Proving and Explaining the Unfeasibility of Message Sequence Charts - - PowerPoint PPT Presentation

Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems

Alessandro Cimatti Sergio Mover Stefano Tonetta

Fondazione Bruno Kessler

October 31, 2011

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 1 / 28

Motivations

Hybrid Systems Mix discrete (e.g. hardware) and continuous (e.g. sensor) behaviors. Complex critical systems: train control system (ETCS), airplane traffic control system (TCAS), . . . Network of components.

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller

Scenario-verification Is there a run of the system compatible with the scenario?

If such a run exists, the scenario is feasible.

Rem2 Add2 time ≥ 19 Rem1 Rem1 time ≥ 80 Add1 time ≤ 19 Add1 Rod2 Controller Rod1

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 2 / 28

Motivations

Existing approaches:

1

Reduction to reachability:

Can prove both feasibility and unfeasibility. Inefficient.

2

Scenario-based encoding [CAV11]:

Cannot prove unfeasibility. Efficient.

Our contribution is a SMT-based technique that: Efficiently proves unfeasibility. Extracts explanations for the unfeasibility.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 3 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 4 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 5 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 6 / 28

Hybrid Automata

Hybrid automata ([Henzinger 96]): Framework for representing hybrid systems. Discrete instantaneous mode switches. Continuous evolution according to flow conditions.

Ready ˙ x ∈ [0.9, 1.1] TRUE x = 0 In ˙ x ∈ [0.9, 1.1] x ≤ 5.9 Recovering ˙ x ∈ [0.9, 1.1] x ≤ 16 Add1/x′ := 0 Remove1/x′ := 0 x ≥ 16/τ/x′ := x Rod1

time x Recovering

1 2 3 4 5 6 7 8 9 1 2 3

time

location

Ready In Recovering

1 2 3 4 5 6 7 8 9

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 7 / 28

Hybrid Automata Network

Network of hybrid automata H = H1|| . . . ||Hn: Move asynchronously on local events (τ). Synchronize on shared events.

Ready ˙ x ∈ [0.9, 1.1] TRUE x = 0 In ˙ x ∈ [0.9, 1.1] x ≤ 5.9 Recovering ˙ x ∈ [0.9, 1.1] x ≤ 16 Add1/x′ := 0 Remove1/x′ := 0 x ≥ 16/τ/x′ := x Rod1 Ready ˙ x ∈ [0.9, 1.1] TRUE x = 0 In ˙ x ∈ [0.9, 1.1] x ≤ 5.9 Recovering ˙ x ∈ [0.9, 1.1] x ≤ 16 Add2/x′ := 0 Remove2/x′ := 0 x ≥ 16/τ/x′ := x Rod2 No Rod ˙ x ∈ [0.9, 1.1] x ≤ 16 x = 0 Rod 1 ˙ x ∈ [0.9, 1.1] x ≤ 5.9 Rod 2 ˙ x ∈ [0.9, 1.1] x ≤ 5.9 x ≥ 16/Add1/x′ := 0 x ∈ [5, 5.9]/Remove1/ x′ := 0 x ≥ 16/Add2/x′ := 0 x ∈ [5, 5.9]/Remove2/ x′ := 0 Controller

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller

Different semantics:

1

Global-time ([Henzinger 96]).

2

Local-time ([Bengstsson 98]).

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 8 / 28

Local-time semantics

The time evolves independently in each automaton:

Local time scale. The continuous evolution is a local transition.

The local time of the automata must be the same:

On synchronizations. At the end of a run.

τ τ A

τ B τ

τ

A

B

τ = local event (no stutter or time).

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 9 / 28

SMT analysis of Hybrid Systems

Each automaton is encoded in a symbolic transition system Hi = Initi, Transi. Bounded model checking:

BMCH1(k) 1 2 T 3 T 4 T ... k T T BMCH2(k) 1 2 T 3 T 4 T ... k T T . . .

k-induction.

Base case: BMC up to k. Inductive case: BMC and simple path condition up to k + 1.

