# Loading the ROS node model

First we need to load the ROS node model in Imandra. We do that using `System.mod_use` and load the messaging module and the model module: 

In [1]:
System.mod_use ~quiet:true "src-messages/ros_message.ml";;
System.mod_use ~quiet:true "src-model/ros_model.ml";;

open Ros_model;;
open Ros_message;;

- : unit = ()
- : unit = ()


The model has a `state` datatype and a `one_step : state -> state` transition function.

In [2]:
#show state;;

type nonrec state = {
  mode : Ros_model.mode;
  incoming : Ros_model.incoming option;
  outgoing : Ros_model.outgoing option;
}


The `state` contains two "slots" for incoming and outgoing messages and a `mode` value that describes the current  behaviour mode of our robot:

In [3]:
#show mode;;

type nonrec mode = Stopped | Turning | Driving | Error


Our robot starts in the `Stopped`  mode and then transitions between `Turning` and `Driving` modes, reacting to the sensor inputs. 

In [4]:
one_step;;

- : Ros_model.state -> Ros_model.state = <fun>


# Verifying error mode transition

First thing that we want to verify it that our node will not go into an `Error` mode unless it receives an invalid message.  We can formalize this statement as the following logical expression:

$$ \forall s. ( Mode(s) \ne Error) \,\&\, Valid(IncomingMessage(s)) \,\Rightarrow\, (Mode(one\_step(s)) \ne Error) $$

Meaning that for every state $s$, if the state is not already in the `Error` mode and its incoming message is valid, then the state's mode after we've called `one_step` on it is never the `Error` mode.  

We can almost literally encode this formal excpresson as an Imandra `theorem`:

In [5]:
theorem error_state_invalid_message state =
  match state.incoming with None -> true | Some msg -> 
  (  state.mode <> Error 
  && valid_incoming msg  
  ) ==> (one_step state).mode <> Error


val error_state_invalid_message : Ros_model.state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.006s
details,"Expandsmt_stats(:added-eqs 164  :conflicts 14  :datatype-accessor-ax 37  :datatype-constructor-ax 16  :datatype-splits 8  :decisions 21  :del-clause 19  :max-memory 16.21  :memory 10.43  :minimized-lits 2  :mk-bool-var 132  :mk-clause 43  :num-allocs 527483565  :num-checks 2  :propagations 59  :rlimit-count 67348) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-9f490c80-3407-48af-8604-f278e8d3b4dd';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 164  :conflicts 14  :datatype-accessor-ax 37  :datatype-constructor-ax 16  :datatype-splits 8  :decisions 21  :del-clause 19  :max-memory 16.21  :memory 10.43  :minimized-lits 2  :mk-bool-var 132  :mk-clause 43  :num-allocs 527483565  :num-checks 2  :propagations 59  :rlimit-count 67348)

0,1
into,"(:var_0:.Ros_model.incoming = None  || not  (not (:var_0:.Ros_model.mode = Ros_model.Error)  && (not Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  || List.length  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  = 5))) || not  ((if :var_0:.Ros_model.mode = Ros_model.Error  then  {Ros_model.mode = :var_0:.Ros_model.mode;  Ros_model.incoming = :var_0:.Ros_model.incoming;  Ros_model.outgoing = None}  else  if :var_0:.Ros_model.incoming = None  then  {Ros_model.mode = :var_0:.Ros_model.mode;  Ros_model.incoming = :var_0:.Ros_model.incoming;  Ros_model.outgoing = None}  else  if not Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  || List.length  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  = 5  then … else …).Ros_model.mode  = Ros_model.Error)"
expansions,[]
rewrite_steps,
forward_chaining,


One can see that the theorem is "Proven", meaning that the 

# Verifying stopping if facing a wall

Let us verify some more complex statement about our model -- lets prove that if the robot senses that it is too close to the wall, then it always attemps to either stop or backpedal from it. More precisely, if the front-facing sensor shows a range that is too close (say, less than 0.5 m), then our node always sends out a `Twist` message with `linear.x` velocity that is less or equal to zero.

