Kaisar is a structured proof language for differential dynamic logic that introduces nominals to simplify reasoning about historical states in safety-critical cyber-physical systems, supported by formal metatheory.
Contribution
The paper introduces Kaisar, a novel structured proof language with first-class nominals for differential dynamic logic, enhancing CPS proofs and providing formal semantics and metatheory.
Findings
01
Successfully implemented Kaisar in KeYmaera X
02
Reproduced safety proofs for parachute and robot control
03
Proved soundness, completeness, and formal properties of Kaisar
Abstract
We present Kaisar, a structured interactive proof language for differential dynamic logic (dL), for safety-critical cyber-physical systems (CPS). The defining feature of Kaisar is *nominal terms*, which simplify CPS proofs by making the frequently needed historical references to past program states first-class. To support nominals, we extend the notion of structured proof with a first-class notion of *structured symbolic execution* of CPS models. We implement Kaisar in the theorem prover KeYmaera X and reproduce an example on the safe operation of a parachute and a case study on ground robot control. We show how nominals simplify common CPS reasoning tasks when combined with other features of structured proof. We develop an extensive metatheory for Kaisar. In addition to soundness and completeness, we show a formal specification for Kaisar's nominals and relate Kaisar to a nominal…
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
We present Kaisar, a structured interactive proof language for differential dynamic logic (dL), for safety-critical cyber-physical systems (CPS).
The defining feature of Kaisar is nominal terms, which simplify CPS proofs by making the frequently needed historical references to past program states first-class.
To support nominals, we extend the notion of structured proof with a first-class notion of structured symbolic execution of CPS models.
We implement Kaisar in the theorem prover KeYmaera X and reproduce an example on the safe operation of a parachute and a case study on ground robot control.
We show how nominals simplify common CPS reasoning tasks when combined with other features of structured proof.
We develop an extensive metatheory for Kaisar.
In addition to soundness and completeness, we show a formal specification for Kaisar’s nominals and relate Kaisar to a nominal variant of dL.
††journalvolume: 1††journalnumber: 1††article: 1††journalyear: 2019††publicationmonth: 1††doi: 10.1145/nnnnnnn.nnnnnnn††journalyear: 2019††isbn: 978-x-xxxx-xxxx-x/YY/MM††doi: 10.1145/nnnnnnn.nnnnnnn††ccs: Theory of computation Logic and verification
1. Introduction
Many cyber-physical systems (CPS) such as autonomous cars (Loos
et al., 2011), airborne collision-avoidance systems (Jeannin et al., 2015) and surgical robots (Kouskoulas et al., 2013) are safety-critical, and thus their correctness is of utmost importance.
Differential dynamic logic (dL) (Platzer, 2008) is a domain-specific logic which expresses correctness theorems such as safety and liveness for hybrid dynamical systems models of CPS, which combine discrete computation with ordinary differential equations (ODEs).
Because safety and liveness for hybrid systems are undecidable, (Henzinger, 1996) achieving strong correctness results for nontrivial systems demands an interactive technique that allows users to provide human insight when automation does not suffice.
The KeYmaera X (Fulton et al., 2015) theorem prover for dL (in comparison to, e.g. model checking (Frehse et al., 2011; Dreossi, 2017; Frehse, 2005; Boker
et al., 2014; Henzinger
et al., 1997; Kido
et al., 2016; Suenaga and Hasuo, 2011; Gao
et al., 2013b, a) approaches) enables human insight through interactive theorem proving.
The advantage of this interaction-based approach is its flexibility.
For any given hybrid system, the proof difficulty may lie in the complexity of discrete dynamics, continuous dynamics, solving first-order real arithmetic at the leaves, or all three.
Through interactivity, the proof author can address the difficult aspects of their system, while letting automation handle simpler parts.
Interactive theorem-proving for CPS verification has proven fruitful through a number of case studies (Loos
et al., 2011; Jeannin et al., 2015; Kouskoulas et al., 2013; Platzer and
Clarke, 2009; Platzer and
Quesel, 2009; Loos
et al., 2013; Müller
et al., 2015, 2015).
While these results demonstrate the significant potential that deduction has in CPS, it remains to be seen what the most productive way is for writing interactive CPS proofs.
Interactive point-and-click interfaces are available for KeYmaera X (Mitsch and
Platzer, 2016) and its predecessor KeYmaera (Platzer and
Quesel, 2008), which are useful for learning, but become tedious at scale.
Tactical theorem proving is available for CPS (Fulton
et al., 2017), which is useful for programming generic proof search procedures, but requires a certain level of aptitude in the proof system and is harder to scale for complex applications.
We, thus, argue that CPS proofs are to be taken seriously and merit the full attention of a first-class approach.
We focus on the opportunity provided by the hybrid mixture of discrete and continuous invariants inherent to hybrid systems.
Typical proofs combine discrete and continuous invariants, which in turn combine continuously-evolving, discretely-evolving, and constant variables.
CPS invariant proofs often relate the present state to multiple historical system states.
It has long been known that historical reference, implementable with ghost state, is an essential component of proof in many domains (Apt
et al., 1979; Owicki and Gries, 1976; Owicki, 1975; Apt
et al., 2010; Clint, 1973).
It has been known equally long (Clarke, 1980) that manual ghost arguments can make proofs clumsy.
For example, stating even a single invariant might require multiple non-local changes to introduce ghost state.
This is especially noticeable for CPS proofs, which typically contain nested invariants with references to multiple states.
In this paper, we devise a proof language Kaisar for CPS that addresses the problem of automating historical reference.
The distinguishing feature of Kaisar is nominal proof: proof authors can give names t to abstract proof states and then refer to the value of any term θ in proof state t by a nominal termt(θ).
We show through the examples of this paper (Fulton
et al., 2017)
that nominal terms simplify the complex historical reasoning necessary for CPS verification:
Instead of cluttering a proof with explicit ghosts of each term, the author can write down values from past states directly when needed, and the Kaisar nominal system will automatically supply the necessary ghost state.
The automation of historical reference in Kaisar is supported by structured symbolic execution, an extension of the structured proof paradigm introduced in Mizar (Bancerek et al., 2015), and seen in Isabelle’s Isar (Wenzel, 1999) and TLA+’s TLAPS (Cousineau et al., 2012; Lamport, 1992).
Symbolic execution is a first-class proof language feature in Kaisar,
enabling the language to automatically maintain an abstract execution trace, introducing ghost variables when needed.
This trace enables automatically reducing nominal terms to ghost state, solving the historical reference automation problem.
Hence the name: Kaisar is to KeYmaera X as Isar is to Isabelle: A structured proof language tailored to the needs of each prover’s logic.
In structuring proofs around first-class symbolic execution, it is non-obvious but essential that we do not restrict which formulas are provable.
To this end, we develop a comprehensive metatheory for Kaisar, showing it is not only sound, but complete with respect to existing calculi (Platzer, 2008), which are themselves sound and relatively complete for hybrid systems (Platzer, 2016, 2012b, 2008).
We also give a precise semantics to nominal terms via dynamic execution traces: the nominal term computed by Kaisar for t(θ) equals the value of θ in the concrete program state corresponding to abstract state t.
We relate nominal terms to a nominal dialect of dL called dLh: (Platzer, 2007b) the meaning of proof-level named states t can be understood via the logic-level nominal states of dLh.
The above applies for both discrete and continuous dynamics and for both initial and intermediate states.
In adopting structured symbolic execution, we import the existing benefits of structured proof to hybrid systems for the first time.
It has long been noted (Wenzel, 2006) that structured proof languages improve scalability and maintainability via block structure, and improve readability via their declarative style, with readability benefits extending to natural-language structured proofs (Lamport, 2012, 1995).
This is important for CPS verification as the scale of systems verified continues to grow (Jeannin et al., 2015; Müller
et al., 2015).
Lastly, we believe the nominal mechanism of Kaisar is of interest beyond CPS verification.
A number of verification tools (Ahrendt et al., 2016; Fulton et al., 2015; Leino, 2010, 2008; Barnett
et al., 2005; Leino
et al., 2009; Leavens
et al., 1999) offer ad-hoc constructs without theoretical justification which can reference only the initial program state.
We generalize and formally justify them.
We show that Kaisar works in practice with a prototype for Kaisar in KeYmaera X.
We evaluate our implementation using the examples in this paper, including a representative proof on parachute control.
We evaluate further by reproducing a case study on the control of ground robots (Section 9).
In Section 2 we provide a primer on dL, hybrid systems and dynamic logics, giving an informal structured proof following Lamport (Lamport, 2012, 1995).
In Section 3, we present the propositional fragment of Kaisar, introducing structural constructs and pattern-matching to aid in making proofs concise.
This fragment borrows from Isar; we present it separately to show its relationship with prior work.
In Section 4, we detail the technical challenge and solution for nominals.
In Section 5 we add that solution to Kaisar, generalizing it to the discrete fragment of dL by introducing nominal terms.
In Section 6 we show that our notion of nominal terms generalizes to full dL.
In Section 7 we validate Kaisar by developing its metatheory.
In Section 8 we compare Kaisar with other proof languages.
2. Background: Differential Dynamic Logic
Differential dynamic logic (dL) (Platzer, 2012b, 2008) is a dynamic logic (Pratt, 1976; Harel
et al., 2000) for formally verifying hybrid (dynamical) systems models of cyber-physical systems (CPS), which is implemented in the theorem prover KeYmaera X (Fulton et al., 2015) and has seen successful
application in a number of case studies (Mitsch
et al., 2013; Jeannin et al., 2015; Kouskoulas et al., 2013; Loos
et al., 2011).
In dL, a hybrid systems model of a CPS is expressed as a (nondeterministic) program in the language of hybrid programs.
The distinguishing feature of hybrid programs is the ability to model continuous physics with ordinary differential equations (ODEs).
Combined with nondeterminism, real arithmetic, and standard discrete constructs, this suffices to express hybrid systems.
As usual in dynamic logic, dL internalizes program execution with first-class modal operators [α]ϕ and ⟨α⟩ϕ stating ϕ is true after all or some execution paths of the program α, respectively.
Dynamic logics are a generalization of Hoare logics, e.g. any Hoare triple {P}α{Q} can be expressed in dynamic logic as the formula P→[α]Q.
Dynamic logic is more general because the modal operators are first-class and may be nested freely.
Throughout this paper, we let e,f,g range over expressions of dL.
Expressions are divided into propositions ϕ,ψ, hybrid programs α,β, and real-valued terms θ.
The proposition language of dL combines first-order arithmetic (FOLR) with the dynamic logic modalities [α]ϕ and ⟨α⟩ϕ:
ϕ,ψ,P,Q::=ϕ∧ψ∣ϕ∨ψ∣¬ϕ∣∀xϕ∣∃xϕ∣[α]ϕ∣⟨α⟩ϕ∣θ1∼θ2
where ∼ is a comparison operator on the (classical) reals, i.e. ∼∈{<,≤,=,≥,>,=}.
The term language of dL consists of basic arithmetic operations on real-valued variables with rational literals q∈Q and rational exponentiation θq:
θ::=x∣q∣θ1+θ2∣θ1−θ2∣θ1⋅θ2∣θ1/θ2∣θq
This means that the program-free fragment of dL is equivalent to first-order classical logic over real-closed fields (FOLR), which is decidable but unscalable, requiring doubly-exponential time (Davenport and
Heintz, 1988). The hybrid programs of dL include typical discrete constructs and differential equation systems:
α,β::=x:=θ∣x:=∗∣?ϕ∣α;β∣α∪β∣α∗∣x′=θ&Q
•
Assignmentx:=θ Sets a variable x to the current value of term θ.
•
Nondeterministic Assignmentx:=∗ Sets x nondeterministically to an arbitrary real.
•
Assertion?ϕ Execution transitions to the current state if formula ϕ is true, else the program has no transitions.
In typical models ϕ is first-order arithmetic.
•
Sequential Compositionα;β Runs program α, then runs β in some resulting state.
•
Choiceα∪β Nondeterministically runs either program α or β.
•
Iterationα∗ Nondeterministically runs program α zero or more times.
•
ODE Evolution{x′=θ&Q} Evolves the ODE system x′=θ nondeterministically for any duration r∈R≥0 that never leaves the evolution domain formula Q.
We illustrate dL with a running example in Model 1, which models the decision-making of a skydiver opening their parachute at a safe time.
We intentionally chose this example because it demonstrates the techniques necessary for more complex systems within the space provided.
As further validation we reproduced a larger case study (Mitsch
et al., 2013), see Section 9.
Model 1 (Safety specification for the skydiver model).
[TABLE]
This structure is typical: the system is a control-plant loop, alternating between the skydiver’s control decisions and evolution of the environment or plant (i.e. gravity and drag).
The diver has a downward velocity v<0, with a maximum safe landing speed m.
The chute is initially closed (r=a) until opened by the controller (r:=p).
The controller can choose not to open the chute if it will not exceed the equilibrium velocity−pg, where g is gravity and p is the resistance of an open chute.
The plant evolves altitude x at velocity v, which itself evolves at v′=v2⋅r−g: Newton drag is proportional to v2 by a factor r and gravity g is constant.
The domain constraint stops the ODE upon hitting the ground (x=0) or reaching the next control time (t=ε for time limit ε).
It also simplifies the proof by providing an assumption v<0, which is always true for a falling diver.
In this hybrid program model, when the diver lands (x=0), they have a safe velocity v≥m.
2.1. A Structured Natural-Language Proof
We introduce the reasoning principles for dL by giving an informal structured proof of skydiver safety.
