24: Model Checking & Reachability Analysissymbolaris.com/course/fcps16/reachability.pdf · 24:...

24: Model Checking & Reachability Analysis15-424: Foundations of Cyber-Physical Systems

Goran Frehse Andre Platzer

Verimag

[1] Laurent Doyen, Goran Frehse, George J. Pappas, Andre Platzer.Verification of Hybrid Systems.In Edmund M. Clarke, Thomas A. Henzinger and Helmut Veith,editors, Handbook of Model Checking. Springer, 2017.

Goran Frehse, Andre Platzer () FCPS / 24: Model Checking & Reachability Analysis 1 / 36

Outline

1 Hybrid AutomataExampleDefinition and Semantics

2 Set-Based ReachabilityPiecewise Constant DynamicsPiecewise Affine DynamicsSet Representations

3 Conclusions

Outline

3 Conclusions

Outline

3 Conclusions

Example: Ball on String

xr + L

(a) extension

xr + L

(b) freefall

dynamics in freefall when x ≥ xr , with mass m

mx = Fg = −mg

dynamics in extension when x ≤ xr , spring constant k , damping d

mx = Fg + Fs = −mg + kxr − kx − dx

transition when x = xr + L, collision factor c ∈ [0, 1] x+ = −cx

xr + L

(c) extension

xr + L

(d) freefall

dynamics in freefall when x ≥ xr , with mass m

mx = Fg = −mg

dynamics in extension when x ≤ xr , spring constant k , damping d

mx = Fg + Fs = −mg + kxr − kx − dx

transition when x = xr + L, collision factor c ∈ [0, 1] x+ = −cxGoran Frehse, Andre Platzer () FCPS / 24: Model Checking & Reachability Analysis 2 / 36

Hybrid Automaton Model: Ball on String

auxiliary variable v = x , so v = x

clip from SpaceEx Model Editor1

1G. Frehse, C. L. Guernic, A. Donze, R. Ray, O. Lebeltel, R. Ripado, A. Girard, T. Dang,and O. Maler, “Spaceex: Scalable verification of hybrid systems,” in CAV’11, ser. LNCS,Springer, 2011.

Simulation

0 0.5 1 1.5 2 2.5

positionx

0 0.5 1 1.5 2 2.5

velocity

Outline

3 Conclusions

Hybrid Automata (Alur, Henzinger, ’95)[2][3]

locations Loc = ℓ1, . . . , ℓm and variables X = x1, . . . , xndefine the state space Loc× RX

transitions Edg ⊆ Loc× Lab× Loc define location changes withsynchronization labels Lab

evolution domain alias invariant Inv ⊆ Loc× RX ,

flow relation Flow, where Flow(ℓ) ⊆ RX × RX , e.g.,

x = f (x);

jump relation Jump, where Jump(e) ⊆ RX × RX+, e.g.,

Jump(e) = (x, x+) | x ∈ G ∧ x+ = r(x)

initial states Init ⊆ Inv

Except: all described by semialgebraic sets (often polyhedra)

Hybrid Automata (Alur, Henzinger, ’95)[2][3]

locations Loc = ℓ1, . . . , ℓm and variables X = x1, . . . , xndefine the state space Loc× RX

transitions Edg ⊆ Loc× Lab× Loc define location changes withsynchronization labels Lab

evolution domain alias invariant Inv ⊆ Loc× RX ,

flow relation Flow, where Flow(ℓ) ⊆ RX × RX , e.g.,

x = f (x);

jump relation Jump, where Jump(e) ⊆ RX × RX+, e.g.,

Jump(e) = (x, x+) | x ∈ G ∧ x+ = r(x)

initial states Init ⊆ Inv

Except: all described by semialgebraic sets (often polyhedra)

Run Semantics

(ℓ0, x0)δ0,ξ0−−→ (ℓ0, ξ0(δ0))

α0−→ (ℓ1, x1)δ1,ξ1−−→ (ℓ1, ξ1(δ1)) . . .

with (ℓ0, x0) ∈ Init, αi ∈ Lab ∪ τ, and for i = 0, 1, . . .:

1 Trajectories: (ξ(t), ξ(t)) ∈ Flow(ℓ) and ξi(t) ∈ Inv(ℓi)for all t ∈ [0, δi ].

2 Jumps: (ξi(δi), xi+1) ∈ Jump(ei), ei = (ℓi , αi , ℓi+1) ∈ Edg, andxi+1 ∈ Inv(ℓi+1).

A state (ℓ, x) is reachable if there exists a run with (ℓi , xi) = (ℓ, x)for some i .

