bellerophon tactical theorem proving for hybrid systems
play

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan - PowerPoint PPT Presentation

Nov 15, 2023 •273 likes •964 views

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon Bohrer, Andr Platzer Carnegie Mellon University Cyber-Physical Systems Cyber-Physical Systems combine computation and control. Hybrid Systems

  1. Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon Bohrer, André Platzer Carnegie Mellon University

  3. Cyber-Physical Systems Cyber-Physical Systems combine computation and control. Hybrid Systems model combinations of discrete and continuous dynamics.

  4. Bellerophon Verifying hybrid systems is hard.

  5. Bellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid systems with tactics:

  6. Bellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid systems with tactics: ● Build on a sound core.

  7. Bellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid systems with tactics: ● Build on a sound core. ● Implement high-level primitives for hybrid systems proofs.

  8. Bellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid systems with tactics: ● Build on a sound core. ● Implement high-level primitives for hybrid systems proofs. ● Automate common constructions (for ODEs and control software)

  9. Bellerophon Theorem Bellerophon Conceptual Proof Hybrid Systems LOC Steps Axiom Applications Static Safety 12 71 30,355 Passive-Friendly 45 140 68,620 Safety Orientation Safety 15 108 173,989 Pass Intersection 234 440 61,878 Liveness

  10. KeYmaera X: Trustworthy Foundations Interactive Reachability Analysis Bellerophon combinator language ➢ Bellerophon standard library for hybrid systems ➢ Demonstration ➢ Bellerophon for Automation and Tooling Conclusions & Resources

  11. Trustworthy Foundations KeYmaera X enables trustworthy automation for hybrid systems analysis: ● A well-defined logical foundations, ● implemented in a small trustworthy core ● that ensures correctness of automation and tooling .

  12. Trustworthy Foundations Hybrid Programs a=a 0 a=t a := t b=b 0 b=b 0 c=c 0 c=c 0 ... ...

  13. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ...

  14. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ... If P is true: no change ?P If P is false: terminate

  15. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ... a ∪ b If P is true: no change ?P If P is false: terminate

  16. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ... a ∪ b If P is true: no change ?P If P is false: terminate

  17. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ... a ∪ b If P is true: no change ?P If P is false: terminate a* a ...a...

  18. Trustworthy Foundations Hybrid Programs a;b a=a 0 a=t a := t a;b b=b 0 b=b 0 c=c 0 c=c 0 a b ... ... a ∪ b If P is true: no change ?P If P is false: terminate x=F(0) ... x’=f a* a ...a... x=x 0 ⋮ ... x=F(T) ...

  19. Trustworthy Foundations Reachability Specifications [a]P “after every execution of a, P” <a>P “after some execution of a, P”

  20. Trustworthy Foundations Reachability Specifications [a]P “after every execution of a, P” <a>P “after some execution of a, P” init → [{x := u(x); x’ = f(x)}*]safe

  21. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; {x’ = v, V’ = f(v,g,r), t’=1 v’=f(v,g,r) x & 0≤x & t≤T} }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  22. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; {x’ = v, V’ = f(v,g,r), t’=1 v’=f(v,g,r) x & 0≤x & t≤T} }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  23. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; {x’ = v, V’ = f(v,g,r), t’=1 v’=f(v,g,r) x & 0≤x & t≤T} }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  24. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; {x’ = v, V’ = f(v,g,r), t’=1 v’=f(v,g,r) x & 0≤x & t≤T} }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  25. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; { x’ = v, V’ = f(v,g,r) , t’=1 v’=f(v,g,r) x & 0≤x & t≤T} }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  26. Trustworthy Foundations Hello, World { {?Dive ∪ r := r p }; t:=0; {x’ = v, V’ = f(v,g,r), t’=1 v’=f(v,g,r) x & 0≤x & t≤T } }* Control : Continue diving if safe, else open parachute. Plant : Downward velocity determined by gravity, air resistance.