Beyond discrete program reasoning and first-order real arithmetic, the defining proof techniques of dL are differential induction (Platzer, 2016, 2012a, 2010, 2007a) and differential ghosts (Platzer, 2011).
Differential induction and ghosts are important because they enable rigorous proofs about ODEs whose solutions are outside the decidable fragment of arithmetic, in our example the drag equation.
Differential induction states that a formula ϕ is invariant if it is true initially and its differential (ϕ)′ is invariant, e.g. θ1>θ2 is invariant if θ1>θ2 initially and (θ1)′≥(θ2)′ is invariant.
Differential ghosts enable augmenting ODEs with continuously-evolving ghost state.
If a formula ϕ is invariant, but not inductive, ghosts enable restating it as a formula that holds by differential induction.
This occurs, e.g. if θ1 converges asymptotically toward θ2 like velocity converges to the equilibrium in Model 1.
In this proof, we loosely follow the Lamport’s (Lamport, 2012, 1995) hierarchical style with numbered proof steps, but use our own keywords, such as State for giving names to states and Introduce for introducing differential ghost variables.
We restate in abbreviated form the theorem of Model 1:
Theorem 2.1 (Skydiver Safety).
pre→[(ctrl;plant∗)](x=0→∣v∣≤m)is valid**
State init: Assume init(pre).
Invariant: const vacuously because the free variables of const are not written in (ctrl;plant).
Invariant: dc by loop induction.Base Case: by arithmetic and 1.
Inductive Case: dc→[(ctrl;plant&dc)]dc holds by the domain constraint.
Invariant: dyn by loop induction. Base Case: by arithmetic and 2.
Inductive Case: We establish differential invariants for each control case.
State loop:. Here dc,const,dyn hold by
2, 3,4
Control Case: ?(r=a∧∣v∣+g⋅ϵ>pg);t:=0
Invariant: g>0∧p>0 vacuously.
Invariant: ∣v∣<∣loop(v)∣+g⋅t by differential induction.
Base Case: by arithmetic and 4.2.
Inductive Case: ∣v∣′≤∣loop(v)∣+g⋅t′ holds because (v)′=r⋅v2−g≥−g=(loop(v)−g⋅t)′ by arithmetic and 4.2.1.
Invariant: t≤ϵ∧v≥0 by domain constraint.
Invariant: loop(∣v∣)+g⋅t≤loop(∣v∣)+g⋅ϵ by arithmetic, 4.2.1, and 4.2.3.
Invariant: loop(∣v∣)+g⋅ϵ<pg by arithmetic and 4.2.
Q.E.D. Because ∣v∣>pg by transitivity, 4.2.2, 4.2.4, and 4.2.5.
Control Case: r:=p;t:=0. Safety is invariant but not inductive: ∣v∣′>(−pg)′.
We augment the ODE with a differential ghost variable, enabling an inductive invariant.
Invariant: g>0∧p>0 is invariant.
Introduce y′=−2p⋅(∣v∣+pg)⋅y with loop(y)2⋅(−∣v∣+pg)=1 for fresh variable y.
This is sound since y′ is linear in y and thus duration of the ODE is unchanged, and since y is fresh the augmented ODE agrees with the original on all other variables.
Invariant: y2⋅(−∣v∣+pg)=1 by differential induction. The base case holds by 4.3.2; the inductive step holds by construction of y′ and arithmetic.
Invariant: ∣v∣<pg because it is arithmetically equivalent to 4.3.3.
Q.E.D. Because 4 implies the postcondition by arithmetic.
We mechanize this proof in Kaisar as a guiding example throughout the paper.
3. First-Order Kaisar
We present the first-order (real-arithmetic, i.e. FOLR) fragment of Kaisar alone before considering dynamic logic.
The examples of Figure 1 demonstrate the key features of First-Order Kaisar:
•
Block-structuring elements (have, note, let, show) introduce intermediate facts, definitions, and conclusions.
Facts ϕ are assigned names x:ϕ for later reference.
•
Unstructured proof methods (usingfactsby⟨method⟩) close the leaves of proofs.
Forward-chaining proof terms (notex=FP) make arithmetic lemmas convenient.
•
Patterns and abbreviations (letx_=…) improve conciseness.
All of these features have appeared previously in some form in the literature (Wenzel, 2006).
Here we make clear any differences specific to Kaisar and in doing so lay a solid foundation for the development of nominals.
We do so by expanding upon the examples with formal syntax and semantics, given as a proof-checking relation.
Note that the examples in this section, because they fall under FOLR, are in principle decidable.
For that reason we focus here on techniques that vastly improve the speed of decision procedures (arithmetic proving with note and have), and which generalize to the undecidable fragments of dL handled in Sections 5 and 6 (block-structuring and pattern-matching).
Examples
For a first-order example, consider the transitivity reasoning of Step ?? in Section 2.1.
Figure 1 presents four proofs of the following arithmetic subgoal in dL:
[TABLE]
Figure 1 develops a proof as one might in interactive proof.
Examples 1a and 1b both appeal immediately to an arithmetic solver, with Example 1b using pattern-matching to introduce concise names, e.g. vt_=loop(∣v∣)+g⋅t.
Pattern-matching makes Example 1b more flexible: it will work even if the definition of vt_,vEps_, or vBound_ changes.
However, the R will be prohibitively slow if vt_,vEps_,vBound_ become too large (all reasoning is performed on the expanded terms).
Example 1c restores speed by isolating the transitivity axiom in the fact trans and instantiating it with note to recover the result.
The note step supplies term inputs v,vt_,vEps_,vBound_ first, then propositions v, gt, gEps, matching the structure of the formula trans.
The id proof method closes the proof once we provide a proof of the goal with using.
The let statement reuses the pattern-matching mechanism to introduce definitions for readability at will.
Example 1d uses let to ensure that the bound vBound_ is specifically pg.
This provides machine-checked documentation if, e.g. we did not intend this proof to be general or if the proof depended on the value of vBound_.
Definitions
The proof-checking judgements of Kaisar maintain a context Γ which maps names to assumptions (or conclusions for succedents Δ) and abbreviations introduced through pattern-matching.
Abbreviation variables are suffixed with an underscore , so Γ≡{xz↦(x>0),y_↦y0+5} means we have the assumption that x>0 via the name xz and we have abbreviated y0+5 as y.
Throughout the paper, subscripts are mnemonic, e.g. Γϕ could be a context associated with ϕ in any way.
Kaisar expands abbreviations before reasoning to ensure no extensions to dL are necessary.
Substitution of x with θ in ϕ is denoted ϕxθ.
The primary proof-checking judgement SP:(Γ⊢Δ) says that SP is a structured proof of the classical sequent Γ⊢Δ (i.e. the formula ⋀ϕ∈Γϕ→⋁ψ∈Δψ).
In proving safety theorems ϕ→[α]ψ, the succedent Δ typically consists of a single formula.
The auxilliary judgement FP:(Γ⊢Δ) for forward-chaining proofs is analogous.
In Section 5 we will extend the judgement SP:(Γ⊢Δ) with static execution traces to support structured symbolic execution.
Expressions written in proofs can contain abbreviations, but sequents, being pure dL, do not.
We write eˉΓ (or, when clear, simply eˉ) for the expansion of e which replaces all abbreviations with their values.
We also use matching of patterns p with matchΓ(p,e)=Γp where Γp extends Γ with bindings produced by matching e against p.
Block Structure
The top level of a Kaisar proof is a structured proof (SP)
[TABLE]
The propositional rules (PR) assume and case perform propositional reasoning.
The case construct is multi-purpose, supporting the connectives ∨,↔,∧.
Here a vertical bar ∣ outside parentheses separates syntactic productions, while a bar inside parentheses is syntax to separate cases:
[TABLE]
We give only right rules: left rules are analogous and derivable with the focus construct of Section 5.
In each rule we assume fresh variables x,y:
[TABLE]
Pattern-matching reduces verbosity vs. writing complete formulas.
In Example 1b, we shorten the Kaisar proof of Example 1a by applying variable patterns x_ and y_ to the assumption (thus matching any conjunction) and a wildcard pattern _ to the goal (thus matching any goal).
[TABLE]
The have construct cuts, proves, and names an intermediate fact ψ with SP1, then continues the main proof SP2.
When SP1 immediately show’s ϕ, as in Example 1c, we omit the show keyword in the concrete syntax.
The use of have in Example 1c is typical: the direct application of R in Example 1(a,b) does not scale if vt_,mathitvε,vBound_ are large terms.
By isolating the trans axiom with have, we enable the arithmetic reasoning to scale.
The let keyword, as used in Example 1d, performs a general-purpose pattern-match, which in this case simply binds goal_ to v>−pg, then continues the proof SP.
The note construct is similar to have, except that the intermediate fact is proven by a forward-chaining proof term.
It is often convenient for instantiating (derived) axioms or performing propositional reasoning, as in Example 1c.
Because note uses a forward-chaining proof, we need not specify the proven formula, but rather the proof-checking judgement synthesizes it as an output.
Unstructured Proof Methods
As shown in Example 1, show closes a proof leaf by specifying facts (using) and an automatic proof method (R, id, auto).
In contrast to other languages (Wenzel, 2006), these methods are the only unstructured language construct, as we have found no need for a full-fledged unstructured language.
The ident method is extremely fast but expects the conclusion to appear verbatim in the context or using clause.
The R method invokes a FOLR decision procedure (Collins and Hong, 1991; Arnon
et al., 1984).
We typically assist R on difficult goals by specifying facts with a using clause for speed.
The using clause can specify both assumptions from the context and additional facts by forward proof.
When the using block is empty, it defaults to the entire context.
The auto method applies general-purpose but incomplete proof heuristics including symbolic execution and also benefits from using.
Note the auto method does not have a simple proof rule.
This is okay at the unstructured proof level: any sound proof method is adequate for closing leaves of a proof.111The auto method (tactic) of KeYmaera X is sound because it uses only operations of a sound LCF-style core (Fulton et al., 2015).
facts(ps,FPs) defines the facts available to the proof method (assumptions and FP conclusions).
The pattern q selects a conclusion from Δ, else we default to the entire succedent.
Throughout the examples of Figure 1, we use pattern-matching to describe the shapes of expressions and select assumptions for use in automation.
The above features suffice for structural proof steps.
The pattern language of Kaisar is defined inductively:
[TABLE]
Pattern-matching is formalized as a judgement matchΓ(p,e)=Γp, where Γp extends Γ with bindings resulting from the match (we omit Γp when it is not used and omit Γ when it is clear from context).
We write match(p,e)=⊥ when no pattern-matching rule applies.
In the definition below, we use the notation ⊗(e,f) to generically say that all operators ⊗ (where the arguments are expressions e,f) of the dL language are supported in patterns.
The dL operators are matched structurally.
[TABLE]
The meaning of a variable pattern ident_ depends on whether it is bound in Γ.
If ident is free, the pattern matches anything and binds it to ident.
If ident is bound, the pattern matches only the value of ident.
Wildcard patterns _ match anything and do not introduce a binding.
[TABLE]
The above patterns often suffice for selecting individual facts, as done in forward proofs.
However, when referencing a large number of facts (e.g. in show), it helps to select facts in bulk, for which the following patterns are also useful.
Variable occurrence patterns p(vars) and p(¬vars) select all formulas ϕ where the given variables do or do not occur in its free variables FV(ϕ), respectively:
[TABLE]
Patterns support set operations.
Set patterns proceed left-to-right. Union short-circuits on success and intersection short-circuits on failure.
Negation patterns ¬p match only when p fails to match, so we require that p binds no variables in this case for the sake of clarity.
This is not a restriction because any free variable patterns in p can be replaced with wildcards, which never bind.
[TABLE]
Extended Expression Evaluation
In order to keep abbreviations ident_ outside the core language of dL, we automatically expand extended terms featuring abbreviations ident_ to proper terms
with the term expansion function eˉΓ=f (we omit Γ when clear).
As in pattern-matching, expression constructors map through homomorphically and identifiers are substituted with their values:
[TABLE]
Forward-Chaining Proof Terms
A comprehensive structured language should provide both backward and forward-chaining proof.
Wenzel (Wenzel, 1999) observes that backward chaining is often most natural for major steps and forward chaining more natural for minor intermediate steps.
Backward chaining works well when the proof can be guided either by the structure of a formula (e.g. during symbolic execution) or by human intuition (e.g. when choosing invariants).
The addition of forward chaining becomes desireable when we wish to experiment with free-form compositions of known facts, e.g. when trying to assist an arithmetic solver with manual simplifications.
In Kaisar, forward-chaining proofs are built from atomic facts in Γ and a standard library of first-order logic rules, which are composed with application (FPFP) and instantiation (FPθ).
[TABLE]
The judgement Γ⊢Σe:ϕ says e is a proof of ϕ using assumptions Γ, where Σ is a library of builtin propositional rules.
Facts and rules can be selected from Γ and Σ with patterns:
[TABLE]
4. Static and Dynamic Execution Traces
We describe the static execution trace mechanism used to implement nominals and automate historical reference.
We present the challenges of historical reference by an easy example with sequent calculus proofs for assignment.
Consider the sequent calculus assignment rules:
[TABLE]
In [:=]sub, reference to the initial state stays simple, while the final value does not.
In the resulting goal Γ⊢ϕxθ,Δ, the variable x refers to the initial value, but we must write θ (which may be a large term) to refer to the final value.
In [:=]eq, the opposite is true: x now refers to the final value, but the initial value of x is stored in a fresh ghost variable xi, which we must remember.
Complicating matters further, in practice we wish to use a combination of [:=]sub and [:=]eq.
