Sayan Mitra Verifying cyberphysicalsystems mitras@illinois
32
Transcript of Sayan Mitra Verifying cyberphysicalsystems mitras@illinois
β’ HW3 outβ’ Read chapter 5
What is composition?
β’ Complex models and systems are built by putting together components or modules
β’ Composition is the mathematical operation of putting together
β’ Leads to precise definition of moduleinterfaces
β’ What properties are preserved undercomposition?
model of a network of oscillators [Huang et. al 14]
Powertrain model from Toyota [Jin et al. 15]
β’ Give an example of how youβve built something more complex from simple components
β’ Throughout the lecture, think if your notion ofcomposition is captured by what we define
Outline
β’ Composition operationβ Input/output interfaces
β’ I/O automataβ’ hybrid I/O automataβ’ Examplesβ’ Properties of composition
Composition of automata
β’ Complex systems are built by βputting togetherβ simpler subsystems
β’ Recall π = β¨π, Ξ, π΄, π«β©β’ π = π*||π,βπ*,π, are the component automata and βπis the composed automatonβ || symbol for the composition operator
Composition: asynchronous modules
a
b
c
π
d
e
f
β¬π||β¬
a d
a e
a f
b d
b e
b f
c d
c e
c f
composition: modules synchronize
a d
a e
a f
b d
b e
b f
c d
c e
c f
a
b
c
π
d
e
f
β¬
Composition of (discrete) automata
β’ More generally, some transitions of π and β¬ may synchronize, while others may not synchronize
β’ Further, some transitions may be controlled byπ which when occurs forces the corresponding transition of β¬
β’ Thus, we will partition the set of actions π΄ of π = β¨π, Ξ, π΄, π«β© intoβ π»: internal (do not synchronize)β π: output (synchronized and controlled by π)β πΌ: input (synchronized and controlled by some other automaton)
β’ π΄ = π» βͺ π βͺ πΌβ’ This gives rise to I/O automata [Lynch, Tuttle 1996]
Reactivity: Input enablingβ’ Consider a shared action brakeOn controlled by π1 and listend-to or
read by π2
β’ Input enabling ensures that when π1 and π2 are composed then π2can react to brakeOn
Definition. An input/output automaton is a tuple π =β¨π, Ξ, π΄, πβ© whereβ’ π is a set of names of variablesβ’ Ξ β π£ππ(π) is the set of initial statesβ’ π΄ = πΌ βͺ π βͺ π» is a set of names of actionsβ’ π β π£ππ π Γπ΄Γπ£ππ π is the set of transitions and π
satisfies the input enabling condition:E1. For each π β π£ππ π , π β πΌ there exists π@ β π£ππ π such that π βB πβ²
Controllerπ*
Vehicle
π,
πππππππPre ProxSensorCritEff (do nothing)
πππππππPre ???Eff accel := -5
MovePre β¦Eff β¦
πππππππ
Compatibility IOAA pair of I/O automata π* and π, are compatible if π»I β© π΄K = β no unintended interactionsπI β© πK = β no duplication of authority
Extended to collection of automata in thenatural way
π*
π,d
e
f
a
b
c
πM
πN
Composition of I/O automaton
Definition. For compatible automata π1 and π2 their composition π1 || π2 is the structure π= π, Ξ, π΄, π
β π = π* βͺ π,β Ξ = π β π£ππ(π) β π β 1,2 : πβππ β Ξπ}β π» = π»1 βͺ π»2
β O = π1 βͺ π2β I = πΌ1 βͺ πΌ, β πβ π, π, πβ² β π iff for π β {1,2}
β’ π β π΄I and (πβπI, π, π@βπ) β πIβ’ π β π΄I πβπI = πβπI
} π΄ = π» βͺ π βͺ πΌ
