Constructive Hybrid Games
Brandon Bohrer, André Platzer
Automated Reasoning, 2020-05-30. DOI: 10.1007/978-3-030-51074-9_26

Abstract. Hybrid games combine discrete, continuous, and adversarial dynamics. Differential game logic (dGL) enables proving (classical) existence of winning strategies. We introduce constructive differential game logic (CdGL) for hybrid games, where proofs that a player can win the game correspond to computable winning strategies. This constitutes the logical foundation for synthesis of correct control and monitoring code for safety-critical cyber-physical systems. Our contributions include novel semantics as well as soundness and consistency.

Differential Game Logic (dGL) provides a calculus for proving the (classical) existence of winning strategies for hybrid games [42], whose mixed discrete, continuous, and adversarial dynamics are compelling models for cyber-physical systems (CPSs). Classical existence does not necessarily imply that the resulting winning strategies are computable, however. To overcome this challenge, this paper introduces Constructive Differential Game Logic (CdGL) with a Curry-Howard correspondence: constructive proofs for constructive hybrid games correspond to programs implementing their winning strategies. We develop a new type-theoretic semantics which elucidates this correspondence and an operational semantics which describes the execution of strategies. Besides its theoretical appeal, this Curry-Howard interpretation provides the foundation for proof-driven synthesis methods, which excel at synthesizing expressive classes of games for which synthesis and correctness require interactive proof.

Hybrid games are a compelling domain for proof-based synthesis both because many CPS applications are safety-critical or even life-critical, such as transportation systems, energy systems, and medical devices, and because the combination of discrete, continuous, and adversarial dynamics makes verification and synthesis undecidable in both theory and practice. Our example model and proof, while short, lay the groundwork for future case studies.

Challenges and Contributions. In addition to dGL [42], we build directly on Constructive Game Logic (CGL) [9] for discrete games. Compared to CGL, we target a domain with readily-available practical applications (hybrid games), and introduce new type-theoretic and operational semantics which complement the realizability semantics of CGL while making Curry-Howard particularly clear and providing a simple notion of strategy execution. We overcome the following challenges in the process:
- Our semantics must carefully capture the meaning of constructive hybrid game strategies, including strategies for differential equations (ODEs).
- Soundness must be justified constructively. We adapt previous arguments to use constructive analysis [6, 12] by appealing to constructive formalizations of ODEs [17, 34]. This adaptation to our new semantics makes it possible to simplify statements of some standard lemmas.
- We study 1D driving control as an example, which demonstrates the strengths of both games and constructivity. Games and constructivity both introduce uncertainties: a player is uncertain how their opponent will play, while constructive real-number comparisons are never sure of exact equality. These uncertainties demand more nuanced proof invariants, but these nuances improve our fidelity to real systems.

These contributions are of likely interest to several communities. Other constructive program logics could reuse our semantic approach.
Our example uses reach-avoid proofs for hybrid games, a powerful, under-explored [48] approach. We discuss related works on games, constructive logic, and hybrid systems.

Games in Logic. Propositional GL was introduced by Parikh [39]. GL is a program logic in the spirit of Hoare calculi [26] or especially dynamic logics (DL) [47]: modalities capture the effect of game execution. GLs are unique in their clear delegation of strategy to the proof language rather than the model language, allowing succinct game specifications with sophisticated winning strategies. Succinct specifications are important: specifications are trusted because proving the wrong theorem would not ensure correctness. Relatives without this separation include SL [14], ATL [2], CATL [27], SDGL [23], structured strategies [49], DEL [3, 5, 56], evidence logic [4], and Angelic Hoare Logic [35].

Constructive Modal Logics. We are interested in the semantics of games, thus we review constructive modal semantics generally. This should not be confused with game semantics [1], which give a semantics to programs in terms of games. The main semantic approaches for constructive modal logics are intuitionistic Kripke semantics [58] and realizability semantics [32, 38]. CGL [9] used a realizability semantics which operates on a state, reminiscent of state in Kripke semantics, whereas we interpret CdGL formulas into type theory. Modal Curry-Howard is relatively little-studied, and each author has their own emphasis. Explicit proof terms are considered for CGL [9] and a small fragment thereof [30]. Others [13, 18, 59] focus on intuitionistic semantics for their logics, fragments of CGL. Our semantics should be of interest for these fragments. We omit proof terms for space. CdGL proof terms would extend CGL proof terms [9] with a constructive version of existing classical ODE proof terms [8]. Propositional modal logic [37] has been interpreted as a type system.

Hybrid Systems Synthesis. Hybrid games synthesis is one motivation of this work. Synthesis of hybrid systems (1-player games) is an active area. The unique strength of proof-based synthesis is expressiveness: it can synthesize every provable system. CdGL proofs support first-order regular games with first-order (e.g., semi-algebraic) initial and goal regions. While synthesis and proof are both undecidable, interactive proof for undecidable logics is well-understood. The ModelPlex [36] synthesizer for CdGL's classical systems predecessor dL [44] recently added [11] proof-based synthesis to improve expressiveness. CdGL aims to provide a computational foundation for a more systematic proof-based synthesizer in the more general context of games. Fully automatic synthesis, in contrast, restricts itself to small fragments in order to sidestep undecidability. Studied classes include rectangular hybrid games [25], switching systems [52], linear systems with polyhedral sets [31, 52], and discrete abstractions [20, 21]. A well-known [55] systems synthesis approach translates specifications into finite-alternation games. Arbitrary first-order games are our source rather than target language. Their approach is only known to terminate for simpler classes [50, 51].

Hybrid games in CdGL are 2-player, zero-sum, and perfect-information, where continuous subgames are ordinary differential equations (ODEs) whose duration is chosen by a player. Hybrid games should not be confused with differential games, which compete continuously [29, 43]. The players considered in this paper are Angel and Demon, where the player currently controlling choices is always called Angel, while the player waiting to play is always called Demon. For any game α and formula φ, the modal formula ⟨α⟩φ says Angel can play α to ensure postcondition φ, while [α]φ says Demon can play α to ensure postcondition φ. These generalize safety and liveness modalities from DL.
Dual games α^d, unique to GLs, take turns by switching the Angel and Demon roles in game α. The Curry-Howard interpretation of a proof of a CdGL modality ⟨α⟩φ or [α]φ is a program which performs each player's winning strategy. Games can have several winning strategies, each corresponding to a different proof and a different program.

We introduce the language of CdGL with three classes of expressions e: terms f, g, games α, β, and formulas φ, ψ. We characterize terms semantically for the sake of generality: a shallow embedding of CdGL inside a proof assistant might use the host language for terms. For games and formulas, we find it more convenient to explicitly and syntactically define a closed language. A (scalar) semantic term is a function from states to reals, which are understood constructively à la Bishop [6, 12]. We use Bishop-style real analysis because it preserves many classical intuitions (e.g., uncountability) about R while ensuring computability. Type-2 [57] computability requires that all functions on real numbers are computable to arbitrary precision if represented as streams of bits, yet computability does not require that variables range over only computable reals. It is a theorem [57] that all such computable functions are continuous, but not always Lipschitz-continuous nor differentiable. We introduce commonly used term constructs, which are not exhaustive because the language of terms is open. The simplest terms are game variables x, y ∈ V where V is the (at most countable) set of variable identifiers. The game variables, which are mutable, contain the state of the game, which is globally scoped. For every base game variable x there is a primed counterpart x' whose purpose within an ODE is to track the time derivative of x. Real-valued terms f, g are simply type-2 computable functions, usually from states to reals. It is occasionally useful for f to return a tuple of reals, which are computable when every component is computable.
Since terms are functions, operators are combinators: f + g is a function which sums the results of f and g. A term f, g is any computable function over the game state. The following constructs appear in this paper: real literals c ∈ R, game variables x, sums f + g, products f · g, and real division f/g of f by g. Divisors g are assumed to be nonzero. Minimum and maximum of terms f and g are written min(f, g) and max(f, g). Any differentiable term f has a definable (Sect. 4.2) spatial differential term (f)', which agrees with the time derivative within an ODE.

CdGL is constructive, so Angel strategies make choices computably. Until his turn, Demon just observes Angel's choices, and does not care whether Angel made them computably. We discuss game-playing informally here, then formally in Sect. 4. The ODE and dual games are what respectively distinguish hybrid games from discrete games and games from systems. The set of games α, β is defined recursively as follows:

The test game ?φ is a no-op if Angel proves φ, else Demon wins by default since Angel "broke the rules". A deterministic assignment x := f updates game variable x to the value of term f. Nondeterministic assignments x := * ask Angel to compute the new value of x : R, i.e., Angel's strategy for x := * is a term whose value is assigned to x. The ODE game x' = f & ψ evolves ODE x' = f for duration d ≥ 0 chosen by Angel such that Angel proves the domain constraint formula ψ is true throughout. We require that term f is effectively-locally-Lipschitz on domain ψ, meaning that at every state satisfying ψ, a neighborhood and coefficient L can be constructed such that L is a Lipschitz constant of f in the neighborhood. Effective local Lipschitz continuity guarantees unique solutions exist by constructive Picard-Lindelöf [34]. ODEs are explicit-form, so no primed variable y' for y ∈ V is mentioned in f or ψ. Systems of ODEs are supported; we present single equations for readability.

In the choice game α ∪ β, Angel chooses whether to play game α or game β. In the sequential composition game α; β, game α is played first, then β from the resulting state. In the repetition game α*, Angel chooses after each repetition of α whether to continue playing, but must not repeat α infinitely. The exact number of repetitions is not known in advance, because it may depend on Demon's reactions. In the dual game α^d, Angel takes the Demon role and vice-versa while playing α. Demon strategies "wait" until a dual game α^d is encountered, then play an Angelic strategy for α. We parenthesize games with braces {α} when necessary.

The CdGL formulas φ (also ψ) are:

The defining formulas of CdGL (and GL) are the modalities ⟨α⟩φ and [α]φ. These mean that Angel or Demon respectively have a constructive strategy to play hybrid game α and prove postcondition φ. We do not develop modalities for existence of classical strategies because those cannot be synthesized to executable code. Standard connectives are defined from games and comparisons. Verum (tt) is defined as 1 > 0 and falsum (ff … Real quantifiers ∀x φ and ∃x φ are defined as [x := *]φ and ⟨x := *⟩φ, respectively. As usual, equivalence φ ↔ ψ reduces to (φ → ψ) ∧ (ψ → φ), negation ¬φ is defined as φ → ff, and inequality is defined by f ≠ g ≡ ¬(f = g). Semantics and proof rules are needed only for core constructs, but we use derived constructs when they improve readability. Keep these definitions in mind, because the semantics and rules for some game connectives mirror first-order connectives. For convenience, we also write derived operators where Demon is given control of a single choice before returning control to Angel. The Demonic choice … We write φ^y_x (likewise for α and f) for the renaming of variable x for y and vice versa in formula φ, and write φ^f_x for the result of substitution of term f for game variable x in φ, if the substitution is admissible (Definition 12).
We give an example game and theorem statements, proven in [10]. Automotive systems are a major class of CPS. As a simple indicative example we consider time-triggered 1-dimensional driving with adversarial timing. For maximum time T between control cycles, we let Demon choose any duration in [0, T]. When we need to prohibit pathological "Zeno" behaviors while keeping constraints realistic, we can further restrict t ∈ [T/2, T]. We write x for the current position of the car, v for its velocity, a for the acceleration, A > 0 for the maximum positive acceleration, and B > 0 for the maximum braking rate. We assume x = v = 0 initially to simplify arithmetic. In time-triggered control, the controller runs at least once every T > 0 time units. Time and physics are continuous; T gives an upper bound on the time between controller runs. Local clock t marks the current time within the current timestep, then resets at each step. The control game (ctrl) says Angel can pick any acceleration a that is physically achievable (−B ≤ a ≤ A). The clock t is then reinitialized to 0. The plant game (plant) says Demon can evolve physics for duration t ∈ [0, T] such that v ≥ 0 throughout, then returns control to Angel.

Typical theorems in DLs and GLs are safety and liveness: are unsafe states always avoided and are desirable goals eventually reached? Safety and liveness of the 1D system have been proved previously: safe driving (safety) never goes past goal g, while live driving eventually reaches g (liveness). Liveness theorem liveness requires a lower time bound ({?t ≥ T/2}^d) to rule out Zeno strategies where Demon "cheats" by exponentially decreasing durations to essentially freeze the progress of time. The limit t ≥ T/2 is chosen for simplicity. Safety theorem safety omits this constraint because even Zeno behaviors are safe. Safety and liveness theorems, if designed carelessly, have trivial solutions including but not limited to Zeno behaviors.
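The time-triggered driving game just described, played out as an added simulation. This is not the paper's proof or code: the Angel controller strategy (`angel_ctrl`) is a construction of mine that keeps the stopping-distance invariant v²/(2B) ≤ g − x, the two Demon timing strategies (longest and shortest duration the rules allow) are assumed adversaries, and exact rational arithmetic stands in for constructive reals so that the loop exit "x = g and v = 0" is decidable here. All function names are invented for this example. The same Angel strategy is checked for safety (x ≤ g every round) and for reaching the goal, which is what a reach-avoid specification demands.

```python
from fractions import Fraction as Q
from typing import Callable, Dict, Optional, Tuple

# Added example, not the paper's code or proof: plays the time-triggered
# driving game {ctrl; plant}* from the text, where
#   ctrl  = a := *; ?(-B <= a <= A); t := 0                     (Angel)
#   plant = {t' = 1, x' = v, v' = a & v >= 0}^d; {?t >= T/2}^d  (Demon)
# Exact rationals replace constructive reals, which makes the exit test
# "x = g and v = 0" decidable here; the paper's exact result over reals
# rests on lazy min/max instead and is not modelled.

State = Dict[str, Q]
DemonTiming = Callable[[State, Q, Optional[Q]], Q]   # (state, T, latest_t) -> t

def angel_ctrl(s: State, A: Q, B: Q, T: Q, g: Q) -> Q:
    """Angel's ctrl strategy (constructed for this example).  Invariant kept:
    stopping distance v^2/(2B) <= g - x.  Accelerate at A when one full cycle
    at A still leaves the invariant true; otherwise brake at the constant
    rate v^2/(2(g-x)) that stops exactly at g (at most B by the invariant)."""
    x, v = s["x"], s["v"]
    d = g - x
    v1 = v + A * T                       # worst case after a full cycle at A
    x1 = x + v * T + A * T * T / 2
    if v1 * v1 / (2 * B) <= g - x1:
        return A
    if v == 0:
        # At rest but short of g: a small positive a keeps the invariant
        # after one cycle (a <= d/T^2 together with a <= B suffices).
        return min(A, B, d / (T * T))
    return -(v * v) / (2 * d)

def plant(s: State, t: Q) -> State:
    """Closed-form solution of t' = 1, x' = v, v' = a after duration t."""
    a, v = s["a"], s["v"]
    return {**s, "t": t, "x": s["x"] + v * t + a * t * t / 2, "v": v + a * t}

def latest_duration(s: State) -> Optional[Q]:
    """Longest t keeping the domain constraint v >= 0; None if unbounded."""
    return s["v"] / -s["a"] if s["a"] < 0 else None

def demon_longest(s: State, T: Q, latest: Optional[Q]) -> Q:
    """Demon delays Angel as long as the rules allow."""
    return T if latest is None else min(T, latest)

def demon_shortest(s: State, T: Q, latest: Optional[Q]) -> Q:
    """Demon hands control back as early as the dual test ?t >= T/2 allows."""
    return T / 2 if latest is None else min(T / 2, latest)

def play_driving(A, B, T, g, demon: DemonTiming, fuel: int = 10_000) -> Tuple[State, int, str]:
    """Runs {ctrl; plant}* from x = v = 0 until Angel exits the loop.
    Returns (final state, loop iterations, outcome): "goal" when Angel reached
    x = g, v = 0, or "demon_forfeit" when Demon could not meet ?t >= T/2
    without leaving v >= 0.  Safety x <= g is checked after every round."""
    A, B, T, g = map(Q, (A, B, T, g))
    s: State = {"x": Q(0), "v": Q(0), "a": Q(0), "t": Q(0)}
    for rounds in range(fuel):
        if s["x"] == g and s["v"] == 0:            # Angel stops the repetition
            return s, rounds, "goal"
        a = angel_ctrl(s, A, B, T, g)
        assert -B <= a <= A, "Angel failed the test in ctrl"
        s = {**s, "a": a, "t": Q(0)}
        latest = latest_duration(s)
        t = demon(s, T, latest)
        assert 0 <= t <= T and (latest is None or t <= latest), "Demon left v >= 0"
        s = plant(s, t)
        assert s["x"] <= g, "safety violated"      # x is monotone while v >= 0
        assert s["v"] * s["v"] / (2 * B) <= g - s["x"], "braking invariant lost"
        if t < T / 2:
            return s, rounds + 1, "demon_forfeit"  # Demon loses the dual test
    raise RuntimeError("Angel's loop did not terminate within fuel")

if __name__ == "__main__":
    for demon in (demon_longest, demon_shortest):
        print(demon.__name__, play_driving(1, 1, 1, 10, demon))
```

With A = B = T = 1 and g = 10, the run against `demon_longest` ends exactly at x = 10, v = 0 after 7 loop iterations, and against `demon_shortest` after 16; the shortest-duration Demon slows progress but cannot prevent it, which is the role the ?t ≥ T/2 bound plays in the liveness theorem. The braking rate v²/(2(g − x)) is constant along the braking trajectory, so the invariant is preserved without any re-planning, which is why the exit condition is reached exactly rather than within ε.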
It is safe to remain at x = 0 and it is live to maintain a = A, but not vice-versa. In contrast to DLs, GLs easily express the requirement that the same strategy is both safe and live: we must remain safe while reaching the goal. We use this reach-avoid specification because it is immune to trivial solutions. We give a new reach-avoid result for 1D driving.

Example 4 (Reach-avoid). The following is provable in dGL and CdGL: Angel reaches g = x ∧ v = 0 while safely avoiding states where x ≤ g does not hold. Angel is safe at every iteration for every time t ∈ [0, T], thus safe throughout the game. The (dual) test ?t ≥ T/2 appears second, allowing Demon to win if Angel violates safety during t < T/2.

1D driving is well-studied for classical systems, but the constructive reach-avoid proof [10] is subtle. The proof constructs an envelope of safe upper and live lower bounds on velocity as a function of position (Fig. 1). The blue point indicates where Angel must begin to brake to ensure time-triggered safety. It is surprising that Angel can achieve … is constructively invalid. The key [10] is that comparison terms min(f, g) and max(f, g) are exact in Type 2 computability, where bits of min and max may be computed lazily. Our exact result encourages us that constructivity is not overly burdensome in practice. When decidable comparisons (f < g + δ ∨ f > g) are needed, the alternative is a weaker guarantee g − ε ≤ x ≤ g for parameter ε > 0. This relaxation is often enough to make the theorem provable, and reflects the fact that real agents only expect to reach their goal within finite precision.

In this section, we define the semantics of hybrid games and game formulas in type theory. We start with assumptions on the underlying type theory. We assume a Calculus of Inductive and Coinductive Constructions (CIC)-like type theory [15, 16, 54] with polymorphism and dependency. We write M for terms and Δ ⊢ M : τ to say M has type τ in CIC context Δ.
We assume first-class (indexed [19]) inductive and coinductive types. We write τ for type families and κ for kinds: type families inhabited by other type families. Inductive type families are written μt : κ. τ, which denotes the smallest solution ty of kind κ to the fixed-point equation ty = τ^ty_t. Coinductive type families are written ρt : κ. τ, which denotes the largest solution ty of kind κ to the fixed-point equation ty = τ^ty_t. Type-expression τ must be monotone in t so that smallest and largest solutions exist by Knaster-Tarski [24, Thm. 1.12]. Proof assistants like Coq reject definitions where monotonicity requires nontrivial proof; we did not mechanize our proofs because they use such definitions. We use one predicative universe which we write T and Coq writes Type₀. Predicativity is an important assumption because our semantic definition is a large elimination, a feature known to interact dangerously with impredicativity. We write Πx : τ₁. τ₂ for a dependent function type with argument named x of type τ₁ and where return type τ₂ may mention x. We write Σx : τ₁. τ₂ for a dependent pair type with left component named x of type τ₁ and right component of type τ₂, possibly mentioning x. These specialize to the simple function type τ₁ ⇒ τ₂ and product type τ₁ * τ₂ respectively when x is not mentioned in τ₂. Lambdas (λx : τ. M) inhabit dependent function types. Pairs (M, N) inhabit dependent pair types. Application is M N. Let-binding unpacks pairs, whose left and right projections are πL M and πR M. We write τ₁ + τ₂ for a disjoint union inhabited by ℓ · M and r · M, and write case A of p ⇒ B | q ⇒ C for its case analysis. We assume a real number type R and a Euclidean state type S. The positive real numbers are written R>0, nonnegative reals R≥0. We assume scalar and vector sums, products, inverses, and units. States s, t support operations s x and set s x v which respectively retrieve the value of variable x in s : S or update it to v. The usual axioms of setters and getters [22] are satisfied.

We write s for the distinguished variable of type S representing the current state. We will find it useful to consider the semantics of an expression both at current state s and at states s, t defined in terms of s (e.g., set s x 5). Terms f, g are type-theoretic functions of type S ⇒ R. We will need differential terms (f)', a definable term construct when f is differentiable. Not every term f need be differentiable, so we give a virtual definition, defining when (f)' is equal to some term g. If (f)' does not exist, then (f)' = g is not provable. We define the (total) differential as the Euclidean dot product (·) of the gradient (variable name: ∇) with s', which is the vector of values s x' assigned to primed variables x'. To show that ∇ is the gradient, we define the gradient as a limit, which we express in (ε, δ) style. In this definition, f and g are scalar-valued, and the minus symbol is used for both scalar and vector difference. For practical proofs, a library of standard rules for automatic, syntactic differentiation of common arithmetic operations [7] could be proven.

The interpretation ⟦φ⟧ : S ⇒ T of formula φ is a predicate over states. A predicate of kind S ⇒ T is also understood as a region, e.g., ⟦φ⟧ is the region containing states where φ is provable. A CdGL context Γ is interpreted over a uniform state term s : S where s : S ⊢ s : S, i.e., s usually mentions s. We define ⟦Γ⟧(s) to be the CIC context containing s : S and ⟦φ⟧ s for each φ ∈ Γ. The sequent (Γ ⊢ φ) is valid if there exists M where ⟦Γ⟧(s) ⊢ M : (⟦φ⟧ s). Formula φ is valid iff sequent (· ⊢ φ) is valid. That is, a valid formula is provable in every state with a common proof term M. The witness may inspect the state, but must do so constructively. Formula semantics employ the Angelic and Demonic semantics of games, which determine how to win a game α whose postcondition is φ.
We write ⟨⟨α⟩⟩ : (S ⇒ T) ⇒ (S ⇒ T) for the Angelic semantics of α and ⟦α⟧ : (S ⇒ T) ⇒ (S ⇒ T) for its Demonic semantics. Modality ⟨α⟩φ is provable in s when ⟨⟨α⟩⟩ ⟦φ⟧ s is inhabited, so Angel has an α strategy from s to reach region ⟦φ⟧ on which φ is provable. Modality [α]φ is provable in s when ⟦α⟧ ⟦φ⟧ s is inhabited, so Demon has an α strategy from s to reach region ⟦φ⟧ on which φ is provable. For ∼ ∈ {≤, <, =, ≠, >, ≥}, the values of f and g are compared at state s in f ∼ g. The game and formula semantics are simultaneously inductive. In each case, the connectives which define ⟨⟨α⟩⟩ and ⟦α⟧ are duals, because [α]φ and ⟨α⟩φ are dual. Below, P refers to the goal region of the game and s to the initial state.

⟨⟨?ψ⟩⟩ P s = ⟦ψ⟧ s * P s
⟨⟨x := f⟩⟩ P s = P (set s x (f s))
⟨⟨x := *⟩⟩ P s = Σv : …

Angel wins ⟨?ψ⟩P by proving both ψ and P at s. Angel wins the deterministic assignment x := f by performing the assignment, then proving P. Angel wins nondeterministic assignment x := * by constructively choosing a value v to assign, then proving P. Angel wins α ∪ β by choosing between playing α or β, then winning that game. Note that variable sol stands for a function of the host theory, all of which are computable and therefore continuous. When (sol, s, d ⊨ x' = f) holds, sol is also continuously differentiable. Constructive Picard-Lindelöf [34] constructs a solution for every effectively-locally-Lipschitz ODE, which need not have a closed form. The proof calculus we introduce in Sect. 5 includes both solution-based proof rules, which are useful for ODEs with simple closed forms, and invariant-based rules, which enable proof even when closed forms do not exist. Angel strategies for α* are inductively defined: either choose to stop the loop and prove P now, else play a round of α before repeating inductively. By Knaster-Tarski [24, Thm. 1.12], this least fixed point exists because the interpretation of a game is monotone in its postcondition (Lemma 7).

Demon wins [?ψ]P by proving P under assumption ψ, which Angel must provide (Sect. 7). Demon's deterministic assignment is identical to Angel's. Demon wins x := * by proving ψ for every choice of x. Demon wins α ∪ β with a pair of winning strategies. Demon wins α; β by winning α with a postcondition of winning β. Demon wins α^d if he can win α after switching roles with Angel. Demon wins x' = f & ψ if, for an arbitrary duration and arbitrary solution which satisfy the domain constraint, he can prove the postcondition. Demon wins [α*]P if he can prove P no matter how many times Angel makes him play α. Demon repetition strategies are coinductive using some invariant τ. When Angel decides to stop the loop, Demon responds by proving P from τ. Whenever Angel chooses to continue, Demon proves that τ is preserved. Greatest fixed points exist by Knaster-Tarski [24, Thm. 1.12] using Lemma 7. It is worth comparing the Angelic and Demonic semantics of x := *. An Angel strategy says how to compute x. A Demon strategy simply accepts x ∈ R as its input, even uncomputable numbers. This is because Angel strategies supply a computable real while Demon acts with computable outputs given real inputs. In general, each strategy is constructive but permits its opponent to play classically. In the cyber-physical setting, the opponent is indeed rarely a computer.

To enable direct syntactic proof, we give a natural deduction-style system for CdGL. We write Γ = ψ₁, . . . , ψₙ for a context of formulas and Γ ⊢ φ for the natural-deduction sequent with conclusion φ and context Γ. We begin with rules shared by CGL [9] and CdGL, then give the ODE rules. We write Γ^y_x for the renaming of game variable x to y and vice versa in context Γ. Likewise Γ^f_x is the substitution of term f for game variable x. To avoid repetition, we write [α]φ to indicate that the same rule applies for ⟨α⟩φ and [α]φ. These rules write [ α ]φ for the dual of [α]φ.
We write FV(e), BV(α), and MBV(α) for the free variables of expression e, bound variables of game α, and must-bound variables of game α respectively, i.e., variables which might influence the meaning of an expression, might be modified during game execution, or are written during every execution. … to indicate that the bound variables of α must be freshly renamed in Γ for soundness. Rule M is used for generalization because all GLs are subnormal, lacking axiom K (modal modus ponens) and necessitation. Common uses include concise right-to-left symbolic execution proofs and, in combination with , Hoare-style sequential composition reasoning.

Nondeterministic assignments quantify over real-valued game variables. Assignments remember the initial value of x in fresh variable y (Γ^y_x) for the sake of completeness, then provide an assumption that x has been assigned to f. Skolemization [:*]I bound-renames x to y in Γ, written Γ^y_x. Specialization [:*]E instantiates x to a term f by substituting φ^f_x. Existentials are introduced by giving a witness f in ⟨:*⟩I. Herbrandization ⟨:*⟩E unpacks existentials; soundness requires that x is not free in ψ.

Figure 4 provides rules for repetitions. In rule ⟨*⟩I, M indicates an arbitrary termination metric, with strict and nonstrict comparison taken in an arbitrary (effectively) well-founded [28] partial order. Metavariable 0 represents a terminal value at which iteration stops; we will choose 0 = 0 in our example, but 0 need not be 0 in general. M₀ is a fresh variable which remembers M. Angel plays α* by repeating an α strategy which always decreases the termination metric. Angel maintains a formula ϕ throughout, and stops once M has reached the terminal value 0. The postcondition need only follow from the termination condition (M has reached 0) and convergence formula ϕ. Simple real comparisons x ≥ y are not well-founded, but inflated comparisons like x ≥ y + 1 are. Well-founded metrics ensure convergence in finitely (but often unboundedly) many iterations.

In the simplest case, M is a real-valued term. Generalizing M to tuples enables, e.g., lexicographic termination metrics. For example, the metric in the proof of Example 4 is the distance to the goal, which must decrease by some minimum amount each iteration. Repetition games can be folded and unfolded ([*]E, [*]R). Rule FP says ⟨α*⟩φ is a least pre-fixed-point. It works backwards: first show ψ holds after α*, then preserve ψ when each iteration is unwound. Rule loop is the repetition invariant rule. Demonic repetition is eliminated by [*]E. Like any first-order program logic, CdGL proofs contain first-order reasoning at the leaves. Decidability of constructive real arithmetic is an open problem [33], so first-order facts are proven manually in practice. Our semantics embed CdGL into type theory; we defer first-order arithmetic proving to the host theory. Even an effectively well-founded order need not have decidable guards (has M reached 0, or not yet?), since exact comparisons are not computable [6]. We may not be able to distinguish M = 0 from very small positive values of M, leading to one unnecessary loop iteration, after which M is certainly 0 and the loop terminates. Comparison up to ε > 0 is decidable [12] (f > g ∨ (f < g + ε)).

Figure 5 gives the ODE rules, which are a constructive version of those from dGL [42]. For nilpotent ODEs such as the plant of Example 4, reasoning via solutions is possible. Since CdGL supports nonlinear ODEs which often do not have closed-form solutions, we provide invariant-based rules, which are complete [46] for invariants of polynomial ODEs. Differential induction DI [41] says φ is an invariant of an ODE if it holds initially and if its differential formula [41] (φ)' holds throughout, for example (f ≥ g)' ≡ ((f)' ≥ (g)'). Soundness of DI requires differentiability, and (φ)' is not provable when φ mentions nondifferentiable terms. Differential cut DC proves R invariant, then adds it to the domain constraint.
Differential weakening DW says that if φ follows from the domain constraint, it holds throughout the ODE. Differential ghosts DG permit us to augment an ODE system with a fresh dimension y, which enables [46] proofs of otherwise unprovable properties. We restrict the right-hand side of y' to be linear in y and (uniformly) continuous in x because soundness requires that ghosting y does not change the duration of an ODE. A linear right-hand side is guaranteed to be Lipschitz on the whole existence interval of equation x' = f, thus ensuring an unchanged duration by (constructive) Picard-Lindelöf [34]. Differential variant [41, 53] DV is an Angelic counterpart to DI. The schema parameters d and ε must not mention x, x', t, t'. To show that f eventually exceeds g, first choose a duration d and a sufficiently high minimum rate ε at which h − g will change. Prove that h − g decreases at rate at least ε and that the ODE has a solution of duration d satisfying constraint ψ. Thus at time d, both h ≥ g and its provable consequents hold. Rules bsolve and dsolve assume as a side condition that sln is the unique solution of x' = f on domain ψ. They are convenient for ODEs with simple solutions, while invariant reasoning supports complicated ODEs.

Following constructive counterparts of classical soundness proofs for dGL, we prove that the CdGL proof calculus is sound: provable formulas are true in the CIC semantics. For the sake of space, we give statements and some outlines here, reporting all proofs and lemmas elsewhere [10]. Similar lemmas have been used to prove soundness of dGL [45], but our new semantics lead to simpler statements for Lemmas 10 and 11. The coincidence property for terms is not proved but assumed, since we inherit a semantic treatment of terms from the host theory. … x and φ^f_x be admissible. The converse implication also holds, though its witness is not necessarily M.

Soundness of the proof calculus follows from the lemmas, and soundness of the ODE rules employs several known results from constructive analysis. If Γ ⊢ M : φ holds, then sequent (Γ ⊢ φ) is valid. As a special case, if · ⊢ M : φ holds, then formula φ is valid.

Proof Sketch. By induction on the derivation. The assignment case holds by Lemma 13 and Lemma 9. Lemma 10 and Lemma 11 are applied when maintaining truth of a formula across changing state. The equality and inequality cases of DI and DV employ the constructive mean-value theorem [10, Thm. 21], which has been formalized, e.g., in Coq [17]. Rules DW, bsolve, and dsolve follow from the semantics of ODEs. Rule DC uses the fact that prefixes of solutions are solutions. Rule DG uses constructive Picard-Lindelöf [34], which constitutes an algorithm for arbitrarily approximating the solution of any Lipschitz ODE, with a convergence rate depending on its Lipschitz constant.

We have shown that every provable formula is true in the type-theoretic semantics. Because the soundness proof is constructive, it amounts to an extraction algorithm from CdGL into type theory: for each CdGL proof, there exists a program in type theory which inhabits the corresponding type of the semantics. Another perspective on constructivity is that provable properties must have witnesses. We show Existential and Disjunction properties providing witnesses for existentials and disjunctions. For modal formulas ⟨α⟩φ and [α]φ we show proofs can be used as winning strategies: a big-step operational semantics play allows playing strategies against each other to extract a proof that their goals hold in some final state t. Our presentation is more concise than defining the language, semantics, and properties of strategies, while providing key insights. The proofs follow their counterparts in type theory. The Disjunction Property considers truth at a specific state. Validity of φ ∨ ψ does not imply validity of either φ or ψ.
For example, x < 1 ∨ x > 0 is valid, but its disjuncts are not.

Function play below gives a big-step semantics: Angel and Demon strategies as and ds for respective goals φ and ψ in game α suffice to construct a final state t satisfying both. By parametricity, t was found by playing α, because play cannot inspect P and Q, thus can only prove them via as and ds. Applications of play are written play α s as ds (P and Q implicit). Game consistency (Corollary 17) is by play and consistency of type theory. Note that α^d is played by swapping the Angel and Demon strategies in α.

play (x := f) s as ds = (let t = set s x (f s) in (t, (as t, ds t)))
play (x := *) s as ds = let t = set s x (πL as) in (t, (πR as, ds (πL as)))
play (x' = f & ψ) s as ds = let (d, sol, solves, c, p) = as s in (set s x (sol d), (p, ds d sol solves c))
play (?φ) s as ds = (s, (πR as, ds (πL as)))
play (α ∪ β) s as ds = case (as s) of as' ⇒ play α s as' (πL ds) | as' ⇒ play β s as' (πR ds)
play (α; β) s as ds = (let (t, (as', ds')) = play α s as ds in play β t as' ds')
play (α*) s as ds = case (as s) of as' ⇒ (s, (as', πL ds)) | as' ⇒ let (t, (as'', ds'')) = play α s as' (πR ds) in play α* t as'' ds''
play (α^d) s as ds = play α s ds as

[α]¬φ s are inhabited.

Proof. Suppose as : ⟨α⟩φ s and ds : [α]¬φ s, then πR (play α s as ds) : ⊥, contradicting consistency of type theory.

The play semantics show how strategies can be executed. Consistency is a theorem which ought to hold in any GL and thus helps validate our semantics.

We extended Constructive Game Logic CGL to CdGL for constructive hybrid games. We contributed new semantics. We presented a natural deduction proof calculus for CdGL and used it to prove reach-avoid correctness of 1D driving with adversarial timing. We showed soundness and constructivity results. The next step is to implement a proof checker, game interpreter, and synthesis tool for CdGL.
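As an added example (the editor's, not the paper's type-theoretic development), here is a proof-erased Python reading of the play function above: games are tuples, states are dicts, and strategies are callables whose moves carry their continuations. Every name here (`play`, `run`, `make_demon`, the tuple encoding of games, the toy game and its goals) is constructed for the example. Because proof terms are erased, the interpreter substitutes a numerical spot check for the ODE proofs solves and c, and after a dual it swaps the two continuations back so that a following sequence hands each player its own continuation; both are the example's design choices, not something the page states.

```python
"""Added example (constructed by the editor, not the paper's Coq development): a
proof-erased Python reading of the big-step interpreter `play`. Proof terms
(p, solves, c) are erased, so `play` only runs two strategies; it cannot certify a win."""

# Game constructors (constructed encoding of the page's grammar):
#   ("assign", x, f)   x := f        ("any", x)        x := *   (Angel picks the value)
#   ("ode", x, f, psi) x' = f & psi  (Angel picks duration d and solution sol)
#   ("test", phi)      ?phi          ("choice", a, b)  a U b    (Angel picks the branch)
#   ("seq", a, b)      a ; b         ("loop", a)       a*       (Angel decides stop/go)
#   ("dual", a)        a^d           (the players swap roles)
# A strategy is a function of the state at which its node is entered; it returns the
# player's move, and every continuation inside a move is again a strategy for the rest
# of the game, which lets the seq case thread continuations exactly as on the page.
SAMPLES = 8  # spot-check points for the ODE case, standing in for its erased proofs

def play(game, s, angel, demon):
    """Return (final state, (Angel continuation, Demon continuation))."""
    kind = game[0]
    if kind == "assign":
        _, x, f = game
        t = {**s, x: f(s)}
        return t, (angel(t), demon(t))
    if kind == "any":
        _, x = game
        value, cont = angel(s)                  # Angel: (chosen value, continuation)
        return {**s, x: value}, (cont, demon(s)(value))  # Demon reacts to the choice
    if kind == "ode":
        _, x, f, psi = game
        d, sol, cont = angel(s)                 # Angel: duration, solution, continuation
        assert d >= 0, "duration must be non-negative"
        for i in range(SAMPLES + 1):           # erased proofs solves and c, re-checked:
            tau, h = d * i / SAMPLES, 1e-6     # sol must follow x' = f and stay in psi
            at = {**s, x: sol(tau)}
            assert psi(at), f"domain constraint violated at time {tau}"
            assert abs((sol(tau + h) - sol(tau)) / h - f(at)) < 1e-4, "not a solution"
        return {**s, x: sol(d)}, (cont, demon(s)(d, sol))
    if kind == "test":
        _, phi = game
        proof, cont = angel(s)                  # Angel: (erased proof of phi, continuation)
        return s, (cont, demon(s)(proof))
    if kind == "choice":
        _, a, b = game
        side, sub = angel(s)                    # Angel: ("L", strategy) or ("R", strategy)
        left, right = demon(s)                  # Demon: one strategy per branch
        return play(a, s, sub, left) if side == "L" else play(b, s, sub, right)
    if kind == "seq":
        _, a, b = game
        t, (angel2, demon2) = play(a, s, angel, demon)
        return play(b, t, angel2, demon2)
    if kind == "loop":
        _, a = game
        tag, sub = angel(s)              # Angel: ("stop", cont) or ("go", strategy for a ; a*)
        stop, go = demon(s)              # Demon: (cont if Angel stops, strategy for a ; a*)
        if tag == "stop":
            return s, (sub, stop)
        t, (angel2, demon2) = play(a, s, sub, go)
        return play(game, t, angel2, demon2)
    if kind == "dual":
        # the players swap, so their continuations come back swapped; swap them again
        # so that a following seq hands each player its own continuation
        t, (demon2, angel2) = play(game[1], s, demon, angel)
        return t, (angel2, demon2)
    raise ValueError(f"unknown game constructor {kind!r}")

# Constructed sample, a toy of the paper's 1D driving setting (editor's own):
# alpha = x := * ; (x := x+1 U x := x-1)^d ; (x := x+1)* ; (x' = 1 & x <= 5)
X = "x"
PHI = lambda t: t[X] >= 3            # Angel's goal <alpha> phi: reach x >= 3
PSI = lambda t: t[X] <= 5            # Demon's goal [alpha] psi: end within x <= 5
GAME = ("seq", ("any", X),
        ("seq", ("dual", ("choice", ("assign", X, lambda s: s[X] + 1),
                                    ("assign", X, lambda s: s[X] - 1))),
         ("seq", ("loop", ("assign", X, lambda s: s[X] + 1)),
                 ("ode", X, lambda s: 1.0, lambda s: s[X] <= 5))))

def angel_ode(s):                    # drive one time unit along the solution of x' = 1
    return 1.0, (lambda tau: s[X] + tau), (lambda t: PHI(t))

def angel_loop(s):                   # repeat x := x + 1 until x >= 2, then go to the ODE
    return ("go", (lambda t: angel_loop)) if s[X] < 2 else ("stop", angel_ode)

def angel_dual(s):                   # inside the dual Angel plays Demon's role: one strategy per branch
    return (lambda t: angel_loop), (lambda t: angel_loop)

def angel_any(s):                    # Angel opens with x := 2
    return 2, angel_dual

def make_demon(side):
    """Demon strategy resolving the dual choice with branch `side` ("L": +1, "R": -1)."""
    demon_ode = lambda s: (lambda d, sol: (lambda t: PSI(t)))
    demon_loop = lambda s: (demon_ode, (lambda t: demon_loop))
    demon_dual = lambda s: (side, (lambda t: demon_loop))
    return lambda s: (lambda value: demon_dual)

def run(side):
    """Play GAME from x = 0; return (final x, Angel's witness, Demon's witness)."""
    t, (angel_w, demon_w) = play(GAME, {X: 0}, angel_any, make_demon(side))
    return t[X], angel_w(t), demon_w(t)
```

`run("L")` and `run("R")` play Angel's fixed strategy against the two Demon strategies; the final states differ (x = 4 and x = 3) but both satisfy φ and ψ, which is the consistency statement in action: `play` never looks at the goal formulas, it only lets the two strategies run and returns whatever witnesses their leaves produce.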
Function play is the high-level interpreter algorithm, while synthesis would commit to one Angel strategy and allow black-box Demon implementations for an external environment. Angel strategies are positive and are synthesized by extracting witnesses from each introduction rule. Demonic invariants and test conditions describe allowed observable behaviors. Demon strategies are negative and characterized by observable behaviors, so it suffices to monitor their compliance with invariants and test conditions extracted from the proof.

- Full abstraction for PCF
- Alternating-time temporal logic
- Logic of strategies: what and how? In: van Benthem
- Dynamic logics of evidence-based beliefs
- Toward a theory of play: a logical perspective on games and interaction. Games
- Foundations of Constructive Analysis
- dLι: definite descriptions in differential dynamic logic
- Toward structured proofs for dynamic logics
- Constructive game logic
- Constructive hybrid games
- VeriPhy: verified controller executables from verified cyber-physical system models
- Techniques of Constructive Analysis
- A fragment of intuitionistic dynamic logic
- Strategy logic
- The calculus of constructions
- Inductively defined types
- C-CoRN, the constructive Coq repository at Nijmegen
- Towards intuitionistic dynamic logic
- Inductive families
- Control design for hybrid systems with TuLiP: the temporal logic planning toolbox
- LTLMoP: experimenting with language, temporal logic and robot control
- Bidirectional programming languages
- Strategies made explicit in dynamic game logic
- Rectangular hybrid games
- An axiomatic basis for computer programming
- A logic for strategic reasoning
- Well-foundedness in realizability
- Differential Games: A Mathematical Theory with Applications to Warfare and Pursuit, Control and Optimization. Series in Applied Mathematics (SIAM)
- Strong normalization of program-indexed lambda calculus
- A fully automated framework for control of linear systems from temporal logic specifications
- Constructive Kripke semantics and realizability
- Théories géométriques pour l'algèbre des nombres réels
- The Picard algorithm for ordinary differential equations in Coq
- Synthesis of strategies using the Hoare logic of angelic and demonic nondeterminism
- ModelPlex: verified runtime validation of verified cyberphysical system models
- A symmetric modal lambda calculus for distributed computing
- Realizability: a historical essay
- Propositional game logic
- Differential dynamic logic for hybrid systems
- Differential-algebraic dynamic logic for differential-algebraic programs
- Differential game logic
- Differential hybrid games
- Logical Foundations of Cyber-Physical Systems
- Uniform substitution for differential game logic
- Differential equation invariance axiomatization
- Semantical considerations on Floyd-Hoare logic
- Playing hybrid games with KeYmaera
- Dynamic logic on games with structured strategies
- Semi-decidable synthesis for triangular hybrid systems
- Decidable controller synthesis for classes of linear systems
- Switching logic synthesis for reachability
- An axiomatic approach to liveness for differential equations
- The Coq development team: The Coq proof assistant reference manual
- A game theoretic approach to controller design for hybrid systems
- Games in dynamic-epistemic logic
- Computable Analysis - An Introduction
- Constructive modal logics I
- Tableaux for constructive concurrent dynamic logic

This research was sponsored by the AFOSR under grant number FA9550-16-1-0288 and the Alexander von Humboldt Foundation. The first author was also funded by an NDSEG Fellowship. We thank Jon Sterling for suggestions regarding our choice of type theory and for references to the literature. We thank the anonymous reviewers for their helpful feedback.