Upload
others
View
7
Download
0
Embed Size (px)
Citation preview
Towards Compositional Feedback in Non-Deterministicand Non-Input-Receptive Systems
Stavros Tripakis1,2
Joint LICS’16 paper with Viorel Preoteasa2
Contributions to the RCRS framework also by Iulia Dragomir2
1UC Berkeley, USA2Aalto University, Finland
ExCAPE PI Meeting 2016
Motivation: compositional reasoning for Simulink
PowertrainControlBenchmarkModelToyotaTechnialCenter
2014
Thisisamodelofahybridautomatonwithpolynomialdynamics,andanimplementationofthe3rdmodelthatappearsin"PowertrainControlVerificationBenchmark",2014HybridSystems:ComputationandControl,X.Jin,J.V.Deshmukh,J.Kapinski,K.Ueda,andK.Butts
FuelControlSystemModel ThismodelusesonlytheODEstoimplementthedynamics.
3
controller_mode
1
A/F
1s
pe
1s
p
1s
lambda
1s
i
~=
~= ~=
StarupMode
PowerModeGuard
0.0
ODE4Open
f(u)
ODE4Closed
f(u)
ODE3
f(u)
ODE2
f(u)
ODE1
OR
f(u)
InputPoly
f(u)
FuelCmdOpenPwr
f(u)
FuelCmdOpen
f(u)
FuelCmdClosed
FaultInjection1:Failure0:Normal
theta[090]
pi/30
(rpm)to(rad/s)
2
enginespeed(rpm)[900,1100]
1
throttleinput(deg)[0,81.2]
AND
NOT
1.1s+1
Throttledelay1
8.8
Baseopeningangle
In Out
StartupModeLatch
In Out
SensorFailureDetectionLatch
boolean
boolean
2
airbyfuel_ref
~= double
14.7
12.5
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 2 / 16
Benchmark provided by Toyota
What does “compositional reasoning for Simulink” mean?
1 Be able to model basic Simulink blocks: constants, adders, integrators, ...
2 Be able to model arbitrary Simulink models: hierarchical block diagrams.
3 Be able to check compatibility: “lightweight verification”, akin totype-checking.
4 Be able to synthesize system from subsystems: compute componentcompositions bottom-up.
5 Be able to check substitutability: component refinement.
6 Be able to express and verify safety and liveness properties.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 3 / 16
What does “compositional reasoning for Simulink” mean?
1 Be able to model basic Simulink blocks: constants, adders, integrators, ...
2 Be able to model arbitrary Simulink models: hierarchical block diagrams.
3 Be able to check compatibility: “lightweight verification”, akin totype-checking.
4 Be able to synthesize system from subsystems: compute componentcompositions bottom-up.
5 Be able to check substitutability: component refinement.
6 Be able to express and verify safety and liveness properties.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 3 / 16
What does “compositional reasoning for Simulink” mean?
1 Be able to model basic Simulink blocks: constants, adders, integrators, ...
2 Be able to model arbitrary Simulink models: hierarchical block diagrams.
3 Be able to check compatibility: “lightweight verification”, akin totype-checking.
4 Be able to synthesize system from subsystems: compute componentcompositions bottom-up.
5 Be able to check substitutability: component refinement.
6 Be able to express and verify safety and liveness properties.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 3 / 16
Refinement Calculus of Reactive Systems (RCRS)[EMSOFT 2009, TOPLAS 2011, SPIN 2013, EMSOFT 2014, FPS 2014, SPIN 2016, LICS 2016]
Relational interfaces: symbolic, synchronous version of Alfaro-Henzinger’sinterface automata
Example: relational interface for division component
Div
x
yz contract: y 6= 0 ∧ z = xy
Can model non-input-receptive systems:
y 6= 0 ∧ z = xy instead of y 6= 0→ z =xy
RCRS:
Extends relational interfaces to handle liveness propertiesSemantics based on monotonic property transformersCan handle stateful systems, and continuous blocks by Euler discretization,e.g., Integrator: s′ = s+ x · dt
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 4 / 16
Refinement Calculus of Reactive Systems (RCRS)[EMSOFT 2009, TOPLAS 2011, SPIN 2013, EMSOFT 2014, FPS 2014, SPIN 2016, LICS 2016]
Relational interfaces: symbolic, synchronous version of Alfaro-Henzinger’sinterface automata
Example: relational interface for division component
Div
x
yz contract: y 6= 0 ∧ z = xy
Can model non-input-receptive systems:
y 6= 0 ∧ z = xy instead of y 6= 0→ z =xy
RCRS:
Extends relational interfaces to handle liveness propertiesSemantics based on monotonic property transformersCan handle stateful systems, and continuous blocks by Euler discretization,e.g., Integrator: s′ = s+ x · dt
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 4 / 16
Composition operators
Serial composition (∀-∃ synthesis inside!)
