Academia.eduAcademia.edu

Outline

Title
Abstract
Figures
Introduction
Methodology
Reachability Analysis Over a Path
Limitations
Results
Experimental Setup
Related Works
Conclusion
References
All Topics
Computer Science
Distributed Systems

SAT-Reach : A Bounded Model Checker for Affine Hybrid Systems

Profile image of rajarshi rayrajarshi ray

ACM Transactions on Embedded Computing Systems

https://doi.org/10.1145/3567425
visibility

description

36 pages

link

1 file

Abstract

Bounded model checking (BMC) is well-known to be undecidable even for simple hybrid systems. Existing work targeted for a wide class of non-linear hybrid systems reduces the BMC problem to the satisfiability problem of an SMT formula encoding the hybrid system dynamics. Consequently, the satisfiability of the formula is deduced with a δ -decision procedure. However, the encoded formula can be complex for large automaton and for deep exploration causing the decision procedure to be inefficient. Additionally, a generalized decision procedure can be inefficient for hybrid systems with simple dynamics. In this paper, we propose a BMC algorithm built upon the foundation of the CEGAR technique and targeted for hybrid systems with piecewise affine dynamics, modeled as a hybrid automaton. In particular, our algorithm begins by searching an abstract counterexample in the discrete state-space of the automaton. We check whether a discovered abstract counterexample is spurious or real by a two-...

