Want to impress your boy friend / girl friend? SAT Modulo Ordinary Diﬀerential Equations · 2012....

SAT Modulo Ordinary Differential EquationsAn Analysis Method for Hybrid Systems

Martin Fränzle1

with slides, LATEX souce, etc., by

Andreas Eggers1 · Christian Herde1

Nacim Ramdani2 · Nedialko S. Nedialkov3

SFB/TR 14 AVACS

1 Carl von Ossietzky Universität · Oldenburg, Germany2 Université d’Orléans · PRISME · Bourges, France3 McMaster University · Hamilton, Ontario, Canada

Want to impress your boy friend / girl friend?

[YouTube video]

Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 2 / 85

Want to impress your boy friend / girl friend?

[www.popsci.com]

That’s why we build hybrid systems!


What is a hybrid system?



Hybrid (from Greece) means arrogant,presumptuous.

After H. Menge: Griechisch/Deutsch,Langenscheidt 1984



Hybrid (from Greece) means arrogant,presumptuous.

After H. Menge: Griechisch/Deutsch,Langenscheidt 1984

Hybrid stems from Latin hybrida ’off-spring of a tame sow and wild boar,child of a freeman and slave, etc.’

From the Compact Oxford EnglishDictionary, 2008


Hybrid Systems

Plant

ControlAnalogswitch

Continuouscontrollers

D/A

Discretesupervisor

A/D

Plant

observablestate

environmental

influence

disturbances ("noise")

control

selection

setpoints

active control law

setpointspart ofobservablestate

task selection


Hybrid Systems

Loads of

continuous

computations

interleaved

with discrete

decisions

Plant

ControlAnalogswitch

Continuouscontrollers

D/A

Discretesupervisor

A/D

Plant

observablestate

environmental

influence

disturbances ("noise")

control

selection

setpoints

active control law

setpointspart ofobservablestate

task selection


Hybrid systems

are ensembles of interacting discrete and continuous subsystems:� Technical systems:

� physical plant + multi-modal control� physical plant + embedded digital system� mixed-signal circuits� multi-objective scheduling problems (computers / distrib. energy

management / traffic management / ...)

� Biological systems:� Delta-Notch signaling in cell differentiation� Blood clotting� ...

� Economy:� cash/good flows + decisions� ...

� Medicine/health/epidemiology:� infectious diseases + vaccination strategies� ...


Hybrid Systems

The Formal Model


A Formal Model: Hybrid Automata

ball is moving down

ball is moving up

vertical position of the ball

velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0

y < 0

y > 0

x :

y :



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0



ball is moving down

ball is moving up


velocity

−10

0

−20

10

0 5 10 15 20

20

y

x

y < 0

y > 0

x :

y :

•x= y

x ≥ 0

•y= −9.81

x = 0.0 ∧ y ≤ 0.0 /y′ = −0.8 · y

x = 20.0 ∧ y = 0.0


State and Dimension Explosion

Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...

Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...

Size-dependent dynamics� Latency in ctrl. loop depends on number

of cars due to communication subsystem.� Coupled dynamics yields long hidden

channels chaining signal transducers.


State and Dimension Explosion

Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...

Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...

Size-dependent dynamics� Latency in ctrl. loop depends on number

of cars due to communication subsystem.� Coupled dynamics yields long hidden

channels chaining signal transducers.

⇒ Need a scalable approach⇒ Let’s try to achieve this through SAT/SMT-based methods.


Hybrid Control — A Case Study

!!

!!

!!

α

(x, y)

vsatellite position

target position

ω =•

α



omega

5

v

4

alpha

3

y

2

x

1

cos

sin

P_v

3

P_omega

1.6

1

s

1

s

1

s 1

s

1

s

v_set

2

robot motioncontinuous−time

proportional control

omega_set

1

alpha

vx

vy

xx

yyv

omega

•

ω

•

v= a



alpha_target

3

v

2

omega

1

controller

alpha

alpha_target

dist_to_target

omega

v

pi

asin

>= 0

Sqrt

u

u2

u2

y_target

6

x_target

5

ypos

4

xpos

3

alpha

2

trigger1

distance

time−triggered controller

alpha_target

−1 −0.5 0 0.5 1−1.5

−1

−0.5

0

0.5

1

1.5

asin(x)

(x, y)

α′T

(xT , yT )

α′T

π − α′T

α′T = sin−1( yT−y√

(xT−x)2+(yT−y)2)

dista

nce



all

rotation1

m0

speed 2

m1

[alpha > alpha_target] / omega = − 0.1;2

[alpha == alpha_target] / omega = 0;

3

[alpha < alpha_target] / omega = 0.1;

1


2

[alpha > alpha_target] / omega = − 0.1;

1

/v=0.4;

[dist_to_target < 0.1] / v = 0;

3

[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;

1

[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;

2



all

rotation1

m0

speed

m1



3


1


2


1

/v=0.4;

[dist_to_target > 0.5 && dist_to_target <

1

[dist_to_target >



1 speed 2

m1

0.1;


/v=0.4;


3


1


2



plant_dynamics

omega_set

v_set

x

y

alpha

v

omega

every_two_time_units

controller

trigger

alpha

xpos

ypos

x_target

y_target

omega

v

alpha_target

3

−5



plant_dynamics

omega_set

v_set

x

y

alpha

v

omega


controller

trigger

alpha

xpos

ypos

x_target

y_target

omega

v

alpha_target

3

−5

continuous controller + plant dynamics

nonlinear computations

parallel composition

bang−bang control

time−triggered controller invocation

uncountably infinitely many target positions



plant_dynamics

omega_set

v_set

x

y

alpha

v

omega


controller

trigger

alpha

xpos

ypos

x_target

y_target

omega

v

alpha_target

3

−5




bang−bang control



Does this system work as specified?


Simulated Trajectory Reaching Target


Multiple Simulated Trajectories Reaching Targets


CDCL + Interval Constraint Propagation

An engine for Bounded Model Checkingof non-linear discrete-time HA


Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (1)

Given:

Delay

in on

xn+1xn

xn+1 = f(xn, in)on = g(xn, in)

Nonlinear discrete-time hybriddynamical system

x — state vectori — input vectoro — output vectorf — next-state functiong — output function

f, g potentially nonlinear.

Goal:

Check whether some unsafe state is reachable within k steps of thesystem


Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (2)

Method:� Construct formula that is satisfiable if error trace of length k exists

� Formula is a k–fold unrolling of the transition relation, concatenated witha characterization of the initial state(s) and the (unsafe) state to bereached

i0 i1 i2o0 o1 o2

x1 = f(x0, i0)o0 = g(x0, i0)

x2 = f(x1, i1)o1 = g(x1, i1)

x3 = f(x2, i2)o2 = g(x2, i2)

x0 x3x1 x2

I(x0) P (x3)

� Use appropriate procedure to “decide” satisfiability of the formula

Needed:

Solvers for large, non-linear arithmetic formulae with a rich Booleanstructure


Bounded Model Checking with HySAT / iSAT

HySAT

There’s no sequence of

input values such that

3.14 ≤ x ≤ 3.15

Safety property:

DECL

boole b;

float [0.0, 1000.0] x;

INIT

– Characterization of initial state.

x = 2.0;

TRANS

– Transition relation.

b -> x’ = xˆ2 + 1;!b -> x’ = nrt(x, 3);

TARGET

– State(s) to be reached.

x >= 3.14 and x

The Task

Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape

(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .∧ (dx

dt= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)

∧ . . .


The Task

Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape

(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .∧ (dx

dt= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)

∧ . . .

Most conventional solvers� do either address much smaller fragments of arithmetic

� decidable theories: no transcendental fct.s, no ODEs

� or tackle only small formulae� some dozens of Boolean connectives.


Interval Arithmetic

� an ancient mathematical technique, already used by Archimedes,

� systematized by Rosalind Cecily Young in the 1930s [Young, 1931]

� brought to computing by Paul Dwyer [ Dwaer, 1951], MieczyslawWarmus [Warmus, 1956, Teruo Sunaga [Sunaga, 1958], and RamonE. Moore [Moore, 1966] in the 1950s

� is an approach to putting safe bounds on computational results,irrespective of� rounding errors during computations,� inaccuracies in measurements of entities entering the computation,� uncertain parameters.

� when applied to an expression over the reals, it yields a set-valuedresult, namely an interval over the reals, which is guaranteed tocontain the exact value of the expression.

� can be used for efficiently computing a safe overapproximation (i.e.,a superset) of the image f(X) of a set X ⊆ Rn under a functionf : Rn → R


Interval Arithmetic

For non-empty argument intervals [a, b] ∈ II \ {∅} and [c, d] ∈ II \ {∅}, define

[a, b]⊢⊣

+ [c, d] = [a←

+ c, b→

+ d]

[a, b]⊢⊣

− [c, d] = [a←

− d, b→

− c]

[a, b]⊢⊣· [c, d] = [min(a

←· c, a

←· d, b

←· c, b

←· d),max(a

→· c, a

→· d, b

→· c, b

→· d)]

⊢⊣

sin [a, b] =

[min(←

sin a,←

sin b),max(→

sin a,→

sin b)] iff (2n + 12)π 6∈ [a, b] and

(2m− 12)π 6∈ [a, b],

[min(←

sin a,←

sin b), 1], iff (2n + 12)π ∈ [a, b] but

(2m− 12)π 6∈ [a, b],

[−1,max(→

sin a,→

sin b), 1], iff (2n + 12)π 6∈ [a, b] but

(2m− 12)π ∈ [a, b],

[−1, 1] iff (2n + 12)π ∈ [a, b] and

(2m− 12)π ∈ [a, b]

for any n,m ∈ Z.

where

�←· and →· denote rounding down/up to computational reals,

� II denotes the set of intervals with representable bounds.


Interval Arithmetic: Example

� Assume fixed-point arithmetic with just 1 bit fractional part:representable numbers are of the form k

2for k ∈ Z

� Given x1 = [0, 0.5] and x2 = [0.5, 1], IA computes

x1⊢⊣

− x1⊢⊣

+ x2⊢⊣· x2 = ([0, 0.5]

⊢⊣

− [0, 0.5])⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [0←

− 0.5, 0.5→

− 0]⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [−0.5, 0.5]⊢⊣

+ ([0.5, 1]⊢⊣· [0.5, 1])

= [−0.5, 0.5]⊢⊣

+ [min(0.5←· 0.5, 0.5

←· 1, 1

←· 0.5, 1

←· 1),

max(0.5→· 0.5, 0.5

→· 1, 1

→· 0.5, 1

→· 1)]

= [−0.5, 0.5]⊢⊣

+ [min(0, 0.5, 0.5, 1),max(0.5, 0.5, 0.5, 1)]

= [−0.5, 0.5]⊢⊣

+ [0, 1]

= [−0.5←

+ 0, 0.5→

+ 1]

= [−0.5, 1.5]

⇒ the computed interval [−0.5, 1.5] covers the set of values{x1 − x1 + x2 · x2 | x1 ∈ [0, 0.5], x2 ∈ [0.5, 1]} = [0.25, 1],yet not tightly so. −→ rounding + dependency problem of IA


Interval Constraint Propagation (1) [Cleary, 1986]� Complex constraints are rewritten to “triplets” (primitive constraints):

x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6



x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6� “Forward” interval propagation yields justification for constraint

satisfaction:

x ∈ [−2, 2]∧ y ∈ [−2, 2]

2

6

y

≤

+

∧

x

[−2, 2]

[0, 4]

[−2, 6]

[−2, 2]

h2

h1

satisfied in box

h2 ≤ 6 is

⇓



x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6� Interval propagation (fwd & bwd) yields witness for unsatisfiability:

2

6

y

≤

+

∧

x

[3, 4]

[9, 16]

[9, 19]

[0, 3]

h2

h1

unsat. in box

h2 ≤ 6 is

⇓

x ∈ [3, 4]∧ y ∈ [0, 3]



x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y

∧ h2 ≤ 6� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction of

box:

2

6

y

≤

+

∧

x

[−10, 10]

[0, 100]

[−10, 110]

[−10, 10]

h2

h1

∧ y ∈ [−10, 10]x ∈ [−10, 10]



x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y


box:

2

6

y

≤

+

∧

x

[−4, 4]

[0, 16]

[−10, 6]

[−10, 6]

h2

h1

⇓

∧ y ∈ [−10, 10]x ∈ [−10, 10]

∧ y ∈ [−10, 6]x ∈ [−4, 4]



x2 + y ≤ 6 c1 : h1 =̂x

∧ 2c2 : ∧ h2 =̂h1 + y


box:

Constraint is not satisfied

by the contracted box!

2

6

y

≤

+

∧

x

[−4, 4]

[0, 16] [−10, 6]

h2

h1

∧ y ∈ [−10, 6]x ∈ [−4, 4]

[−10, 22]

(details & alternatives: see Benhamou in Handbook of Constraint Progr.)


y ∈ [0, 9]

y ∈ [0, 6]

y ∈ [−100, 100]

x ∈ [−100, 100]

x ∈ [−2.3, 2.3]

y ∈ [0, 100]

y ∈ [0, 20]

y ∈ [0, 5]

y ∈ [0, 4.6]

y ≤ 2·x

y = x2

x ∈ [−√

5,√

5]

x ∈ [−√

6,√

6]

x ∈ [−2.5, 2.5]

x ∈ [−4.5, 4.5]

x ∈ [−√

20,√

20]

x ∈ [−3, 3]

x ∈ [−10, 10]


Incompleteness of Interval Contraction

Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.

Thus, interval contraction provides a highly incomplete deductionsystem:

x ∈ [0,∞)∧ h =̂x · y∧ h > 5

=⇒ x ∈ (0,∞)∧ y ∈ (0,∞) =⇒ h ∈ (0,∞) 6=⇒ h > 5


Incompleteness of Interval Contraction

Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.

Thus, interval contraction provides a highly incomplete deductionsystem:

x ∈ [0,∞)∧ h =̂x · y∧ h > 5

=⇒ x ∈ (0,∞)∧ y ∈ (0,∞) =⇒ h ∈ (0,∞) 6=⇒ h > 5

enhance through branch-and-prune approach.


iSAT: Non-linear Arithmetic Constraint Solving

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :rewrite input formula into a conjunction of constraints:

⊲ n-ary disjunctions of bounds⊲ arithmetic constraints having at most one operation symbol

• Boolean variables are regarded as 0-1 integer variables.Allows identification of literals with bounds on Booleans:

≡ b ≥ 1b¬b ≡ b ≤ 0

• Float variables h1, h2, h3 are used for decompositionof complex constraint x2 − 2y ≥ 6.2.

• Use Tseitin-style (i.e. definitional) transformation to



a ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 : DL 1:



c2

c3

c1a ≥ 1

b ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

c ≥ 1 d ≥ 1

d ≤ 0

DL 1:

DL 2:



c3

c2

c1

b ≥ 1

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

d ≥ 1

d ≤ 0

c ≥ 1

a ≥ 1DL 1:

DL 2:



c9 c2 c4a ≥ 1 c ≤ 0 b ≤ 0 x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

DL 1:



c9 c2 c4

c7

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

DL 1:

DL 2: h2 ≤ −8



c9 c2 c4

c7

c8

c6

c5

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≤ 3 h3 ≥ 6.2

h1 ≤ 9

h2 ≥ −2.8

x ≥ −2

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

∧ (¬a ∨ ¬c)c9 :

DL 1:

DL 2: h2 ≤ −8

DL 3:



c9 c2 c4

c7

c8

c6

c5

a ≥ 1 c ≤ 0 b ≤ 0

y ≥ 4

x ≤ 3 h3 ≥ 6.2

h1 ≤ 9

h2 ≥ −2.8

x ≥ −2

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :∧ (¬a ∨ ¬c)c9 :

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

← conflict clause = symbolic description

of a rectangular region of the search space

which is excluded from future search

DL 1:

DL 2: h2 ≤ −8

DL 3:



c9 c2 c4

c7

c6c10

a ≥ 1 c ≤ 0 b ≤ 0

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h3 = h1 + h2∧c8 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

x > 3

h2 ≤ −8

h1 > 9

DL 1:

DL 2:



c9 c2 c4

c7

c6c10

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

x > 3

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

DL 1:

DL 2:

• Continue do split and deduce until either

⊲ solver is left with ‘sufficiently small’ portion of the

search space for which it cannot derive any contradiction

⊲ formula turns out to be UNSAT (unresolvable conflict)



c9 c2 c4

c7

c6c10

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

x > 3

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

DL 1:

DL 2:





Results can be verified by sorting to “single assignment form”.



c9 c2 c4

c7

c6c10

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

x > 3

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

DL 1:

DL 2:





Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.

[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]



c9 c2 c4

c7

c6c10

a ≥ 1 c ≤ 0 b ≤ 0

(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :

∧ (b ∨ x ≥ −2)c4 :

∧ (¬c ∨ ¬d)c3 :

∧ (¬a ∨ ¬b ∨ c)c2 :

(¬a ∨ ¬c ∨ d)c1 :

y ≥ 4

x ≥ −2

x > 3

h2 ≤ −8

h1 > 9

∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :

∧ (¬a ∨ ¬c)c9 :

h2 = −2 · y∧c7 :

h1 = x2∧c6 :

h3 = h1 + h2c8 : ∧

DL 1:

DL 2:





Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.

[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]

A DPLL(T)-based alternative, including LP solving, has beenimplemented by Gao et al.

[Gao, Ganai, Ivancic, Gupta, Sankaranarayanan, Clarke: FMCAD 2010]Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85

The Impact of Learning: Runtime

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

0.001

0.01

0.1

1

10

100

1000

10000

100000

0.001 0.01 0.1 1 10 100 1000

with

ou

t le

arn

ing

[s]

with learning [s]

> 1:1

> 10:1

> 100:1

> 1k:1

> 10k:1

> 100k:1

> 1m:1

> 10m:1

time out

Examples:BMC of� platoon control� bouncing ball� gingerbread map� oscillatory logistic map

Intersection of geometricbodies

Size:Up to 2400 variables,≫ 103 Boolean connec-tives.

[2.5 GHz AMD Opteron, 4 GByte physical memory, Linux]


CDCL + ICP + Numeric ODE Enclosure

An engine for Bounded Model Checkingof non-linear continuous-time HA


[Alur, Courcoubetis, Henzinger, and Ho, 1993]

Hybrid Automata – Semantics

height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v

A = (Vars,Modes, Init, Flow, Jump)

Init = {(m, Initm) | m ∈ Modes}

Flow = {(m,ODEm, Invarm) | m ∈ Modes}

Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}

Valuation σ : Vars→ R

Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init

〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow

〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump




!!!!!!

!!!!!!!!!

!!!!!!!!!!!!!!!!!!

height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v






Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init


〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump




height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v






Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init


〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump




height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v






Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init


〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump




height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v






Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init


〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump




height x

velocity v

time

time

x ≥ 0

•

v= −9.81

•

x= v

x = 0

x = 10, v = 0

/v′ := −v






Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .

where

〈m0, σ0〉 |= Init


〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump


[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]

Bounded Model Checking

ϑi ≤ 21

Heat off

Heat on

dϑi / d t = −0.1 · (ϑi − ϑo)

ϑi ≥ 19 ∨ c ≥ 0.04

d c / d t = −0.05 · c

d c / d t = 0.01− 0.05 · c

ϑi ≤ 19

c ≤ 0.04

ϑi ∈ [19, 25]

ϑi ∈ [15, 21]

c = 0

c = 0

ϑi ≥ 21

dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)

Bounded Model Checking (BMC):

Are there any trajectories leading from an inital to an unsafe state in k steps?


[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]

Bounded Model Checking and Constraint Solving

ϑi ≤ 21

Heat off

Heat on

dϑi / d t = −0.1 · (ϑi − ϑo)

ϑi ≥ 19 ∨ c ≥ 0.04

d c / d t = −0.05 · c

d c / d t = 0.01− 0.05 · c

ϑi ≤ 19

c ≤ 0.04

ϑi ∈ [19, 25]

ϑi ∈ [15, 21]

c = 0

c = 0

ϑi ≥ 21

dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)

init =−10 ≤ ϑo ≤ 20 ∧ c = 0

∧

(19 ≤ ϑi ≤ 25 ∧ ¬on

∨ 15 ≤ ϑi ≤ 21 ∧ on

)

trans =( ¬on ∧ on′ ∧ ϑi ≤ 19 ∧ c ≤ 0.04∧ ϑ′i = ϑi ∧ ϑ

′

o = ϑo ∧ c′ = c)

∨ ( on ∧ ¬on′ ∧ ϑi ≥ 21∧ ϑ′i = ϑi ∧ ϑ

′

o = ϑo ∧ c′ = c)

∨ ( ¬on ∧ ¬on′

∧ dϑidt = −0.1(ϑi − ϑo)

∧ dcdt = −0.05c∧ (ϑ′i ≥ 19 ∨ c

′ ≥ 0.04) ∧ ϑ′o = ϑo)∨ ( on ∧ on′

∧ dϑidt = 0.2 · 35− 0.3ϑi + 0.1ϑo∧ dcdt = 0.01− 0.05c∧ ϑ′i ≤ 21 ∧ ϑ

′

o = ϑo)

target =(c > 0.1)

Bounded Model Checking (BMC): Check satisfiability of SMT formula

Φk := init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]


The Basic Idea

1 Continuous flows, described by ODEs, define pre-post-constraintson continuous states:� Given an ODE dx

dt= f(x) and a (convex) invariant I ⊂ dom(x),

� [[dxdt

]] = {(f(0), f(t)) | f solution of dxdt

= f(x), ∀t′ ≤ t : f(t′) ∈ I}

2 Adding direct support for such “ODE constraints” in arithmeticconstraint solving facilitates BMC of continuous-time hybridsystems

[Eggers & Fränzle: ATVA’08; Ishii, Ueda, Hosobe, Goldsztejn: ADHS’09]


odeSAT: Adding Forward and BackwardPropagation for ODE Constraints

0

1

2

3

4

5

0 1 2 3 4 5 0

1

2

3

4

5

0 1 2 3 4 5

time of interesthorizon

x(1)prebox

x(2)

postbox

backward propagationforward propagation

...yields a classical interval propagator!


iSAT+ODE: Integrated Algorithm (Example)

(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]

x2

y

x1



( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]

x2

y

x1



( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

y < 30

y < 27

x2 ∈ [−5, 7]

x1 ∈ [10, 20]

x1 + x2 > y

y < x1 + x2 ≤ 27

x2

y

x1



(x1 + x2 > y) ∧ ( y ≥ 28 ∨ a) ∧ (¬a ∨dxdt

= 320 · (3− x))

a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

x2

y

x1



(x1 + x2 > y) ∧ (y ≥ 28∨ a ) ∧ (¬a ∨dxdt

= 320 · (3− x))

a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

x2

y

x1



(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ ( ¬a ∨dxdt

= 320 · (3− x))

a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]

x2

y

x1



(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a∨dxdt

= 320 · (3− x) )

a ∈ { 1}, x1 ∈ [10, 20], x2 ∈ [3, 7] , y ∈ [0, 27]

−15

−10

−5

0

5

10

15

20

25

30

0 5 10 15 20 25 30 35 40 45

x2 ≥ −5

x2 ≥ 3 3

7

x2

y

x1

7

x2

x1

x2


[Eggers, Fränzle, and Herde, 2008], [Ishii, Ueda, and Hosobe, 2011]

Satisfiability Modulo ODE

� Boolean-, real-, and integer-valued variables with boundeddomains

� Quantifier-free Boolean combination of� Simple bounds, e.g. x ≤ 3.2� Arithmetic constraints, e.g. z = sin(y)� Sufficiently smooth, time invariant ordinary differential equations

(ODEs), e.g.•

x= 2.4 · x− y2

� Bounded Model Checking (BMC) formula structure:Φ = init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]

� ODEs occur only in transition system

Goal: Find a satisfying valuation for Φ or prove its unsatisfiability.


Solving SAT Modulo ODE Formulae


Satisfiability of SAT Modulo ODE Formulae

� Point-valued satisfaction: standard for arithmetic constraintsand simple bounds, e.g. point (x = 6, y = 3) satisfies x = 2y

� Definitionally-closed systems of ODEs, e.g.•

x= −y, •y= x satisfiedby valuation

((x1 = 1, y1 = 0), (x2 = 0, y2 = −1), delta_time = π/2) ,with (x1, y1), (x2, y2) being successive BMC instances of (x, y) anddelta_time the duration of continuous flow:

−1

−0.5

0

0.5

1 y

−1 −0.5 0 0.5 1 1.5

x

(x1, y1)

(x2, y2)


Need to lift this to intervals for ICP

Given: a system of time-invariant ODEs

dx1dt

= f1(x1, . . . , xn)...

dxndt

= fn(x1, . . . , xn)

plus three boxes B, I, E ⊂ Rn.Problem: determine whether E is reachable from B along a

trajectory satisfying the ODE and not leaving I.




dx1dt

= f1(x1, . . . , xn)...

dxndt

= fn(x1, . . . , xn)



Added value: Prune unconnected parts of B and E:

B

E




dx1dt

= f1(x1, . . . , xn)...

dxndt

= fn(x1, . . . , xn)




E’B’

B

E




dx1dt

= f1(x1, . . . , xn)...

dxndt

= fn(x1, . . . , xn)




E’B’

B

E

. . . and determine dwell-time interval delta_time.


Problem: Safely determine whether E is unreachable from B alonga trajectory satisfying the ODE and not leaving I.

Some approaches:

1 Interval-based safe numeric approximation of ODEs[Moore 1965, Lohner 1987, Stauning 1997]

(used in Hypertech [Henzinger, Horowitz, Majumdar,

Wong-Toi 2000])

2 CLP(F): a symbolic, constraint-based technology forreasoning about ODEs grounded in (in-)equationalconstraints obtained from Taylor expansions[Hickey, Wittenberg 2004]


Towards SAT modulo ODE

Safe Enclosure Methods for ODEs


ODE Enclosure Problem

Given a system of (sufficiently-smooth, first order, time-invariant,Lipschitz-continuous) ordinary differential equations (ODEs), we wantto enclose all trajectories emerging from a set of starting points overa limited temporal horizon.

dx

dt(t) = f (x(t)) , x(0) ∈

[x1(0), x1(0)]...

[xn(0), xn(0)]

Safely enclose all x(t) over t ∈ [0, horizon].


Safe Approximation

!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!

ti t

x

startbox

flowbox

postbox


Safe Approximation

!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!

t

x

ti ∈ TOI

flowbox

postbox

startbox


Safe Approximation

!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!

t

x

ti ∈ TOI

flowbox

postbox

startbox

Should also be tight!


Safe Approximation

!!!!!!!!!!!!!!!!!!

!!!!!!!!!!!!!!!!!!

t

x

ti ∈ TOI

flowbox

postbox

startbox

Should also be tight! And efficient to compute!


Euler’s Method

t

x


Euler’s Method

t

x


Euler’s Method

t

x


Euler’s Method

t

x


Euler’s Method

t

x


Taylor Series

Exact solution x(t) has slope determined by f in each point:

dx

dt(t) = f(x(t))

Taylor expansion of exact solution:

x(t0 + h) = x(t0) +h1

1!

dx

dt(t0) (Euler’s Method)

+h2

2!

d2x

dt2(t0) + . . .

+hn

n!

dnx

dtn(t0)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh), with 0 < θ < 1


Taylor Series


dx

dt(t) = f(x(t))


x(t0 + h) = x(t0) +h1

1!

dx

dt(t0)

+h2

2!

d2x

dt2(t0) + . . .

+hn

n!

dnx

dtn(t0)

(Lagrange Remainder)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh), with 0 < θ < 1


Taylor Series


dx

dt(t) = f(x(t))


x(t0 + h) = x(t0) +h1

1!

dx

dt(t0)

+h2

2!

d2x

dt2(t0) + . . .

+hn

n!

dnx

dtn(t0)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh), with 0 < θ < 1


Taylor Series

x(t0 + h) = x(t0) +h1

1!

dx

dt(t0)

︸︷︷︸

f(x(t0))

+h2

2!

d2x

dt2(t0)

︸︷︷︸dfdt

(x(t0))·f(x(t0))

+ . . .

+hn

n!

dnx

dtn(t0)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh)

︸︷︷︸

unknown

, with 0 < θ < 1


Taylor Series

x(t0 + h) = x(t0) +h1

1!

dx

dt(t0)

︸︷︷︸

f(x(t0))

+h2

2!

d2x

dt2(t0)

︸︷︷︸dfdt

(x(t0))·f(x(t0))

+ . . .

+hn

n!

dnx

dtn(t0)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh)

︸︷︷︸

unknown

, with 0 < θ < 1

Can use interval arithmetic to evaluate f(x(t0)), etc.,whenever x(t0) is set-valued!

Automatic differentiation computes derivatives.


Bounding Box

t

x

B

t0

for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))

t0 + h

x(t)

dxdt (t) = f (x(t))


Bounding Box

t

x

B

t0

for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))

t0 + h

x(t)

dxdt (t) = f (x(t))

If we only knew B...


Bounding Box [Lohner]

Given: Initial value problem:dxdt

= f(x), x(t0) = x0

Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])

and[B1] ⊆ [B0]

then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B

1]→ Bounding Box.


Bounding Box [Lohner]

Given: Initial value problem:dxdt

= f(x), x(t0) = x0 may also be a box

Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])

and[B1] ⊆ [B0]

then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B

1]→ Bounding Box.


Algorithm

To get an enclosure . . .

� Determine bounding box and stepsize

� Evaluate Taylor series up to desired order over startbox

� Evaluate remainder term over bounding box


Bounding Box

0 1

1.5

2

2.5

3

3.5

4

4.5

5

0.05 0.1 0.15 0.2

0.25 0.3 0.35 0.4

0.45

0.5

1

1.5

2

2.5

3

3.5

t

y

x


Algorithm

� Find bounding box with greedy algorithm

� Generate derivatives symbolically

� Simplify expressions to reduce alias effects on variables� Evaluate expressions with interval arithmetic

� Taylor series� Lagrange remainder


Example

dxdt

= −x + 3, dydt

= x, x0 = [2, 4], y0 = [1, 1]

x

y

t

01

23

45

2

2.5

3

3.5

4

0

2

4

6

8

10

12

14

16

18


Example II: Stable Oscillator

dxdt

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

−30

−20

−10

0

10

20

30

40

50

0.5 1 1.5 2

2.5 3 3.5 4

4.5 5

−40−30

−20−10 0

10 20

30 40

x

y

t


Wrapping Effect

dxdt

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

8.5 9 9.5 10 10.5 11

11.5 12

0 0.1 0.2 0.3

0.4 0.5

−6

−5

−4

−3

−2

−1

0

tx

y

t0

t1

t2


Fight Wrapping Effect

Lohner, Stauning, . . . : use coordinate transformation

x[a, b]

y

[c, d]


Fight Wrapping Effect

Lohner, Stauning, . . . : use coordinate transformation

[r, s]

[t, u]

p

q

x[a, b]

y

[c, d]


Stable Oscillator

dxdt

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

−15

−10

−5

0

5

10

15

−15 −10 −5 0 5 10 15x

y

t = 6.00748

t = 0.286473

t = 0.593339

t = 0.900205

t = 1.20707

t = 0


Stable Oscillator

dxdt

= y, dydt

= −x, x0 = [10, 12], y0 = [−1, 0]

−15

−10

−5

0

5

10

15

0 50

100 150

200

−15

−10

−5

0

5

10

15

t

xt = [0, 10]

t = [190, 200]

y


Damped Oscillator

dxdt

= y − 0.8 · x, dydt

= −x + 0.3 · y, x0 = [10, 15], y0 = [−2, 1]

−25

−20

−15

−10

−5

0

5

10

15

0

0.5

1

1.5

2

2.5

3

3.5

−30

−20

−10

0

10

20

30

x

y

t


[Moore, 1966], [Lohner, 1988], [Stauning, 1997]

Taylor-Series-Based Enclosures: Summary


x(t0 + h) = x(t0) +h1

1!

dx

dt(t0) (Euler’s Method)

+h2

2!

d2x

dt2(t0) + . . .

+hn

n!

dnx

dtn(t0)

(Lagrange Remainder)

+hn+1

(n + 1)!

dn+1x

dtn+1(t0 + θh), with 0 < θ < 1 x

y

� First, calculate rough a-priori enclosure (bounding box)

� Second, compute tighter enclosure with Taylor series and encloseremainder term over a-priori enclosure

� Use Automatic Differentiation to obtain Taylor terms

� Compute coordinate transformation to fight wrapping effect


Use in ICP: Tighten Target Box

−20−15

−10−5

0 5

10 15

0

2

4

6

8

10

12

14

−20

−15

−10

−5

0

5

10

15

y

xtinitial postbox

� Given target box (including phase space and time)


Use in ICP: Tighten Target Box

−20−15

−10−5

0 5

10 15

0

2

4

6

8

10

12

14

−20

−15

−10

−5

0

5

10

15

tightened postbox and TOI

y

xtinitial postbox

� Given target box (including phase space and time)

� Intersect target box with enclosure

� Remove elements with empty intersection(narrows also time-window of interest)


Backward Propagation

� Use temporally reversed ODEs

� Use start box as target box and do normal forward propagation

� Intersect resulting target box with original start box


Backward Propagation

� Use temporally reversed ODEs

� Use start box as target box and do normal forward propagation

� Intersect resulting target box with original start box

Fwd. and bwd. propagation do

� narrow the start box B and target box E — also iteratively!

� narrow the time window for both B and E,

� thus give fresh meat to constraint propagation along adjacent partsof the transition sequence!


Summary: Taylor-Based Enclosure

� Taylor-based numerical method with error enclosure� Tightly integrated with non-linear arithmetic constraint solving:

� provides an interval contractor, just like ICP

E’B’

B

E

� temporally symmetric (fwd. and bwd. contraction), unlike traditionalimage computation

� refutes trajectory bundles based on partial knowledge

� First proof of concept had implemented in 2008.[Eggers, Fränzle, Herde, ATVA 2008]


[Nedialkov and Jackson, 1999], [Nedialkov, Jackson, and Pryce, 2001], [Nedialkov, 2006]

Beyond Taylor Series: VNODE-LP

� Hermite-Obreschkoff method: generalization of Taylor series� VNODE-LP:

� Use High-Order Enclosure (HOE) to obtain a-priori enclosure ofODE

� Use Interval Taylor Series (ITS) with coordinate transformation andQR-method as predictor

� Use Interval Hermite-Obreschkoff (IHO) method as corrector

� IHO allows larger stepsize than ITS (ITS becomes numericallyunstable for smaller stepsizes than IHO)

