Games and Synthesis. Nir Piterman University of Leicester Telč, July-Autugst 2014

Transcription

1 Games and Synthesis Nir Piterman University of Leicester Telč, July-Autugst 2014 Games and Synthesis, EATCS Young Researchers School, Telč, Summer 2014

2 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Turing Machine A Turing machine is: M = Σ, Q, Δ, q 0, ƅ Where Σ finite set of symbols (alphabet). Q finite set of states. Includes special states acc(ept) and rej(ect). ƅ is a blank symbol (indicating an empty/blank cell). Δ: Q (Σ {ƅ}) (Σ,, Q) with every state and letter (where a could be ƅ) associate new letter, direction, and new state. We assume that acc and rej have no successors! q 0 is an initial state. Interesting questions about Turing machines: Does it accept input x? Does it halt on input x?

3 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Programming A function defines a relation between inputs and outputs.

4 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Doesn t quite work

5 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Computation vs. Reactivity

6 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Reactive Systems Systems whose main aim is to interact rather than compute (OS, driver, CPU, car controller). Main complexity is in maintaining communication with a user / another program / the environment. Reactive systems are notoriously hard to design. Major efforts are invested in development and validation of reactive systems.

7 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background The Requirement Language Correctness of computational programs is expressed as Hoare triples. P C{Q} Correctness of reactive programs is expressed as behavioral specifications: The behavior of a system is a sequence of system states. Specification should tell us when a sequence is good/bad. We use temporal logic: connect states through time.

8 Lecture 1: Introduction and Background Validating Reactive Systems Simulations: Run the system and check whether behavior satisfies specifications. Model checking: Create a comprehensive model of the system and check whether all behaviors satisfy specifications. Model checking research: Automatic construction of models. Predicate extraction. Heap analysis. Counter-example guided abstraction refinement. Techniques for model exploration. Efficient enumerative graph exploration. Symbolic representation of states. Bounded model checking. Specification. Expressive specification languages. Translation to model exploration. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

9 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Synthesis Developing systems is hard, expensive, and error prone. The common solution is extensive testing and verification. If we can verify, why not go directly from specification to correct-by-construction systems by synthesis? Church s synthesis problem: Given a circuit interface specification and a behavioral specification: Determine if there is an automaton that realizes the specification. If the specification is realizable, construct an implementing automaton. Circuit interface partition to inputs and outputs. Behavioral specification description in first order logic.

10 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Synthesis from Temporal Specifications i o 1 t. o 1 t o 2 t t. i t t > t. o 1 t o 2 t t. o 1 t t < t. i t t < t < t. o 1 t o 2 t t. o 2 t t < t. i t t < t < t. o 1 t o 2 t o 2 t. o 1 t t. o 1 t t > t. o 1 t t < t < t. o 2 t t > t. o 2 t t < t < t. o 1 t Is it possible to realize this specification? The formula defines a relation between i: N {0,1} and o 1, o 2 : N {0,1} We want a function.

11 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Causality o 0 ( t. i t ) The relation is not empty. The function needs to be causal! It cannot be clairvoyant. R = { i, o i: N 0,1, o: N 0,1, o 0 t. i t }

12 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Adversarial t. i t o t t. i t t > t. o(t) There are some input sequences for which this is possible. But not all! We want a function that can answer all input sequences. f: i: 0,, n 0,1 n N {0,1} Furthermore, for every i: N {0,1} the unique o: N {0,1} such that o n = f(i 0,,n ) for every n N satisfies the specification.

13 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Brief History Church s problem [1965]. Rabin introduces automata on infinite trees. Effectively, generalizing Büchi s work on ω-automata to trees [1969]. Büchi and Landweber define two-player games of infinite duration [1969]. We now know that the two are effectively the same. These are still the techniques we use to solve the problem.

14 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Modern Times Pnueli introduces linear temporal logic [1977]. Emerson and Clarke and Quielle and Sifakis invent model checking [1981]. Emerson and Clarke and Manna and Wolper ignore adversarial nature and propose reduction to satisfiability [1984]. Pnueli and Rosner establish LTL realizability to be 2EXPTIMEcomplete. This result established realizability and synthesis as highly intractable.

15 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background In these Lectures Synthesis as a game. Simple games (safety, reachability, Büchi). LTL Synthesis reduced to solution of parity games. Bypassing determinization: Safraless approach. Restricting the specification langauge. Practical issues with synthesis: Implication problems. Unrealizability. Building hybrid controllers. Distributed synthesis.

16 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Lectures Outline Introduction Automata and Linear Temporal Logic Games and Synthesis General LTL Synthesis Bypassing Determinization Practical Issues with Synthesis

17 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background A More Formal Context A specification in linear temporal logic over input and output propositions. A system will be an automaton with output. Input and output are combined to create a sequences of assignments to propositions. All possible infinite paths over the automaton should satisfy the specification.

18 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Linear Temporal Logic A set of propositions (Prop) denoting the basic facts about the world. Set Prop is partitioned to inputs I and outputs O. Linear Temporal Logic formulae are constructed as follows: Other temporal formulae are derived: Eventually. Always. Weak Until. Previously. Historically. BackTo.

19 Lecture 1: Introduction and Background LTL Semantics A model for an LTL formula is an infinite sequence σ = σ 0, σ 1, with a designated location j 0. Each letter σ i is a set of propositions true at time i. Formula φ holds over sequence σ in location j 0, denoted, if: If is a proposition σ, j φ φ σ j or ` and and and Derived: Games and Synthesis, EATCS Young Researchers School, Telč, Summer

20 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background LTL Exercises

21 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Automata Systems with discrete states. Formally, A = Σ, Q, δ, q 0, where Σ a finite input alphabet. Q a finite set of states. δ: Q Σ 2 Q a transition function. Associates with state and an input letter a set of successor states. q 0 an initial state. An input word w = σ 0, σ 1, is a sequence of letters from Σ. A run r = q 0, q 1, over w is a sequence of states starting from q 0 such that for every i 0 we have q i+1 δ q i, σ i. An automaton is deterministic if for every q Q and σ Σ we have δ q, σ 1.

22 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Mealy Machines Systems with discrete states. Formally, M = Σ, Δ, Q, δ, q 0, L, where Σ a finite input alphabet. Δ a finite output alphabet. Q a finite set of states. δ: Q Σ 2 Q a transition function. Associates with every state and an input letter a set of successor states. q 0 an initial state. L: Q Σ Δ an output function. Associates with every transition an output letter. A run r = q 0, q 1, over w is a sequence of states starting from q 0 such that for every i 0 we have q i+1 δ q i, σ i. The computation correspoinding to r = q 0, q 1, over w is c = σ 0, L q 0, σ 0, σ 1, L q 1, σ 1,.

