Synthesis of Designs from Property Specifications

Similar documents
Lecture 7 Synthesis of Reactive Control Protocols

Lecture 9 Synthesis of Reactive Control Protocols

Revisiting Synthesis of GR(1) Specifications

Games and Synthesis. Nir Piterman University of Leicester Telč, July-Autugst 2014

Synthesis of Reactive(1) Designs

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

Synthesis of Reactive(1) Designs

ENES 489p. Verification and Validation: Logic and Control Synthesis

Semi-Automatic Distributed Synthesis

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

Automata, Logic and Games: Theory and Application

PSL Model Checking and Run-time Verification via Testers

Linear Temporal Logic and Büchi Automata

Topics in Formal Synthesis and Modeling

Robust Controller Synthesis in Timed Automata

Bounded Synthesis. Sven Schewe and Bernd Finkbeiner. Universität des Saarlandes, Saarbrücken, Germany

On Synthesizing Controllers from Bounded-Response Properties

Bridging the Gap between Reactive Synthesis and Supervisory Control

Temporal Logic Model Checking

IC3 and Beyond: Incremental, Inductive Verification

A Symbolic Approach to Safety LTL Synthesis

Synthesis weakness of standard approach. Rational Synthesis

Synthesis of Winning Strategies for Interaction under Partial Information

Bridging the Gap Between Fair Simulation and Trace Inclusion

Integrating Induction and Deduction for Verification and Synthesis

Computer-Aided Program Design

Effective Synthesis of Asynchronous Systems from GR(1) Specifications

From Liveness to Promptness

Infinite Games. Sumit Nain. 28 January Slides Credit: Barbara Jobstmann (CNRS/Verimag) Department of Computer Science Rice University

Games with Costs and Delays

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

Timo Latvala. March 7, 2004

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Logic Model Checking

Automatic Synthesis of Distributed Protocols

Complexity Bounds for Muller Games 1

Generalized Parity Games

2. Elements of the Theory of Computation, Lewis and Papadimitrou,

Controller Synthesis with UPPAAL-TIGA. Alexandre David Kim G. Larsen, Didier Lime, Franck Cassez, Jean-François Raskin

The State Explosion Problem

CHURCH SYNTHESIS PROBLEM and GAMES

Synthesizing Robust Systems

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

Synthesis of Asynchronous Systems

Alternating Time Temporal Logics*

Robust Reachability in Timed Automata: A Game-based Approach

Asynchronous Games over Tree Architectures

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

An Incremental Approach to Model Checking Progress Properties

Minimising Deterministic Büchi Automata Precisely using SAT Solving

From Liveness to Promptness

SVEN SCHEWE Universität des Saarlandes, Fachrichtung Informatik, Saarbrücken, Germany

(a1 b 1 ) (a 1 b 2 ) (a 2 b 1 ) Fig. 1. A simple game. (a2 b 2 ) Trivial as it might seem, this is the essence of any synthesis algorithm, a

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

Decision Procedures for CTL

Automata-Theoretic LTL Model-Checking

Language Stability and Stabilizability of Discrete Event Dynamical Systems 1

Safraless Compositional Synthesis

LTL Generalized Model Checking Revisited

Synthesis from Probabilistic Components

From Nondeterministic Büchi and Streett Automata to Deterministic Parity Automata

Safraless Compositional Synthesis

Admissible Strategies for Synthesizing Systems

Dynamic and Adversarial Reachavoid Symbolic Planning

Reasoning about Strategies: From module checking to strategy logic

Alan Bundy. Automated Reasoning LTL Model Checking

Model Checking of Safety Properties

As Soon As Probable. O. Maler, J.-F. Kempf, M. Bozga. March 15, VERIMAG Grenoble, France

Complexity Bounds for Regular Games (Extended Abstract)

Automata, Logic and Games: Theory and Application

Chapter 5: Linear Temporal Logic

Languages, logics and automata

EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo

Control Synthesis of Discrete Manufacturing Systems using Timed Finite Automata

SUPERVISORY CONTROL AND FAILURE DIAGNOSIS OF DISCRETE EVENT SYSTEMS: A TEMPORAL LOGIC APPROACH

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

From Löwenheim to Pnueli, from Pnueli to PSL and SVA

A Survey of Stochastic ω-regular Games

On the Succinctness of Nondeterminizm

Weak Alternating Automata and Tree Automata Emptiness

Realizable and Unrealizable Specifications of Reactive Systems

Temporal Logic and Fair Discrete Systems

Alternating nonzero automata

Finite-Delay Strategies In Infinite Games

Randomness for Free. 1 Introduction. Krishnendu Chatterjee 1, Laurent Doyen 2, Hugo Gimbert 3, and Thomas A. Henzinger 1

