cs/ids 142: lecture 2.2 safety properties
Post on 02-Nov-2021
2 Views
Preview:
TRANSCRIPT
CS/IDS 142: Lecture 2.2 Safety Properties
Richard M. Murray 9 October 2019
Goals: • Define safety properties, program invariants • New properties: next, stable, invariant
Reading: • P. Sivilotti, Introduction to Distributed Algorithms, Section 3.3
Richard M. Murray, Caltech CDSCS/IDS142, 7 Oct 2017
The ‘Stable’ PropertyDefinition: stable(P) • Informal: once P becomes true, it remains true
• Formally: stable(P) ≡ P next P
• Note: stable(P) does not mean that P is true for all (or even any) program executions
When do we use stable in a proof? • Termination: stable({p})
• Often combined with progress (Wed + W3) - Show that if we satisfy some conditions
then we eventually get to a good set of states (and stay there)
Some useful results (will prove on the homework) •
- Interpretation: if P is stable and Q is stable, then at the point that both of them are true, they will both remain true
• - Note: not true that
2
12
0
3
4
5
6
78
9P2
P1
stable(P ) _ stable(Q) =) stable(P _Q)
stable(P ) ^ stable(Q) =) stable(P _Q)
Pstable
Q
not stable
Richard M. Murray, Caltech CDSCS/IDS142, 7 Oct 2017
False
False
True
True
_____
_____
_____
_____
Reachable(P) is the smallest stable set that includes P • Reachable(P) = set of points that we can reach from states that satisfy predicate P
• Proof sketch (exercise: turn into a formal proof = sequence of implications/equivals) - Let Q = reachable(P). Clear that and stable(Q) - Suppose Q’ is a smaller set ( ) with and stable(Q’) -
• Algorithm for finding reachable(P): start with P add neighbors until you stop growing
Which of the following formulas are true?
3
There can be an edge from a vertex which is in Q and not in P to a vertex outside Q
Q0 ⇢ Q
Q0 ⇢ Q ^ stable(Q) =) Q = reachable(P ) ⇢ Q0 ) Q = Q0P ✓ Q0
P ✓ Q
Q
P
X
stable(P ) ^ (P ✓ Q) =) stable(Q)<latexit sha1_base64="fjgds2XncXRDRHG/DuYN/jVLzfw=">AAACL3icbVDJSgNBEO1xjXEb9eilMQjJJcxEwRwDgnhMwCyQCaGnU5M0mc3uGjUM+SMv/kouIop49S/sLAdNfNDweFWvuuq5sS8UWtabsba+sbm1ndnJ7u7tHxyaR8cNFSWSQ51HfiRbLlPgixDqKNCHViyBBa4PTXd4Pa03H0AqEYV3OIqhE7B+KDzBGWqpa944CE/oeqlCpj3jfLVAnUfo9YHmqzTrqMRVgHBPa1oXgV4JFF321ApdM2cVrRnoKrEXJEcWqHbNidOLeBJAiNxnSrVtK8ZOyiQKrkdmnURBzPiQ9aGtacgCUJ10du+YnmulR71I6hcinam/HSkLlBoFru4MGA7Ucm0q/ldrJ+iVO6kI4wQh5POPvMSnGNFpeLQnJHD0R5owLoXelfIBk4yjjjirQ7CXT14ljVLRviiWape5SnkRR4ackjOSJza5IhVyS6qkTjh5JhPyTj6MF+PV+DS+5q1rxsJzQv7A+P4BUwOolw==</latexit>
