Differential Refinement Logic - Carnegie Mellon …sloos/LoosProposalSlides.pdf1 Sarah M. Loos CSD,...

1

Sarah M. Loos

CSD, Carnegie Mellon University

Differential Refinement Logic Thesis Proposal

Thesis Committee: André Platzer (chair) Frank Pfenning Bruce Krogh George Pappas (UPenn) Dexter Kozen (Cornell)

2

Challenge: Cyber-Physical Systems

3

Verified Cyber-Physical Systems

[FM11]

4

x!i"

x! j"

p x!k"

x!l"

x!m"


[FM11, HSCC13]

5

x!i"

x! j"

p x!k"

x!l"

x!m"


[FM11, ITSC11, ICCPS12, HSCC13]

6

We observed that if only we had direct proof support for relating systems, our proofs could be greatly simplified. In this thesis, we propose to develop proof support for directly comparing cyber-physical systems.


7

Proof support for relating two hybrid programs can help in four ways:

8


Break the system into parts Modular proof structure

Iterative system design

γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

9




γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

10

Distributed Car Control

Sensor limits on actual cars are always local.

11

Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.


12

!

But is a terrible idea when implemented globally. Sometimes a maneuver may look safe locally… Sensor limits on actual cars are always local.


13

Car Control: Proof Sketch

Local Lane Control •  2 vehicles •  1 lane •  no lane change

[FM11]

14



[FM11]

(a := ✓;x00 = a)⇤

15



[FM11]

16



[FM11]

Global Lane Control •  n vehicles •  1 lane •  no lane change

17



[FM11]

Global Lane Control •  n vehicles •  1 lane •  no lane change

⌘8i : C

⇣8i, j : C ji

18


Local Lane Control

Global Lane Control

•  2 vehicles •  1 lane •  no lane change

•  n vehicles •  1 lane •  no lane change

[FM11]

19


Local Lane Control

Global Lane Control

Local Highway Control



•  n vehicles •  1 lane •  lane changes

[FM11]

20


Local Lane Control

Global Lane Control





[FM11]

⌘⇤⇣⇣delete⇤; create⇤;

21


Local Lane Control

Global Lane Control





[FM11]

22


Local Lane Control

Global Lane Control


Global Highway Control

[FM11]




•  n vehicles •  m lanes •  lane changes

23


Local Lane Control

Global Lane Control



[FM11]





⌘8l : L

⇣

24


Local Lane Control

Global Lane Control



[FM11]





25

Car Control: Proof

[FM11]

26

Car Control: Proof

[FM11]

27

Car Control: Proof

[FM11]

28

Car Control: Proof

[FM11]

⇣delete⇤; create⇤;

29

Car Control: Proof

[FM11]

30

Car Control: Proof

31



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

32



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

33



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

34

• Each aircraft is associated with a buffer disc. • The discs should never come within p of each other. • Discs follow aircraft when not in collision avoidance. • Each aircraft circles its stationary disc when in collision avoidance.

Distributed Aircraft Control

[PallottinoSBF07, LoosRP13]

xHiLxH jLp xHkL

xHlL

xHmL

35

Modular Proof for Distributed Aircraft

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

[LoosRP13]

To Prove: Safe separation of aircraft.

8i 6= j : A

kx(i) � x(j)k � p

36


To Prove: Safe separation of aircraft.

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmLdHiL

dH jLp =)

xHiLxH jLp xHkL

xHiL

xHmL =)^

^

[LoosRP13]

8i : Akx(i) � d(i)k = r

8i 6= j : A

kd(i) � d(j)k � 2r + p

8i 6= j : A

kx(i) � x(j)k � p

37


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL[LoosRP13]

38


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

[LoosRP13]

39


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

Proved in KeYmaeraD

Proved in KeYmaeraD

[LoosRP13]

40


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

But these proofs are hard. Could we simplify them by changing the model in a sound way?

Proved in KeYmaeraD

Proved in KeYmaeraD

41


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

42


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

43


Safety Property

Model

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

44



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

45



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

46



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

47

Abstracting implementation-specific design

Implicit vs. Explicit control Explicit control sets the control variable to a specific

value, in this case θ.#

[a := ✓;x00 = a]x s a := ✓

48




[a := ✓;x00 = a]x s

Implicit control can set the control variable nondeterministically to any value… #

[a := ⇤; x00 = a]x s

a := ⇤blah

a := ✓

49




[a := ✓;x00 = a]x s


[a := ⇤; x00 = a]x s

[a := ⇤; ? (a); x00 = a]x s

… or to a range of values that satisfy some formula, in this case # (a)

