keymaera x theorem proving for hybrid systems
play

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton - PowerPoint PPT Presentation

Sep 19, 2023 •179 likes •525 views

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1 Milieu Safety-critical control software is pervasive and increasingly complicated. 2 Milieu Safety-critical control software is

  1. KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1

  2. Milieu Safety-critical control software is pervasive and increasingly complicated. 2

  3. Milieu Safety-critical control software is pervasive and increasingly complicated. 2

  4. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 3

  5. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 Tactics Maintainable and readable proof automation 3

  6. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 Tactics Maintainable and readable proof automation GUI A point-and-prove interface for interacting with deeply nested formulas 3

  7. Hybrid Programs Assign x := θ Sequence α ; β Iteration α ∗ Choice α ∪ β Test ? ϕ ODEs { x ′ 1 = θ 1 , . . . , x ′ n = θ n & P } 4

  8. A Hybrid System Specification vel ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ acc := A ∪ acc := − B } ; { pos ′ = vel , vel ′ = acc & vel ≥ 0 }} ∗ ] vel ≥ 0 5

  9. A Hybrid System Specification vel ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ acc := A ∪ acc := − B } ; { pos ′ = vel , vel ′ = acc & vel ≥ 0 }} ∗ ] vel ≥ 0 5

  10. Core: Uniform Substitution UniformSubstitution φ σ ( φ ) Where σ performs admissible substitutions on functions, predicates, and program constants. 6

  11. Core: Axioms Axiom "K�modal�modus�ponens". [a;](p(?)->q(?)) -> (([a;]p(?)) -> ([a;]q(?))) End. Axiom "DC�differential �cut". ([c&H(?);]p(?) <-> [c&(H(?)&r(?));]p(?)) <- [c&H(?);]r(? End. Axiom "[++]�choice". [a ++ b]p(?) <-> ([a;]p(?) & [b;]p(?)). End. 7

  12. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 8

  13. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 8

  14. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 8

  15. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 8

  16. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 8

  17. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 8

  18. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  19. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  20. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  21. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  22. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & DiffInv(" v ≥ 0 ") & 5. Appeal to Decision Procedure for Real Arithmetic 9

  23. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & DiffInv(" v ≥ 0 ") & Arithmetic & Close ) 9

  24. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ⇐ Prop & Loop(" v ≥ 0 ")<(QE,QE, ⇐ SymbolicExecution & DiffInv(" v ≥ 0 ") & Arithmetic & Close ) 9

  25. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(" v ≥ 0 ")<(QE,QE, SymbolicExecution & ⇐ DiffInv(DIGen) & Arithmetic & Close ) 9

  26. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & ⇐ Loop(LoopInvGen)<(QE,QE & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close ) 9

  27. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(LoopInvGen)<(QE,QE & SymbolicExecution & DiffInv(DIGen) & ⇐ Arithmetic & Close ) 9

  28. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(LoopInvGen) <(QE,QE & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close ) 9

  29. Applications and Uses ◮ Education: Foundations of CPS Course at CMU ◮ ACAS X ◮ ModelPlex 10

  30. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . 11

  31. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . ◮ Subtle modeling mistakes are easy Vacuous models: [? H ] P , [ x ′ = θ ∧ H ] P , . . . Non-implementable models . . . 11

  32. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . ◮ Subtle modeling mistakes are easy Vacuous models: [? H ] P , [ x ′ = θ ∧ H ] P , . . . Non-implementable models . . . ◮ Abrupt transitions as models become more difficult ◮ From automated proving to interactive proving ◮ From web UI to custom tactics 11

  33. Challenge 2: Large Proofs are Difficult and Fragile ACAS X ◮ Existing implementation: MDP ⇒ large lookup table. ◮ Idea: Verify model, compare to outputs. ◮ Possible! But painful. 12

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel University of Oldenburg, Department of Computing Science, Germany International Joint Conference on Automated Reasoning, Sydney 2008 Andr e Platzer,

533 views • 25 slides
Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon Bohrer, Andr Platzer Carnegie Mellon University Cyber-Physical Systems Cyber-Physical Systems combine computation and control. Hybrid Systems

964 views • 68 slides
Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the user-KeYmaera experience implement convenience features in KeYmaera reduce the amount of clicking Changes from initial idea moved over

291 views • 14 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon University September 13, 2016 Dagstuhl, Germany Robustness A system is robust if it operates correctly despite: Disturbances in actuation

