logical foundations of cyber physical systems
play

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr - PowerPoint PPT Presentation

Oct 05, 2022 •246 likes •1.96k views

18: Axioms & Uniform Substitutions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 1

  1. Axiom Schema Matches Many Formulas But Not All Algorithm [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ � [ x := x + 1 ∪ x ′ = x 2 ] x ≥ 0 ↔ [ x := x + 1 ] x ≥ 0 ∧ [ x ′ = x 2 ] x ≥ 0 Same φ Match Schema � [ x ′ = 5 ∪ x ′ = − x ] x 2 ≥ 5 ↔ [ x ′ = 5 ] x 2 ≥ 5 ∧ [ x ′ = − x ] x 2 ≥ 5 shape variable every- × [ v := v + 1 ; x ′ = v ∪ x ′ = 2 ] x ≥ 5 ↔ [ v := v + 1 ; x ′ = v ] x ≥ 5 ∧ [ x ′ = 2 ] x ≥ 4 α ∪ β α match where V φ → [ α ] φ ( FV ( φ ) ∩ BV ( α ) = / 0 ) � y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 rule out × x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 by side � y ≥ z → [ x ′ = − 5 ] y ≥ z conditions [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) ( θ free for x in φ ) � [ x := x + y ] x ≤ y 2 ↔ x + y ≤ y 2 no x oc- Match Replace × [ x := x + y ][ y := 5 ] x ≥ 0 ↔ [ y := 5 ] x + y ≥ 0 currence all free by θ � [ y := 2 b ][( x := x + y ; x ′ = y ) ∗ ] x ≥ y ↔ [( x := x + 2 b ; x ′ = 2 b ) ∗ ] x ≥ 2 b where x occur- every- θ bound rences where � [ x := x + y ][ x := x + 1 ] x ≥ 0 ↔ [ x := x + y + 1 ] x ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 5 / 24

  2. Axiom Schema Side Conditions: ODE Solving [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 6 / 24

  3. Axiom Schema Side Conditions: ODE Solving [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ ( t fresh and y ′ ( t ) = θ ) Axiom schema with side conditions: Occurs check: t fresh 1 Solution check: y ( · ) solves the ODE y ′ ( t ) = θ 2 with y ( · ) plugged in for x in term θ Initial value check: y ( · ) solves the symbolic IVP y ( 0 ) = x 3 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 6 / 24

  4. Axiom Schema Side Conditions: ODE Solving [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ ( t fresh and y ′ ( t ) = θ ) Axiom schema with side conditions: Occurs check: t fresh 1 Solution check: y ( · ) solves the ODE y ′ ( t ) = θ 2 with y ( · ) plugged in for x in term θ Initial value check: y ( · ) solves the symbolic IVP y ( 0 ) = x 3 y ( · ) covers all solutions parametrically 4 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 6 / 24

  5. Axiom Schema Side Conditions: ODE Solving [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ ( t fresh and y ′ ( t ) = θ ) Axiom schema with side conditions: Occurs check: t fresh 1 Solution check: y ( · ) solves the ODE y ′ ( t ) = θ 2 with y ( · ) plugged in for x in term θ Initial value check: y ( · ) solves the symbolic IVP y ( 0 ) = x 3 y ( · ) covers all solutions parametrically 4 x ′ cannot occur free in φ 5 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 6 / 24

  6. Axiom Schema Side Conditions: ODE Solving [ ′ ] [ x ′ = θ ] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ ( t fresh and y ′ ( t ) = θ ) Axiom schema with side conditions: Occurs check: t fresh 1 Solution check: y ( · ) solves the ODE y ′ ( t ) = θ 2 with y ( · ) plugged in for x in term θ Initial value check: y ( · ) solves the symbolic IVP y ( 0 ) = x 3 y ( · ) covers all solutions parametrically 4 x ′ cannot occur free in φ 5 Quite nontrivial soundness-critical side condition algorithms . . . André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 6 / 24

