Differential Game Logic Andr e Platzer Summer School Marktoberdorf - - PowerPoint PPT Presentation

Differential Game Logic

Andr´ e Platzer Summer School Marktoberdorf 2017

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 40

Cyber-Physical Systems Analysis: Aircraft Example

Which control decisions are safe for aircraft collision avoidance?

Cyber-Physical Systems

CPSs combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 40

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 3 / 40

Can you trust a computer to control physics?

1 Depends on how it has been programmed 2 And on what will happen if it malfunctions

Rationale

1 Safety guarantees require analytic foundations. 2 A common foundational core helps all application domains. 3 Foundations revolutionized digital computer science & our society. 4 Need even stronger foundations when software reaches out into our

physical world.

CPSs deserve proofs as safety evidence!

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 3 / 40

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

CPS Dynamics

CPS are characterized by multiple facets of dynamical systems.

CPS Compositions

CPS combines multiple simple dynamical effects. Descriptive simplification

Tame Parts

Exploiting compositionality tames CPS complexity. Analytic simplification

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 4 / 40

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) Differential Game Logic MOD’17 5 / 40

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic MOD’17 5 / 40

CPS Analysis: Robot Control

Challenge (Games)

Game rules describing play evolution with both Angelic choices (player ⋄ Angel) Demonic choices (player ⋄ Demon) 0,0 2,1 1,2 3,1 ⋄\ ⋄ Tr Pl Trash 1,2 0,0 Plant 0,0 2,1

8 rmbl0skZ 7 ZpZ0ZpZ0 6 0Zpo0ZpZ 5 o0ZPo0Zp 4 PZPZPZ0O 3 Z0Z0ZPZ0 2 0O0J0ZPZ 1 SNAQZBMR a b c d e f g h Andr´ e Platzer (CMU) Differential Game Logic MOD’17 6 / 40

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) Differential Game Logic MOD’17 7 / 40

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic MOD’17 7 / 40

CPS Analysis: RoboCup Soccer

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic MOD’17 8 / 40

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

CPS Dynamics

CPS are characterized by multiple facets of dynamical systems.

CPS Compositions

CPS combines multiple simple dynamical effects. Descriptive simplification

Tame Parts

Exploiting compositionality tames CPS complexity. Analytic simplification

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 9 / 40

Dynamic Logics for Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α

stochastic differential DL

SdL = DL + SHP αφ φ

differential game logic

dG L = GL + HG αφ φ

quantified differential DL

QdL = FOL + DL + QHP

JAR’08,CADE’11,LMCS’12,LICS’12,LICS’12 TOCL’15,CADE’15,JAR’17,TOCL’17 Andr´ e Platzer (CMU) Differential Game Logic MOD’17 10 / 40

Dynamic Logics for Dynamical Systems

Dynamic Logics DL has been introduced for programs Pratt’76,Harel,Kozen Its real calling are dynamical systems DL excels at providing simple+elegant logical foundations for dynamical systems CPSs are multi-dynamical systems DL for CPS are multi-dynamical

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

JAR’08,CADE’11,LMCS’12,LICS’12,LICS’12 TOCL’15,CADE’15,JAR’17,TOCL’17 Andr´ e Platzer (CMU) Differential Game Logic MOD’17 10 / 40

Contributions

Logical foundations for hybrid games

1 Compositional programming language for hybrid games 2 Compositional logic and proof calculus for winning strategy existence 3 Hybrid games determined 4 Winning region computations terminate after ≥ωCK

1

iterations

5 Separate truth (∃ winning strategy) vs. proof (winning certificate) vs.

proof search (automatic construction)

6 Sound & relatively complete 7 Expressiveness 8 Fragments successful in applications 9 Generalizations in logic enable more applications

TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 11 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 11 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Differential Game Logic: Syntax

Definition (Hybrid game α)

x := f (x) | ?Q | x′ = f (x) | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula P)

p(e1, . . . , en) | e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins “Angel has Wings α” TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 12 / 40

