Model Checker In-The-Loop Flavio Lerda, Edmund M. Clarke Computer Science Department Jim Kapinski, Bruce H. Krogh Electrical & Computer Engineering MURI.

1 Model Checker In-The-Loop
Flavio Lerda, Edmund M. Clarke (Computer Science Department); Jim Kapinski, Bruce H. Krogh (Electrical & Computer Engineering)
MURI Review Meeting: Frameworks and Tools for High-Confidence Design of Adaptive, Distributed Embedded Control Systems. Berkeley, CA, September 6, 2007

2 Motivation
Designing control software is difficult:
- Designing software is difficult
- Interaction between the software and the plant
Simulation is not always sufficient:
- It is difficult to model the software accurately: concurrent tasks, user inputs
- It covers only some specific cases

3 Accomplishments
A tool that combines a software model checker with continuous-time plant models:
- The model checker uses simulation traces produced by MATLAB/Simulink
- The control code reacts to the plant at fixed sample times
- Simulation is used to determine the behavior of the plant between sampling instants

4 Accomplishments
More than simple simulation:
- A model checker is used to search efficiently for counterexamples
- Non-deterministic model
- Able to handle concurrency
- The software is modeled in detail
- Concurrency issues are evaluated more efficiently than by simulation

5 Accomplishments
Analyzed the Simulink model of the STARMAC quadrotor from the Stanford group:
- Designed a concurrent supervisory controller
- Detected a bug in our controller, due to the interleaving of concurrent tasks

6 System Model
The controller: discrete time; Stateflow diagrams; interleaving semantics
The plant: continuous time; Simulink model

7 Systematic Simulation
Simulation traces are not independent: they share common prefixes
- Explore a tree of simulations instead of a set of unrelated runs
- The model checker generates the traces
- Exploration can be done efficiently
(Figure: standard simulation, a set of independent traces, versus systematic simulation, a tree of traces with shared prefixes)

8 Trace Generation
- Finite set of initial states
- States are composed of both the controller state and the plant state
- Discrete transitions correspond to the controller
- Continuous transitions correspond to the plant; their duration is determined by the period of the tasks
- Traces are generated by alternating discrete and continuous transitions
(Figure: initial state, then alternating discrete transitions and continuous transitions)

9 Approximate Equivalence
Some simulation traces are similar:
- They reach a state near a previous simulation state: the same controller state and proximity of the plant state
- We expect the evolution to be similar to the previous trace

10 Approximate Equivalence
Heuristic approach: ignore traces that lead close to a previously visited point

11 Approximate Equivalence
Non-conservative: the ignored trace may lead to new behavior
Useful heuristic for efficiently searching for counterexamples [1]: dynamically choose a subset of simulations to perform, based on proximity
[1] J. Kapinski, O. Maler, O. Stursberg, and B. H. Krogh. On Systematic Simulation of Open Continuous Systems.

12 STARMAC Example
Supervisory controller constructed for the STARMAC: it flies the vehicle through a given sequence of waypoints
Safety property: the altitude is never lower than the minimum safe altitude (1 meter) unless the vehicle is taking off or landing
Modeled in Stateflow, but we assume the implementation uses interleaving semantics

13 Controller Tasks
Waypoint Tracking task:
- Checks the proximity to a waypoint
- Picks the next waypoint from a list
- Generates the next command
Waypoint Monitoring task:
- Checks if the altitude value of the next waypoint is less than 1.1 meters
- If so, it fixes the altitude command to be equal to 1.1 meters, unless it is the first or last waypoint
ADC task: samples the state of the environment
Command Latch task: maintains the command until the next waypoint is issued

14 STARMAC Example
(Figure: block diagram of the controller: Waypoint Tracking Task, Waypoint Monitoring Task, ADC Task, Command Latch Task)

15 Systematic Simulation
The controller is given the list of waypoints in the table below; one waypoint is below the minimum safe altitude.
The model checker generates a large number of traces: they represent different possible executions and correspond to the different interleavings of the tasks.
Waypoints:
WP1: z = 0
WP2: z = 1.2
WP3: z = 1.5
WP4: z = 0.5
WP5: z = 1.5
WP6: z = 0

16 Systematic Simulation
Only two traces are shown:
- The first trace satisfies the property: the STARMAC takes off, goes through the waypoints, and lands safely
- In the second one, the vehicle goes below the minimum safe altitude; the error is due to the particular interleaving of the tasks

17 Successful trace
Waypoints: WP1: z = 0; WP2: z = 1.2; WP3: z = 1.5; WP4: z = 0.5; WP5: z = 1.5; WP6: z = 0
- The fourth waypoint is below 1.1 meters
- The Waypoint Tracking task generates the invalid command
- The Waypoint Monitoring task corrects the value
- The UAV remains above the minimum altitude and lands safely

18 Counterexample (same waypoints as above)
- A different interleaving is possible at time t = 7.5
- The Waypoint Monitoring task executes first and sees a valid waypoint
- The Waypoint Tracking task then generates the invalid value
- The UAV receives the lower waypoint and flies below the minimum altitude
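The tree exploration of slides 7 to 11 and the task race of slides 13 to 18, as an added example that is not the authors' tool or the STARMAC Simulink model. The waypoint altitudes, the 1 m safety threshold and the 1.1 m monitor floor come from the slides; everything else is an assumption of this example: a task period of 0.5 s, a first-order altitude plant with a 1 m/s vertical speed limit standing in for the Simulink model, the shared-variable protocol between the four tasks (Tracking writes `cmd` and raises `new_cmd`, Monitoring rewrites `cmd`, Latch copies `cmd` when `new_cmd` is set), and proximity judged against the current command. Each period branches over all 24 interleavings of the tasks (the discrete transitions), then the plant is simulated for one period (the continuous transition); `delta` is the approximate-equivalence pruning distance.

```python
import itertools

# Constructed stand-in for the STARMAC plant and its four controller tasks.
# Waypoint altitudes, the 1 m safety threshold and the 1.1 m monitor floor are
# taken from the slides; every other constant is an assumption of this example.
WAYPOINTS = [0.0, 1.2, 1.5, 0.5, 1.5, 0.0]  # WP1..WP6 altitudes z [m]
MIN_SAFE_ALT = 1.0    # safety property threshold [m]
MONITOR_FLOOR = 1.1   # altitude the Waypoint Monitoring task substitutes [m]
PERIOD = 0.5          # assumed task period [s]
V_MAX = 1.0           # assumed vertical speed limit of the plant [m/s]
GAIN = 2.0            # assumed altitude-loop gain of the plant [1/s]
NEAR = 0.05           # assumed "waypoint reached" tolerance [m]
LAST = len(WAYPOINTS) - 1

class Ctrl:
    """Controller state shared by the tasks, which run one at a time (interleaving)."""
    def __init__(self):
        self.i = 0            # index of the current target waypoint
        self.z = 0.0          # last ADC sample of the altitude
        self.cmd = 0.0        # altitude command written by Waypoint Tracking
        self.latched = 0.0    # command held by Command Latch; the plant follows this
        self.new_cmd = False  # set when Tracking issues a waypoint, cleared by Latch

    def key(self):  # discrete part of the state, used for duplicate detection
        return (self.i, round(self.z, 3), round(self.cmd, 3), round(self.latched, 3), self.new_cmd)

    def copy(self):
        c = Ctrl()
        c.__dict__.update(self.__dict__)
        return c

def task_adc(c, plant_z):
    c.z = plant_z  # sample the environment

def task_tracking(c, plant_z):
    # Assumption: proximity is judged against the current altitude command, so a
    # command corrected by the monitor still counts as reached.
    if c.i < LAST and abs(c.z - c.cmd) < NEAR:
        c.i += 1
        c.cmd = WAYPOINTS[c.i]
        c.new_cmd = True

def task_monitor(c, plant_z):
    if 0 < c.i < LAST and c.cmd < MONITOR_FLOOR:  # not for the first or last waypoint
        c.cmd = MONITOR_FLOOR

def task_latch(c, plant_z):
    if c.new_cmd:  # hold the command until the next waypoint is issued
        c.latched, c.new_cmd = c.cmd, False

TASKS = {"ADC": task_adc, "Track": task_tracking, "Mon": task_monitor, "Latch": task_latch}

def plant_step(z, latched, steps=10):
    """Continuous transition over one period: Euler-integrate
    z' = clamp(GAIN * (latched - z), -V_MAX, V_MAX). Returns (z_end, z_min)."""
    h, z_min = PERIOD / steps, z
    for _ in range(steps):
        z += max(-V_MAX, min(V_MAX, GAIN * (latched - z))) * h
        z_min = min(z_min, z)
    return z, z_min

def unsafe(c, z_min):
    """Violation: below MIN_SAFE_ALT while neither taking off (WP1 -> WP2) nor landing."""
    return 1 < c.i < LAST and z_min < MIN_SAFE_ALT

def run_schedule(order, horizon=40):
    """Ordinary simulation with one fixed task order in every period.
    Returns (final waypoint index, lowest altitude outside takeoff and landing)."""
    c, z, worst = Ctrl(), 0.0, float("inf")
    for _ in range(horizon):
        for name in order:
            TASKS[name](c, z)
        z, z_min = plant_step(z, c.latched)
        if 1 < c.i < LAST:
            worst = min(worst, z_min)
    return c.i, worst

def systematic_simulation(horizon=40, delta=0.0, stop_at_first=True):
    """Depth-first exploration of the tree of traces. Each period branches over all
    24 interleavings of the tasks (discrete transitions) and then simulates the
    plant for one period (continuous transition). A successor whose plant state is
    within `delta` of an already visited one with the same discrete state is not
    explored: delta=0 is exact duplicate elimination, delta>0 is the slides'
    approximate-equivalence heuristic. Returns (first counterexample, nodes explored);
    a counterexample is the list of (time, task order) for each period."""
    visited, nodes, found = {}, 0, None
    stack = [(Ctrl(), 0.0, 0, [])]
    while stack:
        c, z, k, hist = stack.pop()
        nodes += 1
        if k >= horizon:
            continue
        for order in itertools.permutations(TASKS):
            c2 = c.copy()
            for name in order:
                TASKS[name](c2, z)
            z2, z_min = plant_step(z, c2.latched)
            hist2 = hist + [(round(k * PERIOD, 2), order)]
            if unsafe(c2, z_min):
                found = found or hist2
                if stop_at_first:
                    return found, nodes
                continue
            seen = visited.setdefault((k + 1, c2.key()), [])
            if any(abs(z2 - zs) <= delta for zs in seen):
                continue
            seen.append(z2)
            stack.append((c2, z2, k + 1, hist2))
    return found, nodes
```

`run_schedule(("ADC", "Track", "Mon", "Latch"))` is the successful trace of slide 17: the monitor corrects the 0.5 m command before it is latched and the vehicle lands. `systematic_simulation()` finds the counterexample of slide 18 without anyone guessing the bad order: every counterexample it returns contains a period in which Monitoring ran before Tracking (and so checked the previous, valid command) or Latch ran before Monitoring (and so held the uncorrected one). Calling it with `delta=0.05` and `stop_at_first=False` shows the heuristic's effect on the number of nodes explored; the same heuristic can also prune the one interleaving that exposes a bug, which is why the slides call it non-conservative.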

19 Conservative Approach
Approximate equivalence is a heuristic: it relies on the proximity of states at the current time, not of the future evolutions originating from these states
Conservative alternative: determine a set around each simulation state which is guaranteed to be safe
Special case: affine dynamics, bounded time

20 Safe Ellipsoidal Set
- For stable affine systems we can determine a Lyapunov function whose level sets are ellipsoids
- Given a trajectory from x0 to x1, consider a point y0 within a level set of the Lyapunov function centered around x0
- The trajectory starting at y0 ends at a point y1 within the corresponding level set centered around x1
- We can use the Lyapunov function to determine safe sets of states
- Efficient operations on ellipsoids
(Figure: ellipsoidal level sets around x0 and x1, with y0 inside the first and y1 inside the second)

21 Illustrative Example
Consider a UAV flying from an initial location to a waypoint. The flight path must avoid an unsafe region given by a minimum altitude. There is an external input to the system, the maximum vertical velocity, with two possible values V1 and V2.

22 (Figure: altitude versus negative vertical velocity, showing the initial location, the waypoint, the minimum altitude, and the two input values V1 and V2)
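The conservative check of slides 19 to 21 carried through on a constructed affine model, as an added example that is not from the slides. The plant is assumed to be a two-state altitude loop x = (z, v) with z' = v and v' = -K1 (z - z_wp) - K2 v, which is affine (x' = A x + b) and stable for the assumed gains; the real STARMAC dynamics and the two input values V1 and V2 are not modeled, and the check would simply be repeated once per input value. The argument behind it: for two trajectories x(t) and y(t) of the same affine system the difference e = y - x obeys e' = A e, so with P solving A^T P + P A = -I the quadratic V(e) = e^T P e is non-increasing. A start y0 with V(y0 - x0) <= c therefore stays within the level set c around the nominal trajectory for all t, and the lowest altitude that any such start can reach is the nominal altitude minus sqrt(c (P^-1)_11), the extent of the ellipsoid along the altitude axis. Only the nominal trajectory is simulated.

```python
import math

# Constructed 2-state affine altitude model (not the slides' STARMAC model):
# x = (z, v) with z' = v, v' = -K1*(z - z_wp) - K2*v, i.e. x' = A x + b.
K1, K2 = 1.0, 2.0  # assumed gains; both poles at s = -1, so the system is stable

def affine_system(z_wp):
    A = [[0.0, 1.0], [-K1, -K2]]
    b = [0.0, K1 * z_wp]
    return A, b

def solve_linear(M, rhs):
    """Gauss-Jordan elimination with partial pivoting for a small dense system."""
    n = len(rhs)
    M = [row[:] + [r] for row, r in zip(M, rhs)]
    for col in range(n):
        piv = max(range(col, n), key=lambda r: abs(M[r][col]))
        M[col], M[piv] = M[piv], M[col]
        for r in range(n):
            if r != col:
                f = M[r][col] / M[col][col]
                M[r] = [a - f * p for a, p in zip(M[r], M[col])]
    return [M[r][n] / M[r][r] for r in range(n)]

def lyapunov_matrix(A):
    """Symmetric P solving A^T P + P A = -I for a 2x2 A (three unknowns p11, p12, p22)."""
    (a11, a12), (a21, a22) = A
    rows = [[2 * a11, 2 * a21, 0.0],      # (1,1) entry of A^T P + P A
            [a12, a11 + a22, a21],        # (1,2) entry
            [0.0, 2 * a12, 2 * a22]]      # (2,2) entry
    p11, p12, p22 = solve_linear(rows, [-1.0, 0.0, -1.0])
    return [[p11, p12], [p12, p22]]

def lyap(P, e):
    """V(e) = e^T P e."""
    return P[0][0] * e[0] ** 2 + 2 * P[0][1] * e[0] * e[1] + P[1][1] * e[1] ** 2

def flow(A, b, x, t_end, h=0.01):
    """RK4 trajectory of x' = A x + b, returned as the list of states every h seconds."""
    def f(x):
        return [A[0][0] * x[0] + A[0][1] * x[1] + b[0], A[1][0] * x[0] + A[1][1] * x[1] + b[1]]
    xs = [x]
    for _ in range(int(round(t_end / h))):
        k1 = f(x)
        k2 = f([x[i] + h / 2 * k1[i] for i in range(2)])
        k3 = f([x[i] + h / 2 * k2[i] for i in range(2)])
        k4 = f([x[i] + h * k3[i] for i in range(2)])
        x = [x[i] + h / 6 * (k1[i] + 2 * k2[i] + 2 * k3[i] + k4[i]) for i in range(2)]
        xs.append(x)
    return xs

def altitude_extent(P, c):
    """Largest |z - z_nominal| over the ellipsoid {e : e^T P e <= c} = sqrt(c * (P^-1)_11)."""
    det = P[0][0] * P[1][1] - P[0][1] ** 2
    return math.sqrt(c * P[1][1] / det)

def certify_safe(x0, z_wp, c, t_end, z_min):
    """Conservative bounded-time check: simulate only the nominal trajectory from x0
    and subtract the ellipsoid's altitude extent at every step. If that lower bound
    never drops below z_min, every start y0 with (y0-x0)^T P (y0-x0) <= c is safe."""
    A, b = affine_system(z_wp)
    P = lyapunov_matrix(A)
    ext = altitude_extent(P, c)
    return all(x[0] - ext >= z_min for x in flow(A, b, x0, t_end))

def invariance_gap(x0, y0, z_wp, t_end):
    """Numerical check of the argument: max over the horizon of V(y(t)-x(t)) - V(y0-x0).
    Because the difference obeys e' = A e, this must never be positive."""
    A, b = affine_system(z_wp)
    P = lyapunov_matrix(A)
    xs, ys = flow(A, b, x0, t_end), flow(A, b, y0, t_end)
    v0 = lyap(P, [y0[0] - x0[0], y0[1] - x0[1]])
    return max(lyap(P, [y[0] - x[0], y[1] - x[1]]) - v0 for x, y in zip(xs, ys))
```

With the assumed gains P = [[1.5, 0.5], [0.5, 0.5]], so the altitude extent is exactly sqrt(c): `certify_safe([2.0, 0.0], 1.5, 0.04, 5.0, 1.0)` certifies a 0.2 m band around a descent from 2 m to a 1.5 m waypoint against a 1 m floor, while `c = 0.36` (a 0.6 m band) is correctly refused because the band reaches 0.9 m. Two caveats a practitioner should keep: the lower bound is evaluated at the integration grid points of the nominal trajectory, so the grid must be fine enough for the nominal altitude not to dip unobserved between them, and the whole argument needs the dynamics to be affine over the horizon, which a velocity saturation such as the V1/V2 limit of slide 21 breaks unless it is handled as separate affine modes.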

23 Conclusion
- How to use a software model checker for systematic simulation
- MATLAB/Simulink models the plant
- The model checker runs the code automatically generated from Stateflow
- A heuristic for ignoring traces that are similar
- Currently working on a conservative approach for affine systems

24 Future Work
- Develop the conservative approach
- Integrate with Vanderbilt's code generator
- Extend the results to unbounded time
- Use Lyapunov functions for non-linear systems

25 Questions?