Differential Game Logic - AVACS · Contributions Logical foundations for hybrid games 1 Compositional programming language for hybrid games 2 Compositional logic and proof calculus

Differential Game Logic

Andre Platzer

[email protected]

Computer Science DepartmentCarnegie Mellon University, Pittsburgh, PA

0.20.4

0.60.8

1.00.1

0.2

0.3

0.4

0.5

Andre Platzer (CMU) Differential Game Logic TOCL’15 1 / 26

Outline

1 CPS Applications

2 Differential Game LogicDifferential Hybrid GamesDenotational SemanticsDeterminacy

3 Proofs for CPSAxiomatizationSoundness and CompletenessCorollariesSeparating Axioms

4 Expressiveness

5 Summary


http://symbolaris.com/andre.html

Can you trust a computer to control physics?

Rationale1 Safety guarantees require analytic foundations.

2 Foundations revolutionized digital computer science & our society.

3 Need even stronger foundations when software reaches out into ourphysical world.

How can we provide people with cyber-physical systems they can bet theirlives on? — Jeannette Wing

Cyber-physical Systems

CPS combine cyber capabilities with physical capabilities to solve problemsthat neither part could solve alone.


Can you trust a computer to control physics?

Rationale1 Safety guarantees require analytic foundations.

2 Foundations revolutionized digital computer science & our society.

3 Need even stronger foundations when software reaches out into ourphysical world.

How can we provide people with cyber-physical systems they can bet theirlives on? — Jeannette Wing

Cyber-physical Systems

CPS combine cyber capabilities with physical capabilities to solve problemsthat neither part could solve alone.


Outline

1 CPS Applications



4 Expressiveness

5 Summary



CPS Analysis: Robot Control

Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both

Discrete dynamics(control decisions)

Continuous dynamics(differential equations)

2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

v

2 4 6 8 10t

2

4

6

8

p

px

py




Challenge (Hybrid Systems)

Fixed rule describing stateevolution with both



2 4 6 8 10t

-0.8

-0.6

-0.4

-0.2

0.2

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy




Challenge (Games)

Game rules describing playevolution with both

Angelic choices(player Angel)

Demonic choices(player Demon)

0,0

2,1

1,2

3,1

\ Tr Pl

Trash 1,2 0,0Plant 0,0 2,1

8 rmbl0skZ7 ZpZ0ZpZ06 0Zpo0ZpZ5 o0ZPo0Zp4 PZPZPZ0O3 Z0Z0ZPZ02 0O0J0ZPZ1 SNAQZBMR

a b c d e f g hAndre Platzer (CMU) Differential Game Logic TOCL’15 4 / 26



Challenge (Hybrid Games)

Game rules describing playevolution with



Adversarial dynamics(Angel vs. Demon )

2 4 6 8 10t

-0.6

-0.4

-0.2

0.2

0.4

a

2 4 6 8 10t

0.2

0.4

0.6

0.8

1.0

1.2

v

2 4 6 8 10t

1

2

3

4

5

6

7

p

px

py









2 4 6 8 10t

-0.6

-0.4

-0.2

0.2

0.4

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy



CPS Analysis: RoboCup Soccer






2 4 6 8 10t

-0.6

-0.4

-0.2

0.2

0.4

a

2 4 6 8 10t

-1.0

-0.5

0.5

Ω

2 4 6 8 10t

-0.5

0.5

1.0

d

dx

dy



Contributions

Logical foundations for hybrid games

1 Compositional programming language for hybrid games

2 Compositional logic and proof calculus for winning strategy existence

3 Hybrid games determined

4 Winning region computations terminate after ≥ωCK1 iterations

5 Separate truth (∃ winning strategy) vs. proof (winning certificate) vs.proof search (automatic construction)

6 Sound & relatively complete

7 Expressiveness

8 Fragments quite successful in applications

9 Generalizations in logic enable more applications



Outline

1 CPS Applications



4 Expressiveness

5 Summary



Differential Game Logic dGL: Syntax

Definition (Hybrid game a)

x := f (x) | ?Q | x ′ = f (x) | a ∪ b | a; b | a∗ | ad

Definition (dGL Formula P)

