Guided search for hybrid systems based on coarse-grained space abstractions
Abstract
Hybrid systems represent an important and powerful formalism for modeling real-world applications such as embedded systems. A verification tool like SpaceEx is based on the exploration of a symbolic search space (the region space). As a verification tool, it is typically optimized towards proving the absence of errors. In some settings, e.g., when the verification tool is employed in a feedback-directed design cycle, one would like to have the option to call a version that is optimized towards finding an error trajectory in the region space. A recent approach in this direction is based on guided search. Guided search relies on a cost function that indicates which states are promising to be explored, and preferably explores more promising states first. In this paper, we propose an abstraction-based cost function based on coarse-grained space abstractions for guiding the reachability analysis. For this purpose, a suitable abstraction technique that exploits the flexible granularity of modern reachability analysis algorithms is introduced. The new cost function is an effective extension of pattern database approaches that have been successfully applied in other areas. The approach has been implemented in the SpaceEx model checker. The evaluation shows its practical potential.
Keywords
Hybrid system Reachability analysis Guided search Heuristics Pattern databases1 Introduction
Guided search is an approach that has recently found much attention for finding errors in large systems [14, 30]. As suggested by the name, guided search performs a search in the state space of a given system. In contrast to standard search methods like breadth-first or depth-first search (DFS), the search is guided by a cost function that estimates the search effort to reach an error state from the current state. This information is exploited by preferably exploring states with lower estimated costs. If accurate cost functions are applied, the search effort can significantly be reduced compared to uninformed search. Obviously, the cost function therefore plays a key role within the setting of guided search, as it should be as accurate as possible on the one hand, and as cheap to compute as possible on the other. Cost functions that have been proposed in the literature are mostly based on abstractions of the original system. An important class of abstraction-based cost functions is based on pattern databases (PDBs). PDBs have originally been proposed in the area of Artificial Intelligence [17] and also have successfully been applied to model checking discrete and timed systems [29, 30, 37, 42]. Roughly speaking, a PDB is a data structure that contains abstract states together with abstract cost values based on an abstraction of the original system. During the concrete search, concrete states s are mapped to corresponding abstract states in the PDB, and the corresponding abstract cost values are used to estimate the costs of s. Overall, PDBs have demonstrated to be powerful for finding errors in different formalisms. The open question is if guided search can be applied equally successfully to finding errors in hybrid systems.
A first approach in this direction [14] is to estimate the cost of a symbolic state based on the Euclidean distance from its continuous part to a given set of error states. This approach appears to be best suited for systems whose behavior is strongly influenced by the (continuous) differential equations. However, it suffers from the fact that discrete information like mode switches is completely ignored, which can lead to arbitrary degeneration of the search. To see this, consider the example presented in Fig. 1. It shows a simple hybrid system with one continuous variable which obeys the differential equation \(\dot{x}=1\) in every location (differential equations are omitted in the figure). The error states are given by the locations \(l_{e1},\dots ,l_{en}\) and invariants \(0\le x\le 8\). In this example, the box-based distance heuristic wrongly explores the whole lower branch first (where no error state is reachable) because it only relies on the continuous information given by the invariants. More precisely, for the box-based distance heuristic, the invariants suggest that the costs of the “lower” states are equal to 0, whereas the costs of the “upper” states are estimated to be equal to 4 (i. e., equal to the distance of the centers of the bounding boxes of the invariants).
To overcome these limitations, we introduce an abstraction-based cost function for hybrid systems which is motivated by PDBs. In contrast to the box-based approach based on Euclidean distances, this cost function is able to properly reflect the discrete part of the system. Compared to the “classical” discrete setting, the investigation of PDBs for hybrid systems becomes more difficult for several reasons. First, hybrid systems typically feature both discrete and continuous variables with complex dependencies and interactions. Therefore, the question arises how to compute a suitable (accurate) abstraction of the original system. Second, computations for symbolic successors and inclusion checks become more expensive than for discrete or timed systems—can these computations be performed or approximated efficiently to get an overall efficient PDB approach as well? In this paper, we provide answers to these questions, leading to an efficient guided search approach for hybrid systems. In particular, we introduce an abstraction technique leveraging properties of the set representations used in modern reachability algorithms. By simply using coarser parameters for the explicit representation, we obtain suitable and cheap coarse-grained space abstractions for the behaviors of a given hybrid system. Furthermore, we adapt the idea of partial PDBs, which has been originally proposed for solving discrete search problems [7], to the setting of hybrid systems in order to reduce the size and computation time of “classical” PDBs. Our implementation in the SpaceEx tool [23] shows the practical potential.
The remainder of the paper is organized as follows. After introducing the necessary background for this work in Sect. 2, we present our PDB approach for hybrid systems in Sect. 3. This is followed by a discussion about related work in Sect. 4. Afterwards, we present our experimental evaluation in Sect. 5. Finally, we conclude the paper in Sect. 6.
2 Preliminaries
In this section, we introduce the preliminaries that are needed for this work.
2.1 Notations
We consider models that can be represented by hybrid systems. A hybrid system is formally defined as follows.
Definition 1
The finite set of locations \( Loc \),
The set of continuous variables \( Var =\{x_1, \ldots , x_n\}\) from \(\mathbb {R}^n\),
The initial condition, given by the constraint \( Init (\ell )\subset \mathbb {R}^n\) for each location \(\ell \),
- For each location \(\ell \), a relation called \(Flow(\ell )\) over the variables and their derivatives. We assume \( Flow (\ell )\) to be of the formwhere \(x(t)\in \mathbb {R}^n\), A is a real-valued \(n \times n\) matrix and \(\mathcal {U}\subseteq \mathbb {R}^n\) is a closed and bounded convex set,$$\begin{aligned} \dot{x}(t) = Ax(t)+u(t),\quad u(t) \in \mathcal {U}, \end{aligned}$$
- The discrete transition relation, given by a set \( Trans \) of discrete transitions; a discrete transition is formally defined as a tuple \((\ell ,g,\xi ,\ell ')\) defining
The source location \(\ell \) and the target location \(\ell '\),
The guard, given by a linear constraint \(g\),
The update, given by an affine mapping \(\xi \), and
The invariant \( Inv (\ell ) \subset \mathbb {R}^n\) for each location \(\ell \).
\(\tau _0=0\), \(\tau _i<\tau _{i+1}\), and \(\tau _k=\varDelta \) – the sequence of switching points increases, starts with 0 and ends with \(\varDelta \)
\(L(0)=\ell \), \(\mathbf {X}(0)=\mathbf {x}\), \(L(\varDelta )=\ell '\), \(\mathbf {X}(\varDelta )=\mathbf {x}'\) – the trajectory starts in \(s=(\ell ,\mathbf {x})\) and ends in \(s'=(\ell ',\mathbf {x}')\)
\( \forall i\;\forall t\in [\tau _i,\tau _{i+1}): L(t)=L(\tau _i)\) – the location is not changed during the continuous evolution
\(\forall i\; \forall t \in [\tau _i,\tau _{i+1}): \;\; (\mathbf {X}(t),\dot{\mathbf {X}}(t))\in Flow (L(\tau _i))\), i.e., \(\dot{\mathbf {X}}(t) = A\mathbf {X}(t)+u(t)\) holds and thus the continuous evolution is consistent with the differential equations of the corresponding location
\(\forall i\; \forall t\in [\tau _i,\tau _{i+1}):\; \mathbf {X}(t) \in Inv (L(\tau _i))\) – the continuous evolution is consistent with the corresponding invariants
\(\forall i\; \exists (L(\tau _i),g,\xi ,L(\tau _{i+1}))\in Trans : \mathbf {X}_{end}(i) = \lim _{\tau \rightarrow \tau _{i+1}^-}\mathbf {X}(\tau )\wedge \mathbf {X}_{end}(i)\in ~g \wedge \mathbf {X}(\tau _{i+1})=\xi (\mathbf {X}_{end}(i))\) – every continuous transition is followed by a discrete one, \(\mathbf {X}_{end}(i)\) defines the values of continuous variables right before the discrete transition at the time moment \(\tau _{i+1}\), whereas \(\mathbf {X}_{start}(i)=\mathbf {X}(\tau _i)\) denotes the values of continuous variables right after the switch at the time moment \(\tau _i\).
