differential game logicaplatzer/pub/dgl-slides-mod.pdf · outline 1 cps game motivation 2 di...
TRANSCRIPT
Differential Game Logic
Andre Platzer
Summer School Marktoberdorf 2017
0.20.4
0.60.8
1.00.10.20.30.40.5
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 40
Cyber-Physical Systems Analysis: Aircraft Example
Which control decisions are safe for aircraft collision avoidance?
Cyber-Physical Systems
CPSs combine cyber capabilities with physical capabilitiesto solve problems that neither part could solve alone.
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 40
Can you trust a computer to control physics?
1 Depends on how it has been programmed
2 And on what will happen if it malfunctions
Rationale1 Safety guarantees require analytic foundations.
2 A common foundational core helps all application domains.
3 Foundations revolutionized digital computer science & our society.
4 Need even stronger foundations when software reaches out into ourphysical world.
CPSs deserve proofs as safety evidence!
Andre Platzer (CMU) Differential Game Logic MOD’17 3 / 40
Can you trust a computer to control physics?
1 Depends on how it has been programmed
2 And on what will happen if it malfunctions
Rationale1 Safety guarantees require analytic foundations.
2 A common foundational core helps all application domains.
3 Foundations revolutionized digital computer science & our society.
4 Need even stronger foundations when software reaches out into ourphysical world.
CPSs deserve proofs as safety evidence!
Andre Platzer (CMU) Differential Game Logic MOD’17 3 / 40
CPSs are Multi-Dynamical Systems
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
CPS Dynamics
CPS are characterized by multiplefacets of dynamical systems.
CPS Compositions
CPS combines multiplesimple dynamical effects.
Descriptive simplification
Tame Parts
Exploiting compositionalitytames CPS complexity.
Analytic simplificationAndre Platzer (CMU) Differential Game Logic MOD’17 4 / 40
CPS Analysis: Robot Control
Challenge (Hybrid Systems)
Fixed rule describing stateevolution with both
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
2 4 6 8 10t
-0.8
-0.6
-0.4
-0.2
0.2
a
2 4 6 8 10t
0.2
0.4
0.6
0.8
1.0
v
2 4 6 8 10t
2
4
6
8
p
px
py
Andre Platzer (CMU) Differential Game Logic MOD’17 5 / 40
CPS Analysis: Robot Control
Challenge (Hybrid Systems)
Fixed rule describing stateevolution with both
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
2 4 6 8 10t
-0.8
-0.6
-0.4
-0.2
0.2
a
2 4 6 8 10t
-1.0
-0.5
0.5
Ω
2 4 6 8 10t
-0.5
0.5
1.0
d
dx
dy
Andre Platzer (CMU) Differential Game Logic MOD’17 5 / 40
CPS Analysis: Robot Control
Challenge (Games)
Game rules describing playevolution with both
Angelic choices(player Angel)
Demonic choices(player Demon)
0,0
2,1
1,2
3,1
\ Tr Pl
Trash 1,2 0,0Plant 0,0 2,1
8rmbl0skZ7ZpZ0ZpZ060Zpo0ZpZ5o0ZPo0Zp4PZPZPZ0O3Z0Z0ZPZ020O0J0ZPZ1SNAQZBMR
a b c d e f g h
Andre Platzer (CMU) Differential Game Logic MOD’17 6 / 40
CPS Analysis: Robot Control
Challenge (Hybrid Games)
Game rules describing playevolution with
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
Adversarial dynamics(Angel vs. Demon )
2 4 6 8 10t
-0.6
-0.4
-0.2
0.2
0.4
a
2 4 6 8 10t
0.2
0.4
0.6
0.8
1.0
1.2
v
2 4 6 8 10t
1
2
3
4
5
6
7
p
px
py
Andre Platzer (CMU) Differential Game Logic MOD’17 7 / 40
CPS Analysis: Robot Control
Challenge (Hybrid Games)
Game rules describing playevolution with
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
Adversarial dynamics(Angel vs. Demon )
2 4 6 8 10t
-0.6
-0.4
-0.2
0.2
0.4
a
2 4 6 8 10t
-1.0
-0.5
0.5
Ω
2 4 6 8 10t
-0.5
0.5
1.0
d
dx
dy
Andre Platzer (CMU) Differential Game Logic MOD’17 7 / 40
CPS Analysis: RoboCup Soccer
Challenge (Hybrid Games)
Game rules describing playevolution with
Discrete dynamics(control decisions)
Continuous dynamics(differential equations)
Adversarial dynamics(Angel vs. Demon )
2 4 6 8 10t
-0.6
-0.4
-0.2
0.2
0.4
a
2 4 6 8 10t
-1.0
-0.5
0.5
Ω
2 4 6 8 10t
-0.5
0.5
1.0
d
dx
dy
Andre Platzer (CMU) Differential Game Logic MOD’17 8 / 40
CPSs are Multi-Dynamical Systems
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
CPS Dynamics
CPS are characterized by multiplefacets of dynamical systems.
CPS Compositions
CPS combines multiplesimple dynamical effects.
Descriptive simplification
Tame Parts
Exploiting compositionalitytames CPS complexity.
