KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton - - PowerPoint PPT Presentation

SLIDE 1

KeYmaera X: Theorem Proving for Hybrid Systems

Nathan Fulton, Carnegie Mellon University, May 6, 2016

SLIDE 2

Milieu

Safety-critical control software is pervasive and increasingly complicated.

SLIDE 4

KeYmaera X

Small Core: increases trust, enables experimentation.

  System          LOC
  KeYmaera X        1 682
  Isabelle/Pure     8 113
  Coq              20 000
  dReal            50 000
  SpaceEx         100 000

Tactics: maintainable and readable proof automation.

GUI: a point-and-prove interface for interacting with deeply nested formulas.

SLIDE 7

Hybrid Programs

  Assign       x := θ
  Sequence     α; β
  Iteration    α∗
  Choice       α ∪ β
  Test         ?ϕ
  ODEs         {x′₁ = θ₁, …, x′ₙ = θₙ & P}

SLIDE 8

A Hybrid System Specification

vel ≥ 0 ∧ A > 0 ∧ B > 0 → [{{acc := A ∪ acc := −B}; {pos′ = vel, vel′ = acc & vel ≥ 0}}∗] vel ≥ 0

SLIDE 10

Core: Uniform Substitution

  UniformSubstitution:     φ
                         ------
                          σ(φ)

where σ performs admissible substitutions on functions, predicates, and program constants.

SLIDE 11

Core: Axioms

  Axiom "K modal modus ponens".
    [a;](p(?)->q(?)) -> (([a;]p(?)) -> ([a;]q(?)))
  End.

  Axiom "DC differential cut".
    ([c&H(?);]p(?) <-> [c&(H(?)&r(?));]p(?)) <- [c&H(?);]r(?)
  End.

  Axiom "[++] choice".
    [a ++ b]p(?) <-> ([a;]p(?) & [b;]p(?))
  End.

SLIDE 12

Tactics: Sketching and Searching

Theorem

v ≥ 0 ∧ A > 0 ∧ B > 0 → [{{a := A ∪ a := −B}; {x′ = v, v′ = a & v ≥ 0}}∗] v ≥ 0

A Prototypical Proof Outline for a ϕ → [{ctrl; plant}∗]ψ Model:

1. Propositional Reasoning
2. Identify System Loop Invariant
3. Symbolically Execute Control Program
4. Solve ODE or identify Differential Invariant(s)
5. Appeal to Decision Procedure for Real Arithmetic

SLIDE 19

Tactics: Sketching and Searching

Theorem

v ≥ 0 ∧ A > 0 ∧ B > 0 → [{{a := A ∪ a := −B}; {x′ = v, v′ = a & v ≥ 0}}∗] v ≥ 0

A Prototypical Proof Outline for a ϕ → [{ctrl; plant}∗]ψ Model, with each outline step replaced in turn by the tactic that carries it out (sketching):

  ImplyR &                              (1. Propositional Reasoning)
  Loop("v ≥ 0")<(QE, QE,                (2. Identify System Loop Invariant)
    Seq & Choice & BoxAssign &          (3. Symbolically Execute Control Program)
    DiffInv("v ≥ 0") &                  (4. Solve ODE or identify Differential Invariant(s))
    Arithmetic & Close)                 (5. Appeal to Decision Procedure for Real Arithmetic)

The same proof with the hand-written pieces replaced by search (searching): Prop for the propositional steps, SymbolicExecution for the control program, and invariant generators in place of the explicit invariants:

  Prop &
  Loop(LoopInvGen)<(QE, QE,
    SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close)
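The first three outline steps carried out on the theorem above, as an added derivation that is not from the slides, writing J for the loop invariant v ≥ 0, listing the loop rule's three premises in the order of the tactic's branches, and using the [;], [++] and [:=] axioms (the [++] choice axiom is the one quoted on the Core: Axioms slide):

```latex
\begin{align*}
&\text{after ImplyR:}\quad
  v \ge 0 \wedge A > 0 \wedge B > 0 \;\vdash\; [\{\mathit{ctrl};\mathit{plant}\}^*]\, v \ge 0 \\
&\text{Loop}(J),\ J \equiv v \ge 0, \text{ leaves three premises:} \\
&\qquad \text{(init)}\ \ v \ge 0 \wedge A > 0 \wedge B > 0 \vdash J \qquad
        \text{(use)}\ \ J \vdash v \ge 0 \qquad
        \text{(step)}\ \ J \vdash [\mathit{ctrl};\mathit{plant}]\, J \\
&\text{symbolic execution of the step premise:} \\
&\qquad [\mathit{ctrl};\mathit{plant}]\, J
   \;\leftrightarrow\; [a := A \cup a := -B]\,[x' = v, v' = a \,\&\, v \ge 0]\, J
   && \text{[;]} \\
&\qquad \phantom{[\mathit{ctrl};\mathit{plant}]\, J}
   \;\leftrightarrow\; [a := A]\,[x' = v, v' = a \,\&\, v \ge 0]\, J
   \;\wedge\; [a := -B]\,[x' = v, v' = a \,\&\, v \ge 0]\, J
   && \text{[++] choice} \\
&\qquad \phantom{[\mathit{ctrl};\mathit{plant}]\, J}
   \;\leftrightarrow\; [x' = v, v' = A \,\&\, v \ge 0]\, v \ge 0
   \;\wedge\; [x' = v, v' = -B \,\&\, v \ge 0]\, v \ge 0
   && \text{[:=]}
\end{align*}
```

The (init) and (use) premises are the two QE branches of the tactic; the two remaining ODE obligations are what DiffInv("v ≥ 0") & Arithmetic & Close discharge.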

SLIDE 29

Applications and Uses

◮ Education: Foundations of CPS Course at CMU
◮ ACAS X
◮ ModelPlex

SLIDE 30

Challenge 1: Steep learning curve

◮ Commonplace mathematical objects are not primitives: e, π, sin(x), cos(x), …
◮ Subtle modeling mistakes are easy
    Vacuous models: [?H]P, [x′ = θ ∧ H]P, …
    Non-implementable models …
◮ Abrupt transitions as models become more difficult
    ◮ From automated proving to interactive proving
    ◮ From web UI to custom tactics

SLIDE 33

Challenge 2: Large Proofs are Difficult and Fragile

ACAS X

◮ Existing implementation: MDP ⇒ large lookup table.
◮ Idea: verify model, compare to outputs.
◮ Possible! But painful.

SLIDE 34

Conclusion

Small Core: increases trust, enables experimentation
Tactics: prover automation and proof reuse
Extensible: new logics, proof rules, axioms
GUI: point-and-click proofs for deeply nested formulas

Developers: André Platzer, Stefan Mitsch, Nathan Fulton, Jan-David Quesel, Marcus Völp, Brandon Bohrer

Thanks: Ran Ji, Jean-Baptiste Jeannin, Sarah Loos, João Martins, Khalil Ghorbal

Download: http://keymaeraX.org