  27. Trustworthy Foundations Reachability Specifications (Dive & g>0 & …)→ [{ {?Dive ∪ r := r p }; {x’ = v, V’ = f(v,g,r) & 0≤x} v’=f(v,g,r) x }*] (x=0→m≤v)

  28. Trustworthy Foundations Reachability Specifications (Dive & g>0 & …)→ [{ {?Dive ∪ r := r p }; {x’ = v, V’ = f(v,g,r) & 0≤x} v’=f(v,g,r) x }*] (x=0→m≤v) If the parachuter is on the ground, their speed is safe (m≤v≤0)

  29. Introduction to Differential Dynamic Logic Dynamical Axioms [x:=t]f(x) ↔ f(t) [a ; b]P ↔ [a][b]P [a ∪ b]P ↔ ([a]P & [b]P) [x’=f&Q]P → (Q → P) ...

  30. Introduction to Differential Dynamic Logic Trusted Core AXIOM BASE Q.E.D. KeYmaera X Core [x:=t]f(x) ↔ f(t) [a;b]P ↔ [a][b]P [a ∪ b]P ↔ ([a]P & [b]P) [x’=f&Q]P → (Q → P) ...

  31. Introduction to Differential Dynamic Logic Trustworthy Implementations Automated Bellerophon Tooling Analyses AXIOM BASE Q.E.D. [x:=t]f(x) ↔ f(t) KeYmaera X Core [a;b]P ↔ [a][b]P [a ∪ b]P ↔ ([a]P & [b]P) [x’=f&Q]P → (Q → P) ...

  32. Introduction to Differential Dynamic Logic Prover Core Comparison

  33. Bellerophon Bellerophon enables interactive verification and tool development:

  34. Bellerophon Bellerophon enables interactive verification and tool development: ● A standard library of common proof techniques.

  35. Bellerophon Bellerophon enables interactive verification and tool development: ● A standard library of common proof techniques. ● A combinator language/library for decomposing theorems and composing proof strategies.

  36. Bellerophon Standard Library Tactic Meaning Applies propositional reasoning exhaustively. prop Symbolically executes discrete, loop-free programs. unfold Applies loop invariance axiom to position i. loop(J, i) Reasoning principles for differential equations. dI,dG,dC,dW

  37. Bellerophon Standard Library Tactic Meaning 1000+ Applies propositional reasoning exhaustively. prop Symbolically executes discrete, loop-free programs. unfold Applies loop invariance axiom to position i. loop(J, i) Reasoning principles for differential equations. dI,dG,dC,dW

  38. Bellerophon Combinators Tactic Meaning 1000+ Applies propositional reasoning exhaustively. prop Symbolically executes discrete, loop-free programs. unfold Applies loop invariance axiom to position i, extends J with constants. loop(J, i) Reasoning principles for differential equations. dI,dG,dC,dW Combinator Meaning A ; B Execute A on current goal, then execute B on the result. A | B Try executing A on current goal. If A fails, execute B on current goal. A * Run A until it no longer applies. A<( B 1 ,B 2 , … ,B N ) Execute A on current goal to create N subgoals. Run B i on subgoal i.

  39. Bellerophon Isolating Interesting Questions (Dive & g>0 & …)→ [{ }*] (x=0→m≤v)

  40. Bellerophon Isolating Interesting Questions (Dive & g>0 & Loop invariant holds initially …)→ (Dive & g>0 J & …)→ [{ J →[ Loop invariant is preserved prop ; loop(J,1) ]J J → }*] (x=0→m≤v) Loop invariant implies safety x=0→m≤v

  41. Bellerophon Isolating Interesting Questions (Dive & g>0 & Loop invariant holds initially …)→ (Dive & g>0 J & …)→ [{ J →[ Loop invariant is preserved prop ; loop(J,1) ]J J → }*] (x=0→m≤v) Loop invariant implies safety x=0→m≤v

  42. Bellerophon Isolating Interesting Questions (Dive & g>0 & …)→ (Dive & g>0 J & …)→ [{ J →[ J & Dive & r=r a → [x’=v,v’=...]J prop ; loop(J,1) u n f o l d J & r=r p → ]J [x’=v,v’=...]J J → }*] (x=0→m≤v) x=0→m≤v

  43. Bellerophon Isolating Interesting Questions (Dive & g>0 & …)→ (Dive & g>0 J & …)→ [{ J →[ J & Dive & r=r a → [x’=v,v’=...]J prop ; loop(J,1) u n f o l d J & r=r p → ]J [x’=v,v’=...]J J → }*] (x=0→m≤v) x=0→m≤v

