Logic in Software, Dynamical and Biological Systems Ashish Tiwari - PowerPoint PPT Presentation

✬ ✩ Logic in Software, Dynamical and Biological Systems Ashish Tiwari SRI International Menlo Park, CA 94025 tiwari@csl.sri.com ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 1

✬ ✩ Problem Classes From a logical perspective, we have three classes of problems: Given description E , find/check some desired description E ′ such that 1. E ⇔ E ′ Example: Linear equation solving, Gr¨ obner basis, theorem proving, computer algebra 2. E ⇒ E ′ Example: verification, abstraction, abstract interpretation, bounded synthesis 3. E ′ ⇒ E Example: learning, synthesis, diagnosis ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 2

✬ ✩ Formal Methods Model and analyze systems formally Two aspects: • Formal model of dynamical system • Formal property specification language ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 3

✬ ✩ Formal Models of Dynamical Systems Modeling formalisms: Time and state space Time T domain: • discrete-time: N • continuous-time: R • hybrid-time: N × R State space SS domain: • discrete space: 2 n × N m • continuous space: R n • hybrid space: 2 n × R m ✫ ✪ Semantics: T �→ SS Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 4

✬ ✩ Outline I. Continuous dynamical system verification �→ ∃∀ solving II. Hybrid system verification �→ ∃∀ solving + discrete system verification III. Component-based Synthesis �→ ∃∀ solving IV. ∃∀ Solvers V. Systems Biology �→ ∀ solving VI. Program verification �→ Approximating logical operators ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 5

✬ ✩ Continuous Dynamical Systems Tuple: � X, f, Inv � where Example: CDS with set of n real-valued variables X: { x 1 , x 2 } X := vector field; mapping R n �→ R n f: f ( x 1 , x 2 ) := ( − x 1 − x 2 , x 1 − x 2 ) invariant region, subset of R n Inv: R 2 Inv := 0.5 Example CDS’s dynamics are given by: 0 −0.5 dx 1 − x 1 − x 2 = dt −1 dx 2 −1.5 x 1 − x 2 = dt −2 −0.5 0 0.5 1 1.5 2 Semantics: A structure � R n , →� where → is { ( F (0) , F ( t 1 )) | ∀ 0 ≤ t ≤ t 1 : dF ( t ) = f ( F ( t )) , F ( t ) ∈ Inv } ✫ ✪ dt Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 6

✬ ✩ Continuous Dynamical Systems Reachability Linear systems: d� x dt = A� x + b Exact reachable sets can be computed when either • A is diagonalizable with all rational eigenvalues • A is diagonalizable with all purely imaginary rational eigenvalues • A is nilpotent In these cases, after suitable change of variables, reachable sets are semi-algebraic and can be obtained using quantifier elimination ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 7

✬ ✩ Certificate-Based Verification A certificate for M | = φ is Φ such that 1. | = Φ ⇒ φ 2. M | = Φ is locally checkable M | = Φ reduces to a formula in the (underlying FO) logic Examples: Property φ Certificate Φ safety inductive invariant stability Lyapunov function termination ranking function controlled safety controlled inductive invariant ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 8

✬ ✩ Certificate-Based Verification Certificate-based verification reduces the verification problem to an ∃∀ formula. M | = φ ⇑ ∃ Φ : (( M | = Φ) ∧ (Φ ⇒ φ )) ⇑ ∃ Φ : ∀ � x : quantifier-free FO formula ⇑ ∃ � a : ∀ � x : quantifier-free FO formula The last step performed by choosing a template for Φ ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 9

✬ ✩ Inductive Invariants for CDSs Used to prove safety of CDSs How to define inductiveness ? A set I is inductive if ∀ � x : � x ∈ I ∧ � x → � y ⇒ � y ∈ I Recall semantics of CDS has uncountably infinite → -successors for every state, not defined constructively ([T.2003], [Prajna and Jadbabaie 2004],[Sankaranarayanan et al. 2004]) ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 10

✬ ✩ Inductiveness for CDSs Example: dx 1 − x 1 − x 2 = dt dx 2 = x 1 − x 2 dt Is x 2 1 + x 2 2 ≤ 0 . 5 inductive? Intuition: Ensure vector field points inwards at all points on the boundary of the set ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 11

