Delta-Decision Procedures for Exists-Forall Problems over the Reals

Abstract

We propose \(\delta \)-complete decision procedures for solving satisfiability of nonlinear SMT problems over real numbers that contain universal quantification and a wide range of nonlinear functions. The methods combine interval constraint propagation, counterexample-guided synthesis, and numerical optimization. In particular, we show how to handle the interleaving of numerical and symbolic computation to ensure delta-completeness in quantified reasoning. We demonstrate that the proposed algorithms can handle various challenging global optimization and control synthesis problems that are beyond the reach of existing solvers.

1 Introduction

Much progress has been made in the framework of delta-decision procedures for solving nonlinear Satisfiability Modulo Theories (SMT) problems over real numbers [1, 2]. Delta-decision procedures allow one-sided bounded numerical errors, which is a practically useful relaxation that significantly reduces the computational complexity of the problems. With such relaxation, SMT problems with hundreds of variables and highly nonlinear constraints (such as differential equations) have been solved in practical applications [3]. Existing work in this direction has focused on satisfiability of quantifier-free SMT problems. Going one level up, SMT problems with both free and universally quantified variables, which correspond to \(\exists \forall \)-formulas over the reals, are much more expressive. For instance, such formulas can encode the search for robust control laws in highly nonlinear dynamical systems, a central problem in robotics. Non-convex, multi-objective, and disjunctive optimization problems can all be encoded as \(\exists \forall \)-formulas, through the natural definition of “finding some x such that for all other \(x'\), x is better than \(x'\) with respect to certain constraints.” Many other examples from various areas are listed in [4].

Counterexample-Guided Inductive Synthesis (CEGIS) [5] is a framework for program synthesis that can be applied to solve generic exists-forall problems. The idea is to break the process of solving \(\exists \forall \)-formulas into a loop between synthesis and verification. The synthesis procedure finds solutions to the existentially quantified variables and gives the solutions to the verifier to see if they can be validated, or falsified by counterexamples. The counterexamples are then used as learned constraints for the synthesis procedure to find new solutions. This method has been shown effective for many challenging problems, frequently generating more optimized programs than the best manual implementations [5].

A direct application of CEGIS to decision problems over real numbers, however, suffers from several problems. CEGIS is complete in finite domains because it can explicitly enumerate solutions, which can not be done in continuous domains. Also, CEGIS ensures progress by avoiding duplication of solutions, while due to numerical sensitivity, precise control over real numbers is difficult. In this paper we propose methods that bypass such difficulties.

We propose an integration of the CEGIS method in the branch-and-prune framework as a generic algorithm for solving nonlinear \(\exists \forall \)-formulas over real numbers and prove that the algorithm is \(\delta \)-complete. We achieve this goal by using CEGIS-based methods for turning universally-quantified constraints into pruning operators, which is then used in the branch-and-prune framework for the search for solutions on the existentially-quantified variables. In doing so, we take special care to ensure correct handling of numerical errors in the computation, so that \(\delta \)-completeness can be established for the whole procedure.

The paper is organized as follows. We first review the background, and then present the details of the main algorithm in Sect. 3. We then give a rigorous proof of the \(\delta \)-completeness of the procedure in Sect. 4. We demonstrated the effectiveness of the procedures on various global optimization and Lyapunov function synthesis problems in Sect. 5.

Related Work. Quantified formulas in real arithmetic can be solved using symbolic quantifier elimination (using cylindrical decomposition [6]), which is known to have impractically high complexity (double exponential [7]), and can not handle problems with transcendental functions. State-of-the-art SMT solvers such as CVC4 [8] and Z3 [9] provide quantifier support [10,11,12,13] but they are limited to decidable fragments of first-order logic. Optimization Modulo Theories (OMT) is a new field that focuses on solving a restricted form of quantified reasoning [14,15,16], focusing on linear formulas. Generic approaches to solving exists-forall problems such as [17] are generally based on CEGIS framework, and not intended to achieve completeness. Solving quantified constraints has been explored in the constraint solving community [18]. In general, existing work has not proposed algorithms that intend to achieve any notion of completeness for quantified problems in nonlinear theories over the reals.