p(e1, . . . , en) | e1 ≥ e2 | ¬P | P ∧ Q | ∀x P | ∃x P | 〈a〉P | [a]P

DiscreteAssign

TestGame

DifferentialEquation

ChoiceGame

Seq.Game

RepeatGame

AllReals

SomeReals

DualGame

AngelWins

DemonWins

TOCL’15Andre Platzer (CMU) Differential Game Logic TOCL’15 8 / 26


http://dx.doi.org/10.1145/2817824



x := f (x) | ?Q | x ′ = f (x) | a ∪ b | a; b | a∗ | ad



DiscreteAssign

TestGame


ChoiceGame

Seq.Game

RepeatGame

AllReals

SomeReals

DualGame

AngelWins

DemonWins



http://dx.doi.org/10.1145/2817824



x := f (x) | ?Q | x ′ = f (x) | a ∪ b | a; b | a∗ | ad



DiscreteAssign

TestGame


ChoiceGame

Seq.Game

RepeatGame

AllReals

SomeReals

DualGame

AngelWins

DemonWins



http://dx.doi.org/10.1145/2817824



x := f (x) | ?Q | x ′ = f (x) | a ∪ b | a; b | a∗ | ad



DiscreteAssign

TestGame


ChoiceGame

Seq.Game

RepeatGame

AllReals

SomeReals

DualGame

AngelWins

DemonWins



http://dx.doi.org/10.1145/2817824



x := f (x) | ?Q | x ′ = f (x) | a ∪ b | a; b | a∗ | ad



DiscreteAssign

TestGame


ChoiceGame

Seq.Game

RepeatGame

AllReals

SomeReals

DualGame

AngelWins

DemonWins



http://dx.doi.org/10.1145/2817824

Definable Game Operators

Angel Ops

∪ choice∗ repeatx ′ = f (x) evolve?Q challenge

Demon Ops

∩ choice× repeatx ′ = f (x)d evolve?Qd challenge

d

d

if(Q) a else b ≡ (?Q; a) ∪ (?¬Q; b)

while(Q) a ≡ (?Q; a)∗; ?¬Qa ∩ b ≡ (ad ∪ bd)d

a× ≡ ((ad)∗)d

(x ′ = f (x) &Q)d 6≡ x ′ = f (x) &Q

(x := f (x))d ≡ x := f (x)

?Qd 6≡ ?Q



Simple Examples

〈(x := x + 1; (x ′ = x2)d ∪ x := x − 1)∗〉 (0 ≤ x < 1)

2

〈(x := x + 1; (x ′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))∗〉(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);

(g := 1 ∪ g :=−1);

t := 0;

(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1



Simple Examples

〈(x := x + 1; (x ′ = x2)d ∪ x := x − 1)∗〉 (0 ≤ x < 1)

2

〈(x := x + 1; (x ′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))∗〉(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);

(g := 1 ∪ g :=−1);

t := 0;

(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1



Simple Examples

〈(x := x + 1; (x ′ = x2)d ∪ x := x − 1)∗〉 (0 ≤ x < 1)

2 〈(x := x + 1; (x ′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))∗〉(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);

(g := 1 ∪ g :=−1);

t := 0;

(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1



Simple Examples

〈(x := x + 1; (x ′ = x2)d ∪ x := x − 1)∗〉 (0 ≤ x < 1)

2 〈(x := x + 1; (x ′ = x2)d ∪ (x := x − 1 ∩ x := x − 2))∗〉(0 ≤ x < 1)

(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);

(g := 1 ∪ g :=−1);

t := 0;

(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1



Differential Hybrid Games: Zeppelin Obstacle Parcours

arXivAndre Platzer (CMU) Differential Game Logic TOCL’15 11 / 26


http://arxiv.org/abs/1507.04943.pdf









Differential Game Invariants

Theorem (Differential Game Invariants)

(DGI)∃y ∈ Y ∀z ∈ Z F ′

f (x ,y ,z)x ′

F → [x ′ = f (x , y , z)&dy ∈ Y&z ∈ Z ]F




Differential Game Logic: Denotational Semantics

Definition (Hybrid game a: denotational semantics)

ςx:=f (x)(X ) = s ∈ S : s[[f (x)]]sx ∈ X

ςx ′=f (x)(X ) = ϕ(0) ∈ S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ) = [[f (x)]]ϕ(ζ) for all ζ