  7. What Axioms Want V φ → [ α ] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  8. What Axioms Want V φ → [ α ] φ V p → [ a ] p V predicate symbol p of arity 0 has no bound variable of HP a free “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow) V program constant symbol a could have arbitrary behavior André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  9. What Axioms Want V φ → [ α ] φ V p → [ a ] p [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) V predicate symbol p of arity 0 has no bound variable of HP a free “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow) V program constant symbol a could have arbitrary behavior André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  10. What Axioms Want V φ → [ α ] φ V p → [ a ] p [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) V predicate symbol p of arity 0 has no bound variable of HP a free “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow) [:=] predicate symbol p of arity 1 has different arguments in different places “Formula p ( x ) has explicit permission to depend on x ” [:=] function symbol c of arity 0 takes no arguments V program constant symbol a could have arbitrary behavior André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  11. What Axioms Want [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ V φ → [ α ] φ V p → [ a ] p [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) V predicate symbol p of arity 0 has no bound variable of HP a free “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow) [:=] predicate symbol p of arity 1 has different arguments in different places “Formula p ( x ) has explicit permission to depend on x ” [:=] function symbol c of arity 0 takes no arguments V program constant symbol a could have arbitrary behavior André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  12. What Axioms Want [ ∪ ] [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ x ) V φ → [ α ] φ V p → [ a ] p [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) V predicate symbol p of arity 0 has no bound variable of HP a free “Formula p has no explicit permission to depend on anything” (except implicitly on what doesn’t change in a anyhow) [:=] predicate symbol p of arity 1 has different arguments in different places “Formula p ( x ) has explicit permission to depend on x ” [ ∪ ] predicate symbol p of arity n takes all variables ¯ x as arguments “Formula p (¯ x ) has explicit permission to depend on all variables ¯ x ” [:=] function symbol c of arity 0 takes no arguments V program constant symbol a could have arbitrary behavior André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  13. Outline Learning Objectives 1 Axioms Versus Axiom Schemata 2 Differential Dynamic Logic with Interpretations 3 Syntax Semantics 4 Uniform Substitution Uniform Substitution Application Uniform Substitution Lemmas 5 Axiomatic Proof Calculus for dL Summary 6 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 7 / 24

  14. Differential Dynamic Logic with Interpretations: Syntax Definition (Hybrid program α ) α , β ::= a | x := θ | ? Q | x ′ = f ( x )& Q | α ∪ β | α ; β | α ∗ Definition (dL Formula φ ) φ , ψ ::= p ( θ 1 ,..., θ k ) | θ ≥ η | ¬ φ | φ ∧ ψ | ∀ x φ | ∃ x φ | [ α ] φ | � α � φ Definition (Term θ ) θ , η ::= f ( θ 1 ,..., θ k ) | x | θ + η | θ · η | ( θ ) ′ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 8 / 24

  15. Differential Dynamic Logic with Interpretations: Syntax Discrete Test Differential Nondet. Seq. Nondet. Assign Equation Compose Repeat Condition Choice Definition (Hybrid program α ) α , β ::= a | x := θ | ? Q | x ′ = f ( x )& Q | α ∪ β | α ; β | α ∗ Definition (dL Formula φ ) φ , ψ ::= p ( θ 1 ,..., θ k ) | θ ≥ η | ¬ φ | φ ∧ ψ | ∀ x φ | ∃ x φ | [ α ] φ | � α � φ Definition (Term θ ) θ , η ::= f ( θ 1 ,..., θ k ) | x | θ + η | θ · η | ( θ ) ′ All All Some Some Reals Reals Runs Runs André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 8 / 24

  16. Differential Dynamic Logic with Interpretations: Syntax Program Symbol Definition (Hybrid program α ) α , β ::= a | x := θ | ? Q | x ′ = f ( x )& Q | α ∪ β | α ; β | α ∗ Definition (dL Formula φ ) φ , ψ ::= p ( θ 1 ,..., θ k ) | θ ≥ η | ¬ φ | φ ∧ ψ | ∀ x φ | ∃ x φ | [ α ] φ | � α � φ Definition (Term θ ) θ , η ::= f ( θ 1 ,..., θ k ) | x | θ + η | θ · η | ( θ ) ′ Function Predicate Differential Symbol Symbol André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 8 / 24

  17. Differential Dynamic Logic with Interpretations: Semantics ( [ [ · ] ] : Trm → ( S → R ) ) Definition (Term semantics) I ( f ) : R k → R smooth � � ω [ [ f ( θ 1 ,..., θ k )] ] = I ( f ) ω [ [ θ 1 ] ] ,..., ω [ [ θ k ] ] ω ( x ′ ) ∂ [ [ θ ] ] ] = ∑ [( θ ) ′ ] ω [ ∂ x ( ω ) x ( [ [ · ] ] : Fml → ℘ ( S ) ) Definition (dL semantics) I ( p ) ⊆ R k [ [ p ( θ 1 ,..., θ k )] ] = { ω : ( ω [ [ θ 1 ] ] ,..., ω [ [ θ k ] ]) ∈ I ( p ) } [ [ � α � φ ] ] = [ [ α ] ] ◦ [ [ φ ] ] P valid iff ω ∈ [ [ P ] ] for all states ω of all interpretations I ( [ [ · ] ] : HP → ℘ ( S × S ) ) Definition (Program semantics) [ [ a ] ] = I ( a ) I ( a ) ⊆ S × S [ x ′ = f ( x )& Q ] = x ′ = f ( x ) ∧ Q } [ ] = { ( ϕ ( 0 ) | { x ′ } ∁ , ϕ ( r )) : ϕ | [ [ α ∪ β ] ] = [ [ α ] ] ∪ [ [ β ] ] [ [ α ; β ] ] = [ [ α ] ] ◦ [ [ β ] ] � ∗ = � [ α ∗ ] � [ α n ] [ ] = [ [ α ] ] n ∈ N [ ] André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 9 / 24

