keymaera x theorem proving for hybrid systems
play

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton - PowerPoint PPT Presentation

Sep 19, 2023 •179 likes •525 views

KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1 Milieu Safety-critical control software is pervasive and increasingly complicated. 2 Milieu Safety-critical control software is

  1. KeYmaera X: Theorem Proving for Hybrid Systems Nathan Fulton Carnegie Mellon University May 6, 2016 1

  2. Milieu Safety-critical control software is pervasive and increasingly complicated. 2

  3. Milieu Safety-critical control software is pervasive and increasingly complicated. 2

  4. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 3

  5. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 Tactics Maintainable and readable proof automation 3

  6. KeYmaera X Small Core Increases trust, enables experimentation System LOC KeYmaera X 1 682 Isabelle/Pure 8 113 Coq 20 000 dReal 50 000 SpaceEx 100 000 Tactics Maintainable and readable proof automation GUI A point-and-prove interface for interacting with deeply nested formulas 3

  7. Hybrid Programs Assign x := θ Sequence α ; β Iteration α ∗ Choice α ∪ β Test ? ϕ ODEs { x ′ 1 = θ 1 , . . . , x ′ n = θ n & P } 4

  8. A Hybrid System Specification vel ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ acc := A ∪ acc := − B } ; { pos ′ = vel , vel ′ = acc & vel ≥ 0 }} ∗ ] vel ≥ 0 5

  9. A Hybrid System Specification vel ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ acc := A ∪ acc := − B } ; { pos ′ = vel , vel ′ = acc & vel ≥ 0 }} ∗ ] vel ≥ 0 5

  10. Core: Uniform Substitution UniformSubstitution φ σ ( φ ) Where σ performs admissible substitutions on functions, predicates, and program constants. 6

  11. Core: Axioms Axiom "K�modal�modus�ponens". [a;](p(?)->q(?)) -> (([a;]p(?)) -> ([a;]q(?))) End. Axiom "DC�differential �cut". ([c&H(?);]p(?) <-> [c&(H(?)&r(?));]p(?)) <- [c&H(?);]r(? End. Axiom "[++]�choice". [a ++ b]p(?) <-> ([a;]p(?) & [b;]p(?)). End. 7

  12. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 8

  13. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 8

  14. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 8

  15. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 8

  16. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 8

  17. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 8

  18. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  19. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  20. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  21. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic 9

  22. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & DiffInv(" v ≥ 0 ") & 5. Appeal to Decision Procedure for Real Arithmetic 9

  23. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ImplyR & Loop(" v ≥ 0 ")<(QE,QE, Seq & Choice & BoxAssign & DiffInv(" v ≥ 0 ") & Arithmetic & Close ) 9

  24. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: ⇐ Prop & Loop(" v ≥ 0 ")<(QE,QE, ⇐ SymbolicExecution & DiffInv(" v ≥ 0 ") & Arithmetic & Close ) 9

  25. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(" v ≥ 0 ")<(QE,QE, SymbolicExecution & ⇐ DiffInv(DIGen) & Arithmetic & Close ) 9

  26. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & ⇐ Loop(LoopInvGen)<(QE,QE & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close ) 9

  27. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(LoopInvGen)<(QE,QE & SymbolicExecution & DiffInv(DIGen) & ⇐ Arithmetic & Close ) 9

  28. Tactics: Sketching and Searching Theorem v ≥ 0 ∧ A > 0 ∧ B > 0 → [ {{ a := A ∪ a := − B } ; { x ′ = v , v ′ = a & v ≥ 0 }} ∗ ] v ≥ 0 A Prototypical Proof Outline for a ϕ → [ { ctrl; plant } ∗ ] ψ Model: Prop & Loop(LoopInvGen) <(QE,QE & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close ) 9

  29. Applications and Uses ◮ Education: Foundations of CPS Course at CMU ◮ ACAS X ◮ ModelPlex 10

  30. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . 11

  31. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . ◮ Subtle modeling mistakes are easy Vacuous models: [? H ] P , [ x ′ = θ ∧ H ] P , . . . Non-implementable models . . . 11

  32. Challenge 1: Steep learning curve ◮ Commonplace mathematical objects are not primitives e , π , sin ( x ), cos ( x ), . . . ◮ Subtle modeling mistakes are easy Vacuous models: [? H ] P , [ x ′ = θ ∧ H ] P , . . . Non-implementable models . . . ◮ Abrupt transitions as models become more difficult ◮ From automated proving to interactive proving ◮ From web UI to custom tactics 11

  33. Challenge 2: Large Proofs are Difficult and Fragile ACAS X ◮ Existing implementation: MDP ⇒ large lookup table. ◮ Idea: Verify model, compare to outputs. ◮ Possible! But painful. 12

Recommend

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e Platzer Jan-David Quesel University of Oldenburg, Department of Computing Science, Germany International Joint Conference on Automated Reasoning, Sydney 2008 Andr e Platzer,

533 views • 25 slides
Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon

Bellerophon: Tactical Theorem Proving for Hybrid Systems Nathan Fulton , Stefan Mitsch, Brandon Bohrer, Andr Platzer Carnegie Mellon University Cyber-Physical Systems Cyber-Physical Systems combine computation and control. Hybrid Systems

964 views • 68 slides
Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the

Improving KeYmaera Less clicking, more proving Motivation &amp; Initial Idea improve the user-KeYmaera experience implement convenience features in KeYmaera reduce the amount of clicking Changes from initial idea moved over