Analytic simplificationAndre Platzer (CMU) Differential Game Logic MOD’17 9 / 40
Dynamic Logics for Dynamical Systems
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
differential dynamic logic
dL = DL + HP[α]φ φ
α
stochastic differential DL
SdL = DL + SHP
〈α〉φφ
differential game logic
dGL = GL + HG
〈α〉φφ
quantified differential DL
QdL = FOL + DL + QHPJAR’08,CADE’11,LMCS’12,LICS’12,LICS’12 TOCL’15,CADE’15,JAR’17,TOCL’17
Andre Platzer (CMU) Differential Game Logic MOD’17 10 / 40
Dynamic Logics for Dynamical Systems
Dynamic Logics
DL has been introduced for programsPratt’76,Harel,Kozen
Its real calling are dynamical systems
DL excels at providing simple+elegantlogical foundations for dynamical systems
CPSs are multi-dynamical systems
DL for CPS are multi-dynamical
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
JAR’08,CADE’11,LMCS’12,LICS’12,LICS’12 TOCL’15,CADE’15,JAR’17,TOCL’17
Andre Platzer (CMU) Differential Game Logic MOD’17 10 / 40
Contributions
Logical foundations for hybrid games
1 Compositional programming language for hybrid games
2 Compositional logic and proof calculus for winning strategy existence
3 Hybrid games determined
4 Winning region computations terminate after ≥ωCK1 iterations
5 Separate truth (∃ winning strategy) vs. proof (winning certificate) vs.proof search (automatic construction)
6 Sound & relatively complete
7 Expressiveness
8 Fragments successful in applications
9 Generalizations in logic enable more applications
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 11 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 11 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Differential Game Logic: Syntax
Definition (Hybrid game α)
x := f (x) | ?Q | x ′ = f (x) | α ∪ β | α;β | α∗ | αd
Definition (dGL Formula P)
p(e1, . . . , en) | e ≥ e | ¬P | P ∧ Q | ∀x P | ∃x P | 〈α〉P | [α]P
DiscreteAssign
TestGame
DifferentialEquation
ChoiceGame
Seq.Game
RepeatGame
AllReals
SomeReals
DualGame
AngelWins
DemonWins“Angel has Wings 〈α〉”
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 12 / 40
Definable
Game Operators
Angel Ops
∪ choice∗ repeatx ′ = f (x) evolve?Q challenge
Demon Ops
∩ choice× repeatx ′ = f (x)d evolve?Qd challenge
d
d
if(Q)α elseβ ≡
(?Q;α) ∪ (?¬Q;β)
while(Q)α ≡
(?Q;α)∗; ?¬Q
α ∩ β ≡
(αd ∪ βd)d
α× ≡
((αd)∗)d
(x ′ = f (x) &Q)d
6≡
x ′ = f (x) &Q
(x := f (x))d
≡
x := f (x)
?Qd
6≡
?Q
Duality operator d passes control between players80Z0Z0s0Z7o0Z0Z0j06Po0o0ZpZ5Z0oPZ0Z040Z0Z0Znl3Z0Z0Z0Z020OPZ0OQZ1Z0Z0Z0ZB
a b c d e f g h
Andre Platzer (CMU) Differential Game Logic MOD’17 13 / 40
Definable
Game Operators
Angel Ops
∪ choice∗ repeatx ′ = f (x) evolve?Q challenge
Demon Ops
∩ choice× repeatx ′ = f (x)d evolve?Qd challenge
d
d
if(Q)α elseβ ≡
(?Q;α) ∪ (?¬Q;β)
while(Q)α ≡
(?Q;α)∗; ?¬Q
α ∩ β ≡
(αd ∪ βd)d
α× ≡
((αd)∗)d
(x ′ = f (x) &Q)d
6≡
x ′ = f (x) &Q
(x := f (x))d
≡
x := f (x)
?Qd
6≡
?Q
Duality operator d passes control between players
80Z0Z0s0Z
7o0Z0Z0j0
6Po0o0ZpZ
5Z0oPZ0Z0
40Z0Z0Znl
3Z0Z0Z0Z0
20OPZ0OQZ
1Z0Z0Z0ZBabcdefgh
Andre Platzer (CMU) Differential Game Logic MOD’17 13 / 40
Definable Game Operators
Angel Ops
∪ choice∗ repeatx ′ = f (x) evolve?Q challenge
Demon Ops
∩ choice× repeatx ′ = f (x)d evolve?Qd challenge
d
d
if(Q)α elseβ ≡
(?Q;α) ∪ (?¬Q;β)
while(Q)α ≡
(?Q;α)∗; ?¬Q
α ∩ β ≡
(αd ∪ βd)d
α× ≡
((αd)∗)d
(x ′ = f (x) &Q)d
6≡
x ′ = f (x) &Q
(x := f (x))d
≡
x := f (x)
?Qd
6≡
?Q
Andre Platzer (CMU) Differential Game Logic MOD’17 13 / 40
Definable Game Operators
Angel Ops
∪ choice∗ repeatx ′ = f (x) evolve?Q challenge
Demon Ops
∩ choice× repeatx ′ = f (x)d evolve?Qd challenge
d
d
if(Q)α elseβ ≡ (?Q;α) ∪ (?¬Q;β)
while(Q)α ≡ (?Q;α)∗; ?¬Qα ∩ β ≡ (αd ∪ βd)d
α× ≡ ((αd)∗)d
(x ′ = f (x) &Q)d 6≡ x ′ = f (x) &Q
(x := f (x))d ≡ x := f (x)
?Qd 6≡ ?Q
Andre Platzer (CMU) Differential Game Logic MOD’17 13 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→[((d := 1 ∪ d :=−1)d ; (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0 ∧ v ≥ 0→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]x ≥ 0⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→[((d := 1 ∪ d :=−1)d ; (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0 ∧ v ≥ 0→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]x ≥ 0⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0 ∧ v ≥ 0→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]x ≥ 0⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0 ∧ v ≥ 0→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0 ∧ v ≥ 0→[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0
∧ v ≥ 0
→⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0
∧ v ≥ 0
→ boring by skip⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
x ≥ 0
∧ v ≥ 0
→
⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
2
x ≥ 0
∧ v ≥ 0
→
counterstrategy d :=−1⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨((d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
2
x ≥ 0
∧ v ≥ 0
→
counterstrategy d :=−1⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0
⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
2
x ≥ 0
∧ v ≥ 0
→
counterstrategy d :=−1⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0
⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
2
x ≥ 0
∧ v ≥ 0
→
counterstrategy d :=−1⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0⟨((d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2);
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: Push-around Cart
xv
d a
v ≥ 1→ d before a can compensate[((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗]v ≥ 0
2
x ≥ 0
∧ v ≥ 0
→
counterstrategy d :=−1⟨((d := 1 ∩ d :=−1); (a := 1 ∪ a :=−1); x ′ = v , v ′ = a + d
)∗⟩x ≥ 0
⟨(
(d := 1 ∩ d :=−1); (a := 2 ∪ a :=−2); x ′ = v , v ′ = a + d)∗⟩
x ≥ 0
⟨(
(d := 2 ∩ d :=−2); (a := 2 ∪ a :=−2); a := d then a := 2 sign v
t := 0; x ′ = v , v ′ = a + d , t ′ = 1 & t ≤ 1)∗⟩
x2 ≥ 100
Andre Platzer (CMU) Differential Game Logic MOD’17 14 / 40
