Pegasus: a framework for sound continuous invariant generation - - PowerPoint PPT Presentation



SLIDE 1

Pegasus: a framework for sound continuous invariant generation

Andrew Sogokon (2,1), Stefan Mitsch (1), Yong Kiam Tan (1), Katherine Cordwell (1), and André Platzer (1)

(1) Carnegie Mellon University, USA; (2) University of Southampton, UK

FM 2019, 3rd World Congress on Formal Methods, Porto October 20, 2019

SLIDE 3

Introduction

What this talk is about

Theorem proving in cyber-physical systems (CPS). Why? Fully rigorous proofs of correctness. Important for safety-critical embedded systems.

Problem: Theorem proving in CPS is not fully automatic. Safety verification relies on finding the right invariants.

, Pegasus: a framework for sound continuous invariant generation 1/24

SLIDE 5

Invariants in verification

invariant

inductive invariant

SLIDE 7

Continuous invariants

ODEs:

◮ x′ = f(x)
◮ x ∈ Rⁿ
◮ Init ⊆ Rⁿ

SLIDE 11

Checking continuous invariants

Checking whether a formula defines a continuous (inductive) invariant is decidable (Liu, Zhan & Zhao, EMSOFT 2011).

LZZ procedure: (formula, ODE) ↦ yes/no

A complete axiomatization of continuous invariants in differential dynamic logic dL (Platzer & Tan, LICS 2018).

dL prover (KeYmaera X): (formula, ODE) ↦ formal proof of invariance

SLIDE 12

Handling decidable problems

Design choices in proof assistants prover assistant decision procedure yes/no goal

Using external oracles

prover assistant tactics axioms ⊢ goal goal

Formal proof using tactics

SLIDE 14

Handling invariants

Design choices in proof assistants:

“PVS-style”: the prover assistant hands the goal to the LZZ procedure, which answers yes/no.

Less soundness-critical code

LCF-style (KeYmaera X): the assistant applies dL tactics to derive ⊢ goal from the dL axioms.

SLIDE 18

Generating continuous invariants

Excellent progress made this decade on the invariant checking problem:

  {inv} ODE {inv}   (in dL: inv → [ODE] inv)

The invariant generation problem is much more difficult:

  {pre} ODE {post}   (in dL: pre → [ODE] post)

Reducing the safety problem to an invariant:

  pre → inv    inv → [ODE] inv    inv → post
  ──────────────────────────────────────────
               pre → [ODE] post

Practical bottleneck for proof automation.

SLIDE 22

Generating continuous invariants

In theory, we can search for invariants using template formulas:

  a₀ + a₁x + a₂y + a₃x² + a₄xy + a₅y² < 0 ∧ b₀ + b₁x + b₂y ≥ 0

Searching for the coefficients using algorithms from real algebraic geometry (e.g. CAD).

∗ However, this is hardly practical: doubly-exponential time complexity in the number of variables (here the number of coefficients). More practical alternatives are needed.

SLIDE 24

Generating continuous invariants

More practical methods for invariant generation exist. These are

◮ more specialized,
◮ incomplete,
◮ have different strengths and limitations,
◮ create a wide spectrum for what can be tried.

Challenge:

◮ build a system for navigating this spectrum,
◮ use it to improve proof automation in KeYmaera X.

SLIDE 25

Continuous invariant generator

Pegasus is an automatic continuous invariant generator.

Pegasus: {pre} ODE {post} ↦ continuous invariant (hopefully)

http://pegasus.keymaeraX.org

As of version 1.0, Pegasus (implemented in Wolfram Language) has

◮ a simple continuous safety verification problem classifier,
◮ implementation of invariant generation methods,
◮ a strategy for combining invariant generation methods,
◮ proof hints for KeYmaera X.

SLIDE 26

Sound integration architecture

SLIDE 27

Discrete abstraction

Partition Rⁿ into discrete states S1, . . . , Sk defined by some predicates. Compute the discrete transition relation.

SLIDE 28

Qualitative analysis

In essence: discrete abstraction using information in the problem. Some sources of predicates:

◮ right-hand sides of ODEs, their factors, etc.
◮ functions defining the pre/postcondition
◮ physically meaningful quantities (e.g. divergence of the vector field)

SLIDE 30

First integrals and Darboux polynomials

Conserved quantities in the continuous system: functions p such that p′ = 0 (i.e. the rate of change of p w.r.t. f is 0). Searching for polynomial first integrals (of bounded degree) can be done using linear algebra.

Darboux polynomials: p′ = αp, where α is a polynomial.
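The following Python is an added example, not Pegasus's own code (Pegasus is written in Wolfram Language). It shows, in exact rational arithmetic, the two checks the slides above rely on: the Lie derivative p′ of a polynomial along x′ = f(x), from which the first-integral test (p′ = 0) and the Darboux test (p′ = αp) follow directly, and the bounded-degree search for polynomial first integrals by linear algebra (a nullspace computation over the monomial basis). The ODEs `HARMONIC` (x′ = y, y′ = −x) and `LOTKA_VOLTERRA` (x′ = x(1 − y), y′ = y(x − 1)) and all function names are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations_with_replacement

# Added example, not Pegasus code. A polynomial in n variables is a dict mapping an
# exponent tuple (e_1, ..., e_n) to a Fraction coefficient; {} is the zero polynomial.

def poly(*terms):
    """Build a polynomial from (coefficient, exponent-tuple) pairs."""
    return {m: Fraction(c) for c, m in terms if c != 0}

def p_add(a, b):
    r = dict(a)
    for m, c in b.items():
        r[m] = r.get(m, Fraction(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def p_mul(a, b):
    r = {}
    for m1, c1 in a.items():
        for m2, c2 in b.items():
            m = tuple(i + j for i, j in zip(m1, m2))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return {m: c for m, c in r.items() if c != 0}

def p_diff(a, i):
    """Partial derivative d/dx_i."""
    r = {}
    for m, c in a.items():
        if m[i] > 0:
            mm = m[:i] + (m[i] - 1,) + m[i + 1:]
            r[mm] = r.get(mm, Fraction(0)) + c * m[i]
    return {m: c for m, c in r.items() if c != 0}

def lie_derivative(p, f):
    """p' = sum_i (dp/dx_i) * f_i: the rate of change of p along x' = f(x)."""
    r = {}
    for i, fi in enumerate(f):
        r = p_add(r, p_mul(p_diff(p, i), fi))
    return r

def is_first_integral(p, f):
    """p is a first integral iff p' vanishes identically."""
    return lie_derivative(p, f) == {}

def is_darboux(p, alpha, f):
    """p is a Darboux polynomial with cofactor alpha iff p' - alpha*p vanishes identically."""
    ap = p_mul(alpha, p)
    return p_add(lie_derivative(p, f), {m: -c for m, c in ap.items()}) == {}

def monomials(n, degree):
    """All exponent tuples of total degree <= degree, lowest degree first."""
    out = []
    for d in range(degree + 1):
        for combo in combinations_with_replacement(range(n), d):
            e = [0] * n
            for v in combo:
                e[v] += 1
            out.append(tuple(e))
    return out

def nullspace(rows, ncols):
    """Basis of {c : M c = 0} for the rational matrix M given as a list of rows."""
    m = [list(r) for r in rows]
    pivots, row = [], 0
    for col in range(ncols):
        piv = next((r for r in range(row, len(m)) if m[r][col] != 0), None)
        if piv is None:
            continue                      # free column
        m[row], m[piv] = m[piv], m[row]
        inv = 1 / m[row][col]
        m[row] = [x * inv for x in m[row]]
        for r in range(len(m)):
            if r != row and m[r][col] != 0:
                k = m[r][col]
                m[r] = [x - k * y for x, y in zip(m[r], m[row])]
        pivots.append(col)
        row += 1
        if row == len(m):
            break
    basis = []
    for fcol in (c for c in range(ncols) if c not in pivots):
        v = [Fraction(0)] * ncols
        v[fcol] = Fraction(1)
        for r, pcol in enumerate(pivots):
            v[pcol] = -m[r][fcol]
        basis.append(v)
    return basis

def first_integrals(f, degree):
    """All polynomial first integrals of degree <= degree: p = sum_j c_j m_j with p' = 0.
    Since p' is linear in the c_j, requiring every monomial of p' to cancel is a
    homogeneous linear system whose nullspace is exactly the space of first integrals."""
    basis = monomials(len(f), degree)
    derivs = [lie_derivative({m: Fraction(1)}, f) for m in basis]
    target = sorted({mon for d in derivs for mon in d})
    rows = [[d.get(t, Fraction(0)) for d in derivs] for t in target]
    return [{basis[j]: c for j, c in enumerate(v) if c != 0} for v in nullspace(rows, len(basis))]

# Constructed example ODEs (variable index 0 is x, index 1 is y).
HARMONIC = [poly((1, (0, 1))), poly((-1, (1, 0)))]              # x' = y,      y' = -x
LOTKA_VOLTERRA = [poly((1, (1, 0)), (-1, (1, 1))),              # x' = x - xy
                  poly((1, (1, 1)), (-1, (0, 1)))]              # y' = xy - y

if __name__ == "__main__":
    for name, f in (("harmonic", HARMONIC), ("lotka-volterra", LOTKA_VOLTERRA)):
        print(name, "first integrals of degree <= 2:", first_integrals(f, 2))
    print("x is Darboux for Lotka-Volterra with alpha = 1 - y:",
          is_darboux(poly((1, (1, 0))), poly((1, (0, 0)), (-1, (0, 1))), LOTKA_VOLTERRA))
```

For the harmonic oscillator the degree-2 search returns the constant polynomial and x² + y², so every level set x² + y² = c is a continuous invariant and needs no further reasoning to be checked. For the Lotka-Volterra system the conserved quantity involves logarithms, so the polynomial search finds only the constant, while x and y are Darboux polynomials with cofactors 1 − y and x − 1; this is the incompleteness of individual methods that the later slides motivate combining them against.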

SLIDE 31

Barrier certificates

Main idea: find a continuous invariant p ≤ 0 using

◮ differential inequalities, e.g. p′ ≤ 0, p′ ≤ λp (λ ∈ R), and
◮ sum-of-squares decomposition (via semidefinite programming).

First described by Prajna and Jadbabaie (HSCC 2004). Generalizes to vector barrier certificates (our work, FM 2018).

SLIDE 35

Differential saturation

A strategy for combining invariant generation methods. Iteratively refine the invariant using available methods.

[Figure: plots in the (x1, x2) plane, one per refinement step, showing the invariant being refined]

◮ Refinement 1 (using a Darboux polynomial)
◮ Refinement 2 (using qualitative analysis)
◮ Refinement 3 (using a barrier certificate)

SLIDE 36

Some results

Non-linear systems

◮ 90 benchmark safety verification problems from the literature.
◮ 71 problems could be solved by the combined strategy.

[Figure: duration (sec) per problem, axis ticks at 10 and 100, for the methods BC, DP, FI, QA and DS, each in (T), (G) and (C) variants. Non-linear problems (dimension: 2D-9D, followed by 4D and 5D product systems).]

◮ A few problems were only solved by the combined strategy (no individual method succeeded by itself).

SLIDE 39

Conclusion & future outlook

The results we observe are thus far very encouraging.

◮ Many more invariant generation methods to implement.
◮ Generation strategies that work solely in tractable theories.
◮ Larger corpus of continuous verification problems needed.

Goal: to make hybrid systems theorem proving more or less automatic. The next 10 years? (“30” is struck through on the slide and replaced by “10”.)

http://pegasus.keymaeraX.org
