SAT Modulo Ordinary Differential Equations Want to impress your ...

SAT Modulo Ordinary Differential EquationsAn Analysis Method for Hybrid Systems

Martin Fränzle1

with slides, LATEX souce, etc., by

Andreas Eggers1 · Christian Herde1

Nacim Ramdani2 · Nedialko S. Nedialkov3

SFB/TR 14 AVACS

1 Carl von Ossietzky Universität · Oldenburg, Germany2 Université d’Orléans · PRISME · Bourges, France3 McMaster University · Hamilton, Ontario, Canada

Want to impress your boy friend / girl friend?

[YouTube video]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 2 / 85

Want to impress your boy friend / girl friend?

[www.popsci.com]

That’s why we build hybrid systems!

What is a hybrid system?

Hybrid (from Greece) means arrogant,presumptuous.

After H. Menge: Griechisch/Deutsch,Langenscheidt 1984

Hybrid (from Greece) means arrogant,presumptuous.

After H. Menge: Griechisch/Deutsch,Langenscheidt 1984

Hybrid stems from Latin hybrida ’off-spring of a tame sow and wild boar,child of a freeman and slave, etc.’

From the Compact Oxford EnglishDictionary, 2008

Hybrid Systems

ControlAnalogswitch

Continuouscontrollers

Discretesupervisor

observablestate

environmental

influence

disturbances ("noise")

control

selection

setpoints

active control law

setpointspart ofobservablestate

task selection

Hybrid Systems

Loads of

continuous

computations

interleaved

with discrete

decisions

ControlAnalogswitch

Continuouscontrollers

Discretesupervisor

observablestate

environmental

influence

disturbances ("noise")

control

selection

setpoints

active control law

setpointspart ofobservablestate

task selection

Hybrid systems

are ensembles of interacting discrete and continuous subsystems:� Technical systems:

� physical plant + multi-modal control� physical plant + embedded digital system� mixed-signal circuits� multi-objective scheduling problems (computers / distrib. energy

management / traffic management / ...)

� Biological systems:� Delta-Notch signaling in cell differentiation� Blood clotting� ...

� Economy:� cash/good flows + decisions� ...

� Medicine/health/epidemiology:� infectious diseases + vaccination strategies� ...

Hybrid Systems

The Formal Model

A Formal Model: Hybrid Automata

ball is moving down

ball is moving up

vertical position of the ball

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

ball is moving down

ball is moving up

velocity

0 5 10 15 20

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /

y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

State and Dimension Explosion

Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...

Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...

Size-dependent dynamics� Latency in ctrl. loop depends on number

of cars due to communication subsystem.� Coupled dynamics yields long hidden

channels chaining signal transducers.

State and Dimension Explosion

Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...

Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...

Size-dependent dynamics� Latency in ctrl. loop depends on number

of cars due to communication subsystem.� Coupled dynamics yields long hidden

channels chaining signal transducers.

⇒ Need a scalable approach⇒ Let’s try to achieve this through SAT/SMT-based methods.

Hybrid Control — A Case Study

(x, y)

vsatellite position

target position

ω =•

P_omega

robot motioncontinuous−time

proportional control

omega_set

alpha_target

controller

alpha_target

dist_to_target

y_target

x_target

trigger1

distance

time−triggered controller

alpha_target

−1 −0.5 0 0.5 1−1.5

−0.5

asin(x)

(x, y)

(xT , yT )

π − α′

α′T = sin−1( yT−y√(xT−x)2+(yT−y)2

rotation1

speed 2

[alpha > alpha_target] / omega = − 0.1;2

[alpha == alpha_target] / omega = 0;

[alpha < alpha_target] / omega = 0.1;

[alpha > alpha_target] / omega = − 0.1;

/v=0.4;

[dist_to_target < 0.1] / v = 0;

[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;

[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;

rotation1

/v=0.4;

[dist_to_target > 0.5 && dist_to_target <

[dist_to_target >

1 speed 2

/v=0.4;

plant_dynamics

omega_set

every_two_time_units

controller

trigger

x_target

y_target

alpha_target

plant_dynamics

omega_set

controller

trigger

x_target

y_target

alpha_target

continuous controller + plant dynamics

nonlinear computations

parallel composition

bang−bang control

time−triggered controller invocation

uncountably infinitely many target positions

plant_dynamics

omega_set

controller

trigger

x_target

y_target

alpha_target

bang−bang control

Does this system work as specified?

Simulated Trajectory Reaching Target

Multiple Simulated Trajectories Reaching Targets

CDCL + Interval Constraint Propagation

An engine for Bounded Model Checkingof non-linear discrete-time HA

Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (1)

Given:

xn+1xn

xn+1 = f(xn, in)on = g(xn, in)

Nonlinear discrete-time hybriddynamical system

x — state vectori — input vectoro — output vectorf — next-state functiong — output function

f, g potentially nonlinear.

Check whether some unsafe state is reachable within k steps of thesystem

Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (2)

Method:� Construct formula that is satisfiable if error trace of length k exists

� Formula is a k–fold unrolling of the transition relation, concatenated witha characterization of the initial state(s) and the (unsafe) state to bereached

i0 i1 i2o0 o1 o2

x1 = f(x0, i0)o0 = g(x0, i0)

x2 = f(x1, i1)o1 = g(x1, i1)

x3 = f(x2, i2)o2 = g(x2, i2)

x0 x3x1 x2

I(x0) P (x3)

� Use appropriate procedure to “decide” satisfiability of the formula

Needed:

Solvers for large, non-linear arithmetic formulae with a rich Booleanstructure

Bounded Model Checking with HySAT / iSAT

There’s no sequence of

input values such that

3.14 ≤ x ≤ 3.15

Safety property:

boole b;

float [0.0, 1000.0] x;

– Characterization of initial state.

x = 2.0;

– Transition relation.

b -> x’ = xˆ2 + 1;

!b -> x’ = nrt(x, 3);

TARGET

– State(s) to be reached.