Ax
Bzy
Parallel composition (conjunction)
Ax y
Bz t
Feedback composition
Sx y
How to define feedback composition?
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 5 / 16
Composition operators
Serial composition (∀-∃ synthesis inside!)
Ax
Bzy
Parallel composition (conjunction)
Ax y
Bz t
Feedback composition
Sx y
How to define feedback composition?
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 5 / 16
“Easy” feedback: “broken” by unit delays
g
f
e c a1
Outport1
Inportz1
UnitDelayAdd
a(k) = c(k − 1)
No instantaneous cyclic dependency.
Handled in our earlier work on relational interfaces:Tripakis, Lickly, Henzinger, Lee. A Theory of Synchronous Relational Interfaces,
TOPLAS 2011.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 6 / 16
“Easy” feedback: “broken” by unit delays
g
f
e c a1
Outport1
Inportz1
UnitDelayAdd
a(k) = c(k − 1)
No instantaneous cyclic dependency.
Handled in our earlier work on relational interfaces:Tripakis, Lickly, Henzinger, Lee. A Theory of Synchronous Relational Interfaces,
TOPLAS 2011.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 6 / 16
“Not too hard” feedback
~=
~=
f(u)
Fuel Cmd Open Pwr
f(u)
Fuel Cmd Open
f(u)
Fuel Cmd Closed
Output of FuelCmdOpen does not depend on u6:
FuelCmdOpen(u1, u2, . . . , u7) =1
14.7(−0.366 + 0.08979u7u3 − 0.0337u7u32+ 0.0001u72u3)
No instantaneous cyclic dependency
Handled in recent work:Dragomir, Preoteasa, Tripakis. Compositional Semantics and Analysis of Hierarchical
Block Diagrams, SPIN 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 7 / 16
u1u2u3...u6u7
“Not too hard” feedback
~=
~=
f(u)
Fuel Cmd Open Pwr
f(u)
Fuel Cmd Open
f(u)
Fuel Cmd Closed
Output of FuelCmdOpen does not depend on u6:
FuelCmdOpen(u1, u2, . . . , u7) =1
14.7(−0.366 + 0.08979u7u3 − 0.0337u7u32+ 0.0001u72u3)
No instantaneous cyclic dependency
Handled in recent work:Dragomir, Preoteasa, Tripakis. Compositional Semantics and Analysis of Hierarchical
Block Diagrams, SPIN 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 7 / 16
u1u2u3...u6u7
“Not too hard” feedback
~=
~=
f(u)
Fuel Cmd Open Pwr
f(u)
Fuel Cmd Open
f(u)
Fuel Cmd Closed
Output of FuelCmdOpen does not depend on u6:
FuelCmdOpen(u1, u2, . . . , u7) =1
14.7(−0.366 + 0.08979u7u3 − 0.0337u7u32+ 0.0001u72u3)
No instantaneous cyclic dependency
Handled in recent work:Dragomir, Preoteasa, Tripakis. Compositional Semantics and Analysis of Hierarchical
Block Diagrams, SPIN 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 7 / 16
u1u2u3...u6u7
“Not too hard” feedback: solution
If we know the block’s internals and input-output dependencies:
u
x
f ′
f
v
y
then this feedback reduces to serial composition:
f ′
xf y
What if we don’t know the internals of the block?
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 8 / 16
“Not too hard” feedback: solution
If we know the block’s internals and input-output dependencies:
u
x
f ′
f
v
y
then this feedback reduces to serial composition:
f ′
xf y
What if we don’t know the internals of the block?
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 8 / 16
How to define general feedback?
Sx y
How to define feedback for any system S?
A non-trivial problem.
Even for deterministic and input-receptive systems.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 9 / 16
How to define general feedback?
Sx y
How to define feedback for any system S?
A non-trivial problem.
Even for deterministic and input-receptive systems.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 9 / 16
How to define general feedback?
Sx y
How to define feedback for any system S?
A non-trivial problem.
Even for deterministic and input-receptive systems.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 9 / 16
Feedback for deterministic and input-receptive systems
How to distinguish invalid feedbacks:
•
from valid ones:
0 •
Solution [Malik ’94]: fixpoint semantics, starting with unknown values(“bottom” ⊥).
