Uniform Substitution At One Fell Swoop
André Platzer
In Shakespeare’s 1611 play, “at one fell swoop” was likened to thesuddenness with which a bird of prey fiercely attacks a whole nest at once.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
Outline1 Motivation
Parsimonious Hybrid Game ProofsFoundation for Verification
2 Differential Game LogicSyntaxExample: Push-around CartDenotational Semantics
3 Uniform SubstitutionApplicationUniform Substitution LemmaUniform Substitution of RulesStatic SemanticsAxiomsDifferential Hybrid Games
4 Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
Outline1 Motivation
Parsimonious Hybrid Game ProofsFoundation for Verification
2 Differential Game LogicSyntaxExample: Push-around CartDenotational Semantics
3 Uniform SubstitutionApplicationUniform Substitution LemmaUniform Substitution of RulesStatic SemanticsAxiomsDifferential Hybrid Games
4 Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 1 / 23
CPS Analysis: Robot Control
Challenge (Hybrid Systems)
Fixed rule describing stateevolution with both
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
2 4 6 8 10t
-0.8
-0.6
-0.4
-0.2
0.2
a
2 4 6 8 10t
0.2
0.4
0.6
0.8
1.0
v
2 4 6 8 10t
2
4
6
8
p
px
py
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 2 / 23
CPS Analysis: Robot Control
Challenge (Games)
Game rules describing playevolution with both
Angelic choices(player Angel)
Demonic choices(player Demon)
0,0
2,1
1,2
3,1
\ Tr PlTrash 1,2 0,0Plant 0,0 2,1
8rmbl0skZ7ZpZ0ZpZ060Zpo0ZpZ5o0ZPo0Zp4PZPZPZ0O3Z0Z0ZPZ020O0J0ZPZ1SNAQZBMR
a b c d e f g h
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 3 / 23
CPS Analysis: Robot Control
Challenge (Hybrid Games)
Game rules describing playevolution with
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
Adversarial dynamics(Angel vs. Demon )
2 4 6 8 10t
-0.6
-0.4
-0.2
0.2
0.4
a
2 4 6 8 10t
0.2
0.4
0.6
0.8
1.0
1.2
v
2 4 6 8 10t
1
2
3
4
5
6
7
p
px
py
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 4 / 23
CPS Analysis: RoboCup Soccer
Challenge (Hybrid Games)
Game rules describing playevolution with
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
Adversarial dynamics(Angel vs. Demon )
2 4 6 8 10t
-0.6
-0.4
-0.2
0.2
0.4
a
2 4 6 8 10t
-1.0
-0.5
0.5
Ω
2 4 6 8 10t
-0.5
0.5
1.0
d
dx
dy
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 5 / 23
Foundation for Verification−−−−−−−−−→
Foun
datio
nfo
r−−−−−−−−−→ FOL Functional Language Imperative Language
Formula Functional program Imperative program/game
Predicate calculus Function calculus Program calculus
Subst + rename α,β ,η-conversion USubst + rename
Functional
α-conversion for bound variablesβ -reduction capture-avoiding subst.η-conversion versus free variables
Imperative
Uniform substitution replacespredicate/function/program sym.mindful of free/bound variables
Substitution is fundamental but subtle. Henkin wants it banished!
Now: Make USubst even more subtle, but faster, and still sound.
Beware: Imperative free and bound variables may overlap!
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 6 / 23
KeYmaera X Microkernel for Soundness 1 700 LOC
0
25,000
50,000
75,000
100,000
KeYm
aera
XKe
Ymae
raKe
YNu
prl
Met
aPRL
Isab
elle
/Pur
eCo
qHO
L Li
ght
PHAV
erHS
olve
rSp
aceE
xCo
raFl
ow*
dRea
lHy
Crea
te2
1,652
Games:months
minutes
Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Experiments
Church checks exponentially (sometimes & in unoptimized implementations)
0
10000
20000
30000
40000
0 20 40 60 80
Church One-pass
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Experiments
Church checks quadratically (invasive space-time tradeoff optimizations)
0
225
450
675
900
0 550 1100 1650 2200
y = 3.596E-5x2 - 0.0107x + 2.4344
y = 0.0002x2 - 0.0409x + 10.772Church-opt One-pass
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Outline1 Motivation
Parsimonious Hybrid Game ProofsFoundation for Verification
2 Differential Game LogicSyntaxExample: Push-around CartDenotational Semantics
3 Uniform SubstitutionApplicationUniform Substitution LemmaUniform Substitution of RulesStatic SemanticsAxiomsDifferential Hybrid Games
4 Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 7 / 23
Differential Game Logic: Syntax
Definition (Hybrid game α)
a | x := θ | ?q | x ′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ )
p(θ1, . . . ,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | 〈α〉φ | [α]φ
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
GameSymb.