x >= 3.14 and x <= 3.15;

SOLUTION:

b (boole):

@0: [0, 0]

@1: [1, 1]

@2: [1, 1]

@3: [0, 0]

@4: [1, 1]

@5: [1, 1]

@6: [0, 0]

@7: [1, 1]

@8: [0, 0]

@9: [1, 1]

@10: [1, 1]

@11: [0, 0]

x (float):

@0: [2, 2]

@1: [1.25992, 1.25992]

@2: [2.5874, 2.5874]

@3: [7.69464, 7.69464]

@4: [1.97422, 1.97422]

@5: [4.89756, 4.89756]

@6: [24.9861, 24.9861]

@7: [2.92347, 2.92347]

@8: [9.5467, 9.5467]

@9: [2.12138, 2.12138]

@10: [5.50024, 5.50024]

@11: [31.2526, 31.2526]

@12: [3.14989, 3.14989]

x := x2 + 1b/

¬b/x := 3

x := 2

The Task

Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape

(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .

∧ (dxdt

= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .

The Task

Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape

(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .

∧ (dxdt

= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .

Most conventional solvers� do either address much smaller fragments of arithmetic

� decidable theories: no transcendental fct.s, no ODEs

� or tackle only small formulae� some dozens of Boolean connectives.

Interval Arithmetic

� an ancient mathematical technique, already used by Archimedes,

� systematized by Rosalind Cecily Young in the 1930s [Young, 1931]

� brought to computing by Paul Dwyer [ Dwaer, 1951], MieczyslawWarmus [Warmus, 1956, Teruo Sunaga [Sunaga, 1958], and RamonE. Moore [Moore, 1966] in the 1950s

� is an approach to putting safe bounds on computational results,irrespective of� rounding errors during computations,� inaccuracies in measurements of entities entering the computation,� uncertain parameters.

� when applied to an expression over the reals, it yields a set-valuedresult, namely an interval over the reals, which is guaranteed tocontain the exact value of the expression.

� can be used for efficiently computing a safe overapproximation (i.e.,a superset) of the image f(X) of a set X ⊆ R

n under a functionf : Rn → R

Interval Arithmetic

For non-empty argument intervals [a, b] ∈ II \ {∅} and [c, d] ∈ II \ {∅}, define

[a, b]⊢⊣

+ [c, d] = [a←

+ c, b→

[a, b]⊢⊣

− [c, d] = [a←

− d, b→

− c]

[a, b]⊢⊣· [c, d] = [min(a

←· c, a

←· d, b

←· c, b

←· d),max(a

→· c, a

→· d, b

→· c, b

→· d)]

⊢⊣

sin [a, b] =

[min(←

sin a,←

sin b),max(→

sin a,→

sin b)] iff (2n + 1

2)π 6∈ [a, b] and

(2m− 1

2)π 6∈ [a, b],

[min(←

sin a,←

sin b), 1], iff (2n + 1

2)π ∈ [a, b] but

(2m− 1

2)π 6∈ [a, b],

[−1,max(→

sin a,→

sin b), 1], iff (2n + 1

2)π 6∈ [a, b] but

(2m− 1

2)π ∈ [a, b],

[−1, 1] iff (2n + 1

2)π ∈ [a, b] and

(2m− 1

2)π ∈ [a, b]

for any n,m ∈ Z.

�←· and

→· denote rounding down/up to computational reals,

� II denotes the set of intervals with representable bounds.

Interval Arithmetic: Example

� Assume fixed-point arithmetic with just 1 bit fractional part:representable numbers are of the form k

2for k ∈ Z

� Given x1 = [0, 0.5] and x2 = [0.5, 1], IA computes

⊢⊣

− x1

⊢⊣

⊢⊣· x2 = ([0, 0.5]

⊢⊣

− [0, 0.5])⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [0←

− 0.5, 0.5→

− 0]⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [−0.5, 0.5]⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [−0.5, 0.5]⊢⊣

+ [min(0.5←· 0.5, 0.5

←· 1, 1

←· 0.5, 1

←· 1),

max(0.5→· 0.5, 0.5

→· 1, 1

→· 0.5, 1

→· 1)]

= [−0.5, 0.5]⊢⊣

+ [min(0, 0.5, 0.5, 1),max(0.5, 0.5, 0.5, 1)]

= [−0.5, 0.5]⊢⊣

+ [0, 1]

= [−0.5←

+ 0, 0.5→

= [−0.5, 1.5]

⇒ the computed interval [−0.5, 1.5] covers the set of values{x1 − x1 + x2 · x2 | x1 ∈ [0, 0.5], x2 ∈ [0.5, 1]} = [0.25, 1],yet not tightly so. −→ rounding + dependency problem of IA

Interval Constraint Propagation (1) [Cleary, 1986]

� Complex constraints are rewritten to “triplets” (primitive constraints):

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

� “Forward” interval propagation yields justification for constraintsatisfaction:

x ∈ [−2, 2]∧ y ∈ [−2, 2]

[−2, 2]

[0, 4]

[−2, 6]

[−2, 2]

satisfied in box

h2 ≤ 6 is

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

� Interval propagation (fwd & bwd) yields witness for unsatisfiability:

[3, 4]

[9, 16]

[9, 19]

[0, 3]

unsat. in box

h2 ≤ 6 is

x ∈ [3, 4]

∧ y ∈ [0, 3]

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:

[−10, 10]

[0, 100]

[−10, 110]

[−10, 10]

∧ y ∈ [−10, 10]x ∈ [−10, 10]

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

[−4, 4]

[0, 16]

[−10, 6]

∧ y ∈ [−10, 10]x ∈ [−10, 10]

∧ y ∈ [−10, 6]x ∈ [−4, 4]

x2 + y ≤ 6

c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6

Constraint is not satisfied

by the contracted box!

