![Imandrabot](../images/kostya_ros_medium_1.png)

*At AI, we've been working on an IML (Imandra Modelling Language) interface to ROS, allowing one to develop ROS nodes and use Imandra to verify their properties. In this notebook, we will go through creation and verification of a Robotic Operating System (ROS) node in Imandra. We will make a robot control node that controls the motion of a simple 2-wheeler bot:*

![Imandrabot](../images/Imandrabot.png)

We'll create a controller that uses the laser scanner to avoid obstacles and drive around the scene. The Imandra ML code can be compiled in OCaml and plugged into the ROS system - the behaviour of the bot can be observed in the Gazebo simulator.

Then we'll illustrate how to use Imandra to formally verify various statements about the model and how to find bugs and corner cases by exploring the Imandra-generated counterexamples for false conjectures.

# 1. ROS message OCaml types

For our Imandra-ROS project we’ve processed all the standard ROS messages with our code generation tool creating a collection of strongly-typed IML/OCaml bindings for them. But, in order to keep this notebook self-contained we'll define the necessary messaging modules here.  

First, we'll need to declare the message type that will control our robot. This is typically done with a `Twist` message from the `geometry_msgs` standard ROS package. We want to mimic ROS messaging nomenclauture as close as possible, so we'll create an OCaml/Imadra `module` with the same name as the package and will place the necessary type/message declaraions inside:

In [1]:
module Geometry_msgs = struct
  type vector3 = 
    { vector3_x : int
    ; vector3_y : int
    ; vector3_z : int
    }
  type twist = 
    { twist_linear  : vector3
    ; twist_angular : vector3
    }    
end

module Geometry_msgs :
  sig
    type vector3 = { vector3_x : int; vector3_y : int; vector3_z : int; }
    type twist = { twist_linear : vector3; twist_angular : vector3; }
  end


You might have noticed that we've replaced floating point values for vector coordinates with integers. In this context, it is more straight-forward for Imandra to reason about integers, so we assume that there is a common factor of 100,000 multiplying all the incoming floating point values and divides all the outgoing integers. (That effectively makes our unit of measurement of length to be 10 micrometres).

Let's move on and declare the incoming messages: 
 - `LaserScan` sensor input message from the `sensor_msgs` ROS package
 - and the `Clock` message from the `Rosgraph_msg` ROS package  
 
We define the wrapping modules for both messages and declare their datatypes:

In [2]:
module Sensor_msgs = struct
  type laserScan = 
    { laserScan_range_min : int 
    ; laserScan_range_max : int 
    ; laserScan_ranges : int list 
    }
end
module Rosgraph_msgs = struct
  type time = 
    { seconds     : int
    ; nanoseconds : int
    }
  type clock = { clock : time }
end

module Sensor_msgs :
  sig
    type laserScan = {
      laserScan_range_min : int;
      laserScan_range_max : int;
      laserScan_ranges : int list;
    }
  end
module Rosgraph_msgs :
  sig
    type time = { seconds : int; nanoseconds : int; }
    type clock = { clock : time; }
  end


Robotics OS middleware will communicate with our node via messages of these three types. The code that we'll write for of our node will represent the formal mathematical model of the controller algorithm - we can use Imandra to reason and verify various statements about the code. Since IML is valid OCaml, we'll leverage its compiler to create an executable from the verified IML code.

# 2. Creating a simple ROS Node model

We want to create some simple but non-trivial robot controller that makes our bot drive around avoiding the obstacles. The bot is going to drive forward until one of the laser scanner ranges becomes too low, meaning that we've gotten too close to some obstacle - in that case, we want the bot to stop and turn until the scanner tells us that the road ahead is clear. To make the model a bit more complicated, we'd like to implement the ability to choose the turning direction depending on the laser scanner ranges.