  18. Soundness Proofs for Axioms Lemma (V vacuous axiom) V p → [ a ] p Lemma ( [:=] assignment axiom) [:=] [ x := c ] p ( x ) ↔ p ( c ) André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 10 / 24

  19. Soundness Proofs for Axioms Lemma (V vacuous axiom) V p → [ a ] p Proof. Truth of an arity 0 predicate symbol p depends only on interpretation I . I interprets p as true : ω ∈ [ [ p ] ] for all ω , so ω ∈ [ [[ a ] p ] ] especially. 1 I interprets p as false : ω �∈ [ [ p ] ] for all ω , so p → [ a ] p vacuously. 2 Lemma ( [:=] assignment axiom) [:=] [ x := c ] p ( x ) ↔ p ( c ) Proof. p is true of x after assigning the new value c to x ( ω ∈ [ [[ x := c ] p ( x )] ] ) iff p is true of the new value c ( ω ∈ [ [ p ( c )] ] ). André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 10 / 24

  20. Outline Learning Objectives 1 Axioms Versus Axiom Schemata 2 Differential Dynamic Logic with Interpretations 3 Syntax Semantics 4 Uniform Substitution Uniform Substitution Application Uniform Substitution Lemmas 5 Axiomatic Proof Calculus for dL Summary 6 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 10 / 24

  21. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 11 / 24

  22. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 11 / 24

  23. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) function sym. f ( θ ) for any θ by η ( θ ) α program sym. a by [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 11 / 24

  24. Uniform Substitution: First-Order Examples ( ¬¬ p ) ↔ p σ = { p �→ [ x ′ = x 2 ] x ≥ 0 } ( ¬¬ [ x ′ = x 2 ] x ≥ 0 ) ↔ [ x ′ = x 2 ] x ≥ 0 ( ∀ x p ) ↔ p σ = { p �→ x ≥ 0 } ∀ x ( x ≥ 0 ) ↔ x ≥ 0 ( ∀ x p ) ↔ p σ = { p �→ y ≥ 0 } ∀ x ( y ≥ 0 ) ↔ y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 12 / 24

  25. Uniform Substitution: First-Order Examples Correct ( ¬¬ p ) ↔ p σ = { p �→ [ x ′ = x 2 ] x ≥ 0 } ( ¬¬ [ x ′ = x 2 ] x ≥ 0 ) ↔ [ x ′ = x 2 ] x ≥ 0 ( ∀ x p ) ↔ p σ = { p �→ x ≥ 0 } ∀ x ( x ≥ 0 ) ↔ x ≥ 0 ( ∀ x p ) ↔ p σ = { p �→ y ≥ 0 } ∀ x ( y ≥ 0 ) ↔ y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 12 / 24

  26. Uniform Substitution: First-Order Examples Correct ( ¬¬ p ) ↔ p σ = { p �→ [ x ′ = x 2 ] x ≥ 0 } ( ¬¬ [ x ′ = x 2 ] x ≥ 0 ) ↔ [ x ′ = x 2 ] x ≥ 0 FV Clash BV ( ∀ x p ) ↔ p σ = { p �→ x ≥ 0 } ∀ x ( x ≥ 0 ) ↔ x ≥ 0 ( ∀ x p ) ↔ p σ = { p �→ y ≥ 0 } ∀ x ( y ≥ 0 ) ↔ y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 12 / 24

  27. Uniform Substitution: First-Order Examples Correct ( ¬¬ p ) ↔ p σ = { p �→ [ x ′ = x 2 ] x ≥ 0 } ( ¬¬ [ x ′ = x 2 ] x ≥ 0 ) ↔ [ x ′ = x 2 ] x ≥ 0 Clash ( ∀ x p ) ↔ p σ = { p �→ x ≥ 0 } ∀ x ( x ≥ 0 ) ↔ x ≥ 0 Correct ( ∀ x p ) ↔ p σ = { p �→ y ≥ 0 } ∀ x ( y ≥ 0 ) ↔ y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 12 / 24

  28. Uniform Substitution: Argument Examples [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  29. Uniform Substitution: Argument Examples Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  30. Uniform Substitution: Argument Examples Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  31. Uniform Substitution: Argument Examples Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 FV Clash BV [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x [ x [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  32. Uniform Substitution: Argument Examples Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  33. Uniform Substitution: Argument Examples Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ 0 ) } [ x := x 2 − 1 ] x ≥ 0 ↔ x 2 − 1 ≥ 0 Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ x ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ · ) } [ x := x 2 − 1 ] x ≥ x ↔ x 2 − 1 ≥ x 2 − 1 Correct [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x 2 − 1 , p ( · ) �→ ( · ≥ y ) } [ x := x 2 − 1 ] x ≥ y ↔ x 2 − 1 ≥ y André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 13 / 24