[−4, 4]

[0, 16] [−10, 6]

∧ y ∈ [−10, 6]x ∈ [−4, 4]

[−10, 22]

(details & alternatives: see Benhamou in Handbook of Constraint Progr.)

y ∈ [0, 9]

y ∈ [0, 6]

y ∈ [−100, 100]

x ∈ [−100, 100]

x ∈ [−2.3, 2.3]

y ∈ [0, 100]

y ∈ [0, 20]

y ∈ [0, 5]

y ∈ [0, 4.6]

y ≤ 2·x

y = x2

x ∈ [−√

x ∈ [−2.5, 2.5]

x ∈ [−4.5, 4.5]

x ∈ [−√

20,√

x ∈ [−3, 3]

x ∈ [−10, 10]

Incompleteness of Interval Contraction

Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.

Thus, interval contraction provides a highly incomplete deductionsystem:

x ∈ [0,∞)∧ h =̂x · y∧ h > 5

=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)

=⇒ h ∈ (0,∞) 6=⇒ h > 5

Incompleteness of Interval Contraction

Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.

Thus, interval contraction provides a highly incomplete deductionsystem:

x ∈ [0,∞)∧ h =̂x · y∧ h > 5

=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)

=⇒ h ∈ (0,∞) 6=⇒ h > 5

enhance through branch-and-prune approach.

iSAT: Non-linear Arithmetic Constraint Solving

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

rewrite input formula into a conjunction of constraints:

⊲ n-ary disjunctions of bounds⊲ arithmetic constraints having at most one operation symbol

• Boolean variables are regarded as 0-1 integer variables.Allows identification of literals with bounds on Booleans:

≡ b ≥ 1b¬b ≡ b ≤ 0

• Float variables h1, h2, h3 are used for decompositionof complex constraint x2 − 2y ≥ 6.2.

• Use Tseitin-style (i.e. definitional) transformation to

a ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :DL 1:

c1a ≥ 1

b ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

c ≥ 1 d ≥ 1

d ≤ 0

b ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

d ≥ 1

d ≤ 0

c ≥ 1

a ≥ 1DL 1:

c9 c2 c4a ≥ 1 c ≤ 0 b ≤ 0 x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

DL 2: h2 ≤ −8

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≤ 3 h3 ≥ 6.2

h1 ≤ 9

h2 ≥ −2.8

x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

DL 2: h2 ≤ −8

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≤ 3 h3 ≥ 6.2

h1 ≤ 9

h2 ≥ −2.8

x ≥ −2

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

← conflict clause = symbolic description

of a rectangular region of the search space

which is excluded from future search

DL 2: h2 ≤ −8

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

h2 ≤ −8

h1 > 9

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

• Continue do split and deduce until either

⊲ solver is left with ‘sufficiently small’ portion of the

search space for which it cannot derive any contradiction

⊲ formula turns out to be UNSAT (unresolvable conflict)

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

Results can be verified by sorting to “single assignment form”.

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.

[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]

c9 c2 c4

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.

[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]

A DPLL(T)-based alternative, including LP solving, has beenimplemented by Gao et al.

[Gao, Ganai, Ivancic, Gupta, Sankaranarayanan, Clarke: FMCAD 2010]Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85

The Impact of Learning: Runtime

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

100000

0.001 0.01 0.1 1 10 100 1000

with learning [s]

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

Examples:BMC of� platoon control� bouncing ball� gingerbread map� oscillatory logistic map

Intersection of geometricbodies

Size:Up to 2400 variables,≫ 103 Boolean connec-tives.

[2.5 GHz AMD Opteron, 4 GByte physical memory, Linux]

CDCL + ICP + Numeric ODE Enclosure

An engine for Bounded Model Checkingof non-linear continuous-time HA

[Alur, Courcoubetis, Henzinger, and Ho, 1993]

Hybrid Automata – Semantics

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

A = (Vars,Modes, Init, Flow, Jump)

Init = {(m, Initm) | m ∈ Modes}

Flow = {(m,ODEm, Invarm) | m ∈ Modes}

Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}

Valuation σ : Vars→ R

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

!!!!!!

!!!!!!!!!

!!!!!!!!!!!!!!!!!!

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

height x

velocity v

x ≥ 0

v= −9.81

x = 10, v = 0

/v′ := −v

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

〈m0, σ0〉 |= Init

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump

[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]

Bounded Model Checking

ϑi ≤ 21

Heat off

Heat on

dϑi / d t = −0.1 · (ϑi − ϑo)

ϑi ≥ 19 ∨ c ≥ 0.04

d c / d t = −0.05 · c

d c / d t = 0.01− 0.05 · c

ϑi ≤ 19

c ≤ 0.04

ϑi ∈ [19, 25]

ϑi ∈ [15, 21]

ϑi ≥ 21

dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)

Bounded Model Checking (BMC):

Are there any trajectories leading from an inital to an unsafe state in k steps?

[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]

Bounded Model Checking and Constraint Solving

ϑi ≤ 21

Heat off

Heat on

dϑi / d t = −0.1 · (ϑi − ϑo)

ϑi ≥ 19 ∨ c ≥ 0.04

d c / d t = −0.05 · c

d c / d t = 0.01− 0.05 · c

ϑi ≤ 19

c ≤ 0.04

ϑi ∈ [19, 25]

ϑi ∈ [15, 21]

ϑi ≥ 21

dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)

init =−10 ≤ ϑo ≤ 20 ∧ c = 0

(19 ≤ ϑi ≤ 25 ∧ ¬on

∨ 15 ≤ ϑi ≤ 21 ∧ on

trans =( ¬on ∧ on′ ∧ ϑi ≤ 19 ∧ c ≤ 0.04∧ ϑ′

i = ϑi ∧ ϑ′

o = ϑo ∧ c′ = c)∨ ( on ∧ ¬on′ ∧ ϑi ≥ 21∧ ϑ′

i = ϑi ∧ ϑ′

o = ϑo ∧ c′ = c)∨ ( ¬on ∧ ¬on′

∧ dϑi

dt = −0.1(ϑi − ϑo)

