1 Introduction

After a number of false starts on substitution [11, 12, 22], even by prominent logicians, did Church’s uniform substitution [5] [§35,40] provide a mechanism for substituting function and predicate symbols with terms and formulas in first-order logic. Given a mechanism for applying a uniform substitution $$\sigma$$ to formulas $$\phi$$ with result denoted uniform substitutions are used with Church’s proof rule:

Contrary to casual belief, quite some care is needed in the substitution process, even of only function symbols [23], in order to prevent replacing functions with terms that denote incompatible values in different places depending on which variables are being used in the replacements and in which formula contexts. Due to their subtleties, there have even been passionate calls for banishing substitutions [10] and using more schemata. This paper moves in the opposite direction, making substitutions even more subtle, but also faster and, nevertheless, sound.

The biggest theoretical advantage of uniform substitutions is that they make instantiation explicit, so that proof calculi can use axioms (concrete object-level formulas) instead of axiom schemata (meta-level concepts standing for infinitely many formulas). Their biggest practical advantage is that this avoidance of schemata enables parsimonious theorem prover implementations that only consist of copies of concrete formulas as axioms together with one algorithm implementing the application of uniform substitutions (plus renaming). Similar advantages exist for concrete axiomatic proof rules instead of rule schemata [16]. This design obviates the need for algorithms that recognize all of the infinitely many instances of schemata and check all of their (sometimes pretty subtle) side conditions to soundly reject improper reasoning. These practical advantages have first been demonstrated for hybrid systems [8] and for hybrid games [18] proving, where uniform substitution led to significant reductions in soundness-critical size (down from 66000 to 1700 lines of code) or implementation time (down from months to minutes) compared to conventional prover implementations.

These uses of the uniform substitution principle required generalizations from first-order logic [5] to differential dynamic logic for hybrid systems [16] and differential game logic for hybrid games [18], including substitutions of programs or games, respectively. The presence of variables whose values change imperatively over time, and of differential equations that cause intrinsic links of variables x and their time-derivatives , significantly complicate affairs compared to the simplicity of first-order logic [5, 23] and $$\lambda$$-calculus [4]. Pure $$\lambda$$-calculus has a single binder and rests on the three pillars of $$\alpha$$-conversions (for bound variables), $$\beta$$-reductions (by capture-avoiding substitutions), and $$\eta$$-conversions (versus free variables), which provide an elegant, deep, but solid foundation for functional programs (with similar observations for first-order logic). Despite significant additional challenges,Footnote 1 just two elementary operations, nevertheless, suffice as a foundation for imperative programs and even hybrid games: bound renaming and uniform substitution (based on suitably generalized notions of free and bound variables). Uniform substitutions generalize elegantly and in highly modular ways [16, 18]. Much of the conceptual simplicity in the correctness arguments in these cases, however, came from the fact that Church-style uniform substitutions are applied by checking at each operator admissibility, i.e., that no free variable be introduced into a context in which it is bound. Such checks simplify correctness proofs, because they check each admissibility condition at every operator where they are necessary for soundness. The resulting substitution mechanism is elegant but computationally suboptimal, because it repeatedly checks admissibility recursively again and again at every operator. For example, applying a uniform substitution $$\sigma$$ checks at every sequential composition $$\alpha ;\beta$$ again that the entire substitution $$\sigma$$ is admissible for the remainder $$\beta$$ compared to the bound variables of the result of having applied $$\sigma$$ to $$\alpha$$:

(1)

where $$\sigma$$ is U-admissible for $$\beta$$ iff the free variables of the replacements for the part of $$\sigma$$ having function/predicate symbols that occur in $$\beta$$ do not intersect U, which, here, are the bound variables computed from the result of applying the substitution $$\sigma$$ to $$\alpha$$ [18]. This mechanism is sound [16, 18], even verified sound for hybrid systems in Isabelle/HOL and Coq [2], but computationally redundant due to its repeated substitution application and admissibility computations.