Usually: Flow(ℓ) is ODE and trajectory ξ(t) its solution

Run Semantics

(ℓ0, x0)δ0,ξ0−−→ (ℓ0, ξ0(δ0))

α0−→ (ℓ1, x1)δ1,ξ1−−→ (ℓ1, ξ1(δ1)) . . .

with (ℓ0, x0) ∈ Init, αi ∈ Lab ∪ τ, and for i = 0, 1, . . .:

1 Trajectories: (ξ(t), ξ(t)) ∈ Flow(ℓ) and ξi(t) ∈ Inv(ℓi)for all t ∈ [0, δi ].

2 Jumps: (ξi(δi), xi+1) ∈ Jump(ei), ei = (ℓi , αi , ℓi+1) ∈ Edg, andxi+1 ∈ Inv(ℓi+1).

A state (ℓ, x) is reachable if there exists a run with (ℓi , xi) = (ℓ, x)for some i .

Usually: Flow(ℓ) is ODE and trajectory ξ(t) its solution

−1 −0.8 −0.6 −0.4 −0.2 0 0.2 0.4 0.6 0.8 1

ξ0(δ0) = x1

ξ3(δ3) = x4ξ1(δ1)

ξ2(δ2) = x3

ξ4(δ4) = x5

position x

velocity

Outline

3 Conclusions

Set-Based Reachability

Extending numerical simulation from numbers to sets

account for nondeterminism

exhaustive

infinite time horizon

Downsides:

only approximate for complex dynamics

generally not scalable in number of variables

trade-off between runtime and accuracy

may not terminate or degenerate to “system could be anywhere”

Reachability Algorithm

One-step successors by time elapse from set of states S ,

PostC (S) =(ℓ, ξ(δ))

∣∣ ∃(ℓ, x) ∈ S : (ℓ, x)δ,ξ−→ (ℓ, ξ(δ))

One-step successors by jump from set of states S ,

PostD(S) =(ℓ′, x′)

∣∣ ∃(ℓ′, x′) ∈ S ,∃α ∈ Lab∪τ:(ℓ, x) α−→ (ℓ′, x′)

R0 := PostC (Init),

Ri+1 := Ri ∪ PostC (PostD(Ri)).

If Ri+1 = Ri , then Ri = reachable states.

may not terminate if states unbounded (counter)

problem undecidable in general2

2T. A. Henzinger, P. W. Kopke, A. Puri, and P. Varaiya, “What’s decidable about hybridautomata?” Journal of Computer and System Sciences, vol. 57, pp. 94–124, 1998.

Ball on String: Reachable States

(clip from SpaceEx output)

Outline

3 Conclusions

HA of piecewise constant dynamics (PCDA,LHA)

initial states and invariants are conjunctions of linear constraints

xr ≤ x ∧ x ≤ xr + L

flows are conjunctions of linear constraints over derivatives X

x = 5 ∧ v = −1 ∧ 2 ≤ z ∧ z ≤ 5

jumps are conjunctive linear constraints over X ∪ X+,where X+ denote the variables after the jump.

x = xr + L ∧ v > 0 ∧ v+ = −0.5 ∗ v

One-step successors of PCDA can be computed exactly.Often: assume all constraints are compact or at least closed.

Polyhedra in Constraint Form

Conjunctive linear constraints are polyhedra

H-polyhedron (constraint form)

P =x∣∣∣ ∧m

i=1aTi x ≤ bi

with facet normals ai ∈ Rn and inhomogeneous coefficients bi ∈ R.vector-matrix notation:

P =x∣∣∣ Ax ≤ b

, with A =

(aT1...aTm

( b1...bm

Time Elapse with Polyhedra

For PCDA, it suffices to consider straight-line trajectories:3

Lemma (Constant Derivatives)

There is a trajectory ξ(t) from x = ξ(0) to x′ = ξ(δ), δ > 0, iffη(t) = x+ qt with q = (x′ − x)/δ is a trajectory from x to x′.