∧ dcdt = −0.05c

∧ (ϑ′

i ≥ 19 ∨ c′ ≥ 0.04) ∧ ϑ′

o = ϑo)∨ ( on ∧ on′

∧ dϑi

dt = 0.2 · 35− 0.3ϑi + 0.1ϑo

∧ dcdt = 0.01− 0.05c

∧ ϑ′

i ≤ 21 ∧ ϑ′

o = ϑo)

target =(c > 0.1)

Bounded Model Checking (BMC): Check satisfiability of SMT formula

Φk := init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]

The Basic Idea

1 Continuous flows, described by ODEs, define pre-post-constraintson continuous states:� Given an ODE dx

dt= f(x) and a (convex) invariant I ⊂ dom(x),

� [[dxdt

]] = {(f(0), f(t)) | f solution of dxdt

= f(x), ∀t′ ≤ t : f(t′) ∈ I}

2 Adding direct support for such “ODE constraints” in arithmeticconstraint solving facilitates BMC of continuous-time hybridsystems

[Eggers & Fränzle: ATVA’08; Ishii, Ueda, Hosobe, Goldsztejn: ADHS’09]

odeSAT: Adding Forward and BackwardPropagation for ODE Constraints

0 1 2 3 4 5 0

0 1 2 3 4 5

time of interesthorizon

x(1)prebox

postbox

backward propagationforward propagation

...yields a classical interval propagator!

iSAT+ODE: Integrated Algorithm (Example)

(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]

( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]

( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

y < 30

y < 27

x2 ∈ [−5, 7]

x1 ∈ [10, 20]

x1 + x2 > y

y < x1 + x2 ≤ 27

(x1 + x2 > y) ∧ ( y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

(x1 + x2 > y) ∧ (y ≥ 28∨ a ) ∧ (¬a ∨ dxdt

= 320 · (3− x))

a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ ( ¬a ∨dxdt

= 320 · (3− x))

a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a∨ dxdt

= 320 · (3− x) )

a ∈ { 1}, x1 ∈ [10, 20], x2 ∈ [3, 7] , y ∈ [0, 27]

0 5 10 15 20 25 30 35 40 45

x2 ≥ −5

x2 ≥ 33

[Eggers, Fränzle, and Herde, 2008], [Ishii, Ueda, and Hosobe, 2011]

Satisfiability Modulo ODE

� Boolean-, real-, and integer-valued variables with boundeddomains

� Quantifier-free Boolean combination of� Simple bounds, e.g. x ≤ 3.2� Arithmetic constraints, e.g. z = sin(y)� Sufficiently smooth, time invariant ordinary differential equations

(ODEs), e.g.•

x= 2.4 · x− y2

� Bounded Model Checking (BMC) formula structure:Φ = init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]

� ODEs occur only in transition system

Goal: Find a satisfying valuation for Φ or prove its unsatisfiability.

Solving SAT Modulo ODE Formulae

Satisfiability of SAT Modulo ODE Formulae

� Point-valued satisfaction: standard for arithmetic constraintsand simple bounds, e.g. point (x = 6, y = 3) satisfies x = 2y

� Definitionally-closed systems of ODEs, e.g.•

x= −y, •y= x satisfiedby valuation

((x1 = 1, y1 = 0), (x2 = 0, y2 = −1), delta_time = π/2) ,

with (x1, y1), (x2, y2) being successive BMC instances of (x, y) anddelta_time the duration of continuous flow:

−0.5

−1 −0.5 0 0.5 1 1.5

(x1, y1)

(x2, y2)

Need to lift this to intervals for ICP

Given: a system of time-invariant ODEs

dt= f1(x1, . . . , xn)...

dt= fn(x1, . . . , xn)

plus three boxes B, I, E ⊂ Rn.

Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.

dt= f1(x1, . . . , xn)...

dt= fn(x1, . . . , xn)

Added value: Prune unconnected parts of B and E:

dt= f1(x1, . . . , xn)...

dt= fn(x1, . . . , xn)

E’B’

dt= f1(x1, . . . , xn)...

dt= fn(x1, . . . , xn)

E’B’

. . . and determine dwell-time interval delta_time.

Problem: Safely determine whether E is unreachable from B alonga trajectory satisfying the ODE and not leaving I.

Some approaches:

1 Interval-based safe numeric approximation of ODEs[Moore 1965, Lohner 1987, Stauning 1997]

(used in Hypertech [Henzinger, Horowitz, Majumdar,

Wong-Toi 2000])

2 CLP(F): a symbolic, constraint-based technology forreasoning about ODEs grounded in (in-)equationalconstraints obtained from Taylor expansions[Hickey, Wittenberg 2004]

Towards SAT modulo ODE

Safe Enclosure Methods for ODEs

ODE Enclosure Problem

Given a system of (sufficiently-smooth, first order, time-invariant,Lipschitz-continuous) ordinary differential equations (ODEs), we wantto enclose all trajectories emerging from a set of starting points overa limited temporal horizon.

dt(t) = f (x(t)) , x(0) ∈

[x1(0), x1(0)]...

[xn(0), xn(0)]

Safely enclose all x(t) over t ∈ [0, horizon].

Safe Approximation

!!!!!!!!!!!!!!!!!!

startbox

flowbox

postbox

Safe Approximation

!!!!!!!!!!!!!!!!!!

ti ∈ TOI

flowbox

postbox

startbox

Safe Approximation

!!!!!!!!!!!!!!!!!!

ti ∈ TOI

flowbox

postbox

startbox

Should also be tight!

Safe Approximation

!!!!!!!!!!!!!!!!!!

ti ∈ TOI

flowbox

postbox

startbox

Should also be tight! And efficient to compute!

