CoasterX: A Case Study in Component-Driven Hybrid Systems Proof - - PowerPoint PPT Presentation

CoasterX: A Case Study in Component-Driven Hybrid Systems Proof Automation

Based on ADHS ’18 [BLCP18] Brandon Bohrer (joint work with Adriel Luo, Xuean Chuang, Andr´ e Platzer)

Logical Systems Lab Computer Science Department Carnegie Mellon University

Speaking Skills, Mar 26 2018

1 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

2 / 49

Roller Coasters are Safety-Critical Systems

Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

[BLCP18]

3 / 49

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)

4 / 49

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)

4 / 49

Formal Proofs in dL Ensure Safe Designs

Top Thrill Steel Phantom Mindbender

Rollback Head Injury Derailment

[BLCP18]

⇓

Pre → [phys]Post Identify:

• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)

Verify physical environment design phys ({x′ = . . . , y′ = . . .})

4 / 49

Design Verification Supplements Simulation

Simulations typically used today [XXLY12, Wei15] Approach Pro Con Simulate Rich dynamics, easy Low rigor+precision Verify High rigor+precision Simple dynamics, hard

5 / 49

Verifying Physical Designs is a Challenge

• How do we verify models at scale?
• How do we make verification accessible to non-experts?

6 / 49

Verifying Environment Designs is Important ⇓

7 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

8 / 49

Component-Driven Proof Automation Enables Design Verification

GUI Builder CoasterX Backend KeYmaera X Prover Core (1700 Lines) [FMQ+15]

Component model

dL fml. dL pf. Goal Solution Accessible High-level graphical modeling

9 / 49

Component-Driven Proof Automation Enables Design Verification

GUI Builder CoasterX Backend KeYmaera X Prover Core (1700 Lines) [FMQ+15]

Component model

dL fml. dL pf. Goal Solution Accessible High-level graphical modeling Rigorous Formal proof checked by small prover core

9 / 49

Component-Driven Proof Automation Enables Design Verification

GUI Builder CoasterX Backend KeYmaera X Prover Core (1700 Lines) [FMQ+15]

Component model

dL fml. dL pf. Goal Solution Accessible High-level graphical modeling Rigorous Formal proof checked by small prover core Scalable Proof scales by exploiting component structure

9 / 49

Track Sections are Components for Coasters

Generic Component

10 / 49

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

10 / 49

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

11 / 49

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

12 / 49

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

13 / 49

Track Sections are Components for Coasters

Generic Component

• Automatic Composition

14 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

15 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

16 / 49

Background: dL Formulas

P, Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | αP Example: Pre → [phys]Post Construct Meaning P ∧ Q, ¬P Classical propositional connectives

17 / 49

Background: dL Formulas

P, Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | αP Example: Pre → [phys]Post Construct Meaning P ∧ Q, ¬P Classical propositional connectives ∀x P, ∃x P First-order real quantifiers θ1 ≥ θ2 Real arithmetic comparisons

17 / 49

Background: dL Formulas

P, Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | αP Example: Pre → [phys]Post Construct Meaning P ∧ Q, ¬P Classical propositional connectives ∀x P, ∃x P First-order real quantifiers θ1 ≥ θ2 Real arithmetic comparisons [α]P After α runs, P always holds αP After α runs, P sometimes holds

17 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously P must also hold initially (like ?P)

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously P must also hold initially (like ?P) α ∪ β Choose either α or β nondeterministically

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously P must also hold initially (like ?P) α ∪ β Choose either α or β nondeterministically α; β First α then β in any resulting state

18 / 49

Background: Hybrid Programs

α, β ::= ?P | x := θ | {x′ = θ & P} | α ∪ β | α; β | α∗ Construct Meaning ?P Assert formula P, else fail x := θ Assign value of term θ to x {x′ = θ & P} Evolve x at continuous rate θ Evolution domain constraint P asserted continuously P must also hold initially (like ?P) α ∪ β Choose either α or β nondeterministically α; β First α then β in any resulting state α∗ Loop α nondeterministically n ≥ 0 times

18 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

19 / 49

Velocity and Acceleration Bounds are Fundamental Rollback Head Injury Derailment

0 < vlo ≤ v |a| ≤ ahi |a| ≤ ahi [AST17]

20 / 49

Tracks are 2D

• 2D modeling greatly simplifies GUI
• Vertical and horizontal bounds only (no lateral bound)
• Ignores banking, wind, roll resistance (1-2%)

⇒

21 / 49

Acceleration Bound is Conservative

Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

(>) (<) (<)

22 / 49

Conservative Bound Suffices for Phantom

Top Thrill Steel Phantom Mindbender Joker’s Jinx Phantom’s Revenge Fujin Raijin II

Rollback Head Injury Derailment

(>) (<) (<)

23 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

24 / 49

Example

phys ≡ {{x′ = √ 2/2 v, y′ = √ 2/2 v, v′ = − √ 2/2 g & 0 ≤ x ≤ 100} ∪ {x′ = dx v, y′ = dy, v′ = −dy g, dx′ = −dy v/100 √ 2, dy′ = dx v/100 √ 2 & 100 ≤ x ≤ 200} ∪ {x′ = √ 2/2 v, y′ = − √ 2/2 v, v′ = √ 2/2 g & 200 ≤ x ≤ 300}}∗

