Reachability Analysis in the KeYmaera X Theorem Prover
SNR 2017 | Uppsala, Sweden | April 22, 2017
Nathan Fulton
Other System Contributors: Stefan Mitsch, André Platzer, Brandon Bohrer, Yong Kiam Tan, Jan-David Quesel, ...

Outline
  Trustworthy Foundations
  Interactive Reachability Analysis
  Demonstration
    ➢ Bellerophon language and library
    ➢ Automation and Tooling
  Conclusions & Resources
Trustworthy Foundations
KeYmaera X enables trustworthy automation for hybrid systems analysis:
  ● well-defined logical foundations,
  ● implemented in a small, trustworthy core
  ● that ensures the correctness of automation and tooling.
Trustworthy Foundations: Hybrid Programs
  a := t       assignment: a takes the value of t (a = a₀ becomes a = t); every other variable (b = b₀, c = c₀, ...) keeps its value
  a ; b        sequential composition: run a, then run b on the result
  ?P           test: if P is true, no change; if P is false, the run terminates (is discarded)
  a ∪ b        nondeterministic choice: run either a or b
  a*           nondeterministic repetition: run a zero or more times (a ... a)
  x' = f & H   differential equation: x evolves along the solution from x = F(0) to x = F(T) for any duration T, staying inside the evolution domain H
Trustworthy Foundations: Hello, World
  {
    { ?Dive ∪ r := r_p };                              /* Control: continue diving if safe, else open the parachute */
    t := 0;
    { x' = v, v' = f(v,g,r), t' = 1 & 0≤x & t≤T }      /* Plant: downward velocity determined by gravity and air resistance */
  }*
Trustworthy Foundations: Reachability Specifications
  [a]P   "after every execution of a, P"
  <a>P   "after some execution of a, P"
Trustworthy Foundations: Reachability Specifications
  (Dive & g>0 & …) → [{ {?Dive ∪ r := r_p}; {x' = v, v' = f(v,g,r) & 0≤x} }*] (x=0 → m≤v)
  If the parachuter is on the ground (x=0), their speed is safe (m ≤ v ≤ 0).
Introduction to Differential Dynamic Logic: Dynamical Axioms (and proof rules)
  [x:=t]f(x) ↔ f(t)                                   /* assignment */
  [a;b]P ↔ [a][b]P                                    /* sequential composition */
  [a ∪ b]P ↔ ([a]P & [b]P)                            /* nondeterministic choice */
  [a*]P follows from J, J→P and J→[a]J               /* loop induction with invariant J */
  [x'=f&H]P follows from H→P                         /* differential weakening */
  ...
Introduction to Differential Dynamic Logic: Trusted Core
  The KeYmaera X core consists of the axiom base (the axioms and rules listed above) and the machinery that takes a proof from those axioms to Q.E.D.

Introduction to Differential Dynamic Logic: Trustworthy Implementations
  Automated analyses, control-software verification and tooling are all built on top of the KeYmaera X core: every proof step they produce is checked by the core against the axiom base before it counts as Q.E.D.
Introduction to Differential Dynamic Logic: Prover Core Comparison
  Tool           Trusted LOC (approx.)
  KeYmaera X     1,682 (out of 100,000+ total)
  KeYmaera       65,989
  Isabelle/Pure  8,113
  Coq            20,000
  HSolver        20,000
  dReal          50,000
  SpaceEx        100,000
Interactive Reachability Analysis in KeYmaera X
KeYmaera X enables interactive verification and tool development:
  ● A standard library of common proof techniques.
  ● A combinator language/library for decomposing theorems and composing proof strategies.
Interactive Reachability Analysis in KeYmaera X: Bellerophon
  Tactic            Meaning
  prop              Applies propositional reasoning exhaustively.
  unfold            Symbolically executes discrete, loop-free programs.
  loop(J, i)        Applies the loop invariance rule with invariant J to position i.
  dI, dG, dC, dW    Reasoning principles for differential equations (differential induction, ghosts, cuts, weakening).
  (100+ tactics in the standard library)

  Combinator        Meaning
  A ; B             Execute A on the current goal, then execute B on the result.
  A | B             Try executing A on the current goal. If A fails, execute B on the current goal.
  A*                Run A until it no longer applies.
  A <(B₀, B₁, …, Bₙ)  Execute A on the current goal to create subgoals 0..N. Run Bᵢ on subgoal i.
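The combinator table above, as an added example that is not part of the original slides or of the KeYmaera X code base: a Python model of the `;`, `|`, `*` and `<(…)` combinators over a toy propositional sequent calculus. The sequent encoding, the rule tactics (andR, implyR, andL, orL, close) and the `prop` stand-in built from them are assumptions made for this illustration; program modalities are not modelled.

```python
class TacticError(Exception):
    """A tactic does not apply to the goal it was given."""


# A goal is a sequent (antecedents, succedents): two tuples of formulas.
# A formula is an atom (str) or ('&', a, b), ('|', a, b), ('->', a, b).
# A tactic maps one goal to the list of subgoals it leaves open; [] means closed.

def _pick(formulas, op):
    """First formula with top-level connective op, plus the remaining formulas."""
    for i, f in enumerate(formulas):
        if isinstance(f, tuple) and f[0] == op:
            return f, formulas[:i] + formulas[i + 1:]
    raise TacticError(f"no '{op}' formula at this position")


def and_r(goal):                      # G |- D, A&B   becomes   G |- D, A   and   G |- D, B
    ante, succ = goal
    (_, a, b), rest = _pick(succ, '&')
    return [(ante, rest + (a,)), (ante, rest + (b,))]


def imply_r(goal):                    # G |- D, A->B  becomes   G, A |- D, B
    ante, succ = goal
    (_, a, b), rest = _pick(succ, '->')
    return [(ante + (a,), rest + (b,))]


def and_l(goal):                      # G, A&B |- D   becomes   G, A, B |- D
    ante, succ = goal
    (_, a, b), rest = _pick(ante, '&')
    return [(rest + (a, b), succ)]


def or_l(goal):                       # G, A|B |- D   becomes   G, A |- D   and   G, B |- D
    ante, succ = goal
    (_, a, b), rest = _pick(ante, '|')
    return [(rest + (a,), succ), (rest + (b,), succ)]


def close(goal):                      # closes the goal when a formula appears on both sides
    ante, succ = goal
    if set(ante) & set(succ):
        return []
    raise TacticError("close: no formula on both sides")


# The four combinators from the table; each one builds a new tactic.

def seq(a, b):                        # A ; B
    def tactic(goal):
        out = []
        for sub in a(goal):
            out.extend(b(sub))
        return out
    return tactic


def alt(a, b):                        # A | B
    def tactic(goal):
        try:
            return a(goal)
        except TacticError:
            return b(goal)
    return tactic


def star(a):                          # A*
    def tactic(goal):
        pending, stuck = [goal], []
        while pending:
            g = pending.pop()
            try:
                pending.extend(a(g))  # A made progress: keep working on what it produced
            except TacticError:
                stuck.append(g)       # A no longer applies here: this goal stays open
        return stuck
    return tactic


def branch(a, *bs):                   # A <(B0, ..., BN)
    def tactic(goal):
        subs = a(goal)
        if len(subs) != len(bs):
            raise TacticError(f"expected {len(bs)} subgoals, got {len(subs)}")
        out = []
        for sub, b in zip(subs, bs):
            out.extend(b(sub))
        return out
    return tactic


# Stand-in for prop (assumption of this example): exhaust the propositional rules above.
prop = star(alt(close, alt(and_r, alt(imply_r, alt(and_l, or_l)))))


def proves(tactic, goal):
    """True when the tactic leaves no open subgoal."""
    return tactic(goal) == []


if __name__ == "__main__":
    tautology = ((), (('->', ('&', 'p', 'q'), ('&', 'q', 'p')),))   # constructed sample goal
    print("(p&q) -> (q&p) closed by prop:", proves(prop, tautology))
    goal = (('p', 'q'), (('&', 'p', 'q'),))                          # andR yields two subgoals
    print("p, q |- p&q via andR <(close, close):", proves(branch(and_r, close, close), goal))
    print("open goals of |- p -> q:", prop(((), (('->', 'p', 'q'),))))
```

`star` is where the "until it no longer applies" semantics lives: a goal on which the inner tactic raises is handed back as an open goal rather than an error, which is what lets `prop` leave the non-propositional leaves (the ODE and arithmetic questions of the parachute proof) for `loop` and `unfold` to pick up.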
Interactive Reachability Analysis in KeYmaera X: Isolating Interesting Questions
  (Dive & g>0 & …) → [{ {?Dive ∪ r := r_p}; {x'=v, v'=…} }*] (x=0 → m≤v)

prop ; loop(J, 1) turns this into three questions about the loop invariant J:
  (Dive & g>0 & …) → J                               /* loop invariant holds initially */
  J → [ {?Dive ∪ r := r_p}; {x'=v, v'=…} ] J          /* loop invariant is preserved */
  J → (x=0 → m≤v)                                    /* loop invariant implies safety */

unfold on the preservation question then symbolically executes the controller, leaving one differential-equation question per branch:
  J & Dive & r=r_a → [x'=v, v'=…] J                  /* parachute closed */
  J & r=r_p → [x'=v, v'=…] J                         /* parachute open */
Interactive Reachability Analysis in KeYmaera X: Isolating Interesting Questions
  prop ; loop(J, 1) <(
    QE,              /* real arithmetic solver */
    QE,
    unfold <(
      …              /* parachute open case */
      …              /* parachute closed case */
    )
  )
Interactive Reachability Analysis in KeYmaera X: Differential Induction
  Inductive invariants for the plant x' = v, v' = r v² - g:
    J = v > -sqrt(g/r_p) > m & …
  Parachute open case: v ≥ v₀ - g t ≥ v₀ - g T > -sqrt(g/r_p)
Interactive Reachability Analysis in KeYmaera X: Differential Induction
  DI: [x'=f&H]P follows from P and H → [x':=f]P'   (P' is the differential of P; the second premise must hold throughout H)
  Example: [v'=r_p v² - g, t'=1] v ≥ v₀ - g t
    the DI premise becomes
    [v':=r_p v² - g][t':=1] v' ≥ -g t'
    ↔ r_p v² - g ≥ -g
    ↔ r_p v² ≥ 0
    ⇐ r_p ≥ 0   (since v² ≥ 0)
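The DI computation above, as an added example that is not part of the original slides or of KeYmaera X: a small Python routine that computes the differential P' of a polynomial candidate invariant along an ODE and returns the arithmetic obligation DI leaves behind, applied to the slides' open-parachute case and to a candidate (x ≥ 0 by DI alone) that DI cannot discharge. The polynomial encoding, the variable name rp for r_p, and `syntactically_nonneg` (a deliberately weak stand-in for the QE call KeYmaera X actually makes) are assumptions of this example.

```python
from fractions import Fraction

# Polynomials over the rationals: {monomial: coefficient}.
# A monomial is a sorted tuple of (variable, exponent) pairs, exponent > 0; () is the constant term.

def const(c):
    return {(): Fraction(c)}

def var(name):
    return {((name, 1),): Fraction(1)}

def _clean(p):
    return {m: c for m, c in p.items() if c != 0}

def add(p, q):
    out = dict(p)
    for m, c in q.items():
        out[m] = out.get(m, Fraction(0)) + c
    return _clean(out)

def sub(p, q):
    return add(p, {m: -c for m, c in q.items()})

def mul(p, q):
    out = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = dict(m1)
            for x, e in m2:
                exps[x] = exps.get(x, 0) + e
            m = tuple(sorted(exps.items()))
            out[m] = out.get(m, Fraction(0)) + c1 * c2
    return _clean(out)

def partial(p, x):
    """Ordinary partial derivative dp/dx."""
    out = {}
    for m, c in p.items():
        exps = dict(m)
        e = exps.pop(x, 0)
        if e == 0:
            continue
        if e > 1:
            exps[x] = e - 1
        m2 = tuple(sorted(exps.items()))
        out[m2] = out.get(m2, Fraction(0)) + c * e
    return _clean(out)

def lie_derivative(p, ode):
    """P' along x' = f: the sum over the ODE's variables of (dp/dx) * f_x.
    This is the [x':=f]P' step of DI for polynomial P; variables without a
    differential equation (g, v0, rp) are constants and contribute nothing."""
    out = {}
    for x, fx in ode.items():
        out = add(out, mul(partial(p, x), fx))
    return out

def di_obligation(lhs, rhs, ode):
    """For the candidate invariant lhs >= rhs, return (lhs - rhs)', the polynomial
    whose nonnegativity on the evolution domain DI asks you to prove."""
    return lie_derivative(sub(lhs, rhs), ode)

def syntactically_nonneg(p, nonneg_vars=()):
    """Weak stand-in for QE (assumption of this example): p >= 0 is evident when every
    term has a nonnegative coefficient and each variable occurs with an even exponent
    or is known to be nonnegative. Sound, but far from complete."""
    for m, c in p.items():
        if c < 0:
            return False
        for x, e in m:
            if e % 2 == 1 and x not in nonneg_vars:
                return False
    return True

def parachute_obligation():
    """Slides' open-parachute case: [v' = rp v^2 - g, t' = 1] v >= v0 - g t."""
    v, t, v0, g, rp = var("v"), var("t"), var("v0"), var("g"), var("rp")
    ode = {"v": sub(mul(rp, mul(v, v)), g), "t": const(1)}
    return di_obligation(v, sub(v0, mul(g, t)), ode)       # expect rp*v^2

def altitude_obligation():
    """x >= 0 attempted directly by DI under x' = v: the differential is v, which is not
    evidently >= 0 while the skydiver falls (v < 0). The model instead keeps 0 <= x in
    the evolution domain, where dW rather than dI delivers it."""
    x, v, rp, g = var("x"), var("v"), var("rp"), var("g")
    ode = {"x": v, "v": sub(mul(rp, mul(v, v)), g)}
    return di_obligation(x, const(0), ode)                  # expect v

def show(p):
    if not p:
        return "0"
    terms = []
    for m, c in sorted(p.items()):
        mono = "*".join(x if e == 1 else f"{x}^{e}" for x, e in m)
        terms.append(f"{c}*{mono}" if mono else str(c))
    return " + ".join(terms)

if __name__ == "__main__":
    ob = parachute_obligation()
    print("DI obligation for v >= v0 - g*t:", show(ob),
          "| evident given rp >= 0:", syntactically_nonneg(ob, ("rp",)))
    ob2 = altitude_obligation()
    print("DI obligation for x >= 0:", show(ob2),
          "| evident:", syntactically_nonneg(ob2), "(use dW with 0<=x instead)")
```

The obligation for the parachute case comes out as rp*v², matching the hand derivation on the slide, and passes only once rp is assumed nonnegative; the altitude candidate shows the failure mode in which a true invariant is not differentially inductive, which is why the model carries 0≤x as an evolution domain constraint and why dC and dW sit beside dI in the tactic library.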