A CPS Analysis of Pong

A CPS Analysis of Pong

A CPS Analysis of Pong Milda Zizyte and Felix Hutchison December 9, 2014 1 Abstract To ensure a quality product, it is imperative that video game d...

232KB Sizes 0 Downloads 1 Views

Recommend Documents

ATARI PONG E CIRCUIT ANALYSIS & LAWN TENNIS - Pong-Story
Background: In the early 1970's a new product was born. It was a digital video game which simulated table tennis. Digita

CPS economic analysis - Asian Development Bank
Economic Management under Musharraf and Coalition Rule: Key Lessons for Sustainable Growth, in. R. Amjad and S. Burki, e

CPS Poverty Analysis (Summary) - Asian Development Bank
Poverty in Pakistan is estimated using the official poverty line, and ... Poverty in rural and urban areas exhibited sim

Writing a Pong Game
hello1.c. * purpose show the minimal calls needed to use curses. * outline initialize, draw stuff, wait for input, quit.

A Little Chicken Named Pong-Pong - Project Literacy
information, visit projectliteracy.com. Together, we can rewrite lives. - Idris Elba, September 8th 2017. This isn't the

CPS: People's Republic of China 2011-2015 - Poverty Analysis
decline in poverty in the People's Republic of China (PRC). For example, the ... in the PRC is sensitive to the standard

pong: fast analysis and visualization of latent clusters in - bioRxiv
Nov 14, 2015 - 1000 Genomes Project, and show that pong outpaces current solutions .... Figure 1 displays a screenshot o

Installing pong Running pong
We have provided an example dataset on which you can run pong (download available at the. Ramachandran Lab website). Usi

Analysis of Ping-Pong Reaction Mechanisms by Positional Isotope
Analysis of Ping-Pong Reaction Mechanisms by Positional. Isotope Exchange. APPLICATION TO GALACTOSE-1-PHOSPHATE URIDYLTR

Game of Pong
Game of Pong. Produced by: Mairead Meagher. Dr. Siobhán Drohan. Department of Computing and Mathematics http://www.wit.

A CPS Analysis of Pong Milda Zizyte and Felix Hutchison December 9, 2014

1

Abstract

To ensure a quality product, it is imperative that video game developers minimize glitches in their games. This paper presents a method to formalize models of the object interactions and physics that video games rely on in order to mathematically prove their correctness. To illustrate this, we prove that the ball in a game of pong does not leave the screen with a series of controller models that increase in complexity. In all but the most complicated case, this is done with an automated proof solver. The last step is proved by hand, and from this we suggest several proof rules to be added to the automated proof software in order to assure automatic formal proofs for games in the future.

2

Introduction

Often, the complexities of video games stem from a need to reproduce some amount of physics in the gaming environment, and have the objects in the game behave consistent to these physics. The market demands quality in the industry, but, often, players still manage to find glitches in the physics implementations of these games because of faulty assumptions made by the developers. As these glitches can make gameplay counterintutive or downright illogical, developers may want some way of ensuring that the objects in their games are consistent with physics. The intent of this project is to provide an illustrative example of how this can be achieved by formalizing the model of the game and using automated proofs to formally ensure that a game behaves according to physics and intuitive play. The goal of this CPS project is to model and prove the correctness of increasingly more complex paddle controllers in the game of the game of Pong. While Pong itself is not a physical system, it is meant to mimic the dynamics of a game of table tennis. “Pong is a two-dimensional sports game that simulates table tennis. The player controls an in-game paddle by moving it vertically across the left side of the screen, and can compete against either a computer-controlled opponent or another player controlling a second paddle on the opposing side. Players use the paddles to hit a ball back and forth.” [1] This gives way to three main objects in a system modeling pong: the ball and the two paddles. The 1

paddles have vertical motion controlled by an AI or a player, and the ball has physics which respond to it hitting the walls of the arena and the ping pong paddles. For our formalisms, we use the language of linear differential logic, or DL. The systems are modeled as hybrid programs, where control is dependent on discrete assignment, nondeterministic choice, repetition, test, and ordinary differential equations. Properties are governed by first order logic and modalities. The automated proof solving software KeYmaera provides a framework for creating proofs within this formal system automatically or semi-automatically with manual interaction. We use this software to prove properties of our model, in conjunction to showing several properties by hand. Using this tool, we prove that our model of pong ensures that the ball obeys physics of the walls, and that following the ball with the paddles keeps the ball on the playing screen. Using non-automated formal proof, we further show that the ball can be kept on the screen by the player by removing strict starting conditions. This last step creates a requirement for proof rules unavailable in KeYmaera, which we prove semantically and argue for the addition of in order to automate further game verification.

3

Related Work

Surprisingly, there are not currently any papers analyzing paddle controllers in Pong, or at least none that we could find. However, there does exist some work exploring how to formalize games. [3] outlines a framework for specifying a formal model of a game before game development, and then auto-generating code based on this model. This method features an Event-B model that defines invariants in these games, and the example game the authors write is a very clear cyberphysical system - a model of a car. This paper shows that some attempts at formalizing games to ensure correct physics have been made, but makes no discussion on the actual formal proofs of the models they use. At least one other work formally outlines reachability conditions for generated Mario levels [4]. The paper is an example of how formal methods can be used to show playability of a certain game given initial conditions. While the paper makes no mention of hybrid languages for cyberphysical systems, it motivates our work to prove that certain starting configurations of playable.