� Local error for nonlinear ODEs much lower for IHO than for ITS


[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

VNODE-LP as an Enclosure Method in iSAT-ODE

� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering

timespan in between

determined by VNODE−LP

enclosures at (very tight) time intervals

... up to a given horizon

−15

−10

−5

0

5

10

15

0 5 10 15 20





timespan in between

a−priori enclosures determined by VNODE−LP

−15

−10

−5

0

5

10

15

0 5 10 15 20





timespan in between� iSAT-ODE layer: re-evaluate extreme parts of enclosure with

refined stepsize for tighter result → expensive

selectively tightenedboxes

boxes that finally

intersect with the

postbox

given postbox

a−priori enclosures

−15

−10

−5

0

5

10

15

0 5 10 15 20


Bracketing Systems: Rationale

� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains

� Point-wise (or small interval) reasoning thus preferable, if applicable

� A natural idea is to follow extremal trajectories:


Bracketing Systems: Rationale

� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains

� Point-wise (or small interval) reasoning thus preferable, if applicable

� A natural idea is to follow extremal trajectories:

� Problem 1: Number of spanning nodes exponential in systemdimension.

� Problem 2: Reachable set need not be spanned by trajectoriesoriginating in extremal points.


[Müller, 1927]

Bracketing Systems: Essence of Müller’s Theorem

Bounding

box

xx− x+

y−

y

y+

dxdt = f (x, y)

dydt = g(x, y)

If, e.g., f monotonic in x, antitonic in y within bounding box,g monotonic in x and y within bounding box

then [x−(t), x+(t)]× [y−(t), y+(t)] yields an enclosure for(x(t), y(t)) if x−, . . . , y+ are solutions to

dx−

dt= f(x−, y+) dy

−

dt= g(x−, y−)

dx+

dt= f(x+, y−) dy

+

dt= f(x+, y+)

with IVs x−(0) ≤ x(0) ≤ x+(0), y−(0) ≤ y(0) ≤ y+(0).


[Ramdani, Meslem, and Candau, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Bracketing Systems

� Direct VNODE-LP enclosures may diverge quickly for large initialdomains

� Evaluate signs of partial derivatives of ODE’s right-hand side overcurrent enclosure

� If all relevant entries each strictly positive / negative, proceed

� Using Müller’s theorem, generate a bracketing system: replaceoriginal variables by upper and lower bracketing variablesdepending on signs in Jacobian [Müller, 1927]

� Enclose bracketing system using VNODE-LP: twice thedimensionality but point-valued initial conditions

� Re-evaluate Jacobian, check validity of signs (a-posteriorivalidation)


Comparison: Direct vs. Bracketing

denselower bracketing a prioriupper bracketing a priori

direct a prioridirect enclosure

lower bracketing enclosureupper bracketing enclosure

−3

−2

−1

0

1

2

0 2 4 6 8 10 12

x dimension of•

x = −p4x−p1x

1 + p2y+ p3y + 0.1

•

y = p4x− p3y

x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p1 ∈ [0.8, 1], p2 ∈ [1.0, 1.2], p3 ∈ [0.3, 0.5],

and p4 ∈ [0.20, 0.25].Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 67 / 85

[Eggers, Ramdani, Nedialkov, and Fränzle, 2011]

Comparison: Direct vs. Bracketing

denselower bracketing a prioriupper bracketing a priori

direct a prioridirect enclosure

lower bracketing enclosureupper bracketing enclosure

−30

−20

−10

0

10

20

30

0 2 4 6 8 10 12

x dimension of•

x= y,•

y= −x,x(0), y(0) ∈ [1, 2].

� Complementary strengths

⇒ iSAT-ODE: Intersect both enclosures for tighter result.



Learning ODE Deductions

� ODE enclosures very expensive compared to simple intervalconstraint propagations

� Preserve once-learnt facts from deletion during backjumps (similarto learning conflict clauses [Marques-Silva and Sakallah, 1996])

� Learn deduced facts for all isomorphic instances (constraintsreplication [Shtrichman, 2000])

� Two main ingredients:� iSAT core: learn new clauses during search (multiple at once, not

necessarily conflicts, potentially introducing new variables to safelyrepresent constants)

� ODE layer: recognize enclosure requests that have already beenanswered (or can be subsumed under previously answered requests)

� Additionally: store limited number of VNODE’s intermediateresults for reuse, when partial request is detected (e.g. compatibleinitial box but tighter delta_time range)


SAT Modulo ODE

Solving the Case Study


Hybrid Systems – Example: Plant & Controller

plant_dynamics

omega_set

v_set

x

y

alpha

v

omega


controller

trigger

alpha

xpos

ypos

x_target

y_target

omega

v

alpha_target

3

−5




bang−bang control



Does this system work as specified?


Predicative Encoding

−− A robot that is being given a target location to which it shall move.

DECLdefine MAX_TIME = 100; −− Maximum global time.define MAX_STEP = 2; −− Maximum duration.float [0, MAX_TIME] time; −− Global time.float [0, MAX_STEP] delta_time; −− Step duration.float [−100, 100] x; −− Position, x coordinate .float [−100, 100] y; −− Position, y coordinate .float [−100, 100] delta_x; −− Position change by flow, x coordinate .float [−100, 100] delta_y; −− Position change by flow, y coordinate .float [−8, 8] alpha; −− Direction.float [−1, 1] omega; −− Angular velocity.float [−0.1, 0.1] omega_set; −− Angular velocity set point.float [−10, 10] v; −− Velocity.float [0, 0.4] v_set; −− Velocity set point .define P_v = 3; −− Proportional gain in analog velocity control .define P_omega = 1.6; −− Proportional gain in analog angular velocity ctrl .

define PI_LB = 3.141592; −− Lower bound for PI.define PI_UB = 3.141593; −− Upper bound for PI.

define PI_UB_HALF = 1.5708; −− Upper bound for 0.5 ∗ PI.

