitdist switch. The format for this imported distribution is identical to the ones exported by PRISM, i.e. simply a list of probabilities for all states separated by new lines. For example, this: +

    +
    +
    +
    prism poll2.sm -tr 1.0 -exporttr poll2-tr1.txt
    +prism poll2.sm -tr 1.0 -importinitdist poll2-tr1.txt -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    is (essentially) equivalent to this: +

    +
    +
    +
    prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    Ranges of time values

    +

    Finally, you can compute transient probabilities for a range of time values, e.g.: +

    +
    +
    +
    prism poll2.sm -tr 0.1:0.01:0.2
    +
    +
    [$[Get Code]]
    +
    + +

    which computes transient probabilities for the time points 0.1, 0.11, 0.12, .., 0.2. In this case, the computation is done incrementally, with probabilities for each time point being computed from the previous point for efficiency. +

    +

    Experiments

    +

    PRISM supports experiments, which is a way of automating multiple instances of model checking. +This is done by leaving one or more constants undefined, e.g.: +

    +
    +
    +
    const int N;
    +const double T;
    +
    +
    [$[Get Code]]
    +
    + +

    This can be done for constants in the model file, the properties file, or both. +Before any verification can be performed, values must be provided for any such constants. In the GUI, a dialog appears in which the user is required to enter values. From the command line, the -const switch must be used, e.g.: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9
    +
    +
    [$[Get Code]]
    +
    + +

    To run an experiment, provide a range of values for one or more of the constants. Model checking will be performed for all combinations of the constant values provided. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4:6,T=60:10:100
    +
    +
    [$[Get Code]]
    +
    + +

    where N=4:6 means that values of 4,5 and 6 are used for N, +and T=60:10:100 means that values of 60, 70, 80, 90 and 100 (i.e. steps of 10) are used for T. +

    +

    For convenience, constant specifications can be split across separate instances of the -const switch, if desired. +You can also specify double-valued constants as fractions rather than decimals. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9 -const p=1/3
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, the same thing can be achieved by selecting a single property, +right clicking on it and selecting "New experiment" +(or alternatively using the popup menu in the "Experiments" panel). +Values or ranges for each undefined constant can then be supplied in the resulting dialog. +Details of the new experiment and its progress are shown in the panel. +To stop the experiment before it has completed, click the red "Stop" button and it will +halt after finishing the current iteration of model checking. +Once the experiment has finished, right clicking on the experiment produces a pop-up menu, +from which you can view the results of the experiment or export them to a file. +

    +

    For experiments based on properties which return numerical results, you can also use the GUI to plot graphs of the results. +This can be done either before the experiment starts, by selecting the "Create graph" tick-box in the dialog used to create the experiment +(in fact this box is ticked by default), or after the experiment's completion, by choosing "Plot results" from the pop-up menu on the experiment. +A dialog appears, where you can choose which constant (if there are more than one) to use for the x-axis of the graph, +and for which values of any other constants the results should be plotted. +The graph will appear in the panel below the list of experiments. +Right clicking on a graph and selecting "Graph options" brings up a dialog from which many properties of the graph can be configured. +From the pop-up menu of a graph, you can also choose to print the graph (to a printer or Postscript file) +or export it in a variety of formats: +as an image (PNG or JPEG), +as an encapsulated Postscript file (EPS), +in an XML-based format (for reloading back into PRISM), +or as code which can be used to generate the graph in Matlab. +

    +

    Approximate computation of quantitive results obtained with the simulator can also be used on experiments. In the GUI, select the "Use Simulation" option when defining the parameters for the experiment. From the command-line, just add the -sim switch as usual. +

    +

    +

    Exporting results

    +

    You can export all the results from an experiment to a file or to the screen. From the command-line, use the -exportresults switch, for example: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt
    +
    +
    [$[Get Code]]
    +
    + +

    to send to output file res.txt, or: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults stdout
    +
    +
    [$[Get Code]]
    +
    + +

    to send the results straight to the screen. From the GUI, right click on the experiment and select "Export results". +

    +

    The default behaviour is to export a list of results in text form, using tabs to separate items. The above examples produce: +

    +
    +
    +
    N       T       Result
    +4       0       0.0
    +4       10      4.707364688019771E-6
    +4       20      1.3126420636755292E-5
    +5       0       0.0
    +5       10      3.267731327728599E-6
    +5       20      8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    You can change the format in which the results are exported by appending one or more comma-separated options to the end of the -exportresults switch, for example to export in CSV (comma-separated values) format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N, T, Result
    +4, 0, 0.0
    +4, 10, 4.707364688019771E-6
    +4, 20, 1.3126420636755292E-5
    +5, 0, 0.0
    +5, 10, 3.267731327728599E-6
    +5, 20, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    or in DataFrame format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]
    +
    + +

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. +This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    "N\T"
    +, 0.0, 10.0, 20.0
    +4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    +5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    The matrix option is also available in normal (non-CSV) mode. +

    +

    You can also export results in the form of comments, used by PRISM's regression testing functionality: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    // RESULT (N=4,T=0): 0.0
    +// RESULT (N=4,T=10): 4.707364688019771E-6
    +// RESULT (N=4,T=20): 1.3126420636755292E-5
    +// RESULT (N=5,T=0): 0.0
    +// RESULT (N=5,T=10): 3.267731327728599E-6
    +// RESULT (N=5,T=20): 8.343575060356386E-6
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. +This exports the results for all states of the model +(typically, the log just displays the result for the initial state, unless a filter has been used) +to the the file file. +

    +

    Strategies

    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property: +

    +
    +
    +
    Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated. +

    +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future. +

    +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    +
    + +

    A full list of available options is as follows: +

    +
    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches. +

    +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. +

    +

    Support For PEPA Models

    +

    For CTMCs, PRISM also accepts model descriptions in the stochastic process algebra PEPA [Hil96]. +The tool compiles such descriptions into the PRISM language and then constructs the model as normal. +The language accepted by the PEPA to PRISM compiler is actually a subset of PEPA. +The restrictions applied to the language are firstly that component identifiers can only be bound to sequential components +(formed using prefix and choice and references to other sequential components only). +Secondly, each local state of a sequential component must be named. For example, we would rewrite: +

    +
    • P = (a,r).(b,s).P; +

    as: +

    +
    • P = (a,r).P'; +
    • P' = (b,s).P; +

    Finally, active/active synchronisations are not allowed since the PRISM +definition of these differs from the PEPA definition. Every PEPA +synchronisation must have exactly one active component. +Some examples of PEPA model descriptions which can be imported into PRISM +can be found in the prism-examples/pepa directory. +

    +

    From the command-line version of PRISM, add the -importpepa switch and the model will be treated as a PEPA description. +From the GUI, select "Model | Open model" and then choose "PEPA models" +on the "Files of type" drop-down menu. +Alternatively, select "Model | New | PEPA model" and either type a description from scratch +or paste in an existing one from elsewhere. +Once the PEPA model has been successfully parsed by PRISM, +you can view the corresponding PRISM code (as generated by the PEPA-to-PRISM compiler) +by selecting menu option "Model | View | Parsed PRISM model". +

    +

    Support For SBML

    +

    PRISM includes a (prototype) tool to translate specifications in SBML (Systems Biology Markup Language) to model descriptions in the PRISM language. SBML is an XML-based format for representing models of biochemical reaction networks. The translator currently works with Level 2 Version 1 of the SBML specification, details of which can be found here. +

    +

    Since PRISM is a tool for analysing discrete-state systems, the translator is designed for SBML files intended for discrete stochastic simulation. A useful set of such files can be found in the CaliBayes Discrete Stochastic Model Test Suite. There are also many more SBML files available in the BioModels Database. +

    +

    We first give a simple example of an SBML file and its PRISM translation. We then give some more precise details of the translation process. +

    +

    Example

    +

    An SBML file comprises a set of species and a set of reactions which they undergo. Below is the SBML file for the simple reversible reaction: Na + Cl ↔ Na+ + Cl-, where there are initially 100 Na and Cl atoms and no ions, and the base rates for the forwards and backwards reactions are 100 and 10, respectively. +

    +
    +
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>
    +
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>
    +
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>
    +
    </model>
    +</sbml>
    +
    [$[Get Code]]
    +
    + +

    And here is the resulting PRISM code: +

    +
    +
    +
    // File generated by automatic SBML-to-PRISM conversion
    +// Original SBML file: nacl.xml
    +
    +ctmc
    +
    +const int MAX_AMOUNT = 100;
    +
    +// Parameters for reaction forwards
    +const double forwards_rate = 100; // forwards_rate
    +
    +// Parameters for reaction backwards
    +const double backwards_rate = 10; // backwards_rate
    +
    +// Species na
    +const int na_MAX = MAX_AMOUNT;
    +module na
    +
    + na : [0..na_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] na > 0 -> (na'=na-1);
    + // backwards
    + [backwards]  na <= na_MAX-1 -> (na'=na+1);
    +
    +endmodule
    +
    +// Species cl
    +const int cl_MAX = MAX_AMOUNT;
    +module cl
    +
    + cl : [0..cl_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] cl > 0 -> (cl'=cl-1);
    + // backwards
    + [backwards]  cl <= cl_MAX-1 -> (cl'=cl+1);
    +
    +endmodule
    +
    +// Species na_plus
    +const int na_plus_MAX = MAX_AMOUNT;
    +module na_plus
    +
    + na_plus : [0..na_plus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  na_plus <= na_plus_MAX-1 -> (na_plus'=na_plus+1);
    + // backwards
    + [backwards] na_plus > 0 -> (na_plus'=na_plus-1);
    +
    +endmodule
    +
    +// Species cl_minus
    +const int cl_minus_MAX = MAX_AMOUNT;
    +module cl_minus
    +
    + cl_minus : [0..cl_minus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  cl_minus <= cl_minus_MAX-1 -> (cl_minus'=cl_minus+1);
    + // backwards
    + [backwards] cl_minus > 0 -> (cl_minus'=cl_minus-1);
    +
    +endmodule
    +
    +// Reaction rates
    +module reaction_rates
    +
    + // forwards
    + [forwards] (forwards_rate*(na*cl)) > 0 -> (forwards_rate*(na*cl)) : true;
    + // backwards
    + [backwards] (backwards_rate*(na_plus*cl_minus)) > 0 -> (backwards_rate*(na_plus*cl_minus)) : true;
    +
    +endmodule
    +
    +// Reward structures (one per species)
    +
    +// 1
    +rewards "na" true : na; endrewards
    +// 2
    +rewards "cl" true : cl; endrewards
    +// 3
    +rewards "na_plus" true : na_plus; endrewards
    +// 4
    +rewards "cl_minus" true : cl_minus; endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator): +

    +

    Expected amount of Na/Na+ at time T
    +
    +

    Using the translator

    +

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself. +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    If you are using a binary (rather than source code) distribution of PRISM, replace classes with lib/prism.jar in the above. +

    +

    Alternatively (on Linux or Mac OS X), ensure prism is in your path and then save the script below as an executable file called sbml2prism: +

    +
    +
    +
    #!/bin/sh
    +
    +# Startup script for SBML-to-PRISM translator
    +
    +# Launch using main PRISM script
    +PRISM_MAINCLASS="prism.SBML2Prism"
    +export PRISM_MAINCLASS
    +prism "$@"
    +
    [$[Get Code]]
    +
    + +

    Then use: +

    +
    +
    +
    sbml2prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    The following PRISM properties file will also be useful: +

    +
    +
    +
    const double T;
    +const int c;
    +
    +R{c}=? [I=T]
    +
    +
    [$[Get Code]]
    +
    + +

    This contains a single property which, based on the reward structures in the PRISM model generated by the translator, means "the expected amount of species c at time T". The constant c is an integer index which can range between 1 and N, where N is the number of species in the model. To view the expected amount of each species over time, create an experiment in PRISM which varies c from 1 to N and T over the desired time range. +

    +
    +

    Details of the translation

    +

    The basic structure of the translation process is as follows: +

    +
    • Each species in the SBML file is represented by a module in the resulting PRISM file. This module, which (where possible) retains the SBML species id as its name, contains a single variable whose value represents the amount of the species present. A corresponding reward structure for computing the expected amount of the species at a given time instant is also created. Species for which the boundaryCondition flag is set to true in the SBML file do not have a corresponding module. +
    • Each reaction in the SBML file is associated with a unique synchronisation action label. The module for each species which takes part in the reaction will include a synchronous command to represent this. An additional PRISM module called reaction_rates stores the expression representing the rate of each reaction (from the corresponding kineticLaw section in the SBML file). Reaction stoichiometry information is respected but must be provided in the scalar stoichiometry field of a speciesReference element, not in a separate StoichiometryMath element. +
    • Each parameter in the SBML file, either global to the file or specific to a reaction, becomes a constant in the PRISM file. If a value for this parameter is given, it used. If not, the constant is left as undefined. +

    As described above, this translation process is designed for discrete systems and so the amount of each species in the model is represented by an integer variable. It is therefore assumed that the initial amount for each species specified in the SBML file is also given as an integer. If this is not the case, then the values will need to be scaled accordingly first. +

    +

    Furthermore, since PRISM is primarily a model checking (rather than simulation) tool, it is important that the amount of each species also has an upper bound (to ensure a finite state space). When model checking, the efficiency (or even feasibility) of the process is likely to be very sensitive to the upper bound(s) chosen. When using the discrete-event simulation functionality of PRISM, this is not the case and the bounds can can be set much higher. By default the translator uses an upper bound of 100 (which is increased if the initial amount exceeds this). A different value can specified through a second command-line argument as follows: +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml 1000 > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, upper bounds can be modified manually after the translation process. +

    +

    Finally, The following aspects of SBML files are not currently supported and are ignored during the translation process: +

    +
    • compartments +
    • events/triggers +
    +

    Explicit Model Import

    +

    It is also possible to construct models in PRISM through direct specification of their transition matrix. +The format in which this information is input to the tool is exactly the same as is currently output +(see the section "Exporting The Model" and the appendix "Explicit Model Files"). +Presently, this functionality is only supported in the command-line version of the tool, using the -importtrans switch (and more convenient -importmodel; see below). +PRISM makes some attempt to discern the model type from the format of the input files, +but if this does not work, the model type can be overwritten using the -dtmc, -ctmc and -mdp switches. +For example: +

    +
    +
    +
    prism -importtrans poll2.tra -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    Please note that this method of constructing models in PRISM is typically less efficient than using the PRISM language. +This is because PRISM is (primarily) a symbolic model checker and the underlying data structures used to represent the model +function better when there is high-level structure and regularity to exploit. +This situation can be alleviated to a certain extent by importing not just a transition matrix, +but also a definition of each state of the model in terms of a set of variables. +The format of this information is again identical to PRISM's current output format, using the -exportstates switch. +The following example shows how PRISM could be used to build, export and then re-import a model +(not a good strategy in general): +

    +
    +
    +
    prism poll2.sm -exporttrans poll2.tra -exportstates poll2.sta
    +prism -importtrans poll2.tra -importstates poll2.sta -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can also import label information using the switch -importlabels, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    where the labels file (poll2.lab above) is in the format generated by the -exportlabels export option of PRISM. +

    +

    In particular, since details about the initial state(s) of a model are not preserved in the files output from -exportstates and -exporttrans, but are included in the labels file, +-importlabels should also be used to designate a particular initial state for a model. +If not, the default is to assume a single initial state, in which all variables take their minimum value +(if -importstates is not used, the model has a a single zero-indexed variable x, and the initial state is x=0). +

    +

    Lastly, state (but currently not transition) rewards can also be imported, using the -importstaterewards switch, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -importstaterewards poll2.srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above: +

    +
    +
    +
    prism -importmodel poll2.tra,sta,lab,srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    The contents of each file is determined by its extension: +Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.lab (labels), +.srew (state rewards). +

    +

    Use the extension .all to import from all of these files: +

    +
    +
    +
    prism -importmodel poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/RunningPRISM/ApproximateModelChecking.html b/manual/RunningPRISM/ApproximateModelChecking.html index 5d65af31fd..19c87024af 100644 --- a/manual/RunningPRISM/ApproximateModelChecking.html +++ b/manual/RunningPRISM/ApproximateModelChecking.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / StatisticalModelChecking +PRISM Manual | Running PRISM / Statistical Model Checking - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -203,6 +337,12 @@ @@ -211,6 +351,13 @@
    + +
    @@ -227,7 +374,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -239,5 +386,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities.html b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities.html index 4223244b75..13c9c986f1 100644 --- a/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities.html +++ b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / ComputingSteady-stateAndTransientProbabilities +PRISM Manual | Running PRISM / Computing Steady-state And Transient Probabilities - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -176,6 +310,12 @@ @@ -184,6 +324,13 @@
    + +
    @@ -200,7 +347,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -212,5 +359,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=edit.html b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=edit.html new file mode 100644 index 0000000000..2c9a69ebe9 --- /dev/null +++ b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Computing Steady-state And Transient Probabilities | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Computing Steady-state And Transient Probabilities

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=login.html b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=login.html new file mode 100644 index 0000000000..1860bc8f06 --- /dev/null +++ b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Computing Steady-state And Transient Probabilities | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Computing Steady-state And Transient Probabilities

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=print.html b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=print.html new file mode 100644 index 0000000000..c376791c27 --- /dev/null +++ b/manual/RunningPRISM/ComputingSteady-stateAndTransientProbabilities@action=print.html @@ -0,0 +1,182 @@ + + + + + + +PRISM Manual | RunningPRISM / ComputingSteady-stateAndTransientProbabilities + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Computing Steady-state And Transient Probabilities

    + + +
    +

    If the model is a CTMC or DTMC, it is possible to compute corresponding vectors of +steady-state or transient probabilities directly +(rather than indirectly by analysing a property which requires their computation). +From the GUI, select an option from the "Model | Compute" menu. +For transient probabilities, you will be asked to supply the +time value for which you wish to compute probabilities. +From the command-line, add the -steadystate (or -ss) switch: +

    +
    +
    +
    prism poll2.sm -ss
    +
    +
    [$[Get Code]]
    +
    + +

    for steady-state probabilities or the -transient (or -tr) switch: +

    +
    +
    +
    prism poll2.sm -tr 2.0
    +
    +
    [$[Get Code]]
    +
    + +

    for transient probabilities, again specifying a time value in the latter case. +The probabilities are computed for all states of the model and displayed, +either on the screen (from the command-line) or in the log (from the GUI). +

    +

    To instead export the vector of computed probabilities to a file, use the "Model | Compute/export" option from the GUI, or the -exportsteadystate (or -exportss) and -exporttransient (or -exporttr) switches from the command-line: +

    +
    +
    +
    prism poll2.sm -ss -exportss poll2-ss.txt
    +prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    From the command-line, you can request that the probability vectors exported are in Matlab format by adding the -exportmatlab switch. +

    +

    Initial probability distributions

    +

    By default, for both steady-state and transient probability computation, +PRISM assumes that the initial probability distribution of the model is +an equiprobable choice over the set of initial states. +You can override this and provide a specific initial distribution. This is done using the -importinitdist switch. The format for this imported distribution is identical to the ones exported by PRISM, i.e. simply a list of probabilities for all states separated by new lines. For example, this: +

    +
    +
    +
    prism poll2.sm -tr 1.0 -exporttr poll2-tr1.txt
    +prism poll2.sm -tr 1.0 -importinitdist poll2-tr1.txt -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    is (essentially) equivalent to this: +

    +
    +
    +
    prism poll2.sm -tr 2.0 -exporttr poll2-tr2.txt
    +
    +
    [$[Get Code]]
    +
    + +

    Ranges of time values

    +

    Finally, you can compute transient probabilities for a range of time values, e.g.: +

    +
    +
    +
    prism poll2.sm -tr 0.1:0.01:0.2
    +
    +
    [$[Get Code]]
    +
    + +

    which computes transient probabilities for the time points 0.1, 0.11, 0.12, .., 0.2. In this case, the computation is done incrementally, with probabilities for each time point being computed from the previous point for efficiency. +

    +
    + + + + diff --git a/manual/RunningPRISM/DebuggingModelsWithTheSimulator.html b/manual/RunningPRISM/DebuggingModelsWithTheSimulator.html index 1a8faeb7ca..2edd8b3a46 100644 --- a/manual/RunningPRISM/DebuggingModelsWithTheSimulator.html +++ b/manual/RunningPRISM/DebuggingModelsWithTheSimulator.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / DebuggingModelsWithTheSimulator +PRISM Manual | Running PRISM / Debugging Models With The Simulator - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -116,7 +250,7 @@

    The figure shows the simulator in action.

    -

    The PRISM GUI: exploring a model using the simulator
    +

    The PRISM GUI: exploring a model using the simulator

    It is also possible to:

    • backtrack to an earlier point in a path @@ -323,6 +457,12 @@ @@ -331,6 +471,13 @@
    + +
    @@ -347,7 +494,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -359,5 +506,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=edit.html b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=edit.html new file mode 100644 index 0000000000..30a9cc5741 --- /dev/null +++ b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Debugging Models With The Simulator | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Debugging Models With The Simulator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=login.html b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=login.html new file mode 100644 index 0000000000..104fdebfb3 --- /dev/null +++ b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Debugging Models With The Simulator | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Debugging Models With The Simulator

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=print.html b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=print.html new file mode 100644 index 0000000000..7d0c8698a2 --- /dev/null +++ b/manual/RunningPRISM/DebuggingModelsWithTheSimulator@action=print.html @@ -0,0 +1,329 @@ + + + + + + +PRISM Manual | RunningPRISM / DebuggingModelsWithTheSimulator + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Debugging Models With The Simulator

    + + +
    +

    PRISM includes a simulator, a tool which can be used to generate sample paths (executions) through a PRISM model. From the GUI, the simulator allows you to explore a model by interactively generating such paths. This is particularly useful for debugging models during development and for running sanity checks on completed models. Paths can also be generated from the command-line. +

    +

    +

    Generating a path in the GUI

    +

    Once you have loaded a model into the PRISM GUI +(note that it is not necessary to build the model), +select the "Simulator" tab at the bottom of the main window. +You can now start a new path by double-clicking in the bottom half of the window +(or right-clicking and selecting "New path"). +If there are undefined constants in the +model (or in any currently loaded properties files) you will be prompted to give values for these. You +can also specify the state from which you wish to generate a path. By default, this is the initial state of +the model. +

    +

    The main portion of the user interface (the bottom part) displays a path through the currently loaded model. Initially, this will comprise just a single state. The table above shows the list of available transitions from this state. Double-click one of these to extend the path with this transition. The process can be repeated to extend the path in an interactive fashion. Clicking on any state in the current path shows the transition which was taken at this stage. Click on the final state in the path to continue +extending the path. Alternatively, clicking the "Simulate" button will select a transition randomly (according to the probabilities/rates of the available transitions). By changing the number in the box below this button, you can easily generate random paths of a given length with a single click. +There are also options (in the accompanying drop-down menu) to allow generation of paths up until a particular length or, for CTMCs, in terms of the time taken. +

    +

    The figure shows the simulator in action. +

    +

    The PRISM GUI: exploring a model using the simulator
    +

    It is also possible to: +

    +
    • backtrack to an earlier point in a path +
    • remove all of the states before some point in a path +
    • restart a path from its first state +
    • export a path to a text file +

    Notice that the table containing the path displays not just the value of each variable in each +state but also the time spent in that state and any rewards accumulated there. You can configure exactly which columns appear by right-clicking on the path and selecting "Configure view". For rewards (and for CTMC models, for the time-values), you can can opt to display the reward/time for each individual state and/or the cumulative total up until each point in the path. +

    +

    At the top-right of the interface, any labels contained in the currently loaded model/properties file are displayed, along with their value in the currently selected state of the path. In addition, the built-in labels "init" and "deadlock" are also included. Selecting a label from the list highlights all states in the current path which satisfy it. +

    +

    The other tabs in this panel allow the value of path operators (taken from properties in the current file) to be viewed for the current path, as well as various other statistics. +

    +

    Another very useful feature for some models is to use the "Plot new path" option from the simulator, which generates a plot of some/all of the variable/reward values for a particular randomly generated path through the model. +

    +

    +

    Path generation from the command-line

    +

    It is also possible to generate random paths through a model using the command-line version of PRISM. This is achieved using the -simpath switch, which requires two arguments, the first describing the path to be generated and the second specifying the file to which the path should be output (as usual, specifying stdout sends output to the terminal). The following examples illustrate the various ways of generating paths in this way: +

    +
    +
    +
    prism model.pm -simpath 10 path.txt
    +prism model.pm -simpath time=7.5 path.txt
    +prism model.pm -simpath deadlock path.txt
    +
    +
    [$[Get Code]]
    +
    + +

    These generate a path of 10 steps, a path of at least 7.5 time units and a path ending in deadlock, respectively. +

    +

    Here's an example of the output: +

    +
    +
    +
    prism poll2.sm -simpath 10 stdout
    +...
    +action step time s a s1 s2
    +- 0 0.0 1 0 0 0
    +[loop1a] 1 0.007479539729154247 2 0 0 0
    +[loop2a] 2 0.00782819795294666 1 0 0 0
    +[loop1a] 3 0.01570585559933703 2 0 0 0
    +[loop2a] 4 0.017061111948220263 1 0 0 0
    +[loop1a] 5 0.026816317516034468 2 0 0 0
    +[loop2a] 6 0.039878416276337814 1 0 0 0
    +[loop1a] 7 0.04456566315999103 2 0 0 0
    +[loop2a] 8 0.047368359683643765 1 0 0 0
    +[loop1a] 9 0.04934857366557349 2 0 0 0
    +[loop2a] 10 0.055031679365844674 1 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    This shows the sequence of states in the path, i.e. the values of the variables in each state. In the example above, there are 4 variables: s, a, s1 and s2. +The first three columns show the type of transition taken to reach that state, its index within the path (starting from 0) and the time at which it was entered. The latter is only shown for continuous time models. The type of the transition is written as [act] if action label act was taken, and as module1 if the module named module1 takes an unlabelled transition). +

    +

    Further options can also be appended to the first parameter. For example, option probs=true also displays the probability/rate associated with each transition. For example: +

    +
    +
    +
    prism poll2.sm -simpath '5,probs=true' stdout
    +...
    +action probability step time s a s1 s2
    +- - 0 0.0 1 0 0 0
    +[loop1a] 200.0 1 0.0011880118081395378 2 0 0 0
    +[loop2a] 200.0 2 0.0037798355025401888 1 0 0 0
    +[loop1a] 200.0 3 0.01029212322894221 2 0 0 0
    +[loop2a] 200.0 4 0.023258883912578403 1 0 0 0
    +[loop1a] 200.0 5 0.027402404026254504 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    In this example, the rate is 200.0 for all transitions. +To show the state/transition rewards for each step, use option rewards=true. +

    +

    If you are only interested in values of certain variables of your model, use the vars=(...) option. For example: +

    +
    +
    +
    prism poll2.sm -simpath '500,probs=true,vars=(a,s1,s2)' stdout
    +...
    +action probability step time a s1 s2
    +- - 0 0.0 0 0 0
    +station2 0.5 110 0.5025332771499665 0 0 1
    +[loop2b] 200.0 111 0.5109407735244359 1 0 1
    +[serve2] 1.0 112 0.9960642154887506 0 0 0
    +station1 0.5 130 1.0645858553472822 0 1 0
    +[loop1b] 200.0 132 1.0732572896618477 1 1 0
    +[serve1] 1.0 133 2.939742026148121 0 0 0
    +station2 0.5 225 3.4311507854807677 0 0 1
    +[loop2b] 200.0 227 3.434285492243098 1 0 1
    +[serve2] 1.0 228 3.553118276800078 0 0 0
    +station2 0.5 250 3.6354431222941406 0 0 1
    +[loop2b] 200.0 251 3.637552738997181 1 0 1
    +[serve2] 1.0 252 3.7343375346150576 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    Note the use of single quotes around the path description argument to prevent the shell from misinterpreting special characters such as "(". +

