=Paper=
{{Paper
|id=Vol-3428/paper8
|storemode=property
|title=Set-Based Invariants over Polynomial Systems
|pdfUrl=https://ceur-ws.org/Vol-3428/paper8.pdf
|volume=Vol-3428
|authors=Alberto Casagrande,Alessandro Cimatti,Luca Dorigo,Carla Piazza,Stefano Tonetta
|dblpUrl=https://dblp.org/rec/conf/cilc/CasagrandeCDPT23
}}
==Set-Based Invariants over Polynomial Systems==
https://ceur-ws.org/Vol-3428/paper8.pdf
Set-Based Invariants over Polynomial Systems
Alberto Casagrande1,* , Alessandro Cimatti2 , Luca Dorigo2,3 , Carla Piazza3 and
Stefano Tonetta2
1
Dip. di Matematica e Geoscienze, UniversitΓ di Trieste, via Alfonso Valerio 12/1, 34127, Trieste, Italy
3
Dip. di Matematica, Informatica e Fisica, UniversitΓ di Udine, via delle Scienze 205, 33100, Udine, Italy
2
Fondazione Bruno Kessler, Via Sommarive 18, 38123 Povo, Trento, Italy
Abstract
Dynamical systems model the time evolution of both natural and engineered processes. The automatic
analysis of such models relies on different techniques ranging from reachability analysis, model checking,
theorem proving, and abstractions. In this context, invariants are subsets of the state space containing
all the states reachable from themself. The verification and synthesis of invariants is still a challenging
problem over many classes of dynamical systems, since it involves the analysis of an infinite time horizon.
In this paper we propose a method for computing invariants through sets of trajectories propagation.
The method has been implemented and tested in the tool Sapo which provides reachability methods
over discrete time polynomial dynamical systems.
Keywords
Dynamical Systems, Infinite State Systems, Invariants, K-Induction
1. Introduction
Invariants are subsets of the state space of dynamical systems that contain all the states reach-
able from themself. This notion is crucial in may fields such as control theory [1], software
verification [2, 3], and analysis of both continuous and hybrid systems [4, 5].
Many studies investigating the verification and synthesis of invariants have been published
in the literature so far. Some of them deals with polynomial systems and investigated semi-
algebraic invariants [4, 6, 7]. Some others focus on invariant sets representable by using
polytopes [8, 5] to avoid the double exponential decision procedure of the semi-algebraic theory.
The vast majorities of the works in the literature take advantage of the system continuity to
either validate or identify an invariant set.
This work focuses on discrete-time transition systems. The applications of this kind of
systems go from biology [9, 10] to engineering [11, 12]. We rely on a strengthening of a special
case of induction, π-inductiveness [13], to validate a possible invariant π . We start from an
initial set of states and we enlarge it to include all the states reachable in πβ1 discrete transitions.
CILCβ23: 38th Italian Conference on Computational Logic, June 21β23, 2023, Udine, Italy
*
Corresponding author.
$ acasagrande@units.it (A. Casagrande); cimatti@fbk.eu (A. Cimatti); dorigo.luca001@spes.uniud.it (L. Dorigo);
carla.piazza@uniud.it (C. Piazza); tonetta@fbk.eu (S. Tonetta)
� 0000-0002-8681-1482 (A. Casagrande); 0000-0002-1315-6990 (A. Cimatti); 0000-0002-1396-2167 (L. Dorigo);
0000-0002-2072-1628 (C. Piazza); 0000-0001-9091-7899 (S. Tonetta)
Β© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License Attribution 4.0 International (CC BY 4.0).
CEUR
Workshop
Proceedings
http://ceur-ws.org
ISSN 1613-0073
CEUR Workshop Proceedings (CEUR-WS.org)
�This is the candidate invariant and it has to be included in the invariant π . If this is the case,
we have to prove that if π is a path of length π starting from π and having the first π β 1 steps
in π itself, then π does not exit from π .
Other approaches involving π-inductiveness have been proposed in the literature (see, e.g.,
[14, 15]). However, they assume the possibility of computing the reverse transition, which is
not always possible when dealing with discrete polynomial systems. Indeed our goal was to
develop a general method for (possibly) non-reversible discrete transition systems.
When all operations are computed without approximations the proposed method converges
if and only if reachability converges within a finite number of steps. Surprisingly, when
reachability, unions and intersections are over-approximated, convergence is achieved on a
larger class of systems.
The paper is organized as follows. Section 2 introduces the problem, the notation, and the
basic tools. Section 3 incrementally presents our proposal for a set-based algorithm deciding
π-inductiveness. In Section 4 we detail the approach over polynomial systems as implemented
in Sapo and discuss an example. Section 5 draws concluding remarks.
2. Preliminaries
In this section, we present some central notions for this work.
Definition 1 (Transition System). A transition system is a pair β¨π, π
β©, where π is the set of
states and π
β π Γ π is the transition relation. An initial set for a transition system TS = β¨π, π
β©
is a set of states πΌ β π.
The transition relation π
induces a transition function π that maps any set π΄ β π into the
forward image of π΄ itself, i.e. π (π΄) = {π β π | βπ β² β π΄ (π β² , π ) β π
}.
def
For any function πΉ : 2π β 2π mapping a subset of the states into another subset of the
states, we define the πΉ image of π΄ restricted to π΅ as πΉπ΅ (π΄) = πΉ (π΄) β© π΅. We write πΉ π (π΄) to
def
denote π consecutive applications of πΉ to π΄, i.e.,
{οΈ
π΄ if π = 0
πΉ π (π΄) =
def
(οΈ πβ1 )οΈ .
πΉ πΉ (π΄) if π > 0
So, ππ΅ (π΄), π π (π΄) and ππ΅π (π΄) stand for the forward image of π΄ restricted to π΅, π consecutive
applications of the forward image, and π consecutive applications of the forward image restricted
to π΅, respectively.
A set πΆ under-approximates a set πΆ β² when πΆ β πΆ β² . A set πΆ over-approximates a set πΆ β²
when πΆ β πΆ β² . A function π β² : π β π under-approximates (over-approximates) a function π β²β²
when π β² (π΄) β π β²β² (π΄) (π β² (π΄) β π β²β² (π΄), respectively) for all π΄ β π. It is easy to see that, if π
π π
over/under-approximates π , then π π΅ , π , and π π΅ do the same for ππ΅ , π π , and ππ΅π , respectively.
Definition 2 (Reachability). Given a transition system TS and an initial set πΌ, the βοΈset of states
reachable from πΌ in π-steps is the set π (πΌ) and the set of states reachable from πΌ is πβN π π (πΌ).
π
� A property for a system is a set of states of the system. An invariant for a system and an
initial set of states, πΌ, is a property that contains all the states reachable from πΌ.
Definition 3 (Property and Invariant). Let TS = β¨π, π
β© be a transition system and let πΌ β π
be an initial set of states for TS. A property of TS is a set of states π β π. An invariant for TS and
πΌ is a set π β π such that βοΈ
π π (πΌ) β π. (1)
πβN
A well-know problem in the context of verification is that of checking whether a given
property π is an invariant for a system (see, e.g., [7, 8, 5]).
One could consider the problem of constructing the smallest invariant for a system. The
problem is well defined since if both π1 and π2 are invariants for TS and πΌ, then also π1 β© π2 is
an invariant. In other terms, a given property π is an invariant for the system if and only if it
includes the smallest invariant. However, as one could imagine finding the smallest invariant
could be far more difficult than checking whether a given property is an invariant.
In this paper, we will describe a method for checking whether a property is an invariant,
while trying to construct the smallest invariant. The method has to work also on infinite state
systems assuming that only a restricted number of operations are computable. For instance,
we will be able to over-approximate the forward image computation, but not the backward
one. This is a reasonable compromise in term of computability and efficiency in the case of
non-linear systems [16].
K-Inductiveness
A standard approach for verifying invariants is the use of k-induction [13] in combination with
Bounded Model Checking (BMC) [17, 18]. If TS reaches from πΌ a state outside π in π steps, i.e.,
π π (πΌ) ΜΈβ π , then π is not an invariant and we have a counter-example of length π. If this is
not the case, then we try to prove that π is π-inductive, which implies that it is an invariant.
We now briefly explain the meaning of π-inductiveness. By Equation 1 and by induction
principle over the naturals, π is an invariant if and only if
π 0 (πΌ) β π (basis)
π π (πΌ) β π β π π+1 (πΌ) β π (step)
Induction and π-induction are equivalent over N. Thus, π is an invariant if and only if
βοΈπβ1 π
(οΈβοΈ )οΈ β π
π=0 π (πΌ) (π-basis)
πβ1 π+π π+π
π=0 π (πΌ) β π β π (πΌ) β π (π-step)
Unfortunately, the inductive π-step has to be proven for a generic π β N, which makes the
technique not algorithmic for infinite systems. A stronger approach, named π-inductiveness,
can be used to automatize invariant verification. Intuitively, π-inductiveness strengthens π-steps
by requiring that all the paths laying inside π for π β 1 steps stay inside π also after π steps,
no matter whether they started from πΌ or not. Considering all the possible paths starting from
π and not only those from πΌ allows to drop the dependence on π. The following definition is a
set-based version of the definition given in [19].
�Definition 4 (π-Inductive Property). Given a transition system TS and an initial set πΌ, a π-
inductive property for TS and πΌ is a set of states π β π such that
βοΈπβ1 π
π=0 π (πΌ) β π (π-init)
π (πππβ1 (π )) β π (π-ind)
It is well known that π-inductiveness implies invariance.
Lemma 2.1. Let TS be a transition system and πΌ be and initial set for TS. If π is π-inductive for
TS and πΌ, then π is an invariant for TS and πΌ.
The reader should be aware that this is a specialized use of induction: a property could be an
invariant and not π-inductive. Moreover, a set could be π + 1-inductive and not π-inductive.
Example 1. Let TS be the transition system β¨π, π
β©, with π = {0, 1, 2, 3} and π
= {(0, 0),
(1, 3), (3, 2), (2, 2)}, and let πΌ be the set {0}. The set {0, 1} is an invariant for TS and πΌ, but it is
not π-inductive for any π. Moreover, π = {0, 1, 2} is 2-inductive because ππ1 (π ) = π (π ) β© π =
{0, 2, 3} β© {0, 1, 2} = {0, 2} and π ({0, 2}) = {0, 2} β π . However, π is not 1-inductive. As a
matter of the fact, ππ0 (π ) = π and π (π ) = {0, 2, 3} ΜΈβ π .
If π-init does not hold, not only π is not π-inductive, but it is not an invariant. If both π-init
and π-ind succeed, π is π-inductive and it is an invariant. If π-init succeeds, but π-ind does not,
then π is not π-inductive, but it could be π + 1-inductive, i.e., π has to be incremented. This
forces Algorithm 1 to return True if and only if there exists π such that π is π-inductive. Using
two auxiliary variables, we can implement Algorithm 1 to require only 2 forward images, 1
intersection, and 2 subset tests at each iteration. Unfortunately, Algorithm 1 is not complete
and, if π is not π-inductive for any π, but it is an invariant, it does not terminate.
Algorithm 1 K-Inductiveness
1: function π-inductive(TS = β¨π, π
β©, πΌ, π )
2: if πΌ ΜΈβ π then
3: return False
4: πβ1
5: while True do
6: if π π (πΌ) ΜΈβ π then
7: return False
8: if π (πππβ1 (π )) β π then
9: return True
10: π βπ+1
Set-Based Reachability
In formal verification of infinite state systems and more in general in the context of symbolical
representations of transition systems, traces representing punctual evolutions are not always
�feasible because of the infinite domain. Processing sets of traces, potentially infinite in number,
even though involving a finite set of states, is certainly computationally more expensive than
computing the evolution of sets consisting in an infinite number of states. Moreover, it is usually
not reasonable to work on single points/traces when we do not have knowledge of the system
at infinite precision level [20]. In such a context, set-based analysis aims at defining techniques
for dealing with possible infinite sets of states, processing each set as a single object.
In particular, in the case of infinite states systems and reachability computation a generic
set-based technique depends on the choice of:
β’ A domain π β 2π providing finite representations for the set of points to be manipulated.
The most used domains are ellipsoids, polytopes, zonotopes.
β’ Methods for computing/approximating basic set operations and tests over π, e.g., union,
intersection, and inclusion.
β’ A family π― of admissible transition relations. For instance, linear or polynomial systems
could be considered.
β’ For all the transition functions π β π― , a method π : π β π that computes/approximates
the image of any set π β π through π .
Such tools are sufficient to obtain an implementation of Algorithm 1 instantiated on a
specific domain. In particular, as far as basic set operations are concerned, it only requires
the computation/approximation of intersections and the tests of inclusion. If both forward
images and intersections are over-approximated and inclusion tests never provide false positive
answers, then the procedure returns True if and only if π is π-inductive for some π.
It is worth to notice that computing backward images, which could be problematic in the
case of non-linear transition relations, is not required. This is a crucial difference with respect
to algorithms such as IC3/PDR [14, 15] which use transition reversibility to compute counter-
examples and refine over-approximations of the reachability sets.
Algorithm 1 has two main flaws: 1) if π is an invariant, but it is not π-inductive for any π,
Algorithm 1 does not terminate; 2) the algorithm is not able to refine π and discover possible
π-inductive invariant included in π . Section 3 tries to overcome both issues by presenting
algorithms that, along the computation, search for the βsmallestβ invariant included in π that is
also π-inductive for some π.
3. Set-Based K-Inductiveness
We propose a set-based algorithm that takes in input a system TS, a set of initial states πΌ and a
property π and aims at constructing a π-inductive property CI, candidate inductive, included
in π . Intuitively, if TS reaches a state outside π in π transition steps from πΌ, then π is not an
invariant and the algorithm returns False. If this is not the case, then the algorithm considers
the candidate invariant CI built so far. CI has two main properties: it is included in π and it
includes all the states reachable from πΌ in π β 1 steps. If CI is π-inductive, then π is an invariant
and the algorithm returns True. Otherwise, CI is augmented with the states reachable in π-steps
and π is incremented. If π is an invariant, but it does not includes any π-inductive set, then
the algorithm does not terminate. These ideas are formalized in Algorithm 2 which describes
�sets by using a finite representation domain π and the method π to compute/approximate the
images of π as discussed in Section 2. In particular, while π maps any subsets of π in another
subset of π according to π
, π : π β π with π β 2π .
Algorithm 2 Setβbased Kβinductiveness
1: function candidate-inductive(TS = β¨π, π
β©, πΌ, π )
2: if πΌ ΜΈβ π then
3: return False
4: πβ1
5: CI β πΌ
6: while True do
π
7: if π (πΌ) ΜΈβ π then
8: return
(οΈ πβ1 False
)οΈ
9: if π π CI (CI) β CI then
10: return True
π
11: CI β CI βͺ π (πΌ)
12: π βπ+1
It is easy to see that the variable CI in Algorithm 2 accumulates the reachability set of TS
and πΌ as the computation βοΈ proceeds. In particular, if π under/over-approximates π , then CI
under/over-approximates πβ1 π
π=0 π (πΌ). This observation allows us to prove some properties
about the results of Algorithm 2.
Theorem 3.1 (Correctness of Algorithm 2). If π under-approximates π and Algorithm 2 re-
turns False, then π is not an invariant for TS and πΌ. If π over-approximates π and Algorithm 2
returns True after π while-loop iterations, then CI is π-inductive for TS and πΌ and π is an invariant
for them. Furthermore, if π (π΄) = π (π΄) for all π΄ β π, Algorithm 2 returns False if and only if
π is not an invariant for TS and πΌ and, when it returns True, any πΆ β CI is not an invariant for
TS and πΌ.
Let us underline that both the termination of Algorithm 2 and the meaning of its outcomes de-
pend on the approximation of π done by π . Figure 1 depicts two examples in which Algorithm 2
terminates, but does not return the aimed answer.
When instead π exactly represents π , Algorithm 2 does not terminate only when π is an
invariant of the system by Theorem 3.1. Moreover, when the algorithm loops forever, the set
reachable fromβοΈπΌ does not converge after a finiteβοΈnumber of while-loop iterations.
of points βοΈ
Indeed, if πβN π π (πΌ) = πβ€β π π (πΌ) for some β, then CI = πβN π π (πΌ) after β iterations, CI is
β-inductive, and the algorithm returns True. Hence, if we are assuming that all set-operations
are implemented without approximations and π exactly represents π , Algorithm 2 terminates
if and only if either π is not an invariant or the set of reachable states can be computed with a
finite number of forward transitions.
Corollary 3.1.1 (Termination). If π (π΄) exactly represents π (π΄) for any π΄ β π, then Al-
gorithm 2 terminates if and only if either π is not an invariant or there exists β such that
π (πΌ) = π (πΌ).
βοΈ βοΈ
πβN π πβ€β π
� π (πΌ) π (πΌ)
π (πΌ) π (πΌ)
π (πΌ)
π π
2 2
πΌ π (πΌ) πΌ π (πΌ)
(a) Algorithm 2 returns True even though π (b) Algorithm 2 returns False even though π
is not an invariant for TS and πΌ when π is an invariant for TS and πΌ when π over-
under-approximates π . However, π (πΌ) is approximates π . However, π (πΌ) is a subset
3
not a subset of π and, as a consequence, π of π and π (πΌ) = π (πΌ). Thus, π is an
is not an invariant for TS and πΌ. invariant for TS and πΌ.
Figure 1: Two scenarios in which, when the forward image function is approximated, Algorithm 2
terminates, but does not return the aimed answer. The dashed blue line rectangle depicts π (πΌ).
While the number of while-loop iterations of Algorithm 2 cannot be upper-bounded in the
general case, we can provide a cost depending on the number of iterations for it. Each repetition
of the while-loop in Algorithm 2 requires Ξ(π) forward image computations, 2 inclusion tests,
Ξ(π) intersection and 1 union. Such operations are denoted as set-operations, since they
transform sets of states.
Theorem 3.2 (Set Complexity). If Algorithm 2 terminates exactly after π iterations of the
while-loop, then it requires Ξ(π 2 ) set operations.
Without increasing the asymptotic complexity of the algorithm we could modify line 9 by
considering the test
πβ1 πβ1
π (π CI (CI)) β CI β¨ π (π π (π )) β π,
i.e., at each step we also check whether π is π-inductive. This would guarantee termination also
in the case in which π is π-inductive. However, we are interested in classes of systems where it
is not reasonable to assume that π can be represented/approximated in the domain π of sets,
for instance, π and π can be a half-space and the set of all the ellipsoids in the same space,
respectively. This was one of the reasons for which we moved from Algorithm 1 to Algorithm 2.
Theorem 3.2 provides a complexity bound for Algorithm 2 in terms of set operations. However,
the cost of each operation actually depends on the complexity of the involvedβοΈsets. For instance,
if π and π are the union of π1 and π2 basic sets, respectively, e.g., π = ππ=1 1
ππ and π =
βοΈπ2
π=1 ππ , the evaluation of π β© π may consists in up to π1 * π2 basic sets: the non-empty
intersections between each ππ and each ππ . In the context of Algorithm 2, if we assume that
both πΌ and its forward image are basic sets, after π iterations of the algorithm while-loop, CI
0 π πβ1
consists in the list [π (πΌ), . . . , π (πΌ)]. Thus, the evaluation of π CI (CI) at line 9 may produce
a set consisting of up to π π basic sets and, as a consequence, requires π(π π ) basic set operations.
The complexity of Algorithm 2 in terms of basic set operations pushes us to either avoid the
test of line 9 or replace the exact union performed at line 11 with an approximate version of it
that reduces the number of basic sets in CI.
�Over-Approximation of the Union
In order to overcome the limits pointed out by both Corollary 3.1.1 and other complexity issues
discussed at the end of the previous section, we consider a different approach that aims to
reduce the number of basic sets in CI. This is done by replacing the line 11 in Algorithm 2 with
the assignment:
π
CI β Join(CI, π (π½)),
where the operator Join over-approximates the set union and returns one single basic set and
π½ is a new variable initially set to πΌ. Please notice that we are not forcing Join to be a specific
function, but instead we are requiring it to return one single basic set over-approximating the
union of its parameters. For instance, depending on the adopted set representation, Join may
be implemented by the convex-hull function, the bounding box function, or the Halbwachs
widening operator [21].
π
Due to the proposed change, CI may be not included in π even when π (π½) β π for all
π β N (e.g., see Figure 2). When this happens we can either return Unknown, since we do not
have a counter-example, but our π-inductive set is growing outside π , or re-initialize π½, CI, and
π. Algorithm 3 implements this approach.
Algorithm 3 Set-based Join K-inductiveness
1: function join-candidate-inductive(TS = β¨π, π
β©, πΌ, π )
2: if πΌ ΜΈβ π then
3: return False
4: π½ βπΌ
5: πβ1
6: CI β π½
7: while True do
π
8: if π (π½) ΜΈβ π then
9: return
(οΈ πβ1 False
)οΈ
10: if π π CI (CI) β CI then
11: return True
π
12: CI β Join(CI, π (π½))
13: if CI ΜΈβ π then
π
14: π½ β π (π½)
15: πβ0
16: CI β π½
17: π βπ+1
Figure 2 depicts a situation in which π½ and CI have to be re-initialized, i.e., CI ΜΈβ π at line 13
of Algorithm 3. In this example the domain π consists in rectangles in R2 and the Join over-
approximates the union of two rectangles with the smallest rectangle including both of them,
i.e., their bounding box. The violation of π is clearly an artifact of the over-approximation.
Hence, the algorithm can safely re-initialize π½ and CI.
As done for Algorithm 2, we aim to investigate the correctness of Algorithm 3 when π is an
� π (π½)
2
π (π½) π
π½ CI
βοΈπ π
Figure 2: A scenario in which CI ΜΈβ π despite π=0 π (π½) β π when the Join operator of Algorithm 3
approximates the union as the bounding box.
under-approximation, an over-approximation, and the exact representation of the forward image
function π . In order to achieve this goal, we must notice two main properties of the algorithm.
First of all, CI is a subset of π at the beginning of each while-loop iteration. Moreover, if π
under-approximates (over-approximates) the forward image function π , then, after β iterations
π
of the while-loop, π (π½) under-approximates (over-approximates) π β (πΌ). These properties
allow us to prove the following correctness result.
Theorem 3.3 (Correctness of Algorithm 3). If π under-approximates π and Algorithm 3
returns False, then π is not an invariant for TS and πΌ. If π over-approximates π and Algorithm 3
returns True, then π is an invariant for TS and πΌ. Let π (π΄) equal π (π΄) for any π΄ β π. If
Algorithm 3 returns True, then π is an invariant for TS and πΌ. Moreover, Algorithm 3 returns
False if and only if π is not an invariant for TS and πΌ.
The set complexity of Algorithm 3 equals that of Algorithm 2 where the cost of exact unions
is replaced by that of the Join operations. Nevertheless, the number of basic sets represented
in CI and the costs of line 10 depend on Join. If Join always returns one single basic set, then
the evaluation of the condition at line 10 requires to compute π forward images of a single basic
set and π β 1 intersections and 1 inclusion test between two basic sets. Thus, in this case, the
asymptotic complexity of the test at line 10, whose costs in Algorithm 2 was π(π π ), becomes
π(π). In Section 4, we present two possible semantics for the Join operator and one of them
achieves this complexity.
As far as termination is concerned, a lot depend once more on the choice of Join. Algorithm 3
can loop forever only when π is an invariant as Algorithm 2 did too. Intuitively, if there exists
a π-inductive set which includes the forward images of π β (πΌ) for a given β β₯ 0 and such set
can be obtained through successive Join operations, then the algorithm terminates. However,
it is no more necessary that the forward images converge within a finite number of steps.
Approximating Intersections
The analysis of Algorithm 3 in the previous section relies on the hypothesis that intersections,
πβ1
needed to compute π CI (CI) at line 10, are computed without approximations. However, this is
not always feasible and depends on the choice of the domain π. For instance, let us consider the
domain of ellipsoids; the intersection of two incomparable ellipsoids is not an ellipsoid. So, we
now discuss the properties of Algorithm 3 under the hypothesis that the intersections between
sets in π are approximated.
� As already observed, the intersections are exclusively used to evaluate the condition at line 10
and do not affect the correctness of the result when False is returned. Because of this, we
focus on the cases in which Algorithm 3 returns True which, by Theorem 3.3, implies π is
an invariant for TS and πΌ only when π is an over-approximation of π . It is easy to see that
if we over-approximate β©, the algorithm still has no false positive outcomes. Intuitively, if CI
contains the over-approximation of the reachable sets it also contains the exact ones, and if the
over-approximation of the states reachable from CI after π β 1 steps inside it are still inside CI,
then this also holds for the exact reachable sets.
Corollary 3.3.1 (Over-approximation of π and β©). Let π (π΄) and π π΅ (π΄) over-approximate
π (π΄) and π (π΄) β© π΅, respectively, for any π΄, π΅ β π. If Algorithm 3 returns True, then π is an
invariant for TS and πΌ.
4. Implementation and Tests over Polynomial Systems
We now consider transition systems defined through discrete time polynomial dynamical
systems, i.e., dynamical systems described by equations of the form xπ+1 = f (xπ ), where
x β Rπ and f : Rπ β Rπ is a vector of π-variate polynomial functions. The transition
system TS = β¨π, π
β© associated to a dynamical system of this form has π = Rπ and π
=
{(xπ , xπ+1 ) | xπ , xπ+1 β Rπ , xπ+1 = f (xπ )}.
Sapo [10, 22, 16] implements bounded reachability, verification of Signal Temporal Logic
specifications, and parameter synthesis for such systems. The framework supports state sets
specified as polytopes, i.e., closed and bounded subsets of Rπ enclosed by a finite number of
hyperplanes. A direction of the polytope is a unit vector normal to one of the enclosing hyper-
plane. Forward images of polytopes are over-approximated exploiting Bernsteinβs coefficients.
The forward image of a polytope is a new polytope specified by the same directions of the initial
one, but with new thresholds. A detailed description of both algorithms and data structures
implemented by Sapo is given in [16].
Since Sapo can exclusively over-approximate forward images, we can only aim to validate
candidate invariants as proved in Theorem 3.3. Indeed, nothing can be deduced when Al-
gorithm 3 returns False as highlighted by Figure 1b which depicts a scenario in which the
algorithm returns False and π is an invariant.
Sapo natively represents exact unions of polytopes as list of polytopes. Moreover, it supports
exact intersections and inclusion test of exact union polytopes. Thus, in order to implement
Algorithm 3 we need to:
1. choose a specification for candidate invariants to be tested. Sapo already supports
polytopes, but we aimed to deal with a broader class of properties;
2. implement the test π΄ β π where π΄ is a generic polytope and π is the candidate invariant;
3. define a function Join to over-approximate the union of polytopes.
As far as the candidate invariant specification is concerned, we decided to admit convex
linear sets, i.e., sets corresponding to the solutions of a linear system. This specification includes
polytopes, but it also covers an infinite number of non-bounded sets.
�Example 2. A possible candidate invariant π for the Sapo implementation of Algorithm 3 is the
set of unbounded solutions of the linear system
{οΈ
π₯+2*π¦ β€5
π : .
3*π₯β₯π¦+1
We implemented the test π΄ ΜΈβ π , where π΄ is a generic polytope and π is the candidate
invariant, by using linear programming. Any polytope π΄ is specified as a system of linear
inequalities, βπ΄ . Testing π΄ ΜΈβ π is equivalent to test whether there exists an inequality π(x) β€ π
in the specification of π such that βπ΄ enriched with π(x) > π has a feasible solution. As a
matter of the fact, such a solution does exist if and only if there exists a state, i.e., the solution
itself, that belongs to π΄, because it satisfies βπ΄ , and does not belong to π , because it satisfies
π(x) > π that is the negation of one of the constraints of π . Once π΄ ΜΈβ π has been implemented,
π΄ β π can be trivially computed as Β¬(π΄ ΜΈβ π ).
The implementation of the test π΄ ΜΈβ π relies on the solution of up to π linear programming
problems where π is the number of linear inequalities in βπ . If the problems are solved by
using Karmarkarβs algorithm [23], the asymptotic complexity of the algorithm is polynomial
with respect to both the space dimension and the number of constraints in βπ΄ and βπ .
We consider two alternative semantics for the function Join: Listing and Packaging.
The most naΓ―ve semantics for Join is the exact union, i.e., Join(π΄, π΅) = π΄ βͺ π΅. Since exact
unions are usually represented as lists of basic sets, we refer to this approach as Listing. An
alternative semantics for the function Join(π΄, π΅) consists in finding the smallest polytope,
having the same directions of π΄, that includes both π΄ and π΅. We call this approach Packaging
because it packs many polytopes into a new one. Figures 2 and 3 depicts CI during an evaluation
of Algorithm 3 when the Join implements the Packaging semantic.
Packaging usually produces coarser union approximations than Listing or, for instance,
convex hull. However, it preserves the number of directions needed to represent sets and, as
a consequence, it guarantees that both the memory required to represent a single set and the
cost of set functions do not change during the computation. Neither Listing nor convex hull
ensure these features: the former increases the number of polytopes per set as the computation
proceeds, the latter produces only one polytopes per set, but tends to increase the number of
directions required to represent it.
While Packaging is usually more effective than Listing, there are cases in which the
former leads to an infinite computation, while the latter produces an answer.
Example 3. Consider the following system
{οΈ
π₯π+1 = π¦π
.
π¦π+1 = π₯π
If the system initial state is (π₯, π¦), this system keeps flipping π₯ and π¦ values at each evolution
step. For instance, if the initial set is πΌ = [2.9, 3.1] Γ [0.9, 1.1], after one step the system reaches
π (πΌ) = [0.9, 1.1] Γ [2.9, 3.1], and one further step brings back the system to its initial condition
since π 2 (πΌ) = πΌ. So, if we select as candidate invariant π₯ + π¦ β€ 5, the packaging of any pair of
consecutive forward images violates it and Algorithm 3 resets CI and π½ to the last one of the two.
� π¦ π¦
π₯
+
π¦
=
5
πΌ πΌ
π₯
+
π¦
=
5
CI
CI
π (πΌ) π (πΌ)
π :π₯+π¦ β€5
π :π₯+π¦ β€5
π₯ π₯
(a) Algorithm 3 with the Packaging se- (b) Algorithm 3 with the enhanced
mantics cannot validate the invariant Packaging semantics that adds the
π₯ + π¦ β€ 5. The bounding box of πΌ and candidate invariant directions to the
π (πΌ) violates π₯ + π¦ β€ 5 and the algo- packaging can validate the invariant
rithm loops forever. π₯ + π¦ β€ 5 in 2 while-loop iterations.
Figure 3: A graphical representation of Example 3. The system evolution starts from set labelled πΌ. One
step brings the system in the state set π (πΌ) and one further step let it go back to its initial condition.
Despite this, the packaging of the new pair of consecutive forward images still does not satisfy
π₯ + π¦ β€ 5 and the algorithm loops forever (see Figure 3a).
Intriguingly, Algorithm 3 with Listing can easily prove that π₯ + π¦ β€ 5 is an actual invariant
for the system and πΌ = [2.9, 3.1] Γ [0.9, 1.1]. The reachability computation converges after 1
step and all reachable points satisfies the candidate invariant, hence, in this scenario, Listing is
preferable to Packaging.