The [:=]sub rule only applies when the substitution ϕxθ is admissible, e.g. when FV(θ)∩BV(ϕ)=∅.
However, we wish to use it whenever it applies to reduce the total number of variables and formulas in the context, which are essential to the performance of real-arithmetic decision procedures (Collins and Hong, 1991).
Therefore the natural approach is to use [:=]sub when it applies and [:=]eq otherwise.
After a number of such reasoning steps, the meaning of a variable x in a sequent (we call this the sequent-level meaning) may disagree with the value of both the initial and final values of the program variable x (we call these the program-level meaning in the initial and final states).
To observe this issue in action, consider the following (trivial) sequent proof:
[TABLE]
There are four program states in the above proof: one before each assignment and one at the end.
Throughout the first two steps, the sequent-level meaning of x corresponds exactly with its program-level meaning in the current state.
At the final state of the program, the value of x in the program corresponds to x+5 in the sequent, whereas x in the sequent refers to the value of x from its previous state.
This is a problem: It is non-trivial to reference initial and final, let alone intermediate state in a proof regime that mixes [:=]eq and [:=]sub, yet we want them all.
We address this problem by automating state-change bookkeeping in a static execution trace data structure.
Static execution traces automate state navigation by providing a static, finitary abstraction of a dynamic program execution trace.
Definition 4.1 (Static Traces).
A static trace is an ordered list of four kinds of trace records (tr):
[TABLE]
We denote the empty trace by ϵ.
For any state name t appearing in H (i.e. t∈Dom(H)) we denote by t(H) the unique prefix of η ending at state t.
By maintaining a substitution record sub(x,θ) for each substitution, we can automatically translate between the sequent-level and (current) program-level meaning of an expression.
For example, if you wish to know the sequent-level value of the program-level term x2 in the final state, after sub(x,x+5), it suffices to compute (x2)xx+5=(x+5)2.
We enable nominal references to past states by adding a t record at each named state t and an eq(x,xi,θ) any time the [:=]eq rule is used to rename xi=x and introduce an assumption x=θ.
This allows us to determine, e.g. that the second value of x was ultimately renamed to x0.
The case for x:=∗ is marked with any(x,xi), which is analogous to eq(x,xi,θ), without any assumption on the x value.
Given a trace, we can reconstruct the value at any proof state by replaying the composition of all substitutions since the renaming of interest.
We begin by defining the pseudo-nominal nowH(x) which computes the current sequent-level equivalent for a program-level variable x at the end of trace H.
All expressions are by default assumed to occur at state now.
Because expressions depend only on the values of variables, it suffices to define the variable case:
[TABLE]
We recurse until we find a record for the x of interest.
If it is a sub record, we stop immediately and return θ: even if the trace contains multiple subs for the same x, they are cumulative (the last record contains the composition of all subs).
If it is a eq record, then we use the current value of x.
To compute a nominal tH(x), we determine the name x has at state t in the history H, which is either x or some ghost xi (if x has been ghosted since state t).
We then compute nowH′,t(x) or nowH′,t(xi) accordingly where H′ is the prefix of H preceding state t.
As in the program variable case, nowH(xi) can either be exactly xi or the result of a substitution.
[TABLE]
It is now natural to ask the question: If nowH(x) converts between the program-level state and sequent-level state, can we give a precise meaning to the notion of sequent-level state?
The answer is yes, but in general the sequent-level state will not be identical to any specific state the program passed through, but rather each variable might take its meaning from different past states.
To this end, we define a notion of dynamic trace encapsulating all past program states.
Definition 4.2 (Dynamic Traces).
A dynamic traceη is a non-empty list of program states ω, possibly interleaved with state names t (but always containing at least one state).
The first state is denoted fst(η), the last state last(η).
As with static traces, for any state name t appering in the trace (i.e. t∈Dom(η)), we denote by t(η) the longest prefix of η preceding state name t.
We denote singleton traces (ω).
Definition 4.3 (Sequent-Level State).
We define sequent-level stateS(η;H) for dynamic and static traces η and H.
Recall that after eq(x,xi,θ) the variable x represents the end state of the assignment, while after sub(x,θ) it represents the start state.
We take each program variable x from its most recent eq(x,xi,θ) or any(x,xi) state, or the initial state if none exists.
Each ghost is assigned at most once and takes its value from the state in which it was assigned.
We give an inductive definition:
[TABLE]
5. Discrete Dynamic Kaisar
We now extend Kaisar with its core feature: nominal terms.
We add a construct statet which gives a name t to the current abstract proof state, after which we can write nominal terms t(θ) to reference the value of term θ at state t from future states.
Nominal terms are supported by structured symbolic execution rules for each program construct, which automatically maintain the corresponding static execution trace.
As before we proceed from examples to syntax and proof-checking rules.
Examples
We continue the proof of Model 1, augmenting it with loop invariants and other discrete program reasoning, but we leave differential equation reasoning for Section 6.
Recall the program and statement of Theorem 2.1 (Skydiver Safety for Model 1):
[TABLE]
Proposition 5.1.
r=a∧dc∧const∧dyn→[{ctrl;plant}∗](x=0→v≤m)* is valid.*
Examples 2(a-c) are proofs of this Proposition 2.1 (with differential equation reasoning postponed until Section 6).
As before, we proceed from basic to advanced proof techniques.
Examples 2(a,b) both use a single loop invariant, and begin by splitting the conclusion into [{ctrl;plant}](dc∧const) and [{ctrl;plant}]dyn to separate the discrete and continuous reasoning.
Example 2a splits eagerly on the control decision, which is straightforward but often requires duplication of proofs about the plant.
Example 2b uses Hoare-style composition reasoning instead, which reduces duplication.
In general, Hoare-style composition adds the cost of the user supplying a composition formula I, but I is trivial in this case.
Example 2c proves the loop invariants dc,const,dyn separately, which is useful in interactive proofs when some invariants (dc,const) prove trivially while others (dyn) are complex.
Example 2d proves a slightly different theorem which establishes a bound on the position x, showcasing discrete nominals (init(v),init(x)).
More advanced uses of nominals are in the full proof in Section 6.
Structured Symbolic Execution
Symbolic execution is implemented by adding to the class of structured proofs (SP) a set of box rules (BRs) for proving formulas of the form [α]ϕ and a set of diamond rules (DR) for proving formulas of form ⟨α⟩ϕ.
The diamond rules are largely symmetric to the box rules, so we only present the box rules here and give the full list of rules in Appendix C:
[TABLE]
To improve concision, many proof languages automate steps deemed obvious (Rudnicki, 1987; Davis, 1981).
For us, these include the rules for the α;β and ?(ϕ) connectives, i.e. reducing sequential compositions [α;β]ϕ to nested modalities [α][β]ϕ and assertions [?P]Q to implications P→Q.
Negations are implicitly pushed inside other connectives, e.g. ¬(P∧Q)↔(¬P)∨(¬Q) and ¬[α]ϕ↔⟨α⟩¬ϕ.
These implicit rules reduce verbosity by automating obvious steps.
This also enables us, for example, to reuse the (assumex:pSP) rule for implication as if it applied to tests as well, as in Example 2a.
Because structured symbolic execution rules affect the trace, we now extend the SP checking judgment to (H1⇝H2)SP:(Γ⊢Δ) where H1 is the initial trace and H2 is the final trace.
The final trace helps reference the internal states of one subproof within another: see the after rule.
[TABLE]
The assignment rule itself is completely transparent to the user, but its presence as an explicit rule aids readability and supports the implementation of nominals.
As discussed in Section 4, assignments update the trace because they modify the state.
How they update the trace depends on whether we can perform assignment by substitution or whether we must add an equality to Γ:
[TABLE]
Nondeterministic assignment is analogous to the equality case of assignment:
[TABLE]
Nondeterministic choices are proven by proving both branches, matched by patterns p and q:
[TABLE]
This case rule is notable because it produces non-exhaustive final traces.
In general, an execution of α∪β executes α or β, but not both.
We return the input trace H because the final trace only contains changes which (are syntactically obvious to) occur in every branch.
This means any states introduced in SPα or SPβ have local scope and cannot be accessed externally.
Definition 5.2 (Abstraction).
When executing certain programs α, it is not known exactly which variables are bound on a given run of α.
In these cases, we can reason by abstraction over all bound variables BV(α): we treat their final values as arbitrary.
Abstraction is denoted with superscripts ϕα, not to be confused with subscripts, which are mnemonic.
Let BV(α)=x1,…,xn and y1,…,yn fresh ghost variables.
We define Hα=H,any(x1,y1),…any(xn,yn),
ϕα=ϕx1y1⋯xnyn, and
ωα=η,ωx1ω(y1)⋯ynω(xn)).
In Section 7 we show soundness and nominalization results for abstraction.
As shown in Example 2a, using case too soon increases the complexity of a proof: in a proof of {α∪β};γ, the proof of γ may be duplicated.
Example 2b reduces proof size with Hoare-style (Hoare, 1969) composition by specifying an intermediate condition ψ which holds between {α∪β} and γ.
[TABLE]
Hoare composition is notable because Hψ contains only changes that happened with certainty: the bound variables of α may have been modified in ways not reflected by Hα.
Thus we treat the values of bound variables after running α as arbitrary, abstracting over them.
The state construct gives a name to the current program state.
This has no effect on the proof state, but allows that state to be referenced later on by nominal terms, as shown in Example 2c:
[TABLE]
Invariant Proofs
We verify discrete loops via invariants.
Consider the proofs in Figure 2.
In Examples 2a and 2b we prove a single loop invariant, where the base case proves automatically, as is often the case.
In Example 2c we subdivide the proof into several invariants which we prove successively.
These styles of proof are interchangeable, but the latter is convenient during proof development to separate simple cases from difficult cases.
If (as in Example 2c) an invariant is provable automatically, we may omit the branches Pre and Ind.
After proving invariants, the finally keyword returns us to a standard structured proof with all invariants available as assumptions.
[TABLE]
While checking invariant proofs, we add a context Js of all the invariants, which are made available both while proving further invariants and at the end of the invariant chain.
As in Hoare composition, we abstract over the history because the inductive step must work after any number of iterations.
[TABLE]
[TABLE]
Focus
The box rules presented here implicitly operate on the first formula of the succedent.
In the common case of proving a safety theorem ϕ→[α]ψ where all tests ?(ϕ) contain only first-order arithmetic, this is enough.
Hewever, this does not provide completeness for liveness properties ⟨α⟩ϕ which produce multi-formula succedents, or for tests containing modalities.
We restore completeness for these cases, extending the class SP with a focus construct which brings an arbitrary formula (selected by pattern-matching) to the first succedent position:
A focus in the antecedent is the inverse of ¬R; in the succedent it is the exchange rule:
[TABLE]
Recall that negations are pushed inward implicitly, so upon focusing a formula [α]ϕ from the antecedent, we will ultimately have ⟨α⟩¬ϕ in the succedent, for example.
As with case, the subproof SP can access both the initial trace H and any local changes from the proof of ¬ϕ, but any such changes leave scope here.
Regardless of the origin of ¬ϕ, any structured symbolic execution proof can employ state-based reasoning, but as with case it does not follow that those state changes remain meaningful in any broader context.
In Section 7 we show that focus, combined with the execution rules for boxes and diamonds in the succedent, provides completeness.
This formulation minimizes the core proof calculus, but focus-based derived rules for antecedent execution may be useful in practice.
The completeness proof of Section 7 provides intuition for how such constructs would be derived.
Extended Expressions and Patterns
Discrete Dynamic Kaisar adds nominal terms t(θ) (where t is the name of some named state) to the language of expressions e.
This change raises a design question: when defining an abbreviation, should program variables refer to their bind-time values, or their expand-time values?
We choose bind-time evaluation as the default, so eˉ evaluates nominals, performing structural recursion and using the rules of Section 4 in the variable case.
When a variable x appears outside a nominal, it is interpreted at the current state, which we denote here using the notation now(x).
For pattern-matching to work with nominals, matching against (program) variable patterns performs expansion before matching:
[TABLE]
We also want the option to mix bind-time and expand-time reference, for example in Section 6.
This enables reusable definitions that still refer to fixed past values.
We support this with a new functional variant of the let construct, which is parameterized by a state t.
Any subterm θ under the nominal t(_) uses the expand-time state, while plain subterms use the bind-time state:
[TABLE]
Functional let uses a let mobilization helper judgment, which (a) expands references to current-state variables and (b) wraps all references to arguments in the now(x) pseudo-nominal:
[TABLE]
Note that due to the addition of functional let, the context Γ may now contain extended terms.
As before, any unadorned variable x in Γ refers to the current sequent-level meaning of x.
Elements of Γ can contain extended subterms now(θ) (for proper terms θ), which are adequately resolved by recursively evaluating any extended terms found during expansion:
[TABLE]
6. Differential Dynamic Kaisar
We extend Kaisar to support differential equations, the defining feature of differential dynamic logic.
The examples of this section illustrate the necessity of historical reference to both initial and intermediate states.
We show that nominals work even when mixing discrete and continuous invariants, continuous ghosts necessary for ODEs and first-order reasoning necessary for arithmetic.
Examples
First we complete the proof of Model 1.
Recall the statement of Theorem 2.1:
[TABLE]
Theorem 6.1 (Skydiver Safety).
r=a∧dc∧const∧dyn→[(ctrl;plant)∗](x=0→v≤m)* valid*
The proof mirrors the natural-language proof of Section 2.1 and builds upon Examples 1 and 2.
Recall that we use differential invariants to reason about the drag equation, because it does not have a closed-form solution in decidable real arithmetic.