The point of this paper is to introduce a more liberal form of uniform substitution that substitutes at one fell swoop, forgoing admissibility checks during the operators where they would be needed with a monadic computation of taboo sets to make up for that negligence by checking cumulative admissibility conditions locally only once at each replacement that the uniform substitution application performs. This one-pass uniform substitution is computationally attractive, because it operates linearly in the output, which matters because uniform substitution is the dominant logical inference in uniform substitution provers [8]. The biggest challenge is, precisely, that correctness of substitution can no longer be justified for all operators where it is needed (because admissibility is no longer recursively checked at every operator). The most important technical insight of this paper is that modularity of correctness arguments can be recovered, regardless, using a neighborhood semantics for taboos. Another value of this paper is its straightforward completeness proof based on [15, 16]. Overall, the findings of this paper make it possible to verify hybrid games (and systems) with faster small soundness-critical prover cores than before [18, 21], which, owing to their challenges, are the only two verification tools for hybrid games. Uniform substitutions extend to differential games [6, 7], where soundness is challenging [13], leading to the first basis for a small prover core for differential hybrid games [17]. The accelerated proving primitives are of interest for other dynamic logics [1, 9]. All proofs are in [20] and those till Theorem 19 were then formalized [19].

2 Preliminaries: Differential Game Logic

This section recalls the basics of differential game logic [15, 18], the logic for specifying and verifying hybrid games of two players with differential equations.

2.1 Syntax

The set of all variables is $$\mathbf {V}$$, including for each variable x a differential variable (e.g., for an ODE for x). Higher-order differential variables etc. are not used in this paper, so a finite set $$\mathbf {V}$$ suffices. The terms $$\theta$$ of (differential-form) are polynomial terms with real-valued function symbols and differential terms that are used to reduce reasoning about differential equations to reasoning about equations of differentials [16]. Hybrid games $$\alpha$$ describe the permitted discrete and continuous actions by player Angel and player Demon. Besides the operators of first-order logic of real arithmetic, formulas $$\phi$$ can be built using , which expresses that Angel has a winning strategy in the hybrid game $$\alpha$$ to reach the region satisfying formula $$\phi$$. Likewise, expresses that Demon has a winning strategy in the hybrid game $$\alpha$$ to reach the region satisfying $$\phi$$.

Definition 1

(Terms). Terms are defined by the following grammar (with $$\theta$$, $$\eta$$, $$\theta _1$$, $$\dots$$, $$\theta _k$$ as terms, $$x\in \mathbf {V}$$ as variable, and f as function symbol of arity k):

Definition 2

(dGL formulas). The formulas of differential game logic are defined by the following grammar (with $$\phi ,\psi$$ as formulas, p as predicate symbol of arity k, $$\theta ,\eta ,\theta _i$$ as terms, x as variable, and $$\alpha$$ as hybrid game):

The usual operators can be derived, e.g., is and similarly for and truth . Existence of Demon’s winning strategy in hybrid game $$\alpha$$ to achieve $$\phi$$ is expressed by the formula , which can be expressed indirectly as , thanks to the hybrid game determinacy theorem [15, Thm. 3.1].

Definition 3

(Hybrid games). The hybrid games of differential game logic are defined by the following grammar (with $$\alpha ,\beta$$ as hybrid games, a as game symbol, x as variable, $$\theta$$ as term, and $$\psi$$ as formula):

The operator precedences make all unary operators, including modalities and quantifiers, bind stronger. Just like the meaning of function and predicate symbols is subject to interpretation, the effect of game symbol a is up to interpretation. In contrast, the assignment game has the specific effect of changing the value of variable x to that of term $$\theta$$. The differential equation game allows Angel to choose how long she wants to follow the (vectorial) differential equation for any real duration within the set of states where evolution domain constraint $$\psi$$ is true. Differential equation games with trivial are just written . The test game challenges Angel to satisfy formula $$\psi$$, for if $$\psi$$ is not true in the present state she loses the game prematurely. The choice game allows Angel to choose if she wants to play game $$\alpha$$ or game $$\beta$$. The sequential game $$\alpha ;\beta$$ will play game $$\beta$$ after game $$\alpha$$ terminates (unless a player prematurely lost the game while playing $$\alpha$$). The repetition game allows Angel to decide, after having played any number of $$\alpha$$ repetitions, whether she wants to play another round (but she cannot play forever). Finally, the dual game will have both players switch sides: every choice that Angel had in $$\alpha$$ will go to Demon in , and vice versa, while every condition that Angel needs to meet in $$\alpha$$ will be Demon’s responsibility in , and vice versa.

