keymaera x
play

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems - PowerPoint PPT Presentation

Mar 03, 2024 •304 likes •775 views

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf 2017 August 11, 2017 Examples: https://nfulton.org/marktoberdorf.zip Slides: https://nfulton.org/slides/marktoberdorf.pdf 1 Motivation KeYmaera

  1. KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf 2017 August 11, 2017 Examples: https://nfulton.org/marktoberdorf.zip Slides: https://nfulton.org/slides/marktoberdorf.pdf 1

  2. Motivation KeYmaera X provides strong evidence that Cyber-Physical Systems are safe. But you need to provide the model and sometimes help the proof. 2

  3. Motivation KeYmaera X provides strong evidence that Cyber-Physical Systems are safe. But you need to provide the model and sometimes help the proof. Andr´ e’s Lectures: ◮ Differential Dynamic Logics – Syntax and Semantics ◮ Sound and relatively complete axiomatizations ◮ Some examples 2

  4. Motivation KeYmaera X provides strong evidence that Cyber-Physical Systems are safe. But you need to provide the model and sometimes help the proof. Andr´ e’s Lectures: This Lecture: ◮ Differential Dynamic Logics ◮ Practical advice for – Syntax and Semantics modeling systems ◮ Sound and relatively ◮ Hands-on Exercise proving complete axiomatizations theorems ◮ Some examples ◮ Example-driven 2

  5. Outline Straight Line Dynamics The Stop Sign Model Circular Dynamics Loitering Outside Prohibited Airspace Logarithmic Dynamics Safe SCUBA Diving Extras The ODE Solver Taylor Approximations as Successive Differential Cuts 3

  6. The Stop Sign Model 4

  7. Take-Aways from the Stop Sign Model ◮ Focus on interesting questions by unfold ing. 5

  8. Take-Aways from the Stop Sign Model ◮ Focus on interesting questions by unfold ing. ◮ Use contextual reasoning to avoid repetition of expensive or difficult proof steps. 5

  9. Take-Aways from the Stop Sign Model ◮ Focus on interesting questions by unfold ing. ◮ Use contextual reasoning to avoid repetition of expensive or difficult proof steps. ◮ KeYmaera X’s edit tool checks your arithmetic (common and annoying source of errors, both in proofs and implementations!) 5

  10. Take-Aways from the Stop Sign Model ◮ Focus on interesting questions by unfold ing. ◮ Use contextual reasoning to avoid repetition of expensive or difficult proof steps. ◮ KeYmaera X’s edit tool checks your arithmetic (common and annoying source of errors, both in proofs and implementations!) ◮ Quantifier Elimination is a powerful tool useful for more than just decision procedures: ◮ Find assumptions and loop invariants by reducing the system to arithmetic and eliminating quantifiers. ◮ ModelPlex : ∀ x 0 , x 1 , . . . , x n . ∃ y 0 , . . . , x n .ϕ is kinda hard to check at runtime... 5

  11. Outline Straight Line Dynamics The Stop Sign Model Circular Dynamics Loitering Outside Prohibited Airspace Logarithmic Dynamics Safe SCUBA Diving Extras The ODE Solver Taylor Approximations as Successive Differential Cuts 6

  12. Loitering Outside Prohibited Airspace 7

  13. Loitering Outside Prohibited Airspace y ≤ h → [ r := ∗ ; ? r ≤ h ∧ x 2 + y 2 = r 2 ; x ′ = y , y ′ = − x ] y ≤ h � �� � � �� � Choose circle below h Circular dynamics 8

  14. Lie Derivative Computations ( y ≤ h ) ′ ≡ ( y ) ′ ≤ ( h ) ′ ≡ − x ≤ 0 FALSE 9

  15. Lie Derivative Computations ( y ≤ h ) ′ ≡ ( y ) ′ ≤ ( h ) ′ ≡ − x ≤ 0 FALSE ( x 2 + y 2 = r 2 ) ′ ≡ ( x 2 + y 2 ) ′ = ( r 2 ) ′ ≡ 2 xx ′ +2 yy ′ = 0 ≡ 2 xy − 2 xy = 0 9

