Learning-based Synthesis of Safety Controllers Oliver Markgraf 1,2 - - PowerPoint PPT Presentation
Learning-based Synthesis of Safety Controllers Oliver Markgraf 1,2 Daniel Neider 1 1 Max Planck Institute for Software Systems 2 Technical University of Kaiserslautern FMCAD 2019, San Jose, California, USA 24 October 2019 Motivation Oliver
Oliver Markgraf 1,2 Daniel Neider 1
1Max Planck Institute for Software Systems 2Technical University of Kaiserslautern
FMCAD 2019, San Jose, California, USA 24 October 2019
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 2
Specification + Environment Infinite duration, two-player game
Strategy / Controller
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 2
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I ◮ Safe vertices F
:= Player 0 := Player 1 := Initial := Safe
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I ◮ Safe vertices F
:= Player 0 := Player 1 := Initial := Safe
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I ◮ Safe vertices F
:= Player 0 := Player 1 := Initial := Safe
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I ◮ Safe vertices F
:= Player 0 := Player 1 := Initial := Safe
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Vertices of Player 0 V0, vertices of Player 1 V1 ◮ Edges E ◮ Initial vertices I ◮ Safe vertices F
:= Player 0 := Player 1 := Initial := Safe
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Successively remove vertices from which a stay inside the safe
vertices cannot be enforced := Player 0 := Player 1 := Initial := Safe := Winning region
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Successively remove vertices from which a stay inside the safe
vertices cannot be enforced := Player 0 := Player 1 := Initial := Safe := Winning region
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Successively remove vertices from which a stay inside the safe
vertices cannot be enforced := Player 0 := Player 1 := Initial := Safe := Winning region
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Successively remove vertices from which a stay inside the safe
vertices cannot be enforced := Player 0 := Player 1 := Initial := Safe := Winning region
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
◮ Successively remove vertices from which a stay inside the safe
vertices cannot be enforced
◮ Winning strategy for Player 0, winning strategy for Player 1
:= Player 0 := Player 1 := Initial := Safe := Winning region
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 3
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 4
Arithmetic
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 5
Definition
A safety game is a five-tuple G = (V0, V1, E, I, F) consisting of
◮ a set V0 encoding the vertices of Player 0 ◮ a set V1 encoding the vertices of Player 1 ◮ a set I encoding the initial vertices ◮ a set F encoding the safe vertices ◮ a relation E ⊆ V × V encoding the edges
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 6
Definition
A safety game is a five-tuple G = (V0, V1, E, I, F) consisting of
◮ a set V0 encoding the vertices of Player 0 ◮ a set V1 encoding the vertices of Player 1 ◮ a set I encoding the initial vertices ◮ a set F encoding the safe vertices ◮ a relation E ⊆ V × V encoding the edges
Assumption
Each vertex has only a finite number of successors
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 6
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 7
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 7
1 2 3 4 5 . . .
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 7
1 2 3 4 5 . . .
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 7
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Let x ∈ R be the position of the robot and p ∈ {0, 1} indicate which player is in control of the robot φV0(x, p) := p = 0 φV1(x, p) := p = 1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 8
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
φI(x, p) := x ≥ 3 ∧ x < 4 ∧ p = 0 φF(x, p) := x ≥ 2
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 8
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Model robot movements φMove_Right(x, p, x′, p′) := x′ = x + 1 ∧ p = 1 − p′ φMove_Left(x, p, x′, p′) := x′ = x − 1 ∧ p = 1 − p′
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 8
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Model the edge relation E φE(x, p, x′, p′) := φMove_Right ∨ φMove_Left
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 8
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Winning set W W = x ≥ 3
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 8
F I
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 9
F W I
Winning Set
A W of vertices is a winning set if is satisfies
◮ I ⊆ W ◮ W ⊆ F ◮ E({v}) ∩ W = ∅ for all v ∈ W ∩ V0 (existential closedness) ◮ E({v}) ⊆ W for all v ∈ W ∩ V1 (universal closedness).
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 9
Hypothesis H ⊆ V Counterexample
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 10
Hypothesis H ⊆ V Counterexample
Teacher
◮ implementation based on SMT-solver
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 10
F W I
Winning Set
A W of vertices is a winning set if is satisfies
◮ I ⊆ W ◮ W ⊆ F ◮ E({v}) ∩ W = ∅ for all v ∈ W ∩ V0 (existential closedness) ◮ E({v}) ⊆ W for all v ∈ W ∩ V1 (universal closedness).
