differential refinement logic - carnegie mellon …sloos/loosproposalslides.pdf1 sarah m. loos csd,...

Sarah M. Loos

CSD, Carnegie Mellon University

Differential Refinement Logic Thesis Proposal

Thesis Committee: André Platzer (chair) Frank Pfenning Bruce Krogh George Pappas (UPenn) Dexter Kozen (Cornell)

Challenge: Cyber-Physical Systems

Verified Cyber-Physical Systems

[FM11]

p x!k"

[FM11, HSCC13]

p x!k"

[FM11, ITSC11, ICCPS12, HSCC13]

We observed that if only we had direct proof support for relating systems, our proofs could be greatly simplified. In this thesis, we propose to develop proof support for directly comparing cyber-physical systems.

Proof support for relating two hybrid programs can help in four ways:

Break the system into parts Modular proof structure

Iterative system design

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

Proof support for relating two hybrid programs can help in four ways:

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

Distributed Car Control

Sensor limits on actual cars are always local.

Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.

But is a terrible idea when implemented globally. Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.

Car Control: Proof Sketch

Local Lane Control •  2 vehicles •  1 lane •  no lane change

[FM11]

(a := ✓;x00 = a)⇤

[FM11]

Global Lane Control •  n vehicles •  1 lane •  no lane change

[FM11]

Global Lane Control •  n vehicles •  1 lane •  no lane change

⌘8i : C

⇣8i, j : C ji

Local Lane Control

Global Lane Control

•  2 vehicles •  1 lane •  no lane change

•  n vehicles •  1 lane •  no lane change

[FM11]

Local Lane Control

Global Lane Control

Local Highway Control

•  n vehicles •  1 lane •  lane changes

[FM11]

Local Lane Control

Global Lane Control

[FM11]

⌘⇤⇣⇣delete⇤; create⇤;

Local Lane Control

Global Lane Control

[FM11]

Local Lane Control

Global Lane Control

Global Highway Control

[FM11]

•  n vehicles •  m lanes •  lane changes

Local Lane Control

Global Lane Control

[FM11]

⌘8l : L

Local Lane Control

Global Lane Control

[FM11]

Car Control: Proof

[FM11]

Car Control: Proof

[FM11]

Car Control: Proof

[FM11]

Car Control: Proof

[FM11]

⇣delete⇤; create⇤;

Car Control: Proof

[FM11]

Car Control: Proof

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

• Each aircraft is associated with a buffer disc. • The discs should never come within p of each other. • Discs follow aircraft when not in collision avoidance. • Each aircraft circles its stationary disc when in collision avoidance.

Distributed Aircraft Control

[PallottinoSBF07, LoosRP13]

xHiLxH jLp xHkL

Modular Proof for Distributed Aircraft

xHiLxH jLp xHkL

[LoosRP13]

To Prove: Safe separation of aircraft.

8i 6= j : A

kx(i) � x(j)k � p

To Prove: Safe separation of aircraft.

xHiLxH jLp xHkL

xHmLdHiL

dH jLp =)

xHiLxH jLp xHkL

xHmL =)^

[LoosRP13]

8i : Akx(i) � d(i)k = r

8i 6= j : A

kd(i) � d(j)k � 2r + p

8i 6= j : A

kx(i) � x(j)k � p

Safety Property

xHiLxH jLp xHkL

xHmL[LoosRP13]

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

[LoosRP13]

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

Proved in KeYmaeraD

[LoosRP13]

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

But these proofs are hard. Could we simplify them by changing the model in a sound way?

Proved in KeYmaeraD

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

Safety Property

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

Abstracting implementation-specific design

Implicit vs. Explicit control Explicit control sets the control variable to a specific

value, in this case θ.#

[a := ✓;x00 = a]x s a := ✓

[a := ✓;x00 = a]x s

Implicit control can set the control variable nondeterministically to any value… #

[a := ⇤; x00 = a]x s

a := ⇤blah

a := ✓

[a := ✓;x00 = a]x s

[a := ⇤; x00 = a]x s

[a := ⇤; ? (a); x00 = a]x s

… or to a range of values that satisfy some formula, in this case # (a)

a := ⇤blah

a := ✓

a := ⇤blah

[a := ✓;x00 = a]x s

[a := ⇤; x00 = a]x s

… or to a range of values that satisfy some formula, in this case # (a)

[a := ⇤; ? (a); x00 = a]x s

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

[a := ⇤; ? ;x00 = a]x sα"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

[a := ✓;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

α"β"Abstraction

These four benefits are the motivation for

Differential Refinement Logic (dRL)

Refinement Relation

↵ �

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤ �

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

↵ � ↵ �

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

↵ �

So, what does dRL look like exactly?

Syntax of a dRL formula:

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �FOLR

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + dL

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + refinement

Syntax of a hybrid program:

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤

[Platzer08]

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤

dRL extends dL by adding refinement directly into the grammar of formulas

Hybrid Programs are what we use to model cyber-physical systems, just as in differential dynamic logic (dL).

[Platzer08]

v w↵

Semantics of hybrid programs

⇢(↵) = {(v, w) : when starting in state and then following transitions of , state can be reached.

