Presentation is loading. Please wait.

Presentation is loading. Please wait.

LPV: a new technique, based on linear programming, to formally prove or disprove safety properties J-L Lambert, valiosys.

Published byLambert Evans Modified over 6 years ago

Similar presentations

Presentation on theme: "LPV: a new technique, based on linear programming, to formally prove or disprove safety properties J-L Lambert, valiosys."— Presentation transcript:

1 LPV: a new technique, based on linear programming, to formally prove or disprove safety properties
J-L Lambert, valiosys

2 Contents What is LPV ? LPV in details 1 An example LPV in details 2
LPV in brief The counter-example in real numbers LPV in details 1 The linear programming model The proof engine An example LPV in details 2 A completeness theorem The refinement process Conclusion 23/05/2018 2

3 What is LPV ?

4 LPV in brief LPV is a theorem prover
No state space exploration nor representation of the state space The performance depends on the complexity of the proof, not on the size of the system Based on linear programming computations Efficiency (polynomial time) Real numbers used (the gap between real numbers and integers is always the problem) High level modeling (state machines) LPV can generate counter-examples The technology is complete: if the proof fails there exists a counter-example Beware: the counter-example may not be a real one. It may be in real numbers 23/05/2018 4

5 What is a counter-example in real numbers ?
1/2 1/2 1/2 1/2 t=1 1/2 1/2 1/2 1/2 t=2 23/05/2018 5

6 What to do with counter-examples in real numbers ?
Real number counter-examples are the price to pay for having a polynomial and complete proof system Analyzing a counter-example allows to understand why the proof engine failed That analyze gives some indications on how the model can be modified to make the proof succeed The modification of the model is called the refinement the analysis is the refinement algorithm 23/05/2018 6

7 LPV in details 1

8 communicating automata synchronized by blocking rendez-vous
The model used The model is communicating automata synchronized by blocking rendez-vous c d a b c a d b 23/05/2018 8

9 The translation into linear equations
State e Variable X (e) Transition t Variable Y(t) b Message b Variable M(b) out State e’ Variable X (e’) 23/05/2018 9

10 The translation into linear equations
X (e) = S Y(t) in t exiting e One equation for each state M(b) = S Y(t) t emitting b One equation for each message and each automaton emitting the message X (e) = S Y(t) out t entering e One equation for each state S Y(t)=1 t in the automaton One equation for each automaton 23/05/

11 The epsilon transitions
The model is supposed to contain epsilon transitions: epsilon transitions carry no message each state carry one epsilon transition the epsilon transition has the same input and output state the epsilon transitions allow an automaton to do nothing a b c d epsilon transitions 23/05/

12 The linear system of equations generated
It has the form: X = AY M = BY X = CY 1 = DY in out _ And its integer solutions are the global transitions of the system where: X (e) = 1 iff the automaton is in the state e at the begining of the global transition M(b)=1 iff b is emitted Y(t) = 1 iff t is fired X (e)=1 iff the automaton is in the state e at the end of the global transition in out 23/05/

13 i.e. some states are empty in the final state
The proof engine The LPV proof engine works under the following assumptions: The system is described as communicating automata (following the lines mentionned previously) Each state of each automaton has an epsilon transition The initial state of the system is implicitely given by an equation: EXi = 0 (E positive) i.e. some states are empty in the initial state The objective is described as an additional constraint concerning the last state: FXf = 0 (F positive) i.e. some states are empty in the final state 23/05/

14 The first engine: interpretation
The first engine can be be interpreted as the computation of a set of states such that any transition entering the set must synchronize with one that exits it States e such that u(e) >0 23/05/

15 The first engine It computes a positive vector u (one component per state) such that: E.X =0 implies u.X=0 u.X = 0 X = AY M = BY X = CY 1 = DY in out _ implies u.X =0 u has the maximum number of non zero components 23/05/

16 The first engine: conclusion
The first engine proves that: The invariant u.X = 0 is satisfied on any sequence having Xi as initial state This leads to the conclusions: all the states of the system for which u(e) > 0 remain empty on any sequence satisfying the request If for all the states e of an automaton we have u(e) > 0 or F(e) > 0 then the final state must verify: S Xf (e) = 0 which is impossible In consequence we get that Either there is no possible final state for the request Or all the states of the system for which u(e) > 0 can be removed from the model e state of the automaton 23/05/

17 The second engine: interpretation
The second engine can be interpreted as the computation of a set of states such that any transition exiting the set must synchronize with one that enters it States e such that u(e) >0 23/05/

18 The second engine It computes a positive vector u (one component per state) such that: F.X =0 implies u.X=0 u.X = 0 X = AY M = BY X = CY 1 = DY out _ in implies u.X =0 u has the maximum number of non zero components 23/05/