In the open-parachute case, recall that while dyn is invariant (∣v∣ never reaches the bound pg) it is not inductive because it approaches the bound asymptotically.
Adding a differential ghost (Platzer, 2011) variable y, makes it possible to write an equivalent invariant that holds inductively.
An equivalent invariant can be derived mechanically: in this case y2⋅(v+pg)=1 which implies ∣v∣<pg.
Having finished the proof of Model 1, we consider a second example system that does have solvable continuous dynamics, in which case ODEs can be symbolically executed directly without appealing to differential invariants.
Consider a one-dimensional model of a bouncing ball, with vertical position y, vertical velocity v, acceleration due to gravity g and initial height H.
This perfectly-elastic bouncing ball discretely inverts its velocity whenever it hits the ground (y=0).
Because it started with v=0, we will prove that it never exceeds the initial height.
At the same time, we prove that it never goes through the floor (y≥0):
Model 2 (Safety specification for bouncing ball).
[TABLE]
The proof in Figure 4 follows physical intuitions: total energy (E_) is conserved, from which we show arithmetically that the height bound always holds.
Because this example has a solvable ODE, it suffices to add a construct for solving ODEs (below, dom is short for domain constraint):
[TABLE]
Lastly, consider the proof in Example 3.
We reason about unsolvable ODEs using differential invariants (Platzer, 2016, 2012a, 2010) and differential ghosts (Platzer, 2011),
which we add to the syntax of invariant proofs:
[TABLE]
Unlike in loops, it is essential for soundness that we do not assume the current invariant (only previous invariants) while proving it.
Differential invariant (Platzer, 2007a) reasoning uses the differential of a formula (ϕ)′ to compute its Lie derivative, and then proves it to be inductive.
Traces are general enough to support loops and differental equations uniformly.
Because the differential equation α will modify x, we abstract over the variables of α≡{x′=θ&Q} (i.e. x):
[TABLE]
[TABLE]
[TABLE]
When introducing a new variable y, we ensure the right-hand side of y′ is linear in y to ensure the existence interval of the ODE does not change, which is essential for soundness (Platzer, 2011).
7. Metatheory
The value of a nominal t(θ) in the sequent-level state agrees with the value of θ in the corresponding program state.
We begin here with the simplest case, pseudo-nominals of variables nowH(x), from which we then derive nominals of variables tH(x) and arbitrary nominals tH(θ).
Lemma 7.1.
For all η∼H and all variables x, [\joinrel[nowH(x)]\joinrel]S(η;H)=last(η)(x).
Straightforward induction on the derivation of η∼H.
Case(ν)∼ϵ: Then [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[now(ν)(x)]\joinrel]ν=ν(x)=last(η)x.
Caseη′,ω∼H′,any(x,xi): Then [\joinrel[nowH(x)]\joinrel]S(η;H)=S(η;H)(x)=ω(x)=last(η)(x).
Caseη′,ω∼H′,eq(x,xi,θ): Then [\joinrel[nowH(x)]\joinrel]S(η;H)=S(η;H)(x)=ω(x)=last(η)(x).
Caseη′,ω∼H′,sub(x,θ): Then [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[θ]\joinrel]S(η′;H′)=last(η)(x), where the last equation is from the definition of ∼.
Caseη′,t∼H′,t: Then [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[nowH′(x)]\joinrel]S(η′;H′)=last(η′)(x)=last(η)x.
The remaining cases are symmetric.
This lemma generalizes to arbitrary nominals, but first it will require the generalization of the coincidence theorem for dL formulas (Platzer, 2015) to nominals:
Lemma 7.2 (Coincidence for “now”).
If η∼H and y∈/FV(H) then [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[nowH(x)]\joinrel]S(η;H)yr for all y=x and r∈R.
By induction on η∼H.
Case(()ω)∼ϵ: [\joinrel[nowH(x)]\joinrel]S(η;H)=ω(x)=ωyr(x) because x=y.
Caseη′,ω∼H′,any(x,xi): [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[x]\joinrel]S(η;H)=ω(x)=ωyr(x) because y=x.
Caseη′,ω∼H′,eq(x,xi,θ): [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[x]\joinrel]S(η;H)=ω(x)=ωyr(x) because y=x.
Caseη′,ω∼H′,sub(x,θ): [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[θ]\joinrel]S(η′;H′)=[\joinrel[θ]\joinrel]S(η′;H′)yr by term coincidence (Platzer, 2015) and because y∈/FV(θ) when y∈/FV(H).
Caseη′,t∼H,t: [\joinrel[nowH(x)]\joinrel]S(η;H)=[\joinrel[nowH′(x)]\joinrel]S(η′;H′)=[\joinrel[nowH′(x)]\joinrel]S(η′;H′)yr=[\joinrel[nowH(x)]\joinrel]S(η;H)yr. The remaining cases are symmetric.
Lemma 7.3 (Coincidence for Nominals).
If η∼H and y=FV(H) and x=y then [\joinrel[tH(x)]\joinrel]S(η;H)=[\joinrel[tH(x)]\joinrel]S(η;H)yr.
Case(ω)∼ϵ: True by contradiction.
Caseη,ω∼H,any(x,xi): [\joinrel[tH(x)]\joinrel]S(η;H)=def[\joinrel[tH′(xi)]\joinrel]S(η′;H′)=IH[\joinrel[tH′(xi)]\joinrel]S(η′;H′)yr=def[\joinrel[tH(x)]\joinrel]S(η′;H′)yr by invariants for ∼. The proof for h,eq(x,xi,) is symmetric.
Caseη,ω∼H,sub(x,θ): [\joinrel[tH(x)]\joinrel]S(η;H)=[\joinrel[tH′(x)]\joinrel]S(η′;H′)=[\joinrel[tH′(x)]\joinrel]S(η′;H′)yr=[\joinrel[tH(x)]\joinrel]S(η;H)yr.
All other cases except H,t are symmetric.
Caseη,t∼H,t: [\joinrel[tH(x)]\joinrel]S(η;H)=[\joinrel[nowH(x)]\joinrel]S(η′;H′)=[\joinrel[nowH(x)]\joinrel]S(η′;H′)yr=[\joinrel[tH(x)]\joinrel]S(η;H)yr by Lemma 7.2.
Given the coincidence lemmas above, we have correspondence for nominals of variables:
Lemma 7.4 (Correspondence for Nominals).
For all η∼H, all state names t∈Dom(H), and all variables x, [\joinrel[tH(x)]\joinrel]S(η;H)=t(η)(x).
Caseη′,ω∼H′,any(x,xi): [\joinrel[tH(x)]\joinrel]S(η;H)=[\joinrel[tH′(x)]\joinrel]S(η′;H′)xω(x)=[\joinrel[tH′(x)]\joinrel]S(η′;H′)=t(η′)(xi)=t(η′)(x)=t(η)(x), by definition of tH(x) and S, induction, definition of ∼ and definition of t(η) respectively.
Caseη′,t∼H,t: [\joinrel[tH(x)]\joinrel]S(η;H)=[\joinrel[nowH′(x)]\joinrel]S(η′;H′)=last(η′)(x)=t(η)(x) by Lemma 7.3.
Case other: Symmetric.
Furthermore, note that prefixes preserve correctness of nominalization, thus nominals behave correctly even when evaluated from an intermediate state of η:
Corollary 7.5.
For all η∼H, all state names s≤t∈Dom(H), all variables x, [\joinrel[st(H)(x)]\joinrel]S(η;t(H))=s(t(η))(x)
From Lemma 7.4, it suffices to show for any η∼H and t∈Dom(H) that t(η)∼t(H), which holds by a trivial induction since η∼H contains a derivation η′∼H′ for all same-length prefixes η′ and H′, including t(η) and H(η). Then note since s≤t∈H then s∈Dom(t(H)), so the preconditions of the lemma are satisfied.
Because the meaning of nominal terms is uniquely determined by the meaning of nominal variables, the above lemmas suffice to show that all nominal and pseudo-nominal terms are well-behaved:
Theorem 7.6 (Nominal Term Correspondence).
For all η∼H, all state names s≤t∈Dom(H), all terms θ, [\joinrel[st(H)(θ)]\joinrel]S(η;t(H))=[\joinrel[θ]\joinrel]s(t(η)).
By induction on the structure of terms θ.
Caseθ=x: Then [\joinrel[st(H)(θ)]\joinrel]S(η;t(H))=[\joinrel[st(H)(x)]\joinrel]S(η;t(H))=s(t(η))(x)=[\joinrel[θ]\joinrel]s(t(η)) by corollary above.
Caseθ=q∈Q: Then [\joinrel[st(H)(θ)]\joinrel]S(η;t(H))=q=[\joinrel[θ]\joinrel]s(t(η)).
Caseθ=⊗(θ1,θ2) for any operator ⊗: Then [\joinrel[st(H)(θ)]\joinrel]S(η;t(H))=[\joinrel[st(H)(⊗(θ1,θ2))]\joinrel]S(η;t(H))=⊗([\joinrel[st(H)(θ1)]\joinrel]S(η;t(H)),[\joinrel[st(H)(θ2)]\joinrel]S(η;t(H)))=⊗([\joinrel[θ1]\joinrel]s(t(η)),[\joinrel[θ2]\joinrel]s(t(η)))=[\joinrel[⊗(θ1,θ2)]\joinrel]s(t(η))=[\joinrel[θ]\joinrel]s(t(η)).
In the above theorems, we assumed that the dynamic and static traces are always in correspondence η∼H holds.
We now show that this is always the case at every proof state within a proof:
Theorem 7.7 (Intermediate Nominal Term Correspondence).
For any program α with (ω,ν)∈[\joinrel[α]\joinrel] and any ηω∼H where last(ηω)=ω and (H⇝H1)SP:(Γ⊢nowH([α]ϕ)) there exists ην where fst(ην)=ν and ηωην∼H1.
Note that last(ην) is not always ν:
Following the proof-checking rules, any states defined inside the nondeterministic constructs α∪β and α∗ leave scope and are absent in the final trace.
Since the theorem holds inductively at every proof state it thus shows that even for choices and loops, nominals have their intended meaning in the local context.
The proof is by induction on the derivation (H⇝H′)SP:(Γ⊢[α]ϕ).
The only significant cases are those which modify the trace.
Case show: Let ηω′=ηω and ην=(last(ηω)), then ηω′ην=ηω and H′=H so ηω′ην∼H′ because ηω∼H by assumption.
Case(casepα⇒SP1∣pβ⇒SP2): Let ηω′=ηω and ην=(last(ηω)), then ηω′ην=ηω and H′=H so ηω′ην∼H′ because ηω∼H by assumption.
Caseassignx:=θ~SP, α=x:=nowH(θ);nowH(α′),x∈/BV(α′):
Let H∗=H,sub(x,now(H)θ),η∗=η,ω,ωx[\joinrel[θ]\joinrel]ω.
To show η∗∼H∗ it suffices to show [\joinrel[now(H)θ]\joinrel]S(η,ω;H)=[\joinrel[θ]\joinrel]ω which holds by Theorem 7.6.
To apply the IH, lastly observe nowH∗(α′)=nowH(α′)xnowH(θ).
Then by IH, ∃ην∗fst(ν)=ωx[\joinrel[θ]\joinrel]ω, so let ην=ω,ην∗ and observe η,ω,ωx[\joinrel[θ]\joinrel]ω,ην∗=η,ω,η∗ so η,ω,η∗∼H′ by IH.
Caseassignx:=θ~SP, α=x:=nowH(θ);nowH(α′),x∈BV(α′):
By symmetry since the rule for η,ω∼H,eq(x,xi,θ) is symmetric with η,ω∼H,sub(x,θ).
To apply the IH observe hnowH∗α′=nowH(α′).
Lemma 7.8 (Ghosting).
If η,ω∼H
and (ω,ν)∈[\joinrel[α]\joinrel]
then ∃ην(η,ω,ην)∼Hα.
Let x1,…,xn=BV(α).
Define ω1=ωx1ν(x1),ωi=ωi−1xiν(xi) for all i≤n.
Then ωn=ν because by bound effect ω and ν differ only by BV(α).
By definition, Hα=H,any(x1,x1∗),…,any(xn,xn∗) for ghosts xi∗.
Then let ην=η,ω,ω1,…,ωn and the result holds.
Case ((after{SP1}havex:ϕthen{SP2}) and (α=α1;α2)):
By inversion on (ω,ν)∈[\joinrel[α]\joinrel],∃μ(ω,μ)∈[\joinrel[α1]\joinrel] and (μ,ν)∈[\joinrel[α2]\joinrel].
By the IH on SP1,∃ημ∼H′. Let x=x1,…,xn=BV(α) then define H∗=H,any(x1,x1,i),…,any(xn,xn,i) and define ω1=ωx1μ(x1),ωi=ωi−1xiμ(xi) for all i≤n, then observe ωn=μ because by bound effect (Platzer, 2015) for programs, ω and μ differ only on BV(α).
Let η∗=η,ω,ω1,…,ωn and observe η∗∼H∗ so we can apply the IH on SP2, yielding ∃ην∗∼H′′.
Now let ην=any(x1,x1,i),…,any(xn,xn,i),ην∗ and observe η,ω,η∗=η,ω,any(x1,x1,i),…,any(xn,xn,i),ην∗ so
η,ω,ην∼H′′, concluding the case.
Caseassumex:ϕ~SP,α=?(ϕ);α1: Let H∗=H,η∗=η then η∗∼H∗ and by IH ∃ην∗ where η∗ην∗∼H′.
Let ην=ην∗ and the result holds by definition of η∗ and ην.
Caseletp=e~SP: Symmetric.
