d L : Definite Descriptions in Differential Dynamic Logic Brandon - - PowerPoint PPT Presentation

dLι: Definite Descriptions in Differential Dynamic Logic

Brandon Bohrer, Manuel Fern´ andez, and Andr´ e Platzer

Logical Systems Lab Computer Science Department Carnegie Mellon University

CADE-27 August 29 2019

1 / 22

Outline

1 Introduction 2 CPS Needs Partiality, Discontinuity 3 Semantics 4 Proof Calculus 5 Theory

2 / 22

We Can Trust Theorem Provers

Prover NuPRL Coq KeYmaera X HOL4 Verification Foundation PRL CIC dL HOL [AR14] [Bar10] [BRV+17] [KAMO16]

3 / 22

We Can Almost Trust Theorem Provers

Prover NuPRL Coq KeYmaera X HOL4 Challenge Foundation PRL CIC dL HOL Γ ⇓ ⇀, C ∞ [KAMO16]

4 / 22

We Help dL Foundation Catch Up

Prover NuPRL Coq KeYmaera X HOL4 Challenge Foundation PRL CIC dLι HOL Γ ⇓ ⇀, C ∞ [BFP19] [KAMO16]

5 / 22

Safety-Critical CPS Deserve Proofs

Planes Drones Robots How can we design cyber-physical systems people can bet their lives on? – Jeanette Wing

6 / 22

dL + KeYmaera X Provides Proofs

Planes Drones Robots Γ ⊢ A Γ ⊢ A ∧ B Discrete Control Continuous Dynamics Syntactic Proof

6 / 22

dL + KeYmaera X Provides Proofs

Planes Drones Robots Γ ⊢ A Γ ⊢ A ∧ B Discrete Control Continuous Dynamics Syntactic Proof How do proofs cope when control, dynamics are partial, discontinuous?

6 / 22

Outline

1 Introduction 2 CPS Needs Partiality, Discontinuity 3 Semantics 4 Proof Calculus 5 Theory

7 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0)

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0)

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0)

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0)

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0)

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0) F.O. Arithmetic

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0) F.O. Arithmetic Conjunction

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0) F.O. Arithmetic Conjunction Implication

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0) F.O. Arithmetic Conjunction Implication All runs

8 / 22

Example System: Robot Water Cooler

αB ≡

• {?h > 0; a := 1} ∪ a := 0
• ;

h′ = −

• 2gh a

A & h ≥ 0 ∗ Choose control case Test h > 0 Set a to 1 Evolve physics

Proposition (Leakiness)

g > 0 ∧ h = h0 ∧ h0 > 0 ∧ A > 0 → [αB](h ≤ h0) F.O. Arithmetic Conjunction Implication All runs

8 / 22

Outline

1 Introduction 2 CPS Needs Partiality, Discontinuity 3 Semantics 4 Proof Calculus 5 Theory

9 / 22

dL Needs Lots of Extensions

Definition (dL Terms)

θ, η ::= x | q | θ + η | θ · η | (θ)′

10 / 22

dL Needs Lots of Extensions

Definition (dL Terms)

θ, η ::= x | q | θ + η | θ · η | (θ)′ | θ/η

10 / 22

dL Needs Lots of Extensions

Definition (dL Terms)

θ, η ::= x | q | θ + η | θ · η | (θ)′ | θ/η | √ θ

10 / 22

dL Needs Lots of Extensions

Definition (dL Terms)

θ, η ::= x | q | θ + η | θ · η | (θ)′ | θ/η | √ θ | max(θ, eta) | min(θ, η) | |θ| | (if(φ)(θ)else(η))

10 / 22

dL Needs Lots of Extensions

Definition (dL Terms)

θ, η ::= x | q | θ + η | θ · η | (θ)′ | θ/η | √ θ | max(θ, eta) | min(θ, η) | |θ| | (if(φ)(θ)else(η)) | sin(θ) | cos(θ) | (θ, η) | π1θ | π2θ | inR(θ) | isT(θ) | map2(T, f (x, y)) | zip(L1, L2) |

• L1

+L2

• | L1

·L2

10 / 22

dLι Generalizes Foundations

Definition (dLι Terms)

θ, η ::= · · · | (θ, η) | ιx φ(x)

• Lukasiewicz

Free Logic R Analysis

• U. Subst. Ind. Types

dLι Partiality Discontinuity Extensibility Vectoriality Examples:

(if(φ)(θ1)else(θ2)) = ιx (φ ∧ x=θ1) ∨ (¬φ ∧ x=θ2) √ θ = ιx (x2=θ ∧ x ≥ 0) θ1/θ2 = ιx (x · θ2=θ1)

11 / 22

dLι Generalizes Foundations

Definition (dLι Terms)

θ, η ::= · · · | (θ, η) | ιx φ(x) Pairing

• Lukasiewicz

Free Logic R Analysis

• U. Subst. Ind. Types

dLι Partiality Discontinuity Extensibility Vectoriality Examples:

(if(φ)(θ1)else(θ2)) = ιx (φ ∧ x=θ1) ∨ (¬φ ∧ x=θ2) √ θ = ιx (x2=θ ∧ x ≥ 0) θ1/θ2 = ιx (x · θ2=θ1)

11 / 22

dLι Generalizes Foundations

Definition (dLι Terms)

θ, η ::= · · · | (θ, η) | ιx φ(x) Pairing Unique x s.t. φ

• Lukasiewicz

Free Logic R Analysis

• U. Subst. Ind. Types

dLι Partiality Discontinuity Extensibility Vectoriality Examples:

(if(φ)(θ1)else(θ2)) = ιx (φ ∧ x=θ1) ∨ (¬φ ∧ x=θ2) √ θ = ιx (x2=θ ∧ x ≥ 0) θ1/θ2 = ιx (x · θ2=θ1)

11 / 22

Term Semantics

dL dLι

12 / 22

Formula Semantics

Compare And

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

x/y = 1 x/y ≥ 1 ∧ y/x ≥ 1 Not Or

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

• 1.0
• 0.5

0.0 0.5 1.0

¬(x/y = 1) x/y ≥ 1 ∨ y/x ≥ 1

13 / 22

Outline

1 Introduction 2 CPS Needs Partiality, Discontinuity 3 Semantics 4 Proof Calculus 5 Theory

14 / 22

Program Axioms Decompose Dynamics

[:=] ([x := f ]p(x) ↔ p(f )) [?] [?Q]P ↔ (Q → P) ∪ a ∪ bP ↔ (aP ∨ bP) in

• ut
• ut

α β α ∪ β

Figure: Selected Program Axioms (dLι)

15 / 22

Program Axioms Decompose Dynamics

[:=] ([x := f ]p(x) ↔ p(f )) ← E(f ) [?] [?Q]P ↔ (D(Q) → P) ∪ a ∪ bP ↔ (aP ∨ bP) in

• ut
• ut

α β α ∪ β

Figure: Selected Program Axioms (dLι)

15 / 22

Program Axioms Decompose Dynamics

[:=] ([x := f ]p(x) ↔ p(f )) ← E(f ) [?] [?Q]P ↔ (D(Q) → P) ∪ a ∪ bP ↔ (aP ∨ bP) Denotes in

• ut
• ut

α β α ∪ β

Figure: Selected Program Axioms (dLι)

15 / 22

Program Axioms Decompose Dynamics

[:=] ([x := f ]p(x) ↔ p(f )) ← E(f ) [?] [?Q]P ↔ (D(Q) → P) ∪ a ∪ bP ↔ (aP ∨ bP) Denotes Definitely true in

• ut
• ut

α β α ∪ β

Figure: Selected Program Axioms (dLι)

15 / 22

Outline

1 Introduction 2 CPS Needs Partiality, Discontinuity 3 Semantics 4 Proof Calculus 5 Theory

16 / 22

• U. Subst is Clean Foundation

Axioms are single formulas, substitution is explicit: US φ σ(φ) Sound for admissible σ:

Definition (Admissibility (dL))

No new free variable ref. under formula, program binders

Definition (Admissibility (dLι))

No new free variable ref. under formula, program, term binders Takeaway: Admissibility generalizes cleanly to definite description

17 / 22

Axiom Validity

Proposition (Non-conservative extension)

Formula x · x ≥ 0 is valid in dL but not dLι

Proposition (Converse reducibility)

Exists linear-time T(φ) : dL → dLι where T(φ) valid iff φ valid.

• Non-conservative implies soundness must be proved anew in

dLι (but we proved it).

• dLι axioms are single formulas, so each case of soundness only

needs to show validity of one single formula.

• Converse reducibility shows dLι supports all dL theorems in

theory and practice.

18 / 22

Forward Reducibility

Motivation: What is the expressive power of dLι?

Theorem (Forward reducibility)

Exists reduction T(φ) : dLι → dL T(x′ = θ & φ) sol(t) ∧ axiomssol T((x, y)) G¨

• delR(x, y)

T(f (x)) G¨

• delR(f (x))

19 / 22

Forward Reducibility

Motivation: What is the expressive power of dLι?

Theorem (Forward reducibility)

Exists reduction T(φ) : dLι → dL T(x′ = θ & φ) sol(t) ∧ axiomssol T((x, y)) G¨

• delR(x, y)

T(f (x)) G¨

• delR(f (x))

Implication: Reduction is hard, want dLι in practice.

19 / 22

Takeaways

• dLι (definite description) helped dL foundation catch up with

KeYmaera X implementation.

• Theory is now ahead of implementation (vectors, function

definitions, non-polynomial ODEs)

• Uniform substitution calculus generalizes smoothly to many

logics

20 / 22

References I

Abhishek Anand and Vincent Rahli, Towards a formally verified proof assistant, ITP (Gerwin Klein and Ruben Gamboa, eds.), LNCS, vol. 8558, Springer, 2014, pp. 27–44. Bruno Barras, Sets in Coq, Coq in sets, J. Formalized Reasoning 3 (2010), no. 1, 29–48. Brandon Bohrer, Manuel Fernandez, and Andr´ e Platzer, dLι: Definite descriptions in differential dynamic logic, CADE (Pascal Fontaine, ed.), LNCS, vol. 11716, Springer, 2019,

• pp. 94–110.

21 / 22

References II

Brandon Bohrer, Vincent Rahli, Ivana Vukotic, Marcus V¨

• lp,

and Andr´ e Platzer, Formally verified differential dynamic logic, Certified Programs and Proofs - 6th ACM SIGPLAN Conference, CPP 2017, Paris, France, January 16-17, 2017 (New York) (Yves Bertot and Viktor Vafeiadis, eds.), ACM, 2017, pp. 208–221. Ramana Kumar, Rob Arthan, Magnus O. Myreen, and Scott Owens, Self-formalisation of higher-order logic: Semantics, soundness, and a verified implementation, J. Autom. Reas. 56 (2016), no. 3, 221–259.

22 / 22