Verifying Safety Properties of Hybrid Systems.

Transcription

1 Verifying Safety Properties of Hybrid Systems. Sriram Sankaranarayanan University of Colorado, Boulder, CO. October 22, 2010.

2 Talk Outline 1. Formal Verification 2. Hybrid Systems 3. Invariant Synthesis 4. Algebraic Invariants 5. Results

3 Proving Programs Correct Example: Compute n, for n 0. int computesqrt ( int n n 0 1: int i, j = (0, 0); 2: while ( j n ) { 3: i := i + 1; 4: j := j + 2 i 1; 5: i 2 n (i 1) 2 n Verification Problem: Is this program correct?

4 What is Verification?

5 Finding an Error Discover input n that violates property. [ i 2 < n (i 1) 2 > n ] Error States { Erroneous Computation Initial States [ i = j = 0, n 0 ]

6 Proving Safety Start inside invariant set remain in invariant set. [ i 2 < n (i 1) 2 > n ] Error States Invariant Set Initial States [ i = j = 0, n 0 ]

7 The Program Verifier Program Error! Verifier Property Safe!

8 Undecidability Theorem There is no program P, that takes a program Q and a non-trivial property ϕ as inputs, and decides if every run of P satisfies ϕ. Cf. Turing, Alan. M. (1936). On Computable Numbers, with an Application to the Entscheidungsproblem. Proceedings of the London Mathematical Society. 2 42:

9 Verification Techniques Nearly 40+ years of research on program verification. Model Checking: Best effort search for a counter example. Static Analysis: Best effort search for a property proof. Semi-Formal Methods: Ad-hoc approaches inspired by above.

10 Verification: Achievements Model Checking: Popular in hardware verification. Arithmetic-Logic Unit Verification (Intel, AMD). Cache Coherence Protocols. Symbolic techniques (BDDs, SAT solvers): states.

11 Verification: Achievements Model Checking: Popular in hardware verification. Arithmetic-Logic Unit Verification (Intel, AMD). Cache Coherence Protocols. Symbolic techniques (BDDs, SAT solvers): states. Static Analysis: Proving correctness of programs. Astreé project: Runtime error freedom in Airbus A380 command & control systems. Commercial products: Absint: Timing verification in real-time systems. Polyspace: Verification of control systems (Mathworks).

12 Verification: Achievements Model Checking: Popular in hardware verification. Arithmetic-Logic Unit Verification (Intel, AMD). Cache Coherence Protocols. Symbolic techniques (BDDs, SAT solvers): states. Static Analysis: Proving correctness of programs. Astreé project: Runtime error freedom in Airbus A380 command & control systems. Commercial products: Absint: Timing verification in real-time systems. Polyspace: Verification of control systems (Mathworks). Semi-Formal Tools: Finding bugs in programs. CoVerity: Gaining wide usage in software industry. Varvel (NEC), Slam (Microsoft), Findbugs (Google),...

13 Proving Programs Correct Example: Compute n, for n 0. int computesqrt ( int n n 0 1: int i, j = (0, 0); 2: while ( j n ) { 3: i := i + 1; 4: j := j + 2 i 1; 5: i 2 n (i 1) 2 n Verification Problem: Is this program correct? Yes: Automatically synthesized invariant. j = i 2, n 0, j n + 1, j n 2i 1.

14 Challenge: Verify Hybrid Systems.

15 Dynamical Systems Discrete dynamical systems: defined by maps. x(n + 1) = F (n, x(n)). x 4 while(x 2 + y 2 3) x := x + y 1 2 y := y x 1 2 x 1 x 2 x 3

16 Dynamical Systems Continuous dynamical systems: defined by flows. d x dt = F (t, x). x(t) x(0) dx 1 dt = x 1 sin ψ x 2 cos ψ dx 2 dt = x 2 1 x 1x 2 sin(2ψ) dx 3 dt = cosψ dψ dt = 0

17 Hybrid Trajectories 1. Flows + Discrete jumps. 2. Multi-Modal: Dynamics depend on the mode. x(0) Switching Region Discrete Jump Continuous Flow

18 Example # 1: Bouncing Ball if(y = 0 v y < 0) do :v y := 1 2 v y dx dt = v x dy dt = v y dv x dt = 0 dv y dt = 9.8

19 Example # 2: Conflict Resolution Maneuvers Conflict resolution protocol. [Tomlin et al. 98] Aircraft 2 Aircraft 1

20 Collision Avoidance Model Hybrid automaton for each aircraft: p (x1 x 2 ) 2 + (y 1 y 2 ) 2 ) D cruise x 1 = v 1 y 1 = v 2 v 1 = 0 v 2 = 0 back on orig. heading roundabout x 1 = v x1 y 1 = v y1 v 1 = v x2 cos ω v 2 = v y2 sin ω ω = 0

21 Software Enabled Control Physical Subsystem S A S A S A S A S: Sense, A: Actuate Time Software Controller

22 Hybrid Automaton [Alur et al. 96; Sastry et al. 98] mode 1 d x dt = F 1 ( x) if γ 1 ( x), do: x := G 1 ( x) if γ j ( x), do: x := G j ( x) mode 2 d x dt = F 2 ( x) mode n d x dt = F n ( x) Finite set of modes. Q : {q 1,..., q m } Continuous state variables. x : (x 1,..., x n ). Dynamics for each mode. Discrete Transitions between modes.