? (a)

a := ⇤blah

a := ✓

50

? (a)

a := ✓

a := ⇤blah




[a := ✓;x00 = a]x s


[a := ⇤; x00 = a]x s

… or to a range of values that satisfy some formula, in this case # (a)

[a := ⇤; ? (a); x00 = a]x s

51



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

52



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

53



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

54


α"

β"

γ"

55


[a := ⇤; ? ;x00 = a]x sα"

β"

γ"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

56


[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

β"

γ"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

57


[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

β"

γ"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

58


[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x sα"

β"

γ"

[a := ⇤; ?�[x00 = a]x s

�;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

[a := ✓;x00 = a]x s

[a := ⇤; ? ;x00 = a]x s

59



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction

60



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

α"β"Abstraction


These four benefits are the motivation for

Differential Refinement Logic (dRL)

61

Refinement Relation

↵ �

62

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤ �

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

63

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

64

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

65

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

66

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

↵ � ↵ �

67

Refinement Relation

↵ �

�(?�; a := ⇤ [ a := �B);x00 = a

�⇤

�(?�; a := ✓ [ a := �B);x00 = a &

�⇤

↵ �

68

So, what does dRL look like exactly?

Syntax of a dRL formula:

69



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

70



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �FOLR

71



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

72



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + dL

73



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

74



�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ � + refinement

75



Syntax of a hybrid program:

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

76




�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤

[Platzer08]

77




�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

�, ::= ✓1 ✓2 | ¬� | � ^ | 8x� | [↵]� | h↵i� | ↵ �

↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤↵,� ::= x := ✓ | x0 = ✓ & | ? | ↵ [ � | ↵;� | ↵⇤

dRL extends dL by adding refinement directly into the grammar of formulas

78

Hybrid Programs are what we use to model cyber-physical systems, just as in differential dynamic logic (dL).

[Platzer08]

v w↵

Semantics of hybrid programs

⇢(↵) = {(v, w) : when starting in state and then following transitions of , state can be reached.

v↵

w }

79


[Platzer08]

v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

80


[Platzer08]

v w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}iff except for the value of

v = w⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

81


[Platzer08]

⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}



82


[Platzer08]

⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}



83


[Platzer08]




⇢(x := ✓) = {(v, w) : w = v except [[x]]w = [[✓]]v}

84


[Platzer08]




v ? ?

85


[Platzer08]




v ? ? Iff holds in state v |= v

86


[Platzer08]




v? Iff holds in state v |= v

87


[Platzer08]





⇢(? ) = {(v, v) : v |= }

88


[Platzer08]





⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

89


[Platzer08]





v wx

0 = ✓

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

90


[Platzer08]





v wx

0 = ✓

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

91


[Platzer08]





v wx

0 = ✓

x := y(t)

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

92


[Platzer08]





v wx

0 = ✓

x := y(t)

⇢(x

0= ✓) = {('(0),'(t)) : '(s) |= x

0= ✓ for all 0 s t}

⇢(? ) = {(v, v) : v |= }⇢(? ) = {(v, v) : v |= }

If solves y(t) x

0 = ✓

93


[Platzer08]

v wu↵ �

↵;�

94


[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

95


[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

96


[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

97


[Platzer08]

v wu↵ �

↵;�

⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}⇢(↵;�) = {(v, w) : (v, u) 2 ⇢(↵), (u,w) 2 ⇢(�)}

Etc…

98

Semantics of box modality

[Platzer08]

v |= [↵]�

Box Modality:

99


[Platzer08]

v ↵↵

↵

w1

w2

w3

v |= [↵]�

Box Modality: �

100


[Platzer08]

v ↵↵

↵

w1

w2

w3

v |= [↵]�

Box Modality: �

�

101


[Platzer08]

v ↵↵

↵

w1

w2

w3

v |= [↵]�

Box Modality: �

�

�

102


[Platzer08]

v ↵↵

↵

w1

w2

w3

v |= [↵]�

Box Modality: �

�

�

Iff

103


[Platzer08]

v ↵↵

↵

w1

w2

w3

v |= [↵]�

Box Modality: �

�

�

w |= � for all w with (v, w) 2 ⇢(↵)

Iff

104

Semantics of refinement

Refinement Relation:

v |= ↵ �

105


v

w1

w2

w3


v |= ↵ � ↵

↵

106


v

w1

w2

w3


v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

107


v

w1

w2

w3


v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �↵

↵

108


v

w1

w2

w3


Iff

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

↵

↵

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

109


v

w1

w2

w3


Iff

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

↵

↵

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

110


v

w1

w2

w3


Iff

v |= ↵ �

v |= ↵ �v |= ↵ �

v |= ↵ �

↵

↵

{w : (v, w) 2 ⇢(↵)} ✓ {w : (v, w) 2 ⇢(�)}

111

dRL proof rules

Combining refinement and box modality:

