Packages

package root

KeYmaera X is a theorem prover for differential dynamic logic (dL), a logic for specifying and verifying properties of hybrid systems with mixed discrete and continuous dynamics.

KeYmaera X: An aXiomatic Tactical Theorem Prover

KeYmaera X is a theorem prover for differential dynamic logic (dL), a logic for specifying and verifying properties of hybrid systems with mixed discrete and continuous dynamics. Reasoning about complicated hybrid systems requires support for sophisticated proof techniques, efficient computation, and a user interface that crystallizes salient properties of the system. KeYmaera X allows users to specify custom proof search techniques as tactics, execute tactics in parallel, and interface with partial proofs via an extensible user interface.

http://keymaeraX.org/

Concrete syntax for input language Differential Dynamic Logic

Package Structure

Main documentation entry points for KeYmaera X API:

edu.cmu.cs.ls.keymaerax.core - KeYmaera X kernel, proof certificates, main data structures
- Expression - Differential dynamic logic expressions: Term, Formula, Program
- Sequent - Sequents of formulas
- Provable - Proof certificates transformed by rules/axioms
- Rule - Proof rules as well as USubstOne for (one-pass) uniform substitutions and renaming.
- StaticSemantics - Static semantics with free and bound variable analysis
- Instead of constructing dL expressions from constructors, it is easier to use the KeYmaeraXParser.
edu.cmu.cs.ls.keymaerax.parser - Parser and pretty printer with concrete syntax and notation for differential dynamic logic.
- Concrete syntax for input language Differential Dynamic Logic
- KeYmaeraXPrettyPrinter - Pretty printer producing concrete KeYmaera X syntax
- KeYmaeraXParser - Parser reading concrete KeYmaera X syntax
- KeYmaeraXArchiveParser - Parser reading KeYmaera X model and proof archive .kyx files
- DLParser - Combinator parser reading concrete KeYmaera X syntax
- DLArchiveParser - Combinator parser reading KeYmaera X model and proof archive .kyx files
edu.cmu.cs.ls.keymaerax.infrastruct - Prover infrastructure outside the kernel
- UnificationMatch - Unification algorithm
- RenUSubst - Renaming Uniform Substitution quickly combining kernel's renaming and substitution.
- Context - Representation for contexts of formulas in which they occur.
- Augmentors - Augmenting formula and expression data structures with additional functionality
- ExpressionTraversal - Generic traversal functionality for expressions
edu.cmu.cs.ls.keymaerax.bellerophon - Bellerophon tactic language and tactic interpreter
- BelleExpr - Tactic language expressions
- SequentialInterpreter - Sequential tactic interpreter for Bellerophon tactics
edu.cmu.cs.ls.keymaerax.btactics - Bellerophon tactic library for conducting proofs.
- TactixLibrary - Main KeYmaera X tactic library including many proof tactics.
- HilbertCalculus - Hilbert Calculus for differential dynamic logic
- SequentCalculus - Sequent Calculus for propositional and first-order logic
- HybridProgramCalculus - Hybrid Program Calculus for differential dynamic logic
- DifferentialEquationCalculus - Differential Equation Calculus for differential dynamic logic
- UnifyUSCalculus - Unification-based uniform substitution calculus underlying the other calculi
- [edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.ForwardTactic ForwardTactic] - Forward tactic framework for conducting proofs from premises to conclusions
edu.cmu.cs.ls.keymaerax.lemma - Lemma mechanism
- Lemma - Lemmas are Provables stored under a name, e.g., in files.
- LemmaDB - Lemma database stored in files or database etc.
edu.cmu.cs.ls.keymaerax.tools.qe - Real arithmetic back-end solvers
- MathematicaQETool - Mathematica interface for real arithmetic.
- Z3QETool - Z3 interface for real arithmetic.
edu.cmu.cs.ls.keymaerax.tools.ext - Extended back-ends for noncritical ODE solving, counterexamples, algebra, simplifiers, etc.
- Mathematica - Mathematica interface for ODE solving, algebra, simplification, invariant generation, etc.
- Z3 - Z3 interface for real arithmetic including simplifiers.

Entry Points

Additional entry points and usage points for KeYmaera X API:

edu.cmu.cs.ls.keymaerax.launcher.KeYmaeraX - Command-line launcher for KeYmaera X supports command-line argument -help to obtain usage information
edu.cmu.cs.ls.keymaerax.btactics.AxIndex - Axiom indexing data structures with keys and recursors for canonical proof strategies.
edu.cmu.cs.ls.keymaerax.btactics.DerivationInfo - Meta-information on all derivation steps (axioms, derived axioms, proof rules, tactics) with user-interface info.
edu.cmu.cs.ls.keymaerax.bellerophon.UIIndex - Index determining which canonical reasoning steps to display on the KeYmaera X User Interface.
edu.cmu.cs.ls.keymaerax.btactics.Ax - Registry for derived axioms and axiomatic proof rules that are proved from the core.

References

Full references on KeYmaera X are provided at http://keymaeraX.org/. The main references are the following:

1. André Platzer. A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning, 59(2), pp. 219-265, 2017.

2. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp and André Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, volume 9195 of LNCS, pp. 527-538. Springer, 2015.

