Logic of Hybrid Games Andr e Platzer aplatzer@cs.cmu.edu Computer - - PowerPoint PPT Presentation

Logic of Hybrid Games

Andr´ e Platzer

aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA

http://symbolaris.com/

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Logic of Hybrid Games 1 / 26

Outline

1

Hybrid Systems Applications

2

Differential Game Logic Operational Semantics Denotational Semantics Determinacy Strategic Closure Ordinals

3

Proofs for Hybrid Systems Axiomatization Soundness and Completeness Corollaries

4

Summary

Andr´ e Platzer (CMU) Logic of Hybrid Games 1 / 26

Can you trust a computer to control physics?

Andr´ e Platzer (CMU) Logic of Hybrid Games 2 / 26

Hybrid Systems Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) Logic of Hybrid Games 3 / 26

Hybrid Systems Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Logic of Hybrid Games 3 / 26

Hybrid Systems Analysis: Robot Control

Challenge (Games)

Game rules describing play evolution with both Angelic choices (player ⋄ Angel) Demonic choices (player ⋄ Demon) 0,0 2,1 1,2 3,1 ⋄\ ⋄ Tr Pl Trash 1,2 0,0 Plant 0,0 2,1

8 rmbl0skZ 7 ZpZ0ZpZ0 6 0Zpo0ZpZ 5 o0ZPo0Zp 4 PZPZPZ0O 3 Z0Z0ZPZ0 2 0O0J0ZPZ 1 SNAQZBMR a b c d e f g h Andr´ e Platzer (CMU) Logic of Hybrid Games 4 / 26

Hybrid Systems Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Angel/demon choices

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) Logic of Hybrid Games 5 / 26

Hybrid Systems Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Angel/demon choices

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Logic of Hybrid Games 5 / 26

Family of Differential Dynamic Logics

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Logic of Hybrid Games 6 / 26

Family of Differential Dynamic Logics

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

differential dynamic logic

dL = DL + HP [α]φ φ α

stochastic differential DL

SdL = DL + SHP αφ φ

differential game logic

dGL = GL + HG αφ φ

quantified differential DL

QdL = FOL + DL + QHP

Andr´ e Platzer (CMU) Logic of Hybrid Games 6 / 26

Successful Hybrid Systems Proofs

far neg cor rec fsa

x y c

 

c

• x

e n t r y e x i t

• y

c

• x1

x2 y1 y2 d ω e ¯ ϑ ̟

c

• x
• y
• z

x Andr´ e Platzer (CMU) Logic of Hybrid Games 7 / 26

Successful Hybrid Systems Proofs

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Logic of Hybrid Games 7 / 26

Successful Hybrid Systems Proofs

c x y z

2minri

m i n r

• i
• di

xi disci xi xj p xk xl xm

d D Virtual fixture boundary

5 10 15 20 0.3 0.2 0.1 0.1 0.2 0.3

0.2 0.4 0.6 0.8 1.0 1 1

• 0.3

0.2 0.1 0.0 0.1 0.2 0.3 Andr´ e Platzer (CMU) Logic of Hybrid Games 7 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game α)

x := θ | ?H | x′ = θ & H | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game α)

x := θ | ?H | x′ = θ & H | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals

Andr´ e Platzer (CMU) Logic of Hybrid Games 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game α)

x := θ | ?H | x′ = θ & H | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game

Andr´ e Platzer (CMU) Logic of Hybrid Games 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game α)

x := θ | ?H | x′ = θ & H | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins

Andr´ e Platzer (CMU) Logic of Hybrid Games 8 / 26

Differential Game Logic dGL: Syntax

Definition (Hybrid game α)

x := θ | ?H | x′ = θ & H | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins

Andr´ e Platzer (CMU) Logic of Hybrid Games 8 / 26

Definable Game Operators

if(H) α else β ≡ (?H; α) ∪ (?¬H; β) while(H) α ≡ (?H; α)∗; ?¬H α ∩ β ≡ (αd ∪ βd)d α× ≡ ((αd)

∗)d

(x′ = θ & H)d ≡ x′ = θ & H (x := θ)d ≡ x := θ

Andr´ e Platzer (CMU) Logic of Hybrid Games 9 / 26

More Operators

Repeat α as long as both Angel and Demon want to repeat: α∗∧× ≡ (c := 0 ∩ c := 1); (?c = 0; α; (c := 0 ∩ c := 1))∗ ≡ ((c := 0 ∩ c := 1); ?c = 0; α)∗

Andr´ e Platzer (CMU) Logic of Hybrid Games 10 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

• (ω := 1 ∪ ω := −1 ∪ ω := 0);

(̺ := 1 ∩ ̺ := −1 ∩ ̺ := 0); (x′′ = ωx′ ⊥, y′′ = ̺y′ ⊥)d ∗ x − y ≤ 1

Andr´ e Platzer (CMU) Logic of Hybrid Games 11 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

• (ω := 1 ∪ ω := −1 ∪ ω := 0);

(̺ := 1 ∩ ̺ := −1 ∩ ̺ := 0); (x′′ = ωx′ ⊥, y′′ = ̺y′ ⊥)d ∗ x − y ≤ 1

Andr´ e Platzer (CMU) Logic of Hybrid Games 11 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

• (ω := 1 ∪ ω := −1 ∪ ω := 0);

(̺ := 1 ∩ ̺ := −1 ∩ ̺ := 0); (x′′ = ωx′ ⊥, y′′ = ̺y′ ⊥)d ∗ x − y ≤ 1

Andr´ e Platzer (CMU) Logic of Hybrid Games 11 / 26

Simple Examples

(x := x + 1; (x′ = x2)d ∪ x := x − 1)

∗ (0 ≤ x < 1)

(x := x + 1; (x′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))

∗(0 ≤ x < 1)

• (ω := 1 ∪ ω := −1 ∪ ω := 0);

(̺ := 1 ∩ ̺ := −1 ∩ ̺ := 0); (x′′ = ωx′ ⊥, y′′ = ̺y′ ⊥)d ∗ x − y ≤ 1

Andr´ e Platzer (CMU) Logic of Hybrid Games 11 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s x := θ s[

[θ] ]s x

x := θ

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s x′ = θ & H ϕ(r) r ϕ(t) t ϕ(0)

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s ?φ s ?φ s | = φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α ∪ β s tκ β tj β t1 β r i g h t s sλ α si α s1 α l e f t

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α; β tλ rλ1

λ

β rj

λ

β r1

λ

β α ti rλi

i

β r1

i

β α t1 rλ1

1

β rj

1

β r1

1

β α

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α∗ s α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α repeat s stop

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

s α t0 tκ tj t1 s0 sλ si s1 s αd t0 tκ tj t1 s0 sλ si s1

Andr´ e Platzer (CMU) Logic of Hybrid Games 12 / 26

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α: denotational semantics)

ςx:=θ(X) = {s ∈ S : s[

[θ] ]s x

∈ X} ςx′=θ(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = [ [θ] ]ϕ(ζ) for all ζ} ς?φ(X) = [ [φ] ] ∩ X ςα∪β(X) = ςα(X) ∪ ςβ(X) ςα;β(X) = ςα(ςβ(X)) ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} ςαd(X) = (ςα(X ∁))∁

Definition (dGL Formula φ)

[ [θ1 ≥ θ2] ] = {s ∈ S : [ [θ1] ]s ≥ [ [θ2] ]s} [ [¬φ] ] = ([ [φ] ])∁ [ [φ ∧ ψ] ] = [ [φ] ] ∩ [ [ψ] ] [ [αφ] ] = ςα([ [φ] ]) [ [[α]φ] ] = δα([ [φ] ])

Andr´ e Platzer (CMU) Logic of Hybrid Games 13 / 26

Filibusters & The Importance of Determinacy

(x := 0 ∩ x := 1)∗x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Logic of Hybrid Games 14 / 26

Filibusters & The Importance of Determinacy

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Logic of Hybrid Games 14 / 26

Filibusters & The Importance of Determinacy

(x := 0 ∩ x := 1)∗x = 0

wfd

false unless x = 0 (x := 0; x′ = 1d)∗x = 0 X X 1 1 1 1 ⋄ repeat ⋄ stop repeat 1 ⋄ stop 1 ⋄ repeat ⋄ stop repeat X stop

Andr´ e Platzer (CMU) Logic of Hybrid Games 14 / 26

Consistency & Determinacy

Theorem (Consistency & determinacy)

Hybrid games are consistent and determined, i.e. ¬α¬φ ↔ [α]φ.

Corollary (Determinacy: At least one player wins)

¬α¬φ → [α]φ, thus α¬φ ∨ [α]φ.

Corollary (Consistency: At most one player wins)

[α]φ → ¬α¬φ, thus ¬([α]φ ∧ α¬φ)

Andr´ e Platzer (CMU) Logic of Hybrid Games 15 / 26

“When Strategizing Stops”

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (x)

(Knaster-Tarski)

Andr´ e Platzer (CMU) Logic of Hybrid Games 16 / 26

“When Strategizing Stops”

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (x)

(Knaster-Tarski)

Alternative (Advance notice semantics)

ςα∗(X)

?

=

n∈N ςαn(X)

11 11 01 01 01 ⋄ 10 10 repeat 10 stop r e p e a t 01 ⋄ s t

• p

10 10 00 ⋄ 00 ⋄ r e p e a t 10 ⋄ s t

• p

repeat 11 ⋄ stop 11 11 01 01 01 ⋄ 10 ⋄ 10 00 ⋄ 00 ⋄ 10 00 00 ⋄ 00 ⋄ 00 00 ⋄ 00 ⋄ 3 11 01 01 ⋄ 10 ⋄ 10 00 ⋄ 00 ⋄ 2 11 01 ⋄ 10 ⋄ 1 11 ⋄ . . .

Andr´ e Platzer (CMU) Logic of Hybrid Games 16 / 26

“When Strategizing Stops”

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (x)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n∈N ςn α(X)

ς0

α(x) def

= x ςκ+1

α

(x) def = x ∪ ςα(ςκ

α(x))

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1)

Andr´ e Platzer (CMU) Logic of Hybrid Games 16 / 26

“When Strategizing Stops”

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (x)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n∈N ςn α(X)

ς0

α(x) def

= x ςκ+1

α

(x) def = x ∪ ςα(ςκ

α(x))

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1) ςn

α([0, 1)) = [0, n) = R

Andr´ e Platzer (CMU) Logic of Hybrid Games 16 / 26

“When Strategizing Stops”

Definition (Hybrid game α)

ςα∗(X) = {Z ⊆ S : X ∪ ςα(Z) ⊆ Z} = ς∞

α (x)

(Knaster-Tarski)

Alternative (ω semantics)

ςα∗(X)

?

=

n∈N ςn α(X)

ς0

α(x) def

= x ςκ+1

α

(x) def = x ∪ ςα(ςκ

α(x))

ςλ

α(x) def

=

• κ<λ

ςκ

α(x)

λ = 0 a limit ordinal

Example

(x := 1; x′ = 1d ∪ x := x − 1)∗ (0 ≤ x < 1) ςn

α([0, 1)) = [0, n) = R

Andr´ e Platzer (CMU) Logic of Hybrid Games 16 / 26

Strategic Closure Ordinal ≥ ωω

1 2 3 ω

ω+1 ω+2

ω+3

ω·2

ω·3

ω·2+1

ω·2+2

ω·4

ω²

ω ² + 1 ω²+2

ω²+ω

ω ² + ω · 2

ω²·2

ω²·3 ω²·4

ω³

ω³+ω

ω³+ω²

ω · 5

4 5

ω+4

ω

ω ω4

ω³·2

ω·2+3

Andr´ e Platzer (CMU) Logic of Hybrid Games 17 / 26

Differential Game Logic: Axiomatization

[·] [α]φ ↔ ¬α¬φ := x := θφ(x) ↔ φ(θ) ′ x′ = θφ ↔ ∃t≥0 x := y(t)φ (y′(t) = θ) ? ?ψφ ↔ (ψ ∧ φ) ∪ α ∪ βφ ↔ αφ ∨ βφ ; α; βφ ↔ αβφ ∗ φ ∨ αα∗φ → α∗φ d αdφ ↔ ¬α¬φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 18 / 26

Differential Game Logic: Axiomatization

M φ → ψ αφ → αψ FP φ ∨ αψ → ψ α∗φ → ψ

Andr´ e Platzer (CMU) Logic of Hybrid Games 18 / 26

Differential Game Logic: Axiomatization

MP φ φ → ψ ψ ∀ φ → ψ φ → ∀x ψ (x ∈ FV(φ)) US φ φψ(·)

p(·)