AngelWins
DemonWins
TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Differential Game Logic: Syntax
Definition (Hybrid game α)
a | x := θ | ?q | x ′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ )
p(θ1, . . . ,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | 〈α〉φ | [α]φ
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
GameSymb.
AngelWins
DemonWins
TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Differential Game Logic: Syntax
Definition (Hybrid game α)
a | x := θ | ?q | x ′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ )
p(θ1, . . . ,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | 〈α〉φ | [α]φ
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
GameSymb.
AngelWins
DemonWins
TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Differential Game Logic: Syntax
Definition (Hybrid game α)
a | x := θ | ?q | x ′ = θ | α ∪β | α;β | α∗ | αd
Definition (dGL Formula φ )
p(θ1, . . . ,θn) | θ ≥ η | ¬φ | φ ∧ψ | ∀x φ | ∃x φ | 〈α〉φ | [α]φ
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
GameSymb.
AngelWins
DemonWins
TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 8 / 23
Example: Push-around Cart
xv
d a
v ≥ 1→
d before a can compensate
[((d := 1∪d :=−1)d ; (a := 1∪a :=−1);x ′ = v ,v ′ = a + d
)∗]v ≥ 0
⟨(
(d := 1∩d :=−1); (a := 1∪a :=−1); a := d then a := signv
t := 0; x ′ = v ,v ′ = a + d , t ′ = 1& t ≤ 1)∗⟩x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1∩d :=−1); (a := 1∪a :=−1);x ′ = v ,v ′ = a + d
)∗]v ≥ 0
⟨(
(d := 1∩d :=−1); (a := 1∪a :=−1); a := d then a := signv
t := 0; x ′ = v ,v ′ = a + d , t ′ = 1& t ≤ 1)∗⟩x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1∩d :=−1); (a := 1∪a :=−1);x ′ = v ,v ′ = a + d
)∗]v ≥ 0
⟨((d := 1∩d :=−1); (a := 1∪a :=−1);
a := d then a := signv
t := 0; x ′ = v ,v ′ = a + d , t ′ = 1& t ≤ 1)∗⟩x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1∩d :=−1); (a := 1∪a :=−1);x ′ = v ,v ′ = a + d
)∗]v ≥ 0
⟨(
(d := 1∩d :=−1); (a := 1∪a :=−1); a := d then a := signv
t := 0; x ′ = v ,v ′ = a + d , t ′ = 1& t ≤ 1)∗⟩x2 ≥ 100
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 9 / 23
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α) [[·]] : HG→ (℘(S)→℘(S))
[[x := θ ]](X)
= ω ∈S : ωω[[θ ]]x ∈ X
[[x ′ = θ ]](X)
= ϕ(0) ∈S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ ) = ϕ(ζ )[[θ ]] for all ζ
[[?q]](X)
= [[q]]∩X[[α ∪β ]]
(X)
= [[α]](X)∪ [[β ]]
(X)
[[α;β ]](X)
= [[α]]([[β ]](X))
[[α∗]](X)
=⋂Z ⊆S : X ∪ [[α]]
(Z)⊆ Z
[[αd ]](X)
= ([[α]](X ))
Definition (dGL Formula φ ) [[·]] : Fml→℘(S)[[θ ≥ η]] = ω ∈S : ω[[θ ]]≥ ω[[η]][[¬φ ]] = ([[φ ]])
[[φ ∧ψ]] = [[φ ]]∩ [[ψ]][[〈α〉φ ]] = [[α]]
([[φ ]])
[[[α]φ ]] = [[α]]([[φ ]]
)
WinningRegion
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 10 / 23
Differential Game Logic: Denotational Semantics