Euler’s Method

Taylor Series

Exact solution x(t) has slope determined by f in each point:

dt(t) = f(x(t))

Taylor expansion of exact solution:

x(t0 + h) = x(t0) +h1

dt(t0) (Euler’s Method)

dt2(t0) + . . .

dtn(t0)

(n + 1)!

dtn+1(t0 + θh), with 0 < θ < 1

Taylor Series

dt(t) = f(x(t))

x(t0 + h) = x(t0) +h1

dt(t0)

dt2(t0) + . . .

dtn(t0)

(Lagrange Remainder)

(n + 1)!

dtn+1(t0 + θh), with 0 < θ < 1

Taylor Series

dt(t) = f(x(t))

x(t0 + h) = x(t0) +h1

dt(t0)

dt2(t0) + . . .

dtn(t0)

(n + 1)!

dtn+1(t0 + θh), with 0 < θ < 1

Taylor Series

x(t0 + h) = x(t0) +h1

dt(t0)

︸︷︷︸

f(x(t0))

dt2(t0)

︸︷︷︸dfdt

(x(t0))·f(x(t0))

+ . . .

dtn(t0)

(n + 1)!

dtn+1(t0 + θh)

︸︷︷︸

unknown

, with 0 < θ < 1

Taylor Series

x(t0 + h) = x(t0) +h1

dt(t0)

︸︷︷︸

f(x(t0))

dt2(t0)

︸︷︷︸dfdt

(x(t0))·f(x(t0))

+ . . .

dtn(t0)

(n + 1)!

dtn+1(t0 + θh)

︸︷︷︸

unknown

, with 0 < θ < 1

Can use interval arithmetic to evaluate f(x(t0)), etc.,whenever x(t0) is set-valued!

Automatic differentiation computes derivatives.

Bounding Box

for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))

t0 + h

dxdt (t) = f (x(t))

Bounding Box

for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))

t0 + h

dxdt (t) = f (x(t))

If we only knew B...

Bounding Box [Lohner]

Given: Initial value problem:dxdt

= f(x), x(t0) = x0

Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])

and[B1] ⊆ [B0]

then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.

Bounding Box [Lohner]

Given: Initial value problem:dxdt

= f(x), x(t0) = x0 may also be a box

Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])

and[B1] ⊆ [B0]

then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.

Algorithm

To get an enclosure . . .

� Determine bounding box and stepsize

� Evaluate Taylor series up to desired order over startbox

� Evaluate remainder term over bounding box

Bounding Box

0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45

Algorithm

� Find bounding box with greedy algorithm

� Generate derivatives symbolically

� Simplify expressions to reduce alias effects on variables� Evaluate expressions with interval arithmetic

� Taylor series� Lagrange remainder

Example

= −x + 3, dydt

= x, x0 = [2, 4], y0 = [1, 1]

Example II: Stable Oscillator

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

0.5 1 1.5 2 2.5 3 3.5 4 4.5 5

−40−30

−20−10 0

Wrapping Effect

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

8.5 9 9.5 10 10.5 11 11.5 12

0 0.1 0.2 0.3 0.4 0.5

Fight Wrapping Effect

Lohner, Stauning, . . . : use coordinate transformation

x[a, b]

[c, d]

Fight Wrapping Effect

Lohner, Stauning, . . . : use coordinate transformation

[r, s]

[t, u]

x[a, b]

[c, d]

Stable Oscillator

= y, dy

dt= −x, x0 = [10, 12], y0 = [−1, 0]

−15 −10 −5 0 5 10 15x

t = 6.00748

t = 0.286473

t = 0.593339

t = 0.900205

t = 1.20707

Stable Oscillator

= y, dy

dt= −x, x0 = [10, 12], y0 = [−1, 0]

100 150

xt = [0, 10]

t = [190, 200]

Damped Oscillator

= y − 0.8 · x, dy

dt= −x + 0.3 · y, x0 = [10, 15], y0 = [−2, 1]

[Moore, 1966], [Lohner, 1988], [Stauning, 1997]

Taylor-Series-Based Enclosures: Summary

x(t0 + h) = x(t0) +h1

dt(t0) (Euler’s Method)

dt2(t0) + . . .

dtn(t0)

(Lagrange Remainder)

(n + 1)!

dtn+1(t0 + θh), with 0 < θ < 1

� First, calculate rough a-priori enclosure (bounding box)

� Second, compute tighter enclosure with Taylor series and encloseremainder term over a-priori enclosure

� Use Automatic Differentiation to obtain Taylor terms

� Compute coordinate transformation to fight wrapping effect

Use in ICP: Tighten Target Box

−20−15

−10−5

xtinitial postbox

� Given target box (including phase space and time)

Use in ICP: Tighten Target Box

−20−15

−10−5

tightened postbox and TOI

xtinitial postbox

� Given target box (including phase space and time)

� Intersect target box with enclosure

� Remove elements with empty intersection(narrows also time-window of interest)

Backward Propagation

� Use temporally reversed ODEs

� Use start box as target box and do normal forward propagation

� Intersect resulting target box with original start box

Backward Propagation

� Use temporally reversed ODEs

� Use start box as target box and do normal forward propagation

� Intersect resulting target box with original start box

Fwd. and bwd. propagation do

� narrow the start box B and target box E — also iteratively!

� narrow the time window for both B and E,

� thus give fresh meat to constraint propagation along adjacent partsof the transition sequence!