✬ ✩ Lie Derivative Let p := x 2 1 + x 2 2 − 0 . 5 The set p ≤ 0 is inductive if dp p = 0 ⇒ dt < 0 dt = 0 ∧ d 2 p ∨ dp dt 2 < 0 dt = d 2 p dt 2 = 0 ∧ d 3 p ∨ dp dt 3 < 0 . . . dt := � where dp ∇ p · f is Lie derivative of p wrt f . Several sound checks, but no complete check in general ✫ ✪ For special cases, finite complete checks exist Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 12

✬ ✩ Example: Certificate-Based Safety dx 1 dx 2 dt = − x 1 − x 2 dt = x 1 − x 2 Example: Problem: If x 1 ≤ 0 . 5 and x 2 ≤ 0 . 5 initially, prove G ( x 2 ≤ 1) Let us find a certificate of the form p ≤ 0 where p := ax 2 1 + bx 2 2 + c We need to solve ( p = 0 ⇒ dp ∃ a, b, c : ∀ x 1 , x 2 : dt < 0) ∧ ( x 1 ≤ 0 . 5 ∧ x 2 ≤ 0 . 5 ⇒ p ≤ 0) ∧ ( p ≤ 0 ⇒ x 2 ≤ 1) We get p := x 2 1 + x 2 2 − 0 . 5 . Proved. ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 13

✬ ✩ Certification-based Verification Without Solving ∃∀ A Lyapunov function is a certificate for stability We can discover Lyapunov functions by solving ∃∀ formulas But even without solving ∃∀ formulas, we can determine stability of linear systems Can we find useful invariants without solving ∃∀ formulas ? ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 14

✬ ✩ Inductive Sets of Linear Systems Without solving ∃∀ formulas Consider d� x dt = A� x Bad / Unsafe If � c is a left eigenvector of A corr to λ , then States c T A c T � = λ� c T � Initial Let p := � x , we have States c T � dp d� x c T d� x c T A� c T � = = � = � x = λ� x = λp dt dt dt Hence, p ≥ 0 and p ≤ 0 are inductive sets The surface p = 0 is called a barrier certificate ✫ Inductive sets for linear systems can be obtained by analyzing matrix A ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 15

✬ ✩ Example: Certificate-based Verification w/o ∃∀ Example. Consider a cruise control: v ˙ = a a ˙ = − 4 v + 3 v f − 3 a + gap − v + v f gap ˙ = where v, a is the velocity and acceleration of this car, v f is the velocity of car in front, and gap is the distance between the two cars. Prove that the cars will not crash when ACC mode is initiated in given set of states. Solution: Use inductive invariant corr to the negative real eigenvalue of A . ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 16

✬ ✩ Hybrid Automata A powerful modeling language A finite collection of CDS with switching between them Tuple � Q, ( CDS q ) q ∈ Q , E � where Q : finite set of modes CDS � X, f q , Inv q � within state q CDS q : subset of ( Q × R n ) × ( Q × R n ) E : Semantics: A structure � Q × R n , →� where → is E ∪ { ( q, F (0) , q, F ( t 1 )) | ∀ 0 ≤ t ≤ t 1 : dF ( t ) = f q ( F ( t )) , F ( t ) ∈ Inv q } dt ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 17

✬ ✩ Example: Hybrid Automata Bouncing Ball: Ball under vertical free fall that loses 10% of its velocity when it bounces off the ground One mode q with variables X := { y, v } and dynamics: dy dv dt = − 9 . 8 dt = v so, f q ( y, v ) := ( v, − 9 . 8) is the vector field Discrete transition given by: ( q, (0 , v ) , q, (0 , − 0 . 9 ∗ v )) ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 18

✬ ✩ Hybrid Automata Verification Problem Semantics of hybrid automata are given as discrete state transition system (with uncountably infinite state space) Therefore, we can ask about the complexity of the model checking problem Even reachability is undecidable ✫ ✪ Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 19

✬ ✩ Classes of Hybrid Automata Several subclasses of HA have been studied Restrictions on the continuous dynamics and the discrete dynamics Timed Automata: dx dt = 1 for all x , in all modes Guards of the form x − y ≤ c (Boolean combination) Some clocks x can be reset x := 0 Linear Hybrid Automata: dx dt = c x for all x , in all modes there are linear constraints among the c x variables Guards are linear constraint over X Model checking problems are decidable for timed automata, but undecidable for linear hybrid automata ✫ ✪ Boundary is well studied Ashish Tiwari, SRI Intl. Logic in Software, Dynamical and Biological Systems: 20