X
[[x := θ ]](X)
Xx′ =
θ
[[x ′ = θ ]](X)
X
[[q]]
[[?q]](X)
[[α]](X )
[[β]]( X) X[[α ∪β ]]
(X)
[[α]]([[β ]](X))
[[β ]](X)
X
[[α;β ]](X)
[[α]]([[α∗]]
(X))\ [[α∗]]
(X) /0
[[α]]∞(X) ··· [[α]]3(X) [[α]]2(X) [[α]](X) X
[[α∗]](X) X
X
[[α]](X )[[α]]
(X ) [[αd ]]
(X)
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 11 / 23
Outline1 Motivation
Parsimonious Hybrid Game ProofsFoundation for Verification
2 Differential Game LogicSyntaxExample: Push-around CartDenotational Semantics
3 Uniform SubstitutionApplicationUniform Substitution LemmaUniform Substitution of RulesStatic SemanticsAxiomsDifferential Hybrid Games
4 Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 12 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σφ
provided FV(σ |Σ(θ))∩BV(⊗(·)) = /0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗are free in the substitution on its argument θ (U-admissible)
US〈a∪b〉p(x)↔ 〈a〉p(x)∨〈b〉p(x)
〈v := v + 1∪ x ′ = v〉x > 0↔ 〈v := v + 1〉x > 0∨〈x ′ = v〉x > 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σφ
provided FV(σ |Σ(θ))∩BV(⊗(·)) = /0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗are free in the substitution on its argument θ (U-admissible)
〈v := f 〉p(v)↔ p(f )
〈v :=−x〉〈x ′ = v〉x ≥ 0↔ 〈x ′ =−x〉x ≥ 0
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σφ
provided FV(σ |Σ(θ))∩BV(⊗(·)) = /0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗are free in the substitution on its argument θ (U-admissible)
If you bind a free variable, you go to logic jail!
Modular interface:Prover vs. Logic
〈v := f 〉p(v)↔ p(f )
〈v :=−x〉〈x ′ = v〉x ≥ 0↔ 〈x ′ =−x〉x ≥ 0Clash
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σφ
provided FV(σ |Σ(θ))∩BV(⊗(·)) = /0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗are free in the substitution on its argument θ (U-admissible)
If you bind a free variable, you go to logic jail!
Modular interface:Prover vs. Logic
〈x ′ = f (x),y ′ = a(x)y〉x ≥ 1↔ 〈x ′ = f (x)〉x ≥ 1
〈x ′ = x2,y ′ = zyy〉x ≥ 1↔ 〈x ′ = x2〉x ≥ 1
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σφ
provided FV(σ |Σ(θ))∩BV(⊗(·)) = /0 for each operation ⊗(θ) in φ
i.e. bound variables U = BV(⊗(·)) of no operator ⊗are free in the substitution on its argument θ (U-admissible)
If you bind a free variable, you go to logic jail!
Modular interface:Prover vs. Logic
〈x ′ = f (x),y ′ = a(x)y〉x ≥ 1↔ 〈x ′ = f (x)〉x ≥ 1
〈x ′ = x2,y ′ = zyy〉x ≥ 1↔ 〈x ′ = x2〉x ≥ 1Clash
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 13 / 23
Uniform Substitution Application: Church-styleσ(f (θ)) = (σ f )(σθ)
def= · 7→ σθσ f (·)
σ(θ + η) = σθ + ση
σ((θ)′) = (σθ)′ if σ V-admissible for θ
σ(p(θ)) = (σp)(σθ)σ(φ ∧ψ) = σφ ∧σψ
σ(∀x φ) = ∀x σφ if σ x-admissible for φ
σ(〈α〉φ) = 〈σα〉σφ if σ BV(σα)-admissible for φ
σ(a) = σaσ(x := θ) = x := σθ
