A Uniform Substitution Calculus for Differential Dynamic Logic Andr - PowerPoint PPT Presentation

A Uniform Substitution Calculus for Differential Dynamic Logic Andr´ e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA The Secret for Simpler Sound Hybrid Systems Provers 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 1 / 27

Outline Cyber-Physical Systems 1 Uniform Substitution Calculus for Differential Dynamic Logic 2 Uniform Substitution Calculus Axiom vs. Axiom Schemata Uniform Substitutions Differential Axioms Examples Differential-form Differential Dynamic Logic 3 Semantics: Local Differential Substitution Lemmas Static Semantics Summary 4 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 1 / 27

Outline Cyber-Physical Systems 1 Uniform Substitution Calculus for Differential Dynamic Logic 2 Uniform Substitution Calculus Axiom vs. Axiom Schemata Uniform Substitutions Differential Axioms Examples Differential-form Differential Dynamic Logic 3 Semantics: Local Differential Substitution Lemmas Static Semantics Summary 4 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 1 / 27

CPS Analysis Challenge (CPS) Fixed rule describing state 3.5 evolution with both 3.0 2.5 Discrete dynamics 2.0 (control decisions) 1.5 1.0 Continuous dynamics 0.5 (differential equations) 0.0 0 1 2 3 4 5 6 a 1.0 v p 0.2 8 0.8 10 t 2 4 6 8 6 0.6 � 0.2 p x 4 0.4 � 0.4 � 0.6 0.2 2 p y � 0.8 10 t 10 t 2 4 6 8 2 4 6 8 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 2 / 27

CPS Analysis Challenge (CPS) Fixed rule describing state 3.5 evolution with both 3.0 2.5 Discrete dynamics 2.0 (control decisions) 1.5 1.0 Continuous dynamics 0.5 (differential equations) 0.0 0 1 2 3 4 5 6 a d Ω 1.0 d x 0.2 0.5 10 t 2 4 6 8 0.5 10 t 2 4 6 8 � 0.2 � 0.5 10 t � 0.4 2 4 6 8 d y � 0.6 � 1.0 � 0.5 � 0.8 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 2 / 27

CPS Analysis Differential Dynamic Logic Seq. Nondet. [ α ] φ φ Compose Repeat α �� ; x ′ = v , v ′ = a � ∗ � x � = o ∧ b > 0 → if (tooClose( x , o )) a := − b x � = o � �� � � �� � � �� � � �� � post init ODE discrete control a 1.0 v p 0.2 8 0.8 10 t 2 4 6 8 6 0.6 � 0.2 p x 4 0.4 � 0.4 � 0.6 0.2 2 p y � 0.8 10 t 10 t 2 4 6 8 2 4 6 8 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 3 / 27

Key Contributions Q: How to build a prover with a small soundness-critical core? A: Uniform substitution [Church] Q: How to enable flexible yet sound reasoning? A: Axioms with local meaning [Philosophy, Algebraic Geometry] Q: What’s the local meaning of a differential equation? A: Differential forms [Differential Geometry] Q: How to do hybrid systems proving? A: Uniform substitution calculus for differential dynamic logic Q: What’s the impact of uniform substitution on a prover core? A: 65 989 ց 1 682 LOC (2.5%) [KeYmaera X] Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 4 / 27

Outline Cyber-Physical Systems 1 Uniform Substitution Calculus for Differential Dynamic Logic 2 Uniform Substitution Calculus Axiom vs. Axiom Schemata Uniform Substitutions Differential Axioms Examples Differential-form Differential Dynamic Logic 3 Semantics: Local Differential Substitution Lemmas Static Semantics Summary 4 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 4 / 27

Differential Dynamic Logic: Comparison [ x := f ] p ( x ) ↔ p ( f ) [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [? q ] p ↔ ( q → p ) [?] [? H ] φ ↔ ( H → φ ) [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ x ) ↔ [ a ][ b ] p (¯ [;] [ α ; β ] φ ↔ [ α ][ β ] φ [ a ; b ] p (¯ x ) [ a ∗ ] p (¯ x ) ∧ [ a ][ a ∗ ] p (¯ [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ x ) ↔ p (¯ x ) x ) → q (¯ x )) → ([ a ] p (¯ x ) → [ a ] q (¯ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) [ a ]( p (¯ x )) [ a ∗ ]( p (¯ x ) → [ a ∗ ] p (¯ I [ α ∗ ]( φ → [ α ] φ ) → ( φ → [ α ∗ ] φ ) x ) → [ a ] p (¯ x )) → ( p (¯ x )) p → [ a ] p V φ → [ α ] φ [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := x ( t )] φ CADE’15 LICS’12 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 6 / 27

