Skip to main content

Pegasus: A Framework for Sound Continuous Invariant Generation

  • Conference paper
  • First Online:
Formal Methods – The Next 30 Years (FM 2019)

Abstract

Continuous invariants are an important component in deductive verification of hybrid and continuous systems. Just like discrete invariants are used to reason about correctness in discrete systems without unrolling their loops forever, continuous invariants are used to reason about differential equations without having to solve them. Automatic generation of continuous invariants remains one of the biggest practical challenges to automation of formal proofs of safety in hybrid systems. There are at present many disparate methods available for generating continuous invariants; however, this wealth of diverse techniques presents a number of challenges, with different methods having different strengths and weaknesses. To address some of these challenges, we develop Pegasus: an automatic continuous invariant generator which allows for combinations of various methods, and integrate it with the KeYmaera X theorem prover for hybrid systems. We describe some of the architectural aspects of this integration, comment on its methods and challenges, and present an experimental evaluation on a suite of benchmarks.

This material is based upon work supported by the National Science Foundation under Award CNS-1739629 and under Graduate Research Fellowship Grant No. DGE-1252522, by AFOSR under grant number FA9550-16-1-0288, and by the Alexander von Humboldt Foundation. The third author was supported by A\(^*\)STAR, Singapore. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of any sponsoring institution, the U.S. government or any other entity.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    An etymological note on naming conventions. The KeY [3] prover provided the foundation for developing KeYmaera [37], an interactive theorem prover for hybrid systems. The name KeYmaera was a pun on Chimera, a hybrid monster from Classical Greek mythology. The tactic language of the new KeYmaera X prover [15] is called Bellerophon [14] after the hero who defeats the Chimera in the myth. In keeping with an established tradition, the invariant generation framework is called Pegasus because the aid of this winged horse was crucial to Bellerophon in his feat.

  2. 2.

    Evolution domain constraints are also called mode invariants in the context of hybrid automata. We avoid this name to prevent confusion with generated invariants.

  3. 3.

    Unfortunately, reachable sets rarely have a simple description as semi-algebraic sets.

  4. 4.

    Quantifier elimination algorithms used in practice have doubly-exponential time complexity in the number of variables [43]. Template enumeration introduces a fresh variable per monomial coefficient, so the approach quickly hits scalability barriers.

  5. 5.

    Pegasus (http://pegasus.keymaeraX.org/) is linked to KeYmaera X through the Mathematica interface of KeYmaera X, which translates between the internal data structures of the prover core and the Mathematica data structures.

  6. 6.

    Naturally, the output from Pegasus can also be checked using a trusted implementation of the LZZ decision procedure before anything is returned. When used with KeYmaera X, though, this additional (soundness-critical) check is unnecessary.

  7. 7.

    Pegasus analyses problems according to variable dependencies present in their differential equations [36]. For \(x_1'=x_1, x_2'= x_1 + x_2\), for example, Pegasus first searches for invariants involving only \(x_1\), before searching for those involving both \(x_1\) and \(x_2\).

  8. 8.

    For this high-dimensional (9D) problem, differential saturation runs out of time trying qualitative analysis methods before attempting to find first integrals.

References

  1. Alur, R., Henzinger, T.A., Lafferriere, G., Pappas, G.J.: Discrete abstractions of hybrid systems. Proc. IEEE 88(7), 971–984 (2000). https://doi.org/10.1109/5.871304

    Article  Google Scholar 

  2. Arrowsmith, D., Place, C.M.: Dynamical Systems: Differential Equations, Maps, and Chaotic Behaviour, vol. 5. CRC Press, Boca Raton (1992)

    Book  Google Scholar 

  3. Beckert, B., et al.: The KeY system 1.0 (deduction component). In: Pfenning, F. (ed.) CADE 2007. LNCS (LNAI), vol. 4603, pp. 379–384. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73595-3_26

    Chapter  Google Scholar 

  4. Sassi, M.A.B., Girard, A., Sankaranarayanan, S.: Iterative computation of polyhedral invariants sets for polynomial dynamical systems. In: CDC 2014, pp. 6348–6353. IEEE (2014). https://doi.org/10.1109/CDC.2014.7040384

  5. Böhme, S., Weber, T.: Fast LCF-style proof reconstruction for Z3. In: Kaufmann, M., Paulson, L.C. (eds.) ITP 2010. LNCS, vol. 6172, pp. 179–194. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14052-5_14