ς?P(X ) = [[P]] ∩ Xςa∪b(X ) = ςa(X ) ∪ ςb(X )ςa;b(X ) = ςa(ςb(X ))ςa∗(X ) =

⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

ςad (X ) = (ςa(X ))


[[e1 ≥ e2]] = s ∈ S : [[e1]]s ≥ [[e2]]s[[¬P]] = ([[P]])

[[P ∧ Q]] = [[P]] ∩ [[Q]][[〈a〉P]] = ςa([[P]])[[[a]P]] = δa([[P]])

WinningRegion





ςx:=f (x)(X ) = s ∈ S : s[[f (x)]]sx ∈ X

X

ςx:=f (x)(X )





ςx ′=f (x)(X ) = ϕ(0) ∈ S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ) = [[f (x)]]ϕ(ζ) for all ζ

Xx′ =

f (x)

ςx ′=f (x)(X )





ς?P(X ) = [[P]] ∩ X

X

[[P]]

ς?P(X )





ςa∪b(X ) = ςa(X ) ∪ ςb(X )

ςa (X )

ςb(X )

Xςa∪b(X )





ςa;b(X ) = ςa(ςb(X ))

ςa(ςb(X )) ςb(X ) X

ςa;b(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X ) ς2

a (X ) ςa(X )

X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X ) ς2

a (X )

ςa(X ) X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X )

ς2a (X ) ςa(X ) X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · ·

ς3a (X ) ς2

a (X ) ςa(X ) X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X ) ς2

a (X ) ςa(X ) X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X ) ς2

a (X ) ςa(X ) X

ςa∗(X )





ςa∗(X ) =⋂Z ⊆ S : X ∪ ςa(Z ) ⊆ Z

≥ωCK1 iterations

ςa(ςa∗(X )) \ ςa∗(X )∅

ς∞a (X ) · · · ς3a (X ) ς2

a (X ) ςa(X ) X

ςa∗(X )





ςad (X ) = (ςa(X ))

X

X

ςa(X )

ςa(X )

ςad (X )





ςad (X ) = (ςa(X ))

X

X

ςa(X )

ςa(X )

ςad (X )



Consistency & Determinacy

Theorem (Consistency & determinacy)

Hybrid games are consistent and determined, i.e. ¬〈a〉¬P ↔ [a]P.

Corollary (Determinacy: At least one player wins)

¬〈a〉¬P → [a]P, thus 〈a〉¬P ∨ [a]P.

Corollary (Consistency: At most one player wins)

[a]P → ¬〈a〉¬P, thus ¬([a]P ∧ 〈a〉¬P)



Outline

1 CPS Applications



4 Expressiveness

5 Summary



Differential Game Logic: Axiomatization

[·] [a]P ↔ ¬〈a〉¬P

〈:=〉〈x := f (x)〉p(x)↔ p(f (x))

〈′〉〈x ′ = f (x)〉P ↔ ∃t≥0 〈x := y(t)〉P

〈?〉〈?Q〉P ↔ (Q ∧ P)

〈∪〉〈a ∪ b〉P ↔ 〈a〉P ∨ 〈b〉P

〈;〉〈a; b〉P ↔ 〈a〉〈b〉P

〈∗〉 P ∨ 〈a〉〈a∗〉P → 〈a∗〉P

〈d〉〈ad〉P ↔ ¬〈a〉¬P

MP → Q

〈a〉P → 〈a〉Q

FPP ∨ 〈a〉Q → Q

〈a∗〉P → Q

MPP P → Q

Q

∀p → Q

p → ∀x Q(x 6∈ FV(p))

USϕ

ϕQ(·)p(·)



http://dx.doi.org/10.1145/2817824

“There and Back Again” Game

x ′ = f (x) &Q ≡ t0 := x0; x ′ = f (x); (z := x ; z ′ = −f (z))d ; ?(z0≥t0 → Q(z))

t

~x

Q

t revert flow, time x0;Demon checks Qbackwards

x′ = f (x)

t0 := x0 r

z ′ = −f (z)

Lemma

Evolution domains definable by games



Example Proof: Dual Filibuster

∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0

〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0

〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0

[·] x = 0 →[x := 0 ∩ x := 1]x = 0

ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0

〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0

〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0

〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0

[·] x = 0 →[x := 0 ∩ x := 1]x = 0

ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0

〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0

〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0

[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0

〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0

〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0

〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0

〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗

R x = 0 →0 = 0 ∨ 1 = 0〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop




∗R x = 0 →0 = 0 ∨ 1 = 0〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0

X

X

1

1

10

0

10

repeat

0

stop

repeat

1

stop

0

0

10

repeat

0

stop

repeatX

stop



Soundness & Completeness

Theorem (Completeness)

dGL calculus is a sound & complete axiomatization of hybrid gamesrelative to any (differentially) expressive logic L.

