cs/ids 142: lecture 2.2 safety properties

CS/IDS 142: Lecture 2.2 Safety Properties

Richard M. Murray 9 October 2019

Goals: • Define safety properties, program invariants • New properties: next, stable, invariant

Reading: • P. Sivilotti, Introduction to Distributed Algorithms, Section 3.3

Richard M. Murray, Caltech CDSCS/IDS142, 7 Oct 2017

The ‘Stable’ PropertyDefinition: stable(P) • Informal: once P becomes true, it remains true

• Formally: stable(P) ≡ P next P

• Note: stable(P) does not mean that P is true for all (or even any) program executions

When do we use stable in a proof? • Termination: stable({p})

• Often combined with progress (Wed + W3) - Show that if we satisfy some conditions

then we eventually get to a good set of states (and stay there)

Some useful results (will prove on the homework) •

- Interpretation: if P is stable and Q is stable, then at the point that both of them are true, they will both remain true

• - Note: not true that

2

12

0

3

4

5

6

78

9P2

P1

stable(P ) _ stable(Q) =) stable(P _Q)

stable(P ) ^ stable(Q) =) stable(P _Q)

Pstable

Q

not stable


False

False

True

True

_____

_____

_____

_____

Reachable(P) is the smallest stable set that includes P • Reachable(P) = set of points that we can reach from states that satisfy predicate P

• Proof sketch (exercise: turn into a formal proof = sequence of implications/equivals) - Let Q = reachable(P). Clear that and stable(Q) - Suppose Q’ is a smaller set ( ) with and stable(Q’) -

• Algorithm for finding reachable(P): start with P add neighbors until you stop growing

Which of the following formulas are true?

3

There can be an edge from a vertex which is in Q and not in P to a vertex outside Q

Q0 ⇢ Q

Q0 ⇢ Q ^ stable(Q) =) Q = reachable(P ) ⇢ Q0 ) Q = Q0P ✓ Q0

P ✓ Q

Q

P

X

stable(P ) ^ (P ✓ Q) =) stable(Q)<latexit sha1_base64="fjgds2XncXRDRHG/DuYN/jVLzfw=">AAACL3icbVDJSgNBEO1xjXEb9eilMQjJJcxEwRwDgnhMwCyQCaGnU5M0mc3uGjUM+SMv/kouIop49S/sLAdNfNDweFWvuuq5sS8UWtabsba+sbm1ndnJ7u7tHxyaR8cNFSWSQ51HfiRbLlPgixDqKNCHViyBBa4PTXd4Pa03H0AqEYV3OIqhE7B+KDzBGWqpa944CE/oeqlCpj3jfLVAnUfo9YHmqzTrqMRVgHBPa1oXgV4JFF321ApdM2cVrRnoKrEXJEcWqHbNidOLeBJAiNxnSrVtK8ZOyiQKrkdmnURBzPiQ9aGtacgCUJ10du+YnmulR71I6hcinam/HSkLlBoFru4MGA7Ucm0q/ldrJ+iVO6kI4wQh5POPvMSnGNFpeLQnJHD0R5owLoXelfIBk4yjjjirQ7CXT14ljVLRviiWape5SnkRR4ackjOSJza5IhVyS6qkTjh5JhPyTj6MF+PV+DS+5q1rxsJzQv7A+P4BUwOolw==</latexit>

stable(P ) ^ (Q ✓ P ) =) stable(Q)<latexit sha1_base64="4y6iei0ELh9FknjteW1i3muapns=">AAACL3icbVDJSgNBEO1xjXEb9eilMQjJJcxEwRwDgnhMwCyQCaGnU5M0mc3uGjUM+SMv/kouIop49S/sLAdNfNDweFWvuuq5sS8UWtabsba+sbm1ndnJ7u7tHxyaR8cNFSWSQ51HfiRbLlPgixDqKNCHViyBBa4PTXd4Pa03H0AqEYV3OIqhE7B+KDzBGWqpa944CE/oeqlCpj3jfLVAnUfo9YHmazTrqMRVgHBPp7oI9Eqg6LKnVuiaOatozUBXib0gObJAtWtOnF7EkwBC5D5Tqm1bMXZSJlFwPTLrJApixoesD21NQxaA6qSze8f0XCs96kVSvxDpTP3tSFmg1ChwdWfAcKCWa1Pxv1o7Qa/cSUUYJwghn3/kJT7FiE7Doz0hgaM/0oRxKfSulA+YZBx1xFkdgr188ipplIr2RbFUu8xVyos4MuSUnJE8sckVqZBbUiV1wskzmZB38mG8GK/Gp/E1b10zFp4T8gfG9w9TEKiX</latexit>

