logical foundations of cyber physical systems
play

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

May 19, 2023 •250 likes •1.45k views

07: Control Loops & Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 1 / 16

  1. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  2. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  3. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  4. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 correct loop invariant 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  5. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  6. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  7. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  8. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 Unsound! Be careful where your assumptions go, or your CPS might go where it shouldn’t. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  9. Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  10. Proving Quantum the Acrophobic Bouncing Ball � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  11. Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  12. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  13. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  14. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  15. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  16. Proving Quantum the Acrophobic Bouncing Ball ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  17. Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  18. Proving Quantum the Acrophobic Bouncing Ball [?] , → R j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  19. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  20. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] [?] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  21. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] [?] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  22. Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ [ grav ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  23. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  24. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  25. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  26. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  27. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  28. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  29. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  30. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  31. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  32. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  33. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  34. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  35. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  36. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  37. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  38. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  39. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  40. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  41. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  42. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  43. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  44. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  45. Proving Quantum the Acrophobic Bouncing Ball [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  46. Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  47. Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  48. Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  49. Proving Quantum the Acrophobic Bouncing Ball ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  50. Proving Quantum the Acrophobic Bouncing Ball → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  51. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  52. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  53. Proving Quantum the Acrophobic Bouncing Ball 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  54. Proving Quantum the Acrophobic Bouncing Ball ∗ R 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  55. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  56. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  57. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  58. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! Todo redo proof with true solution Never use solutions without proof! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  59. Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  60. Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  61. Clumsy Quantum Misplaced the Constants ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  62. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q above j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) V j ( x , v ) ∧ p ⊢ [ α ] p ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  63. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  64. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 Note: constants c = 1 ∧ g > 0 that never change are usually elided from J André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  65. Quantum the Provably Safe Bouncing Ball Proposition (Quantum can bounce around safely) 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 = c → { x ′ = v , v ′ = − g & x ≥ 0 } ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) � ∗ ]( 0 ≤ x ∧ x ≤ H ) � [ requires ( 0 ≤ x ∧ x = H ∧ v = 0 ) requires ( g > 0 ∧ 1 = c ) ensures ( 0 ≤ x ∧ x ≤ H ) { x ′ = v , v ′ = − g & x ≥ 0 } ; � � ∗ @invariant ( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) (? x = 0 ; v := − cv ∪ ? x � = 0 )) Invariant Contracts Invariants play a crucial rôle in CPS design. Capture them if you can. Use @invariant () contracts in your hybrid programs. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

  66. Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

  67. Invariants The lion’s share of understanding comes from understanding what does change (variants/progress measures) and what doesn’t change (invariants). Invariants are a fundamental force of CS Variants are another fundamental force of CS André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 15 / 16

  68. Summary: Loops, Generalizations, Splittings I [ α ∗ ] P ↔ P ∧ [ α ∗ ]( P → [ α ] P ) P G [ α ] P P → Q M [ · ] [ α ] P → [ α ] Q loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ MR Γ ⊢ [ α ] Q , ∆ Q ⊢ P Γ ⊢ [ α ] P , ∆ [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

  69. Outline Appendix 5 Iteration Axiom Iterations & Splitting the Box Iteration & Generalizations André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

  70. Iteration Axiom compositional semantics ⇒ compositional rules! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 17 / 16

  71. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  72. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  73. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  74. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P � B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) � A ⊢ B ∧ [ α ] [ ∗ ] A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma December 10, 2018 1 / 10 Goal Develop a focused version of Differential Dynamic Logic(d L ) [3], with the intent that it serve as a basis for

260 views • 10 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

06: Truth &amp; Proof Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06: Truth &amp; Proof LFCPS/06 1 / 23 Outline Learning Objectives

1.77k views • 145 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

09: Reactions &amp; Delays Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09: Reactions &amp; Delays LFCPS/09 1 / 17 Outline Learning

799 views • 59 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

08: Events &amp; Responses Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08: Events &amp; Responses LFCPS/08 1 / 20 Outline Learning

719 views • 56 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

04: Safety &amp; Contracts Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04: Safety &amp; Contracts LFCPS/04 1 / 16 Outline Learning

1.12k views • 80 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems 01: Cyber-Physical Systems: Overview Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01: Overview LFCPS/01 1 / 28 Outline CPS:

934 views • 49 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

21: Virtual Substitution &amp; Real Arithmetic Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21: Virtual Substitution &amp; Real

865 views • 84 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

13: Differential Invariants &amp; Proof Theory Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13: Differential Invariants &amp; Proof

1.53k views • 127 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

14: Hybrid Systems &amp; Games Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14: Hybrid Systems &amp; Games LFCPS/14 1 / 24 Outline

1.07k views • 102 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

10: Differential Equations &amp; Differential Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10: Differential Equations &amp;

1.02k views • 86 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

20: Virtual Substitution &amp; Real Equations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20: Virtual Substitution &amp; Real Equations

3.49k views • 114 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

17: Game Proofs &amp; Separations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17: Game Proofs &amp; Separations LFCPS/17 1 / 25

1.26k views • 96 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

02: Differential Equations &amp; Domains Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02: Differential Equations &amp; Domains LFCPS/02

788 views • 78 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

11: Differential Equations &amp; Proofs Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11: Differential Equations &amp; Proofs LFCPS/11

1.49k views • 111 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

15: Winning Strategies &amp; Regions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15: Winning Strategies &amp; Regions LFCPS/15 1 / 23

1.02k views • 101 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

18: Axioms &amp; Uniform Substitutions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18: Axioms &amp; Uniform Substitutions LFCPS/18 1

1.96k views • 170 slides
Optimal Estimation of Matching Constraints 1 Motivation &amp; general approach 2 Parametrization

Optimal Estimation of Matching Constraints 1 Motivation &amp; general approach 2 Parametrization

Optimal Estimation of Matching Constraints 1 Motivation &amp; general approach 2 Parametrization of matching constraints 3 Direct vs. reduced fitting 4 Numerical methods 5 Robustification 6 Summary Why Study Matching Constraint Estimation? :

392 views • 35 slides
Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone Create gorgeous panoramic photos on your iPhone - Cult of Mac Raises the bar on iPhone panoramas - TUAW Magically combines the

414 views • 24 slides
Chapter 8 Shape representation and description 8.1 Matching 2 8.1 Matching we wish to

Chapter 8 Shape representation and description 8.1 Matching 2 8.1 Matching we wish to

Chapter 8 Shape representation and description 8.1 Matching 2 8.1 Matching we wish to match some model to the data At simplest, known binary patterns representing characters of a font may be sought in properly aligned scans of

406 views • 27 slides
6.869 Advances in Computer Vision Prof. Bill Freeman March 1, 2005 1 2 Local Features Today

6.869 Advances in Computer Vision Prof. Bill Freeman March 1, 2005 1 2 Local Features Today

6.869 Advances in Computer Vision Prof. Bill Freeman March 1, 2005 1 2 Local Features Today Matching points across images important for: Interesting points, correspondence. object identification (instance recognition) object (class)

167 views • 13 slides
Adaptive delayed feedback control to stabilize in-phase synchronization in complex oscillator

Adaptive delayed feedback control to stabilize in-phase synchronization in complex oscillator

Adaptive delayed feedback control to stabilize in-phase synchronization in complex oscillator networks Viktor Novienko September 2019, Rostock Synchronous behavior can be desirable or harmful. Power grids Parkinsons disease, essential

631 views • 33 slides
Phase and Frequency detection Detection of sinusoidal signal characteristics Phase

Phase and Frequency detection Detection of sinusoidal signal characteristics Phase

Phase and Frequency detection Detection of sinusoidal signal characteristics Phase Frequency Usually involves some type of feedback. Typically use a local oscillator (DDS) for a comparison. The Analogy PLL The digital World

374 views • 26 slides
Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of British Columbia November 6th 2018 Peng &amp; Greenstreet (UBC) Smtlink 2.0 ACL2 Workshop 2018 1 / 21 Why Smtlink 2.0? 1 A Simple Ring Oscillator

419 views • 27 slides
A Coupled Oscillators-based Control Architecture for Locomotory Gaits Presented at the

A Coupled Oscillators-based Control Architecture for Locomotory Gaits Presented at the

A Coupled Oscillators-based Control Architecture for Locomotory Gaits Presented at the Conference on Decision and Control Los Angeles, CA December 15-17, 2014 Amirhossein Taghvaei Joint work with: S. A. Hutchinson, and P. G. Mehta Dept. of

788 views • 68 slides

More recommend