A Verified ODE Solver and the Lorenz Attractor

Because of Isabelle/HOL’s restrictive type system (no dependent types), the abstract concept of vectors is notorious for demanding workarounds. In Isabelle/HOL, one tends to use a type class based encoding. We work with a type class for Euclidean space that fixes an order on the Basis elements and therefore enables operations \({{\textsf {\textit{eucl-of-list}}}}\,:\mathbb {R}\,{{\textsf {\textit{list}}}}\,\rightarrow \alpha \) and \({{\textsf {\textit{list-of-eucl}}}}\,:\alpha \rightarrow \mathbb {R}\,{{\textsf {\textit{list}}}}\,\) if \(\alpha \) is a Euclidean space.

All (finite) vectors of real numbers are instances of the class Euclidean space. This includes real numbers \(\mathbb {R}\), complex numbers \(\mathbb {C}\), tuples \(\alpha \times \beta \) for Euclidean spaces \(\alpha , \beta \), and Harrison-style² [12] vectors \(\alpha ^\iota \) for a finite type \(\iota \).

We motivate bounded continuous functions with the Picard–Lindelöf theorem, which guarantees the existence of a unique solution to an initial value problem. For an ODE f with initial value \(x_0\) at time \(t_0\), a unique solution on the time interval \([t_0, t_1]\) is constructed by considering iterations of the following operator for continuous functions \(\phi : [t_0, t_1] \rightarrow \mathbb {R}^{n}\):From a mathematician’s point of view, P operates on the Banach space of continuous functions on the compact domain \([t_0, t_1]\) and therefore the Banach fixed point theorem guarantees the existence of a unique fixed point (which is by construction the unique solution).

In order to formalize this in Isabelle/HOL, there are two obstructions to overcome: First, the concept of Banach space is a type class in Isabelle/HOL, so we need to introduce a type for the mappings \(\phi : [t_0, t_1] \rightarrow \mathbb {R}^{n}\) from above. But this poses the second problem: functions in Isabelle/HOL are total and types must not depend on term parameters like \(t_0\) and \( t_1\).

We work around these restrictions by introducing a type of bounded continuous functions, which is a Banach space and comprises (with a suitable choice of representations) all continuous functions on all compact domains.In order to define operations on type \(\alpha \rightarrow _{{{\textsf {\textit{bc}}}}\,}\beta \), the Lifting and Transfer package [15] is an essential tool: operations on the plain function type \(\alpha \rightarrow \beta \) are automatically lifted to definitions on the type \(\alpha \rightarrow _{{{\textsf {\textit{bc}}}}\,}\beta \) when supplied with a proof that functions in the result are bounded continuous under the assumption that argument functions are bounded continuous. We write application \(\;\$_{{{\textsf {\textit{bc}}}}\,}\;\) of a bounded continuous function \(f:\alpha \rightarrow _{{{\textsf {\textit{bc}}}}\,}\beta \) to an element \(x:\alpha \) as follows.

Bounded continuous functions form a normed vector space. The norm on \(\alpha \rightarrow _{{{\textsf {\textit{bc}}}}\,}\beta \) is the supremum of the range and the vector space operations \({+}\), \({\cdot }\) are defined pointwise.

The type \(\rightarrow _{{{\textsf {\textit{bc}}}}\,}\) with the above operations forms a complete normed vector space (a Banach space). This allows us to use the Banach fixed point theorem for operators on this type.

In order to be able to use this for the operator P from above, we represent functions on a compact interval [a, b] as an element of type \(\rightarrow _{{{\textsf {\textit{bc}}}}\,}\) by extending the function continuously outside the domain with the help of \({{\textsf {\textit{clamp}}}}\,\):With the help of \({{\textsf {\textit{ext-cont}}}}\,\) we can apply \(P:(\mathbb {R}\rightarrow _{{{\textsf {\textit{bc}}}}\,}\mathbb {R}^{n})\rightarrow (\mathbb {R}\rightarrow _{{{\textsf {\textit{bc}}}}\,}\mathbb {R}^{n})\) to a continuous function \(\phi : \mathbb {R}\rightarrow \mathbb {R}^{n}\) (that is assumed to be continuous on an interval [a, b]) by writing \(P ({{\textsf {\textit{ext-cont}}}}\,_{[t_0, t_1]} \phi )\). According to the Banach fixed point theorem there exists a unique fixed point \(\phi _{bc}:\mathbb {R}\rightarrow _{{{\textsf {\textit{bc}}}}\,}\mathbb {R}^{n}\) where \(P(\phi _{bc}) = \phi _{bc}\) and the unique solution of the initial value problem is the function \(\lambda t.~\phi _{bc} \;\$_{{{\textsf {\textit{bc}}}}\,}\;t\) of type \(\mathbb {R}\rightarrow \mathbb {R}^{n}\).

