Presentation is loading. Please wait.

Presentation is loading. Please wait.

Synthesis from scenarios and requirements

Published byKerry Flowers Modified over 6 years ago

Similar presentations

Presentation on theme: "Synthesis from scenarios and requirements"β€” Presentation transcript:

1 Synthesis from scenarios and requirements
Joint work with R. Alur, M. Martin, M. Raghothaman, A. Udupa (UPenn), and C. Stergiou (Berkeley & Upenn) Part of NSF Expeditions Project ExCAPE (co-PI) Tripakis

2 Synthesis – raising the level of abstraction in system design
Verification: Design system β€œby hand”: 𝑆 State system requirements: πœ™ Check if system meets requirements: π‘†βŠ¨πœ™ ? Synthesis: Generate automatically (synthesize) system 𝑆 that satisfies πœ™ by construction. Tripakis

3 Limitations of synthesis
Methodologically difficult Not always easy to write complete formal specs (e.g., imagine complete formal spec for Intel Pentium) Algorithmically expensive => does not scale E.g., doubly exponential algorithms in the length of the formal spec (temporal logic formulas) Generally undecidable for distributed controllers Tripakis

4 ABP: reliable transmission over an unreliable channel
Sending client Receiving client deliver done msg O,1 O,1 Forward channel ABP sender ABP receiver O,1 O,1 Backward channel Channels are lossy but FIFO.

5 Challenge problem: synthesize the ABP automatically!
Sending client Receiving client deliver done msg O,1 O,1 Forward channel ? ? O,1 O,1 Backward channel

6 Can be formalized as a decentralized controller synthesis problem
Plant Controller 1 Controller 2 (locally) observable events controllable Unfortunately problem is undecidable …

7 Our work: Synthesis from Scenarios and Requirements
Idea: combine requirements + example scenarios Synthesis tool example scenarios formal requirements (safety, liveness, deadlock-freedom, …) synthesized protocol (state machines) These are typically not complete specs! Tripakis

8 Synthesis using Scenarios
Learn (generalize) behavior from examples Often only a few scenarios required (1-10) Synthesis becomes an automata completion problem Scenario 1 (nominal) Scenario 2 (msg loss) Scenario 3 (ack loss) Scenario 4 (delay)

9 From Scenarios to Incomplete Automata
Process S0: empty message history S1: a! S0 initial S2: a! b? a! a! b? S1 S0 S1 S2 b? S0 = S2 a! initial S1 S2 initial b?

10 Automata Completion Incomplete automata using first scenario:
ABP Receiver ABP Sender Completed automata after adding missing inputs:

11 Synthesis from Scenarios and Requirements: Results
Able to synthesize the Alternating Bit Protocol (ABP) and other simple finite-state protocols (cache coherence, consensus, …) fully automatically [HVC 2014]. Progress towards industrial-level protocols modeled as extended state machines [CAV 2015]: synthesis of symbolic expressions. Tripakis

12 Counterexample-guided
Synthesis from Scenarios and Requirements: completion of (extended) state machines At the heard of the synthesis method: completion of incomplete machines: find missing transitions, guards, assignments, etc. Counterexample-guided synthesis Tripakis

13 Back-up slides Tripakis

14 Synthesis from LTL Tripakis

15 Synthesis – state of the art
Able to automatically synthesize controller for an avionic electric power generation and distribution system (EPS) Formal spec: LTL (linear temporal logic) Using Tulip synthesis tool (Caltech) Input: ~40 lines of LTL Output: ~3k lines of Matlab Synthesis time < 1 min EPS Case study by: Pierluigi Nuzzo & Antonio Iannopollo (UC Berkeley), and Eelco Scholte (UTC)

16 Case study β€œManual” controller design vs.
Controller automatically synthesized from formal specification Tripakis

17 Case study: controller design for an avionic electric power generation and distribution system (EPS)
Case study by: Pierluigi Nuzzo & Antonio Iannopollo (UC Berkeley), and Eelco Scholte (UTC)

18 EPS requirements (in English)
Assumptions: Guarantees:

19 EPS requirements (in English)

20 β€œManual” controller design
β€œHand-written” controller: ~2 PhD student weeks Complex, not obvious that it works β‡’ Still needs to be verified

21 [](gl_healthy | gr_healthy | al_healthy | ar_healthy)
Formal specification From English to a formal specification language Linear temporal logic (LTL) Close mapping from English to LTL: [](gl_healthy | gr_healthy | al_healthy | ar_healthy)

