Kerstin Eder | University of Bristol
Papers by Kerstin Eder
This paper presents the deductive formal verification of high-level properties of control systems with theorem proving, using the Why3 tool. Properties that can be verified with this approach include stability, feedback gain, and robustness, among others. For the systems, modelled in Simulink, we propose three main steps to achieve the verification: specifying the properties of interest over the signals within the model using Simulink blocks, an automatic translation of the model into Why3, and the automatic verification of the properties with theorem provers in Why3. We present a methodology to specify the properties in the model and a library of relevant assertion blocks (logic expressions), currently in development. The functionality of the blocks in the Simulink models is automatically translated to Why3 as theories and verification goals by our tool implemented in MATLAB. A library of theories in Why3 corresponding to each supported block has been developed to facilitate the process of translation. The goals are automatically verified in Why3 with relevant theorem provers. A simple first-order discrete system is used to exemplify the specification of the Simulink model, the translation process from Simulink to the Why3 formal logic language, and the verification of Lyapunov stability.
Lecture Notes in Computer Science, 2015
ACM Transactions on Embedded Computing Systems, 2015
The emergent global behaviours of robotic swarms are important to achieve their navigation task goals. These emergent behaviours can be verified to assess their correctness, through techniques like model checking. Model checking exhaustively explores all possible behaviours, based on a discrete model of the system, such as a swarm in a grid. A common problem in model checking is the state-space explosion that arises when the states of the model are numerous. We propose a novel implementation of symmetry reduction, in the form of encoding navigation algorithms relatively with respect to a reference, based on the symmetrical properties of swarms in grids. We applied the relative encoding to a swarm navigation algorithm, Alpha, modelled for the NuSMV model checker. A comparison of the state-space and verification results with an absolute (or global) and a relative encoding of the Alpha algorithm highlights the advantages of our approach, allowing model checking of larger grid sizes and numbers of robots, and consequently, verifying more complex emergent behaviours. For example, a property was verified for a grid with 3 robots and a maximum allowed size of 8 × 8 cells in a global encoding, whereas this size was increased to 16 × 16 using a relative encoding. Also, the time to verify a property for a swarm of 3 robots in a 6 × 6 grid was reduced from almost 10 hours to only 7 minutes. Our approach is transferable to other swarm navigation algorithms.
This paper presents the verification of control systems implemented in Simulink. The goal is to ensure that high-level requirements on control performance, like stability, are satisfied by the Simulink diagram. A two-stage process is proposed. First, the high-level requirements are decomposed into specific parametrized sub-requirements and implemented as assertions in Simulink. Second, the verification takes place. On one hand, the sub-requirements are verified through assertion checks in simulation. On the other hand, according to their scope, some of the sub-requirements are verified through assertion checks in simulation, and others via automatic theorem proving over an ideal mathematical model of the diagram. We compare performing only assertion checks against the use of theorem proving, to highlight the advantages of the latter. Theorem proving performs verification by computing a mathematical proof symbolically, covering the entire state space of the variables. An automatic translation tool from Simulink to the language of the theorem proving tool Why3 is also presented. The paper demonstrates our approach by verifying the stability of a simple discrete linear system.
Robotics, 2015
In this paper we propose a probabilistic sequential model of Human-Robot Spatial Interaction (HRSI) using a well-established Qualitative Trajectory Calculus (QTC) to encode HRSI between a human and a mobile robot in a meaningful, tractable, and systematic manner. Our key contribution is to utilise QTC as a state descriptor and model HRSI as a probabilistic sequence of such states. Apart from the sole direction of movements of human and robot modelled by QTC, attributes of HRSI like proxemics and velocity profiles play vital roles for the modelling and generation of HRSI behaviour. In this paper, we particularly present how the concept of proxemics can be embedded in QTC to facilitate richer models. To facilitate reasoning on HRSI with qualitative representations, we show how we can combine the representational power of QTC with the concept of proxemics in a concise framework, enriching our probabilistic representation by implicitly modelling distances. We show the appropriateness of our sequential model of QTC by encoding different HRSI behaviours observed in two spatial interaction experiments. We classify these encounters, creating a comparative measurement, showing the representational capabilities of the model.
Proceedings of the 29th Annual ACM Symposium on Applied Computing - SAC '14, 2014
Making energy consumption data accessible to software developers is an essential step towards energy-efficient software engineering. The presence of various different, bespoke and incompatible, methods of instrumentation to obtain energy readings is currently limiting the widespread use of energy data in software development. This paper presents EACOF, a modular Energy-Aware Computing Framework that provides a layer of abstraction between sources of energy data and the applications that exploit them. EACOF replaces platform-specific instrumentation through two APIs: one accepts input to the framework while the other provides access to application software. This allows developers to profile their code for energy consumption in an easy and portable manner using simple API calls. We outline the design of our framework and provide details of the API functionality. In a use case, where we investigate the impact of data bit width on the energy consumption of various sorting algorithms, we demonstrate that the data obtained using EACOF provides interesting, sometimes counter-intuitive, insights. All the code is available online under an open source license.