One might try to make a "naive" controller that doesn't have any memory about its previous states and observations - such a bot reacts to the currently observed scanner values and decides its actions based solely on that information. Such an approach will quickly lead to the bot being "stuck" in infinite oscillatory loops. E.g. here is a bot that decides which side to turn depending on the first value in the `ranges` array:

![Imandrabot](../images/Stuck.gif)

To avoid this kind of oscillations we need the model to have some memory of its previous states. The idea is to introduce two modes of model's operation: driving forward and turning in one place. The bot is in the "driving" mode by default, but it can transition to the turning mode if it gets dangerously close to surrounding objects.

The turning direction is calculated using the direction of the minimum of the distances that the scanner returns. While the robot is turning in one place, it stores the minimal range that the scanner has detected at that location. If at some point the scanner detects a range that is lower than the stored one - the turning direction gets recalculated, and the minimal range gets updated.

## 2.1 State datatype

Working with Imandra we’ve adopted a standard way to construct formal models of message-driven systems. At the top of the model we have a single OCaml datatype that holds all the data needed to describe the system at a given moment, including incoming and outgoing messages. We call this record type `state`. Together with this `state` type we define a `one_step` transition `state -> state` function, which performs a single logically isolated step of the simulation and returns the new `state` after the transition.

As an example, consider an IML/OCaml type declaration for a simple ROS node that is able to accept `rosgraph_msgs/Clock` and `sensor_msgs/LaserScan` standard ROS messages. We also want the state to store three values: 
 - the current mode of the bot -- whether we are driving forward or turning in a preferred direction
 - the latest minimal value of the ranges that the laser sensor returns
 - the preferred side for the robot to turn -- either clockwise (`CW`) or counter-clockwise (`CCW`) 
 
Finally, we want the node to be able to send `geometry_msgs/Twist` ROS message depending on the stored `min_range` data:

In [3]:
type incoming_msg = 
  | Clock  of Rosgraph_msgs.clock
  | Sensor of Sensor_msgs.laserScan
  
type outgoing_msg =
  | Twist of Geometry_msgs.twist

type direction = CW | CCW 

type mode = Driving | Turning

type state =
  { mode : mode
  ; min_range : int option
  ; direction : direction option
  ; incoming  : incoming_msg option
  ; outgoing  : outgoing_msg option 
  }

type incoming_msg =
    Clock of Rosgraph_msgs.clock
  | Sensor of Sensor_msgs.laserScan
type outgoing_msg = Twist of Geometry_msgs.twist
type direction = CW | CCW
type mode = Driving | Turning
type state = {
  mode : mode;
  min_range : int option;
  direction : direction option;
  incoming : incoming_msg option;
  outgoing : outgoing_msg option;
}


## 2.2 State transition `one_step` function

To implement our node, we'll need a function that scans through a list of values and returns the minimum value and its index. We'll make a generic function `foldi` that does an indexed version of the `List.fold_right`:

In [4]:
let rec foldi ~base ?(i=0) f l =
  match l with
  | [] -> base
  | x :: tail -> f i x ( foldi f ~base ~i:(i+1) tail )

val foldi : base:'a -> ?i:Z.t -> (Z.t -> 'b -> 'a -> 'a) -> 'b list -> 'a =
  <fun>