In the following, we mostly refer to symbolic states. A symbolic state \(s=(\ell ,\mathcal {R})\) is defined as a tuple, where \(\ell \in Loc \), and \(\mathcal {R}\) is a convex and bounded set consisting of points \(\mathbf {x}\in \mathbb {R}^n\). The continuous part \(\mathcal {R}\) of a symbolic state is also called region. The symbolic state space of \(\mathcal {H}\) is called the region space. The initial set of states \(\mathcal {S}_{ init }\) of \(\mathcal {H}\) is defined as \(\bigcup _{\ell }(\ell , Init (\ell ))\). The reachable state space \(\mathrm {Reach}(\mathcal {H})\) of \(\mathcal {H}\) is defined as the set of symbolic states that are reachable from an initial state in \(\mathcal {S}_{ init }\), where the definition of reachability is extended accordingly for symbolic states.
In this paper, we assume there is a given set of symbolic bad states \(\mathcal {S}_{ bad }\) that violate a given property. Our goal is to find a sequence of symbolic states which contains a trajectory from \(\mathcal {S}_{ init }\) to a symbolic error state, where a symbolic error state \(s_e\) has the property that there is a symbolic bad state in \(\mathcal {S}_{ bad }\) that agrees with \(s_e\) on the discrete part, and that has a non-empty intersection with \(s_e\) on the continuous part. A trajectory that starts in a symbolic state s and leads to a symbolic error state is called an error trajectory \(\rho _e(s)\).
2.2 Symbolic states representation
The representation of symbolic states plays a crucial role for the reachability analysis of hybrid systems. As outlined in the previous section, a symbolic state consists of a discrete location and a continuous region. The handling of continuous regions within the reachability analysis poses a special challenge as a number of operations on polyhedra (such as linear maps, Minkowski sum, and convex hull computation) need to be performed efficiently in practice. The LGG scenario [33] which is implemented in SpaceEx [23] relies on two main ingredients for this purpose: support functions [10] and template polyhedra. In the following, we will describe them in more detail.
In the rest of this section, we briefly recapitulate the computation of continuous successors for a given symbolic state, i.e., the states which are reachable according to the continuous dynamics. As the continuous post operator does not change the discrete part of a symbolic state, we consider only the continuous region of a symbolic state.
2.3 Guided search
In the following, we provide a conceptual description of the algorithm using the following terminology. A symbolic state \(s'\) is called a symbolic successor state of a symbolic state s if \(s'\) is obtained from s by first computing the continuous successor of s (according to iteratively over-approximating the successor regions of s with sets \(\varOmega _i\) as described in the previous section), and then by computing a discrete successor state of the resulting (intermediate) state. Therefore, for a given symbolic state \(s_{ curr }\), the function continuousSuccessor (line 7) returns a symbolic state which is an over-approximation of the symbolic state reachable from \(s_{ curr }\) within the given time horizon according to the continuous evolution. Accordingly, the function discreteSuccessors (line 12) returns the symbolic states that are reachable due to the outgoing discrete transitions.
A symbolic state s is called explored if its symbolic successor states have been computed. A symbolic state s is called visited if s has been computed but not yet necessarily explored. To handle encountered states, the algorithm maintains the data structures \(\mathcal {L}_{ passed }\) and \(\mathcal {L}_{ waiting }\). \(\mathcal {L}_{ passed }\) is a list containing symbolic states that are already explored; this list is used to avoid exploring cycles in the region space. \(\mathcal {L}_{ waiting }\) is a priority queue that contains visited symbolic states together with their cost values that are candidates to be explored next. The algorithm is initialized by computing the cost values for the initial symbolic states and pushing them accordingly into \(\mathcal {L}_{ waiting }\) (lines 1 – 2). The main loop iteratively considers a best symbolic state \(s_{ curr }\) from \(\mathcal {L}_{ waiting }\) according to the cost function (line 5), computes its symbolic continuous successor state \(s_{ curr }'\) (line 7), and checks if \(s_{ curr }'\) is a symbolic error state (lines 8 – 10). (Recall that \(s_{ curr }'\) is defined as a symbolic error state if there is a symbolic bad state \(s\in \mathcal {S}_{ bad }\) such that s and \(s_{ curr }'\) agree on their discrete part, and the intersection of the regions of s and \(s_{ curr }'\) is not empty.) If this is the case, the algorithm terminates. If this is not the case, then \(s_{ curr }'\) is pushed into \(\mathcal {L}_{ passed }\) (line 11). Finally, for the resulting symbolic state \(s_{ curr }'\), the symbolic discrete successor states are computed, prioritized, and pushed into \(\mathcal {L}_{ waiting }\) if they have not been considered before (lines 12 – 18). As a side remark, if a successor state \(s'=\langle l,\mathcal R\rangle \) is not contained in \(\mathcal {L}_{ passed }\) (line 14), but instead there is a symbolic state \(s''=\langle l,\mathcal R'\rangle \in \mathcal {L}_{ passed }\) with \(\mathcal R\subset \mathcal R'\), then \(s'\) is discarded as well because all transitions enabled in \(s'\) have already been enabled in \(s''\) which is already explored. Finally, the check if the given maximal number of iterations has been reached (line 4 and line 20) ensures termination, which would not be generally guaranteed otherwise (e. g., because of Zeno behavior).
Obviously, the search behavior of Algorithm 1 is crucially determined by the cost function that is applied. In the next section, we give a generic description of pattern database cost functions.
2.4 General framework of pattern databases
For a given system \(\mathcal {S}\), a pattern database (PDB) in the classical sense (i. e., in the sense PDBs have been considered for discrete and timed systems) is represented as a table-like data structure that contains abstract states together with abstract cost values. The PDB is used as a cost estimation function by mapping concrete states s to corresponding abstract states \(s^{\#}\) in the PDB, and using the abstract cost value of \(s^{\#}\) as an estimation of the cost value of s. The computation of a classical PDB is performed in three steps. First, a subset \(\mathcal {P}\) of variables and automata of the original system \(\mathcal {S}\) is selected. Such subsets \(\mathcal {P}\) are called pattern. Second, based on \(\mathcal {P}\), an abstraction \(\mathcal {S}^{\#}\) is computed that only keeps the variables occurring in \(\mathcal {P}\). Third, the entire state space of \(\mathcal {S}^{\#}\) is computed and stored in the PDB. More precisely, all reachable abstract states together with their abstract cost values are enumerated and stored. The abstract cost value for an abstract state is defined as the shortest length of a trajectory from that state to an abstract error state. The resulting PDB of these three steps is used as the \( cost \) function during the execution of Algorithm 1; in other words, the PDB is computed prior to the actual model checking process, where the resulting PDB is used as an input for Algorithm 1.
3 Pattern databases for hybrid systems
In Sect. 2.4, we have described the general approach for computing and using a PDB for guiding the search. However, for hybrid systems, there are several challenges using the classical PDB approach. First, it is not clear how to effectively design and compute suitable abstractions \(\mathcal {H}^{\#}\) for hybrid systems \(\mathcal {H}\) with complex variable dependencies. Second, in Sect. 3.2, we address the general problem that the precomputation of a PDB is often quite expensive, where in many cases, only a small fraction of the PDB is actually needed for the search [24]. This is undesirable in general, and specifically becomes problematic in the context of hybrid systems because the reachability analysis in hybrid systems is typically much more expensive than, e. g., for discrete systems. In Sect. 3.2, we introduce a variant of partial PDBs for hybrid systems to address these problems.
