# Analysing Supervised Learning Models With Imandra

Two of the most common tasks within supervised learning (and machine learning more generally) are classification and regression. In this notebook we show how two of the most common kinds of model used to perform this task, neural networks and random forests, can be analysed using Imandra. For each task we use a common real-world benchmark dataset from the UCI Machine Learning Repository. We'll mostly be working with reals in this notebook so we'll start by installing a pretty printer so that we're not overrun with digits.

In [24]:
let pp_approx fmt r =
 CCFormat.fprintf fmt "%s" (Real.to_string_approx r) [@@program]

#install_printer pp_approx

val pp_approx : CCFormat.t -> Q.t -> unit = <fun>


## Classification

In a classification task we want to learn to predict the label of a datapoint based on previous data. In the classic [Wisconsin Breast Cancer (Diagnostic) dataset](https://archive.ics.uci.edu/ml/datasets/Breast+Cancer+Wisconsin+(Diagnostic)) the task is to predict whether the cancer is benign or malignant based on the features of cell nuclei. In the dataset we have the following variables:

```
1. ID number
2. Diagnosis (malignant or benign)
3-32. Real values for the mean, standard error, and the 'worst' value for each cell nucleus's:
      a) Radius (mean of distances from center to points on the perimeter)
      b) Texture (standard deviation of gray-scale values)
      c) Perimeter
      d) Area
      e) Smoothness (local variation in radius lengths)
      f) Compactness (perimeter^2 / area - 1.0)
      g) Concavity (severity of concave portions of the contour)
      h) Concave points (number of concave portions of the contour)
      i) Symmetry 
      j) Fractal dimension ("coastline approximation" - 1)
```

As is standard practice we pre-process the data before learning.

We then split the data into training (80%) and test (20%) sets and use Scikit-Learn to learn a random forest of 5 decision trees. Each tree is then converted to IML using a short Python script and can be reasoned about using Imandra.

## Regression

In a regression task we want to learn to predict the value(s) of some variable(s) based on previous data. In the commonly used [Forest Fires dataset](https://archive.ics.uci.edu/ml/datasets/forest+fires) the aim is to predict the area burned by forest fires, in the northeast region of Portugal, by using meteorological and other data. This is a fairly difficult task and while the neural network below doesn't achieve state-of-the-art performance, it's enough to demonstrate how we can analyse relatively simple models in Imandra. In the dataset we have the following variables:

```
1. X-axis spatial coordinate within the Montesinho park map
2. Y-axis spatial coordinate within the Montesinho park map
3. Month of the year
4. Day of the week
5. FFMC index from the FWI system
6. DMC index from the FWI system
7. DC index from the FWI system
8. ISI index from the FWI system
9. Temperature in degrees Celsius
10. Relative humidity in %
11. Wind speed in km/h
12. Outside rain in mm/m2
13. The burned area of the forest in ha
```

We again pre-process the data before learning by transforming the month and day variables into a numerical value and applying a `sin` transformation (so similar times are close in value), removing outliers and applying an approximate log transformation to the area variable (as recommended in the dataset description), scaling each variable to lie between 0 and 1, and shuffling. We then split the data into training (80%) and test (20%) sets and use Keras to learn a simple feed-forward neural network with one (6 neuron) hidden layer, ReLU activation functions, and stochastic gradient descent to optimise the mean squared error. After saving our model as an `.h5` file we use a short script to extract the network into an IML file and reason about it using Imandra.

In [23]:
let relu x = Real.(if x > 0.0 then x else 0.0);;

let linear x = Real.(x)