112

dRL proof rules


To Prove:

113

dRL proof rules


v

w1

w2

w3

To Prove:

114

dRL proof rules


v

w1

w2

w3

↵

↵

To Prove:

115

dRL proof rules


v

w1

w2

w3

↵

↵

�

�

To Prove:

116

dRL proof rules


v

w1

w2

w3

We Know:

117

dRL proof rules


v

w1

w2

w3

↵

↵

We Know:

118

dRL proof rules


v

w1

w2

w3

v |= ↵ �v |= ↵ �

v |= ↵ �↵

↵

We Know:

119

dRL proof rules


v

w1

w2

w3

v |= ↵ �v |= ↵ �

v |= ↵ �↵

↵

We Know:

120

dRL proof rules


v

w1

w2

w3

v |= ↵ �v |= ↵ �

v |= ↵ �↵

↵

�

�

�

We Know:

121

dRL proof rules


v

w1

w2

w3

v |= ↵ �v |= ↵ �

v |= ↵ �↵

↵

�

�

�

122

A note on diamond modality

123


124


We can continue using the proof logic for dL to handle box and diamond modalities.

125


But we need to add proof rules to handle refinements.

126

dRL Proof Rules: Partial Order

Reflexive: Transitive:

Antisymmetric:

127

dRL Proof Rules: Partial Order

Reflexive: Transitive:

Antisymmetric: This rule is by definition, since is syntactically defined as

128

dRL Proof Rules: KAT style

[Kozen97]

129


[Kozen97]

130


[Kozen97]

131


[Kozen97]

132


[Kozen97]

133

dRL Proof Rules

134

dRL Proof Rules: Structural

135

dRL Proof Rules: Differential Equations

Differential Refinement:

136



But that isn’t the end of the story…

137



But that isn’t the end of the story… ?

(x0 = 1) (x0 = 9)

138




(x0 = 1) = (x0 = 9)?

139




(x0 = 1) = (x0 = 9)

140

We have proved that the refinement relation can be embedded in dL. As a result, dL and dRL are equivalent in terms of expressibility and provability.

Comparing dRL and dL

We plan to analyze dRL on familiar (challenging) case studies. We can consider:

• Number of proof steps • Computation time • Qualitative difficulty to complete proof • Proof structure

141

Analyzing dRL



γ"β"α"

xHiLxH jLp xHkL

xHiL

xHmL

dHiLdH jLp

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

xHiLxH jLp xHkL

xHiL

xHmL

αβAbstraction

To analyze whether dRL can ease the complexity of proving tasks for hybrid systems, we can start with these four categories:

142

  Designing proof search heuristics that exploit refinement to automatically create more hierarchical proof structures.

  Shifting the proof responsibility completely to determining refinement.

  Code synthesis – verifying that refinement relation is satisfied with each transformation step.

Additional dRL applications

143

Timeline

144

  Completed work indicates that building complex hybrid programs from simpler ones is a good idea.

Timeline

Completed"

145


  We aim to add rigor to this approach by introducing a refinement relation to differential dynamic logic.

Timeline

Completed"

Completed"

146



  We then need to show how refinement integrates with dL by creating a proof calculus for dRL.

Timeline

In Progress"

Completed"

Completed"

147




Timeline

Completed"

Completed"

Feb 2015"

148




  We will show that refinement makes proofs easier by revisiting familiar and challenging case studies.

Timeline

Next Step"

Feb 2015"

Completed"

Completed"

149





Timeline

May 2015"

Feb 2015"

Completed"

Completed"

150





  As a stretch goal, we will examine additional applications of dRL.

Timeline

Stretch Goal"

May 2015"

Feb 2015"

Completed"

Completed"

151





  As a stretch goal, we will examine additional applications of dRL (e.g. synthesis and proof search)

 

Thesis defense.

Timeline

Aug 2015"

May 2015"

Feb 2015"

Completed"

Completed"

Stretch Goal"

152

Appendix

153

Table of Case Studies

x!i"

x! j"

p x!k"

x!l"

x!m"

safety envelopes

Differential Refinement Logic - Carnegie Mellon …sloos/LoosProposalSlides.pdf1 Sarah M. Loos CSD,...

Documents

Transcript of Differential Refinement Logic - Carnegie Mellon …sloos/LoosProposalSlides.pdf1 Sarah M. Loos CSD,...