Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

A Simple Discrete Loop Example loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ J J ⊢ [ x := x + y ; y := x − 2 · y ] J J ⊢ x ≥ 0 loop x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 ⊢ [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 → R ⊢ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 → [( x := x + y ; y := x − 2 · y ) ∗ ] x ≥ 0 J ≡ x ≥ 0 stronger: Lacks info about y 1 J ≡ x ≥ 8 ∧ 5 ≥ y ∧ y ≥ 0 weaker: Changes immediately 2 J ≡ x ≥ 0 ∧ y ≥ 0 no: y may become negative if x < y 3 J ≡ x ≥ y ∧ y ≥ 0 correct loop invariant 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 8 / 16

Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

Forgot to Add Sequent Context Γ , ∆ to Premises Γ ⊢ J , ∆ Γ?? , J ⊢ [ α ] J , ∆?? Γ?? , J ⊢ P , ∆?? Γ ⊢ [ α ∗ ] P , ∆ x = 0 ⊢ x ≤ 1 x = 0 , x ≤ 1 ⊢ [ x := x + 1 ] x ≤ 1 x ≤ 1 ⊢ x ≤ 1 � x = 0 , x ≤ 1 ⊢ [( x := x + 1 ) ∗ ] x ≤ 1 x = 0 ⊢ x ≥ 0 x ≥ 0 ⊢ [ x := x + 1 ] x ≥ 0 x = 0 , x ≥ 0 ⊢ x = 0 � x = 0 ⊢ [( x := x + 1 ) ∗ ] x = 0 Unsound! Be careful where your assumptions go, or your CPS might go where it shouldn’t. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 9 / 16

Proving Quantum the Acrophobic Bouncing Ball � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [ grav ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball [?] , → R j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , x = 0 ⊢ j ( x , − cv ) [:=] j ( x , v ) , x = 0 ⊢ [ v := − cv ] j ( x , v ) [?] , → R j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [? x = 0 ][ v := − cv ] j ( x , v ) [;] [?] j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) j ( x , v ) ⊢ [? x � = 0 ] j ( x , v ) ∧ R j ( x , v ) ⊢ [? x = 0 ; v := − cv ] j ( x , v ) ∧ [? x � = 0 ] j ( x , v ) j ( x , v ) ⊢ [ grav ] j ( x , v ) [ ∪ ] j ( x , v ) ⊢ [? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) MR j ( x , v ) ⊢ [ grav ][? x = 0 ; v := − cv ∪ ? x � = 0 ] j ( x , v ) [;] j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) A ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) j ( x , v ) ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 )] j ( x , v ) loop � ∗ ] B ( x , v ) � A ⊢ [ grav ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 10 / 16

Proving Quantum the Acrophobic Bouncing Ball A ⊢ j ( x , v ) j ( x , v ) ⊢ [ grav ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ B ( x , v ) A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ j ( x , v ) j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) j ( x , v ) , x = 0 ⊢ j ( x , ( − cv )) j ( x , v ) , x � = 0 ⊢ j ( x , v ) j ( x , v ) ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 A ≡ 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 B ( x , v ) ≡ 0 ≤ x ∧ x ≤ H grav ≡ { x ′ = v , v ′ = − g & x ≥ 0 } André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball � 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 ≥ c ≥ 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 j ( x , v ) ⊢ [ { x ′ = v , v ′ = − g & x ≥ 0 } ]( j ( x , v ) ) � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x = 0 ⊢ 2 gx = 2 gH − ( − cv ) 2 ∧ x ≥ 0 if c = 1 ... � 2 gx = 2 gH − v 2 ∧ x ≥ 0 , x � = 0 ⊢ 2 gx = 2 gH − v 2 ∧ x ≥ 0 � 2 gx = 2 gH − v 2 ∧ x ≥ 0 ⊢ 0 ≤ x ∧ x ≤ H because g > 0 j ( x , v ) ≡ x ≥ 0 weaker: fails postcondition if x > H 1 j ( x , v ) ≡ 0 ≤ x ∧ x ≤ H weak: fails ODE if v ≫ 0 2 j ( x , v ) ≡ x = 0 ∧ v = 0 strong: fails initial condition if x > 0 3 j ( x , v ) ≡ x = 0 ∨ x = H ∧ v = 0 no space for intermediate states 4 j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 works: implicitly links v and x 5 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 11 / 16