Caselett(?x)=e~SP: Symmetric.
Casenotex=FPSP: Symmetric.
Casehavex:e~SP1SP2: Symmetric, except apply the IH on SP2.
CasestatetSP: Let H∗=H,t and η∗=η,t so η∗∼H∗ so the result follows by IH.
Casesolvepodet:ptdom:pdomSP:
By inversion on (ω,ν)∈[\joinrel[x′=θ;α1]\joinrel] there exists μ=ωxy(t) for some t≥0 such that ∀s∈[0,t]Q(s) and where (ω,μ)∈[\joinrel[x′=θ]\joinrel] and (μ,ν)∈[\joinrel[α1]\joinrel].
Let H∗=H,sub(x,y(t)) and η∗=η,ω,ωx[\joinrel[y(t)]\joinrel]ω then have η∗∼H∗ by Theorem 7.6 saying [\joinrel[y(t)]\joinrel]ω=[\joinrel[nowH(y(t))]\joinrel]S(η,ω;H) for any such t.
Then we can apply the IH since nowH∗(α1)=nowH(α1x[\joinrel[y(t)]\joinrel]ω), yielding ην∗ where η,ω,ωx[\joinrel[y(t)]\joinrel]ω,ην∗∼H′.
So let ην=ωx[\joinrel[y(t)]\joinrel]ω,ην∗ and the result holds.
CaseinvJ:ϕ~{Pre⇒SP1∣Ind⇒SP2}IP,α=α1∗;α2:
Let H∗=H,η∗=η then η∗∼H∗. by IH ∃ην∗ where η,ω,ην∗∼H′ so let ην=ην∗ and then η,ω,ην∼H′.
CasefinallySP,α=α1∗;α2:
By inversion, exists μ where (ω,μ)∈[\joinrel[α1∗]\joinrel] and (μ,ν)∈[\joinrel[α2]\joinrel].
By Lemma 7.9 have η,ωα∼Hα
(where (η,ω)α=η,ω,ω1,…,ωn)
and by bound effect (Platzer, 2015) lemma have ωn=μ.
By IH have ην∗ where η,ω,ω1,…,ωn,ην∗∼H′ so let ην=ω1,…,ωn,ην∗.
CaseinvJ:ϕ~{Pre⇒SP1∣Ind⇒SP2}IP,α={x′=θ};α2:
Symmetric to the case for loops.
CaseGhosty:=θ3;y′=θ2IP,α={x′=θ};α2:
By inversion, ∃μ=ωxφ(t) for some t≥0 such that φ(t) is the solution of x′=θ for time t and ∀s∈[0,t]ωxφ(t)∈[\joinrel[Q]\joinrel]
and (ω,μ)∈[\joinrel[{x′=θ}]\joinrel] and (μ,ν)∈[\joinrel[α2]\joinrel].
By linearity of {y′=θ2}, the solution of {x′=θ,y′=θ2} exists for the same time t and the solution agrees on x.
Since y is a ghost variable then y∈/FV(α2) and so (μ,ν)∈[\joinrel[α2]\joinrel] so the IH applies and ∃ην∗ where ηω,ην∗∼H′ and letting ην=ην∗ the result holds.
CasefinallySP,α={x′=θ};α2:
Symmetric to the case for loops, except note BV({x′=θ})={x,x′} so we apply the bound effect (Platzer, 2015) lemma only for x.
We assume as a side condition that x′∈/FV(η) in which case η∗∼H∗ still holds when setting ωn(x′)=μ(x′).
7.1. Nominalization
The relation η∼H relates static and dynamic traces, but not the executed program α.
We wish for the trace ην to assign each nominal t the actual state that α had during the state t in the proof.222Since we can add names at any point in a proof, this implies that the proof and program agree at every state.
We show this with semantics of the nominal hybrid logic dLh, (Platzer, 2007b) which extends the logic of dL with propositions t which are true iff the current state is the unique state identified by t.333dLh also adds propositions @iϕ indicating truth of ϕ in state ϕ, but they are not needed to specify our metatheory.
Accordingly, we extend the semantics with interpretations that assign a specific state to each t.
We write the interpretation corresponding to a trace η as interp(η), i.e. the interpretation which maps each t to last(t(η)).
Thus ω∈[\joinrel[ϕ]\joinrel]interp(η) means ϕ holds in state ω in the interpretation constructed from η, and likewise for (ω,ν)∈[\joinrel[α]\joinrel]interp(η).
We give a nominalization judgmentnom(α,SP)=αh which augments a program α with a test ?(t) for each named state statet in SP, producing a dLh program αh.
Every transition of αh is a transition of α because we do not introduce state mutation.
We show the converse holds too: all our additional tests (which depend solely on interp(η)) pass.
This formally justifies the claim that the states of η match the states of α:
Theorem 7.9.
If (H⇝Hα)SP:(Γ⊢[α]ϕ,Δ) for η,ω∼H and η,ω,ην∼Hα then let ν such that (ω,ν)∈[\joinrel[α]\joinrel].
Then in dLh, (ω,ν)∈[\joinrel[nom(α,SP)]\joinrel]interp(η).
By induction on the derivation of (H⇝H′)SP:(Γ⊢[α]ϕ).
The essence of the proof is the definition of nom(α,SP)=α′:
[TABLE]
Throughout the proof, let η′≡η,ω,ων∗, that is the trace resulting from the IH, such that η′∼H′.
Casenom(?(ϕ);α,assumex:ϕSP)=?(ϕ);nom(α,SP):
By inversion ω∈[\joinrel[ϕ]\joinrel] and (ω,ν)∈[\joinrel[α]\joinrel].
By IH, ∃α′nom(SP,α)=α′ and (ω,ν)∈[\joinrel[]\joinrel].
Then nom(assumex:ϕSP,?(ϕ);α)=?(ϕ),α′ and since ω∈[\joinrel[ϕ]\joinrel] and ϕ is nominal-free, then ω∈[\joinrel[ϕ]\joinrel]interp(η′) for any η′ and also (ω,ν)∈[\joinrel[α′]\joinrel] so (ω,ν)∈[\joinrel[?(ϕ);α′]\joinrel]interp(η′).
Casenom(α,havex:ϕSP1SP2)=nom(α,SP2):
By the IH, ∃α′nom(SP,α)=α′ and (ω,ν)∈[\joinrel[α′]\joinrel]interp(η′) then by inversion nom(α,havex:ϕSP1SP2)=α′ for the same α′, completing the case.
Casenom(α,letp=e~SP)=nom(α,SP):
Symmetric.
Casenom(α,lett(?X)=e~SP)=nom(α,SP):
Symmetric.
Casenom(α,notex=FPSP)=nom(α,SP):
Symmetric.
Casenom(α∗,(casepϕ⇒SPϕ∣pα⇒SPα)):
Symmetric.
Casenom(α,focuspSP):
Symmetric.
Caseafter{SPψ}haveψthen{SPϕ}:
By inversion, ∃μ((ω,μ)∈[\joinrel[α]\joinrel]∧(μ,ν)∈[\joinrel[β]\joinrel]).
Split the trace η,ω¸ην into η,ω,ημ,μ,ην∗.
By IH1, (ω,μ)∈[\joinrel[nom(SP1,α)]\joinrel]interp(η,ω,ημ,μ).
By interpretation weakening, (ω,μ)∈[\joinrel[nom(SP1,α)]\joinrel]interp(η,ω¸ην).
By Lemma , IH2 is applicable and (μ,ν)∈[\joinrel[nom(SP2,β)]\joinrel]interp(η,ω¸ην).
The result holds by semantics of [;].
Casenom(α,statetSP)=?t;nom(α,SP):
Then by IH with η∗=η,ω,t and H∗=H,t have ∃α′nom(SP,α)=α′ for some α′ where (ω,ν)∈interp(η′)[\joinrel[α′]\joinrel].
Then nom(α,statetSP)=?t;α′.
We have interp(η′)=interp(η∗)tω. Since interp(η′)=interp(η∗) on Σ(α′) then by coincidence (Platzer, 2015), (ω,ν)∈[\joinrel[α′]\joinrel]interp(η∗).
And by the definition of η∗ we have interp(η∗)(t)=ω so ω∈[\joinrel[t]\joinrel]interp(η∗) and thus (ω,ν)∈?t;α′interp(η∗).
Casenom(α∪β,SP)=α∪β:
Since (ω,ν)[\joinrel[α∪β]\joinrel] then (ω,ν)∈[\joinrel[α∪β]\joinrel]interp(η∗) and since nom(α∪β,SP)=α∪β the case is complete.
Casenom(x:=θ;α,assignx:=θ~SP)=x:=θ;nom(α,SP):
By IH ∃α′nom(SP,α)=α′ then nom(x:=θ;α,assignx:=θ~SP)=x:=θ;α′ and (ωx[\joinrel[θ]\joinrel]ω,ν)∈[\joinrel[α′]\joinrel]interp(η∗) and since (by inversion) (ω,ωx[\joinrel[θ]\joinrel]ω)∈[\joinrel[x:=θ]\joinrel] then also (ω,ωx[\joinrel[θ]\joinrel]ω)∈[\joinrel[x:=θ]\joinrel]interp(η′)
and finally (ω,ν)∈[\joinrel[x:=θ;α′]\joinrel]interp(η′).
Casenom(x:=∗;α,assignx:=∗SP)=x:=∗;nom(α,SP):
By IH ∃α′nom(SP,α)=α′ then nom(x:=θ;α,assignx:=∗SP)=x:=∗;α′ and (ωxr,ν)∈[\joinrel[α′]\joinrel]interp(η∗) and since (by inversion) (ω,ωxr)∈[\joinrel[x:=∗]\joinrel]ω then also (ω,ωxr)∈[\joinrel[x:=∗]\joinrel]interp(η′)
and finally (ω,ν)∈[\joinrel[x:=∗;α′]\joinrel]interp(η′).
Casenom(x′=θ&H;α,solvepodet:ptdom:pdomSP)=x′=θ&H;nom(α,SP):
By IH have ∃α′nom(SP,α)=α′ then nom(x′=θ&Q;α,solvepodet:ptdom:pdomSP)=x′=θ&H;α′ and (ωxφ(t),ν)∈[\joinrel[α′]\joinrel]interp(η∗) for some t≥0 such that ∀s∈[0,t]φ(s)∈[\joinrel[Q]\joinrel] and where φ is the unique solution to x′=θ on [0,t].
Since (by inversion) (ω,ωxφ(t))∈[\joinrel[x′=θ&Q]\joinrel]ω then also (ω,ωxφ(t))∈[\joinrel[x′=θ&Qinterp(η′)]\joinrel]
and finally (ω,ν)∈[\joinrel[x′=θ&Q]\joinrel]interp(η′).
Casenom(α∗;β,invpre:SP1{Pre⇒ind∣Ind⇒SP2}SP)=nom(α∗;β,SP):
By IH, have ∃β′nom(SP,α∗;β)=α∗;β′, and
nom(α∗;β,finallySP)=α∗;β′ for the same β′
and by IH, (ω,ν)∈α∗;β′interp(η′).
Casenom(α∗;β,finallySP)=α∗;nom(β,SP):
By inversion, ∃μ(ω,μ)∈[\joinrel[α∗]\joinrel] and (μ,ν)∈[\joinrel[β]\joinrel].
By IH, ∃β′nom(SP,β)=β′ and (μ,ν)∈[\joinrel[β′]\joinrel]interp(η′).
Then since (ω,μ)∈[\joinrel[α∗]\joinrel] then also (ω,μ)∈[\joinrel[α∗]\joinrel]interp(η′) and thus (ω,ν)∈[\joinrel[α∗;β′]\joinrel]interp(η′) as desired.
Casenom(x′=θ&H;α,Ghosty:=θ3;y′=θ2IP)=y′=θ,α&Q;β′:
By inversion, ∃μ(ω,μ)∈[\joinrel[x′=θ&Q]\joinrel] and (μ,ν)∈[\joinrel[β]\joinrel] and μ=ωxφx(t) for some t≥0 such that ∀s∈[0,t]ωxφx(t)∈[\joinrel[Q]\joinrel].
By applying the IH, we then have ∃β′nom(SP,x′=θ,y′=θ2&H;β)=x′=θ,y′=θ2&H;β′, and
nom(x′=θ,y′=θ2&;β,Ghosty:=θ3;y′=θ2IP)=x′=θ&H;β′ for the same β′ and by IH, (ωyy0,ν)∈[\joinrel[x′=θ,y′=θ2&;β′]\joinrel]interp(η′).
By soundness for dG, (ω,ν)∈[\joinrel[x′=θ&;β′]\joinrel]interp(η′).
Casenom(x′=θ&H;α,invpre:SP1{Pre⇒ind∣Ind⇒SP2}SP)=nom(x′=θ&H;α,SP):
By IH, ∃β′nom(SP,x′=θ&H;β)=x′=θ&H;β′,
and nom(α∗;β,finallySP)=x′=θ&H;β′
for the same β′ and by IH, (ω,ν)∈[\joinrel[x′=θ&H;β′]\joinrel]interp(η′).
Casenom(x′=θ&H;α,finallySP)=x′=θ&H;nom(α,SP):
By inversion, ∃μ(ω,μ)∈[\joinrel[x′=θ&Q]\joinrel] and (μ,ν)∈[\joinrel[β]\joinrel].
By IH, ∃β′nom(SP,β)=β′ and (μ,ν)∈[\joinrel[β′]\joinrel]interp(η′).
