mm 40 60 80 100 120 Parameter Synthesis for Signal Temporal Logic 40 Alexandre Donzé University of California, Berkeley 60 April 7, 2014 80 Alexandre Donzé SynCoP’14 1 / 52 Formal methods and parameter synthesis mm 40 Model 60 Verification |= ? 80 100 120 Specifications 40 Synthesis Problematics I 60 For complex systems (large-scale, hybrid dynamics), synthesis is intractable I Parameter synthesis reduces to finding valid values for “a few” parameters I We consider here model parameters and specification parameters 80 Alexandre Donzé Introduction SynCoP’14 2 / 52 Formal methods and parameter synthesis mm 40 Model 60 Verification |= ? 80 100 120 Specifications 40 Synthesis Problematics I 60 For complex systems (large-scale, hybrid dynamics), synthesis is intractable I Parameter synthesis reduces to finding valid values for “a few” parameters I We consider here model parameters and specification parameters 80 Alexandre Donzé Introduction SynCoP’14 2 / 52 Formal methods and parameter synthesis mm 40 Model 60 Verification |= ? 80 100 120 Specifications 40 Synthesis Problematics I 60 For complex systems (large-scale, hybrid dynamics), synthesis is intractable I Parameter synthesis reduces to finding valid values for “a few” parameters I We consider here model parameters and specification parameters 80 Alexandre Donzé Introduction SynCoP’14 2 / 52 Formal methods and parameter synthesis mm 40 Model 60 Verification |= ? 80 100 120 Specifications 40 Synthesis Problematics I 60 For complex systems (large-scale, hybrid dynamics), synthesis is intractable I Parameter synthesis reduces to finding valid values for “a few” parameters I We consider here model parameters and specification parameters 80 Alexandre Donzé Introduction SynCoP’14 2 / 52 Example 1 : modeling iron homeostasis I Specifications Qualitative knowledge, quantitative measurements, partially formalizable mm 40 60 80 100 120 ϕ = alw[0,5] (Fe_stable and Fe_high) and ev[5,10] (Fe_stable and Fe_low) until[tau, 50] (Fe_depleted) 40 I Model 60 80 ⇒ synthesis of model parameters 1 (joint work with N. Mobilia, E. Fanchon, J-M Moulis et al) Alexandre Donzé Introduction SynCoP’14 3 / 52 Example 1 : modeling iron homeostasis I Specifications Qualitative knowledge, quantitative measurements, partially formalizable mm 40 60 80 100 120 ϕ = alw[0,5] (Fe_stable and Fe_high) and ev[5,10] (Fe_stable and Fe_low) until[tau, 50] (Fe_depleted) 40 I Model 60 d Fe = k1 TfR1 Tf − k2 Fe FPN1a dt +k3 Fe 80 ⇒ synthesis of model parameters 1 (joint work with N. Mobilia, E. Fanchon, J-M Moulis et al) Alexandre Donzé Introduction SynCoP’14 3 / 52 Example 1 : modeling iron homeostasis I Specifications Qualitative knowledge, quantitative measurements, partially formalizable mm 40 60 80 100 120 ϕ = alw[0,5] (Fe_stable and Fe_high) and ev[5,10] (Fe_stable and Fe_low) until[tau, 50] (Fe_depleted) 40 I Model 60 d Fe = k1 TfR1 Tf − k2 Fe FPN1a dt +k3 Fe Problem: values for k1 , k2 , k3 , etc 80 ⇒ synthesis of model parameters 1 (joint work with N. Mobilia, E. Fanchon, J-M Moulis et al) Alexandre Donzé Introduction SynCoP’14 3 / 52 Example 1 : modeling iron homeostasis I Specifications Qualitative knowledge, quantitative measurements, partially formalizable mm 40 60 80 100 120 ϕ = alw[0,5] (Fe_stable and Fe_high) and ev[5,10] (Fe_stable and Fe_low) until[tau, 50] (Fe_depleted) 40 I Model 60 d Fe = k1 TfR1 Tf − k2 Fe FPN1a dt +k3 Fe Problem: values for k1 , k2 , k3 , etc 80 ⇒ synthesis of model parameters 1 (joint work with N. Mobilia, E. Fanchon, J-M Moulis et al) Alexandre Donzé Introduction SynCoP’14 3 / 52 Example 2 : faulty behaviors of a robot Goal: autograding a robotic lab Assignement: obstacles mm climb hills+avoid 40 60 80 100 120 40 60 Faulty behavior specifications E.g.: “The robot does not reach the top of the hill in τ seconds” What is a value of τ that discriminate faulty from acceptable solutions ? 80 ⇒ synthesis of specification parameters 2 (joint work with G. Juniwal, J. C. Jensen, S. A. Seshia) Alexandre Donzé Introduction SynCoP’14 4 / 52 Example 2 : faulty behaviors of a robot Goal: autograding a robotic lab Assignement: obstacles mm climb hills+avoid 40 60 80 100 120 40 60 Faulty behavior specifications E.g.: “The robot does not reach the top of the hill in τ seconds” What is a value of τ that discriminate faulty from acceptable solutions ? 