  34. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) function sym. f ( θ ) for any θ by η ( θ ) α program sym. a by [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 14 / 24

  35. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) provided FV ( σ | Σ( θ ) ) ∩ BV ( ⊗ ( · )) = / 0 for each operation ⊗ ( θ ) in φ i.e. bound variables U = BV ( ⊗ ( · )) of no operator ⊗ are free in the substitution on its argument θ ( U -admissible) Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) function sym. f ( θ ) for any θ by η ( θ ) α program sym. a by [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 14 / 24

  36. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) provided FV ( σ | Σ( θ ) ) ∩ BV ( ⊗ ( · )) = / 0 for each operation ⊗ ( θ ) in φ i.e. bound variables U = BV ( ⊗ ( · )) of no operator ⊗ are free in the substitution on its argument θ ( U -admissible) If you bind a free variable, you go to logic jail! Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) function sym. f ( θ ) for any θ by η ( θ ) α program sym. a by [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 14 / 24

  37. Uniform Substitution: Recursive Application σ ( x ) = for variable x ∈ V σ ( f ( θ )) = for function symbol f ∈ σ def = σ ( θ + η ) = σ (( θ ) ′ ) = σ ( p ( θ )) ≡ for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  38. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = for function symbol f ∈ σ def = σ ( θ + η ) = σ (( θ ) ′ ) = σ ( p ( θ )) ≡ for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  39. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ (( θ ) ′ ) = σ ( p ( θ )) ≡ for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  40. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = σ ( p ( θ )) ≡ for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  41. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  42. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  43. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  44. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  45. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  46. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  47. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  48. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ x ′ = σ ( θ )& σ ( Q ) if σ { x , x ′ } -admissible for θ , Q σ (? Q ) ≡ σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  49. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ x ′ = σ ( θ )& σ ( Q ) if σ { x , x ′ } -admissible for θ , Q σ (? Q ) ≡ ? σ ( Q ) σ ( α ∪ β ) ≡ σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  50. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ x ′ = σ ( θ )& σ ( Q ) if σ { x , x ′ } -admissible for θ , Q σ (? Q ) ≡ ? σ ( Q ) σ ( α ∪ β ) ≡ σ ( α ) ∪ σ ( β ) σ ( α ; β ) ≡ σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  51. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ x ′ = σ ( θ )& σ ( Q ) if σ { x , x ′ } -admissible for θ , Q σ (? Q ) ≡ ? σ ( Q ) σ ( α ∪ β ) ≡ σ ( α ) ∪ σ ( β ) σ ( α ; β ) ≡ σ ( α ); σ ( β ) if σ BV ( σ ( α )) -admissible for β σ ( α ∗ ) ≡ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  52. Uniform Substitution: Recursive Application σ ( x ) = x for variable x ∈ V σ ( f ( θ )) = ( σ ( f ))( σ ( θ )) for function symbol f ∈ σ def = {· �→ σ ( θ ) } ( σ f ( · )) σ ( θ + η ) = σ ( θ )+ σ ( η ) σ (( θ ) ′ ) = ( σ ( θ )) ′ if σ V -admissible for θ σ ( p ( θ )) ≡ ( σ ( p ))( σ ( θ )) for predicate symbol p ∈ σ σ ( φ ∧ ψ ) ≡ σ ( φ ) ∧ σ ( ψ ) σ ( ∀ x φ ) = ∀ x σ ( φ ) if σ { x } -admissible for φ σ ([ α ] φ ) = [ σ ( α )] σ ( φ ) if σ BV ( σ ( α )) -admissible for φ σ ( a ) ≡ σ a for program symbol a ∈ σ σ ( x := θ ) ≡ x := σ ( θ ) σ ( x ′ = θ & Q ) ≡ x ′ = σ ( θ )& σ ( Q ) if σ { x , x ′ } -admissible for θ , Q σ (? Q ) ≡ ? σ ( Q ) σ ( α ∪ β ) ≡ σ ( α ) ∪ σ ( β ) σ ( α ; β ) ≡ σ ( α ); σ ( β ) if σ BV ( σ ( α )) -admissible for β σ ( α ∗ ) ≡ ( σ ( α )) ∗ if σ BV ( σ ( α )) -admissible for α André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 15 / 24

  53. Uniform Substitution: Examples [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  54. Uniform Substitution: Examples [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  55. Uniform Substitution: Examples FV Clash BV [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  56. Uniform Substitution: Examples Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  57. Uniform Substitution: Examples Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x Correct [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  58. Uniform Substitution: Examples Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x Correct [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } FV Clash BV p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ′ = − 5 ] x ≥ 0 x ≥ 0 → [ p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  59. Uniform Substitution: Examples Clash [ x := c ] p ( x ) ↔ p ( c ) σ = { c �→ x + 1 , p ( · ) �→ ( · � = x ) } [ x := x + 1 ] x � = x ↔ x + 1 � = x Correct [ x := c ] p ( x ) ↔ p ( c ) [ x := x 2 ][( y := x + y ) ∗ ] x ≥ y ↔ [( y := x 2 + y ) ∗ ] x 2 ≥ y σ = { c �→ x 2 , p ( · ) �→ [( y := · + y ) ∗ ]( · ≥ y ) } Clash p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ x ≥ 0 } x ≥ 0 → [ x ′ = − 5 ] x ≥ 0 Correct p → [ a ] p σ = { a �→ x ′ = − 5 , p �→ y ≥ 0 } y ≥ 0 → [ x ′ = − 5 ] y ≥ 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 16 / 24