Proof Idea: Average slope is enough by mean-value theorem

3P.-H. Ho, “Automatic analysis of hybrid systems,” Technical Report CSD-TR95-1536,PhD thesis, Cornell University, Aug. 1995.

For PCDA, it suffices to consider straight-line trajectories:3

Lemma (Constant Derivatives)

There is a trajectory ξ(t) from x = ξ(0) to x′ = ξ(δ), δ > 0, iffη(t) = x+ qt with q = (x′ − x)/δ is a trajectory from x to x′.

Proof Idea: Average slope is enough by mean-value theorem

3P.-H. Ho, “Automatic analysis of hybrid systems,” Technical Report CSD-TR95-1536,PhD thesis, Cornell University, Aug. 1995.

Given polyhedra P = x | Ax ≤ b, Q = q | Aq ≤ bTime successors with constant slope ∈ Q (ignores evolution domain):

PQ = x′ | x ∈ P ,q ∈ Q, t ∈ R≥0, x′ = x+ qt.

Eliminating q = x′−xt

for t > 0, plug into Q, and multiplying with t:

PQ =x′∣∣∣ Ax ≤ b ∧ A(x′ − x) ≤ b · t ∧ t ≥ 0

Quantifier elimination of t squares the number of constraints. FMMore general union of two polyhedra if Q not compact.Subsequently intersect with evolution domain Inv:

postC (ℓ× P) = ℓ×(PFlow(ℓ)

)∩ Inv(ℓ).

Time Elapse with Polyhedra – Geometric Version

Qpos(Q)

(a) cone pos(Q)

P ⊕Q

(b) P ⊕Q

P ⊕ pos(Q)

(c) PQ = P ⊕ pos(Q)

cone around Q pos(Q) = q · t | q ∈ Q, t ≥ 0Minkowski sum P ⊕Q = p+ q | p ∈ P ,q ∈ Qconvex hull chull(Q) =

∑qi∈Q λi · qi

∣∣∣ λi ≥ 0,∑

i λi = 1

Polyhedra in Generator Form

H-polyhedron (constraint form)

P =x∣∣∣ Ax ≤ b

, with A =

(aT1...aTm

( b1...bm

V-polyhedron (generator form)

P = (V ,R) = chull (V )⊕ pos(chull(R)).

with vertices V ⊆ Rn and rays R ⊆ Rn

If P = (V ,R) and Q = (V ′,R ′) in generator form and closed, then

PQ = (V ,R)(V ′,R ′) = (V ,R ∪ V ′ ∪ R ′)

But: conversion between H- and V-polyhedra is expensivecube: 2n constraints, 2n verticescross-polytope (diamond): 2n vertices, 2n constraints

Discrete Successors

Edge e = (ℓ, α, ℓ′) with guard x ∈ G and nondeterministic assignmentx+ = Cx+w, w ∈ W ,

postD(ℓ× P) = ℓ′ ×(C (P ∩ G)⊕W

)∩ Inv(ℓ′).

If constant matrix C invertible and everything in constraint form

CP = x | AC−1x ≤ b where P =x∣∣∣ Ax ≤ b

Otherwise requires quantifier elimination

Computational Cost

polyhedraoperation m constraints k generators

cone pos() m2 kMinkowski sum ⊕ exp k2

linear map Ax+b m / exp kintersection ∩ 2m exp

Generator form good for continuous successors PQ = P ⊕ pos(Q)Constraint form is better for discrete successors if no uncertaintyConversion is expensive

Outline

3 Conclusions

Piecewise Affine Dynamics

Hybrid automata with piecewise affine dynamics (PWA)

initial states and invariants are conjunctive linear constraintsover X alias polyhedra

xr ≤ x ∧ x ≤ xr + L

flows are affine ODEs with compact convex polyhedra U

x = Ax+ Bu, u ∈ U ,

jumps have a guard set and assignments

x+ = Cx+w, w ∈ W .