Example: EVE and WALL·E
and the World
(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);
(g := 1 ∪ g :=−1);
t := 0;
(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1
EVE at e plays Angel’s part controlling g
WALL·E at w plays Demon’s part controlling u
EVE assigned environment’s time to WALL·E
Andre Platzer (CMU) Differential Game Logic MOD’17 15 / 40
Example: EVE and WALL·E and the World
(w − e)2 ≤ 1 ∧ v = f →⟨((u := 1 ∩ u :=−1);
(g := 1 ∪ g :=−1);
t := 0;
(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1)d)×⟩(w − e)2 ≤ 1
EVE at e plays Angel’s part controlling g
WALL·E at w plays Demon’s part controlling u
EVE assigned environment’s time to WALL·E
Andre Platzer (CMU) Differential Game Logic MOD’17 15 / 40
Example: WALL·E and EVE
(w − e)2 ≤ 1 ∧ v = f →[((u := 1 ∩ u :=−1);
(g := 1 ∪ g :=−1);
t := 0;
(w ′ = v , v ′ = u, e ′ = f , f ′ = g , t ′ = 1 & t ≤ 1))×](w − e)2 > 1
WALL·E at w plays Demon’s part controlling u
EVE at e plays Angel’s part controlling g
WALL·E assigned environment’s time to EVE
Andre Platzer (CMU) Differential Game Logic MOD’17 16 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 17 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 17 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 17 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α) [[·]] : HG→ (℘(S)→ ℘(S))
ςx :=f (x)(X ) = s ∈ S : s[[f (x)]]sx ∈ X
ςx ′=f (x)(X ) = ϕ(0) ∈ S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ) = [[f (x)]]ϕ(ζ) for all ζ
ς?Q(X ) = [[Q]] ∩ Xςα∪β(X ) = ςα(X ) ∪ ςβ(X )ςα;β(X ) = ςα(ςβ(X ))ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
ςαd (X ) = (ςα(X ))
Definition (dGL Formula P) [[·]] : Fml→ ℘(S)
[[e1 ≥ e2]] = s ∈ S : [[e1]]s ≥ [[e2]]s[[¬P]] = ([[P]])
[[P ∧ Q]] = [[P]] ∩ [[Q]][[〈α〉P]] = ςα([[P]])[[[α]P]] = δα([[P]])
WinningRegion
Andre Platzer (CMU) Differential Game Logic MOD’17 18 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςx :=f (x)(X ) =
s ∈ S : s[[f (x)]]sx ∈ X
X
ςx :=f (x)(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςx :=f (x)(X ) = s ∈ S : s[[f (x)]]sx ∈ X
X
ςx :=f (x)(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςx ′=f (x)(X ) =
ϕ(0) ∈ S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ) = [[f (x)]]ϕ(ζ) for all ζ
Xx′ =
f (x)
ςx ′=f (x)(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςx ′=f (x)(X ) = ϕ(0) ∈ S : ϕ(r) ∈ X , dϕ(t)(x)dt (ζ) = [[f (x)]]ϕ(ζ) for all ζ
Xx′ =
f (x)
ςx ′=f (x)(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ς?Q(X ) =
[[Q]] ∩ X
X
[[Q]]
ς?Q(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ς?Q(X ) = [[Q]] ∩ X
X
[[Q]]
ς?Q(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∪β(X ) =
ςα(X ) ∪ ςβ(X )
ςα (X )
ςβ(X )
X
ςα∪β(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∪β(X ) = ςα(X ) ∪ ςβ(X )
ςα (X )
ςβ(X )
Xςα∪β(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα;β(X ) =
ςα(ςβ(X ))
ςα(ςβ(X )) ςβ(X )
X
ςα;β(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα;β(X ) = ςα(ςβ(X ))
ςα(ςβ(X )) ςβ(X ) X
ςα;β(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · · ς3α(X ) ς2
α(X ) ςα(X )
X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · · ς3α(X ) ς2
α(X )
ςα(X ) X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · · ς3α(X )
ς2α(X ) ςα(X ) X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · ·
ς3α(X ) ς2
α(X ) ςα(X ) X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =
⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · · ς3α(X ) ς2
α(X ) ςα(X ) X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
≥ωCK1 iterations
ςα(ςα∗(X )) \ ςα∗(X )∅
ς∞α (X ) · · · ς3α(X ) ς2
α(X ) ςα(X ) X
ςα∗(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςαd (X ) =
(ςα(X ))
X
X
ςα(X )
ςα(X )
ςαd (X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςαd (X ) =
(ςα(X ))
X
X
ςα(X )
ςα(X )
ςαd (X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςαd (X ) =
(ςα(X ))
X
X
ςα(X )
ςα(X )
ςαd (X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Differential Game Logic: Denotational Semantics
Definition (Hybrid game α: denotational semantics)
ςαd (X ) = (ςα(X ))
X
X
ςα(X )
ςα(X )
ςαd (X )
Andre Platzer (CMU) Differential Game Logic MOD’17 19 / 40
Filibusters
& The Significance of Finitude
〈(x := 0 ∩ x := 1)∗〉x = 0
wfd; false unless x = 0
〈(x := 0; x ′ = 1d)∗〉x = 0
〈(x ′ = 1d ; x := 0)∗〉x = 0
<∞; true
X
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeat
X
stop
Andre Platzer (CMU) Differential Game Logic MOD’17 20 / 40
Filibusters & The Significance of Finitude
〈(x := 0 ∩ x := 1)∗〉x = 0
wfd; false unless x = 0
〈(x := 0; x ′ = 1d)∗〉x = 0
〈(x ′ = 1d ; x := 0)∗〉x = 0
<∞; true
X
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeat
X
stop
Andre Platzer (CMU) Differential Game Logic MOD’17 20 / 40
Filibusters & The Significance of Finitude
〈(x := 0 ∩ x := 1)∗〉x = 0
wfd; false unless x = 0
〈(x := 0; x ′ = 1d)∗〉x = 0
〈(x ′ = 1d ; x := 0)∗〉x = 0
<∞; true
X
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeat
X
stop
Andre Platzer (CMU) Differential Game Logic MOD’17 20 / 40
Filibusters & The Significance of Finitude
〈(x := 0 ∩ x := 1)∗〉x = 0
wfd; false unless x = 0
〈(x := 0; x ′ = 1d)∗〉x = 0
〈(x ′ = 1d ; x := 0)∗〉x = 0
<∞; trueX
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeat
X
stop
Andre Platzer (CMU) Differential Game Logic MOD’17 20 / 40
Filibusters & The Significance of Finitude
〈(x := 0 ∩ x := 1)∗〉x = 0
wfd; false unless x = 0
〈(x := 0; x ′ = 1d)∗〉x = 0
〈(x ′ = 1d ; x := 0)∗〉x = 0
<∞; trueX
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeat
X
stop
Well-defined gamescan’t be postponed forever
Andre Platzer (CMU) Differential Game Logic MOD’17 20 / 40
Consistency & Determinacy
Theorem (Consistency & determinacy)
Hybrid games are consistent and determined, i.e. ¬〈α〉¬φ↔ [α]φ.
Corollary (Determinacy: At least one player wins)
¬〈α〉¬φ→ [α]φ, thus 〈α〉¬φ ∨ [α]φ.
Corollary (Consistency: At most one player wins)
[α]φ→ ¬〈α〉¬φ, thus ¬([α]φ ∧ 〈α〉¬φ)
Proof Sketch.
