KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems

Transcription

1 KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp, André Platzer Presented at CADE-25 August 9, 2015

2 Milieu Safety-critical control software is now a fact of every-day life.

3 Milieu Safety-critical control software is now a fact of every-day life. How can we design cyber-physical systems people can bet their lives on? Jeanette Wing

4 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0

5 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline for a ϕ [{ctrl; plant} ]ψ Model: 1. Propositional Reasoning

6 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline for a ϕ [{ctrl; plant} ]ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant

7 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline for a ϕ [{ctrl; plant} ]ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program

8 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline for a ϕ [{ctrl; plant} ]ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s)

9 A Prototypical Hybrid System Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline for a ϕ [{ctrl; plant} ]ψ Model: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic

10 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: 1. Propositional Reasoning 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic

11 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: ImplyR & 2. Identify System Loop Invariant 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic

12 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: ImplyR & Loop("v 0") & 3. Symbolically Execute Control Program 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic

13 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: ImplyR & Loop("v 0") & Seq & Choice & BoxAssign & 4. Solve ODE or identify Differential Invariant(s) 5. Appeal to Decision Procedure for Real Arithmetic

14 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: ImplyR & Loop("v 0") & Seq & Choice & BoxAssign & DiffInv("v 0") & 5. Appeal to Decision Procedure for Real Arithmetic

15 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: ImplyR & Loop("v 0") & Seq & Choice & BoxAssign & DiffInv("v 0") & Arithmetic & Close

16 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: Prop & Loop("v 0") & SymbolicExecution & DiffInv("v 0") & Arithmetic & Close

17 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: Prop & Loop("v 0") & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close

18 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: Prop & Loop(LoopInvGen) & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close

19 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: Prop & Loop(LoopInvGen) & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close

20 4 Motivation: Sketching and Searching Theorem v 0 A > 0 B > 0 [{{a := A a := B}; {x = v, v = a&v 0}} ]v 0 A Prototypical Proof Outline: Prop & Loop(LoopInvGen) & SymbolicExecution & DiffInv(DIGen) & Arithmetic & Close

21 Contributions Small Core Increases trust, enables experimentation Tactics Bridging between a Hilbert-style Logic and a Gentzen-style deduction systems Extensible New logics, proof rules, axioms Customizable New interfaces (CPS Education, usability research, industry applications)

22 6 HyDRA Server User Interface Proof View REST-API Proof Tree Simplification Tactical Prover Axiomatic Core Scala-API Proof Tree manages KeYmaera X Web UI (JavaScript) Simplified Proof Tree View Tactics dl Tactics Proof Strategies uses Execution Combinators Models Wrappers for Kernel Primitives KeYmaera X Kernel (soundness-critical, Scala) Proof Certificates Axioms Searching start/stop/pause/resume controls Uniform Substitution Bound Renaming Propositional Sequent Calculus with Skolemization Proof Log Proof Storing observes executes combines stores Scheduler executes tactics on tools/ CPU cores Real Quantifier Elimination Differential Equation Solving...

23 7 Core: Uniform Substitution UniformSubstitution φ σ(φ) Where σ replaces all predicate symbols p( ) with a corresponding formula.

24 7 Core: Uniform Substitution UniformSubstitution φ σ(φ) Where σ replaces all predicate symbols p( ) with a corresponding formula. Similarly for other syntactic objects (e.g., program constants a).

25 Core: Uniform Substitution Theorem [x := 4 x := 5]x > 3 [x := 4]x > 3 [x := 5]x > 3 Proof. [a b]p(?) [a]p(?) [b]p(?) [x := 4 x := 5]x > 3 [x := 4]x > 3 [x := 5]x > 3 US Definition of substitution σ: a [x := 4] b [x := 5] p(?) x > 3

26 Core: Uniform Substitution Theorem [x := 4 x := 5]x > 3 [x := 4]x > 3 [x := 5]x > 3 Proof. [a b]p(?) [a]p(?) [b]p(?) Axiom [x := 4 x := 5]x > 3 [x := 4]x > 3 [x := 5]x > 3 US Definition of substitution σ: a [x := 4] b [x := 5] p(?) x > 3

27 Core: Axioms The Axiom File contains very nearly verbatim copies of axioms from papers: Axiom "K modal modus ponens ". [a ;]( p(?) - >q (?)) -> (([ a;]p (?)) -> ([a;]q (?))) End. Axiom "DC differential cut ". ([c&h (?);] p (?) <-> [c&(h (?)& r (?));] p (?)) <- [c&h (?);] r (?) End. Axiom " [++] choice ". [a ++ b]p (?) <-> ([a;]p(?) & [b;]p (?)). End.

28 10 HyDRA Server User Interface Proof View REST-API Proof Tree Simplification Tactical Prover Axiomatic Core Scala-API Proof Tree manages KeYmaera X Web UI (JavaScript) Simplified Proof Tree View Tactics dl Tactics Proof Strategies uses Execution Combinators Models Wrappers for Kernel Primitives KeYmaera X Kernel (soundness-critical, Scala) Proof Certificates Axioms Searching start/stop/pause/resume controls Uniform Substitution Bound Renaming Propositional Sequent Calculus with Skolemization Proof Log Proof Storing observes executes combines stores Scheduler executes tactics on tools/ CPU cores Real Quantifier Elimination Differential Equation Solving...

