Table 1 - uploaded by André Platzer
Comparison to related verification tools and provers

Source publication
Conference Paper
Hybrid systems combine discrete and continuous dynamics, which makes them attractive as models for systems that combine computer control with physical motion. Verification is undecidable for hybrid systems and challenging for many models and properties of practical interest. Thus, human interaction and insight are essential for verification. Intera...

Context in source publication

Context 1
... though these ingredients can be found scattered across a multitude of theorem provers, their combination to a tactical theorem proving technique for hybrid systems is non-obvious. Table 1 compares several tools along the dimensions that we identify as crucial to productive hybrid systems verification (SC indicates a soundness-critical dependency on user-defined tactics or on an external implementation of a more scalable arithmetic decision procedure). ...

Citations

... Model of parachute dynamics, adopted from [12]. The program runs under a set of assumptions A, and under all iterations of the program, postcondition P holds. The postcondition expresses that when the skydiver hits the ground, their velocity v will be bounded by the maximal (w.r.t. ...
Preprint
Modeling languages like differential dynamic logic (dL) have proof calculi capable of proving guarantees for safety-critical applications. However, dL programmers may unintentionally over-specify assumptions and program statements, which results in overly constrained models, and consequently, weak or vacuous guarantees. In hybrid systems models, such constraints come from multiple places, ranging from initial conditions to domain constraints in the middle of differential equations, thereby making it nontrivial to consistently track the conglomerate. We present a novel sequent calculus for dL that tracks which constraints to weaken or remove while preserving correctness guarantees. When properties follow entirely from constraints uninfluenced by program statements, this analysis spots outright flaws in models. We prove soundness and completeness of our proof calculus.
... KeYmaera X is an interactive, tactical prover: users interactively pick proof techniques at each step. Each technique is implemented as a tactic [15] program. Tactics range from propositional rules (e.g., conjunction and implication) to complex search procedures. ...
Chapter
Safety-critical chemical processes are well-studied in the formal methods literature, including hybrid systems models which combine discrete and continuous dynamics. This paper is the first to use a theorem-prover to verify hybrid chemical models: the KeYmaera X prover for differential dynamic logic. KeYmaera X provides parametric results that hold for a whole range of parameter values, non-linear physical dynamics, and a small trusted computing base. We tell a general story about KeYmaera X: recent advances in automated reasoning about safety and liveness for differential equations have enabled elegant proofs about reaction dynamics. Keywords: Hybrid Systems, Theorem Proving, Chemical Reactor
... KeYmaera X is an interactive, tactic-based prover. This means that the user interactively tells the prover which proof technique to use, but each technique is implemented as a tactic [10], i.e., a program. A proof technique can be a simple, specific rule or a complex proof search procedure. ...
Preprint
Safety-critical chemical processes are the backbone of multi-billion-dollar industries, thus society deserves the strongest possible guarantees that they are safe. To that end, models of chemical processes are well-studied in the formal methods literature, including hybrid systems models which combine discrete and continuous dynamics. This paper is the first to use the KeYmaera X theorem-prover to verify chemical models with differential dynamic logic. Our case studies are novel in combining the following: we provide strong general-case correctness theorems, use particularly rich hybrid dynamics, and have particularly rigorous proofs. This novel combination is made possible by KeYmaera X. Simultaneously, we tell a general story about KeYmaera X: recent advances in automated reasoning about safety and liveness for differential equations have enabled elegant proofs about reaction dynamics.
... First steps have meanwhile been taken [12] with respect to more refined hybrid stores and a more user-friendly specification language for hybrid programs and their correctness properties, as already mentioned. More important, however, seems the integration of external solvers and decision procedures, to which much work in the hybrid systems community has already been devoted [13,39,54,58,60]. Such procedures already increase the proof automation of KeYmaera X, and we foresee no reason why similar integrations should not lead to similar benefits within our own framework. ...
