C2E2: A Verification Tool For Stateflow Models Parasara Sridhar - PowerPoint PPT Presentation

C2E2: A Verification Tool For Stateflow Models Parasara Sridhar Duggirala , Sayan Mitra, Mahesh Viswanathan, Matthew Potok

Pacemaker – Cardiac Cell System + 2

Pacemaker – Cardiac Cell System stimulating pulse 𝑟 0 𝑟 1 Pacemaker … 𝑟 3 𝑟 2 HA = Finite State Machine + Differential Equation 𝑣(𝑢) 𝑦 1 (𝑢) time time Stimulus from pacemaker Behavior of a cardiac cell 3

Features of the Model Safety Verification Unsafe Set 𝑦 1 (𝑢) time Stateflow Model of Pacemaker – Cardiac Cell system Features: Invariants , Guards , and Resets  Inputs: 1. Model of the system 𝐵 , Solution 2. Initial States Θ , and Reachable Set Computation 3. Unsafe States 𝑉  Output: If the system is safe or unsafe ∀𝑦 ∈ Θ, 𝜊 𝑦, 𝑢 ∉ 𝑉 4

Contributions  Simulation based verification algorithm for Fully Hybrid Systems  Theoretical guarantees – Soundness and Relative Completeness  Tool Features • Stateflow Models, hyxml intermediate format • Graphical User Interface • Visualizing the reachable set 5

Overview  Motivation and Problem Statement  Challenges in Verification  Building Blocks and Algorithm  Soundness and Relative Completeness Guarantees  Tool Features  Annotations  Future Work 6

Safety Verification Unsafe Set 𝑣(𝑢) time Stateflow Model of Pacemaker – Cardiac Cell system Features: Invariants , Guards , and Resets  Inputs: 1. Model of the system 𝐵 , Solution 2. Initial States Θ , and Reachable Set Computation 3. Unsafe States 𝑉  Output: If the system is safe or unsafe ∀𝑦 ∈ Θ, 𝜊 𝑦, 𝑢 ∉ 𝑉 7

Challenges In Reachable Set Computation Unsafe Set 𝑣(𝑢) time Stateflow Model of Pacemaker – Cardiac Cell system Features: Invariants , Guards , and Resets  Nonlinear ODEs – do not even have a closed form solution  Switching conditions – predicates on variables (nondeterminism) Our Technique: Use simulations for computing Reachable Set 8

ሶ A Simple (Often The Only) Strategy  Given start and unsafe 𝑉 Θ 𝐶 𝜗 (𝜊(𝑦 0 , 𝑢))  Compute finite cover of initial set  Simulate from the center 𝑦 0 of each cover  Bloat simulation so that bloated tube contains all trajectories from the cover  Union = over-approximation of reach set 𝑦 0 𝑦 = 𝑔(𝑦) 9

ሶ A Simple (Often The Only) Strategy  Given start and unsafe 𝑉 Θ 𝐶 𝜗 (𝜊(𝑦 0 , 𝑢))  Compute finite cover of initial set  Simulate from the center 𝑦 0 of each cover  Bloat simulation so that bloated tube contains all trajectories from the cover  Union = over-approximation of reach set 𝑦 0  Check intersection/containment with 𝑉  Refine 𝑦 = 𝑔(𝑦) 10

ሶ A Simple (Often The Only) Strategy  Given start and unsafe 𝑉 Θ 𝐶 𝜗 (𝜊(𝑦 0 , 𝑢))  Compute finite cover of initial set  Simulate from the center 𝑦 0 of each cover  Bloat simulation so that bloated tube contains all trajectories from the cover  Union = over-approximation of reach set 𝑦 0  Check intersection/containment with 𝑉  Refine 𝑦 = 𝑔(𝑦) 11

ሶ A Simple (Often The Only) Strategy  Given start and unsafe 𝑉 Θ 𝐶 𝜗 (𝜊(𝑦 0 , 𝑢))  Compute finite cover of initial set  Simulate from the center 𝑦 0 of each cover  Bloat simulation so that bloated tube contains all trajectories from the cover  Union = over-approximation of reach set 𝑦 0  Check intersection/containment with 𝑉  Refine 𝑦 = 𝑔(𝑦) 1. How do we get the simulations? 2. How much to bloat? 3. How to handle mode switches? 12

