Generalized Property-Directed Reachability for Hybrid Systems (presented in VMCAI 2020)
1. Generalized Property-Directed Reachability for Hybrid Systems
Kohei Suenaga (Kyoto University; sabbatical at Arizona State Univ. until this March)
Takuya Ishizawa (Kyoto University)
– Hybrid systems: Dynamical systems exhibiting both discrete-time dynamics and continuous-time dynamics
– Generalized property-directed reachability: A software model checking technique proposed by Hoder and Bjørner [SAT’12]
2. This talk
• HGPDR: Extension of generalized property-directed reachability (GPDR) to hybrid systems
• The main focus of this work is theory; an implementation is left as future work
3. The problem: Safety verification
• Given:
– Hybrid system: S
– Safety specification: P (e.g., |x|<2)
• Return:
– Safe: If S always satisfies P
– Unsafe: If there is an execution of S that violates P
• together with a concrete execution path that leads to an unsafe state
4. Outline
• Transition system and safety verification
• GPDR for software model checking
[Hoder and Bjørner SAT’12]
• HGPDR: Extension of GPDR for hybrid systems
• Conclusion
5. Running example of software (w/o continuous-time dynamics)
Safety spec. P := x < 5 (We want to make sure that x never reaches 5)
Initial condition: x0∈[-1,0], y0∈[0,1]
x := x0; y := y0;
while (true) {
if (x≧0) {
(x,y) := (-x,-y)
} else {
(x,y) := (-x,y)
}
}
6. Software system as a transition system
[Figure: transition system with two modes, l0 (stay condition x ≧ 0) and l1 (stay condition x < 0); initial condition x := x0, y := y0; the transition guarded by x ≧ 0 executes (x,y) := (-x,-y), and the transition guarded by x < 0 executes (x,y) := (-x,y)]
– Mode: Location in the source code
– Stay condition: System can stay in this mode while this condition is satisfied
– Guard: Condition for this transition to be enabled
– Command executed in the transition: e.g., (x,y) := (-x,-y)
– Initial condition: x := x0, y := y0
7. Dynamics of the transition system on the x-y plane
[Figure: x-y plane with the safe region; task: verifying that the system does not go out of this region]
Safety spec. P := x < 5 (We want to make sure that x never reaches 5)
8. For this initial cond.
[Figure: x-y plane showing the states reached by the program of slide 5 for the initial condition x0∈[-1,0], y0∈[0,1]]
11. Outline
• Transition system and safety verification
• GPDR for software model checking [Hoder and Bjørner SAT’12]
– IC3/PDR [Bradley SAT’11]
– GPDR
• HGPDR: Extension of GPDR for hybrid systems
• Conclusion
12. IC3/PDR [Bradley SAT’11]
• Model checking algorithm for safety verification
– Computes an inductive invariant incrementally
– Iteratively refines a sequence of over-approximations of the reachable set
13. IC3/PDR in our example
• Maintains i-step over-approximations of the reachable set, called frames
– Typically represented as logical formulas
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states (set to True here)]
14. IC3/PDR in our example
• Look for a counter-example to safety
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states (set to True here); the point (x,y)=(5,0) in the 1st frame violates the safety spec. P := x < 5 (we want to make sure that x never reaches 5)]
15. IC3/PDR in our example
• Try to refute that (x,y)=(5,0) is 1-step reachable from the 0th frame
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states (set to True here); the 1-step predecessor of (5,0) is the point (x,y)=(-5,0)]
• (-5,0) is not in the 0th frame; therefore (5,0) is not 1-step reachable from the 0th frame
• Reasoning is done by encoding these conditions as a query to an SMT solver
16. IC3/PDR in our example
• Refine the 1st frame by (x,y)≠(5,0)
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states, now (x≠5 ∨ y≠0)]
17. Refinement in practice
• Generalization to exclude more states: exclude x≧5 rather than x=5, so the 1st frame becomes x<5 after generalization
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states, (x≠5 ∨ y≠0) before and x<5 after generalization]
• We don’t go into a concrete generalization strategy in this work
18. No counter-example in 1st frame
• Proved: The system does not violate safety in 1 step
• However, an inductive invariant has not been reached yet
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states (x < 5)]
19. Extend the frame sequence
[Figure: 0th frame = initial states; 1st frame = over-approx. of 1-step reachable states (x < 5); 2nd frame = over-approx. of 2-step reachable states (True)]
20. Counterexample in Frame 2
[Figure: 0th frame = initial states; 1st frame (x < 5); 2nd frame (True); the counterexample (x,y)=(5,0) lies in Frame 2]
21. Previous state computation
[Figure: 0th frame = initial states; 1st frame (x < 5); 2nd frame (True); counterexample (x,y)=(5,0) in Frame 2; its previous state (x,y)=(-5,0) is still in Frame 1]
22. Previous state computation
[Figure: 0th frame = initial states; 1st frame (x < 5); 2nd frame (True); counterexample (x,y)=(5,0) in Frame 2; its previous state (x,y)=(-5,0) is still in Frame 1; the previous state of (-5,0), namely (x,y)=(5,0), is not in Frame 0]
• Refinement: exclude (x,y)=(5,0) from Frame 1
23. Previous state computation
[Figure: 0th frame = initial states; 1st frame refined to (-5 < x < 5); 2nd frame (True); counterexample (x,y)=(5,0) in Frame 2; its previous state (x,y)=(-5,0) was still in Frame 1, and the previous state of that, (x,y)=(5,0), is not in Frame 0]
• Refinement of Frame 1 to -5 < x < 5
NB: By applying the so-called “induction” operation, we can propagate -5<x<5 to Frame 2 from Frame 1
24. Counterexample in Frame 2
[Figure: 0th frame = initial states; 1st frame (-5 < x < 5); 2nd frame (True); the counterexample (x,y)=(5,0) is still in Frame 2]
25. Previous state computation
[Figure: 0th frame = initial states; 1st frame (-5 < x < 5); 2nd frame (True); counterexample (x,y)=(5,0) in Frame 2; its previous state (x,y)=(-5,0) is not in Frame 1]
• Refinement
26. Refinement
[Figure: 0th frame = initial states; 1st frame (-5 < x < 5); 2nd frame refined to (-5 < x < 5)]
• Invariant found: Frame 1 and Frame 2 are equivalent
27. Outline
• Transition system and safety verification
• GPDR for software model checking [Hoder and Bjørner SAT’12]
– IC3/PDR [Bradley SAT’11]
– GPDR
• HGPDR: Extension of GPDR for hybrid systems
• Conclusion
28. Generalized Property-Directed Reachability (GPDR) [Hoder and Bjørner SAT’12]
• Generalization of IC3/PDR [Bradley SAT’11]
– Abstraction of IC3/PDR as a set of rewriting rules for frame sequences
– System dynamics is encapsulated by a forward predicate transformer F: F(R) is the set of states 1-step reachable from R
F(R) :=
(x = 0 ∧ v ∈ [0,1])
∨ ∃x’,v’. (R(x’,v’) ∧ x’ ≧ 0 ∧〈D0|x’≧0〉(x’<0 ∧ x=x’ ∧ v’=v))
∨ ∃x’,v’. (R(x’,v’) ∧ x’ < 0 ∧〈D1|x’<0〉(x’≧0 ∧ x=x’ ∧ v’=v))
29. Invariant on frame sequence
• Rule 1: R0 is equal to the initial states
• Rule 2: “Ri implies Ri+1” has to hold for 0≦i<N
– R0, R1, … become weaker monotonically
• Rule 3: F(Ri) implies Ri+1 for i=0,…,N-1
• Rule 4: Each of R0,…,RN-1 implies the safety cond. P
[Figure: frame sequence R0 ⇒ R1 ⇒ R2 ⇒ … ⇒ RN-1 ⇒ RN with R0 = init. states, F(Ri) ⇒ Ri+1 for each i, and Ri ⇒ P]
• Ensures the intuition that Ri is an over-approx. of the i-step reachable set
• GPDR manipulates the frame sequence respecting this invariant
34. Rewriting rules for frame sequences (Rule [Candidate])
{} || R0,…,RN
⟶ {<N,σ>} || R0,…,RN   if σ witnesses RN ∧ ¬P
• The set on the left of || keeps the found counter-examples
• If σ is a counter-example to safety in RN, bookkeep that σ is found in RN (as the pair <N,σ>)
35. Rewriting rules for frame sequences (Rule [Decide])
{<i+1, σ’>} ∪ M || R0,…,RN
⟶ {<i, σ>, <i+1,σ’>} ∪ M || R0,…,RN   if σ’ is 1-step reachable from some σ that witnesses Ri
• If σ’ is a counter-example in Ri+1 and σ is a counter-example to safety in Ri, bookkeep that σ is found in Ri
36. Rewriting rules for frame sequences (Rule [Conflict])
{<i+1, σ’>} ∪ M || R0,…,RN
⟶ { } || R0, R1∧R, …, Ri+1∧R, Ri+2, …, RN   if the set of states from which σ’ is 1-step reachable does not intersect with Ri
• If σ’ is a counter-example in Ri+1 but is found not to be reachable from init. in (i+1) steps, refine R1, …, Ri+1 with R
• Any R that is a Craig interpolant of F(Ri) and σ’ can be used for refinement
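Added example, not the authors’ PoC implementation: a small Python model of the running software example, projected onto x because the safety spec. only mentions x. Predicates are finite unions of real intervals (an assumption that suffices here), F is the forward predicate transformer of slide 28 and the backup slides, check_frames tests Rules 1–4 of the frame-sequence invariant, and trace_back replays the predecessor walk of [Decide]/[Conflict] on the frames of slides 20–26.

```python
from dataclasses import dataclass
from math import inf

@dataclass(frozen=True)
class Iv:  # real interval; lc/hc: is the low/high endpoint closed?
    lo: float; hi: float; lc: bool; hc: bool
    def neg(self):  # image of the interval under x := -x
        return Iv(-self.hi, -self.lo, self.hc, self.lc)
    def covers(self, o):  # o ⊆ self
        return ((self.lo < o.lo or (self.lo == o.lo and (self.lc or not o.lc))) and
                (o.hi < self.hi or (o.hi == self.hi and (self.hc or not o.hc))))

def merge(ivs):  # normalise a union of intervals into disjoint, non-touching pieces
    out = []
    for i in sorted(ivs, key=lambda j: (j.lo, not j.lc)):
        p = out[-1] if out else None
        if p and (p.hi > i.lo or (p.hi == i.lo and (p.hc or i.lc))):
            hi, hc = max((p.hi, p.hc), (i.hi, i.hc))
            out[-1] = Iv(p.lo, hi, p.lc, hc)
        else:
            out.append(i)
    return out

def implies(a, b):  # a ⇒ b: every piece of a lies inside one merged piece of b
    mb = merge(b)
    return all(any(j.covers(i) for j in mb) for i in merge(a))
def equiv(a, b): return implies(a, b) and implies(b, a)
def member(x, r):  # does the point x witness the predicate r?
    return any((i.lo < x or (x == i.lo and i.lc)) and (x < i.hi or (x == i.hi and i.hc)) for i in r)

INIT = [Iv(-1, 0, True, True)]     # x0 ∈ [-1,0]  (constructed from slide 5)
P = [Iv(-inf, 5, False, False)]    # safety spec. P := x < 5
def F(r):  # forward predicate transformer: initial states, or 1-step successors of r
    # both branches (x ≧ 0 and x < 0) assign x := -x, so on x their union is just -r
    return INIT + [i.neg() for i in r]

def check_frames(frames):  # (rule, i) pairs of the frame-sequence invariant violated by R0,…,RN
    bad = [] if equiv(frames[0], INIT) else [(1, 0)]
    for i in range(len(frames) - 1):
        if not implies(frames[i], frames[i + 1]): bad.append((2, i))     # Ri ⇒ Ri+1
        if not implies(F(frames[i]), frames[i + 1]): bad.append((3, i))  # F(Ri) ⇒ Ri+1
        if not implies(frames[i], P): bad.append((4, i))                 # Ri ⇒ P, i < N
    return bad

def trace_back(x, frames):  # [Decide]/[Conflict]: walk a candidate x in RN back towards R0
    path = [x]
    for i in range(len(frames) - 2, -1, -1):
        path.append(x := -x)  # the only 1-step predecessor of x under either branch is -x
        if not member(x, frames[i]):  # predecessor outside Ri: conflict, refine R1..Ri+1
            return ('conflict', i, x)
    return ('reached_init', path[::-1])  # every predecessor in its frame: concrete path from init
```

Running check_frames on [init, x<5, x<5] reports Rule 3 at i=1, which is exactly why the generalization x<5 alone is not inductive and the refinement to -5<x<5 is needed.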
37. Key properties to the soundness proof of GPDR
• If σ witnesses R and σ’ is 1-step reachable from σ, then σ’ witnesses F(R)
• F(false) is equivalent to the initial condition
• F(R) is monotonic with respect to R
– i.e., F(R) implies F(R’) if R implies R’
GPDR can be applied to other kinds of systems as long as we keep these properties!
38. Outline
• Transition system and safety verification
• GPDR for software model checking
[Hoder and Bjørner SAT’12]
• HGPDR: Extension of GPDR for hybrid systems
• Conclusion
39. Hybrid systems
• Dynamical systems exhibiting discrete-time dynamics and continuous-time dynamics
[Figure: hybrid automaton with modes l0 (flow dx/dt = v, dv/dt = -1; stay condition x≧0) and l1 (flow dx/dt = v, dv/dt = 1; stay condition x<0); initial condition x := 0, v := v0; jumps between the modes with guards x < 0 and x ≧ 0]
– Flow: ODE that specifies the continuous dynamics in each mode
– Jump: discrete transition between modes
40. For extension of GPDR for hybrid systems…
• If σ witnesses R and σ’ is 1-step reachable from σ, then σ’ witnesses F(R)
• F(false) is equivalent to the initial condition
• F(R) is monotonic with respect to R
– i.e., F(R) implies F(R’) if R implies R’
We need to define F that satisfies these conditions!
42. Definition of F
• In our current example…
F(R(x,v)) :=
(x = 0 ∧ v ∈ [0,1])
∨ ∃x’,v’. (R(x’,v’) ∧ x’ ≧ 0 ∧〈D0|x’≧0〉(x’<0 ∧ x=x’ ∧ v’=v))
∨ ∃x’,v’. (R(x’,v’) ∧ x’ < 0 ∧〈D1|x’<0〉(x’≧0 ∧ x=x’ ∧ v’=v))
– D0 and D1 are the ODEs of modes l0 and l1
– 〈D0|x’≧0〉(…) and 〈D1|x’<0〉(…) are continuous reachability predicates (CRP)
44. Continuous reachability predicate (CRP)
〈D|φ〉φ’   (D: ODE, φ: stay cond., φ’: post cond.)
• Expresses reachability via a flow specified by the ODE D
• Intuition: σ witnesses this formula if:
– There is a trajectory T from σ via D,
– All the points on T satisfy φ, and
– φ’ is satisfied at the end of T
• Special case of differential dynamic logic (dL) [Platzer J. Autom. Reasoning’08]
45. Definition of F
F(R(x,v)) :=
(x = 0 ∧ v ∈ [0,1])
∨ ∃x’,v’. (R(x’,v’) ∧ x’ ≧ 0 ∧〈D0|x’≧0〉(x’<0 ∧ x=x’ ∧ v’=v))
∨ ∃x’,v’. (R(x’,v’) ∧ x’ < 0 ∧〈D1|x’<0〉(x’≧0 ∧ x=x’ ∧ v’=v))
• Second disjunct: if there is (x’,v’) that satisfies R, such that the stay cond. of l0 is satisfied, and if there is a trajectory (via D0) along which the stay cond. is satisfied, and at the end the guard from l0 to l1 is satisfied
– Intuition: Reachable from R by a flow in l0 and a jump from l0 to l1
• Third disjunct, likewise with D1 and the stay cond. of l1
– Intuition: Reachable from R by a flow in l1 and a jump from l1 to l0
47. Conformance to “key properties”
• If σ witnesses R and σ’ is 1-step reachable from σ, then σ’ witnesses F(R)
• F(false) is equivalent to the initial condition
• F(R) is monotonic with respect to R
– i.e., F(R) implies F(R’) if R implies R’
F(R(x,v)) :=
(x = 0 ∧ v ∈ [0,1])
∨ ∃x’,v’. (R(x’,v’) ∧ x’ ≧ 0 ∧〈D0|x’≧0〉(x’<0 ∧ x=x’ ∧ v’=v))
∨ ∃x’,v’. (R(x’,v’) ∧ x’ < 0 ∧〈D1|x’<0〉(x’≧0 ∧ x=x’ ∧ v’=v))
48. Problem of naïve application of GPDR
[Figure: the frame-sequence invariant R0 ⇒ R1 ⇒ … ⇒ RN with F(Ri) ⇒ Ri+1 and Ri ⇒ P]
• Only guarantees safety for trajectories that end with a jump
49. Tweak needed for sound procedure
[Figure: the frame sequence R0 ⇒ … ⇒ RN of slide 48 extended with a remainder frame R’, related to RN by the flow transformer C]
• Remainder frame R’: Over-approximates the states reachable from RN by a flow (not followed by a jump)
• Flow transformer C(R): States reachable from R by a flow (not followed by a jump)
• Soundness proof in the full version (https://arxiv.org/abs/1910.03784)
50. More in the paper…
• Precise definitions
• Soundness statement
– Proof in the full version on arXiv.org
• Specification of GPDR in “mode-aware” style
– A frame is a function from mode names to a predicate
• PoC implementation
– Proves the safety of a simple system
– User provides (quite a lot of) information
51. Conclusion
• HGPDR: Extension of GPDR to hybrid systems
– Defines F so that it expresses the dynamics of hybrid
systems using CRP
– Tweak to the procedure
• Remainder frame
• Flow transformer
– PoC implementation
• Future direction
– Decent implementation and experiments
• Important question to be answered: Is PDR-style
model checking useful for hybrid systems?
• Requires an external solver that understands flow
dynamics …
– Hybrid system verification by Horn-clause solving?
53. System dynamics as forward predicate transformer
• In our current example…
F(R(x,y)) :=
(x ∈ [-1,0] ∧ y ∈ [0,1])
∨ ∃x’’,y’’. (R(x’’,y’’) ∧ x’’ ≧ 0 ∧ x = -x’’ ∧ y = -y’’)
∨ ∃x’’,y’’. (R(x’’,y’’) ∧ x’’ < 0 ∧ x = -x’’ ∧ y = y’’)
• F is the fwd. pred. trans.; F takes a frame on x and y
• The right-hand side encodes “1-step reachable state from R, or init. state” as a disjunction of 3 formulae:
– First disjunct: Initial state
– Second disjunct: Transition from l0 to l0. If there are x’’ and y’’ that satisfy R, x’’≧0, x=-x’’ and y=-y’’, then (x,y) is 1-step ahead of the states satisfying R
– Third disjunct, likewise: for x’’ and y’’ that satisfy R, if x’’<0, x=-x’’ and y=y’’
NB: In the paper, a frame is a function from mode names to formulae