Theorem. The class of IO-automata is closed under composition. If π1and π2 are compatible I/O automata thenπ = π1||π2 is also an I/O automaton.Proof. Only 2 things to check- Input, output, and internal actions are disjoint---by construction- π satisfies E1. Consider any state π β π£ππ π* βͺ π, and any input
action a β πΌ1 βͺ πΌ, β π such that a is enabled in π. - Suppose, w.lo.g. a β πΌ1- We know by E1 of π1 that there exists ππ@ β π£ππ(π*) such that πβπ* βB ππ@
- π β π,, πΌ,, π», (by compatibility)- Therefore, π βB (ππ@ , π₯ π, is a valid transition of π (by definition
of composition)
Example: Sending process and channel
Automaton Sender(u)variables internal
failed:Boolean := F output send(m:M)input failtransitions:
output send(m)pre ~failedeff
input failpre trueeff failed := T
Loc 1
failed
send(m)~failed
failtrue
failed := T
Sender Channelsend(m) receive(m)fail
ReceiverSystem
FIFO channel & Simple Failure Detector
Automaton Channel(M)variables internal queue: Queue[M] := {}actions input send(m:M)
output receive(m:M)transitions:
input send(m)pre trueeff queue := append(m, queue)
output receive(m)pre head(queue)=m
eff queue := queue.tail
Automaton System(M)variables queue: Queue[M] := {}, failed: Boolactions input fail
output send(m:M), receive(m:M)transitions:
output send(m)pre ~failedeff queue := append(m, queue)
output receive(m)pre head(queue)=m
eff queue := queue.tailinput fail
pre trueeff failed := true
Automaton Sender(u)variables internal
failed:Boolean := F output send(m:M)input failtransitions:
output send(m)pre ~failedeff
input failpre trueeff failed := T
COMPOSING HYBRID SYSTEMS
Hybrid IO AutomatonIn addition to interaction through shared actions hybrid input/output automata (HIOA) will allow interaction through shared variables
Recall a hybrid automaton π = β¨π, Ξ, π΄, π«, π»β©
We will partition the set of variables π of π intoβ π: internal or state variables (do not
interact)
β π: output variables
β π: input variables
β’ π = π βͺ π βͺ π
This gives rise to hybrid I/O automata (HIOA) [Lynch, Segala, Vaandrager 2002]
Plant
π₯* = π* π₯*, π₯,π¦* = π₯*
Controller
π₯, = π π₯,, π₯*π¦, = π₯,
π¦*π¦,
Reactivity: Input trajectory enablingConsider a shared variable throttle controlled by π1 and listened-to or read by π2
Input trajectory enabling ensures that when π1 and π2 are composed then π2can react to any signal generated by π*
If the trajectories of π, are defined by ordinary differential equations, then input enabling is guaranteed if π* only generates piece-wise continuous signals (throttle)
Definition. An hybrid input/output automaton is a tuple π = β¨π, Ξ, π΄,π, π»β© where
β’ π = π βͺ π βͺ π is a set of variables
β’ Ξ β π£ππ(π) is the set of initial states
β’ π΄ = πΌ βͺ π βͺ π» is a set of actions
β’ π β π£ππ π Γπ΄Γπ£ππ π is the set of transitions
β’ π» is a set of trajectories for π closed under prefix, suffix, and concatenation
E1. For each π β π£ππ π , π β πΌ there exists π@ β π£ππ π such that π βB πβ²
E2. For each π β π£ππ π ,π should be able to react to any trajectory π of π.
i.e, β π β π» with π. ππ π‘ππ‘π = π such that π β π is a prefix of π and either (a) π βπ = π or (b) π is closed and some π β π» βͺ π is enabled at π. ππ π‘ππ‘π.