ςα∪β(X ) = (ςα(X ) ∪ ςβ(X )) = ςα(X ) ∩ ςβ(X ) = δα(X ) ∩ δβ(X ) =δα∪β(X )
Andre Platzer (CMU) Differential Game Logic MOD’17 21 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
= ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · · ς3α(X ) ς2
α(X ) ςα(X ) X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
= ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · · ς3α(X ) ς2
α(X ) ςα(X )
X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
= ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · · ς3α(X ) ς2
α(X )
ςα(X ) X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
= ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · · ς3α(X )
ς2α(X ) ςα(X ) X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z
= ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · ·
ς3α(X ) ς2
α(X ) ςα(X ) X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z = ς∞α (X ) (Knaster-Tarski)
ςα∗(X ) · · · ς3α(X ) ς2
α(X ) ςα(X ) X
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z = ς∞α (X ) (Knaster-Tarski)
Alternative (Advance notice semantics)
ςα∗(X )?=⋃
n<ω ςαn(X ) where αn+1 ≡ αn;α α0 ≡ ?true
11
11
01
01
01
10
10
00
00
repeat
10
stop
repeat
01
stop
10
10
00
00
repeat
10
stop
repeat
11
stop
11
11
01
01
01
10
10
00
00
10
00
00
00
00
00
00
3
11
01
01
10
10
00
00
2
11
01
10
1
11
0 . . .
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z = ς∞α (X ) (Knaster-Tarski)
Alternative (ω semantics)
ςα∗(X )?=⋃
n<ω ςnα(X )
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1)
ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z = ς∞α (X ) (Knaster-Tarski)
Alternative (ω semantics)
ςα∗(X )?=⋃
n<ω ςnα(X )
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1) ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Winning Region Fixpoint Iterations
Definition (Hybrid game α)
ςα∗(X ) =⋂Z ⊆ S : X ∪ ςα(Z ) ⊆ Z = ς∞α (X ) (Knaster-Tarski)
Alternative (ω semantics)
ςα∗(X )?=⋃
n<ω ςnα(X )
ς0α(X )
def= X
ςκ+1α (X )
def= X ∪ ςα(ςκα(X ))
ςλα(X )def=⋃κ<λ
ςκα(X ) λ 6= 0 a limit ordinal
Example
〈(x := 1; x ′ = 1d ∪ x := x − 1)∗〉 (0 ≤ x < 1) ςnα([0, 1)) = [0, n) 6= R
Andre Platzer (CMU) Differential Game Logic MOD’17 22 / 40
Strategic Closure Ordinal ≥ ωCK1
Theorem
Hybrid game closure ordinal ≥ωCK1
0
1
2
3
ω
ω+1
ω+2
ω+3
ω·2
ω·3
ω·2+1
ω·2+2
ω·4
ω²
ω²+1
ω²+2
ω²+ω
ω²+ω·2
ω²·2
ω²·3
ω²·4
ω³
ω³+ω
ω³+ω²
ω·5
4
5
ω+4
ωωω4
ω³·2
ω·2+3
Andre Platzer (CMU) Differential Game Logic MOD’17 23 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 23 / 40
Differential Game Logic: Axiomatization
[·] [α]P ↔
¬〈α〉¬P
〈:=〉 〈x := f (x)〉p(x)↔
p(f (x))
〈′〉 〈x ′ = f (x)〉P ↔
∃t≥0 〈x := y(t)〉P
〈?〉 〈?Q〉P ↔
(Q ∧ P)
〈∪〉 〈α ∪ β〉P ↔
〈α〉P ∨ 〈β〉P
〈;〉 〈α;β〉P ↔
〈α〉〈β〉P
〈∗〉 〈α∗〉P ↔
P ∨ 〈α〉〈α∗〉P
〈d〉 〈αd〉P ↔
¬〈α〉¬P
M
P → Q
〈α〉P → 〈α〉Q
FP
P ∨ 〈α〉Q → Q
〈α∗〉P → Q
MP
P P → Q
Q
∀
p → Q
p → ∀x Q(x 6∈ FV(p))
US
ϕ
ϕψ(·)p(·)
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 24 / 40
Differential Game Logic: Axiomatization
[·] [α]P ↔ ¬〈α〉¬P
〈:=〉 〈x := f (x)〉p(x)↔ p(f (x))
〈′〉 〈x ′ = f (x)〉P ↔ ∃t≥0 〈x := y(t)〉P
〈?〉 〈?Q〉P ↔ (Q ∧ P)
〈∪〉 〈α ∪ β〉P ↔ 〈α〉P ∨ 〈β〉P
〈;〉 〈α;β〉P ↔ 〈α〉〈β〉P
〈∗〉 〈α∗〉P ↔ P ∨ 〈α〉〈α∗〉P
〈d〉 〈αd〉P ↔ ¬〈α〉¬P
MP → Q
〈α〉P → 〈α〉Q
FPP ∨ 〈α〉Q → Q
〈α∗〉P → Q
MPP P → Q
Q
∀p → Q
p → ∀x Q(x 6∈ FV(p))
USϕ
ϕψ(·)p(·)
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 24 / 40
Defining Evolution Domain Constraints x ′0 = 1
x ′ = f (x) &Q
≡ t0 := x0;
x ′ = f (x); ?(Q)
t
~x
Q
tx′ = f (x)
r
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
Defining Evolution Domain Constraints x ′0 = 1
x ′ = f (x) &Q
≡ t0 := x0;
x ′ = f (x); ?(Q)
t
~x
Q
t Qx′ = f (x)
r
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
Defining Evolution Domain Constraints x ′0 = 1
x ′ = f (x) &Q
≡ t0 := x0;
x ′ = f (x); (z := x ; z ′ = −f (z))d ; ?(Q(z))
t
~x
Q
t revert flow,Demon checks Qbackwards
x′ = f (x)
r
z ′ = −f (z)
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
Defining Evolution Domain Constraints x ′0 = 1
x ′ = f (x) &Q
≡ t0 := x0;
x ′ = f (x); (z := x ; z ′ = −f (z))d ; ?(Q(z))
t
~x
Q
t
¬Q
revert flow,Demon checks Qbackwards
x′ = f (x)
r
z ′ = −f (z)
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
Defining Evolution Domain Constraints x ′0 = 1
x ′ = f (x) &Q ≡ t0 := x0; x ′ = f (x); (z := x ; z ′ = −f (z))d ; ?(z0≥t0 → Q(z))
t
~x
Q
t revert flow, time x0;Demon checks Qbackwards
x′ = f (x)
t0 := x0 r
z ′ = −f (z)
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
“There and Back Again” Game
x ′ = f (x) &Q ≡ t0 := x0; x ′ = f (x); (z := x ; z ′ = −f (z))d ; ?(z0≥t0 → Q(z))
t
~x
Q
t revert flow, time x0;Demon checks Qbackwards
x′ = f (x)
t0 := x0 r
z ′ = −f (z)
Lemma
Evolution domains definable by games
Andre Platzer (CMU) Differential Game Logic MOD’17 25 / 40
Example Proof: Dual Filibuster
∗R x = 0 →0 = 0 ∨ 1 = 0〈:=〉x = 0 →〈x := 0〉x = 0 ∨ 〈x := 1〉x = 0〈∪〉 x = 0 →〈x := 0 ∪ x := 1〉x = 0〈d 〉 x = 0 →¬〈x := 0 ∩ x := 1〉¬x = 0[·] x = 0 →[x := 0 ∩ x := 1]x = 0ind x = 0 →[(x := 0 ∩ x := 1)∗]x = 0〈d 〉 x = 0 →〈(x := 0 ∪ x := 1)×〉x = 0
X
X
1
1
10
0
10
repeat
0
stop
repeat
1
stop
0
0
10
repeat
0
stop
repeatX
stop
Andre Platzer (CMU) Differential Game Logic MOD’17 26 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u
(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u
(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u
(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u
(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Example: Goalie in Robot Soccer
x
y , g
(v,+w)
(v ,−w)
+u
−u(x , y) g
(xv
)2(u − w)2 ≤ 1 ∧
x < 0 ∧ v > 0 ∧ y = g
→⟨(w := +w ∩ w :=−w);((u := +u ∪ u :=−u); x ′ = v , y ′ = w , g ′ = u
)∗⟩x2 + (y − g)2 ≤ 1
Andre Platzer (CMU) Differential Game Logic MOD’17 27 / 40
Soundness
Theorem (Soundness)
dGL proof calculus is sound i.e. all provable formulas are valid
Proof.
