SAT Modulo Ordinary Differential Equations Want to impress your ...
Transcript of SAT Modulo Ordinary Differential Equations Want to impress your ...
SAT Modulo Ordinary Differential EquationsAn Analysis Method for Hybrid Systems
Martin Fränzle1
with slides, LATEX souce, etc., by
Andreas Eggers1 · Christian Herde1
Nacim Ramdani2 · Nedialko S. Nedialkov3
SFB/TR 14 AVACS
1 Carl von Ossietzky Universität · Oldenburg, Germany2 Université d’Orléans · PRISME · Bourges, France3 McMaster University · Hamilton, Ontario, Canada
Want to impress your boy friend / girl friend?
[YouTube video]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 2 / 85
Want to impress your boy friend / girl friend?
[www.popsci.com]
That’s why we build hybrid systems!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 3 / 85
What is a hybrid system?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
What is a hybrid system?
Hybrid (from Greece) means arrogant,presumptuous.
After H. Menge: Griechisch/Deutsch,Langenscheidt 1984
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
What is a hybrid system?
Hybrid (from Greece) means arrogant,presumptuous.
After H. Menge: Griechisch/Deutsch,Langenscheidt 1984
Hybrid stems from Latin hybrida ’off-spring of a tame sow and wild boar,child of a freeman and slave, etc.’
From the Compact Oxford EnglishDictionary, 2008
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
Hybrid Systems
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmental
influence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 5 / 85
Hybrid Systems
Loads of
continuous
computations
interleaved
with discrete
decisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmental
influence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 5 / 85
Hybrid systems
are ensembles of interacting discrete and continuous subsystems:� Technical systems:
� physical plant + multi-modal control� physical plant + embedded digital system� mixed-signal circuits� multi-objective scheduling problems (computers / distrib. energy
management / traffic management / ...)
� Biological systems:� Delta-Notch signaling in cell differentiation� Blood clotting� ...
� Economy:� cash/good flows + decisions� ...
� Medicine/health/epidemiology:� infectious diseases + vaccination strategies� ...
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 6 / 85
Hybrid Systems
The Formal Model
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 7 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
y < 0
y > 0
x :
y :
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
State and Dimension Explosion
Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...
Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...
Size-dependent dynamics� Latency in ctrl. loop depends on number
of cars due to communication subsystem.� Coupled dynamics yields long hidden
channels chaining signal transducers.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 9 / 85
State and Dimension Explosion
Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...
Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...
Size-dependent dynamics� Latency in ctrl. loop depends on number
of cars due to communication subsystem.� Coupled dynamics yields long hidden
channels chaining signal transducers.
⇒ Need a scalable approach⇒ Let’s try to achieve this through SAT/SMT-based methods.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 9 / 85
Hybrid Control — A Case Study
!!
!!
!!
α
(x, y)
vsatellite position
target position
ω =•
α
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 10 / 85
Hybrid Control — A Case Study
omega
5
v
4
alpha
3
y
2
x
1
cos
sin
P_v
3
P_omega
1.6
1
s
1
s
1
s 1
s
1
s
v_set
2
robot motioncontinuous−time
proportional control
omega_set
1
alpha
vx
vy
xx
yyv
omega
•
ω
•
v= a
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 11 / 85
Hybrid Control — A Case Study
alpha_target
3
v
2
omega
1
controller
alpha
alpha_target
dist_to_target
omega
v
pi
asin
>= 0
Sqrt
u
u2
u2
y_target
6
x_target
5
ypos
4
xpos
3
alpha
2
trigger1
distance
time−triggered controller
alpha_target
−1 −0.5 0 0.5 1−1.5
−1
−0.5
0
0.5
1
1.5
asin(x)
(x, y)
α′
T
(xT , yT )
α′
T
π − α′
T
α′T = sin−1( yT−y√(xT−x)2+(yT−y)2
)
dista
nce
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 12 / 85
Hybrid Control — A Case Study
all
rotation1
m0
speed 2
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
all
rotation1
m0
speed
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target > 0.5 && dist_to_target <
1
[dist_to_target >
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
1 speed 2
m1
0.1;
[alpha > alpha_target] / omega = − 0.1;
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Does this system work as specified?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Simulated Trajectory Reaching Target
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 15 / 85
Multiple Simulated Trajectories Reaching Targets
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 16 / 85
CDCL + Interval Constraint Propagation
An engine for Bounded Model Checkingof non-linear discrete-time HA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 17 / 85
Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (1)
Given:
Delay
in on
xn+1xn
xn+1 = f(xn, in)on = g(xn, in)
Nonlinear discrete-time hybriddynamical system
x — state vectori — input vectoro — output vectorf — next-state functiong — output function
f, g potentially nonlinear.
Goal:
Check whether some unsafe state is reachable within k steps of thesystem
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 18 / 85
Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (2)
Method:� Construct formula that is satisfiable if error trace of length k exists
� Formula is a k–fold unrolling of the transition relation, concatenated witha characterization of the initial state(s) and the (unsafe) state to bereached
i0 i1 i2o0 o1 o2
x1 = f(x0, i0)o0 = g(x0, i0)
x2 = f(x1, i1)o1 = g(x1, i1)
x3 = f(x2, i2)o2 = g(x2, i2)
x0 x3x1 x2
I(x0) P (x3)
� Use appropriate procedure to “decide” satisfiability of the formula
Needed:
Solvers for large, non-linear arithmetic formulae with a rich Booleanstructure
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 19 / 85
Bounded Model Checking with HySAT / iSAT
HySAT
There’s no sequence of
input values such that
3.14 ≤ x ≤ 3.15
Safety property:
DECL
boole b;
float [0.0, 1000.0] x;
INIT
– Characterization of initial state.