19 The second engine: conclusion
The second engine proves that: The invariant u.X = 0 is satisfied on any sequence having Xf as final state This leads to the conclusions: all the states of the system for which u(e) > 0 remain empty on any sequence satisfying the request If for all the states e of an automaton we have u(e) > 0 or E(e) > 0 then the initial state must verify: S Xi (e) = 0 which is impossible In consequence we get that Either there is no possible initial state for the request Or all the states of the system for which u(e) > 0 can be removed from the model e state of the automaton 23/05/

20 The third engine: interpretation
Xi Xf C.X = b C.X < b C.X > b 23/05/

21 The third engine: interpretation
The third engine can be interpreted as the computation of a potential function that increases at each global transition of the system The value of that function is increased iff some specified transitions are fired Moreover that function is decreased between the initial and the final state 23/05/

22 The third engine It computes a vector C (one component per state)
and a vector V positive (one component per transition) such that: E.X=0, F.X’=0 implies C.X ≥ C.X’ X = AY M = BY X = CY 1 = DY out _ in implies C.X - C.X = V.Y V has the maximum number of non zero components 23/05/

23 The third engine: conclusion
The third engine proves that: The linear function C.X increases with any global transition of the system and strictly increases when a transition such that V(t) > 0 is fired This leads to the conclusions: all the transitions of the system for which V(t) > 0 cannot be fired in any sequence satisfying the request If the inequality C.Xi ≥ C.Xf is strict: C.Xi > C.Xf then the request is impossible In consequence we get that Either the request is impossible Or all the transitions of the system for which V(t) > 0 can be removed from the model 23/05/

24 Behaviour of the proof engine
While no result has been returned Choose one of the engines and apply it If the engine proves impossibility then Returns « proof done » Else suppress transitions or states If the three engines were tried and none of them suppressed a transition or a state then Returns « proof failed » The above process works in polynomial time wrt the number of transitions 23/05/

25 An example

26 An example E1 A1 A2 a ra b a rb ra E0 rb b B1 B2 E2 23/05/

27 An example: the first question
ra b a rb ra E0 rb b B1 B2 E2 The question is: Can the state: (A1,E1,B2) be reached ? 23/05/

28 An example: the first answer
ra b a rb ra E0 Q rb b B1 B2 E2 The answer is: no since the set: Q={B1,E2,E0,A2} cannot be emptied 23/05/

29 An example: the second question
ra b a rb ra E0 rb b B1 B2 E2 The question is: Can a state in: {(A1,E1,B2), (B1,E1,B2)} be reached ? 23/05/

30 An example: the second answer
ra b a rb ra E0 rb b B1 B2 E2 The answer is: no since the function: -2X(B1)-X(E0)+X(E1)-3X(E2)+2X(B2) is constant 23/05/

31 An example: the second answer
Xi Xf C.X = 0 3 C.X  1 C.X = -1 23/05/

32 LPV in details 2

33 The failure of the proof engine: a completeness theorem
When the proof engine fails in finding a proof, it provides an answer that is not simply « the proof failed » It can provide a counter-example showing why the proof failed The counter-example is composed of a number n and a real positive number solution of the system of equations: E.X = 0 _ X = AY M = BY X = CY 1 = DY i i-1 for i=1 to n: n F.X = 0 23/05/

34 Meaning of the counter-examples
A counter-example is a scenario on n steps contradicting the property: X 1 2 n-1 n Y M If the counter-example is in integers, it is a valid counter-example to the property If the counter-example is in real numbers one doesn’t know the status of the property 23/05/

35 What to do with counter-examples in real numbers ?
Real number counter-examples are the price to pay for having a polynomial and complete proof system Analyzing a counter-example allows to understand why the proof engine failed That analyze gives some indications on how the model can be modified to make the proof succeed The modification of the model is called the refinement the analysis is the refinement algorithm 23/05/

36 An example of refinement
b.0 c.0 a.0 b.0 d.0 0,5 0,5 a.1 b.1 c.0 a.1 b.0 c.1 a.1 b.1 d.0 a.1 b.0 d.1 0,5 0,5 a.0 b.1 c.1 a.0 b.1 d.1 a 0,5 1 c d 0,5 b 23/05/

37 Typical refinement situation
d.1 1/2b.0 1/2b.1 1/2b.1 1/b.0 On the refined system: c=0 and d=1 is impossible: a.0 a.1 c.0 d.1 b.0a.0 b.0a.1 b.1 23/05/

