A Retrospective on Developing Hybrid System Provers in the KeYmaera Family

A Tale of Three Provers

Part of the book series: Lecture Notes in Computer Science (LNPSE, volume 12345)

Abstract

This chapter provides a retrospective on the developments of three theorem provers for hybrid systems. While all three theorem provers implement closely related logics of the family of differential dynamic logic, they pursue fundamentally different styles of theorem prover implementations. Since the three provers KeYmaera, KeYmaeraD, and KeYmaera X share a common core logic, yet no line of code, and differ vastly in prover implementation technology, their logical proximity yet technical distance enables us to draw conclusions about the various advantages and disadvantages of different prover implementation styles for different purposes, which we hope are of generalizable interest.

This material is based upon work supported by the Air Force Office of Scientific Research under grant numbers FA9550-16-1-0288 and FA9550-18-1-0120. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the United States Air Force.

Notes

  1. versions 1–3 are available at http://symbolaris.com/info/KeYmaera.html.

  2. The meta operator introduces , because and KeYmaera distinguish categories of variables. They do not allow quantification over program variables x and do not allow assignment to logical variables X, so a mix with both is needed.

  3. is available at http://symbolaris.com/info/KeYmaeraD.html.

  4. Besides unification, the implementation of the generic useAt tactic identifies the ( ) key of an axiom to unify with and generically handles, e.g., equivalence transformations and implicational assumptions that arise during the use of the axiom.

  5. Ironically, minor notational differences still exist as concessions to ASCII and curly-brace language notation, but major changes such as different proof notations, updates, or static-single-assignment-renamed versions of variables are avoided.

  6. Earlier implementations of the assignment tactic attempted to syntactically analyze the formula to decide which axiom to use, which is essentially the task of the update simplifier in . This approach turned out to be too error-prone, unless the tactic exactly mimics the uniform substitution algorithm.

  7. The Orbital library is a Java library providing object-oriented representations and algorithms for logic, mathematics, and computer science.

  8. The main taclet code complexity, however, is hidden in the soundness-critical implementation code that is backing the taclets.

  9. , in addition to axioms, uses host-language rule implementations for propositional rules, which are included in the count.

References

  1. Ahrendt, W., et al.: The KeY tool. Softw. Syst. Model. 4(1), 32–54 (2005). https://doi.org/10.1007/s10270-004-0058-x

  2. Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification - The KeY Book. LNCS, vol. 10001. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49812-6

  3. Alur, R., et al.: The algorithmic analysis of hybrid systems. Theor. Comput. Sci. 138(1), 3–34 (1995). https://doi.org/10.1016/0304-3975(94)00202-T

  4. Bartocci, E., et al.: TOOLympics 2019: an overview of competitions in formal methods. In: Beyer, D., Huisman, M., Kordon, F., Steffen, B. (eds.) TACAS 2019. LNCS, vol. 11429, pp. 3–24. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17502-3_1

  5. Beckert, B., et al.: Taclets: a new paradigm for constructing interactive theorem provers. Revista de la Real Academia de Ciencias Exactas, Físicas y Naturales, Serie A: Matemáticas (RACSAM) 98(1) (2004)

  6. Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach. LNCS, vol. 4334. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-69061-0

  7. Beckert, B., Platzer, A.: Dynamic logic with non-rigid functions. In: Furbach, U., Shankar, N. (eds.) IJCAR 2006. LNCS (LNAI), vol. 4130, pp. 266–280. Springer, Heidelberg (2006). https://doi.org/10.1007/11814771_23

  8. ter Beek, M.H., McIver, A., Oliveira, J.N. (eds.): FM 2019. LNCS, vol. 11800. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-30942-8

  9. Belta, C., Ivancic, F. (eds.): Hybrid Systems: Computation and Control (part of CPS Week 2013), HSCC 2013, Philadelphia, PA, USA, 8–13 April 2013. ACM, New York (2013)

  10. Bohrer, B., Fernandez, M., Platzer, A.: dLι: definite descriptions in differential dynamic logic. In: Fontaine [16], pp. 94–110. https://doi.org/10.1007/978-3-030-29436-6_6

  11. Bohrer, B., Rahli, V., Vukotic, I., Völp, M., Platzer, A.: Formally verified differential dynamic logic. In: Bertot, Y., Vafeiadis, V. (eds.) Certified Programs and Proofs - 6th ACM SIGPLAN Conference, CPP 2017, Paris, France, 16–17 January 2017, pp. 208–221. ACM, New York (2017). https://doi.org/10.1145/3018610.3018616