    +

    Notice also that the above only displays states in which the values of some variable of interest changes. This is achieved with the option changes=true, which is automatically enabled when you use vars=(...). If you want to see all steps of the path, add the option changes=false. +

    +

    An alternative way of viewing paths is to only display paths at certain fixed points in time. This is achieved with the snapshot=x option, where x is the time step. For example: +

    +
    +
    +
    prism poll2.sm -simpath 'time=5.0,snapshot=0.5' stdout
    +...
    +step time s a s1 s2
    +0 0.0 1 0 0 0
    +94 0.5 1 0 0 0
    +198 1.0 1 0 0 0
    +314 1.5 1 0 0 0
    +375 2.0 1 1 1 1
    +376 2.5 2 0 0 1
    +376 3.0 2 0 0 1
    +378 3.5 1 0 0 0
    +378 4.0 1 0 0 0
    +478 4.5 1 0 0 0
    +511 5.0 2 0 0 0
    +
    +
    [$[Get Code]]
    +
    + +

    You can also use the sep=... option to specify the column separator. Possible values are space (the default), tab and comma. For example: +

    +
    +
    +
    prism poll2.sm -simpath '10,vars=(a,b),sep=comma' stdout
    +...
    +step,a,b,time
    +0,0,0,0.0
    +2,1,0,0.058443536856580006
    +3,1,1,0.09281024515535738
    +6,1,2,0.2556555786269585
    +7,1,3,0.284062896359802
    +8,1,4,1.1792064236954896
    +
    +
    [$[Get Code]]
    +
    + +

    When generating paths to a deadlock state, additional repeat=... option is available which will construct multiple paths until a deadlock is found. For example: +

    +
    +
    +
    prism model.sm -simpath 'deadlock,repeat=100' stdout
    +
    +
    [$[Get Code]]
    +
    + +

    By default, the simulator detects deterministic loops in paths (e.g. if a path reaches a state from which there is a just a single self-loop leaving that state) and stops generating the path any further. You can disable this behaviour with the loopcheck=false option. For example: +

    +
    +
    +
    prism dice.pm -simpath 10 stdout
    +...
    +Warning: Deterministic loop detected after 6 steps (use loopcheck=false option to extend path).
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 3
    +die 4 7 3
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    prism dice.pm -simpath 10,loopcheck=false stdout
    +...
    +action step s d
    +- 0 0 0
    +die 1 1 0
    +die 2 4 0
    +die 3 7 2
    +die 4 7 2
    +die 5 7 2
    +die 6 7 2
    +die 7 7 2
    +die 8 7 2
    +die 9 7 2
    +die 10 7 2
    +
    +
    [$[Get Code]]
    +
    + +

    One final note: the -simpath switch only generates paths up to the maximum path length setting of the simulator (the default is 10,000). If you want to generate longer paths, either change the +default setting or override it temporarily from the command-line using the -simpathlen switch. +You might also use the latter to decrease the setting, +e.g. to look for a path leading to a deadlock state, +but only within 100 steps: +

    +
    +
    +
    prism model.sm -simpath deadlock stdout -simpathlen 100
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/RunningPRISM/Experiments.html b/manual/RunningPRISM/Experiments.html index 9175d362f6..5edb75938d 100644 --- a/manual/RunningPRISM/Experiments.html +++ b/manual/RunningPRISM/Experiments.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / Experiments +PRISM Manual | Running PRISM / Experiments - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -239,38 +373,59 @@
    [$[Get Code]]
    -

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. -This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    or in DataFrame format:

    -
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    [$[Get Code]]
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]
    +
    + +

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. +This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    +
    [$[Get Code]]
    +
    + +
    +
    "N\T"
    , 0.0, 10.0, 20.0
    4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]

    The matrix option is also available in normal (non-CSV) mode.

    -

    Finally, you can export results in the form of comments, used by PRISM's functionality: +

    You can also export results in the form of comments, used by PRISM's regression testing functionality:

    -
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    -
    +
    // RESULT (N=4,T=0): 0.0
    // RESULT (N=4,T=10): 4.707364688019771E-6
    // RESULT (N=4,T=20): 1.3126420636755292E-5
    @@ -278,9 +433,11 @@ // RESULT (N=5,T=10): 3.267731327728599E-6
    // RESULT (N=5,T=20): 8.343575060356386E-6
    -
    [$[Get Code]]
    +
    [$[Get Code]]
    +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. This exports the results for all states of the model (typically, the log just displays the result for the initial state, unless a filter has been used) @@ -291,6 +448,12 @@

    @@ -299,6 +462,13 @@
    + +
    @@ -315,7 +485,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -327,5 +497,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/Experiments@action=edit.html b/manual/RunningPRISM/Experiments@action=edit.html new file mode 100644 index 0000000000..0e6d00c59d --- /dev/null +++ b/manual/RunningPRISM/Experiments@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Experiments | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Experiments

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/Experiments@action=login.html b/manual/RunningPRISM/Experiments@action=login.html new file mode 100644 index 0000000000..b7baa13416 --- /dev/null +++ b/manual/RunningPRISM/Experiments@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Experiments | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Experiments

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/Experiments@action=print.html b/manual/RunningPRISM/Experiments@action=print.html new file mode 100644 index 0000000000..e0e762ed11 --- /dev/null +++ b/manual/RunningPRISM/Experiments@action=print.html @@ -0,0 +1,320 @@ + + + + + + +PRISM Manual | RunningPRISM / Experiments + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Experiments

    + + +
    +

    PRISM supports experiments, which is a way of automating multiple instances of model checking. +This is done by leaving one or more constants undefined, e.g.: +

    +
    +
    +
    const int N;
    +const double T;
    +
    +
    [$[Get Code]]
    +
    + +

    This can be done for constants in the model file, the properties file, or both. +Before any verification can be performed, values must be provided for any such constants. In the GUI, a dialog appears in which the user is required to enter values. From the command line, the -const switch must be used, e.g.: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9
    +
    +
    [$[Get Code]]
    +
    + +

    To run an experiment, provide a range of values for one or more of the constants. Model checking will be performed for all combinations of the constant values provided. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4:6,T=60:10:100
    +
    +
    [$[Get Code]]
    +
    + +

    where N=4:6 means that values of 4,5 and 6 are used for N, +and T=60:10:100 means that values of 60, 70, 80, 90 and 100 (i.e. steps of 10) are used for T. +

    +

    For convenience, constant specifications can be split across separate instances of the -const switch, if desired. +You can also specify double-valued constants as fractions rather than decimals. For example: +

    +
    +
    +
    prism cluster.sm cluster.csl -const N=4,T=85.9 -const p=1/3
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, the same thing can be achieved by selecting a single property, +right clicking on it and selecting "New experiment" +(or alternatively using the popup menu in the "Experiments" panel). +Values or ranges for each undefined constant can then be supplied in the resulting dialog. +Details of the new experiment and its progress are shown in the panel. +To stop the experiment before it has completed, click the red "Stop" button and it will +halt after finishing the current iteration of model checking. +Once the experiment has finished, right clicking on the experiment produces a pop-up menu, +from which you can view the results of the experiment or export them to a file. +

    +

    For experiments based on properties which return numerical results, you can also use the GUI to plot graphs of the results. +This can be done either before the experiment starts, by selecting the "Create graph" tick-box in the dialog used to create the experiment +(in fact this box is ticked by default), or after the experiment's completion, by choosing "Plot results" from the pop-up menu on the experiment. +A dialog appears, where you can choose which constant (if there are more than one) to use for the x-axis of the graph, +and for which values of any other constants the results should be plotted. +The graph will appear in the panel below the list of experiments. +Right clicking on a graph and selecting "Graph options" brings up a dialog from which many properties of the graph can be configured. +From the pop-up menu of a graph, you can also choose to print the graph (to a printer or Postscript file) +or export it in a variety of formats: +as an image (PNG or JPEG), +as an encapsulated Postscript file (EPS), +in an XML-based format (for reloading back into PRISM), +or as code which can be used to generate the graph in Matlab. +

    +

    Approximate computation of quantitive results obtained with the simulator can also be used on experiments. In the GUI, select the "Use Simulation" option when defining the parameters for the experiment. From the command-line, just add the -sim switch as usual. +

    +

    +

    Exporting results

    +

    You can export all the results from an experiment to a file or to the screen. From the command-line, use the -exportresults switch, for example: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt
    +
    +
    [$[Get Code]]
    +
    + +

    to send to output file res.txt, or: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults stdout
    +
    +
    [$[Get Code]]
    +
    + +

    to send the results straight to the screen. From the GUI, right click on the experiment and select "Export results". +

    +

    The default behaviour is to export a list of results in text form, using tabs to separate items. The above examples produce: +

    +
    +
    +
    N       T       Result
    +4       0       0.0
    +4       10      4.707364688019771E-6
    +4       20      1.3126420636755292E-5
    +5       0       0.0
    +5       10      3.267731327728599E-6
    +5       20      8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    You can change the format in which the results are exported by appending one or more comma-separated options to the end of the -exportresults switch, for example to export in CSV (comma-separated values) format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N, T, Result
    +4, 0, 0.0
    +4, 10, 4.707364688019771E-6
    +4, 20, 1.3126420636755292E-5
    +5, 0, 0.0
    +5, 10, 3.267731327728599E-6
    +5, 20, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    or in DataFrame format: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:dataframe
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    N,T,Result
    +4,0,0
    +4,10,4.70736468802e-06
    +4,20,1.31264206368e-05
    +5,0,0
    +5,10,3.26773132773e-06
    +5,20,8.34357506036e-06
    +
    [$[Get Code]]
    +
    + +

    You can also add the matrix option, to export the results as one or more 2D matrices, rather than a list. +This is particularly useful if you want to create a surface plot from results that vary over two constants. +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:csv,matrix
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    "N\T"
    +, 0.0, 10.0, 20.0
    +4, 0.0, 4.707364688019771E-6, 1.3126420636755292E-5
    +5, 0.0, 3.267731327728599E-6, 8.343575060356386E-6
    +
    [$[Get Code]]
    +
    + +

    The matrix option is also available in normal (non-CSV) mode. +

    +

    You can also export results in the form of comments, used by PRISM's regression testing functionality: +

    +
    +
    +
    prism cluster.sm cluster.csl -prop 4 -const N=4:5,T=0:10:20 -exportresults res.txt:comment
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    // RESULT (N=4,T=0): 0.0
    +// RESULT (N=4,T=10): 4.707364688019771E-6
    +// RESULT (N=4,T=20): 1.3126420636755292E-5
    +// RESULT (N=5,T=0): 0.0
    +// RESULT (N=5,T=10): 3.267731327728599E-6
    +// RESULT (N=5,T=20): 8.343575060356386E-6
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, it is also possible to import previously exported results (in DataFrame format). +

    +

    A related option is the -exportvector <file> switch, useful in general contexts, not for experiments. +This exports the results for all states of the model +(typically, the log just displays the result for the initial state, unless a filter has been used) +to the the file file. +

    +
    + + + + diff --git a/manual/RunningPRISM/ExplicitModelImport.html b/manual/RunningPRISM/ExplicitModelImport.html index 3de6b51767..e63309d37a 100644 --- a/manual/RunningPRISM/ExplicitModelImport.html +++ b/manual/RunningPRISM/ExplicitModelImport.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / ExplicitModelImport +PRISM Manual | Running PRISM / Explicit Model Import - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -153,6 +287,10 @@
    [$[Get Code]]
    +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above:

    @@ -178,11 +316,26 @@
    [$[Get Code]]
    +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    +
    @@ -191,6 +344,13 @@
    + +
    @@ -207,7 +367,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -219,5 +379,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ExplicitModelImport@action=edit.html b/manual/RunningPRISM/ExplicitModelImport@action=edit.html new file mode 100644 index 0000000000..aae76c2126 --- /dev/null +++ b/manual/RunningPRISM/ExplicitModelImport@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Explicit Model Import | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Explicit Model Import

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ExplicitModelImport@action=login.html b/manual/RunningPRISM/ExplicitModelImport@action=login.html new file mode 100644 index 0000000000..75f127dacc --- /dev/null +++ b/manual/RunningPRISM/ExplicitModelImport@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Explicit Model Import | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Explicit Model Import

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ExplicitModelImport@action=print.html b/manual/RunningPRISM/ExplicitModelImport@action=print.html new file mode 100644 index 0000000000..c5ec4ed390 --- /dev/null +++ b/manual/RunningPRISM/ExplicitModelImport@action=print.html @@ -0,0 +1,202 @@ + + + + + + +PRISM Manual | RunningPRISM / ExplicitModelImport + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Explicit Model Import

    + + +
    +

    It is also possible to construct models in PRISM through direct specification of their transition matrix. +The format in which this information is input to the tool is exactly the same as is currently output +(see the section "Exporting The Model" and the appendix "Explicit Model Files"). +Presently, this functionality is only supported in the command-line version of the tool, using the -importtrans switch (and more convenient -importmodel; see below). +PRISM makes some attempt to discern the model type from the format of the input files, +but if this does not work, the model type can be overwritten using the -dtmc, -ctmc and -mdp switches. +For example: +

    +
    +
    +
    prism -importtrans poll2.tra -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    Please note that this method of constructing models in PRISM is typically less efficient than using the PRISM language. +This is because PRISM is (primarily) a symbolic model checker and the underlying data structures used to represent the model +function better when there is high-level structure and regularity to exploit. +This situation can be alleviated to a certain extent by importing not just a transition matrix, +but also a definition of each state of the model in terms of a set of variables. +The format of this information is again identical to PRISM's current output format, using the -exportstates switch. +The following example shows how PRISM could be used to build, export and then re-import a model +(not a good strategy in general): +

    +
    +
    +
    prism poll2.sm -exporttrans poll2.tra -exportstates poll2.sta
    +prism -importtrans poll2.tra -importstates poll2.sta -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can also import label information using the switch -importlabels, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    where the labels file (poll2.lab above) is in the format generated by the -exportlabels export option of PRISM. +

    +

    In particular, since details about the initial state(s) of a model are not preserved in the files output from -exportstates and -exporttrans, but are included in the labels file, +-importlabels should also be used to designate a particular initial state for a model. +If not, the default is to assume a single initial state, in which all variables take their minimum value +(if -importstates is not used, the model has a a single zero-indexed variable x, and the initial state is x=0). +

    +

    Lastly, state (but currently not transition) rewards can also be imported, using the -importstaterewards switch, e.g.: +

    +
    +
    +
    prism -importtrans poll2.tra -importstates poll2.sta -importlabels poll2.lab -importstaterewards poll2.srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    You can import multiple reward structures using multiple instances of the -importstaterewards switch. +If present in the rewards files (see the appendix "Explicit Model Files"), +the names of the reward structures are read too. +

    +

    In a similar style to PRISM's -exportmodel switch, you can import several several files for a model using a single -importmodel switch. For example, this is equivalent to the command given above: +

    +
    +
    +
    prism -importmodel poll2.tra,sta,lab,srew -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    The contents of each file is determined by its extension: +Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.lab (labels), +.srew (state rewards). +

    +

    Use the extension .all to import from all of these files: +

    +
    +
    +
    prism -importmodel poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +

    In this case, you can omit the -importmodel switch and just specify the .all-ended filename, e.g.: +

    +
    +
    +
    prism poll2.all -ctmc
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/RunningPRISM/ExportingTheModel.html b/manual/RunningPRISM/ExportingTheModel.html index 8750997a7d..68cea85d63 100644 --- a/manual/RunningPRISM/ExportingTheModel.html +++ b/manual/RunningPRISM/ExportingTheModel.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / ExportingTheModel +PRISM Manual | Running PRISM / Exporting The Model - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -132,13 +266,15 @@

    -
    prism poll2.sm -exportrewards poll2.rews poll2.rewt
    -prism poll2.sm -exportstaterewards poll2.rews -exporttransrewards poll2.rewt
    +
    prism poll2.sm -exportrewards poll2.srew poll2.trew
    +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
    [$[Get Code]]

    When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI).

    You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example:

    @@ -189,7 +325,7 @@

    is a quick way to print all details (of a small model) to the terminal.

    -

    Although is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +

    Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix in Dot format which allows easy graphical visualisation of the model:

    @@ -199,6 +335,11 @@
    [$[Get Code]]
    +

    Export options

    +

    When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

    Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list:

    • mrmc - export data in MRMC format @@ -206,6 +347,7 @@
    • rows - export matrices with one row/distribution on each line
    • ordered - output states indices in ascending order [default]
    • unordered - don't output states indices in ascending order +
    • proplabels - also export labels from the properties file

    An example is:

    @@ -215,14 +357,18 @@
    [$[Get Code]]
    -

    The meaning of these options is described below. +

    By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>.

    File formats

    By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. As mentioned above, by convention, we use file extensions .sta (for states files), .tra (for transitions files), -.rews and .rewt (for state/transition rewards files) +.srew and .trew (for state/transition rewards files) and .lab (for labels).

    Alternatively, it is possible to export this information as Matlab code @@ -293,6 +439,12 @@

    @@ -301,6 +453,13 @@
    + +
    @@ -317,7 +476,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -329,5 +488,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ExportingTheModel@action=edit.html b/manual/RunningPRISM/ExportingTheModel@action=edit.html new file mode 100644 index 0000000000..f98aa013c2 --- /dev/null +++ b/manual/RunningPRISM/ExportingTheModel@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Exporting The Model | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Exporting The Model

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ExportingTheModel@action=login.html b/manual/RunningPRISM/ExportingTheModel@action=login.html new file mode 100644 index 0000000000..55f0eec903 --- /dev/null +++ b/manual/RunningPRISM/ExportingTheModel@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Exporting The Model | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Exporting The Model

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ExportingTheModel@action=print.html b/manual/RunningPRISM/ExportingTheModel@action=print.html new file mode 100644 index 0000000000..b785d5eab5 --- /dev/null +++ b/manual/RunningPRISM/ExportingTheModel@action=print.html @@ -0,0 +1,311 @@ + + + + + + +PRISM Manual | RunningPRISM / ExportingTheModel + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Exporting The Model

    + + +
    +

    If required, once the model has been constructed, it can be exported, either for manual examination or for use in another tool. The following can all be exported: +

    +
    • the set of reachable states; +
    • the transition matrix; +
    • the state rewards vector(s); +
    • the transition rewards matrix (or matrices). +
    • labels (in the model or properties) and the states that satisfy them +

    Note that the last of these also provides a way to export information about initial states and deadlock states (via the built-in labels "init" and "deadlock"). +

    +

    From the GUI, use the "Model | Export" menu to export the data to a file or, for small models, use the "Model | View" menu to print the details directly to the log. For the case of labels, if you want to export labels from the properties file too, use the "Properties | Export labels" option, rather than the "Model | Export" one. +

    +

    From the command-line version of PRISM, use the following switches: +

    +
    • -exportstates <file> +
    • -exporttrans <file> +
    • -exportstaterewards <file> +
    • -exporttransrewards <file> +
    • -exportlabels <file> +

    or, as explained below, use the more convenient switch: +

    +
    • -exportmodel <files[:options]> +

    Replace <file> with stdout in any of the above to print the information to the terminal. +

    +

    The export command-line switches can be used in combination. For example: +

    +
    +
    +
    prism poll2.sm -exportstates poll2.sta -exporttrans poll2.tra
    +
    +
    [$[Get Code]]
    +
    + +

    exports both the state space and transition matrix. You can export both state and transition rewards using the -exportrewards switch. The following are equivalent: +

    +
    +
    +
    prism poll2.sm -exportrewards poll2.srew poll2.trew
    +prism poll2.sm -exportstaterewards poll2.srew -exporttransrewards poll2.trew
    +
    +
    [$[Get Code]]
    +
    + +

    When there are multiple reward structures, a separate file is created for each one and a (1-indexed) suffix is added to distinguish them. +A header in each file (see the "Explicit Model Files" appendix) also shows the name of the reward structure. +These headers can be omitted using the switch -noexportheaders (or via the option "Include headers in model exports" in the GUI). +

    +

    You can also easily perform multiple exports simultaneously using the -exportmodel switch, which specifies multiple files using a list of extensions. The file extensions then dictate what is exported. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to out.tra and out.sta, respectively. If you omit the file basename (out in this case), then the basename of the model file (poll2 in this case) is used. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel .tra,sta
    +
    +
    [$[Get Code]]
    +
    + +

    exports the transition matrix and states list to poll2.tra and poll2.sta. +

    +

    Possible file extensions are: +.sta (reachable states), +.tra (transition matrix), +.srew (state rewards), +.trew (transition rewards), +.lab (labels). +You can use the shorthand .all to export everything, and .rew to export both state and transition rewards. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel out.all
    +prism poll2.sm -exportmodel .all
    +
    +
    [$[Get Code]]
    +
    + +

    creates multiple files of the form out.* or poll2.*, respectively. +

    +

    As mentioned above, you can always use stdout instead of a filename. For example: +

    +
    +
    +
    prism poll2.sm -exportmodel stdout.all
    +
    +
    [$[Get Code]]
    +
    + +

    is a quick way to print all details (of a small model) to the terminal. +

    +

    Although it is not exported when using .all, the -exportmodel switch can also be used to export the transition matrix +in Dot format which allows easy graphical visualisation of the model: +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    Export options

    +

    When exporting model details in this way, the precision of numerical values (e.g., for probabilities or rewards) can be configured. +From the command line, use the switch -exportmodelprecision <x> to show values to <x> significant digits. +The same setting is available for exports from the GUI via option "Precision of model export". +

    +

    Finally, the -exportmodel switch can be passed various options. The general form is -exportmodel files:options where options is a comma-separated list of options taken from the following list: +

    +
    • mrmc - export data in MRMC format +
    • matlab - export data in Matlab format +
    • rows - export matrices with one row/distribution on each line +
    • ordered - output states indices in ascending order [default] +
    • unordered - don't output states indices in ascending order +
    • proplabels - also export labels from the properties file +

    An example is: +

    +
    +
    +
    prism poll2.sm -exportmodel out.tra,out.trew:matlab,unordered
    +
    +
    [$[Get Code]]
    +
    + +

    By default, when labels are exported, this only includes the labels from the model. +The proplabels option listed above +(which applies to both -exportmodel and -exportlabels) +indicates that labels from any properties file are exported too. +To export just those labels, use switch -exportproplabels <file>. +

    +

    +

    File formats

    +

    By default, model data is exported (or displayed) in plain text format. The precise details of the formats used can be found in the "Explicit Model Files" appendix. +As mentioned above, by convention, we use file extensions +.sta (for states files), .tra (for transitions files), +.srew and .trew (for state/transition rewards files) +and .lab (for labels). +

    +

    Alternatively, it is possible to export this information as Matlab code +(a .m file) or in a format suitable for import into the MRMC tool. Select the appropriate menu item when using the GUI, or add the command-line switches: +

    +
    • -exportmatlab +
    • -exportmrmc +

    or, as described earlier, pass options to the -exportmodel switch. +

    +

    There is no specific MRMC format for labels, so these are exported as plain text in this case. +

    +

    There is some additional export functionality available only from the command-line. +

    +

    Firstly, when outputting matrices for DTMCs or CTMCs, it is possible to request that PRISM does not sort the rows of the matrix, +as is normally the case. This is achieved with the switch: +

    +
    • -exportunordered +

    The reason for this is that in this case PRISM does not need to construct an explicit version of the model in memory and the process can thus be performed with reduced memory consumption. +

    +

    Secondly, there is a switch: +

    +
    • -exportrows +

    which provides an alternative output format for transition matrices where the elements of each row of the matrix (i.e. the transitions from a state/choice) are grouped on the same line. This can be particularly helpful for viewing the matrix for MDPs. The file format is shown here. +

    +

    +

    Graphical model export

    +

    The transition matrix of the model can also be exported in Dot format, +which allows easy graphical visualisation of the graph structure of the model. +You can optionally request that state descriptions are added to each state of graph; if not, states are labelled with integer indices that can be cross-referenced with the list of reachable states. +

    +

    Use the menu entries under "Model | Export | Transition matrix" from the GUI or command-line switches: +

    +
    • -exporttransdot <file> +
    • -exporttransdotstates <file> +

    As mentioned above, for the latter, the following is equivalent (and easier to remember): +

    +
    +
    +
    prism poll2.sm -exportmodel poll2.dot
    +
    +
    [$[Get Code]]
    +
    + +

    +

    Exporting (B)SCCs and end components

    +

    It is also possible to export the set of (bottom) strongly connected components (SCCs or BSCCs) for a model. This can only be done from the command-line currently. Use, for example: +

    +
    +
    +
    prism poll2.sm -exportsccs stdout
    +prism poll2.sm -exportbsccs stdout
    +
    +
    [$[Get Code]]
    +
    + +

    For an MDP, you can also export the set of maximal end components (MECs): +

    +
    +
    +
    prism mdp.nm -exportmecs stdout
    +
    +
    [$[Get Code]]
    +
    + +
    +
    + + + + diff --git a/manual/RunningPRISM/LoadingAndBuildingAModel.html b/manual/RunningPRISM/LoadingAndBuildingAModel.html index de0ef2059e..28328ebec4 100644 --- a/manual/RunningPRISM/LoadingAndBuildingAModel.html +++ b/manual/RunningPRISM/LoadingAndBuildingAModel.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / LoadingAndBuildingAModel +PRISM Manual | Running PRISM / Loading And Building A Model - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -158,6 +292,12 @@ @@ -166,6 +306,13 @@
    + +
    @@ -182,7 +329,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -194,5 +341,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/LoadingAndBuildingAModel@action=edit.html b/manual/RunningPRISM/LoadingAndBuildingAModel@action=edit.html new file mode 100644 index 0000000000..eb3b923720 --- /dev/null +++ b/manual/RunningPRISM/LoadingAndBuildingAModel@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Loading And Building A Model | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Loading And Building A Model

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/LoadingAndBuildingAModel@action=login.html b/manual/RunningPRISM/LoadingAndBuildingAModel@action=login.html new file mode 100644 index 0000000000..6ee9bc385b --- /dev/null +++ b/manual/RunningPRISM/LoadingAndBuildingAModel@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Loading And Building A Model | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Loading And Building A Model

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/LoadingAndBuildingAModel@action=print.html b/manual/RunningPRISM/LoadingAndBuildingAModel@action=print.html new file mode 100644 index 0000000000..497a5762db --- /dev/null +++ b/manual/RunningPRISM/LoadingAndBuildingAModel@action=print.html @@ -0,0 +1,164 @@ + + + + + + +PRISM Manual | RunningPRISM / LoadingAndBuildingAModel + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Loading And Building A Model

    + + +
    +

    Typically, when using PRISM, the first step is to load a model that has been specified in the PRISM modelling language. If using the GUI, select menu option "Model | Open Model" and choose a file. There are a selection of sample PRISM model files in the prism-examples directory of the distribution. +A few very small models are contained in the subdirectory simple; +the rest are in subdirectories grouped by model type. +

    +

    The model will then be displayed in the editor in the "Model" tab of the GUI window. The file is parsed upon loading. If there are no errors, information about the modules, variables, and other components of the model is displayed in the panel to the left and a green tick will be visible. If there are errors in the file, a red cross will appear instead and the errors will be highlighted in the model editor. To view details of the error, position the mouse pointer over the source of the error (or over the red cross). Alternatively, select menu option "Model | Parse Model" and the error mIessage will be displayed in a message box. Model descriptions can, of course, also be typed from scratch into the GUI's editor. +

    +

    Building the model

    +

    In order to perform model checking, PRISM will (in most cases) need to construct the corresponding probabilistic model, i.e. convert the PRISM model description to, for example, an MDP, DTMC, etc. During this process, PRISM computes the set of states in the model which are reachable from the initial states and the transition matrix which represents the model. +

    +

    Model construction is done automatically when you perform model checking. However, you may always want to explicitly ask PRISM to build the model in order to test for errors or to see how large the model is. From the GUI, you can do this by by selecting "Model | Build Model". If there are no errors during model construction, the number of states and transitions in the model will be displayed in the bottom left corner of the window. +

    +

    From the command-line, simply type: +

    +
    +
    +
    prism model.nm
    +
    +
    [$[Get Code]]
    +
    + +

    where model.nm is the name of the file containing the model description. +

    +

    For some types of models, notably PTAs, models are not constructed in this way (because the models are infinite-state). In these cases, analysis of the model is not performed until model checking is performed. +

    +

    +

    Deadlocks

    +

    You should be aware of the possibility of deadlock states (or deadlocks) in the model, +i.e. states which are reachable but from which there are no outgoing transitions. +PRISM will automatically search your model for deadlocks and, by default, +"fix" them by adding self-loops in these states. +Since deadlocks are sometimes caused by modelling errors, +PRISM will display a warning message in the log when deadlocks are fixed in this way. +

    +

    You can control whether deadlocks are automatically fixed in this way using the "Automatically fix deadlocks" option (or with command-line switches -nofixdl and -fixdl). When fixing is disabled, PRISM will report and error when the model contains deadlocks (this used to be the default behaviour in older versions of PRISM). +

    +

    If you have unwanted or unexpected deadlocks in your model, there are several ways you can detect then. Firstly, by disabling deadlock fixing (as described above), PRISM will display a list of deadlock states in the log. Alternatively, you can model check the filter property filter(print, "deadlock"), which has the safe effect. +

    +

    To find out how deadlocks occur, i.e. which paths through the model lead to a deadlock state, there are several possibilities. Firstly, you can model check the CTL property E[F "deadlock"]. When checked from the GUI, this will provide you with the option of display a path to a deadlock in the simulator. From the command-line, for example with: +

    +
    +
    +
    prism dice.pm -pf 'E[F "deadlock"]'
    +
    +
    [$[Get Code]]
    +
    + +

    a path to a deadlock will be displayed in the log. +

    +

    Finally, in the eventuality that the model is too large to be model checked, you can still use the simulator to search for deadlocks. This can be done either by manually generating random paths using the simulator in the GUI or, from the command-line, e.g. by running: +

    +
    +
    +
    prism dice.pm -simpath deadlock stdout
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/RunningPRISM/Main.html b/manual/RunningPRISM/Main.html index 5c5abdaf2b..6e8c63e139 100644 --- a/manual/RunningPRISM/Main.html +++ b/manual/RunningPRISM/Main.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / StartingPRISM +PRISM Manual | Running PRISM / Starting PRISM - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -140,14 +274,20 @@ tutorial on the PRISM web site. Some screenshots of the GUI version of PRISM are shown below.