  16. Lie Derivative Computations ( y ≤ h ) ′ ≡ ( y ) ′ ≤ ( h ) ′ ≡ − x ≤ 0 FALSE ( x 2 + y 2 = r 2 ) ′ ≡ ( x 2 + y 2 ) ′ = ( r 2 ) ′ ≡ 2 xx ′ +2 yy ′ = 0 ≡ 2 xy − 2 xy = 0 r ≤ h ∧ x 2 + y 2 = r 2 → ? y ≤ h 9

  17. Lie Derivative Computations ( y ≤ h ) ′ ≡ ( y ) ′ ≤ ( h ) ′ ≡ − x ≤ 0 FALSE ( x 2 + y 2 = r 2 ) ′ ≡ ( x 2 + y 2 ) ′ = ( r 2 ) ′ ≡ 2 xx ′ +2 yy ′ = 0 ≡ 2 xy − 2 xy = 0 r ≤ h ∧ x 2 + y 2 = r 2 → ? y ≤ h FALSE COUNTER-EXAMPLE: − 2 ≤ − 2 ∧ 3 + 1 = 4 �→ − 1 ≤ − 2 9

  18. On Annoying Assumptions 10

  19. Take-aways from Loitering Example ◮ Like loop invariants, differential invariants sometimes need strengthening . 11

  20. Take-aways from Loitering Example ◮ Like loop invariants, differential invariants sometimes need strengthening . ◮ In these cases, try using differential cuts to describe geometric constraints on the system. 11

  21. Take-aways from Loitering Example ◮ Like loop invariants, differential invariants sometimes need strengthening . ◮ In these cases, try using differential cuts to describe geometric constraints on the system. ◮ Most early proof attempts fail due to missing obvious assumptions: ◮ Upper/lower-bounds (esp. positivity). ◮ Missing t ′ = 1 in time-triggered systems. ◮ Missing control epsilon t ≤ T in evolution domain. ◮ Interesting dynamics (e.g., missing v ≥ 0). Use counter-examples to find these errors. 11

  22. Outline Straight Line Dynamics The Stop Sign Model Circular Dynamics Loitering Outside Prohibited Airspace Logarithmic Dynamics Safe SCUBA Diving Extras The ODE Solver Taylor Approximations as Successive Differential Cuts 12

  23. Safe SCUBA diving 13

  24. Heart Rate Function x ′ = − ( x − HR max ) b 14

  25. SCUBA Ascent Case Control Goal: Find a condition that ensures the diver reaches the surface before running out of oxygen. 15

  26. SCUBA Proof Idea x ′ = − ( x − a ) b , t ′ = − τ x , d ′ = v , c ′ = C & c ≤ C ∧ d ≥ 0 Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating. 16

  27. SCUBA Proof Idea x ′ = − ( x − a ) b , t ′ = − τ x , d ′ = v , c ′ = C & c ≤ C ∧ d ≥ 0 Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating. ◮ Non-linear term: x ≤ HR max 16

  28. SCUBA Proof Idea x ′ = − ( x − a ) b , t ′ = − τ x , d ′ = v , c ′ = C & c ≤ C ∧ d ≥ 0 Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating. ◮ Non-linear term: x ≤ HR max ◮ Bound time: d 0 + vc ≥ 0 ⇒ bound on time (denote as z = − d v 0 ). 16

  29. SCUBA Proof Idea x ′ = − ( x − a ) b , t ′ = − τ x , d ′ = v , c ′ = C & c ≤ C ∧ d ≥ 0 Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating. ◮ Non-linear term: x ≤ HR max ◮ Bound time: d 0 + vc ≥ 0 ⇒ bound on time (denote as z = − d v 0 ). t = t 0 − τ xc ≥ t 0 − τ HR max c ≥ t 0 − τ HR max z ≥ 0 � �� � Initial safe states! 16