stable(P ) ^ (Q ✓ P ) =) stable(Q)<latexit sha1_base64="4y6iei0ELh9FknjteW1i3muapns=">AAACL3icbVDJSgNBEO1xjXEb9eilMQjJJcxEwRwDgnhMwCyQCaGnU5M0mc3uGjUM+SMv/kouIop49S/sLAdNfNDweFWvuuq5sS8UWtabsba+sbm1ndnJ7u7tHxyaR8cNFSWSQ51HfiRbLlPgixDqKNCHViyBBa4PTXd4Pa03H0AqEYV3OIqhE7B+KDzBGWqpa944CE/oeqlCpj3jfLVAnUfo9YHmazTrqMRVgHBPp7oI9Eqg6LKnVuiaOatozUBXib0gObJAtWtOnF7EkwBC5D5Tqm1bMXZSJlFwPTLrJApixoesD21NQxaA6qSze8f0XCs96kVSvxDpTP3tSFmg1ChwdWfAcKCWa1Pxv1o7Qa/cSUUYJwghn3/kJT7FiE7Doz0hgaM/0oRxKfSulA+YZBx1xFkdgr188ipplIr2RbFUu8xVyos4MuSUnJE8sckVqZBbUiV1wskzmZB38mG8GK/Gp/E1b10zFp4T8gfG9w9TEKiX</latexit>
8P : stable(reachable(P ))<latexit sha1_base64="eSVog4dsAYg9/UoPNKOUieT3Nbs=">AAACGHicbVDLSsNAFJ34rPUVdelmsAjtpiZVsLgquHEZwT6gCWUynbRDJw9mbsQS+hlu/BU3LhRx251/47TNQlsvDBzOuefOvcdPBFdgWd/G2vrG5tZ2Yae4u7d/cGgeHbdUnErKmjQWsez4RDHBI9YEDoJ1EslI6AvW9ke3M739yKTicfQA44R5IRlEPOCUgKZ65oUbxJIIgZ0b7IYEhn6QKSDaPim7wJ4g09PocEE4lUrPLFlVa154Fdg5KKG8nJ45dfsxTUMWARVEqa5tJeBlRAKnembRTRVLCB2RAetqGJGQKS+bHzbB55rpY72hfhHgOfvbkZFQqXHo687Z7mpZm5H/ad0UgrqX8ShJgUV08VGQCgwxnqWE+1wyCmKsAaGS612xDkESCjrLog7BXj55FbRqVfuyWru/KjXqeRwFdIrOUBnZ6Bo10B1yUBNR9Ixe0Tv6MF6MN+PT+Fq0rhm55wT9KWP6A4E1oAQ=</latexit>
(P ✓ Q) ^ stable(Q) =) reachable(P ) ⇢ Q<latexit sha1_base64="izLwbfshu0NmUEzJWYzuWutQvtQ=">AAACO3icbVDLSsNAFJ34tr6qLt0MFqFuSqKCXRbcuGzFqtCUMpnc1MFMEmdulBL6X278CXdu3LhQxK17J00Fbb1w4XDOfR4vCYVG2362Zmbn5hcWl5ZLK6tr6xvlza0LHaeKQ5vHYayuPKYhFBG0UWAIV4kCJr0QLr2bk1y/vAOlRRyd4yCBrmT9SASCMzRUr3xWbVJXp54GhFva2qfuPfh9oK5keO0FmUZmRg2ruSKkuQh0oSmZmT38upCb+z9TaKtXrtg1exR0GjhjUCHjaPbKT64f81RChDxkWnccO8FuxhQKboaX3FRDwvgN60PHwIhJ0N1s9PuQ7hnGp0GsTEZIR+zvjoxJrQfSM5X52XpSy8n/tE6KQb2biShJESJeLArSkGJMcyOpLxRwDAcGMK6EuZUaNxTjaOwuGROcyZenwcVBzTmsHbSOKo362I4lskN2SZU45Jg0yClpkjbh5IG8kDfybj1ar9aH9VmUzljjnm3yJ6yvbxPprYU=</latexit>
Richard M. Murray, Caltech CDSCS/IDS142, 7 Oct 2017
What are some stable properties for this program? [assume α = 1/2]
• ? - No what if x1 = 5, x2 = 10
• ? - No what if x1 = 5, x2 = 10, x3 = 50
• ?
- Yes This shows that all numbers will remain bounded
• ?
