Uniform Substitution for Differential Game Logic Andr e Platzer - - PowerPoint PPT Presentation

Uniform Substitution for Differential Game Logic

Andr´ e Platzer

0.2 0.4 0.6 0.8 1.0

0.1 0.2 0.3 0.4 0.5

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 1 / 20

Outline

1

Motivation Game Proofs Hybrid Games

2

Differential Game Logic Syntax Example: Robot Soccer Denotational Semantics

3

Uniform Substitution Mechanism Axioms Example

4

Static Semantics

5

Axiomatization

6

Summary

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 1 / 20

Uniform Substitution is Fundamental but Crucial

Q: How to build a prover with a small soundness-critical core? A: Uniform substitution [Church] Q: Impact on hybrid systems prover core? A: 65 989 ց 1 651 LOC (2.5%) [KeYmaera X] Q: Impact on hybrid games prover core? A: months ց minutes (+10 LOC) [KeYmaera X] Q: How to prove soundness? A: Uniform substitution enables modular soundness [Modularity] Q: Biggest challenges for uniform substitution on games? A: State transition relation impossible for games [Complications] A: Transfinite induction for least fixpoint of loops >ωω A: Conservative extension of formulas, not of axioms

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 2 / 20

KeYmaera X Small Kernel for Soundness 1 700 LOC

25,000 50,000 75,000 100,000 K e Y m a e r a X K e Y m a e r a K e Y N u p r l M e t a P R L I s a b e l l e / P u r e C

• q

H O L L i g h t P H A V e r H S

• l

v e r S p a c e E x C

• r

a F l

• w

* d R e a l H y C r e a t e 2

1,652

Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 3 / 20

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0v 2 4 6 8 10 t 2 4 6 8

p

px py Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 4 / 20

CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing state evolution with both Discrete dynamics (control decisions) Continuous dynamics (differential equations)

2 4 6 8 10 t 0.8 0.6 0.4 0.2 0.2

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 4 / 20

CPS Analysis: Robot Control

Challenge (Games)

Game rules describing play evolution with both Angelic choices (player ⋄ Angel) Demonic choices (player ⋄ Demon) 0,0 2,1 1,2 3,1 ⋄\ ⋄ Tr Pl Trash 1,2 0,0 Plant 0,0 2,1

8 rmbl0skZ 7 ZpZ0ZpZ0 6 0Zpo0ZpZ 5 o0ZPo0Zp 4 PZPZPZ0O 3 Z0Z0ZPZ0 2 0O0J0ZPZ 1 SNAQZBMR a b c d e f g h Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 5 / 20

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 0.2 0.4 0.6 0.8 1.0 1.2v 2 4 6 8 10 t 1 2 3 4 5 6 7p

px py Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 6 / 20

CPS Analysis: Robot Control

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 6 / 20

CPS Analysis: RoboCup Soccer

Challenge (Hybrid Games)

Game rules describing play evolution with Discrete dynamics (control decisions) Continuous dynamics (differential equations) Adversarial dynamics (Angel ⋄ vs. Demon ⋄ )

2 4 6 8 10 t 0.6 0.4 0.2 0.2 0.4

a

2 4 6 8 10 t 1.0 0.5 0.5

Ω

2 4 6 8 10 t 0.5 0.5 1.0

d

dx dy Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 7 / 20

Differential Game Logic: Syntax

Definition (Hybrid game α)

a | x := θ | ?q | x′ = θ | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ ≥ η | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 8 / 20

Differential Game Logic: Syntax

Definition (Hybrid game α)

a | x := θ | ?q | x′ = θ | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ ≥ η | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 8 / 20

Differential Game Logic: Syntax

Definition (Hybrid game α)

a | x := θ | ?q | x′ = θ | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ ≥ η | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Game Symb. TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 8 / 20

