Delta-Complete Reachability Analysis
Sicun (Sean) Gao (joint work with Ed Clarke and Jeremy Avigad), Carnegie Mellon University, Apr 22, 2011
Hybrid Systems
$H = \langle X, Q, \mathit{Init}, \mathit{Flow}, \mathit{Jump}, \mathit{Inv} \rangle$
- $X \subseteq \mathbb{R}^k$: state space
- $Q$: a finite set of modes
- $\mathit{Init} \subseteq Q \times X$: initial configurations
- $\mathit{Flow} \subseteq Q \times X \to TX$: continuous flows
- $\mathit{Jump} \subseteq Q \times X \to 2^{Q \times X}$: discrete jumps
- $\mathit{Inv} \subseteq Q \times X$: invariants in each mode
Given $\mathit{Unsafe} \subseteq \mathbb{R}^k \times Q$, is $\llbracket H \rrbracket \cap \mathit{Unsafe} = \emptyset$?
Example (Transmission Controller)
- $X = \mathbb{R}^3$ ($v$: speed, $\mathit{Th}$: throttle, $\mathit{Fr}$: friction)
- $Q = \{q_1, q_2, q_3\}$ (gears)
- $\mathit{Init} = (q_1,\ \mathit{Th} = 0.2 \wedge v = 0)$
- $\mathit{Inv}_{q_1}: 0 \le v \le 30$, $\mathit{Inv}_{q_2}: 25 \le v \le 50$, $\mathit{Inv}_{q_3}: 45 \le v \le 70$
- $\mathit{Flow}_{q_i}: \frac{dv}{dt} = c_i (a_i \mathit{Th} - b_i \mathit{Fr}) \wedge \frac{d\mathit{Fr}}{dt} = e_i v^2$
- $\mathit{Jump}_{q_1, q_2}: (v \ge 20 \wedge \mathit{Th} > 0.6 \wedge v' = v \wedge \mathit{Th}' = \mathit{Th})$, etc.
Is $(q_2,\ \mathit{Th} = 0.1 \wedge v < 30)$ reachable?
Hybrid System Verification is Hard
Although there are successful examples, most practical systems cannot be handled.
Main approaches:
- Geometric methods
  1. Over-estimate $\llbracket H \rrbracket$ up to some time bound $t$.
  2. Check whether $\llbracket H \rrbracket_{<t} \cap \mathit{Unsafe} = \emptyset$.
- Proof-theoretic methods
  Show that $\Phi(H) \vdash \neg \mathit{Unsafe}$ is derivable syntactically in a sound axiomatic system.
Geometric Methods
Pros:
- Computations can be made visible.
- Very helpful for the general understanding of behavior.
Cons:
- High complexity; error control is hard.
- Hard to handle complex dynamics or high dimensions.
- Hard to handle logical operations.
Proof-theoretic Approaches
Pros:
- Highly complex systems/properties.
- Reliable answers.
- No bounds on variables.
Cons:
- Not for debugging.
- Finding invariants needs much human insight.
- Underlying decision procedures can be hard to scale.
Stepping Back
What made traditional model checking scale? Encoding verification problems into logic formulas:
- View $\langle X, \to \rangle$ as a logical structure.
- Encode the properties of interest as a temporal/propositional formula $\varphi$.
- Check satisfiability of formulas using highly efficient solvers: does $\langle X, \to \rangle \models \varphi$? Use BDD/SAT/SMT solvers to find a model of $\varphi$.
Comparison with geometric methods: yields debugging information and is flexible; but the computations are not visible and the analysis is bounded.
Model-theoretic Methods (Discrete Systems)
Let $M$ denote the transition system $\langle X, \to \rangle$.
Bounded reachability:
$M \models \exists \vec{x}_0, \ldots, \vec{x}_n \big( \mathit{Init}(\vec{x}_0) \wedge \bigwedge_{i=0}^{n-1} \mathit{Trans}(\vec{x}_i, \vec{x}_{i+1}) \wedge \mathit{Target}(\vec{x}_n) \big)$?
Reachable set computation (with $\vec{x}_n$ left free):
$\llbracket \exists \vec{x}_0, \ldots, \vec{x}_{n-1} \big( \mathit{Init}(\vec{x}_0) \wedge \bigwedge_{i=0}^{n-1} \mathit{Trans}(\vec{x}_i, \vec{x}_{i+1}) \big) \rrbracket_M = ?$
Synthesis problems (with the control inputs $\vec{u}_i$ left free):
$\llbracket \forall \vec{x}_0, \ldots, \vec{x}_n \big( \mathit{Init}(\vec{x}_0) \wedge \bigwedge_{i=0}^{n-1} \mathit{Control}(\vec{x}_i, \vec{x}_{i+1}, \vec{u}_i) \wedge \mathit{Target}(\vec{x}_n) \big) \rrbracket_M = ?$
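As an added illustration (not code from the slides), the bounded-reachability and reachable-set formulas above instantiated on a small, constructed finite transition system. A backtracking search over the conjuncts plays the role of the SAT/SMT solver; the state space, the predicates Init/Trans/Target and the depth bounds are all constructed for this example.

```python
from typing import List, Optional, Set, Tuple

State = Tuple[int, int]

# Constructed state space X: a counter in 0..7 and a one-bit latch.
DOMAIN: List[State] = [(c, l) for c in range(8) for l in range(2)]


def init(x: State) -> bool:
    """Init(x): counter and latch both zero."""
    return x == (0, 0)


def trans(x: State, y: State) -> bool:
    """Trans(x, y): count up modulo 8 keeping the latch, or (only when the
    counter reads 3 and the latch is clear) set the latch without counting."""
    c, l = x
    c2, l2 = y
    return (c2 == (c + 1) % 8 and l2 == l) or (c == 3 and l == 0 and c2 == 3 and l2 == 1)


def target(x: State) -> bool:
    """Target(x): the counter reads 6 with the latch set."""
    return x == (6, 1)


def bounded_reach(init, trans, target, n: int, domain: List[State]) -> Optional[List[State]]:
    """Decide M |= exists x0..xn (Init(x0) ^ /\\ Trans(xi, xi+1) ^ Target(xn))
    by backtracking over the conjuncts in order, exactly as the unrolled formula
    is laid out.  Returns a witness path x0..xn (a model of the formula) or None."""

    def extend(path: List[State]) -> Optional[List[State]]:
        if len(path) == n + 1:
            return path if target(path[-1]) else None
        for y in domain:
            if trans(path[-1], y):
                found = extend(path + [y])
                if found is not None:
                    return found
        return None

    for x0 in domain:
        if init(x0):
            witness = extend([x0])
            if witness is not None:
                return witness
    return None


def reach_set(init, trans, n: int, domain: List[State]) -> Set[State]:
    """The set [[exists x0..x_{n-1} (Init(x0) ^ /\\_{i<n} Trans(xi, xi+1))]]_M
    with x_n free: all states reachable in exactly n steps, computed by
    iterating the post-image n times."""
    frontier = {x for x in domain if init(x)}
    for _ in range(n):
        frontier = {y for x in frontier for y in domain if trans(x, y)}
    return frontier


if __name__ == "__main__":
    for depth in (6, 7):
        print(depth, bounded_reach(init, trans, target, depth, DOMAIN))
    print(reach_set(init, trans, 7, DOMAIN))
```

Depth 6 is unsatisfiable (the latch step costs one transition, so the target needs seven), and the witness returned at depth 7 is exactly the counterexample trace a bounded model checker reports; the reachable-set call shows that at depth 7 only the two states (7, 0) and (6, 1) satisfy the open formula.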
Model-theoretic Methods (Continuous Systems)
Logical encoding is not limited to discrete systems.
Continuous dynamics: $\frac{d\vec{x}(t)}{dt} = \vec{f}(\vec{x}(t), t)$
The solution curve: $\alpha : \mathbb{R} \to X$, $\alpha(t) = \alpha(0) + \int_0^t f(\alpha(s), s)\, ds$.
Define the predicate $\llbracket \mathit{Flow}_f(\vec{x}, \vec{x}_0, t) \rrbracket_M = \{ (\vec{x}, \vec{x}_0, t) : \alpha(0) = \vec{x}_0,\ \alpha(t) = \vec{x} \}$.
Reachability: $M \models \exists \vec{x}_0, t, \vec{x} \big( \mathit{Init}(\vec{x}_0) \wedge \mathit{Flow}_f(\vec{x}, \vec{x}_0, t) \wedge \mathit{Target}(\vec{x}) \big)$?
Model-theoretic Methods (Hybrid Systems)
Combine the discrete and continuous components (1):
$\mathit{Reach}^0_{q_0 \to q_0}(\vec{x}) := \exists t_0\, \exists \vec{x}_0 \big( \mathit{Inv}_{q_0}(\vec{x}_0) \wedge \mathit{Inv}_{q_0}(\vec{x}) \wedge \mathit{Flow}_{q_0}(\vec{x}, \vec{x}_0, t_0) \big)$
$\mathit{Reach}^{n+1}_{q_0 \to q}(\vec{x}) := \exists t_{n+1}\, \exists \vec{x}_{n+1}\, \exists \vec{x}'_{n+1} \bigvee_{q' \in Q} \big[ \mathit{Reach}^n_{q_0 \to q'}(\vec{x}_{n+1}) \wedge \mathit{Jump}_{q' \to q}(\vec{x}_{n+1}, \vec{x}'_{n+1}) \wedge \mathit{Flow}_q(\vec{x}, \vec{x}'_{n+1}, t_{n+1}) \wedge \mathit{Inv}_q(\vec{x}'_{n+1}) \wedge \mathit{Inv}_q(\vec{x}) \big]$
$H \models \mathit{Reach}^{n+1}_{q_0 \to q}(\vec{x}) \wedge \mathit{Unsafe}(\vec{x})$?
(1) Assumption: in each location, the flow stays within the invariant before any jump.
Decision Procedures over Reals
Sadly, in general those first-order formulas over $\mathbb{R}$ can never be decided.
- The arithmetic theory ($\times/+$) is decidable but highly complex (double-exponential, PSPACE).
- Available solvers: usually hard to scale to more than 10 variables.
- Handling nontrivial systems will involve (in the Flow predicate) $\exp$, $\sin/\cos$, ODEs, ... Wildly undecidable.
Allowing Errors
On the other hand, large systems of real equalities/inequalities/ODEs are routinely solved numerically.
They are perfect for simulation, but always regarded as inappropriate for verification (Platzer and Clarke, HSCC 2008).
Is there a way of using them still?
Allowing Errors
Decide $\exists \vec{x}.\ f(\vec{x}) = 0 \wedge g(\vec{x}) = 0$.
- Symbolically: we need to consider the global algebraic properties of $f$ and $g$.
- Numerically: we use iterations that only involve local evaluations of $f$ and $g$ (and their derivatives).
With error bound $\delta$, we would "numerically" decide: $\exists \vec{x}.\ |f(\vec{x})| < \delta \wedge |g(\vec{x})| < \delta$.
Robust Formulas
Consider any formula
$\varphi := \exists^{I} \vec{x}.\ \big( \bigwedge_i f_i(\vec{x}) = 0 \wedge \bigwedge_j g_j(\vec{x}) \neq 0 \big)$
Define its $\delta$-perturbed form
$\varphi^{\delta} := \exists^{I} \vec{x}.\ \big( \bigwedge_i |f_i(\vec{x})| < \delta \wedge \bigwedge_j |g_j(\vec{x})| \ge \delta \big)$
We say $\varphi$ is $\delta$-robust iff $\varphi \leftrightarrow \varphi^{\delta}$.
Robust Formulas (Decidability)
Robust formulas have very nice computational properties.
Definition: $\mathbb{R}_{\mathcal{F}} = \langle \mathbb{R}, \mathcal{F}, < \rangle$ where $\mathcal{F}$ is the set of all real-computable functions (Type-II computability; $\exp$, $\sin$, ODEs, ...).
Let $\varphi$ be a robust and bounded sentence (arbitrary quantification).
Theorem: $\mathbb{R}_{\mathcal{F}} \models \varphi$ is decidable.
The proof simulates cylindrical decomposition.
Robust Formulas (Complexity)
In particular, if $\varphi$ is existentially quantified:
Theorem: If $\mathcal{F}|_{\varphi}$ is real-computable in complexity class $C$, then deciding $\varphi$ is in $\mathrm{NP}^{C}$.
This means:
Corollary: Deciding robust bounded existential sentences
1. in $\mathcal{L}_{+, \times, \exp, \sin}$ is NP-complete;
2. in $\mathcal{L}_{\mathrm{LipschitzODE}}$ is PSPACE-complete.
Not Just in Theory
We are developing the practical SMT solver dReal.
- DPLL(T) + Interval Constraint Propagation.
- The SAT solver handles the Boolean skeleton; ICP handles systems of equations (scalable to $10^3$ variables).
- Currently solvable signature: $+/\times$, $\exp$, $\sin$ (Gao et al., FMCAD 2010).
- In progress: (numerically stable) nonlinear ODEs.
Interval Constraint Propagation
Interval Arithmetic + Constraint Solving
Example: Solve $\{ x = y,\ x^2 = y \}$ for $x \in [1, 4]$ and $y \in [1, 5]$:
$I_x : [1, 4] \to [1, \sqrt{5}] \to [1, \sqrt{5}] \to [1, \sqrt[4]{5}] \to [1, \sqrt[4]{5}] \to [1, \sqrt[8]{5}] \to \cdots \to [1, 1]$
$I_y : [1, 5] \to [1, 5] \to [1, \sqrt{5}] \to [1, \sqrt{5}] \to [1, \sqrt[4]{5}] \to [1, \sqrt[4]{5}] \to \cdots \to [1, 1]$
ICP routinely handles thousands of variables and highly nonlinear constraints.
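The narrowing sequence above, as an added example that is not dReal's code nor code from the slides: a minimal interval-arithmetic contractor for the two constraints $x = y$ and $x^2 = y$, run round-robin as ICP does, plus a branch-and-prune loop that stops with "delta-sat" once a surviving box is narrower than $\delta$ and with "unsat" only when interval contraction has refuted every box. The second input box (lower bound $1.0001$ instead of $1$) is constructed to show the two cases of the guarantee discussed later in the deck: the formula is precisely unsatisfiable there, yet a coarse $\delta$ still reports "delta-sat", because the $\delta$-perturbed formula does have a solution. All interval code, function names and the input boxes are assumptions made for this example.

```python
from math import sqrt
from typing import Dict, List, Optional, Tuple

Interval = Tuple[float, float]   # closed interval [lo, hi]
Box = Dict[str, Interval]        # one interval per variable


def meet(a: Interval, b: Interval) -> Optional[Interval]:
    """Intersection of two intervals; None when they are disjoint."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None


def square(a: Interval) -> Interval:
    """Interval extension of x -> x^2 (x^2 is monotone on each side of 0)."""
    lo, hi = a
    if lo >= 0:
        return (lo * lo, hi * hi)
    if hi <= 0:
        return (hi * hi, lo * lo)
    return (0.0, max(lo * lo, hi * hi))


def contract_eq(box: Box, u: str, v: str) -> Optional[Box]:
    """Contractor for u = v: both variables shrink to their common part."""
    m = meet(box[u], box[v])
    return None if m is None else {**box, u: m, v: m}


def contract_square(box: Box, u: str, v: str) -> Optional[Box]:
    """Contractor for u^2 = v: push u forward into v, then pull v back into u."""
    v_new = meet(box[v], square(box[u]))
    if v_new is None:
        return None
    lo, hi = sqrt(max(v_new[0], 0.0)), sqrt(max(v_new[1], 0.0))
    ulo, uhi = box[u]
    # preimage of v_new under squaring, restricted to the sign(s) u can still take
    pre = (lo, hi) if ulo >= 0 else ((-hi, -lo) if uhi <= 0 else (-hi, hi))
    u_new = meet(box[u], pre)
    return None if u_new is None else {**box, u: u_new, v: v_new}


# The slide's system {x = y, x^2 = y}, as contractors applied round-robin.
CONTRACTORS = [
    lambda b: contract_square(b, "x", "y"),
    lambda b: contract_eq(b, "x", "y"),
]


def width(box: Box) -> float:
    return max(hi - lo for lo, hi in box.values())


def propagate(box: Box) -> Optional[Box]:
    """One round of propagation; None if some contractor empties the box."""
    for c in CONTRACTORS:
        box = c(box)
        if box is None:
            return None
    return box


def prune_trace(box: Box, rounds: int) -> List[Box]:
    """Record the box after every contractor call (the slide's I_x / I_y sequence)."""
    out = [box]
    for _ in range(rounds):
        for c in CONTRACTORS:
            box = c(box)
            if box is None:
                return out
            out.append(box)
    return out


def delta_decide(box: Box, delta: float, max_rounds: int = 10_000):
    """delta-complete branch-and-prune.
    'unsat'     -> every box was refuted by sound interval contraction, so no
                   perturbation of the constraints up to delta has a solution.
    'delta-sat' -> a box of width <= delta survived; it witnesses the
                   delta-perturbed formula, which may still be precisely unsat."""
    stack = [box]
    while stack:
        b = stack.pop()
        for _ in range(max_rounds):
            nb = propagate(b)
            if nb is None:
                b = None
                break
            if width(nb) <= delta:
                return "delta-sat", nb
            if nb == b:          # fixpoint reached while still wider than delta
                break
            b = nb
        if b is not None:        # stalled: bisect the widest variable, try both halves
            var = max(b, key=lambda k: b[k][1] - b[k][0])
            lo, hi = b[var]
            mid = (lo + hi) / 2
            stack.append({**b, var: (lo, mid)})
            stack.append({**b, var: (mid, hi)})
    return "unsat", None


if __name__ == "__main__":
    start = {"x": (1.0, 4.0), "y": (1.0, 5.0)}           # the slide's input box
    for step in prune_trace(start, 2):
        print(step)
    print(delta_decide(start, 1e-3))                      # delta-sat, box around x = y = 1
    print(delta_decide({"x": (2.0, 4.0), "y": (1.0, 5.0)}, 1e-3))   # unsat
    # Constructed: excluding x = 1 makes the formula precisely unsat, but a coarse
    # delta still accepts a box near 1 because the perturbed formula is satisfiable.
    shifted = {"x": (1.0001, 4.0), "y": (1.0, 5.0)}
    print(delta_decide(shifted, 0.1), delta_decide(shifted, 1e-3))
```

On the shifted box the lower bound grows like $1.0001^{2^k}$ and the upper bound shrinks like $5^{2^{-k}}$ as rounds proceed; with $\delta = 0.1$ the box is already narrower than $\delta$ after five rounds (a "delta-sat" answer with no exact solution inside), while with $\delta = 10^{-3}$ the contractors empty the box at round seven and the answer is a sound "unsat".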
Correctness Guarantee (Formula)
For any existential formula $\varphi$ (robust or nonrobust), with a tunable error bound $\delta$, we know:
1. Solver says "unsat" $\Rightarrow$ $\varphi$ is $\delta$-robustly unsatisfiable: unsatisfiable under any perturbation up to $\delta$.
2. Solver says "sat" $\Rightarrow$ $\varphi$ may be unsatisfiable, but $\varphi^{\delta}$ is satisfiable. It means we do know that a syntactically-perturbed version of $\varphi(\vec{x})$ is satisfiable.
This is what we call $\delta$-completeness.
Robust Hybrid Systems
Let $H = \langle X, Q, \mathit{Init}, \mathit{Flow}, \mathit{Jump}, \mathit{Inv} \rangle$.
Similarly, we can define $\delta$-robust hybrid systems:
$H^{\delta} = \langle X, Q, \mathit{Init}^{\delta}, \mathit{Flow}^{\delta}, \mathit{Jump}^{\delta}, \mathit{Inv}^{\delta} \rangle$
$H$ is $\delta$-robust if $H \sim_{\mathrm{bisim}} H^{\delta}$.
Delta-Complete Bounded Model Checking
When model checking $H$: $\varphi : \mathit{Reach}^{\le n}_H$ is unsat $\Leftrightarrow$ $H$ is safe up to $n$.
1. $\varphi$ is "unsat" $\Rightarrow$ $H$ is $\delta$-robustly safe: $H$ is safe under any $\delta$-perturbation $\tilde{H}$.
2. $\varphi$ is "sat" $\Rightarrow$ there exists a $\delta$-perturbation $\tilde{H}$ such that $\tilde{H}$ is unsafe. The solver returns a solution that shows the bug.
This is even better than precise solvers!
Delta-Complete Bounded Model Checking
Pros:
- Highly scalable numerical algorithms and SAT solvers
- Possible to scale to complex dynamics and large dimensions
- No accumulation of numerical errors
- Strong robustness check
- Counterexamples
Cons:
- Bounded variables (can be very loose)
- Bounded unwinding depth
- Computations are not visible
- Debugging, not verifying (yet!)