  30. SCUBA Proof Idea x ′ = − ( x − a ) b , t ′ = − τ x , d ′ = v , c ′ = C & c ≤ C ∧ d ≥ 0 Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating. ◮ Non-linear term: x ≤ HR max ◮ Bound time: d 0 + vc ≥ 0 ⇒ bound on time (denote as z = − d v 0 ). t = t 0 − τ xc ≥ t 0 − τ HR max c ≥ t 0 − τ HR max z ≥ 0 � �� � Initial safe states! The first step requires x ≤ HR max . This is the only interesting lemma. 16

  31. Computing the Differential Ghost Let’s prove x < HR max instead to avoid extra case splitting due to the x = HR max bifurcation point. 17

  32. Computing the Differential Ghost Let’s prove x < HR max instead to avoid extra case splitting due to the x = HR max bifurcation point. ◮ Step 1: Find an existential condition equivalent to our goal: | = R C F x < HR max ↔ ∃ y . ? 17

  33. Computing the Differential Ghost Let’s prove x < HR max instead to avoid extra case splitting due to the x = HR max bifurcation point. ◮ Step 1: Find an existential condition equivalent to our goal: = R C F x < HR max ↔ ∃ y . y 2 ( x − HRmax ) = − 1 | 17

  34. Computing the Differential Ghost Let’s prove x < HR max instead to avoid extra case splitting due to the x = HR max bifurcation point. ◮ Step 1: Find an existential condition equivalent to our goal: = R C F x < HR max ↔ ∃ y . y 2 ( x − HRmax ) = − 1 | ◮ Step 2: Find y ′ s.t. ( y 2 ( x − HR max ) = − 1) ′ is true: 17

  35. Computing the Differential Ghost Let’s prove x < HR max instead to avoid extra case splitting due to the x = HR max bifurcation point. ◮ Step 1: Find an existential condition equivalent to our goal: = R C F x < HR max ↔ ∃ y . y 2 ( x − HRmax ) = − 1 | ◮ Step 2: Find y ′ s.t. ( y 2 ( x − HR max ) = − 1) ′ is true: ( y 2 ( x − HRmax ) = − 1) ′ ≡ ( y 2 ( x − HR max )) ′ = 0 ≡ 2 yy ′ ( x − HR max ) + y 2 x ′ = 0 ≡ 2 yy ′ ( x − HR max + y 2 ( − ( x − a ) b ) = 0 ≡ . . . ≡ y ′ = b 2 y (All equivalences are with respect to the ODE.) 17

  36. Take-aways from SCUBA Example ◮ As systems become harder to model, parametric models save the day. ◮ Identifying and using differential ghosts is (sometimes) systematic. ◮ Partial solutions to fragments of an ODE’s dynamics are useful whenever you can upper-bound terms. ◮ Tactics ⇒ proof reuse 18

  37. Summary 19

  38. Resources Notes, slides, and examples from this talk: https://nfulton.org/marktoberdorf KeYmaera X website: https://keymaeraX.org Online Instance ( With Mathematica! ): https://web.keymaeraX.org Source Code (Scala): https://github.com/LS-Lab/KeYmaeraX-release KeYmaera X Credits: Stefan Mitsch, Jan-David Quesel, Marcus V¨ olp, Brandon Bohrer, Yong Kiam Tan, Andr´ e Platzer, . . . SCUBA Credits: Karim Elmaaroufi and Viren Bajaj 20

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the user-KeYmaera experience implement convenience features in KeYmaera reduce the amount of clicking Changes from initial idea moved over

291 views • 14 slides
Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22, 2017 Nathan Fulton Other System Contributors: Stefan Mitsch, Andr Platzer, Brandon Bohrer, Yong Kiam Tan, Jan-David Quesel, ... Trustworthy

932 views • 57 slides
Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon University September 13, 2016 Dagstuhl, Germany Robustness A system is robust if it operates correctly despite: Disturbances in actuation

516 views • 28 slides
Logic &amp; Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3

Logic &amp; Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3

Logic &amp; Proofs for Cyber-Physical Systems with KeYmaera X Andr e Platzer 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer (CMU) Logic &amp; Proofs for Cyber-Physical Systems with KeYmaera X iFM17 1 / 29 Outline

1.38k views • 90 slides
KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel University of Oldenburg, Department of Computing Science, Germany International Joint Conference on Automated Reasoning, Sydney 2008 Andr e Platzer,