0,1
original,foldi base *opt* f_2 l
sub,"foldi base (Some ((if Is_a(Some, *opt*) then Option.get *opt* else 0) + 1)) f_2 (List.tl l)"
original ordinal,Ordinal.Int (Ordinal.count l)
sub ordinal,Ordinal.Int (Ordinal.count (List.tl l))
path,[not (l = [])]
proof,"detailed proofsummaryfullground_instances3definitions0inductions0search_time0.010sdetailsExpandsmt_statsnum checks7arith assert lower6arith pivots5rlimit count1908mk clause3datatype occurs check43mk bool var54arith assert upper6datatype splits3decisions7arith add rows15propagations2conflicts7arith fixed eqs5datatype accessor ax5arith conflicts1datatype constructor ax8num allocs562868257final checks6added eqs34del clause1arith eq adapter4memory11.290000max memory19.550000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-ba4838a1-8800-4bf3-967a-0cb0dc3374ff';  fold.hydrate(target); }); Expandstart[0.010s]  not (l = []) && Ordinal.count l >= 0 && Ordinal.count (List.tl l) >= 0  ==> List.tl l = []  || Ordinal.Int (Ordinal.count (List.tl l)) Ordinal.<<  Ordinal.Int (Ordinal.count l)simplifyinto(not  ((not (l = []) && Ordinal.count l >= 0) && Ordinal.count (List.tl l) >= 0)  || List.tl l = []) || Ordinal.Int (Ordinal.count (List.tl l)) Ordinal.<<  Ordinal.Int (Ordinal.count l)expansions[]rewrite_stepsforward_chainingunrollexpr(Ordinal.<<_131 (Ordinal.Int_122 (|count_`ty_1 list`_2228|  (|get.…expansionsunrollexpr(|count_`ty_1 list`_2228| (|get.::.1_2206| l_2217))expansionsunrollexpr(|count_`ty_1 list`_2228| l_2217)expansionsunsat(let ((a!1 (ite (>= (|count_`ty_1 list`_2228| (|get.::.1_2206| l_2217)) 0)  (|count_`… require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-05e0f337-614f-43cb-a4a7-467e57076ecb';  fold.hydrate(target); }); require(['nbextensions/nbimandra/alternatives'], function (alternatives) {  var target = '#alt-bf2d100f-5eac-4c32-ba35-463e296331e6';  alternatives.hydrate(target); }); require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-afa7466b-2db0-4d90-b06b-799f3fa4b23d';  fold.hydrate(target); });"

0,1
ground_instances,3
definitions,0
inductions,0
search_time,0.010s
details,"Expandsmt_statsnum checks7arith assert lower6arith pivots5rlimit count1908mk clause3datatype occurs check43mk bool var54arith assert upper6datatype splits3decisions7arith add rows15propagations2conflicts7arith fixed eqs5datatype accessor ax5arith conflicts1datatype constructor ax8num allocs562868257final checks6added eqs34del clause1arith eq adapter4memory11.290000max memory19.550000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-ba4838a1-8800-4bf3-967a-0cb0dc3374ff';  fold.hydrate(target); });"

0,1
smt_stats,num checks7arith assert lower6arith pivots5rlimit count1908mk clause3datatype occurs check43mk bool var54arith assert upper6datatype splits3decisions7arith add rows15propagations2conflicts7arith fixed eqs5datatype accessor ax5arith conflicts1datatype constructor ax8num allocs562868257final checks6added eqs34del clause1arith eq adapter4memory11.290000max memory19.550000

0,1
num checks,7.0
arith assert lower,6.0
arith pivots,5.0
rlimit count,1908.0
mk clause,3.0
datatype occurs check,43.0
mk bool var,54.0
arith assert upper,6.0
datatype splits,3.0
decisions,7.0

0,1
into,(not  ((not (l = []) && Ordinal.count l >= 0) && Ordinal.count (List.tl l) >= 0)  || List.tl l = []) || Ordinal.Int (Ordinal.count (List.tl l)) Ordinal.<<  Ordinal.Int (Ordinal.count l)
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(Ordinal.<<_131 (Ordinal.Int_122 (|count_`ty_1 list`_2228|  (|get.…
expansions,

0,1
expr,(|count_`ty_1 list`_2228| (|get.::.1_2206| l_2217))
expansions,

0,1
expr,(|count_`ty_1 list`_2228| l_2217)
expansions,


When accepting this function, Imandra constructs its "termination proof" - that means that Imandra managed to prove that recursive calls in this function will not end up in an infinite loop. Imandra proves such things using inductive reasoning and is able to prove further statements about other properties of such functions.

