lecture 1university of illinois at urbana-champaign lecture 1 jan 1-5st2018 sayan mitra1and...
TRANSCRIPT
University of Illinoisat Urbana-Champaign
Lecture1Jan1-5st 2018
SayanMitra1 andPurandar Bhaduri21UniversityofIllinoisatUrbana-Champaign2IndianInstituteofTechnologyGuwahati
Modelingandverificationofcyber-physicalsystems
Planforthelecture1
• Courseadministration• Motivation–Whatarecyber-physicalsystems?–WhycareaboutverificationofCPS?
• ModelingDiscreteSystems• Invarianceandsafety
Algorithmsmakedecisionsforuseveryday
Software- physicsinclosedloop
Cyber-physicalSystems
ControlSoftware
PhysicalPlant
ActuatorSensor
CPS:softwaremonitoringandcontrollingadynamicalsystem
Wewilltakearigorous viewofmodeling,analyzing,anddesigningengineeringsystems
Why?
Isthealgorithm safe?secure?private?fair?
AdvancedDrivingAssistfeatures(ADAS)toDriverlesscars
2004DARPAGrandchallengeI:nocardrivesmorethan7milesin
desert2005DARPAchallengeII:
Stanfordcarwinsdriving131miles2007DARPAUrbanchallenge*
Manysuccesses,CMUwins
Google,Uber,Tesla,GM,Nissan,Toyota,Ford,…
2016:PublictestsatSingapore(nuTonomy),Pittsburgh(Uber),BostonVerificationofPeriodicHybridSystems:ApplicationtoAnAutonomousVehicleWongpiromsarn,Mitra,Lamperski andMurray2009
Algorithmsforpredictivepolicing
Crimerecords+Surveillance->Predictions
2008:LAPDstartsexplorationsonforecastingcrimeusingdata2013:BetterpredictionofcrimehotspotsinSantaCruzevaluation2016:Usedin50+policedepartment
ZachFriend."PredictivePolicing:UsingTechnologytoReduceCrime".FederalBureauofInvestigation.Dec.2013.
Technologyisneithergoodnorbad; norisitneutral.
DriverlesscarswillbegoodforProductivity:Americansspend300hoursdrivingeachyear
Realestate:40%ofcitysurfaceisparking
Environment:Betterfuelefficiency,scheduling,charging
Safety:32,675vehiclefatalitiesin2014intheUS10%increaseinfirsthalfof2016!!
ZA002Incident.EVERETT, Wash., Nov. 10, 2010-- During approachto Laredo, Texas, yesterday, airplane ZA002 lostprimary electrical power as a result of an onboardelectrical fire. Backup systems, including thedeployment of the Ram Air Turbine (RAT),functioned as expected and allowed the crew tocomplete a safe landing. The cause of the fire isstill under investigation by Boeing.
Initial inspection appears to indicate that a powercontrol panel in the aft electronics bay will needto be replaced on ZA002. We are inspecting thepower panel and surrounding area near that panelto determine if other repairs will be necessary.
Boeing:ChangestoPowerPanelDesignNov.24,2010Boeinghasacknowledgedtherumorscirculatingaroundthatitwasindeed FOD (foreignobjectdamage)thathadcausedashortcircuitthatledtothefireintheP100powerpanel.
AsaconsequenceBoeingwillundertakeaminorredesignofthepowerpaneltoreducethechanceof FOD creatingandelectricalarcorshortcircuit.Boeingwillalsoimplementsoftwarechangestomakesurethatpowerdistributionisimproved.Thisappearstobeanacknowledgementthattheelectricalpowerredundanciesfailedaswell.
NewinDO178Cstandard
FormalMethods.ModelBasedDevelopment
ObjectOrientedTechniques
Overflowresultsintheflightcomputercrash(2005)• Unlike“one-shot”function
computations,computationsofembeddedsystemsareinfinitestreams– Example:Rudderpositions
computedbyanautopilotprogram:L,R,R,R,C,L,…
• Testingandsimulations(atleasttheirnaïveapplications)cancheckforonlyfinitelymanybehaviors
• Notsufficientforcovering allbehaviorsoftheprogramanditsphysicalenvironment
“June 4, 1996 -- Ariane 5 Flight 501. Working code forthe Ariane 4 rocket is reused in the Ariane 5, but theAriane 5's faster engines trigger a bug in an arithmeticroutine inside the rocket's flight computer. The error isin the code that converts a 64-bit floating-pointnumber to a 16-bit signed integer. The faster enginescause the 64-bit numbers to be larger in the Ariane 5than in the Ariane 4, triggering an overflow conditionthat results in the flight computer crashing.”