    Chapter  Google Scholar 

  6. Bohrer, B., Tan, Y.K., Mitsch, S., Myreen, M.O., Platzer, A.: VeriPhy: verified controller executables from verified cyber-physical system models. In: Foster, J.S., Grossman, D. (eds.) PLDI 2018, pp. 617–630. ACM (2018). https://doi.org/10.1145/3192366.3192406

  7. Chen, M., et al.: MARS: a toolchain for modelling, analysis and verification of hybrid systems. In: Hinchey, M.G., Bowen, J.P., Olderog, E.-R. (eds.) Provably Correct Systems. NMSSE 2017, pp. 39–58. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-48628-4_3

  8. Collins, G.E.: Quantifier elimination for real closed fields by cylindrical algebraic decompostion. In: Brakhage, H. (ed.) GI-Fachtagung 1975. LNCS, vol. 33, pp. 134–183. Springer, Heidelberg (1975). https://doi.org/10.1007/3-540-07407-4_17

    Chapter  Google Scholar 

  9. Cox, D.A., Little, J., O’Shea, D.: Ideals, Varieties, and Algorithms. UTM 2015. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-16721-3

  10. Dai, L., Gan, T., Xia, B., Zhan, N.: Barrier certificates revisited. J. Symb. Comput. 80, 62–86 (2017). https://doi.org/10.1016/j.jsc.2016.07.010

    Article  MathSciNet  MATH  Google Scholar 

  11. Darboux, J.G.: Mémoire sur les équations différentielles algébriques du premier ordre et du premier degré. Bull. Sci. Math. 2(1), 151–200 (1878)

    MATH  Google Scholar 

  12. Denman, W., Muñoz, C.: Automated real proving in PVS via MetiTarski. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014. LNCS, vol. 8442, pp. 194–199. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-06410-9_14

    Chapter  Google Scholar 

  13. Frehse, G., et al.: SpaceEx: scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 379–395. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_30

    Chapter  Google Scholar 

  14. Fulton, N., Mitsch, S., Bohrer, B., Platzer, A.: Bellerophon: tactical theorem proving for hybrid systems. In: Ayala-Rincón, M., Muñoz, C.A. (eds.) ITP 2017. LNCS, vol. 10499, pp. 207–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66107-0_14

    Chapter  MATH  Google Scholar 

  15. Fulton, N., Mitsch, S., Quesel, J.-D., Völp, M., Platzer, A.: KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 527–538. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_36

    Chapter  Google Scholar 

  16. Gan, T., Chen, M., Li, Y., Xia, B., Zhan, N.: Reachability analysis for solvable dynamical systems. IEEE Trans. Autom. Control 63(7), 2003–2018 (2018). https://doi.org/10.1109/TAC.2017.2763785

    Article  MathSciNet  MATH  Google Scholar 

  17. Ghorbal, K., Platzer, A.: Characterizing algebraic invariants by differential radical invariants. In: Ábrahám, E., Havelund, K. (eds.) TACAS 2014. LNCS, vol. 8413, pp. 279–294. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-54862-8_19

    Chapter  Google Scholar 

  18. Ghorbal, K., Sogokon, A., Platzer, A.: A hierarchy of proof rules for checking positive invariance of algebraic and semi-algebraic sets. Comput. Lang. Syst. Struct. 47, 19–43 (2017). https://doi.org/10.1016/j.cl.2015.11.003

    Article  MATH  Google Scholar 

  19. Goriely, A.: Integrability and Nonintegrability of Dynamical Systems. World Scientific, Hackensack (2001). https://doi.org/10.1142/3846

    Book  MATH  Google Scholar 

  20. Gulwani, S., Tiwari, A.: Constraint-based approach for analysis of hybrid systems. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 190–203. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70545-1_18

    Chapter  Google Scholar 

  21. Herbrand, J.: Recherches sur la théorie de la démonstration. Ph.D. thesis, Université de Paris, Faculté des Sciences (1930)

    Google Scholar 

  22. Immler, F., et al.: ARCH-COMP18 category report: continuous and hybrid systems with nonlinear dynamics. In: Frehse, G., Althoff, M., Bogomolov, S., Johnson, T.T. (eds.) ARCH 2018. EPiC Series in Computing, vol. 54, pp. 53–70. EasyChair (2018)