σ(x ′ = θ &q) = x ′ = σθ &σq if σ x ,x ′-admissible for θ ,qσ(α ∪β ) = σα ∪σβ
σ(α;β ) = σα;σβ if σ BV(σα)-admissible for β
σ(α∗) = (σα)∗ if σ BV(σα)-admissible for α
σ(αd ) = (σα)d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 14 / 23
Uniform Substitution Application: Church-styleσ(f (θ)) = (σ f )(σθ)
def= · 7→ σθσ f (·)
σ(θ + η) = σθ + ση
σ((θ)′) = (σθ)′ if σ V-admissible for θ
σ(p(θ)) = (σp)(σθ)σ(φ ∧ψ) = σφ ∧σψ
σ(∀x φ) = ∀x σφ if σ x-admissible for φ
σ(〈α〉φ) = 〈σα〉σφ if σ BV(σα)-admissible for φ
σ(a) = σaσ(x := θ) = x := σθ
σ(x ′ = θ &q) = x ′ = σθ &σq if σ x ,x ′-admissible for θ ,qσ(α ∪β ) = σα ∪σβ
σ(α;β ) = σα;σβ if σ BV(σα)-admissible for β
σ(α∗) = (σα)∗ if σ BV(σα)-admissible for α
σ(αd ) = (σα)d
IdeaCheck side conditions at each operatoragain where soundness demands it.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 14 / 23
Uniform Substitution Application: One-pass with Taboo UσU(f (θ)) = (σU f )(σUθ)
def= · 7→ σUθ /0
σ f (·) if FV(σ f (·))∩U = /0σU(θ + η) = σUθ + σUη
σU((θ)′) = (σVθ)′
σU(p(θ)) = (σUp)(σUθ) if FV(σp(·))∩U = /0σU(φ ∧ψ) = σUφ ∧σUψ
σU(∀x φ) = ∀x σU∪xφσU(〈α〉φ) = 〈σU
V α〉σV φ
σUU∪BV(σa)(a) = σa
σUU∪x(x := θ) = x := σUθ
σUU∪x ,x ′(x ′ = θ &q) = (x ′ = σU∪x ,x ′θ &σU∪x ,x ′q)
σUV∪W (α ∪β ) = σU
V α ∪σUW β
σUW (α;β ) = σU
V α;σVW β
σUV (α∗) = (σV
V α)∗ where σU
V α definedσU
V (αd ) = (σUV α)d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
Uniform Substitution Application: One-pass with Taboo UσU(f (θ)) = (σU f )(σUθ)
def= · 7→ σUθ /0
σ f (·) if FV(σ f (·))∩U = /0σU(θ + η) = σUθ + σUη
σU((θ)′) = (σVθ)′
σU(p(θ)) = (σUp)(σUθ) if FV(σp(·))∩U = /0σU(φ ∧ψ) = σUφ ∧σUψ
σU(∀x φ) = ∀x σU∪xφσU(〈α〉φ) = 〈σU
V α〉σV φ
σUU∪BV(σa)(a) = σa
σUU∪x(x := θ) = x := σUθ
σUU∪x ,x ′(x ′ = θ &q) = (x ′ = σU∪x ,x ′θ &σU∪x ,x ′q)
σUV∪W (α ∪β ) = σU
V α ∪σUW β
σUW (α;β ) = σU
V α;σVW β
σUV (α∗) = (σV
V α)∗ where σU
V α definedσU
V (αd ) = (σUV α)d
output
input
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
Uniform Substitution Application: One-pass with Taboo UσU(f (θ)) = (σU f )(σUθ)
def= · 7→ σUθ /0
σ f (·) if FV(σ f (·))∩U = /0σU(θ + η) = σUθ + σUη
σU((θ)′) = (σVθ)′
σU(p(θ)) = (σUp)(σUθ) if FV(σp(·))∩U = /0σU(φ ∧ψ) = σUφ ∧σUψ
σU(∀x φ) = ∀x σU∪xφσU(〈α〉φ) = 〈σU
V α〉σV φ
σUU∪BV(σa)(a) = σa
σUU∪x(x := θ) = x := σUθ
σUU∪x ,x ′(x ′ = θ &q) = (x ′ = σU∪x ,x ′θ &σU∪x ,x ′q)
σUV∪W (α ∪β ) = σU
V α ∪σUW β
σUW (α;β ) = σU
V α;σVW β
σUV (α∗) = (σV
V α)∗ where σU
V α definedσU
V (αd ) = (σUV α)d
IdeaLinear homomorphic pass postponing admissibility.Recover with taboos at replacements.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 15 / 23
Uniform Substitution
Theorem (Soundness) replace all occurrences of p(·)
USφ
σ /0φ
provided σ /0φ is defined
If you bind a free variable, you go to logic jail!
