Introduction to Formal Methods for SW and HW Development 11 - Timed and Hybrid Systems: Formal Modeling and Verification Roberto Sebastiani Based mostly on the work and slides by Rajeev Alur, with further contributions from: Andrea Mattioli, Paritosh Pandya, Yusi Ramadian
• Z(A) is a transition system <Q, Q0, ∑, →> s.t.
  – Q = zones of A; a zone is a pair (s, φ) of a location s and a (convex) clock constraint φ
  – Q0 = {(s, [X:=0]) : s is an initial location of A}
  – ∑ = set of labels or events
  – → = {((s, φ), a, (s', succ(φ, e))) : e is an a-labeled switch from s to s'}
• succ(φ, e) = the clock interpretations reachable by executing e from some clock interpretation in φ

Symbolic transition
• succ(φ, e) = [λ(e):=0]( (φ ∧ I(s))⇑ ∧ I(s) ∧ ψ(e) ), where
  1. ∧ = intersection
  2. (·)⇑ = time elapse: the interpretations obtained by letting time pass
  3. [λ(e):=0] = reset: the interpretations obtained by setting the clocks in λ(e) to 0
  – φ ∧ I(s): interpretations of φ that fulfill the invariant of state s
  – (φ ∧ I(s))⇑ ∧ I(s): those that still fulfill the invariant of state s after time elapse
  – ... ∧ ψ(e): those that fulfill the time constraint (guard) of switch e
• Zones are closed under the three operations: the result is still a convex set
Symbolic Transitions

Example: locations n and m, switch e from n to m with guard x>3 and reset y:=0 (no invariants).

(n, 1<=x<=4, 1<=y<=3)
  delays to     1<=x, 1<=y, -2<=x-y<=3    (time elapse: the upper bounds on single clocks are dropped, the difference bounds are kept)
  conjuncts to  3<x, 1<=y, -2<=x-y<=3     (intersection with the guard x>3)
  projects to   3<x, y=0                  (reset y:=0: every constraint on y is replaced by y=0)

Thus (n, 1<=x<=4, 1<=y<=3) ==> (m, 3<x, y=0)
Canonical Data-structures for Zones: Difference-Bound Matrices

Matrix representation of constraints (bounds on a single clock or on the difference between 2 clocks)
Reduced form obtained by running an all-pairs shortest path algorithm
Reduced DBM is canonical
Operations such as reset, time-successor, inclusion, intersection are efficient
Popular choice in timed-automata-based tools
Difference-bound matrices (DBM)
• k clocks → a (k+1) x (k+1) matrix D, with an extra reference clock x0 that is constantly 0
  D0i = lower bound on xi (the entry bounds x0 - xi = -xi)
  Di0 = upper bound on xi
• Example:
)0()10()20( 2121 xxxx
  Dij = upper bound on the difference xi - xj
• Dij = (c,1): xi - xj ≤ c
• Dij = (c,0): xi - xj < c
• Dij = ∞: absence of bound
Difference-bound matrices (DBM)
• Since xi - xl = (xi - xj) + (xj - xl), the sum of the upper bounds on xi - xj and xj - xl is an upper bound on xi - xl; the tightest bound is the minimum over all such paths
• Use all-pairs shortest paths (Floyd-Warshall) to check that a DBM is satisfiable and to bring it into canonical form
  – Satisfiable = the DBM denotes a nonempty clock zone (equivalently: no negative cycle in the constraint graph)
  – Canonical = the matrix with the tightest possible constraints
• Canonical DBMs represent clock zones uniquely (for a fixed clock order), so zone equality and inclusion reduce to entry-wise comparison of the matrices
When are two sets of constraints equivalent?

D1: x<=1, y-x<=2, z-y<=2, z<=9
D2: x<=1, y-x<=2, y<=3, z-y<=2, z<=7

Each set is a constraint graph on the vertices 0, x, y, z (an edge from xj to xi with weight c for every bound xi - xj <= c). Shortest-path closure replaces every bound by the length of the shortest path between its endpoints:
  D1: z<=9 is tightened to z<=5 (path 0 -> x -> y -> z: 1+2+2); y<=3 (1+2) and z-x<=4 (2+2) are added
  D2: z<=7 is tightened to z<=5 and z-x<=4 is added; y<=3 is already tight

Both close to the same canonical DBM: x<=1, y<=3, z<=5, y-x<=2, z-y<=2, z-x<=4. Hence D1 and D2 denote the same zone, although D2 lists more constraints.
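The symbolic transition above and the DBM closure can be run end to end in a few dozen lines. The following is an added worked example, not code from the slides or from Uppaal/Kronos/RED: a DBM class using the (c,1)/(c,0) bound encoding of the slides, Floyd-Warshall canonicalization, emptiness and inclusion tests, and the three zone operations (intersection with a guard, time elapse, reset). The clock name "0" for the reference clock, the function names and the treatment of invariants (none, as in the slide example) are this example's own choices.

```python
"""Zones as difference-bound matrices (DBMs).

Clock x0 is the constant-zero reference clock, clocks x1..xk follow.
D[i][j] = (c, LE) means x_i - x_j <= c, (c, LT) means x_i - x_j < c, NOBOUND
means no constraint.  A strict bound is tighter than the non-strict bound with
the same constant, so Python's tuple order ((3, LT) < (3, LE)) is exactly the
"tighter than" order and min() picks the tighter of two bounds.
"""
import math

LE, LT = 1, 0                      # slide encoding: (c,1) is <=, (c,0) is <
NOBOUND = (math.inf, LE)


def add_bounds(a, b):
    """Bound on x_i - x_l implied by bounds on x_i - x_j and x_j - x_l."""
    if a == NOBOUND or b == NOBOUND:
        return NOBOUND
    return (a[0] + b[0], a[1] & b[1])          # strict if either summand is strict


class DBM:
    def __init__(self, clocks):
        self.clocks = list(clocks)
        self.n = len(self.clocks) + 1
        self.m = [[NOBOUND] * self.n for _ in range(self.n)]
        for i in range(self.n):
            self.m[i][i] = (0, LE)
            self.m[0][i] = (0, LE)              # x0 - xi <= 0: clocks are non-negative

    def idx(self, name):
        return 0 if name == "0" else self.clocks.index(name) + 1

    def bound(self, i, j):
        return self.m[self.idx(i)][self.idx(j)]

    def constrain(self, i, j, c, kind=LE):
        """Intersect with x_i - x_j <= c (kind=LE) or x_i - x_j < c (kind=LT)."""
        i, j = self.idx(i), self.idx(j)
        self.m[i][j] = min(self.m[i][j], (c, kind))
        return self

    def canonicalize(self):
        """Floyd-Warshall all-pairs shortest paths: each entry becomes the
        tightest bound implied by the constraint graph."""
        m = self.m
        for k in range(self.n):
            for i in range(self.n):
                for j in range(self.n):
                    via = add_bounds(m[i][k], m[k][j])
                    if via < m[i][j]:
                        m[i][j] = via
        return self

    def is_empty(self):
        """A negative cycle shows up as a diagonal entry below (0, LE)."""
        self.canonicalize()
        return any(self.m[i][i] < (0, LE) for i in range(self.n))

    def equivalent(self, other):
        """Canonical DBMs are unique, so zone equality is matrix equality."""
        return self.canonicalize().m == other.canonicalize().m

    def includes(self, other):
        self.canonicalize(); other.canonicalize()
        return all(self.m[i][j] >= other.m[i][j]
                   for i in range(self.n) for j in range(self.n))

    def up(self):
        """Time elapse: drop the upper bounds x_i - x0 <= c, keep differences."""
        self.canonicalize()
        for i in range(1, self.n):
            self.m[i][0] = NOBOUND
        return self

    def reset(self, name):
        """[x := 0]: x takes over the bounds of the reference clock x0."""
        self.canonicalize()
        i = self.idx(name)
        for j in range(self.n):
            if j != i:
                self.m[i][j] = self.m[0][j]
                self.m[j][i] = self.m[j][0]
        self.m[i][i] = (0, LE)
        return self


def symbolic_successor(zone, guard, resets):
    """succ(phi, e) for a switch without invariants: time elapse, then guard,
    then resets.  Returns None when the guard makes the zone empty."""
    z = zone.up()
    for (i, j, c, kind) in guard:
        z.constrain(i, j, c, kind)
    if z.is_empty():
        return None
    for x in resets:
        z.reset(x)
    return z.canonicalize()


def slide_example():
    """(n, 1<=x<=4, 1<=y<=3) with guard x>3 and reset y:=0 -> (m, 3<x, y=0)."""
    z = DBM(["x", "y"])
    z.constrain("x", "0", 4).constrain("0", "x", -1)      # 1 <= x <= 4
    z.constrain("y", "0", 3).constrain("0", "y", -1)      # 1 <= y <= 3
    return symbolic_successor(z, guard=[("0", "x", -3, LT)], resets=["y"])


def equivalence_example():
    """D1 and D2 from the slides: different constraint lists, same zone."""
    d1 = DBM(["x", "y", "z"])
    d1.constrain("x", "0", 1).constrain("y", "x", 2).constrain("z", "y", 2).constrain("z", "0", 9)
    d2 = DBM(["x", "y", "z"])
    d2.constrain("x", "0", 1).constrain("y", "x", 2).constrain("y", "0", 3)
    d2.constrain("z", "y", 2).constrain("z", "0", 7)
    return d1, d2
```

The order of operations in symbolic_successor matters: time elapse must be applied to the canonical form (otherwise dropping an upper bound can lose a difference bound that was only implicit), and a reset must also start from the canonical form, which is why both methods canonicalize first.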
Canonical Data-structures for Zones: Difference-Bound Matrices

Complexity
• Theoretically: the zone automaton may be exponentially bigger than the region automaton
• Practically: far fewer reachable vertices, so performance is much improved

Implementation
• Verification problem:
  – Input = timed automata Ai
  – Process = searching R(||i Ai) or Z(||i Ai)
• BDD-based engine (preferably for region construction)
• On-the-fly enumerative search (preferably for zone construction)
Timed Automata: summary
Only continuous variables are timers
Invariants and guards: x<const, x>=const
Actions: x:=0
Reachability is decidable
Clustering of regions into zones is desirable in practice
Tools: Uppaal, Kronos, RED ...
Symbolic representation: matrices
Techniques to construct timed abstractions of general hybrid systems

Decidable Problems
Model checking branching-time properties of timed automata
Reachability in rectangular automata
Timed bisimilarity: are two given timed
Hybrid Automata: states and transitions
State: (l, x) such that x satisfies Inv(l)
Initialization: (l, x) s.t. x satisfies Init(l)
Two types of state updates:
Discrete switches: (l,x) –a-> (l',x') if there is an a-labeled edge e from l to l' s.t. x satisfies Guard(e) and (x,x') satisfies the update relation Jump(e)
Continuous flows: (l,x) –f-> (l,x') where f is a differentiable function from [0,d] s.t. f(0)=x, f(d)=x', and for all t<=d, f(t) satisfies Inv(l) and the derivative df/dt(t) satisfies Flow(l)(f(t))
Example of (linear) Hybrid Automaton
Gate for a railroad controller; h is the gate position (90 = open, 0 = closed)
Locations (invariant; rate):
  Open:     h = 90;  dh = 0        (initial location, h = 90)
  lowering: h >= 0;  -10 < dh < -9
  raising:  h <= 90; 8 < dh < 10
  closed:   h = 0;   dh = 0
Switches:
  Open -> lowering and raising -> lowering on ?lower
  closed -> raising and lowering -> raising on ?raise
  lowering -> closed when h = 0
  raising -> Open when h = 90
Part 4. Symbolic Reachability Analysis for Hybrid Systems

Outline: Part 4
Symbolic Reachability Analysis
Linear Hybrid Automata (HyTech)
Polyhedral Flow-pipe Approximations (CheckMate)
Standard Reachability Problem
Model variables X = {x1, ..., xn}; each var is of finite type, say, boolean
Initialization: I(X), a condition over X
Update: T(X, X'), how the new vars X' are related to the old vars X as a result of executing one step of the program
Target set: F(X)
Computational problem: can F be satisfied starting with I by repeatedly applying T?
This is a graph search problem.

General Symbolic Solution
Data type: region, to represent state-sets
R := I(X)
Repeat
  If R intersects F report "yes"
  Else if R contains Image(R) report "no"
  Else R := R union Image(R)
Image(R): set of successors of states in R
Termination may or may not be guaranteed
Symbolic Representations
Necessary operations on regions:
Union
Intersection
Negation
Projection
Renaming
Equality/containment test
Emptiness test
Different choices for different classes: BDDs for boolean variables in hardware verification
What matters is the size of the representation, not the number of states it denotes
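The general symbolic solution above is short enough to write out and run on a small system. The following is an added example, not from the slides: the loop is exactly the one above (test R ∩ F, test Image(R) ⊆ R, otherwise R := R ∪ Image(R)), using Python sets of state tuples as the region data type, so only the region operations listed (union, intersection, containment, emptiness) are needed. The login controller it is run on is a constructed toy model (three failed attempts lock the account permanently; the "bad" region is being authenticated while locked), and the step bound that turns a non-terminating run into "unknown" is this example's own addition.

```python
"""Generic symbolic reachability with sets as regions."""


def symbolic_reach(init, image, target, max_steps=1000):
    """Return "yes" if some target state is reachable, "no" if the fixpoint
    closes without meeting the target, and "unknown" if max_steps iterations
    did not suffice (termination is not guaranteed for infinite state spaces)."""
    R = set(init)
    for _ in range(max_steps):
        if R & target:                 # R intersects F
            return "yes"
        img = image(R)                 # Image(R): successors of states in R
        if img <= R:                   # R contains Image(R): nothing new, fixpoint reached
            return "no"
        R |= img                       # R := R union Image(R)
    return "unknown"


# Constructed model: state = (failed_attempts, locked, authenticated).
def login_image(region):
    """One-step successors for a login controller with a 3-strike lockout."""
    succ = set()
    for attempts, locked, authed in region:
        if locked:
            succ.add((attempts, True, False))       # lockout is permanent
            continue
        if attempts + 1 >= 3:
            succ.add((3, True, False))              # third failure: lock, drop session
        else:
            succ.add((attempts + 1, False, False))  # failed attempt drops the session
        succ.add((attempts, False, True))           # correct password
        succ.add((0, False, False))                 # logout / counter reset
    return succ


INIT = {(0, False, False)}
BAD = {(a, True, True) for a in range(4)}           # authenticated while locked
AUTHED = {(a, False, True) for a in range(4)}


def check_login_controller():
    """("no", "yes"): the bad region is unreachable, authentication is reachable."""
    return (symbolic_reach(INIT, login_image, BAD),
            symbolic_reach(INIT, login_image, AUTHED))


def unbounded_counter_image(region):
    return {(n + 1,) for (n,) in region}


def check_unbounded():
    """Infinite state space, target never met: the loop never closes, so the
    bounded run reports "unknown" instead of looping forever."""
    return symbolic_reach({(0,)}, unbounded_counter_image, {(-1,)}, max_steps=50)
```

With sets, "R contains Image(R)" is a subset test and "R intersects F" a non-empty intersection; with BDDs or polyhedra the same two tests become the containment and emptiness operations listed above, and the loop is unchanged.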
Reachability for Hybrid Systems
Same algorithm works in principle
What's a suitable representation of regions? Region: subset of R^k
Main problem: handling continuous dynamics
Precise solutions available for restricted continuous dynamics: timed automata, linear hybrid automata
Even for linear systems, over-approximations of the reachable set are needed

Reachability Analysis for Dynamical Systems
Goal: given an initial region, compute whether a bad state can be reached
Key step is to compute Reach(X) for a given set X under dx/dt = f(x) (hereafter dx = f(x) for short)
[Figure: initial set X and its continuous successor set Reach(X)]
Outline: Part 4
Symbolic Reachability Analysis
Linear Hybrid Automata (HyTech)
Polyhedral Flow-pipe Approximations (CheckMate)
Multi-rate Automata
Modest extension of timed automata
• Dynamics of the form dx = const (the rate of a clock is the same in all locations)
• Guards and invariants: x < const, x > const
• Resets: x := const
Simple translation to timed automata that gives a time-abstract bisimilar system, by scaling each clock by its rate:
  dx = 2, dy = 3, guard x>5 and y<1
becomes, with u = x/2 and v = y/3,
  du = 1, dv = 1, guard u>5/2 and v<1/3
Rectangular Automata
Interesting extension of timed automata
• Dynamics of the form dx in const interval (the rate bounds of a clock are the same in all locations)
• Guards/invariants/resets as before
Translation to multi-rate automata that gives a time-abstract language-equivalent system (Puri, Henzinger, 95): replace x by two clocks xm and xM tracking its minimal and maximal possible value:
  dx in [2,3], guards x>5 and x<2
becomes
  dxm = 2, dxM = 3
  guard x>5 becomes xM>5 with reset xm:=5
  guard x<2 becomes xm<2 with reset xM:=2
Linear Hybrid Automata
Invariants and guards: linear (Ax <= b)
Actions: linear transforms (x' := Ax)
Dynamics: time-invariant and state-independent, specified by a convex polytope constraining the rates, e.g. 2 < dx <= 3, dx = dy
Tools: HyTech
Symbolic representation: polyhedra
Methodology: abstract dynamics by differential inclusions bounding the rates
Example LHA: Gate for a railroad controller
Locations (invariant; rate): Open (h = 90; dh = 0), lowering (h >= 0; -10 < dh < -9), raising (h <= 90; 8 < dh < 10), closed (h = 0; dh = 0)
Switches: Open -> lowering and raising -> lowering on ?lower; closed -> raising and lowering -> raising on ?raise; lowering -> closed when h = 0; raising -> Open when h = 90
Initially Open with h = 90
Reachability Computation
Basic element: (location l, polyhedron p)
Set of visited states: a list of (l,p) pairs
Key steps:
  Compute "discrete" successors of (l,p)
  Compute "continuous" successor of (l,p)
  Check if p intersects with the "bad" region
  Check if a newly found p is covered by the already visited polyhedra p1,..., pk (expensive!)

Computing Discrete Successors
Discrete successor of (l,p) along a switch l -> l' with guard g(x) and action x := a(x):
  Intersect p with g (result r is a polyhedron)
  Apply the linear transformation a to r (result r' is a polyhedron)
  Intersect r' with the invariant of l' (result r" is a polyhedron)
  Successor is (l', r")
Computing Time Successor
[Figure: polyhedron p in the (x,y) plane, rate polytope with vertices (1,4) and (3,2), and the resulting Reach(p)]
Thm: If the initial set p, the invariant I, and the rate constraint r are polyhedra, then the set of reachable states is a polyhedron (and computable)
Basically, apply the extremal rates (the vertices of the rate polytope) to the vertices of p
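In two dimensions the "extremal rates to the vertices" step can be carried out with nothing more than a convex hull. The following is an added example, not HyTech's code: polyhedra are given by vertex lists, and the continuous successor of p within a time horizon T (an assumption of this example, so that the result is a bounded polygon rather than a polyhedron with rays) is the convex hull of the vertices of p together with every vertex pushed for time T along every vertex of the rate polytope. The rate polytope is the segment between (3,2) and (1,4) from the figure; the unit-square initial set and the "bad" half-plane are constructed inputs, and intersection with a location invariant is left out.

```python
"""Time successor of a 2-D polytope under a polytope of rates, plus the two
checks the reachability loop needs on the result."""


def cross(o, a, b):
    return (a[0] - o[0]) * (b[1] - o[1]) - (a[1] - o[1]) * (b[0] - o[0])


def convex_hull(points):
    """Andrew's monotone chain; returns the hull vertices counter-clockwise."""
    pts = sorted(set(points))
    if len(pts) <= 2:
        return pts
    lower, upper = [], []
    for p in pts:
        while len(lower) >= 2 and cross(lower[-2], lower[-1], p) <= 0:
            lower.pop()
        lower.append(p)
    for p in reversed(pts):
        while len(upper) >= 2 and cross(upper[-2], upper[-1], p) <= 0:
            upper.pop()
        upper.append(p)
    return lower[:-1] + upper[:-1]


def time_successor(p, rates, horizon):
    """{ x + t*r : x in p, r in conv(rates), 0 <= t <= horizon }.

    The set is convex, and every point of it is a convex combination of a
    vertex of p and that vertex pushed for the full horizon along an extremal
    rate, so its hull is the hull of those finitely many points."""
    pushed = [(x + horizon * rx, y + horizon * ry)
              for (x, y) in p for (rx, ry) in rates]
    return convex_hull(list(p) + pushed)


def contains(poly, pt):
    """Point-in-convex-polygon test for CCW vertices; the boundary counts."""
    n = len(poly)
    return all(cross(poly[i], poly[(i + 1) % n], pt) >= -1e-9 for i in range(n))


def intersects_halfplane(poly, a, b):
    """Does the polygon meet the bad region {x : a . x >= b}?  A convex
    polygon meets a half-plane iff one of its vertices does."""
    return any(a[0] * x + a[1] * y >= b - 1e-9 for (x, y) in poly)


def slide_rates_example(horizon=1.0):
    """Unit square pushed for `horizon` along the rate segment (3,2)-(1,4)."""
    p = [(0, 0), (1, 0), (1, 1), (0, 1)]
    rates = [(3, 2), (1, 4)]
    return time_successor(p, rates, horizon)
```

In the reachability loop this polygon would be stored as the (l, p) pair for the location, intersected with the location's invariant, and its vertices tested against the bad region exactly as intersects_halfplane does; the coverage check against already visited polyhedra is the expensive step the slides warn about.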
Summary: Linear Hybrid Automata
HyTech implements this strategy
Core computation: manipulation of polyhedra
Bottlenecks:
  proliferation of polyhedra (unions)
  computing with higher-dimensional polyhedra
Many case studies (active structure control, Philips audio control protocol, steam boiler, ...)

Outline: Part 4
Symbolic Reachability Analysis
Linear Hybrid Automata (HyTech)
Polyhedral Flow-pipe Approximations (CheckMate)
Beyond LHA
Exact computation with polyhedra is limiting: if the dynamics is dX = AX and P is a polyhedron, Reach(P) is in general not a polyhedron
Solutions:
  Approximate Reach(P) with an enclosing convex polyhedron: CheckMate (Krogh)
  Approximate Reach(P) with an enclosing (non-convex) orthogonal polyhedron: d/dt (Dang/Maler)
  Level sets method (Greenstreet, Tomlin)
  Use ellipsoids for the representation of sets (Kurzhanski)
Polyhedral Flow Pipe Approximations
[Figure: flow pipe from X0, cut at times t1, ..., t9, each segment enclosed in a polytope]
• divide R[0,T](X0) into segments R[tk,tk+1](X0)
• enclose each segment with a convex polytope
• R̂[0,T](X0) = union of these polytopes (an over-approximation of R[0,T](X0))
Wrapping Hyperplanes Around a Set
Step 1: choose normal vectors c1, ..., cm
Step 2: compute the optimal d in C x <= d, C^T = [c1 ... cm]:
  di = max_{x in S} ci^T x
The polytope {x : C x <= d} is the tightest enclosure of S with those face normals: every face touches S.

Wrapping a Flow Pipe Segment
Given normal vectors ci, we wrap R[tk,tk+1](X0) in a polytope by solving, for each i,
  di = max_{x0, t} ci^T x(t, x0)   s.t. x0 in X0, t in [tk, tk+1]
The optimization problem is solved by embedding simulation into the objective function computation (x(t, x0) is obtained by numerically integrating the dynamics)
Improvements for Linear Systems
dx = Ax  =>  x(t, x0) = e^{At} x0
No longer need to embed simulation into optimization
Flow pipe segment computation depends only on the time step Δt
A segment can be obtained by applying e^{At} to another segment of the same Δt:
  R̂[t, t+Δt](X0) = e^{At} R̂[0, Δt](X0)
Example: Van der Pol Equation
X0 = { x : 0.8 <= x1 <= 1.0, x2 = 0 }
dx1 = x2
dx2 = -0.2 (x1^2 - 1) x2 - x1

Van der Pol Equation
[Figure: flow pipe approximation from the initial set X0 with uniform time step Δtk = 0.5]
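The segment-and-wrap construction of the last slides can be reproduced on the Van der Pol example with a fixed-step integrator. The following is an added example, not CheckMate's code: it picks m evenly spaced normals (Step 1), simulates a grid of initial states from X0 with RK4, cuts the trajectories into segments of Δt = 0.5, and takes di = max ci^T x over the sampled points of each segment (Step 2). The grid of initial states, the step sizes and the number of normals are this example's choices. One caveat matters for soundness: taking the maximum over samples only encloses the sampled points, whereas CheckMate solves the optimization problem over all x0 in X0 and t in [tk, tk+1], which is what makes its polytopes a true over-approximation.

```python
"""Polyhedral flow-pipe approximation of the Van der Pol system by wrapping
hyperplanes around sampled trajectory segments."""
import math

MU = 0.2


def vdp(x):
    """dx1 = x2, dx2 = -0.2 (x1^2 - 1) x2 - x1 (the slide's Van der Pol equation)."""
    x1, x2 = x
    return (x2, -MU * (x1 * x1 - 1.0) * x2 - x1)


def rk4_step(f, x, h):
    k1 = f(x)
    k2 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k1)))
    k3 = f(tuple(xi + 0.5 * h * ki for xi, ki in zip(x, k2)))
    k4 = f(tuple(xi + h * ki for xi, ki in zip(x, k3)))
    return tuple(xi + h / 6.0 * (a + 2 * b + 2 * c + d)
                 for xi, a, b, c, d in zip(x, k1, k2, k3, k4))


def normals(m):
    """Step 1: m evenly spaced unit normals c_1..c_m in the plane."""
    return [(math.cos(2 * math.pi * i / m), math.sin(2 * math.pi * i / m))
            for i in range(m)]


def wrap(points, C):
    """Step 2: d_i = max over the sampled set S of c_i^T x, so that
    S is contained in {x : C x <= d}."""
    return [max(c[0] * x + c[1] * y for (x, y) in points) for c in C]


def inside(C, d, pt):
    return all(c[0] * pt[0] + c[1] * pt[1] <= di + 1e-9 for c, di in zip(C, d))


def flow_pipe(f, x0_samples, T, dt, h, C):
    """Cut the flow pipe from the sampled X0 over [0,T] into segments
    [t_k, t_k + dt] and wrap each one.  Returns a list of (t_k, d_k)."""
    n_seg = int(round(T / dt))
    steps_per_seg = int(round(dt / h))
    states = list(x0_samples)
    segments = []
    for k in range(n_seg):
        samples = list(states)                     # states at t_k belong to this segment ...
        for _ in range(steps_per_seg):
            states = [rk4_step(f, x, h) for x in states]
            samples.extend(states)                 # ... and so do all states up to t_k + dt
        segments.append((k * dt, wrap(samples, C)))
    return segments


def vdp_flow_pipe(m=8, T=2.5, dt=0.5, h=0.01, n0=11):
    """Flow pipe of the slide example: X0 = {0.8 <= x1 <= 1.0, x2 = 0}, Δt = 0.5."""
    x0 = [(0.8 + 0.2 * i / (n0 - 1), 0.0) for i in range(n0)]   # grid over X0
    C = normals(m)
    return C, flow_pipe(vdp, x0, T, dt, h, C)
```

Because x2 starts at 0 and dx2 = -x1 < 0 there, x1 decreases over the whole first half second, so the face with normal (1, 0) of the first polytope sits exactly at the initial bound x1 = 1.0, while the opposite face follows the trajectory that started at x1 = 0.8.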
Summary: Flow Pipe Approximation
• Applies in arbitrary dimensions
• Approximation error doesn't grow with time
• Estimation error (Hausdorff distance) can be made arbitrarily small with Δt < δ and size of X0 < δ
• Integrated into a complete verification tool (CheckMate)