    Google Scholar 

  23. Kapinski, J., Deshmukh, J.V., Sankaranarayanan, S., Arechiga, N.: Simulation-guided Lyapunov analysis for hybrid dynamical systems. In: Fränzle, M., Lygeros, J. (eds.) HSCC 2014, pp. 133–142. ACM (2014). https://doi.org/10.1145/2562059.2562139

  24. Kong, H., Bogomolov, S., Schilling, C., Jiang, Y., Henzinger, T.A.: Safety verification of nonlinear hybrid systems based on invariant clusters. In: Frehse, G., Mitra, S. (eds.) HSCC 2017, pp. 163–172. ACM (2017). https://doi.org/10.1145/3049797.3049814

  25. Kong, H., He, F., Song, X., Hung, W.N.N., Gu, M.: Exponential-Condition-based barrier certificate generation for safety verification of hybrid systems. In: Sharygina, N., Veith, H. (eds.) CAV 2013. LNCS, vol. 8044, pp. 242–257. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39799-8_17

    Chapter  Google Scholar 

  26. Lafferriere, G., Pappas, G.J., Yovine, S.: Symbolic reachability computation for families of linear vector fields. J. Symb. Comput. 32(3), 231–253 (2001). https://doi.org/10.1006/jsco.2001.0472

    Article  MathSciNet  MATH  Google Scholar 

  27. Li, W., Passmore, G.O., Paulson, L.C.: Deciding univariate polynomial problems using untrusted certificates in Isabelle/HOL. J. Autom. Reasoning 62(1), 69–91 (2019). https://doi.org/10.1007/s10817-017-9424-6

    Article  MathSciNet  MATH  Google Scholar 

  28. Liu, J., et al.: A calculus for hybrid CSP. In: Ueda, K. (ed.) APLAS 2010. LNCS, vol. 6461, pp. 1–15. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-17164-2_1

    Chapter  Google Scholar 

  29. Liu, J., Zhan, N., Zhao, H.: Computing semi-algebraic invariants for polynomial dynamical systems. In: Chakraborty, S., Jerraya, A., Baruah, S.K., Fischmeister, S. (eds.) EMSOFT 2011, pp. 97–106. ACM (2011). https://doi.org/10.1145/2038642.2038659

  30. Loeser, T., Iwasaki, Y., Fikes, R.: Safety verification proofs for physical systems. In: Proceedings of the 12th International Workshop on Qualitative Reasoning, pp. 88–95 (1998)

    Google Scholar 

  31. Man, Y.: Computing closed form solutions of first order ODEs using the Prelle-Singer procedure. J. Symb. Comput. 16(5), 423–443 (1993). https://doi.org/10.1006/jsco.1993.1057

    Article  MathSciNet  MATH  Google Scholar 

  32. Mishra, B.: Algorithmic Algebra. Springer, Cham (1993). https://doi.org/10.1007/978-1-4612-4344-1

    Book  MATH  Google Scholar 

  33. Mitsch, S., Platzer, A.: ModelPlex: verified runtime validation of verified cyber-physical system models. Formal Methods Syst. Des. 49(1–2), 33–74 (2016). https://doi.org/10.1007/s10703-016-0241-z

    Article  MATH  Google Scholar 

  34. Platzer, A.: Differential dynamic logic for hybrid systems. J. Autom. Reasoning 41(2), 143–189 (2008)

    Article  MathSciNet  Google Scholar 

  35. Platzer, A.: The complete proof theory of hybrid systems. In: LICS 2012, pp. 541–550. IEEE (2012). https://doi.org/10.1109/LICS.2012.64

  36. Platzer, A., Clarke, E.M.: Computing differential invariants of hybrid systems as fixedpoints. Formal Methods Syst. Des. 35(1), 98–120 (2009). https://doi.org/10.1007/s10703-009-0079-8

    Article  MATH  Google Scholar 

  37. Platzer, A., Quesel, J.-D.: KeYmaera: a hybrid theorem prover for hybrid systems (system description). In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 171–178. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71070-7_15

    Chapter  Google Scholar 

  38. Platzer, A., Quesel, J.-D., Rümmer, P.: Real world verification. In: Schmidt, R.A. (ed.) CADE 2009. LNCS (LNAI), vol. 5663, pp. 485–501. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02959-2_35

