Modeling, Optimization and Computation for Software Verification

Transcription

1 odeling, Optimization and Computation for Software Verification ardavij Roozbehani 1,EricFeron 2, and Alexandre egrestki 3 1 mardavij@mit.edu, 2 feron@mit.edu, 3 ameg@mit.edu Laboratory for Information and Decision Systems (LIDS), assachusetts Institute of Technology, Cambridge, A, U.S.A Abstract. odeling and analysis techniques are presented for real-time, safety-critical software. Software analysis is the task of verifying whether the computer code will execute safely, free of run-time errors. The critical properties that prove safe execution include bounded-ness of variables and termination of the program in a finite number of steps. In this paper, dynamical system representations of computer programs along with specific models that are pertinent to analysis via an optimization-based search for system invariants are developed. It is shown that the automatic search for system invariants that establish the desired properties of computer code, can be formulated as a convex optimization problem, such as linear programming, semidefinite programming, and/or sum of squares programming. 1 Introduction Failure of real-time control systems, such as those used in spacecrafts, satellites, multiple coordinating UVAs, automobiles and therapy machines may lead to loss of human life or a huge loss in capital and products. However, safe operation of these safety-critical control systems relies heavily on the embedded software. According to Boing Co. and Honeywell Inc., software development accounts for 60 80% of the effort spent on the development of complex control systems, while much of this effort is expended on validation and verification of the software after or during its development. While real-time software must satisfy various resource allocation, timing, computation and performance constraints, the very least to require is that the software must execute safely, free of run-time errors. The critical software properties that must be verified/validated for safe execution include: (1) absence of variable overflow, (2) absence of array index out-of-bounds calls, and (3) termination of the functions and sub-functions and if required, the program itself in finite time. Some additional properties that might be desired in a reliable, safetycritical software include: (4) robustness to uncertain inputs, including feedback from analog systems, (5) validity of certain inequalities relating inputs and outputs, for instance, passivity and (6) absence of dead-code. Software analysis, is the task of verification of some or all of the above properties.

2 Patrick Cousot [5],[7], published one of the most noteworthy results in the literature that deal with software analysis. The main method of verification is based on the notion of abstract interpretation of computer programs. See also [8],[17]. According to [5, 6], abstract interpretation is defined as an approximate program semantics derived from the domain of concrete semantic operations by replacing it with a domain of abstract semantic operations. A drawback associated with these methods is the introduction of a narrowing or widening operator, which often causes the method to generate weak invariants, resulting in considerable conservatism in analysis [4]. Nevertheless, these methods appear to be practical for the verification of limited properties of real-time, safety-critical systems such as large-sized avionics systems. Alternative methods aiming at generating stronger statements about the evolution of variables in software systems might be found, for example, in the model-checking literature; however, the trade-off oftenachievedbythesemethodsisthatof increased accuracy and the generation of stronger properties of software (or software model) variables, often at the cost of increased computational requirements and limited scalability to large systems. oreover, construction of the program models often cannot be fully automated. Recently, there have been renewed efforts at establishing properties of software systems by the combined use of abstractions or, better, bisimulation mechanisms, and applying control theoretic principles to them. uch of the relevant literature in that regard may be found in the recent field of hybrid systems [13]. See for instance [9]. In general, it was found that many methods developed in system and control theory for systems driven by differential equations were in principle applicable to hybrid systems, possibly at the price of having to re-develop some elements of theory, e.g. optimal control theory on hybrid systems [16, 12, 3] or control of hybrid systems using bisimulations [15, 14]. In this paper we introduce a systems theoretic approach for software analysis. We present modeling techniques through the introduction of linear-like models that may represent a broad range of computer programs of interest to this paper. These include single flow programs and gain scheduled piecewise linear systems, used to control physical devices such as aerospace systems or automotive control systems. The main method of verification is an optimization-based search for system invariants. We therefore, suggest specific Lyapunov-like functions, whose properties guarantee variable bounded-ness as well as other desired properties, such as guaranteed program termination. We also show how the search for these system invariants may be formulated as a convex optimization problem, such as linear programming, semi-definite programming and/or a sums of squares problem. At the end, we sketch the block-wise analysis procedure for improving the scalability of the proposed methods as analysis of large-size computer programs is undertaken. 2 Automated Software Analysis: Preliminaries In this section we introduce the fundamentals of software analysis through dynamical system models. We consider computer programs as dynamical systems