In [5]:
let get_min_range max lst =
  List.fold_right ~base:max
    (fun x a -> if x < a then x else a) lst

val get_min_range : int -> int list -> int = <fun>


On an incoming `Clock` tick we are simply sending out a `Twist` message which tells the robot to either move forward or turn, depending on the mode that it is currently in. We encode it by introducing the `make_twist_message` helper function and the `process_clock_message : state -> state` function.

In [6]:
let make_twist_message v omega=
  let open Geometry_msgs in
  let mkvector x y z =  { vector3_x = x; vector3_y = y; vector3_z = z   } in 
  Twist { twist_linear  = mkvector v 0 0 ; twist_angular = mkvector 0 0 omega }

let process_clock_message state =
  match state.mode with 
  | Driving -> { state with outgoing = Some (make_twist_message 10000 0) } 
  | Turning -> begin
  match state.direction with 
    | None
    | Some ( CW ) -> { state with outgoing = Some (make_twist_message 0   10000) } 
    | Some (CCW ) -> { state with outgoing = Some (make_twist_message 0 (-10000))} 
  end

val make_twist_message : int -> int -> outgoing_msg = <fun>
val process_clock_message : state -> state = <fun>


On incoming `Scan` message, we want to find the minimum of the received ranges and the index of that minimum in the list. Depending on the index, we decide in which direction to turn. To implement this, we create another helper function and the `process_sensor_message` one:

In [7]:
let get_min_and_direction msg =
  let max = msg.Sensor_msgs.laserScan_range_max in
  let lst = msg.Sensor_msgs.laserScan_ranges in
  let min_range = get_min_range max lst in
  let mini = foldi ~base:(max, 0)
    (fun i a b -> if a < fst b then (a,i) else b) in
  let _ , idx = mini lst in
  if idx < List.length lst / 2 then min_range, CW else min_range, CCW

let process_sensor_message state min_range min_direction =
  let dirving_state = 
    { state with mode = Driving; min_range = None; direction = None } in
  let turning_state = 
    { state with 
      mode      = Turning
    ; direction = Some min_direction
    ; min_range = Some min_range 
    } in  
  match state.mode , state.min_range with 
  | Driving , _    -> if min_range < 20000 then turning_state else dirving_state
  | Turning , None -> if min_range > 25000 then dirving_state else turning_state
  | Turning , Some old_range -> 
    if min_range > 25000 then dirving_state
    else if min_range > old_range then state else turning_state

val get_min_and_direction : Sensor_msgs.laserScan -> int * direction = <fun>
val process_sensor_message : state -> int -> direction -> state = <fun>


With the help of these functions, we can create our `one_step` transition function, which just dispatches the messages to the appropriate helper function above.

In [8]:
let one_step state =
  match state.incoming with None -> state | Some in_msg ->
  let state = { state with incoming = None; outgoing = None } in
  match in_msg with 
  | Sensor laserScan -> 
    let min_range, min_direction = get_min_and_direction laserScan in
    process_sensor_message state min_range min_direction
  | Clock  _ -> process_clock_message state

val one_step : state -> state = <fun>


## 2.3 Running the model as a ROS node

Now that we have an early model, let's compile it with our ROS node wrapper into an executable. Here is the model, controlling our "imandrabot" in the Gazebo simulation environment:

![Imandrabot](../images/Imandra_Demo.gif)

# 3. Verifying the ROS node model

Formal verification is the process of reasoning mathematically about the correctness of computer programs. We'll use Imandra to formally verify some properties of the ROS node model we've created.

## 3.1 Verifying outgoing `Twist` message at `Clock` ticks 

Our model is designed in such a way that it updates its state parameters upon `LaserScan` messages and sends out `Twist` control messages in response to `Clock` messages. Let's verify a simple theorem that on every incoming `Clock` message, there is an outgoing `Twist` message. 