ϕ iff TautL ` ϕ



http://dx.doi.org/10.1145/2817824

Soundness & Completeness: Consequences

Corollary (Constructive)

Constructive and Moschovakis-coding-free. (Minimal: x ′ = f (x), ∃, [a∗])

Remark (Coquand & Huet) (Inf.Comput’88)

Modal analogue for 〈a∗〉 of characterizations in Calculus of Constructions

Corollary (Meyer & Halpern) (J.ACM’82)

F → 〈a〉G semidecidable for uninterpreted programs.

Corollary (Schmitt) (Inf.Control.’84)

[a]-free semidecidable for uninterpreted programs.

Corollary

Uninterpreted game logic with even d in 〈a〉 is semidecidable.




Corollary

Harel’77 convergence rule unnecessary for hybrid games, hybrid systems,discrete programs.

Corollary (Characterization of hybrid game challenges)

[a∗]G : Succinct invariants discrete Π02

[x ′ = f (x)]G and 〈x ′ = f (x)〉G : Succinct differential (in)variants ∆11

∃x G : Complexity depends on Herbrand disjunctions: discrete Π11

X uninterpreted X reals × ∃x [a∗]G Π11-complete for discrete a

Corollary (Hybrid version of Parikh’s result) (FOCS’83)∗-free dGL complete relative to dL, relative to continuous, or to discreted -free dGL complete relative to dL, relative to continuous, or to discrete




Corollary (ODE Completeness) (+LICS’12)

dGL complete relative to ODE for hybrid games with finite-rank Borelwinning regions.

Corollary (Continuous Completeness)

dGL complete relative to LµD, continuous modal µ, over R

Corollary (Discrete Completeness) (+LICS’12)

dGL + Euler axiom complete relative to discrete Lµ over R



http://dx.doi.org/10.1109/LICS.2012.64



〈(x := 1; x ′ = 1d︸︷︷︸b

∪ x := x − 1︸︷︷︸c

)

︸︷︷︸a

∗〉0 ≤ x < 1

Fixpoint style proof technique

∗

∀x (0≤x<1 ∨ ∀t≥0 p(0 + t) ∨ p(x − 1)→ p(x))→ (true → p(x))

∀x (0≤x<1 ∨ 〈x := 1〉¬∃t≥0 〈x := x+t〉¬p(x) ∨ p(x−1)→ p(x))→ (true → p(x))

∀x (0≤x<1 ∨ 〈x := 1〉¬〈x ′ = 1〉¬p(x) ∨ p(x − 1)→ p(x))→ (true → p(x))

∀x (0≤x<1 ∨ 〈b〉p(x) ∨ 〈c〉p(x)→ p(x))→ (true → p(x))

∀x (0≤x<1 ∨ 〈b ∪ c〉p(x)→ p(x))→ (true → p(x))

∀x (0≤x<1 ∨ 〈a〉〈a∗〉0≤x<1→ 〈a∗〉0≤x<1)→ (true → 〈a∗〉0≤x<1)

true → 〈a∗〉0≤x<1



Separating Axioms

Theorem (Axiomatic separation: hybrid systems vs. hybrid games)

Axiomatic separation is exactly K, I, C, B, V, G. dGL is a subregular,sub-Barcan, monotonic modal logic without loop induction axioms.