History's Worst Software Bugs, SimsonGarfinkel, Wired 2005
Howmanymilesmustanautonomouscardrivebeforewecallitsafe?
200millionmiles?
0.07fatalitiesperbillionpassengermiles(commercialflight)
Probabilityoffatalfailureperhourofdriving10#$ [Amnon Shashua,CTOMobileye]
Howisair-travelsosafe?
Dev.Assurance Level(DAL)
HazardClassification
Objectives
A Catastrophic 71
B Hazardous 69
C Major 62
D Minor 26
E NoEffect 0
RegulationsandAudits
DO178C
PrimarydocumentbywhichFAA&EASAapprovessoftware-basedaerospacesystems.
DALestablishestherigornecessarytodemonstratecompliance
StatementCoverage:EverystatementofthesourcecodemustbecoveredbyatestcaseConditionCoverage:Everyconditionwithinabranchstatementmustbecoveredbyatestcase
WhatfractionofthecostofdevelopinganewaircraftisinSW?
VerificationofCPS:Weneedstandards,processes,tools,andtrainedindividualsto
ensurethatcyber-physicalsystemsmeetthestandards
Defectsbecomemoreexpensivewithtime
time
costofb
ug
How to Cut Software-Related Medical Device Failures and Recalls, Lisa Weeks
AuditalgorithmswithAlgorithmsandfindproblemsearly
certificate
algorithm/systemmodel bugtraceOurverification
toolrequirements
Relevantcourses:Theoryofcomputation,ProgramVerification,FormalSystemDevelopment,AutomatedDeduction,Controltheory,EmbeddedSystemVerification
ExamplerequirementsSafety:“Forallnominalbehaviorsofthecar,theseparationbetweenthecarsmustbealways>1m”
Efficiency:“Forallnominaldriverinputs,theair-fuelratiomustbeintherange[1,4]”
Privacy:“UsingGPSdoesnotcompromiseuser’slocation”
Fairness:“Similarpeoplearetreatedsimilarly”
Examplemodelingframeworks
Discretetransitionsystems,automata
DynamicalsystemsDifferentialinclusions
Hybridsystems
Markovchains
Probabilisticautomata,Markovdecisionprocesses(MDP)
Continuoustime,continuousstateMDPs
StochasticHybridsystems
Young&promisingareawithrichproblemsorwhyyoushouldstopworryingandlovethiscourse
• IntersectionofCSandcontroltheory– Discreteandcontinuousmath,differentanalysistechniques
• Formalanalysisgainingtractioninindustry– Hardwareverificationisengineeringpracticeintheindustry– Manytoolsusedinsoftware,avionics,automotiveindustries.e.g.SDV
(Microsoft),ESTEREL,ASTREE.– MarsCode:GerardHolzman,JPL(seevideo)
• Bigandsmallcommercialenterprisessupportabovecustomers– Synopsis,MentorGraphics,Cadence,Jasper,Coverity,Galois,SRI,
• Vibrantacademicresearchactivities– RelatedTuringAwards:Lamport (2014),Clarke,Sifakis &Emerson(2008),Pnueli