Continuous successors

x = Ax+ Bu, u ∈ U ,

trajectory ξ(t) from ξ(0) = x0 for integrable input signal ζ(t) ∈ U :

ξx0,ζ(t) = eAtx0 +

eA(t−s)Bζ(s)ds

superposition with“backdated impact eA(t−s) of input ζ(s) at s”

reachable states from set X0 for any input signal:

Xt = eAtX0 ⊕ Yt

eAsUds = eAtX0 ⊕ limδ→0

⌊t/δ⌋⊕k=0

eAδkδU

Computing a Convex Cover

Compute Ω0,Ω1, . . . for fixed time horizon T such that∪0≤t≤T

Xt ⊆ Ω0 ∪ Ω1 ∪ . . . .

Time Discretization at Step-size δ

Semi-group property: (Xkδ)δ = X(k+1)δ

Time discretization: X(k+1)δ = eAδXkδ ⊕ Yδ

Given initial approximations Ω0 and Ψδ for the first δ such that∪0≤t≤δ

Xt ⊆ Ω0, Yδ ⊆ Ψδ,

Xt is covered by the sequence

Ωk+1 = eAδΩk ⊕Ψδ.

Initial Approximations

(a) convex hull and pushing facets (b) convex hull and bloating

By Taylor approximation or by solving optimization problems

Initial Approximations – Forward Bloating

Bloating based on norms bounding Taylor approximation error:4

Ω0 = chull(X0 ∪ eAδX0)⊕ (αδ + βδ)B,Ψδ = βδB,αδ = µ(X0) · (e∥A∥δ − 1− ∥A∥δ),βδ = 1

∥A∥µ(BU) · (e∥A∥δ − 1),

with radius µ(X ) = maxx∈X∥x∥ and unit ball B.

4A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305.

Initial Approximations – Forward Bloating

Forward bloating is tight on X0 and bloated on Xδ.Improvements:

intersect forward bloating with backward bloating

bloat based on interpolation error

Wrapping Effect: Error Accumulation

eAδX0

Appr(eAδX0)

Appr(eAδAppr(eAδX0))

(a) with wrapping effect

eAδX0

Appr(eAδX0)Appr(eA2δX0)

(b) with wrapping-free algorithm

Avoid increasing complexity through deliberate over-approximation

Ωk+1 = Appr(eAδΩk ⊕Ψδ).

Example: bounding box over-approximation is fast

Wrapping Effect: Wrapping-free Cases

Idea: Over-approximate each image of initial approximation separatelySolution: Split sequence5

Ψk+1 = Appr(eAkδΨδ)⊕ Ψk with Ψ0 = 0,Ωk = Appr(eAkδΩ0)⊕ Ψk from initial Ω0

satisfies Ωk = Appr(Ωk) (wrapping-free) if

Appr(P ⊕Q) = Appr(P)⊕ Appr(Q),

e.g., bounding box.

5A. Girard, C. L. Guernic, and O. Maler, “Efficient computation of reachable sets of lineartime-invariant systems with inputs,” in HSCC, 2006, pp. 257–271.

Outline

3 Conclusions

Polyhedra

polyhedraoperation m constr. k gen.

convex hull chull exp 2kMinkowski sum ⊕ exp k2

linear map Ax+b m / exp kintersection ∩ 2m exp

Ellipsoids6

polyhedra ellipsoidsoperation m constr. k gen. n × n matrix

convex hull chull exp 2k approxMinkowski sum ⊕ exp k2 approxlinear map Ax+b m / exp k O(n3)intersection ∩ 2m exp approx

6A. B. Kurzhanski and P. Varaiya, Dynamics and Control of Trajectory Tubes. Springer,2014.

Zonotopes

Zonotope with center c ∈ Rn and generators v1, . . . , vk ∈ Rn

i=1αivi

∣∣∣∣ αi ∈ [−1, 1]

linear map: (Ac, ⟨Av1, . . . ,Avk⟩)Minkowski sum: P ⊕Q = (c+ d, ⟨v1, . . . , vk ,w1, . . . ,wm⟩)Not closed under chull or ∩ so need approximations

Zonotopes7

polyhedra ellipsoids zonotopesoperation m constr. k gen. n × n matrix k generators

convex hull chull exp 2k approx approxMinkowski sum⊕ exp k2 approx 2klinear map Ax+b m / exp k O(n3) kintersection ∩ 2m exp approx approx

7A. Girard, “Reachability of uncertain linear systems using zonotopes,” in HSCC, 2005,pp. 291–305.