Differential Game Logic: Syntax

Definition (Hybrid game α)

a | x := θ | ?q | x′ = θ | α ∪ β | α; β | α∗ | αd

Definition (dGL Formula φ)

p(θ1, . . . , θn) | θ ≥ η | ¬φ | φ ∧ ψ | ∀x φ | ∃x φ | αφ | [α]φ Discrete Assign Test Game Differential Equation Choice Game Seq. Game Repeat Game All Reals Some Reals Dual Game Game Symb. Angel Wins Demon Wins TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 8 / 20

Example: Goalie in Robot Soccer

x y, g (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Example: Goalie in Robot Soccer

x y, g (v, +w) (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u −u (x, y) g x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Example: Goalie in Robot Soccer

x y, g (v, +w) (v, −w) +u −u (x, y) g x v 2 (u − w)2 ≤ 1 ∧ x < 0 ∧ v > 0 ∧ y = g →

• (w := +w ∩ w := −w);
• (u := +u ∪ u := −u); {x′ = v, y′ = w, g′ = u}

∗ x2 + (y − g)2 ≤ 1 Goalie’s Secret

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 9 / 20

Differential Game Logic: Denotational Semantics

Definition (Hybrid game α) [ [·] ] : HG → (℘(S) → ℘(S))

[ [x := θ] ](X) = {ω ∈ S : ωω[

[θ] ] x

∈ X} [ [x′ = θ] ](X) = {ϕ(0) ∈ S : ϕ(r) ∈ X, d ϕ(t)(x)

dt

(ζ) = ϕ(ζ)[ [θ] ] for all ζ} [ [?q] ](X) = [ [q] ] ∩ X [ [α ∪ β] ](X) = [ [α] ](X) ∪ [ [β] ](X) [ [α; β] ](X) = [ [α] ]([ [β] ](X)) [ [α∗] ](X) = {Z ⊆ S : X ∪ [ [α] ](Z) ⊆ Z} [ [αd] ](X) = ([ [α] ](X ∁))∁

Definition (dGL Formula φ) [ [·] ] : Fml → ℘(S)

[ [θ ≥ η] ] = {ω ∈ S : ω[ [θ] ] ≥ ω[ [η] ]} [ [¬φ] ] = ([ [φ] ])∁ [ [φ ∧ ψ] ] = [ [φ] ] ∩ [ [ψ] ] [ [αφ] ] = [ [α] ]([ [φ] ]) [ [[α]φ] ] = [ [α] ]([ [φ] ]∁)∁

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 10 / 20

Differential Game Logic: Denotational Semantics

X [ [x := θ] ](X) X x

′

= θ [ [x′ = θ] ](X) X [ [q] ] [ [?q] ](X) [ [α] ](X) [ [β] ](X) X [ [α ∪ β] ](X) [ [α] ]([ [β] ](X)) [ [β] ](X) X [ [α; β] ](X) [ [α] ]([ [α∗] ](X)) \ [ [α∗] ](X) ∅

[ [α] ]∞(X) ··· [ [α] ]3(X) [ [α] ]2(X) [ [α] ](X) X

[ [α∗] ](X) X ∁ X [ [α] ](X ∁) [ [α] ](X ∁)∁ [ [αd] ](X)

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 11 / 20

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

(US) φ σφ provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) “If you bind a free variable, you go to logic jail!”

US

a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) v := v + 1 ∪ x′ = vx > 0 ↔ v := v + 1x > 0 ∨ x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 13 / 20

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

(US) φ σφ provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) “If you bind a free variable, you go to logic jail!” Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function symb. f (θ) for any θ by η(θ) game symbol a by α

US

a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) v := v + 1 ∪ x′ = vx > 0 ↔ v := v + 1x > 0 ∨ x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 13 / 20

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

(US) φ σφ provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) “If you bind a free variable, you go to logic jail!” Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function symb. f (θ) for any θ by η(θ) game symbol a by α Modular interface: Prover vs. Logic

US

a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) v := v + 1 ∪ x′ = vx > 0 ↔ v := v + 1x > 0 ∨ x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 13 / 20

