Quantified Differential Dynamic Logic for Distributed Hybrid - - PowerPoint PPT Presentation

Quantified Differential Dynamic Logic for Distributed Hybrid Systems

Andr´ e Platzer

Carnegie Mellon University, Pittsburgh, PA

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 1 / 16

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Deduction Modulo with Free Variables & Skolemization Actual Existence and Creation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 1 / 16

Complex Physical Systems:

Q: I want to verify my car

Challenge

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems

Challenge (Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions)

1 2 3 4 t 2 1 1 2 a 1 2 3 4 t 0.5 1.0 1.5 2.0 2.5 3.0 v 1 2 3 4 t 1 2 3 4 5 6 z

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems Q: But there’s a lot of cars!

Challenge (Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions)

1 2 3 4 t 2 1 1 2 a 1 2 3 4 t 0.5 1.0 1.5 2.0 2.5 3.0 v 1 2 3 4 t 1 2 3 4 5 6 z

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 2 / 16

Complex Physical Systems:

Q: I want to verify a lot of cars

Challenge

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems

Challenge (Distributed Systems)

Local computation (finite state automaton) Remote communication (network graph)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems Q: But they move!

Challenge (Distributed Systems)

Local computation (finite state automaton) Remote communication (network graph)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 3 / 16

Complex Physical Systems:

Q: I want to verify lots of moving cars

Challenge

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication) Dimensional dynamics (appearance)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems Q: How?

Challenge (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (remote communication) Dimensional dynamics (appearance)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 4 / 16

State of the Art:

Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

State of the Art: Modeling and Simulation

Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

State of the Art: Modeling and Simulation

No formal verification of distributed hybrid systems Shift [DGV96] The Hybrid System Simulation Programming Language R-Charon [KSPL06] Modeling Language for Reconfigurable Hybrid Systems Hybrid CSP [CJR95] Semantics in Extended Duration Calculus HyPA [CR05] Translate fragment into normal form. χ process algebra [vBMR+06] Simulation, translation of fragments to PHAVER, UPPAAL Φ-calculus [Rou04] Semantics in rich set theory ACPsrt

hs [BM05] Modeling language

proposal OBSHS [MS06] Partial random simulation of objects

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 5 / 16

Contributions

1 System model and semantics for distributed hybrid systems: QHP 2 Specification and verification logic: QdL 3 Proof calculus for QdL 4 First verification approach for distributed hybrid systems 5 Sound and complete axiomatization relative to differential equations 6 Prove collision freedom in a (simple) distributed car control system,

where new cars may appear dynamically on the road

7 Logical foundation for analysis of distributed hybrid systems 8 Fundamental extension: first-order x(i) versus primitive x Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Deduction Modulo with Free Variables & Skolemization Actual Existence and Creation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Outline (Conceptual Approach)

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Deduction Modulo with Free Variables & Skolemization Actual Existence and Creation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 6 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) Discrete dynamics (control decisions) Structural dynamics (communication/coupling)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′′ = a Discrete dynamics (control decisions) Structural dynamics (communication/coupling)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′′ = a Discrete dynamics (control decisions) a := if .. then A else −b Structural dynamics (communication/coupling)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′′ = a Discrete dynamics (control decisions) a := if .. then A else −b Structural dynamics (communication/coupling)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x′′ = a Discrete dynamics (control decisions) a := if .. then A else −b Structural dynamics (communication/coupling)

(4) (4) (3) (3) (2) (2) (1) (1)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) x(i)′′ = a(i) Discrete dynamics (control decisions) a(i) := if .. then A else −b Structural dynamics (communication/coupling)

(4) (4) (3) (3) (2) (2) (1) (1)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′′ = a(i) Discrete dynamics (control decisions) ∀i a(i) := if .. then A else −b Structural dynamics (communication/coupling)

(4) (4) (3) (3) (2) (2) (1) (1)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′′ = a(i) Discrete dynamics (control decisions) ∀i a(i) := if .. then A else −b Structural dynamics (communication/coupling) ℓ(i) := carInFrontOf(i)

(4) (4) (3) (3) (2) (2) (1) (1)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′′ = a(i) Discrete dynamics (control decisions) ∀i a(i) := if .. then A else −b Structural dynamics (communication/coupling) ℓ(i) := carInFrontOf(i) Dimensional dynamics (appearance)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)

Continuous dynamics (differential equations) ∀i x(i)′′ = a(i) Discrete dynamics (control decisions) ∀i a(i) := if .. then A else −b Structural dynamics (communication/coupling) ℓ(i) := carInFrontOf(i) Dimensional dynamics (appearance) n := new Car

