logical foundations of cyber physical systems
play

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

May 19, 2023 •250 likes •1.45k views

07: Control Loops & Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 1 / 16

  1. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  2. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  3. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  4. A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 correct loop invariant 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

  5. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  6. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  7. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  8. Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 Unsound! Be careful where your assumptions go, or your CPS might go where it shouldn’t. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  9. Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

  10. Proving Quantum the Acrophobic Bouncing Ball � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  11. Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  12. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  13. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  14. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  15. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  16. Proving Quantum the Acrophobic Bouncing Ball ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  17. Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  18. Proving Quantum the Acrophobic Bouncing Ball [?] , → R j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  19. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  20. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] [?] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  21. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] [?] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

  22. Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ [ grav ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  23. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  24. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  25. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  26. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  27. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  28. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  29. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  30. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  31. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  32. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  33. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  34. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  35. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  36. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  37. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  38. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  39. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  40. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  41. Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  42. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  43. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  44. Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

  45. Proving Quantum the Acrophobic Bouncing Ball [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  46. Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  47. Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  48. Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  49. Proving Quantum the Acrophobic Bouncing Ball ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  50. Proving Quantum the Acrophobic Bouncing Ball → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  51. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  52. Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  53. Proving Quantum the Acrophobic Bouncing Ball 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  54. Proving Quantum the Acrophobic Bouncing Ball ∗ R 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  55. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  56. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  57. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  58. Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! Todo redo proof with true solution Never use solutions without proof! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

  59. Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  60. Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  61. Clumsy Quantum Misplaced the Constants ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  62. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q above j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) V j ( x , v ) ∧ p ⊢ [ α ] p ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  63. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  64. Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 Note: constants c = 1 ∧ g > 0 that never change are usually elided from J André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

  65. Quantum the Provably Safe Bouncing Ball Proposition (Quantum can bounce around safely) 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 = c → { x ′ = v , v ′ = − g & x ≥ 0 } ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) � ∗ ]( 0 ≤ x ∧ x ≤ H ) � [ requires ( 0 ≤ x ∧ x = H ∧ v = 0 ) requires ( g > 0 ∧ 1 = c ) ensures ( 0 ≤ x ∧ x ≤ H ) { x ′ = v , v ′ = − g & x ≥ 0 } ; � � ∗ @invariant ( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) (? x = 0 ; v := − cv ∪ ? x � = 0 )) Invariant Contracts Invariants play a crucial rôle in CPS design. Capture them if you can. Use @invariant () contracts in your hybrid programs. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

  66. Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

  67. Invariants The lion’s share of understanding comes from understanding what does change (variants/progress measures) and what doesn’t change (invariants). Invariants are a fundamental force of CS Variants are another fundamental force of CS André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 15 / 16

  68. Summary: Loops, Generalizations, Splittings I [ α ∗ ] P ↔ P ∧ [ α ∗ ]( P → [ α ] P ) P G [ α ] P P → Q M [ · ] [ α ] P → [ α ] Q loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ MR Γ ⊢ [ α ] Q , ∆ Q ⊢ P Γ ⊢ [ α ] P , ∆ [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

  69. Outline Appendix 5 Iteration Axiom Iterations & Splitting the Box Iteration & Generalizations André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

  70. Iteration Axiom compositional semantics ⇒ compositional rules! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 17 / 16

  71. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  72. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  73. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

  74. Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P � B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) � A ⊢ B ∧ [ α ] [ ∗ ] A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Recommend

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma December 10, 2018 1 / 10 Goal Develop a focused version of Differential Dynamic Logic(d L ) [3], with the intent that it serve as a basis for

260 views • 10 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

06: Truth &amp; Proof Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06: Truth &amp; Proof LFCPS/06 1 / 23 Outline Learning Objectives

1.77k views • 145 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

09: Reactions &amp; Delays Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09: Reactions &amp; Delays LFCPS/09 1 / 17 Outline Learning

799 views • 59 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

08: Events &amp; Responses Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08: Events &amp; Responses LFCPS/08 1 / 20 Outline Learning

719 views • 56 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

04: Safety &amp; Contracts Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04: Safety &amp; Contracts LFCPS/04 1 / 16 Outline Learning

1.12k views • 80 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems 01: Cyber-Physical Systems: Overview Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01: Overview LFCPS/01 1 / 28 Outline CPS:

934 views • 49 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

21: Virtual Substitution &amp; Real Arithmetic Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21: Virtual Substitution &amp; Real

865 views • 84 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

13: Differential Invariants &amp; Proof Theory Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13: Differential Invariants &amp; Proof

1.53k views • 127 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

14: Hybrid Systems &amp; Games Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14: Hybrid Systems &amp; Games LFCPS/14 1 / 24 Outline

1.07k views • 102 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

10: Differential Equations &amp; Differential Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10: Differential Equations &amp;

1.02k views • 86 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

20: Virtual Substitution &amp; Real Equations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20: Virtual Substitution &amp; Real Equations

3.49k views • 114 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

17: Game Proofs &amp; Separations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17: Game Proofs &amp; Separations LFCPS/17 1 / 25

1.26k views • 96 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

02: Differential Equations &amp; Domains Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02: Differential Equations &amp; Domains LFCPS/02

788 views • 78 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

11: Differential Equations &amp; Proofs Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11: Differential Equations &amp; Proofs LFCPS/11

1.49k views • 111 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

15: Winning Strategies &amp; Regions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15: Winning Strategies &amp; Regions LFCPS/15 1 / 23

1.02k views • 101 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

18: Axioms &amp; Uniform Substitutions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18: Axioms &amp; Uniform Substitutions LFCPS/18 1

1.96k views • 170 slides
Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer (CMU) Cyber-Physical Systems Verification with KeYmaera X LFCS20 1 / 25 Outline

909 views • 76 slides
22: Axioms &amp; Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms &amp; Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms &amp; Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA The Secret for Simpler Sound Hybrid Systems

1.99k views • 181 slides
20: Virtual Substitution &amp; Real Equations 15-424: Foundations of Cyber-Physical Systems

20: Virtual Substitution &amp; Real Equations 15-424: Foundations of Cyber-Physical Systems

20: Virtual Substitution &amp; Real Equations 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6

1.48k views • 112 slides
21: Virtual Substitution &amp; Real Arithmetic 15-424: Foundations of Cyber-Physical Systems

21: Virtual Substitution &amp; Real Arithmetic 15-424: Foundations of Cyber-Physical Systems

21: Virtual Substitution &amp; Real Arithmetic 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6

1.05k views • 76 slides
Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Micro-Architectural Attacks on Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical Systems Cyber Physical Systems (CPS) Cyber (Computer) + Physical (Plant) Real-time Control physical

310 views • 29 slides
02: Differential Equations &amp; Domains 15-424: Foundations of Cyber-Physical Systems Andr e

02: Differential Equations &amp; Domains 15-424: Foundations of Cyber-Physical Systems Andr e

02: Differential Equations &amp; Domains 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4

817 views • 52 slides
06: Truth &amp; Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

06: Truth &amp; Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

06: Truth &amp; Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e

642 views • 41 slides
03: Choice &amp; Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice &amp; Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice &amp; Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e

847 views • 27 slides

More recommend