533 views • 25 slides
KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems

KeYmaera Improving the Proof Experience Corwin de Boor Cyber-Physical Systems Safety-critical Verification Proof assistance Proof assistants Proof experience 2/10 Proof Experience Issues High iteration cost

339 views • 10 slides
Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer (CMU) Cyber-Physical Systems Verification with KeYmaera X LFCS20 1 / 25 Outline

909 views • 76 slides
Differential-Algebraic Dynamic Logic for KeYmaera X CPS Grand Prix Benjamin Lim Yao Chong Lim

Differential-Algebraic Dynamic Logic for KeYmaera X CPS Grand Prix Benjamin Lim Yao Chong Lim

Differential-Algebraic Dynamic Logic for KeYmaera X CPS Grand Prix Benjamin Lim Yao Chong Lim School of Computer Science, Carnegie Mellon University December 11, 2018 Benjamin Lim, Yao Chong Lim (SCS) dA L for KeYmaeraX December 11, 2018 1 /

786 views • 60 slides
KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6,

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6,

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1 Milieu Safety-critical control software is pervasive and increasingly complicated. 2 Milieu Safety-critical control software is

525 views • 34 slides
Rapide Note Rapid Note All over the world and more specifically in democratic However in this

Rapide Note Rapid Note All over the world and more specifically in democratic However in this

Eur. Phys. J. B 25 , 403406 (2002) T HE E UROPEAN DOI: 10.1140/epjb/e20020045 P HYSICAL J OURNAL B EDP Sciences c Societ` a Italiana di Fisica Springer-Verlag 2002 Minority opinion spreading in random geometry S. Galam a Laboratoire

297 views • 4 slides
- Meet Face-to Face - Date 2010.12.17(Fri)-18(Sat) Venue Hanyang University, Seoul, Korea

- Meet Face-to Face - Date 2010.12.17(Fri)-18(Sat) Venue Hanyang University, Seoul, Korea

- Meet Face-to Face - Date 2010.12.17(Fri)-18(Sat) Venue Hanyang University, Seoul, Korea HIT(Human Institute of Technology), The symposium aims to systematically spread the new telemedicine sys tem which utilizes high-level IT

466 views • 4 slides
PUBLIC HEARING ON THE PROPOSED 2018-2019 ELEMENTARY SCHOOLS BUDGETS February 27, 2018

PUBLIC HEARING ON THE PROPOSED 2018-2019 ELEMENTARY SCHOOLS BUDGETS February 27, 2018

PUBLIC HEARING ON THE PROPOSED 2018-2019 ELEMENTARY SCHOOLS BUDGETS February 27, 2018 SEPT/OCT -Principal reviews enrollment, program and service needs of students and seeks input from staff &amp; School Council OCT - Principal submits

705 views • 12 slides
General Mee)ng March 25, 2015 Joining IEEE 1. campuslink.uc.edu 2. Log in

General Mee)ng March 25, 2015 Joining IEEE 1. campuslink.uc.edu 2. Log in

General Mee)ng March 25, 2015 Joining IEEE 1. campuslink.uc.edu 2. Log in Follow us on Twitter! 3. Click Organizations @UC_IEEE 4. Directory click T 5. Click IEEE 6. Click Join Organization

273 views • 11 slides
Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of

Interactive Deep-dive : Visualizing Terrorism Data Ella Kim, Leah Kim Project Idea Evolution of terrorism in the Middle East + Interactive Data Visualization + Interactive Data Deep Dive Prior Work Static visualization No interactivity

242 views • 6 slides
Pro po sing a n a lte rna tive me tho d o f de mo nstra ting c o mplia nc e with 46 CF R Pa rt

Pro po sing a n a lte rna tive me tho d o f de mo nstra ting c o mplia nc e with 46 CF R Pa rt

I MCA a nd ADCI wo rking to g e the r to b e ne fit o ffsho re c o mme rc ia l diving I mpro ving pe rfo rmanc e in the marine c o ntrac ting industry Pro po sing a n a lte rna tive me tho d o f de mo nstra ting c o mplia nc e with

