Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

Propositional Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is a propositional tautology then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. ∗ [:=] Q ⊢ [ x ′ := f ( x )]( F ) ′ F ↔ G propositionally equivalent, so ( F ) ′ ↔ ( G ) ′ propositionally equivalent G ⊢ [ x ′ = f ( x )& Q ] G dI since ( F 1 ∧ F 2 ) ′ ≡ ( F 1 ) ′ ∧ ( F 2 ) ′ . . . MR,cut F ⊢ [ x ′ = f ( x )& Q ] F Can use any propositional normal form André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 7 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. ⊢ 0 ≤ − x ∧− x ≤ 0 [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. not valid ⊢ 0 ≤ − x ∧− x ≤ 0 [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. not valid ⊢ 0 ≤ − x ∧− x ≤ 0 [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) dI x 2 ≤ 5 2 ⊢ [ x ′ = − x ] x 2 ≤ 5 2 arithmetic equivalence − 5 ≤ x ∧ x ≤ 5 ↔ x 2 ≤ 5 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. not valid ⊢ 0 ≤ − x ∧− x ≤ 0 [:=] [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) ⊢ [ x ′ := − x ] 2 xx ′ ≤ 0 dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) dI x 2 ≤ 5 2 ⊢ [ x ′ = − x ] x 2 ≤ 5 2 arithmetic equivalence − 5 ≤ x ∧ x ≤ 5 ↔ x 2 ≤ 5 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. not valid R ⊢ 0 ≤ − x ∧− x ≤ 0 ⊢ − x 2 x ≤ 0 [:=] [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) ⊢ [ x ′ := − x ] 2 xx ′ ≤ 0 dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) dI x 2 ≤ 5 2 ⊢ [ x ′ = − x ] x 2 ≤ 5 2 arithmetic equivalence − 5 ≤ x ∧ x ≤ 5 ↔ x 2 ≤ 5 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. ∗ not valid R ⊢ 0 ≤ − x ∧− x ≤ 0 ⊢ − x 2 x ≤ 0 [:=] [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) ⊢ [ x ′ := − x ] 2 xx ′ ≤ 0 dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) dI x 2 ≤ 5 2 ⊢ [ x ′ = − x ] x 2 ≤ 5 2 arithmetic equivalence − 5 ≤ x ∧ x ≤ 5 ↔ x 2 ≤ 5 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Arithmetic Equivalences of Differential Invariants Lemma (Differential invariants and propositional logic) If F ↔ G is real-arithmetic equivalence then F differential invariant of x ′ = f ( x )& Q G differential invariant of x ′ = f ( x )& Q iff Proof. ∗ not valid R ⊢ 0 ≤ − x ∧− x ≤ 0 ⊢ − x 2 x ≤ 0 [:=] [:=] ⊢ [ x ′ := − x ]( 0 ≤ x ′ ∧ x ′ ≤ 0 ) ⊢ [ x ′ := − x ] 2 xx ′ ≤ 0 dI − 5 ≤ x ∧ x ≤ 5 ⊢ [ x ′ = − x ]( − 5 ≤ x ∧ x ≤ 5 ) dI x 2 ≤ 5 2 ⊢ [ x ′ = − x ] x 2 ≤ 5 2 Despite arithmetic equivalence − 5 ≤ x ∧ x ≤ 5 ↔ x 2 ≤ 5 2 Differential structure matters! Higher degree helps here André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 8 / 23

Different Differential Structure for Equivalent Solutions ≥ 0 p � p 8 15 6 4 10 2 4 x � 3 � 2 � 1 1 2 3 5 � 2 � 4 4 x � 3 � 2 � 1 1 2 3 � 6 p p � 4000 3000 3000 2000 1000 2000 4 x � 3 � 2 � 1 1 2 3 1000 � 1000 � 2000 4 x � 3 � 2 � 1 1 2 3 p � p 30 20 25 10 20 15 6 x � 2 2 4 10 � 10 5 6 x � 2 2 4 � 20 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 9 / 23