The usage of the type \(\rightarrow _{{{\textsf {\textit{bc}}}}\,}\) caused minor technical obstructions, but otherwise enabled a natural and abstract proof.

For vector spaces \(\alpha \) and \(\beta \), a linear function is a function \(f : \alpha \rightarrow \beta \) that is compatible with addition and scalar multiplication.Let us assume normed vector spaces \(\alpha \) and \(\beta \). Linear functions are continuous if the norm of the result is linearly bounded by the norm of the argument. We cast bounded linear functions \(\alpha \rightarrow \beta \) as a type \(\alpha \rightarrow _{{{\textsf {\textit{bl}}}}\,}\beta \) in order to make it an instance of Banach space.The construction is very similar to bounded continuous functions and we write bounded linear function application \((f \cdot _{{{\textsf {\textit{bl}}}}\,}x)\). Vector space operations are also analogous to \(\rightarrow _{{{\textsf {\textit{bc}}}}\,}\). The usual choice of a norm for bounded linear functions is the operator norm: the maximum of the image of the bounded linear function on the unit ball. With this norm, \(\alpha \rightarrow _{{{\textsf {\textit{bl}}}}\,}\beta \) forms a normed vector space and we prove that it is Banach if \(\alpha \) is a normed vector space and \(\beta \) is Banach.

Having (bounded) linear functions as a separate type makes many formulations easier. For example, consider Harrison’s formalization of multivariate analysis (from which Isabelle/HOL’s analysis descended). In Harrison’s formalization continuity is formalized for functions f of type \(\mathbb {R}^{n}\rightarrow \mathbb {R}^{m}\).Most of Harrison’s formalization is geared towards viewing derivatives as linear functions of type \(\mathbb {R}^{n} \rightarrow \mathbb {R}^{m}\). For continuously differentiable functions, one therefore needs to reason about functions \(f' : \mathbb {R}^{n} \rightarrow (\mathbb {R}^{n} \rightarrow \mathbb {R}^{m})\), where \(f'~x\) is the derivative of f at a point x. Continuity of \(f'\) is written in an explicit \(\varepsilon \)-\(\delta \) form and involves the operator norm \({{\textsf {\textit{onorm}}}}\,: (\mathbb {R}^{n}\rightarrow \mathbb {R}^{m})\rightarrow \mathbb {R}\), which is quite verbose:The \(\varepsilon \)-\(\delta \) form could of course be captured in a separate definition, but this would be very similar to the definition of continuity and would introduce redundancy.

In the Isabelle/HOL formalization, \({{\textsf {\textit{continuous}}}}\,\) is defined for functions \(f : \alpha \rightarrow \beta \) for topological spaces \(\alpha \) and \(\beta \). If \(\alpha \) and \(\beta \) are normed vector spaces, the above equality for \({{\textsf {\textit{continuous}}}}\,\) holds in Isabelle/HOL, too. And indeed, the norm of bounded linear functions is defined using \({{\textsf {\textit{onorm}}}}\,\) such that \({{\textsf {\textit{onorm}}}}\,(\lambda v.~(f'~x)\cdot _{{{\textsf {\textit{bl}}}}\,}v - (f'~y) \cdot _{{{\textsf {\textit{bl}}}}\,}v) = \Vert f' x - f' y\Vert \) holds. Then, continuity of a derivative \(f' : \alpha \rightarrow (\alpha \rightarrow _{{{\textsf {\textit{bl}}}}\,}\beta )\) can simply be written as \(({{\textsf {\textit{continuous}}}}\,~f'~({{\textsf {\textit{at}}}}\,~x))\), which is a better abstraction to work with and also avoids redundant formalizations for different kinds of continuity.

