Quantitative Verification and Synthesis

THÈSE
To obtain the degree of DOCTOR OF THE UNIVERSITY OF GRENOBLE
Speciality: Computer Science
Ministerial decree:
Presented by Christian von Essen
Thesis directed by Saddek Bensalem and co-directed by Barbara Jobstmann
Prepared at the VERIMAG laboratory and the Doctoral School of Mathematics, Information Sciences and Technologies, Computer Science (EDMSTII)

Quantitative Verification and Synthesis

Thesis publicly defended on 28 April 2014, before the jury composed of:
Dr. Alain Girault, INRIA Rhône-Alpes, President
Prof. Marta Zofia Kwiatkowska, University of Oxford, Reviewer
Prof. Jean-François Raskin, Université Libre de Bruxelles, Reviewer
Prof. Ahmed Bouajjani, Université Paris Diderot, Examiner
Prof. Saddek Bensalem, Université Joseph Fourier, Verimag, Thesis director
Dr. Barbara Jobstmann, EPFL, Verimag, Jasper, Thesis co-director

Once upon a time, in a land far far away.

Abstract

This thesis contributes to the theoretical study and application of quantitative verification and synthesis.

We first study strategies that optimize the ratio of two rewards in MDPs. The goal is the synthesis of efficient controllers in probabilistic environments. We prove that deterministic and memoryless strategies are sufficient. Based on these results we suggest 3 algorithms to treat explicitly encoded models. Our evaluation of these algorithms shows that one of these is clearly faster than the others. To extend its scope, we propose and implement a symbolic variant based on binary decision diagrams, and show that it can cope with millions of states.

Second, we study the problem of program repair from a quantitative perspective. This leads to a reformulation of program repair with the requirement that only faulty runs of the program be changed. We study the limitations of this approach and show how we can relax the new requirement. We devise and implement an algorithm to automatically find repairs, and show that it improves the changes made to programs.

Third, we study a novel approach to a quantitative verification and synthesis framework. In this, verification and synthesis work in tandem to analyze the quality of a controller with respect to, e.g., robustness against modeling errors. We also include the possibility to approximate the Pareto curve that emerges from combining the model with multiple rewards. This allows us to both study the trade-offs inherent in the system and choose a configuration to our liking. We apply our framework to several case studies. The major case study is concerned with the currently proposed next generation airborne collision avoidance system (ACAS X). We use our framework to help analyze the design space of the system and to validate the controller as currently under investigation by the FAA. In particular, we contribute analysis via PCTL and stochastic model checking to add to the confidence in the controller.

Acknowledgements

I would first of all like to thank my advisers Barbara Jobstmann and Saddek Bensalem. Barbara was always there to support me in my research and otherwise. Saddek gave me the freedom to follow my ideas and find applications for them.

I am also very grateful to Marta Kwiatkowska, Jean-François Raskin and Ahmed Bouajjani and Alain Girault who, in their role as my jury, took on the task of reading this lengthy document and attending the defense. I hope I can repay their effort with an interesting thesis and an exciting presentation.

I want to thank the whole former and present Verimag group for making my stay as fun and entertaining as it was. Special thanks go to Jannik Dreier, Mathilde Duclos and Julien Le Guen, for welcoming me in Grenoble and many entertaining exploits.

I want to say thank you to Aditya Nori and Sriram Rajamani for welcoming me in India and at Microsoft Research. They allowed me to explore the application of formal methods to sampling and the Indian cuisine.

A special thanks goes out to Dimitra Giannakopoulou and the whole NASA Ames team. They allowed me to see that there is hope for the application of formal methods to exciting and important real-life topics. Dimitra's enthusiasm is contagious, her belief in me incredibly supporting and her people skills unsurpassed. She taught me that working over two continents poses no big challenge, if only the motivation is high enough.

I want to thank my family for supporting me in all my decisions and for always being welcoming. They gave me the feeling that I am able to do the things to which I aspire.

I want to thank my wife Elena for putting up with many a grumpy mood and for much moral support and belay service (I bet the feeling is mutual). She is an inspiration in many ways, and I wish I was as tough as her.