  60. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) provided FV ( σ | Σ( θ ) ) ∩ BV ( ⊗ ( · )) = / 0 for each operation ⊗ ( θ ) in φ i.e. bound variables U = BV ( ⊗ ( · )) of no operator ⊗ are free in the substitution on its argument θ ( U -admissible) If you bind a free variable, you go to logic jail! Uniform substitution σ replaces all occurrences of p ( θ ) for any θ by ψ ( θ ) function sym. f ( θ ) for any θ by η ( θ ) α program sym. a by [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := v + 1 ∪ x ′ = v ] x > 0 ↔ [ v := v + 1 ] x > 0 ∧ [ x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 17 / 24

  61. Correctness of Uniform Substitutions “Syntactic uniform substitution = semantic replacement” Lemma (Uniform substitution lemma) Uniform substitution σ and its adjoint interpretation σ ∗ ω I to σ for I , ω have the same semantics: ] iff ω ∈ σ ∗ ω ∈ I [ [ σ ( φ )] ω I [ [ φ ] ] φ σ ( φ ) ω ∈ I [ [ σ ( φ )] ] σ I σ ∗ ω I ω ∈ σ ∗ ω I [ [ φ ] ] σ ∗ ω I ( f ) : R → R ; d �→ I d · ω [ [ σ f ( · )] ] σ ∗ ω I ( p ) = { d ∈ R : ω ∈ I d . [ [ σ p ( · )] ] } σ ∗ ω I ( a ) = I [ [ σ a ] ] André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 18 / 24

  62. Uniform Substitution Theorem (Soundness) replace all occurrences of p ( · ) φ US σ ( φ ) provided FV ( σ | Σ( θ ) ) ∩ BV ( ⊗ ( · )) = / 0 for each operation ⊗ ( θ ) in φ Proof. If premise φ valid, i.e. ω ∈ I [ [ φ ] ] in all I , ω ] iff ω ∈ σ ∗ Then conclusion σ ( φ ) valid, because ω ∈ I [ [ σ ( φ )] ω I [ [ φ ] ] André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 19 / 24

  63. Outline Learning Objectives 1 Axioms Versus Axiom Schemata 2 Differential Dynamic Logic with Interpretations 3 Syntax Semantics 4 Uniform Substitution Uniform Substitution Application Uniform Substitution Lemmas 5 Axiomatic Proof Calculus for dL Summary 6 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 19 / 24

  64. Differential Dynamic Logic: Comparison Part I Part IV [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [?] [? χ ] φ ↔ ( χ → φ ) [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ [;] [ α ; β ] φ ↔ [ α ][ β ] φ [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) I [ α ∗ ] φ ↔ φ ∧ [ α ∗ ]( φ → [ α ] φ ) V φ → [ α ] φ [ ′ ] [ x ′ = f ( x )] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 20 / 24

  65. Differential Dynamic Logic: Comparison Part I Part IV [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) [?] [? χ ] φ ↔ ( χ → φ ) [?] [? q ] p ↔ ( q → p ) [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ [ ∪ ] [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [;] [ a ; b ] p (¯ x ) ↔ [ a ][ b ] p (¯ [;] [ α ; β ] φ ↔ [ α ][ β ] φ x ) [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ [ ∗ ] [ a ∗ ] p (¯ x ) ∧ [ a ][ a ∗ ] p (¯ x ) ↔ p (¯ x ) K [ a ]( p (¯ x ) → q (¯ x )) → ([ a ] p (¯ x ) → [ a ] q (¯ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) x )) I [ α ∗ ] φ ↔ φ ∧ [ α ∗ ]( φ → [ α ] φ ) I [ a ∗ ] p (¯ x ) ∧ [ a ∗ ]( p (¯ x ) ↔ p (¯ x ) → [ a ] p (¯ x )) V φ → [ α ] φ V p → [ a ] p [ ′ ] [ x ′ = f ( x )] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 20 / 24