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 11
F I
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 12
F I
v
Counterexample
Let H be the Hypothesis
◮ Positive counterexample: v ∈ I \ H
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 12
F I
v
Counterexample
Let H be the Hypothesis
◮ Positive counterexample: v ∈ I \ H ◮ Negative counterexample: v ∈ H \ F
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 12
F I
v
Counterexample
Let H be the Hypothesis
◮ Positive counterexample: v ∈ I \ H ◮ Negative counterexample: v ∈ H \ F ◮ Existential counterexample: v ∈ H ∩ V0 with E({v}) ∩ H = ∅,
v → (v1 ∨ . . . ∨ vn) with {v1, . . . , vn} = E({v}).
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 12
F I
v
Counterexample
Let H be the Hypothesis
◮ Positive counterexample: v ∈ I \ H ◮ Negative counterexample: v ∈ H \ F ◮ Existential counterexample: v ∈ H ∩ V0 with E({v}) ∩ H = ∅,
v → (v1 ∨ . . . ∨ vn) with {v1, . . . , vn} = E({v}).
◮ Universal counterexample:v ∈ H ∩ V1 with E({v}) ⊆ H,
v → (v1 ∧ . . . ∧ vn) with {v1, . . . , vn} = E({v}).
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 12
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Counterexample
Let H = x ≥ 1 be the Hypothesis
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 13
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Counterexample
Let H = x ≥ 1 be the Hypothesis
◮ Negative counterexample: 1.27 ∈ H \ F
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 13
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Counterexample
Let H = x ≥ 2 be the Hypothesis
◮ Universal counterexample: 2.27 ∈ H ∩ V1 ◮ E({2.27}) = {1.27, 3.27} ⊆ H
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 13
. . . . . . . . . 0.27 1.27 2.27 3.27 4.27
Winning set as decision tree
The winning set is W = x ≥ 3 x ≥ 3 1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 13
Hypothesis H ⊆ V Counterexample
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 14
Hypothesis H ⊆ V Counterexample
Learner
◮ Horn ICE learner from software verification [1]
[1] P. Ezudheen, D. Neider, D. D’Souza, P. Garg, P. Madhusudan: Horn-ICE learning for synthesizing invariants and contracts. Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 14
Hypothesis H ⊆ V Counterexample
Horn constraints
◮ d1 ∧ . . . ∧ dn → d ◮ d1 ∧ . . . ∧ dn → false ◮ true → d
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 14
The learners maintain a game sample SG = (Pos, Neg, Ex, Un) to store counterexamples
Learning Task
Given a game sample SG, construct a set H that is consistent with SG:
v → (v1 ∨ . . . ∨ vn) ∈ Ex
v → (v1 ∧ . . . ∧ vn) ∈ Un.
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 15
Game sample SG Horn sample SH Decision tree tG Decision tree tH Sample Transformation Horn ICE Learner Tree Transformation
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
Sample Transformation
Game sample Horn sample d ∈ Pos d → false d ∈ Neg true → d d → (d1 ∨ . . . ∨ dn) (d1 ∧ . . . ∧ dn) → d d → (d1 ∧ . . . ∧ dn) d1 → d, . . . , dn → d
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
Game sample SG Horn sample SH Decision tree tG Decision tree tH Sample Transformation Horn ICE Learner Tree Transformation
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
◮ d → (d1 ∨ · · · ∨ dn) ∈ Ex ◮ . . . ◮ (d1 ∧ · · · ∧ dn) → d ∈ SH ◮ . . .
Decision tree tG Tree Transformation y < 2 1 x ≥ 0 1 Horn ICE Learner
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
Lemma
Let SG be a game sample and P a finite set of predicates, both over the domain D. Moreover, let SH be a Horn sample, tH the decision tree over the Horn sample, and tG be the decision tree over the game
consistent with SG.
