
Satisfiability Modulo Theories Applications to Real-time - PowerPoint PPT Presentation



  1. Satisfiability Modulo Theories: Applications to Real-time Fault-Tolerant Systems
     SAT/SMT Summer School, Trento, Italy, June 2012
     Bruno Dutertre, Computer Science Laboratory, SRI International

  2. Outline
     Fault-tolerant Systems
     SMT-Based Model Checking
     Three Examples
     ◦ Timed Systems
     ◦ TTA Startup Protocol
     ◦ TTE Clock Synchronization

  3. Fault Tolerance

  4. Example: Avionics Control Systems
     Flight Control System (Fly-by-Wire)
     ◦ Reads pilot input + physical sensors (airspeed, pressure, angle of attack, etc.)
     ◦ Computes commands that move the plane's control surfaces
     ◦ Must be extremely reliable: the probability of failure must be less than $10^{-9}$ per flight hour (for civil aircraft)
     ◦ Hardware is not reliable enough (estimates are about $10^{-6}$ to $10^{-7}$ failure probability per hour for CPU, RAM, etc.)

  5. Highly Reliable Digital Systems
     [Figure: redundant system of sensors, actuators, computers, communication links]

  6. Fault Tolerance Issues
     Goal
     ◦ The full system must work (possibly in a degraded mode) even if some of its components are faulty
     Issues
     ◦ Ensure the non-faulty computers agree on the control output (within some margin), under some fault assumptions on the number and types of faults
     ◦ Example Fault Types
       – Fail-stop (crash, sends nothing)
       – Inconsistent omissions (sends correct data to some components, nothing to others)
       – Symmetric faults (sends the same incorrect data to all)
       – Byzantine faults (arbitrary, asymmetric behavior)

  7. Approaches to Fault Tolerance
     Synchronous Systems
     ◦ maintain all the non-faulty components synchronized
     ◦ use voting algorithms to ensure that they process the same input data
     ◦ all redundant computers are exact replicas of each other: they maintain identical states, process the same input, produce identical output
     Asynchronous Systems
     ◦ each controller works at its own rate: no synchronization
     ◦ lack of synchronization implies: distinct controllers may operate on different input values, so exact agreement on output is impossible
     ◦ voting + thresholding + error detection schemes are used to select one control value out of those produced by the redundant controllers

  8. Example Architecture: Time-Triggered Ethernet (TTE)
     [Figure: end systems connected through several switches, with the dataflow between end systems]
     Ethernet for fault-tolerant, real-time distributed systems:
     ◦ Guarantees for real-time messages: low jitter, predictable latency, no collisions
     ◦ All nodes are synchronized (fault-tolerant clock synchronization protocol)
     ◦ All communication and computation follow a system-wide, cyclic schedule

  9. Main Fault-Tolerant Protocols in TTE
     Startup:
     ◦ bring up the network into the synchronized state
     Clock Synchronization:
     ◦ executed periodically to maintain all clocks within a fixed bound of each other
     Clique Detection and Resolution:
     ◦ to recover from network-wide transient upsets
     Fault Assumptions:
     ◦ Single Fault Configuration: at most one faulty component
       – Faulty end system: Byzantine
       – Faulty switch: inconsistent omission
     ◦ Dual Fault Configuration: no more than two faulty components
       – Fault type: inconsistent omission

  10. Verification Problems for TTE
     Goal
     ◦ Show protocol correctness under the stated fault assumption(s)
     ◦ Get counterexamples if the protocols are not correct
     Issues
     ◦ deal with real-time protocol aspects (timers, communication delays, etc.)
     ◦ model fault assumptions
     ◦ model clocks and clock drift
     ◦ make the proofs as automatic as possible

  11. SMT-Based Models + Induction

  12. Symbolic Modeling
     State-transition systems $M = \langle X, I(X), T(X, X') \rangle$
     ◦ $X$: set of state variables
     ◦ formula $I(X)$ defines the initial states
     ◦ formula $T(X, X')$ defines the transition relation
     Traces
     ◦ Sequences of states $x_0 \to x_1 \to x_2 \to \dots$ such that
       – $x_0$ satisfies $I(X)$
       – for every $t \in \mathbb{N}$, $(x_t, x_{t+1})$ satisfies $T(X, X')$

  13. Bounded Model Checking
     Goal
     ◦ Find counterexamples to a property
     ◦ Usually the property is an invariant $\Box P$
     ◦ The goal is then to find a reachable state that does not satisfy $P$.
     Technique
     ◦ Fix a bound $k$
     ◦ Search for a state reachable in $k$ steps that falsifies $P$
     ◦ This is the same as checking the satisfiability of the formula
       $I(x_0) \wedge T(x_0, x_1) \wedge T(x_1, x_2) \wedge \dots \wedge T(x_{k-1}, x_k) \wedge \neg P(x_k)$

  14. Induction
     Goal
     ◦ Prove that $P$ is invariant
     Standard Induction
     ◦ Show that the following formulas are valid (their negation is not satisfiable)
       $I(x_0) \to P(x_0)$
       $P(x_0) \wedge T(x_0, x_1) \to P(x_1)$
     ◦ If this succeeds then $P$ is an inductive invariant

  15. What if induction fails?
     Case 1: $I(x_0) \to P(x_0)$ is not valid
     ◦ some initial state $x_0$ fails to satisfy $P$, so $P$ is not invariant
     Case 2: $P(x_0) \wedge T(x_0, x_1) \to P(x_1)$ is not valid
     ◦ there are two successive states $x_0$ and $x_1$ such that $x_0$ satisfies $P$ and $x_1$ does not satisfy $P$
     ◦ if $x_0$ is reachable, then $P$ is not invariant (but checking whether $x_0$ is reachable is not easy)
     ◦ otherwise, we can't tell whether $P$ is invariant or not; we can try other things:
       – invariant strengthening
       – use an auxiliary invariant as a lemma
       – use $k$-induction, a stronger induction rule

  16. Invariant Strengthening
     Idea: find an inductive invariant $Q$ that implies $P$
     This amounts to showing that the following formulas are valid
       $I(x_0) \to Q(x_0)$
       $Q(x_0) \wedge T(x_0, x_1) \to Q(x_1)$
       $Q(x_0) \to P(x_0)$
     If they are, then $P$ is invariant

  17. Auxiliary Lemma
     Assume we know another auxiliary invariant $L$; we can try to use it as a lemma to prove that $P$ is invariant
     Proof Rule: If the following formulas are valid
       $I(x_0) \Rightarrow P(x_0)$
       $P(x_0) \wedge L(x_0) \wedge T(x_0, x_1) \Rightarrow P(x_1)$
     and $L$ is invariant, then $P$ is invariant ($P$ is inductive relative to $L$)

  18. $k$-induction
     Generalizes induction to $k$ steps
     ◦ Base case: $I(x_0) \wedge T(x_0, x_1) \wedge \dots \wedge T(x_{k-1}, x_k) \Rightarrow P(x_0) \wedge \dots \wedge P(x_k)$
     ◦ Induction step: $T(x_0, x_1) \wedge \dots \wedge T(x_k, x_{k+1}) \wedge P(x_0) \wedge \dots \wedge P(x_k) \Rightarrow P(x_{k+1})$
     How good is it?
     ◦ In most cases, $k$-induction is stronger than standard induction (when $k \geq 2$)
     ◦ $\Box P$ is provable by $k$-induction iff $\Box (P \wedge \bigcirc P \wedge \dots \wedge \bigcirc^{k} P)$ is provable by induction, so $k$-induction can be viewed as a form of invariant strengthening
     ◦ There are counterexamples: for example, if $T$ is reflexive, then $\Box P$ is provable by $k$-induction iff $\Box P$ is provable by standard induction.
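The following is an added example, not code from the talk, showing the proof rules of slides 13 to 18 in action: bounded model checking, $k$-induction (with $k = 0$ being the standard rule of slide 14) and induction relative to a lemma. The obligations are the same formulas the slides give, but instead of handing them to an SMT solver they are decided by enumerating a small bounded integer domain, so the script runs without any solver. Both transition systems are constructed for this example: a counter whose reachable values cycle 0, 1, 2 but whose unreachable values above 2 keep counting up (so $x \le 3$ is invariant, not inductive, but provable with $k = 1$), and a counter with a constant flag where $x \ge 0$ is not $k$-inductive for any $k$ and needs the lemma "flag is false".

```python
"""Explicit-state reference checker for the BMC / k-induction proof rules.
Added example; the talk's own tooling hands these formulas to an SMT solver."""

# Assumed finite domain: the slides' models are unbounded, enumeration needs a cut-off.
XS = range(-6, 12)


def bmc(states, init, succ, prop, k):
    """Slide 13: look for a trace x0 -> ... -> xj (j <= k) with I(x0), T on
    every step and not P(xj). Returns the trace or None. Breadth-first, so a
    returned counterexample is a shortest one."""
    layer = [(s,) for s in states if init(s)]
    for depth in range(k + 1):
        for trace in layer:
            if not prop(trace[-1]):
                return trace
        if depth < k:
            layer = [trace + (s1,) for trace in layer for s1 in succ(trace[-1])]
    return None


def k_induction(states, init, succ, prop, k, lemma=lambda s: True):
    """Slide 18's two obligations, with slide 17's lemma L added to the step's
    hypotheses (L defaults to true, giving plain k-induction; k = 0 is the
    standard induction rule of slide 14):
      base: I(x0) ^ T(x0,x1) ^ ... ^ T(x_{k-1},x_k)  =>  P(x0) ^ ... ^ P(xk)
      step: T(x0,x1) ^ ... ^ T(xk,x_{k+1}) ^ P(x0) ^ L(x0) ^ ... ^ P(xk) ^ L(xk)  =>  P(x_{k+1})
    Returns ("proved", None), ("base-fails", trace) or ("step-fails", cti)."""
    base = bmc(states, init, succ, prop, k)
    if base is not None:
        return "base-fails", base
    hyp = lambda s: prop(s) and lemma(s)
    paths = [(s,) for s in states if hyp(s)]        # x0 with P and L
    for _ in range(k):                               # extend to x0..xk, all with P and L
        paths = [p + (s1,) for p in paths for s1 in succ(p[-1]) if hyp(s1)]
    for p in paths:
        for s1 in succ(p[-1]):
            if not prop(s1):
                return "step-fails", p + (s1,)       # counterexample to induction
    return "proved", None


# System 1 (constructed): cycles 0 -> 1 -> 2 -> 0; values above 2 are unreachable
# "ghost" states that keep counting up. T(x, x') is deterministic.
def init1(x): return x == 0
def succ1(x):
    x1 = 0 if x == 2 else x + 1
    return [x1] if x1 in XS else []                  # domain cut-off
def p1(x): return x <= 3                             # invariant, but not inductive


# System 2 (constructed): state (x, flag); flag never changes, x counts up
# when flag is false and down when it is true. Only flag = False is reachable.
STATES2 = [(x, f) for x in XS for f in (False, True)]
def init2(s): return s == (0, False)
def succ2(s):
    x, f = s
    x1 = x - 1 if f else x + 1
    return [(x1, f)] if x1 in XS else []
def p2(s): return s[0] >= 0                          # invariant, not k-inductive for any k
def lemma2(s): return not s[1]                       # auxiliary invariant L: flag stays false


if __name__ == "__main__":
    print(bmc(XS, init1, succ1, lambda x: x != 2, 5))         # (0, 1, 2): a real counterexample
    print(k_induction(XS, init1, succ1, p1, 0))               # step-fails on the unreachable (3, 4)
    print(k_induction(XS, init1, succ1, p1, 1))               # proved
    print(k_induction(STATES2, init2, succ2, p2, 3))          # step-fails: (3,True) ... (-1,True)
    print(k_induction(STATES2, init2, succ2, lemma2, 0))      # proved: L is inductive
    print(k_induction(STATES2, init2, succ2, p2, 0, lemma2))  # proved relative to L
```

The `step-fails` result for system 1 with $k = 0$ is exactly Case 2 of slide 15: the pair $(3, 4)$ satisfies $P(x_0) \wedge T(x_0, x_1) \wedge \neg P(x_1)$, but $3$ is unreachable, so nothing can be concluded until the stronger rule is tried. For system 2 no $k$ helps, because the unreachable states with the flag set form arbitrarily long paths that satisfy $P$; proving the lemma first and then $P$ relative to it is the slide 17 route, and conjoining them ($Q = P \wedge L$) is the slide 16 route.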

  19. [Figure: three diagrams of the reachable states within the whole state space, labelled "P invariant", "P invariant but not inductive" and "P inductive relative to L"]

  20. Timed Systems

  21. Modeling Real-time Systems
     Constraints
     ◦ Model timed systems as state-transition systems
     ◦ Make the model amenable to analysis using:
       – bounded model checking
       – $k$-induction
     Possible Models
     ◦ Implicit time
       – Timed Automata (Alur & Dill) and many variants
       – Many other models (e.g., timed process algebras)
     ◦ Explicit time
       – use an explicit time variable (e.g., Lamport & Abadi)
       – transition relation encodes time progress: time' = time + delta

  22. Timed Automata
     [Figure: timed automaton for process i with locations Sleeping, Waiting (invariant x<=1), Trying and Critical; edge labels: [lock = 0] x:=0; [x<=1] lock := i, x:=0; [lock /= i]; [lock = i, x>=2]; lock := 0]
     ◦ The clock x is a real-valued variable
     ◦ It can be reset on discrete transitions
     ◦ x increases continuously at a constant rate ($\dot{x} = 1$) between discrete transitions
     ◦ Guards specify when transitions can be taken
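The following is an added example, not code from the talk, that encodes the automaton of slide 22 for two processes in the explicit-time style of slide 21 and runs a bounded search for violations of mutual exclusion. It assumes the edges are wired as in Fischer's mutual-exclusion protocol, which is what the figure's labels fit (Sleeping to Waiting on [lock = 0] with x:=0; Waiting to Trying on [x<=1] with lock := i, x:=0; Trying to Sleeping on [lock /= i]; Trying to Critical on [lock = i, x>=2]; Critical to Sleeping with lock := 0). Each clock is stored as the timestamp of its last reset, so x = time - reset, and time progress is the slide's time' = time + delta, allowed only while every process in Waiting still satisfies its invariant x<=1. Two further assumptions are labelled in the code: delta is fixed to 1, which is enough to find violations here because all clock constants are integers, and the search is depth-bounded, so a "no violation" answer is a BMC result rather than a proof. The example goes one step beyond the slide by parameterising the constant in [lock = i, x>=2]: with 2 the protocol is safe, with 1 (no longer larger than the Waiting bound) both processes can reach Critical.

```python
"""Explicit-time model of the slide 22 automaton for two processes, plus a
bounded search for mutual-exclusion violations. Added example, not the talk's code."""

SLEEPING, WAITING, TRYING, CRITICAL = "Sleeping", "Waiting", "Trying", "Critical"


def make_model(wait_bound):
    """Build (initial_state, successors) for two processes.
    A state is (time, lock, ((loc1, reset1), (loc2, reset2))); each clock is the
    timestamp of its last reset, so x_i = time - reset_i.
    wait_bound is the constant c in the guard [lock = i, x >= c] (2 on the slide)."""

    def discrete(state):
        time, lock, procs = state
        for idx, (loc, reset) in enumerate(procs):
            i, x = idx + 1, time - reset                  # process id and clock value
            moves = []
            if loc == SLEEPING and lock == 0:             # [lock = 0], x := 0
                moves.append((lock, (WAITING, time)))
            if loc == WAITING and x <= 1:                 # [x <= 1], lock := i, x := 0
                moves.append((i, (TRYING, time)))
            if loc == TRYING and lock != i:               # [lock /= i]
                moves.append((lock, (SLEEPING, reset)))
            if loc == TRYING and lock == i and x >= wait_bound:   # [lock = i, x >= c]
                moves.append((lock, (CRITICAL, reset)))
            if loc == CRITICAL:                           # lock := 0
                moves.append((0, (SLEEPING, reset)))
            for new_lock, new_proc in moves:
                new_procs = tuple(new_proc if j == idx else p for j, p in enumerate(procs))
                yield (time, new_lock, new_procs)

    def delay(state, delta=1):
        """Time progress: time' = time + delta (delta fixed to 1, an assumption
        that suffices here because all clock constants are integers). Allowed only
        if no process in Waiting would leave its location invariant x <= 1."""
        time, lock, procs = state
        if all(loc != WAITING or time + delta - reset <= 1 for loc, reset in procs):
            yield (time + delta, lock, procs)

    def successors(state):
        yield from discrete(state)
        yield from delay(state)

    init = (0, 0, ((SLEEPING, 0), (SLEEPING, 0)))
    return init, successors


def mutual_exclusion(state):
    """The property: at most one process in Critical."""
    return sum(loc == CRITICAL for loc, _ in state[2]) <= 1


def bounded_search(init, successors, prop, depth):
    """BMC as a breadth-first search: return a shortest trace from init to a
    state violating prop within `depth` transitions, or None (bounded result,
    not a proof)."""
    frontier, seen = [(init,)], {init}
    for _ in range(depth + 1):
        next_frontier = []
        for trace in frontier:
            if not prop(trace[-1]):
                return trace
            for s in successors(trace[-1]):
                if s not in seen:
                    seen.add(s)
                    next_frontier.append(trace + (s,))
        frontier = next_frontier
    return None


if __name__ == "__main__":
    init, succ = make_model(2)
    print("x >= 2:", bounded_search(init, succ, mutual_exclusion, 12))   # None
    init, succ = make_model(1)
    for s in bounded_search(init, succ, mutual_exclusion, 12):           # ends with both Critical
        print("x >= 1:", s)
```

The violating trace for the weakened guard is eight transitions long: both processes enter Waiting while lock = 0, process 1 takes the lock, one time unit passes (still within process 2's x<=1 invariant), process 1 enters Critical, process 2 takes the lock, another unit passes, and process 2 enters Critical too. With the slide's constant 2, process 1 cannot enter before time 2, by which point process 2's invariant has forced it to overwrite lock, which is the timing argument the guard encodes.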