3.1 Coarse-grained space abstractions
A general question in the context of PDBs is how to compute suitable abstractions of a given system. In particular, for hybrid systems where variables often have rather complex dependencies, projection abstractions based on removing variables (as done for classical PDBs) can be too coarse to achieve accurate heuristics. In this paper, we propose a simple, yet elegant alternative to the classical PDB approach to obtain a coarse grained and fast analysis: As described in Sect. 2.2, the LeGuernic-Girard (LGG) algorithm implemented in SpaceEx [23] uses support function representation (based on the chosen set of template directions) to compute and store over-approximations of the reachable states. Therefore, a reduced number of template directions and an increased sampling time results in an abstraction of the original region space in the sense that the dependency graph of the reachable abstract symbolic states is a discrete abstraction of the system.
The granularity of the resulting abstraction is directly correlated with the parameter selection: Choosing coarser parameters (fewer template directions, larger sampling time) in the reachability algorithm makes this abstraction coarser, whereas finer parameters lead to finer abstractions as well. In more detail, for a given set of template directions D and sampling time N, a subset \(D'\subset D\) and a larger sampling time \(N'> N\) induce coarse-grained space abstractions with respect to the abstractions obtained by D and N: the over-approximation of regions based on \(D'\) and \(N'\) are coarser than for D and N. As an example for template directions, consider again Figs. 2 and 3: the set of box directions in Fig. 2 is a coarse-grained space abstraction of the set of octagonal directions in Fig. 3. Similarly, as an example for the sampling time, consider again Figs. 4 and 5, where Fig. 4 shows a coarse-grained space abstraction based on increased sampling time of the regions in Fig. 5.
In the following, we apply coarse-grained space abstractions to obtain abstractions as the basis for pattern databases. This is a significant difference compared to classical PDB approaches (see Sect. 2.4): Instead of computing an explicit (projection) abstraction \(\mathcal {H}^{\#}\) based on a subset of all variables, we keep all variables (and hence, the original system \(\mathcal {H}\)), and instead choose a coarser exploration of the abstract region space of \(\mathcal {H}\) to obtain the abstraction used for the PDB. (In practice, we apply unguided search provided by SpaceEx to compute this coarser abstraction.) As an additional difference to classical PDBs, we will apply a variant of partial PDBs, which are introduced in the next section.
3.2 Partial pattern databases
As already outlined, a general drawback of classical PDBs is the fact that their precomputation might become quite expensive. Even worse, in many cases, most of this precomputation time is often unnecessary because only a small fraction of the PDB is actually needed during the symbolic search in the region space [24]. One way that has been proposed in the literature to overcome this problem is to compute the PDB on demand: The so-called switchback search maintains a family of abstractions with increasing granularity; these abstractions are used to compute the PDB to guide the search in the next finer level [32].
In the following, we apply a variant of partial PDBs [7] based on coarse-grained space abstractions to address this problem: Instead of computing the whole abstract region space for a given abstraction, we restrict the abstract search to explore only a fraction of the abstract region space while focusing on those abstract states that are likely to be sufficient for the concrete search. In the following definition, we call an abstract state \(s^{\#}\)corresponding to state s if s and \(s^{\#}\) agree on their discrete part, the region of s is included in region of \(s^{\#}\), and \(s^{\#}\) is an abstract state with minimal abstract costs that satisfies these requirements.
Definition 2
Informally, a partial PDB for a hybrid system \(\mathcal {H}\) exactly contains those abstract states that are explored on some shortest trajectory (instead of containing all abstract states of a complete abstract region space exploration to all abstract error states as it would be the case for a classical PDB). In other words, partial PDBs are incomplete in the sense that there might exist concrete states without any corresponding abstract states in the PDB. In such cases, the default value +\(\infty \) is returned with the intention that corresponding concrete states are only explored if no other states are available. Obviously, this might worsen the overall search guidance compared to the fully computed PDB. However, in special cases, a partial PDB is already sufficient to obtain the same cost function as obtained with the original PDB or even obtained with a perfect cost function (that allows for exploring the region space without backtracking to find an error state). For example, this is the case when only abstract states are excluded from which no abstract error state is reachable anyway. More generally, under the idealized assumption that the abstraction is fine enough such that no spurious behavior occurs on shortest possible error trajectories, the partial PDB already delivers the same search behavior as a perfect search algorithm that finds an error trajectory without backtracking.
Proposition 1
Let \(\mathcal {H}\) be a hybrid system. Let \(n\in \mathbb {N}_0\) be the length of a shortest concrete error trajectory. If all shortest abstract error trajectories in \(\mathcal {H}\) (obtained by a coarse-grained space abstraction to build a pattern database) correspond to concrete error trajectories of the same length, then guided search with Algorithm 1 and \( cost ^{ PP }\) finds an error trajectory after n steps.
Proof
By construction, the partial PDB contains exactly those symbolic abstract states that are part of shortest possible error trajectories. By assumption, these abstract states correspond to concrete states on concrete error trajectories of the same length. Hence, for every concrete state s on a shortest error trajectory, there is a corresponding entry in the partial PDB for all concrete successor states \(s'\) of s that are part of a shortest concrete error trajectory, and \( cost ^{ PP }(s')= cost ^{ PP }(s)-1\). In addition, for all concrete successor states \(s''\) that are not part of a shortest concrete error trajectory, \( cost ^{ PP }(s'')=\infty \). Overall, the claim follows by an inductive argument: Let \(s_0\) be an initial state such that \( cost ^{ PP }(s_0)=n\) is minimal among the costs of all initial states, i. e., n is the length of a shortest concrete error trajectory. Furthermore, all concrete states on a shortest concrete error trajectory have a concrete successor state with a cost value decreased by one, whereas all other successor states have a cost value of infinity. Hence, Algorithm 1 with the \( cost ^{ PP }\) function finds a concrete error trajectory within n steps. \(\square \)
Under the idealized assumptions of Proposition 1, it follows immediately that guided search applying the full PDB cannot improve over the partial PDB.
Corollary 1
Under the assumptions of Proposition 1, guided search with Algorithm 1 and \( cost ^{ P }\) explores at least as many states as with \( cost ^{ PP }\).
Proposition 1 and Corollary 1 show that partial PDBs can provide effective search guidance in an idealized setting where the applied abstraction only introduces spurious behavior on non-relevant parts of the region space. Clearly, in practice, these assumptions will mostly not be satisfied for abstractions that are efficiently computable. However, we rather consider Proposition 1 as a proof of concept showing that the basic concept of partial PDBs is meaningful in our setting. (In our experimental analysis, we will show that partial PDBs yield an effective and efficient approach for a number of practical and challenging problems as well—we will come back to this point in Sect. 5.) Overall, we will see that although in case the requirements of Proposition 1 are not fulfilled, partial PDBs can still be a good heuristic choice that lead to cost functions that are efficiently computable and accurately guide the concrete search.
3.3 Discussion
Our pattern database approach for finding error states exploits abstractions in a different way than in common approaches for verification (see Sect. 4 for a discussion on related work). Most notably, the main focus of our abstraction is to provide the basis for the cost function to guide the search, rather than to prove correctness (although, under certain circumstances, it can be efficiently used for verification as well—we will come back to this point in the experiments section). As a short summary of the overall approach, we first compute a symbolic abstract region space (as described in Sect. 3.1), where the encountered symbolic abstract states \(s^{\#}\) are stored in a table together with the corresponding abstract cost values of \(s^{\#}\). To avoid the (possibly costly) computation of an entire PDB, we only compute the PDB partially (as described in Sect. 3.2). This partial PDB is then used as the cost function of our guided reachability algorithm. As in many other approaches that apply abstraction techniques to reason about hybrid systems, the abstraction that is used for the PDB is supposed to accurately reflect the “important” behavior of the system, which results in accurate search guidance of the resulting cost function and hence, of our guided reachability algorithm.
