KeYmaera: A Hybrid Theorem Prover for Hybrid Systems Andr e - - PowerPoint PPT Presentation

KeYmaera: A Hybrid Theorem Prover for Hybrid Systems

Andr´ e Platzer Jan-David Quesel

University of Oldenburg, Department of Computing Science, Germany

International Joint Conference on Automated Reasoning, Sydney 2008

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 1 / 11

Motivation

KeYmaera: Verification tool for hybrid systems

Hybrid System Continuous evolutions (differential equations) Discrete jumps (control decisions)

1 2 3 4 t 2 1 1 2 a 1 2 3 4 t 0.5 1.0 1.5 2.0 2.5 3.0 v 1 2 3 4 t 1 2 3 4 5 6 z

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 2 / 11

Differential Dynamic Logic (dL)

m z v

Example

• −

→ [

• ]( )

Precondition Operational model Property

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 3 / 11

Differential Dynamic Logic (dL)

m z v

Example

v2 ≤ 2b(m − z)

• −

→ [

• ](z ≤ m

) Precondition Operational model Property

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 3 / 11

Differential Dynamic Logic (dL)

m z v

Example

v2 ≤ 2b(m − z)

• −

→ [ z′ = v, v′ = a

• ](z ≤ m

) Precondition Operational model Property Continuous evolution: differential equation

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 3 / 11

Differential Dynamic Logic (dL)

m z v

Example

v2 ≤ 2b(m − z)

• −

→ [a := ∗; z′ = v, v′ = a

• ](z ≤ m

) Precondition Operational model Property Random assignment

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 3 / 11

Differential Dynamic Logic (dL)

m z v

Example

v2 ≤ 2b(m − z)

• −

→ [a := ∗; ?a ≤ −b; z′ = v, v′ = a

• ](z ≤ m

) Precondition Operational model Property Test

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 3 / 11

Syntax of Differential Dynamic Logic

dL Formulas

φ ::= θ1 ∼ θ2 | ¬φ | φ ∧ ψ | ∀xφ | ∃xφ | [α]φ | αφ

Hybrid Program | Effect

α; β sequential composition α ∪ β nondeterministic choice α∗ nondeterministic repetition x := θ discrete assignment (jump) x := ∗ nondeterministic assignment

• x′

1 = θ1, . . . , x′ n = θn, F

• continuous evolution of xi

?F check if formula F holds

• A. Platzer.

Differential Dynamic Logic for Hybrid Systems. Journal of Automated Reasoning, 41(2), 2008, to appear.

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 4 / 11

KeYmaera Architecture

Strategy Rule Engine Proof Input File Rule base Mathematica QEPCAD Orbital KeYmaera Prover Solvers Quantifier eliminiation

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 5 / 11

KeYmaera Architecture

Strategy Rule Engine Proof Input File Rule base Mathematica QEPCAD Orbital KeYmaera Prover Solvers Quantifier eliminiation

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 5 / 11

Proof Sketch

Init ⊢ [ETCS∗]z ≤ m Init ⊢ Inv Inv ⊢ [ETCS]Inv . . . Drive v ≥ vdes m − z ≤ SB m − z > SB v ≤ vdes m − z ≤ SB m − z > SB Brake Inv ⊢ z ≤ m

Example

m − z ≥ A

b + 1

εv + A

2 ε2

+ v2−d2

2b

∧ 0 ≤ a ≤ A ∧ 0 ≤ v ≤ vdes ∧v2 − d2 ≤ 2b(m − z) ∧ d ≥ 0 ∧ ε > 0 ∧ b > 0 ∧ A > 0 ⊢ ∀t ≥ 0 ((∀0 ≤ ˜ t ≤ t (a˜ t + v ≥ 0 ∧ ˜ t ≤ ε)) → (at + v)2 − d2 ≤ 2b(m − (1

2at + tv + z)) ∧ at + v ≥ 0 ∧ d ≥ 0)

