Semantics and Axiomatization for Stochastic Differential Dynamic Logic
Michael Roberts, Alexei Kopylov, and Aleksey Nogin
HRL Laboratories, LLC, Malibu, CA, {mroberts, akopylov, anogin}@hrl.com, https://csrs.hrl.com/
Cornell University, Ithaca, NY
Abstract.
Building on previous work by André Platzer, we present a formal language for Stochastic Differential Dynamic Logic, and define its semantics, axioms and inference rules. Compared to the previous effort, our account of Stochastic Differential Dynamic Logic follows closer to, and is more compatible with, the traditional account of the regular Differential Dynamic Logic. We resolve an issue with the well-definedness of the original work's semantics, while showing how to make the logic more expressive by incorporating nondeterministic choice, definite descriptions and differential terms. Definite descriptions necessitate using a three-valued truth semantics. We also give the first Uniform Substitution calculus for Stochastic Differential Dynamic Logic, making it more practical to implement in proof assistants.
Keywords:
Stochastic reasoning · Dynamic logic · Proof calculus · Hybrid systems · Theorem proving
It is well known that safety of complex hybrid systems, such as cyber-physical systems (whether autonomous or not), cannot be achieved with just simulation and testing [6, 8]. The space of possible behaviors is so big that testing and simulation cannot provide sufficient coverage. Achieving high confidence in correctness requires the ability to model the system mathematically and to prove its properties with the aid of an automated reasoning system. Moreover, cyber-physical systems operate in uncertain environments, and even modeling such a system is a nontrivial task. Thus, we need a system that is able to reason about properties that incorporate such uncertainties.

Differential Dynamic Logic (dDL) has proven a useful tool for certifying hybrid systems [13, 14]. However, it and its simplest probabilistic extensions can only reason about those systems whose continuous behavior is fully deterministic, but many hybrid systems are best modeled as stochastic processes. This may be because they are deployed in a setting where the underlying dynamics are stochastic, such as in processes interacting with physical materials with stochastic properties, or with financial markets, or because they represent a controller acting under measurement uncertainty. Reasoning about such systems in a dDL style was formulated in Stochastic Differential Dynamic Logic [10, 11].

Part of the reason that dDL has been successful in practice is the substantial amount of work done on its theory since it was first proposed. Notably, the adoption of uniform substitution based reasoning [13] allowed the move from KeYmaera to KeYmaera X [4] with a much smaller Trusted Code Base, and the introduction of definite descriptions in dL^ι [2] allowed for reasoning about terms that may not always be defined but which are required in practice (such as square roots).
In this work, we seek to develop the foundational theory required for a practical implementation of stochastic differential logic, by introducing a stochastic differential logic with definite descriptions in the uniform substitution style.

These are not the only differences between the logic presented here and the original sDL [11, 12]. We also allow for programs with true non-determinism, as this is important for reasoning about hybrid systems whose design is not fully specified.

Defining semantics for stochastic differential dynamic logic is a non-trivial task. We also found what we believe to be an error in the proof that the original sDL semantics are well-defined, in the sense that the semantics of formulas should always be measurable. (Namely, the proof of measurability for the semantics of ⟨α⟩f in [12, Appendix A.2] uses the right-continuity of ⟦α⟧_t to capture the value of ⟦f⟧ at ⟦α⟧_t for times t with converging sequences of rational nets. However, this is true only if ⟦f⟧ is continuous on each path, which is not always the case.) To resolve this, our semantics differ from those of most dDL-style logics in that the "continuous" programs x' = θ & H cannot terminate non-deterministically at any point while H is true, but instead only at pre-chosen stopping times.

Our semantics differ from those of dL^ι (dDL with definite descriptions [2]) in another key way: we define formulas to be indeterminate in the case of program failure, and interpret program modalities to quantify over failures, while dL^ι ignores them. So we would evaluate [x := 1 ∪ fail] x = 1 to be indeterminate, while the original dL^ι would evaluate it to true. By formulating a nondeterministic controller as a nondeterministic guarded choice operator which fails when all guards are simultaneously false, we avoid the common challenge encountered by KeYmaera X users (particularly novices), where it is easy to accidentally state and prove a safety lemma that is vacuously true, that is, true not because the controller would always keep the system safe, but because the controller definition accidentally excludes the unsafe trajectories from consideration.

This paper is structured as follows. We first present the syntax of our SDL formulation, with a brief outline of the intended semantics, in Section 2. We then present the full formal semantics in Section 3. We define the semantics of our validity judgment and present some proof rules in Section 4. We present an axiomatization of our SDL in Section 5. We extend our validity judgment to statements about probabilities, and present proof rules and axioms for probabilistic statements, in Section 6. We then outline a uniform substitution calculus for SDL in Section 7. We conclude and discuss the next steps in Section 8. The proofs of correctness for our axioms with respect to the semantics are presented in Appendix A. The paper assumes some familiarity with stochastic processes or stochastic differential equations; for relevant exposition please see [11].

Terms are given by the grammar

\[ \theta, \kappa ::= c \mid x \mid \theta * \kappa \mid \theta + \kappa \mid f_d(\theta_1, \theta_2, \ldots, \theta_d) \mid d_t(\theta) \mid d_{B,x}(\theta) \mid \iota_i \varphi_d \]

for c a constant, x a variable, and f_d a function symbol of arity d. In the definite description ι_i φ_d, d is a positive integer, i ∈ [1..d], and φ_d is a formula with no program or formula symbols as subexpressions, containing d special variable symbols □_{φ_d,n} for n ∈ [1..d] that are not used in any other context. Call the set of such special variables appearing in φ_d □_{φ_d}.

Variables come from a countable set V that is closed under subscripting by t or by B,x. The term d_t(θ) is a differential that expresses the rate of change of θ with respect to time. d_{B,x}(θ) is similar, but expresses the rate of change relative to the Brownian motion that is associated to the variable x.
Programs are given by

\[ \alpha, \beta ::= x_i := \theta \mid x_i := * \mid d\mathbf{x} = \mathbf{b}\,dt + \sigma\,dW \,\&\, H \mid \mathrm{if}\ H\ \mathrm{then}\ \alpha\ \mathrm{else}\ \beta \mid \alpha \cup \beta \mid \alpha ; \beta \mid \alpha^* \mid \mathrm{skip} \mid \mathrm{fail} \mid \gamma \]

for H a formula containing no program, and γ a program symbol. x is a vector of variables, and b, σ respectively a vector and a square matrix of terms of corresponding dimension. dx = b dt + σ dW & H evolves the system according to the expressed stochastic differential equation for some non-deterministically chosen length of time. x_i := ∗ draws a new value for x_i uniformly from [0, 1]. α ∪ β represents the nondeterministic choice between α and β (note: in some accounts of dDL, the notation α | β is used instead), α ; β represents the sequential execution of α and β, α* represents an arbitrary (nondeterministic) number of repetitions of program α, skip is an empty "no-op" program, and fail is a "failure" program: once executed, it causes everything to become indeterminate.

Formulas are given by

\[ \varphi, \psi ::= \theta \ge \kappa \mid \neg\varphi \mid \varphi \wedge \psi \mid p_d(\theta_1, \theta_2, \ldots, \theta_d) \mid \langle\alpha\rangle\varphi \mid \mathrm{sure}(\varphi) \]

sure(φ) is true when φ is true, and false otherwise (that is, if φ is false or indeterminate). The program modality ⟨α⟩φ gives the maximum value of φ that could be achieved after running α.

We will use φ ∨ ψ as syntactic sugar for ¬(¬φ ∧ ¬ψ) and [α]φ for ¬⟨α⟩¬φ. Also, ind(φ) for ¬sure(φ) ∧ ¬sure(¬φ). Then we define φ_1 → φ_2 as ¬φ_1 ∨ φ_2 ∨ (ind(φ_1) ∧ ind(φ_2)), and φ_1 ↔ φ_2 as (φ_1 → φ_2) ∧ (φ_2 → φ_1).
In order to account for partial definitions, we take R_⊥ := R ∪ {⊥}, with ⊥ standing in for "undefined", so that ⊥ added to or multiplied by anything is ⊥. We consider R_⊥ to have the "extended topology" generated by the open sets of R and the singleton {⊥}, and take the Borel sigma algebra on this topology. Similarly, take L := {⊕, ⊙, ⊖}, the truth values of Łukasiewicz logic [15] (true, indeterminate, false), ordered ⊖ < ⊙ < ⊕. Define the negation operator as ⊕̄ := ⊖, ⊙̄ := ⊙, ⊖̄ := ⊕.

At any point in a program, only finitely many variables will have been used. Let R̂^V_⊥ be the set of maps from V to R_⊥ that are ⊥ in all but finitely many places. Alternatively, we may be at a point where the program has crashed, which we write ⊗, or where it has gone past the bounds of its differential equation, which we write ⊘. Call the set of valuations Val := R̂^V_⊥ ∪ {⊗, ⊘}. Then let a state z be a random variable on Val, z : Ω → Val. Let the set of states be Z.

As in [11], we will fix a canonical sample space Ω and a sigma algebra F on it. We endow it with a probability measure P and a family of IID uniform random variables U : Ω → [0, 1]. We also fix the set 𝒞 of choice sequences (infinite sequences of bits), on which we use the usual tail and head functions. Let tail(n, C) := tail^n(C). We will often use a choice sequence to select a natural number, so define nat : 𝒞 → N, C ↦ min{p | C(p) = 0}, where C(p) is the p-th element of C, starting the count at 0.

An interpretation I assigns meanings to function, predicate, and program symbols. That is, I f_d : R^d_⊥ → R_⊥ and I p_d : R^d_⊥ × Ω → L, such that I f_d and I p_d are measurable, and I γ : Val → Ω → 𝒞 → Val × 𝒞 such that:
1. At every v ∈ Val, ω ∈ Ω, and C ∈ 𝒞, π_2(Iγ(v, ω, C)) = tail(n, C) for some n, and if C' agrees with C on the first n elements, then π_1(Iγ(v, ω, C')) = π_1(Iγ(v, ω, C)) and π_2(Iγ(v, ω, C')) = tail(n, C'), and
2. For a state z ∈ Z and sequence C ∈ 𝒞, the map λω. π_1(Iγ(z(ω), ω, C)) is measurable.

An interpretation I also defines a countable subset of R^+, called I_times. These are the time values at which it is okay for a continuous program to stop. I_times is indexed by N from least to greatest. We denote the set of possible interpretations by 𝕀.

Term Semantics. We give term semantics as ⟦θ⟧ : 𝕀 → R̂^V_⊥ → R_⊥, written I_x⟦θ⟧ for a valuation x. Then we define the function Îθ : R̂^V_⊥ → R_⊥ as λx. I_x⟦θ⟧. This semantics is extended to 𝕀 → Val → R_⊥ by defining I_⊗⟦θ⟧ = ⊥ = I_⊘⟦θ⟧ for all θ. This further extends to 𝕀 → Z → Ω → R_⊥ as I_z⟦θ⟧(ω) := I_{z(ω)}⟦θ⟧.

\[\begin{aligned}
I_{\mathbf{x}}\llbracket c \rrbracket &:= c \\
I_{\mathbf{x}}\llbracket x \rrbracket &:= \mathbf{x}(x) \\
I_{\mathbf{x}}\llbracket \theta * \kappa \rrbracket &:= I_{\mathbf{x}}\llbracket \theta \rrbracket * I_{\mathbf{x}}\llbracket \kappa \rrbracket \\
I_{\mathbf{x}}\llbracket \theta + \kappa \rrbracket &:= I_{\mathbf{x}}\llbracket \theta \rrbracket + I_{\mathbf{x}}\llbracket \kappa \rrbracket \\
I_{\mathbf{x}}\llbracket f_d(\theta_1, \ldots, \theta_d) \rrbracket &:= I f_d(I_{\mathbf{x}}\llbracket \theta_1 \rrbracket, \ldots, I_{\mathbf{x}}\llbracket \theta_d \rrbracket)
\end{aligned}\]

For definite descriptions and differentials, we will first define candidate semantic functions Can(I, θ) : R̂^V_⊥ → R_⊥. If the candidates are not measurable, we will discard them in favor of the constant ⊥ function.

\[ \mathrm{Can}(I, \iota_i\varphi_d)(\mathbf{x}) := \begin{cases} \mathbf{y}(\square_{\varphi_d,i}) & \text{if } \exists!\, \mathbf{y} \in \hat{\mathbb{R}}^V_\perp.\ \mathbf{x} \text{ and } \mathbf{y} \text{ agree outside } \square_{\varphi_d} \text{ and } \forall\omega.\ I_{\mathbf{y}}\llbracket\varphi_d\rrbracket(\omega) = \oplus \\ \perp & \text{otherwise} \end{cases} \]

Since φ_d doesn't contain programs or formula symbols, its semantics are constant across Ω.

\[ \mathrm{Can}(I, d_t(\theta))(\mathbf{x}) := \Big(\sum_{x \in V} x_t\, \frac{\partial \hat{I}\theta}{\partial x}\Big)(\mathbf{x}) + \frac{1}{2} \sum_{x, y \in V} \frac{\partial^2 \hat{I}\theta}{\partial x\, \partial y}\Big(\sum_{j \in V} x_{B,j}\, y_{B,j}\Big)(\mathbf{x}) \]

\[ \mathrm{Can}(I, d_{B,x}(\theta))(\mathbf{x}) := \Big(\sum_{y \in V} \frac{\partial \hat{I}\theta}{\partial y}\, y_{B,x}\Big)(\mathbf{x}) \]

where the last two definitions evaluate to ⊥ when the derivatives are undefined. Now:

\[\begin{aligned}
I_{\mathbf{x}}\llbracket \iota_i\varphi_d \rrbracket &:= \begin{cases} \mathrm{Can}(I, \iota_i\varphi_d)(\mathbf{x}) & \text{if } \mathrm{Can}(I, \iota_i\varphi_d) \text{ is measurable} \\ \perp & \text{otherwise} \end{cases} \\
I_{\mathbf{x}}\llbracket d_t\theta \rrbracket &:= \begin{cases} \mathrm{Can}(I, d_t\theta)(\mathbf{x}) & \text{if } \mathrm{Can}(I, d_t\theta) \text{ is measurable} \\ \perp & \text{otherwise} \end{cases} \\
I_{\mathbf{x}}\llbracket d_{B,x}\theta \rrbracket &:= \begin{cases} \mathrm{Can}(I, d_{B,x}\theta)(\mathbf{x}) & \text{if } \mathrm{Can}(I, d_{B,x}\theta) \text{ is measurable} \\ \perp & \text{otherwise} \end{cases}
\end{aligned}\]

Program Semantics. ⟦α⟧ : 𝕀 → Val → Ω → 𝒞 → Val × 𝒞, written I_v⟦α⟧(ω, C). Then we can extend this to ⟦α⟧ : 𝕀 → Z → Ω → 𝒞 → Val × 𝒞 by setting I_z⟦α⟧(ω, C) := I_{z(ω)}⟦α⟧(ω, C). For all I, α, ω, C, I_⊗⟦α⟧(ω, C) := (⊗, C) and I_⊘⟦α⟧(ω, C) := (⊘, C). Thus these cases are ignored below.

\[ I_v\llbracket x := \theta \rrbracket(\omega, C) := \begin{cases} (\otimes, C) & \text{if } I_v\llbracket\theta\rrbracket(\omega) = \perp \\ (v[I_v\llbracket\theta\rrbracket(\omega)/x],\ C) & \text{otherwise} \end{cases} \]

\[ I_v\llbracket x := * \rrbracket(\omega, C) := (v[U(\omega)/x],\ C) \quad \text{for } U \text{ a never-before-used uniform random variable} \]

For the stochastic differential equation, let

\[ R_t := v\Big[\mathbf{x} \mapsto v(\mathbf{x}) + \int_0^t \llbracket \mathbf{b} \rrbracket(\omega)\, dt + \int_0^t \llbracket \sigma \rrbracket(\omega)\, dW(\omega)\Big], \]

or R_t := ⊗ if that is undefined because b or σ take on the value ⊥ in some location before t, or if I_{R_t}⟦H⟧(ω) ≠ ⊕. Then, with t := I_times(nat(C)),

\[ I_v\llbracket d\mathbf{x} = \mathbf{b}\,dt + \sigma\,dW \,\&\, H \rrbracket(\omega, C) := \begin{cases} (\otimes,\ \mathrm{tail}(\mathrm{nat}(C), C)) & \text{if } \exists t' \le t.\ R_{t'} = \otimes \\ (R_t,\ \mathrm{tail}(\mathrm{nat}(C), C)) & \text{otherwise} \end{cases} \]

\[ I_v\llbracket \mathrm{if}\ H\ \mathrm{then}\ \alpha\ \mathrm{else}\ \beta \rrbracket(\omega, C) := \begin{cases} I_v\llbracket\alpha\rrbracket(\omega, C) & \text{if } I_v\llbracket H\rrbracket(\omega) = \oplus \\ I_v\llbracket\beta\rrbracket(\omega, C) & \text{if } I_v\llbracket H\rrbracket(\omega) = \ominus \\ (\otimes, C) & \text{if } I_v\llbracket H\rrbracket(\omega) = \odot \end{cases} \]

\[ I_v\llbracket \alpha \cup \beta \rrbracket(\omega, C) := \begin{cases} I_v\llbracket\alpha\rrbracket(\omega, \mathrm{tail}(C)) & \text{if } \mathrm{head}(C) = 0 \\ I_v\llbracket\beta\rrbracket(\omega, \mathrm{tail}(C)) & \text{if } \mathrm{head}(C) = 1 \end{cases} \]

\[\begin{aligned}
I_v\llbracket \alpha ; \beta \rrbracket(\omega, C) &:= \text{let } (v_\alpha, C_\alpha) = I_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } I_{v_\alpha}\llbracket\beta\rrbracket(\omega, C_\alpha) \\
I_v\llbracket \alpha^* \rrbracket(\omega, C) &:= I_v\llbracket \alpha^{\mathrm{nat}(C)} \rrbracket(\omega, \mathrm{tail}(\mathrm{nat}(C), C)) \quad \text{where } \alpha^0 = \mathrm{skip} \text{ and } \alpha^{k+1} = \alpha ; \alpha^k \\
I_v\llbracket \gamma \rrbracket(\omega, C) &:= (I\gamma)(v, \omega, C) \\
I_v\llbracket \mathrm{skip} \rrbracket(\omega, C) &:= (v, C) \\
I_v\llbracket \mathrm{fail} \rrbracket(\omega, C) &:= (\otimes, C)
\end{aligned}\]

Formula Semantics. ⟦φ⟧ : 𝕀 → Val → Ω → L, written I_v⟦φ⟧(ω). Similarly to above, we can extend this to ⟦φ⟧ : 𝕀 → Z → Ω → L, written I_z⟦φ⟧(ω). For all φ, we define I_⊗⟦φ⟧(ω) := I_⊘⟦φ⟧(ω) := ⊙. The behavior at all other valuations is defined below; conjunction is the minimum in the order ⊖ < ⊙ < ⊕, and the modality takes the supremum over all choice sequences, so that a single crashing run makes ⟨α⟩φ at least indeterminate.

\[ I_v\llbracket \theta \ge \kappa \rrbracket(\omega) := \text{let } a = I_v\llbracket\theta\rrbracket(\omega),\ b = I_v\llbracket\kappa\rrbracket(\omega) \text{ in } \begin{cases} \oplus & \text{if } a - b \ge 0 \\ \ominus & \text{if } a - b < 0 \\ \odot & \text{if } a - b = \perp \end{cases} \]

\[\begin{aligned}
I_v\llbracket \neg\varphi \rrbracket(\omega) &:= \overline{I_v\llbracket\varphi\rrbracket(\omega)} \\
I_v\llbracket \varphi \wedge \psi \rrbracket(\omega) &:= \min(I_v\llbracket\varphi\rrbracket(\omega),\ I_v\llbracket\psi\rrbracket(\omega)) \\
I_v\llbracket p_d(\theta_1, \ldots, \theta_d) \rrbracket(\omega) &:= I p_d(I_v\llbracket\theta_1\rrbracket(\omega), \ldots, I_v\llbracket\theta_d\rrbracket(\omega))(\omega) \\
I_v\llbracket \langle\alpha\rangle\varphi \rrbracket(\omega) &:= \text{let } v_C = \pi_1\, I_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sup_{C \in \mathcal{C}} I_{v_C}\llbracket\varphi\rrbracket(\omega) \\
I_v\llbracket \mathrm{sure}(\varphi) \rrbracket(\omega) &:= \begin{cases} \oplus & \text{if } I_v\llbracket\varphi\rrbracket(\omega) = \oplus \\ \ominus & \text{otherwise} \end{cases}
\end{aligned}\]

The following theorems are proven in Appendix A.
Theorem 1 (Measurability of Term Semantics).
For any term θ, any interpretation I, and any state z, I_z⟦θ⟧ : Ω → R_⊥ is a measurable function.
Theorem 2 (Measurability of Formula Semantics).
For any formula φ, any interpretation I, and any state z, I_z⟦φ⟧ : Ω → L is a measurable function.
Theorem 3 (Measurability of Determinized Program Semantics).
For any program α, any interpretation I, any state z, and any choice sequence C, λω. π_1 I_z⟦α⟧(ω, C) : Ω → Val is a state (a measurable function).
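The three-valued semantics above are easiest to trust once one has run them. The following is an added example, my own code rather than anything from the paper, that evaluates the discrete fragment of the logic (assignment, if, ∪, ;, skip, fail; no star, no SDEs, no symbols, no randomization) at a single fixed sample point ω, so Ω plays no role. The encoding of terms, formulas and programs as tuples is mine, as is the `ignore_failures` switch, which drops crashed runs from the supremum to mimic the dL^ι treatment of failures that the introduction contrasts with. It reproduces the two claims made there: [x := 1 ∪ fail] x ≥ 1 is indeterminate under the paper's semantics but true if failures are ignored, and a guarded controller that fails when no guard holds cannot be proven "vacuously safe"; it also evaluates crash(α) = ind([α] 0 ≥ 0) as used by rule G.

```python
"""Evaluator for the discrete, star-free fragment at one fixed sample point.

Encoding (mine, not the paper's): terms ('c', r), ('var', x), ('+', t, k),
('*', t, k); formulas ('geq', t, k), ('not', f), ('and', f, g), ('sure', f),
('diamond', prog, f); programs ('assign', x, t), ('if', H, a, b),
('union', a, b), ('seq', a, b), ('skip',), ('fail',).
A valuation is a dict; an unset variable is undefined (BOTTOM), matching the
paper's finitely supported maps.  A choice sequence is a 0/1 tuple: a
star-free program consumes at most one bit per union node, so the supremum
over all choice sequences is a maximum over finitely many tuples.
"""
from itertools import product

FALSE, IND, TRUE = 0, 1, 2          # Lukasiewicz values, ordered FALSE < IND < TRUE
NEG = {TRUE: FALSE, IND: IND, FALSE: TRUE}
CRASH = "crash"                     # the crashed valuation
BOTTOM = None                       # the undefined real


def term(t, v):
    """Term semantics; BOTTOM propagates through + and *."""
    if t[0] == "c":
        return t[1]
    if t[0] == "var":
        return v.get(t[1], BOTTOM)
    a, b = term(t[1], v), term(t[2], v)
    if a is BOTTOM or b is BOTTOM:
        return BOTTOM
    return a + b if t[0] == "+" else a * b


def count_choices(p):
    """Upper bound on the number of choice bits a star-free program consumes."""
    if p[0] == "union":
        return 1 + count_choices(p[1]) + count_choices(p[2])
    if p[0] == "seq":
        return count_choices(p[1]) + count_choices(p[2])
    if p[0] == "if":
        return count_choices(p[2]) + count_choices(p[3])
    return 0


def run(p, v, C):
    """Program semantics: returns (valuation, remaining choice sequence)."""
    if v is CRASH:                      # crashes propagate
        return CRASH, C
    kind = p[0]
    if kind == "assign":
        val = term(p[2], v)
        if val is BOTTOM:               # assigning an undefined term crashes
            return CRASH, C
        return {**v, p[1]: val}, C
    if kind == "if":
        h = formula(p[1], v)
        if h == TRUE:
            return run(p[2], v, C)
        if h == FALSE:
            return run(p[3], v, C)
        return CRASH, C                 # an indeterminate guard crashes
    if kind == "union":                 # head of C selects the branch
        return run(p[1] if C[0] == 0 else p[2], v, C[1:])
    if kind == "seq":
        v1, C1 = run(p[1], v, C)
        return run(p[2], v1, C1)
    if kind == "skip":
        return v, C
    return CRASH, C                     # fail


def formula(f, v, ignore_failures=False):
    """Three-valued formula semantics.  ignore_failures=True drops crashed
    runs from the supremum (my model of the dL-iota behaviour the paper
    contrasts with); the default is the paper's semantics."""
    if v is CRASH:
        return IND
    kind = f[0]
    if kind == "geq":
        a, b = term(f[1], v), term(f[2], v)
        if a is BOTTOM or b is BOTTOM:
            return IND
        return TRUE if a >= b else FALSE
    if kind == "not":
        return NEG[formula(f[1], v, ignore_failures)]
    if kind == "and":
        return min(formula(f[1], v, ignore_failures), formula(f[2], v, ignore_failures))
    if kind == "sure":
        return TRUE if formula(f[1], v, ignore_failures) == TRUE else FALSE
    prog, post = f[1], f[2]             # diamond: sup over choice sequences
    outcomes = []
    for C in product((0, 1), repeat=count_choices(prog)):
        v1, _ = run(prog, v, C)
        if ignore_failures and v1 is CRASH:
            continue
        outcomes.append(formula(post, v1, ignore_failures))
    return max(outcomes, default=FALSE)   # no surviving run: diamond is false


def box(p, phi):
    return ("not", ("diamond", p, ("not", phi)))


def ind(phi):
    return ("and", ("not", ("sure", phi)), ("not", ("sure", ("not", phi))))


def choice_with_fail(ignore_failures=False):
    """[x := 1 ∪ fail] x >= 1: IND under the paper's semantics, TRUE if failures are ignored."""
    prog = ("union", ("assign", "x", ("c", 1)), ("fail",))
    return formula(box(prog, ("geq", ("var", "x"), ("c", 1))), {}, ignore_failures)


# Constructed guarded controller: step towards 0 when |x| >= 1, and fail when
# no guard holds (-1 < x < 1).  SAFE is the envelope -1 <= x <= 1.
X = ("var", "x")
CTRL = ("if", ("geq", X, ("c", 1)), ("assign", "x", ("+", X, ("c", -1))),
        ("if", ("geq", ("c", -1), X), ("assign", "x", ("+", X, ("c", 1))), ("fail",)))
SAFE = ("and", ("geq", X, ("c", -1)), ("geq", ("c", 1), X))


def controller_safe(x0, ignore_failures=False):
    """Value of [CTRL] SAFE at x = x0."""
    return formula(box(CTRL, SAFE), {"x": x0}, ignore_failures)


def crashes(p, v):
    """crash(p) := ind([p] 0 >= 0), the side formula of rule G."""
    return formula(ind(box(p, ("geq", ("c", 0), ("c", 0)))), v)
```

At x = 0 no guard of `CTRL` holds: the paper's semantics return IND for [CTRL] SAFE (the proof obligation is visibly unfinished), while ignoring failures returns TRUE with no run having been checked. At x = 3 the controller steps to 2, which is outside the envelope, and the box is FALSE under both readings.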
Definition 1 (Pathwise Validity).
A formula φ is valid under a countable set of stop-times T if ∀I ∈ 𝕀 such that I_times = T, ∀v ∈ R̂^V_⊥, ∀ω ∈ Ω. I_v⟦φ⟧(ω) = ⊕. Then we write T ⊨ φ. If T has the property that T' ⊇ T → T' ⊨ φ, we write T ⊩ φ. φ is pathwise valid if ∃T such that T ⊩ φ. Where a formula appears in a proof tree, it should be interpreted as the assertion that the formula is pathwise valid.
Note that if φ_1, φ_2 are valid, there exist T_1, T_2 such that T_1 ⊩ φ_1 and T_2 ⊩ φ_2, so T_1 ∪ T_2 ⊩ φ_1 and T_1 ∪ T_2 ⊩ φ_2. The following proof rules are easily proven valid by inspection of the formula semantics, considering the consequent in the union of the two antecedents' stop times.

\[ \frac{\varphi_1 \qquad \varphi_2}{\varphi_1 \wedge \varphi_2}\ \text{AND-ELIM} \qquad\qquad \frac{\varphi_1 \qquad \varphi_1 \to \varphi_2}{\varphi_2}\ \text{MP} \]

As φ_1 ↔ φ_2 is valid if and only if they have the same semantics for every I, v, ω, we have a syntactic substitution rule

\[ \frac{\varphi_1 \leftrightarrow \varphi_2}{\varphi \leftrightarrow \varphi[\varphi_2/\varphi_1]}\ \text{IFF-SUB} \]

Note that one of the usual proof rules of dynamic logic, the rule "G" that says we may derive the validity of [α]φ from that of φ, is not sound in its usual form here, because α may be a failing program. Instead, let crash(α) be the formula ind([α] 0 ≥ 0), which evaluates to ⊕ if α may transition to ⊗ and to ⊖ otherwise.

\[ \frac{\varphi}{\mathrm{crash}(\alpha) \vee [\alpha]\varphi}\ \text{G} \]

In addition, we will use a uniform substitution proof rule to instantiate axioms under some substitution σ. We will present and justify this rule in a later section.
We present an axiom schema. Below, each θ, φ, α should be interpreted as a (term, formula, program) symbol of arity 0. Where the soundness proofs follow trivially from the defined semantics, we have omitted them (this is most cases).

We start with the axioms that manipulate formulas.

Id
• φ ↔ φ
Higher Order Equality
• (φ_1 ↔ φ_2) ↔ (φ_2 ↔ φ_1)
• (φ_1 ↔ φ_2) ↔ (¬φ_1 ↔ ¬φ_2)
Conjunction
• (φ_1 ∧ φ_2) ↔ (φ_2 ∧ φ_1)
• φ ↔ (φ ∧ φ)
• ((φ_1 ∧ φ_2) ∧ φ_3) ↔ (φ_1 ∧ (φ_2 ∧ φ_3))
• φ_1 ∧ φ_2 → φ_1
Double Negation Elimination
• ¬¬φ ↔ φ

Note that double negation elimination is valid, but the law of the excluded middle is not, unless we are dealing with sure quantities.

Excluded Middle of Sureness
• sure(φ) ∨ ¬sure(φ)
Sureness
• sure(φ) ↔ sure(sure(φ))
• sure(φ) → φ
• sure(φ_1) → (φ_2 → φ_1 ∧ φ_2)
• ¬sure(φ) ↔ ¬φ ∨ ind(φ)
• sure(φ_1 ∧ φ_2) ↔ sure(φ_1) ∧ sure(φ_2)

All formulas that are valid in the theory of real closed fields are valid here, so we can take as axioms any axiomatization of real closed fields. Additionally, we have the following axioms for differentiating terms:

\[\begin{aligned}
d_t\, c &= 0 & (d_t c) \\
d_{B,i}\, c &= 0 & (d_B c) \\
d_t\, x &= x_t & (d_t x) \\
d_{B,i}\, x &= x_{B,i} & (d_B x) \\
d_t(f + g) &= d_t f + d_t g & (d_t +) \\
d_{B,i}(f + g) &= d_{B,i} f + d_{B,i} g & (d_W +) \\
d_t(f * g) &= g * d_t f + f * d_t g + \textstyle\sum_i d_{B,i} f * d_{B,i} g & (d_t *) \\
d_{B,i}(f * g) &= g * d_{B,i} f + f * d_{B,i} g & (d_W *)
\end{aligned}\]

Finally, we have an axiom for substituting equal terms:
• (θ_1 = θ_2) → (p(θ_1) ↔ p(θ_2))

Modality
• ⟨α⟩(φ_1 ∨ φ_2) ↔ ⟨α⟩φ_1 ∨ ⟨α⟩φ_2
Skip and Fail
• ⟨skip ; α⟩φ ↔ ⟨α⟩φ
• ⟨α⟩φ ↔ ⟨α ; skip⟩φ
• ⟨skip⟩φ ↔ φ
• ind(⟨fail ; α⟩φ)
• ind(⟨α ; fail⟩φ)
Nondeterministic Choice
• ⟨α ∪ β⟩φ ↔ ⟨β ∪ α⟩φ
• ⟨α ∪ β⟩φ ↔ ⟨α⟩φ ∨ ⟨β⟩φ
• ⟨α⟩φ → ⟨α ∪ β⟩φ
Conditionals
• ⟨if H then α else β⟩φ ↔ (H ∧ ⟨α⟩φ) ∨ (¬H ∧ ⟨β⟩φ)
Iteration
• ⟨α*⟩φ ↔ φ ∨ ⟨α ; α*⟩φ
• [α*] sure(φ → [α]φ) → sure(φ → [α*]φ)
Composition
• ⟨α ; β⟩φ ↔ ⟨α⟩⟨β⟩φ

This one necessitates some justification:
Lemma 1 (No Look-Ahead Consumption).
For any I, v, ω, and C, there exists a natural number n_C such that π_2(I_v⟦α⟧(ω, C)) = tail^{n_C}(C). Furthermore, for any C' that agrees with C in the first n_C places, π_1(I_v⟦α⟧(ω, C')) = π_1(I_v⟦α⟧(ω, C)).
Proof.
By structural induction on programs.
Lemma 2 (Compositionality of Supremum Semantics). I_v⟦⟨α ; β⟩φ⟧(ω) = I_v⟦⟨α⟩⟨β⟩φ⟧(ω).
Proof.
\[\begin{aligned}
I_v\llbracket\langle\alpha\rangle\langle\beta\rangle\varphi\rrbracket(\omega) &= \text{let } v_1 = \pi_1(I_v\llbracket\alpha\rrbracket(\omega, C_1)) \text{ in } \sup_{C_1} I_{v_1}\llbracket\langle\beta\rangle\varphi\rrbracket(\omega) \\
&= \text{let } v_1 = \pi_1(I_v\llbracket\alpha\rrbracket(\omega, C_1)) \text{ in let } v_2 = \pi_1(I_{v_1}\llbracket\beta\rrbracket(\omega, C_2)) \text{ in } \sup_{C_1}\sup_{C_2} I_{v_2}\llbracket\varphi\rrbracket(\omega).
\end{aligned}\]
By Lemma 1, this
\[ = \text{let } v_C = \pi_1(I_v\llbracket\alpha ; \beta\rrbracket(\omega, C)) \text{ in } \sup_C I_{v_C}\llbracket\varphi\rrbracket(\omega) = I_v\llbracket\langle\alpha ; \beta\rangle\varphi\rrbracket(\omega). \]

Assignment
• def(θ) → ([x := θ] p(x) ↔ p(θ))

Differential Axioms
These axioms correspond to the differential axioms of dL^ι, Figure 4 of [13]. The first two correspond to DW and DC, which say that in the absence of crashes, we may move constraints into postconditions and established postconditions into constraints. The next two correspond to DE, and say that after an SDE is run, it has performed assignments on the differentials of all involved variables. The fifth axiom uses the condition that the system have no stochastic behavior to ensure it is exactly axiom DI of [13], reducing to the case of ODEs.
• crash(dx = b dt + σ dW & H) ∨ [dx = b dt + σ dW & H] H
• sure([dx = b dt + σ dW & H_1(x)] H_2(x)) → ([dx = b dt + σ dW & H_1(x) ∧ H_2(x)] H_3(x) ↔ [dx = b dt + σ dW & H_1(x)] H_3(x))
• [dx = b dt + σ dW & H] d_t x_i = b_i
• [dx = b dt + σ dW & H] d_{B,x_j} x_i = σ_{i,j}
• [dx = b dt + σ dW & H] (σ = 0 ∧ d_t θ_1 ≥ d_t θ_2) → ([dx = b dt + σ dW & H] θ_1 ≥ θ_2 ↔ (H → θ_1 ≥ θ_2))

We have been careful to establish that our semantics is measurable. Now we can reason about real arithmetic extended with terms of the form P(φ). As before, a set of stop times models a formula ♠ of this language, T ⊨ ♠, when for any I such that I_times = T and any state z such that P(z = ⊘) = P(z = ⊗) = 0, ♠ is a true formula of arithmetic under the substitution P(φ) ↦ P(I_z⟦φ⟧(ω) = ⊕). Again we say that a set of stop times validates ♠, T ⊩ ♠, when T' ⊇ T ⇒ T' ⊨ ♠, and ♠ is valid if ∃T that validates it.

The following proof rules contain assertions about both the validity of formulas in this arithmetic language and the validity of sDL formulas. Clearly we can take all the axioms of real arithmetic here, as well as the following axioms and proof rules whose soundness is self-evident:
• P(φ) ≥ 0
• P(¬φ) ≤ 1 − P(φ)
• P(φ_1 ∨ φ_2) ≥ P(φ_1)
• P(sure(φ)) = P(φ)

\[ \frac{\varphi}{P(\varphi) = 1}\ \text{VALID-PROB} \qquad\qquad \frac{(\mathrm{sure}(\varphi_1) \to \neg\mathrm{sure}(\varphi_2)) \wedge (\mathrm{sure}(\varphi_2) \to \neg\mathrm{sure}(\varphi_1))}{P(\varphi_1 \vee \varphi_2) = P(\varphi_1) + P(\varphi_2)}\ \text{DISJOINT-PROB} \]

The hardest reasoning principles are those that deal with the program modality. The following axiom is valid because every time we randomize a variable, we do so independently.
• P(⟨x := ∗⟩φ) = ∫_0^1 P(⟨x := s⟩φ) ds

Note that integrals aren't a part of our language, so what we really mean is that the left hand side = c for some constant c, with the side condition that c equals the right hand side. In particular we can derive from this: 0 ≤ c ≤ 1 → P(⟨x := ∗ ; if x
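Returning to the differential-term axioms (d_t x), (d_B x), (d_t ∗), (d_W ∗) and the DE axioms above, here is a worked instance, added as an illustration and not taken from the paper. Take a single variable x driven by a single Brownian motion, dx = b dt + σ dW & H with scalar terms b and σ, and compute the differentials of the term x ∗ x purely axiomatically:

\[ d_t(x * x) = x * d_t x + x * d_t x + \sum_i d_{B,i} x * d_{B,i} x = 2\,x\,x_t + \sum_i (x_{B,i})^2, \qquad d_{B,x}(x * x) = x * d_{B,x} x + x * d_{B,x} x = 2\,x\,x_{B,x}. \]

Inside the modality, the DE axioms replace x_t by b and x_{B,x} by σ (with one Brownian motion the sum has the single term i = x), so

\[ [dx = b\,dt + \sigma\,dW \,\&\, H]\ d_t(x * x) = 2\,x\,b + \sigma^2, \qquad [dx = b\,dt + \sigma\,dW \,\&\, H]\ d_{B,x}(x * x) = 2\,x\,\sigma. \]

This is Itô's formula for x², namely d(x²) = (2xb + σ²) dt + 2xσ dW; the σ² term is the product-rule correction that distinguishes (d_t ∗) from the deterministic Leibniz rule, and it is exactly what the DI-style axiom discards by requiring σ = 0. The same value comes out of the candidate semantics Can(I, d_t θ) for θ = x ∗ x: ∂Îθ/∂x = 2x and ∂²Îθ/∂x² = 2, so

\[ \mathrm{Can}(I, d_t(x * x))(\mathbf{x}) = x_t \cdot 2x + \tfrac{1}{2} \cdot 2 \cdot (x_{B,x})^2 = 2\,x\,x_t + (x_{B,x})^2, \]

matching the axiomatic computation before the DE substitution.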
The read variables RV and write variables WV are defined semantically. Below, "v_1 = v_2 except at x" means the two valuations agree on every variable other than x.

\[\begin{aligned}
\mathrm{RV}(\theta) &:= \{\, x \in V \mid \exists I, v_1, v_2.\ v_1 = v_2 \text{ except at } x,\ I_{v_1}\llbracket\theta\rrbracket \ne I_{v_2}\llbracket\theta\rrbracket \,\} \\
\mathrm{RV}(\alpha) &:= \{\, x \in V \mid \exists I, v_1, v_2, v_3, \omega, C.\ v_1 = v_2 \text{ except at } x,\ I_{v_1}\llbracket\alpha\rrbracket(\omega, C) = v_3,\ \nexists v_4.\ v_4 = v_3 \text{ except at } x \wedge I_{v_2}\llbracket\alpha\rrbracket(\omega, C) = v_4 \,\} \\
\mathrm{RV}(\varphi) &:= \{\, x \in V \mid \exists I, v_1, v_2, \omega.\ v_1 = v_2 \text{ except at } x,\ I_{v_1}\llbracket\varphi\rrbracket(\omega) \ne I_{v_2}\llbracket\varphi\rrbracket(\omega) \,\} \\
\mathrm{WV}(\alpha) &:= \{\, x \in V \mid \exists I, v_1, v_2, \omega, C.\ I_{v_1}\llbracket\alpha\rrbracket(\omega, C) = v_2,\ v_1(x) \ne v_2(x) \,\} \\
\mathrm{WV}(\varphi) &:= \bigcup_{\alpha \text{ a subexpression of } \varphi} \mathrm{WV}(\alpha)
\end{aligned}\]

Definition 3.
The signature Σ of a term, program, or formula is the set of function, predicate, and program symbols it contains. Along the lines of [13], define the read variables introduced by σ into a program or formula e as RV(σ, e) := ∪_{s ∈ Σ(σ) ∩ Σ(e)} RV([σs]). σ is defined to be admissible for e when for any subexpression e' of e, RV(σ, e') ∩ WV([σe']) = ∅.
Note that, along the lines of the original US paper [13], we can syntactically compute over-approximations of the sets of read and write variables. Thus in some cases we can prove that substitutions are admissible solely syntactically.
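The following added example, my own code and not the paper's, shows such a syntactic admissibility check on the discrete fragment: read variables are over-approximated by every variable occurrence and write variables by every assigned variable, and a substitution is rejected whenever some subexpression e' has RV(σ, e') ∩ WV([σ e']) ≠ ∅, as in Definition 3. The tuple encoding is mine; `('fsym', f)` is an arity-0 function symbol, `('psym', p, [args])` a predicate symbol with arguments, and `('dot', i)` stands for the paper's argument placeholder •_{σ,p,i}. The `iff` node is kept unexpanded because its expansion into ¬, ∧, sure mentions exactly the same variables. The formula checked is the Assignment axiom [x := θ] p(x) ↔ p(θ) with the def(θ) antecedent omitted: substituting p(·) ↦ (· ≥ y) is admissible, while p(·) ↦ (· ≥ x) clashes on x, and the resulting instance [x := 2](x ≥ x) ↔ (2 ≥ x) is indeed not valid.

```python
"""Syntactic read/write variable over-approximation and the admissibility
check for uniform substitution (my encoding, not the paper's).

Terms: ('c', r), ('var', x), ('+', t, k), ('fsym', f).
Formulas: ('geq', t, k), ('not', f), ('and', f, g), ('sure', f),
          ('diamond', prog, f), ('iff', f, g), ('psym', p, [args]).
Programs: ('assign', x, t), ('if', H, a, b), ('union', a, b), ('seq', a, b),
          ('skip',), ('fail',).
A substitution maps a function symbol to a term and a predicate symbol to a
template formula whose ('dot', i) nodes are filled with the i-th argument.
"""


def children(e):
    """Immediate subexpressions (predicate arguments included)."""
    kids = [x for x in e[1:] if isinstance(x, tuple)]
    return kids + (list(e[2]) if e[0] == "psym" else [])


def fill_dots(template, args):
    """Replace ('dot', i) by the i-th (already substituted) argument."""
    if template[0] == "dot":
        return args[template[1]]
    return (template[0],) + tuple(fill_dots(x, args) if isinstance(x, tuple) else x
                                  for x in template[1:])


def apply_subst(sigma, e):
    """[sigma e]: uniform substitution, applied bottom-up."""
    kind = e[0]
    if kind == "fsym":
        return sigma.get(e[1], e)
    if kind == "psym":
        args = [apply_subst(sigma, a) for a in e[2]]
        return fill_dots(sigma[e[1]], args) if e[1] in sigma else ("psym", e[1], args)
    return (kind,) + tuple(apply_subst(sigma, x) if isinstance(x, tuple) else x
                           for x in e[1:])


def rv(e):
    """Over-approximation of RV: every variable occurrence (placeholders read nothing)."""
    if e[0] == "var":
        return {e[1]}
    return set().union(*(rv(c) for c in children(e)))


def wv(e):
    """Over-approximation of WV: every assigned variable."""
    if e[0] == "assign":
        return {e[1]}
    return set().union(*(wv(c) for c in children(e)))


def subexpressions(e):
    yield e
    for c in children(e):
        yield from subexpressions(c)


def symbols(e):
    return {s[1] for s in subexpressions(e) if s[0] in ("fsym", "psym")}


def rv_of_subst(sigma, e):
    """RV(sigma, e): read variables of the replacements of symbols occurring in e."""
    return set().union(*(rv(sigma[s]) for s in symbols(e) if s in sigma))


def clashes(sigma, e):
    """Subexpressions e' with RV(sigma, e') ∩ WV([sigma e']) non-empty, with the clashing variables."""
    found = []
    for sub in subexpressions(e):
        bad = rv_of_subst(sigma, sub) & wv(apply_subst(sigma, sub))
        if bad:
            found.append((sub, bad))
    return found


def admissible(sigma, e):
    return not clashes(sigma, e)


def clash_variables(sigma, e):
    return set().union(*(bad for _, bad in clashes(sigma, e)))


def box(p, phi):
    return ("not", ("diamond", p, ("not", phi)))


# Assignment axiom with arity-0 function symbol th and unary predicate p:
#   [x := th] p(x) <-> p(th)        (the def(th) antecedent is omitted)
X = ("var", "x")
ASSIGN_AX = ("iff", box(("assign", "x", ("fsym", "th")), ("psym", "p", [X])),
             ("psym", "p", [("fsym", "th")]))

# p(.) := (. >= y) reads only y, which the assignment does not write: admissible.
SIGMA_OK = {"th": ("c", 2), "p": ("geq", ("dot", 0), ("var", "y"))}
# p(.) := (. >= x) reads x, which [x := 2] writes: clash.  The instance would be
# [x := 2] (x >= x) <-> (2 >= x), which is not valid.
SIGMA_CLASH = {"th": ("c", 2), "p": ("geq", ("dot", 0), X)}
```

`clashes` reports every offending subexpression so that the reader can see which binder is responsible; `admissible` is the yes/no verdict the US rule needs, and `apply_subst` produces the instantiated formula when the check passes.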
We follow the strategy of the original US paper with modifications to fit oursemantics.
Adjoint Substitutions
For q ∈ R^d_⊥, let I^q_{σ,f_d} be the interpretation that is the same as I, but with •_{σ,f_d,i} mapped to q(i) for all i, and let I^q_{σ,p_d} be the interpretation that is the same as I but with •_{σ,p_d,i} mapped to q(i).

Definition 4 (Substitution Adjoint, taken from [13]).
The adjoint to substitution σ is the operation that maps I, v to the adjoint interpretation σ*(I, v):

\[\begin{aligned}
\sigma^*(I, v)(f_d) &= \lambda q : \mathbb{R}^d_\perp.\ (I^q_{\sigma,f_d})_v\llbracket \sigma f_d \rrbracket \\
\sigma^*(I, v)(p_d) &= \lambda q : \mathbb{R}^d_\perp.\ \lambda\omega.\ (I^q_{\sigma,p_d})_v\llbracket \sigma p_d \rrbracket(\omega) \\
\sigma^*(I, v)(\gamma) &= \lambda v', \omega', C'.\ I_{v'}\llbracket [\sigma\gamma] \rrbracket(\omega', C') \\
\sigma^*(I, v)_{times} &= I_{times}
\end{aligned}\]

Note that σ*(I, v)(γ) does not depend on v. The following corollary follows directly from the above definitions.

Corollary 1 (Equal Adjoint Interpretations). If for some term, program, or formula symbol e, v_1 = v_2 on RV(σ, e), then σ*(I, v_1)(e) = σ*(I, v_2)(e). Therefore for any program or formula e, if v_1 = v_2 on RV(σ, e), e has the same semantics under the interpretations σ*(I, v_1) and σ*(I, v_2). The following lemmas are proven in Appendix A.
Lemma 3 (Uniform substitution for terms). For all I, v: I_v⟦[σθ]⟧ = σ*(I, v)_v⟦θ⟧.

Lemma 4 (Uniform substitution for programs). When σ is admissible for α, uniform substitution and its adjoint interpretation have the same semantics for all I, v, ω, C: I_v⟦[σα]⟧(ω, C) = σ*(I, v)_v⟦α⟧(ω, C).

Lemma 5 (Uniform substitution for formulas). When σ is admissible for φ, the uniform substitution σ and its adjoint interpretation have the same semantics for all I, v, ω: I_v⟦[σφ]⟧(ω) = σ*(I, v)_v⟦φ⟧(ω).

US, USP
The rule US instantiates a valid formula φ as [σφ] whenever σ is admissible for φ; USP does the same for the probabilistic formulas ♠ of Section 6. US is thus sound: T ⊩ φ holds if and only if for any I with I_times a superset of T, and all v, ω, I_v⟦φ⟧(ω) = ⊕. If σ is admissible for φ then by Lemma 5, for any I with I_times a superset of T, I_v⟦[σφ]⟧(ω) = σ*(I, v)_v⟦φ⟧(ω) = ⊕, as σ*(I, v) has the same times as I. We obtain the soundness of USP similarly.

We have given a logic for reasoning about stochastic hybrid programs, with a measurable semantics. To make it suitable for implementation in a practical proof assistant, we have extended it with definite descriptions and differentials, and given it a proof calculus in a uniform substitution style.
We have maintained the measurability of our semantics by adopting an all-or-nothing approach with respect to definite descriptions and differentials, where if the resulting semantics isn't measurable we throw it out. It would be interesting to see if we could handle terms more delicately by only demanding that their semantics be measurable when restricted to the contexts of the formulas they appear in. Additionally, sufficient conditions for measurability of partial derivatives are given in [7], and it may be fruitful to incorporate them into our semantics.

We have presented just one proof rule for stochastic differential equations, based on prior work from [11] which leverages Doob's martingale inequality. There is a rich literature on concentration inequalities for martingales [1, 5] as well as inequalities on the solutions of SDEs, such as [3]. We would like to derive sound proof rules based on these methods, and we believe that the differential terms of our language will allow us to do so in a way that minimizes the need for semantic side-conditions.
Appendix A Proofs
Proof (Theorem 1).
We proceed by structural induction. It is enough that the function Îθ be measurable; the intended result then follows from the structure of the σ-algebra on Val, and from composing with z as a measurable function. The semantics of constants and variables satisfy this immediately. Term symbols, differentials, and definite descriptions do so by definition. Addition and multiplication follow from the inductive hypothesis.

Proof (Theorems 2, 3).
We prove these theorems simultaneously by induction on the structure of programs and formulas.
Formulas:
The measurability of inequalities follows from Theorem 1. The cases of negation, conjunction, and sureness follow from the inductive hypothesis. The interpreted formula symbols are measurable by definition. For ⟨α⟩φ, we have

\[ \text{let } z_C(\omega) = \pi_1\, I_{z(\omega)}\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sup_C I_{z_C(\omega)}\llbracket\varphi\rrbracket(\omega). \]

By Theorem 3 and the IH, each z_C must be measurable, so by the IH so is ω ↦ I_{z_C(ω)}⟦φ⟧(ω). The semantics here are then the pointwise supremum of countably many measurable functions, which is measurable [7].

Programs:
Under a particular choice sequence, α ∪ β and α* behave as other programs, so we don't need to consider these cases. γ preserves measurability by definition. skip acts as the identity transform on states, and fail outputs a constant function, so these trivially preserve measurability. That α ; β preserves measurability follows directly from the IH. Random variables and Itô integrals are measurable by definition. The semantics of assignments and conditionals can be rewritten as compositions of the semantics of terms, formulas, and programs with projections, and thus preserve measurability by the appropriate use of the IH and Theorem 1.

Proof (Lemmas 3, 4, 5).
We place the following well-founded partial order on substitutions: σ_1 ⊑ σ_2 if Σ(σ_1) ⊂ Σ(σ_2), or if every element of Σ(σ_1) is of the form •_{σ_2,τ_d,i} for τ_d some symbol f_d or p_d in Σ(σ_2). The unique least substitution is then the identity substitution. Observe that from Definition 4, the lemmas always hold when σ is the identity substitution. We proceed by mutual structural induction on terms, programs, and formulas, and simultaneously on the ordering on substitutions. Note that semantics where v = ⊗ or v = ⊘ don't change under reinterpretation, so below we just consider the cases when v ∈ R̂^V_⊥.

Let us start by considering terms:
• The semantics of constants and variables don't change under different interpretations, and substitutions don't change them.
• The cases of addition, multiplication, and derivatives follow immediately by the IH.
• As formulas appearing in definite descriptions contain no programs, they have no write variables, so σ is admissible for them and this case also follows by the IH.
• For function symbols, write τ for the substitution {•_{σ,f_d,i} ↦ [σθ_i] | i ∈ 1..d}, which is below σ in the ordering above. Then
\[ I_v\llbracket[\sigma\, f_d(\theta_1, \ldots, \theta_d)]\rrbracket = I_v\llbracket[\tau(\sigma f_d)]\rrbracket \overset{IH}{=} \tau^*(I, v)_v\llbracket \sigma f_d \rrbracket. \]
Note that τ*(I, v) acts the same as I except that it interprets each •_{σ,f_d,i} as I_v⟦[σθ_i]⟧. So by definition, the above expression
\[ = \sigma^*(I, v)(f_d)\big(I_v\llbracket[\sigma\theta_1]\rrbracket, \ldots, I_v\llbracket[\sigma\theta_d]\rrbracket\big) \overset{IH}{=} \sigma^*(I, v)(f_d)\big(\sigma^*(I, v)_v\llbracket\theta_1\rrbracket, \ldots, \sigma^*(I, v)_v\llbracket\theta_d\rrbracket\big) = \sigma^*(I, v)_v\llbracket f_d(\theta_1, \ldots, \theta_d)\rrbracket. \]

Now consider programs:
• Assignment:
\[\begin{aligned}
I_v\llbracket[\sigma\, x := \theta]\rrbracket(\omega, C) &= I_v\llbracket x := [\sigma\theta]\rrbracket(\omega, C) = \begin{cases} (\otimes, C) & I_v\llbracket[\sigma\theta]\rrbracket = \perp \\ (v[I_v\llbracket[\sigma\theta]\rrbracket/x], C) & \text{else} \end{cases} \\
&\overset{IH}{=} \begin{cases} (\otimes, C) & \sigma^*(I, v)_v\llbracket\theta\rrbracket = \perp \\ (v[\sigma^*(I, v)_v\llbracket\theta\rrbracket/x], C) & \text{else} \end{cases} = \sigma^*(I, v)_v\llbracket x := \theta\rrbracket(\omega, C)
\end{aligned}\]
• Differential equations follow similarly.
• The semantics of randomization, skip, and fail don't change under reinterpretation.
• I_v⟦[σγ]⟧(ω, C) = σ*(I, v)_v⟦γ⟧(ω, C) by definition.
• Sequential composition:
\[\begin{aligned}
I_v\llbracket[\sigma\, \alpha ; \beta]\rrbracket(\omega, C) &= I_v\llbracket[\sigma\alpha] ; [\sigma\beta]\rrbracket(\omega, C) = \text{let } (v_\alpha, C_\alpha) = I_v\llbracket[\sigma\alpha]\rrbracket(\omega, C) \text{ in } I_{v_\alpha}\llbracket[\sigma\beta]\rrbracket(\omega, C_\alpha) \\
&\overset{IH}{=} \text{let } (v_\alpha, C_\alpha) = \sigma^*(I, v)_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sigma^*(I, v_\alpha)_{v_\alpha}\llbracket\beta\rrbracket(\omega, C_\alpha).
\end{aligned}\]
By definition, v = v_α on the complement of WV([σα]), which ⊇ RV(σ, α ; β) by admissibility, hence ⊇ RV(σ, β) by definition. Then by Corollary 1, the above
\[ = \text{let } (v_\alpha, C_\alpha) = \sigma^*(I, v)_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sigma^*(I, v)_{v_\alpha}\llbracket\beta\rrbracket(\omega, C_\alpha) = \sigma^*(I, v)_v\llbracket\alpha ; \beta\rrbracket(\omega, C). \]
• Conditional, union, and star follow similarly from the IH. Star requires a nested induction on n in α^n.

And finally formulas:
• For inequalities, this follows from Lemma 3 and the IH.
• Since the write variables of φ are a superset of the write variables of any of its subexpressions, σ must be admissible for each of its subexpressions. Then we can apply the IH for the cases of conjunction, negation, and sureness.
• For predicate symbols, write τ for the substitution {•_{σ,p_d,i} ↦ [σθ_i] | i ∈ 1..d}. Then
\[ I_v\llbracket[\sigma\, p_d(\theta_1, \ldots, \theta_d)]\rrbracket(\omega) = I_v\llbracket[\tau(\sigma p_d)]\rrbracket(\omega) \overset{IH}{=} \tau^*(I, v)_v\llbracket \sigma p_d \rrbracket(\omega). \]
Note that τ*(I, v) acts the same as I except that it interprets each •_{σ,p_d,i} as I_v⟦[σθ_i]⟧(ω). So by definition, the above expression
\[ = \sigma^*(I, v)(p_d)\big(I_v\llbracket[\sigma\theta_1]\rrbracket, \ldots, I_v\llbracket[\sigma\theta_d]\rrbracket\big)(\omega) \overset{IH}{=} \sigma^*(I, v)(p_d)\big(\sigma^*(I, v)_v\llbracket\theta_1\rrbracket, \ldots, \sigma^*(I, v)_v\llbracket\theta_d\rrbracket\big)(\omega) = \sigma^*(I, v)_v\llbracket p_d(\theta_1, \ldots, \theta_d)\rrbracket(\omega). \]
• Modality:
\[\begin{aligned}
I_v\llbracket[\sigma\, \langle\alpha\rangle\varphi]\rrbracket(\omega) &= I_v\llbracket\langle[\sigma\alpha]\rangle[\sigma\varphi]\rrbracket(\omega) = \text{let } v_C = \pi_1\, I_v\llbracket[\sigma\alpha]\rrbracket(\omega, C) \text{ in } \sup_C I_{v_C}\llbracket[\sigma\varphi]\rrbracket(\omega) \\
&\overset{IH}{=} \text{let } v_C = \pi_1\, \sigma^*(I, v)_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sup_C I_{v_C}\llbracket[\sigma\varphi]\rrbracket(\omega) \\
&\overset{IH}{=} \text{let } v_C = \pi_1\, \sigma^*(I, v)_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sup_C \sigma^*(I, v_C)_{v_C}\llbracket\varphi\rrbracket(\omega).
\end{aligned}\]
Now by definition, v_C = v on the complement of WV([σα]), which ⊇ the complement of WV([σ⟨α⟩φ]) by definition, which by admissibility ⊇ RV(σ, ⟨α⟩φ), which again by definition ⊇ RV(σ, φ). Hence by Corollary 1, the above
\[ = \text{let } v_C = \pi_1\, \sigma^*(I, v)_v\llbracket\alpha\rrbracket(\omega, C) \text{ in } \sup_C \sigma^*(I, v)_{v_C}\llbracket\varphi\rrbracket(\omega) = \sigma^*(I, v)_v\llbracket\langle\alpha\rangle\varphi\rrbracket(\omega). \]

References
1. Aeckerle-Willems, C., Strauch, C.: Concentration of scalar ergodic diffusions and some statistical implications (2019), https://arxiv.org/abs/1807.11331
2. Bohrer, B., Fernández, M., Platzer, A.: dL$_\iota$: Definite descriptions in differential dynamic logic. In: Fontaine, P. (ed.) Automated Deduction – CADE 27, pp. 94–110. Springer International Publishing, Cham (2019). DOI: 10.1007/978-3-030-29436-6_6
3. Ding, X., Wu, R.: A new proof for comparison theorems for stochastic differential inequalities with respect to semimartingales. Stochastic Processes and their Applications (2), 155–171 (Nov 1998). DOI: 10.1016/S0304-4149(98)00051-9
4. Fulton, N., Mitsch, S., Quesel, J.D., Völp, M., Platzer, A.: KeYmaera X: An axiomatic tactical theorem prover for hybrid systems. In: Automated Deduction – CADE-25, pp. 527–538. Springer International Publishing (2015). DOI: 10.1007/978-3-319-21401-6_36
5. Howard, S.R., Ramdas, A., McAuliffe, J., Sekhon, J.: Time-uniform Chernoff bounds via nonnegative supermartingales (2020), https://arxiv.org/abs/1808.03204
6. Loos, S.M., Platzer, A., Nistor, L.: Adaptive cruise control: Hybrid, distributed, and now formally verified. In: Butler, M., Schulte, W. (eds.) FM. Lecture Notes in Computer Science, vol. 6664, pp. 42–56. Springer (2011). DOI: 10.1007/978-3-642-21437-0_6
7. Marcus, M., Mizel, V.J.: Measurability of partial derivatives. Proceedings of the American Mathematical Society (2), 236–238 (1977)
8. Mitsch, S., Ghorbal, K., Platzer, A.: On provably safe obstacle avoidance for autonomous robotic ground vehicles. In: Newman, P., Fox, D., Hsu, D. (eds.) Robotics: Science and Systems (2013), http://roboticsproceedings.org/rss09/p14.pdf
9. Øksendal, B.: Stochastic Differential Equations (3rd Ed.): An Introduction with Applications. Springer-Verlag, Berlin, Heidelberg (1992)
10. Peng, Y., Wang, S., Zhan, N., Zhang, L.: Extending hybrid CSP with probability and stochasticity. CoRR abs/1509.01660 (2015), https://arxiv.org/abs/1509.01660
11. Platzer, A.: Stochastic differential dynamic logic for stochastic hybrid programs. In: Bjørner, N., Sofronie-Stokkermans, V. (eds.) Automated Deduction – CADE-23. Lecture Notes in Computer Science, vol. 6803, pp. 446–460. Springer Berlin Heidelberg, Berlin, Heidelberg (2011). DOI: 10.1007/978-3-642-22438-6_34
12. Platzer, A.: Stochastic differential dynamic logic for stochastic hybrid programs. Tech. Rep. CMU-CS-11-111, Carnegie Mellon University (2011). DOI: 10.1184/R1/6609920.v1
13. Platzer, A.: A complete uniform substitution calculus for differential dynamic logic. Journal of Automated Reasoning (2), 219–265 (Aug 2017). DOI: 10.1007/s10817-016-9385-1
14. Platzer, A.: Logical Foundations of Cyber-Physical Systems. Springer Publishing Company, Incorporated, 1st edn. (2018)
15. Łukasiewicz, J.: O logice trójwartościowej. Ruch Filozoficzny 5