23 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Mealy Machines and LTL The set of computations of a machine M = Σ, Δ, Q, δ, q 0, L is denoted L M. Assume Σ = 2 I and Δ = 2 O. So input letters are assignments to input propositions and outputs are assignments to output propositions. A machine M satisfies a formula φ, denoted M φ, if every computation in L(M) satisfies φ. Given an LTL formula φ over propositions Prop = I O we say that φ is realizable if there is a Mealy machine that satisfies it. Our task is going to be to find such a Mealy machine or say that it does not exist. We will mostly be interested in deterministic machines.

24 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 1: Introduction and Background Bibliography 1. Principles of Model Checking (C. Baier and J.-P. Katoen), MIT Press, Model Checking (E. Clarke, O. Grumberg, and D. Peled), MIT Press, Handbook of Model Checking (Eds., E. Clarke, T.A. Henzinger, H. Veith), Springer-Verlag, To appear.

25 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Lectures Outline Introduction Automata and Linear Temporal Logic Games and Synthesis General LTL Synthesis Bypassing Determinization Practical Issues with Synthesis

26 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Realizability So, given a property φ and a partition Prop = I O find a system Msuch that M φ. For every possible input, decide on an output All paths through the machine should satisfy the property.

27 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Arbiter r 1 r 2 g 1 g 2 Arbiter r n g n Client r i g i

28 Lecture 2: Games and Synthesis Games and Synthesis, EATCS Young Researchers School, Telč, Summer Arbiter 2 Propositions Prop = r 1, r 2, g 1, g 2, where I = r 1, r 2 and O = g 1, g 2. Requirements: A 1 : leave requests: r 1! g 1 r 1 (r 2! g 2 r 2 ) G 1 : leave grants: r 1 g 1 g 1 (r 2 g 2 g 2 ) G 2 : mutual exclusion:! g 1! g 2 G 3 : deliver and remove grants: g 1 r 1 g 2 r 2 Or together: A 1 G 1 G 2 G 3

29 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis What s the idea? Think about control: Some things are under our control. Some things are not. We want to exercise our control so that to achieve certain goals. In some cases the environment is hostile. What we want: Find a strategy that will guide our actions based on our view of the world. This leads to viewing the world as an opponent: Exercise control so that uncontrollable events do not lead to damage. We model this as two-player games.

30 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Example: Nim Some rows of matches. Every player removes in turn at least one match from one row. The one to remove last match wins. Can you win?

31 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Whose in Control? We still use graphs with edges for transitions. Ownership is by using two types of nodes.

32 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Environment System A Play

33 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Arbiter r 1 r 2 g 1 g 2 Arbiter r n g n Client r i g i

34 Lecture 2: Games and Synthesis Games and Synthesis, EATCS Young Researchers School, Telč, Summer

35 Lecture 2: Games and Synthesis Games Formally, a game is G = V, V 0, V 1, E, α, where V is a set of nodes. V 0 and V 1 form a partition of V. E V V is a set of edges. A play is π = v 0, v 1, α is a set of winning plays. A strategy for player i is a function f i : V V i V such that v, f i w v E. A play π = v 0, v 1, is compatible with f i if for every j 0 such that v j V i we have v j+1 = f i (v 0 v j ). A strategy for player 0 is winning if every play compatible with it is in α. A strategy for player 1 is winning if every play compatible with it is not in α. A node v is won by player i if she has a winning strategy for all plays starting from v. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

36 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Control Predecessor In control it is easier to walk backwards.

37 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Environment System Game Analysis 6 th 5 th 5 th 5 th 3 rd 4 th 2 nd 3 rd 2 nd 1 st 1 st 1 st 6 th 5 th 4 th 3 rd 2 nd 1 st

38 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Control Predecessor (for P0) Start from an set of nodes W V. We want to say: The system can force the environment to W in one move. That is: Nodes v V 0 for which some successor is in W. Nodes v V 1 for which all successors are in W. Formally: cpre W = v V 0 v W. v, v E {v V 1 v. v, v E v W}

39 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Control Predecessor (for P1) Start from an set of nodes W V. We want to say: The environment can force the system to W in one move. That is: Nodes v V 1 for which some successor is in W. Nodes v V 0 for which all successors are in W. Formally: cpre 1 W = v V 1 v W. v, v E {v V 0 v. v, v E v W}

40 Lecture 2: Games and Synthesis Games and Synthesis, EATCS Young Researchers School, Telč, Summer Let s solve some games!

41 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis ap.. 3 rd 2 nd 1 st!p

42 Lecture 2: Games and Synthesis p r r r r!p!p Games and Synthesis, EATCS Young Researchers School, Telč, Summer

43 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Reachability Games Check that P1 can enforce p. 1. fix (new := p) 2. new := new cpre 1 (new) 3. end // fix Lemma. The algorithm computes the set of states winning for P1 with objective p. Proof. Later. Attr i (W) the set of nodes from which player i can force reaching W.

44 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Safety Games Check that P0 can enforce p. 1. fix (new := p) 2. new := new cpre(new) 3. end // fix Lemma. The algorithm computes the set of states winning for P0 with objective p. Proof. Later.

45 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Safety vs Reachability Games Goals p for P0 and p for P1 are complementary. 1. fix (new := p) 2. new := new cpre(new) 3. end // fix 1. fix (new := p) 2. new := new cpre 1 (new) 3. end // fix

46 Lecture 2: Games and Synthesis r r r r r r Games and Synthesis, EATCS Young Researchers School, Telč, Summer

47 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Büchi Games Check that P0 can enforce p. 1. fix (greatest := V) 2. fix (least := p cpre(greatest) 3. least := least cpre(least); 4. end // fix least 5. greatest := least; 6. end // fix greatest Lemma. The algorithm computes the set of nodes winning for P0 with objective p.

48 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Strategy A strategy is the way of enforcing the goal. Let D be some memory domain and let d 0 be an initial memory value. Elements in the memory domain recall facts about the history of play so far. A strategy for player i is a function f i : V V 0 V such that v, f i w v E. We look to replace V by some (finite) domain D. Then, instead of considering V we could consider D V. The strategy is replaced by two functions: Move function: f i m : D V i V s.t. v, f d, v E. Update function: f i u : D V D.