Differential Game Logic: Axiomatization

Axiom = one formula Infinite axiom schema [a]p(¯ x) ↔ ¬a¬p(¯ x) x := f p(x) ↔ p(f ) x′ = f p(x) ↔ ∃t≥0 x := x + ftp(x) ?qp ↔ (q ∧ p) a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) a; bp(¯ x) ↔ abp(¯ x) a∗p(¯ x) ↔ p(¯ x) ∨ aa∗p(¯ x) adp(¯ x) ↔ ¬a¬p(¯ x) [·] [α]φ ↔ ¬α¬φ := x := θφ ↔ φ(θ) ′ x′ = θφ ↔ ∃t≥0 x := y(t)φ ? ?ψφ ↔ (ψ ∧ φ) ∪ α ∪ βφ ↔ αφ ∨ βφ ; α; βφ ↔ αβφ ∗ α∗φ ↔ φ ∨ αα∗φ d αdφ ↔ ¬α¬φ IJCAR’18 TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 14 / 20

Example Proof

; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

σ = {a → (v := 2 ∪ v := x)d, b → x′ = v, p(¯ x) → x > 0} a; bp(¯ x) ↔ abp(¯ x)

US(v := 2 ∪ v := x)d; x′ = vx>0 ↔ (v := 2 ∪ v := x)dx′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

σ = {a → v := 2 ∪ v := x, p(¯ x) → x′ = vx > 0} adp(¯ x) ↔ ¬a¬p(¯ x)

US(v := 2 ∪ v := x)dx′ = vx>0 ↔ ¬v := 2 ∪ v := x¬x′ = vx>0 ∪ j(x) ⊢ ¬v := 2 ∪ v := x¬x′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

σ = {a → v := 2, b → v := x, p(¯ x) → ¬x′ = vx > 0}

a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x)

USv := 2 ∪ v := x¬x′ = vx>0 ↔ v := 2¬x′ = vx>0 ∨ v := x¬x′ = vx>0

:=j(x) ⊢ ¬(v := 2¬x′ = vx>0 ∨ v := x¬x′ = vx>0) ∪ j(x) ⊢ ¬v := 2 ∪ v := x¬x′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

σ = {f → 2, p(·) → ¬x′=·x>0} v := f p(v) ↔ p(f ) v := 2¬x′=vx>0 ↔ ¬x′=2x>0 σ = {f → x, p(·) → ¬x′=·x>0} v := f p(v) ↔ p(f ) v := x¬x′=vx>0 ↔ ¬x′=xx>0

• ′ j(x) ⊢ ¬(¬x′ = 2x>0 ∨ v := x¬x′ = vx>0)

:=j(x) ⊢ ¬(v := 2¬x′ = vx>0 ∨ v := x¬x′ = vx>0) ∪ j(x) ⊢ ¬v := 2 ∪ v := x¬x′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

σ = {f → v, p(·) → ·>0} v can’t have ODE x′ = f p(x) ↔ ∃t≥0 x := x+ftp(x)

USx′ = vx>0 ↔ ∃t≥0 x := x+vtx>0 :=j(x) ⊢ ¬(¬∃t≥0 x := x+2tx>0 ∨ v := x¬∃t≥0 x := x+vtx>0) ′ j(x) ⊢ ¬(¬x′ = 2x>0 ∨ v := x¬x′ = vx>0) :=j(x) ⊢ ¬(v := 2¬x′ = vx>0 ∨ v := x¬x′ = vx>0) ∪ j(x) ⊢ ¬v := 2 ∪ v := x¬x′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

j(x) ⊢ ¬(¬∃t≥0 x+2t>0 ∨ ¬∃t≥0 x+(x)t>0)

:=j(x) ⊢ ¬(¬∃t≥0 x := x+2tx>0 ∨ v := x¬∃t≥0 x := x+vtx>0) ′ j(x) ⊢ ¬(¬x′ = 2x>0 ∨ v := x¬x′ = vx>0) :=j(x) ⊢ ¬(v := 2¬x′ = vx>0 ∨ v := x¬x′ = vx>0) ∪ j(x) ⊢ ¬v := 2 ∪ v := x¬x′ = vx>0 d j(x) ⊢ (v := 2 ∪ v := x)dx′ = vx>0 ; j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx>0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

