On the decidability of the existence of polyhedral invariants in transition systems

Automated program verification often proceeds by exhibiting inductive invariants entailing the desired properties.For numerical properties, a classical class of invariants is convex polyhedra: solution sets of system of linear (in)equalities.Forty years of research on convex polyhedral invariants have focused, on the one hand, on identifying "easier" subclasses, on the other hand on heuristics for finding general convex polyhedra.These heuristics are however not guaranteed to find polyhedral inductive invariants when they exist.To our best knowledge, the existence of polyhedral inductive invariants has never been proved to be undecidable.In this article, we show that the existence of convex polyhedral invariants is undecidable, even if there is only one control state in addition to the "bad" one.The question is still open if one is not allowed any nonlinear constraint

The Hardness of Finding Linear Ranking Functions for Lasso Programs

Finding whether a linear-constraint loop has a linear ranking function is an important key to understanding the loop behavior, proving its termination and establishing iteration bounds. If no preconditions are provided, the decision problem is known to be in coNP when variables range over the integers and in PTIME for the rational numbers, or real numbers. Here we show that deciding whether a linear-constraint loop with a precondition, specifically with partially-specified input, has a linear ranking function is EXPSPACE-hard over the integers, and PSPACE-hard over the rationals. The precise complexity of these decision problems is yet unknown. The EXPSPACE lower bound is derived from the reachability problem for Petri nets (equivalently, Vector Addition Systems), and possibly indicates an even stronger lower bound (subject to open problems in VAS theory). The lower bound for the rationals follows from a novel simulation of Boolean programs. Lower bounds are also given for the problem of deciding if a linear ranking-function supported by a particular form of inductive invariant exists. For loops over integers, the problem is PSPACE-hard for convex polyhedral invariants and EXPSPACE-hard for downward-closed sets of natural numbers as invariants.Comment: In Proceedings GandALF 2014, arXiv:1408.5560. I thank the organizers of the Dagstuhl Seminar 14141, "Reachability Problems for Infinite-State Systems", for the opportunity to present an early draft of this wor

Weak Singular Hybrid Automata

The framework of Hybrid automata, introduced by Alur, Courcourbetis, Henzinger, and Ho, provides a formal modeling and analysis environment to analyze the interaction between the discrete and the continuous parts of cyber-physical systems. Hybrid automata can be considered as generalizations of finite state automata augmented with a finite set of real-valued variables whose dynamics in each state is governed by a system of ordinary differential equations. Moreover, the discrete transitions of hybrid automata are guarded by constraints over the values of these real-valued variables, and enable discontinuous jumps in the evolution of these variables. Singular hybrid automata are a subclass of hybrid automata where dynamics is specified by state-dependent constant vectors. Henzinger, Kopke, Puri, and Varaiya showed that for even very restricted subclasses of singular hybrid automata, the fundamental verification questions, like reachability and schedulability, are undecidable. In this paper we present \emph{weak singular hybrid automata} (WSHA), a previously unexplored subclass of singular hybrid automata, and show the decidability (and the exact complexity) of various verification questions for this class including reachability (NP-Complete) and LTL model-checking (PSPACE-Complete). We further show that extending WSHA with a single unrestricted clock or extending WSHA with unrestricted variable updates lead to undecidability of reachability problem

Decidability and Synthesis of Abstract Inductive Invariants

Decidability and synthesis of inductive invariants ranging in a given domain play an important role in many software and hardware verification systems. We consider here inductive invariants belonging to an abstract domain $A$ as defined in abstract interpretation, namely, ensuring the existence of the best approximation in $A$ of any system property. In this setting, we study the decidability of the existence of abstract inductive invariants in $A$ of transition systems and their corresponding algorithmic synthesis. Our model relies on some general results which relate the existence of abstract inductive invariants with least fixed points of best correct approximations in $A$ of the transfer functions of transition systems and their completeness properties. This approach allows us to derive decidability and synthesis results for abstract inductive invariants which are applied to the well-known Kildall's constant propagation and Karr's affine equalities abstract domains. Moreover, we show that a recent general algorithm for synthesizing inductive invariants in domains of logical formulae can be systematically derived from our results and generalized to a range of algorithms for computing abstract inductive invariants

