deductive safety and liveness verification for ordinary
play

Deductive Safety and Liveness Verification for Ordinary Differential - PowerPoint PPT Presentation

Mar 17, 2024 •244 likes •1.14k views

Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34 Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System:

  1. Deductive Safety and Liveness Verification for Ordinary Differential Equations Yong Kiam Tan Computer Science Department, Carnegie Mellon University INRIA, 30th Apr 2020 1 / 34

  2. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise × Testing control software on the real CPS is expensive and unsafe. 2 / 34

  3. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise v x Continuous dynamics: x ′ = v , v ′ = a � �� � Ordinary Differential Equations (ODEs) t t × Testing control software on the real CPS is expensive and unsafe. 2 / 34

  4. Motivation: Cyber-Physical Systems (CPSs) Cyber-Physical System: Discrete software controller: if (v > speed_limit) a := -1; //apply brakes else a := 0; //cruise v x Continuous dynamics: x ′ = v , v ′ = a � �� � Need formal proofs for ODEs t t × Testing control software on the real CPS is expensive and unsafe. � Formal proofs give highest level of confidence in correctness of CPSs. 2 / 34

  5. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 3 / 34

  6. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 4 / 34

  7. Correctness Specifications for CPSs � Safe: always drives below the speed limit 5 / 34

  8. Correctness Specifications for CPSs � Safe: always drives below the speed limit � Safe: always drives below the speed limit 5 / 34

  9. Correctness Specifications for CPSs � Safe: always drives below the speed limit � Live: eventually gets to its destination � Safe: always drives below the speed limit × Not live: stuck in a train repair bay 5 / 34

  10. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs x ′ = y , y ′ = (1 − x 2 ) y − x Visualization: Van der Pol equations modeling an oscillating electrical circuit. 6 / 34

  11. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs Analogy: Trains are driving on tracks given by ODE solutions. x' = f ( x ) Ordinary Differential Equation (ODE) � �� � x ′ = f ( x ) 6 / 34

  12. ODEs & Domain Constraints ODE : Models for the continuous physics of CPSs Analogy: Trains are driving on tracks given by ODE solutions. Domain : Specifies the domain of x' = f ( x ) Q definition for ODEs Analogy: Domains make description ODE with domain Q � �� � of train tracks more precise. x ′ = f ( x ) & Q 6 / 34

  13. ✓ ✓ ⨯ ✓ Safety & Liveness for ODEs P Q ODE with domain Q � �� � x ′ = f ( x ) & Q ] P Safety: [ ���� Safe region � Train always stays in Pittsburgh ( P ) along its trajectory. 7 / 34

  14. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q ] P x ′ = f ( x ) & Q � P Safety: [ Liveness: � ���� ���� Safe region Goal region � Train always stays in Pittsburgh � Train can eventually be driven to ( P ) along its trajectory. Pittsburgh ( P ). 7 / 34

  15. ⨯ ✓ ⨯⨯ ✓ ✓ ⨯ ✓ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q � P Safety: ¬� Liveness: � ���� ���� Unsafe region Goal region � Train can not eventually be driven � Train can eventually be driven to out of Pittsburgh ( ¬ P ). Pittsburgh ( P ). 7 / 34

  16. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal � Train can not eventually be driven � Train does not always stay out of out of Pittsburgh ( ¬ P ). Pittsburgh ( ¬ P ). 7 / 34

  17. ✓ ✓ ⨯ ✓ ✓ ⨯ ⨯⨯ Safety & Liveness for ODEs P P Q Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  18. ⨯ ✓ ⨯⨯ Safety & Liveness for ODEs ODE Safety Proofs 2 Rigorous proofs of ODE safety using ODE invariants. P Q ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  19. Safety & Liveness for ODEs ODE Safety Proofs 2 ODE Liveness Proofs 3 Rigorous proofs of ODE safety Rigorous proofs of ODE liveness using ODE invariants. using ODE safety. ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  20. Safety & Liveness for ODEs ODE Safety Proofs 2 ODE Liveness Proofs 3 Rigorous proofs of ODE safety Rigorous proofs of ODE liveness using ODE invariants. using ODE safety. ODE Liveness Example 4 An example application of formal ODE liveness arguments. ODE with domain Q ODE with domain Q � �� � � �� � x ′ = f ( x ) & Q � ¬ P x ′ = f ( x ) & Q ] ¬ P Safety: ¬� Liveness: ¬ [ ���� ���� Unsafe region Not at goal This talk: Exploiting logical duality in proofs of ODE safety and liveness. 7 / 34

  21. Outline ODEs, Safety, and Liveness 1 ODE Safety Proofs 2 ODE Liveness Proofs 3 ODE Liveness Example 4 Conclusion 5 8 / 34

