SMT-Based Verification of Hybrid Systems

ion techniques Linear Phase-Portrait Partitioning [HWT95] Abstract complex dynamics splitting each location in multiple locations. Each location has a simple dynamic of the form a ≤ ẋ ≤ b, a, b ∈ R which approximate the complex dynamic in a specific interval. Predicate Abstraction [ADI06, Tiw08] A set of predicates defines a finite-state abstraction of the hybrid systems. The finite-state system can be analyzed using finite-state techniques. Hard to choose the “right” predicates to use and to compute the resulting abstraction. Relational Abstraction [ST11] abstracts the continuous transition with a relation over X ,X ′ The relation R(X ,X ) captures all the possible trajectories of the dynamical system Time-Aware Relational Abstraction [MCTT13] extends the relation over X ,X ′ with time variables, to take into account correlation between dynamics of the abstracted variables A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 27 / 118 Here: SMT-based verification of HA In the rest of this talk: focus on systems with large state space, coarse dynamics fully symbolic, automated techniques from SAT-based to SMT-based algorithms dedicated techniques for hybrid systems exploit network structure with local time semantics analyze scenarios expressed as MSC’s analysis of requirements for hybrid systems A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 28 / 118 Outline 1 From Complex Embedded Systems to Hybrid Automata Complex Embedded Systems The formalism: Hybrid Automata Verification of Hybrid Automata 2 Satisfiability Modulo Theories 3 SMT-based Verification of Symbolic Transition Systems 4 SMT-based verification of Hybrid Automata Reachability Global-time semantic Local-time semantic Shallow-synchronization 5 SMT-based verification of Hybrid Systems Scenario Feasibility 6 SMT-based Analysis of Requirements for Hybrid Systems 7 Conclusions and future work A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 29 / 118 Satisfiability Modulo Theories Check satisfiability of first order formulae with respect to background theory Underlying technology: SAT solver behaves as enumerator theory (constraint) solver used to check feasibility Status of the research field: a standardized SMT-LIB2.0 language and a library of benchmarks http://www.smt-lib.org a yearly competition http://www.smt-comp.org a yearly SMT workshop SMT solvers: Yices, OpenSMT, Z3, CVC, iSAT, HySAT, MathSAT A yearly school: Boston (2011), Trento (2012), Helsinki (2013) A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 30 / 118 SMT: useful theories Satisfiability of a first order formula... where the atoms are interpreted modulo a background theory Theories of practical interest Equality and Uninterpreted Functions (EUF) x = f(y), h(x) = g(y) Difference constraints (DL) x − y ≤ 3 Linear Arithmetic 3x − 5y + 7z ≤ 1 reals (LRA), integers (LIA) Arrays (Ar) read(write(A, i, v), j) Bit Vectors (BV) x[15 : 8] :: (y[7 : 0] + 0d8 3) = (z&&w) Their combination A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 31 / 118 SMT checking SMT as an extension of boolean SAT Some atoms have non-boolean (theory) content A1 : x − y ≤ 3 A2 : y − z = 10 A3 : x − z ≥ 15 Theory interpretation for individual variables, constants, functions and predicates if x = 0, y = 20, z = 10 then A1 = T, A2 = T, A3 = F Interpretations of atoms are constrained A1, A2 and A3 can not be all true at the same time Boolean reasoning + constraint solving SAT solver for boolean reasoning theory solvers to interpret numerical constraints A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 32 / 118 SMT: search space DPPL-style search SAT solver looks for satisfying assignment to boolean abstraction of the formula, ignoring theory content literals on stack identify a conjunction (set) of theory constraints the same atom may be associated to a constaint or its negation, depending o the truth value it is assigned to if set of constraints solvable, then return SAT if set of constraints unsatisfiable, backtrack if search space exhausted, return UNSAT A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 33 / 118 SMT solvers in practice In practice, the integration is very tight SAT solver working as an enumerator Theory solver follows the stack-based search Inconsistent partial assignments are pruned on the fly conflicts clauses learnt from theory reasoning used to drive search at the boolean level Satisfiability Modulo Theories: a sweet spot? increase expressiveness retain efficiency of boolean reasoning Trade off between expressiveness and reasoning SAT solvers: boolean case, automated and very efficient theorem provers: general FOL, limited automation A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 34 / 118 SMT: useful functionalities Similarly to SAT solvers, SMT solvers export the following functionalities: Model construction Incremental interface Unsatisfiable core Proof production Interpolation AllSMT Cost optimization [CFG+10, ST12] A. Cimatti (FBK-irst) SMT-Based Verification of Hybrid Systems ATVA’13, October 2013 35 / 118 AllSMT AR(P,P ) =̇ ∃XX .(R(X ,X ) ∧ ∧