22: Axioms & Uniform Substitutions 15-424: Foundations of - - PowerPoint PPT Presentation

22: Axioms & Uniform Substitutions

15-424: Foundations of Cyber-Physical Systems Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

The Secret for Simpler Sound Hybrid Systems Provers

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 1 / 44

Outline

1

CPS are Multi-Dynamical Systems

2

Uniform Substitution Calculus for Differential Dynamic Logic Uniform Substitution Calculus Axiom vs. Axiom Schema Uniform Substitutions Uniform Substitution Lemmas Differential Axioms Differential Invariants Examples

3

Differential-form Differential Dynamic Logic Syntax Semantics Differential Substitution Lemmas Contextual Congruences Parametric Computational Proofs Static Semantics

4

Summary

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 1 / 44

Outline

1

CPS are Multi-Dynamical Systems

2

Uniform Substitution Calculus for Differential Dynamic Logic Uniform Substitution Calculus Axiom vs. Axiom Schema Uniform Substitutions Uniform Substitution Lemmas Differential Axioms Differential Invariants Examples

3

Differential-form Differential Dynamic Logic Syntax Semantics Differential Substitution Lemmas Contextual Congruences Parametric Computational Proofs Static Semantics

4

Summary

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 1 / 44

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 44

Can you trust a computer to control physics?

Rationale

1 Safety guarantees require analytic foundations. 2 Foundations revolutionized digital computer science & our society. 3 Need even stronger foundations when software reaches out into our

physical world. How can we provide people with cyber-physical systems they can bet their lives on? — Jeannette Wing

Cyber-physical Systems

CPS combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 44

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

CPS Dynamics

CPS are characterized by multiple facets of dynamical systems.

CPS Compositions

CPS combine multiple simple dynamical effects.

Tame Parts

Exploiting compositionality tames CPS complexity.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 3 / 44

CPS Analysis

Challenge (CPS)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 4 / 44

CPS Analysis

Challenge (CPS)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

1 2 3 4 5 6 0.0 0.5 1.0 1.5 2.0 2.5 3.0 3.5

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 4 / 44

CPS Analysis

Differential Dynamic Logic

x = o ∧ b > 0

• init

→

• if(tooClose(x, o)) a := −b
• discrete control

; x′ = v, v′ = a

• ODE

∗ x = o

post

Seq. Compose Nondet. Repeat [α]φ φ α

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 44

Dynamic Logics for Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α

stochastic differential DL

SdL = DL + SHP αφ φ

differential game logic

dGL = GL + HG αφ φ

quantified differential DL

QdL = FOL + DL + QHP

JAR’08,CADE’11,LMCS’12,LICS’12 LICS’12,CADE’15,TOCL’15 Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 6 / 44

Key Contributions

Q: How to build a prover with a small soundness-critical core? A: Uniform substitution [Church] Q: How to enable flexible yet sound reasoning? A: Axioms with local meaning [Philosophy, Algebraic Geometry] Q: What’s the local meaning of a differential equation? A: Differential forms [Differential Geometry] Q: How to do hybrid systems proving? A: Uniform substitution calculus for differential dynamic logic Q: What’s the impact of uniform substitution on a prover core? A: 65 989 ց 1 677 LOC (2.5%) [KeYmaera X]

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 7 / 44

Outline

1

CPS are Multi-Dynamical Systems

2

Uniform Substitution Calculus for Differential Dynamic Logic Uniform Substitution Calculus Axiom vs. Axiom Schema Uniform Substitutions Uniform Substitution Lemmas Differential Axioms Differential Invariants Examples

3

Differential-form Differential Dynamic Logic Syntax Semantics Differential Substitution Lemmas Contextual Congruences Parametric Computational Proofs Static Semantics

4

Summary

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 7 / 44

Differential Dynamic Logic: Axiomatization

[:=] [x := θ]φ(x) ↔ φ(θ) (θ free for x in φ) [?] [?χ]φ ↔ (χ → φ) [∪] [α ∪ β]φ ↔ [α]φ ∧ [β]φ [;] [α; β]φ ↔ [α][β]φ [∗] [α∗]φ ↔ φ ∧ [α][α∗]φ K [α](φ → ψ) → ([α]φ → [α]ψ) I [α∗](φ → [α]φ) → (φ → [α∗]φ) V φ → [α]φ (FV (φ) ∩ BV (α) = ∅) [′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ (t fresh and x′(t) = θ) LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 8 / 44

Differential Dynamic Logic: Axioms

[:=] [x := f ]p(x) ↔ p(f ) [?] [?q]p ↔ (q → p) [∪] [a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [;] [a; b]p(¯ x) ↔ [a][b]p(¯ x) [∗] [a∗]p(¯ x) ↔ p(¯ x) ∧ [a][a∗]p(¯ x) K [a](p(¯ x) → q(¯ x)) → ([a]p(¯ x) → [a]q(¯ x)) I [a∗](p(¯ x) → [a]p(¯ x)) → (p(¯ x) → [a∗]p(¯ x)) V p → [a]p CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 9 / 44

Differential Dynamic Logic: Comparison

[x := f ]p(x) ↔ p(f ) [?q]p ↔ (q → p) [a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [a; b]p(¯ x) ↔ [a][b]p(¯ x) [a∗]p(¯ x) ↔ p(¯ x) ∧ [a][a∗]p(¯ x) [a](p(¯ x) → q(¯ x)) → ([a]p(¯ x) → [a]q(¯ x)) [a∗](p(¯ x) → [a]p(¯ x)) → (p(¯ x) → [a∗]p(¯ x)) p → [a]p [:=] [x := θ]φ(x) ↔ φ(θ) [?] [?χ]φ ↔ (χ → φ) [∪] [α ∪ β]φ ↔ [α]φ ∧ [β]φ [;] [α; β]φ ↔ [α][β]φ [∗] [α∗]φ ↔ φ ∧ [α][α∗]φ K [α](φ → ψ) → ([α]φ → [α]ψ) I [α∗](φ → [α]φ) → (φ → [α∗]φ) V φ → [α]φ [′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ CADE’15 LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 10 / 44

Differential Dynamic Logic: Comparison

[x := f ]p(x) ↔ p(f ) [?q]p ↔ (q → p) Axiom [a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [a; b]p(¯ x) ↔ [a][b]p(¯ x) [a∗]p(¯ x) ↔ p(¯ x) ∧ [a][a∗]p(¯ x) [a](p(¯ x) → q(¯ x)) → ([a]p(¯ x) → [a]q(¯ x)) [a∗](p(¯ x) → [a]p(¯ x)) → (p(¯ x) → [a∗]p(¯ x)) Axiom p → [a]p [:=] [x := θ]φ(x) ↔ φ(θ) [?] [?χ]φ ↔ (χ → φ) Schema [∪] [α ∪ β]φ ↔ [α]φ ∧ [β]φ [;] [α; β]φ ↔ [α][β]φ [∗] [α∗]φ ↔ φ ∧ [α][α∗]φ K [α](φ → ψ) → ([α]φ → [α]ψ) I [α∗](φ → [α]φ) → (φ → [α∗]φ) Schema V φ → [α]φ [′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ CADE’15 LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 10 / 44

Axiom vs. Axiom Schema

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) Axiom [α ∪ β]φ ↔ [α]φ ∧ [β]φ Schema p → [a]p Axiom φ → [α]φ . . . Schema

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 11 / 44

Axiom vs. Axiom Schema

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) Axiom [α ∪ β]φ ↔ [α]φ ∧ [β]φ Schema p → [a]p Axiom φ → [α]φ . . . Schema Pattern match formulas for shape α ∪ β Placeholder α schema variable matcher Same instance

• f φ in

all places

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 11 / 44

Axiom vs. Axiom Schema

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) Axiom [α ∪ β]φ ↔ [α]φ ∧ [β]φ Schema p → [a]p Axiom φ → [α]φ . . . x = 0 → [y′ = 5]x = 0 x = y → [y′ = 5]x = y x = z → [y′ = 5]x = z Schema Pattern match formulas for shape α ∪ β Placeholder α schema variable matcher Same instance

• f φ in

all places

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 11 / 44

Axiom vs. Axiom Schema

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) Axiom [α ∪ β]φ ↔ [α]φ ∧ [β]φ Schema p → [a]p Axiom φ → [α]φ . . . x = 0 → [y′ = 5]x = 0 × x = y → [y′ = 5]x = y x = z → [y′ = 5]x = z special vs. degenerate instances rule out by side conditions Schema Pattern match formulas for shape α ∪ β Placeholder α schema variable matcher Same instance

• f φ in

all places

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 11 / 44

Axiom vs. Axiom Schema: Formula vs. Algorithm

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) Axiom 1 Formula [α ∪ β]φ ↔ [α]φ ∧ [β]φ Schema Algorithm p → [a]p Axiom φ → [α]φ . . . x = 0 → [y′ = 5]x = 0 × x = y → [y′ = 5]x = y x = z → [y′ = 5]x = z special vs. degenerate instances rule out by side conditions Schema Pattern match formulas for shape α ∪ β Placeholder α schema variable matcher Same instance

• f φ in

all places Generic formula. No exceptions.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 11 / 44

Generic Formulas in Axioms are like Generic Points

An analogy from algebraic geometry Axiom schemata with side conditions are like concrete points ∃x ax2 + bx + c = 0 iff b2 ≥ 4ac except a = 0 This Way

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 12 / 44

Generic Formulas in Axioms are like Generic Points

An analogy from algebraic geometry Axiom schemata with side conditions are like concrete points ∃x ax2 + bx + c = 0 iff b2 ≥ 4ac except a = 0 except b = 0 This Way

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 12 / 44

Generic Formulas in Axioms are like Generic Points

An analogy from algebraic geometry Axiom schemata with side conditions are like concrete points ∃x ax2 + bx + c = 0 iff b2 ≥ 4ac except a = 0 except b = 0 except c = 0 This Way

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 12 / 44

Generic Formulas in Axioms are like Generic Points

An analogy from algebraic geometry Axiom schemata with side conditions are like concrete points ∃x ax2 + bx + c = 0 iff b2 ≥ 4ac except a = 0 except b = 0 except c = 0 This Way Axioms Generic formulas in axioms are like generic points ax2 + bx + c = 0 iff x = −b ± √ b2 − 4ac/(2a) Paying attention during substitutions to avoid degenerates (no /0, √−1)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 12 / 44

Axioms vs. Axiom Schemata: Philosophy Affects Provers

Soundness easier: literal formula, not instantiation mechanism An axiom is one formula. Axiom schema is a decision algorithm. Generic formula, not some shape with characterization of exceptions No schema variable or meta variable algorithms No matching mechanisms / unification in prover kernel No side condition subtlety or occurrence pattern checks (per schema) × Need other means of instantiating axioms: uniform substitution (US) US + renaming: isolate static semantics US independent from axioms: modular logic vs. prover separation More flexible by syntactic contextual equivalence × Extra proofs branches since instantiation is explicit proof step

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 13 / 44

Axioms vs. Axiom Schemata: Philosophy Affects Provers

Soundness easier: literal formula, not instantiation mechanism An axiom is one formula. Axiom schema is a decision algorithm. Generic formula, not some shape with characterization of exceptions No schema variable or meta variable algorithms No matching mechanisms / unification in prover kernel No side condition subtlety or occurrence pattern checks (per schema) × Need other means of instantiating axioms: uniform substitution (US) US + renaming: isolate static semantics US independent from axioms: modular logic vs. prover separation More flexible by syntactic contextual equivalence × Extra proofs branches since instantiation is explicit proof step Net win for soundness since significantly simpler prover

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 13 / 44

KeYmaera X Kernel is a Microkernel for Soundness

≈LOC KeYmaera X 1 677 KeYmaera 65 989 KeY 51 328 HOL Light 396 Isabelle/Pure 8 113 Nuprl 15 000 + 50 000 Coq 20 000 HSolver 20 000 Flow∗ 25 000 PHAVer 30 000 dReal 50 000 + millions SpaceEx 100 000 HyCreate2 6 081 + user model analysis

Disclaimer: These self-reported estimates of the soundness-critical lines of code + rules are to be taken with a grain of salt. Different languages, capabilities, styles . . . hybrid prover Java

• general

math hybrid verifier

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 14 / 44

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

US φ σ(φ) provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible)

US

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [x := x + 1 ∪ x′ = 1]x ≥ 0 ↔ [x := x + 1]x ≥ 0 ∧ [x′ = 1]x ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 15 / 44

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

US φ σ(φ) provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function f (θ) for any θ by η(θ) quantifier C(φ) for any φ by ψ(θ) program const. a by α

US

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [x := x + 1 ∪ x′ = 1]x ≥ 0 ↔ [x := x + 1]x ≥ 0 ∧ [x′ = 1]x ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 15 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = for function symbol f ∈ σ

def

= σ(θ + η) = σ((θ)′) = σ(p(θ)) ≡ for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ((θ)′) = σ(p(θ)) ≡ for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = σ(p(θ)) ≡ for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ x := σ(θ) σ(x′ = f (x) & Q) ≡ σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ x := σ(θ) σ(x′ = f (x) & Q) ≡ x′ = σ(f (x)) & σ(Q) if σ {x, x′}-admissible for f (x), Q σ(α ∪ β) ≡ σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ x := σ(θ) σ(x′ = f (x) & Q) ≡ x′ = σ(f (x)) & σ(Q) if σ {x, x′}-admissible for f (x), Q σ(α ∪ β) ≡ σ(α) ∪ σ(β) σ(α; β) ≡ σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ x := σ(θ) σ(x′ = f (x) & Q) ≡ x′ = σ(f (x)) & σ(Q) if σ {x, x′}-admissible for f (x), Q σ(α ∪ β) ≡ σ(α) ∪ σ(β) σ(α; β) ≡ σ(α); σ(β) if σ BV(σ(α))-admissible for β σ(α∗) ≡

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Definition expanded explicitly

σ(f (θ)) = (σ(f ))(σ(θ)) for function symbol f ∈ σ

def

= {· → σ(θ)}(σf (·)) σ(θ + η) = σ(θ) + σ(η) σ((θ)′) = (σ(θ))′ if σ V ∪ V′-admissible for θ σ(p(θ)) ≡ (σ(p))(σ(θ)) for predicate symbol p ∈ σ σ(C(φ)) ≡ σ(C)(σ(φ)) if σ V ∪ V′-admissible for φ, C ∈ σ(φ ∧ ψ) ≡ σ(φ) ∧ σ(ψ) σ(∀x φ) = ∀x σ(φ) if σ {x}-admissible for φ σ([α]φ) = [σ(α)]σ(φ) if σ BV(σ(α))-admissible for φ σ(a) ≡ σa for program constant a ∈ σ σ(x := θ) ≡ x := σ(θ) σ(x′ = f (x) & Q) ≡ x′ = σ(f (x)) & σ(Q) if σ {x, x′}-admissible for f (x), Q σ(α ∪ β) ≡ σ(α) ∪ σ(β) σ(α; β) ≡ σ(α); σ(β) if σ BV(σ(α))-admissible for β σ(α∗) ≡ (σ(α))∗ if σ BV(σ(α))-admissible for α

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 16 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x BV := f ]p(x) ↔ p(f ) Clash [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x FV )} [x := f ]p(x) ↔ p(f ) [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) Clash [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) Clash [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) Correct [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) Clash [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) Correct [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p Clash x ≥ 0 → [ BV x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x FV ≥ 0} (−x)2 ≥ 0 [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Examples

[x := f ]p(x) ↔ p(f ) Clash [x := x + 1]x = x ↔ x + 1 = x σ = {f → x + 1, p(·) → (· = x)} [x := f ]p(x) ↔ p(f ) Correct [x := x2][(z := x+z)∗; z := x+yz]y≥x ↔ [(z := x2+z∗); z := x2+yz]y≥x2 with σ = {f → x2, p(·) → [(z := · + z)∗; z := · + yz]y ≥ ·} p → [a]p Clash x ≥ 0 → [x′ = −1]x ≥ 0 σ = {a → x′ = −1, p → x ≥ 0} (−x)2 ≥ 0 Correct [x′ = −1](−x)2 ≥ 0 by p(¯ x) [a]p(¯ x) σ = {a → x′ = −1, p(·) → (−·)2 ≥ 0}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 17 / 44

Uniform Substitution: Contextual Congruence Example

CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

[x := x2]x ≤ 1 ↔ x2 ≤ 1 [x′ = x3 ∪ x′ = −1][x := x2]x ≤ 1 ↔ [x′ = x3 ∪ x′ = −1]x2 ≤ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 18 / 44

Uniform Substitution: Contextual Congruence Example

CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

[x := x2]x ≤ 1 ↔ x2 ≤ 1 [x′ = x3 ∪ x′ = −1][x := x2]x ≤ 1 ↔ [x′ = x3 ∪ x′ = −1]x2 ≤ 1

Theorem (Soundness) (FV(σ) = ∅)

φ1 . . . φn ψ locally sound implies σ(φ1) . . . σ(φn) σ(ψ) locally sound

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 18 / 44

Uniform Substitution: Contextual Congruence Example

CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

[x := x2]x ≤ 1 ↔ x2 ≤ 1 [x′ = x3 ∪ x′ = −1][x := x2]x ≤ 1 ↔ [x′ = x3 ∪ x′ = −1]x2 ≤ 1

Theorem (Soundness) (FV(σ) = ∅)

φ1 . . . φn ψ locally sound implies σ(φ1) . . . σ(φn) σ(ψ) locally sound Locally sound The conclusion is valid in any interpretation I in which the premises are.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 18 / 44

Correctness of Uniform Substitutions

“Syntactic uniform substitution = semantic replacement”

Lemma (Uniform substitution lemma)

Uniform substitution σ and its adjoint interpretation σ∗

uI to σ for I, u have

the same semantics: [ [σ(θ)] ]Iu = [ [θ] ]σ∗

uIu

u ∈ [ [σ(φ)] ]I iff u ∈ [ [φ] ]σ∗

uI

(u, w) ∈ [ [σ(α)] ]I iff (u, w) ∈ [ [α] ]σ∗

uI

θ σ(θ) [ [σ(θ)] ]Iu [ [θ] ]σ∗

uIu

σ σ∗

uI

I

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 19 / 44

Solving Differential Equations? By Axiom Schema?

[′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ (t fresh and x′(t) = θ) LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 20 / 44

Solving Differential Equations? By Axiom Schema?

[′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ (t fresh and x′(t) = θ) Axiom schema with side conditions:

1 Occurs check: t fresh 2 Solution check: x(·) solves the ODE x′(t) = θ

with x(·) plugged in for x in θ

3 Initial value check: x(·) solves the symbolic IVP x(0) = x

Quite nontrivial soundness-critical algorithms . . . LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 20 / 44

Solving Differential Equations? By Axiom Schema?

[′] [x′ = θ]φ ↔ ∀t≥0 [x := x(t)]φ (t fresh and x′(t) = θ) Axiom schema with side conditions:

1 Occurs check: t fresh 2 Solution check: x(·) solves the ODE x′(t) = θ

with x(·) plugged in for x in θ

3 Initial value check: x(·) solves the symbolic IVP x(0) = x 4 x(·) covers all solutions parametrically

Quite nontrivial soundness-critical algorithms . . . LICS’12

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 20 / 44

Differential Equation Axioms & Differential Axioms

DW [x′ = f (x) & q(x)]q(x) DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

DE [x′ = f (x) & q(x)]p(x, x′) ↔ [x′ = f (x) & q(x)][x′ := f (x)]p(x, x′) DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

DG [x′ = f (x) & q(x)]p(x) ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & q(x)]p(x) DS [x′ = f & q(x)]p(x) ↔ ∀t≥0

• (∀0≤s≤t q(x+fs)) → [x := x+ft]p(x)
• [′:=] [x′ := f ]p(x′) ↔ p(f )

+′ (f (¯ x) + g(¯ x))′ = (f (¯ x))′ + (g(¯ x))′ ·′ (f (¯ x) · g(¯ x))′ = (f (¯ x))′ · g(¯ x) + f (¯ x) · (g(¯ x))′

• ′ [y := g(x)][y′ := 1]
• (f (g(x)))′ = (f (y))′ · (g(x))′

CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 21 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x) y′ = g(x, y)

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Invariants for Differential Equations

Differential Invariant Differential Cut Differential Ghost

t x x′ = f (x) y′ = g(x, y) inv

DI= DI=,∧,∨ DI> DI>,∧,∨ DI≥ DI≥,∧,∨ DI DI≥,=,∧,∨ DI>,=,∧,∨

Logic

Provability theory

Math

Character- istic PDE JLogComput’10,CAV’08,FMSD’09,LMCS’12,LICS’12,ITP’12,CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 22 / 44

Differential Equation Axioms

Axiom (Differential Weakening) (CADE’15)

DW [x′ = f (x) & q(x)]q(x) t x q(x) w u r x′ = f (x) & q(x) ¬q(x) Differential equations cannot leave their evolution domains. Implies: [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)]

• q(x) → p(x)
• Andr´

e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Invariant) (CADE’15)

DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

t x q(x) w u r x′ = f (x) & q(x)

¬ ¬F

F F

Differential invariant: p(x) true now and its differential (p(x))′ true always What’s the differential of a formula??? What’s the meaning of a differential term . . . in a state???

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Effect) (CADE’15)

DE [x′ = f (x) & q(x)]p(x, x′) ↔ [x′ = f (x) & q(x)][x′ := f (x)]p(x, x′) t x q(x) w u r x′ = f (x) & q(x) x′ f (x) Effect of differential equation on differential symbol x′ [x′ := f (x)] instantly mimics continuous effect [x′ = f (x)] on x′ [x′ := f (x)] selects vector field x′ = f (x) for subsequent differentials

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Ghost) (CADE’15)

DG [x′ = f (x) & q(x)]p(x) ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & q(x)]p(x) t x q(x) w u r x′ = f (x) & q(x) y′ = a(x)y + b(x) Differential ghost/auxiliaries: extra differential equations that exist Can cause new invariants “Dark matter” counterweight to balance conserved quantities

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Differential Equation Axioms

Axiom (Differential Solution) (CADE’15)

DS [x′ = f & q(x)]p(x) ↔ ∀t≥0

• (∀0≤s≤t q(x+fs)) → [x := x+ft]p(x)
• t

x q(x) w u r x′ = f (x) & q(x) t x q(x) u w r x′ = f & q(x) Differential solutions: solve differential equations with DG,DC and inverse companions

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 23 / 44

Example: Differential Invariants Don’t Solve. Prove!

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context

G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x)′ = x′·x + x·x′

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0

US

(x·x)′ = (x)′·x + x·(x)′ (x·x)′ = x′·x + x·x′

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field 6 ·′ differential computations are axiomatic (US)

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0

·′ (f (¯

x)·g(¯ x))′ = (f (¯ x))′·g(¯ x)+f (¯ x)·(g(¯ x))′

US

(x·x)′ = (x)′·x + x·(x)′ (x·x)′ = x′·x + x·x′

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field 6 ·′ differential computations are axiomatic (US)

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 ∗

·′ (f (¯

x)·g(¯ x))′ = (f (¯ x))′·g(¯ x)+f (¯ x)·(g(¯ x))′

US

(x·x)′ = (x)′·x + x·(x)′ (x·x)′ = x′·x + x·x′

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 24 / 44

Example: Soundly Solving Differential Equations

1 DG introduces time t, DC cuts solution in, that DI proves and 2 DW exports to postcondition 3 inverse DC removes evolution domain constraints 4 inverse DG removes original ODE 5 DS solves remaining ODE for time

∗

R φ →∀s≥0 (x0 + a

2s2 + v0s ≥ 0) [:=]φ →∀s≥0 [t := 0 + 1s]x0 + a 2t2 + v0t ≥ 0 DSφ →[t′ = 1]x0 + a 2t2 + v0t ≥ 0 DGφ →[v ′ = a, t′ = 1]x0 + a 2t2 + v0t ≥ 0 DGφ →[x′ = v, v ′ = a, t′ = 1]x0 + a 2t2 + v0t ≥ 0 DCφ →[x′ = v, v ′ = a, t′ = 1 & v = v0 + at]x0 + a 2t2 + v0t ≥ 0 DCφ →[x′ = v, v ′ = a, t′ = 1 & v = v0 + at ∧ x = x0 + a 2t2 + v0t]x0 + a 2t2 + v0t ≥ 0 G,Kφ →[x′ = v, v ′ = a, t′ = 1 & v = v0 + at ∧ x = x0 + a 2t2 + v0t](x=x0+ a 2t2+v0t → x≥0) DWφ →[x′ = v, v ′ = a, t′ = 1 & v = v0 + at ∧ x = x0 + a 2t2 + v0t]x ≥ 0 DCφ →[x′ = v, v ′ = a, t′ = 1 & v = v0 + at]x ≥ 0 DCφ →[x′ = v, v ′ = a, t′ = 1]x ≥ 0

φ →∃t [x′ = v, v ′ = a, t′ = 1]x ≥ 0

DGφ →[x′ = v, v ′ = a]x ≥ 0 Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 25 / 44

The Meaning of Prime

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

The Meaning of Prime

Semantics [ [(θ)′] ]Iu =

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

The Meaning of Prime

Semantics [ [(θ)′] ]Iu = depends on the differential equation?

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

The Meaning of Prime Differential Forms

Semantics [ [(θ)′] ]Iu = depends on the differential equation? well-defined in isolated state u at all?

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

The Meaning of Prime Differential Forms

Semantics [ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ] ∂x (u) depends on the differential equation? well-defined in isolated state u at all?

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

The Meaning of Prime Differential Forms

Semantics [ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ] ∂x (u) depends on the differential equation? well-defined in isolated state u at all? → R

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 26 / 44

Differential Substitution Lemmas

Lemma (Differential lemma)

If I, ϕ | = x′ = f (x) ∧ Q for duration r > 0, then for all 0 ≤ ζ ≤ r: Syntactic [ [(θ)′] ]Iϕ(ζ) = d[ [θ] ]Iϕ(t) dt (ζ) Analytic

Lemma (Differential assignment)

If I, ϕ | = x′ = f (x) ∧ Q then I, ϕ | = φ ↔ [x′ := f (x)]φ

Lemma (Derivations)

(f (¯ x) + g(¯ x))′ = (f (¯ x))′ + (g(¯ x))′ (f (¯ x) · g(¯ x))′ = (f (¯ x))′ · g(¯ x) + f (¯ x) · (g(¯ x))′ [y := f (¯ x)][y′ := 1]

• (f (f (¯

x)))′ = (f (y))′ · (f (¯ x))′ for y, y′ ∈ f (¯ x) (f )′ = 0 for arity 0 functions/numb

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 27 / 44

Outline

1

CPS are Multi-Dynamical Systems

2

Uniform Substitution Calculus for Differential Dynamic Logic Uniform Substitution Calculus Axiom vs. Axiom Schema Uniform Substitutions Uniform Substitution Lemmas Differential Axioms Differential Invariants Examples

3

Differential-form Differential Dynamic Logic Syntax Semantics Differential Substitution Lemmas Contextual Congruences Parametric Computational Proofs Static Semantics

4

Summary

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 27 / 44

Differential Equation Axioms

Axiom (Differential Invariant) (CADE’15)

DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

t x q(x) w u r x′ = f (x) & q(x)

¬ ¬F

F F

Differential invariant: p(x) true now and its differential (p(x))′ true always What’s the differential of a formula??? What’s the meaning of a differential term . . . in a state???

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 28 / 44

Differential-form Differential Dynamic Logic: Syntax

Definition (Hybrid program α)

a | x := θ | x′ := θ | ?Q | x′ = f (x) & Q | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ ≥ η | p(θ1, . . . , θk) | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ

Definition (Term θ)

x | x′ | f (θ1, . . . , θk) | θ + η | θ · η | (θ)′

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 29 / 44

Differential-form Differential Dynamic Logic: Syntax

Definition (Hybrid program α)

a | x := θ | x′ := θ | ?Q | x′ = f (x) & Q | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ ≥ η | p(θ1, . . . , θk) | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ

Definition (Term θ)

x | x′ | f (θ1, . . . , θk) | θ + η | θ · η | (θ)′ Discrete Assign Test Condition Differential Equation Nondet. Choice Seq. Compose Nondet. Repeat All Reals Some Reals All Runs Some Runs

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 29 / 44

Differential-form Differential Dynamic Logic: Syntax

Definition (Hybrid program α)

a | x := θ | x′ := θ | ?Q | x′ = f (x) & Q | α ∪ β | α; β | α∗

Definition (dL Formula φ)

θ ≥ η | p(θ1, . . . , θk) | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | αφ

Definition (Term θ)

x | x′ | f (θ1, . . . , θk) | θ + η | θ · η | (θ)′ Program Constant Discrete Assign Differential Assign Differential Symbol Differential

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 29 / 44

Differential-form Differential Dynamic Logic: Semantics

Definition (Term semantics) ([ [·] ] : Trm → (S → R))

[ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ]I ∂x (u) =

• x

u(x′)∂[ [θ] ]IuX

x

∂X

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [C(φ)] ]I = I(C)

• [

[φ] ]I

• [

[αφ] ]I = [ [α] ]I ◦ [ [φ] ]I [ [[α]φ] ]I = [ [¬α¬φ] ]I

Definition (Program semantics) ([ [·] ] : HP → ℘(S × S))

[ [x′ = f (x) & Q] ]I = {(ϕ(0)|{x′}∁, ϕ(r)) : I, ϕ | = x′ = f (x) ∧ Q} [ [α ∪ β] ]I = [ [α] ]I ∪ [ [β] ]I [ [α; β] ]I = [ [α] ]I ◦ [ [β] ]I [ [α∗] ]I =

• [

[α] ]I ∗ =

• n∈N

[ [αn] ]I

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 30 / 44

Differential Substitution Lemmas

Lemma (Differential lemma)

If I, ϕ | = x′ = f (x) ∧ Q for duration r > 0, then for all 0 ≤ ζ ≤ r: Syntactic [ [(η)′] ]Iϕ(ζ) = d[ [η] ]Iϕ(t) dt (ζ) Analytic

Lemma (Differential assignment)

If I, ϕ | = x′ = f (x) ∧ Q then I, ϕ | = φ ↔ [x′ := f (x)]φ

Lemma (Derivations)

(θ + η)′ = (θ)′ + (η)′ (θ · η)′ = (θ)′ · η + θ · (η)′ [y := θ][y′ := 1]

• (f (θ))′ = (f (y))′ · (θ)′

for y, y′ ∈ θ (f )′ = 0 for arity 0 functions/numbers f

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 31 / 44

Differential Equation Axioms & Differential Axioms

DW [x′ = f (x) & q(x)]q(x) DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

DE [x′ = f (x) & q(x)]p(x, x′) ↔ [x′ = f (x) & q(x)][x′ := f (x)]p(x, x′) DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

DG [x′ = f (x) & q(x)]p(x) ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & q(x)]p(x) DS [x′ = f & q(x)]p(x) ↔ ∀t≥0

• (∀0≤s≤t q(x+fs)) → [x := x+ft]p(x)
• [′:=] [x′ := f ]p(x′) ↔ p(f )

+′ (f (¯ x) + g(¯ x))′ = (f (¯ x))′ + (g(¯ x))′ ·′ (f (¯ x) · g(¯ x))′ = (f (¯ x))′ · g(¯ x) + f (¯ x) · (g(¯ x))′

• ′ [y := g(x)][y′ := 1]
• (f (g(x)))′ = (f (y))′ · (g(x))′

CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 32 / 44

Differential Dynamic Logic: Axioms

G p(¯ x) [a]p(¯ x) ∀ p(x) ∀x p(x) MP p → q p q CT f (¯ x) = g(¯ x) c(f (¯ x)) = c(g(¯ x)) CQ f (¯ x) = g(¯ x) p(f (¯ x)) ↔ p(g(¯ x)) CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x)) CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 33 / 44

Example: Differential Invariants Don’t Solve. Prove!

1 DI proves a property of an ODE inductively by its differentials 2 DE exports vector field, possibly after DW exports evolution domain 3 CE+CQ reason efficiently in Equivalence or eQuational context 4 G isolates postcondition 5 [′:=] differential substitution uses vector field

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 (x·x)′ = x′·x + x·x′

CQ

(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 (x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 34 / 44

Example: Syntactic Contextual Congruence by US

CQ f (¯ x) = g(¯ x) p(f (¯ x)) ↔ p(g(¯ x))

CQ

(x · x)′ = x′ · x + x · x′ (x · x)′ ≥ 0 ↔ x′ · x + x · x′ ≥ 0 CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

(x · x ≥ 1)′ ↔ x′ · x + x · x′ ≥ 0 [x′ = x3][x′ := x3](x · x ≥ 1)′ ↔ [x′ = x3][x′ := x3]x′ · x + x · x′ ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 35 / 44

Example: Syntactic Contextual Congruence by US

CQ f (¯ x) = g(¯ x) p(f (¯ x)) ↔ p(g(¯ x))

CQ

(x · x)′ = x′ · x + x · x′ (x · x)′ ≥ 0 ↔ x′ · x + x · x′ ≥ 0 with σ ≈ p(·) → · ≥ 0, f (·) → ((·) · (·))′, g(·) → (·′) · (·) + (·) · (·′) CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

(x · x ≥ 1)′ ↔ x′ · x + x · x′ ≥ 0 [x′ = x3][x′ := x3](x · x ≥ 1)′ ↔ [x′ = x3][x′ := x3]x′ · x + x · x′ ≥ 0 with σ ≈ C( ) → [x′ = x3][x′ := x3] , p(¯ x) → ((·)(·) ≥ 1)′, q(¯ x) → ·′· + · · ·′

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 35 / 44

Example: Syntactic Contextual Congruence by US

CQ f (¯ x) = g(¯ x) p(f (¯ x)) ↔ p(g(¯ x))

CQ

(x · x)′ = x′ · x + x · x′ (x · x)′ ≥ 0 ↔ x′ · x + x · x′ ≥ 0 with σ ≈ p(·) → · ≥ 0, f (¯ x) → (x · x)′, g(¯ x) → x′ · x + x · x′ CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x))

CE

(x · x ≥ 1)′ ↔ x′ · x + x · x′ ≥ 0 [x′ = x3][x′ := x3](x · x ≥ 1)′ ↔ [x′ = x3][x′ := x3]x′ · x + x · x′ ≥ 0 with σ ≈ C( ) → [x′ = x3]p(¯ x) → (x · x ≥ 1)′, q(¯ x) → x′ · x + x · x′ ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 35 / 44

Example: Differential Invariants Parametric

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation

G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation 4 USR instantiates proof by {j(x, x′) → x′ · x + x · x′}

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

R x3·x + x·x3 ≥ 0 x′

(x·x)′ = x′·x + x·x′

USR

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation 4 USR instantiates proof by {j(x, x′) → x′ · x + x · x′}

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1 ∗

R x3·x + x·x3 ≥ 0 x′

(x·x)′ = x′·x + x·x′

USR

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation 4 USR instantiates proof by {j(x, x′) → x′ · x + x · x′}

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1 ∗

R x3·x + x·x3 ≥ 0 US

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

USR

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation 4 USR instantiates proof by {j(x, x′) → x′ · x + x · x′}

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1 ∗

R x3·x + x·x3 ≥ 0 ·′ (f (¯

x)·g(¯ x))′ = (f (¯ x))′·g(¯ x) + f (¯ x)·(g(¯ x))′

US

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

USR

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Parametric

1 Free function j(x, x′) for parametric differential computation 2 Again G,[′:=] to isolate differentially substituted postcondition 3 Construct parametric j(x, x′) by axiomatic differential computation 4 USR instantiates proof by {j(x, x′) → x′ · x + x · x′}

j(x, x3) ≥ 0

[′:=] [x′ := x3]j(x, x′) ≥ 0 G

[x′ = x3][x′ := x3]j(x, x′) ≥ 0 (x·x)′ = j(x, x′)

CQ(x·x)′ ≥ 0 ↔ j(x, x′) ≥ 0

(x·x ≥ 1)′ ↔ j(x, x′) ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1 ∗

R x3·x + x·x3 ≥ 0

∗

·′ (f (¯

x)·g(¯ x))′ = (f (¯ x))′·g(¯ x) + f (¯ x)·(g(¯ x))′

US

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

USR

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 36 / 44

Example: Differential Invariants Computation

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result

R

(x·x)′ = (x·x)′

·′ x′ CT CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves

∗

R

(x·x)′ = (x·x)′

·′ x′ CT CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′

∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′ CT CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′

∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT

∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0 CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT 4 Construct differential invariant computation result forward accordingly

∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0

(x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT 4 Construct differential invariant computation result forward accordingly 5 Resume backward proof with result computed by forward proof right

G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 ∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0

(x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT 4 Construct differential invariant computation result forward accordingly 5 Resume backward proof with result computed by forward proof right

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 ∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0

(x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT 4 Construct differential invariant computation result forward accordingly 5 Resume backward proof with result computed by forward proof right

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 ∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0

(x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Example: Differential Invariants Computation

1 Start with identity differential computation result which proves 2 Construct differential computation result forward by ·′ x′ 3 Embed differential computation result forward by CT 4 Construct differential invariant computation result forward accordingly 5 Resume backward proof with result computed by forward proof right

∗

R

x3·x + x·x3 ≥ 0

[′:=] [x′ := x3]x′·x + x·x′ ≥ 0 G

[x′ = x3][x′ := x3]x′·x+x·x′≥0 ∗

R

(x·x)′ = (x·x)′

·′

(x·x)′ = (x)′·x + x·(x)′

x′

(x·x)′ = x′·x + x·x′

CT(x·x)′ ≥ 0 ↔ x′·x + x·x′ ≥ 0

(x·x ≥ 1)′ ↔ x′·x + x·x′ ≥ 0

CE

[x′ = x3][x′ := x3](x·x ≥ 1)′

DE

[x′ = x3](x·x ≥ 1)′

DI

x·x ≥ 1 →[x′ = x3]x·x ≥ 1

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 37 / 44

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

US φ σ(φ) provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function f (θ) for any θ by η(θ) quantifier C(φ) for any φ by ψ(θ) program const. a by α

US

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [x := x + 1 ∪ x′ = 1]x ≥ 0 ↔ [x := x + 1]x ≥ 0 ∧ [x′ = 1]x ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 38 / 44

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

US φ σ(φ) provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function f (θ) for any θ by η(θ) quantifier C(φ) for any φ by ψ(θ) program const. a by α Modular interface: Prover vs. Logic

US

[a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [x := x + 1 ∪ x′ = 1]x ≥ 0 ↔ [x := x + 1]x ≥ 0 ∧ [x′ = 1]x ≥ 0

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 38 / 44

Correctness of Static Semantics

Lemma (Bound effect lemma) (Only BV(·) change)

If (u, w) ∈ [ [α] ]I, then u = w on BV(α)∁.

Lemma (Coincidence lemma) (Only FV(·) determine truth)

If u = ˜ u on FV(θ) and I = J on Σ(θ), then [ [θ] ]Iu = [ [θ] ]J ˜ u u ∈ [ [φ] ]I iff ˜ u ∈ [ [φ] ]J u w ˜ u ˜ w

• n V ⊇ FV(α)

α α ∃

• n V ∪ MBV(α)
• n BV(α)∁
• n BV(α)∁

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 39 / 44

Correctness of Static Semantics

Lemma (Bound effect lemma) (Only BV(·) change)

If (u, w) ∈ [ [α] ]I, then u = w on BV(α)∁.

Lemma (Coincidence lemma) (Only FV(·) determine truth)

If u = ˜ u on FV(θ) and I = J on Σ(θ), then [ [θ] ]Iu = [ [θ] ]J ˜ u u ∈ [ [φ] ]I iff ˜ u ∈ [ [φ] ]J u w ˜ u ˜ w

• n V ⊇ FV(α)

α α ∃

• n V ∪ MBV(α)
• n BV(α)∁
• n BV(α)∁

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 39 / 44

Differential Dynamic Logic dL: Static Semantics

FV((θ)′) FV(p(θ1, . . . , θk)) FV(C(φ)) FV(φ ∧ ψ) FV(∀x φ) = FV(∃x φ) FV([α]φ) = FV(αφ) FV(a) FV(x := θ) = FV(x′ := θ) FV(?Q) FV(x′ = f (x) & Q) FV(α ∪ β) FV(α; β) FV(α∗)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 40 / 44

Differential Dynamic Logic dL: Static Semantics

FV((θ)′) = FV(θ) FV(p(θ1, . . . , θk)) = FV(θ1) ∪ · · · ∪ FV(θk) FV(C(φ)) = V ∪ V′ FV(φ ∧ ψ) = FV(φ) ∪ FV(ψ) FV(∀x φ) = FV(∃x φ) = FV(φ) \ {x} FV([α]φ) = FV(αφ) = FV(α) ∪ (FV(φ) \ BV(α)) FV(a) = V ∪ V′ for program const. a FV(x := θ) = FV(x′ := θ) = FV(θ) FV(?Q) = FV(Q) FV(x′ = f (x) & Q) = {x} ∪ FV(f (x)) ∪ FV(Q) FV(α ∪ β) = FV(α) ∪ FV(β) FV(α; β) = FV(α) ∪ (FV(β) \ BV(α)) FV(α∗) = FV(α)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 40 / 44

Differential Dynamic Logic dL: Static Semantics

FV((θ)′) = FV(θ) ∪ FV(θ)′ caution FV(p(θ1, . . . , θk)) = FV(θ1) ∪ · · · ∪ FV(θk) FV(C(φ)) = V ∪ V′ FV(φ ∧ ψ) = FV(φ) ∪ FV(ψ) FV(∀x φ) = FV(∃x φ) = FV(φ) \ {x} FV([α]φ) = FV(αφ) = FV(α) ∪ (FV(φ) \ MBV(α)) caution FV(a) = V ∪ V′ for program const. a FV(x := θ) = FV(x′ := θ) = FV(θ) FV(?Q) = FV(Q) FV(x′ = f (x) & Q) = {x} ∪ FV(f (x)) ∪ FV(Q) FV(α ∪ β) = FV(α) ∪ FV(β) FV(α; β) = FV(α) ∪ (FV(β) \ MBV(α)) caution FV(α∗) = FV(α)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 40 / 44

Differential Dynamic Logic dL: Static Semantics

BV(θ ≥ η) = BV(p(θ1, . . . , θk)) BV(C(φ)) BV(φ ∧ ψ) BV(∀x φ) = BV(∃x φ) BV([α]φ) = BV(αφ) BV(a) BV(x := θ) BV(x′ := θ) BV(?Q) BV(x′ = f (x) & Q) BV(α ∪ β) = BV(α; β) BV(α∗)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 41 / 44

Differential Dynamic Logic dL: Static Semantics

BV(θ ≥ η) = BV(p(θ1, . . . , θk)) = ∅ BV(C(φ)) = V ∪ V′ BV(φ ∧ ψ) = BV(φ) ∪ BV(ψ) BV(∀x φ) = BV(∃x φ) = {x} ∪ BV(φ) BV([α]φ) = BV(αφ) = BV(α) ∪ BV(φ) BV(a) = V ∪ V′ for program constant a BV(x := θ) = {x} BV(x′ := θ) = {x′} BV(?Q) = ∅ BV(x′ = f (x) & Q) = {x, x′} BV(α ∪ β) = BV(α; β) = BV(α) ∪ BV(β) BV(α∗) = BV(α)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 41 / 44

Differential Dynamic Logic dL: Static Semantics

MBV(a) MBV(α) MBV(α ∪ β) MBV(α; β) MBV(α∗)

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 41 / 44

Differential Dynamic Logic dL: Static Semantics

MBV(a) = ∅ for program constant a MBV(α) = BV(α) for other atomic HPs α MBV(α ∪ β) = MBV(α) ∩ MBV(β) MBV(α; β) = MBV(α) ∪ MBV(β) MBV(α∗) = ∅

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 41 / 44

Correctness of Static Semantics

Lemma (Bound effect lemma) (Only BV(·) change)

If (u, w) ∈ [ [α] ]I, then u = w on BV(α)∁.

Lemma (Coincidence lemma) (Only FV(·) determine truth)

If u = ˜ u on FV(θ) and I = J on Σ(θ), then [ [θ] ]Iu = [ [θ] ]J ˜ u u ∈ [ [φ] ]I iff ˜ u ∈ [ [φ] ]J u w ˜ u ˜ w

• n V ⊇ FV(α)

α α ∃

• n V ∪ MBV(α)
• n BV(α)∁
• n BV(α)∁

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 42 / 44

Outline

1

CPS are Multi-Dynamical Systems

2

Uniform Substitution Calculus for Differential Dynamic Logic Uniform Substitution Calculus Axiom vs. Axiom Schema Uniform Substitutions Uniform Substitution Lemmas Differential Axioms Differential Invariants Examples

3

Differential-form Differential Dynamic Logic Syntax Semantics Differential Substitution Lemmas Contextual Congruences Parametric Computational Proofs Static Semantics

4

Summary

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 42 / 44

Uniform Substitution for Differential Dynamic Logic

differential dynamic logic

dL = DL + HP [α]φ φ α Multi-dynamical systems Differential forms local axioms of ODEs Uniform substitution modular generic axioms (not schemata) Modular: Logic Prover Straightforward to implement Tactics regain efficiency Fast contextual equivalence KeYmaera X

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 43 / 44

Key Contributions

Q: How to build a prover with a small soundness-critical core? A: Uniform substitution [Church] Q: How to enable flexible yet sound reasoning? A: Axioms with local meaning [Philosophy, Algebraic Geometry] Q: What’s the local meaning of a differential equation? A: Differential forms [Differential Geometry] Q: How to do hybrid systems proving? A: Uniform substitution calculus for differential dynamic logic Q: What’s the impact of uniform substitution on a prover core? A: 65 989 ց 1 677 LOC (2.5%) [KeYmaera X]

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 44 / 44

Logical Foundations

• f

Cyber-Physical Systems

Logic

Theorem Proving Proof Theory Modal Logic Model Checking

Algebra

Computer Algebra R Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Carath´ edory Solutions Viscosity PDE Solutions Dynamical Systems

Stochastics

Doob’s Super- martingales Dynkin’s Infinitesimal Generators Differential Generators Stochastic Differential Equations

Numerics

Hermite Interpolation Weierstraß Approx- imation Error Analysis Numerical Integration

Algorithms

Decision Procedures Proof Search Procedures Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 1 / 6

KeYmaera X Kernel is a Microkernel for Soundness

≈LOC KeYmaera X 1 677 KeYmaera 65 989 KeY 51 328 HOL Light 396 Isabelle/Pure 8 113 Nuprl 15 000 + 50 000 Coq 20 000 HSolver 20 000 Flow∗ 25 000 PHAVer 30 000 dReal 50 000 + millions SpaceEx 100 000 HyCreate2 6 081 + user model analysis

Disclaimer: These self-reported estimates of the soundness-critical lines of code + rules are to be taken with a grain of salt. Different languages, capabilities, styles . . . hybrid prover Java

• general

math hybrid verifier

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 6

Andr´ e Platzer. A uniform substitution calculus for differential dynamic logic. In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 467–481. Springer, 2015. doi:10.1007/978-3-319-21401-6_32. Andr´ e Platzer. A uniform substitution calculus for differential dynamic logic. CoRR, abs/1503.01981, 2015. arXiv:1503.01981. Andr´ e Platzer. A complete uniform substitution calculus for differential dynamic logic. CoRR, abs/1507.04943, 2016. arXiv:1507.04943. Andr´ e Platzer. Logics of dynamical systems. In LICS [15], pages 13–24.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 6

doi:10.1109/LICS.2012.13. Andr´ e Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

doi:10.1007/s10817-008-9103-8. Andr´ e Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015. doi:10.1145/2817824. Andr´ e Platzer. The complete proof theory of hybrid systems. In LICS [15], pages 541–550. doi:10.1109/LICS.2012.64. Andr´ e Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems.

• Log. Meth. Comput. Sci., 8(4):1–44, 2012.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 6

Special issue for selected papers from CSL’10. doi:10.2168/LMCS-8(4:17)2012. Andr´ e Platzer. Stochastic differential dynamic logic for stochastic hybrid programs. In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34. Andr´ e Platzer. Differential-algebraic dynamic logic for differential-algebraic programs.

• J. Log. Comput., 20(1):309–352, 2010.

doi:10.1093/logcom/exn070. Andr´ e Platzer and Edmund M. Clarke. Computing differential invariants of hybrid systems as fixedpoints. In Aarti Gupta and Sharad Malik, editors, CAV, volume 5123 of LNCS, pages 176–189. Springer, 2008. doi:10.1007/978-3-540-70545-1_17. Andr´ e Platzer and Edmund M. Clarke.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 2 / 6

Computing differential invariants of hybrid systems as fixedpoints.

• Form. Methods Syst. Des., 35(1):98–120, 2009.

Special issue for selected papers from CAV’08. doi:10.1007/s10703-009-0079-8. Andr´ e Platzer. The structure of differential invariants and differential cut elimination.

• Log. Meth. Comput. Sci., 8(4):1–38, 2012.

doi:10.2168/LMCS-8(4:16)2012. Andr´ e Platzer. A differential operator approach to equational differential invariants. In Lennart Beringer and Amy Felty, editors, ITP, volume 7406 of LNCS, pages 28–48. Springer, 2012. doi:10.1007/978-3-642-32347-8_3. Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 3 / 6

Differential Dynamic Logic: Axioms

[:=] [x := f ]p(x) ↔ p(f ) [?] [?q]p ↔ (q → p) [∪] [a ∪ b]p(¯ x) ↔ [a]p(¯ x) ∧ [b]p(¯ x) [;] [a; b]p(¯ x) ↔ [a][b]p(¯ x) [∗] [a∗]p(¯ x) ↔ p(¯ x) ∧ [a][a∗]p(¯ x) K [a](p(¯ x) → q(¯ x)) → ([a]p(¯ x) → [a]q(¯ x)) I [a∗](p(¯ x) → [a]p(¯ x)) → (p(¯ x) → [a∗]p(¯ x)) V p → [a]p CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 3 / 6

Differential Dynamic Logic: Axioms

G p(¯ x) [a]p(¯ x) ∀ p(x) ∀x p(x) MP p → q p q CT f (¯ x) = g(¯ x) c(f (¯ x)) = c(g(¯ x)) CQ f (¯ x) = g(¯ x) p(f (¯ x)) ↔ p(g(¯ x)) CE p(¯ x) ↔ q(¯ x) C(p(¯ x)) ↔ C(q(¯ x)) CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 3 / 6

Differential Equation Axioms & Differential Axioms

DW [x′ = f (x) & q(x)]q(x) DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

DE [x′ = f (x) & q(x)]p(x, x′) ↔ [x′ = f (x) & q(x)][x′ := f (x)]p(x, x′) DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

DG [x′ = f (x) & q(x)]p(x) ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & q(x)]p(x) DS [x′ = f & q(x)]p(x) ↔ ∀t≥0

• (∀0≤s≤t q(x+fs)) → [x := x+ft]p(x)
• [′:=] [x′ := f ]p(x′) ↔ p(f )

+′ (f (¯ x) + g(¯ x))′ = (f (¯ x))′ + (g(¯ x))′ ·′ (f (¯ x) · g(¯ x))′ = (f (¯ x))′ · g(¯ x) + f (¯ x) · (g(¯ x))′

• ′ [y := g(x)][y′ := 1]
• (f (g(x)))′ = (f (y))′ · (g(x))′

CADE’15

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 4 / 6

Differential Equation Axioms

Axiom (Differential Weakening) (CADE’15)

DW [x′ = f (x) & q(x)]q(x) t x q(x) w u r x′ = f (x) & q(x) ¬q(x) Differential equations cannot leave their evolution domains. Implies: [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)]

• q(x) → p(x)
• Andr´

e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Cut) (CADE’15)

DC

• [x′ = f (x) & q(x)]p(x) ↔ [x′ = f (x) & q(x)∧r(x)]p(x)
• ← [x′ = f (x) & q(x)]r(x)

t x q(x) w u r x′ = f (x) & q(x) w DC is a cut for differential equations. DC is a differential modal modus ponens K. Can’t leave r(x), then might as well restrict state space to r(x).

