ENES 489p
Verification and Validation: Logic and Control Synthesis
Mumu Xu [email protected]
November 18, 2014
Institute for Systems Research | Aerospace Engineering
University of Maryland, College Park
11/18/14 1
Table of Contents
• Verification and Validation
• Logic Synthesis
• Reactive Control Synthesis

*Slides from EECI2013 Lecture, T. Wongpiromsarn, U. Topcu, R.M. Murray
Verification vs. validation
• Verification: "Are we building the product right?"
  • The software should conform to its specification
• Validation: "Are we building the right product?"
  • The software should do what the user really requires
• V & V must be applied at each stage in the software process
• Two principal objectives
  • Discovery of defects in a system
  • Assessment of whether the system is usable in an operational situation
Basic Concepts
• Planning for V&V needs to begin in the early stages of requirements development
• Fundamental law of faults
  • Failure: externally visible incorrect behavior of a system
  • Error: incorrect internal state
  • Fault: mistake in a system which causes one or more errors and failures
• FIND AND FIX THE CAUSE OF FAILURES
Validation and Verification Plans
• Two ways to detect and remove defects
  • Consistency checking
  • Simulation
• Diversity and Redundancy
• Design Requirement: The weight of the item shall be less than or equal to 134 pounds
• Verification Requirement: The item weight shall be determined by a scale, the calibration for which is correct, with an accuracy of plus or minus 6 ounces. The item shall be placed on the scale located on a level, stable surface and a reading taken. The measured weight shall be less than 134 pounds and 11 ounces.
Verification Traceability Matrices

Design       | Verification Method            | Verification | Level of
Requirement  | Test | Analysis | Demo | Exam  | Requirement  | Application
-------------+------+----------+------+-------+--------------+------------
Req 1.1      |  X   |    …     |  …   |  …    |      …       |     …
Req 1.2      |  …   |    …     |  X   |  …    |      …       |     …
Req 1.3      |  …   |    X     |  …   |  …    |      …       |     …

Each design requirement is traced to the verification method that covers it (Test, Analysis, Demonstration or Examination), to the verification requirement that implements that method, and to the level at which the verification is applied.
Model Checking Process Flow

[Figure: the process flow of model checking]

Efficient model checking tools automate the process: SPIN, NuSMV, TLC, ...
Temporal Logic (A. Prior, 1950s)
• "Temporal" refers to the underlying nature of time
  • Linear
  • Branching
• Two key operators
  • <> (eventually): the property is satisfied at some point in the future
  • [] (always): the property is satisfied now and forever in the future
• Linear Temporal Logic (LTL)
  • Introduced in the 1970s (A. Pnueli)
  • Large collection of tools for specification, design, analysis
• Other temporal logics
  • CTL: Computation Tree Logic
  • TCTL: Timed CTL
  • MTL: Metric Temporal Logic (timed LTL)
  • TLA: Temporal Logic of Actions (Leslie Lamport)
  • μ-calculus: "least fixed point" operator
Linear Temporal Logic
Closed system synthesis

Closed system: behaviors are generated purely by the system itself, without any external influence.

Given:
• A transition system P
• An LTL formula φ
Compute: a path π of P such that π ⊨ φ

Example: P is the composition of two traffic lights. Its states are ⟨s0s0⟩ (labeled ∅), ⟨s1s0⟩ (labeled {g1}), ⟨s0s1⟩ (labeled {g2}) and ⟨s1s1⟩ (labeled {g1, g2}); the actions α1 and β1 switch light 1 to green and back to red, α2 and β2 do the same for light 2.

  φ = □¬(g1 ∧ g2) ∧ □◇g1 ∧ □◇g2

Sample paths of P:
  π1 = (⟨s0s0⟩⟨s1s0⟩⟨s1s1⟩⟨s0s1⟩)^ω   ✗  (⟨s1s1⟩ violates □¬(g1 ∧ g2))
  π2 = (⟨s0s0⟩⟨s0s1⟩)^ω                 ✗  (g1 never holds, so □◇g1 fails)
  π3 = (⟨s0s0⟩⟨s1s0⟩⟨s0s0⟩⟨s0s1⟩)^ω   ✓
Closed system synthesis: a "controls" interpretation

The controller C is a function
  C : M × S → Act
where M is the memory domain and S is the state space of P.
• The controller keeps some history of states in M
• It picks the next action for P such that the resulting path satisfies the specification (i.e., C constrains the paths the system can take); the closed loop is C driving P, with the state of P fed back to C and the path exposed as output y

For the traffic-light composition P, let M be a sequence of length 1, i.e., the controller keeps only the previous state. The controller

  C(∅, ⟨s0s0⟩)      = α1
  C(⟨s0s1⟩, ⟨s0s0⟩) = α1
  C(⟨s1s0⟩, ⟨s0s0⟩) = α2
  C(⟨s0s0⟩, ⟨s1s0⟩) = β1
  C(⟨s0s0⟩, ⟨s0s1⟩) = β2

restricts P to the single path

  π = (⟨s0s0⟩⟨s1s0⟩⟨s0s0⟩⟨s0s1⟩)^ω

and π ⊨ φ = □¬(g1 ∧ g2) ∧ □◇g1 ∧ □◇g2, where
  □¬(g1 ∧ g2): never (both lights green)        [safety]
  □◇g1:        always eventually light 1 green   [liveness]
  □◇g2:        always eventually light 2 green   [liveness]
A Solution Approach
• Closed system synthesis is a non-emptiness (satisfiability) problem: does P have a path whose trace is a word of φ?
• In synthesis, "interesting" behaviors are "good"; in verification, "interesting" behaviors are "bad"
• So construct a verification model and claim that
    Trace(P) ∩ Words(φ) = ∅
  • A counterexample to this claim (a negative verification result) is a path π of P that satisfies φ
  • A positive result means that no such path exists
Example: traffic lights

System model (asynchronous composition): P = TS1 ∥ TS2, where each TSi has the states s0: red (labeled ∅) and s1: green (labeled {gi}), with action αi from s0 to s1 and action βi from s1 to s0.

Specification:
  φ = □¬(g1 ∧ g2) ∧ □◇g1 ∧ □◇g2

Automaton A from LTL2BA, with L_ω(A) = Words(φ); states q0 (initial), q1 and q2 (accepting):
  q0 --¬(g1 ∧ g2)--> q0      q0 --g1 ∧ ¬g2--> q1
  q1 --¬(g1 ∧ g2)--> q1      q1 --¬g1 ∧ g2--> q2
  q2 --¬(g1 ∧ g2)--> q0      q2 --g1 ∧ ¬g2--> q1

SPIN code (Promela). Note that the never claim encodes A for φ itself, not for ¬φ: an acceptance cycle found by the verifier is therefore a path of P that satisfies φ.

  bool g1 = 0, g2 = 0;

  /* each light toggles between red (0) and green (1) */
  active proctype TL1() {
    do
    :: atomic{ g1 == 0 -> g1 = 1 }
    :: atomic{ g1 == 1 -> g1 = 0 }
    od
  }

  active proctype TL2() {
    do
    :: atomic{ g2 == 0 -> g2 = 1 }
    :: atomic{ g2 == 1 -> g2 = 0 }
    od
  }

  /* Buechi automaton A for phi, as emitted by LTL2BA */
  never {
  T0_init:
    if
    :: (!g1) || (!g2) -> goto T0_init
    :: (g1 && !g2)    -> goto T1_S1
    fi;
  T1_S1:
    if
    :: (!g1) || (!g2) -> goto T1_S1
    :: (!g1 && g2)    -> goto accept_S1
    fi;
  accept_S1:
    if
    :: (!g1) || (!g2) -> goto T0_init
    :: (g1 && !g2)    -> goto T1_S1
    fi;
  }

Run with spin -a traffic.pml && gcc -o pan pan.c && ./pan -a (the -a flag makes pan search for acceptance cycles); spin -t -p traffic.pml then replays the reported trail as the sequence of light states.
Solution to the traffic light problem

Solution from SPIN output (the acceptance cycle reported for the never claim, read back as a path of P):
  π = (⟨s0s0⟩⟨s1s0⟩⟨s0s0⟩⟨s0s1⟩⟨s0s0⟩⟨s0s1⟩)^ω

[Figure: the path traced on P: s0,s0 → s1,s0 → s0,s0 → s0,s1 → s0,s0 → s0,s1 → back to s0,s0]
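The non-emptiness check, carried out explicitly for the two-light model. This is an added example (not code from the slides, and not SPIN's own implementation): it builds P, transcribes the LTL2BA automaton from the slide, takes the product P × A and searches the product for a lasso through an accepting state, which is the same question pan answers with its nested depth-first search. It also evaluates φ directly on the three sample paths π1, π2, π3. Assumed encoding: a state of P is the pair (light1, light2) with 0 = red and 1 = green, and the automaton reads the label of the state that P moves into.

```python
"""Closed-system synthesis as Buechi non-emptiness for the two-traffic-light model."""
from collections import deque

RED, GREEN = 0, 1

def label(state):
    """L(state): the atomic propositions g1, g2 true in a state (light1, light2) of P."""
    return frozenset(f"g{i + 1}" for i, v in enumerate(state) if v == GREEN)

def successors(state):
    """Asynchronous composition: alpha_i / beta_i switch exactly one light per step."""
    for i in range(len(state)):
        nxt = list(state)
        nxt[i] = GREEN if state[i] == RED else RED
        yield tuple(nxt)

# Buechi automaton A with L_omega(A) = Words(phi), phi = []!(g1 & g2) & []<>g1 & []<>g2,
# transcribed from the LTL2BA output on the slide (q2 is the accepting state).
def not_both(L): return not {"g1", "g2"} <= L
def only_g1(L):  return "g1" in L and "g2" not in L
def only_g2(L):  return "g2" in L and "g1" not in L

BA_EDGES = {"q0": [(not_both, "q0"), (only_g1, "q1")],
            "q1": [(not_both, "q1"), (only_g2, "q2")],
            "q2": [(not_both, "q0"), (only_g1, "q1")]}
BA_INIT, BA_ACCEPT = "q0", {"q2"}

def ba_step(q, L):
    return [q2 for guard, q2 in BA_EDGES[q] if guard(L)]

def product_successors(ps):
    """Transitions of P x A: P moves to s', A reads L(s')."""
    s, q = ps
    for s2 in successors(s):
        for q2 in ba_step(q, label(s2)):
            yield (s2, q2)

def bfs_path(start, is_goal, succ):
    """Shortest non-empty path start -> ... -> goal (so start itself may be the goal, giving a cycle)."""
    parent, dq = {start: None}, deque([start])
    while dq:
        u = dq.popleft()
        for v in succ(u):
            if is_goal(v):
                path = [v, u]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            if v not in parent:
                parent[v] = u
                dq.append(v)
    return None

def synthesize_lasso(initial=(RED, RED)):
    """Return (prefix, cycle) as lists of P-states with prefix . cycle^omega |= phi,
    or None when Trace(P) and Words(phi) are disjoint (the 'positive' verification result)."""
    inits = [(initial, q) for q in ba_step(BA_INIT, label(initial))]
    seen, stack = set(inits), list(inits)
    while stack:                                   # reachable part of the product
        u = stack.pop()
        for v in product_successors(u):
            if v not in seen:
                seen.add(v); stack.append(v)
    for acc in sorted(s for s in seen if s[1] in BA_ACCEPT):
        cycle = bfs_path(acc, lambda v: v == acc, product_successors)
        if cycle is None:
            continue                               # accepting state not on a cycle
        for init in inits:
            prefix = [init] if init == acc else bfs_path(init, lambda v: v == acc, product_successors)
            if prefix is not None:
                return [s for s, _ in prefix[:-1]], [s for s, _ in cycle[:-1]]
    return None

def is_path_of_P(prefix, cycle):
    """Every consecutive pair of the lasso (including the wrap-around) is a transition of P."""
    seq = list(prefix) + list(cycle) + list(cycle[:1])
    return all(b in set(successors(a)) for a, b in zip(seq, seq[1:]))

def satisfies_phi(prefix, cycle):
    """Decide phi on a lasso directly: safety on every state, liveness on the states of the cycle."""
    safe = all(not_both(label(s)) for s in list(prefix) + list(cycle))
    live = any("g1" in label(s) for s in cycle) and any("g2" in label(s) for s in cycle)
    return safe and live

# The three sample paths from the slide (all periodic, so the prefix is empty).
PI1 = [(RED, RED), (GREEN, RED), (GREEN, GREEN), (RED, GREEN)]
PI2 = [(RED, RED), (RED, GREEN)]
PI3 = [(RED, RED), (GREEN, RED), (RED, RED), (RED, GREEN)]

if __name__ == "__main__":
    for name, pi in (("pi1", PI1), ("pi2", PI2), ("pi3", PI3)):
        print(name, "|= phi:", satisfies_phi([], pi))
    prefix, cycle = synthesize_lasso()
    print("synthesized path:", prefix, "(", cycle, ")^omega")
```

The search is breadth-first per accepting state rather than nested DFS because the product here has only a handful of states; the result is a lasso of P-states that both is_path_of_P and satisfies_phi confirm, the same shape as the trail SPIN reports.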
Example: Frog Puzzle (http://www.hellam.net/maths2000/frogs.html)
• Move all yellow frogs to the right side of the pond, and all brown frogs to the left side of the pond
• Frogs can only jump in the direction they are facing
• Frogs can either jump one rock forward if the rock is empty, or jump over a frog if the next rock has a frog on it and the rock after it is empty
Solving the frog puzzle as logic synthesis

• Rocks r0, r1, …, r6 with r_i ∈ {0, 1}: rock i is not occupied (0) or occupied (1)
• State of frog i: s(F_i) ∈ {s0, s1, …, s6}, the rock the frog sits on
• Transition system of frog i (F1, F2, F3 face right and start on s0, s1, s2; F4, F5, F6 face left and are the mirror image):
    s_j → s_{j+1}  when ¬r_{j+1}             (hop onto the empty next rock)
    s_j → s_{j+2}  when r_{j+1} ∧ ¬r_{j+2}   (jump over a frog onto the empty rock behind it)
  so for F1: s0 → s1 on ¬r1, s0 → s2 on r1 ∧ ¬r2, s1 → s2 on ¬r2, s1 → s3 on r2 ∧ ¬r3, …, s5 → s6 on ¬r6
• Overall system model: P = F1 ∥ F2 ∥ ⋯ ∥ F6
• Specification:
    φ = ◇ p,  with  p ≜ (s(F1), s(F2), s(F3) ∈ {s4, s5, s6} ∧ s(F4), s(F5), s(F6) ∈ {s0, s1, s2})
• Automaton A for φ: q0 --true--> q0, q0 --p--> q1, q1 --true--> q1, with q1 accepting; the product with P accepts exactly the paths that reach a p-state, so the synthesis problem is a reachability search
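The frog puzzle solved as synthesis for ◇p, as an added example (not code from the slides): the transition system P = F1 ∥ ⋯ ∥ F6 is generated from the jump rules on the fly and a path to a p-state is found by breadth-first search, which is what the product with the two-state automaton for ◇p reduces to. Assumed encoding: a state is the tuple (s(F1), …, s(F6)) of rock indices, with F1 to F3 facing right and F4 to F6 facing left; the rock occupancy r_i is derived from it.

```python
"""The frog puzzle as closed-system synthesis for phi = <>p."""
from collections import deque

ROCKS = 7                        # rocks r0 .. r6
RIGHT, LEFT = +1, -1
# F1..F3 (yellow) face right and start on s0,s1,s2; F4..F6 (brown) face left and start on s4,s5,s6
DIRECTION = (RIGHT, RIGHT, RIGHT, LEFT, LEFT, LEFT)
INITIAL = (0, 1, 2, 4, 5, 6)     # (s(F1), ..., s(F6)): the rock each frog sits on

def occupied(state):
    """r_i = 1 iff some frog sits on rock i."""
    return [i in state for i in range(ROCKS)]

def moves(state):
    """Transitions of P: one frog hops onto the empty next rock, or jumps over a
    frog onto the empty rock behind it.  Yields (frog index, successor state)."""
    r = occupied(state)
    for i, pos in enumerate(state):
        d = DIRECTION[i]
        one, two = pos + d, pos + 2 * d
        if 0 <= one < ROCKS and not r[one]:                     # s_j -> s_{j+1} when !r_{j+1}
            yield i, state[:i] + (one,) + state[i + 1:]
        if 0 <= two < ROCKS and r[one] and not r[two]:          # s_j -> s_{j+2} when r_{j+1} & !r_{j+2}
            yield i, state[:i] + (two,) + state[i + 1:]

def p(state):
    """The proposition p of the specification phi = <>p."""
    return (all(state[i] in (4, 5, 6) for i in range(3))
            and all(state[i] in (0, 1, 2) for i in range(3, 6)))

def synthesize(initial=INITIAL, goal=p):
    """Shortest path of P from initial to a state satisfying goal, as (states, moved frogs),
    or None if no p-state is reachable (the specification is unsatisfiable on P)."""
    parent = {initial: None}
    dq = deque([initial])
    while dq:
        s = dq.popleft()
        if goal(s):
            states, frogs = [s], []
            while parent[states[-1]] is not None:
                prev, frog = parent[states[-1]]
                states.append(prev); frogs.append(frog)
            return states[::-1], frogs[::-1]
        for frog, nxt in moves(s):
            if nxt not in parent:
                parent[nxt] = (s, frog)
                dq.append(nxt)
    return None

def render(state):
    """Draw the rocks: Y = right-facing frog, B = left-facing frog, . = empty rock."""
    row = ["."] * ROCKS
    for i, pos in enumerate(state):
        row[pos] = "Y" if DIRECTION[i] == RIGHT else "B"
    return "".join(row)

if __name__ == "__main__":
    states, frogs = synthesize()
    for s, f in zip(states, [None] + [f + 1 for f in frogs]):
        print(render(s), "" if f is None else f"(F{f} moved)")
    print(len(frogs), "moves")
```

Because the search is breadth-first, the returned path is a shortest solution; for three frogs per side that is 15 moves, and every intermediate state is a legal configuration of P.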
Open System Synthesis

An open system is a system whose behaviors can be affected by external influence: the environment E chooses the input x, and the plant P under the controller C produces the output y.

Open (synchronous) synthesis:
Given
• a system that describes all the possible actions
  - plant actions y are controllable
  - environment actions x are uncontrollable
• a specification φ(x, y)
find a strategy f for the controllable actions which will maintain the specification against all possible adversary moves, i.e.
  ∀x · φ(x, f(x))
The strategy is causal: at each time step the output may depend only on the inputs seen so far,
  y0 = f(x0),  y1 = f(x0 x1),  y2 = f(x0 x1 x2),  y3 = f(x0 x1 x2 x3),  …
Reactive Control Synthesis
Reactive System Synthesis

Reactive systems are open systems that maintain an ongoing interaction with their environment rather than producing an output on termination.

Consider the synthesis of a reactive system with input x and output y, specified by the linear temporal formula φ(x, y).
• The system contains 2 components, S1 (i.e., the "environment") and S2 (i.e., the "reactive module")
  - Only S1 can modify x
  - Only S2 can modify y
• Want to show that S2 has a winning strategy for y against all possible x scenarios the environment may present to it.
  - Two-person game: treat the environment as an adversary
    ‣ S2 does its best, by manipulating y, to maintain φ(x, y)
    ‣ S1 does its best, by manipulating x, to falsify φ(x, y)
• If a winning strategy for S2 exists, we say that φ(x, y) is realizable
The Runner-Blocker System

[Figure: the runner R, the blocker B and the Goal, left to right]

Runner R tries to reach the Goal. Blocker B tries to intercept and stop R.

[Figure: game tree of the runner-blocker system, leaves marked win / lose / lose]
Solving Reactive Control Synthesis
• Solution given as the winning set
• Winning set: the set of states starting from which there exists a strategy for S2 to satisfy the specification for all possible behaviors of S1
• A winning strategy can be constructed by saving the intermediate values of the winning-set computation
• Worst-case complexity is doubly exponential in the length of the specification
  • 1st exponent: specification to nondeterministic Büchi automaton (NBA)
  • 2nd exponent: convert the NBA into a deterministic Rabin automaton (DRA)
  • Similar to closed system synthesis: construct the product of the system and the DRA
  • Find the set of states starting from which all possible runs in the product automaton are accepting
• Lower complexity cases
  • For specifications of the form □p, ◇p, □◇p, ◇□p, a controller can be synthesized in O(N²), with N the size of the state space
Game Structures: Runner Blocker

Runner Blocker Example

[Figure: the arena, cells s0 to s4]

Game Structure G = (V, X, Y, θe, θs, ρe, ρs, AP, L, φ)
• X := {x}, Σ_X = {s0, s1, s2, s3, s4}      (blocker position, uncontrollable)
• Y := {y}, Σ_Y = {s0, s1, s3, s4}          (runner position, controllable)
• θe := (x = s2)
• θs := (y = s0)
• ρe := ((x = s2) ⟹ (x' ≠ s2)) ∧ ((x ≠ s2) ⟹ (x' = s2))
• ρs := ((y = s0 ∨ y = s4) ⟹ (y' = s1 ∨ y' = s3)) ∧ ((y = s1 ∨ y = s3) ⟹ (y' = s0 ∨ y' = s4)) ∧ (y' ≠ x')
• φ describes the winning condition, e.g., ◇(y = s4)

The transition relations encode the arena: the blocker alternates between the centre cell s2 and any other cell, the runner alternates between the end cells {s0, s4} and the side cells {s1, s3}, and the runner may never move onto the cell the blocker is moving to.
Runner Blocker Example

Play: an infinite sequence σ = s0 s1 … of system (blocker + runner) states such that s0 is a valid initial state and each (sj, sj+1) satisfies the transition relations of the blocker and the runner

Strategy: a function that gives the next runner state, given a finite number of previous system states of the current play, the current system state and the next blocker state

Winning state: a state starting from which there exists a strategy for the runner to satisfy the winning condition for all the possible behaviors of the blocker

Winning game: for any valid initial blocker state sx, there exists a valid initial runner state sy such that (sx, sy) is a winning state

Solving the game: identify the set of winning states
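Winning-set computation for the game structure above, as an added example (not code from the slides). ρe and ρs are transcribed from the definitions, the winning set for φ = ◇(y = s4) is computed as the least fixpoint W = φ ∪ CPre(W) (states from which, whatever the blocker does next, the runner has a reply into W), the round at which each state enters W is kept as its rank, and a strategy is read off by always replying with a move of lower rank. Assumed: the state space is all of Σ_X × Σ_Y, including pairs such as x = y that no play ever reaches; the blocker policy at the end is a constructed adversary used only to exercise the strategy.

```python
"""Solving the runner-blocker game for phi = <>(y = s4) by winning-set iteration."""

S0, S1, S2, S3, S4 = "s0", "s1", "s2", "s3", "s4"
SIGMA_X = (S0, S1, S2, S3, S4)          # blocker positions (environment variable x)
SIGMA_Y = (S0, S1, S3, S4)              # runner positions (system variable y)

def theta_e(x): return x == S2          # valid initial blocker position
def theta_s(y): return y == S0          # valid initial runner position

def rho_e(x):
    """Blocker moves: leave s2 when on it, otherwise return to s2."""
    return [x2 for x2 in SIGMA_X if (x2 != S2 if x == S2 else x2 == S2)]

def rho_s(y, x_next):
    """Runner moves: alternate between the end cells {s0,s4} and the side cells {s1,s3},
    never stepping onto the cell the blocker is moving to (y' != x')."""
    cand = (S1, S3) if y in (S0, S4) else (S0, S4)
    return [y2 for y2 in cand if y2 != x_next]

def phi(x, y):
    """Winning condition <>(y = s4): the runner stands on s4."""
    return y == S4

def winning_set():
    """W_0 = states satisfying phi; W_{k+1} = W_k + states from which every blocker move
    leaves the runner a reply into W_k.  Returns rank[state] = the round k the state entered."""
    states = [(x, y) for x in SIGMA_X for y in SIGMA_Y]
    rank = {v: 0 for v in states if phi(*v)}
    k = 0
    while True:
        k += 1
        new = [v for v in states if v not in rank and
               all(any((x2, y2) in rank for y2 in rho_s(v[1], x2)) for x2 in rho_e(v[0]))]
        if not new:
            return rank                 # fixpoint reached
        rank.update({v: k for v in new})

def strategy(rank, x, y, x_next):
    """Runner's reply from (x, y) once the blocker has chosen x_next: a legal move into the
    winning set of minimal rank, or None when (x, y) is not winning."""
    replies = [y2 for y2 in rho_s(y, x_next) if (x_next, y2) in rank]
    return min(replies, key=lambda y2: rank[(x_next, y2)]) if replies else None

def game_is_winning(rank):
    """For every valid initial blocker state there is a valid initial runner state in W."""
    return all(any((x, y) in rank for y in SIGMA_Y if theta_s(y))
               for x in SIGMA_X if theta_e(x))

def play(rank, blocker, x=S2, y=S0, rounds=10):
    """Simulate a play: the blocker moves first, the runner answers with the strategy."""
    trace = [(x, y)]
    while not phi(x, y) and len(trace) <= rounds:
        x2 = blocker(x, y)
        assert x2 in rho_e(x), "blocker move violates rho_e"
        y2 = strategy(rank, x, y, x2)
        if y2 is None:                  # losing position: take any legal move
            legal = rho_s(y, x2)
            if not legal:
                break
            y2 = legal[0]
        x, y = x2, y2
        trace.append((x, y))
    return trace

def blocker_guards_goal(x, y):
    """Constructed adversary: run to s4 whenever leaving s2, then come back."""
    return S4 if x == S2 else S2

if __name__ == "__main__":
    rank = winning_set()
    for v in sorted(rank, key=lambda v: (rank[v], v)):
        print(v, "rank", rank[v])
    print("game winning from theta:", game_is_winning(rank))
    print("play:", play(rank, blocker_guards_goal))
```

From the initial state (x, y) = (s2, s0) the runner wins in two rounds whatever the blocker does, so the game is winning; the states (s2, s1) and (s2, s3), by contrast, are not in W, because from them the blocker can step onto s4 and force the runner back to s0 forever.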
Richard M. Murray, Caltech CDS, EECI, Mar 2013

Solving Game Structures

General solutions are hard
• Worst-case complexity is doubly exponential in the length of the specification

Special cases are easier
• For a specification of the form □p, ◇p, □◇p or ◇□p, the controller can be synthesized in O(N²) time, where N is the size of the state space

Another special case: GR(1) formulas
  φ = (□◇p1 ∧ … ∧ □◇pm)  ⟹  (□◇q1 ∧ … ∧ □◇qn)
      \________ φe ________/      \________ φs ________/

Thm (Piterman, Pnueli, Sa'ar, 2007): a game structure G with a GR(1) winning condition can be solved by a symbolic algorithm in time proportional to (n m |Σ_V|)³

More useful form:
• Can show that this can be "converted" to GR(1) form