4

Terminology

As illustrated in Figure 1, we model the screen as a rectangle with upper-left origin and width W idth (abbreviated as W ) and height Height (abbreviated as H). The boundaries are at the upper and lower walls (black). The ball (red) is a point with location (bx , by ) and linear velocity vector (bvx , bvy ). The player and opponent paddles (blue) are line segments with y-centers Py and Oy and velocities P vy and Ovy , respectively. Both paddles have length 2 · Wp .

2

Figure 1: The pong playing screen The main property were interested in is that of the controlled paddle being always able to return the ball and prevent a point from being scored. Since the opponent paddle is assumed to be perfect, this property can be rephrased as “no point is scored”. For an actual measurable property we can instead check the position of ball and ensure it stays out of the scoring box. Since we want this to always hold true, it should be expressed as a safety property (an always). To prove this property in KeYmaera, we express this as the dL formula [α∗ ]ourScoringBox < ball < opponentScoringBox. We also have the opposite case, where the controller is not sufficient. In this situation, we want to show that a point can be scored. This corresponds to the liveness property hα∗ i(ball < ourScoringBox ∨ ball > opponentScoringBox).

5

Outline of goals

The first stepping stone in this project is to get the ball bouncing correctly off the walls. This is mostly just getting the dynamics of α, the differential equations, correct. Once we’ve shown the correctness of the ball movement in an empty course, we introduce the player paddles and prove that the ball still remains in the course. We then move on to proving perfect play under these control schema.

6 6.1

Methodology Ball physics

The control here has the ball move linearly and change direction upon hitting a wall. If it hits a vertical wall, its horizontal velocity flips sign, and if it hits 3

a horizontal wall, its vertical velocity flips sign. The ball is allowed to start anywhere inside the screen and moves with a nonzero velocity. We show two properties. First, that the ball always stays inside the court(equation 1). Second, that the velocity of the ball remains constant, even with directional changes (equation 2). α = if (bx = 0&bvx < 0) then bvx = −bvx ; ...; if (by = H&bvy > 0) then bvy = −bvy ; (b0x = bvx , b0y = bvy &bx ≥ W &0 ≤ by ≤ H)∪ ... ∪ (b0x = bvx , b0y = bvy &0 ≤ bx ≤ W &by ≥ H) Γ, bvx2 + bvy2 = v 2 → [α∗ ]bvx2 + bvy2 = v 2

(1)

Γ, 0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H → [α∗ ]0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H

(2)

In order to prove that the ball doesn’t exit, we need to give it the actual possibility of exiting. At the very least, we need an “inner physics” evolution domain to describe the area inside of the screen, and an “outer physics” evolution domain to describe the area outside of the screen. The two evolution domains share a boundary such that it is possible to cross from one evolution domain to the next between repetitions of the control.

Figure 2: Evolution domains for Step 1 In fact, we use 9 separate evolution domains to describe the areas the ball could go, as delineated by the borders of the screen. Figure 2 illustrates these evolution domains. The gray area corresponds to inner physics and the white areas correspond to outer physics. While first trying to prove these properties, we tried to define upper physics as a single evolution domain bx ≤ 0 ∨ bx ≥ W ∨ by ≤ 0 ∨ by ≥ H,

4

where bx and by describe the x and y coordinates of the ball. However, this did not work, as certain branches of our control loop would, for example, restrict only bx at the boundary and leave by free. This is problematic if, say, bx = 0 and by is left free, as we did not have the necessary information in our proof that by would stay within the required safe range. This, combined with the branching that results from checking if the ball is at any of the four boundaries, results in a proof that has 2701 branches. This makes sense, as each of the “if” statements adds exponential complexity on the outside of the proof, and each of the nine evolution domains creates further branching within each of the big branches, but is still cumbersome. Thankfully, for the simple model of a ball bouncing off the walls, most of the proof completes automatically, but for a proof that would require manual intervention, this would quickly become cumbersome if not intractable to prove. In subsequent steps we will be using the back walls as part of our safety conditions, so we no longer need to consider their interactions with the ball. However, we will be introducing the player paddles, which interact with the ball in a similar manner, leaving us with a similar number of differential equations to consider.

6.2

Introduction of Player Paddles

The player paddles are constrained to movement in the y-direction, and have a width 2Wp less than the height of the court. If we let the paddles move discontinuously to block the ball every time the ball gets to the paddle movement axis, in an event driven manner, we should be able to demonstrate that the ball always remains between the paddles. After showing this, we can use roughly the same proof to show that no point is ever scored. The main difference in the behavior is that we have gotten rid of the back walls. Instead we substitute in the behavior of the paddles, where the ball only bounces when it hits the paddle between the paddle’s width (2· Wp ). If it misses the paddle then it continues straight, which we show as a violation of the safety property bx ≥ 0. α = if (bx = 0&bvx < 0&py + Wp ≥ by ≥ py − Wp ) then bvx = −bvx ; ...; if (by = H&bvy > 0) then bvy = −bvy ; (b0x = bvx , b0y = bvy &bx ≥ W &0 ≤ by ≤ H)∪ ... ∪ (b0x = bvx , b0y = bvy &0 ≤ bx ≤ W &by ≥ H) The other addition we make to our hybrid program is the inclusion of the paddle controllers Player (Py ) and Opponent (Oy ). For the purposes of this step, which allows cheating by making sure the paddles are always at the height of the ball, we just use nondeterministic assignment to enforce the position of the paddle.

