Optimization-based Modeling and Analysis Techniques for Safety-Critical Software Verification

Similar documents
Distributed lyapunov functions in analysis of graph models of software

COMPLEX behaviors that can be exhibited by modern engineering

Lecture Note 5: Semidefinite Programming for Stability Analysis

Lecture 6 Verification of Hybrid Systems

A Framework for Worst-Case and Stochastic Safety Verification Using Barrier Certificates

Complexity of 10 Decision Problems in Continuous Time Dynamical Systems. Amir Ali Ahmadi IBM Watson Research Center

Gramians based model reduction for hybrid switched systems

Polynomial level-set methods for nonlinear dynamical systems analysis

L 2 -induced Gains of Switched Systems and Classes of Switching Signals

LMI Methods in Optimal and Robust Control

Analytical Validation Tools for Safety Critical Systems

ECE7850 Lecture 8. Nonlinear Model Predictive Control: Theoretical Aspects

ECE7850 Lecture 9. Model Predictive Control: Computational Aspects

Analysis and synthesis: a complexity perspective

Semidefinite and Second Order Cone Programming Seminar Fall 2012 Project: Robust Optimization and its Application of Robust Portfolio Optimization

Certified Roundoff Error Bounds using Semidefinite Programming

Stability lectures. Stability of Linear Systems. Stability of Linear Systems. Stability of Continuous Systems. EECE 571M/491M, Spring 2008 Lecture 5

Periodic Stabilization of Discrete-Time Controlled Switched Linear Systems

Safety Verification of Hybrid Systems Using Barrier Certificates

16.410/413 Principles of Autonomy and Decision Making

Nonlinear Control. Nonlinear Control Lecture # 3 Stability of Equilibrium Points

Hybrid Systems Course Lyapunov stability

The ϵ-capacity of a gain matrix and tolerable disturbances: Discrete-time perturbed linear systems

V&V MURI Overview Caltech, October 2008

Modeling & Control of Hybrid Systems Chapter 4 Stability

Optimization over Nonnegative Polynomials: Algorithms and Applications. Amir Ali Ahmadi Princeton, ORFE

Global Analysis of Piecewise Linear Systems Using Impact Maps and Surface Lyapunov Functions

Minimum-Phase Property of Nonlinear Systems in Terms of a Dissipation Inequality

Lecture 5. Theorems of Alternatives and Self-Dual Embedding

Converse Results on Existence of Sum of Squares Lyapunov Functions

GLOBAL ANALYSIS OF PIECEWISE LINEAR SYSTEMS USING IMPACT MAPS AND QUADRATIC SURFACE LYAPUNOV FUNCTIONS

Discrete abstractions of hybrid systems for verification

Local Stability Analysis For Uncertain Nonlinear Systems Using A Branch-and-Bound Algorithm

I.3. LMI DUALITY. Didier HENRION EECI Graduate School on Control Supélec - Spring 2010

Disturbance Attenuation Properties for Discrete-Time Uncertain Switched Linear Systems

Nonlinear Control. Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems

LP Infeasibility - The Pursuit of Intelligent Discretization

Nonlinear Control Design for Linear Differential Inclusions via Convex Hull Quadratic Lyapunov Functions

Tube Model Predictive Control Using Homothety & Invariance

OPTIMAL CONTROL OF SWITCHING SURFACES IN HYBRID DYNAMIC SYSTEMS. Mauro Boccadoro Magnus Egerstedt,1 Yorai Wardi,1

Lecture 4. Chapter 4: Lyapunov Stability. Eugenio Schuster. Mechanical Engineering and Mechanics Lehigh University.