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE) ∀i : C x(s) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE) ∀i : C x(s) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DCCS ≡ (ctrl ; drive)∗ ctrl ≡ ∀i : C a(i) := if ∀j : C far(i, j) then A else −b drive ≡ ∀i : C x(i)′′ = a(i)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE) ∀i : C x(s) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DCCS ≡ (appear ; ctrl ; drive)∗ appear ≡ n := new C; ?(∀j : C far(j, n)) ctrl ≡ ∀i : C a(i) := if ∀j : C far(i, j) then A else −b drive ≡ ∀i : C x(i)′′ = a(i)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE) ∀i : C x(s) := θ (quantified assignment)

• jump & test

?χ (conditional execution) α; β (seq. composition)

• Kleene algebra

α ∪ β (nondet. choice) α∗ (nondet. repetition) DCCS ≡ (appear ; ctrl ; drive)∗ appear ≡ n := new C; ?(∀j : C far(j, n)) ctrl ≡ ∀i : C a(i) := if ∀j : C far(i, j) then A else −b drive ≡ ∀i : C x(i)′′ = a(i) new C is definable!

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Syntax

Definition (QdL Formula φ)

¬, ∧, ∨, →, ∀x , ∃x , =, ≤, +, · (R-first-order part) [α]φ, αφ (dynamic part) ∀i, j : C far(i, j) → [(appear ; ctrl ; drive)∗] ∀i=j : C x(i) = x(j) far(i, j) ≡ i = j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j) ∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 8 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w ∀i : C x(s) := θ

Details

t x v w if w(x)(ve

i [

[s] ]) = ve

i [

[θ] ] (for all e) and otherwise unchanged

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w ∀i : C x(s)′ = θ

Details

t x w v ϕ(t) ∀i x(s)′ = θ d ϕ(t)e

i [

[x(s)] ] dt (ζ) = ϕ(ζ)e

i [

[θ] ] (for all e)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w α; β α β

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w α; β α β

Details

t x s v w

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s w α; β α β

Details

t x s v w

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s1 s2 sn w α∗ α α α

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v s1 s2 sn w α∗ α α α

Details

t x v w

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w1 w2 α β α ∪ β

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w1 w2 α β α ∪ β

Details

t x v w1 w2

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v ?χ if v | = χ

Details

t x v no change if v | = χ

• therwise no transition

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v if v | = χ

Details

t x v no change if v | = χ

• therwise no transition

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 9 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v [α]φ φ φ φ

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v αφ φ

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span [α]φ

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span [α]φ βφ β-span

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span [α]φ βφ β-span β[α]-span

Details Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Quantified Differential Dynamic Logic QdL: Semantics

Definition (QdL Formula φ)

v α-span [α]φ βφ β-span β[α]-span

Details

compositional semantics ⇒ compositional calculus!

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Outline (Verification Approach)

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Deduction Modulo with Free Variables & Skolemization Actual Existence and Creation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 10 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then ∀i (s = u → φ(θ)) else φ(x(u)) φ([∀i x(s) := θ

• ]x(u))

v w ∀i x(s) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then ∀i (s = u → φ(θ)) else φ(x(u)) φ([∀i x(s) := θ

• ]x(u))

v w ∀i x(s) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then ∀i (s = u → φ(θ)) else φ(x(u)) φ([∀i x(s) := θ

• ]x(u))

v w ∀i x(s) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then ∀i (s = u → φ(θ)) else φ(x(u)) φ([∀i x(s) := θ

• ]x(u))

v w ∀i x(s) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then ∀i (s = [A]u → φ(θ)) else φ(x([A]u)) φ([∀i x(s) := θ

• A

]x(u)) v w ∀i x(s) := θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then ∀i (s = [A]u → φ(θ)) else φ(x([A]u)) φ([∀i x(s) := θ

• A

]x(u)) v w ∀i x(s) := θ φ ∃t≥0 ∀i S(t)φ ∀i x(s)′ = θφ v w ∀i x(s)′ = θ φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = [A]u then ∀i (s = [A]u → φ(θ)) else φ(x([A]u)) φ([∀i x(s) := θ

• A

]x(u)) v w ∀i x(s) := θ φ ∃t≥0 ∀i S(t)φ ∀i x(s)′ = θφ v w ∀i x(s)′ = θ φ ∀i S(t)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 11 / 16

Proof Calculus for Quantified Differential Dynamic Logic

compositional semantics ⇒ compositional rules!

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Proof Calculus for Quantified Differential Dynamic Logic

[α]φ ∧ [β]φ [α ∪ β]φ v w1 w2 α φ β φ α ∪ β [α][β]φ [α; β]φ v s w α; β [α][β]φ α [β]φ β φ φ (φ → [α]φ) [α∗]φ v w α∗ φ α φ → [α]φ α α φ

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 12 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →∀j=k ∀s≥0(− b

2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x( ∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →∀j=k QE∀s≥0(− b

2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x( ∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀i=j x(i)=x(j) →∀j=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀X, Y , V , W (X=Y → X≤Y ∧V ≤W ∨ X≥Y ∧V ≥W ) ∀i=j x(i)=x(j) →∀j=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Deduction Modulo with Free Variables & Skolemization

