KeYmaera X Theorem Prover for Hybrid Systems

Self-driving cars, autonomous robots, modern airplanes, or robotic surgery: we increasingly entrust our lives to computers and therefore should strive for nothing but the highest safety standards - mathematical correctness proof. Proofs for such cyber-physical systems can be constructed with the KeYmaera X prover. As a hybrid systems theorem prover, KeYmaera X analyzes the control program and the physical behavior of the controlled system together in differential dynamic logic.

KeYmaera X features a minimal core of just about 2000 lines of code that isolates all soundness-critical reasoning. Such a small and simple prover core makes it much easier to trust verification results. Pre-defined and custom tactics built on top of the core drive automated proof search. KeYmaera X comes with a web-based front-end that provides a clean interface for both interactive and automated proving, highlighting the most crucial parts of a verification activity. Besides hybrid systems, KeYmaera X also supports the verification of hybrid games in differential game logic.

More information and precompiled binaries are available at keymaerax.org:

• The KeYmaera X Tutorial
• The Logical Foundations of Cyber-Physical Systems textbook
• The KeYmaera X API Documentation

Installation

1. Install Java Runtime Environment version 11 or later, for example from OpenJDK

2. Optionally, install and set up Wolfram Mathematica (version 10 or later) or Wolfram Engine. See below for more details on the different arithmetic solvers.

3. Download the file keymaerax.jar

4. Configure KeYmaera X according to the Configuration section below.

5. Launch KeYmaera X by opening the console in the same directory as keymaerax.jar and running java -jar keymaerax.jar. You might need to specify additional arguments as explained in the Configuration section.

For more details on installation, usage, and for troubleshooting steps, see the Install section of the website.

Configuration

KeYmaera X requires a decision procedure for real arithmetic to finalize proofs. It is compatible with these arithmetic solvers:

• Wolfram Mathematica
• Wolfram Engine, a free alternative to Mathematica that requires an active internet connection.
• The Z3 Theorem Prover, for which built-in binaries are included. This is the fallback when no other solver is configured.

KeYmaera X is extensively tested with Mathematica and some features are only available when using Mathematica. After starting KeYmaera X you can configure arithmetic tools in the KeYmaera X->Preferences menu.

Depending on the operating system, Mathematica is installed in different locations. If KeYmaera X can't find your Mathematica installation, you need to manually specify the kernel and jlink paths when starting KeYmaera X using the -mathkernel and -jlink parameters.

If you installed Mathematica at the default path, the required values on the different platforms are:

• Linux
  • -mathkernel /usr/local/Wolfram/Mathematica/13.0/Executables/MathKernel
  • -jlink /usr/local/Wolfram/Mathematica/13.0/SystemFiles/Links/JLink/SystemFiles/Libraries/Linux-x86-64
• macOS
  • -mathkernel /Applications/Mathematica.app/Contents/MacOS/MathKernel
  • -jlink /Applications/Mathematica.app/Contents/SystemFiles/Links/JLink/SystemFiles/Libraries/MacOSX-x86-64
• Windows
  • -mathkernel "C:\Program Files\Wolfram Research\Mathematica\13.0\MathKernel.exe"
  • -jlink "C:\Program Files\Wolfram Research\Mathematica\13.0\SystemFiles\Links\JLink\SystemFiles\Libraries\Windows-x86-64"

Building

To compile KeYmaera X from source or set up a development environment, see procedures.md. More detailed but outdated instructions are available in the wiki on GitHub.

Publications

KeYmaera X implements the uniform substitution calculus for differential dynamic logic in order to enable soundness assurance by way of a small trusted LCF-style kernel while still being amenable to automatic theorem proving.

https://www.ls.cs.cmu.edu/publications.html

1. André Platzer. A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning 59(2), pp. 219-266, 2017. Extended version of CADE-25.

2. André Platzer. Logics of dynamical systems. ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, June 25–28, 2012, Dubrovnik, Croatia, pages 13-24. IEEE 2012.

3. Nathan Fulton, Stefan Mitsch, Jan-David Quesel, Marcus Völp and André Platzer. KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In Amy P. Felty and Aart Middeldorp, editors, International Conference on Automated Deduction, CADE-25, Berlin, Germany, Proceedings, LNCS. Springer, 2015.

4. Nathan Fulton, Stefan Mitsch, Brandon Bohrer and André Platzer. Bellerophon: Tactical theorem proving for hybrid systems. In Mauricio Ayala-Rincón and César Muñoz, editors, Interactive Theorem Proving, International Conference, ITP 2017, volume 10499 of LNCS, pp. 207-224. Springer, 2017.

5. André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Cham, 2018. DOI, Videos

The soundness assurances provided by a small LCF-style kernel are further strengthened by a cross-verification of the soundness theorem for the uniform substitution calculus.

