SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple - PowerPoint PPT Presentation

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1

A simple (often the only) strategy 𝑈 • Given start and target S • Compute finite cover of initial set • Simulate from the center 𝑦 0 of each cover • Bloat simulation so that bloated tube contains all trajectories from the cover 𝑦 0 • Union = over-approximation of reach set • Check intersection/containment with 𝑈 • Refine [Girard et al 2006], [Donze et al 2008],... • How much to bloat? (obviously incomplete) • How to handle mode switches? 2

Discrepancy (Spirit of Loop Invariants) . Definition. 𝛾: ℝ 2𝑜 × ℝ ≥0 → ℝ ≥0 defines a discrepancy of the system if for any two states 𝑦 1 and 𝑦 2 ∈ 𝑌 , For any t, 1. |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝛾 𝑦 1 , 𝑦 2 , 𝑢 and 2. 𝛾 → 0 as 𝑦 1 → 𝑦 2 𝑦 ≔ 0 invariant 𝑦 ≤ 10 until 𝑦 ≥ 10 do −𝜊 𝑦 1 , 𝑢 𝑦 ≔ 𝑦 + 1 −𝑊 𝜊 𝑦 1 , 𝑢 , 𝜊 𝑦 2 , 𝑢 −𝛾 𝑦 1 , 𝑦 2 , 𝑢 od 3

Computing Discrepancy . If L is a Lipschitz constant for f(x,t) then |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝑓 𝑀𝑢 𝑦 1 − 𝑦 2 . 𝑦 = 𝐵𝑦 Lyapunov function 𝑦 𝑈 𝑁𝑦 that proves exponenial If stability, then |𝜊 𝑦 1 , 𝑢 − 𝜊 𝑦 2 , 𝑢 | ≤ 𝐿𝑓 𝛿𝑢 𝑦 1 − 𝑦 2 where 𝐿 = 𝐺𝑣𝑜𝑑(𝑁) Similar observation by [Deng et al 2013] What about Nonlinear Systems? 4

Computing Discrepancy . If M is a contraction metric, that is, a positive definite matrix such that ∃𝑐 𝑁 > 0 : 𝐾 𝑈 𝑁 + 𝑁 𝐾 + 𝑐 𝑁 𝑁 ≼ 0, where J is the 2 ≤ Jacobian for f, then ∃𝑙, 𝜀 > 0 such that 𝜊 𝑦, 𝑢 − 𝜊 𝑦 ′ , 𝑢 𝑙 𝑦 − 𝑦 ′ 2 𝑓 −𝜀𝑢 [Lohmiller & Slotine ‘98]. New algorithm: computes local discrepancy by estimating maximum eigenvalue of the Jacobian matrix over a neighborhood [Fan & Mitra 2014]. Inferring Contraction Metric from simulations [Balkan et al 2014] What next? 5

Simulations+Annotation  Reachtubes 𝒕𝒋𝒏𝒗𝒎𝒃𝒖𝒋𝒑𝒐(𝒚 𝟏 , 𝒊, 𝝑, 𝑼) of gives a sequence S 0 , … , 𝑇 𝑙 : 𝑒𝑗𝑏 𝑇 𝑗 ≤ 𝜗 & at any time 𝑢 ∈ [𝑗ℎ, 𝑗 + 1 ℎ] , solution 𝜊 𝑦 0 , 𝑢 ∈ 𝑇 𝑗 . 𝒔𝒇𝒃𝒅𝒊𝒖𝒗𝒄𝒇 𝑻, 𝝑, 𝑼 of 𝑦 = 𝑔 𝑦 is a sequence 𝑆 0 , … , 𝑆 𝑙 such that 𝑒𝑗𝑏(𝑆 𝑗 ) ≤ 𝜗 and from any 𝑦 0 ∈ 𝑇, for each time 𝑢 ∈ [𝑗ℎ, (𝑗 + 1)ℎ] , 𝜊 𝑦 0 , 𝑢 ∈ 𝑆 𝑗 . 𝑇 0 , … , 𝑇 𝑙 , 𝜗 1 ← 𝑤𝑏𝑚𝑇𝑗𝑛(𝑦 0 , 𝑈, 𝑔) For each 𝑗 ∈ [𝑙] 𝜗 2 ← sup 𝛾 𝑦 1 , 𝑦 2 , 𝑢 𝑢∈𝑈 𝑗 ,𝑦,𝑦 ′ ∈𝐶 𝜀 (𝑦 0 ) 𝑆 𝑗 ← 𝐶 𝜗 2 𝑇 𝑗 6