49 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Safety Games Check that P0 can enforce p. 1. fix (new := p) 2. new := new cpre(new) 3. end // fix

50 Lecture 2: Games and Synthesis Proof Suppose that new is not empty. Consider v new. Clearly, v p. But also v cpre(new). If v V 0, then v has a successor w such that w new. If v V 1, then for every successor w of v we know w new. If there is a strategy s.t. every play compliant with it wins 1. fix (new := p) 2. new := new cpre(new) 3. end // fix p. Let new 0, new 1, new 2, be the series of approximations of new. We prove by induction that for every v winning for P0, v new i for every i. Clearly, v p implies v new 0. Assume every v winning for P0 is in new i for some i. Consider v V 0 winning for P0. Then, there is w such that v, w E and w winning for P0. Then, w in new i and v in new i+1. Consider v V 1 winning for P0. Then, for every w such that v, w E we have w winning for P0. Then, every w such that v, w E is in new i. So v in new i+1. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

51 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Büchi Games Check that P0 can enforce p. 1. fix (greatest := V) 2. fix (least := p cpre(greatest) 3. least := least cpre(least) 4. end // fix least 5. end // fix greatest

52 Lecture 2: Games and Synthesis Proof (Control of Büchi Soundness) Suppose that greatest is not empty. For the fixpoint to terminate, the inner fixpoint starting from this value recomputes it. Let least 0, least 1, least 2, be the sequence of values that least has through the computation of this last iteration. Consider v greatest. Let i 0 be the index such that v least i0. By definition of cpre( ), P0 can force a successor w of v. But then, w least i1 for some i 1 < i 0. This shows that P0 can ensure to reach least 0 = p cpre(greatest). So it ensures a visit p. But now least 0 = p cpre(greatest). So in the next step P0 forces least j for some j and repeat this process. By induction, P0 can enforce p. 1. fix (greatest := V) 2. fix (least := p cpre(greatest) 3. least := least cpre(least); 4. end // fix least 5. greatest := least; 6. end // fix greatest Games and Synthesis, EATCS Young Researchers School, Telč, Summer

53 Lecture 2: Games and Synthesis Proof (Control of Büchi - completeness) If there is a strategy f s.t. every play compliant with it wins p. Every node v from which f is winning remains in every approximation of the fixpoint greatest: From v there is a maximum on the length of paths to reach p (König s lemma). Prove by induction on the number of iterations in the first fixpoint that win greatest. For greatest 0 = V this is clear. Assume win greatest i. Then for every node v win it must be that v least j for the distance to reach p win. 1. fix (greatest := V) 2. fix (least := p cpre(greatest) 3. least := least cpre(least); 4. end // fix least 5. greatest := least; 6. end // fix greatest Games and Synthesis, EATCS Young Researchers School, Telč, Summer

54 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Symbolic vs Enumerative Algorithms so far have treated sets of states. But the proof established a ranking for the winning states the number of steps until reaching the goal. r: V N Can we compute the rank iteratively? A path that visits more than p nodes must be a losing loop. Restrict rank to r: V 0,, p. min rank(w) v V 0 v,w E best v = max rank(w) v V 1 v,w E Rank is stable if: v p and r best v <. v p and r best v < r(v).

55 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Compute Rank Directly 1. r:= λv while ( v. v not stable) 3. if (v p) 4. r(v) := ; 5. else 6. r(v) := best(v)+1; 7. end // while Each v can be increased at most p times. By evaluating loop condition (and best) efficiently, all work can be restricted to O( V E ).

56 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis What about Synthesis? Our goal is to construct a Mealy machine that realizes the specification. A Mealy machine from every state reads input and answers with output. A node in the game corresponding to choice of input will be followed by node corresponding to choice of output. We can define a specialized game with nodes in 2 I O. We can define the winning condition with an LTL formula over I O. A play naturally corresponds to a possible model. For a set of nodes W, define cpre W = {v x 2 I. y 2 O. (x y) W} When computing the set of winning states, check that for every x 2 I there is y 2 O such that x y is winning.

57 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Further Specialize Strategy Let D be some memory domain and let d 0 be an initial memory value. Elements in the memory domain recall facts about the history of play so far. A strategy for player i is a function f V i : 2 I O V 0 2V I such 2 O that. We v, f look i w to v replace E. 2 I O We look to replace V by some (finite) domain D. Then, by some (finite) domain D. Then, instead instead of considering of considering V we could 2 I O consider we could D consider V. D 2 I O. The strategy becomes is replaced f i : by D two 2 I functions: D 2 O Move function: f m i : D V i V s.t. v, f d, v E. Update function: f u i : D V D.

58 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis From Strategy to System Consider a strategy f 0 : D 2 I D 2 O and let d 0 D be the initial memory value. Construct the machine M = Σ, Δ, D, δ, d 0, L with: Σ = 2 I Δ = 2 O δ d, i = f 0 d, i 1 L d, i = f 0 d, i 2 What s the memory domain in the cases we ve seen?

59 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Winning Realizability Consider a run r = q 0, q 1, over w = σ 0, σ 1, and the corresponding computation c = σ 0, L q 0, σ 0, σ 1, L q 1, σ 1, of M. i. For every i 2 I there is o 2 O s.t. (i, o) is winning. ii. By f winning c satisfies the formula. Realizability Winning Take a machine M and use it to construct the winning strategy. A play in the game is a computation of the machine.

60 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Memorize Intermediate Values 1. fix (greatest := V) 2. fix (least := p cpre(greatest) 3. least := least cpre(least) 4. end // fix least 5. end // fix greatest 1. fix (greatest := V) 2. cy 0; 3. fix (least := p cpre(greatest) 4. y[cy]:= least; 5. least := least cpre(least) 6. cy cy + 1; 7. end // fix least 8. end // fix greatest

61 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Construct the Realizing Machine Given G = 2 I O 2 I O 2 I, 2 I O 2 I, 2 I O, E, p. E = i, o, i, o, i, i, o, i, i, o Construct a M = 2 I, 2 O, 2 I O, δ, s 0, L : δ i, o, i = {(i, o ) i, o is winning} i, o p { i, o i, o y[ j]} i, o y[j + 1]

62 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Summary Starting from an LTL formula φ, construct the game G = 2 I O 2 I O 2 I, 2 I O 2 I, 2 I O, E, φ. Compute the set win. If for every i 2 I there is o 2 O such that i, o win then declare φ realizable. Extract from the winning strategy a realizing Machine. But we only know to solve reachability and Büchi games. What about general LTL?

63 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 2: Games and Synthesis Bibliography 1. Infinite Games (R. Mazala), in Automata, Logic, and Infinite- Games (Eds., E. Grädel, W. Thomas, and T. Wilke), Springer- Verlag, Supervisory control of a class of discrete event processes (P. J. Ramadge and W. M. Wonham), SIAM J. Control and Optimization, Vol. 25, No. 1, pp , On the Synthesis of Discrete Controllers for Timed Systems (O. Maler, A. Pnueli, and J. Sifakis), STACS 1995: An O n 2 time algorithm for alternating Büchi games (K. Chatterjee and M. Henzinger), SODA 2012:

64 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Lectures Outline Introduction Automata and Linear Temporal Logic Games and Synthesis General LTL Synthesis Bypassing Determinization Practical Issues with Synthesis

65 Lecture 3: General LTL Synthesis Games and Synthesis, EATCS Young Researchers School, Telč, Summer From Logic to Graphs? How to embed the logical winning condition into the graph notation?