8P : stable(reachable(P ))<latexit sha1_base64="eSVog4dsAYg9/UoPNKOUieT3Nbs=">AAACGHicbVDLSsNAFJ34rPUVdelmsAjtpiZVsLgquHEZwT6gCWUynbRDJw9mbsQS+hlu/BU3LhRx251/47TNQlsvDBzOuefOvcdPBFdgWd/G2vrG5tZ2Yae4u7d/cGgeHbdUnErKmjQWsez4RDHBI9YEDoJ1EslI6AvW9ke3M739yKTicfQA44R5IRlEPOCUgKZ65oUbxJIIgZ0b7IYEhn6QKSDaPim7wJ4g09PocEE4lUrPLFlVa154Fdg5KKG8nJ45dfsxTUMWARVEqa5tJeBlRAKnembRTRVLCB2RAetqGJGQKS+bHzbB55rpY72hfhHgOfvbkZFQqXHo687Z7mpZm5H/ad0UgrqX8ShJgUV08VGQCgwxnqWE+1wyCmKsAaGS612xDkESCjrLog7BXj55FbRqVfuyWru/KjXqeRwFdIrOUBnZ6Bo10B1yUBNR9Ixe0Tv6MF6MN+PT+Fq0rhm55wT9KWP6A4E1oAQ=</latexit>

(P ✓ Q) ^ stable(Q) =) reachable(P ) ⇢ Q<latexit sha1_base64="izLwbfshu0NmUEzJWYzuWutQvtQ=">AAACO3icbVDLSsNAFJ34tr6qLt0MFqFuSqKCXRbcuGzFqtCUMpnc1MFMEmdulBL6X278CXdu3LhQxK17J00Fbb1w4XDOfR4vCYVG2362Zmbn5hcWl5ZLK6tr6xvlza0LHaeKQ5vHYayuPKYhFBG0UWAIV4kCJr0QLr2bk1y/vAOlRRyd4yCBrmT9SASCMzRUr3xWbVJXp54GhFva2qfuPfh9oK5keO0FmUZmRg2ruSKkuQh0oSmZmT38upCb+z9TaKtXrtg1exR0GjhjUCHjaPbKT64f81RChDxkWnccO8FuxhQKboaX3FRDwvgN60PHwIhJ0N1s9PuQ7hnGp0GsTEZIR+zvjoxJrQfSM5X52XpSy8n/tE6KQb2biShJESJeLArSkGJMcyOpLxRwDAcGMK6EuZUaNxTjaOwuGROcyZenwcVBzTmsHbSOKo362I4lskN2SZU45Jg0yClpkjbh5IG8kDfybj1ar9aH9VmUzljjnm3yJ6yvbxPprYU=</latexit>


What are some stable properties for this program? [assume α = 1/2]

• ? - No what if x1 = 5, x2 = 10

• ? - No what if x1 = 5, x2 = 10, x3 = 50

• ?

- Yes This shows that all numbers will remain bounded

• ?

- Yes Can actually show that the average is constant (so we get equality)___

___

___

___

Examples: Properties for Average Consensus

4

Program AverageConsensus

constant N {number of agents}G {interconnection graph}

var x : array of N numbers

assign�8i, j : j 2 Ni : x[i] := ↵x[i] + (1� ↵)x[j]

|| x[j] := ↵x[j] + (1� ↵)x[i])�

stable(xi maxi

x0i )

stable(xi + xj x0i + x0

j )

stable(xi x0i )