6. Brandon Bohrer, Vincent Rahli, Ivana Vukotic, Marcus Völp and André Platzer. Formally verified differential dynamic logic. ACM SIGPLAN Conference on Certified Programs and Proofs, CPP 2017, Jan 16-17, 2017, Paris, France, pages 208-221, ACM, 2017. Isabelle/HOL and Coq

A secondary goal of KeYmaera X is to also make it possible to implement extensions of differential dynamic logic, such as differential game logic for hybrid games as well as quantified differential dynamic logic for distributed hybrid systems:

7. André Platzer. Differential game logic. ACM Trans. Comput. Log. 17(1), 2015.

8. André Platzer. Differential hybrid games. ACM Trans. Comput. Log. 18(3), 2017.

9. André Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems. Logical Methods in Computer Science 8(4), pages 1-44, 2012.

KeYmaera X implements fast generalized uniform substitution algorithms, also cross-verified:

10. André Platzer. Uniform substitution for differential game logic. In Didier Galmiche, Stephan Schulz and Roberto Sebastiani, editors, Automated Reasoning, 9th International Joint Conference, IJCAR 2018, volume 10900 of LNCS, pp. 211-227. Springer 2018.

11. André Platzer. Uniform substitution at one fell swoop. In Pascal Fontaine, editor, International Conference on Automated Deduction, CADE-27, volume 11716 of LNCS, pp. 425-441. Springer, 2019. Isabelle/HOL

Automatic proofs for differential equation invariants are based on:

12. André Platzer and Yong Kiam Tan. Differential equation invariance axiomatization. J. ACM 67(1), 6:1-6:66, 2020. Extended version of LICS'18.

Liveness proofs for differential equations are based on:

13. Yong Kiam Tan and André Platzer. Yong Kiam Tan and André Platzer. An axiomatic approach to existence and liveness for differential equations. Formal Aspects of Computing 33(4), pp 461-518, 2021. Special issue for selected papers from FM'19.

KeYmaera X uses the Pegasus tool for invariant generation (which gets better when additional software is installed):

14. Andrew Sogokon, Stefan Mitsch, Yong Kiam Tan, Katherine Cordwell and André Platzer. Pegasus: Sound continuous invariant generation. Formal Methods in System Design, 58(1), pp. 5-41, 2022. Special issue for selected papers from FM'19.

KeYmaera X implements the ModelPlex method to ensure that verification results about models apply to cyber-physical system implementations. ModelPlex generates provably correct monitor conditions that, if checked to hold at runtime, are provably guaranteed to imply that the offline safety verification results about the CPS model apply to the present run of the actual CPS implementation.

15. Stefan Mitsch and André Platzer. ModelPlex: Verified runtime validation of verified cyber-physical system models. Formal Methods in System Design 49(1), pp. 33-74. 2016. Special issue for selected papers from RV'14.

16. Yong Kiam Tan, Stefan Mitsch and André Platzer. Verifying switched system stability with logic In Ezio Bartocci and Sylvie Putot, editors, Hybrid Systems: Computation and Control (part of CPS Week 2022), HSCC'22. Article No. 2, pp. 1-11. ACM, 2022.

The design principles for the user interface of KeYmaera X are described in:

17. Stefan Mitsch and André Platzer. The KeYmaera X proof IDE: Concepts on usability in hybrid systems theorem proving. In Catherine Dubois, Paolo Masci and Dominique Méry, editors, 3rd Workshop on Formal Integrated Development Environment F-IDE 2016, volume 240 of EPTCS, pp. 67-81, 2017.

Model and proof management techniques are described in:

18. Stefan Mitsch. Implicit and Explicit Proof Management in KeYmaera X In José Proença and Andrei Paskevich, editors, 6th Workshop on Formal Integrated Development Environment F-IDE 2021, volume 338 of EPTCS 338, pp. 53-67, 2021.

A comparison of KeYmaera X with its predecessor provers is described in:

19. Stefan Mitsch and André Platzer. A Retrospective on Developing Hybrid System Provers in the KeYmaera Family: A Tale of Three Provers. In Wolfgang Ahrendt et al., editors, Deductive Software Verification: Future Perspectives, volume 12345 of LNCS, pp. 21-64. Springer, 2020.

Copyright and Licenses

Copyright (C) 2014-2024 Carnegie Mellon University, Karlsruhe Institute of Technology

Developed by Andre Platzer, Stefan Mitsch, Nathan Fulton, Brandon Bohrer, Yong Kiam Tan, Andrew Sogokon, Fabian Immler, Katherine Cordwell, Enguerrand Prebet, Joscha Mennicken, Tobias Erthal. With previous contributions by Nathan Fulton, Jan-David Quesel, Marcus Voelp, Ran Ji. See COPYRIGHT.txt for details.

See LICENSE.txt for the conditions of using this software.

The KeYmaera X distribution contains external tools. A list of tools and their licenses can be found in LICENSES_THIRD_PARTY.txt.

Contact

KeYmaera X developers: keymaerax@keymaerax.org