quantified differential dynamic logic for distributed hybrid systems › 4a5a ›...

Quantified Differential Dynamic Logicfor

Distributed Hybrid Systems

Andre Platzer

Carnegie Mellon University, Pittsburgh, PA

0.20.4

0.60.8

1.00.1

0.2

0.3

0.4

0.5

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 1 / 16

http://symbolaris.com/

Outline

1 Motivation

2 Quantified Differential Dynamic Logic QdLDesignSyntaxSemantics

3 Proof Calculus for Distributed Hybrid SystemsCompositional Verification CalculusDeduction Modulo with Free Variables & SkolemizationActual Existence and CreationSoundness and Completeness

4 Conclusions


http://symbolaris.com/meta/andre.html


Complex Physical Systems:

Hybrid Systems

Q: I want to verify my car

A: Hybrid systems Q: But there’s a lot of cars!

Challenge

(Hybrid Systems)

Continuous dynamics(differential equations)

Discrete dynamics(control decisions)




Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems

Q: But there’s a lot of cars!

Challenge (Hybrid Systems)



1 2 3 4t

-2

-1

1

2a

1 2 3 4t

0.5

1.0

1.5

2.0

2.5

3.0v

1 2 3 4t

1

2

3

4

5

6z




Complex Physical Systems: Hybrid Systems

Q: I want to verify my car A: Hybrid systems Q: But there’s a lot of cars!

Challenge (Hybrid Systems)



1 2 3 4t

-2

-1

1

2a

1 2 3 4t

0.5

1.0

1.5

2.0

2.5

3.0v

1 2 3 4t

1

2

3

4

5

6z





Distributed Systems

Q: I want to verify a lot of cars

A: Distributed systems Q: But they move!

Challenge

(Distributed Systems)

Local computation(finite state automaton)

Remote communication(network graph)




Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems

Q: But they move!

Challenge (Distributed Systems)






Complex Physical Systems: Distributed Systems

Q: I want to verify a lot of cars A: Distributed systems Q: But they move!

Challenge (Distributed Systems)







Distributed Hybrid Systems

Q: I want to verify lots of moving cars

A: Distributed hybrid systems Q: How?

Challenge

(Distributed Hybrid Systems)



Structural dynamics(remote communication)

Dimensional dynamics(appearance)




Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems

Q: How?

Challenge (Distributed Hybrid Systems)








Complex Physical Systems: Distributed Hybrid Systems

Q: I want to verify lots of moving cars A: Distributed hybrid systems Q: How?

Challenge (Distributed Hybrid Systems)








State of the Art:

Modeling and Simulation

No formal verification of distributed hybrid systems

Shift [DGV96] The Hybrid SystemSimulation ProgrammingLanguage

R-Charon [KSPL06] ModelingLanguage for ReconfigurableHybrid Systems

Hybrid CSP [CJR95] Semantics inExtended Duration Calculus

HyPA [CR05] Translate fragmentinto normal form.

χ process algebra [vBMR+06]Simulation, translation offragments to PHAVER, UPPAAL

Φ-calculus [Rou04] Semantics in richset theory

ACPsrths [BM05] Modeling languageproposal

OBSHS [MS06] Partial randomsimulation of objects




State of the Art: Modeling and Simulation

No formal verification of distributed hybrid systems

Shift [DGV96] The Hybrid SystemSimulation ProgrammingLanguage

R-Charon [KSPL06] ModelingLanguage for ReconfigurableHybrid Systems

Hybrid CSP [CJR95] Semantics inExtended Duration Calculus

HyPA [CR05] Translate fragmentinto normal form.

