### End-to-End Verification of Initial & Transition Properties of GR(1) Designs in SPARK Laura Humphrey, James Hamil AFRL, Aerospace Systems Directorate, Autonomous Controls Branch (AFRL/RQQA) Joffrey Huguet AdaCore September 2020 ### Outline - GR(1) specifications & synthesis - "End-to-end" verification in this context - SPARK for end-to-end verification of synthesized GR(1) designs - Case study: Multi-vehicle controller - Results on a corpus of GR(1) specifications - Summary: lessons learned & future work ### GR(1) Specifications - GR(1) or Generalized Reactivity(1) specifications - Describe reactive systems that respond to an environment - Subset of linear temporal logic - General form: $\varphi_e \to \varphi_s$ - Interpreted as two-player game between system & environment - Environment e goes first, controls "input" variables from set ${\mathcal I}$ - System s goes second, controls "output" variables from set $\mathcal O$ - Are "realizable" if system strategy/design exists such that - System can satisfy $arphi_s$ after each step environment satisfies $arphi_e$ - Environment is forced to violate $\varphi_e$ - Result is "controller" with states S encoding strategy/design $c: S \times \Sigma_{\mathcal{I}} \mapsto S \times \Sigma_{\mathcal{O}}$ ### GR(1) Specifications as Properties $\varphi^e \& \varphi^s$ each broken into initial, transition, & liveness property terms $$\varphi_i^e \wedge \varphi_t^e \wedge \varphi_l^e \rightarrow \varphi_i^s \wedge \varphi_t^s \wedge \varphi_l^s$$ ### Temporal operators $\bigcirc$ – "next" $\square$ – "always" $\square\Diamond$ – "always eventually" ### Property term definitions $\varphi_i^e, \varphi_i^s$ - Initial : Boolean formulas over $\mathcal{I} \& \mathcal{O}$ , respectively $\varphi_t^e, \varphi_t^s$ - Transition : $\bigwedge_{i \in J} \Box B_i$ , where each $B_i$ is a Boolean formula over • Variables from $\mathcal{I} \cup \mathcal{O}$ • Expressions $\bigcirc v$ , where $v \in \mathcal{I}$ for $\varphi_t^e \& v \in \mathcal{I} \cup \mathcal{O}$ for $\varphi_t^s$ $\varphi_l^e$ , $\varphi_l^s$ - Liveness : $\bigwedge_{i \in J} \Box \Diamond B_j$ , where each $B_j$ is a Boolean formula over $\mathcal{I} \cup \mathcal{O}$ ### GR(1) Example - Consider a traffic light - Input: "tick" - Outputs: "red," "yellow," "green" - Output changes when "tick" is true, stays the same when "tick" is false - Ex. 1: red, red, red, ... - Ex. 2: red, yellow, green, red, ... - Ex. 3: red, red, yellow, yellow, green, green, ... - Environment properties $$\varphi_i^e = \top \quad \varphi_t^e = \top \quad \varphi_l^e = \Box \Diamond tick$$ System initial & liveness properties $$\varphi_i^s = red \land \neg yellow \land \neg green$$ $$\varphi_l^s = \Box \Diamond green$$ System transition properties ### Mutual exclusion $$\varphi_s^t = \Box \bigcirc ((red \land \neg yellow \land \neg green) \lor (\neg red \land yellow \land \neg green) \lor (\neg red \land \neg yellow \land green)) \land$$ ### Change on tick $$\Box ((red \land \bigcirc tick \rightarrow \bigcirc green) \land \\ (green \land \bigcirc tick \rightarrow \bigcirc yellow) \land \\ (yellow \land \bigcirc tick \rightarrow \bigcirc red)) \land$$ ### No change without tick $$\Box ((red \land \bigcirc \neg tick \rightarrow \bigcirc red) \land \\ (green \land \bigcirc \neg tick \rightarrow \bigcirc green) \land \\ (yellow \land \bigcirc \neg tick \rightarrow \bigcirc yellow))$$ ### GR(1) & Synthesis - Given a GR(1) specification, we can - Verify design satisfies it - Efficiently