Summary: Taylor-Based Enclosure

� Taylor-based numerical method with error enclosure� Tightly integrated with non-linear arithmetic constraint solving:

� provides an interval contractor, just like ICP

E’B’

� temporally symmetric (fwd. and bwd. contraction), unlike traditionalimage computation

� refutes trajectory bundles based on partial knowledge

� First proof of concept had implemented in 2008.[Eggers, Fränzle, Herde, ATVA 2008]

[Nedialkov and Jackson, 1999], [Nedialkov, Jackson, and Pryce, 2001], [Nedialkov, 2006]

Beyond Taylor Series: VNODE-LP

� Hermite-Obreschkoff method: generalization of Taylor series� VNODE-LP:

� Use High-Order Enclosure (HOE) to obtain a-priori enclosure ofODE

� Use Interval Taylor Series (ITS) with coordinate transformation andQR-method as predictor

� Use Interval Hermite-Obreschkoff (IHO) method as corrector

� IHO allows larger stepsize than ITS (ITS becomes numericallyunstable for smaller stepsizes than IHO)

� Local error for nonlinear ODEs much lower for IHO than for ITS

[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

VNODE-LP as an Enclosure Method in iSAT-ODE

� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering

timespan in between

determined by VNODE−LP

enclosures at (very tight) time intervals

... up to a given horizon

0 5 10 15 20

timespan in between

a−priori enclosures determined by VNODE−LP

0 5 10 15 20

timespan in between� iSAT-ODE layer: re-evaluate extreme parts of enclosure with

refined stepsize for tighter result → expensive

selectively tightenedboxes

boxes that finally

intersect with the

postbox

given postbox

a−priori enclosures

0 5 10 15 20

Bracketing Systems: Rationale

� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains

� Point-wise (or small interval) reasoning thus preferable, if applicable

� A natural idea is to follow extremal trajectories:

Bracketing Systems: Rationale

� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains

� Point-wise (or small interval) reasoning thus preferable, if applicable

� A natural idea is to follow extremal trajectories:

� Problem 1: Number of spanning nodes exponential in systemdimension.

� Problem 2: Reachable set need not be spanned by trajectoriesoriginating in extremal points.

[Müller, 1927]

Bracketing Systems: Essence of Müller’s Theorem

Bounding

xx− x+

dxdt = f (x, y)

dydt = g(x, y)

If, e.g., f monotonic in x, antitonic in y within bounding box,g monotonic in x and y within bounding box

then [x−(t), x+(t)]× [y−(t), y+(t)] yields an enclosure for(x(t), y(t)) if x−, . . . , y+ are solutions to

dt= f(x−, y+) dy−

dt= g(x−, y−)

dt= f(x+, y−) dy+

dt= f(x+, y+)

with IVs x−(0) ≤ x(0) ≤ x+(0), y−(0) ≤ y(0) ≤ y+(0).

[Ramdani, Meslem, and Candau, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Bracketing Systems

� Direct VNODE-LP enclosures may diverge quickly for large initialdomains

� Evaluate signs of partial derivatives of ODE’s right-hand side overcurrent enclosure

� If all relevant entries each strictly positive / negative, proceed

� Using Müller’s theorem, generate a bracketing system: replaceoriginal variables by upper and lower bracketing variablesdepending on signs in Jacobian [Müller, 1927]

� Enclose bracketing system using VNODE-LP: twice thedimensionality but point-valued initial conditions

� Re-evaluate Jacobian, check validity of signs (a-posteriorivalidation)

Comparison: Direct vs. Bracketing

denselower bracketing a prioriupper bracketing a priori

direct a prioridirect enclosure

lower bracketing enclosureupper bracketing enclosure

0 2 4 6 8 10 12

x dimension of•

x = −p4x−p1x

1 + p2y+ p3y + 0.1

y = p4x− p3y

x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p1 ∈ [0.8, 1], p2 ∈ [1.0, 1.2], p3 ∈ [0.3, 0.5],

and p4 ∈ [0.20, 0.25].Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 67 / 85

[Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Comparison: Direct vs. Bracketing

denselower bracketing a prioriupper bracketing a priori

direct a prioridirect enclosure

lower bracketing enclosureupper bracketing enclosure

0 2 4 6 8 10 12

x dimension of•

x= y,•

y= −x,x(0), y(0) ∈ [1, 2].

� Complementary strengths

⇒ iSAT-ODE: Intersect both enclosures for tighter result.

Learning ODE Deductions

� ODE enclosures very expensive compared to simple intervalconstraint propagations

� Preserve once-learnt facts from deletion during backjumps (similarto learning conflict clauses [Marques-Silva and Sakallah, 1996])

� Learn deduced facts for all isomorphic instances (constraintsreplication [Shtrichman, 2000])

� Two main ingredients:� iSAT core: learn new clauses during search (multiple at once, not

necessarily conflicts, potentially introducing new variables to safelyrepresent constants)

� ODE layer: recognize enclosure requests that have already beenanswered (or can be subsumed under previously answered requests)

� Additionally: store limited number of VNODE’s intermediateresults for reuse, when partial request is detected (e.g. compatibleinitial box but tighter delta_time range)

SAT Modulo ODE

Solving the Case Study

Hybrid Systems – Example: Plant & Controller

plant_dynamics

omega_set

controller

trigger

x_target

y_target

alpha_target

bang−bang control

Does this system work as specified?

Predicative Encoding

−− A robot that is being given a target location to which it shall move.

DECLdefine MAX_TIME = 100; −− Maximum global time.define MAX_STEP = 2; −− Maximum duration.float [0, MAX_TIME] time; −− Global time.float [0, MAX_STEP] delta_time; −− Step duration.float [−100, 100] x; −− Position, x coordinate .float [−100, 100] y; −− Position, y coordinate .float [−100, 100] delta_x; −− Position change by flow, x coordinate .float [−100, 100] delta_y; −− Position change by flow, y coordinate .float [−8, 8] alpha; −− Direction.float [−1, 1] omega; −− Angular velocity.float [−0.1, 0.1] omega_set; −− Angular velocity set point.float [−10, 10] v; −− Velocity.float [0, 0.4] v_set; −− Velocity set point .define P_v = 3; −− Proportional gain in analog velocity control .define P_omega = 1.6; −− Proportional gain in analog angular velocity ctrl .

define PI_LB = 3.141592; −− Lower bound for PI.define PI_UB = 3.141593; −− Upper bound for PI.

define PI_UB_HALF = 1.5708; −− Upper bound for 0.5 ∗ PI.

