deductive safety and liveness verification for ordinary
play

Deductive Safety and Liveness Verification for Ordinary Differential - PowerPoint PPT Presentation

Mar 17, 2024 •244 likes •1.14k views

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34 Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System:

  1. Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34

  2. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise × Testing control software on the real CPS is expensive and unsafe. 2 / 34

  3. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise v x Continuous dynamics: x ′ = v , v ′ = a � �� � Ordinary Differential Equations (ODEs) t t × Testing control software on the real CPS is expensive and unsafe. 2 / 34

  4. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise v x Continuous dynamics: x ′ = v , v ′ = a � �� � Need formal proofs for ODEs t t × Testing control software on the real CPS is expensive and unsafe. � Formal proofs give highest level of confidence in correctness of CPSs. 2 / 34

  5. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 3 / 34

  6. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 4 / 34

  7. Correctness Specifications for CPSs � Safe: always drives below the speed limit 5 / 34

  8. Correctness Specifications for CPSs � Safe: always drives below the speed limit � Safe: always drives below the speed limit 5 / 34

  9. Correctness Specifications for CPSs � Safe: always drives below the speed limit � Live: eventually gets to its destination � Safe: always drives below the speed limit × Not live: stuck in a train repair bay 5 / 34

  10. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs x ′ = y , y ′ = (1 − x 2 ) y − x Visualization: Van der Pol equations modeling an oscillating electrical circuit. 6 / 34

  11. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs Analogy: Trains are driving on tracks given by ODE solutions. x' = f ( x ) Ordinary Differential Equation (ODE) � �� � x ′ = f ( x ) 6 / 34

  12. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs Analogy: Trains are driving on tracks given by ODE solutions. Domain : Specifies the domain of x' = f ( x ) Q definition for ODEs Analogy: Domains make description ODE with domain Q � �� � of train tracks more precise. x ′ = f ( x ) & Q 6 / 34

  13. ✓ ✓ ⨯ ✓ Safety & Liveness for ODEs P Q ODE with domain Q � �� � x ′ = f ( x ) & Q ] P Safety: [ ���� Safe region � Train always stays in Pittsburgh ( P ) along its trajectory. 7 / 34

  14. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q ] P x ′ = f ( x ) & Q � P Safety: [ Liveness: � ���� ���� Safe region Goal region � Train always stays in Pittsburgh � Train can eventually be driven to ( P ) along its trajectory. Pittsburgh ( P ). 7 / 34

  15. ⨯ ✓ ⨯⨯ ✓ ✓ ⨯ ✓ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q � P Safety: ¬� Liveness: � ���� ���� Unsafe region Goal region � Train can not eventually be driven � Train can eventually be driven to out of Pittsburgh ( ¬ P ). Pittsburgh ( P ). 7 / 34

  16. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal � Train can not eventually be driven � Train does not always stay out of out of Pittsburgh ( ¬ P ). Pittsburgh ( ¬ P ). 7 / 34

  17. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  18. ⨯ ✓ ⨯⨯ Safety & Liveness for ODEs ODE Safety Proofs 2 Rigorous proofs of ODE safety using ODE invariants. P Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  19. Safety & Liveness for ODEs ODE Safety Proofs 2 ODE Liveness Proofs 3 Rigorous proofs of ODE safety Rigorous proofs of ODE liveness using ODE invariants. using ODE safety. ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  20. Safety & Liveness for ODEs ODE Safety Proofs 2 ODE Liveness Proofs 3 Rigorous proofs of ODE safety Rigorous proofs of ODE liveness using ODE invariants. using ODE safety. ODE Liveness Example 4 An example application of formal ODE liveness arguments. ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  21. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 8 / 34

  22. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C PA Pitt. 9 / 34

  23. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA PA Pitt. 9 / 34

  24. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA Pitt. 9 / 34

  25. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA 3 PA regional trains always stay in-state: Pitt. PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE 9 / 34

  26. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA 3 PA regional trains always stay in-state: Pitt. PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE Idea 1: ODE safety questions reduce to ODE invariance questions. 9 / 34

