Uniform Substitution in One Fell Swoop

Uniform substitution of function, predicate, program or game symbols is the core operation in parsimonious provers for hybrid systems and hybrid games. By postponing soundness-critical admissibility checks does this paper introduce a uniform substitution mechanism that proceeds in a linear pass homomorphically along the formula. Soundness is recovered using a simple variable condition at the replacements performed by the substitution. The setting in this paper is that of differential hybrid games, in which discrete, continuous, and adversarial dynamics interact in differential game logic dGL. This paper proves soundness and completeness of one-pass uniform substitutions for dGL.


Introduction
After a number of false starts on substitution [8,9,16], even by prominent logicians, did Church's uniform substitutions [3, §35,40] provide a mechanism for substituting function and predicate symbols with terms and formulas in first-order logic. Given a mechanism for applying a uniform substitution σ to formulas φ with result denoted σφ are uniform substitutions used with Church's proof rule: Contrary to casual belief is quite some care needed in the substitution process, even of only function symbols [17], in order to prevent replacing functions with terms that denote incompatible values in different places depending on which variables are being used in the replacements and in which formula contexts. Due to their subtleties, there have even been passionate calls for banishing substitutions [7] and using more schemata. This paper moves in the opposite direction, making substitutions even more subtle, but also faster and, nevertheless, sound. The biggest theoretical advantage of uniform substitutions is that they make instantiation explicit so that proof calculi can use axioms (concrete object-level formulas) instead of axiom schemata (meta-level concepts standing for infinitely many formulas). Their biggest practical advantage is that this avoidance of schemata enables parsimonious theorem prover implementations that only consist of copies of concrete formulas as axioms together with one algorithm implementing the application of uniform substitutions (plus renaming). Similar advantages exist for concrete axiomatic proof rules instead of rule schemata [12]. This design obviates the need for algorithms that recognize all of the infinitely many instances of schemata and check all of their (sometimes pretty subtle) side conditions to soundly reject improper reasoning. 
These practical advantages have first been demonstrated for hybrid systems [6] and for hybrid games [14] proving, where uniform substitution led to significant reductions in size (down from 66000 to 1700 lines of soundness-critical code) and/or implementation time (down from months to minutes) compared to conventional prover implementations.
These uses of the uniform substitution principle required generalizations from first-order logic [3] to differential dynamic logic dL for hybrid systems [12] and differential game logic dGL for hybrid games [14], including substitutions of programs or games, respectively. While the presence of program variables whose values change over time, and the presence of differential equations that form intrinsic links of evolving variables x and their time-derivatives x′, significantly complicates affairs compared to the simplicity of single binders in first-order logic [3,17] or λ-calculi [2], uniform substitutions still generalize elegantly and in highly modular ways. Much of the conceptual simplicity in the correctness arguments in these cases, however, came from the fact that uniform substitutions were applied following Church's guiding principle directly at each operator by checking admissibility that no free variable be introduced into a context in which it is bound. While such checks simplify correctness proofs, because they check each required admissibility condition at each operator where they are necessary for soundness, the resulting substitution mechanism is elegant but computationally fairly suboptimal, because it repeatedly checks admissibility recursively again at each operator. For example, applying a uniform substitution σ checks at each sequential composition α; β again that the entire substitution σ is admissible for β compared to the bound variables of the result of having applied σ to α:
$$\sigma(\alpha;\beta) = (\sigma(\alpha);\sigma(\beta)) \quad \text{if } \sigma \text{ is } \mathrm{BV}(\sigma(\alpha))\text{-admissible for } \beta \tag{1}$$
where σ is BV(σ(α))-admissible for β iff the free variables computed from the replacements for the subset of the substitution σ for function/predicate symbols that still occur in β do not intersect the bound variables BV(σ(α)) computed from the result of applying the substitution σ to α [14].
This mechanism is sound [12,14], even verified sound for hybrid systems in Isabelle/HOL and Coq [1], but computationally redundant due to its repeated admissibility computations. The point of this paper is to introduce a more liberal form of uniform substitution that substitutes in one fell swoop, forgoing admissibility checks during the operators where they would be needed, using a monadic computation of taboo sets to make up for that negligence by checking cumulative admissibility conditions locally only once at each replacement that the uniform substitution application performs. This one-pass uniform substitution is computationally attractive, because it operates linearly in the output, which matters because uniform substitution is the dominant logical inference in uniform substitution provers [6]. The biggest challenge is, precisely, that correctness of substitution can no longer be justified for the operators where it is needed (because admissibility is no longer recursively checked at each operator). The most important technical insight of this paper is that modularity of correctness arguments can be recovered, regardless, using a neighborhood semantics for taboos. Another value of this paper is its straightforward completeness proof based on [11,12]. Overall, the findings of this paper make it possible to verify hybrid games (and systems) with faster small soundness-critical prover cores than before [15,14], which, owing to their challenges, are the only two verification tools for hybrid games. Uniform substitutions extend to differential games [4,5], where soundness is challenging [10], leading to the first basis for a small prover core for differential hybrid games [13].

Preliminaries: Differential Game Logic
This section recalls the basics of differential game logic [11,14], the logic for specifying and verifying hybrid games of two players with differential equations.

Syntax
The set of all variables is V, including for each variable x a differential variable x′ (e.g., for an ODE for x). Higher-order differential variables x′′ etc. are not used in this paper, so a finite set V suffices. The terms θ of (differential-form) dGL are polynomial terms with real-valued function symbols and differential terms (θ)′ that are used to reduce reasoning about differential equations to reasoning about equations of differentials [12]. Hybrid games α describe the permitted discrete and continuous actions by player Angel and player Demon. Besides the operators of first-order logic of real arithmetic, dGL formulas φ can be built using ⟨α⟩φ, which expresses that Angel has a winning strategy in the hybrid game α to reach the region satisfying dGL formula φ. Likewise, [α]φ expresses that Demon has a winning strategy in the hybrid game α to reach the region satisfying φ.
Definition 3 (Hybrid games). The hybrid games of differential game logic dGL are defined by the following grammar (with α, β as hybrid games, a as game symbol, x as variable, θ as term, and ψ as dGL formula):
Just like the meaning of function and predicate symbols is subject to interpretation, is the effect of game symbols a up to interpretation. In contrast, the assignment game x := θ has the specific effect of changing the value of variable x to that of term θ. The differential equation game x′ = θ & ψ allows Angel to choose how long she wants to follow the (vectorial) differential equation x′ = θ for any real duration within the set of states where evolution domain constraint ψ is true. The test game ?ψ challenges Angel to satisfy formula ψ, for if ψ is not true in the present state she loses the game prematurely. The choice game α ∪ β allows Angel to choose if she wants to play game α or game β. The sequential game α; β will play game β after game α terminates (unless a player prematurely lost the game while playing α). The repetition game $\alpha^*$ allows Angel to always decide after playing any number of α repetitions whether she wants to play another round (but she cannot play forever). Finally, the dual game $\alpha^d$ will have both players switch sides: every choice that Angel had in α will go to Demon in $\alpha^d$, and vice versa, while every condition that Angel needs to meet in α will be Demon's responsibility in $\alpha^d$, and vice versa.
Substitutions in dGL are subtle. Not even prior presence of x gives license to substitute with x, which would change an exponential solution to a hyperbolic solution of limited duration, i.e., the substitution σ = {f → x} of x for arity 0 function symbol f is unsound:

Semantics
A state ω is a mapping from the set of all variables V to the reals R. The state $\omega_x^r$ agrees with state ω except for variable x whose value is r ∈ R in $\omega_x^r$. The set of all states is denoted S. The set of all subsets of S is denoted ℘(S).
The semantics of function, predicate, and game symbols is independent from the state. They are interpreted by an interpretation I that maps each arity k function symbol f to a k-ary smooth function $I(f) : R^k \to R$, each arity k predicate symbol p to a k-ary relation $I(p) \subseteq R^k$, and each game symbol a to a function I(a) : ℘(S) → ℘(S) where I(a)(X) ⊆ S are the states from which Angel has a winning strategy to achieve X ⊆ S in game a. Differentials have a differential-form semantics [12]: the sum of all partial derivatives by all variables x ∈ V multiplied by the values of their associated differential variable x′.

Static Semantics
Sound uniform substitutions check free and bound occurrences of variables to prevent unsound replacements of expressions that might have incorrect values in the respective replacement contexts. The whole point of this paper is to skip admissibility checks such as that in (1). Free (and, indirectly, bound) variables will still have to be consulted to tell apart acceptable from unsound occurrences. Hybrid games even make it challenging to characterize free and bound variables. Both are definable based on whether or not their values affect the existence of winning strategies under variations of the winning conditions [14]. The upward projection X↑V increases the winning condition X ⊆ S from variables V ⊆ V to all states that are "on V like X", i.e., similar on V to states in X. The downward projection X↓ω(V) shrinks the winning condition X, fixing the values of state ω on variables V ⊆ V to keep just those states of X that agree with ω on V.
Projections make it possible to define (semantic!) free and bound variables of hybrid games by expressing variable dependence and ignorance. Variable x is free iff two states that only differ in the value of x differ in membership in the winning region for hybrid game α for some condition $X{\uparrow}\{x\}^{\complement}$ that is insensitive to the value of x. Variable x is bound iff it is in the winning region for hybrid game α for some winning condition X but not for the winning condition X↓ω({x}) that limits the new value of x to stay at its initial value ω(x).
Definition 8 (Static semantics). The static semantics defines the free variables, which are all variables that the value of an expression depends on, as well as bound variables, BV(α), which can change their value during game α, as: Coincidence lemmas [14] show truth-values of dGL formulas only depend on their free variables (likewise for terms and hybrid games). The bound effect lemma [14] shows only bound variables change their value when playing games. Supersets satisfy the same lemmas, so corresponding syntactic free and bound variable computations can be used correctly and are defined accordingly [12,14].
Lemma 1 (Coincidence for terms [14]). FV(θ) is the smallest set with the coincidence property for
Lemma 2 (Coincidence for formulas [14]). FV(φ) is the smallest set with the coincidence property for φ:
Lemma 3 (Coincidence for games [14]). FV(α) is the smallest set with the coincidence property for α:
Lemma 4 (Bound effect [14]). BV(α) is the smallest set with the bound effect property for α:
The correctness of one-pass uniform substitution will become more transparent after defining when one state is a variation of another on a set of variables. For a set U ⊆ V, state $\tilde{\omega}$ is called a U-variation of state ω iff $\tilde{\omega}$ = ω on complement $U^{\complement}$. Variations satisfy monotonicity and transitivity properties. If $\tilde{\omega}$ is a U-variation of ω, then $\tilde{\omega}$ is a V-variation of ω for all V ⊇ U. If $\tilde{\omega}$ is a U-variation of ω and ω is a V-variation of µ, then $\tilde{\omega}$ is a (U ∪ V)-variation of µ. Coincidence lemmas say that the semantics is insensitive to variations of nonfree variables. If $\tilde{\omega}$ is a U-variation of ω and

Uniform Substitution
Uniform substitutions for dGL affect terms, formulas, and games [14]. A uniform substitution σ is a mapping from expressions of the form f (·) to terms σf (·), from p(·) to formulas σp(·), and from game symbols a to hybrid games σa. Here · is a reserved function symbol of arity 0, marking the position where the argument, e.g., argument θ to p(·) in formula p(θ), will end up in the replacement σp(·) used for p(θ). Vectorial extensions are accordingly for other arities k ≥ 0.
The key idea behind the new recursive one-pass application of uniform substitutions is that it simply applies σ by naïve homomorphic recursion without checking any admissibility conditions along the way, but the mechanism makes up for that soundness-defying negligence by passing a cumulative set U of taboo variables along the recursion that are then forbidden from being introduced free by σ at the respective replacements of function f (·) and predicate symbols p(·), respectively. No corresponding condition is required for substitutions of game symbols a, since games already have unlimited access to and effect on the state.
The result $\sigma^U\varphi$ of applying uniform substitution σ for taboo set U ⊆ V to a dGL formula φ (or term θ or hybrid game α, respectively) is defined in Fig. 2. The expression σφ in proof rule US is defined to be $\sigma^\emptyset\varphi$ without taboos.
This would unsoundly equate a linear solution with an exponential solution: x ≥ 0, f → −x} violates taboos. By contrast, this is a sound use of rule US despite its change in multiple binding contexts:
The case for ∃x φ in Fig. 2 conjoins the variable x to the taboo set in the homomorphic application of σ to φ, because any newly introduced free uses of x within that scope would refer to a different semantic value than outside that scope. Besides the substituted hybrid game does the recursive application of one-pass uniform substitution σ to hybrid game α under taboo set U also result in a new output taboo set V, written in subscript notation. So, $\sigma^U_V\alpha$ denotes the resulting hybrid game of applying σ to α with taboo U, but the subscript V also is an output indicating the resulting set of variables that will be tabooed after this hybrid game. Superscripts as inputs and subscripts as outputs makes the α; β case reminiscent of Einstein's summation convention: the output taboos V of $\sigma^U_V\alpha$ become the input taboos V for $\sigma^V_W\beta$, whose output W is that of $\sigma^U_W(\alpha;\beta)$. Likewise do the output taboos V resulting from the uniform substitute $\sigma^U_V\alpha$ of a hybrid game α become taboo during the uniform substitution application forming $\sigma^V\varphi$ in the postcondition of a modality to build $\sigma^U(\langle\alpha\rangle\varphi)$.
Repetitions $\sigma^U_V(\alpha^*)$ are the only complication in Fig. 2, where taboo U would be too forgiving during the recursive call, because repetitions of α bind variables of α, so only the taboos V obtained after one round $\sigma^U_V\alpha$ are correct input taboos for the loop body. These two passes per loop are linear in the output when considering repetitions $\alpha^*$ as their equivalent $?\top \cup \alpha;\alpha^*$ of double size.
Unlike in classical uniform substitution [3,12,14] is attention needed at the replacement sites of function or predicate symbols in order to make up for the neglected admissibility checks during binding operators. The result $\sigma^U(p(\theta))$ of applying uniform substitution σ with taboo U to a predicate application p(θ) is only defined if the replacement σp(·) for p does not introduce free any tabooed variable, i.e., FV(σp(·)) ∩ U = ∅. Arguments are put in for placeholder · recursively by the taboo-free use of uniform substitution {· → $\sigma^U\theta$}, which replaces arity 0 function symbol · by $\sigma^U\theta$. Taboos U are respected when forming (once!) the uniform substitution to be used for argument ·, but empty taboos ∅ suffice when substituting the resulting $\sigma^U\theta$ for · in the replacement σp(·) for p.
All variables V become taboos during uniform substitutions into differentials (θ)′, because any newly introduced occurrence of a variable would cause additional dependencies on its respective associated differential variable.
If the conditions in Fig. 2 are not met, the substitution σ is said to clash for taboo U and its result $\sigma^U\varphi$ is not defined and cannot be used. All subsequent applications of uniform substitutions are required to be defined (no clash).
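The following Python sketch is an added example, not code from the paper or from any prover. It implements the one-pass mechanism described above for a small fragment (no differentials, differential equations, game symbols, choices or duals). The tuple encoding, all function names and the sample formulas are assumptions made here; the output taboos for assignments and tests follow the statement that output taboos add bound variables to the input taboos, and the free-variable check uses the set of all occurring variables, a conservative superset of FV.

```python
DOT = "·"  # reserved arity-0 function symbol marking the argument position


class Clash(Exception):
    """A replacement would introduce a tabooed variable."""


def variables(e):
    """All variables occurring in e: a superset of FV(e), so the check in
    site() is sound but more conservative than one using exact FV."""
    if not isinstance(e, tuple):
        return frozenset()
    own = {e[1]} if e[0] in ("var", "exists", "assign") else set()
    return frozenset(own).union(*(variables(c) for c in e[1:]))


def site(sigma, U, e):
    """Replacement site f(θ) or p(θ): the only place taboos are checked."""
    kind, name, arg = e
    new_arg = None if arg is None else term(sigma, U, arg)
    if name not in sigma:                      # symbol left alone by sigma
        return (kind, name, new_arg)
    repl = sigma[name]
    bad = variables(repl) & U
    if bad:
        raise Clash(f"replacement for {name} mentions taboo {sorted(bad)}")
    if new_arg is None:
        return repl
    inner = {DOT: new_arg}                     # plug argument in, no taboos
    plug = term if kind == "fn" else formula
    return plug(inner, frozenset(), repl)


def term(sigma, U, t):
    if t[0] in ("var", "num"):
        return t
    if t[0] == "fn":
        return site(sigma, U, t)
    return ("plus", term(sigma, U, t[1]), term(sigma, U, t[2]))


def formula(sigma, U, p):
    tag = p[0]
    if tag == "pred":
        return site(sigma, U, p)
    if tag == "geq":
        return ("geq", term(sigma, U, p[1]), term(sigma, U, p[2]))
    if tag == "and":
        return ("and", formula(sigma, U, p[1]), formula(sigma, U, p[2]))
    if tag == "not":
        return ("not", formula(sigma, U, p[1]))
    if tag == "exists":                        # x is taboo inside its scope
        return ("exists", p[1], formula(sigma, U | {p[1]}, p[2]))
    if tag == "dia":                           # game's output taboos feed φ
        g, V = game(sigma, U, p[1])
        return ("dia", g, formula(sigma, V, p[2]))
    raise ValueError(tag)


def game(sigma, U, a):
    """Returns (substituted game, output taboo set)."""
    tag = a[0]
    if tag == "assign":
        return ("assign", a[1], term(sigma, U, a[2])), U | {a[1]}
    if tag == "test":
        return ("test", formula(sigma, U, a[1])), U
    if tag == "seq":                           # output of α is input of β
        g1, V = game(sigma, U, a[1])
        g2, W = game(sigma, V, a[2])
        return ("seq", g1, g2), W
    if tag == "loop":
        _, V = game(sigma, U, a[1])            # pass 1: learn the taboos V
        body, _ = game(sigma, V, a[1])         # pass 2: substitute under V
        return ("loop", body), V
    raise ValueError(tag)


def us(sigma, phi):
    """Rule US applies sigma with the empty input taboo set."""
    return formula(sigma, frozenset(), phi)


def clashes(sigma, phi):
    try:
        us(sigma, phi)
        return False
    except Clash:
        return True


# Constructed sample inputs (not taken from the paper).
F, X, Y, Z = ("fn", "f", None), ("var", "x"), ("var", "y"), ("var", "z")
ONE, ZERO = ("num", 1), ("num", 0)
ASSIGN = ("dia", ("assign", "x", F), ("geq", X, F))          # <x := f> x >= f
ONCE = ("dia", ("assign", "x", ("plus", F, ONE)), ("geq", X, ZERO))
LOOP = ("dia", ("loop", ONCE[1]), ("geq", X, ZERO))          # <(x := f+1)*> x >= 0
PRED = ("exists", "y", ("pred", "p", ("plus", Y, F)))        # exists y p(y+f)
```

With these samples, substituting x for f clashes in ASSIGN (x is taboo in the postcondition) and in LOOP (x is taboo in the second pass over the body), but not in ONCE, where the only replacement happens before x is bound.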

Taboo Lemmas
The only soundness-critical property of output taboos is that they never forget variables that were already input taboos and correctly add bound variables.
Lemma 5 (Taboo set computation). One-pass uniform substitution application monotonously computes taboos with correct bound variables for games:
Proof. The proof is by direct structural induction on α: as BV($\alpha^*$) = BV(α) for all games α.
Any superset of such taboo computations (or the free variable sets used in Fig. 2) remains correct, just more conservative. The change from input taboo U to output taboo V is a function of the hybrid game α, justifying the construction of $\sigma^U_V(\alpha^*)$: if $\sigma^U_V\alpha$ and $\sigma^V_W\alpha$ are defined, then $\sigma^V_V\alpha$ is defined and equal to $\sigma^V_W\alpha$. By Lemma 5, no implementation of bound variables is needed when defining game symbols via can be computed and used correctly in one pass when U ∪ B = V.

Uniform Substitution Lemmas
Uniform substitutions are syntactic transformations on syntactic expressions. Their semantic counterpart is the semantic transformation that maps an interpretation I and a state ω to the adjoint interpretation $\sigma^*_\omega I$ that changes the meaning of all symbols according to the syntactic substitution σ.
Definition 9 (Substitution adjoints). The adjoint to substitution σ is the operation that maps I, ω to the adjoint interpretation $\sigma^*_\omega I$ in which the interpretation of each function symbol f, predicate symbol p, and game symbol a are modified according to σ (it is enough to consider those that σ changes):
The central uniform substitution lemmas below are key to the soundness of uniform substitutions and equate the syntactic effect that a uniform substitution σ has on a syntactic expression in I, ω with the semantic effect that the switch to the adjoint interpretation $\sigma^*_\omega I$ has on the original expression. The technical challenge compared to Church-style uniform substitution [12,14] is that no admissibility condition is checked at the binding and program interaction operators that need them, because the whole point of one-pass uniform substitution is that it homomorphically recurses in a linear complexity sweep by postponing admissibility checks. All that happens during the substitution is that different taboo sets are passed along the homomorphic substitution application. Yet, still, there is a crucial interplay of the particular taboos set henceforth at binding operators and the retroactive checking at function and predicate symbol replacements.
In order to soundly deal with the negligence in admissibility checking of one-pass uniform substitutions in a modular way, the main insight is that it is imperative to generalize the range of applicability of uniform substitution lemmas beyond the state ω of original interest where the adjoint $\sigma^*_\omega I$ was formed, and make them affect all acceptable variations of states that are still similar enough. By demanding more comprehensive care at replacement sites does the soundness argument make up for the temporary lapses in attention during the binding operators. This gives the uniform substitution algorithm broader flexibility at binding operators without requiring admissibility checks, while simultaneously demanding broader compatibility in semantic neighborhoods of its parts.
Lemma 6 (Uniform substitution for terms). The uniform substitution σ for taboo U ⊆ V and its adjoint interpretation $\sigma^*_\omega I$ for I, ω have the same semantics on U-variations for all terms θ:
Proof. The proof is by structural induction lexicographically on the structure of σ and of θ, for all U, ν, ω. Fix any U-variation ν of ω.
] since σ changes no variables x ∈ V
2. Consider the arity zero case of function application, written f() for emphasis: . The proof uses the induction hypothesis twice, once for $\sigma^U\theta$ on the smaller θ and once for $\{\cdot \to \sigma^U\theta\}^\emptyset\,\sigma f(\cdot)$ on the possibly bigger term σf(·) but the structurally simpler uniform substitution {· → $\sigma^U\theta$} that is a substitution only of the symbol · of arity zero, not a substitution of functions with arguments. For well-foundedness of the induction note that the · substitution only happens for function symbols f with at least one argument θ so not for · itself, which, as an arity zero function, is covered in case 2.
The proof for multiplication θ · η is accordingly.
] for all states ν, ω (which are trivially V-variations), including states used for partial derivatives.
All uses of uniform substitutions are only defined when they meet the side conditions from Fig. 2. A mention such as $\sigma^U\theta$ in Lemma 6 implies that its side conditions during the application of σ to θ with taboos U are met. Substitutions are antimonotone in taboos: If $\sigma^U\theta$ is defined, then $\sigma^V\theta$ is defined and equal to $\sigma^U\theta$ for all V ⊆ U (accordingly for φ, α). The more taboos a use of a substitution tolerates, the more broadly its adjoint generalizes to variations in state.
The corresponding results for formulas and games are proved by simultaneous induction since formulas and games are defined by simultaneous induction, as games may occur in formulas and vice versa.
Lemma 7 (Uniform substitution for formulas). The uniform substitution σ for taboo U ⊆ V and its adjoint interpretation $\sigma^*_\omega I$ for I, ω have the same semantics on U-variations for all formulas φ:
Proof. The proof is by structural induction lexicographically on the structure of σ and of φ, with a simultaneous induction in the proof of Lemma 8, simultaneously for all U, ν, ω. Fix any U-variation ν of ω.
Consider a predicate symbol q that is not substituted to anything else by σ: is used on the possibly bigger formula σp(·) but the structurally simpler uniform substitution {· → $\sigma^U\theta$} only substitutes function symbol · of arity zero, not predicates, thus is covered by case 2.
For this, consider any BV($\sigma^U_V\alpha$)-variation µ of ν and show: . By induction hypothesis, the latter is equivalent to
Proof. The proof is by lexicographic structural induction on σ and α, simultaneously with Lemma 7, for all U, ν, ω and X. Fix any U-variation ν of ω.
] by Lemma 6 and it also holds that Here, Lemma 6 and 7 are applicable, because ϕ(t) is a (U ∪ {x, x′})-variation of ω, since ϕ(t) is a {x, x′}-variation of ν, which is a U-variation of ω. The latter two conditions are equivalent to . Both conditions equate: ] X . This holds by IH, because µ is a V-variation of ω: µ is a BV($\sigma^U_V\alpha$)-variation of ν, which, in turn, is a U-variation of ω, so µ is a (U ∪ BV($\sigma^U_V\alpha$))-variation of ω, hence a V-variation by Lemma 5.
] X (when σ V U α is defined) uses an equivalent inflationary fixpoint formulation [11,Thm. 3.5]: for all U-variations ν of ω follows, with V ⊇ U by Lemma 5, from proving: for all κ and all X and all V-variations ν of ω: $\nu \in \tau^\kappa(X)$ iff $\nu \in \varrho^\kappa(X)$. This is proved by induction on ordinal κ (0, limit ordinal λ = 0, or successor): holds as follows. Consider any BV($\sigma^V_V\alpha$)-variation µ of ν and show: $\mu \in \tau^\kappa(X)$ iff $\mu \in \varrho^\kappa(X)$, which is by IH on κ < κ + 1, as µ is a V-variation of ω: µ is a BV($\sigma^V_V\alpha$)-variation of ν, so by V ⊇ BV($\sigma^V_V\alpha$) from Lemma 5, µ is a V-variation of ν, which, in turn, is a U-variation of ω, hence, by V ⊇ U from Lemma 5 as $\sigma^U_V\alpha$ is defined, also a V-variation of ω, so µ itself is a V-variation of ω.

Soundness
With the uniform substitution lemmas having established the crucial equivalence of syntactic substitution and adjoint interpretation, the soundness of uniform substitution uses in proofs is now immediate. Recall that the notation σφ in the uniform substitution proof rule US is short for $\sigma^\emptyset\varphi$, so the result of applying σ to φ without taboos (taboos may still arise during the substitution application). A proof rule is sound when its conclusion is valid if all its premises are valid. Theorem 9 is all it takes to soundly instantiate concrete axioms. Uniform substitutions can instantiate whole inferences [12], which also makes it possible to avoid proof rule schemata by instantiating axiomatic proof rules consisting of pairs of concrete formulas. This also enables uniformly substituting premises and conclusions of entire proofs of locally sound inferences, i.e., those whose conclusion is valid in any interpretation that all their premises are valid in.
Theorem 10 (Soundness of uniform substitution of rules). All uniform substitution instances for taboo V of locally sound inferences are locally sound:
Proof. Fix any state ω. Let D be the locally sound inference on the left and σD the substituted inference on the right. To prove σD locally sound, consider any interpretation I in which all premises of σD are valid, i.e., $I \models \sigma^V\varphi_j$ for all j, i.e., $\nu \in I[[\sigma^V\varphi_j]]$ for all ν and j. By Lemma 7, , which also holds for all ν and j.
Consequently, all premises of D are valid in the same interpretation $\sigma^*_\omega I$, i.e. $\sigma^*_\omega I \models \varphi_j$ for all j. Thus, $\sigma^*_\omega I \models \psi$ by local soundness of D. That is, (since ν trivially is a V-variation of ω), which continues to hold for all ν. Thus, $I \models \sigma^V\psi$, i.e., the conclusion of σD is valid in I, hence σD is locally sound.
USR marks the use of Theorem 10 in proofs. If n = 0 (so ψ has a proof), USR preserves local soundness for taboo-free $\sigma^\emptyset\psi$ instead of $\sigma^V\psi$, as US proves $\sigma^\emptyset\psi$ from the provable ψ and soundness is equivalent to local soundness for n = 0.

Completeness
Soundness, so the question whether every formula with a proof is valid, is the most important consideration for something as fundamental as a uniform substitution mechanism. But the converse question of completeness, whether every valid formula has a proof, is of interest as well, especially given the fact that one-pass uniform substitutions check differently for soundness during the substitution application, which had better not lose otherwise perfectly valid proofs.
Completeness is proved in an easy modular style based on all the nontrivial findings summarized in schematic relative completeness results, first for schematic dGL [11,Thm. 4.5], and then for a uniform substitution formulation of dL [12,Thm. 40]. The combination of both schematic completeness results makes it fairly easy to lift completeness to the setting in this paper. The challenge is to show that all instances of axiom schemata that are used for dGL's schematic relative completeness result are provable by one-pass uniform substitution.
A dGL formula φ is called surjective iff rule US can instantiate φ to any of its axiom schema instances, i.e., those formulas that are obtained by just replacing game symbols a uniformly by any game, etc. An axiomatic rule is called surjective iff USR can instantiate it to any of its proof rule schema instances.
Lemma 11 (Surjective axioms). If φ is a dGL formula that is built only from game symbols but no function or predicate symbols, then φ is surjective. Axiomatic rules consisting of surjective dGL formulas are surjective.
Proof. Let $\tilde{\varphi}$ be the desired instance of schema φ. So, $\tilde{\varphi}$ is obtained from φ by uniformly replacing each game symbol a by some hybrid game, naïvely but consistently (same replacement for a in all places). A straightforward structural induction on φ proves that there is a uniform substitution σ such that $\sigma^V\varphi = \tilde{\varphi}$ simultaneously with showing for games α with desired instance $\tilde{\alpha}$ that there is a uniform substitution σ such that $\sigma^V_V\alpha = \tilde{\alpha}$. The output taboo W of $\sigma^V_W\alpha$ equals V by Lemma 5, because all variables V are already input taboos. Nothing needs to be shown for terms as game symbols cannot occur in terms.
1. Case φ ∧ ψ with desired instance $\tilde{\varphi} \wedge \tilde{\psi}$ (which has to have this shape to qualify as a schema instance). By IH, there are substitutions σ, τ such that $\sigma^V\varphi = \tilde{\varphi}$ and $\tau^V\psi = \tilde{\psi}$. The union φ ∪ ψ is defined, because the same replacements have been used consistently in all occurrences of the instantiation. Thus, The proof is accordingly for ¬ etc.
2. Case ∃x φ with desired instance $\exists x\,\tilde{\varphi}$. By IH, there is a substitution σ such that $\sigma^V\varphi = \tilde{\varphi}$.
Instead of following previous completeness arguments for uniform substitution [14], this paper presents a pure game-style uniform substitution formulation in Fig. 3 of a dGL axiomatization that makes the overall completeness proof most straightforward. For that purpose, the dGL axiomatization in Fig. 3 uses properties ⟨c⟩⊤ of game symbol c, which, as a game, can impose arbitrary conditions on the state even for a trivial postcondition (the formula ⊤ is always true).
All axioms of Fig. 3, except test ? , equational assignment := = , and constant solution DS, are surjective by Lemma 11. The US requirement that no substitute of f may depend on x is important for the soundness of DS and := = . Axiom ? is surjective, as it has no bound variables, so generates no taboos and none of its instances clash: σ ∅ ( ?q p ↔ q ∧ p) = ( σ ∅ ∅ q σ ∅ p ↔ σ ∅ q ∧ σ ∅ p). Similarly, rule MP is surjective [12], and the other rules are surjective by Lemma 11. Other differential equation axioms are elided but work as usual [12]. Lemma 12 (Bound renaming). Rule BR, in which ψ y x is the result of uniformly renaming x to y (also x ′ to y ′ but no x ′′ etc. occur) in ψ is locally sound: Proof. This proof is the only one using that no higher-order differential variables x (i) for i ≥ 2 occur. Local soundness follows from the equivalence: Consider any state ω in which to show this equivalence.
where the state is modified for all i ( * ) Property ( * ) is proved by straightforward induction on the structure of ψ using that x and x ′ etc. are consistently swapped with y and y ′ etc. syntactically when in the uniform renamed formula ψ y x as well as semantically in the state.
Theorem 13 (Relative completeness). The dGL calculus is a sound and complete axiomatization of hybrid games relative to any differentially expressive logic 4 L, i.e., every valid dGL formula is provable in dGL from L tautologies.
Proof. The axioms and axiomatic rules in Fig. 3 are concrete instances of sound schemata or rules from prior work [11,12] except for a slight modification in axiom DS, which is sound, because the effect of a differential equation x ′ = f on x ′ is that its value equals f while following the ODE. Even if all axioms and rules in Fig. 3 except := = ,DS are surjective by Lemma 11, most do not have the form used in the schematic completeness result for dGL [11,Thm. 4.5]. All required schematic instances of all axioms (except assignments) for that completeness result can, nevertheless, be obtained by instantiating game symbol c to the test game ?ψ for the desired instance ψ, which is possible by Lemma 11. Uniform substitution then turns each respective occurrence of c ⊤ into ?ψ ⊤, which an additional use of surjective axiom ? turns into ψ∧⊤, which first-order logic equivalences in L simplify to the desired ψ.
For example, consider the representative case $F \to \langle\beta^d\rangle G$, which implies $F \to \lnot\langle\beta\rangle\lnot G$, which implies $F \to [\beta]G$. Since $[\beta]G \prec \langle\beta^d\rangle G$, because $\beta^d$ is more complex than $\beta$ even if the modality changed, $\vdash_L F \to [\beta]G$ can be derived by IH. Axiom $[\cdot]$, thus, derives $\vdash_L F \to \lnot\langle\beta\rangle\lnot G$, from which, with Lemma 11 and the above observations about axiom $\langle ?\rangle$, axiom $\langle{}^d\rangle$ derives
Thus, Lemma 11 makes the previous completeness proof [11, Thm. 4.5] with the uniform substitution relative completeness refinements [12, Thm. 40] transfer to Fig. 3, but only if all uses of the assignment axiom, which is not surjective, can be patched. The only such case is in the proof that $F \to \langle x := \theta\rangle G$ implies that this formula can be proved in the dGL calculus from $L$. Since $\langle x := \theta\rangle G$ is equivalent to $[x := \theta]G$ via axiom $[\cdot]$, by a variation of the corresponding case in the completeness proof for dL [12, Thm. 40] that $F \to [x := \theta]G$ implies that this formula is provable by rule US from the $[\cdot]$ dual of assignment axiom $\langle :=\rangle_=$.
If $F \to [y := \theta]G$, then this formula can be proved, using a fresh variable $x$ not occurring in $\theta$ or $G$, with the following derivation by renaming (Lemma 12) using the dual of the assignment axiom $\langle :=\rangle_=$ that derives by axiom $[\cdot]$: In the above proof, the two instantiations of axiom $[:=]_=$ succeed, because $x$ and $x'$ are fresh, so do not occur in either $\theta$ or $y'$. The above proof only used equivalence transformations, so its premise is valid iff its conclusion is, which it is by assumption, so implies $F \to \forall x\,(x = \theta \to \forall x'\,(x' = y' \to G_y^x))$. Since $F \to \forall x\,(x = \theta \to \forall x'\,(x' = y' \to G_y^x)) \prec (F \to [y := \theta]G)$, because there are fewer hybrid games, $\vdash_L F \to \forall x\,(x = \theta \to \forall x'\,(x' = y' \to G_y^x))$ by IH. The above proof, thus, derives $\vdash_L F \to [y := \theta]G$.

Differential Hybrid Games
Uniform substitution generalizes from dGL for hybrid games [11] to dGL for differential hybrid games [13], which add differential games as a new atomic game. A differential game $x' = \theta \,\&^d\, y \in Y \,\&\, z \in Z$ allows Angel to control how long to follow the differential equation $x' = \theta$ (in which variables $x, y, z$ may occur) while Demon provides a measurable input for $y$ over time satisfying the formula $y \in Y$ always and Angel, knowing Demon's current input, provides a measurable input for $z$ satisfying the formula $z \in Z$. All occurrences of $y, z$ in $x' = \theta \,\&^d\, y \in Y \,\&\, z \in Z$ are bound, and $y \in Y$ and $z \in Z$ are formulas in the free variables $y$ or $z$, respectively. It has been a long-standing challenge to give mathematical meaning [4,5] and sound reasoning principles [13] for differential games. Both outcomes can simply be adopted here under the usual well-definedness assumptions [13].
Uniform substitution application in Fig. 2 lifts to differential games by adding: where $\bar U$ is $U \cup \{x, x', y, y', z, z'\}$. Well-definedness assumptions on differential games [13] need to hold, e.g., only first-order logic formulas denoting compact sets are allowed for controls and the differential equation needs to be bounded. As terms are unaffected by adding differential games to the syntax, Lemmas 1 and 6 do not change. The proofs of the coincidence lemmas 2 and 3 and bound effect lemma 4 [14] transfer to dGL with differential hybrid games verbatim thanks to their use of semantically defined free and bound variables, which continue to work for differential games. The proof of Lemma 5 generalizes easily by adding a case for differential games. The uniform substitution lemmas 7 and 8 inductively generalize to differential hybrid games because of: ${}_z \,\&^d\, v \in \sigma^{\bar U} Y \,\&\, w \in \sigma^{\bar U} Z]\!]\,X$ by uniform renaming of $y$ to $v$ and $z$ to $w$ (proof of Lemma 12), which are fresh. Here $\sigma^{\bar U}\theta\,{}_y^v\,{}_z^w$ is the result of uniformly renaming $y$ to $v$ and $z$ to $w$ in the term $\sigma^{\bar U}\theta$, and $v \in \sigma^{\bar U} Y$ the result of uniformly renaming $y$ to $v$ in $y \in \sigma^{\bar U} Y$ (no $z$ occurs), and $w \in \sigma^{\bar U} Z$ the result of uniformly renaming $z$ to $w$ in $z \in \sigma^{\bar U} Z$, where $y$ does not occur. Without loss of generality (by performing two subsequent uniform substitutions), no symbol that is being replaced by $\sigma$ occurs in any of $\sigma$'s replacements. Hence, σ is idempotent and X . Now that both are phrased in the same interpretation, the equivalence $\nu \in \sigma^*_\omega I[\![x' = \theta \,\&^d\, y \in Y \,\&\, z \in Z]\!]\,X$ iff $\nu \in \sigma^*_\omega I[\![x' = \sigma^{\bar U}\theta\,{}_y^v\,{}_z^w \,\&^d\, v \in \sigma^{\bar U} Y \,\&\, w \in \sigma^{\bar U} Z]\!]\,X$ follows provided that the following dGL formula is true in $\sigma^*_\omega I, \nu$ for a fresh game symbol $c$ with $\sigma^*_\omega I[\![\langle c\rangle\top]\!] = X$: Without loss of generality, replace free occurrences of variables $\{x, x', y, y', z, z'\}^\complement$ by their respective real values in $\nu$. Now (2) is true in $\sigma^*_\omega I, \nu$ by the (locally sound) differential game refinement