Chapter

Revisiting Polyhedral Analysis for Hybrid Systems


Abstract

Thanks to significant progress in the adopted implementation techniques, the recent years have witnessed a renewed interest in the development of analysis tools based on the domain of convex polyhedra. In this paper we revisit the application of this abstract domain to the case of reachability analysis for hybrid systems, focusing on the lessons learned during the development of the tool PHAVerLite. In particular, we motivate the implementation of specialized versions of several well-known abstract operators, as well as the adoption of a heuristic technique (boxed polyhedra) for the handling of finite collections of polyhedra, showing their impact on the efficiency of the analysis tool.


... This new abstract domain operator, initially proposed in [9], filters the input abstract element on a predicate and on its complement ¬ at the same time, allowing for the factorization of any replicated computational effort. Note that, if no optimization is possible, the abstract domain can just resort to the default implementation, which clones the abstract element and invokes (twice) the filter operator. ...
... The split operator proposed in [9,Sect. 5] was focusing on the case of rational splits on linear (strict or non-strict) inequalities, i.e., splits on predicates to be interpreted on an abstract domain modeling non-integral valued variables; the operator was defined for both convex polyhedra domains P and CP . ...
... As discussed in [9], in order to obtain precise approximations, the rational split operator should be defined on the abstract domain P of NNC polyhedra, which provides full support for strict inequalities. In this case, it is possible to implement the split operator so that for each ∈ P and a non-strict linear inequality constraint, split( , ) = ( 1 , 2 ) will satisfy Pseudocode 3 (Filter-based rational split) 1: function filter-based-Q-split( , ) 2: ...
Article
In the context of abstract interpretation-based static analysis, we propose a new abstract operator modeling the split of control flow paths: the goal of the operator is to enable a more efficient analysis when using abstract domains that are computationally expensive, having no negative effect on precision, and occasionally resulting in a more precise analysis. We focus on the case of conditional branches guarded by numeric linear constraints, including implicit numerical branches. We provide an experimental evaluation of real-world test cases, showing that by using the split operator we can achieve significant efficiency improvements with respect to the classical approach for a static analysis based on the domain of convex polyhedra. We also briefly discuss the applicability of this new operator to different, possibly non-numeric abstract domains.
... The main loop (lines 6-14 of the procedure) analyzes the elements in the waiting list. At each iteration of the loop, an abstract state is extracted from the waiting list and the effects of all the enabled external events in E are considered. ...
... Such reachability analysis can be performed in various ways. We use the finite powerset of convex polyhedra with a tailored version of the fixpoint computation from [10,29], where discrete steps (for the internal transitions only) are interleaved with calls to the time elapse operator, modeling the continuous evolution steps. All the contributions are conservatively stored in $\mathit{evol}_S$ until a fixpoint is reached. ...
... All the contributions are conservatively stored in $\mathit{evol}_S$ until a fixpoint is reached. As in other reachability tools using polyhedra [10,26], a delayed widening technique [16] can be adopted to guarantee termination: the user can choose to apply a convergence accelerator after a parametric number of iterations. ...
Article
Stability is a fundamental requirement of dynamical systems. Most of the works concentrate on verifying stability for a given stability region. In this paper, we tackle the problem of synthesizing $\mathbb{P}$-stable abstractions. Intuitively, the $\mathbb{P}$-stable abstraction of a dynamical system characterizes the transitions between stability regions in response to external inputs. The stability regions are not given—rather, they are synthesized as their most precise representation with respect to a given set of predicates $\mathbb{P}$. A $\mathbb{P}$-stable abstraction is enriched by timing information derived from the duration of stabilization. We implement a synthesis algorithm in the framework of Abstract Interpretation that allows different degrees of approximation. We show the representational power of $\mathbb{P}$-stable abstractions that provide a high-level account of the behavior of the system with respect to stability, and we experimentally evaluate the effectiveness of the algorithm in synthesizing $\mathbb{P}$-stable abstractions for significant systems.
... This new abstract domain operator, initially proposed in [7], filters the input abstract element on a predicate and on its complement ¬ at the same time, allowing for the factorization of any replicated computational effort. Note that, if no optimization is possible, the abstract domain can just resort to the default implementation, which clones the abstract element and invokes (twice) the filter operator. ...
... The split operator proposed in [7] for the domain of convex polyhedra focuses on the case of rational splits: since in this 1 The experimental evaluation reported in [7] targets the analysis of a particular class of hybrid systems. ...
Conference Paper
In the context of static analysis based on Abstract Interpretation, we propose a new abstract operator modeling the split of control flow paths: the goal of the operator is to enable a more efficient analysis when using abstract domains that are computationally expensive, having no effect on precision. Focusing on the case of conditional branches guarded by numeric linear constraints, we provide a preliminary experimental evaluation showing that, by using the split operator, we can achieve significant efficiency improvements for a static analysis based on the domain of convex polyhedra. We also briefly discuss the applicability of this new operator to different, possibly non-numeric abstract domains.
... In our first solution, we reduce the $L_{mon}$ membership problem to reachability analysis of LHAs. In practice, we will use PHAVerLite, one of the most efficient tools for reachability analysis of hybrid systems according to [BZ19]. The idea of reducing monitoring to reachability analysis of extensions of finite-state automata is not new and was already proposed in the literature, e.g., [AHW18]. ...
... We experimentally evaluated our model-bounded monitoring scheme using the two procedures for $L_{mon}$ membership. For the first procedure via reachability analysis (in Section 6), we used PHAVerLite [BZ19] for conducting reachability analysis. For the second direct procedure (in Section 7), we implemented a prototypical tool HAMoni. ...
... For the procedure presented in Section 7, we implemented HAMoni in C++ with Parma Polyhedra Library (PPL) [BHZ08] and compiled using GCC 7.4.0. In both PHAVerLite and HAMoni, closed convex polyhedra are used to analyze the reachability [BZ19]. ...
Preprint
Monitoring of hybrid systems attracts both scientific and practical attention. However, monitoring algorithms suffer from the methodological difficulty of only observing sampled discrete-time signals, while real behaviors are continuous-time signals. To mitigate this problem of sampling uncertainties, we introduce a model-bounded monitoring scheme, where we use prior knowledge about the target system to prune interpolation candidates. Technically, we express such prior knowledge by linear hybrid automata (LHAs) - the LHAs are called bounding models. We introduce a novel notion of monitored language of LHAs, and we reduce the monitoring problem to the membership problem of the monitored language. We present two partial algorithms - one is via reduction to reachability in LHAs and the other is a direct one using polyhedra - and show that these methods, and thus the proposed model-bounded monitoring scheme, are efficient and practically relevant.
... This over-approximated knowledge is given in [WAH22a] in the form of a linear hybrid automaton (LHA) [HPR94]. We use in [WAH22a] both an ad-hoc implementation, and another one based on PHAVerLite [BZ19]. In this work, we share with [WAH22a] the principle of using an over-approximation of the model to rule out some violation of the specification, which comes in contrast with the aforementioned works. ...
Preprint
We introduce MoULDyS, that implements efficient offline and online monitoring algorithms of black-box cyber-physical systems w.r.t. safety properties. MoULDyS takes as input an uncertain log (with noisy and missing samples), as well as a bounding model in the form of an uncertain linear system; this latter model plays the role of an over-approximation so as to reduce the number of false alarms. MoULDyS is Python-based and available under the GNU General Public License v3.0 (gpl-3.0). We further provide easy-to-use scripts to recreate the results of two case studies introduced in an earlier work.
... This over-approximated knowledge is given in [WAH22a] in the form of a linear hybrid automaton (LHA) [HPR94], an extension of finite-state automata with continuous variables; their flow in each location ("mode") is given as a linear constraint over derivatives; location invariants and transition guards are given by linear constraints over the system variables. We use in [WAH22a] both an ad-hoc implementation, and another one based on PHAVerLite [Fre08,BZ19]. In this work, we share with [WAH22a] the principle of using an over-approximation of the model to rule out some violation of the specification. ...
Article
Monitoring the correctness of distributed cyber-physical systems is essential. Detecting possible safety violations can be hard when some samples are uncertain or missing. We monitor here a black-box cyber-physical system, with logs being uncertain both in the state and timestamp dimensions: that is, not only is the logged value known with some uncertainty, but the time at which the log was made is uncertain too. In addition, we make use of an over-approximated yet expressive model, given by a non-linear extension of dynamical systems. Given an offline log, our approach is able to monitor the log against safety specifications with a limited number of false alarms. As a second contribution, we show that our approach can be used online to minimize the number of sample triggers, with the aim of energy efficiency. We apply our approach to three benchmarks, an anesthesia model, an adaptive cruise controller and an aircraft orbiting system.
... More recently, [34] propose an offline pre-analysis to tailor the configuration of the static analysis tool to the specific program being analyzed. Online (i.e., dynamically computed) meta-analyses include, for instance, variable partitioning techniques [30,39] and the optimized implementation of semantic operators using boxed polyhedra [9]. While there certainly are static analysis tools that perform a non-uniform analysis (i.e., they use different abstract domains for different portions of the program being analyzed), to the best of our knowledge our approach is the first example of an analysis where the whole abstract domain (and not just one of its operators) is changed during the analysis of a single portion of code. ...
Chapter
Abstract Interpretation approximates the semantics of a program by mimicking its concrete fixpoint computation on an abstract domain A. The abstract (post-) fixpoint computation is classically divided into two phases: the ascending phase, using widenings as extrapolation operators to enforce termination, is followed by a descending phase, using narrowings as interpolation operators, so as to mitigate the effect of the precision losses introduced by widenings. In this paper we propose a simple variation of this classical approach where, to more effectively recover precision, we decouple the two phases: in particular, before starting the descending phase, we replace the domain A with a more precise abstract domain D. The correctness of the approach is justified by casting it as an instance of the A2I framework. After demonstrating the new technique on a simple example, we summarize the results of a preliminary experimental evaluation, showing that it is able to obtain significant precision improvements for several choices of the domains A and D.
... More recently, [31] propose an offline pre-analysis to tailor the configuration of the static analysis tool to the specific program being analyzed. Online (i.e., dynamically computed) meta-analyses include, for instance, variable partitioning techniques [27,36] and the optimized implementation of semantic operators using boxed polyhedra [7]. While there certainly are static analysis tools that perform a non-uniform analysis (i.e., they use different abstract domains for different portions of the program being analyzed), to the best of our knowledge our approach is the first example of an analysis where the whole abstract domain (and not just one of its operators) is changed during the analysis of a single portion of code. ...
Preprint
Abstract Interpretation approximates the semantics of a program by mimicking its concrete fixpoint computation on an abstract domain $\mathbb{A}$. The abstract (post-) fixpoint computation is classically divided into two phases: the ascending phase, using widenings as extrapolation operators to enforce termination, is followed by a descending phase, using narrowings as interpolation operators, so as to mitigate the effect of the precision losses introduced by widenings. In this paper we propose a simple variation of this classical approach where, to more effectively recover precision, we decouple the two phases: in particular, before starting the descending phase, we replace the domain $\mathbb{A}$ with a more precise abstract domain $\mathbb{D}$. The correctness of the approach is justified by casting it as an instance of the A²I framework. After demonstrating the new technique on a simple example, we summarize the results of a preliminary experimental evaluation, showing that it is able to obtain significant precision improvements for several choices of the domains $\mathbb{A}$ and $\mathbb{D}$.
... IMITATOR's input syntax also shares some similarities with that of PHAVerLite [33] (a fork of PHAVer and predecessor of SpaceEx, that uses PPLite [34] instead of PPL [32]), coming from the fact that both IMITATOR and PHAVerLite originate from the HyTech syntax. ...
Chapter
Real-time systems are notoriously hard to verify due to nondeterminism, concurrency and timing constraints. When timing constants are uncertain (in the early design phase, or due to slight variations of the timing bounds), timed model checking techniques may not be satisfactory. In contrast, parametric timed model checking synthesizes timing values ensuring correctness. IMITATOR takes as input an extension of parametric timed automata (PTAs), a powerful formalism to formally verify critical real-time systems. IMITATOR extends PTAs with multi-rate clocks, global rational-valued variables and a set of additional useful features. We describe here the new features and algorithms offered by IMITATOR 3, that moved along the years from a simple prototype dedicated to robustness analysis to a standalone parametric model checker for timed systems.
... For efficiency, a dual representation for polyhedra combines both H-polyhedra and V-polyhedra (V-polytopes extended with rays to represent unbounded sets) [108]. Further improvements in representation and targeted algorithms for both $\mathit{Post}_D$ and $\mathit{Post}_C$ can lead to significant speed-ups [109]. ...
Article
Reachability analysis consists in computing the set of states that are reachable by a dynamical system from all initial states and for all admissible inputs and parameters. It is a fundamental problem motivated by many applications in formal verification, controller synthesis, and estimation, to name only a few. This article focuses on a class of methods for computing a guaranteed overapproximation of the reachable set of continuous and hybrid systems, relying predominantly on set propagation; starting from the set of initial states, these techniques iteratively propagate a sequence of sets according to the system dynamics. After a review of set representation and computation, the article presents the state of the art of set propagation techniques for reachability analysis of linear, nonlinear, and hybrid systems. It ends with a discussion of successful applications of reachability analysis to real-world problems. Expected final online publication date for the Annual Review of Control, Robotics, and Autonomous Systems, Volume 4 is May 3, 2021. Please see http://www.annualreviews.org/page/journal/pubdates for revised estimates.
Chapter
We present a collection of advances in the algorithmic verification of hybrid automata with piecewise linear derivatives, so-called Linear Hybrid Automata. New ways to represent and compute with polyhedra, in combination with heuristic algorithmic improvements, have led to considerable speed-ups in checking safety properties through set propagation. We also showcase a CEGAR-style approach that iteratively constructs a polyhedral abstraction. We illustrate the efficiency and scalability of both approaches with two sets of benchmarks.
Article
Bounded model checking (BMC) is well-known to be undecidable even for simple hybrid systems. Existing work targeted for a wide class of non-linear hybrid systems reduces the BMC problem to the satisfiability problem of an SMT formula encoding the hybrid system dynamics. Consequently, the satisfiability of the formula is deduced with a δ-decision procedure. However, the encoded formula can be complex for large automata and for deep exploration, causing the decision procedure to be inefficient. Additionally, a generalized decision procedure can be inefficient for hybrid systems with simple dynamics. In this paper, we propose a BMC algorithm built upon the foundation of the CEGAR technique and targeted for hybrid systems with piecewise affine dynamics, modeled as a hybrid automaton. In particular, our algorithm begins by searching an abstract counterexample in the discrete state-space of the automaton. We check whether a discovered abstract counterexample is spurious or real by a two-tier refinement of the state-space guided by the abstract counterexample. The primary refinement is through symbolic reachability analysis and the following refinement is via a search of a real counterexample by the trajectory splicing method, guided in turn by the outcome of reachability analysis. We show that our algorithm reaps the benefits of the CEGAR technique by directing the exploration in the regions of interest and pruning search space that is irrelevant to the property under consideration. In addition, an optimization by memoizing the computed symbolic states during reachability analysis has been proposed for efficiency. The proposed algorithm is implemented in the tool SAT-Reach and we compare its performance with dReach, XSpeed, Flow*, SpaceEx and a pattern database heuristic-guided search algorithm. Experiments demonstrate the efficacy of our algorithm.
Chapter
Monitoring the correctness of distributed cyber-physical systems is essential. We address the analysis of the log of a black-box cyber-physical system. Detecting possible safety violations can be hard when some samples are uncertain or missing. In this work, the log is made of values known with some uncertainty; in addition, we make use of an over-approximated yet expressive model, given by a non-linear extension of dynamical systems. Given an offline log, our approach is able to monitor the log against safety specifications with a limited number of false alarms. As a second contribution, we show that our approach can be used online to minimize the number of sample triggers, with the aim of energy efficiency. We apply our approach to two benchmarks, an anesthesia model and an adaptive cruise controller.
Preprint
Monitoring the correctness of distributed cyber-physical systems is essential. We address the analysis of the log of a black-box cyber-physical system. Detecting possible safety violations can be hard when some samples are uncertain or missing. In this work, the log is made of values known with some uncertainty; in addition, we make use of an over-approximated yet expressive model, given by a non-linear extension of dynamical systems. Given an offline log, our approach is able to monitor the log against safety specifications with a limited number of false alarms. As a second contribution, we show that our approach can be used online to minimize the number of sample triggers, with the aim of energy efficiency. We apply our approach to two benchmarks, an anesthesia model and an adaptive cruise controller.
Article
Monitoring of hybrid systems attracts both scientific and practical attention. However, monitoring algorithms suffer from the methodological difficulty of only observing sampled discrete-time signals, while real behaviors are continuous-time signals. To mitigate this problem of sampling uncertainties, we introduce a model-bounded monitoring scheme, where we use prior knowledge about the target system to prune interpolation candidates. Technically, we express such prior knowledge by linear hybrid automata (LHAs)—the LHAs are called bounding models . We introduce a novel notion of monitored language of LHAs, and we reduce the monitoring problem to the membership problem of the monitored language. We present two partial algorithms—one is via reduction to reachability in LHAs and the other is a direct one using polyhedra—and show that these methods, and thus the proposed model-bounded monitoring scheme, are efficient and practically relevant.
Chapter
In finite-state systems, true existential properties admit witnesses in form of lasso-shaped fair paths. When dealing with the infinite-state case (e.g. software non-termination, model checking of hybrid automata) this is no longer the case. In this paper, we propose a compositional approach for proving the existence of fair paths of infinite-state systems. First, we describe a formal approach to prove the existence of a non-empty under-approximation of the original system that only contains fair paths. Second, we define an automated procedure that, given a set of hints (in form of basic components), searches for a suitable composition proving the existence of a fair path. We experimentally evaluate the approach on examples taken from both software and hybrid systems, showing its wide applicability and expressiveness.
Chapter
This chapter is about linear systems containing finitely many weak and/or strict inequalities, whose solution sets, provided they are nonempty, are called evenly convex polyhedral sets (e-polyhedra, in brief). Of course, all results in Chap. 1 on e-convex sets and their linear representations are valid here, but the finiteness of the linear representations of e-polyhedra allows one to obtain specific results and methods.
Article
We present an alternative Double Description representation for the domain of NNC (not necessarily closed) polyhedra, together with the corresponding Chernikova-like conversion procedure. The representation uses no slack variable at all and provides a solution to a few technical issues caused by the encoding of an NNC polyhedron as a closed polyhedron in a higher dimension space. We then reconstruct the abstract domain of NNC polyhedra, providing all the operators needed to interface it with commonly available static analysis tools: while doing this, we highlight the efficiency gains enabled by the new representation and we show how the canonicity of the new representation allows for the specification of proper, semantic widening operators. A thorough experimental evaluation shows that our new abstract domain achieves significant efficiency improvements with respect to classical implementations for NNC polyhedra.
Article
The fundamental idea of Abstract² Interpretation (A²I), also called meta-abstract interpretation, is to apply abstract interpretation to abstract interpretation-based static program analyses. A²I is generally meant to use abstract interpretation to analyse properties of program analysers. A²I can be either offline or online. Offline A²I is performed either before the program analysis, such as variable packing used by the Astrée program analyser, or after the program analysis, such as in alarm diagnosis. Online A²I is performed during the program analysis, such as Venet’s cofibred domains or Halbwachs et al.’s and Singh et al.’s variable partitioning techniques for fast polyhedra/numerical abstract domains. We formalize offline and online meta-abstract interpretation and illustrate this notion with the design of widenings and the decomposition of relational abstract domains to speed-up program analyses. This shows how novel static analyses can be extracted as meta-abstract interpretations to design efficient and precise program analysis algorithms.
Chapter
We present an alternative Double Description representation for the domain of NNC (not necessarily closed) polyhedra, together with the corresponding Chernikova-like conversion procedure. The representation uses no slack variable at all and provides a solution to a few technical issues caused by the encoding of an NNC polyhedron as a closed polyhedron in a higher dimension space. A preliminary experimental evaluation shows that the new conversion algorithm is able to achieve significant efficiency improvements.
Conference Paper
Convex polyhedra capture linear relations between variables. They are used in static analysis and optimizing compilation. Their high expressiveness is however barely used in verification because of their cost, often prohibitive as the number of variables involved increases. Our goal in this article is to lower this cost. Whatever the chosen representation of polyhedra – as constraints, as generators or as both – expensive operations are unavoidable. That cost is mostly due to four operations: conversion between representations, based on Chernikova’s algorithm, for libraries in double description; convex hull, projection and minimization, in the constraints-only representation of polyhedra. Libraries operating over generators incur exponential costs on cases common in program analysis. In the Verimag Polyhedra Library this cost was avoided by a constraints-only representation and reducing all operations to variable projection, classically done by Fourier-Motzkin elimination. Since Fourier-Motzkin generates many redundant constraints, minimization was however very expensive. In this article, we avoid this pitfall by expressing projection as a parametric linear programming problem. This dramatically improves efficiency, mainly because it avoids the post-processing minimization. We show how our new approach can be up to orders of magnitude faster than the previous approach implemented in the Verimag Polyhedra Library that uses only constraints and Fourier-Motzkin elimination, and on par with the conventional double description approach, as implemented in well-known libraries.
Conference Paper
Latest developments brought interesting theoretical results and powerful tools for the reachability analysis of hybrid systems. However, there are still challenging problems to be solved in order to make those technologies applicable to large-scale applications in industrial context. To support this development, in this paper we give a brief overview of available algorithms and tools, and point out some of their individual characteristics regarding various properties which are crucial for the verification of hybrid systems. We present exemplary evaluations on three benchmarks to motivate the need for further development and discuss some of the main challenges for future research in this area.
Conference Paper
In this article, we apply techniques from Abstract Interpretation (a general theory of semantic abstractions) to Constraint Programming (which aims at solving hard combinatorial problems with a generic framework based on first-order logics). We highlight some links and differences between these fields: both compute fixpoints by iteration but employ different extrapolation and refinement strategies; moreover, consistencies in Constraint Programming can be mapped to non-relational abstract domains. We then use these correspondences to build an abstract constraint solver that leverages abstract interpretation techniques (such as relational domains) to go beyond classic solvers. We present encouraging experimental results obtained with our prototype implementation.
Data
We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an over-approximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach.
Conference Paper
In 1995, HyTech broke new ground as a potentially powerful tool for verifying hybrid systems – yet it has remained severely limited in its applicability to more complex systems. We address the main problems of HyTech with PHAVer, a new tool for the exact verification of safety properties of hybrid systems with piecewise constant bounds on the derivatives. Affine dynamics are handled by on-the-fly overapproximation and by partitioning the state space based on user-definable constraints and the dynamics of the system. PHAVer’s exact arithmetic is robust due to the use of the Parma Polyhedra Library, which supports arbitrarily large numbers. To manage the complexity of the polyhedral computations, we propose methods to conservatively limit the number of bits and constraints of polyhedra. Experimental results for a navigation benchmark and a tunnel diode circuit show the effectiveness of the approach.
Article
The finite powerset construction upgrades an abstract domain by allowing for the representation of finite disjunctions of its elements. While most of the operations on the finite powerset abstract domain are easily obtained by “lifting” the corresponding operations on the base-level domain, the problem of endowing finite powersets with a provably correct widening operator is still open. In this paper we define three generic widening methodologies for the finite powerset abstract domain. The widenings are obtained by lifting any widening operator defined on the base-level abstract domain and are parametric with respect to the specification of a few additional operators that allow all the flexibility required to tune the complexity/precision trade-off. As far as we know, this is the first time that the problem of deriving non-trivial, provably correct widening operators in a domain refinement is tackled successfully. We illustrate the proposed techniques by instantiating our widening methodologies on powersets of convex polyhedra, a domain for which no non-trivial widening operator was previously known.
Article
In 1995, HyTech broke new ground as a potentially powerful tool for verifying hybrid systems. But due to practical and systematic limitations it is only applicable to relatively simple systems. We address the main problems of HyTech with PHAVer, a new tool for the exact verification of safety properties of hybrid systems with piecewise constant bounds on the derivatives, so-called linear hybrid automata. Affine dynamics are handled by on-the-fly overapproximation and partitioning of the state space based on user-provided constraints and the dynamics of the system. PHAVer features exact arithmetic in a robust implementation that, based on the Parma Polyhedra Library, supports arbitrarily large numbers. To force termination and manage the complexity of the polyhedral computations, we propose methods to conservatively limit the number of bits and constraints of polyhedra. Experimental results for a navigation benchmark and a tunnel diode circuit demonstrate the effectiveness of the approach.
Conference Paper
Polyhedral analysis infers invariant linear equalities and inequalities of imperative programs. However, the exponential complexity of polyhedral operations such as image computation and convex hull limits the applicability of polyhedral analysis. Weakly relational domains such as intervals and octagons address the scalability issue by considering polyhedra whose constraints are drawn from a restricted, user-specified class. On the other hand, these domains rely solely on candidate expressions provided by the user. Therefore, they often fail to produce strong invariants. We propose a polynomial time approach to strongly relational analysis. We provide efficient implementations of join and post condition operations, achieving a trade off between performance and accuracy. We have implemented a strongly relational polyhedral analyzer for a subset of the C language. Initial experimental results on benchmark examples are encouraging.
Conference Paper
We present a scalable reachability algorithm for hybrid systems with piecewise affine, non-deterministic dynamics. It combines polyhedra and support function representations of continuous sets to compute an over-approximation of the reachable states. The algorithm improves over previous work by using variable time steps to guarantee a given local error bound. In addition, we propose an improved approximation model, which drastically improves the accuracy of the algorithm. The algorithm is implemented as part of SpaceEx, a new verification platform for hybrid systems, available at spaceex.imag.fr. Experimental results of full fixed-point computations with hybrid systems with more than 100 variables illustrate the scalability of the approach.
Conference Paper
A program denotes computations in some universe of objects. Abstract interpretation of programs consists in using that denotation to describe computations in another universe of abstract objects, so that the results of abstract execution give some information on the actual computations. An intuitive example (which we borrow from Sintzoff [72]) is the rule of signs. The text -1515 * 17 may be understood to denote computations on the abstract universe {(+), (-), (±)} where the semantics of arithmetic operators is defined by the rule of signs. The abstract execution -1515 * 17 → -(+) * (+) → (-) * (+) → (-), proves that -1515 * 17 is a negative number. Abstract interpretation is concerned by a particular underlying structure of the usual universe of computations (the sign, in our example). It gives a summary of some facets of the actual executions of a program. In general this summary is simple to obtain but inaccurate (e.g. -1515 + 17 → -(+) + (+) → (-) + (+) → (±)). Despite its fundamentally incomplete results abstract interpretation allows the programmer or the compiler to answer questions which do not need full knowledge of program executions or which tolerate an imprecise answer, (e.g. partial correctness proofs of programs ignoring the termination problems, type checking, program optimizations which are not carried in the absence of certainty about their feasibility, …).
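The rule-of-signs example in the abstract above, carried out in code. This is an added illustration, not code from the cited paper, from PHAVerLite or from any library: the sign lattice uses the paper's (+), (-) and (±), with a '0' element added so that products with a literal zero stay exact, and expression trees use an assumed tuple encoding (`('lit', n)`, `('neg', e)`, `('add', e1, e2)`, `('mul', e1, e2)`). The soundness check at the end compares the abstract operators against concrete arithmetic on constructed witness values, which is exactly the property that makes the imprecise answer for -1515 + 17 acceptable: it is never wrong, only less informative.

```python
"""Rule-of-signs abstract interpretation (added example, not the paper's code).

Abstract universe: '+', '-', '±' as in the abstract, plus '0' so that products
with a literal 0 stay exact.  Expressions use an assumed tuple encoding:
('lit', 17), ('neg', e), ('add', e1, e2), ('mul', e1, e2).
"""
from itertools import product

POS, NEG, ZERO, TOP = "+", "-", "0", "±"
SIGNS = (POS, NEG, ZERO, TOP)

def alpha(n):
    """Abstraction of one concrete integer."""
    return ZERO if n == 0 else (POS if n > 0 else NEG)

def leq(a, b):
    """Partial order of the sign lattice: every sign is below TOP."""
    return a == b or b == TOP

# Constructed witnesses for each abstract value, used only by the soundness check.
WITNESSES = {POS: [1, 17, 1515], NEG: [-1, -17, -1515], ZERO: [0],
             TOP: [-1515, 0, 17]}

def abs_neg(a):
    return {POS: NEG, NEG: POS, ZERO: ZERO, TOP: TOP}[a]

def abs_mul(a, b):
    if ZERO in (a, b):      # 0 * anything = 0, even if the other side is unknown
        return ZERO
    if TOP in (a, b):
        return TOP
    return POS if a == b else NEG

def abs_add(a, b):
    if a == ZERO:
        return b
    if b == ZERO:
        return a
    if a == b:
        return a
    return TOP              # (+) + (-): the sign is not determined

def abs_eval(e):
    """Abstract execution of an expression tree."""
    op = e[0]
    if op == "lit":
        return alpha(e[1])
    if op == "neg":
        return abs_neg(abs_eval(e[1]))
    if op == "add":
        return abs_add(abs_eval(e[1]), abs_eval(e[2]))
    if op == "mul":
        return abs_mul(abs_eval(e[1]), abs_eval(e[2]))
    raise ValueError(f"unknown operator {op!r}")

def conc_eval(e):
    """Concrete execution, used to compare against the abstract result."""
    op = e[0]
    if op == "lit":
        return e[1]
    if op == "neg":
        return -conc_eval(e[1])
    if op == "add":
        return conc_eval(e[1]) + conc_eval(e[2])
    return conc_eval(e[1]) * conc_eval(e[2])

def binary_op_sound(abs_op, conc_op):
    """alpha(x op y) is below abs_op(alpha(x), alpha(y)) for every witness pair."""
    for a, b in product(SIGNS, repeat=2):
        r = abs_op(a, b)
        for x in WITNESSES[a]:
            for y in WITNESSES[b]:
                if not leq(alpha(conc_op(x, y)), r):
                    return False
    return True

# The two expressions from the abstract: -1515 * 17 and -1515 + 17.
PRODUCT = ("mul", ("neg", ("lit", 1515)), ("lit", 17))
SUM = ("add", ("neg", ("lit", 1515)), ("lit", 17))

if __name__ == "__main__":
    print(abs_eval(PRODUCT), conc_eval(PRODUCT))   # '-' -25755
    print(abs_eval(SUM), conc_eval(SUM))           # '±' -1498
```

The abstract result for the product is '-' and for the sum is '±': the abstract operators lose the magnitude information that would be needed to decide the sign of the sum, but `binary_op_sound` confirms that neither operator ever claims a sign the concrete value does not have.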
Conference Paper
Semantic analysis of programs is essential in optimizing compilers and program verification systems. It encompasses data flow analysis, data type determination, generation of approximate invariant assertions, etc. This paper is devoted to the systematic and correct design of program analysis frameworks with respect to a formal semantics.
Article
Linear Relation Analysis [11] is an abstract interpretation devoted to the automatic discovery of invariant linear inequalities among numerical variables of a program. In this paper, we apply such an analysis to the verification of quantitative time properties of two kinds of systems: synchronous programs and linear hybrid systems.
Article
Since the seminal work of Cousot and Halbwachs, the domain of convex polyhedra has been employed in several systems for the analysis and verification of hardware and software components. Although most implementations of the polyhedral operations assume that the polyhedra are topologically closed (i.e., all the constraints defining them are non-strict), several analyzers and verifiers need to compute on a domain of convex polyhedra that are not necessarily closed (NNC). The usual approach to implementing NNC polyhedra is to embed them into closed polyhedra in a higher dimensional vector space and reuse the tools and techniques already available for closed polyhedra. In this work we highlight and discuss the issues underlying such an embedding for those implementations that are based on the double description method, where a polyhedron may be described by a system of linear constraints or by a system of generating rays and points. Two major achievements are the definition of a theoretically clean, high-level user interface and the specification of an efficient procedure for removing redundancies from the descriptions of NNC polyhedra.
Article
Convex polyhedra are often used to approximate sets of states of programs involving numerical variables. The manipulation of convex polyhedra relies on the so-called double description, consisting of viewing a polyhedron both as the set of solutions of a system of linear inequalities, and as the convex hull of a system of generators, i.e., a set of vertices and rays. The cost of these manipulations is highly dependent on the number of numerical variables, since the size of each representation can be exponential in the dimension of the space. In this paper, we investigate some ways for reducing the dimension: On one hand, when a polyhedron satisfies affine equations, these equations can obviously be used to eliminate some variables. On the other hand, when groups of variables are unrelated with each other, this means that the polyhedron is in fact a Cartesian product of polyhedra of lower dimensions. Detecting such Cartesian factoring is not very difficult, but we adapt also the operations to work on Cartesian products. Finally, we extend the applicability of Cartesian factoring by applying suitable variable change, in order to maximize the factoring.
Conference Paper
Linear Relation Analysis [CH78] suffers from the cost of operations on convex polyhedra, which can be exponential with the number of involved variables. In order to reduce this cost, we propose to detect when a polyhedron is a Cartesian product of polyhedra of lower dimensions, i.e., when groups of variables are unrelated with each other. Classical operations are adapted to work on such factored polyhedra. Our implementation shows encouraging experimental results.
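The Cartesian factoring described in the two abstracts above (detecting groups of variables that no constraint relates, and adapting operations so that they touch only the affected factors), as an added example that is not code from the cited papers, from PHAVerLite or from the Parma Polyhedra Library. The constraint encoding is an assumption: a constraint is a tuple `(coeffs, rel, rhs)` such as `({'x': 1, 'y': -1}, '<=', 3)` for x - y <= 3, and every variable named in a constraint is expected to appear in the `variables` list. Variables are related when they share a constraint with non-zero coefficients; the connected components of that relation are the factors, and `add_constraint` shows the adapted operation: adding a constraint merges only the factors it mentions.

```python
"""Cartesian factoring of a constraint-represented polyhedron (added example).

Assumed encoding: ({'x': 1, 'y': -1}, '<=', 3) means x - y <= 3.
"""
from typing import Dict, List, Optional, Tuple

Constraint = Tuple[Dict[str, int], str, int]
Factor = Tuple[List[str], List[Constraint]]

def support(c: Constraint) -> List[str]:
    """Variables with a non-zero coefficient, in sorted order."""
    return sorted(v for v, k in c[0].items() if k != 0)

def _holds_trivially(c: Constraint) -> bool:
    """Evaluate a constraint whose support is empty (reads as 0 rel rhs)."""
    _, rel, rhs = c
    return {"<=": 0 <= rhs, ">=": 0 >= rhs, "=": rhs == 0,
            "<": 0 < rhs, ">": 0 > rhs}[rel]

class DisjointSets:
    """Union-find over variable names."""
    def __init__(self, items):
        self.parent = {v: v for v in items}
    def find(self, v):
        while self.parent[v] != v:
            self.parent[v] = self.parent[self.parent[v]]   # path halving
            v = self.parent[v]
        return v
    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def factor(variables: List[str], constraints: List[Constraint]) -> Optional[List[Factor]]:
    """Split the system into independent blocks, ordered by first variable.

    Returns None when a variable-free constraint is false (the polyhedron is
    empty, so there is nothing to factor).  Tautologies like 0 <= 3 are dropped.
    An unconstrained variable becomes a one-dimensional factor with no constraints.
    """
    ds = DisjointSets(variables)
    kept = []
    for c in constraints:
        vs = support(c)
        if not vs:
            if not _holds_trivially(c):
                return None
            continue
        kept.append(c)
        for v in vs[1:]:
            ds.union(vs[0], v)
    blocks: Dict[str, List[str]] = {}
    for v in variables:                      # preserves the order of `variables`
        blocks.setdefault(ds.find(v), []).append(v)
    return [(vs, [c for c in kept if ds.find(support(c)[0]) == root])
            for root, vs in blocks.items()]

def add_constraint(factors: List[Factor], c: Constraint) -> Optional[List[Factor]]:
    """Add a constraint to a factored polyhedron, merging only the blocks it touches."""
    vs = set(support(c))
    if not vs:
        return factors if _holds_trivially(c) else None
    touched = [f for f in factors if vs & set(f[0])]
    untouched = [f for f in factors if not (vs & set(f[0]))]
    merged_vars = [v for f in touched for v in f[0]]
    merged_cs = [k for f in touched for k in f[1]] + [c]
    return untouched + [(merged_vars, merged_cs)]

# Constructed sample system: x and y are related, z is on its own, t is free.
SAMPLE_VARS = ["x", "y", "z", "t"]
SAMPLE_CONSTRAINTS = [({"x": 1, "y": -1}, "<=", 3), ({"y": 1}, ">=", 0),
                      ({"z": 1}, "<=", 5), ({"x": 0}, "<=", 7)]

if __name__ == "__main__":
    fs = factor(SAMPLE_VARS, SAMPLE_CONSTRAINTS)
    print([vs for vs, _ in fs])                            # [['x', 'y'], ['z'], ['t']]
    print([vs for vs, _ in add_constraint(fs, ({"x": 1, "z": 1}, "<=", 10))])
```

On the constructed sample the polyhedron factors into a two-dimensional block over x and y, a one-dimensional block over z and the unconstrained line t, so any operation that is exponential in the dimension runs on dimension 2 instead of 4; adding x + z <= 10 afterwards merges the first two blocks and leaves t untouched.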
Article
The model of abstract interpretation of programs developed by Cousot and Cousot [2nd ISOP, 1976], Cousot and Cousot [POPL 1977] and Cousot [PhD thesis 1978] is applied to the static determination of linear equality or inequality invariant relations among numerical variables of programs.
Conference Paper
We present a new application of the abstract interpretation by means of convex polyhedra, to a class of hybrid systems, i.e., systems involving both discrete and continuous variables. The result is an efficient automatic tool for approximate, but conservative, verification of reachability properties of these systems. 1 Introduction Timed automata [AD90] have been recently introduced to model real-time systems. A timed automaton is a finite automaton associated with a finite set of clocks, each clock counting the continuous elapsing of time. Each transition of the automaton can be guarded by a simple linear condition on the clock values, and can result in resetting some clocks to zero. A nice feature of this model is that it can be abstracted into a finite state system, and that all the standard verification problems (reachability, TCTL model-checking [ACD90, HNSY92]) are decidable. However, many interesting extensions of this model have been shown to lose this decidability propert...
Chapter
We present a construction of the abstract domain of NNC (not necessarily topologically closed) polyhedra based on a recently introduced variant of the double description representation and conversion procedure. We describe the implementation of the operators needed to interface the new abstract domain with commonly available static analysis tools, highlighting the efficiency gains enabled by the new representation. We also reconsider the widening operator for NNC polyhedra, proposing a more appropriate specification based on the semantics of the domain elements, rather than their low level representation details. Finally, we provide an experimental evaluation comparing the efficiency of the new abstract domain with respect to more classical implementations.
Conference Paper
Numerical abstract domains are an important ingredient of modern static analyzers used for verifying critical program properties (e.g., absence of buffer overflow or memory safety). Among the many numerical domains introduced over the years, Polyhedra is the most expressive one, but also the most expensive: it has worst-case exponential space and time complexity. As a consequence, static analysis with the Polyhedra domain is thought to be impractical when applied to large scale, real world programs. In this paper, we present a new approach and a complete implementation for speeding up Polyhedra domain analysis. Our approach does not lose precision, and for many practical cases, is orders of magnitude faster than state-of-the-art solutions. The key insight underlying our work is that polyhedra arising during analysis can usually be kept decomposed, thus considerably reducing the overall complexity. We first present the theory underlying our approach, which identifies the interaction between partitions of variables and domain operators. Based on the theory we develop new algorithms for these operators that work with decomposed polyhedra. We implemented these algorithms using the same interface as existing libraries, thus enabling static analyzers to use our implementation with little effort. In our evaluation, we analyze large benchmarks from the popular software verification competition, including Linux device drivers with over 50K lines of code. Our experimental results demonstrate massive gains in both space and time: we show end-to-end speedups of two to five orders of magnitude compared to state-of-the-art Polyhedra implementations as well as significant memory gains, on all larger benchmarks. In fact, in many cases our analysis terminates in seconds where prior code runs out of memory or times out after 4 hours. We believe this work is an important step in making the Polyhedra abstract domain both feasible and practically usable for handling large, real-world programs.
Conference Paper
This article describes Apron, a freely available library dedicated to the static analysis of the numerical variables of programs by abstract interpretation. Its goal is threefold: provide analysis implementers with ready-to-use numerical abstractions under a unified API, encourage the research in numerical abstract domains by providing a platform for integration and comparison, and provide teaching and demonstration tools to disseminate knowledge on abstract interpretation.
Article
In this paper we consider the following basic problem in polyhedral computation: Given two polyhedra in , P and Q, decide whether their union is convex, and, if so, compute it. We consider the three natural specializations of the problem: (1) when the polyhedra are given by halfspaces (H-polyhedra), (2) when they are given by vertices and extreme rays (V-polyhedra), and (3) when both H- and V-polyhedral representations are available. Both the bounded (polytopes) and the unbounded case are considered. We show that the first two problems are polynomially solvable, and that the third problem is strongly-polynomially solvable.
Article
Since its inception as a student project in 2001, initially just for the handling (as the name implies) of convex polyhedra, the Parma Polyhedra Library has been continuously improved and extended by joining scrupulous research on the theoretical foundations of (possibly non-convex) numerical abstractions to a total adherence to the best available practices in software development. Even though it is still not fully mature and functionally complete, the Parma Polyhedra Library already offers a combination of functionality, reliability, usability and performance that is not matched by similar, freely available libraries. In this paper, we present the main features of the current version of the library, emphasizing those that distinguish it from other similar libraries and those that are important for applications in the field of analysis and verification of hardware and software systems.
Conference Paper
Convex polyhedra constitute the most used abstract domain among those capturing numerical relational information. Since the domain of convex polyhedra admits infinite ascending chains, it has to be used in conjunction with appropriate mechanisms for enforcing and accelerating convergence of the fixpoint computation. Widening operators provide a simple and general characterization for such mechanisms. For the domain of convex polyhedra, the original widening operator proposed by Cousot and Halbwachs amply deserves the name of standard widening since most analysis and verification tools that employ convex polyhedra also employ that operator. Nonetheless, there is an unfulfilled demand for more precise widening operators. In this paper, after a formal introduction to the standard widening where we clarify some aspects that are often overlooked, we embark on the challenging task of improving on it. We present a framework for the systematic definition of new and precise widening operators for convex polyhedra. The framework is then instantiated so as to obtain a new widening operator that combines several heuristics and uses the standard widening as a last resort so that it is never less precise. A preliminary experimental evaluation has yielded promising results.
Conference Paper
This paper deals with conservative reachability analysis of a class of hybrid systems with continuous dynamics described by linear differential inclusions, convex invariants and guards, and linear reset maps. We present an approach for computing over-approximations of the set of reachable states. It is based on the notion of support function and thus it allows us to consider invariants, guards and constraints on continuous inputs and initial states defined by arbitrary compact convex sets. We show how the properties of support functions make it possible to derive an effective algorithm for approximate reachability analysis of hybrid systems. We use our approach on some examples including the navigation benchmark for hybrid systems verification.
Article
A new solution to the mutual exclusion problem is presented that, in the absence of contention, requires only seven memory accesses. It assumes atomic reads and atomic writes to shared registers. Capsule Review To build a useful computing system from a collection of processors that communicate by sharing memory, but lack any atomic operation more complex than a memory read or write, it is necessary to implement mutual exclusion using only these operations. Solutions to this problem have been known for twenty years, but they are linear in the number of processors. Lamport presents a new algorithm which takes constant time (five writes and two reads) in the absence of contention, which is the normal case. To achieve this performance it sacrifices fairness, which is probably unimportant in practical applications. The paper gives an informal argument that the algorithm's performance in the absence of contention is optimal, and a fairly formal proof of safety and freedom from deadlock, u...
Article
A hybrid system is a dynamical system whose behavior exhibits both discrete and continuous change. A hybrid automaton is a mathematical model for hybrid systems, which combines, in a single formalism, automaton transitions for capturing discrete change with differential equations for capturing continuous change. HyTech is a symbolic model checker for linear hybrid automata, a subclass of hybrid automata that can be analyzed automatically by computing with polyhedral state sets. A key feature of HyTech is its ability to perform parametric analysis, i.e. to determine the values of design parameters for which a linear hybrid automaton satisfies a temporal-logic requirement.
Article
This article presents a new numerical abstract domain for static analysis by abstract interpretation. It extends a former numerical abstract domain based on Difference-Bound Matrices and allows us to represent invariants of the form (+/-x+/-y<=c), where x and y are program variables and c is a real constant. We focus on giving an efficient representation based on Difference-Bound Matrices - O(n2) memory cost, where n is the number of variables - and graph-based algorithms for all common abstract operators - O(n3) time cost. This includes a normal form algorithm to test equivalence of representation and a widening operator to compute least fixpoint approximations.
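The Difference-Bound Matrix representation of the octagon domain described above, as an added example that is not code from the cited article, from Apron or from the PPL. The encoding is the usual one and is stated here as an assumption: each variable x_i is split into the two signed forms +x_i (index 2i) and -x_i (index 2i+1), and entry m[i][j] = c stores v_j - v_i <= c over those forms, so unary bounds, differences and sums all become entries of one 2n x 2n matrix. Closure is Floyd-Warshall followed by the strengthening step that combines the two unary bounds of a pair of variables; the constructed sample shows a bound (x1 - x2 <= 2) that shortest paths alone miss and only strengthening recovers, and a negative diagonal entry is the emptiness test.

```python
"""Octagon abstract domain on a Difference-Bound Matrix (added example).

Index 2i is +x_i, index 2i+1 is -x_i; m[i][j] = c encodes v_j - v_i <= c.
  x_i - x_j <= c  ->  m[2j][2i] = c     (mirror: m[2i+1][2j+1] = c)
  x_i + x_j <= c  ->  m[2j+1][2i] = c
  x_i <= c        ->  m[2i+1][2i] = 2c
  x_i >= c        ->  m[2i][2i+1] = -2c
Constants are treated as reals, as in the article.
"""
import math

INF = math.inf

class Octagon:
    def __init__(self, n):
        self.n = n
        self.m = [[INF] * (2 * n) for _ in range(2 * n)]
        for i in range(2 * n):
            self.m[i][i] = 0

    def _set(self, i, j, c):
        """Tighten v_j - v_i <= c together with its mirror v_{bar i} - v_{bar j} <= c."""
        self.m[i][j] = min(self.m[i][j], c)
        self.m[j ^ 1][i ^ 1] = min(self.m[j ^ 1][i ^ 1], c)   # k ^ 1 is the sign flip

    def add_upper(self, i, c):          # x_i <= c
        self._set(2 * i + 1, 2 * i, 2 * c)

    def add_lower(self, i, c):          # x_i >= c
        self._set(2 * i, 2 * i + 1, -2 * c)

    def add_diff(self, i, j, c):        # x_i - x_j <= c
        self._set(2 * j, 2 * i, c)

    def add_sum(self, i, j, c):         # x_i + x_j <= c, i.e. (+x_i) - (-x_j) <= c
        self._set(2 * j + 1, 2 * i, c)

    def close(self):
        """Strong closure; returns False when the octagon is empty."""
        N, m = 2 * self.n, self.m
        for k in range(N):                               # shortest paths
            for i in range(N):
                if m[i][k] == INF:
                    continue
                for j in range(N):
                    if m[i][k] + m[k][j] < m[i][j]:
                        m[i][j] = m[i][k] + m[k][j]
        for i in range(N):                               # strengthening
            for j in range(N):
                s = (m[i][i ^ 1] + m[j ^ 1][j]) / 2      # from -2v_i <= a and 2v_j <= b
                if s < m[i][j]:
                    m[i][j] = s
        return all(m[i][i] >= 0 for i in range(N))

    def bounds(self, i):
        """(lower, upper) of x_i; meaningful after close()."""
        return (-self.m[2 * i][2 * i + 1] / 2, self.m[2 * i + 1][2 * i] / 2)

    def diff_bound(self, i, j):
        """Best known c with x_i - x_j <= c; meaningful after close()."""
        return self.m[2 * j][2 * i]

def sample_octagon():
    """Constructed system: x0 in [0,4], |x1 - x0| <= 1, x1 + x2 <= 10, x2 >= 3."""
    o = Octagon(3)
    o.add_lower(0, 0)
    o.add_upper(0, 4)
    o.add_diff(1, 0, 1)
    o.add_diff(0, 1, 1)
    o.add_sum(1, 2, 10)
    o.add_lower(2, 3)
    return o

def empty_octagon():
    """Constructed contradiction: x0 <= 1 and x0 >= 2."""
    o = Octagon(1)
    o.add_upper(0, 1)
    o.add_lower(0, 2)
    return o

if __name__ == "__main__":
    o = sample_octagon()
    print(o.close(), [o.bounds(i) for i in range(3)], o.diff_bound(1, 2))
    print(empty_octagon().close())
```

After closure the sample yields x1 in [-1, 5] and x2 in [3, 11], bounds that were never stated directly; shortest paths alone give x1 - x2 <= 4, and the strengthening step tightens it to 2 by combining x1 <= 5 with x2 >= 3. Every operation stays at O(n^3) time and O(n^2) space, which is the trade-off the article makes against full polyhedra.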
Article
Convex polyhedra are the basis for several abstractions used in static analysis and computer-aided verification of complex and sometimes mission critical systems. For such applications, the identification of an appropriate complexity-precision trade-off is a particularly acute problem, so that the availability of a wide spectrum of alternative solutions is mandatory. We survey the range of applications of polyhedral computations in this area; give an overview of the different classes of polyhedra that may be adopted; outline the main polyhedral operations required by automatic analyzers and verifiers; and look at some possible combinations of polyhedra with other numerical abstractions that have the potential to improve the precision of the analysis. Areas where further theoretical investigations can result in important contributions are highlighted. Comment: 51 pages, 11 figures
ARCH-COMP19 category report: Hybrid systems with piecewise constant dynamics
  • G Frehse
ARCH-COMP18 category report: Hybrid systems with piecewise constant dynamics
  • G Frehse