Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - - PowerPoint PPT Presentation

17: Game Proofs & Separations

Logical Foundations of Cyber-Physical Systems

Logical Foundations of Cyber-Physical Systems

André Platzer

André Platzer

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 1 / 25

Outline

1

Learning Objectives

2

Hybrid Game Proofs Soundness Separations Soundness & Completeness Expressiveness Repetitive Diamonds – Convergence Versus Iteration Example Proofs

3

Differential Hybrid Games Syntax Example: Zeppelin Differential Game Invariants Example: Zeppelin Proof

4

Summary

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 2 / 25

Outline

1

Learning Objectives

2

Hybrid Game Proofs Soundness Separations Soundness & Completeness Expressiveness Repetitive Diamonds – Convergence Versus Iteration Example Proofs

3

Differential Hybrid Games Syntax Example: Zeppelin Differential Game Invariants Example: Zeppelin Proof

4

Summary

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 2 / 25

Learning Objectives

Game Proofs & Separations

CT M&C CPS rigorous reasoning for adversarial dynamics miracle of soundness separations axiomatization of dGL multi-dynamical systems differential game invariants differential games systems vs. games CPS semantics multi-scale feedback

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 3 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Syntax

Definition (Hybrid game α) α,β ::= x := e | ?Q | x′ = f(x)&Q | α ∪β | α;β | α∗ | αd Definition (dGL Formula P)

P,Q ::= e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins “Angel has Wings α”

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 4 / 25

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α)

[ [·] ] : HG → (℘(S) →℘(S))

ςx:=e(X) = {ω ∈ S : ωω[

[e] ]

x

∈ X} ςx′=f(x)(X) = {ϕ(0) ∈ S : ϕ(r) ∈ X for some ϕ:[0,r]→S, ϕ | = x′ = f(x)} ς?Q(X) = [ [Q] ]∩ X ςα∪β(X) = ςα(X)∪ςβ(X) ςα;β(X) = ςα(ςβ(X)) ςα∗(X) = {Z ⊆ S : X ∪ςα(Z) ⊆ Z} ςαd(X) = (ςα(X ∁))∁ Definition (dGL Formula P)

[ [·] ] : Fml →℘(S)

[ [e1 ≥ e2] ] = {ω ∈ S : ω[ [e1] ] ≥ ω[ [e2] ]} [ [¬P] ] = ([ [P] ])∁ [ [P ∧ Q] ] = [ [P] ]∩[ [Q] ] [ [αP] ] = ςα([ [P] ]) [ [[α]P] ] = δα([ [P] ])

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 5 / 25

Differential Game Logic: Axiomatization

[·] [α]P ↔ ¬α¬P := x := ep(x) ↔ p(e) ′ x′ = f(x)P ↔ ∃t≥0x := y(t)P ? ?QP ↔ (Q ∧ P) ∪ α ∪βP ↔ αP ∨βP ; α;βP ↔ αβP ∗ α∗P ↔ P ∨αα∗P d αdP ↔ ¬α¬P

M P → Q

αP → αQ

FP P ∨αQ → Q

α∗P → Q

MP P P → Q Q

∀

p → Q p → ∀x Q (x ∈ FV(p)) US

ϕ ϕψ(·)

p(·)

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 6 / 25

Outline

1

Learning Objectives

2

Hybrid Game Proofs Soundness Separations Soundness & Completeness Expressiveness Repetitive Diamonds – Convergence Versus Iteration Example Proofs

3

Differential Hybrid Games Syntax Example: Zeppelin Differential Game Invariants Example: Zeppelin Proof

4

Summary

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 6 / 25

Differential Game Logic: Axiomatization

[·] [α]P ↔ ¬α¬P := x := ep(x) ↔ p(e) ′ x′ = f(x)P ↔ ∃t≥0x := y(t)P ? ?QP ↔ (Q ∧ P) ∪ α ∪βP ↔ αP ∨βP ; α;βP ↔ αβP ∗ α∗P ↔ P ∨αα∗P d αdP ↔ ¬α¬P

M P → Q

αP → αQ

FP P ∨αQ → Q

α∗P → Q

MP P P → Q Q

∀

p → Q p → ∀x Q (x ∈ FV(p)) US

ϕ ϕψ(·)

p(·)

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 7 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 8 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound Do we have to prove anything at all?

