Transcript of the slides "Verification of Hybrid Systems in Coq" (herman/ModelCheckingDay2009.pdf)
Verification of Hybrid Systems in Coq
H. Geuvers, A. Koprowski, D. Synek, E. van der Weegen
BRICKS AFM4: Advancing the Real use of Proof Assistants
Foundations group, Intelligent Systems, ICIS, Radboud University Nijmegen, The Netherlands
Dutch Model Checking Day, April 2, 2009, University of Twente
Overview
- What is Coq?
- What is a Hybrid System?
- Example: Thermostat
- Semantics: Transitions and traces
- Proving properties of Hybrid Systems by the Abstraction method
- What we have done in Coq and what we plan to do.
What is Coq?
Coq is a proof assistant based on type theory
- Definitions, Lemmas, Proofs
- A proof p of a formula A is a term p : A. Proof-checking = type checking.
- Small kernel (the type checker) + proof engine on top (to interactively create terms)
- One can define (inductive and abstract) data types, and define executable functions over these in Coq
- Program extraction to OCaml / Haskell: from $p : \forall x : A.\, \exists y : B.\, R(x, y)$ extract $f : A \to B$ satisfying the specification.
What is a Hybrid System?
Alur, Henzinger et al.: Hybrid Automaton, Hybrid System. Locations, Invariants, Jumps, Guards, Reset functions, Continuous behaviour (Flow). Thermostat example.
What is a Linear Hybrid System?
$\langle L, X, \mathcal{X}_0, I, F, T \rangle$
- $L$ finite set of locations
- $X \subset \mathbb{R}^n$ continuous state space
- $\mathcal{X} := L \times X$ state space, $\mathcal{X}_0 \subset \mathcal{X}$ initial states
- $I$ assigns to $l \in L$ a set of linear predicates $I(l) \subset X$, the invariant at $l$.
- $F$ assigns to $l \in L$ a continuous vector field $F(l) : X \times \mathbb{R} \to \mathbb{R}^n$. At location $l$, $\dot{\vec{x}} = F(l)(\vec{x}, 1)$.
- $T$ assigns to a pair of locations $\langle l, l' \rangle$ a pair $\langle g, r \rangle$, where $g$ is a predicate, the guard condition, and $r$ is a linear map, the reset function.
Non-determinism
Thermostat example
Invariant $T \le 10 \wedge t \le 3$ says when it is allowed to be in Heat. Guard $T \ge 9$ says when it is allowed to move to Cool.
Hybrid Systems as Specifications
Hybrid System = Specification to be met by the controller.
Spec usually allows a lot of freedom (non-determinism) for the controller.
Goal = Prove that a controller that satisfies the spec keeps the system out of bad states: a Reachability Problem.
Why do this in Coq?
- Verification of Hybrid systems involves discretization, floating point arithmetic approximations, . . . , is this all correct?
- We have a library of (constructive) exact real arithmetic in Coq: CoRN, with
  - real number functions as computable functions (exp, log, sin, cos, . . . )
  - arbitrarily close approximations of real numbers (real number expressions)
  - numerical approximations to solutions of differential equations
Can CoRN be used for this type of application?
Semantics of a Hybrid System
There are two types of transitions:
Continuous transition $(l, \vec{x}) \to_C (l, \vec{y})$: one location, elapse of time $t$, continuous variables progress according to the flow $F(l)$.
Discrete transition $(l, \vec{x}) \to_D (l', \vec{y})$: from location $l$ to $l'$, no elapse of time, guard conditions must hold, continuous variables $\vec{x}$ reset to $\vec{y} := r\vec{x}$.
Semantics of a Hybrid System
A trace is a sequence of continuous and discrete steps:
$(l_1, \vec{x}_1) \to_C (l_2, \vec{x}_2) \to_D (l_3, \vec{x}_3) \to_C (l_4, \vec{x}_4) \to_C (l_5, \vec{x}_5) \ldots$
A Hybrid System specifies a collection of traces. We want to prove properties about these.
Thermostat example: Prove that $T \ge 4.5$ always, in all possible traces (= correctness proof of the Thermostat controller).
Semantics of a Hybrid System
Solving differential equations??
Assume for every location $l$ a solution $\Phi(\vec{x}_0, t)$ to the differential equation $\dot{\vec{x}}(t) = F(l)(\vec{x}(t), 1)$, with initial value $\vec{x}(0) = \vec{x}_0$. So $\Phi$ is a flow function:
$\Phi(\vec{x}, 0) = \vec{x}$
$\Phi(\vec{x}, t + q) = \Phi(\Phi(\vec{x}, t), q)$
For the Thermostat:
Cool: $\Phi((x, y), t) = (x e^{-t}, y + t)$
Check: $\Phi((x, y), t) = (x e^{-t/2}, y + t)$
Heat: $\Phi((x, y), t) = (x + 2t, y + t)$
Characterization of continuous and discrete steps
$(l, \vec{x}) \to_C (l, \vec{y}) := \exists t \ge 0\, (\Phi_l(\vec{x}, t) = \vec{y} \wedge \forall s \in [0, t] : I_l(\Phi_l(\vec{x}, s)))$
$(l, \vec{x}) \to_D (l', \vec{y}) := T\langle l, l' \rangle = \langle g, r \rangle \wedge g(l, \vec{x}) \wedge \vec{y} = r(\vec{x}) \wedge I(l')(\vec{y})$
Trace: combination of continuous steps and discrete steps. Goal: verify a property for all traces.
Proving Correctness via the Abstraction method
- Hybrid Transition System: $(\mathrm{State}, \to_C, \to_D, \mathrm{State}_0)$
- Abstract System (Finite Automaton): $(\mathrm{AState}, \to_A, a_0)$
- Abstraction function $\mathrm{Abs} : \mathrm{State} \to \mathrm{AState}$ with $\mathrm{Abs}(t_0) = a_0$ for $t_0 \in \mathrm{State}_0$.
- Lemma Correctness: if $t \to_{DC} t'$ in HS, then $\mathrm{Abs}(t) \to_A \mathrm{Abs}(t')$ in AHS.
So: Reachability in HS ⇒ Reachability in AHS
So: Safety of AHS ⇒ Safety of HS [Checked by Model Checker]
Abstraction via predicates: Thermostat example
The basic predicates are: $T \ge 4.5$, $T \ge 5$, $T \ge 6$, $T \le 9$, $T \le 10$, $c \ge 0.5$, $c \le 1$, $c \ge 2$, $c \le 3$. This gives rise to the following abstract state space (for location Heat). Some transitions are indicated.
Beware of transitivity
Which abstract traces do we consider?
If we just take the transitive closure of $\mathrm{Abs}(s_0) \to \mathrm{Abs}(s_1)$ we get far too many traces. (Still correct, but you can't prove anything!)
Solution: Restrict the abstract traces to alternating continuous and discrete steps
$\mathrm{Abs}(s_0) \to_C \mathrm{Abs}(s_1) \to_D \mathrm{Abs}(s_2) \to_C \mathrm{Abs}(s_3) \ldots$
Moving from the HS to the AHS
$A \to B$ in AHS if $\exists (x, y) \in A\, \exists t \ge 0\, (\Phi(x, y, t) \in B)$
This is complicated, in general undecidable ...
But in concrete situations, we have:
- "independency of variables": $\Phi(x, y, t) = (\varphi_1(x, t), \varphi_2(y, t))$
- monotonicity of $\varphi_1(x, -)$ and $\varphi_2(y, -)$.
- concrete inverses to $\varphi_1(x, -)$ and $\varphi_2(y, -)$.
Moving from the HS to the AHS
$A \to B$ in AHS if $\exists (x, y) \in A\, \exists t \ge 0\, ((\varphi_1(x, t), \varphi_2(y, t)) \in B)$
$\exists (x, y) \in A\, \exists t \ge 0\, ((\varphi_1(x, t), \varphi_2(y, t)) \in B)$
if and only if
$\varphi_1^{-1}(c_1, b_1) < \varphi_2^{-1}(a_2, d_2) \wedge \varphi_1^{-1}(d_1, a_1) > \varphi_2^{-1}(b_2, c_2)$
where $\varphi_i^{-1}$ is the inverse of $\varphi_i$:
$\varphi_i(x, \varphi_i^{-1}(x, z)) = z$
$\varphi_i^{-1}(x, \varphi_i(x, t)) = t$
Moving from the HS to the AHS
For the Check location: $\varphi_1^{-1}(x, z) = \log x^2 - \log z^2$ and $\varphi_2^{-1}(y, z) = z - y$.
So: $\exists (x, y) \in A\, \exists t \ge 0\, ((\varphi_1(x, t), \varphi_2(y, t)) \in B)$
if and only if
$\log c_1^2 - \log b_1^2 < d_2 - a_2 \wedge \log d_1^2 - \log a_1^2 > c_2 - b_2$
How do we solve this?
Solving inequalities in Coq
For concrete values $a, b, c, d \in \mathbb{R}$,
$\log c^2 - \log b^2 < d - a$
can be "decided" by
- fixing an $\varepsilon$,
- approximating $\log c^2 - \log b^2$ and $d - a$ "up to $\varepsilon$", obtaining rational intervals $I_1$ and $I_2$,
- if $I_1 > I_2$ (every point of $I_1$ lies above every point of $I_2$), return 'no'; otherwise return 'yes'.
So, if we are undecided, we do put an arrow between the abstract states . . . an abstraction should be an over-approximation.
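The inverse-based condition, the ε-decision and the transitivity warning from the slides above, worked in code. This is an added example, not the authors' Coq development: it takes the Heat and Check flows and the Heat abstraction predicates from the slides, reads each abstract state as a half-open cell [lo, hi), and assumes that the floating-point inverses are accurate to within the `eps` passed in (0 for the exact Heat arithmetic, a small positive value for the logarithm). Invariants and discrete steps are left out, so it only decides →C edges within one location.

```python
import math

# Constructed example: abstract ->C edges between rectangles of the
# thermostat, decided from the inverses of the componentwise, monotone
# flow functions on the slides.  inv(x, z) is the time at which the flow
# started in x passes z (negative if z lies "behind" x).
# Heat:  Phi((T, c), t) = (T + 2t, c + t)    Check: (T e^{-t/2}, c + t)
def inv_heat_T(x, z):
    return (z - x) / 2

def inv_clock(y, z):
    return z - y

def inv_check_T(x, z):  # T e^{-t/2} = z  =>  t = log x^2 - log z^2
    if x == z:
        return 0.0
    if z <= 0:          # a positive T never reaches 0
        return math.inf
    if x <= 0:          # T = 0 reached z > 0 only "infinitely long ago"
        return -math.inf
    return math.log(x * x) - math.log(z * z)

# Per location: (inverse, increasing-in-t?) for the coordinates (T, c).
LOCATIONS = {"Heat": [(inv_heat_T, True), (inv_clock, True)],
             "Check": [(inv_check_T, False), (inv_clock, True)]}

def time_window(inv, increasing, a, b):
    """Open interval of t at which some x in [a_lo, a_hi) flows into [b_lo, b_hi)."""
    (a_lo, a_hi), (b_lo, b_hi) = a, b
    if increasing:
        return inv(a_hi, b_lo), inv(a_lo, b_hi)
    return inv(a_lo, b_hi), inv(a_hi, b_lo)

def cont_edge(loc, A, B, eps):
    """Sound decision of A ->C B in `loc`.  `eps` is the assumed bound on the
    error of the inverse values; the answer is 'no' only when it is certain,
    so the set of edges is an over-approximation, as the slides require."""
    windows = [time_window(inv, inc, a, b)
               for (inv, inc), a, b in zip(LOCATIONS[loc], A, B)]
    L = max(lo for lo, _ in windows)   # exact condition: exists t >= 0
    H = min(hi for _, hi in windows)   # with L < t < H, i.e. H > max(L, 0)
    return not (H + eps <= max(L - eps, 0))

# Abstraction predicates from the slide: T >= 4.5, 5, 6, T <= 9, 10 and
# c >= 0.5, c <= 1, c >= 2, c <= 3, read as half-open cells [lo, hi).
T_CUTS = [0, 4.5, 5, 6, 9, 10]
C_CUTS = [0, 0.5, 1, 2, 3]

def cells():
    return [(t, c) for t in zip(T_CUTS, T_CUTS[1:]) for c in zip(C_CUTS, C_CUTS[1:])]

def successors(loc, A, eps):
    """One ->C step; already transitive, since Phi(x, t + q) = Phi(Phi(x, t), q)."""
    return {B for B in cells() if cont_edge(loc, A, B, eps)}

def chained(loc, A, eps):
    """Transitive closure of ->C, what the 'Beware of transitivity' slide warns
    against: it admits cells that no concrete trace from A visits."""
    seen, todo = {A}, [A]
    while todo:
        for B in successors(loc, todo.pop(), eps) - seen:
            seen.add(B)
            todo.append(B)
    return seen

def unsafe(states):
    """Cells violating the safety property T >= 4.5 from the slides."""
    return {s for s in states if s[0][0] < 4.5}
```

Enlarging `eps` can only turn a 'no' into a 'yes', never the reverse, which is the over-approximation the slides ask for.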
The rotator example
The rotator example: State space
Blue: next step is a "discrete" step. Red: next step is a "continuous" step.
The rotator example: All edges
The rotator example: Reachable states and edges
The middle state is unreachable.
How does this actually work in Coq?
1. Specify a concrete Hybrid System,
2. Specify the Abstract states (rectangles)
3. Specify the Safety condition
4. Give the inverses to the flow functions and prove they are inverses.
5. Coq generates the AHS, the abstraction function and its correctness proof.
6. Coq generates a proof of "Reach(AHS) = Safe ⇒ HS is safe".
7. Computing Reach(AHS) (in Coq) proves the safety (automatic).
What we plan to do / problems
1. Generate AHS + Abs function from the Specification. NB: abstraction predicates can be derived from the Spec.
2. Support for generating inverses and proving they are inverses. NB: many functions are partial or only partially monotone.
3. Extract fast model checking to OCaml: "certified reachability algorithm".
4. Deal with flow functions where variables are not independent or not locally monotone.
5. Use numeric approximations to solutions of differential equations.
Thank you!