5

β = Py := by ; Oy := by ;

Γ, 0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H → [(β, α)∗ ]0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H

(3)

Equation 3 proves automatically in KeYmaera, requiring 2236 branches. Note that the number of evolution domains has been reduced to three: the inner physics evolution domain, and the areas directly to the left and to the right of the screen.

6.3

Ball-Follower Paddle

Since a paddle that automatically places itself in the right place isn’t very interesting, we will introduce continuous behavior to the paddle that we are writing the control schemes for. This also means we have to pick what control scheme we want to examine. The first one will be a y-position follower. This controller simply tries to keep the paddles y-position to that of the ball. We will show that these dynamics are correct (eq. 4), and then that this controller is capable of perfect play (eq. 5). β = P vy := bvy ; Oy := by ;

α = if (bx = 0&bvx < 0&py + Wp ≥ by ≥ py − Wp ) then bvx = −bvx ; ...; if (by = H&bvy > 0)thenbvy = −bvy ; (b0x

= bvx , b0y = bvy &bx ≥ W &0 ≤ by ≤ Py )∪

... ∪ (b0x = bvx , b0y = bvy &0 ≤ bx ≤ W &Py ≥ by ≥ H) Γ, Py = by → [(β; α)∗ ]Py = by ∗

Γ → [(β; α) ]0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H 6.3.1

(4) (5)

The proof

This is the section where we first notice the importance of event ordering. Now that the player paddle is trying to respond to the ball, it is important that physical events that discretely change the state of the ball (e.g. a wall bounce) occur before the controllers observe the state and react. To fix this, we split α into two parts: α1 = if (bx = 0&bvx < 0&py + Wp ≥ by ≥ py − Wp ) then bvx = −bvx ; ...; if (by = H&bvy > 0) then bvy = −bvy ; 6

α2 = (b0x = bvx , b0y = bvy &bx ≥ W &0 ≤ by ≤ Py )∪ ... ∪ (b0x = bvx , b0y = bvy &0 ≤ bx ≤ W &Py ≥ by ≥ H) and prove equations 4 and 5 over runs of (α1 ; β; α2 )∗ instead. These properties then prove automatically, in under 10 minutes of compute time (see appendix A.3). This give us an indication that these techniques may be not only theoretically applicable to analysis of game physics interactions, but practicable too.

6.4

Fixed Speed Paddle

However, a paddle that perfectly matches the ball is relatively uninteresting, so let’s add another constraint. Here, the paddle velocity is fixed, and greater than that of the ball. We will show that the controller can still keep the ball above the paddle (eq. 6), that it can always get the ball there, (eq. 7), and that it can play perfectly (eq. 8). To make the controller respond appropriately, we need to add the y-crossing of paddle and ball to the evolution domains. β = if (by > Py ) then P vy = P vmax elseif (by < Py ) then P vy = −P vmax ; Oy := by ;

α = if (bx = 0&bvx < 0&py + Wp ≥ by ≥ py − Wp ) then bvx = −bvx ; ...; if (by = H&bvy > 0) then bvy = −bvy ; (b0x = bvx , b0y = bvy &bx ≥ W &0 ≤ by ≤ Py )∪ ... ∪ (b0x = bvx , b0y = bvy &0 ≤ bx ≤ W &Py ≤ by ≤ H) Γ, |Py − by | < Wp → [(α; β)∗ ]|Py − by | < Wp ∗

6.4.1

(6)

Γ → h(β; α) i|Py − by | < Wp

(7)

Γ → [(β; α)∗ ]0 ≤ bx ≤ W ∧ 0 ≤ by ≤ H

(8)

Keeping the ball over the paddle

Equation 6 describes the controller ensuring that the ball stays over the paddle. Since this is the differential invariant we use to show the safety property of 8, we will prove these at the same time. The proof file can be found in appendix A.4 and proves automatically. In some cases, however, manual intervention will greatly speed up the solution. For example, when the ball is at a boundary and interacting with the wall or paddle, it may be necessary to chose an intermediate time (t0 ) of 0, for the ODE solve, to give us the information we need for the branch.