  22. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C PA Pitt. 9 / 34

  23. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA PA Pitt. 9 / 34

  24. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA Pitt. 9 / 34

  25. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA 3 PA regional trains always stay in-state: Pitt. PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE 9 / 34

  26. ⨯ From ODE Safety to ODE Invariance Pennsylvanian ( PA ) regional trains in Pittsburgh ( P ) always stay out of Canada ( ¬ C ): P → [ x ′ = f ( x )] ¬ C 1 Trains in Pittsburgh are in Pennsylvania: P → PA 2 Trains in Pennsylvania are not in Canada: PA → ¬ C PA 3 PA regional trains always stay in-state: Pitt. PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE Idea 1: ODE safety questions reduce to ODE invariance questions. 9 / 34

  27. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Takeaway: Logic yields a complete understanding of ODE invariance. Benefit: Powerful automation for ODE safety from sound foundations. 10 / 34

  28. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Takeaway: Logic yields a complete understanding of ODE invariance. Benefit: Powerful automation for ODE safety from sound foundations. 3 PA regional trains always stay in-state: PA → [ x ′ = f ( x )] PA Claim: PA is an invariant of the ODE � �� � � or × answer can be computed mechanically with proof. 10 / 34

  29. Why take a logical approach? (ODE Safety) Theorem (Completeness for invariants [LICS’18]) The differential dynamic logic ( dL ) proof calculus is a sound and complete axiomatization for invariants of polynomial ODEs. In fact, it decides invariance for polynomial ODEs and formulas. Polynomial ODEs (Non-Polynomial) Solutions x ′ = x , x (0) = x 0 x ( t ) = x 0 e t x ′ = y , y ′ = − x , x (0) = 0 , y (0) = 1 x ( t ) = sin t , y ( t ) = cos t x ′ = y , y ′ = (1 − x 2 ) y − x Van der Pol equations (No polynomial solutions) How is this completeness result possible? 10 / 34

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness

Ch. 10 Avoiding Liveness Hazards J ESPER P EDERSEN N OTANDER Liveness and Safety A liveness property, something good eventually happens. e.g. program termination. A safety property, something bad never happens. e.g.

338 views • 16 slides
Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform

Why3 What is why3? A platform for deductive program verification What is why3? A platform for deductive program verification Made by: Franois Bobot Martin Clochard Lon Gondelman Jean-Christophe Fillitre Claude

98 views • 9 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

<latexit

851 views • 66 slides
3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

3 COMP 1 5 9 3 Algorithmic Verification Safety and Liveness, Fairness Dr. Liam OConnor

<latexit

270 views • 16 slides
Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A

Design Verification: Deductive Verification Virendra Singh Associate Professor C omputer A rchitecture and D ependable S ystems L ab Department of Electrical Engineering Indian Institute of Technology Bombay http://www.ee.iitb.ac.in/~viren/

627 views • 27 slides
Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille

Liveness Checking as Safety Checking FMICS, July 12 13, Malaga, Spain Armin Biere, Cyrille Artho, Viktor Schuppan http://www.inf.ethz.ch/schuppan/ Safety vs. Liveness 1 Safety Liveness Something bad will not Something good will

480 views • 31 slides
Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1

Liveness Checking as Safety Checking for Infinite State Spaces Viktor Schuppan 1 , Armin Biere 2 1 Computer Systems Institute, ETH Z urich 2 Institute for Formal Models and Verification, JKU Linz http://www.inf.ethz.ch/schuppan/

1.23k views • 18 slides
Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente)

Challenges In Deductive Software Verification Reiner Hhnle (with Marieke Huisman, U Twente) www.se.tu-darmstadt.de TU Darmstadt, Software Engineering Group Many challenges apply to AD in general Deductive Software Verification

165 views • 15 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay JCP 2016 1. A short look back 2 / 100 Introduction Software is hard. D ONALD K NUTH ... 1996: Ariane 5 explosion an

1.13k views • 100 slides
Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018

Lecture 10.1 Safety and Liveness EN 600.320/420 Instructor: Randal Burns 28 February 2018 Department of Computer Science, Johns Hopkins University Characterizing Concurrency Safety (correctness): what are the semantic guarantees

560 views • 8 slides
Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool

Towards Deductive Compilation: Implementing a Partial Evaluator Via a Software Verification Tool Reiner H ahnle (joint work with Richard Bubel and Ran Ji) Chalmers University of Technology Department of Computer Science and Engineering 10

1.11k views • 82 slides
Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud

Deductive Program Verification with W HY 3 Andrei Paskevich LRI, Universit Paris-Sud Toccata, Inria Saclay http://why3.lri.fr/ejcp-2019 JCP 2019 Software is hard. D ONALD K NUTH 2 / 171 Ensure the absence of bugs Several

