Presentation is loading. Please wait.

Presentation is loading. Please wait.

Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie.

Published byChad Norman Modified over 9 years ago

Similar presentations

Presentation on theme: "Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie."— Presentation transcript:

1 Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie Mellon University

2 CEGAR ( CounterExample Guided Abstraction Refinement) concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction

3 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction complete detailed model

4 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction reduced, conservative model

5 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction specification model check the abstraction (faster than for the concrete system)

6 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction no counterexample  specification satisfied for the concrete system

7 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction counterexample for the abstraction corresponds to a state-transition path in the concrete system

8 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction Can the constraints along the counterexample path be satisfied in the concrete system?

9 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction feasible constraints  there exists a feasible counterexample for the concrete system

10 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction create a new abstraction (refinement) that eliminates the spurious counterexample

11 CEGAR concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction Success: CEGAR iterations often terminate much more quickly than model checking the concrete system.

12 CEGAR for Discrete Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction state transition system with Boolean variables

13 CEGAR for Discrete Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction eliminate some variables

14 CEGAR for Discrete Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction decision procedures/SAT solvers

15 CEGAR for Discrete Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction add variables in the unsatisfiable core

16 CEGAR for Discrete Systems Leverages –Power of model checking on simpler models –Power of decision procedures / SAT solvers to validate counterexamples Empirically a very powerful approach Many success stories –SLAM : Verifying Device Drivers at Microsoft Actually ships as a commercial product Static Driver Verifier (SDV) –Many software model checkers developed MAGIC, BLAST, CBMC

17 CEGAR for Hybrid Systems (our previous work) concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction hybrid automaton

18 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction start with location transition graph

19 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction forbidden locations reachability specifications

20 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction HS reachability: apply increasingly precise approximations forbidden locations

21 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction compute reachable sets along the counterexample path

22 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction identify point where the reachable set becomes empty

23 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction introduce new locations (“splitting”) to eliminate the infeasible path

24 CEGAR for Hybrid Systems concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction Limitations: slow convergence: refinement eliminates one path at a time HS reachability limited to low dimensional systems

25 Iterative Relaxation Abstraction (IRA) for Linear Hybrid Automata (LHA) concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction

26 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction LHA (with several continuous variables)

27 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction relaxation abstraction: fewer continuous variables

28 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction start with the location graph (zero continuous variables)

29 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction LHA reachability forbidden locations

30 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction check feasibility of linear constraints using LP

31 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction use variables from an irreducible infeasible subset (IIS) of constraints

32 IRA for LHA concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction new relaxation abstraction each time: NOT a refinement

33 IRA for LHA – Leverages: Power of LHA reachability on low-order LHA models Power of LP to validate counterexamples involving huge number of continuous variables. Ability of a LP solver to identify an irreducible infeasible subset for an infeasible LP Inspired by CEGAR for discrete systems, but variables are not added to refine abstractions

34 Relaxation Abstractions LHA –discrete transition structure (locations/transitions) –linear constraints for invariants, guards, jumps Given a subset of continuous variables V Replace linear constraints with relaxed constraints involving only variables in V –x 20 /\ y 20 Not unique – various relaxations –Drop constraints involving variables not in V (localization) –Quantifier Elimination (Fourier-Motzkin)

35 Counterexamples (CEs) Paths in the discrete structure (sequence of locations and transitions) Key observations [Xuandong Li, Sumit Jha, Lei Bu BMC’06] : –Feasible runs along a path are defined by linear constraints –CE exists in the concrete LHA if and only if the corresponding linear constraints are feasible

36 Irreducible Infeasible Subset (IIS) Given a set of infeasible linear constraints (corresponding to a spurious CE). IIS: a subset of constraints such that –the constraints are infeasible –removing one constraint makes them feasible Use variables in the IISnextUse variables in the IIS for the next relaxation abstraction

37 The Language of Counterexamples LHA reachability gives a discrete CE automaton A for the current relaxed LHA only if –A string s = {s 0,s 1 ……,s n } is in the language of the discrete CE automaton A only if the reachability analysis engine says that s n may be reachable from s 0 using the path s 0  s 1 …  …  s n. Intersect with the previous CE automaton remove CE s refuted earlier –to remove CE s refuted earlier by other abstractions –also, remove previous CE in case reachability was too conservative only the most recent set of IIS variables.Key Idea: Generate relaxation abstractions with only the most recent set of IIS variables.