2 Preliminaries

2.1 Delta-Decisions and \(\text {CNF}^{\forall }\)-Formulas

We consider first-order formulas over real numbers that can contain arbitrary nonlinear functions that can be numerically approximated, such as polynomials, exponential, and trignometric functions. Theoretically, such functions are called Type-2 computable functions [19]. We write this language as \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\), formally defined as:

Definition 1

(The \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) Language). Let \(\mathcal {F}\) be the set of Type-2 computable functions. We define \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) to be the following first-order language:

$$\begin{aligned} t&:= x \; | \; f({{\varvec{t}}}), \text{ where } f\in \mathcal {F}\text{, } \text{ possibly } \text{0-ary } \text{(constant) };\\ \varphi&:= t({{\varvec{x}}})> 0 \; | \; t({{\varvec{x}}})\ge 0 \; | \; \varphi \wedge \varphi \; | \; \varphi \vee \varphi \; | \; \exists x_i\varphi \; |\; \forall x_i\varphi . \end{aligned}$$

Remark 1

Negations are not needed as part of the base syntax, as it can be defined through arithmetic: \(\lnot (t>0)\) is simply \(-t\ge 0\). Similarly, an equality \(t=0\) is just \(t\ge 0\wedge -t\ge 0\). In this way we can put the formulas in normal forms that are easy to manipulate.

We will focus on the \(\exists \forall \)-formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\) in this paper. Decision problems for such formulas are equivalent to satisfiability of SMT with universally quantified variables, whose free variables are implicitly existentially quantified.

It is clear that, when the quantifier-free part of an \(\exists \forall \) formula is in Conjunctive Normal Form (CNF), we can always push the universal quantifiers inside each conjunct, since universal quantification commute with conjunctions. Thus the decision problem for any \(\exists \forall \)-formula is equivalent to the satisfiability of formulas in the following normal form:

Definition 2

(CNF\(^{\forall }\) Formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)). We say an \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\)-formula \(\varphi \) is in the CNF\(^{\forall }\), if it is of the form

$$\begin{aligned} \varphi ({\varvec{x}}) := \bigwedge _{i=0}^m \Big ( \forall {{\varvec{y}}} (\bigvee _{j=0}^{k_i}c_{ij}({{\varvec{x}}}, {{\varvec{y}}})) \Big ) \end{aligned}$$

(1)

where \(c_{ij}\) are atomic constraints. Each universally quantified conjunct of the formula, i.e.,

$$\begin{aligned} \forall {{\varvec{y}}} (\bigvee _{j=0}^{k_i}c_{ij}({{\varvec{x}}}, {{\varvec{y}}})) \end{aligned}$$

is called as a \(\forall \)-clause. Note that \(\forall \)-clauses only contain disjunctions and no nested conjunctions. If all the \(\forall \)-clauses are vacuous, we say \(\varphi ({\varvec{x}})\) is a ground SMT formula.

The algorithms described in this paper will assume that an input formula is in CNF\(^{\forall }\) form. We can now define the \(\delta \)-satisfiability problems for \(\text {CNF}^{\forall }\)-formulas.

Definition 3

(Delta-Weakening/Strengthening). Let \(\delta \in \mathbb {Q}^+\) be arbitrary. Consider an arbitrary \(\text {CNF}^{\forall }\)-formula of the form

$$ \varphi ({\varvec{x}}) := \bigwedge _{i=0}^m \Big ( \forall {\varvec{y}} (\bigvee _{j=0}^{k_i} f_{ij}({{\varvec{x}}}, {{\varvec{y}}})\circ 0) \Big ) $$

where \(\circ \in \{>,\ge \}\). We define the \(\delta \)-weakening of \(\varphi ({\varvec{x}})\) to be:

$$ \varphi ^{-\delta }({\varvec{x}}) := \bigwedge _{i=0}^m \Big ( \forall {{\varvec{y}}} (\bigvee _{j=0}^{k_i} f_{ij}({{\varvec{x}}}, {{\varvec{y}}})\ge -\delta ) \Big ). $$

Namely, we weaken the right-hand sides of all atomic formulas from 0 to \(-\delta \). Note how the difference between strict and nonstrict inequality becomes unimportant in the \(\delta \)-weakening. We also define its dual, the \(\delta \)-strengthening of \(\varphi ({\varvec{x}})\):

$$ \varphi ^{+\delta }({\varvec{x}}) := \bigwedge _{i=0}^m \Big ( \forall {{\varvec{y}}} (\bigvee _{j=0}^{k_i} f_{ij}({{\varvec{x}}}, {{\varvec{y}}})\ge +\delta ) \Big ). $$

Since the formulas in the normal form no longer contain negations, the relaxation on the atomic formulas is implied by the original formula (and thus weaker), as was easily shown in [1].

Proposition 1

For any \(\varphi \) and \(\delta \in \mathbb {Q}^+\), \(\varphi ^{-\delta }\) is logically weaker, in the sense that \(\varphi \rightarrow \varphi ^{-\delta }\) is always true, but not vice versa.

