differential refinement logic - carnegie mellon …sloos/loosproposalslides.pdf1 sarah m. loos csd,...
TRANSCRIPT
1
Sarah M. Loos
CSD, Carnegie Mellon University
Differential Refinement Logic Thesis Proposal
Thesis Committee: André Platzer (chair) Frank Pfenning Bruce Krogh George Pappas (UPenn) Dexter Kozen (Cornell)
2
Challenge: Cyber-Physical Systems
3
Verified Cyber-Physical Systems
[FM11]
4
x!i"
x! j"
p x!k"
x!l"
x!m"
Verified Cyber-Physical Systems
[FM11, HSCC13]
5
x!i"
x! j"
p x!k"
x!l"
x!m"
Verified Cyber-Physical Systems
[FM11, ITSC11, ICCPS12, HSCC13]
6
We observed that if only we had direct proof support for relating systems, our proofs could be greatly simplified. In this thesis, we propose to develop proof support for directly comparing cyber-physical systems.
Verified Cyber-Physical Systems
7
Proof support for relating two hybrid programs can help in four ways:
8
Proof support for relating two hybrid programs can help in four ways:
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
9
Proof support for relating two hybrid programs can help in four ways:
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
10
Distributed Car Control
Sensor limits on actual cars are always local.
11
Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.
Distributed Car Control
12
!
But is a terrible idea when implemented globally. Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.
Distributed Car Control
13
Car Control: Proof Sketch
Local Lane Control • 2 vehicles • 1 lane • no lane change
[FM11]
14
Car Control: Proof Sketch
Local Lane Control • 2 vehicles • 1 lane • no lane change
[FM11]
(a := ✓;x00 = a)⇤
15
Car Control: Proof Sketch
Local Lane Control • 2 vehicles • 1 lane • no lane change
[FM11]
16
Car Control: Proof Sketch
Local Lane Control • 2 vehicles • 1 lane • no lane change
[FM11]
Global Lane Control • n vehicles • 1 lane • no lane change
17
Car Control: Proof Sketch
Local Lane Control • 2 vehicles • 1 lane • no lane change
[FM11]
Global Lane Control • n vehicles • 1 lane • no lane change
⌘8i : C
⇣8i, j : C ji
18
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
[FM11]
19
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
[FM11]
20
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
[FM11]
⌘⇤⇣⇣delete⇤; create⇤;
21
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
[FM11]
22
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
Global Highway Control
[FM11]
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
• n vehicles • m lanes • lane changes
23
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
Global Highway Control
[FM11]
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
• n vehicles • m lanes • lane changes
⌘8l : L
⇣
24
Car Control: Proof Sketch
Local Lane Control
Global Lane Control
Local Highway Control
Global Highway Control
[FM11]
• 2 vehicles • 1 lane • no lane change
• n vehicles • 1 lane • no lane change
• n vehicles • 1 lane • lane changes
• n vehicles • m lanes • lane changes
25
Car Control: Proof
[FM11]
26
Car Control: Proof
[FM11]
27
Car Control: Proof
[FM11]
28
Car Control: Proof
[FM11]
⇣delete⇤; create⇤;
29
Car Control: Proof
[FM11]
30
Car Control: Proof
31
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
32
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
33
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
34
• Each aircraft is associated with a buffer disc. • The discs should never come within p of each other. • Discs follow aircraft when not in collision avoidance. • Each aircraft circles its stationary disc when in collision avoidance.
Distributed Aircraft Control
[PallottinoSBF07, LoosRP13]
xHiLxH jLp xHkL
xHlL
xHmL
35
Modular Proof for Distributed Aircraft
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
[LoosRP13]
To Prove: Safe separation of aircraft.
8i 6= j : A
kx(i) � x(j)k � p
36
Modular Proof for Distributed Aircraft
To Prove: Safe separation of aircraft.
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmLdHiL
dH jLp =)
xHiLxH jLp xHkL
xHiL
xHmL =)^
^
[LoosRP13]
8i : Akx(i) � d(i)k = r
8i 6= j : A
kd(i) � d(j)k � 2r + p
8i 6= j : A
kx(i) � x(j)k � p
37
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL[LoosRP13]
38
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
[LoosRP13]
39
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
Proved in KeYmaeraD
Proved in KeYmaeraD
[LoosRP13]
40
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
But these proofs are hard. Could we simplify them by changing the model in a sound way?