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 10 / 16
Fixpoint semantics (also called constructive semantics)
¬⊥ = ⊥
⊥⊥•
Fixpoint stabilizes to ⊥: feedback is invalid.
⊥ ∧ 0 = 0
0
⊥0 •
Fixpoint stabilizes to 0: feedback is valid.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 11 / 16
Fixpoint semantics (also called constructive semantics)
¬⊥ = ⊥
⊥⊥•
Fixpoint stabilizes to ⊥: feedback is invalid.
⊥ ∧ 0 = 0
0
⊥0 •
Fixpoint stabilizes to 0: feedback is valid.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 11 / 16
Limitations of constructive semantics
It only applies to deterministic and input-receptive systems (i.e., totalfunctions)We also want to handle non-deterministic and non-input-receptive systems(partial relations).
There is no refinement in existing constructive semantics frameworks.We not only have refinement, we also want refinement to be preserved byfeedback.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 12 / 16
Limitations of constructive semantics
It only applies to deterministic and input-receptive systems (i.e., totalfunctions)We also want to handle non-deterministic and non-input-receptive systems(partial relations).
There is no refinement in existing constructive semantics frameworks.We not only have refinement, we also want refinement to be preserved byfeedback.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 12 / 16
Preservation of refinement by composition
We want feedback to be compositional, i.e., for a composition operator ◦:
If A v A′ (A′ refines A) and B v B′ then A ◦B v A′ ◦B′.
This property is necessary for substitutability.
In particular, for feedback, we want:If A v A′ then feedback(A) v feedback(A′).
This is not easy to achieve – usual definitions don’t work [TOPLAS 2011, FPS 2014,LICS 2016].
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 13 / 16
Preservation of refinement by composition
We want feedback to be compositional, i.e., for a composition operator ◦:
If A v A′ (A′ refines A) and B v B′ then A ◦B v A′ ◦B′.
This property is necessary for substitutability.
In particular, for feedback, we want:If A v A′ then feedback(A) v feedback(A′).
This is not easy to achieve – usual definitions don’t work [TOPLAS 2011, FPS 2014,LICS 2016].
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 13 / 16
Preservation of refinement by composition
We want feedback to be compositional, i.e., for a composition operator ◦:
If A v A′ (A′ refines A) and B v B′ then A ◦B v A′ ◦B′.
This property is necessary for substitutability.
In particular, for feedback, we want:If A v A′ then feedback(A) v feedback(A′).
This is not easy to achieve – usual definitions don’t work [TOPLAS 2011, FPS 2014,LICS 2016].
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 13 / 16
Results of LICS 2016 paper
1 Two feedback operators:
Instantaneous feedback: applies to stateless (“memoryless”) systems.Feedback with unit-delay: applies to stateful systems; instantaneousdependencies “broken” by a unit delay.
2 Both operators can handle non-deterministic and non-input-receptive systems.
3 Both operators proven to be compositional: they preserve refinement.
4 In the special case of deterministic and input-receptive systems, bothoperators specialize to the standard solutions (instantaneous feedbackspecializes to constructive semantics).
5 Serial composition = parallel composition followed by feedback.
A B =A
B
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 14 / 16
Results of LICS 2016 paper
1 Two feedback operators:
Instantaneous feedback: applies to stateless (“memoryless”) systems.Feedback with unit-delay: applies to stateful systems; instantaneousdependencies “broken” by a unit delay.
2 Both operators can handle non-deterministic and non-input-receptive systems.
3 Both operators proven to be compositional: they preserve refinement.
4 In the special case of deterministic and input-receptive systems, bothoperators specialize to the standard solutions (instantaneous feedbackspecializes to constructive semantics).
5 Serial composition = parallel composition followed by feedback.
A B =A
B
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 14 / 16
Results of LICS 2016 paper
1 Two feedback operators:
Instantaneous feedback: applies to stateless (“memoryless”) systems.Feedback with unit-delay: applies to stateful systems; instantaneousdependencies “broken” by a unit delay.
2 Both operators can handle non-deterministic and non-input-receptive systems.
3 Both operators proven to be compositional: they preserve refinement.
4 In the special case of deterministic and input-receptive systems, bothoperators specialize to the standard solutions (instantaneous feedbackspecializes to constructive semantics).
5 Serial composition = parallel composition followed by feedback.
A B =A
B
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 14 / 16
Toolset – downloadable from: rcrs.cs.aalto.fi
Simulinkdiagram
simulink2isabelle
options(-fp, -ic, ...)