Example 1

Consider the formula

$$\begin{aligned} \forall y\; f(x,y)=0. \end{aligned}$$

It is equivalent to the \(\text {CNF}^{\forall }\)-formula

$$\begin{aligned} (\forall y (-f(x,y)\ge 0)\wedge \forall y (f(x,y)\ge 0)) \end{aligned}$$

whose \(\delta \)-weakening is of the form

$$\begin{aligned} (\forall y (-f(x,y)\ge -\delta )\wedge \forall y (f(x,y)\ge -\delta )) \end{aligned}$$

which is logically equivalent to

$$\begin{aligned} \forall y (||f(x,y) || \le \delta ). \end{aligned}$$

We see that the weakening of \(f(x,y)=0\) by \(||f(x,y) || \le \delta \) defines a natural relaxation.

Definition 4

(Delta-Completeness). Let \(\delta \in \mathbb {Q}^+\) be arbitrary. We say an algorithm is \(\delta \)-complete for \(\exists \forall \)-formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\), if for any input \(\text {CNF}^{\forall }\)-formula \(\varphi \), it always terminates and returns one of the following answers correctly:

• unsat: \(\varphi \) is unsatisfiable.

• \(\delta \)-sat: \(\varphi ^{-\delta }\) is satisfiable.

When the two cases overlap, it can return either answer.

2.2 The Branch-and-Prune Framework

A practical algorithm that has been shown to be \(\delta \)-complete for ground SMT formulas is the branch-and-prune method developed for interval constraint propagation [20]. A description of the algorithm in the simple case of an equality constraint is in Algorithm 1.

The procedure combines pruning and branching operations. Let \(\mathcal {B}\) be the set of all boxes (each variable assigned to an interval), and \(\mathcal {C}\) a set of constraints in the language. FixedPoint(g, B) is a procedure computing a fixedpoint of a function \(g : \mathcal {B} \rightarrow \mathcal {B}\) with an initial input B. A pruning operation \(\mathsf {Prune}: \mathcal {B} \times \mathcal {C} \rightarrow \mathcal {B}\) takes a box \(B\in \mathcal {B}\) and a constraint as input, and returns an ideally smaller box \(B'\in \mathcal {B}\) (Line 5) that is guaranteed to still keep all solutions for all constraints if there is any. When such pruning operations do not make progress, the Branch procedure picks a variable, divides its interval by halves, and creates two sub-problems \(B_1\) and \(B_2\) (Line 8). The procedure terminates if either all boxes have been pruned to be empty (Line 15), or if a small box whose maximum width is smaller than a given threshold \(\delta \) has been found (Line 11). In [2], it has been proved that Algorithm 1 is \(\delta \)-complete iff the pruning operators satisfy certain conditions for being well-defined (Definition 5).

3 Algorithm

The core idea of our algorithm for solving \(\text {CNF}^{\forall }\)-formulas is as follows. We view the universally quantified constraints as a special type of pruning operators, which can be used to reduce possible values for the free variables based on their consistency with the universally-quantified variables. We then use these special \(\forall \)-pruning operators in an overall branch-and-prune framework to solve the full formula in a \(\delta \)-complete way. A special technical difficulty for ensuring \(\delta \)-completeness is to control numerical errors in the recursive search for counterexamples, which we solve using double-sided error control. We also improve quality of counterexamples using local-optimization algorithms in the \(\forall \)-pruning operations, which we call locally-optimized counterexamples.

In the following sections we describe these steps in detail. For notational simplicity we will omit vector symbols and assume all variable names can directly refer to vectors of variables.

3.1 \(\forall \)-Clauses as Pruning Operators

Consider an arbitrary \(\text {CNF}^{\forall }\)-formula¹

$$ \varphi (x) := \bigwedge _{i=0}^m \Big ( \forall y (\bigvee _{j=0}^{k_i} f_{ij}(x, y)\ge 0) \Big ). $$

It is a conjunction of \(\forall \)-clauses as defined in Definition 2. Consequently, we only need to define pruning operators for \(\forall \)-clauses so that they can be used in a standard branch-and-prune framework. The full algorithm for such pruning operation is described in Algorithm 2.

In Algorithm 2, the basic idea is to use special y values that witness the negation of the original constraint to prune the box assignment on x. The two core steps are as follows.

1. 1.

   Counterexample generation (Line 4 to 9). The query for a counterexample \(\psi \) is defined as the negation of the quantifier-free part of the constraint (Line 4). The method \(\mathsf {Solve}(y, \psi , \delta )\) means to obtain a solution for the variables \(y\) \(\delta \)-satisfying the logic formula \(\psi \). When such a solution is found, we have a counterexample that can falsify the \(\forall \)-clause on some choice of x. Then we use this counterexample to prune on the domain of x, which is currently \(B_x\). The strengthening operation on \(\psi \) (Line 5), as well as the choices of \(\varepsilon \) and \(\delta '\), will be explained in the next subsection.

