Inductive Verification of Hybrid Automata with Strongest Postcondition Calculus
June 12, 2013 @ iFM
Daisuke Ishii, Tokyo Institute of Technology
Guillaume Melquiond, INRIA Saclay / LRI, Université Paris Sud 11
Shin Nakajima, National Institute of Informatics, Tokyo
Hybrid Systems
• Systems whose states can make both continuous and discrete changes
• Example: Water-level monitor
[Figure: a tank with a level sensor and a pump (on/off); thresholds max, high, low, min on the water level x; ẋ = rate_in while the pump is on and ẋ = rate_out while it is off]
Verification of Hybrid Systems
• Model-checking approach
  - Based on hybrid automata
  - Many practical automated tools: e.g. HyTech [Henzinger+ 96] and PHAVer [Frehse 02]
  - Tractable problems are limited: small linear models, without uncertain parameters
• Logical analytic approach
  - Based on annotated imperative programs
  - Theoretically studied but few practical tools
  - KeYmaera [Platzer+ 08] has been successful
  - Applicable to a larger class of systems
    ✴ systems with symbolic parameters, nonlinear systems
  - Verification process is not fully automatic
Talk Overview
• We propose an algorithmic logical analytic method built on top of symbolic arithmetic solvers
  - Clear and correct scheme: conjunction of simple transformations
  - Applicable to a large class of hybrid automata
    ✴ with nonlinear flows and uncertain parameters
[Figure: the verification pipeline. Safety verification of a hybrid automaton (property □P, dynamics dx = ...) → ImpHA program (trans; evolve ti; …) → verification conditions VC1, ..., VCm+n (obtained by induction and the SP calculus) → safety proof (discharged with Mathematica); a loop invariant P+ is fed back into the verification conditions]
Talk Outline
1. Hybrid Automata
2. ImpHA and Strongest Postcondition Calculus
3. Inductive Verification
4. Experimental Results
Hybrid Automata (HA)
• Mathematical model of hybrid systems
  - Discrete aspect is described by an automaton
  - Continuous dynamics is described by a differential equation indexed by locations of the automaton
• A hybrid automaton is a septet HA = 〈Loc, Var, Init, Grd, Rst, Flow, Inv〉 that consists of:
  - Finite set Loc = {L1, ..., Lp} of locations
  - Finite set Var = {x1, ..., xq} of real-valued variables
  - Initial condition Init in Loc × R^Var
  - Family Grd = {Grd_{L,L'}}_{L∈Loc, L'∈Loc} of guard conditions Grd_{L,L'} in R^Var
  - Family Rst = {Rst_{L,L'}}_{L∈Loc, L'∈Loc} of reset functions Rst_{L,L'} : R^Var → R^Var
  - Family Flow = {Flow_L}_{L∈Loc} of vector fields Flow_L : R^Var → R^Var
  - Family Inv = {Inv_L}_{L∈Loc} of location invariants Inv_L in R^Var
Example: Water-level Monitor
• Variables: x1 (analog, the water level), x2 (stopwatch)
• Locations, each with its vector field and location invariant:
  - on:     ẋ1 = rate_in;            x1 ≦ high
  - sw_off: ẋ1 = rate_in & ẋ2 = 1;  x2 ≦ delay
  - off:    ẋ1 = rate_out;           x1 ≦ low
  - sw_on:  ẋ1 = rate_out & ẋ2 = 1; x2 ≦ delay
• Transitions, each with its guard ⇒ reset:
  - on → sw_off:  x1 = high ⇒ x2 := 0
  - sw_off → off: x2 = delay ⇒ x2 := 0
  - off → sw_on:  x1 = low ⇒ x2 := 0
  - sw_on → on:   x2 = delay ⇒ x2 := 0
• Initial condition: x1 := low
Execution of Water-level Monitor
• Two rates of the water flow: rate_in and rate_out
• The controller tries to turn on/off the pump when the water level reaches low/high
• It takes delay seconds to turn on/off the pump
[Figure: plots of x1(t) and x2(t) against time; x1 moves between the thresholds min, low, high, max while the automaton cycles through on → sw_off → off → sw_on → on]
Execution of HA
• (Finite- or infinite-length) execution of a HA is a valuation of variables as functions over time
• Example execution of the water-level monitor:
  〈on,(3,0)〉 → 〈on,(high,0)〉 → 〈sw_off,(high,0)〉 → 〈sw_off,(5.5,delay)〉 → …
[Figure: x1(t) rises from 3 to high in location on, then to 5.5 during sw_off while the stopwatch x2(t) runs from 0 to delay; the run continues through off and sw_on]
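The water-level monitor HA and the execution above, as an added Python example (not code from the slides or from the authors' Mathematica implementation): the flows, guards and resets are encoded directly from the automaton, an execution is built by alternating a continuous step up to the next equality guard with the discrete transition and its reset, and the safety property min ≤ x1 ≤ max is checked along the trace. The constants low = 4, high = 5, min = 0, max = 10, rate_in = 1, rate_out = −2 and delay = 1/2 are constructed (the slide keeps them symbolic); location invariants are not encoded, each equality guard is simply taken as soon as it holds.

```python
from fractions import Fraction as F
# Constructed constants (assumed): delay = 1/2 with rate_in = 1 reproduces the slide's step <sw_off,(high,0)> -> <sw_off,(5.5,delay)>.
LOW, HIGH, MIN, MAX = F(4), F(5), F(0), F(10)
RATE_IN, RATE_OUT, DELAY = F(1), F(-2), F(1, 2)

# Flow_L as constant rates (dx1/dt, dx2/dt) per location, so evolution is linear in t.
FLOW = {"on": (RATE_IN, 0), "sw_off": (RATE_IN, 1),
        "off": (RATE_OUT, 0), "sw_on": (RATE_OUT, 1)}
# Edges (src, dst, guard, reset): guard "x_i = c" as (i, c), reset "x_i := v" as (i, v).
EDGES = [("on", "sw_off", (0, HIGH), (1, F(0))), ("sw_off", "off", (1, DELAY), (1, F(0))),
         ("off", "sw_on", (0, LOW), (1, F(0))), ("sw_on", "on", (1, DELAY), (1, F(0)))]

def evolve(loc, x, t):
    """Continuous step: follow Flow_loc for t time units from valuation x."""
    return tuple(xi + ri * t for xi, ri in zip(x, FLOW[loc]))

def next_transition(loc, x):
    """Earliest outgoing edge whose equality guard is reached from (loc, x), with its time."""
    best = None
    for src, dst, (i, c), reset in EDGES:
        if src != loc or FLOW[loc][i] == 0:
            continue
        t = (c - x[i]) / FLOW[loc][i]          # time until x_i = c under the constant rate
        if t >= 0 and (best is None or t < best[0]):
            best = (t, dst, reset)
    return best

def execute(loc, x, steps):
    """Execution as a list of <location, valuation> states: continuous step to the guard, then reset."""
    trace = [(loc, x)]
    for _ in range(steps):
        nt = next_transition(loc, x)
        if nt is None:                         # no reachable guard: the execution stops here
            break
        t, loc_next, (i, v) = nt
        x = evolve(loc, x, t)
        trace.append((loc, x))                 # state reached when the guard becomes true
        x, loc = x[:i] + (v,) + x[i + 1:], loc_next   # discrete transition with Rst applied
        trace.append((loc, x))
    return trace

def always_safe(trace, lo=MIN, hi=MAX):
    """P = (lo <= x1 <= hi) at every listed state; with constant flows that covers each step."""
    return all(lo <= x[0] <= hi for _, x in trace)

if __name__ == "__main__":                     # the run from <on,(3,0)> shown on the slide
    print(" -> ".join(f"<{l},({x[0]},{x[1]})>" for l, x in execute("on", (F(3), F(0)), 4)))
```

With these constants the run returns to 〈on,(3,0)〉 after four transitions, so the nine listed states cover one full cycle of the monitor.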
Strongest Postcondition Calculus
• Lemma 3. For any program s in ImpHA, if the initial state satisfies P, the final state satisfies SP(P,s) with SP defined as follows:
Algorithm for Inductive Verification
• The following algorithm generates VCs for (m,n) ∈ [0,mmax]×[1,nmax] and discharges the VCs

Input: HA; P; mmax ∈ N≥0; nmax ∈ N>0
Output: true: HA ⊨ □P; false: cannot decide □P within mmax + nmax steps
 1: for m ∈ {0, ..., mmax}; n ∈ {1, ..., nmax} do
 2–4: [lines not captured in the transcript; line 2 initializes P+, and the while loop opened here is closed at line 12]
 5:       break
 6:     end if
 7:     if ∃j ∈ {m+1, ..., m+n} ¬Validate(VCj) then
 8:       P+ := P+ ∧ Learn(VCj)                (loop invariant generation)
 9:     else
10:       return true
11:     end if
12:   end while
13: end for
14: return false
Fig. 4. Algorithm for inductive verification.

Learn computes Q by using a quantifier elimination (QE) method, such as the Resolve procedure of Mathematica:
  Q := QE(∀xs ∀t1 ... ti (SP((P+ ∧ x0 = xs), s) ⇒ P))[x0 ← xs].
To simplify the loop invariant, the other local variables in VCi, i.e., the variables introduced in the SP calculus in Lemma 3 (among them t̃, l′, x′v) and ti introduced in Theorem 2, should also be removed. Unfortunately, QE with mixed quantifiers and function quantifiers is a hard problem in general. See Remark 1 and the next section for details on how we perform this simplification.
The formula computed for Q is often a large disjunctive formula that is unusable as a loop invariant. For instance, some sub-formulas of Q describe states that are never accepted by the HA. Such sub-formulas are not only useless but make the verification process expensive. So we strengthen Q according to the following strategies:
– Lemma separation. We split Q at the (top-most) disjunction operators and employ one (or several) of the resulting sub-formulas.
– Location disabling. When we remove a sub-formula of Q that is related to some location l, we insert the constraint xl ≠ l. The resulting loop invariant might be effective when combined with loop unrolling.
5 Implementation
We have implemented the method presented in the previous sections using Mathematica 8.0.4 (footnote 5: http://www.wolfram.com/mathematica/), which can perform the computations in a fully symbolic manner.
Loop Invariant Generation
• When verification of VCi : ∀t1..ti ≥ 0 (SP(P+ ∧ s) ⇒ P) fails, we can generate a loop invariant using a quantifier elimination (QE) method:
  QE(∀xs ∀t1..ti VCi)[x0 ← xs]
• This process is hard in general
  - VCi should be simplified by assuming a class of problems
    ✴ Otherwise QE might not succeed
  - Generated invariants might be too large; they should be simplified manually
    ✴ Two strategies for the simplification
Implementation
• We have implemented the verification algorithm using Mathematica (i.e. an algebraic formula manipulation system)
  - ODEs are solved into closed forms with DSolve
  - Validate is implemented using the built-in functions FullSimplify, Reduce, and FindInstance
  - Learn is implemented using the built-in function Resolve, which performs QE
• Several optimizations
  - Separation of formulas w.r.t. HA locations
  - Reutilization of the simplification process of sub-formulas
Experimental Results

Problem        #Loc/#Var  m/n  Our method  MC tools  KeYmaera
WLM            4/2        0/1  0.85s       N/A       1.8s
Gas burner     2/3        4/2  2.22s       0.004s    N/A
Temp. ctrl     4/3        1/1  2.82s       0.012s    N/A
Bouncing ball  1/2        0/1  0.49s       N/A       0.9s
ETCS           2/3        0/1  4.48s       N/A       3.1s
Highway 9      10/9       0/2  0.22s       0.22s     N/A
Highway 19     20/19      0/2  3.64s       N/A       N/A
Comparison with Other Tools
• MC tools
  - HyTech [Henzinger+ 96] and PHAVer [Frehse 02]
  - Solve three problems quite efficiently (Ex. 2, 3, 6)
  - Cannot handle instances with uncertain parameters (Ex. 1, 4)
  - Some scaling issues (Ex. 6, 7)
• KeYmaera [Platzer+ 08]
  - Handles various hybrid programs automatically
  - However, does not succeed on most of the programs translated from HA (Ex. 2, 3, 6, 7)
    ✴ Models should be annotated manually
    ✴ Otherwise, users need to interact with the underlying theorem prover
Conclusion
• Automated logical analytic method for a large class of linear and nonlinear HA
  - Algorithmic verification with SP calculus and limited derivation rules, i.e., induction and loop unrolling
  - Loop invariant generation guided by the response from the decision process
  - Promising experimental results with several HA
• Future work
  - Automation of the generation process of efficient loop invariants
  - Support for a larger class of HA, e.g., with unsolvable ODEs, parallel composition