22 Formal specification for EPS
~40 lines of LTL #Assumptions (gl_healthy & gr_healthy & al_healthy & ar_healthy) [](gl_healthy | gr_healthy | al_healthy | ar_healthy) [](!gl_healthy -> X(!gl_healthy) ) [](!gr_healthy -> X(!gr_healthy) ) [](!al_healthy -> X(!al_healthy) ) [](!ar_healthy -> X(!ar_healthy) ) #Guarantees (!c1 & !c2 & !c3 & !c4 & !c5 & !c6 & !c7 & !c8 & !c9 & !c10 & !c11 & !c12 & !c13) [](X(c7) & X(c8) & X(c11) & X(c12) & X(c13)) [](!(c2 & c3)) [](!(c1 & c5 & (al_healthy | ar_healthy))) [](!(c4 & c6 & (al_healthy | ar_healthy))) []((X(gl_healthy) & X(gr_healthy) ) -> X(!c2) & X(!c3) & X(!c9) & X(!c10)) []((X(!gl_healthy) & X(!gr_healthy) ) -> X(c9) & X(c10)) [](X(!gl_healthy)-> X(!c1) ) [](X(!gr_healthy)-> X(!c4) ) [](X(!al_healthy)-> X(!c2) ) [](X(!ar_healthy)-> X(!c3) ) [](X(gl_healthy) -> X(c1) ) [](X(gr_healthy) -> X(c4) ) … #Guarantees … [](!gl_healthy -> X(c5)) [](!gr_healthy -> X(c6)) []((X(gl_healthy) & X(gr_healthy) ) -> (X(!c5) & X(!c6) )) []((X(!gl_healthy) & X(al_healthy) & X(gr_healthy) ) -> ( X(c2) & X(c3)) ) []((X(!gl_healthy) & X(!gr_healthy) & X(al_healthy) & !c3 & !c2) -> X(c2) ) []((X(al_healthy) & c2) -> X(c2) ) []((X(ar_healthy) & c3) -> X(c3) ) []((X(!gl_healthy) & X(!al_healthy) & X(ar_healthy) & !c2) -> X(c3) ) []((X(!gr_healthy) & X(!ar_healthy) & X(al_healthy) & !c3) -> X(c2) ) []((!gl_healthy & !al_healthy & !ar_healthy) -> X(c6) ) []((!gr_healthy & !ar_healthy & !al_healthy) -> X(c5) )

23 Automatic controller synthesis from LTL spec
Controller (~3k lines of Matlab code) automatically synthesized in <1 min using the tool Tulip (Caltech)

Download ppt "Synthesis from scenarios and requirements"

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.

The Quest for Correctness Joseph Sifakis VERIMAG Laboratory 2nd Sogeti Testing Academy April 29th 2009.
Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:

Synthesis of Protocol Converter Using Timed Petri-Nets Anh Dang Balaji Krishnamoorthy Manoj Iyer Presented by:
Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.

Copyright 2000 Cadence Design Systems. Permission is granted to reproduce without modification. Introduction An overview of formal methods for hardware.
Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur Ο• verification system.

Tintu David Joy. Agenda Motivation Better Verification Through Symmetry-basic idea Structural Symmetry and Multiprocessor Systems Mur Ο• verification system.
Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.

Auto-Generation of Test Cases for Infinite States Reactive Systems Based on Symbolic Execution and Formula Rewriting Donghuo Chen School of Computer Science.
Catching Bugs in Software Rajeev Alur Systems Design Research Lab University of Pennsylvania www.cis.upenn.edu/~alur/

Catching Bugs in Software Rajeev Alur Systems Design Research Lab University of Pennsylvania
Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.

Knowledge Based Synthesis of Control for Distributed Systems Doron Peled.
Introducing Formal Methods, Module 1, Version 1.1, Oct., 1998 1 Formal Specification and Analytical Verification L 5.

Introducing Formal Methods, Module 1, Version 1.1, Oct., Formal Specification and Analytical Verification L 5.
Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:

Automatic Verification Book: Chapter 6. What is verification? Traditionally, verification means proof of correctness automatic: model checking deductive:
PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,

PROTOCOL VERIFICATION & PROTOCOL VALIDATION. Protocol Verification Communication Protocols should be checked for correctness, robustness and performance,
Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.

Transaction Based Modeling and Verification of Hardware Protocols Xiaofang Chen, Steven M. German and Ganesh Gopalakrishnan Supported in part by Intel.
Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.

Model Checking : Making Automatic Formal Verification Scale Shaz Qadeer EECS Department University of California at Berkeley.
Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.

Nir Piterman Department of Computer Science TexPoint fonts used in EMF. Read the TexPoint manual before you delete this box.: AAAAA Bypassing Complexity.
CIS 540 Principles of Embedded Computation Spring 2015 Instructor: Rajeev Alur

CIS 540 Principles of Embedded Computation Spring Instructor: Rajeev Alur
Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.

Run Time Monitoring of Reactive System Models Mikhail Auguston Naval Postgraduate School Mark Trakhtenbrot Holon Academic Institute of.
Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (www.dcs.warwick.ac.uk/~doron/notes.html)

Software Reliability CIS 640 Adapted from the lecture notes by Doron Pelel (
1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.

1 Formal Methods in SE Qaisar Javaid Assistant Professor Lecture 05.
Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:

Software Model Checking for Embedded Systems PIs: Matthew Dwyer 1, John Hatcliff 1, and George Avrunin 2 Post-docs: Steven Seigel 2, Radu Iosif 1 Students:
An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

An Automata-based Approach to Testing Properties in Event Traces H. Hallal, S. Boroday, A. Ulrich, A. Petrenko Sophia Antipolis, France, May 2003.

Similar presentations

Ads by Google