〈∪〉 [[〈α ∪ β〉P]] = ςα∪β([[P]]) = ςα([[P]]) ∪ ςβ([[P]]) = [[〈α〉P]] ∪ [[〈β〉P]] =[[〈α〉P ∨ 〈β〉P]]
〈∪〉 〈α ∪ β〉P ↔ 〈α〉P ∨ 〈β〉P
〈;〉 [[〈α;β〉P]] = ςα;β([[P]]) = ςα(ςβ([[P]])) = ςα([[〈β〉P]]) = [[〈α〉〈β〉P]]
〈;〉 〈α;β〉P ↔ 〈α〉〈β〉P
[·] is sound by determinacy
[·] [α]P ↔ ¬〈α〉¬P
M Assume the premise P → Q is valid, i.e. [[P]] ⊆ [[Q]].Then the conclusion 〈α〉P → 〈α〉Q is valid, i.e.[[〈α〉P]] = ςα([[P]]) ⊆ ςα([[Q]]) = [[〈α〉Q]] by monotonicity.
MP → Q
〈α〉P → 〈α〉Q
Axiomatics
Syntax Semantics
Andre Platzer (CMU) Differential Game Logic MOD’17 28 / 40
Soundness
Theorem (Soundness)
dGL proof calculus is sound i.e. all provable formulas are valid
Proof.
〈∪〉 [[〈α ∪ β〉P]] = ςα∪β([[P]]) = ςα([[P]]) ∪ ςβ([[P]]) = [[〈α〉P]] ∪ [[〈β〉P]] =[[〈α〉P ∨ 〈β〉P]]
〈∪〉 〈α ∪ β〉P ↔ 〈α〉P ∨ 〈β〉P
〈;〉 [[〈α;β〉P]] = ςα;β([[P]]) = ςα(ςβ([[P]])) = ςα([[〈β〉P]]) = [[〈α〉〈β〉P]]
〈;〉 〈α;β〉P ↔ 〈α〉〈β〉P
[·] is sound by determinacy
[·] [α]P ↔ ¬〈α〉¬P
M Assume the premise P → Q is valid, i.e. [[P]] ⊆ [[Q]].Then the conclusion 〈α〉P → 〈α〉Q is valid, i.e.[[〈α〉P]] = ςα([[P]]) ⊆ ςα([[Q]]) = [[〈α〉Q]] by monotonicity.
MP → Q
〈α〉P → 〈α〉Q
Andre Platzer (CMU) Differential Game Logic MOD’17 28 / 40
Soundness
Theorem (Soundness)
dGL proof calculus is sound i.e. all provable formulas are valid
Proof.
〈∪〉 [[〈α ∪ β〉P]] = ςα∪β([[P]]) = ςα([[P]]) ∪ ςβ([[P]]) = [[〈α〉P]] ∪ [[〈β〉P]] =[[〈α〉P ∨ 〈β〉P]] 〈∪〉 〈α ∪ β〉P ↔ 〈α〉P ∨ 〈β〉P
〈;〉 [[〈α;β〉P]] = ςα;β([[P]]) = ςα(ςβ([[P]])) = ςα([[〈β〉P]]) = [[〈α〉〈β〉P]]〈;〉 〈α;β〉P ↔ 〈α〉〈β〉P
[·] is sound by determinacy [·] [α]P ↔ ¬〈α〉¬PM Assume the premise P → Q is valid, i.e. [[P]] ⊆ [[Q]].
Then the conclusion 〈α〉P → 〈α〉Q is valid, i.e.[[〈α〉P]] = ςα([[P]]) ⊆ ςα([[Q]]) = [[〈α〉Q]] by monotonicity.
MP → Q
〈α〉P → 〈α〉Q
Andre Platzer (CMU) Differential Game Logic MOD’17 28 / 40
Soundness & Completeness
Theorem (Completeness)
dGL calculus is a sound & complete axiomatization of hybrid gamesrelative to any (differentially) expressive logic L.
ϕ iff TautL ` ϕ
TOCL’15Andre Platzer (CMU) Differential Game Logic MOD’17 29 / 40
Soundness & Completeness: Consequences
Corollary (Constructive)
Constructive and Moschovakis-coding-free. (Minimal: x ′ = f (x), ∃, [α∗])
Remark (Coquand & Huet) (Inf.Comput’88)
Modal analogue for 〈α∗〉 of characterizations in Calculus of Constructions
Corollary (Meyer & Halpern) (J.ACM’82)
F → 〈α〉G semidecidable for uninterpreted programs.
Corollary (Schmitt) (Inf.Control.’84)
[α]-free semidecidable for uninterpreted programs.
Corollary
Uninterpreted game logic with even d in 〈α〉 is semidecidable.
Andre Platzer (CMU) Differential Game Logic MOD’17 30 / 40
Soundness & Completeness: Consequences
Corollary
Harel’77 convergence rule unnecessary for hybrid games, hybrid systems,discrete programs.
Corollary (Characterization of hybrid game challenges)
[α∗]G : Succinct invariants discrete Π02
[x ′ = f (x)]G and 〈x ′ = f (x)〉G : Succinct differential (in)variants ∆11
∃x G : Complexity depends on Herbrand disjunctions: discrete Π11
X uninterpreted X reals × ∃x [α∗]G Π11-complete for discrete α
Corollary (Hybrid version of Parikh’s result) (FOCS’83)∗-free dGL complete relative to dL, relative to continuous, or to discreted -free dGL complete relative to dL, relative to continuous, or to discrete
Andre Platzer (CMU) Differential Game Logic MOD’17 31 / 40
Soundness & Completeness: Consequences
Corollary
Harel’77 convergence rule unnecessary for hybrid games, hybrid systems,discrete programs.
