Verifying Hybrid Systems with Interactive Theorem Provers (PowerPoint PPT Presentation)

SLIDE 1

Verifying Hybrid Systems with Interactive Theorem Provers

Jonathan Julián Huerta y Munive, Georg Struth

University of Sheffield, UK

SLIDE 2

Algebras for Program Verification

Kleene algebras
⊲ modal Kleene algebras (MKAs)
⊲ concurrent Kleene algebras
⊲ rely-guarantee algebras

quantales
⊲ predicate transformer algebras
⊲ convolution algebras over partial monoids
⊲ separation algebras
⊲ incidence/interval algebras

. . . and more: a longstanding interest

SLIDE 3

Tools for Program Verification

mathematical components for these algebras
verification components using them
⊲ Hoare logics and predicate transformer calculi
⊲ incl. separation logic and rely-guarantee reasoning
⊲ for program verification, transformation, refinement

all with Isabelle/HOL (see Archive of Formal Proofs)

compositional approach
⊲ shallow embedding of program logics
⊲ algebras used for reasoning about program equivalence/refinement
⊲ in particular for structural verification condition generation
⊲ programs analysed in concrete store semantics

this talk: verification components for hybrid systems/programs

SLIDE 4

Hybrid System Verification

(water tank example)

$$\text{dynamics} = \begin{cases} V' = r_1 - r_2 \\ r_1' = f \\ r_2' = 0 \end{cases}$$

safe = θ2 ≤ V ≤ θ1

control = . . . r2 := c . . .

tank = (control; dynamics)∗ (hybrid program)

safe ≤ [tank] safe (correctness spec)

extend tools developed to reason about such systems

SLIDE 5

Previous Work

differential dynamic logic (dL)
⊲ extends PDL to hybrid programs
⊲ based on intricate sequent/substitution calculus
⊲ supported by KeYmaera X tool

Isabelle components
⊲ impressive analysis stack (topology → vector spaces → ODEs)
⊲ complements our verification stack

idea
⊲ MKA is algebraic sister of PDL
⊲ PDL is logic of predicate transformers
⊲ integrating the two stacks might yield a semantic variant of dL
⊲ development hopefully incremental w.r.t. hybrid program store

SLIDE 6

Contributions

semantic Isabelle framework for hybrid program verification
⊲ semantic/algebraic reconstruction of dL (plus differential Hoare logic/refinement calculus)
⊲ based on shallow embeddings
⊲ only a few additional rules for evolution commands
⊲ supports natural reasoning about continuous dynamics

three workflows supported
  • 1. solve ODEs and certify solutions
  • 2. reason with differential invariants
  • 3. (reason directly with flows)

components correct by construction

SLIDE 7

Semantic Framework for dL

(layered diagram; its labels are:) modal Kleene algebras, state transformers, predicate transformer quantales, binary relations, predicate transformer quantaloids, dynamical systems, Lipschitz continuous vector fields, continuous vector fields, hybrid store dynamics

SLIDE 8

Kleene Algebras

(K, +, ·, 0, 1, ∗)

K: actions of programs
+: nondeterministic choice
·: sequential composition
∗: finite iteration
1: skip
0: abort

SLIDE 9

State Transformer Model

((P A)^A, ∪, ◦K, λx. ∅, ηA, ∗)

(P A)^A: state transformers over A
∪: set union
◦K: Kleisli composition
λx. ∅: zero function
ηA: unit of powerset monad
∗: finite iteration

forms state transformer KA Sta A over A, with

(f ◦K g) x = ⋃ {g y | y ∈ f x}
ηA x = {x}
f∗ x = ⋃_{i∈N} f^i x

isomorphic to standard relational semantics of imperative programs

SLIDE 10

Modal Kleene Algebras

(K, ad, ar)

K: Kleene algebra
ad: antidomain operation
ar: antirange operation

  • ad x models states from which x can’t be executed
  • ar x models states into which x can’t be executed
  • d = ad² models states from which x can be executed
  • r = ar² models states into which x can be executed

SLIDE 11

State Transformer Model

in Sta A,

ad f x = ηA x if f x = ∅, and ∅ otherwise
d f x = ∅ if f x = ∅, and ηA x otherwise

modal boxes/diamonds can be defined

|f⟩Q = d (f ◦K Q)
|f]Q = ad (f ◦K (ad Q))

where Q ≤ ηA is a subidentity transformer (Q x ⊆ ηA x for all x ∈ A)

ar, r, ⟨−| and [−| are obtained by opposition

SLIDE 12

Algebraic Program Semantics

MKA axioms induce algebra of propositions
⊲ Fix d is maximal boolean algebra between 0 and 1
⊲ join is +, meet is ·, ¬ = ad is complementation
⊲ p, q ∈ Fix d yield tests/assertions

algebra of programs
if p then x else y = px + ¬py
while p do x = (px)∗¬p
while p inv i do x = while p do x

algebra of modalities
|x⟩p = d (xp)
|x]p = ¬|x⟩¬p
⟨x|p = r (px)
[x|p = ¬⟨x|¬p

SLIDE 13

Dualities for Modalities

(diagram) the four modalities |x⟩p, |x]p, ⟨x|p, [x|p form a square: |x⟩p and |x]p, and likewise ⟨x|p and [x|p, are related by De Morgan duality; |x⟩p and ⟨x|p, and likewise |x]p and [x|p, are related by opposition

SLIDE 14

Structural Verification Condition Generation

partial correctness spec: p ≤ |x]q

predicate transformer (wlp) laws:
|x y]q = |x]|y]q
|if p then x else y]q = (¬p + |x]q)(p + |y]q)
p ≤ i ∧ i¬t ≤ q ∧ it ≤ |x]i ⇒ p ≤ |while t inv i do x]q

recursive wlp/vc computation

SLIDE 15

Structural Verification Condition Generation

(repeats the spec and wlp laws of slide 14)

but what about assignment?

SLIDE 16

Concrete Program Store Semantics

  • 1. state transformer semantics
⊲ (Sta A, ∪, ◦K, ad, ar, λx. ∅, ηA, ∗) is state transformer MKA over A
⊲ subidentities {P ∈ Sta A | P ≤ ηA} form boolean subalgebra

  • 2. simple store model
⊲ store is function V → E from variables to values
⊲ define store update function fa : V → (S → E) → S → S as

fa v e s = s[v ↦ e s]

⊲ lift fa v e : S → S to state transformer v := e : S → P S as

(v := e) s = {fa v e s}

⊲ wlp |v := e] : P S → P S for assignments is then derivable

|v := e]Q s = Q s[v ↦ (e s)]

SLIDE 17

Isabelle Verification Components

MKA is polymorphic in Isabelle
⊲ can be instantiated to state transformers in concrete store model
⊲ Isabelle picks up facts from all three levels ... rather magically

program verification in concrete semantics
⊲ yet with boilerplate program syntax

components are correct by construction
⊲ algebra proved consistent via set-theoretic “soundness” proofs

approach is compositional
⊲ MKA replaceable by any other program algebra (that supports vcg)
⊲ state transformer model by any other concrete semantics
⊲ store model by any alternative (records, monads, lenses, . . . )

SLIDE 18

Dynamical Systems

continuous dynamical system is flow ϕ : T → S → S
⊲ T is suitable open subinterval of R modelling time
⊲ state space is open S ⊆ R^n
⊲ flows are continuously differentiable
⊲ they satisfy ϕ (t1 + t2) = ϕ t1 ◦ ϕ t2 and ϕ 0 = id for all t1, t2 ∈ T

the trajectory ϕs : T → S of ϕ at s ∈ S is defined by ϕs t = ϕ t s

we model the orbit of s via state transformer γϕ : S → P S: γϕ s = P ϕs T (the image of T under ϕs)

SLIDE 19

ODEs and IVPs

flows arise from vector fields f : S → S that represent (autonomous) systems of ODEs

$$X'\, t = \begin{pmatrix} x_1'\, t \\ x_2'\, t \\ \vdots \\ x_n'\, t \end{pmatrix} = \begin{pmatrix} f_1\, (x_1\, t) \dots (x_n\, t) \\ f_2\, (x_1\, t) \dots (x_n\, t) \\ \vdots \\ f_n\, (x_1\, t) \dots (x_n\, t) \end{pmatrix} = f\, (X\, t)$$

initial value problem (IVP) is pair (f, s) of vector field f and initial value (0, s) ∈ T × S

solution to IVP (f, s) is continuously differentiable X : T → S that satisfies X′ = f ◦ X and X 0 = s

for X unique (and T = R), X is trajectory of flow ϕf through s

SLIDE 20

Particles in Fluid

autonomous system of ODEs for particles in three-dimensional fluid

x′ t = v
y′ t = 0
z′ t = − sin (x t)

vector field f : R³ → R³ attaches velocity vectors to points of R³

$$f \begin{pmatrix} x \\ y \\ z \end{pmatrix} = \begin{pmatrix} v \\ 0 \\ -\sin x \end{pmatrix}$$

for s = (s1, s2, s3)^T, solutions ϕs : R → R³ of IVP (f, s) satisfy

$$\varphi_s\, t = \begin{pmatrix} s_1 \\ s_2 \\ s_3 - \cos s_1 \end{pmatrix} + \begin{pmatrix} v t \\ 0 \\ \cos (s_1 + v t) \end{pmatrix}$$

SLIDE 21

Particles in Fluid

(figure only)

SLIDE 22

Particles in Fluid

we check that they are indeed solutions:

$$\varphi_s'\, t = \begin{pmatrix} v \\ 0 \\ -\sin (s_1 + v t) \end{pmatrix} = f \begin{pmatrix} s_1 + v t \\ s_2 \\ s_3 - \cos s_1 + \cos (s_1 + v t) \end{pmatrix} = f\, (\varphi_s\, t)$$

$$\varphi_s\, 0 = \begin{pmatrix} s_1 \\ s_2 \\ s_3 - \cos s_1 \end{pmatrix} + \begin{pmatrix} v \cdot 0 \\ 0 \\ \cos (s_1 + v \cdot 0) \end{pmatrix} = \begin{pmatrix} s_1 \\ s_2 \\ s_3 \end{pmatrix} = s$$

checking that ϕ : R → R³ → R³ is a flow is similar

SLIDE 23

Existence and Uniqueness of Solutions

not all IVPs admit flows
⊲ not all of them have unique solutions
⊲ only local flows on T ⊆ R may exist

Picard-Lindelöf theorem

if S ⊆ R^n is open set and f : S → S Lipschitz continuous vector field then (f, s) has unique solution X : Ts → S on open interval Ts ⊆ R

f is Lipschitz continuous if ‖f s1 − f s2‖ ≤ ℓ ‖s1 − s2‖ for some ℓ ≥ 0

intervals Ts can be patched together to local flow ϕ : T → S → S

SLIDE 24

Hybrid Programs and Store

hybrid programs

C ::= x := e | x′ = f & G | C; C | if P then C else C | while P inv I do C

evolution command x′ = f & G
⊲ defines vector field f : S → S
⊲ and guard G : S → B that models boundary conditions

hybrid stores are functions s : V → R
⊲ we assume S ⊆ R^V ≅ R^n for some n ∈ N

SLIDE 25

Semantics of Evolution Commands

fix Lipschitz-continuous f : S → S for S ⊆ R^V
⊲ with local flow ϕ : T → S → S
⊲ and 0 ∈ T given by Picard-Lindelöf

fix time interval of interest U ⊆ T (we assume U = [0, tmax])

define G-guarded orbit on U at s ∈ S via γ^ϕ_{G,U} : S → P S as

γ^ϕ_{G,U} s = {ϕs t | t ∈ U ∧ ∀τ ∈ [0, t]. G (ϕs τ)}

define state transformer semantics of x′ = f & G as

(x′ = f & G)_U = γ^ϕ_{G,U}

wlp for |(x′ = f & G)_U] : P S → P S is then derivable

|(x′ = f & G)_U]Q s = ∀t ∈ U. (∀τ ∈ [0, t]. G (ϕs τ)) → Q (ϕs t)

SLIDE 26

Categorical Remark

⟨(x′ = f & G)_U| = (γ^ϕ_{G,U})† for Kleisli extension map (−)† for P

wlp |(x′ = f & G)_U] is its right adjoint, thus

|(x′ = f & G)_U]P = ⋃ {Q | (γ^ϕ_{G,U})† Q ⊆ P} = {s | γ^ϕ_{G,U} s ⊆ P}

previous identity can be calculated from there

SLIDE 27

First Workflow

for evolution command (x′ = f & G)_U

  • 1. check that f is Lipschitz continuous and S ⊆ R^V open
  • 2. supply (local) flow ϕ for f
  • 3. check that ϕs is unique solution for (f, s) for any s ∈ S and T
    3.1 ϕs′ = f ◦ ϕs for any s ∈ S
    3.2 ϕs 0 = s for any s ∈ S
    3.3 U is subset of open set T containing 0
  • 4. if successful calculate wlp

SLIDE 28

Bouncing Ball

ball is dropped from h ≥ 0
⊲ state space is R^V for V = {x, v} (x denotes position, v velocity)
⊲ kinematics given by f : R^V → R^V with f (sx, sv)^T = (sv, −g)^T
⊲ ball bounces back from ground in elastic collision
⊲ this is modelled by discrete control: it tests sx = 0 and flips velocity

guard G = (λs. sx ≥ 0) prevents any motion below ground

hybrid program is

Cntrl = if (λs. sx = 0) then v := (λs. − sv) else skip
Ball = (x′ = f & G ; Cntrl)∗

SLIDE 29

Bouncing Ball

correctness specification P ≤ |Ball]Q for P = (λs. sx = h ∧ sv = 0) and Q = (λs. 0 ≤ sx ≤ h)

we also need loop invariant I = (λs. 0 ≤ sx ∧ ½ sv² = g(h − sx))

SLIDE 30

Bouncing Ball

correctness proof

  • 1. bring spec into form I ≤ |Ball]I (show P ≤ I and I ≤ Q)
⊲ P ≤ I because ½ · 0² = 0 = h − h
⊲ I ≤ Q because (i) 0 ≤ sx appears both in I and in Q and (ii) sx ≤ h is guaranteed by g(h − sx) ≥ 0, which holds as ½ sv² ≥ 0
⊲ rest follows from transitivity and isotonicity of boxes

  • 2. applying wlp rule for loops yields I ≤ |x′ = f & G ; Cntrl]I
  • 3. we incrementally calculate wlps using sequential composition rule

J = |if (λs. sx = 0) then v := (λs. − sv) else skip]I
K = |x′ = f & G]J

and finally show that I ≤ K

SLIDE 31

Bouncing Ball

3.1. with conditional wlp rule and T = (λs. sx = 0)

J = (T → |v := (λs. − sv)]I) · (¬T → I)
  = (T → |v := (λs. − sv)](λs. 0 ≤ sx ∧ ½ sv² = g(h − sx))) · (¬T → I)
  = (T → (λs. 0 ≤ sx ∧ ½ (−sv)² = g(h − sx))) · (¬T → I)
  = (T → I) · (¬T → I)
  = I

SLIDE 32

Bouncing Ball

3.2. for the wlp of the evolution command we follow the procedure above
⊲ f is indeed Lipschitz continuous for ℓ = 1
⊲ we supply flow ϕ : R → R^V → R^V defined by

$$\varphi_s\, t = \begin{pmatrix} s_x \\ s_v \end{pmatrix} + \begin{pmatrix} s_v \\ -g \end{pmatrix} t - \begin{pmatrix} \tfrac{1}{2} g \\ 0 \end{pmatrix} t^2$$

⊲ we need to check that it is indeed a solution (I skip this)
⊲ after these checks we can apply the wlp rule for evolution commands

K s = ∀t ∈ R+. (∀τ ∈ [0, t]. 0 ≤ ϕs τ x) → 0 ≤ ϕs t x ∧ ½ (ϕs t v)² = g(h − ϕs t x)
    = ∀t. (∀τ ∈ [0, t]. 0 ≤ ϕs τ x) → ½ (ϕs t v)² = g(h − ϕs t x)
    = ∀t. (∀τ ∈ [0, t]. 0 ≤ sx + sv τ − ½ g τ²) → ½ (sv − g t)² = g(h − sx − sv t + ½ g t²)

  • 3.3. I ≤ K then follows from a similarly boring arithmetic calculation
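The first workflow (slides 27 and 32) carried out on the bouncing ball with exact rational arithmetic, as an added example (our code, not from the slides or the CPSVerification project): the flow is certified as a solution of the kinematics, and the final equation of slide 32 is checked as a polynomial identity in t rather than by quantifying over the reals. The polynomial helpers and the sample values of g, h and s are ours.

```python
# Added example, not from the slides or the CPSVerification project: the
# first workflow (slides 27 and 32) for the bouncing ball with exact rational
# arithmetic. A polynomial in t is a list of Fraction coefficients, lowest
# degree first. The flow ϕ_s t = (sx + sv t − ½ g t², sv − g t) and the field
# f (sx, sv) = (sv, −g) are the slides'; sample values of g, h and s are ours.
from fractions import Fraction as Fr

def padd(p, q):
    n = max(len(p), len(q))
    p, q = p + [Fr(0)] * (n - len(p)), q + [Fr(0)] * (n - len(q))
    return [a + b for a, b in zip(p, q)]

def pscale(c, p): return [Fr(c) * a for a in p]

def pmul(p, q):
    r = [Fr(0)] * (len(p) + len(q) - 1)
    for i, a in enumerate(p):
        for j, b in enumerate(q):
            r[i + j] += a * b
    return r

def pderiv(p): return [i * a for i, a in enumerate(p)][1:] or [Fr(0)]

def ptrim(p):
    while len(p) > 1 and p[-1] == 0:
        p = p[:-1]
    return p

def flow(g, s):
    """ϕ_s as two polynomials in t: x(t) = sx + sv t − ½ g t², v(t) = sv − g t."""
    g, sx, sv = map(Fr, (g, *s))
    return [sx, sv, -g / 2], [sv, -g]

def certify_flow(g, s):
    """Step 3 of the first workflow: ϕ_s' = f ∘ ϕ_s and ϕ_s 0 = s.
    With f (x, v) = (v, −g), f ∘ ϕ_s is (v(t), −g) componentwise."""
    xt, vt = flow(g, s)
    derivative_ok = ptrim(pderiv(xt)) == ptrim(vt) and ptrim(pderiv(vt)) == [-Fr(g)]
    return derivative_ok and (xt[0], vt[0]) == tuple(s)

def wlp_residual(g, h, s):
    """½ (ϕ_s t v)² − g (h − ϕ_s t x) as a polynomial in t, i.e. the difference
    of the two sides of the last equation on slide 32. Every t-dependent
    coefficient cancels, so only the constant ½ sv² − g (h − sx) survives."""
    xt, vt = flow(g, s)
    lhs = pscale(Fr(1, 2), pmul(vt, vt))
    rhs = pscale(g, padd([Fr(h)], pscale(-1, xt)))
    return ptrim(padd(lhs, pscale(-1, rhs)))

def invariant_preserved(g, h, s):
    """The energy part of I ≤ K: if ½ sv² = g (h − sx) holds at s, then it
    holds at ϕ_s t for every t, so the guard only matters for 0 ≤ x."""
    g, h, sx, sv = map(Fr, (g, h, *s))
    holds_at_s = Fr(1, 2) * sv * sv == g * (h - sx)
    return (not holds_at_s) or wlp_residual(g, h, (sx, sv)) == [Fr(0)]
```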

SLIDE 33

Generalised Semantics for Evolution Commands

consider IVP (f, s) for continuous f : S → S and s ∈ S ⊆ R^V for T ⊆ R with 0 ∈ T (we assume T = [0, tmax])

define Sols f T s = {X | ∀t ∈ T. X′ t = f (X t) ∧ X 0 = s}

define G-guarded orbital

γ^f_G s = {X t | X ∈ Sols f T s ∧ t ∈ T ∧ (∀τ ∈ [0, t]. G (X τ))}

we can still derive wlps, but I won’t go into details

SLIDE 34

Invariants for Evolution Commands

in dynamical systems theory, an invariant set for flow ϕ : T → S → S is set I ⊆ S satisfying γϕ s ⊆ I for all s ∈ I

set I : S → B is invariant of continuous vector field f : S → S and guard G : S → B along T ⊆ R if (γ^f_G)† I ⊆ I

proposition: the following are equivalent
  • 1. I is invariant for f and G along T
  • 2. ⟨x′ = f & G|I ⊆ I
  • 3. I ⊆ |x′ = f & G]I

it follows from (γ^f_G)† I ⊆ I ↔ ⟨x′ = f & G|I ⊆ I ↔ I ⊆ |x′ = f & G]I

in addition, for I ⊆ |x′ = f & G]I, it suffices to check that I s → ∀X ∈ Sols f T s. ∀t ∈ T. I (X t)

SLIDE 35

Invariants for Evolution Commands

we have an algorithm to check for invariants

  • 1. µ = ν is invariant for f along T if (µ ◦ X)′ = (ν ◦ X)′ for all X ∈ Sols f T s
  • 2. µ < ν is invariant for f along T if (µ ◦ X)′ t ≤ (ν ◦ X)′ t when t > 0, and (µ ◦ X)′ t ≥ (ν ◦ X)′ t when t < 0, for all X ∈ Sols f T s
  • 3. µ ≠ ν is invariant for f along T if µ < ν and µ > ν are (and conversely if 0 is the least element in T)
  • 4. µ ≤ ν is invariant for f along T if and only if µ > ν is

it extends to boolean combinations of invariants

for (1), µ = ν is invariant iff µ s = ν s implies µ (X t) = ν (X t) for all X ∈ Sols f T s, which follows from µ s = ν s and (µ (X t))′ = (ν (X t))′ by the mean value theorem

SLIDE 36

Second Workflow

for P ≤ |x′ = f & G]Q

  • 1. check whether I is a differential invariant:
    a. transform I into negation normal form
    b. reduce into separate statements for =, < and negations
    c. apply previous proposition
  • 2. if successful prove I ≤ P and |x′ = f & G](G · I) ≤ |x′ = f & G]Q

SLIDE 37

Bouncing Ball

as part of previous proof we wish to verify I ≤ |x′ = f & G]I

we pick invariant Id = (λs. ½ sv² = g(h − sx)) for evolution command and apply procedure

  • 1. we check that Id is invariant
⊲ for µ s = ½ sv² and ν s = g(h − sx) we need to show that (µ ◦ X)′ = (ν ◦ X)′ for all X ∈ Sols f T s, which unfolds to

(½ (X t v)²)′ = (X t v)(X′ t v) = (X t v)(f (X t) v) = −(X t v) g = −g (f (X t) x) = −g (X′ t x) = (g(h − X t x))′

⊲ Id is thus invariant for f along RV
⊲ it follows that Id ≤ |x′ = f & G]Id

SLIDE 38

Bouncing Ball

  • 2. it remains to prove I ≤ Id and |x′ = f & G]Id ≤ |x′ = f & G]I
⊲ first inequality is trivial
⊲ for the second one

(G · Id) s = (0 ≤ sx ∧ ½ sv² = g(h − sx)) = I s

it follows that |x′ = f & G]Id = |x′ = f & G](G · Id) = |x′ = f & G]I.

the remaining verification of P ≤ |Ball]Q is as before
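The second workflow (slides 35 to 38) on the bouncing ball, as an added example (our code, not from the slides or the CPSVerification project): the derivative (µ ◦ X)′ is computed from the chain rule with X′ = f ◦ X, so the energy invariant Id is certified without solving the ODE, and rule 2 is tried on 0 < x to see why the guard, not a differential invariant, keeps the ball above ground. The polynomial representation, helper names and sample values are ours.

```python
# Added example, not from the slides or the CPSVerification project: the
# invariant rules of slides 35 and 37 with exact polynomial arithmetic and no
# solved flow. A polynomial in the store variables (x, v) is a dict
# {(i, j): coefficient of x^i v^j}; (µ ∘ X)' comes from the chain rule with
# X' = f ∘ X. Kinematics f (x, v) = (v, −g) and the candidate invariants are
# the slides'; helper names and sample values are ours.
from fractions import Fraction as Fr

def padd(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fr(0)) + c
    return {m: c for m, c in r.items() if c != 0}

def pmul(p, q):
    r = {}
    for (i, j), a in p.items():
        for (k, l), b in q.items():
            r[(i + k, j + l)] = r.get((i + k, j + l), Fr(0)) + a * b
    return {m: c for m, c in r.items() if c != 0}

def pdiff(p, var):   # partial derivative w.r.t. x (var = 0) or v (var = 1)
    return {m[:var] + (m[var] - 1,) + m[var + 1:]: c * m[var]
            for m, c in p.items() if m[var] > 0}

def peval(p, x, v): return sum(c * x ** i * v ** j for (i, j), c in p.items())
def const(c): return {(0, 0): Fr(c)} if c != 0 else {}
X, V = {(1, 0): Fr(1)}, {(0, 1): Fr(1)}          # the variables as polynomials
def ball_field(g): return (V, const(-g))          # f (x, v) = (v, −g)

def lie(p, f):
    """(p ∘ X)' t = ∂p/∂x (X t) · f_x (X t) + ∂p/∂v (X t) · f_v (X t)."""
    return padd(pmul(pdiff(p, 0), f[0]), pmul(pdiff(p, 1), f[1]))

def eq_invariant(mu, nu, f):
    """Rule 1: µ = ν is invariant for f if (µ ∘ X)' = (ν ∘ X)' identically."""
    return lie(mu, f) == lie(nu, f)

def lt_counterexample(mu, nu, f, samples):
    """Rule 2 on a finite sample of states: a state where ((ν − µ) ∘ X)' < 0
    refutes 'µ < ν is invariant' for t > 0; None means no refutation found."""
    rate = padd(lie(nu, f), pmul(const(-1), lie(mu, f)))
    return next(((x, v) for x, v in samples if peval(rate, x, v) < 0), None)

def energy_invariant(g, h):
    """Slide 37: ½ v² = g (h − x) is a differential invariant of the ball."""
    mu = pmul(const(Fr(1, 2)), pmul(V, V))
    nu = pmul(const(g), padd(const(h), pmul(const(-1), X)))
    return eq_invariant(mu, nu, ball_field(g))

def ground_not_invariant(g):   # 0 < x has rate v, negative while the ball falls
    grid = [(Fr(x), Fr(v)) for x in range(3) for v in range(-2, 3)]
    return lt_counterexample(const(0), X, ball_field(g), grid)
```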

SLIDE 39

What about Isabelle?

Isabelle supports the workflows described
⊲ vcg is fully automatic
⊲ remaining proof obligations are about hybrid store dynamics
⊲ they may require substantial user interaction
⊲ boilerplate hybrid program syntax has not been optimised
⊲ apply style proofs are not very readable

alternatively, we have derived most of the dL inference rules

MKA verification component covers ∼ 25 pages
⊲ relative to algebra and ODE stacks (which took years of work!)
⊲ amount of work for other components is comparable

SLIDE 40

Bouncing Ball with Flow

    abbreviation fball :: "real ⇒ real^2 ⇒ real^2" ("f")
      where "f g s ≡ (χ i. if i = 0 then s$1 else g)"

    lemma bouncing_ball:
      "g < 0 ⟹ h ≥ 0 ⟹
       {s. s$0 = h ∧ s$1 = 0} ≤ fbF
         (LOOP ((x´ = (f g) & (λs. s$0 ≥ 0)) ;
                (IF (λs. s$0 = 0) THEN (1 ::= (λs. − s$1)) ELSE skip))
          INV (λs. 0 ≤ s$0 ∧ 2 · g · s$0 − 2 · g · h − s$1 · s$1 = 0))
       {s. 0 ≤ s$0 ∧ s$0 ≤ h}"
      apply (rule wp_loopI, simp_all add: local_flow.wp_g_ode[OF local_flow_ball])
      by (auto simp: bb_real_arith)

this requires some auxiliary lemmas

SLIDE 41

Bouncing Ball with Flow

we have bundled lemmas for real arithmetic

    named_theorems bb_real_arith

    . . .

    lemma [bb_real_arith]: "0 > g ⟹ 2 · g · x − 2 · g · h = v · v ⟹ (x::real) ≤ h"
    proof . . .

to certify flows we follow the procedure within the following lemma

    abbreviation ball_flow :: "real ⇒ real ⇒ real^2 ⇒ real^2" ("ϕ")
      where "ϕ g t s ≡ (χ i. if i = 0 then g · t^2/2 + s$1 · t + s$0 else g · t + s$1)"

    lemma local_flow_ball: "local_flow (f g) UNIV UNIV (ϕ g)"
    proof . . .

SLIDE 42

dL vs Hybrid MKA

dL and KeYmaera X
  • special purpose sequent calculus with complex substitution rules
  • only simple ODEs can be solved (real arithmetic)
  • invariant rules are crucial for other classes
  • aims at automated industrial verification

hybrid MKA
  • semantic reasoning in algebra with simple function updates
  • open approach limited only by HOL and Picard-Lindelöf
  • free calculations with invariants are possible
  • aims at interactive experimental platform

SLIDE 43

Conclusions

first dL-inspired hybrid verification components in proof assistant

extensions
⊲ Hoare-style approach via KAT
⊲ refinement calculi

ongoing work
⊲ linear systems of ODEs
⊲ hybrid duration calculi

future work
⊲ improved tactics and proof automation
⊲ integration of CAS, solvers, decision procedures
⊲ extended case studies
⊲ ADEs and PDEs

SLIDE 44

Papers and Isabelle Components

Huerta y Munive, S. Verifying Hybrid Systems with Modal Kleene Algebra. RAMiCS, 2018.
Huerta y Munive, S. Predicate Transformer Semantics for Hybrid Systems: Verification Components for Isabelle/HOL. arXiv, 2019.
Foster, Huerta y Munive, S. Differential Hoare Logics and Refinement Calculi for Hybrid Systems with Isabelle/HOL. RAMiCS, 2020.
Huerta y Munive. Verification Components for Hybrid Systems. Archive of Formal Proofs, 2019.

project repo: https://github.com/yonoteam/CPSVerification