Embed Size (px)
Citation preview
CoasterX: A Case Study in Component-DrivenHybrid Systems Proof Automation
Based on ADHS ’18 [BLCP18]
Brandon Bohrer(joint work with Adriel Luo, Xuean Chuang, Andre Platzer)
Logical Systems LabComputer Science DepartmentCarnegie Mellon University
Speaking Skills, Mar 26 2018
1 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
2 / 49
Roller Coasters are Safety-Critical Systems
Top Thrill Steel Phantom Mindbender
Joker’s Jinx Phantom’s Revenge Fujin Raijin II
Rollback Head Injury Derailment
[BLCP18]
3 / 49
Formal Proofs in dL Ensure Safe Designs
Top Thrill Steel Phantom Mindbender
Rollback Head Injury Derailment
[BLCP18]
⇓Pre→ [phys]Post
Identify:
• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)
Verify physical environment design phys ({x ′ = . . . , y ′ = . . .})
4 / 49
Formal Proofs in dL Ensure Safe Designs
Top Thrill Steel Phantom Mindbender
Rollback Head Injury Derailment
[BLCP18]
⇓Pre→ [phys]Post
Identify:
• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)
Verify physical environment design phys ({x ′ = . . . , y ′ = . . .})
4 / 49
Formal Proofs in dL Ensure Safe Designs
Top Thrill Steel Phantom Mindbender
Rollback Head Injury Derailment
[BLCP18]
⇓Pre→ [phys]Post
Identify:
• Notion of safety Post (acc < acchi)
• Safe conditions Pre (v = v0)
Verify physical environment design phys ({x ′ = . . . , y ′ = . . .})
4 / 49
Design Verification SupplementsSimulation
Simulations typically used today [XXLY12, Wei15]
Approach Pro Con
Simulate Rich dynamics, easy Low rigor+precisionVerify High rigor+precision Simple dynamics, hard
5 / 49
Verifying Physical Designs is a Challenge
• How do we verify models at scale?
• How do we make verification accessible to non-experts?
6 / 49
Verifying Environment Designs isImportant
⇓
7 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
8 / 49
Component-Driven Proof AutomationEnables Design Verification
GUI BuilderCoasterXBackend
KeYmaera XProver Core(1700 Lines)[FMQ+15]
Componentmodel
dL fml.
dL pf.
Goal Solution
Accessible High-level graphical modeling
Rigorous Formal proof checked by small prover coreScalable Proof scales by exploiting component structure
9 / 49
Component-Driven Proof AutomationEnables Design Verification
GUI BuilderCoasterXBackend
KeYmaera XProver Core(1700 Lines)[FMQ+15]
Componentmodel
dL fml.
dL pf.
Goal Solution
Accessible High-level graphical modelingRigorous Formal proof checked by small prover core
Scalable Proof scales by exploiting component structure
9 / 49
Component-Driven Proof AutomationEnables Design Verification
GUI BuilderCoasterXBackend
KeYmaera XProver Core(1700 Lines)[FMQ+15]
Componentmodel
dL fml.
dL pf.
Goal Solution
Accessible High-level graphical modelingRigorous Formal proof checked by small prover coreScalable Proof scales by exploiting component structure
9 / 49
Track Sections are Components forCoasters
Generic Component
ww�
Automatic Composition
10 / 49
Track Sections are Components forCoasters
Generic Componentww�
Automatic Composition
10 / 49
Track Sections are Components forCoasters
Generic Componentww�
Automatic Composition
11 / 49
Track Sections are Components forCoasters
Generic Componentww�
Automatic Composition
12 / 49
Track Sections are Components forCoasters
Generic Componentww�
Automatic Composition
13 / 49
Track Sections are Components forCoasters
Generic Componentww�
Automatic Composition
14 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
15 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
16 / 49
Background: dL Formulas
P,Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | 〈α〉P
Example: Pre→ [phys]Post
Construct Meaning
P ∧ Q, ¬P Classical propositional connectives
∀x P,∃x P First-order real quantifiersθ1 ≥ θ2 Real arithmetic comparisons[α]P After α runs, P always holds〈α〉P After α runs, P sometimes holds
17 / 49
Background: dL Formulas
P,Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | 〈α〉P
Example: Pre→ [phys]Post
Construct Meaning