- Yes Can actually show that the average is constant (so we get equality)___
___
___
___
Examples: Properties for Average Consensus
4
Program AverageConsensus
constant N {number of agents}G {interconnection graph}
var x : array of N numbers
assign�8i, j : j 2 Ni : x[i] := ↵x[i] + (1� ↵)x[j]
|| x[j] := ↵x[j] + (1� ↵)x[i])�
stable(xi maxi
x0i )
stable(xi + xj x0i + x0
j )
stable(xi x0i )
stable�(+i : 0 i N � 1 : xi) (+i : 0 i N � 1 : x0
i )�
<latexit sha1_base64="jxDuOBGXTZRJSsUB7GKL70Ki8zw=">AAACSHicfVDLSgMxFM3UV62vqks3wSK0iGWmCoqrohtXUsE+oFOHTJppQzMPkzvSMvTz3Lh05ze4caGIO9PHQlvxQsjJueckN8eNBFdgmi9GamFxaXklvZpZW9/Y3Mpu79RUGEvKqjQUoWy4RDHBA1YFDoI1IsmI7wpWd3uXo379gUnFw+AWBhFr+aQTcI9TAppyso4NrA+ulygg2jO0Xd4R+fwhx+fYxLZg95hPtusjS3N9hxcm5380d6ZWjW6SBSebM4vmuPA8sKYgh6ZVcbLPdjuksc8CoIIo1bTMCFoJkcCpni9jx4pFhPZIhzU1DIjPVCsZBzHEB5ppYy+UegWAx+xPR0J8pQa+q5U+ga6a7Y3Iv3rNGLyzVsKDKAYW0MlDXiwwhHiUKm5zySiIgQaESq5nxbRLJKGgs8/oEKzZL8+DWqloHRdLNye58sU0jjTaQ/sojyx0isroClVQFVH0iF7RO/ownow349P4mkhTxtSzi35VKvUNbAusrQ==</latexit>
If time, add proof of the last property here?
Richard M. Murray, Caltech CDSCS/IDS 142, 9 Oct 2017
The ‘Invariant’ PropertyA predicate P is invariant if it is always true
• Invariants are a critical part of proofs; establish thekey properties that a problem always satisfies
• Invariants are not unique; a program can havemany invariants
Some examples of useful invariants • Amount of memory required is less than M • Values of a variable (eg, address register) is in a given range
Proving properties about invariants comes down to evaluating Hoare triples
Example: • For average consensus,
Reachability and invariants • Recall that reachable(P) is the smallest stable set of vertices that includes P. Hence:
5
invariant(P ) ⌘ initially(P ) ^ stable(P )
initially(P ) ^ (8a : a 2 G : {P} a {P})
P
initX
invariant�(+i : 0 i N � 1 : xi) = (+i : 0 i N � 1 : x0
i )�
<latexit sha1_base64="REgRBZri3puoUjT8+rEwmz4PVWg=">AAACSnicfVBNSwMxFMzWqrV+VT16CRahRSy7VVAEoeDFk1SwKnTX5W2araHZ7JpkxVL6+7x48uaP8OJBES9m2x78woGQYea9l7wJEs6Utu0nKzeVn56ZLcwV5xcWl5ZLK6vnKk4loS0S81heBqAoZ4K2NNOcXiaSQhRwehH0jjL/4pZKxWJxpvsJ9SLoChYyAtpIfgncCPR1EA6YuAXJQOihG7Aur+DKFsMH2MYupzeYja+Tbcdodz6r4sP/C67sKs4GyapfKts1ewT8mzgTUkYTNP3So9uJSRpRoQkHpdqOnWhvAFIzwumw6KaKJkB60KVtQwVEVHmDURRDvGmUDg5jaY7QeKR+7RhApFQ/Ckxltrj66WXiX1471eG+Z1JKUk0FGT8UphzrGGe54g6TlGjeNwSIZOavmFyDBKJN+kUTgvNz5d/kvF5zdmr1091yY38SRwGtow1UQQ7aQw10jJqohQi6R8/oFb1ZD9aL9W59jEtz1qRnDX1DLv8JCQaszA==</latexit>
invariant(I) =) reachable(init) ✓ I<latexit sha1_base64="qX9XiDBWWf1V1RpP02je5Cmslcs=">AAACNXicbVC7SgNBFJ31GeMramkzGITYhF0VtAzYGLCIYB6QhDA7uZsM7syuM3eFsOSnbPwPKy0sFLH1F5w8BE28cOFwzn0ePw6FQdd9cRYWl5ZXVjNr2fWNza3t3M5uzUSJ5lDlURjphs8MhEJBFQWG0Ig1MOmHUPdvL0Z6/R60EZG6wUEMbcl6SgSCM7RUJ3fVkgz7fpAKdc+0YAqHhfIRbQlpt4OhY1nL1M7kfWanDgs/lFACh7bUJL4BhDta7uTybtEdB50H3hTkyTQqndxTqxvxRIJCHjJjmp4bYztlGgW3q7KtxEDM+C3rQdNCxSSYdjr+ekgPLdOlQaRtKqRj9ndHyqQxA+nbytHFZlYbkf9pzQSD87Z9L04QFJ8sCpKQYkRHFtKu0MAxHFjAuBb2Vmq90YyjNTprTfBmX54HteOid1I8vj7Nl86ndmTIPjkgBeKRM1Iil6RCqoSTB/JM3si78+i8Oh/O56R0wZn27JE/4Xx9A3UDrP8=</latexit>