3 and introduce certain Lyapunov-like functions as certificates for the behavior of these systems. 2.1 Computer programs as dynamical systems We view a computer program as a dynamical system which defines the rules for iterative modification of operating memory, possibly in response to real-time inputs. In particular, we consider models defined in general by a state space set X with selected subsets X 0 X of initial states and X X of terminal states, and by a set-valued function f : X 7 2 X, such that f(x) X, x X.The dynamical system S = S(X, f, X 0,X ) defined by X, f, X 0,X is understood as the set of all sequences X =(x(0),x(1),...,x(t),...) of elements from X satisfying x (0) X 0, x(t +1) f (x (t)) t Z + (1) s.t. f(x) X, x X The uncertainty in the definition of x(0) represents the programs s dependence on parameters, and the uncertainty in the definition of x(t+1) represents program s ability to respond to real-time inputs. From this viewpoint, analysis of software means verification of certain properties of system (1). In Section 4, we elaborate on the dynamical systems view of computer programs and suggest specific models that are essentially equivalent to (1), yet are more suitable for analysis purposes. Definition 1. A computer program represented by a dynamical system S = S(X, f, X 0,X ) is said to terminate in finite time if every solution X = x(t) of (1) satisfies x(t) X for some t Z +. In addition, we say that the state variables remain bounded (do not overflow) if t Z +,x(t) does not belong to a certain (unsafe) subset X of X for every solution X = x(t) of (1). 2.2 Lyapunov functions as behavior certificates Definition 2. A Lyapunov function for system (1) is defined to be a function V : X 7 R such that V (x) <θv(x) x X, x f (x) :x/ X. (2) where θ R + is a positive constant. Remark 1. The parameter θ in the above definition, is very important in providing the flexibility required for designing appropriate Lyapunov functions that establish finite-time termination and/or bounded-ness. For instance if V (x 0 ) < 0 and θ 1, (2) implies that V must strictly monotonically decrease along the trajectories of (1) until they reach a terminal state. As we will see in the sequel, this is suitable for establishing finite-time termination. However, with V (x 0 ) < 0 and θ<1, V is not required to decrease along the trajectories of (1), while it remains negative. This is very important in proving absence of overflow in computer programs without the finite-time termination property.

4 Termination in finite time The following Theorem provides a useful criterion for verifying finite-time termination in software analysis. Theorem 1. If there exists a bounded function V : X 7 R, and a constant θ>1 satisfying V (x) <θv(x) x X, x f (x) :x/ X. (3) then a terminal state X will be reached in a finite number of steps. Proof. Since V is bounded, there exists R +, such that V (x) < 0, x X. Now, assume that there exists a sequence X =(x(0),x(1),...,x(t),...) of elements from X satisfying (1) that does not reach a terminal state in finite time. I.e. x (t) / X, t Z +. Then, V (x (t)) < for log log V (x (0)) t>, (4) log θ which contradicts bounded-ness of V. Absence of overflow We already saw that absence of overflow can be characterized by avoidance of an unsafe subset X of the state space X. Consider a Lyapunov function V, defined according to (2). Define the level sets L r (V ) of V,by L r (V )={x X : V (x) <r} These level sets are invariant with respect to (1), in the sense that x(t +1) L r (V ) whenever x(t) L r (V ). We use this fact, along with the monotonicity property of V, to establish a separation between the reachable set and the unsafe region of the state space. Theorem 2. Consider the system (1) and let V denote the space of all Lyapunov functions for this system satisfying (2) with some θ 1. An unsafe subset X of the state space X can never be reached along all the trajectories of (1) if there exists V V satisfying In addition, if then, θ>0 is sufficient. inf x X V (x) sup V (x) (5) x X 0 inf x X V (x) 0 (6) Proof. The proof proceeds by contradiction. First consider the θ 1 case and assume that (1) has a solution X =(x (0),x(1),..., x (t ),...), where x (0) X 0 and x (t ) X. Since V (x) is strictly monotonically decreasing along any solution of (1), we must have: inf x X V (x) V (x (t )) <V(x (0)) sup V (x) (7) x X 0

