# Loading the ROS node model

First we need to load the ROS node model in Imandra. We do that using `System.mod_use` to first load the necessary messaging modules: 

In [1]:
System.mod_use ~quiet:true "src-messages/basic_types.ml";;
System.mod_use ~quiet:true "src-messages/std_msgs.ml";;
System.mod_use ~quiet:true "src-messages/rosgraph_msgs.ml";;
System.mod_use ~quiet:true "src-messages/geometry_msgs.ml";;
System.mod_use ~quiet:true "src-messages/sensor_msgs.ml";;
System.mod_use ~quiet:true "src-model/ros_complex_model.ml";;
open Ros_complex_model;;

- : unit = ()
- : unit = ()
- : unit = ()
- : unit = ()
- : unit = ()
- : unit = ()


The model has a `state` datatype and a `one_step : state -> state` transition function.

In [2]:
#show state;;

type nonrec state = {
  mode : Ros_complex_model.mode;
  incoming : Ros_complex_model.incoming option;
  outgoing : Ros_complex_model.outgoing option;
}


The `state` contains two "slots" for incoming and outgoing messages and a `mode` value that describes the current  behaviour mode of our robot:

In [3]:
#show mode;;

type nonrec mode = Stopped | Turning | Driving | Error


Our robot starts in the `Stopped`  mode and then transitions between `Turning` and `Driving` modes, reacting to the sensor inputs. 

In [4]:
one_step;;

- : Ros_complex_model.state -> Ros_complex_model.state = <fun>


# Verifying error mode transition

First thing that we want to verify it that our node will not go into an `Error` mode unless it receives an invalid message.  We can formalize this statement as the following logical expression:

$$ \forall s. ( Mode(s) \ne Error) \,\land\, Valid(IncomingMessage(s)) \,\Rightarrow\, (Mode(one\_step(s)) \ne Error) $$

Meaning that for every state $s$, if the state is not already in the `Error` mode and its incoming message is valid, then the state's mode after we've called `one_step` on it is never the `Error` mode.  

We can almost literally encode this formal excpresson as an Imandra `theorem`:

In [5]:
theorem error_state_invalid_message state =
  match state.incoming with None -> true | Some msg -> 
  (  state.mode <> Error 
  && valid_incoming msg  
  ) ==> (one_step state).mode <> Error


val error_state_invalid_message : Ros_complex_model.state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.007s
details,"Expandsmt_stats(:added-eqs 209  :conflicts 19  :datatype-accessor-ax 47  :datatype-constructor-ax 31  :datatype-splits 8  :decisions 38  :del-clause 12  :max-memory 16.21  :memory 10.42  :minimized-lits 3  :mk-bool-var 163  :mk-clause 48  :num-allocs 527480132  :num-checks 2  :propagations 98  :rlimit-count 67557  :seq-num-reductions 1) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-81eeaff4-d76f-4dfd-b541-ecfc919a549d';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 209  :conflicts 19  :datatype-accessor-ax 47  :datatype-constructor-ax 31  :datatype-splits 8  :decisions 38  :del-clause 12  :max-memory 16.21  :memory 10.42  :minimized-lits 3  :mk-bool-var 163  :mk-clause 48  :num-allocs 527480132  :num-checks 2  :propagations 98  :rlimit-count 67557  :seq-num-reductions 1)

0,1
into,"(:var_0:.Ros_complex_model.incoming = None  || not  (not (:var_0:.Ros_complex_model.mode = Ros_complex_model.Error)  && (not  Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  || List.length  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  = 5))) || not  ((if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error  then  {Ros_complex_model.mode = :var_0:.Ros_complex_model.mode;  Ros_complex_model.incoming = :var_0:.Ros_complex_model.incoming;  Ros_complex_model.outgoing = None}  else  if :var_0:.Ros_complex_model.incoming = None  then  {Ros_complex_model.mode = :var_0:.Ros_complex_model.mode;  Ros_complex_model.incoming = :var_0:.Ros_complex_model.incoming;  Ros_complex_model.outgoing = None}  else  if not  Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  || List.length  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  = 5  then … else …).Ros_complex_model.mode  = Ros_complex_model.Error)"
expansions,[]
rewrite_steps,
forward_chaining,


One can see that the theorem is "Proven", meaning that Imandra has formally checked that this property holds for all possible input states. 

Let's also verify that in the `Error` mode our model ingnores all the incoming messages:

In [6]:
theorem error_state_ignores_messages state =
  match state.incoming with None -> true | Some msg -> 
  (  state.mode = Error 
  && state.outgoing = None
  ) ==> state.outgoing = None

val error_state_ignores_messages : Ros_complex_model.state -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.009s
details,"Expandsmt_stats(:max-memory 16.21  :memory 13.28  :mk-bool-var 5  :num-allocs 560187240  :rlimit-count 67611) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-748eccb7-cc88-45a1-8eac-84f37ec315ea';  fold.hydrate(target); });"

0,1
smt_stats,(:max-memory 16.21  :memory 13.28  :mk-bool-var 5  :num-allocs 560187240  :rlimit-count 67611)

0,1
into,(:var_0:.Ros_complex_model.incoming = None  || not  (:var_0:.Ros_complex_model.mode = Ros_complex_model.Error  && :var_0:.Ros_complex_model.outgoing = None)) || :var_0:.Ros_complex_model.outgoing = None
expansions,[]
rewrite_steps,
forward_chaining,


# Verifying stopping if facing a wall

Let us verify some more complex statement about our model -- lets prove that if the robot senses that it is too close to the wall, then it always attemps to either stop or backpedal from it. More precisely, if the front-facing sensor shows a range that is too close (say, less than 0.5 m), then our node always sends out a `Twist` message with `linear.x` velocity that is less or equal to zero.

We create two helper functions that get the range of the front sensor and check that the outgoing message is a `Twist` message and its velocity is not positive:

In [7]:
let get_front_sensor_range state =
  match state.incoming with 
  | Some (Sensor sensor) -> List.nth 2 sensor.Sensor_msgs.laserScan_ranges 
  | _ -> None 

let no_positive_outgoing_velocity state =
let open Geometry_msgs in
  match state.outgoing with 
  | Some (Twist twist) -> twist.twist_linear.vector3_x <= 0
  | _ -> false

val get_front_sensor_range :
  Ros_complex_model.state -> Basic_types.float32 option = <fun>
val no_positive_outgoing_velocity : Ros_complex_model.state -> bool = <fun>


Now we can attempt to prove our goal. We require that the state incoming message is a valid `Sensor` message with the front sensor range < 0.5 m, and we want to prove that after we apply `one_call` to the state -- there is always a `Twist` message with non-positive velocity:

In [8]:
verify (fun  state ->
  match state.incoming with None -> true | Some msg -> 
  match get_front_sensor_range state with None -> true | Some range_front ->
  let state' = one_step state in
  (  range_front < 50000
  && valid_incoming msg  
  ) ==> 
  no_positive_outgoing_velocity state' 
)

- : Ros_complex_model.state -> bool = <fun>
module CX : sig val state : Ros_complex_model.state end


0,1
ground_instances,17
definitions,0
inductions,0
search_time,0.045s
details,"Expandsmt_stats(:added-eqs 1910  :arith-add-rows 21  :arith-assert-diseq 4  :arith-assert-lower 97  :arith-assert-upper 39  :arith-bound-prop 1  :arith-conflicts 1  :arith-eq-adapter 37  :arith-fixed-eqs 12  :arith-pivots 9  :conflicts 52  :datatype-accessor-ax 101  :datatype-constructor-ax 169  :datatype-occurs-check 6854  :datatype-splits 199  :decisions 836  :del-clause 152  :final-checks 53  :max-memory 16.21  :memory 16.03  :minimized-lits 5  :mk-bool-var 785  :mk-clause 192  :num-allocs 582576704  :num-checks 35  :propagations 791  :rlimit-count 83381  :seq-num-reductions 1) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-8091c90b-a373-4c88-8e86-964ca8297710';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 1910  :arith-add-rows 21  :arith-assert-diseq 4  :arith-assert-lower 97  :arith-assert-upper 39  :arith-bound-prop 1  :arith-conflicts 1  :arith-eq-adapter 37  :arith-fixed-eqs 12  :arith-pivots 9  :conflicts 52  :datatype-accessor-ax 101  :datatype-constructor-ax 169  :datatype-occurs-check 6854  :datatype-splits 199  :decisions 836  :del-clause 152  :final-checks 53  :max-memory 16.21  :memory 16.03  :minimized-lits 5  :mk-bool-var 785  :mk-clause 192  :num-allocs 582576704  :num-checks 35  :propagations 791  :rlimit-count 83381  :seq-num-reductions 1)

0,1
into,"((:var_0:.Ros_complex_model.incoming = None  || (if Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  && Is_a(Some, :var_0:.Ros_complex_model.incoming)  then  List.nth 2  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  else None)  = None)  || not  (not  (50000 <=  Option.get  (if Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  && Is_a(Some, :var_0:.Ros_complex_model.incoming)  then  List.nth 2  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  else None))  && (not  Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  || List.length  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  = 5))) || (Is_a(Ros_complex_model.Twist,  Option.get  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error then …  else …).Ros_complex_model.outgoing)  && Is_a(Some,  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error then …  else …).Ros_complex_model.outgoing))  && (Destruct(Ros_complex_model.Twist, 0,  Option.get  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error  then … else …).Ros_complex_model.outgoing)).Geometry_msgs.twist_linear.Geometry_msgs.vector3_x  <= 0"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,


