19: Game Proofs & Separations
15-424: Foundations of Cyber-Physical Systems (lecture slides)

  1. 19: Game Proofs & Separations. 15-424: Foundations of Cyber-Physical Systems. André Platzer, aplatzer@cs.cmu.edu, Computer Science Department, Carnegie Mellon University, Pittsburgh, PA. [Title-slide figure: plots with axis ticks from 0.1 to 1.0; nothing else recoverable.] André Platzer (CMU) FCPS / 19: Game Proofs & Separations 1 / 24

  2. Outline
     1. Learning Objectives
     2. Hybrid Game Proofs
        Soundness
        Separations: Soundness & Completeness; Expressiveness
        Example Proofs
     3. Differential Hybrid Games
        Syntax
        Example: Zeppelin
        Differential Game Invariants
        Example: Zeppelin Proof
     4. Summary


  4. Learning Objectives: Game Proofs & Separations
     rigorous reasoning for adversarial dynamics
     miracle of soundness
     power of completeness
     expressiveness separations
     axiomatization of dGL
     multi-dynamical systems
     game invariants
     [Figure: the CT / M&C / CPS triangle of the course, with the edges labelled discrete+adversarial, multi-scale feedback, continuous+adversarial.]

  5. Differential Game Logic: Syntax (TOCL'15)

  Definition (Hybrid game $\alpha$)
     $\alpha, \beta ::= x := e \mid ?Q \mid x' = f(x) \mid \alpha \cup \beta \mid \alpha;\beta \mid \alpha^* \mid \alpha^d$
     read as: discrete assignment game, test game, differential equation game, choice game, sequential game, repetition game, dual game.

  Definition (dGL formula $P$)
     $P, Q ::= p(e_1, \ldots, e_n) \mid e \ge \tilde e \mid \neg P \mid P \wedge Q \mid \forall x\, P \mid \exists x\, P \mid \langle\alpha\rangle P \mid [\alpha] P$
     where $\forall x$ and $\exists x$ range over all reals / some real, $\langle\alpha\rangle P$ means Angel has a winning strategy for $P$ in game $\alpha$, and $[\alpha]P$ means Demon has a winning strategy for $P$ in game $\alpha$.

  6. Differential Game Logic: Denotational Semantics

  Definition (Hybrid game $\alpha$). The winning region $\varsigma_\alpha : \wp(S) \to \wp(S)$ of Angel, mapping a set of winning states $X$ to the states from which Angel can win into $X$:
     $\varsigma_{x := e}(X) = \{\omega \in S : \omega_x^{\llbracket e\rrbracket\omega} \in X\}$
     $\varsigma_{x' = f(x)}(X) = \{\varphi(0) \in S : \varphi(r) \in X \text{ for some } r \ge 0 \text{ and some } \varphi : [0, r] \to S \text{ with } \frac{d\varphi(t)(x)}{dt}(\zeta) = \llbracket f(x)\rrbracket\varphi(\zeta) \text{ for all } \zeta \in [0, r]\}$
     $\varsigma_{?Q}(X) = \llbracket Q\rrbracket \cap X$
     $\varsigma_{\alpha \cup \beta}(X) = \varsigma_\alpha(X) \cup \varsigma_\beta(X)$
     $\varsigma_{\alpha;\beta}(X) = \varsigma_\alpha(\varsigma_\beta(X))$
     $\varsigma_{\alpha^*}(X) = \bigcap \{Z \subseteq S : X \cup \varsigma_\alpha(Z) \subseteq Z\}$ (least fixpoint)
     $\varsigma_{\alpha^d}(X) = (\varsigma_\alpha(X^\complement))^\complement$

  Definition (dGL formula $P$). $\llbracket\cdot\rrbracket : \mathrm{Fml} \to \wp(S)$:
     $\llbracket e_1 \ge e_2\rrbracket = \{\omega \in S : \llbracket e_1\rrbracket\omega \ge \llbracket e_2\rrbracket\omega\}$
     $\llbracket \neg P\rrbracket = (\llbracket P\rrbracket)^\complement$
     $\llbracket P \wedge Q\rrbracket = \llbracket P\rrbracket \cap \llbracket Q\rrbracket$
     $\llbracket \langle\alpha\rangle P\rrbracket = \varsigma_\alpha(\llbracket P\rrbracket)$
     $\llbracket [\alpha] P\rrbracket = \delta_\alpha(\llbracket P\rrbracket)$, where $\delta_\alpha$ is Demon's winning region; by determinacy of hybrid games $\delta_\alpha(X) = (\varsigma_\alpha(X^\complement))^\complement$.

  7. Differential Game Logic: Axiomatization (TOCL'15)

  Axioms:
     [·]    $[\alpha]P \leftrightarrow \neg\langle\alpha\rangle\neg P$
     ⟨:=⟩   $\langle x := e\rangle p(x) \leftrightarrow p(e)$
     ⟨'⟩    $\langle x' = f(x)\rangle P \leftrightarrow \exists t \ge 0\, \langle x := y(t)\rangle P$   ($y(\cdot)$ the solution of $x' = f(x)$ with $y(0) = x$)
     ⟨?⟩    $\langle ?Q\rangle P \leftrightarrow (Q \wedge P)$
     ⟨∪⟩    $\langle\alpha \cup \beta\rangle P \leftrightarrow \langle\alpha\rangle P \vee \langle\beta\rangle P$
     ⟨;⟩    $\langle\alpha;\beta\rangle P \leftrightarrow \langle\alpha\rangle\langle\beta\rangle P$
     ⟨*⟩    $\langle\alpha^*\rangle P \leftrightarrow P \vee \langle\alpha\rangle\langle\alpha^*\rangle P$
     ⟨d⟩    $\langle\alpha^d\rangle P \leftrightarrow \neg\langle\alpha\rangle\neg P$

  Rules (premises above the line, conclusion below):
     M      from $P \to Q$ infer $\langle\alpha\rangle P \to \langle\alpha\rangle Q$
     FP     from $P \vee \langle\alpha\rangle Q \to Q$ infer $\langle\alpha^*\rangle P \to Q$
     MP     from $P \to Q$ and $P$ infer $Q$
     ∀      from $p \to Q$ infer $p \to \forall x\, Q$   ($x \notin FV(p)$)
     US     from $\phi$ infer $\phi^{\psi(\cdot)}_{p(\cdot)}$   (uniform substitution of $\psi(\cdot)$ for $p(\cdot)$)


  10. Soundness
  Theorem (Soundness). The dGL proof calculus is sound.
  Do we have to prove anything at all?


  14. Separating Axioms

  Theorem (Axiomatic separation: hybrid systems vs. hybrid games). The axiomatic separation is exactly K, I, C, B, V, G: these are sound for hybrid systems but not for hybrid games. dGL is a subregular (no rule R), sub-Barcan (no B), monotonic modal logic without loop induction axioms (no I).

  Candidate axioms and rules, listed against their game-sound counterparts:
     K      $[\alpha](P \to Q) \to ([\alpha]P \to [\alpha]Q)$
     M[·]   from $P \to Q$ infer $[\alpha]P \to [\alpha]Q$
     ←M     $\langle\alpha\rangle(P \vee Q) \to \langle\alpha\rangle P \vee \langle\alpha\rangle Q$
     M      $\langle\alpha\rangle P \vee \langle\alpha\rangle Q \to \langle\alpha\rangle(P \vee Q)$
     I      $[\alpha^*](P \to [\alpha]P) \to (P \to [\alpha^*]P)$
     I∀     $\mathrm{Cl}_\forall(P \to [\alpha]P) \to (P \to [\alpha^*]P)$   ($\mathrm{Cl}_\forall$ the universal closure)
     B      $\langle\alpha\rangle\exists x\, P \to \exists x\, \langle\alpha\rangle P$   ($x \notin \alpha$; the Barcan direction)
     ←B     $\exists x\, \langle\alpha\rangle P \to \langle\alpha\rangle\exists x\, P$   ($x \notin \alpha$; the converse Barcan direction)
     G      from $P$ infer $[\alpha]P$
     R      from $P_1 \wedge P_2 \to Q$ infer $[\alpha]P_1 \wedge [\alpha]P_2 \to [\alpha]Q$
     M[·]   from $P_1 \wedge P_2 \to Q$ infer $[\alpha](P_1 \wedge P_2) \to [\alpha]Q$
     FA     $\langle\alpha^*\rangle P \to P \vee \langle\alpha^*\rangle(\neg P \wedge \langle\alpha\rangle P)$

  15. Soundness
  Theorem (Soundness). The dGL proof calculus is sound, i.e. all provable formulas are valid.
  [Diagram: Axiomatics, Syntax, Semantics; soundness connects what the axiomatics derives from the syntax to what the semantics validates.]

  18. Soundness
  Theorem (Soundness). The dGL proof calculus is sound, i.e. all provable formulas are valid.

  Proof (for the cases ⟨∪⟩, ⟨;⟩, [·] and M; each axiom is shown valid and each rule is shown to preserve validity).
     ⟨∪⟩: $\llbracket\langle\alpha \cup \beta\rangle P\rrbracket = \varsigma_{\alpha \cup \beta}(\llbracket P\rrbracket) = \varsigma_\alpha(\llbracket P\rrbracket) \cup \varsigma_\beta(\llbracket P\rrbracket) = \llbracket\langle\alpha\rangle P\rrbracket \cup \llbracket\langle\beta\rangle P\rrbracket = \llbracket\langle\alpha\rangle P \vee \langle\beta\rangle P\rrbracket$, so $\langle\alpha \cup \beta\rangle P \leftrightarrow \langle\alpha\rangle P \vee \langle\beta\rangle P$ is valid.
     ⟨;⟩: $\llbracket\langle\alpha;\beta\rangle P\rrbracket = \varsigma_{\alpha;\beta}(\llbracket P\rrbracket) = \varsigma_\alpha(\varsigma_\beta(\llbracket P\rrbracket)) = \varsigma_\alpha(\llbracket\langle\beta\rangle P\rrbracket) = \llbracket\langle\alpha\rangle\langle\beta\rangle P\rrbracket$, so $\langle\alpha;\beta\rangle P \leftrightarrow \langle\alpha\rangle\langle\beta\rangle P$ is valid.
     [·]: $[\alpha]P \leftrightarrow \neg\langle\alpha\rangle\neg P$ is sound by determinacy of hybrid games: $\delta_\alpha(X) = (\varsigma_\alpha(X^\complement))^\complement$, i.e. from every state exactly one of the two players has a winning strategy.
     M: Assume the premise $P \to Q$ is valid, i.e. $\llbracket P\rrbracket \subseteq \llbracket Q\rrbracket$. Then $\llbracket\langle\alpha\rangle P\rrbracket = \varsigma_\alpha(\llbracket P\rrbracket) \subseteq \varsigma_\alpha(\llbracket Q\rrbracket) = \llbracket\langle\alpha\rangle Q\rrbracket$ by monotonicity of $\varsigma_\alpha$, so the conclusion $\langle\alpha\rangle P \to \langle\alpha\rangle Q$ is valid.
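The semantics slide and the proof above work over an arbitrary state space. What follows is an added example, written for this page and not code from the lecture, that realises the winning regions $\varsigma_\alpha$ and $\delta_\alpha$ over a constructed finite state space so that the soundness of ⟨∪⟩, ⟨*⟩ and rule M, and the failure of the separating axioms K and G (and of ←M from the Separating Axioms slide) in the presence of the dual game, can be checked mechanically. The differential-equation game is omitted because it needs real-valued time; the tagged-tuple encoding of games, the 3x3 grid of two integer variables, and the names `angel`, `demon`, `region`, `implies` and the sample games are my assumptions, not the lecture's notation.

```python
"""Finite-state model of the winning-region semantics on the semantics slide.
It checks the soundness argument of the proof slide (axioms <∪>, <*>, rule M)
and the separation theorem: K, G and the converse of M fail once Demon gets a
choice through the dual game.  Added illustration, not code from the lecture.
Assumptions: a constructed 3x3 grid of two integer variables as state space;
the differential-equation game x' = f(x) is left out (it needs real time).
"""
from itertools import product
from typing import Callable, FrozenSet, Tuple

State = Tuple[int, int]                       # (x, y)
Region = FrozenSet[State]
S: Region = frozenset(product(range(3), range(3)))   # x, y ∈ {0, 1, 2}
X_ = 0                                        # index of variable x

# Game syntax as tagged tuples (discrete fragment of the slide's grammar):
#   ("assign", var, e)  x := e    ("test", q)    ?Q    ("choice", a, b)  α ∪ β
#   ("seq", a, b)       α ; β     ("repeat", a)  α*    ("dual", a)       α^d
Game = tuple


def region(p: Callable[[State], bool]) -> Region:
    """⟦P⟧ for a state predicate P."""
    return frozenset(w for w in S if p(w))


def angel(g: Game, X: Region) -> Region:
    """ς_α(X): states from which Angel has a winning strategy for X in α."""
    op = g[0]
    if op == "assign":                        # {ω : ω[x ↦ ⟦e⟧ω] ∈ X}
        var, e = g[1], g[2]
        return frozenset(w for w in S if w[:var] + (e(w),) + w[var + 1:] in X)
    if op == "test":                          # ⟦Q⟧ ∩ X
        return frozenset(w for w in X if g[1](w))
    if op == "choice":                        # ς_α(X) ∪ ς_β(X)
        return angel(g[1], X) | angel(g[2], X)
    if op == "seq":                           # ς_α(ς_β(X))
        return angel(g[1], angel(g[2], X))
    if op == "repeat":                        # least Z with X ∪ ς_α(Z) ⊆ Z
        Z: Region = frozenset()               # iterate from ∅; S is finite
        while True:
            Z_next = X | angel(g[1], Z)
            if Z_next == Z:
                return Z
            Z = Z_next
    if op == "dual":                          # (ς_α(X^∁))^∁
        return S - angel(g[1], S - X)
    raise ValueError(f"not a game: {g!r}")


def demon(g: Game, X: Region) -> Region:
    """δ_α(X) = ⟦[α]P⟧, via determinacy: [α]P ↔ ¬⟨α⟩¬P."""
    return S - angel(g, S - X)


def implies(A: Region, B: Region) -> Region:
    """⟦P → Q⟧ = ⟦¬P⟧ ∪ ⟦Q⟧; the formula is valid iff this equals S."""
    return (S - A) | B


# Constructed sample games and regions.
set_x0: Game = ("assign", X_, lambda w: 0)
set_x1: Game = ("assign", X_, lambda w: 1)
inc_x: Game = ("seq", ("test", lambda w: w[X_] < 2), ("assign", X_, lambda w: w[X_] + 1))
angel_pick: Game = ("choice", set_x0, set_x1)          # Angel picks x := 0 or x := 1
demon_pick: Game = ("dual", angel_pick)                # Demon picks x := 0 or x := 1
stuck_demon: Game = ("dual", ("test", lambda w: False))  # Demon has to pass ?false
P, Q = region(lambda w: w[X_] == 0), region(lambda w: w[X_] == 1)
FALSE: Region = frozenset()


def choice_axiom_holds(a: Game, b: Game, X: Region) -> bool:
    """⟨α ∪ β⟩P ↔ ⟨α⟩P ∨ ⟨β⟩P, the first case of the proof slide."""
    return angel(("choice", a, b), X) == angel(a, X) | angel(b, X)


def repeat_axiom_holds(a: Game, X: Region) -> bool:
    """⟨α*⟩P ↔ P ∨ ⟨α⟩⟨α*⟩P."""
    return angel(("repeat", a), X) == X | angel(a, angel(("repeat", a), X))


def monotone(a: Game, X: Region, Y: Region) -> bool:
    """Rule M: ⟦P⟧ ⊆ ⟦Q⟧ gives ς_α(⟦P⟧) ⊆ ς_α(⟦Q⟧)."""
    return not X <= Y or angel(a, X) <= angel(a, Y)


def converse_m_valid(a: Game, X: Region, Y: Region) -> bool:
    """←M: ⟨α⟩(P ∨ Q) → ⟨α⟩P ∨ ⟨α⟩Q.  Valid for systems, not for games."""
    return implies(angel(a, X | Y), angel(a, X) | angel(a, Y)) == S


def k_axiom_valid(a: Game, X: Region, Y: Region) -> bool:
    """K: [α](P → Q) → ([α]P → [α]Q).  Valid for systems, not for games."""
    return implies(demon(a, implies(X, Y)), implies(demon(a, X), demon(a, Y))) == S


def g_rule_valid_for(a: Game) -> bool:
    """Rule G applied to the valid premise true: is [α]true valid?"""
    return demon(a, S) == S
```

Calling `k_axiom_valid` and `converse_m_valid` with `angel_pick` (Angel chooses $x := 0$ or $x := 1$) returns True, while the same calls with its dual `demon_pick` return False: Angel wins $\langle\alpha^d\rangle(x = 0 \vee x = 1)$ whatever Demon does, but can force neither disjunct on its own, which is exactly the separation the theorem states. `g_rule_valid_for(stuck_demon)` is False because $[(?\mathrm{false})^d]\mathrm{true}$ fails when Demon cannot pass the test, so G cannot be a sound rule for games even though its premise is valid. The repetition case iterates the least fixpoint from $\emptyset$, which is justified by the monotonicity of $\varsigma_\alpha$ that the M case of the proof uses.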