Remedies for building reliable cyber-physical systems

Cyber-physical systems (CPS) are systems that are tight integration of computer programs as controllers or cyber parts, and physical environments. The interaction is carried out by obtaining information about the physical environment through reading sensors and responding to the current knowledge through actuators. Examples of such systems are autonomous automobile systems, avionic systems, robotic systems, and medical devices. Perhaps the most common feature of all these systems is that they are all safety critical systems and failure most likely causes catastrophic consequences. This means that while testing continues to increase confidence in cyber-physical systems, formal or mathematical proofs are needed at the very least for the safety requirements of these systems. Hybrid automata is the main modeling language for cyber-physical systems. However, verifying safety properties is undecidable for all but very restricted known classes of these automata. Our first result introduces a new subclass of hybrid automata for which bounded time safety model checking problem is decidable. We also prove that unbounded time model checking for this subclass is undecidable which suggests this is the best one can hope for the new class. Our second result in this thesis is a counter-example guided abstraction refinement algorithm for unbounded time model checking of non- linear hybrid automata. Clearly, this is an undecidable problem and that is the main reason for using abstraction refinement techniques. Our CEGAR framework for this class is sound but not complete, meaning the algorithm never incorrectly says a system is safe, but may output unsafe incorrectly. We have also implemented our algorithm and compared it with seven other tools. There are multiple inherent problems with traditional model checking approaches. First, it is well-known that most models do not depict physical environments precisely. Second, the model checking problem is undecidable for most classes of hybrid automata. And third, even when model checking is decidable, controller part in most models cannot be implemented. These problems suggest that current methods of modeling cyber-physical systems and problems might not be the right ones. Our last result focuses on robust model checking of cyber-physical systems. In this part of the thesis, we focus on the implementability issue and show how to solve four different robust model checking problem for timed automata. We also introduce an optimal algorithm for robust time bounded safety model checking of monotonic rectangular automata

Reachability and liveness in parametric timed automata

We study timed systems in which some timing features are unknown parameters. Parametric timed automata (PTAs) are a classical formalism for such systems but for which most interesting problems are undecidable. Notably, the parametric reachability emptiness problem, i.e., whether at least one parameter valuation allows to reach some given discrete state, is undecidable. Lower-bound/upper-bound parametric timed automata (L/U-PTAs) achieve decidability for reachability properties by enforcing a separation of parameters used as upper bounds in the automaton constraints, and those used as lower bounds. In this paper, we first study reachability. We exhibit a subclass of PTAs (namely integer-points PTAs) with bounded rational-valued parameters for which the parametric reachability emptiness problem is decidable. Using this class, we present further results improving the boundary between decidability and undecidability for PTAs and their subclasses such as L/U-PTAs. We then study liveness. We prove that: (1) the existence of at least one parameter valuation for which there exists an infinite run in an L/U-PTA is PSPACE-complete; (2) the existence of a parameter valuation such that the system has a deadlock is however undecidable; (3) the problem of the existence of a valuation for which a run remains in a given set of locations exhibits a very thin border between decidability and undecidability.Comment: This manuscript is an extended version of two conference papers published in the proceedings of ICFEM 2016 and ACSD 201

Report on "Geometry and representation theory of tensors for computer science, statistics and other areas."

This is a technical report on the proceedings of the workshop held July 21 to July 25, 2008 at the American Institute of Mathematics, Palo Alto, California, organized by Joseph Landsberg, Lek-Heng Lim, Jason Morton, and Jerzy Weyman. We include a list of open problems coming from applications in 4 different areas: signal processing, the Mulmuley-Sohoni approach to P vs. NP, matchgates and holographic algorithms, and entanglement and quantum information theory. We emphasize the interactions between geometry and representation theory and these applied areas