2. 2.

   Pruning on x (Line 10 to 13). In the counterexample generation step, we have obtained a counterexample b. The pruning operation then uses this value to prune on the current box domain \(B_x\). Here we need to be careful about the logical operations. For each constraint, we need to take the intersection of the pruned results on the counterexample point (Line 11). Then since the original clause contains the disjunction of all constraints, we need to take the box-hull (\(\bigsqcup \)) of the pruned results (Line 13).

We can now put the pruning operators defined for all \(\forall \)-clauses in the overall branch-and-prune framework shown in Algorithm 1.

The pruning algorithms are inspired by the CEGIS loop, but are different in multiple ways. First, we never explicitly compute any candidate solution for the free variables. Instead, we only prune on their domain boxes. This ensures that the size of domain box decreases (together with branching operations), and the algorithm terminates. Secondly, we do not explicitly maintain a collection of constraints. Each time the pruning operation works on previous box – i.e., the learning is done on the model level instead of constraint level. On the other hand, being unable to maintain arbitrary Boolean combinations of constraints requires us to be more sensitive to the type of Boolean operations needed in the pruning results, which is different from the CEGIS approach that treats solvers as black boxes.

3.2 Double-Sided Error Control

To ensure the correctness of Algorithm 2, it is necessary to avoid spurious counterexamples which do not satisfy the negation of the quantified part in a \(\forall \)-clause. We illustrate this condition by consider a wrong derivation of Algorithm 2 where we do not have the strengthening operation on Line 5 and try to find a counterexample by directly executing \(b \leftarrow \mathrm {Solve}(y, \psi = \bigwedge _{i=0}^k f_i(x,y)< 0, \delta )\). Note that the counterexample query \(\psi \) can be highly nonlinear in general and not included in a decidable fragment. As a result, it must employ a delta-decision procedure (i.e. Solve with \(\delta ' \in \mathbb {Q}^{+}\)) to find a counterexample. A consequence of relying on a delta-decision procedure in the counterexample generation step is that we may obtain a spurious counterexample b such that for some \(x = a\):

$$ \bigwedge _{i=0}^k f_i(a,b) \le \delta \quad \text {instead of} \quad \bigwedge _{i=0}^k f_i(a,b) < 0. $$

Consequently the following pruning operations fail to reduce their input boxes because a spurious counterexample does not witness any inconsistencies between x and y. As a result, the fixedpoint loop in this \(\forall \)-Clause pruning algorithm will be terminated immediately after the first iteration. This makes the outer-most branch-and-prune framework (Algorithm 1), which employs this pruning algorithm, solely rely on branching operations. It can claim that the problem is \(\delta \)-satisfiable while providing an arbitrary box B as a model which is small enough (\(||B || \le \delta \)) but does not include a \(\delta \)-solution.

To avoid spurious counterexamples, we directly strengthen the counterexample query with \(\varepsilon \in \mathbb {Q}^+\) to have

$$\begin{aligned} \psi ^{+\varepsilon } := \bigwedge _{i=0}^k f_i(a,b) \le -\varepsilon . \end{aligned}$$

Then we choose a weakening parameter \(\delta ' \in \mathbb {Q}\) in solving the strengthened formula. By analyzing the two possible outcomes of this counterexample search, we show the constraints on \(\delta '\), \(\varepsilon \), and \(\delta \) which guarantee the correctness of Algorithm 2:

• \(\delta '\)-sat case: We have a and b such that \(\bigwedge _{i=0}^k f_i(a,b) \le -\varepsilon + \delta '\). For \(y = b\) to be a valid counterexample, we need \(-\varepsilon + \delta ' < 0\). That is, we have

  $$\begin{aligned} \delta ' < \varepsilon . \end{aligned}$$

  (2)

  In other words, the strengthening factor \(\varepsilon \) should be greater than the weakening parameter \(\delta '\) in the counterexample search step.

• unsat case: By checking the absence of counterexamples, it proved that \(\forall y \bigvee _{i=0}^k f_i(x, y) \ge -\varepsilon \) for all \(x \in B_{x}\). Recall that we want to show that \(\forall y \bigvee _{i=0}^k f_i(x, y) \ge -\delta \) holds for some \(x = a\) when Algorithm 1 uses this pruning algorithm and returns \(\delta \)-sat. To ensure this property, we need the following constraint on \(\varepsilon \) and \(\delta \):

  $$\begin{aligned} \varepsilon < \delta . \end{aligned}$$

  (3)

3.3 Locally-Optimized Counterexamples

The performance of the pruning algorithm for \(\text {CNF}^{\forall }\)-formulas depends on the quality of the counterexamples found during the search.