23 Verification of Hybrid Systems.

24 Verification of Hybrid Systems. Two possible approaches. Initial States Error States { Error Trace Initial States Positive Invariant Error States Rest of this talk: Generating Positive Invariants.

25 Positive Invariant Set S x(0) Set S is positive invariant for flow ϕ iff x(0) S, ϕ( x(0), t) S. Start inside set S flow remains in S.

26 Positive Invariants for Hybrid Systems x(0) Disjoint union of sets. Preserved by discrete transitions.

27 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States.

28 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States. Positive Invariant computation for differential equations.

29 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States. Positive Invariant computation for differential equations. Computing images across discrete transitions.

30 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States. Positive Invariant computation for differential equations. Computing images across discrete transitions. Iterate until convergence.

31 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States. Positive Invariant computation for differential equations. Computing images across discrete transitions. Iterate until convergence.

32 Positive Invariant Computation. [Henzinger et al. 96,...] x(0) Start with Initial States. Positive Invariant computation for differential equations. Computing images across discrete transitions. Iterate until convergence.

33 Polyhedral Invariant Generation. x 0 Polyhedra [Halbwachs 94, Henzinger et al. 96, Sank.et al. 06] Zonotopes. [Girard 05] (Linear) Support Functions. [Girard 09, 10] Templatized Polyhedra. [Sank.et al. 08, 09] Orthogonal Polyhedra. [Asarin et al. 02] Tools: PHaver, Mattisse, TimePass,... Q: What about non-linear invariants and non-linear dynamics?

34 Algebraic Techniques for Non-Linear Invariants. Generate positive invariants that are algebraic varieties. x 2 1 2x 3 x 2 2 = 5 x 1 x 2 = x 3 Using techniques from computational algebraic geometry.

35 Algebraic Varieties 2 x 1 1 Variety = { x 1, x 2 } x 2 Zeros of a set of multi-variate polynomials. V : { x R n p 1 ( x) = 0, p 2 ( x) = 0,..., p m ( x) = 0}

36 Ideals Set of polynomials I closed under 1. Addition. p 1, p 2 I p 1 + p 2 I 2. Multiplication by any other polynomial in the ring. p I, g R[ x], g p I Ideal Generated by Set: p 1,..., p m.

37 Background: Ideals and Varieties. IdealOf(V ) : {p K[ x] p vanishes everywhere on V } VarietyOf(I ) : { x K n p I, p( x) = 0} Example: I = {(x + 1) 2 + y 2 4, (x 1) 2 + y 2 1 }{{}}{{} p 1 p 2 }. 2 Variety(I ) = { x 1, x 2 } x 1 1 x 2

38 Hilbert s Nullstellensatz For any ideal I and polynomial p, Variety(I ) { x p( x) = 0} }{{} (i.e, p is a consequence of the equations in I )

39 Hilbert s Nullstellensatz For any ideal I and polynomial p, Variety(I ) { x p( x) = 0} }{{} (i.e, p is a consequence of the equations in I ) if and only if there is some power p m of p, such that p m I

40 Computing with Ideals Hilbert Finite Basis Theorem: Any ideal in K[ x] for field K is finitely generated.

41 Computing with Ideals Hilbert Finite Basis Theorem: Any ideal in K[ x] for field K is finitely generated. Groebner Basis: Finite basis with nice properties. [Buchberger 60] Computing using Varieties. 1. Ideal Membership (subsumption of varieties) 2. Ideal Intersection (union of varieties) 3. Ideal Union (intersection of varieties) 4. Ideal Inclusion (inclusion of varieties) 5. Image under a Map 6. Syzygy Modules 7....

42 Positive Algebraic Invariants. Invariant synthesis for flows. Inputs: (a) Polynomial vector field: F. (b) Initial Set (variety): V 0. Problem: Generate positive invariant algebraic variety. Smaller variety is more desirable/useful.

43 Positive Invariant Variety S x(0) 1. Contain initial variety 2. Vector field must lie on the tangent space.

44 Positive Invariant Ideal. Ideal(V 0 ) Lie Der. p dp dt Inv. Ideal I 1. Contained in initial ideal: Ideal(V 0 ). 2. Closed under Lie-Derivatives w.r.t vector field. Problem: Given V 0 and field F, compute invariant ideal.

45 Example # 1: Mechanical System Initial condition: dp 1 dt = 2q 1 q2 2, dp 2 dt = 2q1 2q 2, dq 1 dt = 2p 1, dq 2 dt = 2p 2 V 0 : { x : (p 1, q 1, p 2, q 2 ) p p = 0, q 2 1 = 0, q 2 = 0}. Positive Invariant: p p2 2 + q2 1 q2 2 = 4.