291 views • 14 slides
On Theorem Proving for Program Checking Historical perspective and recent developments Maria

On Theorem Proving for Program Checking Historical perspective and recent developments Maria

Outline Introduction Where is theorem proving in program checking Inside theorem proving Big and little engines together: a new theorem proving style Decision procedures with speculative inferences Current and future challenges On Theorem

944 views • 69 slides
Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon

Automatically Robustifying Verified Hybrid Systems in KeYmaera X Nathan Fulton Carnegie Mellon University September 13, 2016 Dagstuhl, Germany Robustness A system is robust if it operates correctly despite: Disturbances in actuation

516 views • 28 slides
Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without

Interactive Theorem Proving, Nancy August 22, 2016 Joachim Breitner Karlsruhe Institute of Technology University of Pennsylvania, Philadelphia Visual theorem proving with the Incredible Proof Machine The idea Theorem Proving without Syntax

579 views • 43 slides
KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf

KeYmaera X A Tutorial on Interactive Verification for Hybrid Systems Nathan Fulton Marktoberdorf 2017 August 11, 2017 Examples: https://nfulton.org/marktoberdorf.zip Slides: https://nfulton.org/slides/marktoberdorf.pdf 1 Motivation KeYmaera

775 views • 46 slides
Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department

Proving Hybrid Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 40

2.07k views • 171 slides
Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht

Automated Theorem Proving 1/4: Introduction and Propositional Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 21, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk.

609 views • 40 slides
Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program

Automated Theorem Proving 2/4: First-Order Theorem Proving A.L. Lamprecht Course Program Semantics and Verfication 2020, Utrecht University September 23, 2020 Lecture Notes Automated Reasoning by Gerard A.W. Vreeswijk. Available for

1.03k views • 54 slides
Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a

Theorem-Proving Environments Nathan Ng CSC2547: Learning to Search Theorem Proving What is a theorem? Statement proven based on basis of previously established statements Premise: If I attend UofT, I am a student Premise: I attend

375 views • 25 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA Overview Last Lecture theorem proving problems premise selection deep learning for theorem proving state estimation Today automated reasoning learning in classical ATPs

1.18k views • 97 slides
Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22,

Reachability Analysis in the KeYmaera X Theorem Prover SNR 2017 | Uppsala, Sweden | April 22, 2017 Nathan Fulton Other System Contributors: Stefan Mitsch, Andr Platzer, Brandon Bohrer, Yong Kiam Tan, Jan-David Quesel, ... Trustworthy

932 views • 57 slides
Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

Health Warning Principles, Techniques, Applications Theorem Proving is addictive Gerwin Klein

W HAT YOU WILL LEARN how to use a theorem prover background, how it works how to prove and specify NICTA Advanced Course Slide 1 Slide 3 Theorem Proving Health Warning Principles, Techniques, Applications Theorem Proving is

262 views • 9 slides
Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving

Artificial Intelligence in Theorem Proving Cezary Kaliszyk VTSA 2019 Computer Theorem Proving Computer used to automate reasoning in a logic Traditionally part of artificial intelligence (not machine learning) Field of research since the

1.25k views • 101 slides
Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for

Formal Verification Methods 4: Theorem Proving Formal Verification Methods 4: Theorem Proving John Harrison Intel Corporation Need for general theorem proving Set theory vs. higher-order logic Herbrand-based approaches

475 views • 18 slides
Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving

Learning theorem proving through self-play Stanisaw Purga Overview AlphaZero Proving game adjusting MCTS for proving game some results 2019-10 1 Neural black box game state S move policy expected outcome R n v

455 views • 45 slides
Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and

Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and

Theorem Proving and Testing for Autonomous Systems Kerstin Eder University of Bristol and Bristol Robotics Laboratory Verification and Validation for Safety in Robots To develop techniques and methodologies that can be used to design

476 views • 45 slides
Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1

First-order Logic and Theorem Proving Saturation-based Proving Further Tuning and the Role of Strategies Summary Saturation-based Theorem Proving and ML Course Machine Learning and Reasoning 2020 MLR 2020 1 1 Czech Technical Univeristy in

913 views • 64 slides
Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my

Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my

Automated Theorem Proving Georg Struth University of She ffi eld Motivation everybody loves my baby but my baby aint love nobody but me (Doris Day) Overview main goal: we will learn how ATP systems work (in theory) where ATP systems

520 views • 29 slides
Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes

Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes

Automated Reasoning Systems Resolution Theorem Proving: Prover9 Temur Kutsia RISC, Johannes Kepler University of Linz, Austria kutsia@risc.jku.at Prover9 Automated theorem prover from the Argonne group Successor of Otter Author:

525 views • 17 slides
Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo

Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo

Mechanical Theorem Proving in Tarskis Geometry. Julien Narboux under the supervision of Hugo Herbelin LIX, INRIA Futurs, Ecole Polytechnique 31/08/2006, Pontevedra, Spain Outline 1 Interactive proof / Automated theorem proving 2

1.1k views • 73 slides
Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in

Proving In fi nite Satis fi ability Peter Baumgartner Joshua Bax Goal Theorem Proving in Hierarchic Combinations of Speci fi cations Dis Background theory linear integer arithmetic Data structures ? Conjecture list axioms/arrays

443 views • 15 slides
Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1.

Theorem Proving and the Real Numbers Applications and Challenges Lawrence C Paulson 1. Interactive Theorem Proving A partial, biased history A UTOMATH L. S. van Benthem Jutting, Checking Landaus Grundlagen in the A UTOMATH

920 views • 37 slides

More recommend