Controllerπ*
Vehicle
π,
π‘βπππ‘π‘ππ
Compatibility of hybrid automata
β’ For the interaction of hybrid automata π1 and π2 to be well-defined we need to ensure that they have the right interfaces
β’ compatibility conditions
Controller
π*
Vehicle
π,
Output πππππ Input ππππππππππ
πππππππOutput πππππππ Input πππππππ
πππ ππ‘πππ
Compatibility HIOAA pair of hybrid I/O automata π* and π, are compatible if π»I β© π΄K = β no unintended discrete interactionsπI β© πK = β no duplication of discrete authorityπI β© πK = β no unintended continuous interactions
πI β© πK = β no duplication of continuous authority
Extended to collection of automata in the natural way and captures most common notions of composition in, for example, Matlab/Simulink
Compositionβ’ For compatible π1 and π2 their composition π1 || π2 is the
structure π= π, Ξ, π΄, π, π―β’ Variables π = π βͺ π βͺ π
β π = π1 βͺ π2, Y = π1 βͺ π2 ,π = π1 βͺ π, β π
β’ Ξ = π β π£ππ(π) β π β 1,2 : πβππ β Ξπ}β’ Actions π΄ = π» βͺ π βͺ πΌ
β π» = π»1 βͺ π»2, O = π1 βͺ π2 ,I = πΌ1 βͺ πΌ, β π,β’ π, π, πβ² β π iff for π β {1,2}
β π β π΄I and (πβπI, π, π@βπI) β πIβ π β π΄I πβπI = πβπI
β’ π―: set of trajectories for Vβ π β π― iff β π β 1,2 ,π β πI β π―i
π,
οΏ½οΏ½* = π(π₯*, π’,)
e
f
πM
πN
a1
a1
a1
a1
u2
e
f
u2
Closure under composition
β’ Conjecture. The class of HIOA is closed under composition. If π1 and π2 are compatible HIOA then π1||π2 is also a HIOA.
β’ Can we ensure that input trajectory enabled condition is satisfied in the composed automaton?
β’ No, in generalβ Additional conditions are needed Plant
Input π’}π₯* = π’}
output π¦~ = π₯*
ControllerInput yοΏ½
π₯, = π¦~ + 1Output π’} = π₯,
π¦~π’}
Example 2: Periodically Sending Process
Automaton PeriodicSend(u)variables internal clock: Reals := 0, z:Reals, failed:Boolean := F signature output send(m:Reals)
input failtransitions:
output send(m)pre clock = u /\ m = z /\ ~failedeff clock := 0input failpre trueeff failed := T
trajectories:evolve d(clock) = 1, d(z) = f(z)invariant failed \/ clockβ€u
Loc 1π πππππ = 1π π§ = π(π§)
~failedβπππππ β€ π
send(m)clock = u /\ m = z /\ ~failed
clock := 0
clock:= 0
failtrue
failed := T
Time bounded channel & Simple Failure Detector
Automaton Timeout(u,M)variables: suspected: Boolean := F,
clock: Reals := 0signature input receive(m:M)
output timeouttransitions:
input receive(m)pre trueeff clock := 0; suspected := false;output timeoutpre ~suspected /\ clock = ueff suspected := true
trajectories:evolve d(clock) = 1invariant clockβ€ u\/suspected
Automaton Channel(b,M)variables internal queue: Queue[M,Reals] := {}
clock: Reals := 0signature input send(m:M)
output receive(m:M)transitions:
input send(m)pre trueeff queue := append(<m, clock+b>, queue)output receive(m)pre head(queue)[1]=mβ§
head(queue)[2]=clockeff queue := queue.tail
trajectories:evolve d(clock) = 1invariant β<m,d>βqueue:d β₯ clock
Example 3: Oscillator and pulse generator
pulseGen Oscillator
pre:πππ€β₯π οΏ½
οΏ½οΏ½ef
f:πππ€β0
Composed automatonOn,Mode
π πππ€ = 1π π₯* = βπ₯* π₯*, + 0.9π₯* + 0.9 β π₯, + 1π π₯, = π₯* β 2π₯,πππ€ β€ ποΏ½Β’
Off,Modeπ πππ€ = 1π π₯* = βπ₯* π₯*, + 0.9π₯* + 0.9 β π₯, + 0π π₯, = π₯* β 2π₯,πππ€ β€ ποΏ½οΏ½οΏ½
pre:πππ€β₯π οΏ½
Β’ef
f:πππ€β0
pulseGen
Oscillator1
Oscillator2
Oscillator3
Oscillator4
Oscillator6
Oscillator5
Cardiac oscillator network models, Grosu et al. CAV, HSCC 2007-2015
Restriction operation on exections
β’ Sometimes it is useful to restrict our attention to only some subset of variables and actions in an execution
β’ Recall the restriction operations π₯βπ πππ π β πβ’ Let πΌ = πΒ€π*π*π, be an execution fragment of a hybrid automaton with
set of variables π and set of actions π΄. Let π΄β² be a set of actions and πβ² be a set of variables.