∀X, Y , V , W (X=Y → X≤Y ∧V ≤W ∨ X≥Y ∧V ≥W ) ∀i=j x(i)=x(j) →∀j=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))

∀i=j x(i)=x(j),s≥0 →∀j=k (− b 2s2 + v(j)s + x(j) = − b 2s2 + v(k)s + x(k)) ∀i=j x(i)=x(j),s≥0 →[∀i x(i) := − b 2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →s≥0 → [∀i x(i) := − b

2s2 + v(i)s + x(i)] ∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →∀t≥0 [∀i x(i) := − b

2t2 + v(i)t + x(i)]∀j=k x(j)=x(k)

∀i=j x(i)=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j=k x(j)=x(k) ∀i=j x(i)=x(j) → [∀i x(i)′′ = −b] ∀j=k x(j)=x(k)

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 13 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects [n := new C]φ

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects [(∀j : C n := j); ]φ [n := new C]φ

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects [(∀j : C n := j); ?( ∃ (n) = 0); ]φ [n := new C]φ

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects [(∀j : C n := j); ?( ∃ (n) = 0); ∃ (n) := 1]φ [n := new C]φ

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Actual Existence and Creation

Actual Existence Function ∃ (·)

∃ (i) =

• if i denotes a possible object

1 if i denotes an actively existing objects [(∀j : C n := j); ?( ∃ (n) = 0); ∃ (n) := 1]φ [n := new C]φ ∀i : C! φ ≡ ∀i : C ( ∃ (i) = 1 → φ) ∀i : C! f (s) := θ ≡ ∀i : C f (s) := (if ∃ (i) = 1 then θ else f (s)) ∀i : C! f (s)′ = θ ≡ ∀i : C f (s)′ = ∃ (i)θ

( ) ( ) (2) (2) (1) (1) (3) (3) (4) (4)

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 14 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p. Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybrid systems relative to quantified differential equations.

Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Outline

1

Motivation

2

Quantified Differential Dynamic Logic QdL Design Syntax Semantics

3

Proof Calculus for Distributed Hybrid Systems Compositional Verification Calculus Deduction Modulo with Free Variables & Skolemization Actual Existence and Creation Soundness and Completeness

4

Conclusions

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 15 / 16

Conclusions

quantified differential dynamic logic

QdL = FOL + DL + QHP [α]φ φ α Distributed hybrid systems everywhere System model and semantics Logic for distributed hybrid systems Compositional proof calculus First verification approach Sound & complete / diff. eqn. Simple distributed car control verified

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / 16

Conclusions

quantified differential dynamic logic

QdL = FOL + DL + QHP [α]φ φ α Distributed hybrid systems everywhere System model and semantics Logic for distributed hybrid systems Compositional proof calculus First verification approach Sound & complete / diff. eqn. Simple distributed car control verified

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / 16

Jan A. Bergstra and C. A. Middelburg. Process algebra for hybrid systems.

• Theor. Comput. Sci., 335(2-3):215–280, 2005.

Zhou Chaochen, Wang Ji, and Anders P. Ravn. A formal description of hybrid systems. In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag, editors, Hybrid Systems, volume 1066 of LNCS, pages 511–530. Springer, 1995. Pieter J. L. Cuijpers and Michel A. Reniers. Hybrid process algebra.

• J. Log. Algebr. Program., 62(2):191–245, 2005.

Akash Deshpande, Aleks G¨

• ll¨

u, and Pravin Varaiya. SHIFT: A formalism and a programming language for dynamic networks of hybrid automata. In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry, editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133. Springer, 1996.

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A

Jo˜ ao P. Hespanha and Ashish Tiwari, editors. Hybrid Systems: Computation and Control, 9th International Workshop, HSCC 2006, Santa Barbara, CA, USA, March 29-31, 2006, Proceedings, volume 3927 of LNCS. Springer, 2006. Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee. R-Charon, a modeling language for reconfigurable hybrid systems. In Hespanha and Tiwari [HT06], pages 392–406. Jos´ e Meseguer and Raman Sharykin. Specification and analysis of distributed object-based stochastic hybrid systems. In Hespanha and Tiwari [HT06], pages 460–475. Andr´ e Platzer. Quantified differential dynamic logic for distributed hybrid systems. In Anuj Dawar and Helmut Veith, editors, CSL, volume 6247 of LNCS, pages 469–483. Springer, 2010. Andr´ e Platzer.

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A

A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Logical Methods in Computer Science, 2012. Special issue for selected papers from CSL’10. William C. Rounds. A spatial logic for the hybrid π-calculus. In Rajeev Alur and George J. Pappas, editors, HSCC, volume 2993 of LNCS, pages 508–522. Springer, 2004.

• D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, and

Ramon R. H. Schiffelers. Syntax and consistent equation semantics of hybrid Chi.

• J. Log. Algebr. Program., 68(1-2):129–210, 2006.

Andr´ e Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A