Andr´ e Platzer (CMU) Logic of Hybrid Games 18 / 26

Defining Evolution Domain Constraints x′

0 = 1

x′ = θ & H x′ = θ; ?(H) t

• x

H t x

′

= θ r

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

Defining Evolution Domain Constraints x′

0 = 1

x′ = θ & H x′ = θ; ?(H) t

• x

H t H x

′

= θ r

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

Defining Evolution Domain Constraints x′

0 = 1

x′ = θ & H x′ = θ; (z := x; z′ = −θ)d; ?(H(z)) t

• x

H t revert flow, Demon checks H backwards x

′

= θ r z′ = −θ

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

Defining Evolution Domain Constraints x′

0 = 1

x′ = θ & H x′ = θ; (z := x; z′ = −θ)d; ?(H(z)) t

• x

H t ¬H revert flow, Demon checks H backwards x

′

= θ r z′ = −θ

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

Defining Evolution Domain Constraints x′

0 = 1

x′ = θ & H ≡ t0 := x0; x′ = θ; (z := x; z′ = −θ)d; ?(z0 ≥ t0 → H(z)) t

• x

H t revert flow, time x0; Demon checks H backwards x

′

= θ t0 := x0 r z′ = −θ

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

“There and Back Again” Game

x′ = θ & H ≡ t0 := x0; x′ = θ; (z := x; z′ = −θ)d; ?(z0 ≥ t0 → H(z)) t

• x

H t revert flow, time x0; Demon checks H backwards x

′

= θ t0 := x0 r z′ = −θ

Lemma

Evolution domain is definable by game

Andr´ e Platzer (CMU) Logic of Hybrid Games 19 / 26

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to fixpoints of differential equations. φ iff TautLµD ⊢ φ

Remark (LµD = modal µ-calculus of differential equations)

φ ::= X(θ) | p(θ) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | x′ = θφ | µX.φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 20 / 26

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to fixpoints of differential equations. φ iff TautLµD ⊢ φ

System Continuous Discrete Hybrid

Remark (LµD = modal µ-calculus of differential equations)

φ ::= X(θ) | p(θ) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | x′ = θφ | µX.φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 20 / 26

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to fixpoints of differential equations. φ iff TautLµD ⊢ φ

System Continuous Discrete Hybrid Hybrid Theory Discrete Theory Contin. Theory

Remark (LµD = modal µ-calculus of differential equations)

φ ::= X(θ) | p(θ) | θ1 ≥ θ2 | ¬φ | φ ∧ ψ | x′ = θφ | µX.φ

Andr´ e Platzer (CMU) Logic of Hybrid Games 20 / 26

Soundness & Completeness: Consequences

Corollary

Constructive and (except x′ = θ, ∃ and [β∗]) coding-free.

Corollary (Conquand & Huet) (Inf.Comput’88)

Modal analogue for α∗ of characterizations in Calculus of Constructions

Corollary (Meyer & Halpern) (J.ACM’82)

F → αG semidecidable for uninterpreted programs.

Corollary (Schmitt) (Inf.Control.’84)

[α]-free semidecidable for uninterpreted programs (if ∃-free).

Corollary

Uninterpreted game logic with even d in α is semidecidable.

Andr´ e Platzer (CMU) Logic of Hybrid Games 21 / 26

Soundness & Completeness: Consequences

Corollary

Harel’77 convergence rule unnecessary for hybrid games, hybrid systems, discrete programs.

Corollary (Characterization of hybrid game challenges)

[α∗]G: Find succinct weaker invariants [x′ = θ]G and x′ = θG: Find succinct differential (in)variants ∃x G: Complexity depends on Herbrand disjunctions: uninterpreted reals × ∃x [α∗]G Π1

1-complete for discrete α

Corollary (Hybrid version of Parikh’s result) (FOCS’83)

∗-free dGL complete relative to dL, relative to continuous, or to discrete d-free dGL complete relative to dL, relative to continuous, or to discrete

Andr´ e Platzer (CMU) Logic of Hybrid Games 22 / 26

Soundness & Completeness: Consequences

Corollary () (+LICS’12)

dGL complete relative to ODE for hybrid games with finite-rank Borel winning regions.