7

ODE solve

∀t ≥ 0((∀0 ≤ t0 ≤ t.[x := ψ(t0 )]H) → [x := ψ(t)]φ) [x0 = θ]φ

Since this term may not arise immediately from the quantifier elimination, it can be beneficial to select this value manually using the forall left rule. t ≥ 0, [x := ψ(0)]H ` [x := ψ(t)]φ ∀L t ≥ 0, ∀0 ≤ t0 ≤ t.[x := ψ(t0 )]H ` [x := ψ(t)]φ →r t ≥ 0 ` (∀0 ≤ t0 ≤ t.[x := ψ(t0 )]H) → [x := ψ(t)]φ ∀r ∀t ≥ 0((∀0 ≤ t0 ≤ t.[x := ψ(t0 )]H) → [x := ψ(t)]φ) ODE solve ` [x0 = θ]φ The property proves in 34,285 steps (1227 of which were manual interventions, to assist when Quantifier Elimination encountered difficulty). Part of the reason for the largeness of this proof is the controller decisions and physical interactions that occur. in this particular proof, there were 6 if-then-else statements, resulting in 27 branches, with 9 possible evolution domains in each branch. This lead to a total of 3846 branches, many of which were similar. This is an example of a situation where lemmas would greatly assist the ease of proof. 6.4.2

Getting the ball over the paddle

While it is useful to know that the paddle control can keep the ball over top of the paddle, if it can’t get the ball there then this property is useless. What we’d like to show is that the paddle controller can always get the ball over the paddle no matter where it is when the opponent hits it. This property is expressed as Γ → h(β; α)∗ iφ Where φ ≡ |P y − by| ≤ Pwidth and Γ, β, and α remain the same as for equations 6 and 6. In this case, some formulas may be omitted for brevity, as can be seen in appendix A.5. The justification for these removals is given in the code, though the proof does not suffer if the formulas are not omitted. Unfortunately, this property is not provable in KeYmaera. The problem comes from the loop. For diamond properties over loops the proof rule needed is convergence. Γ ` ∃n.ψ(n)

∀n > 0.ψ(n) → hβ; αiψ(n − 1) Γ ` h(β; α)∗ iφ

∃n ≤ 0.ψ(n) → φ

The problem is that convergence relies on a strict progress step of 1 every time. While this can be scaled by multiplying n by some δ, we still need a fixed step advancement. This presents an issue when dealing with evolution domains. Since evolution domains restrict how much a system can evolve, it’s not always possible to pick a trace through one that progresses by at least δ. For example,

8

in this case, we can always end up in a situation where by =  such that  is sufficiently small that the differential equation α can’t evolve for long enough before hitting the evolution domain boundary by ≥ 0 to guarantee progress by δ, for any δ for any ψ. This means that we need to use new proof rules that can provide us with a way to navigate past the problem. Here we introduce two new rules: Convergence Substitution, and Loop Segmentation. Convergence Substitution, lets us use a convergence function ψ(n) that doesn’t necessarily prove φ. To do this, we introduce an easier convergence goal C, which can be proved with ψ(n), and a loop invariant F , which can be used in conjunction with C to prove the original property φ. (Soundness of this rule is in appendix B)

Convergence Substitution

Γ ` [α∗ ]C

Γ ` hα∗ iF Γ ` hα∗ iφ

F, C ` φ

The other rule we will introduce is Loop Segmentation. This rule allows us to split a loop into segments of size n. This is useful when you can make guarantees about behavior over n iterations that can’t be made about a single one.

Loop Segmentation

Γ ` h(αn )∗ iφ Γ ` hα∗ iφ

Using these two new rules, we will outline the skeleton of a proof for the property that the paddle controller can always get the ball over the paddle. The full proof would contain far to many branches to be practical on paper, due to the if conditions of paddle controller. If the above rules were added to KeYmaera it would be possible to prove this property in a more rigorous manner than outlined here.

Convergence Substitution

Γ ` [(β; α)∗ ]C

Γ ` h(β; α)∗ iF Γ ` h(β; α)∗ iφ

F, C ` φ

Where |p −b | bx C ≡ yH y ≤ W F ≡ bx ≤ 0 Here we use convergence substitution to let us pick a function that is much easier to prove the convergence of. Since bx is unaffected by bouncing or paddle control, we can more easily prove convergence of bx ≤ 0. Additionally we introduce the invariant C that is needed to show that φ is true. The intuition is that we’re using C as a property that will show φ under convergence and F as a way of showing progress of convergence.

9

QE

∗ F, C ` φ

This part is trivial, which is good. Selection of C and F should in general be chosen to ensure that this part is trivial. Next up is proving the invariant C branch. This is all normal proof techniques and will be skipped for brevity (the ifs create a lot of branches). Suffice to say the invariant conditions of Γ, and the occasional differential cut, are sufficient to prove C by differential weaken in the end of every branch.

∗ QE Γ`C LI

∗ DC,DW some formulas ` [α]C ;,if, ... C ` [(β; α)]C Γ ` [(β; α)∗ ]C

More interesting is the convergence branch. If we start trying to prove this as a direct convergence property we’d attempt something like bx ≤ δn. The problem is that we can always have an by =  such that  is sufficiently small that the differential equation α can’t evolve for long enough to guarantee bx can decrease by at least δ after one iteration. For example, if we have bvy = bvx = 1, a by = 2δ makes it impossible for bx to decrease by δ, as we run into the evolution domain constraint by ≥ 0.

QE

∗ ∃ bx < δn

n∈N

Here be dragons ∀ bx < δn → hβ; αibx < δ(n − 1)

QE

n>0

∗ ∃ bx < δn → x ≤ 0

n≤0

Γ ` h(β; α)∗ iF In order to prove this property, we need to evolve for two iterations. One to take us to the wall, and then one to evolve for as long as we want (until we hit the opposite wall). After two iterations by is guaranteed to be able to evolve by H at least H and thus bx can evolve by at least bvx| bvy |. This gives us a guarantee of progress. ... ∀n > 0.bx < δn → hβ; α; β; αibx < δ(n − 1) Γ ` h(β; α; β; α)∗ iF Loop Segmentation Γ ` h(β; α)∗ iF

as above

as above

The rest follows from these using existing proof rules (by selecting the path that evolves first to the wall and then to the opposite wall). While our discussion of the property ends here, this skeleton of a proof can be fleshed out in KeYmaera by adding the two proof rules discussed above.