Different Differential Structure for Equivalent Solutions ≥ 0 Same p ≥ 0. p � p 8 15 But different p ′ ≥ 0. 6 4 10 2 4 x � 3 � 2 � 1 1 2 3 5 � 2 � 4 4 x � 3 � 2 � 1 1 2 3 � 6 p p � 4000 3000 3000 2000 1000 2000 4 x � 3 � 2 � 1 1 2 3 1000 � 1000 � 2000 4 x � 3 � 2 � 1 1 2 3 p � p 30 20 25 10 20 15 6 x � 2 2 4 10 � 10 5 6 x � 2 2 4 � 20 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 9 / 23

Different Differential Structure for Equivalent Solutions ≥ 0 Same p ≥ 0. p � p 8 15 But different p ′ ≥ 0. 6 4 10 2 Can still normalize 4 x � 3 � 2 � 1 1 2 3 5 � 2 atomic formulas to � 4 4 x e = 0 , e ≥ 0 , e > 0 � 3 � 2 � 1 1 2 3 � 6 p p � 4000 3000 3000 2000 1000 2000 4 x � 3 � 2 � 1 1 2 3 1000 � 1000 � 2000 4 x � 3 � 2 � 1 1 2 3 p � p 30 20 25 10 20 15 6 x � 2 2 4 10 � 10 5 6 x � 2 2 4 � 20 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 9 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = DI = , ∧ , ∨ Proof core. Full: [6, 2]. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 e 1 = e 2 ∧ k 1 = k 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 ( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ � [ x ′ := f ( x )] � André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 ( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ � [ x ′ := f ( x )] � (( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 ) ′ = 0 So [ x ′ := f ( x )] � � ≡ [ x ′ := f ( x )] 2 ( e 1 − e 2 )(( e 1 ) ′ − ( e 2 ) ′ )+ 2 ( k 1 − k 2 )(( k 1 ) ′ − ( k 2 ) ′ )= 0 � � André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 ( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ � [ x ′ := f ( x )] � (( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 ) ′ = 0 So [ x ′ := f ( x )] � � ≡ [ x ′ := f ( x )] 2 ( e 1 − e 2 )(( e 1 ) ′ − ( e 2 ) ′ )+ 2 ( k 1 − k 2 )(( k 1 ) ′ − ( k 2 ) ′ )= 0 � � André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Differential Invariant Equations Proposition (Equational deductive power [6, 2]) DI = ≡ DI = , ∧ , ∨ atomic equations are enough: Proof core. Full: [6, 2]. e 1 = e 2 ∨ k 1 = k 2 ↔ ( e 1 − e 2 )( k 1 − k 2 ) = 0 [ x ′ := f ( x )](( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ ) So [ x ′ := f ( x )](( e 1 − e 2 )( k 1 − k 2 )) ′ = 0 (( e 1 ) ′ − ( e 2 ) ′ )( k 1 − k 2 )+( e 1 − e 2 )(( k 1 ) ′ − ( k 2 ) ′ ) = 0 ≡ [ x ′ := f ( x )] � � e 1 = e 2 ∧ k 1 = k 2 ↔ ( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 = 0 ( e 1 ) ′ = ( e 2 ) ′ ∧ ( k 1 ) ′ = ( k 2 ) ′ � [ x ′ := f ( x )] � (( e 1 − e 2 ) 2 +( k 1 − k 2 ) 2 ) ′ = 0 So [ x ′ := f ( x )] � � ≡ [ x ′ := f ( x )] 2 ( e 1 − e 2 )(( e 1 ) ′ − ( e 2 ) ′ )+ 2 ( k 1 − k 2 )(( k 1 ) ′ − ( k 2 ) ′ )= 0 � � André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 10 / 23

