sat modulo ordinary differential equations want to impress your
TRANSCRIPT
SAT Modulo Ordinary Differential EquationsAn Analysis Method for Hybrid Systems
Martin Fränzle1
with slides, LATEX souce, etc., by
Andreas Eggers1 · Christian Herde1
Nacim Ramdani2 · Nedialko S. Nedialkov3
SFB/TR 14 AVACS
1 Carl von Ossietzky Universität · Oldenburg, Germany2 Université d’Orléans · PRISME · Bourges, France3 McMaster University · Hamilton, Ontario, Canada
Want to impress your boy friend / girl friend?
[YouTube video]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 2 / 85
Want to impress your boy friend / girl friend?
[www.popsci.com]
That’s why we build hybrid systems!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 3 / 85
What is a hybrid system?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
What is a hybrid system?
Hybrid (from Greece) means arrogant,presumptuous.
After H. Menge: Griechisch/Deutsch,Langenscheidt 1984
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
What is a hybrid system?
Hybrid (from Greece) means arrogant,presumptuous.
After H. Menge: Griechisch/Deutsch,Langenscheidt 1984
Hybrid stems from Latin hybrida ’off-spring of a tame sow and wild boar,child of a freeman and slave, etc.’
From the Compact Oxford EnglishDictionary, 2008
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 4 / 85
Hybrid Systems
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmental
influence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 5 / 85
Hybrid Systems
Loads of
continuous
computations
interleaved
with discrete
decisions
Plant
ControlAnalogswitch
Continuouscontrollers
D/A
Discretesupervisor
A/D
Plant
observablestate
environmental
influence
disturbances ("noise")
control
selection
setpoints
active control law
setpointspart ofobservablestate
task selection
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 5 / 85
Hybrid systems
are ensembles of interacting discrete and continuous subsystems:� Technical systems:
� physical plant + multi-modal control� physical plant + embedded digital system� mixed-signal circuits� multi-objective scheduling problems (computers / distrib. energy
management / traffic management / ...)
� Biological systems:� Delta-Notch signaling in cell differentiation� Blood clotting� ...
� Economy:� cash/good flows + decisions� ...
� Medicine/health/epidemiology:� infectious diseases + vaccination strategies� ...
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 6 / 85
Hybrid Systems
The Formal Model
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 7 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
y < 0
y > 0
x :
y :
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
A Formal Model: Hybrid Automata
ball is moving down
ball is moving up
vertical position of the ball
velocity
−10
0
−20
10
0 5 10 15 20
20
y
x
y < 0
y > 0
x :
y :
•x= y
x ≥ 0
•y= −9.81
x = 0.0 ∧ y ≤ 0.0 /
y′ = −0.8 · y
x = 20.0 ∧ y = 0.0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 8 / 85
State and Dimension Explosion
Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...
Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...
Size-dependent dynamics� Latency in ctrl. loop depends on number
of cars due to communication subsystem.� Coupled dynamics yields long hidden
channels chaining signal transducers.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 9 / 85
State and Dimension Explosion
Number of continuous variables linear in num-ber of cars� Positions, speeds, accelerations,� torque, slip, ...
Number of discrete states exponential in num-ber of cars� Operational modes, control modes,� state of communication subsystem, ...
Size-dependent dynamics� Latency in ctrl. loop depends on number
of cars due to communication subsystem.� Coupled dynamics yields long hidden
channels chaining signal transducers.
⇒ Need a scalable approach⇒ Let’s try to achieve this through SAT/SMT-based methods.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 9 / 85
Hybrid Control — A Case Study
!!
!!
!!
α
(x, y)
vsatellite position
target position
ω =•
α
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 10 / 85
Hybrid Control — A Case Study
omega
5
v
4
alpha
3
y
2
x
1
cos
sin
P_v
3
P_omega
1.6
1
s
1
s
1
s 1
s
1
s
v_set
2
robot motioncontinuous−time
proportional control
omega_set
1
alpha
vx
vy
xx
yyv
omega
•
ω
•
v= a
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 11 / 85
Hybrid Control — A Case Study
alpha_target
3
v
2
omega
1
controller
alpha
alpha_target
dist_to_target
omega
v
pi
asin
>= 0
Sqrt
u
u2
u2
y_target
6
x_target
5
ypos
4
xpos
3
alpha
2
trigger1
distance
time−triggered controller
alpha_target
−1 −0.5 0 0.5 1−1.5
−1
−0.5
0
0.5
1
1.5
asin(x)
(x, y)
α′
T
(xT , yT )
α′
T
π − α′
T
α′T = sin−1( yT−y√(xT−x)2+(yT−y)2
)
dista
nce
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 12 / 85
Hybrid Control — A Case Study
all
rotation1
m0
speed 2
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
all
rotation1
m0
speed
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target > 0.5 && dist_to_target <
1
[dist_to_target >
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
1 speed 2
m1
0.1;
[alpha > alpha_target] / omega = − 0.1;
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 13 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Hybrid Control — A Case Study
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Does this system work as specified?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 14 / 85
Simulated Trajectory Reaching Target
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 15 / 85
Multiple Simulated Trajectories Reaching Targets
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 16 / 85
CDCL + Interval Constraint Propagation
An engine for Bounded Model Checkingof non-linear discrete-time HA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 17 / 85
Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (1)
Given:
Delay
in on
xn+1xn
xn+1 = f(xn, in)on = g(xn, in)
Nonlinear discrete-time hybriddynamical system
x — state vectori — input vectoro — output vectorf — next-state functiong — output function
f, g potentially nonlinear.
Goal:
Check whether some unsafe state is reachable within k steps of thesystem
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 18 / 85
Bounded Model Checking of NonlinearDiscrete-Time Hybrid Systems (2)
Method:� Construct formula that is satisfiable if error trace of length k exists
� Formula is a k–fold unrolling of the transition relation, concatenated witha characterization of the initial state(s) and the (unsafe) state to bereached
i0 i1 i2o0 o1 o2
x1 = f(x0, i0)o0 = g(x0, i0)
x2 = f(x1, i1)o1 = g(x1, i1)
x3 = f(x2, i2)o2 = g(x2, i2)
x0 x3x1 x2
I(x0) P (x3)
� Use appropriate procedure to “decide” satisfiability of the formula
Needed:
Solvers for large, non-linear arithmetic formulae with a rich Booleanstructure
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 19 / 85
Bounded Model Checking with HySAT / iSAT
HySAT
There’s no sequence of
input values such that
3.14 ≤ x ≤ 3.15
Safety property:
DECL
boole b;
float [0.0, 1000.0] x;
INIT
– Characterization of initial state.
x = 2.0;
TRANS
– Transition relation.
b -> x’ = xˆ2 + 1;
!b -> x’ = nrt(x, 3);
TARGET
– State(s) to be reached.
x >= 3.14 and x <= 3.15;
SOLUTION:
b (boole):
@0: [0, 0]
@1: [1, 1]
@2: [1, 1]
@3: [0, 0]
@4: [1, 1]
@5: [1, 1]
@6: [0, 0]
@7: [1, 1]
@8: [0, 0]
@9: [1, 1]
@10: [1, 1]
@11: [0, 0]
x (float):
@0: [2, 2]
@1: [1.25992, 1.25992]
@2: [2.5874, 2.5874]
@3: [7.69464, 7.69464]
@4: [1.97422, 1.97422]
@5: [4.89756, 4.89756]
@6: [24.9861, 24.9861]
@7: [2.92347, 2.92347]
@8: [9.5467, 9.5467]
@9: [2.12138, 2.12138]
@10: [5.50024, 5.50024]
@11: [31.2526, 31.2526]
@12: [3.14989, 3.14989]
x := x2 + 1b/
¬b/x := 3
√x
x := 2
CO
UN
TEREX
AM
PLE
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 20 / 85
The Task
Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape
(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .
∧ (dxdt
= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 21 / 85
The Task
Find satisfying assignments (or prove absence thereof) for large(thousands of Boolean connectives) formulae of shape
(b1 =⇒ x21 − cos y1 < 2y1 + sin z1 + eu1)∧ (x5 = tan y4 ∨ tan y4 > z4 ∨ . . .)∧ . . .
∧ (dxdt
= − sinx ∧ x3 > 5 ∧ x3 < 7 ∧ x4 > 12 ∧ . . .)∧ . . .
Most conventional solvers� do either address much smaller fragments of arithmetic
� decidable theories: no transcendental fct.s, no ODEs
� or tackle only small formulae� some dozens of Boolean connectives.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 21 / 85
Interval Arithmetic
� an ancient mathematical technique, already used by Archimedes,
� systematized by Rosalind Cecily Young in the 1930s [Young, 1931]
� brought to computing by Paul Dwyer [ Dwaer, 1951], MieczyslawWarmus [Warmus, 1956, Teruo Sunaga [Sunaga, 1958], and RamonE. Moore [Moore, 1966] in the 1950s
� is an approach to putting safe bounds on computational results,irrespective of� rounding errors during computations,� inaccuracies in measurements of entities entering the computation,� uncertain parameters.
� when applied to an expression over the reals, it yields a set-valuedresult, namely an interval over the reals, which is guaranteed tocontain the exact value of the expression.
� can be used for efficiently computing a safe overapproximation (i.e.,a superset) of the image f(X) of a set X ⊆ R
n under a functionf : Rn → R
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 22 / 85
Interval Arithmetic
For non-empty argument intervals [a, b] ∈ II \ {∅} and [c, d] ∈ II \ {∅}, define
[a, b]⊢⊣
+ [c, d] = [a←
+ c, b→
+ d]
[a, b]⊢⊣
− [c, d] = [a←
− d, b→
− c]
[a, b]⊢⊣· [c, d] = [min(a
←· c, a
←· d, b
←· c, b
←· d),max(a
→· c, a
→· d, b
→· c, b
→· d)]
⊢⊣
sin [a, b] =
[min(←
sin a,←
sin b),max(→
sin a,→
sin b)] iff (2n + 1
2)π 6∈ [a, b] and
(2m− 1
2)π 6∈ [a, b],
[min(←
sin a,←
sin b), 1], iff (2n + 1
2)π ∈ [a, b] but
(2m− 1
2)π 6∈ [a, b],
[−1,max(→
sin a,→
sin b), 1], iff (2n + 1
2)π 6∈ [a, b] but
(2m− 1
2)π ∈ [a, b],
[−1, 1] iff (2n + 1
2)π ∈ [a, b] and
(2m− 1
2)π ∈ [a, b]
for any n,m ∈ Z.
where
�←· and
→· denote rounding down/up to computational reals,
� II denotes the set of intervals with representable bounds.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 23 / 85
Interval Arithmetic: Example
� Assume fixed-point arithmetic with just 1 bit fractional part:representable numbers are of the form k
2for k ∈ Z
� Given x1 = [0, 0.5] and x2 = [0.5, 1], IA computes
x1
⊢⊣
− x1
⊢⊣
+ x2
⊢⊣· x2 = ([0, 0.5]
⊢⊣
− [0, 0.5])⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [0←
− 0.5, 0.5→
− 0]⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [−0.5, 0.5]⊢⊣
+ ([0.5, 1]⊢⊣· [0.5, 1])
= [−0.5, 0.5]⊢⊣
+ [min(0.5←· 0.5, 0.5
←· 1, 1
←· 0.5, 1
←· 1),
max(0.5→· 0.5, 0.5
→· 1, 1
→· 0.5, 1
→· 1)]
= [−0.5, 0.5]⊢⊣
+ [min(0, 0.5, 0.5, 1),max(0.5, 0.5, 0.5, 1)]
= [−0.5, 0.5]⊢⊣
+ [0, 1]
= [−0.5←
+ 0, 0.5→
+ 1]
= [−0.5, 1.5]
⇒ the computed interval [−0.5, 1.5] covers the set of values{x1 − x1 + x2 · x2 | x1 ∈ [0, 0.5], x2 ∈ [0.5, 1]} = [0.25, 1],yet not tightly so. −→ rounding + dependency problem of IA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 24 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� “Forward” interval propagation yields justification for constraintsatisfaction:
x ∈ [−2, 2]∧ y ∈ [−2, 2]
2
6
y
≤
+
∧
x
[−2, 2]
[0, 4]
[−2, 6]
[−2, 2]
h2
h1
satisfied in box
h2 ≤ 6 is
⇓
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval propagation (fwd & bwd) yields witness for unsatisfiability:
2
6
y
≤
+
∧
x
[3, 4]
[9, 16]
[9, 19]
[0, 3]
h2
h1
unsat. in box
h2 ≤ 6 is
⇓
x ∈ [3, 4]
∧ y ∈ [0, 3]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
2
6
y
≤
+
∧
x
[−10, 10]
[0, 100]
[−10, 110]
[−10, 10]
h2
h1
∧ y ∈ [−10, 10]x ∈ [−10, 10]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
2
6
y
≤
+
∧
x
[−4, 4]
[0, 16]
[−10, 6]
[−10, 6]
h2
h1
⇓
∧ y ∈ [−10, 10]x ∈ [−10, 10]
∧ y ∈ [−10, 6]x ∈ [−4, 4]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
Interval Constraint Propagation (1) [Cleary, 1986]
� Complex constraints are rewritten to “triplets” (primitive constraints):
x2 + y ≤ 6
c1 : h1 =̂x ∧ 2c2 : ∧ h2 =̂h1 + y
∧ h2 ≤ 6
� Interval prop. (fwd & bwd until fixpoint is reached) yields contraction ofbox:
Constraint is not satisfied
by the contracted box!
2
6
y
≤
+
∧
x
[−4, 4]
[0, 16] [−10, 6]
h2
h1
∧ y ∈ [−10, 6]x ∈ [−4, 4]
[−10, 22]
(details & alternatives: see Benhamou in Handbook of Constraint Progr.)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 25 / 85
y ∈ [0, 9]
y ∈ [0, 6]
y ∈ [−100, 100]
x ∈ [−100, 100]
x ∈ [−2.3, 2.3]
y ∈ [0, 100]
y ∈ [0, 20]
y ∈ [0, 5]
y ∈ [0, 4.6]
y ≤ 2·x
y = x2
x ∈ [−√
5,√
5]
x ∈ [−√
6,√
6]
x ∈ [−2.5, 2.5]
x ∈ [−4.5, 4.5]
x ∈ [−√
20,√
20]
x ∈ [−3, 3]
x ∈ [−10, 10]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 26 / 85
Incompleteness of Interval Contraction
Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.
Thus, interval contraction provides a highly incomplete deductionsystem:
x ∈ [0,∞)∧ h =̂x · y∧ h > 5
=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)
=⇒ h ∈ (0,∞) 6=⇒ h > 5
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 27 / 85
Incompleteness of Interval Contraction
Backward propagation yields rectangular overapproximation ofnon-rectangular pre-images.
Thus, interval contraction provides a highly incomplete deductionsystem:
x ∈ [0,∞)∧ h =̂x · y∧ h > 5
=⇒ x ∈ (0,∞)∧ y ∈ (0,∞)
=⇒ h ∈ (0,∞) 6=⇒ h > 5
enhance through branch-and-prune approach.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 27 / 85
iSAT: Non-linear Arithmetic Constraint Solving
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
rewrite input formula into a conjunction of constraints:
⊲ n-ary disjunctions of bounds⊲ arithmetic constraints having at most one operation symbol
• Boolean variables are regarded as 0-1 integer variables.Allows identification of literals with bounds on Booleans:
≡ b ≥ 1b¬b ≡ b ≤ 0
• Float variables h1, h2, h3 are used for decompositionof complex constraint x2 − 2y ≥ 6.2.
• Use Tseitin-style (i.e. definitional) transformation to
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
a ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :DL 1:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c2
c3
c1a ≥ 1
b ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
c ≥ 1 d ≥ 1
d ≤ 0
DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c3
c2
c1
b ≥ 1
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
d ≥ 1
d ≤ 0
c ≥ 1
a ≥ 1DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4a ≥ 1 c ≤ 0 b ≤ 0 x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
DL 2: h2 ≤ −8
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c8
c6
c5
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≤ 3 h3 ≥ 6.2
h1 ≤ 9
h2 ≥ −2.8
x ≥ −2
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
∧ (¬a ∨ ¬c)c9 :
DL 1:
DL 2: h2 ≤ −8
DL 3:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c8
c6
c5
a ≥ 1 c ≤ 0 b ≤ 0
y ≥ 4
x ≤ 3 h3 ≥ 6.2
h1 ≤ 9
h2 ≥ −2.8
x ≥ −2
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
← conflict clause = symbolic description
of a rectangular region of the search space
which is excluded from future search
DL 1:
DL 2: h2 ≤ −8
DL 3:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h3 = h1 + h2∧c8 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
DL 1:
DL 2:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Results can be verified by sorting to “single assignment form”.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.
[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
iSAT: Non-linear Arithmetic Constraint Solving
c9 c2 c4
c7
c6c10
a ≥ 1 c ≤ 0 b ≤ 0
(x ≥ 4 ∨ y ≤ 0 ∨ h3 ≥ 6.2)∧c5 :
∧ (b ∨ x ≥ −2)c4 :
∧ (¬c ∨ ¬d)c3 :
∧ (¬a ∨ ¬b ∨ c)c2 :
(¬a ∨ ¬c ∨ d)c1 :
y ≥ 4
x ≥ −2
x > 3
h2 ≤ −8
h1 > 9
∧ (x < −2 ∨ y < 3 ∨ x > 3)c10 :
∧ (¬a ∨ ¬c)c9 :
h2 = −2 · y∧c7 :
h1 = x2∧c6 :
h3 = h1 + h2c8 : ∧
DL 1:
DL 2:
• Continue do split and deduce until either
⊲ solver is left with ‘sufficiently small’ portion of the
search space for which it cannot derive any contradiction
⊲ formula turns out to be UNSAT (unresolvable conflict)
Essentially, a tight integration of interval constraint propagation withrecent propositional SAT-solving techniques.
[Fränzle, Herde, Ratschan, Schubert, Teige: J. on Satisfiability. . ., 2007]
A DPLL(T)-based alternative, including LP solving, has beenimplemented by Gao et al.
[Gao, Ganai, Ivancic, Gupta, Sankaranarayanan, Clarke: FMCAD 2010]Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 28 / 85
The Impact of Learning: Runtime
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
0.001
0.01
0.1
1
10
100
1000
10000
100000
0.001 0.01 0.1 1 10 100 1000
with
ou
t le
arn
ing
[s]
with learning [s]
> 1:1
> 10:1
> 100:1
> 1k:1
> 10k:1
> 100k:1
> 1m:1
> 10m:1
time out
Examples:BMC of� platoon control� bouncing ball� gingerbread map� oscillatory logistic map
Intersection of geometricbodies
Size:Up to 2400 variables,≫ 103 Boolean connec-tives.
[2.5 GHz AMD Opteron, 4 GByte physical memory, Linux]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 29 / 85
CDCL + ICP + Numeric ODE Enclosure
An engine for Bounded Model Checkingof non-linear continuous-time HA
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 30 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
!!!!!!
!!!!!!!!!
!!!!!!!!!!!!!!!!!!
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Alur, Courcoubetis, Henzinger, and Ho, 1993]
Hybrid Automata – Semantics
height x
velocity v
time
time
x ≥ 0
•
v= −9.81
•
x= v
x = 0
x = 10, v = 0
/v′ := −v
A = (Vars,Modes, Init, Flow, Jump)
Init = {(m, Initm) | m ∈ Modes}
Flow = {(m,ODEm, Invarm) | m ∈ Modes}
Jump = {(m,Guardm,m′ ,Actionm,m′ ,m′) | m,m′ ∈ Modes}
Valuation σ : Vars→ R
Run ρ : 〈m0, σ0〉 ∆t0 〈m0, σ̂0〉 → 〈m1, σ1〉 ∆t1 〈m1, σ̂1〉 → . . .
where
〈m0, σ0〉 |= Init
〈mi, σi〉 ∆ti 〈mi, σ̂i〉 |= Flow
〈mi, σ̂i〉 → 〈mi+1, σi+1〉 |= Jump
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 31 / 85
[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]
Bounded Model Checking
ϑi ≤ 21
Heat off
Heat on
dϑi / d t = −0.1 · (ϑi − ϑo)
ϑi ≥ 19 ∨ c ≥ 0.04
d c / d t = −0.05 · c
d c / d t = 0.01− 0.05 · c
ϑi ≤ 19
c ≤ 0.04
ϑi ∈ [19, 25]
ϑi ∈ [15, 21]
c = 0
c = 0
ϑi ≥ 21
dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)
Bounded Model Checking (BMC):
Are there any trajectories leading from an inital to an unsafe state in k steps?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85
[Audemard, Bozzano, Cimatti, and Sebastiani, 2005], [Fränzle and Herde, 2005], [Eggers, Fränzle, and Herde, 2008]
Bounded Model Checking and Constraint Solving
ϑi ≤ 21
Heat off
Heat on
dϑi / d t = −0.1 · (ϑi − ϑo)
ϑi ≥ 19 ∨ c ≥ 0.04
d c / d t = −0.05 · c
d c / d t = 0.01− 0.05 · c
ϑi ≤ 19
c ≤ 0.04
ϑi ∈ [19, 25]
ϑi ∈ [15, 21]
c = 0
c = 0
ϑi ≥ 21
dϑi / d t = 0.2 · (35− ϑi)−0.1 · (ϑi − ϑo)
init =−10 ≤ ϑo ≤ 20 ∧ c = 0
∧
(19 ≤ ϑi ≤ 25 ∧ ¬on
∨ 15 ≤ ϑi ≤ 21 ∧ on
)
trans =( ¬on ∧ on′ ∧ ϑi ≤ 19 ∧ c ≤ 0.04∧ ϑ′
i = ϑi ∧ ϑ′
o = ϑo ∧ c′ = c)∨ ( on ∧ ¬on′ ∧ ϑi ≥ 21∧ ϑ′
i = ϑi ∧ ϑ′
o = ϑo ∧ c′ = c)∨ ( ¬on ∧ ¬on′
∧ dϑi
dt = −0.1(ϑi − ϑo)
∧ dcdt = −0.05c
∧ (ϑ′
i ≥ 19 ∨ c′ ≥ 0.04) ∧ ϑ′
o = ϑo)∨ ( on ∧ on′
∧ dϑi
dt = 0.2 · 35− 0.3ϑi + 0.1ϑo
∧ dcdt = 0.01− 0.05c
∧ ϑ′
i ≤ 21 ∧ ϑ′
o = ϑo)
target =(c > 0.1)
Bounded Model Checking (BMC): Check satisfiability of SMT formula
Φk := init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 32 / 85
The Basic Idea
1 Continuous flows, described by ODEs, define pre-post-constraintson continuous states:� Given an ODE dx
dt= f(x) and a (convex) invariant I ⊂ dom(x),
� [[dxdt
]] = {(f(0), f(t)) | f solution of dxdt
= f(x), ∀t′ ≤ t : f(t′) ∈ I}
2 Adding direct support for such “ODE constraints” in arithmeticconstraint solving facilitates BMC of continuous-time hybridsystems
[Eggers & Fränzle: ATVA’08; Ishii, Ueda, Hosobe, Goldsztejn: ADHS’09]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 33 / 85
odeSAT: Adding Forward and BackwardPropagation for ODE Constraints
0
1
2
3
4
5
0 1 2 3 4 5 0
1
2
3
4
5
0 1 2 3 4 5
time of interesthorizon
x(1)prebox
x(2)
postbox
backward propagationforward propagation
...yields a classical interval propagator!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 34 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 30]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
( x1 + x2 > y ) ∧ (y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
y < 30
y < 27
x2 ∈ [−5, 7]
x1 ∈ [10, 20]
x1 + x2 > y
y < x1 + x2 ≤ 27
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ ( y ≥ 28 ∨ a) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ {0, 1}, x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28∨ a ) ∧ (¬a ∨ dxdt
= 320 · (3− x))
a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ ( ¬a ∨dxdt
= 320 · (3− x))
a ∈ { 1} , x1 ∈ [10, 20], x2 ∈ [−5, 7], y ∈ [0, 27]
x2
y
x1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
iSAT+ODE: Integrated Algorithm (Example)
(x1 + x2 > y) ∧ (y ≥ 28 ∨ a) ∧ (¬a∨ dxdt
= 320 · (3− x) )
a ∈ { 1}, x1 ∈ [10, 20], x2 ∈ [3, 7] , y ∈ [0, 27]
−15
−10
−5
0
5
10
15
20
25
30
0 5 10 15 20 25 30 35 40 45
x2 ≥ −5
x2 ≥ 33
7
x2
y
x1
7
x2
x1
x2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 35 / 85
[Eggers, Fränzle, and Herde, 2008], [Ishii, Ueda, and Hosobe, 2011]
Satisfiability Modulo ODE
� Boolean-, real-, and integer-valued variables with boundeddomains
� Quantifier-free Boolean combination of� Simple bounds, e.g. x ≤ 3.2� Arithmetic constraints, e.g. z = sin(y)� Sufficiently smooth, time invariant ordinary differential equations
(ODEs), e.g.•
x= 2.4 · x− y2
� Bounded Model Checking (BMC) formula structure:Φ = init[0] ∧ trans[0, 1] ∧ · · · ∧ trans[k − 1, k] ∧ target[k]
� ODEs occur only in transition system
Goal: Find a satisfying valuation for Φ or prove its unsatisfiability.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 36 / 85
Solving SAT Modulo ODE Formulae
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 37 / 85
Satisfiability of SAT Modulo ODE Formulae
� Point-valued satisfaction: standard for arithmetic constraintsand simple bounds, e.g. point (x = 6, y = 3) satisfies x = 2y
� Definitionally-closed systems of ODEs, e.g.•
x= −y, •y= x satisfiedby valuation
((x1 = 1, y1 = 0), (x2 = 0, y2 = −1), delta_time = π/2) ,
with (x1, y1), (x2, y2) being successive BMC instances of (x, y) anddelta_time the duration of continuous flow:
−1
−0.5
0
0.5
1 y
−1 −0.5 0 0.5 1 1.5
x
(x1, y1)
(x2, y2)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 38 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
B
E
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
E’B’
B
E
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Need to lift this to intervals for ICP
Given: a system of time-invariant ODEs
dx1
dt= f1(x1, . . . , xn)...
dxn
dt= fn(x1, . . . , xn)
plus three boxes B, I, E ⊂ Rn.
Problem: determine whether E is reachable from B along atrajectory satisfying the ODE and not leaving I.
Added value: Prune unconnected parts of B and E:
E’B’
B
E
. . . and determine dwell-time interval delta_time.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 39 / 85
Problem: Safely determine whether E is unreachable from B alonga trajectory satisfying the ODE and not leaving I.
Some approaches:
1 Interval-based safe numeric approximation of ODEs[Moore 1965, Lohner 1987, Stauning 1997]
(used in Hypertech [Henzinger, Horowitz, Majumdar,
Wong-Toi 2000])
2 CLP(F): a symbolic, constraint-based technology forreasoning about ODEs grounded in (in-)equationalconstraints obtained from Taylor expansions[Hickey, Wittenberg 2004]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 40 / 85
Towards SAT modulo ODE
Safe Enclosure Methods for ODEs
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 41 / 85
ODE Enclosure Problem
Given a system of (sufficiently-smooth, first order, time-invariant,Lipschitz-continuous) ordinary differential equations (ODEs), we wantto enclose all trajectories emerging from a set of starting points overa limited temporal horizon.
dx
dt(t) = f (x(t)) , x(0) ∈
[x1(0), x1(0)]...
[xn(0), xn(0)]
Safely enclose all x(t) over t ∈ [0, horizon].