P ∧ Q, ¬P Classical propositional connectives∀x P,∃x P First-order real quantifiersθ1 ≥ θ2 Real arithmetic comparisons
[α]P After α runs, P always holds〈α〉P After α runs, P sometimes holds
17 / 49
Background: dL Formulas
P,Q ::= P ∧ Q | ¬P | ∀xP | ∃xP | θ1 ≥ θ2 | [α]P | 〈α〉P
Example: Pre→ [phys]Post
Construct Meaning
P ∧ Q, ¬P Classical propositional connectives∀x P,∃x P First-order real quantifiersθ1 ≥ θ2 Real arithmetic comparisons[α]P After α runs, P always holds〈α〉P After α runs, P sometimes holds
17 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else fail
x := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x
{x ′ = θ & P} Evolve x at continuous rate θEvolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuously
P must also hold initially (like ?P)α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministically
α;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting state
α∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Background: Hybrid Programs
α, β ::= ?P | x := θ | {x ′ = θ & P} | α ∪ β | α;β | α∗
Construct Meaning
?P Assert formula P, else failx := θ Assign value of term θ to x{x ′ = θ & P} Evolve x at continuous rate θ
Evolution domain constraint P asserted continuouslyP must also hold initially (like ?P)
α ∪ β Choose either α or β nondeterministicallyα;β First α then β in any resulting stateα∗ Loop α nondeterministically n ≥ 0 times
18 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
19 / 49
Velocity and Acceleration Bounds areFundamental
Rollback Head Injury Derailment0 < vlo ≤ v |a| ≤ ahi |a| ≤ ahi
[AST17]
20 / 49
Tracks are 2D
• 2D modeling greatly simplifies GUI
• Vertical and horizontal bounds only (no lateral bound)
• Ignores banking, wind, roll resistance (1-2%)
⇒
21 / 49
Acceleration Bound is Conservative
Top Thrill Steel Phantom Mindbender
Joker’s Jinx Phantom’s Revenge Fujin Raijin II
Rollback Head Injury Derailment
(>) (<) (<)
22 / 49
Conservative Bound Suffices for Phantom
Top Thrill Steel Phantom Mindbender
Joker’s Jinx Phantom’s Revenge Fujin Raijin II
Rollback Head Injury Derailment
(>) (<) (<)
23 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
24 / 49
Example
phys ≡ {{x′ =√2/2 v, y′ =
√2/2 v, v′ = −
√2/2 g & 0 ≤ x ≤ 100}
∪ {x ′ = dx v , y ′ = dy , v ′ = −dy g , dx ′ = −dy v/100√
2,
dy ′ = dx v/100√
2 & 100 ≤ x ≤ 200}∪ {x ′ =
√2/2 v , y ′ = −
√2/2 v , v ′ =
√2/2 g & 200 ≤ x ≤ 300}}∗
25 / 49
Example
phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗
26 / 49
Example
phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗
27 / 49
Example
phys ≡ {{Line(. . .) & 0 ≤ x ≤ 100}∪ {Arc(. . .) & 100 ≤ x ≤ 200}∪ {Line(. . .) & 200 ≤ x ≤ 300}}∗
28 / 49
Individual Components are Modeled asODEs
Line Segment:
Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g
& InBounds(x1, x2, y1, y2)}
Arc Segment:
Arcdef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g ,
dx ′ = −dy · v/r , dy ′ = dx · v/r& InBounds(x1, x2, y1, y2)}
29 / 49
Individual Components are Modeled asODEs
Line Segment:
Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g
& InBounds(x1, x2, y1, y2)}Arc Segment:
Arcdef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g ,
dx ′ = −dy · v/r , dy ′ = dx · v/r& InBounds(x1, x2, y1, y2)}
29 / 49
Concrete Parameters are Plugged in FromGUI
Line Segment:
Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g
& InBounds(x1, x2, y1, y2)}
⇓Subst
Line(1, 0, . . .)def≡ {x ′ = v · 1, y ′ = v · 0, v ′ = −0 · g
& InBounds(0, 100, 200, 200)}
30 / 49
Concrete Parameters are Plugged in FromGUI
Line Segment:
Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g
& InBounds(x1, x2, y1, y2)}
⇓Subst
Line(1, 0, . . .)def≡ {x ′ = v · 1, y ′ = v · 0, v ′ = −0 · g
& InBounds(0, 100, 200, 200)}
30 / 49
Composition is Modeled with DiscretePrograms
Let track sections seci be component instances:
secidef≡ Line(argsi ) or Arc(argsi )
and system model α:
physdef≡ (sec1 ∪ · · · ∪ secn)∗
31 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
32 / 49
Components Verified with Invariants andSolving
• Straight line is solvable, thus decidable.