Then since (ω,μ)∈[\joinrel[x′=θ&Q]\joinrel] then also (ω,μ)∈[\joinrel[x′=θ&Q]\joinrel]interp(η′) and thus (ω,ν)∈[\joinrel[x′=θ&Q;β′]\joinrel]η′ as desired.
Note that, as with the traces themselves, nondeterministic choices and loops discard nominals from their subprograms.
As before, this does not weaken the theorem, it simply means those nominals are local in scope.
Theorem 7.10.
*Nominalization is sound when applied to proofs that check.
That is, for all (H⇝Hϕ)SP:(Γ⊢[α]ϕ) and all dLh interpretations interp(η), we have Γ⊢interp(η)[nom(α,SP)]ϕ.
*
The claim holds by observing that the transitions for α1 (which holds easily by induction) are a subset of those for α, regardless of η, and the result holds from soundness for Kaisar:
[α]ϕ implies [β]ϕ for any β where [\joinrel[β]\joinrel]⊆[\joinrel[α]\joinrel] by the semantics of the box modality.
Lastly we show standard soundness and completeness theorems:
7.2. Soundness and Completeness
Lemma 7.11 (Soundness of Pattern Matching).
If matchΓ1(p,e)=Γ2 then [\joinrel[Γ1]\joinrel]=[\joinrel[Γ2]\joinrel].
That is, pattern-matching never affects the assumptions of a context, only the abbreviations, which are not soundness-critical.
By induction on matchΓ1(p,e).
In every case, Γ1=Γ2 or Γ1 adds a definition to Γ2 or Γ2 comes from an inductive call.
Lemma 7.12.
If ω∈[\joinrel[Γ]\joinrel] and (ω,ν)∈[\joinrel[α]\joinrel] then να∈[\joinrel[Γα]\joinrel], where να ghosts all x∈BV(α) in ω.
By renaming, ωα∈[\joinrel[Γα]\joinrel].
By program coincidence (Platzer, 2016), there exists ν~ where (ωα,ν~)∈[\joinrel[α]\joinrel] and ν~ agrees with ωα on Dom(ω).
Then (Dom(ω~)∖Dom(ω))∩BV(α)=∅, so
by bound effect lemma (Platzer, 2016) ν~=να.
Since ωα and να agree on ghosts, by formula coincidence ωα∈[\joinrel[Γα]\joinrel].
Lemma 7.13 (Soundness of Forward Proof).
If FP:(Γ;H⊢Δ) then Γ⊢Δ is valid formula of dL.
Casep: If ϕ∈Γ then the conclusion holds by the hypothesis rule, otherwise ϕ∈Σ and since Σ consists only of the axiom schemata of first-order arithmetic, which are sound, the result also holds.
CaseFP1FP2: Assume ω∈[\joinrel[Γ]\joinrel] then by IH both ω∈[\joinrel[ϕ→ψ]\joinrel] and ω∈[\joinrel[ϕ]\joinrel] so by modus ponens ω∈[\joinrel[ψ]\joinrel] as desired.
CaseFP1θ:
Assume ω∈[\joinrel[Γ]\joinrel] and then by IH
ω∈[\joinrel[∀xϕ]\joinrel] and
by forall instantiation/substitution ω∈[\joinrel[ϕxθ]\joinrel].
Theorem 7.14 (Soundness of SP).
If (H⇝H′′)SP:(Γ⊢Δ) then Γ⊢Δ is a valid formula of dL.
Recall that while the LCF architecture ensures the implementation of Kaisar is sound, this soundness theorem is still essential to validate our calculus.
(Note: This proof has a lot of cases. Even for the extended version of the proof, we leave out the diamond rules, which are analogous to the box rules, and the implict rules, which follow directly from soundness of propositional logic and a handful of dL axioms).
By induction on the derivation.
Caseassumex:ϕSP:
By definition of [?(ψ)]ϕ suffices to show Γ⊢(ψ→ϕ),Δ is valid, i.e.
Γ,ψ⊢ϕ,Δ.
This holds directly by IH.
Casehavex:ψSP1SP2:
Assume ω∈[\joinrel[Γ]\joinrel].
By IH1, ω∈[\joinrel[ψ,Δ]\joinrel].
If ω∈[\joinrel[Δ]\joinrel] then we’re done.
Else ω∈[\joinrel[ψ]\joinrel] so ω∈[\joinrel[Γ,ψ]\joinrel].
Then IH2 is applicable and ω∈[\joinrel[Δ]\joinrel] as desired.
Caseletp=e~SP: Note the context Γ′ produced by pattern matching contains only definitions, so for all ω∈[\joinrel[Γ]\joinrel] also have ω∈[\joinrel[Γ,Γ′]\joinrel] and the IH applies directly, giving ω∈[\joinrel[Δ]\joinrel] as desired.
Caselett(?x)=e~SP: Symmetric.
Casenotex=FPSP:
Assume ω∈[\joinrel[Γ]\joinrel] then by Lemma 7.13, ω∈[\joinrel[ψ]\joinrel] and thus ω∈[\joinrel[ψ∧Γ]\joinrel] and by IH, ω∈[\joinrel[Δ]\joinrel] as desired.
CaseshowxϕUP:
First note all facts in the using clause hold.
Those on the LHS of the union are in Γ and thus hold by hypothesis rule.
Those on the RHS are the results of forward proofs and thus hold by soundness of forward proof.
Thus ω∈[\joinrel[Γ′]\joinrel].
Proceed by cases on the proof method.
Case id: Holds by hypothesis rule.
CaseR: Holds by the side condition that Γ→Δ is valid in first-order logic over the reals and the fact that dL conservatively extends FOL.
Case auto: We do not give a precise proof rule for this case since auto is ever-changing heuristic automation, we merely note that it is the result of operations in an LCF-style which itself has been verified, and thus soundness follows as a result.
Case(H⇝H)(casepϕ⇒SPϕ∣pα⇒SPα):(Γ⊢[α∗]ϕ,Δ):
By the IH, Γϕ⊢ϕ,Δ and Γψ⊢[α][α∗]ϕ,Δ where match(pϕ,ϕ)=Γϕmatch(pα,α)=Γα. By Lemma LABEL:lem:pat-mon, Γ and Γψ contain the same facts, as do Γ andΓα, so Γ⊢ϕ,Δ and Γ⊢[α][α∗]ϕ.
Then by the semantics of loops (or soundness of the [∗] axiom of dL), Γ⊢[α∗]ϕ,Δ.
CasestatetSP:
Directly by the IH on (H,t⇝Hϕ)SP:(Γ⊢ϕ,Δ).
CasefocuspSP on the left:
By the IH, Γ1,Γ2⊢¬ϕ,Δ.
The inverse of ¬R is sound (derivable from cut and double negation elimination and ¬L),
so Γ1,ϕΓ2⊢Δ as desired.
CasefocuspSP on the right:
By the IH, Γ⊢ϕ,Δ1,Δ2 and
Γ⊢Δ1,ϕ,Δ2 follows by soundness of exchange.
Case(casepα⇒SPα∣pβ⇒SPβ):
Assume ω∈[\joinrel[Γ]\joinrel].
Note Γ1 and Γ2 contain only pattern-matching definitions.
So we can apply both IHs and get ω∈[\joinrel[[α]ϕ∨Δ]\joinrel] and ω∈[\joinrel[[β]ϕ∨Δ]\joinrel].
In the case that ω∈[\joinrel[Δ]\joinrel] then we’re done, else ω∈[\joinrel[[α]ϕ]\joinrel] and ω∈[\joinrel[[β]ϕ]\joinrel] and by the semantics of ∪ then ω∈[\joinrel[[α∪β]ϕ]\joinrel] as desired.
Caseassignx:=pθSP,x∈/BV(ϕ):
Assume ω∈[\joinrel[Γ]\joinrel].
By IH have ω∈[\joinrel[ϕxθ,Δ]\joinrel].
If ω∈[\joinrel[Δ]\joinrel] we’re done, else by substitution ωx[\joinrel[θ]\joinrel]ω∈[\joinrel[ϕ]\joinrel] and by definition ω∈[\joinrel[[x:=θ]ϕ]\joinrel] as desired.
Caseassignx:=pθSP,x∈BV(ϕ):
Assume ω∈[\joinrel[Γ]\joinrel].
Define ω1=(ω,xi=ω(x))x[\joinrel[ω]\joinrel]θ for fresh xi.
Observe by construction and freshness of i.e. and soundness of renaming that ω1∈[\joinrel[Γxix]\joinrel] and ω1(x)=[\joinrel[θxxi]\joinrel]ω1 so the IH applies, giving
ω1∈[\joinrel[ϕ,Δxix]\joinrel] which again by renaming and construction of ω1 gives either ωx[\joinrel[θ]\joinrel]ω∈[\joinrel[ϕ]\joinrel] or ω∈[\joinrel[Δ]\joinrel] and in either case the result holds.
Caseassignx:=∗SP:
Assume ω∈[\joinrel[Γ]\joinrel].
Define ω1=(ω,xi=ω(x))xr for fresh xi and some r∈R.
Observe by construction and freshness of i.e. and soundness of renaming that ω1∈[\joinrel[Γxix]\joinrel] so the IH applies, giving
ω1∈[\joinrel[ϕ,Δxix]\joinrel] which again by renaming and construction of ω1 gives either ωxr∈[\joinrel[ϕ]\joinrel] or ω∈[\joinrel[Δ]\joinrel] and in either case the result holds (since this is true for all such r).
Case(H⇝Hα)after{SP1}haveψthen{SP2}:(Γ⊢[α]ϕ,Δ):
By IH, Γ⊢[α]ψˉ,Δ and Γα,ψˉ⊢ϕ,Δα.
Assume (ω,ν)∈[\joinrel[Γ]\joinrel]∖[\joinrel[Δ]\joinrel] (else the sequent is trivially true).
Then by IH1 ν∈[\joinrel[ψˉ]\joinrel].
Also by Lemma 7.12ν∈[\joinrel[Γα]\joinrel]∖[\joinrel[argΔ]\joinrel]α and so by IH2 ν∈[\joinrel[ϕ]\joinrel].
Since this holds for all such ν then ω∈[\joinrel[Γ⊢[α]ϕ,Δ]\joinrel] as desired.
Casesolvepodet:ptdom:pdomSP:
Assume ω∈[\joinrel[Γ]\joinrel], then let ν=ωxφ(t) for any t≥0 where ∀s∈[0,t]ωxφ(s)∈[\joinrel[Q]\joinrel] and φ is the solution for x′=θ.
Then let t be a fresh variable which agrees everywhere with the above time t.
Note that ω∈[\joinrel[t≥0]\joinrel] and ω∈[\joinrel[∀s∈[0,t]Q]\joinrel] by choice of t.
Then the IH applies and ω∈[\joinrel[ϕxy(t),Δ]\joinrel].
If ω∈[\joinrel[Δ]\joinrel] we’re done, else note by choice of ν we have ν∈[\joinrel[ϕ]\joinrel] by substitution and this holds for all such ν and so ω∈[\joinrel[[x′=θ&Q]ϕ]\joinrel] as desired.
The cases for invariants are proven by simultaneous induction, where for the additional context of invariants δ∈Δ we assume [α]δ instead of δ.
Caseinvx:J{Pre⇒SPpre∣Ind⇒sproofinv}IP, loop α∗:
Assume ω∈[\joinrel[Γ]\joinrel].
By IH1, ω∈[\joinrel[ψ,Δ]\joinrel].
If ω∈[\joinrel[Δ]\joinrel] we’re done, else ω∈[\joinrel[ψ]\joinrel].
By Lemma 7.12ωα∈[\joinrel[Γα]\joinrel] and
(ωα,ωα)∈[\joinrel[α∗]\joinrel]
and ωα∈[\joinrel[Γα]\joinrel].
Thus by IH2 ωα∈[\joinrel[[α]ϕ,Δα]\joinrel].
If ωα∈[\joinrel[Δα]\joinrel] then by coincedence and renaming ω∈[\joinrel[Δ]\joinrel] and we’re done.
Else ωα∈[\joinrel[[α]ϕ]\joinrel] and this holds for all such ωα so ωα∈[\joinrel[[α∗](ϕ→[α]ϕ)]\joinrel] and by renaming so is ω, and by the induction axiom ω∈[\joinrel[[α∗]ϕ]\joinrel].
CasefinallySP, loop α∗:
Let ω∈[\joinrel[Γ]\joinrel] and let ν such that (ω,ν)∈[\joinrel[α∗]\joinrel].
Then ωα∈[\joinrel[Γα]\joinrel]
and να∈[\joinrel[Γα]\joinrel] by Lemma 7.12.
By IH να∈[\joinrel[ϕ,Δα]\joinrel].
In the latter case by renaming we’re done.
Else since this holds for all possible ν we have ω∈[\joinrel[[α∗]ϕ]\joinrel] as desired (by renaming again also).
Caseinvx:J{Pre⇒SPpre∣Ind⇒SPinv}IP, ODE α=x′=θ&Q:
Assume ω∈[\joinrel[Γ∧[α]Δ]\joinrel] then by IH ω∈[\joinrel[ψ,Δ]\joinrel].
If ω∈[\joinrel[Δ]\joinrel] we’re done else ω∈[\joinrel[ψ]\joinrel].
Then let ν=ωxφ(t) for any t≥0 where ∀s∈[0,t]ωxφ(s)∈[\joinrel[Q]\joinrel] and φ is the solution to x′=θ for time t.
By renaming and unpacking semantics in Δ then ν∈[\joinrel[Γ1]\joinrel]Δ and so by IH ω∈[\joinrel[(ϕ)′x′θ,Δ1]\joinrel].