Such a clash can only happen with taboos U arising while forming σ /0φ
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 16 / 23
Soundness of Uniform Substitutions
“Syntactic uniform substitution = semantic replacement”
Lemma (Uniform substitution lemma)Uniform substitution σ and adjoint σ∗ω I to σ for I,ω have the same semanticsfor all ν such that ν = ω except on U:
Iν[[σUθ ]] = σ
∗ω Iν[[θ ]]
ν ∈ I[[σUφ ]] iff ν ∈ σ
∗ω I[[φ ]]
ν ∈ I[[σUV α]]
(X)
iff ν ∈ σ∗ω I[[α]]
(X)
Induction lexicographically on σ and φ + α simultaneously,with nested induction over closure ordinal, simultaneously for all ν ,ω,U,X
θ σθ Iν[[σθ ]]
σ∗ω Iν[[θ ]]
σ
σ∗ω I
I
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 17 / 23
Uniform Substitution of Rules
Theorem (Soundness)
φ1 . . . φn
ψlocally sound implies
σVφ1 . . . σVφn
σVψlocally sound
Locally sound
The conclusion is valid in any interpretation in which the premises are.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 18 / 23
Static SemanticsLemma (Coincidence for formulas) (Only FV(φ) determine truth)
If ω=ω on FV(φ) then: ω ∈ [[φ ]] iff ω ∈ [[φ ]]
Lemma (Coincidence for games) (Only FV(α) determine victory)
If ω=ω on V⊇FV(α) then:ω ∈ [[α]]
(X↑V
)iff ω ∈ [[α]]
(X↑V
)X↑V
X[[α]](X)ω
ω
on V ⊇ FV(α)
α
α
Lemma (Bound effect) (Only BV(α) change value)
ω ∈ [[α]](X)
iff ω ∈ [[α]](X↓ω(BV(α))
)X
X↓ω
[[α]](X↓ω(BV(α)
))
ωα
α
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 20 / 23
Differential Game Logic: Axiomatization
Axiom = one formula Infinite axiom schema
[a]p(x)↔¬〈a〉¬p(x)
〈x := f 〉p(x)↔ p(f )
〈x ′ = f 〉p(x)↔∃t≥0〈x := x + ft〉p(x)
〈?q〉p↔ (q∧p)
〈a∪b〉p(x)↔ 〈a〉p(x)∨〈b〉p(x)
〈a;b〉p(x)↔ 〈a〉〈b〉p(x)
〈a∗〉p(x)↔ p(x)∨〈a〉〈a∗〉p(x)
〈ad〉p(x)↔¬〈a〉¬p(x)
[·] [α]φ ↔¬〈α〉¬φ
〈:=〉 〈x := θ〉φ ↔ φ θx
〈′〉 〈x ′ = θ〉φ ↔∃t≥0〈x := y(t)〉φ
〈?〉 〈?ψ〉φ ↔ (ψ ∧φ)
〈∪〉 〈α ∪β 〉φ ↔ 〈α〉φ ∨〈β 〉φ
〈;〉 〈α;β 〉φ ↔ 〈α〉〈β 〉φ
〈∗〉 〈α∗〉φ ↔ φ ∨〈α〉〈α∗〉φ
〈d〉 〈αd〉φ ↔¬〈α〉¬φ
IJCAR’18 TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
Differential Game Logic: Axiomatization
Axiom = one formula Infinite axiom schema
[a]〈c〉>↔ ¬〈a〉¬〈c〉>
〈x := f 〉〈c〉>↔ ∃x (x = f ∧〈c〉>)
〈x ′ = f 〉p(x)↔∃t≥0〈x := x + ft〉p(x)
〈?q〉p↔ (q∧p)
〈a∪b〉〈c〉>↔ 〈a〉〈c〉>∨〈b〉〈c〉>
〈a;b〉〈c〉>↔ 〈a〉〈b〉〈c〉>
〈a∗〉〈c〉>↔ 〈c〉>∨〈a〉〈a∗〉〈c〉>
〈ad〉〈c〉>↔ ¬〈a〉¬〈c〉>
[·] [α]φ ↔¬〈α〉¬φ
〈:=〉 〈x := θ〉φ ↔ φ θx
〈′〉 〈x ′ = θ〉φ ↔∃t≥0〈x := y(t)〉φ
〈?〉 〈?ψ〉φ ↔ (ψ ∧φ)
〈∪〉 〈α ∪β 〉φ ↔ 〈α〉φ ∨〈β 〉φ
〈;〉 〈α;β 〉φ ↔ 〈α〉〈β 〉φ
〈∗〉 〈α∗〉φ ↔ φ ∨〈α〉〈α∗〉φ
〈d〉 〈αd〉φ ↔¬〈α〉¬φ
CADE’19 TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
Differential Game Logic: Axiomatization〈c〉> uniformly substitutes to 〈?φ〉> alias φ
[a]〈c〉>↔ ¬〈a〉¬〈c〉>
〈x := f 〉〈c〉>↔ ∃x (x = f ∧〈c〉>)
〈x ′ = f 〉p(x)↔∃t≥0〈x := x + ft〉p(x)
〈?q〉p↔ (q∧p)
〈a∪b〉〈c〉>↔ 〈a〉〈c〉>∨〈b〉〈c〉>
〈a;b〉〈c〉>↔ 〈a〉〈b〉〈c〉>
〈a∗〉〈c〉>↔ 〈c〉>∨〈a〉〈a∗〉〈c〉>