How to get completeness for hybrid systems? Track & propagate 𝑛𝑏𝑧 and 𝑛𝑣𝑡𝑢 fragments of reachtube 𝑛𝑣𝑡𝑢 𝑆 ⊆ 𝑄 𝒖𝒃𝒉𝑺𝒇𝒉𝒋𝒑𝒐 𝑺, 𝑸 = 𝑛𝑏𝑧 𝑆 ∩ 𝑄 ≠ ∅ 𝑜𝑝𝑢 𝑆 ∩ 𝑄 = ∅ 𝒋𝒐𝒘𝒃𝒔𝒋𝒃𝒐𝒖𝑸𝒔𝒇𝒈𝒋𝒚(𝝎, 𝑻) = 〈𝑆 0 , 𝑢𝑏𝑕 0 , … , 𝑆 𝑛 , 𝑢𝑏𝑕 𝑛 〉 , such that either ′ 𝑡 before it are must 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢 if all the 𝑆 𝑘 ′ 𝑡 before it are at least may 𝑢𝑏𝑕 𝑗 = 𝑛𝑏𝑧 if all the 𝑆 𝑘 and at least one of them is not must 7

Hybrid Reachtubes: Guards & Resets 𝒐𝒇𝒚𝒖𝑺𝒇𝒉𝒋𝒑𝒐𝒕(𝝌) returns a set of tagged regions N. ∈ 𝑂 iff ∃ 𝑏, 𝑆 𝑗 such that 𝑆 ′ = 𝑆𝑓𝑡𝑓𝑢 𝑏 𝑆 𝑗 and: 𝑆′, 𝑢𝑏𝑕′ 𝑆 𝑗 ⊆ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕 ′ = 𝑛𝑣𝑡𝑢 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑆 𝑗 ∉ 𝐻𝑣𝑏𝑠𝑒 𝑏 , 𝑢𝑏𝑕 𝑗 = 𝑛𝑣𝑡𝑢, 𝑢𝑏𝑕 ′ = 𝑛𝑏𝑧 𝑆 𝑗 ∩ 𝐻𝑣𝑏𝑠𝑒 𝑏 ≠ ∅, 𝑢𝑏𝑕 𝑗 = 𝑢𝑏𝑕′ = 𝑛𝑏𝑧 8

Sound & Relatively Complete. Theorem. (Soundness). If Algorithm returns safe or unsafe, then 𝐵 is safe or unsafe. Definition Given HA 𝐵 = 〈𝑊, 𝑀𝑝𝑑, 𝐵, 𝐸, 𝑈 〉 , an 𝝑 -perturbation of A is a new HA 𝐵′ that is identical except, Θ ′ = 𝐶 𝜗 (Θ) , ∀ ℓ ∈ 𝑀𝑝𝑑, 𝐽𝑜𝑤 ′ = 𝐶 𝜗 (𝐽𝑜𝑤) (b) a ∈ A, 𝐻𝑣𝑏𝑠𝑒 𝑏 = 𝐶 𝜗 (𝐻𝑣𝑏𝑠𝑒 𝑏 ) . A is robustly safe iff ∃𝜗 > 0 , such that A’ is safe for 𝑉 𝜗 upto time bound T, and transition bound N. Robustly unsafe iff ∃ 𝜗 < 0 such that 𝐵′ is safe for 𝑉 𝜗 . Theorem. (Relative Completeness) Algorithm always terminates whenever the A is either robustly safe or robustly unsafe. 9

C2E2 10

Part II TWO APPLICATIONS Duggirala ∘ Wang ∘ Mitra ∘ Munoz ∘ Viswanathan (FM 2014) Huang ∘ Fan ∘ Meracre ∘ Mitra ∘ Kiwatkowska (CAV 2014) 11

SAPA-ALAS Parallel Landing Protocol Ownship and Intruder approaching parallel runways with small separation ALAS (at ownship) protocol is supposed to raise an 𝑇𝐼 alarm if within T time units the Intruder can violate 𝑦𝑡𝑓𝑞 safe separation based on 3 different projections 𝑇𝐺 Verify Alert ≼ 𝑐 Unsafe for different runway and aircraft 𝑇𝐶 𝑧𝑡𝑓𝑞 scenarios Scenario 1. With xsep [.11,.12] Nm ysep [.1,.21] Nm, 𝜚 = 30 𝑝 𝜚 𝑛𝑏𝑦 = 45 o vy o = 136 Nmph, vy i = 155 Nmph Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2014 12