Game Operators

⋄ Angel Ops ∪ choice

∗

repeat x′ = f (x) evolve ?Q challenge ⋄

Demon Ops

∩ choice

×

repeat x′ = f (x)d evolve ?Qd challenge

d d

Duality operator d passes control between players

8 0Z0Z0s0Z 7 o0Z0Z0j0 6 Po0o0ZpZ 5 Z0oPZ0Z0 4 0Z0Z0Znl 3 Z0Z0Z0Z0 2 0OPZ0OQZ 1 Z0Z0Z0ZB a b c d e f g h Andr´ e Platzer (CMU) Differential Game Logic MOD’17 13 / 40

Game Operators

⋄ Angel Ops ∪ choice

∗

repeat x′ = f (x) evolve ?Q challenge ⋄

Demon Ops

∩ choice

×

repeat x′ = f (x)d evolve ?Qd challenge

d d

Duality operator d passes control between players

8 0Z0Z0s0Z 7 o0Z0Z0j0 6 Po0o0ZpZ 5 Z0oPZ0Z0 4 0Z0Z0Znl 3 Z0Z0Z0Z0 2 0OPZ0OQZ 1 Z0Z0Z0ZB a b c d e f g h Andr´ e Platzer (CMU) Differential Game Logic MOD’17 13 / 40

Definable Game Operators

⋄ Angel Ops ∪ choice

∗

repeat x′ = f (x) evolve ?Q challenge ⋄

Demon Ops

∩ choice

×

repeat x′ = f (x)d evolve ?Qd challenge

d d

if(Q) α else β ≡ while(Q) α ≡ α ∩ β ≡ α× ≡ (x′ = f (x) & Q)d x′ = f (x) & Q (x := f (x))d x := f (x) ?Qd ?Q

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 13 / 40

Definable Game Operators

⋄ Angel Ops ∪ choice

∗

repeat x′ = f (x) evolve ?Q challenge ⋄

Demon Ops

∩ choice

×

repeat x′ = f (x)d evolve ?Qd challenge

d d

if(Q) α else β ≡ (?Q; α) ∪ (?¬Q; β) while(Q) α ≡ (?Q; α)∗; ?¬Q α ∩ β ≡ (αd ∪ βd)d α× ≡ ((αd)

∗)d

(x′ = f (x) & Q)d ≡ x′ = f (x) & Q (x := f (x))d ≡ x := f (x) ?Qd ≡ ?Q

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 13 / 40

Example: Push-around Cart

x v d a v ≥ 1 →

• (d := 1 ∪ d := −1)d; (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 →

• (d := 1 ∪ d := −1)d; (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 →

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0 x ≥ 0 ∧ v ≥ 0 →

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0 x ≥ 0 ∧ v ≥ 0 →

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0 x ≥ 0 →

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0 x ≥ 0 → boring by skip

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• counterstrategy d := −1
• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• counterstrategy d := −1
• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 1 ∩ d := −1); (a := 2 ∪ a := −2); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• counterstrategy d := −1
• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 1 ∩ d := −1); (a := 2 ∪ a := −2); {x′ = v, v′ = a + d}

∗ x ≥ 0

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• counterstrategy d := −1
• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 1 ∩ d := −1); (a := 2 ∪ a := −2); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 2 ∩ d := −2); (a := 2 ∪ a := −2);

t := 0; {x′ = v, v′ = a + d, t′ = 1 & t ≤ 1} ∗ x2 ≥ 100

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: Push-around Cart

x v d a v ≥ 1 → d before a can compensate

• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ v ≥ 0

• counterstrategy d := −1
• (d := 1 ∩ d := −1); (a := 1 ∪ a := −1); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 1 ∩ d := −1); (a := 2 ∪ a := −2); {x′ = v, v′ = a + d}

∗ x ≥ 0

• (d := 2 ∩ d := −2); (a := 2 ∪ a := −2);

a := d then a := 2 sign v t := 0; {x′ = v, v′ = a + d, t′ = 1 & t ≤ 1} ∗ x2 ≥ 100

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 14 / 40

Example: EVE and WALL·E

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1 EVE at e plays Angel’s part controlling g WALL·E at w plays Demon’s part controlling u

