Implicit Definitions with Differential Equations for KeYmaera X (System Description)

Definition packages in theorem provers provide users with means of defining and organizing concepts of interest. This system description presents a new definition package for the hybrid systems theorem prover KeYmaera X based on differential dynamic logic (dL). The package adds KeYmaera X support for user-defined smooth functions whose graphs can be implicitly characterized by dL formulas. Notably, this makes it possible to implicitly characterize functions, such as the exponential and trigonometric functions, as solutions of differential equations and then prove properties of those functions using dL's differential equation reasoning principles. Trustworthiness of the package is achieved by minimally extending KeYmaera X's soundness-critical kernel with a single axiom scheme that expands function occurrences with their implicit characterization. Users are provided with a high-level interface for defining functions and non-soundness-critical tactics that automate low-level reasoning over implicit characterizations in hybrid system proofs.


1 Introduction
KeYmaera X [FMQ+15] is a theorem prover implementing differential dynamic logic dL [Pla08,Pla12,Pla17,Pla18] for specifying and verifying properties of hybrid systems mixing discrete dynamics and differential equations. Definitions enable users to express complex theorem statements in concise terms, e.g., by modularizing hybrid system models and their proofs [Mit21]. Prior to this work, KeYmaera X had only one mechanism for definition, namely, non-recursive abbreviations via uniform substitution [Mit21,Pla17]. This restriction meant that common and useful functions, e.g., the trigonometric and exponential functions, could not be directly used in KeYmaera X, even though they can be uniquely characterized by dL formulas [Pla08].
This system description introduces a new KeYmaera X definitional mechanism where functions are implicitly defined in dL as solutions of ordinary differential equations (ODEs). Although definition packages are available in most general-purpose proof assistants, our package is novel in tackling the question of how best to support user-defined functions in the domain-specific setting of hybrid systems. In contrast to tools with built-in support for some fixed subsets of special functions [AP10,GKC13,RS07], or higher-order logics that can work with functions via their infinitary series expansions [BLM16], e.g., exp(t) = Σ_{i=0}^{∞} t^i/i!, our package strikes a balance between practicality and generality by allowing users to define and reason about any function characterizable in dL as the solution of an ODE (Section 2), e.g., exp(t) solves the ODE e' = e with initial value e(0) = 1.
Theoretically, implicit definitions strictly expand the class of ODE invariants amenable to dL's complete ODE invariance proof principles [PT20]; such invariants play a key role in ODE safety proofs [Pla18] (see Proposition 3). In practice, arithmetical identities and other specifications involving user-defined functions are proved by automatically unfolding their implicit ODE characterizations and re-using existing KeYmaera X support for ODE reasoning (Section 3). The package is designed to provide seamless integration of implicit definitions in KeYmaera X, and its usability is demonstrated on several hybrid system verification examples drawn from the literature that involve special functions (Section 4).
Table 1 (overview of dL hybrid programs; only the following row descriptions survived extraction):
Test: stay in the current state if φ is true, otherwise abort and discard the run.
Assignment: store the value of term e in variable x.
x := *: store an arbitrary real value in variable x.
All proofs and examples are in Appendices A and B. The definitions package is part of KeYmaera X with a usage guide at: http://keymaeraX.org/keymaeraXfunc/.

2 Interpreted Functions in Differential Dynamic Logic
This section briefly recalls differential dynamic logic (dL) [Pla08,Pla10,Pla17,Pla18] and explains how its term language is extended to support implicit function definitions.
Syntax. Terms e, ẽ and formulas φ, ψ in dL are generated by the following grammar, with variable x, rational constant c, k-ary function symbols h (for any k ∈ N), comparison operator ∼ ∈ {=, ≠, ≥, >, ≤, <}, and hybrid program α:
e, ẽ ::= x | c | e + ẽ | e · ẽ | h(e_1, . . . , e_k)    (1)
The terms and formulas above extend the first-order language of real arithmetic (FOL_R) with the box ([α]φ) and diamond (⟨α⟩φ) modality formulas, which express that all or some runs of hybrid program α satisfy postcondition φ, respectively. Table 1 gives an intuitive overview of dL's hybrid program language for modeling systems featuring discrete and continuous dynamics and their interactions. In dL's uniform substitution calculus, function symbols h are uninterpreted, i.e., they semantically correspond to an arbitrary (smooth) function. Such uninterpreted function symbols (along with uninterpreted predicate and program symbols) are crucially used to give a parsimonious axiomatization of dL based on uniform substitution [Pla17] which, in turn, enables a trustworthy microkernel implementation of the logic in the theorem prover KeYmaera X [FMQ+15,MP20].
Running Example. Adequate modeling of hybrid systems often requires the use of interpreted function symbols that denote specific functions of interest. As a running example, consider the swinging pendulum shown in Fig. 1. The ODEs describing its continuous motion are θ' = ω, ω' = −(g/L) sin(θ) − kω, where θ is the swing angle, ω is the angular velocity, and g, k, L are the gravitational constant, coefficient of friction, and length of the rigid rod suspending the pendulum, respectively. The hybrid program α_s models an external force that repeatedly pushes the pendulum and changes its angular velocity by a nondeterministically chosen value p; the guard if(. . . ) condition is designed to ensure that the push does not cause the pendulum to swing above the horizontal, as specified by φ_s. Importantly, the function symbols sin, cos must denote the usual real trigonometric functions in α_s. Program α̃_s shows the same pendulum modeled in dL without the use of interpreted symbols, instead using auxiliary variables s, c. Note that α̃_s is cumbersome and subtle to get right: the implicit characterizations φ_sin(s, θ), φ_cos(c, θ) from (4), (5) are lengthy, and the differential equations s' = ωc, c' = −ωs must be manually calculated and added to ensure that s, c correctly track the trigonometric functions as θ evolves continuously [Pla10,PT20].
Fig. 1 (only the panel captions survived extraction): hybrid program model (trigonometric functions); dL safety specification.
Interpreted Functions. To enable extensible use of interpreted functions in dL, the term grammar (1) is enriched with k-ary function symbols h that carry an interpretation annotation [BDD07,Wie09], written h_φ, where φ ≡ φ(x_0, y_1, . . . , y_k) is a dL formula with free variables in x_0, y_1, . . . , y_k and no uninterpreted symbols. Intuitively, φ is a formula that characterizes the graph of the intended interpretation for h, where y_1, . . . , y_k are inputs to the function and x_0 is the output. If [[φ]] ⊆ R × R^k is the graph of some smooth C^∞ function ĥ : R^k → R, then the annotated syntactic symbol h_φ is interpreted semantically as ĥ. Note that the graph relation uniquely defines ĥ (if it exists). Otherwise, h_φ is interpreted as the constant zero function, which ensures that the term semantics remain well-defined for all terms. An alternative is to leave the semantics of some terms (possibly) undefined, but this would require more extensive changes to the semantics of dL and extra case distinctions during proofs [BFP19].
Axiomatics and Differentially-Defined Functions. To support reasoning for implicit definitions, annotated interpretations are reified to characterization axioms for expanding interpreted functions in the following lemma.
Lemma 1 (Function interpretation). The FI axiom (below) for dL is sound, where h is a k-ary function symbol and the formula semantics
Axiom FI enables reasoning for terms h_φ(e_1, . . . , e_k) through their implicit interpretation φ, but Lemma 1 does not directly yield an implementation because it has a soundness-critical side condition: the interpretation φ must characterize the graph of a smooth C^∞ function. It is possible to syntactically characterize this side condition [BFP19], e.g., the formula ∀y_1, . . . , y_k ∃x_0 φ(x_0, y_1, . . . , y_k) expresses that the graph represented by φ has at least one output value x_0 for each input value y_1, . . . , y_k, but this burdens users with the task of proving this side condition in dL before working with their desired function. The KeYmaera X definition package opts for a middle ground between generality and ease of use by implementing FI for univariate, differentially-defined functions, i.e., the interpretation φ has the following shape, where x = (x_0, x_1, . . . , x_n) abbreviates a vector of variables, there is one input t = y_1, and X = (X_0, X_1, . . . , X_n), T are dL terms that do not mention any free variables, e.g., rational constants, which have constant value in any dL state:
Formula (3) says that from point x_0, there exists a choice of the remaining coordinates x_1, . . . , x_n such that it is possible to follow the defining ODE either forward (x' = f(x, t), t' = 1) or backward (x' = −f(x, t), t' = −1) in time to reach the initial values x = X at time t = T. In other words, the implicitly defined function h_φ(x_0,t) is the x_0-coordinate projected solution of the ODE starting from initial values X at initial time T. For example, the trigonometric functions used in Fig. 1 are differentially-definable as respective projections:
[Pla17]. Therefore, the side condition for Lemma 1 reduces to showing that Φ exists globally, i.e., it is defined on t ∈ (−∞, ∞).
Lemma 2 enables an implementation of axiom FI in KeYmaera X that combines a syntactic check (the interpretation has the shape of formula (3)) and a side condition check (requiring users to prove existence for their interpretations).
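The following Python snippet is an added illustration, not code from the paper or from KeYmaera X: it evaluates differentially-defined functions numerically in exactly the way formula (3) characterizes them. A function is given by a defining ODE x' = f(x, t), initial values X at time T, and a coordinate to project; to obtain h(t) the ODE is followed forward when t > T and backward when t < T, mirroring the two directions in (3). The integrator (a fixed-step RK4), the helper names and the tolerances are our own assumptions; exp, sin and cos are defined from their standard ODEs (e' = e with e(0) = 1, and the s' = c, c' = −s pair from the running example with θ evolving at unit rate, with s(0) = 0, c(0) = 1).

```python
"""Differentially-defined functions evaluated from their ODE characterization (added example)."""
import math


def rk4(f, x, t, t_target, steps=2000):
    """Integrate x' = f(x, t) from time t to t_target with classical RK4.

    The step h is negative when t_target < t, which is the 'backward in time'
    direction of formula (3): x' = -f(x, t), t' = -1 traced from the far end.
    """
    h = (t_target - t) / steps
    for _ in range(steps):
        k1 = f(x, t)
        k2 = f([xi + 0.5 * h * ki for xi, ki in zip(x, k1)], t + 0.5 * h)
        k3 = f([xi + 0.5 * h * ki for xi, ki in zip(x, k2)], t + 0.5 * h)
        k4 = f([xi + h * ki for xi, ki in zip(x, k3)], t + h)
        x = [xi + (h / 6.0) * (a + 2 * b + 2 * c + d)
             for xi, a, b, c, d in zip(x, k1, k2, k3, k4)]
        t += h
    return x


def differentially_defined(f, X, T, coord=0):
    """Return h(t): the `coord` projection of the solution of x' = f(x, t) with x(T) = X.

    This is the numerical counterpart of the x_0-coordinate projected solution
    that h_phi denotes; it presumes the solution exists on the whole real line
    (the side condition of Lemma 2), which holds for the three functions below.
    """
    def h(t):
        return rk4(f, list(X), T, t)[coord]
    return h


# exp: e' = e with e(0) = 1 (one-dimensional ODE, projection of the only coordinate)
exp_ = differentially_defined(lambda x, t: [x[0]], X=(1.0,), T=0.0)

# sin, cos: the two projections of the coupled ODE s' = c, c' = -s with s(0) = 0, c(0) = 1
_trig = lambda x, t: [x[1], -x[0]]
sin_ = differentially_defined(_trig, X=(0.0, 1.0), T=0.0, coord=0)
cos_ = differentially_defined(_trig, X=(0.0, 1.0), T=0.0, coord=1)


def max_error(h, ref, points):
    """Largest deviation of the ODE-defined h from a reference implementation on `points`."""
    return max(abs(h(t) - ref(t)) for t in points)


if __name__ == "__main__":
    # constructed sample inputs on both sides of the initial time T = 0
    pts = [-3.0, -1.0, 0.0, 0.5, 2.0, 4.0]
    print("exp", max_error(exp_, math.exp, pts))
    print("sin", max_error(sin_, math.sin, pts))
    print("cos", max_error(cos_, math.cos, pts))
```

Note that the numerical evaluation says nothing about global existence: an ODE such as x' = x² leaves its solution undefined after finite time, and it is precisely this side condition that Lemma 2 makes users (or KeYmaera X's existence automation) discharge before the function may be used in proofs.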
The addition of differentially-defined functions to dL strictly increases the deductive power of ODE invariants, a key tool in deductive ODE safety reasoning [Pla18]. Intuitively, the added functions allow direct, syntactic descriptions of invariants, e.g., the exponential or trigonometric functions, that have effective invariance proofs using dL's complete ODE invariance reasoning principles [PT20].
Proposition 3 (Invariant expressivity). There are valid polynomial dL differential equation safety properties which are provable using differentially-defined function invariants but are not provable using polynomial invariants.

3 KeYmaera X Implementation
The implicit definition package adds interpretation annotations and axiom FI based on Lemma 2 in ≈170 lines of code extending KeYmaera X's soundness-critical core [FMQ+15,MP20]. This section focuses on the non-soundness-critical usability features provided by the package that build on those core changes.

3.1 Core-Adjacent Changes
KeYmaera X has a browser-based user interface with concrete, ASCII-based dL syntax [Mit21]. The package extends KeYmaera X's parsers and pretty printers with support for interpretation annotations h«...»(...), and users can simultaneously define a family of functions as respective coordinate projections of the solution of an n-dimensional ODE (given initial conditions) with the sugared syntax:
implicit Real h1(Real t), ..., hn(Real t) = {{initcond};{ODE}}
For example, the implicit definitions (4), (5) can be written with this sugared syntax; KeYmaera X automatically inserts the associated interpretation annotations for the trigonometric function symbols, see Appendix B for a KeYmaera X snippet of formula φ_s from Fig. 1 using this sugared definition. In fact, the functions sin, cos, exp are so ubiquitous in hybrid system models that the package builds their definitions in automatically without requiring users to write them explicitly. In addition, although arithmetic involving those functions is undecidable [Göd31,Ric68], KeYmaera X can export those functions whenever its external arithmetic tools have partial arithmetic support for them.

3.2 Intermediate and User-Level Proof Automation
The package automatically proves three important lemmas about user-defined functions that can be transparently reused in all subsequent proofs:
1. It proves the side condition of axiom FI using KeYmaera X's automation for proving sufficient duration existence of solutions for ODEs [TP21], which automatically shows global existence of solutions for all affine ODEs and some univariate nonlinear ODEs. As an example of the latter, the hyperbolic tanh function is differentially-defined as the solution of the ODE x' = 1 − x² with initial value x = 0 at t = 0, whose global existence is proved automatically.
3. It proves the differential axiom [Pla17] for each function, which is used to enable syntactic derivative calculations in dL, e.g., the differential axioms for sin, cos are (sin(e))' = cos(e)(e)' and (cos(e))' = −sin(e)(e)', respectively. Briefly, these axioms are automatically derived in a correct-by-construction manner using dL's syntactic version of the chain rule for differentials [Pla17, Fig. 3], so the rate of change of sin(e) is the rate of change of sin(·) with respect to its argument e, multiplied by the rate of change of its argument (e)'.
These lemmas enable the use of differentially-defined functions alongside all existing ODE automation in KeYmaera X [PT20,TP21]. In particular, since differentially-defined functions are univariate Noetherian functions, they admit complete ODE invariance reasoning principles in dL [PT20] as implemented in KeYmaera X.
The package also adds specialized support for arithmetical reasoning over differential definitions to supplement external arithmetic tools in proofs. First, it allows users to manually prove identities and bounds using KeYmaera X's ODE reasoning. For example, the bound tanh(λx)² < 1 used in the example α_n from Section 4 is proved by differential unfolding as follows (see Appendix B):
This deduction step says that, to show the conclusion (below the rule bar), it suffices to prove the premises (above the rule bar), i.e., the bound is true at v = 0 (left premise) and it is preserved as v is evolved forward (v' = 1) or backward (v' = −1) along the real line until it reaches x (right premise). The left premise is proved using the initial value lemma for tanh, while the right premise is proved by ODE invariance reasoning with the differential axiom for tanh [PT20].
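The following Python snippet is an added example, not the package's implementation: it shows how the differential axioms of Section 3.2 (item 3) arise from the chain rule, and then uses them for the tanh(λx)² < 1 bound just described (the same bound is restated in Appendix B). A `Dual` value carries a term's value together with its differential, and a differentially-defined function contributes its derivative rule straight from the right-hand side of its defining ODE: exp' = exp, sin' = cos, cos' = −sin, tanh' = 1 − tanh². Applying such a function to a term e therefore produces (h(e))' = h'(e)·(e)', which is exactly the shape of (sin(e))' = cos(e)(e)' and (tanh(e))' = (1 − tanh(e)²)(e)'. Class and function names, and the finite-difference cross-check, are our own; `math.tanh` etc. are used only to supply function values.

```python
"""Differential axioms by the syntactic chain rule, applied to the tanh bound (added example)."""
import math


class Dual:
    """A term value paired with its differential along the current ODE flow."""

    def __init__(self, val, d):
        self.val, self.d = val, d

    def _coerce(self, o):
        return o if isinstance(o, Dual) else Dual(o, 0.0)  # constants have differential 0

    def __add__(self, o):
        o = self._coerce(o)
        return Dual(self.val + o.val, self.d + o.d)

    __radd__ = __add__

    def __sub__(self, o):
        o = self._coerce(o)
        return Dual(self.val - o.val, self.d - o.d)

    def __rsub__(self, o):
        return self._coerce(o) - self

    def __mul__(self, o):  # product rule (e1 * e2)' = e1' * e2 + e1 * e2'
        o = self._coerce(o)
        return Dual(self.val * o.val, self.d * o.val + self.val * o.d)

    __rmul__ = __mul__

    def __neg__(self):
        return Dual(-self.val, -self.d)

    def __pow__(self, n):  # (e^n)' = n * e^(n-1) * e'
        return Dual(self.val ** n, n * self.val ** (n - 1) * self.d)


def lift(h, dh):
    """Build the differential axiom (h(e))' = dh(h(e)) * (e)' from the ODE right-hand side dh."""
    def apply(e):
        v = h(e.val)
        return Dual(v, dh(v) * e.d)
    return apply


exp_ = lift(math.exp, lambda v: v)            # exp solves e' = e
tanh_ = lift(math.tanh, lambda v: 1 - v * v)  # tanh solves x' = 1 - x^2


# sin and cos are coupled (s' = c, c' = -s), so each rule refers to its partner
def sin_(e):
    return Dual(math.sin(e.val), math.cos(e.val) * e.d)


def cos_(e):
    return Dual(math.cos(e.val), -math.sin(e.val) * e.d)


def deriv(expr, x, rate=1.0):
    """Differential of expr(x) when x evolves with x' = rate (rate = 1 for the forward unfolding)."""
    return expr(Dual(x, rate)).d


def tanh_sq(lam, x):
    """Reference value of tanh(lam * x)^2, for numerical cross-checking only."""
    return math.tanh(lam * x) ** 2


def tanh_sq_bound_derivative(lam, x):
    """Syntactic derivative of tanh(lam*x)^2 along x' = 1: 2*lam*tanh(lam*x)*(1 - tanh(lam*x)^2)."""
    return deriv(lambda v: tanh_(lam * v) ** 2, x)


def darboux_check(lam, x):
    """u = 1 - tanh(lam*x)^2 satisfies u' = (-2*lam*tanh(lam*x)) * u along x' = 1.

    A quantity whose derivative is a cofactor times itself never changes sign,
    which is why the right premise of the unfolding (preservation of u > 0,
    i.e. tanh(lam*x)^2 < 1) is provable by ODE invariance reasoning.
    """
    u = lambda v: 1 - tanh_(lam * v) ** 2
    lhs = deriv(u, x)
    rhs = -2 * lam * math.tanh(lam * x) * (1 - math.tanh(lam * x) ** 2)
    return abs(lhs - rhs) < 1e-9


def finite_difference(fn, x, h=1e-6):
    """Central difference, used only to cross-check the syntactic derivatives."""
    return (fn(x + h) - fn(x - h)) / (2 * h)
```

The left premise of the unfolding (tanh(0) = 0, hence 0 < 1) is the initial value of the defining ODE; `darboux_check` mirrors the right premise, and `finite_difference` is only there to confirm that the syntactically derived rates agree with the numerical ones.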
Second, the package uses KeYmaera X's uniform substitution mechanism [Pla17] to implement (untrusted) abstraction of functions with fresh variables when solving arithmetic subgoals, e.g., the following arithmetic bound for example α_n is proved by abstraction after adding the bounds tanh(λx)² < 1, tanh(λy)² < 1.

4 Examples
The definition package enables users to work with differentially-defined functions in KeYmaera X, including modeling and expressing their design intuitions in proofs. This section applies the package to verify various continuous and hybrid system examples from the literature featuring such functions.
Discretely driven pendulum. The specification φ_s from Fig. 1 contains a discrete loop whose safety property is proved by a loop invariant, i.e., a formula that is preserved by the discrete and continuous dynamics in each loop iteration [Pla18]. The key invariant is Inv ≡ (g/L)(1 − cos θ) + (1/2)ω² < g/L, which expresses that the total energy of the system (sum of potential and kinetic energy on the LHS) is less than the energy needed to cross the horizontal (RHS). The main steps are as follows (proofs for these steps are automated by KeYmaera X):
1. Inv, which shows that the discrete guard only allows push p if it preserves the energy invariant, and
2. Inv → [{θ' = ω, ω' = −(g/L) sin(θ) − kω}]Inv, which shows that Inv is an energy invariant of the pendulum's ODE.
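As an added example (our own code, not the KeYmaera X proof), the two proof steps above can be mirrored numerically. The first step is read as: a push ω := ω + p is admitted by the guard only when Inv still holds afterwards (the guard's exact formula is not on this page, so this is our reading of step 1). The second step is the standard differential invariant check: the Lie derivative of the energy E ≡ (g/L)(1 − cos θ) + ω²/2 along the pendulum ODE is ∂E/∂θ · θ' + ∂E/∂ω · ω' = (g/L) sin θ · ω + ω(−(g/L) sin θ − kω) = −kω² ≤ 0, so the energy never increases and a state satisfying E < g/L keeps satisfying it. Parameter values and sample states are constructed; function names are ours.

```python
"""Numerical mirror of the pendulum energy invariant proof steps (added example)."""
import math


def energy(theta, omega, g, L):
    """Total energy E = (g/L)(1 - cos theta) + omega^2 / 2 (left-hand side of Inv)."""
    return (g / L) * (1 - math.cos(theta)) + 0.5 * omega ** 2


def inv(theta, omega, g, L):
    """Inv: the energy is strictly below the energy g/L needed to reach the horizontal."""
    return energy(theta, omega, g, L) < g / L


def guarded_push(theta, omega, p, g, L):
    """Step 1: apply the push omega := omega + p only if Inv is preserved; otherwise leave omega."""
    if inv(theta, omega + p, g, L):
        return omega + p
    return omega


def lie_derivative(theta, omega, g, L, k):
    """Step 2: dE/dt along theta' = omega, omega' = -(g/L) sin(theta) - k omega, as grad(E) . f."""
    dE_dtheta = (g / L) * math.sin(theta)
    dE_domega = omega
    f_theta = omega
    f_omega = -(g / L) * math.sin(theta) - k * omega
    return dE_dtheta * f_theta + dE_domega * f_omega


def closed_form(omega, k):
    """The hand-simplified Lie derivative, -k omega^2, which is never positive for k >= 0."""
    return -k * omega ** 2


def check_ode_invariance(g, L, k, samples):
    """True if, on every sample state, the Lie derivative equals -k omega^2 and is <= 0."""
    for theta, omega in samples:
        ld = lie_derivative(theta, omega, g, L, k)
        if abs(ld - closed_form(omega, k)) > 1e-9 or ld > 1e-12:
            return False
    return True


if __name__ == "__main__":
    g, L, k = 9.81, 1.0, 0.1  # constructed parameters
    states = [(0.3, -1.2), (-2.0, 0.5), (0.0, 0.0), (1.0, 3.0)]  # constructed sample states
    print("ODE invariance check:", check_ode_invariance(g, L, k, states))
    print("push 1.0 at rest ->", guarded_push(0.0, 0.0, 1.0, g, L))
    print("push 10.0 at rest ->", guarded_push(0.0, 0.0, 10.0, g, L))
```

The sample-based check is of course no proof; KeYmaera X discharges step 2 symbolically, for all states, from the syntactic derivative −kω² that the differential axioms for sin and cos make available.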
Neuron interaction. The ODE α_n models the interaction between a pair of neurons [Kha92]; its specification φ_n nests dL's diamond and box modalities to express that the system norm √(x² + y²) is asymptotically bounded by 2τ.
The verification of φ_n uses differentially-defined functions in concert with KeYmaera X's symbolic ODE safety and liveness reasoning [TP21]. The proof uses a decaying exponential bound √(x² + y²) ≤ exp(−t/τ)√(x_0² + y_0²) + 2τ(1 − exp(−t/τ)), where the constants x_0, y_0 are symbolic initial values for x, y at initial time t = 0, respectively. Notably, the arithmetic subgoals from this example are all proved using abstraction and differential unfolding (Section 3) without relying on external arithmetic solver support for tanh.
Longitudinal flight dynamics. The differential equations α_a below describe the 6th order longitudinal motion of an airplane while climbing or descending [GP14,Ste04]. The airplane adjusts its pitch angle θ with pitch rate q, which determines its axial velocity u and vertical velocity w, and, in turn, range x and altitude z (illustrated on the right). The physical parameters are: gravity g, mass m, aerodynamic and thrust moment M along the lateral axis, aerodynamic and thrust forces X, Z along x and z, respectively, and the moment of inertia I_yy, see [GP14, Section 6.2].
The verification of specification J → [α_a]J shows that the safety envelope J ≡ J_1 ∧ J_2 ∧ J_3 is invariant along the flow of α_a with algebraic invariants J_i:
Additional examples are available in Appendix B, including: a bouncing ball on a sinusoidal surface [Den15,LZZZ15] and a robot collision avoidance model [MGVP17].

5 Conclusion
This work presents a convenient mechanism for extending the dL term language with differentially-defined functions, thereby furthering the class of real-world systems amenable to modeling and formalization in KeYmaera X. Minimal soundness-critical changes are made to the KeYmaera X kernel, which maintains its trustworthiness while allowing the use of newly defined functions in concert with all existing dL hybrid systems reasoning principles implemented in KeYmaera X. Future work could formally verify these kernel changes by extending the existing formalization of dL [BRV+17]. Further integration of external arithmetic tools [AP10,GKC13,RS07] will also help to broaden the classes of arithmetic sub-problems that can be solved effectively in hybrid systems proofs.

A Proofs
This appendix presents proofs for the lemmas presented in Section 2 that justify the soundness of axiom FI for differentially-defined functions.
Proof of Lemma 1. Let h_φ be a k-ary function symbol with annotated interpretation φ ≡ φ(x_0, x_1, . . . , x_k), where φ characterizes a smooth function, i.e., [[φ]] ⊆ R × R^k is the graph of a smooth C^∞ function ĥ : R^k → R. Soundness of axiom FI is shown by proving its equivalence true in an arbitrary dL state ν. The proof proceeds by calculation with the dL semantics [Pla17,Pla18] extended with the term semantics for interpreted functions from Section 2.
Proof of Lemma 2. Let h_φ be a unary function symbol with annotated interpretation φ ≡ φ(x_0, t) according to the shape specified by formula (3). To prove soundness of axiom FI for h_φ, by Lemma 1, it suffices to show that
Let X̃ = (X̃_0, X̃_1, . . . , X̃_n) ∈ R^{n+1}, T̃ ∈ R denote the constant real values of the terms X = (X_0, X_1, . . . , X_n), T, respectively. By dL formula semantics [Pla17,Pla18], the interpretation φ is true in state (x̃_0, t̃) ∈ R^2 iff there exist x̃_1, . . . , x̃_n ∈ R^n such that either the solution of the forward ODE x' = f(x, t), t' = 1 or the solution of the corresponding backward ODE x' = −f(x, t), t' = −1 reaches the initial state (X̃, T̃). Since solutions of the forward ODE are time-reversed solutions of the backward ODE (and vice versa) [PT20] and variable t tracks the forward progression of time with t' = 1 (or backward with t' = −1), the interpretation φ is true in state (x̃_0, t̃) iff the solution of the nonautonomous ODE x' = f(x, t) from initial state X̃ at time T̃ reaches time t̃ with value x̃_0 for its x_0-coordinate (and there exist real values x̃_1, . . . , x̃_n for the remaining coordinates).
By the Picard-Lindelöf theorem [Pla18, Thm. 2.2], for any initial state X̃ and initial time T̃, the nonautonomous ODE x' = f(x, t) has a unique solution Φ(t) : (a, b) → R^{n+1} on an open time interval t ∈ (a, b) for some −∞ ≤ a < T̃ < b ≤ ∞. In particular, formula φ is true in state (x̃_0, t̃) iff t̃ ∈ (a, b) and the x_0-coordinate of Φ(t̃) is x̃_0. Moreover, Φ(t) is C^∞ smooth in its argument t because the ODE right-hand sides f(x, t) are dL terms with smooth interpretations [Pla17]. Therefore, [[φ]] is the graph of the smooth function Φ_{x_0} : (a, b) → R which projects the x_0-coordinate of the solution Φ(t) at time t ∈ (a, b). Finally, by assumption, formula ∃x_0 φ(x_0, t) is valid, i.e., true for all values of the free variable t. Thus, Φ_{x_0}(t) is defined for all t ∈ (−∞, ∞).
Proof of Proposition 3. The dL ODE safety property Γ ⊢ [x' = f(x) & Q]P expresses that, for all initial states satisfying assumptions Γ, all solutions of the ODE x' = f(x) from those states within domain Q stay in the safe set characterized by formula P. For the purposes of this proof, all formulas are assumed to only mention propositional connectives and (in)equalities over dL terms, i.e., they contain neither first-order quantifiers nor dL's dynamic modalities. The safety property is called polynomial if the formulas Γ, Q, P and the ODE x' = f(x) mention only polynomial terms, i.e., grammar (1) without additional function symbols. The key technique for proving ODE safety properties is to find a suitable invariant I of the ODE [Pla18] such that i) it contains the initial states, Γ ⊢ I, ii) it is safe, I ⊢ P, and iii) solutions of the ODE cannot escape it, I ⊢ [x' = f(x) & Q]I. Formally, formula I is chosen such that all three premises of the following derived dL proof rule are provable.
The formula I is a polynomial invariant iff it only mentions polynomial terms. Notably, dL has complete ODE invariance reasoning principles [PT20], i.e., the premise I ⊢ [x' = f(x) & Q]I is provably equivalent to an arithmetical formula in dL; this completeness result holds not only for polynomial invariants but also for more general term language extensions of dL, including the Noetherian functions [PT20], of which differentially-defined functions are a special case. Consider the following polynomial ODE safety property:
The ODE x' = x(2t − 1), t' = 1 has an explicit solution x(τ) = x_0 exp((t_0 + τ)² − (t_0 + τ)), t(τ) = t_0 + τ for all times τ and initial values x(0) = x_0, t(0) = t_0. The ODE safety property (6) is provable using the invariant I ≡ x ≤ exp(t² − t), where exp(·) is the differentially-definable real exponential function.
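As an added worked derivation (not part of the paper's proof text), the ODE invariance of I ≡ x ≤ exp(t² − t) along x' = x(2t − 1), t' = 1 can be checked by the Lie derivative computation that dL's invariance reasoning performs; the cofactor argument below is the Darboux-style principle, written with the document's symbols:

```latex
\text{Let } p \equiv x - \exp(t^2 - t), \text{ so that } I \equiv p \le 0. \text{ Along } x' = x(2t-1),\ t' = 1:
\\[4pt]
p' \;=\; x' - \exp(t^2 - t)\,(2t-1)\,t' \;=\; x(2t-1) - \exp(t^2 - t)(2t-1) \;=\; (2t-1)\,p .
\\[4pt]
\text{Hence } p' = g \cdot p \text{ with polynomial cofactor } g \equiv 2t - 1, \text{ so } p(\tau) = p(0)\,\exp\!\Big(\int_0^{\tau} g\Big),
\\
\text{and the sign of } p \text{ never changes: } p \le 0 \text{ initially implies } p \le 0 \text{ for all later times, i.e. } I \text{ is invariant.}
```

The same computation with any polynomial candidate in place of exp(t² − t) does not close, which is the point of Proposition 3: the invariant needs the differentially-defined exponential in its syntax, while the ODE and the safety property themselves remain polynomial.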

B Extended Examples
This appendix provides additional details for the examples which were elided in Section 4.
Discretely driven pendulum (KeYmaera X model). The formula φ s from Fig. 1 is shown in the following KeYmaera X model snippet using a sugared definition which automatically inserts interpretation annotations for the trigonometric functions, following (4), (5). The proof of this model is described in Section 4.

Definitions
Real
Neuron interaction (differential unfolding). The general differential unfolding proof rule derived in KeYmaera X is as follows:
This proof rule says that, to show the conclusion P(x) (below the rule bar), it suffices to prove the premises (above the rule bar), i.e., the property P(v_0) is true at an initial value v = v_0 (left premise) and P(v) is preserved as v is evolved forward (v' = 1) or backward (v' = −1) along the real line until it reaches x (right premise). The proof rule is useful when formula P mentions differentially-defined functions because it enables reasoning for those functions using properties of their implicit differential equations. For example, the bound P(x) ≡ tanh(λx)² < 1 used in example α_n from Section 4 is proved by differential unfolding on x with v_0 = 0:
The left premise is proved using the initial value lemma for tanh, i.e., tanh(0) = 0, while the right premise is proved by ODE invariance reasoning with the differential axiom for tanh, i.e., (tanh(e))' = (1 − tanh(e)²)(e)' [PT20]. Both the initial value lemma and the differential axiom for tanh are derived automatically by the definition package (Section 3.2).
Bouncing ball on sinusoidal wave surface. The following hybrid program model α_b of a ball bouncing on a sine wave is drawn from the literature [Den15,LZZZ15]. Compared to the literature, the model α_b given below is parametric in g > 0 and in the proportion 0 ≤ k ≤ 1 of the energy lost in an inelastic collision.
verifies a safety property of α_b: if the ball is released at rest within a trough y < 1 ∧ π/2 < x < 5π/2 of the sinusoidal surface, then it always stays within that trough. This safety property is specified as follows:
The KeYmaera X verification of φ_b uses a bound gy + (1/2)(v_x² + v_y²) < g on the total energy of the system, similar to φ_s. The main proof step is to show that the kinetic energy is reduced on an inelastic collision (or preserved on a fully elastic collision, k = 1), as modeled by the discrete assignments in α_b. This results in the following (simplified) arithmetic subgoal, which proves automatically using the variable abstraction c ≡ cos(x):
Notably, the example is verified fully parametrically in the constants g, k, which makes its direct verification out of reach for numerical techniques [Den15,LZZZ15].
Robot collision avoidance. We model passive orientation safety in robot collision avoidance [MGVP17] to analyze responsibility in collisions with an account of the vision limits of the robot: we consider a robot responsible for collisions with obstacles if it could have stopped before the collision point, or if it ignored the vision limits, but it does not need to actively step out of the way.
The motion of the robot and obstacle are modeled in the differential equations below, where (x, y) is the position of the robot that changes according to the trajectory depicted in Fig. 2a, s ≥ 0 is its driving speed that changes with acceleration a, θ is the angle measuring progress along the trajectory, and ω the angular velocity influenced by steering a_r. The obstacle is at position (x_o, y_o) and drives in a straight line with velocity vector (v_x, v_y).
α_r ≡ x' = −sin(θ)s, y' = cos(θ)s, s' = a, θ' = ω, ω' = a_r, x_o' = v_x, y_o' = v_y & s ≥ 0
The vision limit angle γ of the robot extends symmetrically to the left and right of its direction vector, and the obstacle is at distance d = √((x_o − x)² + (y_o − y)²) from the robot, see Fig. 2b. In order to determine whether an obstacle is visible to the robot, we compute sin(η) by translating and rotating (x_o, y_o) into the robot's local coordinate frame (robot at (0, 0) and direction pointing upwards), and then compare to sin(π/2 − γ/2) of the vision limit angle γ:
The robot controller is allowed to steer and accelerate only if it can stop before hitting any obstacles in its visible range (condition safe_d), and before leaving the area that was visible when making the decision (condition safe_r); otherwise it must use emergency braking:
The collision distance and trajectory distance are computed conservatively using maximum acceleration A for the full reaction time ε followed by full braking b when obstacles approach with maximum speed V. For simplicity, the model is phrased in terms of ‖·‖_∞, and so the verification succeeds by exploiting sin²(θ) + cos²(θ) = 1 and by remembering the state at the time of the robot's decision in order to determine who is at fault in case of a collision.