    -

    The PRISM GUI (editing a model)
    -

    The PRISM GUI (model checking)
    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)
    @@ -156,6 +296,13 @@
    + +
    @@ -172,7 +319,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -184,5 +331,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ModelChecking.html b/manual/RunningPRISM/ModelChecking.html index 72274c5fc6..e7a73b0f32 100644 --- a/manual/RunningPRISM/ModelChecking.html +++ b/manual/RunningPRISM/ModelChecking.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / ModelChecking +PRISM Manual | Running PRISM / Model Checking - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -183,6 +317,12 @@ @@ -191,6 +331,13 @@
    + +
    @@ -207,7 +354,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -219,5 +366,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ModelChecking@action=edit.html b/manual/RunningPRISM/ModelChecking@action=edit.html new file mode 100644 index 0000000000..b1dd5c177b --- /dev/null +++ b/manual/RunningPRISM/ModelChecking@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Model Checking | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ModelChecking@action=login.html b/manual/RunningPRISM/ModelChecking@action=login.html new file mode 100644 index 0000000000..d542d61d27 --- /dev/null +++ b/manual/RunningPRISM/ModelChecking@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Model Checking | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ModelChecking@action=print.html b/manual/RunningPRISM/ModelChecking@action=print.html new file mode 100644 index 0000000000..c05ba80c79 --- /dev/null +++ b/manual/RunningPRISM/ModelChecking@action=print.html @@ -0,0 +1,189 @@ + + + + + + +PRISM Manual | RunningPRISM / ModelChecking + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Model Checking

    + + +
    +

    Typically, once a model has been constructed, it is analysed through model checking. +Properties are specified as described in the "Property Specification" section, +and are usually kept in files with extensions .props, .pctl or .csl. +There are properties files accompanying most of the sample PRISM models in the prism-examples directory. +

    +

    +

    GUI

    +

    To load a file containing properties into the GUI, select menu option "Properties | Open properties list". +The file can only be loaded if there are no errors, otherwise an error is displayed. +Note that it may be necessary to have loaded the corresponding model first, +since the properties will probably make reference to variables (and perhaps constants) declared in the model file. +Once loaded, the properties contained in the file are displayed in a list in the "Properties" tab of the GUI. +Constants and labels are displayed in separate lists below. +You can modify or create new properties, constants and labels from the GUI, +by right-clicking on the appropriate list and selecting from the pop-up menu which appears. Properties with errors are shaded red and marked with a warning sign. +Positioning the mouse pointer over the property displays the corresponding error message. +

    +

    The pop-up menu for the properties list also contains a "Verify" option, +which allows you instruct PRISM to model check the currently selected properties +(hold down Ctrl/Cmd to select more than one property simultaneously). +All properties can be model checked at once by selecting "Verify all". +PRISM verifies each property individually. +Upon completion, the icon next to the property changes according to the result of model checking. For Boolean-valued properties, a result of true or false is indicated by a green tick or red cross, respectively. For properties which have a numerical result (e.g. P=? [ ...]), position the mouse pointer over the property to view the result. +In addition, this and further information about model checking is displayed in the log in the "Log" tab. +

    +

    +

    Command-line

    +

    From the command-line, model checking is achieved by passing both a model file and a properties file as arguments, e.g.: +

    +
    +
    +
    prism poll2.sm poll.csl
    +
    +
    [$[Get Code]]
    +
    + +

    The results of model checking are sent to the display and are as described above for the GUI version. +By default, all properties in the file are checked. +To model check only a single property, use the -prop switch. +For example, to check only the fourth property in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4
    +
    +
    [$[Get Code]]
    +
    + +

    or to check only the property with name "safe" in the file: +

    +
    +
    +
    prism poll2.sm poll.csl -prop safe
    +
    +
    [$[Get Code]]
    +
    + +

    You can also provide a comma-separated list of multiple properties to check, +using neither numerical indices or property names: +

    +
    +
    +
    prism poll2.sm poll.csl -prop 4,5,safe
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, the contents of a properties file can be specified directly from the command-line, using the -pf switch: +

    +
    +
    +
    prism poll2.sm -pf 'P>=0.5 [ true U<=5 (s=1 & a=0) ]'
    +
    +
    [$[Get Code]]
    +
    + +

    The switches -pctl and -csl are aliases for -pf. +

    +

    Note the use of single quotes ('...') to avoid characters such as +( and > being interpreted by the command-line shell. +Single quotes are preferable to double quotes since PRISM properties often include double quotes, e.g. for references to labels or properties. +

    +
    + + + + diff --git a/manual/RunningPRISM/ParametricModelChecking.html b/manual/RunningPRISM/ParametricModelChecking.html index e0bd20ceee..deb09bb139 100644 --- a/manual/RunningPRISM/ParametricModelChecking.html +++ b/manual/RunningPRISM/ParametricModelChecking.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / ParametricModelChecking +PRISM Manual | Running PRISM / Parametric Model Checking - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -165,6 +299,12 @@ @@ -173,6 +313,13 @@
    + +
    @@ -189,7 +336,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -201,5 +348,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/ParametricModelChecking@action=edit.html b/manual/RunningPRISM/ParametricModelChecking@action=edit.html new file mode 100644 index 0000000000..b05047fd21 --- /dev/null +++ b/manual/RunningPRISM/ParametricModelChecking@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Parametric Model Checking | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Parametric Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ParametricModelChecking@action=login.html b/manual/RunningPRISM/ParametricModelChecking@action=login.html new file mode 100644 index 0000000000..73fa072a1d --- /dev/null +++ b/manual/RunningPRISM/ParametricModelChecking@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Parametric Model Checking | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Parametric Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/ParametricModelChecking@action=print.html b/manual/RunningPRISM/ParametricModelChecking@action=print.html new file mode 100644 index 0000000000..925de70405 --- /dev/null +++ b/manual/RunningPRISM/ParametricModelChecking@action=print.html @@ -0,0 +1,171 @@ + + + + + + +PRISM Manual | RunningPRISM / ParametricModelChecking + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Parametric Model Checking

    + + +
    +

    Often, PRISM models contain constants, representing parameters of the system being modelled, which define for example the transition probabilities in the model. In order to perform model checking, these constants have to be assigned concrete values. PRISM also allows experiments, where model checking is performed for a range of different values for the constants. +

    +

    PRISM's parametric model checking [HHZ11b],[HHZ11] functionality, however, provides a more powerful method for analysing probabilistic models whose transition probabilities are specified as functions over a set of parameters. Depending on the property under consideration, the result is then given as either a rational function over the parameters or as a mapping from regions of these parameters to rational functions or truth values. This function (or functions) can then be used to, for example: +

    +
    • plot a graph showing how the parameter affects the result of the property; or +
    • use optimisation methods to find parameter values that minimise or maximise the result. +

    PRISM's implementation of parametric model checking [CHH+13] re-implements the techniques previously included in the PARAM tool. +

    +

    Parameters are specified as undefined constants in the model file, e.g.: +

    +
    +
    +
    const double x;
    +
    +
    [$[Get Code]]
    +
    + +

    These parameters can only be used to describe probabilities (or rates). For example: +

    +
    +
    +
    [] s=0 -> x : (s'=1) + 1-x : (s'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    They may not be used in guards or updates. The parametric definitions of probabilities or rates (e.g. x and 1-x in the above) must be rational functions (fractions of polynomials). PRISM currently supports parametric versions of discrete-time Markov chains (DTMCs), continuous-time Markov chains (CTMCs) and Markov decision processes (MDPs). The classes of properties that be checked on these models are as follows: +

    +
    • parametric DTMCs/CTMCs: unbounded until, steady-state probabilities, reachability reward and steady-state reward; +
    • parametric MDPs: unbounded until and reachability rewards. +

    Currently, parametric model checking can only be performed from the command-line. This is done by using the switch -param <vals>, where <vals> lists the undefined constants that should be treated as parameters. A range of possible values should also be provided for each parameter, in the form <parameter>=<lower-bound>:<upper-bound>. For example: +

    +
    +
    +
    prism model.pm model.props -param x=0.2:0.4,y=-2:2
    +
    +
    [$[Get Code]]
    +
    + +

    would specify a parameter x with lower bound 0.2 and upper bound 0.4, and a parameter y with values between -2 and 2. You can also omit the bounds for a parameter, in which case it will be assumed to have range 0 to 1. +

    +

    The result of parametric model checking will be a mapping from regions (subsets of parameter valuations) to functions over the parameters. The regions are given as hyper-rectangles, e.g. "[ [0.2,0.3],[-2,0] ]" would represent the region of parameter valuations in which the first parameter is between 0.2 and 0.3 and the second is between -2 and 0. The results obtained are exact, that is no rounding errors are made during computation. Here is an example of the output of model checking: +

    +
    +
    +
    prism model.pm model.props -param x=0:1
    +...
    +Result: ([0.0,1.0]): { 2 x - 5 | 8 x - 12 }
    +
    +
    [$[Get Code]]
    +
    + +

    which indicates that, for the full range ([0,1]) of the parameter x, the result of model checking is the expression (2x-5)/(8x-2). +

    +

    Parametric model checking can be configured with the following options: +

    +
    • -paramprecision <x>: PRISM uses regions in the form of hyper-rectangles to subsume parameter valuations with the same rational function or truth value. Because it is not always possible to cover the whole parameter space with hyper-rectangles, this option can be used to specify a precision, that is, an amount of the parameter space which may remain undecided. The default is 5/100. +
    • -paramsplit <name>: During model checking, undecided regions may have to be split into several parts, because there might not exist a single rational function or truth value to which all parameter valuations of the original regions can be mapped. When a region is split, it can either be split at only its longest side (<name>=longest) or at all all sides at once (<name>=all). The default is longest. +
    • -parambisim <name>: The parametric analysis is costly in terms of time and memory, so it can help to perform bisimulation minimisation to speed up the analysis and use less memory. The possible options here are to use weak bisimulation (<name>=weak), strong bisimulation (<name>=strong) or none at all (<name>=none). The default is weak. In case an analysis is to be performed for which the current bisimulation type does not maintain validity of the results (e.g. weak bisimulation and a steady state analysis), an appropriate bisimulation engine is chosen automatically. +
    • -paramfunction <name>: Sets the way rational functions are represented. Currently, only Java Algebra System (JAS) is supported. The options are to use JAS directly (<name>=jas) or to use a version in which results of some previous mathematical operations performed during the analysis are cached (<name>=jas-cached). This can speed up computation, but also needs more memory. The default is to use the cached version. +
    • -paramelimorder <name>: In the parametric engine, computations are performed by "eliminating" one state after the other, that is completely treating a state together with its incoming and outgoing transitions, rather than performing iterative methods. This option sets the order in which states are eliminated. The values currently available are: arbitrary order (<name>=arbitrary), forward starting from the initial states (<name>=forward), reversed forward order (<name>=forward-reversed), starting with target/unsafe states and then going backward (<name>=backward), the reverse of this order (<name>=backward-reversed) or random order (<name>=random). The default is the backward order. +
    • -paramrandompoints <n>: Under some conditions, it has to be decided whether certain properties hold for all parameter valuations of a given region. This is the case for instance when computing truth values of properties for parametric DTMCs, CTMCs and MDPs, and also when computing any value for MDPs. At the moment, the truth values are only computed approximately, by evaluating and checking values at the edges of regions (as they are hyper-rectangles) and some random points. The exact number of random points to use is given with this option. The default is 5. +
    • -paramsubsumeregions <b>: During the parametric analysis, quite a number of different regions might be created, which have to be stored in memory. If this option is used (<b>=true), PRISM tries to subsume neighbouring regions with the same value. The default is to use it. +
    +
    + + + + diff --git a/manual/RunningPRISM/StartingPRISM@action=edit.html b/manual/RunningPRISM/StartingPRISM@action=edit.html new file mode 100644 index 0000000000..a8569ed307 --- /dev/null +++ b/manual/RunningPRISM/StartingPRISM@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Starting PRISM | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Starting PRISM

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/StartingPRISM@action=login.html b/manual/RunningPRISM/StartingPRISM@action=login.html new file mode 100644 index 0000000000..9a27d26e8a --- /dev/null +++ b/manual/RunningPRISM/StartingPRISM@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Starting PRISM | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Starting PRISM

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/StartingPRISM@action=print.html b/manual/RunningPRISM/StartingPRISM@action=print.html new file mode 100644 index 0000000000..18d1cc3117 --- /dev/null +++ b/manual/RunningPRISM/StartingPRISM@action=print.html @@ -0,0 +1,154 @@ + + + + + + +PRISM Manual | RunningPRISM / StartingPRISM + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Starting PRISM

    + + +
    +

    There are two versions of PRISM, one based on a graphical user interface (GUI), +the other based on a command line interface. Both use the same underlying model checker. +The latter is useful for running large batches of jobs, leaving long-running model checking tasks in the background, or simply for running the tool quickly and easily once you are familiar with its operation. +

    +

    Details how how to run PRISM can be found in the installation instructions. +In short, to run the PRISM GUI: +

    +
    • (on Windows) click the short-cut (to xprism.bat) installed on the Desktop/Start Menu +
    • (on other OSs) run the xprism script in the bin directory +

    You can also optionally specify a model file and a properties file to load upon starting the GUI, e.g.: +

    +
    +
    +
    xprism example.prism
    +xprism example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    To use the command-line version of PRISM, run the prism script, also in the bin directory, e.g.: +

    +
    +
    +
    prism example.prism example.props -prop 2
    +
    +
    [$[Get Code]]
    +
    + +

    The -dir switch can be used to specify a directory for input (and output) files. +So the following are equivalent: +

    +
    +
    +
    prism ~/myfiles/example.prism ~/myfiles/example.props
    +prism -dir ~/myfiles example.prism example.props
    +
    +
    [$[Get Code]]
    +
    + +

    The remainder of this section of the manual describes the main types of functionality offered by PRISM. +For a more introductory guide to using the tool, try the +tutorial on the PRISM web site. +Some screenshots of the GUI version of PRISM are shown below. +

    +

    The PRISM GUI (editing a model)
    +

    The PRISM GUI (model checking)
    +
    +
    + + + + diff --git a/manual/RunningPRISM/StatisticalModelChecking.html b/manual/RunningPRISM/StatisticalModelChecking.html index 5d65af31fd..19c87024af 100644 --- a/manual/RunningPRISM/StatisticalModelChecking.html +++ b/manual/RunningPRISM/StatisticalModelChecking.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / StatisticalModelChecking +PRISM Manual | Running PRISM / Statistical Model Checking - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -203,6 +337,12 @@ @@ -211,6 +351,13 @@
    + +
    @@ -227,7 +374,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -239,5 +386,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/StatisticalModelChecking@action=edit.html b/manual/RunningPRISM/StatisticalModelChecking@action=edit.html new file mode 100644 index 0000000000..e85f4fd17c --- /dev/null +++ b/manual/RunningPRISM/StatisticalModelChecking@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Statistical Model Checking | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Statistical Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/StatisticalModelChecking@action=login.html b/manual/RunningPRISM/StatisticalModelChecking@action=login.html new file mode 100644 index 0000000000..dd59b38872 --- /dev/null +++ b/manual/RunningPRISM/StatisticalModelChecking@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Statistical Model Checking | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Statistical Model Checking

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/StatisticalModelChecking@action=print.html b/manual/RunningPRISM/StatisticalModelChecking@action=print.html new file mode 100644 index 0000000000..ea62281ccc --- /dev/null +++ b/manual/RunningPRISM/StatisticalModelChecking@action=print.html @@ -0,0 +1,209 @@ + + + + + + +PRISM Manual | RunningPRISM / StatisticalModelChecking + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Statistical Model Checking

    + + +
    +

    The discrete-event simulator built into PRISM (see the section "Debugging Models With The Simulator") can also be used to generate approximate results for PRISM properties, a technique often called statistical model checking. Essentially, this is achieved by sampling: generating a large number of random paths through the model, evaluating the result of the given properties on each run, and using this information to generate an approximately correct result. This approach is particularly useful on very large models when normal model checking is infeasible. This is because discrete-event simulation is performed using the PRISM language model description, without explicitly constructing the corresponding probabilistic model. +

    +

    Currently, statistical model checking can only be applied to P or R operators +and does not support LTL-style path properties or filters. +There are also a few restrictions on the modelling language features that can be used; see below for details. +

    +

    To use this functionality, load a model and some properties into PRISM, as described in the previous sections. To generate an approximate value for one or more properties, select them in the list, right-click and select "Simulate" (as opposed to "Verify"). As usual, it is first necessary to provide values for any undefined constants. Subsequently, a dialog appears. Here, the state from which approximate values are to be computed (i.e. from which the paths will be generated) can be selected. By default, this is the initial state of the model. The other settings in the dialog concern the methods used for simulation. +

    +

    PRISM supports four different methods for performing statistical model checking: +

    +
    • CI (Confidence Interval) +
    • ACI (Asymptotic Confidence Interval) +
    • APMC (Approximate Probabilistic Model Checking) +
    • SPRT (Sequential Probability Ratio Test) +

    The first three of these are intended primarily for "quantitative" properties (e.g. of the form P=?[...]), but can also be used for "bounded" properties (e.g. of the form P<p[...]). The SPRT method is only applicable to "bounded" properties. +

    +

    Each method has several parameters that control its execution, i.e. the number of samples that are generated and the accuracy of the computed approximation. In most cases, these parameters are inter-related so one of them must be left unspecified and its value computed automatically based on the others. In some cases, this is done before simulation; in others, it must be done afterwards. +

    +

    Below, we describe each method in more detail. +For simplicity, we describe the case of checking a P operator. +Details for the case of an R operator can be found in [Nim10]. +

    +

    CI (Confidence Interval) Method

    +

    The CI method gives a confidence interval for the approximate value generated for a P=? property, based on a given confidence level and the number of samples generated. +The parameters of the method are: +

    +
    • "Width" (w) +
    • "Confidence" (alpha) +
    • "Number of samples" (N) +

    Let X denote the true result of the query P=?[...] and Y the approximation generated. +The confidence interval is [Y-w,Y+w], i.e. w gives the half-width of the interval. +The confidence level, which is usually stated as a percentage, is 100(1-alpha)%. +This means that the actual value X should fall into the confidence interval [Y-w,Y+w] 100(1-alpha)% of the time. +

    +

    To determine, for example, the width w for given alpha and N, +we use w = q * sqrt(v / N) where +q is a quantile, for probability 1-alpha/2, from the Student's t-distribution with N-1 degrees of freedom and v is (an estimation of) the variance for X. +Similarly, we can determine the required number of iterations, from w and alpha, +as N = (v * q2)/w2, where q and v are as before. +

    +

    For a bounded property P~p[...], the (Boolean) result is determined according to the generated approximation for the probability. This is not the case, however, if the threshold p falls within the confidence interval [Y-w,Y+w], in which case no value is returned. +

    +

    ACI (Asymptotic Confidence Interval) Method

    +

    The ACI method works in exactly same fashion as the CI method, except that it uses the Normal distribution to approximate the Student's t-distribution when determining the confidence interval. This is appropriate when the number of samples is large (because we can get a reliable estimation of the variance from the samples) but may be less accurate for small numbers of samples. +

    +

    APMC (Approximate Probabilistic Model Checking) Method

    +

    The APMC method, based on [HLMP04], offers a probabilistic guarantee on the accuracy of the approximate value generated for a P=? property, based on the Chernoff-Hoeffding bound. +The parameters of the method are: +

    +
    • "Approximation" (epsilon) +
    • "Confidence" (delta) +
    • "Number of samples" (N) +

    Letting X denote the true result of the query P=?[...] and Y the approximation generated, we have: +

    +
    • Prob(|Y-X| > epsilon) < delta +

    where the parameters are related as follows: +N = ln(2/delta) / 2epsilon2. +This imposes certain restrictions on the parameters, +namely that N(epsilon2) ≥ ln(2)/2. +

    +

    In similar fashion to the CI/ACI methods, the APMC method can be also be used for bounded properties such as P~p[...], as long as the threshold p falls outside the interval [Y-epsilon,Y+epsilon]. +

    +

    SPRT (Sequential Probability Ratio Test) Method

    +

    The SPRT method is specifically for bounded properties, such as P~p[...] and is based on acceptance sampling techniques [YS02]. It uses Wald's sequential probability ratio test (SPRT), which generates a succession of samples, deciding on-the-fly when an answer can be given with a sufficiently high confidence. +

    +

    The parameters of the method are: +

    +
    • "Indifference" (delta) +
    • "Type I/II error" (alpha/beta) +

    Consider a property of the form P≥p[...]. The parameter delta is used as the half-width of an indifference region [p-delta,p+delta]. PRISM will attempt to determine whether either the hypothesis P≥(p+delta)[...] or P≤(p-delta)[...] is true, based on which it will return either true or false, respectively. The parameters alpha and beta represent the probability of the occurrence of a type I error (wrongly accepting the first hypothesis) and a type II error (wrongly accepting the second hypothesis), respectively. For simplicity, PRISM assigns the same value to both alpha and beta. +

    +

    Maximum Path Length

    +

    Another setting that can be configured from the "Simulation Parameters" dialog is the maximum length of paths generated by PRISM during statistical model checking. In order to perform statistical model checking, PRISM needs to evaluate the property being checked along every generated path. For example, when checking P=? [ F<=10 "end" ], PRISM must check whether F<=10 "end" is true for each path. On this example (assuming a discrete-time model), this can always be done within the first 10 steps. For a property such as P=? [ F "end" ], however, there may be paths along which no finite fragment can show F "end" to be true or false. So, PRISM imposes a maximum path length to avoid the need to generate excessively long (or infinite) paths. +The default maximum length is 10,000 steps. +If, for a given property, statistical model checking results in one or more paths on which the property can be evaluated, an error is reported. +

    +

    Command-line Statistical Model Checking

    +

    Statistical model checking can also be enabled from the command-line version of PRISM, by including the -sim switch. The default methods used are CI (Confidence Interval) for "quantitative" properties and SPRT (Sequential Probability Ratio Test) for "bounded" properties. To select a particular method, use switch -simmethod <method> where <method> is one of ci, aci, apmc and sprt. For example: +

    +
    +
    +
    prism model.pm model.pctl -prop 1 -sim -simmethod aci
    +
    +
    [$[Get Code]]
    +
    + +

    PRISM has default values for the various simulation method parameters, but these can also be specified using the switches -simsamples, -simconf, -simwidth and -simapprox. The exact meaning of these switches for each simulation method is given in the table below. +

    +
    + + + + + +
     CIACIAPMCSPRT
    -simsamples"Num. samples""Num. samples""Num. samples"n/a
    -simconf"Confidence""Confidence""Confidence""Type I/II error"
    -simwidth"Width""Width"n/a"Indifference"
    -simapproxn/an/a"Approximation"n/a
    +

    The maximum length of simulation paths is set with switch -simpathlen. +

    +

    Limitations

    +

    Currently, the simulator does not support every part of the PRISM modelling languages. For example, it does not handle models with multiple initial states or with system...endsystem definitions. +

    +

    It is also worth pointing out that statistical model checking techniques are not well suited to models that exhibit nondeterminism, such as MDPs. This because the techniques rely on generation of random paths, which are not well defined for a MDP. PRISM does allow statistical model checking to be performed on an MDP, but does so by simply resolving nondeterministic choices in a (uniformly) random fashion (and displaying a warning message). Currently PTAs are not supported by the simulator. +

    +
    + + + + diff --git a/manual/RunningPRISM/Strategies.html b/manual/RunningPRISM/Strategies.html new file mode 100644 index 0000000000..e522a46416 --- /dev/null +++ b/manual/RunningPRISM/Strategies.html @@ -0,0 +1,416 @@ + + + + + + + + +PRISM Manual | Running PRISM / Strategies + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Strategies

    + +
    + +
    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property: +

    +
    +
    +
    Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated. +

    +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future. +

    +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    +
    + +

    A full list of available options is as follows: +

    +
    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches. +

    +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/Strategies@action=edit.html b/manual/RunningPRISM/Strategies@action=edit.html new file mode 100644 index 0000000000..93d2e9defe --- /dev/null +++ b/manual/RunningPRISM/Strategies@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Strategies | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Strategies