K [a](P → Q)→ ([a]P → [a]Q) M[·]P → Q

[a]P → [a]Q←−M 〈a〉(P ∨ Q)→ 〈a〉P ∨ 〈a〉Q M 〈a〉P ∨ 〈a〉Q → 〈a〉(P ∨ Q)

I [a∗](P → [a]P)→ (P → [a∗]P) ∀I (P → [a]P)→ (P → [a∗]P)

C[a∗]∀v>0 (p(v)→ 〈a〉p(v − 1))

→ ∀v (p(v)→ 〈a∗〉∃v≤0 p(v))(v 6∈a)

B 〈a〉∃x P → ∃x 〈a〉P (x 6∈a)←−B ∃x 〈a〉P → 〈a〉∃x P

V p → [a]p (FV(p) ∩ BV(a) = ∅) VK p → ([a]true→[a]p)

GP

[a]PM[·]

P → Q

[a]P → [a]Q

RP1 ∧ P2 → Q

[a]P1 ∧ [a]P2 → [a]QM[·]

P1 ∧ P2 → Q

[a](P1 ∧ P2)→ [a]Q

FA 〈a∗〉P → P ∨ 〈a∗〉(¬P ∧ 〈a〉P)



Outline

1 CPS Applications



4 Expressiveness

5 Summary



Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid games:

dL < dGL

Clue: recursive open game quantifier expressible in dGL but not dL

ay ϕ(x , y)def≡ ∀y0 ∃y1 ∀y2 ∃y3 . . .

∨n<ω

ϕ(x , (|y0, . . . , yn|))



Expressiveness

Theorem (Expressive Power: hybrid systems < hybrid games)

dGL for hybrid games strictly more expressive than dL for hybrid games:

dL < dGL

First-orderadm. R

Inductiveadm. R

Clue: recursive open game quantifier expressible in dGL but not dL

ay ϕ(x , y)def≡ ∀y0 ∃y1 ∀y2 ∃y3 . . .

∨n<ω

ϕ(x , (|y0, . . . , yn|))



Outline

1 CPS Applications



4 Expressiveness

5 Summary



Differential Game Logic

differential game logic

dGL = GL + HG = dL+ d〈a〉P

P

Logic for hybrid games

Compositional PL + logic

Discrete + continuous + adversarial

Winning region iteration ≥ωCK1

Sound & rel. complete axiomatization

Hybrid games > hybrid systemsd radical challenge yet smooth extension

Stochastic ≈ adversarial

dis

cre

te contin

uo

us

nondet

sto

chastic

advers

arial



LogicalFoundations

ofCyber-Physical

Systems

Logic

TheoremProving

ProofTheory

ModalLogic Model

Checking

Algebra

ComputerAlgebra

RAlgebraicGeometry

DifferentialAlgebra

LieAlgebra

Analysis

DifferentialEquations

CarathedorySolutions

ViscosityPDE

Solutions

DynamicalSystems

Stochastics Doob’sSuper-

martingales

Dynkin’sInfinitesimalGenerators

DifferentialGenerators

StochasticDifferentialEquations

Numerics

HermiteInterpolation

WeierstraßApprox-imation

ErrorAnalysis

NumericalIntegration

Algorithms

DecisionProcedures

ProofSearch

Procedures

Fixpoints& Lattices

ClosureOrdinals


Andre Platzer.Differential game logic.ACM Trans. Comput. Log., 2015.To appear. Preprint at arXiv 1408.1980.doi:10.1145/2817824.

Andre Platzer.Differential hybrid games.CoRR, abs/1507.04943, 2015.arXiv:1507.04943.

Andre Platzer.Logics of dynamical systems.In LICS [9], pages 13–24.doi:10.1109/LICS.2012.13.

Andre Platzer.The complete proof theory of hybrid systems.In LICS [9], pages 541–550.doi:10.1109/LICS.2012.64.


http://dx.doi.org/10.1145/2817824

http://arxiv.org/abs/1507.04943



Andre Platzer.Differential game logic for hybrid games.Technical Report CMU-CS-12-105, School of Computer Science,Carnegie Mellon University, Pittsburgh, PA, March 2012.

Jan-David Quesel and Andre Platzer.Playing hybrid games with KeYmaera.In Bernhard Gramlich, Dale Miller, and Ulrike Sattler, editors, IJCAR,volume 7364 of LNCS, pages 439–453. Springer, 2012.doi:10.1007/978-3-642-31365-3_34.

Andre Platzer.A complete axiomatization of differential game logic for hybrid games.Technical Report CMU-CS-13-100R, School of Computer Science,Carnegie Mellon University, Pittsburgh, PA, January, Revised andextended in July 2013.

