The μ-Calculus Model-Checking Algorithm for Generalized Possibilistic Decision Process

Model checking is a formal automatic verification technology for complex concurrent systems. It is widely used in the verification and analysis of computer software and hardware systems, communication protocols, security protocols, etc. A generalized possibilistic μ-calculus model-checking algorithm for decision processes is studied to solve the formal verification problem of concurrent systems with nondeterministic and incomplete information on the basis of possibility theory. Firstly, the generalized possibilistic decision process is introduced as the system model. Then, the classical propositional μ-calculus is improved and extended, and the concept of generalized possibilistic μ-calculus (GPoμ) is given to describe the attribute characteristics of nondeterministic systems. Next, the GPoμ model-checking algorithm is proposed, and the model-checking problem is reduced to fuzzy matrix operations. Finally, a specific example and a case study are analyzed and verified. Compared with the classical μ-calculus, the generalized possibilistic μ-calculus has stronger expressive power and can better characterize the attributes of nondeterministic systems. The model-checking algorithm gives the possibility that the system satisfies the attributes. This work provides a new idea and method for model checking nondeterministic systems.


Introduction
The continuous enhancement of computer functions makes systems increasingly complex; to ensure the correctness of such systems, more time is usually spent on verification than on construction [1]. Formal methods are important means of ensuring the correctness and security of computer systems. They integrate verification early in the design process and ensure the credibility of the system through strict logical reasoning and mathematical calculation.
Model checking is a formal automatic verification technology that provides a complete formal verification framework for system attributes [2]. Classical model-checking technology is mainly used for qualitative research on a system, that is, to verify whether the system satisfies the attributes described by temporal logic formulas such as Computation Tree Logic (CTL), Linear Temporal Logic (LTL), and the μ-calculus [3,4]. If the attribute is satisfied, the model checker returns "True"; otherwise, it returns "False" together with a specific counterexample. However, in the design of actual systems, nondeterministic systems containing uncertain or inconsistent information are often encountered, so qualitative research on such systems cannot meet actual needs. In recent years, there has been some research on quantitative model-checking methods based on possibility measures. Li et al. proposed Generalized Possibilistic LTL (GPoLTL), an extension of LTL, and gave quantitative model-checking methods for linear-time properties based on generalized possibility measures in [18]. They also extended CTL to Generalized Possibilistic CTL (GPoCTL) and proposed a model-checking algorithm for the generalized possibilistic decision process in [21]. Our paper is the first to extend the classical μ-calculus with possibility measure theory and to study the resulting possibilistic model checking. The μ-calculus is very expressive and can capture many other temporal logics (such as CTL*) and program logics [12]. We extend the classical μ-calculus by adding a possibility value, which gives the Generalized Possibilistic μ-calculus (GPoμ); its semantics interpret GPoμ formulas as mappings from the set of states of a Generalized Possibilistic Decision Process (GPDP) to the domain (0,1).
The conjunction, disjunction, and negation operators are interpreted as the meet, join, and complementation operators in (0,1), respectively, so fuzzy logic and possibility measure theory are used to reason about and calculate the attribute values of systems. GPoμ can express some properties that GPoCTL and GPoLTL cannot describe. Finally, we solve the model-checking problem with fuzzy matrices. This paper is organized as follows. Section 2 gives basic knowledge of fuzzy theory and possibility measure theory. In Section 3, the notion of the generalized possibilistic decision process is introduced as the model of nondeterministic systems. Section 4 introduces the generalized possibilistic μ-calculus (GPoμ) to characterize the attributes of uncertain systems and gives a model-checking algorithm to compute the possibilities that the system states satisfy the attributes. A specific example and a case study are explained in Section 5. We conclude at the end of the paper.

Fuzzy Theory
A fuzzy set [23] on a domain U is defined by a membership function from U to [0,1]; such a function determines a fuzzy subset of U. For an element of U, the value of the membership function on that element, which lies in [0,1], is the membership degree of the element in the fuzzy subset.
Let A and B be two fuzzy subsets of U. For any element of U, the membership functions of the union A ∪ B, the intersection A ∩ B, the complement, and the implication A → B are defined pointwise; union and intersection take the join and the meet of the two membership degrees, and the complement takes the complementation in [0,1].
A matrix whose entries all lie in [0,1] is a fuzzy matrix. For fuzzy matrices Q and R of the same size, the union Q ∪ R, the intersection Q ∩ R, and the complement are likewise defined entrywise. Given fuzzy matrices Q and R whose inner dimensions agree, their ∨−∧ (max−min) composite, denoted Q ∘ R, is defined by taking, for each entry, the join ∨ over the inner index of the meets ∧ of the corresponding entries of Q and R.

Possibility Measure Theory
Let I be an index set [21]. A possibility measure on a nonempty set U is a mapping POS: 2^U → [0,1] satisfying the following formulae. If POS satisfies only Formulae (1) and (3), then POS is called a generalized possibility measure. If POS is a generalized possibility measure on a nonempty set U, then for any E ⊆ U, POS(E) satisfies:

Generalized Possibilistic Decision Process
In the design of practical systems, there are systems that have both nondeterministic choices of actions and possibility distributions over states. We introduce the notion of the generalized possibilistic decision process as a model for such uncertain systems.

Definition 1.
A generalized possibilistic decision process (GPDP) [24] is a tuple M consisting of a state set S, a possibilistic initial distribution, an action set Act, a possibilistic transition distribution function R, a set of atomic propositions AP, and a labeling function L, where S is a finite, nonempty set of states; the possibilistic initial distribution is a function from S to [0,1]; Act is a set of actions; R: S × Act × S → [0,1] is the possibilistic transition distribution function, and for every state s ∈ S and every action α ∈ Act there is a state t such that R(s, α, t) > 0; AP is a set of atomic propositions; and L: S × AP → [0,1] is a labeling function, where L(s, ·) gives, for each atomic proposition, the possibility that it holds in state s.
If S and AP are both finite, we call M a finite GPDP. R(s, α, t) represents the possibility that the system evolves from state s into state t by action α. If R(s, α, t) > 0, state t is called a successor of state s, and state s a predecessor of state t. The set of direct α-successors of s is defined as {t ∈ S | R(s, α, t) > 0}. The set of predecessors of t is defined as {s ∈ S | R(s, α, t) > 0 for some α ∈ Act}. The set of actions that state s can trigger is defined as {α ∈ Act | ∃ t ∈ S, R(s, α, t) > 0}.
The set of paths in the GPDP M is denoted Paths(M). The minimum possibilistic transition matrix is the meet ∧ of the transition matrices taken over all actions. The transitive closure of a fuzzy matrix R is the join of its positive powers, R ∨ R^2 ∨ R^3 ∨ ⋯, and the reflexive transitive closure of R is denoted R*, R* = R^0 ∨ R ∨ R^2 ∨ ⋯, where R^0 denotes the identity matrix.
Let us take the generalized possibilistic decision process (GPDP) in Figure 1 as an example. The corresponding fuzzy matrices of the GPDP in Figure 1 are given in the order of the states shown in the figure. For a GPDP M, a function GPo_M: Paths(M) → [0,1] is defined on paths, and from it a function on states is derived whose value at a state s denotes the maximum possibility measure of a path starting from state s.
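The fuzzy matrix operations of Section 2 and the closures just defined, as an added example in Python written for this page (not the paper's own code): entrywise union, intersection and complement, the ∨−∧ composite, the transitive closure (written R+ here) and the reflexive transitive closure R*, together with a brute-force check that each entry of the transitive closure equals the strongest path between the two states. The four-state transition matrix is constructed for this example, and the possibility of a finite path is taken as the meet of its transition possibilities, which is an assumption, since the paper's defining equation for GPo_M is not reproduced above.

```python
"""Fuzzy matrix algebra for a possibilistic transition relation (added example)."""
from typing import FrozenSet, List

Mat = List[List[float]]


def union(Q: Mat, R: Mat) -> Mat:
    """Entrywise join (max) of two fuzzy matrices of the same shape."""
    return [[max(q, r) for q, r in zip(qrow, rrow)] for qrow, rrow in zip(Q, R)]


def intersection(Q: Mat, R: Mat) -> Mat:
    """Entrywise meet (min) of two fuzzy matrices of the same shape."""
    return [[min(q, r) for q, r in zip(qrow, rrow)] for qrow, rrow in zip(Q, R)]


def complement(Q: Mat) -> Mat:
    """Entrywise complementation 1 - q in [0,1]."""
    return [[1.0 - q for q in row] for row in Q]


def compose(Q: Mat, R: Mat) -> Mat:
    """Max-min (v-^) composite: (Q o R)[i][j] = max_k min(Q[i][k], R[k][j])."""
    inner = len(R)
    return [[max(min(Q[i][k], R[k][j]) for k in range(inner))
             for j in range(len(R[0]))] for i in range(len(Q))]


def identity(n: int) -> Mat:
    """R^0: the identity fuzzy matrix."""
    return [[1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]


def transitive_closure(R: Mat) -> Mat:
    """R+ = R v R^2 v R^3 v ...; the join stabilises after at most n rounds."""
    closure, power = R, R
    for _ in range(len(R)):
        power = compose(power, R)
        joined = union(closure, power)
        if joined == closure:
            break
        closure = joined
    return closure


def reflexive_transitive_closure(R: Mat) -> Mat:
    """R* = R^0 v R+."""
    return union(identity(len(R)), transitive_closure(R))


def path_possibility(R: Mat, path: List[int]) -> float:
    """Possibility of a finite path, taken here as the meet of its transition
    possibilities (an assumption: the paper's defining equation is not reproduced)."""
    return min(R[a][b] for a, b in zip(path, path[1:]))


def strongest_path(R: Mat, s: int, t: int) -> float:
    """Brute force: max over all simple paths from s to t (cycles when s == t)
    of path_possibility. The max-min closure entry R+[s][t] must equal this."""
    n = len(R)
    best = 0.0

    def dfs(node: int, visited: FrozenSet[int], poss: float) -> None:
        nonlocal best
        for nxt in range(n):
            w = R[node][nxt]
            if w == 0.0:
                continue
            p = min(poss, w)
            if nxt == t:
                best = max(best, p)
            elif nxt not in visited:
                dfs(nxt, visited | {nxt}, p)

    dfs(s, frozenset([s]), 1.0)
    return best


# Constructed single-action transition matrix over four states s0..s3.
R_EXAMPLE: Mat = [
    [0.0, 0.8, 0.3, 0.0],
    [0.0, 0.0, 0.6, 0.5],
    [0.0, 0.0, 0.0, 0.9],
    [0.2, 0.0, 0.0, 0.0],
]

if __name__ == "__main__":
    plus = transitive_closure(R_EXAMPLE)
    for i, row in enumerate(plus):
        print(f"R+ row s{i}: {row}")
    print("strongest path s0 -> s3:", strongest_path(R_EXAMPLE, 0, 3))
    print("R* diagonal:", [reflexive_transitive_closure(R_EXAMPLE)[i][i] for i in range(4)])
```

Because max and min never create new values, the closure iteration terminates after at most n rounds, and the entry R+[s0][s3] = 0.6 is reached along s0 → s1 → s2 → s3 rather than the shorter s0 → s1 → s3 (0.5), which is exactly the maximum-over-paths reading of the composite.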
Furthermore, any finite Generalized Possibilistic Kripke Structure (GPKS) [18] can be regarded as a finite GPDP with only one action available in any state.
In the generalized possibilistic decision process, an action is first chosen nondeterministically, which selects a possibility distribution; the next state is then selected according to that possibility distribution. This uncertain process describes the alternation of concurrent processes in a distributed system with incomplete information. Therefore, the generalized possibilistic decision process is very suitable as a model for uncertain systems.

Generalized Possibilistic μ-Calculus
The classical μ-calculus [2] is used to represent the properties of transition systems. It is mainly used for qualitative research on Boolean systems, but it has certain limitations: it cannot describe the properties of nondeterministic systems with possibility information. In this section, we extend the classical μ-calculus by adding a possibility value and propose the concept of the generalized possibilistic μ-calculus (GPoμ); its semantics interpret GPoμ formulas as mappings from the set of states of a GPDP to the domain [0,1]. The conjunction, disjunction, and negation operators are interpreted through fuzzy theory and possibility measure theory, so as to analyze the safety and reliability of uncertain systems.

Definition 3. (Syntax of GPoμ)
Let AP be the set of atomic propositions, let Φ range over GPoμ formulae, and let X, Y, ⋯ be relational variables; the generalized possibilistic μ-calculus is defined recursively by the following grammar:
Here, to ensure that fixpoint formulas are monotonic, the variable X must occur under an even number of negations. The following negation and duality laws hold in the generalized possibilistic μ-calculus:

Theorem 1.
Let Φ be a GPoμ formula; for any s ∈ S, it satisfies the following equations:
Hence the operator defined by a fixpoint formula is monotonic, since the operators it is built from are monotonic and the possibility value domain (0,1) is a finite complete lattice. According to the Knaster–Tarski theorem [11], the least-fixpoint and greatest-fixpoint formulas have a least fixpoint and a greatest fixpoint, respectively. Similarly to the classical μ-calculus, the CTL formulae for the generalized possibilistic decision process can also be expressed by GPoμ formulae. □ Therefore, we obtain Theorem 3.

Theorem 3.
The fixpoint semantics of CTL formulae for the generalized possibilistic decision process are expressed by GPoμ formulae as follows:
Taking Equation (12) as an example, we prove the correctness of Theorem 3.
Proof: According to Theorem 2, the fixpoint semantics of CTL formulae for the generalized possibilistic decision process are expressed by GPoμ formulae as follows:

Model-Checking Algorithm
Given a GPDP M, a state s, and a GPoμ formula Φ, the purpose of GPoμ model checking is to calculate the value of ‖Φ‖(s). For a GPoμ formula Φ, the value of ‖Φ‖(s) can be calculated recursively in |Φ| steps, where |Φ| denotes the length of the formula Φ [25]; the recursive rules are given as follows: Here ‖Φ‖ denotes the column vector whose entry at s is the possibility that Φ holds in s, i.e., ‖Φ‖ = (‖Φ‖(s))_{s∈S}. To calculate the possibility of the formula ⋄Φ, for any state s and any action α ∈ Act, we convert the value of the formula into matrix operations: ‖⋄Φ‖(s) = ∨_{α∈Act, t∈S} (R(s, α, t) ∧ ‖Φ‖(t)), that is, ‖⋄Φ‖ = R ∘ ‖Φ‖. Therefore, the maximum and minimum values of ‖⋄Φ‖(s), expressed by fuzzy matrices, are shown below: For □Φ, according to Theorem 1, ¬‖□Φ‖(s) = ‖⋄¬Φ‖(s) for any state s and any action α ∈ Act, so we have: Thus, we use fuzzy matrices to calculate the maximum and minimum values of ‖□Φ‖(s) as shown below: (‖□Φ‖(s))_{s∈S} = ¬(R ∘ ¬‖Φ‖).

Algorithm 1: Fixpoint algorithm
Input: A function f from the possibility distributions on the state set S into itself.

Output: The fixpoint of f.

End Function
Furthermore, we set Q = 0 or Q = 1 in the initial recursion to calculate the least fixpoint or the greatest fixpoint, respectively, which differs from the classical fixpoint algorithm.
Hence, according to the GPoμ semantics, we give the GPoμ model-checking algorithm, presented as Algorithm 2:
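As an added example (not the paper's Algorithm 2, and not the data of its Figure 1), a minimal GPoμ evaluator in Python that follows the recursive semantics above: ⋄Φ is computed as the composite R ∘ ‖Φ‖, □Φ through the duality ¬‖⋄¬Φ‖, and μ/ν by the fixpoint iteration of Algorithm 1 started from Q = 0 or Q = 1. It also exercises the CTL encodings of Theorem 3 by checking EF E as μX.(E ∨ ⋄X) and AG E as νX.(E ∧ □X). The three-state GPDP with actions alpha, beta, gamma and propositions P, G, E is constructed here; the "maximum" and "minimum" variants are obtained by plugging in the join and the meet of the per-action transition matrices, respectively, which is how the maximum/minimum values of the text are read in this example (an assumption about its notation).

```python
"""GPoμ model checking on a small GPDP via fuzzy matrix operations (added example)."""
from typing import Callable, Dict, Iterable, List

Vec = List[float]
Mat = List[List[float]]

# Constructed GPDP: three patient states and three treatment actions.
# TRANS[a][i][j] = R(s_i, a, s_j): possibility of moving from s_i to s_j under action a.
TRANS: Dict[str, Mat] = {
    "alpha": [[0.2, 0.8, 0.1], [0.0, 0.6, 0.5], [0.0, 0.0, 1.0]],
    "beta":  [[0.1, 0.5, 0.4], [0.3, 0.2, 0.7], [0.0, 0.3, 1.0]],
    "gamma": [[0.9, 0.3, 0.0], [0.0, 1.0, 0.2], [0.0, 0.2, 0.6]],
}
# LABELS[p][i] = L(s_i, p): possibility that atomic proposition p holds in s_i.
LABELS: Dict[str, Vec] = {"P": [0.7, 0.3, 0.0], "G": [0.3, 0.8, 0.2], "E": [0.0, 0.4, 1.0]}


def over_actions(trans: Dict[str, Mat], pick: Callable[[Iterable[float]], float]) -> Mat:
    """Entrywise max (join) or min (meet) over the per-action transition matrices.
    The meet is the minimum possibilistic transition matrix of Section 3."""
    mats = list(trans.values())
    n = len(mats[0])
    return [[pick(m[i][j] for m in mats) for j in range(n)] for i in range(n)]


def compose(M: Mat, v: Vec) -> Vec:
    """Max-min composite of a fuzzy matrix with a column vector:
    (M o v)[i] = max_k min(M[i][k], v[k])."""
    return [max(min(M[i][k], v[k]) for k in range(len(v))) for i in range(len(M))]


def close(a: Vec, b: Vec, eps: float = 1e-9) -> bool:
    """Vector equality up to floating-point noise from the 1 - x complements."""
    return len(a) == len(b) and all(abs(x - y) < eps for x, y in zip(a, b))


# Formulae are nested tuples:
#   ("atom", p) | ("var", X) | ("not", F) | ("and", F, G) | ("or", F, G)
#   | ("dia", F) | ("box", F) | ("mu", X, F) | ("nu", X, F)
def sem(phi: tuple, M: Mat, env: Dict[str, Vec]) -> Vec:
    """‖phi‖ as a vector indexed by state; M is the join or meet transition matrix."""
    tag = phi[0]
    if tag == "atom":
        return list(LABELS[phi[1]])
    if tag == "var":
        return env[phi[1]]
    if tag == "not":
        return [1.0 - x for x in sem(phi[1], M, env)]
    if tag == "and":
        return [min(x, y) for x, y in zip(sem(phi[1], M, env), sem(phi[2], M, env))]
    if tag == "or":
        return [max(x, y) for x, y in zip(sem(phi[1], M, env), sem(phi[2], M, env))]
    if tag == "dia":
        return compose(M, sem(phi[1], M, env))
    if tag == "box":
        # Duality (Theorem 1): ¬‖□F‖ = ‖⋄¬F‖, hence ‖□F‖ = ¬(M o ¬‖F‖).
        negated = [1.0 - x for x in sem(phi[1], M, env)]
        return [1.0 - x for x in compose(M, negated)]
    if tag in ("mu", "nu"):
        # Algorithm 1: iterate the body from Q = 0 (least) or Q = 1 (greatest fixpoint).
        cur = [0.0 if tag == "mu" else 1.0] * len(M)
        while True:
            nxt = sem(phi[2], M, {**env, phi[1]: cur})
            if close(cur, nxt):
                return nxt
            cur = nxt
    raise ValueError(f"unknown formula node: {phi!r}")


def check(phi: tuple, use_min: bool = False) -> Vec:
    """Model-check phi on the constructed GPDP with the join (default) or meet matrix."""
    M = over_actions(TRANS, min if use_min else max)
    return sem(phi, M, {})


# CTL encodings in the style of Theorem 3: EF E = μX.(E ∨ ⋄X), AG E = νX.(E ∧ □X).
EVENTUALLY_E = ("mu", "X", ("or", ("atom", "E"), ("dia", ("var", "X"))))
ALWAYS_E = ("nu", "X", ("and", ("atom", "E"), ("box", ("var", "X"))))

if __name__ == "__main__":
    for name, phi in [("⋄E", ("dia", ("atom", "E"))), ("□E", ("box", ("atom", "E"))),
                      ("μX.E∨⋄X", EVENTUALLY_E), ("νX.E∧□X", ALWAYS_E)]:
        print(f"{name:9} max={check(phi)}  min={check(phi, use_min=True)}")
```

The fixpoint loop terminates because the body is monotonic (X occurs under an even number of negations) and every iterate is built by max, min and 1 − x from the finitely many values in the model; the comparison with a small tolerance only absorbs rounding from the complements. On this model ‖⋄E‖ with the join matrix is (0.4, 0.7, 1.0), the least fixpoint μX.(E ∨ ⋄X) rises to (0.7, 0.7, 1.0), and the greatest fixpoint νX.(E ∧ □X) descends to (0.0, 0.4, 0.7).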

An Illustrative Example
In this section, we give the example used in [24] to illustrate the GPoμ model-checking algorithm. Assume that a new type of disease occurs and the doctors do not have enough knowledge to treat it, so they can only make treatment plans based on their own experience. Depending on the treatment options the doctors take, the patient's physical health is also uncertain. So a GPDP is used to model the patient's treatment process.
Assume that the doctors divide the patient's status into three states, so S consists of three states, one of which is the patient's initial state. AP = {P, G, E} is the set of atomic propositions, where P, G, and E respectively indicate that the patient's health status is "poor", "general", and "excellent" in a given state. Different doctors understand these three health conditions differently, so we assign them fuzzy values indicating the degree of physical health. For example, L(s, P) = 0.7 denotes that the degree to which the patient's health is "poor" in state s is 0.7. Let Act = {α, β, γ}, meaning that the doctors treat the patient with one of three different treatment schemes α, β, γ. R(s, β, t) = 0.5 denotes that the possibility that the patient's health status changes from state s to state t is 0.5 after the doctors adopt treatment scheme β. Some calculations are presented in detail as follows.
‖⋄E‖(s) denotes the possibility that the patient's health eventually changes to "excellent" after a treatment.

The two values computed for ‖□Φ‖(s) represent, respectively, the maximum and minimum possibilities of ‖□Φ‖(s) in the three states. As a result, the possibility values with which each state satisfies the attributes are obtained. Through these data, doctors can compare the results of different treatment options and then choose a practical treatment scheme. Our algorithm provides data support for doctors' decision analysis.

Case Study
We use the intelligent washing machine studied in [18] as an example to better explain the application of the GPoμ model-checking method. Figure 3 shows the control system of the intelligent washing machine, where S0 to S10 are the states of the system, there is only one action in the system, and the possibility values are marked on the transitions between states. The atomic propositions are dirty (di), detergent (de), and running (r), which denote the condition of the clothes, the state of the detergent, and the state of the system. The value of every atomic proposition is labeled at each state. For example, di = 1 means that the clothes are very dirty, di = 0.5 means that the clothes are moderately dirty, and di = 0 means that the clothes are clean. de = 1 means there is a lot of detergent, de = 0.5 means there is a moderate amount of detergent, and de = 0 means that there is no detergent. r = 1 denotes that the machine is running, and r = 0 means that the washing machine is off. The initial state is S0, where the clothes are very dirty, there is a lot of detergent, and the system is off. From S1 to S2, it can be seen that the dosage of detergent is decreasing. At S3, the detergent is 0 but the clothes are still dirty, so detergent should be added, and S3 may return to the initial state S0 or to S2. In addition, each state has a self-loop with possibility 1, which is omitted in the figure. For the intelligent washing machine system, we convert some properties into GPoμ formulae:

Property1
The possibility that the washing machine can be turned off at the next time, which is denoted using the proposition running.

Property2
The possibility that the clothes can be cleaned in the next state of the washing machine, which is denoted using the proposition dirty.

Property3
The possibility that the washing machine may have detergent before the clothes are clean, which is denoted as follows:

Property4
The possibility that there is always detergent in the washing machine, which is denoted as follows:

Property5
The possibility that the clothes can be cleaned in the washing machine only with detergent, which is denoted as follows:
The results of verifying the properties of the intelligent washing machine system are shown in Table 1.
Table 1. Results of verifying the properties of the intelligent washing machine system.
The classical μ-calculus model-checking algorithm simply searches the finite state space of a Boolean transition system to find the satisfaction set of a system property. The GPoμ model-checking algorithm is more expressive for possibilistic information, because it can characterize uncertain information to deal with the incompleteness of the information in systems and specifications, and it gives the degree to which a system satisfies its specification. The satisfaction relation becomes the possibility value with which the expected property holds, which is more in line with the characteristics of actual systems.

Conclusion
In actual system design, a system containing possibility information is uncertain (lacking basic information) or inconsistent (conflicts often occur when information is collected from multiple sources), and classical logic is unable to reason about and calculate the relevant characteristics of such uncertain systems. Our method can verify the properties of nondeterministic systems such as expert systems and intelligent control systems with uncertainty. However, research on the expressive power of the extended μ-calculus is not yet sufficient, for example on multilayer nesting of multiple fixpoint formulas, and research on the optimization of algorithms for nested fixpoints is also insufficient. In the future, we will continue to study the expressive power of the logic and its algorithm, and develop a practical model checker to implement automatic verification.