Page 1

ENES 489p

Verification and Validation: Logic and Control Synthesis

Mumu Xu [email protected]

November 18, 2014

Institute for Systems Research | Aerospace Engineering

University of Maryland, College Park

11/18/14 1

Page 2

Table of Contents
• Verification and Validation
• Logic Synthesis
• Reactive Control Synthesis

*Slides from EECI2013 Lecture, T. Wongpiromsarn, U. Topcu, R.M. Murray

Page 3

Verification vs. validation
• Verification: "Are we building the product right?"
  • The software should conform to its specification
• Validation: "Are we building the right product?"
  • The software should do what the user really requires
• V & V must be applied at each stage in the software process
• Two principal objectives
  • Discovery of defects in a system
  • Assessment of whether the system is usable in an operational situation

Page 4

Basic Concepts
• Planning for V&V needs to begin in the early stages of requirements development
• Fundamental law of faults
  • Failure: externally visible incorrect behavior of a system
  • Error: incorrect internal state
  • Fault: mistake in a system which causes one or more errors and failures
  • FIND AND FIX THE CAUSE OF FAILURES

Page 5

Validation and Verification Plans
• Two ways to detect and remove defects
  • Consistency checking
  • Simulation
• Diversity and Redundancy
• Design Requirement: Weight of the item shall be less than or equal to 134 pounds
• Verification Requirement: The item weight shall be determined by a scale, the calibration for which is correct, with an accuracy of plus or minus 6 ounces. The item shall be placed on the scale located on a level, stable surface and a reading taken. The measured weight shall be less than 134 pounds and 11 ounces.

Page 6

Verification Traceability Matrices

Design Requirement | Verification Method (Test / Analysis / Demo / Exam) | Verification Requirement | Level of Application
Req 1.1            | X (Test)                                            | …                        | …
Req 1.2            | … X …                                               | …                        | …
Req 1.3            | … X …                                               | …                        | …

Page 7

Model Checking Process Flow

[figure: the process flow of model checking]

Efficient model checking tools automate the process: SPIN, nuSMV, TLC, ...

Page 8

Temporal Logic (A. Prior, 1950s)
• "Temporal" refers to the underlying nature of time
  • Linear
  • Branching
• Two key operators
  • <> eventually – property satisfied at some point in the future
  • [] always – property satisfied now and forever in the future
• Linear Temporal Logic (LTL)
  • Introduced in the 1970s (A. Pnueli)
  • Large collection of tools for specification, design, analysis
• Other temporal logics
  • CTL – Computation Tree Logic
  • TCTL – Timed CTL
  • MTL – Metric Temporal Logic (timed LTL)
  • TLA – Temporal Logic of Actions (Leslie Lamport)
  • μ-calculus – "least fixed point" operator

Page 9

Linear Temporal Logic

[figure]

Page 10

Logic (closed system) Synthesis
• Closed system: behaviors are generated purely by the system itself, without any external influence
• Given:
  • A transition system P
  • An LTL formula $\varphi$
• Compute:
  • A path $\pi$ of P such that $\pi \models \varphi$

Example: P is the composition of two traffic lights, with states $\langle s_0 s_0\rangle$ (labeled $\emptyset$), $\langle s_1 s_0\rangle$ (labeled $\{g_1\}$), $\langle s_0 s_1\rangle$ (labeled $\{g_2\}$) and $\langle s_1 s_1\rangle$ (labeled $\{g_1, g_2\}$); light 1 switches with actions $\alpha_1$ (red to green) and $\beta_1$ (green to red), light 2 with $\alpha_2$ and $\beta_2$. [figure]

$\varphi = \Box\neg(g_1 \wedge g_2) \wedge \Box\Diamond g_1 \wedge \Box\Diamond g_2$

Sample paths of P:

$\pi_1 = (\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_1 s_1\rangle\langle s_0 s_1\rangle)^\omega$

$\pi_2 = (\langle s_0 s_0\rangle\langle s_0 s_1\rangle)^\omega$

$\pi_3 = (\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_0 s_0\rangle\langle s_0 s_1\rangle)^\omega$

Page 11

A "Controls" Interpretation (closed system synthesis)
• Controller C is a function $C : M \times S \to Act$, where M is the memory domain, S the state space of P and Act its set of actions
• The controller keeps some history of states
• It picks the next action for P such that the resulting path satisfies the specification (i.e., C constrains the paths the system can take)

[figure: controller C in closed loop with P, output y]

Example: P is the composition of two traffic lights (states $\langle s_0 s_0\rangle$, $\langle s_1 s_0\rangle$, $\langle s_0 s_1\rangle$, $\langle s_1 s_1\rangle$ with labels $\emptyset$, $\{g_1\}$, $\{g_2\}$, $\{g_1, g_2\}$ and actions $\alpha_1, \beta_1, \alpha_2, \beta_2$) and

$\varphi = \Box\neg(g_1 \wedge g_2) \wedge \Box\Diamond g_1 \wedge \Box\Diamond g_2$

i.e., never (both lights green) [safety], always eventually light 1 green [liveness], always eventually light 2 green [liveness].

Let M be a sequence of length 1, i.e., the controller keeps only the previous state:

$C(\emptyset, \langle s_0 s_0\rangle) = \alpha_1$
$C(\langle s_0 s_1\rangle, \langle s_0 s_0\rangle) = \alpha_1$
$C(\langle s_1 s_0\rangle, \langle s_0 s_0\rangle) = \alpha_2$
$C(\langle s_0 s_0\rangle, \langle s_1 s_0\rangle) = \beta_1$
$C(\langle s_0 s_0\rangle, \langle s_0 s_1\rangle) = \beta_2$

The resulting closed-loop path is $\pi = (\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_0 s_0\rangle\langle s_0 s_1\rangle)^\omega$ and $\pi \models \varphi$.
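The closed-loop construction on this slide, as an added Python example (not code from the lecture slides): the two-light product P, the memory-1 controller table above, and the semantics of [] and <> on lasso paths (a finite prefix followed by a repeated loop), which also shows why the sample paths $\pi_1$ and $\pi_2$ of the previous slide fail $\varphi$. The 0/1 encoding of red/green, the names a1/b1/a2/b2 for $\alpha_1, \beta_1, \alpha_2, \beta_2$ and all function names are this example's own choices.

```python
"""LTL over lasso paths and the memory-1 controller of the traffic-light
example. Added example, not code from the lecture slides: the state names,
actions and controller table follow the slide, the function names are mine.
"""

# Product P = TS1 || TS2. A state is (light1, light2) with 0 = red (s0) and
# 1 = green (s1). Action a_i switches light i red -> green, b_i green -> red
# (asynchronous composition: exactly one light moves per step).
ACTIONS = {"a1": (0, 1), "b1": (0, 0), "a2": (1, 1), "b2": (1, 0)}  # (light index, new value)


def step(state, action):
    """Apply one action of P; returns the successor or None if not enabled."""
    light, new = ACTIONS[action]
    if state[light] != 1 - new:          # a_i needs red, b_i needs green
        return None
    nxt = list(state)
    nxt[light] = new
    return tuple(nxt)


def label(state):
    """Atomic propositions true in a product state: g_i iff light i is green."""
    return {name for name, idx in (("g1", 0), ("g2", 1)) if state[idx] == 1}


def controller(prev, cur):
    """C : M x S -> Act with |M| = 1: the memory is only the previous state
    (None = empty history), exactly the table given on the slide."""
    table = {
        (None,   (0, 0)): "a1",
        ((0, 1), (0, 0)): "a1",
        ((1, 0), (0, 0)): "a2",
        ((0, 0), (1, 0)): "b1",
        ((0, 0), (0, 1)): "b2",
    }
    return table[(prev, cur)]


def closed_loop(start=(0, 0), bound=50):
    """Run P under C. The closed loop has finitely many (prev, cur) pairs, so
    the generated path is a lasso; it is returned as (prefix, loop)."""
    seen, path, prev, cur = {}, [], None, start
    while (prev, cur) not in seen:
        if len(path) > bound:
            raise RuntimeError("no repetition within bound")
        seen[(prev, cur)] = len(path)
        path.append(cur)
        nxt = step(cur, controller(prev, cur))
        if nxt is None:
            raise RuntimeError("controller chose a disabled action")
        prev, cur = cur, nxt
    k = seen[(prev, cur)]
    return path[:k], path[k:]


# --- LTL semantics on a lasso word prefix . loop^omega ----------------------

def state_at(prefix, loop, i):
    """State at position i of the infinite word."""
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]


def always(pred, prefix, loop):
    """[] pred: every position; the prefix plus one period covers all states."""
    return all(pred(state_at(prefix, loop, i)) for i in range(len(prefix) + len(loop)))


def eventually(pred, prefix, loop):
    """<> pred: some position; again the prefix plus one period suffices."""
    return any(pred(state_at(prefix, loop, i)) for i in range(len(prefix) + len(loop)))


def always_eventually(pred, prefix, loop):
    """[]<> pred: pred holds infinitely often, i.e. somewhere on the loop."""
    return any(pred(s) for s in loop)


def satisfies_phi(prefix, loop):
    """phi = []!(g1 & g2) & []<>g1 & []<>g2 from the slide."""
    g1 = lambda s: "g1" in label(s)
    g2 = lambda s: "g2" in label(s)
    return (always(lambda s: not (g1(s) and g2(s)), prefix, loop)
            and always_eventually(g1, prefix, loop)
            and always_eventually(g2, prefix, loop))


if __name__ == "__main__":
    prefix, loop = closed_loop()
    print("closed-loop lasso:", prefix, loop, "satisfies phi:", satisfies_phi(prefix, loop))
```

The closed loop produces the prefix $\langle s_0 s_0\rangle$ followed by the loop $\langle s_1 s_0\rangle\langle s_0 s_0\rangle\langle s_0 s_1\rangle\langle s_0 s_0\rangle$, which is the same infinite word as $\pi$ on the slide; checking a lasso only needs the prefix plus one period, which is why the []<> check can look at the loop alone.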

Page 12

A Solution Approach
• Closed system synthesis: non-emptiness of the satisfiability problem
  • In synthesis, "interesting" behaviors are "good"
  • In verification, "interesting" behaviors are "bad"
• Construct a verification model and claim that $Trace(P) \cap Words(\varphi) = \emptyset$
  • A counterexample (negative result) is a path that satisfies $\varphi$
  • A positive result means such a path does not exist

Page 13

Example: traffic lights

System model (asynchronous composition): $P = TS_1 \parallel TS_2$, where each light $TS_i$ has states $s_0$: red (labeled $\emptyset$) and $s_1$: green (labeled $\{g_i\}$) and actions $\alpha_i$, $\beta_i$. [figure]

Specification: $\varphi = \Box\neg(g_1 \wedge g_2) \wedge \Box\Diamond g_1 \wedge \Box\Diamond g_2$

SPIN code:

    bool g1 = 0, g2 = 0;

    active proctype TL1() {
      do
      :: atomic{ g1 == 0 -> g1 = 1 }
      :: atomic{ g1 == 1 -> g1 = 0 }
      od
    }

    active proctype TL2() {
      do
      :: atomic{ g2 == 0 -> g2 = 1 }
      :: atomic{ g2 == 1 -> g2 = 0 }
      od
    }

Automaton from LTL2BA: a Büchi automaton A with $L_\omega(A) = Words(\varphi)$, states $q_0$, $q_1$, $q_2$ ($q_2$ accepting), given to SPIN as a never claim:

    never {
    T0_init:
      if
      :: (!g1) || (!g2) -> goto T0_init
      :: (g1 && !g2) -> goto T1_S1
      fi;
    T1_S1:
      if
      :: (!g1) || (!g2) -> goto T1_S1
      :: (!g1 && g2) -> goto accept_S1
      fi;
    accept_S1:
      if
      :: (!g1) || (!g2) -> goto T0_init
      :: (g1 && !g2) -> goto T1_S1
      fi;
    }

Transitions of A: $q_0 \xrightarrow{\neg(g_1 \wedge g_2)} q_0$, $q_0 \xrightarrow{g_1 \wedge \neg g_2} q_1$, $q_1 \xrightarrow{\neg(g_1 \wedge g_2)} q_1$, $q_1 \xrightarrow{\neg g_1 \wedge g_2} q_2$, $q_2 \xrightarrow{\neg(g_1 \wedge g_2)} q_0$, $q_2 \xrightarrow{g_1 \wedge \neg g_2} q_1$.

Page 14

Solution to the traffic light problem

System model: $P = TS_1 \parallel TS_2$ as on the previous page; specification $\varphi = \Box\neg(g_1 \wedge g_2) \wedge \Box\Diamond g_1 \wedge \Box\Diamond g_2$; automaton A with $L_\omega(A) = Words(\varphi)$.

Solution from SPIN output (the counterexample to the never claim):

$\pi = (\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_0 s_0\rangle\langle s_0 s_1\rangle\langle s_0 s_0\rangle\langle s_0 s_1\rangle)^\omega$

[figure: the path drawn over the product P]
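The solution approach of page 12, carried out on the traffic-light example as an added Python example (not code from the slides or from SPIN): the product of P with the three-state automaton of the never claim is searched breadth-first for a lasso through an accepting state, which is exactly the kind of counterexample SPIN reports. The automaton transitions are transcribed from the never claim; the node encoding and all function names are this example's own.

```python
"""Closed-system synthesis as a non-emptiness check: the product of the
two-light system P with the Buechi automaton A of the slide (the never claim)
is searched for a lasso through an accepting state. The path found is a path
of P whose trace lies in Words(phi). Added example, not code from the slides
or SPIN: the automaton is transcribed from the slide, the function names are mine.
"""
from collections import deque


def successors(state):
    """P as asynchronous composition: exactly one light toggles per step."""
    g1, g2 = state
    return [(1 - g1, g2), (g1, 1 - g2)]


# Guards are evaluated on the label (g1, g2) of the P-state being entered.
AUTOMATON = {
    "T0_init":   [(lambda g1, g2: not (g1 and g2), "T0_init"),
                  (lambda g1, g2: g1 and not g2,   "T1_S1")],
    "T1_S1":     [(lambda g1, g2: not (g1 and g2), "T1_S1"),
                  (lambda g1, g2: not g1 and g2,   "accept_S1")],
    "accept_S1": [(lambda g1, g2: not (g1 and g2), "T0_init"),
                  (lambda g1, g2: g1 and not g2,   "T1_S1")],
}
ACCEPTING = {"accept_S1"}
INITIAL = ((0, 0), "T0_init")        # both lights red, A in its initial state


def product_successors(node):
    """One step of P, then A reads the label of the new P-state."""
    state, q = node
    return [(nxt, q2) for nxt in successors(state)
            for guard, q2 in AUTOMATON[q] if guard(*nxt)]


def shortest_path(start, is_target):
    """BFS in the product: list of nodes from start to the first node reached
    that satisfies is_target (start itself is not tested), or None."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in product_successors(node):
            if is_target(nxt):
                path = [nxt, node]
                while parent[path[-1]] is not None:
                    path.append(parent[path[-1]])
                return path[::-1]
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    return None


def find_accepting_lasso():
    """Returns (prefix, loop) of P-states whose trace is in Words(phi), or
    None when Trace(P) ∩ Words(phi) is empty (no accepting lasso exists)."""
    reachable, order = {INITIAL}, [INITIAL]       # reachable product nodes, nearest first
    for node in order:
        for nxt in product_successors(node):
            if nxt not in reachable:
                reachable.add(nxt)
                order.append(nxt)
    for acc in order:
        if acc[1] not in ACCEPTING:
            continue
        cycle = shortest_path(acc, lambda n: n == acc)   # acc must lie on a cycle
        if cycle is None:
            continue
        prefix = shortest_path(INITIAL, lambda n: n == acc)
        return [s for s, _ in prefix[:-1]], [s for s, _ in cycle[:-1]]
    return None


if __name__ == "__main__":
    print(find_accepting_lasso())
```

The search returns the prefix $\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_0 s_0\rangle$ followed by the loop $\langle s_0 s_1\rangle\langle s_0 s_0\rangle\langle s_1 s_0\rangle\langle s_0 s_0\rangle$, i.e. the word $\pi_3$ of page 10; SPIN's own counterexample above differs only in the period it reports, both traces are accepted by A.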

Page 15

Example: Frog Puzzle (http://www.hellam.net/maths2000/frogs.html)
• Move all yellow frogs to the right side of the pond, and all brown frogs to the left side of the pond
  • Frogs can only jump in the direction they're facing
  • Frogs can either jump one rock forward if the rock is empty, or jump over a frog if the next rock has a frog on it and the rock after it is empty

Page 16

[figure: the frog puzzle]

Page 17

Logic Synthesis: Frog Puzzle

Solving the frog puzzle as logic synthesis
• Rocks $r_0, r_1, \ldots, r_6$; rock i is not occupied or occupied: $r_i \in \{0, 1\}$
• State of frog i: $s(F_i) \in \{s_0, s_1, \ldots, s_6\}$ ($s_j$: frog i sits on rock j)
• Transition system of frog i: from $s_j$ it may step to $s_{j+1}$ under guard $\neg r_{j+1}$, or jump to $s_{j+2}$ under guard $r_{j+1} \wedge \neg r_{j+2}$ (for a frog moving right; e.g. $F_1$ has $s_0 \to s_1$ with guard $\neg r_1$, $s_0 \to s_2$ with guard $r_1 \wedge \neg r_2$, $s_1 \to s_2$ with guard $\neg r_2$, $s_1 \to s_3$ with guard $r_2 \wedge \neg r_3$, and so on up to $s_6$). [figure: transition systems $F_1$, $F_2$, $F_3$]
• Overall system model: $P = F_1 \parallel F_2 \parallel \cdots \parallel F_6$

Specification:

$\varphi = \Diamond\big(s(F_1), s(F_2), s(F_3) \in \{s_4, s_5, s_6\} \wedge s(F_4), s(F_5), s(F_6) \in \{s_0, s_1, s_2\}\big)$

Automaton A for $\varphi$: states $q_0$, $q_1$ ($q_1$ accepting) with $q_0 \xrightarrow{true} q_0$, $q_0 \xrightarrow{p} q_1$, $q_1 \xrightarrow{true} q_1$, where

$p \triangleq \big(s(F_1), s(F_2), s(F_3) \in \{s_4, s_5, s_6\} \wedge s(F_4), s(F_5), s(F_6) \in \{s_0, s_1, s_2\}\big)$

Page 18

Open System Synthesis

An open system is a system whose behaviors can be affected by external influence. [figure: plant P with controller C (output y) and environment E (input x)]

Open (synchronous) synthesis:

Given
• a system that describes all the possible actions
  - plant actions y are controllable
  - environment actions x are uncontrollable
• a specification $\varphi(x, y)$

find a strategy $f(x)$ for the controllable actions which will maintain the specification against all possible adversary moves, i.e.,

$\forall x \cdot \varphi(x, f(x))$

[figure: over time, $y_0 = f(x_0)$, $y_1 = f(x_0 x_1)$, $y_2 = f(x_0 x_1 x_2)$, $y_3 = f(x_0 x_1 x_2 x_3)$, ...]

Page 19

Reactive Control Synthesis

Reactive System Synthesis

Reactive systems are open systems that maintain an ongoing interaction with their environment rather than producing an output on termination.

Consider the synthesis of a reactive system with input x and output y, specified by the linear temporal formula $\varphi(x, y)$. [figure: S1 and S2 exchanging x and y]
• The system contains 2 components S1 (i.e., "environment") and S2 (i.e., "reactive module")
  - Only S1 can modify x
  - Only S2 can modify y
• Want to show that S2 has a winning strategy for y against all possible x scenarios the environment may present to it.
  - Two-person game: treat the environment as an adversary
    ‣ S2 does its best, by manipulating y, to maintain $\varphi(x, y)$
    ‣ S1 does its best, by manipulating x, to falsify $\varphi(x, y)$
• If a winning strategy for S2 exists, we say that $\varphi(x, y)$ is realizable

Page 20

The Runner Blocker System

[figure: R, B and Goal on the arena]

Runner R tries to reach Goal. Blocker B tries to intercept and stop R.

Page 21

Runner-Blocker System

[figure: outcomes marked win / lose / lose]

Page 22

Solving Reactive Control Synthesis
• Solution given as the winning set
• Winning set is the set of states starting from which there exists a strategy for S2 to satisfy the specification for all possible behaviors of S1
• A winning strategy can be constructed by saving intermediate values in the winning set computation
• Worst case complexity is double exponential
  • 1st exponent: specification to nondeterministic Büchi automaton
  • 2nd exponent: convert NBA into deterministic Rabin automaton
  • Similar to closed system synthesis: construct product of system and DRA
  • Find set of states starting from which all possible runs in the product automaton are accepting
• Lower Complexity Cases
  • For specifications of the form $\Box p$, $\Diamond p$, $\Box\Diamond p$, $\Diamond\Box p$ the controller can be synthesized in $O(N^2)$, with N the size of the state space.

Page 23

Game Structures: Runner Blocker

Runner Blocker Example

[figure: positions $s_0, \ldots, s_4$ with the runner R and the blocker B; initially $x = s_2$ and $y = s_0$]

Game Structure $G = (V, \mathcal{X}, \mathcal{Y}, \theta_e, \theta_s, \rho_e, \rho_s, AP, L, \varphi)$
• $\mathcal{X} := \{x\}$, $\Sigma_{\mathcal{X}} = \{s_0, s_1, s_2, s_3, s_4\}$
• $\mathcal{Y} := \{y\}$, $\Sigma_{\mathcal{Y}} = \{s_0, s_1, s_3, s_4\}$
• $\theta_e := (x = s_2)$
• $\theta_s := (y = s_0)$
• $\rho_e := \big((x = s_2) \implies (x' \neq s_2)\big) \wedge \big((x \neq s_2) \implies (x' = s_2)\big)$
• $\rho_s := \big((y = s_0 \vee y = s_4) \implies (y' = s_1 \vee y' = s_3)\big) \wedge \big((y = s_1 \vee y = s_3) \implies (y' = s_0 \vee y' = s_4)\big) \wedge (y' \neq x')$
• $\varphi$ describes the winning condition, e.g., $\Diamond(y = s_4)$

Page 24

Runner Blocker

Runner Blocker Example

[figure: positions $q_0, \ldots, q_4$ with R and B]

Play: An infinite sequence of system (blocker + runner) states $\sigma = s_0 s_1 \ldots$ such that $s_0$ is a valid initial state and $(s_j, s_{j+1})$ satisfies the transition relation of the blocker and the runner

Strategy: A function that gives the next runner state, given a finite number of previous system states of the current play, the current system state and the next blocker state

Winning state: A state starting from which there exists a strategy for the runner to satisfy the winning condition for all the possible behaviors of the blocker

Winning game: For any valid initial blocker state $s_x$, there exists a valid initial runner state $s_y$ such that $(s_x, s_y)$ is a winning state

Solving game: Identify the set of winning states
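The winning-set computation described on page 22 and the definitions on this slide, as an added Python example (not code from the slides): it iterates the controllable-predecessor operator for the reachability condition $\Diamond(y = s_4)$ over the game structure of page 23 (the blocker picks $x'$, then the runner picks $y'$) and reads a winning strategy off the saved intermediate sets. The domains and the relations $\rho_e$, $\rho_s$ are transcribed from the slide; the fixed-point formulation, the move ordering and all function names are this example's own.

```python
"""Solving the runner-blocker game structure: the winning set for <>(y = s4)
is the least fixed point W = mu Z . goal | cpre(Z), where cpre(Z) holds the
states from which, whatever x' the blocker chooses, the runner has a y' with
(x', y') in Z. Added example, not code from the slides: rho_e and rho_s are
transcribed from the slide, the rest is mine.
"""
S0, S1, S2, S3, S4 = "s0", "s1", "s2", "s3", "s4"
SIGMA_X = [S0, S1, S2, S3, S4]     # blocker positions
SIGMA_Y = [S0, S1, S3, S4]         # runner positions
THETA = (S2, S0)                   # theta_e: x = s2, theta_s: y = s0


def rho_e(x, x2):
    """Blocker: leaves s2 if it is on s2, otherwise returns to s2."""
    return (x2 != S2) if x == S2 else (x2 == S2)


def rho_s(y, x2, y2):
    """Runner: alternates between {s0, s4} and {s1, s3} and never moves onto
    the cell the blocker is about to occupy (y' != x')."""
    ok = y2 in (S1, S3) if y in (S0, S4) else y2 in (S0, S4)
    return ok and y2 != x2


def goal(x, y):
    """The winning condition's target: y = s4."""
    return y == S4


def cpre(target):
    """Controllable predecessor: for every blocker move there is a runner move into target."""
    return {
        (x, y) for x in SIGMA_X for y in SIGMA_Y
        if all(any((x2, y2) in target for y2 in SIGMA_Y if rho_s(y, x2, y2))
               for x2 in SIGMA_X if rho_e(x, x2))
    }


def solve():
    """Least fixed point of Z -> goal | cpre(Z). Returns (W, layers) where
    layers[k] are the states from which the goal is forced within k steps."""
    layers = [{(x, y) for x in SIGMA_X for y in SIGMA_Y if goal(x, y)}]
    while True:
        nxt = layers[-1] | cpre(layers[-1])
        if nxt == layers[-1]:
            return layers[-1], layers
        layers.append(nxt)


def strategy(layers, x, y, x2):
    """Winning strategy built from the saved layers: given the current state
    (x, y) and the blocker's next cell x2, pick a runner cell in the lowest
    layer, i.e. the one closest to the goal. Returns None outside W."""
    for layer in layers:
        for y2 in SIGMA_Y:
            if rho_s(y, x2, y2) and (x2, y2) in layer:
                return y2
    return None


def game_is_winning(W):
    """Winning game: for the valid initial blocker state there is a valid
    initial runner state whose pair is a winning state."""
    return THETA in W


if __name__ == "__main__":
    W, layers = solve()
    print(sorted(W))
    print("initial state winning:", game_is_winning(W))
```

The fixed point is reached after two iterations: all states with $y = s_4$, all states with $x \neq s_2$ and $y \in \{s_1, s_3\}$ (the blocker must go to $s_2$ next, so the runner reaches $s_4$ in one move), and the initial state $(s_2, s_0)$. States such as $(s_2, s_1)$ are not winning: the blocker can move to $s_4$ and then shuttle between $s_4$ and $s_2$ forever.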

Page 25

Solving Game Structures

Richard M. Murray, Caltech CDS (EECI, Mar 2013)

General solutions are hard
• Worst case complexity is double exponential (roughly in number of states)

Special cases are easier
• For a specification of the form $\Box p$, $\Diamond p$, $\Box\Diamond p$ or $\Diamond\Box p$, the controller can be synthesized in $O(N^2)$ time where N is the size of the state space

Another special case: GR(1) formulas

$\varphi = \underbrace{(\Box\Diamond p_1 \wedge \ldots \wedge \Box\Diamond p_m)}_{\varphi_e} \implies \underbrace{(\Box\Diamond q_1 \wedge \ldots \wedge \Box\Diamond q_n)}_{\varphi_s}$

Thm (Piterman, Sa'ar, Pnueli, 2007) A game structure G with a GR(1) winning condition can be solved by a symbolic algorithm in time proportional to $(nm|\Sigma_V|)^3$

More useful form:
• Can show that this can be "converted" to GR(1) form