Recent Challenges and Ideas in Temporal Synthesis

Büchi Automata and Linear Temporal Logic

Learning Regular ω-languages

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Digital Systems. Validation, verification. R. Pacalet January 4, 2018

Generating Deterministic ω-automata for most LTL Formulas by the Breakpoint Construction

A Survey of Partial-Observation Stochastic Parity Games

Modal and Temporal Logics

A Brief Introduction to Model Checking

Synthesis of Reactive Switching Protocols from Temporal Logic Specifications

arxiv: v4 [cs.lo] 1 Nov 2016

Cooperative Reactive Synthesis

Generalized Parity Games

Transcription:

Synthesis of Designs from Property Specifications Amir Pnueli New York University and Weizmann Institute of Sciences FMCAD 06 San Jose, November, 2006 Joint work with Nir Piterman, Yaniv Sa ar, Research Supported in part by SRC grant 2004-TJ-1256 and the European Union project Prosyd. Synthesis of Designs, FMCAD 06, San Jose, November 2006

Motivation Why verify, if we can automatically synthesize a program which is correct by construction? Synthesis of Designs, FMCAD 06, San Jose, November 2006 1

A Brief History of System Synthesis In 1965 Church formulated the following Church problem: Given a circuit interface specification (identification of input and output variables) and a behavioral specification, e.g. an LTL formula. Determine if there exists an automaton (sequential circuit) which realizes the specification. If the specification is realizable, construct an implementing circuit Originally, the specification was given in the sequence calculus which is an explicit-time temporal logic. Synthesis of Designs, FMCAD 06, San Jose, November 2006 2

Example of a Specification x y Behavioral Specification: ( x = (y y)) Is this specification realizable? The essence of synthesis is the conversion From relations to Functions. Synthesis of Designs, FMCAD 06, San Jose, November 2006 3

From Relations to Functions Consider a computational program: x y The relation x = y 2 is a specification for the program computing the function y = x. The relation x = y is a specification for the program that finds a satisfying assignment to the CNF boolean formula x. Checking is easier than computing. Synthesis of Designs, FMCAD 06, San Jose, November 2006 4

Solutions to Church s Problem In 1969, M. Rabin provided a first solution to Church s problem. Solution was based on automata on Infinite Trees. All the concepts involving ω-automata were invented for this work. At the same year, Büchi and Landweber provided another solution, based on infinite games. These two techniques (Trees and Games) are still the main techniques for performing synthesis. Synthesis of Designs, FMCAD 06, San Jose, November 2006 5

Synthesis of Reactive Modules from Temporal Specifications Around 1981 Wolper and Emerson, each in his preferred brand of temporal logic (linear and branching, respectively), considered the problem of synthesis of reactive systems from temporal specifications. Their (common) conclusion was that specification ϕ is realizable iff it is satisfiable, and that an implementing program can be extracted from a satisfying model in the tableau. A typical solution they would obtain for the arbiter problem is: r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 r 1 r 2 g 1 g 2 Such solutions are acceptable only in circumstances when the environment fully cooperate with the system. Synthesis of Designs, FMCAD 06, San Jose, November 2006 6

Next Step: Realizability Satisfiability There are two different reasons why a specification may fail to be realizable. Inconsistency g g Unrealizability For a system r g Realizing the specification g r requires clairvoyance. Synthesis of Designs, FMCAD 06, San Jose, November 2006 7

A Synthesized Module Should Maintain Specification Against Adversarial Environment In 1988, Rosner claimed that realizability should guarantee the specification against all possible (including adversarial) environments. In a related work he has shown [1989] that the synthesis process has worst case complexity which is doubly exponential. The first exponent comes from the translation of ϕ into a non-deterministic Büchi automaton. The second exponent is due to the determinization of the automaton. This result doomed synthesis to be considered highly untractable, discouraged further research on the subject for a long time. and Synthesis of Designs, FMCAD 06, San Jose, November 2006 8

Simple Cases of Lower Complexity In 1989, Ramadge and Wonham introduced the notion of controller synthesis and showed that for a specification of the form p, the controller can be synthesized in linear time. In 1995, Asarin, Maler, P, and Sifakis, extended controller synthesis to timed systems, and showed that for specifications of the form p and q, the problem can be solved by symbolic methods in linear time. Synthesis of Designs, FMCAD 06, San Jose, November 2006 9