stable�(+i : 0 i N � 1 : xi) (+i : 0 i N � 1 : x0

i )�

<latexit sha1_base64="jxDuOBGXTZRJSsUB7GKL70Ki8zw=">AAACSHicfVDLSgMxFM3UV62vqks3wSK0iGWmCoqrohtXUsE+oFOHTJppQzMPkzvSMvTz3Lh05ze4caGIO9PHQlvxQsjJueckN8eNBFdgmi9GamFxaXklvZpZW9/Y3Mpu79RUGEvKqjQUoWy4RDHBA1YFDoI1IsmI7wpWd3uXo379gUnFw+AWBhFr+aQTcI9TAppyso4NrA+ulygg2jO0Xd4R+fwhx+fYxLZg95hPtusjS3N9hxcm5380d6ZWjW6SBSebM4vmuPA8sKYgh6ZVcbLPdjuksc8CoIIo1bTMCFoJkcCpni9jx4pFhPZIhzU1DIjPVCsZBzHEB5ppYy+UegWAx+xPR0J8pQa+q5U+ga6a7Y3Iv3rNGLyzVsKDKAYW0MlDXiwwhHiUKm5zySiIgQaESq5nxbRLJKGgs8/oEKzZL8+DWqloHRdLNye58sU0jjTaQ/sojyx0isroClVQFVH0iF7RO/ownow349P4mkhTxtSzi35VKvUNbAusrQ==</latexit>

If time, add proof of the last property here?

Richard M. Murray, Caltech CDSCS/IDS 142, 9 Oct 2017

The ‘Invariant’ PropertyA predicate P is invariant if it is always true

• Invariants are a critical part of proofs; establish thekey properties that a problem always satisfies

• Invariants are not unique; a program can havemany invariants

Some examples of useful invariants • Amount of memory required is less than M • Values of a variable (eg, address register) is in a given range

Proving properties about invariants comes down to evaluating Hoare triples

Example: • For average consensus,

Reachability and invariants • Recall that reachable(P) is the smallest stable set of vertices that includes P. Hence:

5

invariant(P ) ⌘ initially(P ) ^ stable(P )

initially(P ) ^ (8a : a 2 G : {P} a {P})

P

initX

invariant�(+i : 0 i N � 1 : xi) = (+i : 0 i N � 1 : x0

i )�

<latexit sha1_base64="REgRBZri3puoUjT8+rEwmz4PVWg=">AAACSnicfVBNSwMxFMzWqrV+VT16CRahRSy7VVAEoeDFk1SwKnTX5W2araHZ7JpkxVL6+7x48uaP8OJBES9m2x78woGQYea9l7wJEs6Utu0nKzeVn56ZLcwV5xcWl5ZLK6vnKk4loS0S81heBqAoZ4K2NNOcXiaSQhRwehH0jjL/4pZKxWJxpvsJ9SLoChYyAtpIfgncCPR1EA6YuAXJQOihG7Aur+DKFsMH2MYupzeYja+Tbcdodz6r4sP/C67sKs4GyapfKts1ewT8mzgTUkYTNP3So9uJSRpRoQkHpdqOnWhvAFIzwumw6KaKJkB60KVtQwVEVHmDURRDvGmUDg5jaY7QeKR+7RhApFQ/Ckxltrj66WXiX1471eG+Z1JKUk0FGT8UphzrGGe54g6TlGjeNwSIZOavmFyDBKJN+kUTgvNz5d/kvF5zdmr1091yY38SRwGtow1UQQ7aQw10jJqohQi6R8/oFb1ZD9aL9W59jEtz1qRnDX1DLv8JCQaszA==</latexit>

invariant(I) =) reachable(init) ✓ I<latexit sha1_base64="qX9XiDBWWf1V1RpP02je5Cmslcs=">AAACNXicbVC7SgNBFJ31GeMramkzGITYhF0VtAzYGLCIYB6QhDA7uZsM7syuM3eFsOSnbPwPKy0sFLH1F5w8BE28cOFwzn0ePw6FQdd9cRYWl5ZXVjNr2fWNza3t3M5uzUSJ5lDlURjphs8MhEJBFQWG0Ig1MOmHUPdvL0Z6/R60EZG6wUEMbcl6SgSCM7RUJ3fVkgz7fpAKdc+0YAqHhfIRbQlpt4OhY1nL1M7kfWanDgs/lFACh7bUJL4BhDta7uTybtEdB50H3hTkyTQqndxTqxvxRIJCHjJjmp4bYztlGgW3q7KtxEDM+C3rQdNCxSSYdjr+ekgPLdOlQaRtKqRj9ndHyqQxA+nbytHFZlYbkf9pzQSD87Z9L04QFJ8sCpKQYkRHFtKu0MAxHFjAuBb2Vmq90YyjNTprTfBmX54HteOid1I8vj7Nl86ndmTIPjkgBeKRM1Iil6RCqoSTB/JM3si78+i8Oh/O56R0wZn27JE/4Xx9A3UDrP8=</latexit>

invariant�reachable(init)

