Toward Structured Proofs for Dynamic Logics

We present Kaisar, a structured interactive proof language for differential dynamic logic (dL), for safety-critical cyber-physical systems (CPS). The defining feature of Kaisar is *nominal terms*, which simplify CPS proofs by making the frequently needed historical references to past program states first-class. To support nominals, we extend the notion of structured proof with a first-class notion of *structured symbolic execution* of CPS models. We implement Kaisar in the theorem prover KeYmaera X and reproduce an example on the safe operation of a parachute and a case study on ground robot control. We show how nominals simplify common CPS reasoning tasks when combined with other features of structured proof. We develop an extensive metatheory for Kaisar. In addition to soundness and completeness, we show a formal specification for Kaisar's nominals and relate Kaisar to a nominal variant of dL.