χ process algebra [vBMR+06]Simulation, translation offragments to PHAVER, UPPAAL

Φ-calculus [Rou04] Semantics in richset theory

ACPsrths [BM05] Modeling languageproposal

OBSHS [MS06] Partial randomsimulation of objects




Contributions

1 System model and semantics for distributed hybrid systems: QHP

2 Specification and verification logic: QdL3 Proof calculus for QdL4 First verification approach for distributed hybrid systems

5 Sound and complete axiomatization relative to differential equations

6 Prove collision freedom in a (simple) distributed car control system,where new cars may appear dynamically on the road

7 Logical foundation for analysis of distributed hybrid systems

8 Fundamental extension: first-order x(i) versus primitive x




Outline

1 Motivation



4 Conclusions




Outline (Conceptual Approach)

1 Motivation



4 Conclusions




Model for Distributed Hybrid Systems

Q: How to model distributed hybrid systems

A: Quantified Hybrid Programs

Model (Distributed Hybrid Systems)



Structural dynamics(communication/coupling)


n := newCar









x ′′ = a




n := newCar









x ′′ = a


a := if .. thenA else−b



n := newCar









x ′′ = a


a := if .. thenA else−b



n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)









∀i

x(i)′′ = a(i)


∀i

a(i) := if .. thenA else−b



n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)








Continuous dynamics(differential equations)∀i x(i)′′ = a(i)


∀i a(i) := if .. thenA else−b



n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)












`(i) := carInFrontOf(i)


n := newCar

(4) (4) (3) (3) (2) (2) (1) (1)





Q: How to model distributed hybrid systems A: Quantified Hybrid Programs








n := newCar





Q: How to model distributed hybrid systems A: Quantified Hybrid Programs








n := newCarAndre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 7 / 16



Quantified Differential Dynamic Logic QdL: Syntax

Definition (Quantified hybrid program α)

∀i : C x(s)′ = θ (quantified ODE)∀i : C x(s) := θ (quantified assignment)

}jump & test?χ (conditional execution)

α;β (seq. composition) }Kleene algebraα ∪ β (nondet. choice)

α∗ (nondet. repetition)










DCCS ≡ (ctrl ; drive)∗

appear ≡ n := newC ; ?(∀j : C far(j , n))

ctrl ≡ ∀i : C a(i) := if∀j : C far(i , j) thenA else−b

drive ≡ ∀i : C x(i)′′ = a(i)

newC is definable!

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)










DCCS ≡ (appear ; ctrl ; drive)∗

appear ≡ n := newC ; ?(∀j : C far(j , n))

ctrl ≡ ∀i : C a(i) := if∀j : C far(i , j) thenA else−b

drive ≡ ∀i : C x(i)′′ = a(i)

newC is definable!

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)





Definition (QdL Formula φ)

¬,∧,∨,→, ∀x ,∃x , =,≤, +, · (R-first-order part)[α]φ, 〈α〉φ (dynamic part)

∀i , j : C far(i , j)→ [(appear ; ctrl ; drive)∗] ∀i 6=j : C x(i) 6= x(j)

far(i , j) ≡ i 6= j → x(i) < x(j) ∧ v(i) ≤ v(j) ∧ a(i) ≤ a(j)

∨ x(i) > x(j) ∧ v(i) ≥ v(j) ∧ a(i) ≥ a(j) . . .

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)




Quantified Differential Dynamic Logic QdL: Semantics

Definition (Quantified hybrid program α: transition semantics)

v w∀i : C x(s) := θ

Details

t

x

0

v

wif w(x)(v e

i [[s]]) = v ei [[θ]] (for all e)

and otherwise unchanged






v w∀i : C x(s)′ = θ

∧ χ

Details

t

x

χ

w

v

ϕ(t)

∀i x(s)′ = θ

dϕ(t)ei [[x(s)]]

dt(ζ) = ϕ(ζ)ei [[θ]] (for all e)






v s w

α;β

α β

Details






v s w

α;β

α β

Details

t

x

s

v w






v s1 s2 sn w

α∗

α α α

Details






v s1 s2 sn w

α∗

α α α

Details

t

xv

w






v

w1

w2

α

β

α ∪ β

Details






v

w1

w2

α

β

α ∪ β

Details

t

xv w1

w2






v

?χ

if v |= χ

if v 6|= χ

Details

t

x

0

v no change if v |= χotherwise no transition






v[α]φ

φ

φ

φ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details

compositional semantics ⇒ compositional calculus!