5 which contradicts (5). Now, consider the case θ < 1 for which monotonicity of V is not always implied. Partition X 0 into subsets X 0 and X 0 such that X 0 = X 0 X 0 and V (x) 0 x X 0 V (x) > 0 x X 0 Note that either of X 0 and X 0 mayhappentobeempty.now,assumethat(1) has a solution X =(x (0),x(1),..., x (t ),...), where x (0) X 0 and x (t ) X. Note that by assumption, V (x (t )) 0 and thus V (x (t)) > 0 t <t V (x (t)) is therefore strictly monotonically decreasing over the sequence x (0) to x (t ). Hence, (7) must hold which contradicts (5). Finally, assume that (1) has asolutionx =(x (0),x(1),..., x (t ),...), where x (0) X 0 and x (t ) X. In this case, we must have V (x (t)) 0, t. This implies that V (x (t )) < 0, which contradicts (6). Proof is complete. Now, we turn our attention to development of general forms for system invariants that establish the desired properties and are appropriate for use in a convex optimization framework. Among several properties of a reliable software mentioned earlier, absence of overflow and finite-time termination are expected in most applications. Theorem 3. Consider the dynamical system S = S(X, f, X 0,X ) defined by (1) and assume that there exists a real-valued function V : X 7 R such that V (x) < 0 x X 0. (8) V (x) <θv(x) x X, x f (x) :x/ X. (9) V (x) > x 2 1 x X. (10) where θ R + isaconstant,andnoconstraintonfiniteness of the state space X is imposed. Then, every solution X = x (t) of (1) remains bounded in the safe region defined by x i <,where each x i is a component of the state vector x. oreover, if θ>1, every solution X = x (t) reaches a terminal state X in finite time. Proof. Note that (8) and (9) imply non-positivity of V (x) on X \ X. oreover, by (10),V(x) is bounded from below by 1. Therefore, V (x) ( 1, 0). By Theorem 1, (9) implies finite-time termination. Also, the unsafe region X is defined by x i. Therefore, x 2 1, x X, inf V (x) =0 0= supv (x) x X x X 0 Theorem 2 then completes the proof.

6 Remark 2. By imposing a quadratic form on V, the search for a Lyapunov-like function satisfying (8) (10) reduces to semidefinite programming [1]. As an alternative, imposing a linear or piecewise linear form on V, along with replacing condition (10) with 2n constraints V (x) > x i 1 x X, i =1..n V (x) > x i 1 x X, i =1..n converts the problem of finding an appropriate system invariant to linear or mixed integer/linear programming [2]. Another possibility is to let V be a polynomial function of the state variables x i. In this case, the search for system invariants restricted to the class of polynomials with real coefficients can be formulated as a sums of squares problem [18],[19]. 3 odels of Computer Programs In this section we develop specific models of software that are convenient for analysis purposes. Practical considerations such as convenience for automated parsing/compiling, availability of an efficient relaxation technique and compatibility with a particular numerical engine for convex optimization influence the choice of modeling language. 3.1 ixed integer/linear systems With the following Proposition, we first provide the motivation/intuition behind using this model for software systems. Proposition 1. Universality of mixed-integer linear models. Let f be any arbitrary piece-wise affine function defined on a compact state space X, which consists of finite unions of finite polytopes. Then, f can be defined precisely, by imposing linear equality constraints on a finite number of binary variables and a finite number of analog variables ranging over bounded intervals. I.e. There exists matrices F and H, such that f(x) ={F [x; w; v;1]: s.t. w [ 1, 1] q, v { 1, 1} r s.t. H[x; w; v;1]=0} Proof. The proof is by construction. First, notice that without loss of generality we may assume that x [ 1, 1] n. Now, let X = i=n S X k, where each X i is defined by a finite set of linear inequality constraints. I.e. X i := x a T ª kix b ki,k=1,..., N i (11) Note that by definition f (x) =2A i x +2B i x X i, where the constant 2 appears for convenience in notation only. Now, assign a binary variable v i

