
Chapter 5 Proving Inductive Invariants

5.2 Small Model Theorem

In this section, we present the main small model result (Theorem 5.2) for the restricted class of Passel assertions called LH-assertions. Thus, for a specific inductive invariant $\Gamma(N)$, Theorem 5.2 provides a threshold on the size of models, written $N_0$. If for all $N \le N_0$, $\Gamma(N)$ is an inductive invariant for $\mathcal{A}_N$, then $\Gamma(N)$ is indeed an inductive invariant for all $N \in \mathbb{N}$.

automata $\mathcal{A}_N$ by verifying $\Gamma(N)$ for a finite number of instances of $\mathcal{A}_N$. If the syntactic components of the hybrid automaton template $\mathcal{A}(N, i)$ are specified with this restricted class, then the small model theorem can be applied (Theorem 5.2).

Definition 5.1 An LH-assertion is an index sentence (refer to Section 2.3.2) of the form

$$\forall t_1 \in \mathbb{R}\ \forall i_1, \ldots, i_k \in [N]\ \exists t_2 \in \mathbb{R}\ \exists j_1, \ldots, j_m \in [N] : \varphi(t_1, i_1, \ldots, i_k, t_2, j_1, \ldots, j_m),$$

where $\varphi$ is a quantifier-free Passel assertion containing no unbounded integer variables. It is essential that the order (shape) of quantifiers is as specified ($\forall^* \exists^*$) for establishing small model theorems like Theorem 5.2. We mention that $t_e$ and $t_p$ are only used to model, respectively, an elapse of time of length $t_e$ and the enforcement of invariants for all trajectories of lengths $0 \le t_p \le t_e$ (refer to the semantics of continuous trajectories defined in Section 2.4.2).

We provide several example LH-assertions:

$$\forall i, j : i \ne j \Rightarrow (q[i] = q[j] \Rightarrow |x[j] - x[i]| > a), \tag{5.2}$$

$$\forall i, j : i = j \lor q[i] = q[j] \lor (x[j] - x[i] - a < 0) \lor (x[i] - x[j] - a < 0), \text{ and} \tag{5.3}$$

$$\forall i\ \exists j : p[i] = j \land |x[i] - x[p[i]]| > a. \tag{5.4}$$

We reiterate that we only use LH-assertions with $t_e$ and $t_p$ for checking the inductive invariance conditions for continuous trajectories, as shown in Section 5.3. Reading these assertions as statements about networks of automata, the first one states that all automata with identical values of the discrete local variable $q[i]$ have a minimum gap of $a$ between the values of their $x[i]$ variables. The first assertion is an abbreviation of the second. The last assertion states that every automaton has a pointer $p[i]$ to another automaton and that there is a minimum separation of $a$ between its $x[i]$ value and the $x[p[i]]$ value of the automaton to which $p[i]$ points.

Theorem 5.2 Let $\Gamma(N)$ be an LH-assertion of the form $\forall t_e \in \mathbb{R}\ \forall i_1, \ldots, i_k \in [N]\ \exists t_p \in \mathbb{R}\ \exists j_1, \ldots, j_m \in [N] : \varphi(t_e, i_1, \ldots, i_k, t_p, j_1, \ldots, j_m)$, where $\varphi$ is a quantifier-free formula in-

local variables in $V_i$, where $i \in \mathrm{ivars}(\varphi)$. Then, $\forall N \in \mathbb{N} : \Gamma(N)$ is valid iff for all $n \le N_0 = (e + 1)(k + 2)$, $\Gamma(N)$ is satisfied by all $n$-models (recall Definition 2.3), where $e$ is the number of index array variables in $\varphi$ and $k$ is the largest subscript of the universally quantified index variables in $\Gamma(N)$.

Proof: If $\forall N \in \mathbb{N} : \Gamma(N)$ is valid, then all its models satisfy it by the definition of validity. For the other direction, we assume that all models of size $n$, for $n \le (e + 1)(k + 2)$, satisfy $\Gamma(n)$. It suffices to show that $\psi \triangleq \forall N \in \mathbb{N} : \Gamma(N)$ is valid. Suppose for the sake of contradiction that $\psi$ is not valid. Then there exists a model $M$ of size $n > (e + 1)(k + 2)$ that satisfies $\lnot\psi \equiv \exists N, t_e, i_1, \ldots, i_k : \forall t_p, j_1, \ldots, j_m : \lnot\varphi$. We will show that for any model of size $n > (e + 1)(k + 2)$, there exists a model of size $n - 1$ that contradicts the assumption that all $n$-models satisfy $\Gamma(n)$.

The $n$-model $M$ assigns a real value to the variable $t_e$ and values in $\{1, \ldots, n\}$ to the index variables $i_1, \ldots, i_k$ (in addition to providing interpretations for the other variables and arrays). The values assigned to the universally quantified variables $t_p, j_1, \ldots, j_m$ in the model $M$ are not important, because any value of these variables would satisfy $\lnot\psi$. The set of values assigned to $i_1, \ldots, i_k$ can contain at most $k$ distinct values. Consider an index term with one of the forms $1$, $N$, or $i_m$, where $i_m$ is an existentially quantified index variable in $\lnot\psi$: any such term can take at most $k + 2$ distinct index values. Thus, an index array term $p[i_m]$ can take at most $k + 2$ distinct values. Since there are at most $e$ index arrays, the set of all possible index arrays and terms can take at most $(e + 1)(k + 2)$ distinct values. Therefore, there exists a value in $\{1, \ldots, n\}$, say $u$, that is not assigned to any index variable or to any of the referenced values of the index arrays in $M$.

Now, we define an $(n - 1)$-model $M'$ by removing $u$ from $\{1, \ldots, n\}$ and shifting the values assigned by $M$ appropriately. The constant $n$ is interpreted as $n - 1$ in $M'$. For each index variable $i_j$, if $i_j < u$, then we assign $M'(i_j) = M(i_j)$, and otherwise we assign $M'(i_j) = M(i_j) - 1$, where the notation $M(v)$ denotes the assignment of $v$ in model $M$. For each (index, discrete, or real) array $\bar{z}$, for each $i \in \{1, \ldots, n - 1\}$, if $i < u$ then we assign $M'(z[i]) = M(z[i])$, and otherwise we assign $M'(z[i]) = M(z[i + 1])$. Finally, it is routine to check that $M'$ assigns the same truth value to each atom in $\varphi$ as $M$, and therefore $M'$ also satisfies $\lnot\psi$. This contradicts the assumption that all models of size $n$, for $n \le (e + 1)(k + 2)$, satisfy $\Gamma(n)$.
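As an added illustration (not from the thesis), the following Python carries out the model-shrinking construction of the proof on a constructed 9-model with $k = 2$ index variables and $e = 1$ index array, so $N_0 = (1 + 1)(2 + 2) = 8 < 9$: it finds an index $u$ referenced by no index term, builds the $(n-1)$-model $M'$, and checks that the atoms of (5.2) and (5.4) take the same truth values in $M$ and $M'$. The names (`Model`, `shrink`, ...) and the data are assumptions of this example, as is shifting the index values stored inside index arrays, which is our reading of "shifting values appropriately".

```python
from dataclasses import dataclass

@dataclass
class Model:
    n: int          # model size; index values range over 1..n
    ivars: dict     # index variables i1..ik -> value in 1..n
    iarrays: dict   # index arrays: name -> {position -> index value}
    arrays: dict    # discrete/real arrays: name -> {position -> value}

def small_model_bound(e: int, k: int) -> int:
    """N0 = (e + 1)(k + 2) of Theorem 5.2."""
    return (e + 1) * (k + 2)

def referenced_indices(m: Model) -> set:
    """Values that index terms of shape 1, N, i_m or p[i_m] take in m."""
    base = {1, m.n} | set(m.ivars.values())                           # <= k + 2 values
    return base | {p[t] for p in m.iarrays.values() for t in base}   # <= (e+1)(k+2)

def unused_index(m: Model):
    """Smallest u in 1..n hit by no index term; guaranteed to exist when n > N0."""
    free = set(range(1, m.n + 1)) - referenced_indices(m)
    return min(free) if free else None

def shrink(m: Model, u: int) -> Model:
    """The (n-1)-model M' of the proof: delete u, shift positions and index values above it."""
    def sh(v):                 # M'(v) = M(v) if v < u, else M(v) - 1
        return v if v < u else v - 1
    def drop(arr, is_index):   # M'(z[i]) = M(z[i]) if i < u, else M(z[i + 1])
        return {sh(i): (sh(v) if is_index else v) for i, v in arr.items() if i != u}
    return Model(m.n - 1, {k: sh(v) for k, v in m.ivars.items()},
                 {k: drop(a, True) for k, a in m.iarrays.items()},   # assumption: stored indices shift too
                 {k: drop(a, False) for k, a in m.arrays.items()})

def atoms(m: Model, a: float) -> tuple:
    """Truth values of the atoms of (5.2) and (5.4) at the assigned i1, i2."""
    i1, i2 = m.ivars["i1"], m.ivars["i2"]
    q, x, p = m.arrays["q"], m.arrays["x"], m.iarrays["p"]
    return (i1 == i2, q[i1] == q[i2], abs(x[i2] - x[i1]) > a,
            p[i1] == i2, abs(x[i1] - x[p[i1]]) > a)

# Constructed 9-model: k = 2, e = 1, so N0 = 8 and n = 9 > N0 (hypothetical data).
M = Model(9, {"i1": 2, "i2": 5},
          {"p": {1: 3, 2: 7, 3: 1, 4: 9, 5: 2, 6: 6, 7: 4, 8: 5, 9: 8}},
          {"q": dict(zip(range(1, 10), "ABABBABAB")),
           "x": {i: 1.5 * (i - 1) for i in range(1, 10)}})
if __name__ == "__main__":
    u = unused_index(M)          # 4: the referenced set is {1, 2, 3, 5, 7, 8, 9}
    M2 = shrink(M, u)
    print(u, M2.n, atoms(M, 1.0) == atoms(M2, 1.0))
```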

We close this section with the following result that lets us check the conditions of inductiveness over trajectories as assertions with the small model property. We model rectangular dynamics using an additional existential quantifier over reals in the time transition. The discussion that follows shows how we are able to replace the relation $\mathrm{flow}$ used to define the set of continuous trajectories with a function $\mathrm{flow}_f$ defined below. An alternative would be to track upper and lower bounds of rectangular variables using two clocks and convert to timed automata as done in [30]. To define $T_N$ we first define the function $\mathrm{flow}(v[i], m, t)$, which returns a valuation $v'[i]$ such that for each $v \in V_i$, if $v$'s type is not real, then $v'[i].v = v[i].v$, but otherwise $v'[i].v = v[i].v + \mathrm{flowrate}(m, v)\,t$.

Proposition 5.3 Consider the flow function defined by $\mathrm{flow}_f(v[i], m, t)$, which returns a valuation $v'[i]$ such that for each $v \in V_i$, if $v$'s type is not real or its update type is not continuous, then $v'[i].v = v[i].v$, but otherwise $v'[i].v = v[i].v + \mathrm{flowrate}(m, v)\,t$, where $\mathrm{flowrate}(m, v)\,t = \delta t$ for any $\delta \in [a, b]$. Alternatively, consider the flow relation defined by $\mathrm{flow}_r(v[i], m, t)$, which returns a set of valuations $\mathcal{V}[i]$ such that for each $v'[i] \in \mathcal{V}[i]$ and each $v \in V_i$, if $v$'s type is not real or its update type is not continuous, then $v'[i].v = v[i].v$, but otherwise $v[i].v + at \le v'[i].v \le v[i].v + bt$.

Recall from Section 2.4.3 that a pair $(v, v') \in T_N$ iff:

$$\begin{aligned}
\exists t_e \in \mathbb{R}_{\ge 0} :\ \forall i \in [N] :\ \exists l \in \mathrm{Loc} :\ 
& \forall t_p \le t_e : \mathrm{flow}(v[i], l, t_p) \models \mathrm{inv}(l, i) \\
\land\ & \forall t_p \le t_e : \mathrm{flow}(v[i], l, t_p) \models \mathrm{stop}(l, i) \Rightarrow t_p = t_e
\end{aligned}$$

Consider the alternative definition of $T_N^f$, where a pair $(v, v') \in T_N^f$ iff:

$$\begin{aligned}
\exists t_e \in \mathbb{R}_{\ge 0} :\ \forall i \in [N] :\ \exists \delta \in \mathbb{R}_{\ge 0}\ \exists l \in \mathrm{Mode}_i :\ 
& \forall t_p \le t_e : \mathrm{flow}(v[i], l, t_p) \models \mathrm{inv}(l, i) \\
\land\ & \forall t_p \le t_e : \mathrm{flow}(v[i], l, t_p) \models \mathrm{stop}(l, i) \Rightarrow t_p = t_e \\
\land\ & v'[i] = \mathrm{flow}_f(v[i], l, t_e).
\end{aligned}$$

Then, the sets of trajectories under these definitions are the same, $T_N = T_N^f$.

Proof: We show $T_N \subseteq T_N^f$ and $T_N^f \subseteq T_N$. It is clear that $T_N^f \subseteq T_N$. For $T_N \subseteq T_N^f$, take any trajectory $\tau \in T_N$. The valuation of any variable $v$ at state $v'$ along $\tau$ satisfies $v[i].v + at \le v'[i].v \le v[i].v + bt$. Consider a trajectory under the other semantics, where the first state $x$ along this trajectory satisfies $x[i].v = v[i].v$ for each $i \in [N]$ and each variable $v$. Suppose $\delta = \frac{1}{t} \int_0^t v(t)\,dt$, where $v(t)$ is the actual choice of $\mathrm{flowrate}(m, v[i].v)$ over the length of the trajectory. This integral must exist, and thus we have picked $\delta$ as the average flow rate over the trajectory of length $t$. Since $\mathrm{flowrate}(m, v[i].v) \in [a, b]$ for $a = \mathrm{lflowrate}$ and $b = \mathrm{uflowrate}$, which is a convex set, and $\delta \in [a, b]$, we have that for this choice of $\delta$, $x[i].v + \delta t \in \tau$. Thus, $\tau \in T_N^f$.

5.3 Applying the Small Model Theorem to Check Inductive