SAPA-ALAS Parallel Landing Protocol 𝐵𝑚𝑓𝑠𝑢 𝑗 = 𝑦 ∃ 𝑢 ∈ 0, 𝑈 , 𝑞𝑠𝑝𝑘 𝑗 𝑦, 𝑢 ∈ 𝑉𝑜𝑡𝑏𝑔𝑓} , where 𝑞𝑠𝑝𝑘 𝑗 defined as solution of ODE 𝑦 = 𝑕 𝑗 (𝑦, 𝑢) 𝑇𝐼 𝑦𝑡𝑓𝑞 Use simulations and annotations of 𝑕 𝑗 to compute 𝑇𝐺 𝑛𝑣𝑡𝑢 intervals when 𝑦 ∈ 𝐵𝑚𝑓𝑠𝑢 𝑗 𝑇𝐶 𝑧𝑡𝑓𝑞 𝐵𝑚𝑓𝑠𝑢 ≺ 𝑐 𝑄 2 is satisfied by Reachtube 𝜔 if ∀ 𝐽 2 ∈ 𝑁𝑣𝑡𝑢 𝑄 2 ∪ 𝑁𝑏𝑧 𝑄 2 there exists 𝐽 1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 such that 𝐽 1 < 𝐽 2 − 𝑐 𝐵𝑚𝑓𝑠𝑢 ≺ 𝑐 𝑄 2 is violated by Reachtube 𝜔 if ∃ 𝐽 2 ∈ 𝑁𝑣𝑡𝑢 𝑄 2 for all 𝐽 1 ∈ 𝑁𝑣𝑡𝑢 𝐵𝑚𝑓𝑠𝑢 ∪ 𝑁𝑏𝑧 𝐵𝑚𝑓𝑠𝑢 such that 𝐽 1 > 𝐽 2 − 𝑐 Duggirala, Wang, Mitra, Munoz, Viswanathan FM 2013 13

Real-time Alerting Protocol . Alert ≼ 4 Alert ≼ ? Running time Scenario Unsafe (mins:sec) Unsafe 6 False 3:27 2.16 7 True 1:13 – 8 True 2:21 – 6.1 False 7:18 1.54 7.1 True 2:34 – 8.1 True 4:55 – Sound & robustly completeness 9 False 2:18 1.8 10 False 3:04 2.4 C2E2 verifies interesting scenarios in 9.1 False 4:30 1.8 reasonable time; shows that false 10.1 False 6:11 2.4 alarms are possible; found scenarios where alarm may be missed 14

Exploiting Modularity Module 1 Module 1 ? Module 2 Module 3 Module 2 Module 3 Module 5 Module 4 𝑟 𝑏 𝑦 1 = 𝑔 𝑏 (𝑦 1 , 𝑦 2 , 𝑦 3 ) × 𝑀 𝑂 𝑦 2 = 𝑔 𝑐 (𝑦 2 , 𝑦 1 , 𝑦 3 ) 𝑦 3 = 𝑔 𝑑 (𝑦 3 , 𝑦 1 , 𝑦 2 ) 𝑟 𝑑 𝑟 𝑐 15

Input-to-State (IS) Discrepancy 𝑣(𝑢) 𝜊(𝑦, 𝑣, 𝑢) 𝑣 𝑦 𝑦 = 𝑔(𝑦, 𝑣) 𝑣′(𝑢) 𝜊(𝑦 ′ , 𝑣 ′ , 𝑢) 𝑦′ time time 𝑢 Definition. IS discrepancy is defined by 𝛾 and 𝛿 such that for any initial states 𝑦, 𝑦 ′ and any inputs 𝑣, 𝑣 ′ , 𝑢 𝛿 |𝑣 𝑡 − 𝑣 ′ 𝑡 | 𝑒𝑡 |𝜊(𝑦, 𝑣, 𝑢) − 𝜊 𝑦 ′ , 𝑣 ′ , 𝑢 | ≤ 𝛾(𝑦, 𝑦 ′ , 𝑢) + 0 𝛾 → 0 as 𝑦 → 𝑦′ , and 𝛿 → 0 as 𝑣 → 𝑣 ′ 16

Reduced System 𝑁(𝜀 1 , 𝜀 2 , 𝑊 1 , 𝑊 2 ) . 𝑦 = 𝑔 𝑁 𝑦 𝑦 = 〈𝑛 1 , 𝑛 2 , 𝑑𝑚𝑙〉 𝑛 1 𝛾 1 𝜀 1 , 𝑑𝑚𝑙 + 𝛿 1 𝑛 2 𝑛 2 = 𝑔 𝑁 𝑦 = 𝛾 2 𝜀 2 , 𝑑𝑚𝑙 + 𝛿 2 𝑛 1 𝑑𝑚𝑙 1 17

Bloating with Reduced Model 𝑛 1 = 𝛾 1 𝜀, 𝑢 𝑦 1 = 𝑔 1 (𝑦 1 , 𝑣 1 ) +𝛿 1 (𝑛 2 , 𝑛 3 ) 𝑛 2 = 𝛾 2 𝜀, 𝑢 𝑛 3 = 𝛾 3 𝜀, 𝑢 +𝛿 2 (𝑛 1 , 𝑛 3 ) 𝑦 3 = 𝑔 3 (𝑦 3 , 𝑣 3 ) +𝛿 3 (𝑛 1 , 𝑛 2 ) 𝑦 2 = 𝑔 2 (𝑦 2 , 𝑣 2 ) 𝜊(𝑢) 𝑛(𝑢) 𝜀 𝑦 𝑛(𝑢) time time The bloated tube contains all trajectories start from the 𝜀 -ball of 𝑦 . The over-approximation can be computed arbitrarily precise. 18