  66. Differential Dynamic Logic: Comparison Infinite axiom schema Axiom = one formula [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) [?] [? χ ] φ ↔ ( χ → φ ) [?] [? q ] p ↔ ( q → p ) Schema Axiom [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ [ ∪ ] [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [;] [ a ; b ] p (¯ x ) ↔ [ a ][ b ] p (¯ [;] [ α ; β ] φ ↔ [ α ][ β ] φ x ) [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ [ ∗ ] [ a ∗ ] p (¯ x ) ∧ [ a ][ a ∗ ] p (¯ x ) ↔ p (¯ x ) K [ a ]( p (¯ x ) → q (¯ x )) → ([ a ] p (¯ x ) → [ a ] q (¯ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) x )) I [ α ∗ ] φ ↔ φ ∧ [ α ∗ ]( φ → [ α ] φ ) I [ a ∗ ] p (¯ x ) ∧ [ a ∗ ]( p (¯ x ) ↔ p (¯ x ) → [ a ] p (¯ x )) Schema Axiom V φ → [ α ] φ V p → [ a ] p [ ′ ] [ x ′ = f ( x )] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 20 / 24

  67. Example Proof [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  68. Example Proof σ = { a �→ ( v := 2 ∪ v := x ) , b �→ x ′ = v , p (¯ x ) �→ x > 0 } [ a ; b ] p (¯ x ) ↔ [ a ][ b ] p (¯ x ) US [( v := 2 ∪ v := x ); x ′ = v ] x > 0 ↔ [( v := 2 ∪ v := x )][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  69. Example Proof x ) �→ [ x ′ = v ] x > 0 } σ = { a �→ v := 2 , b �→ v := x , p (¯ [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) US [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 ↔ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  70. Example Proof σ = { c �→ 2 , p ( · ) �→ [ x ′ = · ] x > 0 } σ = { c �→ x , p ( · ) �→ [ x ′ = · ] x > 0 } [ v := c ] p ( v ) ↔ p ( c ) [ v := c ] p ( v ) ↔ p ( c ) [ v := 2 ][ x ′ = v ] x > 0 ↔ [ x ′ = 2 ] x > 0 [ v := x ][ x ′ = v ] x > 0 ↔ [ x ′ = x ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  71. Example Proof σ = { c �→ 2 , p ( · ) �→ [ x ′ = · ] x > 0 } σ = { c �→ x , p ( · ) �→ [ x ′ = · ] x > 0 } � [ v := c ] p ( v ) ↔ p ( c ) [ v := c ] p ( v ) ↔ p ( c ) [ v := 2 ][ x ′ = v ] x > 0 ↔ [ x ′ = 2 ] x > 0 [ v := x ][ x ′ = v ] x > 0 ↔ [ x ′ = x ] x > 0 [ ′ ] j ( x ) ⊢ [ x ′ = 2 ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  72. Example Proof σ = { c �→ v , p ( · ) �→ · > 0 } v can’t have ODE [ x ′ = c ] p ( x ) ↔ ∀ t ≥ 0 [ x := x + ct ] p ( x ) US [ x ′ = v ] x > 0 ↔ ∀ t ≥ 0 [ x := x + vt ] x > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 [ x := x + 2 t ] x > 0 ∧ [ v := x ] ∀ t ≥ 0 [ x := x + vt ] x > 0 [ ′ ] j ( x ) ⊢ [ x ′ = 2 ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  73. Example Proof σ = { c �→ x , p ( · ) �→ ∀ t ≥ 0 [ x := x +( · ) t ] x > 0 } [ v := c ] p ( v ) ↔ p ( c ) US [ v := x ] ∀ t ≥ 0 [ x := x + vt ] x > 0 ↔ ∀ t ≥ 0 [ x := x + xt ] x > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 [ x := x + xt ] x > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 [ x := x + 2 t ] x > 0 ∧ [ v := x ] ∀ t ≥ 0 [ x := x + vt ] x > 0 [ ′ ] j ( x ) ⊢ [ x ′ = 2 ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  74. Example Proof σ = { c �→ x + xt , p ( · ) �→ · > 0 } [ x := c ] p ( x ) ↔ p ( c ) US [ x := x + xt ] x > 0 ↔ x + xt > 0 j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 x + xt > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 [ x := x + xt ] x > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 [ x := x + 2 t ] x > 0 ∧ [ v := x ] ∀ t ≥ 0 [ x := x + vt ] x > 0 [ ′ ] j ( x ) ⊢ [ x ′ = 2 ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  75. Example Proof j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 x + xt > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 [ x := x + xt ] x > 0 [:=] j ( x ) ⊢ ∀ t ≥ 0 [ x := x + 2 t ] x > 0 ∧ [ v := x ] ∀ t ≥ 0 [ x := x + vt ] x > 0 [ ′ ] j ( x ) ⊢ [ x ′ = 2 ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [:=] j ( x ) ⊢ [ v := 2 ][ x ′ = v ] x > 0 ∧ [ v := x ][ x ′ = v ] x > 0 [ ∪ ] j ( x ) ⊢ [ v := 2 ∪ v := x ][ x ′ = v ] x > 0 [;] j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  76. Example Proof Summarize: j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 x + xt > 0 j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  77. Example Proof Summarize: j ( x ) ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 x + xt > 0 j ( x ) ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 Using σ = { j ( · ) �→ · > 0 } on above derived rule proves: ∗ R x > 0 ⊢ ∀ t ≥ 0 x + 2 t > 0 ∧∀ t ≥ 0 x + xt > 0 USR x > 0 ⊢ [( v := 2 ∪ v := x ); x ′ = v ] x > 0 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  78. Outline Learning Objectives 1 Axioms Versus Axiom Schemata 2 Differential Dynamic Logic with Interpretations 3 Syntax Semantics 4 Uniform Substitution Uniform Substitution Application Uniform Substitution Lemmas 5 Axiomatic Proof Calculus for dL Summary 6 André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 21 / 24

