Presentation is loading. Please wait.

Presentation is loading. Please wait.

Ichiro Hasuo University of Tokyo Kohei Suenaga JSPS Research Fellow (PD) Kyoto University Programming with Infinitesimals A WHILE-Language for Hybrid System.

Published byFrancine Bridges Modified over 7 years ago

Similar presentations

Presentation on theme: "Ichiro Hasuo University of Tokyo Kohei Suenaga JSPS Research Fellow (PD) Kyoto University Programming with Infinitesimals A WHILE-Language for Hybrid System."— Presentation transcript:

1 Ichiro Hasuo University of Tokyo Kohei Suenaga JSPS Research Fellow (PD) Kyoto University Programming with Infinitesimals A WHILE-Language for Hybrid System Modeling Infinitely small values

2 Hybrid systems  Flow + Jump  Jump is familiar  Flow is not Accel. rate Veloc. flow jump flow t t x

3 Hybrid System Verification  Existing work  Hybrid automata [Alur et al.]  Differential dynamic logic [Platzer et al.]  Flow by differential equations

4 This work  Turns flow into jump

5 This work  Turns flow into jump  With infinitesimals Infinitely small values

6 This work  Turns flow into jump  With infinitesimals Accel. rate Veloc. flow jump flow jump t t x Infinitely small values Infinitely-many infinitesimal jumps

7 Concretely  Modeling language WHILE dt  WHILE + dt  Hoare-style program logic (HOARE dt ) for WHILE dt  Sound and (relatively) complete t := 0; while (t < 1) t := t + dt infinitesimal constant (“infinitely small”)

8 Modeling in WHILE dt t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; }

9 Verification in Hoare dt A {} B { } c

10 true {} x < 4.01 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; }

11 Challenges  Mathematically rigorous basis t := 0; while (t < 1) t := t + dt dt: denotation? infinite iteration? Non-standard analysis [Robinson’60] Section-wise approximation of while-loops

12 Outline  WHILE dt  Syntax and example  Brief introduction of non-standard analysis  Semantics  HOARE dt  Related work  Conclusion

13 WHILE dt  WHILE + reals + dt c (commands) ::= skip | x := a | c1;c2 | if (b) then c1 else c2 | while (b) do c (inaction) (assignment) (sequential) (conditional) (loop) b ::= true | false | b1 and b2 | b1 or b2 | not b a ::= x | r | dt | a1+a2 | … real infinitesimal

14 Example 1 : Differential equation t := 0; x := 1; while (t < 1) { t := t + dt; x := x + x * dt }  Computes x(1) of dx dt = x, x(0) = 1 x(t+dt) – x(t) dt = x(t) x(t + dt) = x(t) + x(t) * dt x = exp(1) at the end

15 Example: Bus t := 0; x := 0; v := 0; a := 1; while (t < 4) { v := v + a * dt; x := x + v * dt; if (t < 2) then a := 1 else a:= -1; t := t + dt; } dv/dt = a dx/dt = v Gas pedal if t < 2. Brake otherwise. Infinitesimal clock tick

16 Challenges  Mathematically rigorous basis t := 0; while (t < 1) t := t + dt dt: denotation? “infinite”-time iterations? Non-standard analysis [Robinson’60] Section-wise approximation of while-loops

17 Outline  WHILE dt  Syntax and sample programs  Brief introduction of non-standard analysis  Semantics  HOARE dt  Answer to FAQs  Conclusion

18 () () + =  Hyperreal ≒ sequence of reals  Operations: Pointwise  Predicates: Pointwise “almost everywhere” Non-standard analysis in nutshell Reals + dt ()

19 Hyperreal ≒ sequence of reals (1, 1, 1, 1,…) ( (1, 2, 3, 4,…)  A component of a sequence is called a section (1, 2, 3, 4,…) 0th section 2nd section NB. Precisely, Hyperreal = (sequence of reals) / ultrafilter )

20 Real as hyperreal  Reals are naturally embedded to hyperreals 1 Real (1, 1, 1, 1,…) Hyperreal 2 (2, 2, 2, 2,…)  ( , , , ,…)