  12. Bohrer, B., Tan, Y.K., Mitsch, S., Myreen, M.O., Platzer, A.: VeriPhy: verified controller executables from verified cyber-physical system models. In: Grossman, D. (ed.) Proceedings of the 39th ACM SIGPLAN Conference on Programming Language Design and Implementation, PLDI 2018, pp. 617–630. ACM (2018). https://doi.org/10.1145/3192366.3192406

  13. Bohrer, B., Tan, Y.K., Mitsch, S., Sogokon, A., Platzer, A.: A formal safety net for waypoint following in ground robots. IEEE Robot. Autom. Lett. 4(3), 2910–2917 (2019). https://doi.org/10.1109/LRA.2019.2923099

  14. Church, A.: Introduction to Mathematical Logic. Princeton University Press, Princeton (1956)

  15. Doyen, L., Frehse, G., Pappas, G.J., Platzer, A.: Verification of hybrid systems. In: Clarke, E., Henzinger, T., Veith, H., Bloem, R. (eds.) Handbook of Model Checking, pp. 1047–1110. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-10575-8_30

  16. Fontaine, P. (ed.): CADE 2019. LNCS (LNAI), vol. 11716. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29436-6

  17. Frehse, G., Althoff, M. (eds.): ARCH19. 6th International Workshop on Applied Verification of Continuous and Hybrid Systems, part of CPS-IoT Week 2019, Montreal, QC, Canada, 15 April 2019, EPiC Series in Computing, vol. 61. EasyChair (2019)

  18. Frehse, G., et al.: SpaceEx: scalable verification of hybrid systems. In: Gopalakrishnan, G., Qadeer, S. (eds.) CAV 2011. LNCS, vol. 6806, pp. 379–395. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-22110-1_30

  19. Fulton, N., Mitsch, S., Bohrer, B., Platzer, A.: Bellerophon: tactical theorem proving for hybrid systems. In: Ayala-Rincón, M., Muñoz, C.A. (eds.) ITP 2017. LNCS, vol. 10499, pp. 207–224. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-66107-0_14

  20. Fulton, N., Mitsch, S., Quesel, J.-D., Völp, M., Platzer, A.: KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 527–538. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_36

  21. Fulton, N., Platzer, A.: Verifiably safe off-model reinforcement learning. In: Vojnar, T., Zhang, L. (eds.) TACAS 2019. LNCS, vol. 11427, pp. 413–430. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17462-0_28

  22. Grebing, S.: User interaction in deductive interactive program verification. Ph.D. thesis, Karlsruhe Institute of Technology, Germany (2019). https://nbn-resolving.org/urn:nbn:de:101:1-2019103003584227760922

  23. Jeannin, J.-B., et al.: A formally verified hybrid system for the next-generation airborne collision avoidance system. In: Baier, C., Tinelli, C. (eds.) TACAS 2015. LNCS, vol. 9035, pp. 21–36. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46681-0_2

  24. Jeannin, J., et al.: A formally verified hybrid system for safe advisories in the next-generation airborne collision avoidance system. STTT 19(6), 717–741 (2017). https://doi.org/10.1007/s10009-016-0434-1

  25. Kouskoulas, Y., Renshaw, D.W., Platzer, A., Kazanzides, P.: Certifying the safe design of a virtual fixture control algorithm for a surgical robot. In: Belta and Ivancic [9], pp. 263–272. https://doi.org/10.1145/2461328.2461369

  26. Lange, C., et al.: A qualitative comparison of the suitability of four theorem provers for basic auction theory. In: Carette, J., Aspinall, D., Lange, C., Sojka, P., Windsteiger, W. (eds.) CICM 2013. LNCS (LNAI), vol. 7961, pp. 200–215. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-39320-4_13

  27. 2012 27th Annual IEEE Symposium on Logic in Computer Science (LICS), Los Alamitos. IEEE (2012)

  28. Loos, S.M., Platzer, A., Nistor, L.: Adaptive cruise control: hybrid, distributed, and now formally verified. In: Butler, M., Schulte, W. (eds.) FM 2011. LNCS, vol. 6664, pp. 42–56. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-21437-0_6

  29. Loos, S.M., Renshaw, D.W., Platzer, A.: Formal verification of distributed aircraft controllers. In: Belta and Ivancic [9], pp. 125–130. https://doi.org/10.1145/2461328.2461350

  30. Milner, R.: Logic for computable functions: description of a machine implementation. Technical report, Stanford University, Stanford, CA, USA (1972)

  31. Mitsch, S., Gario, M., Budnik, C.J., Golm, M., Platzer, A.: Formal verification of train control with air pressure brakes. In: Fantechi, A., Lecomte, T., Romanovsky, A. (eds.) RSSRail, pp. 173–191. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-68499-4_12