7 { 1, 1}, to each X i,...n 1, according to the following rule, i=n 1 X Then we have f (x) = subject to N 1 X v i =1 x X i,v i = 1 x/ X i,,...n 1 (12) v i = N +1 x X N, i=n 1 X v i = N +3 x/ X N N 1 X (1 + v i )(A i x + B i ) (N 3) (A N x + B N ) i=n 1 X v i (A N x + B N ), v i N +3, and (12), and v i { 1, 1},...N (13) Now, we need to relate (11) and (12), which is done in the following way; x X i a T kix b ki (vi +1) 0, k=1,..., N i (14) Since by assumption, each X i is bounded, R ki := min x X i a T kix b ki exists and is finite. Therefore, the condition x X i, is equivalent to, a T kixv i +a T kix b ki v i b ki R ki (w ki +1)=0,w ki [ 1, 1],k=1,..., N i (15) Next, define auxiliary state vectors y i := xv i R n. Notice that y i is the multiplication of an analog variable x, and a binary variable v i. We represent this (nonlinear) transformation by an affine transformation involving auxiliary analog variables z i [ 1, 1] n, and z i [ 1, 1] n, subject to a set of linear constraints, in the following way, y i =4z i x v i 1 n 1 n,z i (v i +1) 1 n 2 equivalently, z i 0, z i v i 1 n,z i = 1 2 (x z i) y i =4z i x v i 1 n 1 n,,.., N (16a) z i + 1 W 1 2 i + I n 1n = (v i +1) 1 n (16b) 2 z i = 1 W 2 2 i + I n 1n (16c) z i W 3 i + I n 1n = v i 1 n (16d) z i = 1 2 (x z i) (16e)

8 where W k i is defined by W k i =diag w k ji, j=1,..,n ª,,.., N, k =1,.., 3, w k ij [ 1, 1] Now, let X e = xy 1... y n z 1... z n z 1... z n wv1 T, where w = w w NN N w wnn 1... Nn w3, and v = v1... v n. Then, " N 1 # X f (x) := A i (N 3) A N x + A 1 A N... A N 1 A N y (17) + N 1 X B 1 B N... B N 1 B N v + B i +( N +3)B N which is linear in x, y, v. oreover, (17) is subject to constraints (13), (15), (16), which are all linear equality constraints in X e. This completes the proof. So far, we have shown that imposing linear equality constraints on Boolean variables and on analog variables ranging over bounded intervals allows one to define arbitrary piecewise linear functions on finite unions of polytopes. This observation serves as the basis for introducing the widely used class of models which will be referred to as mixed integer/linear systems here. These models are capable of providing relatively brief descriptions of complicated dependencies. A mixed integer/linear system model has state space X R n.itsstate transition function f : X 7 2 X is defined by two matrices F, H of dimensions n-by-(n + q + r +1)and p-by-(n + q + r +1), according to f(x) ={F [x; w; v;1]: w [ 1, 1] q, v { 1, 1} r s.t. H[x; w; v;1]=0} Natural Lyapunov function candidates for mixed integer/linear systems are quadratic functionals. Within this class, checking monotonicity of Lyapunov functions along system trajectories can be done by application of the traditional quadratic relaxation techniques, starting with those used in deriving the bounds for the AX-CUT problem, which leads to semidefinite programming as the Lyapunov function design tool. Search for Lyapunov invariants using linear or semidefinite programming This section details our approach to compute Lyapunov invariants for mixed integer/linear software models. Looking for a function V satisfying (8) (10), may be seen an infinite-dimensional convex programming problem in the unknown V. This may be solved by first defining an appropriate, finite-dimensional parameterization of V andthensolvingtheresultingfinite-dimensional, convex optimization problem. Linear parameterization of quadratic Lyapunov functions appear as T x x V (x) := P 1 1