Summarize: j(x) ⊢ ¬(¬∃t≥0 x+2t>0 ∨ ¬∃t≥0 x+(x)t>0) j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Example Proof

Summarize: j(x) ⊢ ¬(¬∃t≥0 x+2t>0 ∨ ¬∃t≥0 x+(x)t>0) j(x) ⊢ (v := 2 ∪ v := x)d; x′ = vx > 0 Using σ = {j(·) → ·>−1} on above derived rule proves:

R x > −1 ⊢ ¬(¬∃t≥0 x + 2t > 0 ∨ ¬∃t≥0 x + (x)t > 0) USRx > −1 ⊢ (v := 2 ∪ v := x)d; x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 15 / 20

Static Semantics

Lemma (Coincidence for formulas) (Only F V(φ) determine truth)

If ω=˜ ω on F V(φ) and I=J on Σ(φ), then: ω ∈ [ [φ] ] iff ˜ ω ∈ [ [φ] ]

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 17 / 20

Static Semantics

Lemma (Coincidence for games) (Only F V(α) determine victory)

If ω=˜ ω on V ⊇ F V(α), I=J on Σ(α): ω ∈ [ [α] ](X↑V ) iff ˜ ω ∈ [ [α] ](X↑V )

X [ [α] ](X) ω α

Lemma (Bound effect) (Only B V(α) change value)

ω ∈ [ [α] ](X) iff ω ∈ [ [α] ](X↓ω(B

V(α)∁))

X ω α

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 17 / 20

Static Semantics

Lemma (Coincidence for games) (Only F V(α) determine victory)

If ω=˜ ω on V ⊇ F V(α), I=J on Σ(α): ω ∈ [ [α] ](X↑V ) iff ˜ ω ∈ [ [α] ](X↑V )

X↑V X [ [α] ](X) ω ˜ ω

• n V ⊇ F

V(α) α α

Lemma (Bound effect) (Only B V(α) change value)

ω ∈ [ [α] ](X) iff ω ∈ [ [α] ](X↓ω(B

V(α)∁))

X ω α

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 17 / 20

Static Semantics

Lemma (Coincidence for games) (Only F V(α) determine victory)

If ω=˜ ω on V ⊇ F V(α), I=J on Σ(α): ω ∈ [ [α] ](X↑V ) iff ˜ ω ∈ [ [α] ](X↑V )

X↑V X [ [α] ](X) ω ˜ ω

• n V ⊇ F

V(α) α α

Lemma (Bound effect) (Only B V(α) change value)

ω ∈ [ [α] ](X) iff ω ∈ [ [α] ](X↓ω(B

V(α)∁))

X X↓ω

[ [α] ](X↓ω(B V(α)∁))

ω α α

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 17 / 20

Uniform Substitution

Theorem (Soundness) replace all occurrences of p(·)

US φ σφ provided FV(σ|Σ(θ)) ∩ BV(⊗(·)) = ∅ for each operation ⊗(θ) in φ i.e. bound variables U = BV(⊗(·)) of operator ⊗ are not free in the substitution on its argument θ (U-admissible) “If you bind a free variable, you go to logic jail!” Uniform substitution σ replaces all occurrences of p(θ) for any θ by ψ(θ) function symb. f (θ) for any θ by η(θ) game symbol a by α Modular interface: Prover vs. Logic

US

a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) v := v + 1 ∪ x′ = vx > 0 ↔ v := v + 1x > 0 ∨ x′ = vx > 0

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 18 / 20

Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid games relative to any (differentially) expressive1logic L. ϕ iff TautL ⊢ ϕ TOCL’15

