KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems - PowerPoint PPT Presentation

  1. KeYmaera X: A Tutorial on Interactive Verification for Hybrid Systems. Nathan Fulton, Marktoberdorf 2017, August 11, 2017. Examples: https://nfulton.org/marktoberdorf.zip Slides: https://nfulton.org/slides/marktoberdorf.pdf

  4. Motivation
  KeYmaera X provides strong evidence that Cyber-Physical Systems are safe. But you need to provide the model and sometimes help the proof.
  André's Lectures:
  ◮ Differential Dynamic Logics – Syntax and Semantics
  ◮ Sound and relatively complete axiomatizations
  ◮ Some examples
  This Lecture:
  ◮ Practical advice for modeling systems
  ◮ Hands-on exercise proving theorems
  ◮ Example-driven

  5. Outline
  Straight Line Dynamics: The Stop Sign Model
  Circular Dynamics: Loitering Outside Prohibited Airspace
  Logarithmic Dynamics: Safe SCUBA Diving
  Extras: The ODE Solver; Taylor Approximations as Successive Differential Cuts

  6. The Stop Sign Model

  10. Take-Aways from the Stop Sign Model
  ◮ Focus on interesting questions by unfolding.
  ◮ Use contextual reasoning to avoid repetition of expensive or difficult proof steps.
  ◮ KeYmaera X's edit tool checks your arithmetic (a common and annoying source of errors, both in proofs and implementations!)
  ◮ Quantifier Elimination is a powerful tool, useful for more than just decision procedures:
    ◮ Find assumptions and loop invariants by reducing the system to arithmetic and eliminating quantifiers.
    ◮ ModelPlex: $\forall x_0, x_1, \dots, x_n.\ \exists y_0, \dots, y_n.\ \varphi$ is kinda hard to check at runtime...


  12. Loitering Outside Prohibited Airspace

  13. Loitering Outside Prohibited Airspace
  $y \le h \to [\,r := *;\ ?(r \le h \land x^2 + y^2 = r^2);\ x' = y,\ y' = -x\,]\ y \le h$
  (The assignment and test choose a circle below $h$; the ODE is the circular dynamics.)

  17. Lie Derivative Computations
  $(y \le h)' \equiv (y)' \le (h)' \equiv -x \le 0$   FALSE
  $(x^2 + y^2 = r^2)' \equiv (x^2 + y^2)' = (r^2)' \equiv 2xx' + 2yy' = 0 \equiv 2xy - 2xy = 0$
  $r \le h \land x^2 + y^2 = r^2 \overset{?}{\to} y \le h$   FALSE
  COUNTER-EXAMPLE: $-2 \le -2 \land 3 + 1 = 4$, yet $-1 \le -2$ fails (i.e. $r = h = -2$, $x^2 = 3$, $y = -1$).

  18. On Annoying Assumptions

  21. Take-aways from Loitering Example
  ◮ Like loop invariants, differential invariants sometimes need strengthening.
  ◮ In these cases, try using differential cuts to describe geometric constraints on the system.
  ◮ Most early proof attempts fail due to missing obvious assumptions:
    ◮ Upper/lower bounds (esp. positivity).
    ◮ Missing $t' = 1$ in time-triggered systems.
    ◮ Missing control epsilon $t \le T$ in the evolution domain.
    ◮ Interesting dynamics (e.g., missing $v \ge 0$).
  Use counter-examples to find these errors.


  23. Safe SCUBA Diving

  24. Heart Rate Function
  $x' = -(x - HR_{\max})\, b$

  25. SCUBA Ascent Case
  Control Goal: Find a condition that ensures the diver reaches the surface before running out of oxygen.

  30. SCUBA Proof Idea
  $x' = -(x - a)\, b,\ t' = -\tau x,\ d' = v,\ c' = C \ \&\ c \le C \land d \ge 0$
  Idea: Bound time and all non-linear terms, then prove linear inequalities on these bounds by integrating.
  ◮ Non-linear term: $x \le HR_{\max}$
  ◮ Bound time: $d_0 + v c \ge 0 \Rightarrow$ bound on time (denote it $z = -\frac{d_0}{v}$).
  $t = t_0 - \tau x c \ \ge\ t_0 - \tau\, HR_{\max}\, c \ \ge\ t_0 - \tau\, HR_{\max}\, z \ \ge\ 0$, where the last inequality is the initial safe states!
  The first step requires $x \le HR_{\max}$. This is the only interesting lemma.
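An added worked derivation of the time bound on the SCUBA proof-idea slide (not on the original slides), in the slides' own symbols. Two assumptions are made explicit here: the diver ascends, so $v < 0$ and the depth $d$ decreases, and the clock $c$ advances at unit rate so that it measures elapsed time and the integral below is taken along it.

\[
d(c) = d_0 + v c \ge 0 \quad\text{and}\quad v < 0 \;\Longrightarrow\; c \le -\frac{d_0}{v} = z .
\]

\[
t(c) = t_0 - \tau \int_0^{c} x(s)\, ds \ \ge\ t_0 - \tau\, HR_{\max}\, c \ \ge\ t_0 - \tau\, HR_{\max}\, z .
\]

The first inequality uses the lemma $x \le HR_{\max}$ (and $\tau \ge 0$); the second uses $c \le z$. Hence checking $t_0 - \tau\, HR_{\max}\, z \ge 0$ on the initial state is enough to guarantee $t \ge 0$, i.e. oxygen is not exhausted, for the whole ascent.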

  35. Computing the Differential Ghost
  Let's prove $x < HR_{\max}$ instead to avoid extra case splitting due to the $x = HR_{\max}$ bifurcation point.
  ◮ Step 1: Find an existential condition equivalent to our goal:
    $\models_{RCF}\ x < HR_{\max} \leftrightarrow \exists y.\ y^2 (x - HR_{\max}) = -1$
  ◮ Step 2: Find $y'$ s.t. $(y^2 (x - HR_{\max}) = -1)'$ is true:
    $(y^2 (x - HR_{\max}) = -1)' \equiv (y^2 (x - HR_{\max}))' = 0 \equiv 2yy'(x - HR_{\max}) + y^2 x' = 0 \equiv 2yy'(x - HR_{\max}) + y^2(-(x - a)\, b) = 0 \equiv \dots \equiv y' = \frac{b}{2}\, y$
    (All equivalences are with respect to the ODE, with $a = HR_{\max}$ as in the heart rate function.)
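The Lie derivative computations on the loitering slides and the ghost computation on this slide are both "differentiate the candidate invariant along the ODE and check whether the result is identically zero (or sign-definite)". The following is an added example, not code from the tutorial or from KeYmaera X: a small exact-arithmetic polynomial Lie-derivative calculator that reproduces all three checks. Polynomials are dicts from monomials to Fraction coefficients; the ODE is a dict from variable to its right-hand side, and any symbol not in that dict (here r, h, a, b) is treated as a constant. The function and variable names are this example's own.

```python
"""Lie derivatives of polynomial terms along polynomial ODEs, with exact arithmetic.

Added example; not code from the tutorial or from KeYmaera X. A polynomial is a
dict from a monomial (sorted tuple of (variable, exponent) pairs, () for the
constant term) to a Fraction coefficient. Variables that are not keys of the
ODE dict (here a, b, r, h) are treated as constants.
"""
from fractions import Fraction

def const(c):
    c = Fraction(c)
    return {(): c} if c != 0 else {}

def var(name):
    return {((name, 1),): Fraction(1)}

def _norm(p):
    # drop monomials whose coefficient cancelled to zero
    return {m: c for m, c in p.items() if c != 0}

def add(p, q):
    r = dict(p)
    for m, c in q.items():
        r[m] = r.get(m, Fraction(0)) + c
    return _norm(r)

def neg(p):
    return {m: -c for m, c in p.items()}

def sub(p, q):
    return add(p, neg(q))

def mul(p, q):
    r = {}
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            exps = dict(m1)
            for v, e in m2:
                exps[v] = exps.get(v, 0) + e
            m = tuple(sorted(exps.items()))
            r[m] = r.get(m, Fraction(0)) + c1 * c2
    return _norm(r)

def diff(p, v):
    """Partial derivative of p with respect to variable v."""
    r = {}
    for m, c in p.items():
        exps = dict(m)
        e = exps.pop(v, 0)
        if e == 0:
            continue
        if e > 1:
            exps[v] = e - 1
        nm = tuple(sorted(exps.items()))
        r[nm] = r.get(nm, Fraction(0)) + c * e
    return _norm(r)

def lie(p, ode):
    """Lie derivative of p along the ODE: sum over each state variable v of (dp/dv) * v'."""
    r = {}
    for v, rhs in ode.items():
        r = add(r, mul(diff(p, v), rhs))
    return r

def show(p):
    if not p:
        return "0"
    terms = []
    for m, c in sorted(p.items()):
        mono = "*".join(f"{v}^{e}" if e > 1 else v for v, e in m)
        terms.append(f"{c}*{mono}" if mono else str(c))
    return " + ".join(terms)

x, y, r, h, a, b = (var(n) for n in "xyrhab")

# Loitering model: x' = y, y' = -x (circular motion); r and h are constants.
CIRCLE = {"x": y, "y": neg(x)}

def lie_circle_invariant():
    """(x^2 + y^2 - r^2)' along CIRCLE; {} means identically zero, so x^2+y^2=r^2 is a differential invariant."""
    return lie(sub(add(mul(x, x), mul(y, y)), mul(r, r)), CIRCLE)

def lie_height_bound():
    """(y - h)' along CIRCLE is -x, which is not <= 0 everywhere on the circle: y <= h alone is not invariant."""
    return lie(sub(y, h), CIRCLE)

# Heart-rate ODE x' = -(x - a) b with the differential ghost y' = (b/2) y (a stands for HR_max).
HEART_WITH_GHOST = {
    "x": mul(neg(sub(x, a)), b),
    "y": mul(mul(const(Fraction(1, 2)), b), y),
}

def lie_ghost_invariant():
    """(y^2 (x - a) + 1)' along HEART_WITH_GHOST; {} confirms that y' = (b/2) y keeps y^2 (x - a) = -1 invariant."""
    return lie(add(mul(mul(y, y), sub(x, a)), const(1)), HEART_WITH_GHOST)

if __name__ == "__main__":
    print("(x^2+y^2-r^2)' =", show(lie_circle_invariant()))
    print("(y-h)'         =", show(lie_height_bound()))
    print("(y^2(x-a)+1)'  =", show(lie_ghost_invariant()))
```

Running the file prints `0`, `-1*x` and `0`: the circle equation and the ghost equation are differential invariants, while the Lie derivative of `y - h` is `-x`, whose sign the circular dynamics do not fix, which is exactly why the loitering proof needs the differential cut on `x^2 + y^2 = r^2` (plus `r <= h`) rather than `y <= h` alone. Exact Fractions are used so that a cancellation to zero is a real identity and not a floating-point artefact.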

  36. Take-aways from SCUBA Example
  ◮ As systems become harder to model, parametric models save the day.
  ◮ Identifying and using differential ghosts is (sometimes) systematic.
  ◮ Partial solutions to fragments of an ODE's dynamics are useful whenever you can upper-bound terms.
  ◮ Tactics ⇒ proof reuse

  37. Summary

  38. Resources
  Notes, slides, and examples from this talk: https://nfulton.org/marktoberdorf
  KeYmaera X website: https://keymaeraX.org
  Online Instance (With Mathematica!): https://web.keymaeraX.org
  Source Code (Scala): https://github.com/LS-Lab/KeYmaeraX-release
  KeYmaera X Credits: Stefan Mitsch, Jan-David Quesel, Marcus Völp, Brandon Bohrer, Yong Kiam Tan, André Platzer, ...
  SCUBA Credits: Karim Elmaaroufi and Viren Bajaj