We can formally write this statement down as:

$$ \forall s. IsClock(IncomingMessage(s)) \,\Rightarrow\, IsTwist(OutgoingMessage(OneStep(s))) $$

eaning that for every state $s$, if the state contains an incoming message and this message is a `Clock` message, then the state's `outgoing` message is a `Twist` after we've called `one_step` on it.  

We can almost literally encode this formal expression as an Imandra `theorem`:

In [9]:
let is_clock msg = match msg with  Some ( Clock _ ) -> true | _ -> false ;;
let is_twist msg = match msg with  Some ( Twist _ ) -> true | _ -> false ;;

theorem clock_creates_outbound state =
  is_clock state.incoming ==> is_twist (one_step state).outgoing

val is_clock : incoming_msg option -> bool = <fun>
val is_twist : outgoing_msg option -> bool = <fun>
val clock_creates_outbound : state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.007s
details,"Expandsmt_statsnum checks2arith assert lower2rlimit count1799mk clause39mk bool var209arith assert upper2datatype splits26decisions17propagations35conflicts10datatype accessor ax47datatype constructor ax33num allocs582648532added eqs284del clause3arith eq adapter1memory14.260000max memory19.550000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-2d50c510-8cfc-4042-a711-abf2690cad77';  fold.hydrate(target); });"

0,1
smt_stats,num checks2arith assert lower2rlimit count1799mk clause39mk bool var209arith assert upper2datatype splits26decisions17propagations35conflicts10datatype accessor ax47datatype constructor ax33num allocs582648532added eqs284del clause3arith eq adapter1memory14.260000max memory19.550000

0,1
num checks,2.0
arith assert lower,2.0
rlimit count,1799.0
mk clause,39.0
mk bool var,209.0
arith assert upper,2.0
datatype splits,26.0
decisions,17.0
propagations,35.0
conflicts,10.0

0,1
into,"not (Is_a(Clock, Option.get :var_0:.incoming) && Is_a(Some, :var_0:.incoming)) || Is_a(Twist,  Option.get (if :var_0:.incoming = None then :var_0: else …).outgoing)  && Is_a(Some, (if :var_0:.incoming = None then :var_0: else …).outgoing)"
expansions,[]
rewrite_steps,
forward_chaining,


One can see that Imandra says that it "Proved" the theorem, meaning that Imandra has formally checked that this property holds for all possible input states. 

## 3.2 Verifying that we never drive backwards 

As another example, let us check that, no matter what, the node will never send out a message with negative linear velocity.

In [10]:
let no_moving_back msg = 
    let open Geometry_msgs in
    match msg with None -> true 
    | Some (Twist data) -> data.twist_linear.vector3_x >= 0
  
verify ( fun state -> no_moving_back (one_step state).outgoing  )

val no_moving_back : outgoing_msg option -> bool = <fun>
- : state -> bool = <fun>
module CX : sig val state : state end


We have failed to prove the statement and Imandra have created a counterexample `CX` module for us. This module  contains concrete values for the parameters of the verified statement, that violate the statement's condition. Let's examine the value of `CX.state`:

In [11]:
CX.state

- : state =
{mode = Turning; min_range = Some 2282; direction = None; incoming = None;
 outgoing =
  Some
   (Twist
     {Geometry_msgs.twist_linear =
       {Geometry_msgs.vector3_x = -1; vector3_y = 9; vector3_z = 10};
      twist_angular =
       {Geometry_msgs.vector3_x = 11; vector3_y = 12; vector3_z = 13}})}


The counterexample `state` produced by imandra has the `incoming` message set to `None` and the `outgoing` message set to a `Twist` message with negative `linear.x`. Our `one_step` function keeps the state unchanged if the incoming message is empty. 