80 ⇒ synthesis of specification parameters 2 (joint work with G. Juniwal, J. C. Jensen, S. A. Seshia) Alexandre Donzé Introduction SynCoP’14 4 / 52 Example 3 : specification mining Design of an automatic transmission system: mm 40Ti 1 throttle 60 Throttle gear gear CALC_TH Nout up_th ShiftLogic down_th run() up_th 120 gear Ne Engine 40 100 3 Ne EngineRPM speed down_th 2 RPM 80 ImprellerTorque Ti Tout OutputTorque Transmission Vehicle gear throttle ThresholdCalculation TransmissionRPM 2 60 I I I VehicleSpeed 1 speed What is the maximum speed that the vehicule can reach ? What is the minimum dwell time in a given gear ? etc 80 ⇒ synthesis of both specification and model parameters 3 (joint work with X. Jing, J. Deshmuhk, S.A. Seshia) Alexandre Donzé Introduction SynCoP’14 5 / 52 Outline mm 1 40 60 80 100 120 Preliminaries: Signal Temporal Logic From LTL to STL Robust semantics 40 2 Parameter synthesis Property parameters Model parameters 60 3 Putting it all together: specification mining 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 6 / 52 Outline mm 1 40 60 80 100 120 Preliminaries: Signal Temporal Logic From LTL to STL Robust semantics 40 2 Parameter synthesis Property parameters Model parameters 60 3 Putting it all together: specification mining 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 6 / 52 Temporal logics in a nutshell mm 40 60 80 100 120 Temporal logics specify patterns that timed behaviors of systems may or may not satisfy. 40 The most intuitive is the Linear Temporal Logic (LTL), dealing with discrete sequences of states. Based on logic operators (¬, ∧, ∨) and temporal operators: “next”, “always” (G), “eventually” 60 (F) and “until” (U) 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 7 / 52 Linear Temporal Logic mm 40 60 80 100 120 An LTL formula ϕ is evaluated on a sequence, e.g., w = aaabbaaa . . . At each step of w, we can define a truth value of ϕ, noted χϕ (w, i) 40 are symbols: a, b: LTL atoms 60 i= w= χa (w, i) = χb (w, i) = 0 a 1 0 1 a 1 0 2 a 1 0 3 b 0 1 4 b 0 1 5 a 1 0 6 a 1 0 7 a 1 0 ... ... ... ... 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 8 / 52 LTL, temporal operators mm 40 60 80 100 120 (“next”), G (“globally”), F (“eventually”) and U (“until”). They are evaluated at each step wrt the future of sequences 40 w= a b (next) χb (w, i) = 0 Ga (always) χGa (w, i) = 0 F b 60 (eventually) χFb (w, i) = 1 aUb a U b (until) χ (w, i) = 1 a 0 0 1 1 a 1 0 1 1 b b a 1 0 0 0 0 1? 1 1 0? 0 0 0? a 0 1? 0? 0? a ? 1? 0? 0? ... ... ... ... ... 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 9 / 52 LTL, temporal operators mm 40 60 80 100 120 (“next”), G (“globally”), F (“eventually”) and U (“until”). They are evaluated at each step wrt the future of sequences 40 w= a b (next) χb (w, i) = 0 Ga (always) χGa (w, i) = 0 F b 60 (eventually) χFb (w, i) = 1 aUb a U b (until) χ (w, i) = 1 a 0 0 1 1 a 1 0 1 1 b b a 1 0 0 0 0 1? 1 1 0? 0 0 0? a 0 1? 0? 0? a ? 1? 0? 0? ... ... ... ... ... 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 9 / 52 LTL, temporal operators mm 40 60 80 100 120 (“next”), G (“globally”), F (“eventually”) and U (“until”). They are evaluated at each step wrt the future of sequences 40 w= a b (next) χb (w, i) = 0 Ga (always) χGa (w, i) = 0 F b 60 (eventually) χFb (w, i) = 1 aUb a U b (until) χ (w, i) = 1 a 0 0 1 1 a 1 0 1 1 b b a 1 0 0 0 0 1? 1 1 0? 0 0 0? a a 0 0? 1? 1? 0? 0? 0? 0? ... ... ... ... ... 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 9 / 52 LTL, temporal operators mm 40 60 80 100 120 (“next”), G (“globally”), F (“eventually”) and U (“until”). They are evaluated at each step wrt the future of sequences 40 w= a b (next) χb (w, i) = 0 Ga (always) χGa (w, i) = 0 F b 60 (eventually) χFb (w, i) = 1 aUb a U b (until) χ (w, i) = 1 a 0 0 1 1 a 1 0 1 1 b b a 1 0 0 0 0 1? 1 1 0? 0 0 0? a 0 1? 0? 0? a ? 1? 0? 0? ... ... ... ... ... 