Formally Verified Differential Dynamic Logic (in Isabelle/HOL and - PowerPoint PPT Presentation

Formally Verified Differential Dynamic Logic (in Isabelle/HOL and Coq) Brandon Bohrer ¹ , Vincent Rahli², Ivana Vukotic², Marcus Völp², André Platzer ¹ Thanks to: Johannes Hölzl, Fabian Immler, Tobias Nipkow, et. al.³ + Coquelicot team 1 Carnegie Mellon University 2 University of Luxembourg 1 3 Technical University Munich

Safety-Critical Control Software is Everywhere  How can we design cyber-physical systems people can bet their lives on? – Jeanette Wing 2

Formal Modeling and Verification Provide Safety ● Differential Dynamic Logic enables constructing and verifying hybrid models ● KeYmaera X theorem prover implements differential dynamic logic Example theorem : v ≥ 0 & A() ≥ 0 → [a := A(); {v’ = a, x’ = v & true}]v ≥ 0 3

Formal Modeling and Verification Provide Safety ● Differential Dynamic Logic enables constructing and verifying hybrid models ● KeYmaera X theorem prover implements differential dynamic logic Example theorem : v ≥ 0 & A() ≥ 0 → [a := A(); {v’ = a, x’ = v & true}]v ≥ 0 ● Correct proof requires correct prover 4

Formal Modeling and Verification Provide Safety ● Differential Dynamic Logic enables constructing and verifying hybrid models ● KeYmaera X theorem prover implements differential dynamic logic Example theorem : v ≥ 0 & A() ≥ 0 → [a := A(); {v’ = a, x’ = v & true}]v ≥ 0 ● Correct proof requires correct prover ● Goal: Ensure correctness of KeYmaera X 5

KeYmaera X Depends on a Big Stack Pick part of the stack, try to improve it Correctness Compiler Theory Implementation You 6

KeYmaera X Depends on a Big Stack Implemented in Scala: Large stack Correctness (Not specific to hybrid systems proving) Compiler Theory Implementation You 7

KeYmaera X Depends on a Big Stack LCF Approach: Prover Lines of Code Correctness HOL Light 400 ● Abstract type of proofs Compiler KeYmaera 3 66,000 isolates critical code ● Majority of code untrusted KeYmaera X 1,700 (2%) Theory Isabelle/Pure 8,000 Coq 20,000 NuPrl 15,000 + 50,000 Implementation PHAVer 30,000 SpaceEx 100,000 You 8

Small Core Requires Simple Proof Calculus Uniform Substitution (US) Simplifies Provers Correctness [ t :=0; t ’ = 1] t ≥ 0 ↔ [t :=0][t ’ = 1]t ≥ 0 Axiom Instance Compiler Theory [ a ; b]P ↔ [a][b]P Axiom Axioms are just data 1,700 lines Implementation Substitution σ={a ↦ t:=0, b ↦ t ’ =1, P ↦ t ≥ 0 } You 9

Uniform Substitution is Easy Correctness Substitution σ maps symbols to replacements Compiler Replace recursively (Some cases not primitive recursive!) Example: σ={f ↦ x + 1, p(y) ↦ y ≠ x} Theory σ(p(f)) = σ(p(x + 1)) = x + 1 ≠ x 1,700 lines Implementation You 10

Uniform Substitution is Easy φ Correctness US Simple Proof Rule: σ(φ) Compiler Theory 1,700 lines Implementation You 11

Uniform Substitution is Easy φ Correctness US Simple Proof Rule: σ(φ) Compiler Example: [x := f]p(x) ↔ p(f) US [x := _]___ ↔ ___ Theory Substitution σ={f ↦ x + 1, p(y) ↦ y ≠ x} 1,700 lines Implementation You 12

Uniform Substitution is Easy φ Correctness US Simple Proof Rule: σ(φ) Compiler Example: [x := f]p(x) ↔ p(f) US [x := x + 1]___ ↔ _(x + 1) Theory Substitution σ={f ↦ x + 1, p(y) ↦ y ≠ x} 1,700 lines Implementation You 13

Uniform Substitution is Easy φ Correctness US Simple Proof Rule: σ(φ) Compiler Example: [x := f]p(x) ↔ p(f) US [x := x + 1]x ≠ x↔ _(x + 1) Theory Substitution σ={f ↦ x + 1, p(y) ↦ y ≠ x} 1,700 lines Implementation You 14

Uniform Substitution is Easy φ Correctness US Simple Proof Rule: σ(φ) Compiler Example: [x := f]p(x) ↔ p(f) US [x := x + 1]x ≠ x ↔ x + 1 ≠ x Theory Substitution σ={f ↦ x + 1, p(y) ↦ y ≠ x} 1,700 lines Implementation You 15

Uniform Substitution is Hard φ Correctness US Simple Proof Rule: σ(φ) Compiler Example: [x := f]p(x) ↔ p(f) US [x := x + 1]x ≠ x ↔ x + 1 ≠ x Theory False ↔ True Substitution σ={f ↦ x + 1, p(y) ↦ y ≠ x} 1,700 lines Implementation Naive Substitution: UNSOUND! You 16

Uniform Substitution is Hard Correctness Admissibility checks determine when substitution is sound Compiler Example: σ([α]φ) = [σ(α)]σ(φ) If FV(σ) ∩ BV(α)= ∅ Theory FV(σ) = {x} BV(x := f) = {x} 1,700 lines Implementation FV(σ) ∩ BV(x := f) = {x} ≠ ∅ Clash Detected You 17