We can either consider this behavior as a bug and change our `one_step` implementation; or we can consider this a normal behavior and amend our theorem, adding the non-empty incoming message as an extra premise of the theorem: 

In [12]:
theorem never_goes_back state = 
  state.incoming <> None
  ==>
  no_moving_back (one_step state).outgoing  

val never_goes_back : state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.008s
details,"Expandsmt_statsnum checks2arith assert lower3rlimit count2372mk clause48mk bool var282arith assert upper14datatype splits28decisions56propagations162conflicts21datatype accessor ax57minimized lits7arith assert diseq2datatype constructor ax74num allocs631211767added eqs534del clause3arith eq adapter5memory20.910000max memory20.910000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-d61d29fc-3a1f-4799-bfad-aea8dd8caaeb';  fold.hydrate(target); });"

0,1
smt_stats,num checks2arith assert lower3rlimit count2372mk clause48mk bool var282arith assert upper14datatype splits28decisions56propagations162conflicts21datatype accessor ax57minimized lits7arith assert diseq2datatype constructor ax74num allocs631211767added eqs534del clause3arith eq adapter5memory20.910000max memory20.910000

0,1
num checks,2.0
arith assert lower,3.0
rlimit count,2372.0
mk clause,48.0
mk bool var,282.0
arith assert upper,14.0
datatype splits,28.0
decisions,56.0
propagations,162.0
conflicts,21.0

0,1
into,"(:var_0:.incoming = None  || (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).outgoing  = None) || (Destruct(Twist, 0,  Option.get  (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).outgoing)).Geometry_msgs.twist_linear.Geometry_msgs.vector3_x  >= 0"
expansions,[]
rewrite_steps,
forward_chaining,


We've proven that the model never creates negative linear speed in response to any incoming message - alternatively we can set `state.outgoing = None` as a premise, proving that an empty `outgoing` message is never filled with a `Twist` with negative velocity:

In [13]:
theorem never_goes_back_alt state = 
  state.outgoing = None
  ==>
  no_moving_back (one_step state).outgoing  

val never_goes_back_alt : state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.009s
details,"Expandsmt_statsnum checks2arith assert lower3rlimit count2521mk clause51mk bool var265arith assert upper10datatype splits27decisions53propagations178conflicts23datatype accessor ax58minimized lits5arith assert diseq2datatype constructor ax63num allocs663326816added eqs495del clause5arith eq adapter5memory24.860000max memory24.860000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-4d9bb8d7-616d-4394-a1fa-fbf65226c344';  fold.hydrate(target); });"

0,1
smt_stats,num checks2arith assert lower3rlimit count2521mk clause51mk bool var265arith assert upper10datatype splits27decisions53propagations178conflicts23datatype accessor ax58minimized lits5arith assert diseq2datatype constructor ax63num allocs663326816added eqs495del clause5arith eq adapter5memory24.860000max memory24.860000

0,1
num checks,2.0
arith assert lower,3.0
rlimit count,2521.0
mk clause,51.0
mk bool var,265.0
arith assert upper,10.0
datatype splits,27.0
decisions,53.0
propagations,178.0
conflicts,23.0

0,1
into,"(not (:var_0:.outgoing = None)  || (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).outgoing  = None) || (Destruct(Twist, 0,  Option.get  (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).outgoing)).Geometry_msgs.twist_linear.Geometry_msgs.vector3_x  >= 0"
expansions,[]
rewrite_steps,
forward_chaining,


# 4. Inductive proofs. Stopping near objects.

As a final formal verification goal, we want to be able to prove that the robot stops and starts turning if one of the values in the scanner `ranges` is lower than 0.2 meters. In general, reasoning about variable-sized lists requires inductive proofs - and these might require proving some lemmas to guide Imandra to the proof. So, we will first try to prove a simpler version of the theorem - if all the ranges in the incoming laser scan message are less than 0.2 meters, then we definitely transition to the `Turning` state. We'll try to encode our theorem using `List.for_all` standard function:

In [14]:
verify ( fun state ->
  let open Sensor_msgs in
  match state.incoming with None | Some (Clock _ ) -> true 
  | Some ( Sensor data ) ->
  (  List.for_all (fun x -> x < 20000) data.laserScan_ranges    
  ) ==> (one_step state).mode = Turning
)

- : state -> bool = <fun>
module CX : sig val state : state end


We have failed to prove the statement and Imandra has created a counterexample `CX` module for us. Examining the counterexample state we notice that the incoming `laserScan_ranges list` is empty.