10

7

Conclusions and Future Work

We have shown that it is possible to use dL models to formally prove several main aspects of pong. In particular, the methods we have employed show what initial conditions can guarantee that game dynamics behave in a certain way. In this paper specifically, we have shown how a pong ball can be proven to stay within bounds of the playing screen, that having paddles follow the ball and removing vertical walls preserves this property, that a paddle that follows the ball can prevent the player from losing, given certain initial conditions. Similar formal models can be applied to any other video game. We acknowledge, however, that this approach is still developmental. In particular, the discussion in section 6.4.2 shows the need for more rules in the KeYmaera tool to assist with automation. However, as progress in this space continues, the needed rules will be naturally discovered, and once they are proved semantically, they can be added to KeYmaera. Once development of KeYmaera has reach a sufficient point, the next step is to begin trying to prove interactions in actual on market video games. This will involve finding ways to automate the extraction of a model from interaction code, and techniques for invariant generation. In this paper, we have shown an immensely powerful technique for proving formal properties of game physics, and the applicability of formal proofs to this problem space. With added features to proof automation tools, the ability to automatically prove these properties will also increase. We maintain that formal guarantees are the best way to ensure high quality products, not only by proving that objects in the game obey physics, but by showing that players cannot win and lose in unexpected and unintuitive ways.

References [1] Pong, Wikipedia, http://en.wikipedia.org/wiki/Pong [2] Pong, Game Mechanics Wiki, http://gamemechanics.wikia.com/wiki/Pong [3] Perchy, S. and Catano, N, Formal Software Development of Android Games, http://www.lix.polytechnique.fr/ perchy/home/articles/formal game.pdf [4] Adelhart, K. and Kargov, N., Mario Game Solver, International Technological University, Masters Thesis, http://130.226.142.164/documents/reports/AdelhartKargov12.pdf

11

A A.1

Key files Key file for the simple physcis

S t a t i s t i c s can be o b t a i n e d from P r o o f −> Show P r o o f Statistics . Name : Milda Z i z y t e & F e l i x Hutchison KeYmaera v e r s i o n : 3 . 6 . 1 2 Backends used ( Mathematica , Z3 , . . . ) : Mathematica Nodes : 20617 Branches : 2701 I n t e r a c t i v e s t e p s : 52 Arithmetic Solver : 47.723 Time : 1 0 7 7 . 3 3 9 s P r o o f c o m p l e t e s (Y/N) : Y ∗/ \ functions { R Width ; R Height ; R vel ; } \ programVariables { R bx ; R by ; R vx ; R vy ; } /∗ Prove t h a t t h e b a l l s t a y s i n bounds when bouncing o f f t h e w a l l s ∗/ \ problem { /∗ INITIAL CONDITIONS ∗/ /∗ L i n e a r non−z e r o v e l o c i t y and non−empty p l a y i n g s p a c e with b a l l i n s i d e ∗/ ( Width > 0 & Height > 0 & bx > 0 & by > 0 & bx < Width & by < Height & vx ˆ2 + vy ˆ2 = v e l ˆ2 & v e l > 0 ) −> \[ 12

( /∗ CONTROL ∗/ /∗ Bouncing o f f t h e w a l l s . We check v e l o c i t y t o a v o i d oscillating i n c o n t r o l f o r e v e r ∗/ ( if if if if

( bx ( bx ( by ( by

= = = =

0 & vx < 0 ) then ( vx := −vx ) f i ; Width & vx > 0 ) then ( vx := −vx ) f i ; 0 & vy < 0 ) then ( vy := −vy ) f i ; Height & vy > 0 ) then ( vy := −vy ) f i

); /∗ CONTINUOUS DYNAMICS ∗/ /∗ The n i n e e v o l u t i o n domains c o r r e s p o n d t o t h e middle a r e a o f t h e f i e l d and t h e a r e a s d i r e c t l y above , below , t o t h e l e f t , to the right , and t h e f o u r c o r n e r s o u t s i d e t h e f i e l d . We need t h e s e s e p a r a t e domains i n o r d e r f o r t h e p r o o f t o work . ∗/ ( { bx ’ = vx , by ’ = vy & bx >= 0 & bx <= Width & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy & bx <= 0 & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy & bx <= 0 & by <= 0} ++ {bx ’ = vx , by ’ = vy & bx <= 0 & by >= Height } ++ {bx ’ = vx , by ’ = vy & bx >= Width & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy & bx >= Width & by <= 0} ++ {bx ’ = vx , by ’ = vy & bx >= Width & by >= Height } ++ {bx ’ = vx , by ’ = vy & bx >= 0 & bx <= Width & by <= 0} ++ {bx ’ = vx , by ’ = vy & bx >= 0 & bx <= Width & by >= Height } ) ) ∗ @ i n v a r i a n t ( vx ˆ2 + vy ˆ2 = v e l ˆ2 & bx >= 0 & bx <= Width & by >= 0 & by <= Height ) /∗ Loop I n v a r i a n t ∗/ \] ( bx >= 0 & bx <= Width & by >= 0 & by <= Height ) /∗ S a f e t y C o n d i t i o n ∗/ }

