Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems
Alessandro Cimatti, Sergio Mover, Stefano Tonetta
Fondazione Bruno Kessler
October 31, 2011
Sergio Mover (FBK), Unfeasibility and Explanations of MSC, October 31, 2011, 1 / 28
Motivations
Hybrid Systems: mix discrete (e.g. hardware) and continuous (e.g. sensor) behaviors.
Complex critical systems: train control system (ETCS), airplane traffic control system (TCAS), ...
Network of components.
Scenario-verification: is there a run of the system compatible with the scenario? If such a run exists, the scenario is feasible.
[Figure: network of hybrid automata Rod1, Rod2 (locations Ready, Recovering, In; flow ẋ ∈ [0.9, 1.1]; invariants x ≤ 16, x ≤ 5.9; transitions x ≥ 16/τ/x' := x, Add_i/x' := 0, Remove_i/x' := 0) and Controller (locations No Rod, Rod1, Rod2; x ≥ 16/Add_i/x' := 0, x ∈ [5, 5.9]/Remove_i/x' := 0), next to the MSC Rod1 / Controller / Rod2 with messages Add1, Rem1 (time ≤ 19), Add2 (time ≥ 19), Rem2, Add1, Rem1 (time ≥ 80).]
Motivations
Existing approaches:
1. Reduction to reachability: can prove both feasibility and unfeasibility. Inefficient.
2. Scenario-based encoding [CAV11]: cannot prove unfeasibility. Efficient.
Our contribution is an SMT-based technique that:
- efficiently proves unfeasibility;
- extracts explanations for the unfeasibility.
Outline
1. Background: SMT analysis of Hybrid Systems; Scenario-Verification
2. Proving the unfeasibility of scenarios
3. Explanations of Unfeasibility
4. Experimental Evaluation
5. Conclusions and future work
Hybrid Automata
Hybrid automata ([Henzinger 96]): framework for representing hybrid systems.
- Discrete instantaneous mode switches.
- Continuous evolution according to flow conditions.
[Figure: the Rod1 automaton (Ready, Recovering, In; ẋ ∈ [0.9, 1.1]; x ≥ 16/τ/x' := x; Add1/x' := 0; Remove1/x' := 0; invariants x ≤ 16, x ≤ 5.9) with two plots over time 0..9: the value of x and the current location (Ready, Recovering, In).]
Hybrid Automata Network
Network of hybrid automata H = H_1 || ... || H_n:
- Move asynchronously on local events (τ).
- Synchronize on shared events.
[Figure: the Rod1, Rod2 and Controller automata of the motivating example; Rod1 synchronizes with the Controller on Add1, Remove1 and Rod2 on Add2, Remove2.]
Different semantics:
1. Global-time ([Henzinger 96]).
2. Local-time ([Bengtsson 98]).
Local-time semantics
The time evolves independently in each automaton:
- Local time scale.
- The continuous evolution is a local transition.
The local time of the automata must be the same:
- On synchronizations.
- At the end of a run.
[Figure: two automata A and B, each with its own clock; local τ steps advance only one clock, a shared event requires both clocks to show the same time.]
τ = local event (no stutter or time).
SMT analysis of Hybrid Systems
Each automaton is encoded in a symbolic transition system H_i = ⟨Init_i, Trans_i⟩.
Bounded model checking: BMC_{H_1}(k) and BMC_{H_2}(k) unroll the transition relation T for k steps (1, 2, 3, 4, ..., k).
k-induction:
- Base case: BMC up to k.
- Inductive case: BMC and simple path condition up to k + 1.
Use SMT solvers as decision procedure.
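The base case and the inductive case of the slide, worked on a constructed finite transition system (an added example, not the authors' encoding or tool). With a finite state space the SMT queries of the slide become plain enumeration, so the example runs stand-alone; the system, the property and the state names are assumptions chosen so that the simple-path condition is what makes the inductive step close.

```python
from typing import Dict, Hashable, Iterator, List, Optional, Set, Tuple

State = Hashable
Path = Tuple[State, ...]

# Constructed finite system standing in for one symbolic <Init_i, Trans_i>.
# States 0..3 are reachable; 4 and 5 are not, and 4 has a self-loop so that
# paths 4 -> 4 -> ... -> 5 of every length exist unless simple paths are required.
INIT: Set[int] = {0}
TRANS: Dict[int, Set[int]] = {0: {1}, 1: {2}, 2: {3}, 3: {3}, 4: {4, 5}, 5: {5}}


def bmc(init, trans, bad, k) -> Optional[List[State]]:
    """Base case: a path from Init to a bad state using at most k transitions
    (the unrolling Init, T, ..., T, bad of the slide), or None."""
    frontier: List[Path] = [(s,) for s in init]
    for depth in range(k + 1):
        for path in frontier:
            if bad(path[-1]):
                return list(path)
        if depth < k:
            frontier = [path + (t,) for path in frontier for t in trans[path[-1]]]
    return None


def paths(trans, length, simple) -> Iterator[Path]:
    """All paths with `length` transitions starting anywhere; with `simple`
    only loop-free paths (no repeated state) are produced."""
    def extend(path: Path) -> Iterator[Path]:
        if len(path) == length + 1:
            yield path
            return
        for t in trans[path[-1]]:
            if simple and t in path:
                continue
            yield from extend(path + (t,))
    for s in trans:
        yield from extend((s,))


def inductive_step(trans, bad, k, simple=True) -> Optional[List[State]]:
    """Inductive case: a path of k + 1 states whose first k states satisfy the
    property and whose last one violates it (a counterexample to induction)."""
    for path in paths(trans, k, simple):
        if not any(bad(s) for s in path[:-1]) and bad(path[-1]):
            return list(path)
    return None


def k_induction(init, trans, bad, k_max, simple=True):
    """Alternate base case and inductive case for k = 1..k_max."""
    for k in range(1, k_max + 1):
        cex = bmc(init, trans, bad, k)
        if cex is not None:
            return ("unsafe", cex)
        if inductive_step(trans, bad, k, simple) is None:
            return ("safe", k)
    return ("unknown", k_max)


if __name__ == "__main__":
    print(k_induction(INIT, TRANS, lambda s: s == 5, 5))               # safe at k = 2
    print(k_induction(INIT, TRANS, lambda s: s == 5, 5, simple=False)) # unknown
    print(k_induction(INIT, TRANS, lambda s: s == 3, 5))               # unsafe, [0, 1, 2, 3]
```

Without the simple-path condition the looping path 4 → 4 → ... → 5 defeats the inductive step at every k, exactly the situation the slide's "simple path condition" rules out; with it, the only candidate 4 → 5 has no loop-free predecessor and the property is proved 2-inductive. The same base/inductive split is what an SMT solver answers symbolically on the real-valued encoding.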
Constrained Message Sequence Charts
⟨m, φ⟩: Message sequence chart m with constraints φ.
- m: parallel composition of instances.
- φ = φ_g ∧ φ_1 ∧ ... ∧ φ_n: formulas over the network variables on synchronization.
  - Global (φ_g): over all the network variables.
  - Local (φ_i): over the variables of H_i.
[Figure: the MSC Rod1 / Controller / Rod2 with messages Add1, Rem1 (time ≤ 19), Add2 (time ≥ 19), Rem2, Add1, Rem1 (time ≥ 80).]
MSC verification via reachability
The CMSC is translated into a monitor automaton S_m.
The automaton is composed with the network.
Enables off-the-shelf verification techniques:
- BMC: feasibility.
- k-induction: unfeasibility.
[Figure: monitor automaton for m = σ_1 || σ_2 || σ_3 || σ_4. Its states are cuts ⟨l^j_1, l^j_2, l^j_3, l^j_4⟩ (one position per instance), its transitions are labelled by the shared events A, B, C, D, and each cut carries a τ self-loop for the local moves of the network. Successive slides highlight the cuts ⟨l^0_1, l^0_2, l^0_3, l^0_4⟩, ⟨l^1_1, l^1_2, l^0_3, l^0_4⟩ and ⟨l^1_1, l^1_2, l^1_3, l^1_4⟩ along a path to the final cut ⟨l^1_1, l^2_2, l^3_3, l^2_4⟩.]
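The cut-based monitor S_m of the slide, and the constraints φ of the previous slide, as an added example written for this page (not the authors' translation or tool). The CMSC below is constructed after the rod/controller scenario of the slides: one event sequence per instance, and three global constraints over the network variable `time`; the representation of constraints as predicates keyed by (instance, position) is an assumption of this example.

```python
from collections import deque
from typing import Callable, Dict, List, Tuple

Cut = Tuple[int, ...]

# Constructed CMSC: m as one event sequence per instance (parallel composition).
MSC: Dict[str, List[str]] = {
    "Rod1":       ["Add1", "Rem1", "Add1", "Rem1"],
    "Controller": ["Add1", "Rem1", "Add2", "Rem2", "Add1", "Rem1"],
    "Rod2":       ["Add2", "Rem2"],
}
# Constraints phi, keyed by the (instance, position) of the event they decorate.
# Here all three are global constraints over the network variable `time`.
PHI: Dict[Tuple[str, int], Callable[[float], bool]] = {
    ("Controller", 1): lambda time: time <= 19,   # first Rem1
    ("Controller", 2): lambda time: time >= 19,   # Add2
    ("Controller", 5): lambda time: time >= 80,   # last Rem1
}
# Constructed candidate run: (event, value of `time` at the synchronization).
GOOD_RUN = [("Add1", 5), ("Rem1", 10), ("Add2", 20), ("Rem2", 30), ("Add1", 60), ("Rem1", 85)]


def initial_cut(msc) -> Cut:
    return tuple(0 for _ in msc)


def is_final(msc, cut) -> bool:
    return all(pos == len(msc[i]) for i, pos in zip(msc, cut))


def participants(msc, event) -> List[str]:
    return [i for i, seq in msc.items() if event in seq]


def enabled(msc, cut) -> List[str]:
    """Shared events on which every participating instance is ready to synchronize."""
    pos = dict(zip(msc, cut))
    nexts = {i: msc[i][pos[i]] for i in msc if pos[i] < len(msc[i])}
    return sorted({e for e in nexts.values()
                   if all(nexts.get(i) == e for i in participants(msc, e))})


def fire(msc, cut, event) -> Cut:
    """Advance every participant of `event` by one position."""
    return tuple(pos + (1 if i in participants(msc, event) else 0)
                 for i, pos in zip(msc, cut))


def build_monitor(msc):
    """Explore the cuts reachable from the initial cut. The network's local tau
    moves are self-loops on every cut and are therefore not listed as edges."""
    start = initial_cut(msc)
    states, edges, queue = {start}, {}, deque([start])
    while queue:
        cut = queue.popleft()
        for e in enabled(msc, cut):
            nxt = fire(msc, cut, e)
            edges[(cut, e)] = nxt
            if nxt not in states:
                states.add(nxt)
                queue.append(nxt)
    return states, edges


def check_run(msc, phi, run) -> Tuple[bool, str]:
    """Walk the monitor along a candidate run; the run is compatible with the
    CMSC iff it reaches the final cut and satisfies phi at every synchronization."""
    cut, last_time = initial_cut(msc), 0.0
    for event, time in run:
        if time < last_time:
            return False, f"time goes backwards at {event}"
        if event not in enabled(msc, cut):
            return False, f"{event} is not enabled at cut {cut}"
        for i, pos in zip(msc, cut):
            if i in participants(msc, event) and (i, pos) in phi and not phi[(i, pos)](time):
                return False, f"constraint on {event} violated at time {time}"
        cut, last_time = fire(msc, cut, event), time
    if not is_final(msc, cut):
        return False, f"scenario not completed, stopped at cut {cut}"
    return True, "ok"


if __name__ == "__main__":
    states, edges = build_monitor(MSC)
    print(len(states), "cuts;", len(edges), "event transitions")
    print(check_run(MSC, PHI, GOOD_RUN))
    print(check_run(MSC, PHI, [("Add1", 5), ("Rem1", 25)]))  # violates time <= 19
```

`build_monitor` is the S_m of the slide (its states are the cuts, its edges the shared events); `check_run` only checks a run against the scenario side. Whether such a run is also a run of the network, which is what the composition S_m || H and the BMC / k-induction queries decide, is the part of the slide this example leaves to the solver.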