Certifying Differential Equation Solutions from Computer Algebra Systems in Isabelle/HOL Thomas Hickman, Christian Pardillo Laursen, and Simon Foster University of York Abstract. The Isabelle/HOL proof assistant has a powerful library for continuous analysis, which provides the foundation for verification of hybrid systems. However, Isabelle lacks automated proof support for continuous artifacts, which means that verification is often manual. In contrast, Computer Algebra Systems (CAS), such as Mathematica and SageMath, contain a wealth of efficient algorithms for matrices, differen- tial equations, and other related artifacts. Nevertheless, these algorithms are not verified, and thus their outputs cannot, of themselves, be trusted for use in a safety critical system. In this paper we integrate two CAS systems into Isabelle, with the aim of certifying symbolic solutions to or- dinary differential equations. This supports a verification technique that is both automated and trustworthy. 1 Introduction Verification of Cyber-Physical and Autonomous Systems requires that we can verify both discrete control, and continuous evolution, as envisaged by the hy- brid systems domain [1]. Whilst powerful bespoke verification tools exist, such as the KeYmaera X [2] proof assistant, software engineering requires a gen- eral framework, which can support a variety of notations and paradigms [3]. Isabelle/HOL [4] is a such a framework. Its combination of an extensible fron- tend for syntax processing, and a plug-in oriented backend, based in ML, which supports a wealth of heterogeneous semantic models and proof tools, supports a flexible platform for software development, verification, and assurance [5,6,7]. Verification of hybrid systems in Isabelle is supported by several detailed li- braries of Analysis, including Multivariate Analysis [8], Affine Arithmetic [9], and arXiv:2102.02679v1 [cs.LO] 4 Feb 2021 HOL-ODE [10], which supports reasoning for Systems of Ordinary Differential Equations (SODEs). These libraries essentially build all of calculus from the ground up, and thus provide the highest level of rigour. However, Isabelle cur- rently does not offer many automated proof facilities for hybrid systems. KeY- maera X [2], in contrast, is highly automated and thus very usable, even by non-experts. This is partly due to the inclusion of efficient algorithms for dif- ferential equation solving and quantifier elimination, which are both vital tech- niques. Several of these techniques are supported by integration with Computer Algebra Systems (CAS), which support these and several other algorithms, in particular the Wolfram Engine, which is the foundation for Mathematica. Nevertheless, whilst CAS systems are efficient, they do not achieve the same level of rigour as Isabelle, and thus the results cannot be used without care in a high assurance development. In Isabelle, all results are certified using a small kernel against the core axioms of the object logic, following the LCF architecture. The correctness of external tools does not need to be demonstrated, but only that particular results can be certified. This approach has been highly successful, and in particular has allowed the creation of the famous sledgehammer tool [11,12], which soundly integrates external automated theorem proving systems. In this paper, we apply this approach to integration of CAS systems into Isabelle/HOL1. We focus on generation and certification of solutions to SODEs, though our approach is more generally applicable. We integrate two CAS sys- tems: the Wolfram Engine and SageMath, the latter of which is open source. We show how SODEs and their solutions can be described and certified in Isabelle. We then show how we have integrated the two CAS systems, using their APIs, and several new high level Isabelle commands. We evaluate our approach using a large test set of SODEs, including a large fragment of the KeYmaera X example library. Our approach is largely successful, but we highlight some future work for improving the certification proof process in Isabelle. The structure of our paper is as follows. In §2, we highlight related work and necessary context. In §3, we describe our tactic for certification of SODEs. In §4 and §5, we present our integrations with SageMath and Wolfram, respectively. In §6, we evaluate our approach using our test set, and in §7 we conclude. 