A.2

Key file for equations 3

S t a t i s t i c s can be o b t a i n e d from P r o o f −> Show P r o o f 13

Statistics . Name : Milda Z i z y t e & F e l i x Hutchison KeYmaera v e r s i o n : 3 . 6 . 1 6 Backends used ( Mathematica , Z3 , . . . ) : Mathematica Nodes : 18832 Branches : 2236 Interactive steps : 0 Arithmetic Solver : 47.723 Time : 1 0 7 7 . 3 3 9 s P r o o f c o m p l e t e s (Y/N) : Y ∗/ \ functions { R Width ; R Height ; R vel ; } \ programVariables { R bx ; R by ; R vx ; R vy ; R paddleWidth ; //R Px ; R Py ; //R Ox ; R Oy ; } /∗ Prove t h a t t h e p a d d l e s f o l l o w i n g t h e b a l l k e e p s t h e b a l l i n t h e p l a y s c r e e n ∗/ \ problem { /∗ INITIAL CONDITIONS ∗/ ( Width > 0 & Height > 0 & bx > 0 & by > 0 & bx < Width & by < Height & vx ˆ2 + vy ˆ2 = v e l ˆ2 & v e l > 0 & paddleWidth > 0 ) /∗ & Px = 0 & Ox = Width ) ∗/ −> \[ ( /∗ CONTROL ∗/ 14

Py := by ; Oy := by ; /∗ PHYSICS EVENTS ∗/ ( /∗ Bounce o f f t h e p a d d l e s ∗/ i f ( bx = 0 & by > Py − paddleWidth & by < Py + paddleWidth & vx < 0 ) then ( vx := − vx ) f i ; i f ( bx = Width & by > Oy − paddleWidth & by < Oy + paddleWidth & vx > 0 ) then ( vx := − vx ) f i ; /∗ Bounce o f f t h e top and bottom w a l l s ∗/ i f ( by = 0 & vy < 0 ) then ( vy := −vy ) f i ; i f ( by = Height & vy > 0 ) then ( vy := −vy ) f i ); /∗ CONTINUOUS DYNAMICS ∗/ /∗ E v o l u t i o n domains c o r r e s p o n d t o p l a y s c r e e n a r e a and t h e a r e a s D i r e c t l y t o t h e s i d e s . We d i s r e g a r d t h e a r e a s above and below f o r s i m p l i c i t y , a s we proved w a l l bouncing i n ( 1 ) ∗/ ( { bx ’ = vx , by ’ = vy & bx >= 0 & bx <= Width & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy & bx <= 0 & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy & bx >= Width & by >= 0 & by <= Height } ) ) ∗ @ i n v a r i a n t ( vx ˆ2 + vy ˆ2 = v e l ˆ2 & bx >= 0 & bx <= Width & by >= 0 & by <= Height ) /∗ Loop I n v a r i a n t ∗/ \] ( bx >= 0 & bx <= Width & by >= 0 & by <= Height ) /∗ S a f e t y C o n d i t i o n ∗/ }

A.3

Key file for equations 4 and 5

/∗ REQUIRED INFORMATION: S t a t i s t i c s can be o b t a i n e d from P r o o f −> Show P r o o f Statistics . Name : Milda Z i z y t e & F e l i x Hutchison KeYmaera v e r s i o n : 3 . 6 . 1 6 15

Backends used ( Mathematica , Z3 , . . . ) : Mathematica Nodes : 13692 Branches : 1223 Interactive steps : 0 Arithmetic Solver : 143.34 Time : 2 2 6 . 5 2 4 P r o o f c o m p l e t e s (Y/N) : Y ∗/ \ functions { R Width ; R Height ; R vel ; } \ programVariables { R bx ; R by ; R vx ; R vy ; R paddleWidth ; //R Px ; R Py ; R Pvy ; //R Ox ; R Oy ; } \ problem { /∗ INITIAL CONDITIONS ∗/ ( Width > 0 & Height > 0 & bx > 0 & by > 0 & bx < Width & by < Height & vx ˆ2 + vy ˆ2 = v e l ˆ2 & v e l > 0 & paddleWidth > 0 & Py = by ) /∗ & Px = 0 & Ox = Width ) ∗/ −> \[ ( /∗ WALL PHYSICS EVENTS ∗/ i f ( by = 0 & vy < 0 ) then ( vy := −vy ) e l s e ( i f ( by = Height & vy > 0 ) then ( vy := −vy ) fi ) fi ; 16

/∗ PADDLE CONTROL ∗/ /∗ P l a y e r p a d d l e t r a c k s t h e b a l l ∗/ Pvy := vy ; Oy := by ;

/∗ PADDLE PHYSICS i f ( bx = 0 & by > by < Py + vx ) e l s e ( i f ( bx = by < Oy + vx ) fi ) fi ;