Figures (13)
Fig. 2. The graph structure of a hybrid automaton is shown for illustration. v; and v17 are the designated initial and the unsafe location respectively in the verification problem. Fig. 1. SAT-assisted reachability and-falsification procedure for BMC of affine hybrid automaton.
Fig. 2. The graph structure of a hybrid automaton is shown for illustration. v; and v17 are the designated initial and the unsafe location respectively in the verification problem. Fig. 1. SAT-assisted reachability and-falsification procedure for BMC of affine hybrid automaton.
along with the smallest infeasible subpath in z’ when z is infeasible. Line 13 checks if the infeasible path z’ is strictly a subpath of , denoted by len(z’) < len(z) to mean that the length of 7’ is shorter than that of z. When found to be a strict subpath, we add 7’ to II for pruning all its extensions. If the length of 7! and 7 are equal, we do not prune the extensions of ! because it is still possible that an unsafe trajectory may be present that follows in an extension of z. For a feasible path z', we call the trajectory splicing algorithm in line 18 to search for a counterexample trajectory along the path. If it successfully finds a counterexample trajectory, the procedure terminates by classifying the verification instance as unsafe together with the concrete trajectory. Line 26 finds
along with the smallest infeasible subpath in z’ when z is infeasible. Line 13 checks if the infeasible path z’ is strictly a subpath of , denoted by len(z’) < len(z) to mean that the length of 7’ is shorter than that of z. When found to be a strict subpath, we add 7’ to II for pruning all its extensions. If the length of 7! and 7 are equal, we do not prune the extensions of ! because it is still possible that an unsafe trajectory may be present that follows in an extension of z. For a feasible path z', we call the trajectory splicing algorithm in line 18 to search for a counterexample trajectory along the path. If it successfully finds a counterexample trajectory, the procedure terminates by classifying the verification instance as unsafe together with the concrete trajectory. Line 26 finds
The computation of R,, is expensive and therefore the overall cost of the proposed path-wise exploration algorithm can be prohibitive in automata with a large number of paths from source to the target location. To address this challenge, we propose an optimization technique based on reusing the computed symbolic states wherever possible based on the observation that paths can have multiple common sub-paths. Note that the classical method of having a closed list.and an open list in search algorithms to store the explored and waiting to be explored symbolic states respectively does not suffice in our algorithm. This is because in addition to checking whether a symbolic state, say S, is present in a closed/waiting list as done in the traditional reachability analysis algorithm, our algorithm also seeks to get the precomputed post,(S) and postg(S) for some transition when S is present in the closed list. This is because the intention is to extract the precomputed reachable states along a path. This requires additional bookkeeping which we propose in the paper. In order to reuse symbolic states computation and hence avoid duplication in computation, we propose to use two map data structures, namely the initial-to-flow and flow-trans-to-init. The initial-to-flow data-structure maps a symbolic state (v, C) to post,((u, C)). The other data-structure flow-trans-to-init maps a pair (F, 5) to a symbolic state (v, C’) = posta(F, 5), where 6 is a transition between locations u and v and F = post,((u, C)). The data structures are populated as well as referenced during the iterative computation of R,, by the rules shown in Figure 3. The rules are expressed as a precondition(s) and the corresponding effects. Rule R; starts the computation from the initial symbolic state (uj,C)), where C, = Init(v,), for a path 2 = vo, e;,U1,..., er, Ue. In the rules, (v;, C;) the largest infeasible sequence of locations L’. If len(L’) < len(L), then L’ is added to the set SL for pruning its extensions, shown in line 27. Algorithm 2 illustrates the path feasibility checking with reachability analysis.
The computation of R,, is expensive and therefore the overall cost of the proposed path-wise exploration algorithm can be prohibitive in automata with a large number of paths from source to the target location. To address this challenge, we propose an optimization technique based on reusing the computed symbolic states wherever possible based on the observation that paths can have multiple common sub-paths. Note that the classical method of having a closed list.and an open list in search algorithms to store the explored and waiting to be explored symbolic states respectively does not suffice in our algorithm. This is because in addition to checking whether a symbolic state, say S, is present in a closed/waiting list as done in the traditional reachability analysis algorithm, our algorithm also seeks to get the precomputed post,(S) and postg(S) for some transition when S is present in the closed list. This is because the intention is to extract the precomputed reachable states along a path. This requires additional bookkeeping which we propose in the paper. In order to reuse symbolic states computation and hence avoid duplication in computation, we propose to use two map data structures, namely the initial-to-flow and flow-trans-to-init. The initial-to-flow data-structure maps a symbolic state (v, C) to post,((u, C)). The other data-structure flow-trans-to-init maps a pair (F, 5) to a symbolic state (v, C’) = posta(F, 5), where 6 is a transition between locations u and v and F = post,((u, C)). The data structures are populated as well as referenced during the iterative computation of R,, by the rules shown in Figure 3. The rules are expressed as a precondition(s) and the corresponding effects. Rule R; starts the computation from the initial symbolic state (uj,C)), where C, = Init(v,), for a path 2 = vo, e;,U1,..., er, Ue. In the rules, (v;, C;) the largest infeasible sequence of locations L’. If len(L’) < len(L), then L’ is added to the set SL for pruning its extensions, shown in line 27. Algorithm 2 illustrates the path feasibility checking with reachability analysis.
Fig. 4. Rae reuses most of the regions (Q9,Q1,Q4, and Q5) which are computed for R71. The symbolic states (vi, Cj) computed by Eqn. 25 is represented by the upper portion (Cj) of the region Q;, and ¥; indicates the region computed by post, ((u;, C;)). For location o;, region Q; is the union of Cj and ¥;. During the computation of R,-2, once ¥3 is computed for C3 and stored in the initial-to-flow map, and (v4,C;) is computed by the Eqn. 25. For region Q4, C4 and ¥4 are already present in the corresponding map. Since Cj is a subset of Cy which is calculated during the computation of R71, the Rz2z computation proceeds with the symbolic state (v4, C4) due to rule Re. mentions that if flow-trans-to-init contains an entry for (Fj, 5), then fetch the data from the map and assign to (Vi+1, Ci41). The rules Ry and R; avoids redundant postg computations across paths. Rule Rg is an optimization to save post, computation on a symbolic state (vj41,Cj41) when there is a symbolic state (vi+1,Cj,,) already present in the init-to-flow map such that C;,, C Cj, ,. The effect of the rule assigns (v;41, Ci41) to (vi41, Cj,,) and stores this in the respective flow-trans-to-init stilry, The computation of R, proceeds with poste( (vis1, Ci.) retrieved from the init-to-flow map. When there are many symbolic states in the map which satisfies the above condition, (v;41, Cis1) is er to that (vi+1, Cj,,) in which C/,, is the tightest superset of C;,,. Expression {(CL 1 ECA) A (CL, BC} Ci)} states that initiar to ftowt map contains C;'_, which is neither superset nor subset of C/,,, while expression lite ¢ CCl.) = (Ci, ¢ cC.)} aiaeantees that if initial-to-flow map has C3, , which is superset of the C;,; then C/,, must be subset of C;;,. This rule trades-off precision for efficiency. The idea behind rule 7 is to store the computed (v;+1, Cj41) to the corresponding data structures for reuse (mentioned in rule R5) only when no superset of Cj; is found in the initial-to-flow map. Rule R; is applied when R, is not applicable. In order to compute R,,, the rules are applied in the order Rj,R2|R3,R4|Rs5,Ro|R7,R2|R3 and so on, where R;|Ri+1 denotes that exactly one of R; or Rj+1 will be applicable. Figure 4 illustrates the path reachability computation for two paths 2; and zg with our rules. During the computations of R,,, our reachability analysis algorithm computes the regions shown invthe figure using the OG a aia ee ede Do Rada thwk-Ehece DO aeeeexnetatetnem wma These wen hewtaw wawd xox eee aw few lmxecitan @ accel fen hx