let layer_0 (x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10, x_11) = let open Real in
let y_0 = relu @@ (0.29736)*x_0 + (-0.03284)*x_1 + (0.33764)*x_2 + (0.31006)*x_3 + (0.38830)*x_4 + (-0.11433)*x_5 + (-0.22615)*x_6 + (0.30568)*x_7 + (0.24738)*x_8 + (-0.27070)*x_9 + (-0.32861)*x_10 + (-0.04558)*x_11 + -0.11147 in
let y_1 = relu @@ (0.46853)*x_0 + (0.00982)*x_1 + (0.07668)*x_2 + (0.13228)*x_3 + (-0.26862)*x_4 + (-0.24804)*x_5 + (-0.23180)*x_6 + (0.00997)*x_7 + (0.41881)*x_8 + (-0.13255)*x_9 + (0.23491)*x_10 + (0.01547)*x_11 + 0.02454 in
let y_2 = relu @@ (-0.12470)*x_0 + (0.21374)*x_1 + (-0.00985)*x_2 + (0.29477)*x_3 + (-0.16725)*x_4 + (0.49801)*x_5 + (0.18420)*x_6 + (0.27119)*x_7 + (0.03552)*x_8 + (-0.44214)*x_9 + (-0.21708)*x_10 + (-0.24895)*x_11 + -0.09070 in
let y_3 = relu @@ (-0.11102)*x_0 + (0.31046)*x_1 + (-0.17888)*x_2 + (-0.47995)*x_3 + (0.32406)*x_4 + (-0.43446)*x_5 + (0.12602)*x_6 + (-0.28886)*x_7 + (0.25140)*x_8 + (-0.58971)*x_9 + (-0.50674)*x_10 + (-0.10969)*x_11 + -0.17643 in
let y_4 = relu @@ (-0.07817)*x_0 + (0.22493)*x_1 + (-0.19861)*x_2 + (-0.53939)*x_3 + (-0.28887)*x_4 + (-0.26368)*x_5 + (-0.30336)*x_6 + (0.21727)*x_7 + (-0.27373)*x_8 + (-0.39930)*x_9 + (-0.56700)*x_10 + (-0.15258)*x_11 + 0.00000 in
let y_5 = relu @@ (-0.18358)*x_0 + (-0.21640)*x_1 + (0.05054)*x_2 + (0.11789)*x_3 + (-0.07178)*x_4 + (0.17706)*x_5 + (-0.32810)*x_6 + (-0.40519)*x_7 + (-0.39900)*x_8 + (0.43551)*x_9 + (-0.00760)*x_10 + (0.17371)*x_11 + -0.14378 in
(y_0, y_1, y_2, y_3, y_4, y_5);;

let layer_1 (x_0, x_1, x_2, x_3, x_4, x_5) = let open Real in
let y_0 = linear @@ (-0.45929)*x_0 + (0.53751)*x_1 + (0.50732)*x_2 + (-0.85146)*x_3 + (0.87902)*x_4 + (-0.57863)*x_5 + 0.33179 in
(y_0);;

let nn (x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10, x_11) = let open Real in 
(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10, x_11)
|> layer_0
|> layer_1
;;

val relu : real -> real = <fun>
val linear : 'a -> 'a = <fun>
val layer_0 :
  real * real * real * real * real * real * real * real * real * real *
  real * real -> real * real * real * real * real * real = <fun>
val layer_1 : real * real * real * real * real * real -> real = <fun>
val nn :
  real * real * real * real * real * real * real * real * real * real *
  real * real -> real = <fun>


Given the description of the dataset above we can create some custom input types in Imandra for our model:

In [5]:
type month = Jan | Feb | Mar | Apr | May | Jun| Jul | Aug | Sep | Oct | Nov | Dec;;
type day = Mon | Tue | Wed | Thu | Fri | Sat | Sun;;
 
type input = {
  x : int;
  y : int;
  month : month;
  day : day;
  ffmc : real;
  dmc : real;
  dc : real;
  isi : real;
  temp : real;
  rh : real;
  wind : real;
  rain : real;
};;

type month =
    Jan
  | Feb
  | Mar
  | Apr
  | May
  | Jun
  | Jul
  | Aug
  | Sep
  | Oct
  | Nov
  | Dec
type day = Mon | Tue | Wed | Thu | Fri | Sat | Sun
type input = {
  x : int;
  y : int;
  month : month;
  day : day;
  ffmc : real;
  dmc : real;
  dc : real;
  isi : real;
  temp : real;
  rh : real;
  wind : real;
  rain : real;
}


However, remember that we pre-processed our data. To make things easier we'll add in a function applying this transform to each input variable. Equally, we'll need to convert back to hectares for our output variable. Here we simply use some minimum and maximum values extracted during our data pre-processing stage. After that we can define a full model which combines these pre/post-processing steps and the network above.

In [6]:
let month_2_num month = let open Real in
if month = Jan then 0.134 else
if month = Feb then 0.500 else
if month = Mar then 1.000 else
if month = Apr then 1.500 else
if month = May then 1.866 else
if month = Jun then 2.000 else
if month = Jul then 1.866 else
if month = Aug then 1.500 else
if month = Sep then 1.000 else
if month = Oct then 0.500 else
if month = Nov then 0.133 else
0.000;;

let day_2_num day = let open Real in
if day = Mon then 0.377 else
if day = Tue then 1.223 else
if day = Wed then 1.901 else
if day = Thu then 1.901 else
if day = Fri then 1.223 else
if day = Sat then 0.377 else
0.000;;

