1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke.

Slides:



Advertisements
Similar presentations
1 Verification by Model Checking. 2 Part 1 : Motivation.
Advertisements

Applications of Synchronization Coverage A.Bron,E.Farchi, Y.Magid,Y.Nir,S.Ur Tehila Mayzels 1.
Modular and Verified Automatic Program Repair Francesco Logozzo, Thomas Ball RiSE - Microsoft Research Redmond.
Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Abstraction and Modular Reasoning for the Verification of Software Corina Pasareanu NASA Ames Research Center.
1 Symbolic Execution for Model Checking and Testing Corina Păsăreanu (Kestrel) Joint work with Sarfraz Khurshid (MIT) and Willem Visser (RIACS)
Chapter 1 An Overview of Computers and Programming Languages.
Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.
Programming Languages Marjan Sirjani 2 2. Language Design Issues Design to Run efficiently : early languages Easy to write correctly : new languages.
Iterative Context Bounding for Systematic Testing of Multithreaded Programs Madan Musuvathi Shaz Qadeer Microsoft Research.
MotoHawk Training Model-Based Design of Embedded Systems.
Software Development Methodology for Robotic and Embedded Systems (from drawing to coding) Presented by Iwan Setiawan for Robot and Technology Fair ( )-
© Janice Regan Problem-Solving Process 1. State the Problem (Problem Specification) 2. Analyze the problem: outline solution requirements and design.
Model Checking. Used in studying behaviors of reactive systems Typically involves three steps: Create a finite state model (FSM) of the system design.
OOP #10: Correctness Fritz Henglein. Wrap-up: Types A type is a collection of objects with common behavior (operations and properties). (Abstract) types.
Predicate Abstraction for Software and Hardware Verification Himanshu Jain Model checking seminar April 22, 2005.
WSN Simulation Template for OMNeT++
November 18, 2004 Embedded System Design Flow Arkadeb Ghosal Alessandro Pinto Daniele Gasperini Alberto Sangiovanni-Vincentelli
Multithreading in Java Nelson Padua-Perez Chau-Wen Tseng Department of Computer Science University of Maryland, College Park.
1 Formal Engineering of Reliable Software LASER 2004 school Tutorial, Lecture1 Natasha Sharygina Carnegie Mellon University.
Formal Verification of SpecC Programs using Predicate Abstraction Himanshu Jain Daniel Kroening Edmund Clarke Carnegie Mellon University.
Formal Techniques for Verification Using SystemC By Nasir Mahmood.
Cheng/Dillon-Software Engineering: Formal Methods Model Checking.
Regular Model Checking Ahmed Bouajjani,Benget Jonsson, Marcus Nillson and Tayssir Touili Moran Ben Tulila
Real-Time Software Design Yonsei University 2 nd Semester, 2014 Sanghyun Park.
REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
A Shaft Sensorless Control for PMSM Using Direct Neural Network Adaptive Observer Authors: Guo Qingding Luo Ruifu Wang Limei IEEE IECON 22 nd International.
Computer Security and Penetration Testing
An Introduction to Programming and Algorithms. Course Objectives A basic understanding of engineering problem solving process. A basic understanding of.
1 Module Objective & Outline Module Objective: After completing this Module, you will be able to, appreciate java as a programming language, write java.
Week 1 - Friday.  What did we talk about last time?  Our first Java program.
Low-Level Detailed Design SAD (Soft Arch Design) Mid-level Detailed Design Low-Level Detailed Design Design Finalization Design Document.
BE-SECBS FISA 2003 November 13th 2003 page 1 DSR/SAMS/BASP IRSN BE SECBS – IRSN assessment Context application of IRSN methodology to the reference case.
Complexity of Algorithms
DEBUGGING. BUG A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected.
Java PathFinder (JPF) cs498dm Software Testing January 19, 2012.
Chapter 1 Introduction to Databases. 1-2 Chapter Outline   Common uses of database systems   Meaning of basic terms   Database Applications  
Interfacing NGSIM Lane Selection Algorithm with TSIS/CORSIM Li Zhang, Ph.D., P.E. Guanghua Zhang, JiZhan Gou Fatemeh Sayyady, Di Wu & Fan Ye January 20,
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
REAL-TIME SOFTWARE SYSTEMS DEVELOPMENT Instructor: Dr. Hany H. Ammar Dept. of Computer Science and Electrical Engineering, WVU.
Conformance Test Experiments for Distributed Real-Time Systems Rachel Cardell-Oliver Complex Systems Group Department of Computer Science & Software Engineering.
BEGINNING PROGRAMMING.  Literally – giving instructions to a computer so that it does what you want  Practically – using a programming language (such.
Software Engineering 4, Julian Richardson, 30 April Static Analysis Software Engineering HX3 Julian Richardson
CSCI1600: Embedded and Real Time Software Lecture 8: Modeling III: Hybrid Systems Steven Reiss, Fall 2015.
Testing OO software. State Based Testing State machine: implementation-independent specification (model) of the dynamic behaviour of the system State:
Verification & Validation By: Amir Masoud Gharehbaghi
Constraints Assisted Modeling and Validation Presented in CS294-5 (Spring 2007) Thomas Huining Feng Based on: [1]Constraints Assisted Modeling and Validation.
Concurrency Properties. Correctness In sequential programs, rerunning a program with the same input will always give the same result, so it makes sense.
Introduction to Hardware Verification ECE 598 SV Prof. Shobha Vasudevan.
Winter 2007SEG2101 Chapter 121 Chapter 12 Verification and Validation.
( = “unknown yet”) Our novel symbolic execution framework: - extends model checking to programs that have complex inputs with unbounded (very large) data.
/ PSWLAB Thread Modular Model Checking by Cormac Flanagan and Shaz Qadeer (published in Spin’03) Hong,Shin Thread Modular Model.
1 1 Nastaran Shafiei VERIFICATION OF A NON-BLOCKING ARRAY-BASED QUEUE ALGORITHM.
Onlinedeeneislam.blogspot.com1 Design and Analysis of Algorithms Slide # 1 Download From
T imed Languages for Embedded Software Ethan Jackson Advisor: Dr. Janos Szitpanovits Institute for Software Integrated Systems Vanderbilt University.
Symbolic Model Checking of Software Nishant Sinha with Edmund Clarke, Flavio Lerda, Michael Theobald Carnegie Mellon University.
RealTimeSystems Lab Jong-Koo, Lim
CS5270 Lecture 41 Timed Automata I CS 5270 Lecture 4.
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
Formally Specified Monitoring of Temporal Properties
Program Synthesis is a Game
Introduction Enosis Learning.
Introduction Enosis Learning.
CS-0401 INTERMEDIATE PROGRAMMING USING JAVA
Over-Approximating Boolean Programs with Unbounded Thread Creation
Algorithm Correctness
CSCI1600: Embedded and Real Time Software
CSCI1600: Embedded and Real Time Software
John Backes, Rockwell Collins Dan DaCosta, Rockwell Collins
Foundations and Definitions
Presentation transcript:

1 Model Checking of Robotic Control Systems Presenting: Sebastian Scherer Authors: Sebastian Scherer, Flavio Lerda, and Edmund M. Clarke

2 Outline ● Motivation – Why verification – Scope – Control software ● Method ● Case Study ● Conclusions

3 Why verify robot software? ● Failure is expensive: – Interplanetary exploration – Crash / Rollover ● Autonomy increases responsibility: – Human interaction – Large forces and momenta

4 The scope of our approach Start by verifying this part. Typical mobile robot architecture Environment Actuators Sensors PreprocessingController AccumulationPlanning Goal Software Hardware Specified

5 Control systems are implemented in software ● Main loop is only a small fraction of the control software: – Initialization – Exception handling – Conversion ● Fatal bugs can be in any line of the code. Typical mobile robot architecture Environment Actuators Sensors PreprocessingController AccumulationPlanning Goal Software Hardware Specified

6 Outline ● Motivation ● Method – Capabilities & Limitations – Method – Model Checking ● Case Study ● Conclusions import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); + Code of controller + environment(plant)

7 Capabilities of our method ● Utilizes environment (plant) of the control system. ● Simulates behaviour: – Determines stability. – Models influence of noise. – Checks performance specifications. – Computes ranges of trajectories. ● Checks programming errors: – Null pointer exceptions. – Dead lock, concurrency bugs. – Errors affecting the behavior. ● Code checked is identical to executed code.

8 Limitations of our method ● Discrete method: – Makes assertions only about a particular initial condition. – Continuous states are approximated up to a fixed point precision. – Precision often determines the length of a simulation trace and the size of the state space to explore. – Noise is approximated by a discrete set of values. ● Detailed model: – Requires model relating inputs and outputs. – Additional memory and computation time. ● Assumptions: – Time elapses only while tasks sleep. – Unbounded variables like time and distance must be abstracted manually.

9 Model check software with a physical environment import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); + Code of controller + environment(plant) import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Source code of controller Abstract controller Source code including the environment Verify actual source code

10 Method import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Actual Robot Sensors Actuators Software executed on robot Environment model ● Execute the source code. ● After all tasks sleep execute the environment. ● Equivalent states are not revisited.

11 Method import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Actual Robot Software executed on robot Environment model ● Software executes until all tasks yield.

12 Method import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Actual Robot Software executed on robot Environment model ● Software executes until all tasks yield. ● Commands are set. Sensors are read. Time elapses

13 Method import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Actual Robot Software executed on robot Environment model ● Software executes until all tasks yield. ● Commands are set. Sensors are read. Time elapses ● Software executes with new sensor values.

