Input Synthesis for Sampled Data Systems by Program Logic

Takumi Akazaki, Ichiro Hasuo
Department of Computer Science, The University of Tokyo, Japan
[email protected], [email protected]

Kohei Suenaga
Graduate School of Informatics, Kyoto University, Japan
[email protected]

Abstract. Inspired by a concrete industry problem we consider the input synthesis problem for hybrid systems: given a hybrid system that is subject to input from outside (also called disturbance or noise), find an input sequence that steers the system to the desired postcondition. In this paper we focus on sampled data systems—systems in which a digital controller interrupts a physical plant in a periodic manner, a class commonly known in control theory—and furthermore assume that a controller is given in the form of an imperative program. We develop a structural approach to input synthesis that features forward and backward reasoning in program logic for the purpose of reducing a search space. Although the examples we cover are limited both in size and in structure, experiments with a prototype implementation suggest the potential of our program logic based approach.

1 Introduction

Cyber-physical systems (CPS)—integration of digital control with physical environments—are gaining yet more and more importance, with cars, airplanes and all others controlled by computers. Hybrid systems capture one of the crucial aspects of CPS, by focusing on the combination of continuous flow dynamics and discrete jump dynamics. Quality assurance of hybrid systems is therefore a big concern in industry as well as in academia.

In this paper we study the input synthesis problem of hybrid systems: given a hybrid system that is subject to input from outside (also commonly called disturbance or noise), we aim to find an input sequence that steers the system to the desired postcondition. Our interest in input synthesis stems from the following concrete problem; it was provided by our research partner in the car manufacturing industry as a prototype of the problems they often encounter in their design process.

Example 1.1.
In the system below in Fig. 1, the controller interrupts the plant (a car) once every second and manages the velocity v of the car. The controller chooses one mode m_i and the plant operates in that mode for one second, after which the value of v is fed back to the controller via the sensor. The problem is to come up with an initial state of the whole system together with an input sequence i_0 ··· i_999, such that:
• (precondition) the initial state satisfies cnt = 0 and x ∈ [−0.1, 0.1]; and
• (postcondition) after 1000 seconds, the system satisfies cnt = 100.

The input synthesis problem can arise in many different contexts in quality assurance of hybrid systems. One example is testing: the desired postcondition is the trigger for some countermeasure (e.g. a fuse) against a certain extremity (the countermeasure is outside the model); and we seek input (i.e. a test case) that drives the system to activating the countermeasure. The input sequence thus discovered in the model can be fed to the physical realization of the system to see if the countermeasure works properly.

M. Bujorianu (Ed.) and R. Wisniewski (Ed.): 4th Workshop on Hybrid Autonomous Systems 2014 (HAS 2014). EPTCS 174, 2015, pp. 22–39, doi:10.4204/EPTCS.174.3. © T. Akazaki, I. Hasuo & K. Suenaga. This work is licensed under the Creative Commons Attribution License.

Figure 1: A hybrid system (sensor → controller → plant → sensor, organized in a loop).
  Controller:  if xs then cnt := cnt + 1 else cnt := 0;
               switch  cnt < 25: xa := m1  |  25 ≤ cnt < 50: xa := m2  |  50 ≤ cnt: xa := m3
  Sensor:      xs (Boolean) : ‖v − i‖ ≤ 0.25 ?   (input i ∈ R)
  Plant:       m1: v̇ = 0.02(−v + 19),   m2: v̇ = 0.02(−v + 5),   m3: v̇ = 0.02(−v + 4)

This paper contributes an algorithm for solving the input synthesis problem. Its novelty is the use of program logic: we make the most of the structures expressed in the digital controller given in the form of a program.
In fact, a likely human effort for the problem in Example 1.1 is:

(∗) "for the system to have cnt = 100 at time k = 1000, the Boolean value x_s must be true from k = 900 through k = 999, and ...";

this is nothing but reasoning in program logic and is included in our proposed algorithm.

More specifically, we restrict our attention to a class of hybrid systems commonly called sampled data systems. One such system consists of a physical plant, a digital controller that periodically interrupts the plant (for simplicity we assume a fixed interval), and a sensor that feeds the state of the plant back to the controller. This structural assumption—restrictive yet realistic—allows us to think of the behaviors of such systems very much as the semantics of programs, and enables forward and backward reasoning in program logic. In our algorithm for solving the input synthesis problem, reasoning in program logic (like the above (∗)) contributes to the reduction of the search space. Indeed our prototype implementation successfully solves the problem in Example 1.1.

Related Work. The closest to the current work is one by Zutshi, Sankaranarayanan and Tiwari [17], where they verify safety properties of sampled data systems. Their model is more expressive, in that a plant can autonomously change its modes without interruption by a controller. While their goal is reachability analysis and is different from the current paper's, their relational abstraction technique can be useful in our algorithm, too, in particular for the forward approximation phase.

SMT-solver based approaches [6,8] to hybrid system analysis are related, too, especially in their emphases on discrete jump dynamics rather than continuous flow. Their effectiveness in the input synthesis problem is not yet clear, though: the only available implementation (that of dReal [8]) returned 'unsat' to Example 1.1.

More generally, an important feature of our modeling is that a digital controller is given in the form of a program, unlike an automaton used in a majority of existing work (including [8,17]).
The contrast is comparable to the difference between the theorem proving (or type-based) approach and software model checking in program verification. While there have been results [11,12] that suggest these two approaches are equivalent on a fundamental level, differences do remain especially in applications. In our proposed algorithm it is an advantage that we can exploit rich structural information that is explicit in a program in inferring impossibility (false) more quickly.

The backward search phase of our algorithm resembles a membership question addressed in the seminal work by Alur et al. [2]. Since our plant (flow) dynamics is not necessarily linear, it is not easy to see how the results in [2] can be used in our problem. They could nevertheless be applied to meta-properties of the problem such as complexity.

Fainekos and his colleagues have developed several techniques for analyzing robustness of hybrid systems. Among them is a tool called S-Taliro [3]: it searches for a trajectory by optimization that relies on the continuous nature of the system dynamics. It is possible to encode the input synthesis problem into an input to S-Taliro. However our leading example (Example 1.1), of a jump-heavy nature, seems to fall out of the tool's focus (it timed out with a smaller problem of 15, not 1000, time units).

Several techniques for testing hybrid systems have been proposed [1,4,5,7,10]. Although they synthesize test cases and therefore seem similar to what we do here, their goal is to meet certain coverage criteria (such as star discrepancy in [5]) and not to come up with input that steers the system to a specific desired postcondition.

The current work is on logical analysis of hybrid systems; and in that respect it is close to Platzer's recent series of work (see e.g. [13]) where dynamic logic is extended in a systematic way so that it encompasses continuous dynamics too.
Also related is the work [14,15] by some of the authors where: flow is turned into jump with the help of nonstandard analysis; and (discrete) program logic is applied as it is to hybrid systems.

Future Work. In this paper we applied program logic to the specific problem of input synthesis. We believe the technique has a greater potential and plan to look at other applications.

The current implementation can only handle continuous plants of dimension 1. Its extension to larger dimensions seems feasible. Specifically, the forward approximation phase of our algorithm will be unproblematic, while in the backward search phase we will have to give up completeness.

Currently our modeling of a sampled data system has a fixed clock cycle. It does not seem hard to accommodate variable intervals; such an extension as well as its use is a topic of our future work.

Our modeling benefits a lot from the assumption that the controller communicates with the plant and the sensor using finite data types. Some hybrid systems do call for relaxation of this assumption in their modeling; it is our future work to see how the current input synthesis algorithm carries over to such relaxation.

Organization of the Paper. In §2 we introduce our modeling of sampled data systems and formalize the input synthesis problem. In §3 we describe our algorithm, explaining its three phases one by one. In §4 our implementation is described, together with the experimental results. The proofs are deferred to the appendix.

Acknowledgments. We are grateful to the reviewers of an earlier version for their useful comments and suggestions. T.A. and I.H. are supported by Grants-in-Aid for Young Scientists (A) No. 24680001, and by Aihara Innovative Mathematical Modeling Project, FIRST Program, JSPS/CSTP; K.S. is supported by Grants-in-Aid for Young Scientists (B) No. 70633692 and The Hakubi Project of Kyoto University.

Notations. R is the set of real numbers; B = {tt, ff} is the set of Boolean values. We let f[x_0 ↦ y_0] denote function update: it carries x_0 to y_0 and acts as f on the other input.
2 Modeling Sampled Data Systems

2.1 Overview

Sampled data systems are a class of hybrid systems commonly known in control theory. In those systems a physical plant is interrupted by a digital controller in a periodic manner. In the current paper where our interests are in input synthesis, it is convenient to explicitly separate the third component called a sensor. The three components are then organized in a loop, as shown on the right in (1).

(1) [diagram: the loop sensor → controller → plant → sensor, with the sensor also taking input from outside the system]

In the execution of sampled data systems thus modeled, we refer to the three stages in which the sensor, the controller, and the plant operate, respectively, as the sense, think, and act stages. Note that the sensor also takes input from outside the system. For simplification we further assume the following.

1. A (digital) controller is written in an imperative programming language.
2. In the execution of a sampled data system, the sense-think-act loop is executed at fixed intervals—once every one second.¹
3. The sense and control stages take no time for their execution.
4. The controller governs the plant by picking a mode, from a finite set {m_1, ..., m_M}. In particular, the controller cannot feed the plant with a continuous value r.
5. In the act stage the plant operates according to (the ODE associated with) the mode m_i picked by the controller. The act stage lasts for one second (a fact that follows from 2. and 3.).
6. The data sent from the sensor to the controller is finitely many Boolean values.

¹ The clock cycle can be an arbitrary number ∆; in this paper we assume ∆ = 1 for simplicity.

While there are many actual systems that fall out of the realm of this modeling, it does cover fairly many—among which are fixed interval digital controllers, a class of hybrid systems ubiquitous in industry. Sampled data systems, especially under the above assumptions, come to exhibit pleasant structural properties: their behaviors are much like those of programs and we can apply forward and backward reasoning in program logic.

Assumptions 2. and 3. are common (see e.g. [17]). For example, Assumption 3. is reasonable considering the speed of digital circuits and typical sensing intervals (∆ ≈ 1 ms). Assumptions 4. and 6.—that the controller communicates via finite data types—are essential in reducing the input synthesis problem to a search problem.

2.2 The Language IMP_Ctrl

We start with defining an imperative programming language IMP_Ctrl that is used to describe the (digital) controller of a sampled data system. It is a standard one and is much like IMP in [16], but lacks the while construct. It is indeed unrealistic to have while loops in real-time applications like cyber-physical systems. Moreover, without while loops we can succinctly express weakest preconditions and strongest postconditions—the latter are fully exploited in our algorithm for input synthesis.

In IMP_Ctrl the set Var = Var_t ∪ Var_s ∪ Var_a of variables is divided into three classes: the think, sense and act variables. The distinction is for the purpose of communicating with the other two components (plant and sensor) of a system. As we will see, a think variable x_t ∈ Var_t stores a real number (which will be a floating-point number in an actual implementation); a sense variable x_s ∈ Var_s represents a Boolean value sent from the sensor; and the (only) act variable x_a in Var_a = {x_a} tells the plant which mode m_i the plant should take in the coming interval.

Definition 2.1 (the language IMP_Ctrl). Let Modes = {m_1, ..., m_M} be a fixed finite set of modes; Var_t be a countable set of think variables; Var_s be a finite set of sense variables; and Var_a = {x_a}. The syntax of IMP_Ctrl is as follows.

  AExp ∋ a ::= r | x_t | a_1 aop a_2                                         arithmetic expr.
  BExp ∋ b ::= true | false | x_s | a_1 rop a_2 | ¬b | b_1 ∨ b_2 | b_1 ∧ b_2   Boolean expr.
  Cmd  ∋ c ::= skip | x_t := a | x_a := m_i | c_1 ; c_2 | if b then c_1 else c_2   commands

Here r ∈ R, m_i ∈ Modes, x_t ∈ Var_t, x_s ∈ Var_s, aop ∈ {+, −, ×} and rop ∈ {=, <, ≤, >, ≥}.

The semantics of IMP_Ctrl is as usual, like in [16]. See Def. A.1 for details.

2.3 Assertions for IMP_Ctrl

We now introduce an assertion language for IMP_Ctrl.
Its formulas are used to express pre- and postconditions in the input synthesis problem, as well as in program logic. The semantics of the first-order language Assn_Ctrl is as usual. See Def. A.2.

Definition 2.2 (the assertion language Assn_Ctrl). We fix a set Var′ of "logical" variables such that Var ∩ Var′ = ∅. The assertion language Assn_Ctrl is defined as follows.

  AExp ∋ a ::= r | x_t | v′ | a_1 aop a_2                                  arithmetic expressions
  MExp ∋ m ::= m_i | x_a                                                   mode expressions
  Fml  ∋ Φ ::= true | false | x_s | a_1 rop a_2 | m = m | ¬Φ |
               Φ_1 ∨ Φ_2 | Φ_1 ∧ Φ_2 | ∀v′ ∈ R. Φ | ∃v′ ∈ R. Φ               formulas

Here r ∈ R, m_i ∈ Modes, x_t ∈ Var_t, x_s ∈ Var_s, and v′ ∈ Var′. Intuitively, σ ∈ Σ is a valuation that depends on the state of a sampled data system; and γ ∈ R^{Var′} is another valuation of (logical) variables in Assn_Ctrl.

2.4 Calculi for Weakest Preconditions and Strongest Postconditions

We introduce program logic for IMP_Ctrl in the form of a weakest precondition calculus (see e.g. [16]) and a strongest postcondition calculus (see e.g. [9]). The calculi will be exploited for the search space reduction in input synthesis.

Definition 2.3 (weakest precondition w⟦c, Φ⟧; strongest postcondition s⟦c, Φ⟧). Given c ∈ Cmd of IMP_Ctrl and Φ ∈ Fml of Assn_Ctrl, we define a formula w⟦c, Φ⟧ ∈ Fml inductively on c.

\[
\begin{aligned}
w\llbracket \mathtt{skip},\Phi\rrbracket &\equiv \Phi, &
w\llbracket c_1;c_2,\Phi\rrbracket &\equiv w\llbracket c_1,\, w\llbracket c_2,\Phi\rrbracket\rrbracket,\\
w\llbracket x_t := a,\Phi\rrbracket &\equiv \Phi[a/x_t], &
w\llbracket x_a := m_i,\Phi\rrbracket &\equiv \Phi[m_i/x_a],\\
w\llbracket \mathtt{if}\ b\ \mathtt{then}\ c_1\ \mathtt{else}\ c_2,\Phi\rrbracket &\equiv (b \wedge w\llbracket c_1,\Phi\rrbracket) \vee (\neg b \wedge w\llbracket c_2,\Phi\rrbracket);
\end{aligned}
\tag{2}
\]

A formula s⟦c, Φ⟧ ∈ Fml is defined as follows, similarly by induction.
\[
\begin{aligned}
s\llbracket \mathtt{skip},\Phi\rrbracket &\equiv \Phi, &
s\llbracket c_1;c_2,\Phi\rrbracket &\equiv s\llbracket c_2,\, s\llbracket c_1,\Phi\rrbracket\rrbracket,\\
s\llbracket x_t := a,\Phi\rrbracket &\equiv \exists v' \in \mathbb{R}.\ (\Phi[v'/x_t] \wedge x_t = a[v'/x_t]), \\
s\llbracket x_a := m_i,\Phi\rrbracket &\equiv (\Phi[m_1/x_a] \vee \cdots \vee \Phi[m_M/x_a]) \wedge x_a = m_i, \\
s\llbracket \mathtt{if}\ b\ \mathtt{then}\ c_1\ \mathtt{else}\ c_2,\Phi\rrbracket &\equiv s\llbracket c_1,\, b \wedge \Phi\rrbracket \vee s\llbracket c_2,\, \neg b \wedge \Phi\rrbracket.
\end{aligned}
\tag{3}
\]

In our implementation, Assn_Ctrl is restricted to its propositional fragment for tractability. The quantifier in (3) is thus immediately eliminated using the quantifier elimination mechanism in Mathematica. The third line in (3) is essentially the same as the second; there we can dispense with a quantifier ∃ since Modes = {m_1, ..., m_M} is a finite set.

Proposition 2.4. For any σ ∈ Σ and γ ∈ R^{Var′},
1. (weakest precondition) σ, γ ⊨ w⟦c, Φ⟧ if and only if ⟦c⟧(σ), γ ⊨ Φ;
2. (strongest postcondition) σ, γ ⊨ Φ if and only if ⟦c⟧(σ), γ ⊨ s⟦c, Φ⟧.

2.5 Modeling Sampled Data Systems, Formally

We present the formal definition of our modeling of sampled data systems, under the assumptions in §2.1.

Definition 2.5 (sampled data system). Let n be a natural number, and I ⊆ R^n be a fixed set called the input domain. An n-dimensional sampled data system is a triple S = (c, p, s) where:
• c ∈ Cmd is a command of IMP_Ctrl (§2.2), called a controller;
• p = (ẋ = p_{m_i}(t, x))_{m_i ∈ Modes} is a family of (explicit, n-dimensional) ODEs indexed by Modes = {m_1, ..., m_M}, called a plant; and
• s : R^n × I → B^{Var_s} is a function, called a sensor.

A state of a sampled data system is a pair (σ, x) of σ ∈ Σ and x ∈ R^n. In a state (σ, x), the component σ is called a controller state (C-state), and x a plant state (P-state). The dimension n refers to that of the (continuous) plant, meaning that x and ẋ in the plant p = (ẋ = p_{m_i}(t, x))_{m_i ∈ Modes} are vectors in R^n.

Example 2.6 (count and brake). In Fig. 2 is a simplification of Example 1.1; this will be our running example. The value v is intended to be the velocity of a car.
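The weakest precondition calculus of Def. 2.3, eq. (2), is purely syntactic, and Prop. 2.4(1) says that evaluating w⟦c, Φ⟧ in a C-state agrees with running c and evaluating Φ afterwards. The following is an added example, not code from the paper, that implements (2) as substitution over a small AST and checks Prop. 2.4(1) on the controller of Example 2.6 (Fig. 2 below). The tuple encoding of the syntax and all function names are this example's own; the controller program and the mode names Acl and Brk are those of Fig. 2.

```python
# Added example (not the paper's code): the weakest precondition calculus of
# Def. 2.3, eq. (2), as syntactic substitution over a small AST for IMP_Ctrl,
# plus a check of Prop. 2.4(1) by executing the controller of Example 2.6.
# The tuple encoding of syntax and every function name are this example's own.

# Arithmetic expr.: ('r', 2.0) | ('x', 'cnt') | ('+', a1, a2)  (also '-', '*')
# Mode expr.:       ('xa',) | ('m', 'Acl')
# Formulas:         ('true',) | ('false',) | ('xs', 'xs') | ('<', a1, a2)
#                   (also '=', '<=', '>', '>=') | ('eqmode', m1, m2)
#                   | ('not', F) | ('and', F, G) | ('or', F, G)
# Commands:         ('skip',) | ('assign', 'cnt', a) | ('modeassign', 'Acl')
#                   | ('seq', c1, c2) | ('if', b, c1, c2)

OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '*': lambda a, b: a * b,
       '=': lambda a, b: a == b, '<': lambda a, b: a < b, '<=': lambda a, b: a <= b,
       '>': lambda a, b: a > b, '>=': lambda a, b: a >= b}

def subst(phi, var, term):
    """phi[term/var]; no binders occur in the propositional fragment used here."""
    if not isinstance(phi, tuple):
        return phi
    if phi[0] == 'x' and phi[1] == var:      # think variable x_t
        return term
    if phi[0] == 'xa' and var == 'xa':       # the act variable x_a
        return term
    return (phi[0],) + tuple(subst(p, var, term) for p in phi[1:])

def wp(c, phi):
    """w[[c, Phi]] following eq. (2) clause by clause."""
    k = c[0]
    if k == 'skip':
        return phi
    if k == 'seq':
        return wp(c[1], wp(c[2], phi))
    if k == 'assign':                         # x_t := a    ->  Phi[a/x_t]
        return subst(phi, c[1], c[2])
    if k == 'modeassign':                     # x_a := m_i  ->  Phi[m_i/x_a]
        return subst(phi, 'xa', ('m', c[1]))
    if k == 'if':
        b, c1, c2 = c[1:]
        return ('or', ('and', b, wp(c1, phi)), ('and', ('not', b), wp(c2, phi)))
    raise ValueError(k)

def ev(e, sigma):
    """Evaluate an expression or formula in the C-state sigma (a dict)."""
    k = e[0]
    if k in ('r', 'm'): return e[1]
    if k in ('x', 'xs'): return sigma[e[1]]
    if k == 'xa': return sigma['xa']
    if k == 'true': return True
    if k == 'false': return False
    if k == 'not': return not ev(e[1], sigma)
    if k == 'and': return ev(e[1], sigma) and ev(e[2], sigma)
    if k == 'or': return ev(e[1], sigma) or ev(e[2], sigma)
    if k == 'eqmode': return ev(e[1], sigma) == ev(e[2], sigma)
    return OPS[k](ev(e[1], sigma), ev(e[2], sigma))

def execute(c, sigma):
    """[[c]](sigma): big-step execution; IMP_Ctrl has no loops, so it terminates."""
    sigma = dict(sigma)
    k = c[0]
    if k == 'skip': return sigma
    if k == 'seq': return execute(c[2], execute(c[1], sigma))
    if k == 'assign': sigma[c[1]] = ev(c[2], sigma); return sigma
    if k == 'modeassign': sigma['xa'] = c[1]; return sigma
    if k == 'if': return execute(c[2] if ev(c[1], sigma) else c[3], sigma)
    raise ValueError(k)

# The controller of Example 2.6 (Fig. 2):
#   if xs then cnt := cnt + 1 else cnt := 0;  if cnt < 2 then xa := Acl else xa := Brk
CTRL = ('seq',
        ('if', ('xs', 'xs'),
               ('assign', 'cnt', ('+', ('x', 'cnt'), ('r', 1))),
               ('assign', 'cnt', ('r', 0))),
        ('if', ('<', ('x', 'cnt'), ('r', 2)),
               ('modeassign', 'Acl'),
               ('modeassign', 'Brk')))
BRAKES = ('eqmode', ('xa',), ('m', 'Brk'))   # postcondition "the plant brakes"

def brakes_from(cnt, xs):
    """Does w[[CTRL, x_a = Brk]] hold in the C-state (cnt, xs)?  Unfolding (2) by
    hand gives xs and cnt + 1 >= 2: the backward reasoning called (*) in Section 1."""
    return ev(wp(CTRL, BRAKES), {'cnt': cnt, 'xs': xs, 'xa': 'Acl'})

def check_prop_2_4():
    """Prop. 2.4(1) on a grid of C-states: sigma |= w[[c,Phi]] iff [[c]](sigma) |= Phi."""
    return all(ev(wp(CTRL, BRAKES), s) == ev(BRAKES, execute(CTRL, s))
               for s in ({'cnt': c, 'xs': xs, 'xa': 'Acl'}
                         for c in range(4) for xs in (True, False)))
```

`wp` never simplifies: the formula it returns for `BRAKES` contains the literal disjunct `(0 < 2) ∧ (Acl = Brk)` for the else-branch, which is why the paper's implementation restricts Assn_Ctrl to the propositional fragment and hands the result to a simplifier; here the formula is only evaluated, so its size does not matter.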
Figure 2: A sampled data system (running example).
  Controller:  if xs then cnt := cnt + 1 else cnt := 0;
               if cnt < 2 then xa := Acl else xa := Brk
  Sensor:      xs (Boolean) : v + i ≥ 1 ?   (input i ∈ [−0.2, 0.2])
  Plant:       Acl: v̇ = (2 − v) log 2,   Brk: v̇ = −0.5

The example follows a pattern of fixed interval controllers commonly used in industry. Namely, a counter cnt is used to tell if an extremity (v + i ≥ 1) has continued for a certain critical number of intervals (2 here). If cnt reaches the critical number a countermeasure is taken: the plant is set to the braking mode (Brk) and the velocity v decreases. Otherwise the plant operates in the acceleration mode (Acl), which is a first-order lag system where the velocity v approaches 2.

The system takes input i—whose domain is assumed to be [−0.2, 0.2]—that models disturbance from outside. For example, the road can be slippery, which can make the actual velocity v different from the value that is used by the controller.

2.6 Semantics of Sampled Data Systems

We formally define the semantics of a sampled data system. Our current concern is not so much the solution of ODEs as the interaction between a controller and a plant. Therefore we adopt the following black-box view of a plant.

Definition 2.7 (execPlant(p, x)). In what follows we assume that all the ODEs used for a plant have unique solutions. That is, for any n-dimensional ODE ẋ = p(t, x) and an initial value x_0 ∈ R^n, we assume that there exists a unique function F : [0, 1] → R^n such that: F(0) = x_0; and for any t ∈ [0, 1], Ḟ(t) = p(t, F(t)).

By execPlant(p, x_0) we denote the state of the plant ẋ = p(t, x) at time t = 1, assuming that the initial state (at time t = 0) is x_0. That is, execPlant(p, x_0) = F(1) where F is the function in the above.

In our implementation we actually use the result of numerical calculations (by MATLAB) as the value execPlant(p, x), ignoring numerical errors.

Definition 2.8 (semantics of a sampled data system). Let S = (c, p, s) be a sampled data system.
The one-step transition is a ternary relation → among two states (σ, x), (σ′, x′) and an input i ∈ I; this is denoted by (σ, x) →^{i} (σ′, x′). It is defined as follows. We have (σ, x) →^{i} (σ′, x′) if (σ′, x′) = (act_S ∘ think_S ∘ sense_S)(σ, x, i), where the three functions are defined by:

\[
\begin{aligned}
\mathrm{sense}_S &: \Sigma \times X \times I \to \Sigma \times X, & (\sigma, x, i) &\mapsto \bigl(\sigma[x_s \mapsto s(x,i)(x_s)],\ x\bigr);\\
\mathrm{think}_S &: \Sigma \times X \to \Sigma \times X, & (\sigma, x) &\mapsto \bigl(\llbracket c \rrbracket(\sigma),\ x\bigr);\\
\mathrm{act}_S &: \Sigma \times X \to \Sigma \times X, & (\sigma, x) &\mapsto \bigl(\sigma,\ \mathrm{execPlant}(p_{\sigma(x_a)}, x)\bigr).
\end{aligned}
\tag{4}
\]

Here ⟦c⟧ is as in Def. A.1. It is clear that, given a state (σ, x) and i ∈ I, the post-state (σ′, x′) such that (σ, x) →^{i} (σ′, x′) is uniquely determined. A succession (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ··· →^{i_{T−1}} (σ_T, x_T) of one-step transitions is called a run of the system S.

A specification of a state of a sampled data system is given by a pair of an assertion formula (on the controller) and a subset of R^n (on the plant).

Definition 2.9 (CP-condition). Let S = (c, p, s) be an n-dimensional sampled data system. A controller-plant condition (CP-condition) for S is a pair (Φ, X) of an assertion Φ ∈ Fml called the controller condition and a condition X ⊆ R^n called the plant condition. The projection to each component is denoted by π_C and π_P respectively.

Given a state (σ, x) ∈ Σ × R^n of S and a CP-condition (Φ, X), we write (σ, x) ⊨ (Φ, X) if σ ⊨ Φ and x ∈ X. (Φ, X) is satisfiable if there is a state that satisfies it.

2.7 The Input Synthesis Problem for Sampled Data Systems

Definition 2.10 (input synthesis problem). The input synthesis problem is:
given:
• S = (c, p, s), an n-dimensional sampled data system;
• (Φ_init, X_init) and (Φ_final, X_final), a pre- and a post-CP-condition; and
• T ∈ N, the number of steps,
return:
• an initial state (σ_0, x_0) ∈ Σ × R^n such that (σ_0, x_0) ⊨ (Φ_init, X_init); and
• an input sequence i_0, ..., i_{T−1} ∈ I such that, for the corresponding run (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ··· →^{i_{T−1}} (σ_T, x_T) of S, we have (σ_T, x_T) ⊨ (Φ_final, X_final).

Example 2.11. Let S be the sampled data system in Example 2.6. Consider a pre-CP-condition (cnt = 0, [0, 1]) and a post-CP-condition (true, [1.5, 2]) and T = 4 as the number of steps. In the input synthesis problem, we seek an initial state (σ_0, x_0) and an input sequence i_0, i_1, i_2, i_3 ∈ [−0.2, 0.2] such that

  (σ_0, x_0) ⊨ (cnt = 0, [0, 1]),   (σ_0, x_0) →^{i_0} (σ_1, x_1) →^{i_1} ··· →^{i_3} (σ_4, x_4)   and   (σ_4, x_4) ⊨ (true, [1.5, 2]).

3 An Algorithm for Input Synthesis for Sampled Data Systems

In this section we present our algorithm. We identify the core of the input synthesis problem to be the discovery of suitable input and output of the controller at each step. More specifically, we seek a successful path

\[
\overrightarrow{(\sigma_s, m)} := \bigl\langle (\sigma_s^{(T-1)}, m^{(T-1)}),\ (\sigma_s^{(T-2)}, m^{(T-2)}),\ \dots,\ (\sigma_s^{(0)}, m^{(0)}) \bigr\rangle
\tag{5}
\]

where σ_s^{(k)} : Var_s → B is a valuation of sense variables—which shall be henceforth called sensor output—and m^{(k)} ∈ Modes is a mode.² Together with an initial state (σ_0, x_0), the sensor output σ_s^{(k)} determines the behavior of the controller, and the mode m^{(k)} determines that of the plant, at each step k. Therefore a path like in (5) determines the behavior of the whole sampled data system from step 0 through step T; a "successful" path is then one that steers the given precondition to the given postcondition.

Towards the discovery of a successful path, our approach is to exploit the program logic in §2.4—i.e. to make the most of the structure of the controller as a program. In our modeling of sampled data systems (§2) we have made assumptions so that the program-logic approach is possible.

Concretely, our algorithm consists of the following three phases.

1. (Forward approximation) We overapproximate the set of CP-states that the system can reach, starting from the pre-CP-condition (Φ_init, X_init) and going forward step by step. This first phase is seen as a preparation for the second (main) phase.
2. (Backward search) A successful path (5) will be a path in a so-called backward search tree.
   Its branching degree is 2^{|Var_s|} × |Modes|; its nodes are labeled with CP-conditions; and its root is labeled with the post-CP-condition (Φ_final, X_final). We search for a successful path in the tree, in a depth-first manner.
3. (Synthesis of actual input) We choose an initial state (σ, x) and go on to synthesize an input sequence i_0, ..., i_{T−1}, using the successful path (σ_s, m)→ discovered in the previous phase. This can be done in a straightforward linear manner.

The second phase (backward search) is where an actual (depth-first) search is done. Program logic is used there to prune branches and reduce the search space.

² Note that time is reversed in (5). This is purely for the purpose of presentation.

3.1 Forward Approximation

In this phase of the algorithm, we overapproximate the behavior of the given sampled data system and obtain a sequence (k-FA(Φ_init, X_init))_{0 ≤ k ≤ T} of CP-conditions. These are obtained iteratively as follows.

Notation 3.1 (s^{−1}). Let S = (c, p, s) be an n-dimensional sampled data system; I be its input domain; and σ_s ∈ B^{Var_s} be sensor output. We abuse notation and denote by s^{−1}(σ_s) the set of plant states that can be "steered" to σ_s. Precisely, s^{−1}(σ_s) := {x ∈ R^n | ∃i ∈ I. s(x, i) = σ_s}.

For example, let σ_s be such that σ_s(x_s) = tt in the setting of Example 2.6. We have s^{−1}(σ_s) = {x ∈ X | ∃i ∈ [−0.2, 0.2]. x + i ≥ 1} = [0.8, ∞).

Definition 3.2 (1-FA, k-FA). Let S = (c, p, s) be a sampled data system. Let us first define the functions 1-FApre_sense, 1-FApre_think and 1-FApre_act as follows. Their types should be obvious.

\[
\begin{aligned}
1\text{-}\mathrm{FApre}_{\mathrm{sense}}(\sigma_s)(\Phi, X) &:= \bigl( s\llbracket x_s := \sigma_s(x_s),\ \Phi \rrbracket,\ X \cap s^{-1}(\sigma_s) \bigr),\\
1\text{-}\mathrm{FApre}_{\mathrm{think}}(\Phi, X) &:= \bigl( s\llbracket c,\ \Phi \rrbracket,\ X \bigr),\\
1\text{-}\mathrm{FApre}_{\mathrm{act}}(m)(\Phi, X) &:= \bigl( \Phi \wedge x_a = m,\ \mathrm{execPlant}(p_m, X) \bigr).
\end{aligned}
\tag{6}
\]

Here s⟦c, Φ⟧ in the second line is the strongest postcondition (Def. 2.3); execPlant(p_m, X) in the third line is the direct image of X ⊆ R^n by the function in Def.
2.7; and s⟦x_s := σ_s(x_s), Φ⟧ in the first line is defined as follows, similarly to Def. 2.3.

\[
s\llbracket x_s := \sigma_s(x_s),\ \Phi \rrbracket :\equiv
\begin{cases}
(\Phi[\mathtt{true}/x_s] \vee \Phi[\mathtt{false}/x_s]) \wedge x_s & \text{if } \sigma_s(x_s) = \mathtt{true}\\
(\Phi[\mathtt{true}/x_s] \vee \Phi[\mathtt{false}/x_s]) \wedge \neg x_s & \text{if } \sigma_s(x_s) = \mathtt{false}
\end{cases}
\]

These three functions are composed to yield:

\[
1\text{-}\mathrm{FApre}(\sigma_s, m)(\Phi, X) := 1\text{-}\mathrm{FApre}_{\mathrm{act}}(m)\bigl( 1\text{-}\mathrm{FApre}_{\mathrm{think}}\bigl( 1\text{-}\mathrm{FApre}_{\mathrm{sense}}(\sigma_s)(\Phi, X) \bigr) \bigr);
\]

this is understood as the strongest postcondition after the one-step execution of S, assuming that the sensor output σ_s and the mode m have been chosen.

Finally, the one-step forward approximation function is defined as the following disjunction/union over different σ_s and m:

\[
1\text{-}\mathrm{FA}(\Phi, X) := \Bigl( \bigvee_{(\sigma_s, m) \in M} \pi_C\bigl( 1\text{-}\mathrm{FApre}(\sigma_s, m)(\Phi, X) \bigr),\ \bigcup_{(\sigma_s, m) \in M} \pi_P\bigl( 1\text{-}\mathrm{FApre}(\sigma_s, m)(\Phi, X) \bigr) \Bigr),
\tag{7}
\]
\[
\text{where } M := \{ (\sigma_s, m) \in \mathbb{B}^{\mathrm{Var}_s} \times \mathrm{Modes} \mid 1\text{-}\mathrm{FApre}(\sigma_s, m)(\Phi, X) \text{ is satisfiable} \}.
\]

The projections π_C and π_P, as well as satisfiability of CP-conditions, are from Def. 2.9.

We write k-FA(Φ, X) for (1-FA)^k(Φ, X). The sequence (k-FA(Φ_init, X_init))_{0 ≤ k ≤ T} of CP-conditions is called the forward approximation sequence for S.

As an example we present forward approximation for Example 2.11. The first one-step approximation (from k = 0 to 1) is shown below, stage by stage.

(8)
  k = 0:   (cnt = 0, [0, 1])
  sense:   x_s ↦ tt: (cnt = 0 ∧ x_s, [0.8, 1])                x_s ↦ ff: (cnt = 0 ∧ ¬x_s, [0, 1])
  think:   (cnt = 1 ∧ x_a = Acl ∧ x_s, [0.8, 1])              (cnt = 0 ∧ x_a = Acl ∧ ¬x_s, [0, 1])
  act:     Acl: (cnt = 1 ∧ x_a = Acl ∧ x_s, [1.4, 1.5])       Acl: (cnt = 0 ∧ x_a = Acl ∧ ¬x_s, [1, 1.5])
           Brk: (false, [0.3, 0.5])                           Brk: (false, [−0.5, 0.5])
  unify:   k = 1:   (cnt = 0 ∨ cnt = 1, [1, 1.5])

Observe that we have four CP-conditions after the act stage (the fourth column from the left in the original diagram). Each of them corresponds to a choice of (σ_s, m).
Two among the four CP-conditions are unsatisfiable and hence discarded (i.e. they are not in M); the remaining two are unified and yield 1-FA(cnt = 0, [0, 1]) in the rightmost column.³

By continuing further we obtain the forward approximation sequence shown below in (9), presented pictorially.

(9) [pictorial figure of the forward approximation sequence for Example 2.11; not recoverable from the extraction]

For the completeness of our algorithm we need to prove that our forward approximation is indeed an over-approximation.

Proposition 3.3. Let i_0, ..., i_{k−1} ∈ I be any input sequence; (σ, x) →^{i_0} ··· →^{i_{k−1}} (σ′, x′) be a run of S; and (σ, x) ⊨ (Φ, X). Then (σ′, x′) ⊨ k-FA(Φ, X).

3.2 Backward Search

In this phase of the algorithm we search for a successful path (σ_s, m)→ of sensor output and modes—i.e. one that steers an initial state to a desired postcondition. The search is conducted in a backward depth-first manner in a tree called the backward search tree.

For the input synthesis problem, it is not necessary to construct the whole backward search tree: finding a leaf whose CP-condition is compatible with the precondition suffices. We will use program logic (§2.4)—and the forward approximation sequence obtained in the previous phase—in pruning branches and reducing the search space.

Definition 3.4 (backward search tree). Given an input synthesis problem, its backward search tree is a tree with branching degree 2^{|Var_s|} × |Modes| and with height T + 1. The nodes of the tree are defined inductively as follows.
• The root of the tree is labeled with the postcondition (Φ_final, X_final).

³ Our approximation can be finer: in (8), in the unification stage, the correlation between a C-condition and a P-condition is forgotten by separately taking the disjunction of C-conditions and the union of P-conditions (see (7)). Finer approximation, however, makes the approximants grow much bigger and slows down the backward search phase of the algorithm.
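The following is an added example, not code from the paper, that serves two passages at once: the one-step transition (4) of Def. 2.8 on the running example (a run of Fig. 2 can be checked against Example 2.11), and the forward approximation of Def. 3.2, eqs. (6)–(7), with the over-approximation property of Prop. 3.3 checked on a concrete run. Since the controller has one sense variable and one counter, a CP-condition is abstracted here as a pair (set of possible values of cnt, closed interval of v); the controller condition x_a = m of the act stage is handled by keeping only the (cnt, mode) pairs the controller can produce. The closed-form solutions of the two ODEs (Acl: v(1) = 1 + v_0/2; Brk: v(1) = v_0 − 0.5) are derived here and replace the paper's numerical execPlant; the union of plant intervals in (7) is taken as their hull, which is a slightly coarser over-approximation than the paper's set union. All function names are this example's own.

```python
# Added example (not the paper's code): the one-step transition (4) of Def. 2.8
# for the running example of Fig. 2, a check of candidates for Example 2.11,
# and the forward approximation 1-FA / k-FA of Def. 3.2, eqs. (6)-(7), with a
# CP-condition abstracted as (set of possible cnt values, interval of v).
# Closed-form plant solutions and all names here are this example's own.
import math

ACL, BRK = 'Acl', 'Brk'
I_LO, I_HI = -0.2, 0.2                         # input domain I of Example 2.6

def exec_plant(mode, v):
    """execPlant(p_mode, v) of Def. 2.7 via closed-form solutions (derived here):
    Acl: v' = (2 - v) log 2  =>  v(t) = 2 - (2 - v0) 2^(-t), so v(1) = 1 + v0/2;
    Brk: v' = -0.5           =>  v(1) = v0 - 0.5."""
    return 1.0 + v / 2.0 if mode == ACL else v - 0.5

def sense(v, i):
    """Sensor of Fig. 2: x_s := (v + i >= 1)."""
    return v + i >= 1.0

def think(cnt, xs):
    """Controller of Fig. 2; returns the new cnt and the mode written to x_a."""
    cnt = cnt + 1 if xs else 0
    return cnt, (ACL if cnt < 2 else BRK)

def step(cnt, v, i):
    """(sigma, x) --i--> (sigma', x')  =  act o think o sense, eq. (4)."""
    cnt, mode = think(cnt, sense(v, i))
    return cnt, exec_plant(mode, v)

def run(cnt0, v0, inputs):
    """A run of Def. 2.8: the states (cnt_k, v_k) for k = 0..T."""
    states = [(cnt0, v0)]
    for i in inputs:
        if not I_LO <= i <= I_HI:
            raise ValueError("input outside the input domain")
        states.append(step(*states[-1], i))
    return states

def solves_example_2_11(v0, inputs):
    """Is (cnt = 0, v0) with this input sequence a solution of Example 2.11?
    pre (cnt = 0, [0, 1]), post (true, [1.5, 2]), T = 4."""
    if not (0.0 <= v0 <= 1.0 and len(inputs) == 4):
        return False
    return 1.5 <= run(0, v0, inputs)[-1][1] <= 2.0

# --- forward approximation (Def. 3.2) ----------------------------------------

def s_inverse(xs):
    """s^{-1}(sigma_s) of Notation 3.1 as an interval: some i in I gives v+i >= 1
    iff v >= 0.8; some i gives v+i < 1 iff v < 1.2 (closed here for simplicity)."""
    return (0.8, math.inf) if xs else (-math.inf, 1.2)

def intersect(a, b):
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo <= hi else None

def one_fa_pre(cnts, X, xs, mode):
    """1-FApre(sigma_s, m)(Phi, X) of (6); None when the result is unsatisfiable."""
    X = intersect(X, s_inverse(xs))                       # sense stage
    if X is None:
        return None
    after_think = {think(c, xs) for c in cnts}           # think stage: s[[c, Phi]]
    new_cnts = {c for c, m in after_think if m == mode}  # act stage: Phi and x_a = m
    if not new_cnts:
        return None                                      # the "false" entries of (8)
    # both plant maps are increasing in v, so the image of an interval is an interval
    return frozenset(new_cnts), (exec_plant(mode, X[0]), exec_plant(mode, X[1]))

def one_fa(cnts, X):
    """1-FA(Phi, X) of (7): disjunction of C-conditions and union (here: hull)
    of P-conditions over the satisfiable choices M of (sigma_s, m)."""
    pres = []
    for xs in (True, False):
        for m in (ACL, BRK):
            r = one_fa_pre(cnts, X, xs, m)
            if r is not None:
                pres.append(r)
    cs = frozenset().union(*(c for c, _ in pres))
    return cs, (min(lo for _, (lo, _) in pres), max(hi for _, (_, hi) in pres))

def k_fa(cnts, X, k):
    """The forward approximation sequence (j-FA(Phi, X))_{0 <= j <= k}."""
    seq = [(frozenset(cnts), X)]
    for _ in range(k):
        seq.append(one_fa(*seq[-1]))
    return seq

def run_within_fa(states, fa_seq):
    """Prop. 3.3: each state of a run satisfies the corresponding k-FA."""
    return all(c in cs and lo <= v <= hi
               for (c, v), (cs, (lo, hi)) in zip(states, fa_seq))
```

Running `k_fa({0}, (0.0, 1.0), 1)` reproduces the unification row of (8), namely ({0, 1}, [1, 1.5]), and `run(0, 0.5, [0, 0, 0, -0.2])` is one run that ends in [1.5, 2] after four steps, with every intermediate state inside the corresponding k-FA as Prop. 3.3 requires.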