Fig. 4. Rae reuses most of the regions (Q9,Q1,Q4, and Q5) which are computed for R71. The symbolic states (vi, Cj) computed by Eqn. 25 is represented by the upper portion (Cj) of the region Q;, and ¥; indicates the region computed by post, ((u;, C;)). For location o;, region Q; is the union of Cj and ¥;. During the computation of R,-2, once ¥3 is computed for C3 and stored in the initial-to-flow map, and (v4,C;) is computed by the Eqn. 25. For region Q4, C4 and ¥4 are already present in the corresponding map. Since Cj is a subset of Cy which is calculated during the computation of R71, the Rz2z computation proceeds with the symbolic state (v4, C4) due to rule Re. mentions that if flow-trans-to-init contains an entry for (Fj, 5), then fetch the data from the map and assign to (Vi+1, Ci41). The rules Ry and R; avoids redundant postg computations across paths. Rule Rg is an optimization to save post, computation on a symbolic state (vj41,Cj41) when there is a symbolic state (vi+1,Cj,,) already present in the init-to-flow map such that C;,, C Cj, ,. The effect of the rule assigns (v;41, Ci41) to (vi41, Cj,,) and stores this in the respective flow-trans-to-init stilry, The computation of R, proceeds with poste( (vis1, Ci.) retrieved from the init-to-flow map. When there are many symbolic states in the map which satisfies the above condition, (v;41, Cis1) is er to that (vi+1, Cj,,) in which C/,, is the tightest superset of C;,,. Expression {(CL 1 ECA) A (CL, BC} Ci)} states that initiar to ftowt map contains C;'_, which is neither superset nor subset of C/,,, while expression lite ¢ CCl.) = (Ci, ¢ cC.)} aiaeantees that if initial-to-flow map has C3, , which is superset of the C;,; then C/,, must be subset of C;;,. This rule trades-off precision for efficiency. The idea behind rule 7 is to store the computed (v;+1, Cj41) to the corresponding data structures for reuse (mentioned in rule R5) only when no superset of Cj; is found in the initial-to-flow map. Rule R; is applied when R, is not applicable. In order to compute R,,, the rules are applied in the order Rj,R2|R3,R4|Rs5,Ro|R7,R2|R3 and so on, where R;|Ri+1 denotes that exactly one of R; or Rj+1 will be applicable. Figure 4 illustrates the path reachability computation for two paths 2; and zg with our rules. During the computations of R,,, our reachability analysis algorithm computes the regions shown invthe figure using the OG a aia ee ede Do Rada thwk-Ehece DO aeeeexnetatetnem wma These wen hewtaw wawd xox eee aw few lmxecitan @ accel fen hx
Fig. 6. (a) A counterexample of length 7 for NAV_U2, and (b) length 17 for NAV_U22 navigation benchmark instances. (c) A 3-length counterexample of the F_oscillator_32 instance. (d) A counterexample of length 3 on the Two_tank_U1 benchmark instance. The gray region shows R,. The blue curve shows the counterexample.
Fig. 6. (a) A counterexample of length 7 for NAV_U2, and (b) length 17 for NAV_U22 navigation benchmark instances. (c) A 3-length counterexample of the F_oscillator_32 instance. (d) A counterexample of length 3 on the Two_tank_U1 benchmark instance. The gray region shows R,. The blue curve shows the counterexample.
Table 2. Evaluation of Safe instances. #Locs: the number of discrete locations in the hybrid automaton H. #Dims: The number of system variables in the hybrid automaton H. BMC Bnd: the bound for model checking. Time: The time is taken to decide the safety of the instance. #Paths: the number of explored abstract counterexamples in the discrete state-space. #postc: The number of poste operations by the algorithm. For DREACH, results are with a precision of 5 = 0.001. The gray cells highlight the best algorithm to classify an instance as safe in terms of time taken. Figure: 7 (c) shows the regions computed in SAT-REacu (dark gray) and BFS-REAcH (light gray) for an instance NAV_U17. The exploration in SAT-REAcH is guided towards the forbidden region. These figures show the benefit of path-wise reachability analysis. 1 bh r we: Gera ce a a et — ow 1 — <i lm . a
Table 2. Evaluation of Safe instances. #Locs: the number of discrete locations in the hybrid automaton H. #Dims: The number of system variables in the hybrid automaton H. BMC Bnd: the bound for model checking. Time: The time is taken to decide the safety of the instance. #Paths: the number of explored abstract counterexamples in the discrete state-space. #postc: The number of poste operations by the algorithm. For DREACH, results are with a precision of 5 = 0.001. The gray cells highlight the best algorithm to classify an instance as safe in terms of time taken. Figure: 7 (c) shows the regions computed in SAT-REacu (dark gray) and BFS-REAcH (light gray) for an instance NAV_U17. The exploration in SAT-REAcH is guided towards the forbidden region. These figures show the benefit of path-wise reachability analysis. 1 bh r we: Gera ce a a et — ow 1 — <i lm . a
Table 3. Comparison between SAT-REACH with optimization and SAT-REACH without our proposed path-pruning and opti- mization using memoization. The gray cells highlight the best algorithm in terms of time taken.
Table 3. Comparison between SAT-REACH with optimization and SAT-REACH without our proposed path-pruning and opti- mization using memoization. The gray cells highlight the best algorithm in terms of time taken.
Table 4. Comparison with flow*. #Locs is the number of discrete locations in H. Time and Result in Flow* denotes the time is taken to classify the verification instances and the Result of the tool when Flow* terminates respectively. The gray cells highlight the best algorithm in terms of the time taken for reachability analysis. ACM Trans. Embedd. Comput. Syst.
Table 4. Comparison with flow*. #Locs is the number of discrete locations in H. Time and Result in Flow* denotes the time is taken to classify the verification instances and the Result of the tool when Flow* terminates respectively. The gray cells highlight the best algorithm in terms of the time taken for reachability analysis. ACM Trans. Embedd. Comput. Syst.
Table 5. Comparison with SpAceEx. Time and Result in SPAcEEx denotes the time taken to classify the verification instances and the result of the tool when SpaceEx terminates respectively. The gray cells highlight the best algorithm in terms of the time taken for reachability analysis. ACM Trans. Embedd. Comput. Syst.
Table 5. Comparison with SpAceEx. Time and Result in SPAcEEx denotes the time taken to classify the verification instances and the result of the tool when SpaceEx terminates respectively. The gray cells highlight the best algorithm in terms of the time taken for reachability analysis. ACM Trans. Embedd. Comput. Syst.
Table 6. Comparison with PDB. Time and Result in PDB denotes the time taken to classify the verification instances and the result of the tool when PDB terminates respectively. The gray cells highlight the best algorithm in terms of the time taker for reachability analysis. ACM Trans. Embedd. Comput. Syst.
Table 6. Comparison with PDB. Time and Result in PDB denotes the time taken to classify the verification instances and the result of the tool when PDB terminates respectively. The gray cells highlight the best algorithm in terms of the time taker for reachability analysis. ACM Trans. Embedd. Comput. Syst.