66 Lecture 3: General LTL Synthesis Nondeterministic Büchi Automata Systems with discrete states. Formally, A = Σ, Q, δ, q 0, α, where Σ a finite input alphabet. Q a finite set of states. δ: Q Σ 2 Q a transition function. Associates with state and an input letter a set of successor states. q 0 an initial state. α Q a set of accepting states. An input word w = σ 0, σ 1, is a sequence of letters from Σ. A run r = q 0, q 1, over w is a sequence of states starting from q 0 such that for every i 0 we have q i+1 δ q i, σ i. A run is accepting if for infinitely many i N we have q i α. A word is accepted if some run over it is accepting. The language of A, denoted L A, is the set of words accepted by A. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

67 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis From LTL to Büchi Automata Theorem. Given an LTL formula φ we can construct a nondeterministic Büchi automaton N φ such that L M φ = L φ. The size of N φ is exponential in the length of φ. Intuitively, if sub(φ) is the set of subformulas of φ, a state of N φ corresponds to a set of subformulas that are true (in an accepting run).

68 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Control with Automaton Observer Visit finitely many not-p s p Environment System p!p p

69 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis NBW for p NBW for φ = p: p p, p p

70 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Nondeterminism is bad Environment System p!p p p p, p p

71 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis What went wrong? The automaton is nondeterministic. It makes predictions regarding the future and aborts runs that do not match these predictions. In the context of games nondeterminism is added as choice of one side: If the system resolves nondeterminism, it has to find a solution that matches all possible futures. If the environment resolves nondeterminism, the system must force all runs to be accepting.

72 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Solution: Determinism If the automaton were deterministic, there would be no added choice! We create a synchronous parallel composition of the automaton with the game. Solve the resulting game. Extract system from winning strategy.

73 Lecture 3: General LTL Synthesis Nondeterministic parity Automata Systems with discrete states. Formally, A = Σ, Q, δ, q 0, α, where Σ a finite input alphabet. Q a finite set of states. δ: Q Σ 2 Q a transition function. Associates with state and an input letter a set of successor states. q 0 an initial state. α: Q N a ranking of states. An input word w = σ 0, σ 1, is a sequence of letters from Σ. A run r = q 0, q 1, over w is a sequence of states starting from q 0 such that for every i 0 we have q i+1 δ q i, σ i. A run is accepting if for the minimum rank to occur infinitely often is even. The language of A, denoted L M, is the set of words accepted by A. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

74 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Synchronous Composition of Games Consider a game G = V, V 0, V 1, E, φ and a deterministic (with respect to entire alphabet Σ) automaton A φ = Σ, D, δ, d 0, β. Their synchronous parallel composition (G A φ ) is the game, G = V, V 0, V 1, E, γ where: V = D V a new node holds a game node and an automaton state.. E = d, v, d, v v, v E and d = δ(d, L v ) the transitions of the automaton are updated. γ d, v = β(d) acceptance only considers the acceptance of the automaton. The results is a parity game.

75 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Deterministic Automata Work! Theorem. P0 wins G with winning condition φ iff P0 wins G A φ, where A φ is a deterministic automaton for φ. If P0 wins G all she has to do in G A φ is to use the same strategy. Every play in G A φ corresponds to a play in G and the unique run of A φ that reads this play. But the play satisfies φ, so the run must be accepting. So the play in G A φ is winning for P0 as well. If P0 wins G A φ she can use the states of A φ as (part of) the memory in G. She will then be able to use the winning strategy from G A φ. Now, a play in G corresponds to an accepting run of A φ. But then the play satisfies φ, which means that P0 wins.

76 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Two tiny issues How do we get a deterministic parity automata for LTL? How do we solve a parity games?

77 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Deterministic Automata Well, the answer is simple: construct a nondeterministic automaton and determinize it! Starting from an automaton with n states: Create an automaton with O((n!) 2 ) states and 2n rank. Wolfgang showed one such construction.

78 Lecture 3: General LTL Synthesis Solving parity Games Func main() 1. Return even_parity(0, ); End // Func main Func odd_parity(i, win) 1. fix (least := ) 2. least:= win v α v i} cpre(greatest) 3. if (i!=max) 4. least := even_parity(i+1, least) 5. end // fix least 6. Return least; End // Func odd_parity Func even_parity(i, win) 1. fix (greatest := V) 2. greateast := win v α v = i} cpre(greatest) 3. if (i!=max) 4. greatest := odd_parity(i+1, greatest) 5. end // fix greatest 6. Return greatest; End // Func even_parity Games and Synthesis, EATCS Young Researchers School, Telč, Summer

79 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Proof (Soundness) Suppose that win is not empty. Have the intermediate least fixpoint approximations: least p 0, least p 1, least p 2, for an odd parity p. Consider v win. Let i 1, i 3,, i m be the indices such that v j least ij. By definition of cpre( ), P0 can force a successor w of v. But then, either (a) for some even j we have v α j and w has i 1, i 3,, i m such that for j < j we have i j i j or (b) there is some j such that w has i 1, i 3,, i m, for j < j we have i j = i j, and for j we have i j < i j. Consider an infinite path and what happens to these numbers. There must be an even priority that is reset infinitely often, showing that P0 wins.

80 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Enumerative Again The proof established a ranking for the winning states the odd nodes until an even node. r: V N odd Can we compute the rank iteratively? For odd j a path that visits more than α 1 (j) nodes must be a losing loop. Restrict rank to r: V α 1 1 α 1 m. min rank(w) v V 0 v,w E best v = max rank(w) v V 1 v,w E Rank is stable if: α(v) is even and r best v α v r v. α(v) is odd and r best v < α v r(v).

81 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Compute Rank Directly 1. r:= λv. (0,0,, 0) 2. while ( v. v not stable) 3. r(v) := inc α v (best(v)); 4. end // while Each v can be increased at most V odd times. By evaluating loop condition (and best) efficiently, all work can be restricted to V odd E. By counting better the exponent can be halved.

82 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis To Summarize φ = n Start with a game structure G with winning condition φ. Construct a deterministic automaton A φ for φ. Construct the product G A φ. A φ Solve the game G A φ. Construct a winning strategy for G A φ. α = 2 n Construct from the winning strategy a Mealy machine realizing φ. 2 2O(n2 log n) The problem is 2EXPTIME-complete. Determinization does not scale. More practice required for solution of parity games (Martin?). 2O(n log n) = 2

83 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 3: General LTL Synthesis Bibliography 1. Reasoning About Infinite Computations (M.Y. Vardi and P. Wolper), Information and Computation, Vol. 115, No. 1, pp. 1-37, Simple On-The-Fly Automatic Verification of Linear Temporal Logic (R. Gerth, D. Peled, M.Y. Vardi, and P. Wolper), Protocol Specification, Testing, and Verification 1995: On the Synthesis of a Reactive Module (A. Pnueli and R. Rosner), POPL 1989: Determinization of Büchi-Automata (M. Roggenbach), in Automata, Logic, and Infinite-Games (Eds., E. Grädel, W. Thomas, and T. Wilke), Springer-Verlag, On the Complexity of ω-automata (S. Safra), FOCS 1998, From Nondeterminstic Büchi and Streett Automata to Deterministic Parity Automata (), Logical Methods in Computer Science, Vol. 3, No. 3, pp. e5, Algorithms for Parity Games (H. Klauck), in Automata, Logic, and Infinite-Games (Eds., E. Grädel, W. Thomas, and T. Wilke), Springer-Verlag, 2002.