3. André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, 2018. Videos

Definition Classes: root

package edu

Definition Classes: root

package cmu

Definition Classes: edu

package cs

Definition Classes: cmu

package ls

Definition Classes: cs

package keymaerax

Definition Classes: ls

package btactics

Tactic library in the Bellerophon tactic language.

edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary Main tactic library consisting of:
- HilbertCalculus Hilbert Calculus for differential dynamic logic
- SequentCalculus Sequent Calculus for propositional and first-order logic
- HybridProgramCalculus Hybrid Program Calculus for differential dynamic logic
- DifferentialEquationCalculus Differential Equation Calculus for differential dynamic logic
- UnifyUSCalculus Unification-based Uniform Substitution Calculus
Tactic tools
- AxIndex]: Axiom Indexing data structures for canonical proof strategies.
- DerivationInfo: Meta-information for derivation steps such as axioms for user interface etc.

All tactics are implemented in the Bellerophon tactic language, including its dependent tactics, which ultimately produce edu.cmu.cs.ls.keymaerax.core.Provable proof certificates by the Bellerophon interpreter. The Provables that tactics produce can be extracted, for example, with edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.proveBy().

Proof Styles

KeYmaera X supports many different proof styles, including flexible combinations of the following styles:

Explicit proof certificates directly program the proof rules from the core.

2. Explicit proofs use tactics to describe a proof directly mentioning all or most proof steps.

3. Proof by search relies mainly on proof search with occasional additional guidance.

4. Proof by pointing points out facts and where to use them.

5. Proof by congruence is based on equivalence or equality or implicational rewriting within a context.

6. Proof by chase is based on chasing away operators at an indicated position.

Explicit Proof Certificates

The most explicit types of proofs can be constructed directly using the edu.cmu.cs.ls.keymaerax.core.Provable certificates in KeYmaera X's kernel without using any tactics. Also see edu.cmu.cs.ls.keymaerax.core.

import edu.cmu.cs.ls.keymaerax.core._
// explicit proof certificate construction of |- !!p() <-> p()
val proof = (Provable.startProof(
  "!!p() <-> p()".asFormula)
  (EquivRight(SuccPos(0)), 0)
  // right branch
    (NotRight(SuccPos(0)), 1)
    (NotLeft(AntePos(1)), 1)
    (Close(AntePos(0),SuccPos(0)), 1)
  // left branch
    (NotLeft(AntePos(0)), 0)
    (NotRight(SuccPos(1)), 0)
    (Close(AntePos(0),SuccPos(0)), 0)
)

Explicit Proofs

Explicit proofs construct similarly explicit proof steps, just with explicit tactics from TactixLibrary: The only actual difference is the order of the branches, which is fixed to be from left to right in tactic branching. Tactics also use more elegant signed integers to refer to antecedent positions (negative) or succedent positions (positive).

import TactixLibrary._
// Explicit proof tactic for |- !!p() <-> p()
val proof = TactixLibrary.proveBy("!!p() <-> p()".asFormula,
   equivR(1) & <(
     (notL(-1) &
       notR(2) &
       closeId)
     ,
     (notR(1) &
       notL(-2) &
       closeId)
     )
 )

Proof by Search

Proof by search primarily relies on proof search procedures to conduct a proof. That gives very short proofs but, of course, they are not always entirely informative about how the proof worked. It is easiest to see in simple situations where propositional logic proof search will find a proof but works well in more general situations, too.

import TactixLibrary._
// Proof by search of |- (p() & q()) & r() <-> p() & (q() & r())
val proof = TactixLibrary.proveBy("(p() & q()) & r() <-> p() & (q() & r())".asFormula,
   prop
)

Common tactics for proof by search include edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.prop(), edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.auto() and the like.

Proof by Pointing

Proof by pointing emphasizes the facts to use and is implicit about the details on how to use them exactly. Proof by pointing works by pointing to a position in the sequent and using a given fact at that position. For example, for proving

⟨v:=2*v+1;⟩v!=0 <-> 2*v+1!=0

it is enough to point to the highlighted position using the Ax.diamond axiom fact ![a;]!p(||) <-> ⟨a;⟩p(||) at the highlighted position to reduce the proof to a proof of

![v:=2*v+1;]!(v!=0) <-> 2*v+1!=0

which is, in turn, easy to prove by pointing to the highlighted position using the Ax.assignbAxiom axiom [x:=t();]p(x) <-> p(t()) at the highlighted position to reduce the proof to

!!(2*v+1!=0) <-> 2*v+1!=0

Finally, using double negation !!p() <-> p() at the highlighted position yields the following

2*v+1!=0 <-> 2*v+1!=0

which easily proves by reflexivity p() <-> p().

Proof by pointing matches the highlighted position against the highlighted position in the fact and does what it takes to use that knowledge. There are multiple variations of proof by pointing in edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.useAt and edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.byUS, which are also imported into edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary. The above proof by pointing implements directly in KeYmaera X:

import TactixLibrary._
// Proof by pointing of  |- <v:=2*v+1;>v!=0 <-> 2*v+1!=0
val proof = TactixLibrary.proveBy("<v:=2*v+1;>q(v) <-> q(2*v+1)".asFormula,
  // use Ax.diamond axiom backwards at the indicated position on
  // |- __<v:=2*v+1;>q(v)__ <-> q(2*v+1)
  useExpansionAt(Ax.diamond)(1, 0::Nil) &
  // use Ax.assignbAxiom axiom forward at the indicated position on
  // |- !__[v:=2*v+1;]!q(v)__ <-> q(2*v+1)
  useAt(Ax.assignbAxiom(1, 0::0::Nil) &
  // use double negation at the indicated position on
  // |- __!!q(2*v+1)__ <-> q(2*v+1)
  useAt(Ax.doubleNegation)(1, 0::Nil) &
  // close by (an instance of) reflexivity |- p() <-> p()
  // |- q(2*v+1) <-> q(2*v+1)
  byUS(Ax.equivReflexive)
)

Another example is:

import TactixLibrary._
// Proof by pointing of  |- <a;++b;>p(x) <-> (<a;>p(x) | <b;>p(x))
val proof = TactixLibrary.proveBy("<a;++b;>p(x) <-> (<a;>p(x) | <b;>p(x))".asFormula,
  // use Ax.diamond axiom backwards at the indicated position on
  // |- __<a;++b;>p(x)__  <->  <a;>p(x) | <b;>p(x)
  useExpansionAt(Ax.diamond)(1, 0::Nil) &
  // use Ax.choiceb axiom forward at the indicated position on
  // |- !__[a;++b;]!p(x)__  <->  <a;>p(x) | <b;>p(x)
  useAt(Ax.choiceb)(1, 0::0::Nil) &
  // use Ax.diamond axiom forward at the indicated position on
  // |- !([a;]!p(x) & [b;]!p(x))  <->  __<a;>p(x)__ | <b;>p(x)
  useExpansionAt(Ax.diamond)(1, 1::0::Nil) &
  // use Ax.diamond axiom forward at the indicated position on
  // |- !([a;]!p(x) & [b;]!p(x))  <->  ![a;]!p(x) | __<b;>p(x)__
  useExpansionAt(Ax.diamond)(1, 1::1::Nil) &
  // use propositional logic to show
  // |- !([a;]!p(x) & [b;]!p(x))  <->  ![a;]!p(x) | ![b;]!p(x)
  prop
)

edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.stepAt also uses proof by pointing but figures out the appropriate fact to use on its own. Here's a similar proof:

import TactixLibrary._
// Proof by pointing with steps of  |- ⟨a++b⟩p(x) <-> (⟨a⟩p(x) | ⟨b⟩p(x))
val proof = TactixLibrary.proveBy("p(x) <-> (p(x) | p(x))".asFormula,
  // use Ax.diamond axiom backwards at the indicated position on
  // |- __⟨a++b⟩p(x)__  <->  ⟨a⟩p(x) | ⟨b⟩p(x)
  useExpansionAt(Ax.diamond)(1, 0::Nil) &
  // |- !__[a;++b;]!p(x)__  <->  ⟨a⟩p(x) | ⟨b⟩p(x)
  // step Ax.choiceb axiom forward at the indicated position
  stepAt(1, 0::0::Nil) &
  // |- __!([a;]!p(x) & [b;]!p(x))__  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
  // step deMorgan forward at the indicated position
  stepAt(1, 0::Nil) &
  // |- __![a;]!p(x)__ | ![b;]!p(x)  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
  // step Ax.diamond forward at the indicated position
  stepAt(1, 0::0::Nil) &
  // |- ⟨a⟩p(x) | __![b;]!p(x)__  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
  // step Ax.diamond forward at the indicated position
  stepAt(1, 0::1::Nil) &
  // |- ⟨a⟩p(x) | ⟨b⟩p(x)  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
  byUS(Ax.equivReflexive)
)

Likewise, for proving

x>5 |- !([x:=x+1; ++ x:=0;]x>=6) | x<2

it is enough to point to the highlighted position

x>5 |- !([x:=x+1; ++ x:=0;]x>=6) | x<2

and using the Ax.choiceb axiom fact [a;++b;]p(||) <-> [a;]p(||) & [b;]p(||) to reduce the proof to a proof of

x>5 |- !([x:=x+1;]x>6 & [x:=0;]x>=6) | x<2

which is, in turn, easy to prove by pointing to the assignments using Ax.assignbAxiom axioms and ultimately asking propositional logic.

More proofs by pointing are shown in edu.cmu.cs.ls.keymaerax.btactics.Ax source code.

Proof by Congruence

Proof by congruence is based on equivalence or equality or implicational rewriting within a context. This proof style can make quite quick inferences leading to significant progress using the CE, CQ, CT congruence proof rules or combinations thereof.

import TactixLibrary._
// |- x*(x+1)>=0 -> [y:=0;x:=__x^2+x__;]x>=y
val proof = TactixLibrary.proveBy("x*(x+1)>=0 -> [y:=0;x:=x^2+x;]x>=y".asFormula,
  CEat(proveBy("x*(x+1)=x^2+x".asFormula, QE)) (1, 1::0::1::1::Nil) &
  // |- x*(x+1)>=0 -> [y:=0;x:=__x*(x+1)__;]x>=y by CE/CQ using x*(x+1)=x^2+x at the indicated position
  // step uses top-level operator [;]
  stepAt(1, 1::Nil) &
  // |- x*(x+1)>=0 -> [y:=0;][x:=x*(x+1);]x>=y
  // step uses top-level operator [:=]
  stepAt(1, 1::Nil) &
  // |- x*(x+1)>=0 -> [x:=x*(x+1);]x>=0
  // step uses top-level [:=]
  stepAt(1, 1::Nil) &
  // |- x*(x+1)>=0 -> x*(x+1)>=0
  prop
)

Proof by congruence can also make use of a fact in multiple places at once by defining an appropriate context C:

import TactixLibrary._
val C = Context("x<5 & ⎵ -> [{x' = 5*x & ⎵}](⎵ & x>=1)".asFormula)
// |- x<5 & __x^2<4__ -> [{x' = 5*x & __x^2<4__}](__x^2<4__ & x>=1)
val proof = TactixLibrary.proveBy("x<5 & x^2<4 -> [{x' = 5*x & x^2<4}](x^2<4 & x>=1)".asFormula,
  CEat(proveBy("-2x^2<4".asFormula, QE), C) (1))
)
// |- x<5 & (__-2 [{x' = 5*x & __-2=1) by CE
println(proof.subgoals)

Proof by Chase

Proof by chase chases the expression at the indicated position forward until it is chased away or can't be chased further without critical choices. The canonical examples use edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.chase() to chase away differential forms:

import TactixLibrary._
val proof = TactixLibrary.proveBy("[{x'=22}](2*x+x*y>=5)'".asFormula,
 // chase the differential prime away in the postcondition
 chase(1, 1 :: Nil)
 // |- [{x'=22}]2*x'+(x'*y+x*y')>=0
)
// Remaining subgoals: |- [{x'=22}]2*x'+(x'*y+x*y')>=0
println(proof.subgoals)

import TactixLibrary._
val proof = TactixLibrary.proveBy("[{x'=22}](2*x+x*y>=5)' <-> [{x'=22}]2*x'+(x'*y+x*y')>=0".asFormula,
  // chase the differential prime away in the left postcondition
  chase(1, 0:: 1 :: Nil) &
  // |- [{x'=22}]2*x'+(x'*y+x*y')>=0 <-> [{x'=22}]2*x'+(x'*y+x*y')>=0
  byUS(Ax.equivReflexive)
)

Yet edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.chase() is also useful to chase away other operators, say, modalities:

import TactixLibrary._
// proof by chase of |- [?x>0;x:=x+1;x:=2*x; ++ ?x=0;x:=1;]x>=1
val proof = TactixLibrary.proveBy(
  "[?x>0;x:=x+1;x:=2*x; ++ ?x=0;x:=1;]x>=1".asFormula,
  // chase the box in the succedent away
  chase(1,Nil) &
  // |- (x>0->2*(x+1)>=1)&(x=0->1>=1)
  QE
)

Additional Mechanisms

Tactic framework for Hilbert-style Forward Tactics: Tactics are functions Provable=>Provable
- edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.ForwardTactic: Forward Hilbert-style tactics Provable=>Provable
- edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.ForwardPositionTactic: Positional forward Hilbert-style tactics Position=>(Provable=>Provable)
- edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus: Forward Hilbert-style tactic combinators.

Definition Classes: keymaerax
To do: Expand descriptions
See also: Andre Platzer. A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning, 59(2), pp. 219-266, 2017.
edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary
edu.cmu.cs.ls.keymaerax.btactics.HilbertCalculus
edu.cmu.cs.ls.keymaerax.btactics.SequentCalculus
edu.cmu.cs.ls.keymaerax.btactics.HybridProgramCalculus
edu.cmu.cs.ls.keymaerax.btactics.DifferentialEquationCalculus
edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus

package arithmetic

Definition Classes: btactics

package cexsearch

Definition Classes: btactics

package coasterx

Definition Classes: btactics

package components

Definition Classes: btactics

package dRL

Definition Classes: btactics

package helpers

Helper functions for implementing tactics.

Helper functions for implementing tactics. Note that these are **not** themselves tactics.

Definition Classes: btactics
See also: helpers.DifferentialHelper Differential Equation-specific program helpers.
helpers.ProgramHelpers Hybrid Program helpers that are not specific to Differential Equations.

package macros

Definition Classes: btactics

package robustify

Definition Classes: btactics

AnonymousLemmas

Approximator

ArithmeticLibrary

ArithmeticSimplification

AxIndex

AxiomaticODESolver

BelleLabels

BelleREPL

Bifurcation

Case

ConfigurableGenerator

DebuggingTactics

DefaultTacticIndex

DerivationInfoRegistry

Derive

DifferentialDecisionProcedures

DifferentialEquationCalculus

DifferentialSaturation

FOQuantifierTactics

FixedGenerator

Generator

HilbertCalculus

HybridProgramCalculus

Idioms

ImplicitAx

Integrator

IntegratorODESolverTool

IntervalArithmeticV2

InvGenTool

InvariantGenerator

InvariantProvers

IsabelleSyntax

Kaisar

MathematicaToolProvider

ModelPlex

ModelPlexConjecture

ModelPlexTrait

MonomialOrders

MultiToolProvider

NanoTimer

NoTimer

NoneToolProvider

ODEInvariance

ODELiveness

ODEStability

PolynomialArith

PolynomialArithV2

PolynomialArithV2Helpers

PolynomialRing

PreferredToolProvider

RicattiEquation

RicattiSystem

SOSSolve

SequentCalculus

Simplifier

SimplifierV2

SimplifierV3

SwitchedSystems

TacticFactory

TacticHelper

TacticIndex

TactixInit

TactixLibrary

TaylorModelArith

TaylorModelOptions

TaylorModelTactics

TimeStepOptions

Timer

ToolProvider

Transitivity

TwoThreeTreePolynomialRing

UnifyUSCalculus

WolframEngineToolProvider

WolframScriptToolProvider

WolframToolProvider

Z3ToolProvider

edu.cmu.cs.ls.keymaerax.btactics

ModelPlex

object ModelPlex extends ModelPlexTrait with Logging

ModelPlex: Verified runtime validation of verified cyber-physical system models.

See also: Stefan Mitsch and André Platzer. ModelPlex: Verified runtime validation of verified cyber-physical system models. Formal Methods in System Design, 42 pp. 2016. Special issue for selected papers from RV'14.
Stefan Mitsch and André Platzer. ModelPlex: Verified runtime validation of verified cyber-physical system models. In Borzoo Bonakdarpour and Scott A. Smolka, editors, Runtime Verification - 5th International Conference, RV 2014, Toronto, ON, Canada, September 22-25, 2014. Proceedings, volume 8734 of LNCS, pages 199-214. Springer, 2014.

Linear Supertypes

Logging, LazyLogging, LoggerHolder, ModelPlexTrait, (List[Variable], Symbol) ⇒ (Formula) ⇒ Formula, AnyRef, Any

Ordering

Alphabetic
By Inheritance

Inherited

ModelPlex
Logging
LazyLogging
LoggerHolder
ModelPlexTrait
Function2
AnyRef
Any

Hide All
Show All

Visibility

Public
All

Value Members

final def !=(arg0: Any): Boolean

Definition Classes
AnyRef → Any
final def ##(): Int

Definition Classes
AnyRef → Any
final def ==(arg0: Any): Boolean

Definition Classes
AnyRef → Any
val INDEXED_POST_VAR: (Variable) ⇒ Variable
Returns the post variable of v identified by index increase.
Returns the post variable of v identified by index increase.

Definition Classes
ModelPlexTrait
val NAMED_POST_VAR: (Variable) ⇒ Variable
Returns the post variable of v identified by name postfix post.
Returns the post variable of v identified by name postfix post.

Definition Classes
ModelPlexTrait
def apply(vars: List[Variable], kind: Symbol, checkProvable: Option[(ProvableSig) ⇒ Unit]): (Formula) ⇒ Formula
Synthesize the ModelPlex (Controller) Monitor for the given formula for monitoring the given variable.
Synthesize the ModelPlex (Controller) Monitor for the given formula for monitoring the given variable. @ param kind The kind of monitor, either 'ctrl or 'model.
checkProvable
true to check the Provable proof certificates (recommended).

Definition Classes
ModelPlex → ModelPlexTrait
def apply(formula: Formula, kind: Symbol, checkProvable: Option[(ProvableSig) ⇒ Unit] = Some(_ => ()), unobservable: ListMap[_ <: NamedSymbol, Option[Formula]] = ListMap.empty): Formula
Synthesize the ModelPlex (Controller) Monitor for the given formula for monitoring the given variable.
Synthesize the ModelPlex (Controller) Monitor for the given formula for monitoring the given variable.

Definition Classes
ModelPlex → ModelPlexTrait
def apply(vars: List[Variable], kind: Symbol): (Formula) ⇒ Formula

Definition Classes
ModelPlexTrait → Function2
def applyAtAllODEs(t: DependentPositionTactic): DependentPositionTactic
Applies tatic t at all ODEs underneath this tactic's position.
final def asInstanceOf[T0]: T0

Definition Classes
Any
lazy val chaseEulerAssignments: DependentPositionTactic
Chases remaining assignments.
def chaseToTests(combineTests: Boolean): BuiltInPositionTactic
def clone(): AnyRef

Attributes
protected[java.lang]
Definition Classes
AnyRef
Annotations
@native() @throws( ... )
def controllerMonitorByChase: BuiltInPositionTactic
Returns a tactic to derive a controller monitor in axiomatic style using forward chase.
Returns a tactic to derive a controller monitor in axiomatic style using forward chase. The tactic is designed to operate on input produced by createMonitorSpecificationConjecture.
returns
The tactic.
Definition Classes
ModelPlex → ModelPlexTrait
Examples:
1. |- xpost=1 ------------------------------controllerMonitorByChase(1) |- <{x:=1; {x'=2}}*>xpost=x
  In order to produce the result above, the tactic performs intermediate steps as follows.
2. |- xpost=1 ------------------------------true& |- (true & xpost=1) ------------------------------<:=> assign |- <x:=1;>(true & xpost=x) ------------------------------DX diamond differential skip |- <x:=1; {x'=2}>xpost=x ------------------------------<*> approx |- <{x:=1; {x'=2}}*>xpost=x
See also
createMonitorSpecificationConjecture
def controllerMonitorT: DependentPositionTactic
Returns a backward tactic for deriving controller monitors.
Returns a backward tactic for deriving controller monitors.

Definition Classes
ModelPlex → ModelPlexTrait
def createMonitorCorrectnessConjecture(vars: List[Variable], kind: Symbol, checkProvable: Option[(ProvableSig) ⇒ Unit], unobservable: ListMap[_ <: NamedSymbol, Option[Formula]]): (Formula) ⇒ Formula
Conjecture for double-checking a monitor formula for correctness: assumptions -> (monitor -> < prg; >Upsilon).
def createMonitorSpecificationConjecture(fml: Formula, vars: List[Variable], unobservable: ListMap[_ <: NamedSymbol, Option[Formula]], postVar: (Variable) ⇒ Variable = NAMED_POST_VAR): ModelPlexConjecture
Construct ModelPlex monitor specification conjecture corresponding to given formula.
Construct ModelPlex monitor specification conjecture corresponding to given formula.
fml
A formula of the form p -> [a]q, which was proven correct.
vars
A list of variables V, superset of BV(a).
unobservable
Unobservable variables/parameters and their optional estimation (e.g., from a sensor), keys subset of vars ++ any fns.
returns
A tuple of monitor conjecture and assumptions

Definition Classes
ModelPlex → ModelPlexTrait
See also
Mitsch, Platzer: ModelPlex (Definition 3, Lemma 4, Corollary 1).
def createNonlinearModelApprox(name: String, tactic: BelleExpr, defs: Declaration): (Expression) ⇒ (Formula, BelleExpr)
Creates a model with the ODE approximated by the evolution domain and diff.
Creates a model with the ODE approximated by the evolution domain and diff. invariants from the tactic. Returns the adapted model and a tactic to proof safety from the original proof.
def createSandbox(name: String, tactic: BelleExpr, fallback: Option[Program], kind: Symbol, checkProvable: Option[(ProvableSig) ⇒ Unit], synthesizeProofs: Boolean, defs: Declaration, postVar: (Variable) ⇒ Variable = NAMED_POST_VAR): (Formula) ⇒ ((Formula, BelleExpr), List[(String, Formula, BelleExpr)])
Creates a sandbox safety conjecture from a formula of the shape init->[?bounds;{ctrl;plant}*]safe.
Creates a sandbox safety conjecture from a formula of the shape init->[?bounds;{ctrl;plant}*]safe. The sandbox embeds an (unverified) external controller in monitor checks of kind. It approximates the external controller behavior with nondeterministic values for each of the bound variables in ctrl. Input to the external controller is measured with nondeterministic values for each of the bound variables in plant, but restricted to those satisfying the evolution domain constraints and invariants of the plant. If the monitor is satisfied, the external controller's decision are actuated. Otherwise (monitor unsatisfied) fallback (if specified, ctrl by default) is executed.
tactic
The tactic used to prove safety of the original model.
fallback
The fallback controller to embed in the sandbox, ctrl by default.
kind
The kind of monitor to derive (controller or model monitor).
checkProvable
Whether or not to check the ModelPlex provable.
returns
The sandbox formula with a tactic to prove it, and a list of lemmas used in the proof.
def createSlidingMonitorSpec(fml: Formula, vars: List[Variable], unobservable: ListMap[_ <: NamedSymbol, Option[Formula]], windowSize: Int): (Formula, List[Formula])
Construct ModelPlex monitor specification conjecture corresponding to given formula for parameter estimation over a sliding window.
Construct ModelPlex monitor specification conjecture corresponding to given formula for parameter estimation over a sliding window.
fml
A formula of the form p -> [a]q, which was proven correct.
vars
A list of variables V, superset of BV(a).
unobservable
Unobservable variables/parameters and their optional estimation (e.g., from a sensor), keys subset of vars, any fns.
windowSize
Size of sliding window for parameter estimation.
returns
A tuple of monitor conjecture and assumptions
def curried: (List[Variable]) ⇒ (Symbol) ⇒ (Formula) ⇒ Formula

Definition Classes
Function2
Annotations
@unspecialized()
def diamondDiffSolve2DT: DependentPositionTactic
Returns a tactic to solve two-dimensional differential equations.
Returns a tactic to solve two-dimensional differential equations. Introduces constant function symbols for variables that do not change in the ODE, before it hands over to the actual diff. solution tactic.
returns
The tactic.

Definition Classes
ModelPlex → ModelPlexTrait
def diamondTestRetainConditionT: DependentPositionTactic
Returns a modified test tactic for axiom <?H>p <-> H & (H->p)
Returns a modified test tactic for axiom <?H>p <-> H & (H->p)
returns
The tactic.
Definition Classes
ModelPlex → ModelPlexTrait
Example:
1. |- x>0 & (x>0 -> [x'=x]x>0) ---------------------------diamondTestRetainCondition |- <?x>0>[x'=x]x>0
Note
Unused so far, for deriving prediction monitors where DI is going to rely on knowledge from prior tests.
final def eq(arg0: AnyRef): Boolean

Definition Classes
AnyRef
def equals(arg0: Any): Boolean

Definition Classes
AnyRef → Any
def eulerAllIn: DependentPositionTactic
Euler-approximates all atomic ODEs somewhere underneath pos
def eulerSystemAllIn: DependentPositionTactic
Euler-approximates all ODEs somewhere underneath pos.
Euler-approximates all ODEs somewhere underneath pos. Systematic tactic, but not a proof.
def finalize(): Unit

Attributes
protected[java.lang]
Definition Classes
AnyRef
Annotations
@throws( classOf[java.lang.Throwable] )
def flipUniversalEulerQuantifiers(fml: Formula): Formula
Unsound approximation step
final def getClass(): Class[_]

Definition Classes
AnyRef → Any
Annotations
@native()
def hashCode(): Int

Definition Classes
AnyRef → Any
Annotations
@native()
final def isInstanceOf[T0]: Boolean

Definition Classes
Any
def locateT(tactics: List[AtPosition[_ <: BelleExpr]]): DependentPositionTactic
Performs a tactic from the list of tactics that is applicable somewhere underneath position p in sequent s, taking the outermost such sub-position of p.
Performs a tactic from the list of tactics that is applicable somewhere underneath position p in sequent s, taking the outermost such sub-position of p. Formulas only.
tactics
The list of tactics.
returns
The tactic.
Definition Classes
ModelPlex → ModelPlexTrait
Example:
1. |- a=1 & (<x:=2;>x+y>0 & <y:=3;>x+y>0) ---------------------------------------locateT(diamondSeqT :: diamondChoiceT :: Nil)(1) |- a=1 & <x:=2; ++ y:=3;>x+y>0
lazy val logger: Logger

Attributes
protected
Definition Classes
LazyLogging → LoggerHolder
final val loggerName: String

Attributes
protected
Definition Classes
LoggerHolder
def modelMonitorByChase(ode: DependentPositionTactic): DependentPositionTactic
lazy val modelMonitorByChase: DependentPositionTactic
Returns a tactic to derive a model monitor in axiomatic style using forward chase + diffSolve.
Returns a tactic to derive a model monitor in axiomatic style using forward chase + diffSolve. The tactic is designed to operate on input produced by createMonitorSpecificationConjecture.
returns
The tactic.

See also
createMonitorSpecificationConjecture
def modelMonitorT: DependentPositionTactic
Returns a backward tactic for deriving model monitors.
Returns a backward tactic for deriving model monitors.

Definition Classes
ModelPlex → ModelPlexTrait
def modelplexAxiomaticStyle(unprog: DependentPositionTactic): DependentPositionTactic
ModelPlex backward proof tactic for axiomatic-style monitor synthesis, i.e., avoids proof branching as occuring in the sequent-style synthesis technique.
ModelPlex backward proof tactic for axiomatic-style monitor synthesis, i.e., avoids proof branching as occuring in the sequent-style synthesis technique. The tactic 'unprog' determines what kind of monitor (controller monitor, model monitor) to synthesize. Operates on monitor specification conjectures.
unprog
A tactic for a specific monitor type (either controller monitor or model monitor).

Definition Classes
ModelPlex → ModelPlexTrait
See also
createMonitorSpecificationConjecture
controllerMonitorT
modelMonitorT
def modelplexSequentStyle: DependentPositionTactic
ModelPlex sequent-style synthesis technique, i.e., with branching so that the tactic can operate on top-level operators.
ModelPlex sequent-style synthesis technique, i.e., with branching so that the tactic can operate on top-level operators. Operates on monitor specification conjectures.
returns
The tactic.

Definition Classes
ModelPlex → ModelPlexTrait
def mxAbbreviateFunctions(fml: Formula, defs: Declaration): (Formula, USubst)
Abbreviates functions to nullary function symbols if all their arguments are free in fml, expand according to defs the functions that have at least one if their arguments bound.
Abbreviates functions to nullary function symbols if all their arguments are free in fml, expand according to defs the functions that have at least one if their arguments bound. Returns the formula with abbreviated/expanded functions, and the substitutions telling which functions were expanded/abbreviated how.
def mxAutoInstantiate(assumptions: List[Formula], unobservable: List[_ <: NamedSymbol], simplifier: Option[BuiltInPositionTactic]): InputTactic
def mxAutoInstantiate(assumptions: List[Formula]): InputTactic

Annotations
@Tactic( x$14 , x$15 , x$13 , x$16 , x$17 , x$18 , x$19 , x$20 , x$21 , x$22 , x$23 , x$24 )
def mxFormatShape(shape: String): InputTactic

Annotations
@Tactic( x$26 , x$27 , x$25 , x$28 , x$29 , x$30 , x$31 , x$32 , x$33 , x$34 , x$35 , x$36 )
def mxPartialQE(fmlAlts: List[Formula], defs: Declaration, tool: QETacticTool, verified: Boolean = true): ProvableSig
def mxPartialQE(fml: Formula, defs: Declaration, tool: QETacticTool): ProvableSig
Partial QE on a formula that first expands/abbreviates all uninterpreted symbols and then substitutes back in on the result.
lazy val mxSimplify: BuiltInPositionTactic
Simplifies reflexive comparisons and implications/conjunctions/disjunctions with true.
def mxSynthesize(kind: String): InputTactic

Annotations
@Tactic( x$2 , x$3 , x$1 , x$4 , x$5 , x$6 , x$7 , x$8 , x$9 , x$10 , x$11 , x$12 )
final def ne(arg0: AnyRef): Boolean

Definition Classes
AnyRef
def normalizeInputFormula(f: Formula): Formula
Normalizes formula f into the shape A -> [a;]S.
final def notify(): Unit

Definition Classes
AnyRef
Annotations
@native()
final def notifyAll(): Unit

Definition Classes
AnyRef
Annotations
@native()
def optimizationOneWithSearch(tool: Option[SimplificationTool], assumptions: List[Formula], unobservable: List[_ <: NamedSymbol], simplifier: Option[BuiltInPositionTactic], postVar: (Variable) ⇒ Variable = NAMED_POST_VAR): DependentPositionTactic
Opt.
Opt. 1 from Mitsch, Platzer: ModelPlex, i.e., instantiates existential quantifiers with an equal term phrased somewhere in the quantified formula.
Definition Classes
ModelPlex → ModelPlexTrait
Example:
1. |- xpost>0 & xpost=xpost ------------------------------optimizationOneWithSearch |- \exists x x>0 & xpost=x
def partitionUnobservable(unobservable: ListMap[_ <: NamedSymbol, Option[Formula]]): (ListMap[Variable, Option[Formula]], ListMap[(Function, Variable), Option[Formula]], ListMap[(Function, Variable), Option[Formula]])
Partitions the unobservable symbols into unobservable state variables and unknown model parameters.
lazy val simplForall1: Lemma
lazy val simplForall2: Lemma
def stepwisePartialQE(fml: Formula, assumptions: List[Formula], defs: Declaration, tool: QETacticTool with SimplificationTool, preQE: (Formula, Int) ⇒ Unit = (_, _) => {}, postQE: (Formula, Int) ⇒ Unit = (_, _) => {}): ProvableSig
Splits into separate partial QE calls and merges results.
final def synchronized[T0](arg0: ⇒ T0): T0

Definition Classes
AnyRef
def toMetric(fml: Formula): Formula
Turns the formula fml into a single inequality.
def toString(): String

Definition Classes
Function2 → AnyRef → Any
def tupled: ((List[Variable], Symbol)) ⇒ (Formula) ⇒ Formula

Definition Classes
Function2
Annotations
@unspecialized()
def unrollLoop(n: Int): DependentPositionTactic
Unrolls diamond loops
final def wait(): Unit

Definition Classes
AnyRef
Annotations
@throws( ... )
final def wait(arg0: Long, arg1: Int): Unit

Definition Classes
AnyRef
Annotations
@throws( ... )
final def wait(arg0: Long): Unit

Definition Classes
AnyRef
Annotations
@native() @throws( ... )

Packages

KeYmaera X: An aXiomatic Tactical Theorem Prover

Package Structure

Entry Points

References

Proof Styles

Explicit Proof Certificates

Explicit Proofs

Proof by Search

Proof by Pointing

Proof by Congruence

Proof by Chase

Additional Mechanisms

ModelPlex

object ModelPlex extends ModelPlexTrait with Logging

Value Members

Inherited from Logging

Inherited from LazyLogging

Inherited from LoggerHolder

Inherited from ModelPlexTrait

Inherited from (List[Variable], Symbol) ⇒ (Formula) ⇒ Formula

Inherited from AnyRef

Inherited from Any

Ungrouped

Packages

KeYmaera X: An aXiomatic Tactical Theorem Prover

Package Structure

Entry Points

References

Proof Styles

Explicit Proof Certificates

Explicit Proofs

Proof by Search

Proof by Pointing

Proof by Congruence

Proof by Chase

Additional Mechanisms

ModelPlex 

object ModelPlex extends ModelPlexTrait with Logging

Value Members

Inherited from Logging

Inherited from LazyLogging

Inherited from LoggerHolder

Inherited from ModelPlexTrait

Inherited from (List[Variable], Symbol) ⇒ (Formula) ⇒ Formula

Inherited from AnyRef

Inherited from Any

Ungrouped

ModelPlex