Article
We present a semantic framework for the deductive verification of hybrid systems with Isabelle/HOL. It supports reasoning about the temporal evolutions of hybrid programs in the style of differential dynamic logic modelled by flows or invariant sets for vector fields. We introduce the semantic foundations of this framework and summarise their Isabelle formalisation as well as the resulting verification components. A series of simple examples shows our approach at work.
... But usually people will resort to a proof system. Two proof systems have been proposed: Bellerophon (Fulton et al., 2017) and a Proof-Term style proof system (Fulton and Platzer, 2016). The former one is more like a tactic system (Delahaye, 2000) that can guide the proof search and proof check, the latter one is seemingly utilizing Curry-Howard correspondence (Howard, 1980; Wadler, 2015) by assigning each proof rule with a proof term. ...
Preprint
This survey focuses on the intersection between formal methods and reinforcement learning. We will focus on the desired property including rigorousness, expressiveness, adaptability and accessibility of each surveyed technique.
... The SwitchedSystem interface provides default stability and pre-attractivity specifications, which can be adapted by users on the UI if needed. Corollaries 3-6 are implemented as UG-pAS proof tactics in KeYmaera X's Bellerophon tactic language [11]. These tactics automate all of the reasoning steps underlying stability proofs for their respective switching mechanisms, so that users only need to input candidate Lyapunov functions for KeYmaera X to (attempt to) complete their proofs. ...
... Stability Analysis and Verification. Corollaries 3-6 formalize various Lyapunov function-based stability arguments from the literature [5,48] using loop invariants, yielding trustworthy, computer-checked stability proofs in KeYmaera X [11,12]. Other computer-aided approaches for switched system stability analysis are based on finding Lyapunov functions that satisfy the requisite arithmetical conditions [20,26,29,38,41,42]. ...
Preprint
Switched systems are known to exhibit subtle (in)stability behaviors requiring system designers to carefully analyze the stability of closed-loop systems that arise from their proposed switching control laws. This paper presents a formal approach for verifying switched system stability that blends classical ideas from the controls and verification literature using differential dynamic logic (dL), a logic for deductive verification of hybrid systems. From controls, we use standard stability notions for various classes of switching mechanisms and their corresponding Lyapunov function-based analysis techniques. From verification, we use dL's ability to verify quantified properties of hybrid systems and dL models of switched systems as looping hybrid programs whose stability can be formally specified and proven by finding appropriate loop invariants, i.e., properties that are preserved across each loop iteration. This blend of ideas enables a trustworthy implementation of switched system stability verification in the KeYmaera X prover based on dL. For standard classes of switching mechanisms, the implementation provides fully automated stability proofs, including searching for suitable Lyapunov functions. Moreover, the generality of the deductive approach also enables verification of switching control laws that require non-standard stability arguments through the design of loop invariants that suitably express specific intuitions behind those control laws. This flexibility is demonstrated on three case studies: a model for longitudinal flight control by Branicky, an automatic cruise controller, and Brockett's nonholonomic integrator.
... KeYmaera X provides limited annotations for CPS proofs: loops and ODEs can be annotated with invariants that are consumed by a fully-automatic proof procedure. The crucial limitation is that the verification paradigm changes entirely once fully-automated proofs fail: the user writes a proof in Bellerophon [13] or equivalently interacts with a user interface that generates the proof script. ...
... The prover's implementation language may be used, or a domain-specific language may be provided. We give special attention to KeYmaera X's Bellerophon [13] proof language, because its underlying logics dL and dGL are direct ancestors of the logic CdGL which Kaisar targets and because Bellerophon is applied to the same application domain: CPS. Though the application domains and underlying logics of Bellerophon and Kaisar are intimately related, the two languages could not be more different, when considered as languages. ...
... We evaluate Kaisar against Bellerophon [13], the unstructured proof language of KeYmaera X, a theorem prover for (classical) hybrid systems and games in dL and dGL. We ported three driving case studies from the literature (PLDI-DC [6], IJRR [25,Thm. ...
