A Logic of Proofs for Differential Dynamic Logic: Toward Independently Checkable Proof Certificates for Differential Dynamic Logic
Nathan Fulton, André Platzer (Carnegie Mellon University)
CPP'16, January 19, 2016
Motivation: strong evidence that Cyber-Physical Systems are safe.
KeYmaera X
Criteria for Evidence of a Successful Verification Effort
Hybrid Systems Proofs (via KeYmaera X) should be:
- Persistent – truth-preservation is insufficient!
- Permanent – tactics are not proofs
- Portable – between machines, between logics
Approach: formulas of the form $e : \varphi$, a proof term $e$ certifying a formula $\varphi$.
Outline:
- The Language of Differential Dynamic Logic
- Uniform Substitution Calculus of dL
- LPdL
Hybrid Programs Model Cyber-Physical Systems
Definition (Hybrid Programs)
- Assign: $x := \theta$
- Test: $?\varphi$
- Sequence: $\alpha;\ \beta$
- Choice: $\alpha \cup \beta$
- Iteration: $\alpha^*$
- ODEs: $\{x_1' = \theta_1, \ldots, x_n' = \theta_n\ \&\ \varphi\}$
dL: FOL over Real Closed Fields $+\ [\alpha]\varphi\ +\ \langle\alpha\rangle\varphi$
Example:
$\underbrace{vel \ge 0 \wedge A > 0}_{\text{initial condition}} \to \big[\big(\underbrace{(acc := A \cup acc := 0)}_{\text{ctrl (control)}};\ \underbrace{\{pos' = vel,\ vel' = acc\}}_{\text{plant (physical system model)}}\big)^*\big]\ \underbrace{vel \ge 0}_{\text{postcondition}}$
Deduction in Differential Dynamic Logic
DiffSolve as a proof rule:
$\dfrac{v \ge 0,\ z < m \vdash \forall t \ge 0\ [z := -\tfrac{b}{2}t^2 + vt + z]\ z \le m}{v \ge 0,\ z < m \vdash [z' = v,\ v' = -b]\ z \le m}$
Uniform Substitution Isolates Binding Structure
DiffSolve as a single axiom:
$[x' = f\ \&\ q(x)]\,p(x) \leftrightarrow \forall t \ge 0\ \big((\forall 0 \le s \le t\ q(x + fs)) \to [x := x + ft]\,p(x)\big)$
Sound uniform substitutions are used in deductions:
$\dfrac{\varphi}{\sigma(\varphi)}$ (US)
Significant Features of dL
BoxChoice rule:
$\dfrac{\Gamma \vdash [\alpha]\varphi \qquad \Gamma \vdash [\beta]\varphi}{\Gamma \vdash [\alpha \cup \beta]\varphi}$
Goal: $\Gamma \vdash \underbrace{[x := 4 \cup x := 5]\ x > 3}_{\psi}$
Axiom: $[a \cup b]\,p(\bar{x}) \leftrightarrow [a]\,p(\bar{x}) \wedge [b]\,p(\bar{x})$
Substitution: $\sigma = \{a \mapsto x := 4,\ b \mapsto x := 5,\ p(\bar{x}) \mapsto x > 3\}$
Instance: $\psi \leftrightarrow [x := 4]\ x > 3 \wedge [x := 5]\ x > 3$
Derivation (read bottom-up):
$\Gamma \vdash [x := 4]\ x > 3 \qquad \Gamma \vdash [x := 5]\ x > 3$
$\Gamma \vdash [x := 4]\ x > 3 \wedge [x := 5]\ x > 3$
$\Gamma, \cdots \vdash [x := 4]\ x > 3 \wedge [x := 5]\ x > 3$
$\Gamma,\ \psi \leftrightarrow [x := 4]\ x > 3 \wedge [x := 5]\ x > 3 \vdash \psi$
$\Gamma \vdash \psi$
Contribution: A Logic of Proofs for dL
LPdL extends the grammar of dL with formulas of the form $e : \varphi$, where $e$ is an LPdL proof term and $\varphi$ is a dL formula.
Grammar of proof terms:
$e, d ::= c_\varphi \mid e \wedge d \mid e \bullet d \mid e \bullet_{\leftarrow} d \mid e \bullet_{\rightarrow} d \mid \sigma\, e \mid B\, e \mid CT_\sigma\, e \mid CQ_\sigma\, e \mid CE_\sigma\, e$
Example (Proof Constants):
$(i_{[:=]}) : ([x := t]\,p(x) \leftrightarrow p(t))$
$(j_{x > y \wedge y > z \to x > z}) : (x > y \wedge y > z \to x > z)$
Example (Conjunctions):
$(i_{[:=]} \wedge j_{x > 0}) : (([x := t]\,p(x) \leftrightarrow p(t)) \wedge x > 0)$
Example ($\bullet$): If $e : \varphi \to \psi$ (1) and $d : \varphi$ (2), then $e \bullet d : \psi$. Directional application performs a similar operation on equivalences.
Example (Uniform Substitution of Axiom $[x := t]\,p(x) \leftrightarrow p(t)$):
$\sigma_{\{t \mapsto 0,\ p(\cdot) \mapsto \cdot \ge 0\}}(i_{[:=]}) : [x := 0]\ x \ge 0 \leftrightarrow 0 \ge 0$
Example (US Instances of Proof Rules):
$CE_{\{t \mapsto 0,\ p(\cdot) \mapsto \cdot \ge 0\}}\ i_{[:=]} : ([\{z' = a\}][x := 0]\ x \ge 0) \leftrightarrow ([\{z' = a\}]\ 0 \ge 0)$
Sampling of Axioms and Proof Rules
(dL Axiom) $\varphi$, for dL axioms $\varphi$
(dL Constants) $i_A : A$
(And) $\dfrac{e : \varphi \qquad d : \psi}{(e \wedge d) : (\varphi \wedge \psi)}$
(Application) $\dfrac{e : (\varphi \to \psi) \qquad d : \varphi}{e \bullet d : \psi}$
(US Proof Term) $\dfrac{e : \varphi}{\sigma\, e : \sigma(\varphi)}$
($CE_\sigma$) $\dfrac{\sigma\, e : \sigma(p(\bar{x}) \leftrightarrow q(\bar{x}))}{CE_\sigma\, e : \sigma(C(p(\bar{x})) \leftrightarrow C(q(\bar{x})))}$
Only side-condition: admissibility of the $\sigma$s.
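As an added example (not code from the talk or from KeYmaera X), a minimal Python checker for proof terms built from the constants, conjunction and application rules above: it computes the formula a term justifies or rejects the term, which is the independent check a certificate consumer would run instead of trusting tactics. It assumes tuples for formulas and terms, treats modal formulas as opaque atoms, omits the uniform substitution terms ($\sigma\, e$, $CE_\sigma\, e$, ...), and fixes a left/right convention for $\bullet_\rightarrow$ and $\bullet_\leftarrow$ that the slides leave open; it replays the BoxChoice certificate from the earlier slide on constructed sample input.

```python
# Added example, not from the talk or KeYmaera X: a tiny checker for LPdL-style
# proof terms. Only the constant, (And) and (Application) rules are covered.
def Atom(s): return ("atom", s)          # opaque formula, e.g. a modal dL formula
def And(a, b): return ("and", a, b)
def Imp(a, b): return ("imp", a, b)
def Iff(a, b): return ("iff", a, b)
def Const(phi): return ("const", phi)    # c_phi: axiom / tautology constant
def Conj(e, d): return ("conj", e, d)    # e ∧ d
def App(e, d): return ("app", e, d)      # e • d   (modus ponens)
def AppR(e, d): return ("appR", e, d)    # e •→ d  (assumed: d proves the left side)
def AppL(e, d): return ("appL", e, d)    # e •← d  (assumed: d proves the right side)

class BadProof(Exception): pass

def check(term, axioms):
    """Return the formula `term` justifies; raise BadProof if it justifies nothing."""
    kind = term[0]
    if kind == "const":                  # constants must name an accepted axiom
        if term[1] not in axioms:
            raise BadProof(f"unknown constant {term[1]}")
        return term[1]
    if kind == "conj":                   # (And): e : phi, d : psi  =>  phi ∧ psi
        return And(check(term[1], axioms), check(term[2], axioms))
    if kind not in ("app", "appR", "appL"):
        raise BadProof(f"unknown proof term {kind}")
    f, phi = check(term[1], axioms), check(term[2], axioms)
    if kind == "app":                    # (Application): e : phi -> psi, d : phi => psi
        if f[0] != "imp" or f[1] != phi:
            raise BadProof("e must prove phi -> psi and d must prove phi")
        return f[2]
    src, dst = (1, 2) if kind == "appR" else (2, 1)   # directional use of <->
    if f[0] != "iff" or f[src] != phi:
        raise BadProof("d must prove the matching side of the equivalence")
    return f[dst]

def box_choice_certificate():
    """The BoxChoice example as a certificate (constructed sample input)."""
    psi = Atom("[x:=4 ∪ x:=5] x>3")
    a, b = Atom("[x:=4] x>3"), Atom("[x:=5] x>3")
    instance = Iff(psi, And(a, b))       # σ applied to [a∪b]p ↔ [a]p ∧ [b]p
    axioms = {instance, a, b}            # a and b taken as already proved
    return check(AppL(Const(instance), Conj(Const(a), Const(b))), axioms)

def rejects_bogus_application():
    """A term applying a non-implication must be rejected, not silently accepted."""
    a, b = Atom("[x:=4] x>3"), Atom("[x:=5] x>3")
    try:
        check(App(Const(a), Const(b)), {a, b})   # a is no implication
        return False
    except BadProof:
        return True
```

The trusted base is `check` plus the axiom set handed to it; everything the prover did to find the term is irrelevant to whether the certificate checks.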
Semantics of LPdL
- $[\![\varphi]\!]^I = [\![\varphi]\!]^I_{dL}$
- $[\![i_A : A]\!]^I = S$ for dL axioms $A$
- $[\![j_T : T]\!] = S$ for $FOL_\mathbb{R}$ tautologies $T$
- $[\![e \wedge d : \varphi \wedge \psi]\!]^I = [\![e : \varphi]\!]^I \cap [\![d : \psi]\!]^I$
- $[\![e \bullet d : \varphi]\!]^I = \bigcup_\psi [\![e : (\psi \to \varphi)]\!]^I \cap [\![d : \psi]\!]^I$
- ...
Correctness Properties
Theorem (Proof terms justify theorems). Let $e$ be a proof term and $\varphi$ a dL formula. If $\vdash_{LPdL} e : \varphi$ then $\vdash \varphi$.
[Figure: KeYmaera X architecture. User Interface: KeYmaera X Web UI (JavaScript) with simplified proof tree view, proof view, tactics, models, proof log; REST-API (start/stop/pause/resume, proof tree simplification, searching, execution, proof storing). Scala-API: Tactical Prover / HyDRA Server with proof tree, proof strategies, dL tactics, combinators, scheduler, wrappers for kernel primitives. Axiomatic Core: KeYmaera X Kernel (soundness-critical, Scala) with real quantifier elimination, proof certificates, uniform substitution, differential equation solving, bound renaming, propositional sequent calculus with Skolemization, axioms.]