In [15]:
CX.state

- : state =
{mode = Turning; min_range = Some 7719; direction = None;
 incoming =
  Some
   (Sensor
     {Sensor_msgs.laserScan_range_min = 3; laserScan_range_max = 25001;
      laserScan_ranges = []});
 outgoing = None}


Adding the extra requirement that the list is not `[]`, we successfully verify the statement:

In [16]:
theorem stopping_if_for_all state =
  let open Sensor_msgs in
  match state.incoming with None | Some (Clock _ ) -> true 
  | Some ( Sensor data ) ->
  (  data.laserScan_ranges <> []
  && List.for_all (fun x -> x < 20000) data.laserScan_ranges    
  ) ==> (one_step state).mode = Turning

val stopping_if_for_all : state -> bool = <fun>


0,1
ground_instances,4
definitions,0
inductions,0
search_time,0.015s
details,"Expandsmt_statsarith offset eqs5num checks10arith assert lower36arith pivots18rlimit count7652mk clause67datatype occurs check1584mk bool var571arith assert upper46datatype splits49decisions361arith add rows25propagations284conflicts27arith fixed eqs9datatype accessor ax56minimized lits2arith conflicts3arith assert diseq9datatype constructor ax301num allocs734733737final checks12added eqs1385del clause35arith eq adapter18memory32.000000max memory32.000000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-b6254dd7-d38b-4ffa-bcf5-b914b1808b43';  fold.hydrate(target); });"

0,1
smt_stats,arith offset eqs5num checks10arith assert lower36arith pivots18rlimit count7652mk clause67datatype occurs check1584mk bool var571arith assert upper46datatype splits49decisions361arith add rows25propagations284conflicts27arith fixed eqs9datatype accessor ax56minimized lits2arith conflicts3arith assert diseq9datatype constructor ax301num allocs734733737final checks12added eqs1385del clause35arith eq adapter18memory32.000000max memory32.000000

0,1
arith offset eqs,5.0
num checks,10.0
arith assert lower,36.0
arith pivots,18.0
rlimit count,7652.0
mk clause,67.0
datatype occurs check,1584.0
mk bool var,571.0
arith assert upper,46.0
datatype splits,49.0

0,1
into,"((:var_0:.incoming = None  || Is_a(Some, :var_0:.incoming) && Is_a(Clock, Option.get :var_0:.incoming))  || not  (not  ((Destruct(Sensor, 0, Option.get :var_0:.incoming)).Sensor_msgs.laserScan_ranges  = [])  && List.for_all anon_fun.stopping_if_for_all.0  (Destruct(Sensor, 0, Option.get :var_0:.incoming)).Sensor_msgs.laserScan_ranges)) || (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).mode  = Turning"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_range_max_2143  (get.Sensor.0_2723 (get.Some.0_2725 (i…
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_range_max_2143  (get.Sensor.0_2723 (get.Some.0_2725 (i…
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2144  (get.Sensor.0_2723 (get.Some.0_2725 (inco…
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2144  (get.Sensor.0_2723 (get.Some.0_2725 (inco…
expansions,


Imandra successfully proves the `stopping_if_for_all` theorem, but our ultimate goal is to prove the theorem when **some** of the values in `laserScan_ranges` are less than the cutoff. If we simply try to replace the `List.for_all` with `List.exists`, Imandra will fail to either prove or disprove the theorem.  The inductive structure of this proof is too complex for Imandra to figure out automatically without any hints from the user. We need to help it with the overall logic of the proof. To do that we will break this final theorem into several smaller steps, making a rough "sketch" of the inductive proof we want and and ask Imandra to fill in the gaps.

