Logical Foundations of Cyber-Physical Systems
André Platzer (CMU)

LFCPS/18: Axioms & Uniform Substitutions


1. Axiom Schema Matches Many Formulas But Not All (slide 5/24)

[∪]  [α ∪ β]φ ↔ [α]φ ∧ [β]φ
  ✓  [x := x + 1 ∪ x′ = x²] x ≥ 0 ↔ [x := x + 1] x ≥ 0 ∧ [x′ = x²] x ≥ 0
  ✓  [x′ = 5 ∪ x′ = −x] x² ≥ 5 ↔ [x′ = 5] x² ≥ 5 ∧ [x′ = −x] x² ≥ 5
  ✗  [v := v + 1; x′ = v ∪ x′ = 2] x ≥ 5 ↔ [v := v + 1; x′ = v] x ≥ 5 ∧ [x′ = 2] x ≥ 4
  Algorithm: match the schema shape α ∪ β, with the same φ everywhere and α, β matching wherever the shape variables occur.

V  φ → [α]φ   (FV(φ) ∩ BV(α) = ∅)
  ✓  y ≥ 0 → [x′ = −5] y ≥ 0
  ✗  x ≥ 0 → [x′ = −5] x ≥ 0
  ✓  y ≥ z → [x′ = −5] y ≥ z
  Algorithm: rule out instances by side conditions.

[:=]  [x := θ]φ(x) ↔ φ(θ)   (θ free for x in φ)
  ✓  [x := x + y] x ≤ y² ↔ x + y ≤ y²
  ✗  [x := x + y][y := 5] x ≥ 0 ↔ [y := 5] x + y ≥ 0
  ✓  [y := 2b][(x := x + y; x′ = y)∗] x ≥ y ↔ [(x := x + 2b; x′ = 2b)∗] x ≥ 2b
  ✓  [x := x + y][x := x + 1] x ≥ 0 ↔ [x := x + y + 1] x ≥ 0
  Algorithm: match, then replace all free occurrences of x by θ everywhere, with no occurrence of x where θ is bound.

2-6. Axiom Schema Side Conditions: ODE Solving (slide 6/24)

[′]  [x′ = θ]φ ↔ ∀t ≥ 0 [x := y(t)]φ   (t fresh and y′(t) = θ)

Axiom schema with side conditions:
  1. Occurs check: t fresh
  2. Solution check: y(·) solves the ODE y′(t) = θ, with y(·) plugged in for x in term θ
  3. Initial value check: y(·) solves the symbolic IVP y(0) = x
  4. y(·) covers all solutions parametrically
  5. x′ cannot occur free in φ

Quite nontrivial soundness-critical side condition algorithms . . .

7-12. What Axioms Want (slide 7/24)

Axiom schema                          Axiom
[∪]   [α ∪ β]φ ↔ [α]φ ∧ [β]φ          [∪]   [a ∪ b]p(x̄) ↔ [a]p(x̄) ∧ [b]p(x̄)
V     φ → [α]φ                        V     p → [a]p
[:=]  [x := θ]φ(x) ↔ φ(θ)             [:=]  [x := c]p(x) ↔ p(c)

V     predicate symbol p of arity 0 has no bound variable of HP a free
      “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow)
[:=]  predicate symbol p of arity 1 has different arguments in different places
      “Formula p(x) has explicit permission to depend on x”
[∪]   predicate symbol p of arity n takes all variables x̄ as arguments
      “Formula p(x̄) has explicit permission to depend on all variables x̄”
[:=]  function symbol c of arity 0 takes no arguments
V     program constant symbol a could have arbitrary behavior

13. Outline (slide 7/24)
  1. Learning Objectives
  2. Axioms Versus Axiom Schemata
  3. Differential Dynamic Logic with Interpretations: Syntax; Semantics
  4. Uniform Substitution: Uniform Substitution Application; Uniform Substitution Lemmas
  5. Axiomatic Proof Calculus for dL
  6. Summary

14-16. Differential Dynamic Logic with Interpretations: Syntax (slide 8/24)

Definition (Hybrid program α)
  α, β ::= a | x := θ | ?Q | x′ = f(x) & Q | α ∪ β | α; β | α∗
  (program symbol a; discrete assignment; test condition; differential equation; nondeterministic choice; sequential composition; nondeterministic repetition)

Definition (dL Formula φ)
  φ, ψ ::= p(θ1, ..., θk) | θ ≥ η | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | [α]φ | ⟨α⟩φ
  (predicate symbol p; ∀x: all reals; ∃x: some real; [α]: all runs; ⟨α⟩: some run)

Definition (Term θ)
  θ, η ::= f(θ1, ..., θk) | x | θ + η | θ · η | (θ)′
  (function symbol f; (θ)′: differential)

17. Differential Dynamic Logic with Interpretations: Semantics (slide 9/24)

Definition (Term semantics)   ([[·]] : Trm → (S → ℝ))
  I(f) : ℝ^k → ℝ smooth
  ω[[f(θ1, ..., θk)]] = I(f)(ω[[θ1]], ..., ω[[θk]])
  ω[[(θ)′]] = Σ_x ω(x′) · ∂[[θ]]/∂x (ω)

Definition (dL semantics)   ([[·]] : Fml → ℘(S))
  I(p) ⊆ ℝ^k
  [[p(θ1, ..., θk)]] = {ω : (ω[[θ1]], ..., ω[[θk]]) ∈ I(p)}
  [[⟨α⟩φ]] = [[α]] ∘ [[φ]]
  P valid iff ω ∈ [[P]] for all states ω of all interpretations I

Definition (Program semantics)   ([[·]] : HP → ℘(S × S))
  I(a) ⊆ S × S
  [[a]] = I(a)
  [[x′ = f(x) & Q]] = {(ϕ(0)|_{{x′}^∁}, ϕ(r)) : ϕ ⊨ x′ = f(x) ∧ Q}
  [[α ∪ β]] = [[α]] ∪ [[β]]
  [[α; β]] = [[α]] ∘ [[β]]
  [[α∗]] = ⋃_{n ∈ ℕ} [[α^n]]

18-19. Soundness Proofs for Axioms (slide 10/24)

Lemma (V vacuous axiom)   V   p → [a]p
Proof. Truth of an arity 0 predicate symbol p depends only on interpretation I.
  1. I interprets p as true: ω ∈ [[p]] for all ω, so ω ∈ [[[a]p]] especially.
  2. I interprets p as false: ω ∉ [[p]] for all ω, so p → [a]p vacuously.

Lemma ([:=] assignment axiom)   [:=]   [x := c]p(x) ↔ p(c)
Proof. p is true of x after assigning the new value c to x (ω ∈ [[[x := c]p(x)]]) iff p is true of the new value c (ω ∈ [[p(c)]]).


21-23. Uniform Substitution (slide 11/24)

Theorem (Soundness)
  US:  from φ conclude σ(φ)   (replace all occurrences of p(·))

Uniform substitution σ replaces all occurrences of
  predicate symbol  p(θ) for any θ   by ψ(θ)
  function symbol   f(θ) for any θ   by η(θ)
  program symbol    a                by α

Example (US applied to the [∪] axiom):
  premise:     [a ∪ b]p(x̄) ↔ [a]p(x̄) ∧ [b]p(x̄)
  conclusion:  [v := v + 1 ∪ x′ = v] x > 0 ↔ [v := v + 1] x > 0 ∧ [x′ = v] x > 0

24-27. Uniform Substitution: First-Order Examples (slide 12/24)

Correct  (¬¬p) ↔ p    σ = {p ↦ [x′ = x²] x ≥ 0}    (¬¬[x′ = x²] x ≥ 0) ↔ [x′ = x²] x ≥ 0
Clash    (∀x p) ↔ p   σ = {p ↦ x ≥ 0}              ∀x (x ≥ 0) ↔ x ≥ 0    (FV/BV clash: x is free in the replacement for p but bound by ∀x)
Correct  (∀x p) ↔ p   σ = {p ↦ y ≥ 0}              ∀x (y ≥ 0) ↔ y ≥ 0

28-33. Uniform Substitution: Argument Examples (slide 13/24)

Correct  [x := c]p(x) ↔ p(c)   σ = {c ↦ x² − 1, p(·) ↦ (· ≥ 0)}   [x := x² − 1] x ≥ 0 ↔ x² − 1 ≥ 0
Clash    [x := c]p(x) ↔ p(c)   σ = {c ↦ x² − 1, p(·) ↦ (· ≥ x)}   [x := x² − 1] x ≥ x ↔ x² − 1 ≥ x    (FV/BV clash: x is free in the replacement for p but bound by x := c)
Correct  [x := c]p(x) ↔ p(c)   σ = {c ↦ x² − 1, p(·) ↦ (· ≥ ·)}   [x := x² − 1] x ≥ x ↔ x² − 1 ≥ x² − 1
Correct  [x := c]p(x) ↔ p(c)   σ = {c ↦ x² − 1, p(·) ↦ (· ≥ y)}   [x := x² − 1] x ≥ y ↔ x² − 1 ≥ y

34-36. Uniform Substitution (slide 14/24)

Theorem (Soundness)
  US:  from φ conclude σ(φ)   (replace all occurrences of p(·))
  provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ,
  i.e. the bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible).

If you bind a free variable, you go to logic jail!

Uniform substitution σ replaces all occurrences of
  predicate symbol  p(θ) for any θ   by ψ(θ)
  function symbol   f(θ) for any θ   by η(θ)
  program symbol    a                by α

Example (US applied to the [∪] axiom):
  premise:     [a ∪ b]p(x̄) ↔ [a]p(x̄) ∧ [b]p(x̄)
  conclusion:  [v := v + 1 ∪ x′ = v] x > 0 ↔ [v := v + 1] x > 0 ∧ [x′ = v] x > 0

37-52. Uniform Substitution: Recursive Application (slide 15/24)

  σ(x)          = x                                      for variable x ∈ V
  σ(f(θ))       = (σ(f))(σ(θ)) ≝ {· ↦ σ(θ)}(σ f(·))       for function symbol f ∈ σ
  σ(θ + η)      = σ(θ) + σ(η)
  σ((θ)′)       = (σ(θ))′                                if σ V-admissible for θ
  σ(p(θ))       ≡ (σ(p))(σ(θ))                           for predicate symbol p ∈ σ
  σ(φ ∧ ψ)      ≡ σ(φ) ∧ σ(ψ)
  σ(∀x φ)       = ∀x σ(φ)                                if σ {x}-admissible for φ
  σ([α]φ)       = [σ(α)]σ(φ)                             if σ BV(σ(α))-admissible for φ
  σ(a)          ≡ σa                                     for program symbol a ∈ σ
  σ(x := θ)     ≡ x := σ(θ)
  σ(x′ = θ & Q) ≡ x′ = σ(θ) & σ(Q)                       if σ {x, x′}-admissible for θ, Q
  σ(?Q)         ≡ ?σ(Q)
  σ(α ∪ β)      ≡ σ(α) ∪ σ(β)
  σ(α; β)       ≡ σ(α); σ(β)                             if σ BV(σ(α))-admissible for β
  σ(α∗)         ≡ (σ(α))∗                                if σ BV(σ(α))-admissible for α

53-59. Uniform Substitution: Examples (slide 16/24)

Clash    [x := c]p(x) ↔ p(c)   σ = {c ↦ x + 1, p(·) ↦ (· ≠ x)}   [x := x + 1] x ≠ x ↔ x + 1 ≠ x    (FV/BV clash: x is free in the replacement for p but bound by x := c)
Correct  [x := c]p(x) ↔ p(c)   σ = {c ↦ x², p(·) ↦ [(y := · + y)∗](· ≥ y)}   [x := x²][(y := x + y)∗] x ≥ y ↔ [(y := x² + y)∗] x² ≥ y
Clash    p → [a]p   σ = {a ↦ x′ = −5, p ↦ x ≥ 0}   x ≥ 0 → [x′ = −5] x ≥ 0    (FV/BV clash: x is free in the replacement for p but bound by x′ = −5)
Correct  p → [a]p   σ = {a ↦ x′ = −5, p ↦ y ≥ 0}   y ≥ 0 → [x′ = −5] y ≥ 0

  60. Uniform Substitution Theorem (Soundness)
  US:       φ
          ――――――   provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ,
           σ(φ)    i.e. the bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible)
  If you bind a free variable, you go to logic jail!
  Uniform substitution σ replaces all occurrences of
    predicate symbol  p(θ), for any θ, by ψ(θ)
    function symbol   f(θ), for any θ, by η(θ)
    program symbol    a by α
  Example:  [a ∪ b] p(x̄) ↔ [a] p(x̄) ∧ [b] p(x̄)
       US   [v := v + 1 ∪ x′ = v] x > 0 ↔ [v := v + 1] x > 0 ∧ [x′ = v] x > 0

  61. Correctness of Uniform Substitutions
  "Syntactic uniform substitution = semantic replacement"
  Lemma (Uniform substitution lemma). Uniform substitution σ and its adjoint interpretation σ*_ω I (the interpretation adjoint to σ for I, ω) have the same semantics:
        ω ∈ I⟦σ(φ)⟧   iff   ω ∈ σ*_ω I⟦φ⟧
  (The square commutes: going syntactically from φ to σ(φ) and evaluating in I, ω gives the same truth value as going semantically from I to σ*_ω I and evaluating φ there.)
  Adjoint interpretation:
        σ*_ω I(f) : ℝ → ℝ,  d ↦ (I^d_·, ω)⟦σf(·)⟧        (value of the term σf(·) in state ω, with the dot · interpreted as d)
        σ*_ω I(p) = { d ∈ ℝ : ω ∈ I^d_·⟦σp(·)⟧ }
        σ*_ω I(a) = I⟦σa⟧

  62. Uniform Substitution Theorem (Soundness)
  US:       φ
          ――――――   provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ
           σ(φ)
  Proof. If the premise φ is valid, i.e. ω ∈ I⟦φ⟧ for all I, ω, then the conclusion σ(φ) is valid, because ω ∈ I⟦σ(φ)⟧ iff ω ∈ σ*_ω I⟦φ⟧ by the uniform substitution lemma, and σ*_ω I is one of the interpretations in which φ was assumed valid. □

  63. Outline
  1 Learning Objectives
  2 Axioms Versus Axiom Schemata
  3 Differential Dynamic Logic with Interpretations
    Syntax
    Semantics
  4 Uniform Substitution
    Uniform Substitution Application
    Uniform Substitution Lemmas
  5 Axiomatic Proof Calculus for dL
  6 Summary

  64-66. Differential Dynamic Logic: Comparison
        Part I: infinite axiom schema                      Part IV: axiom = one formula
        (Schema)                                           (Axiom)
  [:=]  [x := θ] φ(x) ↔ φ(θ)                               [:=]  [x := c] p(x) ↔ p(c)
  [?]   [?χ] φ ↔ (χ → φ)                                   [?]   [?q] p ↔ (q → p)
  [∪]   [α ∪ β] φ ↔ [α] φ ∧ [β] φ                          [∪]   [a ∪ b] p(x̄) ↔ [a] p(x̄) ∧ [b] p(x̄)
  [;]   [α; β] φ ↔ [α][β] φ                                [;]   [a; b] p(x̄) ↔ [a][b] p(x̄)
  [*]   [α*] φ ↔ φ ∧ [α][α*] φ                             [*]   [a*] p(x̄) ↔ p(x̄) ∧ [a][a*] p(x̄)
  K     [α](φ → ψ) → ([α] φ → [α] ψ)                       K     [a](p(x̄) → q(x̄)) → ([a] p(x̄) → [a] q(x̄))
  I     [α*] φ ↔ φ ∧ [α*](φ → [α] φ)                       I     [a*] p(x̄) ↔ p(x̄) ∧ [a*](p(x̄) → [a] p(x̄))
  V     φ → [α] φ                                          V     p → [a] p
  [′]   [x′ = f(x)] φ ↔ ∀t ≥ 0 [x := y(t)] φ

  67-77. Example Proof
  Goal:  j(x) ⊢ [(v := 2 ∪ v := x); x′ = v] x > 0
  Each step instantiates one axiom by uniform substitution (US) and rewrites with the resulting equivalence:
  [;]   σ = { a ↦ (v := 2 ∪ v := x), b ↦ x′ = v, p(x̄) ↦ x > 0 }   on   [a; b] p(x̄) ↔ [a][b] p(x̄)
        US  [(v := 2 ∪ v := x); x′ = v] x > 0 ↔ [(v := 2 ∪ v := x)][x′ = v] x > 0
  [∪]   σ = { a ↦ v := 2, b ↦ v := x, p(x̄) ↦ [x′ = v] x > 0 }   on   [a ∪ b] p(x̄) ↔ [a] p(x̄) ∧ [b] p(x̄)
        US  [v := 2 ∪ v := x][x′ = v] x > 0 ↔ [v := 2][x′ = v] x > 0 ∧ [v := x][x′ = v] x > 0
  [:=]  σ = { c ↦ 2, p(·) ↦ [x′ = ·] x > 0 }   on   [v := c] p(v) ↔ p(c)
        US  [v := 2][x′ = v] x > 0 ↔ [x′ = 2] x > 0                                          ✓
        σ = { c ↦ x, p(·) ↦ [x′ = ·] x > 0 }   on   [v := c] p(v) ↔ p(c)
        US  [v := x][x′ = v] x > 0 ↔ [x′ = x] x > 0     (not applied: the second conjunct stays [v := x][x′ = v] x > 0)
  [′]   σ = { c ↦ v, p(·) ↦ · > 0 }   on   [x′ = c] p(x) ↔ ∀t ≥ 0 [x := x + ct] p(x)      (slide note: "v can't have ODE")
        US  [x′ = v] x > 0 ↔ ∀t ≥ 0 [x := x + vt] x > 0     (the first conjunct [x′ = 2] x > 0 is solved the same way with c ↦ 2)
  [:=]  σ = { c ↦ x, p(·) ↦ ∀t ≥ 0 [x := x + (·)t] x > 0 }   on   [v := c] p(v) ↔ p(c)
        US  [v := x] ∀t ≥ 0 [x := x + vt] x > 0 ↔ ∀t ≥ 0 [x := x + xt] x > 0
  [:=]  σ = { c ↦ x + xt, p(·) ↦ · > 0 }   on   [x := c] p(x) ↔ p(c)
        US  [x := x + xt] x > 0 ↔ x + xt > 0
  Resulting proof (read bottom-up; each rule name labels the step that derives its line from the line above):
        j(x) ⊢ ∀t ≥ 0 x + 2t > 0 ∧ ∀t ≥ 0 x + xt > 0
  [:=]  j(x) ⊢ ∀t ≥ 0 x + 2t > 0 ∧ ∀t ≥ 0 [x := x + xt] x > 0
  [:=]  j(x) ⊢ ∀t ≥ 0 [x := x + 2t] x > 0 ∧ [v := x] ∀t ≥ 0 [x := x + vt] x > 0
  [′]   j(x) ⊢ [x′ = 2] x > 0 ∧ [v := x][x′ = v] x > 0
  [:=]  j(x) ⊢ [v := 2][x′ = v] x > 0 ∧ [v := x][x′ = v] x > 0
  [∪]   j(x) ⊢ [v := 2 ∪ v := x][x′ = v] x > 0
  [;]   j(x) ⊢ [(v := 2 ∪ v := x); x′ = v] x > 0
  Summarize: the proof is a derived rule
        j(x) ⊢ ∀t ≥ 0 x + 2t > 0 ∧ ∀t ≥ 0 x + xt > 0
        ――――――――――――――――――――――――――――――――――――――――――――
        j(x) ⊢ [(v := 2 ∪ v := x); x′ = v] x > 0
  Using σ = { j(·) ↦ · > 0 } on the above derived rule (USR) proves:
        *
  R     x > 0 ⊢ ∀t ≥ 0 x + 2t > 0 ∧ ∀t ≥ 0 x + xt > 0
  USR   x > 0 ⊢ [(v := 2 ∪ v := x); x′ = v] x > 0
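The Clash/Correct verdicts of slides 55-59 and the axiom instantiations in the example proof above are all decided by the same side condition from slide 60. The Python program below is an added example for this page, not the lecture's code and not KeYmaera X's implementation: it encodes a small dL fragment as nested tuples, computes the static semantics FV and BV, applies a uniform substitution σ while enforcing FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ at every binding operator, and raises Clash when the condition fails. Three simplifications are assumptions of this example rather than statements from the slides: free variables of [α]φ are over-approximated as FV(α) ∪ FV(φ) (this can only report extra clashes, never miss one); replacements for program symbols contribute no free variables, in line with σ*_ω I(a) = I⟦σa⟧ on slide 61 not depending on the state; and the predicational p(x̄), which receives every variable as an argument, is keyed as 'p(x̄)' and replaced without a free-variable check, which is what lets p(x̄) ↦ x > 0 pass under [a; b] in the first proof step. The dot · is treated as a nullary symbol, so replacing · by σ(θ) inside σp(·) goes through the same check; on my reading that is why slide 71 uses only the first of slide 70's two [:=] instances: σ = { c ↦ x, p(·) ↦ [x′ = ·] x > 0 } would put x under the binder x′ = ·, while the solved form σ = { c ↦ x, p(·) ↦ ∀t ≥ 0 [x := x + (·)t] x > 0 } of slide 73 is admissible.

```python
"""Uniform substitution on a toy dL fragment with the FV/BV clash check of slide 60 (added
example; not the lecture's or KeYmaera X's code). Expressions are nested tuples: terms
('var',x) ('num',n) ('const',c) ('dot',) ('plus'|'times',s,t); formulas ('pred',p,(θ,)|())
('predbar',p) [= p(x̄)] ('cmp',op,s,t) ('and'|'imp'|'iff',f,g) ('forall',x,f) ('box',α,f);
programs ('assign'|'ode',x,θ) ('choice'|'seq',α,β) ('star',α) ('psym',a). σ is a dict from
symbol keys 'c', 'p', 'a', 'p(x̄)' and '·' (the dot) to replacement expressions."""
ALL = "*"                                  # sentinel: every variable (bare program symbol)
PROG = {"assign", "ode", "choice", "seq", "star", "psym"}
class Clash(Exception): """σ would bind a free variable: 'logic jail' (slide 60)."""
def fv(e):
    """Free variables; [α]φ is over-approximated as FV(α) ∪ FV(φ), which is safe."""
    k = e[0]
    if k == "var": return {e[1]}
    if k in ("num", "dot", "const"): return set()
    if k in ("psym", "predbar"): return {ALL}
    if k == "pred": return set().union(*map(fv, e[2]))
    if k == "cmp": return fv(e[2]) | fv(e[3])
    if k in ("star", "assign"): return fv(e[-1])
    if k == "forall": return fv(e[2]) - {e[1]}
    if k == "ode": return {e[1]} | fv(e[2])
    return fv(e[1]) | fv(e[2])             # plus, times, and, imp, iff, box, choice, seq

def bv(p):
    """Bound variables of a program; x' = θ binds x and x'."""
    k = p[0]
    if k == "assign": return {p[1]}
    if k == "ode": return {p[1], p[1] + "'"}
    if k == "star": return bv(p[1])
    if k == "psym": return {ALL}
    return bv(p[1]) | bv(p[2])             # choice, seq

def symbols(e):
    """Σ(e): keys of the substitutable symbols occurring in e."""
    k = e[0]
    if k == "pred": return {e[1]} | set().union(*map(symbols, e[2]))
    if k in ("predbar", "dot"): return {e[1] + "(x̄)" if k == "predbar" else "·"}
    own = {e[1]} if k in ("const", "psym") else set()
    return own | set().union(*(symbols(x) for x in e[1:] if isinstance(x, tuple)))

def fv_of(sigma, syms):
    """FV(σ|syms); program symbols (state-independent, slide 61) and p(x̄) add nothing."""
    return set().union(*(fv(sigma[s]) for s in syms if s in sigma
                         and sigma[s][0] not in PROG and not s.endswith("(x̄)")))

def check(sigma, U, e, where):
    """U-admissibility: FV(σ|Σ(e)) ∩ U = ∅, otherwise raise Clash."""
    free = fv_of(sigma, symbols(e))
    if (free & U) or (ALL in free and U) or (ALL in U and free):
        raise Clash(f"{sorted(free)} captured by binder of {sorted(U)} in {where}")

def us(sigma, e):
    """σ(e) for a term, formula or program, raising Clash when σ is inadmissible."""
    k = e[0]
    if k in ("var", "num"): return e
    if k in ("const", "psym"): return sigma.get(e[1], e)
    if k == "predbar": return sigma.get(e[1] + "(x̄)", e)
    if k == "dot": return sigma.get("·", e)
    if k == "cmp": return (k, e[1], us(sigma, e[2]), us(sigma, e[3]))
    if k == "pred":
        args = tuple(us(sigma, a) for a in e[2])
        if e[1] not in sigma: return (k, e[1], args)
        # p(θ) becomes σp(·) with · replaced by σ(θ): itself a uniform substitution, so checked
        return us({"·": args[0]}, sigma[e[1]]) if args else sigma[e[1]]
    if k == "forall": check(sigma, {e[1]}, e[2], "∀" + e[1]); return (k, e[1], us(sigma, e[2]))
    if k == "assign": return (k, e[1], us(sigma, e[2]))
    if k == "ode": check(sigma, {e[1], e[1] + "'"}, e[2], e[1] + "'="); return (k, e[1], us(sigma, e[2]))
    if k in ("box", "seq", "star"):        # operand after the program lies under BV(σ(program))
        a, rest = us(sigma, e[1]), e[-1]; check(sigma, bv(a), rest, k)
        return (k, a) if k == "star" else (k, a, us(sigma, rest))
    return (k, us(sigma, e[1]), us(sigma, e[2]))   # plus, times, and, imp, iff, choice
V, N, DOT = (lambda x: ("var", x)), (lambda n: ("num", n)), ("dot",)
def box(a, f): return ("box", a, f)
def cmp(op, s, t): return ("cmp", op, s, t)
def assign_axiom(x):       # the [:=] axiom  [x:=c]p(x) ↔ p(c)  for variable x
    return ("iff", box(("assign", x, ("const", "c")), ("pred", "p", (V(x),))),
            ("pred", "p", (("const", "c"),)))
def instance(sigma, phi):  # σ(φ), or 'CLASH: ...' when σ is not admissible for φ
    try: return us(sigma, phi)
    except Clash as err: return "CLASH: " + str(err)

def demo():
    """Slide 59's examples and the [:=] / [;] steps of the example proof (slides 68-73)."""
    x, y, v, t, out = V("x"), V("y"), V("v"), V("t"), {}
    out["sub_ne"] = instance({"c": ("plus", x, N(1)), "p": cmp("≠", DOT, x)}, assign_axiom("x"))
    loop = box(("star", ("assign", "y", ("plus", DOT, y))), cmp("≥", DOT, y))  # [(y:=·+y)*](·≥y)
    out["sub_loop"] = instance({"c": ("times", x, x), "p": loop}, assign_axiom("x"))
    vac = ("imp", ("pred", "p", ()), box(("psym", "a"), ("pred", "p", ())))      # p → [a]p
    out["vac_x"] = instance({"a": ("ode", "x", N(-5)), "p": cmp("≥", x, N(0))}, vac)
    out["vac_y"] = instance({"a": ("ode", "x", N(-5)), "p": cmp("≥", y, N(0))}, vac)
    ode_p = box(("ode", "x", DOT), cmp(">", x, N(0)))                            # [x'=·]x>0
    out["proof_cx"] = instance({"c": x, "p": ode_p}, assign_axiom("v"))          # x under x'=·
    solved = ("forall", "t", ("imp", cmp("≥", t, N(0)),                          # ∀t≥0[x:=x+(·)t]x>0
              box(("assign", "x", ("plus", x, ("times", DOT, t))), cmp(">", x, N(0)))))
    out["proof_solved"] = instance({"c": x, "p": solved}, assign_axiom("v"))
    seq_ax = ("iff", box(("seq", ("psym", "a"), ("psym", "b")), ("predbar", "p")),  # [a;b]p(x̄)
              box(("psym", "a"), box(("psym", "b"), ("predbar", "p"))))             # ↔ [a][b]p(x̄)
    out["seq"] = instance({"a": ("choice", ("assign", "v", N(2)), ("assign", "v", x)),
                           "b": ("ode", "x", v), "p(x̄)": cmp(">", x, N(0))}, seq_ax)
    return out
```

demo() returns the instances keyed by case: sub_ne, vac_x and proof_cx come back as CLASH strings, while sub_loop, vac_y, proof_solved and seq come back as the instantiated formulas of slides 59, 73 and 68 in tuple form. The check is deliberately conservative: it may reject an instantiation that a finer static semantics would accept, but it never admits one that binds a free variable, which is the property the soundness theorem on slide 60 rests on.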


  79-80. Axiom vs. Axiom Schema: Philosophy Affects Provers
  ✓ Soundness easier: literal formula, not instantiation mechanism
  ✓ An axiom is one formula. An axiom schema is a decision algorithm.
  ✓ Generic formula, not some shape with characterization of exceptions
  ✓ No schema variable or meta variable algorithms
  ✓ No matching mechanisms / unification in prover kernel
  ✓ No side condition subtlety or occurrence pattern checks (per schema)
  × Need other means of instantiating axioms: uniform substitution (US)
  ✓ US + renaming: isolate static semantics
  ✓ US independent from axioms: modular logic vs. prover separation
  ✓ More flexible by syntactic contextual equivalence
  × Extra proof branches since instantiation is an explicit proof step
  ∑ Net win for soundness since significantly simpler prover


  82. Uniform Substitution for Differential Dynamic Logic
  Differential dynamic logic dL = DL + HP, with formulas φ and [α]φ; uniform substitution takes an axiom φ to its instance σ(φ).
  Uniform substitution, as in KeYmaera X:
    ✓ axioms, not schemata
    Modular: logic vs. prover
    Straightforward to implement
    Prover microkernel
    Sound & complete / ODE
    Fast contextual equivalence

  83-85. Uniform Substitution of Rules and Proofs
  Rule G:      p(x̄)         implies            x² ≥ 0
             ――――――――                ――――――――――――――――――――――――――――――――――――――――
             [a] p(x̄)                [x := x + 1; (x′ = x ∪ x′ = −2)] x² ≥ 0
  Theorem (Soundness). If FV(σ) = ∅, then
        φ₁  …  φₙ                                   σ(φ₁)  …  σ(φₙ)
        ―――――――――――  locally sound   implies    ――――――――――――――――――  locally sound
            ψ                                          σ(ψ)
  Locally sound: the conclusion is valid in any interpretation I in which the premises are.