synthesize design directly from it - Ref. [1] contains proof synthesis procedure is "correct-by-construction" - Synthesis tools exist for different domains<sup>[2-6]</sup>: robotic systems, hybrid systems, multi-agent systems, digital circuits, etc. - Only a few generate software implementations of synthesized designs ### GR(1) Synthesis & End-to-End Verification - Question: If synthesis from GR(1) specifications is "correct-by-construction," why care about end-to-end verification? - Answer: Three possible sources of errors - Theoretical "proof" of the synthesis procedure<sup>[7-8]</sup> - Implementation of the synthesis procedure - Translation of a synthesized design to a software implementation ### GR(1) Synthesis & End-to-End Verification - Question: If synthesis from GR(1) specifications is "correct-by-construction," why care about end-to-end verification? - Answer: Three possible sources of errors - Theoretical "proof" of the synthesis procedure<sup>[7-8]</sup> - Implementation of the synthesis procedure - Translation of a synthesized design to a software implementation - Additional answer: specification errors # AFRL SPARK for End-to-End Verification of GR(1) Designs ### SPARK for End-to-End Verification of GR(1) Designs - SPARK<sup>[9-10]</sup> is - Programming language based on Ada - Associated set of auto-active verification tools - Our goal - Translate synthesized GR(1) designs to SPARK - Verify SPARK implementations satisfy original specifications - Our broad approach - Modify tool Salty<sup>[6]</sup> to generate SPARK implementations & annotations needed for SPARK to automatically verify implementations against specifications - Perform synthesis & verification on examples from many sources<sup>[2-6]</sup> - Limitations - Currently only address initial & transition properties: $\varphi_i^e \wedge \varphi_t^e \to \varphi_i^s \wedge \varphi_t^s$ ### SPARK Implementation of GR(1) Design: Summary - Multiple inputs wrapped in Environment record - Multiple outputs wrapped in System record - Synthesized design implemented as type Controller - Has field to store state - Has fields to store most recent input & output values (for evaluating transition properties with "next" operator) - Type Controller has Move procedure that takes inputs & produces outputs - Functions Env\_Init, Env\_Trans, Sys\_Init, Sys\_Trans to evaluate $\varphi_i^e, \varphi_t^e, \varphi_i^e, \varphi_t^s, \varphi_t^s$ - Function Is Init to check whether Controller is in initial state ### SPARK Implementation of GR(1) Design: Proof Notes - Preconditions & postconditions on Move encode $\varphi_i^e \wedge \varphi_t^e \to \varphi_i^s \wedge \varphi_t^s$ - In GR(1) designs, each state corresponds to unique set of input & output values. - Define Type\_Invariant for Controller over Boolean functions State\_To\_Input\_Mapping & State\_To\_Output\_Mapping - This is the only thing SPARK needed to automatically prove Move postconditions - "Ghost" code versus executable code - Is\_Init, Env\_Init, Env\_Trans executable so user can monitor for violations of $\varphi_e$ - Sys\_Init, Sys\_Trans, State\_To\_Input\_Mapping, State\_To\_Output\_Mapping are "ghost" code mainly used for proof ### SPARK Implementation of GR(1) Design: Traffic Light - Let's briefly walk through parts of synthesized traffic light design in SPARK - Omit Salty-formatted specifications & stick with mathematical representation - Briefly note Salty has features that make GR(1) specifications easier to write - Use of