Proving Quantum the Acrophobic Bouncing Ball [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∗ R 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Proving Quantum the Acrophobic Bouncing Ball ∗ ∗ R id 2 gx = 2 gH − v 2 ⊢ 2 g ( H − g H − g 2 t 2 ≥ 0 ⊢ H − g 2 t 2 )= 2 gH − ( gt ) 2 2 t 2 ≥ 0 ∧ R 2 gx = 2 gH − v 2 ∧ x ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ 2 g ( H − g 2 t 2 )= 2 gH − ( gt ) 2 ∧ ( H − g 2 t 2 ) ≥ 0 j ( x , v ) , t ≥ 0 , H − g 2 t 2 ≥ 0 ⊢ j ( H − g 2 t 2 , − gt ) → R j ( x , v ) ⊢ t ≥ 0 → H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ∀ R j ( x , v ) ⊢ ∀ t ≥ 0 ( H − g 2 t 2 ≥ 0 → j ( H − g 2 t 2 , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ]( x ≥ 0 → j ( x , − gt ) ) [:=] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ][ v := − gt ]( x ≥ 0 → j ( x , v ) ) [;] j ( x , v ) ⊢ ∀ t ≥ 0 [ x := H − g 2 t 2 ; v := − gt ]( x ≥ 0 → j ( x , v ) ) [ ′ ] j ( x , v ) ⊢ [ x ′ = v , v ′ = − g & x ≥ 0 ] j ( x , v ) Is Quantum done with his safety proof? Oh no! The solutions we sneaked into [ ′ ] only solve the ODE/IVP if x = H , v = 0 which assumption j ( x , v ) can’t guarantee! Todo redo proof with true solution Never use solutions without proof! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 12 / 16

Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Clumsy Quantum Misplaced the Constants loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Clumsy Quantum Misplaced the Constants ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q above j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) V j ( x , v ) ∧ p ⊢ [ α ] p ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Clumsy Quantum Misplaced the Constants [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) ∗ above V j ( x , v ) ∧ p ⊢ [ α ] p j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ R j ( x , v ) ∧ p ⊢ [ α ] j ( x , v ) ∧ [ α ] p ∗ ∗ R A ⊢ j ( x , v ) ∧ p [] ∧ R j ( x , v ) ∧ p ⊢ B ( x , v ) j ( x , v ) ∧ p ⊢ [ α ]( j ( x , v ) ∧ p ) loop A ⊢ [ α ∗ ] B ( x , v ) j ( x , v ) ≡ 2 gx = 2 gH − v 2 ∧ x ≥ 0 1 p ≡ c = 1 ∧ g > 0 2 J ≡ j ( x , v ) ∧ p as loop invariant 3 Note: constants c = 1 ∧ g > 0 that never change are usually elided from J André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 13 / 16

Quantum the Provably Safe Bouncing Ball Proposition (Quantum can bounce around safely) 0 ≤ x ∧ x = H ∧ v = 0 ∧ g > 0 ∧ 1 = c → { x ′ = v , v ′ = − g & x ≥ 0 } ;(? x = 0 ; v := − cv ∪ ? x � = 0 ) � ∗ ]( 0 ≤ x ∧ x ≤ H ) � [ requires ( 0 ≤ x ∧ x = H ∧ v = 0 ) requires ( g > 0 ∧ 1 = c ) ensures ( 0 ≤ x ∧ x ≤ H ) { x ′ = v , v ′ = − g & x ≥ 0 } ; � � ∗ @invariant ( 2 gx = 2 gH − v 2 ∧ x ≥ 0 ) (? x = 0 ; v := − cv ∪ ? x � = 0 )) Invariant Contracts Invariants play a crucial rôle in CPS design. Capture them if you can. Use @invariant () contracts in your hybrid programs. André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