We consider an autonomous ODE with right hand side f. Under mild assumptions, there exists a solution \(\phi (t)\), which is unique for an initial condition \(x(0) = x_0\) and satisfies the differential equation:To emphasize the dependence on the initial condition, one writes \(\phi (x_0, t)\) for the solution. This solution depending on initial conditions is called the flow of the differential equation:

The flow is only well-defined on the so-called existence interval of the solution, which depends on the initial value.

The flow \(\phi \) and the existence interval \({{\textsf {\textit{ex-ivl}}}}\,\) provide a clean interface to talk about solutions of ODEs. The property of the generic notion of flow makes it possible to easily state composition of solutions and to algebraically reason about them. Flowing from \(x_0\) for time \(s + t\) is equivalent to first flowing for time s, and from there flowing for time t:

For Tucker’s proof, one needs to study how sensitive the flow depends on perturbations of the initial value. We use two main results: One, the flow depends continuously on initial values. Two, if the ODE f is continuously differentiable, then so is the flow. We first take a look at the domain \({\varOmega }= \left\{ (x, t)\mid ~t \in {{\textsf {\textit{ex-ivl}}}}\,(x)\right\} \subseteq X \times T\) of the flow. \((t, x) \in {\varOmega }\) means that we can flow a point starting at x for at least time t. Intuitively, solutions starting close to x can be followed for times that are close to t. In topological parlance, the state space is open.

One can show that solutions deviate at most exponentially fast: \(\exists K.~\Vert \phi (x, t) - \phi (y, t)\Vert < \Vert x - y\Vert e^{K|t|}\) (using Grönwall’s lemma). Therefore, by choosing x and y close enough, one can make the distance of the solutions arbitrarily small. In other words, the flow is a continuous function on the state space:

Continuity states that small deviations in the initial values result in small deviations of the flow. One can be more precise on the way initial deviations propagate. The propagation of initial deviations through the flow (\(\phi _t {:}= \lambda x.~\phi (x, t)\)) can be approximated by a linear function, the derivative \(\mathsf {D}\phi |_{x} \cdot v \approx \phi (x, t) - \phi (x + v, t)\).

We formalize the fact that the derivative of the flow is the solution of a differential equation in the space of bounded linear mappings, the so-called variational equation.

Solving this ODE numerically gives a means to obtain numerical bounds on the derivative, which is the approach that we pursue in our algorithms.

The Poincaré map is an important tool for studying dynamical systems. Whereas the flow describes the evolution of a continuous system with respect to time, it is the Poincaré map that allows us to study the evolution with respect to some space variables. A Poincaré section is a subset \({\varSigma }\) of the state space, which is in general given as an implicit surface \({\varSigma }= \{x \mid s(x) = c\}\) with continuously differentiable s. For Tucker’s proof, one chooses \(s(x, y, z) = z\) and \(c = 27\).

The Poincaré map P(x) is defined as the point where the flow starting from x first hits the Poincaré section \({\varSigma }\). It is defined with the help of the first return time \(\tau (x)\). \(\tau \) depends on the flow \(\phi \) (and therefore on the ODE f) and the Poincaré section \({\varSigma }\), but we keep those dependencies implicit.

Obviously, \(\tau \) is only well-defined for values that actually return to \({\varSigma }\), which we encode in the predicate \({{\textsf {\textit{returns-to}}}}\,\):

The return time can then be used to define the Poincaré map as follows:

It is interesting to note that this way of defining the return time and Poincaré map differs from the usual approach in textbooks. Textbooks study Poincaré maps in a neighborhood around a periodic point \(x \in {\varSigma }\), i.e., \(P(x) = x\). This makes it easy to directly apply the implicit function theorem and transfer continuity and differentiability from the flow to the Poincaré map while guaranteeing that \(\tau \) and P are well-defined. Also, one views P as a mapping on \({\varSigma }\), i.e. \(P : {\varSigma }\rightarrow {\varSigma }\).