x = 2.0;
TRANS
– Transition relation.
b -> x’ = xˆ2 + 1;
!b -> x’ = nrt(x, 3);
TARGET
– State(s) to be reached.
x >= 3.14 and x <= 3.15;
SOLUTION:
b (boole):
@0: [0, 0]
@1: [1, 1]
@2: [1, 1]
@3: [0, 0]
@4: [1, 1]
@5: [1, 1]
@6: [0, 0]
@7: [1, 1]
@8: [0, 0]
@9: [1, 1]
@10: [1, 1]
@11: [0, 0]
x (float):
@0: [2, 2]
@1: [1.25992, 1.25992]
@2: [2.5874, 2.5874]
@3: [7.69464, 7.69464]
@4: [1.97422, 1.97422]
@5: [4.89756, 4.89756]
@6: [24.9861, 24.9861]
@7: [2.92347, 2.92347]
@8: [9.5467, 9.5467]
@9: [2.12138, 2.12138]
@10: [5.50024, 5.50024]
@11: [31.2526, 31.2526]
@12: [3.14989, 3.14989]
x := x2 + 1b/
¬b/x := 3
√x
x := 2
CO
UN
TEREX
AM
PLE
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 20 / 85
The Task
Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape
(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .
∧ (dxdt
= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 21 / 85
The Task
Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape
(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .
∧ (dxdt
= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .
Most conventional solvers� do either address much smaller fragments of arithmetic
� decidable theories: no transcendental fct.s, no ODEs
� or tackle only small formulae� some dozens of Boolean connectives.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 21 / 85
Interval Arithmetic
� an ancient mathematical technique, already used by Archimedes,
� systematized by Rosalind Cecily Young in the 1930s [Young, 1931]
� brought to computing by Paul Dwyer [ Dwaer, 1951], MieczyslawWarmus [Warmus, 1956, Teruo Sunaga [Sunaga, 1958], and RamonE. Moore [Moore, 1966] in the 1950s
� is an approach to putting safe bounds on computational results,irrespective of� rounding errors during computations,� inaccuracies in measurements of entities entering the computation,� uncertain parameters.
� when applied to an expression over the reals, it yields a set-valuedresult, namely an interval over the reals, which is guaranteed tocontain the exact value of the expression.
� can be used for efficiently computing a safe overapproximation (i.e.,a superset) of the image f(X) of a set X ⊆ R
n under a functionf : Rn → R
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 22 / 85
Interval Arithmetic
For non-empty argument intervals [a, b] ∈ II \ {∅} and [c, d] ∈ II \ {∅}, define
[a, b]⊢⊣
+ [c, d] = [a←
+ c, b→
+ d]
[a, b]⊢⊣
− [c, d] = [a←
− d, b→
− c]
[a, b]⊢⊣· [c, d] = [min(a
←· c, a
←· d, b
←· c, b
←· d),max(a
→· c, a
→· d, b
→· c, b
→· d)]
⊢⊣
sin [a, b] =
[min(←
sin a,←
sin b),max(→
sin a,→
sin b)] iff (2n + 1
2)π 6∈ [a, b] and
(2m− 1
2)π 6∈ [a, b],
[min(←
sin a,←
sin b), 1], iff (2n + 1
2)π ∈ [a, b] but
(2m− 1
2)π 6∈ [a, b],
[−1,max(→
sin a,→
sin b), 1], iff (2n + 1
2)π 6∈ [a, b] but
(2m− 1
2)π ∈ [a, b],
[−1, 1] iff (2n + 1
2)π ∈ [a, b] and
(2m− 1
2)π ∈ [a, b]
for any n,m ∈ Z.
where
�←· and
→· denote rounding down/up to computational reals,
� II denotes the set of intervals with representable bounds.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 23 / 85
Interval Arithmetic: Example
� Assume fixed-point arithmetic with just 1 bit fractional part:representable numbers are of the form k
2for k ∈ Z
� Given x1 = [0, 0.5] and x2 = [0.5, 1], IA computes
x1
⊢⊣
− x1
⊢⊣
+ x2
⊢⊣· x2 = ([0, 0.5]
⊢⊣
− [0, 0.5])⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [0←
− 0.5, 0.5→
− 0]⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [−0.5, 0.5]⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [−0.5, 0.5]⊢⊣
+ [min(0.5←· 0.5, 0.5
←· 1, 1
←· 0.5, 1
←· 1),
max(0.5→· 0.5, 0.5
→· 1, 1
→· 0.5, 1
→· 1)]
= [−0.5, 0.5]⊢⊣
+ [min(0, 0.5, 0.5, 1),max(0.5, 0.5, 0.5, 1)]
= [−0.5, 0.5]⊢⊣
+ [0, 1]
= [−0.5←
+ 0, 0.5→
+ 1]
= [−0.5, 1.5]
⇒ the computed interval [−0.5, 1.5] covers the set of values{x1 − x1 + x2 · x2 | x1 ∈ [0, 0.5], x2 ∈ [0.5, 1]} = [0.25, 1],yet not tightly so. −→ rounding + dependency problem of IA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 24 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� “Forward” interval propagation yields justification for constraintsatisfaction:
x ∈ [−2, 2]∧ y ∈ [−2, 2]
2
6
y
≤
+
∧
x
[−2, 2]
[0, 4]
[−2, 6]
[−2, 2]
h2
h1
satisfied in box
h2 ≤ 6 is
⇓
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval propagation (fwd & bwd) yields witness for unsatisfiability:
2
6
y
≤
+
∧
x
[3, 4]
[9, 16]
[9, 19]
[0, 3]
h2
h1
unsat. in box
h2 ≤ 6 is
⇓
x ∈ [3, 4]
∧ y ∈ [0, 3]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
2
6
y
≤
+
∧
x
[−10, 10]
[0, 100]
[−10, 110]
[−10, 10]
h2
h1
∧ y ∈ [−10, 10]x ∈ [−10, 10]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
2
6
y
≤
+
∧
x
[−4, 4]
[0, 16]
[−10, 6]
[−10, 6]
h2
h1
⇓
∧ y ∈ [−10, 10]x ∈ [−10, 10]
∧ y ∈ [−10, 6]x ∈ [−4, 4]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
Constraint is not satisfied
by the contracted box!