v〈α〉φ

φ

α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details







v α-span

[α]φ

〈β〉φ

β-span

〈β〉[α

]-sp

an

Details





Outline (Verification Approach)

1 Motivation



4 Conclusions




Proof Calculus for Quantified Differential Dynamic Logic

if ∃i s = u then∀i (s = u → φ(θ)) elseφ(x(u))

φ([∀i x(s) := θ︸︷︷︸]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ

v w∀i x(s)′ = θ

φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ





if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))

φ([∀i x(s) := θ︸︷︷︸A

]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ


φ

∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ





if ∃i s = [A]u then∀i (s = [A]u → φ(θ)) elseφ(x([A]u))

φ([∀i x(s) := θ︸︷︷︸A

]x(u))

v w∀i x(s) := θ

φ

∃t≥0 〈∀i S(t)〉φ〈∀i x(s)′ = θ〉φ


φ∀i S(t)

∃t≥0 (χ ∧ 〈x := yx(t)〉φ)

〈x ′ = f (x)〉φ

v wx ′ = f (x)

φ

x := yx(t)x := yx (s)

χ

χ ≡ ∀0≤s≤t 〈x := yx(s)〉χ





compositional semantics ⇒ compositional rules!

[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ





[α]φ ∧ [β]φ

[α ∪ β]φv

w1

w2

αφ

βφ

α ∪ β

[α][β]φ

[α;β]φv s w

α;β

[α][β]φα

[β]φβ

φ

φ (φ→ [α]φ)

[α∗]φ v w

α∗

φ

α

φ→ [α]φ

α α

φ




Deduction Modulo with Free Variables & Skolemization

∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →∀j 6=k (−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))

∀i 6=j x(i)6=x(j),s≥0 →[∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i)6=x(j) →s≥0→ [∀i x(i) :=−b2 s2 + v(i)s + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →∀t≥0 [∀i x(i) :=−b2 t2 + v(i)t + x(i)]∀j 6=k x(j)6=x(k)

∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b]∀j 6=k x(j) 6=x(k)

∀i 6=j x(i) 6=x(j)→ [∀i x(i)′′ = −b]∀j 6=k x(j)6=x(k)

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)





∀i 6=j x(i)6=x(j) →∀j 6=k

QE

∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))


2 s2 + v(k)s + x(k))




∀i 6=j x(i)6=x(j) →[∀i x(i)′ = v(i), v(i)′ = −b] ∀j 6=k x(j) 6=x(k)


( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)





∀i 6=j x(i)6=x(j) →∀j 6=k QE∀s≥0(−b2 s2 + v(j)s + x(j) 6= −b

2 s2 + v(k)s + x(k))


2 s2 + v(k)s + x(k))






( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)





∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))


2 s2 + v(k)s + x(k))






( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)





∀X ,Y ,V ,W (X 6=Y → X≤Y∧V≤W ∨ X≥Y∧V≥W )

∀i 6=j x(i)6=x(j) →∀j 6=k (x(j)≤x(k)∧v(j)≤v(k) ∨ x(j)≥x(k)∧v(j)≥v(k))


2 s2 + v(k)s + x(k))






( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)




Actual Existence and Creation

Actual Existence Function

∃

(·)

∃

(i) =

{0 if i denotes a possible object

1 if i denotes an actively existing objects

[(∀j : C n := j);

?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃

(i) = 1 then θ else f (s))

∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)






∃

(·)

∃

(i) =



[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1

]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃


∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)






∃

(·)

∃

(i) =



[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃


∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ

( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)






∃

(·)

∃

(i) =



[(∀j : C n := j); ?(

∃

(n) = 0);