Equational Proposition (Equational [2]) DI = ≡ DI = , ∧ , ∨ DI DI ≥ DI = Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = R ⊢ 5 ≥ 0 ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ∗ R ⊢ 5 ≥ 0 ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 11 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 1 2 4 a c e b d f Example (Vector Spaces Isomorphic or Not) y ′ y x ′ x André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 1 2 4 a c e b d f Example (Vector Spaces Isomorphic or Not) y ′ y x ′ x André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 5 1 2 4 1 2 3 4 6 a c e a c e b d f b d Example (Vector Spaces Isomorphic or Not) y ′ y x ′ x André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 5 1 2 4 1 2 3 4 6 a c e a c e b d f b d criterion: cardinality |{ 1 ,..., 6 }| = 6 � = |{ a , b , c , d , e }| = 5 Need an indirect criterion especially if these sets are infinite Example (Vector Spaces Isomorphic or Not) y ′ y x ′ x André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 5 1 2 4 1 2 3 4 6 a c e a c e b d f b d criterion: cardinality |{ 1 ,..., 6 }| = 6 � = |{ a , b , c , d , e }| = 5 Need an indirect criterion especially if these sets are infinite Example (Vector Spaces Isomorphic or Not) y ′ y x ′ x André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 5 1 2 4 1 2 3 4 6 a c e a c e b d f b d criterion: cardinality |{ 1 ,..., 6 }| = 6 � = |{ a , b , c , d , e }| = 5 Need an indirect criterion especially if these sets are infinite Example (Vector Spaces Isomorphic or Not) y ′ y ′ y y x ′ x ′ x x z André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Proving Differences in Set Theory & Linear Algebra Example (Sets Bijective or Not) 3 5 6 5 1 2 4 1 2 3 4 6 a c e a c e b d f b d criterion: cardinality |{ 1 ,..., 6 }| = 6 � = |{ a , b , c , d , e }| = 5 Need an indirect criterion especially if these sets are infinite Example (Vector Spaces Isomorphic or Not) y ′ y ′ y y x ′ x ′ x x criterion: dimension 3 � = 2 z André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 12 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ∗ R ⊢ 5 ≥ 0 ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ∗ R ⊢ 5 ≥ 0 ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 cut,MR André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ∗ R ⊢ 5 ≥ 0 p ( x ) = 0 ⊢ [ x ′ = 5 ] p ( x ) = 0 dI ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 cut,MR André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ∗ ⊢ [ x ′ := 5 ]( p ( x )) ′ = 0 R ⊢ 5 ≥ 0 p ( x ) = 0 ⊢ [ x ′ = 5 ] p ( x ) = 0 dI ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 cut,MR André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ??? ∗ ⊢ [ x ′ := 5 ]( p ( x )) ′ = 0 R ⊢ 5 ≥ 0 p ( x ) = 0 ⊢ [ x ′ = 5 ] p ( x ) = 0 dI ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 cut,MR André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Equational Incompleteness Proposition (Equational incompleteness [2]) DI = ≡ DI = , ∧ , ∨ < DI since DI ≥ �≤ DI = Equations are not enough: Proof core. Provable with DI ≥ Unprovable with DI = ??? ∗ ⊢ [ x ′ := 5 ]( p ( x )) ′ = 0 R ⊢ 5 ≥ 0 p ( x ) = 0 ⊢ [ x ′ = 5 ] p ( x ) = 0 dI ⊢ [ x ′ := 5 ] x ′ ≥ 0 [:=] x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 dI x ≥ 0 ⊢ [ x ′ = 5 ] x ≥ 0 cut,MR Univariate polynomial p ( x ) is 0 if 0 on all x ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 13 / 23

Strict Inequality Proposition (Strict barrier ) DI > DI DI = DI > Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > R ⊢ 2 vw + 2 w ( − v ) = 0 ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > ∗ R ⊢ 2 vw + 2 w ( − v ) = 0 ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > ∗ e > 0 is open set. R ⊢ 2 vw + 2 w ( − v ) = 0 ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 v 2 + w 2 = c 2 is a closed set closed v 2 + w 2 ≤ 1 open v 2 + w 2 < 1 with full boundary without boundary André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > ∗ e > 0 is open set. R ⊢ 2 vw + 2 w ( − v ) = 0 Only true / false are ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] both dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 v 2 + w 2 = c 2 is a closed set closed v 2 + w 2 ≤ 1 open v 2 + w 2 < 1 with full boundary without boundary André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Strict Inequality Incompleteness Proposition (Strict barrier incompleteness) DI > < DI because DI = �≤ DI > Strict inequalities are not enough: Proof core. Provable with DI = Unprovable with DI > ∗ e > 0 is open set. R ⊢ 2 vw + 2 w ( − v ) = 0 Only true / false are ⊢ [ v ′ := w ][ w ′ := − v ] 2 vv ′ + 2 ww ′ = 0 [:=] both dI v 2 + w 2 = c 2 ⊢ [ v ′ = w , w ′ = − v ] v 2 + w 2 = c 2 but don’t help proof v 2 + w 2 = c 2 is a closed set closed v 2 + w 2 ≤ 1 open v 2 + w 2 < 1 with full boundary without boundary André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 14 / 23