2
6
y
≤
+
∧
x
[−4, 4]
[0, 16] [−10, 6]
h2
h1
∧ y ∈ [−10, 6]x ∈ [−4, 4]
[−10, 22]
(details & alternatives: see Benhamou in Handbook of Constraint Progr.)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
y ∈ [0, 9]
y ∈ [0, 6]
y ∈ [−100, 100]
x ∈ [−100, 100]
x ∈ [−2.3, 2.3]
y ∈ [0, 100]
y ∈ [0, 20]
y ∈ [0, 5]
y ∈ [0, 4.6]
y ≤ 2·x
y = x2
x ∈ [−√
5,√
5]
x ∈ [−√
6,√
6]
x ∈ [−2.5, 2.5]
x ∈ [−4.5, 4.5]
x ∈ [−√
20,√
20]
x ∈ [−3, 3]
x ∈ [−10, 10]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 26 / 85
Incompleteness of Interval Contraction
Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.
Thus, interval contraction provides a highly incomplete deductionsystem:
x ∈ [0,∞)∧ h =̂x · y∧ h > 5
=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)
=⇒ h ∈ (0,∞) 6=⇒ h > 5
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 27 / 85
Incompleteness of Interval Contraction
Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.
Thus, interval contraction provides a highly incomplete deductionsystem:
x ∈ [0,∞)∧ h =̂x · y∧ h > 5
=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)
=⇒ h ∈ (0,∞) 6=⇒ h > 5
enhance through branch-and-prune approach.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 27 / 85
iSAT: Non-linear Arithmetic Constraint Solving
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
rewrite input formula into a conjunction of constraints:
⊲ n-ary disjunctions of bounds⊲ arithmetic constraints having at most one operation symbol
• Boolean variables are regarded as 0-1 integer variables.Allows identification of literals with bounds on Booleans:
≡ b ≥ 1b¬b ≡ b ≤ 0
• Float variables h1, h2, h3 are used for decompositionof complex constraint x2 − 2y ≥ 6.2.
• Use Tseitin-style (i.e. definitional) transformation to
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
a ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :DL 1:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c2
c3
c1a ≥ 1
b ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
c ≥ 1 d ≥ 1
d ≤ 0
DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c3
c2
c1
b ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
d ≥ 1
d ≤ 0
c ≥ 1
a ≥ 1DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4a ≥ 1 c ≤ 0 b ≤ 0 x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
DL 2: h2 ≤ −8
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c8
c6
c5
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≤ 3 h3 ≥ 6.2
h1 ≤ 9
h2 ≥ −2.8
x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
DL 2: h2 ≤ −8
DL 3:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c8
c6
c5
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≤ 3 h3 ≥ 6.2
h1 ≤ 9
h2 ≥ −2.8
x ≥ −2
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
← conflict clause = symbolic description
of a rectangular region of the search space
which is excluded from future search
DL 1:
DL 2: h2 ≤ −8
DL 3:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Results can be verified by sorting to “single assignment form”.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.
[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.
[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]
A DPLL(T)-based alternative, including LP solving, has beenimplemented by Gao et al.
[Gao, Ganai, Ivancic, Gupta, Sankaranarayanan, Clarke: FMCAD 2010]Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
The Impact of Learning: Runtime
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
Examples:BMC of� platoon control� bouncing ball� gingerbread map� oscillatory logistic map
Intersection of geometricbodies
Size:Up to 2400 variables,≫ 103 Boolean connec-tives.
[2.5 GHz AMD Opteron, 4 GByte physical memory, Linux]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 29 / 85
CDCL + ICP + Numeric ODE Enclosure
An engine for Bounded Model Checkingof non-linear continuous-time HA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 30 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
!!!!!!
!!!!!!!!!
!!!!!!!!!!!!!!!!!!