21 Operations: Sectionwise ( ) ( ) + =

22 Predicates: Sectionwise “almost everywhere”  Predicate holds if it holds except for finitely-many sections (0, 0, 0, 0, …) (1, 2, 3, 4, …) <<<< < ? ✓ …

23 ? ✓ Predicates: Sectionwise “almost everywhere”  Predicate holds if it holds except for finitely-many sections (1, 1, 1, 1, …) (1, 2, 3, 4, …) <<< < < …

24 < Predicates: Sectionwise “almost everywhere” (NB “almost every section” is defined with an ultrafilter in the paper)  Predicate holds if it holds except for finitely-many sections (1, 2, 3, 4, …) (0, 1, 2, 3, …) <<<< ? …

25 dt = ( ) is an infinitesimal () …… () <<<<<<< < ? ✓  Infinitesimal = Smaller than any positive real

26 Outline  WHILE dt  Syntax and sample programs  Brief introduction of non-standard analysis  Semantics  HOARE dt  Answer to FAQs  Conclusion

27 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt;

28 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt;

29 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t < (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …);

30 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + 1; t := 0; while (t < 1) t := t + 1/2; t := 0; while (t < 1) t := t + 1/3; … 0th section1st section2nd section

31 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + 1; t := 0; while (t < 1) t := t + 1/2; t := 0; while (t < 1) t := t + 1/3; … 0th section1st section2nd section t = 1

32 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t < (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …); t = (1, 1, 1, …)

33 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt; t = 1

34 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt;

35 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt;

36 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t <= (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …);

37 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + 1; t := 0; while (t <= 1) t := t + 1/2; t := 0; while (t <= 1) t := t + 1/3; … 0th section1st section2nd section

38 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + 1; t := 0; while (t <= 1) t := t + 1/2; t := 0; while (t <= 1) t := t + 1/3; … 0th section1st section2nd section t = 1 + 1 t = 1 + 1/2t = 1 + 1/3

39 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t <= (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …); t = (1, 1, 1, …) + (1, 1/2, 1/3, …)

40 Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt; t = 1 + dt

41 Sectionwise Execution Lemma  Def. (Section) The i-th section e| i of a WHILE dt expression e is obtained by replacing dt with  Lem. (Sectionwise Execution) For each program c and a memory state , Usual program, usual semantics stores reals stores hyperreals

42 Q: Is WHILE dt program executable?  A: No  WHILE dt is for modeling and verification of hybrid systems

43 Outline  WHILE dt  HOARE dt  Related work  Conclusion

44 Assertion language A (assertion) ::= true | false | A 1 and A 2 | not A | a 1 < a 2 | ∀ x ∈ *N. A | ∀ x ∈ *R. A  Almost the same as the standard Hoare logic Set of hypernaturals Set of hyperreals  Cf. Transfer Principle in Non-Standard Analysis

45 Hoare triples and inference rules {A}skip{A}  Exactly the same as the standard Hoare logic {[a/x]A}x := a{A} {A 1 }c 1 ;c 2 {A 3 } {A 1 }c 1 {A 2 }{A 2 }c 1 {A 3 } {A 1 }if b then c 1 else c 2 {A 2 } {A 1 and b}c 1 {A 2 } {A 2 and not b}c 2 {A 2 } {A}while b do c{A and not b} {A and b}c{A}

46 Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n 0 + 4 – n) * dt & a = -1 & x = x 0 + (3n 0 + 7 – n)(n – n 0 - 2)*dt 2 / 2

47 Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n 0 + 4 – n) * dt & a = -1 & x = x 0 + (3n 0 + 7 – n)(n – n 0 - 2)*dt 2 / 2

48 Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n 0 + 4 – n) * dt & a = -1 & x = x 0 + (3n 0 + 7 – n)(n – n 0 - 2)*dt 2 / 2

49 Verification example true {} x < 4.01 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } …… Using the loop invariant

50 Properties Thm. HOARE dt is sound Thm. HOARE dt is relatively complete

51 Related work Features Hybrid automata [Alur et al.] Differential dynamic logic [Platzer et al.] WHILE dt + HOARE dt  Diff. eqns. for flow  dt for flow  Diff. eqns. for flow  Auto. verif.  Sound  Rel. Compl.  Concurrency