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 9 / 52 From LTL to STL mm 40 60 80 100 Extension of LTL with real-time and real-valued constraints 120 Ex: request-grant property LTL G( r40 => F g) Boolean predicates, discrete-time 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 10 / 52 From LTL to STL mm 40 60 80 100 Extension of LTL with real-time and real-valued constraints 120 Ex: request-grant property LTL G( r40 => F g) Boolean predicates, discrete-time 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 10 / 52 From LTL to STL mm 40 60 80 100 Extension of LTL with real-time and real-valued constraints 120 Ex: request-grant property LTL G( r40 => F g) Boolean predicates, discrete-time MTL G( r => F[0,.5s] g ) Boolean predicates, real-time 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 10 / 52 From LTL to STL mm 40 60 80 100 Extension of LTL with real-time and real-valued constraints 120 Ex: request-grant property LTL G( r40 => F g) Boolean predicates, discrete-time MTL G( r => F[0,.5s] g ) Boolean predicates, real-time 60 STL G( x[t] > 0 => F[0,.5s] y[t] > 0 ) Predicates over real values , real-time 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 10 / 52 STL syntax MTL/STL mm Formulas40 60 80 100 120 ϕ := > | µ | ¬ϕ | ϕ ∧ ψ | ϕ U[a,b] ψ I ⊥ = ¬> I 40 Eventually is F[a,b] ϕ = > U[a,b] ϕ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 60 STL Predicates STL adds an analog layer to MTL. Assume signals x1 [t], x2 [t], . . . , xn [t], then atomic predicates are of the form: 80 Alexandre Donzé µ = f (x1 [t], . . . , xn [t]) > 0 Preliminaries: Signal Temporal Logic SynCoP’14 11 / 52 STL syntax MTL/STL mm Formulas40 60 80 100 120 ϕ := > | µ | ¬ϕ | ϕ ∧ ψ | ϕ U[a,b] ψ I ⊥ = ¬> I 40 Eventually is F[a,b] ϕ = > U[a,b] ϕ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 60 STL Predicates STL adds an analog layer to MTL. Assume signals x1 [t], x2 [t], . . . , xn [t], then atomic predicates are of the form: 80 Alexandre Donzé µ = f (x1 [t], . . . , xn [t]) > 0 Preliminaries: Signal Temporal Logic SynCoP’14 11 / 52 STL semantics The satisfaction of a formula ϕ by a signal x = (x1 , . . . , xn ) at time t is mm 40 (x, t) |= µ (x, t) |= ϕ ∧ ψ (x, t) |= ¬ϕ (x, t) |= ϕ U[a,b] ψ 40 I ⇔ ⇔ ⇔ ⇔ 60 80 100 120 f (x1 [t], . . . , xn [t]) > 0 (x, t) |= ϕ ∧ (x, t) |= ψ ¬((x, t) |= ϕ) ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ ∧ ∀t 00 ∈ [t, t 0 ], (x, t 00 ) |= ϕ} Eventually is F[a,b] ϕ = > U[a,b] ϕ 60 (x, t) |= F[a,b] ψ ⇔ ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 80 (x, t) |= G[a,b] ψ ⇔ ∀t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 12 / 52 STL semantics The satisfaction of a formula ϕ by a signal x = (x1 , . . . , xn ) at time t is mm 40 (x, t) |= µ (x, t) |= ϕ ∧ ψ (x, t) |= ¬ϕ (x, t) |= ϕ U[a,b] ψ 40 I ⇔ ⇔ ⇔ ⇔ 60 80 100 120 f (x1 [t], . . . , xn [t]) > 0 (x, t) |= ϕ ∧ (x, t) |= ψ ¬((x, t) |= ϕ) ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ ∧ ∀t 00 ∈ [t, t 0 ], (x, t 00 ) |= ϕ} Eventually is F[a,b] ϕ = > U[a,b] ϕ 60 (x, t) |= F[a,b] ψ ⇔ ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 80 (x, t) |= G[a,b] ψ ⇔ ∀t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 12 / 52 STL semantics The satisfaction of a formula ϕ by a signal x = (x1 , . . . , xn ) at time t is mm 40 (x, t) |= µ (x, t) |= ϕ ∧ ψ (x, t) |= ¬ϕ (x, t) |= ϕ U[a,b] ψ 40 I ⇔ ⇔ ⇔ ⇔ 60 80 100 120 f (x1 [t], . . . , xn [t]) > 0 (x, t) |= ϕ ∧ (x, t) |= ψ ¬((x, t) |= ϕ) ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ ∧ ∀t 00 ∈ [t, t 0 ], (x, t 00 ) |= ϕ} Eventually is F[a,b] ϕ = > U[a,b] ϕ 60 (x, t) |= F[a,b] ψ ⇔ ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 80 (x, t) |= G[a,b] ψ ⇔ ∀t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 12 / 52 STL examples mm 40 60 80 100 120 40 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 13 / 52 STL examples mm The signal is never above 3.5 40 ϕ := G (x[t] 60 < 3.5) 80 100 120 40 3.5 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 13 / 52 STL examples Between 2s and 6s the signal is between -2 and 2 mm 40ϕ := G[2,6] 60(|x[t]| < 2) 80 100 40 120 6s 2s 2 60 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 13 / 52 STL examples Always |x| > 0.5 ⇒ after 1 s, |x| settles under 0.5 for 1.5 s mmϕ := G(x[t]40> .5 → F[0,.6] 60 ( G[0,1.5] x[t] 80 < 0.5)) 100 120 40 60 0.5 ≤1 s 1.5 s 0.5 ≤1 s 1.5 s 0.5 ≤1 s 1.5 s 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 13 / 52 Outline mm 1 40 60 80 100 120 Preliminaries: Signal Temporal Logic From LTL to STL Robust semantics 40 2 Parameter synthesis