84 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Lectures Outline Introduction Automata and Linear Temporal Logic Games and Synthesis General LTL Synthesis Bypassing Determinization Practical Issues with Synthesis

85 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Two Ways to Avoid Determinization Replace by counting: Search for bounded strategy. Express winning through universal co-büchi auotmata. Limited determinization through counting. Concentrate on simpler specifications: Both system and environment are Büchi automata. Enforce deterministic specification. State-space exponential. Exponent linear.

86 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization A New Look on Winning Conditions Formally, a game is G = V, V 0, V 1, E, α, where V is a set of nodes. V 0 and V 1 form a partition of V. E V V is a set of edges. A play is π = v 0, v 1, α is a set of winning plays: Safety: α = W ω for some W V. Büchi: α = (V W) ω for some W V. LTL: α = {π V ω π φ}. NBW: α = V, Q, δ, q 0, β, where δ: Q V 2 V and β Q. DPW: α = V, Q, δ, q 0, c, where δ: Q V V and c: Q N. UCW: α = V, Q, δ, q 0, β, where δ: Q V V and β Q.

87 Lecture 4: Bypassing Determinization Universal co-büchi Automata Systems with discrete states. Formally, A = Σ, Q, δ, q 0, α, where Σ a finite input alphabet. Q a finite set of states. δ: Q Σ 2 Q a transition function. Associates with state and an input letter a set of successor states. q 0 an initial state. α Q a set of accepting rejecting states. An input word w = σ 0, σ 1, is a sequence of letters from Σ. A run r = q 0, q 1, over w is a sequence of states starting from q 0 such that for every i 0 we have q i+1 δ q i, σ i. A run is accepting if for infinitely many i N we have q 0 α. A word is accepted if some all runs over it is accepting. The language of A, denoted L A, is the set of words accepted by A. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

88 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization UCW for p UCW for φ = p: p p, p p

89 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization UCW for p UCW for φ = p: p p p p

90 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Runs of UCW on (W.P.B.) Mealy Machines Consider a UCW U φ = 2 I O, Q, δ, q 0, α, where Q = n. Suppose we get a machine M = 2 I, 2 O, S, ρ, s 0, L such that L M L φ, where S = m. We run U on words produced by M. What is the maximum number of visits to α? A word produced by M corresponds to a run r = s 0, s 1, on w = σ 0, σ 1, by taking c = σ 0, L s 0, σ 0, σ 1, L s 1, σ 1,. Let the run of U φ on c be π = q 0, q 1,. Here, q i+1 δ(q i, (σ i, L s i, σ i ). If the number of visits to α is more than n m, there must exists i and j such that q i = q j, s i = s j, and q i α. But then q 0,, (q i,, q j 1 ) ω is a rejecting run of U φ on ω σ 0, L s 0, σ 0,, σ i, L s i, σ i,, σ j 1, L s j 1, σ j 1.

91 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Bounded Runs of UCW A UCW U accepts all computations of M iff for every computation of M every run of U visits at most U M rejecting states. Can t be any other way (as we ve seen). Well The number of visits to rejecting states is finite

92 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Specialized (Bounded) Determinization Follow all runs simultaneously. For each state count the number of visits to rejecting states it has seen so far. If number of visits exceeds maximum abort.

93 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Bounded Determinization Consider a UCW U = Σ, Q, δ, q 0, α. Determinize U for bound m by taking D = Σ, F, ρ, f 0, β, where: F = f: Q 0,, m {, } f 0 q = 0 q = q 0 Otherwise ρ f, σ q = max q q δ q, σ f q q α max q q δ q, σ 1 + f q q α here v. v, m + 1 = and + 1 = β is a safety condition: f F q Q. f q <

94 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Synchronous Composition Consider a game G = V, V 0, V 1, E, φ. Let D φ = Σ, D, δ, d 0, β be the safety automaton constructed from U φ for size m. Their synchronous parallel composition (G D φ ) is the safety game, G = V, V 0, V 1, E, γ where: V = D V a new node holds a game node and an automaton state.. E = d, v, d, v v, v E and d = δ(d, L v ) the transitions of the automaton are updated. γ d, v = β(d) acceptance only considers the acceptance of the automaton.

95 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Deterministic Automata Work (again)! Theorem. If there is a machine of size m realizing φ then P0 wins G D φ, where D φ is the deterministic automaton obtained by bounded determinization for size m. If there is a machine of size m realizing φ then this machine can be used as memory for winning G (with aim φ). All plays in the resulting game satisfy φ. The runs of U φ on them cannot visit more than m rejecting states. Adding the states of D φ alongside does not change their behavior. This is a winning strategy in G D φ.

96 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Deterministic Automata Work (again)! Theorem. If P0 wins G D φ, where D φ is the deterministic automaton obtained by bounded determinization for size m then If there is a machine of size m realizing φ then this machine can be used as memory for winning G (with aim φ). All plays in the resulting game satisfy φ. The runs of U φ on them cannot visit more than m rejecting states. Adding the states of D φ alongside does not change their behavior. This is a winning strategy in G D φ.

97 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Deterministic Automata Work (again)! Theorem. If P0 wins G D φ, where D φ is the deterministic automaton obtained by bounded determinization for size m, then φ is realizable. Use the states of D φ as memory for G with winning condition φ. Every path is accepted by D φ, which implies that it satisfies φ.

98 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Summarize Start from an LTL formula φ. Obtain a UCW U φ for φ. Construct D φ for increasing sizes. If one of the games G D φ is winning for P0 the formula is realizable. Where do I get a UCW U φ for φ? When do I stop?

99 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization From LTL to co-büchi Automata Theorem. Given an LTL formula φ we can construct a universal co-büchi automaton U φ such that L U φ = L φ. The size of U φ is exponential in the length of φ. Construct the nondeterministic Büchi automaton N φ. Think about N φ as a universal co-büchi automaton U φ.

100 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization How far should I go? We had a different solution with deterministic automaton: Theorem. P0 wins G with winning condition φ iff P0 wins G A φ, where A φ is a deterministic automaton for φ. In case that φ is realizable there is a machine realizing it with at most G A φ states. We can use G A φ as the bound (but start searching with smaller bounds ).

