Title: Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction
1 Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction
- Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke
- Carnegie Mellon University
2 CEGAR (CounterExample Guided Abstraction Refinement)
[Diagram: the CEGAR loop. Nodes: concrete system; construct initial abstraction; abstraction; model checking; counterexample; validate counterexample; infeasible constraints; construct new abstraction. Exits: specification satisfied (no counterexample) and specification not satisfied (feasible counterexample). The same diagram is repeated on the following slides with one callout each.]
3 CEGAR
concrete system: complete, detailed model
4 CEGAR
abstraction: reduced, conservative model
5 CEGAR
model checking: model check the abstraction (faster than for the concrete system)
6 CEGAR
no counterexample ⇒ specification satisfied for the concrete system
7 CEGAR
a counterexample for the abstraction corresponds to a state-transition path in the concrete system
8 CEGAR
validate counterexample: can the constraints along the counterexample path be satisfied in the concrete system?
9 CEGAR
feasible constraints ⇒ there exists a feasible counterexample for the concrete system
10 CEGAR
infeasible constraints: create a new abstraction (refinement) that eliminates the spurious counterexample
11 CEGAR
Success: CEGAR iterations often terminate much more quickly than model checking the concrete system.
12 CEGAR for Discrete Systems
concrete system: state transition system with Boolean variables
13 CEGAR for Discrete Systems
initial abstraction: eliminate some variables
14 CEGAR for Discrete Systems
validate counterexample: decision procedures / SAT solvers
15 CEGAR for Discrete Systems
construct new abstraction: add variables in the unsatisfiable core
16 CEGAR for Discrete Systems
- Leverages
  - Power of model checking on simpler models
  - Power of decision procedures / SAT solvers to validate counterexamples
- Empirically a very powerful approach
- Many success stories
  - SLAM: verifying device drivers at Microsoft
  - Actually ships as a commercial product: Static Driver Verifier (SDV)
- Many software model checkers developed
  - MAGIC, BLAST, CBMC
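The four steps on slides 12 to 15 (eliminate variables, model check the abstraction, validate the counterexample with a decision procedure, add variables to refine) as one runnable loop. This is an added illustration, not code from the slides or from any of the tools they name: the three-variable system, its initial states and the "x never becomes 1" property are constructed here; a brute-force replay of the path on the concrete system stands in for the SAT call, and an exhaustive search over variable subsets stands in for the unsatisfiable core a SAT solver would return.

```python
from collections import deque
from itertools import combinations, product

# Constructed toy system (not from the slides): Boolean variables x, y, z with the
# deterministic update x' = y, y' = z, z' = z.  The property is "x never becomes 1".
VARS = ("x", "y", "z")
INIT = {(0, 0, 0)}                     # with this initial state the property holds
STATES = set(product((0, 1), repeat=len(VARS)))

def step(s):
    x, y, z = s
    return (y, z, z)

def bad(s):
    return s[0] == 1

def proj(s, keep):
    """Project a state onto the variable positions in keep (a sorted tuple of indices)."""
    return tuple(s[i] for i in keep)

def abstract(keep, init=INIT):
    """Existential abstraction that eliminates every variable not in keep (slide 13)."""
    a_init = {proj(s, keep) for s in init}
    a_bad = {proj(s, keep) for s in STATES if bad(s)}
    a_trans = {(proj(s, keep), proj(step(s), keep)) for s in STATES}
    return a_init, a_bad, a_trans

def model_check(a_init, a_bad, a_trans):
    """BFS over the (small) abstraction; returns a shortest abstract path to a bad state, or None."""
    parent = {s: None for s in a_init}
    queue = deque(sorted(a_init))
    while queue:
        s = queue.popleft()
        if s in a_bad:
            path = []
            while s is not None:
                path.append(s)
                s = parent[s]
            return path[::-1]
        for u, v in sorted(a_trans):
            if u == s and v not in parent:
                parent[v] = s
                queue.append(v)
    return None

def validate(path, keep, init=INIT):
    """Replay the abstract path on the concrete system.  This brute-force replay stands in for
    the SAT / decision-procedure call of slide 14; True means the counterexample is real."""
    cur = {s for s in init if proj(s, keep) == path[0]}
    for a in path[1:]:
        cur = {t for t in map(step, cur) if proj(t, keep) == a}
        if not cur:
            return False
    return any(bad(s) for s in cur)

def survives(path, keep, finer, init=INIT):
    """Does the spurious path still have a realization in the abstraction onto finer (a superset of keep)?"""
    pos = tuple(finer.index(i) for i in keep)   # where keep's variables sit inside a finer state
    f_init, f_bad, f_trans = abstract(finer, init)
    cur = {s for s in f_init if proj(s, pos) == path[0]}
    for a in path[1:]:
        cur = {v for u, v in f_trans if u in cur and proj(v, pos) == a}
        if not cur:
            return False
    return bool(cur & f_bad)

def refine(path, keep, init=INIT):
    """Add the fewest extra variables that rule out the spurious path (slide 15).  The slides take
    these variables from a SAT solver's unsatisfiable core; this toy searches subsets exhaustively."""
    others = [i for i in range(len(VARS)) if i not in keep]
    for k in range(1, len(others) + 1):
        for extra in combinations(others, k):
            finer = tuple(sorted(keep + extra))
            if not survives(path, keep, finer, init):
                return finer
    raise RuntimeError("path is realizable; nothing to refine")

def cegar(keep=(0,), init=INIT):
    """The CEGAR loop of slide 2.  Returns (verdict, final variable set, refinement log)."""
    log = []
    while True:
        path = model_check(*abstract(keep, init))
        if path is None:
            return "verified", keep, log
        if validate(path, keep, init):
            return "counterexample", keep, log
        log.append((keep, path))
        keep = refine(path, keep, init)

if __name__ == "__main__":
    print(cegar())                         # verified after two refinements, ending with all three variables
    print(cegar(init={(0, 0, 1)}))         # a real counterexample, again found only once all variables are back
```

Starting from the abstraction on {x} alone, the first abstract counterexample (x: 0 → 1) is spurious; adding y eliminates it, the next one is spurious too, and adding z makes the abstraction exact. With the alternative initial state (0, 0, 1) the same two refinements end in a real counterexample instead, which is what slide 9 calls a feasible counterexample for the concrete system.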
17 CEGAR for Hybrid Systems (our previous work)
concrete system: hybrid automaton
18 CEGAR for Hybrid Systems
initial abstraction: start with the location transition graph
19 CEGAR for Hybrid Systems
specification: reachability specifications (forbidden locations)
20 CEGAR for Hybrid Systems
model checking: hybrid-system (HS) reachability, applying increasingly precise approximations
21 CEGAR for Hybrid Systems
validate counterexample: compute reachable sets along the counterexample path
22 CEGAR for Hybrid Systems
identify the point where the reachable set becomes empty
23 CEGAR for Hybrid Systems
construct new abstraction: introduce new locations (splitting) to eliminate the infeasible path
24 CEGAR for Hybrid Systems
- Limitations
  - slow convergence: refinement eliminates one path at a time
  - HS reachability limited to low-dimensional systems
25 Iterative Relaxation Abstraction (IRA) for Linear Hybrid Automata (LHA)
26 IRA for LHA
concrete system: LHA (with several continuous variables)
27 IRA for LHA
abstraction: relaxation abstraction (fewer continuous variables)
28 IRA for LHA
initial abstraction: start with the location graph (zero continuous variables)
29 IRA for LHA
model checking: LHA reachability (forbidden locations)
30 IRA for LHA
validate counterexample: check feasibility of the linear constraints using LP
31 IRA for LHA
construct new abstraction: use variables from an irreducible infeasible subset (IIS) of the constraints
32 IRA for LHA
a new relaxation abstraction each time, NOT a refinement
33 IRA for LHA: Leverages
- Power of LHA reachability on low-order LHA models
- Power of LP to validate counterexamples involving a huge number of continuous variables
- Ability of an LP solver to identify an irreducible infeasible subset for an infeasible LP
- Inspired by CEGAR for discrete systems, but variables are not added to refine abstractions
34 Relaxation Abstractions
- LHA
  - discrete transition structure (locations / transitions)
  - linear constraints for invariants, guards, jumps
- Given a subset of continuous variables V
  - Replace the linear constraints with relaxed constraints involving only variables in V
  - x < 100 ∧ x > 20 ∧ y < 30 ∧ x < y can be relaxed to x < 100 ∧ x > 20
  - Not unique: various relaxations
    - Drop constraints involving variables not in V (localization)
    - Quantifier elimination (Fourier-Motzkin)
35 Counterexamples (CEs)
- Paths in the discrete structure (sequence of locations and transitions)
- Key observations (Xuandong Li, Sumit Jha, Lei Bu, BMC06)
  - Feasible runs along a path are defined by linear constraints
  - A CE exists in the concrete LHA if and only if the corresponding linear constraints are feasible
36 Irreducible Infeasible Subset (IIS)
- Given a set of infeasible linear constraints (corresponding to a spurious CE)
- IIS: a subset of the constraints such that
  - the constraints are infeasible
  - removing any one constraint makes them feasible
- Use the variables in the IIS for the next relaxation abstraction
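Slides 34 to 36 in working form: the two relaxations of the slide's constraint set (localization versus Fourier-Motzkin), the feasibility test that decides whether a counterexample path is real, and the deletion filter that extracts an irreducible infeasible subset whose variables seed the next relaxation abstraction. This is an added example, not the authors' implementation (which uses CPLEX for the LP and IIS steps, slide 46): Fourier-Motzkin elimination over exact rationals stands in for the LP solver's feasibility check, a deletion filter stands in for its IIS routine, and the grouped path constraints in PATH_GROUPS are constructed to show a counterexample that survives relaxation onto {x} but not onto the IIS variables {x, y}.

```python
from fractions import Fraction
from itertools import product

# A linear constraint is (coeffs, bound, strict), meaning sum(coeffs[v] * v) <= bound,
# or < bound when strict is True.  All inputs below are constructed for this example.
def lt(coeffs, bound):
    return (dict(coeffs), Fraction(bound), True)

X_LT_100 = lt({"x": 1}, 100)           # x < 100
X_GT_20 = lt({"x": -1}, -20)           # x > 20
Y_LT_30 = lt({"y": 1}, 30)             # y < 30
X_LT_Y = lt({"x": 1, "y": -1}, 0)      # x < y
X_GT_35 = lt({"x": -1}, -35)           # x > 35
SLIDE_EXAMPLE = [X_LT_100, X_GT_20, Y_LT_30, X_LT_Y]   # the constraint set on slide 34

# Constraints of a (constructed) counterexample path, grouped as an LHA would supply them:
# an invariant, then a guard, then the next location's invariant.  Each group is relaxed
# on its own; the path is feasible iff the union of the groups is feasible (slide 35).
PATH_GROUPS = [[X_LT_100, X_GT_20, X_LT_Y], [Y_LT_30], [X_GT_35]]

def variables(cs):
    return {v for coeffs, _, _ in cs for v, a in coeffs.items() if a != 0}

def eliminate(cs, v):
    """One Fourier-Motzkin step: existentially project v out of the constraint set."""
    pos, neg, rest = [], [], []
    for c in cs:
        a = c[0].get(v, 0)
        (pos if a > 0 else neg if a < 0 else rest).append(c)
    for (cp, bp, sp), (cn, bn, sn) in product(pos, neg):
        ap, an = cp[v], -cn[v]                 # an*cp + ap*cn cancels v
        coeffs = {}
        for w in set(cp) | set(cn):
            a = an * cp.get(w, 0) + ap * cn.get(w, 0)
            if w != v and a != 0:
                coeffs[w] = a
        rest.append((coeffs, an * bp + ap * bn, sp or sn))
    return rest

def relax_fm(cs, keep):
    """Relaxation by quantifier elimination: project away every variable outside keep."""
    for v in sorted(variables(cs) - set(keep)):
        cs = eliminate(cs, v)
    return cs

def relax_localize(cs, keep):
    """Relaxation by localization: drop every constraint that mentions a variable outside keep."""
    return [c for c in cs if variables([c]) <= set(keep)]

def relax_path(groups, keep, relax=relax_fm):
    """Constraints of the path in the relaxed LHA: each group relaxed on its own, then conjoined."""
    return [c for g in groups for c in relax(g, keep)]

def feasible(cs):
    """Decide feasibility: eliminate every variable, then inspect the residual 0 <= b / 0 < b rows."""
    return all(b > 0 or (b == 0 and not strict) for _, b, strict in relax_fm(cs, ()))

def iis(cs):
    """Deletion filter: returns an irreducible infeasible subset of an infeasible constraint set."""
    assert not feasible(cs)
    core = list(cs)
    for c in cs:
        trial = [d for d in core if d is not c]
        if not feasible(trial):
            core = trial
    return core

if __name__ == "__main__":
    print(relax_fm(SLIDE_EXAMPLE, {"x"}))         # x<100, x>20 plus x<30 derived from x<y and y<30
    print(relax_localize(SLIDE_EXAMPLE, {"x"}))   # x<100, x>20 only (the relaxation shown on the slide)
    full = relax_path(PATH_GROUPS, {"x", "y"})
    print(feasible(relax_path(PATH_GROUPS, {"x"})), feasible(full))   # True (CE survives), False
    core = iis(full)
    print(core, variables(core))                  # [x<y, y<30, x>35] and {'x', 'y'} for the next abstraction
```

Relaxing the whole path onto {x} keeps the counterexample alive under both relaxations, because the coupling through y is what makes it infeasible; the IIS is {x < y, y < 30, x > 35}, so the next relaxation abstraction is built over {x, y} and the same path is refuted. Slide 34's point that relaxations are not unique is visible in the first two outputs: Fourier-Motzkin keeps the derived bound x < 30 that localization throws away.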
37 The Language of Counterexamples
- LHA reachability gives a discrete CE automaton A for the current relaxed LHA
- A string s = s0, s1, …, sn is in the language of the discrete CE automaton A only if the reachability analysis engine says that sn may be reachable from s0 using the path s0 → s1 → … → sn
- Intersect with the previous CE automaton
  - to remove CEs refuted earlier by other abstractions
  - also, remove the previous CE in case reachability was too conservative
- Key idea: generate relaxation abstractions with only the most recent set of IIS variables
38 IRA for LHA: selecting counterexamples
39 IRA for LHA: selecting counterexamples
[Diagram: the IRA loop with counterexample selection. Model checking the abstraction yields the abstraction's CE automaton, which updates a cumulative CE automaton; a counterexample is selected from the cumulative automaton for validation.]
40 IRA for LHA: selecting counterexamples
- guarantees
  - only previously discovered CEs are explored
  - no CE is used twice
41 IRA for LHA: constructing new relaxation abstractions
42 IRA for LHA: constructing new relaxation abstractions
identify the variables in an IIS; these continuous variables define the new abstraction
43 IRA for LHA: constructing new relaxation abstractions
guarantee: the relaxation abstraction has a minimal set of variables to eliminate the previous CE
44 IRA for LHA: implementation
LHA reachability: PHAVer
45 IRA for LHA: implementation
CE automata: AT&T FSM Library
46 IRA for LHA: implementation
LP / IIS analysis: CPLEX
47 IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)
[Chart: run time of IRA, IRA-FM and PHAVer against the number of continuous variables; the plotted values are not recoverable from the text, only the callouts on the following slides.]
48 IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)
IRA becomes faster for ≥ 12 variables
49 IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)
IRA-FM becomes faster for ≥ 14 variables
50 IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)
15 vars: 19.5 hr (PHAVer) vs. 3 min (IRA-LOC)
51 IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)
PHAVer fails to converge for 16 variables
52 IRA-Loc vs. IRA-FM
[Chart comparing IRA-Loc and IRA-FM; the plotted values are not recoverable from the text.]
53 Switched Buffer Network [1]
[Figure: eleven buffers (numbered 1 to 11, buffer size 100) connected by channels with valves; valve operation: closed = mode 0, open = mode 10; a hybrid automaton (the controller) controls the valves in the channels.]
- Buffers connected by pipes with valves
- Valves have several modes
- Controller observes the buffers to switch valve modes
- Specification: no buffer overflow
[1] Frehse, Maler, HSCC 07
54 Switched Buffer Network
- Implemented a simple controller with three locations and 11 continuous variables
- Design: the sequence of actual counterexamples from IRA was used to tune the control parameters
- One case led to a 101-location CE in 3 iterations of the abstraction refinement loop
- Final design (verified)
  - PHAVer took over 12 minutes
  - IRA took 23.7 seconds
55 Nuclear Power Plant Control [2]
- Temperature control
  - rods immersed to cool the reactor, withdrawn to allow the reaction
  - rods controlled by temperature measurements and local timers
  - each rod can stay inside only for a certain maximum time limit
  - temperature should not rise beyond a critical threshold
- Model
  - 3 control rods
  - 11 continuous variables
[2] Variation of the problem studied by Kapur and Shyamasundar (HART97), R. Alur et al. (TCS95), P. H. Ho's 1995 PhD thesis, and others.
56 Nuclear Power Plant Control
- Iterative design procedure
  - First attempt
    - simple counterexample of 3 locations
    - abstraction: 3 continuous variables
    - all of the variables related to control rod 1
    - clear that the rod was being inserted too late
    - changed the cutoff temperature
  - Similar CEs for control rods 2 and 3
  - Final design
    - PHAVer verification: 16 hours
    - IRA verification: 6 iterations, 30.04 seconds
57 Current Work
- Further empirical studies
- Use of IRA for interactive design (actually using the counterexamples!)
- Distributed computation (we have found that most of the time is spent in FM quantifier elimination)
- Extensions to more general hybrid systems (outer refinement loops)