In the case ω∈[\joinrel[Δ1]\joinrel] then by renaming ω∈[\joinrel[Δ]\joinrel] and we’re done, else by soundness of differential effects, ν∈[\joinrel[(ϕ)′]\joinrel].
Since this holds for any such ν, then by soundness of differential invariants, ν∈[\joinrel[ψ]\joinrel] for all such ν and so ω∈[\joinrel[[α]ψ]\joinrel] so we can apply the second IH from which the result follows.
CasefinallySP, ODE x′=θ&Q:
Assume ω∈[\joinrel[Γ]\joinrel].
Then let ν=ωxφ(t) for any t≥0 where ∀s∈[0,t]ωxφ(s)∈[\joinrel[Q]\joinrel] and φ is the solution to x′=θ for time t.
By renaming ν∈[\joinrel[Γ1]\joinrel] and by diff weakening ν∈[\joinrel[Q]\joinrel] and by unpacking semantics ν∈[\joinrel[Δ]\joinrel] so the IH applies giving ν∈[\joinrel[ϕ]\joinrel].
Since this held for all ν then by renaming again ω∈[\joinrel[[α]ϕ]\joinrel] as desired.
CaseGhosty:=θ3;y′=θ2IP:
Let ω1=ω,y=[\joinrel[θ3]\joinrel]ω.
Then by coincidence (Platzer, 2015) ω1∈[\joinrel[Γ,Δ]\joinrel] and by construction ωI∈[\joinrel[y=θ3]\joinrel]
So by IH, ω1∈[\joinrel[x′=θ1,y′=θ2&Q]\joinrel]
By linearity of θ2 the existence interval of x′=θ1,y′=θ2&Q agrees with x′=θ1&Q so they have transitions for all the same times t.
And since y was fresh they agree on all variables but y and by coincidence (Platzer, 2015) ν∈[\joinrel[ϕ]\joinrel] whenever ν1∈[\joinrel[ϕ]\joinrel] and so by renaming ω∈[\joinrel[[x′=θ1&Q]ϕ]\joinrel] as desired.
Theorem 7.15 (Completeness).
Kaisar is complete with respect to sequent calculus for dL, that is for all Γ,Δ if Γ⊢Δ is provable in dL sequent calculus then (H⇝HSP)SP:(Γ⊢Δ) for some H,HSP,SP.
(Note: This proof has a lot of cases. Even for the extended version of the proof, we present only the cases for right rules for boxes and left rules for diamonds — the other cases are analogous).
The proof proceeds by induction on sequent calculus proofs of dL, but we first establish several preliminary observations resolving the key differences between sequent calculus and Kaisar.
Observation 1: Rules such as ∀ instantiation require specifying an input.
Inputs in Kaisar are extended terms, thus completeness requires all terms are expressible as extended terms (i.e. expansion is surjective).
This is true when all states are named, in which case we call the trace complete, a property we maintain as an invariant.
By induction on the term θ we wish to express.
All cases except variables hold by IH.
In the (ghost or program) variable case, produce a nominal for the state at which the name was introduced.
Observation 2: All Kaisar proofs produced in this proof support weakening, so if (H⇝HSP)SP:(Γ1⊢Δ1) then (H⇝HSP)SP:(Γ1,Γ2⊢Δ1,Δ2) for any contexts Γ2,Δ2 that introduce only fresh variables, i.e. contexts where Dom(Γ1)∩Dom(Γ2)=Dom(Δ1)∩Dom(Δ2)=∅.
By inspection on the cases of the completeness proof.
Weakening could only fail if adding assumptions caused a pattern-match to be ambiguous, but we fully disambiguate all patterns.
Observation 3: Kaisar is complete even ignoring forward proof, abbreviations and using clauses.
While these features are essential in practical usage, they will not be needed in this proof.
An essential part of the proof is our choice of induction metric, because we often induct on formulas that are not strict subformulas of the input.
We define a total ordering on sequents (Γ1⊢Δ1)≺(Γ2⊢Δ2) as the lexicographic ordering of:
(1)
The number of formulas containing modalities in the antecedent.
2. (2)
The number of nondeterministic choices α∪β.
3. (3)
The number of loops α∗
4. (4)
The number of compositions α;β
5. (5)
The total number of modalities [α]ϕ or ⟨α⟩phi.
6. (6)
The number of symbols occuring under some negation (i.e. sum of the number of symbols in ϕ for each ¬(ϕ))
7. (7)
The total number of formula connectives, (which does not include the comma separator, nor term connectives.)
Rule (1) ensures the focus rule can be used to implement antecedent structured execution.
Rules (2-4) support the cases for the compound programs and (5) supports the atomic programs.
Rule (6) supports the negation-normal form implicit rules, e.g. this definition ensures (Γ⊢¬P∨¬P,Δ)≺(Γ⊢¬(P∧Q),Δ)
Rule (7) supports the propositional and quantifier cases.
The main proof now proceeds by induction on sequent calculus proofs of dL under ≺.
In each case, let ϕ refer to the formula acted upon by the SC rule.
The structured execution rules assume a formula in the first succedent position, thus (at the beginning of each case) we immediately pull ϕ to first succedent position with focus.
Well-ordering is preserved here: For right rules, the metric ≺ is unchanged when acting on the succedent.
For left rules, it strictly decreases by Rule (1).
Case cut: Can be assumed not to happen by admissibility of discrete cut elimination, but even without that, reduces to have.
Caseϕ∈FOLR: By decidability of FOLR, (H⇝H)showx_auto:(Γ⊢ϕ,Δ).
Caseϕ∈Γ: By hypothesis rule, (H⇝H)showx_id:(Γ,ϕ⊢ϕ,Δ).
Caseϕ=ϕ1∧ϕ2:
By invertibility of the ∧R sequent calculus rule, Γ⊢ϕ1,Δ and Γ⊢ϕ2,Δ are derivable.
By IH, ∃SP1,SP2 where (H⇝H)SP1:(Γ⊢ϕ1) and (H⇝H)SP2:(Γ⊢ϕ2), from which we apply the case rule for conjunctions on the right: (H⇝H)(caseϕ1⇒SP1∣ϕ2⇒SP2):(Γ⊢ϕ1∧ϕ2,Δ).
Caseϕ=ϕ1∨ϕ2: Let Δ1=ϕ1,ϕ2,Δ.
Notice Δ1≺ϕ1∨ϕ2,Δ
so apply the IH yielding (H⇝H′)SP:(Γ⊢ϕ1,ϕ2,Δ)
then apply the case rule for disjunction on the right and we get:
(H⇝H′)(caseϕ1⇒ϕ2∣SP⇒:)(Γ⊢ϕ1∨ϕ2,Δ).
Caseϕ=¬ϕ1:
By rule (6) we apply whichever negation-normal form (NNF) implicit rule applies based on the shape of ϕ.
Because SC is sufficient to implement NNF normalization, if Γ⊢ϕ,Δ is true in SC then Γ⊢nnf(ϕ),Δ is as well, and is simpler, so true in Kaisar as well, then by the implicit normalization rules of Kaisar, Γ⊢ϕ,Δ is as well.
Caseϕ=ϕ1→ϕ2:
By IH (applicable because we removed propositional connectives), ∃SP(H⇝H′)SP:(Γ,ϕ1⊢ϕ2,Δ),
Then (H⇝H′)assumex:ϕ1SP:(Γ⊢ϕ1→ϕ2,Δ)
Caseϕ=ϕ1↔ϕ2:
By IH (applicable because we removed propositional connectives), both (H⇝H1)SP1:(Γ,ϕ1⊢ϕ2,Δ) and (H⇝H2)SP2:(Γ,ϕ2⊢ϕ1,Δ)
and then we apply the casing form for equivalences:
(H⇝H)(caseϕ1→ϕ2⇒assumex1:ϕ1SP1∣ϕ2→ϕ1⇒assumex2:ϕ2SP2):(Γ⊢ϕ1↔ϕ2,Δ).
Caseϕ=∀xϕ1: Symmetric with the case for [x:=∗]ϕ1, except the reason for well-foundedness is that we removed a quantifier and added only term connectives.
Caseϕ=∃xϕ1: Symmetric with the case for ⟨x:=∗⟩ϕ1.
Caseϕ=[x:=θ]ϕ1 where x∈/BV(ϕ1) :
By IH (because we remove a modality), we then have ∃SP(H,sub(x,θ)⇝H′)SP:(Γ⊢ϕ1xθ,Δ).
Then (H⇝H′)statetassignx:=θSP:(Γ⊢[x:=θ]ϕ1,Δ) and H,t,sub(x,θ) is a complete history and the inner proof still holds by weakening (i.e. addition of state namesm).
Caseϕ=[x:=θ]ϕ1 where x∈/FV(Γ,Δ,θ):
By IH (because we remove a modality), we then have ∃SP(H,eq(x,xi,θ)⇝H′)SP:(Γ⊢ϕ1,Δ).
Then (H⇝H′)statetassignx:=θSP:(Γ⊢[x:=θ]ϕ1,Δ) and H,t,eq(x,θ,) is a complete history and the inner proof still holds by weakening (i.e. addition of state names).
Caseϕ=[x:=∗]ϕ1 where x∈/FV(Γ,Δ,):
By IH (because we remove a modality), we then have ∃SP(H,any(x,xi)⇝H′)SP:(Γ⊢ϕ1,Δ).
Then (H⇝H′)statetassignx:=∗SP:(Γ⊢[x:=∗]ϕ1,Δ) and H,t,any(x,xi) is a complete history and the inner proof still holds by weakening (i.e. addition of state names).
Caseϕ=[α;β]ϕ1:
By IH (because we remove a sequential composition), ∃SP(H⇝H′)SP:(Γ⊢[α][β]ϕ1,Δ) then by the implicit rule for [;] have (H⇝H′)SP:(Γ⊢[α;β]ϕ1).
Caseϕ=[α∪β]ϕ1:
By IH (because we remove a ∪ operator), ∃SP1(H⇝H′)SP1:(Γ⊢[α]ϕ1,Δ) and ∃SP2(H⇝H′)SP2:(Γ⊢[β]ϕ1,Δ).
By [∪] casing have (H⇝H)(caseα⇒SP1∣β⇒SP2):(Γ⊢[α∪β]ϕ1,Δ).
CaseΓ,⟨α∪β⟩ϕ⊢Δ\lx@proof@logical@andD1=Γ,⟨α⟩ϕ⊢ΔD2=Γ,⟨β⟩ϕ⊢Δ:
Observe in SC Γ⊢[α∪β]¬ϕ,Δ by the following derivation:
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨α∪β⟩ϕSP:(Γ⊢⟨α∪β⟩ϕ,Δ).
CaseΓ,⟨α;β⟩ϕ⊢ΔD1=Γ,⟨α⟩⟨β⟩ϕ⊢Δ:
Observe in SC Γ⊢[α][β]¬ϕ,Δ by the following derivation:
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨α;β⟩ϕSP:(Γ⊢⟨α;β⟩ϕ,Δ).
CaseΓ,⟨x:=θ⟩ϕ⊢ΔD1=Γ,ϕxθ⊢Δ(ifx∈/BV(ϕ)):
Observe Γ⊢[x:=θ]¬ϕ,Δ in SC by (noting ¬(ϕxθ)=(¬ϕ)xθ)
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨x:=θ⟩ϕSP:(Γ⊢⟨x:=θ⟩ϕ,Δ).
CaseΓ,⟨x:=θ⟩ϕ⊢ΔD1=Γ,ϕxθ⊢Δ(ifx∈/FV(Γ,Δ)):
Observe Γ⊢[x:=θ]¬ϕ,Δ in SC by (noting ¬(ϕxθ)=(¬ϕ)xθ)
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨x:=θ⟩ϕSP:(Γ⊢⟨x:=θ⟩ϕ,Δ).
CaseΓ,⟨x:=∗⟩ϕ⊢ΔD1=Γ,∃xϕ⊢Δ:
Observe Γ⊢[x:=∗]¬ϕ,Δ in SC by
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨x:=∗⟩ϕSP:(Γ⊢⟨x:=∗⟩ϕ,Δ).
CaseΓ,⟨?(ψ)⟩ϕ⊢ΔD1=Γ,ψ∧ϕ⊢Δ:
Observe Γ⊢[?(ψ)]¬ϕ,Δ in SC by
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨?(ψ)⟩ϕSP:(Γ⊢⟨?(ψ)⟩ϕ,Δ).
CaseΓ,⟨α∗⟩ϕ⊢ΔΓ,ϕ∨⟨α⟩⟨α∗⟩ϕ⊢Δ:
Observe Γ⊢[α∗]¬ϕ,Δ in SC by
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨α∗⟩ϕSP:(Γ⊢⟨α∗⟩ϕ,Δ).
CaseΓ,⟨x′=θ&Q⟩ϕ(x)⊢ΔΓ,t≥0,∀s∈[0,t]Qxy(t),ϕ(y(t))⊢Δ:
Observe Γ⊢[x′=θ&Q]¬ϕ,Δ in SC by
[TABLE]
And then since this sequent is simpler (less modalities on the left), it’s derivable by some SP in Kaisar by IH, so we derive (H⇝H)focus⟨x′=θ&Q⟩ϕ(x)SP:(Γ⊢⟨x′=θ&Q⟩ϕ(x),Δ).
Case ([α∗]ϕ, rule I):
We have by assumption
[TABLE]
And the proof follows trivially from Inv and finally.
Case[M]: In the case of a box monotonicity proof, note that the mid rule as presented in the paper is simply a special case of:
[TABLE]
We presented it in its special-case form due to its close analogy with Hoare logic for explanatory purposes, but structured symbolic execution works just as well with the general form, and with the general form [M] falls out by propositional reasoning.