Related papers

Efficient Proof Engines for Bounded Model Checking of Hybrid Systems
Christian Herde

Electronic Notes in Theoretical Computer Science, 2005

In this paper we present HySAT, a bounded model checker for linear hybrid systems, incorporating a tight integration of a DPLL-based pseudo-Boolean SAT solver and a linear programming routine as core engine. In contrast to related tools like MathSAT, ICS, or CVC, our tool exploits the various optimizations that arise naturally in the bounded model checking context, e.g. isomorphic replication of learned conflict clauses or tailored decision strategies, and extends them to the hybrid domain. We demonstrate that those optimizations are crucial to the performance of the tool.

View PDFchevron_right
Bounded Model Checking of Hybrid Dynamical Systems
George Pappas

Proceedings of the 44th IEEE Conference on Decision and Control, 2005

Bounded model checking (BMC) has recently emerged as a very powerful methodology for the verification of purely discrete systems. Given a horizon of interest, bounded model checking verifies whether all finite-horizon trajectories satisfy a temporal logic formula by first translating the problem to a large satisfiability SAT-problem and then relying on extremely powerful state-of-the art SAT-solvers for a counterexample or a certification of safety. In this paper we consider the problem of bounded model checking for a general class of discrete-time hybrid systems. Critical to our approach is the abstraction of continuous trajectories under discrete observations with a purely discrete system that captures the same discrete sequences. Bounded model checking can then be applied to the purely discrete, abstracted system. The performance of our approach is illustrated by verifying temporal properties of a hybrid model of an electronic height controller.

View PDFchevron_right
SpaceEx: Scalable Verification of Hybrid Systems
Alexandre Donzé

Lecture Notes in Computer Science, 2011

We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an overapproximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach.

View PDFchevron_right
HySAT: An efficient proof engine for bounded model checking of hybrid systems
Martin Fränzle

Formal Methods in System Design, 2007

In this paper we present HySAT, a bounded model checker for linear hybrid systems, incorporating a tight integration of a DPLL-based pseudo-Boolean SAT solver and a linear programming routine as core engine. In contrast to related tools like MathSAT, ICS, or CVC, our tool exploits the various optimizations that arise naturally in the bounded model checking context, e.g. isomorphic replication of learned conflict clauses or tailored decision strategies, and extends them to the hybrid domain. We demonstrate that those optimizations are crucial to the performance of the tool.

View PDFchevron_right
Abstraction and Counterexample-Guided Refinement in Model Checking of Hybrid Systems
Zhi Han

International Journal of Foundations of Computer Science, 2003

Hybrid dynamic systems include both continuous and discrete state variables. Properties of hybrid systems, which have an infinite state space, can often be verified using ordinary model checking together with a finite-state abstraction. Model checking can be inconclusive, however, in which case the abstraction must be refined. This paper presents a new procedure to perform this refinement operation for abstractions of hybrid systems. Following an approach originally developed for finite-state systems [11, 25], the refinement procedure constructs a new abstraction that eliminates a counterexample generated by the model checker. For hybrid systems, analysis of the counterexample requires the computation of sets of reachable states in the continuous state space. We show how such reachability computations with varying degrees of complexity can be used to refine hybrid system abstractions efficiently. Examples illustrate our counterexample-guided refinement procedure. Experimental result...

View PDFchevron_right
Constraints for Continuous Reachability in the Verification of Hybrid Systems
Tetsuo Ida

Lecture Notes in Computer Science, 2006

We describe two new ways of efficiently deriving continuous reach set information for hybrid systems. In both cases, we overapproximate the differential equations to constraints that are then solved using a solver for first-order predicate logical formulae over the reals. We prove some properties about the amount of introduced over-approximations. Moreover, we embed the results in our earlier method for verification of hybrid systems using abstraction refinement and provide some timings that document the resulting improvement.

