Differential Game Logic Andr e Platzer aplatzer@cs.cmu.edu - - PowerPoint PPT Presentation

Differential Game Logic

Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 1 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 1 / 26

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 26

Can you trust a computer to control physics?

Rationale

1 Safety guarantees require analytic foundations. 2 Foundations revolutionized digital computer science & our society. 3 Need even stronger foundations when software reaches out into our

physical world. How can we provide people with cyber-physical systems they can bet their lives on? — Jeannette Wing

Cyber-physical Systems

CPS combine cyber capabilities with physical capabilities to solve problems that neither part could solve alone.

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 26

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 3 / 26

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 3 / 26

CPS Analysis: Robot Control

Challenge (Games)

Game rules describing play evolution with both Angelic choices (player ⋄ Angel) Demonic choices (player ⋄ Demon) 0,0 2,1 1,2 3,1 ⋄\ ⋄ Tr Pl Trash 1,2 0,0 Plant 0,0 2,1

8 rmbl0skZ 7 ZpZ0ZpZ0 6 0Zpo0ZpZ 5 o0ZPo0Zp 4 PZPZPZ0O 3 Z0Z0ZPZ0 2 0O0J0ZPZ 1 SNAQZBMR a b c d e f g h Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 4 / 26

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 5 / 26

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 5 / 26

CPS Analysis: RoboCup Soccer

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 6 / 26

Contributions

Logical foundations for hybrid games

1 Compositional programming language for hybrid games 2 Compositional logic and proof calculus for winning strategy existence 3 Hybrid games determined 4 Winning region computations terminate after ≥ωCK

1

iterations

5 Separate truth (∃ winning strategy) vs. proof (winning certificate) vs.

proof search (automatic construction)

6 Sound & relatively complete 7 Expressiveness 8 Fragments quite successful in applications 9 Generalizations in logic enable more applications Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 7 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 7 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | aP | [a]P TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | aP | [a]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | aP | [a]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | aP | [a]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | aP | [a]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 8 / 26

Definable Game Operators

⋄ Angel Ops ∪ choice

∗

repeat x′ = f (x) evolve ?Q challenge ⋄

Demon Ops

∩ choice

×

repeat x′ = f (x)d evolve ?Qd challenge

d d

if(Q) a else b ≡ (?Q; a) ∪ (?¬Q; b) while(Q) a ≡ (?Q; a)∗; ?¬Q a ∩ b ≡ (ad ∪ bd)d a× ≡ ((ad)

∗)d

(x′ = f (x) & Q)d ≡ x′ = f (x) & Q (x := f (x))d ≡ x := f (x) ?Qd ≡ ?Q

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 9 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 10 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 10 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 10 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →

• (u := 1 ∩ u := −1);

(g := 1 ∪ g := −1); t := 0; (w′ = v, v′ = u, e′ = f , f ′ = g, t′ = 1 & t ≤ 1)d × (w − e)2 ≤ 1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 10 / 26

Differential Hybrid Games: Zeppelin Obstacle Parcours

arXiv

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 11 / 26

Differential Hybrid Games: Zeppelin Obstacle Parcours

arXiv

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 11 / 26

Differential Hybrid Games: Zeppelin Obstacle Parcours

arXiv

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 11 / 26

Differential Game Invariants

Theorem (Differential Game Invariants)

(DGI) ∃y ∈ Y ∀z ∈ Z F ′f (x,y,z)

x′

F → [x′ = f (x, y, z)&

dy ∈ Y &z ∈ Z]F

arXiv

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 12 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςx:=f (x)(X) = {s ∈ S : s[

[f (x)] ]s x

∈ X} ςx′=f (x)(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = [ [f (x)] ]ϕ(ζ) for all ζ} ς?P(X) = [ [P] ] ∩ X ςa∪b(X) = ςa(X) ∪ ςb(X) ςa;b(X) = ςa(ςb(X)) ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ςad(X) = (ςa(X ∁))∁

Definition (dGL Formula P)

[ [e1 ≥ e2] ] = {s ∈ S : [ [e1] ]s ≥ [ [e2] ]s} [ [¬P] ] = ([ [P] ])∁ [ [P ∧ Q] ] = [ [P] ] ∩ [ [Q] ] [ [aP] ] = ςa([ [P] ]) [ [[a]P] ] = δa([ [P] ])

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 13 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςx:=f (x)(X) = {s ∈ S : s[

[f (x)] ]s x

∈ X} X ςx:=f (x)(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςx′=f (x)(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = [ [f (x)] ]ϕ(ζ) for all ζ} X x′ = f ( x ) ςx′=f (x)(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ς?P(X) = [ [P] ] ∩ X X [ [P] ] ς?P(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∪b(X) = ςa(X) ∪ ςb(X) ςa ( X ) ςb ( X ) X ςa∪b(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa;b(X) = ςa(ςb(X)) ςa(ςb(X)) ςb(X) X ςa;b(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ςa(X) X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ς2

a(X) ςa(X) X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ς3

a(X) ς2 a(X) ςa(X) X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ς∞

a (X) · · · ς3 a(X) ς2 a(X) ςa(X) X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ςa(ςa∗(X)) \ ςa∗(X) ∅ ς∞

a (X) · · · ς3 a(X) ς2 a(X) ςa(X) X

ςa∗(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςa∗(X) = {Z ⊆ S : X ∪ ςa(Z) ⊆ Z} ≥ωCK

1

iterations ςa(ςa∗(X)) \ ςa∗(X) ∅ ς∞

a (X) · · · ς3 a(X) ς2 a(X) ςa(X) X

ςa∗(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςad(X) = (ςa(X ∁))∁ X ∁ X

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςad(X) = (ςa(X ∁))∁ X ∁ X ςa(X ∁) ςa(X ∁)∁ ςad(X)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 14 / 26

Consistency & Determinacy

Theorem (Consistency & determinacy)

Hybrid games are consistent and determined, i.e. ¬a¬P ↔ [a]P.

Corollary (Determinacy: At least one player wins)

¬a¬P → [a]P, thus a¬P ∨ [a]P.

Corollary (Consistency: At most one player wins)

[a]P → ¬a¬P, thus ¬([a]P ∧ a¬P)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 15 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 15 / 26

Differential Game Logic: Axiomatization

[·] [a]P ↔ ¬a¬P := x := f (x)p(x) ↔ p(f (x)) ′ x′ = f (x)P ↔ ∃t≥0 x := y(t)P ? ?QP ↔ (Q ∧ P) ∪ a ∪ bP ↔ aP ∨ bP ; a; bP ↔ abP ∗ P ∨ aa∗P → a∗P d adP ↔ ¬a¬P M P → Q aP → aQ FP P ∨ aQ → Q a∗P → Q MP P P → Q Q ∀ p → Q p → ∀x Q (x ∈ FV(p)) US ϕ ϕQ(·)

p(·)

TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 16 / 26

“There and Back Again” Game

x′ = f (x) & Q ≡ t0 := x0; x′ = f (x); (z := x; z′ = −f (z))d; ?(z0≥t0 → Q(z)) t

• x

Q t revert flow, time x0; Demon checks Q backwards x

′

= f ( x ) t0 := x0 r z′ = −f (z)

Lemma

Evolution domains definable by games

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 17 / 26

Example Proof: Dual Filibuster

d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

[·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

∪ x = 0 →x := 0 ∪ x := 1x = 0 d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

:=x = 0 →x := 0x = 0 ∨ x := 1x = 0 ∪ x = 0 →x := 0 ∪ x := 1x = 0 d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

R x = 0 →0 = 0 ∨ 1 = 0 :=x = 0 →x := 0x = 0 ∨ x := 1x = 0 ∪ x = 0 →x := 0 ∪ x := 1x = 0 d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Example Proof: Dual Filibuster

∗

R x = 0 →0 = 0 ∨ 1 = 0 :=x = 0 →x := 0x = 0 ∨ x := 1x = 0 ∪ x = 0 →x := 0 ∪ x := 1x = 0 d x = 0 →¬x := 0 ∩ x := 1¬x = 0 [·] x = 0 →[x := 0 ∩ x := 1]x = 0 ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0 d x = 0 →(x := 0 ∪ x := 1)×x = 0

X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 18 / 26

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to any (differentially) expressive logic L. ϕ iff TautL ⊢ ϕ TOCL’15

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 19 / 26

Soundness & Completeness: Consequences

Corollary (Constructive)

Constructive and Moschovakis-coding-free. (Minimal: x′ = f (x), ∃, [a∗])

Remark (Coquand & Huet) (Inf.Comput’88)

Modal analogue for a∗ of characterizations in Calculus of Constructions

Corollary (Meyer & Halpern) (J.ACM’82)

F → aG semidecidable for uninterpreted programs.

Corollary (Schmitt) (Inf.Control.’84)

[a]-free semidecidable for uninterpreted programs.

Corollary

Uninterpreted game logic with even d in a is semidecidable.

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 20 / 26

Soundness & Completeness: Consequences

Corollary

Harel’77 convergence rule unnecessary for hybrid games, hybrid systems, discrete programs.

Corollary (Characterization of hybrid game challenges)

[a∗]G: Succinct invariants discrete Π0

2

[x′ = f (x)]G and x′ = f (x)G: Succinct differential (in)variants ∆1

1

∃x G: Complexity depends on Herbrand disjunctions: discrete Π1

1

uninterpreted reals × ∃x [a∗]G Π1

1-complete for discrete a

Corollary (Hybrid version of Parikh’s result) (FOCS’83)

∗-free dGL complete relative to dL, relative to continuous, or to discrete d-free dGL complete relative to dL, relative to continuous, or to discrete

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 21 / 26

Soundness & Completeness: Consequences

Corollary (ODE Completeness) (+LICS’12)

dGL complete relative to ODE for hybrid games with finite-rank Borel winning regions.

Corollary (Continuous Completeness)

dGL complete relative to LµD, continuous modal µ, over R

Corollary (Discrete Completeness) (+LICS’12)

dGL + Euler axiom complete relative to discrete Lµ over R

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 22 / 26

Soundness & Completeness: Consequences

(x := 1; x′ = 1d

• b

∪ x := x − 1

• c

)

• a

∗0 ≤ x < 1

Fixpoint style proof technique

∗ ∀x (0≤x<1 ∨ ∀t≥0 p(0 + t) ∨ p(x − 1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ x := 1¬∃t≥0 x := x+t¬p(x) ∨ p(x−1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ x := 1¬x′ = 1¬p(x) ∨ p(x − 1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ bp(x) ∨ cp(x) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ b ∪ cp(x) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ aa∗0≤x<1 → a∗0≤x<1) → (true → a∗0≤x<1) true → a∗0≤x<1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 23 / 26

Separating Axioms

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is exactly K, I, C, B, V, G. dGL is a subregular, sub-Barcan, monotonic modal logic without loop induction axioms. K [a](P → Q) → ([a]P → [a]Q) M[·] P → Q [a]P → [a]Q ← − M a(P ∨ Q) → aP ∨ aQ M aP ∨ aQ → a(P ∨ Q) I [a∗](P → [a]P) → (P → [a∗]P) ∀I (P → [a]P) → (P → [a∗]P) C [a∗]∀v>0 (p(v) → ap(v − 1)) → ∀v (p(v) → a∗∃v≤0 p(v)) (v∈a) B a∃x P → ∃x aP (x∈a) ← − B ∃x aP → a∃x P V p → [a]p (FV(p) ∩ BV(a) = ∅) VK p → ([a]true→[a]p) G P [a]P M[·] P → Q [a]P → [a]Q R P1 ∧ P2 → Q M P1 ∧ P2 → Q

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 24 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 24 / 26

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid games: dL < dGL

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 25 / 26

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid games: dL < dGL First-order

• adm. R

Inductive

• adm. R

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 25 / 26

Outline

1

CPS Applications

2

Differential Game Logic Differential Hybrid Games Denotational Semantics Determinacy

3

Proofs for CPS Axiomatization Soundness and Completeness Corollaries Separating Axioms

4

Expressiveness

5

Summary

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 25 / 26

Differential Game Logic

differential game logic

dGL = GL + HG = dL + d aP P Logic for hybrid games Compositional PL + logic Discrete + continuous + adversarial Winning region iteration ≥ωCK

