
to check for violations of correct behaviour or functionality. The checking can be done dynamically during simulation, statically using formal verification techniques, or by a combination of the two.

1.2.2 Verification of (probabilistic) hybrid systems

The verification of hybrid systems as a standalone concept appeared at the beginning of the 1990s, when the hybrid automaton was proposed as a characteristic model for embedded control systems [ACHH92]. The idea of verifying hybrid system models depends on the possibility of computing an over- or under-approximation of the reachable states² of the hybrid automaton model and then verifying the desired property within the approximated model. Proving that such a hybrid model is unsafe requires us to prove that the undesired behaviour is feasible in the underapproximated model, or to be able to validate the counterexample if the latter is found in the overapproximated model [CGJ+00]. Proving that such a hybrid model is safe, however, requires us to prove that the undesired behaviour is infeasible in the overapproximated model [CGJ+00].

Several tools and model checkers support hybrid system verification, e.g. (sorted in order of their appearance): HyTech [AHH96] and its successor HyperTech [HHMW00], HSolver [RS07], PHAver [Fre08], HySAT [FH07] with its ODE extension iSAT2-ODE [ERNF11], KeYmaera [PQ08], SpaceEx [FGD+11], PowerDEVS [BK11], HyEQ [SCN13], and dReal [GKC13].

Model checking of probabilistic finite-state models is also a very active research topic and has produced efficient probabilistic model checking tools. For example, PRISM [KNP02] verifies Markov decision process models, MRMC [KKZ05] verifies continuous-time Markov chain models, SiSAT [FTE10] and ProHVer [ZSR+10] verify probabilistic hybrid automata with discrete time steps, and ProbReach [SZ14] verifies probabilistic hybrid automata with continuous random parameters.

1.3 Challenges and contributions

In the previous section, a concise overview of embedded and (probabilistic) hybrid systems and their verification tools and techniques was given. In this thesis, we make three contributions to the automatic verification of embedded and (probabilistic) hybrid systems, besides several novel implementations of solving techniques. The high-level contribution of this dissertation is a set of new verification algorithms that push the frontiers of interpolation-based verification in the stochastic direction while incorporating ideas from abstraction-based techniques. This allows us to perform unbounded model checking while verifying (probabilistic) safety properties in (probabilistic) hybrid and embedded models, such that we can assess the safety of the verified models at any point of time. Furthermore, we apply compositional verification when verifying rely-guarantee properties in real-time and hybrid system models. These contributions are elaborated on in Chapters 3 to 5, which are published by the author of this thesis together with his

² These terms will be explained in Chapter 2.


[Figure 1.1 (flowchart): the inputs are timed and (probabilistic) hybrid models and arithmetic programs together with a safety property (invariants or contracts). The first decision is "Is probabilistic?". For the probabilistic branch (stochastic reachability, Chapter 5): abstract the mode and eliminate the continuous behaviour, apply the resolution calculus for SSMT, and use generalized Craig interpolation for SSMT, giving verdicts of the form safe (95%) / unsafe (7%). For the non-probabilistic branch (classical reachability) the decision "Has the property a PQ form?" leads either to slicing the model by applying transformation functions, using an admissible transformation (e.g. redirecting edges) or a semi-admissible transformation (e.g. removing edges) (Chapter 3), or to converting the model to a CFG and encoding the problem in iSAT3, using CEGAR + Craig interpolation, CDCL(T) + ICP and Craig interpolation (Chapter 4), giving a safe / unsafe verdict.]

Figure 1.1: The major contributions of this dissertation and the dependencies between them. The cut in the upper right corner separates stochastic reachability from classical reachability.


co-authors [MF14, MWF14, MSN+16, SNM+16b, SNM+16a]. An overview of reachability analysis in its deterministic and stochastic settings is given in Chapter 2.

Finally, Chapter 6 concludes this thesis with a summary of the achievements and sheds some light on promising directions for future research.

In the remainder of this section, we outline the three major contributions, which are depicted in Figure 1.1.

1: Verification of assumption-commitment specifications in timed and hybrid models (Chapter 3). Assumption-commitment forms, or contracts, fulfil the industrial needs of component-based specification schemes and help in verification as well. However, the scalability of testing and model checking of industrial models becomes critical due to the size of the verified models. Thus, compositional verification is proposed to attack the state space explosion problem, which appears often in our situation. Chapter 3 defines the set of models that can be compositionally verified by our approach, namely any computational model whose operational semantics induces a transition system semantics. That is, timed automata, hybrid automata, finite automata and programs are under investigation in our approach.

Additionally, in Chapter 3 we introduce a general concept of assumption-based (semi-)admissible transformation functions, which allows us to eliminate irrelevant traces from the state space of the verified model in such a way that the resultant model is conservative with respect to those traces that violate the commitment only. Moreover, our transformation is an edge-based procedure: it syntactically removes the transitions that always lead to a violation of the assumption. This removal depends on a new concept called "an edge supports a specification". In addition, our proposed technique can be integrated straightforwardly with other slicing or abstraction techniques and model checkers, since it acts as a sound preprocessing step. Although sometimes only a low number of edges is removed, we observe a speedup of up to ten orders of magnitude relative to direct verification without our compositional procedure.

2: Verification of reachability in embedded systems involving non-linear arithmetic (Chapter 4). Detecting dead code (unreachable code fragments) in embedded-system C programs is a challenging task of practical relevance. It is required by several embedded software standards, e.g. DO-178C, to avoid critical problems due to possibly hidden bugs.

In Chapter 4 we relate the dead code detection problem to classical reachability analysis, i.e. finding a safe invariant of a model. Finding a safe inductive invariant of a model requires a formal verification procedure, e.g. interpolation-based model checking as introduced in McMillan's seminal work on hardware model checking [McM03]. McMillan demonstrated how to exploit the resolution proof produced by a SAT solver for a BMC problem [BCCZ99] to over-approximate the reachable states of a finite unrolling of a transition relation. The final interpolant, which acts as a guess of a safe inductive invariant, is extracted from the resolution proof by rules defined by Pudlák [Pud97] and McMillan [McM03]. Kupferschmid et al. [KB11] succeeded in extending this work in the iSAT2 model checker to solve non-linear problems involving transcendental functions. However, this extended work did not address the problem of complex generated interpolants.
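The interpolant extraction from a resolution proof described above, as an added example that is not code from the thesis, from iSAT or from McMillan: a small Python implementation of McMillan's interpolation rules over a hand-written propositional refutation of A ∧ B, followed by a brute-force check of the two semantic Craig conditions (A ⇒ I and I ∧ B unsatisfiable). The clause sets A and B, the proof steps and all function names are constructed for this example.

```python
from functools import reduce
from itertools import product
# Literals: DIMACS ints (2 = x2, -2 = ¬x2); clauses: frozensets; formulas: bool | literal | (op, f1, f2).

def variables(clauses):
    return {abs(l) for c in clauses for l in c}

def fold(op, l, r):
    """Build ('and'|'or', l, r), folding constants (identity tests, since 1 == True)."""
    unit, absorb = (True, False) if op == 'and' else (False, True)
    if l is absorb or r is absorb:
        return absorb
    return r if l is unit else l if r is unit else (op, l, r)

def mcmillan_interpolant(a_clauses, b_clauses, proof):
    """McMillan's rules: A-clause -> disjunction of its B-global literals, B-clause -> True;
    resolving on an A-local pivot joins the partial interpolants with ∨, on a B-global one with ∧."""
    b_vars = variables(b_clauses)
    part = {c: reduce(lambda f, l: fold('or', f, l), [l for l in sorted(c) if abs(l) in b_vars], False)
            for c in a_clauses}
    part.update({c: True for c in b_clauses})
    for c1, c2, x in proof:  # each step: (clause containing x, clause containing -x, pivot x)
        assert x in c1 and -x in c2
        resolvent = (c1 - {x}) | (c2 - {-x})
        part[resolvent] = fold('and' if abs(x) in b_vars else 'or', part[c1], part[c2])
    assert proof and resolvent == frozenset(), "the proof must end in the empty clause"
    return part[resolvent]

def evaluate(f, asg):
    if isinstance(f, (bool, int)):
        return f if isinstance(f, bool) else asg[abs(f)] == (f > 0)
    a, b = evaluate(f[1], asg), evaluate(f[2], asg)
    return (a and b) if f[0] == 'and' else (a or b)

def is_craig_interpolant(a_clauses, b_clauses, itp):
    """Check A ⇒ I and I ∧ B unsat by enumerating all assignments (vocabulary holds by construction)."""
    vs = sorted(variables(a_clauses) | variables(b_clauses))
    for vals in product([False, True], repeat=len(vs)):
        asg = dict(zip(vs, vals))
        holds = lambda cls: all(any(evaluate(l, asg) for l in c) for c in cls)
        if (holds(a_clauses) and not evaluate(itp, asg)) or (holds(b_clauses) and evaluate(itp, asg)):
            return False
    return True

# Constructed example: A = a ∧ (¬a ∨ b), B = (¬b ∨ c) ∧ ¬c; only b (x2) is shared.
A = [frozenset({1}), frozenset({-1, 2})]
B = [frozenset({-2, 3}), frozenset({-3})]
PROOF = [(frozenset({1}), frozenset({-1, 2}), 1),   # derives {b}
         (frozenset({-2, 3}), frozenset({-3}), 3),  # derives {¬b}
         (frozenset({2}), frozenset({-2}), 2)]      # derives the empty clause
```

For this refutation the rules yield the literal b (returned as 2); in the unbounded model checking loop the same extraction is applied with A as the initial states plus the first transition step and B as the remaining unrolling.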

In this chapter, an incomplete but promising approach is introduced to control the strength and the size of interpolants, a.k.a. the slackness of interpolants. While Kupferschmid's approach addressed a feasible solution for non-linear problems, it fails to provide summaries for loops in the control flow and does not scale well enough to cover the full branching structure of a complex program in just a few sweeps. Therefore, we introduce an extension of iSAT3, the latest implementation of iSAT, in two directions. The first direction introduces a well-defined syntax and semantics of a control flow automaton to encode the semantics of programs in iSAT3. The second direction presents a tightly integrated framework that combines iSAT3 as a backend (conflict-driven clause learning, CDCL(T) [ZM02], with interval constraint propagation, ICP [Ben96], and Craig interpolation, CI [Cra57]) with counterexample-guided abstraction refinement [CGJ+00] as a frontend. This allows us to verify reachability in embedded software programs at the level of implementable program code, even if these programs are floating-point-dominated C programs which may admit non-linear behaviours. The latter problem was tackled by supporting the IEEE 754 standard for floating-point arithmetic.

Finally, Chapter 4 shows a toolchain integration which deals with real case studies from BTC-ES AG, where Simulink models are translated into their proprietary intermediate language, i.e. SMI [WBBL02], and these SMI programs are then encoded into the new iSAT3 control-flow-automaton-based language to be verified using our framework.

3: Verification of reachability in probabilistic hybrid automata (Chapter 5). Most of the aforementioned tools [KNP02, KKZ05, ZSR+10, SZ14] and techniques introduced in Subsection 1.2.2 are only able to assert safety in probabilistic models by considering a fixed number of model unrollings, a.k.a. probabilistic bounded system behaviour. However, Teige et al. [TF12a, FTE10] proposed an approach which verifies probabilistic unbounded reachability and stability based on a stochastic satisfiability problem. They built a resolution calculus for SSAT problems by extending the classical SAT resolution rule in order to derive resolvent clauses annotated with probabilities. After that, they extended the classical symmetric rules for systematically computing interpolants.

This enables them to encode probabilistic finite-state models, e.g. MDPs, as SSAT formulae whose quantitative interpretations yield upper bounds on the worst-case probability of reaching the unsafe states. In Chapter 5, however, we advance a symbolic approach that goes beyond probabilistic unbounded reachability in the stochastic satisfiability problem by introducing a generalized Craig interpolation for stochastic satisfiability modulo theories (SSMT) [FHT08], where richer fragments of theories are supported. This generalized interpolation is computed over a sound and relatively complete resolution calculus for SSMT, which provides an opportunity to compute a symbolic overapproximation of the (backward) reachable state set of probabilistic (in)finite-state systems. Whenever the interpolant that overapproximates the (backward) reachable state set reaches a fixed point, we construct an SSMT formula whose quantitative interpretations yield upper bounds on the worst-case probability of reaching the unsafe states.

As an example, a safety property of the following shape, "the probability that the temperature of the thermostat of the oven exceeds 220 Celsius is at most 1%", will be verified by using the latter approach to compute an upper bound on the probability of reaching the unsafe states. Whenever an upper bound of at most 1% is computed, the above probabilistic safety property is verified.