Case⟨M⟩: Symmetric.
Case[∗] iter on the right:
Direct from the IH and from the rule:
[TABLE]
Case⟨α∗⟩ϕ on the right:
Rule
[TABLE]
translates to
[TABLE]
CaseΓ⊢[x′=θ&Q]ϕ,Δ:
In the ODE case, we assume without loss of generality that the proof is not a proof by the solve axiom [′] since [′] is implementable with DG,DC, and DI (Platzer, 2015).
Further note we can restrict our consideration to a simplied fragment of ODE proofs which is in turn complete for SC.
We say an ODE proof is in linear-normal form if it consists of 0 or more DG’s, followed by zero or more DCs (where the proof of each cut is a single DI), ending in DW.
We notate linear-normal proofs as (DGs,DCsDIs,DW) with empty lists denoted ϵ and concatenation (D1::D2)
Lemma 7.16.
Linear-normal ODE proofs in SC are complete for ODE proofs in SC.
We define normalization D\Mapsto(DGs,DCsDIs,DW), then show the proofs check:
Proceed by induction on the derivation.
Case DW:: The proof is already linear-normal.
Case DI:: We cut in ϕ, the formula proved by DI(ϕ), thus the cut holds.
The cut holds because DI(ϕ) is a proof of some
Case DG:: Direct by the IH.
Case DC::
DGs1 check trivially by IH. DGs2 check by IH and because the ghosted system after DGs1 with the input system on non-ghost variables.
DCs1 and DIs1 check because all invariants of the input system are invariants of the ghosted system.
DCs2 and DIs2 check for this reason and because the addition of further invariants DCs1 does not reduce provability.
DC(ϕ) and DW1 prove because addition of DCs1 and DCs2 never reduces provability.
DW2 proves because ϕ is available in the domain constraint and the addition of DCs1 does not reduce provability.
Lemma 7.17.
Kaisar is complete for linear-normal SC proofs.
We proceed by a simultaneous induction on invariant proofs in normal
form:
CaseΓ⊢[x′=θ&Q]ϕ,ΔQ⊢ϕ:
By the outer IH Q⊢ϕ is provable by some SP because it eliminates a modality.
The proof follows by applying the finally rule:
[TABLE]
CaseΓ⊢[x′=θ&Q]ϕ,Δ\lx@proof@logical@andΓ⊢[x′=θ&Q]ψ,ΔQ⊢(ψ)′x′θΓ⊢[x′=θ&Q∧ψ]ϕ,Δ:
By the inner IH, the “use” case is provable by some IP.
By the linear-normal assumption, the “show” case is a single DI, and thus follows from the Inv rule:
[TABLE]
CaseΓ⊢[x′=θ&Q]ϕ,Δ\lx@proof@logical@andϕ↔∃yψΓ⊢[x′=θ,y′=θ2&Q]ψ,Δ:
By inner IH, the use case is provable by some IP, and the result follows by ghosting:
[TABLE]
By composing the above lemmas, Kaisar is complete for ODE proofs in sequent calculus.
Corollary 7.18.
By Gödel’s incompleteness theorem, any sound calculus for dL is incomplete in the absolute sense (Platzer, 2008) and thus so is Kaisar.
However, sequent calculus for dL is relatively complete (Platzer, 2008) both with respect to any differentially expressive logic and with respect to discrete dynamics.
Thus Kaisar is as well.
8. Related Work
Structured proof languages were first introduced in the theorem prover Mizar (Bancerek et al., 2015; Wenzel and
Wiedijk, 2002), then expanded upon in systems such as Isar (Wenzel, 2006, 1999, 2007).
Other structured proof languages/extensions include the DECLARE (Syme, 1997) proof system for HOL, TLAPS for TLA+ (Cousineau et al., 2012; Lamport, 1992), Coq’s declarative proof language (Corbineau, 2007) and SSReflect extension (Gonthier and
Mahboubi, 2010), and several “Mizar modes” implementing structured languages in provers including Cambridge HOL (Harrison, 1996), Isabelle (Kaliszyk
et al., 2016), and HOL Light (Wiedijk, 2001).
Kaisar is heavily inspired by Isar specifically, though we do not use every feature of Isar.
The assume, note, show, and have are taken directly from Isar, and Kaisar’s let construct is a straightforward generalization of Isar’s let construct with pattern-matching.
The use of pattern-matching for formula selection has been investigated, e.g. by Traut (Traut and
Noschinski, 2014) and by Gonthier (Gonthier and
Tassi, 2012).
In contrast with all the above, Kaisar has an extensive metatheory to justify its defining features: nominal terms and structured symbolic execution.
While Isar and Coq’s declarative language have formally defined semantics, we know of only one interactive proof language besides Kaisar with significant metatheoretic results: VeriML (Stampoulis and
Shao, 2010, 2012).
We share with VeriML the goal of solving practical interactive proof problems via principled proof languages with metatheoretic guarantees.
We differ in that VeriML addresses extending logical frameworks with automation while we address verification of concrete systems in a domain-specific logic for CPS.
Nominal terms are unique to Kaisar among interactive proof languages, and give it a unique advantage in expressing the rich ghost state of hybrid systems proofs.
Other structured languages such as Isar have been used extensively for program verification (for example: (Nipkow, 2002; Klein et al., 2010; Lochbihler, 2007)).
However, because the above languages target general logics, they lack the language-level awareness of state change required for nominals.
We provide this language-level support through the novel technical features of structured symbolic execution and static traces.
We then implement the resulting language, reusing the infrastructure of an existing prover KeYmaera X.
An alternate approach is to implement a language at the user-level, in the tactics language of an existing prover.
This approach was taken, e.g. by the Iris Proof Mode (IPM) for Coq, (Krebbers
et al., 2017) which implements reasoning for concurrent separation logic in Coq’s Ltac language.
We work in the implementation language of KeYmaera X because it is far more expressive than its tactics language.
Language choice is incidental: the key is preserving the underlying prover’s soundness guarantees.
As with Coq (Barras and Werner, 1997), KeYmaera X has an LCF-style core supported by mechanized soundness results for the underlying calculus (Bohrer et al., 2017), making the Kaisar implementation highly trustworthy.
Kaisar and IPM share a goal of building generalizable interactive proof technology for program logics, but they target vastly different logics and address different aspects of proof:
IPM uses Coq’s unstructured proof style and focuses (a) on embedding object logics in metalogics and (b) on the concerns of separation logic (e.g. managing of different context types, state ownership).
In contrast, we augment structured proof with nominals to provide natural reasoning across states as needed in hybrid systems.
We conjecture that our basic approach applies to many logics, including separation logics.
Two closely related language classes are tactics languages (which implement reuseable automation) and unstructured proof languages (which implement concrete proofs).
Automation can often be written in the prover’s implementation language: OCaml in Coq, ML in Isabelle, or Scala in KeYmaera X.
Domain-specific languages for tactics include untyped Ltac (Delahaye, 2000), reflective Rtac (Malecha and
Bengtson, 2015), and dependently typed Mtac (Ziliani et al., 2013) in Coq, Eisbach (Matichuk
et al., 2016) in Isabelle, and VeriML (Stampoulis and
Shao, 2010, 2012).
Examples of unstructured languages are
the Coq (Team, 2017) script language and the Isabelle (Nipkow
et al., 2002) apply-script language.
KeYmaera X features a language named Bellerophon (Fulton
et al., 2017) for unstructured proofs and tactics.
The Bellerophon language consists of regular expression-style tactic combinators (sequential composition, repetition, etc.) and a standard tactics library featuring, e.g. sequent calculus rules and general-purpose automation.
Bellerophon’s strength is in tactics that compose the significant automation provided in its library.
Its weakness is in performing large-scale concrete proofs.
It lacks both the nominals unique to Kaisar and the constructs shared by Isar and Kaisar.
For example, assumptions in Bellerophon are unnamed and referred to by their index or by search, which can become unreadable or brittle at scale.
Our nominal terms relate to nominal differential dynamic logic (Platzer, 2007b) dLh.
In dLh, nominal formulas enable stating and proving theorems about named states.
Our goal differs: we apply named states to simplify proofs of theorems of plain dL.
In our metatheory, dLh formulas provide a clean specification for the nominal terms of Kaisar.
The main hybrid systems verification alternative to theorem proving is model-checking.
Because the uncountable state spaces of hybrid systems do not admit equivalent finite-state abstractions (Henzinger, 1996), model-checking approaches (Frehse, 2005; Frehse et al., 2011; Dreossi, 2017; Henzinger
et al., 1997; Gao
et al., 2013a, b; Chen et al., 2013) must approximate continuous dynamics, whereas dL can reason about exact dynamics.
All of the above have limitations including (1) finite time horizons, (2) compact (and thus bounded) starting regions, (3) discrete notions of time, (4) and/or restriction to linear ODEs.
Restrictions (1) and (2) greatly reduce the scope of safety results, (3) reduces their accuracy and (4) reduces the class of systems considered. In contrast, dL supports unbounded continuous time with non-linear ODEs.
9. Conclusion
To simplify and systematize historical reference for verification of safety-critical CPS, we developed the Kaisar proof language for dL, which introduces nominal terms supported by structured symbolic execution.
Our metatheory shows Kaisar is sound and as expressive as other calculi.
It shows that nominal automation is correct and nominals are the proof-language analog of nominal dL.
In doing so we provide a foundation for ad-hoc historical reference in other provers.
Through our parachute example, we showed that nominals are desirable in CPS practice and that Kaisar proofs can be concise.
We provided empirical support by prototyping Kaisar in KeYmaera X, an implementation which supports the parachute example and other examples of this paper.
For evaluation, we reproduced a series of 5 safety proofs for ground robots (Mitsch
et al., 2013), combining differential invariant reasoning for nonsolvable dynamics with nontrivial arithmetic proofs, for models supporting avoidance of moving obstacles under position and actuator uncertainty.
Appendix A Sequent Calculus for dL
First-Order Rules
[TABLE]
[TABLE]
[TABLE]
Symmetric Program Rules
[TABLE]
[TABLE]
[TABLE]
[TABLE]
[TABLE]
Asymetric Program Rules
[TABLE]
[TABLE]
Appendix B Denotational Semantics
The denotational semantics of dL are given as interpretation functions [\joinrel[θ]\joinrel]ω for terms, [\joinrel[ϕ]\joinrel] for formulas, and [\joinrel[α]\joinrel] for programs.
Terms denote reals, formulas denote sets of states, and programs denote transition relations (i.e. sets of pairs of states).
Term Semantics
[TABLE]
The differential (θ)′ of a term θ is denoted by the total derivative, the sum of all partial derivatives.
Formula Semantics
[TABLE]
Program Semantics
[TABLE]
Appendix C Complete Proof Rules of Kaisar
Pattern-Matching
[TABLE]
[TABLE]
Forward-Chaining Proof
[TABLE]
[TABLE]
[TABLE]
Structural Rules
[TABLE]
[TABLE]
Backward-Chaining First-Order Proof
[TABLE]
[TABLE]
Backward-Chaining Structured Box Execution
[TABLE]
Backward-Chaining Structured Diamond Execution
[TABLE]
Invariant (and Variant) Execution
[TABLE]
[TABLE]
[TABLE]
Implicit Conversion Rules
The implicit conversions leave the proof and history untouched, so we write only their effect on the sequent.
[TABLE]
[TABLE]
[TABLE]
Bibliography84
The reference list from the paper itself. Each links out to its DOI / PubMed record.
1(1)
2Ahrendt et al . (2016) Wolfgang Ahrendt, Bernhard Beckert, Richard Bubel, Reiner Hähnle, Peter H. Schmitt, and Mattias Ulbrich. 2016. Deductive Software Verification - The Ke Y Book . Springer.
3Apt et al . (2010) Krzysztof Apt, Frank S De Boer, and Ernst-Rüdiger Olderog. 2010. Verification of sequential and concurrent programs. (2010).
4Apt et al . (1979) Krzysztof R. Apt, Jan A. Bergstra, and Lambert G. L. T. Meertens. 1979. Recursive Assertions are not enough - or are they? Theor. Comput. Sci. 8 (1979), 73–87. https://doi.org/10.1016/0304-3975(79)90058-6 · doi ↗
5Arnon et al . (1984) Dennis S. Arnon, George E. Collins, and Scott Mc Callum. 1984. Cylindrical Algebraic Decomposition I: The Basic Algorithm. SIAM J. Comput. 13, 4 (Nov. 1984), 865–877. https://doi.org/10.1137/0213054 · doi ↗
6Bancerek et al . (2015) Grzegorz Bancerek, Czeslaw Bylinski, Adam Grabowski, Artur Kornilowicz, Roman Matuszewski, Adam Naumowicz, Karol Pak, and Josef Urban. 2015. Mizar: State-of-the-art and Beyond.. In CICM (Lecture Notes in Computer Science) , Manfred Kerber, Jacques Carette, Cezary Kaliszyk, Florian Rabe, and Volker Sorge (Eds.), Vol. 9150. Springer, 261–279. https://doi.org/10.1007/978-3-319-20615-8 · doi ↗
7Barnett et al . (2005) Mike Barnett, K Rustan M Leino, and Wolfram Schulte. 2005. The Spec { # } Programming System: An Overview . Springer Berlin Heidelberg, Berlin, Heidelberg, 49–69. https://doi.org/10.1007/978-3-540-30569-9_3 · doi ↗
8Barras and Werner (1997) Bruno Barras and Benjamin Werner. 1997. Coq in Coq . Technical Report. INRIA Rocquencourt.