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 42 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
ti t
x
startbox
flowbox
postbox
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Should also be tight!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Safe Approximation
!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!
t
x
ti ∈ TOI
flowbox
postbox
startbox
Should also be tight! And efficient to compute!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 43 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Euler’s Method
t
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 44 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0) (Euler’s Method)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
(Lagrange Remainder)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
Exact solution x(t) has slope determined by f in each point:
dx
dt(t) = f(x(t))
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 45 / 85
Taylor Series
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
︸ ︷︷ ︸
f(x(t0))
+h2
2!
d2x
dt2(t0)
︸ ︷︷ ︸dfdt
(x(t0))·f(x(t0))
+ . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh)
︸ ︷︷ ︸
unknown
, with 0 < θ < 1
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 46 / 85
Taylor Series
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0)
︸ ︷︷ ︸
f(x(t0))
+h2
2!
d2x
dt2(t0)
︸ ︷︷ ︸dfdt
(x(t0))·f(x(t0))
+ . . .
+hn
n!
dnx
dtn(t0)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh)
︸ ︷︷ ︸
unknown
, with 0 < θ < 1
Can use interval arithmetic to evaluate f(x(t0)), etc.,whenever x(t0) is set-valued!
Automatic differentiation computes derivatives.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 46 / 85
Bounding Box
t
x
B
t0
for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))
t0 + h
x(t)
dxdt (t) = f (x(t))
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 47 / 85
Bounding Box
t
x
B
t0
for all t ∈ [t0, t0 + h]dxdt (t) ≤ max(f (B))dxdt (t) ≥ min(f (B))
t0 + h
x(t)
dxdt (t) = f (x(t))
If we only knew B...
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 47 / 85
Bounding Box [Lohner]
Given: Initial value problem:dxdt
= f(x), x(t0) = x0
Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])
and[B1] ⊆ [B0]
then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 48 / 85
Bounding Box [Lohner]
Given: Initial value problem:dxdt
= f(x), x(t0) = x0 may also be a box
Theorem (Lohner): If[B1] := x0 + [0, h] · f([B0])
and[B1] ⊆ [B0]
then the initial value problem above has exactly onesolution over [t0, t0 + h] which lies entirely within [B1]→ Bounding Box.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 48 / 85
Algorithm
To get an enclosure . . .
� Determine bounding box and stepsize
� Evaluate Taylor series up to desired order over startbox
� Evaluate remainder term over bounding box
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 49 / 85
Bounding Box
0 1
1.5
2
2.5
3
3.5
4
4.5
5
0.05 0.1 0.15 0.2 0.25 0.3 0.35 0.4 0.45
0.5
1
1.5
2
2.5
3
3.5
t
y
x
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 50 / 85
Algorithm
� Find bounding box with greedy algorithm
� Generate derivatives symbolically
� Simplify expressions to reduce alias effects on variables� Evaluate expressions with interval arithmetic
� Taylor series� Lagrange remainder
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 51 / 85
Example
dxdt
= −x + 3, dydt
= x, x0 = [2, 4], y0 = [1, 1]
x
y
t
01
23
45
2
2.5
3
3.5
4
0
2
4
6
8
10
12
14
16
18
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 52 / 85
Example II: Stable Oscillator
dxdt
= y, dydt
= −x, x0 = [10, 12], y0 = [−1, 0]
−30
−20
−10
0
10
20
30
40
50
0.5 1 1.5 2 2.5 3 3.5 4 4.5 5
−40−30
−20−10 0
10 20
30 40
x
y
t
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 53 / 85
Wrapping Effect
dxdt
= y, dydt
= −x, x0 = [10, 12], y0 = [−1, 0]
8.5 9 9.5 10 10.5 11 11.5 12
0 0.1 0.2 0.3 0.4 0.5
−6
−5
−4
−3
−2
−1
0
tx
y
t0
t1
t2
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 54 / 85
Fight Wrapping Effect
Lohner, Stauning, . . . : use coordinate transformation
x[a, b]
y
[c, d]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 55 / 85
Fight Wrapping Effect
Lohner, Stauning, . . . : use coordinate transformation
[r, s]
[t, u]
p
q
x[a, b]
y
[c, d]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 55 / 85
Stable Oscillator
dxdt
= y, dy
dt= −x, x0 = [10, 12], y0 = [−1, 0]
−15
−10
−5
0
5
10
15
−15 −10 −5 0 5 10 15x
y
t = 6.00748
t = 0.286473
t = 0.593339
t = 0.900205
t = 1.20707
t = 0
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 56 / 85
Stable Oscillator
dxdt
= y, dy
dt= −x, x0 = [10, 12], y0 = [−1, 0]
−15
−10
−5
0
5
10
15
0 50
100 150
200
−15
−10
−5
0
5
10
15
t
xt = [0, 10]
t = [190, 200]
y
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 56 / 85
Damped Oscillator
dxdt
= y − 0.8 · x, dy
dt= −x + 0.3 · y, x0 = [10, 15], y0 = [−2, 1]
−25
−20
−15
−10
−5
0
5
10
15
0
0.5
1
1.5
2
2.5
3
3.5
−30
−20
−10
0
10
20
30
x
y
t
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 57 / 85
[Moore, 1966], [Lohner, 1988], [Stauning, 1997]
Taylor-Series-Based Enclosures: Summary
Taylor expansion of exact solution:
x(t0 + h) = x(t0) +h1
1!
dx
dt(t0) (Euler’s Method)
+h2
2!
d2x
dt2(t0) + . . .
+hn
n!
dnx
dtn(t0)
(Lagrange Remainder)
+hn+1
(n + 1)!
dn+1x
dtn+1(t0 + θh), with 0 < θ < 1
x
y
� First, calculate rough a-priori enclosure (bounding box)
� Second, compute tighter enclosure with Taylor series and encloseremainder term over a-priori enclosure
� Use Automatic Differentiation to obtain Taylor terms
� Compute coordinate transformation to fight wrapping effect
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 58 / 85
Use in ICP: Tighten Target Box
−20−15
−10−5
0 5
10 15
0
2
4
6
8
10
12
14
−20
−15
−10
−5
0
5
10
15
y
xtinitial postbox
� Given target box (including phase space and time)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 59 / 85
Use in ICP: Tighten Target Box
−20−15
−10−5
0 5
10 15
0
2
4
6
8
10
12
14
−20
−15
−10
−5
0
5
10
15
tightened postbox and TOI
y
xtinitial postbox
� Given target box (including phase space and time)
� Intersect target box with enclosure
� Remove elements with empty intersection(narrows also time-window of interest)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 59 / 85
Backward Propagation
� Use temporally reversed ODEs
� Use start box as target box and do normal forward propagation
� Intersect resulting target box with original start box
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 60 / 85
Backward Propagation
� Use temporally reversed ODEs
� Use start box as target box and do normal forward propagation
� Intersect resulting target box with original start box
Fwd. and bwd. propagation do
� narrow the start box B and target box E — also iteratively!
� narrow the time window for both B and E,
� thus give fresh meat to constraint propagation along adjacent partsof the transition sequence!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 60 / 85
Summary: Taylor-Based Enclosure
� Taylor-based numerical method with error enclosure� Tightly integrated with non-linear arithmetic constraint solving:
� provides an interval contractor, just like ICP
E’B’
B
E
� temporally symmetric (fwd. and bwd. contraction), unlike traditionalimage computation
� refutes trajectory bundles based on partial knowledge
� First proof of concept had implemented in 2008.[Eggers, Fränzle, Herde, ATVA 2008]
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 61 / 85
[Nedialkov and Jackson, 1999], [Nedialkov, Jackson, and Pryce, 2001], [Nedialkov, 2006]
Beyond Taylor Series: VNODE-LP
� Hermite-Obreschkoff method: generalization of Taylor series� VNODE-LP:
� Use High-Order Enclosure (HOE) to obtain a-priori enclosure ofODE
� Use Interval Taylor Series (ITS) with coordinate transformation andQR-method as predictor
� Use Interval Hermite-Obreschkoff (IHO) method as corrector
� IHO allows larger stepsize than ITS (ITS becomes numericallyunstable for smaller stepsizes than IHO)
� Local error for nonlinear ODEs much lower for IHO than for ITS
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 62 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between
determined by VNODE−LP
enclosures at (very tight) time intervals
... up to a given horizon
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between
a−priori enclosures determined by VNODE−LP
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
VNODE-LP as an Enclosure Method in iSAT-ODE
� VNODE-LP: safe interval enclosures for ODEs� Output: tight enclosures at end of step, a-priori enclosures covering
timespan in between� iSAT-ODE layer: re-evaluate extreme parts of enclosure with
refined stepsize for tighter result → expensive
selectively tightenedboxes
boxes that finally
intersect with the
postbox
given postbox
a−priori enclosures
−15
−10
−5
0
5
10
15
0 5 10 15 20
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 63 / 85
Bracketing Systems: Rationale
� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains
� Point-wise (or small interval) reasoning thus preferable, if applicable
� A natural idea is to follow extremal trajectories:
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 64 / 85
Bracketing Systems: Rationale
� Direct VNODE-LP enclosures tend to diverge quickly for largeinitial domains
� Point-wise (or small interval) reasoning thus preferable, if applicable
� A natural idea is to follow extremal trajectories:
� Problem 1: Number of spanning nodes exponential in systemdimension.
� Problem 2: Reachable set need not be spanned by trajectoriesoriginating in extremal points.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 64 / 85
[Müller, 1927]
Bracketing Systems: Essence of Müller’s Theorem
Bounding
box
xx− x+
y−
y
y+
dxdt = f (x, y)
dydt = g(x, y)
If, e.g., f monotonic in x, antitonic in y within bounding box,g monotonic in x and y within bounding box
then [x−(t), x+(t)]× [y−(t), y+(t)] yields an enclosure for(x(t), y(t)) if x−, . . . , y+ are solutions to
dx−
dt= f(x−, y+) dy−
dt= g(x−, y−)
dx+
dt= f(x+, y−) dy+
dt= f(x+, y+)
with IVs x−(0) ≤ x(0) ≤ x+(0), y−(0) ≤ y(0) ≤ y+(0).
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 65 / 85
[Ramdani, Meslem, and Candau, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Bracketing Systems
� Direct VNODE-LP enclosures may diverge quickly for large initialdomains
� Evaluate signs of partial derivatives of ODE’s right-hand side overcurrent enclosure
� If all relevant entries each strictly positive / negative, proceed
� Using Müller’s theorem, generate a bracketing system: replaceoriginal variables by upper and lower bracketing variablesdepending on signs in Jacobian [Müller, 1927]
� Enclose bracketing system using VNODE-LP: twice thedimensionality but point-valued initial conditions
� Re-evaluate Jacobian, check validity of signs (a-posteriorivalidation)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 66 / 85
Comparison: Direct vs. Bracketing
denselower bracketing a prioriupper bracketing a priori
direct a prioridirect enclosure
lower bracketing enclosureupper bracketing enclosure
−3
−2
−1
0
1
2
0 2 4 6 8 10 12
x dimension of•
x = −p4x−p1x
1 + p2y+ p3y + 0.1
•
y = p4x− p3y
x(0) ∈ [1, 1.2], y(0) ∈ [0.8, 1], p1 ∈ [0.8, 1], p2 ∈ [1.0, 1.2], p3 ∈ [0.3, 0.5],
and p4 ∈ [0.20, 0.25].Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 67 / 85
[Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Comparison: Direct vs. Bracketing
denselower bracketing a prioriupper bracketing a priori
direct a prioridirect enclosure
lower bracketing enclosureupper bracketing enclosure
−30
−20
−10
0
10
20
30
0 2 4 6 8 10 12
x dimension of•
x= y,•
y= −x,x(0), y(0) ∈ [1, 2].
� Complementary strengths
⇒ iSAT-ODE: Intersect both enclosures for tighter result.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 68 / 85
[Eggers, Fränzle, and Herde, 2009], [Eggers, Ramdani, Nedialkov, and Fränzle, 2011]
Learning ODE Deductions
� ODE enclosures very expensive compared to simple intervalconstraint propagations
� Preserve once-learnt facts from deletion during backjumps (similarto learning conflict clauses [Marques-Silva and Sakallah, 1996])
� Learn deduced facts for all isomorphic instances (constraintsreplication [Shtrichman, 2000])
� Two main ingredients:� iSAT core: learn new clauses during search (multiple at once, not
necessarily conflicts, potentially introducing new variables to safelyrepresent constants)
� ODE layer: recognize enclosure requests that have already beenanswered (or can be subsumed under previously answered requests)
� Additionally: store limited number of VNODE’s intermediateresults for reuse, when partial request is detected (e.g. compatibleinitial box but tighter delta_time range)
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 69 / 85
SAT Modulo ODE
Solving the Case Study
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 70 / 85
Hybrid Systems – Example: Plant & Controller
plant_dynamics
omega_set
v_set
x
y
alpha
v
omega
every_two_time_units
controller
trigger
alpha
xpos
ypos
x_target
y_target
omega
v
alpha_target
3
−5
continuous controller + plant dynamics
nonlinear computations
parallel composition
bang−bang control
time−triggered controller invocation
uncountably infinitely many target positions
Does this system work as specified?
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 71 / 85
Predicative Encoding
−− A robot that is being given a target location to which it shall move.
DECLdefine MAX_TIME = 100; −− Maximum global time.define MAX_STEP = 2; −− Maximum duration.float [0, MAX_TIME] time; −− Global time.float [0, MAX_STEP] delta_time; −− Step duration.float [−100, 100] x; −− Position, x coordinate .float [−100, 100] y; −− Position, y coordinate .float [−100, 100] delta_x; −− Position change by flow, x coordinate .float [−100, 100] delta_y; −− Position change by flow, y coordinate .float [−8, 8] alpha; −− Direction.float [−1, 1] omega; −− Angular velocity.float [−0.1, 0.1] omega_set; −− Angular velocity set point.float [−10, 10] v; −− Velocity.float [0, 0.4] v_set; −− Velocity set point .define P_v = 3; −− Proportional gain in analog velocity control .define P_omega = 1.6; −− Proportional gain in analog angular velocity ctrl .
define PI_LB = 3.141592; −− Lower bound for PI.define PI_UB = 3.141593; −− Upper bound for PI.
define PI_UB_HALF = 1.5708; −− Upper bound for 0.5 ∗ PI.
float [−100, 100] x_target; −− Position of target , x coordinate .float [−100, 100] y_target; −− Position of target , y coordinate .float [0, 142] distance ; −− Distance to target.float [−100, 100] dx; −− Distance to target, x component.float [−100, 100] dy; −− Distance to target, y component.float [−1, 1] tmp_quot_dy_dist; −− Quotient dy / distance.−− Reduce nondeterminism in model by enforcing that alpha cannot be less and−− more than alpha_target at the same time and distance must be in one−− category (−−0.1−−−0.5−−−5−−).boole alpha_leq_alpha_target;boole alpha_geq_alpha_target;boole distance_geq_5;boole distance_geq_05;boole distance_geq_01;
−− Result of asin(tmp_quot_dy_dist) is limited to standard branch used by−− ctrl’s asin implementation.float [−PI_UB_HALF, PI_UB_HALF] alpha_target_tmp;
float [−8, 8] alpha_target; −− Direction to target .define CTRL_PI = 3.1415927; −− PI constant used by controller.−− Note that the real controller will be using such a fixed constant , i .e.−− here it is not necessary to safely enclose PI by an interval when the−− same calculations are performed as done by the controller (which we−− assume here).
boole flow ;
INITtime = 0;x = 0;y = 0;alpha = 0;omega = 0;v = 0;
−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;
−− Initial Controller run.dy = y_target − y;dx = x_target − x;distance = nrt(dx^2 + dy^2, 2);−− tmp_quot_dy_dist = dy / distance.distance ∗ tmp_quot_dy_dist = dy;sin (alpha_target_tmp) = tmp_quot_dy_dist;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist >= −1 and tmp_quot_dy_dist <= −0.64)−> ( alpha_target_tmp >= 3 ∗ (tmp_quot_dy_dist + 0.5) − 0.3
and alpha_target_tmp <= 2.29 ∗ tmp_quot_dy_dist + 0.991);(tmp_quot_dy_dist >= −0.64 and tmp_quot_dy_dist <= 0.64)−> ( alpha_target_tmp >= tmp_quot_dy_dist
+ 0.16 ∗ (tmp_quot_dy_dist^3) − 0.05and alpha_target_tmp <= tmp_quot_dy_dist
+ 0.16 ∗ (tmp_quot_dy_dist^3) + 0.05);(tmp_quot_dy_dist >= 0.64 and tmp_quot_dy_dist <= 1)−> ( alpha_target_tmp >= 2.29 ∗ tmp_quot_dy_dist − 1
and alpha_target_tmp <= 3 ∗ (tmp_quot_dy_dist + 0.5) − 2.65);alpha_target_tmp >= −1.570797;alpha_target_tmp <= 1.570797;−− End of redundant encoding for asin.
dx >= 0 −> alpha_target = alpha_target_tmp;dx < 0 −> alpha_target = CTRL_PI − alpha_target_tmp;
alpha_leq_alpha_target <−> alpha <= alpha_target;alpha_geq_alpha_target <−> alpha >= alpha_target;
alpha_leq_alpha_target and !alpha_geq_alpha_target −> omega_set = 0.1;!alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = −0.1;alpha_leq_alpha_target and alpha_geq_alpha_target −> omega_set = 0;
distance_geq_5 <−> distance >= 5;distance_geq_05 <−> distance >= 0.5;distance_geq_01 <−> distance >= 0.1;
distance_geq_5 −> v_set = 0.4;distance_geq_05 and !distance_geq_5 −> v_set = 0.2;distance_geq_01 and !distance_geq_05 −> v_set = 0.1;!distance_geq_01 −> v_set = 0;
flow ;TRANS
!flow ’ <−> flow;time ’ = time + delta_time;
−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);
flow −> delta_time = 2;
−− Target stays constant.x_target’ = x_target;y_target’ = y_target;
!flow −> delta_time = 0;!flow −> x’ = x
and y’ = yand alpha’ = alphaand v’ = vand omega’ = omega;
−− Controller calculates the current direction to target location at every−− step.dy’ = y_target’ − y’;dx’ = x_target’ − x’;
distance ’ = nrt(dx’^2 + dy’^2, 2);−− tmp_quot_dy_dist’ = dy’ / distance’.distance ’ ∗ tmp_quot_dy_dist’ = dy’;sin (alpha_target_tmp’) = tmp_quot_dy_dist’;−− Adding a redundant encoding to reduce search effort induced by−− iSAT’s lack of an inverse sine propagation.(tmp_quot_dy_dist’ >= −1 and tmp_quot_dy_dist’ <= −0.64)−> ( alpha_target_tmp’ >= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 0.3
and alpha_target_tmp’ <= 2.29 ∗ tmp_quot_dy_dist’ + 0.991);(tmp_quot_dy_dist’ >= −0.64 and tmp_quot_dy_dist’ <= 0.64)−> ( alpha_target_tmp’ >= tmp_quot_dy_dist’
+ 0.16 ∗ (tmp_quot_dy_dist’^3) − 0.05and alpha_target_tmp’ <= tmp_quot_dy_dist’
+ 0.16 ∗ (tmp_quot_dy_dist’^3) + 0.05);(tmp_quot_dy_dist’ >= 0.64 and tmp_quot_dy_dist’ <= 1)−> ( alpha_target_tmp’ >= 2.29 ∗ tmp_quot_dy_dist’ − 1
and alpha_target_tmp’ <= 3 ∗ (tmp_quot_dy_dist’ + 0.5) − 2.65);alpha_target_tmp’ >= −1.570797;alpha_target_tmp’ <= 1.570797;−− End of redundant encoding for asin.
dx’ >= 0 −> alpha_target’ = alpha_target_tmp’;dx’ < 0 −> alpha_target’ = CTRL_PI − alpha_target_tmp’;
−− The discrete controller can set new omega_set and new v_set every step.−− Would need to adjust this if BMC steps and controller steps became−− seperated.alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;
! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’−> omega_set’ = 0.1;
!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = −0.1;
!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’−> omega_set’ = 0;
distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;
!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;
TARGETdistance > 0.1;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 72 / 85
Predicative Encoding – Continuous Dynamics
omega
5
v
4
alpha
3
y
2
x
1
cos
sin
P_v
3
P_omega
1.6
1
s
1
s
1
s 1
s
1
s
v_set
2
robot motioncontinuous−time
proportional control
omega_set
1
alpha
vx
vy
xx
yyv
omega
•
ω
•
v= a
time ’ = time + delta_time;
−− System dynamics including analog controller feedback for velocities .−− Since the actual movement is independent from the absolute position ,−− we use relative positions instead and benefit from better caching.flow −> x’ = x + delta_x’; −− Add relative movement to absolute position.flow −> y’ = y + delta_y’;flow −> delta_x = 0; −− Start relative movement in (0,0).flow −> delta_y = 0;flow −> (d.delta_x / d.time = v ∗ cos(alpha));flow −> (d.delta_y / d.time = v ∗ sin(alpha ));flow −> (d.alpha / d.time = omega);flow −> (d.v / d.time = P_v ∗ (v_set − v));flow −> (d.v_set / d.time = 0);flow −> (d.omega / d.time = P_omega ∗ (omega_set − omega));flow −> (d.omega_set / d.time = 0);
flow −> delta_time = 2;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 73 / 85
Predicative Encoding – Discrete Controller
all
rotation1
m0
speed 2
m1
[alpha > alpha_target] / omega = − 0.1;2
[alpha == alpha_target] / omega = 0;
3
[alpha < alpha_target] / omega = 0.1;
1
[alpha < alpha_target] / omega = 0.1;
2
[alpha > alpha_target] / omega = − 0.1;
1
/v=0.4;
[dist_to_target < 0.1] / v = 0;
3
[dist_to_target > 0.5 && dist_to_target < 5] / v = 0.2;
1
[dist_to_target > 0.1 && dist_to_target < 0.5] / v = 0.1 ;
2
alpha_leq_alpha_target’ <−> alpha’ <= alpha_target’;alpha_geq_alpha_target’ <−> alpha’ >= alpha_target’;
! flow and alpha_leq_alpha_target’ and !alpha_geq_alpha_target’ −> omega_set’ = 0.1;!flow and !alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = −0.1;!flow and alpha_leq_alpha_target’ and alpha_geq_alpha_target’ −> omega_set’ = 0;
distance_geq_5’ <−> distance’ >= 5;distance_geq_05’ <−> distance’ >= 0.5;distance_geq_01’ <−> distance’ >= 0.1;
!flow and distance_geq_5’ −> v_set’ = 0.4;!flow and distance_geq_05’ and !distance_geq_5’ −> v_set’ = 0.2;!flow and distance_geq_01’ and !distance_geq_05’ −> v_set’ = 0.1;!flow and !distance_geq_01’ −> v_set’ = 0;
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 74 / 85
Predicative Encoding – Proof Obligation
E.g., looking for a target position that cannot be reached within given
number of steps:
INIT...−− Target position.−− OPEN: Looking for a target position that cannot be reached within given−− number of steps.x_target >= 6;x_target <= 10;y_target >= −4;y_target <= 4;
...
TARGETdistance > 0.1;
Note: Target position not determined!
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 75 / 85
Candidate Solution Box from iSAT-ODE
Extracting (x, y)-trace from candidate solution box.
0
0.5
1
1.5
2
2.5
3
0 1 2 3 4 5 6 7 8
’robot_motion_14.hys_out_prabs1e−6_k42_wilkinson_defs_plot_0.plot_data’
x
y
BMC unwinding depth 42, runtime 2966 s (2.4 GHz AMD Opteron)
Valuation forxtarget : (6.6888899, 6.68907593]ytarget : [1.53229439, 1.53235116)
Robot reaches target but moves on.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 76 / 85
Candidate Solution from iSAT-ODE – Distance
y distance dx dy
0
2
4
6
8
0 10 20 30 40
x
distance_geq_01
distance_geq_05
distance_geq_5
alpha_leq_alpha_target
alpha_geq_alpha_target
0 10 20 30 40
BMC Steps
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 77 / 85
Candidate Solution from iSAT-ODE – Velocityv v_set
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 10 20 30 40
v 6= 0!
� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]
in step 32� Robot passes nearby target location but not close enough to
enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0
� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85
Candidate Solution from iSAT-ODE – Resultv v_set
0
0.05
0.1
0.15
0.2
0.25
0.3
0.35
0.4
0 10 20 30 40
v 6= 0!
� Target speed is set to zero� Robot decelerates but reaches only speed [0.00024766, 0.0002485]
in step 32 −→ P-controller might be too weak� Robot passes nearby target location but not close enough to
enforce robot standstill� Controller not built with a sink state for keeping target velocity at 0−→ Should keep target speed at 0
� Robot accelerates again and final distance is ≥ 0.1Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 78 / 85
Simulated Error Trajectory for Candidate Solution
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 79 / 85
Simulated Error Trajectory – Continued
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 80 / 85
Conclusion
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 81 / 85
Conclusion
Problem: Direct handling of constraints involving arbitraryBoolean combinations of
� literals,� linear, polynomial, and transcendental (in-)equations
over the reals,� (potentially non-linear) ODE constraints interpreted
as pre-post-relations,
as arising in predicative encodings of analysis problemsof non-linear hybrid systems.
Approach: Build a tight integration of
� conflict-driven clause learning (CDCL) SAT solving,� interval constraint propagation,� interval-based enclosures of sets of inital-value
problems wrt. an ODE.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 82 / 85
Related Approaches I
� Hybridization techniques allowing nonlinear ODEs to be handledby linear ODE methods or even by methods covering piecewiseconstant ODE only, e.g. LinSAT(cf., e.g., [Asarin, Dang, and Girard, 2007])
� Constraint Logic Programming(Functions) CLP(F)[Hickey and Wittenberg, 2004]
� Arithmetic and analytic relations between real and function variables� Function-type variables constrained by derivative constraints� Derivative constraints solved by interval constraint propagation
exploiting overapproximating Taylor series� But: not fighting the wrapping effect⇒ Excessive growth of enclosures
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 83 / 85
Related Approaches II
� ODE enclosures embedded into Constraint ProgrammingFramework [Goldsztejn, Mullier, Eveillard, and Hosobe, 2010]
� Branch and prune algorithm for conjunctive systems� Interval Newton for pruning and existence proofs� Using CAPD library (“optimized for small initial conditions”)⇒ “very sharp enclosures of solutions, but poorer performances for
exploring large domains”
� hydlogic: Classic SMT with VNODE-LP and Interval Newton[Ishii, Ueda, and Hosobe, 2011]
� SAT solver enumerating abstract trajectories� Constraint Solving (Elisa + VNODE-LP)� Learning� Interval Newton to prove existence of trajectories⇒ Different approach using classical DPLL(T) integration scheme
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 84 / 85
Thanks
� to Andreas Eggers, Nacim Ramdani, and Ned Nedialkov for thejoint development of iSAT(ODE),
� to the many collaborators in the development of iSAT, in particular� C. Herde, T. Teige (both Oldenburg),
S. Kupferschmid, K Scheibler, T. Schubert, B. Becker (Freiburg),S. Ratschan (Prague)
within the� DFG-funded Transregional Research Center 14 “AVACS”
(Automatic Analysis and Verification of Complex Systems)
� and to Andreas Eggers, Christian Herde, and Tino Teige forcontributing many slides.
Martin Fränzle · SAT/SMT School 2012 · SAT Modulo Ordinary Differential Equations · 85 / 85