Justify the Theory with Formal Verification Related Work: Correctness Verified Theorem Prover Verified Using Compiler HOL Light Self*-verified HOL Light HOL 4 Milawa HOL 4 Theory Subset of Coq Coq Theory of NuPRL Coq 1,700 lines Implementation Let’s do it for hybrid systems! You 18

Verification: Independent, Trustworthy Justification Correctness Three reasons to trust the theory Compiler Theory Theory Theory Papers Isabelle Coq (20K/25K) (8K/15K) Implementation 1,700 lines You 19

Formalization of dL in Isabelle/HOL (Also applies to Coq version) 20

What’s in the Formalization? α, β ::= Syntax datatype hp = Pvar id a | Assign id trm Dynamics | x := θ | DiffAssign id trm ⇒ | x’ := θ | Test formula Axioms | ?φ | EvolveODE ODE formula | (ODE & φ) | Choice hp hp Statics | Sequence hp hp | (α ∪ β) | Loop hp | (α; β) Substitution | α* Renaming Syntax ⇒ Datatypes Proof Checker 21

What’s in the Formalization? [[α ∪ β]]I ν = [[α]]I ν ∪ [[β]]I ν …. Syntax Dynamics fun HPsem :: "interp → hp → (state * state) set" where Axioms | "HPsem I (Pvar p) = Programs I p" | "HPsem I (Assign x t) = {(ν, ω). ω = ν (x:= (θsem I t ν))}" Statics | "HPsem I (DiffAssign x t) = {(ν, ω). ω = ν (x':= (θsem I t ν))}" | "HPsem I (Test φ) = {(ν, ν) | ν. ν ∈ fml_sem I φ}" Substitution | "HPsem I (Choice α β) = HPsem I α ∪ HPsem I β" | "HPsem I (Sequence α β) = HPsem I α O HPsem I β" | "HPsem I (Loop α) = (HPsem I α)*" Renaming Semantic Functions ⇒ Isabelle Functions Proof Checker 22

What’s in the Formalization? p() -> [a]p() Syntax Dynamics Axioms definition Vaxiom ::formula where "Vaxiom ≡ ($φ p ()) → ([[$α a]]($φ p ()))" Statics Substitution theorem V_valid: "valid Vaxiom" by (auto simp: valid_def Vaxiom_def) Renaming Proof Checker Axiom ⇒ Definition + Validity Lemma 23

Differential Induction is Harder f ≥ 0 → [x’= θ & φ ]deriv(f) ≥ 0 → [x’= θ & φ ]f ≥ 0 Syntax f(t) ≥ 0 Dynamics Axioms Statics f(t) deriv(f)(s) ≥ 0 (for all s) Substitution f(0) ≥ 0 Renaming Proof Checker 0 t (By Mean-Value Theorem) 24

Static Semantics Enable Substitution Syntax Compute FV(e), BV(e) by structural recursion Dynamics Theorem (Coincidence) : Expressions depend only free variables Axioms Theorem (Bound Effect) : Programs affect only bound variables Statics Substitution Definitions verified, not trusted Renaming Proof Checker 25

Static Semantics Enable Substitution Syntax Dynamics Axioms primrec FOTsubst::"trm ⇒ FOsubst ⇒ trm" primrec Tsubst::"trm ⇒ subst ⇒ trm" Statics inductive FOTadmit :: "FOsubst ⇒ trm ⇒ bool" Substitution inductive Tadmit :: "subst ⇒ trm ⇒ bool" Renaming Formalize primitive recursive variant instead Proof Checker (First-order substitution for arguments) 26

Static Semantics Enable Substitution Syntax φ (σ admissible for φ) US Dynamics σ(φ) Axioms Statics lemma subst_fml_valid: Substitution assumes valid:"valid φ" Renaming assumes Fadmit:"Fadmit σ φ" shows "valid (Fsubst φ σ)" Proof Checker 27

New: Uniform Renaming Syntax φ UR Dynamics φ{x ↔ y} Axioms Statics Substitution lemma URename_sound: No Admissibility! assumes "valid φ" Renaming shows "valid (FUrename x y φ)" Proof Checker 28

New: Bound Renaming Renames Destinations Syntax [x:= θ]φ BR Dynamics [y:= θ]φ{x ↔ y} Axioms Statics Substitution lemma BRename_sound: Yes Admissibility! assumes valid:"valid ([[Assign x θ]]φ)" Renaming assumes FVF:"{y, y’} ∩ FVF φ = {}" shows "valid([[Assign y θ]]FUrename x y φ)" Proof Checker 29

KeYmaera X Bound Rename Unsound Syntax [x:= x’](x=x’) BR BUG! Dynamics [y:= x’](y=y’) Axioms Statics Substitution lemma BRename_sound: assumes valid:"valid ([[Assign x θ]]φ)" Renaming assumes FVF:"{y, y’, x’} ∩ FV φ = {}" shows "valid([[Assign y θ]]FUrename x y φ)" Proof Checker 30

Proof Checker - Step Toward Implementation Γ ⊢ φ Γ ⊢ ψ Syntax Γ ⊢ Δ KeYmaera X —————— Dynamics Γ ⊢ φ ∧ ψ Axioms Statics fun seq2fml :: " sequent ⇒ formula" Substitution where "seq2fml (ante,succ) = Implies (foldr And ante TT) (foldr Or succ FF)" Renaming type pf = "sequent * derivation" Proof Checker type rule = "sequent list * sequent" 31