9 where P is a constant, symmetric matrix. For the Lyapunov invariant parameterization considered above, the problem of finding an invariant that satisfies the conditions (8) (10) is about solving a set of nonlinear constraints arising from these conditions. These conditions are often non-convex conditions, which makes their exact solution often impractical, but, fortunately also unnecessary. Instead, we will focus on using relaxed versions of these conditions, which are much easier to solve using either linear or semidefinite optimization routines. The main tool used towards obtaining these relaxations is a Lagrangian relaxation procedure also known as S-procedure. For example, the first of the three conditions does not require such a procedure, since it is a linear constraint on the coefficients of P : Indeed, the requirement V (x(0)) < 0 may also be written as, x(0) T x(0) P < 0. (18) 1 1 T where is the overflow limit. The second condition, (9), may be written as F.[x(k) v(k) w(k) 1] 1 P F.[x(k) v(k) w(k) 1] 1 <θ x(k) 1 P x(k) 1 (19) for any x(k), v(k), w(k) satisfying H. x (k) w (k) v (k) 1 T =0and w(k) [ 1, 1] q,v(k) { 1, 1} r (20) The constraint v { 1, 1} r is equivalent to the quadratic constraint v T 1 v rx µ i,1 =0, with 1 =diag ª µ 1,1,µ 2,1,...µ r,1 for arbitrary µ i,1 R, i =1,...r. Likewise, the constraint w [1, 1] q is equivalent to qx w T E 1 w η i,1 0, with E 1 =diag ª η 1,1,η 2,1,...η q,1 for arbitrary η i,1 > 0, i =1,...q. Formulating the proper Lagrangian relaxation, condition (19) holds whenever condition (20) holds if there exists P, 1, E 1 0 and y 1 R s x n H such that L T 1 PL 1 θl T 2 PL 2 <y 1 H +Hy T 1 T +L T 3 1 L 3 +L T 4 E 1 L 4 L T 5 (Tr 1 +TrE 1 ) L 5 (21) where i f 1 h f H := [h x h w h v h 1 ], F := f w f v x F L 1 := I,L 0 1 (sx 1) 1 2 := n 0 n (sx n) 0 1 (sx 1) 1 L 3 := [I n+q 0 (n+q) (r+1) ],L 4 := [0 (r+1) (n+q) I r+1 ],L 5 := [0 1 (sx 1) 1]

