DiffRefiner: Difference Analysis in APAs

• DiffRefiner is a formal tool that analyzes and decomposes differences between abstract probabilistic automata (APAs) used in compositional verification.
• It employs over- and under-approximations with symbolic constraint manipulation to capture counterexamples when refinement fails.
• Its quantitative framework uses discounted metrics to ensure convergence, rigorously balancing soundness and completeness in system analysis.

A DiffRefiner is a formal tool designed for analyzing and decomposing differences between specifications given as Abstract Probabilistic Automata (APAs), particularly in the context of compositional verification and quantitative model reasoning. When two APAs, representing system behaviors or requirements, stand in a non-refinement relation, DiffRefiner systematically synthesizes a new APA that captures all counterexample stochastic systems (implementations) attesting to the failure of refinement. The tool produces both sound over-approximations as well as convergent under-approximations of the difference, with rigorous quantitative control. At its core are distance metrics on automata, discounted convergence, and algorithms for symbolic manipulation of constraint-transition systems (Delahaye et al., 2012).

1. Formal Structure of APAs and Refinement

An Abstract Probabilistic Automaton (APA) in single-valuation normal form is a tuple: $N = (S,\, A,\, L,\, AP,\, V,\, S_0)$ where $S$ is the finite set of states, $A$ an action alphabet, $AP$ atomic propositions, $V:S\to 2^{2^{AP}}$ assigns at most one set of atomic proposition valuations per state, $S_0$ are initial states, and

$L:S \times A \times C(S) \to \{\bot,\, \may,\, \top\}$

maps each state-action-constraint triple to a modality. Here, $C(S)$ is a set of transition constraints on distributions over $S$: $L(s,a,\phi)=\top$ means “must”, $\may$ means “may”, and $\bot$ means “must not”.

Refinement is defined by a relation $R\subseteq S_1 \times S_2$ (for two APAs $N_1, N_2$) such that, for every $(s_1,s_2) \in R$:

• The valuation $V_1(s_1) \subseteq V_2(s_2)$.
• Must-part: for every "must" outgoing from $s_2$, there is a corresponding "must" in $s_1$ satisfying distribution coupling via $R$.
• May-part: for every "may" outgoing from $s_1$, there is a "may" in $s_2$ with correspondingly coupled distributions.

Refinement ($N_1 \preceq N_2$) holds if there exists such a relation covering all initial states. This definition generalizes simulation-like relations to the probabilistic and modal setting and is critical for sound refinement and difference reasoning (Delahaye et al., 2012).

2. Difference Operators and Approximation Schemes

When $N_1 \not\preceq N_2$, it is often useful to characterize the set difference of their implementations, i.e., those PAs allowed by $N_1$ that do not conform to $N_2$. In general, the exact difference

$\mathrm{Impl}(N_1) \setminus \mathrm{Impl}(N_2)$

need not correspond to an APA, so the DiffRefiner computes:

• An over-approximation $N_1 \setminus^{*} N_2$, admitting a superset of the actual difference,
• A family of under-approximations $N_1 \setminus^{K} N_2$ (for depth $K \in \mathbb{N}$), which grow increasingly tight as $K \to \infty$.

These operators are defined by symbolic construction on APA states and transitions, carefully tracking modalities and constraints, and ensuring that under-approximations are contained in the true difference while the over-approximation contains it (Delahaye et al., 2012).

3. Quantitative Theory and Convergence

DiffRefiner introduces a discounted quantitative metric: $$d(s_1, s_2) = \begin{cases} 1, & s_1, s_2 \ \text{incompatible}\ \max\Bigl\{ \max_{a,\phi_1 \neq \bot}\min_{\phi_2 \neq\bot} \lambda D(\phi_1, \phi_2),\; \max_{a,\phi_2= \top}\min_{\phi_1= \top} \lambda D(\phi_1, \phi_2) \Bigr\}, & \text{otherwise} \end{cases}$$ where $0<\lambda<1$ is a discount factor and $D(\phi_1, \phi_2)$ compares sets of distributions via a Hausdorff-like distance. This metric supports rigorous statements about the convergence of under-approximate difference automata: $$\lim_{K \to \infty} d(N_1 \setminus^* N_2, N_1 \setminus^K N_2) = 0, \quad \lim_{K \to \infty} d_t(\mathrm{Impl}(N_1)\setminus\mathrm{Impl}(N_2), \mathrm{Impl}(N_1 \setminus^K N_2)) = 0$$ ensuring precision can be controlled arbitrarily by depth $K$ (Delahaye et al., 2012).