Tucker’s proof, however, requires a more flexible notion of Poincaré map and our notion of \(\tau \) is more flexible: it is well-defined also for values outside of \({\varSigma }\). This enables reasoning about intermediate sections: Tucker, e.g., composes a sequence of local Poincaré maps between intermediate sections \({\varSigma }, {\varSigma }_1, \cdots , {\varSigma }_n, {\varSigma }\) in order to get bounds on the global Poincaré map \({\varSigma }\rightarrow {\varSigma }\).

The goal of Tucker’s computations is a sensitivity analysis of the flow of the Lorenz system and of its Poincaré map. Its derivative can be given in terms of the derivative of the flow and the function s defining the implicit surface for \({\varSigma }= \{x \mid s(x) = c\}\).

For a rough intuition, the derivative \(\mathsf {D}P|_{x}\cdot h\) of the Poincaré map is related to the derivative of the flow \(\mathsf {D}\phi |_{(x, \tau (x))}\cdot h\). But it needs to corrected in the direction f(P(x)) in which the flow passes through \({\varSigma }\), because P varies only on \({\varSigma }\) and not through it. This correction factor also depends on the tangent space \(\mathsf {D}s|_{P(x))}\) of the section \({\varSigma }\) at P(x).

As sketched earlier, in order to compute the edges of a zonotope, we need to be able to select a “rightmost” element of a set of vectors. With the transitivity relation presented before, we can obtain a total order on vectors which allows us to do just that: Given a center t and another point s, the orientation predicate tpq can be used to define a total order on points p, q in the half-plane left of ts, i.e., \(p < q\) iff tpq. From Antisymmetry and Nondegeneracy of the ccw system, we get antisymmetry and totality for the order <. Transitivity of the order < follows from the axiom Transitivity of the ccw system and the assumption that all points are in the half-plane left of ts. This ordering is then used to sort the list of generators such that they actually “wrap up” the zonotope.

Up to now, our reasoning was based abstractly on ccw systems, but of course we also want to use the results for a concrete ccw predicate. Well known from analytic geometry is the fact that ccw orientation is given by the sign of the following determinant |pqr|:Points are collinear iff \(|pqr| = 0\). Under the assumption that one works with a finite set of points where no three points are collinear, the following predicate \(pqr^>\) satisfies the axioms of a ccw system.Most axioms can easily be proved using Isabelle/HOL’s rewriting for algebraic structures. Transitivity is slightly more complicated, but can also be solved automatically after a proper instantiation of Cramer’s rule, which is easily proved automatically:

Knuth presented his axioms with a finite set of discrete points in mind, in our case we need to talk about orientation of arbitrary points in a continuous set. We therefore require consistency of the orientation predicate when vector space operations are involved.

One obvious requirement is that orientation is invariant under translation (Fig. 8a). With translation invariance, we can reduce every ccw triple to a triple with 0 as origin, and from there it is easy to state consistency with respect to scaling: If at q, there is a ccw turn to r, then every point on the ray from 0 through q will induce a ccw turn to r (Fig. 8b). Negative scalars can be treated by requiring that reflecting one point at the origin inverts the ccw predicate (Reflection). Furthermore, the addition of vectors q and r, which are both ccw of a line p needs to be ccw of p as well.

The predicate \(pqr^>\) simplifies much of the reasoning, because it satisfies the axioms of a ccw system. It does, however, ignore collinear points and therefore all the points of the zonotope that lie on its edges. In order to also include those into the reasoning, we define the slightly relaxed ccw predicate \(pqr^\ge \), which holds for all points on the line through pq and for all points on the half-plane left of pq.The situation is as follows: \(pqr^\ge \) is the actual specification that we care about. But it does not satisfy the axioms of a ccw system, which makes reasoning very convenient. We therefore first prove the corresponding properties for the ccw system \(pqr^>\). With a simple argument on continuity, the results about \(pqr^>\) carry over to \(pqr^\ge \) and therefore the whole zonotope.

An important insight when verifying algorithms that use rigorous numerical enclosures is the fact that, for correctness, any enclosure of the real quantity suffices. We model this with appropriate nondeterministic specifications.

Autoref is based on a nondeterminism monad \(\alpha ~{{\textsf {\textit{nres}}}}\,\), where programs can either fail or yield a set of values as result.The refinement relation \(\le \) on \({{\textsf {\textit{nres}}}}\,\) has \({{\textsf {\textit{FAIL}}}}\,\) as top element and \({{\textsf {\textit{RES}}}}\,~S \le {{\textsf {\textit{RES}}}}\,~T\) iff \(S \subseteq T\). For deterministic results, we write \({{\textsf {\textit{return}}}}\,~x {:}= {{\textsf {\textit{RES}}}}\,~\{s\}\). We write for specifications \({{\textsf {\textit{spec}}}}\,~P {:}= {{\textsf {\textit{RES}}}}\,\{x.~P~x\}\) the result of all values satisfying the predicate P.

This allows one to specify correctness, e.g, of a program f whose inputs x satisfy the precondition P and every possible value y in its nondeterministic result satisfies the postcondition Q: \(\forall x.~P~x \implies f~x \le {{\textsf {\textit{spec}}}}\,(\lambda y.~Q~y)\).

In this setting, we specify a set of operations that are useful in the context of verifying rigorous numerical algorithms, i.e., algorithms that manipulate enclosures. These operations are best modeled nondeterministically, because one is often only interested in some safe result.

Subdivisions are a means to maintain precision, we therefore have the following abstract specifications for splitting a set (with or without the possibility to perform overapproximations):The following specifications yield some lower/upper bound on the set, not necessarily exact:Depending on the concrete representation of sets, one might not be able to decide certain properties, but only give a positive answer if the precision is sufficient. We therefore have a specification that may guarantee disjointness.As seen in the previous Sect. 4, depending on the data structure, one can not (or does not want to) compute an exact representation for the intersection of sets. These specifications allow one to overapproximate an intersection, while guaranteeing that the result does not exceed one of the arguments:To bridge the gap to concrete numerical computations and the results from Sect. 3, we use a specification for overapproximations of evaluating straight line programs:

In Autoref, specifications in the \({{\textsf {\textit{nres}}}}\,\) monad are transferred to executable constructs in a structured way. Autoref is centered around a collection of so-called transfer rules. Transfer rules relate abstract with concrete operations. A transfer rule involves a transfer relation \(R{:}{:}(\gamma \times \alpha )\,{{\textsf {\textit{set}}}}\,\), which relates a concrete implementation \(c{:}{:}\gamma \) with an abstract element \(a{:}{:}\alpha \) and is of the following form.Transfer rules are used to structurally synthesize concrete algorithms from abstract ones. Relations and relators (which combine relations) are used to express the relationship between concrete and abstract types.

\({{\textsf {\textit{br}}}}\,\) is used to build a relation from an abstraction function \(a{:}{:}\gamma \rightarrow \alpha \) and an invariant I on the concrete type.Natural Relators For the types of functions, products, sets, or data types like lists and \({{\textsf {\textit{nres}}}}\,\), one uses the natural relators \(A \rightarrow _{{\textsf {\textit{r}}}}\,B, A \times _{{\textsf {\textit{r}}}}\,B, \langle A \rangle {{\textsf {\textit{set}}}}\,_{{\textsf {\textit{r}}}}\,, \langle A \rangle {{\textsf {\textit{list-rel}}}}\,, \langle A \rangle {{\textsf {\textit{nres}}}}\,_{{\textsf {\textit{r}}}}\,\) with relations A, B for the argument types.Representing Vectors We represent vectors (an arbitrary type \(\alpha \) of class Euclidean space) as lists of real numbers where the length matches the dimension of the Euclidean space.This way, the concrete algorithm is monomorphic, which has the advantage that it can be generated once and for all and can therefore be used as a stand-alone tool.