(1997),Lampson(1992),Milner(1991),Hoare(1980),Dijkstra (1972)…– Conferences:HSCC,EMSoft,ICCPS,CAV,TACAS,RTSS…– Alumsfromthiscourse nowfacultyatU.Conn,UTArlington,U.Minnesota,
KansasState,AirForceResearchLab,ToyotaResearchCenter,…LectureSlidesbySayanMitra
LearningObjectives
• Techniquesformodelingsystemswithdynamics,computation,andcommunication
• Techniquesforrigorouslyreasoningaboutcorrectnessofsystems
• Exposuretousingverificationtools andlibraries– modelcheckers,SMTsolvers,simulation-drivenverifiersandtheoremprovers
• UnderstanddeepandinfluentialideasinCSandControltheory(fromthelast20years)
Outline
• AnExample:TokenRing• Specificationlanguage(syntax)• Automata(semantics)• Invariants
Anexample:Informaldescription
Atoken-basedmutualexclusionalgorithmonaringnetwork
Collectionofprocessessendandreceivebitsoveraringnetworksothatonlyoneofthemhasa“token”
DiscreteEachprocesshasvariablesthattakeonlydiscretevaluesTimeelapsesindiscretesteps(Thisisamodelingchoice)
Tokenring: Informalproblemspecification
1. Thereisalwaysatleastonetoken2. Legalconfiguration=exactlyone“token”inthering3. Singletokencirculatesinthering4. Evenifmultipletokenssomehowarise,e.g.withfailures,ifthe
algorithmcontinuestoworkcorrectly,theneventuallythereisasingletoken
Legal Illegal
PropertiescanbestatedasInvariants
• Invariant (informaldef.):Apropertyofthesystemthatalways*holds
• Examples:– “Alwaysatleastoneprocesshasatoken”– “Alwaysexactlyoneprocesshasthetoken”– “Alwaysallprocesseshavevaluesatmostk-1”– “Eveniftherearemultipletokens,eventually thereisexactlyonetoken”(notstrictlyaninvariant)
Dijkstra’s Algorithm[Dijkstra 1982]
n processeswithindices0,1,…,n-1stateofprocessjisx[j]Î {0,1,2,k-1},wherek>np0 ifx[0]=x[N-1]then x[0]:=x[0]+1modkpj j>0,if x[j]≠x[j-1]then x[j]:=x[j-1]
(pi hasTOKENifandonlyiftheconditional istrue)LectureSlidesbySayanMitra
ASpecification Language:HIOAauto DijkstraTR (n:natural,k:natural)type indices:[0,…,n-1]type values:[0,…,k-1]signature
internal step(i:indices)variables
𝑥:[indices->values]initially∀𝒊 ∈ indices,𝑥 𝑖 = 0transitions
internal step(i:indices)pre i =0/\ x[i]=x[n-1]eff x[i]:=x[i]+1modk;
internal step(i:indices)pre i ≠ 0/\ x[i]≠x[i-1]eff x[i]:=x[i-1];
trajectoriesLectureSlidesbySayanMitra
DiscreteTransitionSystemorAutomaton
Anautomaton isatuple𝒜 = ⟨𝑋, Θ, 𝐴, 𝒟⟩ where1. 𝑋 isasetofnamesofvariables;eachvariable𝑥 ∈
