KeYmaera X: An Axiomatic Tactical Theorem Prover for Hybrid Systems

  • Nathan FultonEmail author
  • Stefan Mitsch
  • Jan-David Quesel
  • Marcus Völp
  • André Platzer
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9195)


KeYmaera X is a theorem prover for differential dynamic logic (
), a logic for specifying and verifying properties of hybrid systems. Reasoning about complicated hybrid systems models requires support for sophisticated proof techniques, efficient computation, and a user interface that crystallizes salient properties of the system. KeYmaera X allows users to specify custom proof search techniques as tactics, execute these tactics in parallel, and interface with partial proofs via an extensible user interface.
Advanced proof search features—and user-defined tactics in particular—are difficult to check for soundness. To admit extension and experimentation in proof search without reducing trust in the prover, KeYmaera X is built up from a small trusted kernel. The prover kernel contains a list of sound
axioms that are instantiated using a uniform substitution proof rule. Isolating all soundness-critical reasoning to this prover kernel obviates the intractable task of ensuring that each new proof search algorithm is implemented correctly. Preliminary experiments suggest that a single layer of tactics on top of the prover kernel provides a rich language for implementing novel and sophisticated proof search techniques.


Sequent Calculus Adaptive Cruise Control Hybrid Automaton Proof Tree Proof Rule 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



The authors thank the anonymous reviewers for their helpful feedback, and Ran Ji for help with testing and extending KeYmaera X.


  1. 1.
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, P.H.: The KeY tool. Softw. Syst. Model. 4(1), 32–54 (2005)CrossRefGoogle Scholar
  2. 2.
    Alur, R., Courcoubetis, C., Henzinger, T.A., Ho, P.-H.: Hybrid automata: an algorithmic approach to the specification and verification of hybrid systems. In: Grossman, R.L., Ravn, A.P., Rischel, H., Nerode, A. (eds.) HS 1991 and HS 1992. LNCS, vol. 736, pp. 209–229. Springer, Heidelberg (1993) CrossRefGoogle Scholar
  3. 3.
    Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software. LNCS (LNAI), vol. 4334, pp. 453–479. Springer, Heidelberg (2007) Google Scholar
  4. 4.
    Bowen, J., Stavridou, V.: Safety-critical systems, formal methods and standards. Softw. Eng. J. 8(4), 189–209 (1993)CrossRefGoogle Scholar
  5. 5.
    Felty, A., Howe, D.: Tactic theorem proving with refinement-tree proofs and metavariables. In: Bundy, A. (ed.) CADE 1994. LNCS, vol. 814, pp. 605–619. Springer, Heidelberg (1994) CrossRefGoogle Scholar
  6. 6.
    Heisel, M., Reif, W., Stephan, W.: Tactical theorem proving in program verification. In: Stickel, M.E. (ed.) CADE 1990. LNCS, vol. 449, pp. 117–131. Springer, Heidelberg (1990) CrossRefGoogle Scholar
  7. 7.
    The Coq development team: The Coq proof assistant reference manual. LogiCal project, version 8.0 (2004).
  8. 8.
    Mitsch, S., Platzer, A.: ModelPlex: verified runtime validation of verified cyber-physical system models. In: Bonakdarpour, B., Smolka, S.A. (eds.) RV 2014. LNCS, vol. 8734, pp. 199–214. Springer, Heidelberg (2014) Google Scholar
  9. 9.
    Nipkow, T., Paulson, L.C., Wenzel, M. (eds.): Isabelle/HOL: A Proof Assistant for Higher-Order Logic. LNCS, vol. 2283. Springer, Heidelberg (2002) Google Scholar
  10. 10.
    Platzer, A.: Differential dynamic logic for hybrid systems. J. Autom. Reas. 41(2), 143–189 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
  11. 11.
    Platzer, A.: Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  12. 12.
    Platzer, A.: Logics of Dynamical Systems. In: LICS, pp. 13–24. IEEE (2012)Google Scholar
  13. 13.
    Platzer, A.: Differential Game Logic. CoRR abs/1408.1980 (2014)Google Scholar
  14. 14.
    Platzer, A.: A uniform substitution calculus for differential dynamic logic. In: Felty, A.P., Middeldorp, A. (eds.) CADE-25. LNCS, vol. 9195, pp. xx–yy. Springer, Heidelberg (2015)Google Scholar
  15. 15.
    Platzer, A., Quesel, J.-D.: KeYmaera: a hybrid theorem prover for hybrid systems (system description). In: Armando, A., Baumgartner, P., Dowek, G. (eds.) IJCAR 2008. LNCS (LNAI), vol. 5195, pp. 171–178. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  16. 16.
    Quesel, J.D., Mitsch, S., Loos, S., Aréchiga, N., Platzer, A.: How to model and prove hybrid systems with KeYmaera: a tutorial on safety. STTT (2015)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Nathan Fulton
    • 1
    Email author
  • Stefan Mitsch
    • 1
  • Jan-David Quesel
    • 1
  • Marcus Völp
    • 1
    • 2
  • André Platzer
    • 1
  1. 1.Computer Science DepartmentCarnegie Mellon UniversityPittsburghUSA
  2. 2.Technische Universität DresdenDresdenGermany

Personalised recommendations