C2E2: A Verification Tool For Stateflow Models Parasara Sridhar Duggirala , Sayan Mitra, Mahesh Viswanathan, Matthew Potok
Pacemaker β Cardiac Cell System + 2
Pacemaker β Cardiac Cell System stimulating pulse π 0 π 1 Pacemaker β¦ π 3 π 2 HA = Finite State Machine + Differential Equation π£(π’) π¦ 1 (π’) time time Stimulus from pacemaker Behavior of a cardiac cell 3
Features of the Model Safety Verification Unsafe Set π¦ 1 (π’) time Stateflow Model of Pacemaker β Cardiac Cell system Features: Invariants , Guards , and Resets ο§ Inputs: 1. Model of the system π΅ , Solution 2. Initial States Ξ , and Reachable Set Computation 3. Unsafe States π ο§ Output: If the system is safe or unsafe βπ¦ β Ξ, π π¦, π’ β π 4
Contributions ο§ Simulation based verification algorithm for Fully Hybrid Systems ο§ Theoretical guarantees β Soundness and Relative Completeness ο§ Tool Features β’ Stateflow Models, hyxml intermediate format β’ Graphical User Interface β’ Visualizing the reachable set 5
Overview οΌ Motivation and Problem Statement ο§ Challenges in Verification ο§ Building Blocks and Algorithm ο§ Soundness and Relative Completeness Guarantees ο§ Tool Features ο§ Annotations ο§ Future Work 6
Safety Verification Unsafe Set π£(π’) time Stateflow Model of Pacemaker β Cardiac Cell system Features: Invariants , Guards , and Resets ο§ Inputs: 1. Model of the system π΅ , Solution 2. Initial States Ξ , and Reachable Set Computation 3. Unsafe States π ο§ Output: If the system is safe or unsafe βπ¦ β Ξ, π π¦, π’ β π 7
Challenges In Reachable Set Computation Unsafe Set π£(π’) time Stateflow Model of Pacemaker β Cardiac Cell system Features: Invariants , Guards , and Resets ο§ Nonlinear ODEs β do not even have a closed form solution ο§ Switching conditions β predicates on variables (nondeterminism) Our Technique: Use simulations for computing Reachable Set 8
αΆ A Simple (Often The Only) Strategy ο§ Given start and unsafe π Ξ πΆ π (π(π¦ 0 , π’)) ο§ Compute finite cover of initial set ο§ Simulate from the center π¦ 0 of each cover ο§ Bloat simulation so that bloated tube contains all trajectories from the cover ο§ Union = over-approximation of reach set π¦ 0 π¦ = π(π¦) 9
αΆ A Simple (Often The Only) Strategy ο§ Given start and unsafe π Ξ πΆ π (π(π¦ 0 , π’)) ο§ Compute finite cover of initial set ο§ Simulate from the center π¦ 0 of each cover ο§ Bloat simulation so that bloated tube contains all trajectories from the cover ο§ Union = over-approximation of reach set π¦ 0 ο§ Check intersection/containment with π ο§ Refine π¦ = π(π¦) 10
αΆ A Simple (Often The Only) Strategy ο§ Given start and unsafe π Ξ πΆ π (π(π¦ 0 , π’)) ο§ Compute finite cover of initial set ο§ Simulate from the center π¦ 0 of each cover ο§ Bloat simulation so that bloated tube contains all trajectories from the cover ο§ Union = over-approximation of reach set π¦ 0 ο§ Check intersection/containment with π ο§ Refine π¦ = π(π¦) 11
αΆ A Simple (Often The Only) Strategy ο§ Given start and unsafe π Ξ πΆ π (π(π¦ 0 , π’)) ο§ Compute finite cover of initial set ο§ Simulate from the center π¦ 0 of each cover ο§ Bloat simulation so that bloated tube contains all trajectories from the cover ο§ Union = over-approximation of reach set π¦ 0 ο§ Check intersection/containment with π ο§ Refine π¦ = π(π¦) 1. How do we get the simulations? 2. How much to bloat? 3. How to handle mode switches? 12
Building Blocks : Simulations Simulation from π¦ 0 given as π(π¦ 0 , π’) β no closed form! ππππππππππ(π π , π, π, πΌ) gives a sequence S 0 , β¦ , π π : 1. at any time π’ β [πβ, π + 1 β] , π π¦ 0 , π’ β π π 2. πππ π π β€ π ππππ»ππ(π π , πΌ, π) generates such simulations (CAPD) 13