101 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Advantages Simple structure of states. Replace the tree structure over sets of states by a function from states to ranks. Determinization is a challenge for implementation. Safety games compared with parity games. Solution of safety games is much simpler. Exact complexity and practical solving of parity games are interesting open problems. Search for small machines first. By increasing the bound gradually we can ensure to find small implementations first (and compute less). Information from failed search for small sizes can be reused for searching for larger sizes. Worst case complexity is as the general technique.

102 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Two Ways to Avoid Determinization Replace by counting: Search for bounded strategy. Express winning through universal co-büchi auotmata. Limited determinization through counting. Concentrate on simpler specifications: Both system and environment are Büchi automata. Enforce deterministic specification. State-space exponential. Exponent linear.

103 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Take Another Look at Machines A machine M = Σ, Δ, Q, δ, q 0, L, where Σ = 2 I a finite input alphabet. Δ = 2 O a finite output alphabet. Q = 2 X a finite set of states. Express as an LTL formula over I O X: q 0 : θ = x 2 I x, L q 0, x δ(q 0, x) δ: Q Σ 2 Q : ρ = q Q,x 2 I q x L(q, x) q δ q,σ q We may want to add some good things happen often enough: i q Gi q Overall: θ ρ i q Gi q

104 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Arbiter r 1 r 2 g 1 g 2 Arbiter r n g n Client r i g i

105 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Variables: I = r 1, r 2 O = {g 1, g 2 } Initially: r 1 r 2 g 1 g 2 Transition: r 1 g 1 r 1 r 2 r 2 r 1 g 1 r 1 r 2 r 2 r 2 g 2 r 2 r 1 r 1 r 2 g 2 r 2 r 1 r 1 g 1 g 2 g 1 r 1 g 2 g 2 g 2 r 2 g 1 g 1 Good things: g 1 = r 1 (g 2 = r 2 ) Translate to LTL

106 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Separate to Assumptions and Guarantees Environment: Initially: r 1 r 2 Transition: r 1 g 1 r 1 r 2 r 2 r 1 g 1 r 1 r 2 r 2 r 2 g 2 r 2 r 1 r 1 r 2 g 2 r 2 r 1 r 1 r 1 r 1 r 2 r 2 System: Initially: g 1 g 2 Transition: g 1 g 2 g 1 r 1 g 2 g 2 g 2 r 2 g 1 g 1 g 1 g 1 g 2 g 2 Good things: g 1 = r 1 (g 2 = r 2 )

107 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization The Goal for Synthesis θ e ρ e θ s ρ s ( i G i ) This still does not look very simple Can we do anything with the bits θ e, θ s, ρ e, and ρ s? θ s can be used to restrict the initial moves of P0: For every initial input there is initial output satisfying θ s ρ s can be used to restrict the transitions of P0. What if we use θ e and ρ e to restrict the moves of P1?

108 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer

109 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer

110 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization What s left? θ e ρ e θ s ρ s ( i G i ) This is slightly more complicated than response. We call it generalized Büchi. Büchi: 1. fix (greatest := V) 2. fix (least := G cpre(greatest) 3. least := least cpre(least); 4. end // fix least 5. greatest := least; 6. end // fix greatest Generalized Büchi: 1. fix (greatest := V) 2. foreach (G i ) 3. fix (least := G i cpre(greatest) 4. least := least cpre(least); 5. end // fix least 6. greatest := least; 7. end // foreach 8. end // fix greatest

111 Lecture 4: Bypassing Determinization Proof (Generalized Büchi Soundness) Suppose that greatest is not empty. For the fixpoint to terminate, for each G i the inner fixpoint fixpoint starting from this value recomputes it. Let least i 0, least i 1, least i 2, be the sequence of values that least has through the computation of this last iteration for G i. Consider v greatest. Let j 0 be the index such that v least i j0. By definition of cpre( ), P0 can force a successor w of v. But then, w least i j1 for some j 1 < j 0. This shows that P0 can ensure to reach least i 0 = G 0 cpre(greatest). So it ensures a visit G i. i But now least 0 = G i cpre(greatest). So next P0 forces least i+1 k, for some k and repeat this process. By induction, P0 can enforce i G i. Generalized Büchi: 1. fix (greatest := V) 2. foreach (G i ) 3. fix (least := G i cpre(greatest) 4. least := least cpre(least); 5. end // fix least 6. greatest := least; 7. end // foreach 8. end // fix greatest Games and Synthesis, EATCS Young Researchers School, Telč, Summer

112 Lecture 4: Bypassing Determinization Proof (Control of Büchi - completeness) If there is a strategy f s.t. every play compliant with it wins i G i. Every node v from which f is winning remains in every approximation of the fixpoint greatest: Consider some G i. From v there is a maximum on the length of paths to reach G i cpre(greatest) (König s lemma). Prove by induction on the number of iterations in the first fixpoint that win greatest. For greatest 0 = V this is clear. Assume win greatest i. Then for every node v win it must be that v least j for the distance to reach G i cpre(win). Generalized Büchi: 1. fix (greatest := V) 2. foreach (G i ) 3. fix (least := G i cpre(greatest) 4. least := least cpre(least); 5. end // fix least 6. greatest := least; 7. end // foreach 8. end // fix greatest Games and Synthesis, EATCS Young Researchers School, Telč, Summer

113 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer

114 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Oops The clients do not release the bus! It s not only the system that has to do good things. The environment has to do good things as well! We need: j A j i G i We call this Generalized Reactivity (1) or GR(1).

115 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Solving GR(1) Games Generalized Reactivity (1): 1. fix (greatestz := V) 2. foreach (G i ) 3. fix (leasty := G i cpre(greatestz)) 4. leasty := leasty cpre(leasty); 5. foreach (A j ) 6. fix (greatestx := V) 7. greatestx := least ( A j cpre(greatestx)) 8. end // fix greatestx 9. leasty := leasty greatestx; 10. end // foreach A 11. end // fix leasty 12. greatestz :=leasty; 13. end // foreach G 14. end // fix greatestz

