Compositional Semantics and Analysis of Hierarchical Block Diagrams - - PowerPoint PPT Presentation

Compositional Semantics and Analysis of Hierarchical Block Diagrams

Iulia Dragomir1 joint work with Viorel Preoteasa1 and Stavros Tripakis1,2

1Aalto University, Finland 2UC Berkeley, USA

Hierarchical block diagrams

1 Constant Scope Inport Outport DelaySum

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

Consist of: atomic components composed components (or subsystems) communication links (instantaneous) Simulink is a HBD language for embedded control system design. Goal: compositional semantics and analysis of HBDs

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 2 / 34

Compositional semantics and analysis of HBDs

Compositional semantics:

How to translate HBDs into a formal compositional reasoning framework

Compositional analysis:

Compositional verification Compatibility checking

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 3 / 34

Refinement Calculus of Reactive Systems (RCRS): a compositional reasoning framework

Introduced in [Tripakis et al., TOPLAS 2011], and [Preoteasa et al., EMSOFT 2014] Formal model:

monotonic predicate transformers 3 composition operators: serial (◦), parallel () and feedback (feedback) refinement operator

Allows for:

modeling open, non-deterministic, and non-input-receptive systems modeling safety and liveness properties component substitutability, reusability compositional and incremental design

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 4 / 34

A non-trivial problem: translating HBDs into RCRS

Translation

A a b c d B c a

Input diagram

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 5 / 34

A non-trivial problem: translating HBDs into RCRS

Translation 1

A a b c d B c a

Input diagram

A b B Id d d a c RCRS term: feedbacka(PA ◦ (PB Id))

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 5 / 34

A non-trivial problem: translating HBDs into RCRS

Translation 2

A a b c d B c a

Input diagram

A d B Id b b a c RCRS term: feedbackc((PB Id) ◦ PA)

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 5 / 34

A non-trivial problem: translating HBDs into RCRS

Translation 3

A a b c d B c a

Input diagram

A b c d B a RCRS term: feedbacka,c(PA PB)

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 5 / 34

A non-trivial problem: translating HBDs into RCRS

Questions

A a b c d B c a

Input diagram

A b B Id d d a c

feedbacka(PA ◦ (PB Id))

A d B Id b b a c feedbackc((PB Id) ◦ PA) A b c d B a feedbacka,c(PA PB)

What are the advantages/drawbacks of these expressions? → How efficiently can these terms be analyzed? Are these expressions semantically equivalent?

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 5 / 34

Another non-trivial problem: expansion and simplification

• f RCRS terms

“DelaySum” block diagram:

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

translation

DelaySum = feedback((Add Id) ◦ UnitDelay ◦ (Split Id))

expansion and simplification

DelaySum = [e, s s, s + e]

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 6 / 34

Contributions

1

Implementation of RCRS in the Isabelle theorem prover

2

Translation of HBDs into RCRS

3

Expansion and simplification of RCRS terms in Isabelle

4

Case study: realistic Simulink model from Toyota

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 7 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 8 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 8 / 34

Monotonic predicate transformers

Classic mechanism to represent programs Weakest precondition semantics [Dijkstra et al.] Atomic Simulink components can be represented by monotonic predicate transformers (MPTs) Example: Div = {x, y : y = 0} ◦ [x, y x

y ]

Div x y z

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 9 / 34

Composition operators

Serial composition

A x B z y

Parallel composition

A x y B z t

Feedback composition

S x y

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 10 / 34

Composition operators

Serial composition

A x B z y

Parallel composition

A x y B z t

Feedback composition

S x y

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 10 / 34

Composition operators

Serial composition

A x B z y

Parallel composition

A x y B z t

Feedback composition

S x y

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 10 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS Translating atomic components Translating HBDs

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 11 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS Translating atomic components Translating HBDs

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 11 / 34

Translating (standard) atomic components

An atomic component becomes an atomic monotonic predicate transformer. Examples:

a Div component Div = {x, y : y = 0} ◦ [x, y x

y ]

Div x y z

an Add component Add = [x, y x + y]

Add x y z

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 12 / 34

Translating stateful atomic components

Stateful atomic components define current- and next-state variables Example:

a UnitDelay component UnitDelay = [x, s s, x]

UnitDelay x y s, s′ Simulink representation UnitDelay s x s′ y Atomic MPT representation

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 13 / 34

Translating continuous-time atomic components

Continuous-time atomic components are discretized and parameterized by dt Example:

an Integrator component Integrator(dt) = [x, s s, s + x · dt]

x y Integrator s, s′, dt Simulink representation Integrator dt x s y s′ Atomic MPT representation

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 14 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS Translating atomic components Translating HBDs

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 15 / 34

Composite monotonic predicate transformers

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

Simulink diagram

?

translation

DelaySum = feedback((Add Id) ◦ UnitDelay ◦ (Split Id))

Composite MPT

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 16 / 34

Translation strategies

3 translation strategies: feedback-parallel incremental feedbackless

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

Simulink diagram

Add UnitDelay Split f e c a g c a s' f s

Atomic MPTs representation

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 17 / 34

Feedback-parallel translation

Key idea: compose all components in parallel and then connect outputs to inputs by applying feedback operations

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

feedback-parallel

Add UnitDelay Split f e c a g c a s' f ǁ ǁ s

DelaySum = feedbackf,c,a(Add UnitDelay Split)

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 18 / 34

Incremental translation

Key idea:

sort components topologically according to dependencies in the diagram compose components 1-by-1 for each pair of components determine which composition operator(s) to use

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

incremental

Add UnitDelay Split f e c a g s' f s

Aux = (Add Id) ◦ UnitDelay DelaySum = feedbackf(Aux ◦ (Split Id))

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 19 / 34

Feedbackless translation

Key idea: eliminate feedback by replacing it with direct operations on current- and next-state variables (like for stateful atomic components)

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add Add UnitDelay Split f e c a g c a s' f s

feedbackless

Add e g s' s Id s s Add Idud1 Idsplt1 f e c a g s' s Idud2 Idsplt2 a Idud2 s s

DelaySum = [s, e s, s, e] ◦ (Id Add)

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 20 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 21 / 34

From composite MPTs to atomic MPTs

g f e c a

1 Outport 1 Inport z 1 UnitDelay Add

Simulink diagram translation

DelaySum = feedback((Add Id) ◦ UnitDelay ◦ (Split Id))

Composite MPT expansion and simplification

? DelaySum = [e, s s, s + e]

Simplified (atomic) MPT

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 22 / 34

Obtaining simplified MPTs

Expand definitions of MPTs, ◦, and feedback → an MPT of the form {p} ◦ [f] is obtained → but formulas p and f can grow very large ... Simplify p and f using rewriting rules 1600 lines of Isabelle code

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 23 / 34

Compatibility checking

Simplify the CPT to an MPT {p} ◦ [f] Verify that p is not false A satisfiability problem

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 24 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 25 / 34

Toolset

• X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts

Simulink diagram Translator (simulink2isabelle) Options (translation strategy, etc.) Formal model

• f the diagram

Formal Analyzer (built on top of Isabelle theorem prover) incompatiblity detection auto generated top-level contract substitutability checking Python code generation internal variable elimination RCRS theory and component library

Publicly available at: rcrs.cs.aalto.fi

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 26 / 34

Case study: Automotive Fuel Control System by Toyota

Publicly available benchmark: http://cps-vo.org/group/ARCH/benchmarks

Simulink model: 3-level hierarchy 104 blocks: 97 atomic blocks and 7 subsystems 101 links of which 7 feedbacks

Powertrain Control Benchmark Model Toyota Technial Center 2014 This is a model of a hybrid automaton with polynomial dynamics, and an implementation of the 3rd model that appears in "Powertrain Control Verification Benchmark", 2014 Hybrid Systems: Computation and Control,

• X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts

Fuel Control System Model

This model uses only the ODEs to implement the dynamics. 3 controller_mode 1 A/F 1 s pe 1 s p 1 s lambda 1 s i ~= ~= ~= Starup Mode Power Mode Guard 0.0 ODE4 Open f(u) ODE4 Closed f(u) ODE3 f(u) ODE2 f(u) ODE1 OR f(u) InputPoly f(u) Fuel Cmd Open Pwr f(u) Fuel Cmd Open f(u) Fuel Cmd Closed FaultInjection 1: Failure 0: Normal theta [0 90] pi/30 (rpm) to (rad/s) 2 engine speed (rpm) [900,1100] 1 throttle input (deg) [0, 81.2] AND NOT 1 .1s+1 Throttle delay1 8.8 Base opening angle In Out Startup Mode Latch In Out Sensor Failure Detection Latch boolean boolean 2 airbyfuel_ref ~= double 14.7 12.5

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 27 / 34

Evaluation results I

Negligible translation time (< 1sec) for all 3 strategies Expansion/simplification time:

feedback-parallel strategy: 10min to 50min (depending on translation options) incremental strategy: 2min to 40min (depending on translation options) feedbackless strategy: < 1min

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 28 / 34

Evaluation results I

Negligible translation time (< 1sec) for all 3 strategies Expansion/simplification time:

feedback-parallel strategy: 10min to 50min (depending on translation options) incremental strategy: 2min to 40min (depending on translation options) feedbackless strategy: < 1min

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 28 / 34

Evaluation results II

Length of the final, top-level, simplified MPT: 122k characters

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 29 / 34

Semantical equivalence of the translation strategies

For all studied examples, the simplified MPTs are semantically equivalent Generally: the simplified MPTs obtained with all translations strategies are semantically equivalent Results proved in Isabelle

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 30 / 34

Compatibility checking

The FCS Simulink model is proven compatible ∀dt > 0 i.e., the model’s simplified assert condition is satisfiable ∀dt > 0 → proved in Isabelle All Isabelle proofs available at rcrs.cs.aalto.fi

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 31 / 34

Compatibility checking

The FCS Simulink model is proven compatible ∀dt > 0 i.e., the model’s simplified assert condition is satisfiable ∀dt > 0 → proved in Isabelle All Isabelle proofs available at rcrs.cs.aalto.fi

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 31 / 34

Validation by simulation

From Isabelle we can automatically generate simulation code (in Python) Simulation plots obtained from the FCS model using Simulink vs. our tool are nearly identical

|error| ≤ 6.1487 · 10−5

5 10 15 20 25 30 35 40 45 50

• 0.01

0.01 5 10 15 20 25 30 35 40 45 50

• 0.01

0.01

Simulink simulation Simulation of the simplified MPT

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 32 / 34

Outline

1

Context and motivation

2

The RCRS framework

3

Translation of HBDs to RCRS

4

Expansion and simplification

5

Implementation and evaluation

6

Conclusions

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 33 / 34

Conclusion

• X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts

Simulink diagram Translator (simulink2isabelle) Options (translation strategy, etc.) Formal model

• f the diagram

Formal Analyzer (built on top of Isabelle theorem prover) incompatiblity detection auto generated top-level contract substitutability checking Python code generation internal variable elimination RCRS theory and component library

Compositional semantics of HBDs 3 translation strategies of HBDs to RCRS Implementation of the RCRS framework in Isabelle Evaluation on real-life automotive case study

Thank you! Questions?

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 34 / 34

Conclusion

• X. Jin, J. V. Deshmukh, J.Kapinski, K. Ueda, and K. Butts

Simulink diagram Translator (simulink2isabelle) Options (translation strategy, etc.) Formal model

• f the diagram

Formal Analyzer (built on top of Isabelle theorem prover) incompatiblity detection auto generated top-level contract substitutability checking Python code generation internal variable elimination RCRS theory and component library

Compositional semantics of HBDs 3 translation strategies of HBDs to RCRS Implementation of the RCRS framework in Isabelle Evaluation on real-life automotive case study

Thank you! Questions?

Iulia Dragomir (Aalto Univ.) Compositional Semantics and Analysis of Hierarchical Block Diagrams December 8, 2016 34 / 34