invariant�reachable(init)
�<latexit sha1_base64="MUnQ1loDK2MfmNYQ3udOstkcopg=">AAACKXicbVDLSgMxFM3UV62vUZduBovQbspMFeyy4MZlBfuAtpRMmmlDk8yQ3CmUYX7Hjb/iRkFRt/6I6bSCtl4IHM499+ae40ecaXDdDyu3sbm1vZPfLeztHxwe2ccnLR3GitAmCXmoOj7WlDNJm8CA006kKBY+p21/cjPvt6dUaRbKe5hFtC/wSLKAEQyGGtj1nsAw9oOEySlWDEtIez4b8VLGK5GYZWSMzbpS4YdikkFaznSqPLCLbsXNylkH3hIU0bIaA/ulNwxJLKgEwrHWXc+NoJ9gBYxwmhZ6saYRJhM8ol0DJRZU95PMaepcGGboBKEyT4KTsb8nEiy0ngnfKOfH6tXenPyv140hqPWNsygGKsnioyDmDoTOPDZnyBQlwGcGYKKYudUxsShMwIRbMCF4q5bXQata8S4r1burYr22jCOPztA5KiEPXaM6ukUN1EQEPaAn9IrerEfr2Xq3PhfSnLWcOUV/yvr6BjzIqGI=</latexit>
Richard M. Murray, Caltech CDSCS/IDS 142, 9 Oct 2017
Which of the following formulas are true?
6
True
False
Transition from Q to NOT QFalse
P Q
init
P Q
initinit
______
______
______
Q
P
init
Richard M. Murray, Caltech CDSCS/IDS 142, 9 Oct 2017
Example: FindMaxLet M. = max(A[x]). Prove that r ≤ M is an invariant
7
{ definition of stable }
{ definition of next }
______________________
________________________
r ≤ M ⇒ max(r, A[x]) ≤ M) { x ≤ max(x, y) }
Richard M. Murray, Caltech CDSEECI, Mar 09
Defensive Zone
0
a b
c
i j
α(j) is too far down for i to get
RoboFlag Control Protocol
=
Richard M. Murray, Caltech CDSEECI, Mar 2011
Safety (Defenders do not collide)
Stability (switch predicate stays false)
Progress (we eventually reach a fixed point) • Let ρ be the number of blue robots that are too far away to reach their red robots
• Let β be the total number of conflicts in the current assignment • Define the metric that captures “energy” of current state (V = 0 is desired)
• Can show that V always decreases whenever a switch occurs
Properties for RoboFlag program
Robots are "far enough" apart.
10
V =⇤�
n
2
⇥+ 1
⌅⇥ + � � =
n⇥
i=1
n⇥
j=i+1
⇥(i, j) where ⇥(i, j) =
�1 if x�(i) > x�(j)
0 otherwise� =
n�
i=1
r(i, i)
next ¬switchi,i+1
zi < zi+1 next zi < zi+1
next V < m
Next week
Richard M. Murray, Caltech CDSIFAC World Congress 2014
What Goes Wrong: ZA002, Nov 2010
11
Loss of primary electrical power => cockpit goes “dark”
Ram Air Turbine (RAT) deployed and allows safe landing
Richard M. Murray, Caltech CDSCS 142, 2 Oct 2017
Summary: Reasoning About Programs
Initial tools for reasoning about program properties • UNITY approach: assume that any (enabled)
command can be run at any time
• Hoare triple: show that all (enabled) actions satisfying a predicate P will imply a predicate Q
• “Lift” Hoare triple to define next:
• Stability: stable(P) ≡ P next P
• Invariants:
12
P
1
2
0
3
4
5
6
7
8
9
Q
P
a1 a2
a1
a1
Hoare triple: {P} a {Q}
P next Q stable(P)
invariant(P ) ⌘ initially(P ) ^ stable(P )
top related