Scalable Dynamic Analysis of Large Linear Systems
Parasara Sridhar Duggirala
Joint Work: Mahesh Viswanathan (UIUC), Stanley Bak (AFRL)
CPS V&V I&F - CMU 2
- P. S. Duggirala, M. Viswanathan. “Parsimonious, Simulation Based Verification of Linear Systems”
International Conference on Computer Aided Verification (CAV) 2016.
- S. Bak, P. S. Duggirala. “Rigorous Simulation Based Analysis for Linear Hybrid Systems”
Tools and Algorithms for Construction and Analysis of Systems (TACAS) 2017.
- S. Bak, P. S. Duggirala. “HyLAA: A tool for simulation–equivalent reachability for linear systems”
Hybrid Systems Computation and Control (HSCC) 2017.
- S. Bak, P. S. Duggirala. “Direct Verification of Linear Systems over 10,000 Dimensions”
Applied Continuous and Hybrid Systems Verification Workshop (ARCH) 2017. Best Paper Award
- S. Bak, P. S. Duggirala. “Simulation Equivalent Verification Of Large Linear Systems with Inputs”
International Conference on Computer Aided Verification (CAV) 2017.
Leader-Follower System
Follower: velocity = v; acceleration = a. Leader: velocity = v_f; acceleration = 0. s is the gap between the two cars.
[Figure: physical plant with controllers C1, C2, …, Cn and the logic that selects among modes ẋ = f1(x), ẋ = f2(x), ẋ = f3(x); as a linear hybrid automaton, each mode has f_i(x) = A_i x + B_i]
Dynamics of the system: ṡ = v_f − v; v̇ = a − k_aero v; ȧ = u; k_aero is the air drag.
Control law: if (cond1) then u = −2a − 2(v − v_f); if (cond2) then u = −3a − 2(v − v_f);
Safety Verification Problem
▪ Given a linear hybrid automaton H with initial set Θ and unsafe set U, are all the behaviors starting from Θ safe for bounded time T_b?
▪ One technique: use a safety verification tool such as KeYmaera, SpaceEx, Flow*, or CORA.
▪ However, most design analysis is done using simulations.
▪ This work(s): Simulations ↔ Verification
[Figure: linear hybrid automaton with three modes, ẋ = f1(x), ẋ = f2(x), ẋ = f3(x), where f_i(x) = A_i x + B_i; the initial set Θ and the unsafe set U are drawn in the state space]
Hybrid Automata Semantics
Linear hybrid automaton H = ⟨Loc, X, Flow, Inv, Trans, Guard⟩
▪ Loc: modes; X: state space; Flow: dynamics ẋ = A_i x + B_i; Inv: invariants; Trans: discrete transitions; Guard: guards.
[Figure: two modes with invariants Inv1, Inv2 and dynamics ẋ = A1 x + B1, ẋ = A2 x + B2; the reachable set is drawn across the mode switch]
Reachable set computation:
1. Compute the reachable set for each mode.
2. Take into account the mode invariants.
3. Handle the discrete transitions.
Perform steps 1, 2, and 3 using simulation based techniques.
Pop Quiz
Q) Given dynamics ẋ = Ax + B, initial set Θ, and time instance t, how many simulations does it take to compute Reach(Θ, t)?
A) Answer (in the early 2000s): depends on Θ. If Θ is a convex polytope, simulate the vertices of Θ to get the vertices of Reach(Θ, t).
Can we do better?
Yes, the number of simulations is independent of Θ. If x is n dimensional, you need a mere n + 1 simulations!
Dynamic Analysis Technique
1. The representation: generalized stars.
2. The property of linear systems: superposition principle.
3. The reachable set computing technique: safety verification of an n dimensional system using n + 1 simulations.
P. S. Duggirala, M. Viswanathan, “Parsimonious, Simulation Based Verification of Linear Systems”, International Conference on Computer Aided Verification (CAV) 2016.
Representation: Generalized Stars
▪ A generalized star is represented as ⟨c, V, P⟩
▪ c – center, V – set of vectors, P – predicate.
⟨c, V, P⟩ = { x | ∃ᾱ = (α1, …, αn), c + Σ_i α_i v_i = x, P(ᾱ) = ⊤ }
[Figure: center c1 with basis vectors v1, v2; a point of the star is c1 + α1 v1 + α2 v2]
Example predicates:
▪ P(α1, α2) ≜ α1 ≤ 1 ∧ α2 ≤ 1
▪ P(α1, α2) ≜ α1 ≤ 1 ∧ α2 ≤ 1 ∧ α1 + α2 ≤ 1.5
▪ P(α1, α2) ≜ α1 ≤ 1 − α2²
▪ P(α1, α2) ≜ … (the slide shows a long nonlinear expression built from sqrt and abs, illustrating that the predicate can be an arbitrary expression)
Property: Superposition
[Figure: simulations ξ(x0, t), ξ(x1, t), ξ(x2, t) from x0 and from the points x1, x2 offset from x0 by v1, v2; v1′ and v2′ are the offsets of ξ(x1, t) and ξ(x2, t) from ξ(x0, t), and the simulation from x0 + α1 v1 + α2 v2 ends at ξ(x0, t) + α1 v1′ + α2 v2′]
ξ(x0 + α1 v1 + α2 v2, t) = ξ(x0, t) + α1 v1′ + α2 v2′
From simulations ξ0, ξ1, and ξ2, we can construct any simulation starting from a linear span of x0, v1, and v2.
Technique: Basic Idea
▪ Given initial set Θ = ⟨c, V, P⟩, Reach is computed not as a new predicate, but by changing the center and the basis vectors.
Θ ≜ ⟨c, V, P⟩ with center c, basis v1, v2 and P ≜ α1 ≤ 1 ∧ α2 ≤ 1
Reach(Θ, t) ≜ ⟨c′, V′, P⟩ with center c′, basis v1′, v2′ and the same predicate α1 ≤ 1 ∧ α2 ≤ 1
P. S. Duggirala, M. Viswanathan, “Parsimonious, Simulation Based Verification of Linear Systems”, International Conference on Computer Aided Verification (CAV) 2016.
Technique: Representation + Superposition
Given Θ ≜ ⟨c, V, P⟩, to compute the reachable set:
1. Simulate from c.
2. Simulate from c + v_i for each i.
The reachable set at time t is given by ⟨c′, V′, P⟩ where
1. c′ is the simulation corresponding to c;
2. v_i′ is the difference of the simulations from c + v_i and from c.
[Figure: Θ ≜ ⟨c, V, P⟩ with center c and basis v1, v2 maps to Reach(Θ, t) ≜ ⟨c′, V′, P⟩ with center c′ and basis v1′, v2′; the predicate (α1 ≤ 1 ∧ α2 ≤ 1, or α1 ≤ 1 ∧ α2 ≤ 1 ∧ α1 + α2 ≤ 1.5, or α1 ≤ 1 − α2²) is the same on both sides]
Observation: Reach preserves the “shape” of the initial set.
Reachable Set Computation Using Simulations For Generalized Stars
Problem: Exact simulations require computing e^{At}, which is not necessarily finitely representable.
Validated Simulations
[Figure: trajectory ξ(x0, t) from x0 enclosed by a sequence of regions]
valSim(x0, t) returns a sequence of regions such that ξ(x0, t) ∈ R_l when t ∈ [t_l, t_{l+1}], and diameter(R_l) → 0 as |t_{l+1} − t_l| → 0.
Over- and Under-Approximations Using Validated Simulations
▪ Problem – the exact values of c′, v1′, and v2′ are not known!
[Figure: Θ ≜ ⟨c, V, P⟩ with center c, basis v1, v2 and P ≜ α1 ≤ 1 ∧ α2 ≤ 1; validated simulations only give regions R0, R1, R2 containing the true simulation endpoints, so many candidate stars ⟨c′, V′, P⟩ are possible]
▪ Over-approximation is the union of all such stars; under-approximation is the intersection of all such stars.
OA = { x | ∃c, ∃v1, ∃v2, ∃ᾱ. x = c + α1 v1 + α2 v2 }
UA = { x | ∀c, ∀v1, ∀v2, ∃ᾱ. x = c + α1 v1 + α2 v2 }
Provided in the paper:
1. Computing the over-approximation.
2. Checking safety violation without using QE for bounded initial sets.
Using Discrete Time Simulation Engine
Initial set Θ ≜ ⟨c, V, P⟩; simulation engine ρ; step size h.
For computing the reachable set at time instant k·h:
1. Generate simulation ρ(c, k·h);
2. For each v_i ∈ V, generate simulation ρ(c + v_i, k·h);
3. The reachable set, denoted Θ_k, is defined as ⟨c′, V′, P⟩ where
   1. c′ = ρ(c, k·h);
   2. v_i′ = ρ(c + v_i, k·h) − ρ(c, k·h).
Given initial set Θ, the procedure Reach(Θ, h, k·h) returns Θ_1, Θ_2, …, Θ_k, where Θ_k = ⟨c_k, V_k, P⟩ is the reachable set from Θ at time instance k·h.
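The discrete-time procedure above, as an added example that is not code from the slides or from HyLAA. The plant is the slides' leader-follower system under the first control law u = −2a − 2(v − v_f); k_aero, v_f, the initial star, the unsafe set and the step size are constructed values, and a fixed-step RK4 integrator plays the role of the simulation engine ρ.

```python
"""Reach(Theta, h, k*h) for a linear system from n+1 simulations (generalized stars).

Added example, not code from the slides or from HyLAA. It follows the slide's
discrete-time recipe: Theta_k = <c_k, V_k, P> with c_k = rho(c, k*h) and
v_i,k = rho(c + v_i, k*h) - rho(c, k*h); the predicate P never changes.
The plant is the slides' leader-follower system under the first control law
u = -2a - 2(v - v_f). k_aero, v_f, the initial set, the unsafe set and the
step size are constructed values for this example.
"""

K_AERO = 0.1   # constructed air-drag coefficient
V_F = 20.0     # constructed (constant) leader velocity
# State x = (s, v, a): gap to the leader, follower velocity, follower acceleration.
#   s' = v_f - v,  v' = a - k_aero*v,  a' = u = -2a - 2(v - v_f)   =>  x' = A x + B
A = [[0.0, -1.0, 0.0],
     [0.0, -K_AERO, 1.0],
     [0.0, -2.0, -2.0]]
B = [V_F, 0.0, 2.0 * V_F]

def add(x, y):
    return [p + q for p, q in zip(x, y)]

def scale(s, x):
    return [s * p for p in x]

def dot(u, w):
    return sum(p * q for p, q in zip(u, w))

def deriv(x):
    return add([dot(row, x) for row in A], B)

def rk4_step(x, h):
    """One step of the simulation engine rho (fixed-step RK4). For an affine ODE
    this map is affine in x, so superposition holds exactly (up to rounding)."""
    k1 = deriv(x)
    k2 = deriv(add(x, scale(h / 2, k1)))
    k3 = deriv(add(x, scale(h / 2, k2)))
    k4 = deriv(add(x, scale(h, k3)))
    return add(x, scale(h / 6, add(add(k1, scale(2, k2)), add(scale(2, k3), k4))))

def reach(c, V, h, k):
    """Reach(Theta, h, k*h): returns [(c_1, V_1), ..., (c_k, V_k)] computed from
    len(V)+1 simulations. The predicate is omitted because it is unchanged."""
    trajs = [list(c)] + [add(c, v) for v in V]          # simulate from c and from each c + v_i
    out = []
    for _ in range(k):
        trajs = [rk4_step(x, h) for x in trajs]
        c_k = trajs[0]
        V_k = [add(x, scale(-1.0, c_k)) for x in trajs[1:]]   # v_i,k = rho(c + v_i) - rho(c)
        out.append((c_k, V_k))
    return out

def star_point(c, V, alpha):
    """x = c + sum_i alpha_i v_i."""
    x = list(c)
    for a, v in zip(alpha, V):
        x = add(x, scale(a, v))
    return x

def max_over_star(c, V, box, row):
    """max of row.x over <c, V, P> for the box predicate P = AND_i (lo_i <= alpha_i <= hi_i):
    row.c + sum_i max(lo_i * row.v_i, hi_i * row.v_i). Closed form, so no LP is needed."""
    return dot(row, c) + sum(max(lo * dot(row, v), hi * dot(row, v)) for (lo, hi), v in zip(box, V))

def superposition_error(c, V, alpha, h, k):
    """|rho(c + sum alpha_i v_i, k*h) - (c_k + sum alpha_i v_i,k)|_inf; expected to be ~0."""
    c_k, V_k = reach(c, V, h, k)[-1]
    x = star_point(c, V, alpha)
    for _ in range(k):
        x = rk4_step(x, h)
    return max(abs(p - q) for p, q in zip(x, star_point(c_k, V_k, alpha)))

def first_unsafe_step(c, V, box, h, k, row, rhs):
    """First j in 1..k at which Theta_j overlaps U = {x : row.x >= rhs}, else None.
    Passing a different `box` re-checks a new initial set with the same n+1 simulations."""
    for j, (c_j, V_j) in enumerate(reach(c, V, h, k), start=1):
        if max_over_star(c_j, V_j, box, row) >= rhs:
            return j
    return None

# Constructed initial star: gap s in [5, 6], v in [19, 21], a = 0, i.e. alpha in [0, 1]^2.
C0 = [5.0, 19.0, 0.0]
V0 = [[1.0, 0.0, 0.0], [0.0, 2.0, 0.0]]
BOX = [(0.0, 1.0), (0.0, 1.0)]
CLOSED_GAP = ([-1.0, 0.0, 0.0], 0.0)      # constructed unsafe set U: -s >= 0 (the gap is closed)
```

Calling `first_unsafe_step(C0, V0, [(-5.0, 1.0), (0.0, 1.0)], 0.05, 40, *CLOSED_GAP)` checks the initial set with s in [0, 6] without new simulations, since only the predicate changes.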
Experimental Evaluation: HyLAA
Scalability with respect to number of dimensions.***
http://stanleybak.com/hylaa/
*** Accurate comparison of tools is very hard owing to semantics and parameters during verification. HyPro might be a good solution.
Running HyLAA on High Dimensional Benchmarks
- Motor (11 dims)
- Building (50 dims)
- Partial Differential Equation (86 dims)
- Heat (202 dims)
- International Space Station (274 dims)
- Clamped Beam (350 dims)
- MNA1 (588 dims)
- FOM (1008 dims)
- MNA5 (10923 dims)
* H. D. Tran, L. V. Nguyen, and T. T. Johnson. “Large-scale linear systems from order-reduction”, 3rd Applied Verification for Continuous and Hybrid Systems Workshop (ARCH 2016).
Highlights of Verification Results
▪ Uses floating point for computation – not “fully rigorous”.
▪ Counterexamples from safety are validated using a high accuracy simulation engine – accuracy of the order 10^−7.
▪ Discrete time verification – might miss a safety violation in between time instances.
▪ The Building benchmark (50 dims) had a safety violation at time instances between 0.07 and 0.09 sec, so a step size of 0.1 could not catch the safety violation.
▪ Numerical simulation seems to work faster than the matrix exponential.
▪ Verifying the 10,000 dimensional model required a fair amount of engineering: using a new text editor, modifying the parser, a sparse representation, and using the sparse representation for the LP as well.
Won the Best Paper Award at the ARCH workshop.
Observations
1. The discrete time reachable set doesn’t change the predicate associated with the star.
[Figure: Θ ≜ ⟨c, V, P⟩ with center c, basis v1, v2 and Θ_i ≜ ⟨c′, V′, P⟩ with center c′, basis v1′, v2′; the predicate, α1 ≤ 1 ∧ α2 ≤ 1 or α1 ≤ 1 ∧ α2 ≤ 1 ∧ α1 + α2 ≤ 1.5, is the same on both sides]
To compute the reachable set of a new initial set, just changing the predicate suffices!
Observations
2. It is easy to aggregate and de-aggregate sets on-the-fly.
Θ1 = ⟨c, V, P1⟩, Θ2 = ⟨c, V, P2⟩; aggregated set Θ_agg = ⟨c, V, P_agg⟩ with (P1 ∨ P2) ⇒ P_agg.
Notice: all have the same center and basis in their representation.
After computing the reachable set, Θ_agg′ = ⟨c′, V′, P_agg⟩. Want to deaggregate? Just change the predicates: Θ1′ = ⟨c′, V′, P1⟩ and Θ2′ = ⟨c′, V′, P2⟩.
Handling Invariants and Discrete Transitions
The Problems With Invariants
▪ Given Θ_1, Θ_2, …, Θ_k as the discrete time reachable sets for a given mode, performing just Θ_j ∩ Inv only gives an overapproximation.
[Figure: Θ_i and Θ_{i+1} crossing the invariant Inv(l); Θ_i ∩ Inv(l) and Θ_{i+1} ∩ Inv(l) are larger than ActualReach_{i+1}]
Q) How to compute ActualReach_{i+1}?
A) Use constraint propagation!
Forward Constraint Propagation
1. Convert Inv into the center and basis of the i-th star as ⟨c_i, V_i, Q_i⟩.
2. Θ_i ∩ Inv = ⟨c_i, V_i, P ∧ Q_i⟩.
3. These states should originate from ⟨c, V, P ∧ Q_i⟩ in Θ.
4. Propagate the constraint Q_i forward: add it to the predicates of Θ_i itself and of all future stars.
[Figure: Θ = ⟨c, V, P⟩; Θ_i = ⟨c_i, V_i, P⟩ and Θ_{i+1} = ⟨c_{i+1}, V_{i+1}, P⟩ meet Inv(l), which in their coordinates is ⟨c_i, V_i, Q_i⟩ and ⟨c_{i+1}, V_{i+1}, Q_{i+1}⟩; Θ_i ∩ Inv(l) = ⟨c_i, V_i, P ∧ Q_i⟩ originates from ⟨c, V, P ∧ Q_i⟩, and ActualReach_{i+1} = ⟨c_{i+1}, V_{i+1}, P ∧ Q_i ∧ Q_{i+1}⟩ rather than ⟨c_{i+1}, V_{i+1}, P ∧ Q_{i+1}⟩]
Invariant Constraint Propagation
1. Compute reachable sets Θ_1, Θ_2, …, Θ_k.
2. Convert Inv into the star representation of each Θ_i as ⟨c_1, V_1, Q_1⟩, ⟨c_2, V_2, Q_2⟩, …, ⟨c_k, V_k, Q_k⟩.
3. Add constraint Q_i to the predicate of Θ_i, Θ_{i+1}, …, Θ_k.
Optimizations
1. If Θ_i ⊆ Inv, then P ∧ Q_i ≡ P. Hence, no constraint is added.
2. If Θ_i ⊆ Inv^c, then P ∧ Q_i ≡ ⊥. Hence, there is no need to add Q_i.
3. Add a constraint Q_i to P ∧ Q_1 ∧ ⋯ ∧ Q_{i−1} if and only if ¬(P ∧ Q_1 ∧ ⋯ ∧ Q_{i−1} ⇒ Q_i).
4. [Empirical heuristic]: Compare successive constraints Q_i and Q_{i+1}, and if Q_{i+1} is stronger than Q_i, replace Q_i with Q_{i+1}.
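The propagation steps and optimizations 1 and 2 above, as an added example that is not code from the slides or from HyLAA. The rotation dynamics (whose e^{At} is known in closed form), the initial star, the invariant x2 ≤ 0.9, the step size and the horizon are constructed values; optimization 3, which needs an LP, is only noted in a comment.

```python
"""Forward constraint propagation of a mode invariant, done in star coordinates.

Added example, not code from the slides or from HyLAA. The stars
Theta_i = <c_i, V_i, P> come from an exact simulation engine for the constructed
rotation dynamics x1' = -x2, x2' = x1 (e^{At} is a rotation matrix, so it is known
in closed form). P is a box over alpha; the invariant Inv = {x : x2 <= 0.9}, the
initial star, the step size and the horizon are constructed values.
"""
import math

H, STEPS = 0.1, 25
C0 = [0.8, 0.0]                      # constructed initial star: x1 in [0.8, 1.0], x2 in [0, 0.1]
V0 = [[0.2, 0.0], [0.0, 0.1]]
BOX = [(0.0, 1.0), (0.0, 1.0)]       # P: 0 <= alpha_i <= 1
INV = ([0.0, 1.0], 0.9)              # Inv as row.x <= rhs, i.e. x2 <= 0.9

def dot(u, w):
    return sum(p * q for p, q in zip(u, w))

def star_at(i):
    """Theta_i without its predicate: c_i = e^{A i h} c and v_j,i = e^{A i h} v_j."""
    th = i * H

    def rot(p):
        return [math.cos(th) * p[0] - math.sin(th) * p[1], math.sin(th) * p[0] + math.cos(th) * p[1]]
    return rot(C0), [rot(v) for v in V0]

def extreme(c, V, row, want_max):
    """max (or min) of row.x over <c, V, BOX>; closed form for a box predicate."""
    ends = [(lo * dot(row, v), hi * dot(row, v)) for (lo, hi), v in zip(BOX, V)]
    return dot(row, c) + sum(max(e) if want_max else min(e) for e in ends)

def inv_in_star_coords(c, V, row, rhs):
    """Q_i: row.(c + V alpha) <= rhs  <=>  (row.V) . alpha <= rhs - row.c."""
    return [dot(row, v) for v in V], rhs - dot(row, c)

def propagate():
    """Returns [(c_i, V_i, constraints_i)] for i = 0..STEPS, where constraints_i lists
    the Q_j (j <= i) conjoined to P, so the predicate of ActualReach_i is P AND all Q_j."""
    row, rhs = INV
    carried, out = [], []
    for i in range(STEPS + 1):
        c_i, V_i = star_at(i)
        if extreme(c_i, V_i, row, False) > rhs:      # Theta_i inside Inv^c: P AND Q_i is false,
            break                                     # so nothing is reachable from here on
        if extreme(c_i, V_i, row, True) > rhs:       # Theta_i pokes out of Inv: add Q_i ...
            carried = carried + [inv_in_star_coords(c_i, V_i, row, rhs)]
        # ... otherwise Theta_i is inside Inv and Q_i is redundant (optimization 1).
        # The implication check of optimization 3 needs an LP and is not shown here.
        out.append((c_i, V_i, carried))
    return out

def in_box(alpha):
    return all(lo <= a <= hi for (lo, hi), a in zip(BOX, alpha))

def in_plain_intersection(i, alpha):
    """x = c_i + V_i alpha lies in Theta_i AND Inv (the intersection at step i only)."""
    c_i, V_i = star_at(i)
    x = [c_i[d] + sum(a * v[d] for a, v in zip(alpha, V_i)) for d in range(2)]
    return in_box(alpha) and dot(INV[0], x) <= INV[1]

def in_propagated(stars, i, alpha):
    """x lies in ActualReach_i: P and every propagated Q_j (j <= i) hold for alpha."""
    _, _, constraints = stars[i]
    return in_box(alpha) and all(dot(coef, alpha) <= b for coef, b in constraints)
```

The point alpha = (1, 0), i.e. x = (1, 0), leaves the invariant between steps 12 and 20 and is back inside at step 21: the plain intersection at step 21 still contains it, while the propagated predicate excludes it.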
Discrete Transitions
▪ Discrete transitions are enabled when the reachable set overlaps with the guard condition.
▪ If the reachable set from Θ overlaps with guard G_i at Θ_{i,1}, Θ_{i,2}, …, Θ_{i,l}, then Θ has l successor sets.
▪ After m discrete transitions, the number of sets to keep track of will be l^m (exponential blow-up).
Aggregation – A Necessary Evil
▪ Necessary to reduce the number of sets to keep track of.
▪ Aggregation introduces overapproximation that we can never get rid of!
▪ Might cause spurious discrete transitions; cannot give concrete counterexamples.
Damned if you do! Damned if you don’t!
Dynamic Aggregation Illustration
1. Aggregate all the sets by default and compute the reachable set.
2. When the aggregated set intersects with a guard or unsafe set, then deaggregate.
[Figure: predicates P1, P2, P3 aggregated into P_a; the aggregated set Θ_a is propagated until it meets a guard or the unsafe set, and is then split back into its members]
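The aggregate-by-default, deaggregate-on-contact loop of the illustration above, as an added example that is not code from the slides or from HyLAA. The rotation dynamics, the two initial boxes, the unsafe half-space, the step size and the horizon are constructed values.

```python
"""Dynamic aggregation and deaggregation of stars that share a center and basis.

Added example, not code from the slides or from HyLAA. Two initial boxes are kept
as predicates P1, P2 over the same <c, V>; they are aggregated into P_agg (the
smallest box over alpha with (P1 OR P2) => P_agg) and only split when the
aggregated star touches the unsafe half-space U. The rotation dynamics
x1' = -x2, x2' = x1, the boxes, U, the step size and the horizon are constructed.
"""
import math

H, STEPS = 0.1, 20
C0 = [0.0, 0.0]
V0 = [[1.0, 0.0], [0.0, 1.0]]                      # with this c, V the alphas are the coordinates
BOXES = {"box1": [(0.5, 0.6), (-0.3, -0.2)],       # P1: x1 in [0.5, 0.6], x2 in [-0.3, -0.2]
         "box2": [(0.0, 0.1), (0.2, 0.3)]}         # P2: x1 in [0.0, 0.1], x2 in [0.2, 0.3]
UNSAFE = ([1.0, 1.0], 0.8)                         # U: x1 + x2 >= 0.8

def dot(u, w):
    return sum(p * q for p, q in zip(u, w))

def star_at(k):
    """<c_k, V_k> = e^{A k h} applied to c and to each v_i (a rotation by k*h)."""
    th = k * H

    def rot(p):
        return [math.cos(th) * p[0] - math.sin(th) * p[1], math.sin(th) * p[0] + math.cos(th) * p[1]]
    return rot(C0), [rot(v) for v in V0]

def aggregate(boxes):
    """P_agg: per-coordinate hull over alpha; valid only because all members share c and V."""
    return [(min(b[i][0] for b in boxes), max(b[i][1] for b in boxes)) for i in range(len(boxes[0]))]

def touches_unsafe(c, V, box):
    """Does <c, V, box> overlap U?  max of row.x over the star >= rhs (closed form for a box)."""
    row, rhs = UNSAFE
    best = dot(row, c) + sum(max(lo * dot(row, v), hi * dot(row, v)) for (lo, hi), v in zip(box, V))
    return best >= rhs

def dynamic_deaggregation():
    """Aggregate by default; deaggregate a group only when its aggregated star touches U.
    Returns the events seen: ('spurious', k) when the aggregated star touched U but no
    member did, and ('violation', k, name) for a real overlap of a member."""
    groups = [list(BOXES.items())]           # one group = the members currently aggregated
    events = []
    for k in range(STEPS + 1):
        c_k, V_k = star_at(k)                # the same center/basis serve every predicate
        next_groups = []
        for group in groups:
            if not touches_unsafe(c_k, V_k, aggregate([b for _, b in group])):
                next_groups.append(group)    # safe at this step: stay aggregated
                continue
            hits = [name for name, b in group if touches_unsafe(c_k, V_k, b)]
            if hits:
                events.append(("violation", k, hits[0]))
                return events
            events.append(("spurious", k))   # the aggregation over-approximated: split the group
            next_groups.extend([m] for m in group)
        groups = next_groups
    return events
```

At step 0 the hull of the two boxes reaches U although neither box does (a spurious contact that deaggregation removes); at step 7 box1 itself reaches U, which is a real violation.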
Overview
✓ Motivation and Contributions.
✓ Dynamic analysis technique for linear systems verification.
✓ Observations of the dynamic analysis technique.
✓ Invariant constraint propagation.
✓ Dynamic deaggregation.
▪ Experimental evaluation.
▪ Conclusions and Future work.
HyLAA Constraint Propagation
[Figure: constraint propagation results; see http://stanleybak.com/hylaa/]
HyLAA Aggregation and Deaggregation
▪ Expensive to not have any aggregation.
▪ Completely aggregated introduces new transitions and doesn’t terminate.
▪ Dynamic deaggregation has 1.2x – 5x speedup based on the system.
▪ Automotive drivetrain system with additional masses (8 + 2θ).
▪ In lower dimensions, the synchronous behavior of the masses gives better performance for aggregation.
▪ In higher dimensions, the benefits of aggregation are low because deaggregation is performed more often.
http://stanleybak.com/hylaa/
Conclusion
▪ Notion of simulation equivalent reachable set and safety verification.
▪ New invariant constraint propagation methods for handling invariants.
▪ Dynamic aggregation and deaggregation for handling discrete transitions.
▪ Implemented these in a tool called HyLAA and demonstrated the benefits of these techniques.
Future work
▪ Giving guarantees over dense-time semantics.
▪ Templates for aggregation and deaggregation.
Recently verified a 10,000 dimensional system using enhancements on HyLAA.
http://stanleybak.com/hylaa/
Simulation-Equivalent Reachability (Safety)
Assumptions
1. We are provided with a simulation engine (oracle) that provides a discrete time simulation for a differential equation ẋ = Ax + B.
2. All the sets encountered, such as invariants, guards, initial set, and unsafe set, are conjunctions of linear predicates.
Contributions
1. Compute the simulation-equivalent reachable set (safety verification).
2. New technique called forward constraint propagation for handling invariants.
3. New on-the-fly aggregation and deaggregation techniques.
4. Sound and complete with respect to the simulation engine provided.
Overview
✓ Motivation and Contributions.
▪ Dynamic analysis technique for linear systems verification.
▪ A few observations.
▪ Invariant constraint propagation.
▪ Dynamic de-aggregation.
▪ Experimental evaluation.
▪ Conclusions and Future work.
Dynamic Analysis Technique For Linear System