516 views • 28 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf 2017 August 11, 2017 Examples: https://nfulton.org/marktoberdorf.zip Slides: https://nfulton.org/slides/marktoberdorf.pdf 1 Motivation KeYmaera

775 views • 46 slides
Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 40

2.07k views • 171 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides
Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a theorem? Statement proven based on basis of previously established statements Premise: If I attend UofT, I am a student Premise: I attend

375 views • 25 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem proving problems premise selection deep learning for theorem proving state estimation Today automated reasoning learning in classical ATPs

1.18k views • 97 slides
Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22, 2017 Nathan Fulton Other System Contributors: Stefan Mitsch, Andr Platzer, Brandon Bohrer, Yong Kiam Tan, Jan-David Quesel, ... Trustworthy

932 views • 57 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving Computer used to automate reasoning in a logic Traditionally part of artificial intelligence (not machine learning) Field of research since the

1.25k views • 101 slides
Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for general theorem proving Set theory vs. higher-order logic Herbrand-based approaches

475 views • 18 slides
Objects and Graphics Rose-Hulman Institute of Technology Computer Science and Software

Objects and Graphics Rose-Hulman Institute of Technology Computer Science and Software

Objects and Graphics Rose-Hulman Institute of Technology Computer Science and Software Engineering Check out 05-ObjectsAndGraphics from SVN. Get help if youre stuck. Outline The object of objects Graphics Creating and using

270 views • 15 slides
Introduction to Data Analysis and Graphics with R - Session 1 Federico Vegetti University of

Introduction to Data Analysis and Graphics with R - Session 1 Federico Vegetti University of

Introduction to Data Analysis and Graphics with R - Session 1 Federico Vegetti University of Mannheim fede.vegetti@gmail.com September 4, 2012 Federico Vegetti University of Mannheim Introduction to Data Analysis and Graphics with R Goals

439 views • 14 slides
Scroll, Tilt or Move It Using Mobile Phones to Continuously Control Pointers on Large Public

Scroll, Tilt or Move It Using Mobile Phones to Continuously Control Pointers on Large Public

Scroll, Tilt or Move It Using Mobile Phones to Continuously Control Pointers on Large Public Displays Sebastian Boring 1 , Marko Jurmu 2 , Andreas Butz 1 1 University of Munich, Germany 2 University of Oulu, Finland motivation motivation how to

460 views • 30 slides
Todays lecture Human Factors for Input ! Input devices Devices ! Restrict attention to

Todays lecture Human Factors for Input ! Input devices Devices ! Restrict attention to

Todays lecture Human Factors for Input ! Input devices Devices ! Restrict attention to mechanical input devices ! Mice ! Keyboards ! Pens CSE 510 ! What are issues relating to input? Richard Anderson ! How do you evaluate different devices?

173 views • 5 slides
Computer Graphics Course 2006 Arcball user interface Arcball user interface When viewing a

Computer Graphics Course 2006 Arcball user interface Arcball user interface When viewing a

Computer Graphics Course 2006 Arcball user interface Arcball user interface When viewing a 3D model on the computer screen, often we would like to view it from a different side. How can we create an intuitive user interface for that

455 views • 8 slides
Computer Graphics (CS 543) Lecture 2 (Part 1): Shader Setup &amp; GLSL Introduction Prof Emmanuel

Computer Graphics (CS 543) Lecture 2 (Part 1): Shader Setup &amp; GLSL Introduction Prof Emmanuel

Computer Graphics (CS 543) Lecture 2 (Part 1): Shader Setup &amp; GLSL Introduction Prof Emmanuel Agu Computer Science Dept. Worcester Polytechnic Institute (WPI) Menus Adding menu that pops up on mouse click Create menu using

953 views • 34 slides
Affordances SWEN-444 What is an Affordance? To afford means to offer, yield, provide,

Affordances SWEN-444 What is an Affordance? To afford means to offer, yield, provide,

Affordances SWEN-444 What is an Affordance? To afford means to offer, yield, provide, give, furnish, help, or aid Psychologist James Gibson, Theory of Affordances, 1977 article Affordances in UX Design UX design must consider

623 views • 22 slides
13 A: External Algorithms II; Disjoint Sets; Java API Support CS1102S: Data Structures and

13 A: External Algorithms II; Disjoint Sets; Java API Support CS1102S: Data Structures and

External Sorting Disjoint Sets Java API Support for Data Structures Puzzlers 13 A: External Algorithms II; Disjoint Sets; Java API Support CS1102S: Data Structures and Algorithms Martin Henz April 15, 2009 Generated on Friday 17 th April,

706 views • 41 slides

More recommend