Transcript of: Proving Hybrid Systems (symbolaris.com/pub/fmcad-slides.pdf)
Proving Hybrid Systems
André Platzer
Computer Science Department, Carnegie Mellon University, Pittsburgh, PA
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 40
Outline
1 CPS are Multi-Dynamical Systems: Hybrid Systems; Hybrid Games
2 Dynamic Logic of Dynamical Systems: Syntax; Semantics; Example: Car Control Design
3 Proofs for CPS: Compositional Proof Calculus; Example: Safe Car Control
4 Theory of CPS: Soundness and Completeness; Differential Invariants; Example: Elementary Differential Invariants; Differential Axioms
5 Applications
6 Summary
CPSs Promise Transformative Impact!
Prospects: Safe & Efficient
Driver assistance / Autonomous cars
Pilot decision support / Autopilots / UAVs
Train protection / Robots help people
Prerequisite: CPS need to be safe
How do we make sure CPS make the world a better place?
Can you trust a computer to control physics?
Rationale
1 Safety guarantees require analytic foundations.
2 Foundations revolutionized digital computer science & our society.
3 Need even stronger foundations when software reaches out into our physical world.
Cyber-physical Systems
CPS combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.
How can we provide people with cyber-physical systems they can bet their lives on? — Jeannette Wing
CPSs are Multi-Dynamical Systems
[Figure: facets of dynamics: discrete, continuous, nondeterministic, stochastic, adversarial]
CPS Dynamics
CPS are characterized by multiple facets of dynamical systems.
CPS Compositions
CPS combine multiple simple dynamical effects.
Tame Parts
Exploiting compositionality tames CPS complexity.
CPS Analysis
Challenge (Hybrid Systems)
Fixed rule describing state evolution with both
Discrete dynamics (control decisions)
Continuous dynamics (differential equations)
[Plots: acceleration a, velocity v, and position p (px, py) against time t]
CPS Analysis: Other Agents
Challenge (Hybrid Games)
Game rules describing play choices with
Discrete dynamics (control decisions)
Continuous dynamics (differential equations)
Adversarial dynamics (Angel vs. Demon)
[Plots: acceleration a, velocity v, and position p (px, py) against time t]
CPSs are Multi-Dynamical Systems
[Figure: facets of dynamics: discrete, continuous, nondeterministic, stochastic, adversarial]
hybrid systems: HS = discrete + ODE
stochastic hybrid systems: SHS = HS + stochastics
hybrid games: HG = HS + adversary
distributed hybrid systems: DHS = HS + distributed
Dynamic Logics for Dynamical Systems
[Figure: facets of dynamics: discrete, continuous, nondeterministic, stochastic, adversarial]
differential dynamic logic: dL = DL + HP
stochastic differential DL: SdL = DL + SHP
differential game logic: dGL = GL + HG
quantified differential DL: QdL = FOL + DL + QHP
(JAR'08, CADE'11, LMCS'12, LICS'12, CADE'15, TOCL'15)
CPS Analysis
Concept (Differential Dynamic Logic) (JAR’08,LICS’12)
$\underbrace{x \neq m \wedge b > 0}_{\text{init}} \;\to\; [\,((\text{if}(SB(x,m))\ a := -b);\ x' = v,\ v' = a)^*\,]\ \underbrace{x \neq m}_{\text{post}}$
[Plots: acceleration a, velocity v (with m), and position x against time t]
CPS Analysis
Concept (Differential Dynamic Logic) (JAR’08,LICS’12)
$\underbrace{x \neq m \wedge b > 0}_{\text{init}} \;\to\; [\,((?\neg SB(x,m) \cup a := -b);\ x' = v,\ v' = a)^*\,]\ \underbrace{x \neq m}_{\text{post}}$
The conditional is written with a nondeterministic choice and a test: ?¬SB(x,m) ∪ a := −b (nondet. choice, test)
[Plots: acceleration a, velocity v (with m), and position x against time t]
Hybrid Programs vs. Hybrid Automata
Want: Compositional verification
[Figure: hybrid automaton with modes far, cls, brk, fsa and a transition guarded by x ≠ m]
Not compositional
far ≡ x' = v, v' = A & ¬SB(x,m)
brk ≡ x' = v, v' = −b & SB(x,m) ∨ true
cls ≡ x' = v, v' = … & …
fsa ≡ x' = 0, v' = 0 & v = 0
Differential Dynamic Logic dL: Syntax
Definition (Hybrid program a)
x := f(x) | ?Q | x' = f(x) & Q | a ∪ b | a; b | a*
Definition (dL Formula P)
e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | [a]P | 〈a〉P
x := f(x): discrete assign; ?Q: test condition; x' = f(x) & Q: differential equation; a ∪ b: nondet. choice; a; b: seq. compose; a*: nondet. repeat
∀x P: all reals; ∃x P: some reals; [a]P: all runs; 〈a〉P: some runs
Differential Dynamic Logic dL: Semantics
Definition (Hybrid program semantics) ($[\![\cdot]\!] : \mathrm{HP} \to \wp(\mathcal{S} \times \mathcal{S})$)
$[\![x := f(x)]\!] = \{(v, w) : w = v \text{ except } [\![x]\!]w = [\![f(x)]\!]v\}$
$[\![?Q]\!] = \{(v, v) : v \in [\![Q]\!]\}$
$[\![x' = f(x)]\!] = \{(\varphi(0), \varphi(r)) : \varphi \models x' = f(x) \text{ for some duration } r\}$
$[\![a \cup b]\!] = [\![a]\!] \cup [\![b]\!]$
$[\![a; b]\!] = [\![a]\!] \circ [\![b]\!]$
$[\![a^*]\!] = \bigcup_{n \in \mathbb{N}} [\![a^n]\!]$
Definition (dL semantics) ($[\![\cdot]\!] : \mathrm{Fml} \to \wp(\mathcal{S})$)
$[\![e_1 \geq e_2]\!] = \{v : [\![e_1]\!]v \geq [\![e_2]\!]v\}$
$[\![\neg P]\!] = ([\![P]\!])^\complement$
$[\![P \wedge Q]\!] = [\![P]\!] \cap [\![Q]\!]$
$[\![\langle a \rangle P]\!] = [\![a]\!] \circ [\![P]\!] = \{v : w \in [\![P]\!] \text{ for some } w \text{ with } (v, w) \in [\![a]\!]\}$
$[\![[a]P]\!] = [\![\neg \langle a \rangle \neg P]\!] = \{v : w \in [\![P]\!] \text{ for all } w \text{ with } (v, w) \in [\![a]\!]\}$
$[\![\exists x\, P]\!] = \{v : v_x^r \in [\![P]\!] \text{ for some } r \in \mathbb{R}\}$
Differential Dynamic Logic dL: Transition Semantics
x := f(x): transition from state v to state w if w(x) = [[f(x)]]v and w(z) = v(z) for z ≠ x
x' = f(x) & Q: transition from v = φ(0) to w = φ(r) along a solution φ(t) that stays inside Q for all t ∈ [0, r]
?Q: no change if v ∈ [[Q]], otherwise no transition
Differential Dynamic Logic dL: Transition Semantics
[Transition diagrams: a ∪ b runs either a (v to w1) or b (v to w2); a; b runs a (v to s) and then b (s to w); a* repeats a any number of times (v, v1, v2, …, w)]
Differential Dynamic Logic dL: Semantics
Definition (dL Formulas)
[Figure: from state v, the a-span of [a]P (P holds in all states reachable by running a), the b-span of 〈b〉P (P holds in some state reachable by running b), and the nested 〈b〉[a]P-span]
compositional semantics ⇒ compositional proofs!
Ex: Car Control
Accelerate condition ?H depends on A
Example (Single car): $(((?H;\ a := A) \cup a := -b);\ x' = v,\ v' = a\ \&\ v \geq 0)^*$
[Plots: acceleration a, velocity v (with m), and position x against time t]
Ex: Car Control Properties time-triggered
$H \equiv 2b(m - x) \geq v^2 + (A + b)(A\varepsilon^2 + 2\varepsilon v)$
Example (Single car $car_\varepsilon$, time-triggered): $(((?H;\ a := A) \cup a := -b);\ t := 0;\ x' = v,\ v' = a,\ t' = 1\ \&\ v \geq 0 \wedge t \leq \varepsilon)^*$
Example (Safely stays before traffic light m): $v^2 \leq 2b(m - x) \wedge A \geq 0 \wedge b > 0 \to [car_\varepsilon]\, x \leq m$
[Plots: acceleration a, velocity v (with m), and position x against time t]
Ex: Car Control Properties time-triggered (continued; same H and carε as above)
Example (Live, can move everywhere)
  ε > 0 ∧ A > 0 ∧ b > 0 → ∀p ∃m 〈carε〉 x ≥ p
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 17 / 40
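The time-triggered model carε and the safety property above, as an added example constructed here (not code from the slides): an exact simulator whose ODE is solved in closed form, run with the slide's accelerate condition H and, for contrast, with a constructed guard that checks only the current braking distance and ignores the reaction time ε. The parameter values A = 2, b = 1, ε = 1, m = 10 are assumptions.

```python
"""Exact simulator for the time-triggered car model car_eps from the slides.
Constructed example; one loop iteration of the hybrid program is
  ((?H; a := A) u a := -b); t := 0; x' = v, v' = a, t' = 1 & v >= 0 /\ t <= eps
The ODE is solved in closed form with exact rationals, so every trace produced
is a genuine run of the hybrid program, not a numerical approximation."""
from dataclasses import dataclass
from fractions import Fraction as F
import itertools


@dataclass(frozen=True)
class Params:
    A: F    # maximum acceleration, A >= 0
    b: F    # braking deceleration, b > 0
    eps: F  # upper bound on the time between two controller runs
    m: F    # position of the traffic light


def H(x, v, p):
    """Accelerate condition H from the slide: 2b(m-x) >= v^2 + (A+b)(A eps^2 + 2 eps v)."""
    return 2 * p.b * (p.m - x) >= v * v + (p.A + p.b) * (p.A * p.eps ** 2 + 2 * p.eps * v)


def H_naive(x, v, p):
    """Constructed, inadequate guard: only the braking distance for the current
    velocity, ignoring that the controller may not run again for eps time units."""
    return v * v <= 2 * p.b * (p.m - x)


def J(x, v, p):
    """Loop invariant J(x, v) == v^2 <= 2b(m - x) synthesised in the proof."""
    return v * v <= 2 * p.b * (p.m - x)


def flow(x, v, a, s):
    """Closed-form solution of x' = v, v' = a for duration s, restricted to the
    evolution domain v >= 0: braking cannot continue past standstill at v/b."""
    if a < 0:
        s = min(s, v / -a)
    return x + v * s + a * s * s / 2, v + a * s


def cycle(x, v, p, guard, accelerate, s):
    """One iteration of the loop. `accelerate` resolves the choice u (braking is
    always allowed, accelerating only if the guard passes); `s` in [0, eps]
    resolves how long the continuous evolution runs before the next controller run."""
    a = p.A if accelerate and guard(x, v, p) else -p.b
    return flow(x, v, a, s)


def run(p, guard, x=F(0), v=F(0), cycles=7, chooser=None, durations=None):
    """Return the trace [(x, v), ...] of `cycles` iterations, starting state included.
    Defaults resolve both nondeterminisms most aggressively: accelerate whenever
    allowed and let every cycle run for the full eps."""
    trace = [(x, v)]
    for i in range(cycles):
        accelerate = chooser(i) if chooser else True
        s = durations(i) if durations else p.eps
        x, v = cycle(x, v, p, guard, accelerate, s)
        trace.append((x, v))
    return trace


def first_violation(trace, p):
    """Index of the first state with x > m, i.e. where [car_eps] x <= m fails, else None."""
    for i, (x, _v) in enumerate(trace):
        if x > p.m:
            return i
    return None


def invariant_holds_everywhere(trace, p):
    return all(J(x, v, p) for x, v in trace)


def exhaustive_violations(p, guard, depth=5, fractions_of_eps=(F(1, 2), F(1))):
    """Bounded exhaustive search: every combination of the choice u and of a cycle
    duration from `fractions_of_eps` * eps, for `depth` cycles. Returns how many
    of the explored traces pass the light. Such a search can exhibit a
    counterexample, but unlike the dL proof it cannot show that none exists."""
    bad = 0
    for choices in itertools.product((True, False), repeat=depth):
        for durs in itertools.product(fractions_of_eps, repeat=depth):
            trace = run(p, guard, cycles=depth,
                        chooser=lambda i: choices[i],
                        durations=lambda i: durs[i] * p.eps)
            if first_violation(trace, p) is not None:
                bad += 1
    return bad


PARAMS = Params(A=F(2), b=F(1), eps=F(1), m=F(10))  # constructed parameter values

if __name__ == "__main__":
    for name, guard in (("H from the slide", H), ("naive guard", H_naive)):
        trace = run(PARAMS, guard)
        print(f"{name}: {[(float(x), float(v)) for x, v in trace]}")
        print(f"  first state past m: {first_violation(trace, PARAMS)}, "
              f"J invariant throughout: {invariant_holds_everywhere(trace, PARAMS)}, "
              f"violating traces in bounded search: {exhaustive_violations(PARAMS, guard)}")
```

With H the car settles at x = 9 < m and J holds in every state; the naive guard breaks J after two accelerations and the car passes the light at x = 11.5, which the bounded search also finds.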
Differential Dynamic Logic: Axioms
[:=]  [x := f]p(x) ↔ p(f)
[?]   [?q]p ↔ (q → p)
[∪]   [a ∪ b]p(x) ↔ [a]p(x) ∧ [b]p(x)
[;]   [a; b]p(x) ↔ [a][b]p(x)
[∗]   [a∗]p(x) ↔ p(x) ∧ [a][a∗]p(x)
K     [a](p(x) → q(x)) → ([a]p(x) → [a]q(x))
I     [a∗](p(x) → [a]p(x)) → (p(x) → [a∗]p(x))
V     p → [a]p   (p must not mention any variable that a can change)
DS    [x′ = f]p(x) ↔ ∀t≥0 [x := x + ft]p(x)   (f a constant term that does not mention x)
(LICS’12, CADE’15)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 18 / 40
Proofs for Hybrid Systems
compositional semantics ⇒ compositional rules!
[∪]  from  [a]p(x) ∧ [b]p(x)   conclude  [a ∪ b]p(x)
     [Figure: from v, a reaches w1 and b reaches w2; p(x) must hold at both]
[;]  from  [a][b]p(x)   conclude  [a; b]p(x)
     [Figure: v runs a to s and then b to w; [b]p(x) holds at s, p(x) at w]
[∗]  from  p(x)  and  p(x) → [a]p(x)   conclude  [a∗]p(x)
     [Figure: v runs a repeatedly to w; p(x) holds at the start and is preserved by every a step]
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 19 / 40
Example Proof: Safe Driving
J(x, v) ≡ x ≤ m
        J(x, v) → v² ≤ 2b(m − x)
QE      J(x, v) → ∀t≥0 (−(b/2)t² + vt + x ≤ m)
[:=]    J(x, v) → ∀t≥0 [x := −(b/2)t² + vt + x] J(x, v)
[′]     J(x, v) → [x′ = v, v′ = −b] J(x, v)
[:=]    J(x, v) → [a := −b][x′ = v, v′ = a] J(x, v)
[;]     J(x, v) → [a := −b; (x′ = v, v′ = a)] J(x, v)
(The proof is read bottom-up: the rule named on a line reduces that line to the line above it; the top line is the arithmetic leaf that remains.)
(CADE’15)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 20 / 40
Example Proof: Safe Driving
[Figure: car at position x moving with velocity v towards the traffic light at m]
J(x, v) ≡ v² ≤ 2b(m − x)
(With J(x, v) ≡ x ≤ m the remaining leaf J(x, v) → v² ≤ 2b(m − x) cannot be proved, because x ≤ m says nothing about v; the same braking proof is therefore repeated with the strengthened invariant, for which that leaf is immediate.)
        J(x, v) → v² ≤ 2b(m − x)
QE      J(x, v) → ∀t≥0 (−(b/2)t² + vt + x ≤ m)
[:=]    J(x, v) → ∀t≥0 [x := −(b/2)t² + vt + x] J(x, v)
[′]     J(x, v) → [x′ = v, v′ = −b] J(x, v)
[:=]    J(x, v) → [a := −b][x′ = v, v′ = a] J(x, v)
[;]     J(x, v) → [a := −b; (x′ = v, v′ = a)] J(x, v)
(CADE’15)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 20 / 40
Example Proof: Safe Driving
[Figure: car at position x moving with velocity v towards the traffic light at m]
J(x, v) ≡ v² ≤ 2b(m − x)
SB ≡ 2b(m − x) < v² + (A + b)(Aε² + 2εv)
        J(x, v) → ¬SB → (Aε + v)² ≤ 2b(m − (A/2)ε² − vε − x)
QE      J(x, v) → ¬SB → ∀t≥0 (t ≤ ε → (At + v)² ≤ 2b(m − (A/2)t² − vt − x))
        J(x, v) → ¬SB → ∀t≥0 (t ≤ ε → J((A/2)t² + vt + x, At + v))
[:=]    J(x, v) → ¬SB → ∀t≥0 (t ≤ ε → [x := (A/2)t² + vt + x] J(x, v))
[′]     J(x, v) → ¬SB → [x′ = v, v′ = A, t′ = 1 & t ≤ ε] J(x, v)
[:=]    J(x, v) → ¬SB → [a := A][x′ = v, v′ = a, t′ = 1 & t ≤ ε] J(x, v)
[;]     J(x, v) → ¬SB → [a := A; (x′ = v, v′ = a, t′ = 1 & t ≤ ε)] J(x, v)
[?]     J(x, v) → [?¬SB][a := A; (x′ = v, v′ = a, t′ = 1 & t ≤ ε)] J(x, v)
[;]     J(x, v) → [?¬SB; a := A; (x′ = v, v′ = a, t′ = 1 & t ≤ ε)] J(x, v)
(CADE’15)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 20 / 40
Example Proof: Safe Driving
[Figure: car at position x moving with velocity v towards the traffic light at m]
J(x, v) ≡ v² ≤ 2b(m − x)
SB ≡ 2b(m − x) < v² + (A + b)(Aε² + 2εv)
        previous proofs for braking and acceleration
        J(x, v) → [a := −b][x′′ = a …] J(x, v) ∧ [?¬SB; a := A][x′′ = a …] J(x, v)
[∪]     J(x, v) → [a := −b ∪ ?¬SB; a := A][x′′ = a, t′ = 1 & t ≤ ε] J(x, v)
[;]     J(x, v) → [(a := −b ∪ ?¬SB; a := A); x′′ = a, t′ = 1 & t ≤ ε] J(x, v)
ind     J(x, v) → [((a := −b ∪ ?¬SB; a := A); x′′ = a, t′ = 1 & t ≤ ε)∗] J(x, v)
1 Proof is essentially deterministic “follow your nose”
2 Synthesize invariant J(·, ·) and parameter constraint SB
3 J(x, v) is a predicate symbol to prove only once and instantiate later
(CADE’15)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 20 / 40
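Added derivation (not on the slides) of the two arithmetic leaves that the Safe Driving proof above hands to QE, one from the braking branch and one from the acceleration branch, written in the slides' own symbols; it assumes b > 0 and A ≥ 0 from the precondition and v ≥ 0 from the evolution domain of carε:

```latex
\begin{align*}
&\textbf{Braking branch.}\quad q(t) := -\tfrac{b}{2}t^2 + vt + x, \qquad q'(t) = v - bt, \\
&\text{so for } b > 0,\ v \ge 0 \text{ the maximum of } q \text{ on } t \ge 0 \text{ is at } t^\ast = v/b
 \text{ with } q(t^\ast) = x + \tfrac{v^2}{2b}; \\
&\forall t \ge 0\,\bigl(-\tfrac{b}{2}t^2 + vt + x \le m\bigr)
 \iff x + \tfrac{v^2}{2b} \le m
 \iff v^2 \le 2b(m - x) \equiv J(x, v). \\[1ex]
&\textbf{Acceleration branch.}\quad
 g(t) := (At + v)^2 - 2b\bigl(m - \tfrac{A}{2}t^2 - vt - x\bigr)
 = v^2 + (A + b)(At^2 + 2vt) - 2b(m - x), \\
&g'(t) = 2(A + b)(At + v) \ge 0 \text{ for } t \ge 0,\ A \ge 0,\ b > 0,\ v \ge 0,
 \text{ so } g \text{ is nondecreasing on } [0, \varepsilon] \text{ and} \\
&\forall t \ge 0\,\bigl(t \le \varepsilon \to (At + v)^2 \le 2b(m - \tfrac{A}{2}t^2 - vt - x)\bigr)
 \iff g(\varepsilon) \le 0 \\
&\qquad\iff 2b(m - x) \ge v^2 + (A + b)(A\varepsilon^2 + 2\varepsilon v)
 \equiv \neg SB \equiv H.
\end{align*}
```

The acceleration leaf J(x, v) → ¬SB → (Aε + v)² ≤ 2b(m − (A/2)ε² − vε − x) therefore has the form J → ¬SB → ¬SB, which is why defining SB as the negation of exactly this condition closes the branch; H on the carε slide is the same formula.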
Complete Proof Theory of Hybrid Systems
Theorem (Sound & Complete) (J.Autom.Reas. 2008, LICS’12)
dL calculus is a sound & complete axiomatization of hybrid systems relative to either differential equations or discrete dynamics. (Proof: 25pp)
Corollary (Complete Proof-theoretical Alignment & Bridging)
proving continuous = proving hybrid = proving discrete
[Figure: the hybrid system bridges its continuous and discrete parts, and the hybrid theory is aligned with both the continuous theory and the discrete theory]
(JAutomReas’08, LICS’12)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 21 / 40
Differential Invariants for Differential Equations
Differential Invariant · Differential Cut · Differential Ghost
[Figure: a trajectory of x′ = f(x) from time 0 that stays inside the invariant region inv, and a ghost variable y with y′ = g(x, y) added alongside the original dynamics]
[Diagram of the differential invariant classes DI=, DI=,∧,∨, DI>, DI>,∧,∨, DI≥, DI≥,∧,∨, DI≥,=,∧,∨, DI>,=,∧,∨ and the full class DI, ordered by provability]
Logic: provability theory  ·  Math: characteristic PDE
(JLogComput’10, CAV’08, FMSD’09, LMCS’12, ITP’12)
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40
![Page 85: Proving Hybrid Systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · Proving Hybrid Systems ... Jeannette Wing Andr e Platzer (CMU) ... t-0.8-0.6-0.4-0.2 0.2 a 2 46 8 10](https://reader035.fdocuments.net/reader035/viewer/2022062909/5b16a0ae7f8b9a4f6d8cfdaa/html5/thumbnails/85.jpg)
Differential Invariants for Differential Equations
Differential Invariant Differential Cut Differential Ghost
0 t
x
x ′= f (x)
y′ =
g(x, y
)
inv
DI= DI=,∧,∨
DI> DI>,∧,∨
DI≥ DI≥,∧,∨
DI
DI≥,=,∧,∨
DI>,=,∧,∨
Logic
Provabilitytheory
Math
Character-istic PDE
JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40
![Page 86: Proving Hybrid Systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · Proving Hybrid Systems ... Jeannette Wing Andr e Platzer (CMU) ... t-0.8-0.6-0.4-0.2 0.2 a 2 46 8 10](https://reader035.fdocuments.net/reader035/viewer/2022062909/5b16a0ae7f8b9a4f6d8cfdaa/html5/thumbnails/86.jpg)
Differential Invariants for Differential Equations
Differential Invariant Differential Cut Differential Ghost
0 t
x
x ′= f (x)
y′ =
g(x, y
)
inv
DI= DI=,∧,∨
DI> DI>,∧,∨
DI≥ DI≥,∧,∨
DI
DI≥,=,∧,∨
DI>,=,∧,∨
Logic
Provabilitytheory
Math
Character-istic PDE
JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40
![Page 87: Proving Hybrid Systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · Proving Hybrid Systems ... Jeannette Wing Andr e Platzer (CMU) ... t-0.8-0.6-0.4-0.2 0.2 a 2 46 8 10](https://reader035.fdocuments.net/reader035/viewer/2022062909/5b16a0ae7f8b9a4f6d8cfdaa/html5/thumbnails/87.jpg)
Differential Invariants for Differential Equations
Differential Invariant Differential Cut Differential Ghost
0 t
x
x ′= f (x)
y′ =
g(x, y
)
inv
DI= DI=,∧,∨
DI> DI>,∧,∨
DI≥ DI≥,∧,∨
DI
DI≥,=,∧,∨
DI>,=,∧,∨
Logic
Provabilitytheory
Math
Character-istic PDE
JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40
![Page 88: Proving Hybrid Systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · Proving Hybrid Systems ... Jeannette Wing Andr e Platzer (CMU) ... t-0.8-0.6-0.4-0.2 0.2 a 2 46 8 10](https://reader035.fdocuments.net/reader035/viewer/2022062909/5b16a0ae7f8b9a4f6d8cfdaa/html5/thumbnails/88.jpg)
Differential Invariants for Differential Equations
Differential Invariant Differential Cut Differential Ghost
0 t
x
x ′= f (x)
y′ =
g(x, y
)
inv
DI= DI=,∧,∨
DI> DI>,∧,∨
DI≥ DI≥,∧,∨
DI
DI≥,=,∧,∨
DI>,=,∧,∨
Logic
Provabilitytheory
Math
Character-istic PDE
JLogComput’10,CAV’08,FMSD’09,LMCS’12,ITP’12Andre Platzer (CMU) Proving Hybrid Systems FMCAD 22 / 40
Differential Invariants for Differential Equations (FMCAD slide 23 / 40)
Differential Invariant (DI):
  from   H → [x′ := f(x)]F′
  conclude   F → [x′ = f(x) & H]F
Differential Cut (DC):
  from   F → [x′ = f(x)]C   and   F → [x′ = f(x) & C]F
  conclude   F → [x′ = f(x)]F
  and, with an evolution domain H:
  from   F → [x′ = f(x) & H]C   and   F → [x′ = f(x) & H ∧ C]F
  conclude   F → [x′ = f(x) & H]F
Differential Ghost (DG):
  from   F ↔ ∃y G   and   G → [x′ = f(x), y′ = g(x, y) & H]G
  conclude   F → [x′ = f(x) & H]F
  if the new y′ = g(x, y) has a global solution
[Figure: a trajectory of x′ = f(x) with ghost y′ = g(x, y) over time t, staying inside the invariant region inv]
Differential Invariants for Differential Equations (FMCAD slide 24 / 40)
Proof that ω²x² + y² ≤ c² is a differential invariant of the damped oscillator (read bottom-up; ∗ marks a branch closed by real arithmetic):
  ∗
  ω≥0 ∧ d≥0 → 2ω²xy + 2y(−ω²x − 2dωy) ≤ 0
  ω≥0 ∧ d≥0 → [x′ := y][y′ := −ω²x − 2dωy] 2ω²x·x′ + 2y·y′ ≤ 0
  ω²x² + y² ≤ c² → [x′ = y, y′ = −ω²x − 2dωy & (ω≥0 ∧ d≥0)] ω²x² + y² ≤ c²
The top line closes because its left-hand side simplifies to −4dωy², which is ≤ 0 whenever ω ≥ 0 and d ≥ 0.
[Figure: trajectory of the damped oscillator in the (x, y) plane]
Differential Invariants for Differential Equations (FMCAD slide 25 / 40)
x² + x³ − y² − c = 0 → [x′ = −2y, y′ = −2x − 3x²] x² + x³ − y² − c = 0
SAS’14
Differential Invariants for Differential Equations (FMCAD slide 26 / 40)
[x′ = 2x⁴y + 4x²y³ − 6x²y, y′ = −4x³y² − 2xy⁴ + 6xy²] x⁴y² + x²y⁴ − 3x²y² ≤ c
SAS’14
Assuming Differential Invariance (FMCAD slide 27 / 40)
[Figure: regions F and ¬F, with trajectories that start in F]
Sound rule (DI):
  from   H → [x′ := f(x)]F′
  conclude   F → [x′ = f(x) & H]F
Restricted rule that additionally assumes F in the premise:
  from   F ∧ H → [x′ := f(x)]F′
  conclude   F → [x′ = θ & H]F
Example (Restrictions) (unsound):
  d² − 2d + 1 = 0 → 2de − 2e = 0
  d² − 2d + 1 = 0 → [d′ := e][e′ := −d] 2d·d′ − 2d′ = 0
  d² − 2d + 1 = 0 → [d′ = e, e′ = −d] d² − 2d + 1 = 0
[Figure: rotation in the (x, y) plane about the origin]
Example (Restrictions are unsound!): the same derivation, shown again with its verdict (FMCAD slide 27 / 40)
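The differential-invariant checks on slides 24 to 27 all reduce to one computation: form the differential (p)′ of the invariant candidate, substitute the right-hand sides of the ODE for the primed variables (the [x′ := f(x)] step), and ask whether the resulting polynomial has the required sign. The following Python block is an added illustration, not part of the slides; the `Poly` class and `lie_derivative` are this example's own helpers, not a library API. It reproduces the damped oscillator (slide 24), the two conserved-quantity examples (slides 25 and 26), and the unsound restriction of slide 27, where the differential 2e(d − 1) is not identically zero but does vanish on the assumption d = 1, an assumption the rotation does not preserve.

```python
from fractions import Fraction
from itertools import product


class Poly:
    """Sparse polynomial with exact rational coefficients (this example's own helper).
    A monomial is a sorted tuple of (variable, exponent) pairs; terms maps monomials to coefficients."""

    def __init__(self, terms=None):
        self.terms = {m: Fraction(c) for m, c in (terms or {}).items() if c != 0}

    @staticmethod
    def var(name):
        return Poly({((name, 1),): 1})

    @staticmethod
    def lift(v):
        return v if isinstance(v, Poly) else Poly({(): v})

    def __add__(self, other):
        total = dict(self.terms)
        for m, c in Poly.lift(other).terms.items():
            total[m] = total.get(m, 0) + c
        return Poly(total)

    __radd__ = __add__

    def __neg__(self):
        return Poly({m: -c for m, c in self.terms.items()})

    def __sub__(self, other):
        return self + (-Poly.lift(other))

    def __mul__(self, other):
        total = {}
        for (m1, c1), (m2, c2) in product(self.terms.items(), Poly.lift(other).terms.items()):
            exps = dict(m1)
            for v, k in m2:
                exps[v] = exps.get(v, 0) + k
            m = tuple(sorted(exps.items()))
            total[m] = total.get(m, 0) + c1 * c2
        return Poly(total)

    __rmul__ = __mul__

    def __pow__(self, n):
        result = Poly.lift(1)
        for _ in range(n):
            result = result * self
        return result

    def __eq__(self, other):
        return self.terms == Poly.lift(other).terms

    def diff(self, v):
        """Partial derivative with respect to variable v."""
        total = {}
        for m, c in self.terms.items():
            exps = dict(m)
            if exps.get(v, 0) > 0:
                k = exps[v]
                exps[v] = k - 1
                m2 = tuple(sorted((a, b) for a, b in exps.items() if b > 0))
                total[m2] = total.get(m2, 0) + c * k
        return Poly(total)

    def evaluate(self, env):
        """Value of the polynomial in a state that maps variables to numbers."""
        total = Fraction(0)
        for m, c in self.terms.items():
            term = c
            for v, k in m:
                term *= Fraction(env[v]) ** k
            total += term
        return total


def lie_derivative(p, field):
    """(p)′ after [x′ := f(x)] for every x in `field`: Σ_x ∂p/∂x · f(x).
    Variables not in `field` (c, ω, d below) have x′ = 0, i.e. they are constants."""
    total = Poly()
    for v, rhs in field.items():
        total = total + p.diff(v) * rhs
    return total


x, y, w, d, c, e = (Poly.var(n) for n in "x y w d c e".split())  # w stands for ω


def oscillator():
    """Slide 24: (ω²x² + y² − c²)′ along x′ = y, y′ = −ω²x − 2dωy; equals −4dωy², which is ≤ 0 for d, ω ≥ 0."""
    p = w**2 * x**2 + y**2 - c**2
    return lie_derivative(p, {"x": y, "y": -(w**2) * x - 2 * d * w * y})


def cubic_curve():
    """Slide 25: (x² + x³ − y² − c)′ along x′ = −2y, y′ = −2x − 3x²; identically 0, so the equation is invariant."""
    p = x**2 + x**3 - y**2 - c
    return lie_derivative(p, {"x": -2 * y, "y": -2 * x - 3 * x**2})


def hamiltonian_curve():
    """Slide 26: the slide's vector field is (∂p/∂y, −∂p/∂x) for p = x⁴y² + x²y⁴ − 3x²y², so (p)′ is identically 0."""
    p = x**4 * y**2 + x**2 * y**4 - 3 * x**2 * y**2
    field = {"x": 2 * x**4 * y + 4 * x**2 * y**3 - 6 * x**2 * y,
             "y": -4 * x**3 * y**2 - 2 * x * y**4 + 6 * x * y**2}
    return lie_derivative(p, field)


def unsound_restriction():
    """Slide 27: F ≡ d² − 2d + 1 = 0 along d′ = e, e′ = −d. Returns (F′, value of F after half a turn).
    F′ = 2de − 2e is not identically 0; it only vanishes under the assumption d = 1 (i.e. F itself).
    The rotation d(t) = d₀cos t + e₀sin t, e(t) = −d₀sin t + e₀cos t takes (1, 1) to (−1, −1) at t = π, where F fails."""
    f = d**2 - 2 * d + 1
    return lie_derivative(f, {"d": e, "e": -d}), f.evaluate({"d": -1, "e": -1})
```

The sign question in the last step of each proof (is the Lie derivative ≤ 0, or exactly 0?) is what the slides discharge by quantifier elimination; for the equational cases the polynomial is exactly zero, so no arithmetic beyond cancellation is needed.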
Differential Invariants for Differential Equations (FMCAD slide 28 / 40; repeats the overview of slide 22 / 40: DI classes DI=, DI>, DI≥ with ∧, ∨ and = combinations; provability theory in logic versus characteristic PDE in math; JLogComput’10, CAV’08, FMSD’09, LMCS’12, ITP’12)
Ex: Differential Cuts (FMCAD slide 29 / 40)
Main branch (read bottom-up):
  ∗
  QE:   y⁵ ≥ 0 → 2x²((x − 2)⁴ + y⁵) ≥ 0
        y⁵ ≥ 0 → [x′ := (x − 2)⁴ + y⁵][y′ := y²] 2x²·x′ ≥ 0
  DI:   x³ ≥ −1 → [x′ = (x − 2)⁴ + y⁵, y′ = y² & y⁵ ≥ 0] x³ ≥ −1
  DC:   x³ ≥ −1 ∧ y⁵ ≥ 0 → [x′ = (x − 2)⁴ + y⁵, y′ = y²] x³ ≥ −1
Side branch of DC, proving the cut formula y⁵ ≥ 0 invariant:
  ∗
  QE:   5y⁴·y² ≥ 0
        [x′ := (x − 2)⁴ + y⁵][y′ := y²] 5y⁴·y′ ≥ 0
  DI:   y⁵ ≥ 0 → [x′ = (x − 2)⁴ + y⁵, y′ = y²] y⁵ ≥ 0
Differential Cuts (FMCAD slide 30 / 40)
Differential Cut (DC):
  from   F → [x′ = f(x) & H]C   and   F → [x′ = f(x) & H ∧ C]F
  conclude   F → [x′ = f(x) & H]F
Theorem (Gentzen’s Cut Elimination): the cut rule
  from   A → B ∨ C   and   A ∧ C → B   conclude   A → B
can be eliminated.
Theorem (No Differential Cut Elimination) (LMCS 2012): deductive power with differential cuts exceeds deductive power without them: DCI > DI.
JLogComput’10, LMCS’12
Differential Equation Axioms & Differential Axioms (FMCAD slide 31 / 40)
DW    [x′ = f(x) & q(x)]q(x)
DC    ([x′ = f(x) & q(x)]p(x) ↔ [x′ = f(x) & q(x) ∧ r(x)]p(x)) ← [x′ = f(x) & q(x)]r(x)
DE    [x′ = f(x) & q(x)]p(x, x′) ↔ [x′ = f(x) & q(x)][x′ := f(x)]p(x, x′)
DI    [x′ = f(x) & q(x)]p(x) ← (q(x) → p(x) ∧ [x′ = f(x) & q(x)](p(x))′)
DG    [x′ = f(x) & q(x)]p(x) ↔ ∃y [x′ = f(x), y′ = a(x)y + b(x) & q(x)]p(x)
DS    [x′ = f & q(x)]p(x) ↔ ∀t≥0 ((∀0≤s≤t q(x + fs)) → [x := x + ft]p(x))
[′:=] [x′ := f]p(x′) ↔ p(f)
+′    (f(x) + g(x))′ = (f(x))′ + (g(x))′
·′    (f(x) · g(x))′ = (f(x))′ · g(x) + f(x) · (g(x))′
∘′    [y := g(x)][y′ := 1]((f(g(x)))′ = (f(y))′ · (g(x))′)
CADE’15
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Weakening) (CADE’15)
(DW) [x′ = f(x) & q(x)]q(x)
[Figure: solution of x′ = f(x) & q(x) over time t, remaining inside the region q(x) and never entering ¬q(x)]
Differential equations cannot leave their evolution domains. Implies:
[x′ = f(x) & q(x)]p(x) ↔ [x′ = f(x) & q(x)](q(x) → p(x))
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Cut) (CADE’15)
(DC) ([x′ = f(x) & q(x)]p(x) ↔ [x′ = f(x) & q(x) ∧ r(x)]p(x)) ← [x′ = f(x) & q(x)]r(x)
[Figure: solution of x′ = f(x) & q(x) over time t inside the region q(x)]
DC is a cut for differential equations.
DC is a differential modal modus ponens K.
Can’t leave r(x), then might as well restrict state space to r(x).
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Invariant) (CADE’15)
(DI) [x′ = f(x) & q(x)]p(x) ← (q(x) → p(x) ∧ [x′ = f(x) & q(x)](p(x))′)
[Figure: solution of x′ = f(x) & q(x) over time t inside the region q(x); regions F and ¬F]
Differential invariant: p(x) true now and its differential (p(x))′ true always.
What’s the differential of a formula???
What’s the meaning of a differential term . . . in a state???
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Effect) (CADE’15)
(DE) [x′ = f(x) & q(x)]p(x, x′) ↔ [x′ = f(x) & q(x)][x′ := f(x)]p(x, x′)
[Figure: solution of x′ = f(x) & q(x) over time t inside the region q(x); the differential symbol x′ takes the value f(x) along it]
Effect of the differential equation on the differential symbol x′:
[x′ := f(x)] instantly mimics the continuous effect of [x′ = f(x)] on x′
[x′ := f(x)] selects the vector field x′ = f(x) for subsequent differentials
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Ghost) (CADE’15)
(DG) [x′ = f(x) & q(x)]p(x) ↔ ∃y [x′ = f(x), y′ = a(x)y + b(x) & q(x)]p(x)
[Figure: solution of x′ = f(x) & q(x) over time t inside the region q(x), together with the ghost y′ = a(x)y + b(x)]
Differential ghosts/auxiliaries: extra differential equations that exist.
Can cause new invariants.
“Dark matter” counterweight to balance conserved quantities.
Differential Equation Axioms (FMCAD slide 32 / 40)
Axiom (Differential Solution) (CADE’15)
(DS) [x′ = f & q(x)]p(x) ↔ ∀t≥0 ((∀0≤s≤t q(x + fs)) → [x := x + ft]p(x))
[Figure: left, a solution of x′ = f(x) & q(x) over time t inside q(x); right, the straight-line solution of x′ = f & q(x) for constant f]
Differential solutions: solve differential equations with DG, DC and inverse companions.
Example: Differential Invariants Don’t Solve. Prove! (FMCAD slide 33 / 40)
1 DI proves a property of an ODE inductively by its differentials
2 DE exports vector field, possibly after DW exports evolution domain
3 CE+CQ reason efficiently in Equivalence or eQuational context
4 G isolates postcondition
5 [′:=] differential substitution uses vector field
6 ·′ differential computations are axiomatic (US)
Proof of x·x ≥ 1 → [x′ = x³] x·x ≥ 1 (read bottom-up):
  DI:     x·x ≥ 1 → [x′ = x³] x·x ≥ 1
  DE:     [x′ = x³](x·x ≥ 1)′
  CE:     [x′ = x³][x′ := x³](x·x ≥ 1)′
  G:      [x′ = x³][x′ := x³] x′·x + x·x′ ≥ 0
  [′:=]:  [x′ := x³] x′·x + x·x′ ≥ 0
  QE:     x³·x + x·x³ ≥ 0
  ∗
Equivalence used by CE, derived in the equational context:
  ·′:     (f(x)·g(x))′ = (f(x))′·g(x) + f(x)·(g(x))′
  ∗
  US:     (x·x)′ = (x)′·x + x·(x)′, i.e. (x·x)′ = x′·x + x·x′
  CQ:     (x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0, i.e. (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0
The Meaning of Primes (FMCAD slide 34 / 40)
Differential Forms
[[(θ)′]]u = ???
[[(x²)′]]u = [[2x]]u ?
depends on the differential equation . . .
well-defined locally in an isolated state at all?
[[(θ)′]]u = Σ_x u(x′) · ∂[[θ]]/∂x (u) = Σ_x u(x′) · ∂[[θ]]_{u_x^X}/∂X
[[(θ)′]] = d[[θ]] = Σ_{i=1}^{n} ∂[[θ]]/∂x_i · dx_i
u(x′) is the local shadow of dx/dt, if that existed
(θ)′ represents how θ changes locally, depending on x′
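Slide 34's definition [[(θ)′]]u = Σ_x u(x′) · ∂[[θ]]/∂x (u) says that the value of a differential term in a state depends on that state's values for the primed variables, not on any differential equation. The following Python block is an added illustration, not part of the slides: it evaluates a term on pairs (value, differential) so that each arithmetic operation applies the +′ and ·′ axioms of slide 31; `Dual`, `value`, `differential` and `differential_along` are this example's own names, and the sample states are constructed. It shows that [[(x²)′]]u is 2·u(x)·u(x′) rather than [[2x]]u, that selecting x′ := x³ as in the DE step of slide 33 makes (x·x)′ evaluate to 2x⁴, and that along the damped-oscillator vector field of slide 24 the differential of ω²x² + y² evaluates to −4dωy².

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Dual:
    """A term's value [[θ]]u together with its differential [[(θ)′]]u in one state u."""
    val: float
    tan: float

    @staticmethod
    def lift(v):
        return v if isinstance(v, Dual) else Dual(float(v), 0.0)  # constants have differential 0

    def __add__(self, other):  # axiom +′: (f + g)′ = (f)′ + (g)′
        other = Dual.lift(other)
        return Dual(self.val + other.val, self.tan + other.tan)

    __radd__ = __add__

    def __neg__(self):
        return Dual(-self.val, -self.tan)

    def __sub__(self, other):
        return self + (-Dual.lift(other))

    def __rsub__(self, other):
        return Dual.lift(other) - self

    def __mul__(self, other):  # axiom ·′: (f · g)′ = (f)′ · g + f · (g)′
        other = Dual.lift(other)
        return Dual(self.val * other.val, self.tan * other.val + self.val * other.tan)

    __rmul__ = __mul__

    def __pow__(self, n):  # repeated ·′, so (x²)′ = x′·x + x·x′
        result = Dual(1.0, 0.0)
        for _ in range(n):
            result = result * self
        return result


def _env(state):
    """Bind each unprimed variable x of state u to the pair (u(x), u(x′)); a missing x′ counts as 0."""
    return {v: Dual(float(val), float(state.get(v + "'", 0.0)))
            for v, val in state.items() if not v.endswith("'")}


def value(theta, state):
    """[[θ]]u for a term θ given as a Python function of the variable environment."""
    return theta(_env(state)).val


def differential(theta, state):
    """[[(θ)′]]u = Σ_x u(x′) · ∂[[θ]]/∂x (u), read off as the tangent component."""
    return theta(_env(state)).tan


def differential_along(theta, point, field):
    """Differential of θ at `point` once [x′ := f(x)] has selected the vector field `field`
    (variable name -> right-hand side as a function of the environment), as in axiom DE."""
    state = dict(point)
    for v, rhs in field.items():
        state[v + "'"] = value(rhs, point)
    return differential(theta, state)


# Terms and vector field used in the checks below (constructed for this example).
def x_squared(env):
    return env["x"] ** 2


def oscillator_energy(env):  # ω²x² + y², with ω written as w
    return env["w"] ** 2 * env["x"] ** 2 + env["y"] ** 2


OSCILLATOR_FIELD = {"x": lambda env: env["y"],
                    "y": lambda env: -(env["w"] ** 2) * env["x"] - 2 * env["d"] * env["w"] * env["y"]}
```

In the constructed state u with u(x) = 3 and u(x′) = 5, `differential(x_squared, u)` is 30 while `value` of the term 2x is 6, which is the slide's point that (x²)′ is not the term 2x; with the vector field of slide 24 at x = 1, y = 2, ω = 1, d = 0.5, `differential_along` returns −8, matching −4dωy².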
depends on the differential equation . . .
well-defined locally in an isolated state at all?
[[(θ)′]]u =∑x
u(x ′)∂[[θ]]I
∂x(u) =
∑x
u(x ′)∂[[θ]]uXx∂X
[[(θ)′]] = d [[θ]] =n∑
i=1
∂[[θ]]
∂x idx i
depends onstate u
tangentspace basis
cotangentspace basis
depends onu(x ′i ) = dx i
u(x ′) is the local shadow ofdx
dtif that existed
(θ)′ represents how θ changes locally, depending on x ′
→ R
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 34 / 40
![Page 141: Proving Hybrid Systems - symbolaris.comsymbolaris.com/pub/fmcad-slides.pdf · Proving Hybrid Systems ... Jeannette Wing Andr e Platzer (CMU) ... t-0.8-0.6-0.4-0.2 0.2 a 2 46 8 10](https://reader035.fdocuments.net/reader035/viewer/2022062909/5b16a0ae7f8b9a4f6d8cfdaa/html5/thumbnails/141.jpg)
The Meaning of Primes Differential Forms
[[(θ)′]]u = ???
[[(x2)′]]u = [[2x ]]u ?
depends on the differential equation . . .
well-defined locally in an isolated state at all?
[[(θ)′]]u =∑x
u(x ′)∂[[θ]]I
∂x(u) =
∑x
u(x ′)∂[[θ]]uXx∂X
[[(θ)′]] = d [[θ]] =n∑
i=1
∂[[θ]]
∂x idx i
u(x ′) is the local shadow ofdx
dtif that existed
(θ)′ represents how θ changes locally, depending on x ′
→ R
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 34 / 40
Differential Substitution Lemmas

Lemma (Differential lemma)
If ϕ ⊨ x′ = f(x) ∧ Q for duration r > 0, then for all 0 ≤ ζ ≤ r:
$$\underbrace{[\![(\eta)']\!]_{\varphi(\zeta)}}_{\text{Syntactic}} \;=\; \underbrace{\frac{d\,[\![\eta]\!]_{\varphi(t)}}{dt}(\zeta)}_{\text{Analytic}}$$

Lemma (Differential assignment)
If ϕ ⊨ x′ = f(x) ∧ Q then ϕ ⊨ φ ↔ [x′ := f(x)]φ

Lemma (Derivations)
(θ + η)′ = (θ)′ + (η)′
(θ · η)′ = (θ)′ · η + θ · (η)′
[y := θ][y′ := 1]((f(θ))′ = (f(y))′ · (θ)′)   for y, y′ ∉ θ
(f)′ = 0 for arity-0 functions/numbers f
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 35 / 40
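The three lemmas above, and the syntactic differential (θ)′ = Σ_x x′·∂θ/∂x from the "Meaning of Primes" slide, can be checked mechanically on the deck's running example x′ = x³. The following is an added example written for this page with sympy; it is not code from the slides or from KeYmaera, and the helper names (`differential`, `differential_assignment`, `di_condition`, ...) and the test terms θ = x² + 1, η = x³ − x are my own. It computes the DI obligation [x′ := x³](x·x)′ that the proof tree above reduces to 2x⁴ ≥ 0, checks the +′ and ·′ derivation lemmas, and checks the Differential lemma (syntactic value = analytic derivative) along the explicit solution φ(t) = (x0⁻² − 2t)^(−1/2) of x′ = x³.

```python
# Added example (not from the slides): the syntactic differential (θ)' of the
# "Meaning of Primes" slide and the three Differential Substitution Lemmas,
# checked with sympy on the deck's own running example x' = x^3.
# Assumption: sympy is installed. Helper names (differential,
# differential_assignment, ...) are mine, not KeYmaera's.
import sympy as sp

x = sp.Symbol("x", real=True)


def primed(v):
    """The differential symbol x' belonging to variable x."""
    return sp.Symbol(f"{v.name}'")


def differential(theta, xs):
    """(θ)' = Σ_x x' · ∂θ/∂x, a term over x and the fresh differential symbols x'.
    This is the syntactic side of the differential-form semantics."""
    return sum(primed(v) * sp.diff(theta, v) for v in xs)


def differential_assignment(phi, xs, field):
    """[x' := f(x)]φ: replace every differential symbol by the vector field."""
    return phi.subs({primed(v): f for v, f in zip(xs, field)})


def di_condition():
    """Differential-invariant obligation for x·x ≥ 1 under x' = x^3.
    [x' := x^3](x·x)' computes to 2x^4; QE then closes 2x^4 ≥ 0."""
    d = differential(x * x, [x])                          # x'·x + x·x'
    return sp.expand(differential_assignment(d, [x], [x**3]))


def derivations_hold():
    """Lemma (Derivations): +' and ·' agree with differential() on the
    constructed test terms θ = x^2 + 1 and η = x^3 - x."""
    theta, eta = x**2 + 1, x**3 - x
    dth, deta = differential(theta, [x]), differential(eta, [x])
    sum_rule = sp.expand(differential(theta + eta, [x]) - (dth + deta)) == 0
    product_rule = sp.expand(differential(theta * eta, [x]) - (dth * eta + theta * deta)) == 0
    return sum_rule and product_rule


def differential_lemma_holds():
    """Lemma (Differential lemma): along a solution φ of x' = x^3, the syntactic
    value [x' := x^3](η)' at φ(t) equals the analytic derivative d/dt of η(φ(t)).
    Here η = x·x and φ(t) = (x0^-2 - 2t)^(-1/2), the explicit solution for
    x(0) = x0 > 0 (valid while 2t < x0^-2)."""
    t, x0 = sp.symbols("t x0", positive=True)
    sol = (x0**-2 - 2 * t) ** sp.Rational(-1, 2)
    is_solution = sp.simplify(sp.diff(sol, t) - sol**3) == 0
    syntactic = differential_assignment(differential(x * x, [x]), [x], [x**3]).subs(x, sol)
    analytic = sp.diff(sol * sol, t)
    return is_solution and sp.simplify(syntactic - analytic) == 0
```

`di_condition()` returns `2*x**4`, which is exactly the arithmetic goal the proof tree hands to QE; the other two functions return True, confirming that the syntactic differential respects the +′/·′ axioms and, along an actual solution, coincides with the analytic time derivative, which is what makes the DI step sound.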
Verified CPS Applications
[figure: illustrations of verified applications (rail, road, air traffic); axis and label residue omitted]
ICFEM’09, JAIS’14, TACAS’15, CAV’08, FM’09, HSCC’11, HSCC’13, TACAS’14
[figure: robot obstacle-avoidance geometry with points (lx, ly), (rx, ry), (vx, vy); residue omitted]
FM’11, LMCS’12, ICCPS’12, ITSC’11, ITSC’13, IJCAR’12
[figure: simulation plots; axis ticks omitted]
HSCC’13, RSS’13, CADE’12

Verified CPS Applications By Undergrads
[figure: simulation plots; axis ticks omitted]
15-424/624 Foundations of Cyber-Physical Systems students
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 36 / 40
KeYmaera X Kernel: Qualifies as a Microkernel

Prover           ≈LOC (soundness-critical code + rules)
KeYmaera X           1 682
KeYmaera            65 989
KeY                 51 328
HOL Light              396
Isabelle/Pure        8 113
Nuprl               15 000 + 50 000
Coq                 20 000
HSolver             20 000
Flow∗               25 000
PHAVer              30 000
dReal               50 000 + millions
SpaceEx            100 000
HyCreate2            6 081 + user model analysis

Disclaimer: These self-reported estimates of the soundness-critical lines of code + rules are to be taken with a grain of salt. Different languages, capabilities, styles. . .
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 37 / 40
Proving Hybrid Systems

differential dynamic logic: dL = DL + HP, with modalities [α]φ and ⟨α⟩φ
Multi-dynamical systems: discrete, continuous, nondeterministic, stochastic, adversarial
Combine simple dynamics
Tame complexity
Logic & proofs for CPS
Theory of CPS
Applications
KeYmaera Prover, now KeYmaera X
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 38 / 40
Acknowledgments
Students and postdocs of the Logical Systems Lab at Carnegie Mellon:
Nathan Fulton, David Henriques, Sarah Loos, Joao Martins, Erik Zawadzki,
Khalil Ghorbal, Jean-Baptiste Jeannin, Stefan Mitsch
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 39 / 40
How to trust a computer to control physics
Recipe
1 CPS promise a transformative impact
2 CPS have to be safe to make the world a better place
3 Safety needs a safety analysis
4 Analytic tools for CPS have to be sound
5 Sound analysis needs sound and strong foundations
6 Foundations themselves have to be challenged, e.g., by applications
7 Logic has a lot to offer for CPS
8 CPS bring excitement and new challenges to logic
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 40 / 40
Logical Foundations of Cyber-Physical Systems (map of the mathematical areas involved)
Logic: Theorem Proving, Proof Theory, Modal Logic, Model Checking
Algebra: Computer Algebra, Real Algebraic Geometry, Differential Algebra, Lie Algebra
Analysis: Differential Equations, Carathéodory Solutions, Viscosity PDE Solutions, Dynamical Systems
Stochastics: Doob’s Supermartingales, Dynkin’s Infinitesimal Generators, Differential Generators, Stochastic Differential Equations
Numerics: Hermite Interpolation, Weierstraß Approximation, Error Analysis, Numerical Integration
Algorithms: Decision Procedures, Proof Search Procedures, Fixpoints & Lattices, Closure Ordinals
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 1 / 9
Differential Dynamic Logic: Axioms
([:=]) [x := f]p(x) ↔ p(f)
([?]) [?q]p ↔ (q → p)
([∪]) [a ∪ b]p(x) ↔ [a]p(x) ∧ [b]p(x)
([;]) [a; b]p(x) ↔ [a][b]p(x)
([∗]) [a∗]p(x) ↔ p(x) ∧ [a][a∗]p(x)
(K) [a](p(x) → q(x)) → ([a]p(x) → [a]q(x))
(I) [a∗](p(x) → [a]p(x)) → (p(x) → [a∗]p(x))
(V) p → [a]p
(DS) [x′ = f]p(x) ↔ ∀t≥0 [x := x + ft]p(x)
LICS’12, CADE’15

Differential Dynamic Logic: Rules (premises above the line, conclusion below)
(G)  from p(x) infer [a]p(x)
(∀)  from p(x) infer ∀x p(x)
(MP) from p → q and p infer q
(CT) from f(x) = g(x) infer c(f(x)) = c(g(x))
(CQ) from f(x) = g(x) infer p(f(x)) ↔ p(g(x))
(CE) from p(x) ↔ q(x) infer C(p(x)) ↔ C(q(x))
LICS’12, CADE’15
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 2 / 9
Differential Equation Axioms & Differential Axioms
(DW) [x′ = f(x) & q(x)]q(x)
(DC) ([x′ = f(x) & q(x)]p(x) ↔ [x′ = f(x) & q(x) ∧ r(x)]p(x)) ← [x′ = f(x) & q(x)]r(x)
(DE) [x′ = f(x) & q(x)]p(x, x′) ↔ [x′ = f(x) & q(x)][x′ := f(x)]p(x, x′)
(DI) [x′ = f(x) & q(x)]p(x) ← (q(x) → p(x) ∧ [x′ = f(x) & q(x)](p(x))′)
(DG) [x′ = f(x) & q(x)]p(x) ↔ ∃y [x′ = f(x), y′ = a(x)y + b(x) & q(x)]p(x)
(DS) [x′ = f & q(x)]p(x) ↔ ∀t≥0 ((∀0≤s≤t q(x + fs)) → [x := x + ft]p(x))
([′:=]) [x′ := f]p(x′) ↔ p(f)
(+′) (f(x) + g(x))′ = (f(x))′ + (g(x))′
(·′) (f(x) · g(x))′ = (f(x))′ · g(x) + f(x) · (g(x))′
(∘′) [y := g(x)][y′ := 1]((f(g(x)))′ = (f(y))′ · (g(x))′)
CADE’15
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 3 / 9
References
[1] Andre Platzer. Logics of dynamical systems. In LICS [17], pages 13–24. doi:10.1109/LICS.2012.13.
[2] Andre Platzer. Foundations of cyber-physical systems. Lecture Notes 15-424/624, Carnegie Mellon University, 2014. URL: http://www.cs.cmu.edu/~aplatzer/course/fcps14/fcps14.pdf.
[3] Andre Platzer. Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4.
[4] Andre Platzer. Differential dynamic logic for hybrid systems. J. Autom. Reas., 41(2):143–189, 2008. doi:10.1007/s10817-008-9103-8.
[5] Andre Platzer. A uniform substitution calculus for differential dynamic logic. In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 467–481. Springer, 2015. doi:10.1007/978-3-319-21401-6_32.
[6] Andre Platzer. Differential game logic. ACM Trans. Comput. Log., 2015. To appear. Preprint at arXiv 1408.1980. doi:10.1145/2817824.
[7] Andre Platzer. The complete proof theory of hybrid systems. In LICS [17], pages 541–550. doi:10.1109/LICS.2012.64.
[8] Andre Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Log. Meth. Comput. Sci., 8(4):1–44, 2012. Special issue for selected papers from CSL’10. doi:10.2168/LMCS-8(4:17)2012.
[9] Andre Platzer. Stochastic differential dynamic logic for stochastic hybrid programs. In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34.
[10] Andre Platzer. Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput., 20(1):309–352, 2010. doi:10.1093/logcom/exn070.
[11] Andre Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176–189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17.
[12] Andre Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des., 35(1):98–120, 2009. Special issue for selected papers from CAV’08. doi:10.1007/s10703-009-0079-8.
[13] Andre Platzer. The structure of differential invariants and differential cut elimination. Log. Meth. Comput. Sci., 8(4):1–38, 2012. doi:10.2168/LMCS-8(4:16)2012.
[14] Andre Platzer. A differential operator approach to equational differential invariants. In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 of LNCS, pages 28–48. Springer, 2012. doi:10.1007/978-3-642-32347-8_3.
[15] Khalil Ghorbal, Andrew Sogokon, and Andre Platzer. Invariance of conjunctions of polynomial equalities for algebraic differential equations. In Markus Müller-Olm and Helmut Seidl, editors, SAS, volume 8723 of LNCS, pages 151–167. Springer, 2014. doi:10.1007/978-3-319-10936-7_10.
[16] Khalil Ghorbal and Andre Platzer. Characterizing algebraic invariants by differential radical invariants. In Erika Ábrahám and Klaus Havelund, editors, TACAS, volume 8413 of LNCS, pages 279–294. Springer, 2014. doi:10.1007/978-3-642-54862-8_19.
[17] Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 3 / 9
Outline (backup slides)
7 Differential Radical Invariants
8 ACAS X
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 3 / 9
Differential Radical Invariants

Theorem (Differential radical invariant characterization)
The real-arithmetic condition
$$h = 0 \;\to\; \bigwedge_{i=0}^{N-1} \bigl(h^{(i)}\bigr)^{p}_{x'} = 0$$
holds if and only if
$$h = 0 \;\to\; [x' = p]\, h = 0$$
so it characterizes all algebraic invariants. Here $(h^{(i)})^{p}_{x'}$ is the $i$-th differential of $h$ with $x'$ replaced by $p$ (the $i$-th Lie derivative along $x' = p$), and $N = \operatorname{ord}_{\sqrt{}}(h)$ is the first order at which the Lie derivative becomes a polynomial combination of the lower ones, i.e.
$$\bigl(h^{(N)}\bigr)^{p}_{x'} \;=\; \sum_{i=0}^{N-1} g_i\,\bigl(h^{(i)}\bigr)^{p}_{x'} \qquad (g_i \in \mathbb{R}[x])$$

Corollary (Algebraic Invariants Decidable)
Algebraic invariants of algebraic differential equations are decidable.
with Khalil Ghorbal TACAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 4 / 9
Case Study: Longitudinal Dynamics of an Airplane

Study (6th Order Longitudinal Flight Equations)
$$\begin{aligned}
u' &= \tfrac{X}{m} - g\sin(\theta) - q\,w &&\text{axial velocity}\\
w' &= \tfrac{Z}{m} + g\cos(\theta) + q\,u &&\text{vertical velocity}\\
x' &= \cos(\theta)\,u + \sin(\theta)\,w &&\text{range}\\
z' &= -\sin(\theta)\,u + \cos(\theta)\,w &&\text{altitude}\\
\theta' &= q &&\text{pitch angle}\\
q' &= \tfrac{M}{I_{yy}} &&\text{pitch rate}
\end{aligned}$$
[figure: trajectory plot of altitude z against range x; axis ticks omitted]
X: thrust along u;  Z: thrust along w;  M: thrust moment for w;  g: gravity;  m: mass;  I_yy: inertia second diagonal
with Khalil Ghorbal TACAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 5 / 9
Case Study: Longitudinal Dynamics of an Airplane

Result (DRI Automatically Generates Invariant Functions)
$$\frac{M z}{I_{yy}} + g\theta + \Bigl(\frac{X}{m} - q\,w\Bigr)\cos(\theta) + \Bigl(\frac{Z}{m} + q\,u\Bigr)\sin(\theta)$$
$$\frac{M x}{I_{yy}} - \Bigl(\frac{Z}{m} + q\,u\Bigr)\cos(\theta) + \Bigl(\frac{X}{m} - q\,w\Bigr)\sin(\theta)$$
$$-q^2 + \frac{2 M \theta}{I_{yy}}$$
with Khalil Ghorbal TACAS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 6 / 9
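The invariant functions above are stated without proof on the slide, and the differential radical invariant theorem two slides earlier is stated abstractly. The following added example (written for this page with sympy; not code from the slides, from KeYmaera, or from the TACAS’14 tool) does both checks: it verifies that each of the three flight-equation functions has Lie derivative identically zero along the 6th-order dynamics (the DI condition for an equational invariant h = c), and it implements the order N = ord_√(h) and the characterization h = 0 → ⋀_{i<N} h^{(i)} = 0 for polynomial systems, using a Gröbner basis for the ideal-membership step. The two small polynomial systems (a rotation and a shear) and all function names are my own constructions; the flight model and its invariants are copied from the slides.

```python
# Added example (not from the slides): Lie derivatives along an ODE, used (1) to
# check that the three invariant functions DRI produced for the 6th-order
# longitudinal flight equations are indeed conserved, and (2) to implement the
# differential-radical-invariant order N from the TACAS'14 characterization on
# two small polynomial systems. Assumption: sympy is installed. Function names
# and the two small systems are mine; the flight model and its invariants are
# copied from the slides.
import itertools
import sympy as sp


def lie_derivative(h, xs, field):
    """h^(1) = Σ_i f_i · ∂h/∂x_i, i.e. (h)' with x' := f(x) substituted."""
    return sum(f * sp.diff(h, v) for v, f in zip(xs, field))


# --- (1) Longitudinal flight equations from the case-study slide ------------
u, w, x, z, th, q = sp.symbols("u w x z theta q", real=True)
X, Z, M, g, m, Iyy = sp.symbols("X Z M g m I_yy", positive=True)
FLIGHT_VARS = [u, w, x, z, th, q]
FLIGHT_FIELD = [
    X / m - g * sp.sin(th) - q * w,      # u'  axial velocity
    Z / m + g * sp.cos(th) + q * u,      # w'  vertical velocity
    sp.cos(th) * u + sp.sin(th) * w,     # x'  range
    -sp.sin(th) * u + sp.cos(th) * w,    # z'  altitude
    q,                                   # θ'  pitch angle
    M / Iyy,                             # q'  pitch rate
]
FLIGHT_INVARIANTS = [
    M * z / Iyy + g * th + (X / m - q * w) * sp.cos(th) + (Z / m + q * u) * sp.sin(th),
    M * x / Iyy - (Z / m + q * u) * sp.cos(th) + (X / m - q * w) * sp.sin(th),
    -q**2 + 2 * M * th / Iyy,
]


def flight_invariants_conserved():
    """True for each invariant function h iff its Lie derivative is identically 0,
    which is the DI condition for the equation h = c along the flight dynamics."""
    out = []
    for h in FLIGHT_INVARIANTS:
        d = sp.expand(lie_derivative(h, FLIGHT_VARS, FLIGHT_FIELD))
        d = sp.expand(d.subs(sp.sin(th)**2, 1 - sp.cos(th)**2))  # sin² + cos² = 1
        out.append(sp.simplify(d) == 0)
    return out


# --- (2) Differential radical invariants for polynomial systems -------------
def dri_order(h, xs, field):
    """N = ord_√(h): the first N such that h^(N) lies in the ideal generated by
    h^(0), ..., h^(N-1) (membership tested with a Gröbner basis)."""
    derivs = [sp.expand(h)]
    while True:
        nxt = sp.expand(lie_derivative(derivs[-1], xs, field))
        if nxt == 0 or sp.groebner(derivs, *xs, order="grevlex").contains(nxt):
            return len(derivs), derivs
        derivs.append(nxt)


def dri_decide(h, xs, field):
    """Decide h = 0 → [x' = p] h = 0 via the characterization
    h = 0 → ∧_{i<N} h^(i) = 0.  Returns (N, verdict): True when every h^(i) is a
    polynomial multiple of h (a sufficient condition), False when a small-grid
    point with h = 0 but some h^(i) ≠ 0 refutes the implication, and None when
    this cheap test is inconclusive and real quantifier elimination is needed."""
    n, derivs = dri_order(h, xs, field)
    ideal_h = sp.groebner([derivs[0]], *xs, order="grevlex")
    if all(d == 0 or ideal_h.contains(d) for d in derivs[1:]):
        return n, True
    for point in itertools.product(range(-2, 3), repeat=len(xs)):
        at = dict(zip(xs, point))
        if derivs[0].subs(at) == 0 and any(d.subs(at) != 0 for d in derivs[1:]):
            return n, False
    return n, None


def dri_examples():
    """Constructed systems: the unit circle under the rotation a' = -b, b' = a is
    invariant (N = 1); the line a = 0 under the shear a' = b, b' = 0 is not
    (N = 2, and a = 0 does not imply a' = b = 0)."""
    a, b = sp.symbols("a b", real=True)
    circle = dri_decide(a**2 + b**2 - 1, [a, b], [-b, a])
    line = dri_decide(a, [a, b], [b, sp.Integer(0)])
    return circle, line
```

`flight_invariants_conserved()` returns `[True, True, True]`; for the first function the Lie derivative expands to g·q − g·q·sin²θ − g·q·cos²θ, so the check genuinely needs the trigonometric identity, while the other two cancel polynomially. `dri_examples()` returns `((1, True), (2, False))`. The theorem on the slide makes the real-arithmetic formula exact; the decision step here is deliberately the cheap sufficient/refuting fragment of it (ideal membership and grid counterexamples), with `None` signalling that a real QE procedure, as used by KeYmaera, would have to decide the remaining cases.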
Case Study: Dubins Dynamics of 2 Airplanes

Result (DRI Automatically Generates Invariants)
$$\omega_1 = 0 \land \omega_2 = 0 \;\to\; v_2 \sin\vartheta\, x = (v_2 \cos\vartheta - v_1)\, y > p\,(v_1 + v_2)$$
$$\omega_1 \neq 0 \lor \omega_2 \neq 0 \;\to\; -\omega_1\omega_2\,(x^2 + y^2) + 2 v_2 \omega_1 \sin\vartheta\, x + 2\,(v_1\omega_2 - v_2\omega_1 \cos\vartheta)\, y + 2 v_1 v_2 \cos\vartheta \;>\; 2 v_1 v_2 + 2p\,(v_2|\omega_1| + v_1|\omega_2|) + p^2\,|\omega_1\omega_2|$$
[figure: aircraft trajectories; residue omitted]
JAIS’14Andre Platzer (CMU) Proving Hybrid Systems FMCAD 7 / 9
Airborne Collision Avoidance System ACAS X: Verify
Developed by the FAA to replace current TCAS in aircraft
Approximately optimizes a Markov Decision Process on a grid
Advisory from lookup tables with numerous 5D interpolation regions
1 Identified safe region for each advisory symbolically
2 Proved safety for hybrid systems flight model in KeYmaera
TACAS’15
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 8 / 9
Airborne Collision Avoidance System ACAS X: Compare
ACAS X table comparison shows a safe advisory in 97.7% of the 648,591,384,375 states compared (15,160,434,734 counterexamples).
ACAS X issues a DNC advisory, which induces a collision unless corrected
TACAS’15
Andre Platzer (CMU) Proving Hybrid Systems FMCAD 9 / 9