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 15 / 40

Example: EVE and WALL·E and the World

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1 EVE at e plays Angel’s part controlling g WALL·E at w plays Demon’s part controlling u EVE assigned environment’s time to WALL·E

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 15 / 40

Example: WALL·E and EVE

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1) × (w − e)2 > 1 WALL·E at w plays Demon’s part controlling u EVE at e plays Angel’s part controlling g WALL·E assigned environment’s time to EVE

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 16 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 17 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 17 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 17 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α) [ [·] ] : HG → (℘(S) → ℘(S))

ςx:=f (x)(X) = {s ∈ S : s[

[f (x)] ]s x

∈ X} ςx′=f (x)(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = [ [f (x)] ]ϕ(ζ) for all ζ} ς?Q(X) = [ [Q] ] ∩ X ςα∪β(X) = ςα(X) ∪ ςβ(X) ςα;β(X) = ςα(ςβ(X)) ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ςαd(X) = (ςα(X ∁))∁

Definition (dGL Formula P) [ [·] ] : Fml → ℘(S)

[ [e1 ≥ e2] ] = {s ∈ S : [ [e1] ]s ≥ [ [e2] ]s} [ [¬P] ] = ([ [P] ])∁ [ [P ∧ Q] ] = [ [P] ] ∩ [ [Q] ] [ [αP] ] = ςα([ [P] ]) [ [[α]P] ] = δα([ [P] ])

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 18 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςx:=f (x)(X) = X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςx:=f (x)(X) = {s ∈ S : s[

[f (x)] ]s x

∈ X} X ςx:=f (x)(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςx′=f (x)(X) = X x′ = f ( x )

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςx′=f (x)(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = [ [f (x)] ]ϕ(ζ) for all ζ} X x′ = f ( x ) ςx′=f (x)(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ς?Q(X) = X [ [Q] ]

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ς?Q(X) = [ [Q] ] ∩ X X [ [Q] ] ς?Q(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∪β(X) = ςα ( X ) ςβ ( X ) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∪β(X) = ςα(X) ∪ ςβ(X) ςα ( X ) ςβ ( X ) X ςα∪β(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα;β(X) = X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα;β(X) = ςα(ςβ(X)) ςα(ςβ(X)) ςβ(X) X ςα;β(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = ς2

α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = ς3

α(X) ς2 α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = ς∞

α (X) · · · ς3 α(X) ς2 α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ςα(ςα∗(X)) \ ςα∗(X) ∅ ς∞

α (X) · · · ς3 α(X) ς2 α(X) ςα(X) X

ςα∗(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςαd(X) = X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςαd(X) = X ∁ X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςαd(X) = X ∁ X ςα(X ∁) ςα(X ∁)∁

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςαd(X) = (ςα(X ∁))∁ X ∁ X ςα(X ∁) ςα(X ∁)∁ ςαd(X)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 19 / 40

Filibusters

(x := 0 ∩ x := 1)∗x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 20 / 40

Filibusters & The Significance of Finitude

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 20 / 40

Filibusters & The Significance of Finitude

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 (x := 0; x′ = 1d)∗x = 0 (x′ = 1d; x := 0)∗x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 20 / 40

Filibusters & The Significance of Finitude

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 (x := 0; x′ = 1d)∗x = 0 (x′ = 1d; x := 0)∗x = 0

<∞

true X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 20 / 40

Filibusters & The Significance of Finitude

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 (x := 0; x′ = 1d)∗x = 0 (x′ = 1d; x := 0)∗x = 0

<∞

true X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop Well-defined games can’t be postponed forever

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 20 / 40

Consistency & Determinacy

Theorem (Consistency & determinacy)

Hybrid games are consistent and determined, i.e. ¬α¬φ ↔ [α]φ.

Corollary (Determinacy: At least one player wins)

¬α¬φ → [α]φ, thus α¬φ ∨ [α]φ.