38 IRA for LHA selecting counterexamples concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction

39 IRA for LHA selecting counterexamples concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample specification not satisfied abstraction CE automaton cumulative CE automaton update CE automaton select counterexample infeasible constraints

40 IRA for LHA selecting counterexamples concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample specification not satisfied abstraction CE automaton cumulative CE automaton update CE automaton select counterexample infeasible constraints guarantees: only previously discovered CEs are explored no CE is used twice

41 IRA for LHA constructing new relaxation abstractions concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction

42 IRA for LHA constructing new relaxation abstractions concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction identify variables in an IIS continuous variables

43 IRA for LHA constructing new relaxation abstractions concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction identify variables in an IIS continuous variables guarantees relaxation abstraction has a minimal set of variables to eliminate the previous CE

44 IRA for LHA implementation concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction LHA reachability: PHAVer

45 IRA for LHA implementation concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction CE Automata : AT&T FSM Library

46 IRA for LHA implementation concrete system construct initial abstraction abstraction model checking counterexample specification satisfied validate counterexample infeasible constraints specification not satisfied construct new abstraction LP & IIS Analysis : CPLEX LP & IIS Analysis : CPLEX

47 IRA vs. PHAVer for an Adaptive Cruise Control Example ( time in sec ) No. of VariablesPHAVer IRA – Localization IRA Fourier-Motzkin 60.261.3461.05 80.965.11170.11 108.2117.76402.15 12147.1150.04933.47 147007.51123.731521.95 1570090.06181.742503.59 16 did not complete 267.463519.51

48 IRA vs. PHAVer for an Adaptive Cruise Control Example ( time in sec ) No. of Variables PHAVer IRA – Localization IRA Fourier-Motzkin 60.261.3461.05 80.965.11170.11 108.2117.76402.15 12147.1150.04933.47 147007.51123.731521.95 1570090.06181.742503.59 16 did not complete 267.463519.51 IRA becomes faster for  12 variables

49 IRA vs. PHAVer for an Adaptive Cruise Control Example ( time in sec ) No. of Variables PHAVer IRA – Localization IRA Fourier-Motzkin 60.261.3461.05 80.965.11170.11 108.2117.76402.15 12147.1150.04933.47 147007.51123.731521.95 1570090.06181.742503.59 16 did not complete 267.463519.51 IRA-FM becomes faster for  14 variables

50 IRA vs. PHAVer for an Adaptive Cruise Control Example ( time in sec ) No. of Variables PHAVer IRA – Localization IRA Fourier-Motzkin 60.261.3461.05 80.965.11170.11 108.2117.76402.15 12147.1150.04933.47 147007.51123.731521.95 1570090.06181.742503.59 16 did not complete 267.463519.51 15 Vars: 19.5 hr. (PHAVer) vs. 3 min. (IRA-LOC)

51 IRA vs. PHAVer for an Adaptive Cruise Control Example ( time in sec ) No. of Variables PHAVer IRA – Localization IRA Fourier-Motzkin 60.261.3461.05 80.965.11170.11 108.2117.76402.15 12147.1150.04933.47 147007.51123.731521.95 1570090.06181.742503.59 16 did not complete 267.463519.51 PHAVer fails to converge for 16 variables

52 IRA-Loc vs. IRA-FM IRA-FM IRA-Loc

53 Switched Buffer Network 1 2 7 3 4 56 11 8 910 1 Buffer Size: 100 Valve Operation Closed Mode: 0 Open Mode: 10 Controller Hybrid automaton controlling the valves in the channels Buffers connected by pipes with valves. Valves have several modes Controller observes buffers and to switch valve modes Specification: No buffer overflow 1 Frehse & Maler, HSCC ‘07