An essential feature of the PDB-based cost function is the ability to reflect the continuous and the discrete part of the system. To make this more clear, consider again the motivating example from the introduction (Fig. 1). As we have discussed already, the box-based distance function first wrongly explores the whole lower branch of this system because no discrete information is used to guide the search. In contrast, a partial PDB is also able to reflect the discrete behavior of the system. In this example, the partial PDB consists of an abstract trajectory to the first reachable error state, which is already sufficient to guide the (concrete) region space exploration towards to first reachable error state as well. In particular, this example shows the advantage of partial PDBs compared to fully computed PDBs (recall that fully computed PDBs would include all error states, whereas the partial PDB only contains the trajectory to a shortest one). In general, our PDB approach is particularly well suited for hybrid systems with a non-trivial amount of discrete behavior. However, the continuous behavior is still considered according to our abstraction technique as introduced in Sect. 3.1. Overall, partial PDBs appear to be an accurate approach for guided search because they accurately balance the computation time for the cost function on the one hand, and lead to efficient and still accurately informed cost functions on the other hand.
4 Related work
Abstraction techniques for hybrid systems have been mostly considered in a verification setting, i. e., in a setting where the focus is on proving that a given set of bad states cannot be reached. For this purpose, abstractions have been applied in different ways. On the one hand, a number of approaches to abstract the regions of symbolic states within the reachability analysis have been suggested, including constraint polyhedra [22], ellipsoids [31], and orthogonal polyhedra [15]. In our paper, we use the support function representation [33]. These approaches have in common that the structure of the considered hybrid system is left intact. On the other hand, it also possible to abstract a hybrid automata structure. Alur et al. [2] suggest to use predicate abstraction for the hybrid systems analysis. In addition, Tiwari et al. [40] introduce a method based on the quantifier elimination decision procedure for real closed fields. Furthermore, Tiwari [39] investigates Lie derivatives and their application to the abstraction generation. Jha et al. [25] computes abstractions by removing some of the continuous variables. Finally, Bogomolov et al. [13] abstract hybrid systems by merging locations. The abstract dynamics is computed by eliminating the state variables and computing a convex hull. Our pattern database approach belongs to the first group outlined above as we exploit the parametrization of the symbolic region representation.
A prominent model checking approach for hybrid systems is based on counterexample-guided abstraction refinement (CEGAR) [3, 4]. In a nutshell, CEGAR iteratively refines the considered abstraction until the abstraction is fine enough to prove or refute the property. Our PDB approach shares with CEGAR the general idea of using an abstraction to analyze a concrete system. However, in contrast to CEGAR, where abstract counterexamples have to be validated and possibly used in further abstraction refinement, abstractions for PDBs are never refined and only used as a heuristic to guide the search within the concrete automaton. In other words, in contrast to CEGAR, the accuracy of the abstraction influences the order in which concrete states are explored, and hence, the accuracy in turn influences the performance of the resulting model checking algorithm.
Therefore, a crucial difference lies in the fact that CEGAR does the search in the abstract space, replays the counterexample in the concrete space, and stops if the error trajectory cannot be followed. In contrast, our approach does the search in the concrete space and uses the PDBs for guidance, only. If an abstract trajectory cannot be followed, the search does not stop, but tries other branches until either a counterexample is found, or all trajectories have been exhausted. Due to this reason, our framework provides the same level of precision as the default SpaceEx reachability algorithm. The concretization of a symbolic path is known to be a highly non-trivial computational problem. A symbolic bad path found with our approach can be further concretized to the trajectory level using techniques from optimal control (see, e.g., the work by Zutshi et al. [43] for more details).
Considering more specialized techniques to find error states in faulty hybrid systems, Bhatia and Frazzoli [11] propose using rapidly exploring random trees (RRTs). In the context of hybrid systems, the objective of a basic RRTs approach is to efficiently cover the region space in an “equidistant” way in order to avoid getting stuck in some part of the region space. Recently, RRTs were extended by adding guidance of the input stimulus generation [18]. However, in contrast to our approach, RRTs approaches are based on numeric simulations, rather than symbolic executions. Applying PDBs to RRTs would be an interesting direction for future work. In a further approach, Plaku, Kavraki, and Vardi [36] propose to combine motion planning with discrete search for falsification of hybrid systems. The discrete search and continuous search components are intertwined in such a way that the discrete search extracts a high-level plan that is then used to guide the motion planning component. In a slightly different setting, Ratschan and Smaus [38] apply search to finding error states in hybrid systems that are deterministic. Hence, the search reduces to the problem of finding an accurate initial state.
Results for the navigation benchmarks
Inst. | #Loc | Uninformed DFS | Box-heuristic | PDB | ||||||
---|---|---|---|---|---|---|---|---|---|---|
#It | Length | Time | #It | Length | Time | #It | Length | Time (time abs.) | ||
1 | 400 | 122 | 15 | 206.1 | 62 | 15 | 99.883 | 16 | 15 | 28.325 (2.714) |
2 | 400 | 183 | 33 | 262.565 | 86 | 33 | 168.815 | 34 | 33 | 75.626 (10.153) |
3 | 625 | 75 | 33 | 99.758 | 34 | 33 | 52.222 | 34 | 33 | 62.283 (10.234) |
4 | 625 | 268 | 158 | 368.545 | 231 | 158 | 296.89 | 159 | 158 | 178.705 (13.992) |
5 | 625 | 85 | 79 | 167.502 | 26 | 25 | 53.164 | 26 | 25 | 58.417 (5.002) |
6 | 625 | 96 | 53 | 155.458 | 101 | 53 | 148.448 | 54 | 53 | 106.283 (13.267) |
7 | 625 | 227 | 34 | 280.406 | 105 | 34 | 137.363 | 35 | 34 | 66.315 (12.682) |
8 | 625 | 178 | 25 | 371.8 | 86 | 25 | 192.71 | 26 | 25 | 60.639 (9.609) |
9 | 625 | 297 | 17 | 502.049 | 102 | 17 | 187.003 | 18 | 17 | 42.785 (10.232) |
10 | 625 | 440 | 30 | 753.488 | 136 | 30 | 282.914 | 31 | 30 | 84.031 (18.114) |
11 | 900 | 234 | 72 | 378.906 | 129 | 21 | 208.789 | 22 | 21 | 45.085 (10.973) |
12 | 900 | 317 | 43 | 473.785 | 174 | 61 | 277.467 | 44 | 43 | 86.936 (21.097) |
13 | 900 | 367 | 37 | 596.671 | 148 | 37 | 266.718 | 38 | 37 | 97.456 (26.926) |
14 | 900 | 411 | 32 | 608.962 | 278 | 32 | 419.827 | 33 | 32 | 79.987 (14.934) |
15 | 900 | 379 | 44 | 625.685 | 107 | 44 | 194.535 | 45 | 44 | 97.138 (12.302) |
Moreover, guided search has been applied to finding error states in a subclass of hybrid systems, namely to timed systems. In particular, PDBs have been investigated in this context [29, 30, 42]. In contrast to this paper, the PDB approaches for timed systems are “classical” PDB approaches, i. e., a subset of the available automata and variables are selected to compute a projection abstraction. To select this subset, Kupferschmid et al. [29] compute an abstract error trace and select the automata and variables that occur in transitions in this abstract trace. In contrast, Kupferschmid and Wehrle [30, 42] start with the set of all automata and variables (i. e., with the complete system), and iteratively remove variables as long as the resulting projection abstraction is “precise enough” according to a certain quality measure. In both approaches, the entire PDB is computed, which is more expensive than the partial PDB approach proposed in this paper.