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]
Bounded Model Checking
ϑi ≤ 21
Heat off
Heat on
dϑi / d t = −0.1 · (ϑi − ϑo)
ϑi ≥ 19 ∨ c ≥ 0.04
d c / d t = −0.05 · c
d c / d t = 0.01− 0.05 · c
ϑi ≤ 19
c ≤ 0.04
ϑi ∈ [19, 25]
ϑi ∈ [15, 21]
c = 0
c = 0
ϑi ≥ 21
dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)
Bounded Model Checking (BMC):
Are there any trajectories leading from an inital to an unsafe state in k steps?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85
[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]
Bounded Model Checking and Constraint Solving
ϑi ≤ 21
Heat off
Heat on
dϑi / d t = −0.1 · (ϑi − ϑo)
ϑi ≥ 19 ∨ c ≥ 0.04
d c / d t = −0.05 · c
d c / d t = 0.01− 0.05 · c
ϑi ≤ 19
c ≤ 0.04
ϑi ∈ [19, 25]
ϑi ∈ [15, 21]
c = 0
c = 0
ϑi ≥ 21
dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)
init =−10 ≤ ϑo ≤ 20 ∧ c = 0
∧
(19 ≤ ϑi ≤ 25 ∧ ¬on
∨ 15 ≤ ϑi ≤ 21 ∧ on
)
trans =( ¬on ∧ on′ ∧ ϑi ≤ 19 ∧ c ≤ 0.04∧ ϑ′
i = ϑi ∧ ϑ′
o = ϑo ∧ c′ = c)∨ ( on ∧ ¬on′ ∧ ϑi ≥ 21∧ ϑ′
i = ϑi ∧ ϑ′
o = ϑo ∧ c′ = c)∨ ( ¬on ∧ ¬on′
∧ dϑi
dt = −0.1(ϑi − ϑo)
∧ dcdt = −0.05c
∧ (ϑ′
i ≥ 19 ∨ c′ ≥ 0.04) ∧ ϑ′
o = ϑo)∨ ( on ∧ on′
∧ dϑi
dt = 0.2 · 35− 0.3ϑi + 0.1ϑo
∧ dcdt = 0.01− 0.05c
∧ ϑ′
i ≤ 21 ∧ ϑ′
o = ϑo)
target =(c > 0.1)
Bounded Model Checking (BMC): Check satisfiability of SMT formula
Φk := init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85
The Basic Idea
1 Continuous flows, described by ODEs, define pre-post-constraintson continuous states:� Given an ODE dx
dt= f(x) and a (convex) invariant I ⊂ dom(x),
� [[dxdt
]] = {(f(0), f(t)) | f solution of dxdt
= f(x), ∀t′ ≤ t : f(t′) ∈ I}
2 Adding direct support for such “ODE constraints” in arithmeticconstraint solving facilitates BMC of continuous-time hybridsystems
[Eggers & Fränzle: ATVA’08; Ishii, Ueda, Hosobe, Goldsztejn: ADHS’09]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 33 / 85
odeSAT: Adding Forward and BackwardPropagation for ODE Constraints
0
1
2
3
4
5
0 1 2 3 4 5 0
1
2
3
4
5
0 1 2 3 4 5
time of interesthorizon
x(1)prebox
x(2)
postbox
backward propagationforward propagation
...yields a classical interval propagator!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 34 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
y < 30
y < 27
x2 ∈ [−5, 7]
x1 ∈ [10, 20]
x1 + x2 > y
y < x1 + x2 ≤ 27
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ ( y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28∨ a ) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ ( ¬a ∨dxdt
= 320 · (3− x))
a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a∨ dxdt
= 320 · (3− x) )
a ∈ { 1}, x1 ∈ [10, 20], x2 ∈ [3, 7] , y ∈ [0, 27]
−15
−10
−5
0
5
10
15
20
25
30
0 5 10 15 20 25 30 35 40 45
x2 ≥ −5
x2 ≥ 33
7
x2
y
x1
7
x2
x1
x2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
[Eggers, Fränzle, and Herde, 2008], [Ishii, Ueda, and Hosobe, 2011]
Satisfiability Modulo ODE
� Boolean-, real-, and integer-valued variables with boundeddomains
� Quantifier-free Boolean combination of� Simple bounds, e.g. x ≤ 3.2� Arithmetic constraints, e.g. z = sin(y)� Sufficiently smooth, time invariant ordinary differential equations
(ODEs), e.g.•
x= 2.4 · x− y2
� Bounded Model Checking (BMC) formula structure:Φ = init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]
� ODEs occur only in transition system
Goal: Find a satisfying valuation for Φ or prove its unsatisfiability.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 36 / 85
Solving SAT Modulo ODE Formulae
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 37 / 85
Satisfiability of SAT Modulo ODE Formulae
� Point-valued satisfaction: standard for arithmetic constraintsand simple bounds, e.g. point (x = 6, y = 3) satisfies x = 2y
� Definitionally-closed systems of ODEs, e.g.•
x= −y, •y= x satisfiedby valuation
((x1 = 1, y1 = 0), (x2 = 0, y2 = −1), delta_time = π/2) ,
with (x1, y1), (x2, y2) being successive BMC instances of (x, y) anddelta_time the duration of continuous flow:
−1
−0.5
0
0.5
1 y
−1 −0.5 0 0.5 1 1.5
x
(x1, y1)
(x2, y2)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 38 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
B
E
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
E’B’
B
E
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
E’B’
B
E
. . . and determine dwell-time interval delta_time.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Problem: Safely determine whether E is unreachable from B alonga trajectory satisfying the ODE and not leaving I.
Some approaches:
1 Interval-based safe numeric approximation of ODEs[Moore 1965, Lohner 1987, Stauning 1997]
(used in Hypertech [Henzinger, Horowitz, Majumdar,
Wong-Toi 2000])
2 CLP(F): a symbolic, constraint-based technology forreasoning about ODEs grounded in (in-)equationalconstraints obtained from Taylor expansions[Hickey, Wittenberg 2004]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 40 / 85
Towards SAT modulo ODE
Safe Enclosure Methods for ODEs
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 41 / 85
ODE Enclosure Problem
Given a system of (sufficiently-smooth, first order, time-invariant,Lipschitz-continuous) ordinary differential equations (ODEs), we wantto enclose all trajectories emerging from a set of starting points overa limited temporal horizon.
dx
dt(t) = f (x(t)) , x(0) ∈
[x1(0), x1(0)]...
[xn(0), xn(0)]
Safely enclose all x(t) over t ∈ [0, horizon].
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 42 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
ti t
x
startbox
flowbox
postbox
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Should also be tight!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Should also be tight! And efficient to compute!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0) (Euler’s Method)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
(Lagrange Remainder)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
︸ ︷︷ ︸
f(x(t0))
+h2
2!
d2x
dt2(t0)
︸ ︷︷ ︸dfdt
(x(t0))·f(x(t0))
+ . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh)
︸ ︷︷ ︸
unknown
, with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 46 / 85
Taylor Series
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
︸ ︷︷ ︸
f(x(t0))
+h2
2!
d2x
dt2(t0)
︸ ︷︷ ︸dfdt
(x(t0))·f(x(t0))
+ . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh)
︸ ︷︷ ︸
unknown
, with 0 < θ < 1
Can use interval arithmetic to evaluate f(x(t0)), etc.,whenever x(t0) is set-valued!
