Transcript Document 7333474

Model Checking of Robotic Control
Systems
Presenting:
Sebastian Scherer
Authors:
Sebastian Scherer, Flavio Lerda,
and Edmund M. Clarke
1
Outline
●
Motivation
–
Why verification
–
Scope
–
Control software
●
Method
●
Case Study
●
Conclusions
2
Why verify robot software?
●
●
Failure is expensive:
–
Interplanetary
exploration
–
Crash / Rollover
Autonomy increases
responsibility:
–
Human interaction
–
Large forces and
momenta
3
The scope of our approach
Software
Hardware
Typical mobile robot
architecture
Goal
Specified
Accumulation
Planning
Preprocessing
Controller
Sensors
Actuators
Environment
Start by verifying this part.
4
Control systems are implemented in
software
●
Main loop is only a small
fraction of the control
software:
–
Initialization
–
Exception handling
–
●
Software
Hardware
Typical mobile robot
architecture
Goal
Specified
Conversion
Accumulation
Planning
Preprocessing
Controller
Sensors
Actuators
Environment
Fatal bugs can be in any line
of the code.
5
Outline
●
Motivation
●
Method
–
Capabilities &
Limitations
–
Method
–
Model Checking
●
Case Study
●
Conclusions
import
import
import
import
import
import
import
import
gov.nasa.jpf.jvm.Verify;
com.ajile.jem.PeriodicThread;
com.ajile.jem.PianoRoll;
com.ajile.drivers.gptc.*;
intermediate.*;
drivers.*;
controller.*;
model.*;
Code of controller +
environment(plant)
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC = 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
*
if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
+
y k  = Cd k xk + Dd k u k 
SpeedControl
speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
6
Capabilities of our method
●
Utilizes environment (plant) of the control system.
●
Simulates behaviour:
●
●
–
Determines stability.
–
Models influence of noise.
–
Checks performance specifications.
–
Computes ranges of trajectories.
Checks programming errors:
–
Null pointer exceptions.
–
Dead lock, concurrency bugs.
–
Errors affecting the behavior.
Code checked is identical to executed code.
7
Limitations of our method
●
Discrete method:
–
–
–
–
●
Detailed model:
–
–
●
Makes assertions only about a particular initial condition.
Continuous states are approximated up to a fixed point
precision.
Precision often determines the length of a simulation trace
and the size of the state space to explore.
Noise is approximated by a discrete set of values.
Requires model relating inputs and outputs.
Additional memory and computation time.
Assumptions:
–
–
Time elapses only while tasks sleep.
Unbounded variables like time and distance must be
abstracted manually.
8
Model check software with a
physical environment
Source code
of controller
import
import
import
import
import
import
import
import
Abstract controller
gov.nasa.jpf.jvm.Verify;
com.ajile.jem.PeriodicThread;
com.ajile.jem.PianoRoll;
com.ajile.drivers.gptc.*;
intermediate.*;
drivers.*;
controller.*;
model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC = 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
*
if(Environment.isMC)
{
lightsensor.initDefault();
Source code
including the
environment
SpeedControl
speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
Verify actual
source code
import
import
import
import
import
import
import
import
gov.nasa.jpf.jvm.Verify;
com.ajile.jem.PeriodicThread;
com.ajile.jem.PianoRoll;
com.ajile.drivers.gptc.*;
intermediate.*;
drivers.*;
controller.*;
model.*;
Code of controller +
environment(plant)
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC = 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
*
if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
+
y k  = Cd k xk + Dd k u k 
SpeedControl
speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
9
Method
Software executed
on robot
Environment model
Actual Robot
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC
= 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
Sensors
y k  = Cd k xk + Dd k u k 
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
Actuators
●
Execute the source code.
●
After all tasks sleep execute the environment.
●
Equivalent states are not revisited.
10
Method
Software executed
on robot
Environment model
Actual Robot
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC
= 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
y k  = Cd k xk + Dd k u k 
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
●
Software executes until all tasks yield.
11
Method
Software executed
on robot
Environment model
Actual Robot
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC
= 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
y k  = Cd k xk + Dd k u k 
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
●
●
Software executes until all tasks yield.
Commands are set. Sensors are read. Time
elapses
12
Method
Software executed
on robot
Environment model
Actual Robot
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC
= 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
y k  = Cd k xk + Dd k u k 
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
●
●
●
Software executes until all tasks yield.
Commands are set. Sensors are read. Time
elapses
Software executes with new sensor values.
13
Method
Software executed
on robot
Environment model
Actual Robot
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC
= 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
xk +1 = Ad k xk + Bd k u k 
y k  = Cd k xk + Dd k u k 
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
●
●
●
●
Software executes until all tasks yield.
Commands are set. Sensors are read. Time
elapses.
Software executes with new sensor values.
Commands are set. Sensors are read. Time
elapses with new commands.
14
Model checking
import gov.nasa.jpf.jvm.Verify;
import com.ajile.jem.PeriodicThread;
import com.ajile.jem.PianoRoll;
import com.ajile.drivers.gptc.*;
import intermediate.*;
import drivers.*;
import controller.*;
import model.*;
Transitions
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC = 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
= Gate.getInstance();
SpeedOMeter
encoder
= SpeedOMeter.getInstance();
LightArray
lightsensor
= LightArray.getInstance();
TLC2543
tlc
= TLC2543.getInstance();
* if(Environment.isMC)
{
lightsensor.initDefault();
SpeedControl speedcontrol
= SpeedControl.getInstance();
SteeringControl steeringcontrol =
SteeringControl.getInstance();
Environment
env
= Environment.getInstance();
●
Model consists of states and transitions.
●
Java byte code specifies a model.
●
●
●
States
Verify a model against a specification given as logic
properties.
The algorithm visits all states of the model to verify that
none of the specified properties are violated.
If the same state is reached twice backtrack.
15
Java PathFinder
Robot
source code
Java Virtual Machine
of Model Checker
Environment
Host JVM running
Java PathFinder
●
All states are explored to find a violation of the properties.
●
Executing the byte code generates successors.
●
If no new successors are generated the search backtracks.
●
●
Environment byte code is executed on host JVM. No
intermediate states are generated from it.
Environment stores only necessary state variables.
16
Outline
●
Motivation
●
Method
●
Case Study
●
–
Architecture
–
Verification
–
Model
–
Results
Conclusions
17
Overview
• Robot has to follow a
line and maintain a
constant speed.
• Native Java
microcontroller
executes the code.
• Check source code
without change.
18
Architecture
●
●
Actuators
–
Steering
–
Motors
Sensors
–
Light sensors
–
Encoder
19
Software
●
●
●
●
●
3 tasks running with a
fixed frequency of 33Hz.
Task 1: Reads sensor
values.
Task 1
Task 2
Task 2: Controls the
steering.
Task 3: Controls the
velocity.
Task 3
A fixed rate scheduler
determines the execution
order and duration.
20
Verification
●
●
●
Need model of the
environment.
Need definition of
states.
Verify robot starting
from initial condition
offset from center of
line and on a straight
line.
21
Environment model
●
●
●
●
Two models necessary
Model relate commands to
sensor information
Sensed position over line
depends on
–
Steering command
–
Velocity command
Sensed encoder velocity
depends on the velocity
command.
Inputs:
Velocity command
Steering command
Sensed
position
model
Output:
Encoder velocity
Input:
Velocity command
Sensed
velocity
model
Output:
Encoder velocity
22
Determining the model
• One way to obtain a
model of the environment
is system identification.
• Performed experiments
and obtained a secondorder model for velocity
and a fourth-order model
for steering
• Quality of sensor gave a
better fit for the velocity
 0.96
  0.11
x(t  1)  
 0.096