5 Evaluation
We have implemented \( cost ^{ PP }\) in the SpaceEx tool [23] and evaluated it on a number of challenging benchmarks. The implementation and the benchmarks are available at http://pub.ist.ac.at/~sbogomol/sttt2015.
The experiments have been performed on a machine running with AMD Opteron 6174 processors. We set a time limit of 30 min per run. In the following, we report results for our PDB implementation of \( cost ^{ PP }\) in SpaceEx. We compared \( cost ^{ PP }\) with uninformed DFS as implemented in SpaceEx, and with the recently proposed box-based distance function [14] on several challenging benchmark problems. We compare the number of iterations of SpaceEx, the length of the error trajectory found as well as the overall search time (including the computation of the PDB for \( cost ^{ PP }\)) in seconds. In the following, we will shortly denote partial PDBs with PDBs.
5.1 Results for navigation benchmarks
As a first set of benchmarks, we consider a variant of the well-known navigation benchmark [21]. This benchmark models an object moving on the plane which is divided into a grid of cells. The dynamics of the object’s planar position in each cell is governed by the differential equations \(\dot{x}=v\), \(\dot{v}=A(v-v_d)\), where \(v_d\) stands for the targeted velocity in this location. Compared to the originally proposed navigation benchmark problem, we address a slightly more complex version with the following additional constraints. First, we add inputs allowing perturbation of object coordinates, i. e., the system of differential equations is extended to: \(\dot{x}=v+u\), \(\dot{v}=A(v-v_d)\), \(u_{min} \le u \le u_{max}\). Second, to make the search task even harder, the benchmark problems also feature obstacles between certain grid elements. This is particularly challenging because, in contrast to the original benchmark system, one can get stuck in a cell where no further transitions can be taken, and consequently, backtracking might become necessary. The size of the problem instances varies from 400 to 900 locations, and all instances feature 4 variables.
5.1.1 Results for navigation benchmarks with additive vanishing perturbation
We consider another variant of the navigation benchmark with an additive vanishing perturbation (see, e.g., [28]). We use this variation for evaluating the scalability of our approach with respect to increased continuous complexity given a constant discrete complexity. For this, the benchmark is modified to model a vanishing perturbation \(w \in \mathbb {R}^p\) with increasing model order (i. e., \(p=1\), \(p=2\), etc.). In more detail, we extend the system of differential equations to \(\dot{x}=v+u\), \(\dot{v}=A(v-v_d)+\sum _{i=1}^p w_i\), \(\dot{w} = A_w w\), where \(u_{min} \le u \le u_{max}\) as before and \(A_w \in \mathbb {R}^{p \times p}\) is Hurwitz to ensure it is a vanishing perturbation.
Table 2 presents results of the same scenarios evaluated in the earlier navigation benchmark for \(p=2\) additional vanishing perturbation variables (i. e., 2 additional state variables compared to the earlier navigation benchmark, yielding \(n=6\) continuous variables overall). We observe a similar picture as for the previous results: the PDB approach outperforms uninformed DFS and also the box-based heuristic in the majority of the problems. This is also reflected in Figs. 9, 10, and 11, which, respectively, show the corresponding reachable states in the second instance for the three approaches, respectively.
Results for the navigation benchmarks with two additional continuous variables modeling an additive vanishing perturbation
Inst. | #Loc | Uninformed DFS | Box-heuristic | PDB | ||||||
---|---|---|---|---|---|---|---|---|---|---|
#It | Length | Time | #It | Length | Time | #It | Length | Time (time abs.) | ||
1 | 400 | 122 | 15 | 661.373 | 62 | 15 | 343.611 | 16 | 15 | 109.264 (4.467) |
2 | 400 | 153 | 33 | 723.719 | 86 | 33 | 592.531 | 34 | 33 | 254.383 (17.427) |
3 | 625 | 75 | 33 | 349.476 | 34 | 33 | 199.073 | 34 | 33 | 216.528 (17.998) |
4 | 625 | 268 | 158 | 1053.63 | 231 | 158 | 868.593 | 177 | 158 | 627.206 (25.12) |
5 | 625 | 85 | 79 | 525.811 | 26 | 25 | 201.759 | 26 | 25 | 211.146 (8.392) |
6 | 625 | 96 | 53 | 500.29 | 101 | 53 | 485.165 | 54 | 53 | 337.038 (23.205) |
7 | 625 | 227 | 34 | 1040.75 | 105 | 34 | 535.871 | 35 | 34 | 251.452 (24.724) |
8 | 625 | 201 | 25 | 1311.04 | 88 | 25 | 697.649 | 26 | 25 | 206.585 (15.822) |
9 | 625 | 298 | 17 | 1640.59 | 102 | 17 | 658.379 | 18 | 17 | 142.197 (17.881) |
10 | 625 | n/a | n/a | OOT | 163 | 30 | 1212.59 | 31 | 30 | 281.356 (31.616) |
11 | 900 | 201 | 72 | 1013.24 | 129 | 21 | 710.073 | 22 | 21 | 146.15 (19.058) |
12 | 900 | 316 | 43 | 1530.46 | 174 | 61 | 928.734 | 44 | 43 | 272.088 (35.26) |
13 | 900 | n/a | n/a | OOT | 148 | 37 | 858.674 | 38 | 37 | 293.259 (45.617) |
14 | 900 | n/a | n/a | OOT | 278 | 32 | 1403.78 | 33 | 32 | 260.377 (25.744) |
15 | 900 | n/a | n/a | OOT | 163 | 52 | 988.228 | 100 | 52 | 649.809 (20.265) |
5.2 Results for satellite benchmarks
Results for the satellite benchmarks
Inst. | #Loc | Uninformed DFS | Box-heuristic | PDB | ||||||
---|---|---|---|---|---|---|---|---|---|---|
#It | Length | Time | #It | Length | Time | #It | Length | Time (time abs.) | ||
1 | 36 | 116 | 32 | 37.501 | 75 | 10 | 18.393 | 16 | 10 | 14.03 (10.05) |
2 | 36 | 464 | 49 | 138.149 | 473 | 19 | 162.666 | 30 | 13 | 21.882 (16.427) |
3 | 64 | 719 | 87 | 42.198 | 281 | 91 | 14.897 | 264 | 121 | 27.067 (12.591) |
4 | 100 | 111 | 106 | 51.705 | 45 | 15 | 30.602 | 23 | 14 | 20.461 (8.106) |
5 | 100 | 109 | 104 | 426.37 | 45 | 15 | 272.133 | 23 | 14 | 92.393 (8.082) |
6 | 159 | 2170 | \(\infty \) | 107.68 | 1354 | \(\infty \) | 68.107 | 0 | \(\infty \) | 21.051 (21.051) |
7 | 324 | 580 | 135 | 251.016 | 1289 | 144 | 649.345 | 25 | 24 | 42.316 (11.921) |
8 | 557 | 1637 | 42 | 61.754 | 936 | 42 | 35.523 | 156 | 42 | 60.027 (54.115) |
9 | 574 | 7113 | 41 | 298.601 | 561 | 10 | 23.977 | 14 | 10 | 8.811 (8.309) |
10 | 575 | 9092 | 4 | 376.935 | 387 | 5 | 16.467 | 15 | 4 | 3.182 (2.651) |
11 | 576 | 1485 | 775 | 273.265 | 253 | 13 | 50.172 | 15 | 13 | 13.385 (7.899) |
12 | 576 | 1005 | 775 | 172.192 | 796 | 13 | 160.342 | 15 | 13 | 13.324 (7.841) |
13 | 576 | 1317 | 1147 | 1410.17 | 484 | 54 | 775.325 | 52 | 51 | 217.534 (104.304) |
14 | 1293 | 13691 | \(\infty \) | 526.483 | 7790 | \(\infty \) | 312.288 | 0 | \(\infty \) | 170.428 (170.428) |
15 | 1296 | n/a | n/a | OOT | n/a | n/a | OOT | 206 | 139 | 784.986 (526.336) |
The verification problem is conjunction avoidance, i. e., to determine whether there exists a trajectory where the satellites come too close to one another and may collide. Some of the benchmark instances considered are particularly challenging because they feature several sources of non-determinism, including several initial states and several bad states. As an additional source of non-determinism, some benchmarks model thrusting. A change in a satellite’s orbit is usually accomplished by firing thrusters. This is usually modeled as an instantaneous change in the orbital parameters \(e_i\) and \(a_i\). However, the angular position \(\nu _i\) in this new orbit does not, in general, equal the angular position in the original orbit, and a change of variables is necessary, which can be modeled by a reset of the \(\nu _i\) values when the thrusters are fired. The transitions introduced for thrusting add additional discrete non-determinism to the system.