1∀ϕ ∈ dGL ∃ϕ♭ ∈ L

ϕ ↔ ϕ♭ x′ = θG ↔ (x′ = θG)♭ provable for G ∈ L

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 19 / 20

Uniform Substitution for Differential Game Logic

differential game logic

dGL = GL + HG = dL + d αφ φ Uniform substitution for hybrid games Compositional PL + logic Sound & rel. complete axiomatization Modular: Logic Prover Straightforward to implement (+10 LOC) Transfinite induction No transition relation Not conservative: [α∗]φ ↔ φ ∧ [α∗; α]φ

d i s c r e t e c

• n

t i n u

• u

s nondet stochastic a d v e r s a r i a l

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 20 / 20

• A. Platzer. Logical Foundations of Cyber-Physical Systems. Springer 2018

I Part: Elementary Cyber-Physical Systems

• 1. Differential Equations & Domains
• 2. Choice & Control
• 3. Safety & Contracts
• 4. Dynamical Systems & Dynamic Axioms
• 5. Truth & Proof
• 6. Control Loops & Invariants
• 7. Events & Responses
• 8. Reactions & Delays

II Part: Differential Equations Analysis

• 9. Differential Equations & Differential Invariants
• 10. Differential Equations & Proofs
• 11. Ghosts & Differential Ghosts
• 12. Differential Invariants & Proof Theory

III Part: Adversarial Cyber-Physical Systems 13-16. Hybrid Systems & Hybrid Games IV Part: Comprehensive CPS Correctness

1

Logical Foundations of Cyber-Physical Systems

André Platzer

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 21 / 20

Andr´ e Platzer. Uniform substitution for differential game logic. In Didier Galmiche, Stephan Schulz, and Roberto Sebastiani, editors, IJCAR, volume 10900 of LNCS, pages 211–227. Springer, 2018. doi:10.1007/978-3-319-94205-6_15. Andr´ e Platzer. Differential game logic. ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015. doi:10.1145/2817824. Andr´ e Platzer. Differential hybrid games. ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017. doi:10.1145/3091123. Andr´ e Platzer. A uniform substitution calculus for differential dynamic logic. In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 of LNCS, pages 467–481, Berlin, 2015. Springer.

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 21 / 20

doi:10.1007/978-3-319-21401-6_32. Andr´ e Platzer. Logical Foundations of Cyber-Physical Systems. Springer, Switzerland, 2018. URL: http://www.springer.com/978-3-319-63587-3, doi:10.1007/978-3-319-63588-0.

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 22 / 20

Differential Game Logic: Axiomatization

Axiom = one formula Infinite axiom schema [a]p(¯ x) ↔ ¬a¬p(¯ x) x := f p(x) ↔ p(f ) x′ = f p(x) ↔ ∃t≥0 x := x + ftp(x) ?qp ↔ (q ∧ p) a ∪ bp(¯ x) ↔ ap(¯ x) ∨ bp(¯ x) a; bp(¯ x) ↔ abp(¯ x) a∗p(¯ x) ↔ p(¯ x) ∨ aa∗p(¯ x) adp(¯ x) ↔ ¬a¬p(¯ x) [·] [α]φ ↔ ¬α¬φ := x := θφ ↔ φ(θ) ′ x′ = θφ ↔ ∃t≥0 x := y(t)φ ? ?ψφ ↔ (ψ ∧ φ) ∪ α ∪ βφ ↔ αφ ∨ βφ ; α; βφ ↔ αβφ ∗ α∗φ ↔ φ ∨ αα∗φ d αdφ ↔ ¬α¬φ IJCAR’18 TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 22 / 20

Differential Game Logic: Axiomatization

c⊤ uniformly substitutes to ?φ⊤ alias φ [a]c⊤ ↔ ¬a¬c⊤ x := f p(x) ↔ p(f ) x′ = f p(x) ↔ ∃t≥0 x := x + ftp(x) ?qp ↔ (q ∧ p) a ∪ bc⊤ ↔ ac⊤ ∨ bc⊤ a; bc⊤ ↔ abc⊤ a∗c⊤ ↔ c⊤ ∨ aa∗c⊤ adc⊤ ↔ ¬a¬c⊤ [·] [α]φ ↔ ¬α¬φ := x := θφ ↔ φ(θ) ′ x′ = θφ ↔ ∃t≥0 x := y(t)φ ? ?ψφ ↔ (ψ ∧ φ) ∪ α ∪ βφ ↔ αφ ∨ βφ ; α; βφ ↔ αβφ ∗ α∗φ ↔ φ ∨ αα∗φ d αdφ ↔ ¬α¬φ IJCAR’18 TOCL’15