∃

(n) := 1]φ

[n := newC ]φ

∀i : C ! φ ≡ ∀i : C (

∃

(i) = 1→ φ)

∀i : C ! f (s) := θ ≡ ∀i : C f (s) := (if

∃


∀i : C ! f (s)′ = θ ≡ ∀i : C f (s)′ =

∃

(i)θ ( ) ( )

(2) (2) (1) (1) (3) (3) (4) (4)




Soundness and Completeness

Theorem (Relative Completeness)

QdL calculus is a sound & complete axiomatisation of distributed hybridsystems relative to quantified differential equations. Proof 16p.

Corollary (Proof-theoretical Alignment)

proving distributed hybrid systems = proving dynamical systems!

Corollary (Yes, we can!)

distributed hybrid systems can be verified by recursive decomposition




Outline

1 Motivation



4 Conclusions




Conclusions

quantified differential dynamic logic

QdL = FOL + DL + QHP[α]φ φ

α

Distributed hybrid systems everywhere

System model and semantics

Logic for distributed hybrid systems

Compositional proof calculus

First verification approach

Sound & complete / diff. eqn.

Simple distributed car control verified



http://symbolaris.com/lahs/


Jan A. Bergstra and C. A. Middelburg.Process algebra for hybrid systems.Theor. Comput. Sci., 335(2-3):215–280, 2005.

Zhou Chaochen, Wang Ji, and Anders P. Ravn.A formal description of hybrid systems.In Rajeev Alur, Thomas A. Henzinger, and Eduardo D. Sontag,editors, Hybrid Systems, volume 1066 of LNCS, pages 511–530.Springer, 1995.

Pieter J. L. Cuijpers and Michel A. Reniers.Hybrid process algebra.J. Log. Algebr. Program., 62(2):191–245, 2005.

Akash Deshpande, Aleks Gollu, and Pravin Varaiya.SHIFT: A formalism and a programming language for dynamicnetworks of hybrid automata.In Panos J. Antsaklis, Wolf Kohn, Anil Nerode, and Shankar Sastry,editors, Hybrid Systems, volume 1273 of LNCS, pages 113–133.Springer, 1996.

Andre Platzer (CMU) Quantified Differential Dynamic Logic for Distributed Hybrid Systems CSL’10 16 / A


Joao P. Hespanha and Ashish Tiwari, editors.Hybrid Systems: Computation and Control, 9th InternationalWorkshop, HSCC 2006, Santa Barbara, CA, USA, March 29-31, 2006,Proceedings, volume 3927 of LNCS. Springer, 2006.

Fabian Kratz, Oleg Sokolsky, George J. Pappas, and Insup Lee.R-Charon, a modeling language for reconfigurable hybrid systems.In Hespanha and Tiwari [HT06], pages 392–406.

Jose Meseguer and Raman Sharykin.Specification and analysis of distributed object-based stochastic hybridsystems.In Hespanha and Tiwari [HT06], pages 460–475.

Andre Platzer.Quantified differential dynamic logic for distributed hybrid systems.In Anuj Dawar and Helmut Veith, editors, CSL, volume 6247 of LNCS,pages 469–483. Springer, 2010.

Andre Platzer.



A complete axiomatization of quantified differential dynamic logic fordistributed hybrid systems.Logical Methods in Computer Science, 2012.Special issue for selected papers from CSL’10.

William C. Rounds.A spatial logic for the hybrid π-calculus.In Rajeev Alur and George J. Pappas, editors, HSCC, volume 2993 ofLNCS, pages 508–522. Springer, 2004.

D. A. van Beek, Ka L. Man, Michel A. Reniers, J. E. Rooda, andRamon R. H. Schiffelers.Syntax and consistent equation semantics of hybrid Chi.J. Log. Algebr. Program., 68(1-2):129–210, 2006.



quantified differential dynamic logic for distributed hybrid systems › 4a5a ›...

Documents