Embed Size (px)
Citation preview
Automatic Rectangular Automatic Rectangular Refinement of Affine Hybrid Refinement of Affine Hybrid
AutomataAutomata
Tom HenzingerTom Henzinger
EPFLEPFL
Laurent DoyenLaurent Doyen
ULBULB
Jean-François RaskinJean-François Raskin
ULBULB
FORMATS 2005 – Sep 27FORMATS 2005 – Sep 27thth - Uppsala - Uppsala
OverviewOverview
• Automatic analysis of affine hybrid systems
OverviewOverview
• Automatic analysis of affine hybrid systems• Example:
Navigation Benchmark
vx
)( dvvAv {
OverviewOverview
• Automatic analysis of affine hybrid systems• Example:
Two trajectories
vx
)( dvvAv {
OverviewOverview
• Automatic analysis of affine hybrid systems• Example:
Navigation Benchmark
vx
)( dvvAv {Affine dynamics
OverviewOverview
• Automatic analysis of affine hybrid systems• Example:
vx
)( dvvAv {Affine dynamicsDiscrete states
B 2
+
A2 2
4
44 3
• Some classes of hybrid automata:– Timed automata ( )– Rectangular automata ( )– Linear automata ( )
ReminderReminder
1x][ ,bax
bxa ii ~
• Some classes of hybrid automata:– Timed automata ( )– Rectangular automata ( )– Linear automata ( )
ReminderReminder
1x][ ,bax
bxa ii ~
Limit for decidability of Language Emptiness
ReminderReminder
• Some classes of hybrid automata:– Timed automata ( )– Rectangular automata ( )– Linear automata ( )– Affine automata ( )– Polynomial automata ( )– etc.
1x][ ,bax
bxa ii ~ cxbxa iiii ~
cxxp ii ~),(
Limit for decidability of Language Emptiness
ReminderReminder
• Some classes of hybrid automata:– Timed automata ( )– Rectangular automata ( )– Linear automata ( )– Affine automata ( )– Polynomial automata ( )– etc.
1x][ ,bax
bxa ii ~ cxbxa iiii ~
cxxp ii ~),(
Limit for symbolic computation of Post with HyTech
Limit for decidability of Language Emptiness
MethodologyMethodology
• Affine automaton A and set of states Bad
• Check that Reach(A) Bad = Ø
MethodologyMethodology
• Affine dynamics is too complex ?Abstract it !
• Affine automaton A and set of states Bad
• Check that Reach(A) Bad = Ø
MethodologyMethodology
• Affine dynamics is too complex ?Abstract it !
• Abstraction is too coarse ? Refine it !
HOW ?
• Affine automaton A and set of states Bad
• Check that Reach(A) Bad = Ø
MethodologyMethodology
Affine dynamics Rectangular dynamics
xx 2
30 x
• 1. Abstraction: over-approximation
Let Then
MethodologyMethodology
Affine dynamics Rectangular dynamics
xx 2
30 x
]2,1[x
30 x
• 1. Abstraction: over-approximation
30Inv x)](max),([min InvInv]2,1[ xfxf xx
-x f(x) 2{
xx 2
30 x
MethodologyMethodology
Line l
• 2. Refinement: split locations by a line cut
23x
l
0 3
xx 2
30 x
323 x
MethodologyMethodology
Line l
230 x
• 2. Refinement: split locations by a line cut
23x xx 2
xx 2l
0 3
MethodologyMethodology
Abstract
Reach(A’)Bad Ø?=
A’
A
Yes
Original Automaton
Property verified
MethodologyMethodology
Abstract
Reach(A’)Bad Ø?=
A’
A
Yes
Original Automaton
(Undecidable)Property verified
MethodologyMethodology
Abstract Refine
Reach(A’)Bad Ø?=
A’
A
No
Yes
Original Automaton
(Undecidable)Property verified
•using Reach(A’)•using Pre*(Bad)
RefinementRefinement
• 2. Refinement: split locations by a line cut
• Which location(s) ?– Loc1 = Locations reachable in the last step– Loc2 = Reachable locations that can reach Bad– Better: replace the state space by Loc2
RefinementRefinement
• 2. Refinement: split locations by a line cut
• Which location(s) ?– Loc1 = Locations reachable in the last step– Loc2 = Reachable locations that can reach Bad– Better: replace the state space by Loc2
• Which line cut ?– The best cut for some criterion characterizing the goodness of the resulting approximation.