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/Strategies@action=login.html b/manual/RunningPRISM/Strategies@action=login.html new file mode 100644 index 0000000000..445c458a09 --- /dev/null +++ b/manual/RunningPRISM/Strategies@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Strategies | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Strategies

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/Strategies@action=print.html b/manual/RunningPRISM/Strategies@action=print.html new file mode 100644 index 0000000000..a713773189 --- /dev/null +++ b/manual/RunningPRISM/Strategies@action=print.html @@ -0,0 +1,232 @@ + + + + + + +PRISM Manual | RunningPRISM / Strategies + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Strategies

    + + +
    +

    Properties to be model checked on MDPs (and their variants, such as POMDPs or IMDPs) usually quantify over strategies (or policies) of the model, i.e., over the different possible ways that nondeterminism can be resolved in the model. +For example, this property: +

    +
    +
    +
    Pmax=? [ F "goal" ]
    +
    +
    [$[Get Code]]
    +
    + +

    determines the maximum probability, over all strategies, of reaching a state satisfying the label "goal". When checking such properties, you can also ask PRISM to generate a corresponding (optimal) strategy, which yields this maximum probability when followed. The strategy can then be viewed, exported or simulated. +

    +

    Note: For consistency across models, PRISM now uses the terminology strategy (rather than alternatives such as policy). In older versions of the tool, these were referred to as adversaries. Currently, the newer (and more extensive) strategy generation functionality is implemented just for the "explicit" model checking engine, +which is used automatically if strategy generation is requested. +The old adversary generation functionality (see below) still exists for the "sparse" engine, but will be updated in the future. +

    +

    Generating strategies. Optimal strategies can be generated either from the command-line or the graphical user interface (GUI). For the former, use the -exportstrat switch. Simple examples are: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat stdout
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.tra
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat strat.dot
    +
    +
    [$[Get Code]]
    +
    + +

    From the GUI, you can trigger strategy generation by ticking the "Generate strategy" box either on the popup menu that appears when you right-click a property, or from the "Strategies" menu at the top. As long as it is supported, a strategy will be then generated once "Verify" is clicked. +

    +

    From the same menu(s), you can then +

    +
    • export the strategy to a file +
    • view the strategy by printing it in the log +
    • explore the strategy in the simulator +

    Strategy export types. Strategies can be viewed or exported in several different formats: +

    +

    (i) Action list. This is a list of the action taken in each state of the model, e.g.: +

    +
    +
    +
    (0,0):east
    +(0,1):north
    +(0,2):north
    +(1,0):south
    +...
    +
    [$[Get Code]]
    +
    + +

    where states, by default, are shown as a tuple of variable values. +

    +

    (ii) Induced model. This is a representation of the model that is induced when the strategy is applied. There are two "modes" for this export: restrict, which shows the original model but with a restricted set of choices (e.g., an MDP with just one choice in each state); and reduce, which removes the nondeterminism resolved by the strategy (e.g., an MDP becomes a DTMC). The latter can be useful to re-import the model back into PRISM and analyse the induced model; the former is sometimes easier for visualising the strategy's choices. In each case, the transitions of the induced model are presented as a .tra file (as for normal model export), e.g.: +

    +
    +
    +
    9 9 11
    +0 0 5 1 east
    +1 0 10 1 north
    +2 0 15 0.9 north
    +2 0 16 0.1 north
    +...
    +
    [$[Get Code]]
    +
    + +

    (iii) Dot file. This is, like the previous format, a view of the model induced by the strategy, but in Dot format, which allows it to be visualised. +

    +

    Configuring strategy export. +As hinted in the command-line examples above, the -exportstrat switch uses the file extension to determine the preferred format: if the strategy is exported to a file with extension .tra or .dot, then it uses an induced model or Dot file, respectively. Otherwise, the default is an action list. You can specify the desired format: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=actions
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced
    +prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=dot
    +
    +
    [$[Get Code]]
    +
    + +

    Further options can be added, e.g., to specify whether an induced model is exported in "restrict" or "reduce" mode: +

    +
    +
    +
    prism mdp.prism -pf 'Pmax=? [ F "goal" ]' -exportstrat file.txt:type=induced,mode=reduce
    +
    +
    [$[Get Code]]
    +
    + +

    A full list of available options is as follows: +

    +
    • type (actions, induced or dot): the type of strategy export to use (action list, induced model or Dot file) +
    • mode (restrict or reduce): when exporting as an induced model or Dot file, whether to "restrict" or "reduce" the model (see above); the default is "restrict" +
    • reach (true or false): whether to restrict the strategy to states that are reachable when it is applied to the model (this is currently only used for exporting induced models and Dot files, and the default value is false and true, respectively, in these two cases) +
    • states (true or false): whether to show states, rather than state indices, for actions lists or Dot files; this is true by default +
    • obs (true or false): for partially observable models, whether to merge observationally equivalent states; this is true by default +

    Strategy types. PRISM generates several types of strategies. The simplest are memoryless deterministic strategies, which pick a single action in each state, as in the examples above. For some query types (e.g., step-bounded properties, or LTL-based properties), finite-memory strategies are generated, where an additional memory value is used. For these, induced models or Dot files are most useful since they will also show how the memory values are updated as the strategy is executed. Note that, in these cases, the state indices of the strategy will correspond to the product model constructed during model checking, not the original model. The product model can be exported using the -exportprodtrans and -exportprodstates switches. +

    +

    Adversary generation. As mentioned above, the "sparse" model checking engine still includes older so-called "adversary generation" functionality. This can be used to export the induced model to a file using the -exportadv switch, e.g.: +

    +
    +
    +
    prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadv adv.tra -s
    +prism mdp.nm -pf 'Pmax=? [ F "goal" ]' -exportadvmdp adv.tra -s
    +
    +
    [$[Get Code]]
    +
    + +

    where the -exportadv and -exportadvmdp export a DTMC and an MDP, respectively, i.e., corresponding to the "reduce" and "restrict" modes described above. +From the GUI, change the "Adversary export" option (under the "PRISM" settings) from "None" to "DTMC" or "MDP". You can also change the filename for the export adversary which, by default, is adv.tra as in the example above. +

    +
    + + + + diff --git a/manual/RunningPRISM/SupportForPEPAModels.html b/manual/RunningPRISM/SupportForPEPAModels.html index dad9fee083..464b9ca9b3 100644 --- a/manual/RunningPRISM/SupportForPEPAModels.html +++ b/manual/RunningPRISM/SupportForPEPAModels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / SupportForPEPAModels +PRISM Manual | Running PRISM / Support For PEPA Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -106,6 +240,12 @@ @@ -114,6 +254,13 @@
    + +
    @@ -130,7 +277,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -142,5 +289,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/SupportForPEPAModels@action=edit.html b/manual/RunningPRISM/SupportForPEPAModels@action=edit.html new file mode 100644 index 0000000000..e2e67beef2 --- /dev/null +++ b/manual/RunningPRISM/SupportForPEPAModels@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Support For PEPA Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Support For PEPA Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/SupportForPEPAModels@action=login.html b/manual/RunningPRISM/SupportForPEPAModels@action=login.html new file mode 100644 index 0000000000..c4308ba46f --- /dev/null +++ b/manual/RunningPRISM/SupportForPEPAModels@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Support For PEPA Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Support For PEPA Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/SupportForPEPAModels@action=print.html b/manual/RunningPRISM/SupportForPEPAModels@action=print.html new file mode 100644 index 0000000000..e91ee9cd26 --- /dev/null +++ b/manual/RunningPRISM/SupportForPEPAModels@action=print.html @@ -0,0 +1,112 @@ + + + + + + +PRISM Manual | RunningPRISM / SupportForPEPAModels + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Support For PEPA Models

    + + +
    +

    For CTMCs, PRISM also accepts model descriptions in the stochastic process algebra PEPA [Hil96]. +The tool compiles such descriptions into the PRISM language and then constructs the model as normal. +The language accepted by the PEPA to PRISM compiler is actually a subset of PEPA. +The restrictions applied to the language are firstly that component identifiers can only be bound to sequential components +(formed using prefix and choice and references to other sequential components only). +Secondly, each local state of a sequential component must be named. For example, we would rewrite: +

    +
    • P = (a,r).(b,s).P; +

    as: +

    +
    • P = (a,r).P'; +
    • P' = (b,s).P; +

    Finally, active/active synchronisations are not allowed since the PRISM +definition of these differs from the PEPA definition. Every PEPA +synchronisation must have exactly one active component. +Some examples of PEPA model descriptions which can be imported into PRISM +can be found in the prism-examples/pepa directory. +

    +

    From the command-line version of PRISM, add the -importpepa switch and the model will be treated as a PEPA description. +From the GUI, select "Model | Open model" and then choose "PEPA models" +on the "Files of type" drop-down menu. +Alternatively, select "Model | New | PEPA model" and either type a description from scratch +or paste in an existing one from elsewhere. +Once the PEPA model has been successfully parsed by PRISM, +you can view the corresponding PRISM code (as generated by the PEPA-to-PRISM compiler) +by selecting menu option "Model | View | Parsed PRISM model". +

    +
    + + + + diff --git a/manual/RunningPRISM/SupportForSBML.html b/manual/RunningPRISM/SupportForSBML.html index b5b0d833de..746e2be040 100644 --- a/manual/RunningPRISM/SupportForSBML.html +++ b/manual/RunningPRISM/SupportForSBML.html @@ -1,22 +1,25 @@ + + -PRISM Manual | RunningPRISM / SupportForSBML +PRISM Manual | Running PRISM / Support For SBML - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -178,65 +312,65 @@

    -
    <?xml version="1.0" encoding="UTF-8"?>
    -<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">

    -    <listOfCompartments>
    -      <compartment id="compartment"/>
    -    </listOfCompartments>
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>

    -    <listOfSpecies>
    -      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    -      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    -    </listOfSpecies>
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>

    -    <listOfReactions>
    -      <reaction id="forwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>forwards_rate</ci>
    -              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="forwards_rate" value="100"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>

    -      <reaction id="backwards" reversible="false">
    -        <listOfReactants>
    -          <speciesReference species="na_plus"/>
    -          <speciesReference species="cl_minus"/>
    -        </listOfReactants>
    -        <listOfProducts>
    -          <speciesReference species="na"/>
    -          <speciesReference species="cl"/>
    -        </listOfProducts>
    -        <kineticLaw>
    -          <math xmlns="http://www.w3.org/1998/Math/MathML">
    -            <apply><times/><ci>backwards_rate</ci>
    -              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    -          </math>
    -          <listOfParameters>
    -            <parameter id="backwards_rate" value="10"/>
    -          </listOfParameters>
    -        </kineticLaw>
    -      </reaction>
    -    </listOfReactions>
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>

    </model>
    -</sbml>
    </model>
    +</sbml>
    [$[Get Code]]
    @@ -335,7 +469,7 @@

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator):

    -

    Expected amount of Na/Na+ at time T
    +

    Expected amount of Na/Na+ at time T

    Using the translator

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself. @@ -419,6 +553,12 @@

    @@ -427,6 +567,13 @@
    + +
    @@ -443,7 +590,7 @@

    PRISM Manual

  • Statistical Model Checking
  • Computing Steady-state And Transient Probabilities
  • Experiments -
  • Adversaries +
  • Strategies
  • Support For PEPA Models
  • Support For SBML
  • Explicit Model Import @@ -455,5 +602,8 @@

    PRISM Manual

    • + + diff --git a/manual/RunningPRISM/SupportForSBML@action=edit.html b/manual/RunningPRISM/SupportForSBML@action=edit.html new file mode 100644 index 0000000000..4ef8f7922d --- /dev/null +++ b/manual/RunningPRISM/SupportForSBML@action=edit.html @@ -0,0 +1,277 @@ + + + + + + + + +PRISM Manual | Running PRISM / Support For SBML | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Support For SBML

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/SupportForSBML@action=login.html b/manual/RunningPRISM/SupportForSBML@action=login.html new file mode 100644 index 0000000000..554142c525 --- /dev/null +++ b/manual/RunningPRISM/SupportForSBML@action=login.html @@ -0,0 +1,275 @@ + + + + + + + + +PRISM Manual | Running PRISM / Support For SBML | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    Running PRISM / +

    Support For SBML

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/RunningPRISM/SupportForSBML@action=print.html b/manual/RunningPRISM/SupportForSBML@action=print.html new file mode 100644 index 0000000000..0ecd4b473a --- /dev/null +++ b/manual/RunningPRISM/SupportForSBML@action=print.html @@ -0,0 +1,425 @@ + + + + + + +PRISM Manual | RunningPRISM / SupportForSBML + + + + + + + + + + + + + + + + + + +

    Running PRISM / +

    Support For SBML

    + + +
    +

    PRISM includes a (prototype) tool to translate specifications in SBML (Systems Biology Markup Language) to model descriptions in the PRISM language. SBML is an XML-based format for representing models of biochemical reaction networks. The translator currently works with Level 2 Version 1 of the SBML specification, details of which can be found here. +

    +

    Since PRISM is a tool for analysing discrete-state systems, the translator is designed for SBML files intended for discrete stochastic simulation. A useful set of such files can be found in the CaliBayes Discrete Stochastic Model Test Suite. There are also many more SBML files available in the BioModels Database. +

    +

    We first give a simple example of an SBML file and its PRISM translation. We then give some more precise details of the translation process. +

    +

    Example

    +

    An SBML file comprises a set of species and a set of reactions which they undergo. Below is the SBML file for the simple reversible reaction: Na + Cl ↔ Na+ + Cl-, where there are initially 100 Na and Cl atoms and no ions, and the base rates for the forwards and backwards reactions are 100 and 10, respectively. +

    +
    +
    +
    <?xml version="1.0" encoding="UTF-8"?>
    +<sbml xmlns="http://www.sbml.org/sbml/level2" metaid="_000000" level="2" version="1">
    <model id="nacl" name="Na+Cl">
    +
    +    <listOfCompartments>
    +      <compartment id="compartment"/>
    +    </listOfCompartments>
    +
    +    <listOfSpecies>
    +      <species id="na" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="cl" initialAmount="100" hasOnlySubstanceUnits="true"/>
    +      <species id="na_plus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +      <species id="cl_minus" initialAmount="0" hasOnlySubstanceUnits="true"/>
    +    </listOfSpecies>
    +
    +    <listOfReactions>
    +      <reaction id="forwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>forwards_rate</ci>
    +              <apply><times/><ci>na</ci><ci>cl</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="forwards_rate" value="100"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +
    +      <reaction id="backwards" reversible="false">
    +        <listOfReactants>
    +          <speciesReference species="na_plus"/>
    +          <speciesReference species="cl_minus"/>
    +        </listOfReactants>
    +        <listOfProducts>
    +          <speciesReference species="na"/>
    +          <speciesReference species="cl"/>
    +        </listOfProducts>
    +        <kineticLaw>
    +          <math xmlns="http://www.w3.org/1998/Math/MathML">
    +            <apply><times/><ci>backwards_rate</ci>
    +              <apply><times/><ci>na_plus</ci><ci>cl_minus</ci></apply></apply>
    +          </math>
    +          <listOfParameters>
    +            <parameter id="backwards_rate" value="10"/>
    +          </listOfParameters>
    +        </kineticLaw>
    +      </reaction>
    +    </listOfReactions>
    +
    </model>
    +</sbml>
    +
    [$[Get Code]]
    +
    + +

    And here is the resulting PRISM code: +

    +
    +
    +
    // File generated by automatic SBML-to-PRISM conversion
    +// Original SBML file: nacl.xml
    +
    +ctmc
    +
    +const int MAX_AMOUNT = 100;
    +
    +// Parameters for reaction forwards
    +const double forwards_rate = 100; // forwards_rate
    +
    +// Parameters for reaction backwards
    +const double backwards_rate = 10; // backwards_rate
    +
    +// Species na
    +const int na_MAX = MAX_AMOUNT;
    +module na
    +
    + na : [0..na_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] na > 0 -> (na'=na-1);
    + // backwards
    + [backwards]  na <= na_MAX-1 -> (na'=na+1);
    +
    +endmodule
    +
    +// Species cl
    +const int cl_MAX = MAX_AMOUNT;
    +module cl
    +
    + cl : [0..cl_MAX] init 100; // Initial amount 100
    +
    + // forwards
    + [forwards] cl > 0 -> (cl'=cl-1);
    + // backwards
    + [backwards]  cl <= cl_MAX-1 -> (cl'=cl+1);
    +
    +endmodule
    +
    +// Species na_plus
    +const int na_plus_MAX = MAX_AMOUNT;
    +module na_plus
    +
    + na_plus : [0..na_plus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  na_plus <= na_plus_MAX-1 -> (na_plus'=na_plus+1);
    + // backwards
    + [backwards] na_plus > 0 -> (na_plus'=na_plus-1);
    +
    +endmodule
    +
    +// Species cl_minus
    +const int cl_minus_MAX = MAX_AMOUNT;
    +module cl_minus
    +
    + cl_minus : [0..cl_minus_MAX] init 0; // Initial amount 0
    +
    + // forwards
    + [forwards]  cl_minus <= cl_minus_MAX-1 -> (cl_minus'=cl_minus+1);
    + // backwards
    + [backwards] cl_minus > 0 -> (cl_minus'=cl_minus-1);
    +
    +endmodule
    +
    +// Reaction rates
    +module reaction_rates
    +
    + // forwards
    + [forwards] (forwards_rate*(na*cl)) > 0 -> (forwards_rate*(na*cl)) : true;
    + // backwards
    + [backwards] (backwards_rate*(na_plus*cl_minus)) > 0 -> (backwards_rate*(na_plus*cl_minus)) : true;
    +
    +endmodule
    +
    +// Reward structures (one per species)
    +
    +// 1
    +rewards "na" true : na; endrewards
    +// 2
    +rewards "cl" true : cl; endrewards
    +// 3
    +rewards "na_plus" true : na_plus; endrewards
    +// 4
    +rewards "cl_minus" true : cl_minus; endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    From the latter, we can use PRISM to generate a simple plot of the expected amount of Na and Na+ over time (using both model checking and a single random trace from the simulator): +

    +

    Expected amount of Na/Na+ at time T
    +
    +

    Using the translator

    +

    At present, the SBML-to-PRISM translator is included in the PRISM code-base, but not integrated into the application itself. +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    If you are using a binary (rather than source code) distribution of PRISM, replace classes with lib/prism.jar in the above. +

    +

    Alternatively (on Linux or Mac OS X), ensure prism is in your path and then save the script below as an executable file called sbml2prism: +

    +
    +
    +
    #!/bin/sh
    +
    +# Startup script for SBML-to-PRISM translator
    +
    +# Launch using main PRISM script
    +PRISM_MAINCLASS="prism.SBML2Prism"
    +export PRISM_MAINCLASS
    +prism "$@"
    +
    [$[Get Code]]
    +
    + +

    Then use: +

    +
    +
    +
    sbml2prism sbml_file.xml > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    The following PRISM properties file will also be useful: +

    +
    +
    +
    const double T;
    +const int c;
    +
    +R{c}=? [I=T]
    +
    +
    [$[Get Code]]
    +
    + +

    This contains a single property which, based on the reward structures in the PRISM model generated by the translator, means "the expected amount of species c at time T". The constant c is an integer index which can range between 1 and N, where N is the number of species in the model. To view the expected amount of each species over time, create an experiment in PRISM which varies c from 1 to N and T over the desired time range. +

    +
    +

    Details of the translation

    +

    The basic structure of the translation process is as follows: +

    +
    • Each species in the SBML file is represented by a module in the resulting PRISM file. This module, which (where possible) retains the SBML species id as its name, contains a single variable whose value represents the amount of the species present. A corresponding reward structure for computing the expected amount of the species at a given time instant is also created. Species for which the boundaryCondition flag is set to true in the SBML file do not have a corresponding module. +
    • Each reaction in the SBML file is associated with a unique synchronisation action label. The module for each species which takes part in the reaction will include a synchronous command to represent this. An additional PRISM module called reaction_rates stores the expression representing the rate of each reaction (from the corresponding kineticLaw section in the SBML file). Reaction stoichiometry information is respected but must be provided in the scalar stoichiometry field of a speciesReference element, not in a separate StoichiometryMath element. +
    • Each parameter in the SBML file, either global to the file or specific to a reaction, becomes a constant in the PRISM file. If a value for this parameter is given, it used. If not, the constant is left as undefined. +

    As described above, this translation process is designed for discrete systems and so the amount of each species in the model is represented by an integer variable. It is therefore assumed that the initial amount for each species specified in the SBML file is also given as an integer. If this is not the case, then the values will need to be scaled accordingly first. +

    +

    Furthermore, since PRISM is primarily a model checking (rather than simulation) tool, it is important that the amount of each species also has an upper bound (to ensure a finite state space). When model checking, the efficiency (or even feasibility) of the process is likely to be very sensitive to the upper bound(s) chosen. When using the discrete-event simulation functionality of PRISM, this is not the case and the bounds can can be set much higher. By default the translator uses an upper bound of 100 (which is increased if the initial amount exceeds this). A different value can specified through a second command-line argument as follows: +

    +
    +
    +
    cd prism
    +java -cp classes prism.SBML2Prism sbml_file.xml 1000 > prism_file.sm
    +
    +
    [$[Get Code]]
    +
    + +

    Alternatively, upper bounds can be modified manually after the translation process. +

    +

    Finally, The following aspects of SBML files are not currently supported and are ignored during the translation process: +

    +
    • compartments +
    • events/triggers +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/AllOnOnePage.html b/manual/ThePRISMLanguage/AllOnOnePage.html index 673a890c6d..5c22263876 100644 --- a/manual/ThePRISMLanguage/AllOnOnePage.html +++ b/manual/ThePRISMLanguage/AllOnOnePage.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Real-time Models +PRISM Manual | The PRISM Language / Real-time Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -774,7 +908,7 @@

    Formulas And Labels

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself.

    Labels

    -

    PRISM models can also contain labels. These are are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files.

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; secondly, they are written using quotation marks ("..."), as illustrated in the following example: @@ -907,7 +1041,7 @@

    Real-time Models

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA:

    -
    +

    and here is a corresponding PRISM model:

    @@ -932,7 +1066,7 @@

    Real-time Models

    [$[Get Code]]
    -

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. These must be local to a particular module, not global. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs.

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0.

    @@ -944,8 +1078,7 @@

    Real-time Models

    For the stochastic games and backwards reachability engines:

    -
    • Modules cannot read the local variables of other modules and global variables are not permitted. -
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +
      • The model must also have a single initial state (i.e. the init...endinit construct is not permitted).

      For the digital clocks engine:

      • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. @@ -959,7 +1092,7 @@

        Partially Observable Models

        PRISM supports analysis of partially observable probabilistic models, most notably partially observable Markov decision processes (POMDPs), but also partially observable probabilistic timed automata (POPTAs). -POMDPs are a variant of MDPs in which the strategy/policy/adversary +POMDPs are a variant of MDPs in which the strategy/policy which resolves nondeterministic choices in the model is unable to see the precise state of the model, but instead just observations of it. For background material on POMDPs and POPTAs, see for example [NPZ17]. @@ -1011,6 +1144,29 @@

        Partially Observable Models

        so inherit the restrictions for that engine. Furthermore, for a POPTA, all clock variables must be observable.

        +

        Uncertain models

        +

        PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

        +

        Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

        +
        +
        +
        [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
        +
        +
        [$[Get Code]]
        +
        + +

        As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

        +
        +
        +
        [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
        +
        +
        [$[Get Code]]
        +
        + +

        See the property specification section for details of how these models are analysed. +

        Process Algebra Operators

        To make the concept of synchronisation described above more powerful, PRISM allows you to define precisely the way in which the set of modules are composed in parallel. @@ -1057,6 +1213,12 @@

        PRISM Model Files

        @@ -1065,6 +1227,13 @@

        PRISM Model Files

    + +
    @@ -1092,6 +1261,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -1101,5 +1271,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/AllOnOnePage@action=edit.html b/manual/ThePRISMLanguage/AllOnOnePage@action=edit.html new file mode 100644 index 0000000000..09913d2a08 --- /dev/null +++ b/manual/ThePRISMLanguage/AllOnOnePage@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / All On One Page | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/AllOnOnePage@action=login.html b/manual/ThePRISMLanguage/AllOnOnePage@action=login.html new file mode 100644 index 0000000000..0f088cbe17 --- /dev/null +++ b/manual/ThePRISMLanguage/AllOnOnePage@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / All On One Page | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    All On One Page

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/AllOnOnePage@action=print.html b/manual/ThePRISMLanguage/AllOnOnePage@action=print.html new file mode 100644 index 0000000000..dbef36b9a2 --- /dev/null +++ b/manual/ThePRISMLanguage/AllOnOnePage@action=print.html @@ -0,0 +1,1087 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Real-time Models + + + + + + + + + + + + + + + + + + +
    +

    The PRISM Language

    +
    +

    Introduction

    +

    In order to construct and analyse a model with PRISM, +it must be specified in the PRISM language, +a simple, state-based language, +based on the Reactive Modules formalism of Alur and Henzinger [AH99]. +This is used for all of the types of model that PRISM supports. +

    +

    In this section, we describe the PRISM language and present a number of small illustrative examples. +A precise definition of the semantics of the language is available from the "Documentation" section of the PRISM web site. One of the best ways to learn what can be done with the PRISM language is to look at some existing examples. +A number of these are included with the tool distribution in the prism-examples directory. +Many additional examples can be found on the "Case Studies" section of the PRISM website. +

    +

    The fundamental components of the PRISM language are modules and variables. +A model is composed of a number of modules which can interact with each other. +A module contains a number of local variables. +The values of these variables at any given time constitute the state of the module. +The global state of the whole model is determined by the local state of all modules. +The behaviour of each module is described by a set of commands. +A command takes the form: +

    +
    +
    +
    [action] guard -> prob_1 : update_1 + ... + prob_n : update_n;
    +
    +
    [$[Get Code]]
    +
    + +

    The guard is a predicate over all the variables in the model (including those belonging to other modules). Each update describes a transition which the module can make if the guard is true. A transition is specified by giving the new values of the variables in the module, possibly as a function of other variables. Each update is assigned a probability (or in some cases a rate) which will be assigned to the corresponding transition. The command also optionally includes an action, either just to annotate it, or for synchronisation. +

    +

    Example 1

    +

    We will use the following simple example to illustrate the basic concepts of the PRISM language. +Consider a system comprising two identical processes which must operate under mutual exclusion. +Each process can be in one of 3 states: {0,1,2}. +From state 0, a process will move to state 1 with probability 0.2 +and remain in the same state with probability 0.8. +From state 1, it tries to move to the critical section: state 2. +This can only occur if the other process is not in its critical section. +Finally, from state 2, a process will either remain there or move back to state 0 +with equal probability. +The PRISM code to describe an MDP model of this system can be seen below. +In the next sections, we explain each aspect of the code in turn. +

    +
    +
    +
    // Example 1
    +// Two process mutual exclusion
    +
    +mdp
    +
    +module M1
    +
    +    x : [0..2] init 0;
    +
    +    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +    [] x=1 & y!=2 -> (x'=2);
    +    [] x=2 -> 0.5:(x'=2) + 0.5:(x'=0);
    +
    +endmodule
    +
    +module M2
    +
    +    y : [0..2] init 0;
    +
    +    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +    [] y=1 & x!=2 -> (y'=2);
    +    [] y=2 -> 0.5:(y'=2) + 0.5:(y'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 1 +