Reduced 𝑁 gives effective Discrepancy of 𝐵 . Theorem. For any 𝜀 = 〈𝜀 1 , 𝜀 2 〉 , 𝑊 = 〈𝑊 1 , 𝑊 2 〉 and 𝑈 𝑊 𝑆𝑓𝑏𝑑ℎ 𝐵 𝐶 𝜀 𝑦 , 𝑈 ⊆ 𝑢≤𝑈 𝐶 𝜈 𝑢 (𝜊 𝑦, 𝑢 ) Theorem. For any ϵ > 0 there exists δ = 〈δ 1 , δ 2 〉 such that 𝑊 𝑢≤𝑈 𝐶 𝜈 𝑢 (𝜊 𝑦, 𝑢 ) ⊆ 𝐶 𝜗 (𝑆𝑓𝑏𝑑ℎ 𝐵 (𝐶 𝜀 𝑦 , 𝑈) Here 𝜈 𝑢 is the solution of 𝑁(𝜀 1 , 𝜀 2 , 𝑊 1 , 𝑊 2 ) . Huang & Mitra, HSCC 2013 19

Pacemaker + Cardiac Network . Action potential remains in specific range No alternation of action potentials Nodes Thresh Sims Run time (s) Property 3 2 16 104.8 TRUE 3 1.65 16 103.8 TRUE 5 2 3 208 TRUE 5 1.65 5 281.6 TRUE 5 1.5 NA 63.4 FALSE 8 2 3 240.1 TRUE 20 8 1.65 73 2376.5 TRUE

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple - PowerPoint PPT Presentation

SIMULATION TO PROOFS IN C2E2 Parasara Sridhar Duggirala 1 A simple (often the only) strategy Given start and target S Compute finite cover of initial set Simulate from the center 0 of each cover Bloat

Hybrid Systems Parasara Sridhar Duggirala, Chuchu Fan, Matthew Potok, Bolun Qi, Sayan Mitra,

Proofs, Continued Today Proofs : A style guide Proofs should be easy to

Welcome to PROOFS! PROOFS: Security Proofs for Embedded Systems Introduction to the fifth

Interactive Proofs Lecture 18 AM 1 Interactive Proofs 2 Interactive Proofs IP[k] 2

Formal proofs, variable binding, and program extraction from proofs Colloquium Logicum 2016 (10

C2E2: A Verification Tool For Stateflow Models Parasara Sridhar Duggirala , Sayan Mitra, Mahesh

Proofs that, proofs why, and the analysis of paradoxes To Gerhard, on your 60th birthday Peter

NP-Hardness Proofs With What Problems We . . . What Problems We . . . Realistic Computers

proofs of proximity for distribution testing (Distribution testing now with proofs!) Tom Gur

Outline Narcisse Ngada DESY, MKK 1) What is simulation ? 14.05.2014 2) Why simulation ? 3)

UMBC A B M A L T F O U M B C I M Y O R T 1 (10/2/07) I E S R C E O V U

Foundation of proofs Jim Hefferon http://joshua.smcvt.edu/proofs The need to prove In

Lecture 8: More Proofs review: proofs Start with hypotheses and facts Use rules of

Flexiformality in Proofs: Bridging between Formal and Informal Proofs Michael Kohlhase Professur

On Hypersequents and Labelled Sequents Translating Labelled Sequent Proofs to Hypersequent Proofs

(Interactive) Proofs Proofs from 900 BCE until 1800s Pythagorass Theorem: Proof: Looks legit.

Grid simulation (AliEn) Outline GRID simulation Simulation tool Ptolemy (Berkeley)

Zero-Knowledge Proofs 1 Zero-Knowledge Proofs Lecture 15 1 Interactive Proofs 2 Interactive

Proofs Bits of Wisdom on Solving Problems, Writing Proofs, and Enjoying the Process: How to

Zero-Knowledge Proofs Lecture 15 Interactive Proofs Interactive Proofs Interactive Proofs

Projects. Probabilistically Checkable Proofs... Probabilistically Checkable Proofs Whats a

UGLY PROOFS and BOOK PROOFS Joel Spencer 1 Tournament T on n players Ranking fit = NonUpsets

Succinct Malleable NIZKs and an Application to Compact Shuffles Melissa Chase (MSR Redmond)

Why Bayesian methods in Simulation? Simulation Simulation Model Inputs BAYESIAN IDEAS