Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems
Alessandro Cimatti, Sergio Mover, Stefano Tonetta
Fondazione Bruno Kessler
October 31, 2011
Sergio Mover (FBK)
Unfeasibility and Explanations of MSC
October 31, 2011
1 / 28
Motivations

Hybrid systems mix discrete (e.g. hardware) and continuous (e.g. sensor) behaviors. They appear in complex critical systems: train control system (ETCS), airplane traffic control system (TCAS), ...

[Figure: network of components. Rod1 and Rod2 have the locations Ready (ẋ ∈ [0.9, 1.1], invariant TRUE), In (ẋ ∈ [0.9, 1.1], x ≤ 5.9) and Recovering (ẋ ∈ [0.9, 1.1], x ≤ 16), initially x = 0; transitions Ready --Add_i / x' := 0--> In, In --Remove_i / x' := 0--> Recovering, Recovering --x ≥ 16 / τ / x' := x--> Ready. The Controller has the locations No Rod (ẋ ∈ [0.9, 1.1], x ≤ 16), Rod 1 and Rod 2 (ẋ ∈ [0.9, 1.1], x ≤ 5.9), initially x = 0; transitions No Rod --x ≥ 16 / Add_i / x' := 0--> Rod i and Rod i --x ∈ [5, 5.9] / Remove_i / x' := 0--> No Rod. Rod1 and the Controller synchronize on Add1, Remove1; Rod2 and the Controller on Add2, Remove2.]

Scenario-verification: is there a run of the system compatible with the scenario? If such a run exists, the scenario is feasible.

[Figure: an MSC over the instances Rod1, Controller and Rod2 with the messages Add1, Rem1, Add2, Rem2, Add1, Rem1 in that order, and the timing constraints time ≤ 19, time ≥ 19 and time ≥ 80 attached along the chart.]
Motivations

Existing approaches:
1. Reduction to reachability: can prove both feasibility and unfeasibility, but is inefficient.
2. Scenario-based encoding [CAV11]: efficient, but cannot prove unfeasibility.

Our contribution is an SMT-based technique that:
- efficiently proves unfeasibility;
- extracts explanations for the unfeasibility.
Outline

1. Background: SMT analysis of hybrid systems; scenario verification
2. Proving the unfeasibility of scenarios
3. Explanations of unfeasibility
4. Experimental evaluation
5. Conclusions and future work
Hybrid Automata

Hybrid automata ([Henzinger 96]) are a framework for representing hybrid systems: discrete, instantaneous mode switches, and continuous evolution according to flow conditions.

[Figure: the Rod1 automaton (locations Ready, In and Recovering, as above) next to a sample run, plotted as the value of x and the current location (Recovering, In, Ready) against time.]
Hybrid Automata Network

A network of hybrid automata H = H1 || ... || Hn: the automata move asynchronously on local events (τ) and synchronize on shared events.

[Figure: the network of Rod1, Rod2 and Controller described above; Rod1 shares Add1, Remove1 with the Controller and Rod2 shares Add2, Remove2.]

Different semantics:
1. Global-time ([Henzinger 96]).
2. Local-time ([Bengtsson 98]).
Local-time semantics

Time evolves independently in each automaton (local time scale); the continuous evolution is a local transition. The local times of the automata must agree on synchronizations and at the end of a run.

[Figure: two automata A and B interleaving local τ steps, each carrying its own local time stamps, and meeting at the shared synchronization points.]

τ = local event (no stutter or time).
SMT analysis of Hybrid Systems

Each automaton is encoded in a symbolic transition system H_i = ⟨Init_i, Trans_i⟩.

Bounded model checking: [Figure: the unrollings BMC_{H1}(k) and BMC_{H2}(k), one copy T^1, T^2, T^3, T^4, ..., T^k of the transition relation per step.]

k-induction:
- Base case: BMC up to k.
- Inductive case: BMC and simple path condition up to k + 1.

SMT solvers are used as the decision procedure.
Constrained Message Sequence Charts

⟨m, φ⟩: a message sequence chart m with constraints φ.
- m: parallel composition of instances.
- φ = φg ∧ φ1 ∧ ... ∧ φn: formulas over the network variables at the synchronizations.
  - Global (φg): over all the network variables.
  - Local (φi): over the variables of Hi.

[Figure: the CMSC of the motivating example: instances Rod1, Controller, Rod2; messages Add1, Rem1, Add2, Rem2, Add1, Rem1; constraints time ≤ 19, time ≥ 19, time ≥ 80.]
MSC verification via reachability

The CMSC is translated into a monitor automaton S_m, which is composed with the network. This enables off-the-shelf verification techniques: BMC for feasibility, k-induction for unfeasibility.

[Figure: an MSC m = σ1 || σ2 || σ3 || σ4 with the messages A, B, C, D, and its monitor automaton. Each monitor state is a cut of the MSC, a tuple ⟨l1, l2, l3, l4⟩ of per-instance positions, starting from ⟨l1^0, l2^0, l3^0, l4^0⟩; a message transition advances the positions of its two instances, independent messages (A and B) give both interleavings, and every state has a τ self-loop for local steps of the network. The animation highlights the cuts ⟨l1^0, l2^0, l3^0, l4^0⟩, ⟨l1^1, l2^1, l3^0, l4^0⟩, ⟨l1^1, l2^1, l3^1, l4^1⟩, ⟨l1^1, l2^1, l3^2, l4^2⟩ and the final cut ⟨l1^1, l2^2, l3^3, l4^2⟩ in turn.]
Scenario-based encoding

For all the automata:
1. Fix the position of the shared events (transitions are simplified with respect to the shared event).
2. Add the synchronization constraints.
3. Encode the "local segments" (transitions are simplified with respect to τ).

[Figure: the CMSC Rod1 / Controller / Rod2 with Add1, Rem1, Add2, unrolled per instance. Each instance's path alternates local segments (sequences of τ steps) with its shared events Add1, Rem1, Add2, and synchronization constraints tie the matching occurrences of each shared event across instances.]
Efficient unfeasibility check

                 Reduction to reachability     SMT-based approach
  Feasibility    BMC (inefficient)             Scenario-driven encoding (efficient)
  Unfeasibility  k-induction (inefficient)     Partitioned k-induction (efficient)
Partitioned k-induction: algorithm

- Inductive step: proved incrementally, following the partial order of the MSC.
- Base case: bounded feasibility check.
- Unfeasible iff UNSAT.

[Animation: on the CMSC Rod1 / Controller / Rod2 with Add1, Rem1, Add2 (then Rem2), the inductive step grows a simple path instance by instance. A local segment is extended one τ step at a time; each extension is a query answered either "SAT: new states are reachable" (the simple path is extended) or "UNSAT: no new states are reachable" (the segment is closed). The next shared event (Add1, then Rem1, then Add2, Rem2, ...) is added once the segments leading to it are closed, and the process continues along the partial order of the MSC.]
Explanations of unfeasibility

Typical use case: we expect a scenario to be feasible, but the analysis proves that it is unfeasible in the network. How do we explain the unfeasibility? We extract three types of explanations.
Unfeasibility due to a component

Explained with a formula that:
- is required by the component when simulating its MSC events;
- is not consistent with the other components when they simulate the events of the MSC.

It is the interpolant of A and B, where A is the encoding of the component and its MSC events and B is the encoding of the other components and their MSC events.

[Figure: the network and the CMSC of the motivating example (Add1 with time ≤ 19, Rem1, Add2 with time ≥ 19, Rem2, Add1 with time ≥ 80, Rem1); the explanation shown in the figure is Δtime ≤ 379/9.]
Unfeasibility due to the network

Explained with a formula that:
- is required by the network when simulating the MSC;
- is not consistent with the additional constraints of the MSC.

It is the interpolant of A and B, where A is the encoding of the network and the MSC and B is the set of CMSC constraints.

[Figure: the same network and CMSC; the explanation shown in the figure is Δtime ≤ 146/3.]
Inconsistent subset of the CMSC

A subset of the original CMSC that is still unfeasible with the network, extracted from the unsatisfiable core of the encoding.

[Figure: an MSC over the instances σ1, ..., σ5 with the messages A, B, C, D; the highlighted messages form the inconsistent subset.]
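Both the reduction to reachability (the CMSC as a monitor automaton composed with the network, BMC for feasibility and k-induction for unfeasibility) and the extraction of a still-unfeasible subset of the scenario can be tried on a small model. The Python below is an added example written for this page; it is not the authors' tool and not NuSMV or MathSAT code. It replaces the SMT solver by explicit enumeration of a deliberately tiny, constructed model, so every modelling choice is an assumption of mine: a single rod plus the controller, discrete time with every rate fixed to 1 instead of ẋ ∈ [0.9, 1.1], thresholds scaled down (FULL = 4 for the slides' 16, REM = 1 for the Remove window [5, 5.9]), global time saturating at T_MAX above every bound used, and scenarios whose shared events carry [lo, hi] bounds on global time. The base case is BMC from the initial state. The inductive step searches, from an arbitrary state, for a simple path of k+1 transitions whose last state is the first in which the monitor has consumed the whole scenario; the scenario is unfeasible as soon as that step is UNSAT. The last function stands in for the solver's unsatisfiable core with deletion-based minimisation of the time bounds: it keeps exactly the bounds without which the scenario would become feasible.

```python
from collections import namedtuple
from itertools import product

FULL, REM = 4, 1   # stand-ins for the slides' threshold 16 and Remove window [5, 5.9]
T_MAX = 21         # global time saturates here, above every bound used below
INF = T_MAX        # "no upper bound" on the time of an event
# controller location/clock, rod location/clock, monitor position, global time
State = namedtuple("State", "cl cx rl rx pos t")
INIT = State("NoRod", 0, "Ready", 0, 0, 0)
# constructed CMSCs: shared events in order, each with [lo, hi] bounds on global time
SCENARIO_UNFEASIBLE = [("Add1", 0, 5), ("Rem1", 0, INF), ("Add1", 20, INF)]
SCENARIO_FEASIBLE = [("Add1", 0, 5), ("Rem1", 0, INF), ("Add1", 9, INF)]

def successors(s, scenario):
    """Transitions of network || monitor enabled in state s."""
    out = []
    # one time unit at rate 1: every location invariant must still hold afterwards
    ctrl_ok = s.cx + 1 <= (FULL if s.cl == "NoRod" else REM)
    rod_ok = {"Ready": True, "In": s.rx + 1 <= REM, "Recovering": s.rx + 1 <= FULL}[s.rl]
    if ctrl_ok and rod_ok:
        rx = min(s.rx + 1, FULL) if s.rl == "Ready" else s.rx + 1  # Ready never reads x
        out.append(s._replace(cx=s.cx + 1, rx=rx, t=min(s.t + 1, T_MAX)))
    # local event tau of the rod: Recovering -> Ready once x >= FULL, with x' := x
    if s.rl == "Recovering" and s.rx >= FULL:
        out.append(s._replace(rl="Ready"))
    exp = scenario[s.pos] if s.pos < len(scenario) else None
    def accepts(ev):  # monitor: only the next expected event, inside its time bounds
        return exp is not None and exp[0] == ev and exp[1] <= s.t <= exp[2]
    if s.cl == "NoRod" and s.cx >= FULL and s.rl == "Ready" and accepts("Add1"):
        out.append(State("Rod1", 0, "In", 0, s.pos + 1, s.t))
    if s.cl == "Rod1" and s.cx >= REM and s.rl == "In" and accepts("Rem1"):
        out.append(State("NoRod", 0, "Recovering", 0, s.pos + 1, s.t))
    return out

def all_states(scenario):
    """Every syntactic state, reachable or not: the inductive step ranges over all."""
    return (State(*v) for v in product(("NoRod", "Rod1"), range(FULL + 1), ("Ready", "In",
            "Recovering"), range(FULL + 1), range(len(scenario) + 1), range(T_MAX + 1)))

def bmc(scenario, k):
    """Base case: shortest run of <= k transitions from INIT to a target state, or None."""
    frontier, seen = [[INIT]], {INIT}
    for _ in range(k + 1):
        nxt = []
        for path in frontier:
            if path[-1].pos == len(scenario):   # monitor consumed the whole scenario
                return path
            for s2 in successors(path[-1], scenario):
                if s2 not in seen:
                    seen.add(s2)
                    nxt.append(path + [s2])
        frontier = nxt
    return None

def inductive_step(scenario, k, preds):
    """Simple path of k+1 transitions, starting anywhere, whose last state is a
    target and whose other states are not; None means the step is UNSAT."""
    n = len(scenario)
    def extend(path, depth):  # path[0] is the earliest state found so far
        if depth == 0:
            return path
        for p in preds.get(path[0], ()):
            if p.pos != n and p not in path:
                found = extend([p] + path, depth - 1)
                if found:
                    return found
        return None
    for tgt in all_states(scenario):
        if tgt.pos == n:
            witness = extend([tgt], k + 1)
            if witness:
                return witness
    return None

def k_induction(scenario, max_k=40):
    """("feasible", run), ("unfeasible", k) or ("unknown", None)."""
    preds = {}
    for s in all_states(scenario):
        for s2 in successors(s, scenario):
            preds.setdefault(s2, []).append(s)
    for k in range(max_k + 1):
        run = bmc(scenario, k)
        if run is not None:
            return "feasible", run
        if inductive_step(scenario, k, preds) is None:
            return "unfeasible", k
    return "unknown", None

def minimal_unfeasible_subset(scenario):
    """Deletion-based stand-in for the solver's unsat core: drop each time bound
    in turn and keep it only if the scenario becomes feasible without it."""
    core = list(scenario)
    for i, (name, _, _) in enumerate(scenario):
        relaxed = core[:i] + [(name, 0, INF)] + core[i + 1:]
        if k_induction(relaxed)[0] == "unfeasible":
            core = relaxed
    return core
```

On the constructed scenarios, k_induction(SCENARIO_UNFEASIBLE) returns ("unfeasible", 8): the controller's invariant in No Rod forces the second Add1 at time 9, so the bound time ≥ 20 can never be met, and no simple path of 9 transitions can end in a completed scenario. k_induction(SCENARIO_FEASIBLE) is settled by BMC with a run of 13 transitions. minimal_unfeasible_subset keeps only the time ≥ 20 bound, the analogue of the slides' inconsistent subset. The monolithic step here grows one path over the whole product, which is exactly the cost the partitioned variant on slide 17 avoids by closing each local segment of the MSC separately.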
Experimental Evaluation

Implementation: the approach is implemented on top of the NuSMV model checker, using the MathSAT SMT solver.

Settings: linear hybrid automata benchmarks; several handcrafted (unsatisfiable) MSCs; the dimension of the benchmarks (number of automata, length of the MSCs) is scaled up.

Comparison: MSC partitioned k-induction vs. monolithic k-induction on the system composed with the monitor automaton.
Partitioned k-induction vs. monolithic k-induction (run times)

[Figure: scatter plot of run times in seconds, monolithic k-induction on the x axis against partitioned k-induction on the y axis, both on a log scale from 0.1 to 1000, with a "to" (timeout) mark beyond 1000.]
Conclusions and future work

- An efficient approach for proving the unfeasibility of CMSCs: the encoding exploits the structure of the CMSC; partitioned k-induction.
- Unfeasibility explanations: useful to localize and correct errors; extracted by exploiting the SMT solver's functionalities.

Future work:
- More expressive MSCs (e.g. partial MSC specifications).
- Validate the extracted explanations with real users.
- An automatic refinement loop in the abstraction.
- Non-linear hybrid systems.

Thank you for your attention.