Keywords

These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.

1 Introduction

Template polyhedra are convex polyhedra whose defining halfspaces are orthogonal to a template, i.e., a finite set of directions. In other words, they are those conjunctions of linear inequalities where all coefficients are fixed and constants can vary. Template polyhedra naturally generalize geometrical representations like intervals or octagons, yet maintain low computational cost for several set operations. Template polyhedra have been employed for the abstract interpretation of programs [17, 38], but in particular they have recently gained popularity with the abstract interpretation of hybrid automata [12, 18, 25, 27, 37], i.e., the extension of finite automata with continuous dynamics [26]. In fact, verification of hybrid automata via template polyhedra has shown promise in practice [8, 13, 20, 23, 35], in spite of the theoretical undecidability even for the reachability question [29]. In this paper, we develop a novel abstraction refinement procedure for template polyhedra and we evaluate its use in the time-unbounded reachability analysis of hybrid automata.

Efficiency often comes at the price of precision, and template polyhedra are no exception. The precision is sensitive to the choice of template and a bad one might cause several problems. First, even computing the tightest of the template polyhedra around a set won’t necessarily bring to an exact representation. This holds for linear sets, think about using intervals or octagons for representing arbitrary polyhedra, and for non linear sets, think about using any finite set of directions for representing ellipses or parabolae. Second, template polyhedra suffer from the so called wrapping effect, that is to say that even if you represent initial and guard constraints of a hybrid automaton precisely, discrete transitions and time elapse might make new directions necessary. Think about representing a box using intervals, applying a slight rotation, and representing it again using intervals. Thus the question is: how do you choose the template?

The current approaches for the abstract interpretation by means of template polyhedra are affected by multiple problems. First, they do not guarantee avoidance of spurious counterexamples. In fact, they either assume a priori fixed templates or derive directions from initial and guard constraints [37, 38]. The online refinement techniques focus on improving local errors rather than inductively eliminating and generalizing whole paths [6, 22]. Counterexample-guided methods have been developed, but not for template polyhedra [4, 7, 15, 19]. Second, they partition and bound the time domain. Differential equations are in general hard to solve, thus time partitioning is often necessary [23, 25]. Efforts in taking larger time intervals have been made, but not for unbounded time [24]. Third, the approaches to the analysis of non-linear systems do not handle template refinement, even offline. The abstraction refinement of Bernstein and Taylor expansion-based approximations relies on global parameters that are hard to infer from counterexamples [12, 13, 18, 20, 39].

We propose a method which, for the first time, discovers template directions from spurious counterexamples and adds to the template a few of them at a time. Let us look at a refinement workflow. Initially, we search for a spurious counterexample using a fixed (and possibly empty) template. Once such a counterexample is found, we extract an inductive sequence of halfspace interpolants, i.e., Craig’s interpolants that consist of single linear inequalities [2]. We take their outward pointing directions and we add them to the template. Such directions eliminate the counterexample and generalize to all other counterexamples with the same switching sequence and any (and possibly unbounded) time elapse. We repeat the procedure in CEGAR fashion [16].

We target the time-unbounded reachability analysis of convex hybrid automata (CHA), i.e., hybrid automata whose flow constraints consist of differential inclusions (on derivatives only) and all constraints (flow, guards, and invariants) are (possibly non-linear) closed convex sets, and the special cases of linear hybrid automata (LHA) and quadratic hybrid automata (QHA). A large class of systems belongs to CHA, e.g., timed systems with convex non-linear clock drifts, or can be approximated as CHA, e.g., systems with Gaussian disturbances truncated by elliptic sets. The reachability analysis of LHA has a long history [5], while for QHA or beyond only bounded reachability analysis has been explored [11, 14].

We show that (i) for every CHA halfspace interpolants suitable for refinement always exist and that (ii) they can be computed efficiently using convex optimization [10], in particular using linear programming for LHA and second-order conic programming for QHA. We implement a tool based of this technology and evaluate it on several linear and quadratic benchmarks, comparing (favorably) against PHAVer where that tool applies [21, 23], namely LHA. This gives the following new results. First, we enable the use of template polyhedra for the abstract interpretation and the abstraction refinement of CHA, thus enabling the efficient time-unbounded reachability analysis for the full class where efficient convex optimizers are available, namely QHA. Second, we achieve greater practical performance against the state-of-the-art techniques for the time-unbounded reachability of even LHA. We evaluate our tool on multiple scaling and linear and non-linear variants of three different benchmarks, namely Fischer’s protocol [31], the TTEthernet protocol [9], and an adaptive cruise controller [30].

In summary, our contribution is threefold. First, we develop the first complete counterexample-guided procedure for the discovery of template directions. Second, we enable, for the first time, abstraction refinement for the time-unbounded reachability analysis for all CHA. Third, we build an efficient tool for the new class of time-unbounded QHA verification, which shows superior performance also for the special case of LHA.

Fig. 1.
figure 1

A CHA with two variables x and y, three good modes zero, one, and two, two bad modes badone and badtwo, and four switches a, b, c, and d. The good modes have three different relative speeds for x and y with an additional spherical drift. All invariants, the jump guards of a and of b are linear and the jump guards of c and of d are spherical.

Full size image

2 Motivating Example

Consider a system with two real-valued variables x and y whose dynamics follows some differential equation, which in turn is discontinuously switched by an automaton with three modes. Figure 1 shows such an example. The trajectory starts in the origin and enters mode zero and follows any differential equation whose derivative is \(\dot{x} = 1\) and \(\dot{y} = 2\) with possibly some drift in the ball of radius \(10^{-\frac{1}{2}}\) around this value. The invariant allows the trajectory to stay in mode zero as long as \(y \le 2\). The trajectory can take a if \(y \ge 1\) and switch to mode one, where the derivative of y halves. The dynamics continues similarly on mode one, switch c, and mode two, and similarly can take a switch to badone and badtwo when the respective guards are satisfied. We know that there does not exists a trajectory that leads to one of the bad modes, namely the system is safe. We want to prove it automatically by means of template polyhedra.

The set of states that are respectively reachable on modes zero, one, and two are the cones spanned by the points that enter the mode and take any possible trajectory, as respectively depicted in Fig. 2 in three shades on gray. We abstract the whole systems by representing each of these sets using template polyhedra. But first, we need to discover a suitable template. In fact, different templates produce different abstractions and not all of them can prove safety. Figure 2 shows three different such abstractions (striped polyhedra), but (a) and (b) hit the guards (dashed circled) to the bad modes while only (c) accomplishes the task. Our goal is to construct a good template like in (c).

Fig. 2.
figure 2

Template-polyhedral abstraction refinement for the CHA in Fig. 1. In dark gray, gray, and light gray the points reachable on the modes zero, one, and two, resp., and the striped polyhedra \(X_0\), \(X_1\), and \(X_2\) are the resp. template polyhedra. The lower and the upper dashed circles are, resp., the guards of the switches c and d to the bad modes. The variant (a) show the octagonal abstraction, and (b) and (c) show resp. the results of the templates obtained after refinement of the paths to badone and then to badtwo.

Full size image

We begin with abstraction (a) which uses the octagonal template, i.e., the 8 orthogonal directions to the facets of an octagon. The abstract interpreter will produce several abstract paths (sequences of pairs of modes and polyhedra interleaved by switches) among which will occur the path \(\mathtt{zero}, \mathtt{a}, \mathtt{one}, \mathtt{c}, \mathtt{badone}\), for the regions \(X_0,X_1 \subseteq \mathbb {R}^{n}\) where \(X_0 = \mathsf {init}_\mathtt{zero}\) abstracts the flow on zero, and \(X_1 = \mathsf {post}_\mathtt{a}(X_0)\) abstracts the flow on one (see Fig. 2a). This path reaches a bad mode, but it is spurious, namely it does not have a concrete counterpart. We prove it by computing a sequence of halfspace interpolants, i.e., two halfspaces \(H_0\) and \(H_1\) such that \(\mathsf {init}_\mathtt{zero} \subseteq H_0\) and \(\mathsf {post}_\mathtt{a}(H_0) \subseteq H_1\) and \(H_1\) does not intersect with the guard of the switch c (see Fig. 3b). The outward pointing directions \(d_0\) and \(d_1\) of \(H_0\) and \(H_1\) are the directions that generalize and eliminate all counterexamples with the switching sequence zero, a, one, c, badone (see Fig. 3c). We add them to the template and we recompute the abstraction, obtaining a necessarily different counterexample (see Fig. 2b). We repeat and eventually obtain Fig. 2c, finally proving the safety of the hybrid automaton.

In the next section we define the modeling and the (template-polyhedral) abstraction framework for CHA. In Sect. 4 we present our interpolant-based refinement technique and in Sect. 5 we phrase it as a convex optimization problem. In Sect. 6 we instantiate it to QHA and in Sect. 7 we show our experimental results.

3 Template-Polyhedral Abstractions for Convex Systems

Hybrid automata extend finite automata adding constraints on the (discrete and continuous) dynamics of a set of real variables [26]. Convex hybrid automata (CHA) are the class whose constraint define non-linear convex sets that exclusively constrain either variables or variable derivatives, as it is the case for the well-know class of linear hybrid automata (LHA) [26], which is thus generalized by CHA.

Definition 1

(Convex hybrid automata). A convex hybrid automaton \(\mathcal {H}\) with n real-valued variables consists of a finite directed multigraph \((V, E)\) where the vertices \(v\in V\) are called control modes and the edges \(e\in E\) are called control switches. Each \(v\in V\) is decorated by an initial constraint \(Z_{v} \subseteq \mathbb {R}^{n}\), an invariant constraint \(I_{v} \subseteq \mathbb {R}^{n}\), and a flow constraint \(F_{v} \subseteq \mathbb {R}^{n}\), each \(e\in E\) is decorated by a jump constraint \(J_{e} \subseteq \mathbb {R}^{2n}\), and all constraints define closed convex sets.

A finite control path \(v_0, e_1, v_1, \dots , e_k, v_k\) of the CHA \(\mathcal {H}\) is a path of the control graph of \(\mathcal {H}\), i.e., for all \(0 \le i \le k\) it holds that \(v_i \in V\) and for all \(1 \le i \le k\) it holds that \(e_i \in E\) and is a switch with source \(v_{i-1}\) and destination \(v_i\). When a control path is clear from the context, we abbreviate any object indexed by \(v_i\) or \(e_i\) as the same object indexed by i, e.g., we abbreviate \(F_{v_i}\) as \(F_{i}\). The semantics associates modes to points \(x \in \mathbb {R}^{n}\). For every two points \(x,x' \in \mathbb {R}^{n}\), for every control mode \(v\in V\) we say that \(x'\) is a \(v\)-successor of x if there exists a derivable function \(f :\mathbb {R}_{\ge 0} \rightarrow \mathbb {R}^{n}\) and a time delay \(\delta \in \mathbb {R}_{\ge 0}\) such that \(f(0) = x\), \(f(\delta ) = x'\), and for all \(0 \le \gamma \le \delta \) it holds that \(\dot{f}(\gamma ) \in F_{v}\) and \(f(\gamma ) \in I_{v}\), and for every control switch \(e\in E\) we say that \(x'\) is an \(e\) -successor of x if \((x, x') \in J_{e}\).

Definition 2

( \(\mathcal {H}\) -feasibility). A finite control path \(v_0, e_1, v_1, \dots , e_k, v_k\) is \(\mathcal {H}\)-feasible if for some \(x_0, x_0', x_1, x_1', \dots , x_k, x_k' \in \mathbb {R}^{n}\) it holds that \(x_0 \in Z_{0}\), and for all \(0 \le i \le k\), \(x_i'\) is a \(v_i\)-successor of \(x_i\) and \(x_i\) is a \(e_i\)-successor of \(x_{i-1}'\).

The semantics of \(\mathcal {H}\) is the maximal set of \(\mathcal {H}\)-feasible paths. A mode \(v\in V\) is reachable if there exists an \(\mathcal {H}\)-feasible control path whose last mode is \(v\), and a point \(x' \in \mathbb {R}^{n}\) is reachable on \(v\) if \(x'\) is the last point of a sequence as in Definition 2.

The abstraction associates modes to regions of \(\mathbb {R}^{n}\) into abstract paths whose elements are related by the init and post operator of an abstraction structure \(\mathcal {A}\).

Definition 3

(Abstraction structure). An abstraction structure \(\mathcal {A}\) for the CHA \(\mathcal {H}\) consists of an init operator \(\mathsf {init}_{v} \in \wp (\mathbb {R}^{n})\) for every \(v\in V\) and of a post operator \(\mathsf {post}_{e} :\wp (\mathbb {R}^{n}) \rightarrow \wp (\mathbb {R}^{n})\) for every \(e\in E\).

Similarly as for \(\mathcal {H}\), a control path with an abstract counterpart is called \(\mathcal {A}\)-feasible.

Definition 4

( \(\mathcal {A}\) -feasibility). A finite control path \(v_0, e_1, v_1, \dots , e_k, v_k\) is \(\mathcal {A}\)-feasible if for some non-empty sets \(X_0, X_1, \dots , X_k \subseteq \mathbb {R}^{n}\) holds that \(X_0 = \mathsf {init}_{0}\) and for all \(1 \le i \le k\), \(X_{i} = \mathsf {post}_{i}(X_{i-1})\).

An \(\mathcal {A}\)-feasible path is genuine if it is also \(\mathcal {H}\)-feasible, and spurious otherwise. An abstraction structure \(\mathcal {A}\) is sound if all \(\mathcal {H}\)-feasible control paths are \(\mathcal {A}\)-feasible.

The support function [36] in direction \(d \in \mathbb {R}^{n}\) of a convex set \(X \subseteq \mathbb {R}^{n}\) is

$$\begin{aligned} \rho _{X}(d) \overset{{\mathrm {def}}}{=}\sup \{ d \cdot x \mid x \in X \}. \end{aligned}$$
(1)

The support function of X characterizes the template polyhedron [25, 38] of X for the template \(\varDelta \subseteq \mathbb {R}^{n}\) (a finite set). We call it the \(\varDelta \)-polyhedron of X, that is

$$\begin{aligned} \bigcap _{d \in \varDelta } \{ x \in \mathbb {R}^{n} \mid d \cdot x \le \rho _X(d) \}\text {.} \end{aligned}$$
(2)

We aim at computing template polyhedra for the (continuous) flow and the (discrete) jump post operators (and their compositions) of the hybrid automaton. The flow operator of mode \(v\in V\) gives the points reachable by time elapse on \(v\):Footnote 1

$$\begin{aligned} {{\mathrm{flow}}}_{v}(X) \overset{{\mathrm {def}}}{=}(X \oplus {{\mathrm{coni}}}F_{v}) \cap I_{v}. \end{aligned}$$
(3)

The jump operator of switch \(e\in E\) gives the points reachable through \(e\):Footnote 2

$$\begin{aligned} {{\mathrm{jump}}}_{e}(X) \overset{{\mathrm {def}}}{=}\begin{bmatrix} 0_{n\times n}&I_n \end{bmatrix} \left( \left( \begin{bmatrix} I_n\\0_{n\times n} \end{bmatrix} X \oplus \begin{bmatrix} 0_{n\times n}\\ I_n \end{bmatrix} \mathbb {R}^{n} \right) \cap J_{e} \right) \text {\!.} \end{aligned}$$
(4)

Flow and jump operators are an exact symbolical characterization for the semantics of CHA, and follow as an extension of the symbolic analysis of LHA [26].

Lemma 1

For every CHA \(\mathcal {H}\) and every set \(X \subseteq \mathbb {R}^{n}\) it holds that (i) \(x' \in {{\mathrm{flow}}}_{v}(X)\) if and only if \(x'\) is a \(v\)-successor of some \(x \in X\) for every control mode \(v\in V\) and (ii) \(x' \in {{\mathrm{jump}}}_{e}(X)\) if and only if \(x'\) is a \(e\)-successor of some \(x \in X\) for every control switch \(e\in E\).

The exact symbolic analysis of CHA has in general high complexity, as it requires eliminating quantifiers, and possibly from formulae that contain non-linear constraints. For this reason we approximate them using template polyhedra.

The template-polyhedral abstraction computes the template polyhedra of the flow and jump operators above and, in our definition, using a different template for each mode, given by the precision function \(\mathsf {prec}:V\rightarrow \wp (\mathbb {R}^{n})\).

Definition 5

(Template-polyhedral abstraction). The template-polyhedral abstraction for the CHA \(\mathcal {H}\) and the precision function \(\mathsf {prec}:V\rightarrow \wp (\mathbb {R}^{n})\) is the abstraction structure where the init operator \(\mathsf {init}_v\) is the \(\mathsf {prec}(v)\)-polyhedron of \(\text{ flow }_v(Z_{v})\), and the post operator \(\mathsf {post}_e(X)\) is the \(\mathsf {prec}(t)\)-polyhedron of \(\text{ flow }_{t} \circ \text{ jump }_e(X)\) where \(t \in V\) is the destination of \(e\).

It is well-know that the template-polyhedral abstraction constructs a conservative over-approximation for linear systems [38], and the same holds for CHA.

Theorem 1

For every CHA \(\mathcal {H}\) and every precision function \(\mathsf {prec}\) the template-polyhedral abstraction for \(\mathcal {H}\) and \(\mathsf {prec}\) is sound.

The obvious difficulty is in finding a precision function that is suitable for proving or disproving reachability. In the next section, we show how to form one such automatically by means of counter-example guided abstraction refinement.

4 Refining the Template-Polyhedral Abstraction

A counter-example guided abstraction refinement (CEGAR) loop [16] for a hybrid automaton \(\mathcal {H}\) and a set of bad modes T consists of an abstractor and a refiner interacting with each other. At each iteration i, the abstractor takes an abstraction structure \(\mathcal {A}_i\) and attempts to construct the finite state machine that recognizes all \(\mathcal {A}_i\)-feasible paths. If it terminates and it does not find a counterexample, i.e., a path leading to a bad mode, then it returns no. Otherwise, it passes \(\mathcal {A}_i\) and a set of counterexamples \(W_i\) to the refiner. The refiner attempts to construct an abstraction structure \(\mathcal {A}_{i+1}\) that refines \(\mathcal {A}_i\) and eliminates all counterexamples in \(W_i\). If it fails, then it reports yes and a set \(\bar{W}_i \subseteq W_i\) of genuine counterexamples. Otherwise, it passes \(\mathcal {A}_{i+1}\) to the abstractor.

The above procedure is sound (upon termination), provided \(\mathcal {A}_i\) is sound, in the sense that if it reports no then no mode in T is reachable. It is complete (upon termination), namely if it reports yes then some mode in T is reachable, if it returns an abstraction \(\mathcal {A}_{i+1}\) that is locally complete w.r.t. \(W_i\) when one exists.

  • Local completeness. An abstraction structure \(\mathcal {A}\) for the CHA \(\mathcal {H}\) is locally complete w.r.t. the set W of control paths of \(\mathcal {H}\) if all \(\mathcal {H}\)-infeasible control paths in W are \(\mathcal {A}\)-infeasible.

Moreover, if it ensures local completeness w.r.t. \(\cup \{ W_j | 0 \le j \le i \}\), then it ensures progress of the procedure if the counterexamples are given one by one.

Whenever we find a spurious counterexample, we augment the precision of the modes along the path with additional template directions, so to make it \(\mathcal {A}\)-infeasible. First of all, we start with finding a sequence of Craig’s interpolants and only Craig’s interpolants that are halfspaces [2]. Formally, let \(w = v_0, e_1, v_1, \dots , e_k, v_k\) be a control path of \(\mathcal {H}\), then a sequence of halfspace interpolants for w is a sequence of sets \(H_0, H_1, \dots , H_k \subseteq \mathbb {R}^{n}\) such that each element is either the universe, a closed halfspace, or the empty set and

$$\begin{aligned} {{\mathrm{flow}}}_{0}(Z_{0}) \subseteq H_0, {{\mathrm{flow}}}_{1} \circ {{\mathrm{jump}}}_{1}(H_0) \subseteq H_1, \dots , {{\mathrm{flow}}}_{k} \circ {{\mathrm{jump}}}_{k}(H_{k-1}) \subseteq H_k, \end{aligned}$$
(5)

and \(H_k \subseteq \emptyset \). If such sequence exists, then the path is clearly \(\mathcal {H}\)-infeasible. Conversely, it is not trivial that for every \(\mathcal {H}\)-infeasible path such sequence exists.

Lemma 2

For every CHA \(\mathcal {H}\) and every control path w of \(\mathcal {H}\) it holds that w is \(\mathcal {H}\)-infeasible if (and only if)Footnote 3 there exists a sequence \(H_0, H_1, \dots , H_k \subseteq \mathbb {R}^{n}\) of halfspace interpolants for w as in Eq. 5.

Indeed, existence relies on further technical conditions that are out of the scope of this paper [36]. With this in mind, simply assuming all non-linear constraints to be bounded (e.g., Fig. 1) ensures existence, yet without preventing time-unbounded reachability. Computing interpolants is the subject of the next section.

The refining directions are the outward pointing directions of the halfspace interpolants, respectively for each mode along the path. In fact, it is enough to observe that every abstraction we obtain after adding such directions also satisfy

$$\begin{aligned} \mathsf {init}_0 \subseteq H_0, \mathsf {post}_1(H_0) \subseteq H_1, \dots , \mathsf {post}_k(H_{k-1}) \subseteq H_k\text {.} \end{aligned}$$
(6)

Figure 3 shows such an example. The path is the one leading to badone from the CHA of Fig. 1, which is spurious with octagonal template (see Fig. 3a), and, in fact, a sequence \(H_0\) and \(H_1\) of halfspace interpolants exists (see Fig. 3b). The halfspace \(H_1\) is disjoint from the guard of c (dashed circle) and includes the points reachable from \(H_0\) (light gray), which in its turn includes the points reachable from \(Z_\mathtt{zero}\), i.e., \({{\mathrm{flow}}}_\mathtt{zero}(Z_\mathtt{zero}) \subseteq H_0\), \({{\mathrm{flow}}}_\mathtt{one} \circ {{\mathrm{jump}}}_\mathtt{a}(H_0) \subseteq H_1\), and \({{\mathrm{jump}}}_\mathtt{c}(H_1) \subseteq \emptyset \). Taking the supporting halfspaces in the same directions preserves these inclusions, hence adding \(d_0\) to \(\mathsf {prec}(\mathtt{zero})\) and \(d_1\) to \(\mathsf {prec}(\mathtt one)\) causes \(\mathsf {init}_\mathtt{zero} \subseteq H_0\), \(\mathsf {post}_\mathtt{a}(H_0) \subseteq H_1\), and \(\mathsf {post}_\mathtt{c}(H_1) \subseteq \emptyset \). Thus \(d_0\) and \(d_1\) eliminate the counterexample, and regardless of whether \(\mathsf {prec}\) contains further directions (see Fig. 3c).

Fig. 3.
figure 3

Refinement for the control path zero, a, one, b, badone of the CHA in Fig. 1. In dark gray, the points reachable on mode zero. In (a), (b), and (c), in light gray are the points reachable on mode one resp. from \(X_0\), \(H_0\), and \(X_0\). In (a) the spurious path, in (b) the interpolants, and in (c) the abstraction with the outward pointing directions.

Full size image

Definition 6

(Template-polyhedral refinement). Let \(\mathcal {H}\) be a CHA and let \(w = v_0, e_1, v_1, \dots , e_k, v_k\) be a control path. Define the precision function \(\mathsf {prec}\) such that for some (if one exists) sequence of halfspace interpolants \(H_0, H_1, \dots , H_k \subseteq \mathbb {R}^{n}\) for w as in Eq. 5 then for all \(0 \le i \le k\) set \(d_i \in \mathsf {prec}(v_i)\) where \(d_i\) is the outward pointing direction of \(H_i\). We define the template-polyhedral refinement for \(\mathcal {H}\) and w as the template-polyhedral abstraction for \(\mathcal {H}\) and \(\mathsf {prec}\).

Local completeness w.r.t. a single path easily generalizes to local completeness w.r.t. multiple paths by taking the union of the discovered directions.

Theorem 2

For every CHA \(\mathcal {H}\) and every set W of finite control paths of \(\mathcal {H}\) the unionFootnote 4 over all \(w \in W\) of the template-polyhedral refinements for \(\mathcal {H}\) and w is locally complete w.r.t. W.

Summarizing, we search for abstract counterexamples and we accumulate all outward pointing directions of the respective halfspace interpolants. If either the abstractor finds a fixpoint or interpolation fails, then we obtain a sound and complete answer. In the following section, we show how to compute init and post operators and sequences of halfspace interpolants by using convex optimization.

5 Craig’s Interpolation as Convex Optimization

The support function is a central actor both in abstraction, as it defines template polyhedra, and refinement, as it gives a powerful formalism to talk about inclusion in halfspaces and separation of convex sets. In either case, the sets we deal with are arbitrary compositions of flow and jump operators, which in their turn are compositions of Minkowski sums, linear transformations, conical combinations, and intersections. We characterize the support functions of such operations as convex programs, with the aim of characterizing abstraction and refinement as convex programs.

We present a characterization of support functions that is compositional for the set operations above. The classic support function representation frameworkFootnote 5 offers a very similar machinery [25], but it suffers from the following shortcomings. First, it requires the operand sets in Minkowski sums and intersections to be compact (i.e., closed and bounded) and boundedness cannot be easily relaxed, e.g., \(\rho _{\mathbb {R}^{n}}(d) + \rho _\emptyset (d) = +\infty -\infty \) while \(\rho _{\mathbb {R}^{n} \oplus \emptyset }(d) = -\infty \) for every \(d\ne 0\). Since we aim at time-unbounded reachability, is would be too restrictive to assume boundedness. Second, substituting boundedness with nonemptiness might cause uncorrect results, e.g., for the sets \(A = \{ (x,y) \mid x \le -1\}\), \(B = \{ (x,y) \mid x \ge 1\}\), and the direction \(c = (0,1)\) we obtain \(\inf \{ \rho _A(c-a) + \rho _B(a)\} = +\infty \), while \(\rho _{A \cap B}(c) = -\infty \). We relax both the assumptions of boundedness and nonemptiness by characterizing the support function \(\rho _X(d)\) with a convex program

$$\begin{aligned} \begin{array}{ll} \text{ minimize } &{} \bar{\rho }_X(\lambda )\\ \text{ subject } \text{ to } &{} (\lambda , d) \in \varLambda _X\text {,} \end{array} \end{aligned}$$
(7)

with objective function \(\bar{\rho }_X :\mathbb {R}^m \rightarrow \mathbb {R}\) and constraint \(\varLambda _X \subseteq \mathbb {R}^{m+n}\). The minimum of \(\bar{\rho }_X(\lambda )\) over \(\lambda \) characterizes \(\rho _X(d)\) for directions in which X is bounded, while \(\varLambda _X\) characterizes boundedness. This is encapsulated by the notion of duality.

  • Duality. Let \(X \subseteq \mathbb {R}^{n}\) be a nonempty closed convex set. The convex program of Eq. 7 is dual to \(\rho _X\) if for all \(d \in \mathbb {R}^{n}\) it holds that

    1. (i)

      \(\rho _X(d) = +\infty \) if and only if there does not exist \(\lambda \) such that \((\lambda ,d) \in \varLambda _X\),

    2. (ii)

      \(\rho _X(d) < +\infty \) if and only if \(\rho _X(d) = \min \{ \bar{\rho }_X(\lambda ) \mid (\lambda ,d) \in \varLambda _X \}\).

We define inductive rules for constructing dual convex programs for the support functions of set operations, provided dual convex programs for their operands (whose instantiation for sets defined by symbolic constraints is subject of Sect. 6):

$$\begin{aligned} \begin{aligned} \bar{\rho }_{X \oplus Y}(\lambda , \mu )&\overset{{\mathrm {def}}}{=}\bar{\rho }_X(\lambda ) + \bar{\rho }_Y(\mu ),\\ \varLambda _{X \oplus Y}&\overset{{\mathrm {def}}}{=}\{(\lambda , \mu , d) \mid (\lambda ,d) \in \varLambda _X, (\mu ,d) \in \varLambda _Y\}, \end{aligned} \end{aligned}$$
(8)
$$\begin{aligned} \begin{aligned} \bar{\rho }_{MX}(\lambda )&\overset{{\mathrm {def}}}{=}\bar{\rho }_X(\lambda ),\\ \varLambda _{MX}&\overset{{\mathrm {def}}}{=}\{(\lambda , d) \mid (\lambda ,M^\mathsf {T}d) \in \varLambda _X\}, \end{aligned} \end{aligned}$$
(9)
$$\begin{aligned} \begin{aligned} \bar{\rho }_{{{\mathrm{coni}}}X}(\lambda )&\overset{{\mathrm {def}}}{=}0,\\ \varLambda _{{{\mathrm{coni}}}X}&\overset{{\mathrm {def}}}{=}\{ (\lambda , d) \mid \bar{\rho }_X(\lambda ) \le 0, (\lambda ,d) \in \varLambda _X\}, \end{aligned} \end{aligned}$$
(10)
$$\begin{aligned} \begin{aligned} \bar{\rho }_{X \cap Y}(\lambda , \mu )&\overset{{\mathrm {def}}}{=}\bar{\rho }_X(\lambda ) + \bar{\rho }_Y(\mu ),\text { and}\\ \varLambda _{X \cap Y}&\overset{{\mathrm {def}}}{=}\{(\lambda , \mu , a, d) \mid (\lambda ,a) \in \varLambda _X, (\mu ,d - a) \in \varLambda _Y\}. \end{aligned} \end{aligned}$$
(11)

Nevertheless, duality is not sufficient to characterize operations producing the empty set. Considering the examples above, the constraint \(\varLambda _{\mathbb {R}^{n} \oplus \emptyset }\) is infeasible for every direction \(d \ne 0\) and the constraint \(\varLambda _{A \cap B}\) is infeasible for direction c, contradicting (i). However, it suffices that the convex program is unbounded for at least \(d = 0\), providing an alternative for deciding emptiness beforehand.

  • Alternativity. The convex program of Eq. 7 is alternative to \(\rho _\emptyset \) if for every \(\epsilon < 0\) there exists \((\lambda , 0) \in \varLambda _\emptyset \) such that \(\bar{\rho }_\emptyset (\lambda ) \le \epsilon \).

Altogether, we compute the support of X in direction d as follows. We decide whether there exists a negative solution in direction 0. If so we return \(-\infty \), otherwise we decide whether \(\varLambda _X\) is infeasible in direction d. If so we return \(+\infty \), otherwise we solve the convex program. This is permitted on any combination of the set operations above, as our construction preserves duality and alternativity.

Lemma 3

Let \(X,Y \subseteq \mathbb {R}^{n}\) be closed convex sets. If the convex programs for \(\bar{\rho }_X, \varLambda _X\) and \(\bar{\rho }_Y, \varLambda _Y\) are dual and alternative to resp. \(\rho _X\) and \(\rho _Y\) then the convex programs for Eqs. 8, 9, and 10 are dual and alternative to the respective support functions. If either X and Y intersect or they admit a separating hyperplane then also the convex program for Eq. 11 is dual and alternative to \(\rho _{X\cap Y}\).

In addition, the construction allows us to inductively extract separating hyperplanes and therefore sequences of halfspace interpolants.

The emptiness check or more generally deciding whether a support function is below a threshold permits us to inductively extract interpolants. For each of the four set operation we wish first to prove inclusion within a given halfspace (or the empty set) H and then to find a second halfspace \(H'\) which interpolates the operand. For instance, for an intersection \(X \cap Y\) such that \(X \cap Y \subseteq H\), we wish to find a \(H'\) such that \(X \subseteq H'\) and \(H' \cap Y \subseteq H\). Indeed, we just need their outward pointing directions, and our construction carries this information.

Lemma 4

Let \(X,Y \subseteq \mathbb {R}^{n}\) be closed convex sets. Let the convex programs for \(\bar{\rho }_X, \varLambda _X\) and \(\bar{\rho }_Y, \varLambda _Y\) be dual and alternative to \(\rho _X\) and \(\rho _Y\). Let H be the set \(\{ x \in \mathbb {R}^{n} \mid d \cdot x \le \epsilon \}\), which is empty if and only if \(d=0\) and \(\epsilon < 0\).

  • If either X and Y are both nonempty or H is empty then for every \((\lambda ^\star , \mu ^\star , d) \in \varLambda _{X \oplus Y}\) such that \(\bar{\rho }_{X \oplus Y}(\lambda ^\star , \mu ^\star ) \le \epsilon \) there exists \(H' = \{ x \in \mathbb {R}^{n} \mid d \cdot x \le \epsilon '\}\) such that \(\bar{\rho }_X(\lambda ^\star ) \le \epsilon '\) and \(H' \oplus Y \subseteq H\).

  • If either X is nonempty or H is empty then for every \((\lambda ^\star ,d) \in \varLambda _{MX}\) such that \(\bar{\rho }_{MX}(\lambda ^\star ) \le \epsilon \) there exists \(H' = \{ x \in \mathbb {R}^{n} \mid (M^\mathsf {T}d)\cdot x \le \epsilon '\}\) such that \(\bar{\rho }_X(\lambda ^\star ) \le \epsilon '\) and \(MH' \subseteq H\).

  • For every \((\lambda ^\star ,d) \in \varLambda _{{{\mathrm{coni}}}X}\) such that \(\bar{\rho }_{{{\mathrm{coni}}}X}(\lambda ^\star ) \le \epsilon \) there exists \(H' = \{ x \in \mathbb {R}^{n} \mid d\cdot x \le \epsilon '\}\) such that \(\bar{\rho }_{X}(\lambda ^\star ) \le \epsilon '\) and \({{\mathrm{coni}}}H' \subseteq H\).

  • If either X and Y intersect or H is empty and they admit a separating hyperplane then for every \((\lambda ^\star ,\mu ^\star ,a^\star , d) \in \varLambda _{X \cap Y}\) such that \(\bar{\rho }_{X \cap Y}(\lambda ^\star , \mu ^\star ) \le \epsilon \) there exists \(H' = \{ x \in \mathbb {R}^{n} \mid a^\star \cdot x \le \epsilon '\}\) such that \(\bar{\rho }_X(\lambda ^\star ) \le \epsilon '\) and \(H' \cap Y \subseteq H\).

We can extract the outward pointing directions by looking at the arguments instantiated by an emptiness check. Inductively, if d is the outward pointing direction of H, then the outward pointing direction of \(H'\) is d for the Minkowski sum, \(M^\mathsf {T}d\) for the linear transformation, d for the conical combination, and a for the intersection. As a result, we can extract sequences of interpolants for arbitrary combinations of basic set operations from one single emptiness check.

We build such a construction for arbitrary sequences of flow and jump operators induced by control paths. More concretely, let \(w = v_0, e_1, v_1, \dots , e_k, v_k\) be a control path of some CHA \(\mathcal {H}\) then the path operator of w is

$$\begin{aligned} P_w \overset{{\mathrm {def}}}{=}{{\mathrm{flow}}}_{k} \circ {{\mathrm{jump}}}_{k} \circ \dots \circ {{\mathrm{flow}}}_{1} \circ {{\mathrm{jump}}}_{1} \circ {{\mathrm{flow}}}_{0}(Z_0)\text {.} \end{aligned}$$
(12)

Similarly to Lemma 2, we assume every path operator to be either nonempty or to admit a separating hyperplane at some intersection. By applying the above rules, we construct the convex program for the support function of \(P_w\) as follows:

(13)

Duality and alternativity is preserved, therefore we can use such construction to compute the support functions for init and post (which are special cases of path).

Lemma 5

For every CHA \(\mathcal {H}\), every control path w of \(\mathcal {H}\), if the convex programs for every constraint X along the path are dual and alternative to \(\rho _X\) then the convex program in Eq. 13 is dual and alternative to \(\rho _{P_w}\).

We identify the arguments that determine a suitable sequence of halfspace interpolants after the emptiness check.

Lemma 6

For every CHA \(\mathcal {H}\), every control path w of \(\mathcal {H}\), every \(\epsilon < 0\), and every \((\lambda ^\star ,0) \in \varLambda _{P_w}\) whose projection on \(a_0, a_1, \dots , a_k\) is \(a_0^\star , a_1^\star , \dots , a_k^\star \in \mathbb {R}^{n}\), if the convex programs for the constraints X along the path are dual and alternative to \(\rho _X\) then \(\bar{\rho }_{P_w}(\lambda ^\star ) \le \epsilon \) if and only if \(a_0^\star , a_1^\star , \dots , a_k^\star \) are the outward pointing directions of a sequence of halfspace interpolants \(H_0, H_1, \dots , H_k\) for w as in Eq. 5.

In summary, we search by convex optimization for an argument for which the convex program of Eq. 13 for \(d=0\) has negative solution. If so, the argument \(a_i^\star \) for the parameter \(a_i\) is the outward pointing direction for the interpolant at mode \(v_i\). Adding \(a_i^\star \) to \(\mathsf {prec}(v_i)\) eliminates the spurious counterexample w.

In this section, we have built a refiner for every spurious path of every CHA, assuming dual and alternative convex programs for the constraints along the path. In the following section, we discuss such functions and show how to instantiate interpolation for the special case of quadratic hybrid automata.

6 Abstraction Refinement for Quadratic Systems

The interpolation technique in Sect. 5 relies on the notions of duality and alternativity. Duality and alternativity are preserved by Minkowski sum, linear transformation, conical combination, and intersection, but whether they hold in the first place depends on the constraint of the automaton. We discuss these properties for (convex) quadratic programs, and we show their implications to the classes of quadratic and linear hybrid automata.

Closed convex quadratic sets are sets of the form \(\bigcap _{i=1}^m \{ x\in \mathbb {R}^{n} \mid xQ_i x^\mathsf {T}+ p_i^\mathsf {T}x\le r_i \}\) where \(Q_1, \dots , Q_m \in \mathbb {R}^{n \times n}\) are positive semidefinite matrices of coefficients, \(p_1, \dots , p_m \in \mathbb {R}^{n}\) are vectors of coefficients, and \(r_1, \dots , r_m \in \mathbb {R}\) are constants. Closed convex quadratic sets characterize quadratic hybrid automata.

Definition 7

(Quadratic hybrid automata). A quadratic hybrid automaton (QHA) is a CHA whose constraints define closed convex quadratic sets.

The support function of a convex quadratic set is a quadratically constrained (convex) quadratic program, which is known to cast to second-order conic programming (SOCP) [3]. We cast the support function to an optimization problem over a (rotated) second-order cone and we take its dual [3], so obtaining

$$\begin{aligned} \begin{array}{ll} \text{ minimize } &{} r_1 \lambda _1 + \dots + r_m \lambda _m\\ \text{ subject } \text{ to } &{} p_1 \lambda _1 + L_1^\mathsf {T}\mu _1 + \dots + p_m \lambda _m + L_m^\mathsf {T}\mu _m = d\text {,}\\ &{}\lambda _1 \ge \Vert \mu _1 \Vert _2^2, \dots , \lambda _m \ge \Vert \mu _m \Vert _2^2\text {,} \end{array} \end{aligned}$$
(14)

where \(L_1, \dots , L_m\) are the Cholesky decompositions of \(Q_1, \dots , Q_m\) respectively, and \(\lambda _1, \dots , \lambda _m \in \mathbb {R}\) and \(\mu _1, \dots , \mu _m \in \mathbb {R}^{n}\) are the optimization arguments. Under the regularity conditions for non-linear optimization, e.g., Slater’s condition, duality and alternativity hold [3, 10]. Encodings that do not need such conditions exist [34], but are not discussed in this paper.

Every algorithm that solves feasibility and optimization of SOCP solves init and post computation and halfspace interpolation for QHA, thus enabling their template-polyhedral abstraction and abstraction refinement.

Theorem 3

Let \(\mathcal {H}\) be a QHA with n variables and m inequalities. Let the time complexity of SOCP be \(\mathsf {socp}(\alpha , \beta , \gamma )\) for \(\alpha \) variables, \(\beta \) equalities, and \(\gamma \) cones.

  • Init and post operators time complexity is \(p \times \mathsf {socp}(n\times m,n, m)\) where \(p = \max \{|\mathsf {prec}(v)| \mid v\in V\}\) for the precision function \(\mathsf {prec}\).

  • Refinement time complexity is \(c \times \mathsf {socp}(n\times m,n\times k, m \times k)\) where \(c = |W|\) and \(k = \max \{|w| \mid w \in W\}\) for the set of counterexamples W.

Nevertheless, the complexity SOCP remains an open problem on the Turing machine, while it is known to be in NP \(\cap \) coNP on the real number model [34]. On the other hand, several efficient (but incomplete) numerical procedures are available, therefore in practice we can obtain support functions and interpolants, but with weaker guarantees. We are in a better position for the case of linear hybrid automata (LHA) [26], i.e., the special case of QHA where all constraints define polyhedra. For linear hybrid automata, the program of Eq. 14 is always a linear program, i.e., all cones are positive orthants, where duality holds, alternativity is given by Farkas’ lemma, and time complexity is polynomial. Hence, for LHA, init operator, post operator, and refinement time complexities are as well polynomial.

7 Experimental Evaluation

We evaluate our algorithms on three main classes of benchmarks, namely Fischer’s protocol [31], an adaptive cruise controller [30], and the TTEthernet protocol [9]. For each class, we consider a linear version and a non-linear version, as well as for each a safe version and an unsafe version.

Fischer’s protocol is a time based protocol of mutual exclusion between processes. The protocol is correct if two processes are never in the critical section at the same time. For the linear version, the flow constraints are given by \(\frac{1}{2} \le \dot{x}_\mathtt{1} \le \frac{3}{2}, \dots , \frac{1}{2} \le \dot{x}_\mathtt{m} \le \frac{3}{2}\), where \(x_\mathtt{i}\) is the clock of the \(\mathtt{i}\)-th process, and for the non-linear case, \(\sqrt{\dot{x}_\mathtt{1}^2 + \dots + \dot{x}_\mathtt{m}^2} \le 1\). We verify the linear version up to 5 processes and the non-linear version up to 3 processes.

The adaptive cruise controller is a distributed system for safety distance of platoon of cars. Each car either cruises or recovers by slowing down. The relative velocity has a drift \(|\dot{x} - \dot{x}_\mathtt{ldr}| \le \frac{1}{2}\) when cruising and \(|\dot{x} - \dot{x}_\mathtt{ldr} + \varepsilon | \le \frac{1}{2}\) when recovering, where x and \(x_\mathtt{ldr}\) are the positions of each car the car in front, resp, and \(\varepsilon \) is the slow-down. We check for car crashes in platoons up to 7 cars.

Finally, we consider the TTEthernet protocol for the remote synchronization of possibly drifted clocks distributed over multiple components. Similarly to previous case studies, we consider flows defined in terms of intervals and unit balls for linear and non-linear cases, respectively. We verify both linear and non-linear systems with 3, 5, 9, and 17 components.

Table 1. Results of the experimental evaluation. Empty and octagonal indicate the initial precision. #spu is number of discovered spurious counterexamples, #dir is the number of discovered directions (empty case) or initial directions + discovered directions (octagonal case). cgr is the total time spent in unsuccessful abstractions (with spurious counterexample), itp is the total time spent in discovering halfspace interpolants, ver is the time spent in successful abstractions. oot indicates out of time (24 h), oom indicates out of memory (4 Gb), and dash indicates unsupported. The benchmark names are structured as follows. fsr indicates Fischer’s protocol, acc indicates adaptive cruise controller, tte indicates TTEthernet, lnr indicates linear, qdr indicates quadratic, the following number indicates the number of components, and sf and usf resp. indicate safe and unsafe.
Full size table

We implemented a CEGAR loop based on our procedure in C++ and conducted the following experiments on a machine with 2.6 GHz CPU and 4 GB of dedicated RAM. We use the GLPK for solving LPs and MOSEK for solving SOCPs [1, 33]. We executed our tool under the empty strategy and the octagonal strategy. With the empty strategy, the initial precision is empty, which means that the very first abstraction computation consists of a simple exploration of the control graph. With the octagonal strategy, the precision at every mode consists of the octagonal template, with a total of \(2|V|n^2\) directions over all modes. For all linear instances, we compared against PHAVer [21] (SpaceEx v0.9.8c with PHAVer scenario).

Table 1 shows the results. The empty strategy has on average the best runtime and always outperforms PHAVer. It also outperforms the octagonal strategy for most of the instances. Both strategies spend most of the time in the first phase (CEGAR iterations ending in a spurious counterexample), and take a very short time for the final verification step. For Fischer’s protocol the octagonal strategy is always slower than the empty. For the other benchmarks the difference is less stunning, in particular for the unsafe cases of the TTEthernet benchmarks, where the first phase penalizes considerably. On the other hand, we can observe that, under the assumption that we are not aware of the safety of the systems, our method shows to be the most scalable. The octagonal strategy tends to run out of time because the higher number of directions causes the generation of bigger and bigger abstract regions. In fact, we have verified that for these instances a spurious counter-example is never found. The same argument likely holds for PHAVer, as its dump shows that new symbolic states are always found. Not surprisingly, for QHA the performance is generally worse than for LHA.

In summary, template polyhedra coupled with our abstraction refinement technique are faster than the exact polyhedral reachability analysis. Noteworthy is how negligible is the time required in the final verification step on all instances. Our tool recomputes the whole abstraction after every refinement phase, as all our efforts have been strictly focused on implementing an efficient template refinement. The final time sets a lower bound for the verification time achievable by an incremental abstraction. Furthermore, we could observe that inferring small template sets plays an important role in the convergence of the whole analysis.

8 Conclusion

We have presented the first template refinement technique that iteratively derives template directions from spurious counterexamples. These directions eliminate all counterexamples that pass through the same switching sequence, independently of any time delays. These directions can refute further spurious paths, so that a small number of directions may suffice to show safety. This is supported by our experiments, which terminate with small templates in all cases. Our procedure can be implemented efficiently for LHA and QHA using convex optimization, and in principle it applies to every CHA. Our implementation outperforms polyhedral reachability (PHAVer), and yet has room for further substantial improvement since the abstraction is constructed from scratch at each iteration and could be made incremental [28, 32]. In terms of modeling power, extending template refinement to affine or general polynomial systems also brings further challenges, as the reachable regions lose the convexity property, thus requiring more powerful techniques for halfspace interpolation [2].