Automatic differentiation computes derivatives.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 46 / 85
Bounding Box
t
x
B
t0
for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))
t0 + h
x(t)
dxdt (t) = f (x(t))
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 47 / 85
Bounding Box
t
x
B
t0
for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))
t0 + h
x(t)
dxdt (t) = f (x(t))
If we only knew B...
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 47 / 85
Bounding Box [Lohner]
Given: Initial value problem:dxdt
= f(x), x(t0) = x0
Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])
and[B1] ⊆ [B0]
then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 48 / 85
Bounding Box [Lohner]
Given: Initial value problem:dxdt
= f(x), x(t0) = x0 may also be a box
Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])
and[B1] ⊆ [B0]
then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 48 / 85
Algorithm
To get an enclosure . . .
� Determine bounding box and stepsize
� Evaluate Taylor series up to desired order over startbox
� Evaluate remainder term over bounding box
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 49 / 85
Bounding Box
0 1
1.5
2
2.5
3
3.5
4
4.5
5
0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45
0.5
1
1.5
2
2.5
3
3.5
t
y
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 50 / 85
Algorithm
� Find bounding box with greedy algorithm
� Generate derivatives symbolically
� Simplify expressions to reduce alias effects on variables� Evaluate expressions with interval arithmetic
� Taylor series� Lagrange remainder
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 51 / 85
Example
dxdt
= −x + 3, dydt
= x, x0 = [2, 4], y0 = [1, 1]
x
y
t
01
23
45
2
2.5
3
3.5
4
0
2
4
6
8
10
12
14
16
18
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 52 / 85
Example II: Stable Oscillator
dxdt
= y, dydt
= −x, x0 = [10, 12], y0 = [−1, 0]
−30
−20
−10
0
10
20
30
40
50
0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
−40−30
−20−10 0
10 20
30 40
x
y
t
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 53 / 85
Wrapping Effect
dxdt
= y, dydt
= −x, x0 = [10, 12], y0 = [−1, 0]
8.5 9 9.5 10 10.5 11 11.5 12
0 0.1 0.2 0.3 0.4 0.5
−6
−5
−4
−3
−2
−1
0
tx
y
t0
t1
t2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 54 / 85
Fight Wrapping Effect
Lohner, Stauning, . . . : use coordinate transformation
x[a, b]
y
[c, d]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 55 / 85
Fight Wrapping Effect
Lohner, Stauning, . . . : use coordinate transformation
[r, s]
[t, u]
p
q
x[a, b]
y
[c, d]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 55 / 85
Stable Oscillator
dxdt
= y, dy
dt= −x, x0 = [10, 12], y0 = [−1, 0]
−15
−10
−5
0
5
10
15
−15 −10 −5 0 5 10 15x
y
t = 6.00748
t = 0.286473
t = 0.593339
t = 0.900205
t = 1.20707
t = 0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 56 / 85
Stable Oscillator
dxdt
= y, dy
dt= −x, x0 = [10, 12], y0 = [−1, 0]
−15
−10
−5
0
5
10
15
0 50
100 150
200
−15
−10
−5
0
5
10
15
t
xt = [0, 10]
t = [190, 200]
y
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 56 / 85
Damped Oscillator
dxdt
= y − 0.8 · x, dy
dt= −x + 0.3 · y, x0 = [10, 15], y0 = [−2, 1]
−25
−20
−15
−10
−5
0
5
10
15
0
0.5
1
1.5
2
2.5
3
3.5
−30
−20
−10
0
10
20
30
x
y
t
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 57 / 85
[Moore, 1966], [Lohner, 1988], [Stauning, 1997]
Taylor-Series-Based Enclosures: Summary
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0) (Euler’s Method)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
(Lagrange Remainder)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
x
y
� First, calculate rough a-priori enclosure (bounding box)
� Second, compute tighter enclosure with Taylor series and encloseremainder term over a-priori enclosure
� Use Automatic Differentiation to obtain Taylor terms
� Compute coordinate transformation to fight wrapping effect
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 58 / 85
Use in ICP: Tighten Target Box
−20−15
−10−5
0 5
10 15
0
2
4
6
8
10
12
14
−20
−15
−10
−5
0
5
10
15
y
xtinitial postbox
� Given target box (including phase space and time)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 59 / 85
Use in ICP: Tighten Target Box
−20−15
−10−5
0 5
10 15
0
2
4
6
8
10
12
14
−20
−15
−10
−5
0
5
10
15
tightened postbox and TOI
y
xtinitial postbox
� Given target box (including phase space and time)
� Intersect target box with enclosure
� Remove elements with empty intersection(narrows also time-window of interest)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 59 / 85
Backward Propagation
� Use temporally reversed ODEs
� Use start box as target box and do normal forward propagation
� Intersect resulting target box with original start box
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 60 / 85
Backward Propagation
� Use temporally reversed ODEs
� Use start box as target box and do normal forward propagation
� Intersect resulting target box with original start box
Fwd. and bwd. propagation do
� narrow the start box B and target box E — also iteratively!