let process_input input = let open Real in
let real_month = month_2_num input.month in
let real_day = day_2_num input.day in
let real_x = Real.of_int(input.x) in
let real_y = Real.of_int(input.y) in
let x_0 =  (real_x     - 1.0)  / (9.0   - 1.0)  in
let x_1 =  (real_y     - 2.0)  / (9.0   - 2.0)  in
let x_2 =  (real_month - 0.0)  / (2.0   - 0.0)  in
let x_3 =  (real_day   - 0.0)  / (1.901 - 0.0)  in
let x_4 =  (input.ffmc - 18.7) / (96.2  - 18.7) in
let x_5 =  (input.dmc  - 1.1)  / (291.3 - 1.1)  in
let x_6 =  (input.dc   - 7.9)  / (860.6 - 7.9)  in
let x_7 =  (input.isi  - 0.0)  / (56.1  - 0.0)  in
let x_8 =  (input.temp - 2.2)  / (33.3  - 2.2)  in
let x_9 =  (input.rh   - 15.0) / (100.0 - 15.0) in
let x_10 =  (input.wind - 0.4) / (9.4   - 0.4)  in
let x_11 = (input.rain - 0.0)  / (6.40  - 0.0)  in
(x_0, x_1, x_2, x_3, x_4, x_5, x_6, x_7, x_8, x_9, x_10, x_11);;

let process_output y_0 = let open Real in
let y = 4.44323 * y_0 in
if y <= 1.0 then (y - 0.00000) * 1.71828 else 
if y <= 2.0 then (y - 0.63212) * 4.67077 else 
if y <= 3.0 then (y - 1.49679) * 12.69648 else 
if y <= 4.0 then (y - 2.44700) * 34.51261 else 
(y - 3.42868) * 93.81501;;
(* if y <= 5.0 then (y - 3.42868) * 93.81501 else 
if y <= 6.0 then (y - 4.42194) * 255.01563 else 
(y - 5.41946) * 693.20436 ;; *)

let model input = input
|> process_input
|> nn
|> process_output;;

val month_2_num : month -> Q.t = <fun>
val day_2_num : day -> Q.t = <fun>
val process_input :
  input ->
  real * real * real * real * real * real * real * real * real * real *
  real * real = <fun>
val process_output : real -> real = <fun>
val model : input -> real = <fun>


As our model is fully executable we can both query it as well as find counterexamples, prove properties, apply logical side-conditions to the input, decompose its regions, and more. As a quick sanity check to make sure everything is working, let's run a datum from our dataset through the model. In particular, we'll input  `x = (8, 6, Aug, Sat, 93.7, 231.1, 715.1, 8.4, 26.9, 31.0, 3.6, 0.0)` which has an area of `y = 4.96` hectares in the data.

In [7]:
let x = {
  x = 8;
  y = 6;
  month = Aug;
  day = Sat;
  ffmc = 93.7;
  dmc = 231.1;
  dc = 715.1;
  isi = 8.4;
  temp = 26.9;
  rh = 31.0;
  wind = 3.6;
  rain = 0.0;};;
  
let y = model x;;

val x : input =
  {x = 8; y = 6; month = Aug; day = Sat; ffmc = 93.7; dmc = 231.1;
   dc = 715.1; isi = 8.4; temp = 26.9; rh = 31.; wind = 3.6; rain = 0.}
val y : real = 3.85719795238


Our answer is both similar to the recorded datapoint value and also to the value we get from our original Keras model, `3.85708846888`. The small disparity here is due to our rounding the weight values in our network to 5 decimal places when we extracted them to IML, though it wasn't necessary to do so. Now we'll use Imandra to generate an example for us with some particular side conditions.

In [14]:
instance (fun x -> model x >. 50.0 && x.temp = 20.0 && x.month = May);;

- : input -> bool = <fun>
module CX : sig val x : input end


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.036s
details,"Expandsmt_statsnum checks1arith assert lower46arith pivots20rlimit count21728mk clause81datatype occurs check7mk bool var150arith assert upper44datatype splits4decisions72arith add rows151arith bound prop3propagations94conflicts9arith fixed eqs10datatype accessor ax10arith conflicts2arith assert diseq4datatype constructor ax7num allocs1362230817final checks1added eqs92del clause23arith eq adapter33memory19.270000max memory27.850000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-754260cd-f592-4754-9287-6ed7e7b7b0aa';  fold.hydrate(target); });"

0,1
smt_stats,num checks1arith assert lower46arith pivots20rlimit count21728mk clause81datatype occurs check7mk bool var150arith assert upper44datatype splits4decisions72arith add rows151arith bound prop3propagations94conflicts9arith fixed eqs10datatype accessor ax10arith conflicts2arith assert diseq4datatype constructor ax7num allocs1362230817final checks1added eqs92del clause23arith eq adapter33memory19.270000max memory27.850000

0,1
num checks,1.0
arith assert lower,46.0
arith pivots,20.0
rlimit count,21728.0
mk clause,81.0
datatype occurs check,7.0
mk bool var,150.0
arith assert upper,44.0
datatype splits,4.0
decisions,72.0

0,1
into,(not  (<=.  (if <=.  (+.  (+.  (+.  (+.  (+.  (*. -20407311067/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 3717/100000 (Real.of_int :var_0:.x))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))  23704241183297452571/127754212462947000000  then 0  else  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. -23704241183297452571/127754212462947000000  (*. 3717/100000 (Real.of_int :var_0:.x)))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))))  (*. 23882805573/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 46853/800000 (Real.of_int :var_0:.x))  (*. 491/350000 (Real.of_int :var_0:.y)))  (*. 1917/50000  (if :var_0:.month = Jan then 67/500  else if :var_0:.month = Feb then 1/2 else …)))  …)  …)  …)  …)  …)  …)  …)  …)  …)  -36781692621283221809/2555084249258940000000  then 0 else …)))  …)  …)  …)  …)  -4742192817/10000000000  then … else …)  50)  && …) && …
expansions,[]
rewrite_steps,
forward_chaining,


In [15]:
CX.x;;

- : input =
{x = 6906; y = 0; month = May; day = Tue; ffmc = 21214.8098752;
 dmc = -95978.2792636; dc = 0.; isi = -44180.5316266; temp = 20.;
 rh = 157957.487559; wind = -2980.58726417; rain = -32938.7738407}


This looks a bit funny however; notice how the unspecified input variables are unbounded. In general we might only care about the performance of our model when some reasonable bounds are placed on the input. For example, we can't have a negative windspeed, or a percentage humidity higher than 100. Using the description of each variable in the data (plus some reasonable assumptions about Portugal's climate) we can form the following condition describing valid inputs to the network.

In [16]:
let is_valid input = if 
    0 <= input.x && input.x <= 9 &&
    0 <= input.y && input.y <= 9 &&
    0.0 <=. input.ffmc && input.ffmc <=. 99.0 &&
    0.0 <=. input.dmc && input.dmc <=. 500.0 &&
    0.0 <=. input.dc && input.dc <=. 1000.0 &&
    0.0 <=. input.isi && input.isi <=. 100.0 &&
    0.0 <=. input.temp && input.temp <=. 40.0 &&
    0.0 <=. input.rh && input.rh <=. 100.0 &&
    0.0 <=. input.wind && input.wind <=. 15.0 &&
    0.0 <=. input.rain && input.rain <=. 15.0
    then true else false;;
    
instance (fun x -> model x >. 50.0 && x.temp = 20.0 && x.month = May && is_valid x)

val is_valid : input -> bool = <fun>
- : input -> bool = <fun>
module CX : sig val x : input end


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.826s
details,"Expandsmt_statsarith offset eqs10num checks1arith assert lower204arith pivots450rlimit count1109042mk clause256datatype occurs check9mk bool var445arith assert upper227datatype splits10decisions240arith add rows5618arith bound prop17propagations885interface eqs1conflicts75arith fixed eqs70datatype accessor ax11minimized lits50arith conflicts32arith assert diseq52datatype constructor ax19num allocs1456477920final checks2added eqs574del clause114arith eq adapter185memory23.050000max memory27.850000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-614b6135-881c-4011-b6a6-e41f4207870a';  fold.hydrate(target); });"

0,1
smt_stats,arith offset eqs10num checks1arith assert lower204arith pivots450rlimit count1109042mk clause256datatype occurs check9mk bool var445arith assert upper227datatype splits10decisions240arith add rows5618arith bound prop17propagations885interface eqs1conflicts75arith fixed eqs70datatype accessor ax11minimized lits50arith conflicts32arith assert diseq52datatype constructor ax19num allocs1456477920final checks2added eqs574del clause114arith eq adapter185memory23.050000max memory27.850000

0,1
arith offset eqs,10.0
num checks,1.0
arith assert lower,204.0
arith pivots,450.0
rlimit count,1109042.0
mk clause,256.0
datatype occurs check,9.0
mk bool var,445.0
arith assert upper,227.0
datatype splits,10.0