  79. Axiom vs. Axiom Schema: Philosophy Affects Provers � Soundness easier: literal formula, not instantiation mechanism � An axiom is one formula. Axiom schema is a decision algorithm. � Generic formula, not some shape with characterization of exceptions � No schema variable or meta variable algorithms � No matching mechanisms / unification in prover kernel � No side condition subtlety or occurrence pattern checks (per schema) × Need other means of instantiating axioms: uniform substitution (US) � US + renaming: isolate static semantics � US independent from axioms: modular logic vs. prover separation � More flexible by syntactic contextual equivalence × Extra proofs branches since instantiation is explicit proof step André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 22 / 24

  80. Axiom vs. Axiom Schema: Philosophy Affects Provers � Soundness easier: literal formula, not instantiation mechanism � An axiom is one formula. Axiom schema is a decision algorithm. � Generic formula, not some shape with characterization of exceptions � No schema variable or meta variable algorithms � No matching mechanisms / unification in prover kernel � No side condition subtlety or occurrence pattern checks (per schema) × Need other means of instantiating axioms: uniform substitution (US) � US + renaming: isolate static semantics � US independent from axioms: modular logic vs. prover separation � More flexible by syntactic contextual equivalence × Extra proofs branches since instantiation is explicit proof step ∑ Net win for soundness since significantly simpler prover André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 22 / 24

  81. Differential Dynamic Logic: Comparison Part I Part IV [:=] [ x := θ ] φ ( x ) ↔ φ ( θ ) [:=] [ x := c ] p ( x ) ↔ p ( c ) [?] [? χ ] φ ↔ ( χ → φ ) [?] [? q ] p ↔ ( q → p ) [ ∪ ] [ α ∪ β ] φ ↔ [ α ] φ ∧ [ β ] φ [ ∪ ] [ a ∪ b ] p (¯ x ) ↔ [ a ] p (¯ x ) ∧ [ b ] p (¯ x ) [;] [ a ; b ] p (¯ x ) ↔ [ a ][ b ] p (¯ [;] [ α ; β ] φ ↔ [ α ][ β ] φ x ) [ ∗ ] [ α ∗ ] φ ↔ φ ∧ [ α ][ α ∗ ] φ [ ∗ ] [ a ∗ ] p (¯ x ) ∧ [ a ][ a ∗ ] p (¯ x ) ↔ p (¯ x ) K [ a ]( p (¯ x ) → q (¯ x )) → ([ a ] p (¯ x ) → [ a ] q (¯ K [ α ]( φ → ψ ) → ([ α ] φ → [ α ] ψ ) x )) I [ α ∗ ] φ ↔ φ ∧ [ α ∗ ]( φ → [ α ] φ ) I [ a ∗ ] p (¯ x ) ∧ [ a ∗ ]( p (¯ x ) ↔ p (¯ x ) → [ a ] p (¯ x )) V φ → [ α ] φ V p → [ a ] p [ ′ ] [ x ′ = f ( x )] φ ↔ ∀ t ≥ 0 [ x := y ( t )] φ André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 23 / 24

  82. Uniform Substitution for Differential Dynamic Logic differential dynamic logic φ [ α ] φ φ US α dL = DL + HP σ ( φ ) Uniform substitution � axioms not schemata KeYmaera X Modular: Logic � Prover Straightforward to implement Prover microkernel Sound & complete / ODE Fast contextual equivalence André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 24 / 24

  83. Uniform Substitution of Rules and Proofs p (¯ x ) G [ a ] p (¯ x ) André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 25 / 24

  84. Uniform Substitution of Rules and Proofs x 2 ≥ 0 p (¯ x ) G implies [ x := x + 1 ;( x ′ = x ∪ x ′ = − 2 )] x 2 ≥ 0 [ a ] p (¯ x ) (FV ( σ ) = / Theorem (Soundness) 0 ) φ 1 φ n σ ( φ 1 ) σ ( φ n ) ... ... locally sound implies locally sound ψ σ ( ψ ) André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 25 / 24