The results for the satellite benchmark class are provided in Table 3. In general, we observe a similar search behavior to what we have observed in the navigation problems: The precomputation of the PDB pays off in the sense that much better search behavior can be achieved, leading to a fewer number of iterations and a lower overall runtime. For example, in instance 5, the precomputation time for the PDB amounts to roughly 5 s, leading to an overall time of around 92 s for the concrete run. In contrast, uninformed search and the box-based heuristic need around 426 and 272 s, respectively. The search behavior of the concrete and abstract run in instance 5 is also visualized in Figs. 13, 14, and 15. We observe that the part of the covered search space with our PDB approach is again lower compared to the box-based heuristic and uninformed search. Figure 15 again particularly shows the part of the search space that is covered by the abstract run (which can be performed efficiently due to our abstraction described in Sect. 3.1), showing that our PDB approach finds an accurate balance between the computation time and the accuracy of the resulting cost function.
5.3 Results for water tank benchmarks
This benchmark consists of variants of the tank benchmark [6, 26]. The tank benchmark (see Fig. 16) consists of some \(N \in \mathbb {N}\) tanks, where each tank \(i \in \{1,\ldots ,N\}\) loses volume \(x_i\) at some constant flow rate \(v_i\), so tank i has dynamics \(\dot{x}_i = -v_i\), for a real constant \(v_i \ge 0\). One of the tanks is filled from an external inlet at some constant flow rate w, so it has dynamics \(\dot{x}_i = w - v_i\), for a real constant \(w \ge 0\). In our variant, the volume lost by each tank simply vanishes and does not move from one tank to another. This benchmark class is qualitatively different than either the navigation or satellite benchmarks, as the discrete state space may be small.
Results for the tank benchmarks
Inst. | N | Top. | Uninformed DFS | Box-heuristic | PDB | ||||||
---|---|---|---|---|---|---|---|---|---|---|---|
#It | Length | Time | #It | Length | Time | #It | Length | Time (time abs.) | |||
1 | 3 | C | 4 | 3 | 254.032 | 4 | 3 | 305.309 | 4 | 3 | 166.516 (6.285) |
2 | 3 | C | 4 | 3 | 237.33 | 4 | 3 | 238.311 | 4 | 3 | 124.195 (4.71) |
3 | 3 | C | 4 | 3 | 483.083 | 4 | 3 | 479.847 | 4 | 3 | 524.132 (41.855) |
4 | 3 | C | n/a | n/a | OOT | 5 | 2 | 828.846 | 2 | 1 | 190.139 (7.856) |
5 | 3 | C | 6 | 5 | 508.693 | 8 | 2 | 76.68 | 3 | 2 | 32.141 (11.351) |
6 | 3 | C | n/a | n/a | OOT | 5 | 2 | 312.54 | 3 | 2 | 220.108 (9.272) |
7 | 3 | L | 6 | 5 | 506.076 | 5 | 2 | 281.351 | 3 | 2 | 218.484 (7.791) |
8 | 3 | L | 3 | 2 | 280.473 | 3 | 2 | 276.498 | 3 | 2 | 289.545 (6.156) |
9 | 4 | L | n/a | n/a | OOT | 5 | 4 | 6.171 | 13 | 5 | 24.972 (8.688) |
10 | 3 | L | 6 | 5 | 270.648 | 5 | 2 | 144.673 | 2 | 1 | 41.345 (0.84) |
11 | 4 | L | 18 | 6 | 30.95 | 11 | 6 | 23.81 | 4 | 3 | 8.696 (3.199) |
12 | 5 | L | 10 | 7 | 23.949 | 14 | 7 | 63.518 | 4 | 3 | 18.138 (9.289) |
13 | 6 | L | 39 | 27 | 64.091 | 28 | 21 | 51.595 | 4 | 2 | 21.208 (6.283) |
14 | 7 | L | 53 | 34 | 130.636 | 44 | 22 | 117.732 | 9 | 5 | 117.763 (9.536) |
15 | 8 | L | 37 | 29 | 108.7 | 46 | 21 | 164.349 | 33 | 29 | 140.968 (30.271) |
Results for the heater benchmarks
Inst. | #loc | Uninformed DFS | Box-heuristic | PDB | ||||||
---|---|---|---|---|---|---|---|---|---|---|
#It | Length | Time | #It | Length | Time | #It | Length | Time (time abs.) | ||
1 | 4 | 7 | 6 | 148.4 | 12 | 6 | 212.651 | 7 | 6 | 149.117 (0.625) |
2 | 4 | 9 | 8 | 305.21 | 5 | 0 | 146.311 | 1 | 0 | 10.506 (7.982) |
3 | 4 | 4 | \(\infty \) | 27.476 | 4 | \(\infty \) | 27.579 | 4 | \(\infty \) | 27.467 (0.042) |
4 | 4 | 7 | \(\infty \) | 178.781 | 7 | \(\infty \) | 177.748 | 7 | \(\infty \) | 176.566 (1.1) |
5 | 4 | 21 | 20 | 84.779 | n/a | n/a | OOT | 21 | 20 | 98.173 (12.303) |
6 | 4 | 4 | 1 | 1.284 | n/a | n/a | OOT | 4 | 1 | 1.705 (0.4) |
7 | 4 | 4 | 2 | 34.493 | 4 | 2 | 34.525 | 3 | 1 | 32.07 (3.148) |
8 | 4 | 7 | 6 | 89.724 | 49 | 48 | 907.52 | 7 | 6 | 90.778 (0.475) |
9 | 4 | 4 | 2 | 8.772 | 3 | 2 | 8.183 | 3 | 1 | 8.28 (4.687) |
10 | 4 | 5 | 4 | 27.164 | 15 | 8 | 65.249 | 5 | 4 | 27.851 (0.635) |
11 | 4 | 13 | 8 | 25.771 | 25 | 14 | 48.844 | 12 | 8 | 23.708 (0.435) |
12 | 4 | 3 | 0 | 10.603 | 3 | 0 | 10.601 | 2 | 0 | 8.212 (0.544) |
13 | 4 | n/a | n/a | OOT | n/a | n/a | OOT | 10 | 6 | 640.441 (240.583) |
14 | 4 | 7 | 6 | 58.533 | 36 | 22 | 284.592 | 7 | 6 | 59.157 (0.55) |
15 | 4 | 9 | 8 | 38.06 | 42 | 24 | 150.263 | 9 | 8 | 41.948 (3.752) |
5.4 Results for heater benchmarks
This benchmark consists of variants of the heater benchmark [21]. In our variation, we consider three rooms with one heater. The automaton is modeled with four locations, consisting of no heaters on in any room, or the heater is on in one of the three rooms. The size of the problem instances have 4 locations, and all instances feature 3 temperature variables, 1 time variable, and 16 real constants. The temperature dynamics are linear and there is coupling between temperatures in different rooms. If the heater is on in a room, its temperature rate of change has a positive additive term \(c_i\), but otherwise does not, so the temperature may decrease (subject to the temperatures in different rooms). Specifically, for room 1 (and symmetrically rooms 2 and 3), if the heater is on, the dynamics are: \(\dot{x}_1 = b_1(u-x_1) + a_{1,2}(x_2-x_1) + a_{1,3}(x_3-x_1) + c_1\), but if the heater is off, the dynamics are the same except without the \(c_1\) term. In our variant, the invariants specify only that the temperatures are all non-negative and bounded. The heater may be turned on in room \(i \in \{1,2,3\}\) if \(x_i \le T_{on}\) for some real threshold \(T_{on}\), and turned off if \(x_i \ge T_{ off }\) for some real threshold \(T_{ off }\). There is non-determinism in choosing to turn off or on the heater once the threshold condition is met, and there is a potential delay in changing the state of the heater from off to on and vice-versa.