Representing Enclosures We provide several implementations for the sets that can be used as enclosures. Intervals are represented by pairs of element types (which, in turn are implemented via some relation A):Zonotopes are represented using the joint range \({{\textsf {\textit{joint-range}}}}\,\) of affine formsWe use a symbolic representation of planes using the data type constructor \({{\textsf {\textit{Sctn}}}}\,\) that keeps normal vector n and translation c of a hyperplane. It is interpreted usingfor the hyperplane itself or for the halfspace below the hyperplane, where \(\langle x, n\rangle \) is the inner product (also called dot product). \(\langle A \rangle {{\textsf {\textit{sctn}}}}\,_{{\textsf {\textit{r}}}}\,\) is the natural relator that allows one to change the representation of the normal vector. With this, we can give a concrete implementation for hyperplanes and half-spaces.For those relations, \({{\textsf {\textit{plane-of}}}}\,\), \({{\textsf {\textit{halfspace}}}}\,\), and \(\cap \) are easily implemented with the identity function or as pair. On the abstract level, they describe useful objects that are convenient to reason about.We will see that in some algorithms, one maintains a collection of enclosures, but abstractly one likes to see them as just one enclosure. For a relation \(A:(\beta \times \alpha \,{{\textsf {\textit{set}}}}\,)\,{{\textsf {\textit{set}}}}\,\) that implements single enclosures for sets of type \(\alpha \) with some concrete representation of type \(\beta \), and a relation \(S:(\sigma \times \beta \,{{\textsf {\textit{set}}}}\,)\,{{\textsf {\textit{set}}}}\,\) that implements sets of concrete elements \(\beta \), we define a relation that represents the union of all those elements as follows:Currently, we use lists to implement the set of concrete representations S, for which we write \(\langle A\rangle {{\textsf {\textit{Union}}}}\,_{{{\textsf {\textit{lr}}}}\,}{:}= \langle {{\textsf {\textit{list-set}}}}\,_{{\textsf {\textit{r}}}}\,, A \rangle {{\textsf {\textit{Union}}}}\,_{{\textsf {\textit{r}}}}\,\), and operations like union or extracting one element (with the specification \({{\textsf {\textit{split-spec}}}}\,_{=}\)) can be implemented with the respective operations on lists/sets:Relations to Guide Heuristics Often, in particular to guide heuristics, an algorithm needs to carry around information, which does not influence correctness proofs. An ODE solver for example, modifies its step size, also based on previous values. An implementation needs to carry this information around, but for verifying the algorithm, this only introduces unnecessary clutter. We therefore introduce a relation that carries more information (implemented via A) in the implementation, but keeps the abstract semantics (implemented via B):Adding information is simply done by using a pair in the implementation side. Semantically, this information is simply discarded (\({{\textsf {\textit{put-info}}}}\,~a~b {:}= b\)). Information can be extracted with \({{\textsf {\textit{get-info}}}}\,\), which is semantically just an arbitrary element (\({{\textsf {\textit{get-info}}}}\,~b {:}= {{\textsf {\textit{spec}}}}\,(\lambda \_.~{{\textsf {\textit{True}}}}\,)\)). The implementations are straightforward:An example of its usage is illustrated later on in Algorithm 1.

Concerning the checking of cone conditions, first note that \(\mathfrak {C}~res\) is an infinite cone, i.e., an unbounded set of vectors. In contrast to that, all of our numerical algorithms are tailored towards bounded enclosures. We therefore perform the computations with the line segment connecting the two tangent vectors with unit length. \({{\textsf {\textit{matrix-segment}}}}\,~x_1~y_1~x_2~y_2~e\) encodes a line segment (parameterized by e) in a matrix (such that it can be used as matrix initial condition DX of \({{\textsf {\textit{poincare}}}}\,\), compare Theorem 13). \({{\textsf {\textit{mat-seg-of-deg}}}}\,\) uses this to define the line segment between the endpoints of unit vectors with given angles u, v to the x axis. A cone can therefore represented with the help of \({{\textsf {\textit{mat-seg-of-deg}}}}\,\):