〈ad〉〈c〉>↔ ¬〈a〉¬〈c〉>
[·] [α]φ ↔¬〈α〉¬φ
〈:=〉 〈x := θ〉φ ↔ φ θx
〈′〉 〈x ′ = θ〉φ ↔∃t≥0〈x := y(t)〉φ
〈?〉 〈?ψ〉φ ↔ (ψ ∧φ)
〈∪〉 〈α ∪β 〉φ ↔ 〈α〉φ ∨〈β 〉φ
〈;〉 〈α;β 〉φ ↔ 〈α〉〈β 〉φ
〈∗〉 〈α∗〉φ ↔ φ ∨〈α〉〈α∗〉φ
〈d〉 〈αd〉φ ↔¬〈α〉¬φ
CADE’19 TOCL’15André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 21 / 23
Uniform Substitution for Differential Hybrid Games
avoid obstacleschanging windlocal turbulencex ′ = f (x ,y ,z)
TOCL’17André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
Uniform Substitution for Differential Hybrid Games
avoid obstacleschanging windlocal turbulencex ′ = f (x ,y ,z)
TOCL’17André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
Outline1 Motivation
Parsimonious Hybrid Game ProofsFoundation for Verification
2 Differential Game LogicSyntaxExample: Push-around CartDenotational Semantics
3 Uniform SubstitutionApplicationUniform Substitution LemmaUniform Substitution of RulesStatic SemanticsAxiomsDifferential Hybrid Games
4 Summary
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 22 / 23
Uniform Substitution At One Fell Swoop
differential game logic
dGL = GL + HG = dL + d 〈α〉ϕϕ
Faster sound uniform substitution
Replace all at once, check all at once
Modular: Logic ‖ Prover
Isabelle/HOL formalization 3,500 lines
Sound & rel. complete axiomatization
Sound for differential hybrid games
Future: Benefit from USubst elsewhere
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 23 / 23
A. Platzer. Logical Foundations of Cyber-Physical Systems. Springer 2018
I Part: Elementary Cyber-Physical Systems
2. Differential Equations & Domains
3. Choice & Control
4. Safety & Contracts
5. Dynamical Systems & Dynamic Axioms
6. Truth & Proof
7. Control Loops & Invariants
8. Events & Responses
9. Reactions & Delays
II Part: Differential Equations Analysis
10. Differential Equations & Differential Invariants
11. Differential Equations & Proofs
12. Ghosts & Differential Ghosts
13. Differential Invariants & Proof Theory
III Part: Adversarial Cyber-Physical Systems
14-17. Hybrid Systems & Hybrid Games
IV Part: Comprehensive CPS Correctness
Logical Foundations of Cyber-Physical Systems
André Platzer
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 24 / 23
Foundation for Verification−−−−−−−−−→
Foun
datio
nfo
r−−−−−−−−−→ FOL Functional Language Imperative Language
Formula Functional program Imperative program/game
Predicate calculus Function calculus Program calculus
Subst + rename α,β ,η-conversion USubst + rename
Functional
α-conversion for bound variablesβ -reduction capture-avoiding subst.η-conversion versus free variables
Imperative
Uniform substitution replacespredicate/function/program sym.mindful of free/bound variables
Substitution is fundamental but subtle. Henkin wants it banished!