Building Blocks : Simulations Simulation from 𝑦 0 given as 𝜊(𝑦 0 , 𝑢) – no closed form! 𝒕𝒋𝒏𝒗𝒎𝒃𝒖𝒋𝒑𝒐(𝒚 𝟏 , 𝒊, 𝝑, 𝑼) gives a sequence S 0 , … , 𝑇 𝑙 : 1. at any time 𝑢 ∈ [𝑗ℎ, 𝑗 + 1 ℎ] , 𝜊 𝑦 0 , 𝑢 ∈ 𝑇 𝑗 2. 𝑒𝑗𝑏 𝑇 𝑗 ≤ 𝜗 𝒘𝒃𝒎𝑻𝒋𝒏(𝒚 𝟏 , 𝑼, 𝒈) generates such simulations (CAPD) 13

Building Blocks : Discrepancy Function Discrepancy Function : capturing the continuity of ODE solutions executions that start close, stay close 〈𝐿, 𝛿〉 is called an exponential discrepancy function of the system if for any two states 𝑦 1 and 𝑦 2 ∈ 𝑌 , for any t |𝜊(𝑦 1 , 𝑢) − 𝜊(𝑦 2 , 𝑢)| ≤ 𝐿 𝑦 1 − 𝑦 2 𝑓 𝛿𝑢 𝜊 𝑦 2 , 𝑢 𝑦 2 ≤ 𝐿 𝑦 1 − 𝑦 2 𝑓 𝛿𝑢 1 |𝑦 1 − 𝑦 2 | 𝑦 1 𝜊 𝑦 1 , 𝑢 = 𝐿 𝑦 1 − 𝑦 2 𝑓 𝛿𝑢 1 Discrepancy functions are given as model annotations, i.e. 〈𝐿, 𝛿〉 is given by the user 14

Simulations + Discrepancy Functions = ReachTubes 𝝎 = 𝒔𝒇𝒃𝒅𝒊𝒖𝒗𝒄𝒇 𝑻, 𝝑, 𝑼 of ሶ 𝑦 = 𝑔 𝑦 is a sequence 𝑆 0 , … , 𝑆 𝑙 such that 𝑒𝑗𝑏(𝑆 𝑗 ) ≤ 𝜗 and from any 𝑦 0 ∈ 𝑇, for each time 𝑢 ∈ [𝑗ℎ, (𝑗 + 1)ℎ] , 𝜊 𝑦 0 , 𝑢 ∈ 𝑆 𝑗 . How to compute a ReachTube from validated simulation and annotation? 𝑇 0 , … , 𝑇 𝑙 , 𝜗 1 ← 𝒘𝒃𝒎𝑻𝒋𝒏(𝑦 0 , 𝑈, 𝑔) 15

Simulations + Discrepancy Functions = ReachTubes 𝝎 = 𝒔𝒇𝒃𝒅𝒊𝒖𝒗𝒄𝒇 𝑻, 𝝑, 𝑼 of ሶ 𝑦 = 𝑔 𝑦 is a sequence 𝑆 0 , … , 𝑆 𝑙 such that 𝑒𝑗𝑏(𝑆 𝑗 ) ≤ 𝜗 and from any 𝑦 0 ∈ 𝑇, for each time 𝑢 ∈ [𝑗ℎ, (𝑗 + 1)ℎ] , 𝜊 𝑦 0 , 𝑢 ∈ 𝑆 𝑗 . How to compute a ReachTube from validated simulation and annotation? 𝑇 0 , … , 𝑇 𝑙 , 𝜗 1 ← 𝒘𝒃𝒎𝑻𝒋𝒏(𝑦 0 , 𝑈, 𝑔) For each 𝑗 ∈ 𝑙 𝑢∈𝑈 𝑗 𝐿𝑓 𝛿𝑢 𝜀 ; 𝜗 2 ← max 𝑆 𝑗 ← 𝐶 𝜗 2 𝑇 𝑗 𝑆 0 , … , 𝑆 𝑙 is a reachtube( 𝑪 𝜺 𝒚 𝟏 , 𝝑 𝟐 + 𝝑 𝟑 , 𝑼)  How do we get the simulations? Invariants  How much to bloat? • How to handle mode switches? Guards 16