10 Likewise, (10) may be written as x(k) T In 0 x(k) x(k) T x(k) < P (22) for any x(k), v(k), w(k) satisfying H. x (k) w (k) v (k) 1 T =0and w(k) [ 1, 1] q,v(k) { 1, 1} r (23) Thus condition (22) holds whenever condition (23) holds if there exists P, 2, E 2 0 and y 2 R sx n H such that L T 2 P 0 L 2 L T 2 PL 2 <y 2 H +H T y T 2 +L T 3 2 L 3 +L T 4 E 2 L 4 L T 5 (Tr 2 +TrE 2 ) L 5 (24) Thus, absence of overflow and finite execution time are guaranteed if there exist P, 1, 2, E 1 0, E 2 0, y 1, and y 2 satisfying constraints (18,21 and 24). 3.2 Linear systems with conditional switching In this model the state space of the system is the direct product X = {0, 1, 2,...,m} R n = {(k, v) :k Z, 0 k m, v R n } of a discrete set and an n-dimensional Euclidean space, X 0 = {(0,v 0 )}, X = {m} R n. The set-valued state transition map f : X 7 2 X is defined by matrices A k,b k,l k,g k,h k,i k,c k,d k,wherek {0, 1,...,m 1}, aswellas by a function p : {0, 1,...,m 1} 7 {0, 1,...,m}, according to the following rule: f(k, v) ={(k +1,A k v + B k w + L k ): w [ 1, 1]} when C k v + D k 0 and k<m, f(k, v) ={(p(k),g k x + H k w + I k ): w [ 1, 1]} when C k v + D k > 0 and k<m,andf(k, v) ={m, v} when k = m. In this model, the discrete component k of the state vector x =(k, v) represents the current line of the code, while v is the real state vector being processed and w represents bounded real-valued input data. All operations allowed are affine, except for the conditional go to p(k) statements allowed on every line. This model appears to be suitable for programs with simple flow, as well as real-time interactions between simple logic and gain scheduled linear systems. Natural Lyapunov function candidates for linear systems with conditional switching have the piecewise quadratic or piecewise linear form V (k, v) =σ k (v), where for every k {0, 1,...,m} the function σ k : R n 7 R is a quadratic or an affine functional.

11 3.3 Trigonometric polynomial models The models described in the previous sections are only capable of describing piecewise linear transformations of analog variables. This is not always convenient: for example, multiplication of two analog state variables can be represented this way only approximately and this representation is particularly cumbersome. In order to cover a larger class of analog operations, the trigonometric polynomial models could be useful. A trigonometric polynomial model has state space X which is a closed subgroup of a poly-thorus T n,wheret denotes the unit circle in the complex plane. Equivalently, one can think of X as a direct product of sets of the form T k or Z k q,wherez q denotes the set of all complex numbers z such that z q =1.The word trigonometric refers to the natural parameterizations T = {cos(t)+j sin(t) : t R} of the unit circle. The state transition map f : X 7 2 X is defined by a vector polynomial p with respect to 2 n + k complex variables, according to f(x) ={y X : p(y, x, z) =0for some z T k }. Natural Lyapunov function candidates for trigonometric polynomial models are real-valued trigonometric polynomials. Checking validity of a Lyapunov function candidate reduces to verification of positivity of a trigonometric polynomial subject to a set of polynomial constraints, which can be done using the Shor s sums of squares argument: A polynomial is positive if it can be represented as a sum of squares of polynomials. While it is not true that a positive polynomial can always be represented as a sum of squares of polynomials, it can be shown that the equivalence holds in the case of trigonometric polynomials. 4 A Numerical Example Consider the following program: x 1 =0;x 2 =0; while x 2 100, if x 1 0, x 1 = x 1 a; else x 1 = x 1 + b; end x 2 = x 2 +1; end where a [100, 900] and b [200, 800], are uncertain input parameters. Using 2 slack variables and 1 binary variable, a mixed integer/linear model of this piece of code is defined by matrices F, and H, given as:

12 0 x(0) =,n=2,q=2,r= a+b F = b a 2 10,H= ,R= 01 0 R 0 R , Given = 1000 as the overflow limit, using (18), (21), (24), the quadratic Lyapunov function V (x) = x x x x was found to prove bounded-ness and finite-time termination for all a and b. 5 Block-wise Analysis of Computer Programs Block-wise analysis is a method for improving the scalability/computational cost of the above techniques as analysis of large size computer programs is undertaken. The basic idea here is to consider large-size software as the interconnection of smaller size dynamical systems (functions, subfunctions and procedures that we call them "blocks"). These so called blocks interact via a subset of the program states called "global variables". Correctness of each block is established separately, known apriori, or assumed temporarily. The dynamics of each block is then abstracted/approximated by equalities and/or inequalities relating the inputs and the outputs. In obvious cases, abstractions of this level may be provided by the programmer to facilitate the analysis task. This way, the states/variables that are local to each block are eliminated from the global model. Correctness of the software will be established by verifying bounded-ness of global variables, as well as verifying that when required, a final global state will be reached in finite-time. In case correctness of some of the blocks were assumed temporarily, their correctness need to be established rigorously, subject to the bounds available now, for global variables. To further clarify the concept, we implement the method on the following example.