Corollary () (+LICS’12)

dGL + Euler axiom complete relative to discrete Lµ over R

Andr´ e Platzer (CMU) Logic of Hybrid Games 23 / 26

Soundness & Completeness: Consequences

(x := 1; x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

∗ ∀x (0≤x<1 ∨ ∀t≥0 p(0 + t) ∨ p(x − 1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ x := 1¬∃t≥0 x := x+t¬p(x) ∨ p(x−1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ x := 1¬x′ = 1¬p(x) ∨ p(x − 1) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ βp(x) ∨ γp(x) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ β ∪ γp(x) → p(x)) → (true → p(x)) ∀x (0≤x<1 ∨ αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1) true → α∗0≤x<1

Andr´ e Platzer (CMU) Logic of Hybrid Games 24 / 26

Separating Axioms

Theorem (Hybrid system vs. hybrid game)

dGL is a subregular, sub-Barcan, monotonic modal logic without the induction axiom of dynamic logic. K [α](φ → ψ) → ([α]φ → [α]ψ) M αφ ∨ αψ → α(φ ∨ ψ) G φ [α]φ M[·] φ → ψ [β]φ → [β]ψ R φ1 ∧ φ2 → ψ [α]φ1 ∧ [α]φ2 → [α]ψ B α∃x φ → ∃x αφ (x ∈ α) ← − B ∃x αφ → α∃x φ (x ∈ α) I [α∗](φ → [α]φ) → (φ → [α∗]φ) ∀I Cl∀(φ → [α]φ) → (φ → [α∗]φ) FA α∗φ → φ ∨ α∗(¬φ ∧ αφ)

Andr´ e Platzer (CMU) Logic of Hybrid Games 25 / 26

Logic of Hybrid Games

differential game logic

dGL = GL + HG αφ φ Logic for hybrid games Game logic + logic for hybrid Sound & complete / LµD Fixpoint-style proofs Complete fragments expressibility Stochastic ≈ adversarial

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Logic of Hybrid Games 26 / 26

Proceedings of the 27th Annual ACM/IEEE Symposium on Logic in Computer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012. IEEE, 2012. Andr´ e Platzer. The complete proof theory of hybrid systems. In LICS [1], pages 541–550. Andr´ e Platzer. Differential game logic for hybrid games. Technical Report CMU-CS-12-105, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, March 2012. Andr´ e Platzer. Logics of dynamical systems. In LICS [1], pages 13–24. Andr´ e Platzer. A complete axiomatization of differential game logic for hybrid games. Technical Report CMU-CS-13-100, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, January 2013.

Andr´ e Platzer (CMU) Logic of Hybrid Games 0 / 3

Jan-David Quesel and Andr´ e Platzer. Playing hybrid games with KeYmaera. In Bernhard Gramlich, Dale Miller, and Ulrike Sattler, editors, IJCAR, volume 7364 of LNCS, pages 439–453. Springer, 2012.

Andr´ e Platzer (CMU) Logic of Hybrid Games 1 / 3

Successful Hybrid Games Proofs

Verification Challenge:

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Hybrid games proving also for proving relaxed notions of system similarity

Andr´ e Platzer (CMU) Logic of Hybrid Games 1 / 3

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Logic of Hybrid Games 2 / 3

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ; ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Logic of Hybrid Games 2 / 3

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ; (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1&ts ≤ ε )d ;

×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Logic of Hybrid Games 2 / 3

Robotic Factory Automation (RF)

Example (Environment vs. Robot)

• (?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy; eff2 := 0) ) ; (ax := ∗; ?(−A ≤ ax ≤ A); ay := ∗; ?(−A ≤ ay ≤ A); ts := 0 ) ;

• (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1&ts ≤ ε )d ;

∪ ((?axvx ≤ 0 ∧ ayvy ≤ 0; if vx = 0 then ax := 0 fi; if vy = 0 then ay := 0 fi ) ; (x′ = vx, y ′ = vy, v ′

x = ax, v ′ y = ay, t′ = 1, t′ s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d) ×

ey fy xb (lx, ly) ex fx (rx, ry) (vx, vy)

Andr´ e Platzer (CMU) Logic of Hybrid Games 2 / 3

Robotic Factory Automation (RF)

Proposition (Robot stays in )

| = (x = y = 0 ∧ vx = vy = 0∧

Controllability Assumptions )

→ (RF)(x ∈ [lx, rx] ∧ y ∈ [ly, ry])

Proposition (Stays in + leaves shaded region in time)

RF|x: RF projected to the x-axis | = (x = 0 ∧ vx = 0∧

Controllability Assumptions )

→ (RF|x)(x ∈ [lx, rx] ∧ (t ≥ ε → (x ≥ xb)))

Andr´ e Platzer (CMU) Logic of Hybrid Games 3 / 3