Property parameters Model parameters 60 3 Putting it all together: specification mining 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 14 / 52 STL semantics The satisfaction of a formula ϕ by a signal x = (x1 , . . . , xn ) at time t is mm 40 (x, t) |= µ (x, t) |= ϕ ∧ ψ (x, t) |= ¬ϕ (x, t) 40 |= ϕ U[a,b] ψ I 60 ⇔ ⇔ ⇔ ⇔ 80 100 120 f (x1 [t], . . . , xn [t]) > 0 (x, t) |= ϕ ∧ (x, t) |= ψ ¬((x, t) |= ϕ) ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ ∧ ∀t 00 ∈ [t, t 0 ], (x, t 00 ) |= ϕ} Eventually is F[a,b] ϕ = > U[a,b] ϕ 60 (x, t) |= F[a,b] ψ ⇔ ∃t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ I Always is G[a,b] ϕ = ¬( F[a,b] ¬ϕ) 80 (x, t) |= G[a,b] ψ ⇔ ∀t 0 ∈ [t + a, t + b] such that (x, t 0 ) |= ψ Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 15 / 52 STL satisfaction function The semantics χϕ (x, mm can be40defined as function 60 80t) such that: 100 120 x, t |= ϕ ⇔ χϕ (x, t) = > Considering 40 Booleans (B, <, −) as an order with involution: χµ (x, t) = f (x1 [t], . . . , xn [t]) > 0 χ¬ϕ (x, t) = −χϕ (x, t) χϕ1 ∧ϕ2 (x, t) = min(χϕ1 (x, t), χϕ2 (w, t)) 60 χϕ1 U[a,b] ϕ2 80 Alexandre Donzé (x, t) = max (min(χϕ2 (x, τ ), min χϕ1 (x, s)) τ ∈t+[a,b] Preliminaries: Signal Temporal Logic s∈[t,τ ] SynCoP’14 16 / 52 STL satisfaction function The semantics χϕ (x, mm can be40defined as function 60 80t) such that: 100 120 x, t |= ϕ ⇔ χϕ (x, t) = > Considering 40 Booleans (B, <, −) as an order with involution: χµ (x, t) = f (x1 [t], . . . , xn [t]) > 0 χ¬ϕ (x, t) = −χϕ (x, t) χϕ1 ∧ϕ2 (x, t) = min(χϕ1 (x, t), χϕ2 (w, t)) 60 χϕ1 U[a,b] ϕ2 80 Alexandre Donzé (x, t) = max (min(χϕ2 (x, τ ), min χϕ1 (x, s)) τ ∈t+[a,b] Preliminaries: Signal Temporal Logic s∈[t,τ ] SynCoP’14 16 / 52 STL satisfaction function example Consider a simple piecewise affine signal: mm 5 40 60 80 100 > 120 4 3 40x 2 1 60 1 2 3 4 5 6 ⊥ t Satisfaction signal of : I ϕ=x≥2 80 I Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 17 / 52 STL satisfaction function example Consider a simple piecewise affine signal: mm 5 40 60 80 100 > 120 4 3 40x 2 1 60 1 2 3 4 5 6 ⊥ t Satisfaction signal of : I ϕ=x≥2 80 I Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 17 / 52 STL satisfaction function example Consider a simple piecewise affine signal: mm 5 40 60 80 100 > 120 4 3 40x 2 1 60 1 2 3 4 5 6 ⊥ t Satisfaction signal of : I ϕ=x≥2 I ϕ = F(x ≥ 2) 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 17 / 52 STL satisfaction function example Consider a simple piecewise affine signal: mm 5 40 60 80 100 > 120 4 3 40x 2 1 60 1 2 3 4 5 6 ⊥ t Satisfaction signal of : I ϕ=x≥2 I ϕ = F[0,0.5] (x ≥ 2) 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 17 / 52 Robust satisfaction signal mm 40 60 80 100 120 The Reals (R, <, −) also form an order with involution: ρµ (x, t) 40 = f (x1 [t], . . . , xn [t]) ρ¬ϕ (x, t) = −ρϕ (x, t) ρϕ1 ∧ϕ2 (x, t) = min(ρϕ1 (x, t), ρϕ2 (w, t)) 60U[a,b] ϕ2 (x, t) = ρϕ1 sup (min(ρϕ2 (x, τ ), τ ∈t+[a,b] inf ρϕ1 (x, s)) s∈[t,τ ] 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 18 / 52 Properties of robust satisfaction signal mm I 40 60 Sign indicates satisfaction status 80 100 120 ρϕ (x, t) > 0 ⇒ x, t ϕ 40 I ρϕ (x, t) < 0 ⇒ x, t 2 ϕ Absolute value indicates tolerance 60 x, t ϕ and kx − x 0 k∞ ≤ ρϕ (x, t) ⇒ 0 ϕ x, t 2 ϕ and kx − x k∞ ≤ −ρ (x, t) ⇒ x 0, t ϕ x 0, t 2 ϕ 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 19 / 52 Properties of robust satisfaction signal mm I 40 60 Sign indicates satisfaction status 80 100 120 ρϕ (x, t) > 0 ⇒ x, t ϕ 40 I ρϕ (x, t) < 0 ⇒ x, t 2 ϕ Absolute value indicates tolerance 60 x, t ϕ and kx − x 0 k∞ ≤ ρϕ (x, t) ⇒ 0 ϕ x, t 2 ϕ and kx − x k∞ ≤ −ρ (x, t) ⇒ x 0, t ϕ x 0, t 2 ϕ 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 19 / 52 STL satisfaction function example mm ρϕ (x,60 ·)/χϕ (x, ·) 80 40 100 120 > 5 4 3 2 40 1 0 1 2 3 4 5 6 ⊥ −1 −2 60 Satisfaction signals of : I ϕ=x≥2 I 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 20 / 52 STL satisfaction function example mm ρϕ (x,60 ·)/χϕ (x, ·) 80 40 100 120 > 5 4 3 2 40 1 0 1 2 3 4 5 6 ⊥ −1 −2 60 Satisfaction signals of : I ϕ=x≥2 I 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 20 / 52 STL satisfaction function example mm ρϕ (x,60 ·)/χϕ (x, ·) 80 40 100 120 > 5 4 3 2 40 1 0 1 2 3 4 5 6 ⊥ −1 −2 60 