Andre Platzer.Differential game logic.CoRR, abs/1408.1980, 2014.


http://dx.doi.org/10.1007/978-3-642-31365-3_34

arXiv:1408.1980.

Proceedings of the 27th Annual ACM/IEEE Symposium on Logic inComputer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012.IEEE, 2012.


http://arxiv.org/abs/1408.1980

Differential Game Logic: Operational Semantics

Definition (Hybrid game a: operational semantics)

s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

alef

t

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

opa

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1





s

x := θ

s[[θ]]sx

x:=θ

s

x ′ = θ&Q

ϕ(r)

r

ϕ(t)

t

ϕ(0)

0

s

?P

s

?P

s|=

P

s

a ∪ b

s

tκ

b

tj

b

t1

b

right

s

sλ

a

si

a

s1

a

left

s

a; b

tλ

rλ1λ

b

r jλ

b

r1λ

b

a

ti

rλii

b

r1i

b

a

t1

rλ11

b

r j1

b

r11

b

a

s

a∗

s

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

a

repeatstop

a

...

a

...

a

repeatst

op

a

...

a

...

a

repeatst

op

arepeatst

op

a

repeat

s

stop

s

a

t0

tκtjt1

s0

sλsis1

sad

t0

tκtjt1

s0

sλsis1



Successful Hybrid Games Proofs

Verification Challenge:

ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)

Hybrid games proving also for proving relaxed notions of system similarity



Robotic Factory Automation (RF )

Example (Environment vs. Robot)(( ?true ∩ (?(x < ex ∧ y < ey ∧ eff1 = 1); vx := vx + cx ; eff1 := 0)

∩ (?(ex ≤ x ∧ y ≤ fy ∧ eff2 = 1); vy := vy + cy ; eff2 := 0) ) ;

(ax := ∗; ?(−A ≤ ax ≤ A);

ay := ∗; ?(−A ≤ ay ≤ A);

ts := 0 ) ;

(

(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1&ts ≤ ε )d ;

∪ (( ?axvx ≤ 0 ∧ ayvy ≤ 0;

if vx = 0 then ax := 0 fi;

if vy = 0 then ay := 0 fi ) ;

(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d))

)×ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)






(ax := ∗; ?(−A ≤ ax ≤ A);

ay := ∗; ?(−A ≤ ay ≤ A);

ts := 0 ) ;

(

(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1&ts ≤ ε )d ;

∪ (( ?axvx ≤ 0 ∧ ayvy ≤ 0;



(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d))

)×ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)






(ax := ∗; ?(−A ≤ ax ≤ A);

ay := ∗; ?(−A ≤ ay ≤ A);

ts := 0 ) ;

(

(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1&ts ≤ ε )d ;

∪ (( ?axvx ≤ 0 ∧ ayvy ≤ 0;



(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d))

)×ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)






(ax := ∗; ?(−A ≤ ax ≤ A);

ay := ∗; ?(−A ≤ ay ≤ A);

ts := 0 ) ;((x ′ = vx , y

′ = vy , v′x = ax , v

′y = ay , t

′ = 1, t ′s = 1&ts ≤ ε )d ;

∪ (( ?axvx ≤ 0 ∧ ayvy ≤ 0;



(x ′ = vx , y′ = vy , v

′x = ax , v

′y = ay , t

′ = 1, t ′s = 1

&ts ≤ ε ∧ axvx ≤ 0 ∧ ayvy ≤ 0)d)))×

ey

fy

xb(lx, ly) ex fx

(rx, ry)

(vx, vy)




Proposition (Robot stays in 2)

|= (x = y = 0 ∧ vx = vy = 0∧ Controllability Assumptions )→ (RF )(x ∈ [lx , rx ] ∧ y ∈ [ly , ry ])

Proposition (Stays in 2 + leaves shaded region in time)

RF |x : RF projected to the x-axis

|= (x = 0 ∧ vx = 0∧ Controllability Assumptions )→ (RF |x)(x ∈ [lx , rx ] ∧ (t ≥ ε→ (x ≥ xb)))



Documents

Differential Game Logic - AVACS · Contributions Logical foundations for hybrid games 1 Compositional programming language for hybrid games 2 Compositional logic and proof calculus