Substitutions are fundamental but subtle. For example, a substitution $$\sigma$$ that has the effect of replacing f(x) with $$x^2$$ and a(x) with is unsound for the following formula while a substitution that replaces a(x) with would be fine:

The introduction of a new variable z by the substitution $$\sigma$$ is acceptable, but, even if y was already present previously, its introduction by $$\sigma$$ makes the inference unsound (e.g., when $$x=y=1/z=1/2$$), because this equates a system with a solution that is exponential in y with a hyperbolic solution of more limited duration, even if both solutions are already hyperbolic of limited time from x. By contrast, the use of the previously present variable x to form is fine. The difference is that, unlike z, variable y has a differential equation that changes the value of y and, while x also does, f(x) and a(x) may explicitly depend on x. It is crucial to distinguish correct and incorrect substitutions in all cases.

2.2 Semantics

A state is a mapping from the set of all variables $$\mathbf {V}$$ to the reals . The state agrees with state except for variable x whose value is in . The set of all states is denoted and the set of all its subsets is denoted .

The semantics of function, predicate, and game symbols is independent from the state. They are interpreted by an interpretation that maps each arity k function symbol f to a k-ary smooth function , each arity k predicate symbol p to a k-ary relation , and each game symbol a to a monotone where are the states from which Angel has a winning strategy to achieve in game a. Differentials have a differential-form semantics [16]: the sum of partial derivatives by all variables $$x\in \mathbf {V}$$ multiplied by the values of their associated differential variable .

Definition 4

(Semantics of terms). The semantics of a term $$\theta$$ in interpretation and state is its value in . It is defined inductively as

1. 1.

for variable $$x\in \mathbf {V}$$

2. 2.

for function symbol f

3. 3.
4. 4.
5. 5.

for the differential of $$\theta$$

The semantics of differential game logic in interpretation defines, for each formula $$\phi$$, the set of all states , in which $$\phi$$ is true. Since hybrid games appear in formulas and vice versa, the semantics of hybrid game $$\alpha$$ in interpretation is defined by simultaneous induction as the set of all states from which Angel has a winning strategy in hybrid game $$\alpha$$ to achieve .

Definition 5

(dGL semantics). The semantics of a formula $$\phi$$ for each interpretation with a corresponding set of states is the subset of states in which $$\phi$$ is true. It is defined inductively as follows

1. 1.
2. 2.
3. 3.

is the complement of

4. 4.
5. 5.
6. 6.

A formula $$\phi$$ is valid in , written , iff it is true in all states, i.e., . Formula $$\phi$$ is valid, written , iff for all interpretations .

Definition 6

(Semantics of hybrid games). The semantics of a hybrid game $$\alpha$$ for each interpretation is a function that, for each set of states as Angel’s winning condition, gives the winning region, i.e., the set of states from which Angel has a winning strategy to achieve X in $$\alpha$$ (whatever strategy Demon chooses). It is defined inductively as follows

1. 1.
2. 2.
3. 3.

on and for some function of some duration satisfying

where iff and on for all $$0{\le }\zeta {\le }r$$ and exists and equals for all $$0{\le }\zeta {\le }r$$ if .

4. 4.
5. 5.
6. 6.
7. 7.

which is a least fixpoint [15]

8. 8.

Along , variables x and enjoy an intrinsic link since they co-evolve.

2.3 Static Semantics

Sound uniform substitutions check free and bound occurrences of variables to prevent unsound replacements of expressions that might have incorrect values in the respective replacement contexts. The whole point of this paper is to skip admissibility checks such as that in (1). Free (and, indirectly, bound) variables will still have to be consulted to tell apart acceptable from unsound occurrences.