Fig. 1.

Illustrations of the pruning algorithm for \(\text {CNF}^{\forall }\)-formula with and without using local optimization.

Figure 1a illustrates this point by visualizing a pruning process for an unconstrained minimization problem, \(\exists x \in X_0 \forall y \in X_0 f(x) \le f(y)\). As it finds a series of counterexamples \(\mathrm {CE}_1\), \(\mathrm {CE}_2\), \(\mathrm {CE}_3\), and \(\mathrm {CE}_4\), the pruning algorithms uses those counterexamples to contract the interval assignment on X from \(X_0\) to \(X_1\), \(X_2\), \(X_3\), and \(X_4\) in sequence. In the search for a counterexample (Line 6 of Algorithm 2), it solves the strengthened query, \(f(x) > f(y) + \delta \). Note that the query only requires a counterexample \(y = b\) to be \(\delta \)-away from a candidate x while it is clear that the further a counterexample is away from candidates, the more effective the pruning algorithm is.

Based on this observation, we present a way to improve the performance of the pruning algorithm for \(\text {CNF}^{\forall }\)-formulas. After we obtain a counterexample b, we locally-optimize it with the counterexample query \(\psi \) so that it “further violates” the constraints. Figure 1b illustrates this idea. The algorithm first finds a counterexample \(\mathrm {CE}_1\) then refines it to \(\mathrm {CE}'_1\) by using a local-optimization algorithm (similarly, \(\mathrm {CE}_2 \rightarrow \mathrm {CE}'_2\)). Clearly, this refined counterexample gives a stronger pruning power than the original one. This refinement process can also help the performance of the algorithm by reducing the number of total iterations in the fixedpoint loop.

The suggested method is based on the assumption that local-optimization techniques are cheaper than finding a global counterexample using interval propagation techniques. In our experiments, we observed that this assumption holds practically. We will report the details in Sect. 5.

4 \(\delta \)-Completeness

We now prove that the proposed algorithm is \(\delta \)-complete for arbitrary \(\text {CNF}^{\forall }\) formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\). In the work of [2], \(\delta \)-completeness has been proved for branch-and-prune for ground SMT problems, under the assumption that the pruning operators are well-defined. Thus, the key for our proof here is to show that the \(\forall \)-pruning operators satisfy the conditions of well-definedness.

The notion of a well-defined pruning operator is defined in [2] as follows.

Definition 5

Let \(\phi \) be a constraint, and \(\mathcal {B}\) be the set of all boxes in \(\mathbb {R}^n\). A pruning operator is a function \(\mathsf {Prune}: \mathcal {B} \times \mathcal {C} \rightarrow \mathcal {B}\). We say such a pruning operator is well-defined, if for any \(B\in \mathcal {B}\), the following conditions are true:

1. 1.

   \(\mathsf {Prune}(B,\phi )\subseteq B\).

2. 2.

   \(B\cap \{a\in \mathbb {R}^n: \phi (a) \text{ is } \text{ true. }\} \subseteq \mathsf {Prune}(B,\phi )\).

3. 3.

   Write \(\mathsf {Prune}(B,\phi ) = B'\). There exists a constant \(c \in \mathbb {Q}^+\), such that, if \(B' \ne \emptyset \) and \(||B' || < \varepsilon \) for some \(\varepsilon \in \mathbb {Q}^+\), then for all \(a\in B'\), \(\phi ^{-c\varepsilon }(a)\) is true.

We will explain the intuition behind these requirements in the next proof, which aims to establish that Algorithm 2 defines a well-defined pruning operator.

Lemma 1

(Well-Definedness of \(\forall \)-Pruning). Consider an arbitrary \(\forall \)-clause in the generic form

$$\begin{aligned} c(x):= \forall y\Big (f_1(x,y)\ge 0\vee ...\vee f_k(x,y)\ge 0\Big ). \end{aligned}$$

Suppose the pruning operators for \(f_1\ge 0,...,f_k\ge 0\) are well-defined, then the \(\forall \)-pruning operation for c(x) as described in Algorithm 2 is well-defined.

Proof

We prove that the pruning operator defined by Algorithm 2 satisfies the three conditions in Definition 5. Let \(B_0,...,B_k\) be a sequence of boxes, where \(B_0\) is the input box \(B_x\) and \(B_k\) is the returned box B, which is possibly empty.