Christian

Contents

1 Introduction . . . 1
  1.1 On quantitative verification and synthesis . . . 1
  1.2 Relation to artificial intelligence . . . 4
  1.3 Outline and contributions . . . 4
  1.4 Preliminaries . . . 6
  1.5 State of the art . . . 28
  1.6 Tools . . . 33
2 Efficient Systems in Probabilistic Environments . . . 35
  2.1 Introduction . . . 35
  2.2 The system and its environment . . . 37
  2.3 Analysis . . . 44
  2.4 Algorithms . . . 54
  2.5 Symbolic implementation . . . 68
  2.6 Conclusion . . . 83
3 Program repair without regret . . . 85
  3.1 Introduction . . . 85
  3.2 On languages . . . 86
  3.3 Example . . . 88
  3.4 Repair . . . 90
  3.5 Discussion and limitations . . . 98
  3.6 Empirical results . . . 105
  3.7 Future work and conclusions . . . 111
4 Quantitative verification and synthesis framework . . . 113
  4.1 Introduction . . . 113
  4.2 Implementation description . . . 115
  4.3 Discretization of spaces and distributions . . . 121
  4.4 Specifying models in Java . . . 125
  4.5 Approximating Pareto curves . . . 135
  4.6 Case studies . . . 141
5 Analyzing the Next Generation Airborne Collision Avoidance System . . . 159
  5.1 Introduction . . . 159
  5.2 The ACAS X system . . . 161
  5.3 Verification . . . 170
  5.4 ACAS X design challenges . . . 176
  5.5 Implementation . . . 183
  5.6 Conclusions and Future Work . . . 184
6 Conclusion . . . 185
  6.1 Future work . . . 187

1 Introduction

In which we introduce our subject matter, study the difference between quantitative and qualitative, give an overview of related work and drive a poor little robot crazy.

Summary

This chapter is an introduction to the thesis. We consider the motivation for quantitative verification and synthesis. Then we show the relations of this subject to artificial intelligence. Finally we introduce the notation used in this work, motivated by a small robot that must clean a large apartment.

1.1 On quantitative verification and synthesis

Synthesis. Synthesis aims to automatically generate a program or system from a higher-level specification. These specifications leave a lot of details open, and it is the synthesizer's task to resolve the non-determinism such that the specification is fulfilled. This higher level allows a programmer or designer to express his wishes concisely while leaving implementation details to an assistant as willing as he is stupid (the computer). This form of abstraction becomes ever more important as the programs that we write become ever more complex because of the arrival of multi-processor systems, heterogeneous systems, pressing security questions, ever more computers in life-critical systems etc. Programs also influence the lives of ever more people, so ever more people should be able to influence programs. A high-level language and a synthesizer might be able to lower the bar of creating custom programs. Take Excel as an example. It allows many users that do not know how to program to create spreadsheets and now special-purpose programs customized to their needs.

Synthesis looks promising in the area of embedded systems. Firstly, these systems are often small and not equipped for interactive development, and hence debugging becomes especially challenging. Secondly, embedded systems are the most prevalent computer systems today, ranging from thermometers to vehicles on Mars. Finally, embedded systems, by their very nature, have to be customized to each new kind of hardware they entail. Removing unnecessary bugs altogether is therefore desirable and cost-effective.

Qualitative synthesis. Specifications are usually given with qualitative meaning, i.e., they classify systems either as good (meaning the system satisfies the specification) or as bad (meaning the system violates the specification). In this thesis we explore how we can add more information to this process. We call this "quantitative synthesis". Quantitative specifications assign to each system a value that provides additional information.

Quantitative synthesis. Manichaeism was a religion that postulated that the world is the battle-ground for good and evil: black and white. To us, it appears that there are many shades of gray; quantitative information is important to us in the real world. We can either just pass an exam (qualitative), or pass it well (quantitative). A thesis can be acceptable or cum laude (quantitative), but both are enough for graduation (qualitative). Traditionally, quantitative techniques have been used to analyze properties like response time, throughput, or reliability (cf. [dA97, Hav98, BK08, KNP09]). Recently, quantitative reasoning has been used to state preference relations between systems satisfying the same qualitative specification [BCHJ09]. For example, we can compare systems with respect to robustness, i.e., how reasonably they behave under unexpected behaviors of their environments [BGHJ09]. A preference relation between systems is particularly useful in synthesis, because it allows the user to guide the synthesizer and ask for "the best" system. In many settings a better system comes with a higher price. For example, consider an assembly line that can be operated at several speeds, i.e., the number of units produced per time unit.

Details

  • File Type: pdf
  • Content Languages: English
  • File Pages: 212
