Nonlinear Real Arithmetic and δ-satisfiability. Paolo Zuliani

Transcription

1 Nonlinear Real Arithmetic and δ-satisfiability Paolo Zuliani School of Computing Science Newcastle University, UK (Slides courtesy of Sicun Gao, UCSD) 1 / 27

2 Introduction We use hybrid systems for modelling and verifying biological and cyber-physical system models: atrial fibrillation (CMSB 2014) prostate cancer therapy (HSCC 2015) psoriasis UVB treatment (HVC 2016) artificial pancreas (this tutorial paper coming soon) Hybrid systems combine continuous dynamics with discrete state changes. 2 / 27

3 Why Nonlinear Real Arithmetic and Hybrid Systems? (I) A prostate cancer model 1 ( ) ) dx dt = α x β x 1 + e (k 1 z)k e (z k m 1 (1 zz0 c 1 x + c 2 3)k 4 ) ( ) ) dy dt =m 1 (1 zz0 z x + (α y 1 d 0 β y y z 0 dz dt = zγ c 3 v =x + y v - prostate specific antigen (PSA) x - hormone sensitive cells (HSCs) y - castration resistant cells (CRCs) z - androgen 1 A.M. Ideta, G. Tanaka, T. Takeuchi, K. Aihara: A mathematical model of intermittent androgen suppression for prostate cancer. Journal of Nonlinear Science, 18(6), (2008) 3 / 27

4 Why Nonlinear Real Arithmetic and Hybrid Systems? (I) Intermittent androgen deprivation therapy on-therapy dx dt = α x β x 1 + e k 1 z k e z k 3 k m 1 1 z c 4 z 1 x + c 2 0 dy dt = m 1 1 z z 0 dz dt = zγ + c 3 x + α y 1 d 0z z 0 β y x + y r 0 x + y r 1 off-therapy dx dt = α x β x 1 + e k 1 z k e z k 3 k m 1 1 z c 4 z 1 x + c 2 0 dy dt = m 1 1 z z 0 dz dt = z 0 z γ + c 3 x + α y 1 d 0z z 0 β y 4 / 27

5 Why Nonlinear Real Arithmetic and Hybrid Systems? (II) A model of psoriasis development and UVB treatment 2 dsc dt dta = dt ω(1 SC+λSC d )SC SCmax = γ (ω 1)( TA+TA β 1In A SC d ) P n ta,h k 1a,s ωsc 1 + (ω 1)( TA+TA + d ) P n ta,h k 1s ω 1 + (ω 1)( TA+TA d ) P n SC + k 1 TA ta,h 2k 1sω 1 + (ω 1)( TA+TA d ) P n + γ 2 GA β 2 In A TA k 2s TA k 1 TA ta,h dga = (k 2a,s + 2k 2s )TA k 2 GA k 3 GA β 3 GA dt dsc d = γ 1d (1 SC + SC d SC d β 1d In A SC d k 1sd SC d kpsc 2 d dt SC max,t ka 2 + SC d 2 + k 1d TA d ) dta d dt dga d dt = k 1a,sd SC d + 2k 1sd SC d + γ 2d TA d + k 2d GA d β 2d In A TA d k 2sd TA d k 1d TA d = (k 2a,sd + 2k 2sd )TA d k 2d GA d k 3d GA d β 3d GA d Therapy episode: 48 hours of irradiation + 8 hours of rest 2 H. Zhang, W. Hou, L. Henrot, S. Schnebert, M. Dumas, C. Heusèle, and J. Yang. Modelling epidermis homoeostasis and psoriasis pathogenesis. Journal of The Royal Society Interface, 12(103), / 27

6 Why Nonlinear Real Arithmetic and Hybrid Systems? (II) A model of psoriasis development and UVB treatment 2 dsc dt dta = dt ω(1 SC+λSC d )SC SCmax = γ (ω 1)( TA+TA β d ) P n 1 In ASC ta,h k 1a,s ωsc 1 + (ω 1)( TA+TA + d ) P n ta,h k 1s ω 1 + (ω 1)( TA+TA d ) P n SC + k 1 TA ta,h 2k 1sω 1 + (ω 1)( TA+TA d P ta,h ) n + γ 2 GA β 2 In A TA k 2s TA k 1 TA dga = (k 2a,s + 2k 2s )TA k 2 GA k 3 GA β 3 GA dt dsc d = γ 1d (1 SC + SC d SC d β 1d In A SC d k 1sd SC d kpsc 2 d dt SC max,t ka 2 + SC d 2 + k 1d TA d ) dta d dt dga d dt = k 1a,sd SC d + 2k 1sd SC d + γ 2d TA d + k 2d GA d β 2d In A TA d k 2sd TA d k 1d TA d = (k 2a,sd + 2k 2sd )TA d k 2d GA d k 3d GA d β 3d GA d Therapy episode: 48 hours of irradiation + 8 hours of rest Therapy episode = multiply β 1 and β 2 by a constant In A 2 H. Zhang, W. Hou, L. Henrot, S. Schnebert, M. Dumas, C. Heusèle, and J. Yang. Modelling epidermis homoeostasis and psoriasis pathogenesis. Journal of The Royal Society Interface, 12(103), / 27

