Optimization of Lyapunov Invariants in Verification of Software Systems

The paper proposes a control-theoretic framework for verification of numerical software systems, and puts forward software verification as an important application of control and systems theory. The idea is to transfer Lyapunov functions and the associated computational techniques from control systems analysis and convex optimization to verification of various software safety and performance specifications. These include but are not limited to absence of overflow, absence of division-by-zero, termination in finite time, absence of dead-code, and certain user-specified assertions. Central to this framework are Lyapunov invariants. These are properly constructed functions of the program variables, and satisfy certain properties-analogous to those of Lyapunov functions-along the execution trace. The search for the invariants can be formulated as a convex optimization problem. If the associated optimization problem is feasible, the result is a certificate for the specification.National Science Foundation (U.S.) (Grant CNS-1135955)National Science Foundation (U.S.) (Grant CPS-1135843)United States. Army Research Office. Multidisciplinary University Research Initiative (Award W911NF-11-1-0046)United States. National Aeronautics and Space Administration (Grant/Cooperative Agreement NNX12AM52A

Forward Invariant Cuts to Simplify Proofs of Safety

The use of deductive techniques, such as theorem provers, has several advantages in safety verification of hybrid sys- tems; however, state-of-the-art theorem provers require ex- tensive manual intervention. Furthermore, there is often a gap between the type of assistance that a theorem prover requires to make progress on a proof task and the assis- tance that a system designer is able to provide. This paper presents an extension to KeYmaera, a deductive verification tool for differential dynamic logic; the new technique allows local reasoning using system designer intuition about per- formance within particular modes as part of a proof task. Our approach allows the theorem prover to leverage for- ward invariants, discovered using numerical techniques, as part of a proof of safety. We introduce a new inference rule into the proof calculus of KeYmaera, the forward invariant cut rule, and we present a methodology to discover useful forward invariants, which are then used with the new cut rule to complete verification tasks. We demonstrate how our new approach can be used to complete verification tasks that lie out of the reach of existing deductive approaches us- ing several examples, including one involving an automotive powertrain control system.Comment: Extended version of EMSOFT pape

Optimal Analysis of Discrete-time Affine Systems

Our very first concern is the resolution of the verification problem for the class of discrete-time affine dynamical systems. This verification problem is turned into an optimization problem where the constraint set is the reachable values set of the dynamical system. To solve this optimization problem, we truncate the infinite sequences belonging to the reachable values set at some step which is uniform with respect to the initial conditions. In theory, the best possible uniform step is the optimal solution of a non-convex semi-definite program. In practice, we propose a methodology to compute a uniform step that over-approximate the best solution.Comment: 16 page

Optimization of Lyapunov invariants in analysis and implementation of safety-critical software systems

Thesis (Ph. D.)--Massachusetts Institute of Technology, Dept. of Aeronautics and Astronautics, 2008.Includes bibliographical references (leaves 168-176).This dissertation contributes to two major research areas in safety-critical software systems, namely, software analysis, and software implementation. In reference to the software analysis problem, the main contribution of the dissertation is the development of a novel framework, based on Lyapunov invariants and convex optimization, for verification of various safety and performance specifications for software systems. The enabling elements of the framework for software analysis are: (i) dynamical system interpretation and modeling of computer programs, (ii) Lyapunov invariants as behavior certificates for computer programs, and (iii) a computational procedure for finding the Lyapunov invariants. (i) The view in this dissertation is that software defines a rule for iterative modification of the operating memory at discrete instances of time. Hence, it can be modeled as a discrete-time dynamical system with the program variables as the state variables, and the operating memory as the state space. Three specific modeling languages are introduced which can represent a broad range of computer programs of interest to the control community. These are: Mixed Integer-Linear Models, Graph Models, and Linear Models with Conditional Switching. (ii) Inspired by the concept of Lyapunov functions in stability analysis of nonlinear dynamical systems, Lyapunov invariants are introduced and proposed for analysis of behavioral properties, and verification of various safety and performance specifications for computer programs. In the same spirit as standard Lyapunov functions, a Lyapunov invariant is an appropriately defined function of the state which satisfies a difference inequality along the trajectories. It is shown that variations of Lyapunov invariants satisfying certain technical conditions can be formulated for verification of several common specifications.(cont.) These include but are not limited to: absence of overflow, absence of division-by-zero, termination in finite time, and certain user-specified program assertions. (iii) A computational procedure based on convex relaxation techniques and numerical optimization is proposed for finding the Lyapunov invariants that prove the specifications. The framework is complemented by the introduction of a notion of optimality for the graph models. This notion can be used for constructing efficient graph models that improve the analysis in a systematic way. It is observed that the application of the framework to (graph models of) programs that are semantically identical but syntactically different does not produce identical results. This suggests that the success or failure of the method is contingent on the choice of the graph model. Based on this observation, the concepts of graph reduction, irreducible graphs, and minimal and maximal realizations of graph models are introduced. Several new theorems that compare the performance of the original graph model of a computer program and its reduced offsprings are presented. In reference to the software implementation problem for safety-critical systems, the main contribution of the dissertation is the introduction of an algorithm, based on optimization of quadratic Lyapunov functions and semidefinite programming, for computing optimal state space implementations for digital filters. The particular implementation that is considered is a finite word-length implementation on a fixed-point processor with quantization before or after multiplication. The objective is to minimize the effects of finite word-length constraints on performance deviation while respecting the overflow limits. The problem is first formulated as a special case of controller synthesis where the controller has a specific structure, which is known to be a hard non-convex problem in general.(cont.) It is then shown that this special case can be convexified exactly and the optimal implementation can be computed by solving a semidefinite optimization problem. It is observed that the optimal state space implementation of a digital filter on a machine with finite memory, does not necessarily define the same transfer function as that of an ideal implementation.by Mardavij Roozbehani.Ph.D

A Framework for Worst-Case and Stochastic Safety Verification Using Barrier Certificates

This paper presents a methodology for safety verification of continuous and hybrid systems in the worst-case and stochastic settings. In the worst-case setting, a function of state termed barrier certificate is used to certify that all trajectories of the system starting from a given initial set do not enter an unsafe region. No explicit computation of reachable sets is required in the construction of barrier certificates, which makes it possible to handle nonlinearity, uncertainty, and constraints directly within this framework. In the stochastic setting, our method computes an upper bound on the probability that a trajectory of the system reaches the unsafe set, a bound whose validity is proven by the existence of a barrier certificate. For polynomial systems, barrier certificates can be constructed using convex optimization, and hence the method is computationally tractable. Some examples are provided to illustrate the use of the method

Robust Stability Analysis of Nonlinear Hybrid Systems

We present a methodology for robust stability analysis of nonlinear hybrid systems, through the algorithmic construction of polynomial and piecewise polynomial Lyapunov-like functions using convex optimization and in particular the sum of squares decomposition of multivariate polynomials. Several improvements compared to previous approaches are discussed, such as treating in a unified way polynomial switching surfaces and robust stability analysis for nonlinear hybrid systems