1

Sound & rel. complete axiomatization Hybrid games > hybrid systems

d radical challenge yet smooth extension

Stochastic ≈ adversarial

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 26 / 26

Logical Foundations

• f

Cyber-Physical Systems

Logic

Theorem Proving Proof Theory Modal Logic Model Checking

Algebra

Computer Algebra R Algebraic Geometry Differential Algebra Lie Algebra

Analysis

Differential Equations Carath´ edory Solutions Viscosity PDE Solutions Dynamical Systems

Stochastics

Doob’s Super- martingales Dynkin’s Infinitesimal Generators Differential Generators Stochastic Differential Equations

Numerics

Hermite Interpolation Weierstraß Approx- imation Error Analysis Numerical Integration

Algorithms

Decision Procedures Proof Search Procedures Fixpoints & Lattices Closure Ordinals

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 1 / 5

Andr´ e Platzer. Differential game logic. ACM Trans. Comput. Log., 2015. To appear. Preprint at arXiv 1408.1980. doi:10.1145/2817824. Andr´ e Platzer. Differential hybrid games. CoRR, abs/1507.04943, 2015. arXiv:1507.04943. Andr´ e Platzer. Logics of dynamical systems. In LICS [9], pages 13–24. doi:10.1109/LICS.2012.13. Andr´ e Platzer. The complete proof theory of hybrid systems. In LICS [9], pages 541–550. doi:10.1109/LICS.2012.64.

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 1 / 5

Andr´ e Platzer. Differential game logic for hybrid games. Technical Report CMU-CS-12-105, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, March 2012. Jan-David Quesel and Andr´ e Platzer. Playing hybrid games with KeYmaera. In Bernhard Gramlich, Dale Miller, and Ulrike Sattler, editors, IJCAR, volume 7364 of LNCS, pages 439–453. Springer, 2012. doi:10.1007/978-3-642-31365-3_34. Andr´ e Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100R, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January, Revised and extended in July 2013. Andr´ e Platzer. Differential game logic. CoRR, abs/1408.1980, 2014.

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 1 / 5

arXiv:1408.1980. Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012.

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s x := θ s[

[θ] ]s x

x := θ

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s x′ = θ & Q ϕ(r) r ϕ(t) t ϕ(0)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s ?P s ?P s | = P

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s a ∪ b s tκ b tj b t1 b r i g h t s sλ a si a s1 a l e f t

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s a; b tλ rλ1

λ

b rj

λ

b r1

λ

b a ti rλi

i

b r1

i

b a t1 rλ1

1

b rj

1

b r1

1

b a

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s a∗ s a a r e p e a t stop a a a r e p e a t stop a r e p e a t stop a a a r e p e a t stop a a a r e p e a t stop a r e p e a t stop a repeat s stop

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s a t0 tκ tj t1 s0 sλ si s1 s ad t0 tκ tj t1 s0 sλ si s1

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 2 / 5

Successful Hybrid Games Proofs

Verification Challenge:

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Hybrid games proving also for proving relaxed notions of system similarity

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 3 / 5

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 4 / 5

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ; ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 4 / 5

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ; (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1&ts ≤ ε )d ;

×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 4 / 5

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ;

• (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1&ts ≤ ε )d ;

∪ ((?axvx ≤ 0 ∧ ayvy ≤ 0; if vx = 0 then ax := 0 fi; if vy = 0 then ay := 0 fi ) ; (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d) ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 4 / 5

Robotic Factory Automation (RF)

Proposition (Robot stays in )

| = (x = y = 0 ∧ vx = vy = 0∧

Controllability Assumptions )

→ (RF)(x ∈ [lx, rx] ∧ y ∈ [ly, ry])

Proposition (Stays in + leaves shaded region in time)

RF|x: RF projected to the x-axis | = (x = 0 ∧ vx = 0∧

Controllability Assumptions )

→ (RF|x)(x ∈ [lx, rx] ∧ (t ≥ ε → (x ≥ xb)))

Andr´ e Platzer (CMU) Differential Game Logic TOCL’15 5 / 5