View PDFchevron_right
Model Checking for Rectangular Hybrid Systems: A Quantified Encoding Approach
Taylor T Johnson

Electronic Proceedings in Theoretical Computer Science

Satisfiability Modulo Theories (SMT) solvers have been successfully applied to solve many problems in formal verification such as bounded model checking (BMC) for many classes of systems from integrated circuits to cyber-physical systems. Typically, BMC is performed by checking satisfiability of a possibly long, but quantifier-free formula. However, BMC problems can naturally be encoded as quantified formulas over the number of BMC steps. In this approach, we then use decision procedures supporting quantifiers to check satisfiability of these quantified formulas. This approach has previously been applied to perform BMC using a Quantified Boolean Formula (QBF) encoding for purely discrete systems, and then discharges the QBF checks using QBF solvers. In this paper, we present a new quantified encoding of BMC for rectangular hybrid automata (RHA), which requires using more general logics due to the real (dense) time and real-valued state variables modeling continuous states. We have implemented a preliminary experimental prototype of the method using the HyST model transformation tool to generate the quantified BMC (QBMC) queries for the Z3 SMT solver. We describe experimental results on several timed and hybrid automata benchmarks, such as the Fischer and Lynch-Shavit mutual exclusion algorithms. We compare our approach to quantifierfree BMC approaches, such as those in the dReach tool that uses the dReal SMT solver, and the HyComp tool built on top of nuXmv that uses the MathSAT SMT solver. Based on our promising experimental results, QBMC may in the future be an effective and scalable analysis approach for RHA and other classes of hybrid automata as further improvements are made in quantifier handling in SMT solvers such as Z3.

View PDFchevron_right
Template-Based Unbounded Time Verification of Affine Hybrid Automata
Thomas Martin Gawlitza

Lecture Notes in Computer Science, 2011

Computing over-approximations of all possible time trajectories is an important task in the analysis of hybrid systems. Sankaranarayanan et al. [20] suggested to approximate the set of reachable states using template polyhedra. In the present paper, we use a max-strategy improvement algorithm for computing an abstract semantics for affine hybrid automata that is based on template polyhedra and safely over-approximates the concrete semantics. Based on our formulation, we show that the corresponding abstract reachability problem is in co−NP. Moreover, we obtain a polynomial-time algorithm for the time elapse operation over template polyhedra.

View PDFchevron_right
Automatic verification of hybrid systems with large discrete state space
Jun Pang

2006

We address the problem of model checking hybrid systems which exhibit nontrivial discrete behavior and thus cannot be treated by considering the discrete states one by one, as most currently available verification tools do. Our procedure relies on a deep integration of several techniques and tools. An extension of AND-Inverter-Graphs (AIGs) with first-order constraints serves as a compact representation format for sets of configurations which are composed of continuous regions and discrete states. Boolean reasoning on the AIGs is complemented by firstorder reasoning in various forms and on various levels. These include implication checks for simple constraints, test vector generation for fast inequality checks of boolean combinations of constraints, and an exact subsumption check for representations of two configurations.

View PDFchevron_right
An interval-based SAT modulo ODE solver for model checking nonlinear hybrid systems
Hiroshi Hosobe

International Journal on Software Tools for Technology Transfer, 2011

This paper presents a bounded model checking (BMC) tool called hydlogic for hybrid systems. It translates a reachability problem of a nonlinear hybrid system into a predicate logic formula involving arithmetic constraints, and checks the satisfiability of the formula based on a satisfiability modulo theories (SMT) method. We tightly integrate (i) an incremental SAT solver to enumerate the possible sets of constraints and (ii) an interval-based solver for hybrid constraint systems (HCSs) to solve the constraints described in the formulas. The HCS solver verifies the occurrence of a discrete change by enclosing continuous states that may cause the discrete change by a set of boxes. We adopt the existence property of a unique solution in the boxes computed by the HCS solver as (i) a proof of the reachability of a model, and (ii) a guide in the over-approximation refinement procedure. Our hydlogic implementation successfully handled several examples including those with nonlinear constraints.

View PDFchevron_right

References (41)