Use SMT solvers as decision procedure.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 10 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 11 / 28

Constrained Message Sequence Charts

m, φ: Message sequence chart m with constraints φ. m: parallel composition of instances. φ = φg ∧ φ1 ∧ . . . ∧ φn: formulas over the network variables on synchronization. Global (φg): over all the network variables. Local φi: over variable of Hi.

Rem2 Add2 time ≥ 19 Rem1 Rem1 time ≥ 80 Add1 time ≤ 19 Add1 Rod2 Controller Rod1

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 12 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

m = σ1||σ2||σ3||σ4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

Cut: l0

1, l0 2, l0 3, l0 4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

Cut: l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

Cut: l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

Cut: l1

1, l1 2, l2 3, l2 4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

MSC verification via reachability

The CMSC is translated in a monitor automaton Sm. The automaton is composed with the network. Enables off-the-shelf verification techniques:

BMC: feasibility. k-induction: unfeasibility.

B D A C

σ3 σ4 σ1 σ2

Cut: l1

1, l3 2, l3 3, l2 4

l0

1, l0 2, l0 3, l0 4

l1

1, l1 2, l0 3, l0 4

l0

1, l0 2, l1 3, l1 4

l1

1, l1 2, l1 3, l1 4

l0

1, l0 2, l2 3, l2 4

l1

1, l1 2, l2 3, l2 4

l1

1, l2 2, l3 3, l2 4

τ τ τ τ τ τ A B B A C C A D

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 13 / 28

Scenario-based encoding

For all the automata:

Fix the position of the shared events. transitions are simplified wrt shared event

Add2 Add1 Rem1 Rod2 Controller Rod1

. . .

Add1

. . .

Rem1

. . . . . .

Add1

. . .

Rem1

. . .

Add2

. . . . . .

Add2

. . . Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 14 / 28

Scenario-based encoding

For all the automata:

Fix the position of the shared events. transitions are simplified wrt shared event Add the synchronization constraints.

Add2 Add1 Rem1 Rod2 Controller Rod1

. . .

Add1

. . .

Rem1

. . . . . .

Add1

. . .

Rem1

. . .

Add2

. . . . . .

Add2

. . . Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 14 / 28

Scenario-based encoding

For all the automata:

Fix the position of the shared events. transitions are simplified wrt shared event Add the synchronization constraints. Encode the “local segments”. transitions are simplified wrt τ

Add2 Add1 Rem1 Rod2 Controller Rod1

. . . . . .

τ τ Add1

. . . . . .

τ τ Rem1

. . . . . .

τ τ

. . . . . .

τ τ Add1

. . . . . .

τ τ Rem1

. . . . . .

τ τ Add2

. . . . . .

τ τ

. . . . . .

τ τ Add2

. . . . . .

τ τ

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 14 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 15 / 28

Efficient unfeasibility check

Reduction to reachability SMT-based approach Feasibility BMC Scenario-driven encoding Inefficient Efficient Unfeasibility K-induction Partitioned k-induction Inefficient Efficient

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 16 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ τ simple path UNSAT - no new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ simple path UNSAT - no new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ simple path SAT - new states are reachable τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ simple path SAT - new states are reachable τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ simple path UNSAT - no new states are reachable τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ simple path SAT - new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ τ simple path UNSAT - no new states are reachable . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ Rem1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1 τ τ Add1 τ τ Rem1 . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1

. . .

τ τ τ Add1 τ τ Rem1

. . .

τ Add2

. . .

τ Rem2

. . .

τ

. . .

τ τ Add2

. . .

τ Rem2

. . .

τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Partitioned K-induction - Algorithm

Inductive step: proved incrementally following the partial order of the MSC. Base case: bounded feasibility check.

Add2 Add1 Rem1 Rod2 Controller Rod1

Unfeasible iff UNSAT τ τ Add1 τ τ Rem1

. . .

τ τ τ Add1 τ τ Rem1

. . .

τ Add2

. . .

τ Rem2

. . .

