Ichiro Hasuo University of Tokyo Kohei Suenaga JSPS Research Fellow (PD) Kyoto University Programming with Infinitesimals A WHILE-Language for Hybrid System Modeling Infinitely small values

Hybrid systems  Flow + Jump  Jump is familiar  Flow is not Accel. rate Veloc. flow jump flow t t x

Hybrid System Verification  Existing work  Hybrid automata [Alur et al.]  Differential dynamic logic [Platzer et al.]  Flow by differential equations

This work  Turns flow into jump

This work  Turns flow into jump  With infinitesimals Infinitely small values

This work  Turns flow into jump  With infinitesimals Accel. rate Veloc. flow jump flow jump t t x Infinitely small values Infinitely-many infinitesimal jumps

Concretely  Modeling language WHILE dt  WHILE + dt  Hoare-style program logic (HOARE dt ) for WHILE dt  Sound and (relatively) complete t := 0; while (t < 1) t := t + dt infinitesimal constant (“infinitely small”)

Modeling in WHILE dt t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; }

Verification in Hoare dt A {} B { } c

true {} x < 4.01 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; }

Challenges  Mathematically rigorous basis t := 0; while (t < 1) t := t + dt dt: denotation? infinite iteration? Non-standard analysis [Robinson’60] Section-wise approximation of while-loops

Outline  WHILE dt  Syntax and example  Brief introduction of non-standard analysis  Semantics  HOARE dt  Related work  Conclusion

WHILE dt  WHILE + reals + dt c (commands) ::= skip | x := a | c1;c2 | if (b) then c1 else c2 | while (b) do c (inaction) (assignment) (sequential) (conditional) (loop) b ::= true | false | b1 and b2 | b1 or b2 | not b a ::= x | r | dt | a1+a2 | … real infinitesimal

Example 1 : Differential equation t := 0; x := 1; while (t < 1) { t := t + dt; x := x + x * dt }  Computes x(1) of dx dt = x, x(0) = 1 x(t+dt) – x(t) dt = x(t) x(t + dt) = x(t) + x(t) * dt x = exp(1) at the end

Example: Bus t := 0; x := 0; v := 0; a := 1; while (t < 4) { v := v + a * dt; x := x + v * dt; if (t < 2) then a := 1 else a:= -1; t := t + dt; } dv/dt = a dx/dt = v Gas pedal if t < 2. Brake otherwise. Infinitesimal clock tick

Challenges  Mathematically rigorous basis t := 0; while (t < 1) t := t + dt dt: denotation? “infinite”-time iterations? Non-standard analysis [Robinson’60] Section-wise approximation of while-loops

Outline  WHILE dt  Syntax and sample programs  Brief introduction of non-standard analysis  Semantics  HOARE dt  Answer to FAQs  Conclusion

() () + =  Hyperreal ≒ sequence of reals  Operations: Pointwise  Predicates: Pointwise “almost everywhere” Non-standard analysis in nutshell Reals + dt ()

Hyperreal ≒ sequence of reals (1, 1, 1, 1,…) ( (1, 2, 3, 4,…)  A component of a sequence is called a section (1, 2, 3, 4,…) 0th section 2nd section NB. Precisely, Hyperreal = (sequence of reals) / ultrafilter )

Real as hyperreal  Reals are naturally embedded to hyperreals 1 Real (1, 1, 1, 1,…) Hyperreal 2 (2, 2, 2, 2,…)  ( , , , ,…)

Operations: Sectionwise ( ) ( ) + =

Predicates: Sectionwise “almost everywhere”  Predicate holds if it holds except for finitely-many sections (0, 0, 0, 0, …) (1, 2, 3, 4, …) <<<< < ? ✓ …

? ✓ Predicates: Sectionwise “almost everywhere”  Predicate holds if it holds except for finitely-many sections (1, 1, 1, 1, …) (1, 2, 3, 4, …) <<< < < …

< Predicates: Sectionwise “almost everywhere” (NB “almost every section” is defined with an ultrafilter in the paper)  Predicate holds if it holds except for finitely-many sections (1, 2, 3, 4, …) (0, 1, 2, 3, …) <<<< ? …

dt = ( ) is an infinitesimal () …… () <<<<<<< < ? ✓  Infinitesimal = Smaller than any positive real

Outline  WHILE dt  Syntax and sample programs  Brief introduction of non-standard analysis  Semantics  HOARE dt  Answer to FAQs  Conclusion

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt;

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt;

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t < (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …);

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + 1; t := 0; while (t < 1) t := t + 1/2; t := 0; while (t < 1) t := t + 1/3; … 0th section1st section2nd section

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + 1; t := 0; while (t < 1) t := t + 1/2; t := 0; while (t < 1) t := t + 1/3; … 0th section1st section2nd section t = 1

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t < (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …); t = (1, 1, 1, …)

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t < 1) t := t + dt; t = 1

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt;

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt;

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t <= (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …);

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + 1; t := 0; while (t <= 1) t := t + 1/2; t := 0; while (t <= 1) t := t + 1/3; … 0th section1st section2nd section

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + 1; t := 0; while (t <= 1) t := t + 1/2; t := 0; while (t <= 1) t := t + 1/3; … 0th section1st section2nd section t = t = 1 + 1/2t = 1 + 1/3

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := (0, 0, 0, …); while (t <= (1, 1, 1, …)) t := t + (1, 1/2, 1/3, …); t = (1, 1, 1, …) + (1, 1/2, 1/3, …)

Idea of the semantics  Section-wise execution  Execute a program on each section and merge the result t := 0; while (t <= 1) t := t + dt; t = 1 + dt

Sectionwise Execution Lemma  Def. (Section) The i-th section e| i of a WHILE dt expression e is obtained by replacing dt with  Lem. (Sectionwise Execution) For each program c and a memory state , Usual program, usual semantics stores reals stores hyperreals

Q: Is WHILE dt program executable?  A: No  WHILE dt is for modeling and verification of hybrid systems

Outline  WHILE dt  HOARE dt  Related work  Conclusion

Assertion language A (assertion) ::= true | false | A 1 and A 2 | not A | a 1 < a 2 | ∀ x ∈ *N. A | ∀ x ∈ *R. A  Almost the same as the standard Hoare logic Set of hypernaturals Set of hyperreals  Cf. Transfer Principle in Non-Standard Analysis

Hoare triples and inference rules {A}skip{A}  Exactly the same as the standard Hoare logic {[a/x]A}x := a{A} {A 1 }c 1 ;c 2 {A 3 } {A 1 }c 1 {A 2 }{A 2 }c 1 {A 3 } {A 1 }if b then c 1 else c 2 {A 2 } {A 1 and b}c 1 {A 2 } {A 2 and not b}c 2 {A 2 } {A}while b do c{A and not b} {A and b}c{A}

Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n – n) * dt & a = -1 & x = x 0 + (3n – n)(n – n 0 - 2)*dt 2 / 2

Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n – n) * dt & a = -1 & x = x 0 + (3n – n)(n – n 0 - 2)*dt 2 / 2

Verification example t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; if (t < 2) then a := 1 else a:= -1; t := t + dt; } Loop invariant: ∃ n ∈ *N. t = n * dt & t = 2 + dt  v = (2n – n) * dt & a = -1 & x = x 0 + (3n – n)(n – n 0 - 2)*dt 2 / 2

Verification example true {} x < 4.01 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } …… Using the loop invariant

Properties Thm. HOARE dt is sound Thm. HOARE dt is relatively complete

Related work Features Hybrid automata [Alur et al.] Differential dynamic logic [Platzer et al.] WHILE dt + HOARE dt  Diff. eqns. for flow  dt for flow  Diff. eqns. for flow  Auto. verif.  Sound  Rel. Compl.  Concurrency

Related work  Hybrid automata [Alur et al.]  Extension of automata with diff. eqn.  Supports concurrency  Automated verification  Differential dynamic logic [Platzer et al.]  Extension of dynamic logic with diff. eqn.  Sound & relatively complete  Automated verification

Conclusion t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } ModelingVerification WHILE dt HOARE dt Semantics by > Non-Standard Analysis > Sectionwise exec. > Sound > Relatively complete

Future direction  Verifier based on this approach  Current prototype: WHILE dt w/ invariants  Verif. cond.  Coq  Automated verification?  MetiTarski  Invariant generators  Application of other software verification methods  Extension of the language  Feasibility study with more examples

Does the choice of dt matter?  A: Yes t := 0; while (t = 1) t := t + dt; Terminates with dt = (1, 1/2, 1/3, …) Doesn’t with dt = (1/ , 1/2 , 1/3 , …)

 forall x in R. A is prohibited  Excludes, e.g., x is infinitely close to 1 forall r in R. r > 0  |x – 1| < r

Zeno behavior  Problematic?  No  There is no special notion of “time”  Variable “t” in the examples is just a variable  Progression of t is not required by the framework  Proving “progress” of a variable is an interesting future direction

Verification example true {} x < 4 + 6dt – dt 2 {} t := 0; x := 0; v := 0; a := 1; while (t < 4) { v’ := v + a * dt; x’ := x + v * dt; v := v’; x := x’; t := t + dt; a := (t < 2) ? 1 : -1; } …… Using the loop invariant