 0.03
y  x1 (t )  0.0027
0.14 0.11
0.98 0.11
0.10 0.98
0.02  0.04
0.22
  1.4 


0.07
5   5.9 
x(t )  10
u (t )
 0.7
0.13



0.87
 8.8 
23
States
●
Continuous state:
–
–
●
●
●
6 state variables
2 inputs
States are discretized up to
a fixed precision to
terminate on stability and
disambiguate quasi-equal
states.
Monotonic variables such
as time or distance are
(manually) abstracted.
DESCRIBE PICTURE
Discrete State
import
import
import
import
import
import
import
import
gov.nasa.jpf.jvm.Verify;
com.ajile.jem.PeriodicThread;
com.ajile.jem.PianoRoll;
com.ajile.drivers.gptc.*;
intermediate.*;
drivers.*;
controller.*;
model.*;
public class Mobot
{
static final int PR_DURATION_MSEC = 80;
static final int PR_BEAT_MSEC = 1;
static PianoRoll Piano_Roll = new PianoRoll
(PR_DURATION_MSEC, PR_BEAT_MSEC);
public static void main(String[] args)
{
DecsionPoints.runSys=true;
//Initialize threads
PWM2
pwm
= PWM2.getInstance();
Gate
gate
=
Continuous State
+
State space model
xk + 1 = Ad k xk  + Bd k u k 
y k  = C d k xk  + Dd k u k 
24
Non-Determinism
●
●
●
Possible to explore nondeterminism in the
software and
environment.
Red trajectory shows
an actual trace of the
robot.
Model checking explores
a wider spread of
trajectories.
Non-determinism is
discrete. Differential
equations are
deterministic.
Blue region is the spread of
trajectories covered by the
model checker.
25
Results
●
Added different kinds
of non-determinism to
model.
–
Encoder reading off by 10, 0, +10 ticks
–
Failure of one sensor in
the array of light
sensors
–
Commanded steering
and velocity pulsewidth
is not accurate.
Wh
eel
Slip
Ground
26
Results
●
●
We verified a set of
properties of the
control software.
No programming
errors (e.g. Null
pointer exceptions)
were found.
27
Conclusion
●
Model checker covers a sufficient range of
trajectories to simulate all inputs to program.
●
Seeded type conversion bug was found.
●
Verifies software for robot controllers directly.
●
●
●
Discretization, abstraction and extraction of
continuous states enable efficient verification.
Exhaustive exploration of non-determinism such
as random sensor failure.
Aids the control system designer by direct
verification of all reachable states of the model.
29
Future work
●
●
●
Prove correctness of model checking algorithm
Extend notion of discretization of state space to
be an over-approximation.
Provide integrated support for modeling the
environment
●
Integrate with higher level software interfaces
●
Check complex systems
●
Extend to languages other than Java
30
Questions? Comments?
Contact Information:
Sebastian Scherer
[email protected]
http://www.cs.cmu.edu/~basti/
31