Article
Many cyber-physical systems (CPS) are safety-critical, so it is important to formally verify them, e.g. in formal logics that show a model's correctness specification always holds. Constructive Differential Game Logic (CdGL) is such a logic for (constructive) hybrid games, including hybrid systems. To overcome undecidability, the user first writes a proof, for which we present a proof-checking tool. We introduce Kaisar, the first language and tool for CdGL proofs, which until now could only be written by hand with a low-level proof calculus. Kaisar's structured proofs simplify challenging CPS proof tasks, especially by using programming language principles and high-level stateful reasoning. Kaisar exploits CdGL's constructivity and refinement relations to build proofs around models of game strategies. The evaluation reproduces and extends existing case studies on 1D and 2D driving. Proof metrics are compared and reported experiences are discussed for the original studies and their reproductions.
Preprint
Many cyber-physical systems (CPS) are safety-critical, so it is important to formally verify them, e.g. in formal logics that show a model's correctness specification always holds. Constructive Differential Game Logic (CdGL) is such a logic for (constructive) hybrid games, including hybrid systems. To overcome undecidability, the user first writes a proof, for which we present a proof-checking tool. We introduce Kaisar, the first language and tool for CdGL proofs, which until now could only be written by hand with a low-level proof calculus. Kaisar's structured proofs simplify challenging CPS proof tasks, especially by using programming language principles and high-level stateful reasoning. Kaisar exploits CdGL's constructivity and refinement relations to build proofs around models of game strategies. The evaluation reproduces and extends existing case studies on 1D and 2D driving. Proof metrics are compared and reported experiences are discussed for the original studies and their reproductions.
... These ideas are put into practice through an implementation of ODE existence and liveness proof rules in KeYmaera X [FMQ + 15]. Proof rules and proof support are implemented as tactics in KeYmaera X [FMBP17], which are not soundness-critical. Such an arrangement allows for the implementation of useful ODE liveness proof rules and their associated proof support with KeYmaera X's sound kernel as a safeguard against implementation errors or mistakes in their derivations and side conditions. ...
... Trusted Kernel with Untrusted Tactics. All of the proofs in Table 2 make extensive use of KeYmaera X's existing tactics framework [FMBP17] to handle low-level interactions with KeYmaera X soundness-critical kernel, as shown by the large number of kernel steps that each proof requires. The soundness guarantee provided by the KeYmaera X kernel makes this implementation effort a worthy tradeoff because it ensures that the proved results in Table 2 are trustworthy without needing to trust the implementation of the tactics. ...
Article
This article presents an axiomatic approach for deductive verification of existence and liveness for ordinary differential equations (ODEs) with differential dynamic logic (dL). The approach yields proofs that the solution of a given ODE exists long enough to reach a given target region without leaving a given evolution domain. Numerous subtleties complicate the generalization of discrete liveness verification techniques, such as loop variants, to the continuous setting. For example, ODE solutions may blow up in finite time or their progress towards the goal may converge to zero. These subtleties are handled in dL by successively refining ODE liveness properties using ODE invariance properties which have a complete axiomatization. This approach is widely applicable: several liveness arguments from the literature are surveyed and derived as special instances of axiomatic refinement in dL. These derivations also correct several soundness errors in the surveyed literature, which further highlights the subtlety of ODE liveness reasoning and the utility of an axiomatic approach. An important special case of this approach deduces (global) existence properties of ODEs, which are a fundamental part of every ODE liveness argument. Thus, all generalizations of existence properties and their proofs immediately lead to corresponding generalizations of ODE liveness arguments. Overall, the resulting library of common refinement steps enables both the sound development and justification of new ODE existence and of liveness proof rules from dL axioms. These insights are put into practice through an implementation of ODE liveness proofs in the KeYmaera X theorem prover for hybrid systems.