Hybrid games even make it challenging to characterize free and bound variables. Both are definable based on whether or not their values affect the existence of winning strategies under variations of the winning conditions [18]. The upward projection increases the winning condition from variables $$V\subseteq \mathbf {V}$$ to all states that are “on V like X”, i.e., similar on V to states in X. The downward projection shrinks the winning condition X, fixing the values of state on variables $$V\subseteq \mathbf {V}$$ to keep just those states of X that agree with on V.

Definition 7

The set extends to the states that agree on $$V\subseteq \mathbf {V}$$ with some state in X (written ). The set selects state on $$V\subseteq \mathbf {V}$$ in .

Projections make it possible to (semantically!) define free and bound variables of hybrid games by expressing variable dependence and ignorance. Such semantic characterizations increase modularity and are used for the correctness of syntactic analyzes that compute supersets [16, Sect. 2.4]. Variable x is free in hybrid game $$\alpha$$ iff two states that only differ in the value of x differ in membership in the winning region of $$\alpha$$ for some winning condition that does not distinguish values of x. Variable x is bound in hybrid game $$\alpha$$ iff it is in the winning region of $$\alpha$$ for some winning condition X but not for the winning condition that limits the new value of x to stay at its initial value .

Definition 8

(Static semantics). The static semantics defines the free variables, which are all variables that the value of an expression depends on, as well as bound variables, , which can change their value during game $$\alpha$$, as:

Beyond assignments, note complications with ODEs such as (2), where, due to their nature as the solution of a fixpoint condition, the same occurrences of variables are free, because they depend on their initial values, but they are also bound, because their values change along the ODE. All occurrences of x and y but not z on the right-hand side of and occurrences of also after this ODE are bound, since they are affected by this change. Variables xyz but not are free in this ODE. The crucial need for overlap of free and bound variables is most obvious for ODEs, but also arises for loops, e.g., . If x were not classified as free, its initial value could be overwritten incorrectly. If x were not classified as bound, its initial value could be incorrectly copy-propagated across the loop. This also applies to the same occurrence of x in $$x+1$$ and $$-x$$, respectively. If it were not classified as a bound but a free occurrence, it could be incorrectly replaced by a term of the same initial value. If it were not classified as a free but a bound occurrence, it could, e.g., be boundly renamed, incorrectly losing its initial link.Footnote 2

Coincidence lemmas [18] show truth-values of formulas only depend on their free variables (likewise for terms and hybrid games). The bound effect lemma [18] shows only bound variables change their value when playing games. Supersets satisfy the same lemmas, so corresponding syntactic free and bound variable computations can be used correctly and are defined accordingly [16, 18]. Since and are the smallest such sets, no smaller sets can be correct, including, e.g., the usual definitions that classify occurrences mutually exclusively.

Lemma 9

(Coincidence for terms [18]).  is the smallest set with the coincidence property for $$\theta$$: If on , then .

Lemma 10

(Coincidence for formulas [18]).  is the smallest set with the coincidence property for $$\phi$$: If on , then iff .

Lemma 11

(Coincidence for games [18]).  is the smallest set with the coincidence property for $$\alpha$$: If on , then iff ; see Fig. 1(left).

Lemma 12

(Bound effect [18]).  is the smallest set with the bound effect property for $$\alpha$$: iff ; see Fig. 1(right).

The correctness of one-pass uniform substitution will become more transparent after defining when one state is a variation of another on a set of variables. For a set $$U\subseteq \mathbf {V}$$, state is called a U-variation of state iff on complement . Variations satisfy properties of monotonicity and transitivity. If is a U-variation of , then is a V-variation of for all $$V\supseteq U$$. If is a U-variation of and is a V-variation of , then is a $$(U\cup V)$$-variation of . Coincidence lemmas say that the semantics is insensitive to variations of nonfree variables. If is a U-variation of and , then iff .