Corollary (Characterization of hybrid game challenges)
[α∗]G : Succinct invariants discrete Π02
[x ′ = f (x)]G and 〈x ′ = f (x)〉G : Succinct differential (in)variants ∆11
∃x G : Complexity depends on Herbrand disjunctions: discrete Π11
X uninterpreted X reals × ∃x [α∗]G Π11-complete for discrete α
set is Π0n iff it’s x : ∀y1 ∃y2 ∀y3 . . . yn ϕ(x , y1, . . . , yn) for a decidable ϕ
set is Σ0n iff it’s x : ∃y1 ∀y2 ∃y3 . . . yn ϕ(x , y1, . . . , yn) for a decidable ϕ
set is Π11 iff it’s x : ∀f ∃y ϕ(x , y , f ) for a decidable ϕ and functions f
set is Σ11 iff it’s x : ∃f ∀y ϕ(x , y , f ) for a decidable ϕ and functions f
∆in = Σi
n ∩ Πin
Andre Platzer (CMU) Differential Game Logic MOD’17 31 / 40
Soundness & Completeness: Consequences
Corollary (ODE Completeness) (+LICS’12)
dGL complete relative to ODE for hybrid games with finite-rank Borelwinning regions.
Corollary (Continuous Completeness)
dGL complete relative to LµD, continuous modal µ, over R
Corollary (Discrete Completeness) (+LICS’12)
dGL + Euler axiom complete relative to discrete Lµ over R
Andre Platzer (CMU) Differential Game Logic MOD’17 32 / 40
Soundness & Completeness: Consequences
〈(x := 1; x ′ = 1d︸ ︷︷ ︸β
∪ x := x − 1︸ ︷︷ ︸γ
)
︸ ︷︷ ︸α
∗〉0 ≤ x < 1
Fixpoint style proof technique
∗R ∀x (0≤x<1 ∨ ∀t≥0 p(1 + t) ∨ p(x − 1)→ p(x))→ (true → p(x))
〈:=〉 ∀x (0≤x<1∨〈x := 1〉¬∃t≥0 〈x := x+t〉¬p(x)∨p(x−1)→p(x))→ (true→p(x))
〈′〉 ∀x (0≤x<1 ∨ 〈x := 1〉¬〈x ′ = 1〉¬p(x) ∨ p(x − 1)→ p(x))→ (true → p(x))
〈;〉,〈d〉 ∀x (0≤x<1 ∨ 〈β〉p(x) ∨ 〈γ〉p(x)→ p(x))→ (true → p(x))
〈∪〉 ∀x (0≤x<1 ∨ 〈β ∪ γ〉p(x)→ p(x))→ (true → p(x))
US ∀x (0≤x<1∨〈α〉〈α∗〉0≤x<1→ 〈α∗〉0≤x<1)→ (true → 〈α∗〉0≤x<1)
〈∗〉 true → 〈α∗〉0≤x<1
Andre Platzer (CMU) Differential Game Logic MOD’17 33 / 40
More Axioms
Theorem (Axiomatic separation: hybrid systems vs. hybrid games)
Axiomatic separation is exactly K, I, C, B, V, G. dGL is a subregular,sub-Barcan, monotonic modal logic without loop induction axioms.
K [α](P → Q)→ ([α]P → [α]Q) M[·]P → Q
[α]P → [α]Q←−M 〈α〉(P ∨ Q)→ 〈α〉P ∨ 〈α〉Q M 〈α〉P ∨ 〈α〉Q → 〈α〉(P ∨ Q)
I [α∗](P → [α]P)→ (P → [α∗]P) ∀I (P→[α]P)→ (P→[α∗]P)
B 〈α〉∃x P → ∃x 〈α〉P (x 6∈α)←−B ∃x 〈α〉P → 〈α〉∃x P
GP
[α]PM[·]
P → Q
[α]P → [α]Q
RP1 ∧ P2 → Q
[α]P1 ∧ [α]P2 → [α]QM[·]
P1 ∧ P2 → Q
[α](P1 ∧ P2)→ [α]Q
FA 〈α∗〉P → P ∨ 〈α∗〉(¬P ∧ 〈α〉P)←−[∗] [α∗]P ↔ P ∧ [α∗][α]P
Andre Platzer (CMU) Differential Game Logic MOD’17 34 / 40
More Axioms ???
Theorem (Axiomatic separation: hybrid systems vs. hybrid games)
Axiomatic separation is exactly K, I, C, B, V, G. dGL is a subregular,sub-Barcan, monotonic modal logic without loop induction axioms.
K [α](P → Q)→ ([α]P → [α]Q) M[·]P → Q
[α]P → [α]Q←−M 〈α〉(P ∨ Q)→ 〈α〉P ∨ 〈α〉Q M 〈α〉P ∨ 〈α〉Q → 〈α〉(P ∨ Q)
I [α∗](P → [α]P)→ (P → [α∗]P) ∀I (P→[α]P)→ (P→[α∗]P)
B 〈α〉∃x P → ∃x 〈α〉P (x 6∈α)←−B ∃x 〈α〉P → 〈α〉∃x P
GP
[α]PM[·]
P → Q
[α]P → [α]Q
RP1 ∧ P2 → Q
[α]P1 ∧ [α]P2 → [α]QM[·]
P1 ∧ P2 → Q
[α](P1 ∧ P2)→ [α]Q
FA 〈α∗〉P → P ∨ 〈α∗〉(¬P ∧ 〈α〉P)←−[∗] [α∗]P ↔ P ∧ [α∗][α]P
Andre Platzer (CMU) Differential Game Logic MOD’17 34 / 40
Separating Axioms
Theorem (Axiomatic separation: hybrid systems vs. hybrid games)
Axiomatic separation is exactly K, I, C, B, V, G. dGL is a subregular,sub-Barcan, monotonic modal logic without loop induction axioms.