DOMAIN OF ATTRACTION: ESTIMATES FOR NON-POLYNOMIAL SYSTEMS VIA LMIS. Graziano Chesi

Notes on the decomposition result of Karlin et al. [2] for the hierarchy of Lasserre by M. Laurent, December 13, 2012

Static Program Analysis using Abstract Interpretation

Nonlinear Control. Nonlinear Control Lecture # 8 Time Varying and Perturbed Systems

Chapter 2. Reductions and NP. 2.1 Reductions Continued The Satisfiability Problem (SAT) SAT 3SAT. CS 573: Algorithms, Fall 2013 August 29, 2013

Outline. Input to state Stability. Nonlinear Realization. Recall: _ Space. _ Space: Space of all piecewise continuous functions

Global Analysis of Piecewise Linear Systems Using Impact Maps and Quadratic Surface Lyapunov Functions

Computation of CPA Lyapunov functions

Hybrid Systems - Lecture n. 3 Lyapunov stability

MCE693/793: Analysis and Control of Nonlinear Systems

47-831: Advanced Integer Programming Lecturer: Amitabh Basu Lecture 2 Date: 03/18/2010

Scalable Control of Positive Systems. Traffic Networks Need Control. The Power Grid Needs Control. Towards a Scalable Control Theory

Introduction to Abstract Interpretation. ECE 584 Sayan Mitra Lecture 18

The Polyranking Principle

4. Algebra and Duality

Vector Barrier Certificates and Comparison Systems

where c R and the content of f is one. 1

MCE/EEC 647/747: Robot Dynamics and Control. Lecture 8: Basic Lyapunov Stability Theory

Algorithmic Verification of Stability of Hybrid Systems

Technical Notes and Correspondence

Lyapunov Stability Analysis: Open Loop

Hybrid Control and Switched Systems. Lecture #7 Stability and convergence of ODEs

Theory in Model Predictive Control :" Constraint Satisfaction and Stability!

be any ring homomorphism and let s S be any element of S. Then there is a unique ring homomorphism

Approximation Metrics for Discrete and Continuous Systems

Analysis of Systems with State-Dependent Delay

6-1 The Positivstellensatz P. Parrilo and S. Lall, ECC

Convex Analysis and Optimization Chapter 2 Solutions

Semidefinite Programming Basics and Applications

Symmetric Matrices and Eigendecomposition

Two hours. To be provided by Examinations Office: Mathematical Formula Tables. THE UNIVERSITY OF MANCHESTER. xx xxxx 2017 xx:xx xx.

Testing System Conformance for Cyber-Physical Systems

Enhanced Fritz John Optimality Conditions and Sensitivity Analysis

Math 273a: Optimization Subgradients of convex functions

E5295/5B5749 Convex optimization with engineering applications. Lecture 5. Convex programming and semidefinite programming

Simulation-aided Reachability and Local Gain Analysis for Nonlinear Dynamical Systems

Two hours. Examination definition sheet is available at the back of the examination. UNIVERSITY OF MANCHESTER SCHOOL OF COMPUTER SCIENCE

Computation of the Joint Spectral Radius with Optimization Techniques

Markov Decision Processes

Convexification of Mixed-Integer Quadratically Constrained Quadratic Programs

An Exact Stability Analysis Test for Single-Parameter. Polynomially-Dependent Linear Systems

Constructing Lyapunov-Krasovskii Functionals For Linear Time Delay Systems

The Real Number System

MATH 614 Dynamical Systems and Chaos Lecture 3: Classification of fixed points.

arxiv: v1 [math.oc] 31 Jan 2017

Deductive Verification of Continuous Dynamical Systems

Optimality Conditions for Constrained Optimization

Lecture 8. Chapter 5: Input-Output Stability Chapter 6: Passivity Chapter 14: Passivity-Based Control. Eugenio Schuster.

Lyapunov stability ORDINARY DIFFERENTIAL EQUATIONS

arzelier

Lecture 8 Plus properties, merit functions and gap functions. September 28, 2008

1 The Observability Canonical Form

Example: feasibility. Interpretation as formal proof. Example: linear inequalities and Farkas lemma

Solving conic optimization problems via self-dual embedding and facial reduction: a unified approach

Lecture 2: Convex Sets and Functions

Week 2: Sequences and Series

Review of Optimization Methods

Generating Functions of Switched Linear Systems: Analysis, Computation, and Stability Applications

A Solution Method for Semidefinite Variational Inequality with Coupled Constraints

Transcription:

Optimization-based Modeling and Analysis Techniques for Safety-Critical Software Verification Mardavij Roozbehani Eric Feron Laboratory for Information and Decision Systems Department of Aeronautics and Astronautics Massachusetts Institute of Technology Workshop on Critical Research Areas in Aerospace Software, Tuesday August 9 th, 005, MIT

