Bellerophon: Tactical Theorem Proving for Hybrid...
Transcript of Bellerophon: Tactical Theorem Proving for Hybrid...
![Page 1: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/1.jpg)
Bellerophon: Tactical Theorem Proving for Hybrid Systems
Nathan Fulton, Stefan Mitsch, Brandon Bohrer, André PlatzerCarnegie Mellon University
![Page 2: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/2.jpg)
![Page 3: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/3.jpg)
Cyber-Physical Systems
Cyber-Physical Systems combine computation and control.
Hybrid Systems model combinations of discrete and continuous dynamics.
![Page 4: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/4.jpg)
Bellerophon
Verifying hybrid systems is hard.
![Page 5: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/5.jpg)
Bellerophon
Verifying hybrid systems is hard.Bellerophon demonstrates how to tackle hybrid systems with tactics:
![Page 6: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/6.jpg)
Bellerophon
Verifying hybrid systems is hard.Bellerophon demonstrates how to tackle hybrid systems with tactics:● Build on a sound core.
![Page 7: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/7.jpg)
Bellerophon
Verifying hybrid systems is hard.Bellerophon demonstrates how to tackle hybrid systems with tactics:● Build on a sound core.● Implement high-level primitives for hybrid
systems proofs.
![Page 8: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/8.jpg)
Bellerophon
Verifying hybrid systems is hard.Bellerophon demonstrates how to tackle hybrid systems with tactics:● Build on a sound core.● Implement high-level primitives for hybrid
systems proofs.● Automate common constructions (for
ODEs and control software)
![Page 9: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/9.jpg)
Theorem Bellerophon LOC
Conceptual Proof Steps
Hybrid Systems Axiom Applications
Static Safety 12 71 30,355
Passive-Friendly Safety
45 140 68,620
Orientation Safety 15 108 173,989
Pass Intersection Liveness
234 440 61,878
Bellerophon
![Page 10: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/10.jpg)
KeYmaera X: Trustworthy Foundations
Interactive Reachability Analysis➢ Bellerophon combinator language ➢ Bellerophon standard library for hybrid systems➢ Demonstration
Bellerophon for Automation and Tooling
Conclusions & Resources
![Page 11: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/11.jpg)
Trustworthy Foundations
KeYmaera X enables trustworthy automation for hybrid systems analysis:● A well-defined logical foundations,● implemented in a small trustworthy core● that ensures correctness of automation and tooling.
![Page 12: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/12.jpg)
Trustworthy FoundationsHybrid Programs
a := t a=a0b=b0c=c0
...
a=tb=b0c=c0
...
![Page 13: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/13.jpg)
Trustworthy FoundationsHybrid Programs
a := t a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
![Page 14: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/14.jpg)
Trustworthy FoundationsHybrid Programs
a := t
?P
a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
If P is true: no change
If P is false: terminate
![Page 15: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/15.jpg)
Trustworthy FoundationsHybrid Programs
a := t
a∪b?P
a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
If P is true: no change
If P is false: terminate
![Page 16: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/16.jpg)
Trustworthy FoundationsHybrid Programs
a := t
a∪b?P
a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
If P is true: no change
If P is false: terminate
![Page 17: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/17.jpg)
Trustworthy FoundationsHybrid Programs
a := t
a∪b?P
a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
If P is true: no change
If P is false: terminate
a* a ...a...
![Page 18: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/18.jpg)
Trustworthy FoundationsHybrid Programs
a := t
a∪b?P
a=a0b=b0c=c0
...
a=tb=b0c=c0
...
a;ba;b
a b
If P is true: no change
If P is false: terminate
a* x’=f x=x0...
x=F(0)...
x=F(T)...
⋮a ...a...