enumeration & integer types for inputs & outputs - Arithmetic operators in specifications with integer types - User-defined macros Enumeration & integer types retained in synthesized SPARK implementations ### SPARK package specification for the synthesized traffic light design ``` package TrafficLight with SPARK Mode is type Controller is private; type System is record red: Boolean; yellow: Boolean; green: Boolean; end record: function Is Init(C: Controller) return Boolean; function Env Init(tick: Boolean) return Boolean is (True); function Sys Init(S: System) return Boolean is (S.red and not S.yellow and not S.green) with Ghost; function Env Trans(C: Controller; tick: Boolean) return Boolean with Pre => (not Is Init(C)); function Sys Trans(C: Controller; tick: Boolean; S: System) return Boolean with Pre => (not Is Init(C)), Ghost; procedure Move(C: in out Controller; tick: in Boolean; S: out System) with Pre => (if Is Init(C) then Env Init(tick) else Env Trans(C, tick)), Contract Cases => (Is Init(C) => Sys Init(S) and (not Is Init(C)), others => Sys Trans(C'Old, tick, S) and (not Is Init(C))); private subtype State Num is Integer range 1 .. 7; function State To Input Mapping(C: Controller) return Boolean with Ghost; function State To Output Mapping(C: Controller) return Boolean with Ghost; type Controller is record State: State Num := State Num'Last; tick: Boolean; S: System; end record: with Type Invariant => (State To Input Mapping(Controller) and State To Output Mapping(Controller)); end TrafficLight; ``` ### SPARK body for the Move procedure for the synthesized traffic light design ``` procedure Move(C: in out Controller; tick: in Boolean; S: out System) is begin case C.State is when 1 => case tick is when False => C.State := 1; C.S.red := True; C.S.yellow := False; C.S.green := False; when True => C.State := 3; C.S.red := False; C.S.yellow := False; C.S.green := True; when others => raise Program Error; end case; . . . when 7 => case tick is when False => C.State := 1; C.S.red := True; C.S.yellow := False; C.S.green := False; when True => C.State := 2; C.S.red := True; C.S.yellow := False; C.S.green := False; when others => raise Program Error; end case; end case; C.tick := tick; S := C.S; end Move; ``` ### Case Study: Multi-Vehicle Controller - Team of "friendly"/system unmanned air vehicles (UAVs) evading "enemy"/environment UAV - One friendly UAV is a "Very Important Person" or VIP - Two friendly "surveillance" UAVs must "protect" & "escort" the VIP - Map is divided into five regions - "Protection": VIP is never in the same region as the enemy - "Escorting": VIP can only move - Into region previously visited/ surveilled by a surveillance UAV - Surveillance UAV moves with it - Certain regions only reachable from Region 3 - Enemy UAV must infinitely often leave certain regions - VIP must infinitely often move to certain regions ### Specification Inputs & Outputs | Inputs | | | | |---------|---------------------------|--|--| | $loc_e$ | - enemy<br>location | | | | $sr_i$ | - location $i$ surveilled | | | THE AIR FORCE RESEARCH LABORATORY 20 ### **Environment Specifications** $$\varphi_{e}^{i} = (loc_{e} = 4) \land \neg sr_{1} \land \neg sr_{2} \land sr_{3} \land \neg sr_{4} \land sr_{5}$$ $$\varphi_{e}^{t} = \bigwedge_{i=\{1...5\}} \Box \Big( (loc_{s1} = i) \lor (loc_{s2} = i) \to \bigcirc sr_{i} \Big) \land$$ $$\bigwedge_{i=\{1...5\}} \Box \Big( (\neg (loc_{s1} = i) \land \neg (loc_{s2} = i) \land \neg sr_{i} \to \bigcirc \neg sr_{i} ) \land$$ $$(sr_{i} \to \bigcirc sr_{i}) \Big) \land$$ $$\Box \neg (loc_{e} = 1) \land \Box \neg (loc_{e} = 2)$$ $$\varphi_{e}^{l} = \Box \lozenge \neg (loc_{e} = 3) \land \Box \lozenge \neg (loc_{e} = 4) \land \Box \lozenge \neg (loc_{e} = 5)$$ | Inputs | | | | |---------|---------------------------|--|--| | $loc_e$ | - enemy<br>location | | | | $sr_i$ | - location $i$ surveilled | | | | Outputs | | | | | |------------|---|------------------------------------------|--|--| | $loc_v$ | - | VIP location | | | | $loc_{si}$ | - | Surveillance<br>UAV <i>i</i><br>location | | | | $vTrack_i$ | - | Surveillance UAV $i$ is tracking VIP | | | ### System Specifications $$\begin{array}{ll} \varphi_{s}^{i} = & (loc_{v} = 2) \land (loc_{s1} = 3) \land (loc_{s2} = 5) \land \neg vTrack_{1} \land \neg vTrack_{2} \\ \varphi_{s}^{t} = & \Box \Big( \neg (loc_{v} = \bigcirc loc_{v}) \rightarrow (\bigcirc vTrack_{1} \lor \bigcirc vTrack_{2}) \Big) \land \\ & \bigwedge_{i=\{1...2\}} \Box \Big( vTrack_{i} \rightarrow (sloc_{i} = loc_{v}) \Big) \land \\ & \bigwedge_{i=\{1...5\}} \Box \Big( (loc_{v} = i) \rightarrow \neg (loc_{e} = i) \Big) \land \\ & \bigwedge_{i=\{v,s1,s2\}} \Box \Big( (\bigcirc (loc_{i} = 1) \rightarrow (loc_{i} = 1) \lor (loc_{i} = 2) \lor (loc_{i} = 3)) \land \\ & (\bigcirc (loc_{i} = 2) \rightarrow (loc_{i} = 1) \lor (loc_{i} = 2) \lor (loc_{i} = 3)) \land \\ & (\bigcirc (loc_{i} = 3) \rightarrow \bigvee_{j=\{1...5\}} (loc_{i} = j)) \land \\ & (\bigcirc (loc_{i} = 4) \rightarrow (loc_{i} = 3) \lor (loc_{i} = 4) \lor (loc_{i} = 5)) \land \\ & (\bigcirc (loc_{i} = 5) \rightarrow (loc_{i} = 3) \lor (loc_{i} = 4) \lor (loc_{i} = 5)) \end{pmatrix} \\ \varphi_{s}^{l} = \Box \Diamond (loc_{v} = 1) \land \Box \Diamond (loc_{v} = 5) \end{array}$$ ### $loc_e$ - enemy location $sr_i$ - location i surveilled ## $\begin{array}{c|c} & \text{Outputs} \\ loc_v & \text{-} & \text{VIP location} \\ loc_{si} & \text{-} & \text{Surveillance} \\ & & \text{UAV } i \\ & & \text{location} \\ \\ vTrack_i & \text{-} & \text{Surveillance} \\ & & \text{UAV } i \text{ is} \\ & & \text{tracking VIP} \\ \end{array}$ ### Case Study: Results - Previously synthesized Python controller, interfaced it to OpenUxAS<sup>[11-12]</sup> to implement low-level UAV behaviors, simulated in OpenAMASE<sup>[13]</sup> - Implementation in SPARK found undetected issue! - Issue was part of specification for $\varphi_t^e$ : $\Box \neg (loc_e = i)$ for $i = \{1, 2\}$ - Specification should be written $\varphi_t^e$ : $\square \bigcirc \neg (loc_e = i)$ for $i = \{1, 2\}$ - Reason: $\Box \neg p$ not the same as $\Box \bigcirc \neg p$ - If environment chooses p for next time step, does not violate $\Box \neg p$ in current time step - However, it necessarily violates $\Box \neg p$ in next time step - $\varphi_t^e$ should have terms of the form $\Box \bigcirc \neg p$ , not $\Box \neg p$ - Salty now produces warning in this case - In Python implementation, result was states with no successors, leading to runtime errors after reaching those states ### SPARK Implementation of GR(1) Design: Summary - Pulled 40 examples from GR(1) repos<sup>[2-6]</sup>: Salty, Slugs, Anzu, TuLiP, LTLMoP - Plot shows CPU time for 33 examples with up to 4000 controller transitions - 7 examples with more transitions required too much memory (not plotted) - 2 examples had errors because of unusually large specifications - 2 examples only partially proven: - One with ~2000 transitions - One with Integer terms & arithmetic operators in specification