� narrow the time window for both B and E,
� thus give fresh meat to constraint propagation along adjacent partsof the transition sequence!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 60 / 85
Summary: Taylor-Based Enclosure
� Taylor-based numerical method with error enclosure� Tightly integrated with non-linear arithmetic constraint solving:
� provides an interval contractor, just like ICP
E’B’
B
E
� temporally symmetric (fwd. and bwd. contraction), unlike traditionalimage computation
� refutes trajectory bundles based on partial knowledge
� First proof of concept had implemented in 2008.[Eggers, Fränzle, Herde, ATVA 2008]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 61 / 85
[Nedialkov and Jackson, 1999], [Nedialkov, Jackson, and Pryce, 2001], [Nedialkov, 2006]
Beyond Taylor Series: VNODE-LP
� Hermite-Obreschkoff method: generalization of Taylor series� VNODE-LP:
� Use High-Order Enclosure (HOE) to obtain a-priori enclosure ofODE
� Use Interval Taylor Series (ITS) with coordinate transformation andQR-method as predictor
� Use Interval Hermite-Obreschkoff (IHO) method as corrector
� IHO allows larger stepsize than ITS (ITS becomes numericallyunstable for smaller stepsizes than IHO)
� Local error for nonlinear ODEs much lower for IHO than for ITS
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 62 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between
determined by VNODE−LP
enclosures at (very tight) time intervals
... up to a given horizon
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between
a−priori enclosures determined by VNODE−LP
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between� iSAT-ODE layer: re-evaluate extreme parts of enclosure with
refined stepsize for tighter result → expensive
selectively tightenedboxes
boxes that finally
intersect with the
postbox
given postbox
a−priori enclosures
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
Bracketing Systems: Rationale
� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains
� Point-wise (or small interval) reasoning thus preferable, if applicable
� A natural idea is to follow extremal trajectories:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 64 / 85
Bracketing Systems: Rationale
� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains
� Point-wise (or small interval) reasoning thus preferable, if applicable
� A natural idea is to follow extremal trajectories:
� Problem 1: Number of spanning nodes exponential in systemdimension.
� Problem 2: Reachable set need not be spanned by trajectoriesoriginating in extremal points.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 64 / 85
[Müller, 1927]
Bracketing Systems: Essence of Müller’s Theorem
Bounding
box
xx− x+
y−
y
y+
dxdt = f (x, y)
dydt = g(x, y)
If, e.g., f monotonic in x, antitonic in y within bounding box,g monotonic in x and y within bounding box
then [x−(t), x+(t)]× [y−(t), y+(t)] yields an enclosure for(x(t), y(t)) if x−, . . . , y+ are solutions to
dx−
dt= f(x−, y+) dy−
dt= g(x−, y−)
dx+
dt= f(x+, y−) dy+
dt= f(x+, y+)
with IVs x−(0) ≤ x(0) ≤ x+(0), y−(0) ≤ y(0) ≤ y+(0).
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 65 / 85
[Ramdani, Meslem, and Candau, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Bracketing Systems
� Direct VNODE-LP enclosures may diverge quickly for large initialdomains
� Evaluate signs of partial derivatives of ODE’s right-hand side overcurrent enclosure
� If all relevant entries each strictly positive / negative, proceed
� Using Müller’s theorem, generate a bracketing system: replaceoriginal variables by upper and lower bracketing variablesdepending on signs in Jacobian [Müller, 1927]
� Enclose bracketing system using VNODE-LP: twice thedimensionality but point-valued initial conditions
� Re-evaluate Jacobian, check validity of signs (a-posteriorivalidation)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 66 / 85
Comparison: Direct vs. Bracketing
denselower bracketing a prioriupper bracketing a priori
direct a prioridirect enclosure
lower bracketing enclosureupper bracketing enclosure
−3
−2
−1
0
1
2
0 2 4 6 8 10 12
x dimension of•
x = −p4x−p1x
1 + p2y+ p3y + 0.1
•
y = p4x− p3y
x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p1 ∈ [0.8, 1], p2 ∈ [1.0, 1.2], p3 ∈ [0.3, 0.5],
and p4 ∈ [0.20, 0.25].Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 67 / 85
[Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Comparison: Direct vs. Bracketing
denselower bracketing a prioriupper bracketing a priori
direct a prioridirect enclosure
lower bracketing enclosureupper bracketing enclosure
−30
−20
−10
0
10
20
30
0 2 4 6 8 10 12
x dimension of•
x= y,•
y= −x,x(0), y(0) ∈ [1, 2].
� Complementary strengths
⇒ iSAT-ODE: Intersect both enclosures for tighter result.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 68 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Learning ODE Deductions
� ODE enclosures very expensive compared to simple intervalconstraint propagations
� Preserve once-learnt facts from deletion during backjumps (similarto learning conflict clauses [Marques-Silva and Sakallah, 1996])
� Learn deduced facts for all isomorphic instances (constraintsreplication [Shtrichman, 2000])
� Two main ingredients:� iSAT core: learn new clauses during search (multiple at once, not
necessarily conflicts, potentially introducing new variables to safelyrepresent constants)
� ODE layer: recognize enclosure requests that have already beenanswered (or can be subsumed under previously answered requests)
� Additionally: store limited number of VNODE’s intermediateresults for reuse, when partial request is detected (e.g. compatibleinitial box but tighter delta_time range)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 69 / 85
SAT Modulo ODE
Solving the Case Study
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 70 / 85
Hybrid Systems – Example: Plant & Controller
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Does this system work as specified?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 71 / 85
Predicative Encoding
−− A robot that is being given a target location to which it shall move.