  1. R. Alur, C. Courcoubetis, N. Halbwachs, T. A. Henzinger, P.-H. Ho, X. Nicollin, A. Olivero, J. Sifakis, and S. Yovine. 1995. The algorithmic analysis of hybrid systems. Theoretical Computer Science 138, 1 (1995), 3ś34.
  2. Rajeev Alur, Costas Courcoubetis, Thomas A. Henzinger, and Pei-Hsin Ho. 1992. Hybrid Automata: An Algorithmic Approach to the Speciication and Veriication of Hybrid Systems. Springer-Verlag, 209ś229.
  3. Lucas V. R. Alves, Hugo J. Bravo, Patrícia Nascimento Pena, and Ricardo H. C. Takahashi. 2016. Planning on Discrete Events Systems: A logical approach. In IEEE International Conference on Automation Science and Engineering, CASE 2016, Fort Worth, TX, USA, August 21-25, 2016. IEEE, 1055ś1060. https://doi.org/10.1109/COASE.2016.7743520
  4. Gilles Audemard, Marco Bozzano, Alessandro Cimatti, and Roberto Sebastiani. 2005. Verifying industrial hybrid systems with MathSAT. Electronic Notes in Theoretical Computer Science 119, 2 (2005), 17ś32.
  5. Anna Becchi and Enea Zafanella. 2019. Revisiting Polyhedral Analysis for Hybrid Systems. In Static Analysis -26th International Symposium, SAS 2019, Porto, Portugal, October 8-11, 2019, Proceedings (Lecture Notes in Computer Science, Vol. 11822), Bor-Yuh Evan Chang (Ed.). Springer, 183ś202. https://doi.org/10.1007/978-3-030-32304-2_10
  6. I. Ben Makhlouf and S. Kowalewski. 2015. Networked Cooperative Platoon of Vehicles for Testing Methods and Veriication Tools. In Proc. of ARCH14-15. 1st and 2nd International Workshop on Applied veRiication for Continuous and Hybrid Systems. 37ś42.
  7. Armin Biere, Alessandro Cimatti, Edmund M. Clarke, Ofer Strichman, and Yunshan Zhu. 2003. Bounded model checking. Adv. Comput. 58 (2003), 117ś148. https://doi.org/10.1016/S0065-2458(03)58003-2
  8. Sergiy Bogomolov, Alexandre Donzé, Goran Frehse, Radu Grosu, Taylor T. Johnson, Hamed Ladan, Andreas Podelski, and Martin Wehrle. 2016. Guided search for hybrid systems based on coarse-grained space abstractions. Int. J. Softw. Tools Technol. Transf. 18, 4 (2016), 449ś467. https://doi.org/10.1007/s10009-015-0393-y
  9. Sergiy Bogomolov, Goran Frehse, Amit Gurung, Dongxu Li, Georg Martius, and Rajarshi Ray. 2019. Falsiication of hybrid systems using symbolic reachability and trajectory splicing. In Proceedings of the 22nd ACM International Conference on Hybrid Systems: Computation and Control, HSCC 2019, Montreal, QC, Canada, April 16-18, 2019, Necmiye Ozay and Pavithra Prabhakar (Eds.). ACM, 1ś10. https://doi.org/10.1145/3302504.3311813
  10. Lei Bu, Alessandro Abate, Dieky Adzkiya, Muhammad Syifa'ul Muid, Rajarshi Ray, Yuming Wu, and Enea Zafanella. 2020. ARCH- COMP20 Category Report: Hybrid Systems with Piecewise Constant Dynamics and Bounded Model Checking. In ARCH20. 7th International Workshop on Applied Veriication of Continuous and Hybrid Systems (ARCH20), Berlin, Germany, July 12, 2020 (EPiC Series in Computing, Vol. 74). EasyChair, 1ś15. https://doi.org/10.29007/bhwx
  11. Michael Cashmore, Maria Fox, Derek Long, and Daniele Magazzeni. 2016. A Compilation of the Full PDDL+ Language into SMT. In Proceedings of the Twenty-Sixth International Conference on International Conference on Automated Planning and Scheduling (London, UK) (ICAPS'16). AAAI Press, 79ś87.
  12. Xin Chen, Erika Ábrahám, and Sriram Sankaranarayanan. 2013. Flow*: An analyzer for non-linear hybrid systems. In International Conference on Computer Aided Veriication. Springer, 258ś263.
  13. Xin Chen, Sriram Sankaranarayanan, and Erika Ábrahám. 2015. Flow* 1.2: More Efective to Play with Hybrid Systems. In 1st and 2nd International Workshop on Applied veRiication for Continuous and Hybrid Systems, ARCH@CPSWeek 2014, Berlin, Germany, April 14, 2014 / ARCH@CPSWeek 2015, Seattle, WA, USA, April 13, 2015 (EPiC Series in Computing, Vol. 34), Goran Frehse and Matthias Althof (Eds.). EasyChair, 152ś159. https://doi.org/10.29007/1w4t
  14. Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. 2000. Counterexample-Guided Abstraction Reinement. In CAV (Lecture Notes in Computer Science, Vol. 1855), E. Allen Emerson and A. Prasad Sistla (Eds.). Springer, 154ś169.
  15. Edmund M. Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. 2003. Counterexample-guided abstraction reinement for symbolic model checking. J. ACM 50, 5 (2003), 752ś794. https://doi.org/10.1145/876638.876643
  16. Edmund M. Clarke, Anubhav Gupta, and Ofer Strichman. 2004. SAT-based counterexample-guided abstraction reinement. IEEE Trans. Comput. Aided Des. Integr. Circuits Syst. 23, 7 (2004), 1113ś1123. https://doi.org/10.1109/TCAD.2004.829807
  17. Martin Davis, George Logemann, and Donald Loveland. 1962. A machine program for theorem-proving. Commun. ACM 5, 7 (1962), 394ś397.
  18. Leonardo De Moura and Nikolaj Bjùrner. 2008. Z3: An eicient SMT solver. In International conference on Tools and Algorithms for the Construction and Analysis of Systems. Springer, 337ś340.
  19. Andreas Eggers, Martin Fränzle, and Christian Herde. 2008. SAT modulo ODE: A direct SAT approach to hybrid systems. In International Symposium on Automated Technology for Veriication and Analysis. Springer, 171ś185.
  20. Andreas Eggers, Nacim Ramdani, Nedialko Nedialkov, and Martin Fränzle. 2011. Improving SAT modulo ODE for hybrid systems analysis by combining diferent enclosure methods. In International Conference on Software Engineering and Formal Methods. Springer, 172ś187.
  21. Ansgar Fehnker and Franjo Ivancic. 2004. Benchmarks for Hybrid Systems Veriication. In HSCC (Lecture Notes in Computer Science, Vol. 2993), Rajeev Alur and George J. Pappas (Eds.). Springer, 326ś341.
  22. M. Fox and D. Long. 2006. Modelling mixed discrete-continuous domains for planning. Journal of Artiicial Intelligence Research 27 (10 2006), 235ś297.
