Uniform Substitution At One Fell Swoop
André Platzer (CMU), CADE'19

In Shakespeare's 1611 play, "at one fell swoop" was likened to the suddenness with which a bird of prey fiercely attacks a whole nest at once.
Outline
1 Motivation: Parsimonious Hybrid Game Proofs; Foundation for Verification
2 Differential Game Logic: Syntax; Example: Push-around Cart; Denotational Semantics
3 Uniform Substitution: Application; Uniform Substitution Lemma; Uniform Substitution of Rules; Static Semantics; Axioms; Differential Hybrid Games
4 Summary
CPS Analysis: Robot Control Challenge (Hybrid Systems)
Fixed rule describing state evolution with both
- Discrete dynamics (control decisions)
- Continuous dynamics (differential equations)
[Figure: plots of a, v, p_x and p_y against time t]

CPS Analysis: Robot Control Challenge (Games)
Game rules describing play evolution with both
- Angelic choices (player Angel)
- Demonic choices (player Demon)
[Figure: a chess position, and a two-player game tree over the moves Trash/Plant with payoffs (0,0), (2,1), (1,2), (3,1)]

CPS Analysis: Robot Control Challenge (Hybrid Games)
Game rules describing play evolution with
- Discrete dynamics (control decisions)
- Continuous dynamics (differential equations)
- Adversarial dynamics (Angel vs. Demon)
[Figure: plots of a, v, p_x and p_y against time t]

CPS Analysis: RoboCup Soccer Challenge (Hybrid Games)
Game rules describing play evolution with
- Discrete dynamics (control decisions)
- Continuous dynamics (differential equations)
- Adversarial dynamics (Angel vs. Demon)
[Figure: plots of d, Ω, d_x and d_y against time t]
Foundation for Verification

  Foundation for →     | FOL                   | Functional Language   | Imperative Language
  ---------------------+-----------------------+-----------------------+-------------------------
                       | Formula               | Functional program    | Imperative program/game
                       | Predicate calculus    | Function calculus     | Program calculus
                       | α, β, η-conversion    | Subst + rename        | USubst + rename

  Functional                                 Imperative
  α-conversion for bound variables           Uniform substitution replaces
  β-reduction: capture-avoiding subst.       predicate/function/program symbols,
  η-conversion versus free variables         mindful of free/bound variables

Substitution is fundamental but subtle. Henkin wants it banished!
Now: make USubst even more subtle, but faster, and still sound.
Beware: imperative free and bound variables may overlap!
KeYmaera X Microkernel for Soundness
[Figure: bar chart of soundness-critical lines of code + rules, y-axis 0 to 100,000, for KeYmaera X (1,652), KeYmaera, KeY, Nuprl, MetaPRL, Isabelle/Pure, Coq, HOL Light, PHAVer, HSolver, SpaceEx, Cora, Flow*, dReal, HyCreate2; annotations on the chart: "1 700 LOC" and "Games: months ↘ minutes"]
Disclaimer: Self-reported estimates of the soundness-critical lines of code + rules

Experiments
Church checks exponentially (sometimes & in unoptimized implementations)
[Figure: Church vs. One-pass; y-axis 0 to 40000, x-axis 0 to 80]

Church checks quadratically (invasive space-time tradeoff optimizations)
[Figure: Church-opt vs. One-pass with quadratic fits; y-axis 0 to 900, x-axis 0 to 2200]
  Church-opt: y = 0.0002x² − 0.0409x + 10.772
  One-pass:   y = 3.596E-5x² − 0.0107x + 2.4344
Differential Game Logic: Syntax (TOCL '15)

Definition (Hybrid game $\alpha$)
$$\alpha, \beta \;::=\; a \mid x := \theta \mid ?q \mid x' = \theta \mid \alpha \cup \beta \mid \alpha ; \beta \mid \alpha^* \mid \alpha^d$$
Read left to right: game symbol, discrete assignment, test, differential equation, choice game, sequential game, repeat game, dual game.

Definition (dGL Formula $\varphi$)
$$\varphi, \psi \;::=\; p(\theta_1, \ldots, \theta_n) \mid \theta \geq \eta \mid \neg\varphi \mid \varphi \wedge \psi \mid \forall x\, \varphi \mid \exists x\, \varphi \mid \langle \alpha \rangle \varphi \mid [\alpha]\varphi$$
$\forall x\,\varphi$: for all reals; $\exists x\,\varphi$: for some reals; $\langle \alpha \rangle \varphi$: Angel wins; $[\alpha]\varphi$: Demon wins.
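The foundation slide's warning that imperative free and bound variables overlap, and the grammar above, are illustrated by the following added Python example (our own code, not the deck's or KeYmaera X's): a fragment of the dGL syntax as an AST, its free/bound variables, and a one-pass uniform substitution that carries a taboo set of variables bound on the path so far, so that every replacement is checked against that set exactly once instead of re-computing admissibility per occurrence. All names (`Var`, `Func`, `Dot`, `subst`, `Clash`, `plug`, ...) are ours; the replacements for `f(•)` and `p(•)` are assumed quantifier- and game-free so that filling the dot cannot capture variables, and a game symbol without a replacement is rejected because its bound variables would be all variables.

```python
# Added illustration (not from the slides): a dGL fragment, free/bound variables,
# and a one-pass uniform substitution threading a taboo set.  Names are ours.
from collections import namedtuple
from typing import FrozenSet

# Terms θ, programs α and formulas φ (a fragment of the grammar on the slide).
Var, Num, Plus = namedtuple("Var", "name"), namedtuple("Num", "value"), namedtuple("Plus", "left right")
Func, Dot = namedtuple("Func", "name arg"), namedtuple("Dot", [])            # f(θ) and the reserved •
Assign, ODE = namedtuple("Assign", "x term"), namedtuple("ODE", "x term")    # x := θ and x' = θ
Choice, Seq = namedtuple("Choice", "left right"), namedtuple("Seq", "left right")
Repeat, Dual, Game = namedtuple("Repeat", "body"), namedtuple("Dual", "body"), namedtuple("Game", "name")
Geq, Forall = namedtuple("Geq", "left right"), namedtuple("Forall", "x fml")
Diamond, Pred = namedtuple("Diamond", "prog fml"), namedtuple("Pred", "name arg")   # ⟨α⟩φ and p(θ)

def fv(e) -> FrozenSet[str]:
    """Free variables (• never counts).  Over-approximates for games/modalities, which
    only makes the clash check stricter."""
    if isinstance(e, Var):        return frozenset({e.name})
    if isinstance(e, Forall):     return fv(e.fml) - {e.x}
    if isinstance(e, ODE):        return fv(e.term) | {e.x}
    if isinstance(e, Game):       raise ValueError(f"game symbol {e.name}: free variables unknown")
    if isinstance(e, (Num, Dot)): return frozenset()
    return frozenset().union(*(fv(c) for c in e if not isinstance(c, str)))

def bv(a) -> FrozenSet[str]:
    """Bound variables of a program: what it may write."""
    if isinstance(a, Assign): return frozenset({a.x})
    if isinstance(a, ODE):    return frozenset({a.x, a.x + "'"})
    if isinstance(a, Game):   raise ValueError(f"game symbol {a.name}: bound variables unknown")
    return frozenset().union(*(bv(c) for c in a if not isinstance(c, str)))

def plug(r, arg):
    """Fill the reserved • of a (quantifier- and game-free) replacement with arg."""
    if isinstance(r, Dot):        return arg
    if isinstance(r, (Var, Num)): return r
    if isinstance(r, (Plus, Func, Geq, Pred)):
        return type(r)(*(c if isinstance(c, str) else plug(c, arg) for c in r))
    raise ValueError("replacements for f(•)/p(•) must be quantifier- and game-free here")

class Clash(Exception):
    """A replacement reads a variable that is bound (taboo) where the symbol occurs."""

def subst(sigma: dict, e, U: FrozenSet[str] = frozenset()):
    """σ^U e: apply σ in one pass carrying the taboo set U.  Returns (σe, taboo after e)."""
    def checked(sym, U):
        r, clash = sigma[sym], fv(sigma[sym]) & U
        if clash: raise Clash(f"{sym}: {sorted(clash)} free in replacement but bound here")
        return r
    def term(t, U):
        if isinstance(t, Plus): return Plus(term(t.left, U), term(t.right, U))
        if isinstance(t, Func):
            arg = term(t.arg, U)
            return plug(checked(t.name, U), arg) if t.name in sigma else Func(t.name, arg)
        return t                                              # Var, Num, Dot
    def fml(f, U):
        if isinstance(f, Geq):    return Geq(term(f.left, U), term(f.right, U))
        if isinstance(f, Forall): return Forall(f.x, fml(f.fml, U | {f.x}))
        if isinstance(f, Diamond):                            # α may bind variables that φ reads
            a, V = prog(f.prog, U)
            return Diamond(a, fml(f.fml, V))
        arg = term(f.arg, U)                                  # Pred
        return plug(checked(f.name, U), arg) if f.name in sigma else Pred(f.name, arg)
    def prog(a, U):
        if isinstance(a, Assign): return Assign(a.x, term(a.term, U)), U | {a.x}
        if isinstance(a, ODE):                                # x and x' are written while θ is read
            W = U | {a.x, a.x + "'"}
            return ODE(a.x, term(a.term, W)), W
        if isinstance(a, Choice):
            l, Vl = prog(a.left, U); r, Vr = prog(a.right, U)
            return Choice(l, r), Vl | Vr
        if isinstance(a, Seq):                                # β runs after α has bound Vl
            l, Vl = prog(a.left, U); r, Vr = prog(a.right, Vl)
            return Seq(l, r), Vr
        if isinstance(a, Dual):
            b, V = prog(a.body, U); return Dual(b), V
        if isinstance(a, Repeat):                             # the body may run after itself
            _, V = prog(a.body, U)                            # pass 1: learn what the body binds
            b, V = prog(a.body, V)                            # pass 2: with those variables taboo
            return Repeat(b), V
        if a.name not in sigma: raise ValueError(f"game symbol {a.name} needs a replacement")
        r = checked(a.name, U)
        return r, U | bv(r)
    if isinstance(e, (Var, Num, Plus, Func, Dot)): return term(e, U), U
    if isinstance(e, (Geq, Forall, Diamond, Pred)): return fml(e, U), U
    return prog(e, U)

def clashes(sigma, e) -> bool:
    """True iff σ is not admissible for e (some replacement reads a taboo variable)."""
    try:
        subst(sigma, e); return False
    except Clash:
        return True

def demo():
    """⟨a⟩p(x) with p(•) ↦ • + y ≥ 0 is fine if a writes x but clashes if a writes y."""
    p = {"p": Geq(Plus(Dot(), Var("y")), Num(0))}
    phi = Diamond(Game("a"), Pred("p", Var("x")))
    ok = subst({**p, "a": Assign("x", Num(2))}, phi)[0]         # ⟨x := 2⟩ x + y ≥ 0
    return ok, clashes({**p, "a": Assign("y", Num(2))}, phi)    # (…, True)
```

The taboo set grows only at binders (assignment, differential equation, quantifier) and is threaded through sequential composition, so the second operand of `α; β` sees everything `α` wrote; the loop case runs the body twice so that the body is checked with its own binders taboo, as a later iteration may follow an earlier one.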
Example: Push-around Cart
[Figure: a cart at position $x$ with velocity $v$, acceleration $a$ and disturbance $d$]

$$v \geq 1 \rightarrow \big\langle \big( (d := 1 \cup d := -1)^d ;\ (a := 1 \cup a := -1) ;\ \{x' = v,\ v' = a + d\} \big)^* \big\rangle\, v \geq 0$$

With the dual choice written as Demon's choice $\cap$:

$$v \geq 1 \rightarrow \big\langle \big( (d := 1 \cap d := -1) ;\ (a := 1 \cup a := -1) ;\ \{x' = v,\ v' = a + d\} \big)^* \big\rangle\, v \geq 0$$
Annotation on the slide: $d$ before $a$ can compensate.

$$\big\langle \big( (d := 1 \cap d := -1) ;\ (a := 1 \cup a := -1) ;\ t := 0 ;\ \{x' = v,\ v' = a + d,\ t' = 1 \ \&\ t \leq 1\} \big)^* \big\rangle\, x^2 \geq 100$$
Annotation on the slide (Angel's strategy): $a := d$, then $a := \operatorname{sign} v$.
Differential Game Logic: Denotational Semantics

Definition (Hybrid game $\alpha$), $\llbracket \cdot \rrbracket : \mathrm{HG} \to (\wp(S) \to \wp(S))$
$$\llbracket x := \theta \rrbracket(X) = \{\omega \in S : \omega_x^{\omega\llbracket\theta\rrbracket} \in X\}$$
$$\llbracket x' = \theta \rrbracket(X) = \Big\{\phi(0) \in S : \phi(r) \in X \text{ for a solution } \phi : [0, r] \to S \text{ with } \tfrac{d\phi(t)(x)}{dt}(\zeta) = \phi(\zeta)\llbracket\theta\rrbracket \text{ for all } \zeta\Big\}$$
$$\llbracket ?q \rrbracket(X) = \llbracket q \rrbracket \cap X$$
$$\llbracket \alpha \cup \beta \rrbracket(X) = \llbracket \alpha \rrbracket(X) \cup \llbracket \beta \rrbracket(X)$$
$$\llbracket \alpha ; \beta \rrbracket(X) = \llbracket \alpha \rrbracket\big(\llbracket \beta \rrbracket(X)\big)$$
$$\llbracket \alpha^* \rrbracket(X) = \bigcap \{Z \subseteq S : X \cup \llbracket \alpha \rrbracket(Z) \subseteq Z\}$$
$$\llbracket \alpha^d \rrbracket(X) = \big(\llbracket \alpha \rrbracket(X^\complement)\big)^\complement$$

Definition (dGL Formula $\varphi$), $\llbracket \cdot \rrbracket : \mathrm{Fml} \to \wp(S)$
$$\llbracket \theta \geq \eta \rrbracket = \{\omega \in S : \omega\llbracket\theta\rrbracket \geq \omega\llbracket\eta\rrbracket\}$$
$$\llbracket \neg\varphi \rrbracket = (\llbracket \varphi \rrbracket)^\complement$$
$$\llbracket \varphi \wedge \psi \rrbracket = \llbracket \varphi \rrbracket \cap \llbracket \psi \rrbracket$$
$$\llbracket \langle \alpha \rangle \varphi \rrbracket = \llbracket \alpha \rrbracket\big(\llbracket \varphi \rrbracket\big)$$
$$\llbracket [\alpha]\varphi \rrbracket = \big(\llbracket \alpha \rrbracket(\llbracket \varphi \rrbracket^\complement)\big)^\complement$$