5.5 Runtimes of partial PDBs versus full PDBs
Considering the runtime to build the partial PDBs compared to computing full PDBs, we observed that strong reductions of several orders of magnitude can indeed be obtained. In particular, the computation of the full abstract state space sometimes exceeds our time bound of 30 min, whereas the partial PDBs can still be computed efficiently. This happens in the water tank problem class, where full PDBs could not be computed within 30 min in any instance, whereas partial PDBs could be computed within less than a minute in all of the 15 instances (less than 10 s in 9 of these instances). In this respect, we conclude that the notion of partial PDBs particularly makes the overall approach tractable on a larger class of problems. In cases where full PDBs can be computed within 30 min, the runtime can be significantly higher than with partial PDBs: For example, in the satellite domain instance 10, computing the full PDB needs around 175 s, compared to roughly 3 s for computing the partial PDB.
5.6 Discussion
We have observed that PDBs can provide more informed search behavior than uninformed search or than the box-based heuristic. A potential problem is the computational overhead due to its precomputation time. We will discuss advantages and drawbacks of our PDB approach in this section.
As a general picture, we first observe that the number of iterations of SpaceEx and also the length of the found error trajectories are mostly at most as high with PDBs as with uninformed search and the box-based heuristic. In particular, our PDB approach could solve several problem instances where uninformed search and the box-based heuristic ran out of time. In some cases, the precomputation of the PDB does not pay off compared to DFS and the box-based heuristic – however, in such cases, the pure concrete search time with PDBs is still mostly similar to the pure search time of DFS and the box-based approach.
We further observe that the length of the trajectories found by the box-based heuristic and the PDB heuristic is often similar or equal, while the number of iterations is mostly decreased. This again shows that the search with the PDB approach is more focused than with the box-based heuristic in such cases, and less backtracking is needed. In particular, the box-based heuristic always tries to find a “direct” trajectory to an error state, while ignoring possible obstacles. Therefore, the search can get stuck in a dead-end state if there is an obstacle, and as a consequence, backtracking becomes necessary. Furthermore, the box-based heuristic can perform worse than the PDB if several bad states are present. In such cases, the box-based heuristic might “switch” between several bad states, whereas the better accuracy of the PDB heuristic better focuses the search towards one particular bad state. In problems that are structured more easily (e. g., where no “obstacles” exist and error states are reachable “straight ahead”), the box-based heuristic might yield better performance because the precomputation of the PDB does not pay off.
Finally, a general advantage of PDBs compared to the box-based heuristic which we did not discuss in detail so far is the broader applicability of PDBs. By definition, the box-based heuristic estimates distances by computing Euclidean distances between the region of the current and the error state. However, in problems where error states are defined solely by (discrete) locations, there is no such error region, and the box-based distance heuristic is not effectively applicable. In contrast, PDBs are more general, and applicable for all kinds of error states.
6 Conclusion
We have explored the application of coarse-grained space abstractions to compute PDBs for hybrid systems. For a given safety property and hybrid system with linear dynamics in each location, we compute an abstraction by coarsening the over-approximation SpaceEx computes in its reachability analysis. The abstraction is used to construct a PDB, which contains abstract symbolic states together with their abstract error distances. These distances are used in guiding SpaceEx in the concrete search. Given a concrete symbolic state, the guiding heuristics returns the smallest distance to the error state of an enclosing abstract symbolic state. This distance is used to choose the most promising concrete symbolic successor. In our implementation, we have taken advantage of the SpaceEx parametrization support, and were able to report a significant speedup in counterexample detection and even for verification. Our new PDB support for SpaceEx can be seen as a non-trivial extension of our previous work on guided reachability analysis for hybrid systems where the discrete system structure was ignored completely [14]. For the future, it will be interesting to further refine and extend our approach by, e. g., considering even more fine grained abstraction techniques, or by combinations of several abstraction techniques and therefore, by combining several PDBs. We expect that this will lead to even more accurate cost functions and better model checking performance.
Notes
Acknowledgments
This work is based on the SPIN 2013 paper “Abstraction-Based Guided Search for Hybrid Systems” [12]. We thank Jerome Meinke and Daniel Saier for their help with the benchmark evaluation. This work was partly supported by the German Research Foundation (DFG) as part of the Transregional Collaborative Research Center “Automatic Verification and Analysis of Complex Systems” (SFB/TR 14 AVACS, http://www.avacs.org/), by the European Research Council (ERC) under grant 267989 (QUAREM) and by the Austrian Science Fund (FWF) under grants S11402-N23 (RiSE) and Z211-N23 (Wittgenstein Award), by the Swiss National Science Foundation (SNSF) as part of the project “Abstraction Heuristics for Planning and Combinatorial Search” (AHPACS) and by STARnet, a Semiconductor Research Corporation program sponsored by MARCO and DARPA.