  32. Mitsch, S., Ghorbal, K., Platzer, A.: On provably safe obstacle avoidance for autonomous robotic ground vehicles. In: Newman, P., Fox, D., Hsu, D. (eds.) Robotics: Science and Systems (2013)

  33. Mitsch, S., Ghorbal, K., Vogelbacher, D., Platzer, A.: Formal verification of obstacle avoidance and navigation of ground robots. Int. J. Robot. Res. 36(12), 1312–1340 (2017). https://doi.org/10.1177/0278364917733549

  34. Mitsch, S., Passmore, G.O., Platzer, A.: Collaborative verification-driven engineering of hybrid systems. Math. Comput. Sci. 8(1), 71–97 (2014). https://doi.org/10.1007/s11786-014-0176-y

  35. Mitsch, S., Platzer, A.: ModelPlex: verified runtime validation of verified cyber-physical system models. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 199–214. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11164-3_17

  36. Mitsch, S., Platzer, A.: The KeYmaera X proof IDE: concepts on usability in hybrid systems theorem proving. In: Dubois, C., Masci, P., Méry, D. (eds.) 3rd Workshop on Formal Integrated Development Environment. EPTCS, vol. 240, pp. 67–81 (2016). https://doi.org/10.4204/EPTCS.240.5

  37. Mitsch, S., Platzer, A.: ModelPlex: verified runtime validation of verified cyber-physical system models. Form. Methods Syst. Des. 49(1–2), 33–74 (2016). https://doi.org/10.1007/s10703-016-0241-z. Special issue of selected papers from RV’14

  38. Mitsch, S., Sogokon, A., Tan, Y.K., Jin, X., Zhan, B., Wang, S., Zhan, N.: ARCH-COMP19 category report: hybrid systems theorem proving. In: Frehse and Althoff [17], pp. 141–161

  39. Mitsch, S., et al.: ARCH-COMP18 category report: hybrid systems theorem proving. In: ARCH18. 5th International Workshop on Applied Verification of Continuous and Hybrid Systems, ARCH@ADHS 2018, Oxford, UK, 13 July 2018, pp. 110–127 (2018). http://www.easychair.org/publications/paper/tNN2

  40. Müller, A., Mitsch, S., Retschitzegger, W., Schwinger, W., Platzer, A.: Tactical contract composition for hybrid system component verification. STTT 20(6), 615–643 (2018). https://doi.org/10.1007/s10009-018-0502-9. Special issue for selected papers from FASE 2017

  41. Paulson, L.C., Nipkow, T., Wenzel, M.: From LCF to Isabelle/HOL. Formal Asp. Comput. 31(6), 675–698 (2019). https://doi.org/10.1007/s00165-019-00492-1

  42. Platzer, A.: Differential dynamic logic for verifying parametric hybrid systems. In: Olivetti, N. (ed.) TABLEAUX 2007. LNCS (LNAI), vol. 4548, pp. 216–232. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73099-6_17

  43. Platzer, A.: Differential dynamic logic for hybrid systems. J. Autom. Reas. 41(2), 143–189 (2008). https://doi.org/10.1007/s10817-008-9103-8

  44. Platzer, A.: Differential-algebraic dynamic logic for differential-algebraic programs. J. Log. Comput. 20(1), 309–352 (2010). https://doi.org/10.1093/logcom/exn070

  45. Platzer, A.: Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14509-4. http://www.springer.com/978-3-642-14508-7

  46. Platzer, A.: A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Log. Meth. Comput. Sci. 8(4:17), 1–44 (2012). https://doi.org/10.2168/LMCS-8(4:17)2012. Special issue for selected papers from CSL’10

  47. Platzer, A.: The complete proof theory of hybrid systems. In: LICS [27], pp. 541–550. https://doi.org/10.1109/LICS.2012.64

  48. Platzer, A.: Logics of dynamical systems. In: LICS [27], pp. 13–24. https://doi.org/10.1109/LICS.2012.13

  49. Platzer, A.: Differential game logic. ACM Trans. Comput. Log. 17(1), 1:1–1:51 (2015). https://doi.org/10.1145/2817824

  50. Platzer, A.: A complete uniform substitution calculus for differential dynamic logic. J. Autom. Reas. 59(2), 219–265 (2017). https://doi.org/10.1007/s10817-016-9385-1

  51. Platzer, A.: Logical Foundations of Cyber-Physical Systems. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-63588-0. http://www.springer.com/978-3-319-63587-3

  52. Platzer, A.: Uniform substitution for differential game logic. In: Galmiche, D., Schulz, S., Sebastiani, R. (eds.) IJCAR 2018. LNCS (LNAI), vol. 10900, pp. 211–227. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-94205-6_15