    +

    Model Type

    +

    As mentioned above, the PRISM language can be used to describe several types of probabilistic models. +To indicate which type is being described, a PRISM model usually includes a model type keyword: +

    +
    • dtmc: discrete-time Markov chain +
    • ctmc: continuous-time Markov chain +
    • mdp: Markov decision process (or probabilistic automaton) +
    • pta: probabilistic timed automaton +
    • pomdp: partially observable Markov decision process +
    • popta: partially observable probabilistic timed automaton +

    This is typically at the very start of the file, +but can actually occur anywhere in the file (except inside modules and other declarations). +

    +

    If no such model type declaration is included, the model is by default assumed to be an MDP. +PRISM also performs some auto-detection of the model type; +for example, an MDP with clock variables is assumed to be a PTA, +and an MDP with observables? is assumed to be a POMDP. +

    +

    Note: For compatibility with old versions of PRISM, +the keywords probabilistic, stochastic and nondeterministic +can be used as alternatives for dtmc, ctmc and mdp, respectively. +

    +
    +

    Modules And Variables

    +

    The previous example uses two modules, M1 and M2, one representing each process. +A module is specified as: +

    +
    +
    +
    module name ... endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The definition of a module contains two parts: its variables and its commands. +The variables describe the possible states that the module can be in; +the commands describe its behaviour, i.e. the way in which the state changes over time. +Currently, PRISM supports just a few simple types of variables: +they can either be (finite ranges of) integers or Booleans +(we ignore clocks for now). +

    +

    In the example above, each module has one integer variable with range [0..2]. +A variable declaration looks like: +

    +
    +
    +
    x : [0..2] init 0;
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the initial value of the variable is also specified. +A Boolean variable is declared as follows: +

    +
    +
    +
    b : bool init false;
    +
    +
    [$[Get Code]]
    +
    + +

    It is also possible to omit the initial value of a variable, +in which case it is assumed to be the lowest value in the range (or false for a Boolean). +Thus, the variable declarations shown below are equivalent to the ones above. +As will be described later, it is also possible to specify +multiple initial states for a model. +

    +
    +
    +
    x : [0..2];
    +b : bool;
    +
    +
    [$[Get Code]]
    +
    + +

    We also mention that, for a few kinds of model analysis (typically those based on simulation, such as approximate model checking or fast adaptive simulation, it is also permissable to use integer variables with unbounded ranges, denoted as: +

    +
    +
    +
    x : int;
    +y : int init 3;
    +
    +
    [$[Get Code]]
    +
    + +

    Where the state space of the model remains finite, despite the presence of such unbounded variables, you can use the explicit engine to build and analyse the model. +

    +

    Identifiers

    +

    The names given to modules and variables are referred to as identifiers. +Identifiers can be made up of letters, digits and the underscore character, but cannot begin with a digit, +i.e. they must satisfy the regular expression [A-Za-z_][A-Za-z0-9_]*, and are case-sensitive. +Furthermore, identifiers cannot be any of the following, which are all reserved keywords in PRISM: +A, +bool, +clock, +const, +ctmc, +C, +double, +dtmc, +E, +endinit, +endinvariant, +endmodule, +endobservables, +endrewards, +endsystem, +false, +formula, +filter, +func, +F, +global, +G, +init, +invariant, +I, +int, +label, +max, +mdp, +min, +module, +X, +nondeterministic, +observable, +observables, +of, +Pmax, +Pmin, +P, +pomdp, +popta, +probabilistic, +prob, +pta, +rate, +rewards, +Rmax, +Rmin, +R, +S, +stochastic, +system, +true, +U, +W. +

    +

    Commands

    +

    The behaviour of each module is described by commands, +comprising a guard and one or more updates. +The first command of module M1 in our example is: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    The guard x=0 indicates that this describes the behaviour of the module when the variable x has value 0. +The updates (x'=0) and (x'=1) and their associated probabilities state that the value of x will +remain at 0 with probability 0.8 and change to 1 with probability 0.2. +Note that the inclusion of updates in parentheses, e.g. (x'=1), is essential. +While older versions of PRISM did not report the absence of parentheses as an error, newer versions do. +Note also that PRISM will complain if the probabilities on the right hand side of a command do not sum to one. +

    +

    The second command: +

    +
    +
    +
    [] x=1 & y!=2 -> (x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    illustrates that guards can contain constraints on any variable, not just the ones in that module, +i.e. the behaviour of one module can depend on the state of another. +Updates, however, can only specify values for variables belonging to the module. +In general a module can read the variables of any other module, but only write to its own. +When a command comprises a single update with probability 1, the 1.0: can be omitted, +as is done in the example above. +

    +

    If a module has more than one variable, updates describe the new value for each of them. +For example, if it had two variables x1 and x2, a possible command would be: +

    +
    +
    +
    [] x1=0 & x2>0 & x2<10 -> 0.5:(x1'=1)&(x2'=x2+1) + 0.5:(x1'=2)&(x2'=x2-1);
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that elements of the updates are concatenated with & and that each element must be bracketed individually. +If an update does not give a new value for a local variable, it is assumed not to change. +As a special case, the keyword true can be used to denote an update where no variable's value changes, i.e. the following are all equivalent: +

    +
    +
    +
    [] x1>10 | x2>10 -> (x1'=x1)&(x2'=x2);
    +[] x1>10 | x2>10 -> (x1'=x1);
    +[] x1>10 | x2>10 -> true;
    +
    +
    [$[Get Code]]
    +
    + +

    Finally, it is important to remember that the expressions on the right hand side of each update refer to the state of the model before the update occurs. So, for example, this command: +

    +
    +
    +
    [] x1=0 & x2=1 -> (x1'=2)&(x2'=x1)
    +
    +
    [$[Get Code]]
    +
    + +

    updates variable x2 to 0, not 2. +

    +
    +

    Parallel Composition

    +

    The probabilistic model corresponding to a PRISM language description is constructed as the parallel composition of its modules. In every state of the model, there is a set of commands (belonging to any of the modules) which are enabled, i.e. whose guards are satisfied in that state. The choice between which command is performed (i.e. the scheduling) depends on the model type. +

    +

    For an MDP, as in Example 1, the choice is nondeterministic. By way of example, consider state (0,0) (i.e. x=0 and y=0). There are two commands enabled, one from each module: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    In state (0,0) of the MDP, there would be a nondeterministic choice between these two probability distributions: +

    +
    • 0.8:(0,0) + 0.2:(1,0) (module M1 moves) +
    • 0.8:(0,0) + 0.2:(0,1) (module M2 moves) +

    For a DTMC, the choice is probabilistic: each enabled command is selected with equal probability. +If Example 1 was a DTMC, then in state (0,0) of the model +the following probability distribution would result: +

    +
    • 0.8:(0,0) + 0.1:(1,0) + 0.1:(0,1) +

    For a CTMC, as will be discussed shortly, +the choice is modelled as a "race" between transitions. +

    +

    See the later sections on "Synchronisation" and "Process Algebra Operators" for other topics related to parallel composition. +

    +

    Local Nondeterminism

    +

    PRISM models that support nondeterminism, such as are MDPs, can also exhibit local nondeterminism, +which allows the modules themselves to make nondeterministic choices. +In Example 1, we can make the probabilistic choice in the first state of module M1 nondeterministic by replacing the command: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    with the commands: +

    +
    +
    +
    [] x=0 -> (x'=0);
    +[] x=0 -> (x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    Assuming we do the same for module M2, in state (0,0) of the MDP +there will be a nondeterministic choice between the three (trivial) probability distributions listed below. (There are three, not four, distributions because two possibilities result in identical behaviour: staying with probability 1 in the state state.) +

    +
    • 1.0:(0,0) +
    • 1.0:(1,0) +
    • 1.0:(0,1) +

    More generally, local nondeterminism can also arise when the guards of two commands overlap only partially, rather than completely as in the example above. +

    +

    PRISM also permits local nondeterminism in models which are DTMCs, +although the nondeterministic choice is randomised when the parallel composition of the modules occurs. +Since the appearance of nondeterminism in a DTMC is often the result of +a user error in the model specification, PRISM displays a warning when local nondeterminism is detected in a DTMC. +Overlapping guards in CTMCs are not treated as nondeterministic choices. +

    +
    +

    CTMCs

    +

    Specifying the behaviour of a continuous-time Markov chain (CTMC) +is done in similar fashion to a DTMC or an MDP, as discussed so far. +The main difference is that updates in commands are +labelled with (positive-valued) rates, rather than probabilities. +The notation used in commands, however, to associate rates to transitions is identical to +the one used to assign probabilities: +

    +
    +
    +
    rate_1:update_1 + rate_2:update_2 + ...
    +
    +
    [$[Get Code]]
    +
    + +

    In a CTMC, when multiple possible transitions are available in a state, a race condition occurs +(see e.g. [KNP07a] for more details). +In terms of PRISM commands, this can arise in several ways. +Firstly, within in a module, multiple transitions can be specified either as several different updates in a command, or as multiple commands with overlapping guards. The following, for example. are equivalent: +

    +
    +
    +
    [] x=0 -> 50:(x'=1) + 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] x=0 -> 50:(x'=1);
    +[] x=0 -> 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    Furthermore, parallel composition between modules in a CTMC is modelled as a race condition, +rather as a nondeterministic choice, like for MDPs. +

    +

    Example 2

    +

    We now introduce a second example: a CTMC that models an N-place queue of jobs and +a server which removes jobs from the queue and processes them. +The PRISM code is as follows: +

    +
    +
    +
    // Example 2
    +// N-place queue + server
    +
    +ctmc
    +
    +const int N = 10;
    +const double mu = 1/10;
    +const double lambda = 1/2;
    +const double gamma = 1/3;
    +
    +module queue
    +     q : [0..N];
    +
    +     [] q<N -> mu:(q'=q+1);
    +     [] q=N -> mu:(q'=q);
    +     [serve] q>0 -> lambda:(q'=q-1);
    +endmodule
    +
    +module server
    +     s : [0..1];
    +
    +     [serve] s=0 -> 1:(s'=1);
    +     [] s=1 -> gamma:(s'=0);
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 2 +

    +

    This example also introduces a number of other PRISM language concepts, +including constants, action labels and synchronisation. +These are described in the following sections. +

    +

    Constants

    +

    PRISM supports the use of constants, as seen in Example 2. +Constants can be integers, doubles or Booleans +and can be defined using literal values or as constant expressions (including in terms of each other) using the const +keyword. For example: +

    +
    +
    +
    const int radius = 12;
    +const double pi = 3.141592;
    +const double area = pi * radius * radius;
    +const bool yes = true;
    +
    +
    [$[Get Code]]
    +
    + +

    The identifiers used for their names are subject to the same rules as variables. +

    +

    Constants can be used anywhere that a constant value would be expected, +such as the lower or upper range of a variable (e.g. N in Example 2), +the probability or rate associated with an update (mu in Example 2), +or anywhere in a guard or update. +As will be described later constants can also be left undefined +and specified later, either to a single value or a range of values, using experiments. +

    +

    Note: For the sake of backward-compatibility, the notation used in earlier versions of PRISM +(const for const int and rate or prob for const double) is still supported. +

    +

    Expressions

    +

    The definition of the area constant, in the example above, uses an expression. +We now define more precisely what types of expression are supported by PRISM. +Expressions can contain literal values (12, 3.141592, true, false, etc.), +identifiers (corresponding to variables, constants, etc.) and operators from the following list: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +

    All of these operators except ? are left associative +(i.e. they are evaluated from left to right). +The precedence of the operators is as found in the list above, +most strongly binding operators first. +Operators on the same line (e.g. + and -) are of equal precedence. +

    +

    Much of the notation for expressions is hence essentially equivalent to that of C/C++ or Java. +One notable exception to this is that the division operator / always performs floating point, not integer, division, +i.e. the result of 22/7 is 3.142857... not 3. +All expressions must evaluate correctly in terms of type (integer, double or Boolean). +

    +

    Built-in Functions +

    +

    Expressions can make use of several built-in functions: +

    +
    • min(...) and max(...), which select the minimum and maximum value, respectively, of two or more numbers +
    • floor(x) and ceil(x), which round x down and up, respectively, to the nearest integer +
    • round(x), which rounds x to the nearest integer (note, in a tie-break, we always round up, e.g. round(-1.5) gives -1 not -2) +
    • pow(x,y) which computes x to the power of y +
    • mod(i,n) for integer modulo operations +
    • log(x,b), which computes the logarithm of x to base b +

    Examples of their usage are: +

    +
    +
    +
    min(x+1, x_max)
    +max(a,b,c)
    +floor(13.5)
    +ceil(13.5)
    +round(13.5)
    +pow(2, 8)
    +pow(9.0, 0.5)
    +mod(1977, 100)
    +log(123, 2.71828183)
    +
    +
    [$[Get Code]]
    +
    + +

    For compatibility with older versions of PRISM, all functions can also be expressed via the func keyword, e.g. func(floor, 13.5). +

    +

    Use of Expressions +

    +

    Expressions can be used in a wide range of places in a PRISM language description, e.g.: +

    +
    • constant definitions +
    • lower/upper bounds and initial values for variables +
    • guards +
    • probabilities/rates +
    • updates +

    This allows, for example, the probability in a command to be dependent on the current state: +

    +
    +
    +
    [] (x>=1 & x<=10) -> x/10 : (x'=max(1,x-1)) + 1-x/10 : (x'=min(10,x+1))
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Synchronisation

    +

    Another feature of PRISM introduced in Example 2 is synchronisation. +In the style of many process algebras, we allow commands to be labelled with actions. +These are placed inside the square brackets which mark the start of the command, +for example serve in this command from Example 2: +

    +
    +
    +
    [serve] q>0 -> lambda:(q'=q-1);
    +
    +
    [$[Get Code]]
    +
    + +

    These actions can be used to force two or more modules to make transitions simultaneously +(i.e. to synchronise). +For example, in state (3,0) (i.e. q=3 and s=0), +the composed model can move to state (2,1), +synchronising over the serve action. +The rate of this transition is equal to the product of the two individual rates +(in this case, lambda * 1 = lambda). +The product of two rates does not always meaningfully represent the rate of a synchronised transition. +A common technique, as seen here, is to make one action passive, with rate 1 and one action active, +which actually defines the rate for the synchronised transition. +By default, all modules are combined using the standard CSP parallel composition +(i.e. modules synchronise over all their common actions). +

    +

    Module Renaming

    +

    PRISM also supports module renaming, which allows duplication of modules. +In Example 1, module M2 is identical to module M1 so we can in fact replace its entire definition with: +

    +
    +
    +
    module M2 = M1 [ x=y, y=x ] endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    All of the variables in the module being renamed (in this case, just x) must be renamed to new, unused names. Optionally, it is also possible to rename other aspects of the module definition. In fact, the renaming is done at a textual level, so any identifiers (including action labels, constants and functions) used in the module definition can be changed in this way. +

    +

    Note: Care should be taken when renaming modules that make use of formulas. +

    +

    Multiple Initial States

    +

    Typically, a variable declaration +specifies the initial value for that variable. +The initial state for the model is then defined by the initial value for all variables. +It is possible, however, to specify that a model has multiple initial states. +This is done using the init...endinit construct, +which can be placed anywhere in the file except within a module definition, +and removing any initial values from variable declarations. +Between the init and endinit keywords, there should be a +predicate over all the variables of the model. +Any state which satisfies this predicate is an initial state. +

    +

    Consider again Example 1. +As it stands, there is a single initial state (0,0) (i.e. x=0 and y=0). +If we remove the init 0 part of both variable declarations +and add the following to the end of the file: +

    +
    +
    +
    init x=0 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    there will be three initial states: (0,0), (0,1) and (0,2). +Similarly, we could instead add: +

    +
    +
    +
    init x+y=1 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    in which case there would be two initial states: (0,1) and (1,0). +

    +

    Global Variables

    +

    In addition to the local variables belonging to each module, a PRISM model can also include global variables, +which can be written to, as well as read, by all modules. +Like local variables, these can be integers or Booleans. +Global variables are declared in identical fashion to a module's local variables, +except that the declaration must not be inside the definition of any module. +Some example declarations are as follows: +

    +
    +
    +
    global g : [1..10];
    +global b : bool init true;
    +
    +
    [$[Get Code]]
    +
    + +

    A global variable can be modified by any module and provides another way for modules to interact. +An important restriction on the use of global variables is the fact that commands which synchronise with other modules +(i.e. those with an action label attached; see the section "Synchronisation") cannot modify global variables. +PRISM will detect this and report an error. +

    +

    Formulas And Labels

    +

    PRISM models can include formulas which are used to avoid duplication of code. +A formula comprises a name (an identifier) and an expression. +The formula name can then be used as shorthand for the expression anywhere an expression might usually be accepted. +A formula is defined as follows: +

    +
    +
    +
    formula num_tokens = q1+q2+q3+q+q5;
    +
    +
    [$[Get Code]]
    +
    + +

    It can then be used anywhere within that file, as for example in this command: +

    +
    +
    +
    [] p1=2 & num_tokens=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    The effect is exactly as if the following had been typed: +

    +
    +
    +
    [] p1=2 & (q1+q2+q3+q+q5)=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    Formulas defined in a model can also be used when specifying its properties. +

    +

    Formulas and renaming

    +

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself. +

    +

    Labels

    +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    +

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; +secondly, they are written using quotation marks ("..."), as illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Costs And Rewards

    +

    PRISM supports the specification and analysis of +properties based on costs and rewards. +This means that it can be used to reason, +not just about the probability that a model behaves in a certain fashion, +but about a wider range of quantitative measures relating to model behaviour. +For example, PRISM can be used to compute properties such as +"expected time", "expected number of lost messages" or "expected power consumption". +The implementation of cost- and reward-based techniques in the tool is only partially completed and is still ongoing. +If you have questions, comments or feature-requests relating to this functionality, +please feel free to contact the PRISM team about this. +

    +

    The basic idea is that probabilistic models (of all types) developed in PRISM +can be augmented with costs or rewards: real values associated with certain states or transitions of the model. +In fact, since there is no practical distinction between costs and rewards +(except that costs are generally perceived to be "bad" and rewards to be "good"), +PRISM only supports rewards. +The user is, however, free to interpret the values however they choose. +

    +

    In this section, we describe how models described in the PRISM language +can be augmented with rewards. +Later, we will discuss how to express properties that relate to these rewards. +Rewards are associated with models using rewards ... endrewards constructs, +which can appear anywhere in a model file except within a module definition. +These constructs contains one or more reward items. +Consider the following simple example: +

    +
    +
    +
    rewards
    +    true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    This assigns a reward of 1 to every state of the model. +It comprises a single reward item, the left part of which (true) is a guard +and the right part of which (1) is a reward. +States of the model which satisfy the predicate in the guard are assigned the corresponding reward. +More generally, state rewards can be specified using multiple reward items, +each of the form guard : reward;, +where guardis a predicate (over all the variables of the model) +and reward is an expression (containing any variables, constants, etc. from the model). +For example: +

    +
    +
    +
    rewards
    +    x=0 : 100;
    +    x>0 & x<10 : 2*x;
    +    x=10 : 100;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 100 to states satisfying x=0 or x=10 +and a reward of 2*x to states satisfying x>0 & x<10. +Note that a single reward item can assign different rewards to different states, +depending on the values of model variables in each one. +Any states which do not satisfy the guard of any reward item will have no reward assigned to them. +For states which satisfy multiple guards, the reward assigned to the state +is the sum of the rewards for all the corresponding reward items. +

    +

    Rewards can also be assigned to transitions of a model. +These are specified in a similar fashion to state rewards, +within the rewards ... endrewards construct. +Reward items describing transition rewards are of the form [action] guard : reward;, +the interpretation being that transitions from states which satisfy the guard guard +and are labelled with the action action acquire the reward reward. +For example: +

    +
    +
    +
    rewards
    +    [] true : 1;
    +    [a] true : x;
    +    [b] true : 2*x;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 1 to all transitions in the model with no action label, +and rewards of x and 2*x to all transitions labelled with actions a and b, respectively. +

    +

    As is the case for states, multiple reward items can specify rewards for a single transition, +in which case the resulting reward is the sum of all the individual rewards. +A model description can specify rewards for both states and transitions. +These are all placed together in a single rewards...endrewards construct. +

    +

    A PRISM model can have multiple reward structures. Optionally, these can be given labels such as in the following example: +

    +
    +
    +
    rewards "total_time"
    +    true : 1;
    +endrewards
    +
    +rewards "num_failures"
    +    [fail] true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +
    +

    Real-time Models

    +

    So far in this section, we have mainly focused on three types of models: DTMCs, MDPs and CTMCs, +in which all the variables making up their state are finite. +PRISM also supports real-time models, in particular, +probabilistic timed automata (PTAs), which extend MDPs with the ability to model real-time behaviour. +This is done in the style of timed automata [AD94], by adding clocks, +real-valued variables which increase with time and can be reset. For background material on PTAs, see for example [NPS13]. +You can also find several example PTA models included in the PRISM distribution. Look in the prism-examples/ptas directory. +

    +

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA: +

    +
    +

    and here is a corresponding PRISM model: +

    +
    +
    +
    pta
    +
    +module M
    +
    +    s : [0..2] init 0;
    +    x : clock;
    +
    +    invariant
    +        (s=0 => x<=2) &
    +        (s=2 => x<=3)
    +    endinvariant
    +
    +    [send] s=0 & x>=1 -> 0.9:(s'=1)&(x'=0) + 0.1:(s'=2)&(x'=0);
    +    [retry] s=2 & x>=2 -> 0.95:(s'=1) + 0.05:(s'=2)&(x'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    +

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0. +

    +

    The other new addition is an invariant construct, which is used to specify an expression describing the clock invariants for each PRISM module. These impose restrictions on the allowable values of clock variables, depending on the values of the other non-clock variables. The invariant construct should appear between the variable declarations and the commands of the module. Often, clock invariants are described separately for each PTA location; hence, the invariant will often take the form of a conjunction of implications, as in the example model above, but more general expressions are also permitted. In the example, the clock x must satisfy x<=2 or x<=3 when local variables s is 0 or 2, respectively. If s is 1, there is no restriction (since the invariant is effectively true in this case). +

    +

    Expressions that include reference to clocks, whether in guards or invariants, must satisfy certain conditions to facilitate model checking. In particular, references to clocks must appear as conjunctions of simple clock constraints, i.e. conjunctions of expressions of the form x~c or x~y where x and y are clocks, c is an integer-valued expression and ~ is one of <, <=, >=, >, =). +

    +

    There are also some additional restrictions imposed on PTA models that are dependent on which of the PTA model checking engines is in use. +

    +

    For the stochastic games and backwards reachability engines: +

    +
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +

    For the digital clocks engine: +

    +
    • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. +
    • Diagonal clock constraints are not allowed, i.e. those containing references to two clocks, such as x<=y. +

    Finally, PRISM makes several assumptions about PTAs, regardless of the engine used. +

    +
    • Firstly PTAs should not exhibit timelocks, i.e. the possibility of reaching a state where no transitions are possible and time cannot elapse beyond a certain point (due to invariant conditions). PRISM checks for timelocks and reports an error if one is found. +
    • Secondly, PTAs should be well-formed and non-zeno (see e.g. [KNSW07] for details). Currently, PRISM does not check automatically that these assumptions are satisfied. +
    +

    Partially Observable Models

    +

    PRISM supports analysis of partially observable probabilistic models, +most notably partially observable Markov decision processes (POMDPs), +but also partially observable probabilistic timed automata (POPTAs). +POMDPs are a variant of MDPs in which the strategy/policy +which resolves nondeterministic choices in the model is unable to +see the precise state of the model, but instead just observations of it. +For background material on POMDPs and POPTAs, see for example [NPZ17]. +You can also find several example models included in the PRISM distribution. +Look in the prism-examples/pomdps and prism-examples/poptas directories. +

    +

    PRISM currently supports state-based observations: +this means that, upon entering a new POMDP state, +the observation is determined by that state. +In the same way that a model state comprises the values or one or more variables, +an observation comprises one or more observables. +There are several way to define these observables. +The simplest is to specify a subset of the model's variables +that are designated as being observable. The rest are unobservable. +

    +

    For example, in a POMDP with 3 variables, s, l and h, the following: +

    +
    +
    +
    observables s, l endobservables
    +
    +
    [$[Get Code]]
    +
    + +

    specifies that s and l are observable and h is not. +

    +

    Alternatively, observables can be specified as arbitrary expressions over variables. +For example, assuming the same variables s, l and h, this specification: +

    +
    +
    +
    observable "s" = s;
    +observable "pos" = l>0;
    +
    +
    [$[Get Code]]
    +
    + +

    defines 2 observables. The first is, as above, the variable s. +The second, named "pos", determines if variable l is positive. +Other than this, the values of l and h are unobservable. +The named observables can then be used in properties +in the same way that labels can. +

    +

    The above two styles of definition can also be mixed +to specify a combined set of observables. +

    +

    POPTAs (partially observable PTAs) combine the features of both PTAs and POMDPs. +They are are currently analysed using the digital clocks engine, +so inherit the restrictions for that engine. +Furthermore, for a POPTA, all clock variables must be observable. +

    +

    Uncertain models

    +

    PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

    +

    Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

    +
    +
    +
    [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

    +
    +
    +
    [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    See the property specification section for details of how these models are analysed. +

    +

    Process Algebra Operators

    +

    To make the concept of synchronisation described above more powerful, +PRISM allows you to define precisely the way in which the set of modules are composed in parallel. +This is specified using the system ... endsystem construct, +placed at the end of the model description, which should contain a process-algebraic expression. +This expression should feature each module exactly once, and can use the following (CSP-based) operators: +

    +
    • M1 || M2 : alphabetised parallel composition of modules M1 and M2 (synchronising on only actions appearing in both M1 and M2) +
    • M1 ||| M2 : asynchronous parallel composition of M1 and M2 (fully interleaved, no synchronisation) +
    • M1 |[a,b,...]| M2 : restricted parallel composition of modules M1 and M2 (synchronising only on actions from the set {a, b,...}) +
    • M / {a,b,...} : hiding of actions {a, b, ...} in module M +
    • M {a<-b,c<-d,...} : renaming of actions a to b, c to d, etc. in module M. +

    The first two types of parallel composition (|| and |||) are associative and can be applied to more than two modules at once. +When evaluating the expression, the hiding and renaming operators bind more tightly than the three parallel composition operators. +No other rules of precedence are defined and parentheses should be used to specify the order in which modules are composed. +

    +

    Some examples of expressions which could be included in the system ... endsystem construct are as follows: +

    +
    • (station1 ||| station2 ||| station3) |[serve]| server +
    • ((P1 |[a]| P2) / {a}) || Q +
    • ((P1 |[a]| P2) {a<-b}) |[b]| Q +

    When no parallel composition is specified by the user, +PRISM implicitly assumes an expression of the form M1 || M2 || ... containing all of the modules in the model. +For a more formal definition of the process algebra operators described above, check the semantics of the PRISM language, available from the "Documentation" section of the PRISM web site. +

    +

    PRISM is also able to import model descriptions written in (a subset of) the stochastic process algebra PEPA [Hil96]. +

    +

    PRISM Model Files

    +

    Files containing model descriptions written in the PRISM language +can contain any amount of white space (spaces, tabs, new lines, etc.), +all of which is ignored when the file is parsed by the tool. +Comments can also be used included in files in the style of the C programming language, +by preceding them with the characters //. +This is illustrated by the PRISM language examples from earlier in this section. +

    +

    We recommend that the .prism extension is used for PRISM model files. +Historically (when the tool supported fewer types of model), +different extensions were often used for each model type: +.nm for MDPs or PTAs, .pm for DTMCs and .sm for CTMCs. +

    +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/CTMCs.html b/manual/ThePRISMLanguage/CTMCs.html index 37e36d2261..28ab0378be 100644 --- a/manual/ThePRISMLanguage/CTMCs.html +++ b/manual/ThePRISMLanguage/CTMCs.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / CTMCs +PRISM Manual | The PRISM Language / CTMCs - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -138,6 +272,12 @@ @@ -146,6 +286,13 @@
    + +
    @@ -173,6 +320,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -182,5 +330,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/CTMCs@action=edit.html b/manual/ThePRISMLanguage/CTMCs@action=edit.html new file mode 100644 index 0000000000..0712dec345 --- /dev/null +++ b/manual/ThePRISMLanguage/CTMCs@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / CTMCs | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    CTMCs

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/CTMCs@action=login.html b/manual/ThePRISMLanguage/CTMCs@action=login.html new file mode 100644 index 0000000000..dc8409de15 --- /dev/null +++ b/manual/ThePRISMLanguage/CTMCs@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / CTMCs | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    CTMCs

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/CTMCs@action=print.html b/manual/ThePRISMLanguage/CTMCs@action=print.html new file mode 100644 index 0000000000..36e099b85b --- /dev/null +++ b/manual/ThePRISMLanguage/CTMCs@action=print.html @@ -0,0 +1,144 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / CTMCs + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    CTMCs

    + + +
    +

    Specifying the behaviour of a continuous-time Markov chain (CTMC) +is done in similar fashion to a DTMC or an MDP, as discussed so far. +The main difference is that updates in commands are +labelled with (positive-valued) rates, rather than probabilities. +The notation used in commands, however, to associate rates to transitions is identical to +the one used to assign probabilities: +

    +
    +
    +
    rate_1:update_1 + rate_2:update_2 + ...
    +
    +
    [$[Get Code]]
    +
    + +

    In a CTMC, when multiple possible transitions are available in a state, a race condition occurs +(see e.g. [KNP07a] for more details). +In terms of PRISM commands, this can arise in several ways. +Firstly, within in a module, multiple transitions can be specified either as several different updates in a command, or as multiple commands with overlapping guards. The following, for example. are equivalent: +

    +
    +
    +
    [] x=0 -> 50:(x'=1) + 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] x=0 -> 50:(x'=1);
    +[] x=0 -> 60:(x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    Furthermore, parallel composition between modules in a CTMC is modelled as a race condition, +rather as a nondeterministic choice, like for MDPs. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/Commands.html b/manual/ThePRISMLanguage/Commands.html index aaa20280b6..498a676aa0 100644 --- a/manual/ThePRISMLanguage/Commands.html +++ b/manual/ThePRISMLanguage/Commands.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Commands +PRISM Manual | The PRISM Language / Commands - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -170,6 +304,12 @@ @@ -178,6 +318,13 @@
    + +
    @@ -205,6 +352,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -214,5 +362,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Commands@action=edit.html b/manual/ThePRISMLanguage/Commands@action=edit.html new file mode 100644 index 0000000000..14052f2151 --- /dev/null +++ b/manual/ThePRISMLanguage/Commands@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Commands | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Commands

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Commands@action=login.html b/manual/ThePRISMLanguage/Commands@action=login.html new file mode 100644 index 0000000000..5095c31cc0 --- /dev/null +++ b/manual/ThePRISMLanguage/Commands@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Commands | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Commands

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Commands@action=print.html b/manual/ThePRISMLanguage/Commands@action=print.html new file mode 100644 index 0000000000..d652fbd9ae --- /dev/null +++ b/manual/ThePRISMLanguage/Commands@action=print.html @@ -0,0 +1,176 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Commands + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Commands

    + + +
    +

    The behaviour of each module is described by commands, +comprising a guard and one or more updates. +The first command of module M1 in our example is: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    The guard x=0 indicates that this describes the behaviour of the module when the variable x has value 0. +The updates (x'=0) and (x'=1) and their associated probabilities state that the value of x will +remain at 0 with probability 0.8 and change to 1 with probability 0.2. +Note that the inclusion of updates in parentheses, e.g. (x'=1), is essential. +While older versions of PRISM did not report the absence of parentheses as an error, newer versions do. +Note also that PRISM will complain if the probabilities on the right hand side of a command do not sum to one. +

    +

    The second command: +

    +
    +
    +
    [] x=1 & y!=2 -> (x'=2);
    +
    +
    [$[Get Code]]
    +
    + +

    illustrates that guards can contain constraints on any variable, not just the ones in that module, +i.e. the behaviour of one module can depend on the state of another. +Updates, however, can only specify values for variables belonging to the module. +In general a module can read the variables of any other module, but only write to its own. +When a command comprises a single update with probability 1, the 1.0: can be omitted, +as is done in the example above. +

    +

    If a module has more than one variable, updates describe the new value for each of them. +For example, if it had two variables x1 and x2, a possible command would be: +

    +
    +
    +
    [] x1=0 & x2>0 & x2<10 -> 0.5:(x1'=1)&(x2'=x2+1) + 0.5:(x1'=2)&(x2'=x2-1);
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that elements of the updates are concatenated with & and that each element must be bracketed individually. +If an update does not give a new value for a local variable, it is assumed not to change. +As a special case, the keyword true can be used to denote an update where no variable's value changes, i.e. the following are all equivalent: +

    +
    +
    +
    [] x1>10 | x2>10 -> (x1'=x1)&(x2'=x2);
    +[] x1>10 | x2>10 -> (x1'=x1);
    +[] x1>10 | x2>10 -> true;
    +
    +
    [$[Get Code]]
    +
    + +

    Finally, it is important to remember that the expressions on the right hand side of each update refer to the state of the model before the update occurs. So, for example, this command: +

    +
    +
    +
    [] x1=0 & x2=1 -> (x1'=2)&(x2'=x1)
    +
    +
    [$[Get Code]]
    +
    + +

    updates variable x2 to 0, not 2. +

    +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/Constants.html b/manual/ThePRISMLanguage/Constants.html index f03414a9b7..b0189e518d 100644 --- a/manual/ThePRISMLanguage/Constants.html +++ b/manual/ThePRISMLanguage/Constants.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Constants +PRISM Manual | The PRISM Language / Constants - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -128,6 +262,12 @@ @@ -136,6 +276,13 @@
    + +
    @@ -163,6 +310,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -172,5 +320,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Constants@action=edit.html b/manual/ThePRISMLanguage/Constants@action=edit.html new file mode 100644 index 0000000000..fb16818ed3 --- /dev/null +++ b/manual/ThePRISMLanguage/Constants@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Constants | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Constants

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Constants@action=login.html b/manual/ThePRISMLanguage/Constants@action=login.html new file mode 100644 index 0000000000..7bd7b4d6a3 --- /dev/null +++ b/manual/ThePRISMLanguage/Constants@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Constants | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Constants

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Constants@action=print.html b/manual/ThePRISMLanguage/Constants@action=print.html new file mode 100644 index 0000000000..2095d775ed --- /dev/null +++ b/manual/ThePRISMLanguage/Constants@action=print.html @@ -0,0 +1,134 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Constants + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Constants

    + + +
    +

    PRISM supports the use of constants, as seen in Example 2. +Constants can be integers, doubles or Booleans +and can be defined using literal values or as constant expressions (including in terms of each other) using the const +keyword. For example: +

    +
    +
    +
    const int radius = 12;
    +const double pi = 3.141592;
    +const double area = pi * radius * radius;
    +const bool yes = true;
    +
    +
    [$[Get Code]]
    +
    + +

    The identifiers used for their names are subject to the same rules as variables. +

    +

    Constants can be used anywhere that a constant value would be expected, +such as the lower or upper range of a variable (e.g. N in Example 2), +the probability or rate associated with an update (mu in Example 2), +or anywhere in a guard or update. +As will be described later constants can also be left undefined +and specified later, either to a single value or a range of values, using experiments. +

    +

    Note: For the sake of backward-compatibility, the notation used in earlier versions of PRISM +(const for const int and rate or prob for const double) is still supported. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/CostsAndRewards.html b/manual/ThePRISMLanguage/CostsAndRewards.html index 303e80d954..43fc24714a 100644 --- a/manual/ThePRISMLanguage/CostsAndRewards.html +++ b/manual/ThePRISMLanguage/CostsAndRewards.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / CostsAndRewards +PRISM Manual | The PRISM Language / Costs And Rewards - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -208,6 +342,12 @@ @@ -216,6 +356,13 @@
    + +
    @@ -243,6 +390,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -252,5 +400,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/CostsAndRewards@action=edit.html b/manual/ThePRISMLanguage/CostsAndRewards@action=edit.html new file mode 100644 index 0000000000..a4bfe26d98 --- /dev/null +++ b/manual/ThePRISMLanguage/CostsAndRewards@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Costs And Rewards | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Costs And Rewards

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/CostsAndRewards@action=login.html b/manual/ThePRISMLanguage/CostsAndRewards@action=login.html new file mode 100644 index 0000000000..e4ce4c0d17 --- /dev/null +++ b/manual/ThePRISMLanguage/CostsAndRewards@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Costs And Rewards | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Costs And Rewards

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/CostsAndRewards@action=print.html b/manual/ThePRISMLanguage/CostsAndRewards@action=print.html new file mode 100644 index 0000000000..882d1428ca --- /dev/null +++ b/manual/ThePRISMLanguage/CostsAndRewards@action=print.html @@ -0,0 +1,214 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / CostsAndRewards + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Costs And Rewards

    + + +
    +

    PRISM supports the specification and analysis of +properties based on costs and rewards. +This means that it can be used to reason, +not just about the probability that a model behaves in a certain fashion, +but about a wider range of quantitative measures relating to model behaviour. +For example, PRISM can be used to compute properties such as +"expected time", "expected number of lost messages" or "expected power consumption". +The implementation of cost- and reward-based techniques in the tool is only partially completed and is still ongoing. +If you have questions, comments or feature-requests relating to this functionality, +please feel free to contact the PRISM team about this. +

    +

    The basic idea is that probabilistic models (of all types) developed in PRISM +can be augmented with costs or rewards: real values associated with certain states or transitions of the model. +In fact, since there is no practical distinction between costs and rewards +(except that costs are generally perceived to be "bad" and rewards to be "good"), +PRISM only supports rewards. +The user is, however, free to interpret the values however they choose. +

    +

    In this section, we describe how models described in the PRISM language +can be augmented with rewards. +Later, we will discuss how to express properties that relate to these rewards. +Rewards are associated with models using rewards ... endrewards constructs, +which can appear anywhere in a model file except within a module definition. +These constructs contains one or more reward items. +Consider the following simple example: +

    +
    +
    +
    rewards
    +    true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    This assigns a reward of 1 to every state of the model. +It comprises a single reward item, the left part of which (true) is a guard +and the right part of which (1) is a reward. +States of the model which satisfy the predicate in the guard are assigned the corresponding reward. +More generally, state rewards can be specified using multiple reward items, +each of the form guard : reward;, +where guardis a predicate (over all the variables of the model) +and reward is an expression (containing any variables, constants, etc. from the model). +For example: +

    +
    +
    +
    rewards
    +    x=0 : 100;
    +    x>0 & x<10 : 2*x;
    +    x=10 : 100;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 100 to states satisfying x=0 or x=10 +and a reward of 2*x to states satisfying x>0 & x<10. +Note that a single reward item can assign different rewards to different states, +depending on the values of model variables in each one. +Any states which do not satisfy the guard of any reward item will have no reward assigned to them. +For states which satisfy multiple guards, the reward assigned to the state +is the sum of the rewards for all the corresponding reward items. +

    +

    Rewards can also be assigned to transitions of a model. +These are specified in a similar fashion to state rewards, +within the rewards ... endrewards construct. +Reward items describing transition rewards are of the form [action] guard : reward;, +the interpretation being that transitions from states which satisfy the guard guard +and are labelled with the action action acquire the reward reward. +For example: +

    +
    +
    +
    rewards
    +    [] true : 1;
    +    [a] true : x;
    +    [b] true : 2*x;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +

    assigns a reward of 1 to all transitions in the model with no action label, +and rewards of x and 2*x to all transitions labelled with actions a and b, respectively. +

    +

    As is the case for states, multiple reward items can specify rewards for a single transition, +in which case the resulting reward is the sum of all the individual rewards. +A model description can specify rewards for both states and transitions. +These are all placed together in a single rewards...endrewards construct. +

    +

    A PRISM model can have multiple reward structures. Optionally, these can be given labels such as in the following example: +

    +
    +
    +
    rewards "total_time"
    +    true : 1;
    +endrewards
    +
    +rewards "num_failures"
    +    [fail] true : 1;
    +endrewards
    +
    +
    [$[Get Code]]
    +
    + +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/Example1.html b/manual/ThePRISMLanguage/Example1.html index 829e08ce68..1a183c070d 100644 --- a/manual/ThePRISMLanguage/Example1.html +++ b/manual/ThePRISMLanguage/Example1.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Example1 +PRISM Manual | The PRISM Language / Example 1 - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -145,6 +279,12 @@ @@ -153,6 +293,13 @@
    + +
    @@ -180,6 +327,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -189,5 +337,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Example1@action=edit.html b/manual/ThePRISMLanguage/Example1@action=edit.html new file mode 100644 index 0000000000..65181be514 --- /dev/null +++ b/manual/ThePRISMLanguage/Example1@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Example 1 | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Example 1

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Example1@action=login.html b/manual/ThePRISMLanguage/Example1@action=login.html new file mode 100644 index 0000000000..bb51f12a9c --- /dev/null +++ b/manual/ThePRISMLanguage/Example1@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Example 1 | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Example 1

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Example1@action=print.html b/manual/ThePRISMLanguage/Example1@action=print.html new file mode 100644 index 0000000000..b75a08ba3b --- /dev/null +++ b/manual/ThePRISMLanguage/Example1@action=print.html @@ -0,0 +1,151 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Example1 + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Example 1

    + + +
    +

    We will use the following simple example to illustrate the basic concepts of the PRISM language. +Consider a system comprising two identical processes which must operate under mutual exclusion. +Each process can be in one of 3 states: {0,1,2}. +From state 0, a process will move to state 1 with probability 0.2 +and remain in the same state with probability 0.8. +From state 1, it tries to move to the critical section: state 2. +This can only occur if the other process is not in its critical section. +Finally, from state 2, a process will either remain there or move back to state 0 +with equal probability. +The PRISM code to describe an MDP model of this system can be seen below. +In the next sections, we explain each aspect of the code in turn. +

    +
    +
    +
    // Example 1
    +// Two process mutual exclusion
    +
    +mdp
    +
    +module M1
    +
    +    x : [0..2] init 0;
    +
    +    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +    [] x=1 & y!=2 -> (x'=2);
    +    [] x=2 -> 0.5:(x'=2) + 0.5:(x'=0);
    +
    +endmodule
    +
    +module M2
    +
    +    y : [0..2] init 0;
    +
    +    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +    [] y=1 & x!=2 -> (y'=2);
    +    [] y=2 -> 0.5:(y'=2) + 0.5:(y'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 1 +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/Example2.html b/manual/ThePRISMLanguage/Example2.html index 51d4e1867f..86b11e9fe7 100644 --- a/manual/ThePRISMLanguage/Example2.html +++ b/manual/ThePRISMLanguage/Example2.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Example2 +PRISM Manual | The PRISM Language / Example 2 - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -141,6 +275,12 @@ @@ -149,6 +289,13 @@
    + +
    @@ -176,6 +323,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -185,5 +333,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Example2@action=edit.html b/manual/ThePRISMLanguage/Example2@action=edit.html new file mode 100644 index 0000000000..63f8368fd4 --- /dev/null +++ b/manual/ThePRISMLanguage/Example2@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Example 2 | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Example 2

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Example2@action=login.html b/manual/ThePRISMLanguage/Example2@action=login.html new file mode 100644 index 0000000000..6ce15140da --- /dev/null +++ b/manual/ThePRISMLanguage/Example2@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Example 2 | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Example 2

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Example2@action=print.html b/manual/ThePRISMLanguage/Example2@action=print.html new file mode 100644 index 0000000000..81d6cfcf7c --- /dev/null +++ b/manual/ThePRISMLanguage/Example2@action=print.html @@ -0,0 +1,147 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Example2 + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Example 2

    + + +
    +

    We now introduce a second example: a CTMC that models an N-place queue of jobs and +a server which removes jobs from the queue and processes them. +The PRISM code is as follows: +

    +
    +
    +
    // Example 2
    +// N-place queue + server
    +
    +ctmc
    +
    +const int N = 10;
    +const double mu = 1/10;
    +const double lambda = 1/2;
    +const double gamma = 1/3;
    +
    +module queue
    +     q : [0..N];
    +
    +     [] q<N -> mu:(q'=q+1);
    +     [] q=N -> mu:(q'=q);
    +     [serve] q>0 -> lambda:(q'=q-1);
    +endmodule
    +
    +module server
    +     s : [0..1];
    +
    +     [serve] s=0 -> 1:(s'=1);
    +     [] s=1 -> gamma:(s'=0);
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The PRISM Language: Example 2 +

    +

    This example also introduces a number of other PRISM language concepts, +including constants, action labels and synchronisation. +These are described in the following sections. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/Expressions.html b/manual/ThePRISMLanguage/Expressions.html index 35b440d8d2..77ec5afa2d 100644 --- a/manual/ThePRISMLanguage/Expressions.html +++ b/manual/ThePRISMLanguage/Expressions.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Expressions +PRISM Manual | The PRISM Language / Expressions - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -175,6 +309,12 @@ @@ -183,6 +323,13 @@
    + +
    @@ -210,6 +357,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -219,5 +367,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Expressions@action=edit.html b/manual/ThePRISMLanguage/Expressions@action=edit.html new file mode 100644 index 0000000000..0e342b3651 --- /dev/null +++ b/manual/ThePRISMLanguage/Expressions@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Expressions | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Expressions

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Expressions@action=login.html b/manual/ThePRISMLanguage/Expressions@action=login.html new file mode 100644 index 0000000000..65cae58933 --- /dev/null +++ b/manual/ThePRISMLanguage/Expressions@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Expressions | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Expressions

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Expressions@action=print.html b/manual/ThePRISMLanguage/Expressions@action=print.html new file mode 100644 index 0000000000..eff04a91d6 --- /dev/null +++ b/manual/ThePRISMLanguage/Expressions@action=print.html @@ -0,0 +1,181 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Expressions + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Expressions

    + + +
    +

    The definition of the area constant, in the example above, uses an expression. +We now define more precisely what types of expression are supported by PRISM. +Expressions can contain literal values (12, 3.141592, true, false, etc.), +identifiers (corresponding to variables, constants, etc.) and operators from the following list: +

    +
    • - (unary minus) +
    • *, / (multiplication, division) +
    • +, - (addition, subtraction) +
    • <, <=, >=, > (relational operators) +
    • =, != (equality operators) +
    • ! (negation) +
    • & (conjunction) +
    • | (disjunction) +
    • <=> (if-and-only-if) +
    • => (implication) +
    • ? (condition evaluation: condition ? a : b means "if condition is true then a else b") +

    All of these operators except ? are left associative +(i.e. they are evaluated from left to right). +The precedence of the operators is as found in the list above, +most strongly binding operators first. +Operators on the same line (e.g. + and -) are of equal precedence. +

    +

    Much of the notation for expressions is hence essentially equivalent to that of C/C++ or Java. +One notable exception to this is that the division operator / always performs floating point, not integer, division, +i.e. the result of 22/7 is 3.142857... not 3. +All expressions must evaluate correctly in terms of type (integer, double or Boolean). +

    +

    Built-in Functions +

    +

    Expressions can make use of several built-in functions: +

    +
    • min(...) and max(...), which select the minimum and maximum value, respectively, of two or more numbers +
    • floor(x) and ceil(x), which round x down and up, respectively, to the nearest integer +
    • round(x), which rounds x to the nearest integer (note, in a tie-break, we always round up, e.g. round(-1.5) gives -1 not -2) +
    • pow(x,y) which computes x to the power of y +
    • mod(i,n) for integer modulo operations +
    • log(x,b), which computes the logarithm of x to base b +

    Examples of their usage are: +

    +
    +
    +
    min(x+1, x_max)
    +max(a,b,c)
    +floor(13.5)
    +ceil(13.5)
    +round(13.5)
    +pow(2, 8)
    +pow(9.0, 0.5)
    +mod(1977, 100)
    +log(123, 2.71828183)
    +
    +
    [$[Get Code]]
    +
    + +

    For compatibility with older versions of PRISM, all functions can also be expressed via the func keyword, e.g. func(floor, 13.5). +

    +

    Use of Expressions +

    +

    Expressions can be used in a wide range of places in a PRISM language description, e.g.: +

    +
    • constant definitions +
    • lower/upper bounds and initial values for variables +
    • guards +
    • probabilities/rates +
    • updates +

    This allows, for example, the probability in a command to be dependent on the current state: +

    +
    +
    +
    [] (x>=1 & x<=10) -> x/10 : (x'=max(1,x-1)) + 1-x/10 : (x'=min(10,x+1))
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/ThePRISMLanguage/FormulasAndLabels.html b/manual/ThePRISMLanguage/FormulasAndLabels.html index dbfcd4de9e..d127991d0b 100644 --- a/manual/ThePRISMLanguage/FormulasAndLabels.html +++ b/manual/ThePRISMLanguage/FormulasAndLabels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / FormulasAndLabels +PRISM Manual | The PRISM Language / Formulas And Labels - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -132,7 +266,7 @@

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself.

    Labels

    -

    PRISM models can also contain labels. These are are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files.

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; secondly, they are written using quotation marks ("..."), as illustrated in the following example: @@ -150,6 +284,12 @@

    @@ -158,6 +298,13 @@
    + +
    @@ -185,6 +332,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -194,5 +342,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/FormulasAndLabels@action=edit.html b/manual/ThePRISMLanguage/FormulasAndLabels@action=edit.html new file mode 100644 index 0000000000..20a32a8bc0 --- /dev/null +++ b/manual/ThePRISMLanguage/FormulasAndLabels@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Formulas And Labels | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Formulas And Labels

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/FormulasAndLabels@action=login.html b/manual/ThePRISMLanguage/FormulasAndLabels@action=login.html new file mode 100644 index 0000000000..30e331a73c --- /dev/null +++ b/manual/ThePRISMLanguage/FormulasAndLabels@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Formulas And Labels | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Formulas And Labels

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/FormulasAndLabels@action=print.html b/manual/ThePRISMLanguage/FormulasAndLabels@action=print.html new file mode 100644 index 0000000000..a8f98c5066 --- /dev/null +++ b/manual/ThePRISMLanguage/FormulasAndLabels@action=print.html @@ -0,0 +1,156 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / FormulasAndLabels + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Formulas And Labels

    + + +
    +

    PRISM models can include formulas which are used to avoid duplication of code. +A formula comprises a name (an identifier) and an expression. +The formula name can then be used as shorthand for the expression anywhere an expression might usually be accepted. +A formula is defined as follows: +

    +
    +
    +
    formula num_tokens = q1+q2+q3+q+q5;
    +
    +
    [$[Get Code]]
    +
    + +

    It can then be used anywhere within that file, as for example in this command: +

    +
    +
    +
    [] p1=2 & num_tokens=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    The effect is exactly as if the following had been typed: +

    +
    +
    +
    [] p1=2 & (q1+q2+q3+q+q5)=5 -> (p1'=4);
    +
    +
    [$[Get Code]]
    +
    + +

    Formulas defined in a model can also be used when specifying its properties. +

    +

    Formulas and renaming

    +

    During parsing of the model, expansion of formulas is done before module renaming so, if a module which uses formulas is renamed to another module, it is the contents of the formula which will be renamed, not the formula itself. +

    +

    Labels

    +

    PRISM models can also contain labels. These are a way of identifying sets of states that are of particular interest. Labels can only be used when specifying properties but, for convenience, can be defined in model files as well as property files. +

    +

    Labels differ from formulas in two other ways: firstly, they must be of Boolean type; +secondly, they are written using quotation marks ("..."), as illustrated in the following example: +

    +
    +
    +
    label "safe" = temp<=100 | alarm=true;
    +label "fail" = temp>100 & alarm=false;
    +
    +
    [$[Get Code]]
    +
    + +
    + + + + diff --git a/manual/ThePRISMLanguage/GlobalVariables.html b/manual/ThePRISMLanguage/GlobalVariables.html index 5813191fd3..36ffd9030a 100644 --- a/manual/ThePRISMLanguage/GlobalVariables.html +++ b/manual/ThePRISMLanguage/GlobalVariables.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / GlobalVariables +PRISM Manual | The PRISM Language / Global Variables - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -121,6 +255,12 @@ @@ -129,6 +269,13 @@
    + +
    @@ -156,6 +303,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -165,5 +313,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/GlobalVariables@action=edit.html b/manual/ThePRISMLanguage/GlobalVariables@action=edit.html new file mode 100644 index 0000000000..3157320ef6 --- /dev/null +++ b/manual/ThePRISMLanguage/GlobalVariables@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Global Variables | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Global Variables

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/GlobalVariables@action=login.html b/manual/ThePRISMLanguage/GlobalVariables@action=login.html new file mode 100644 index 0000000000..2294d03711 --- /dev/null +++ b/manual/ThePRISMLanguage/GlobalVariables@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Global Variables | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Global Variables

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/GlobalVariables@action=print.html b/manual/ThePRISMLanguage/GlobalVariables@action=print.html new file mode 100644 index 0000000000..b6b28f7bda --- /dev/null +++ b/manual/ThePRISMLanguage/GlobalVariables@action=print.html @@ -0,0 +1,127 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / GlobalVariables + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Global Variables

    + + +
    +

    In addition to the local variables belonging to each module, a PRISM model can also include global variables, +which can be written to, as well as read, by all modules. +Like local variables, these can be integers or Booleans. +Global variables are declared in identical fashion to a module's local variables, +except that the declaration must not be inside the definition of any module. +Some example declarations are as follows: +

    +
    +
    +
    global g : [1..10];
    +global b : bool init true;
    +
    +
    [$[Get Code]]
    +
    + +

    A global variable can be modified by any module and provides another way for modules to interact. +An important restriction on the use of global variables is the fact that commands which synchronise with other modules +(i.e. those with an action label attached; see the section "Synchronisation") cannot modify global variables. +PRISM will detect this and report an error. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/Introduction@action=edit.html b/manual/ThePRISMLanguage/Introduction@action=edit.html new file mode 100644 index 0000000000..8bdbe6863d --- /dev/null +++ b/manual/ThePRISMLanguage/Introduction@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Introduction | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Introduction@action=login.html b/manual/ThePRISMLanguage/Introduction@action=login.html new file mode 100644 index 0000000000..eb55691de4 --- /dev/null +++ b/manual/ThePRISMLanguage/Introduction@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Introduction | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Introduction

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Introduction@action=print.html b/manual/ThePRISMLanguage/Introduction@action=print.html new file mode 100644 index 0000000000..4adac0daaa --- /dev/null +++ b/manual/ThePRISMLanguage/Introduction@action=print.html @@ -0,0 +1,135 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Introduction + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Introduction