• Arc needs invariant (energy conservation), proved manually:
E = E0 ∧OnTrack→ [Arc] (E = E0 ∧OnTrack)
• Even for straight line, manual proof more performant
33 / 49
Instantiation is Verified by Substitution
• Conceptually simple step
• Greatly improves performance (20x in some cases)
Linedef≡ {x ′ = v · dx , y ′ = v · dy , v ′ = −dy · g
& InBounds(x1, x2, y1, y2)}
⇓Subst
Line(1, 0, . . .)def≡ {x ′ = v · 1, y ′ = v · 0, v ′ = −0 · g
& InBounds(0, 100, 200, 200)}
34 / 49
Composition is Verified byContract-Checking
• At boundary, invariants for both sections hold• Checked with arithmetic solving + custom automation
Example:J1 ≡ (x = y)
J2 ≡(y2 + (x − 200)2 = 1002
)
35 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
36 / 49
We Modeled 6 Real Coasters
Top Thrill Steel Phantom Backyard
El Toro Phantom’s Revenge Lil’ Phantom
37 / 49
Analysis Distinguished Safe and UnsafeAcceleration
Top Thrill Steel Phantom (6.5g) Backyard
El Toro Phantom’s Revenge (3.5g) Lil’ Phantom
38 / 49
This is the Largest dL Model Ever
Stats:CoasterX Max Previous Max (Est.)
Vars 256 > 27Components 56 > 3
Fml size 52KB > 6.5KBProof Steps 20M (29K w/ reuse) > 100K
39 / 49
Scalability is Quadratic
37 57 107
192
232
256
0
500
1000
1500
# vars
tim
e(s)
Runtime vs. Problem Size
(on a recent workstation)
40 / 49
Component Verification Cost SometimesMatters
Component Time # StepsLine 140s 900KQ1 Arc 3.1s 9KQ2 Arc 5.1s 14KQ3 Arc 3.6s 10KQ4 Arc 6.3s 17K
Automatic proof (Line) vastly slower than manual proof (Arcs)
41 / 49
Outline
1 Motivation
2 Approach
3 Modeling and VerificationBackground: dLIdentifying AssumptionsFormal SpecificationFormal Verification
4 Evaluation
5 Future Work and Conclusion
42 / 49
Advanced Dynamical Models AnswerDeeper Questions
Acceleration|a| ≤ ahi
⇒
Rollback0 < vlo ≤ v
Stuck0 < vlo ≤ v
Friction Wind
43 / 49
Advanced Dynamical Models AnswerDeeper Questions
Acceleration|a| ≤ ahi
⇒
Rollback0 < vlo ≤ v
Stuck0 < vlo ≤ v
Friction Wind
43 / 49
Advanced 3D Design
2DBuild Detect Simulate
⇓
3D
3D Modeling support enables lateral bounds and banking support
44 / 49
Rich Contracts Enable High-ImpactDomains
• Transit networks: Contracts at intersections/switches
• Flight plans: Contracts at crossing points
Rail Road UAV
45 / 49
Coasters Support Pedagogical Mission
• 15-424 CPS Foundations: Fun applications motivate students
• Course feeds into undergraduate research
• Initial stages were Adriel + Xuean’s 15-424 course project
GPWS Chute Pong
Coaster Chess Baseball
46 / 49
Questions?
Top Thrill Steel Phantom Backyard
El Toro Phantom’s Revenge Lil’ Phantom
47 / 49
References I
ASTM, Standard Practice for Design of Amusement Rides andDevices, Standard, ASTM International, Sep 2017.
Brandon Bohrer, Adriel Luo, Xuean Chuang, and AndrePlatzer, CoasterX: A case study in component-driven hybridsystems proof automation, IFAC, 2018.
Nathan Fulton, Stefan Mitsch, Jan-David Quesel, MarcusVolp, and Andre Platzer, KeYmaera X: An axiomatic tacticaltheorem prover for hybrid systems, CADE (Amy Felty and AartMiddeldorp, eds.), LNCS, vol. 9195, Springer, 2015,pp. 527–538.
Nick Weisenberger, Coasters 101: An engineer’s guide to rollercoaster design, 2015.
48 / 49
References II
Gening Xu, Hujun Xin, Fengyi Lu, and Mingliang Yang,Kinematics and dynamics simulation research for roller coastermulti-body system, Advanced Materials Research, vol. 421,Trans Tech Publications, 2012, pp. 276–280.
49 / 49
