Verifying Hybrid Systems with Interactive Theorem Provers Jonathan - PowerPoint PPT Presentation

Verifying Hybrid Systems with Interactive Theorem Provers Jonathan Juli´ an Huerta y Munive Georg Struth University of Sheffield, UK

Algebras for Program Verification Kleene algebras ⊲ modal Kleene algebras (MKAs) ⊲ concurrent Kleene algebras ⊲ rely-guarantee algebras quantales ⊲ predicate transformer algebras ⊲ convolution algebras over partial monoids ⊲ separation algebras ⊲ incidence/interval algebras . . . and more a longstanding interest

Tools for Program Verification mathematical components for these algebras verification components using them ⊲ Hoare logics and predicate transformer calculi ⊲ incl separation logic and rely-guarantee reasoning ⊲ for program verification, transformation, refinement all with Isabelle/HOL (see Archive of Formal Proofs) compositional approach ⊲ shallow embedding of program logics ⊲ algebras used for reasoning about program equivalence/refinement ⊲ in particular for structural verification condition generation ⊲ programs analysed in concrete store semantics this talk: verification components for hybrid systems/programs

Hybrid System Verification dynamics = V ′ = r 1 − r 2 r ′ r ′ 1 = f 2 = 0 safe = θ 2 ≤ V ≤ θ 1 control = . . . r 2 := c . . . tank = (control; dynamics) ∗ hybrid program safe ≤ [tank] safe correctness spec extend tools developed to reason about such systems

Previous Work differential dynamic logic (dL) ⊲ extends PDL to hybrid programs ⊲ based on intricate sequent/substitution calculus ⊲ supported by KeYmaera X tool Isabelle components ⊲ impressive analysis stack (topology → vector spaces → ODEs) ⊲ complements our verification stack idea ⊲ MKA is algebraic sister of PDL ⊲ PDL is logic of predicate transformers ⊲ integrating two stacks might yield semantic variant of dL ⊲ development hopefully incremental wrt hybrid program store

Contributions semantic Isabelle framework for hybrid program verification ⊲ semantic/algebraic reconstruction of dL (plus differential Hoare logic/refinement calculus) ⊲ based on shallow embeddings ⊲ only few additional rules for evolution commands ⊲ supports natural reasoning about continuous dynamics three workflows supported 1. solve ODEs and certify solutions 2. reason with differential invariants 3. (reason directly with flows) components correct by construction

Semantic Framework for dL modal Kleene predicate trans- predicate trans- algebras former quantales former quantaloids binary relations state transformers Lipschitz contin- continuous dynamical systems uous vector fields vector fields hybrid store dynamics

Kleene Algebras sequential composition nondeterministic choice finite iteration ( K , + , · , 0 , 1 , ∗ ) actions of programs skip abort

State Transformer Model Kleisli composition finite iteration set union � ( P A ) A ) , ∪ , ◦ K , λ x . ∅ , η A , ∗ � unit of powerset monad state transformers over A zero function forms state transformer KA Sta A over A f ∗ x = f i x � � ( f ◦ K g ) x = { g y | y ∈ f x } η X x = { x } i ∈ N isomorphic to standard relational semantics of imperative programs

Modal Kleene Algebras antidomain operation ( K , ad , ar ) Kleene algebra antirange operation ◦ ad x models states from which x can’t be executed ◦ ar x models states into which x can’t be executed ◦ d = ad 2 models states from which x can be executed ◦ r = ar 2 models states into which x can be executed

State Transformer Model in Sta A , � � η A x if f x = ∅ ∅ if f x = ∅ ad f x = d f x = ∅ otherwise otherwise η A x modal boxes/diamonds can be defined | f � Q = d ( f ◦ K Q ) | f ] Q = ad ( f ◦ K ( ad Q )) where Q ≤ η A is subidentity transformer ( Q x ⊆ η A x for all x ∈ A ) ar , r , �−| and [ −| are obtained by opposition

Algebraic Program Semantics MKA axoms induce algebra of propositions ⊲ Fix d is maximal boolean algebra between 0 and 1 ⊲ join is +, meet is · , ¬ = ad is complementation ⊲ p , q ∈ Fix d yield tests/assertions algebra of programs if p then x else y = px + ¬ py while p do x = ( px ) ∗ ¬ p while p inv i do x = while p do x algebra of modalities | x � p = d ( xp ) | x ] p = ¬| x �¬ p � x | p = r ( px ) [ x | p = ¬� x |¬ p

Dualities for Modalities De Morgan | x � p | x ] p opposition opposition � x | p [ x | p De Morgan

Structural Verification Condition Generation partial correctness spec p ≤ | x ] q predicate transformer (wlp) laws | xy ] q = | x ] | y ] q | if p then x else y ] q = ( ¬ p + | x ] q )( p + | y ] q ) p ≤ i ∧ i ¬ t ≤ q ∧ it ≤ | x ] i ⇒ p ≤ | while t inv i do x ] q recursive wlp/vc computation

Structural Verification Condition Generation partial correctness spec p ≤ | x ] q predicate transformer (wlp) laws | xy ] q = | x ] | y ] q | if p then x else y ] q = ( ¬ p + | x ] q )( p + | y ] q ) p ≤ i ∧ i ¬ t ≤ q ∧ it ≤ | x ] i ⇒ p ≤ | while t inv i do x ] q but what about assignment?

Concrete Program Store Semantics 1. state transformer semantics ⊲ ( Sta A , ∪ , ◦ K , ad , ar , λ x . ∅ , η A , ∗ ) is state transformer MKA over A ⊲ subidentities { P ∈ Sta A | P ≤ η A } form boolean subalgebra 2. simple store model ⊲ store is function V → E from variables to values ⊲ define store update function f a : V → ( S → E ) → S → S as f a v e s = s [ v �→ e s ] ⊲ lift f a v e s : S → S to state transformer v := e : S → P S as ( v := e ) s = { f a v e s } ⊲ wlp | v := e ] : P S → P S for assignments is then derivable | v := e ] Q s = Q s [ v �→ ( e s )]

Isabelle Verification Components MKA is polymorphic in Isabelle ⊲ can be instantiated to state transformers in concrete store model ⊲ Isabelle picks up facts from all three levels ... rather magically program verification in concrete semantics ⊲ yet with boiler plate program syntax components are correct by construction ⊲ algebra proved consistent via set-theoretic “soundness” proofs approach is compositional ⊲ MKA replaceable by any other program algebra (that supports vcg) ⊲ state transformer model by any other concrete semantics ⊲ store model by any alternative (records, monads, lenses, . . . )

Dynamical Systems continuous dynamical system is flow ϕ : T → S → S ⊲ T is suitable open subinterval of R modelling time ⊲ state space is open S ⊆ R n ⊲ flows are continuously differentiable ⊲ they satisfy ϕ ( t 1 + t 2 ) = ϕ t 1 ◦ ϕ t 2 and ϕ 0 = id for all t 1 , t 2 ∈ T the trajectory ϕ s : T → S of ϕ at s ∈ S is defined by ϕ s t = ϕ t s we model the orbit of s via state transformer γ ϕ : S → P S : γ ϕ s = P ϕ s T

ODEs and IVPs flows arise from vector fields f : S → S that represent (autonomous) systems of ODEs  x ′    1 t f 1 ( x 1 t ) . . . ( x n t ) x ′ 2 t f 2 ( x 1 t ) . . . ( x n t ) X ′ t =      =  = f ( X t ) . .     . .     . .   x ′ n t f n ( x 1 t ) . . . ( x n t ) initial value problem (IVP) is pair ( f , s ) of vector field f and initial value (0 , s ) ∈ T × S solution to IVP ( f , s ) is continuously differentiable X : T → S that satisfies X ′ = f ◦ X and X 0 = s for X unique (and T = R ), X is trajectory of flow ϕ f through s

Particles in Fluid autonomous system of ODEs for particles in three-dimensional fluid x ′ t = v y ′ t = 0 z ′ t = − sin ( x t ) vector field f : R 3 → R 3 attaches velocity vectors to points of R 3     x v  = 0 f y    − sin x z for s = ( s 1 , s 2 , s 3 ) T , solutions ϕ s : R → R 3 of IVP ( f , s ) satisfy     s 1 vt  + 0 ϕ s t = s 2    s 3 − cos s 1 cos ( s 1 + vt )

Particles in Fluid

Particles in Fluid we check that they are indeed solutions:     v s 1 + vt ϕ ′  = f  = f ( ϕ s t ) s t = 0 s 2   − sin ( s 1 + vt ) s 3 − cos s 1 + cos ( s 1 + vt )       s 1 v 0 s 1  +  =  = s ϕ s 0 = s 2 0 s 2    s 3 − cos s 1 cos ( s 1 + v 0) s 3 checking that ϕ : R → R 3 → R 3 is flow is similar

Existence and Uniqueness of Solutions not all IVPs admit flows ⊲ not all of them have unique solutions ⊲ only local flows on T ⊆ R may exists Picard-Lindel¨ of theorem if S ⊆ R n is open set and f : S → S Lipschitz continuous vector field then ( f , s ) has unique solution X : T s → S on open interval T s ⊆ R f is Lipschitz continuous if � f s 1 − f s 2 � ≤ ℓ � s 1 − s 2 � for some ℓ ≥ 0 intervals T s can be patched together to local flow ϕ : T → S → S

Hybrid Programs and Store hybrid programs C ::= x := e | x ′ = f & G | C ; C | if P then C else C | while P inv I do C evolution command x ′ = f & G ⊲ defines vector field f : S → S ⊲ and guard G : S → B that models boundary conditions hybrid stores are functions s : V → R ⊲ we assume S ⊆ R V ∼ = R n for some n ∈ N