52 Related work  Hybrid automata [Alur et al.]  Extension of automata with diff. eqn.  Supports concurrency  Automated verification  Differential dynamic logic [Platzer et al.]  Extension of dynamic logic with diff. eqn.  Sound & relatively complete  Automated verification

53 Conclusion t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } ModelingVerification WHILE dt HOARE dt Semantics by > Non-Standard Analysis > Sectionwise exec. > Sound > Relatively complete

54 Future direction  Verifier based on this approach  Current prototype: WHILE dt w/ invariants  Verif. cond.  Coq  Automated verification?  MetiTarski  Invariant generators  Application of other software verification methods  Extension of the language  Feasibility study with more examples

55

56 Does the choice of dt matter?  A: Yes t := 0; while (t = 1) t := t + dt; Terminates with dt = (1, 1/2, 1/3, …) Doesn’t with dt = (1/ , 1/2 , 1/3 , …)

57  forall x in R. A is prohibited  Excludes, e.g., x is infinitely close to 1 forall r in R. r > 0  |x – 1| < r

58 Zeno behavior  Problematic?  No  There is no special notion of “time”  Variable “t” in the examples is just a variable  Progression of t is not required by the framework  Proving “progress” of a variable is an interesting future direction

59 Verification example true {} x < 4 + 6dt – dt 2 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } …… Using the loop invariant

Download ppt "Ichiro Hasuo University of Tokyo Kohei Suenaga JSPS Research Fellow (PD) Kyoto University Programming with Infinitesimals A WHILE-Language for Hybrid System."

Similar presentations

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?

Automated Theorem Proving Lecture 1. Program verification is undecidable! Given program P and specification S, does P satisfy S?
In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.

In this episode of The Verification Corner, Rustan Leino talks about Loop Invariants. He gives a brief summary of the theoretical foundations and shows.
Semantics Static semantics Dynamic semantics attribute grammars

Semantics Static semantics Dynamic semantics attribute grammars
ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.

ICE1341 Programming Languages Spring 2005 Lecture #6 Lecture #6 In-Young Ko iko.AT. icu.ac.kr iko.AT. icu.ac.kr Information and Communications University.
Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.

Verification of Evolving Software Natasha Sharygina Joint work with Sagar Chaki and Nishant Sinha Carnegie Mellon University.
Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers

Hoare’s Correctness Triplets Dijkstra’s Predicate Transformers
Rigorous Software Development CSCI-GA 3033-011 Instructor: Thomas Wies Spring 2012 Lecture 11.

Rigorous Software Development CSCI-GA Instructor: Thomas Wies Spring 2012 Lecture 11.
Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.

Formal Semantics of Programming Languages 虞慧群 Topic 5: Axiomatic Semantics.
Timed Automata.

Timed Automata.
A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.

A survey of techniques for precise program slicing Komondoor V. Raghavan Indian Institute of Science, Bangalore.
David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.

David Evans CS655: Programming Languages University of Virginia Computer Science Lecture 19: Minding Ps & Qs: Axiomatic.
Partial correctness © Marcelo d’Amorim 2010.

Partial correctness © Marcelo d’Amorim 2010.
ISBN 0-321-33025-0 Chapter 3 Describing Syntax and Semantics.

ISBN Chapter 3 Describing Syntax and Semantics.
Predicate Transformers

Predicate Transformers
Program Proving Notes Ellen L. Walker.

Program Proving Notes Ellen L. Walker.
1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.

1 Semantic Description of Programming languages. 2 Static versus Dynamic Semantics n Static Semantics represents legal forms of programs that cannot be.
1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.

1/22 Programs : Semantics and Verification Charngki PSWLAB Programs: Semantics and Verification Mordechai Ben-Ari Mathematical Logic for Computer.
CS 355 – Programming Languages

CS 355 – Programming Languages
Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.

Comp 205: Comparative Programming Languages Semantics of Imperative Programming Languages denotational semantics operational semantics logical semantics.
What is an Algorithm? (And how do we analyze one?)

What is an Algorithm? (And how do we analyze one?)

Similar presentations

Ads by Google