  23. Martin Franzle and Christian Herde. 2005. Eicient Proof Engines for Bounded Model Checking of Hybrid Systems. Electronic Notes in Theoretical Computer Science 133 (2005), 119ś137. https://doi.org/10.1016/j.entcs.2004.08.061 Proceedings of the Ninth International Workshop on Formal Methods for Industrial Critical Systems (FMICS 2004).
  24. Goran Frehse. 2008. PHAVer: algorithmic veriication of hybrid systems past HyTech. Int. J. Softw. Tools Technol. Transf. 10, 3 (2008), 263ś279. https://doi.org/10.1007/s10009-007-0062-x
  25. Goran Frehse, Alessandro Abate, Dieky Adzkiya, Anna Becchi, Lei Bu, Alessandro Cimatti, Mirco Giacobbe, Alberto Griggio, Sergio Mover, Muhammad Syifa'ul Muid, Idriss Riouak, Stefano Tonetta, and Enea Zafanella. 2019. ARCH-COMP19 Category Report: Hybrid Systems with Piecewise Constant Dynamics. In ARCH19. 6th International Workshop on Applied Veriication of Continuous and Hybrid Systemsi, part of CPS-IoT Week 2019, Montreal, QC, Canada, April 15, 2019 (EPiC Series in Computing, Vol. 61), Goran Frehse and Matthias Althof (Eds.). EasyChair, 1ś13. https://doi.org/10.29007/rjwn
  26. Goran Frehse, Colas Le Guernic, Alexandre Donzé, Scott Cotton, Rajarshi Ray, Olivier Lebeltel, Rodolfo Ripado, Antoine Girard, Thao Dang, and Oded Maler. 2011. SpaceEx: Scalable Veriication of Hybrid Systems. In Proc. 23rd International Conference on Computer Aided Veriication (CAV) (LNCS), Shaz Qadeer Ganesh Gopalakrishnan (Ed.). Springer.
  27. Sicun Gao, Jeremy Avigad, and Edmund M. Clarke. 2012. Delta-Decidability over the Reals. In Proceedings of the 2012 27th Annual IEEE/ACM Symposium on Logic in Computer Science (New Orleans, Louisiana) (LICS '12). IEEE Computer Society, USA, 305ś314. https://doi.org/10.1109/LICS.2012.41
  28. N. Giorgetti, G. J. Pappas, and A. Bemporad. 2005. Bounded Model Checking of Hybrid Dynamical Systems. In Proceedings of the 44th IEEE Conference on Decision and Control. 672ś677.
  29. Thomas A Henzinger. 2000. The theory of hybrid automata. In Veriication of Digital and Hybrid Systems. Springer, 265ś292.
  30. Ian A. Hiskens. 2001. Stability of Limit Cycles in Hybrid Systems. In 34th Annual Hawaii International Conference on System Sciences (HICSS-34), January 3-6, 2001, Maui, Hawaii, USA. IEEE Computer Society. https://doi.org/10.1109/HICSS.2001.926280
  31. Sumit Kumar Jha, Bruce H. Krogh, James E. Weimer, and Edmund M. Clarke. 2007. Reachability for Linear Hybrid Automata Using Iterative Relaxation Abstraction. In Hybrid Systems: Computation and Control, 10th International Workshop, HSCC 2007, Pisa, Italy, April 3-5, 2007, Proceedings (Lecture Notes in Computer Science, Vol. 4416), Alberto Bemporad, Antonio Bicchi, and Giorgio C. Buttazzo (Eds.). Springer, 287ś300. https://doi.org/10.1007/978-3-540-71493-4_24
  32. Steven G. Johnson. [n. d.]. The NLopt nonlinear-optimization package. http://ab-initio.mit.edu/nlopt.
  33. Soonho Kong, Sicun Gao, Wei Chen, and Edmund Clarke. 2015. dReach: -Reachability Analysis for Hybrid Systems. In Tools and Algorithms for the Construction and Analysis of Systems: 21st International Conference, TACAS 2015, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2015, London, UK, April 11-18, 2015, Proceedings, Vol. 9035. Springer, 200.
  34. Muhammad Syifa'ul Muid, Dieky Adzkiya, and Alessandro Abate. 2018. Tropical Abstractions of Max-Plus Linear Systems. In Formal Modeling and Analysis of Timed Systems -16th International Conference, FORMATS 2018, Beijing, China, September 4-6, 2018, Proceedings (Lecture Notes in Computer Science, Vol. 11022), David N. Jansen and Pavithra Prabhakar (Eds.). Springer, 271ś287. https: //doi.org/10.1007/978-3-030-00151-3_16
  35. Rajarshi Ray, Amit Gurung, Binayak Das, Ezio Bartocci, Sergiy Bogomolov, and Radu Grosu. 2015. XSpeed: Accelerating Reachability Analysis on Multi-core Processors. In Hardware and Software: Veriication and Testing -11th International Haifa Veriication Conference, HVC 2015, Haifa, Israel, November 17-19, 2015, Proceedings (Lecture Notes in Computer Science, Vol. 9434), Nir Piterman (Ed.). Springer, 3ś18. https://doi.org/10.1007/978-3-319-26287-1_1
  36. Stuart Russell and Peter Norvig. 2009. Artiicial Intelligence: A Modern Approach (3rd ed.). Prentice Hall Press, USA.
  37. Stefan Schupp and Erika Ábrahám. 2018. Eicient Dynamic Error Reduction for Hybrid Systems Reachability Analysis. In Tools and Algorithms for the Construction and Analysis of Systems -24th International Conference, TACAS 2018, Held as Part of the European Joint Conferences on Theory and Practice of Software, ETAPS 2018, Thessaloniki, Greece, April 14-20, 2018, Proceedings, Part II (Lecture Notes in Computer Science, Vol. 10806), Dirk Beyer and Marieke Huisman (Eds.). Springer, 287ś302. https://doi.org/10.1007/978-3-319-89963-3_17
  38. Krister Svanberg. 1987. The method of moving asymptotesÐa new method for structural optimization. International journal for numerical methods in engineering 24, 2 (1987), 359ś373.
  39. Klaus Weihrauch. 2000. Computable Analysis -An Introduction. Springer. https://doi.org/10.1007/978-3-642-56999-9
  40. Dingbao Xie, Lei Bu, Jianhua Zhao, and Xuandong Li. 2014. SAT-LP-IIS joint-directed path-oriented bounded reachability analysis of linear hybrid automata. Formal Methods Syst. Des. 45, 1 (2014), 42ś62. https://doi.org/10.1007/s10703-014-0210-3
  41. Aditya Zutshi, Sriram Sankaranarayanan, Jyotirmoy V. Deshmukh, and James Kapinski. 2013. A trajectory splicing approach to concretizing counterexamples for hybrid systems. In Proceedings of the 52nd IEEE Conference on Decision and Control, CDC 2013, December 10-13, 2013, Firenze, Italy. IEEE, 3918ś3925. https://doi.org/10.1109/CDC.2013.6760488