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Invariant) (CADE’15)

DI [x′ = f (x) & q(x)]p(x) ←

• q(x) → p(x) ∧ [x′ = f (x) & q(x)](p(x))′

t x q(x) w u r x′ = f (x) & q(x)

¬ ¬F

F F

Differential invariant: p(x) true now and its differential (p(x))′ true always What’s the differential of a formula??? What’s the meaning of a differential term . . . in a state???

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Effect) (CADE’15)

DE [x′ = f (x) & q(x)]p(x, x′) ↔ [x′ = f (x) & q(x)][x′ := f (x)]p(x, x′) t x q(x) w u r x′ = f (x) & q(x) x′ f (x) Effect of differential equation on differential symbol x′ [x′ := f (x)] instantly mimics continuous effect [x′ = f (x)] on x′ [x′ := f (x)] selects vector field x′ = f (x) for subsequent differentials

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Ghost) (CADE’15)

DG [x′ = f (x) & q(x)]p(x) ↔ ∃y [x′ = f (x), y′ = a(x)y + b(x) & q(x)]p(x) t x q(x) w u r x′ = f (x) & q(x) y′ = a(x)y + b(x) Differential ghost/auxiliaries: extra differential equations that exist Can cause new invariants “Dark matter” counterweight to balance conserved quantities

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential Equation Axioms

Axiom (Differential Solution) (CADE’15)

DS [x′ = f & q(x)]p(x) ↔ ∀t≥0

• (∀0≤s≤t q(x+fs)) → [x := x+ft]p(x)
• t

x q(x) w u r x′ = f (x) & q(x) t x q(x) u w r x′ = f & q(x) Differential solutions: solve differential equations with DG,DC and inverse companions

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 5 / 6

Differential-form Differential Dynamic Logic: Semantics

Definition (Term semantics) ([ [·] ] : Trm → (S → R))

[ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ]I ∂x (u) =

• x

u(x′)∂[ [θ] ]IuX

x

∂X

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [C(φ)] ]I = I(C)

• [

[φ] ]I

• [

[αφ] ]I = [ [α] ]I ◦ [ [φ] ]I [ [[α]φ] ]I = [ [¬α¬φ] ]I

Definition (Program semantics) ([ [·] ] : HP → ℘(S × S))

[ [x′ = f (x) & Q] ]I = {(ϕ(0)|{x′}∁, ϕ(r)) : I, ϕ | = x′ = f (x) ∧ Q} [ [α ∪ β] ]I = [ [α] ]I ∪ [ [β] ]I [ [α; β] ]I = [ [α] ]I ◦ [ [β] ]I [ [α∗] ]I =

• [

[α] ]I ∗ =

• n∈N

[ [αn] ]I

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 6 / 6

Differential-form Differential Dynamic Logic: Semantics

Definition (Term semantics) ([ [·] ] : Trm → (S → R))

[ [x] ]Iu = u(x) for variable x ∈ V [ [x′] ]Iu = u(x′) for differential symbol x′ ∈ V′ [ [f (θ1, . . . , θk)] ]Iu = I(f )

• [

[θ1] ]Iu, . . . , [ [θk] ]Iu

• for function symbol f

[ [θ + η] ]Iu = [ [θ] ]Iu + [ [η] ]Iu [ [θ · η] ]Iu = [ [θ] ]Iu · [ [η] ]Iu [ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ]I ∂x (u) =

• x

u(x′)∂[ [θ] ]IuX

x

∂X

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [C(φ)] ]I = I(C)

• [

[φ] ]I

• [

[αφ] ]I = [ [α] ]I ◦ [ [φ] ]I [ [[α]φ] ]I = [ [¬α¬φ] ]I

Definition (Program semantics) ([ [·] ] : HP → ℘(S × S))

[ [x′ = f (x) & Q] ]I = {(ϕ(0)|{x′}∁, ϕ(r)) : I, ϕ | = x′ = f (x) ∧ Q}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 6 / 6

Differential-form Differential Dynamic Logic: Semantics

Definition (Term semantics) ([ [·] ] : Trm → (S → R))

[ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ]I ∂x (u) =

• x

u(x′)∂[ [θ] ]IuX

x

∂X

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [θ ≥ η] ]I = {u : [ [θ] ]Iu ≥ [ [η] ]Iu} [ [p(θ1, . . . , θk)] ]I = {u : ([ [θ1] ]Iu, . . . , [ [θk] ]Iu) ∈ I(p)} [ [C(φ)] ]I = I(C)

• [

[φ] ]I

• [

[¬φ] ]I = ([ [φ] ]I)∁ [ [φ ∧ ψ] ]I = [ [φ] ]I ∩ [ [ψ] ]I [ [∃x φ] ]I = {u ∈ S : ur

x ∈ [

[φ] ]I for some r ∈ R} [ [αφ] ]I = [ [α] ]I ◦ [ [φ] ]I = {u : w ∈ [ [φ] ]I for some w (u, w) ∈ [ [α] ]I} [ [[α]φ] ]I = [ [¬α¬φ] ]I = {u : w ∈ [ [φ] ]I for all w (u, w) ∈ [ [α] ]I}

Definition (Program semantics) ([ [·] ] : HP → ℘(S × S))

[ [x′ = f (x) & Q] ]I = {(ϕ(0)|{ ′}∁, ϕ(r)) : I, ϕ | = x′ = f (x) ∧ Q}

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 6 / 6

Differential-form Differential Dynamic Logic: Semantics

Definition (Term semantics) ([ [·] ] : Trm → (S → R))

[ [(θ)′] ]Iu =

• x

u(x′)∂[ [θ] ]I ∂x (u) =

• x

u(x′)∂[ [θ] ]IuX

x

∂X

Definition (dL semantics) ([ [·] ] : Fml → ℘(S))

[ [C(φ)] ]I = I(C)

• [

[φ] ]I

• [

[αφ] ]I = [ [α] ]I ◦ [ [φ] ]I [ [[α]φ] ]I = [ [¬α¬φ] ]I

Definition (Program semantics) ([ [·] ] : HP → ℘(S × S))

[ [a] ]I = I(a) [ [x := θ] ]I = {(u, w) : w = u except [ [x] ]Iw = [ [θ] ]Iu} [ [x′ := θ] ]I = {(u, w) : w = u except [ [x′] ]Iw = [ [θ] ]Iu} [ [?Q] ]I = {(u, u) : u ∈ [ [Q] ]I} [ [x′ = f (x) & Q] ]I = {(ϕ(0)|{x′}∁, ϕ(r)) : I, ϕ | = x′ = f (x) ∧ Q} [ [α ∪ β] ]I = [ [α] ]I ∪ [ [β] ]I [ [α; β] ]I = [ [α] ]I ◦ [ [β] ]I

Andr´ e Platzer (CMU) FCPS / 22: Axioms & Uniform Substitutions 6 / 6