13 typedef enum {FALSE = 0, TRUE = 1} BOOLEAN; BOOLEAN INIT1, INIT2; float P, X; void filter1 () { static float E[2], S[2]; if (INIT1) { S[0] = X; P = X; E[0] = X; E[1]=0; S[1]=0; }else{ P =0.5*X 0.7*E[0]+0.4*E[1]+1.5*S[0] S[1]*0.7; E[1] = E[0]; E[0] = X; S[1] = S[0]; S[0] = P; X=P/6+S[1]/5; } } void filter2 () { static float E2[2], S2[2]; if (INIT2) { S2[0] =0.5*X; P = X; E2[0] = 0.8*X; E2[1]=0; S2[1]=0; }else{ P =0.3*X E2[0]*0.2+E2[1]*1.4+S2[0]*0.5 S2[1]*1.7; E2[1] = 0.5*E2[0]; E2[0] = 2*X; S2[1] = S2[0]+10; S2[0] = P/2+S2[1]/3; X=P/8+S2[1]/10; } } void main () { X = 0; INIT1 = TRUE; INIT2=TRUE; while (1) { X = 0.98 * X + 85; if (abs(x)<= 400) { filter1 (); X=X+100; INIT1=FALSE; }elseif(abs(x)<=800) { filter 2(); X=X 50; INIT2=FALSE; } }}

14 For automated (block-wise) analysis of this program, the analyzer must be provided (either by a complier or by the programmer) with the system invariant that prior to each execution of filter1(), x 400. Next, filter() is modeled in the following abstracted way: w x [ 1, 1],s 0 (0) [ 400, 400],e 0 (0) [ 400, 400], P (0) [ 400, 400],s 1 (0) = 0, e 1 (0) = 0. P (k +1) e 1 (k +1) e 0 (k +1) s 1 (k +1) = s 0 (k +1) P (k) e 1 (k) e 0 (k) s 1 (k) s 0 (k) w x (k) 1 Due to the presence of static variables e and s, bounded-ness of the above recursion for an infinite number of iteration must be verified. Using LIs (18) (24) with θ =0.9, Pe 1 e 0 s 1 s was proved. Pe 1 e 0 s 1 s Ps s µ1 2 µ 2 1 x ' This proves that in the worst case, the value of X, after execution of filter1() cannot be greater than 531. Similarly, prior to each execution of filter2(), x 800 is invariant. Next, filter2() is modeled in the following abstracted way: w x [ 1, 1],s2 0 (0) [ 400, 400],e2 0 (0) [ 640, 640], P (0) [ 800, 800],s2 1 (0) = 0, e2 1 (0) = 0. P (k) P (k +1) e2 1 (k) e2 1 (k +1) e2 0 (k +1) s2 1 (k +1) = e2 0 (k) s2 1 (k) s2 0 (k +1) s2 0 (k) w x (k) 1 Again, using LIs (18) (24) with θ = 0.9, Pe 1 e 0 s 1 s was proved. Pe 1 e 0 s 1 s Ps s µ1 2 µ 2 1 x ' This in turn, proves that in the worst case, the value of X, after execution of filter2() cannot be greater than The main program is now abstracted in the following way.