float [−100, 100] x_target; −− Position of target , x coordinate .float [−100, 100] y_target; −− Position of target , y coordinate .float [0, 142] distance ; −− Distance to target.float [−100, 100] dx; −− Distance to target, x component.float [−100, 100] dy; −− Distance to target, y component.float [−1, 1] tmp_quot_dy_dist; −− Quotient dy / distance.−− Reduce nondeterminism in model by enforcing that alpha cannot be less and−− more than alpha_target at the same time and distance must be in one−− category (−−0.1−−−0.5−−−5−−).boole alpha_leq_alpha_target;boole alpha_geq_alpha_target;boole distance_geq_5;boole distance_geq_05;boole distance_geq_01;

−− Result of asin(tmp_quot_dy_dist) is limited to standard branch used by−− ctrl’s asin implementation.float [−PI_UB_HALF, PI_UB_HALF] alpha_target_tmp;

float [−8, 8] alpha_target; −− Direction to target .define CTRL_PI = 3.1415927; −− PI constant used by controller.−− Note that the real controller will be using such a fixed constant , i .e.−− here it is not necessary to safely enclose PI by an interval when the−− same calculations are performed as done by the controller (which we−− assume here).

boole flow ;

INITtime = 0;x = 0;y = 0;alpha = 0;omega = 0;v = 0;

−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;

−− Initial Controller run.dy = y_target − y;dx = x_target − x;distance = nrt(dx^2 + dy^2, 2);−− tmp_quot_dy_dist = dy / distance.distance ∗ tmp_quot_dy_dist = dy;sin (alpha_target_tmp) = tmp_quot_dy_dist;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist >= −1 and tmp_quot_dy_dist <= −0.64)−> ( alpha_target_tmp >= 3 ∗ (tmp_quot_dy_dist + 0.5) − 0.3

and alpha_target_tmp <= 2.29 ∗ tmp_quot_dy_dist + 0.991);(tmp_quot_dy_dist >= −0.64 and tmp_quot_dy_dist <= 0.64)−> ( alpha_target_tmp >= tmp_quot_dy_dist

+ 0.16 ∗ (tmp_quot_dy_dist^3) − 0.05and alpha_target_tmp <= tmp_quot_dy_dist

+ 0.16 ∗ (tmp_quot_dy_dist^3) + 0.05);(tmp_quot_dy_dist >= 0.64 and tmp_quot_dy_dist <= 1)−> ( alpha_target_tmp >= 2.29 ∗ tmp_quot_dy_dist − 1

and alpha_target_tmp <= 3 ∗ (tmp_quot_dy_dist + 0.5) − 2.65);alpha_target_tmp >= −1.570797;alpha_target_tmp <= 1.570797;−− End of redundant encoding for asin.

dx >= 0 −> alpha_target = alpha_target_tmp;dx < 0 −> alpha_target = CTRL_PI − alpha_target_tmp;

alpha_leq_alpha_target <−> alpha <= alpha_target;alpha_geq_alpha_target <−> alpha >= alpha_target;

alpha_leq_alpha_target and !alpha_geq_alpha_target −> omega_set = 0.1;!alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = −0.1;alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = 0;

distance_geq_5 <−> distance >= 5;distance_geq_05 <−> distance >= 0.5;distance_geq_01 <−> distance >= 0.1;

distance_geq_5 −> v_set = 0.4;distance_geq_05 and !distance_geq_5 −> v_set = 0.2;distance_geq_01 and !distance_geq_05 −> v_set = 0.1;!distance_geq_01 −> v_set = 0;

flow ;TRANS

!flow ’ <−> flow;time ’ = time + delta_time;

−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);

flow −> delta_time = 2;

−− Target stays constant.x_target’ = x_target;y_target’ = y_target;

!flow −> delta_time = 0;!flow −> x’ = x

and y’ = yand alpha’ = alphaand v’ = vand omega’ = omega;

−− Controller calculates the current direction to target location at every−− step.dy’ = y_target’ − y’;dx’ = x_target’ − x’;

distance ’ = nrt(dx’^2 + dy’^2, 2);−− tmp_quot_dy_dist’ = dy’ / distance’.distance ’ ∗ tmp_quot_dy_dist’ = dy’;sin (alpha_target_tmp’) = tmp_quot_dy_dist’;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist’ >= −1 and tmp_quot_dy_dist’ <= −0.64)−> ( alpha_target_tmp’ >= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 0.3

and alpha_target_tmp’ <= 2.29 ∗ tmp_quot_dy_dist’ + 0.991);(tmp_quot_dy_dist’ >= −0.64 and tmp_quot_dy_dist’ <= 0.64)−> ( alpha_target_tmp’ >= tmp_quot_dy_dist’

+ 0.16 ∗ (tmp_quot_dy_dist’^3) − 0.05and alpha_target_tmp’ <= tmp_quot_dy_dist’

+ 0.16 ∗ (tmp_quot_dy_dist’^3) + 0.05);(tmp_quot_dy_dist’ >= 0.64 and tmp_quot_dy_dist’ <= 1)−> ( alpha_target_tmp’ >= 2.29 ∗ tmp_quot_dy_dist’ − 1

and alpha_target_tmp’ <= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 2.65);alpha_target_tmp’ >= −1.570797;alpha_target_tmp’ <= 1.570797;−− End of redundant encoding for asin.

dx’ >= 0 −> alpha_target’ = alpha_target_tmp’;dx’ < 0 −> alpha_target’ = CTRL_PI − alpha_target_tmp’;

−− The discrete controller can set new omega_set and new v_set every step.−− Would need to adjust this if BMC steps and controller steps became−− seperated.alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;

! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’−> omega_set’ = 0.1;

!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = −0.1;

!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = 0;

distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;

!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;

TARGETdistance > 0.1;

Predicative Encoding – Continuous Dynamics

P_omega

robot motioncontinuous−time

proportional control

omega_set

time ’ = time + delta_time;

−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);

flow −> delta_time = 2;

Predicative Encoding – Discrete Controller

rotation1

speed 2

/v=0.4;

alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;

! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’ −> omega_set’ = 0.1;!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = −0.1;!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = 0;

distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;

!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;

Predicative Encoding – Proof Obligation

E.g., looking for a target position that cannot be reached within given

number of steps:

INIT...−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;

TARGETdistance > 0.1;

Note: Target position not determined!