2014 IEEE/RSJ International Conference on Intelligent Robots and Systems, 2014
Navigation algorithms are fundamental for mobile robots. While the correctness of the algorithms is important, it is equally important that they do not fail because of bugs in their implementation. Yet, even widely-used robot navigation code lacks proofs of correctness or credible coverage reports from testing. Robot software developers usually point towards the cost of manual verification or lack of automated tools that would handle their code. We demonstrate that the choice of programming language is essential both for finding bugs in the code and for proving their absence. Our re-implementation of three robot navigation algorithms in SPARK revealed bugs that for years have not been detected in their original code in C/C++. For one of the implementations we demonstrate that it is free from run-time errors. Our code and results are available online to encourage uptake by the robot software developer community.
Lecture Notes in Computer Science, 2012
... The prize for Best Paper was awarded to Stefan Staber, Gerschwin Fey, Roderick Bloem and Rolf Drechsler from Graz University of Technology and the University of Bremen, for their paper titled Automatic Fault Localization for Property ... ibm. com) Laurent Fournier (laurent@ il. ...
2006 IEEE International High Level Design Validation and Test Workshop, 2006
Functional verification is a complex and time-consuming task in the design process. Recently, various approaches have been developed to improve verification efficiency, including advanced coverage analysis techniques, coverage-driven verification methodologies and coverage-directed stimulus generation techniques. One remaining challenge is to fully automate functional coverage closure. This paper presents a novel approach for coverage-directed stimulus generation based on inductive learning from
2014 UKACC International Conference on Control (CONTROL), 2014
This paper presents the deductive formal verification of high-level properties of control systems with theorem proving, using the Why3 tool. Properties that can be verified with this approach include stability, feedback gain, and robustness, among others. For the systems, modelled in Simulink, we propose three main steps to achieve the verification: specifying the properties of interest over the signals within the model using Simulink blocks, an automatic translation of the model into Why3, and the automatic verification of the properties with theorem provers in Why3. We present a methodology to specify the properties in the model and a library of relevant assertion blocks (logic expressions), currently in development. The functionality of the blocks in the Simulink models is automatically translated to Why3 as 'theories' and verification goals by our tool implemented in MATLAB. A library of theories in Why3 corresponding to each supported block has been developed to facilitate the process of translation. The goals are automatically verified in Why3 with relevant theorem provers. A simple first-order discrete system is used to exemplify the specification of the Simulink model, the translation process from Simulink to the Why3 formal logic language, and the verification of Lyapunov stability.
ieeexplore.ieee.org
Yamine Ait Ameur, ENSMA, France; Simone Barbosa, Pontificia Universidade Catolica do Rio de Janeiro, Brazil; Phil Brooke, University of Teesside, United Kingdom; Michael Butler, University of Southampton, United Kingdom; Jordi Cabot, University of Toronto, Canada; Antonio Cerone, United Nations University, Macau; Corina Cirstea, University of Southampton, United Kingdom; Jim Davies, University of Oxford, United Kingdom; Mieso Denko, University of Guelph, Canada; Juergen Dingel, Queen's University, Canada; Simon Dobson, University ...
Lecture Notes in Computer Science, 2011
Although there are quite a few approaches to Coverage Directed Test Generation aided by Machine Learning that have been applied successfully to small and medium size digital designs, it is not clear how they would scale on more elaborate industrial-level designs. This paper evaluates one of these techniques, called MicroGP, on a fully fledged industrial design. The results indicate relative success evidenced by a good level of code coverage achieved with reasonably compact tests when compared to traditional test generation approaches. However, there is scope for improvement especially with respect to the diversity of the tests evolved.
Proceedings of the 13th annual conference on Genetic and evolutionary computation - GECCO '11, 2011
In this paper we applied the eXtended Classifier System (XCS) to a novel real world problem, namely digital Design Verification (DV). We witnessed the inadequacy of XCS on binary problems that contain high overlap between optimal rules, especially when the focus is on population and not system level performance. The literature attempts to underplay the importance of the aforementioned weakness and in short, supports that a) XCS can potentially learn any Boolean function provided enough resources are allocated (right parameters used) and b) the main metric deciding the learning difficulty of a Boolean function is the number of classifiers required to represent it (i.e. |[O]|). With this work we experimentally refuted the aforementioned propositions and as a result of the work, we introduce new insights on the behavior of XCS when solving two-valued Boolean functions using a binary reward scheme (1000/0). We also introduce a new population metric (%[EPI]) that should necessarily be used to guide future research on improving XCS performance on the aforementioned problems.
2011 IEEE Congress of Evolutionary Computation (CEC), 2011
Extended classifier systems (XCS) suffer from suboptimal performance when the optimal classifiers of the functions they deal with overlap. As this overlap is the property of Boolean functions and the generalization capabilities of the ternary alphabet {0,1,#}, it is necessary to improve XCS to better deal with those functions that make up most of the possible Boolean functions. This paper proposes two techniques that improve XCS performance, both in terms of system and population state metrics. The first technique, termed Essentiality Assessment, alters the current fitness update mechanism by disallowing competition between potentially essential classifiers. The second technique, named Individualized Learning Rate, proposes an individually computed learning rate for each classifier based on the level of generality of each classifier. The results obtained show improvement and significance both in absolute and statistical terms, for the vast majority of system and population state metrics. This paper is a contribution toward improving XCS performance when dealing with single-step problems that necessarily require overlapping classifiers for their optimal solution.