float [−100, 100] x_target; −− Position of target , x coordinate .float [−100, 100] y_target; −− Position of target , y coordinate .float [0, 142] distance ; −− Distance to target.float [−100, 100] dx; −− Distance to target, x component.float [−100, 100] dy; −− Distance to target, y component.float [−1, 1] tmp_quot_dy_dist; −− Quotient dy / distance.−− Reduce nondeterminism in model by enforcing that alpha cannot be less and−− more than alpha_target at the same time and distance must be in one−− category (−−0.1−−−0.5−−−5−−).boole alpha_leq_alpha_target;boole alpha_geq_alpha_target;boole distance_geq_5;boole distance_geq_05;boole distance_geq_01;

−− Result of asin(tmp_quot_dy_dist) is limited to standard branch used by−− ctrl’s asin implementation.float [−PI_UB_HALF, PI_UB_HALF] alpha_target_tmp;

float [−8, 8] alpha_target; −− Direction to target .define CTRL_PI = 3.1415927; −− PI constant used by controller.−− Note that the real controller will be using such a fixed constant , i .e.−− here it is not necessary to safely enclose PI by an interval when the−− same calculations are performed as done by the controller (which we−− assume here).

boole flow ;

INITtime = 0;x = 0;y = 0;alpha = 0;omega = 0;v = 0;

−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target = −4;y_target = −1 and tmp_quot_dy_dist ( alpha_target_tmp >= 3 ∗ (tmp_quot_dy_dist + 0.5) − 0.3

and alpha_target_tmp = −0.64 and tmp_quot_dy_dist ( alpha_target_tmp >= tmp_quot_dy_dist

+ 0.16 ∗ (tmp_quot_dy_dist^3) − 0.05and alpha_target_tmp = 0.64 and tmp_quot_dy_dist ( alpha_target_tmp >= 2.29 ∗ tmp_quot_dy_dist − 1

and alpha_target_tmp = −1.570797;alpha_target_tmp = 0 −> alpha_target = alpha_target_tmp;dx < 0 −> alpha_target = CTRL_PI − alpha_target_tmp;

alpha_leq_alpha_target alpha = alpha_target;

alpha_leq_alpha_target and !alpha_geq_alpha_target −> omega_set = 0.1;!alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = −0.1;alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = 0;

distance_geq_5 distance >= 5;distance_geq_05 distance >= 0.5;distance_geq_01 distance >= 0.1;

distance_geq_5 −> v_set = 0.4;distance_geq_05 and !distance_geq_5 −> v_set = 0.2;distance_geq_01 and !distance_geq_05 −> v_set = 0.1;!distance_geq_01 −> v_set = 0;

flow ;TRANS

!flow ’ flow;time ’ = time + delta_time;

−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);

flow −> delta_time = 2;

−− Target stays constant.x_target’ = x_target;y_target’ = y_target;

!flow −> delta_time = 0;!flow −> x’ = x

and y’ = yand alpha’ = alphaand v’ = vand omega’ = omega;

−− Controller calculates the current direction to target location at every−− step.dy’ = y_target’ − y’;dx’ = x_target’ − x’;

distance ’ = nrt(dx’^2 + dy’^2, 2);−− tmp_quot_dy_dist’ = dy’ / distance’.distance ’ ∗ tmp_quot_dy_dist’ = dy’;sin (alpha_target_tmp’) = tmp_quot_dy_dist’;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist’ >= −1 and tmp_quot_dy_dist’ ( alpha_target_tmp’ >= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 0.3

and alpha_target_tmp’ = −0.64 and tmp_quot_dy_dist’ ( alpha_target_tmp’ >= tmp_quot_dy_dist’

+ 0.16 ∗ (tmp_quot_dy_dist’^3) − 0.05and alpha_target_tmp’ = 0.64 and tmp_quot_dy_dist’ ( alpha_target_tmp’ >= 2.29 ∗ tmp_quot_dy_dist’ − 1

and alpha_target_tmp’ = −1.570797;alpha_target_tmp’ = 0 −> alpha_target’ = alpha_target_tmp’;dx’ < 0 −> alpha_target’ = CTRL_PI − alpha_target_tmp’;

−− The discrete controller can set new omega_set and new v_set every step.−− Would need to adjust this if BMC steps and controller steps became−− seperated.alpha_leq_alpha_target’ alpha’ = alpha_target’;

! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’−> omega_set’ = 0.1;

!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = −0.1;

!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = 0;

distance_geq_5’ distance’ >= 5;distance_geq_05’ distance’ >= 0.5;distance_geq_01’ distance’ >= 0.1;

!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;

TARGETdistance > 0.1;


Predicative Encoding – Continuous Dynamics

omega

5

v

4

alpha

3

y

2

x

1

cos

sin

P_v

3

P_omega

1.6

1

s

1

s

1

s 1

s

1

s

v_set

2

robot motioncontinuous−time

proportional control

omega_set

1

alpha

vx

vy

xx

yyv

omega

•

ω

•

v= a

time ’ = time + delta_time;

−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);

flow −> delta_time = 2;


Predicative Encoding – Discrete Controller

all

rotation1

m0

speed 2

m1



3


1


2


1

/v=0.4;


3


1


2

alpha_leq_alpha_target’ alpha’ = alpha_target’;

! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’ −> omega_set’ = 0.1;!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = −0.1;!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = 0;

distance_geq_5’ distance’ >= 5;distance_geq_05’ distance’ >= 0.5;distance_geq_01’ distance’ >= 0.1;

!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;


Predicative Encoding – Proof Obligation

E.g., looking for a target position that cannot be reached within given

number of steps:

INIT...−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target = −4;y_target 0.1;

Note: Target position not determined!


Candidate Solution Box from iSAT-ODE

Extracting (x, y)-trace from candidate solution box.

0

0.5

1

1.5

2

2.5

3

0 1 2 3 4 5 6 7 8

’robot_motion_14.hys_out_prabs1e−6_k42_wilkinson_defs_plot_0.plot_data’

x

y

BMC unwindin

Want to impress your boy friend / girl friend? SAT Modulo Ordinary Diﬀerential Equations · 2012....

Documents

Transcript of Want to impress your boy friend / girl friend? SAT Modulo Ordinary Diﬀerential Equations · 2012....