14 Method import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); Actual Robot Software executed on robot Environment model ● Software executes until all tasks yield. ● Commands are set. Sensors are read. Time elapses. ● Software executes with new sensor values. ● Commands are set. Sensors are read. Time elapses with new commands.

15 Model checking ● Model consists of states and transitions. ● Java byte code specifies a model. ● Verify a model against a specification given as logic properties. ● The algorithm visits all states of the model to verify that none of the specified properties are violated. ● If the same state is reached twice backtrack. import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = Gate.getInstance(); SpeedOMeter encoder = SpeedOMeter.getInstance(); LightArray lightsensor = LightArray.getInstance(); TLC2543 tlc = TLC2543.getInstance(); * if(Environment.isMC) { lightsensor.initDefault(); SpeedControl speedcontrol = SpeedControl.getInstance(); SteeringControl steeringcontrol = SteeringControl.getInstance(); Environment env = Environment.getInstance(); States Transitions

16 Java PathFinder ● All states are explored to find a violation of the properties. ● Executing the byte code generates successors. ● If no new successors are generated the search backtracks. ● Environment byte code is executed on host JVM. No intermediate states are generated from it. ● Environment stores only necessary state variables. Robot source code Host JVM running Java PathFinder Java Virtual Machine of Model Checker Environment

17 Outline ● Motivation ● Method ● Case Study – Architecture – Verification – Model – Results ● Conclusions

18 Overview Robot has to follow a line and maintain a constant speed. Native Java microcontroller executes the code. Check source code without change.

19 Architecture ● Actuators – Steering – Motors ● Sensors – Light sensors – Encoder

20 Software ● 3 tasks running with a fixed frequency of 33Hz. ● Task 1: Reads sensor values. ● Task 2: Controls the steering. ● Task 3: Controls the velocity. ● A fixed rate scheduler determines the execution order and duration. Task 1Task 2 Task 3

21 Verification ● Need model of the environment. ● Need definition of states. ● Verify robot starting from initial condition offset from center of line and on a straight line.

22 Environment model ● Two models necessary ● Model relate commands to sensor information ● Sensed position over line depends on – Steering command – Velocity command ● Sensed encoder velocity depends on the velocity command. Sensed position model Sensed velocity model Input: Velocity command Output: Encoder velocity Inputs: Velocity command Steering command Output: Encoder velocity

23 Determining the model One way to obtain a model of the environment is system identification. Performed experiments and obtained a second- order model for velocity and a fourth-order model for steering Quality of sensor gave a better fit for the velocity

24 States ● Continuous state: – 6 state variables – 2 inputs ● States are discretized up to a fixed precision to terminate on stability and disambiguate quasi-equal states. ● Monotonic variables such as time or distance are (manually) abstracted. ● DESCRIBE PICTURE import gov.nasa.jpf.jvm.Verify; import com.ajile.jem.PeriodicThread; import com.ajile.jem.PianoRoll; import com.ajile.drivers.gptc.*; import intermediate.*; import drivers.*; import controller.*; import model.*; public class Mobot { static final int PR_DURATION_MSEC = 80; static final int PR_BEAT_MSEC = 1; static PianoRoll Piano_Roll = new PianoRoll (PR_DURATION_MSEC, PR_BEAT_MSEC); public static void main(String[] args) { DecsionPoints.runSys=true; //Initialize threads PWM2 pwm = PWM2.getInstance(); Gate gate = + State space model Discrete StateContinuous State

25 Non-Determinism ● Possible to explore non- determinism in the software and environment. ● Model checking explores a wider spread of trajectories. ● Non-determinism is discrete. Differential equations are deterministic. Blue region is the spread of trajectories covered by the model checker. Red trajectory shows an actual trace of the robot.

26 Results ● Added different kinds of non-determinism to model. – Encoder reading off by - 10, 0, +10 ticks – Failure of one sensor in the array of light sensors – Commanded steering and velocity pulsewidth is not accurate. Ground Wh eel Slip

27 Results ● We verified a set of properties of the control software. ● No programming errors (e.g. Null pointer exceptions) were found.

28 Outline ● Motivation ● Method ● Case Study ● Conclusions

29 Conclusion ● Model checker covers a sufficient range of trajectories to simulate all inputs to program. ● Seeded type conversion bug was found. ● Verifies software for robot controllers directly. ● Discretization, abstraction and extraction of continuous states enable efficient verification. ● Exhaustive exploration of non-determinism such as random sensor failure. ● Aids the control system designer by direct verification of all reachable states of the model.

30 Future work ● Prove correctness of model checking algorithm ● Extend notion of discretization of state space to be an over-approximation. ● Provide integrated support for modeling the environment ● Integrate with higher level software interfaces ● Check complex systems ● Extend to languages other than Java

31 Questions? Comments? Contact Information: Sebastian Scherer

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.