NotationsNotations
NotationsNotations
NotationsNotations
l
P+
P-A
B
NotationsNotations
l
P+
P-A
B
• ?
Goodness of a cutGoodness of a cut
• A good cut should minimize
• ?
• ?
Goodness of a cutGoodness of a cut
• A good cut should minimize
• ?
• ?
• ?
• …
Goodness of a cutGoodness of a cut
• A good cut should minimize
• ?
• ?
• ?
• …
Goodness of a cutGoodness of a cut
Our choice
• A good cut should minimize
Finding the optimal cutFinding the optimal cut
P
Extremal level sets of f(x,y)Extremal level sets of f(x,y)
P
Extremal level sets of g(x,y)Extremal level sets of g(x,y)
P
ExampleExample
P
Assume
Then any line separating { } and { }
is better than any other line.
ExampleExample
P
Assume
ExampleExample
P
ExampleExample
Any line separating { } and { }
is better than any other line.
P
ExampleExample
Any line separating { } and { }
is better than any other line.
P
ExampleExample
Thus, for every
the best line separates and
P
ExampleExample
Thus, for every
the best line separates and
P
ExampleExample
Thus, for every
the best line separates and
P
ExampleExample
Thus, for every
the best line separates and
P
ExampleExample
P
When
ExampleExample
P
When the best line cut must separate both
from and from
ExampleExample
P
The best line cut must separate both
from and from
ExampleExample
Intersection
P
The process continues because it is still possible to separate
both from and from
When an intersection occurs…
ExampleExample
P
ExampleExample
P
ExampleExample
P
ExampleExample
P
ExampleExample
Intersection
P
When a second intersection occurs…
ExampleExample
Intersection
P
In this case, we have reached the "limit of separability"
ExampleExample
An optimal cut
P
How to compute the How to compute the intersection ?intersection ?
P
How to compute the How to compute the intersection ?intersection ?
P
We have to find the minimal such that:
(u,v)
How to compute the How to compute the intersection ?intersection ?
P
We have to find the minimal such that:
This is a linear program !
(u,v)
The algorithmThe algorithm
• Applies in the plane (2D)– Several particular cases
The algorithmThe algorithm
• Applies in the plane (2D)– Several particular cases
• What for higher dimension ?– An option: discretize the problem using a grid– Apply a (more) discrete algorithm– The exact solution can be arbitrarily closely approximated
The algorithmThe algorithm
• Applies in the plane (2D)– Several particular cases
• What for higher dimension ?– An option: discretize the problem using a grid– Apply a (more) discrete algorithm– The exact solution can be arbitrarily closely approximated
N.B.: it is possible to define a general algorithm in nD, but it requires to solve difficult
geometrical problems (parametric convex hulls).
The algorithmThe algorithm
• Applies in the plane (2D)– Several particular cases
• What for higher dimension ?– An option: discretize the problem using a grid– Apply a (more) discrete algorithm– The exact solution can be arbitrarily closely approximated
N.B.: it is possible to define a general algorithm in nD, but it requires to solve difficult
geometrical problems (parametric convex hulls).
Navigation benchmarkNavigation benchmark
In each location, the dynamics has the form:
We cut in the plane v1-v2
Navigation benchmarkNavigation benchmark
In each location, the dynamics has the form:
We cut in the plane v1-v2
ResultsResults
NAV 04 NAV 07
Initial states Bad states Good states
Results: NAV 04Results: NAV 04
Forward Backward
Results: NAV 04Results: NAV 04
Forward Forward
Results: NAV 07Results: NAV 07
Backward
ConclusionConclusion
• Approximations• Rectangular• Over-approximations
ConclusionConclusion
• Approximations• Rectangular• Over-approximations
• Refinements• Automatic• Optimal split for some criterion (at least in 2D)
ConclusionConclusion
• Approximations• Rectangular• Over-approximations
• Refinements• Automatic• Optimal split for some criterion (at least in 2D)
• Possible future work• Under-approximations• Optimal split for some other criterion• Combine with other approaches (barrier certificates, ellipsoïds, …)
ReferencesReferences
• [FI04] A. Fehnker and F. Ivancic. Benchmarks for hybrid systems verification. In HSCC 2004, LNCS 2993, pp 326-341.
• [Fre05] G. Frehse. Phaver: Algorithmic verification of hybrid systems past hytech. In HSCC 2005, LNCS 3414, pp 258-273.