116 Lecture 4: Bypassing Determinization Proof (Control of GR(1) Soundness) Suppose that greatestz is not empty. For each G i the inner fixpoint starting from greatestz recomputes greatestz. Let leasty 0 i, leasty 1 i, leasty 2 i, be the sequence of values that leasty has during the last iteration. Each leasty k i is equal to the union of greatestx k i,1, greatestx k i,2,, greatestx k i,m. Consider v greatestz. Let k 0 be the minimal index such that i v leasty k0 and let j 0 be the minimal such that v greatestx k0 By definition of cpre, P0 can control to reach in one move i,j greatestx 1 k1 such that either (A) k 1 < k 0 or (B) k 1 = k 0 and j 1 = j 0. In case (B), we know that v A j0. So by playing this strategy, P0 can ensure that either some A is visited finitely often, or reach leasty i 0 cpre(greatestz). By repeating the same for all G i P0 can enforce j A j i G i Games and Synthesis, EATCS Young Researchers School, Telč, Summer end // fix greatestz 123 i,j fix (greatestz := V) 2. foreach (G i ) 3. fix (leasty := G i cpre(greatestz)) 4. leasty :=leasty cpre(leasty); 5. foreach (A j ) 6. fix (greatestx := V) 7. greatestx := least ( A j cpre(greate 8. end // fix greatestx 9. leasty :=leasty greatestx; 10. end // foreach A 11. end // fix leasty 12. greatestz :=leasty; 13. end // foreach G

117 Lecture 4: Bypassing Determinization Proof (Control of GR(1) completeness sketch) If there is a strategy f s.t. every play compliant with it wins j A j i G i Every v from which f is winning remains in every approximation of the fixpoint greatestz: As before, consider some G i. From v there is a maximum on the number of visits to A j before arriving to G i cpre(win) (König s lemma). Prove by induction on the number of iterations in the first fixpoint that win greatestz. For greatestz 0 = V this is clear. Assume win greatestz l. Then for every v win it must be that v leasty k i for some k. 1. fix (greatestz := V) 2. foreach (G i ) 3. fix (leasty := G i cpre(greatestz)) 4. leasty :=leasty cpre(leasty); 5. foreach (A j ) 6. fix (greatestx := V) 7. greatestx := least ( A j cpre(greate 8. end // fix greatestx 9. leasty :=leasty greatestx; 10. end // foreach A 11. end // fix leasty 12. greatestz :=leasty; 13. end // foreach G Games and Synthesis, EATCS Young Researchers School, Telč, Summer end // fix greatestz 124

118 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Ranking (again) The proof established a set of rankings for the winning states the number of assumptions met until reaching the a goal. r i : V (N A j ) Can we compute the rank iteratively? A path that visits more than A j nodes must be a losing loop. Restrict rank to r i : V ( 0,, max A j A j ). min r i (w) v V 0 v,w E best i v = max r i (w) v V 1 v,w E Rank is stable if: v G i and i. r i best i v <. v G i, v A j, r i v = (l, j), and r i best i v v G i, v A j, r i v = (l, j), and r i best i v < r i (v). r i (v).

119 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Compute Rank Directly 1. r i := λv while ( v, i. r i (v) not stable) 3. r i (v) := inc i (best(v)); 4. end // while Each v in each rank can be increased at most V A i times. By evaluating loop condition (and best) efficiently, all work can be restricted to O A i G i V E.

120 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Memorizing Intermediate Values Generalized Reactivity (1): 1. fix (greatestz := V) 2. foreach (G i ) 3. cy:= 0; 4. fix (leasty := G i cpre(greatestz)) 5. leasty := leasty cpre(leasty); 6. foreach (A j ) 7. fix (greatestx := V) 8. greatestx := least ( A j cpre(greatestx)) 9. end // fix greatestx 10. x[g i ][cy][a j ] := greatestx; 11. leasty := leasty greatestx; 12. end // foreach A 13. y[g i ][cy] := leasty; 14. cy:= cy + 1; 15. end // fix leasty 16. greatestz :=leasty; 17. end // foreach G 18. end // fix greatestz

121 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Construct the Realizing Machine θ e ρ e ( j A j ) θ s ρ s ( i G i ) Embed θ e, ρ e, θ s, and ρ s into G = V, V 0, V 1, E, φ, where φ = j A j i G i Set let m = G i and n = A i. Construct a machine M realizing φ: M = 2 I, 2 O, 2 I O 1.. m s 0, ρ, s 0, L : ρ s 0, i = θ s i θ e T i θ e ρ i, o, l, i = (i, o, l 1) i, o G l i, o win (i, o, l) i, o y[g l ][cy] i, o y[g l ][ < cy] (i, o, l) i, o A j i, o x[g l ][cy][a j ] i, o y[g l ][ cy][ A j ]

122 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Optimizing Symbolic Runtime Generalized Reactivity (1): 1. fix (greatestz := V) 2. foreach (G i ) 3. cy:= 0; 4. fix (leasty := G i cpre(greatestz)) 5. leasty := leasty cpre(leasty); 6. foreach (A j ) 7. fix (greatestx :=y[g i ][maxprev]) 8. greatestx := least ( A j cpre(greatestx)) 9. end // fix greatestx 10. x[g i ][cy][a j ] := greatestx; 11. leasty := leasty greatestx; 12. end // foreach A 13. y[g i ][cy] := leasty; 14. cy:= cy + 1; 15. end // fix leasty 16. greatestz :=leasty; 17. end // foreach G 18. end // fix greatestz

123 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Back to the Arbiter Environment: Initially: r 1 r 2 Transition: r 1 g 1 r 1 r 2 r 2 r 1 g 1 r 1 r 2 r 2 r 2 g 2 r 2 r 1 r 1 r 2 g 2 r 2 r 1 r 1 r 1 r 1 r 2 r 2 Good things: r 1 g 1 ( r 2 g 2 ) System: Initially: g 1 g 2 Transition: g 1 g 2 g 1 r 1 g 2 g 2 g 2 r 2 g 1 g 1 g 1 g 1 g 2 g 2 Good things: g 1 = r 1 (g 2 = r 2 )

124 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Result of Synthesis r 1 :0,r 2 :0,g 1 :0,g 2 :0 r 1 :0,r 2 :0,g 1 :0,g 2 :0 r 1 :0,r 2 :1,g 1 :0,g 2 :0 r 1 :0,r 2 :1,g 1 :0,g 2 :1 r 1 :0,r 2 :0,g 1 :0,g 2 :1 r 1 :1,r 2 :0,g 1 :0,g 2 :0 r 1 :1,r 2 :1,g 1 :0,g 2 :0 r 1 :1,r 2 :1,g 1 :0,g 2 :0 r 1 :1,r 2 :1,g 1 :0,g 2 :1 r 1 :1,r 2 :0,g 1 :0,g 2 :1 r 1 :1,r 2 :0,g 1 :1,g 2 :0 r 1 :1,r 2 :1,g 1 :1,g 2 :0 r 1 :0,r 2 :0,g 1 :1,g 2 :0 r 1 :0,r 2 :1,g 1 :1,g 2 :0

125 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization But why do you embed safety? We started from: θ e ρ e ( j A j ) θ s ρ s ( i G i ) And ended up with: j A j i G i with some modifications to permitted moves in 2 I O. Are the two the same? No! What s the difference? Realizability in our game implies realizability of the general formula. Other direction is not true.