29 11 Sequent Calculus as Tactics QE(Γ ϕ θ 1 x ) Γ ϕ θ 1 x Γ [x := θ 1 ]ϕ QE(Γ ϕ θ 2 x ) Γ ϕ θ 2 x Γ [x := θ 2 ]ϕ Γ [x := θ 1 x := θ 2 ]ϕ

30 12 Sequent Calculus as Tactics QE(Γ ϕ θ 1 x ) Γ ϕ θ 1 x Γ [x := θ 1 ]ϕ QE(Γ ϕ θ 2 x ) Γ ϕ θ 2 x Γ [x := θ 2 ]ϕ Γ [x := θ 1 x := θ 2 ]ϕ

31 13 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ

32 13 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ Γ [x := 4 x := 5]x > 3 }{{} ψ

33 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) Γ [x := 4 x := 5]x > 3 }{{} ψ σ = a x := 4 b x := 5 p(?) x > 3 13

34 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

35 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

36 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ, [x := 4]x > 3 [x := 5]x > 3 Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

37 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ [x := 4]x > 3 [x := 5]x > 3 Γ, [x := 4]x > 3 [x := 5]x > 3 Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

38 Tactical Proving BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ [x := 4]x > 3 Γ [x := 5]x > 3 Γ [x := 4]x > 3 [x := 5]x > 3 Γ, [x := 4]x > 3 [x := 5]x > 3 Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

39 Hilbert and Gentzen Meet at Church BoxChoice Γ [α]ϕ Γ [α β]ϕ Γ [β]ϕ [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 σ = Γ [x := 4]x > 3 Γ [x := 5]x > 3 Γ [x := 4]x > 3 [x := 5]x > 3 Γ, [x := 4]x > 3 [x := 5]x > 3 Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ a x := 4 b x := 5 p(?) x > 3 13

40 Hilbert and Gentzen Meet at Church Contextual Box Assignment BoxChoice CtxCut("ϕ Γ [α]ϕ ") Γ [β]ϕ & onbranch( Γ [α β]ϕ ("Show", ), [a b]p(?) [a]p(?) [b]p(?) ψ [x := 4]x > 3 [x := 5]x > 3 USubst(a x := 4, b x := 5, p x > 3) & AxiomCtx("[++] choice") ("Use", Γ [x := 4]x > 3 Γ [x := 5]x > 3 Γ [x := 4]x > 3 [x := 5]x > 3 Γ, [x := 4]x > 3 [x := 5]x > 3 Γ, ψ [x := 4]x > 3 [x := 5]x > 3 ψ Γ [x := 4 x := 5]x > 3 }{{} ψ CtxEquiv(ante.length, 0) & AndR σ = ) ) a x := 4 b x := 5 p(?) x > 3 13

41 14 HyDRA Server User Interface Proof View REST-API Proof Tree Simplification Tactical Prover Axiomatic Core Scala-API Proof Tree manages KeYmaera X Web UI (JavaScript) Simplified Proof Tree View Tactics dl Tactics Proof Strategies uses Execution Combinators Models Wrappers for Kernel Primitives KeYmaera X Kernel (soundness-critical, Scala) Proof Certificates Axioms Searching start/stop/pause/resume controls Uniform Substitution Bound Renaming Propositional Sequent Calculus with Skolemization Proof Log Proof Storing observes executes combines stores Scheduler executes tactics on tools/ CPU cores Real Quantifier Elimination Differential Equation Solving...

42 Web-Based User Interface 15

43 System LOC KeYmaera X KeYmaera KeY HOL Light 396 Isabelle/Pure Nuprl Coq Kernel Comparison HSolver Flow PHAVer dreal millions SpaceEx HyCreate user model analysis Disclaimer: These self-reported estimates of the soundness-critical lines of code are to be taken with a grain of salt. Different languages, capabilities, styles...

44 Conclusion Small Core Increases trust, enables experimentation Tactics Bridging between a Hilbert-style Logic and a Gentzen-style deduction systems Extensible New logics, proof rules, axioms Customizable New interfaces (CPS Education, usability research, industry applications) Thanks: Ran Ji, Jean-Baptiste Jeannin, Sarah Loos, João Martins, Khalil Ghorbal Download: Developer contact keymaerax@keymaerax.org

45 18 HyDRA Server User Interface Proof View REST-API Proof Tree Simplification Tactical Prover Axiomatic Core Scala-API Proof Tree manages KeYmaera X Web UI (JavaScript) Simplified Proof Tree View Tactics dl Tactics Proof Strategies uses Execution Combinators Models Wrappers for Kernel Primitives KeYmaera X Kernel (soundness-critical, Scala) Proof Certificates Axioms Searching start/stop/pause/resume controls Uniform Substitution Bound Renaming Propositional Sequent Calculus with Skolemization Proof Log Proof Storing observes executes combines stores Scheduler executes tactics on tools/ CPU cores Real Quantifier Elimination Differential Equation Solving...