Candidate Solution Box from iSAT-ODE

Extracting (x, y)-trace from candidate solution box.

0 1 2 3 4 5 6 7 8

’robot_motion_14.hys_out_prabs1e−6_k42_wilkinson_defs_plot_0.plot_data’

BMC unwinding depth 42, runtime 2966 s (2.4 GHz AMD Opteron)

Valuation forxtarget : (6.6888899, 6.68907593]ytarget : [1.53229439, 1.53235116)

Robot reaches target but moves on.

Candidate Solution from iSAT-ODE – Distance

y distance dx dy

0 10 20 30 40

distance_geq_01

distance_geq_05

distance_geq_5

alpha_leq_alpha_target

alpha_geq_alpha_target

0 10 20 30 40

BMC Steps

Candidate Solution from iSAT-ODE – Velocityv v_set

0 10 20 30 40

v 6= 0!

� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]

in step 32� Robot passes nearby target location but not close enough to

enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0

� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85

Candidate Solution from iSAT-ODE – Resultv v_set

0 10 20 30 40

v 6= 0!

� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]

in step 32 −→ P-controller might be too weak� Robot passes nearby target location but not close enough to

enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0−→ Should keep target speed at 0

� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85

Simulated Error Trajectory for Candidate Solution

Simulated Error Trajectory – Continued

Conclusion

Problem: Direct handling of constraints involving arbitraryBoolean combinations of

� literals,� linear, polynomial, and transcendental (in-)equations

over the reals,� (potentially non-linear) ODE constraints interpreted

as pre-post-relations,

as arising in predicative encodings of analysis problemsof non-linear hybrid systems.

Approach: Build a tight integration of

� conflict-driven clause learning (CDCL) SAT solving,� interval constraint propagation,� interval-based enclosures of sets of inital-value

problems wrt. an ODE.

Related Approaches I

� Hybridization techniques allowing nonlinear ODEs to be handledby linear ODE methods or even by methods covering piecewiseconstant ODE only, e.g. LinSAT(cf., e.g., [Asarin, Dang, and Girard, 2007])

� Constraint Logic Programming(Functions) CLP(F)[Hickey and Wittenberg, 2004]

� Arithmetic and analytic relations between real and function variables� Function-type variables constrained by derivative constraints� Derivative constraints solved by interval constraint propagation

exploiting overapproximating Taylor series� But: not fighting the wrapping effect⇒ Excessive growth of enclosures

Related Approaches II

� ODE enclosures embedded into Constraint ProgrammingFramework [Goldsztejn, Mullier, Eveillard, and Hosobe, 2010]

� Branch and prune algorithm for conjunctive systems� Interval Newton for pruning and existence proofs� Using CAPD library (“optimized for small initial conditions”)⇒ “very sharp enclosures of solutions, but poorer performances for

exploring large domains”

� hydlogic: Classic SMT with VNODE-LP and Interval Newton[Ishii, Ueda, and Hosobe, 2011]

� SAT solver enumerating abstract trajectories� Constraint Solving (Elisa + VNODE-LP)� Learning� Interval Newton to prove existence of trajectories⇒ Different approach using classical DPLL(T) integration scheme

Thanks

� to Andreas Eggers, Nacim Ramdani, and Ned Nedialkov for thejoint development of iSAT(ODE),

� to the many collaborators in the development of iSAT, in particular� C. Herde, T. Teige (both Oldenburg),

S. Kupferschmid, K Scheibler, T. Schubert, B. Becker (Freiburg),S. Ratschan (Prague)

within the� DFG-funded Transregional Research Center 14 “AVACS”

(Automatic Analysis and Verification of Complex Systems)

� and to Andreas Eggers, Christian Herde, and Tino Teige forcontributing many slides.

SAT Modulo Ordinary Differential Equations Want to impress your ...

Documents

Transcript of SAT Modulo Ordinary Differential Equations Want to impress your ...

Impress Profile

Wolfgang Küchlin: 60 Years of Boolean Satisfiability Solving...Explanations for SAT and UNSAT, Optimization, Bounded Model Checking, SAT modulo Theories (SMT), … Wolfgang Küchlin,

LibreOffice Impress

Impress Tutorial

IMPRESS PR

SAT Modulo Linear Arithmetic for Solving Polynomial Constraintsoliveras/espai/papers/JAR-nia.pdf · 2010-07-28 · SAT Modulo Linear Arithmetic for Solving Polynomial ... In general,

Trabajo impress

Impress امبريس

CSC2512 Advanced Propositional Reasoningfbacchus/csc2512/csc2512_L4.pdf•SMT == Sat Modulo Theory Solvers •Basic idea is to augment a SAT solver with special purpose “theory”

SAT Modulo Monotonic Theories - cs.ubc.ca · SAT Modulo Monotonic Theories by Sam Bayless B. Sc., The University of British Columbia, 2010 A THESIS SUBMITTED IN PARTIAL FULFILLMENT

Creating An Impress Presentation An Impress Presentation On How To Use Impress To Create An Impress Presentation.

Computer Science семинар, осень 2010: SAT and Satisfiability Modulo Theories (R. Bruttomesso, University of Lugano)

Impress 03

Impress 최종

Solving SAT and SAT Modulo Theories: From an Abstract ...oliveras/espai/papers/JACM.pdf · Solving SAT and SAT Modulo Theories: ... Mathematical Logic ... of-the-art tools and, in

Formazione SESEC Modulo 14: Strumento di autovalutazione (SAT)

Modulo 4 (Product)€¦ · Title: Modulo 4 (Product) Author: CamScanner Subject: Modulo 4 (Product)

SMELS: Sat Modulo Equality with Lazy Superposition Christopher Lynch – Clarkson Duc-Khanh Tran - MPI.

Impress aves

Impress cocktails