Want to impress your boy friend / girl friend? SAT Modulo Ordinary Differential Equations - PowerPoint PPT Presentation


SAT Modulo Ordinary Differential Equations

An Analysis Method for Hybrid Systems

Martin Fränzle¹, with slides, LaTeX source, etc., by Andreas Eggers¹ · Christian Herde¹ · Nacim Ramdani² · Nedialko S. Nedialkov³

SFB/TR 14 AVACS

¹ Carl von Ossietzky Universität Oldenburg, Germany
² Université d'Orléans · PRISME · Bourges, France
³ McMaster University · Hamilton, Ontario, Canada

Want to impress your boy friend / girl friend?

[YouTube video]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 2 / 85

[www.popsci.com]

That's why we build hybrid systems!

What is a hybrid system?

Hybrid (from Greek) means arrogant, presumptuous.
After H. Menge: Griechisch/Deutsch, Langenscheidt 1984

Hybrid stems from Latin hybrida 'offspring of a tame sow and wild boar, child of a freeman and slave, etc.'
From the Compact Oxford English Dictionary, 2008

Hybrid Systems

Loads of continuous computations interleaved with discrete decisions

[Block diagram, Plant and Control: the plant is subject to environmental influence and disturbances ("noise"); its observable state is sampled by A/D converters and fed to a bank of continuous controllers (with setpoints) and to a discrete supervisor, which performs control selection (the active control law), sets setpoints and does task selection on part of the observable state; the selected controller output passes an analog switch and D/A conversion back to the plant.]

slide-3
SLIDE 3

Hybrid systems

are ensembles of interacting discrete and continuous subsystems:

Technical systems: physical plant + multi-modal control; physical plant + embedded digital system; mixed-signal circuits; multi-objective scheduling problems (computers / distributed energy management / traffic management / ...)
Biological systems: Delta-Notch signaling in cell differentiation; blood clotting; ...
Economy: cash/good flows + decisions; ...
Medicine/health/epidemiology: infectious diseases + vaccination strategies; ...

Hybrid Systems: The Formal Model

A Formal Model: Hybrid Automata

[Figure: a bouncing ball, with plots of the vertical position x and the velocity y of the ball over time; the automaton is built up stepwise over several animation frames of slide 8.]

Two modes, "ball is moving down" (labelled y < 0) and "ball is moving up" (labelled y > 0), share the flow

  ẋ = y
  ẏ = −9.81

under the invariant x ≥ 0. Initial condition: x = 20.0 ∧ y = 0.0. Bounce transition on hitting the ground: x = 0.0 ∧ y ≤ 0.0 / y′ = −0.8 · y.

State and Dimension Explosion

Number of continuous variables linear in number of cars: positions, speeds, accelerations, torque, slip, ...

Number of discrete states exponential in number of cars: operational modes, control modes, state of communication subsystem, ...

Size-dependent dynamics: latency in the control loop depends on the number of cars due to the communication subsystem; coupled dynamics yields long hidden channels chaining signal transducers.

⇒ Need a scalable approach
⇒ Let's try to achieve this through SAT/SMT-based methods.

Hybrid Control — A Case Study

[Figure: a mobile robot ("satellite") at position (x, y) with heading α and speed v steering towards a target position; ω = α̇.]

[Simulink diagram "robot motion": continuous-time proportional control with gains P_v = 3 and P_omega = 1.6; inputs omega_set and v_set; integrators (1/s) for v, α, x and y, with cos/sin resolving the velocity into vx, vy; outputs x, y, alpha, v, omega. Plant dynamics: ω = α̇, v̇ = a.]

[Simulink diagram "time-triggered controller": inputs trigger, alpha, xpos, ypos, x_target, y_target; outputs omega, v, alpha_target, dist_to_target. The target heading is obtained from asin, with a sign test (≥ 0) on the x offset selecting between α′_T and π − α′_T; a plot of asin(x) on [−1, 1] is shown.]

  α′_T = sin⁻¹( (y_T − y) / √((x_T − x)² + (y_T − y)²) )

  distance = √((x_T − x)² + (y_T − y)²)

Hybrid Control — A Case Study

[Stateflow chart "all" with two parallel regions, built up over several animation frames of slide 13:]

Region "rotation" (states m0, m1), guarded transitions with priorities 1 to 3:
  [alpha > alpha_target] / omega = −0.1;
  [alpha == alpha_target] / omega = 0;
  [alpha < alpha_target] / omega = 0.1;
  [alpha < alpha_target] / omega = 0.1;
  [alpha > alpha_target] / omega = −0.1;

Region "speed", entry action / v = 0.4; guarded transitions:
  [dist_to_target < 0.1] / v = 0;
  [dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
  [dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1;

Hybrid Control — A Case Study

[Block diagram: plant_dynamics (inputs omega_set, v_set; outputs x, y, alpha, v, omega) in closed loop with controller, invoked by the trigger every_two_time_units (inputs trigger, alpha, xpos, ypos, x_target = 3, y_target = −5; outputs omega, v, alpha_target).]

Characteristics of the model:
  continuous controller + plant dynamics
  nonlinear computations
  parallel composition
  bang-bang control
  time-triggered controller invocation
  uncountably infinitely many target positions

Does this system work as specified?

Simulated Trajectory Reaching Target

[Figure: one simulated trajectory of the robot reaching its target]

Multiple Simulated Trajectories Reaching Targets

[Figure: several simulated trajectories reaching their targets]

CDCL + Interval Constraint Propagation: An engine for Bounded Model Checking of non-linear discrete-time HA

Bounded Model Checking of Nonlinear Discrete-Time Hybrid Systems (1)

Given: a nonlinear discrete-time hybrid dynamical system

  x_{n+1} = f(x_n, i_n)
  o_n = g(x_n, i_n)

(a delay element feeds x_{n+1} back as the next x_n), where

  x — state vector
  i — input vector
  o — output vector
  f — next-state function
  g — output function

f, g potentially nonlinear.

Goal: check whether some unsafe state is reachable within k steps of the system.

Bounded Model Checking of Nonlinear Discrete-Time Hybrid Systems (2)

Method: construct a formula that is satisfiable if (and only if) an error trace of length k exists. The formula is a k-fold unrolling of the transition relation, concatenated with a characterization of the initial state(s) and of the (unsafe) state to be reached; for k = 3:

  I(x_0) ∧ x_1 = f(x_0, i_0) ∧ o_0 = g(x_0, i_0)
       ∧ x_2 = f(x_1, i_1) ∧ o_1 = g(x_1, i_1)
       ∧ x_3 = f(x_2, i_2) ∧ o_2 = g(x_2, i_2) ∧ P(x_3)

Use an appropriate procedure to "decide" satisfiability of the formula.

Needed: solvers for large, non-linear arithmetic formulae with a rich Boolean structure.

Bounded Model Checking with HySAT / iSAT

[Automaton: initial x := 2; transition b / x := x² + 1; transition ¬b / x := ∛x.]

Safety property: there's no sequence of input values such that 3.14 ≤ x ≤ 3.15.

HySAT input:

  DECL
    boole b;
    float [0.0, 1000.0] x;
  INIT   -- Characterization of initial state.
    x = 2.0;
  TRANS  -- Transition relation.
    b -> x' = x^2 + 1;
    !b -> x' = nrt(x, 3);
  TARGET -- State(s) to be reached.
    x >= 3.14 and x <= 3.15;

SOLUTION (COUNTEREXAMPLE):

  b (boole): @0: [0, 0] @1: [1, 1] @2: [1, 1] @3: [0, 0] @4: [1, 1] @5: [1, 1] @6: [0, 0] @7: [1, 1] @8: [0, 0] @9: [1, 1] @10: [1, 1] @11: [0, 0]
  x (float): @0: [2, 2] @1: [1.25992, 1.25992] @2: [2.5874, 2.5874] @3: [7.69464, 7.69464] @4: [1.97422, 1.97422] @5: [4.89756, 4.89756] @6: [24.9861, 24.9861] @7: [2.92347, 2.92347] @8: [9.5467, 9.5467] @9: [2.12138, 2.12138] @10: [5.50024, 5.50024] @11: [31.2526, 31.2526] @12: [3.14989, 3.14989]
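A counterexample reported by a solver should be replayed independently before it is trusted: the solver reasons on interval enclosures and prints rounded bounds, and a replay on the concrete transition relation is the cheapest check. The following Python script is an added example and is not code from the slides or from HySAT/iSAT. It re-executes the toy system above along the reported input sequence b@0..b@11, and also does what the SAT engine replaces: a brute-force depth-k search over all 2^k input sequences. Assumptions of the example: nrt(x, 3) is the real cube root, and a trace that leaves the declared domain float [0.0, 1000.0] is not a run of the declared system.

```python
import itertools

# Declared domain of x and the TARGET region, taken from the HySAT input above.
X_LO, X_HI = 0.0, 1000.0
TARGET_LO, TARGET_HI = 3.14, 3.15

# Counterexample input sequence b@0 .. b@11 as printed by HySAT on the slide.
SLIDE_INPUTS = [0, 1, 1, 0, 1, 1, 0, 1, 0, 1, 1, 0]


def step(x, b):
    """Transition relation: b -> x' = x^2 + 1; !b -> x' = nrt(x, 3) (real cube root, assumed)."""
    return x * x + 1.0 if b else x ** (1.0 / 3.0)


def run(inputs, x0=2.0):
    """Unroll the transition relation along an input sequence.

    Returns the state trace [x@0, ..., x@k], or None if the trace leaves the
    declared domain of x (such a trace is not a run of the declared system).
    """
    xs = [x0]
    for b in inputs:
        x = step(xs[-1], b)
        if not (X_LO <= x <= X_HI):
            return None
        xs.append(x)
    return xs


def in_target(x):
    """TARGET: x >= 3.14 and x <= 3.15."""
    return TARGET_LO <= x <= TARGET_HI


def validate_counterexample(inputs, x0=2.0):
    """Concrete replay of a solver-reported trace. Returns (valid, trace)."""
    xs = run(inputs, x0)
    return xs is not None and in_target(xs[-1]), xs


def bmc_brute_force(k, x0=2.0):
    """Depth-k bounded model checking by enumerating all 2^k Boolean input
    sequences (feasible only for toy k). Returns (inputs, trace) of the first
    trace reaching the TARGET, or None if no depth-k error trace exists."""
    for inputs in itertools.product((0, 1), repeat=k):
        xs = run(inputs, x0)
        if xs is not None and in_target(xs[-1]):
            return list(inputs), xs
    return None


def shortest_counterexample(max_k):
    """Iterative deepening over the unrolling depth, as a BMC loop does."""
    for k in range(max_k + 1):
        found = bmc_brute_force(k)
        if found is not None:
            return k, found
    return None


if __name__ == "__main__":
    ok, trace = validate_counterexample(SLIDE_INPUTS)
    print("slide counterexample valid:", ok)
    for i, x in enumerate(trace):
        print(f"@{i}: {x:.5f}")
    print("shortest error trace found at depth:", shortest_counterexample(12)[0])
```

The replay reproduces the printed enclosures to the shown precision (x@12 ≈ 3.14989). Note that the replay itself runs in floating point; for a rigorous confirmation one would replay in interval arithmetic with outward rounding and check that the enclosure of x@12 lies inside [3.14, 3.15].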

The Task

Find satisfying assignments (or prove absence thereof) for large (thousands of Boolean connectives) formulae of shape

  (b_1 ⇒ x_1² − cos y_1 < 2y_1 + sin z_1 + e^{u_1})
  ∧ (x_5 = tan y_4 ∨ tan y_4 > z_4 ∨ …) ∧ …
  ∧ (dx/dt = −sin x ∧ x_3 > 5 ∧ x_3 < 7 ∧ x_4 > 12 ∧ …)
  ∧ …

Most conventional solvers either address much smaller fragments of arithmetic (decidable theories: no transcendental functions, no ODEs) or tackle only small formulae (some dozens of Boolean connectives).

Interval Arithmetic

is an ancient mathematical technique, already used by Archimedes, systematized by Rosalind Cecily Young in the 1930s [Young, 1931], and brought to computing by Paul Dwyer [Dwyer, 1951], Mieczysław Warmus [Warmus, 1956], Teruo Sunaga [Sunaga, 1958], and Ramon E. Moore [Moore, 1966] in the 1950s;

is an approach to putting safe bounds on computational results, irrespective of rounding errors during computations, inaccuracies in measurements of entities entering the computation, and uncertain parameters;

when applied to an expression over the reals, yields a set-valued result, namely an interval over the reals, which is guaranteed to contain the exact value of the expression;

can be used for efficiently computing a safe overapproximation (i.e., a superset) of the image f(X) of a set X ⊆ ℝⁿ under a function f : ℝⁿ → ℝ.

Interval Arithmetic

For non-empty argument intervals [a, b] ∈ 𝕀 \ {∅} and [c, d] ∈ 𝕀 \ {∅}, define

  [a, b] ⊕ [c, d] = [⌊a + c⌋, ⌈b + d⌉]
  [a, b] ⊖ [c, d] = [⌊a − d⌋, ⌈b − c⌉]
  [a, b] ⊙ [c, d] = [⌊min(a·c, a·d, b·c, b·d)⌋, ⌈max(a·c, a·d, b·c, b·d)⌉]

  sin[a, b] =
    [⌊min(sin a, sin b)⌋, ⌈max(sin a, sin b)⌉]   iff [a, b] contains neither a point (2n + ½)π nor a point (2m − ½)π,
    [⌊min(sin a, sin b)⌋, 1]                      iff [a, b] contains a point (2n + ½)π but no point (2m − ½)π,
    [−1, ⌈max(sin a, sin b)⌉]                     iff [a, b] contains no point (2n + ½)π but a point (2m − ½)π,
    [−1, 1]                                       iff [a, b] contains both a point (2n + ½)π and a point (2m − ½)π,

  with n, m ranging over ℤ (the points (2n + ½)π are the maxima of sin, the points (2m − ½)π its minima),

where ⌊·⌋ and ⌈·⌉ denote rounding down/up to computational reals, and 𝕀 denotes the set of intervals with representable bounds.

Interval Arithmetic: Example

Assume fixed-point arithmetic with just 1 bit fractional part: representable numbers are of the form k/2 for k ∈ ℤ.

Given x1 = [0, 0.5] and x2 = [0.5, 1], IA computes

  x1 ⊖ x1 ⊕ x2 ⊙ x2
  = ([0, 0.5] ⊖ [0, 0.5]) ⊕ ([0.5, 1] ⊙ [0.5, 1])
  = [⌊0 − 0.5⌋, ⌈0.5 − 0⌉] ⊕ ([0.5, 1] ⊙ [0.5, 1])
  = [−0.5, 0.5] ⊕ ([0.5, 1] ⊙ [0.5, 1])
  = [−0.5, 0.5] ⊕ [⌊min(0.5·0.5, 0.5·1, 1·0.5, 1·1)⌋, ⌈max(0.5·0.5, 0.5·1, 1·0.5, 1·1)⌉]
  = [−0.5, 0.5] ⊕ [min(0, 0.5, 0.5, 1), max(0.5, 0.5, 0.5, 1)]
  = [−0.5, 0.5] ⊕ [0, 1]
  = [⌊−0.5 + 0⌋, ⌈0.5 + 1⌉]
  = [−0.5, 1.5]

⇒ the computed interval [−0.5, 1.5] covers the set of values {x1 − x1 + x2 · x2 | x1 ∈ [0, 0.5], x2 ∈ [0.5, 1]} = [0.25, 1], yet not tightly so.
→ rounding + dependency problem of IA

Interval Constraint Propagation (1)

[Cleary, 1986]

Complex constraints are rewritten to "triplets" (primitive constraints):

  x² + y ≤ 6   ⇝   c1: h1 = x²  ∧  c2: h2 = h1 + y  ∧  h2 ≤ 6

(the slide draws this as a dataflow graph: x → (²) → h1 → (+, with y) → h2 → (≤ 6).)

"Forward" interval propagation yields a justification for constraint satisfaction: in the box x ∈ [−2, 2] ∧ y ∈ [−2, 2] we get h1 = x² ∈ [0, 4] and h2 = h1 + y ∈ [−2, 6], so h2 ≤ 6 is satisfied in the box.

Interval propagation (fwd & bwd) yields a witness for unsatisfiability: in the box x ∈ [3, 4] ∧ y ∈ [0, 3] we get h1 ∈ [9, 16] and h2 ∈ [9, 19], so h2 ≤ 6 is unsatisfiable in the box.

Interval propagation (fwd & bwd until a fixpoint is reached) yields a contraction of the box: starting from x ∈ [−10, 10] ∧ y ∈ [−10, 10], forward propagation gives h1 ∈ [0, 100] and h2 ∈ [−10, 110]; imposing h2 ≤ 6 (h2 ∈ [−10, 6]) and propagating backwards gives h1 ∈ [0, 16], y ∈ [−10, 6] and x ∈ [−4, 4]. The contracted box is x ∈ [−4, 4] ∧ y ∈ [−10, 6]. Forward propagation in this box still yields h2 ∈ [−10, 22], i.e. the constraint is not satisfied by the contracted box! Contraction alone neither satisfies nor refutes it here.

(details & alternatives: see Benhamou in Handbook of Constraint Progr.)

[Figure (slide 26): iterated interval contraction for the constraints y ≤ 2·x and y = x², starting from x ∈ [−100, 100], y ∈ [−100, 100]; the boxes shown in the figure include x ∈ [−10, 10], [−√20, √20], [−4.5, 4.5], [−3, 3], [−2.5, 2.5], [−√6, √6], [−√5, √5], [−2.3, 2.3] and y ∈ [0, 100], [0, 20], [0, 9], [0, 6], [0, 5], [0, 4.6].]

Incompleteness of Interval Contraction

Backward propagation yields a rectangular overapproximation of non-rectangular pre-images. Thus, interval contraction provides a highly incomplete deduction system:

  x ∈ [0, ∞) ∧ h = x · y ∧ h > 5   ⇒   x ∈ (0, ∞) ∧ y ∈ (0, ∞)   ⇒   h ∈ (0, ∞)

and h ∈ (0, ∞) does not entail h > 5: contraction stops at the box x ∈ (0, ∞), y ∈ (0, ∞), which neither satisfies nor refutes h > 5, because the solution set {(x, y) | x · y > 5} is not a box.

Enhance through a branch-and-prune approach.
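The three slides above (interval arithmetic with outward rounding, forward/backward contraction on the triplets of x² + y ≤ 6, and branch-and-prune as the remedy for incompleteness) are small enough to execute end to end. The following Python script is an added example and is not code from the slides or from HySAT/iSAT. It implements a minimal interval type with outward rounding onto a grid (the ⌊·⌋/⌈·⌉ of slide 23; the grid spacing parameter is an assumption of this example), reproduces the fixed-point example of slide 24, runs the fwd/bwd contractor of slide 25 to its fixpoint on the three boxes shown there, and finishes with a branch-and-prune loop that splits undecided boxes until they are proved satisfied, refuted, or narrower than a chosen eps (also an assumption).

```python
import math

INF = float("inf")


class Interval:
    """Closed interval [lo, hi] over the reals; lo > hi encodes the empty set."""

    def __init__(self, lo, hi):
        self.lo, self.hi = float(lo), float(hi)

    def empty(self):
        return self.lo > self.hi

    def width(self):
        return self.hi - self.lo

    def meet(self, other):
        return Interval(max(self.lo, other.lo), min(self.hi, other.hi))

    def __eq__(self, other):
        return (self.lo, self.hi) == (other.lo, other.hi)

    def __repr__(self):
        return "empty" if self.empty() else f"[{self.lo:g}, {self.hi:g}]"


def rounders(ulp):
    """Outward rounding onto the grid of representable numbers with spacing `ulp`
    (ulp=None: exact reals). Models ⌊·⌋ / ⌈·⌉ of the slides; finite inputs only."""
    if ulp is None:
        return (lambda v: v), (lambda v: v)
    return (lambda v: math.floor(v / ulp) * ulp), (lambda v: math.ceil(v / ulp) * ulp)


def add(a, b, ulp=None):
    down, up = rounders(ulp)
    return Interval(down(a.lo + b.lo), up(a.hi + b.hi))


def sub(a, b, ulp=None):
    down, up = rounders(ulp)
    return Interval(down(a.lo - b.hi), up(a.hi - b.lo))


def mul(a, b, ulp=None):
    down, up = rounders(ulp)
    ps = (a.lo * b.lo, a.lo * b.hi, a.hi * b.lo, a.hi * b.hi)
    return Interval(down(min(ps)), up(max(ps)))


def sqr(a):
    """x² as a unary operator: unlike mul(a, a) it knows both factors are the same x."""
    if a.lo <= 0.0 <= a.hi:
        return Interval(0.0, max(a.lo * a.lo, a.hi * a.hi))
    small, big = sorted((abs(a.lo), abs(a.hi)))
    return Interval(small * small, big * big)


def slide_ia_example():
    """Slide 24: 1-bit fixed point (grid 0.5), x1 − x1 + x2·x2 for x1=[0,0.5], x2=[0.5,1].
    Returns (naive IA result, exact range of the expression)."""
    x1, x2 = Interval(0, 0.5), Interval(0.5, 1)
    naive = add(sub(x1, x1, 0.5), mul(x2, x2, 0.5), 0.5)   # [-0.5, 1.5]
    exact_range = sqr(x2)                                   # x1 − x1 cancels: [0.25, 1]
    return naive, exact_range


def contract(x, y, bound=6.0, max_rounds=100):
    """Fwd/bwd ICP for x² + y <= bound on the triplets h1 = x², h2 = h1 + y, h2 <= bound,
    iterated to a fixpoint. Returns (box, status): 'sat' (every point of the box
    satisfies the constraint), 'unsat' (box refuted) or 'unknown' (contracted only)."""
    h1 = h2 = Interval(-INF, INF)
    for _ in range(max_rounds):
        before = (x, y, h1, h2)
        if add(sqr(x), y).hi <= bound:        # forward image inside the bound: justification
            return (x, y), "sat"
        h1 = h1.meet(sqr(x))
        h2 = h2.meet(add(h1, y)).meet(Interval(-INF, bound))
        if h2.empty():
            return (x, y), "unsat"            # witness of unsatisfiability
        h1 = h1.meet(sub(h2, y))              # backward through h2 = h1 + y
        y = y.meet(sub(h2, h1))
        if h1.empty() or y.empty():
            return (x, y), "unsat"
        r = math.sqrt(h1.hi)                  # pre-image of h1 under x² is [-√hi,-√lo] ∪ [√lo,√hi];
        x = x.meet(Interval(-r, r))           # ICP keeps only its rectangular hull
        if x.empty():
            return (x, y), "unsat"
        if (x, y, h1, h2) == before:
            break
    return (x, y), "unknown"


def branch_and_prune(x, y, bound=6.0, eps=0.5):
    """Split undecided boxes until each is proved 'sat', 'unsat', or is at most eps wide."""
    work, sat, undecided = [(x, y)], [], []
    while work:
        (bx, by), status = contract(*work.pop(), bound=bound)
        if status == "unsat":
            continue
        if status == "sat":
            sat.append((bx, by))
        elif max(bx.width(), by.width()) <= eps:
            undecided.append((bx, by))        # 'sufficiently small' box, still undecided
        elif bx.width() >= by.width():        # bisect the wider dimension
            m = (bx.lo + bx.hi) / 2
            work += [(Interval(bx.lo, m), by), (Interval(m, bx.hi), by)]
        else:
            m = (by.lo + by.hi) / 2
            work += [(bx, Interval(by.lo, m)), (bx, Interval(m, by.hi))]
    return sat, undecided


if __name__ == "__main__":
    print("slide 24:", slide_ia_example())
    for box in ((-2, 2, -2, 2), (3, 4, 0, 3), (-10, 10, -10, 10)):
        print(box, "->", contract(Interval(*box[:2]), Interval(*box[2:])))
    sat, und = branch_and_prune(Interval(-10, 10), Interval(-10, 10))
    print(len(sat), "boxes proved sat,", len(und), "small undecided boxes")
```

The `contract` function returns exactly the three outcomes of slide 25: `sat` for x, y ∈ [−2, 2], `unsat` for x ∈ [3, 4], y ∈ [0, 3], and the contracted but undecided box x ∈ [−4, 4], y ∈ [−10, 6] for the [−10, 10]² start. The undecided boxes left by `branch_and_prune` all straddle the parabola y = 6 − x², which is the non-rectangular boundary that interval contraction alone cannot resolve.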

iSAT: Non-linear Arithmetic Constraint Solving

Input formula (after rewriting):

  c1: (¬a ∨ ¬c ∨ d)
  ∧ c2: (¬a ∨ ¬b ∨ c)
  ∧ c3: (¬c ∨ ¬d)
  ∧ c4: (b ∨ x ≥ −2)
  ∧ c5: (x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)
  ∧ c6: h1 = x²
  ∧ c7: h2 = −2 · y
  ∧ c8: h3 = h1 + h2

Use a Tseitin-style (i.e. definitional) transformation to rewrite the input formula into a conjunction of constraints:
  ⊲ n-ary disjunctions of bounds
  ⊲ arithmetic constraints having at most one operation symbol
Boolean variables are regarded as 0-1 integer variables. This allows identification of literals with bounds on Booleans: b ≡ b ≥ 1, ¬b ≡ b ≤ 0.
Float variables h1, h2, h3 are used for the decomposition of the complex constraint x² − 2y ≥ 6.2.

Search (decision levels DL, built up over several animation frames of slide 28):

  DL 1: decide a ≥ 1.
  DL 2: decide b ≥ 1. Unit propagation: c2 forces c ≥ 1; c1 forces d ≥ 1; c3 forces d ≤ 0. Conflict!
        Conflict analysis learns c9: (¬a ∨ ¬c); backjump to DL 1.
  DL 1: c9 forces c ≤ 0; c2 forces b ≤ 0; c4 forces x ≥ −2.
  DL 2: decide y ≥ 4. Interval propagation on c7: h2 ≤ −8.
  DL 3: decide x ≤ 3. c6: h1 ≤ 9. c5 (x ≥ 4 and y ≤ 0 are false): h3 ≥ 6.2. c8: h2 ≥ 6.2 − 9 = −2.8. Conflict with h2 ≤ −8!
        Learned conflict clause c10: (x < −2 ∨ y < 3 ∨ x > 3), a symbolic description of a rectangular region of the search space which is excluded from future search. Backjump to DL 2.
  DL 2: c10 forces x > 3; c6: h1 > 9. ...

Continue to split and deduce until either
  ⊲ the solver is left with a 'sufficiently small' portion of the search space for which it cannot derive any contradiction, or
  ⊲ the formula turns out to be UNSAT (unresolvable conflict).

Results can be verified by sorting to "single assignment form".

Essentially, a tight integration of interval constraint propagation with recent propositional SAT-solving techniques.
[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability..., 2007]

A DPLL(T)-based alternative, including LP solving, has been implemented by Gao et al.
[Gao, Ganai, Ivancic, Gupta, Sankaranarayanan, Clarke: FMCAD 2010]

The Impact of Learning: Runtime

[Scatter plot: solver runtime without learning [s] against runtime with learning [s], both axes log-scaled (0.001 s to 100000 s), with guide lines for speed-up ratios > 1:1, > 10:1, > 100:1, > 1k:1, > 10k:1, > 100k:1, > 1m:1, > 10m:1 and a time-out band.]

Examples: BMC of platoon control, bouncing ball, gingerbread map, oscillatory logistic map, intersection of geometric bodies.
Size: up to 2400 variables, ≫ 10³ Boolean connectives.
[2.5 GHz AMD Opteron, 4 GByte physical memory, Linux]

CDCL + ICP + Numeric ODE Enclosure: An engine for Bounded Model Checking of non-linear continuous-time HA

Hybrid Automata – Semantics

height x velocity v time time x ≥ 0

  • v= −9.81
  • x= v

x = 0 x = 10, v = 0 /v′ := −v A = (Vars, Modes, Init, Flow, Jump) Init = {(m, Initm) | m ∈ Modes} Flow = {(m, ODEm, Invarm) | m ∈ Modes} Jump = {(m, Guardm,m′, Actionm,m′, m′) | m, m′ ∈ Modes}

Valuation σ : Vars → R Run ρ : m0, σ0 ∆t0 m0, ˆ σ0 → m1, σ1 ∆t1 m1, ˆ σ1 → . . . where m0, σ0 | = Init mi, σi ∆ti mi, ˆ σi | = Flow mi, ˆ σi → mi+1, σi+1 | = Jump Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85 [Alur, Courcoubetis, Henzinger, and Ho, 1993]

slide-18
SLIDE 18


Bounded Model Checking

[Figure: heater automaton with two modes. Mode "Heat off": flow dϑi/dt = −0.1 · (ϑi − ϑo), dc/dt = −0.05 · c, invariant ϑi ≥ 19 ∨ c ≥ 0.04, initially ϑi ∈ [19, 25], c = 0. Mode "Heat on": flow dϑi/dt = 0.2 · (35 − ϑi) − 0.1 · (ϑi − ϑo), dc/dt = 0.01 − 0.05 · c, invariant ϑi ≤ 21, initially ϑi ∈ [15, 21], c = 0. Transition off → on guarded by ϑi ≤ 19 ∧ c ≤ 0.04; transition on → off guarded by ϑi ≥ 21.]

Bounded Model Checking (BMC): Are there any trajectories leading from an initial to an unsafe state in k steps?

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85

slide-19
SLIDE 19

[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]

Bounded Model Checking and Constraint Solving

[Figure: the heater automaton from the previous slide]

Predicative encoding of the heater automaton:

init = −10 ≤ ϑo ≤ 20 ∧ c = 0 ∧ ((19 ≤ ϑi ≤ 25 ∧ ¬on) ∨ (15 ≤ ϑi ≤ 21 ∧ on))

trans =
    (¬on ∧ on′ ∧ ϑi ≤ 19 ∧ c ≤ 0.04 ∧ ϑi′ = ϑi ∧ ϑo′ = ϑo ∧ c′ = c)
  ∨ (on ∧ ¬on′ ∧ ϑi ≥ 21 ∧ ϑi′ = ϑi ∧ ϑo′ = ϑo ∧ c′ = c)
  ∨ (¬on ∧ ¬on′ ∧ dϑi/dt = −0.1(ϑi − ϑo) ∧ dc/dt = −0.05c ∧ (ϑi′ ≥ 19 ∨ c′ ≥ 0.04) ∧ ϑo′ = ϑo)
  ∨ (on ∧ on′ ∧ dϑi/dt = 0.2 · 35 − 0.3ϑi + 0.1ϑo ∧ dc/dt = 0.01 − 0.05c ∧ ϑi′ ≤ 21 ∧ ϑo′ = ϑo)

target = (c > 0.1)

Bounded Model Checking (BMC): Check satisfiability of the SMT formula Φk := init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85

The Basic Idea

1. Continuous flows, described by ODEs, define pre-post-constraints on continuous states: given an ODE dx/dt = f(x) and a (convex) invariant I ⊂ dom(x),

   [[dx/dt = f(x)]] = {(φ(0), φ(t)) | φ solution of dx/dt = f(x), ∀t′ ≤ t : φ(t′) ∈ I}

2. Adding direct support for such "ODE constraints" in arithmetic constraint solving facilitates BMC of continuous-time hybrid systems

[Eggers & Fränzle: ATVA'08; Ishii, Ueda, Hosobe, Goldsztejn: ADHS'09]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 33 / 85

odeSAT: Adding Forward and Backward Propagation for ODE Constraints

[Figure: an ODE constraint between prebox x(1) and postbox x(2) over the time horizon; forward propagation narrows the postbox, backward propagation narrows the prebox, and both narrow the time of interest]

...yields a classical interval propagator!

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 34 / 85

iSAT+ODE: Integrated Algorithm (Example)

(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dx/dt = 3/20 · (3 − x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]

(x1 and x2 are successive BMC instances of x.) The animation shows the deduction steps:

1. ICP on x1 + x2 > y: with x1 ∈ [10, 20] and x2 ∈ [−5, 7] we have y < x1 + x2 ≤ 27, so the bound y < 30 is tightened to y < 27: y ∈ [0, 27].
2. Clause (y ≥ 28 ∨ a): y ≥ 28 is now inconsistent with y ∈ [0, 27], so unit propagation forces a = 1: a ∈ {1}.
3. Clause (¬a ∨ dx/dt = 3/20 · (3 − x)): with a = 1 the ODE constraint becomes active and links x1 (pre) to x2 (post).
4. ODE enclosure: every trajectory of dx/dt = 3/20 · (3 − x) started in x1 ∈ [10, 20] stays above 3, so the bound x2 ≥ −5 is tightened to x2 ≥ 3: x2 ∈ [3, 7].

[Figure: boxes for x1, x2 and y, then the ODE enclosure of all trajectories from x1 ∈ [10, 20] narrowing the box of x2]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85 [Eggers, Fränzle, and Herde, 2008], [Ishii, Ueda, and Hosobe, 2011]
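The deduction sequence of this example, run by a small propagation loop. This is an added illustration for the tutorial, not iSAT code: interval constraint propagation contracts the real-valued box, unit propagation handles the clauses, and the ODE literal gets a contractor derived from the closed-form solution of this particular linear ODE (an assumption standing in for a numeric enclosure method; the dwell time is left unbounded, as the slide does not fix it).

```python
"""iSAT-style deduction on the example formula: ICP plus unit propagation.

Added illustration, not iSAT code. The ODE contractor uses the closed form
x(t) = 3 + (x(0) - 3) * exp(-0.15 t) of this particular ODE as a stand-in
for a numeric enclosure method.
"""
import math

INF = math.inf


def imul(a, b):
    """Interval product; 0 * inf is taken as 0 (set-based convention)."""
    ps = [a[0] * b[0], a[0] * b[1], a[1] * b[0], a[1] * b[1]]
    ps = [0.0 if math.isnan(p) else p for p in ps]
    return (min(ps), max(ps))


def contract_sum_gt(box):
    """Contractor for x1 + x2 > y (strictness dropped: bounds stay closed)."""
    (l1, h1), (l2, h2), (ly, hy) = box["x1"], box["x2"], box["y"]
    return {"y": (ly, min(hy, h1 + h2)),       # y < x1 + x2 <= h1 + h2
            "x1": (max(l1, ly - h2), h1),       # x1 > y - x2 >= ly - h2
            "x2": (max(l2, ly - h1), h2)}       # x2 > y - x1 >= ly - h1


def contract_ode(box, t=(0.0, INF)):
    """Contractor for dx/dt = 3/20 * (3 - x) linking pre-box x1 and post-box x2.
    With s = exp(-0.15 t) over the dwell-time window, the image of x1 is
    3 + (x1 - 3) * s (forward) and the preimage of x2 is 3 + (x2 - 3) / s."""
    s = (0.0 if t[1] == INF else math.exp(-0.15 * t[1]), math.exp(-0.15 * t[0]))
    (l1, h1), (l2, h2) = box["x1"], box["x2"]
    fwd = imul((l1 - 3, h1 - 3), s)
    x2 = (max(l2, 3 + fwd[0]), min(h2, 3 + fwd[1]))
    inv = (1 / s[1], INF if s[0] == 0 else 1 / s[0])
    bwd = imul((x2[0] - 3, x2[1] - 3), inv)
    x1 = (max(l1, 3 + bwd[0]), min(h1, 3 + bwd[1]))
    return {"x1": x1, "x2": x2}


def status(lit, box, bools):
    """'true', 'false' or 'unknown' for a literal under the current domains."""
    if lit[0] == "bool":
        dom = bools[lit[1]]
        return "unknown" if len(dom) > 1 else ("true" if lit[2] in dom else "false")
    if lit[0] == "ge":                                  # simple bound var >= c
        lo, hi = box[lit[1]]
        return "true" if lo >= lit[2] else ("false" if hi < lit[2] else "unknown")
    return "unknown"                                    # contractor literal: only asserted


def assert_lit(lit, box, bools):
    if lit[0] == "bool":
        bools[lit[1]] = {lit[2]}
    elif lit[0] == "ge":
        lo, hi = box[lit[1]]
        box[lit[1]] = (max(lo, lit[2]), hi)
    else:
        box.update(lit[1](box))


def propagate(clauses, box, bools):
    """Unit propagation plus ICP to a fixpoint. Returns (box, bools, log);
    box is None when a clause or the box becomes empty (conflict)."""
    log, changed = [], True
    while changed:
        changed = False
        for clause in clauses:
            st = [status(l, box, bools) for l in clause]
            if "true" in st:
                continue
            open_lits = [l for l, s in zip(clause, st) if s == "unknown"]
            if not open_lits:
                return None, bools, log + ["conflict: all literals false"]
            if len(open_lits) == 1:                     # unit clause: assert the literal
                before = (dict(box), {k: set(v) for k, v in bools.items()})
                lit = open_lits[0]
                assert_lit(lit, box, bools)
                if (box, bools) != before:
                    changed = True
                    name = lit[1].__name__ if lit[0] == "contract" else lit[1]
                    log.append((name, dict(box), {k: set(v) for k, v in bools.items()}))
        if any(lo > hi for lo, hi in box.values()):
            return None, bools, log + ["conflict: empty box"]
    return box, bools, log


def run_example():
    """Domains and clauses of the slide's formula."""
    box = {"x1": (10.0, 20.0), "x2": (-5.0, 7.0), "y": (0.0, 30.0)}
    bools = {"a": {0, 1}}
    clauses = [
        [("contract", contract_sum_gt)],                 # x1 + x2 > y
        [("ge", "y", 28), ("bool", "a", 1)],              # y >= 28 or a
        [("bool", "a", 0), ("contract", contract_ode)],   # not a or ODE
    ]
    return propagate(clauses, box, bools)


if __name__ == "__main__":
    final_box, final_bools, steps = run_example()
    for step in steps:
        print(step)
    print("final:", final_box, final_bools)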

Satisfiability Modulo ODE

  • Boolean-, real-, and integer-valued variables with bounded domains
  • Quantifier-free Boolean combination of
      simple bounds, e.g. x ≤ 3.2
      arithmetic constraints, e.g. z = sin(y)
      sufficiently smooth, time-invariant ordinary differential equations (ODEs), e.g. ẋ = 2.4 · x − y²
  • Bounded Model Checking (BMC) formula structure:
    Φ = init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]
  • ODEs occur only in the transition system

Goal: Find a satisfying valuation for Φ or prove its unsatisfiability.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 36 / 85

Solving SAT Modulo ODE Formulae

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 37 / 85

slide-22
SLIDE 22

Satisfiability of SAT Modulo ODE Formulae

Point-valued satisfaction: standard for arithmetic constraints and simple bounds, e.g. the point (x = 6, y = 3) satisfies x = 2y.

Definitionally-closed systems of ODEs, e.g. ẋ = −y, ẏ = x, satisfied by the valuation ((x1 = 1, y1 = 0), (x2 = 0, y2 = −1), delta_time = π/2), with (x1, y1), (x2, y2) being successive BMC instances of (x, y) and delta_time the duration of continuous flow:

[Plot: trajectory in the x–y plane from (x1, y1) to (x2, y2)]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 38 / 85

Need to lift this to intervals for ICP

Given: a system of time-invariant ODEs

dx1/dt = f1(x1, . . . , xn), . . . , dxn/dt = fn(x1, . . . , xn)

plus three boxes B, I, E ⊂ Rⁿ.
Problem: determine whether E is reachable from B along a trajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E (to B′ and E′):

[Figure: start box B and target box E with trajectories between them; only the parts B′ ⊆ B and E′ ⊆ E that are connected by trajectories remain]

. . . and determine the dwell-time interval delta_time.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85

Problem: Safely determine whether E is unreachable from B along a trajectory satisfying the ODE and not leaving I. Some approaches:

1. Interval-based safe numeric approximation of ODEs [Moore 1965, Lohner 1987, Stauning 1997] (used in Hypertech [Henzinger, Horowitz, Majumdar, Wong-Toi 2000])

2. CLP(F): a symbolic, constraint-based technology for reasoning about ODEs grounded in (in-)equational constraints obtained from Taylor expansions [Hickey, Wittenberg 2004]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 40 / 85

Towards SAT modulo ODE Safe Enclosure Methods for ODEs

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 41 / 85

ODE Enclosure Problem

Given a system of (sufficiently-smooth, first order, time-invariant, Lipschitz-continuous) ordinary differential equations (ODEs), we want to enclose all trajectories emerging from a set of starting points over a limited temporal horizon.

dx/dt(t) = f(x(t)), x(0) ∈ [x̲1(0), x̄1(0)] × . . . × [x̲n(0), x̄n(0)]

Safely enclose all x(t) over t ∈ [0, horizon].

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 42 / 85

slide-24
SLIDE 24

Safe Approximation

[Figure: t–x plane with the startbox at ti ∈ TOI, the flowbox covering the step and the postbox at its end]

Should also be tight! And efficient to compute!

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85

slide-25
SLIDE 25

Euler’s Method

[Figure, built up over several frames: successive Euler steps in the t–x plane]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85

Taylor Series

Exact solution x(t) has slope determined by f in each point: dx/dt(t) = f(x(t))
Taylor expansion of exact solution:

x(t0 + h) = x(t0) + h¹/1! · dx/dt(t0) (Euler’s Method) + h²/2! · d²x/dt²(t0) + . . . + hⁿ/n! · dⁿx/dtⁿ(t0) + hⁿ⁺¹/(n + 1)! · dⁿ⁺¹x/dtⁿ⁺¹(t0 + θh) (Lagrange Remainder), with 0 < θ < 1

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85

slide-27
SLIDE 27

Taylor Series

x(t0 + h) = x(t0) + h¹/1! · dx/dt(t0) + h²/2! · d²x/dt²(t0) + . . . + hⁿ/n! · dⁿx/dtⁿ(t0) + hⁿ⁺¹/(n + 1)! · dⁿ⁺¹x/dtⁿ⁺¹(t0 + θh), with 0 < θ < 1

where dx/dt(t0) = f(x(t0)), d²x/dt²(t0) = df/dx(x(t0)) · f(x(t0)), and so on; the evaluation point t0 + θh of the remainder is unknown.

Can use interval arithmetic to evaluate f(x(t0)), etc., whenever x(t0) is set-valued! Automatic differentiation computes the derivatives.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 46 / 85

Bounding Box

[Figure: t–x plane with a box B over [t0, t0 + h] enclosing the solution x(t)]

For all t ∈ [t0, t0 + h]: dx/dt(t) ≤ max(f(B)) and dx/dt(t) ≥ min(f(B)), since dx/dt(t) = f(x(t)).

If we only knew B...

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 47 / 85

slide-28
SLIDE 28

Bounding Box [Lohner]

Given: Initial value problem:

dx/dt = f(x), x(t0) = x0 (x0 may also be a box)

Theorem (Lohner): If [B1] := x0 + [0, h] · f([B0]) and [B1] ⊆ [B0], then the initial value problem above has exactly one solution over [t0, t0 + h], which lies entirely within [B1] → Bounding Box.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 48 / 85

Algorithm

To get an enclosure . . .

  • Determine bounding box and stepsize
  • Evaluate Taylor series up to desired order over startbox
  • Evaluate remainder term over bounding box

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 49 / 85

Bounding Box

[Figure: a bounding box in t–x–y space over one step]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 50 / 85

slide-29
SLIDE 29

Algorithm

  • Find bounding box with greedy algorithm
  • Generate derivatives symbolically
  • Simplify expressions to reduce alias effects on variables
  • Evaluate expressions with interval arithmetic: Taylor series and Lagrange remainder

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 51 / 85

Example

dx dt = −x + 3, dy dt = x, x0 = [2, 4], y0 = [1, 1]

[Figure: enclosure boxes of x and y over t ∈ [1, 5]]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 52 / 85
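The algorithm of the two previous slides, run on the example above. This is an added example for the tutorial, not code from iSAT-ODE, VNODE-LP or the authors: it is restricted to linear ODEs dx/dt = A x + b (an assumption that lets the Taylor coefficients come from a recurrence instead of automatic differentiation), finds Lohner's bounding box by greedy inflation, evaluates the Taylor terms over the start box and the Lagrange remainder over the bounding box, and uses exact rational arithmetic in place of the outward-rounded floating point a validated solver would use.

```python
"""Interval Taylor-series enclosure with a Lohner bounding box.

Added example; not code from iSAT-ODE, VNODE-LP or the authors. Linear ODEs
dx/dt = A x + b only (assumption). fractions.Fraction keeps every box exact.
"""
from fractions import Fraction as F
from math import factorial


class Interval:
    """Closed interval [lo, hi] with exact rational endpoints."""

    def __init__(self, lo, hi):
        self.lo, self.hi = F(lo), F(hi)
        assert self.lo <= self.hi, "empty interval"

    def __add__(self, o):
        o = o if isinstance(o, Interval) else Interval(o, o)
        return Interval(self.lo + o.lo, self.hi + o.hi)

    def __mul__(self, o):
        o = o if isinstance(o, Interval) else Interval(o, o)
        ps = [self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi]
        return Interval(min(ps), max(ps))

    __radd__, __rmul__ = __add__, __mul__

    def subset(self, o):
        return o.lo <= self.lo and self.hi <= o.hi

    def contains(self, p):
        return self.lo <= F(p) <= self.hi

    def width(self):
        return self.hi - self.lo

    def hull(self, o):
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def inflate(self, factor):
        """Widen around the midpoint; the constant keeps point intervals from staying thin."""
        mid, rad = (self.lo + self.hi) / 2, self.width() / 2
        rad = rad * factor + F(1, 100)
        return Interval(mid - rad, mid + rad)

    def __repr__(self):
        return "[%.6g, %.6g]" % (float(self.lo), float(self.hi))


def f_linear(A, b, X):
    """Interval evaluation of f(x) = A x + b over the interval vector X."""
    return [sum((a * xj for a, xj in zip(row, X)), Interval(bi, bi))
            for row, bi in zip(A, b)]


def bounding_box(A, b, X0, h, max_iter=50):
    """Lohner's a-priori enclosure: find [B] with X0 + [0,h]*f([B]) inside [B].
    The candidate is inflated greedily; if that fails, h is halved. Returns (B, h)."""
    while True:
        B0 = [x.inflate(1) for x in X0]
        for _ in range(max_iter):
            B1 = [x0 + Interval(0, h) * fi for x0, fi in zip(X0, f_linear(A, b, B0))]
            if all(b1.subset(b0) for b1, b0 in zip(B1, B0)):
                return B1, h
            B0 = [b0.hull(b1).inflate(F(3, 2)) for b0, b1 in zip(B0, B1)]
        h = h / 2


def taylor_coeffs(A, b, X, order):
    """c[k] encloses the k-th time derivative of the solution over X:
    c[1] = A x + b, and c[k+1] = A c[k] for k >= 1 (the ODE differentiated)."""
    c = [X, f_linear(A, b, X)]
    while len(c) <= order:
        c.append(f_linear(A, [0] * len(b), c[-1]))
    return c


def taylor_step(A, b, X0, h, order):
    """Enclose x(t0 + h) for every x(t0) in X0: Taylor terms up to `order`
    over the start box, Lagrange remainder of order+1 over the bounding box."""
    B, h = bounding_box(A, b, X0, h)
    c_start = taylor_coeffs(A, b, X0, order)
    c_box = taylor_coeffs(A, b, B, order + 1)
    enc = []
    for i in range(len(X0)):
        acc = Interval(0, 0)
        for k in range(order + 1):
            acc = acc + F(h) ** k / factorial(k) * c_start[k][i]
        acc = acc + F(h) ** (order + 1) / factorial(order + 1) * c_box[order + 1][i]
        enc.append(acc)
    return enc, B, h


def enclose(A, b, X0, h, order, steps):
    """Chain steps: each enclosure is the next start box (axis-aligned boxes,
    so the wrapping effect accumulates). Returns [(t, box), ...]."""
    t, boxes = F(0), [(F(0), X0)]
    for _ in range(steps):
        enc, _, used = taylor_step(A, b, boxes[-1][1], h, order)
        t += used
        boxes.append((t, enc))
    return boxes


# The slide's example: dx/dt = -x + 3, dy/dt = x, x0 = [2, 4], y0 = [1, 1].
A_EX, B_EX = [[-1, 0], [1, 0]], [3, 0]
X0_EX = [Interval(2, 4), Interval(1, 1)]

if __name__ == "__main__":
    enc, box, h = taylor_step(A_EX, B_EX, X0_EX, F(1, 10), 4)
    print("bounding box:", box, " enclosure at t0 + h:", enc)
    for t, bx in enclose(A_EX, B_EX, X0_EX, F(1, 10), 4, 10):
        print("t = %.1f" % float(t), bx)
```

For the step h = 1/10 the bounding box is found after two inflations; the resulting enclosure is noticeably tighter than the bounding box and contains the exact solutions 3 + (x0 − 3)e^(−t) and y0 + 3t + (x0 − 3)(1 − e^(−t)) of both corner points. Chaining the steps shows the dependency problem the later slides address: the boxes keep growing although the ODE is contracting.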

Example II: Stable Oscillator

dx dt = y, dy dt = −x, x0 = [10, 12], y0 = [−1, 0]

[Figure: enclosure boxes of x and y over t ∈ [0.5, 5]; the boxes grow from about [10, 12] × [−1, 0] to widths of tens of units]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 53 / 85

Wrapping Effect

dx dt = y, dy dt = −x, x0 = [10, 12], y0 = [−1, 0]

[Figure: enclosure boxes in the x–y plane at t0, t1, t2, showing the wrapping effect: each axis-aligned box must cover the rotated image of its predecessor]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 54 / 85

slide-30
SLIDE 30

Fight Wrapping Effect

Lohner, Stauning, . . . : use coordinate transformation

[Figure: an axis-aligned box x ∈ [a, b], y ∈ [c, d] versus a box p ∈ [r, s], q ∈ [t, u] in rotated coordinates that fits the enclosed set more tightly]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 55 / 85

Stable Oscillator

dx/dt = y, dy/dt = −x, x0 = [10, 12], y0 = [−1, 0]

[Figure: enclosures in the x–y plane at t = 0, t = 0.286473, t = 0.593339, t = 0.900205, t = 1.20707 and t = 6.00748]

[Figure: enclosures in x–y–t space for t ∈ [0, 10] and t ∈ [190, 200]]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 56 / 85

slide-31
SLIDE 31

Damped Oscillator

dx dt = y − 0.8 · x, dy dt = −x + 0.3 · y, x0 = [10, 15], y0 = [−2, 1]

[Figure: enclosures of x and y over t ∈ [0.5, 3.5]]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 57 / 85 [Moore, 1966], [Lohner, 1988], [Stauning, 1997]

Taylor-Series-Based Enclosures: Summary

Taylor expansion of exact solution:

x(t0 + h) = x(t0) + h¹/1! · dx/dt(t0) (Euler’s Method) + h²/2! · d²x/dt²(t0) + . . . + hⁿ/n! · dⁿx/dtⁿ(t0) + hⁿ⁺¹/(n + 1)! · dⁿ⁺¹x/dtⁿ⁺¹(t0 + θh) (Lagrange Remainder), with 0 < θ < 1

[Figure: enclosure boxes in the x–y plane]

  • First, calculate a rough a-priori enclosure (bounding box)
  • Second, compute a tighter enclosure with the Taylor series and enclose the remainder term over the a-priori enclosure
  • Use Automatic Differentiation to obtain Taylor terms
  • Compute a coordinate transformation to fight the wrapping effect

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 58 / 85

Use in ICP: Tighten Target Box

[Figure: enclosure in x–y–t space with the initial postbox, then the tightened postbox and TOI]

  • Given target box (including phase space and time)
  • Intersect target box with enclosure
  • Remove elements with empty intersection (narrows also the time-window of interest)

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 59 / 85

slide-32
SLIDE 32

Backward Propagation

  • Use temporally reversed ODEs
  • Use start box as target box and do normal forward propagation
  • Intersect resulting target box with original start box

Fwd. and bwd. propagation do
  • narrow the start box B and target box E — also iteratively!
  • narrow the time window for both B and E, thus give fresh meat to constraint propagation along adjacent parts of the transition sequence!

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 60 / 85

Summary: Taylor-Based Enclosure

  • Taylor-based numerical method with error enclosure
  • Tightly integrated with non-linear arithmetic constraint solving: provides an interval contractor, just like ICP

[Figure: start box B and target box E pruned to the connected parts B′ and E′]

  • temporally symmetric (fwd. and bwd. contraction), unlike traditional image computation
  • refutes trajectory bundles based on partial knowledge
  • First proof of concept implemented in 2008. [Eggers, Fränzle, Herde, ATVA 2008]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 61 / 85 [Nedialkov and Jackson, 1999], [Nedialkov, Jackson, and Pryce, 2001], [Nedialkov, 2006]

Beyond Taylor Series: VNODE-LP

  • Hermite-Obreschkoff method: generalization of Taylor series
  • VNODE-LP: Use High-Order Enclosure (HOE) to obtain a-priori enclosure of ODE
  • Use Interval Taylor Series (ITS) with coordinate transformation and QR-method as predictor
  • Use Interval Hermite-Obreschkoff (IHO) method as corrector
  • IHO allows larger stepsize than ITS (ITS becomes numerically unstable for smaller stepsizes than IHO)
  • Local error for nonlinear ODEs much lower for IHO than for ITS

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 62 / 85

slide-33
SLIDE 33

[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

VNODE-LP as an Enclosure Method in iSAT-ODE

  • VNODE-LP: safe interval enclosures for ODEs
  • Output: tight enclosures at end of step, a-priori enclosures covering the timespan in between
  • iSAT-ODE layer: re-evaluate extreme parts of enclosure with refined stepsize for tighter result → expensive

[Figure, built up over three frames: enclosures at (very tight) time intervals determined by VNODE-LP up to a given horizon; the a-priori enclosures between them; the given postbox, the boxes that finally intersect with the postbox, and the selectively tightened boxes]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85

Bracketing Systems: Rationale

  • Direct VNODE-LP enclosures tend to diverge quickly for large initial domains
  • Point-wise (or small interval) reasoning thus preferable, if applicable
  • A natural idea is to follow extremal trajectories:
    Problem 1: Number of spanning nodes exponential in system dimension.
    Problem 2: Reachable set need not be spanned by trajectories originating in extremal points.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 64 / 85 [Müller, 1927]

Bracketing Systems: Essence of Müller’s Theorem

[Figure: bounding box in the x–y plane with the bracketing trajectories x−, x+, y−, y+ around the solution x, y]

dx/dt = f(x, y), dy/dt = g(x, y)

If, e.g., f is monotonic in x and antitonic in y within the bounding box, and g is monotonic in x and y within the bounding box, then [x−(t), x+(t)] × [y−(t), y+(t)] yields an enclosure for (x(t), y(t)) if x−, . . . , y+ are solutions to

dx−/dt = f(x−, y+), dy−/dt = g(x−, y−)
dx+/dt = f(x+, y−), dy+/dt = g(x+, y+)

with initial values x−(0) ≤ x(0) ≤ x+(0), y−(0) ≤ y(0) ≤ y+(0).

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 65 / 85 [Ramdani, Meslem, and Candau, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Bracketing Systems

  • Direct VNODE-LP enclosures may diverge quickly for large initial domains
  • Evaluate signs of partial derivatives of ODE’s right-hand side over current enclosure
  • If all relevant entries are each strictly positive / negative, proceed
  • Using Müller’s theorem, generate a bracketing system: replace original variables by upper and lower bracketing variables depending on signs in Jacobian [Müller, 1927]
  • Enclose bracketing system using VNODE-LP: twice the dimensionality but point-valued initial conditions
  • Re-evaluate Jacobian, check validity of signs (a-posteriori validation)

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 66 / 85
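The construction of Müller's theorem and the bracketing-system steps above, applied to the stable oscillator used later on this page. This is an added example for the tutorial, not code from iSAT-ODE or the authors: the Jacobian sign pattern is supplied by hand (the solver would evaluate it over the current enclosure with interval arithmetic and re-check it afterwards), and the point-valued bracketing system is integrated with plain RK4, so the example shows the construction and its over-approximation, not a validated enclosure.

```python
"""Bracketing system after Müller's theorem.

Added example, not code from iSAT-ODE or the authors. Jacobian signs are
given by hand; integration is plain RK4 (assumptions, see the lead-in).
"""


def bracketing_rhs(f, signs):
    """Right-hand side of the 2n-dimensional bracketing system.

    f maps a state list to its n derivatives; signs[i][j] is the sign (+1/-1)
    of d f_i / d x_j over the region of interest, with +1 standing in for a
    zero entry. State layout: z = lower bounds (n) followed by upper bounds (n)."""
    n = len(signs)

    def rhs(z):
        lo, up = z[:n], z[n:]
        out = [0.0] * (2 * n)
        for i in range(n):
            # Lower bound of x_i: partners with d f_i / d x_j >= 0 contribute their
            # lower bound, antitone partners their upper bound; the upper bound of
            # x_i uses the mirrored choice. x_i itself always takes its own bound.
            arg_lo = [lo[j] if j == i or signs[i][j] >= 0 else up[j] for j in range(n)]
            arg_up = [up[j] if j == i or signs[i][j] >= 0 else lo[j] for j in range(n)]
            out[i] = f(arg_lo)[i]
            out[n + i] = f(arg_up)[i]
        return out

    return rhs


def rk4(rhs, z0, h, steps):
    """Classical fourth-order Runge-Kutta; returns the list of states."""
    z, traj = list(z0), [list(z0)]
    for _ in range(steps):
        k1 = rhs(z)
        k2 = rhs([zi + h / 2 * ki for zi, ki in zip(z, k1)])
        k3 = rhs([zi + h / 2 * ki for zi, ki in zip(z, k2)])
        k4 = rhs([zi + h * ki for zi, ki in zip(z, k3)])
        z = [zi + h / 6 * (a + 2 * b + 2 * c + d)
             for zi, a, b, c, d in zip(z, k1, k2, k3, k4)]
        traj.append(z)
    return traj


def oscillator(s):
    """dx/dt = y, dy/dt = -x (the slides' stable oscillator)."""
    return [s[1], -s[0]]


# Jacobian of the oscillator: d f1/d y = 1 > 0, d f2/d x = -1 < 0, zeros as +1.
OSC_SIGNS = [[1, 1], [-1, 1]]


def bracket(f, signs, box, h, steps):
    """Integrate the bracketing system from the point [lo_1..lo_n, hi_1..hi_n]."""
    z0 = [lo for lo, _ in box] + [hi for _, hi in box]
    return rk4(bracketing_rhs(f, signs), z0, h, steps)


def check_enclosure(f, signs, box, h, steps, samples, tol=1e-9):
    """Integrate sample start points with the same scheme and verify that each
    stays inside [lower, upper] at every step. Returns (ok, final_bracket)."""
    n = len(box)
    brk = bracket(f, signs, box, h, steps)
    ok = True
    for s0 in samples:
        for z, s in zip(brk, rk4(f, s0, h, steps)):
            if any(s[i] < z[i] - tol or s[i] > z[n + i] + tol for i in range(n)):
                ok = False
    return ok, brk[-1]


def demo():
    """Start box [1, 2] x [1, 2] from the slide, horizon 2 with step 0.01,
    checked against the corners, the centre and a few interior points."""
    box = [(1.0, 2.0), (1.0, 2.0)]
    samples = [[1, 1], [1, 2], [2, 1], [2, 2], [1.5, 1.5], [1.25, 1.75], [1.9, 1.1]]
    return check_enclosure(oscillator, OSC_SIGNS, box, 0.01, 200, samples)


if __name__ == "__main__":
    ok, final = demo()
    print("all samples enclosed:", ok)
    print("bracket at t = 2: x in [%.3f, %.3f], y in [%.3f, %.3f]"
          % (final[0], final[2], final[1], final[3]))
```

For this system the bracketing variables obey (x+ − x−)′ = y+ − y− and (y+ − y−)′ = x+ − x−, so the bracket width grows like e^t (about 7.39 at t = 2) while the true reachable set is only a rotated unit square. The enclosure is valid, but loose, which is exactly the "complementary strengths" observation on the comparison slides.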

Comparison: Direct vs. Bracketing

[Plot over t ∈ [0, 12]: dense trajectories, direct a-priori enclosure, direct enclosure, lower/upper bracketing a-priori enclosures and lower/upper bracketing enclosures of the x dimension]

x dimension of
  ẋ = −p4·x − p1·x/(1 + p2·y) + p3·y + 0.1
  ẏ = p4·x − p3·y
with x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p1 ∈ [0.8, 1], p2 ∈ [1.0, 1.2], p3 ∈ [0.3, 0.5], and p4 ∈ [0.20, 0.25].

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 67 / 85

slide-35
SLIDE 35

[Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Comparison: Direct vs. Bracketing

[Plot over t ∈ [0, 12]: dense trajectories, direct a-priori enclosure, direct enclosure, lower/upper bracketing a-priori enclosures and lower/upper bracketing enclosures of the x dimension]

x dimension of
  ẋ = y,
  ẏ = −x,
with x(0), y(0) ∈ [1, 2].

Complementary strengths

⇒ iSAT-ODE: Intersect both enclosures for tighter result.

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 68 / 85 [Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Learning ODE Deductions

  • ODE enclosures very expensive compared to simple interval constraint propagations
  • Preserve once-learnt facts from deletion during backjumps (similar to learning conflict clauses [Marques-Silva and Sakallah, 1996])
  • Learn deduced facts for all isomorphic instances (constraint replication [Shtrichman, 2000])

Two main ingredients:
  • iSAT core: learn new clauses during search (multiple at once, not necessarily conflicts, potentially introducing new variables to safely represent constants)
  • ODE layer: recognize enclosure requests that have already been answered (or can be subsumed under previously answered requests)

Additionally: store a limited number of VNODE’s intermediate results for reuse when a partial request is detected (e.g. compatible initial box but tighter delta_time range)

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 69 / 85

SAT Modulo ODE Solving the Case Study

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 70 / 85

Hybrid Systems – Example: Plant & Controller

[Block diagram: plant_dynamics with inputs omega_set and v_set and state x, y, alpha, v, omega; a controller invoked every_two_time_units with inputs trigger, alpha, xpos, ypos, x_target, y_target and outputs omega, v, alpha_target; sample target at (3, −5)]

  • continuous controller + plant dynamics
  • nonlinear computations
  • parallel composition
  • bang-bang control
  • time-triggered controller invocation
  • uncountably infinitely many target positions

Does this system work as specified?

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 71 / 85

slide-36
SLIDE 36

Predicative Encoding

−− A robot that is being given a target location to which it shall move. DECL define MAX_TIME = 100; −− Maximum global time. define MAX_STEP = 2; −− Maximum duration. float [0, MAX_TIME] time; −− Global time. float [0, MAX_STEP] delta_time; −− Step duration. float [−100, 100] x; −− Position, x coordinate . float [−100, 100] y; −− Position, y coordinate . float [−100, 100] delta_x; −− Position change by flow, x coordinate . float [−100, 100] delta_y; −− Position change by flow, y coordinate . float [−8, 8] alpha; −− Direction. float [−1, 1] omega; −− Angular velocity. float [−0.1, 0.1] omega_set; −− Angular velocity set point. float [−10, 10] v; −− Velocity. float [0, 0.4] v_set; −− Velocity set point . define P_v = 3; −− Proportional gain in analog velocity control . define P_omega = 1.6; −− Proportional gain in analog angular velocity ctrl . define PI_LB = 3.141592; −− Lower bound for PI. define PI_UB = 3.141593; −− Upper bound for PI. define PI_UB_HALF = 1.5708; −− Upper bound for 0.5 ∗ PI. float [−100, 100] x_target; −− Position of target , x coordinate . float [−100, 100] y_target; −− Position of target , y coordinate . float [0, 142] distance ; −− Distance to target. float [−100, 100] dx; −− Distance to target, x component. float [−100, 100] dy; −− Distance to target, y component. float [−1, 1] tmp_quot_dy_dist; −− Quotient dy / distance. −− Reduce nondeterminism in model by enforcing that alpha cannot be less and −− more than alpha_target at the same time and distance must be in one −− category (−−0.1−−−0.5−−−5−−). boole alpha_leq_alpha_target; boole alpha_geq_alpha_target; boole distance_geq_5; boole distance_geq_05; boole distance_geq_01; −− Result of asin(tmp_quot_dy_dist) is limited to standard branch used by −− ctrl’s asin implementation. float [−PI_UB_HALF, PI_UB_HALF] alpha_target_tmp; float [−8, 8] alpha_target; −− Direction to target . define CTRL_PI = 3.1415927; −− PI constant used by controller. 
-- Note that the real controller will be using such a fixed constant, i.e.
-- here it is not necessary to safely enclose PI by an interval when the
-- same calculations are performed as done by the controller (which we
-- assume here).
boole flow;

INIT
time = 0;
x = 0;
y = 0;
alpha = 0;
omega = 0;
v = 0;
-- Target position.
-- OPEN: Looking for a target position that cannot be reached within given
-- number of steps.
x_target >= 6;
x_target <= 10;
y_target >= -4;
y_target <= 4;
-- Initial Controller run.
dy = y_target - y;
dx = x_target - x;
distance = nrt(dx^2 + dy^2, 2);
-- tmp_quot_dy_dist = dy / distance.
distance * tmp_quot_dy_dist = dy;
sin(alpha_target_tmp) = tmp_quot_dy_dist;
-- Adding a redundant encoding to reduce search effort induced by
-- iSAT's lack of an inverse sine propagation.
(tmp_quot_dy_dist >= -1 and tmp_quot_dy_dist <= -0.64) -> (
    alpha_target_tmp >= 3 * (tmp_quot_dy_dist + 0.5) - 0.3 and
    alpha_target_tmp <= 2.29 * tmp_quot_dy_dist + 0.991);
(tmp_quot_dy_dist >= -0.64 and tmp_quot_dy_dist <= 0.64) -> (
    alpha_target_tmp >= tmp_quot_dy_dist + 0.16 * (tmp_quot_dy_dist^3) - 0.05 and
    alpha_target_tmp <= tmp_quot_dy_dist + 0.16 * (tmp_quot_dy_dist^3) + 0.05);
(tmp_quot_dy_dist >= 0.64 and tmp_quot_dy_dist <= 1) -> (
    alpha_target_tmp >= 2.29 * tmp_quot_dy_dist - 1 and
    alpha_target_tmp <= 3 * (tmp_quot_dy_dist + 0.5) - 2.65);
alpha_target_tmp >= -1.570797;
alpha_target_tmp <= 1.570797;
-- End of redundant encoding for asin.
dx >= 0 -> alpha_target = alpha_target_tmp;
dx < 0 -> alpha_target = CTRL_PI - alpha_target_tmp;
alpha_leq_alpha_target <-> alpha <= alpha_target;
alpha_geq_alpha_target <-> alpha >= alpha_target;
alpha_leq_alpha_target and !alpha_geq_alpha_target -> omega_set = 0.1;
!alpha_leq_alpha_target and alpha_geq_alpha_target -> omega_set = -0.1;
alpha_leq_alpha_target and alpha_geq_alpha_target -> omega_set = 0;
distance_geq_5 <-> distance >= 5;
distance_geq_05 <-> distance >= 0.5;
distance_geq_01 <-> distance >= 0.1;
distance_geq_5 -> v_set = 0.4;
distance_geq_05 and !distance_geq_5 -> v_set = 0.2;
distance_geq_01 and !distance_geq_05 -> v_set = 0.1;
!distance_geq_01 -> v_set = 0;
flow;

TRANS
!flow' <-> flow;
time' = time + delta_time;
-- System dynamics including analog controller feedback for velocities.
-- Since the actual movement is independent from the absolute position,
-- we use relative positions instead and benefit from better caching.
flow -> x' = x + delta_x';   -- Add relative movement to absolute position.
flow -> y' = y + delta_y';
flow -> delta_x = 0;         -- Start relative movement in (0,0).
flow -> delta_y = 0;
flow -> (d.delta_x / d.time = v * cos(alpha));
flow -> (d.delta_y / d.time = v * sin(alpha));
flow -> (d.alpha / d.time = omega);
flow -> (d.v / d.time = P_v * (v_set - v));
flow -> (d.v_set / d.time = 0);
flow -> (d.omega / d.time = P_omega * (omega_set - omega));
flow -> (d.omega_set / d.time = 0);
flow -> delta_time = 2;
-- Target stays constant.
x_target' = x_target;
y_target' = y_target;
!flow -> delta_time = 0;
!flow -> x' = x and y' = y and alpha' = alpha and v' = v and omega' = omega;
-- Controller calculates the current direction to target location at every
-- step.
dy' = y_target' - y';
dx' = x_target' - x';
distance' = nrt(dx'^2 + dy'^2, 2);
-- tmp_quot_dy_dist' = dy' / distance'.
distance' * tmp_quot_dy_dist' = dy';
sin(alpha_target_tmp') = tmp_quot_dy_dist';
-- Adding a redundant encoding to reduce search effort induced by
-- iSAT's lack of an inverse sine propagation.
(tmp_quot_dy_dist' >= -1 and tmp_quot_dy_dist' <= -0.64) -> (
    alpha_target_tmp' >= 3 * (tmp_quot_dy_dist' + 0.5) - 0.3 and
    alpha_target_tmp' <= 2.29 * tmp_quot_dy_dist' + 0.991);
(tmp_quot_dy_dist' >= -0.64 and tmp_quot_dy_dist' <= 0.64) -> (
    alpha_target_tmp' >= tmp_quot_dy_dist' + 0.16 * (tmp_quot_dy_dist'^3) - 0.05 and
    alpha_target_tmp' <= tmp_quot_dy_dist' + 0.16 * (tmp_quot_dy_dist'^3) + 0.05);
(tmp_quot_dy_dist' >= 0.64 and tmp_quot_dy_dist' <= 1) -> (
    alpha_target_tmp' >= 2.29 * tmp_quot_dy_dist' - 1 and
    alpha_target_tmp' <= 3 * (tmp_quot_dy_dist' + 0.5) - 2.65);
alpha_target_tmp' >= -1.570797;
alpha_target_tmp' <= 1.570797;
-- End of redundant encoding for asin.
dx' >= 0 -> alpha_target' = alpha_target_tmp';
dx' < 0 -> alpha_target' = CTRL_PI - alpha_target_tmp';
-- The discrete controller can set new omega_set and new v_set every step.
-- Would need to adjust this if BMC steps and controller steps became
-- separated.
alpha_leq_alpha_target' <-> alpha' <= alpha_target';
alpha_geq_alpha_target' <-> alpha' >= alpha_target';
!flow and alpha_leq_alpha_target' and !alpha_geq_alpha_target' -> omega_set' = 0.1;
!flow and !alpha_leq_alpha_target' and alpha_geq_alpha_target' -> omega_set' = -0.1;
!flow and alpha_leq_alpha_target' and alpha_geq_alpha_target' -> omega_set' = 0;
distance_geq_5' <-> distance' >= 5;
distance_geq_05' <-> distance' >= 0.5;
distance_geq_01' <-> distance' >= 0.1;
!flow and distance_geq_5' -> v_set' = 0.4;
!flow and distance_geq_05' and !distance_geq_5' -> v_set' = 0.2;
!flow and distance_geq_01' and !distance_geq_05' -> v_set' = 0.1;
!flow and !distance_geq_01' -> v_set' = 0;

TARGET
distance > 0.1;
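The redundant asin encoding above only helps if its three piecewise bounds really enclose asin on their pieces; otherwise it would prune genuine solutions and the BMC result could no longer be trusted. The following added check (not part of the slides' model or of iSAT) samples q = tmp_quot_dy_dist over [-1, 1], reports whether the true asin value ever escapes the encoded enclosure, and returns the widest enclosure as a measure of how much pruning the redundancy can deliver; the function names are this example's own.

```python
import math

# Piecewise bounds the model asserts for alpha_target_tmp = asin(q) with
# q = tmp_quot_dy_dist, copied from the iSAT model above: (lo_q, hi_q, lower, upper).
ASIN_BOUNDS = [
    (-1.0, -0.64, lambda q: 3 * (q + 0.5) - 0.3, lambda q: 2.29 * q + 0.991),
    (-0.64, 0.64, lambda q: q + 0.16 * q**3 - 0.05, lambda q: q + 0.16 * q**3 + 0.05),
    (0.64, 1.0, lambda q: 2.29 * q - 1, lambda q: 3 * (q + 0.5) - 2.65),
]
GLOBAL_LO, GLOBAL_HI = -1.570797, 1.570797   # the global bound from the model

def enclosure(q):
    """Interval for asin(q) implied by the redundant encoding: the intersection of
    every applicable piece with the global bound, mirroring what interval
    constraint propagation deduces once q is known."""
    lo, hi = GLOBAL_LO, GLOBAL_HI
    for lo_q, hi_q, lower, upper in ASIN_BOUNDS:
        if lo_q <= q <= hi_q:                 # implication guard holds at this q
            lo, hi = max(lo, lower(q)), min(hi, upper(q))
    return lo, hi

def check_soundness(n=200001):
    """Sample q over [-1, 1]; return (sound, max_width). sound is False if the
    true asin value ever falls outside the encoded enclosure, i.e. if the
    redundant encoding could prune real solutions."""
    sound, max_width = True, 0.0
    for i in range(n):
        q = -1.0 + 2.0 * i / (n - 1)
        lo, hi = enclosure(q)
        if not (lo <= math.asin(q) <= hi):
            sound = False
        max_width = max(max_width, hi - lo)
    return sound, max_width
```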


Predicative Encoding – Continuous Dynamics

[Block diagram: robot motion (integrators 1/s for alpha, v_x, v_y, x, y, v, omega) driven by continuous-time proportional control with P_v = 3 and P_omega = 1.6 acting on the set points v_set and omega_set]

time' = time + delta_time;
-- System dynamics including analog controller feedback for velocities.
-- Since the actual movement is independent from the absolute position,
-- we use relative positions instead and benefit from better caching.
flow -> x' = x + delta_x';   -- Add relative movement to absolute position.
flow -> y' = y + delta_y';
flow -> delta_x = 0;         -- Start relative movement in (0,0).
flow -> delta_y = 0;
flow -> (d.delta_x / d.time = v * cos(alpha));
flow -> (d.delta_y / d.time = v * sin(alpha));
flow -> (d.alpha / d.time = omega);
flow -> (d.v / d.time = P_v * (v_set - v));
flow -> (d.v_set / d.time = 0);
flow -> (d.omega / d.time = P_omega * (omega_set - omega));
flow -> (d.omega_set / d.time = 0);
flow -> delta_time = 2;

Predicative Encoding – Discrete Controller

[Statechart of the discrete controller with two parallel regions:
  rotation: [alpha > alpha_target] / omega = -0.1; [alpha == alpha_target] / omega = 0; [alpha < alpha_target] / omega = 0.1
  speed: / v = 0.4; [dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2; [dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1; [dist_to_target < 0.1] / v = 0]

alpha_leq_alpha_target' <-> alpha' <= alpha_target';
alpha_geq_alpha_target' <-> alpha' >= alpha_target';
!flow and alpha_leq_alpha_target' and !alpha_geq_alpha_target' -> omega_set' = 0.1;
!flow and !alpha_leq_alpha_target' and alpha_geq_alpha_target' -> omega_set' = -0.1;
!flow and alpha_leq_alpha_target' and alpha_geq_alpha_target' -> omega_set' = 0;
distance_geq_5' <-> distance' >= 5;
distance_geq_05' <-> distance' >= 0.5;
distance_geq_01' <-> distance' >= 0.1;
!flow and distance_geq_5' -> v_set' = 0.4;
!flow and distance_geq_05' and !distance_geq_5' -> v_set' = 0.2;
!flow and distance_geq_01' and !distance_geq_05' -> v_set' = 0.1;
!flow and !distance_geq_01' -> v_set' = 0;

Predicative Encoding – Proof Obligation

E.g., looking for a target position that cannot be reached within given number of steps:

INIT
...
-- Target position.
-- OPEN: Looking for a target position that cannot be reached within given
-- number of steps.
x_target >= 6;
x_target <= 10;
y_target >= -4;
y_target <= 4;
...
TARGET
distance > 0.1;

Note: Target position not determined!


slide-37
SLIDE 37

Candidate Solution Box from iSAT-ODE

Extracting (x, y)-trace from candidate solution box.

[Plot of the (x, y)-trace extracted from the candidate solution box, x from 1 to 8 and y from 0.5 to 3; data file robot_motion_14.hys_out_prabs1e-6_k42_wilkinson_defs_plot_0.plot_data]

BMC unwinding depth 42, runtime 2966 s (2.4 GHz AMD Opteron)

Valuation for x_target: (6.6888899, 6.68907593], y_target: [1.53229439, 1.53235116). Robot reaches target but moves on.


Candidate Solution from iSAT-ODE – Distance

[Plot over BMC steps 0 to 40: distance, dx and dy (range 2 to 10), together with the Boolean variables distance_geq_01, distance_geq_05, distance_geq_5, alpha_leq_alpha_target and alpha_geq_alpha_target]


Candidate Solution from iSAT-ODE – Velocity

[Plot over BMC steps 0 to 40: velocity v and set point v_set, range 0.05 to 0.4]

  • v = 0! Target speed is set to zero. Robot decelerates but reaches only speed [0.00024766, 0.0002485] in step 32.
  • Robot passes nearby target location but not close enough to enforce robot standstill.
  • Controller not built with a sink state for keeping target velocity at 0.
  • Robot accelerates again and final distance is ≥ 0.1.

Candidate Solution from iSAT-ODE – Result

[Plot over BMC steps 0 to 40: velocity v and set point v_set, range 0.05 to 0.4]

  • v = 0! Target speed is set to zero. Robot decelerates but reaches only speed [0.00024766, 0.0002485] in step 32.
    → P-controller might be too weak
  • Robot passes nearby target location but not close enough to enforce robot standstill.
  • Controller not built with a sink state for keeping target velocity at 0.
    → Should keep target speed at 0
  • Robot accelerates again and final distance is ≥ 0.1.
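To make the failure mode concrete, an added simulation (not from the slides or from iSAT-ODE) of the model's dynamics under the same controller rules, run on a constructed scenario: the robot arrives at cruise speed 0.1 heading along +x with the target 0.09 behind it, i.e. already inside the 0.1 standstill band. `latch=True` adds the proposed sink state. The function names, the RK4 integration and the simplified step semantics (controller decides, then one flow of delta_time = 2) are assumptions of this example.

```python
import math

P_V, P_OMEGA, DELTA_TIME = 3.0, 1.6, 2.0   # gains and step length from the model

def rhs(s, v_set, omega_set):
    # s = (x, y, alpha, v, omega): the flow predicates of the model as an ODE
    x, y, alpha, v, omega = s
    return (v * math.cos(alpha), v * math.sin(alpha), omega,
            P_V * (v_set - v), P_OMEGA * (omega_set - omega))

def flow(s, v_set, omega_set, h=1e-3):
    """One flow step of length delta_time = 2, integrated with classical RK4
    (assumption of this example; iSAT-ODE uses validated enclosures instead)."""
    for _ in range(int(round(DELTA_TIME / h))):
        k1 = rhs(s, v_set, omega_set)
        k2 = rhs(tuple(a + h / 2 * b for a, b in zip(s, k1)), v_set, omega_set)
        k3 = rhs(tuple(a + h / 2 * b for a, b in zip(s, k2)), v_set, omega_set)
        k4 = rhs(tuple(a + h * b for a, b in zip(s, k3)), v_set, omega_set)
        s = tuple(a + h / 6 * (b + 2 * c + 2 * d + e)
                  for a, b, c, d, e in zip(s, k1, k2, k3, k4))
    return s

def controller(s, target):
    """Discrete controller of the slides: omega_set from the heading error,
    v_set from the distance bands 5 / 0.5 / 0.1; also returns the distance."""
    x, y, alpha, _, _ = s
    dx, dy = target[0] - x, target[1] - y
    dist = math.hypot(dx, dy)
    a = math.asin(dy / dist) if dist > 0 else 0.0
    alpha_target = a if dx >= 0 else math.pi - a       # CTRL_PI - asin(...)
    omega_set = 0.1 if alpha < alpha_target else -0.1 if alpha > alpha_target else 0.0
    v_set = 0.4 if dist >= 5 else 0.2 if dist >= 0.5 else 0.1 if dist >= 0.1 else 0.0
    return v_set, omega_set, dist

def run(target, steps, s=(0.0, 0.0, 0.0, 0.1, 0.0), latch=False):
    """Alternate controller decision and flow step. With latch=True, v_set stays 0
    once it has been set to 0 (the missing sink state). Returns (state, distance)."""
    stopped = False
    for _ in range(steps):
        v_set, omega_set, _ = controller(s, target)
        stopped = stopped or v_set == 0.0
        if latch and stopped:
            v_set = 0.0
        s = flow(s, v_set, omega_set)
    return s, controller(s, target)[2]
```

In this scenario the first step reproduces the slide's velocity of about 0.1·e^(-6) ≈ 0.000248, the robot drifts to about 0.123 from the target, and the original controller then sets v_set back to 0.1 and accelerates again. The latched controller comes to a standstill, but at about 0.123 from the target, so keeping the set speed at 0 alone does not discharge the `distance > 0.1` obligation.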

slide-38
SLIDE 38

Simulated Error Trajectory for Candidate Solution


Simulated Error Trajectory – Continued



Conclusion

Problem: Direct handling of constraints involving
  • arbitrary Boolean combinations of literals, linear, polynomial, and transcendental (in-)equations over the reals,
  • (potentially non-linear) ODE constraints interpreted as pre-post-relations, as arising in predicative encodings of analysis problems of non-linear hybrid systems.

Approach: Build a tight integration of
  • conflict-driven clause learning (CDCL) SAT solving,
  • interval constraint propagation,
  • interval-based enclosures of sets of initial-value problems wrt. an ODE.


slide-39
SLIDE 39

Related Approaches I

  • Hybridization techniques allowing nonlinear ODEs to be handled by linear ODE methods or even by methods covering piecewise constant ODEs only, e.g. LinSAT (cf., e.g., [Asarin, Dang, and Girard, 2007])
  • Constraint Logic Programming (Functions), CLP(F) [Hickey and Wittenberg, 2004]
      • Arithmetic and analytic relations between real and function variables
      • Function-type variables constrained by derivative constraints
      • Derivative constraints solved by interval constraint propagation exploiting overapproximating Taylor series
      • But: not fighting the wrapping effect
        ⇒ Excessive growth of enclosures


Related Approaches II

  • ODE enclosures embedded into Constraint Programming Framework [Goldsztejn, Mullier, Eveillard, and Hosobe, 2010]
      • Branch and prune algorithm for conjunctive systems
      • Interval Newton for pruning and existence proofs
      • Using CAPD library (“optimized for small initial conditions”)
        ⇒ “very sharp enclosures of solutions, but poorer performances for exploring large domains”
  • hydlogic: Classic SMT with VNODE-LP and Interval Newton [Ishii, Ueda, and Hosobe, 2011]
      • SAT solver enumerating abstract trajectories
      • Constraint Solving (Elisa + VNODE-LP)
      • Learning; Interval Newton to prove existence of trajectories
        ⇒ Different approach using classical DPLL(T) integration scheme


Thanks

to Andreas Eggers, Nacim Ramdani, and Ned Nedialkov for the joint development of iSAT(ODE),

to the many collaborators in the development of iSAT, in particular

  • C. Herde, T. Teige (both Oldenburg),
  • S. Kupferschmid, K. Scheibler, T. Schubert, B. Becker (Freiburg),
  • S. Ratschan (Prague)

within the DFG-funded Transregional Research Center 14 “AVACS” (Automatic Analysis and Verification of Complex Systems),

and to Andreas Eggers, Christian Herde, and Tino Teige for contributing many slides.