Now: Make USubst even more subtle, but faster, and still sound.
Beware: Imperative free and bound variables may overlap!
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
André Platzer.Uniform substitution at one fell swoop.In Pascal Fontaine, editor, CADE, volume 11716 of LNCS, pages425–441. Springer, 2019.doi:10.1007/978-3-030-29436-6_25.
André Platzer.Uniform substitution for differential game logic.In Didier Galmiche, Stephan Schulz, and Roberto Sebastiani, editors,IJCAR, volume 10900 of LNCS, pages 211–227. Springer, 2018.doi:10.1007/978-3-319-94205-6_15.
André Platzer.Differential game logic.ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015.doi:10.1145/2817824.
André Platzer.Differential hybrid games.ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017.doi:10.1145/3091123.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
André Platzer.Logical Foundations of Cyber-Physical Systems.Springer, Cham, 2018.URL: http://www.springer.com/978-3-319-63587-3,doi:10.1007/978-3-319-63588-0.
André Platzer.A complete uniform substitution calculus for differential dynamic logic.J. Autom. Reas., 59(2):219–265, 2017.doi:10.1007/s10817-016-9385-1.
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
Outline
5 AppendixODE SchemaStatic SemanticsOperational SemanticsCompleteness
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 25 / 23
Axiom Schemata Need Side Conditions: Solving ODEs
〈′〉 〈x ′ = θ〉φ ↔∃t≥0〈x := y(t)〉φ
Axiom schema with side conditions:1 Occurs check: t fresh2 Solution check: y(·) solves the ODE y ′(t) = θ
with x(·) plugged in for x in term θ
3 Initial value check: y(·) solves the symbolic IVP y(0) = x4 x(·) covers all solutions parametrically5 x ′ cannot occur free in φ
Quite nontrivial soundness-critical algorithms . . .
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 26 / 23
Static Semantics
FV(θ) =
x ∈ V : ∃,ω, ω such that ω = ω on x and ω[[θ ]] 6= ω[[θ ]]
FV(φ) =
x ∈ V : ∃,ω, ω such that ω = ω on x and ω ∈ [[φ ]] 63 ω
FV(α) =
x ∈ V : ∃,ω, ω,X with ω = ω on x, ω ∈ [[α]](X↑x
)63 ω
BV(α) =
x ∈ V : ∃,ω,X such that [[α]]
(X)3 ω 6∈ [[α]]
(X↓ω(x)
)
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 27 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Differential Game Logic: Operational SemanticsDefinition (Hybrid game α : operational semantics)
ω
x := θ
ωω[[θ ]]x
x:=
θ
ω
x ′ = θ &q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
ω
?q
ω
?q ω ∈ [[q]]
ω
α ∪β
ω
tκ
β
tj
β
t1
β
right
ω
sλ
α
si
α
s1
α
left
ω
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
ω
α∗
ω
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
α
repeatstop
α
...
α
...
α
repeatstop
α
...
α
...
α
repeatstop
αrepeatst
op
α
repeat
ω
stop
ω
α
t0
tκtjt1
s0
sλsis1
ω
αd
t0
tκtjt1
s0
sλsis1
d
André Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 28 / 23
Soundness & Completeness
Theorem (Completeness)dGL calculus is a sound & complete axiomatization relative to any(differentially) expressive1logic L.
ϕ iff TautL ` ϕ
TOCL’15
1∀ϕ ∈ dGL ∃ϕ[ ∈ L ϕ ↔ ϕ[
〈x ′ = θ〉G↔ (〈x ′ = θ〉G)[ provable for G ∈ LAndré Platzer (CMU) Uniform Substitution At One Fell Swoop CADE’19 29 / 23