Handling Invariants Tagging: track a region based on a predicate 𝑄 𝑛𝑣𝑡𝑢 𝑆 ⊆ 𝑄 𝑆 ∩ 𝑄 ≠ ∅, ത 𝒖𝒃𝒉𝑺𝒇𝒉𝒋𝒑𝒐 𝑺, 𝑸 = ቐ 𝑛𝑏𝑧 𝑆 ∩ 𝑄 ≠ ∅ 𝑜𝑝𝑢 𝑆 ∩ 𝑄 = ∅ Goal: Reachtube that respects the invariant of the mode 𝝔 = 𝒋𝒐𝒘𝒃𝒔𝒋𝒃𝒐𝒖𝑸𝒔𝒇𝒈𝒋𝒚(𝝎, 𝑱𝒐𝒘𝒃𝒔𝒋𝒃𝒐𝒖) is 〈𝑆 0 , 𝑢𝑏𝑕 0 , … , 𝑆 𝑛 , 𝑢𝑏𝑕 𝑛 〉 , such that either ′ 𝑡 before it are must 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢 if all the 𝑆 𝑘 ′ 𝑡 before it are tagged may or must and at least one of 𝑢𝑏𝑕 𝑗 = 𝑛𝑏𝑧 if all the 𝑆 𝑘 them is not must 17

Handling Guards & Resets Goal: Compute set of states in Reachtube that change mode based on Guard 𝒐𝒇𝒚𝒖𝑺𝒇𝒉𝒋𝒑𝒐𝒕(𝝔) returns a set of tagged regions N. ∈ 𝑂 iff ∃ 𝑏 ∈ 𝐵, 〈𝑆 𝑗 , 𝑢𝑏𝑕 𝑗 〉 ∈ 𝜚 such that 𝑆 ′ = 𝑆𝑓𝑡𝑓𝑢 𝑏 𝑆 𝑗 and: 𝑆′, 𝑢𝑏𝑕′ 𝑆 𝑗 ⊆ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕 ′ = 𝑛𝑣𝑡𝑢 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑆 𝑗 ∉ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢, 𝑢𝑏𝑕 ′ = 𝑛𝑏𝑧 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕′ = 𝑛𝑏𝑧 Tagging is essentially bookkeeping 1. 𝑗𝑜𝑤𝑏𝑠𝑗𝑏𝑜𝑢𝑄𝑠𝑓𝑔𝑗𝑦 discards the invalid trajectories (violating invariant) 2. 𝑜𝑓𝑦𝑢𝑆𝑓𝑕𝑗𝑝𝑜𝑡 tags the regions based on the feasibility of discrete transition Utility of tagging 1. Reachable set is contained in union of may and must regions – inferring safety 2. There exists at least one reachable state in every must region – inferring violation of safety 18

Algorithm for Hybrid Systems Input: Initial Set Θ , Unsafe set 𝑉 , Time 𝑈 , Number of Switches 𝑂 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 ← 𝑢𝑏𝑕𝑕𝑓𝑒𝐷𝑝𝑤𝑓𝑠(Θ) ∀ 〈𝑇, 𝑢𝑏𝑕〉 ∈ 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 𝜔 ← 𝑠𝑓𝑏𝑑ℎ𝑈𝑣𝑐𝑓(𝑇, 𝑈) 𝑦 0 end; 19

Algorithm for Hybrid Systems Input: Initial Set Θ , Unsafe set 𝑉 , Time 𝑈 , Number of Switches 𝑂 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 ← 𝑢𝑏𝑕𝑕𝑓𝑒𝐷𝑝𝑤𝑓𝑠(Θ) ∀ 〈𝑇, 𝑢𝑏𝑕〉 ∈ 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 𝜔 ← 𝑠𝑓𝑏𝑑ℎ𝑈𝑣𝑐𝑓(𝑇, 𝑈) 𝜚 ← 𝑗𝑜𝑤𝑏𝑠𝑗𝑏𝑜𝑢𝑄𝑠𝑓𝑔𝑗𝑦(𝜔) invariant end; 20

Algorithm for Hybrid Systems Input: Initial Set Θ , Unsafe set 𝑉 , Time 𝑈 , Number of Switches 𝑂 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 ← 𝑢𝑏𝑕𝑕𝑓𝑒𝐷𝑝𝑤𝑓𝑠(Θ) ∀ 〈𝑇, 𝑢𝑏𝑕〉 ∈ 𝑞𝑏𝑠𝑢𝑗𝑢𝑗𝑝𝑜 𝜔 ← 𝑠𝑓𝑏𝑑ℎ𝑈𝑣𝑐𝑓(𝑇, 𝑈) 𝜚 ← 𝑗𝑜𝑤𝑏𝑠𝑗𝑏𝑜𝑢𝑄𝑠𝑓𝑔𝑗𝑦(𝜔) invariant if ( 𝜚 is safe ) then continue; if ( 𝜚 is unsafe and 𝑢𝑏𝑕 is 𝑛𝑣𝑡𝑢 ) return unsafe ; else refine tagged cover; end; return safe ; 21