EVENTS ∗/ Py − paddleWidth & paddleWidth & vx < 0 ) then ( vx := − Width & by > Oy − paddleWidth & paddleWidth & vx > 0 ) then ( vx := −

/∗ CONTINUOUS DYNAMICS ∗/ ( { bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx <= 0 & by >= 0 & by <= Height } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= Width & by >= 0 & by <= Height } ) @ i n v a r i a n t ( Py = by ) /∗ D i f f I n v a r i a n t ∗/ ) ∗ @ i n v a r i a n t ( bx >= 0 & bx <= Width & Py = by ) /∗ Loop I n v a r i a n t ∗/ \] ( bx >= 0 & bx <= Width ) /∗ S a f e t y C o n d i t i o n ∗/ }

A.4

Key file for equations 6 and 8

/∗ REQUIRED INFORMATION: S t a t i s t i c s can be o b t a i n e d from P r o o f −> Show P r o o f Statistics . Name : Milda Z i z y t e & F e l i x Hutchison KeYmaera v e r s i o n : 3 . 6 . 1 6 Backends used ( Mathematica , Z3 , . . . ) : Mathematica Nodes : 34285 Branches : 3846 I n t e r a c t i v e s t e p s : 1227 Arithmetic Solver : 2958.415 Time : 2 4 6 9 . 3 9 17

P r o o f c o m p l e t e s (Y/N) : Y ∗/ \ functions { R Width ; R Height ; R vel ; } \ programVariables { R bx ; R by ; R vx ; R vy ; R paddleWidth ; //R Px ; R Py ; R Pvy ; R Pvmax ; //R Ox ; R Oy ; } \ problem { /∗ INITIAL CONDITIONS ∗/ ( Width > 0 & Height > 0 & bx > 0 & by > 0 & bx < Width & by < Height & vx ˆ2 + vy ˆ2 = v e l ˆ2 & v e l > 0 & paddleWidth > 0 & Pvmaxˆ2 > vy ˆ2 & Pvmax > 0 & by >= Py − paddleWidth & by <= Py + paddleWidth ) /∗ & Px = 0 & Ox = Width ) ∗/ −> \[ ( /∗ WALL PHYSICS EVENTS ∗/ i f ( by = 0 & vy < 0 ) then ( vy := −vy ) e l s e ( i f ( by = Height & vy > 0 ) then ( vy := −vy ) fi ) fi ; /∗ PADDLE CONTROL ∗/ i f ( by > Py ) then ( Pvy := Pvmax) 18

e l s e ( Pvy := −Pvmax) fi ; /∗ Opponent Paddle moves non−d e t e r m i n i s t i c a l l y t o be where i t n e e d s t o be ∗/ Oy := by ;

/∗ PADDLE PHYSICS EVENTS ∗/ i f ( bx = 0 & by >= Py − paddleWidth & by <= Py + paddleWidth & vx < 0 ) then ( vx := −vx ) /∗ rebound o f f o f t h e p l a y e r p a d d l e ∗/ e l s e ( i f ( bx = Width & by >= Oy − paddleWidth & by <= Oy + paddleWidth & vx > 0 ) then ( vx := −vx ) /∗ rebound o f f t h e opponent p a d d l e ∗/ fi ) fi ; /∗ CONTINUOUS DYNAMICS ∗/ ( /∗ f i r s t t h r e e d i f f e q s a r e t h e o n e s t h a t govern r e a l b e h a v i o r ∗/ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= 0 & by <= Py − paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= Py − paddleWidth & by <= Py + paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= Py + paddleWidth & by <= Height } ++ /∗ These t h r e e d i f f e q s govern b e h a v i o r p a s t t h e p l a y e r p a d d l e . Nothing happens i n them , c a u s e t h e b a l l p r o v a b l y n e v e r ends up t h e r e . ∗/ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx <= 0 & by >= 0 & by <= Py − paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx <= 0 & by >= Py − paddleWidth & by <= Py + paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx <= 0 & by >= Py + paddleWidth & by <= Height } ++ /∗ These t h r e e d i f f e q s govern b e h a v i o r p a s t t h e opponent p a d d l e . Nothing happens i n them , c a u s e t h e b a l l p r o v a b l y n e v e r ends up t h e r e . ∗/ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= Width & by >= 0 & by <= Py − paddleWidth } ++ 19

{bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= Width & by >= Py − paddleWidth & by <= Py + paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= Width & by >= Py + paddleWidth & by <= Height } ) @ i n v a r i a n t ( by >= Py − paddleWidth & by <= Py + paddleWidth & Pvmaxˆ2 > vy ˆ 2 ) /∗ D i f f I n v a r i a n t ∗/ ) ∗ @ i n v a r i a n t ( bx >= 0 & bx <= Width & by >= Py − paddleWidth & by <= Py + paddleWidth & Pvmaxˆ2 > vy ˆ 2 ) /∗ Loop I n v a r i a n t ∗/ \] ( bx >= 0 & bx <= Width ) /∗ S a f e t y C o n d i t i o n ∗/ }