2 Background The dominant approach for CPS verification is differential dynamic logic (dL), a proof calculus for reasoning about hybrid programs [13]. Hybrid programs allow modelling of hybrid systems by providing operators for discrete transitions, such as assignment and nondeterministic composition, together with modelling dynamics via continuous evolution of a SODE. The most advanced tool for deductive verification of hybrid systems is KeY- maera X [2], a theorem prover for dL. Its capabilities have been shown in numer- ous case studies, such as in [14] for verifying various classes of robotic collision- avoidance algorithms, and in [15] for proving that the ACAS X aircraft collision avoidance system provides safe guidance under a set of assumptions. KeYmaera X uses the Wolfram Engine for SODE solving and quantifier elimination. KeYmaera X is, however, restricted to reasoning about dL hybrid programs, and cannot be applied directly to other notations. In particular, we cannot show that a controller specification is refined by a given implementation in a language like C [16], although tools such as VeriPhy [17] and ModelPlex [18] somewhat bridge this gap. It also cannot handle transcendental functions, such as sin and log, which are often used by control engineers. 1 The code supporting our approach can be found in the following GitHub repository: https://github.com/ThomasHickman/Isabelle-CAS-Integration dL has also been implemented [19,20,21] in the Isabelle proof assistant [4], as both a deep [19] and shallow embedding [20,21]. Verification in Isabelle brings the advantage of generality, whereby the hybrid systems proof could be used to show correctness of an implementation [16], or used in a larger proof about a complex system. It also allows integration with several notations in a single development, which is the goal of our target verification framework, Isabelle/UTP [22]. A present disadvantage of Isabelle is the lack of automated proof, in compar- ison to KeYmaera X. Consequently, our goal is to improve automation by safe integration of a CAS. Mathematica has previously been integrated into Isabelle for quantifier elimination problems over univariate polynomials [23]. Here, we integrate two CAS systems for the purpose of certifying SODE solutions. Plugins in Isabelle, like our CAS integration, are written using the ML lan- guage, and manipulate terms of the logic. Terms are used to encode a typed λ-calculus, and are encoded using the following ML data type. datatype term = Const of string * typ | Free of string * typ | Var of indexname * typ | Bound of int | Abs of string * typ * term | $ of term * term The type typ describes Isabelle types. The basic constructors include constants (Const), free variables (Var), schematic variables (Var), and bound variables (Bound) with de Bruijn indices. With the exception of Bound, these all consist of a name and a type. The remaining two constructors represent λ-abstractions and applications of one term to another. For example, the term λx y : R: x + y, a function that adds together two real numbers, is represented as follows: Abs ("x", "real", Abs ("y", "real", Const ("Groups.plus_class.plus", "real => real => real") $ Bound 1 $ Bound 0)) As usual, λx y: e is syntactic sugar for λx.λy: e. Predefined functions, such as +, are represented by constant terms are are fully qualified. Our CAS plugin takes as input a SODE encoded as a term, which it turns into input for a CAS. The CAS returns a solution in its own internal representation, if one exists, and this is turned into another Isabelle term, and certification of the solution is attempted. Our approach builds on both on Immler's library for representing SODEs and their solutions [10,9](HOL-ODE). In the next section we describe the approach for SODE certification. 3 Certifying SODE Solutions In this section we describe how SODE solutions can be certified using our ode_cert proof tactic. We assume a SODE of the formx _(t) = f t (x t), de- scribed by a function f : R ! Rn ! Rn, which gives a vector of derivatives for each continuous variable at time t and current state x t. A candidate solution to this SODE is a function x : R ! Rn, which can potentially have a restricted domain T ⊆ R and range D ⊆ Rn. For example, consider the following SODE: Fig. 1. SODE representation in Isabelle Example 1. (_x(t); y_(t); z_(t)) = (t; x(t); 1) It has three continuous variables, and can be represented with the function g , (λ t (x; y; z): (t; x; 1) whose type is R ! R3 ! R3. Its representation in Isabelle is shown in Figure1, where a name is introduced for it by an abbreviation. The goal of the ode cert tactic, then, is to prove conjectures of the form x solves-ode f T D which specifies that x is indeed a solution to f, and is defined within the HOL- ODE package [10]. It requires that we solve the following two predicates: (8t 2 T: (x has-vector-derivative (f t (x t)) (at t within T ))) and x 2 T ! D We need to show that at every t in the domain, the derivative of x matches the one predicted by f, and that x has the correct domain and range. The predicate has-vector-derivative is defined within the HOL-Analysis package [8], which also provides a large library of differentiation theorems. For brevity, we use the syntax 0 0 f B f [t 2 T ] to mean (f has-vector-derivative f )(at t within T ). Theorem 1 (Derivative Introduction Theorems).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages16 Page
-
File Size-