dLι: Definite Descriptions in Differential Dynamic Logic
Brandon Bohrer, Manuel Fernández, and André Platzer
Logical Systems Lab, Computer Science Department, Carnegie Mellon University
CADE-27, August 29, 2019
1 / 22
Outline
1 Introduction
2 CPS Needs Partiality, Discontinuity
3 Semantics
4 Proof Calculus
5 Theory
We Can Trust Theorem Provers
Prover:        Coq       NuPRL     KeYmaera X    HOL4
Verification:  [Bar10]   [AR14]    [BRV+17]      [KAMO16]
Foundation:    CIC       PRL       dL            HOL

We Can Almost Trust Theorem Provers
Prover:        Coq       NuPRL     KeYmaera X                  HOL4
Verification:  [Bar10]   [AR14]    Challenge: ⇀, C∞, Γ, ⇓      [KAMO16]
Foundation:    CIC       PRL       dL                          HOL

We Help dL Foundation Catch Up
Prover:        Coq       NuPRL     KeYmaera X                  HOL4
Verification:  [Bar10]   [AR14]    [BFP19] (challenge: ⇀, C∞, Γ, ⇓)   [KAMO16]
Foundation:    CIC       PRL       dLι                         HOL
Safety-Critical CPS Deserve Proofs
[Figures: Planes, Drones, Robots]
"How can we design cyber-physical systems people can bet their lives on?" – Jeannette Wing
dL + KeYmaera X Provides Proofs
[Figures: Planes, Drones, Robots]
Discrete Control + Continuous Dynamics, verified by Syntactic Proof:
$$\frac{\Gamma \vdash A}{\Gamma \vdash A \wedge B}$$
How do proofs cope when control and dynamics are partial or discontinuous?
Part 2: CPS Needs Partiality, Discontinuity
Example System: Robot Water Cooler
$$\alpha_B \equiv \Big( \big(\{?h > 0;\ a := 1\} \cup a := 0\big);\ \{h' = -a\sqrt{2gh}/A \ \&\ h \ge 0\} \Big)^*$$
Slide annotations: choose control case ($\cup$); test $h > 0$ ($?h > 0$); set $a$ to 1 ($a := 1$); evolve physics (the ODE).

Proposition (Leakiness)
$$g > 0 \wedge h = h_0 \wedge h_0 > 0 \wedge A > 0 \to [\alpha_B](h \le h_0)$$
Slide annotations: first-order arithmetic (the assumptions); conjunction ($\wedge$); implication ($\to$); all runs ($[\alpha_B]$).
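A worked check of the Leakiness proposition, added here and not part of the original slides; it argues semantically along the runs of $\alpha_B$ rather than through any particular dL proof rule:
$$\text{Inside the evolution domain } h \ge 0 \text{ with } g > 0:\quad 2gh \ge 0,\ \text{so } \sqrt{2gh} \text{ is defined and } \sqrt{2gh} \ge 0.$$
$$\text{After either control branch } a \in \{0,1\},\ \text{and } A > 0,\ \text{hence}\quad h' = -\frac{a\sqrt{2gh}}{A} \le 0.$$
$$\text{Along every ODE run } h(t) \le h(0);\ \text{the assignments to } a \text{ do not change } h;$$
$$\text{so } h \le h_0 \text{ holds after each loop iteration, i.e. } [\alpha_B](h \le h_0).$$
The definedness of $\sqrt{2gh}$ rests on the domain constraint $h \ge 0$: without it the right-hand side of the ODE has no real value, which is exactly the kind of partiality this section motivates.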
Part 3: Semantics
dL Needs Lots of Extensions
Definition (dL Terms)
$$\theta, \eta ::= x \mid q \mid \theta + \eta \mid \theta \cdot \eta \mid (\theta)' \mid \theta/\eta \mid \sqrt{\theta} \mid \max(\theta, \eta) \mid \min(\theta, \eta) \mid |\theta| \mid (\text{if}(\phi)(\theta)\text{else}(\eta))$$
$$\qquad \mid \sin(\theta) \mid \cos(\theta) \mid (\theta, \eta) \mid \pi_1\theta \mid \pi_2\theta \mid \text{in}_{\mathbb{R}}(\theta) \mid \text{isT}(\theta) \mid \text{map2}(T, f(x, y)) \mid \text{zip}(L_1, L_2) \mid L_1 \vec{+} L_2 \mid L_1 \vec{\cdot} L_2$$
(The slide builds this grammar up step by step: the core dL terms first, then division, square root, min/max/abs/conditional, trigonometry, pairs, and vector operations.)
dLι Generalizes Foundations
Definition (dLι Terms)
$$\theta, \eta ::= \cdots \mid (\theta, \eta) \mid \iota x\, \phi(x)$$
Slide annotations: $(\theta, \eta)$ is pairing; $\iota x\, \phi(x)$ is the unique $x$ such that $\phi$.

[Figure: dLι at the center, surrounded by the themes Discontinuity, Extensibility, Partiality, Vectoriality and the related foundations U. Subst., Ind. Types, Łukasiewicz, Free Logic, R Analysis]

Examples:
$$(\text{if}(\phi)(\theta_1)\text{else}(\theta_2)) = \iota x\,\big((\phi \wedge x = \theta_1) \vee (\neg\phi \wedge x = \theta_2)\big)$$
$$\sqrt{\theta} = \iota x\,(x^2 = \theta \wedge x \ge 0)$$
$$\theta_1/\theta_2 = \iota x\,(x \cdot \theta_2 = \theta_1)$$
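Working through the three examples, as an added illustration that is not on the original slide, of where each description has a unique witness and where it does not (the conditional case assumes $\phi$ has a definite truth value and $\theta_1, \theta_2$ are defined):
$$\sqrt{\theta} = \iota x\,(x^2 = \theta \wedge x \ge 0):\quad \theta \ge 0 \Rightarrow \text{unique witness } x = \sqrt{\theta};\qquad \theta < 0 \Rightarrow \text{no real } x,\ \text{term undefined}.$$
$$\theta_1/\theta_2 = \iota x\,(x \cdot \theta_2 = \theta_1):\quad \theta_2 \ne 0 \Rightarrow \text{unique } x = \theta_1/\theta_2;\quad \theta_2 = 0,\ \theta_1 \ne 0 \Rightarrow \text{no witness};\quad \theta_1 = \theta_2 = 0 \Rightarrow \text{every } x \text{ is a witness, so none is unique}.$$
$$(\text{if}(\phi)(\theta_1)\text{else}(\theta_2)) = \iota x\,\big((\phi \wedge x = \theta_1) \vee (\neg\phi \wedge x = \theta_2)\big):\quad \phi \text{ true} \Rightarrow \text{only } x = \theta_1;\quad \phi \text{ false} \Rightarrow \text{only } x = \theta_2.$$
In the division case the undefined states are exactly the line $y = 0$ in the "Formula Semantics" plots of $x/y = 1$; both failure modes (no witness, several witnesses) leave the $\iota$ term without a value.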
Term Semantics
[Figure: term semantics of dL compared with dLι]
Formula Semantics
[Figure: four plots over $x, y \in [-1, 1]$]
Compare: $x/y = 1$
And: $x/y \ge 1 \wedge y/x \ge 1$
Not: $\neg(x/y = 1)$
Or: $x/y \ge 1 \vee y/x \ge 1$
Part 4: Proof Calculus
Program Axioms Decompose Dynamics
$$[:=]\quad [x := f]\,p(x) \leftrightarrow p(f) \quad \leftarrow \mathrm{E}(f)$$
$$[?]\quad [?Q]P \leftrightarrow (\mathrm{D}(Q) \to P)$$
$$\langle\cup\rangle\quad \langle a \cup b\rangle P \leftrightarrow (\langle a \rangle P \vee \langle b \rangle P)$$
Slide annotations: $\mathrm{E}(f)$ reads "$f$ denotes"; $\mathrm{D}(Q)$ reads "$Q$ is definitely true".
[Figure: transition diagram for $\alpha \cup \beta$ with in/out states]
Figure: Selected Program Axioms (dLι)
Part 5: Theory
U. Subst. is Clean Foundation
Axioms are single formulas, substitution is explicit:
$$\frac{\phi}{\sigma(\phi)}\ \text{US}$$
Sound for admissible $\sigma$:
Definition (Admissibility (dL)): no new free variable reference under formula or program binders.
Definition (Admissibility (dLι)): no new free variable reference under formula, program, or term binders.
Takeaway: Admissibility generalizes cleanly to definite description.