The first condition requires that the pruning operation for c(x) is reductive. That is, we want to show that \(B_x \subseteq B_x^{\mathrm {prev}}\) holds in Algorithm 2. If it does not find a counterexample (Line 8), we have \(B_{x} = B_x^{\mathrm {prev}}\). So the condition holds trivially. Consider the case where it finds a counterexample b. The pruned box \(B_{x}\) is obtained through box-hull of all the \(B_i\) boxes (Line 13), which are results of pruning on \(B_x^{\mathrm {prev}}\) using ordinary constraints of the form \(f_i(x,b)\ge 0\) (Line 11), for a counterexample b. Following the assumption that the pruning operators are well-defined for each ordinary constraint \(f_i\) used in the algorithm, we know that \(B_i \subseteq B_x^{\mathrm {prev}}\) holds as a loop invariant for the loop from Line 10 to Line 12. Thus, taking the box-hull of all the \(B_i\), we obtain \(B_{x}\) that is still a subset of \(B_x^{\mathrm {prev}}\).

The second condition requires that the pruning operation does not eliminate real solutions. Again, by the assumption that the pruning operation on Line 11 does not lose any valid assignment on x that makes the \(\forall \)-clause true. In fact, since y is universally quantified, any choice of assignment \(y=b\) will preserve solution on x as long as the ordinary pruning operator is well-defined. Thus, this condition is easily satisfied.

The third condition is the most nontrivial to establish. It ensures that when the pruning operator does not prune a box to the empty set, then the box should not be “way off”, and in fact, should contain points that satisfy an appropriate relaxation of the constraint. We can say this is a notion of “faithfulness” of the pruning operator. For constraints defined by simple continuous functions, this can be typically guaranteed by the modulus of continuity of the function (Lipschitz constants as a special case). Now, in the case of \(\forall \)-clause pruning, we need to prove that the faithfulness of the ordinary pruning operators that are used translates to the faithfulness of the \(\forall \)-clause pruning results. First of all, this condition would not hold, if we do not have the strengthening operation when searching for counterexamples (Line 5). As is shown in Example 1, because of the weakening that \(\delta \)-decisions introduce when searching for a counterexample, we may obtain a spurious counterexample that does not have pruning power. In other words, if we keep using a wrong counterexample that already satisfies the condition, then we are not able to rule out wrong assignments on x. Now, since we have introduced \(\varepsilon \)-strengthening at the counterexample search, we know that b obtained on Line 6 is a true counterexample. Thus, for some \(x=a\), \(f_i(a,b)<0\) for every i. By assumption, the ordinary pruning operation using b on Line 11 guarantees faithfulness. That is, suppose the pruned result \(B_i\) is not empty and \(||B_i || \le \varepsilon \), then there exists constant \(c_i\) such that \(f_i(x,b)\ge -c_i \varepsilon \) is true. Thus, we can take the \(c = \min _i c_i\) as the constant for the pruning operator defined by the full clause, and conclude that the disjunction \(\bigvee _{i=0}^k f_i(x,y)<-c\varepsilon \) holds for \(||B_x || \le \varepsilon \).

Using the lemma, we follow the results in [2], and conclude that the branch-and-prune method in Algorithm 1 is delta-complete:

Theorem 1

(\(\delta \)-Completeness). For any \(\delta \in \mathbb {Q}^+\), using the proposed \(\forall \)-pruning operators defined in Algorithm 2 in the branch-and-prune framework described in Algorithm 1 is \(\delta \)-complete for the class of \(\text {CNF}^{\forall }\)-formulas in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\), assuming that the pruning operators for all the base functions are well-defined.

Proof

Following Theorem 4.2 (\(\delta \)-Completeness of \(\mathrm {ICP}_{\varepsilon }\)) in [2], a branch-and-prune algorithm is \(\delta \)-complete iff the pruning operators in the algorithm are all well-defined. Following Lemma 1, Algorithm 2 always defines well-defined pruning operators, assuming the pruning operators for the base functions are well-defined. Consequently, Algorithms 2 and 1 together define a delta-complete decision procedure for \(\text {CNF}^{\forall }\)-problems in \(\mathcal {L}_{\mathbb {R}_{\mathcal {F}}}\).