Building Blocks : Discrepancy Function Discrepancy Function : capturing the continuity of ODE solutions executions that start close, stay close β©πΏ, πΏβͺ is called an exponential discrepancy function of the system if for any two states π¦ 1 and π¦ 2 β π , for any t |π(π¦ 1 , π’) β π(π¦ 2 , π’)| β€ πΏ π¦ 1 β π¦ 2 π πΏπ’ π π¦ 2 , π’ π¦ 2 β€ πΏ π¦ 1 β π¦ 2 π πΏπ’ 1 |π¦ 1 β π¦ 2 | π¦ 1 π π¦ 1 , π’ = πΏ π¦ 1 β π¦ 2 π πΏπ’ 1 Discrepancy functions are given as model annotations, i.e. β©πΏ, πΏβͺ is given by the user 14
Simulations + Discrepancy Functions = ReachTubes π = ππππ πππππ π», π, πΌ of αΆ π¦ = π π¦ is a sequence π 0 , β¦ , π π such that πππ(π π ) β€ π and from any π¦ 0 β π, for each time π’ β [πβ, (π + 1)β] , π π¦ 0 , π’ β π π . How to compute a ReachTube from validated simulation and annotation? π 0 , β¦ , π π , π 1 β ππππ»ππ(π¦ 0 , π, π) 15
Simulations + Discrepancy Functions = ReachTubes π = ππππ πππππ π», π, πΌ of αΆ π¦ = π π¦ is a sequence π 0 , β¦ , π π such that πππ(π π ) β€ π and from any π¦ 0 β π, for each time π’ β [πβ, (π + 1)β] , π π¦ 0 , π’ β π π . How to compute a ReachTube from validated simulation and annotation? π 0 , β¦ , π π , π 1 β ππππ»ππ(π¦ 0 , π, π) For each π β π π’βπ π πΏπ πΏπ’ π ; π 2 β max π π β πΆ π 2 π π π 0 , β¦ , π π is a reachtube( πͺ πΊ π π , π π + π π , πΌ) οΌ How do we get the simulations? Invariants οΌ How much to bloat? β’ How to handle mode switches? Guards 16
Handling Invariants Tagging: track a region based on a predicate π ππ£π‘π’ π β π π β© π β β , ΰ΄€ ππππΊπππππ πΊ, πΈ = α πππ§ π β© π β β πππ’ π β© π = β Goal: Reachtube that respects the invariant of the mode π = ππππππππππΈπππππ(π, π±ππππππππ) is β©π 0 , π’ππ 0 , β¦ , π π , π’ππ π βͺ , such that either β² π‘ before it are must π’ππ π = ππ£π‘π’ if all the π π β² π‘ before it are tagged may or must and at least one of π’ππ π = πππ§ if all the π π them is not must 17
Handling Guards & Resets Goal: Compute set of states in Reachtube that change mode based on Guard πππππΊππππππ(π) returns a set of tagged regions N. β π iff β π β π΅, β©π π , π’ππ π βͺ β π such that π β² = πππ‘ππ’ π π π and: πβ², π’ππβ² π π β π»π£ππ π π , π’ππ π = π’ππ β² = ππ£π‘π’ π π β© π»π£ππ π π β β , π π β π»π£ππ π π , π’ππ π = ππ£π‘π’, π’ππ β² = πππ§ π π β© π»π£ππ π π β β , π’ππ π = π’ππβ² = πππ§ Tagging is essentially bookkeeping 1. πππ€ππ ππππ’ππ ππππ¦ discards the invalid trajectories (violating invariant) 2. πππ¦π’πππππππ‘ tags the regions based on the feasibility of discrete transition Utility of tagging 1. Reachable set is contained in union of may and must regions β inferring safety 2. There exists at least one reachable state in every must region β inferring violation of safety 18
Algorithm for Hybrid Systems Input: Initial Set Ξ , Unsafe set π , Time π , Number of Switches π πππ π’ππ’πππ β π’ππππππ·ππ€ππ (Ξ) β β©π, π’ππβͺ β πππ π’ππ’πππ π β π πππβππ£ππ(π, π) π¦ 0 end; 19
Algorithm for Hybrid Systems Input: Initial Set Ξ , Unsafe set π , Time π , Number of Switches π πππ π’ππ’πππ β π’ππππππ·ππ€ππ (Ξ) β β©π, π’ππβͺ β πππ π’ππ’πππ π β π πππβππ£ππ(π, π) π β πππ€ππ ππππ’ππ ππππ¦(π) invariant end; 20
Algorithm for Hybrid Systems Input: Initial Set Ξ , Unsafe set π , Time π , Number of Switches π πππ π’ππ’πππ β π’ππππππ·ππ€ππ (Ξ) β β©π, π’ππβͺ β πππ π’ππ’πππ π β π πππβππ£ππ(π, π) π β πππ€ππ ππππ’ππ ππππ¦(π) invariant if ( π is safe ) then continue; if ( π is unsafe and π’ππ is ππ£π‘π’ ) return unsafe ; else refine tagged cover; end; return safe ; 21
Recommend
More recommend