DECLdefine MAX_TIME = 100; −− Maximum global time.define MAX_STEP = 2; −− Maximum duration.float [0, MAX_TIME] time; −− Global time.float [0, MAX_STEP] delta_time; −− Step duration.float [−100, 100] x; −− Position, x coordinate .float [−100, 100] y; −− Position, y coordinate .float [−100, 100] delta_x; −− Position change by flow, x coordinate .float [−100, 100] delta_y; −− Position change by flow, y coordinate .float [−8, 8] alpha; −− Direction.float [−1, 1] omega; −− Angular velocity.float [−0.1, 0.1] omega_set; −− Angular velocity set point.float [−10, 10] v; −− Velocity.float [0, 0.4] v_set; −− Velocity set point .define P_v = 3; −− Proportional gain in analog velocity control .define P_omega = 1.6; −− Proportional gain in analog angular velocity ctrl .
define PI_LB = 3.141592; −− Lower bound for PI.define PI_UB = 3.141593; −− Upper bound for PI.
define PI_UB_HALF = 1.5708; −− Upper bound for 0.5 ∗ PI.
float [−100, 100] x_target; −− Position of target , x coordinate .float [−100, 100] y_target; −− Position of target , y coordinate .float [0, 142] distance ; −− Distance to target.float [−100, 100] dx; −− Distance to target, x component.float [−100, 100] dy; −− Distance to target, y component.float [−1, 1] tmp_quot_dy_dist; −− Quotient dy / distance.−− Reduce nondeterminism in model by enforcing that alpha cannot be less and−− more than alpha_target at the same time and distance must be in one−− category (−−0.1−−−0.5−−−5−−).boole alpha_leq_alpha_target;boole alpha_geq_alpha_target;boole distance_geq_5;boole distance_geq_05;boole distance_geq_01;
−− Result of asin(tmp_quot_dy_dist) is limited to standard branch used by−− ctrl’s asin implementation.float [−PI_UB_HALF, PI_UB_HALF] alpha_target_tmp;
float [−8, 8] alpha_target; −− Direction to target .define CTRL_PI = 3.1415927; −− PI constant used by controller.−− Note that the real controller will be using such a fixed constant , i .e.−− here it is not necessary to safely enclose PI by an interval when the−− same calculations are performed as done by the controller (which we−− assume here).
boole flow ;
INITtime = 0;x = 0;y = 0;alpha = 0;omega = 0;v = 0;
−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;
−− Initial Controller run.dy = y_target − y;dx = x_target − x;distance = nrt(dx^2 + dy^2, 2);−− tmp_quot_dy_dist = dy / distance.distance ∗ tmp_quot_dy_dist = dy;sin (alpha_target_tmp) = tmp_quot_dy_dist;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist >= −1 and tmp_quot_dy_dist <= −0.64)−> ( alpha_target_tmp >= 3 ∗ (tmp_quot_dy_dist + 0.5) − 0.3
and alpha_target_tmp <= 2.29 ∗ tmp_quot_dy_dist + 0.991);(tmp_quot_dy_dist >= −0.64 and tmp_quot_dy_dist <= 0.64)−> ( alpha_target_tmp >= tmp_quot_dy_dist
+ 0.16 ∗ (tmp_quot_dy_dist^3) − 0.05and alpha_target_tmp <= tmp_quot_dy_dist
+ 0.16 ∗ (tmp_quot_dy_dist^3) + 0.05);(tmp_quot_dy_dist >= 0.64 and tmp_quot_dy_dist <= 1)−> ( alpha_target_tmp >= 2.29 ∗ tmp_quot_dy_dist − 1
and alpha_target_tmp <= 3 ∗ (tmp_quot_dy_dist + 0.5) − 2.65);alpha_target_tmp >= −1.570797;alpha_target_tmp <= 1.570797;−− End of redundant encoding for asin.
dx >= 0 −> alpha_target = alpha_target_tmp;dx < 0 −> alpha_target = CTRL_PI − alpha_target_tmp;
alpha_leq_alpha_target <−> alpha <= alpha_target;alpha_geq_alpha_target <−> alpha >= alpha_target;
alpha_leq_alpha_target and !alpha_geq_alpha_target −> omega_set = 0.1;!alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = −0.1;alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = 0;
distance_geq_5 <−> distance >= 5;distance_geq_05 <−> distance >= 0.5;distance_geq_01 <−> distance >= 0.1;
distance_geq_5 −> v_set = 0.4;distance_geq_05 and !distance_geq_5 −> v_set = 0.2;distance_geq_01 and !distance_geq_05 −> v_set = 0.1;!distance_geq_01 −> v_set = 0;
flow ;TRANS
!flow ’ <−> flow;time ’ = time + delta_time;
−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);
flow −> delta_time = 2;
−− Target stays constant.x_target’ = x_target;y_target’ = y_target;
!flow −> delta_time = 0;!flow −> x’ = x
and y’ = yand alpha’ = alphaand v’ = vand omega’ = omega;
−− Controller calculates the current direction to target location at every−− step.dy’ = y_target’ − y’;dx’ = x_target’ − x’;
distance ’ = nrt(dx’^2 + dy’^2, 2);−− tmp_quot_dy_dist’ = dy’ / distance’.distance ’ ∗ tmp_quot_dy_dist’ = dy’;sin (alpha_target_tmp’) = tmp_quot_dy_dist’;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist’ >= −1 and tmp_quot_dy_dist’ <= −0.64)−> ( alpha_target_tmp’ >= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 0.3
and alpha_target_tmp’ <= 2.29 ∗ tmp_quot_dy_dist’ + 0.991);(tmp_quot_dy_dist’ >= −0.64 and tmp_quot_dy_dist’ <= 0.64)−> ( alpha_target_tmp’ >= tmp_quot_dy_dist’
+ 0.16 ∗ (tmp_quot_dy_dist’^3) − 0.05and alpha_target_tmp’ <= tmp_quot_dy_dist’
+ 0.16 ∗ (tmp_quot_dy_dist’^3) + 0.05);(tmp_quot_dy_dist’ >= 0.64 and tmp_quot_dy_dist’ <= 1)−> ( alpha_target_tmp’ >= 2.29 ∗ tmp_quot_dy_dist’ − 1
and alpha_target_tmp’ <= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 2.65);alpha_target_tmp’ >= −1.570797;alpha_target_tmp’ <= 1.570797;−− End of redundant encoding for asin.