Proved in KeYmaeraD
Proved in KeYmaeraD
41
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
42
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
43
Modular Proof for Distributed Aircraft
Safety Property
Model
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
44
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
45
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
46
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
47
Abstracting implementation-specific design
Implicit vs. Explicit control Explicit control sets the control variable to a specific
value, in this case θ.#
[a := ✓;x00 = a]x s a := ✓
48
Abstracting implementation-specific design
Implicit vs. Explicit control Explicit control sets the control variable to a specific
value, in this case θ.#
[a := ✓;x00 = a]x s
Implicit control can set the control variable nondeterministically to any value… #
[a := ⇤; x00 = a]x s
a := ⇤blah
a := ✓
49
Abstracting implementation-specific design
Implicit vs. Explicit control Explicit control sets the control variable to a specific
value, in this case θ.#
[a := ✓;x00 = a]x s
Implicit control can set the control variable nondeterministically to any value… #
[a := ⇤; x00 = a]x s
[a := ⇤; ? (a); x00 = a]x s
… or to a range of values that satisfy some formula, in this case # (a)
? (a)
a := ⇤blah
a := ✓
50
? (a)
a := ✓
a := ⇤blah
Abstracting implementation-specific design
Implicit vs. Explicit control Explicit control sets the control variable to a specific
value, in this case θ.#
[a := ✓;x00 = a]x s
Implicit control can set the control variable nondeterministically to any value… #
[a := ⇤; x00 = a]x s
… or to a range of values that satisfy some formula, in this case # (a)
[a := ⇤; ? (a); x00 = a]x s
51
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
52
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
53
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
54
Iterative system design
α"
β"
γ"
55
Iterative system design
[a := ⇤; ? ;x00 = a]x sα"
β"
γ"
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x s
56
Iterative system design
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x sα"
β"
γ"
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x s
57
Iterative system design
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x sα"
β"
γ"
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x s
[a := ⇤; ? ;x00 = a]x s
[a := ⇤; ? ;x00 = a]x s
58
Iterative system design
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x sα"
β"
γ"
[a := ⇤; ?�[x00 = a]x s
�;x00 = a]x s
[a := ⇤; ? ;x00 = a]x s
[a := ⇤; ? ;x00 = a]x s
[a := ✓;x00 = a]x s
[a := ⇤; ? ;x00 = a]x s
59
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
60
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
α"β"Abstraction
Break the system into parts Modular proof structure
These four benefits are the motivation for
Differential Refinement Logic (dRL)
61
Refinement Relation
↵ �
62
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤ �
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
63
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
64
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
65
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
66
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
↵ � ↵ �
67
Refinement Relation
↵ �
�(?�; a := ⇤ [ a := �B);x00 = a
�⇤
�(?�; a := ✓ [ a := �B);x00 = a &
�⇤
↵ �
68
So, what does dRL look like exactly?
Syntax of a dRL formula:
69
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
70
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �FOLR
71
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
72
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + dL
73
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
74
So, what does dRL look like exactly?
Syntax of a dRL formula:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + refinement
75
So, what does dRL look like exactly?
Syntax of a dRL formula:
Syntax of a hybrid program:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
76
So, what does dRL look like exactly?
Syntax of a dRL formula:
Syntax of a hybrid program:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤
[Platzer08]
77
So, what does dRL look like exactly?
Syntax of a dRL formula:
Syntax of a hybrid program:
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �
↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤
dRL extends dL by adding refinement directly into the grammar of formulas
78
Hybrid Programs are what we use to model cyber-physical systems, just as in differential dynamic logic (dL).
[Platzer08]
v w↵
Semantics of hybrid programs
⇢(↵) = {(v, w) : when starting in state and then following transitions of , state can be reached.
v↵
w }
79
Semantics of hybrid programs
[Platzer08]
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
80
Semantics of hybrid programs
[Platzer08]
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
81
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
82
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
83
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
84
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v ? ?
85
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v ? ? Iff holds in state v |= v
86
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
87
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
⇢(? ) = {(v, v) : v |= }
88
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }
89
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
v wx
0 = ✓
⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }
90
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
v wx
0 = ✓
⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }
If solves y(t) x
0 = ✓
91
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
v wx
0 = ✓
x := y(t)
⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }
If solves y(t) x
0 = ✓
92
Semantics of hybrid programs
[Platzer08]
⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of
v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}
v? Iff holds in state v |= v
v wx
0 = ✓
x := y(t)
⇢(x
0= ✓) = {('(0),'(t)) : '(s) |= x
0= ✓ for all 0 s t}
⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }
If solves y(t) x
0 = ✓
93
Semantics of hybrid programs
[Platzer08]
v wu↵ �
↵;�
94
Semantics of hybrid programs
[Platzer08]
v wu↵ �
↵;�
⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}
95
Semantics of hybrid programs
[Platzer08]
v wu↵ �
↵;�
⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}
96
Semantics of hybrid programs
[Platzer08]
v wu↵ �
↵;�
⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}
97
Semantics of hybrid programs
[Platzer08]
v wu↵ �
↵;�
⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}
Etc…
98
Semantics of box modality
[Platzer08]
v |= [↵]�
Box Modality:
99
Semantics of box modality
[Platzer08]
v ↵↵
↵
w1
w2
w3
v |= [↵]�
Box Modality: �
100
Semantics of box modality
[Platzer08]
v ↵↵
↵
w1
w2
w3
v |= [↵]�
Box Modality: �
�
101
Semantics of box modality
[Platzer08]
v ↵↵
↵
w1
w2
w3
v |= [↵]�
Box Modality: �
�
�
102
Semantics of box modality
[Platzer08]
v ↵↵
↵
w1
w2
w3
v |= [↵]�
Box Modality: �
�
�
Iff
103
Semantics of box modality
[Platzer08]
v ↵↵
↵
w1
w2
w3
v |= [↵]�
Box Modality: �
�
�
w |= � for all w with (v, w) 2 ⇢(↵)
Iff
104
Semantics of refinement
Refinement Relation:
v |= ↵ �
105
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
v |= ↵ � ↵
↵
106
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
v |= ↵ �
v |= ↵ �v |= ↵ �
v |= ↵ �
107
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
v |= ↵ �
v |= ↵ �v |= ↵ �
v |= ↵ �↵
↵
108
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
Iff
v |= ↵ �
v |= ↵ �v |= ↵ �
v |= ↵ �
↵
↵
{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}
109
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
Iff
v |= ↵ �
v |= ↵ �v |= ↵ �
v |= ↵ �
↵
↵
{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}
110
Semantics of refinement
v
w1
w2
w3
Refinement Relation:
Iff
v |= ↵ �
v |= ↵ �v |= ↵ �
v |= ↵ �
↵
↵
{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}
111
dRL proof rules
Combining refinement and box modality:
112
dRL proof rules
Combining refinement and box modality:
To Prove:
113
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
To Prove:
114
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
↵
↵
To Prove:
115
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
↵
↵
�
�
To Prove:
116
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
We Know:
117
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
↵
↵
We Know:
118
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
v |= ↵ �v |= ↵ �
v |= ↵ �↵
↵
We Know:
119
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
v |= ↵ �v |= ↵ �
v |= ↵ �↵
↵
We Know:
120
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
v |= ↵ �v |= ↵ �
v |= ↵ �↵
↵
�
�
�
We Know:
121
dRL proof rules
Combining refinement and box modality:
v
w1
w2
w3
v |= ↵ �v |= ↵ �
v |= ↵ �↵
↵
�
�
�
122
A note on diamond modality
123
A note on diamond modality
124
A note on diamond modality
We can continue using the proof logic for dL to handle box and diamond modalities.
125
A note on diamond modality
But we need to add proof rules to handle refinements.
126
dRL Proof Rules: Partial Order
Reflexive: Transitive:
Antisymmetric:
127
dRL Proof Rules: Partial Order
Reflexive: Transitive:
Antisymmetric: This rule is by definition, since is syntactically defined as
128
dRL Proof Rules: KAT style
[Kozen97]
129
dRL Proof Rules: KAT style
[Kozen97]
130
dRL Proof Rules: KAT style
[Kozen97]
131
dRL Proof Rules: KAT style
[Kozen97]
132
dRL Proof Rules: KAT style
[Kozen97]
133
dRL Proof Rules
134
dRL Proof Rules: Structural
135
dRL Proof Rules: Differential Equations
Differential Refinement:
136
dRL Proof Rules: Differential Equations
Differential Refinement:
But that isn’t the end of the story…
137
dRL Proof Rules: Differential Equations
Differential Refinement:
But that isn’t the end of the story… ?
(x0 = 1) (x0 = 9)
138
dRL Proof Rules: Differential Equations
Differential Refinement:
But that isn’t the end of the story…
(x0 = 1) = (x0 = 9)?
139
dRL Proof Rules: Differential Equations
Differential Refinement:
But that isn’t the end of the story…
(x0 = 1) = (x0 = 9)
140
We have proved that the refinement relation can be embedded in dL. As a result, dL and dRL are equivalent in terms of expressibility and provability.
Comparing dRL and dL
We plan to analyze dRL on familiar (challenging) case studies. We can consider:
• Number of proof steps • Computation time • Qualitative difficulty to complete proof • Proof structure
141
Analyzing dRL
Break the system into parts Modular proof structure
Iterative system design
γ"β"α"
xHiLxH jLp xHkL
xHiL
xHmL
dHiLdH jLp
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
xHiLxH jLp xHkL
xHiL
xHmL
αβAbstraction
To analyze whether dRL can ease the complexity of proving tasks for hybrid systems, we can start with these four categories:
142
Designing proof search heuristics that exploit refinement to automatically create more hierarchical proof structures.
Shifting the proof responsibility completely to determining refinement.
Code synthesis – verifying that refinement relation is satisfied with each transformation step.
Additional dRL applications
143
Timeline
144
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
Timeline
Completed"
145
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
Timeline
Completed"
Completed"
146
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
Timeline
In Progress"
Completed"
Completed"
147
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
Timeline
Completed"
Completed"
Feb 2015"
148
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.
Timeline
Next Step"
Feb 2015"
Completed"
Completed"
149
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.
Timeline
May 2015"
Feb 2015"
Completed"
Completed"
150
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.
As a stretch goal, we will examine additional applications of dRL.
Timeline
Stretch Goal"
May 2015"
Feb 2015"
Completed"
Completed"
151
Completed work indicates that building complex hybrid programs from simpler ones is a good idea.
We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.
We then need to show how refinement integrates with dL by creating a proof calculus for dRL.
We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.
As a stretch goal, we will examine additional applications of dRL (e.g. synthesis and proof search)
Thesis defense.
Timeline
Aug 2015"
May 2015"
Feb 2015"
Completed"
Completed"
Stretch Goal"
152
Appendix
153
Table of Case Studies
x!i"
x! j"
p x!k"
x!l"
x!m"
safety envelopes