    + + +
    +

    In order to construct and analyse a model with PRISM, +it must be specified in the PRISM language, +a simple, state-based language, +based on the Reactive Modules formalism of Alur and Henzinger [AH99]. +This is used for all of the types of model that PRISM supports. +

    +

    In this section, we describe the PRISM language and present a number of small illustrative examples. +A precise definition of the semantics of the language is available from the "Documentation" section of the PRISM web site. One of the best ways to learn what can be done with the PRISM language is to look at some existing examples. +A number of these are included with the tool distribution in the prism-examples directory. +Many additional examples can be found on the "Case Studies" section of the PRISM website. +

    +

    The fundamental components of the PRISM language are modules and variables. +A model is composed of a number of modules which can interact with each other. +A module contains a number of local variables. +The values of these variables at any given time constitute the state of the module. +The global state of the whole model is determined by the local state of all modules. +The behaviour of each module is described by a set of commands. +A command takes the form: +

    +
    +
    +
    [action] guard -> prob_1 : update_1 + ... + prob_n : update_n;
    +
    +
    [$[Get Code]]
    +
    + +

    The guard is a predicate over all the variables in the model (including those belonging to other modules). Each update describes a transition which the module can make if the guard is true. A transition is specified by giving the new values of the variables in the module, possibly as a function of other variables. Each update is assigned a probability (or in some cases a rate) which will be assigned to the corresponding transition. The command also optionally includes an action, either just to annotate it, or for synchronisation. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/LocalNondeterminism.html b/manual/ThePRISMLanguage/LocalNondeterminism.html index b1a25d85d0..350f9683b9 100644 --- a/manual/ThePRISMLanguage/LocalNondeterminism.html +++ b/manual/ThePRISMLanguage/LocalNondeterminism.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / LocalNondeterminism +PRISM Manual | The PRISM Language / Local Nondeterminism - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -137,6 +271,12 @@ @@ -145,6 +285,13 @@
    + +
    @@ -172,6 +319,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -181,5 +329,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/LocalNondeterminism@action=edit.html b/manual/ThePRISMLanguage/LocalNondeterminism@action=edit.html new file mode 100644 index 0000000000..5cd686de1c --- /dev/null +++ b/manual/ThePRISMLanguage/LocalNondeterminism@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Local Nondeterminism | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Local Nondeterminism

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/LocalNondeterminism@action=login.html b/manual/ThePRISMLanguage/LocalNondeterminism@action=login.html new file mode 100644 index 0000000000..bdb9203204 --- /dev/null +++ b/manual/ThePRISMLanguage/LocalNondeterminism@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Local Nondeterminism | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Local Nondeterminism

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/LocalNondeterminism@action=print.html b/manual/ThePRISMLanguage/LocalNondeterminism@action=print.html new file mode 100644 index 0000000000..1c74dd3c59 --- /dev/null +++ b/manual/ThePRISMLanguage/LocalNondeterminism@action=print.html @@ -0,0 +1,143 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / LocalNondeterminism + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Local Nondeterminism

    + + +
    +

    PRISM models that support nondeterminism, such as are MDPs, can also exhibit local nondeterminism, +which allows the modules themselves to make nondeterministic choices. +In Example 1, we can make the probabilistic choice in the first state of module M1 nondeterministic by replacing the command: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    with the commands: +

    +
    +
    +
    [] x=0 -> (x'=0);
    +[] x=0 -> (x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    Assuming we do the same for module M2, in state (0,0) of the MDP +there will be a nondeterministic choice between the three (trivial) probability distributions listed below. (There are three, not four, distributions because two possibilities result in identical behaviour: staying with probability 1 in the state state.) +

    +
    • 1.0:(0,0) +
    • 1.0:(1,0) +
    • 1.0:(0,1) +

    More generally, local nondeterminism can also arise when the guards of two commands overlap only partially, rather than completely as in the example above. +

    +

    PRISM also permits local nondeterminism in models which are DTMCs, +although the nondeterministic choice is randomised when the parallel composition of the modules occurs. +Since the appearance of nondeterminism in a DTMC is often the result of +a user error in the model specification, PRISM displays a warning when local nondeterminism is detected in a DTMC. +Overlapping guards in CTMCs are not treated as nondeterministic choices. +

    +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/Main.html b/manual/ThePRISMLanguage/Main.html index d700b453c7..530f9e6e19 100644 --- a/manual/ThePRISMLanguage/Main.html +++ b/manual/ThePRISMLanguage/Main.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Introduction +PRISM Manual | The PRISM Language / Introduction - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -129,6 +263,12 @@ @@ -137,6 +277,13 @@
    + +
    @@ -164,6 +311,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -173,5 +321,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ModelType.html b/manual/ThePRISMLanguage/ModelType.html index 4a7437b765..8d388eb3bd 100644 --- a/manual/ThePRISMLanguage/ModelType.html +++ b/manual/ThePRISMLanguage/ModelType.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / ModelType +PRISM Manual | The PRISM Language / Model Type - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -103,6 +237,12 @@ @@ -111,6 +251,13 @@
    + +
    @@ -138,6 +285,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -147,5 +295,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ModelType@action=edit.html b/manual/ThePRISMLanguage/ModelType@action=edit.html new file mode 100644 index 0000000000..c44d71abee --- /dev/null +++ b/manual/ThePRISMLanguage/ModelType@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Model Type | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Model Type

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModelType@action=login.html b/manual/ThePRISMLanguage/ModelType@action=login.html new file mode 100644 index 0000000000..3e5cae480f --- /dev/null +++ b/manual/ThePRISMLanguage/ModelType@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Model Type | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Model Type

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModelType@action=print.html b/manual/ThePRISMLanguage/ModelType@action=print.html new file mode 100644 index 0000000000..c4ca04278f --- /dev/null +++ b/manual/ThePRISMLanguage/ModelType@action=print.html @@ -0,0 +1,109 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / ModelType + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Model Type

    + + +
    +

    As mentioned above, the PRISM language can be used to describe several types of probabilistic models. +To indicate which type is being described, a PRISM model usually includes a model type keyword: +

    +
    • dtmc: discrete-time Markov chain +
    • ctmc: continuous-time Markov chain +
    • mdp: Markov decision process (or probabilistic automaton) +
    • pta: probabilistic timed automaton +
    • pomdp: partially observable Markov decision process +
    • popta: partially observable probabilistic timed automaton +

    This is typically at the very start of the file, +but can actually occur anywhere in the file (except inside modules and other declarations). +

    +

    If no such model type declaration is included, the model is by default assumed to be an MDP. +PRISM also performs some auto-detection of the model type; +for example, an MDP with clock variables is assumed to be a PTA, +and an MDP with observables? is assumed to be a POMDP. +

    +

    Note: For compatibility with old versions of PRISM, +the keywords probabilistic, stochastic and nondeterministic +can be used as alternatives for dtmc, ctmc and mdp, respectively. +

    +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/ModuleRenaming.html b/manual/ThePRISMLanguage/ModuleRenaming.html index 88a2e3b672..449bc30fba 100644 --- a/manual/ThePRISMLanguage/ModuleRenaming.html +++ b/manual/ThePRISMLanguage/ModuleRenaming.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / ModuleRenaming +PRISM Manual | The PRISM Language / Module Renaming - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -115,6 +249,12 @@ @@ -123,6 +263,13 @@
    + +
    @@ -150,6 +297,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -159,5 +307,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ModuleRenaming@action=edit.html b/manual/ThePRISMLanguage/ModuleRenaming@action=edit.html new file mode 100644 index 0000000000..c66ae9340b --- /dev/null +++ b/manual/ThePRISMLanguage/ModuleRenaming@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Module Renaming | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Module Renaming

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModuleRenaming@action=login.html b/manual/ThePRISMLanguage/ModuleRenaming@action=login.html new file mode 100644 index 0000000000..2bcfde2f4a --- /dev/null +++ b/manual/ThePRISMLanguage/ModuleRenaming@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Module Renaming | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Module Renaming

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModuleRenaming@action=print.html b/manual/ThePRISMLanguage/ModuleRenaming@action=print.html new file mode 100644 index 0000000000..1d189cf149 --- /dev/null +++ b/manual/ThePRISMLanguage/ModuleRenaming@action=print.html @@ -0,0 +1,121 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / ModuleRenaming + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Module Renaming

    + + +
    +

    PRISM also supports module renaming, which allows duplication of modules. +In Example 1, module M2 is identical to module M1 so we can in fact replace its entire definition with: +

    +
    +
    +
    module M2 = M1 [ x=y, y=x ] endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    All of the variables in the module being renamed (in this case, just x) must be renamed to new, unused names. Optionally, it is also possible to rename other aspects of the module definition. In fact, the renaming is done at a textual level, so any identifiers (including action labels, constants and functions) used in the module definition can be changed in this way. +

    +

    Note: Care should be taken when renaming modules that make use of formulas. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/ModulesAndVariables.html b/manual/ThePRISMLanguage/ModulesAndVariables.html index 3ddfb77fa3..db99e8c29e 100644 --- a/manual/ThePRISMLanguage/ModulesAndVariables.html +++ b/manual/ThePRISMLanguage/ModulesAndVariables.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / ModulesAndVariables +PRISM Manual | The PRISM Language / Modules And Variables - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -225,6 +359,12 @@ @@ -233,6 +373,13 @@
    + +
    @@ -260,6 +407,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -269,5 +417,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ModulesAndVariables@action=edit.html b/manual/ThePRISMLanguage/ModulesAndVariables@action=edit.html new file mode 100644 index 0000000000..40c8ee53af --- /dev/null +++ b/manual/ThePRISMLanguage/ModulesAndVariables@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Modules And Variables | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Modules And Variables

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModulesAndVariables@action=login.html b/manual/ThePRISMLanguage/ModulesAndVariables@action=login.html new file mode 100644 index 0000000000..5eee18a744 --- /dev/null +++ b/manual/ThePRISMLanguage/ModulesAndVariables@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Modules And Variables | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Modules And Variables

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ModulesAndVariables@action=print.html b/manual/ThePRISMLanguage/ModulesAndVariables@action=print.html new file mode 100644 index 0000000000..86cfaf9173 --- /dev/null +++ b/manual/ThePRISMLanguage/ModulesAndVariables@action=print.html @@ -0,0 +1,231 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / ModulesAndVariables + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Modules And Variables

    + + +
    +

    The previous example uses two modules, M1 and M2, one representing each process. +A module is specified as: +

    +
    +
    +
    module name ... endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    The definition of a module contains two parts: its variables and its commands. +The variables describe the possible states that the module can be in; +the commands describe its behaviour, i.e. the way in which the state changes over time. +Currently, PRISM supports just a few simple types of variables: +they can either be (finite ranges of) integers or Booleans +(we ignore clocks for now). +

    +

    In the example above, each module has one integer variable with range [0..2]. +A variable declaration looks like: +

    +
    +
    +
    x : [0..2] init 0;
    +
    +
    [$[Get Code]]
    +
    + +

    Notice that the initial value of the variable is also specified. +A Boolean variable is declared as follows: +

    +
    +
    +
    b : bool init false;
    +
    +
    [$[Get Code]]
    +
    + +

    It is also possible to omit the initial value of a variable, +in which case it is assumed to be the lowest value in the range (or false for a Boolean). +Thus, the variable declarations shown below are equivalent to the ones above. +As will be described later, it is also possible to specify +multiple initial states for a model. +

    +
    +
    +
    x : [0..2];
    +b : bool;
    +
    +
    [$[Get Code]]
    +
    + +

    We also mention that, for a few kinds of model analysis (typically those based on simulation, such as approximate model checking or fast adaptive simulation, it is also permissable to use integer variables with unbounded ranges, denoted as: +

    +
    +
    +
    x : int;
    +y : int init 3;
    +
    +
    [$[Get Code]]
    +
    + +

    Where the state space of the model remains finite, despite the presence of such unbounded variables, you can use the explicit engine to build and analyse the model. +

    +

    Identifiers

    +

    The names given to modules and variables are referred to as identifiers. +Identifiers can be made up of letters, digits and the underscore character, but cannot begin with a digit, +i.e. they must satisfy the regular expression [A-Za-z_][A-Za-z0-9_]*, and are case-sensitive. +Furthermore, identifiers cannot be any of the following, which are all reserved keywords in PRISM: +A, +bool, +clock, +const, +ctmc, +C, +double, +dtmc, +E, +endinit, +endinvariant, +endmodule, +endobservables, +endrewards, +endsystem, +false, +formula, +filter, +func, +F, +global, +G, +init, +invariant, +I, +int, +label, +max, +mdp, +min, +module, +X, +nondeterministic, +observable, +observables, +of, +Pmax, +Pmin, +P, +pomdp, +popta, +probabilistic, +prob, +pta, +rate, +rewards, +Rmax, +Rmin, +R, +S, +stochastic, +system, +true, +U, +W. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/MultipleInitialStates.html b/manual/ThePRISMLanguage/MultipleInitialStates.html index 0ab3c86e36..88912aca77 100644 --- a/manual/ThePRISMLanguage/MultipleInitialStates.html +++ b/manual/ThePRISMLanguage/MultipleInitialStates.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / MultipleInitialStates +PRISM Manual | The PRISM Language / Multiple Initial States - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -136,6 +270,12 @@ @@ -144,6 +284,13 @@
    + +
    @@ -171,6 +318,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -180,5 +328,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/MultipleInitialStates@action=edit.html b/manual/ThePRISMLanguage/MultipleInitialStates@action=edit.html new file mode 100644 index 0000000000..e61e99c451 --- /dev/null +++ b/manual/ThePRISMLanguage/MultipleInitialStates@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Multiple Initial States | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Multiple Initial States

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/MultipleInitialStates@action=login.html b/manual/ThePRISMLanguage/MultipleInitialStates@action=login.html new file mode 100644 index 0000000000..f13d3739e2 --- /dev/null +++ b/manual/ThePRISMLanguage/MultipleInitialStates@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Multiple Initial States | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Multiple Initial States

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/MultipleInitialStates@action=print.html b/manual/ThePRISMLanguage/MultipleInitialStates@action=print.html new file mode 100644 index 0000000000..a739149793 --- /dev/null +++ b/manual/ThePRISMLanguage/MultipleInitialStates@action=print.html @@ -0,0 +1,142 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / MultipleInitialStates + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Multiple Initial States

    + + +
    +

    Typically, a variable declaration +specifies the initial value for that variable. +The initial state for the model is then defined by the initial value for all variables. +It is possible, however, to specify that a model has multiple initial states. +This is done using the init...endinit construct, +which can be placed anywhere in the file except within a module definition, +and removing any initial values from variable declarations. +Between the init and endinit keywords, there should be a +predicate over all the variables of the model. +Any state which satisfies this predicate is an initial state. +

    +

    Consider again Example 1. +As it stands, there is a single initial state (0,0) (i.e. x=0 and y=0). +If we remove the init 0 part of both variable declarations +and add the following to the end of the file: +

    +
    +
    +
    init x=0 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    there will be three initial states: (0,0), (0,1) and (0,2). +Similarly, we could instead add: +

    +
    +
    +
    init x+y=1 endinit
    +
    +
    [$[Get Code]]
    +
    + +

    in which case there would be two initial states: (0,1) and (1,0). +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/POMDPs@action=edit.html b/manual/ThePRISMLanguage/POMDPs@action=edit.html index aab86b13a7..4a42630ebc 100644 --- a/manual/ThePRISMLanguage/POMDPs@action=edit.html +++ b/manual/ThePRISMLanguage/POMDPs@action=edit.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / POMDPs | Edit +PRISM Manual | The PRISM Language / POMD Ps | Edit - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View? - Edit - Print - Search +

    + +
    @@ -79,16 +215,22 @@

    Password required

    -

    Password: +

    Password:

    -
    +
    @@ -97,6 +239,13 @@
    + +
    @@ -124,6 +273,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -133,5 +283,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/PRISMModelFiles.html b/manual/ThePRISMLanguage/PRISMModelFiles.html index b95550f995..5f3d2486ab 100644 --- a/manual/ThePRISMLanguage/PRISMModelFiles.html +++ b/manual/ThePRISMLanguage/PRISMModelFiles.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / PRISMModelFiles +PRISM Manual | The PRISM Language / PRISM Model Files - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -92,6 +226,12 @@ @@ -100,6 +240,13 @@
    + +
    @@ -127,6 +274,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -136,5 +284,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/PRISMModelFiles@action=edit.html b/manual/ThePRISMLanguage/PRISMModelFiles@action=edit.html new file mode 100644 index 0000000000..07d0d58bd9 --- /dev/null +++ b/manual/ThePRISMLanguage/PRISMModelFiles@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / PRISM Model Files | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    PRISM Model Files

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/PRISMModelFiles@action=login.html b/manual/ThePRISMLanguage/PRISMModelFiles@action=login.html new file mode 100644 index 0000000000..32564eca2a --- /dev/null +++ b/manual/ThePRISMLanguage/PRISMModelFiles@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / PRISM Model Files | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    PRISM Model Files

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/PRISMModelFiles@action=print.html b/manual/ThePRISMLanguage/PRISMModelFiles@action=print.html new file mode 100644 index 0000000000..2b40911be5 --- /dev/null +++ b/manual/ThePRISMLanguage/PRISMModelFiles@action=print.html @@ -0,0 +1,98 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / PRISMModelFiles + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    PRISM Model Files

    + + +
    +

    Files containing model descriptions written in the PRISM language +can contain any amount of white space (spaces, tabs, new lines, etc.), +all of which is ignored when the file is parsed by the tool. +Comments can also be used included in files in the style of the C programming language, +by preceding them with the characters //. +This is illustrated by the PRISM language examples from earlier in this section. +

    +

    We recommend that the .prism extension is used for PRISM model files. +Historically (when the tool supported fewer types of model), +different extensions were often used for each model type: +.nm for MDPs or PTAs, .pm for DTMCs and .sm for CTMCs. +

    +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/ParallelComposition.html b/manual/ThePRISMLanguage/ParallelComposition.html index 956f2a146e..a8eea8c911 100644 --- a/manual/ThePRISMLanguage/ParallelComposition.html +++ b/manual/ThePRISMLanguage/ParallelComposition.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / ParallelComposition +PRISM Manual | The PRISM Language / Parallel Composition - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -133,6 +267,12 @@ @@ -141,6 +281,13 @@
    + +
    @@ -168,6 +315,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -177,5 +325,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ParallelComposition@action=edit.html b/manual/ThePRISMLanguage/ParallelComposition@action=edit.html new file mode 100644 index 0000000000..3b60f2d91f --- /dev/null +++ b/manual/ThePRISMLanguage/ParallelComposition@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Parallel Composition | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Parallel Composition

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ParallelComposition@action=login.html b/manual/ThePRISMLanguage/ParallelComposition@action=login.html new file mode 100644 index 0000000000..e60687095c --- /dev/null +++ b/manual/ThePRISMLanguage/ParallelComposition@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Parallel Composition | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Parallel Composition

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ParallelComposition@action=print.html b/manual/ThePRISMLanguage/ParallelComposition@action=print.html new file mode 100644 index 0000000000..0b8295ebac --- /dev/null +++ b/manual/ThePRISMLanguage/ParallelComposition@action=print.html @@ -0,0 +1,139 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / ParallelComposition + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Parallel Composition

    + + +
    +

    The probabilistic model corresponding to a PRISM language description is constructed as the parallel composition of its modules. In every state of the model, there is a set of commands (belonging to any of the modules) which are enabled, i.e. whose guards are satisfied in that state. The choice between which command is performed (i.e. the scheduling) depends on the model type. +

    +

    For an MDP, as in Example 1, the choice is nondeterministic. By way of example, consider state (0,0) (i.e. x=0 and y=0). There are two commands enabled, one from each module: +

    +
    +
    +
    [] x=0 -> 0.8:(x'=0) + 0.2:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +
    +
    +
    [] y=0 -> 0.8:(y'=0) + 0.2:(y'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    In state (0,0) of the MDP, there would be a nondeterministic choice between these two probability distributions: +

    +
    • 0.8:(0,0) + 0.2:(1,0) (module M1 moves) +
    • 0.8:(0,0) + 0.2:(0,1) (module M2 moves) +

    For a DTMC, the choice is probabilistic: each enabled command is selected with equal probability. +If Example 1 was a DTMC, then in state (0,0) of the model +the following probability distribution would result: +

    +
    • 0.8:(0,0) + 0.1:(1,0) + 0.1:(0,1) +

    For a CTMC, as will be discussed shortly, +the choice is modelled as a "race" between transitions. +

    +

    See the later sections on "Synchronisation" and "Process Algebra Operators" for other topics related to parallel composition. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/PartiallyObservableModels.html b/manual/ThePRISMLanguage/PartiallyObservableModels.html index 30af73c802..18b5343557 100644 --- a/manual/ThePRISMLanguage/PartiallyObservableModels.html +++ b/manual/ThePRISMLanguage/PartiallyObservableModels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / PartiallyObservableModels +PRISM Manual | The PRISM Language / Partially Observable Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -99,7 +233,7 @@

    PRISM supports analysis of partially observable probabilistic models, most notably partially observable Markov decision processes (POMDPs), but also partially observable probabilistic timed automata (POPTAs). -POMDPs are a variant of MDPs in which the strategy/policy/adversary +POMDPs are a variant of MDPs in which the strategy/policy which resolves nondeterministic choices in the model is unable to see the precise state of the model, but instead just observations of it. For background material on POMDPs and POPTAs, see for example [NPZ17]. @@ -156,6 +290,12 @@

    @@ -164,6 +304,13 @@
    + +
    @@ -191,6 +338,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -200,5 +348,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/PartiallyObservableModels@action=edit.html b/manual/ThePRISMLanguage/PartiallyObservableModels@action=edit.html new file mode 100644 index 0000000000..1dea9b8c0b --- /dev/null +++ b/manual/ThePRISMLanguage/PartiallyObservableModels@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Partially Observable Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Partially Observable Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/PartiallyObservableModels@action=login.html b/manual/ThePRISMLanguage/PartiallyObservableModels@action=login.html new file mode 100644 index 0000000000..60ace76f87 --- /dev/null +++ b/manual/ThePRISMLanguage/PartiallyObservableModels@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Partially Observable Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Partially Observable Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/PartiallyObservableModels@action=print.html b/manual/ThePRISMLanguage/PartiallyObservableModels@action=print.html new file mode 100644 index 0000000000..5ed9757cbd --- /dev/null +++ b/manual/ThePRISMLanguage/PartiallyObservableModels@action=print.html @@ -0,0 +1,162 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / PartiallyObservableModels + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Partially Observable Models

    + + +
    +

    PRISM supports analysis of partially observable probabilistic models, +most notably partially observable Markov decision processes (POMDPs), +but also partially observable probabilistic timed automata (POPTAs). +POMDPs are a variant of MDPs in which the strategy/policy +which resolves nondeterministic choices in the model is unable to +see the precise state of the model, but instead just observations of it. +For background material on POMDPs and POPTAs, see for example [NPZ17]. +You can also find several example models included in the PRISM distribution. +Look in the prism-examples/pomdps and prism-examples/poptas directories. +

    +

    PRISM currently supports state-based observations: +this means that, upon entering a new POMDP state, +the observation is determined by that state. +In the same way that a model state comprises the values or one or more variables, +an observation comprises one or more observables. +There are several way to define these observables. +The simplest is to specify a subset of the model's variables +that are designated as being observable. The rest are unobservable. +

    +

    For example, in a POMDP with 3 variables, s, l and h, the following: +

    +
    +
    +
    observables s, l endobservables
    +
    +
    [$[Get Code]]
    +
    + +

    specifies that s and l are observable and h is not. +

    +

    Alternatively, observables can be specified as arbitrary expressions over variables. +For example, assuming the same variables s, l and h, this specification: +

    +
    +
    +
    observable "s" = s;
    +observable "pos" = l>0;
    +
    +
    [$[Get Code]]
    +
    + +

    defines 2 observables. The first is, as above, the variable s. +The second, named "pos", determines if variable l is positive. +Other than this, the values of l and h are unobservable. +The named observables can then be used in properties +in the same way that labels can. +

    +

    The above two styles of definition can also be mixed +to specify a combined set of observables. +

    +

    POPTAs (partially observable PTAs) combine the features of both PTAs and POMDPs. +They are are currently analysed using the digital clocks engine, +so inherit the restrictions for that engine. +Furthermore, for a POPTA, all clock variables must be observable. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/ProcessAlgebraOperators.html b/manual/ThePRISMLanguage/ProcessAlgebraOperators.html index d2adcf2063..97a805fafd 100644 --- a/manual/ThePRISMLanguage/ProcessAlgebraOperators.html +++ b/manual/ThePRISMLanguage/ProcessAlgebraOperators.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / ProcessAlgebraOperators +PRISM Manual | The PRISM Language / Process Algebra Operators - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -105,6 +239,12 @@ @@ -113,6 +253,13 @@
    + +
    @@ -140,6 +287,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -149,5 +297,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=edit.html b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=edit.html new file mode 100644 index 0000000000..9ac0e23187 --- /dev/null +++ b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Process Algebra Operators | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Process Algebra Operators

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=login.html b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=login.html new file mode 100644 index 0000000000..d841c8836a --- /dev/null +++ b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Process Algebra Operators | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Process Algebra Operators

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=print.html b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=print.html new file mode 100644 index 0000000000..bf3a9efe9d --- /dev/null +++ b/manual/ThePRISMLanguage/ProcessAlgebraOperators@action=print.html @@ -0,0 +1,111 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / ProcessAlgebraOperators + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Process Algebra Operators

    + + +
    +

    To make the concept of synchronisation described above more powerful, +PRISM allows you to define precisely the way in which the set of modules are composed in parallel. +This is specified using the system ... endsystem construct, +placed at the end of the model description, which should contain a process-algebraic expression. +This expression should feature each module exactly once, and can use the following (CSP-based) operators: +

    +
    • M1 || M2 : alphabetised parallel composition of modules M1 and M2 (synchronising on only actions appearing in both M1 and M2) +
    • M1 ||| M2 : asynchronous parallel composition of M1 and M2 (fully interleaved, no synchronisation) +
    • M1 |[a,b,...]| M2 : restricted parallel composition of modules M1 and M2 (synchronising only on actions from the set {a, b,...}) +
    • M / {a,b,...} : hiding of actions {a, b, ...} in module M +
    • M {a<-b,c<-d,...} : renaming of actions a to b, c to d, etc. in module M. +

    The first two types of parallel composition (|| and |||) are associative and can be applied to more than two modules at once. +When evaluating the expression, the hiding and renaming operators bind more tightly than the three parallel composition operators. +No other rules of precedence are defined and parentheses should be used to specify the order in which modules are composed. +

    +

    Some examples of expressions which could be included in the system ... endsystem construct are as follows: +

    +
    • (station1 ||| station2 ||| station3) |[serve]| server +
    • ((P1 |[a]| P2) / {a}) || Q +
    • ((P1 |[a]| P2) {a<-b}) |[b]| Q +

    When no parallel composition is specified by the user, +PRISM implicitly assumes an expression of the form M1 || M2 || ... containing all of the modules in the model. +For a more formal definition of the process algebra operators described above, check the semantics of the PRISM language, available from the "Documentation" section of the PRISM web site. +

    +

    PRISM is also able to import model descriptions written in (a subset of) the stochastic process algebra PEPA [Hil96]. +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/Real-timeModels.html b/manual/ThePRISMLanguage/Real-timeModels.html index 266aed69c1..b857f5817b 100644 --- a/manual/ThePRISMLanguage/Real-timeModels.html +++ b/manual/ThePRISMLanguage/Real-timeModels.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Real-time Models +PRISM Manual | The PRISM Language / Real-time Models - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -106,7 +240,7 @@

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA:

    -
    +

    and here is a corresponding PRISM model:

    @@ -131,7 +265,7 @@
    [$[Get Code]]
    -

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. These must be local to a particular module, not global. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs.