0,1
into,(((((((((((((((((((((not  (<=.  (if <=.  (+.  (+.  (+.  (+.  (+.  (*. -20407311067/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (*. 3717/100000  (Real.of_int :var_0:.x))  (*. -821/175000  (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan  then 67/500  else  if :var_0:.month = Feb  then 1/2  else  if :var_0:.month = Mar then 1  else  if :var_0:.month = Apr  then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon  then 377/1000  else  if :var_0:.day = Tue  then 1223/1000  else  if :var_0:.day = Wed  then 1901/1000  else  if :var_0:.day = Thu  then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))  23704241183297452571/127754212462947000000  then 0  else  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  -23704241183297452571/127754212462947000000  (*. 3717/100000  (Real.of_int :var_0:.x)))  (*. -821/175000  (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan  then 67/500  else  if :var_0:.month = Feb  then 1/2  else  if :var_0:.month = Mar then 1  else  if :var_0:.month = Apr  then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon  then 377/1000  else  if :var_0:.day = Tue  then 1223/1000  else  if :var_0:.day = Wed  then 1901/1000  else  if :var_0:.day = Thu  then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))))  (*. 23882805573/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (*. 46853/800000  (Real.of_int :var_0:.x))  (*. 491/350000  (Real.of_int :var_0:.y)))  (*. 1917/50000  (if :var_0:.month = Jan  then 67/500  else  if :var_0:.month = Feb  then 1/2 else …)))  …)  …)  …)  …)  …)  …)  …)  …)  …)  -36781692621283221809/2555084249258940000000  then 0 else …)))  …)  …)  …)  …)  -4742192817/10000000000  then … else …)  50)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …)  && …) && …
expansions,[]
rewrite_steps,
forward_chaining,


In [17]:
CX.x;;

- : input =
{x = 9; y = 9; month = May; day = Sun; ffmc = 0.443546818466;
 dmc = 55.6366042417; dc = 5.7199236673; isi = 100.; temp = 20.; rh = 0.;
 wind = 0.0219874941974; rain = 0.0147957129013}


These constraints mean it is slightly harder for Imandra to find a particular instance satisfying our original demand, but nonetheless it's possible. Now let's try something a bit more interesting. First of all let's check for one desirable property of the model, namely that it never outputs a negative area as a prediction.

In [18]:
verify (fun x ->  is_valid x ==> model x >=. 0.0)

- : input -> bool = <fun>
module CX : sig val x : input end


0,1
ground_instances,0
definitions,0
inductions,0
search_time,0.094s
details,"Expandsmt_statsnum checks1arith assert lower30arith pivots20rlimit count42521mk clause75datatype occurs check48mk bool var160arith gcd tests8arith assert upper27datatype splits4decisions101arith add rows183propagations135arith patches3conflicts6arith fixed eqs2datatype accessor ax18arith conflicts1arith assert diseq1datatype constructor ax7num allocs1643371239final checks4added eqs48del clause3arith ineq splits2arith eq adapter14memory17.680000max memory27.850000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-daff9c69-a8d1-41aa-b56c-05571a373b65';  fold.hydrate(target); });"

0,1
smt_stats,num checks1arith assert lower30arith pivots20rlimit count42521mk clause75datatype occurs check48mk bool var160arith gcd tests8arith assert upper27datatype splits4decisions101arith add rows183propagations135arith patches3conflicts6arith fixed eqs2datatype accessor ax18arith conflicts1arith assert diseq1datatype constructor ax7num allocs1643371239final checks4added eqs48del clause3arith ineq splits2arith eq adapter14memory17.680000max memory27.850000

0,1
num checks,1.0
arith assert lower,30.0
arith pivots,20.0
rlimit count,42521.0
mk clause,75.0
datatype occurs check,48.0
mk bool var,160.0
arith gcd tests,8.0
arith assert upper,27.0
datatype splits,4.0

0,1
into,not (((((((((((((((((((0 <= :var_0:.x && :var_0:.x <= 9) && 0 <= :var_0:.y)  && :var_0:.y <= 9)  && <=. 0 :var_0:.ffmc)  && <=. :var_0:.ffmc 99)  && <=. 0 :var_0:.dmc)  && <=. :var_0:.dmc 500)  && <=. 0 :var_0:.dc)  && <=. :var_0:.dc 1000)  && <=. 0 :var_0:.isi)  && <=. :var_0:.isi 100)  && <=. 0 :var_0:.temp)  && <=. :var_0:.temp 40)  && <=. 0 :var_0:.rh)  && <=. :var_0:.rh 100)  && <=. 0 :var_0:.wind)  && <=. :var_0:.wind 15)  && <=. 0 :var_0:.rain)  && <=. :var_0:.rain 15) || >=.  (if <=.  (+.  (+.  (+.  (+.  (+.  (*. -20407311067/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 3717/100000 (Real.of_int :var_0:.x))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))  23704241183297452571/127754212462947000000  then 0  else  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. -23704241183297452571/127754212462947000000  (*. 3717/100000 (Real.of_int :var_0:.x)))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))))  (*. 23882805573/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 46853/800000 (Real.of_int :var_0:.x))  (*. 491/350000 (Real.of_int :var_0:.y)))  (*. 1917/50000  (if :var_0:.month = Jan then 67/500  else if :var_0:.month = Feb then 1/2 else …)))  …)  …)  …)  …)  …)  …)  …)  …)  …)  -36781692621283221809/2555084249258940000000  then 0 else …)))  …)  …)  …)  …)  -4742192817/10000000000  then … else …)  0
expansions,[]
rewrite_steps,
forward_chaining,