![Page 19: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/19.jpg)
Trustworthy FoundationsReachability Specifications
[a]P “after every execution of a, P”<a>P “after some execution of a, P”
![Page 20: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/20.jpg)
Trustworthy FoundationsReachability Specifications
[a]P “after every execution of a, P”<a>P “after some execution of a, P”
init → [{x := u(x); x’ = f(x)}*]safe
![Page 21: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/21.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 22: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/22.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 23: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/23.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 24: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/24.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 25: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/25.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 26: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/26.jpg)
Trustworthy FoundationsHello, World
{{?Dive ∪ r := rp};t:=0;
{x’ = v, V’ = f(v,g,r), t’=1 & 0≤x & t≤T}
}*Control: Continue diving if safe, else open parachute.Plant: Downward velocity determined by gravity, air resistance.
xv’=f(v,g,r)
![Page 27: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/27.jpg)
(Dive & g>0 & …)→[{{?Dive ∪ r := rp};
{x’ = v, V’ = f(v,g,r) & 0≤x}
}*](x=0→m≤v)x v’=f(v,g,r)
Trustworthy FoundationsReachability Specifications
![Page 28: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/28.jpg)
(Dive & g>0 & …)→[{{?Dive ∪ r := rp};
{x’ = v, V’ = f(v,g,r) & 0≤x}
}*](x=0→m≤v)x v’=f(v,g,r)
If the parachuter is on the ground, their speed is safe (m≤v≤0)
Trustworthy FoundationsReachability Specifications
![Page 29: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/29.jpg)
Introduction to Differential Dynamic LogicDynamical Axioms
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[x’=f&Q]P → (Q → P)...
![Page 30: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/30.jpg)
Introduction to Differential Dynamic LogicTrusted Core
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
![Page 31: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/31.jpg)
Introduction to Differential Dynamic LogicTrustworthy Implementations
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
Bellerophon Tooling Automated Analyses
![Page 32: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/32.jpg)
Introduction to Differential Dynamic LogicProver Core Comparison
![Page 33: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/33.jpg)
Bellerophon
Bellerophon enables interactive verification and tool development:
![Page 34: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/34.jpg)
Bellerophon
Bellerophon enables interactive verification and tool development:● A standard library of common proof
techniques.
![Page 35: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/35.jpg)
Bellerophon
Bellerophon enables interactive verification and tool development:● A standard library of common proof
techniques.● A combinator language/library for
decomposing theorems and composing proof strategies.
![Page 36: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/36.jpg)
BellerophonStandard Library
Tactic Meaning
prop Applies propositional reasoning exhaustively.
unfold Symbolically executes discrete, loop-free programs.
loop(J, i) Applies loop invariance axiom to position i.
dI,dG,dC,dW Reasoning principles for differential equations.
![Page 37: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/37.jpg)
BellerophonStandard Library
Tactic Meaning
prop Applies propositional reasoning exhaustively.
unfold Symbolically executes discrete, loop-free programs.
loop(J, i) Applies loop invariance axiom to position i.
dI,dG,dC,dW Reasoning principles for differential equations.
1000+
![Page 38: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/38.jpg)
BellerophonCombinators
Combinator Meaning
A ; B Execute A on current goal, then execute B on the result.
A | B Try executing A on current goal. If A fails, execute B on current goal.
A* Run A until it no longer applies.
A<( B1,B2, … ,BN ) Execute A on current goal to create N subgoals. Run Bi on subgoal i.
Tactic Meaning
prop Applies propositional reasoning exhaustively.
unfold Symbolically executes discrete, loop-free programs.
loop(J, i) Applies loop invariance axiom to position i, extends J with constants.
dI,dG,dC,dW Reasoning principles for differential equations.