Algorithm 3 outlines how to check that a single result element \(res \in {{\textsf {\textit{input-data}}}}\,\) represents correct numerical bounds. It works as follows: \(X_0\) is the initial rectangle, \(DX_0\) the initial data for the derivatives, which encodes the associated cone with angles \({{\textsf {\textit{angle}}}}\,^{-}~res\) and \({{\textsf {\textit{angle}}}}\,^{+}~res\). Then the ODE solver returns with a union of return images RES, which are split along the boundaries of the individual rectangles making up N. This splitting ensures that each individual element \((X_i, DX_i)\) resulting from the splitting is contained in exactly on individual element of N. We write singleton parts of the result of this splitting \(X_i, DX_i\). In RET, there are all elements of the \({{\textsf {\textit{input-data}}}}\,\) within which res is specified to return. The final check makes sure that every part \(X_i, DX_i\) of the splitting returns within one element ret of the collection RET. It is defined as follows and precisely formulates that X and DX, which emanate from a result res and hit the result ret, satisfy the prescribed bounds on cones and expansion.\({{\textsf {\textit{check-cone-bounds}}}}\,\) is checked using affine arithmetic: It assumes that \(u_x\) and \(u_y\) are on the line segment encoding a cone according to \({{\textsf {\textit{mat-seg-of-deg}}}}\,\), therefore checks that \(u_z = 0\) and ignores the other entries of the argument matrix. It further checks that the segment is on the right side (\(0 < u_x\)) and that the boundary angles L and U (given in degrees) also represent a cone pointing to the right side. The main purpose is in the last line, the check that the angle of the vector \((u_x, u_y)\) with the horizontal axis is between L and U.Correctness of \({{\textsf {\textit{check-line-c1}}}}\,\) states that the set N(res) is mapped into the part \({{\textsf {\textit{return-of}}}}\,~res\) of the forward invariant set. Vectors in the cone \(\mathfrak {C}(res)\) are mapped by the derivative \(\mathsf {D}P\) into the cone field with the prescribed expansion estimates. The theorem states that the derivative exists and is defined when approaching x within \({\varSigma }_{\le }= \{(x, y, z)\mid z \le 27 \}\).

The theorem follows rather directly from the definition of algorithm 3 and the specifications and definitions of the occurring functions.

We have indeed the theorem that all \({{\textsf {\textit{input-data}}}}\,\) is correct:

We prove formally that under the Assumption 14, Theorem 16 implies Theorems 1 and 2, which is the main result of this article. It follows from combining the individual instances of Theorem 15 in a suitable way.

Theorem 16 is proved by computing \({{\textsf {\textit{check-line-c1}}}}\,(res)\) for every \(res \in {{\textsf {\textit{input-data}}}}\,\). The computations are carried out using by evaluating the statementwith Isabelle/HOL’s evaluation engine \(\texttt {eval}\). \({{\textsf {\textit{Parallel.forall}}}}\,\) results in parallel processing of the 400 individual elements of \({{\textsf {\textit{input-data}}}}\,\). Further parallelism is introduced when enclosures are split during reachability analysis. Split sets can be processed in parallel until they reach the next (intermediate) Poincaré section, where they might be (partially merged) upon resolving the intersection (Sect. 6.5).

Figure 11 shows the plot of an enclosure for the Lorenz attractor resulting from the verified computation. The plot hints at the intermediate Poincaré sections that were manually set up (for some initial rectangles) at about \(z=27\), \(z=30\), \(x=\pm 5\), \(x=\pm 1.5\), \(x=\pm 1\), \(x=\pm 0.75\), \(x=\pm 0.1\), and \(z=0.1\). The black part of Fig. 10 is an enclosure for \(P(N^+)\) resulting from these computations, and it is as expected and verified contained in N.

The timing results of a computation on a machine with 22 cores⁴ are given below:To compare this with Tucker’s C\({++}\) program, I compiled Tucker’s program in a Virtual Machine running Ubuntu 4.20 and gcc version 3.3.4 on a machine with a 2,6 GHz Intel® Core™ i7 CPU and 16 GB RAM. Tucker’s program finished after a total CPU time of 30h and 24min. The algorithms and data structures are very different, so a direct comparison is hard. But with regard to the total CPU time (131 h) of our algorithm, a factor of less than five compared to a C\({++}\) program signifies reasonable performance for a verified algorithm.

In earlier developments [20], an enclosure for the Lorenz attractor was computed with neither derivative nor cones. This earlier version verified an enclosure for the Lorenz attractor in about 7000 CPU hours. With the present version algorithms, such a computation (without derivatives and cones) can be performed in about 3 CPU hours. The speedup compared to the earlier work is mostly due to less aggressive splitting of reachable sets, and a smaller number of intermediate Poincaré sections: In the earlier work [20], intermediate Poincaré sections were introduced heuristically on-the-fly, and in the present work only where they are really effective. This is beneficial, because resolving the intersection incurs overapproximations.