Corollary (Consistency: At most one player wins)

[α]φ → ¬α¬φ, thus ¬([α]φ ∧ α¬φ)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 21 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z}

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ς2

α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ς3

α(X) ς2 α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (X)

(Knaster-Tarski) ςα∗(X) · · · ς3

α(X) ς2 α(X) ςα(X) X

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (X)

(Knaster-Tarski)

Alternative (Advance notice semantics)

ςα∗(X)

?

=

n<ω ςαn(X)

where αn+1 ≡ αn; α α0 ≡ ?true

11 11 01 01 01 ⋄ 10 10 repeat 10 stop r e p e a t 01 ⋄ s t

• p

10 10 00 ⋄ 00 ⋄ r e p e a t 10 ⋄ s t

• p

repeat 11 ⋄ stop 11 11 01 01 01 ⋄ 10 ⋄ 10 00 ⋄ 00 ⋄ 10 00 00 ⋄ 00 ⋄ 00 00 ⋄ 00 ⋄ 3 11 01 01 ⋄ 10 ⋄ 10 00 ⋄ 00 ⋄ 2 11 01 ⋄ 10 ⋄ 1 11 ⋄ . . .

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (X)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n<ω ςn α(X)

ς0

α(X) def

= X ςκ+1

α

(X) def = X ∪ ςα(ςκ

α(X))

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (X)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n<ω ςn α(X)

ς0

α(X) def

= X ςκ+1

α

(X) def = X ∪ ςα(ςκ

α(X))

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1) ςn

α([0, 1)) = [0, n) = R

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Winning Region Fixpoint Iterations

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (X)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n<ω ςn α(X)

ς0

α(X) def

= X ςκ+1

α

(X) def = X ∪ ςα(ςκ

α(X))

ςλ

α(X) def

=

• κ<λ

ςκ

α(X)

λ = 0 a limit ordinal

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1) ςn

α([0, 1)) = [0, n) = R

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 22 / 40

Strategic Closure Ordinal ≥ ωCK

1

Theorem

Hybrid game closure ordinal ≥ωCK

1

1 2 3 ω

ω+1 ω+2

ω+3

ω·2

ω·3

ω·2+1

ω·2+2

ω·4

ω²

ω ² + 1 ω²+2

ω²+ω

ω ² + ω · 2

ω²·2

ω²·3 ω²·4

ω³

ω³+ω

ω³+ω²

ω · 5

4 5

ω+4

ω

ω ω4

ω³·2

ω·2+3

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 23 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 23 / 40

Differential Game Logic: Axiomatization

[·] [α]P ↔ := x := f (x)p(x) ↔ ′ x′ = f (x)P ↔ ? ?QP ↔ ∪ α ∪ βP ↔ ; α; βP ↔ ∗ α∗P ↔ d αdP ↔ TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 24 / 40

Differential Game Logic: Axiomatization

[·] [α]P ↔ ¬α¬P := x := f (x)p(x) ↔ p(f (x)) ′ x′ = f (x)P ↔ ∃t≥0 x := y(t)P ? ?QP ↔ (Q ∧ P) ∪ α ∪ βP ↔ αP ∨ βP ; α; βP ↔ αβP ∗ α∗P ↔ P ∨ αα∗P d αdP ↔ ¬α¬P M P → Q αP → αQ FP P ∨ αQ → Q α∗P → Q MP P P → Q Q ∀ p → Q p → ∀x Q (x ∈ FV(p)) US ϕ ϕψ(·)

p(·)

TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 24 / 40

Defining Evolution Domain Constraints x′

0 = 1

x′ = f (x) & Q x′ = f (x); ?(Q) t

• x

Q t x

′

= f ( x ) r

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

Defining Evolution Domain Constraints x′

0 = 1

x′ = f (x) & Q x′ = f (x); ?(Q) t

• x

Q t Q x

′

= f ( x ) r

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

Defining Evolution Domain Constraints x′

0 = 1

x′ = f (x) & Q x′ = f (x); (z := x; z′ = −f (z))d; ?(Q(z)) t

• x

Q t revert flow, Demon checks Q backwards x

′

= f ( x ) r z′ = −f (z)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

Defining Evolution Domain Constraints x′

0 = 1

x′ = f (x) & Q x′ = f (x); (z := x; z′ = −f (z))d; ?(Q(z)) t

• x

Q t ¬Q revert flow, Demon checks Q backwards x

′

= f ( x ) r z′ = −f (z)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

Defining Evolution Domain Constraints x′

0 = 1

x′ = f (x) & Q ≡ t0 := x0; x′ = f (x); (z := x; z′ = −f (z))d; ?(z0≥t0 → Q(z)) t

• x

Q t revert flow, time x0; Demon checks Q backwards x

′

= f ( x ) t0 := x0 r z′ = −f (z)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

“There and Back Again” Game

x′ = f (x) & Q ≡ t0 := x0; x′ = f (x); (z := x; z′ = −f (z))d; ?(z0≥t0 → Q(z)) t

• x

Q t revert flow, time x0; Demon checks Q backwards x

′

= f ( x ) t0 := x0 r z′ = −f (z)

Lemma

Evolution domains definable by games

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 25 / 40

Example Proof: Dual Filibuster

∗

R x = 0 →0 = 0 ∨ 1 = 0 :=x = 0 →x := 0x = 0 ∨ x := 1x = 0 ∪ x = 0 →x := 0 ∪ x := 1x = 0 d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 26 / 40

Example: Goalie in Robot Soccer

x y, g (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Example: Goalie in Robot Soccer

x y, g (v, +w) (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u −u (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u −u (x, y) g x v 2 (u − w)2 ≤ 1 ∧ x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 27 / 40

Soundness

Theorem (Soundness)

dG L proof calculus is sound i.e. all provable formulas are valid Axiomatics Syntax Semantics

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 28 / 40

Soundness

Theorem (Soundness)

dG L proof calculus is sound i.e. all provable formulas are valid

Proof.

∪ α ∪ βP ↔ αP ∨ βP ; α; βP ↔ αβP [·] [α]P ↔ ¬α¬P M P → Q αP → αQ

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 28 / 40

Soundness

Theorem (Soundness)

dG L proof calculus is sound i.e. all provable formulas are valid

Proof.

∪ [ [α ∪ βP] ] = ςα∪β([ [P] ]) = ςα([ [P] ]) ∪ ςβ([ [P] ]) = [ [αP] ] ∪ [ [βP] ] = [ [αP ∨ βP] ] ∪ α ∪ βP ↔ αP ∨ βP ; [ [α; βP] ] = ςα;β([ [P] ]) = ςα(ςβ([ [P] ])) = ςα([ [βP] ]) = [ [αβP] ] ; α; βP ↔ αβP [·] is sound by determinacy [·] [α]P ↔ ¬α¬P M Assume the premise P → Q is valid, i.e. [ [P] ] ⊆ [ [Q] ]. Then the conclusion αP → αQ is valid, i.e. [ [αP] ] = ςα([ [P] ]) ⊆ ςα([ [Q] ]) = [ [αQ] ] by monotonicity. M P → Q αP → αQ

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 28 / 40

Soundness & Completeness

Theorem (Completeness)

dG L calculus is a sound & complete axiomatization of hybrid games relative to any (differentially) expressive logic L. ϕ iff TautL ⊢ ϕ TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 29 / 40

Soundness & Completeness: Consequences

Corollary (Constructive)

Constructive and Moschovakis-coding-free. (Minimal: x′ = f (x), ∃, [α∗])

Remark (Coquand & Huet) (Inf.Comput’88)

Modal analogue for α∗ of characterizations in Calculus of Constructions

Corollary (Meyer & Halpern) (J.ACM’82)

F → αG semidecidable for uninterpreted programs.

Corollary (Schmitt) (Inf.Control.’84)

[α]-free semidecidable for uninterpreted programs.

Corollary

Uninterpreted game logic with even d in α is semidecidable.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 30 / 40

Soundness & Completeness: Consequences

Corollary

Harel’77 convergence rule unnecessary for hybrid games, hybrid systems, discrete programs.

Corollary (Characterization of hybrid game challenges)

[α∗]G: Succinct invariants discrete Π0

2

[x′ = f (x)]G and x′ = f (x)G: Succinct differential (in)variants ∆1

1

∃x G: Complexity depends on Herbrand disjunctions: discrete Π1

1

uninterpreted reals × ∃x [α∗]G Π1

1-complete for discrete α

Corollary (Hybrid version of Parikh’s result) (FOCS’83)

∗-free dG

L complete relative to dL, relative to continuous, or to discrete

d-free dG

L complete relative to dL, relative to continuous, or to discrete

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 31 / 40

Soundness & Completeness: Consequences

Corollary

Harel’77 convergence rule unnecessary for hybrid games, hybrid systems, discrete programs.

Corollary (Characterization of hybrid game challenges)

[α∗]G: Succinct invariants discrete Π0

2

[x′ = f (x)]G and x′ = f (x)G: Succinct differential (in)variants ∆1

1

∃x G: Complexity depends on Herbrand disjunctions: discrete Π1

1

uninterpreted reals × ∃x [α∗]G Π1

1-complete for discrete α

set is Π0

n iff it’s {x : ∀y1 ∃y2 ∀y3 . . . yn ϕ(x, y1, . . . , yn)} for a decidable ϕ

set is Σ0

n iff it’s {x : ∃y1 ∀y2 ∃y3 . . . yn ϕ(x, y1, . . . , yn)} for a decidable ϕ

set is Π1

1 iff it’s {x : ∀f ∃y ϕ(x, y, f )} for a decidable ϕ and functions f

set is Σ1

1 iff it’s {x : ∃f ∀y ϕ(x, y, f )} for a decidable ϕ and functions f

∆i

n = Σi n ∩ Πi n

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 31 / 40

Soundness & Completeness: Consequences

Corollary (ODE Completeness) (+LICS’12)

dG L complete relative to ODE for hybrid games with finite-rank Borel winning regions.

Corollary (Continuous Completeness)

dG L complete relative to LµD, continuous modal µ, over R

Corollary (Discrete Completeness) (+LICS’12)

dG L + Euler axiom complete relative to discrete Lµ over R

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 32 / 40

Soundness & Completeness: Consequences

(x := 1; x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

∗

R

∀x (0≤x<1 ∨ ∀t≥0 p(1 + t) ∨ p(x − 1) → p(x)) → (true → p(x))

:= ∀x (0≤x<1∨x := 1¬∃t≥0 x := x+t¬p(x)∨p(x−1)→p(x)) → (true→p(x)) ′

∀x (0≤x<1 ∨ x := 1¬x′ = 1¬p(x) ∨ p(x − 1) → p(x)) → (true → p(x))

;,d

∀x (0≤x<1 ∨ βp(x) ∨ γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1 ∨ β ∪ γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 33 / 40

More Axioms

K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q [α]P → [α]Q ← − M α(P ∨ Q) → αP ∨ αQ M αP ∨ αQ → α(P ∨ Q) I [α∗](P → [α]P) → (P → [α∗]P) ∀I (P→[α]P) → (P→[α∗]P) B α∃x P → ∃x αP (x∈α) ← − B ∃x αP → α∃x P G P [α]P M[·] P → Q [α]P → [α]Q R P1 ∧ P2 → Q [α]P1 ∧ [α]P2 → [α]Q M[·] P1 ∧ P2 → Q [α](P1 ∧ P2) → [α]Q FA α∗P → P ∨ α∗(¬P ∧ αP) ← − [∗] [α∗]P ↔ P ∧ [α∗][α]P

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 34 / 40

More Axioms ???

K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q [α]P → [α]Q ← − M α(P ∨ Q) → αP ∨ αQ M αP ∨ αQ → α(P ∨ Q) I [α∗](P → [α]P) → (P → [α∗]P) ∀I (P→[α]P) → (P→[α∗]P) B α∃x P → ∃x αP (x∈α) ← − B ∃x αP → α∃x P G P [α]P M[·] P → Q [α]P → [α]Q R P1 ∧ P2 → Q [α]P1 ∧ [α]P2 → [α]Q M[·] P1 ∧ P2 → Q [α](P1 ∧ P2) → [α]Q FA α∗P → P ∨ α∗(¬P ∧ αP) ← − [∗] [α∗]P ↔ P ∧ [α∗][α]P

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 34 / 40

Separating Axioms

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is exactly K, I, C, B, V, G. dG L is a subregular, sub-Barcan, monotonic modal logic without loop induction axioms. K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q [α]P → [α]Q ← − M α(P ∨ Q) → αP ∨ αQ M αP ∨ αQ → α(P ∨ Q) I [α∗](P → [α]P) → (P → [α∗]P) ∀I (P→[α]P) → (P→[α∗]P) B α∃x P → ∃x αP (x∈α) ← − B ∃x αP → α∃x P G P [α]P M[·] P → Q [α]P → [α]Q R P1 ∧ P2 → Q [α]P1 ∧ [α]P2 → [α]Q M[·] P1 ∧ P2 → Q [α](P1 ∧ P2) → [α]Q FA α∗P → P ∨ α∗(¬P ∧ αP) ← − [∗] [α∗]P ↔ P ∧ [α∗][α]P

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 34 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 34 / 40

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dG L for hybrid games strictly more expressive than dL for hybrid games: dL < dG L

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 35 / 40

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dG L for hybrid games strictly more expressive than dL for hybrid games: dL < dG L First-order

• adm. R

Inductive

• adm. R

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 35 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 35 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 36 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 36 / 40

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 36 / 40

Zeppelin Obstacle Parcours

c > 0 ∧ x − o2 ≥ c2 →

• v := ∗; o := ∗; c := ∗; ?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e. y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 37 / 40

Zeppelin Obstacle Parcours

c > 0 ∧ x − o2 ≥ c2 →

• v := ∗; o := ∗; c := ∗; ?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 r > p p > v + r v + r > p > r airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e. y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 37 / 40

Zeppelin Obstacle Parcours

c > 0 ∧ x − o2 ≥ c2 →

• v := ∗; o := ∗; c := ∗; ?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × r > p hopeless p > v + r v + r > p > r airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e. y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 37 / 40

Zeppelin Obstacle Parcours

c > 0 ∧ x − o2 ≥ c2 →

• v := ∗; o := ∗; c := ∗; ?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × r > p hopeless p > v + r super-powered v + r > p > r airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e. y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 37 / 40

Zeppelin Obstacle Parcours

c > 0 ∧ x − o2 ≥ c2 →

• v := ∗; o := ∗; c := ∗; ?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × r > p hopeless p > v + r super-powered ? v + r > p > r our challenge airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e. y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 37 / 40

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI ∃y ∈ Y ∀z ∈ Z [x′:=f (x, y, z)](F)′ F → [x′ = f (x, y, z)&

dy ∈ Y &z ∈ Z]F

Theorem (Differential Game Refinement)

∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f (x, y, z) = g(x, u, v)) [x′ = g(x, u, v)&

du ∈ U&v ∈ V ]F → [x′ = f (x, y, z)& dy ∈ Y &z ∈ Z]F

F

¬F

TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 38 / 40

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI ∃y ∈ Y ∀z ∈ Z [x′:=f (x, y, z)](F)′ F → [x′ = f (x, y, z)&

dy ∈ Y &z ∈ Z]F

Theorem (Differential Game Refinement)

∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f (x, y, z) = g(x, u, v)) [x′ = g(x, u, v)&

du ∈ U&v ∈ V ]F → [x′ = f (x, y, z)& dy ∈ Y &z ∈ Z]F

F

¬F

∗ ∃y∈I ∀z∈I 0 ≤ 3x2(−1+2y+z)

??

∃y∈I ∀z∈I [x′:=−1+2y+z]0≤3x2x′

DGI1≤x3 →[x′ = −1+2y+z& dy ∈ I&z ∈ I]1≤x3

where y ∈ I

def

≡ −1 ≤ y ≤ 1 TOCL’17

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 38 / 40

Outline

1

CPS Game Motivation

2

Differential Game Logic Syntax Example: Push-around Cart Example: Robot Dance Differential Hybrid Games Denotational Semantics Determinacy Strategic Closure Ordinals

3

Axiomatization Axiomatics Example: Robot Soccer Soundness and Completeness Separating Axioms

4

Expressiveness

5

Differential Hybrid Games

6

Summary

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 38 / 40

Future Work

Several extensions . . .