38 The refined system 1 a.0 b.0a.0 c.0 a.0 b.0a.0 d.0 a.1 b.1 c.0 a.1
a.1 b.1 c.0 a.1 b.0a.1 c.1 a.1 b.1 d.0 a.1 b.0a.1 d.1 a.0 b.1 c.1 a.0 b.1 d.1 a 1 c d b 23/05/

39 More general refinements
na b ma n n m¬a m m n(¬ a ¬ b) ca b ca b ca b a b c c c(¬ a ¬ b) 23/05/

40 Conclusion LPV is a new theorem prover
LPV manipulates new concepts that are not manipulated by other verification techniques LPV applies well at the level of communicating state machines LPV’s proof system works in polynomial time and is then scalable In case of failure, a counter-example is generated, this counter-example permits to modify the system and do the proof The refinement process is not polynomial time The success and scalability of LPV depends on both the adequacy of the underlying proof concepts and the description level of the model The linear invariants manipulated by LPV are often preserved by system complications 23/05/

Download ppt "LPV: a new technique, based on linear programming, to formally prove or disprove safety properties J-L Lambert, valiosys."

Similar presentations

The simplex algorithm The simplex algorithm is the classical method for solving linear programs. Its running time is not polynomial in the worst case.

The simplex algorithm The simplex algorithm is the classical method for solving linear programs. Its running time is not polynomial in the worst case.
1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.

1 Model checking. 2 And now... the system How do we model a reactive system with an automaton ? It is convenient to model systems with Transition systems.
6.1 Vector Spaces-Basic Properties. Euclidean n-space Just like we have ordered pairs (n=2), and ordered triples (n=3), we also have ordered n-tuples.

6.1 Vector Spaces-Basic Properties. Euclidean n-space Just like we have ordered pairs (n=2), and ordered triples (n=3), we also have ordered n-tuples.
1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.

1 Mechanical Verification of Timed Automata Myla Archer and Constance Heitmeyer Presented by Rasa Bonyadlou 24 October 2002.
ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Fall 2012 Cyber-Physical Systems Rodolfo Pellizzoni.
1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture15: Reductions Prof. Amos Israeli.
1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture12: Reductions Prof. Amos Israeli.
CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.

CPSC 411, Fall 2008: Set 12 1 CPSC 411 Design and Analysis of Algorithms Set 12: Undecidability Prof. Jennifer Welch Fall 2008.
© Love Ekenberg The Algorithm Concept, Big O Notation, and Program Verification Love Ekenberg.

© Love Ekenberg The Algorithm Concept, Big O Notation, and Program Verification Love Ekenberg.
Abstract Verification is traditionally done by determining the truth of a temporal formula (the specification) with respect to a timed transition system.

Abstract Verification is traditionally done by determining the truth of a temporal formula (the specification) with respect to a timed transition system.
ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.

ECE 720T5 Winter 2014 Cyber-Physical Systems Rodolfo Pellizzoni.
1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.

1 Program Correctness CIS 375 Bruce R. Maxim UM-Dearborn.
Section 4.1 Vectors in ℝ n. ℝ n Vectors Vector addition Scalar multiplication.

Section 4.1 Vectors in ℝ n. ℝ n Vectors Vector addition Scalar multiplication.
1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.

1 Inference Rules and Proofs (Z); Program Specification and Verification Inference Rules and Proofs (Z); Program Specification and Verification.
Pushdown Automata (PDAs)

Pushdown Automata (PDAs)
Dina Workshop Analysing Properties of Hybrid Systems Rafael Wisniewski Aalborg University.

Dina Workshop Analysing Properties of Hybrid Systems Rafael Wisniewski Aalborg University.
The Integers. The Division Algorithms A high-school question: Compute 58/17. We can write 58 as 58 = 3 (17) + 7 This forms illustrates the answer: “3.

The Integers. The Division Algorithms A high-school question: Compute 58/17. We can write 58 as 58 = 3 (17) + 7 This forms illustrates the answer: “3.
Lecture 81 Regional Automaton CS 5270 Lecture 8. Lecture 82 What We Need to Do Problem: –We need to analyze the timed behavior of a TTS. –The timed behavior.

Lecture 81 Regional Automaton CS 5270 Lecture 8. Lecture 82 What We Need to Do Problem: –We need to analyze the timed behavior of a TTS. –The timed behavior.
Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.

Introduction to Problem Solving. Steps in Programming A Very Simplified Picture –Problem Definition & Analysis – High Level Strategy for a solution –Arriving.
ECSE 6780- Software Engineering 1I - 1 - HO 4 © HY 2012 Lecture 4 Formal Methods A Library System Specification (Continued) From Specification to Design.

ECSE Software Engineering 1I HO 4 © HY 2012 Lecture 4 Formal Methods A Library System Specification (Continued) From Specification to Design.

Similar presentations

Ads by Google