  27. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Takeaway: Logic yields a complete understanding of ODE invariance. Benefit: Powerful automation for ODE safety from sound foundations. 10 / 34

  28. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Takeaway: Logic yields a complete understanding of ODE invariance. Benefit: Powerful automation for ODE safety from sound foundations. 3 PA regional trains always stay in-state: PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE � �� � � or × answer can be computed mechanically with proof. 10 / 34

  29. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Polynomial ODEs (Non-Polynomial) Solutions x ′ = x , x (0) = x 0 x ( t ) = x 0 e t x ′ = y , y ′ = − x , x (0) = 0 , y (0) = 1 x ( t ) = sin t , y ( t ) = cos t x ′ = y , y ′ = (1 − x 2 ) y − x Van der Pol equations (No polynomial solutions) How is this completeness result possible? 10 / 34

Recommend

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness property, something good eventually happens. e.g. program termination. A safety property, something bad never happens. e.g.

338 views • 16 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

<latexit

851 views • 66 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

<latexit

270 views • 16 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille Artho, Viktor Schuppan http://www.inf.ethz.ch/schuppan/ Safety vs. Liveness 1 Safety Liveness Something bad will not Something good will

480 views • 31 slides
Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1 Computer Systems Institute, ETH Z urich 2 Institute for Formal Models and Verification, JKU Linz http://www.inf.ethz.ch/schuppan/

1.23k views • 18 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018 Department of Computer Science, Johns Hopkins University Characterizing Concurrency Safety (correctness): what are the semantic guarantees

560 views • 8 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG 1.9/2.15 Leuven, Belgium May 1112, 2017 context Universit e Paris Sud participates to a programme called Les Apprentis Chercheurs (the research

707 views • 42 slides
An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth

An Introduction to Deductive Program Verification Jean-Christophe Filli atre CNRS Sixth Summer School on Formal Techniques May 2016 http://why3.lri.fr/ssft-16/ 1 / 145 Software is hard. Don Knuth why? wrong interpretation of

1.97k views • 145 slides
Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Types of Formal Specifications for Assertions Concurrent and Reactive Systems Assertions

Outline Formal specifications CISC422/853: Formal Methods Types of formal specifications: in Software Engineering: assertions invariants Computer-Aided Verification safety and liveness properties How to express safety

226 views • 22 slides
Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems

Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems

Deductive Verification Of Hybrid Systems Lectures on Formal Methods for Cyber-Physical Systems SOKENDAI, 07/29/19 Jrmy Dubut National Institute of Informatics Japanese-French Laboratory of Informatics Objectives of this lecture

986 views • 84 slides
Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover

Krakatoa Deductive Verification of Java programs Introduction with Algebraic Modeling and Multi-Prover Overview of Krakatoa Algebraic models Backend: the Why/Krakatoa platform Conclusions Claude March e Christine Paulin Jean-Christophe

636 views • 31 slides
Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12,

Deductive Program Verification Jean-Christophe Filli atre CNRS ITP 2018 Oxford, UK July 12, 2018 1 / 32 joint work with Fran cois Bobot Claude March e Guillaume Melquiond Andrei Paskevich 2 / 32 a question for programmers

991 views • 80 slides
Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u

Deductive Program Verification Jean-Christophe Filli atre STOP r = 1 v = u s = 1 u = u + v s = s + 1 TEST r n u = 1 r = r + 1 TEST s r A Definition program mathematical + proof statement correctness

823 views • 56 slides
A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian

A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian

A Timeless Model for the Verification of Quasi-Periodic Distributed Systems Maryam Dabaghchian Zvonimir Rakamari School of Computing University of Utah Motivating Example Safety property: speed is always in a valid range Liveness property:

596 views • 3 slides
Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15,

Deductive Program Verification with Why3 Jean-Christophe Filli atre CNRS Tallinn January 15, 2013 http://why3.lri.fr/tallinn-2013/ 1 / 101 definition program verification + proof conditions specification 2 / 101 this is not new

1.18k views • 101 slides

More recommend