STLmc: Robust STL Model Checking of Hybrid Systems Using SMT

Abstract

We present the STLmc model checker for signal temporal logic (STL) properties of hybrid systems. The STLmc tool can perform STL model checking up to a robustness threshold for a wide range of hybrid systems. Our tool utilizes the refutation-complete SMT-based bounded model checking algorithm by reducing the robust STL model checking problem into Boolean STL model checking. If STLmc does not find a counterexample, the system is guaranteed to be correct up to the given bounds and robustness threshold. We demonstrate the effectiveness of STLmc on a number of hybrid system benchmarks.

1 Introduction

Signal temporal logic (STL) [31] has emerged as a popular property specification formalism for hybrid systems. STL formulas describe linear-time properties of continuous real-valued signals. Because hybrid systems exhibit both discrete and continuous behaviors, STL provides a convenient and expressive way to specify important requirements of hybrid systems. STL has a vast range of applications on hybrid systems, including automotive systems [26], robotics [24, 40], medical systems [36], IoT [7], smart cities [30], etc.

Due to the infinite-state nature of hybrid systems with continuous dynamics, most techniques and tools for analyzing STL properties focus on monitoring and falsification. These techniques analyze concrete samples of signals obtained by simulating hybrid automata to monitor the system’s behavior [13, 15, 32] or find counterexamples [1, 37, 43], often combined with stochastic optimization. To this end, STL monitoring and falsification use quantitative semantics that defines the robustness degree to indicate how well the formula is satisfied. However, these methods cannot be used to guarantee correctness.

Recently, several STL model checking techniques have been proposed for hybrid systems [3, 29, 35]. In particular, the SMT-based bounded model checking algorithms [3, 29] are refutation-complete, i.e., they can guarantee correctness up to given bounds. However, these techniques are based on the Boolean semantics of STL instead of quantitative semantics. This is a limitation for hybrid systems as small perturbations of signals can cause the system to violate the properties verified by Boolean STL model checking. Moreover, there exists no tool with a convenient user interface implementing STL model checking techniques.

This paper presents the STLmc tool for robust STL model checking of hybrid systems. Our tool can verify that, up to given bounds, the robustness degree of an STL formula \(\varphi \) is greater than a robustness threshold \(\epsilon > 0\) for all possible behaviors of the system. We reduce the robust STL model checking problem to Boolean STL model checking using \(\epsilon \)-strengthening (perturbing the problem by \(\epsilon \) to make it harder to be true), first proposed in [21] for first-order logic and extended to STL. We then apply the refutation-complete bounded model checking algorithm [3, 29] to build the SMT encoding of the resulting Boolean STL model checking problem, which can be solved using SMT solvers.

Apart from the robust STL model checking method, STLmc also implements several techniques to improve the usability and scalability of the tool:

• STLmc implements a generic interface to connect with various SMT solvers, such as Z3 [12], Yices2 [17], and dReal [22]. Since dReal can (approximately) deal with nonlinear ordinary differential equations (ODEs), STLmc can also support hybrid systems with nonlinear ODE dynamics.

• STLmc implements parallelized two-step SMT solving to improve scalability. Instead of directly solving the complex encoding with ODEs, we first obtain a discrete abstraction without ODEs and find satisfying scenarios. We then check the discrete refinements of such scenarios using dReal in parallel.

• STLmc provides a visualization command to draw counterexample signals and robustness degrees. Such graphs intuitively explain why the robustness degree of the formula is greater than a given threshold, and thus greatly help in analyzing counterexamples and debugging hybrid systems.

We demonstrate the effectiveness of the STLmc tool on a number of hybrid system benchmarks— including linear, polynomial, and ODE dynamics— and nontrivial STL properties. The tool is available at https://stlmc.github.io.