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 22 / 20

Axiom Schemata Need Side Conditions: Solving ODEs

′ x′ = θφ ↔ ∃t≥0 x := y(t)φ Axiom schema with side conditions:

1 Occurs check: t fresh 2 Solution check: y(·) solves the ODE y′(t) = θ

with x(·) plugged in for x in term θ

3 Initial value check: y(·) solves the symbolic IVP y(0) = x 4 x(·) covers all solutions parametrically 5 x′ cannot occur free in φ

Quite nontrivial soundness-critical algorithms . . .

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 23 / 20

Static Semantics

F V(θ) =

• x ∈ V : ∃I, ω, ˜

ω such that ω = ˜ ω on {x}∁ and ω[ [θ] ] = ˜ ω[ [θ] ]

• F

V(φ) =

• x ∈ V : ∃I, ω, ˜

ω such that ω = ˜ ω on {x}∁ and ω ∈ [ [φ] ] ∋ ˜ ω

• F

V(α) =

• x ∈ V : ∃I, ω, ˜

ω, X with ω = ˜ ω on {x}∁, ω ∈ [ [α] ](X↑{x}∁) ∋ ˜ ω

• B

V(α) =

• x ∈ V : ∃I, ω, X such that [

[α] ](X) ∋ ω ∈ [ [α] ](X↓ω({x}))

• Andr´

e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 24 / 20

Soundness of Uniform Substitutions

“Syntactic uniform substitution = semantic replacement”

Lemma (Uniform substitution lemma)

Uniform substitution σ and adjoint σ∗

ωI to σ for I, ω have same semantics:

Iω[ [σθ] ] = σ∗

ωIω[

[θ] ] ω ∈ [ [σφ] ] iff ω ∈ [ [φ] ] ω ∈ I[ [σα] ](X) iff ω ∈ σ∗

ωI[

[α] ](X) θ σθ Iω[ [σθ] ] σ∗

ωIω[

[θ] ] σ σ∗

ωI

I

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 25 / 20

Uniform Substitution of Rules

Theorem (Soundness) (FV(σ) = ∅)

φ1 . . . φn ψ locally sound implies σφ1 . . . σφn σψ locally sound

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 26 / 20

Uniform Substitution of Rules

Theorem (Soundness) (FV(σ) = ∅)

φ1 . . . φn ψ locally sound implies σφ1 . . . σφn σψ locally sound

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 26 / 20

Uniform Substitution of Rules

Theorem (Soundness) (FV(σ) = ∅)

φ1 . . . φn ψ locally sound implies σφ1 . . . σφn σψ locally sound Locally sound The conclusion is valid in any interpretation I in which the premises are.

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 26 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω x := θ ωω[

[θ] ] x

x := θ

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω x′ = θ & q ϕ(r) r ϕ(t) t ϕ(0)

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω ?q I, ω ?q ω ∈ [ [q] ]

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω α ∪ β I, ω tκ β tj β t1 β right I, ω sλ α si α s1 α left

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω α; β tλ rλ1

λ

β rj

λ

β r1

λ

β α ti rλi

i

β r1

i

β α t1 rλ1

1

β rj

1

β r1

1

β α

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω α∗ I, ω α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α α α r e p e a t stop α α α r e p e a t stop α r e p e a t stop α repeat I, ω stop

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20

Differential Game Logic: Operational Semantics

Definition (Hybrid game α: operational semantics)

I, ω α t0 tκ tj t1 s0 sλ si s1 I, ω αd t0 tκ tj t1 s0 sλ si s1

d

Andr´ e Platzer (CMU) Uniform Substitution for Differential Game Logic IJCAR’18 27 / 20