A.5

Key file for equations 7

/∗ REQUIRED INFORMATION: S t a t i s t i c s can be o b t a i n e d from P r o o f −> Show P r o o f Statistics . Name : Milda Z i z y t e & F e l i x Hutchison KeYmaera v e r s i o n : 3 . 6 . 1 2 Backends used ( Mathematica , Z3 , . . . ) : Mathematica Nodes : Branches : Interactive steps : Arithmetic Solver : Time : P r o o f c o m p l e t e s (Y/N) : N ∗/ \ functions { R Width ; R Height ; R vel ; } \ programVariables { R bx ; R by ; R vx ; R vy ; R paddleWidth ; 20

//R Px ; R Py ; R Pvy ; R Pvmax ; //R Ox ; R Oy ; } \ problem { /∗ INITIAL CONDITIONS ∗/ ( Width > 0 & Height > 0 & bx = Width & by > 0 & vx < 0 & by < Height & vx ˆ2 + vy ˆ2 = v e l ˆ2 & v e l > 0 & paddleWidth > 0 & Pvmaxˆ2 > vy ˆ2 & Pvmax > 0 & (− Height ∗ ( Width/ v e l ) ) <= Pvmax & Py < Height & Py > 0 ) /∗ & Px = 0 & Ox = Width ) ∗/ −> \< ( /∗ WALL PHYSICS EVENTS ∗/ i f ( by = 0 & vy < 0 ) then ( vy := −vy ) e l s e ( i f ( by = Height & vy > 0 ) then ( vy := −vy ) fi ) fi ; /∗ PADDLE CONTROL ∗/ i f ( by > Py ) then ( Pvy := Pvmax) e l s e ( Pvy := −Pvmax) fi ; /∗ Opponent Paddle moves non−d e t e r m i n i s t i c a l l y t o be where i t n e e d s t o be ∗/ Oy := by ; /∗ We don ’ t need p a d d l e i n t e r a c t i o n s s i n c e i t ’ s o n l y t r a v e l i n g on t h e c o u r t . ∗/ /∗ CONTINUOUS DYNAMICS ∗/ ( /∗ f i r s t t h r e e d i f f e q s a r e t h e o n e s t h a t govern r e a l b e h a v i o r . s i n c e we ’ r e o n l y l o o k i n g a t t h e c o u r t , t h e s e a r e t h e o n l y ∗/ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= 0 & by <= Py − paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= Py − paddleWidth & by <= Py + 21

paddleWidth } ++ {bx ’ = vx , by ’ = vy , Py ’ = Pvy & bx >= 0 & bx <= Width & by >= Py + paddleWidth & by <= Height } ) )∗ \> ( by >= Py − paddleWidth & by <= Py + paddleWidth ) /∗ Termination C o n d i t i o n ∗/ }

B

Soundness proofs DChi

Γ ` [x0 = θ & H]C Γ ` hx0 = θ & (H ∧ C)iφ 0 Γ ` hx = θ & Hiφ

Assume Γ ` [x0 = θ & H]C and Γ ` hx0 = θ & (H ∧ C)iφ are valid. Then, for all ν, ν |= Γ → hx0 = θ & H ∧ Ciφ. Thus, for all ν such that ν |= Γ, there exists an ω ∈ ρ(x0 = θ & H ∧ C)(ν) such that ω |= φ. Since ω ∈ ρ(x0 = θ & H ∧ C)(ν) must also belong to ρ(x0 = θ & H)(ν) by definition of evolution domains. Thus for all ν such that ν |= Γ, there exists an ω ∈ ρ(x0 = θ & H)(ν) such that ω |= φ. So, Γ ` hx0 = θ & Hiφ is valid. (soundness) Also, for all ν, ν |= Γ → [x0 = θ & H]C. Thus, for all ν such that ν |= Γ, for all ω ∈ ρ(x0 = θ & H)(ν), ω |= C. So, for all ω ∈ ρ(x0 = θ & H)(ν) where ν |= Γ, ω ∈ ρ(x0 = θ & H ∧ C)(ν). This means that if Γ ` hx0 = θ & Hiφ is valid , then Γ ` hx0 = θ & (H ∧ C)iφ is valid. (completeness)

Convergence Substitution

Γ ` [α∗ ]C

Γ ` hα∗ iF Γ ` hα∗ iφ

F, C ` φ

Assume Γ ` [α∗ ]C and Γ ` hα∗ iF and F, C ` φ are valid Thus, for all ω ∈ ρ(α∗ )(ν) such that ν |= Γ, ω |= C It is also the case that there exists ω0 ∈ ρ(α∗ )(ν), such that ν |= Γ and ω0 |= F . This ω0 satifies both F and C by the above. Lastly, it is the case that for any state ν that satisfies F and C, ν |= φ Thus ω0 |= φ So there exists a state ω ∈ ρ(α∗ )(ν) where ν |= Γ such that ω |= φ Thus Γ ` hα∗ iφ is valid.

22

Loop Segmentation

Γ ` h(αn )∗ iφ Γ ` hα∗ iφ

Assume Γ ` h(αn )∗ iφ For all states ν, there exists ω ∈ ρ((αn )∗ )(ν) such that ω |= φ. Since all ω ∈ ρ(αn )∗ )(ν) also belong to ρ(α∗ )(ν) by definition of α∗ , we can state that for all states ν, there exists ω ∈ ρ(α∗ )(ν) such that ω |= φ. Thus Γ ` hα∗ iφ is valid.

23