Delta-Complete Decision Procedures for Satisfiability over the Reals

We introduce the notion of "δ-complete decision procedures" for solving SMT problems over the real numbers, with the aim of handling a wide range of nonlinear functions including transcendental functions and solutions of Lipschitz-continuous ODEs. Given an SMT problem ϕ and a positive rational number δ, a δ-complete decision procedure determines either that ϕ is unsatisfiable, or that the "δ-weakening" of ϕ is satisfiable. Here, the δ-weakening of ϕ is a variant of ϕ that allows δ-bounded numerical perturbations on ϕ. We prove the existence of δ-complete decision procedures for bounded SMT over reals with the functions mentioned above. For functions in Type 2 complexity class C, under mild assumptions, the bounded δ-SMT problem is in NP^C. δ-Complete decision procedures can exploit scalable numerical methods for handling nonlinearity, and we propose to use this notion as an ideal requirement for numerically-driven decision procedures. As a concrete example, we formally analyze the DPLL ICP framework, which integrates Interval Constraint Propagation (ICP) in DPLL(T), and establish necessary and sufficient conditions for its δ-completeness. We discuss practical applications of δ-complete decision procedures for correctness-critical applications including formal verification and theorem proving.

contain nonlinear polynomials, transcendental functions, and differential equations. Solving formulas with these functions is inherently intractable. Decision algorithms [9] for formulas with nonlinear polynomials have very high complexity [6]. When the sine function is involved, the SMT problem is undecidable, and only partial algorithms can be developed [2,1].
Recently much attention has been given to developing practical solvers that incorporate scalable numerical computations. Examples of numerical algorithms that have been exploited include optimization algorithms [4,27], interval-based algorithms [13,11,12,16], Bernstein polynomials [25], and linearization algorithms [14]. These solvers have shown promising results on various nonlinear benchmarks in terms of scalability.
However, for correctness-critical problems, there is always the concern that numerical errors can result in incorrect answers from numerically-driven solvers. For example, safety problems for hybrid systems cannot be decided by numerical methods [28]. The problem is compounded by, for instance, the difficulty in understanding the effect of floating-point arithmetic in place of exact computation. There are two common ways of addressing these concerns. One is to use exact versions of the numerical algorithms, replacing floating-point operations by exact symbolic arithmetic [25]; the other is to use post-processing (validation) procedures to ensure that only correct results are returned. Both options reduce the full power of numerical algorithms and are usually hard to implement as well. For instance, in the Flyspeck project [18] for the formal proof of the Kepler conjecture, validating the numerical procedures used in the original proof turns out to be the hardest computational part (and is still unfinished). In general, there has been no framework for understanding the actual performance guarantees of numerical algorithms in the context of decision problems.
In this paper we aim to fill this gap by formally establishing the applicability of numerical algorithms in decision procedures, and the correctness guarantees they can actually provide. We do this as follows.
First, we introduce "the δ-SMT problem" over real numbers, to capture what can in fact be correctly solved by numerically-driven procedures. Given an SMT formula ϕ, and any positive rational number δ, the δ-SMT problem asks for one of the following decisions:
• unsat: ϕ is unsatisfiable.
• δ-sat: the δ-weakening of ϕ is satisfiable.
Here, the δ-weakening of ϕ is defined as a numerical relaxation of the original formula. For instance, the δ-weakening of x = 0 is |x| ≤ δ. Note that if a formula is satisfiable, its δ-weakening is always satisfiable. Thus, when a formula is δ-sat, either it is indeed satisfiable, or it is unsatisfiable but a δ-perturbation on its numerical terms would make it satisfiable. The effect of this slight relaxation is striking. In sharp contrast to the undecidability of SMT for any signature extending real arithmetic by sine, we show that the bounded δ-SMT problem for a wide range of nonlinear functions is decidable. In fact, we show that the bounded δ-SMT problem for the theory with exponentiation and trigonometric functions is NP-complete, and PSPACE-complete for theories with Lipschitz-continuous ODEs. We obtain these results using techniques from computable analysis [30,5]. These results serve as the theoretical basis for our investigation of numerically-driven procedures.
Next, if a decision algorithm can solve the δ-SMT problem correctly, we say it is "δ-complete". We propose to use δ-completeness as the ideal correctness requirement on numerically-driven procedures, replacing the conventional notion of complete solvers (which can never be met in this context). This new notion makes it worthwhile to develop and formally analyze numerical methods for decision problems and compare their strength, instead of viewing them as partial heuristics. As an example, we study DPLL ICP, the integration of Interval Constraint Propagation (ICP) [19] in DPLL(T) [24]. It is a general solving framework for nonlinear formulas and has shown promising results [13,16,12]. We obtain conditions that are sufficient and necessary for the δ-completeness of DPLL ICP.
Further, we show the applicability of δ-complete procedures in correctness-critical practical problems. In bounded model checking [7,8], using a δ-complete solver we return one of the following answers: either a system is absolutely safe up to some depth (unsat answers), or it would become unsafe under some δ-bounded numerical perturbations (δ-sat answers). Since δ can be made very small, in the latter case the algorithm is essentially detecting robustness problems in the system: if a system would be unsafe under some small perturbations, it can hardly be regarded as safe in practice. Similar guarantees can be given for invariant validation and theorem proving. The conclusion is that, under suitable interpretations, the answers of numerically-driven decision procedures can indeed be relied on in correctness-critical applications, as long as they are δ-complete.
Related Work. Our goal is to provide a formal basis for the promising trend of numerically-driven decision procedures [4,27,13,11,12,16,25,14]. A related attempt can be seen in Ratschan's work [29], in which he investigated the stability of first-order constraints under numerical perturbations. Our approach is, instead, to take numerical perturbations as a given and study their implications in practical applications. Results in this paper are related to our more theoretical results [15] for arbitrarily-quantified sentences, where we do not analyze practical procedures. A preliminary notion of δ-completeness was proposed by us earlier in [16], where only polynomials are considered.
The paper is organized as follows. In Sections 2 and 3 we define the bounded δ-SMT problem and establish its decidability and complexity. In Section 4 we formally analyze DPLL ICP and discuss applications in Section 5.

Basics of Computable Analysis
Real numbers can be encoded as infinite strings, and a computability theory of real functions can be developed with oracle machines that perform operations using function-oracles encoding real numbers. This is the approach developed in Computable Analysis or Type 2 Computability [30,22,5]. We briefly review results of importance to us.
Throughout the paper we use ||·|| to denote ||·||_∞ over R^n for various n.
Thus the name of a real number is a sequence of rational numbers converging to it. For a ∈ R^n, we write Γ(a) = {γ : γ is a name of a}.
A real function f is computable if there is an oracle Turing machine that can take any argument x of f as a function oracle, and output the value of f (x) up to an arbitrary precision.
In the definition, i specifies the desired error bound on the output of M_f with respect to f(x). For any x ∈ dom(f), M_f has access to an oracle encoding the name γ_x of x, and outputs a 2^{-i}-approximation of f(x). In other words, the . Intuitively, f is computable if an arbitrarily good approximation of f(x) can be obtained using any good enough approximation to any x ∈ dom(f). A key property of this notion of computability is that computable functions over reals are continuous [30]. Moreover, over any compact set D ⊆ R^n, computable functions are uniformly continuous with a computable modulus of continuity defined as follows.
Proposition 2.1 ([30]). Let f :⊆ R^n → R be computable and D ⊆ dom(f) a compact set. Then f has a computable uniform modulus of continuity over D.
Intuitively, if a function has a computable uniform modulus of continuity, then fixing any desired error bound 2^{-i} on the outputs, we can compute a global precision 2^{-m_f(i)} on the inputs from D such that using any 2^{-m_f(i)}-approximation of any x ∈ D, f(x) can be computed within the error bound.
Most common continuous real functions are computable [30]. Addition, multiplication, absolute value, min, max, exp, sin and solutions of Lipschitz-continuous ordinary differential equations are all computable functions. Compositions of computable functions are computable.
Moreover, complexity of real functions can be defined over compact domains. (i) that halts in polynomial-time (polynomial-space) for every i ∈ N and every x ∈ dom(f ).
We say f is in Type 2 complexity class C if it is C-computable. f is C-complete if it is C-computable and C-hard [22]. If f : D → R is C-computable, then it has a C-computable modulus of continuity over D. Polynomials, exp, and sin are all P-computable functions. A recent result [21] established that the complexity of computing solutions of Lipschitz-continuous ODEs over compact domains is a PSPACE-complete problem.

Bounded SMT over R_F
We now let F denote an arbitrary collection of Type 2 computable functions. L_F denotes the first-order signature and R_F is the standard structure ⟨R, F⟩. We can then consider the SMT problem over R_F, namely, satisfiability of quantifier-free L_F-formulas over R_F. We consider formulas whose variables take values from bounded intervals. Because of this, it is more convenient to directly write the bounds on existential quantifiers and express bounded SMT problems as Σ_1-sentences with bounded quantifiers. We can write a bounded Σ_1-sentence as ∃^I x. ψ(x) for short.

Lemma 2.1 (Standard Form).
Any bounded Σ_1-sentence ϕ in L_F is equivalent over R_F to a sentence of the following form:
Proof. We apply the following transformations: 1. (Eliminate =) Substitute each atomic formula of the form g_ij = 0 by where v_ij is a newly introduced variable, and add an innermost bounded existential Here, m_{v_ij} ∈ Q is any value greater than the maximum of g′_ij over dom(ϕ). Note that such a maximum of g′_ij always exists over dom(ϕ), since g′_ij is continuous on \overline{dom(ϕ)}, which is compact, and is computable [22].
The formula is now in the form The new formula is in the standard form and equivalent to the original. □
Recall that we allow the interval bounds on variables to be either open or closed. Let \overline{S} and S^o denote the closure and interior of any set S over the reals. Based on our need we can consider the closure or the interior of the domains in a Σ_1-sentence.
Definition 2.6 (Closure and Interior). Let ϕ := ∃^{I_1} x_1 ··· ∃^{I_n} x_n. ψ(x) be a bounded Σ_1-sentence in L_F; we define the closure and interior of ϕ as:

The Bounded δ-SMT Problem
The key for bridging numerical procedures and SMT problems is to introduce syntactic perturbations on Σ_1-sentences in L_F.
Definition 3.1 (δ-Weakening and Perturbations). Let δ ∈ Q^+ ∪ {0} be a constant and ϕ be a Σ_1-sentence in standard form: The δ-weakening of ϕ is defined as: Also, a δ-perturbation is a constant vector c = (c_11, ..., c_{m k_m}), c_ij ∈ Q, satisfying ||c|| ≤ δ, such that the c-perturbed form of ϕ is given by:
Proposition 3.1. ϕ^δ is true iff there exists a δ-perturbation c such that ϕ^c is true. In particular, c can be the zero vector, and thus ϕ → ϕ^δ.
We now define the bounded δ-SMT problem. We follow the convention that SMT solvers return sat/unsat, which is equivalent to the corresponding Σ_1-sentence being true/false.
Definition 3.2. The bounded δ-SMT problem asks for one of the following two decisions on ϕ:
• unsat: ϕ is false.
• δ-sat: ϕ^δ is true.
When the two cases overlap, either decision can be returned.
Our main theoretical claim is that the bounded δ-SMT problem is decidable for δ ∈ Q^+. This is essentially a special case of our more general results for arbitrarily-quantified L_F-sentences [15]. However, different from [15], here we define the standard forms of SMT problems to contain only equalities in the matrix, on which the original proof does not work directly. Also, in [15] we relied on results from computable analysis that are not needed here. We now give a direct proof for the decidability of δ-SMT and analyze its complexity.
Theorem 3.1 (Decidability). Let F be a finite collection of Type 2 computable functions and δ ∈ Q^+. The bounded δ-SMT problem in L_F is decidable.
Proof. We describe a decision procedure which, given any bounded Σ_1-sentence ϕ in L_F and δ ∈ Q^+, decides whether ϕ is false or ϕ^δ is true. Assume that ϕ is in the form of Definition 3.1.
First, we need a uniform bound on all the variables so that a modulus of continuity for each function can be computed. Suppose each x_i is bounded by I_i, whose closure is [l_i, u_i]. From now on, g_ij = f_ij(l_1 + (u_1 − l_1)x_1, ..., l_n + (u_n − l_n)x_n). After the transformation, we have \overline{dom(ϕ)} = [0, 1] × ··· × [0, 1], on which each g_ij is computable (it is a composition of the finitely many computable functions in F) and has a computable modulus of continuity m_{g_ij}. We write ψ(x) to denote the matrix of ϕ after the transformation.
Choose r ∈ N such that 2^{-r} < δ/4. Then for each g_ij, we use m_{g_ij} to obtain e_ij = m_{g_ij}(r). Choose e ∈ N such that e ≥ max(e_11, ..., e_{m k_m}) (1) and write ε = 2^{-e}. We then have, for all x, y ∈ \overline{dom(ϕ)}, that ||x − y|| ≤ ε implies |g_ij(x) − g_ij(y)| ≤ 2^{-r}. We now consider a finite ε-net of \overline{dom(ϕ)}, i.e., a finite S_ε ⊆ \overline{dom(ϕ)}, satisfying ∀x ∈ \overline{dom(ϕ)} ∃a ∈ S_ε. ||x − a|| ≤ ε. In fact, S_ε can be explicitly defined as S_ε = {(k_1 · 2^{-e}, ..., k_n · 2^{-e}) : k_i ∈ N, 0 ≤ k_i ≤ 2^e} (4). Next, we evaluate the matrix ψ(x) on each point in S_ε, as follows. Let a ∈ S_ε be arbitrary. For each g_ij in ψ, we compute g_ij(a) up to an error bound of δ/8, and write the result of the evaluation as g_ij(a)_{δ/8}. Then |g_ij(a) − g_ij(a)_{δ/8}| < δ/8.
Note g_ij(a)_{δ/8} is a rational number. We then define ψ(a) to be the result of replacing each atom g_ij(a) = 0 in ψ(a) by |g_ij(a)_{δ/8}| < δ/2. Then for each a, evaluating ψ(a) only involves comparison of rational numbers and Boolean evaluation, and ψ(a) is either true or false. Now, by collecting the value of ψ on every point in S_ε, we have the following two cases.
• Case 1: For some a ∈ S_ε, ψ(a) is true. We show that ϕ^δ is true. Note that for every atom that ψ(a) makes true, |g_ij(a)| ≤ |g_ij(a)_{δ/8}| + δ/8 < δ/2 + δ/8 < δ. We need to be careful about a, since it is an element in \overline{dom(ϕ)}, not dom(ϕ). If a ∈ dom(ϕ), then ϕ^δ is true, witnessed by a. Otherwise, a ∈ ∂(dom(ϕ)). Then by continuity of g_ij, there exists a′ ∈ dom(ϕ) such that ∧_{i=1}^{m} ∨_{j=1}^{k_i} |g_ij(a′)| < δ. (Just let a small enough ball around a intersect dom(ϕ) at a′.) That means ϕ^δ is also true in this case, witnessed by a′.

• Case 2: For every a ∈ S_ε, ψ(a) is false.
Now recall condition
This means ¬ϕ is true, and ϕ is false.
In all, the procedure decides either that ϕ^δ is true, or that ϕ is false. □

We now analyze the complexity of the δ-SMT problem. The decision procedure given above essentially evaluates the formula on each sample point. Thus, given an oracle for evaluating the functions, we can construct a nondeterministic Turing machine that randomly picks the sample points and decides the formula.
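The grid procedure of this proof, as an added Python example (it is not code from the paper): it decides a conjunction of equalities over a closed box by evaluating every lattice point of an ε-net, with ε derived from a modulus of continuity that is here taken to be an assumed Lipschitz constant per constraint, and compares each δ/8-approximation (exact rational evaluation for the sample polynomials) against δ/2 exactly as above. The constraints and constants are constructed inputs; the near-miss instance shows the one-sided error a δ-sat answer is allowed to carry.

```python
from fractions import Fraction
from itertools import product
from typing import Callable, Iterator, List, Optional, Sequence, Tuple

Point = Tuple[Fraction, ...]
Box = Sequence[Tuple[Fraction, Fraction]]
# A constraint g(x) = 0 is a pair (evaluator, L). The evaluator receives a rational
# point a and an error bound err and returns a rational within err of g(a); it plays
# the role of g(a)_{delta/8} in the proof. L is an (assumed) Lipschitz constant of g
# on the box w.r.t. the max-norm, which gives the modulus of continuity used below:
# ||x - a|| <= 2^-e implies |g(x) - g(a)| <= L * 2^-e.
Constraint = Tuple[Callable[[Point, Fraction], Fraction], Fraction]


def exact(f: Callable[..., Fraction]) -> Callable[[Point, Fraction], Fraction]:
    """Wrap a function evaluated exactly over Q (a polynomial with rational
    coefficients), so any requested error bound is met with zero error."""
    return lambda a, err: Fraction(f(*a))


def eps_net(box: Box, e: int) -> Iterator[Point]:
    """The finite epsilon-net S_eps, epsilon = 2^-e: a lattice of spacing 2^-e on each
    closed interval [l_i, u_i], endpoints included, so every point of the box lies
    within 2^-e (max-norm) of some lattice point."""
    h = Fraction(1, 2 ** e)
    axes: List[List[Fraction]] = []
    for l, u in box:
        pts = [l + k * h for k in range(int((u - l) // h) + 1)]
        if pts[-1] < u:
            pts.append(u)
        axes.append(pts)
    return product(*axes)


def delta_decide(box: Box, constraints: Sequence[Constraint],
                 delta) -> Tuple[str, Optional[Point]]:
    """delta-complete decision for   exists x in box . AND_i g_i(x) = 0.
    Returns ('delta-sat', a) with a satisfying every |g_i(a)| <= delta, i.e. the
    delta-weakening holds, or ('unsat', None) when the sentence is false."""
    delta = Fraction(delta)
    box = [(Fraction(l), Fraction(u)) for l, u in box]
    r = 0                               # 2^-r < delta/4, as in the proof
    while Fraction(1, 2 ** r) >= delta / 4:
        r += 1
    e = r                               # e with L * 2^-e <= 2^-r for every constraint
    while any(L * Fraction(1, 2 ** e) > Fraction(1, 2 ** r) for _, L in constraints):
        e += 1
    err = delta / 8
    for a in eps_net(box, e):
        # each atom g_i(a) = 0 becomes the rational comparison |g_i(a)_{delta/8}| < delta/2
        if all(abs(g(a, err)) < delta / 2 for g, _ in constraints):
            return "delta-sat", a       # then |g_i(a)| < delta/2 + delta/8 < delta
    # Otherwise every x in the box is within 2^-e of a lattice point a where some
    # |g_i(a)| > 3*delta/8, so |g_i(x)| > 3*delta/8 - delta/4 > 0: phi is false.
    return "unsat", None


def is_delta_witness(a: Point, constraints: Sequence[Constraint], delta) -> bool:
    """Independent check of a delta-sat certificate: every |g_i(a)| <= delta."""
    delta = Fraction(delta)
    return all(abs(g(a, Fraction(0))) <= delta for g, _ in constraints)


# Constructed sample instances (not from the paper).
UNIT_SQUARE = [(0, 1), (0, 1)]
# x^2 + y^2 = 1 and x = y on [0,1]^2: satisfiable at (sqrt(2)/2, sqrt(2)/2).
# Lipschitz constants on the unit square w.r.t. the max-norm: 4 and 2.
CIRCLE_DIAGONAL = [(exact(lambda x, y: x * x + y * y - 1), Fraction(4)),
                   (exact(lambda x, y: x - y), Fraction(2))]
# x^2 + 1 = 0 on [-1,1]: unsatisfiable, and not delta-sat for any delta < 1.
NO_REAL_ROOT = [(exact(lambda x: x * x + 1), Fraction(2))]
# x = 0 and x = 1/10 on [-1,1]: unsatisfiable, yet delta-sat for delta >= 1/20,
# which is exactly the one-sided error a delta-complete procedure may make.
NEAR_MISS = [(exact(lambda x: x), Fraction(1)),
             (exact(lambda x: x - Fraction(1, 10)), Fraction(1))]

if __name__ == "__main__":
    print(delta_decide(UNIT_SQUARE, CIRCLE_DIAGONAL, Fraction(1, 4)))
    print(delta_decide([(-1, 1)], NO_REAL_ROOT, Fraction(1, 4)))
    for d in (Fraction(1, 4), Fraction(1, 100)):
        print(d, delta_decide([(-1, 1)], NEAR_MISS, d))
```

The lattice has 2^e + 1 points per dimension, so the run time is exponential in e, which is the cost that the nondeterministic machine of Theorem 3.2 avoids by guessing a single point.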
Most of the functions we are interested in (exp, sin, ODEs) are in Type 2 complexity class P or PSPACE. To prove interesting complexity results, a technical restriction is that we need to bound the number of function compositions in a formula, because otherwise evaluating nested polynomial-time functions can be exponential in the nesting depth. Formally we define:
Definition 3.3 (Uniformly Bounded Σ_1-class). Let F be a finite set of Type 2 computable functions, and S a class of bounded Σ_1-sentences in L_F. Let l, u ∈ Q satisfy l ≤ u. We say S is uniformly (l, u, F)-bounded, if ∀ϕ ∈ S of the form

Proposition 3.2 ([22]). Let C be a Type 2 complexity class contained in PSPACE. Then given any compact domain D, a C-computable function has a uniform modulus of continuity over D given by a polynomial function.
We are now ready to prove the main complexity claim.
Theorem 3.2 (Complexity). Let F be a finite set of functions in Type 2 complexity class C, P ⊆ C ⊆ PSPACE. The δ-SMT problem for a uniformly bounded class of Σ_1-sentences in L_F is in NP^C.
Proof. We describe a nondeterministic Turing machine with a function oracle of complexity C, that can decide in polynomial time the δ-SMT problem for a uniformly bounded class.
The function oracle θ we use behaves as follows. Given strings s, t, and d on the query tape, θ(s, t, d) looks up the function f_s ∈ F encoded by s and returns the value of f_s(x_t) up to an error bound of 2^{-d}, where x_t is a rational vector encoded by t taken as the argument of f_s. Since all the functions in F are in complexity class C, θ(s, t, d) is a C-oracle.
For any symbol s, we write len(s) to denote its bit-length. For an integer i, we know len(i) = O(log(i)). For a rational number d, which is the ratio of coprime integers p and q, len(d) = O(len(p) + len(q)) = O(log(pq)). For a function f, len(f) is the length of its name. We write O(poly(n)) to denote ∪_k O(n^k).
Let ϕ be the input formula as in Definition 3.1, where each f_ij ∈ F. Suppose ϕ is in a uniformly (l, u, F)-bounded class.
Then for each f_ij, we use its uniform modulus of continuity over [l, u], given by a polynomial m_{f_ij} (Proposition 3.2), and obtain e_{f_ij} = m_{f_ij}(r), in time O(poly(len(r))) and with e_{f_ij} = O(poly(r)). Then we compute e_ij for the function g_ij by scaling e_{f_ij}, using e_ij = ⌈−log(2^{−e_{f_ij}} / max_{1≤i≤n}{u_i − l_i})⌉. Thus e_ij = O(e_{f_ij} + log(max_i(u_i − l_i))) = O(poly(len(δ) + len(ϕ))). Finally, let e be the biggest e_ij. It is then clear that e = O(poly(len(ϕ) + len(δ))), obtainable in polynomial time. Next, our procedure evaluates the matrix of the formula on each point a ∈ S_ε. Note from (4) that S_ε is of size exponential in e. Here we exploit the nondeterminism of the machine by randomly picking 0 ≤ k ≤ 2^e on each dimension. Note that since log(k) ≤ e, we have len(k) = O(e) = O(poly(len(ϕ) + len(δ))). Let a = (a_1, ..., a_n) be the randomly picked point in S_ε. Following the above estimate of len(k) and len(ε) = O(log(2^{−e})) = O(e), we have len(a) = O(poly(len(ϕ) + len(δ))). Now we evaluate ϕ(a). With access to the C-oracle specified above, this can be done in polynomial time, as follows. For each g_ij(a), we query the oracle with θ(f_ij, a_lu, δ/8), where a_lu is a scaled by [l_i, u_i] on each dimension. This query uses O(poly(len(ϕ) + len(δ)))-space on the query tape. The oracle then returns the value of f_ij(a_lu)_{δ/8} = g_ij(a)_{δ/8}, and since C ⊆ PSPACE, len(g_ij(a)_{δ/8}) is polynomial in the input. Next we evaluate each atom by comparing these values obtained from the oracle with δ/2. This uses time O(poly(len(ϕ) + len(δ))). Finally, if ψ(a) is true, we return δ-sat. Thus the problem is decided in nondeterministic polynomial time using access to the C-oracle. We can conclude that the δ-SMT problem for a uniformly bounded class is in NP^C. □
Remark 3.1. The restriction to a uniformly bounded class of formulas is a technical one. For a class of formulas of interest, we can always choose a rich enough F that contains the compositions we need, and a loose enough uniform bound on the variables.
We can now obtain a precise characterization of the complexity for δ-SMT problems in signatures of interest. Recall that most common functions, such as polynomials, exp, sin, are all P-computable and Lipschitz-continuous ODEs are PSPACE-complete.
Corollary 3.1. Let F be a finite set of P-computable functions. Then the uniformly-bounded δ-SMT problem in L_F is in NP, and there exists L_F such that it is NP-complete.
Proof. Since the functions in F are P-time computable, the δ-SMT problem is in NP^P = NP. We only need to encode Boolean satisfiability for hardness. We need to be careful that no negations can be used. For any propositional formula φ(p_1, ..., p_n), substitute p_i by x_i < 0 and ¬p_i by x_i > 1, and add (x_i = 0 ∨ x_i = 1) as a clause to the formula. Add the quantifiers ∃^{[−1,2]} x_i for each x_i. Then for any δ < 0.5, φ is satisfiable iff the translation is δ-true, and unsatisfiable iff the translation is false. Note that the cases do not overlap. □
Corollary 3.2. Let F be a finite set of Lipschitz-continuous ODEs over compact domains. Then the uniformly-bounded δ-SMT problem in L_F is in PSPACE, and there exists L_F such that it is PSPACE-complete.
Proof. We have NP^PSPACE = PSPACE. Since some ODEs are PSPACE-complete to solve [21], there exists L_F for which the δ-SMT problem is PSPACE-complete. □

We now give a formal analysis of the integration of ICP and DPLL(T) for solving bounded δ-SMT. Our goal is to establish sufficient and necessary conditions under which such an integration is δ-complete.

Interval Constraint Propagation
The method of Interval Constraint Propagation (ICP) [3] finds solutions of real constraints using a "branch-and-prune" method, combining interval arithmetic and constraint propagation. The idea is to use interval extensions of functions to "prune" out sets of points that are not in the solution set, and "branch" on intervals when such pruning cannot be done, until a small enough box that may contain a solution is found. A high-level description of the decision version of ICP is given in Algorithm 1 and we give formal definitions as follows.
In Algorithm 1, Branch(B, i) is an operator that returns two smaller boxes B′ = I_1 × ··· × I′_i × ··· × I_n and B″ = I_1 × ··· × I″_i × ··· × I_n, where I_i ⊆ I′_i ∪ I″_i. To ensure termination it is assumed that there exists some constant 0 < c < 1 such that c · |I_i| ≤ |I′_i| and c · |I_i| ≤ |I″_i| for all i. The key component of the algorithm is the Prune(B, f) operation. A simple example of a pruning operation is as follows. In principle, any operation that contracts the intervals on variables can be seen as pruning. However, for correctness we need several formal requirements on the pruning operator in ICP_ε.

Algorithm 1: High-Level ICP_ε (decision version of Branch-and-Prune)
input: Constraints f_1(x_1, ..., x_n) = 0, ..., f_m(x_1, ..., x_n) = 0, initial box B_0 = I^0_1 × ··· × I^0_n, box stack S = ∅, and precision ε ∈ Q^+.
output: sat or unsat.

Definition 4.3. Let F be a collection of real functions, and ♯ be an interval extension operator on F. A well-defined (equality) pruning operator with respect to ♯ is a partial function Prune_♯ :⊆ BF × F → BF, such that ∀f ∈ F, B, B′ ∈ BF, When ♯ is clear, we simply write Prune. It specifies the following requirements. (W1) requires contraction, so that the algorithm always makes progress: branching always decreases the size of boxes, and pruning never increases them. (W2) requires that the result of a pruning is always a reasonable box that may contain a zero. Otherwise B should have been pruned out. (W3) ensures that the real solutions are never discarded in pruning (called "completeness" in [3]). We use Prune(B, f_1, ..., f_m) to denote the iterative application of Prune(·, f_i) for each f_i.
Lemma 4.1. ICP_ε always terminates and returns either sat or unsat. If it returns unsat then ∀a ∈ B_0, there exists B ⊆ B_0 such that a ∈ B and Prune(B, f_1, ..., f_m) = ∅.
Now we prove the main theorem.
Theorem 4.2 (δ-Completeness of ICP_ε). Let δ ∈ Q^+ be arbitrary. We can find an ε ∈ Q^+ such that the ICP_ε algorithm is δ-complete for conjunctive Σ_1-sentences in L_F (where sat is interpreted as δ-sat) if and only if the pruning operator in ICP_ε is well-defined.
Proof. We consider an arbitrary bounded existential L_F-sentence containing only conjunctions, written as ϕ: Since all the functions in ϕ are computable over B_0, each f_i has a uniform modulus of continuity over B_0, which we write as m_{f_i}. Choose any k ∈ N such that 2^{-k} < δ. Then for any ε_i < m_{f_i}(k), we have |f_i(x) − f_i(y)| < δ whenever x, y ∈ B_0 and ||x − y|| < ε_i. We now fix ε to be any positive rational number smaller than min(ε_1, ..., ε_m). By the previous lemma, we know ICP_ε terminates and returns either sat or unsat. We now prove the two directions of the biconditional.
⇐: Suppose ICP_ε returns "unsat". Suppose ϕ is in fact satisfiable. Then there is a point a ∈ B_0 such that ψ(a) is true. However, following Lemma 4.1, a ∈ B for some B ⊆ B_0 and Prune(B_0, f_1, ..., f_m) = ∅. This contradicts condition (W3) of the pruning operator.
⇒: We only need to show that without any one of the three conditions in Definition 4.3, we can define a pruning operator that fails δ-completeness.
Without (W1), we define a pruning operator that always outputs intervals bigger than ε (such as the initial intervals). Then the procedure never terminates. Note that the other two conditions are trivially satisfied in this case (for any f and B_0 satisfying 0 ∈ ♯f(B_0)). Without (W2), consider the function f(x) = x^2 + 1 with x ∈ [−1, 1]. We can define a pruning operator such that Prune([−1, 1], f) = [1, 1]. This operator satisfies the other two conditions. However, the returned result [1, 1] fails δ-completeness for any δ smaller than 2, since f(1) = 2. Without (W3), we simply prune any set to ∅ and always return unsat. This violates δ-completeness, which requires that if unsat is returned the formula must be indeed unsatisfiable. The other two conditions are also satisfied in this case. □
In practice, pruning operators are defined based on consistency conditions from constraint propagation techniques. Many pruning operators are used in practice [3]. Following Theorem 4.2, we only need to prove their well-definedness to ensure δ-completeness. For instance:
Definition 4.4 (Box-consistent Pruning [19]). We say π_B : BF × F → BF is box-consistent, if for all f ∈ F and B = I_1 × ··· × I_n ⊆ dom(f), the i-th interval of π_B(B, f) is I_i ∩ Hull({a_i ∈ R : 0 ∈ ♯f(I_1, ..., Hull({a_i}), ..., I_n)}).
Proposition 4.2. The Box-consistent Pruning operator is well-defined.
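As an added example, not code from the paper or from any solver it cites, the following Python implements the decision version of branch-and-prune from Algorithm 1 with natural interval arithmetic over rationals and a pruning operator that meets (W1)-(W3): a box is discarded when 0 ∉ ♯f(B), and on each dimension wider than ε a half is dropped when its extension excludes 0. The sample constraints are constructed; `certifies_delta_sat` shows how a returned box becomes a δ-sat certificate when the extensions on it lie within [−δ, δ], which is the role the choice of ε relative to δ plays in Theorem 4.2.

```python
from fractions import Fraction


def _iv(v):
    return v if isinstance(v, Interval) else Interval(v, v)  # constant -> degenerate box


class Interval:
    """Closed interval with rational endpoints; +, -, * implement natural interval
    arithmetic, so a polynomial evaluated on Intervals yields #f(B), a superset of f(B)."""
    def __init__(self, lo, hi):
        self.lo, self.hi = Fraction(lo), Fraction(hi)
    def __add__(self, o):
        o = _iv(o)
        return Interval(self.lo + o.lo, self.hi + o.hi)
    def __sub__(self, o):
        o = _iv(o)
        return Interval(self.lo - o.hi, self.hi - o.lo)
    def __mul__(self, o):
        o = _iv(o)
        p = (self.lo * o.lo, self.lo * o.hi, self.hi * o.lo, self.hi * o.hi)
        return Interval(min(p), max(p))
    def width(self):
        return self.hi - self.lo
    def contains_zero(self):
        return self.lo <= 0 <= self.hi
    def halves(self):
        m = (self.lo + self.hi) / 2
        return Interval(self.lo, m), Interval(m, self.hi)


def prune(box, f, eps):
    """Well-defined pruning operator for f(x) = 0: discard B when 0 is not in #f(B);
    otherwise, on each dimension still wider than eps, drop a half whose extension
    excludes 0. A zero of f lies in some half, whose extension then contains 0, so
    no solution is lost (W3); the result never grows (W1) and keeps 0 in #f (W2)."""
    if not f(*box).contains_zero():
        return None
    box = list(box)
    for i, iv in enumerate(box):
        if iv.width() < eps:
            continue
        kept = [h for h in iv.halves()
                if f(*(box[:i] + [h] + box[i + 1:])).contains_zero()]
        if not kept:
            return None
        box[i] = Interval(kept[0].lo, kept[-1].hi)
    return box


def prune_all(box, constraints, eps):
    """Prune(B, f_1, ..., f_m): apply every constraint's pruning until nothing changes."""
    changed = True
    while changed:
        changed = False
        for f in constraints:
            new = prune(box, f, eps)
            if new is None:
                return None
            if any(a.lo != b.lo or a.hi != b.hi for a, b in zip(new, box)):
                box, changed = new, True
    return box


def icp(constraints, box, eps):
    """Decision version of branch-and-prune (ICP_eps): ('sat', B) for a box B of width
    below eps that survives pruning, ('unsat', None) once every box is pruned away."""
    eps = Fraction(eps)
    stack = [list(box)]
    while stack:
        b = prune_all(stack.pop(), constraints, eps)
        if b is None:
            continue
        i = max(range(len(b)), key=lambda k: b[k].width())   # widest dimension
        if b[i].width() < eps:
            return "sat", b
        left, right = b[i].halves()                          # Branch(B, i), c = 1/2
        stack.append(b[:i] + [right] + b[i + 1:])
        stack.append(b[:i] + [left] + b[i + 1:])
    return "unsat", None


def certifies_delta_sat(box, constraints, delta):
    """A returned box certifies the delta-weakening when every #f_i(B) lies inside
    [-delta, delta]: then |f_i(a)| <= delta for every point a of B."""
    delta = Fraction(delta)
    return all(-delta <= f(*box).lo and f(*box).hi <= delta for f in constraints)


# Constructed sample instances (not from the paper); each lambda serves both as the
# real function (on Fractions) and as its natural interval extension (on Intervals).
UNIT_SQUARE = [Interval(0, 1), Interval(0, 1)]
CIRCLE_DIAGONAL = [lambda x, y: x * x + y * y - 1, lambda x, y: x - y]  # sat at sqrt(2)/2
NO_REAL_ROOT = [lambda x: x * x + 1]                                     # unsat on [-1, 1]
PRODUCT_SUM = [lambda x, y: x * y - 1, lambda x, y: x + y - 1]          # x(1-x) = 1: unsat

if __name__ == "__main__":
    status, b = icp(CIRCLE_DIAGONAL, UNIT_SQUARE, Fraction(1, 64))
    print(status, [(iv.lo, iv.hi) for iv in b], certifies_delta_sat(b, CIRCLE_DIAGONAL, "1/4"))
```

Note that x * x + 1 on [−1, 1] evaluates to [0, 2] under natural interval arithmetic (the dependency problem), so the unsat answer for that instance comes from the half-dropping step rather than from the initial zero test.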

Handling ODEs
In this section we expand our language to consider solutions of the initial value problems (IVP) of Lipschitz-continuous ODEs. Let t_0, T ∈ R and g : R^n → R be a Lipschitz-continuous function, i.e., for all x_1, x_2 ∈ R^n, |g(x_1) − g(x_2)| ≤ c||x_1 − x_2|| for some constant c. Let t_0, T ∈ R satisfy t_0 ≤ T and y_0 ∈ R^n. An IVP problem is given by where y : [t_0, T] → R^n is called the solution of the IVP. Consider y(t) as (y_1(t), ..., y_n(t)); then each component y_i : [t_0, T] → R is a Type 2 computable function, and can appear in some signature F. In fact, we can also regard y_0 as an argument of y_i and write y_i(t_0, y_0). This does not change the computability properties of y_i, since following the Picard-Lindelöf representation y(t) = ∫_{t_0}^{t} g(y(s)) ds + y_0, y_i(t) is only linearly dependent on y_0. In practice, with an ICP framework, we can exploit interval solvers for IVP problems [26], for pruning intervals on variables that appear in constraints involving ODEs. This direction has received much recent attention [12,11,17,20].
Consider the IVP problem defined above, with y_0 contained in a box B_{t_0} ⊆ R^n. Let t_0 ≤ t_1 ≤ ... ≤ t_m = T be a set of points in [t_0, T]. An interval-based ODE solver returns a set of boxes B_{t_1}, ..., B_{t_m} such that Now let y_i : [t_0, T] × B_0 → R be the i-th component of the solution y of an IVP problem. Then interval-based ODE solvers compute interval extensions of y_i. Thus, pruning operators that respect the interval extension computed by interval ODE solvers can be defined. It can be concluded from Theorem 4.2 that ICP_ε is δ-complete for equalities involving ODEs, as long as the pruning operator is well-defined. The simplest strategy is just to prune out any set of points outside the interval extension:
Proposition 4.3 (Simple ODE-Pruning). Let y_i(t, y_0) be the i-th component function of an IVP problem. Suppose ♯y_i is computed by an interval ODE solver. Then the pruning operator Prune(I, y_i) = I ∩ ♯y_i(I_t, B_{y_0}) is well-defined.

DPLL ICP
Now consider the integration of ICP into the framework of DPLL(T), so that the full δ-SMT problem can be solved. Given a formula ϕ, a DPLL ICP solver uses SAT solvers to enumerate solutions to the Boolean abstraction ϕ^B of the formula, and uses ICP_ε to decide the satisfiability of conjunctions of atomic formulas. DPLL ICP returns sat when ICP_ε returns sat to some conjunction of theory atoms witnessing the satisfiability of ϕ^B, and returns unsat when ICP_ε returns unsat on all the solutions to ϕ^B. Thus, it follows naturally that using a δ-complete theory solver ICP_ε, DPLL ICP is also δ-complete.
Theorem (δ-Completeness of DPLL ICP). DPLL ICP is δ-complete for bounded SMT in L_F if and only if the pruning operator in ICP_ε is well-defined.
Proof. Let ϕ be a bounded SMT problem ∃^I x. ∧_i ∨_j f_ij(x) = 0. Its Boolean abstraction ϕ^B is given by ∧_i ∨_j p_ij, where p_ij is the propositional abstraction of f_ij(x) = 0.
Choose ε to satisfy that ∀x, y ∈ I, |f_ij(x) − f_ij(y)| < δ for all f_ij that appear in ϕ. Now, in the DPLL(T) framework, the SAT solver returns an assignment to p_ij such that ϕ^B evaluates to true, then ICP_ε is used for checking the satisfiability of the corresponding conjunction of theory atoms. It is important to note that ϕ^B does not contain negations.
Suppose the pruning operator in ICP_ε is well-defined. Then ICP_ε is δ-complete. Now, suppose DPLL ICP returns sat. Then ϕ^B is true, witnessed by a set {p_1, ..., p_m} assigned to true, which in turn corresponds to a set {f_1(x) = 0, ..., f_m(x) = 0} of theory atoms. By δ-completeness of ICP_ε, we know that ϕ^δ is true. On the other hand, suppose ϕ is decided as unsat. Then either there is no assignment such that ϕ^B is true, or for each satisfying assignment to ϕ^B, ICP_ε decides that the corresponding set of theory atoms is not satisfiable. By δ-completeness of ICP_ε, the unsat answers are always correct. In all, DPLL ICP is also δ-complete.
Suppose the pruning operator in ICP_ε is not well-defined; then DPLL ICP is simply not δ-complete for conjunctions of theory atoms, and thus not δ-complete for bounded SMT in L_F. □

Applications
δ-Complete solvers return answers that allow one-sided, δ-bounded errors. The framework allows us to easily understand the implications of such errors in practical problems. Indeed, δ-complete solvers can be directly used in the following correctness-critical problems.
Bounded Model Checking and Invariant Validation. Let S = ⟨X, Init, Trans⟩ be a transition system over X, which can be continuous or hybrid. Then given a subset U ⊆ X, the bounded model checking problem asks whether ϕ_n := ∃x_0, ..., x_n (Init(x_0) ∧ ∧_{i=0}^{n−1} Trans(x_i, x_{i+1}) ∧ x_n ∈ U) is true. Here U denotes the "unsafe" values of the system, and we say S is safe up to n if ϕ_n is false. Thus, using a δ-complete solver for ϕ_n, we can determine the following: if ϕ_n is unsat, then S is indeed safe up to n; on the other hand, if ϕ_n is δ-sat, then either the system is unsafe, or it would be unsafe under a δ-perturbation, and a counterexample is provided by the certificate for δ-sat. This δ can be set by the user based on the intended tolerance of errors of the system. Thus, a δ-complete solver can be directly used.
For invariant validation, a proposed invariant Inv can prove safety if the sentence ϕ := ∀x, x′ ((Init(x) → Inv(x)) ∧ (Inv(x) ∧ Trans(x, x′) → Inv(x′)) ∧ (Inv(x) → ¬U(x))) is true. We then use a δ-complete solver on ¬ϕ, which is existential. When unsat is returned, Inv is indeed an inductive invariant proving safety. When δ-sat is returned, either Inv is not an inductive invariant, or under a small numerical perturbation, Inv would violate the inductive conditions.
Theorem Proving. For theorem proving, one-sided errors are not directly useful since no robustness problem is involved. We can still approach a statement ϕ by making δ-decisions on ¬ϕ, and refine δ when needed. Starting from any δ, whenever unsat is returned, ϕ is proved; when δ-sat is returned, we can try a smaller δ. This reflects the common practice in proving these statements.

Conclusion
We introduced the notion of "δ-complete decision procedures" for solving SMT problems over real numbers. Our aim is to provide a general framework for solving a wide range of nonlinear functions including transcendental functions and solutions of Lipschitz-continuous ODEs. δ-Completeness serves as a replacement for the conventional completeness requirement on exact solvers, which is impossible to satisfy in this domain. We proved the existence of δ-complete decision procedures for bounded SMT over reals with Type 2 computable functions and showed the complexity of the problem. We use δ-completeness as the standard correctness requirement on numerically-driven decision procedures, and formally analyzed the solving framework DPLL ICP. We proved sufficient and necessary conditions for its δ-completeness. We believe our results serve as a foundation for the development of scalable numerically-driven decision procedures and their application in formal verification and theorem proving.