    Chapter  Google Scholar 

  39. Platzer, A., Tan, Y.K.: Differential equation axiomatization: the impressive power of differential ghosts. In: Dawar, A., Grädel, E. (eds.) LICS 2018, pp. 819–828. ACM (2018). https://doi.org/10.1145/3209108.3209147

  40. Prajna, S., Jadbabaie, A.: Safety verification of hybrid systems using barrier certificates. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 477–492. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24743-2_32

    Chapter  MATH  Google Scholar 

  41. Prelle, M.J., Singer, M.F.: Elementary first integrals of differential equations. Trans. Am. Math. Soc. 279(1), 215–229 (1983)

    Article  MathSciNet  Google Scholar 

  42. Rebiha, R., Moura, A.V., Matringe, N.: Generating invariants for non-linear hybrid systems. Theor. Comput. Sci. 594, 180–200 (2015). https://doi.org/10.1016/j.tcs.2015.06.018

    Article  MathSciNet  MATH  Google Scholar 

  43. Renegar, J.: Recent progress on the complexity of the decision problem for the reals. In: Goodman, J.E., Pollack, R., Steiger, W. (eds.) Discrete and Computational Geometry: Papers from the DIMACS Special Year, vol. 6, pp. 287–308. DIMACS/AMS (1990)

    Google Scholar 

  44. Rodríguez-Carbonell, E., Tiwari, A.: Generating polynomial invariants for hybrid systems. In: Morari, M., Thiele, L. (eds.) HSCC 2005. LNCS, vol. 3414, pp. 590–605. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-31954-2_38

    Chapter  MATH  Google Scholar 

  45. Rouche, N., Habets, P., Laloy, M.: Stability Theory by Liapunov’s Direct Method. Applied Mathematical Sciences. Springer, Heidelberg (1977). https://doi.org/10.1007/978-1-4684-9362-7

    Book  MATH  Google Scholar 

  46. Roux, P., Voronin, Y., Sankaranarayanan, S.: Validating numerical semidefinite programming solvers for polynomial invariants. Formal Methods Syst. Des. 53(2), 286–312 (2018). https://doi.org/10.1007/s10703-017-0302-y

    Article  MATH  Google Scholar 

  47. Roy, M.F.: Basic algorithms in real algebraic geometry and their complexity: from Sturm’s theorem to the existential theory of reals. De Gruyter Expositions Math. 23, 1–67 (1996)

    MathSciNet  MATH  Google Scholar 

  48. Sankaranarayanan, S.: Automatic invariant generation for hybrid systems using ideal fixed points. In: Johansson, K.H., Yi, W. (eds.) HSCC 2010, pp. 221–230. ACM (2010). https://doi.org/10.1145/1755952.1755984

  49. Sankaranarayanan, S., Sipma, H.B., Manna, Z.: Constructing invariants for hybrid systems. Formal Methods Syst. Des. 32(1), 25–55 (2008). https://doi.org/10.1007/s10703-007-0046-1

    Article  MATH  Google Scholar 

  50. Shults, B., Kuipers, B.: Proving properties of continuous systems: qualitative simulation and temporal logic. Artif. Intell. 92(1–2), 91–129 (1997). https://doi.org/10.1016/S0004-3702(96)00050-1

    Article  MathSciNet  MATH  Google Scholar 

  51. Sogokon, A., Ghorbal, K., Jackson, P.B., Platzer, A.: A method for invariant generation for polynomial continuous systems. In: Jobstmann, B., Leino, K.R.M. (eds.) VMCAI 2016. LNCS, vol. 9583, pp. 268–288. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49122-5_13

    Chapter  Google Scholar 

  52. Sogokon, A., Ghorbal, K., Johnson, T.T.: Non-linear continuous systems for safety verification. In: Frehse, G., Althoff, M. (eds.) ARCH 2016. EPiC Series in Computing, vol. 43, pp. 42–51. EasyChair (2016)

    Google Scholar 

  53. Sogokon, A., Ghorbal, K., Tan, Y.K., Platzer, A.: Vector barrier certificates and comparison systems. In: Havelund, K., Peleska, J., Roscoe, B., de Vink, E. (eds.) FM 2018. LNCS, vol. 10951, pp. 418–437. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-95582-7_25