Satisfaction signals of : I ϕ=x≥2 I ϕ = 80 F(x ≥ 2) Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 20 / 52 STL satisfaction function example mm ρϕ (x,60 ·)/χϕ (x, ·) 80 40 100 120 > 5 4 3 2 40 1 0 1 2 3 4 5 6 ⊥ −1 −2 60 Satisfaction signals of : I ϕ=x≥2 I ϕ = 80 F[0,0.5] (x ≥ 2) Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 20 / 52 Robust monitoring A robust STL monitor is a transducer that transform x into ρϕ (x, .) mm 40 60 80 100 120 40 60 In practice I Trace: time words over alphabet R, linear interpolation Input: x(·) , (ti , x(ti ))i∈N 0utput: ρϕ (x, ·) , (rj , z(rj ))j∈N 80 I Continuity, and piecewise affine property preserved Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 21 / 52 Robust monitoring A robust STL monitor is a transducer that transform x into ρϕ (x, .) mm 40 60 80 8 x[t] 7 120 Quant. sat Bool. sat 3 6 2 5 1 STL Monitor Formula ϕ 4 3 40 2 0 −1 −2 1 ρϕ (x, ·)/χϕ (x, ·) −3 0 −1 0 100 4 0.5 1 1.5 2 2.5 3 3.5 −4 0 4 0.5 1 1.5 2 2.5 3 3.5 4 60 In practice I Trace: time words over alphabet R, linear interpolation Input: x(·) , (ti , x(ti ))i∈N 0utput: ρϕ (x, ·) , (rj , z(rj ))j∈N 80 I Continuity, and piecewise affine property preserved Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 21 / 52 Robust monitoring A robust STL monitor is a transducer that transform x into ρϕ (x, .) mm 40 60 80 8 x[t] 7 120 Quant. sat Bool. sat 3 6 2 5 1 STL Monitor Formula ϕ 4 3 40 2 0 −1 −2 1 ρϕ (x, ·)/χϕ (x, ·) −3 0 −1 0 100 4 0.5 1 1.5 2 2.5 3 3.5 −4 0 4 0.5 1 1.5 2 2.5 3 3.5 4 60 In practice I Trace: time words over alphabet R, linear interpolation Input: x(·) , (ti , x(ti ))i∈N 0utput: ρϕ (x, ·) , (rj , z(rj ))j∈N 80 I Continuity, and piecewise affine property preserved Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 21 / 52 Computing the robust satisfaction function (Donze, Ferrere, Maler, Efficient Robust Monitoring of STL Formula, CAV’13) mm I 60 80 100 120 The function ρϕ (x, t) is computed inductively on the structure of ϕ I I I 40 linear time complexity in size of x is preserved 40 exponential worst case complexity in the size of ϕ Atomic transducers compute in linear time in the size of the input I Key idea is to exploit efficient streaming algorithm (Lemire’s) 60 computing the max and min over a moving window 80 Alexandre Donzé Preliminaries: Signal Temporal Logic SynCoP’14 22 / 52 Performance results 3 mm 40 80 100 120 | ϕ| = 50, Ti me ρ ' 2. 45 × 10 − 5 n y 2.5 C omputation T ime (s) 60 2 40 1.5 601 | ϕ| = 25, Ti me ρ ' 1. 63 × 10 − 5 n y 0.5 | ϕ| = 1, Ti me ρ ' 2. 34 × 10 − 6 n y 800 0 Alexandre Donzé 2e4 4e4 6e4 Signal siz e n y Preliminaries: Signal Temporal Logic 8e4 10e4 SynCoP’14 23 / 52 1 mm Preliminaries: Signal Logic 40 Temporal 60 From LTL to STL Robust semantics 2 Parameter synthesis Property parameters Model parameters 80 100 120 40 60 3 Putting it all together: specification mining 80 Alexandre Donzé Parameter synthesis SynCoP’14 24 / 52 Parametric STL mm 40 60 80 100 120 Informally, a PSTL formula is an STL formula where (some) numeric constants are left unspecified, represented by symbolic parameters. 40 (PSTL syntax) Definition ϕ := µ(x[t]) > π | ¬ϕ | ϕ ∧ ψ | ϕ U[τ1 ,τ2 ] ψ where 60 I π is a scale parameter I τ1 , τ2 are time parameters 80 Alexandre Donzé Parameter synthesis SynCoP’14 25 / 52 Parametric STL mm “After 2s, the signal is never above 3” ϕ := F[2,∞] (x[t] < 3) 40 60 80 100 120 40 60 80 Alexandre Donzé Parameter synthesis SynCoP’14 26 / 52 Parametric STL “After 2s, the signal is never above 3” ϕ := F[2,∞] (x[t] < 3) 40 60 80 mm 40 100 120 2 3 60 80 Alexandre Donzé Parameter synthesis SynCoP’14 26 / 52 Parametric STL “After τ s, the signal is never above π” ϕ := G[τ ,∞] (x[t] < π) 40 60 80 mm 40 100 120 τ ? π? 60 80 Alexandre Donzé Parameter synthesis SynCoP’14 26 / 52 Parameter synthesis for PSTL mm 40 60 80 100 120 Problem Given a system S with a PSTL formula with n symbolic parameters ϕ(p1 , . . . , pn ), find a tight valuation function v such that 40 x, t |= ϕ(v(p1 ), . . . , v(pn )), Informally, a valuation v is tight if there exists a valuation v 0 in a δ-close 60 of v, with δ “small”, such that neighborhood x, t |= / ϕ(v 0 (p1 ), . . . , v 0 (pn )) 80 Alexandre Donzé Parameter synthesis SynCoP’14 27 / 52 Example ϕ := G