𝑋isassociatedwithatype,𝑡𝑦𝑝𝑒(𝑥)• Avaluation for𝑋 mapseachvariableinXtoitstype• Setofallvaluations:𝑣𝑎𝑙 𝑋 = 𝑄 thisissometimesidentifiedasthestatespaceoftheautomaton
2. Θ ⊆ 𝑣𝑎𝑙(𝑋) isthesetofinitial orstartstates3. 𝐴 isasetofnamesofactions orlabels4. 𝒟 ⊆ 𝑣𝑎𝑙 𝑋 ×𝐴×𝑣𝑎𝑙 𝑋 isthesetoftransitions
• atransitionisatriple(𝑢, 𝑎, 𝑢’)• Wewrite 𝑢, 𝑎, 𝑢’ ∈ 𝒟 inshortas𝑢
G→𝑢′
HIOASpecstoAutomata:variablesvariables s,v:Reals;a:Bools𝑋 = {𝑠, 𝑣, 𝑎}Examplevaluationsalsocalledstates:• 𝑢M = 𝑠 ↦ 0, 𝑣 ↦ 5.5, 𝑎 ↦ 0• 𝑢P = 𝑠 ↦ 10, 𝑣 ↦ −2.5, 𝑎 ↦ 1𝑣𝑎𝑙 𝑋 ={ 𝑠 ↦ 𝑐M, 𝑣 ↦ 𝑐P, 𝑎 ↦ 𝑐S |𝑐M, 𝑐P ∈ 𝑅, 𝑐S ∈ {0,1}}
type indices:[0,…,n-1]variablesx:[indices->values]• Fixn=6,k=8• x:[{0,…,5} ->{0,…,7}]• Examplevaluations:
– 𝑢 = ⟨𝑥 ↦ 0 ↦ 0, 1 ↦ 0, 2 ↦ 0, 3 ↦ 0, 4 ↦ 0, 5 ↦ 0 ⟩– 𝑣 = ⟨𝑥 ↦ 0 ↦ 7, 1 ↦ 0, 2 ↦ 0, 3 ↦ 0, 4 ↦ 0, 5 ↦ 0 ⟩– Notation:𝒖. 𝑥, 𝒖. 𝑥[4]=0
𝑣𝑎𝑙(𝑥) = 𝑥 ↦ 𝑖 ↦ 𝑐Y YZ[…] 𝑐Y ∈ {0, … , 7}}LectureSlidesbySayanMitra
StatesandpredicatesApredicate overasetofvariablesXisaformulainvolvingthevariablesinX.Forexample:
• 𝜙M:x 1 = 0• 𝜙P: ∀𝑖 ∈ 𝑖𝑛𝑑𝑖𝑐𝑒𝑠, 𝑥 𝑖 = 0Avaluationu satisfiespredicate𝝓 ifsubstitutingthevaluesofthevariablesinuin𝜙 makesitevaluatetoTrue.Wewriteu⊨ 𝝓• 𝒖 ⊨ 𝜙M, 𝒖 ⊨ 𝜙P,𝒗 ⊨ 𝝓𝟏 and𝒗 ⊭ 𝝓𝟐𝝓 = 𝑢 ∈ 𝑣𝑎𝑙 𝑥 𝑢 ⊨ 𝜙}. Examples
• 𝜙M = 𝑥 ↦ 1 ↦ 0, 𝑖 ↦ 𝑐Y YZ[,P,…,] 𝑐Y ∈ {0, … , 7}}
• 𝜙P = {⟨𝑥 ↦ 0 ↦ 0, 1 ↦ 0, 2 ↦ 0, 3 ↦ 0, 4 ↦ 0, 5 ↦ 0 ⟩}
Initialstateandinvariantassertions
• Θ ⊆ 𝑣𝑎𝑙(𝑥) initialstates– Oftenspecifiedbyapredicate– 𝝓𝟎 = (Initially∀𝒊 ∈ indices,𝑥 𝑖 = 0)– Θ = 𝜙[ = ⟨𝑥 ↦ 𝑖 ↦ 0 YZ[,…,]⟩
• Invariantproperties– “Atleastoneprocesshasthetoken”.– 𝑰𝟏 = 𝑥 0 = 𝑥 5 ∨ ∃𝑖 ∈ 1, …5 : 𝑥 𝑖 ≠ 𝑥 𝑖 − 1– 𝐼M = 0,… , 0 , 1,0, … , 0 , … , ⟨𝑘 − 1,… , 𝑘 − 1⟩ = 𝑣𝑎𝑙 𝑥 (?)– “Exactlyoneprocesshasthetoken”– 𝑰𝟐 = 𝑥 0 = 𝑥 5 ⊕ 𝑥 1 ≠ 𝑥 0 ⊕ 𝑥 2 ≠ 𝑥 1 …
Actions
• signaturedefinesthesetofActions• Examples– internal step(i:indices)– 𝐴 = {𝑠𝑡𝑒𝑝 0 ,… , 𝑠𝑡𝑒𝑝 5 }– internalbrakeOn,brakeOff– 𝐴 = {𝑏𝑟𝑎𝑘𝑒𝑂𝑛, 𝑏𝑟𝑎𝑘𝑒𝑂𝑓𝑓}
Transitions𝒟 ⊆ 𝑣𝑎𝑙 𝑋 ×𝐴×𝑣𝑎𝑙 𝑋 isthesetoftransitions
internal step(i:indices)pre i =0/\ x[i]=x[n-1]eff x[i]:=x[i]+1modk;
internal step(i:indices)pre i ≠ 0/\ x[i]≠x[i-1]eff x[i]:=x[i-1];
𝑢, 𝑎, 𝑢t ∈ 𝒟 iff𝑢 ⊨ 𝑃𝑟𝑒G and 𝑢, 𝑢t ∈ 𝐸𝑓𝑓G
𝑢, 𝑠𝑡𝑒𝑝 𝑖 , 𝑢t ∈ 𝒟iff
(a)(𝑖 = 0 ∧ 𝑢. 𝑥 0 = 𝑢. 𝑥 5
∧ 𝑢t. 𝑥 0 = 𝑢. 𝑥[0] + 1𝑚𝑜𝑑6)∨(b)(𝑖 ≠ 0 ∧ 𝑢. 𝑥 𝑖 ≠ 𝑢. 𝑥 𝑖 − 1
∧ 𝑢t. 𝑥 𝑖 = 𝑢. 𝑥[𝑖 − 1])
Nondeterminism• Foranaction𝑎 ∈ 𝐴,Pre(a)istheformuladefiningits
precondition,andEff(a)istherelationdefiningtheeffect.