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 6 / 11

Proof Sketch

Init ⊢ [ETCS∗]z ≤ m Init ⊢ Inv Inv ⊢ [ETCS]Inv . . . Drive v ≥ vdes m − z ≤ SB m − z > SB v ≤ vdes m − z ≤ SB m − z > SB Brake Inv ⊢ z ≤ m

Example

m − z ≥ A

b + 1

εv + A

2 ε2

+ v2−d2

2b

∧ 0 ≤ a ≤ A ∧ 0 ≤ v ≤ vdes ∧v2 − d2 ≤ 2b(m − z) ∧ d ≥ 0 ∧ ε > 0 ∧ b > 0 ∧ A > 0 ⊢ ∀t ≥ 0 ((∀0 ≤ ˜ t ≤ t (a˜ t + v ≥ 0 ∧ ˜ t ≤ ε)) → (at + v)2 − d2 ≤ 2b(m − (1

2at + tv + z)) ∧ at + v ≥ 0 ∧ d ≥ 0)

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 6 / 11

Handling Differential Equations

Example

∀t ≥ 0 [x := y(t)] φ [x′ = f (x)] φ v w φ x′ = f (x) x := y(t) . . . ⊢ [z′ = v, v′ = −b]z ≤ m

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 7 / 11

Handling Differential Equations

Example

∀t ≥ 0 [x := y(t)] φ [x′ = f (x)] φ v w φ x′ = f (x) x := y(t) . . . ⊢ ∀t ≥ 0 [z := −1

2bt2 + tv + z]z ≤ m

. . . ⊢ [z′ = v, v′ = −b]z ≤ m

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 7 / 11

Handling Differential Equations

Example

∀t ≥ 0 [x := y(t)] φ [x′ = f (x)] φ v w φ x′ = f (x) x := y(t) . . . ⊢ ∀t ≥ 0 (−1

2bt2 + tv + z ≤ m)

. . . ⊢ ∀t ≥ 0 [z := −1

2bt2 + tv + z]z ≤ m

. . . ⊢ [z′ = v, v′ = −b]z ≤ m

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 7 / 11

KeYmaera Architecture

Strategy Rule Engine Proof Input File Rule base Mathematica QEPCAD Orbital KeYmaera Prover Solvers Quantifier eliminiation

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 7 / 11

KeYmaera Architecture

Strategy Rule Engine Proof Input File Rule base Mathematica QEPCAD Orbital KeYmaera Prover Solvers Quantifier eliminiation

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 7 / 11

Proof Sketch

Init ⊢ [ETCS∗]z ≤ m Init ⊢ Inv Inv ⊢ [ETCS]Inv . . . Drive v ≥ vdes m − z ≤ SB m − z > SB v ≤ vdes m − z ≤ SB m − z > SB Brake Inv ⊢ z ≤ m

Example

m − z ≥ A

b + 1

εv + A

2 ε2

+ v2−d2

2b

∧ 0 ≤ a ≤ A ∧ 0 ≤ v ≤ vdes ∧v2 − d2 ≤ 2b(m − z) ∧ d ≥ 0 ∧ ε > 0 ∧ b > 0 ∧ A > 0 ⊢ ∀t ≥ 0 ((∀0 ≤ ˜ t ≤ t (a˜ t + v ≥ 0 ∧ ˜ t ≤ ε)) → (at + v)2 − d2 ≤ 2b(m − (1

2at + tv + z)) ∧ at + v ≥ 0 ∧ d ≥ 0)

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 8 / 11

Proof Sketch

Init ⊢ [ETCS∗]z ≤ m Init ⊢ Inv Inv ⊢ [ETCS]Inv . . . Drive v ≥ vdes m − z ≤ SB m − z > SB v ≤ vdes m − z ≤ SB m − z > SB Brake Inv ⊢ z ≤ m