3 Uniform Substitution

Uniform substitutions for affect terms, formulas, and games [18]. A uniform substitution $$\sigma$$ is a mapping from expressions of the form to terms , from to formulas , and from game symbols $$a$$ to hybrid games . Here is a reserved function symbol of arity 0 marking the position where the argument, e.g., argument $$\theta$$ to in formula $$p(\theta )$$, will end up in the replacement used for $$p(\theta )$$. Vectorial extensions would be accordingly for other arities $$k\ge 0$$.

The key idea behind the new recursive one-pass application of uniform substitutions is that it simply applies $$\sigma$$ by naïve homomorphic recursion without checking any admissibility conditions along the way. But the mechanism makes up for that soundness-defying negligence by passing a cumulative set U of taboo variables along the recursion that are then forbidden from being introduced free by $$\sigma$$ at the respective replacement of function and predicate symbols , respectively. No corresponding condition is required at substitutions of game symbols a, since games already have unlimited access to and effect on the state.

The result $${\sigma }^{U}{\phi }$$ of applying uniform substitution $$\sigma$$ for taboo set $$U\subseteq \mathbf {V}$$ to a formula $$\phi$$ (or term $$\theta$$ or hybrid game $$\alpha$$, respectively) is defined in Fig. 2. For proof rule US, the expression is, then, defined to be without taboos.

The case for in Fig. 2 conjoins the variable x to the taboo set in the homomorphic application of $$\sigma$$ to $$\phi$$, because any newly introduced free uses of x within that scope would refer to a different semantic value than outside that scope. In addition to computing the substituted hybrid game $${\sigma }^{U}_{V}{\alpha }$$, the recursive application of one-pass uniform substitution $$\sigma$$ to hybrid game $$\alpha$$ under taboo set U also performs an analysis that results in a new output taboo set V, written in subscript notation, that will be tabooed after this hybrid game. Superscripts as inputs and subscripts as outputs follows static analysis notation and makes the $$\alpha ;\beta$$ case reminiscent of Einstein’s summation: the output taboos V of $${\sigma }^{U}_{V}{\alpha }$$ become the input taboos V for $${\sigma }^{V}_{W}{\beta }$$, whose output W is that of $${\sigma }^{U}_{W}{(\alpha ;\beta )}$$. Similarly, the output taboos V resulting from the uniform substitute $${\sigma }^{U}_{V}{\alpha }$$ of a hybrid game $$\alpha$$ become taboo during the uniform substitution application forming $${\sigma }^{V}{\phi }$$ in the postcondition of a modality to build .

Repetitions are the only complication in Fig. 2, where taboo U would be too lax during the recursion, because earlier repetitions of $$\alpha$$ bind variables of $$\alpha$$ itself, so only the taboos V obtained after one round are correct input taboos for the loop body. These two passes per loop are linear in the output when considering repetitions as their equivalent of double size.

Unlike in Church-style uniform substitution [5, 16, 18], attention is needed at the replacement sites of function and predicate symbols in order to make up for the neglected admissibility checks during all other operators. The result of applying uniform substitution $$\sigma$$ with taboo U to a predicate application $$p(\theta )$$ is only defined if the replacement for p does not introduce free any tabooed variable, i.e., . Arguments are put in for placeholder recursively by the taboo-free use of uniform substitution , which replaces arity 0 function symbol by . Taboos U are respected when forming (once!) the uniform substitution to be used for argument , but empty taboos $$\emptyset$$ suffice when substituting the resulting for in the replacement for p.

All variables $$\mathbf {V}$$ become taboos during uniform substitutions into differentials , because any newly introduced occurrence of a variable x would cause additional dependencies on its respective associated differential variable .

If the conditions in Fig. 2 are not met, the substitution $$\sigma$$ is said to clash for taboo U and its result is not defined and cannot be used. All subsequent applications of uniform substitutions are required to be defined (no clash).

Whether a substitution clashes is only checked once at each replacement, instead of also once per operator around it as in Church style from Eq. (1). The free variables of each (function and) predicate symbol replacement are best stored with $$\sigma$$ to avoid repeated computation of free variables.

