17: Game Proofs & Separations
Logical Foundations of Cyber-Physical Systems
André Platzer (CMU)
LFCPS/17: Game Proofs & Separations, slide 1 / 25
Outline
1 Learning Objectives
2 Hybrid Game Proofs
  Soundness
  Separations
  Soundness & Completeness
  Expressiveness
  Repetitive Diamonds – Convergence Versus Iteration
  Example Proofs
3 Differential Hybrid Games
  Syntax
  Example: Zeppelin
  Differential Game Invariants
  Example: Zeppelin Proof
4 Summary
Learning Objectives: Game Proofs & Separations
  rigorous reasoning for adversarial dynamics
  miracle of soundness separations
  axiomatization of dGL
  multi-dynamical systems
  differential game invariants
CT / M&C / CPS:
  differential games
  CPS semantics
  systems vs. games
  multi-scale feedback
Differential Game Logic: Syntax

Definition (Hybrid game α)
  $\alpha, \beta ::= x := e \mid ?Q \mid x' = f(x) \,\&\, Q \mid \alpha \cup \beta \mid \alpha ; \beta \mid \alpha^* \mid \alpha^d$
  (discrete assign | test | differential equation | choice game | seq. game | repeat game | dual game)

Definition (dGL Formula P)
  $P, Q ::= e \ge \tilde{e} \mid \neg P \mid P \wedge Q \mid \forall x\, P \mid \exists x\, P \mid \langle\alpha\rangle P \mid [\alpha] P$
  ($\forall x\, P$: all reals; $\exists x\, P$: some reals; $\langle\alpha\rangle P$: Angel wins; $[\alpha]P$: Demon wins)

"Angel has Wings $\langle\alpha\rangle$"
Differential Game Logic: Denotational Semantics

Definition (Hybrid game α)   $\varsigma_{(\cdot)} : HG \to (\wp(S) \to \wp(S))$
  $\varsigma_{x := e}(X) = \{\omega \in S : \omega_x^{\omega[\![e]\!]} \in X\}$
  $\varsigma_{x' = f(x)}(X) = \{\varphi(0) \in S : \varphi(r) \in X \text{ for some } \varphi : [0, r] \to S,\ \varphi \models x' = f(x)\}$
  $\varsigma_{?Q}(X) = [\![Q]\!] \cap X$
  $\varsigma_{\alpha \cup \beta}(X) = \varsigma_\alpha(X) \cup \varsigma_\beta(X)$
  $\varsigma_{\alpha ; \beta}(X) = \varsigma_\alpha(\varsigma_\beta(X))$
  $\varsigma_{\alpha^*}(X) = \bigcap \{Z \subseteq S : X \cup \varsigma_\alpha(Z) \subseteq Z\}$
  $\varsigma_{\alpha^d}(X) = (\varsigma_\alpha(X^\complement))^\complement$

Definition (dGL Formula P)   $[\![\cdot]\!] : Fml \to \wp(S)$
  $[\![e_1 \ge e_2]\!] = \{\omega \in S : \omega[\![e_1]\!] \ge \omega[\![e_2]\!]\}$
  $[\![\neg P]\!] = ([\![P]\!])^\complement$
  $[\![P \wedge Q]\!] = [\![P]\!] \cap [\![Q]\!]$
  $[\![\langle\alpha\rangle P]\!] = \varsigma_\alpha([\![P]\!])$
  $[\![[\alpha]P]\!] = \delta_\alpha([\![P]\!])$
Differential Game Logic: Axiomatization

Axioms:
  ⟨:=⟩  $\langle x := e\rangle p(x) \leftrightarrow p(e)$
  ⟨'⟩   $\langle x' = f(x)\rangle P \leftrightarrow \exists t \ge 0\, \langle x := y(t)\rangle P$
  ⟨?⟩   $\langle ?Q\rangle P \leftrightarrow (Q \wedge P)$
  ⟨∪⟩   $\langle \alpha \cup \beta\rangle P \leftrightarrow \langle\alpha\rangle P \vee \langle\beta\rangle P$
  ⟨;⟩   $\langle \alpha ; \beta\rangle P \leftrightarrow \langle\alpha\rangle\langle\beta\rangle P$
  ⟨*⟩   $\langle \alpha^*\rangle P \leftrightarrow P \vee \langle\alpha\rangle\langle\alpha^*\rangle P$
  ⟨d⟩   $\langle \alpha^d\rangle P \leftrightarrow \neg\langle\alpha\rangle\neg P$
  [·]   $[\alpha]P \leftrightarrow \neg\langle\alpha\rangle\neg P$

Rules:
  M    $\dfrac{P \to Q}{\langle\alpha\rangle P \to \langle\alpha\rangle Q}$
  FP   $\dfrac{P \vee \langle\alpha\rangle Q \to Q}{\langle\alpha^*\rangle P \to Q}$
  MP   $\dfrac{P \qquad P \to Q}{Q}$
  ∀    $\dfrac{p \to Q}{p \to \forall x\, Q}$   ($x \notin FV(p)$)
  US   $\dfrac{\phi}{\phi^{\psi(\cdot)}_{p(\cdot)}}$
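Added example, not from the lecture: the discrete fragment of the denotational semantics above (assign, test, choice, sequence, repeat as a least fixpoint, dual as double complement) run over a constructed finite state space, with instances of the ⟨*⟩, [·] and ⟨d⟩ axioms checked semantically. The tuple encoding of games and the four-state space are assumptions of this example; the differential-equation case is omitted since it needs a continuous state space. It also computes, for a game with a dual choice, that ⟨α⟩(P ∨ Q) and ⟨α⟩P ∨ ⟨α⟩Q denote different sets, the distinction behind the M⟨⟩ axiom questioned on the "More Axioms" slide below.

```python
"""Angel's winning regions for discrete hybrid games over a finite state space,
computed from the denotational semantics above. Added example, not from the
lecture; the differential-equation case is omitted (needs continuous states)."""

S = frozenset(range(4))  # constructed state space: the value of one variable x

def win(game, X):
    """ς_α(X): states from which Angel can force game α to end inside X.
    Games: ("assign", f) with f: state -> state, ("test", Q) with Q = [[Q]],
    ("choice", a, b), ("seq", a, b), ("repeat", a), ("dual", a)."""
    kind, *args = game
    if kind == "assign":       # x := e : the successor state must lie in X
        return frozenset(w for w in S if args[0](w) in X)
    if kind == "test":         # ?Q     : [[Q]] ∩ X
        return args[0] & X
    if kind == "choice":       # α ∪ β  : Angel picks whichever branch wins
        return win(args[0], X) | win(args[1], X)
    if kind == "seq":          # α ; β  : ς_α(ς_β(X))
        return win(args[0], win(args[1], X))
    if kind == "repeat":       # α*     : least Z with X ∪ ς_α(Z) ⊆ Z, iterated from ∅
        Z = frozenset()
        while (nxt := X | win(args[0], Z)) != Z:
            Z = nxt
        return Z
    if kind == "dual":         # α^d    : double complement swaps the players
        return S - win(args[0], S - X)
    raise ValueError(f"unknown game constructor {kind}")

def demon_win(game, X):
    """δ_α(X), the semantics of [α]P, via the axiom [α]P ↔ ¬⟨α⟩¬P."""
    return S - win(game, S - X)

# Constructed games: Demon (through the dual) sets x to 0 or 1 as he likes,
# and Angel may increment x (capped at 3) as often as she likes.
DEMON_PICK = ("dual", ("choice", ("assign", lambda w: 0), ("assign", lambda w: 1)))
INC_STAR = ("repeat", ("assign", lambda w: min(w + 1, 3)))

def checks():
    """Instances of the axioms computed semantically; every value should be True."""
    P, Q, GOAL = frozenset({0}), frozenset({1}), frozenset({3})
    star = win(INC_STAR, GOAL)
    return {
        "unroll": star == GOAL | win(INC_STAR[1], star),     # ⟨α*⟩P ↔ P ∨ ⟨α⟩⟨α*⟩P
        "dual_box": demon_win(DEMON_PICK, P) == win(DEMON_PICK[1], P) == S,  # [α^d]P ↔ ⟨α⟩P
        # Angel wins x ∈ {0,1} against Demon's pick, but neither x = 0 nor x = 1 alone:
        "or_not_distributive": win(DEMON_PICK, P | Q) == S
            and win(DEMON_PICK, P) == win(DEMON_PICK, Q) == frozenset(),
    }
```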
Soundness

Theorem (Soundness)
  The dGL proof calculus is sound.

Do we have to prove anything at all?
More Axioms ???

  K    $[\alpha](P \to Q) \to ([\alpha]P \to [\alpha]Q)$   |   M[·]  $\dfrac{P \to Q}{[\alpha]P \to [\alpha]Q}$   ←−
  M⟨⟩  $\langle\alpha\rangle(P \vee Q) \to \langle\alpha\rangle P \vee \langle\alpha\rangle Q$   |   M⟨⟩  $\langle\alpha\rangle P \vee \langle\alpha\rangle Q \to \langle\alpha\rangle(P \vee Q)$
  I    $[\alpha^*]P \leftrightarrow P \wedge [\alpha^*](P \to [\alpha]P)$   |   ind  $\dfrac{P \to [\alpha]P}{P \to [\alpha^*]P}$   ←−
  B    $\langle\alpha\rangle\exists x\, P \to \exists x\, \langle\alpha\rangle P$   ($x \notin \alpha$)   |   B  $\exists x\, \langle\alpha\rangle P \to \langle\alpha\rangle\exists x\, P$
  G    $\dfrac{P}{[\alpha]P}$   |   M[·]  $\dfrac{P \to Q}{[\alpha]P \to [\alpha]Q}$
  R    $\dfrac{P_1 \wedge P_2 \to Q}{[\alpha]P_1 \wedge [\alpha]P_2 \to [\alpha]Q}$   |   M[·]  $\dfrac{P_1 \wedge P_2 \to Q}{[\alpha](P_1 \wedge P_2) \to [\alpha]Q}$   ←−
  FA   $\langle\alpha^*\rangle P \to P \vee \langle\alpha^*\rangle(\neg P \wedge \langle\alpha\rangle P)$   ←−   |   [*]  $[\alpha^*]P \leftrightarrow P \wedge [\alpha^*][\alpha]P$