Decision tree definitions
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
◮ d → (d1 ∨ · · · ∨ dn) ∈ Ex ◮ . . . ◮ (d1 ∧ · · · ∧ dn) → d ∈ SH ◮ . . .
y < 2 1 x ≥ 0 1 Horn ICE Learner y < 2 x ≥ 0 1 Map 0 → 1; 1 → 0
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 16
Example
◮ Given R2 = D and d = (x, y) = (−1, 2) ◮ Assume d ∈ Pos and d → false ∈ SH
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 17
Example
◮ Given R2 = D and d = (x, y) = (−1, 2) ◮ Assume d ∈ Pos and d → false ∈ SH
tH : y < 2 x ≥ 0 1 tG : y < 2 1 x ≥ 0 1
Transform tree
Evaluation of d
◮ tH(d) = 0
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 17
Example
◮ Given R2 = D and d = (x, y) = (−1, 2) ◮ Assume d ∈ Pos and d → false ∈ SH
tH : y < 2 x ≥ 0 1 tG : y < 2 1 x ≥ 0 1
Transform tree
Evaluation of d
◮ tH(d) = 0 ◮ tG(d) = 1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 17
Theorem
Let G be a safety game. DT-Synth is guaranteed to learn a winning set after a finite number of iterations if there exists one that is expressible as a decision tree over P.[1]
[1] P. Ezudheen, D. Neider, D. D’Souza, P. Garg, P. Madhusudan: Horn-ICE learning for synthesizing invariants and contracts. Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 18
D i a g
a l D i a g
a l D i a g
a l D i a g
a l 5 10 # of games solved
DT-synth SAT-synth[2] RPNI-synth[2] CONSYNTH[3]
Benchmarks
◮ Cinderella game ◮ Program repair games ◮ Robot motion planning games
[2] Daniel Neider, Ufuk Topcu: An Automaton Learning Approach to Solving Safety Games over Infinite Graphs. TACAS 2016 [3] Beyene et al.: A constraint-based approach to solving games on infinite graphs. POPL 2014 Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 19
D i a g
a l D i a g
a l D i a g
a l D i a g
a l 5 10 # of games solved
DT-synth SAT-synth[2] RPNI-synth[2] CONSYNTH[3]
D i a g
a l D i a g
a l D i a g
a l D i a g
a l 200 400 600 800 1,000 total time in s
DT-synth SAT learner
[2] Daniel Neider, Ufuk Topcu: An Automaton Learning Approach to Solving Safety Games over Infinite Graphs. TACAS 2016 [3] Beyene et al.: A constraint-based approach to solving games on infinite graphs. POPL 2014 Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 19
Tool Easy to Easy to Guarantees No help model interpret to find a
games solution strategy required DT-Synth ✓ ✓ ✓ ✓ CONSYNTH ✓ ✗ ✓ ✗ SAT-Synth ✗ ✗ ✓ ✓ RPNI-Synth ✗ ✗ ✗ ✓
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 20
We have presented . . .
◮ . . . safety games, a symbolic representation of safety games ◮ . . . how a Horn learner interacts with a teacher for solving safety
games
Future Work
◮ Apply our technique to distributed synthesis
problems and more complex problems
◮ Consider different winning conditions such as
reachability and liveness Many thanks to Anthony W. Lin for the travel support.
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 21
Definition
A safety game is a five-tuple G = (V0, V1, E, I, F) consisting of
◮ a set V0 encoding the vertices of Player 0 ◮ a set V1 encoding the vertices of Player 1 ◮ a set I encoding the initial vertices ◮ a set F encoding the safe vertices ◮ a relation E ⊆ V × V encoding the edges
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 22
Definition
A safety game is a five-tuple G = (V0, V1, E, I, F) consisting of
◮ a set V0 encoding the vertices of Player 0 ◮ a set V1 encoding the vertices of Player 1 ◮ a set I encoding the initial vertices ◮ a set F encoding the safe vertices ◮ a relation E ⊆ V × V encoding the edges
Assumption
Each vertex has only a finite number of successors
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 22
Idea
Use Horn constraints to learn a hypothesis H
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 23
Idea
Use Horn constraints to learn a hypothesis H
Horn constraints
◮ (d1 ∧ . . . ∧ dn) → d ◮ (d1 ∧ . . . ∧ dn) → false ◮ true → d
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 23
Idea
Use Horn constraints to learn a hypothesis H
Horn constraints
◮ (d1 ∧ . . . ∧ dn) → d ◮ (d1 ∧ . . . ∧ dn) → false ◮ true → d
What are those di?