We create two helper functions that get the range of the front sensor and check that the outgoing message is a `Twist` message and its velocity is not positive:

In [6]:
let get_front_sensor_range state =
  match state.incoming with 
  | Some (Sensor sensor) -> List.nth 2 sensor.Sensor_msgs.ranges 
  | _ -> None 

let no_positive_outgoing_velocity state =
  match state.outgoing with 
  | Some (Twist twist) -> twist.Geometry_msg.linear.x <= 0
  | _ -> false

val get_front_sensor_range : Ros_model.state -> Ros_message.number option =
  <fun>
val no_positive_outgoing_velocity : Ros_model.state -> bool = <fun>


Now we can attempt to prove our goal. We require that the state incoming message is a valid `Sensor` message with the front sensor range < 0.5 m, and we want to prove that after we apply `one_call` to the state -- there is always a `Twist` message with non-positive velocity:

In [7]:
theorem wrong_stop_if_front_sensor_close state =
  match state.incoming with None -> true | Some msg -> 
  match get_front_sensor_range state with None -> true | Some range_front ->
  let state' = one_step state in
  (  range_front < 500
  && valid_incoming msg  
  ) ==> 
  no_positive_outgoing_velocity state' 

val wrong_stop_if_front_sensor_close : Ros_model.state -> bool = <fun>
module CX : sig val state : Ros_model.state end
[31;1mError[0m: wrong_stop_if_front_sensor_close is not a theorem.


0,1
ground_instances,17
definitions,0
inductions,0
search_time,0.036s
details,"Expandsmt_stats(:added-eqs 2050  :arith-add-rows 25  :arith-assert-diseq 2  :arith-assert-lower 48  :arith-assert-upper 32  :arith-bound-prop 1  :arith-conflicts 1  :arith-eq-adapter 35  :arith-fixed-eqs 14  :arith-pivots 11  :conflicts 61  :datatype-accessor-ax 116  :datatype-constructor-ax 194  :datatype-occurs-check 6202  :datatype-splits 276  :decisions 923  :del-clause 137  :final-checks 55  :max-memory 16.21  :memory 13.81  :minimized-lits 3  :mk-bool-var 850  :mk-clause 187  :num-allocs 551157971  :num-checks 35  :propagations 846  :rlimit-count 84003) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-32cf71b7-69cb-49f5-a9f3-2d3db117781c';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 2050  :arith-add-rows 25  :arith-assert-diseq 2  :arith-assert-lower 48  :arith-assert-upper 32  :arith-bound-prop 1  :arith-conflicts 1  :arith-eq-adapter 35  :arith-fixed-eqs 14  :arith-pivots 11  :conflicts 61  :datatype-accessor-ax 116  :datatype-constructor-ax 194  :datatype-occurs-check 6202  :datatype-splits 276  :decisions 923  :del-clause 137  :final-checks 55  :max-memory 16.21  :memory 13.81  :minimized-lits 3  :mk-bool-var 850  :mk-clause 187  :num-allocs 551157971  :num-checks 35  :propagations 846  :rlimit-count 84003)

0,1
into,"((:var_0:.Ros_model.incoming = None  || (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0, Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None)  = None)  || not  (not  (500 <=  Option.get  (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0, Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None))  && (not Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  || List.length  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  = 5))) || (Is_a(Ros_model.Twist,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing)  && Is_a(Some,  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing))  && (Destruct(Ros_model.Twist, 0,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then …  else …).Ros_model.outgoing)).Ros_message.Geometry_msg.linear.Ros_message.x  <= 0"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2086  (get.Ros_model.Sensor.0_2177  …
expansions,


In [31]:
instance (fun state -> match state.incoming with None -> true | Some msg -> 
  match get_front_sensor_range state with None -> true | Some range_front ->
  let state' = one_step state in
  (  range_front < 500
  && valid_incoming msg  
  ) ==> 
  no_positive_outgoing_velocity state' )

- : Ros_model.state -> bool = <fun>
module CX : sig val state : Ros_model.state end
[32;1m[✔][0m Instance found.


0,1
ground_instances,4
definitions,0
inductions,0
search_time,0.025s
details,"Expandsmt_stats(:added-eqs 1288  :arith-add-rows 2  :arith-assert-lower 53  :arith-assert-upper 61  :arith-bound-prop 1  :arith-eq-adapter 26  :arith-fixed-eqs 7  :arith-pivots 4  :conflicts 32  :datatype-accessor-ax 97  :datatype-constructor-ax 135  :datatype-occurs-check 2463  :datatype-splits 145  :decisions 537  :del-clause 15  :final-checks 24  :max-memory 22.29  :memory 21.98  :minimized-lits 6  :mk-bool-var 525  :mk-clause 104  :num-allocs 714683596  :num-checks 9  :propagations 470  :rlimit-count 141950) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-1c81c997-43de-4bab-9aed-d14c88aab038';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 1288  :arith-add-rows 2  :arith-assert-lower 53  :arith-assert-upper 61  :arith-bound-prop 1  :arith-eq-adapter 26  :arith-fixed-eqs 7  :arith-pivots 4  :conflicts 32  :datatype-accessor-ax 97  :datatype-constructor-ax 135  :datatype-occurs-check 2463  :datatype-splits 145  :decisions 537  :del-clause 15  :final-checks 24  :max-memory 22.29  :memory 21.98  :minimized-lits 6  :mk-bool-var 525  :mk-clause 104  :num-allocs 714683596  :num-checks 9  :propagations 470  :rlimit-count 141950)