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 8 / 25

More Axioms

K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q

[α]P → [α]Q ← −

M α(P ∨ Q) → αP ∨αQ M

αP ∨αQ → α(P ∨ Q)

I

[α∗]P ↔ P ∧[α∗](P → [α]P)

ind P → [α]P P → [α∗]P B α∃x P → ∃x αP

(x∈α) ← −

B ∃x αP → α∃x P G P

[α]P

M[·] P → Q

[α]P → [α]Q

R P1 ∧ P2 → Q

[α]P1 ∧[α]P2 → [α]Q

M[·] P1 ∧ P2 → Q

[α](P1 ∧ P2) → [α]Q

FAα∗P → P ∨α∗(¬P ∧αP)

← − [∗] [α∗]P ↔ P ∧[α∗][α]P

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 9 / 25

More Axioms ???

K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q

[α]P → [α]Q ← −

M α(P ∨ Q) → αP ∨αQ M

αP ∨αQ → α(P ∨ Q)

I

[α∗]P ↔ P ∧[α∗](P → [α]P)

ind P → [α]P P → [α∗]P B α∃x P → ∃x αP

(x∈α) ← −

B ∃x αP → α∃x P G P

[α]P

M[·] P → Q

[α]P → [α]Q

R P1 ∧ P2 → Q

[α]P1 ∧[α]P2 → [α]Q

M[·] P1 ∧ P2 → Q

[α](P1 ∧ P2) → [α]Q

FA α∗P → P ∨α∗(¬P ∧αP)

← − [∗] [α∗]P ↔ P ∧[α∗][α]P

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 9 / 25

Separating Axioms

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is K, I, C, B, V, G. So, dGL is a subregular, sub-Barcan, monotonic modal logic without loop induction axioms. K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q

[α]P → [α]Q ← −

M α(P ∨ Q) → αP ∨αQ M

αP ∨αQ → α(P ∨ Q)

I

[α∗]P ↔ P ∧[α∗](P → [α]P)

ind P → [α]P P → [α∗]P B α∃x P → ∃x αP

(x∈α) ← −

B ∃x αP → α∃x P G P

[α]P

M[·] P → Q

[α]P → [α]Q

R P1 ∧ P2 → Q

[α]P1 ∧[α]P2 → [α]Q

M[·] P1 ∧ P2 → Q

[α](P1 ∧ P2) → [α]Q

FA α∗P → P ∨α∗(¬P ∧αP)

← − [∗] [α∗]P ↔ P ∧[α∗][α]P

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 9 / 25

Separating Axioms

[αd]P ↔ αP

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is K, I, C, B, V, G. So, dGL is a subregular, sub-Barcan, monotonic modal logic without loop induction axioms. K [α](P → Q) → ([α]P → [α]Q) M[·] P → Q

[α]P → [α]Q ← −

M α(P ∨ Q) → αP ∨αQ M

αP ∨αQ → α(P ∨ Q)

I

[α∗]P ↔ P ∧[α∗](P → [α]P)

ind P → [α]P P → [α∗]P B α∃x P → ∃x αP

(x∈α) ← −

B ∃x αP → α∃x P G P

[α]P

M[·] P → Q

[α]P → [α]Q

R P1 ∧ P2 → Q

[α]P1 ∧[α]P2 → [α]Q

M[·] P1 ∧ P2 → Q

[α](P1 ∧ P2) → [α]Q

FA α∗P → P ∨α∗(¬P ∧αP)

← − [∗] [α∗]P ↔ P ∧[α∗][α]P

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 9 / 25

Separating Axioms

[αd]P ↔ αP

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is K, I, C, B, V, G. So, dGL is a subregular, sub-Barcan, monotonic modal logic without loop induction axioms. One game’s boxes are another game’s diamonds. Don’t use axioms that do not belong to you!

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 9 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound Do we have to prove anything at all?

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 10 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound i.e., all provable formulas are valid Axiomatics Syntax Semantics

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 10 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound i.e., all provable formulas are valid

Proof. ∪ α ∪βP ↔ αP ∨βP ; α;βP ↔ αβP [·] [α]P ↔ ¬α¬P

M P → Q

αP → αQ

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 10 / 25

Soundness

Theorem (Soundness)

dGL proof calculus is sound i.e., all provable formulas are valid

Proof. ∪ [ [α ∪βP] ] = ςα∪β([ [P] ]) = ςα([ [P] ])∪ςβ([ [P] ]) = [ [αP] ]∪[ [βP] ] = [ [αP ∨βP] ] ∪ α ∪βP ↔ αP ∨βP ; [ [α;βP] ] = ςα;β([ [P] ]) = ςα(ςβ([ [P] ])) = ςα([ [βP] ]) = [ [αβP] ] ; α;βP ↔ αβP [·] is sound by determinacy [·] [α]P ↔ ¬α¬P

M Assume the premise P → Q is valid, i.e., [

[P] ] ⊆ [ [Q] ].

Then the conclusion αP → αQ is valid, i.e.,

[ [αP] ] = ςα([ [P] ]) ⊆ ςα([ [Q] ]) = [ [αQ] ] by monotonicity.

M P → Q

αP → αQ

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 10 / 25

The Miracle of Soundness

Soundness links semantics and axiomatics in perfect unison! Compositional Soundness Soundness: If P provable then P valid

⊢ P implies P

Conditio sine qua non for logic Every formula that it proves with any proof has to be valid. Fortunately, proofs are composed from axioms by proof rules. Sufficient:

1

All axioms are sound: valid formulas.

2

All proof rules are sound: take valid premises to valid conclusions. Then Proof is a long combination of many simple arguments. Each individual step is a sound axiom or sound proof rule, so sound.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 11 / 25

The Miracle of Soundness

Soundness+Completeness links semantics and axiomatics in perfect unison! Compositional Soundness Soundness: If P provable then P valid

⊢ P implies P

Conditio sine qua non for logic Every formula that it proves with any proof has to be valid. Fortunately, proofs are composed from axioms by proof rules. Sufficient:

1

All axioms are sound: valid formulas.

2

All proof rules are sound: take valid premises to valid conclusions. Then Proof is a long combination of many simple arguments. Each individual step is a sound axiom or sound proof rule, so sound.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 11 / 25

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to any (differentially) expressive1logic L.

ϕ

iff L ⊢ ϕ

1∀

ϕ ∈ dGL ∃ ϕ♭ ∈ L ϕ ↔ ϕ♭ x′ = f(x)G ↔ (x′ = f(x)G)♭ provable for G ∈ L

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 12 / 25

Soundness & Completeness: Consequences

Corollary (Constructive)

Constructive and Moschovakis-coding-free. (Minimal: x′ = f(x), ∃, [α∗])

Corollary (Characterization of hybrid game challenges) [α∗]G: Succinct invariants

discrete Π0

2

[x′ = f(x)]G and x′ = f(x)G: Succinct differential (in)variants ∆1

1

∃x G: Complexity depends on Herbrand disjunctions:

discrete Π1

1

uninterpreted reals × ∃x [α∗]G Π1

1-complete for discrete α

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 13 / 25

Soundness & Completeness: Consequences

Corollary (Constructive)

Constructive and Moschovakis-coding-free. (Minimal: x′ = f(x), ∃, [α∗])

Corollary (Characterization of hybrid game challenges) [α∗]G: Succinct invariants

discrete Π0

2

[x′ = f(x)]G and x′ = f(x)G: Succinct differential (in)variants ∆1

1

∃x G: Complexity depends on Herbrand disjunctions:

discrete Π1

1

uninterpreted reals × ∃x [α∗]G Π1

1-complete for discrete α

set is Π0

n iff it’s {x : ∀y1 ∃y2 ∀y3 ...yn ϕ(x,y1,...,yn)} for a decidable ϕ

set is Σ0

n iff it’s {x : ∃y1 ∀y2 ∃y3 ...yn ϕ(x,y1,...,yn)} for a decidable ϕ

set is Π1

1 iff it’s {x : ∀f ∃y ϕ(x,y,f)} for a decidable ϕ and functions f

set is Σ1

1 iff it’s {x : ∃f ∀y ϕ(x,y,f)} for a decidable ϕ and functions f

∆i

n = Σi n ∩Πi n

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 13 / 25

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid systems: dL < dGL “≤” For every dL formula ϕ there is a dGL formula ˜

ϕ that is equivalent.

“≥” Not the other way around.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 14 / 25

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid systems: dL < dGL “≤” For every dL formula ϕ there is a dGL formula ˜

ϕ that is equivalent.

Easy: same formula where Angel plays for nondeterminism. “≥” Not the other way around. Hard: see proof. TOCL ’15

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 14 / 25

Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid systems: dL < dGL “≤” For every dL formula ϕ there is a dGL formula ˜

ϕ that is equivalent.

Easy: same formula where Angel plays for nondeterminism. “≥” Not the other way around. Hard: see proof. TOCL ’15

Corollary

Hybrid games are strictly more than hybrid systems.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 14 / 25

Proving Repetitive Diamonds by Convergence

con

Γ ⊢ α∗Q,∆

⊢ x ≥ 0 → (x := x − 1)∗x < 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆

⊢ x ≥ 0 → (x := x − 1)∗x < 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

⊢ x ≥ 0 → (x := x − 1)∗x < 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

con x≥0 ⊢ ∃nx<n+1

x<n+1∧ n>0 ⊢ x := x−1x<n−1+1

∃n≤0x<n+1 ⊢ x<1

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

p(n) ≡ x < n + 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

con

R

∗

x≥0 ⊢ ∃nx<n+1 x<n+1∧ n>0 ⊢ x := x−1x<n−1+1

∃n≤0x<n+1 ⊢ x<1

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

p(n) ≡ x < n + 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

con

R

∗

x≥0 ⊢ ∃nx<n+1

:=

x<n+1∧ n>0 ⊢ x−1<n−1+1 x<n+1∧ n>0 ⊢ x := x−1x<n−1+1

∃n≤0x<n+1 ⊢ x<1

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

p(n) ≡ x < n + 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

con

R

∗

x≥0 ⊢ ∃nx<n+1

:=

R

∗

x<n+1∧ n>0 ⊢ x−1<n−1+1 x<n+1∧ n>0 ⊢ x := x−1x<n−1+1

∃n≤0x<n+1 ⊢ x<1

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

p(n) ≡ x < n + 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Proving Repetitive Diamonds by Convergence

con Γ ⊢ ∃v p(v),∆

⊢ ∀v>0(p(v) → αp(v − 1)) ∃v≤0p(v) ⊢ Q Γ ⊢ α∗Q,∆ (v∈α)

→R

con

R

∗

x≥0 ⊢ ∃nx<n+1

:=

R

∗

x<n+1∧ n>0 ⊢ x−1<n−1+1 x<n+1∧ n>0 ⊢ x := x−1x<n−1+1

R

∗ ∃n≤0x<n+1 ⊢ x<1

x ≥ 0 ⊢ (x := x − 1)∗x < 1

⊢ x ≥ 0 → (x := x − 1)∗x < 1

p(n) ≡ x < n + 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 15 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

US

∀x (0≤x<2∨αα∗0≤x<2 → α∗0≤x<2) → (x ≥ 0 → α∗0≤x<2)

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

∪,d

∀x (0≤x<2∨αp(x) → p(x)) → (x ≥ 0 → p(x))

US

∀x (0≤x<2∨αα∗0≤x<2 → α∗0≤x<2) → (x ≥ 0 → α∗0≤x<2)

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

:=

∀x (0≤x<2∨βp(x)∧γp(x) → p(x)) → (x ≥ 0 → p(x))

∪,d

∀x (0≤x<2∨αp(x) → p(x)) → (x ≥ 0 → p(x))

US

∀x (0≤x<2∨αα∗0≤x<2 → α∗0≤x<2) → (x ≥ 0 → α∗0≤x<2)

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

R

∀x (0≤x<2∨ p(x − 1)∧ p(x − 2) → p(x)) → (x ≥ 0 → p(x))

:=

∀x (0≤x<2∨βp(x)∧γp(x) → p(x)) → (x ≥ 0 → p(x))

∪,d

∀x (0≤x<2∨αp(x) → p(x)) → (x ≥ 0 → p(x))

US

∀x (0≤x<2∨αα∗0≤x<2 → α∗0≤x<2) → (x ≥ 0 → α∗0≤x<2)

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: 2-Nim-type Game

x ≥ 0 → (x := x − 1

• β

∩x := x − 2

• γ
• α

)∗0 ≤ x < 2

Fixpoint style proof technique

∗

R

∀x (0≤x<2∨ p(x − 1)∧ p(x − 2) → p(x)) → (x ≥ 0 → p(x))

:=

∀x (0≤x<2∨βp(x)∧γp(x) → p(x)) → (x ≥ 0 → p(x))

∪,d

∀x (0≤x<2∨αp(x) → p(x)) → (x ≥ 0 → p(x))

US

∀x (0≤x<2∨αα∗0≤x<2 → α∗0≤x<2) → (x ≥ 0 → α∗0≤x<2)

∗,∀,MP

x ≥ 0 → α∗0≤x<2

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 16 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

;,d

∀x (0≤x<1∨βp(x)∨γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

′

∀x (0≤x<1∨x := 1¬x′ = 1¬p(x)∨ p(x−1) → p(x)) → (true → p(x))

;,d

∀x (0≤x<1∨βp(x)∨γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

:= ∀x (0≤x<1∨x := 1¬∃t≥0x := x+t¬p(x)∨p(x−1)→p(x))→(true→p(x)) ′

∀x (0≤x<1∨x := 1¬x′ = 1¬p(x)∨ p(x−1) → p(x)) → (true → p(x))

;,d

∀x (0≤x<1∨βp(x)∨γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

R

∀x (0≤x<1∨∀t≥0p(1+ t)∨ p(x − 1) → p(x)) → (true → p(x))

:= ∀x (0≤x<1∨x := 1¬∃t≥0x := x+t¬p(x)∨p(x−1)→p(x))→(true→p(x)) ′

∀x (0≤x<1∨x := 1¬x′ = 1¬p(x)∨ p(x−1) → p(x)) → (true → p(x))

;,d

∀x (0≤x<1∨βp(x)∨γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Example Proof: Hybrid Game

(x := 1;x′ = 1d

• β

∪ x := x − 1

• γ

)

• α

∗0 ≤ x < 1

Fixpoint style proof technique

∗

R

∀x (0≤x<1∨∀t≥0p(1+ t)∨ p(x − 1) → p(x)) → (true → p(x))

:= ∀x (0≤x<1∨x := 1¬∃t≥0x := x+t¬p(x)∨p(x−1)→p(x))→(true→p(x)) ′

∀x (0≤x<1∨x := 1¬x′ = 1¬p(x)∨ p(x−1) → p(x)) → (true → p(x))

;,d

∀x (0≤x<1∨βp(x)∨γp(x) → p(x)) → (true → p(x))

∪

∀x (0≤x<1∨β ∪γp(x) → p(x)) → (true → p(x))

US

∀x (0≤x<1∨αα∗0≤x<1 → α∗0≤x<1) → (true → α∗0≤x<1)

∗

true → α∗0≤x<1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

Outline

1

Learning Objectives

2

Hybrid Game Proofs Soundness Separations Soundness & Completeness Expressiveness Repetitive Diamonds – Convergence Versus Iteration Example Proofs

3

Differential Hybrid Games Syntax Example: Zeppelin Differential Game Invariants Example: Zeppelin Proof

4

Summary

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 17 / 25

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

CPS Dynamics

CPS are characterized by multiple facets of dynamical systems.

CPS Compositions

CPS combines multiple simple dynamical effects. Descriptive simplification

Tame Parts

Exploiting compositionality tames CPS complexity. Analytic simplification

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 18 / 25

CPSs are Multi-Dynamical Systems

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

hybrid systems

HS = discrete+ ODE

stochastic hybrid sys.

SHS = HS+ stochastics

5 10 15 20 0.3 0.2 0.1 0.1 0.2 0.3

hybrid games

HG = HS+ adversary

distributed hybrid sys.

DHS = HS+ distributed

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 18 / 25

Differential Game Logic: Syntax

Definition (Differential hybrid game α) (TOCL ’17)

x := e | ?Q | x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z | α ∪β | α;β | α∗ | αd

Definition (dGL Formula P)

e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 19 / 25

Differential Game Logic: Syntax

Definition (Differential hybrid game α) (TOCL ’17)

x := e | ?Q | x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z | α ∪β | α;β | α∗ | αd

Definition (dGL Formula P)

e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins Differential Game

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 19 / 25

Differential Game Logic: Syntax

Definition (Differential hybrid game α) (TOCL ’17)

x := e | ?Q | x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z | α ∪β | α;β | α∗ | αd

Definition (dGL Formula P)

e ≥ ˜ e | ¬P | P ∧ Q | ∀x P | ∃x P | αP | [α]P Discrete Assign Test Game Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Angel Wins Demon Wins Differential Game Demon controls y ∈ Y Angel controls z ∈ Z Demon chooses “first” Angel controls duration

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 19 / 25

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 20 / 25

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 20 / 25

Zeppelin Obstacle Parcours

c > 0∧x − o2 ≥ c2 →

• v :=∗;o :=∗;c :=∗;?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e., y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 21 / 25

Zeppelin Obstacle Parcours

c > 0∧x − o2 ≥ c2 →

• v :=∗;o :=∗;c :=∗;?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2

If r > p If p > v + r If v + r > p > r

airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e., y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 21 / 25

Zeppelin Obstacle Parcours

c > 0∧x − o2 ≥ c2 →

• v :=∗;o :=∗;c :=∗;?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × If r > p hopeless turbulence

If p > v + r If v + r > p > r

airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e., y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 21 / 25

Zeppelin Obstacle Parcours

c > 0∧x − o2 ≥ c2 →

• v :=∗;o :=∗;c :=∗;?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × If r > p hopeless turbulence If p > v + r super-powered prop

If v + r > p > r

airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e., y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 21 / 25

Zeppelin Obstacle Parcours

c > 0∧x − o2 ≥ c2 →

• v :=∗;o :=∗;c :=∗;?C;

{x′ = v + py + rz&

dy ∈ B&z ∈ B}

∗ x − o2 ≥ c2 × If r > p hopeless turbulence If p > v + r super-powered prop

? If v + r > p > r our challenge

airship at x ∈ R2 propeller p controlled in any direction y ∈ B, i.e., y2

1 + y2 2 ≤ 1

× sporadically changing homogeneous wind field v ∈ R2 × sporadically changing obstacle o ∈ R2 of size c subject to C × continuously local turbulence of magnitude r in any direction z ∈ B

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 21 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

