Synthesizing Robust Software - University of Pennsylvania · Lab Synthesizing Robust Software Paulo...

Synthesizing Robust Software

Paulo Tabuada

Rupak Majumdar (MPI), Ayca Balkan, Sina Caliskan,Elaine Render, Matthias Rungger, Yasser Shoukry

Cyber-Physical Systems LaboratoryDepartment of Electrical Engineering

University of California at Los Angeles

Paulo Tabuada (CyPhyLab - UCLA) Synthesizing Robust Software UPenn, June 4, 2012 1 / 14

Robustness

Software systems are designed based on assumptions about their environment.

But the real environment is either unknown at design time or changing over time.

Hence, the assumptions will be violated and current design methodologies offerno assurance on how software behaves when such violations occur.

Ideally, we would like a modest deviation from the assumptionsto lead to a modest deviation from the nominal correctness guarantees.

Robustness!

Robustness

Robustness!

Robustness

Robustness!

Robustness

Robustness!

Robustness

Robustness!

Robustness

Our starting point:

Robustness is a very familiar concept in control theory;

It is well understood that the models used for controller design (assumptions) areprecious but always wrong:

Weight of a car (1 passenger vs 5 passengers);Aerodynamic characteristics of a car (surfboard on the top of the car orbicycle mounted on a rack in the back);etc.

The most basic controller designs do not explicitly address robustness, but theyare robust against unmodeled disturbances.

Can the same be done for software?

Robustness

Our starting point:

Robustness

Our starting point:

Robustness

Our starting point:

RobustnessWhat is known about software robustness?

In Computer Science:

Recent work by Bloem, Chatterjee, Chaudhuri, Gulwani, Henzinger, Jobstman,Majumdar, ...

Older work by Dijkstra (self-stabilizing algorithms).

In Control Theory:

There is a subfield of control theory called robust control;

The following classification will be useful:

State based methods (modern view);Input-output based methods (older view originated by the analysis ofamplifiers and other circuits).

RobustnessWhat is known about software robustness?

In Computer Science:

Recent work by Bloem, Chatterjee, Chaudhuri, Gulwani, Henzinger, Jobstman,Majumdar, ...

Older work by Dijkstra (self-stabilizing algorithms).

In Control Theory:

There is a subfield of control theory called robust control;

The following classification will be useful:

State based methods (modern view);Input-output based methods (older view originated by the analysis ofamplifiers and other circuits).

State based robustness

We start with a plain automaton.

DefinitionA finite-state automaton is a triple A = (Q,Σ, δ) consisting of:

A finite set of states Q;

A finite set of actions Σ;

A transition function δ : Q × Σ→ Q.

How to reason about modest deviations from the nominal behavior?

We start with a plain automaton.

DefinitionA finite-state automaton is a triple A = (Q,Σ, δ) consisting of:

A transition function δ : Q × Σ→ Q.

How to reason about modest deviations from the nominal behavior?

We introduce metric automata.

DefinitionA finite-state metric automaton is a sextuple Aβ = (Q, d ,Σ,X , β, δ) consisting of:

A metric d : Q ×Q → R+0 ;

A finite set of environment actions X including a special symbol ε denotingnominal (no disturbance) behavior;

A parameter β ∈ R+0 defining the “power” of the disturbance;

A transition function δ : Q × Σ×X → Q.

It seems that we are explicitly modeling the disturbances through the transitionfunction δ.

We introduce metric automata.

DefinitionA finite-state metric automaton is a sextuple Aβ = (Q, d ,Σ,X , β, δ) consisting of:

A metric d : Q ×Q → R+0 ;

A finite set of environment actions X including a special symbol ε denotingnominal (no disturbance) behavior;

A parameter β ∈ R+0 defining the “power” of the disturbance;

A transition function δ : Q × Σ×X → Q.

It seems that we are explicitly modeling the disturbances through the transitionfunction δ.

State based robustnessDisturbance model

We assume that we have:

d(δ(q, σ, ε), δ(q, σ, x)) ≤ β ∀q ∈ Q, σ ∈ Σ, x ∈ X .

q δ(q, σ, ε)

δ(q, σ, x1)

δ(q, σ, x2)

(σ, ε)

(σ, x1)

(σ, x2)

The parameter β does not need to be known: results will be parameterized by β.

State based robustnessDisturbance model

We assume that we have:

d(δ(q, σ, ε), δ(q, σ, x)) ≤ β ∀q ∈ Q, σ ∈ Σ, x ∈ X .

q δ(q, σ, ε)

δ(q, σ, x1)

δ(q, σ, x2)

(σ, ε)

(σ, x1)

(σ, x2)

The parameter β does not need to be known: results will be parameterized by β.

DefinitionA winning strategy (S : Q → 2Σ) for the automaton A0 and (reachability or Büchi)winning objective F ⊆ Q is γ-robust if for any β ∈ R+

0 it is winning for the automatonAβ with (reachability, Büchi) winning objective Bγβ(F ):

Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .

Note that if there are no disturbances, β = 0 and Bγβ(F ) = F .

The parameter γ describes how much F is inflated to obtain Bγβ(F ).

The map transforming environment strategies to the language accepted by Aβ isuniformly continuous with modulus of continuity γ.

Bγβ(F ) = {q ∈ Q | d(q,F ) ≤ γβ} .

State based robustnessVerification and synthesis

Given an automaton A0, γ ∈ R+0 , and a strategy S one can ask:

Verification: Is S γ-robust?

Optimal verification: What is the smallest γ ∈ R+0 for which S is γ-robust?

Synthesis: Can we synthesize a γ-robust strategy?

Optimal synthesis: What is the smallest γ ∈ R+0 for which we can synthesize a

γ-robust strategy?

All the above problems can be reduced to dynamic programmingand are thus polynomially solvable.

γ-robust strategy?

State based robustnessCritical assessment

On the positive side, state based robustness:

handles ω-regular objectives (Büchi and parity) as a simple extension ofreachability;

the analysis makes use of an extension of rank functions inspired on controltechniques (Lyapunov functions).

On the less positive side, state based robustness:

requires a metric. What if I have two different automata defining the samelanguage? How to reason about robustness before having an implementationwith states?

State based robustnessCritical assessment

On the positive side, state based robustness:

handles ω-regular objectives (Büchi and parity) as a simple extension ofreachability;

the analysis makes use of an extension of rank functions inspired on controltechniques (Lyapunov functions).

On the less positive side, state based robustness:

requires a metric. What if I have two different automata defining the samelanguage? How to reason about robustness before having an implementationwith states?

Input/output based robustnessTowards a definition

Rather than automata we now consider transducers f : Σ∗ → Λ∗;

Rather than a metric we use cost functions I : Σ∗ → N+0 and O : Λ∗ → N+

0 toplace costs on input and output strings, respectively;

A notion of robustness should have the following two properties:

Bounded disturbances should lead to bounded consequences;The effect of a sporadic disturbance should disappear in finitely manysteps;Well known requirements in control theory that recently appeared as twoseparate notions of robustness proposed by Henzinger and co-workers.

Bounded disturbances should lead to bounded consequences;

The effect of a sporadic disturbance should disappear in finitely manysteps;Well known requirements in control theory that recently appeared as twoseparate notions of robustness proposed by Henzinger and co-workers.

Bounded disturbances should lead to bounded consequences;The effect of a sporadic disturbance should disappear in finitely manysteps;

Well known requirements in control theory that recently appeared as twoseparate notions of robustness proposed by Henzinger and co-workers.

Input/output based robustnessA definition

Adapting and simplifying the control theoretic notion of Input-to-State DynamicStability we propose:

DefinitionGiven parameters γ, η ∈ N, we say the transducer f : Σ∗ → Λ∗ is (γ, η)-input-outputstable if for each σ ∈ Σ∗ we have

O (f (σ)) ≤ maxσ′�σ

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

The parameter γ is called the robustness gain. It measures how much thedisturbance is amplified.

The parameter η is called the rate of decay. It measures how quickly the effectsof a disturbance disappear.

The notion of (γ, η)-input-output stability captures the two desired properties.

The verification and synthesis problems are polynomially solvable when f , I, andO are described by finite-state (cost/weighted) automata;

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

˘γ I

`σ′

´− η

`|σ| −

˛̨σ′

˛̨´¯.

Robustness

Issues for discussion:

It should be possible to robustify any synthesis methodology.

How to migrate these ideas from automata and transducers to programinglanguages in order to make them usable by programmers?

Specifying robustness requires the programer to rank all the possibleenvironment behaviors and all the possible program behaviors. This is notalways easy to do!

I am looking forward to working with all of you to make robustness practical.

Robustness

Issues for discussion:

It should be possible to robustify any synthesis methodology.

How to migrate these ideas from automata and transducers to programinglanguages in order to make them usable by programmers?

Specifying robustness requires the programer to rank all the possibleenvironment behaviors and all the possible program behaviors. This is notalways easy to do!

I am looking forward to working with all of you to make robustness practical.

Robustness

Relevant recent references:

Robust Discrete Synthesis Against Unspecified DisturbancesRupak Majumdar, Elaine Render, and Paulo Tabuada14th International Conference on Hybrid Systems: Computation and Control2011.

A theory of ω-regular robust software synthesisRupak Majumdar, Elaine Render, and Paulo TabuadaTo appear in the ACM Transactions on Embedded Computing Systems, 2012.

Input-Output Stability for Discrete SystemsPaulo Tabuada, Ayca Balkan, Sina Caliskan, Yasser Shoukry, and RupakMajumdarSubmitted to EMSOFT 2012.

For preprints send an email to [email protected].

Synthesizing Robust Software - University of Pennsylvania · Lab Synthesizing Robust Software Paulo...

Documents

Transcript of Synthesizing Robust Software - University of Pennsylvania · Lab Synthesizing Robust Software Paulo...