AVACS: Automatic Verification and Analysis of Complex Systems
ALBERT-LUDWIGS-UNIVERSITÄT FREIBURG
Menu
Starters: 14 selected delicacies from our International Cuisine
Main course: 4 specialities
AVACS GVD Survey 2 - ALBERT-LUDWIGS-UNIVERSITÄT FREIBURG
R1: Automatic verification of parameterized real-time systems
[Figure: the specification formalism CSP-OZ-DC for parameterized real-time systems: CSP, Object-Z, Duration Calculus]
• Automatic Translation of CSP-OZ-DC specifications to Phase-Event Automata
• Constraint-based Semantics of Phase Event Automata
• Integration with ARMC constraint-based abstraction refinement model-checker
• Joint work of Oldenburg (OL) and Saarbrücken (SB)
R2: Scheduling distributed real-time systems
• Allocate task networks to a distributed architecture, and
• determine the scheduling on bus and processor,
• i.e. the worst-case run-time of a task network is less than its time requirement (end-to-end deadline)
• Successfully applied to systems of up to 45 tasks and architectures with more than 8 nodes to compute the optimal solution
• Supports different paradigms of bus systems (time-triggered, event-triggered)
• Joint work of Oldenburg and Saarbrücken
• Publication submitted
[Figure: task network allocated to nodes 1, 2 and 3 communicating over CAN and FlexRay buses, with end-to-end time tE2E]
• Binary decision variables for allocation
• Scheduling analysis modelled as formulae (over integers)
Solver techniques used:
– SAT: reduction of integer arithmetic, binary search based calling
– MILP: rounding heuristics, cutting planes, branch-and-bound search
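The shape of the encoding on this slide (binary allocation variables, a worst-case end-to-end analysis, and a solver called repeatedly inside a binary search on the deadline bound) can be shown on a toy instance. The following is an added example, not code from the AVACS project: the task chain, the three-node architecture, the message cost and the deliberately crude worst-case model in `end_to_end` are all constructed assumptions, and exhaustive enumeration stands in for the SAT/MILP call.

```python
from itertools import product

# Constructed task chain (not the slide's benchmark): name -> worst-case execution time.
WCET = {"sense": 2, "fuse": 4, "plan": 6, "act": 1}
CHAIN = ["sense", "fuse", "plan", "act"]   # data flows along the chain in this order
NODES = (0, 1, 2)                          # processing nodes of the constructed architecture
MSG_COST = 3                               # bus time of one inter-node message (constructed)


def allocations():
    """Enumerate every assignment of chain tasks to nodes.
    This is the space the binary variables x[task][node] (with an exactly-one
    constraint per task) range over in a SAT/MILP encoding."""
    for nodes in product(NODES, repeat=len(CHAIN)):
        yield dict(zip(CHAIN, nodes))


def end_to_end(alloc):
    """Worst-case end-to-end time of the chain under a deliberately crude model
    (an assumption of this example, not the slide's scheduling analysis):
    - on a node, tasks run non-preemptively in unknown order, so a task may wait
      for every other task allocated to the same node;
    - every node change along the chain costs one bus message, which may wait
      for every other message of the chain on the shared bus."""
    interference = sum(
        w for t in CHAIN for u, w in WCET.items() if alloc[u] == alloc[t]
    )
    hops = sum(1 for a, b in zip(CHAIN, CHAIN[1:]) if alloc[a] != alloc[b])
    return interference + hops * hops * MSG_COST


def feasible(bound):
    """Decision query standing in for one SAT call: is there an allocation whose
    worst-case end-to-end time is within `bound`? Returns a witness or None."""
    for alloc in allocations():
        if end_to_end(alloc) <= bound:
            return alloc
    return None


def optimise():
    """Binary search on the end-to-end bound with one feasibility query per step
    (the 'binary search based calling' of the solver on the slide).
    Returns (smallest achievable bound, an allocation achieving it)."""
    lo = 0
    hi = len(CHAIN) * sum(WCET.values()) + len(CHAIN) ** 2 * MSG_COST  # crude, always feasible
    while lo < hi:
        mid = (lo + hi) // 2
        if feasible(mid) is not None:
            hi = mid
        else:
            lo = mid + 1
    return lo, feasible(lo)


if __name__ == "__main__":
    best, alloc = optimise()
    print(f"minimal worst-case end-to-end time: {best}")
    for task in CHAIN:
        print(f"  {task:>6} -> node {alloc[task]}")
```

For this instance the search settles on 29 time units with `sense`/`fuse` on one node and `plan`/`act` on another: splitting the chain once removes more interference than the single bus message costs, while further splits pay for extra messages. Replacing `feasible` by a real solver call over the same variables is what turns this into the SAT or MILP formulation of the slide.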
R2: Automatic identification of timing anomalies
• First approach to automatically detect timing anomalies
• Demonstrated on a mini processor
  – Two functional units, a Tomasulo scheduler
  – ADD: 4 cycles
  – MUL: 12 cycles, 3 if an operand is 0
• Query: prove that a processor with the MUL speed-up disabled cannot overtake
  – Can compute the maximal diameter of the processor model needed for detecting a timing anomaly
  – Bounded Model Checker used
• The counterexample yields the timing anomaly
• Paper being born, expected in March
• Cooperation between Saarbrücken and Freiburg
Reference: Thomas Lundqvist, Per Stenström, Timing Anomalies in Dynamically Scheduled Microprocessors
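The query on this slide, that the variant without the MUL speed-up can never finish ahead of the variant with it, fails exactly when a timing anomaly exists, and the failing run is the anomaly. The following added example (not the slide's Tomasulo model or its BMC encoding) shows one on a deliberately simple machine: two identical functional units and a greedy scheduler that hands a free unit to the oldest ready operation. The five-operation program and its latencies are constructed; the variable-latency multiply `X` takes 3 cycles normally and 1 cycle in the "speed-up" case, a scaled-down stand-in for the slide's 12 and 3.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Op:
    name: str
    latency: int          # cycles the operation occupies a functional unit
    deps: tuple = ()      # names of operations whose results it needs


def list_schedule(program, units=2):
    """Greedy dynamic scheduler (toy model, not the slide's Tomasulo processor):
    whenever a unit is free, it takes the oldest ready operation in program order.
    Returns {name: (start_cycle, finish_cycle)}."""
    done = {}
    pending = list(program)          # kept in program order, so pending[0] is the oldest
    free_at = [0] * units
    cycle, limit = 0, sum(op.latency for op in program) + 1
    while pending:
        if cycle > limit:
            raise RuntimeError("no progress: dependency cycle in program")
        for u in range(units):
            if free_at[u] > cycle:
                continue
            ready = [op for op in pending
                     if all(d in done and done[d][1] <= cycle for d in op.deps)]
            if ready:
                op = ready[0]
                done[op.name] = (cycle, cycle + op.latency)
                free_at[u] = cycle + op.latency
                pending.remove(op)
        cycle += 1
    return done


def makespan(program, units=2):
    """Cycle in which the last operation of the program completes."""
    return max(fin for _, fin in list_schedule(program, units).values())


def program(mul_latency):
    """Constructed five-operation program. X is the multiply whose latency depends
    on its operand: 3 cycles normally, 1 cycle with a zero operand (constructed
    values; the slide's processor uses 12 and 3)."""
    return [
        Op("A", 2),
        Op("X", mul_latency),
        Op("M1", 3, ("X",)),
        Op("M2", 3, ("X",)),
        Op("L", 8, ("A",)),   # long operation on the critical path, youngest in program order
    ]


def overtake_check(slow_latency, fast_latency, units=2):
    """Toy form of the slide's query: with the speed-up disabled (slow) the machine
    must never finish before the same program with the speed-up enabled (fast).
    Returns (property holds, slow makespan, fast makespan)."""
    slow = makespan(program(slow_latency), units)
    fast = makespan(program(fast_latency), units)
    return slow >= fast, slow, fast


if __name__ == "__main__":
    for latency in (3, 1):
        sched = list_schedule(program(latency))
        print(f"MUL latency {latency}: makespan {makespan(program(latency))}")
        for name, (s, f) in sched.items():
            print(f"  {name:>2}: {s:2d} -> {f:2d}")
    print("no-overtake property holds:", overtake_check(3, 1)[0])
```

With the slow multiply, `A` finishes before `M1`/`M2` become ready, so the long `L` gets a unit at cycle 2 and the run takes 10 cycles. With the fast multiply, `M1` and `M2` become ready first, occupy both units, and `L` is pushed back to cycle 4, so the run takes 12 cycles: the locally faster operation makes the whole program slower. On a single unit no reordering is possible and the property holds, which is why the check takes the unit count as a parameter.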
R3: Highlights in real-time verification
Improved PLC automata checking
• Deriving heuristics from PLC automata and feeding them into UPPAAL using the cost-optimisation in UPPAAL
  – For some examples of our benchmarks derived from realistic examples, a speed-up of more than 2 orders of magnitude was achieved
• Submitted to FM05
Integrating automatically derived heuristics in UPPAAL
• Using the "ignored delete list" heuristic for BMC of timed automata
  – Started cooperation with the UPPAAL group
  – Dramatic reduction of the actual search space (10-20) compared with UPPAAL's BFS and random DFS
  – No significant time savings yet (due to prototypical implementation)
• Submitted to CAV05
Abstraction of synchronization
• Composition with bounded memory as an over-approximation
  – Search heuristic accounts for synchronization between parallel processes
  – Dramatic increase in the number of parallel processes that can be model checked in UPPAAL
H1: FO-constraint solving approach to hybrid system verification
• Automata-based constraint solving accelerated by appropriate decision diagrams
  – Tight bounds on automata size for Presburger arithmetic [Klaedtke 2004]
• Provides provably optimal automata constructions leading to a triple-exponential tight bound
• Proves automata-based constraint solving competitive
• Constraint-propagation-based abstraction refinement in safety verification of non-linear hybrid systems [Ratschan & She 2004]
  – Generates (non-linear) constraints from flow predicates, allowing drastic improvements in the number of abstraction refinement loops by pruning non-reachable states
  – E.g. the non-linear Predator-Prey example was proved in 117 seconds
H1: Exploiting robustness in hybrid system verification
• Robust interpretation of validity of metric-time temporal logic [Fränzle & Hansen 2004/2005]
  – Based on non-standard semantics of DC characterizing the level of slackness in invalidating a formula, e.g.
  – Defines robust satisfaction as being insensitive to small perturbations of constants
  – Lipschitz continuity and linearity on the non-standard semantics allow a safe and scalable discrete-time under-approximation of robust dense-time satisfaction
  – Proves decidability of robust validity over discrete time
H2: Integrating SAT and LP for BMC of hybrid systems
Two accepted publications (OL and FR)
• Optimized schemes for BMC
  – provide encodings of hybrid dynamics tailored for lazy theorem proving
  – exploit the linear, symmetric structure of BMC formulas to apply custom-made decision strategies and isomorphic replication of learned facts
• Lazy integration of pseudo-Boolean SAT and LP for solving BMC and IV instances: SAT + LP = HySAT
  – increase of the tractable unwinding depth by several orders of magnitude
  – successfully applied to models with up to 15 continuous variables
H3: Decomposition theorem for traffic collision avoidance protocols
Reduce the NC verification task <C1||P1>||<C2||P2> |= "no collision", where
• Cj are hybrid automata representing the collision avoidance protocol
• Pj are differential equations characterizing the dynamics of a traffic agent
to verification tasks of type
(A) Off-line analysis of the dynamics of the plant assuming worst-case dynamics
(B) Mode invariants for C1||C2
(C) Real-time properties for Cj
(D) Local safety properties, i.e. hybrid verification tasks for Cj||Pj
Published at FMCO 03
H3: Guaranteed termination in the verification of discrete-time non-linear robust hybrid systems
• Exploits the natural concept of "robust satisfaction"
• Full LTL: covers both safety and stability
• Fully automatic abstraction-refinement-based approach with guaranteed termination for valid LTL requirements
• Submitted, joint between OL and SB
H4: Model checking for stability properties of linear hybrid systems
• Automatic approach for proving that the plant dynamics eventually converge to a desired region R, for linear regions and linear hybrid automata
• Submitted for publication; builds on results published in
  – POPL 2005
  – ESOP 2005
  – TACAS 2005
[Figure: elements of the approach: relational composition and widening until a fixpoint is reached; automatic construction of a ranking function for mode m by linear constraint solving, showing convergence while in m; show that R is maintained when taking transitions; extract a constraint-based representation]
H4: Automatic Proofs of exponential stability of linear hybrid systems
• Heuristics for finding partitioning
• Automatic construction of quadratic Lyapunov functions to prove exponential stability in region
• Derive conditions extending local stability to global stability
• Published in RTAS 2005
S1: Compositional approaches to system verification
Verification of partial designs
Partial designs may contain black-box components with unknown implementations.
• Is there an implementation that satisfies the specification? (Realizability)
• Do all implementations satisfy the specification? (Validity)
Applications
• Accelerated model checking (complex parts are hidden as black boxes)
• Early recognition of design errors (before the implementation is complete)
• Error localization
• Modular correctness proofs
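The two questions above, realizability (some implementation of the black box satisfies the specification) and validity (every implementation does), can be made concrete on a design small enough to enumerate. The following added example is not the S1 tooling, which works symbolically on much larger circuits; it assumes a constructed partial design in which a one-input black box drives a signal `z` and the known surrounding logic computes `y = z AND b`, and three constructed specifications over the inputs `(a, b)` and the output `y`.

```python
from itertools import product

INPUTS = [(a, b) for a in (0, 1) for b in (0, 1)]


def partial_design(black_box, a, b):
    """Constructed partial design: the unknown component sees only input a and
    drives z; the known surrounding logic computes y = z AND b."""
    z = black_box[a]
    return z & b


def implementations():
    """All candidate implementations of the black box: every Boolean function
    of its single input, as a truth table {a: z}."""
    for z0, z1 in product((0, 1), repeat=2):
        yield {0: z0, 1: z1}


def satisfies(spec, impl):
    """Does the design with this black-box implementation meet spec on all inputs?"""
    return all(spec(a, b, partial_design(impl, a, b)) for a, b in INPUTS)


def witness(spec):
    """Realizability witness: some implementation satisfying spec, or None."""
    for impl in implementations():
        if satisfies(spec, impl):
            return impl
    return None


def classify(spec):
    """'valid'        -> every implementation of the black box satisfies spec
       'realizable'   -> some but not all do
       'unrealizable' -> none does (the known logic already rules spec out)"""
    results = [satisfies(spec, impl) for impl in implementations()]
    if all(results):
        return "valid"
    if any(results):
        return "realizable"
    return "unrealizable"


# Constructed specifications over inputs (a, b) and output y.
SPEC_GATED = lambda a, b, y: b == 1 or y == 0   # y is gated by b whatever the box does
SPEC_AND = lambda a, b, y: y == (a & b)         # needs the box to output z = a
SPEC_NOT_B = lambda a, b, y: y == 1 - b         # impossible: y = 0 whenever b = 0


if __name__ == "__main__":
    for name, spec in [("gated", SPEC_GATED), ("and", SPEC_AND), ("not b", SPEC_NOT_B)]:
        print(f"{name:>6}: {classify(spec)}  witness={witness(spec)}")
```

The three outcomes map onto the applications listed on the slide: a valid specification is proved without ever seeing the black box's implementation (accelerated model checking, modular proofs), an unrealizable one exposes a design error in the known logic before the component exists, and a realizable-but-not-valid one localizes the remaining obligation to that component.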
S1 Highlights
• Complete characterization of the system architectures for which the verification problem is decidable (submitted)
• Exact verification algorithm (sound and complete) for the decidable architectures.
• Approximate verification algorithms (sound but not complete) for all architectures.
• Different trade-offs between completeness and computational cost.
[Figure: Pipelined ALU case study [Nopper/Scholl 2004]: verification time (sec, log scale from 1 to 10000) against word width (2 to 64 bits) for the complete design and for the partial design in which the adder, multiplier and 75% of the register file are replaced by black boxes]
S2: Specification of dynamically communicating systems
Cooperation OL+SB; submitted to ICALP'05
Development of a modelling language for dynamic communicating systems, like car platoons, ETCS, ad-hoc networks, ...
Main features:
• Unbounded number of processes
• Changing communication topology
• Strictly more expressive than CSFM [Brand, Zafiropulo]
• Amenable to formal verification
• Applied to car platoon scenario
S2: Analysis of DCS
• Shape analysis of DCS
• Automatic construction of a finite abstraction sufficiently precise to maintain knowledge on roles in DCS and their interrelation
• Allows to automatically prove properties such as
  – Maneuvers guarantee the shape of platoons
  – There is always a unique leader
• Submitted for publication
• Automatic finite-state abstraction of DCS by symmetry reduction and folding
  – Journal publication
• Can use shape invariances to increase the preciseness of the abstraction
• First experimental results
[Figure: abstraction of a car platoon; example property: "It is never the case that two cars that are in the follower mode consider each other to be each other's leader."]
S3: Formal analysis of dependability
[Figure: methodology of the ETCS application study (joint effort): requirement and system definition, extended Statechart model, symbolic fault injection and analysis with VIS (symbolic); wireless communication over GSM-R]
Model checking question: Is the risk of violating a critical distance margin due to wireless mis-communication low enough?
S3: Formal analysis of dependability: first results
ETCS application study
• Consistent model checking results via approximative and simulation-based checks
• Identification of critical verification parameters
[Figure: prototypical tool chain of MPI and UdS (joint effort with OL, FR and UdS): Statemate++, VIS (symbolic), ETMCC model checker (explicit state), prototype model checker (symbolic state), symbolic stochastic branching minimizer]
AVACS knowledge layers
Complex systems: future European train systems standard ERTMS/ETCS Level 3
Models of complex systems: real-time, hybrid, distributed system architectures
Verification dimensions: verification of hybrid systems, verification of real-time systems, complete system verification
Combining V&A technology: (x1 & x2 & ... & xn for s)*, where the xj are V&A kernel technologies and s is a system
V&A kernel technologies: abstraction, BDDs, constraint solving, heuristic search, integer linear programming, model checking, Lyapunov method, SAT solver, decision procedures
AVACS approach: apply a divide-and-conquer strategy
• Tackle in the first phase each dimension of complexity in isolation
• Establish decomposition results
• Master the complexity of analysis problems by focused combination of powerful V&A kernel technologies and focused extension of verification engines
The AVACS Vision
To cover the model and requirement space of complex safety-critical systems with automatic verification methods, giving mathematical evidence of compliance of models to reliability, coordination, control and real-time requirements.