25 / 49

Example

phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

26 / 49

Example

phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

27 / 49

Example

phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100} ∪ {Arc(. . .) & 100 ≤ x ≤ 200} ∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗

28 / 49

Individual Components are Modeled as ODEs

Line Segment: Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)}

29 / 49

Individual Components are Modeled as ODEs

Line Segment: Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)} Arc Segment: Arc

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g, dx′ = −dy · v/r, dy′ = dx · v/r & InBounds(x1, x2, y1, y2)}

29 / 49

Concrete Parameters are Plugged in From GUI

Line Segment: Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)}

30 / 49

Concrete Parameters are Plugged in From GUI

Line Segment: Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)} ⇓Subst Line(1, 0, . . .)

def

≡ {x′ = v · 1, y′ = v · 0, v′ = −0 · g & InBounds(0, 100, 200, 200)}

30 / 49

Composition is Modeled with Discrete Programs

Let track sections seci be component instances: seci

def

≡ Line(argsi) or Arc(argsi) and system model α: phys

def

≡ (sec1 ∪ · · · ∪ secn)∗

31 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

32 / 49

Components Verified with Invariants and Solving

• Straight line is solvable, thus decidable.
• Arc needs invariant (energy conservation), proved manually:

E = E0 ∧ OnTrack → [Arc] (E = E0 ∧ OnTrack)

• Even for straight line, manual proof more performant

33 / 49

Instantiation is Verified by Substitution

• Conceptually simple step
• Greatly improves performance (20x in some cases)

Line

def

≡ {x′ = v · dx, y′ = v · dy, v′ = −dy · g & InBounds(x1, x2, y1, y2)} ⇓Subst Line(1, 0, . . .)

def

≡ {x′ = v · 1, y′ = v · 0, v′ = −0 · g & InBounds(0, 100, 200, 200)}

34 / 49

Composition is Verified by Contract-Checking

• At boundary, invariants for both sections hold
• Checked with arithmetic solving + custom automation

Example: J1 ≡ (x = y) J2 ≡

• y2 + (x − 200)2 = 1002

35 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

36 / 49

We Modeled 6 Real Coasters

Top Thrill Steel Phantom Backyard El Toro Phantom’s Revenge Lil’ Phantom

37 / 49

Analysis Distinguished Safe and Unsafe Acceleration

Top Thrill Steel Phantom (6.5g) Backyard El Toro Phantom’s Revenge (3.5g) Lil’ Phantom

38 / 49

This is the Largest dL Model Ever

Stats: CoasterX Max Previous Max (Est.) Vars 256 > 27 Components 56 > 3 Fml size 52KB > 6.5KB Proof Steps 20M (29K w/ reuse) > 100K

39 / 49

Scalability is Quadratic

37 57 107 192 232 256 500 1000 1500 # vars time(s) Runtime vs. Problem Size

(on a recent workstation)

40 / 49

Component Verification Cost Sometimes Matters

Component Time # Steps Line 140s 900K Q1 Arc 3.1s 9K Q2 Arc 5.1s 14K Q3 Arc 3.6s 10K Q4 Arc 6.3s 17K Automatic proof (Line) vastly slower than manual proof (Arcs)

41 / 49

Outline

1 Motivation 2 Approach 3 Modeling and Verification

Background: dL Identifying Assumptions Formal Specification Formal Verification

4 Evaluation 5 Future Work and Conclusion

42 / 49

Advanced Dynamical Models Answer Deeper Questions

Acceleration |a| ≤ ahi

43 / 49

Advanced Dynamical Models Answer Deeper Questions

Acceleration |a| ≤ ahi ⇒ Rollback 0 < vlo ≤ v Stuck 0 < vlo ≤ v Friction Wind

43 / 49

Advanced 3D Design 2D

Build Detect Simulate ⇓

3D

3D Modeling support enables lateral bounds and banking support

44 / 49

Rich Contracts Enable High-Impact Domains

• Transit networks: Contracts at intersections/switches
• Flight plans: Contracts at crossing points

Rail Road UAV

45 / 49

Coasters Support Pedagogical Mission

• 15-424 CPS Foundations: Fun applications motivate students
• Course feeds into undergraduate research
• Initial stages were Adriel + Xuean’s 15-424 course project

GPWS Chute Pong Coaster Chess Baseball

46 / 49

Questions?

Top Thrill Steel Phantom Backyard El Toro Phantom’s Revenge Lil’ Phantom

47 / 49

References I

ASTM, Standard Practice for Design of Amusement Rides and Devices, Standard, ASTM International, Sep 2017. Brandon Bohrer, Adriel Luo, Xuean Chuang, and Andr´ e Platzer, CoasterX: A case study in component-driven hybrid systems proof automation, IFAC, 2018. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus V¨

• lp, and Andr´

e Platzer, KeYmaera X: An axiomatic tactical theorem prover for hybrid systems, CADE (Amy Felty and Aart Middeldorp, eds.), LNCS, vol. 9195, Springer, 2015,

• pp. 527–538.

Nick Weisenberger, Coasters 101: An engineer’s guide to roller coaster design, 2015.

48 / 49

References II

Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang, Kinematics and dynamics simulation research for roller coaster multi-body system, Advanced Materials Research, vol. 421, Trans Tech Publications, 2012, pp. 276–280.

49 / 49