1000+
![Page 39: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/39.jpg)
BellerophonIsolating Interesting Questions
(Dive & g>0 & …)→[{
}*](x=0→m≤v)
![Page 40: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/40.jpg)
BellerophonIsolating Interesting Questions
(Dive & g>0 & …)→[{
}*](x=0→m≤v)
prop ; loop(J,1)
(Dive & g>0 & …)→J
J →x=0→m≤v
J→[
]J
Loop invariant holds initially
Loop invariant is preserved
Loop invariant implies safety
![Page 41: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/41.jpg)
BellerophonIsolating Interesting Questions
(Dive & g>0 & …)→[{
}*](x=0→m≤v)
prop ; loop(J,1)
(Dive & g>0 & …)→J
J →x=0→m≤v
J→[
]J
Loop invariant holds initially
Loop invariant is preserved
Loop invariant implies safety
![Page 42: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/42.jpg)
BellerophonIsolating Interesting Questions
(Dive & g>0 & …)→[{
}*](x=0→m≤v)
prop ; loop(J,1)
(Dive & g>0 & …)→J
J →x=0→m≤v
J→[
]J
unfold
J & Dive & r=ra→[x’=v,v’=...]J
J & r=rp→[x’=v,v’=...]J
![Page 43: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/43.jpg)
BellerophonIsolating Interesting Questions
(Dive & g>0 & …)→[{
}*](x=0→m≤v)
prop ; loop(J,1)
(Dive & g>0 & …)→J
J →x=0→m≤v
J→[
]J
unfold
J & Dive & r=ra→[x’=v,v’=...]J
J & r=rp→[x’=v,v’=...]J
![Page 44: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/44.jpg)
BellerophonIsolating Interesting Questions
prop ; loop(J, 1) <( QE, /* Real arith. solver */ QE, unfold ; <( … /* parachute open case */ … /* parachute closed case */ ))
![Page 45: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/45.jpg)
Interactive Verification in BellerophonTrustworthy Standard Library at High Abstraction Level
J → [{ctrl; plant}*]JJ = v > -sqrt(g/pr) > m & …
Parachute Open Case:v ≥ v0 - gt ≥ v0 - gT > -sqrt(g/pr)
x v’=rv2-gInductive invariants
![Page 46: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/46.jpg)
Interactive Verification in BellerophonFrom Axioms to Proof Steps
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
![Page 47: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/47.jpg)
Interactive Verification in BellerophonFrom Axioms to Proof Steps
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
Example:[v’=rpv
2-g,t’=1]v ≥ v0 - gt
![Page 48: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/48.jpg)
Interactive Verification in BellerophonFrom Axioms to Proof Steps
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
Example:[v’=rpv
2-g,t’=1]v ≥ v0 - gt ↔… ↔[v’:=rpv
2-g][t’:=1]v’ ≥ -g*t’ ↔rpv
2-g ≥ -g ↔rp≥0
![Page 49: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/49.jpg)
Interactive Verification in BellerophonFrom Axioms to Proof Steps
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
Example:[v’=rpv
2-g,t’=1]v ≥ v0 - gt ↔… ↔[v’:=rpv
2-g][t’:=1]v’ ≥ -g*t’ ↔rpv
2-g ≥ -g ↔H→rp≥0
Side derivation:(v ≥ v0 - gt)’ ↔(v)’≥ (v0 - gt)’ ↔(v)’≥ (v0 - gt)’ ↔(v)’≥ (v0)’-(gt) ’ ↔(v)’≥(v0)’- (t(g)’+g(t’)) ↔
V’ ≥v0’- (tg’+gt’)
dI Tactic:
H=rp≥0 & ra≥0 & g>0 & ...
![Page 50: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/50.jpg)
Automation and Tooling
Hybrid Systems Analyses can be built on top of KeYmaera X.
Examples:● ODE Solver● Runtime Monitoring
![Page 51: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/51.jpg)
Automation and ToolingSolving Differential Equations
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[a*]P ↔ (J→P & J→[b]J)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
Untrusted ODE Solver
Axiomatic Solver(Bellerophon Program)
1. Use untrusted code to find a conjecture.
2. Prove the conjecture systematically, leveraging standard library.
![Page 52: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/52.jpg)
Automation and ToolingSolving Differential Equations
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[a*]P ↔ (J→P & J→[b]J)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
Untrusted ODE Solver
Axiomatic Solver(Bellerophon Program)
1. Use untrusted code to find a conjecture.
2. Prove the conjecture systematically, leveraging standard library.
![Page 53: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/53.jpg)
Automation and ToolingModelPlex Tactic
![Page 54: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/54.jpg)
Toward Automated DeductionOther Proof Automation & Tooling
● Taylor Series● Bifurcations● Limit Cycles● Numerical tools● ...
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[a*]P ↔ (J→P & J→[b]J)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
ODE & Controls Tooling
Clever Bellerophon Programs
![Page 55: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/55.jpg)
Toward Automated DeductionOther Proof Automation & Tooling
● Taylor Series● Bifurcations● Limit Cycles● Numerical tools● ...
[x:=t]f(x) ↔ f(t)[a;b]P ↔ [a][b]P[a∪b]P ↔ ([a]P & [b]P)[a*]P ↔ (J→P & J→[b]J)[x’=f&Q]P → (Q → P)...