τ

. . .

τ τ Add2

. . .

τ Rem2

. . .

τ . .

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 17 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 18 / 28

Explanations of unfeasibility

Typical use case:

We expect that a scenario is feasible. The analysis proves that the scenario is unfeasible in the network. How do we explain the unfeasibility?

We extract three types of explanations for the unfeasibility.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 19 / 28

Unfeasibility due to a component

Explained with a formula that: Is required by the component when simulating its MSC events. Is not consistent with the other components when they simulate the events of the MSC.

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller ∆time ≤ 379

9

Add2 time ≥ 19 Rem2 Rod2 Rod1 Rem1 Rem1 time ≥ 80 Add1 time ≤ 19 Add1 Controller Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 20 / 28

Unfeasibility due to a component

Explained with a formula that: Is required by the component when simulating its MSC events. Is not consistent with the other components when they simulate the events of the MSC. It is the interpolant of A and B: A is the encoding of the component and its MSC events. B is the encoding of the other components and their MSC events.

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller ∆time ≤ 379

9

Add2 time ≥ 19 Rem2 Rod2 Rod1 Rem1 Rem1 time ≥ 80 Add1 time ≤ 19 Add1 Controller Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 20 / 28

Unfeasibility due the network

Explained with a formula that: Is required by the network when simulating the MSC. Is not consistent with the additional constraints of the MSC.

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller ∆time ≤ 146

3

time ≥ 19 Add2 Rem2 Add1 Rem1 time ≥ 80 Add1 time ≤ 19 Rem1 Rod2 Controller Rod1 Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 21 / 28

Unfeasibility due the network

Explained with a formula that: Is required by the network when simulating the MSC. Is not consistent with the additional constraints of the MSC. It is the interpolant of A and B: A is the encoding of the network and the MSC. B are the CMSC constraints.

Add1, Remove1 Add2, Remove2

Rod1 Rod2 Controller ∆time ≤ 146

3

time ≥ 19 Add2 Rem2 Add1 Rem1 time ≥ 80 Add1 time ≤ 19 Rem1 Rod2 Controller Rod1 Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 21 / 28

Inconsistent subset of the CMSC

Subset of the original CMSC that is still unfeasible with the network.

A A A D B C B σ5 σ1 σ2 σ4 σ3

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 22 / 28

Inconsistent subset of the CMSC

Subset of the original CMSC that is still unfeasible with the network. Extracted from the unsatisfiable core of the encoding.

A A A D B C B σ5 σ1 σ2 σ4 σ3

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 22 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 23 / 28

Experimental Evaluation

Implementation: Approach implemented on top of the NUSMV model checker. We use the MATHSAT SMT solver. Settings: Linear hybrid automata benchmarks. Several handcrafted (unsatisfiable) MSCs. We scaled the dimension of the benchmarks (number of automata, length of the MSCs). Comparison: MSC partitioned k-induction. Monolithic k-induction on the system composed with the monitor automata.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 24 / 28

Partitioned k-induction vs. Monolithic k-induction (run times)

to 0.1 1 10 100 1000 0.1 1 10 100 1000 Partitioned-induction Monolithic-induction Run time (sec.)

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 25 / 28

Outline

1

Background SMT analysis of Hybrid Systems Scenario-Verification

2

Proving the unfeasibility of scenarios

3

Explanations of Unfeasibility

4

Experimental Evaluation

5

Conclusions and future work

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 26 / 28

Conclusions and future work

Efficient approach for proving the unfeasibility of CMSC.

The encoding exploits the structure of the CMSC. Partitioned k-induction.

Unfeasibility explanations:

Useful to localize and correct the errors. Extracted exploiting the SMT solver functionalities.

Future works: More expressive MSCs (e.g. partial MSCs specifications). Validate the extracted explanations by real users. Automatic refinement loop in the abstraction. Non-linear hybrid systems.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 27 / 28

Thank you for your attention.

Sergio Mover (FBK) Unfeasibility and Explanations of MSC October 31, 2011 28 / 28