This inference would unsoundly equate linear solutions with exponential ones:

Indeed, clashes so rejects the above inference since the substitute $$-x$$ for f has free variable x that is taboo in the context . By contrast, a sound use of rule US, despite its change in multiple binding contexts with , is:

Uniform substitution accurately distinguishes such sound inferences from unsound ones even if the substitutions take effect deep down within a formula. Uniform substitutions enable other syntactic transformations that require a solid understanding of variable occurrence patterns such as common subexpression elimination, for example, by using the above inference from right to left.

3.1 Taboo Lemmas

The only soundness-critical property of output taboos is that they correctly add bound variables and never forget variables that were already input taboos.

Lemma 13

(Taboo set computation). One-pass uniform substitution application monotonously computes taboos with correct bound variables for games:

Any superset of such taboo computations (or the free variable sets used in Fig. 2) remains correct, just more conservative. The change from input taboo U to output taboo V is a function of the hybrid game $$\alpha$$, justifying the construction of : if $${\sigma }^{U}_{V}{\alpha }$$ and $${\sigma }^{V}_{W}{\alpha }$$ are defined, then $${\sigma }^{V}_{V}{\alpha }$$ is defined and equal to $${\sigma }^{V}_{W}{\alpha }$$. By Lemma 13, no implementation of bound variables is needed when defining game symbols via where with identity substitution . But bound variable computations speed up loops via since can be computed and used correctly in one pass when $$U\cup B=V$$.

3.2 Uniform Substitution Lemmas

Uniform substitutions are syntactic transformations on syntactic expressions. Their semantic counterpart is the semantic transformation that maps an interpretation and a state to the adjoint interpretation that changes the meaning of all symbols according to the syntactic substitution $$\sigma$$. The interpretation agrees with I except that function symbol is interpreted as .

Definition 14

(Substitution adjoints). The adjoint to substitution $$\sigma$$ is the operation that maps to the adjoint interpretation in which the interpretation of each function symbol f, predicate symbol p, and game symbol a are modified according to $$\sigma$$ (it is enough to consider those that $$\sigma$$ changes):

The uniform substitution lemmas below are key to the soundness and equate the syntactic effect that a uniform substitution $$\sigma$$ has on a syntactic expression in with the semantic effect that the switch to the adjoint interpretation has on the original expression. The technical challenge compared to Church-style uniform substitution [16, 18] is that no admissibility conditions are checked at the game operators that need them, because the whole point of one-pass uniform substitution is that it homomorphically recurses in a linear complexity sweep by postponing admissibility checks. All that happens during the substitution is that different taboo sets are passed along. Yet, still, there is a crucial interplay of the particular taboos imposed henceforth at binding operators and the retroactive checking at function and predicate symbol replacement sites.

In order to soundly deal with the negligence in admissibility checking of one-pass uniform substitutions in a modular way, the main insight is that it is imperative to generalize the range of applicability of uniform substitution lemmas beyond the state of original interest where the adjoint was formed, and make them cover all variations of states that are so similar that they might arise during soundness justifications. By demanding more comprehensive care at replacement sites, soundness arguments make up for the temporary lapses in attention during all other operators. This gives the uniform substitution algorithm broader liberties at binding operators, while simultaneously demanding broader compatibility in semantic neighborhoods on its parts. Due to the recursive nature of function substitutions, the proof [20] of the following result is by structural induction lexicographically on the structure of $$\sigma$$ and $$\theta$$, for all .

Lemma 15

(Uniform substitution for terms). The uniform substitution $$\sigma$$ for taboo $$U\subseteq \mathbf {V}$$ and its adjoint interpretation for have the same semantics on U-variations for all terms $$\theta$$:

Recall that all uniform substitutions are only defined when they meet the side conditions from Fig. 2. A mention such as $${\sigma }^{U}{\theta }$$ in Lemma 15 implies that its side conditions during the application of $$\sigma$$ to $$\theta$$ with taboos U are met. Substitutions are antimonotone in taboos: If $${\sigma }^{U}{\theta }$$ is defined, then $${\sigma }^{V}{\theta }$$ is defined and equal to $${\sigma }^{U}{\theta }$$ for all $$V\subseteq U$$ (accordingly for $$\phi ,\alpha$$). The more taboos a use of a substitution tolerates, the more broadly its adjoint generalizes to state variations.