As a first step, we extract the anonymous threshold function and prove a lemma that if the `get_min_range` function returns a value satisfying the threshold, then the conclusion about the `one_step` function holds:

In [17]:
let under_threshold x = x < 20000

lemma lemma1 state =
  let open Sensor_msgs in
  match state.incoming with None | Some (Clock _ ) -> true 
  | Some ( Sensor data ) ->
  (  data.laserScan_ranges <> []
  && under_threshold (get_min_range data.laserScan_range_max data.laserScan_ranges)
  ) ==> (one_step state).mode = Turning

val under_threshold : int -> bool = <fun>
val lemma1 : state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.009s
details,"Expandsmt_statsnum checks2arith assert lower6arith pivots3rlimit count2362mk clause45mk bool var244arith assert upper17datatype splits26decisions60arith add rows1propagations101conflicts16arith fixed eqs2datatype accessor ax49minimized lits1arith conflicts1arith assert diseq1datatype constructor ax57num allocs774595714added eqs361del clause25arith eq adapter5memory35.710000max memory35.710000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-e5209cfa-98c8-4f96-af2d-295805128d4a';  fold.hydrate(target); });"

0,1
smt_stats,num checks2arith assert lower6arith pivots3rlimit count2362mk clause45mk bool var244arith assert upper17datatype splits26decisions60arith add rows1propagations101conflicts16arith fixed eqs2datatype accessor ax49minimized lits1arith conflicts1arith assert diseq1datatype constructor ax57num allocs774595714added eqs361del clause25arith eq adapter5memory35.710000max memory35.710000

0,1
num checks,2.0
arith assert lower,6.0
arith pivots,3.0
rlimit count,2362.0
mk clause,45.0
mk bool var,244.0
arith assert upper,17.0
datatype splits,26.0
decisions,60.0
arith add rows,1.0

0,1
into,"((:var_0:.incoming = None  || Is_a(Some, :var_0:.incoming) && Is_a(Clock, Option.get :var_0:.incoming))  || not  (not  ((Destruct(Sensor, 0, Option.get :var_0:.incoming)).Sensor_msgs.laserScan_ranges  = [])  && not  (20000 <=  List.fold_right anon_fun.get_min_range.0  (Destruct(Sensor, 0, Option.get :var_0:.incoming)).Sensor_msgs.laserScan_range_max  (Destruct(Sensor, 0, Option.get :var_0:.incoming)).Sensor_msgs.laserScan_ranges))) || (if :var_0:.incoming = None then :var_0:  else  if Is_a(Sensor, Option.get :var_0:.incoming)  then if :var_0:.mode = Driving then … else …  else if :var_0:.mode = Driving then … else …).mode  = Turning"
expansions,[]
rewrite_steps,
forward_chaining,


Next, we prove a "bridge" lemma that translates between the `get_min_range`
concept and the `List.exists` concept for the `under_threshold` function. Then, we `[@@apply]` the two lemmas above to prove our final theorem with the `List.exists` condition: these proofs require induction - to tell Imandra to use induction one should add the `[@@induct]` attribute to the theorem declaration:

In [None]:
lemma bridge max lst =
  List.exists under_threshold lst ==> under_threshold (get_min_range max lst)
  [@@induct]

theorem stopping_if_exists state =
  let open Sensor_msgs in
  match state.incoming with None | Some (Clock _ ) -> true 
  | Some ( Sensor data ) ->
  (  data.laserScan_ranges <> []
  && List.exists under_threshold data.laserScan_ranges
  ) ==> (one_step state).mode = Turning
[@@apply lemma1 state]
[@@apply bridge
    (match state.incoming with Some (Sensor data) -> data.laserScan_range_max | _ -> 0)
    (match state.incoming with Some (Sensor data) -> data.laserScan_ranges | _ -> []) ]
[@@induct]