Support Functions of Compact Convex Set P

dρP(d)

(a) support function in direction d

⌈P⌉D

(b) outer approximation

support function ρP(·) by linear optimization (efficient!)

ρP(d) = maxdTx | x ∈ P

computed values define polyhedral outer approximation

⌈P⌉D =∩d∈D

dTx ≤ ρP(d)

Support Functions

dρP(d)

(a) support function in direction d

⌈P⌉D

(b) outer approximation

linear map: ρAX (ℓ) = ρX (ATℓ) O(mn)

convex hull: ρchull(P∪Q)(ℓ) = maxρP(ℓ), ρQ(ℓ) O(1)Minkowski sum: ρX⊕Y(ℓ) = ρX (ℓ) + ρY(ℓ) O(1)Intersection: expressible as optimization problem

Support Functions (Le Guernic, Girard,’09)[9]

support functions: lazy approximation on demand

polyhedra ellipsoids zonotopes support f.operation m constr. k gen. n × n matrix k generators —

convex hull chull exp 2k approx approx O(1)Minkowski sum ⊕ exp k2 approx 2k O(1)linear map Ax+b m / exp k O(n3) k O(n2)intersection ∩ 2m exp approx approx opt. / approx

Outline

3 Conclusions

Conclusions

Hybrid automata are challenging for model checking.

Set-based reachability is exhaustive, sufficient for safety andbounded liveness.

expensive, scalable for piecewise affine dynamics

Abstraction lifts reachability to more complex systems

progress with approximate simulation relations

Verification by numerical simulation extends properties fromtraces to sets of states

sampling of initial states limited to low dimensional sets

References

[2] R. Alur, C. Courcoubetis, N. Halbwachs, T. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero,J. Sifakis, and S. Yovine, “The algorithmic analysis of hybrid systems,” TheoreticalComputer Science, vol. 138, pp. 3–34, 1995.

[3] T. A. Henzinger, “The theory of hybrid automata.,” in LICS, Los Alamitos: IEEEComputer Society, 1996, pp. 278–292.

[9] C. Le Guernic and A. Girard, “Reachability analysis of linear systems using supportfunctions,” Nonlinear Analysis: Hybrid Systems, vol. 4, no. 2, pp. 250–262, 2010.

24: Model Checking & Reachability Analysissymbolaris.com/course/fcps16/reachability.pdf · 24:...

Documents

Model Checking History

Model Checking Navigation

Lawrence Chung1 Model Checking. Lawrence Chung2 Safety and Liveness Safety properties –Invariants, deadlocks, reachability, etc. –Can be checked on finite

Jpf model checking

CHECKING BOUNDED REACHABILITY IN ASYNCHRONOUS …

Checking Reachability using Matching Logic

PDR: Property Directed Reachability AKA ic3: SAT-Based Model Checking Without Unrolling

Model Checking Example

Model Checking Algorithms

Model Checking I

Regular Model Checking

Counterexamples for Timed Reachability Analysis...8 Analysis of Stochastic Models Various model checking approaches for stochastic models have been presented. Our point of reference:

Fachgebiet RechnerSysteme 6. Model Checking · Model Checking Fachgebiet RechnerSysteme Verification Technology Content 6.1 Temporal logic 6.2 CTL 6.3 Symbolic model-checking

Algorithms for Model Checking (2IMF35) - win.tue.nltimw/downloads/amc2017/lecture2.pdf · Algorithms for Model Checking (2IMF35) - =1=Lecture 2 Symbolic Model Checking for CTL (``Model

Model Checking Basics

Software Model Checking

LTL Model Checking

Introduction to Model Checking - Forsiden - … to Model Checking Shiva Nejati Simula Research Lab May 19, 2010 Saturday, May 15, 2010 Temporal Logic Model Checking Model checking

Model checking CTL

Optimizing CTL Model checking + Model checking TCTL