0,1
into,"((:var_0:.Ros_model.incoming = None  || (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0, Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None)  = None)  || not  (not  (500 <=  Option.get  (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0, Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None))  && (not Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  || List.length  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  = 5))) || (Is_a(Ros_model.Twist,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing)  && Is_a(Some,  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing))  && (Destruct(Ros_model.Twist, 0,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then …  else …).Ros_model.outgoing)).Ros_message.Geometry_msg.linear.Ros_message.x  <= 0"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,


In [8]:
CX.state

File "jupyter cell 8", line 1, characters 0-8:
Error: Unbound module CX


We've failed to prove the theorem, and Imandra gave us a conunter example `CX` module. This module contains a state, that refutes the statement of the theorem we've attempted to prove. Lets check the outgoing message if we pass the state into the `one_step`:

In [29]:
CX.state

File "jupyter cell 29", line 1, characters 0-8:
Error: Unbound module CX


In [20]:
theorem stop_if_front_sensor_close state =
  match state.incoming with None -> true | Some msg -> 
  match get_front_sensor_range state with None -> true | Some range_front ->
  let state' = one_step state in
  (  range_front < 500 
  && state.mode <> Error
  && valid_incoming msg  
  ) ==> 
  no_positive_outgoing_velocity state' 

val stop_if_front_sensor_close : Ros_model.state -> bool = <fun>


0,1
ground_instances,14
definitions,0
inductions,0
search_time,0.024s
details,"Expandsmt_stats(:added-eqs 1541  :arith-add-rows 17  :arith-assert-diseq 24  :arith-assert-lower 72  :arith-assert-upper 28  :arith-bound-prop 1  :arith-eq-adapter 29  :arith-fixed-eqs 11  :arith-pivots 9  :conflicts 60  :datatype-accessor-ax 98  :datatype-constructor-ax 149  :datatype-occurs-check 5329  :datatype-splits 245  :decisions 733  :del-clause 189  :final-checks 46  :max-memory 16.80  :memory 16.80  :minimized-lits 3  :mk-bool-var 689  :mk-clause 207  :num-allocs 574346420  :num-checks 30  :propagations 722  :rlimit-count 98343) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-4710cfab-c7a4-4717-b838-84e80819f0e5';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 1541  :arith-add-rows 17  :arith-assert-diseq 24  :arith-assert-lower 72  :arith-assert-upper 28  :arith-bound-prop 1  :arith-eq-adapter 29  :arith-fixed-eqs 11  :arith-pivots 9  :conflicts 60  :datatype-accessor-ax 98  :datatype-constructor-ax 149  :datatype-occurs-check 5329  :datatype-splits 245  :decisions 733  :del-clause 189  :final-checks 46  :max-memory 16.80  :memory 16.80  :minimized-lits 3  :mk-bool-var 689  :mk-clause 207  :num-allocs 574346420  :num-checks 30  :propagations 722  :rlimit-count 98343)

0,1
into,"((:var_0:.Ros_model.incoming = None  || (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0, Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None)  = None)  || not  ((not  (500 <=  Option.get  (if Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  && Is_a(Some, :var_0:.Ros_model.incoming)  then  List.nth 2  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  else None))  && not (:var_0:.Ros_model.mode = Ros_model.Error))  && (not Is_a(Ros_model.Sensor, Option.get :var_0:.Ros_model.incoming)  || List.length  (Destruct(Ros_model.Sensor, 0,  Option.get :var_0:.Ros_model.incoming)).Ros_message.Sensor_msgs.ranges  = 5))) || (Is_a(Ros_model.Twist,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing)  && Is_a(Some,  (if :var_0:.Ros_model.mode = Ros_model.Error then … else …).Ros_model.outgoing))  && (Destruct(Ros_model.Twist, 0,  Option.get  (if :var_0:.Ros_model.mode = Ros_model.Error then …  else …).Ros_model.outgoing)).Ros_message.Geometry_msg.linear.Ros_message.x  <= 0"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,

0,1
expr,(let ((a!1 (Ros_message.Sensor_msgs.ranges_2408  (get.Ros_model.Sensor.0_2499  …
expansions,