5 Evaluation

Implementation. We implemented the algorithms on top of dReal [21], an open-source delta-SMT framework. We used IBEX-lib [22] for interval constraints pruning and CLP [23] for linear programming. For local optimization, we used NLopt [24]. In particular, we used SLSQP (Sequential Least-Squares Quadratic Programming) local-optimization algorithm [25] for differentiable constraints and COBYLA (Constrained Optimization BY Linear Approximations) local-optimization algorithm [26] for non-differentiable constraints. The prototype solver is able to handle \(\exists \forall \)-formulas that involve most standard elementary functions, including power, \(\exp \), \(\log \), \(\sqrt{\cdot }\), trigonometric functions (\(\sin \), \(\cos \), \(\tan \)), inverse trigonometric functions (\(\arcsin \), \(\arccos \), \(\arctan \)), hyperbolic functions (\(\sinh \), \(\cosh \), \(\tanh \)), etc.

Experiment environment. All experiments were ran on a 2017 Macbook Pro with 2.9 GHz Intel Core i7 and 16 GB RAM running MacOS 10.13.4. All code and benchmarks are available at https://github.com/dreal/CAV18.

Table 1. Experimental results for nonlinear global optimization problems: The first 19 problems (Ackley 2D – Zettl) are unconstrained optimization problems and the last five problems (Rosenbrock Cubic – Simionescu) are constrained optimization problems. We ran our prototype solver over those instances with and without local-optimization option (“L-Opt.” and “No L-Opt.” columns) and compared the results. We chose \(\delta = 0.0001\) for all instances.

Parameters. In the experiments, we chose the strengthening parameter \(\epsilon = 0.99 \delta \) and the weakening parameter in the counterexample search \(\delta ' = 0.98 \delta \). In each call to NLopt, we used 1e–6 for both of absolute and relative tolerances on function value, 1e–3 s for a timeout, and 100 for the maximum number of evaluations. These values are used as stopping criteria in NLopt.

5.1 Nonlinear Global Optimization

We encoded a range of highly nonlinear \(\exists \forall \)-problems from constrained and unconstrained optimization literature [27, 28]. Note that the standard optimization problem

$$\begin{aligned} \min f(x) \text{ s.t. } \varphi (x),\ \ x\in \mathbb {R}^n, \end{aligned}$$

can be encoded as the logic formula:

$$ \varphi (x) \wedge \forall y \Big (\varphi (y)\rightarrow f(x)\le f(y)\Big ). $$

Fig. 2.

Nonlinear global optimization examples.

As plotted in Fig. 2, these optimization problems are non-trivial: they are highly non-convex problems that are designed to test global optimization or genetic programming algorithms. Many such functions have a large number of local minima. For example, Ripple 1 Function [27].

$$ f(x_1, x_2) = \sum _{i=1}^2 -e^{-2(\log 2)\left( \frac{x_1 - 0.1}{0.8}\right) ^2} (\sin ^6(5 \pi x_i) + 0.1 \cos ^2(500 \pi x_i)) $$

defined in \(x_i \in [0, 1]\) has 252004 local minima with the global minima \(f(0.1, 0.1) = -2.2\). As a result, local-optimization algorithms such as gradient-descent would not work for these problems for itself. By encoding them as \(\exists \forall \)-problems, we can perform guaranteed global optimization on these problems.

Table 1 provides a summary of the experiment results. First, it shows that we can find minimum values which are close to the known global solutions. Second, it shows that enabling the local-optimization technique speeds up the solving process significantly for 20 instances out of 23 instances.

5.2 Synthesizing Lyapunov Function for Dynamical System

We show that the proposed algorithm is able to synthesize Lyapunov functions for nonlinear dynamic systems described by a set of ODEs:

$$ \dot{{\varvec{x}}}(t) = f_i({\varvec{x}}(t)), \quad \forall {{\varvec{x}}}(t) \in X_i. $$

Our approach is different from a recent related-work [29] where they used dReal only to verify a candidate function which was found by a simulation-guided algorithm. In contrast, we want to do both of search and verify steps by solving a single \(\exists \forall \)-formula. Note that to verify a Lyapunov candidate function \(v : X \rightarrow \mathbb {R}^+\), v satisfies the following conditions:

$$\begin{aligned} \forall {{\varvec{x}}} \in X\setminus {\mathbf {0}} \ v({{\varvec{x}}})({\mathbf {0}})&= 0\\ \forall {{\varvec{x}}} \in X \ \nabla v({{\varvec{x}}}(t))^T \cdot f_i({{\varvec{x}}}(t))&\le 0. \end{aligned}$$

