Abstract
Uniform substitution of function, predicate, program or game symbols is the core operation in parsimonious provers for hybrid systems and hybrid games. By postponing soundness-critical admissibility checks, this paper introduces a uniform substitution mechanism that proceeds in a linear pass homomorphically along the formula. Soundness is recovered using a simple variable condition at the replacements performed by the substitution. The setting in this paper is that of differential hybrid games, in which discrete, continuous, and adversarial dynamics interact in differential game logic . This paper proves soundness and completeness of one-pass uniform substitutions for .
In Shakespeare’s Macbeth, “at one fell swoop” was likened to the suddenness with which a bird of prey fiercely attacks a whole nest at once. The idiom has since retained only its meaning of suddenly doing all at once, although the connotation of fierceness is also befitting of the ignorance with which one-pass uniform substitution trespasses operator scopes. This research is supported by the Alexander von Humboldt Foundation and by the AFOSR under grant number FA95501610288.
1 Introduction
After a number of false starts on substitution [11, 12, 22], even by prominent logicians, it was Church’s uniform substitution [5, §35, 40] that provided a mechanism for substituting function and predicate symbols with terms and formulas in first-order logic. Given a mechanism for applying a uniform substitution \(\sigma \) to formulas \(\phi \) with result denoted , uniform substitutions are used with Church’s proof rule:
Contrary to casual belief, quite some care is needed in the substitution process, even of only function symbols [23], in order to prevent replacing functions with terms that denote incompatible values in different places depending on which variables are being used in the replacements and in which formula contexts. Due to their subtleties, there have even been passionate calls for banishing substitutions [10] and using more schemata. This paper moves in the opposite direction, making substitutions even more subtle, but also faster and, nevertheless, sound.
The biggest theoretical advantage of uniform substitutions is that they make instantiation explicit, so that proof calculi can use axioms (concrete object-level formulas) instead of axiom schemata (meta-level concepts standing for infinitely many formulas). Their biggest practical advantage is that this avoidance of schemata enables parsimonious theorem prover implementations that only consist of copies of concrete formulas as axioms together with one algorithm implementing the application of uniform substitutions (plus renaming). Similar advantages exist for concrete axiomatic proof rules instead of rule schemata [16]. This design obviates the need for algorithms that recognize all of the infinitely many instances of schemata and check all of their (sometimes pretty subtle) side conditions to soundly reject improper reasoning. These practical advantages have first been demonstrated for hybrid systems [8] and for hybrid games [18] proving, where uniform substitution led to significant reductions in soundness-critical size (down from 66000 to 1700 lines of code) or implementation time (down from months to minutes) compared to conventional prover implementations.
These uses of the uniform substitution principle required generalizations from first-order logic [5] to differential dynamic logic for hybrid systems [16] and differential game logic for hybrid games [18], including substitutions of programs or games, respectively. The presence of variables whose values change imperatively over time, and of differential equations that cause intrinsic links of variables x and their time-derivatives , significantly complicates affairs compared to the simplicity of first-order logic [5, 23] and \(\lambda \)-calculus [4]. Pure \(\lambda \)-calculus has a single binder and rests on the three pillars of \(\alpha \)-conversions (for bound variables), \(\beta \)-reductions (by capture-avoiding substitutions), and \(\eta \)-conversions (versus free variables), which provide an elegant, deep, but solid foundation for functional programs (with similar observations for first-order logic). Despite significant additional challenges,^{Footnote 1} just two elementary operations nevertheless suffice as a foundation for imperative programs and even hybrid games: bound renaming and uniform substitution (based on suitably generalized notions of free and bound variables). Uniform substitutions generalize elegantly and in highly modular ways [16, 18]. Much of the conceptual simplicity in the correctness arguments in these cases, however, came from the fact that Church-style uniform substitutions are applied by checking admissibility at each operator, i.e., that no free variable be introduced into a context in which it is bound. Such checks simplify correctness proofs, because they check each admissibility condition at every operator where they are necessary for soundness. The resulting substitution mechanism is elegant but computationally suboptimal, because it repeatedly checks admissibility recursively again and again at every operator.
For example, applying a uniform substitution \(\sigma \) checks at every sequential composition \(\alpha ;\beta \) again that the entire substitution \(\sigma \) is admissible for the remainder \(\beta \) compared to the bound variables of the result of having applied \(\sigma \) to \(\alpha \):
where \(\sigma \) is U-admissible for \(\beta \) iff the free variables of the replacements for the part of \(\sigma \) having function/predicate symbols that occur in \(\beta \) do not intersect U, which, here, are the bound variables computed from the result of applying the substitution \(\sigma \) to \(\alpha \) [18]. This mechanism is sound [16, 18], even verified sound for hybrid systems in Isabelle/HOL and Coq [2], but computationally redundant due to its repeated substitution application and admissibility computations.
The point of this paper is to introduce a more liberal form of uniform substitution that substitutes at one fell swoop, forgoing admissibility checks during the operators where they would be needed, with a monadic computation of taboo sets to make up for that negligence by checking cumulative admissibility conditions locally only once at each replacement that the uniform substitution application performs. This one-pass uniform substitution is computationally attractive, because it operates linearly in the output, which matters because uniform substitution is the dominant logical inference in uniform substitution provers [8]. The biggest challenge is, precisely, that correctness of substitution can no longer be justified for all operators where it is needed (because admissibility is no longer recursively checked at every operator). The most important technical insight of this paper is that modularity of correctness arguments can be recovered, regardless, using a neighborhood semantics for taboos. Another value of this paper is its straightforward completeness proof based on [15, 16]. Overall, the findings of this paper make it possible to verify hybrid games (and systems) with faster small soundness-critical prover cores than before [18, 21], which, owing to their challenges, are the only two verification tools for hybrid games. Uniform substitutions extend to differential games [6, 7], where soundness is challenging [13], leading to the first basis for a small prover core for differential hybrid games [17]. The accelerated proving primitives are of interest for other dynamic logics [1, 9]. All proofs are in [20] and those up to Theorem 19 were then formalized [19].
2 Preliminaries: Differential Game Logic
This section recalls the basics of differential game logic [15, 18], the logic for specifying and verifying hybrid games of two players with differential equations.
2.1 Syntax
The set of all variables is \(\mathbf {V}\), including for each variable x a differential variable (e.g., for an ODE for x). Higher-order differential variables etc. are not used in this paper, so a finite set \(\mathbf {V}\) suffices. The terms \(\theta \) of (differential-form) are polynomial terms with real-valued function symbols and differential terms that are used to reduce reasoning about differential equations to reasoning about equations of differentials [16]. Hybrid games \(\alpha \) describe the permitted discrete and continuous actions by player Angel and player Demon. Besides the operators of first-order logic of real arithmetic, formulas \(\phi \) can be built using , which expresses that Angel has a winning strategy in the hybrid game \(\alpha \) to reach the region satisfying formula \(\phi \). Likewise, expresses that Demon has a winning strategy in the hybrid game \(\alpha \) to reach the region satisfying \(\phi \).
Definition 1
(Terms). Terms are defined by the following grammar (with \(\theta \), \(\eta \), \(\theta _1\), \(\dots \), \(\theta _k\) as terms, \(x\in \mathbf {V}\) as variable, and f as function symbol of arity k):
Definition 2
(dGL formulas). The formulas of differential game logic are defined by the following grammar (with \(\phi ,\psi \) as formulas, p as predicate symbol of arity k, \(\theta ,\eta ,\theta _i\) as terms, x as variable, and \(\alpha \) as hybrid game):
The usual operators can be derived, e.g., is and similarly for and truth . Existence of Demon’s winning strategy in hybrid game \(\alpha \) to achieve \(\phi \) is expressed by the formula , which can be expressed indirectly as , thanks to the hybrid game determinacy theorem [15, Thm. 3.1].
Definition 3
(Hybrid games). The hybrid games of differential game logic are defined by the following grammar (with \(\alpha ,\beta \) as hybrid games, a as game symbol, x as variable, \(\theta \) as term, and \(\psi \) as formula):
The operator precedences make all unary operators, including modalities and quantifiers, bind stronger. Just like the meaning of function and predicate symbols is subject to interpretation, the effect of game symbol a is up to interpretation. In contrast, the assignment game has the specific effect of changing the value of variable x to that of term \(\theta \). The differential equation game allows Angel to choose how long she wants to follow the (vectorial) differential equation for any real duration within the set of states where evolution domain constraint \(\psi \) is true. Differential equation games with trivial are just written . The test game challenges Angel to satisfy formula \(\psi \), for if \(\psi \) is not true in the present state she loses the game prematurely. The choice game allows Angel to choose if she wants to play game \(\alpha \) or game \(\beta \). The sequential game \(\alpha ;\beta \) will play game \(\beta \) after game \(\alpha \) terminates (unless a player prematurely lost the game while playing \(\alpha \)). The repetition game allows Angel to decide, after having played any number of \(\alpha \) repetitions, whether she wants to play another round (but she cannot play forever). Finally, the dual game will have both players switch sides: every choice that Angel had in \(\alpha \) will go to Demon in , and vice versa, while every condition that Angel needs to meet in \(\alpha \) will be Demon’s responsibility in , and vice versa.
Substitutions are fundamental but subtle. For example, a substitution \(\sigma \) that has the effect of replacing f(x) with \(x^2\) and a(x) with is unsound for the following formula while a substitution that replaces a(x) with would be fine:
The introduction of a new variable z by the substitution \(\sigma \) is acceptable, but, even if y was already present previously, its introduction by \(\sigma \) makes the inference unsound (e.g., when \(x=y=1/z=1/2\)), because this equates a system with a solution that is exponential in y with a hyperbolic solution of more limited duration, even if both solutions are already hyperbolic of limited time from x. By contrast, the use of the previously present variable x to form is fine. The difference is that, unlike z, variable y has a differential equation that changes the value of y and, while x also does, f(x) and a(x) may explicitly depend on x. It is crucial to distinguish correct and incorrect substitutions in all cases.
2.2 Semantics
A state is a mapping from the set of all variables \(\mathbf {V}\) to the reals . The state agrees with state except for variable x whose value is in . The set of all states is denoted and the set of all its subsets is denoted .
The semantics of function, predicate, and game symbols is independent from the state. They are interpreted by an interpretation that maps each arity k function symbol f to a k-ary smooth function , each arity k predicate symbol p to a k-ary relation , and each game symbol a to a monotone where are the states from which Angel has a winning strategy to achieve in game a. Differentials have a differential-form semantics [16]: the sum of partial derivatives by all variables \(x\in \mathbf {V}\) multiplied by the values of their associated differential variable .
Definition 4
(Semantics of terms). The semantics of a term \(\theta \) in interpretation and state is its value in . It is defined inductively as
1. for variable \(x\in \mathbf {V}\)
2. for function symbol f
3.
4.
5. for the differential of \(\theta \)
The semantics of differential game logic in interpretation defines, for each formula \(\phi \), the set of all states , in which \(\phi \) is true. Since hybrid games appear in formulas and vice versa, the semantics of hybrid game \(\alpha \) in interpretation is defined by simultaneous induction as the set of all states from which Angel has a winning strategy in hybrid game \(\alpha \) to achieve .
Definition 5
(dGL semantics). The semantics of a formula \(\phi \) for each interpretation with a corresponding set of states is the subset of states in which \(\phi \) is true. It is defined inductively as follows
1.
2.
3. is the complement of
4.
5.
6.
A formula \(\phi \) is valid in , written , iff it is true in all states, i.e., . Formula \(\phi \) is valid, written , iff for all interpretations .
Definition 6
(Semantics of hybrid games). The semantics of a hybrid game \(\alpha \) for each interpretation is a function that, for each set of states as Angel’s winning condition, gives the winning region, i.e., the set of states from which Angel has a winning strategy to achieve X in \(\alpha \) (whatever strategy Demon chooses). It is defined inductively as follows
1.
2.
3. on and for some function of some duration satisfying
where iff and on for all \(0{\le }\zeta {\le }r\) and exists and equals for all \(0{\le }\zeta {\le }r\) if .
4.
5.
6.
7. which is a least fixpoint [15]
8.
Along , variables x and enjoy an intrinsic link since they co-evolve.
2.3 Static Semantics
Sound uniform substitutions check free and bound occurrences of variables to prevent unsound replacements of expressions that might have incorrect values in the respective replacement contexts. The whole point of this paper is to skip admissibility checks such as that in (1). Free (and, indirectly, bound) variables will still have to be consulted to tell apart acceptable from unsound occurrences.
Hybrid games even make it challenging to characterize free and bound variables. Both are definable based on whether or not their values affect the existence of winning strategies under variations of the winning conditions [18]. The upward projection increases the winning condition from variables \(V\subseteq \mathbf {V}\) to all states that are “on V like X”, i.e., similar on V to states in X. The downward projection shrinks the winning condition X, fixing the values of state on variables \(V\subseteq \mathbf {V}\) to keep just those states of X that agree with on V.
Definition 7
The set extends to the states that agree on \(V\subseteq \mathbf {V}\) with some state in X (written ). The set selects state on \(V\subseteq \mathbf {V}\) in .
Projections make it possible to (semantically!) define free and bound variables of hybrid games by expressing variable dependence and ignorance. Such semantic characterizations increase modularity and are used for the correctness of syntactic analyses that compute supersets [16, Sect. 2.4]. Variable x is free in hybrid game \(\alpha \) iff two states that only differ in the value of x differ in membership in the winning region of \(\alpha \) for some winning condition that does not distinguish values of x. Variable x is bound in hybrid game \(\alpha \) iff it is in the winning region of \(\alpha \) for some winning condition X but not for the winning condition that limits the new value of x to stay at its initial value .
Definition 8
(Static semantics). The static semantics defines the free variables, which are all variables that the value of an expression depends on, as well as bound variables, , which can change their value during game \(\alpha \), as:
Beyond assignments, note complications with ODEs such as (2), where, due to their nature as the solution of a fixpoint condition, the same occurrences of variables are free, because they depend on their initial values, but they are also bound, because their values change along the ODE. All occurrences of x and y but not z on the right-hand side of and occurrences of also after this ODE are bound, since they are affected by this change. Variables x, y, z but not are free in this ODE. The crucial need for overlap of free and bound variables is most obvious for ODEs, but also arises for loops, e.g., . If x were not classified as free, its initial value could be overwritten incorrectly. If x were not classified as bound, its initial value could be incorrectly copy-propagated across the loop. This also applies to the same occurrence of x in \(x+1\) and \(x\), respectively. If it were not classified as a bound but a free occurrence, it could be incorrectly replaced by a term of the same initial value. If it were not classified as a free but a bound occurrence, it could, e.g., be boundly renamed, incorrectly losing its initial link.^{Footnote 2}
Coincidence lemmas [18] show that truth values of formulas depend only on their free variables (likewise for terms and hybrid games). The bound effect lemma [18] shows that only bound variables change their value when playing games. Supersets satisfy the same lemmas, so corresponding syntactic free and bound variable computations can be used correctly and are defined accordingly [16, 18]. Since and are the smallest such sets, no smaller sets can be correct, including, e.g., the usual definitions that classify occurrences mutually exclusively.
Lemma 9
(Coincidence for terms [18]). is the smallest set with the coincidence property for \(\theta \): If on , then .
Lemma 10
(Coincidence for formulas [18]). is the smallest set with the coincidence property for \(\phi \): If on , then iff .
Lemma 11
(Coincidence for games [18]). is the smallest set with the coincidence property for \(\alpha \): If on , then iff ; see Fig. 1(left).
Lemma 12
(Bound effect [18]). is the smallest set with the bound effect property for \(\alpha \): iff ; see Fig. 1(right).
The correctness of one-pass uniform substitution will become more transparent after defining when one state is a variation of another on a set of variables. For a set \(U\subseteq \mathbf {V}\), state is called a U-variation of state iff on complement . Variations satisfy properties of monotonicity and transitivity. If is a U-variation of , then is a V-variation of for all \(V\supseteq U\). If is a U-variation of and is a V-variation of , then is a \((U\cup V)\)-variation of . Coincidence lemmas say that the semantics is insensitive to variations of non-free variables. If is a U-variation of and , then iff .
3 Uniform Substitution
Uniform substitutions for affect terms, formulas, and games [18]. A uniform substitution \(\sigma \) is a mapping from expressions of the form to terms , from to formulas , and from game symbols \(a\) to hybrid games . Here is a reserved function symbol of arity 0 marking the position where the argument, e.g., argument \(\theta \) to in formula \(p(\theta )\), will end up in the replacement used for \(p(\theta )\). Vectorial extensions would be accordingly for other arities \(k\ge 0\).
The key idea behind the new recursive one-pass application of uniform substitutions is that it simply applies \(\sigma \) by naïve homomorphic recursion without checking any admissibility conditions along the way. But the mechanism makes up for that soundness-defying negligence by passing a cumulative set U of taboo variables along the recursion that are then forbidden from being introduced free by \(\sigma \) at the respective replacement of function and predicate symbols , respectively. No corresponding condition is required at substitutions of game symbols a, since games already have unlimited access to and effect on the state.
The result \({\sigma }^{U}{\phi }\) of applying uniform substitution \(\sigma \) for taboo set \(U\subseteq \mathbf {V}\) to a formula \(\phi \) (or term \(\theta \) or hybrid game \(\alpha \), respectively) is defined in Fig. 2. For proof rule US, the expression is, then, defined to be without taboos.
The case for in Fig. 2 conjoins the variable x to the taboo set in the homomorphic application of \(\sigma \) to \(\phi \), because any newly introduced free uses of x within that scope would refer to a different semantic value than outside that scope. In addition to computing the substituted hybrid game \({\sigma }^{U}_{V}{\alpha }\), the recursive application of one-pass uniform substitution \(\sigma \) to hybrid game \(\alpha \) under taboo set U also performs an analysis that results in a new output taboo set V, written in subscript notation, that will be tabooed after this hybrid game. Superscripts as inputs and subscripts as outputs follow static analysis notation and make the \(\alpha ;\beta \) case reminiscent of Einstein’s summation: the output taboos V of \({\sigma }^{U}_{V}{\alpha }\) become the input taboos V for \({\sigma }^{V}_{W}{\beta }\), whose output W is that of \({\sigma }^{U}_{W}{(\alpha ;\beta )}\). Similarly, the output taboos V resulting from the uniform substitute \({\sigma }^{U}_{V}{\alpha }\) of a hybrid game \(\alpha \) become taboo during the uniform substitution application forming \({\sigma }^{V}{\phi }\) in the postcondition of a modality to build .
Repetitions are the only complication in Fig. 2, where taboo U would be too lax during the recursion, because earlier repetitions of \(\alpha \) bind variables of \(\alpha \) itself, so only the taboos V obtained after one round are correct input taboos for the loop body. These two passes per loop are linear in the output when considering repetitions as their equivalent of double size.
Unlike in Church-style uniform substitution [5, 16, 18], attention is needed at the replacement sites of function and predicate symbols in order to make up for the neglected admissibility checks during all other operators. The result of applying uniform substitution \(\sigma \) with taboo U to a predicate application \(p(\theta )\) is only defined if the replacement for p does not introduce free any tabooed variable, i.e., . Arguments are put in for placeholder recursively by the taboo-free use of uniform substitution , which replaces arity 0 function symbol by . Taboos U are respected when forming (once!) the uniform substitution to be used for argument , but empty taboos \(\emptyset \) suffice when substituting the resulting for in the replacement for p.
All variables \(\mathbf {V}\) become taboos during uniform substitutions into differentials , because any newly introduced occurrence of a variable x would cause additional dependencies on its respective associated differential variable .
If the conditions in Fig. 2 are not met, the substitution \(\sigma \) is said to clash for taboo U and its result is not defined and cannot be used. All subsequent applications of uniform substitutions are required to be defined (no clash).
Whether a substitution clashes is only checked once at each replacement, instead of also once per operator around it as in Church style from Eq. (1). The free variables of each (function and) predicate symbol replacement are best stored with \(\sigma \) to avoid repeated computation of free variables.
This inference would unsoundly equate linear solutions with exponential ones:
Indeed, the substitution clashes and so rejects the above inference, since the substitute \(x\) for f has free variable x that is taboo in the context . By contrast, a sound use of rule US, despite its change in multiple binding contexts with , is:
Uniform substitution accurately distinguishes such sound inferences from unsound ones even if the substitutions take effect deep down within a formula. Uniform substitutions enable other syntactic transformations that require a solid understanding of variable occurrence patterns such as common subexpression elimination, for example, by using the above inference from right to left.
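The mechanism of Fig. 2 and the clash behaviour discussed in this section, as an added Python illustration that is neither the paper's nor any prover's code: it applies a substitution in one homomorphic pass over a small constructed fragment of dGL, threads taboo sets through assignments, sequential composition, loops (two passes), ODEs and modalities, and checks admissibility only at function and predicate replacement sites. The variable set, example formulas and substitutions are constructed; game symbols are omitted, and the ODE case is assumed to taboo x and x' for its right-hand side and domain constraint.

```python
# Added illustration of one-pass uniform substitution with taboo sets (not the paper's code).
# Expressions are nested tuples; a substitution maps ('fn', f) or ('pred', p) to a replacement
# in which the reserved arity-0 function symbol ('fn', '.', None) marks the argument position.
VARS = {"x", "y", "z"}                                    # constructed finite variable set,
ALL_VARS = frozenset(VARS | {v + "'" for v in VARS})      # including differential variables

class Clash(Exception):
    """sigma would introduce a tabooed variable free at a replacement site."""

def fv(e):
    """Syntactic free variables: a conservative superset (e.g. FV(a;b) = FV(a) | FV(b))."""
    k = e[0]
    if k == "var":
        return {e[1]}
    if k in ("fn", "pred"):                                # covers the placeholder '.' as well
        return fv(e[2]) if e[2] is not None else set()
    if k == "diff":                                        # (theta)' depends on x and x'
        return fv(e[1]) | {v + "'" for v in fv(e[1])}
    if k == "forall":
        return fv(e[2]) - {e[1]}
    if k == "ode":                                         # ('ode', x, theta, psi)
        return {e[1]} | fv(e[2]) | fv(e[3])
    return set().union(*(fv(c) for c in e[1:] if isinstance(c, tuple)))

def replace(s, U, key, arg, recurse):
    """The only admissibility check: FV(repl) must avoid U; then '.' gets arg, taboo-free."""
    repl = s[key]
    if fv(repl) & U:
        raise Clash("%s would introduce taboo %s" % (key, sorted(fv(repl) & U)))
    return repl if arg is None else recurse({("fn", "."): arg}, set(), repl)

def subst_term(s, U, t):
    k = t[0]
    if k in ("var", "num"):
        return t
    if k == "fn":
        arg = subst_term(s, U, t[2]) if t[2] is not None else None
        key = ("fn", t[1])
        return replace(s, U, key, arg, subst_term) if key in s else ("fn", t[1], arg)
    if k == "diff":                                        # all variables are taboo under (.)'
        return ("diff", subst_term(s, set(ALL_VARS), t[1]))
    return (k,) + tuple(subst_term(s, U, c) for c in t[1:])          # plus, times

def subst_fml(s, U, f):
    k = f[0]
    if k == "pred":
        arg = subst_term(s, U, f[2]) if f[2] is not None else None
        key = ("pred", f[1])
        return replace(s, U, key, arg, subst_fml) if key in s else ("pred", f[1], arg)
    if k == "forall":                                      # x is taboo throughout its scope
        return ("forall", f[1], subst_fml(s, U | {f[1]}, f[2]))
    if k == "box":                                         # output taboos of the game enter phi
        g, V = subst_game(s, U, f[1])
        return ("box", g, subst_fml(s, V, f[2]))
    if k == "geq":
        return ("geq", subst_term(s, U, f[1]), subst_term(s, U, f[2]))
    return (k,) + tuple(subst_fml(s, U, c) for c in f[1:])           # not, and, imp

def subst_game(s, U, g):
    """Return (sigma^U_V g, V): the substituted game and its output taboo set V."""
    k = g[0]
    if k == "assign":
        return ("assign", g[1], subst_term(s, U, g[2])), U | {g[1]}
    if k == "test":
        return ("test", subst_fml(s, U, g[1])), U
    if k == "ode":                                         # x and x' are bound along the ODE
        V = U | {g[1], g[1] + "'"}
        return ("ode", g[1], subst_term(s, V, g[2]), subst_fml(s, V, g[3])), V
    if k == "seq":                                         # output taboos of alpha feed beta
        a, V = subst_game(s, U, g[1])
        b, W = subst_game(s, V, g[2])
        return ("seq", a, b), W
    _, V = subst_game(s, U, g[1])                          # star: taboos after one round ...
    a, W = subst_game(s, V, g[1])                          # ... are the input taboos of the body
    return ("star", a), W

def us(s, phi):                                            # proof rule US: no initial taboos
    return subst_fml(s, set(), phi)

def clashes(s, phi):
    try:
        us(s, phi)
        return False
    except Clash:
        return True

# Constructed examples.  p(.) -> (. >= y) introduces y free; p(.) -> (. >= z) introduces z.
X, Y, Z = ("var", "x"), ("var", "y"), ("var", "z")
P = lambda t: ("pred", "p", t)
DOT = ("fn", ".", None)
SIGMA_Y, SIGMA_Z = {("pred", "p"): ("geq", DOT, Y)}, {("pred", "p"): ("geq", DOT, Z)}
# p(x) -> [y:=0] p(x) is valid; its SIGMA_Y instance x>=y -> [y:=0] x>=y is not, so it must clash.
PHI_ASSIGN = ("imp", P(X), ("box", ("assign", "y", ("num", 0)), P(X)))
# [(?p(x); y:=0)*] x>=x: with empty taboos ?p(x) passes; the second loop pass sees y tabooed.
PHI_LOOP = ("box", ("star", ("seq", ("test", P(X)), ("assign", "y", ("num", 0)))), ("geq", X, X))
# [x'=f(x) & x>=x] x>=0 with f(.) -> x (x is taboo along its own ODE) versus f(.) -> . * y.
PHI_ODE = ("box", ("ode", "x", ("fn", "f", X), ("geq", X, X)), ("geq", X, ("num", 0)))
SIGMA_F_X, SIGMA_F_DOTY = {("fn", "f"): X}, {("fn", "f"): ("times", DOT, Y)}
```

Running `clashes` on the three constructed formulas shows the taboo check rejecting exactly the substitutions that would introduce a variable bound by an assignment, an earlier loop round, or the ODE itself, while accepting the ones that only introduce fresh variables.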
3.1 Taboo Lemmas
The only soundnesscritical property of output taboos is that they correctly add bound variables and never forget variables that were already input taboos.
Lemma 13
(Taboo set computation). One-pass uniform substitution application monotonically computes taboos with correct bound variables for games:
Any superset of such taboo computations (or the free variable sets used in Fig. 2) remains correct, just more conservative. The change from input taboo U to output taboo V is a function of the hybrid game \(\alpha \), justifying the construction of : if \({\sigma }^{U}_{V}{\alpha }\) and \({\sigma }^{V}_{W}{\alpha }\) are defined, then \({\sigma }^{V}_{V}{\alpha }\) is defined and equal to \({\sigma }^{V}_{W}{\alpha }\). By Lemma 13, no implementation of bound variables is needed when defining game symbols via where with identity substitution . But bound variable computations speed up loops via since can be computed and used correctly in one pass when \(U\cup B=V\).
3.2 Uniform Substitution Lemmas
Uniform substitutions are syntactic transformations on syntactic expressions. Their semantic counterpart is the semantic transformation that maps an interpretation and a state to the adjoint interpretation that changes the meaning of all symbols according to the syntactic substitution \(\sigma \). The interpretation agrees with I except that function symbol is interpreted as .
Definition 14
(Substitution adjoints). The adjoint to substitution \(\sigma \) is the operation that maps to the adjoint interpretation in which the interpretation of each function symbol f, predicate symbol p, and game symbol a are modified according to \(\sigma \) (it is enough to consider those that \(\sigma \) changes):
The uniform substitution lemmas below are key to the soundness and equate the syntactic effect that a uniform substitution \(\sigma \) has on a syntactic expression in with the semantic effect that the switch to the adjoint interpretation has on the original expression. The technical challenge compared to Church-style uniform substitution [16, 18] is that no admissibility conditions are checked at the game operators that need them, because the whole point of one-pass uniform substitution is that it homomorphically recurses in a linear complexity sweep by postponing admissibility checks. All that happens during the substitution is that different taboo sets are passed along. Yet, still, there is a crucial interplay of the particular taboos imposed henceforth at binding operators and the retroactive checking at function and predicate symbol replacement sites.
In order to soundly deal with the negligence in admissibility checking of one-pass uniform substitutions in a modular way, the main insight is that it is imperative to generalize the range of applicability of uniform substitution lemmas beyond the state of original interest where the adjoint was formed, and make them cover all variations of states that are so similar that they might arise during soundness justifications. By demanding more comprehensive care at replacement sites, soundness arguments make up for the temporary lapses in attention during all other operators. This gives the uniform substitution algorithm broader liberties at binding operators, while simultaneously demanding broader compatibility in semantic neighborhoods on its part. Due to the recursive nature of function substitutions, the proof [20] of the following result is by structural induction lexicographically on the structure of \(\sigma \) and \(\theta \), for all .
Lemma 15
(Uniform substitution for terms). The uniform substitution \(\sigma \) for taboo \(U\subseteq \mathbf {V}\) and its adjoint interpretation for have the same semantics on U-variations for all terms \(\theta \):
Recall that all uniform substitutions are only defined when they meet the side conditions from Fig. 2. A mention such as \({\sigma }^{U}{\theta }\) in Lemma 15 implies that its side conditions during the application of \(\sigma \) to \(\theta \) with taboos U are met. Substitutions are antimonotone in taboos: If \({\sigma }^{U}{\theta }\) is defined, then \({\sigma }^{V}{\theta }\) is defined and equal to \({\sigma }^{U}{\theta }\) for all \(V\subseteq U\) (accordingly for \(\phi ,\alpha \)). The more taboos a use of a substitution tolerates, the more broadly its adjoint generalizes to state variations.
The corresponding results for formulas and games are proved by simultaneous induction since formulas and games are defined by simultaneous induction, as games may occur in formulas and, vice versa. The inductive proof [20] is lexicographic over the structure of \(\sigma \) and \(\phi \) or \(\alpha \), with a nested induction over the closure ordinals of the loop fixpoints, simultaneously for all \(\nu ,\omega ,U,X\).
Lemma 16
(Uniform substitution for formulas). The uniform substitution \(\sigma \) for taboo \(U\subseteq \mathbf {V}\) and its adjoint interpretation for have the same semantics on U-variations for all formulas \(\phi \):
Lemma 17
(Uniform substitution for games). The uniform substitution \(\sigma \) for taboo \(U\subseteq \mathbf {V}\) and its adjoint interpretation for have the same semantics on U-variations for all games \(\alpha \):
3.3 Soundness
With the uniform substitution lemmas having established the crucial equivalence of syntactic substitution and adjoint interpretation, the soundness of uniform substitution uses in proofs is now immediate. The notation in proof rule US is short for , so the result of applying \(\sigma \) to \(\phi \) without taboos (more taboos may still arise during the substitution application), and only defined if is. A proof rule is sound when its conclusion is valid if all its premises are valid.
Theorem 18
(Soundness of uniform substitution). Proof rule US is sound.
Theorem 18 is all it takes to soundly instantiate concrete axioms. Uniform substitutions can instantiate whole inferences [16], which makes it possible to avoid proof rule schemata by instantiating axiomatic proof rules consisting of pairs of concrete formulas. This enables uniformly substituting premises and conclusions of entire proofs of locally sound inferences, i.e., those whose conclusion is valid in any interpretation that all their premises are valid in.
Theorem 19
(Soundness of uniform substitution of rules). All uniform substitution instances for taboo \(\mathbf {V}\) of locally sound inferences are locally sound:
USR marks the use of Theorem 19 in proofs. If \(n=0\) (so \(\psi \) has a proof), USR preserves local soundness for taboo-free \({\sigma }^{\emptyset }{\psi }\) instead of \({\sigma }^{\mathbf {V}}{\psi }\), as US proves \({\sigma }^{\emptyset }{\psi }\) from the provable \(\psi \) and soundness is equivalent to local soundness for \(n=0\).
3.4 Completeness
Soundness is the property that every formula with a proof is valid. This is the most important consideration for something as fundamental as a uniform substitution mechanism. But the converse question of completeness, i.e., that every valid formula has a proof, is of interest as well, especially given the fact that onepass uniform substitutions check differently for soundness during the substitution application, which had better not lose otherwise perfectly valid proofs.
Completeness is proved in an easy modular style based on all the nontrivial findings summarized in schematic relative completeness results, first for schematic [15, Thm. 4.5], and then for a uniform substitution formulation of [16, Thm. 40]. The combination of both schematic completeness results makes it fairly easy to lift completeness to the setting in this paper. The challenge is to show that all instances of axiom schemata that are used for ’s schematic relative completeness result are provable by one-pass uniform substitution.
A formula \(\phi \) is called surjective iff rule US can instantiate \(\phi \) to any of its axiom schema instances, i.e., those formulas that are obtained by just replacing game symbols a uniformly by any game, etc. An axiomatic rule is called surjective iff USR of Theorem 19 can instantiate it to any of its proof rule schema instances.
Lemma 20
(Surjective axioms). If \(\phi \) is a formula that is built only from game symbols but no function or predicate symbols, then \(\phi \) is surjective. Axiomatic rules consisting of surjective formulas are surjective.
Instead of following previous completeness arguments for uniform substitution [18], this paper presents a pure game-style uniform substitution formulation in Fig. 3 of a axiomatization that makes the overall completeness proof most straightforward. For that purpose, the axiomatization in Fig. 3 uses properties of a game symbol c, which, as a game, can impose arbitrary conditions on the state even for a trivial postcondition (the formula is always true).
All axioms of Fig. 3, except test \(\langle ?\rangle \), equational assignment \(\langle :=\rangle _{=}\), and constant solution DS, are surjective by Lemma 20. The US requirement that no substitute of f may depend on x is important for the soundness of DS and \(\langle :=\rangle _{=}\). Axiom \(\langle ?\rangle \) is surjective, as it has no bound variables, so generates no taboos and none of its instances clash: . Similarly, rule MP is surjective [16], and the other rules are surjective by Lemma 20. Other differential equation axioms are elided but work as previously [16].
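As an added illustration of the clash condition just described (this is an example written for this page, not the paper's Fig. 2 and not any code of its author), the following Python sketch runs a one-pass substitution with a taboo set over a tiny dL fragment: the taboo set grows as the pass crosses binders, and a replacement of f or p clashes exactly when its substitute has a free variable that is taboo there. The tuple encoding, the function names, and the omission of loops and differential equations are assumptions of this example.

```python
# Added example, not the paper's code: a one-pass uniform substitution for a small dL
# fragment. The taboo set U grows while the pass crosses binders, and a replacement
# clashes if its free variables meet U. Loops and ODEs are left out as a simplification.
DOT = ('dot',)  # placeholder for the argument of a unary function or predicate symbol
class Clash(Exception): pass  # a substitute mentions a variable that is taboo at that spot

def free_vars(e):  # exact for quantifiers; over-approximated (hence still sound) under [.]
    if e[0] == 'var': return {e[1]}
    if e[0] == 'forall': return free_vars(e[2]) - {e[1]}
    return set().union(*(free_vars(s) for s in e[1:] if isinstance(s, tuple)))

def plug(repl, arg):  # put the already substituted argument in place of DOT
    if repl == DOT: return arg
    return tuple(plug(s, arg) if isinstance(s, tuple) else s for s in repl)

def replace(repl, U, arg):  # the soundness-critical check at the replacement itself
    if free_vars(repl) & U:
        raise Clash(f'{repl} depends on taboo variables {sorted(free_vars(repl) & U)}')
    return repl if arg is None else plug(repl, arg)

def subst_term(sigma, U, t):
    if t[0] in ('var', 'num', 'dot'): return t
    if t[0] == 'fn':  # unary f(arg), or nullary f when arg is None
        arg = None if t[2] is None else subst_term(sigma, U, t[2])
        return replace(sigma[t[1]], U, arg) if t[1] in sigma else ('fn', t[1], arg)
    return (t[0],) + tuple(subst_term(sigma, U, s) for s in t[1:])  # plus, times

def subst_prog(sigma, U, a):  # returns the substituted program and the taboos after it
    if a[0] == 'assign': return ('assign', a[1], subst_term(sigma, U, a[2])), U | {a[1]}
    if a[0] == 'test': return ('test', subst_fml(sigma, U, a[1])), U
    b, V = subst_prog(sigma, U, a[1])
    if a[0] == 'seq':  # taboos of the first program are in force for the second
        c, W = subst_prog(sigma, V, a[2]); return ('seq', b, c), W
    c, W = subst_prog(sigma, U, a[2]); return ('choice', b, c), V | W

def subst_fml(sigma, U, phi):
    if phi[0] == 'pred':
        arg = None if phi[2] is None else subst_term(sigma, U, phi[2])
        return replace(sigma[phi[1]], U, arg) if phi[1] in sigma else ('pred', phi[1], arg)
    if phi[0] == 'eq': return ('eq', subst_term(sigma, U, phi[1]), subst_term(sigma, U, phi[2]))
    if phi[0] == 'forall': return ('forall', phi[1], subst_fml(sigma, U | {phi[1]}, phi[2]))
    if phi[0] == 'box':
        prog, V = subst_prog(sigma, U, phi[1])
        return ('box', prog, subst_fml(sigma, V, phi[2]))
    return (phi[0],) + tuple(subst_fml(sigma, U, s) for s in phi[1:])  # not, and, imp, iff

def us(sigma, phi):  # rule US: sigma applied to phi with no initial taboo, None on clash
    try: return subst_fml(sigma, frozenset(), phi)
    except Clash: return None

# Constructed sample: equational assignment axiom  [x:=f]p(x) <-> forall x (x=f -> p(x))
X, F = ('var', 'x'), ('fn', 'f', None)
ASSIGN_EQ = ('iff', ('box', ('assign', 'x', F), ('pred', 'p', X)),
             ('forall', 'x', ('imp', ('eq', X, F), ('pred', 'p', X))))
```

With f replaced by x+1 the right-hand side clashes under the quantifier and `us` yields None, which is what blocks the unsound instance; with f replaced by y+1 the instance goes through, and a test axiom with no binders never clashes whatever is substituted.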
Besides rule US, bound variable renaming (rule BR) is the only schematic principle, mostly for generalizing assignment axiom \(\langle :=\rangle _{=}\) to other variables.
Lemma 21
(Bound renaming). Rule BR is locally sound, where is the result of uniformly renaming x to y in \(\psi \) (also to but no etc. or game symbols occur in \(\psi \), where the rule BR for is accordingly):
Theorem 22
(Relative completeness). The calculus is a sound and complete axiomatization of hybrid games relative to any differentially expressive logic L, i.e., every valid formula is provable in from L tautologies.
This completeness result assumes that no game symbols occur, because uniform renaming otherwise needs to become a syntactic operator. A logic L closed under first-order connectives is differentially expressive (for ) if every formula \(\phi \) has an equivalent \(\phi ^\flat \) in L and all differential equation equivalences of the form for G in L are provable in its calculus.
4 Differential Hybrid Games
Uniform substitution generalizes from for hybrid games [15] to for differential hybrid games [17], which add differential games as a new atomic game. A differential game allows Angel to control how long to follow the differential equation (in which variables x, y, z may occur) while Demon provides a measurable input for y over time satisfying the formula \(y\in Y\) always and Angel, knowing Demon’s current input, provides a measurable input for z satisfying the formula \(z\in Z\). All occurrences of y, z in are bound, and \(y\in Y\) and \(z\in Z\) are formulas in the free variables y or z, respectively. It has been a long-standing challenge to give mathematical meaning [6, 7] and sound reasoning principles [17] for differential games. Both outcomes can simply be adopted here under the usual well-definedness assumptions [17].
Uniform substitution application in Fig. 2 lifts to differential games by adding:
where is . Well-definedness assumptions on differential games [17] need to hold, e.g., only first-order logic formulas denoting compact sets are allowed for controls and the differential equations need to be bounded.
As terms are unaffected by adding differential games to the syntax, Lemmas 9 and 15 do not change. The proofs of the coincidence Lemmas 10 and 11 and bound effect Lemma 12 [18] transfer verbatim to with differential hybrid games thanks to their use of semantically defined free and bound variables, which carry over to differential hybrid games. The proof of Lemma 13 generalizes easily by adding a case for differential games with the above . The uniform substitution Lemmas 16 and 17 inductively generalize to differential hybrid games because of:
Lemma 23
(Uniform substitution for differential games). Let \(U\subseteq \mathbf {V}\). For all U-variations of :
The proof [20] makes clever use of differential game refinements [17] to avoid the significant complexities and semantic subtleties of differential games.
5 Conclusion
This paper introduced significantly faster uniform substitution mechanisms, the dominant logical inference in axiomatic small-core hybrid systems/games provers. It is also the first to prove soundness of uniform substitution for differential games.
Implementations exhibit a linear runtime complexity compared to the exponential complexity that direct implementations [8] of prior Church-style uniform substitutions exhibit, except when applying aggressive space/time optimization tradeoffs where that drops down to a quadratic runtime in practice.
Notes
1. The area of effect that an assignment to a variable has is non-computable and even a single occurrence of a variable may have to be both free and bound to ensure correctness. Such overlap is an inherent consequence of change, which is an intrinsic feature of dynamical systems theory (the mathematics of change) and game theory (the mathematics of effects resulting from strategic interaction by player decisions).
References
Ahrendt, W., Beckert, B., Bubel, R., Hähnle, R., Schmitt, P.H., Ulbrich, M. (eds.): Deductive Software Verification – The KeY Book. LNCS, vol. 10001. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-49812-6
Bohrer, R., Rahli, V., Vukotic, I., Völp, M., Platzer, A.: Formally verified differential dynamic logic. In: Bertot, Y., Vafeiadis, V. (eds.) Certified Programs and Proofs – 6th ACM SIGPLAN Conference, CPP 2017, Paris, France, 16–17 January 2017, pp. 208–221. ACM, New York (2017). https://doi.org/10.1145/3018610.3018616
de Bruijn, N.: Lambda calculus notation with nameless dummies, a tool for automatic formula manipulation, with application to the Church-Rosser theorem. Indagationes Math. 75(5), 381–392 (1972). https://doi.org/10.1016/1385-7258(72)90034-0
Church, A.: A formulation of the simple theory of types. J. Symb. Log. 5(2), 56–68 (1940). https://doi.org/10.2307/2266170
Church, A.: Introduction to Mathematical Logic. Princeton University Press, Princeton (1956)
Elliott, R.J., Kalton, N.J.: Cauchy problems for certain Isaacs-Bellman equations and games of survival. Trans. Amer. Math. Soc. 198, 45–72 (1974). https://doi.org/10.1090/S0002-9947-1974-0347383-8
Evans, L.C., Souganidis, P.E.: Differential games and representation formulas for solutions of Hamilton-Jacobi-Isaacs equations. Indiana Univ. Math. J. 33(5), 773–797 (1984). https://doi.org/10.1512/iumj.1984.33.33040
Fulton, N., Mitsch, S., Quesel, J.D., Völp, M., Platzer, A.: KeYmaera X: an axiomatic tactical theorem prover for hybrid systems. In: Felty, A.P., Middeldorp, A. (eds.) CADE 2015. LNCS (LNAI), vol. 9195, pp. 527–538. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-21401-6_36
Harel, D., Kozen, D., Tiuryn, J.: Dynamic Logic. MIT Press, Cambridge (2000). https://doi.org/10.7551/mitpress/2516.001.0001
Henkin, L.: Banishing the rule of substitution for functional variables. J. Symb. Log. 18(3), 201–208 (1953). https://doi.org/10.2307/2267403
Hilbert, D., Ackermann, W.: Grundzüge der theoretischen Logik. Springer, Berlin (1928)
Hilbert, D., Bernays, P.: Grundlagen der Mathematik, vol. I, 2nd edn. Springer, Heidelberg (1934). https://doi.org/10.1007/978-3-642-86894-8
Mitchell, I., Bayen, A.M., Tomlin, C.: A time-dependent Hamilton-Jacobi formulation of reachable sets for continuous dynamic games. IEEE Trans. Autom. Control 50(7), 947–957 (2005). https://doi.org/10.1109/TAC.2005.851439
Pfenning, F., Elliott, C.: Higher-order abstract syntax. In: Wexelblat, R.L. (ed.) PLDI, pp. 199–208. ACM (1988). https://doi.org/10.1145/53990.54010
Platzer, A.: Differential game logic. ACM Trans. Comput. Logic 17(1), 1:1–1:51 (2015). https://doi.org/10.1145/2817824
Platzer, A.: A complete uniform substitution calculus for differential dynamic logic. J. Autom. Reason. 59(2), 219–265 (2017). https://doi.org/10.1007/s10817-016-9385-1
Platzer, A.: Differential hybrid games. ACM Trans. Comput. Logic 18(3), 19:1–19:44 (2017). https://doi.org/10.1145/3091123
Platzer, A.: Uniform substitution for differential game logic. In: Galmiche, D., Schulz, S., Sebastiani, R. (eds.) IJCAR 2018. LNCS (LNAI), vol. 10900, pp. 211–227. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-94205-6_15
Platzer, A.: Differential game logic. Archive of Formal Proofs (2019). Formal proof development. http://isa-afp.org/entries/Differential_Game_Logic.html
Platzer, A.: Uniform substitution at one fell swoop. CoRR abs/1902.07230 (2019). http://arxiv.org/abs/1902.07230
Quesel, J.D., Platzer, A.: Playing hybrid games with KeYmaera. In: Gramlich, B., Miller, D., Sattler, U. (eds.) IJCAR 2012. LNCS (LNAI), vol. 7364, pp. 439–453. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-31365-3_34
Quine, W.V.O.: A System of Logistic. Harvard University Press, Cambridge (1934)
Schneider, H.H.: Substitutions for predicate variables and functional variables. Notre Dame J. Formal Logic 21(1), 33–44 (1980). https://doi.org/10.1305/ndjfl/1093882937
Acknowledgment
I thank Frank Pfenning for useful discussions and the anonymous reviewers for their helpful feedback. I appreciate the kind advice of the Isabelle group at TU Munich for the subsequent formalization [19] of the proofs.
Rights and permissions
Open Access This chapter is licensed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits use, sharing, adaptation, distribution and reproduction in any medium or format, as long as you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license and indicate if changes were made.
The images or other third party material in this chapter are included in the chapter's Creative Commons license, unless indicated otherwise in a credit line to the material. If material is not included in the chapter's Creative Commons license and your intended use is not permitted by statutory regulation or exceeds the permitted use, you will need to obtain permission directly from the copyright holder.
Copyright information
© 2019 The Author(s)
Cite this paper
Platzer, A. (2019). Uniform Substitution at One Fell Swoop. In: Fontaine, P. (ed.) Automated Deduction – CADE 27. CADE 2019. Lecture Notes in Computer Science, vol. 11716. Springer, Cham. https://doi.org/10.1007/978-3-030-29436-6_25
DOI: https://doi.org/10.1007/978-3-030-29436-6_25
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-29435-9
Online ISBN: 978-3-030-29436-6