Synthesizing Robust Systems

Transcription

1 Synthesizing Robust Systems Roderick Bloem and Karin Greimel (TU-Graz) Thomas Henzinger (EPFL and IST-Austria) Barbara Jobstmann (CNRS/Verimag) FMCAD 2009 in Austin, Texas Barbara Jobstmann 1

2 Motivation When designing systems: environment might not be known, or cannot be precisely modeled, e.g., physical environment behaves differently from expected program in libraries, might be used in other than the intended way transmission and other errors environment model necessary Barbara Jobstmann 2

3 Motivation A system should not only be correct, it should also behave reasonably, even in circumstances that were not anticipated in the requirements specification[... ] [ Fundamentals of software engineering by GJM] In short, it should also be robust. Barbara Jobstmann 3

4 Simple Example Resource controller for two clients Clients send requests using signals, Controller grant resource using signals, Client 1 Client 2 Controller Barbara Jobstmann 4

5 Specification Assumption A on clients never( ) Guarantee G of controller always( next( )) always( next( )) never( ) Specification A G Barbara Jobstmann 5

6 Two Correct Controllers Specification: A G M1 M2 Input trace:( )( ) ω Output trace:( )( ) ω ( )( ) ω ( )( ) ω Barbara Jobstmann 6

7 Two Correct Controllers Does not recover from an error! Does not recover from an error! Does recover from an error! Does recover from an error! M1 M2 Input trace:( )( ) ω Output trace:( )( ) ω ( )( ) ω ( )( ) ω Barbara Jobstmann 7

8 Definition Outline Error specifications Robustness (our proposal) Verify Robustness Synthesize Robust Systems Conclusion Barbara Jobstmann 8

9 Setting Reactive finite-state system M (signals I/O) Alphabet Σ= 2 I O (evaluations of I O) Behavior of M is a sequence σ Σ ω Set of all behavior: L(M) Specification ϕ = A G A is assumption on environment G is guarantee of system A and G are safety specifications over Σ σ satisfies or does not satisfy ϕ Barbara Jobstmann 9

10 Error Specification (1) Error function d: Σ ω Σ * N { } maps all behaviors/prefixes to number or Idea: count errors (violations of specification), higher value means more errors Quantitative specification M2 M1 M2 M1 good bad good bad Barbara Jobstmann 10

11 Error Specification (2) Error function d: Σ ω Σ * N { } Det. Automaton A with weight function w mapping edges to weights d(σ) = sum of weights of run over σ Error specification is pair (d e,d s ) d e error function for environment d s error function for systems q 0 (1) q 1 Barbara Jobstmann 11

12 From Spec to Error Function In general, a design choice We show: one way of going from spec to error function Safety Spec Automaton Automaton + weight fct Error Function ϕ Σ ω safe Trap ? d: Σ */ω N Barbara Jobstmann 12

13 From Spec to Error Function Recall, example: always( next( ))... q 0 (1) g1 (1) q 1 q 2 Safe region={q 0,q 1 } Good properties of this error function: - If behavior σ is error-free, then d(σ)=0 - If behavior σ has errors d(σ)>0 Bad properties: - Does not distinguish between single and multiple errors (it s a trap) Barbara Jobstmann 13

14 Example What to do with traps? (a) Reset go to initial states (restart property) (b) Skip self loop (ignore input) (c) Follow closest correct letter in alphabet q 0 g1 (1) q 1 q 2 (1) A: never( ) G 1 :always( next( )) G 2 :always( next( )) G 3 :never( ) Barbara Jobstmann 14 q 0 (1) d e =#( ) d s1 =#( next( )) d s2 =#( next( )) d s3 =#( ) q 1 d s =d s1 +d s2 +d s3

15 Robustness System M is robust wrt error spec (d e,d s ) if forallσ L(M): d e (σ) implies d s (σ) System M is k-robust wrt (d e,d s ) if exists c N s.t. forallσ prefix(l(m)) d s (σ) k d e (σ) + c k-robustness classifies robust systems wrt infinite behavior Barbara Jobstmann 15