7 Bounded Reachability Reachability is a key property in verification, also for hybrid systems. Reachability is undecidable even for linear hybrid systems (Alur, Courcoubetis, Henzinger, Ho. 1993). [Bounded Reachability] Does the hybrid system reach a goal state within a finite time and number of (discrete) steps? Can a 5-episode UVB therapy remit psoriasis for a year? 6 / 27

8 Bounded Reachability Reachability is a key property in verification, also for hybrid systems. Reachability is undecidable even for linear hybrid systems (Alur, Courcoubetis, Henzinger, Ho. 1993). [Bounded Reachability] Does the hybrid system reach a goal state within a finite time and number of (discrete) steps? Can a 5-episode UVB therapy remit psoriasis for a year? Nonlinear arithmetics over the reals is undecidable (Tarski 1951, Richardson 1968). Hence, the problem needs to be simplified if we want to solve it algorithmically! 6 / 27

9 Formal Reasoning for Nonlinear Arithmetics Novak and Woźniakowski (J of Complexity, 1992) studied the relaxed verification problem: verify that a candidate is close to a problem solution introduce a parametric safety zone for which either answer is deemed correct focus on computational complexity 7 / 27

10 Formal Reasoning for Nonlinear Arithmetics Novak and Woźniakowski (J of Complexity, 1992) studied the relaxed verification problem: verify that a candidate is close to a problem solution introduce a parametric safety zone for which either answer is deemed correct focus on computational complexity Fränzle s work on hybrid automata (since 1999). 7 / 27

11 Formal Reasoning for Nonlinear Arithmetics Novak and Woźniakowski (J of Complexity, 1992) studied the relaxed verification problem: verify that a candidate is close to a problem solution introduce a parametric safety zone for which either answer is deemed correct focus on computational complexity Fränzle s work on hybrid automata (since 1999). Ratschan s work on constraint solving (since 2001). 7 / 27

12 Formal Reasoning for Nonlinear Arithmetics Novak and Woźniakowski (J of Complexity, 1992) studied the relaxed verification problem: verify that a candidate is close to a problem solution introduce a parametric safety zone for which either answer is deemed correct focus on computational complexity Fränzle s work on hybrid automata (since 1999). Ratschan s work on constraint solving (since 2001). Gao, Avigad, Clarke (LICS 2012): bounded δ-satisfiability over the reals is decidable: δ-complete decision procedure. 7 / 27

13 Background: Type 2 Computability Turning machines operate on finite strings, i.e., integers, which cannot capture real-valued functions. Real numbers can be encoded on infinite tapes. Real numbers are functions over integers. Real functions can be computed by machines that take infinite tapes as inputs, and output infinite tapes encoding the values. Definition (Name of a real number) A real number a can be encoded by an infinite sequence of rationals γ a : N Q such that i N a γ a (i) < 2 i. 8 / 27

14 Background: Type 2 Computability A function f (x) = y is computable if any name of x can be algorithmically mapped to a name of y y 1 y k.... k input tapes... } M } work tapes y... output tape f M (y 1,...,y k )=y Writing on any finite segment of the output tape takes finite time. 9 / 27

15 Background: Type 2 Computability Type 2 computability implies continuity. Numerically computable roughly means Type 2 computable. Approximation up to arbitrary numerical precisions. Ker-I Ko. Complexity Theory of Real Functions / 27

16 Background: Type 2 Computability Type 2 Computable: polynomials, sin, exp,... numerically feasible ODEs, PDEs,... Type 2 Complexity: sin, exp, etc. are in P [0,1] Lipschitz-continuous ODEs are in PSPACE [0,1] ; in fact, can be PSPACE [0,1] -complete (Kawamura, CCC 2009). See Ko s book for many more results / 27

17 L RF -Formulas (Gao, Avigad, and Clarke. LICS 2012) Let F be the class of all Type 2 computable real functions. Definition (L RF -Formulas) First-order language over >, F : t := x f (t( x)) ϕ := t( x) > 0 ϕ ϕ ϕ x i ϕ x i ϕ Example Let dx/dt = f (x) be an n-dimensional dynamical system. Lyapunov stability is expressed as: ε δ t x 0 x t. ( t x 0 < δ x t = x 0 + f (s)ds ) x t < ε 0 12 / 27

18 Hybrid Automata A hybrid automaton is a tuple H = X, Q, {flow q ( x, y, t) : q Q}, {jump q q ( x, y) : q, q Q}, {inv q ( x) : q Q}, {init q ( x) : q Q} X R n for some n N Q = {q 1,..., q m } is a finite set of modes Other components are finite sets of quantifier-free L RF -formulas. 13 / 27

19 Example: Nonlinear Bouncing Ball X = R 2 and Q = {q u, q d }. flow qd (x 0, v 0, x t, v t, t), dynamics in the falling phase: t t (x t = x 0 + v(s)ds) (v t = v 0 + g(1 + βv(s) 2 )ds) 0 0 jump qu q d (x, v, x, v ): inv qd : (x >= 0 v >= 0). init qd : (x = 10 v = 0). (v = 0 x = x v = v) 14 / 27

20 Encode Reachability Continuous case: init( x 0 ) flow( x 0, t, x t ) goal( x t ) Make one jump: init( x 0 ) flow( x 0, t, x t ) jump( x t, x t) goal( x t) 15 / 27

21 Encode Reachability: invariant-free case X x 0 X x 0 t X x k X x k t [0,M] t 0 [0,M] t k ( ) init q ( x 0 ) flow q ( x 0, x 0, t t 0 ) q Q k 1 i=0 ( q,q Q (goal q ( x k t )) q Q (There s some simplification here.) ( ) ) jump q q ( x i t, x i+1 ) flow q ( x i+1, x i+1, t t i+1 ) 16 / 27

22 Difficulty Suppose F is {+, }. R = a b c (ax 2 + bx + c > 0)? Decidable [Tarski 1948] but double-exponential lower-bound. Suppose F further contains sine. R = x, y, z (sin 2 (πx) + sin 2 (πy) + sin 2 (πz) = 0 x 3 + y 3 = z 3 )? Undecidable. 17 / 27

23 Towards δ-decisions Defining δ-decision problems of L RF -formulas leads to a totally different outlook. 18 / 27

24 Bounded L F -Sentences Definition (Normal Form) Any bounded L F -sentence ϕ can be written in the form Q [u 1,v 1 ] 1 x n Q [un,vn] n x n ( t( x) > 0 t( x) 0) Negations are pushed into atoms. Bounded quantifiers: the bounds can use any terms that contain previously-quantified variables. 19 / 27

25 δ-variants Definition (Numerical Perturbation) Let δ Q + {0}. The δ-weakening ϕ δ of ϕ is Q [u 1,v 1 ] 1 x 1 Q n [un,vn] x n ( t( x) > δ t( x) δ) Obviously, ϕ ϕ δ (but not the other way round!) δ-strengthening ϕ +δ is defined by replacing δ by δ. 20 / 27

26 δ-decisions Let δ Q + be arbitrary. Definition (δ-decisions) Decide, for any given bounded ϕ and δ Q +, whether ϕ is false, or ϕ δ is true. When the two cases overlap, either answer can be returned. The dual can be defined on δ-strengthening. 21 / 27

27 δ-decisions There is a grey area that a δ-complete algorithm can be wrong about. UNSAT delta SAT SAT Corollary In undecidable theories, it is undecidable whether a formula falls into this grey area. 22 / 27

28 δ-decidability Let F be an arbitrary collection of Type 2 computable functions. Theorem The δ-decision problem over R F is decidable. See [Gao et al. LICS 2012]. It stands in sharp contrast to the high undecidability of simple formulas containing sine. 23 / 27

29 δ-robustness A bounded L R -sentence φ is δ-robust iff φ δ φ. φ is robust if it is δ-robust for some δ > 0. Suppose φ is robust if φ is true, then δ > 0 : φ δ φ, if φ is false, then δ > 0 : φ φ δ. Theorem Given a robust bounded L R -sentence φ, there exists δ > 0 for which a δ-complete decision procedure correctly decides whether φ is true or false. Thus, robustness decidability. However, decidability robustness. 24 / 27

30 Complexity Let S be some class of L F -sentences such that all the terms appearing in S are in Type 2 complexity class C. Then for any δ Q + : Theorem The δ-decision problem for a Σ k -sentence from S is in (Σ P k )C. Corollary F = {+,, exp, sin,...}: Σ P k -complete. F = {ODEs with P right-hand sides}: PSPACE-complete. These are very reasonable! 25 / 27

31 Exactness The definition of δ-decisions is exact in the following sense. Theorem If F is allowed to be arbitrary, then ϕ is decidable iff we consider bounded δ-decisions. Theorem Bounded sentences are δ-decidable iff F is computable. 26 / 27

32 Conclusions The notion of δ-complete decision procedures allows formal analysis and use of numerical algorithms in decision procedures. Standard completeness is impossible. δ-completeness: strong enough and achievable. Correctness guarantees on both sides 27 / 27