1 Draws 2 Cooperative games with coalitions 3 Rewards 4 Payoffs other than ±1

. . . are all expressible already. Direct syntactic support?

1 Compositional concurrent hybrid games 2 Imperfect information hybrid games 3 Constructive dG

L to retain winning strategies as proof terms

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 39 / 40

Differential Game Logic

differential game logic

dG L = GL + HG = dL + d αφ φ Logic for hybrid games Compositional PL + logic Discrete + continuous + adversarial Winning region iteration ≥ωCK

1

Sound & rel. complete axiomatization Hybrid games > hybrid systems

d radical challenge yet smooth extension

Stochastic ≈ adversarial

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 40 / 40

Logical Foundations

• f

Cyber-Physical Systems

Logic

Theorem Proving Proof Theory Modal Logic Model Checking

Algebra

Computer Algebra R Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Carath´ edory Solutions Viscosity PDE Solutions Dynamical Systems

Stochastics

Doob’s Super- martingales Dynkin’s Infinitesimal Generators Differential Generators Stochastic Differential Equations

Numerics

Hermite Interpolation Weierstraß Approx- imation Error Analysis Numerical Integration

Algorithms

Decision Procedures Proof Search Procedures Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Andr´ e Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015. doi:10.1145/2817824. Andr´ e Platzer. Differential hybrid games. ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017. doi:10.1145/3091123. Andr´ e Platzer. Logics of dynamical systems. In LICS [13], pages 13–24. doi:10.1109/LICS.2012.13. Andr´ e Platzer. Logic & proofs for cyber-physical systems. In Nicola Olivetti and Ashish Tiwari, editors, IJCAR, volume 9706 of LNCS, pages 15–21. Springer, 2016. doi:10.1007/978-3-319-40229-1_3.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Andr´ e Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

doi:10.1007/s10817-008-9103-8. Andr´ e Platzer. A complete uniform substitution calculus for differential dynamic logic.

• J. Autom. Reas., 59(2):219–265, 2017.

doi:10.1007/s10817-016-9385-1. Andr´ e Platzer. The complete proof theory of hybrid systems. In LICS [13], pages 541–550. doi:10.1109/LICS.2012.64. Andr´ e Platzer. A complete axiomatization of quantified differential dynamic logic for distributed hybrid systems.

• Log. Meth. Comput. Sci., 8(4):1–44, 2012.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Special issue for selected papers from CSL’10. doi:10.2168/LMCS-8(4:17)2012. Andr´ e Platzer. Stochastic differential dynamic logic for stochastic hybrid programs. In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE, volume 6803 of LNCS, pages 431–445. Springer, 2011. doi:10.1007/978-3-642-22438-6_34. Andr´ e Platzer. A uniform substitution calculus for differential dynamic logic. In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 467–481. Springer, 2015. doi:10.1007/978-3-319-21401-6_32. Andr´ e Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Switzerland, 2017. URL: http://www.springer.com/978-3-319-63587-3. Andr´ e Platzer.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Logical Analysis of Hybrid Systems: Proving Theorems for Complex Dynamics. Springer, Heidelberg, 2010. doi:10.1007/978-3-642-14509-4. Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Outline

7

Operational Semantics

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 1 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s x := f (x) s[

[f (x)] ]s x

x := f (x)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s x′ = f (x) & Q ϕ(r) r ϕ(t) t ϕ(0)

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s ?Q s ?Q s | = Q

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α ∪ β s tκ β tj β t1 β r i g h t s sλ α si α s1 α l e f t

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α; β tλ rλ1

λ

β rj

λ

β r1

λ

β α ti rλi

i

β r1

i

β α t1 rλ1

1

β rj

1

β r1

1

β α

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α∗ s α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α repeat s stop

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α t0 tκ tj t1 s0 sλ si s1 s αd t0 tκ tj t1 s0 sλ si s1

d

Andr´ e Platzer (CMU) Differential Game Logic MOD’17 2 / 2