Outline Introduction Basic principles of automated software analysis Computer programs as dynamical systems Lyapunov functions as behavior certificates System specific models of computer programs Mixed integer/linear systems Linear systems with conditional switching Convex optimization of Lyapunov certificates Recursive search for system invariants to improve analysis Conclusion

Introduction and motivation Safety-critical software is becoming pervasive in aerospace systems, medical technology and embedded systems in general It is crucial to verify reliability and correctness of the embedded software. The very least to require is that the software must be free of run-time errors. Reliable software properties include but are not limited to: Absence of overflow Absence of array index out-of-bounds errors Termination in finite-time The above problems are undecidable but efficient algorithms that work reasonably well in practice can be developed.

Basic principles of automated software analysis A computer program can be viewed as a rule for iterative modification of operating memory, possibly in response to real-time inputs Dynamical systems representation of computer programs: State space X with selected subsets: X 0 X (initial states) X X (terminal states) Set-valued function f : X X is s.t. f (x) X, x X. A Program/dynamical system S=S (X, f, X 0,X ) is the set of all sequences X =(x (0),x(),...,x(t),...) of elements of X, satisfying x (0) X 0,x(t +) f (x (t)), t Z +. 3

Example Consider the program: program P : x 50; x 0; while x >x, x = x ; x = x +; end = P=S (X, f, X 0,X ) X = R X 0 = n x x R,Hx b o where: " # " # 0 50 H = and b = 0 0 X = n x x R,Lx 0 o, L = h i ; ( " # x + B, Lx > 0 f (x) = x, Lx 0, B = + For instance X = Ã" # " # 60 59,,..., 0 9 " # 5, 5 " #! 5,... 5 P 4

Basic principles of automated software analysis Definition : A computer program represented by a dynamical system S = S(X, f, X 0,X ) is said to terminate in finite time if every solution X = x(t) of S satisfies x(t) X for some t Z +. Definition : The computer program S is said to run without variable overflow if x(t) does not belong to a certain (unsafe) subset X of X for every solution X = x(t) of S. Definition 3: A Lyapunov function for system S is defined to be a real valued function V : X R, which will strictly monotonically decrease along the trajectories of S until they reach a terminal state, i.e. V (x) <V(x) x X, x f (x) :x/ X. 5

Lyapunov functions as behavior certificates Termination in finite-time: Lemma : If the state space X is finite and if there exists a function V satisfying V (x) <V(x) x X, x f (x) :x/ X. then a terminal state X willbereachedinafinite number of steps. Lemma : If there exists a bounded function V : X 7 R, and aconstantθ> satisfying V (x) <θv(x) x X, x f (x) :x/ X. then a terminal state X willbereachedinafinite number of steps. 6

Lyapunov functions as behavior certificates Absence of overflow: Lemma 3: Consider the system S and let V denote the space of all Lyapunov functions for this system. An unsafe subset X of the state space X can never be reached along all the trajectories of S if there exists V V satisfying inf V (x) x X sup V (x) x X 0 7

Certifying boundedness and/or finite-time termination Proposition : Consider the program P = S(X, f, X 0,X ) defined as before and assume that there exists a function V : X 7 R s.t. V (x) <θv(x) x X, x f (x) :x/ X. V (x) < 0 x X 0. x V (x) > x X. M where θ is a positive constant. Then, every solution X = x (t) of P remains bounded in the (safe) region defined by kxk <M. Moreover, if θ >, everysolutionx = x (t) reaches a terminal state X in finite time. Remark: As mentioned, proofs of absence of array index out-ofbounds errors are important in software verification. This property too, can be verified by employing this Proposition. 8

System specific models Mixed integer/linear models: This system model has state space X = R n, and the set of initial conditions X 0 R n. Its state transition function f : X 7 X is defined by two matrices F and H, according to f(x) = [F x F w F v ] x w v : (w, v) [, ] q {, } r s.t. [H x H w H v ] Naturally, X is defined by X = {x x R n, (w, v) [, ] q {, } r, H[x; w; v;]6= 0} x w v =0 9