2 Background: Robust STL Model Checking

Hybrid Automata. Hybrid systems are often formalized as hybrid automata [25], defined as a tuple \(H = (Q, X, init , inv , jump , flow )\). A set of modes Q specifies discrete states. A set of real-valued variables \(X=\{x_1,....,x_l \}\) gives continuous states. A pair \(\langle q, \vec {v} \rangle \) of mode \(q \in Q\) and vector \(\vec {v} \in \mathbb {R}^l\) constitutes a state of H. An initial condition \( init (q, \vec {v})\) defines a set of initial states. An invariant condition \( inv (q, \vec {v})\) defines a set of valid states. A jump condition \( jump (q, \vec {v}, q', \vec {v'})\) defines a discrete transition from \(\langle q, \vec {v} \rangle \) to \(\langle q', \vec {v'} \rangle \). A flow condition \( flow (q, \vec {v},\vec {v}_t, t)\) defines a continuous evolution of X’s values from \(\vec {v}\) to \(\vec {v}_t\) over time t in mode q.

A signal \(\sigma \) represents a continuous execution of a hybrid automaton H, given by a function \([0,\tau ) \rightarrow Q \times \mathbb {R}^l\) with a time bound \(\tau > 0\). A signal \(\sigma \) is called a trajectory of a hybrid automaton H, written \(\sigma \in H\), if \(\sigma \) describes a valid behavior of H: formally, there exists a sequence of times \(0 = t_0< t_1< ... < \tau \) such that: (i) \(\sigma (t_0)\) is an initial state by \( init \); (ii) for \(i \ge 1\), H’s state evolves from \(\sigma (t_i)\) according to \( flow \), while satisfying \( inv \), for each time interval \([t_{i-1}, t_{i})\); and (iii) for \(i \ge 1\), a discrete transition occurs by \( jump \) at each time point \(t_i\).

Signal Temporal Logic. Signal temporal logic (STL) is widely used to specify properties of hybrid systems [31]. The syntax of STL is defined by:

$$ \varphi \,{:}{:}\!= p \,\mid \, \lnot \varphi \,\mid \, \varphi \wedge \varphi \,\mid \, \varphi \mathop {\mathbf {U}_{I}}\varphi $$

where p denotes state propositions, and \(I \subseteq \mathbb {R}_{\ge 0}\) is any interval of nonnegative real numbers. Examples of state propositions include relational expressions of the form \(f(\vec {x}) \ge 0\) over variables X with a real-valued function \(f: \mathbb {R}^l \rightarrow \mathbb {R}\). Other common Boolean and temporal operators can be derived by equivalences: e.g., \(\varphi \vee \varphi ' \equiv \lnot (\lnot \varphi \wedge \lnot \varphi ')\), \(\mathop {\Diamond _{I}} \varphi \equiv \top \mathop {\mathbf {U}_{I}} \varphi \), \(\mathop {\square _{I}} \varphi \equiv \lnot \mathop {\Diamond _{I}} \lnot \varphi \), etc.

We consider a quantitative semantics of STL based on robustness degrees [15]. The semantics of a state proposition p is defined as a function \(p: Q \times \mathbb {R}^l \rightarrow \overline{\mathbb {R}}\) that assigns to a state the degree to which p is true, where \(\overline{\mathbb {R}} = \mathbb {R} \cup \{ - \infty , \infty \}\). Specifically, the robustness degree of a state proposition \(f(\vec {x}) \ge 0\) is the value of \(f(\vec {x})\). E.g., the robustness degree of \(x \ge 4\) is the value of \(x - 4\) at a given state. The robustness degree of an STL formula can be defined as follows [15], where a time bound \(\tau \) of a signal is explicitly taken into account.¹

Definition 1

Given an STL formula \(\varphi \), a signal \(\sigma : [0, \tau ) \rightarrow \mathbb {R}^l\), and a time \(t \in [0, \tau )\), the robustness degree \(\rho _{\tau }(\varphi , \sigma , t) \in \overline{\mathbb {R}}\) is defined inductively by:²

$$\begin{aligned} \rho _{\tau }(p, \sigma , t)&= p(\sigma (t)) \\ \rho _{\tau }(\lnot \varphi , \sigma , t)&= - \rho _{\tau }(\varphi , \sigma , t) \\ \rho _{\tau }(\varphi _1 \wedge \varphi _2, \sigma , t)&= \min ( \rho _{\tau }(\varphi _1, \sigma , t), \rho _{\tau }(\varphi _2, \sigma , t) ) \\ \rho _{\tau }(\varphi _1 \mathop {\mathbf {U}_{I}} \varphi _2, \sigma , t)&= \textstyle \sup _{t' \in (t+I) \cap [0, \tau )} \min (\rho _{\tau }(\varphi _2, \sigma , t'), \inf _{t'' \in [t,t']} \rho _{\tau }(\varphi _1, \sigma ,t'')) \end{aligned}$$

The robust STL model checking problem is to determine if the robustness degree of an STL formula \(\varphi \) is always greater than a given robustness threshold \(\epsilon > 0\) for all possible trajectories of a hybrid automaton H.

Definition 2 (Robust STL Model Checking)

For a time bound \(\tau > 0\), an STL formula \(\varphi \) is satisfied at time \(t \in [0, \tau )\) on a hybrid automaton H with respect to a robustness threshold \(\epsilon > 0\) iff for every trajectory \(\sigma \in H\), \(\rho _{\tau }(\varphi , \sigma , t) > \epsilon \).

A Running Example. Consider two rooms interconnected by an open door. The temperature \(x_i\) of each room, \(i = 0, 1\), changes depending on the heater’s mode \(q_i \in \{\textsf {On}, \textsf {Off}\}\) and the temperature of the other room. The continuous dynamics of \(x_i\) can be specified as the following ODEs, where \(K_i, h_i, c_i, d_i\) are determined by the size of the room, the heater’s power, and the size of the door [2, 19, 25]:

$$\begin{aligned} \dot{x_i}&= {\left\{ \begin{array}{ll} K_i(h_i-(c_ix_i-d_ix_{1-i}))&{} \textsf {(On)}\\ -K_i(c_ix_i-d_ix_{1-i}) &{} \textsf {(Off)}, \end{array}\right. } \end{aligned}$$

Fig. 1.

A hybrid automaton for the networked thermostats.

Figure 1 shows a hybrid automaton of our networked thermostat controllers. Initially, both heaters are off and the temperatures are between 18 and 22. The jumps between modes then define a control logic to keep the temperatures within a certain range using only one heater. We are interested in robust model checking of nontrivial STL properties, such as:

• \(\phi _1\): \(\mathop {\Diamond _{[0,15]}}(x_0 \ge 14 \,\mathop {\mathbf {U}_{[0,\infty )}} \, x_1 \le 19)\): at some moment in the first 15 s, \(x_1\) is less than or equal to 19; until then, \(x_0\) is greater than or equal to 14.

• \(\phi _2\): \(\mathop {\square _{[2, 4]}} (x_0 - x_1 \ge 4 \rightarrow \mathop {\Diamond _{[3, 10]}} x_0 - x_1 \le -3)\): between 2 and 4 s, whenever \(x_0 - x_1 \ge 4\), \(x_0 - x_1 \le -3\) holds within 10 s after 3 s.

3 The STLmc Model Checker

The STLmc tool can model check STL properties of hybrid automata, given three parameters \(\epsilon > 0\) (robustness threshold), \(\tau > 0\) (time bound), and \(N \in \mathbb {N}\) (discrete bound). STLmc provides an expressive input format to easily specify a wide range of hybrid automata. STLmc also provides a visualization command to give an intuitive description of counterexamples.

Fig. 2.

An input model example

3.1 Input Format

The input format of STLmc, inspired by dReach [28], consists of five sections: variable declarations, mode definitions, initial conditions, state propositions, and STL properties. Mode and continuous variables define discrete and continuous states of hybrid automata. Mode definitions specify flow, jump, and invariant conditions. STL formulas can also include user-defined state propositions.

Figure 2 shows the input model of the hybrid automaton described in the running example above. Constants are introduced with the const keyword. Two mode variables on0 and on1 denote the heaters’ modes. Continuous variables x0 and x1 are declared with domain intervals. There are three “mode blocks” that specify the three modes in Fig. 1 and their invariant, flow, and jump conditions.

In mode blocks, a mode component includes a set of logic formulas over mode variables. An inv component contains a set of logic formulas over continuous variables. A flow component can include ODEs over continuous variables. A jump component contains a set of jump conditions of the form \( guard \) \(\mathtt {=>}\) \( reset \), where \( guard \) and \( reset \) are logic formulas over mode and continuous variables, and “primed” variables denote states after the jump has occurred.

STL properties are declared in the goal section, and “named” propositions are declared in the proposition section. State propositions are arithmetic and relational expressions over mode and continuous variables. For example, in Fig. 2, the STL formula f1 contains two state propositions \(x_0 \ge 14\) and \(x_1 \le 19\), and the formula f2 contains the user-defined propositions p1 and p2.

3.2 Command Line Options

STLmc provides a command-line interface with various options in Table 1. The options -two-step and -parallel enable the two-step solving optimization in Sect. 4.3. STLmc supports three SMT solvers to choose from based on continuous dynamics: Z3 [12] and Yices2 [17] can deal with linear and polynomial dynamics (solutions of ODEs are linear functions or polynomials), and dReal [22] can approximately deal with ODE dynamics with Lipschitz-continuous ODEs.

A discrete bound N limits the number of mode changes and variable points at which the truth value of some STL subformula changes. This is a distinctive parameter of STL model checking that cannot typically be derived from a time bound \(\tau \) or the maximal number of jumps (say, m). E.g., for any positive natural number \(n \in \mathbb {N}\), consider the function \(y(t)=\sin (\frac{\pi }{\tau }\cdot n \cdot t)\); the state proposition \(y > 0\) has \(n-1\) variable points even if there is no mode change (\(m = 0\)).³

Table 1. Some command line options for STLmc.

Fig. 3.

Visualization of a counterexample (horizontal dotted lines denote \(\epsilon = 2\)).

For the input model in Fig. 2, the following command found a counterexample of the formula f2 at bound 2 with respect to \(\epsilon = 2\) in 15 s using dReal:

Similarly, the following command verified the formula f1 up to bounds \(N = 5\) and \(\tau = 25\) with respect to \(\epsilon = 0.5\) in 819 s using dReal:

STLmc provides a command to visualize counterexamples for robust STL model checking. It can generate images representing counterexample trajectories and robustness degrees. Figure 3 shows the visualization graphs, showing the values of variables or robustness degrees over time, generated for the formula \(\mathtt {f2} = \mathop {\square _{[2, 4]}} (x_0 - x_1 \ge 4 \rightarrow \mathop {\Diamond _{[3, 10]}} (x_0 - x_1 \le -3))\) with the subformulas:

$$\begin{aligned} \mathtt {f2_1}&= x_0 - x_1 \ge 4 \rightarrow \mathop {\Diamond _{[3, 10]}} (x_0 - x_1 \le -3)&\mathtt {f2_2}&= \lnot (x_0 - x_1 \ge 4) \\ \mathtt {f2_3}&= \mathop {\Diamond _{[3, 10]}} (x_0 - x_1 \le -3) \qquad \mathtt {p_1} = x_0 - x_1 \ge 4&\mathtt {p_2}&= x_0 - x_1 \le -3 \end{aligned}$$

The robustness degree of \(\mathtt {f2}\) is less than \(\epsilon \) at time 0, since the robustness degree of \(\mathtt {f2_1}\) goes below \(\epsilon \) in the interval [2, 4], which is because both the degrees of \(\mathtt {f2_2}\) and \(\mathtt {f2_3}\) are less than \(\epsilon \) in [2, 4]. The robustness degree of \(\mathtt {f2_3}\) is less than \(\epsilon \) in [2, 4], since the robustness degree of \(\mathtt {p_2}\) is less than \(\epsilon \) in \([5,14] = [2,4] + [3, 10]\).

Fig. 4.

The STLmc architecture

4 Algorithms and Implementation

Figure 4 shows the architecture of the STLmc tool. The tool first reduces robust STL model checking into Boolean STL model checking using \(\epsilon \)-strengthening. It then applies an existing SMT-based STL model checking algorithm [3, 29]. The satisfiability of the SMT encoding can be checked directly using an SMT solver or using the two-step solving algorithm to improve the performance for ODE dynamics. Our tool is implemented in around 9,500 lines of Python code.

4.1 Reduction to Boolean STL Model Checking

As usual for model checking, robust STL model checking is equivalent to finding a counterexample. Specifically, an STL formula \(\varphi \) is not satisfied on a hybrid automata H with respect to a robustness threshold \(\epsilon >0\) iff there exists a counterexample for which the robustness degree of \(\lnot \varphi \) is greater than or equal to \(- \epsilon \). (Formally, \(\lnot (\forall \sigma \in H.\; \rho _{\tau }(\varphi , \sigma , t) > \epsilon )\) iff \(\exists \sigma \in H.\; \rho _{\tau }(\lnot \varphi , \sigma , t) \ge - \epsilon \).)

Consider a state proposition \(x < 0\). Its robust model checking is equivalent to finding a counterexample \(\sigma \in H\) with \(\rho _{\tau }(x \ge 0, \sigma , t) \ge - \epsilon \), which is equivalent to \(\rho _{\tau }(x \ge - \epsilon , \sigma , t) \ge 0\). Observe that \(x \ge - \epsilon \) is weaker than \(x \ge 0\) by \(\epsilon \). The notion of \(\epsilon \)-weakening is first introduced in [21] for first-order logic, and we extend the definitions of \(\epsilon \)-weakening and \(\epsilon \)-strengthening to STL as follows.

Definition 3

The \(\epsilon \)-weakening \(\varphi ^{- \epsilon }\) and \(\epsilon \)-strengthening \(\varphi ^{+ \epsilon }\) of \(\varphi \) are defined as follows: \((p^{-\epsilon })(s) = p(s) -\epsilon \) and \((p^{+\epsilon })(s) = p(s) +\epsilon \) for a state s, and:

$$\begin{aligned} (\lnot \varphi )^{- \epsilon }&\equiv \lnot (\varphi ^{+ \epsilon })&(\varphi _1 \wedge \varphi _2)^{- \epsilon }&\equiv \varphi _1^{- \epsilon } \wedge \varphi _2^{- \epsilon }&(\varphi _1 \mathop {\mathbf {U}_{I}} \varphi _2)^{- \epsilon }&\equiv \varphi _1^{- \epsilon } \mathop {\mathbf {U}_{I}} \varphi _2^{- \epsilon } \\ (\lnot \varphi )^{+ \epsilon }&\equiv \lnot (\varphi ^{- \epsilon })&(\varphi _1 \wedge \varphi _2)^{+ \epsilon }&\equiv \varphi _1^{+ \epsilon } \wedge \varphi _2^{+ \epsilon }&(\varphi _1 \mathop {\mathbf {U}_{I}} \varphi _2)^{+ \epsilon }&\equiv \varphi _1^{+ \epsilon } \mathop {\mathbf {U}_{I}} \varphi _2^{+ \epsilon } \end{aligned}$$

Finding a counterexample of \(\varphi \) for robust STL model checking can be reduced to finding a counterexample of the \(\epsilon \)-strengthening \(\varphi ^{+ \epsilon }\) for Boolean STL model checking. The satisfaction of \(\varphi \) by the Boolean STL semantics [29, 31] is denoted by \(\sigma , t \models _\tau \varphi \). We have the following theorem (see our report [42] for details).

Theorem 1

(1) \(\exists \sigma \in H.\; \sigma , t \models _\tau \lnot (\varphi ^{+ \epsilon })\) implies \(\exists \sigma \in H.\; \rho _{\tau }(\lnot \varphi , \sigma , t) \ge - \epsilon \), and (2) \(\forall \sigma \in H.\; \sigma , t \not \models _\tau \lnot (\varphi ^{+ \epsilon })\) implies \(\forall \sigma \in H.\; \rho _{\tau }(\varphi , \sigma , t) \ge \epsilon \).

As a consequence, a counterexample of \(\varphi ^{+ \epsilon }\) for Boolean STL model checking is also a counterexample of \(\varphi \) for robust STL model checking. If there is no counterexample of \(\varphi ^{+ \epsilon }\) for Boolean STL model checking, then \(\varphi \) is satisfied on H with respect to any robustness threshold \(0< \epsilon ' < \epsilon \). It is worth noting that \(\varphi \) may not be satisfied on H with respect to \(\epsilon \) itself.

4.2 Boolean STL Model Checking Algorithm

For Boolean STL model checking, there exist refutationally complete bounded model checking algorithms [3, 29] with two bound parameters: \(\tau \) for the time domain, and N for the number of mode changes and variable points. A time point t is a variable point if a truth value of \(\varphi \)’s subformula changes at t. The algorithms build an SMT encoding \(\varPsi _{H, \lnot \varphi }^{N,\tau }\) of Boolean STL model checking:

Theorem 2

[3, 29] \(\varPsi _{H, \lnot \varphi }^{N,\tau }\) is satisfiable iff there is a counterexample trajectory \(\sigma \in H\), with at most N variable points and mode changes, such that \(\sigma , t \not \models _\tau \varphi \).

For hybrid automata with polynomial continuous dynamics, the satisfiability of the encoding \(\varPsi \) can be precisely determined using standard SMT solvers, including Z3 [12] and Yices2 [17]. For ODE dynamics, the satisfiability of \(\varPsi \) is undecidable in general, but there exist specialized solvers, such as dReal [22] and iSAT-ODE [18], that can approximately determine the satisfiability.

To support various SMT solvers, the implementation of STLmc utilizes a generic wrapper interface based on the SMT-LIB standard [5]. Therefore, if it follows SMT-LIB, a new SMT solver can be easily integrated with our tool. Moreover, STLmc can also detect the most suitable solver for a given input model; e.g., if the model has ODE dynamics, then the tool chooses dReal.

The encoding \(\varPsi \) includes universal quantification over time, e.g., because of invariant conditions. Several SMT solvers (including Z3 and Yice2) support these \(\exists \forall \)-conditions but at high computational costs [27]. For polynomial dynamics, we implement the encoding method [10] to simplify \(\exists \forall \)-conditions to quantifier-free formulas. For ODE dynamics, dReal natively supports \(\exists \forall \)-conditions [23].

4.3 Two-Step Solving Algorithm

To reduce the complexity of ODE dynamics, we propose a two-step solving algorithm in Algorithm 1, inspired by the lazy SMT solving approach [38]:

1. 1.

   We obtain the discrete abstraction of the encoding \(\varPsi \) by substituting the flow and invariant conditions with Boolean variables. We then enumerate a satisfying scenario \(\pi \), a conjunction of literals, where \(\pi \) implies \(\varPsi \).

2. 2.

   For each scenario \(\pi \), we check the satisfiability of its discrete refinement with the flow and invariant conditions using dReal. If any refinement is satisfiable, we obtain a counterexample; otherwise, there is no counterexample.

We also implement a simple method to avoid redundant scenarios by minimizing a scenario. A scenario \(\pi = l_1 \wedge \cdots \wedge l_m\) is minimal if \((\lnot l_i \wedge \bigwedge _{j \ne i} l_j) \rightarrow \varPsi \)— one literal in \(\pi \) is false— is not valid. To minimize a scenario \(\pi \), we use a dual propagation approach [33]. Since \(\pi \) implies \(\varPsi \), \(\pi \wedge \lnot \varPsi \) is unsatisfiable. We compute the unsatisfiable core of \(\pi \wedge \lnot \varPsi \) using Z3 to extract a minimal scenario from \(\pi \).

We parallelize the two-step solving algorithm by running the satisfiability checking of refinements in parallel. If any of such refinements is satisfied and a counterexample is found, then all other jobs are terminated. If all refinements, checking in parallel, are unsatisfiable, then there is no counterexample. As shown in Sect. 5, it greatly improves the performance for the ODE cases in practice.

5 Experimental Evaluation

We evaluate the effectiveness of the STLmc model checker using a number of hybrid system benchmarks and nontrivial STL properties.⁴ We use the following models, adapted from existing benchmarks [2, 6, 19, 20, 25, 34]: load management for two batteries (Bat), two networked water tank systems (Wat), autonomous driving of two cars (Car), a railroad gate (Rail), two networked thermostats (Thm), a spacecraft rendezvous (Space), navigation of a vehicle (Nav), and a filtered oscillator (Oscil). We use a modified model with either linear, polynomial, or ODE dynamics to analyze the effect of different continuous dynamics. For each model, we use three STL formulas with nested temporal operators. More details on the benchmark models can be found in the longer report [42].

Table 2. Robust Bounded Model Checking of STL (Time in seconds)

We measure the SMT encoding size and execution time for robust STL model checking, up to discrete bound \(N = 20\) for linear models, \(N = 10\) for polynomial models, and \(N = 5\) for ODEs models, with a timeout of 60 min. We use different time bounds \(\tau \) and robustness thresholds \(\epsilon \) for different models, since \(\tau \) and \(\epsilon \) depend on each model. As an underlying SMT solver, we use Yices for linear and polynomial models, and dReal for ODE models with a precision \(\delta = 0.001\). We run both direct SMT solving (1-step) and two-step SMT solving (2-step). We use 25 cores for parallelizing the two-phase solving algorithm. We have run all experiments on Intel Xeon 2.8 GHz with 256 GB memory.

The experimental results are summarized in Table 2, where \(|\varPsi |\) denotes the size of the SMT encoding \(\varPsi \) (in thousands) as the number of connectives in \(\varPsi \). For the model checking results, \(\top \) indicates that the tool found no counterexample up to bound N, and \(\bot \) indicates that the tool found a counterexample at bound \(k \le N\). For the algorithms (Alg.), we write one of the results with a better performance. For the 2-step case, we also write the number of minimal scenarios generated (\(\#\pi \)). Actually, two-step SMT solving timed out for all linear and polynomial models, and direct SMT solving timed out for all ODE models.

As shown in Table 2, our tool can perform robust model checking of nontrivial STL formulas for hybrid systems with different continuous dynamics. The cases of ODE models generally take longer than the cases of linear and polynomial models, because of the high computational costs for ODE solving. Nevertheless, our parallelized two-step SMT solving method works well and all model checking analyses are finished before the timeout. In contrast, for linear and polynomial models with a larger discrete bound \(N \ge 10\), direct SMT solving is usually effective but the two-step SMT solving method is not. There are too many scenarios, and the scenario generation does not terminate within 60 min. Therefore, the two algorithms implemented in our tool are complementary.

6 Related Work

There exist many tools for falsifying STL properties of hybrid systems, including Breach [14], S-talrio [1], and TLTk [11]. STL falsification techniques are based on STL monitoring [13, 32], and often use stochastic optimization techniques, such as Ant-Colony Optimization [1], Monte-Carlo tree search [43], deep reinforcement learning [41], and so on. These techniques are often quite useful for finding counterexamples in practice, but, as mentioned, cannot be used to verify STL properties of hybrid systems.

There exist many tools for analyzing reachability properties of hybrid systems based on reachable-set computation, including C2E2 [16], Flow* [8], Hylaa [4], and SpaceEx [20]. They can be used to guarantee the correctness of invariant properties of the form \(p \rightarrow \mathop {\square _{I}} q\), but cannot verify general STL properties. In contrast, STLmc uses a refutation-complete bounded STL model checking algorithm to verify general STL properties, including complex ones.

Our tool is also related to SMT-based tools for analyzing hybrid systems, including dReach [28], HyComp [9], and HybridSAL [39]. These techniques also focus on analyzing invariant properties of hybrid systems, but some SMT-based tools, such as HyComp, can verify LTL properties of hybrid systems. Unlike STLmc, they cannot deal with general STL properties of hybrid systems.

7 Concluding Remarks

We have presented the STLmc tool for robust bounded model checking of STL properties for hybrid systems. STLmc can verify that, up to given bounds, the robustness degree of an STL formula \(\varphi \) is always greater than a given robustness threshold for all possible behaviors of a hybrid system. STLmc also provides a convenient user interface with an intuitive counterexample visualization.

Our tool leverages the reduction from robust model checking to Boolean model checking, and utilizes the refutation-complete SMT-based Boolean STL model checking algorithm to guarantee correctness up to given bounds and find subtle counterexamples. STLmc can deal with hybrid systems with (nonlinear) ODEs using dReal. We have shown using various hybrid system benchmarks that STLmc can effectively analyze nontrivial STL properties.

Future work includes extending our tool with other hybrid system analysis methods, such as reachable-set computation, besides SMT-based approaches.