Differential Invariant Equations to Inequalities Proposition (Equational ) DI = , ∧ , ∨ DI ≥ Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ Q ⊢ [ x ′ := f ( x )]( e ) ′ = 0 dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ ∗ Q ⊢ [ x ′ := f ( x )]( e ) ′ = 0 dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ ∗ Q ⊢ [ x ′ := f ( x )]( e ) ′ = 0 dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 dI − e 2 ≥ 0 ⊢ [ x ′ = f ( x )& Q ]( − e 2 ≥ 0 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ ∗ Q ⊢ [ x ′ := f ( x )]( e ) ′ = 0 Q ⊢ [ x ′ := f ( x )] − 2 e ( e ) ′ ≥ 0 dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 dI − e 2 ≥ 0 ⊢ [ x ′ = f ( x )& Q ]( − e 2 ≥ 0 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Equations to Inequalities Proposition (Equational definability) DI = , ∧ , ∨ ≤ DI ≥ Equations are definable by weak inequalities: Proof core. Provable with DI = Provable with DI ≥ ∗ ∗ Q ⊢ [ x ′ := f ( x )]( e ) ′ = 0 Q ⊢ [ x ′ := f ( x )] − 2 e ( e ) ′ ≥ 0 dI e = 0 ⊢ [ x ′ = f ( x )& Q ] e = 0 dI − e 2 ≥ 0 ⊢ [ x ′ = f ( x )& Q ]( − e 2 ≥ 0 ) Local view of logic on differentials is crucial for this proof. Degree increases André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 15 / 23

Differential Invariant Atoms Theorem (Atomic ) DI ≥ DI ≥ , ∧ , ∨ and DI > DI >, ∧ , ∨ Proof idea. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. Provable with DI ≥ , ∧ , ∨ Unprovable with DI ≥ André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. Provable with DI ≥ , ∧ , ∨ Unprovable with DI ≥ ∗ ⊢ 5 ≥ 0 ∧ y 2 ≥ 0 R [:=] ⊢ [ x ′ := 5 ][ y ′ := y 2 ]( x ′ ≥ 0 ∧ y ′ ≥ 0 ) dI x ≥ 0 ∧ y ≥ 0 ⊢ [ x ′ = 5 , y ′ = y 2 ]( x ≥ 0 ∧ y ≥ 0 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. Provable with DI ≥ , ∧ , ∨ Unprovable with DI ≥ p ( x , y ) ≥ 0 ↔ x ≥ 0 ∧ y ≥ 0 impossible since this implies ∗ p ( x , 0 ) ≥ 0 ↔ x ≥ 0 ⊢ 5 ≥ 0 ∧ y 2 ≥ 0 R so p ( x , 0 ) is 0 [:=] ⊢ [ x ′ := 5 ][ y ′ := y 2 ]( x ′ ≥ 0 ∧ y ′ ≥ 0 ) dI x ≥ 0 ∧ y ≥ 0 ⊢ [ x ′ = 5 , y ′ = y 2 ]( x ≥ 0 ∧ y ≥ 0 ) André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. Provable with DI ≥ , ∧ , ∨ Unprovable with DI ≥ p ( x , y ) ≥ 0 ↔ x ≥ 0 ∧ y ≥ 0 impossible since this implies ∗ p ( x , 0 ) ≥ 0 ↔ x ≥ 0 ⊢ 5 ≥ 0 ∧ y 2 ≥ 0 R so p ( x , 0 ) is 0 [:=] ⊢ [ x ′ := 5 ][ y ′ := y 2 ]( x ′ ≥ 0 ∧ y ′ ≥ 0 ) dI x ≥ 0 ∧ y ≥ 0 ⊢ [ x ′ = 5 , y ′ = y 2 ]( x ≥ 0 ∧ y ≥ 0 ) Substantial remaining parts of the proof shown elsewhere [2]. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Differential Invariant Atoms Theorem (Atomic incompleteness) DI ≥ < DI ≥ , ∧ , ∨ and DI > < DI >, ∧ , ∨ Atomic inequalities not enough: Proof idea. Provable with DI ≥ , ∧ , ∨ Unprovable with DI ≥ p ( x , y ) ≥ 0 ↔ x ≥ 0 ∧ y ≥ 0 impossible since this implies ∗ p ( x , 0 ) ≥ 0 ↔ x ≥ 0 ⊢ 5 ≥ 0 ∧ y 2 ≥ 0 R so p ( x , 0 ) is 0 [:=] ⊢ [ x ′ := 5 ][ y ′ := y 2 ]( x ′ ≥ 0 ∧ y ′ ≥ 0 ) dI x ≥ 0 ∧ y ≥ 0 ⊢ [ x ′ = 5 , y ′ = y 2 ]( x ≥ 0 ∧ y ≥ 0 ) Substantial remaining parts of the proof shown elsewhere [2]. dC still possible here but more involved argument separates. André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Outline Learning Objectives 1 Recap: Proofs for Differential Equations 2 3 Differential Equation Proof Theory Propositional Equivalences Differential Invariants & Arithmetic Differential Structure Differential Invariant Equations Equational Incompleteness Strict Differential Invariant Inequalities Differential Invariant Equations to Differential Invariant Inequalities Differential Invariant Atoms Differential Cut Power & Differential Ghost Power 4 5 Curves Playing with Norms and Degrees Summary 6 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 16 / 23