54 Switched Buffer Network Implemented a simple controller with three locations and 11 continuous variables Design: sequence of actual counterexamples from IRA used to “tune” the control parameters One case led to a 101 location CE in 3 iterations of the abstraction refinement loop Final design (verified): PHAVer took over 12 minutes IRA took 23.7 seconds

55 Nuclear Power Plant Control 2 Temperature control –rods immersed to cool the reactor, withdrawn to allow reaction –rods controlled temperature measurements and local timers. –each rod can stay inside only for a certain max time limit Temperature should not rise beyond a critical threshold. Model –3 control rods –11 continuous variables 2 Variation of the problem studied by Kapur and Shyamasundar (HART’97), R Alur et al (TCS’95), P. H. Ho 95 PhD thesis and others.

56 Nuclear Power Plant Control Iterative Design Procedure –First attempt: simple counterexample of 3 locations abstraction 3 continuous variables all of variables related to control rod 1 clear that the rod was being inserted too late changed the cutoff temperature –Similar CEs for control rods 2 and 3 Final Design –PHAVer verification: 16 hours –IRA verification: 6 iterations, 30.04 seconds

57 Current Work Further empirical studies Use of IRA for interactive design (actually using the counterexamples!) Distributed computation (we have found most of the time is spent in FM quantifier elimination) Extensions to more general hybrid systems (outer refinement loops)

Download ppt "Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie."

Similar presentations

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.

The behavior of SAT solvers in model checking applications K. L. McMillan Cadence Berkeley Labs.
Demand-driven inference of loop invariants in a theorem prover

Demand-driven inference of loop invariants in a theorem prover
Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.

Abstraction in Model Checking Nishant Sinha. Model Checking Given a: –Finite transition system M –A temporal property p The model checking problem: –Does.
Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.

Introduction to Formal Methods for SW and HW Development 09: SAT Based Abstraction/Refinement in Model-Checking Roberto Sebastiani Based on work and slides.
SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)

SAT Based Abstraction/Refinement in Model-Checking Based on work by E. Clarke, A. Gupta, J. Kukula, O. Strichman (CAV’02)
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.

50.530: Software Engineering Sun Jun SUTD. Week 10: Invariant Generation.
© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.

© Anvesh Komuravelli Spacer Automatic Abstraction in SMT-Based Unbounded Software Model Checking Anvesh Komuravelli Carnegie Mellon University Joint work.
Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.

Hybrid System Verification Synchronous Workshop 2003 A New Verification Algorithm for Planar Differential Inclusions Gordon Pace University of Malta December.
Timed Automata.

Timed Automata.
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 13.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 13.
Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.

Verification of Hybrid Systems An Assessment of Current Techniques Holly Bowen.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
Multiple Shooting, CEGAR-based Falsification for Hybrid Systems

Multiple Shooting, CEGAR-based Falsification for Hybrid Systems
Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.

Symmetry-Aware Predicate Abstraction for Shared-Variable Concurrent Programs Alastair Donaldson, Alexander Kaiser, Daniel Kroening, and Thomas Wahl Computer.
Linzhang Wang Joint work with Lei Bu, You Li and Xuandong Li Department of Computer Science and Technology, National Key Laboratory for Novel Software.

Linzhang Wang Joint work with Lei Bu, You Li and Xuandong Li Department of Computer Science and Technology, National Key Laboratory for Novel Software.
SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:

SAT and Model Checking. Bounded Model Checking (BMC) A.I. Planning problems: can we reach a desired state in k steps? Verification of safety properties:
Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.

Tuning SAT-checkers for Bounded Model-Checking A bounded guided tour Ofer Strichman Carnegie Mellon University.
The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.

The Software Model Checker BLAST by Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala and Rupak Majumdar Presented by Yunho Kim Provable Software Lab, KAIST.
Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Probabilistic CEGAR* Björn Wachter Joint work with Holger Hermanns, Lijun Zhang TexPoint fonts used in EMF. Read the TexPoint manual before you delete.

Similar presentations

Ads by Google