126 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization What we actually do θ e θ s θ e ρ e ρ s θ e ρ e j A j i G i Lemma. If the above is realizable then the implication is realizable. Consider a computation c satisfying the above. Then, c satisfies the implication as well. 1. If c θ e then clearly c satisfies the implication. 2. If c ρ e then clearly c satisfies the implication. 3. If c j A j then clearly c satisfies the implication. 4. If c θ e, c ρ e, and c j A j then from the first conjunct c θ s, from the second conjunct c ρ s, and from the third conjunct c j G i.

127 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization What about the other direction? Well, the other direction does not hold. Example. Let x and y be Boolean input and output variables. Consider the specification: x x y x y y It is clearly realizable (just set y to false ). But x x y

128 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Are such systems interesting? The only way to realize such a system is by violating the system s safety requirement. The implication creates a dependency between the system s safety and the environment s liveness. Intuitively, the specification should not be realizable. But it is! Actually, the second one is more natural. They are different only if the environment can be forced to violate its specification. There is a way to handle the implication. It effectively reduces safety to liveness. Does not benefit from the embedding of the safety as transitions. Not going to cover.

129 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization What about saying more? The specification is composed of many parts. Conjunction on the left and conjunction on the right. What if some of these conjuncts are deterministic Buchi automata? Everything should work the same! Liveness added to the interested party.

130 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Easy way to get Deterministic Buchi Automata The past is naturally deterministic. Automata for past formulas are deterministic and acceptance free. Given a past formula,, and are easily converted to deterministic Buchi automata. Examples:

131 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer Some applications

132 Lecture 4: Bypassing Determinization AMBA Bus Industrial standard ARM s AMBA AHB bus High performance on-chip bus Data, address, and control signals Up to 16 masters and 16 clients Arbiter part of bus (determines control signals) Master 0 Master 1... Master 15 Client 0 Client 1... Client 15 Arbiter AMBA AHB From BGJPPW07 Games and Synthesis, EATCS Young Researchers School, Telč, Summer

133 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Generalized Buffer Tutorial model checking design from IBM. Parameterized buffer. Transfer data from n senders to 2 receivers. Senders arbitrary order. Receivers round robin.

134 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer

135 Lecture 4: Bypassing Determinization Games and Synthesis, EATCS Young Researchers School, Telč, Summer

136 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 4: Bypassing Determinization Bibliography 1. Safraless Decision Procedures (O. Kupferman and M.Y. Vardi), FOCS 2005, Bounded Synthesis (B. Finkbeiner and S. Schewe), STTT, Vol. 15, No. 5-6, pp , Unbeast: Symbolic Bounded Synthesis (R. Ehlers), TACAS 2011, Synthesis of Reactive(1) Designs (R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Sa'ar), Journal of Computer and System Sciences, Vol. 78, No. 3, , Valet Parking Without a Valet (D.C. Conner, H. Kress-Gazit, H. Choset, A. Rizzi, and G.J. Pappas), Conference on Intelligent Robots and Systems 2007,

137 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Lectures Outline Introduction Automata and Linear Temporal Logic Games and Synthesis General LTL Synthesis Bypassing Determinization Practical Issues with Synthesis

138 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Is Implication the Right Thing? We ve seen that θ e ρ e ( j A j ) θ s ρ s ( i G i ) is handled by restricting permitted moves and solving j A j i G i Example. Let x and y be Boolean input and output variables. Consider the specification: x x y x y y It is clearly realizable (just set y to false ). But x x y

139 Lecture 5: Practical Issues Compatible Environment An environment is compatible if it does not need help to fulfil the assumptions. Stated in games form: Remove all obligations of the system. Make sure it can win only by forcing environment to lose. θ e ρ e ( j A j ) T T ( i F) Or the embedded version: θ e T θ e ρ e T θ e ρ e j A j i F Both equivalent to: θ e ρ e ( j A j ) F So we can use the same game settings. But: The environment is compatible if from every state of the modified game the system loses. For compatible environments the two are the same. Games and Synthesis, EATCS Young Researchers School, Telč, Summer

140 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Compatibility Same θ e θ s θ e ρ e ρ s θ e ρ e j A j i G i Suppose that you win for the game with implication but lose the embedded. The winning strategy in implication uses an unsafe transition. Once the unsafe transition is crossed, the environment has a strategy that shows compatibility. Using that strategy, the environment realizes θ e ρ s i A i But then the play satisfies: θ e ρ s i A i ( ρ e θ e )

141 Lecture 5: Practical Issues Games and Synthesis, EATCS Young Researchers School, Telč, Summer

142 Lecture 5: Practical Issues Good Features Games and Synthesis, EATCS Young Researchers School, Telč, Summer Best Effort Controller: Will avoid assumptions if this is the only way to guarantee goals. Assumption Preserving: Will only avoid assumptions if it is impossible to fulfill them. In compatible environments all possible controllers are both.

143 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Abstracting Real Time Discrete controllers are augmented with continuous controllers. The discrete model does not capture time it takes to cross a transition. How to combine?

144 Lecture 5: Practical Issues Direct Mapping Games and Synthesis, EATCS Young Researchers School, Telč, Summer States correspond to world status. A change in state corresponds to activation of continuous controller. Sense for environment actions. Upon change, activate slow controllers. Upon completion of slow controllers activate fast controllers. If something happens during execution of controller change your mind.

145 Lecture 5: Practical Issues Games and Synthesis, EATCS Young Researchers School, Telč, Summer Robot starts in region r1 with the camera off Activate the camera if and only if you see a person Visit r2

146 Lecture 5: Practical Issues Games and Synthesis, EATCS Young Researchers School, Telč, Summer

147 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Problems with Direct Mapping Delayed response to environment changes. Fast actions wait until completion of slow actions. Unsafe continuous execution even though discrete controller is provably correct. Fast actions first: Change synthesis algorithm to ensure safety: Intermediate states in transitions. OK to complete fast before slow? Committed to a transition once part of it complete. Unable to change your mind. Even longer response time.

148 Lecture 5: Practical Issues Games and Synthesis, EATCS Young Researchers School, Telč, Summer Do not activate the camera in r1

149 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Embedding Actions Transitions are instantaneous and states allow for time pass (timed automata ). Robot starts all continuous controllers. Environment terminates them! Every action needs a sensor for termination. All controllers start immediately. Controller active but not completed captured in the state. Discrete model captures the passage of time!

150 Lecture 5: Practical Issues Games and Synthesis, EATCS Young Researchers School, Telč, Summer camera and motion to r 2 not activated camera and motion activated, neither completed camera completed (on), motion activated camera and motion both complete

151 Games and Synthesis, EATCS Young Researchers School, Telč, Summer Lecture 5: Practical Issues Problems How to ensure continuous controllers terminate? Fairness limiting environment. Can be captured by extra state variables or... Allow transition fairness! Increased state space. Mitigated by handling transition fairness in addition to state fairness.