Isabelletheory
Isabelle
simplified MPT
compatibility check
Python simulation code
Powertrain Control Benchmark ModelToyota Technial Center
2014
This is a model of a hybrid automaton with polynomial dynamics, and an implementation of the 3rd model that appears in"Powertrain Control Verification Benchmark", 2014 Hybrid Systems: Computation and Control,X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts
Fuel Control System Model This model uses only the ODEs to implement the dynamics.
3
controller_mode
1
A/F
1s
pe
1s
p
1s
lambda
1s
i
~=
~= ~=
Starup Mode
Power Mode Guard
0.0
ODE4 Open
f(u)
ODE4 Closed
f(u)
ODE3
f(u)
ODE2
f(u)
ODE1
OR
f(u)
InputPoly
f(u)
Fuel Cmd Open Pwr
f(u)
Fuel Cmd Open
f(u)
Fuel Cmd Closed
FaultInjection1: Failure0: Normal
theta [0 90]
pi/30
(rpm) to (rad/s)
2
engine speed (rpm)[900,1100]
1
throttle input (deg)[0, 81.2]
AND
NOT
1.1s+1
Throttle del ay1
8.8
Base opening angle
In Out
Startup Mode Latch
In Out
Sensor Failure Detection Latch
boolean
boolean
2
airbyfuel_ref~= double
14.7
12.5
RCRStheory
Another non-trivial problem: Translation of arbitrary block diagrams to termsusing the three primitive composition operators (serial, parallel, feedback).
See: Dragomir, Preoteasa, Tripakis. Compositional Semantics and Analysis ofHierarchical Block Diagrams, SPIN 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 15 / 16
rcrs.cs.aalto.fi
Toolset – downloadable from: rcrs.cs.aalto.fi
Simulinkdiagram
simulink2isabelle
options(-fp, -ic, ...)
Isabelletheory
Isabelle
simplified MPT
compatibility check
Python simulation code
Powertrain Control Benchmark ModelToyota Technial Center
2014
This is a model of a hybrid automaton with polynomial dynamics, and an implementation of the 3rd model that appears in"Powertrain Control Verification Benchmark", 2014 Hybrid Systems: Computation and Control,X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts
Fuel Control System Model This model uses only the ODEs to implement the dynamics.
3
controller_mode
1
A/F
1s
pe
1s
p
1s
lambda
1s
i
~=
~= ~=
Starup Mode
Power Mode Guard
0.0
ODE4 Open
f(u)
ODE4 Closed
f(u)
ODE3
f(u)
ODE2
f(u)
ODE1
OR
f(u)
InputPoly
f(u)
Fuel Cmd Open Pwr
f(u)
Fuel Cmd Open
f(u)
Fuel Cmd Closed
FaultInjection1: Failure0: Normal
theta [0 90]
pi/30
(rpm) to (rad/s)
2
engine speed (rpm)[900,1100]
1
throttle input (deg)[0, 81.2]
AND
NOT
1.1s+1
Throttle del ay1
8.8
Base opening angle
In Out
Startup Mode Latch
In Out
Sensor Failure Detection Latch
boolean
boolean
2
airbyfuel_ref~= double
14.7
12.5
RCRStheory
Another non-trivial problem: Translation of arbitrary block diagrams to termsusing the three primitive composition operators (serial, parallel, feedback).
See: Dragomir, Preoteasa, Tripakis. Compositional Semantics and Analysis ofHierarchical Block Diagrams, SPIN 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 15 / 16
rcrs.cs.aalto.fi
Thank you – questions?
Bibliography:
S. Tripakis, B. Lickly, T. A. Henzinger, and E. A. Lee.
A Theory of Synchronous Relational Interfaces.
ACM Transactions on Programming Languages and Systems (TOPLAS), 33(4), July 2011.
V. Preoteasa and S. Tripakis.
Refinement Calculus of Reactive Systems.
In Proceedings of the 14th ACM & IEEE International Conference on Embedded Software(EMSOFT’14), 2014.
I. Dragomir, V. Preoteasa, and S. Tripakis.
Compositional Semantics and Analysis of Hierarchical Block Diagrams.
In 23rd International SPIN symposium on Model Checking of Software (SPIN 2016), LNCS.Springer, 2016.
V. Preoteasa and S. Tripakis.
Towards Compositional Feedback in Non-Deterministic and Non-Input-Receptive Systems.
In 31st Annual ACM/IEEE Symposium on Logic in Computer Science (LICS), 2016.
Stavros Tripakis (Berkeley) Compositional Feedback in Non-Deterministic/Non-Input-Receptive Systems ExCAPE PI Meeting 2016 16 / 16
Motivation