We've failed to prove the theorem, and Imandra gave us a conunter example `CX` module. This module contains a state, that refutes the statement of the theorem we've attempted to prove. Lets check what is the incoming sensor range. And which outgoing message we get if we pass the state into the `one_step`:

In [9]:
get_front_sensor_range CX.state;;
(one_step CX.state).outgoing;;

- : Basic_types.float32 option = Some 49961
- : Ros_complex_model.outgoing option = None


The incoming sensor range is `49961` and it is, indeed, less than `50000`. But we have no outgoing message -- because the node is in the `Error` mode: 

In [10]:
CX.state.mode

- : Ros_complex_model.mode = Error


In the `Error` mode we are ignoring all the inputs -- so we are not getting any outgoing message (as we've proven in the theorem `error_state_ignores_messages` in the previous section). Adding the requirement that the input state is not in the `Error` mode, we successfully prove the theorem:

In [11]:
theorem stop_if_front_sensor_close state =
  match state.incoming with None -> true | Some msg -> 
  match get_front_sensor_range state with None -> true | Some range_front ->
  let state' = one_step state in
  (  range_front < 50000 
  && state.mode <> Error
  && valid_incoming msg  
  ) ==> 
  no_positive_outgoing_velocity state' 

val stop_if_front_sensor_close : Ros_complex_model.state -> bool = <fun>


0,1
ground_instances,14
definitions,0
inductions,0
search_time,0.024s
details,"Expandsmt_stats(:added-eqs 1850  :arith-add-rows 13  :arith-assert-diseq 32  :arith-assert-lower 108  :arith-assert-upper 36  :arith-bound-prop 1  :arith-eq-adapter 37  :arith-fixed-eqs 9  :arith-pivots 7  :conflicts 56  :datatype-accessor-ax 65  :datatype-constructor-ax 111  :datatype-occurs-check 5052  :datatype-splits 104  :decisions 716  :del-clause 179  :final-checks 39  :max-memory 19.02  :memory 18.96  :minimized-lits 4  :mk-bool-var 562  :mk-clause 224  :num-allocs 607751016  :num-checks 30  :propagations 625  :rlimit-count 97047  :seq-num-reductions 1) require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-a015b7dc-3a0c-4613-bb65-cfa31a553b3c';  fold.hydrate(target); });"

0,1
smt_stats,(:added-eqs 1850  :arith-add-rows 13  :arith-assert-diseq 32  :arith-assert-lower 108  :arith-assert-upper 36  :arith-bound-prop 1  :arith-eq-adapter 37  :arith-fixed-eqs 9  :arith-pivots 7  :conflicts 56  :datatype-accessor-ax 65  :datatype-constructor-ax 111  :datatype-occurs-check 5052  :datatype-splits 104  :decisions 716  :del-clause 179  :final-checks 39  :max-memory 19.02  :memory 18.96  :minimized-lits 4  :mk-bool-var 562  :mk-clause 224  :num-allocs 607751016  :num-checks 30  :propagations 625  :rlimit-count 97047  :seq-num-reductions 1)

0,1
into,"((:var_0:.Ros_complex_model.incoming = None  || (if Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  && Is_a(Some, :var_0:.Ros_complex_model.incoming)  then  List.nth 2  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  else None)  = None)  || not  ((not  (50000 <=  Option.get  (if Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  && Is_a(Some, :var_0:.Ros_complex_model.incoming)  then  List.nth 2  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  else None))  && not (:var_0:.Ros_complex_model.mode = Ros_complex_model.Error))  && (not  Is_a(Ros_complex_model.Sensor,  Option.get :var_0:.Ros_complex_model.incoming)  || List.length  (Destruct(Ros_complex_model.Sensor, 0,  Option.get :var_0:.Ros_complex_model.incoming)).Sensor_msgs.laserScan_ranges  = 5))) || (Is_a(Ros_complex_model.Twist,  Option.get  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error then …  else …).Ros_complex_model.outgoing)  && Is_a(Some,  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error then …  else …).Ros_complex_model.outgoing))  && (Destruct(Ros_complex_model.Twist, 0,  Option.get  (if :var_0:.Ros_complex_model.mode = Ros_complex_model.Error  then … else …).Ros_complex_model.outgoing)).Geometry_msgs.twist_linear.Geometry_msgs.vector3_x  <= 0"
expansions,[]
rewrite_steps,
forward_chaining,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,

0,1
expr,(let ((a!1 (Sensor_msgs.laserScan_ranges_2396  (get.Ros_complex_model.Sensor.0_2636  …
expansions,


This illustrates how one can use Imandra to iteratively create theorems and prove their correctness or find logical inconsistencies in either the model or our specifications. 