�<latexit sha1_base64="MUnQ1loDK2MfmNYQ3udOstkcopg=">AAACKXicbVDLSgMxFM3UV62vUZduBovQbspMFeyy4MZlBfuAtpRMmmlDk8yQ3CmUYX7Hjb/iRkFRt/6I6bSCtl4IHM499+ae40ecaXDdDyu3sbm1vZPfLeztHxwe2ccnLR3GitAmCXmoOj7WlDNJm8CA006kKBY+p21/cjPvt6dUaRbKe5hFtC/wSLKAEQyGGtj1nsAw9oOEySlWDEtIez4b8VLGK5GYZWSMzbpS4YdikkFaznSqPLCLbsXNylkH3hIU0bIaA/ulNwxJLKgEwrHWXc+NoJ9gBYxwmhZ6saYRJhM8ol0DJRZU95PMaepcGGboBKEyT4KTsb8nEiy0ngnfKOfH6tXenPyv140hqPWNsygGKsnioyDmDoTOPDZnyBQlwGcGYKKYudUxsShMwIRbMCF4q5bXQata8S4r1burYr22jCOPztA5KiEPXaM6ukUN1EQEPaAn9IrerEfr2Xq3PhfSnLWcOUV/yvr6BjzIqGI=</latexit>


Which of the following formulas are true?

6

True

False

Transition from Q to NOT QFalse

P Q

init

P Q

initinit

______

______

______

Q

P

init


Example: FindMaxLet M. = max(A[x]). Prove that r ≤ M is an invariant

7

{ definition of stable }

{ definition of next }

______________________

________________________

r ≤ M ⇒ max(r, A[x]) ≤ M) { x ≤ max(x, y) }

Richard M. Murray, Caltech CDSEECI, Mar 09

Defensive Zone

0

a b

c

Example: RoboFlag Drill


Defensive Zone

0

a b

c

i j

α(j) is too far down for i to get

RoboFlag Control Protocol

=


Safety (Defenders do not collide)

Stability (switch predicate stays false)

Progress (we eventually reach a fixed point) • Let ρ be the number of blue robots that are too far away to reach their red robots

• Let β be the total number of conflicts in the current assignment • Define the metric that captures “energy” of current state (V = 0 is desired)

• Can show that V always decreases whenever a switch occurs

Properties for RoboFlag program

Robots are "far enough" apart.

10

V =⇤�

n

2

⇥+ 1

⌅⇥ + � � =

n⇥

i=1

n⇥

j=i+1

⇥(i, j) where ⇥(i, j) =

�1 if x�(i) > x�(j)

0 otherwise� =

n�

i=1

r(i, i)

next ¬switchi,i+1

zi < zi+1 next zi < zi+1

next V < m

Next week

Richard M. Murray, Caltech CDSIFAC World Congress 2014

What Goes Wrong: ZA002, Nov 2010

11

Loss of primary electrical power => cockpit goes “dark”

Ram Air Turbine (RAT) deployed and allows safe landing

Richard M. Murray, Caltech CDSCS 142, 2 Oct 2017

Summary: Reasoning About Programs

Initial tools for reasoning about program properties • UNITY approach: assume that any (enabled)

command can be run at any time

• Hoare triple: show that all (enabled) actions satisfying a predicate P will imply a predicate Q

• “Lift” Hoare triple to define next:

• Stability: stable(P) ≡ P next P

• Invariants:

12

P

1

2

0

3

4

5

6

7

8

9

Q

P

a1 a2

a1

a1

Hoare triple: {P} a {Q}

P next Q stable(P)

invariant(P ) ⌘ initially(P ) ^ stable(P )

cs/ids 142: lecture 2.2 safety properties

Documents