AXIOM BASE
KeYmaera X Core Q.E.D.
ODE & Controls Tooling
Clever Bellerophon Programs
Other Tooling:● Component-based
Verification● Web UI
![Page 56: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/56.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
![Page 57: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/57.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
Bellerophon demonstrates how to verify hybrid systems using tactics.
![Page 58: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/58.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
Bellerophon demonstrates how to verify hybrid systems using tactics.
![Page 59: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/59.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
Bellerophon demonstrates how to verify hybrid systems using tactics.
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
Example:[v’=rpv
2-g,t’=1]v ≥ v 0 - gt ↔… ↔[v’:=rpv
2-g][t’:=1]v’ ≥ -g*t’ ↔rpv
2-g ≥ -g ↔H→rp≥0
Side derivation:(v ≥ v0 - gt)’ ↔...↔...↔...
dI Tactic:
H=rp≥0 & ra≥0 & g>0 & ...
![Page 60: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/60.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
Bellerophon demonstrates how to verify hybrid systems using tactics.
DI Axiom:[{x'=f&Q}]P↔([?Q]P←(Q→[{x'=f&Q}]P'))
Example:[v’=rpv
2-g,t’=1]v ≥ v 0 - gt ↔… ↔[v’:=rpv
2-g][t’:=1]v’ ≥ -g*t’ ↔rpv
2-g ≥ -g ↔H→rp≥0
Side derivation:(v ≥ v0 - gt)’ ↔...↔...↔...
dI Tactic:
H=rp≥0 & ra≥0 & g>0 & ...
Axioms KyX qed
ODE & Controls Tooling
Clever Bellerophon Programs
![Page 61: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/61.jpg)
Conclusion
There is a wide gap between sound foundations for hybrid systems and practical interactive theorem proving technology for cyber-physical systems verification.
Bellerophon demonstrates how to verify hybrid systems using tactics.Project Website (start here) keymaeraX.org
Online Demo web.keymaeraX.org
Open Source (GPL) github.com/ls-lab/KeYmaeraX-release
Thanks: 15-424 students, Jean-Baptiste Jeannin, Khalil Ghorbal, Yanni Kouskoulas et al., and many others!
![Page 62: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/62.jpg)
Developers: ● Stefan Mitsch● Nathan Fulton● André Platzer● Brandon Bohrer● Jan-David Quesel● Yong Kiam Tan● Markus Völp
![Page 63: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/63.jpg)
![Page 64: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/64.jpg)
Interactive Reachability Analysis in KeYmaera XDifferential Ghosts
Parachute Closed:J & t=0 & r=rp →[x’=v,v’=rv2-g & 0≤x & t≤T]v>-sqrt(g/pr) > m
x v’=rv2-g
Proof requires a differential ghost because the property is not inductive.
![Page 65: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/65.jpg)
Interactive Reachability Analysis in KeYmaera XDifferential Ghosts
An example differential ghost.
x>0 → [x’=-x]x>0
![Page 66: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/66.jpg)
Interactive Reachability Analysis in KeYmaera XDifferential Ghosts
An example differential ghost.
x>0 → [x’=-x]x>0Ghost: y’=y/2Conserved: 1=xy2
![Page 67: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/67.jpg)
Interactive Reachability Analysis in KeYmaera XDifferential Ghosts
An example differential ghost.
x>0 → [x’=-x]x>0Ghost: y’=y/2Conserved: 1=xy2
Notice:x>0 ↔ ∃y.1=xy2 Therefore, suffices to show:1=xy2→∃y.[x’=-x,y’=y/2]1=xy2
![Page 68: Bellerophon: Tactical Theorem Proving for Hybrid Systemsaplatzer/pub/bellerophon-slides.pdfBellerophon Verifying hybrid systems is hard. Bellerophon demonstrates how to tackle hybrid](https://reader036.fdocuments.us/reader036/viewer/2022081518/612755a346783c42406fdc12/html5/thumbnails/68.jpg)
Introduction to Differential Dynamic LogicProver Core Comparison
Tool Trusted LOC (approx.)KeYmaera X 1,682 (out of 100,000+)
KeYmaera 65,989
Isabelle/Pure 8,113
Coq 20,000
HSolver 20,000
dReal 50,000
SpaceEx 100,000