15 void main () { X=0; while (1) { X = 0.98 * X + 85; if (abs(x)<= 400) { X=531*w1; %w1 [ 1, 1] X=X+100; }elseif(abs(x)<=800) { X=1591*w2; %w2 [ 1, 1] X=X 50; } } } Using the same methods, analysis of this program in turn proves that x Therefore, bounded-ness of all variables is established. 6 Conclusions A new framework for analysis of real-time software was introduced. It was shown that software can be viewed/modeled as a dynamical system. Specific models carrying this task were also introduced. System invariants, found by convex optimization of certain Lyapunov-like functions prove the desired properties of the software. These properties include bounded-ness of all variables within safe regions and finite time termination of the program. To improve scalability of these techniques for application to large-size computer programs, the method of block-wise analysis of computer code was suggested. It was shown through a numerical example, how this method can be applied. References 1. S. Boyd, L.E. Ghaoui, E. Feron, and V. Balakrishnan. Linear atrix Inequalities in Systems and Control Theory. Society for Industrial and Applied athematics, D. Bertsimas, and J. Tsitsikilis. Introduction to Linear Optimization. Athena Scientific, S.Branicky,V.S.Borkar,andS.K.itter.Aunified framework for hybrid control: model and optimal control theory. IEEE Transactions on Automatic Control, 43(1):31-45, A. Colon, S. Sankaranarayanan, H. B. Sipma. Linear invariant generation using non-linear constraint solving. In Computer Aided Verification (CAV 2003), vol of Lecture Notes in Computer Science, Springer Verlag, pp P. Cousot and R. Cousot. Abstract interpretation: a unified lattice model for static analysis of programs by construction or approximation of fixpoints. In Proc. 4th AC SIGPLAN-SIGACT Symposium on Principles of Programming Languages, POPL 77, pages , 1977.

16 6. P. Cousot, and R. Cousot. Systematic design of program analysis frameworks. In Conference Record of the Sixth Annual AC SIGPLAN-SIGACT Symposium on Principles of Programming Languages, pages , San Antonio, Texas, AC Press, New York. 7. P. Cousot. Semantic foundations of program analysis. In S. uchnick and N. Jones, editors, Program Flow Analysis: Theory and Applications, chapter 10, pages Prentice-Hall, D. Dams. Abstract interpretation and partition refinement for odel Checking. Ph.D. Thesis, Eindhoven University of Technology, S. Prajna, and A. Jadbabaie. Safety verification of hybrid systems using barrier certificates. Hybrid Systems: Computation and Control. Springer-Verlag lecture notes in computer science, arch Johansson, and A. Rantzer. On the computation of piecewise quadratic Lyapunov functions. In Proc. 36th IEEE Conference on Decision and Control, San Diego, California, December Johansson, and A. Rantzer. Computation of piecewise quadratic Lyapunov functions for hybrid systems. IEEE Transactions on Automatic Control, 43(4), pp , April S. Hedlund and A. Rantzer. Optimal control of hybrid systems. In Proc. 38th IEEE Conference on Decision and Control, Phoenix, Arizona, December R. Alur, and G. J. Pappas (Eds.): Hybrid Systems: Computation and Control, 7th International Workshop, Lecture Notes in Computer Science, volume 2993, Springer Verlag, arch G. Lafferriere, G. J. Pappas, and S. Sastry. Hybrid systems with finite bisimulations. Hybrid Systems V, Lecture Notes in Computer Science, volume 1567, Springer G. Lafferriere, G. J. Pappas, and S. Sastry. Reachability analysis of hybrid systems using bisimulations. In Proc. of the 37th IEEE Conference on Decision and Control, pages , Tampa, J. Lygeros, C. Tomlin, and S. Sastry. Controllers for reachability specifications for hybrid systems. Automatica, 35(3): , D. onniaux. Abstract interpretation of programs as arkov decision processes. In Static Analysis Symposium, volume 2694 in Lecture Notes in Computer Science, pages , Springer Verlag, P. A. Parrilo. inimizing Polynomial Functions. In Algorithmic and Quantitative Real Algebraic Geometry, DIACS Series in Discrete athematics and Theoretical Computer Science, Vol. 60, pp , AS. 19. K. Gatermann, and P.A. Parrilo. Symmetry groups, semidefinite programs, and sums of squares. Journal of Pure and Appl. Algebra, Vol. 192, No. 1-3, pp , 2004.