[Platzer08]

v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

[Platzer08]

v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of

v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

[Platzer08]

⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

[Platzer08]

⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

[Platzer08]

⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

[Platzer08]

v ? ? Iff holds in state v |= v

[Platzer08]

v? Iff holds in state v |= v

[Platzer08]

⇢(? ) = {(v, v) : v |= }

[Platzer08]

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

[Platzer08]

0 = ✓

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

[Platzer08]

0 = ✓

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

[Platzer08]

0 = ✓

x := y(t)

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

[Platzer08]

0 = ✓

x := y(t)

0= ✓) = {('(0),'(t)) : '(s) |= x

0= ✓ for all 0 s t}

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

[Platzer08]

v wu↵ �

↵;�

[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

Etc…

Semantics of box modality

[Platzer08]

v |= [↵]�

Box Modality:

[Platzer08]

v ↵↵

v |= [↵]�

Box Modality: �

[Platzer08]

v ↵↵

v |= [↵]�

Box Modality: �

[Platzer08]

v ↵↵

v |= [↵]�

Box Modality: �

[Platzer08]

v ↵↵

v |= [↵]�

Box Modality: �

[Platzer08]

v ↵↵

v |= [↵]�

Box Modality: �

w |= � for all w with (v, w) 2 ⇢(↵)

Semantics of refinement

Refinement Relation:

v |= ↵ �

v |= ↵ � ↵

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �↵

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

dRL proof rules

Combining refinement and box modality:

dRL proof rules

To Prove:

dRL proof rules

To Prove:

dRL proof rules

To Prove:

dRL proof rules

To Prove:

dRL proof rules

We Know:

dRL proof rules

We Know:

dRL proof rules

v |= ↵ �v |= ↵ �

v |= ↵ �↵

We Know:

dRL proof rules

v |= ↵ �v |= ↵ �

v |= ↵ �↵

We Know:

dRL proof rules

v |= ↵ �v |= ↵ �

v |= ↵ �↵

We Know:

dRL proof rules

v |= ↵ �v |= ↵ �

v |= ↵ �↵

A note on diamond modality

We can continue using the proof logic for dL to handle box and diamond modalities.

A note on diamond modality

But we need to add proof rules to handle refinements.

dRL Proof Rules: Partial Order

Reflexive: Transitive:

Antisymmetric:

dRL Proof Rules: Partial Order

Reflexive: Transitive:

Antisymmetric: This rule is by definition, since is syntactically defined as

dRL Proof Rules: KAT style

[Kozen97]

dRL Proof Rules

dRL Proof Rules: Structural

dRL Proof Rules: Differential Equations

Differential Refinement:

But that isn’t the end of the story…

But that isn’t the end of the story… ?

(x0 = 1) (x0 = 9)

(x0 = 1) = (x0 = 9)?

(x0 = 1) = (x0 = 9)

We have proved that the refinement relation can be embedded in dL. As a result, dL and dRL are equivalent in terms of expressibility and provability.

Comparing dRL and dL

We plan to analyze dRL on familiar (challenging) case studies. We can consider:

• Number of proof steps • Computation time • Qualitative difficulty to complete proof • Proof structure

Analyzing dRL

γ"β"α"

xHiLxH jLp xHkL

dHiLdH jLp

xHiLxH jLp xHkL

αβAbstraction

To analyze whether dRL can ease the complexity of proving tasks for hybrid systems, we can start with these four categories:

  Designing proof search heuristics that exploit refinement to automatically create more hierarchical proof structures.

  Shifting the proof responsibility completely to determining refinement.

  Code synthesis – verifying that refinement relation is satisfied with each transformation step.

Additional dRL applications

Timeline

  Completed work indicates that building complex hybrid programs from simpler ones is a good idea.

Timeline

Completed"

  We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.

Timeline

Completed"

  We then need to show how refinement integrates with dL by creating a proof calculus for dRL.

Timeline

In Progress"

Completed"

Timeline

Completed"

Feb 2015"

  We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.

Timeline

Next Step"

Feb 2015"

Completed"

Timeline

May 2015"

Feb 2015"

Completed"

  As a stretch goal, we will examine additional applications of dRL.

Timeline

Stretch Goal"

May 2015"

Feb 2015"

Completed"

  As a stretch goal, we will examine additional applications of dRL (e.g. synthesis and proof search)

Thesis defense.

Timeline

Aug 2015"

May 2015"

Feb 2015"

Completed"

Stretch Goal"

Appendix

Table of Case Studies

p x!k"

safety envelopes

differential refinement logic - carnegie mellon …sloos/loosproposalslides.pdf1 sarah m. loos csd,...

Documents

carnegie mellon university

carnegie melloncarnegie melloncarnegie mellon...

paul luo li (carnegie mellon university) james herbsleb...

carnegie mellon,

carnegie mellon facts 1993 · carnegie mellon facts 1993...

carnegie mellon universitycschafer/cmspbs.pdf · 2009. 2....

swsi update carnegie mellon university katia sycara carnegie...

carnegie mellon google_ad_study

yudi chen, carnegie mellon university catherine groschner,...

carnegie mellon universitycarnegie mellon university

carnegie mellon universitygenovese/talks/ipam-04.pdf ·...

carnegie mellon university notice · carnegie mellon...

ryan ’donnell carnegie mellon university o. ryan...

carnegie mellon electricity industry center carnegie...

carnegie mellon