K [α](P → Q)→ ([α]P → [α]Q) M[·]P → Q
[α]P → [α]Q←−M 〈α〉(P ∨ Q)→ 〈α〉P ∨ 〈α〉Q M 〈α〉P ∨ 〈α〉Q → 〈α〉(P ∨ Q)
I [α∗](P → [α]P)→ (P → [α∗]P) ∀I (P→[α]P)→ (P→[α∗]P)
B 〈α〉∃x P → ∃x 〈α〉P (x 6∈α)←−B ∃x 〈α〉P → 〈α〉∃x P
GP
[α]PM[·]
P → Q
[α]P → [α]Q
RP1 ∧ P2 → Q
[α]P1 ∧ [α]P2 → [α]QM[·]
P1 ∧ P2 → Q
[α](P1 ∧ P2)→ [α]Q
FA 〈α∗〉P → P ∨ 〈α∗〉(¬P ∧ 〈α〉P)←−[∗] [α∗]P ↔ P ∧ [α∗][α]P
Andre Platzer (CMU) Differential Game Logic MOD’17 34 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 34 / 40
Expressiveness
Theorem (Expressive Power: hybrid systems < hybrid games)
dGL for hybrid games strictly more expressive than dL for hybrid games:
dL < dGL
Clue: recursive open game quantifier expressible in dGL but not dL
ay ϕ(x , y)def≡ ∀y0 ∃y1 ∀y2 ∃y3 . . .
∨n<ω
ϕ(x , (|y0, . . . , yn|))
Andre Platzer (CMU) Differential Game Logic MOD’17 35 / 40
Expressiveness
Theorem (Expressive Power: hybrid systems < hybrid games)
dGL for hybrid games strictly more expressive than dL for hybrid games:
dL < dGL
First-orderadm. R
Inductiveadm. R
Clue: recursive open game quantifier expressible in dGL but not dL
ay ϕ(x , y)def≡ ∀y0 ∃y1 ∀y2 ∃y3 . . .
∨n<ω
ϕ(x , (|y0, . . . , yn|))
Andre Platzer (CMU) Differential Game Logic MOD’17 35 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 35 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 36 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 36 / 40
Zeppelin Obstacle Parcours
avoid obstacleschanging windlocal turbulence
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 36 / 40
Zeppelin Obstacle Parcours
c > 0 ∧ ‖x − o‖2 ≥ c2 →[(v := ∗; o := ∗; c := ∗; ?C ;
x ′ = v + py + rz&dy ∈ B&z ∈ B)∗] ‖x − o‖2 ≥ c2
r > p
hopeless
p > ‖v‖ + r
super-powered
‖v‖ + r > p > r
our challenge
X airship at x ∈ R2
X propeller p controlled in any direction y ∈ B, i.e. y21 + y2
2 ≤ 1
× sporadically changing homogeneous wind field v ∈ R2
× sporadically changing obstacle o ∈ R2 of size c subject to C
× continuously local turbulence of magnitude r in any direction z ∈ B
Andre Platzer (CMU) Differential Game Logic MOD’17 37 / 40
Zeppelin Obstacle Parcours
c > 0 ∧ ‖x − o‖2 ≥ c2 →[(v := ∗; o := ∗; c := ∗; ?C ;
x ′ = v + py + rz&dy ∈ B&z ∈ B)∗] ‖x − o‖2 ≥ c2
r > p
hopeless
p > ‖v‖ + r
super-powered
‖v‖ + r > p > r
our challenge
X airship at x ∈ R2
X propeller p controlled in any direction y ∈ B, i.e. y21 + y2
2 ≤ 1
× sporadically changing homogeneous wind field v ∈ R2
× sporadically changing obstacle o ∈ R2 of size c subject to C
× continuously local turbulence of magnitude r in any direction z ∈ B
Andre Platzer (CMU) Differential Game Logic MOD’17 37 / 40
Zeppelin Obstacle Parcours
c > 0 ∧ ‖x − o‖2 ≥ c2 →[(v := ∗; o := ∗; c := ∗; ?C ;
x ′ = v + py + rz&dy ∈ B&z ∈ B)∗] ‖x − o‖2 ≥ c2
× r > p hopeless
p > ‖v‖ + r
super-powered
‖v‖ + r > p > r
our challenge
X airship at x ∈ R2
X propeller p controlled in any direction y ∈ B, i.e. y21 + y2
2 ≤ 1
× sporadically changing homogeneous wind field v ∈ R2
× sporadically changing obstacle o ∈ R2 of size c subject to C
× continuously local turbulence of magnitude r in any direction z ∈ B
Andre Platzer (CMU) Differential Game Logic MOD’17 37 / 40
Zeppelin Obstacle Parcours
c > 0 ∧ ‖x − o‖2 ≥ c2 →[(v := ∗; o := ∗; c := ∗; ?C ;
x ′ = v + py + rz&dy ∈ B&z ∈ B)∗] ‖x − o‖2 ≥ c2
× r > p hopeless
X p > ‖v‖ + r super-powered
‖v‖ + r > p > r
our challenge
X airship at x ∈ R2
X propeller p controlled in any direction y ∈ B, i.e. y21 + y2
2 ≤ 1
× sporadically changing homogeneous wind field v ∈ R2
× sporadically changing obstacle o ∈ R2 of size c subject to C
× continuously local turbulence of magnitude r in any direction z ∈ B
Andre Platzer (CMU) Differential Game Logic MOD’17 37 / 40
Zeppelin Obstacle Parcours
c > 0 ∧ ‖x − o‖2 ≥ c2 →[(v := ∗; o := ∗; c := ∗; ?C ;
x ′ = v + py + rz&dy ∈ B&z ∈ B)∗] ‖x − o‖2 ≥ c2
× r > p hopeless
X p > ‖v‖ + r super-powered
? ‖v‖ + r > p > r our challenge
X airship at x ∈ R2
X propeller p controlled in any direction y ∈ B, i.e. y21 + y2
2 ≤ 1
× sporadically changing homogeneous wind field v ∈ R2
× sporadically changing obstacle o ∈ R2 of size c subject to C
× continuously local turbulence of magnitude r in any direction z ∈ B
Andre Platzer (CMU) Differential Game Logic MOD’17 37 / 40
Differential Game Invariants
Theorem (Differential Game Invariants)
DGI∃y ∈ Y ∀z ∈ Z [x ′:=f (x , y , z)](F )′
F → [x ′ = f (x , y , z)&dy ∈ Y&z ∈ Z ]F
Theorem (Differential Game Refinement)
∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f (x , y , z) = g(x , u, v))
[x ′ = g(x , u, v)&du ∈ U&v ∈ V ]F → [x ′ = f (x , y , z)&dy ∈ Y&z ∈ Z ]F
F¬F
∗
∃y∈I ∀z∈I 0 ≤ 3x2(−1+2y+z)
?? ∃y∈I ∀z∈I [x ′:=−1+2y+z ]0≤3x2x ′
DGI1≤x3 →[x ′ = −1+2y+z&dy ∈ I&z ∈ I ]1≤x3
where y ∈ Idef≡ −1 ≤ y ≤ 1
TOCL’17Andre Platzer (CMU) Differential Game Logic MOD’17 38 / 40
Differential Game Invariants
Theorem (Differential Game Invariants)
DGI∃y ∈ Y ∀z ∈ Z [x ′:=f (x , y , z)](F )′
F → [x ′ = f (x , y , z)&dy ∈ Y&z ∈ Z ]F
Theorem (Differential Game Refinement)
∀u ∈ U ∃y ∈ Y ∀z ∈ Z ∃v ∈ V ∀x (f (x , y , z) = g(x , u, v))
[x ′ = g(x , u, v)&du ∈ U&v ∈ V ]F → [x ′ = f (x , y , z)&dy ∈ Y&z ∈ Z ]F
F¬F
∗∃y∈I ∀z∈I 0 ≤ 3x2(−1+2y+z)
?? ∃y∈I ∀z∈I [x ′:=−1+2y+z ]0≤3x2x ′
DGI1≤x3 →[x ′ = −1+2y+z&dy ∈ I&z ∈ I ]1≤x3
where y ∈ Idef≡ −1 ≤ y ≤ 1 TOCL’17
Andre Platzer (CMU) Differential Game Logic MOD’17 38 / 40
Outline
1 CPS Game Motivation2 Differential Game Logic
SyntaxExample: Push-around CartExample: Robot DanceDifferential Hybrid GamesDenotational SemanticsDeterminacyStrategic Closure Ordinals
3 AxiomatizationAxiomaticsExample: Robot SoccerSoundness and CompletenessSeparating Axioms
4 Expressiveness5 Differential Hybrid Games6 Summary
Andre Platzer (CMU) Differential Game Logic MOD’17 38 / 40
Future Work
Several extensions . . .