  53. Platzer, A.: Uniform substitution at one fell swoop. In: Fontaine [16], pp. 425–441. https://doi.org/10.1007/978-3-030-29436-6_25

  54. Platzer, A., Clarke, E.M.: Computing differential invariants of hybrid systems as fixedpoints. Form. Methods Syst. Des. 35(1), 98–120 (2009). https://doi.org/10.1007/s10703-009-0079-8. Special issue for selected papers from CAV’08

  55. Platzer, A., Clarke, E.M.: Formal verification of curved flight collision avoidance maneuvers: a case study. In: Cavalcanti, A., Dams, D.R. (eds.) FM 2009. LNCS, vol. 5850, pp. 547–562. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-05089-3_35

  56. Platzer, A., Quesel, J.-D.: KeYmaera: a hybrid theorem prover for hybrid systems (system description). In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 171–178. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-71070-7_15

  57. Platzer, A., Quesel, J.-D.: European train control system: a case study in formal verification. In: Breitman, K., Cavalcanti, A. (eds.) ICFEM 2009. LNCS, vol. 5885, pp. 246–265. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-10373-5_13

  58. Platzer, A., Quesel, J.-D., Rümmer, P.: Real world verification. In: Schmidt, R.A. (ed.) CADE 2009. LNCS (LNAI), vol. 5663, pp. 485–501. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02959-2_35

  59. Platzer, A., Tan, Y.K.: Differential equation invariance axiomatization. J. ACM 67(1), 6:1–6:66 (2020). https://doi.org/10.1145/3380825

  60. Quesel, J.D.: Similarity, logic, and games - bridging modeling layers of hybrid systems. Ph.D. thesis, Department of Computing Science, University of Oldenburg (2013)

  61. Quesel, J.-D., Platzer, A.: Playing hybrid games with KeYmaera. In: Gramlich, B., Miller, D., Sattler, U. (eds.) IJCAR 2012. LNCS (LNAI), vol. 7364, pp. 439–453. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31365-3_34

  62. Renshaw, D.W., Loos, S.M., Platzer, A.: Distributed theorem proving for distributed hybrid systems. In: Qin, S., Qiu, Z. (eds.) ICFEM 2011. LNCS, vol. 6991, pp. 356–371. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-24559-6_25

  63. Rümmer, P., Shah, M.A.: Proving programs incorrect using a sequent calculus for Java dynamic logic. In: Gurevich, Y., Meyer, B. (eds.) TAP 2007. LNCS, vol. 4454, pp. 41–60. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73770-4_3

  64. Sogokon, A., Mitsch, S., Tan, Y.K., Cordwell, K., Platzer, A.: Pegasus: a framework for sound continuous invariant generation. In: ter Beek et al. [8], pp. 138–157. https://doi.org/10.1007/978-3-030-30942-8_10

  65. Sutcliffe, G., Benzmüller, C., Brown, C.E., Theiss, F.: Progress in the development of automated theorem proving for higher-order logic. In: Schmidt, R.A. (ed.) CADE 2009. LNCS (LNAI), vol. 5663, pp. 116–130. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-02959-2_8

  66. Tan, Y.K., Platzer, A.: An axiomatic approach to liveness for differential equations. In: ter Beek et al. [8], pp. 371–388. https://doi.org/10.1007/978-3-030-30942-8_23

  67. Wenzel, M., Wiedijk, F.: A comparison of Mizar and Isar. J. Autom. Reasoning 29(3–4), 389–411 (2002). https://doi.org/10.1023/A:1021935419355

  68. Wiedijk, F.: Comparing mathematical provers. In: Asperti, A., Buchberger, B., Davenport, J.H. (eds.) MKM 2003. LNCS, vol. 2594, pp. 188–202. Springer, Heidelberg (2003). https://doi.org/10.1007/3-540-36469-2_15

  69. Wiedijk, F. (ed.): The Seventeen Provers of the World. LNCS (LNAI), vol. 3600. Springer, Heidelberg (2006). https://doi.org/10.1007/11542384

Acknowledgements

The authors thank Brandon Bohrer and the chapter reviewers for helpful feedback on this article.

Corresponding author: Stefan Mitsch.
Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter

Cite this chapter

Mitsch, S., Platzer, A. (2020). A Retrospective on Developing Hybrid System Provers in the KeYmaera Family. In: Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Ulbrich, M. (eds) Deductive Software Verification: Future Perspectives. Lecture Notes in Computer Science(), vol 12345. Springer, Cham. https://doi.org/10.1007/978-3-030-64354-6_2

  • DOI: https://doi.org/10.1007/978-3-030-64354-6_2
  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-64353-9

  • Online ISBN: 978-3-030-64354-6