Differential Dynamic Logic: Comparison [ x := f ] p ( x ) ↔ p ( f ) [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [? q ] p ↔ ( q → p ) [?] [? H ] φ ↔ ( H → φ ) Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ x ) ↔ [ a ][ b ] p (¯ [;] [ α ; β ] φ ↔ [ α ][ β ] φ [ a ; b ] p (¯ x ) [ a ∗ ] p (¯ x ) ∧ [ a ][ a ∗ ] p (¯ [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ x ) ↔ p (¯ x ) x ) → q (¯ x )) → ([ a ] p (¯ x ) → [ a ] q (¯ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) [ a ]( p (¯ x )) [ a ∗ ]( p (¯ x ) → [ a ∗ ] p (¯ I [ α ∗ ]( φ → [ α ] φ ) → ( φ → [ α ∗ ] φ ) x ) → [ a ] p (¯ x )) → ( p (¯ x )) Axiom Schema p → [ a ] p V φ → [ α ] φ [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := x ( t )] φ CADE’15 LICS’12 Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 6 / 27

Axiom vs. Axiom Schemata Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ Axiom Schema p → [ a ] p φ → [ α ] φ . . . Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 7 / 27

Axiom vs. Axiom Schemata Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ Pattern Placeholder Same match α schema instance formulas variable of φ in for shape matcher all places α ∪ β Axiom Schema p → [ a ] p φ → [ α ] φ . . . Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 7 / 27

Axiom vs. Axiom Schemata Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ Pattern Placeholder Same match α schema instance formulas variable of φ in for shape matcher all places α ∪ β Axiom Schema p → [ a ] p φ → [ α ] φ . . . x = 0 → [ y ′ = 5] x = 0 x = y → [ y ′ = 5] x = y x = z → [ y ′ = 5] x = z Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 7 / 27

Axiom vs. Axiom Schemata Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ Pattern Placeholder Same match α schema instance formulas variable of φ in for shape matcher all places α ∪ β Axiom Schema p → [ a ] p φ → [ α ] φ . . . � x = 0 → [ y ′ = 5] x = 0 special vs. rule out × x = y → [ y ′ = 5] x = y degenerate by side � x = z → [ y ′ = 5] x = z instances conditions Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 7 / 27

Axiom vs. Axiom Schemata: Formula vs. Algorithm Algorithm 1 Formula Axiom Schema [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ Pattern Placeholder Generic formula. Same match α schema No exceptions. instance formulas variable of φ in for shape matcher all places α ∪ β Axiom Schema p → [ a ] p φ → [ α ] φ . . . � x = 0 → [ y ′ = 5] x = 0 special vs. rule out × x = y → [ y ′ = 5] x = y degenerate by side � x = z → [ y ′ = 5] x = z instances conditions Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 7 / 27

Generic Formulas in Axioms are like Generic Points An analogy from algebraic geometry concrete points Axiom schemata with side conditions are like ∃ x ax 2 + bx + c = 0 iff b 2 ≥ 4 ac except a = 0 except b = 0 except c = 0 This Way The generic formulas in axioms are like generic points Axioms √ ax 2 + bx + c = 0 iff x = − b ± b 2 − 4 ac / (2 a ) Paying attention during substitutions to avoid degenerates (no /0, √− 1) Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 8 / 27

Axioms vs. Axiom Schemata: Philosophy Affects Provers � Soundness easier: literal formula, not instantiation mechanism � An axiom is one formula. Axiom schema is a decision algorithm. � Generic formula, not some shape with characterization of exceptions � No schema variable or meta variable algorithms � No matching mechanisms / unification in prover kernel � No side condition subtlety or occurrence pattern checks (per schema) × Need other means of instantiating axioms: uniform substitution (US) � US + renaming: isolate static semantics � US independent from axioms: modular logic vs. prover separation � More flexible by syntactic contextual equivalence × Extra proofs branches since instantiation is explicit proof step Andr´ e Platzer (CMU) Uniform Substitution for Differential Dynamic Logic CADE 9 / 27