dx’ >= 0 −> alpha_target’ = alpha_target_tmp’;dx’ < 0 −> alpha_target’ = CTRL_PI − alpha_target_tmp’;
−− The discrete controller can set new omega_set and new v_set every step.−− Would need to adjust this if BMC steps and controller steps became−− seperated.alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;
! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’−> omega_set’ = 0.1;
!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = −0.1;
!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = 0;
distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;
!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;
TARGETdistance > 0.1;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 72 / 85
Predicative Encoding – Continuous Dynamics
omega
5
v
4
alpha
3
y
2
x
1
cos
sin
P_v
3
P_omega
1.6
1
s
1
s
1
s 1
s
1
s
v_set
2
robot motioncontinuous−time
proportional control
omega_set
1
alpha
vx
vy
xx
yyv
omega
•
ω
•
v= a
time ’ = time + delta_time;
−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);
flow −> delta_time = 2;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 73 / 85
Predicative Encoding – Discrete Controller
all
rotation1
m0
speed 2
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;
! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’ −> omega_set’ = 0.1;!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = −0.1;!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = 0;
distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;
!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 74 / 85
Predicative Encoding – Proof Obligation
E.g., looking for a target position that cannot be reached within given
number of steps:
INIT...−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;
...
TARGETdistance > 0.1;
Note: Target position not determined!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 75 / 85
Candidate Solution Box from iSAT-ODE
Extracting (x, y)-trace from candidate solution box.
0
0.5
1
1.5
2
2.5
3
0 1 2 3 4 5 6 7 8
’robot_motion_14.hys_out_prabs1e−6_k42_wilkinson_defs_plot_0.plot_data’
x
y
BMC unwinding depth 42, runtime 2966 s (2.4 GHz AMD Opteron)
Valuation forxtarget : (6.6888899, 6.68907593]ytarget : [1.53229439, 1.53235116)
Robot reaches target but moves on.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 76 / 85
Candidate Solution from iSAT-ODE – Distance
y distance dx dy
0
2
4
6
8
0 10 20 30 40
x
distance_geq_01
distance_geq_05
distance_geq_5
alpha_leq_alpha_target
alpha_geq_alpha_target
0 10 20 30 40
BMC Steps
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 77 / 85
Candidate Solution from iSAT-ODE – Velocityv v_set
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 10 20 30 40
v 6= 0!
� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]
in step 32� Robot passes nearby target location but not close enough to
enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0
� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85
Candidate Solution from iSAT-ODE – Resultv v_set
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 10 20 30 40
v 6= 0!
� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]
in step 32 −→ P-controller might be too weak� Robot passes nearby target location but not close enough to
enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0−→ Should keep target speed at 0
� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85
Simulated Error Trajectory for Candidate Solution
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 79 / 85
Simulated Error Trajectory – Continued
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 80 / 85
Conclusion
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 81 / 85
Conclusion
Problem: Direct handling of constraints involving arbitraryBoolean combinations of
� literals,� linear, polynomial, and transcendental (in-)equations
over the reals,� (potentially non-linear) ODE constraints interpreted
as pre-post-relations,
as arising in predicative encodings of analysis problemsof non-linear hybrid systems.
Approach: Build a tight integration of
� conflict-driven clause learning (CDCL) SAT solving,� interval constraint propagation,� interval-based enclosures of sets of inital-value
problems wrt. an ODE.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 82 / 85
Related Approaches I
� Hybridization techniques allowing nonlinear ODEs to be handledby linear ODE methods or even by methods covering piecewiseconstant ODE only, e.g. LinSAT(cf., e.g., [Asarin, Dang, and Girard, 2007])
� Constraint Logic Programming(Functions) CLP(F)[Hickey and Wittenberg, 2004]
� Arithmetic and analytic relations between real and function variables� Function-type variables constrained by derivative constraints� Derivative constraints solved by interval constraint propagation
exploiting overapproximating Taylor series� But: not fighting the wrapping effect⇒ Excessive growth of enclosures
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 83 / 85
Related Approaches II
� ODE enclosures embedded into Constraint ProgrammingFramework [Goldsztejn, Mullier, Eveillard, and Hosobe, 2010]
� Branch and prune algorithm for conjunctive systems� Interval Newton for pruning and existence proofs� Using CAPD library (“optimized for small initial conditions”)⇒ “very sharp enclosures of solutions, but poorer performances for
exploring large domains”
� hydlogic: Classic SMT with VNODE-LP and Interval Newton[Ishii, Ueda, and Hosobe, 2011]
� SAT solver enumerating abstract trajectories� Constraint Solving (Elisa + VNODE-LP)� Learning� Interval Newton to prove existence of trajectories⇒ Different approach using classical DPLL(T) integration scheme
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 84 / 85
Thanks
� to Andreas Eggers, Nacim Ramdani, and Ned Nedialkov for thejoint development of iSAT(ODE),
� to the many collaborators in the development of iSAT, in particular� C. Herde, T. Teige (both Oldenburg),
S. Kupferschmid, K Scheibler, T. Schubert, B. Becker (Freiburg),S. Ratschan (Prague)
within the� DFG-funded Transregional Research Center 14 “AVACS”
(Automatic Analysis and Verification of Complex Systems)
� and to Andreas Eggers, Christian Herde, and Tino Teige forcontributing many slides.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 85 / 85