References
- 1.Alur, R., Courcoubetis, C., Halbwachs, N., Henzinger, T., Ho, P., Nicolin, X., Olivero, A., Sifakis, J., Yovine, S.: The algorithmic analysis of hybrid systems. Theor. Comput. Sci. 138, 3–34 (1995)MathSciNetCrossRefMATHGoogle Scholar
- 2.Alur, R., Dang, T., Ivančić, F.: Reachability analysis of hybrid systems via predicate abstraction. In: Hybrid Systems: Computation and Control (HSCC), pp. 35–48 (2002)Google Scholar
- 3.Alur, R., Dang, T., Ivancic, F.: Counter-example guided predicate abstraction of hybrid systems. In: Tools and Algorithms for the Construction and Analysis of Systems, pp. 250–271 (2003)Google Scholar
- 4.Alur, R., Dang, T., Ivancic, F.: Progress on reachability analysis of hybrid systems using predicate abstraction. In: Hybrid Systems: Computation and Control. pp. 4–19 (2003)Google Scholar
- 5.Alur, R., Grosu, R., Hur, Y., Kumar, V., Lee, I.: Modular specifications of hybrid systems in charon. In: Hybrid Systems: Computation and Control, pp. 6–19 (2000)Google Scholar
- 6.Alur, R., Henzinger, T.: Modularity for timed and hybrid systems. In: CONCUR ’97: Concurrency Theory, pp. 74–88. Springer (1997)Google Scholar
- 7.Anderson, K., Holte, R., Schaeffer, J.: Partial pattern databases. In: Symposium on abstraction, reformulation, and approximation, pp. 20–34 (2007)Google Scholar
- 8.Asarin, E., Dang, T., Girard, A.: Hybridization methods for the analysis of nonlinear systems. Acta Informatica 43(7), 451–476 (2007)MathSciNetCrossRefMATHGoogle Scholar
- 9.Balluchi, A., Benvenuti, L., Benedetto, M.D.D., Pinello, C., Sangiovanni-Vincentelli, A.L.: Automotive engine control and hybrid systems: challenges and opportunities. Proc. IEEE 88(7), 888–912 (2000)CrossRefGoogle Scholar
- 10.Bertsekas, D., Nedi, A., Ozdaglar, A., et al.: Convex Analysis and Optimization. Athena Scientific, Belmont (2003)Google Scholar
- 11.Bhatia, A., Frazzoli, E.: Incremental search methods for reachability analysis of continuous and hybrid systems. In: Hybrid Systems: Computation and Control, pp 142–156 (2004)Google Scholar
- 12.Bogomolov, S., Donzé, A., Frehse, G., Grosu, R., Johnson, T.T., Ladan, H., Podelski, A., Wehrle, M.: Abstraction-based guided search for hybrid systems. In: Model Checking Software, pp. 117–134 (2013)Google Scholar
- 13.Bogomolov, S., Frehse, G., Greitschus, M., Grosu, R., Pasareanu, C., Podelski, A., Strump, T.: Assume-guarantee abstraction refinement meets hybrid systems. In: Accepted to Haifa verification conference (2014)Google Scholar
- 14.Bogomolov, S., Frehse, G., Grosu, R., Ladan, H., Podelski, A., Wehrle, M.: A box-based distance between regions for guiding the reachability analysis of SpaceEx. Computer Aided Verification, pp. 479–494. Springer, New York (2012)CrossRefGoogle Scholar
- 15.Bournez, O., Maler, O., Pnueli, A.: Orthogonal polyhedra: representation and computation. In: Hybrid Systems: Computation and Control, pp 46–60. Springer (1999)Google Scholar
- 16.Chutinan, C., Krogh, B.: Computational techniques for hybrid system verification. IEEE Trans Autom Control 48(1), 64–75 (2003)MathSciNetCrossRefGoogle Scholar
- 17.Culberson, J.C., Schaeffer, J.: Pattern databases. Comput. Intell. 14(3), 318–334 (1998)MathSciNetCrossRefGoogle Scholar
- 18.Dang, T., Nahhal, T.: Coverage-guided test generation for continuous and hybrid systems. Form. Methods Syst. Des. 34(2), 183–213 (2009)CrossRefMATHGoogle Scholar
- 19.Deshpande, A., Godbole, D., Göllü, A., Varaiya, P.: Design and evaluation of tools for automated highway systems. Hybrid Systems III, pp. 138–148. Springer, Berlin (1996)CrossRefGoogle Scholar
- 20.Egerstedt, M.: Behavior-based robotics using hybrid automata. In: Hybrid Systems: Computation and Control, pp. 103–116 (2000)Google Scholar
- 21.Fehnker, A., Ivančić, F.: Benchmarks for hybrid systems verification. In: Hybrid Systems: Computation and Control, pp. 381–397 (2004)Google Scholar
- 22.Frehse, G.: Phaver: algorithmic verification of hybrid systems past hytech. STTT 10(3), 263–279 (2008)MathSciNetCrossRefMATHGoogle Scholar
- 23.Frehse, G., Le Guernic, C., Donzé, A., Cotton, S., Ray, R., Lebeltel, O., Ripado, R., Girard, A., Dang, T., Maler, O.: SpaceEx: Scalable verification of hybrid systems. Computer Aided Verification, pp. 379–395. Springer, Berlin (2011)CrossRefGoogle Scholar
- 24.Holte, R.C., Grajkowski, J., Tanner, B.: Hierarchical heuristic search revisited. In: Symposium on abstraction, reformulation and approximation, pp. 121–133 (2005)Google Scholar
- 25.Jha, S.K., Krogh, B.H., Weimer, J.E., Clarke, E.M.: Reachability for linear hybrid automata using iterative relaxation abstraction. Hybrid Systems: Computation and Control (HSCC), pp. 287–300. Springer, Berlin (2007)CrossRefGoogle Scholar
- 26.Johansson, K.H., Egerstedt, M., Lygeros, J., Sastry, S.: On the regularization of zeno hybrid automata. Syst. Control Lett. 38(3), 141–150 (1999)MathSciNetCrossRefMATHGoogle Scholar
- 27.Johnson, T.T., Green, J., Mitra, S., Dudley, R., Erwin, R.S.: Satellite rendezvous and conjunction avoidance: case studies in verification of nonlinear hybrid systems. Formal Methods, pp. 252–266. Springer, Berlin (2012)Google Scholar
- 28.Khalil, H.K.: Nonlinear Systems, 3rd edn. Prentice Hall, Upper Saddle River (2002)MATHGoogle Scholar
- 29.Kupferschmid, S., Hoffmann, J., Larsen, K.G.: Fast directed model checking via russian doll abstraction. Tools and Algorithms for the Construction and Analysis of Systems, pp. 203–217. Springer, Berlin (2008)CrossRefGoogle Scholar
- 30.Kupferschmid, S., Wehrle, M.: Abstractions and pattern databases: the quest for succinctness and accuracy. Tools and Algorithms for the Construction and Analysis of Systems, pp. 276–290. Springer, Berlin (2011)CrossRefGoogle Scholar
- 31.Kurzhanski, A.B., Varaiya, P.: Ellipsoidal techniques for reachability analysis. In: Hybrid Systems: Computation and Control, third international workshop, HSCC 2000, Pittsburgh, March 23–25, Proceedings, 202–214 (2000)Google Scholar
- 32.Larsen, B.J., Burns, E., Ruml, W., Holte, R.: Searching without a heuristic: efficient use of abstraction. In: AAAI conference on artificial intelligence (2010)Google Scholar
- 33.Le Guernic, C., Girard, A.: Reachability analysis of linear systems using support functions. Nonlinear Anal. Hybrid Syst. 4(2), 250–262 (2010)MathSciNetCrossRefMATHGoogle Scholar
- 34.Livadas, C., Lygeros, J., Lynch, N.A.: High-level modelling and analysis of tcas. In: IEEE Real-time systems symposium, pp. 115–125 (1999)Google Scholar
- 35.Lygeros, J., Pappas, G.J., Sastry, S.: An approach to the verification of the center-tracon automation system. Hybrid Systems: Computation and Control, pp. 289–304. Springer, Berlin (1998)CrossRefGoogle Scholar
- 36.Plaku, E., Kavraki, L., Vardi, M.: Hybrid systems: from verification to falsification. Computer Aided Verification, pp. 463–476. Springer, Berlin (2007)CrossRefGoogle Scholar
- 37.Qian, K., Nymeyer, A.: Guided invariant model checking based on abstraction and symbolic pattern databases. Tools and Algorithms for the Construction and Analysis of Systems, pp. 497–511. Springer, Berlin (2004)CrossRefGoogle Scholar
- 38.Ratschan, S., Smaus, J.-G.: Finding errors of hybrid systems by optimising an abstraction-based quality estimate. Tests and Proofs, pp. 153–168. Springer, Berlin (2009)CrossRefGoogle Scholar
- 39.Tiwari, A.: Abstractions for hybrid systems. Form. Methods Syst. Des. 32(1), 57–83 (2008)CrossRefMATHGoogle Scholar
- 40.Tiwari, A., Khanna, G.: Series of abstractions for hybrid automata. Hybrid Systems: Computation and Control, pp. 465–478. Springer, Berlin (2002)CrossRefGoogle Scholar
- 41.Varaiya, P.: Smart cars on smart roads: problems of control. IEEE Trans. Autom. Control 38(2), 195–207 (1993)MathSciNetCrossRefGoogle Scholar
- 42.Wehrle, M., Kupferschmid, S.: Downward pattern refinement for timed automata. Int. J. Softw. Tools Technol. Transf. (2014). doi:10.1007/s10009-014-0346-x
- 43.Zutshi, A., Sankaranarayanan, S., Deshmukh, J., Kapinski, J.: A trajectory splicing approach to concretizing counterexamples for hybrid systems. In: Conference on decision and control (CDC), pp. 3918–3925 (2013)Google Scholar
Copyright information
Open AccessThis article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.