◮ abstract Domain D ◮ d ∈ D is called a data point ◮ e.g. (1, 2) ∈ R2
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 23
Idea
Hypothesis H is a decision tree t with a valuation t(d) ∈ B
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 24
Idea
Hypothesis H is a decision tree t with a valuation t(d) ∈ B
Decision tree
◮ Given R2 = D and d = (x, y) = (−1, 2)
y < 2 1 x ≥ 0 1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 24
Idea
Hypothesis H is a decision tree t with a valuation t(d) ∈ B
Decision tree
◮ Given R2 = D and d = (x, y) = (−1, 2)
y < 2 1 x ≥ 0 1
Evaluation of d
◮ left branch for predicate p if p(d) = true
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 24
Idea
Hypothesis H is a decision tree t with a valuation t(d) ∈ B
Decision tree
◮ Given R2 = D and d = (x, y) = (−1, 2)
y < 2 1 x ≥ 0 1
Evaluation of d
◮ right branch for predicate p if p(d) = false
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 24
Idea
Hypothesis H is a decision tree t with a valuation t(d) ∈ B
Decision tree
◮ Given R2 = D and d = (x, y) = (−1, 2)
y < 2 1 x ≥ 0 1
Evaluation of d
◮ t(d) ≡ label reached at a leaf ◮ t(d) = true
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 24
◮ A Horn sample SH stores Horn constraints. ◮ A game sample SG stores counterexamples.
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 25
◮ A Horn sample SH stores Horn constraints. ◮ A game sample SG stores counterexamples.
Translation
◮ d ∈ Pos d → false ∈ SH ◮ d ∈ Neg true → d ∈ SH ◮ d → (d1 ∨ . . . ∨ dn) ∈ Ex (d1 ∧ . . . ∧ dn) → d ∈ SH ◮ d → (d1 ∧ . . . ∧ dn) ∈ Un di → d ∈ SH ∀i ∈ {1, . . . , n}
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 25
◮ A Horn sample SH stores Horn constraints. ◮ A game sample SG stores counterexamples.
Translation
◮ d ∈ Pos d → false ∈ SH ◮ d ∈ Neg true → d ∈ SH ◮ d → (d1 ∨ . . . ∨ dn) ∈ Ex (d1 ∧ . . . ∧ dn) → d ∈ SH ◮ d → (d1 ∧ . . . ∧ dn) ∈ Un di → d ∈ SH ∀i ∈ {1, . . . , n}
Decision tree
◮ Learner constructs decision tree based on Horn samples
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 25
◮ A Horn sample SH stores Horn constraints. ◮ A game sample SG stores counterexamples.
Translation
◮ d ∈ Pos d → false ∈ SH ◮ d ∈ Neg true → d ∈ SH ◮ d → (d1 ∨ . . . ∨ dn) ∈ Ex (d1 ∧ . . . ∧ dn) → d ∈ SH ◮ d → (d1 ∧ . . . ∧ dn) ∈ Un di → d ∈ SH ∀i ∈ {1, . . . , n}
Decision tree
◮ Learner constructs decision tree based on Horn samples ◮ Transform decision tree to use Game samples
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 25
Translation
◮ d ∈ Pos d → false ∈ SH ◮ d ∈ Neg true → d ∈ SH ◮ d → (d1 ∨ . . . ∨ dn) ∈ Ex (d1 ∧ . . . ∧ dn) → d ∈ SH ◮ d → (d1 ∧ . . . ∧ dn) ∈ Un di → d ∈ SH ∀i ∈ {1, . . . , n}
Decision Tree transformation
y < 2 1 x ≥ 0 1 y < 2 x ≥ 0 1
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 26
C i n d e r e l l a ( c = 2 ) C i n d e r e l l a ( c = 3 ) P r
r a m
e p a i r R e p a i r
r i t i c a l S y n t h
y n c h r
i z a t i
0.1 1 10 100 timeout time in s
DT-synth SAT-Synth RPNI-Synth CONSYNTH
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 27
B
B
L i m i t e d D i a g
a l E v a s i
F
l
S
i t a r y B
S q u a r e 5 x 5 0.1 1 10 100 timeout time in s
DT-synth SAT-Synth RPNI-Synth CONSYNTH
Oliver Markgraf and Daniel Neider: Learning-based Synthesis of Safety Controllers 28