So it seems our model might be a bit noisy in terms of its predictions. As counterexamples are first class objects we can run them back through the model and check the output.

In [19]:
model CX.x

- : real = -0.07825771616


This value is indeed negative. Perhaps we're being too demanding though, let's try the same thing again but with a greater tolerance.

In [21]:
verify (fun x -> is_valid x ==> model x >=. (-5.0));;

- : input -> bool = <fun>


0,1
ground_instances,0
definitions,0
inductions,0
search_time,2.235s
details,"Expandsmt_statsarith offset eqs8num checks1arith assert lower422arith pivots1030rlimit count2868726mk clause610mk bool var588restarts1arith assert upper332datatype splits49decisions507arith add rows11109arith bound prop24propagations1951conflicts117arith fixed eqs89datatype accessor ax18minimized lits90arith conflicts58arith assert diseq112datatype constructor ax9num allocs2046984061added eqs671del clause386arith eq adapter262memory18.560000max memory27.850000 require(['nbextensions/nbimandra/fold'], function (fold) {  var target = '#fold-ce084dec-38ea-4ade-9f39-a15adaf575bc';  fold.hydrate(target); });"

0,1
smt_stats,arith offset eqs8num checks1arith assert lower422arith pivots1030rlimit count2868726mk clause610mk bool var588restarts1arith assert upper332datatype splits49decisions507arith add rows11109arith bound prop24propagations1951conflicts117arith fixed eqs89datatype accessor ax18minimized lits90arith conflicts58arith assert diseq112datatype constructor ax9num allocs2046984061added eqs671del clause386arith eq adapter262memory18.560000max memory27.850000

0,1
arith offset eqs,8.0
num checks,1.0
arith assert lower,422.0
arith pivots,1030.0
rlimit count,2868726.0
mk clause,610.0
mk bool var,588.0
restarts,1.0
arith assert upper,332.0
datatype splits,49.0

0,1
into,not (((((((((((((((((((0 <= :var_0:.x && :var_0:.x <= 9) && 0 <= :var_0:.y)  && :var_0:.y <= 9)  && <=. 0 :var_0:.ffmc)  && <=. :var_0:.ffmc 99)  && <=. 0 :var_0:.dmc)  && <=. :var_0:.dmc 500)  && <=. 0 :var_0:.dc)  && <=. :var_0:.dc 1000)  && <=. 0 :var_0:.isi)  && <=. :var_0:.isi 100)  && <=. 0 :var_0:.temp)  && <=. :var_0:.temp 40)  && <=. 0 :var_0:.rh)  && <=. :var_0:.rh 100)  && <=. 0 :var_0:.wind)  && <=. :var_0:.wind 15)  && <=. 0 :var_0:.rain)  && <=. :var_0:.rain 15) || >=.  (if <=.  (+.  (+.  (+.  (+.  (+.  (*. -20407311067/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 3717/100000 (Real.of_int :var_0:.x))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))  23704241183297452571/127754212462947000000  then 0  else  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. -23704241183297452571/127754212462947000000  (*. 3717/100000 (Real.of_int :var_0:.x)))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  (*. 3883/775000 :var_0:.ffmc))  (*. -11433/29020000 :var_0:.dmc))  (*. -4523/17054000 :var_0:.dc))  (*. 3821/701250 :var_0:.isi))  (*. 12369/1555000 :var_0:.temp))  (*. -2707/850000 :var_0:.rh))  (*. -32861/900000 :var_0:.wind))  (*. -2279/320000 :var_0:.rain))))  (*. 23882805573/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 46853/800000 (Real.of_int :var_0:.x))  (*. 491/350000 (Real.of_int :var_0:.y)))  (*. 1917/50000  (if :var_0:.month = Jan then 67/500  else if :var_0:.month = Feb then 1/2 else …)))  …)  …)  …)  …)  …)  …)  …)  …)  …)  -36781692621283221809/2555084249258940000000  then 0 else …)))  …)  …)  …)  …)  -4742192817/10000000000  then … else …)  -5
expansions,[]
rewrite_steps,
forward_chaining,


Now let's test a hypothesis. All other things remaining equal, we would assume that the higher the temperature and the less rain, the larger the area that would be burned. Due to the imperfections of our model (because of limited data, stochasticity in training, the complicated patterns present in natural physical phenomena, and so on) this assertion is in fact easily falsifiable by Imandra. Let's restrict our setting in a sensible way to see if we can prove something slightly weaker:

* There is very little data from winter months, and so the model is unlikely to generalise well here
* We'll increase the tolerance in temperature to 10 degrees celsius
* We'll increase the tolerance in rainfall to 7.5 mm/m2
* We'll increase the tolerance in area burned to 20 hectares

In [22]:
let winter month = month = Oct || month = Nov || month = Dec || month = Jan || month = Feb;;

verify (fun x x1 x2 -> 
is_valid x1 &&
is_valid x2 &&
x1.x = x2.x &&
x1.y = x2.y &&
x1.month = x2.month &&
not (winter x1.month) &&
x1.day = x2.day &&
x1.ffmc = x2.ffmc &&
x1.dmc = x2.dmc &&
x1.dc = x2.dc &&
x1.isi = x2.isi &&
x1.rh = x2.rh &&
x1.wind = x2.wind &&
(x1.rain +. 10.0) <=. x2.rain &&
(x1.temp -. 10.0) >=. x2.temp ==>
(model x1 +. 20.0) >=. model x2);;

val winter : month -> bool = <fun>
- : 'a -> input -> input -> bool = <fun>


0,1
expanded,
blocked,

0,1
ground_instances,0
definitions,0
inductions,0
search_time,59.553s

0,1
into,not ((((((((((((((((((((((((((((((((((((((((((((((((((((0 <= :var_0:.x  && :var_0:.x <= 9)  && 0 <= :var_0:.y)  && :var_0:.y <= 9)  && <=. 0 :var_0:.ffmc)  && <=. :var_0:.ffmc 99)  && <=. 0 :var_0:.dmc)  && <=. :var_0:.dmc 500)  && <=. 0 :var_0:.dc)  && <=. :var_0:.dc 1000)  && <=. 0 :var_0:.isi)  && <=. :var_0:.isi 100)  && <=. 0 :var_0:.temp)  && <=. :var_0:.temp 40)  && <=. 0 :var_0:.rh)  && <=. :var_0:.rh 100)  && <=. 0 :var_0:.wind)  && <=. :var_0:.wind 15)  && <=. 0 :var_0:.rain)  && <=. :var_0:.rain 15)  && 0 <= :var_1:.x)  && :var_1:.x <= 9)  && 0 <= :var_1:.y)  && :var_1:.y <= 9)  && <=. 0 :var_1:.ffmc)  && <=. :var_1:.ffmc 99)  && <=. 0 :var_1:.dmc)  && <=. :var_1:.dmc 500)  && <=. 0 :var_1:.dc)  && <=. :var_1:.dc 1000)  && <=. 0 :var_1:.isi)  && <=. :var_1:.isi 100)  && <=. 0 :var_1:.temp)  && <=. :var_1:.temp 40)  && <=. 0 :var_1:.rh)  && <=. :var_1:.rh 100)  && <=. 0 :var_1:.wind)  && <=. :var_1:.wind 15)  && <=. 0 :var_1:.rain)  && <=. :var_1:.rain 15)  && :var_0:.x = :var_1:.x)  && :var_0:.y = :var_1:.y)  && :var_0:.month = :var_1:.month)  && not  ((((:var_0:.month = Oct || :var_0:.month = Nov)  || :var_0:.month = Dec)  || :var_0:.month = Jan)  || :var_0:.month = Feb))  && :var_0:.day = :var_1:.day)  && :var_0:.ffmc = :var_1:.ffmc)  && :var_0:.dmc = :var_1:.dmc)  && :var_0:.dc = :var_1:.dc)  && :var_0:.isi = :var_1:.isi)  && :var_0:.rh = :var_1:.rh)  && :var_0:.wind = :var_1:.wind)  && <=. :var_0:.rain (+. -10 :var_1:.rain))  && >=. :var_0:.temp (+. 10 :var_1:.temp)) || >=.  (if <=.  (+.  (+.  (+.  (+.  (+.  (*. -20407311067/10000000000  (if <=.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+.  (+. (*. 3717/100000 (Real.of_int :var_0:.x))  (*. -821/175000 (Real.of_int :var_0:.y)))  (*. 8441/50000  (if :var_0:.month = Jan then 67/500  else  if :var_0:.month = Feb then 1/2  else  if :var_0:.month = Mar then 1  else if :var_0:.month = Apr then 3/2 else …)))  (*. 15503/95050  (if :var_0:.day = Mon then 377/1000  else  if :var_0:.day = Tue then 1223/1000  else  if :var_0:.day = Wed then 1901/1000  else if :var_0:.day = Thu then 1901/1000 else …)))  …)  …)  …)  …)  …)  …)  …)  …)  23704241183297452571/127754212462947000000  then 0 else …))  …)  …)  …)  …)  …)  -4742192817/10000000000  then … else …)  …
expansions,[]
rewrite_steps,
forward_chaining,