Both soundness (over-approximation admits all true witnesses to non-refinement) and completeness (every true difference appears in some under-approximation) are guaranteed, with convergence governed by the choice of $\lambda$.

4. Core Algorithmic Workflow

The difference computation proceeds as follows:

1. Maximal Refinement Computation: Compute the largest refinement relation $R$ and the associated index function $ind_R$ (witnessing depth to breakdown) between $N_1, N_2$.
2. Depth Selection: Choose minimal $K$ such that $\lambda^K \leq \varepsilon$, for the desired precision $\varepsilon$.
3. Construction of Under-Approximation: Build the under-approximate difference automaton $N_1 \setminus^K N_2$ by symbolically constructing state tuples $(s_1, s_2, e, k)$, with transitions handled according to six "breaking" cases (detailed in the source (Delahaye et al., 2012), Table V).
4. Distance Evaluation and Termination: Optionally, measure the (discounted) distance to verify convergence and sufficiency with respect to $\varepsilon$.

Pseudocode for this high-level process:

function ApproxDifference(N1, N2, λ, ε): if N1 ⪯ N2: return ∅ R, ind_R ← ComputeMaxRefinement(N1, N2) K ← ceil( log(ε) / log(λ) ) Ndiff ← BuildUnderApprox(N1, N2, R, ind_R, K) return Ndiff

Complexity is modest: for fixed $\lambda$ and $\varepsilon$, asymptotically dominated by the cost of the underlying refinement computation and symbolic constraint solving.

5. Implementation and Practical Considerations

Efficient implementation of DiffRefiner entails:

• Representation of APA states, transitions, and constraints (often as SMT objects for $C(S)$).
• Bit-matrix storage and queue management for $R$.
• Implicit handling of under-approximation states using hash-maps keyed on tuples $(s_1, s_2, e, k)$.
• Iterative value-iteration for distance calculations if convergence needs to be explicitly monitored.
• Tuning of $\lambda$ for the sensitivity/convergence tradeoff, and setting $K$ accordingly.

Discounting guarantees that cycles and infinite behaviors contribute at most $\lambda^K$ at depth $K$.

6. Example and Characterization of Results

Consider two APAs $N_A$ and $N_B$ (each with two states, simple Boolean-atomic-propositions). Suppose $N_A$ enables an action $a$ leading deterministically to a state $s_1$, and $N_B$ requires action $a$ to hit state $t_1$ with probability at least 0.5. All implementations of $N_A$ actually refine $N_B$, so the DiffRefiner returns the empty difference.

If instead $N_A$ allows any mixture between $s_0$ and $s_1$ on $a$, there are behaviors excluded by $N_B$; the under-approximate difference at increasing $K$ will include more concrete counterexamples (e.g., those assigning less than 0.5 mass to $s_1$), and as $K\to\infty$, approaches the set of all such witness PAs. Over-approximation represents all possible ways to fail refinement, possibly admitting infinitesimal cases (Delahaye et al., 2012).

7. Theoretical and Practical Significance

The DiffRefiner approach is theoretically grounded, delivering both soundness and completeness guarantees via over-/under-approximation, all under explicit metric control. This enables precision-tunable difference analyses not only for exhaustively distinguishing implementable behaviors but also for understanding specification robustness and root causes in system design.

The construction is as efficient as ordinary refinement-checking. Its rigor and algorithmic transparency make it suitable for runtime integration in probabilistic/verifiable system design and analysis workflows.

For formal details, soundness proofs, construction of difference automata, and worked examples, see "Refinement and Difference for Probabilistic Automata" (Delahaye et al., 2012).