Convex optimization of Lyapunov certificates: Our method of automated code analysis is based on using convex optimization in the search for the proposed Lyapunov functions.. Let the certificate function V (.) :X R take an appropriate form, e.g. V can be a linear, piecewise linear, quadratic, piecewise quadratic, or polynomial function of x X.. Various versions of the convex relaxation methods, including sums of squares in positivity verification, S-procedure and semidefinite relaxations of combinatorial problems can be used to formulate a convex optimization problem. 0

3. The resulting convex optimization problem is an LP, MILP or an LMI problem. 4. The appropriate choice of V (.), and the optimization method are influenced by: Availability of efficient relaxation techniques Compatibility with a particular numerical engine for convex optimization Computational costs and complexity growth with the size of the problem

Numerical Example Consider the following program: x (0) = x 0 ; c (0) = c 0 ; While x<500 if x 480 and c = x = x + a; c =; else if x> 450 x = x + b; c = ; end if x 450 c =; end end; where a [5, 45] and b [ 5, ], are uncertain input parameters, x 0 [ 450, 480] and c 0 {, } are uncertain initial conditions. Bounded-ness and finite-time termination of this program are not trivial.

The mixed integer/linear model of this program is defined with matrices F, and H, given by: F = H = " 0 7 a 0 3 b 0 0 a+b 0 6 0 3 0 0 0 u m 0 u m 0 7 0 0 u 0 l m 0 l m 0 6 0 0 l 0 3 r m 0 6 0 0 0 0 r m 0 0 5 0 4 0 0 0 0 0 5 0 4 0 0 0 0 5 0 0 4 0 0 6 0 0 0 3 0 6 0 0 3 0 where u m = u+m,l m = l M,r m = R+M,r m = R M,R= 500, u =480,l= 450. # 3

The quadratic Lyapunov certificate V (x, c) = ³ 0 3 x M c M T 0.6.50.455.50 7660.045.06.455.06.9 is the certificate for finite-time termination and bounded-ness of x, for M =750, i.e. x 750. x M c M 4

Recursive Invariant Search for Software Systems Consider the following program: x (0) = ; x (0) = 3; x 3 (0) = 0; y(0) = x (0) ; While x 3 <x y = x ; x =.5 x + x ; x = 0.5 y + x ; x 3 =8 x 3 +; end Assume that the overflow bound is M = 000. Finite-time termination and boundedness are not trivial for this example The initial attempt to prove the desired properties via Lyapunov-like functions that were introduced comes unsuccessful! System invariants that prove neither finite-time termination nor boundedness but give additional information about the system behavior can be extracted. 5

Affine functions are good (computationally very cheap) candidates for such assisting invariants. For instance, consider Lyapunov-like functions: V : X R, V (x) =Lx V (x (k +)) θv (x (k)) + α Finding such linear invariants is a mixed integer linear program. For the previous example, V (x) = x 3 is found. invariant: x 3 (k) 0 which provides the This additional information, is used via convex relaxation methods to find the appropriate Lyapunov function. 6

The quadratic function V (x (k)) = 0 6 x (k) x (k) x 3 (k) T 60 4569 0.045 904 4569 3559 0.8954 9774 0.045 0.8954 8 34904 904 9774 34904 0.948 x (k) x (k) x 3 (k) Proves boundedness and finite-time termination, with overflow bound M = 000. Additional linear invariants could be found to assist the analysis, for instance x + x 8x 3 4 x +x 0x 3 7 are other such linear invariants. With this additional information, reachability analysis can be improved even more. In this case, boundedness with overflow bound M =450is proven! 7

Conclusions An approach towards safety analysis of software was introduced. The novelty of this approach is in the transfer of fundamental concepts (Lyapunov invariants) and associated computational techniques from the control systems analysis arena to software engineering It was shown that software, as a rule for iterative modification of computer memory, can be modeled as a dynamical system. Specific modelscarryingthistaskwerealsosuggested.these include mixed integer/linear models and linear systems with conditional switching. 8

System invariants, found by Lagrangian relaxations and convex optimization of certain Lyapunov-like functions prove the desired properties of the dynamical system/software. The properties include bounded-ness of all variables within acceptable ranges and finite time termination of the program in most cases. Scalability of the technique needs to be improved for applications to large computer programs with thousands of lines of code. 9

mardavij@mit.edu feron@mit.edu 0

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback