Differential-Algebraic Dynamic Logic for KeYmaera X CPS Grand Prix - - PowerPoint PPT Presentation

Differential-Algebraic Dynamic Logic for KeYmaera X

CPS Grand Prix Benjamin Lim Yao Chong Lim

School of Computer Science, Carnegie Mellon University

December 11, 2018

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 1 / 19

Motivation

Imprecision is everywhere in actual Cyber-Physical systems...

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 2 / 19

Motivation

Imprecision is everywhere in actual Cyber-Physical systems... but how do we precisely model its semantics and prove guarantees?

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 2 / 19

Differential-Algebraic Dynamic Logic (dAL)

x ≤ m →

• {x′ = v, v′ = a & v ≥ 0}
• x ≤ m

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 3 / 19

Differential-Algebraic Dynamic Logic (dAL)

x ≤ m →

• {x′ = v, v′ = a & v ≥ 0}
• x ≤ m

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 3 / 19

Differential-Algebraic Dynamic Logic (dAL)

x ≤ m →

• {∃ δ. (x′ = v, v′ = a + δ & v ≥ 0 ∧ δ2 ≤ |v|

100)}

• x ≤ m

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 3 / 19

Differential-Algebraic Dynamic Logic (dAL)

dAL = dL + existentially quantified ODEs {∃ ¯

• y. (x′

1 = θ1, x′ 2 = θ2, · · · , x′ n = θn & Q)}

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 3 / 19

dAL Example (Perturbed Circular Motion)

x2 + y2 = 1 →

• {x′ = −y, y′ = x}
• x2 + y2 ≤ 1

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 4 / 19

dAL Example (Perturbed Circular Motion)

x2 + y2 = 1 →

• {∃e.(x′ = −y + e, y′ = x & x · e ≤ 0)}
• x2 + y2 ≤ 1

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 4 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0 Invalid instance!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0 Invalid instance!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0 Invalid instance! Side conditions necessary...

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0 Invalid instance! Side conditions necessary...but which ones?

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

[x := e]P(x) → P(e) Axiom Schema [x := x + x][y := 3]x > 0 → [y := 3]x + x > 0 Valid instance! [x := x + y][y := 3]x > 0 → [y := 3]x + y > 0 Invalid instance! Side conditions necessary...but which ones? Key observation: Never bind a free variable that was free!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 5 / 19

Uniform Substitution (Abridged)

Instead of schema each with their own unique side conditions... [x := e]P(x) → P(e) (+some set of side conditions)

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 6 / 19

Uniform Substitution (Abridged)

Instead of schema each with their own unique side conditions... [x := e]P(x) → P(e) (+some set of side conditions) You have substitution axioms (without side conditions)... [x := c()]p(x) → p(c())

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 6 / 19

Uniform Substitution (Abridged)

Instead of schema each with their own unique side conditions... [x := e]P(x) → P(e) (+some set of side conditions) You have substitution axioms (without side conditions)... [x := c()]p(x) → p(c()) and generic admissibility rules for each logical construct (checked recursively) preventing capture of free variables.

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 6 / 19

Uniform Substitution (Abridged)

Upshot: A significantly reduced soundness-critical core that is easier to maintain and understand

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 7 / 19

Plan of Attack

Modernize dAL, providing a uniform substitution calculus for it similar to that for dL.

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 8 / 19

Plan of Attack

Modernize dAL, providing a uniform substitution calculus for it similar to that for dL. Implement uniform substitution axioms into KeYmaeraX.

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 8 / 19

Plan of Attack

Modernize dAL, providing a uniform substitution calculus for it similar to that for dL. Implement uniform substitution axioms into KeYmaeraX. Implement derived axioms and tactics into KeYmaeraX.

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 8 / 19

Plan of Attack

Modernize dAL, providing a uniform substitution calculus for it similar to that for dL. Implement uniform substitution axioms into KeYmaeraX. Implement derived axioms and tactics into KeYmaeraX. Prove stuff!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 8 / 19

dL Recap

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 9 / 19

dL Recap

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 9 / 19

dL Recap

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 9 / 19

dL Recap

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 9 / 19

Attempts at Uniformity

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 10 / 19

Attempts at Uniformity

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 10 / 19

Attempts at Uniformity

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′ ([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 10 / 19

Attempts at Uniformity

DW [c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x)](q(¯ x) → p(¯ x)) DC ([c & q(¯ x)]p(¯ x) ↔ [c & q(¯ x) ∧ r(¯ x)]p(¯ x)) ← [c & q(¯ x)]r(¯ x) DE [x′ = f (¯ x), c & q(¯ x)]p(¯ x) ↔ [x′ = f (¯ x), c & q(¯ x)][x′ := f (¯ x)]p(¯ x) DI ([c & q(¯ x)]p(¯ x) ↔ [?q(¯ x)]p(¯ x)) ← [c & q(¯ x)](p(¯ x))′ ([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Wrong!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 10 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Counterexample: (

• {∃y.(x′ = y, z′ = −1 & y ≥ z)}
• x ≥ 0 ↔ ∀y. [?y ≥ z] x ≥ 0)

← ∀y.

• {x′ = y, z′ = −1 & y ≥ z}
• (x ≥ 0)′

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Counterexample: (

• {∃y.(x′ = y, z′ = −1 & y ≥ z)}
• x ≥ 0 ↔ ∀y. [?y ≥ z] x ≥ 0)

← ∀y.

• {x′ = y, z′ = −1 & y ≥ z}
• (x ≥ 0)′

Pick a state with x ≥ 0 ∧ z ≥ 0:

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Counterexample: (

• {∃y.(x′ = y, z′ = −1 & y ≥ z)}
• x ≥ 0 ↔ ∀y. [?y ≥ z] x ≥ 0)

← ∀y.

• {x′ = y, z′ = −1 & y ≥ z}
• (x ≥ 0)′

Pick a state with x ≥ 0 ∧ z ≥ 0: Premise 1: ∀y. [{x′ = y, z′ = −1 & y ≥ z}] (x ≥ 0)′ True!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Counterexample: (

• {∃y.(x′ = y, z′ = −1 & y ≥ z)}
• x ≥ 0 ↔ ∀y. [?y ≥ z] x ≥ 0)

← ∀y.

• {x′ = y, z′ = −1 & y ≥ z}
• (x ≥ 0)′

Pick a state with x ≥ 0 ∧ z ≥ 0: Premise 1: ∀y. [{x′ = y, z′ = −1 & y ≥ z}] (x ≥ 0)′ True! Premise 2: ∀y. [?y ≥ z] x ≥ 0 True!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Attempts at Uniformity

([∃¯ y.(c & q(¯ x, ¯ y))]p(¯ x) ↔ ∀¯ y.[?q(¯ x, ¯ y)]p(¯ x)) ← ∀¯ y.[c & q(¯ x, ¯ y)](p(¯ x))′ Counterexample: (

• {∃y.(x′ = y, z′ = −1 & y ≥ z)}
• x ≥ 0 ↔ ∀y. [?y ≥ z] x ≥ 0)

← ∀y.

• {x′ = y, z′ = −1 & y ≥ z}
• (x ≥ 0)′

Pick a state with x ≥ 0 ∧ z ≥ 0: Premise 1: ∀y. [{x′ = y, z′ = −1 & y ≥ z}] (x ≥ 0)′ True! Premise 2: ∀y. [?y ≥ z] x ≥ 0 True! Conclusion: [{∃y.(x′ = y, z′ = −1 & y ≥ z)}] x ≥ 0 False??

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 11 / 19

Uniform Substitution for dAL

DC ([c & q]p ↔ [c & q ∧ r]p) ← [c & q]r DI ([c & q]p ↔ [?q]p) ← [c & q](p)′ DW [c & q]p ↔ [c & q](q → p) DE [x′ = f , c & q]p ↔ [x′ = f , c & q][x′ := f ]p DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 12 / 19

Uniform Substitution for dAL

DC ([c & q]p ↔ [c & q ∧ r]p) ← [c & q]r DI ([c & q]p ↔ [?q]p) ← [c & q](p)′ DW [c & q]p ↔ [c & q](q → p) DE [x′ = f , c & q]p ↔ [x′ = f , c & q][x′ := f ]p DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 12 / 19

Uniform Substitution for dAL

DC ([c & q]p ↔ [c & q ∧ r]p) ← [c & q]r DI ([c & q]p ↔ [?q]p) ← [c & q](p)′ DW [c & q]p ↔ [c & q](q → p) DE [x′ = f , c & q]p ↔ [x′ = f , c & q][x′ := f ]p DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 12 / 19

Uniform Substitution for dAL

DC ([c & q]p ↔ [c & q ∧ r]p) ← [c & q]r DI ([c & q]p ↔ [?q]p) ← [c & q](p)′ DW [c & q]p ↔ [c & q](q → p) DE [x′ = f , c & q]p ↔ [x′ = f , c & q][x′ := f ]p DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 12 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 13 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 13 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAW [{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q)}] (q → p) DAE

• {∃¯

y.(x′ = f , c & q)}

• p ↔ ∀¯

y.

• {∃¯

y.(x′ = f , c & q)} x′ := f

• p

DAE too weak for technical reasons, DAW actually unnecessary!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 13 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAS [{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [{∃¯

y.(c & q)}] [{c & q}] p What we actually need is a ’differential algebraic stutter’ axiom (DAS)!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 14 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAS [{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [{∃¯

y.(c & q)}] [{c & q}] p

Theorem (Soundness of Uniform Substitution Calculus for dAL)

The above substitution axioms for dAL are sound.

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 14 / 19

Uniform Substitution for dAL

DAC ([{∃¯ y.(c & q)}] p ↔ [{∃¯ y.(c & q ∧ r)}] p) ← [{∃¯ y.(c & q)}] r DAI ([{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [?q] p) ← [{∃¯

y.(c & q)}] (p)′ DAS [{∃¯ y.(c & q)}] p ↔ ∀¯

• y. [{∃¯

y.(c & q)}] [{c & q}] p

Theorem (Soundness of Uniform Substitution Calculus for dAL)

The above substitution axioms for dAL are sound. We have created a sound and ’minimal’ uniform substitution calculus for dAL that we can implement into KeYmaeraX!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 14 / 19

Implementation Details

Modified the parser and core data structures in KeYmaeraX to support dAL We support singly-quantified differential systems (due to lack of vectorial support and significant compatibility changes required) Modified to unification, uniform substitution and other necessary algorithms supported by KeYmaeraX Uniform Substitution axioms added to trusted axiom base Derived axioms and derived tactics proven from trusted axioms Tested proving examples using derived axioms and tactics

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 15 / 19

Implementation Details

Modified the parser and core data structures in KeYmaeraX to support dAL We support singly-quantified differential systems (due to lack of vectorial support and significant compatibility changes required) Modified to unification, uniform substitution and other necessary algorithms supported by KeYmaeraX Uniform Substitution axioms added to trusted axiom base Derived axioms and derived tactics proven from trusted axioms Tested proving examples using derived axioms and tactics A successful extension that minimally extends the trusted core!

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 15 / 19

Derived Tactics

Q(x, ¯ y) ⊢ P(x) dAW Γ ⊢

• {∃¯

y.(x′ = f (x, ¯ y) & Q(x, ¯ y))}

• P(x), ∆

Q(x, ¯ y) ⊢

• x′ := f (x, ¯

y)

• (P(x))′

dAI P(x) ⊢

• {∃¯

y.(x′ = f (x, ¯ y) & Q(x, ¯ y))}

• P(x)

Γ ⊢ [{∃¯ y.(c & Q ∧ R)}] P, ∆ Γ ⊢ [{∃¯ y.(c & Q)}] R, ∆ dAC Γ ⊢ [{∃¯ y.(c & Q)}] P, ∆

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 16 / 19

Example (Perturbed Circular Motion)

∗ R x · e ≤ 0 ⊢ 2x(−y + e) + 2yx ≤ 0 [′:=] x · e ≤ 0 ⊢

• x′ := −y + e

y′ := x

• 2xx′ + 2yy′ ≤ 0

[′], [; ] x · e ≤ 0 ⊢

• x′ := −y + e; y′ := x
• (x2 + y2 ≤ 1)′

dAI x2 + y2 = 1 ⊢

• {∃e.(x′ = −y + e, y′ = x & x · e ≤ 0)}
• x2 + y2 ≤ 1

→R ⊢ x2 + y2 = 1 →

• {∃e.(x′ = −y + e, y′ = x & x · e ≤ 0)}
• x2 + y2 ≤ 1

Q(x, ¯ y) ⊢

• x′ := f (x, ¯

y)

• (P(x))′

dAI P(x) ⊢

• {∃¯

y.(x′ = f (x, ¯ y) & Q(x, ¯ y))}

• P(x)

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 17 / 19

Conclusion and Future Work

Constructed a uniform substitution calculus for dAL Implemented it in KeYmaeraX for a single existentially quantified variable Constructed derived axioms and rules for actual use Future extensions:

◮ Support for multiple quantifiers ◮ WebUI support ◮ ’Desugared’ syntax ◮ Support for more derived rules ◮ Support for hybrid games with differential-algebraic components Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 18 / 19

Conclusion and Future Work

Constructed a uniform substitution calculus for dAL Implemented it in KeYmaeraX for a single existentially quantified variable Constructed derived axioms and rules for actual use Future extensions:

◮ Support for multiple quantifiers ◮ WebUI support ◮ ’Desugared’ syntax ◮ Support for more derived rules ◮ Support for hybrid games with differential-algebraic components Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 18 / 19

Conclusion and Future Work

Constructed a uniform substitution calculus for dAL Implemented it in KeYmaeraX for a single existentially quantified variable Constructed derived axioms and rules for actual use Future extensions:

◮ Support for multiple quantifiers ◮ WebUI support ◮ ’Desugared’ syntax ◮ Support for more derived rules ◮ Support for hybrid games with differential-algebraic components Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 18 / 19

Conclusion and Future Work

Constructed a uniform substitution calculus for dAL Implemented it in KeYmaeraX for a single existentially quantified variable Constructed derived axioms and rules for actual use Future extensions:

◮ Support for multiple quantifiers ◮ WebUI support ◮ ’Desugared’ syntax ◮ Support for more derived rules ◮ Support for hybrid games with differential-algebraic components Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 18 / 19

Conclusion and Future Work

Constructed a uniform substitution calculus for dAL Implemented it in KeYmaeraX for a single existentially quantified variable Constructed derived axioms and rules for actual use Future extensions:

◮ Support for multiple quantifiers ◮ WebUI support ◮ ’Desugared’ syntax ◮ Support for more derived rules ◮ Support for hybrid games with differential-algebraic components Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 18 / 19

Questions?

Benjamin Lim, Yao Chong Lim (SCS) dAL for KeYmaeraX December 11, 2018 19 / 19