¬ ¬F

F F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

DGI1≤x3 ⊢ [x′ = −1+2y+z& dy ∈ I&z ∈ I]1≤x3

where y ∈ I ≡ −1 ≤ y ≤ 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

[:=]

⊢ ∃y∈I ∀z∈I [x′:=−1+2y+z]0≤3x2x′

DGI1≤x3 ⊢ [x′ = −1+2y+z& dy ∈ I&z ∈ I]1≤x3

where y ∈ I ≡ −1 ≤ y ≤ 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

R

⊢ ∃y∈I ∀z∈I 0 ≤ 3x2(−1+2y+z)

[:=]

⊢ ∃y∈I ∀z∈I [x′:=−1+2y+z]0≤3x2x′

DGI1≤x3 ⊢ [x′ = −1+2y+z& dy ∈ I&z ∈ I]1≤x3

where y ∈ I ≡ −1 ≤ y ≤ 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

F

¬F

∗

R

⊢ ∃y∈I ∀z∈I 0 ≤ 3x2(−1+2y+z)

[:=]

⊢ ∃y∈I ∀z∈I [x′:=−1+2y+z]0≤3x2x′

DGI1≤x3 ⊢ [x′ = −1+2y+z& dy ∈ I&z ∈ I]1≤x3

where y ∈ I ≡ −1 ≤ y ≤ 1

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F DGIl−m2>0 ⊢ [m′ = My,l′ = Lz& dy∈B&z∈B]l−m2>0

if L ≤ M

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

[:=]

⊢ ∃y ∈ B ∀z ∈ B [m′:=My][l′:=Lz](2(l − m)·(l′ − m′) ≥ 0)

DGIl−m2>0 ⊢ [m′ = My,l′ = Lz& dy∈B&z∈B]l−m2>0

if L ≤ M

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

R

⊢ ∃y ∈ B ∀z ∈ B (2(l − m)·(Lz − My) ≥ 0)

[:=]

⊢ ∃y ∈ B ∀z ∈ B [m′:=My][l′:=Lz](2(l − m)·(l′ − m′) ≥ 0)

DGIl−m2>0 ⊢ [m′ = My,l′ = Lz& dy∈B&z∈B]l−m2>0

if L ≤ M

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Invariants

Theorem (Differential Game Invariants)

DGI

∃y ∈ Y ∀z ∈ Z [x′:=f(x,y,z)](F)′

F → [x′ = f(x,y,z)&

dy ∈ Y&z ∈ Z]F

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]F → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]F

∗

R

⊢ ∃y ∈ B ∀z ∈ B (2(l − m)·(Lz − My) ≥ 0)

[:=]

⊢ ∃y ∈ B ∀z ∈ B [m′:=My][l′:=Lz](2(l − m)·(l′ − m′) ≥ 0)

DGIl−m2>0 ⊢ [m′ = My,l′ = Lz& dy∈B&z∈B]l−m2>0

if L ≤ M

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 22 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

F

• André Platzer (CMU)

LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

χ

F

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

F

• André Platzer (CMU)

LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV ∃ε>0∀x ∃z ∈ Z ∀y ∈ Y (g ≤ 0 → [x′:=f(x,y,z)](g)′ ≥ ε)

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

F

• André Platzer (CMU)

LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV ∃ε>0∀x ∃z ∈ Z ∀y ∈ Y (g ≤ 0 → [x′:=f(x,y,z)](g)′ ≥ ε)

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

⊢ x′ = zx − yu,u′ = zu + yx&

d−2≤y≤2&−1≤z≤11− x2 − u2 ≥ 0

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV ∃ε>0∀x ∃z ∈ Z ∀y ∈ Y (g ≤ 0 → [x′:=f(x,y,z)](g)′ ≥ ε)

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

⊢ ∃ε>0∀x ∀u ∃−1≤z≤1∀−2≤y≤2

• 1−x2−u2≤0 → [x′:=][u′:=]−2xx′−2uu′≥ε
• ⊢ x′ = zx − yu,u′ = zu + yx&

d−2≤y≤2&−1≤z≤11− x2 − u2 ≥ 0

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV ∃ε>0∀x ∃z ∈ Z ∀y ∈ Y (g ≤ 0 → [x′:=f(x,y,z)](g)′ ≥ ε)

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

⊢ ∃ε>0∀x ∀u ∃−1≤z≤1∀−2≤y≤2

• x2+u2≥1 → −2x(zx−yu)−2u(zu+yx)≥ε
• ⊢ ∃ε>0∀x ∀u ∃−1≤z≤1∀−2≤y≤2
• 1−x2−u2≤0 → [x′:=][u′:=]−2xx′−2uu′≥ε
• ⊢ x′ = zx − yu,u′ = zu + yx&

d−2≤y≤2&−1≤z≤11− x2 − u2 ≥ 0

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Differential Game Variants

Theorem (Differential Game Variants)

DGV ∃ε>0∀x ∃z ∈ Z ∀y ∈ Y (g ≤ 0 → [x′:=f(x,y,z)](g)′ ≥ ε)

x′ = f(x,y,z)&

dy ∈ Y&z ∈ Zg ≥ 0

Theorem (Differential Game Refinement) ∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f(x,y,z) = g(x,u,v)) [x′ = g(x,u,v)&

du ∈ U&v ∈ V]P → [x′ = f(x,y,z)& dy ∈ Y&z ∈ Z]P

∗ ⊢ ∃ε>0∀x ∀u ∃−1≤z≤1∀−2≤y≤2

• x2+u2≥1 → −2x(zx−yu)−2u(zu+yx)≥ε
• ⊢ ∃ε>0∀x ∀u ∃−1≤z≤1∀−2≤y≤2
• 1−x2−u2≤0 → [x′:=][u′:=]−2xx′−2uu′≥ε
• ⊢ x′ = zx − yu,u′ = zu + yx&

d−2≤y≤2&−1≤z≤11− x2 − u2 ≥ 0

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 23 / 25

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 24 / 25

Zeppelin Obstacle Parcours

avoid obstacles changing wind local turbulence

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 24 / 25

Outline

1

Learning Objectives

2

Hybrid Game Proofs Soundness Separations Soundness & Completeness Expressiveness Repetitive Diamonds – Convergence Versus Iteration Example Proofs

3

Differential Hybrid Games Syntax Example: Zeppelin Differential Game Invariants Example: Zeppelin Proof

4

Summary

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 24 / 25

Summary

differential game logic

dGL = GL+ HG = dL+ d αϕ ϕ Logic for hybrid games Compositional PL + logic Discrete + continuous + adversarial Winning regions iterate ≥ωω Sound & rel. complete axiomatization Hybrid games > hybrid systems

d radical challenge yet smooth extension

Don’t use systems thinking for games

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 25 / 25

André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Switzerland, 2018. URL: http://www.springer.com/978-3-319-63587-3,

doi:10.1007/978-3-319-63588-0.

André Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015.

doi:10.1145/2817824.

André Platzer. Differential hybrid games. ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017.

doi:10.1145/3091123.

André Platzer. Logics of dynamical systems. In LICS, pages 13–24, Los Alamitos, 2012. IEEE.

doi:10.1109/LICS.2012.13.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 25 / 25

André Platzer. Logic & proofs for cyber-physical systems. In Nicola Olivetti and Ashish Tiwari, editors, IJCAR, volume 9706 of LNCS, pages 15–21, Berlin, 2016. Springer.

doi:10.1007/978-3-319-40229-1_3.

André Platzer. Differential dynamic logic for hybrid systems.

• J. Autom. Reas., 41(2):143–189, 2008.

doi:10.1007/s10817-008-9103-8.

André Platzer. A complete uniform substitution calculus for differential dynamic logic.

• J. Autom. Reas., 59(2):219–265, 2017.

doi:10.1007/s10817-016-9385-1.

André Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 25 / 25