x[t] > π → F[0,τ1 ] ( G[0,τ2 ] x[t] < π) I I Valuation mm 1: π ← 401.5, τ1 ← 160s, τ2 ← 1.15 80 s 100 Valuation 2 (tight): π ← .5, τ1 ← 0.65 s, τ2 ← 2 s 120 40 60 80 Alexandre Donzé Parameter synthesis SynCoP’14 28 / 52 Example ϕ := G x[t] > π → F[0,τ1 ] ( G[0,τ2 ] x[t] < π) I I Valuation mm 1: π ← 401.5, τ1 ← 160s, τ2 ← 1.15 80 s 100 Valuation 2 (tight): π ← .5, τ1 ← 0.65 s, τ2 ← 2 s 120 40 60 π τ1 s 80 Alexandre Donzé τ2 s Parameter synthesis SynCoP’14 28 / 52 Example ϕ := G x[t] > π → F[0,τ1 ] ( G[0,τ2 ] x[t] < π) I I Valuation mm 1: π ← 401.5, τ1 ← 160s, τ2 ← 1.15 80 s 100 Valuation 2 (tight): π ← .5, τ1 ← 0.65 s, τ2 ← 2 s 120 40 60 π 80 τ1 s τ2 s Alexandre Donzé Parameter synthesis SynCoP’14 28 / 52 Parameter synthesis Challenges mm 40 60 I Multiple solutions: which one to chose ? I 80 100 120 Tightness implies to “optimize” the valuation v(pi ) for each pi The problem can be greatly simplified if the formula is monotonic in each pi . 40 Definition A PSTL formula ϕ(p1 , · · · , pn ) is monotonically increasing wrt pi if 60 x |= ϕ(v(p1 ), . . . , v(pi ), . . .) 0 ⇒ x |= ϕ(v 0 (p1 ), . . . , v 0 (pi ), . . .) v(pj ) = v 0 (pj ), j 6= i ∀x, v, v , v 0 (pi ) ≥ v(pi ) It is monotonically decreasing if this holds when replacing v 0 (pi ) ≥ v(pi ) with v 0 (pi ) ≤ v(p 80 i ). Alexandre Donzé Parameter synthesis SynCoP’14 29 / 52 Parameter synthesis Challenges mm 40 60 I Multiple solutions: which one to chose ? I 80 100 120 Tightness implies to “optimize” the valuation v(pi ) for each pi The problem can be greatly simplified if the formula is monotonic in each pi . 40 Definition A PSTL formula ϕ(p1 , · · · , pn ) is monotonically increasing wrt pi if 60 x |= ϕ(v(p1 ), . . . , v(pi ), . . .) 0 ⇒ x |= ϕ(v 0 (p1 ), . . . , v 0 (pi ), . . .) v(pj ) = v 0 (pj ), j 6= i ∀x, v, v , v 0 (pi ) ≥ v(pi ) It is monotonically decreasing if this holds when replacing v 0 (pi ) ≥ v(pi ) with v 0 (pi ) ≤ v(p 80 i ). Alexandre Donzé Parameter synthesis SynCoP’14 29 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 p1 ⊆ D(x, ϕ) * D(x, ϕ) Exact D(x, ϕ) 60 80 p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 * D(x, ϕ) p1 ⊆ D(x, ϕ) 60 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 * D(x, ϕ) p1 ⊆ D(x, ϕ) 60 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 * D(x, ϕ) p1 ⊆ D(x, ϕ) 60 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 * D(x, ϕ) p1 ⊆ D(x, ϕ) 60 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 ⊆ D(x, ϕ) * D(x, ϕ) p1 60 x 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 ⊆ D(x, ϕ) * D(x, ϕ) p1 60 x x 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Monotonic validity domains The validity domain D of ϕ and x is the set of valuations v s.t. x |= ϕ(v) mm valuation is40a valuation 60 120 I A tight in D close to 80 its boundary 100 ∂D I I In case of monoticity, ∂D has the structure of a Pareto front which can be estimated with generalized binary search heuristics 40 ⊆ D(x, ϕ) * D(x, ϕ) p1 60 x x 80 x p2 Alexandre Donzé Parameter synthesis SynCoP’14 30 / 52 Deciding monotonicity mm Simple cases 40 60 I f (x) > π & f (x) < π % I G[0,τ ] ϕ & F[0,τ ] ϕ % I 80 100 120 etc 40 General case I Deciding monotonicity can be encoded in an SMT query I 60 However, the problem is undecidable, due to undecidabilty of STL I In practice, monotonicity can be decided easily (in our experience so far) 80 Alexandre Donzé Parameter synthesis SynCoP’14 31 / 52 Deciding monotonicity mm Simple cases 40 60 I f (x) > π & f (x) < π % I G[0,τ ] ϕ & F[0,τ ] ϕ % I 80 100 120 etc 40 General case I Deciding monotonicity can be encoded in an SMT query I 60 However, the problem is undecidable, due to undecidabilty of STL I In practice, monotonicity can be decided easily (in our experience so far) 80 Alexandre Donzé Parameter synthesis SynCoP’14 31 / 52 1 mm Preliminaries: Signal Logic 40 Temporal 60 From LTL to STL Robust semantics 2 Parameter synthesis Property parameters Model parameters 80 100 120 40 60 3 Putting it all together: specification mining 80 Alexandre Donzé Parameter synthesis SynCoP’14 32 / 52 Parameter synthesis problem Problemmm 40 60 u(t), p System S 80 100 120 Given the system: S(u(t), p) 40 Find an input signal u ∈ U, p ∈ P such that S(u(t), p), 0 |= ϕ In practice 60 I We parameterize