Outline Learning Objectives 1 Induction for Loops 2 Iteration Axiom Induction Axiom Induction Rule for Loops Loop Invariants Simple Example Contextual Soundness Requirements Operationalize Invariant Construction 3 Bouncing Ball Rescuing Misplaced Constants Safe Quantum Summary 4 André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 14 / 16

Invariants The lion’s share of understanding comes from understanding what does change (variants/progress measures) and what doesn’t change (invariants). Invariants are a fundamental force of CS Variants are another fundamental force of CS André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 15 / 16

Summary: Loops, Generalizations, Splittings I [ α ∗ ] P ↔ P ∧ [ α ∗ ]( P → [ α ] P ) P G [ α ] P P → Q M [ · ] [ α ] P → [ α ] Q loop Γ ⊢ J , ∆ J ⊢ [ α ] J J ⊢ P Γ ⊢ [ α ∗ ] P , ∆ MR Γ ⊢ [ α ] Q , ∆ Q ⊢ P Γ ⊢ [ α ] P , ∆ [] ∧ [ α ]( P ∧ Q ) ↔ [ α ] P ∧ [ α ] Q V p → [ α ] p ( FV ( p ) ∩ BV ( α ) = / 0 ) André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

Outline Appendix 5 Iteration Axiom Iterations & Splitting the Box Iteration & Generalizations André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 16 / 16

Iteration Axiom compositional semantics ⇒ compositional rules! André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 17 / 16

Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Loops of Proofs: Iterations [ ∗ ] [ α ∗ ] P ↔ P ∧ [ α ][ α ∗ ] P � B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) � A ⊢ B ∧ [ α ] [ ∗ ] A ⊢ B ∧ [ α ]( B ∧ [ α ][ α ∗ ] B ) [ ∗ ] A ⊢ B ∧ [ α ][ α ∗ ] B [ ∗ ] A ⊢ [ α ∗ ] B André Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 18 / 16

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

07: Control Loops & Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 1 / 16

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Optimal Estimation of Matching Constraints 1 Motivation & general approach 2 Parametrization

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Chapter 8 Shape representation and description 8.1 Matching 2 8.1 Matching we wish to

6.869 Advances in Computer Vision Prof. Bill Freeman March 1, 2005 1 2 Local Features Today

Adaptive delayed feedback control to stabilize in-phase synchronization in complex oscillator

Phase and Frequency detection Detection of sinusoidal signal characteristics Phase

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

A Coupled Oscillators-based Control Architecture for Locomotory Gaits Presented at the

Explore More Topics

Sambuz

Useful Links

Newsletter

Mail Us

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

07: Control Loops & Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 1 / 16

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Optimal Estimation of Matching Constraints 1 Motivation &amp; general approach 2 Parametrization

Automatic Panoramic Image Stitching Dr. Matthew Brown, University of Bath AutoStitch iPhone

Chapter 8 Shape representation and description 8.1 Matching 2 8.1 Matching we wish to

6.869 Advances in Computer Vision Prof. Bill Freeman March 1, 2005 1 2 Local Features Today

Adaptive delayed feedback control to stabilize in-phase synchronization in complex oscillator

Phase and Frequency detection Detection of sinusoidal signal characteristics Phase

Smtlink 2.0 Yan Peng 1 Mark R. Greenstreet 1 1 Department of Computer Science University of

A Coupled Oscillators-based Control Architecture for Locomotory Gaits Presented at the

Explore More Topics

Sambuz

Useful Links

Newsletter

Mail Us

Optimal Estimation of Matching Constraints 1 Motivation & general approach 2 Parametrization