2k views • 171 slides
1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

1 Deductive Verification Extremely powerful Extremely hard One proof can cover very

Methods of Assessing Model Behavior Testing spot checks aspects of real system Simulation spot checks aspects of abstract (model) system Deductive verification Uses axioms and proofs on a mathematical model of

596 views • 21 slides
Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part A Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.29k views • 106 slides
Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA,

Deductive Verification of Object-Oriented Software Part B Bernhard Beckert | VTSA, 24.28.08.2015 KIT I NSTITUTE FOR T HEORETICAL C OMPUTER S CIENCE www.kit.edu KIT University of the State of Baden-Wuerttemberg and National Laboratory

1.82k views • 158 slides
Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG

Teaching Deductive Verification to Teenagers Jean-Christophe Filli atre CNRS IFIP WG 1.9/2.15 Leuven, Belgium May 1112, 2017 context Universit e Paris Sud participates to a programme called Les Apprentis Chercheurs (the research

707 views • 42 slides
Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer

Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer

Analysis of Parameterised Timed Systems using Horn Constraints Hossein Hojjat Philipp Rmmer Pavle Subotic Wang Yi SynCoP+PV 23 April 2017 Context Starting point: Work on general-purpose fjxed-point solvers Application to timed

532 views • 27 slides
framework for regulating Network Rail Stakeholder event, 8 September 2017 Introduction and

framework for regulating Network Rail Stakeholder event, 8 September 2017 Introduction and

The overall framework for regulating Network Rail Stakeholder event, 8 September 2017 Introduction and PR18 Chris Hemsley 3 Purpose of stakeholder event To learn more about ORR policy proposals to inform your consultation responses

1.02k views • 49 slides
RAILWAY SOLUTIONS RAILWAY SOLUTIONS Development for Sustainable Change in Ethiopia Consulting

RAILWAY SOLUTIONS RAILWAY SOLUTIONS Development for Sustainable Change in Ethiopia Consulting

A PASSION FOR A PASSION FOR RAILWAY SOLUTIONS RAILWAY SOLUTIONS Development for Sustainable Change in Ethiopia Consulting Engineering Analysis Systems 1 Introduction Molinari Rail We are an independent railway consulting

254 views • 11 slides
! Institut for Informatics Digital transformation is ... ... the change of the analog to digital,

! Institut for Informatics Digital transformation is ... ... the change of the analog to digital,

Digital Transformation A Game Changer How Does the Digital Transformation Affect Informatics as a Scientific Discipline? Manfred Broy Technische Universitt Mnchen ! Institut for Informatics Digital transformation is ... ... the

887 views • 49 slides
Fourth Quarter 2015 Earnings Conference Call February 3, 2016 Cautionary Note Regarding

Fourth Quarter 2015 Earnings Conference Call February 3, 2016 Cautionary Note Regarding

Fourth Quarter 2015 Earnings Conference Call February 3, 2016 Cautionary Note Regarding Forward-Looking Statements Certain information contained in this presentation is forward looking information based on current expectations and plans that

468 views • 21 slides
HOW OUR REGIONAL TAX DOLLARS ARE BEING SPENT THE HONORABLE MARTY NOHE CHAIRMAN, NORTHERN

HOW OUR REGIONAL TAX DOLLARS ARE BEING SPENT THE HONORABLE MARTY NOHE CHAIRMAN, NORTHERN

12 th Annual What You Need To Know About Transportation HOW OUR REGIONAL TAX DOLLARS ARE BEING SPENT THE HONORABLE MARTY NOHE CHAIRMAN, NORTHERN VIRGINIA TRANSPORTATION AUTHORITY The Authority: Working Regionally 3 Regional Transportation

523 views • 49 slides
Optimizing agriculture for sustainability and productivity by ICT Seishi Ninomiya Institute for

Optimizing agriculture for sustainability and productivity by ICT Seishi Ninomiya Institute for

Optimizing agriculture for sustainability and productivity by ICT Seishi Ninomiya Institute for Sustainable Agro-ecosystem Services, The University of Tokyo 1 Agriculture and world population 10 10 6.5billion Agriculture Population

525 views • 29 slides
None of the above E Slide 2 / 43 2 In the absence of an external force a moving object will

None of the above E Slide 2 / 43 2 In the absence of an external force a moving object will

Slide 1 / 43 1 After firing a cannon ball a cannon moves in opposite direction from the ball. This an example of Newtons First law A Newtons Second Law B Newtons Third Law C Newtons Law of Gravitation D None of the above E

620 views • 43 slides

More recommend