U and reduce the problem to a parameter synthesis problem within some set Pu × P I The search of a solution is guided by the quantitative measure of satisfaction of ϕ 80 Alexandre Donzé Parameter synthesis SynCoP’14 33 / 52 Parameter synthesis problem Problemmm 40 60 u(t), p System S 80 100 120 Given the system: S(u(t), p) 40 Find an input signal u ∈ U, p ∈ P such that S(u(t), p), 0 |= ϕ In practice 60 I We parameterize U and reduce the problem to a parameter synthesis problem within some set Pu × P I The search of a solution is guided by the quantitative measure of satisfaction of ϕ 80 Alexandre Donzé Parameter synthesis SynCoP’14 33 / 52 Parameterizing the input space mm 40 60 80 100 120 Input signals u(t) ∈ U Input parameter set Pu 80 70 60 40 50 40 30 20 10 0 0 5 10 15 60 Note The set of input signals generated by Pu is in general a subset of U I.e., we do not guarantee completeness. 80 Alexandre Donzé Parameter synthesis SynCoP’14 34 / 52 Parameter synthesis with quantitative satisfaction Given a formula mm ϕ, a signal 40 x and a time 60 t, recall that 80 we have:100 ϕ ρ (x, t) > 0 ⇒ x, t ϕ 120 ρϕ (x, t) < 0 ⇒ x, t 2 ϕ ok 40 System S p x(t) STL Monitor ϕ ρϕ (x, t) ¬ ok As x is obtained by simulation using input parameters p, the falsification problem 60 can be reduced to solving ρ∗ = min ρϕ (x, 0) p∈P ∗ If ρ < 0, we found a counterexample. 80 Alexandre Donzé Parameter synthesis SynCoP’14 35 / 52 Parameter synthesis with quantitative satisfaction Given a formula mm ϕ, a signal 40 x and a time 60 t, recall that 80 we have:100 ϕ ρ (x, t) > 0 ⇒ x, t ϕ 120 ρϕ (x, t) < 0 ⇒ x, t 2 ϕ ok 40 System S p x(t) STL Monitor ϕ ρϕ (x, t) ¬ ok As x is obtained by simulation using input parameters p, the falsification problem 60 can be reduced to solving ρ∗ = min ρϕ (x, 0) p∈P ∗ If ρ < 0, we found a counterexample. 80 Alexandre Donzé Parameter synthesis SynCoP’14 35 / 52 Open question: optimizing satisfaction function mm 40 60 80 100 120 Solving ρ∗ = min F (pu ) = ρϕ (x, 0) pu ∈Pu is difficult40in general, as nothing can be assumed on F . In practice, use of global nonlinear optimization algorithms Success will depend on how smooth is Fu , its local optima, etc 60 Critical is the ability to compute ρ efficiently. 80 Alexandre Donzé Parameter synthesis SynCoP’14 36 / 52 Open question (cont’d): smoothing quantitative satisfaction functions Depending on how ρ is defined, the function to optimize can have different profiles mm 40 60 80 100 120 40 60 80 Alexandre Donzé Parameter synthesis SynCoP’14 37 / 52 Open question (cont’d): smoothing quantitative satisfaction functions Depending on how ρ is defined, the function to optimize can have different profiles mm 40 60 80 100 120 (not (ev_[0, 5] (gear4w))) and (not ((ev (speed[t]>70)) and (alw_[40, inf] (speed[t]<30)))) 2 40 1 0 2 0 0 0 Quantitative Satisfaction 4 −1 −2 0 60 −4 −2 0 −6 0 0 20 −3 20 80 15 40 −4 10 60 5 80 Alexandre Donzé throttle_u0 100 dt_u0 0Parameter synthesis −5 SynCoP’14 37 / 52 Open question (cont’d): smoothing quantitative satisfaction functions Depending on how ρ is defined, the function to optimize can have different profiles mm 40 60 80 100 120 (not (ev_[0, 5] (gear4w))) and (not ((ev (speed[t]>70)) and (alw_[40, inf] (speed[t]<30)))) 60 40 50 40 60 40 0 20 30 60 0 0 Quantitative Satisfaction 80 20 0 −20 0 80 10 0 40 15 10 60 0 5 80 Alexandre Donzé 20 0 20 throttle_u0 100 dt_u0 0Parameter synthesis SynCoP’14 37 / 52 1 mm Preliminaries: Signal Logic 40 Temporal 60 From LTL to STL Robust semantics 2 Parameter synthesis Property parameters Model parameters 80 100 120 40 60 3 Putting it all together: specification mining 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 38 / 52 Specification mining Consider the following automatic transmission system: mm 40 60 2 100RPM 80 ImprellerTorque Ti 1 throttle Throttle Ne EngineRPM Ne Engine speed gear gear CALC_TH Nout up_th 40 down_th ShiftLogic down_th run() up_th 120 3 gear Ti Tout OutputTorque Transmission Vehicle gear throttle ThresholdCalculation TransmissionRPM 60 2 VehicleSpeed 1 speed I What is the maximum speed that the vehicule can reach ? I 80is the minimum dwell time in a given gear ? What I etc Alexandre Donzé Putting it all together: specification mining SynCoP’14 39 / 