Found the same type of specification error as UAV case study in one Anzu example ### **Lessons Learned** - "End-to-end" SPARK verification found issue due to $\Box \neg p$ vs. $\Box \bigcirc \neg p$ - Case statement more efficient proof-wise than Map for controller logic - SPARK Maps have complete axiomatization, adds verification conditions - During initialization, must prove each added key/input value not already contained - After initialization, must prove every possible transition covered - Case statements automatically imply these things - Case statements have some issues: - Large/verbose - Underlying prover must reason about all alternatives at once - Still better than Map in our application, but maybe not for others - Some examples had no inputs, vacuous precondition Pre => True - Took abnormally long time to verify - Clearly could be encoded more efficiently ### **Future Work** - Investigate liveness properties - SPARK hypothetically can solve required bounded model checking problem - Other option: annotate code & use external model checker - Look at decomposition of Move procedure to handle larger examples - Fix encoding of controllers with no inputs to speed up proof - Investigate why example with Integer types & arithmetic operators takes longer than expected to prove in SPARK ### Full Paper For more details, see: Humphrey, L. R., Hamil, J., Huguet, J.: "End-to-End Verification of Initial and Transition Properties of GR(1) Designs in SPARK," In: Int. Conf. Software Engineering and Formal Methods (SEFM), 2020. ### References - 1. Bloem, R., Jobstmann, B., Piterman, N., Pnueli, A., Yaniv, S.: 7. Davis, J. A., Humphrey, L. R., Kingston, D. B.: When Human Synthesis of Reactive(1) designs. J. Computer and System Sciences 78(3), 911–938 (2012) - 2. Ehlers, R., Raman, V.: Sluas: Extensible GR(1) synthesis. In: Int. Conf. Computer Aided Verification (CAV), pp. 333-339. Springer (2016) - 3. Finucane, C., Jina, G., Kress-Gazit, H.: LTLMoP: Experimenting with language, temporal logic and robot control. In: IEEE/RSJ Int. Conf. Intelligent Robots and Systems (IROS), pp. 1988–1993, IEEE (2010) - 4. Wongpiromsarn, T., Topcu, U., Ozay, N., Xu, H., Murray, R.M.: TuLiP: A software toolbox for receding horizon temporal logic planning. In: Int. Conf. Hybrid Systems: Computation and Control (HSCC), pp. 313–314, ACM (2011) - 5. Jobstmann, B., Galler, S., Weiglhofer, M., Bloem, R.: Anzu: A tool for property synthesis. In: Int. Conf. Computer Aided Verification (CAV), pp. 258–262. Springer (2007) - 6. Elliott, T., Alshiekh, M., Humphrey, L.R., Pike, L., Topcu, U.: Salty-a domain specific language for GR(1) specifications and designs. In: 2019 Int. Conf. Robotics and Automation (ICRA), pp. 4545–4551, IEEE (2019) - Intuition Fails: Using Formal Methods to Find an Error in the "Proof" of a Multi-agent Protocol. In: Int. Conf. Computer Aided Verification (CAV), pp. 366-375, Springer (2019) - 8. Siegel, S. F.: What's wrong with on-the-fly partial order reduction. In: Int. Conf. Computer Aided Verification (CAV), pp. 478-495, Springer (2019) - 9. J. W. McCormick & P. C. Chapin, Building High Integrity Applications with SPARK, Cambridge University Press, 2015. - 10. AdaCore, "Introduction to SPARK," learn.adacore.com, 2018. - 11. Rasmussen, S., Kingston D., Humphrey, L.: A Brief Introduction to Unmanned Systems Autonomy Services (UxAS). In: Int. Conf. Unmanned Aircraft Systems (ICUAS). IEEE (2018) - 12. OpenUxAS on AFRL/RQ GitHub - 13. OpenAMASE on AFRL/RQ GitHub