β’ Restriction of πΌ to (π΄β², πβ²), written as πΌβ(π΄β², πβ²) is the sequence defined inductively as:β πΌβ π΄@, π@ = π β π@ if πΌ = πβ πΌ π π β π΄@, π@ =
β’ πΌ β π΄@, π@ π (π β π@) if a β π΄β²β’ πΌ β π΄@, π@ ππππππ‘ (π β π@) if a β π΄@
β’ From the definition it follows πΌ. ππ π‘ππ‘π βπ@ = πΌβ π΄β², π@ . ππ π‘ππ‘π for any π΄@, πβ²
Properties of CompositionsProposition. Let π = π*||π,. πΌ is an execution fragment of π iffπΌβ π΄I, πI , π β 1,2 are both execution fragments of πI.
β’ Proof of the forward direction. Fix πΌ and i. We prove this by induction on the length of πΌ.
β’ Base case: πΌ = π. πΌβ π΄I, πI = π β πI by definition of composition π β πI β πI. So, π β πI β πΉπππI
β’ πΌ = πΌβ² π π β π΄I, πI and π β π΄I and by induction hypothesis πΌβ²β π΄I, πI β πΉπππI. Let πΌβ²β π΄I, πI . lstate = π£. By the definition of composition: π β πI β πI. β It remains to show that π£βπI βB π β πI . ππ π‘ππ‘π. Since π β π΄I, by the definition of
composition: πΌβ²β π΄I, πI . lstate βB π β πI. ππ π‘ππ‘π
β’ πΌ = πΌβ² π π β π΄I, πI and π β π΄I and by induction hypothesis πΌβ²β π΄I, πI βπΈπ₯ππI. Let πβ² be the last trajectory in that execution.β Since π β π΄I, by the definition of composition:π@. ππ π‘ππ‘π = π β πI. ππ π‘ππ‘π . By concatenation
closure of Ξ€I, it follows that π@ππππππ‘ π β πI β Ξ€I. Therefore πΌβ π΄I, πI β πΈπ₯ππI.
properties of executions of composed automata
β’ πΌ is an execution iff πΌβ π΄I, πI , π β 1,2 are both executions.
β’ πΌ is time bounded iff πΌβ π΄I, πI , π β 1,2 are both time bounded.
β’ πΌ is admissible iff πΌβ π΄I, πI , π β 1,2 are both admissible.
β’ πΌ is closed iff πΌβ π΄I, πI , π β 1,2 are both closed.
β’ πΌ is non-Zeno iff πΌβ π΄I, πI , π β 1,2 are both time non-Zeno.
Summary
β’ Composition operationβ I/O interfaces: actions and variablesβ Reactivity/input enablingβ (non) Closure under composition
β’ Properties of executions preserved under composition
β’ Inductive invariants
Example Inductive Invariance ProofS:β<m,d>βx.queue:x.clock β€ d β€ x.clock+bIs an invariant for the timed channel.
Proof. Use the theorem. β’ Check start condition. Holds vacuously as x.queue ={}[Def ofinitial
states]β’ Checktrajectorycondition.Consideranyπ, let x = π.fstate and xβ =
π.lstate and π.ltime = t. Assume x satisfies (1) and show that xβ also.β x.queue =xβ.queue [trajectoryDef],Fix<m,d> inx.queueβ x.clock β€d[ByAssumption]β Supposexβ.clock >dβ xβ.clock - x.clock >d- x.clockβ t>d- x.clock,thenthereexiststββπ.dom andtβ<twhereπ(tβ).clock=dβ Byinvariantπ.ltime =tβwhichisacontradictionβ Also,since d β€x.clock+b, dβ€xβ.clock+t+b
β’ Checktransitions:β π βπππππππ(π) πβ.Followsfromassumptionπ β πΊ.β π βππππ (π) πβ β¦