The corresponding results for formulas and games are proved by simultaneous induction since formulas and games are defined by simultaneous induction, as games may occur in formulas and, vice versa. The inductive proof [20] is lexicographic over the structure of $$\sigma$$ and $$\phi$$ or $$\alpha$$, with a nested induction over the closure ordinals of the loop fixpoints, simultaneously for all $$\nu ,\omega ,U,X$$.

Lemma 16

(Uniform substitution for formulas). The uniform substitution $$\sigma$$ for taboo $$U\subseteq \mathbf {V}$$ and its adjoint interpretation for have the same semantics on U-variations for all formulas $$\phi$$:

Lemma 17

(Uniform substitution for games). The uniform substitution $$\sigma$$ for taboo $$U\subseteq \mathbf {V}$$ and its adjoint interpretation for have the same semantics on U-variations for all games $$\alpha$$:

3.3 Soundness

With the uniform substitution lemmas having established the crucial equivalence of syntactic substitution and adjoint interpretation, the soundness of uniform substitution uses in proofs is now immediate. The notation in proof rule US is short for , so the result of applying $$\sigma$$ to $$\phi$$ without taboos (more taboos may still arise during the substitution application), and only defined if is. A proof rule is sound when its conclusion is valid if all its premises are valid.

Theorem 18

(Soundness of uniform substitution). Proof rule US is sound.

Theorem 18 is all it takes to soundly instantiate concrete axioms. Uniform substitutions can instantiate whole inferences [16], which makes it possible to avoid proof rule schemata by instantiating axiomatic proof rules consisting of pairs of concrete formulas. This enables uniformly substituting premises and conclusions of entire proofs of locally sound inferences, i.e., those whose conclusion is valid in any interpretation that all their premises are valid in.

Theorem 19

(Soundness of uniform substitution of rules). All uniform substitution instances for taboo $$\mathbf {V}$$ of locally sound inferences are locally sound:

USR marks the use of Theorem 19 in proofs. If $$n=0$$ (so $$\psi$$ has a proof), USR preserves local soundness for taboo-free $${\sigma }^{\emptyset }{\psi }$$ instead of $${\sigma }^{\mathbf {V}}{\psi }$$, as US proves $${\sigma }^{\emptyset }{\psi }$$ from the provable $$\psi$$ and soundness is equivalent to local soundness for $$n=0$$.

3.4 Completeness

Soundness is the property that every formula with a proof is valid. This is the most important consideration for something as fundamental as a uniform substitution mechanism. But the converse question of completeness, i.e., that every valid formula has a proof, is of interest as well, especially given the fact that one-pass uniform substitutions check differently for soundness during the substitution application, which had better not lose otherwise perfectly valid proofs.

Completeness is proved in an easy modular style based on all the nontrivial findings summarized in schematic relative completeness results, first for schematic [15, Thm. 4.5], and then for a uniform substitution formulation of [16, Thm. 40]. The combination of both schematic completeness results makes it fairly easy to lift completeness to the setting in this paper. The challenge is to show that all instances of axiom schemata that are used for ’s schematic relative completeness result are provable by one-pass uniform substitution.

A formula $$\phi$$ is called surjective iff rule US can instantiate $$\phi$$ to any of its axiom schema instances, i.e., those formulas that are obtained by just replacing game symbols a uniformly by any game, etc. An axiomatic rule is called surjective iff USR of Theorem 19 can instantiate it to any of its proof rule schema instances.

Lemma 20

(Surjective axioms). If $$\phi$$ is a formula that is built only from game symbols but no function or predicate symbols, then $$\phi$$ is surjective. Axiomatic rules consisting of surjective formulas are surjective.