Related papers

CEGAR based bounded model checking of discrete time hybrid systems
Federico Mari

2007

Many hybrid systems can be conveniently modeled as Piecewise Affine Discrete Time Hybrid Systems PA-DTHS. As well known Bounded Model Checking (BMC) for such systems comes down to solve a Mixed Integer Linear Programming (MILP) feasibility problem. We present a SAT based BMC algorithm for automatic verification of PA-DTHSs. Using Counterexample Guided Abstraction Refinement (CEGAR) our algorithm gradually transforms a PA-DTHS verification problem into larger and larger SAT problems.

View PDFchevron_right
Optimizing bounded model checking for linear hybrid systems
Erika Abraham

… , Model Checking, and …, 2005

View PDFchevron_right
ARCH-COMP17 Category Report: Bounded Model Checking of Hybrid Systems with Piecewise Constant Dynamics
rajarshi ray

This report presents results of a friendly competition for formal verification of continuous and hybrid systems with linear continuous dynamics. The friendly competition took place as part of the workshop Applied Verification for Continuous and Hybrid Systems (ARCH) in 2017. In its first edition, three tools have been applied to solve three different benchmark problems in the category ofbounded model checking of hybrid systems with piecewise constant dynamics (in alphabetical order): BACH, HyDRA, and XSpeed. The result is a snapshot of the current landscape of tools and the types of benchmarks they are particularly suited for. Due to the diversity of problems, we are not ranking tools and we also welcome more tools to join in this friendly competition in the future event.

View PDFchevron_right
ARCH-COMP18 Category Report: Bounded Model Checking of Hybrid Systems with Piecewise Constant Dynamics
rajarshi ray

EPiC Series in Computing

This report presents results of a friendly competition for formal verification of contin- uous and hybrid systems with linear continuous dynamics. The friendly competition took place as part of the workshop Applied Verification for Continuous and Hybrid Systems (ARCH) in 2018. In its second edition, three tools have been applied to solve three differ- ent benchmark problems in the category ofbounded model checking of hybrid systems with piecewise constant dynamics (in alphabetical order): BACH, HyDRA, and XSpeed. This report is a snapshot of the current landscape of tools and the types of benchmarks they are particularly suited for. Due to the diversity of problems, we are not ranking tools and we also welcome more tools to join in this friendly competition in the future event.

View PDFchevron_right
Appendix to SpaceEx: Scalable Verification of Hybrid Systems
rajarshi ray

2011

In SpaceEx: Scalable Verification of Hybrid Systems, we present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an overapproximation of the reachable set of states in the form of template polyhedra. The algorithm improves over previous work by using variable time steps, adapted separately for each template direction to guarantee a given error bound. In addition, we propose coordinate transformations to reduce the approximation error and a clustering technique to avoid an explosion in the number of continuous sets. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrrate the scalability of the approach. A Proof of Proposition 1 Before showing that the sequence...

View PDFchevron_right

Related topics

  • Computer Science
  • Distributed Computing
  • Computer Hardware
    • 580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved