Uniform Substitution At One Fell Swoop Andr Platzer In Shakespeares - - PowerPoint PPT Presentation
Uniform Substitution At One Fell Swoop Andr Platzer In Shakespeares 1611 play, at one fell swoop was likened to the suddenness with which a bird of prey fiercely attacks a whole nest at once. Andr Platzer (CMU) Uniform
André Platzer In Shakespeare’s 1611 play, “at one fell swoop” was likened to the suddenness with which a bird of prey fiercely attacks a whole nest at once.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
1
Motivation Parsimonious Hybrid Game Proofs Foundation for Verification
2
Differential Game Logic Syntax Example: Push-around Cart Denotational Semantics
3
Uniform Substitution Application Uniform Substitution Lemma Uniform Substitution of Rules Static Semantics Axioms Differential Hybrid Games
4
Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
1
Motivation Parsimonious Hybrid Game Proofs Foundation for Verification
2
Differential Game Logic Syntax Example: Push-around Cart Denotational Semantics
3
Uniform Substitution Application Uniform Substitution Lemma Uniform Substitution of Rules Static Semantics Axioms Differential Hybrid Games
4
Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
Challenge (Hybrid Systems)
Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)
2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2
a
2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8
p
px py
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 2 / 23
Challenge (Games)
Game rules describing play evolution with both Angelic choices (player ⋄ Angel) Demonic choices (player
⋄
Demon) 0,0 2,1 1,2 3,1
⋄\ ⋄
Tr Pl Trash 1,2 0,0 Plant 0,0 2,1
8 rmbl0skZ 7 ZpZ0ZpZ0 6 0Zpo0ZpZ 5 o0ZPo0Zp 4 PZPZPZ0O 3 Z0Z0ZPZ0 2 0O0J0ZPZ 1 SNAQZBMR a b c d e f g h André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 3 / 23
Challenge (Hybrid Games)
Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon
⋄
)
2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4
a
2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p
px py
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 4 / 23
Challenge (Hybrid Games)
Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon
⋄
)
2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4
a
2 4 6 8 10 t 1.0 0.5 0.5
Ω
2 4 6 8 10 t 0.5 0.5 1.0
d
dx dy
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 5 / 23
− − − − − − − − − →
Foundation for
− − − − − − − − − →
FOL Functional Language Imperative Language Formula Functional program Imperative program/game Predicate calculus Function calculus Program calculus Subst + rename
α,β,η-conversion
USubst + rename
Functional α-conversion
for bound variables
β-reduction
capture-avoiding subst.
η-conversion
versus free variables
Imperative
Uniform substitution replaces predicate/function/program sym. mindful of free/bound variables Substitution is fundamental but subtle. Henkin wants it banished! Now: Make USubst even more subtle, but faster, and still sound. Beware: Imperative free and bound variables may overlap!
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 6 / 23
25,000 50,000 75,000 100,000 KeYmaera X KeYmaera KeY Nuprl MetaPRL Isabelle/Pure Coq HOL Light PHAVer HSolver SpaceEx Cora Flow* dReal HyCreate2
1,652
Games: months
ց
minutes
Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Church checks exponentially (sometimes & in unoptimized implementations)
10000 20000 30000 40000 20 40 60 80 Church One-pass
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Church checks quadratically (invasive space-time tradeoff optimizations)
225 450 675 900 550 1100 1650 2200 y = 3.596E-5x2 - 0.0107x + 2.4344 y = 0.0002x2 - 0.0409x + 10.772 Church-opt One-pass
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
1
Motivation Parsimonious Hybrid Game Proofs Foundation for Verification
2
Differential Game Logic Syntax Example: Push-around Cart Denotational Semantics
3
Uniform Substitution Application Uniform Substitution Lemma Uniform Substitution of Rules Static Semantics Axioms Differential Hybrid Games
4
Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Definition (Hybrid game α)
a | x :=θ | ?q | x′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ)
p(θ1,...,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | αφ | [α]φ TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Definition (Hybrid game α)
a | x :=θ | ?q | x′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ)
p(θ1,...,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Definition (Hybrid game α)
a | x :=θ | ?q | x′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ)
p(θ1,...,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Game Symb. TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Definition (Hybrid game α)
a | x :=θ | ?q | x′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ)
p(θ1,...,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Game Symb. Angel Wins Demon Wins TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
x v d a v ≥ 1 →
∗
v ≥ 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
x v d a
v ≥ 1 →
d before a can compensate
∗
v ≥ 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
x v d a
v ≥ 1 →
d before a can compensate
∗
v ≥ 0
t := 0; {x′ = v,v′ = a+ d,t′ = 1&t ≤ 1}
∗
x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
x v d a
v ≥ 1 →
d before a can compensate
∗
v ≥ 0
a := d then a := signv t := 0; {x′ = v,v′ = a+ d,t′ = 1&t ≤ 1}
∗
x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
Definition (Hybrid game α)
[ [·] ] : HG → (℘(S) →℘(S))
[ [x := θ] ]
[θ] ]
x
∈ X} [ [x′ = θ] ]
dt
(ζ) = ϕ(ζ)[ [θ] ] for all ζ} [ [?q] ]
[q] ]∩ X [ [α ∪β] ]
[α] ]
[β] ]
[α;β] ]
[α] ]
[β] ]
[α∗] ]
[α] ]
[ [αd] ]
[α] ]
)∁ Definition (dGL Formula φ)
[ [·] ] : Fml →℘(S)
[ [θ ≥ η] ] = {ω ∈ S : ω[ [θ] ] ≥ ω[ [η] ]} [ [¬φ] ] = ([ [φ] ])∁ [ [φ ∧ψ] ] = [ [φ] ]∩[ [ψ] ] [ [αφ] ] = [ [α] ]
[φ] ]
[[α]φ] ] = [ [α] ]
[φ] ]∁∁
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 10 / 23
X
[ [x :=θ] ]
x
′
= θ [ [x′ = θ] ]
[ [q] ] [ [?q] ]
[α] ]
[β] ]
[ [α ∪β] ]
[α] ]
[β] ]
[β] ]
[ [α;β] ]
[α] ]
[α∗] ]
[α∗] ]
[ [α] ]∞(X) ··· [ [α] ]3(X) [ [α] ]2(X) [ [α] ](X)
X
[ [α∗] ]
X
[ [α] ]
[ [α] ]
[ [αd] ]
Uniform Substitution At One Fell Swoop CADE’19 11 / 23
1
Motivation Parsimonious Hybrid Game Proofs Foundation for Verification
2
Differential Game Logic Syntax Example: Push-around Cart Denotational Semantics
3
Uniform Substitution Application Uniform Substitution Lemma Uniform Substitution of Rules Static Semantics Axioms Differential Hybrid Games
4
Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 12 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σφ
provided FV(σ|Σ(θ))∩ BV(⊗(·)) = /
0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible)
US
a∪ bp(¯
x) ↔ ap(¯ x)∨bp(¯ x)
v := v + 1∪ x′ = vx > 0 ↔ v := v + 1x > 0∨x′ = vx > 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σφ
provided FV(σ|Σ(θ))∩ BV(⊗(·)) = /
0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible)
v := fp(v) ↔ p(f) v :=−xx′ = vx ≥ 0 ↔ x′ = −xx ≥ 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σφ
provided FV(σ|Σ(θ))∩ BV(⊗(·)) = /
0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible) If you bind a free variable, you go to logic jail! Modular interface: Prover vs. Logic
v := fp(v) ↔ p(f) v :=−xx′ = vx ≥ 0 ↔ x′ = −xx ≥ 0
Clash
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σφ
provided FV(σ|Σ(θ))∩ BV(⊗(·)) = /
0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible) If you bind a free variable, you go to logic jail! Modular interface: Prover vs. Logic
x′ = f(x),y′ = a(x)yx ≥ 1 ↔ x′ = f(x)x ≥ 1 x′ = x2,y′ = zyyx ≥ 1 ↔ x′ = x2x ≥ 1
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σφ
provided FV(σ|Σ(θ))∩ BV(⊗(·)) = /
0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗ are free in the substitution on its argument θ (U-admissible) If you bind a free variable, you go to logic jail! Modular interface: Prover vs. Logic
x′ = f(x),y′ = a(x)yx ≥ 1 ↔ x′ = f(x)x ≥ 1 x′ = x2,y′ = zyyx ≥ 1 ↔ x′ = x2x ≥ 1
Clash
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
σ(f(θ)) = (σf)(σθ)
def
= {· → σθ}σf(·) σ(θ +η) = σθ +ση σ((θ)′) = (σθ)′
if σ V-admissible for θ
σ(p(θ)) = (σp)(σθ) σ(φ ∧ψ) = σφ ∧σψ σ(∀x φ) = ∀x σφ
if σ {x}-admissible for φ
σ(αφ) = σασφ
if σ BV(σα)-admissible for φ
σ(a) = σa σ(x :=θ) = x :=σθ σ(x′ = θ &q) = x′ = σθ &σq
if σ {x,x′}-admissible for θ,q
σ(α ∪β) = σα ∪σβ σ(α;β) = σα;σβ
if σ BV(σα)-admissible for β
σ(α∗) = (σα)∗
if σ BV(σα)-admissible for α
σ(αd) = (σα)d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 14 / 23
σ(f(θ)) = (σf)(σθ)
def
= {· → σθ}σf(·) σ(θ +η) = σθ +ση σ((θ)′) = (σθ)′
if σ V-admissible for θ
σ(p(θ)) = (σp)(σθ) σ(φ ∧ψ) = σφ ∧σψ σ(∀x φ) = ∀x σφ
if σ {x}-admissible for φ
σ(αφ) = σασφ
if σ BV(σα)-admissible for φ
σ(a) = σa σ(x :=θ) = x :=σθ σ(x′ = θ &q) = x′ = σθ &σq
if σ {x,x′}-admissible for θ,q
σ(α ∪β) = σα ∪σβ σ(α;β) = σα;σβ
if σ BV(σα)-admissible for β
σ(α∗) = (σα)∗
if σ BV(σα)-admissible for α
σ(αd) = (σα)d
Idea Check side conditions at each operator again where soundness demands it.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 14 / 23
σ U(f(θ)) = (σ Uf)(σ Uθ)
def
= {· → σ Uθ}/
0σf(·)
if F V(σf(·))∩ U = /
σ U(θ +η) = σ Uθ +σ Uη σ U((θ)′) = (σVθ)′ σ U(p(θ)) = (σ Up)(σ Uθ)
if F V(σp(·))∩ U = /
σ U(φ ∧ψ) = σ Uφ ∧σ Uψ σ U(∀x φ) = ∀x σ U∪{x}φ σ U(αφ) = σ U
V ασ Vφ
σ U
U∪B V(σa)(a) = σa
σ U
U∪{x}(x :=θ) = x :=σ Uθ
σ U
U∪{x,x′}(x′ = θ &q) = (x′ = σ U∪{x,x′}θ &σ U∪{x,x′}q)
σ U
V∪W(α ∪β) = σ U V α ∪σ U Wβ
σ U
W(α;β) = σ U V α;σ V Wβ
σ U
V (α∗) = (σ V V α)∗
where σ U
V α defined
σ U
V (αd) = (σ U V α)d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
σ U(f(θ)) = (σ Uf)(σ Uθ)
def
= {· → σ Uθ}/
0σf(·)
if F V(σf(·))∩ U = /
σ U(θ +η) = σ Uθ +σ Uη σ U((θ)′) = (σVθ)′ σ U(p(θ)) = (σ Up)(σ Uθ)
if F V(σp(·))∩ U = /
σ U(φ ∧ψ) = σ Uφ ∧σ Uψ σ U(∀x φ) = ∀x σ U∪{x}φ σ U(αφ) = σ U
V ασ Vφ
σ U
U∪B V(σa)(a) = σa
σ U
U∪{x}(x :=θ) = x :=σ Uθ
σ U
U∪{x,x′}(x′ = θ &q) = (x′ = σ U∪{x,x′}θ &σ U∪{x,x′}q)
σ U
V∪W(α ∪β) = σ U V α ∪σ U Wβ
σ U
W(α;β) = σ U V α;σ V Wβ
σ U
V (α∗) = (σ V V α)∗
where σ U
V α defined
σ U
V (αd) = (σ U V α)d
input
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
σ U(f(θ)) = (σ Uf)(σ Uθ)
def
= {· → σ Uθ}/
0σf(·)
if F V(σf(·))∩ U = /
σ U(θ +η) = σ Uθ +σ Uη σ U((θ)′) = (σVθ)′ σ U(p(θ)) = (σ Up)(σ Uθ)
if F V(σp(·))∩ U = /
σ U(φ ∧ψ) = σ Uφ ∧σ Uψ σ U(∀x φ) = ∀x σ U∪{x}φ σ U(αφ) = σ U
V ασ Vφ
σ U
U∪B V(σa)(a) = σa
σ U
U∪{x}(x :=θ) = x :=σ Uθ
σ U
U∪{x,x′}(x′ = θ &q) = (x′ = σ U∪{x,x′}θ &σ U∪{x,x′}q)
σ U
V∪W(α ∪β) = σ U V α ∪σ U Wβ
σ U
W(α;β) = σ U V α;σ V Wβ
σ U
V (α∗) = (σ V V α)∗
where σ U
V α defined
σ U
V (αd) = (σ U V α)d
Idea Linear homomorphic pass postponing admissibility. Recover with taboos at replacements.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
Theorem (Soundness) replace all occurrences of p(·)
US
φ σ /
0φ
provided σ /
0φ is defined
If you bind a free variable, you go to logic jail! Such a clash can only happen with taboos U arising while forming σ /
0φ
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 16 / 23
“Syntactic uniform substitution = semantic replacement”
Lemma (Uniform substitution lemma)
Uniform substitution σ and adjoint σ∗
ωI to σ for I,ω have the same semantics
for all ν such that ν = ω except on U: Iν[
[σ Uθ] ] = σ∗
ωIν[
[θ] ] ν ∈ I[ [σ Uφ] ] iff ν ∈ σ∗
ωI[
[φ] ] ν ∈ I[ [σ U
V α]
]
ωI[
[α] ]
with nested induction over closure ordinal, simultaneously for all ν,ω,U,X
θ σθ
Iν[
[σθ] ] σ∗
ωIν[
[θ] ] σ σ∗
ωI
I
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 17 / 23
Theorem (Soundness) φ1 ... φn ψ
locally sound implies σVφ1
... σVφn σVψ
locally sound Locally sound The conclusion is valid in any interpretation in which the premises are.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 18 / 23
Lemma (Coincidence for formulas) (Only F V(φ) determine truth)
If ω= ˜
ω on F
V(φ) then: ω ∈ [
[φ] ] iff ˜ ω ∈ [ [φ] ] Lemma (Coincidence for games) (Only F V(α) determine victory)
If ω= ˜
ω on V⊇F
V(α) then:
ω ∈ [ [α] ]
ω ∈ [ [α] ]
X
[ [α] ]
˜ ω
V(α)
α α
Lemma (Bound effect) (Only B V(α) change value) ω ∈ [ [α] ]
[α] ]
V(α)∁)
X↓ω
[ [α] ]
V(α)∁)
α α
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 20 / 23
Axiom = one formula Infinite axiom schema
[a]p(¯
x) ↔ ¬a¬p(¯ x)
x := fp(x) ↔ p(f) x′ = fp(x) ↔ ∃t≥0x := x + ftp(x) ?qp ↔ (q ∧ p) a∪ bp(¯
x) ↔ ap(¯ x)∨bp(¯ x)
a;bp(¯
x) ↔ abp(¯ x)
a∗p(¯
x) ↔ p(¯ x)∨aa∗p(¯ x)
adp(¯
x) ↔ ¬a¬p(¯ x)
[·] [α]φ ↔ ¬α¬φ := x :=θφ ↔ φ θ
x
′ x′ = θφ ↔ ∃t≥0x := y(t)φ ? ?ψφ ↔ (ψ ∧φ) ∪ α ∪βφ ↔ αφ ∨βφ ; α;βφ ↔ αβφ ∗ α∗φ ↔ φ ∨αα∗φ d αdφ ↔ ¬α¬φ
IJCAR’18 TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
Axiom = one formula Infinite axiom schema
[a]c⊤ ↔ ¬a¬c⊤ x := fc⊤ ↔ ∃x (x = f ∧c⊤) x′ = fp(x) ↔ ∃t≥0x := x + ftp(x) ?qp ↔ (q ∧ p) a∪ bc⊤ ↔ ac⊤∨bc⊤ a;bc⊤ ↔ abc⊤ a∗c⊤ ↔ c⊤∨aa∗c⊤ adc⊤ ↔ ¬a¬c⊤ [·] [α]φ ↔ ¬α¬φ := x :=θφ ↔ φ θ
x
′ x′ = θφ ↔ ∃t≥0x := y(t)φ ? ?ψφ ↔ (ψ ∧φ) ∪ α ∪βφ ↔ αφ ∨βφ ; α;βφ ↔ αβφ ∗ α∗φ ↔ φ ∨αα∗φ d αdφ ↔ ¬α¬φ
CADE’19 TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
c⊤ uniformly substitutes to ?φ⊤ alias φ [a]c⊤ ↔ ¬a¬c⊤ x := fc⊤ ↔ ∃x (x = f ∧c⊤) x′ = fp(x) ↔ ∃t≥0x := x + ftp(x) ?qp ↔ (q ∧ p) a∪ bc⊤ ↔ ac⊤∨bc⊤ a;bc⊤ ↔ abc⊤ a∗c⊤ ↔ c⊤∨aa∗c⊤ adc⊤ ↔ ¬a¬c⊤ [·] [α]φ ↔ ¬α¬φ := x :=θφ ↔ φ θ
x
′ x′ = θφ ↔ ∃t≥0x := y(t)φ ? ?ψφ ↔ (ψ ∧φ) ∪ α ∪βφ ↔ αφ ∨βφ ; α;βφ ↔ αβφ ∗ α∗φ ↔ φ ∨αα∗φ d αdφ ↔ ¬α¬φ
CADE’19 TOCL ’15
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
avoid obstacles changing wind local turbulence x′ = f(x,y,z) TOCL ’17
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
avoid obstacles changing wind local turbulence x′ = f(x,y,z) TOCL ’17
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
1
Motivation Parsimonious Hybrid Game Proofs Foundation for Verification
2
Differential Game Logic Syntax Example: Push-around Cart Denotational Semantics
3
Uniform Substitution Application Uniform Substitution Lemma Uniform Substitution of Rules Static Semantics Axioms Differential Hybrid Games
4
Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
differential game logic
dGL = GL+ HG = dL+ d αϕ ϕ Faster sound uniform substitution Replace all at once, check all at once Modular: Logic Prover Isabelle/HOL formalization 3,500 lines Sound & rel. complete axiomatization Sound for differential hybrid games Future: Benefit from USubst elsewhere
d i s c r e t e c
t i n u
s nondet stochastic a d v e r s a r i a l
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 23 / 23
I Part: Elementary Cyber-Physical Systems
II Part: Differential Equations Analysis
III Part: Adversarial Cyber-Physical Systems 14-17. Hybrid Systems & Hybrid Games IV Part: Comprehensive CPS Correctness
André Platzer
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 24 / 23
− − − − − − − − − →
Foundation for
− − − − − − − − − →
FOL Functional Language Imperative Language Formula Functional program Imperative program/game Predicate calculus Function calculus Program calculus Subst + rename
α,β,η-conversion
USubst + rename
Functional α-conversion
for bound variables
β-reduction
capture-avoiding subst.