Deductive Power of Differential Cuts & Differential Ghosts Theorem (Gentzen’s Cut Elimination) (1935) A ⊢ B ∨ C A ∧ C ⊢ B cut can be eliminated A ⊢ B Theorem (No Differential Cut Elimination) (LMCS 2012) Deductive power with differential cuts exceeds deductive power without. DI + DC > DI Theorem (Auxiliary Differential Variables) (LMCS 2012) Deductive power with differential ghosts exceeds power without. DI + DC + DG > DI + DC André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 17 / 23

Ex: The Need for Differential Cuts dI x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 18 / 23

Ex: The Need for Differential Cuts ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 3 x 2 x ′ ≥ 0 [:=] dI x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 18 / 23

Ex: The Need for Differential Cuts ⊢ 3 x 2 (( x − 2 ) 4 + y 5 ) ≥ 0 ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 3 x 2 x ′ ≥ 0 [:=] dI x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 18 / 23

Ex: The Need for Differential Cuts not valid ⊢ 3 x 2 (( x − 2 ) 4 + y 5 ) ≥ 0 ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 3 x 2 x ′ ≥ 0 [:=] dI x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 18 / 23

Ex: The Need for Differential Cuts not valid ⊢ 3 x 2 (( x − 2 ) 4 + y 5 ) ≥ 0 ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 3 x 2 x ′ ≥ 0 [:=] dI x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 Have to know something about y 5 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 18 / 23

Ex: Differential Cuts dC x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 19 / 23

Ex: Differential Cuts dC x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 dI y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] y 5 ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 19 / 23

Ex: Differential Cuts dC x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 5 y 4 y ′ ≥ 0 [:=] dI y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] y 5 ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 19 / 23

Ex: Differential Cuts dC x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 ⊢ 5 y 4 y 2 ≥ 0 R ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 5 y 4 y ′ ≥ 0 [:=] dI y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] y 5 ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 19 / 23

Ex: Differential Cuts dC x 3 ≥ − 1 ∧ y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] x 3 ≥ − 1 ∗ ⊢ 5 y 4 y 2 ≥ 0 R ⊢ [ x ′ :=( x − 2 ) 4 + y 5 ][ y ′ := y 2 ] 5 y 4 y ′ ≥ 0 [:=] dI y 5 ≥ 0 ⊢ [ x ′ = ( x − 2 ) 4 + y 5 , y ′ = y 2 ] y 5 ≥ 0 André Platzer (CMU) LFCPS/13: Differential Invariants & Proof Theory LFCPS/13 19 / 23