It should be noted of course that Imandra doesn't know the likelihood of any of the instances or counterexamples it generates. Thus in practice it may be deemed that any counterexamples are sufficiently unlikely that the model is still accurate and safe enough to use. A further safety property we might to wish to prove of our model is robustness; namely that similar inputs should generate similar outputs. Proving this for the whole model in one go is computationally very difficult, but we can instead prove a robustness property for each layer and then chain them together for our final proof.

In [None]:
let abs_dist_input a b =
let (a_0, a_1, a_2, a_3, a_4, a_5, a_6, a_7, a_8, a_9, a_10, a_11) = process_input a in
let (b_0, b_1, b_2, b_3, b_4, b_5, b_6, b_7, b_8, b_9, b_10, b_11) = process_input b in
Real.abs(a_0 -. b_0) +.
Real.abs(a_1 -. b_1) +.
Real.abs(a_2 -. b_2) +.
Real.abs(a_3 -. b_3) +.
Real.abs(a_4 -. b_4) +.
Real.abs(a_5 -. b_5) +.
Real.abs(a_6 -. b_6) +.
Real.abs(a_7 -. b_7) +.
Real.abs(a_8 -. b_8) +.
Real.abs(a_9 -. b_9) +.
Real.abs(a_10 -. b_10) +.
Real.abs(a_11 -. b_11);;

let abs_dist_hidden a b =
let (a_0, a_1, a_2, a_3, a_4, a_5) = a in
let (b_0, b_1, b_2, b_3, b_4, b_5) = b in
Real.abs(a_0 -. b_0) +.
Real.abs(a_1 -. b_1) +.
Real.abs(a_2 -. b_2) +.
Real.abs(a_3 -. b_3) +.
Real.abs(a_4 -. b_4) +.
Real.abs(a_5 -. b_5);;

let abs_dist_output a b =
let a_0 = a in
let b_0 = b in
Real.abs(a_0 -. b_0);;

(* verify (fun a b -> is_valid a && is_valid b ==> (abs_dist_input (process_input a) (process_input b)) <=. 1.0);;
 *)
 
lemma input_hidden a b = abs_dist_input a b <=. 0.5 ==> 
                         abs_dist_hidden (a |> process_input |> layer_0) (b |> process_input |> layer_0) <=. 6.0 [@@auto];;
                         
(* lemma hidden_output a b = abs_dist_hidden a b <=. 6.0 ==> 
                             abs_dist_output (a |> layer_1) (b |> layer_1) <=. 20.0;; *)

(* verify (fun a b -> (is_valid a && is_valid b && abs_dist_input a b <=. 0.5) ==> Real.abs(model a -. model b) <=. 100.0)
 *)


In [13]:
(* Decompose.top ~assuming:"is_valid" "model";; *)



In [67]:
model CX.a;;
model CX.b;;

- : real = 1.71828
- : real = 101.75783726


In [2]:
#config

----------------------------------------------------------------------------
Imandra session configuration
----------------------------------------------------------------------------
 0. Timeout: 60000
 1. Mode: Logic
 2. Allow redefinition: true
 3. Load path: []
 4. Recursion unroll depth: 100
 5. Random testing: false
 6. SAT seed: 0
 7. SMT seed: 0
 8. Solver seed: 0
 9. Eager goal-based GC: false
10. Undo (implicit push): false
11. Console tags: waterfall, suggestions
12. Console color: true
13. Top results: true
14. Interactive hints: true
15. Validate definitions: true
16. Skip proofs: false
17. Max induction depth: 3
18. Induction unroll depth: 10
19. Backchain limit: 100
20. Enable all definitions when unrolling: true
21. Algebraic number approx. precision: 10
22. Reflect approximate models: false
----------------------------------------------------------------------------