Example

m − z ≥ A

b + 1

εv + A

2 ε2

+ v2−d2

2b

∧ 0 ≤ a ≤ A ∧ 0 ≤ v ≤ vdes ∧v2 − d2 ≤ 2b(m − z) ∧ d ≥ 0 ∧ ε > 0 ∧ b > 0 ∧ A > 0 ⊢ ∀t ≥ 0 ((∀0 ≤ ˜ t ≤ t (a˜ t + v ≥ 0 ∧ ˜ t ≤ ε)) → (at + v)2 − d2 ≤ 2b(m − (1

2at + tv + z)) ∧ at + v ≥ 0 ∧ d ≥ 0)

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 8 / 11

Iterative Background Closure

Quantifier elimination is doubly exponential Choice conflict:

1

Apply quantifier elimination

2

Split using ⊢ F ⊢ G ⊢ F ∧ G

1 2 2 4 4 8 8 16 16 16 ∗ ∗

16 8 4 2 1

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 9 / 11

Experimental Results

Case Study Interact Steps IBC(s) Eager QE(s) ETCS essentials 46 47.8 ∞ 1 46 6.6 8.8 ETCS complete 163 2045.2 ∞ 1 168 23.3 ∞ ETCS reactivity 49 76.2 ∞ ETCS liveness 3 112 17.6 16.0 Aircraft TRM 94 10.9 ∞ 1 94 1.2 1.2 TRM 3 Planes 187 171.8 ∞ 1 187 21.2 ∞ TRM 4 Planes 255 704.3 ∞ 1 255 170 ∞ Water tank

• ∞

∞ 1 375 2.0 2.0 ∞ ˆ = more than five hours

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 10 / 11

Experimental Results

Case Study Interact Steps IBC(s) Eager QE(s) ETCS essentials 46 47.8 ∞ 1 46 6.6 8.8 ETCS complete 163 2045.2 ∞ 1 168 23.3 ∞ ETCS reactivity 49 76.2 ∞ ETCS liveness 3 112 17.6 16.0 Aircraft TRM 94 10.9 ∞ 1 94 1.2 1.2 TRM 3 Planes 187 171.8 ∞ 1 187 21.2 ∞ TRM 4 Planes 255 704.3 ∞ 1 255 170 ∞ Water tank

• ∞

∞ 1 375 2.0 2.0 ∞ ˆ = more than five hours

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 10 / 11

Conclusions

KeYmaera Summary

Hybrid theorem prover for verifying hybrid systems

Differential Dynamic Logic (dL) and Hybrid Programs Sequent calculus Quantifier elimination, computer algebra

Automatic proof strategies (95 − 100%) Plugin-architecture for backends

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 11 / 11

Conclusions

Features

Verify controllability, reactivity, safety and liveness properties Counterexample generation Automatic invariant discovery Handling differential inequalities (z′′ ≤ a) Support for proof annotations Equational Gr¨

• bner basis verification support

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 11 / 11

• A. Platzer.

Differential Dynamic Logic for Verifying Parametric Hybrid Systems. In N. Olivetti, editor, TABLEAUX, volume 4548 of LNCS, pages 216–232. Springer, 2007.

• A. Platzer.

Differential Dynamic Logic for Hybrid Systems. Journal of Automated Reasoning, 41(2), 2008, to appear.

• A. Platzer and E. M. Clarke.

Computing Differential Invariants of Hybrid Systems as Fixedpoints. In A. Gupta and S. Malik, editors, CAV, volume 5123 of LNCS, pages 176–189, 2008.

• A. Platzer and J.-D. Quesel.

Logical Verification and Systematic Parametric Analysis in Train Control. In M. Egerstedt and B. Mishra, editors, HSCC, volume 4981 of LNCS, pages 646-649. Springer, 2008.

Andr´ e Platzer, Jan-David Quesel KeYmaera: A Hybrid Theorem Prover for Hybrid Systems IJCAR 2008 11 / 11