In Example 3, Listing and Packaging produce different outcomes because the packaging
of two polytopes π΄ and π΅ may not satisfy a property even when π΄ and π΅ individually do it (see
Figure 3a). We can mitigate this issue by adding the property directions to the packaging and
minimizing and maximizing them on π΄ and π΅. This approach is called enhanced Packaging.
Since we focus on convex linear properties, π΄ and π΅ satisfy a property π if and only if the
enhanced packaging of π΄ and π΅ satisfies π too. Indeed, the packaging does not satisfy π if and
only if there exists an inequality π(x) β€ π in the specification of π that is not satisfied. However,
the enhanced packaging of π΄ and π΅ is also defined by a set of inequalities among which there is
π(x) β€ max(ππ΄ , ππ΅ ) where ππ΄ and ππ΅ are the maxima of π(x) in π΄ and π΅, respectively. Thus,
if the packaging does not satisfy π(x) β€ π either π΄ or π΅ do not satisfy it too. The enhanced
Packaging may increase the complexity of the packaging representation with respect to π΄
and π΅. However, this only happens when the property directions are not yet present in the
representation of the two sets. Figure 3b shows enhanced Packaging on Example 3.
The algorithms presented in Sections 3 and 4 have been implemented in Sapo [16]. We now
briefly illustrate their effectiveness on the following transition system over R2
{οΈ
π₯π+1 = 2π₯π π¦π + π
π¦π+1 = π¦π2 β π₯2π + π
where π, π β R. This system represents the complex quadratic generator function ππ (π§) = π§ 2 +π
with π§, π β C which is used to define Mandelbrot set [24, 25]. The variables π₯ and π¦ are the real
�and imaginary components of π§, respectively, and similarly π and π are the components of π.
The dynamical system iterates the computation of ππ .
Let [0.09, 0.11] Γ [0.09, 0.11] be the system initial set πΌ. Different choices of π and π can
produce very different behaviours. We focus on the behaviour obtained with π β [0.19, 0.2]
and π β [0.29, 0.3] and we consider the candidate invariant π1 : π¦ β€ 0.3. Sapo proved that
π1 is an invariant for the system by using Listing in less than 1 second on a MacBook Pro
2020 with 16GB of RAM. The proof ended after 12 iterations of the Algorithm 3 while-loop.
Packaging can achieve the same result after only 4 iterations. Packaging can also be used to
prove that π2 : π₯ + π¦ β€ 0.6 is an invariant for the investigated system in 5 while-loop iterations;
enhanced Packaging requires only 4 while-loop iterations for the same goal (see Figure 4b).
π¦ π¦
0.2 0.2
π2
0.15 0.15
CI
0.1 πΌ 0.1 πΌ
CI
0.05 0.05
π2
0.1 0.2 0.3 0.4 π₯ 0.1 0.2 0.3 0.4 π₯
(a) Packaging: CI is not included in π2 at (b) enhanced Packaging: the candidate in-
the beginning the second iteration of Algo- variant directions are added to πΌ specifica-
π
rithm 3 while-loop, thus, CI is assigned to tion. The set CI and all the π (πΌ) with π > 0
2
π (πΌ). After 3 further while-loop iterations, are no more rectangles and π2 always in-
CI becomes the bounding box of the forward cludes them. Thus, CI is never re-initialized
images which is 3-inductive. and it eventually becomes 4-inductive.
Figure 4: The Mandelbrot system with π β [0.19, 0.2] and π β [0.29, 0.3], initial set πΌ = [0.09, 0.11] Γ
[0.09, 0.11], and π2 : π₯+π¦ β€ 0.6 as candidate invariant. The red area represents the candidate invariant,
the green region is CI during the π-th and final iteration of the while-loop, the blue regions are the
over-approximation of the set reachable in up to π steps.
5. Conclusions and Future Work
We presented a set-based method for checking invariant properties over discrete time dynamical
systems. The method exploits the notion of π-inductiveness together with over-approximation
procedures for reachability, unions, and intersections. When it converges to a positive answer,
it computes the βsmallestβ invariant that is a subset of the given one. Our approach achieves
convergence on a larger class of systems when set-based operations are over-approximated
rather then when exact computations are performed.
The approach has been implemented and tested in Sapo providing two possible semantics
for the over-approximation of unions. The implementation was able to prove two invariants
over a well-known and deeply investigated fractal example [24, 25].
� As future work we plan to investigate other examples and eventually include heuristics for
allowing convergence in limit cases.
Acknowledgments
This work is partially supported by PRIN project NiRvAna CUP G23C22000400005 and National
Recovery and Resilience Plan (NRRP), Mission 4 Component 2 Investment 1.4 - Call for tender
No. 3138 of 16 December 202, rectified by Decree n.3175 of 18 December 2021 of Italian Ministry
of University and Research funded by the European Union - NextGenerationEU; Project code
CN_00000033, Concession Decree No. 1034 of 17 June 2022 adopted by the Italian Ministry of
University and Research, CUP G23C22001110007, Project title βNational Biodiversity Future
Center - NBFCβ .
References
[1] F. Blanchini, Set invariance in control, Automatica 35 (1999) 1747β1767.
[2] X. Deng, M. B. Dwyer, J. Hatcliff, M. Mizuno, Invariant-based specification, synthesis,
and verification of synchronization in concurrent programs, in: Proceedings of the 24th
international conference on software engineering, 2002, pp. 442β452.
[3] B. Becker, D. Beyer, H. Giese, F. Klein, D. Schilling, Symbolic invariant verification for
systems with dynamic structural adaptation, in: Proceedings of the 28th international
conference on Software engineering, 2006, pp. 72β81.
[4] A. Platzer, E. M. Clarke, Computing differential invariants of hybrid systems as fixedpoints,
Formal Methods in System Design 35 (2009) 98β120.
[5] M. A. B. Sassi, A. Girard, Computation of polytopic invariants for polynomial dynamical
systems using linear programming, Automatica 48 (2012) 3114β3121.
[6] S. Sankaranarayanan, Automatic invariant generation for hybrid systems using ideal fixed
points, in: Proceedings of the 13th ACM international conference on Hybrid systems:
computation and control, 2010, pp. 221β230.
[7] A. Sogokon, K. Ghorbal, P. B. Jackson, A. Platzer, A method for invariant generation
for polynomial continuous systems, in: International Conference on Verification, Model
Checking, and Abstract Interpretation, Springer, 2016, pp. 268β288.
[8] S. Sankaranarayanan, T. Dang, F. IvanΔiΔ, Symbolic model checking of hybrid systems
using template polyhedra, in: TACAS β08, Springer, 2008, pp. 188β202.
[9] A. Veliz-Cuba, A. S. Jarrah, R. Laubenbacher, Polynomial algebra of discrete models in
systems biology, Bioinformatics 26 (2010) 1637β1643.
[10] T. Dang, T. Dreossi, C. Piazza, Parameter synthesis using parallelotopic enclosure and
applications to epidemic models, in: Hybrid Systems and Biology, HSB, 2014, pp. 67β82.
[11] H. Ichihara, S. Tanabe, Y. Ebihara, D. Peaucelle, Analysis and synthesis of discrete-time
interconnected positive systems, SICE Journal of Control, Measurement, and System
Integration 11 (2018) 91β99.
[12] T. Dreossi, T. Dang, C. Piazza, Reachability computation for polynomial dynamical systems,
Formal Methods in System Design 50 (2017) 1β38.
�[13] M. Sheeran, S. Singh, G. StΓ₯lmarck, Checking safety properties using induction and a
sat-solver, in: W. A. Hunt, S. D. Johnson (Eds.), Formal Methods in Computer-Aided Design,
Springer Berlin Heidelberg, Berlin, Heidelberg, 2000, pp. 127β144.
[14] A. R. Bradley, Sat-based model checking without unrolling, in: International Workshop
on Verification, Model Checking, and Abstract Interpretation (VMCAI 2011), volume 6538
of Lecture Notes in Computer Science, Springer, 2011, pp. 70β87.
[15] N. EΓ©n, A. Mishchenko, R. Brayton, Efficient implementation of property directed reachabil-
ity, in: International Conference on Formal Methods in Computer-Aided Design (FMCAD
2011), IEEE, 2011, pp. 125β134.
[16] A. Casagrande, T. Dang, L. Dorigo, T. Dreossi, C. Piazza, E. Pippia, Parameter synthesis of
polynomial dynamical systems, Information and Computation 289 (2022) 104941.
[17] A. Biere, A. Cimatti, E. Clarke, Y. Zhu, Symbolic model checking without BDDs, in: TACAS
β99, volume 1579 of Lecture Notes in Computer Science, Springer, 1999, pp. 193β207.
[18] A. Biere, A. Cimatti, E. M. Clarke, O. Strichman, Y. Zhu, Bounded model checking,
Handbook of satisfiability 185 (2009) 457β481.
[19] A. F. Donaldson, L. Haller, D. Kroening, P. RΓΌmmer, Software Verification Using k-Induction,
in: E. Yahav (Ed.), Static Analysis, Springer, Berlin, Heidelberg, 2011, pp. 351β368.
[20] A. Casagrande, T. Dreossi, C. Piazza, Hybrid automata and π-analysis on a neural oscillator,
Electronic Proceedings in Theoretical Computer Science, EPTCS 92 (2012) 58 β 72.
[21] P. Cousot, N. Halbwachs, Automatic discovery of linear restraints among variables of a
program, in: Proceedings of the 5th ACM SIGACT-SIGPLAN Symposium on Principles of
Programming Languages, POPL β78, Association for Computing Machinery, New York,
NY, USA, 1978, pp. 84β96.
[22] T. Dang, T. Dreossi, C. Piazza, Parameter synthesis through temporal logic specifications,
in: Formal Methods, FM, 2015, pp. 213β230.
[23] N. Karmarkar, A new polynomial-time algorithm for linear programming, in: Symposium
on Theory of computing, STOC, ACM, 1984, pp. 302β311.
[24] R. Brooks, J. P. Matelski, The dynamics of 2-generator subgroups of PSL(2, π), in: Riemann
surfaces and related topics: Proceedings of the 1978 Stony Brook Conference, Ann. of
Math. Stud, volume 97, 1981, pp. 65β71.
[25] B. B. Mandelbrot, Fractal aspects of the iteration of π§ β π π§(1 β π§) for complex π and π§,
Annals of the New York Academy of Sciences 357 (1980) 249β259.