52 Specification synthesis mm 40 60 80 100 120 The approach takes two major ingredients I I 40 PSTL to formulate template specifications A counter-example guided inductive synthesis loop alternating parameter synthesis and falsification 60 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 40 / 52 Template specification examples I mm 40 60 80 the speed is always below π1 and RPM below π2 100 120 ϕsp_rpm (π1 , π2 ) := G ( (speed < π1 ) ∧ (RPM < π2 ) ) . I 40 the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕrpm100 (τ, π) := ¬( F[0,τ ] (speed > 100) ∧ G(RPM < π)). I whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds 60 gear 6= 2 ∧ ϕstay (τ ) := G ⇒ G[ε,τ ] gear = 2 . F[0,ε] gear = 2 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 41 / 52 Template specification examples I mm 40 60 80 the speed is always below π1 and RPM below π2 100 120 ϕsp_rpm (π1 , π2 ) := G ( (speed < π1 ) ∧ (RPM < π2 ) ) . I 40 the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕrpm100 (τ, π) := ¬( F[0,τ ] (speed > 100) ∧ G(RPM < π)). I whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds 60 gear 6= 2 ∧ ϕstay (τ ) := G ⇒ G[ε,τ ] gear = 2 . F[0,ε] gear = 2 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 41 / 52 Template specification examples I mm 40 60 80 the speed is always below π1 and RPM below π2 100 120 ϕsp_rpm (π1 , π2 ) := G ( (speed < π1 ) ∧ (RPM < π2 ) ) . I 40 the vehicle cannot reach 100 mph in τ seconds with RPM always below π ϕrpm100 (τ, π) := ¬( F[0,τ ] (speed > 100) ∧ G(RPM < π)). I whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds 60 gear 6= 2 ∧ ϕstay (τ ) := G ⇒ G[ε,τ ] gear = 2 . F[0,ε] gear = 2 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 41 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← .7, π1 ← 2, π2 ← 3 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← 1.1, π1 ← 3.7, π2 ← 5 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Specification mining algorithm mm + e Controller 40 u 60 Plant Model 80 init 40Simulation Traces Counterexample Traces 120 Counterexample Found Candidate Specification FindParam 100 y FalsifyAlgo 60 τ1 ← 1.1, π1 ← 3.7, π2 ← 5 F[0,τ1 ] (x1 < π1 ∧ G[0,τ2 ] (x2 > π2 )) No Counterexample F[0,1.1] (x1 < 3.7 ∧ G[0,5] (x2 > 0.1)) 80 Template Specification Alexandre Donzé Inferred Specification Putting it all together: specification mining SynCoP’14 42 / 52 Results I I the speed is always below π1 and RPM below π2 mm 40 60 80 100 ϕsp_rpm (π1 , π2 ) := G ( (speed < π1 ) ∧ (RPM < π2 ) ) . the vehicle cannot reach 100 mph in τ seconds with RPM always below π 40 I 120 ϕrpm100 (τ, π) := ¬( F[0,τ ] (speed > 100) ∧ G(RPM < π)). whenever it shift to gear 2, it dwells in gear 2 for at least τ seconds gear 6= 2 ∧ ϕstay (τ ) := G ⇒ G[ε,τ ] gear = 2 . F[0,ε] gear = 2 60 Template ϕsp_rpm (π1 , π2 ) ϕrpm100 (π, τ ) ϕ80 rpm100 (τ, π) ϕstay (π) Alexandre Donzé Parameter values (155 mph, 4858 rpm) (3278.3 rpm, 49.91 s) (4997 rpm, 12.20 s) 1.79 s Fals. 197.2 267.7 147.8 430.9 Synth. s s s s 23.1 s 10.51 s 5.188 s 2.157 s Putting it all together: specification mining #Sim. Sat./x 496 709 411 1015 0.043 0.026 0.021 0.032 s s s s SynCoP’14 43 / 52 Results on Industrial-scale Model mm 40 60 80 100 4000+ Simulink blocks Look-up tables nonlinear dynamics 120 40 I Attempt to mine maximum observed settling time: I I stops after 4 iterations gives answer tsettle = simulation time horizon... 60 0 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 44 / 52 Results on Industrial-scale Model mm 40 60 80 100 120 0 40 I The 60 above trace found an actual (unexpected) bug in the model I The cause was identified as a wrong value in a look-up table 80 Alexandre Donzé Putting it all together: specification mining SynCoP’14 45 / 52 Conclusion and future work mm Summary 40 60 80 100 I Efficient parameter synthesis PSTL for monotonic formulas I Model parameter synthesis based on quantitative semantics I Parametric specification mining combining both 40 I Tools support: Breach toolbox 120 To dos I 60 synthesis for non-monotonic formulas ? Efficient I Better optimization algorithm for quantitative semantics I Beyond parameter synthesis (signals, formulas, systems) 80 Alexandre Donzé Conclusion and future work SynCoP’14 46 / 52
© Copyright 2026 Paperzz