
Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction


Presentation Transcript


  1. Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction Sumit K. Jha, Bruce H. Krogh, James E. Weimer, Edmund M. Clarke Carnegie Mellon University

  2. CEGAR (CounterExample Guided Abstraction Refinement) [Diagram of the CEGAR loop: concrete system → construct initial abstraction → abstraction → model checking → "specification satisfied" if there is no counterexample, otherwise counterexample → validate counterexample → "specification not satisfied" if the constraints are feasible, otherwise infeasible constraints → construct new abstraction → abstraction. Slides 2 to 46 repeat this diagram; only the highlighted callout changes.]

  3. CEGAR: the concrete system is the complete, detailed model.

  4. CEGAR: the abstraction is a reduced, conservative model.

  5. CEGAR: model check the abstraction against the specification (faster than for the concrete system).

  6. CEGAR: no counterexample ⇒ specification satisfied for the concrete system.

  7. CEGAR: a counterexample for the abstraction corresponds to a state-transition path in the concrete system.

  8. CEGAR: validate the counterexample: can the constraints along the counterexample path be satisfied in the concrete system?

  9. CEGAR: feasible constraints ⇒ there exists a feasible counterexample for the concrete system.

  10. CEGAR: infeasible constraints: create a new abstraction (refinement) that eliminates the spurious counterexample.

  11. CEGAR: Success: CEGAR iterations often terminate much more quickly than model checking the concrete system.

  12. CEGAR for Discrete Systems: the concrete system is a state transition system with Boolean variables. [CEGAR loop diagram as on slide 2.]

  13. CEGAR for Discrete Systems: the abstraction eliminates some variables.

  14. CEGAR for Discrete Systems: counterexamples are validated with decision procedures / SAT solvers.

  15. CEGAR for Discrete Systems: refinement adds the variables in the unsatisfiable core.

  16. CEGAR for Discrete Systems
  • Leverages
    • Power of model checking on simpler models
    • Power of decision procedures / SAT solvers to validate counterexamples
  • Empirically a very powerful approach
  • Many success stories
    • SLAM: Verifying Device Drivers at Microsoft
      • Actually ships as a commercial product, Static Driver Verifier (SDV)
    • Many software model checkers developed: MAGIC, BLAST, CBMC

  17. CEGAR for Hybrid Systems (our previous work): the concrete system is a hybrid automaton. [CEGAR loop diagram as on slide 2.]

  18. CEGAR for Hybrid Systems: the initial abstraction is the location transition graph.

  19. CEGAR for Hybrid Systems: reachability specifications (forbidden locations).

  20. CEGAR for Hybrid Systems: model checking is HS reachability: apply increasingly precise approximations.

  21. CEGAR for Hybrid Systems: validate the counterexample by computing reachable sets along the counterexample path.

  22. CEGAR for Hybrid Systems: identify the point where the reachable set becomes empty.

  23. CEGAR for Hybrid Systems: refinement introduces new locations ("splitting") to eliminate the infeasible path.

  24. CEGAR for Hybrid Systems
  • Limitations:
    • slow convergence: refinement eliminates one path at a time
    • HS reachability limited to low-dimensional systems

  25. Iterative Relaxation Abstraction (IRA) for Linear Hybrid Automata (LHA) [CEGAR loop diagram as on slide 2.]

  26. IRA for LHA: the concrete system is an LHA (with several continuous variables).

  27. IRA for LHA: the abstraction is a relaxation abstraction with fewer continuous variables.

  28. IRA for LHA: start with the location graph (zero continuous variables).

  29. IRA for LHA: model checking is LHA reachability (forbidden locations).

  30. IRA for LHA: validate the counterexample by checking feasibility of its linear constraints using LP.

  31. IRA for LHA: use the variables from an irreducible infeasible subset (IIS) of the constraints.

  32. IRA for LHA: a new relaxation abstraction each time: NOT a refinement.

  33. IRA for LHA – Leverages:
  • Power of LHA reachability on low-order LHA models
  • Power of LP to validate counterexamples involving a huge number of continuous variables
  • Ability of an LP solver to identify an irreducible infeasible subset for an infeasible LP
  • Inspired by CEGAR for discrete systems, but variables are not added to refine abstractions

  34. Relaxation Abstractions
  • LHA
    • discrete transition structure (locations/transitions)
    • linear constraints for invariants, guards, jumps
  • Given a subset of continuous variables V
    • Replace linear constraints with relaxed constraints involving only variables in V
    • x<100 /\ x>20 /\ y<30 /\ x<y can be relaxed to x<100 /\ x>20
  • Not unique – various relaxations
    • Drop constraints involving variables not in V (localization)
    • Quantifier Elimination (Fourier-Motzkin)

  35. Counterexamples (CEs)
  • Paths in the discrete structure (sequence of locations and transitions)
  • Key observations [Xuandong Li, Sumit Jha, Lei Bu, BMC'06]:
    • Feasible runs along a path are defined by linear constraints
    • A CE exists in the concrete LHA if and only if the corresponding linear constraints are feasible

  36. Irreducible Infeasible Subset (IIS)
  • Given a set of infeasible linear constraints (corresponding to a spurious CE)
  • IIS: a subset of the constraints such that
    • the constraints in the subset are infeasible
    • removing any one constraint makes the remaining ones feasible
  • Use the variables in the IIS for the next relaxation abstraction
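Added illustration of slides 34 to 36 (not code from the paper or its tool chain, which used PHAVer and CPLEX): localization relaxation, feasibility of a path's linear constraints decided by Fourier-Motzkin elimination standing in for the LP solver, and an IIS found by a deletion filter. The constraint set along the path is constructed, and the function names are assumptions.

```python
from fractions import Fraction

# A constraint is (coeffs, bound, strict): sum(coeffs[v] * v) <= bound, or < bound if strict.
def con(coeffs, bound, strict=False):
    return ({v: Fraction(c) for v, c in coeffs.items() if c}, Fraction(bound), strict)

def relax(constraints, keep):
    """Localization relaxation: keep only constraints whose variables all lie in `keep`."""
    return [c for c in constraints if set(c[0]) <= set(keep)]

def eliminate(constraints, var):
    """One Fourier-Motzkin step: pair every upper bound on `var` with every lower bound."""
    pos, neg, rest = [], [], []
    for c in constraints:
        a = c[0].get(var, 0)
        (pos if a > 0 else neg if a < 0 else rest).append(c)
    for cp, bp, sp in pos:
        for cn, bn, sn in neg:
            ap, an = cp[var], -cn[var]  # an*cp + ap*cn has coefficient 0 on var
            coeffs = {v: an * cp.get(v, 0) + ap * cn.get(v, 0) for v in set(cp) | set(cn)}
            rest.append(({v: k for v, k in coeffs.items() if k}, an * bp + ap * bn, sp or sn))
    return rest

def feasible(constraints):
    """Feasibility over the reals: eliminate every variable, then check the constant bounds."""
    cs = list(constraints)
    for v in sorted({v for c in cs for v in c[0]}):
        cs = eliminate(cs, v)
    return all(b > 0 if s else b >= 0 for _, b, s in cs)

def iis(constraints):
    """Deletion filter: a constraint stays only if removing it would make the rest feasible."""
    core, i = list(constraints), 0
    while i < len(core):
        trial = core[:i] + core[i + 1:]
        if feasible(trial):
            i += 1        # needed for infeasibility: keep it
        else:
            core = trial  # not needed: drop it
    return core

def next_relaxation(path):
    """IRA step (hypothetical name): IIS variables of a spurious CE form the next variable set;
    also reports whether the path stays feasible in that relaxation (True = CE survives)."""
    keep = sorted({v for c in iis(path) for v in c[0]})
    return keep, feasible(relax(path, keep))

# Constructed example: constraints collected along one spurious CE path of a 4-variable LHA.
PATH = [con({'x': 1, 'y': -1}, 0), con({'y': 1}, 30), con({'x': -1}, -40),
        con({'z': 1}, 5), con({'t': 1, 'z': -1}, 1)]
```

With `PATH`, relaxing to `x` alone leaves the spurious path feasible, while the IIS variables `x` and `y` are exactly enough to make the relaxed abstraction reject it.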

  37. The Language of Counterexamples
  • LHA reachability gives a discrete CE automaton A for the current relaxed LHA
  • A string s = s0 s1 … sn is in the language of the discrete CE automaton A only if the reachability analysis engine says that sn may be reachable from s0 using the path s0 s1 … sn
  • Intersect with the previous CE automaton
    • to remove CEs refuted earlier by other abstractions
    • also, to remove previous CEs in case reachability was too conservative
  • Key Idea: generate relaxation abstractions with only the most recent set of IIS variables

  38. IRA for LHA: selecting counterexamples [CEGAR loop diagram as on slide 2.]

  39. IRA for LHA: selecting counterexamples. The loop gains a cumulative CE automaton: model checking the abstraction yields an abstraction CE automaton, which updates the cumulative CE automaton; the counterexample to validate is then selected from the cumulative automaton.

  40. IRA for LHA: selecting counterexamples
  • guarantees:
    • only previously discovered CEs are explored
    • no CE is used twice

  41. IRA for LHA: constructing new relaxation abstractions [CEGAR loop diagram as on slide 2.]

  42. IRA for LHA: constructing new relaxation abstractions: identify the variables in an IIS; these continuous variables define the new abstraction.

  43. IRA for LHA: constructing new relaxation abstractions: guarantees the relaxation abstraction has a minimal set of variables to eliminate the previous CE.

  44. IRA for LHA: implementation: LHA reachability: PHAVer.

  45. IRA for LHA: implementation: CE automata: AT&T FSM Library.

  46. IRA for LHA: implementation: LP & IIS analysis: CPLEX.

  47. IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec)

  48. IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec): IRA becomes faster for 12 or more variables.

  49. IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec): IRA-FM becomes faster for 14 or more variables.

  50. IRA vs. PHAVer for an Adaptive Cruise Control Example (time in sec): 15 vars: 19.5 hr (PHAVer) vs. 3 min (IRA-LOC).