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0.

    @@ -143,8 +277,7 @@

    For the stochastic games and backwards reachability engines:

    -
    • Modules cannot read the local variables of other modules and global variables are not permitted. -
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +
      • The model must also have a single initial state (i.e. the init...endinit construct is not permitted).

      For the digital clocks engine:

      • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. @@ -159,6 +292,12 @@ @@ -167,6 +306,13 @@
    + +
    @@ -194,6 +340,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -203,5 +350,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Real-timeModels@action=edit.html b/manual/ThePRISMLanguage/Real-timeModels@action=edit.html new file mode 100644 index 0000000000..5d23776f51 --- /dev/null +++ b/manual/ThePRISMLanguage/Real-timeModels@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Real-time Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Real-time Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Real-timeModels@action=login.html b/manual/ThePRISMLanguage/Real-timeModels@action=login.html new file mode 100644 index 0000000000..a201092672 --- /dev/null +++ b/manual/ThePRISMLanguage/Real-timeModels@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Real-time Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Real-time Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Real-timeModels@action=print.html b/manual/ThePRISMLanguage/Real-timeModels@action=print.html new file mode 100644 index 0000000000..4854e60683 --- /dev/null +++ b/manual/ThePRISMLanguage/Real-timeModels@action=print.html @@ -0,0 +1,164 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Real-time Models + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Real-time Models

    + + +
    +

    So far in this section, we have mainly focused on three types of models: DTMCs, MDPs and CTMCs, +in which all the variables making up their state are finite. +PRISM also supports real-time models, in particular, +probabilistic timed automata (PTAs), which extend MDPs with the ability to model real-time behaviour. +This is done in the style of timed automata [AD94], by adding clocks, +real-valued variables which increase with time and can be reset. For background material on PTAs, see for example [NPS13]. +You can also find several example PTA models included in the PRISM distribution. Look in the prism-examples/ptas directory. +

    +

    Before describing how PTA features are incorporated into the PRISM modelling language, we give a simple example. Here is a small PTA: +

    +
    +

    and here is a corresponding PRISM model: +

    +
    +
    +
    pta
    +
    +module M
    +
    +    s : [0..2] init 0;
    +    x : clock;
    +
    +    invariant
    +        (s=0 => x<=2) &
    +        (s=2 => x<=3)
    +    endinvariant
    +
    +    [send] s=0 & x>=1 -> 0.9:(s'=1)&(x'=0) + 0.1:(s'=2)&(x'=0);
    +    [retry] s=2 & x>=2 -> 0.95:(s'=1) + 0.05:(s'=2)&(x'=0);
    +
    +endmodule
    +
    +
    [$[Get Code]]
    +
    + +

    For modelling PTAs in PRISM, there is a new datatype, clock, used for variables that are clocks. Other types of PRISM variables can be defined in the usual way. In the example above, we use just a single integer variable s to represent the locations of the PTAs. +

    +

    In a PTA, transitions can include a guard, which constrains when it can occur based on the current value of clocks, and resets, which specify that a clock's values should be set to a new (integer) value. These are both specified in PRISM commands in the usual way: see, for example, the inclusion of x>=1 in the guard for the send-labelled command and the updates of the form (x'=0) which reset the clock x to 0. +

    +

    The other new addition is an invariant construct, which is used to specify an expression describing the clock invariants for each PRISM module. These impose restrictions on the allowable values of clock variables, depending on the values of the other non-clock variables. The invariant construct should appear between the variable declarations and the commands of the module. Often, clock invariants are described separately for each PTA location; hence, the invariant will often take the form of a conjunction of implications, as in the example model above, but more general expressions are also permitted. In the example, the clock x must satisfy x<=2 or x<=3 when local variables s is 0 or 2, respectively. If s is 1, there is no restriction (since the invariant is effectively true in this case). +

    +

    Expressions that include reference to clocks, whether in guards or invariants, must satisfy certain conditions to facilitate model checking. In particular, references to clocks must appear as conjunctions of simple clock constraints, i.e. conjunctions of expressions of the form x~c or x~y where x and y are clocks, c is an integer-valued expression and ~ is one of <, <=, >=, >, =). +

    +

    There are also some additional restrictions imposed on PTA models that are dependent on which of the PTA model checking engines is in use. +

    +

    For the stochastic games and backwards reachability engines: +

    +
    • The model must also have a single initial state (i.e. the init...endinit construct is not permitted). +

    For the digital clocks engine: +

    +
    • Clock constraints cannot use strict comparison operators, e.g. x<=5 is allowed, but x<5 is not. +
    • Diagonal clock constraints are not allowed, i.e. those containing references to two clocks, such as x<=y. +

    Finally, PRISM makes several assumptions about PTAs, regardless of the engine used. +

    +
    • Firstly PTAs should not exhibit timelocks, i.e. the possibility of reaching a state where no transitions are possible and time cannot elapse beyond a certain point (due to invariant conditions). PRISM checks for timelocks and reports an error if one is found. +
    • Secondly, PTAs should be well-formed and non-zeno (see e.g. [KNSW07] for details). Currently, PRISM does not check automatically that these assumptions are satisfied. +
    +
    + + + + diff --git a/manual/ThePRISMLanguage/Synchronisation.html b/manual/ThePRISMLanguage/Synchronisation.html index f20dd1b9fa..473cf8a61d 100644 --- a/manual/ThePRISMLanguage/Synchronisation.html +++ b/manual/ThePRISMLanguage/Synchronisation.html @@ -1,22 +1,25 @@ + + -PRISM Manual | ThePRISMLanguage / Synchronisation +PRISM Manual | The PRISM Language / Synchronisation - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -126,6 +260,12 @@ @@ -134,6 +274,13 @@
    + +
    @@ -161,6 +308,7 @@

    PRISM Manual

  • Costs And Rewards
  • Real-time Models
  • Partially Observable Models +
  • Uncertain Models
  • Process Algebra Operators
  • PRISM Model Files

    • [ View all ] @@ -170,5 +318,8 @@

    PRISM Manual

    + + diff --git a/manual/ThePRISMLanguage/Synchronisation@action=edit.html b/manual/ThePRISMLanguage/Synchronisation@action=edit.html new file mode 100644 index 0000000000..a51fe5da82 --- /dev/null +++ b/manual/ThePRISMLanguage/Synchronisation@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Synchronisation | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Synchronisation

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Synchronisation@action=login.html b/manual/ThePRISMLanguage/Synchronisation@action=login.html new file mode 100644 index 0000000000..b01624318b --- /dev/null +++ b/manual/ThePRISMLanguage/Synchronisation@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Synchronisation | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Synchronisation

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/Synchronisation@action=print.html b/manual/ThePRISMLanguage/Synchronisation@action=print.html new file mode 100644 index 0000000000..1e3f35cd2c --- /dev/null +++ b/manual/ThePRISMLanguage/Synchronisation@action=print.html @@ -0,0 +1,132 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / Synchronisation + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Synchronisation

    + + +
    +

    Another feature of PRISM introduced in Example 2 is synchronisation. +In the style of many process algebras, we allow commands to be labelled with actions. +These are placed inside the square brackets which mark the start of the command, +for example serve in this command from Example 2: +

    +
    +
    +
    [serve] q>0 -> lambda:(q'=q-1);
    +
    +
    [$[Get Code]]
    +
    + +

    These actions can be used to force two or more modules to make transitions simultaneously +(i.e. to synchronise). +For example, in state (3,0) (i.e. q=3 and s=0), +the composed model can move to state (2,1), +synchronising over the serve action. +The rate of this transition is equal to the product of the two individual rates +(in this case, lambda * 1 = lambda). +The product of two rates does not always meaningfully represent the rate of a synchronised transition. +A common technique, as seen here, is to make one action passive, with rate 1 and one action active, +which actually defines the rate for the synchronised transition. +By default, all modules are combined using the standard CSP parallel composition +(i.e. modules synchronise over all their common actions). +

    +
    + + + + diff --git a/manual/ThePRISMLanguage/UncertainModels.html b/manual/ThePRISMLanguage/UncertainModels.html new file mode 100644 index 0000000000..32835b016c --- /dev/null +++ b/manual/ThePRISMLanguage/UncertainModels.html @@ -0,0 +1,322 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Uncertain Models + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Uncertain Models

    + +
    + +
    +

    PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

    +

    Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

    +
    +
    +
    [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

    +
    +
    +
    [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    See the property specification section for details of how these models are analysed. +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/UncertainModels@action=edit.html b/manual/ThePRISMLanguage/UncertainModels@action=edit.html new file mode 100644 index 0000000000..25b3c063c2 --- /dev/null +++ b/manual/ThePRISMLanguage/UncertainModels@action=edit.html @@ -0,0 +1,286 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Uncertain Models | Edit + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Uncertain Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/UncertainModels@action=login.html b/manual/ThePRISMLanguage/UncertainModels@action=login.html new file mode 100644 index 0000000000..a8cca6c14e --- /dev/null +++ b/manual/ThePRISMLanguage/UncertainModels@action=login.html @@ -0,0 +1,284 @@ + + + + + + + + +PRISM Manual | The PRISM Language / Uncertain Models | Login + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + +
    +
    + +
    + + + + + + +
    +

    View - Edit - Print - Search +

    + +
    + + + +
    +

    The PRISM Language / +

    Uncertain Models

    + +
    + +
    +

    Password required +

    +
    +

    Password: + +

    +
    + + + + + + + + + +
    + + + +
    +
    + + + + + + + diff --git a/manual/ThePRISMLanguage/UncertainModels@action=print.html b/manual/ThePRISMLanguage/UncertainModels@action=print.html new file mode 100644 index 0000000000..1552f13ea2 --- /dev/null +++ b/manual/ThePRISMLanguage/UncertainModels@action=print.html @@ -0,0 +1,129 @@ + + + + + + +PRISM Manual | ThePRISMLanguage / UncertainModels + + + + + + + + + + + + + + + + + + +

    The PRISM Language / +

    Uncertain Models

    + + +
    +

    PRISM has support for uncertain models, in which there is epistemic uncertainty regarding some quantitative aspects of the probabilistic models being verified. In particular, it currently supports interval MDPs (IMDPs) and interval DTMCs (IDTMCs), which are MDPs or DTMCs in which transition probabilities can be specified as intervals, indicating that the exact probability is not precisely known. This can be useful, for example, when the transition probabilities have been estimated from data. +

    +

    Currently, this is achieved by simply replacing the probabilities attached to updates in commands with intervals, e.g.: +

    +
    +
    +
    [] x=0 -> [0.8,0.9]:(x'=0) + [0.1,0.2]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    As usual, the probability thresholds can be expressions involving state variables or constants, for example: +

    +
    +
    +
    [] x=0 -> [p,p+0.1]:(x'=0) + [0.9-p,1-p]:(x'=1);
    +
    +
    [$[Get Code]]
    +
    + +

    See the property specification section for details of how these models are analysed. +

    +
    + + + + diff --git a/manual/index.html b/manual/index.html index 86eb05d4bc..42276739ec 100644 --- a/manual/index.html +++ b/manual/index.html @@ -1,6 +1,8 @@ + + @@ -11,12 +13,13 @@ - - + + + - - - + + + + + + + + + + + + - + + +
    +
    +
    +
    www.prismmodelchecker.org
    + + +
    + +
    +
    + + +
    + +
    +
    + + +
    +

    View - Edit - Print - Search +

    + +
    @@ -78,7 +212,7 @@ This document is the main source of information regarding the installation and operation of the PRISM tool. For access to other resources, such as related publications and details of case studies, or to download the tool itself, see the main PRISM website.

    Which version of PRISM does this manual describe?

    -

    This manual describes version 4.7. +

    This manual describes version 4.8. In general, the online copy of the manual corresponds to the most recent publically available version of PRISM (including beta versions). @@ -103,6 +237,12 @@

    @@ -111,6 +251,13 @@
    + +
    @@ -126,7 +273,7 @@

    PRISM Manual

  • Running PRISM
  • Configuring PRISM
  • References -
  • FAQ +
  • FAQ
  • Appendices

    • [ View all ]

    @@ -135,5 +282,8 @@

    PRISM Manual

    + + diff --git a/manual/pub/skins/offline/css/base.css b/manual/pub/skins/offline/css/base.css deleted file mode 100644 index 636aa91dff..0000000000 --- a/manual/pub/skins/offline/css/base.css +++ /dev/null @@ -1,12 +0,0 @@ -body,input { font-family:"Helvetica Neue",Helvetica,Arial,sans-serif; font-size:100%; text-align:left; } -/* h1,h2,h1 a,h2 a { font-size:16pt; } */ -/* h3,h4,h3 a,h4 a { font-size:12pt; } */ -/* h5,h5 a { font-size:11pt; } */ -pre { font-family:monospace; text-align:left /* font-size:9pt; */ } -.pre { font-family:monospace; } -a:link { color:#0000ff; text-decoration:none } -a:visited { color:#000099; text-decoration:none } -a:hover { color:#0000ff; text-decoration:underline } -a:active { color:#ff0000; text-decoration:none } -img { border:0; } -:focus, :link:focus, :visited:focus { outline:0px; } diff --git a/manual/pub/skins/offline/css/prism.css b/manual/pub/skins/offline/css/prism.css deleted file mode 100644 index 3bd4c1d045..0000000000 --- a/manual/pub/skins/offline/css/prism.css +++ /dev/null @@ -1,513 +0,0 @@ -body { - background-color:#eeeeee; - margin:0px; - padding:0px; - min-width:600px; -} - -/* Basic (2 column, liquid) layout */ - -div#layout-maincontainer { - margin-left:200px; -} -div#layout-main { - float:right; - width:100%; - margin:0 0 0 -180px; -} -div#layout-leftcol { - width:200px; - margin:0 0 0 0; -} -div#layout-footer { - clear:both; -} - -/* Banner */ - -#prism-banner { - width:100%; - height:120px; - margin:0; - padding:0; - border:0; - text-align:center; - background-color:#6260c1; /* Right blue */ -} -#prism-bannerlefthalf { - position:absolute; - top:0; - left:0; - width:50%; - height:120px; - margin:0; - background-color:#272582; /* Left blue */ -} -#prism-bannerrighthalf { - position:absolute; - top:0; - right:0; - width:50%; - height:120px; - margin:0; - background-color:#6260c1; /* Right blue */ -} -#prism-bannerlogo { - position:absolute; - top:0; - left:0; - width:75px; - height:80px; - margin:0; - padding:30px 0 10px 25px; - text-align:left; - background-color:#272582; /* Left blue */ -} -#prism-bannerurl { - position:absolute; - top:0; - left:0; - width:100%; - height:120px; - margin:0; - padding:0; - text-align:center; -} -#prism-bannerurl img { - margin:0 100px 0 0; /* Centre URL but allow for fact RHS is wider */ - height:120px; - width:auto; -} -#prism-bannerright { - height:120px; - background-color:#333173; -} -#prism-searchbox { - position:absolute; - top:40px; - right:20px; - text-align:center; -} -#prism-searchbox #q { - display:block; - margin:0 0 5px 0; - background:#d9dbe1; - border:1px solid #9097a2; - padding:2px; - width:100px; -} -#prism-searchbox #submit { - display:block; - margin:auto; - background:#6A7389 none repeat scroll 0%; - border-color:#9097a2 #283043 #283043 #9097a2; - border-style:solid; - border-width:1px; - color:#ffffff; - padding:1px 4px; -} - -/* Main navigation bar (horizontal) */ - -#prism-navbar { - clear:both; - padding:2px 0; - border:solid #777777; - border-width:0 0 1px 0; - background:#999999 url('http://www.prismmodelchecker.org/manual/pub/skins/offline/images/nav_top.png') 0 0 repeat-x; -/* font-weight:bold; */ - text-align:center; -} - -#prism-navbarinner { - margin:0 auto; -} - -ul#prism-navbarmenu { - display:inline-block; /* So we can center this horizontally */ - list-style-type:none; - margin:0; - padding:2px; -} - -ul#prism-navbarmenu > li { - display:block; - float:left; - border:0; - margin:0; - padding:0; - background:none; - position:relative; -} - -li.prism-navitem > a, li.prism-navitemsel > a { - display:block; - padding:2px; - border-color:#999999; - border-style:solid; - border-width:1px; - border-radius:4px 4px 0 0; -} - -li.prism-navitem > a.prism-navitemhover, li.prism-navitemsel > a.prism-navitemhover { - background-color:#bbbbbb; - border-color:#777777; - border-width:1px 1px 0 1px; - color:white; -} - -li.prism-navitem > a.prism-navitemhoverempty, li.prism-navitemsel > a.prism-navitemhoverempty { - background-color:#bbbbbb; - border-color:#777777; - border-radius:4px; -} - -li.prism-navitem > a:link { color:black; text-decoration:none; } -li.prism-navitem > a:visited { color:black; text-decoration:none; } -li.prism-navitem > a:hover { color:white; text-decoration:none; } -li.prism-navitem > a:active { color:black; text-decoration:none; } - -li.prism-navitemsel > a:link { color:white; text-decoration:none; } -li.prism-navitemsel > a:visited { color:white; text-decoration:none; } -li.prism-navitemsel > a:hover { color:white; text-decoration:none; } -li.prism-navitemsel > a:active { color:white; text-decoration:none; } - -ul.prism-navbarsubmenu -{ - list-style-type:none; - position:absolute; - display:none; - margin:0; - padding:0; - background:#eeeeee; - border:solid #777777 1px; - padding:2px; - box-shadow:2px 2px 2px rgba(150,150,150,0.5); -} - -ul.prism-navbarsubmenu li { - font-weight:normal; - position:relative; - display:block; - margin:0; - padding:2px; - width:auto; - background:none; - white-space:nowrap; - text-align:left; - text-decoration:none; -} - -ul.prism-navbarsubmenu li:hover { - background:#999999; - color:#ffffff; -} - -ul.prism-navbarsubmenu li:hover a { - background:inherit; - color:inherit; -} - -li.prism-navsubitem > a:link { color:black; text-decoration:none; } -li.prism-navsubitem > a:visited { color:black; text-decoration:none; } -li.prism-navsubitem > a:hover { color:white; text-decoration:none; } -li.prism-navsubitem > a:active { color:black; text-decoration:none; } - -li.prism-navsubitemsel > a:link { color:white; text-decoration:none; } -li.prism-navsubitemsel > a:visited { color:white; text-decoration:none; } -li.prism-navsubitemsel > a:hover { color:white; text-decoration:none; } -li.prism-navsubitemsel > a:active { color:white; text-decoration:none; } - -/* Main content box */ - -#prism-mainbox { - padding:5px 30px 100px 30px; - border:solid #cccccc; - border-width:0 0 1px 1px; - background-color:#ffffff; - border-radius:0 0 0 8px; -} -#prism-unilogo { - float:right; - margin:15px 0 10px 10px; -} - -/* Second navigation panel (LHS) */ - -#prism-navbar2 { - padding:5px 20px 250px 20px; - background:#eeeeee url('../images/trinity.png') 0 0 no-repeat; - color:#333333; - font-size:100%; -} -#prism-navbar2 a { - color:#333333; -} -#prism-navbar2 .selflink { - color:#000000; - font-weight:bold; -} -#prism-navbar2 h1, #prism-navbar2 h1 a { - margin-bottom:0.3em; -} -#prism-navbar2 h3, #prism-navbar2 h3 a { - margin-bottom:0.3em; -} -#prism-navbar2 ul { - margin-left:0.8em; - padding-left:0.8em; -} -#prism-navbar2 li { - list-style-image:url('../images/hyphen.png'); - margin-bottom:0.4em; -} -#prism-navbar2 .prism-newsitem { - margin-top:10px; - margin-left:5px; -} -#prism-navbar2 .prism-newsitem a { - color:blue; -} -#prism-navbar2 hr { - height:0; - border:dotted #808080; - border-width:1px 0 0 0; -} - -#prism-advert { - float:right; - width:150px; - /*height:180px;*/ - margin:20px 30px 0 10px; - background:#eeeeee; - /*background:#eeeeee url('../images/trinity.png') 0 0 no-repeat;*/ - border:solid #777777 1px; - border-radius:7px; - font-size:80%; - box-shadow:2px 2px 2px rgba(150,150,150,0.5); -} - -#prism-advertheader { - background-color:#999999; - border-radius:6px 6px 0 0; - color:#ffffff; - padding:6px; - font-size:110%; - font-weight:bold; -} - -#prism-advertheader a { - color:#ffffff; -} - -#prism-advertbox { - padding:6px; -} - -#prism-advertbox p, #prism-advertbox a { -} - -/* Footer */ - -#prism-footer { - /*margin-left:180px;*/ - padding:20px 0 30px 0; - text-align:center; -} - -/* General components/styles */ - -/* Tables */ - -table.prism-table { - background-color:#eeeeee; - color:#333333; - text-align:left; - margin-left:auto; - margin-right:auto; - border-collapse:collapse; - border:solid 2px #000000; -} -table.prism-table a { - /*color:#333333;*/ -} -table.prism-table tr.prism-th td { - border-color:#999999; - background-color:#cccccc; - color:#000000; - font-weight:bold; - text-align:center; -} -table.prism-table tr.prism-thl td { - border-color:#999999; - background-color:#cccccc; - color:#000000; - font-weight:bold; - text-align:left; -} -table.prism-table td { - border:1px solid; - border-color:#999999 #dddddd #999999 #dddddd; - padding:1px 5px 1px 5px; - vertical-align:top; - text-align:left; -} -div.prism-table-caption -{ - font-weight:bold; - text-align:center; - margin-top:0.5em; - margin-bottom:0.75em; -} - -/* Other */ - -.prism-newsitem { - padding-bottom:10px; -} -.prism-newsitemhead { - font-weight:bold; -} - -.prism-rule { - width:100%; - height:0px; - border:0px; - border-top:dashed 1px #000099; - margin:15px 0 15px 0; -} - -img.prism-image { - display:block; - margin-left:auto; - margin-right:auto; - padding:4px; - border:solid 1px #333333; -} -.prism-image-caption { - margin-top:5px; - text-align:center; - font-weight:bold; -} - -ul.prism-list0 { -} -ul.prism-list0 li { - list-style-image:url('../images/bullet0.png'); -} -ul, ul.prism-list { -} -ul li, ul.prism-list li { - list-style-image:url('../images/bullet.png'); -} -ul.prism-list2, ul ul { -} -ul.prism-list2 li, li li { - list-style-image:url('../images/bullet2.png'); -} - -ul.spacedout li { - margin-top:0.8em; - margin-bottom:0.8em; -} - -.prism-box { - background-color:#eeeeee; - border:dotted 1px #cccccc; - padding:0 10px 0 10px; - width:90%; /* Need a width or else IE6 gets upset */ - overflow:auto; -} -.prism-citebox { - background-color:#fff8dc; - border:solid 1px #d7cca3; - border-radius:7px; - width:90%; /* Need a width or else IE6 gets upset */ - overflow:auto; - box-shadow:2px 2px 2px rgba(150,150,150,0.5); - font-size:90%; -} -.prism-citeboxheader { - background-color:#ffebcd; - padding:5px; -} -.prism-code { - background-color:#ffffcc; - border:dotted 2px #999999; - margin:10px; - padding:10px; - width:90%; /* Need a width or else IE6 gets upset */ - overflow:auto; -} -.prism-code-caption { - margin-top:5px; - text-align:center; -/* font-weight:bold; */ -} -.prism-code-scroll { - background-color:#ffffcc; - border:dotted 2px #999999; - margin:10px; - padding:10px; - height:500px; - width:90%; /* Need a width or else IE6 gets upset */ - overflow:auto; -} -* html .prism-code { - padding-bottom:1.5em; /* Nasty hack to fix IE6 scrollbar positioning */ -} -.prismkeyword { font-weight:bold; } -.prismident { color:#cc0000; } -.prismnum { color:#0000cc; } -.prismcomment { font-style:italic; color:#009900; } -.prismpreproc { color:#a020f0; } - -.prism-floatbox { - clear:both; - float:right; - width: 100px; - background-color:#bdced6; - border:dotted 1px #000099; - margin:20px 10px 20px 20px; - padding:10px; -} - -.prism-download-box { - border:dotted 2px #000099; - margin:15px; - padding:15px; -} - -a.prism-cite { color:#006600; } - -.prism-note { color:#666666; } -.prism-note a { color:#666666; } -.prism-note a.prism-cite { color:#006600; } - -.prism-task { - vertical-align:top; - width:47px; - height:28px; - float:left; - clear:both; -} - -.prism-tag { - color:white; - background-color:grey; - border-radius:2px; - padding:2px; - margin-left:4px; - font-size:75%; -} - -div.prism-shell { - padding:5px 10px 5px 10px; - margin:10px 0 10px 0; - border:1px dotted #808080; - background-color:#F1F0ED; - overflow:auto; - font-family:monospace; - font-weight:bold; - font-size:90%; -} diff --git a/manual/pub/skins/offline/images/p16.ico b/manual/pub/skins/offline/images/p16.ico deleted file mode 100644 index a977a6ab722de9f819e3dd9a32fc2dd7d2e7eab5..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1150 zcmbV|>q}E{7{`CZ%t9gwjj2VYBr6o9SH4Sf&f!_$ysUW*@r_uf<`q|Jsnh8$x|`c{ z7w5d|s89*Rd=vH`1VIo)5xwYj1+u5_Pw}vXDEu8h=XuU^exK)@-@}*$S3&~A{W5Df z!Pt4mm<*tV%0V6BxJ#0ro+f+T)fyP?>sG4@<+0#@d!0*4N-93oSbHT2(awTYtjBiJn(_= zrWL6dQoG=O=PswJLQAvm37Yj-$vo7n1<@|gvjO)@fi^2E%YNwc*!A!ME%=-?H*M$t zzhxTgy`xdzJ_)d0ToPobLGsm%3<2IAcLhNpr^P_aGj3W$k9qW%o3fGDHn!W-)|3py z28T&bPR<#nQu&qpn({JQ3r+81H|oi59NPDJAJ4cU01h=VV(t>0{}uP!TbgKdZH}JJ z`>6R|1J&2n(i2@LEqEQ|cbMJ*(Th&xa``CtJvK9KJzv84C#kl&lJ3@2QFmK2&f*}S z-S`GXYhs?4msea;qK3On+v}@j9vL7_St(UlYRRPUrzOn7GhrA3q7$9u=H^~$zTfy` zcYA|&Ho`PJZQ2XvsgxzyIrLPkSba*2G*Ulg0U6w)byeZ_>_Ym|lkG>BVAz z!kFdCj4R@@3>yT+EeQ~vqlw#UyuKRpY1Tqs-Ad5oUGO^BgYJo-b#$OyEhuBaQRP_A eM2yi#;0Ko&i-0}wlgBs^^CuD1B4@Fe4)_h*kVC@& diff --git a/manual/pub/skins/offline/css/prismmanual.css b/manual/pub/skins/prism/css/prismmanual.css similarity index 100% rename from manual/pub/skins/offline/css/prismmanual.css rename to manual/pub/skins/prism/css/prismmanual.css