η-conversion
versus free variables
Imperative
Uniform substitution replaces predicate/function/program sym. mindful of free/bound variables Substitution is fundamental but subtle. Henkin wants it banished! Now: Make USubst even more subtle, but faster, and still sound. Beware: Imperative free and bound variables may overlap!
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
André Platzer. Uniform substitution at one fell swoop. In Pascal Fontaine, editor, CADE, volume 11716 of LNCS, pages 425–441. Springer, 2019.
doi:10.1007/978-3-030-29436-6_25.
André Platzer. Uniform substitution for differential game logic. In Didier Galmiche, Stephan Schulz, and Roberto Sebastiani, editors, IJCAR, volume 10900 of LNCS, pages 211–227. Springer, 2018.
doi:10.1007/978-3-319-94205-6_15.
André Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015.
doi:10.1145/2817824.
André Platzer. Differential hybrid games. ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017.
doi:10.1145/3091123.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
André Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Cham, 2018. URL: http://www.springer.com/978-3-319-63587-3,
doi:10.1007/978-3-319-63588-0.
André Platzer. A complete uniform substitution calculus for differential dynamic logic.
doi:10.1007/s10817-016-9385-1.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
5
Appendix ODE Schema Static Semantics Operational Semantics Completeness
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
′ x′ = θφ ↔ ∃t≥0x := y(t)φ
Axiom schema with side conditions:
1
Occurs check: t fresh
2
Solution check: y(·) solves the ODE y′(t) = θ with x(·) plugged in for x in term θ
3
Initial value check: y(·) solves the symbolic IVP y(0) = x
4
x(·) covers all solutions parametrically
5
x′ cannot occur free in φ Quite nontrivial soundness-critical algorithms . . .
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 26 / 23
F V(θ) =
,ω, ˜ ω such that ω = ˜ ω on {x}∁ and ω[ [θ] ] = ˜ ω[ [θ] ]
V(φ) =
,ω, ˜ ω such that ω = ˜ ω on {x}∁ and ω ∈ [ [φ] ] ∋ ˜ ω
V(α) =
,ω, ˜ ω,X with ω = ˜ ω on {x}∁, ω ∈ [ [α] ]
∋ ˜ ω
V(α) =
,ω,X such that [ [α] ]
[α] ]
Uniform Substitution At One Fell Swoop CADE’19 27 / 23
Definition (Hybrid game α: operational semantics) ω
x :=θ
ωω[
[θ] ]
x
x :=θ
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω
x′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω ?q ω ?q ω ∈ [ [q] ]
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω α ∪β ω
tκ
β
tj
β
t1
β
r i g h t
ω
sλ
α
si
α
s1
α
l e f t
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω α;β
tλ rλ1
λ
β
r j
λ
β
r 1
λ
β α
ti rλi
i
β
r 1
i
β α
t1 rλ1
1
β
r j
1
β
r 1
1
β α
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω α∗ ω α α
r e p e a t stop
α α α
r e p e a t stop
α
repeat stop
α α α
r e p e a t stop
α α α
r e p e a t stop
α
repeat stop
α
repeat
ω
s t
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Definition (Hybrid game α: operational semantics) ω α
t0 tκ tj t1 s0 sλ si s1
ω αd
t0 tκ tj t1 s0 sλ si s1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Theorem (Completeness)
dGL calculus is a sound & complete axiomatization relative to any (differentially) expressive1logic L.
ϕ
iff TautL ⊢ ϕ TOCL ’15
1∀
ϕ ∈ dGL ∃ ϕ♭ ∈ L ϕ ↔ ϕ♭ x′ = θG ↔ (x′ = θG)♭ provable for G ∈ L
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 29 / 23