  44. Bellerophon Isolating Interesting Questions prop ; loop(J, 1) <( QE, /* Real arith. solver */ QE, unfold ; <( … /* parachute open case */ … /* parachute closed case */ ) )

Recommend

Combining Higher Order Abstract Syntax with Tactical Theorem Proving &amp; (Co)Induction Simon

Combining Higher Order Abstract Syntax with Tactical Theorem Proving &amp; (Co)Induction Simon

APPSEM II, Nottingham, March 2003 1 Combining Higher Order Abstract Syntax with Tactical Theorem Proving &amp; (Co)Induction Simon J. Ambler &amp; Roy L. Crole &amp; Alberto Momigliano University of Leicester, UK

131 views • 12 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3.

CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3.

CS 671 Automated Reasoning Tactical Theorem Proving in NuPRL 1. Basic Tactics 2. Tacticals 3. Advanced Tactics Chaining, Induction, Case Analysis Tactics: User-defined inference rules Meta-level programs built using Basic inference rules

427 views • 8 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6,

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6,

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1 Milieu Safety-critical control software is pervasive and increasingly complicated. 2 Milieu Safety-critical control software is

525 views • 34 slides
Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 40

2.07k views • 171 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides
Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a theorem? Statement proven based on basis of previously established statements Premise: If I attend UofT, I am a student Premise: I attend

375 views • 25 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem proving problems premise selection deep learning for theorem proving state estimation Today automated reasoning learning in classical ATPs

1.18k views • 97 slides
KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel University of Oldenburg, Department of Computing Science, Germany International Joint Conference on Automated Reasoning, Sydney 2008 Andr e Platzer,

533 views • 25 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving Computer used to automate reasoning in a logic Traditionally part of artificial intelligence (not machine learning) Field of research since the

1.25k views • 101 slides
Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for general theorem proving Set theory vs. higher-order logic Herbrand-based approaches

475 views • 18 slides
Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving game adjusting MCTS for proving game some results 2019-10 1 Neural black box game state S move policy expected outcome R n v

455 views • 45 slides
Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and

Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and

Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and Bristol Robotics Laboratory Verification and Validation for Safety in Robots To develop techniques and methodologies that can be used to design

476 views • 45 slides
Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

First-order Logic and Theorem Proving Saturation-based Proving Further Tuning and the Role of Strategies Summary Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1 Czech Technical Univeristy in

913 views • 64 slides
Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my

Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my

Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my baby but my baby aint love nobody but me (Doris Day) Overview main goal: we will learn how ATP systems work (in theory) where ATP systems

520 views • 29 slides
Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes

Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes

Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes Kepler University of Linz, Austria kutsia@risc.jku.at Prover9 Automated theorem prover from the Argonne group Successor of Otter Author:

525 views • 17 slides
Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo

Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo

Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo Herbelin LIX, INRIA Futurs, Ecole Polytechnique 31/08/2006, Pontevedra, Spain Outline 1 Interactive proof / Automated theorem proving 2

1.1k views • 73 slides
Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Dis Background theory linear integer arithmetic Data structures ? Conjecture list axioms/arrays

443 views • 15 slides
Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1. Interactive Theorem Proving A partial, biased history A UTOMATH L. S. van Benthem Jutting, Checking Landaus Grundlagen in the A UTOMATH

920 views • 37 slides
Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems Alessandro

Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems Alessandro

Proving and Explaining the Unfeasibility of Message Sequence Charts for Hybrid Systems Alessandro Cimatti Sergio Mover Stefano Tonetta Fondazione Bruno Kessler October 31, 2011 Sergio Mover (FBK) Unfeasibility and Explanations of MSC

893 views • 74 slides
Planning and Theorem Proving Slides by Svetlana Lazebnik, 9/2016 with modifications by Mark

Planning and Theorem Proving Slides by Svetlana Lazebnik, 9/2016 with modifications by Mark

Planning and Theorem Proving Slides by Svetlana Lazebnik, 9/2016 with modifications by Mark Hasegawa-Johnson, 2/2020 CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=18656684 Planning and Theorem Proving Examples Automatic

666 views • 40 slides

More recommend