16 Verifying Robustness (1) Given system M and automata A e and A s for d e and d s, resp., check if M is robust Compute product M A e A s with two weight functions w s and w e Then, M is robust if forallσ L(M A e A s ) sum of w e over σ implies sum of w s. Equivalently, if infinitely often w s > 0, then infinitely often w e >0 (Streett) Barbara Jobstmann 16

17 Verifying Robustness (2) Two sets E s, E e of edges: one with w s >0 and on with w e >0 Streett cond. with pair (E s,e e ), linear in #edges (0,1) (2,1) (1,0) M A e A s q 0 (0,0) q 1 Barbara Jobstmann 17

18 Example M A e A s (s,e) d e =#( ) (0,1) d s1 =#( next( )) (1,0) d s2 =#( next( )) (1,0) d s3 =#( ) (1,0) infinitely often w s > 0 but only finitely often w e >0 (0,0) (0,0) (0,0) (0,0) (2,1) (2,1) (0,0) (1,0) (1,0) (2,1) Non-robust Barbara Jobstmann 18

19 Verifying K-Robustness (1) Recall, exists c N, forallσ prefix(l(m)) d s (σ) k d e (σ) + c 0-Robust = finitely many errors d s (σ) c k-robust = average ratio between #system errors and #environment errors is k #s-#e c #s/#e k Barbara Jobstmann 19

20 Verifying K-Robustness (2) Given robust system M, automata A e and A s, check if M is k-robust. Compute product M A e A s with two weight functions w s and w e M is k-robust if forall runs q 0 q 1 q 2 lim m liminf l sum i=m..l (w s (q i,q i+1 )) 1+sum i=m..l (w e (q i,q i+1 )) k True if maximum simple cycle ratio k, computable in O(#states 2 #edges) Barbara Jobstmann 20

21 Example M A e A s (0,0) (1,1) (0,0) (1,1) (0,0) maximum simple cycle ratio=1 (0,0) 1-robust Barbara Jobstmann 21

22 Synthesizing Systems Spec d e : Automaton + weight fct w e Spec d s : Automaton + weight fct w s Automaton + two weight functions w e and w s Streett game Synthesis game + two weight fcts Ratio game Strategy Strategy Robust System k-robust System Barbara Jobstmann 22

23 Synthesis Game: Example (w 1 ) s 0 (w 1 ) (w 2 ) s 0 s 1 (w 1 ) (w 2 ) (w 2 ) g1 s 1 s 2 Two players Alternately, pick signal assignments Add weights accordingly Winning objective? Barbara Jobstmann 23

24 Synthesizing Systems Spec d e : Automaton + weight fct w e Spec d s : Automaton + weight fct w s Automaton + two weight functions w e and w s Streett game Synthesis game + two weight fcts Ratio game Strategy Strategy Robust System k-robust System Barbara Jobstmann 24

25 Synthesizing Robust Systems Play is winning: if infinitely many edges with w s >0, then infinitely many edges with w e >0 Two sets E s, E e of edges: one with w s >0 and on with w e >0 Winning objective: Streett with 1-pair (E s,e e ) (0,0) (0,1) (0,0) (1,0) (1,2) (0,0) Barbara Jobstmann 25

26 Synthesizing Systems Spec d e : Automaton + weight fct w e Spec d s : Automaton + weight fct w s Automaton + two weight functions w e and w s Streett game Synthesis game + two weight fcts Ratio game Strategy Strategy Robust System k-robust System Barbara Jobstmann 26

27 Ratio Game A novel game type Formally, value of a play ρ=q 0 q 1 q 2 is v(ρ) = lim m liminf l sum i=m..l (w s (q i,q i+1 )) 1+sum i=m..l (w e (q i,q i+1 )) Objective of Player System: minimize v(ρ) In paper, we show that in ratio games both players have memoryless winning strategies and reduction to mean-payoff game (decision) Barbara Jobstmann 27

28 Conclusion A notion of robustness based on error functions Algorithms to verify robustness and k-robustness synthesize robust systems with minimal k (based on our ratio games) Barbara Jobstmann 28