456 views • 10 slides
III. A Deep Dive into the CA English Learner Roadmap Laurie Olsen, Ph.D.; Strategic Advisor,

III. A Deep Dive into the CA English Learner Roadmap Laurie Olsen, Ph.D.; Strategic Advisor,

III. A Deep Dive into the CA English Learner Roadmap Laurie Olsen, Ph.D.; Strategic Advisor, Sobrato Family Foundation California English Learner Roadmap Launch Event At Your Tables: Have you heard about the CA EL Roadmap ? Where and from

214 views • 19 slides
Primal heuristic for MINLPs in SCIP Ambros Gleixner, and Felipe Serrano Zuse Institute Berlin

Primal heuristic for MINLPs in SCIP Ambros Gleixner, and Felipe Serrano Zuse Institute Berlin

Primal heuristic for MINLPs in SCIP Ambros Gleixner, and Felipe Serrano Zuse Institute Berlin serrano@zib.de SCIP Optimization Suite http://scip.zib.de Workshop on Discrepancy Theory and Integer Programming Amsterdam June 12, 2018

754 views • 53 slides
Computer Science 135: Diving into the Deluge of Data Contact Information: Brent Heeringa Email:

Computer Science 135: Diving into the Deluge of Data Contact Information: Brent Heeringa Email:

Computer Science 135: Diving into the Deluge of Data Contact Information: Brent Heeringa Email: heeringa@cs.williams.edu Office: Thompson Chemistry Laboratory 306 Phone: 413.597.4711 Course Information Classroom: Thompson Physics 205 Lecture

311 views • 7 slides
Scuba: Diving into Data at Facebook Presenter: Lavanya Subramanian 1 Need for Data Analysis

Scuba: Diving into Data at Facebook Presenter: Lavanya Subramanian 1 Need for Data Analysis

Scuba: Diving into Data at Facebook Presenter: Lavanya Subramanian 1 Need for Data Analysis Performance monitoring Detect unexpected performance drops/rises Pattern mining Understand user response to new features Ad revenue

605 views • 17 slides
Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda

Next Generation ACO Model Open Door Forum: Financial Deep Dive March 31, 2015 Agenda Preliminary Financial Timeline Financial Model Deep Dive Benchmark Prospective Benchmark Example Example Discount Calculations Risk

917 views • 28 slides
Initial Submission Id IHV Publication Id IHV DUA Submission Id IHV DUA Publication Id Publish

Initial Submission Id IHV Publication Id IHV DUA Submission Id IHV DUA Publication Id Publish

ID2 ID1 ID3 ID4 Initial Submission Id IHV Publication Id IHV DUA Submission Id IHV DUA Publication Id Publish to WU Initial Driver DUA Publish to WU Resell Submission Id ID6 ID7 ID5 ID8 OEM Publication Id OEM DUA Submission Id OEM

408 views • 15 slides
Insect Division of Labour Applied to Online Scheduling Koen van der Blom Leiden Institute of

Insect Division of Labour Applied to Online Scheduling Koen van der Blom Leiden Institute of

Introduction Problem Algorithms Experiments Results Conclusion Further work Summary Questions References Insect Division of Labour Applied to Online Scheduling Koen van der Blom Leiden Institute of Advanced Computer Science Leiden

522 views • 23 slides
HFST: A new division of labour between software industry and linguists Kimmo Koskenniemi

HFST: A new division of labour between software industry and linguists Kimmo Koskenniemi

HFST: A new division of labour between software industry and linguists Kimmo Koskenniemi University of Helsinki LT is not exploited in software products Very few software products make use of language technology (LT) Not because there

397 views • 21 slides
The Impact of Unpaid Work on Employment Status in Mexico UNU-WIDER Development Conference

The Impact of Unpaid Work on Employment Status in Mexico UNU-WIDER Development Conference

The Impact of Unpaid Work on Employment Status in Mexico UNU-WIDER Development Conference Transforming Economies For Better Jobs Franziska Dorn Center for Statistics at the University of G ottingen Bangkok, September, 2019 F. Dorn

482 views • 32 slides

More recommend