46 A More Complex Example Invariant Ideal: dx 1 dt = v 1, dx 2 dt = v 2, dv 1 dt = kx 1 k 5 (x 1 x 2 ), dv 2 dt = k(x 1 x 2 ), dk dt = 0 V 0 : x 1 = x 2 = 0, v 1 = 1, v 2 = 1, k R p 1 : v v v 1v v1 3v v v 1 2v v 1v v kx kv 1 2x kv 1v 2 x kv2 2x k2 x2 4 = 0, p 2 : 240x v1 2x v 1 v 2 x v2 2x x 2 525v1 2x 2 260v 1 v 2 x 2 131v2 2x 2 105kx2 3 = 0, p 3 : v v 1v v kx 1x 2 + 5kx2 2 = 0 p v v 1v 2 + 6v kx kx 2 2 = 0

47 Strategy I 0 1. Start with initial ideal I 0 and iterate. 2. Iterative Step: I j+1 = I j {p Lie F (p) I j }. 3. Stop if I n = I n+1.

48 Strategy : Lie deriv. p I 1 inside I 0. : Lie deriv. p I 1 outside I 0. I 0 I 1 1. Start with initial ideal I 0 and iterate. 2. Iterative Step: I j+1 = I j {p Lie F (p) I j }. 3. Stop if I n = I n+1.

49 Strategy I 1 I 2 I 0 1. Start with initial ideal I 0 and iterate. 2. Iterative Step: I j+1 = I j {p Lie F (p) I j }. 3. Stop if I n = I n+1.

50 Strategy I 1 I 2 I n+1 I 0 Fixed Point 1. Start with initial ideal I 0 and iterate. 2. Iterative Step: I j+1 = I j {p Lie F (p) I j }. 3. Stop if I n = I n+1.

51 Ideal Refinement F I = I {p Lie F (p) I }. I.e, retain p I such that L F (p) I.

52 Ideal Refinement F I = I {p Lie F (p) I }. I.e, retain p I such that L F (p) I. Algorithm: 1. Compute Groebner basis G of I. 2. Compute Lie derivative of each generator G. 3. Intersect ideal generated by Lie derivatives with I. 4. Compute Syzygies for each generator of the intersection. 5. Multiply matrix representing syzygies with generators in G. 6. Result is the set of generators of F I.

53 Convergence Convergence if the ring K[ x] satisfies descending chain condition. But ideals in R[ x] do not satisfy descending chain condition. Solution: Under-approximate iteration inside a vector space.

54 Pseudo-Ideal Finite dimensional vector-space inside an ideal. [Colón, 2004] Closure under addition. Multiplication closure with polynomials with degree d. Vector space of polynomials. Descending chain condition holds.

55 Further Details Sank., Automatic Invariant Generation for Algebraic Systems using Ideal Fixed Points, Hybrid Systems: Computation and Control, Apr. 2010

56 Implementation Combine ideal and pseudo-ideal iterations: Ideal Refinement I 0 F I 1 F I 2 F I 3 J 3 Pseudo Ideal J 4 PseudoIdeal Refinement F ideal I J N Converged!

57 Aircraft Collision Avoidance Vector Field: Initial set x 1 = d 1 x 2 = d 2 d 1 = ωd 2 d 2 = ωd 1 y 1 = e 1 y 2 = e 2 e 1 = θe 2 e 2 = θe 1 a = 0 b = 0 r 1 = 0 r 2 = 0 [ x1 = y 1 = r 1 x 2 = y 2 = r 2 d 1 = a d 2 = 0 e 1 = b e 2 = 0 ]

58 Positive Invariant Set Obtained: p 1 : e e2 2 b2, p 2 : d d 2 2 a2 p 3 : e 1 r 2 θ + θy 2, p 4 : a + d 1 r 2 ω + ωx 2 p 5 :b e 2 r 1 θ + θy 1, p 6 : br 1 + by 1 + e 1 r 2 e 1 y 2 e 2 r 1 + e 2 y 1 p 7 :br 2 by 2 e 1 r 1 + e 1 y 1 e 2 r 2 + e 2 y 2 p 8 : d 2 r 1 ω + ωx 1 p 9 :ad 2 r 2 ad 2 x 2 + d 1 d 2 r 2 d 1 d 2 x 2 r 1 d 2 2 r 1 + d 2 2 x 1 p 10 :ar 1 ax 1 d 1 r 1 + d 1 x 1 d 2 r 2 + d 2 x 2

59 Ongoing Work Polynomial inequality invariants: Refinement over cones of positive semi-definite (psd) polynomials. Using sum-of-squares relaxation and semi-definite programming. [Shor 87, Parillo 03]

60 Ongoing Work Polynomial inequality invariants: Refinement over cones of positive semi-definite (psd) polynomials. Using sum-of-squares relaxation and semi-definite programming. [Shor 87, Parillo 03] Study homomorphisms between dynamical systems. Similar topological semi-conjugacy. Algorithm for computing linearizing homomorphisms. Encouraging results. [Sank.(draft) 10]