-
Verification of Autonomous Neural Car Control with KeYmaera X
Authors:
Enguerrand Prebet,
Samuel Teuber,
André Platzer
Abstract:
This article presents a formal model and formal safety proofs for the ABZ'25 case study in differential dynamic logic (dL). The case study considers an autonomous car driving on a highway avoiding collisions with neighbouring cars. Using KeYmaera X's dL implementation, we prove absence of collision on an infinite time horizon which ensures that safety is preserved independently of trip length. The safety guarantees hold for time-varying reaction time and brake force. Our dL model considers the single lane scenario with cars ahead or behind. We demonstrate that dL with its tools is a rigorous foundation for runtime monitoring, shielding, and neural network verification. Doing so sheds light on inconsistencies between the provided specification and simulation environment highway-env of the ABZ'25 study. We attempt to fix these inconsistencies and uncover numerous counterexamples which also indicate issues in the provided reinforcement learning environment.
Submitted 4 April, 2025;
originally announced April 2025.
-
Uniform Substitution for Differential Refinement Logic
Authors:
Enguerrand Prebet,
André Platzer
Abstract:
This paper introduces a uniform substitution calculus for differential refinement logic dRL. The logic dRL extends the differential dynamic logic dL such that one can simultaneously reason about properties of and relations between hybrid systems. Refinements are useful e.g. for simplifying proofs by relating a concrete hybrid system to an abstract one from which the property can be proved more easily. Uniform substitution is the key to parsimonious prover microkernels. It enables the verbatim use of single axiom formulas instead of axiom schemata with soundness-critical side conditions scattered across the proof calculus. The uniform substitution rule can then be used to instantiate all axioms soundly. Access to differential variables in dRL enables more control over the notion of refinement, which is shown to be decidable on a fragment of hybrid programs.
Submitted 31 May, 2024; v1 submitted 25 April, 2024;
originally announced April 2024.
-
Using Pi-Calculus Names as Locks
Authors:
Daniel Hirschkoff,
Enguerrand Prebet
Abstract:
Locks are a classic data structure for concurrent programming. We introduce a type system to ensure that names of the asynchronous pi-calculus are used as locks. Our calculus also features a construct to deallocate a lock once we know that it will never be acquired again. Typability guarantees two properties: deadlock-freedom, that is, no acquire operation on a lock waits forever; and leak-freedom, that is, all locks are eventually deallocated.
We leverage the simplicity of our typing discipline to study the induced typed behavioural equivalence. After defining barbed equivalence, we introduce a sound labelled bisimulation, which makes it possible to establish equivalence between programs that manipulate and deallocate locks.
Submitted 13 September, 2023;
originally announced September 2023.
-
On Up-to Context Techniques in the $π$-calculus
Authors:
Enguerrand Prebet
Abstract:
We present a variant of the theory of compatible functions on relations, due to Sangiorgi and Pous. We show that the up-to context proof technique for bisimulation is compatible in this setting for two subsets of the pi-calculus: the asynchronous pi-calculus and a pi-calculus with immediately available names.
Submitted 3 June, 2022; v1 submitted 16 December, 2021;
originally announced December 2021.
-
On sequentiality and well-bracketing in the $π$-calculus
Authors:
Daniel Hirschkoff,
Enguerrand Prebet,
Davide Sangiorgi
Abstract:
The $π$-calculus is used as a model for programming languages. Its contexts exhibit arbitrary concurrency, making them very discriminating. This may prevent validating desirable behavioural equivalences in cases when more disciplined contexts are expected. In this paper we focus on two such common disciplines: sequentiality, meaning that at any time there is a single thread of computation, and well-bracketing, meaning that calls to external services obey a stack-like discipline. We formalise the disciplines by means of type systems. The main focus of the paper is on studying the consequence of the disciplines on behavioural equivalence. We define and study labelled bisimilarities for sequentiality and well-bracketing. These relations are coarser than ordinary bisimilarity. We prove that they are sound for the respective (contextual) barbed equivalence, and also complete under a certain technical condition. We show the usefulness of our techniques on a number of examples, that have mainly to do with the representation of functions and store.
Submitted 13 December, 2021; v1 submitted 22 April, 2021;
originally announced April 2021.
-
The Declining Price Anomaly is not Universal in Multi-Buyer Sequential Auctions (but almost is)
Authors:
Vishnu V. Narayan,
Enguerrand Prebet,
Adrian Vetta
Abstract:
The declining price anomaly states that the price weakly decreases when multiple copies of an item are sold sequentially over time. The anomaly has been observed in a plethora of practical applications. On the theoretical side, Gale and Stegeman proved that the anomaly is guaranteed to hold in full information sequential auctions with exactly two buyers. We prove that the declining price anomaly is not guaranteed in full information sequential auctions with three or more buyers. This result applies to both first-price and second-price sequential auctions. Moreover, it applies regardless of the tie-breaking rule used to generate equilibria in these sequential auctions. To prove this result we provide a refined treatment of subgame perfect equilibria that survive the iterative deletion of weakly dominated strategies and use this framework to experimentally generate a very large number of random sequential auction instances. In particular, our experiments produce an instance with three bidders and eight items that, for a specific tie-breaking rule, induces a non-monotonic price trajectory. Theoretic analyses are then applied to show that this instance can be used to prove that for every possible tie-breaking rule there is a sequential auction on which it induces a non-monotonic price trajectory. On the other hand, our experiments show that non-monotonic price trajectories are extremely rare. In over six million experiments only a 0.000183 proportion of the instances violated the declining price anomaly.
Submitted 2 May, 2019;
originally announced May 2019.