• Statessatisfyingpreconditionaresaidtoenable theaction
• IngeneralEff(a)couldbearelation,butforthisexampleitisafunction
• Nondeterminism– Multipleactionsmaybeenabledfromthesamestate– Theremaybemultiplepost-statesfromthesameaction
Executions,Reachability,&Invariants
Anexecution of𝒜 isanalternating(possiblyinfinite)sequenceofstatesandactions
𝛼 = 𝑢[𝑎M𝑢M𝑎P𝑢S …suchthat:– 𝑢[ ∈ Θ
– ∀𝑖inthesequence,𝑢YG��� 𝑢Y�M
Astate𝑢 isreachable ifthereexistsanexecutionthatendsat𝑢.Thesetofreachablestatesisdenotedby𝑅𝑒𝑎𝑐ℎ�.
Invariants(Formal)Whatdoesitmeanfor𝐼 tohold“always”for𝒜?
– 𝐼 holdsatallstatesalonganyexecution𝑢[𝑎M𝑢M𝑎P𝑢S– 𝐼 holdsinallreachablestatesof𝒜– 𝑹𝒆𝒂𝒄𝒉𝓐 ⊆ [ 𝑰 ]
Invariantscapturemostpropertiesthatyouwillencounterinpractice
– safety:“aircraftalwaysmaintainseparation”– boundedreactiontime:“within15secondsofpress,lightmust
turntowalk”
Howtoverify if𝐼 isaninvariant?– Doesthereexistreachablestate𝑢suchthat𝑢 ⊭ 𝐼 ?
ReachabilityProblem
• Givenadirectedgraph𝐺 = (𝑉, 𝐸),andtwosetsofvertices𝑆, 𝑇 ⊆ 𝑉,𝑇 isreachablefrom𝑆 ifthereisapathfrom𝑆 to𝑇.
• ReachabilityProblem(𝐺, 𝑆, 𝑇) ∶decideif𝑇 isreachablefrom 𝑆 in𝐺.
AlgorithmfordecidingReachabilityG,S,T
SetMarked:= {}QueueQ:=SMarked:=Marked∪Swhile Qisnotempty
t←Q.dequeue()if t∈ 𝑇 return “yes”for each (t,u)∈ E
if u∉MarkedthenMarked:=Marked∪ {u}Q:=enqueue(Q,u)
return “no”
VerifyingInvariantsbysolvingReachability
Given𝒜 = ⟨𝑋, Θ, 𝐴, 𝒟⟩andacandidateinvariant𝐼,howtocheckthat𝐼isindeedaninvariantof𝒜?
DefineagraphG = ⟨𝑉, 𝐸⟩ where𝑉 = 𝑣𝑎𝑙 𝑋
𝐸 = 𝑢, 𝑢t ∃𝑎 ∈ 𝐴, 𝑢G→𝑢t}
Claim. 𝐼 �isnotreachablefromΘ in𝐺 iff 𝐼 isaninvariantof𝒜.
Summary
• Well-formedspecificationsintheHIOAlanguagedefineautomata
• Invariants:Propertiesthatholdatallreachablestates.𝑹𝒆𝒂𝒄𝒉𝓐 ⊆ [ 𝑰 ]
• BFStoverifyinvariantsautomaticallyfor(finite)automata