Instead of following previous completeness arguments for uniform substitution [18], this paper presents a pure game-style uniform substitution formulation in Fig. 3 of a axiomatization that makes the overall completeness proof most straightforward. For that purpose, the axiomatization in Fig. 3 uses properties of a game symbol c, which, as a game, can impose arbitrary conditions on the state even for a trivial postcondition (the formula is always true).

All axioms of Fig. 3, except test $$\langle ?\rangle$$, equational assignment $$\langle :=\rangle _{=}$$, and constant solution DS, are surjective by Lemma 20. The US requirement that no substitute of f may depend on x is important for the soundness of DS and $$\langle :=\rangle _{=}$$. Axiom $$\langle ?\rangle$$ is surjective, as it has no bound variables, so generates no taboos and none of its instances clash: . Similarly, rule MP is surjective [16], and the other rules are surjective by Lemma 20. Other differential equation axioms are elided but work as previously [16].

Besides rule US, bound variable renaming (rule BR) is the only schematic principle, mostly for generalizing assignment axiom $$\langle :=\rangle _{=}$$ to other variables.

Lemma 21

(Bound renaming). Rule BR is locally sound, where is the result of uniformly renaming x to y in $$\psi$$ (also to but no etc. or game symbols occur in $$\psi$$, where the rule BR for is accordingly):

Theorem 22

(Relative completeness). The calculus is a sound and complete axiomatization of hybrid games relative to any differentially expressive logic L, i.e., every valid formula is provable in from L tautologies.

This completeness result assumes that no game symbols occur, because uniform renaming otherwise needs to become a syntactic operator. A logic L closed under first-order connectives is differentially expressive (for ) if every formula $$\phi$$ has an equivalent $$\phi ^\flat$$ in L and all differential equation equivalences of the form for G in L are provable in its calculus.

4 Differential Hybrid Games

Uniform substitution generalizes from for hybrid games [15] to for differential hybrid games [17], which add differential games as a new atomic game. A differential game allows Angel to control how long to follow the differential equation (in which variables xyz may occur) while Demon provides a measurable input for y over time satisfying the formula $$y\in Y$$ always and Angel, knowing Demon’s current input, provides a measurable input for z satisfying the formula $$z\in Z$$. All occurrences of yz in are bound, and $$y\in Y$$ and $$z\in Z$$ are formulas in the free variables y or z, respectively. It has been a long-standing challenge to give mathematical meaning [6, 7] and sound reasoning principles [17] for differential games. Both outcomes can simply be adopted here under the usual well-definedness assumptions [17].

Uniform substitution application in Fig. 2 lifts to differential games by adding:

where is . Well-definedness assumptions on differential games [17] need to hold, e.g., only first-order logic formulas denoting compact sets are allowed for controls and the differential equations need to be bounded.

As terms are unaffected by adding differential games to the syntax, Lemma 9 and 15 do not change. The proofs of the coincidence Lemmas 10 and 11 and bound effect Lemma 12 [18] transfer to with differential hybrid games in verbatim thanks to their use of semantically defined free and bound variables, which carry over to differential hybrid games. The proof of Lemma 13 generalizes easily by adding a case for differential games with the above . The uniform substitution Lemmas 16 and 17 inductively generalize to differential hybrid games because of:

Lemma 23

(Uniform substitution for differential games). Let $$U\subseteq \mathbf {V}$$. For all U-variations of :

The proof [20] makes clever use of differential game refinements [17] to avoid the significant complexities and semantic subtleties of differential games.

5 Conclusion

This paper introduced significantly faster uniform substitution mechanisms, the dominant logical inference in axiomatic small core hybrid systems/games provers. It is also first in proving soundness of uniform substitution for differential games.

Implementations exhibit a linear runtime complexity compared to the exponential complexity that direct implementations [8] of prior Church-style uniform substitutions exhibit, except when applying aggressive space/time optimization tradeoffs where that drops down to a quadratic runtime in practice.