    Chapter  Google Scholar 

  54. Strogatz, S.H.: Nonlinear Dynamics And Chaos. Studies in Nonlinearity. Westview Press, Boulder (2001)

    Google Scholar 

  55. Sturm, T., Tiwari, A.: Verification and synthesis using real quantifier elimination. In: Schost, É., Emiris, I.Z. (eds.) ISSAC 2011, pp. 329–336. ACM (2011). https://doi.org/10.1145/1993886.1993935

  56. Tiwari, A.: Approximate reachability for linear systems. In: Maler, O., Pnueli, A. (eds.) HSCC 2003. LNCS, vol. 2623, pp. 514–525. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36580-X_37

    Chapter  MATH  Google Scholar 

  57. Tiwari, A.: Abstractions for hybrid systems. Formal Methods Syst. Des. 32(1), 57–83 (2008). https://doi.org/10.1007/s10703-007-0044-3

    Article  MATH  Google Scholar 

  58. Tiwari, A.: Generating box invariants. In: Egerstedt, M., Mishra, B. (eds.) HSCC 2008. LNCS, vol. 4981, pp. 658–661. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78929-1_58

    Chapter  Google Scholar 

  59. Tiwari, A., Khanna, G.: Series of abstractions for hybrid automata. In: Tomlin, C.J., Greenstreet, M.R. (eds.) HSCC 2002. LNCS, vol. 2289, pp. 465–478. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45873-5_36

    Chapter  MATH  Google Scholar 

  60. Tiwari, A., Khanna, G.: Nonlinear systems: approximating reach sets. In: Alur, R., Pappas, G.J. (eds.) HSCC 2004. LNCS, vol. 2993, pp. 600–614. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24743-2_40

    Chapter  MATH  Google Scholar 

  61. Wang, S., Zhan, N., Zou, L.: An improved HHL prover: an interactive theorem prover for hybrid systems. In: Butler, M., Conchon, S., Zaïdi, F. (eds.) ICFEM 2015. LNCS, vol. 9407, pp. 382–399. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-25423-4_25

    Chapter  Google Scholar 

  62. Weber, T.: Integrating a SAT solver with an LCF-style theorem prover. Electron. Notes Theor. Comput. Sci. 144(2), 67–78 (2006). https://doi.org/10.1016/j.entcs.2005.12.007

    Article  MATH  Google Scholar 

  63. Weber, T.: SMT solvers: new oracles for the HOL theorem prover. STTT 13(5), 419–429 (2011). https://doi.org/10.1007/s10009-011-0188-8

    Article  Google Scholar 

  64. Yang, Z., Huang, C., Chen, X., Lin, W., Liu, Z.: A linear programming relaxation based approach for generating barrier certificates of hybrid systems. In: Fitzgerald, J., Heitmeyer, C., Gnesi, S., Philippou, A. (eds.) FM 2016. LNCS, vol. 9995, pp. 721–738. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-48989-6_44

    Chapter  Google Scholar 

  65. Zaki, M.H., Denman, W., Tahar, S., Bois, G.: Integrating abstraction techniques for formal verification of analog designs. J. Aeros. Comp. Inf. Com. 6(5), 373–392 (2009). https://doi.org/10.2514/1.44289

    Article  Google Scholar 

  66. Zhao, F.: Extracting and representing qualitative behaviors of complex systems in phase space. Artif. Intell. 69(1–2), 51–92 (1994). https://doi.org/10.1016/0004-3702(94)90078-7

    Article  MathSciNet  MATH  Google Scholar 

Download references

Acknowledgements

The authors would like to thank the anonymous reviewers for their feedback.

Author information

Authors and Affiliations

Authors

Corresponding authors

Correspondence to Andrew Sogokon , Stefan Mitsch , Yong Kiam Tan , Katherine Cordwell or André Platzer .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2019 Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Sogokon, A., Mitsch, S., Tan, Y.K., Cordwell, K., Platzer, A. (2019). Pegasus: A Framework for Sound Continuous Invariant Generation. In: ter Beek, M., McIver, A., Oliveira, J. (eds) Formal Methods – The Next 30 Years. FM 2019. Lecture Notes in Computer Science(), vol 11800. Springer, Cham. https://doi.org/10.1007/978-3-030-30942-8_10

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-30942-8_10

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-30941-1

  • Online ISBN: 978-3-030-30942-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics