Packages

  • package root

    KeYmaera X is a theorem prover for differential dynamic logic (dL), a logic for specifying and verifying properties of hybrid systems with mixed discrete and continuous dynamics.

    KeYmaera X: An aXiomatic Tactical Theorem Prover

    KeYmaera X is a theorem prover for differential dynamic logic (dL), a logic for specifying and verifying properties of hybrid systems with mixed discrete and continuous dynamics. Reasoning about complicated hybrid systems requires support for sophisticated proof techniques, efficient computation, and a user interface that crystallizes salient properties of the system. KeYmaera X allows users to specify custom proof search techniques as tactics, execute tactics in parallel, and interface with partial proofs via an extensible user interface.

    http://keymaeraX.org/

    Concrete syntax for input language Differential Dynamic Logic

    Package Structure

    Main documentation entry points for KeYmaera X API:

    Additional entry points and usage points for KeYmaera X API:

    References

    Full references are provided elsewhere http://keymaeraX.org/, the main references are the following:

    1. André Platzer. A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning, 59(2), pp. 219-265, 2017.

    2. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp and André Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, LNCS. Springer, 2015.

    3. André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, 2018.

    Definition Classes
    root
  • package edu
    Definition Classes
    root
  • package cmu
    Definition Classes
    edu
  • package cs
    Definition Classes
    cmu
  • package ls
    Definition Classes
    cs
  • package keymaerax
    Definition Classes
    ls
  • package api

    Scala API for proof and tactics management etc.

    Scala API for proof and tactics management etc.

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

  • package bellerophon

    Bellerophon tactics language framework.

    Bellerophon tactics language framework. This package includes

    All Bellerophon tactic expressions are of type edu.cmu.cs.ls.keymaerax.bellerophon.BelleExpr, which provides the following tactic combinators

    • s & t sequential composition executes t on the output of s, failing if either fail.
    • s | t alternative composition executes t if applying s fails, failing if both fail.
    • t* saturating repetition executes tactic t repeatedly to a fixpoint, casting result to type annotation, diverging if no fixpoint.
    • t*n bounded repetition executes t tactic n number of times, failing if any of those repetitions fail.
    • t+ saturating repetition executes tactic t to a fixpoint, requires at least one successful application.
    • <(e1,...,en) branching to run tactic ei on branch i, failing if any of them fail or if there are not exactly n branches.
    • case _ of {fi => ei} uniform substitution case pattern applies the first ei such that fi uniformly substitutes to current provable for which ei does not fail, fails if the ei of all matching fi fail.
    • t partial partial tactic marker marks that tactic t is allowed to not close all its goals.

    Positional tactics support flexible modes of identifying what position to apply them to via edu.cmu.cs.ls.keymaerax.bellerophon.AtPosition. Applying a positional tactic t at a position supports many different ways of specifying the position:

    • t(1) applied at the first succedent formula.
    • t(-1) applied at the first antecedent formula.
    • t(-4, 0::1::1::Nil) applied at subexpression positioned at .0.1.1 of the fourth antecedent formula, that is at the second child of the second child of the first child of the fourth antecedent formula in the sequent.
    • t('L) applied at the first applicable position in the antecedent (left side of the sequent).
    • t('R) applied at the first applicable position in the succedent (right side of the sequent).
    • t('_) applied at the first applicable position in the side of the sequent to which tactic t applies. The side of the sequent is uniquely determined by type of tactic.
    • t('Llast) applied at the last antecedent position (left side of the sequent).
    • t('Rlast) applied at the last succedent position (right side of the sequent).

    In addition, the formulas expected or sought for at the respective positions identified by the locators can be provided, which is useful for tactic contract and tactic documentation purposes. It is also useful for finding a corresponding formula by pattern matching.

    • t(2, fml) applied at the second succedent formula, ensuring that the formula fml is at that position.
    • t(-2, fml) applied at the second antecedent formula, ensuring that the formula fml is at that position.
    • t(5, 0::1::1::Nil, ex) applied at subexpression positioned at .0.1.1 of the fifth succedent formula, that is at the second child of the second child of the first child of the fifth succcedent formula in the sequent, ensuring that the expression ex is at that position.
    • t('L, fml) applied at the antecedent position (left side of the sequent) where the expected formula fml can be found (on the top level).
    • t('R, fml) applied at the succedent position (right side of the sequent) where the expected formula fml can be found (on the top level).
    • t('_, fml) applied at the suitable position (uniquely determined by type of tactic) where the expected formula fml can be found (on the top level).
    Definition Classes
    keymaerax
    See also

    Nathan Fulton, Stefan Mitsch, Brandon Bohrer and Andre Platzer. Bellerophon: Tactical theorem proving for hybrid systems. In Mauricio Ayala-Rincon and Cesar Munoz, editors, Interactive Theorem Proving, International Conference, ITP 2017, volume 10499 of LNCS. Springer, 2017.

  • package btactics

    Tactic library in the Bellerophon tactic language.

    Tactic library in the Bellerophon tactic language.

    All tactics are implemented in the Bellerophon tactic language, including its dependent tactics, which ultimately produce edu.cmu.cs.ls.keymaerax.core.Provable proof certificates by the Bellerophon interpreter. The Provables that tactics produce can be extracted, for example, with edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.proveBy().

    Proof Styles

    KeYmaera X supports many different proof styles, including flexible combinations of the following styles:

    1. Explicit proof certificates directly program the proof rules from the core.

    2. Explicit proofs use tactics to describe a proof directly mentioning all or most proof steps.

    3. Proof by search relies mainly on proof search with occasional additional guidance.

    4. Proof by pointing points out facts and where to use them.

    5. Proof by congruence is based on equivalence or equality or implicational rewriting within a context.

    6. Proof by chase is based on chasing away operators at an indicated position.

    Explicit Proof Certificates

    The most explicit types of proofs can be constructed directly using the edu.cmu.cs.ls.keymaerax.core.Provable certificates in KeYmaera X's kernel without using any tactics. Also see edu.cmu.cs.ls.keymaerax.core.

    import edu.cmu.cs.ls.keymaerax.core._
    // explicit proof certificate construction of |- !!p() <-> p()
    val proof = (Provable.startProof(
      Sequent(IndexedSeq(), IndexedSeq("!!p() <-> p()".asFormula)))
      (EquivRight(SuccPos(0)), 0)
      // right branch
        (NotRight(SuccPos(0)), 1)
        (NotLeft(AntePos(1)), 1)
        (Close(AntePos(0),SuccPos(0)), 1)
      // left branch
        (NotLeft(AntePos(0)), 0)
        (NotRight(SuccPos(1)), 0)
        (Close(AntePos(0),SuccPos(0)), 0)
    )
    Explicit Proofs

    Explicit proofs construct similarly explicit proof steps, just with explicit tactics from TactixLibrary: The only actual difference is the order of the branches, which is fixed to be from left to right in tactic branching. Tactics also use more elegant signed integers to refer to antecedent positions (negative) or succedent positions (positive).

    import TactixLibrary._
    // Explicit proof tactic for |- !!p() <-> p()
    val proof = TactixLibrary.proveBy("!!p() <-> p()".asFormula,
       equivR(1) & <(
         (notL(-1) &
           notR(2) &
           closeId)
         ,
         (notR(1) &
           notL(-2) &
           closeId)
         )
     )
    Proof by Search

    Proof by search primarily relies on proof search procedures to conduct a proof. That gives very short proofs but, of course, they are not always entirely informative about how the proof worked. It is easiest to see in simple situations where propositional logic proof search will find a proof but works well in more general situations, too.

    import TactixLibrary._
    // Proof by search of |- (p() & q()) & r() <-> p() & (q() & r())
    val proof = TactixLibrary.proveBy("(p() & q()) & r() <-> p() & (q() & r())".asFormula,
       prop
    )

    Common tactics for proof by search include edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.prop(), edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.master() and the like.

    Proof by Pointing

    Proof by pointing emphasizes the facts to use and is implicit about the details on how to use them exactly. Proof by pointing works by pointing to a position in the sequent and using a given fact at that position. For example, for proving

    ⟨v:=2*v+1;⟩v!=0 <-> 2*v+1!=0

    it is enough to point to the highlighted position using the "<> diamond" axiom fact ![a;]!p(||) <-> ⟨a;⟩p(||) at the highlighted position to reduce the proof to a proof of

    ![v:=2*v+1;]!(v!=0) <-> 2*v+1!=0

    which is, in turn, easy to prove by pointing to the highlighted position using the "[:=] assign" axiom [x:=t();]p(x) <-> p(t()) at the highlighted position to reduce the proof to

    !!(2*v+1!=0) <-> 2*v+1!=0

    Finally, using double negation !!p() <-> p() at the highlighted position yields the following

    2*v+1!=0 <-> 2*v+1!=0

    which easily proves by reflexivity p() <-> p().

    Proof by pointing matches the highlighted position against the highlighted position in the fact and does what it takes to use that knowledge. There are multiple variations of proof by pointing in edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.useAt and edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.byUS, which are also imported into edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary. The above proof by pointing implements directly in KeYmaera X:

    import TactixLibrary._
    // Proof by pointing of  |- <v:=2*v+1;>v!=0 <-> 2*v+1!=0
    val proof = TactixLibrary.proveBy("<v:=2*v+1;>q(v) <-> q(2*v+1)".asFormula,
      // use "<> diamond" axiom backwards at the indicated position on
      // |- __<v:=2*v+1;>q(v)__ <-> q(2*v+1)
      useExpansionAt("<> diamond")(1, 0::Nil) &
      // use "[:=] assign" axiom forward at the indicated position on
      // |- !__[v:=2*v+1;]!q(v)__ <-> q(2*v+1)
      useAt("[:=] assign")(1, 0::0::Nil) &
      // use double negation at the indicated position on
      // |- __!!q(2*v+1)__ <-> q(2*v+1)
      useAt("!! double negation")(1, 0::Nil) &
      // close by (an instance of) reflexivity |- p() <-> p()
      // |- q(2*v+1) <-> q(2*v+1)
      byUS("<-> reflexive")
    )

    Another example is:

    import TactixLibrary._
    // Proof by pointing of  |- <a;++b;>p(x) <-> (<a;>p(x) | <b;>p(x))
    val proof = TactixLibrary.proveBy("<a;++b;>p(x) <-> (<a;>p(x) | <b;>p(x))".asFormula,
      // use "<> diamond" axiom backwards at the indicated position on
      // |- __<a;++b;>p(x)__  <->  <a;>p(x) | <b;>p(x)
      useExpansionAt("<> diamond")(1, 0::Nil) &
      // use "[++] choice" axiom forward at the indicated position on
      // |- !__[a;++b;]!p(x)__  <->  <a;>p(x) | <b;>p(x)
      useAt("[++] choice")(1, 0::0::Nil) &
      // use "<> diamond" axiom forward at the indicated position on
      // |- !([a;]!p(x) & [b;]!p(x))  <->  __<a;>p(x)__ | <b;>p(x)
      useExpansionAt("<> diamond")(1, 1::0::Nil) &
      // use "<> diamond" axiom forward at the indicated position on
      // |- !([a;]!p(x) & [b;]!p(x))  <->  ![a;]!p(x) | __<b;>p(x)__
      useExpansionAt("<> diamond")(1, 1::1::Nil) &
      // use propositional logic to show
      // |- !([a;]!p(x) & [b;]!p(x))  <->  ![a;]!p(x) | ![b;]!p(x)
      prop
    )

    edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary.stepAt also uses proof by pointing but figures out the appropriate fact to use on its own. Here's a similar proof:

    import TactixLibrary._
    // Proof by pointing with steps of  |- ⟨a++b⟩p(x) <-> (⟨a⟩p(x) | ⟨b⟩p(x))
    val proof = TactixLibrary.proveBy("p(x) <-> (p(x) | p(x))".asFormula,
      // use "<> diamond" axiom backwards at the indicated position on
      // |- __⟨a++b⟩p(x)__  <->  ⟨a⟩p(x) | ⟨b⟩p(x)
      useExpansionAt("<> diamond")(1, 0::Nil) &
      // |- !__[a;++b;]!p(x)__  <->  ⟨a⟩p(x) | ⟨b⟩p(x)
      // step "[++] choice" axiom forward at the indicated position
      stepAt(1, 0::0::Nil) &
      // |- __!([a;]!p(x) & [b;]!p(x))__  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
      // step deMorgan forward at the indicated position
      stepAt(1, 0::Nil) &
      // |- __![a;]!p(x)__ | ![b;]!p(x)  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
      // step "<> diamond" forward at the indicated position
      stepAt(1, 0::0::Nil) &
      // |- ⟨a⟩p(x) | __![b;]!p(x)__  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
      // step "<> diamond" forward at the indicated position
      stepAt(1, 0::1::Nil) &
      // |- ⟨a⟩p(x) | ⟨b⟩p(x)  <-> ⟨a⟩p(x) | ⟨b⟩p(x)
      byUS("<-> reflexive")
    )

    Likewise, for proving

    x>5 |- !([x:=x+1; ++ x:=0;]x>=6) | x<2

    it is enough to point to the highlighted position

    x>5 |- !([x:=x+1; ++ x:=0;]x>=6) | x<2

    and using the "[++] choice" axiom fact [a;++b;]p(||) <-> [a;]p(||) & [b;]p(||) to reduce the proof to a proof of

    x>5 |- !([x:=x+1;]x>6 & [x:=0;]x>=6) | x<2

    which is, in turn, easy to prove by pointing to the assignments using "[:=] assign" axioms and ultimately asking propositional logic.

    More proofs by pointing are shown in edu.cmu.cs.ls.keymaerax.btactics.DerivedAxioms source code.

    Proof by Congruence

    Proof by congruence is based on equivalence or equality or implicational rewriting within a context. This proof style can make quite quick inferences leading to significant progress using the CE, CQ, CT congruence proof rules or combinations thereof.

    import TactixLibrary._
    // |- x*(x+1)>=0 -> [y:=0;x:=__x^2+x__;]x>=y
    val proof = TactixLibrary.proveBy("x*(x+1)>=0 -> [y:=0;x:=x^2+x;]x>=y".asFormula,
      CEat(proveBy("x*(x+1)=x^2+x".asFormula, QE)) (1, 1::0::1::1::Nil) &
      // |- x*(x+1)>=0 -> [y:=0;x:=__x*(x+1)__;]x>=y by CE/CQ using x*(x+1)=x^2+x at the indicated position
      // step uses top-level operator [;]
      stepAt(1, 1::Nil) &
      // |- x*(x+1)>=0 -> [y:=0;][x:=x*(x+1);]x>=y
      // step uses top-level operator [:=]
      stepAt(1, 1::Nil) &
      // |- x*(x+1)>=0 -> [x:=x*(x+1);]x>=0
      // step uses top-level [:=]
      stepAt(1, 1::Nil) &
      // |- x*(x+1)>=0 -> x*(x+1)>=0
      prop
    )

    Proof by congruence can also make use of a fact in multiple places at once by defining an appropriate context C:

    import TactixLibrary._
    val C = Context("x<5 & ⎵ -> [{x' = 5*x & ⎵}](⎵ & x>=1)".asFormula)
    // |- x<5 & __x^2<4__ -> [{x' = 5*x & __x^2<4__}](__x^2<4__ & x>=1)
    val proof = TactixLibrary.proveBy("x<5 & x^2<4 -> [{x' = 5*x & x^2<4}](x^2<4 & x>=1)".asFormula,
      CEat(proveBy("-2x^2<4".asFormula, QE), C) (1))
    )
    // |- x<5 & (__-2 [{x' = 5*x & __-2=1) by CE
    println(proof.subgoals)
    Proof by Chase

    Proof by chase chases the expression at the indicated position forward until it is chased away or can't be chased further without critical choices. The canonical examples use edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.chase() to chase away differential forms:

    import TactixLibrary._
    val proof = TactixLibrary.proveBy("[{x'=22}](2*x+x*y>=5)'".asFormula,
     // chase the differential prime away in the postcondition
     chase(1, 1 :: Nil)
     // |- [{x'=22}]2*x'+(x'*y+x*y')>=0
    )
    // Remaining subgoals: |- [{x'=22}]2*x'+(x'*y+x*y')>=0
    println(proof.subgoals)
    import TactixLibrary._
    val proof = TactixLibrary.proveBy("[{x'=22}](2*x+x*y>=5)' <-> [{x'=22}]2*x'+(x'*y+x*y')>=0".asFormula,
      // chase the differential prime away in the left postcondition
      chase(1, 0:: 1 :: Nil) &
      // |- [{x'=22}]2*x'+(x'*y+x*y')>=0 <-> [{x'=22}]2*x'+(x'*y+x*y')>=0
      byUS("<-> reflexive")
    )

    Yet edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus.chase() is also useful to chase away other operators, say, modalities:

    import TactixLibrary._
    // proof by chase of |- [?x>0;x:=x+1;x:=2*x; ++ ?x=0;x:=1;]x>=1
    val proof = TactixLibrary.proveBy(
      Sequent(IndexedSeq(), IndexedSeq("[?x>0;x:=x+1;x:=2*x; ++ ?x=0;x:=1;]x>=1".asFormula)),
      // chase the box in the succedent away
      chase(1,Nil) &
      // |- (x>0->2*(x+1)>=1)&(x=0->1>=1)
      QE
    )

    Additional Mechanisms

    Definition Classes
    keymaerax
    To do

    Expand descriptions

    See also

    edu.cmu.cs.ls.keymaerax.btactics.UnifyUSCalculus

    edu.cmu.cs.ls.keymaerax.btactics.HilbertCalculus

    edu.cmu.cs.ls.keymaerax.btactics.SequentCalculus

    edu.cmu.cs.ls.keymaerax.btactics.TactixLibrary

  • package codegen

    Code-generation tools to generate C-Code etc.

    Code-generation tools to generate C-Code etc. from expressions.

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

  • package core

    KeYmaera X Kernel: Soundness-critical core of the Axiomatic Tactical Theorem Prover KeYmaera X

    KeYmaera X Kernel: Soundness-critical core of the Axiomatic Tactical Theorem Prover KeYmaera X

    The KeYmaera X Kernel implements Differential Dynamic Logic and defines

    Usage Overview

    The KeYmaera X Kernel package provides the soundness-critical core of KeYmaera X. It provides ways of constructing proofs that, by construction, can only be constructed using the proof rules that the KeYmaera X Kernel provides. The proof tactics that KeYmaera X provides give you a more powerful and flexible and easier way of constructing and searching for proofs, but they internally reduce to what is shown here.

    Constructing Proofs

    The proof certificates of KeYmaera X are of type edu.cmu.cs.ls.keymaerax.core.Provable. edu.cmu.cs.ls.keymaerax.core.Provable.startProof begins a new proof of a edu.cmu.cs.ls.keymaerax.core.Sequent containing the conjectured differential dynamic logic formula. A proof rule of type edu.cmu.cs.ls.keymaerax.core.Rule can be applied to any subgoal of a edu.cmu.cs.ls.keymaerax.core.Provable by edu.cmu.cs.ls.keymaerax.core.Provable.apply to advance the proof until that Provable has been proved since edu.cmu.cs.ls.keymaerax.core.Provable.isProved is true. Subgoals are identified by integers.

    import scala.collection.immutable._
    val verum = new Sequent(IndexedSeq(), IndexedSeq(True))
    // conjecture
    val provable = Provable.startProof(verum)
    // construct a proof
    val proof = provable(CloseTrue(SuccPos(0)), 0)
    // check if proof successful, i.e. no remaining subgoals
    if (proof.isProved) println("Successfully proved " + proof.proved)

    Of course, edu.cmu.cs.ls.keymaerax.btactics make it much easier to describe proof search procedures compared to the above explicit proof construction. The tactics internally construct proofs this way, but add additional flexibility and provide convenient ways of expressing proof search strategies in a tactic language.

    Combining Proofs

    Multiple Provable objects for subderivations obtained from different sources can also be merged into a single Provable object by substitution with edu.cmu.cs.ls.keymaerax.core.Provable.apply()(edu.cmu.cs.ls.keymaerax.core.Provable,Int). The above example can be continued to merge proofs as follows:

    // ... continued from above
    val more = new Sequent(IndexedSeq(),
        IndexedSeq(Imply(Greater(Variable("x"), Number(5)), True)))
    // another conjecture
    val moreProvable = Provable.startProof(more)
    // construct another (partial) proof
    val moreProof = moreProvable(ImplyRight(SuccPos(0)), 0)(HideLeft(AntePos(0)), 0)
    // merge proofs by gluing their Provables together (substitution)
    val mergedProof = moreProof(proof, 0)
    // check if proof successful, i.e. no remaining subgoals
    if (mergedProof.isProved) println("Successfully proved " + mergedProof.proved)

    More styles for proof construction are shown in Provable's.

    Differential Dynamic Logic

    The language of differential dynamic logic is described in KeYmaera X by its syntax and static semantics.

    Syntax

    The immutable algebraic data structures for the expressions of differential dynamic logic are of type edu.cmu.cs.ls.keymaerax.core.Expression. Expressions are categorized according to their kind by the syntactic categories of the grammar of differential dynamic logic:

    1. terms are of type edu.cmu.cs.ls.keymaerax.core.Term of kind edu.cmu.cs.ls.keymaerax.core.TermKind

    2. formulas are of type edu.cmu.cs.ls.keymaerax.core.Formula of kind edu.cmu.cs.ls.keymaerax.core.FormulaKind

    3. hybrid programs are of type edu.cmu.cs.ls.keymaerax.core.Program of kind edu.cmu.cs.ls.keymaerax.core.ProgramKind

    4. differential programs are of type edu.cmu.cs.ls.keymaerax.core.DifferentialProgram of kind edu.cmu.cs.ls.keymaerax.core.DifferentialProgramKind

    See Section 2.1

    Static Semantics

    The static semantics of differential dynamic logic is captured in edu.cmu.cs.ls.keymaerax.core.StaticSemantics in terms of the free variables and bound variables that expressions have as well as their signatures (set of occurring symbols). See Section 2.4

    Theorem Prover

    The KeYmaera X Prover Kernel provides uniform substitutions, uniform and bound variable renaming, and axioms of differential dynamic logic. For efficiency, it also directly provides propositional sequent proof rules and Skolemization.

    Axioms

    The axioms and axiomatic rules of differential dynamic logic can be looked up with edu.cmu.cs.ls.keymaerax.core.Provable.axioms and edu.cmu.cs.ls.keymaerax.core.Provable.rules respectively. All available axioms are listed in edu.cmu.cs.ls.keymaerax.core.Provable.axioms, all available axiomatic rules are listed in edu.cmu.cs.ls.keymaerax.core.Provable.rules which both ultimately come from the file edu.cmu.cs.ls.keymaerax.core.AxiomBase. See Sections 4 and 5.0 Additional axioms are available as derived axioms and lemmas in edu.cmu.cs.ls.keymaerax.btactics.DerivedAxioms.

    Uniform Substitutions

    Uniform substitutions uniformly replace all occurrences of a given predicate p(.) by a formula in (.) and likewise for function symbols f(.) and program constants. Uniform substitutions and their application mechanism for differential dynamic logic are implemented in edu.cmu.cs.ls.keymaerax.core.USubst. See Section 3

    Uniform substitutions can be used on proof certificates with the edu.cmu.cs.ls.keymaerax.core.Provable.apply(edu.cmu.cs.ls.keymaerax.core.USubst), including uniform substitution instances of axioms or axiomatic rules. See Section 3

    Sequent Proof Rules

    All proof rules for differential dynamic logic, including the uniform substitution and bound variable renaming rules as well as efficient propositional sequent proof rules and Skolemization edu.cmu.cs.ls.keymaerax.core.Skolemize are all of type edu.cmu.cs.ls.keymaerax.core.Rule, which are the only proof rules that can ever be applied to a proof. See sequent calculus

    Additional Capabilities

    Lemma Mechanism

    A lemma storage mechanism and an interface to real arithmetic decision procedures are defined in edu.cmu.cs.ls.keymaerax.core.Lemma and edu.cmu.cs.ls.keymaerax.core.QETool.

    Error Reporting

    Errors from the prover core are reported as exceptions of type edu.cmu.cs.ls.keymaerax.core.ProverException whose main responsibility is to propagate problems in traceable ways to the user by augmenting them with contextual information. The prover core throws exceptions of type edu.cmu.cs.ls.keymaerax.core.CoreException.

    Set Lattice

    A data structure for sets (or rather lattice completions of sets) is provided in edu.cmu.cs.ls.keymaerax.core.SetLattice based on Scala's immutable sets.

    Definition Classes
    keymaerax
    Note

    Code Review 2016-08-17

    See also

    edu.cmu.cs.ls.keymaerax.core.Lemma

    edu.cmu.cs.ls.keymaerax.core.USubst

    edu.cmu.cs.ls.keymaerax.core.StaticSemantics

    edu.cmu.cs.ls.keymaerax.core.Expression

    edu.cmu.cs.ls.keymaerax.core.Provable

    Andre Platzer. Differential dynamic logic for hybrid systems. Journal of Automated Reasoning, 41(2), pages 143-189, 2008.

    Andre Platzer. The complete proof theory of hybrid systems. ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, June 25–28, 2012, Dubrovnik, Croatia, pages 541-550. IEEE 2012

    Andre Platzer. Logics of dynamical systems. ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, June 25–28, 2012, Dubrovnik, Croatia, pages 13-24. IEEE 2012

    Andre Platzer. Differential game logic. ACM Trans. Comput. Log. 17(1), 2015. arXiv 1408.1980

    Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Volp and Andre Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, LNCS. Springer, 2015.

    Andre Platzer. A uniform substitution calculus for differential dynamic logic. arXiv 1503.01981, 2015.

    Andre Platzer. Logical Foundations of Cyber-Physical Systems. Springer, 2018.

    Andre Platzer. A uniform substitution calculus for differential dynamic logic. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, LNCS. Springer, 2015. arXiv 1503.01981

    Andre Platzer. A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning, 59(2), pp. 219-266, 2017.

  • package fcpsutils

    (Course infrastructure helpers).

    (Course infrastructure helpers).

    Definition Classes
    keymaerax
  • package hydra

    HyDRA Hybrid Distributed Reasoning Architecture server with a REST-API and database.

    HyDRA Hybrid Distributed Reasoning Architecture server with a REST-API and database. HyDRA provides a simplified high-level programming interface to the KeYmaeara X prover. It provides components for proof tree simplification, tactic search, and custom tactic scheduling policies, as well as for storing and accessing proofs in files or databases. These components can be accessed remotely through a REST-API.

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

  • package launcher

    KeYmaera X command line launcher for starting its main program with the web UI.

    KeYmaera X command line launcher for starting its main program with the web UI.

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

  • package lemma

    Non-soundness-critical implementation of the lemma mechanism.

    Non-soundness-critical implementation of the lemma mechanism.

    Lemma Mechanism

    An implementation of a lemma data base using files edu.cmu.cs.ls.keymaerax.lemma.FileLemmaDB. A factory edu.cmu.cs.ls.keymaerax.lemma.LemmaDBFactory provides instances of lemma databases.

    Definition Classes
    keymaerax
    Examples:
    1. LemmaDBFactory.setLemmaDB(new FileLemmaDB)
      val lemmaDB = LemmaDBFactory.lemmaDB
    2. ,
    3. // prove a lemma
      val proved = TactixLibrary.proveBy(
         Sequent(IndexedSeq(), IndexedSeq("true | x>5".asFormula)),
         orR(1) & close
       )
      // store a lemma
      val lemmaDB = LemmaDBFactory.lemmaDB
      val evidence = ToolEvidence(immutable.Map("input" -> proved.toString, "output" -> "true")) :: Nil))
      val lemmaID = lemmaDB.add(
        Lemma(proved, evidence, Some("Lemma  test"))
      )
      // use a lemma
      LookupLemma(lemmaDB, lemmaID)

      The lemma database returned by the factory can be configured.

  • CachedLemmaDB
  • FileLemmaDB
  • LemmaDB
  • LemmaDBBase
  • LemmaDBFactory
  • package parser

    Parser & Pretty-Printer for Differential Dynamic Logic

    Parser & Pretty-Printer for Differential Dynamic Logic

    Defines the concrete syntax of differential dynamic logic as used in KeYmaera X. Provides a parser to read string and file inputs with differential dynamic logic. Conversely provides a pretty-printer to format differential dynamic logic expression data structure as human readable concrete syntax.

    PrettyPrinter: Expression => String
    Parser: String => Expression

    Usage Overview

    The default pretty-printer for the concrete syntax in KeYmaera X is in edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXPrettyPrinter. The corresponding parser for the concrete syntax in edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser. Also see Grammar of KeYmaera X Syntax

    val parser = KeYmaeraXParser
    val pp = KeYmaeraXPrettyPrinter
    val input = "x^2>=0 & x<44 -> [x:=2;{x'=1&x<=10}]x>=1"
    val parse = parser(input)
    println("Parsed:   " + parse)
    val print = pp(parse)
    println("Printed:  " + print)
    Printing Differential Dynamic Logic

    edu.cmu.cs.ls.keymaerax.parser.PrettyPrinter defines the interface for all differential dynamic logic pretty printers in KeYmaera X.

    PrettyPrinter: Expression => String

    edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXPrettyPrinter implements the pretty-printer for the concrete syntax of differential dynamic logic used in KeYmaera X. A pretty-printer is essentially a function from differential dynamic logic expressions to strings.

    Printing formulas to strings is straightforward using edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXPrettyPrinter.apply:

    val pp = KeYmaeraXPrettyPrinter
    // "x < -y"
    val fml0 = Less(Variable("x"),Neg(Variable("y")))
    val fml0str = pp(fml0)
    // "true -> [x:=1;]x>=0"
    val fml1 = Imply(True, Box(Assign(Variable("x"), Number(1)), GreaterEqual(Variable("x"), Number(0))))
    val fml1str = pp(fml1)
    Printing Fully Parenthesized Forms

    Fully parenthesized strings are obtained using the edu.cmu.cs.ls.keymaerax.parser.FullPrettyPrinter printer:

    val pp = FullPrettyPrinter
    // "x < -(y)"
    val fml0 = Less(Variable("x"),Neg(Variable("y")))
    val fml0str = pp(fml0)
    // "true -> ([x:=1;](x>=0))"
    val fml1 = Imply(True, Box(Assign(Variable("x"), Number(1)), GreaterEqual(Variable("x"), Number(0))))
    val fml1str = pp(fml1)

    The fully-parenthesized pretty printer corresponding to a pretty printer can also be obtained using edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXPrinter.fullPrinter

    Parsing Differential Dynamic Logic

    edu.cmu.cs.ls.keymaerax.parser.Parser defines the interface for all differential dynamic logic parsers in KeYmaera X.

    Parser: String => Expression

    edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser implements the parser for the concrete syntax of differential dynamic logic used in KeYmaera X. A parser is essentially a function from input string to differential dynamic logic expressions.

    Parsing formulas from strings is straightforward using edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser.apply:

    val parser = KeYmaeraXParser
    val fml0 = parser("x!=5")
    val fml1 = parser("x>0 -> [x:=x+1;]x>1")
    val fml2 = parser("x>=0 -> [{x'=2}]x>=0")

    The parser parses any dL expression, so will also accept terms or programs from strings, which will lead to appropriate types:

    val parser = KeYmaeraXParser
    // formulas
    val fml0 = parser("x!=5")
    val fml1 = parser("x>0 -> [x:=x+1;]x>1")
    val fml2 = parser("x>=0 -> [{x'=2}]x>=0")
    // terms
    val term0 = parser("x+5")
    val term1 = parser("x^2-2*x+7")
    val term2 = parser("x*y/3+(x-1)^2+5*z")
    // programs
    val prog0 = parser("x:=1;")
    val prog1 = parser("x:=1;x:=5;x:=-1;")
    val prog2 = parser("x:=1;{{x'=5}++x:=0;}")
    Parsing Only Formulas of Differential Dynamic Logic

    The parser that only parses formulas is obtained via edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser.formulaParser

    // the formula parser only accepts formulas
    val parser = KeYmaeraXParser.formulaParser
    // formulas
    val fml0 = parser("x!=5")
    val fml1 = parser("x>0 -> [x:=x+1;]x>1")
    val fml2 = parser("x>=0 -> [{x'=2}]x>=0")
    // terms will cause exceptions
    try { parser("x+5") } catch {case e: ParseException => println("Rejected")}
    // programs will cause exceptions
    try { parser("x:=1;") } catch {case e: ParseException => println("Rejected")}

    Similarly, a parser that only parses terms is obtained via edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser.termParser and a parser that only parses programs is obtained via edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser.programParser

    Parsing Pretty-Printed Strings

    Corresponding parsers and pretty-printers match with one another. Parsing a pretty-printed expression results in the original expression again:

    parse(print(e)) == e

    edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser and are inverses in this sense. The converse print(parse(s)) == s is not quite the case, because there can be minor spacing and superfluous parentheses differences. The following slightly weaker form still holds:

    parse(print(parse(s))) == parse(s)

    Parsing the pretty-print of an expression with compatible printers and parsers always gives the original expression back:

    val parser = KeYmaeraXParser
    val pp = KeYmaeraXPrettyPrinter
    val fml = Imply(True, Box(Assign(Variable("x"), Number(1)), GreaterEqual(Variable("x"), Number(0))))
    // something like "true -> [x:=1;]x>=0" modulo spacing
    val print = pp(fml)
    val reparse = parser(print)
    if (fml == reparse) println("Print and reparse successful") else println("Discrepancy")
    Pretty-Printing Parsed Strings

    It can be quite helpful to print an expression that has been parsed to check how it got parsed:

    val parser = KeYmaeraXParser
    val pp = KeYmaeraXPrettyPrinter
    val input = "x^2>=0 & x<44 -> [x:=2;{x'=1&x<=10}]x>=1"
    val parse = parser(input)
    println("Parsed:   " + parse)
    val print = pp(parse)
    println("Printed:  " + print)
    println("Original: " + input)
    println("Can differ slightly by spacing and parentheses")

    Recall that the default pretty printer uses compact parentheses and braces. That is, it only prints them when necessary to disambiguate. For storage purposes and disambiguation it can be better to use fully parenthesized printouts, which is what edu.cmu.cs.ls.keymaerax.parser.FullPrettyPrinter achieves:

    val parser = KeYmaeraXParser
    val pp = FullPrettyPrinter
    val input = "x^2>=0 & x<44 -> [x:=2;{x'=1&x<=10}]x>=1"
    val parse = parser(input)
    println("Parsed:   " + parse)
    val print = pp(parse)
    // (((x)^(2)>=0)&(x < 44))->([{x:=2;}{{x'=1&x<=10}}](x>=1))
    println("Printed:  " + print)
    println("Original: " + input)
    Pretty-Printing Sequents

    Sequents can be pretty-printed using the default pretty printer via edu.cmu.cs.ls.keymaerax.core.Sequent.prettyString

    val parser = KeYmaeraXParser
    val sequent = Sequent(IndexedSeq(parse("x<22"), parse("x>0")), IndexedSeq(parse("[x:=x+1;]x<23")))
    println("Printed:  " + sequent.prettyString)
    Definition Classes
    keymaerax
    See also

    edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXPrettyPrinter

    edu.cmu.cs.ls.keymaerax.parser.KeYmaeraXParser

    Grammar of Differential Dynamic Logic

    "Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Volp and Andre Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, LNCS. Springer, 2015."