We assume that a Lyapunov function is a polynomial of some fixed degrees over \({\varvec{x}}\), that is, \(v({\varvec{x}}) = {\varvec{z}}^T{\varvec{P}}{\varvec{z}}\) where \({\varvec{z}}\) is a vector of monomials over \({\varvec{x}}\) and P is a symmetric matrix. Then, we can encode this synthesis problem into the \(\exists \forall \)-formula:

$$\begin{aligned}&\exists {{\varvec{P}}} \, [(v({{\varvec{x}}}) = ({{\varvec{z}}}^T{{\varvec{P}}}{{\varvec{z}}})) \wedge \\&\qquad \!\! (\forall {{\varvec{x}}} \in X\setminus {\mathbf {0}} \ v({{\varvec{x}}})({\mathbf {0}}) = 0) \wedge \\&\qquad \!\! (\forall {{\varvec{x}}} \in X \ \nabla v({{\varvec{x}}}(t))^T \cdot f_i({{\varvec{x}}}(t)) \le 0)] \end{aligned}$$

In the following sections, we show that we can handle two examples in [29].

Normalized Pendulum. Given a standard pendulum system with normalized parameters

$$ \begin{bmatrix} \dot{x}_1\\ \dot{x}_2 \end{bmatrix} = \begin{bmatrix} x_2\\ -\sin (x_1) - x_2 \end{bmatrix} $$

and a quadratic template for a Lyapunov function \(v({\varvec{x}}) = {\varvec{x}}^T{\varvec{P}}{\varvec{x}} = c_1x_1x_2 + c_2x_1^2 + c_3 x_2^2\), we can encode this synthesis problem into the following \(\exists \forall \)-formula:

$$\begin{aligned}&\exists c_1c_2c_3 \, \forall x_1x_2\ [((50 c_3 x_1 x_2 + 50 x_1^2 c_1 + 50 x_2^2 c_2 > 0.5)\wedge \\&\qquad \qquad \qquad (100 c_1 x_1 x_2 + 50 x_2 c_3 + (- x_2 - \sin (x_1) (50 x_1 c_3 + 100 x_2 c_2)) < -0.5))\vee \\&\qquad \qquad \qquad \lnot ((0.01 \le x_1^2 + x_2^2) \wedge (x_1^2 + x_2^2 \le 1))] \end{aligned}$$

Our prototype solver takes 44.184 s to synthesize the following function as a solution to the problem for the bound \(||{\varvec{x}} || \in [0.1, 1.0]\) and \(c_{i} \in [0.1, 100]\) using \(\delta = 0.05\):

$$ v = 40.6843 x_1 x_2 + 35.6870 x_1^2 + 84.3906 x_2^2. $$

Damped Mathieu System. Mathieu dynamics are time-varying and defined by the following ODEs:

$$ \begin{bmatrix} \dot{x}_1\\ \dot{x}_2 \end{bmatrix} = \begin{bmatrix} x_2\\ -x_2 - (2 + \sin (t))x_1 \end{bmatrix}. $$

Using a quadratic template for a Lyapunov function \(v({\varvec{x}}) = {\varvec{x}}^T{\varvec{P}}{\varvec{x}} = c_1x_1x_2 + c_2x_1^2 + c_3 x_2^2\), we can encode this synthesis problem into the following \(\exists \forall \)-formula:

$$\begin{aligned}&\exists c_1c_2c_3 \, \forall x_1x_2t\ [(50 x_1 x_2 c_2 + 50 x_1^2 c_1 + 50 x_2^2 c_3 > 0)\wedge \\&\qquad \qquad \qquad (100 c_1 x_1 x_2 + 50 x_2 c_2 + (- x_2 - x_1(2 + \sin (t)))(50x_1 c_2 + 100 x_2 c_3) < 0) \\&\qquad \qquad \qquad \vee \, \lnot ((0.01 \le x_1^2 + x_2^2) \wedge (0.1 \le t) \wedge (t \le 1) \wedge (x_1^2 + x_2^2 \le 1))] \end{aligned}$$

Our prototype solver takes 26.533 s to synthesize the following function as a solution to the problem for the bound \(||{\varvec{x}} || \in [0.1, 1.0]\), \(t \in [0.1, 1.0]\), and \(c_i \in [45, 98]\) using \(\delta = 0.05\):

$$ V = 54.6950 x_1 x_2 + 90.2849 x_1^2 + 50.5376 x_2^2. $$

6 Conclusion

We have described delta-decision procedures for solving exists-forall formulas in the first-order theory over the reals with computable real functions. These formulas can encode a wide range of hard practical problems such as general constrained optimization and nonlinear control synthesis. We use a branch-and-prune framework, and design special pruning operators for universally-quantified constraints such that the procedures can be proved to be delta-complete, where suitable control of numerical errors is crucial. We demonstrated the effectiveness of the procedures on various global optimization and Lyapunov function synthesis problems.