  85. Uniform Substitution of Rules and Proofs x 2 ≥ 0 p (¯ x ) G implies [ x := x + 1 ;( x ′ = x ∪ x ′ = − 2 )] x 2 ≥ 0 [ a ] p (¯ x ) (FV ( σ ) = / Theorem (Soundness) 0 ) φ 1 φ n σ ( φ 1 ) σ ( φ n ) ... ... locally sound implies locally sound ψ σ ( ψ ) Locally sound The conclusion is valid in any interpretation I in which the premises are. André Platzer (CMU) LFCPS/18: Axioms & Uniform Substitutions LFCPS/18 25 / 24

Recommend

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma

Focusing for d L 15-824 Logical Foundations of Cyber-Physical Systems Fall 2018 Klaas Pruiksma December 10, 2018 1 / 10 Goal Develop a focused version of Differential Dynamic Logic(d L ) [3], with the intent that it serve as a basis for

260 views • 10 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06:

06: Truth & Proof Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/06: Truth & Proof LFCPS/06 1 / 23 Outline Learning Objectives

1.77k views • 145 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09:

09: Reactions & Delays Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/09: Reactions & Delays LFCPS/09 1 / 17 Outline Learning

799 views • 59 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08:

08: Events & Responses Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/08: Events & Responses LFCPS/08 1 / 20 Outline Learning

719 views • 56 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04:

04: Safety & Contracts Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/04: Safety & Contracts LFCPS/04 1 / 16 Outline Learning

1.12k views • 80 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01:

Logical Foundations of Cyber-Physical Systems 01: Cyber-Physical Systems: Overview Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/01: Overview LFCPS/01 1 / 28 Outline CPS:

934 views • 49 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21:

21: Virtual Substitution & Real Arithmetic Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/21: Virtual Substitution & Real

865 views • 84 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13:

13: Differential Invariants & Proof Theory Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/13: Differential Invariants & Proof

1.53k views • 127 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14:

14: Hybrid Systems & Games Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/14: Hybrid Systems & Games LFCPS/14 1 / 24 Outline

1.07k views • 102 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10:

10: Differential Equations & Differential Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/10: Differential Equations &

1.02k views • 86 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20:

20: Virtual Substitution & Real Equations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/20: Virtual Substitution & Real Equations

3.49k views • 114 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17:

17: Game Proofs & Separations Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/17: Game Proofs & Separations LFCPS/17 1 / 25

1.26k views • 96 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02:

02: Differential Equations & Domains Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/02: Differential Equations & Domains LFCPS/02

788 views • 78 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11:

11: Differential Equations & Proofs Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/11: Differential Equations & Proofs LFCPS/11

1.49k views • 111 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07:

07: Control Loops & Invariants Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/07: Control Loops & Invariants LFCPS/07 1 / 16

1.45k views • 118 slides
Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15:

15: Winning Strategies & Regions Logical Foundations of Cyber-Physical Systems Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer Andr Platzer (CMU) LFCPS/15: Winning Strategies & Regions LFCPS/15 1 / 23

1.02k views • 101 slides
Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical

Cyber-Physical Systems Verification with KeYmaera X Andr Platzer Andr Platzer Logical Foundations of Cyber-Physical Systems Andr Platzer (CMU) Cyber-Physical Systems Verification with KeYmaera X LFCS20 1 / 25 Outline

909 views • 76 slides
22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e

22: Axioms & Uniform Substitutions 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA The Secret for Simpler Sound Hybrid Systems

1.99k views • 181 slides
20: Virtual Substitution & Real Equations 15-424: Foundations of Cyber-Physical Systems

20: Virtual Substitution & Real Equations 15-424: Foundations of Cyber-Physical Systems

20: Virtual Substitution & Real Equations 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6

1.48k views • 112 slides
21: Virtual Substitution & Real Arithmetic 15-424: Foundations of Cyber-Physical Systems

21: Virtual Substitution & Real Arithmetic 15-424: Foundations of Cyber-Physical Systems

21: Virtual Substitution & Real Arithmetic 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6

1.05k views • 76 slides
Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical

Micro-Architectural Attacks on Cyber-Physical Systems 07/24/2019 Heechul Yun University of Kansas 1 Modern Cyber-Physical Systems Cyber Physical Systems (CPS) Cyber (Computer) + Physical (Plant) Real-time Control physical

310 views • 29 slides
02: Differential Equations & Domains 15-424: Foundations of Cyber-Physical Systems Andr e

02: Differential Equations & Domains 15-424: Foundations of Cyber-Physical Systems Andr e

02: Differential Equations & Domains 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4

817 views • 52 slides
06: Truth & Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

06: Truth & Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

06: Truth & Proof 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e

642 views • 41 slides
03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer

03: Choice & Control 15-424: Foundations of Cyber-Physical Systems Andr e Platzer aplatzer@cs.cmu.edu Computer Science Department Carnegie Mellon University, Pittsburgh, PA 0.5 0.4 0.3 0.2 1.0 0.1 0.8 0.6 0.4 0.2 Andr e

847 views • 27 slides

More recommend