    Andre Platzer. A uniform substitution calculus for differential dynamic logic. arXiv 1503.01981, 2015.

    Andre Platzer. A uniform substitution calculus for differential dynamic logic. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE'15, Berlin, Germany, Proceedings, LNCS. Springer, 2015.

  • package pt

    Proof-term checker turns proof terms to proof certificates.

    Proof-term checker turns proof terms to proof certificates. edu.cmu.cs.ls.keymaerax.pt.ProofChecker turns a proof term to the edu.cmu.cs.ls.keymaerax.core.Provable that it proves.

    ProofChecker : ProofTerm * Formula => Provable

    This package defines

    Definition Classes
    keymaerax
  • package tacticsinterface

    Simple interface to the tactics exposed to the web UI and REST-API.

    Simple interface to the tactics exposed to the web UI and REST-API. Tactic combinator parser. Main tactics are provided in edu.cmu.cs.ls.keymaerax.tactics.TactixLibrary

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

    See also

    edu.cmu.cs.ls.keymaerax.tactics

  • package tools

    Arithmetic back-ends and arithmetic utilities for tactics, including an SMT interface.

    Arithmetic back-ends and arithmetic utilities for tactics, including an SMT interface.

    Definition Classes
    keymaerax
    To do

    Stub. Describe for real.

package lemma

Non-soundness-critical implementation of the lemma mechanism.

Lemma Mechanism

An implementation of a lemma data base using files edu.cmu.cs.ls.keymaerax.lemma.FileLemmaDB. A factory edu.cmu.cs.ls.keymaerax.lemma.LemmaDBFactory provides instances of lemma databases.

Examples:
  1. LemmaDBFactory.setLemmaDB(new FileLemmaDB)
    val lemmaDB = LemmaDBFactory.lemmaDB
  2. ,
  3. // prove a lemma
    val proved = TactixLibrary.proveBy(
       Sequent(IndexedSeq(), IndexedSeq("true | x>5".asFormula)),
       orR(1) & close
     )
    // store a lemma
    val lemmaDB = LemmaDBFactory.lemmaDB
    val evidence = ToolEvidence(immutable.Map("input" -> proved.toString, "output" -> "true")) :: Nil))
    val lemmaID = lemmaDB.add(
      Lemma(proved, evidence, Some("Lemma  test"))
    )
    // use a lemma
    LookupLemma(lemmaDB, lemmaID)

    The lemma database returned by the factory can be configured.

Linear Supertypes
AnyRef, Any
Ordering
  1. Alphabetic
  2. By Inheritance
Inherited
  1. lemma
  2. AnyRef
  3. Any
  1. Hide All
  2. Show All
Visibility
  1. Public
  2. All

Type Members

  1. class CachedLemmaDB extends LemmaDB with Logging

    Extends an arbitrary LemmaDB with caching functionality to reduce the cost of repeated accesses to the same Lemma within a given KeYmaeraX session.

    Extends an arbitrary LemmaDB with caching functionality to reduce the cost of repeated accesses to the same Lemma within a given KeYmaeraX session.

    Created by bbohrer on 8/3/16.

  2. class FileLemmaDB extends LemmaDBBase with Logging

    File-based lemma DB implementation.

    File-based lemma DB implementation. Stores one lemma per file in the user's KeYmaera X home directory under cache/lemmadb/. Lemma file names are created automatically and in a thread-safe manner.

    Note

    Prefer LemmaDBFactory.lemmaDB over instantiating directly to get an instance of a lemma database and ensure thread safety. Created by smitsch on 4/27/15.

  3. trait LemmaDB extends AnyRef

    Store and retrieve lemmas from a lemma database.

    Store and retrieve lemmas from a lemma database. Use edu.cmu.cs.ls.keymaerax.lemma.LemmaDBFactory.lemmaDB to get an instance of a lemma database.

    Example:
    1. Storing and using a lemma

      import edu.cmu.cs.ls.keymaerax.lemma.LemmaDBFactory
      val lemmaDB = LemmaDBFactory.lemmaDB
      // prove a lemma
      val proved = TactixLibrary.proveBy(
         Sequent(IndexedSeq(), IndexedSeq("true | x>5".asFormula)),
         orR(1) & close
       )
      // store a lemma
      val evidence = ToolEvidence(immutable.Map("input" -> proved.toString, "output" -> "true")) :: Nil))
      val lemmaID = lemmaDB.add(
        Lemma(proved, evidence, Some("Lemma  test"))
      )
      // use a lemma
      LookupLemma(lemmaDB, lemmaID)
    See also

    Lemma

  4. abstract class LemmaDBBase extends LemmaDB

    Common Lemma Database implemented from string-based storage primitives.

    Common Lemma Database implemented from string-based storage primitives. Common logic shared by most lemma DB implementations. Most lemma DB's can (and should) be implemented by extending this class and implementing the abstract methods for basic storage operations.

    Created by bbohrer on 8/3/16.

Value Members

  1. object LemmaDBFactory

    Returns lemma database instances.

    Returns lemma database instances. Prefer using this factory over instantiating lemma databases directly.

    Example:
    1. val lemmaDB = LemmaDBFactory.lemmaDB

      Created by smitsch on 9/1/15.

Inherited from AnyRef

Inherited from Any

Ungrouped