1 Draws
2 Cooperative games with coalitions
3 Rewards
4 Payoffs other than ±1
. . . are all expressible already. Direct syntactic support?
1 Compositional concurrent hybrid games
2 Imperfect information hybrid games
3 Constructive dGL to retain winning strategies as proof terms
Andre Platzer (CMU) Differential Game Logic MOD’17 39 / 40
Differential Game Logic
differential game logic
dGL = GL + HG = dL+ d〈α〉φ
φ
Logic for hybrid games
Compositional PL + logic
Discrete + continuous + adversarial
Winning region iteration ≥ωCK1
Sound & rel. complete axiomatization
Hybrid games > hybrid systemsd radical challenge yet smooth extension
Stochastic ≈ adversarial
dis
cre
te contin
uo
us
nondet
sto
chastic
advers
arial
Andre Platzer (CMU) Differential Game Logic MOD’17 40 / 40
LogicalFoundations
ofCyber-Physical
Systems
Logic
TheoremProving
ProofTheory
ModalLogic Model
Checking
Algebra
ComputerAlgebra
RAlgebraicGeometry
DifferentialAlgebra
LieAlgebra
Analysis
DifferentialEquations
CarathedorySolutions
ViscosityPDE
Solutions
DynamicalSystems
Stochastics Doob’sSuper-
martingales
Dynkin’sInfinitesimalGenerators
DifferentialGenerators
StochasticDifferentialEquations
Numerics
HermiteInterpolation
WeierstraßApprox-imation
ErrorAnalysis
NumericalIntegration
Algorithms
DecisionProcedures
ProofSearch
Procedures
Fixpoints& Lattices
ClosureOrdinals
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Andre Platzer.Differential game logic.ACM Trans. Comput. Log., 17(1):1:1–1:51, 2015.doi:10.1145/2817824.
Andre Platzer.Differential hybrid games.ACM Trans. Comput. Log., 18(3):19:1–19:44, 2017.doi:10.1145/3091123.
Andre Platzer.Logics of dynamical systems.In LICS [13], pages 13–24.doi:10.1109/LICS.2012.13.
Andre Platzer.Logic & proofs for cyber-physical systems.In Nicola Olivetti and Ashish Tiwari, editors, IJCAR, volume 9706 ofLNCS, pages 15–21. Springer, 2016.doi:10.1007/978-3-319-40229-1_3.
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Andre Platzer.Differential dynamic logic for hybrid systems.J. Autom. Reas., 41(2):143–189, 2008.doi:10.1007/s10817-008-9103-8.
Andre Platzer.A complete uniform substitution calculus for differential dynamic logic.
J. Autom. Reas., 59(2):219–265, 2017.doi:10.1007/s10817-016-9385-1.
Andre Platzer.The complete proof theory of hybrid systems.In LICS [13], pages 541–550.doi:10.1109/LICS.2012.64.
Andre Platzer.A complete axiomatization of quantified differential dynamic logic fordistributed hybrid systems.Log. Meth. Comput. Sci., 8(4):1–44, 2012.
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Special issue for selected papers from CSL’10.doi:10.2168/LMCS-8(4:17)2012.
Andre Platzer.Stochastic differential dynamic logic for stochastic hybrid programs.In Nikolaj Bjørner and Viorica Sofronie-Stokkermans, editors, CADE,volume 6803 of LNCS, pages 431–445. Springer, 2011.doi:10.1007/978-3-642-22438-6_34.
Andre Platzer.A uniform substitution calculus for differential dynamic logic.In Amy Felty and Aart Middeldorp, editors, CADE, volume 9195 ofLNCS, pages 467–481. Springer, 2015.doi:10.1007/978-3-319-21401-6_32.
Andre Platzer.Logical Foundations of Cyber-Physical Systems.Springer, Switzerland, 2017.URL: http://www.springer.com/978-3-319-63587-3.
Andre Platzer.
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Logical Analysis of Hybrid Systems: Proving Theorems for ComplexDynamics.Springer, Heidelberg, 2010.doi:10.1007/978-3-642-14509-4.
Proceedings of the 27th Annual ACM/IEEE Symposium on Logic inComputer Science, LICS 2012, Dubrovnik, Croatia, June 25–28, 2012.IEEE, 2012.
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Outline
7 Operational Semantics
Andre Platzer (CMU) Differential Game Logic MOD’17 1 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
)
s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
)
s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
) s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
) s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
αlef
t
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
) s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
) s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
opα
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2
Differential Game Logic: Operational Semantics
Definition (Hybrid game α: operational semantics)
s
x := f (x)
s[[f (x)]]sx
x:=
f(x
) s
x ′ = f (x) &Q
ϕ(r)
r
ϕ(t)
t
ϕ(0)
0
s
?Q
s
?Q s |= Q
s
α ∪ β
s
tκ
β
tj
β
t1
β
right
s
sλ
α
si
α
s1
α
left
s
α;β
tλ
rλ1λ
β
r jλ
β
r1λ
β
α
ti
rλii
β
r1i
β
α
t1
rλ11
β
r j1
β
r11
β
α
s
α∗
s
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
α
repeatstop
α
...
α
...
α
repeatst
op
α
...
α
...
α
repeatst
op
αrepeatst
op
α
repeat
s
stop
s
α
t0
tκtjt1
s0
sλsis1
sαd
t0
tκtjt1
s0
sλsis1
d
Andre Platzer (CMU) Differential Game Logic MOD’17 2 / 2