Refining Constructive Hybrid Games Brandon Bohrer and Andr e Platzer - - PowerPoint PPT Presentation

Refining Constructive Hybrid Games

Brandon Bohrer and Andr´ e Platzer

Logical Systems Lab Computer Science Department Carnegie Mellon University

FSCD’20

1 / 11

Why Refine Constructive Hybrid Games?

2 / 11

Why Refine Constructive Hybrid Games?

2 / 11

Why Refine Constructive Hybrid Games?

2 / 11

Why Refine Constructive Hybrid Games?

2 / 11

Why Refine Constructive Hybrid Games?

2 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗

3 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗

Either speed

3 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗

Either speed Speed Limits Switch

3 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗

Either speed Speed Limits Switch Physics Constraint

3 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗

Either speed Speed Limits Switch Physics Constraint Loop

3 / 11

Constructive Hybrid Game: Push-pull

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗ αPP =

• {{vd := −1; va := 1};

∪{vd := 1; va := −1}}; x := ∗; x′ := vd + va; ?x = x0 ∗

Either speed Speed Limits Switch Physics Constraint Loop Mirror

3 / 11

Types Give Constructive Semantics

P

: (state ⇒ type )

?QP s

= Q s * P s

[?Q]P s

= Q s ⇒ P s Prove test Assume test

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ type )

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v) Prove test Choose x Assume test Receive x

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ type )

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

α ∪ βP s

= αP s + βP s

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v)

[α ∪ β]P s

= [α]P s * [β]P s Prove test Choose x Choose branch Assume test Receive x Can’t choose

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ type )

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

α ∪ βP s

= αP s + βP s

αdP s

= [α]P s

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v)

[α ∪ β]P s

= [α]P s * [β]P s

[αd]P s

= αP s Prove test Choose x Choose branch Switch Assume test Receive x Can’t choose Switch

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ type )

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

α ∪ βP s

= αP s + βP s

αdP s

= [α]P s

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v)

[α ∪ β]P s

= [α]P s * [β]P s

[αd]P s

= αP s

α ≤[ ] β s

=

• ΠP : (state ⇒ type ).

[α]P s ⇒ [β]P s

• Prove test

Choose x Choose branch Switch Assume test Receive x Can’t choose Switch

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ typei+1)

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

α ∪ βP s

= αP s + βP s

αdP s

= [α]P s

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v)

[α ∪ β]P s

= [α]P s * [β]P s

[αd]P s

= αP s

α ≤ i [ ] β s

=

• ΠP : (state ⇒ typei).

[α]P s ⇒ [β]P s

• Prove test

Choose x Choose branch Switch Assume test Receive x Can’t choose Switch

4 / 11

Types Give Constructive Semantics

P

: (state ⇒ typei+1)

?QP s

= Q s * P s

x := ∗P s

= Σv : R. P (set s x v)

α ∪ βP s

= αP s + βP s

αdP s

= [α]P s

[?Q]P s

= Q s ⇒ P s

[x := ∗]P s

= Πv : R. P (set s x v)

[α ∪ β]P s

= [α]P s * [β]P s

[αd]P s

= αP s

α ≤ i [ ] β s

=

• ΠP : (state ⇒ typei).

[α]P s ⇒ [β]P s

• R[·]

Γ ⊢ [α]P Γ ⊢ α ≤ i

[ ] β

Γ ⊢ [β]P R· Γ ⊢ αP Γ ⊢ α ≤ i

β

Γ ⊢ βP Prove test Choose x Choose branch Switch Assume test Receive x Can’t choose Switch

4 / 11

Refinements Subsume Game Algebra

trans Γ ⊢ α ≤[ ] β Γ ⊢ β ≤[ ] γ Γ ⊢ α ≤[ ] γ ∪A Γ ⊢ {α ∪ β} ∪ γ ∼ = α ∪ {β ∪ γ} ;dr Γ ⊢ {α ∪ β}; γ ∼ = {α; γ} ∪ {β; γ} refl Γ ⊢ α ≤[ ] α ∪c Γ ⊢ α ∪ β ∼ = β ∪ α

5 / 11

Refinements Resolve Strategic Choice

[∪]L1 Γ ⊢ αd ≤[ ] {α ∪ β}d [:∗] Γ ⊢ {x := f }d ≤[ ] {x := ∗}d [∪]L2 Γ ⊢ βd ≤[ ] {α ∪ β}d ;G · ⊢ α1 ≤[ ] α2 · ⊢ β1 ≤[ ] β2 · ⊢ α1; β1 ≤[ ] α2; β2

6 / 11

Refinements Resolve Strategic Choice

[∪]L1 Γ ⊢ αd ≤[ ] {α ∪ β}d [:∗] Γ ⊢ {x := f }d ≤[ ] {x := ∗}d [∪]L2 Γ ⊢ βd ≤[ ] {α ∪ β}d ;G · ⊢ α1 ≤[ ] α2 · ⊢ β1 ≤[ ] β2 · ⊢ α1; β1 ≤[ ] α2; β2 ;S Γ ⊢ α1 ≤[ ] α2 Γ ⊢ [α1]β1 ≤[ ] β2 Γ ⊢ α1; β1 ≤[ ] α2; β2

1

1α1 is a hybrid system 6 / 11

ODEs are Solved or Abstracted

solve Γ ⊢ t = 0 ∧ d ≥ 0 Γ ⊢ [t := ∗; ?0 ≤ t ≤ d; x := sol]Q Γ ⊢ {t := d; x := sol; t′ := 1; x′ := f } ≤[ ] {t′ = 1, x′ = f & Q}d

1

DC Γ ⊢ [x′ = f & P]Q Γ ⊢ {x′ = f & P} ∼ = {x′ = f & P ∧ Q} DW Γ ⊢ {x := ∗; x′ := f ; ?Q} ≤[ ] {x′ = f & Q}

1sol solves ODE, {t, t′, x, x′} not free in d

Assignment ODE

7 / 11

Game Proofs are Reified as Systems

(Proof of [α]P or αP) System

:=IΓ(x0), x = f x0 x

⊢ P Γ(x) ⊢ x := f P x := f ; α

:∗IΓ(x0), x = f x0 x

⊢ P Γ(x) ⊢ x := ∗P x := f ; α

dw

Γ(x0), Q ⊢ P Γ(x) ⊢ [x′ = f & Q]P x := ∗; x′ := f ; ?Q; α

dcΓ ⊢ [x′ = f & Q]R

Γ ⊢ [x′ = f & Q ∧ R]P Γ ⊢ [x′ = f & Q]P β First IH α Second IH β

8 / 11

Cart Proof Reifies Strategy

safe ≡ xl < x0 = x < xr → [PP](x = x0)

PP ≡ {{vd := −1 ∪ vd := 1}; {va := ∗; ?(−1 ≤ va ≤ 1)}d; {x′ = vd + va & xl ≤ x ≤ xr}}∗ αPP =

• {{vd := −1; va := 1};

∪{vd := 1; va := −1}}; x := ∗; x′ := vd + va; ?x = x0 ∗

Let A be standard mirroring strategy for PP, then A αPP

9 / 11

Theory

Let A be a proof of (Γ ⊢ [α]P) and let A α. 1

Theorem (Systemhood)

α is a system, i.e., it does not contain dualities.

Theorem (Reification transfer)

Γ ⊢ [α]P is provable.

Theorem (Reification refinement)

Γ ⊢ α ≤[ ] α is provable.

1Recursively assume Γ free of duals βd 10 / 11

Conclusion

11 / 11