Property-Based System Design While the rest of the world seems to be moving in the direction of modelbased design (see UML), some of us persisted with the vision of property-based approach. Specification is stated declaratively as a set of properties, from which a design can be extracted. This is currently studied in the hardware-oriented European project PROSYD. Design synthesis is needed in two places in the development flow: Automatic synthesis of small blocks whose time and space efficiency are not critical. As part of the specification analysis phase, ascertaining that the specification is realizable. Synthesis of Designs, FMCAD 06, San Jose, November 2006 10

The Control Framework Classical (Continuous Time) Control Environment Plant Controller Required: A design for a controller which will cause the plant to behave correctly under all possible (appropriately constrained) environments. Discrete Event Systems Controller: [Ramadge and Wonham 89]. Given a Plant which describes the possible events and actions. Some of the actions are controllable while the others are uncontrollable. Required: Find a strategy for the controllable actions which will maintain a correct behavior against all possible adversary moves. The strategy is obtained by pruning some controllable transitions. Synthesis of Designs, FMCAD 06, San Jose, November 2006 11

Application to Reactive Module Synthesis: [PR88], [ALW89] The Plant represents all possible actions. Module actions are controllable. Environment actions are uncontrollable. Required: Find a strategy for the controllable actions which will maintain a temporal specification against all possible adversary moves. Derive a program from this strategy. View as a two-persons game. Synthesis of Designs, FMCAD 06, San Jose, November 2006 12

Apply to Programs Let us apply the controller synthesis paradigm to synthesis of programs (or designs, in general). Synthesis of Designs, FMCAD 06, San Jose, November 2006 13

Example Design: Arbiter Consider a specification for an arbiter. r 1 g 1 Arbiter r n g n The protocol for each client: r i g i r i g i r i g i r i g i Required to satisfy (g i g j ) (g i = r i ) i =j i Synthesis of Designs, FMCAD 06, San Jose, November 2006 14

Start by Controller Synthesis Assume a given platform (plant), identifying controllable (system) and uncontrollable (environment) transitions: Due to idling, every node is connected to itself by both green and red transitions, which for simplicity we do not explicitly draw. A complete move consists of a red edge followed by a green edge. Also given is an LTL specification (winning condition): ϕ : (g 1 g 2 ) (g 1 = r 1 ) (g 2 = r 2 ) Synthesis of Designs, FMCAD 06, San Jose, November 2006 15

For Simplicity We added to the specification the requirement that, at every complete move, at most one of the four variables r 1, r 2, g 1, g 2 may change its value. Synthesis of Designs, FMCAD 06, San Jose, November 2006 16

Controller Synthesis Via Game Playing A game is given by G : V = x y, Θ 1,Θ 2,ρ 1, ρ 2, ϕ, where V = x y are the state variables, with x being the environment s (player 1) variables, and y being the system s (player 2) variables. A state of the game is an interpretation of V. Let Σ denote the set of all states. Θ 1 ( x) the initial condition for player 1 (Environment). characterizing the environment s initial states. Θ 2 ( x, y) the initial condition for player 2 (system). ρ 1 ( x, y, x ) Transition relation for player 1 (Environment). ρ 2 ( x, y, x, y ) Transition relation for player 2 (system). An assertion ϕ The winning condition. An LTL formula characterizing the plays which are winning for player 2. A state s 2 is said to be a G-successor of state s 1, if both ρ 1 (s 1 [V ],s 2 [ x]) and ρ 2 (s 1 [V ],s 2 [V ]) are true. We denote by D x and D y the domains of variables x and y, respectively. Synthesis of Designs, FMCAD 06, San Jose, November 2006 17

Plays and Strategies Let G : V, Θ 1, Θ 2,ρ 1,ρ 2, ϕ be a game. A play of G is an infinite sequence of states π : s 0, s 1,s 2,..., satisfying the requirement: Consecution: For each j 0, the state s j+1 is a G-successor of the state s j. A play π is said to be winning for player 2 if π = ϕ. Otherwise, it is said to be winning for player 1. A strategy for player 1 is a function σ 1 : Σ + D x, which determines the next set of values for x following any history h Σ +. A play π : s 0,s 1,... is said to be compatible with strategy σ 1 if, for every j 0, s j+1 [ x] = σ 1 (s 0,...,s j ). Strategy σ 1 is winning for player 1 from state s if all s-originated plays (i.e., plays π : s = s 0, s 1,...) compatible with σ 1 are winning for player 1. If such a winning strategy exists, we call s a winning state for player 1. Similar definitions hold for player 2 with strategies of the form σ 2 : Σ + D x D y. Synthesis of Designs, FMCAD 06, San Jose, November 2006 18

From Winning Games to Programs A game G is said to be winning for player 2 if, every x-interpretation ξ satisfying Θ 1 (ξ) = 1 can be matched by a y-interpretation η satisfying Θ 2 (ξ, η) = 1, such that the state x : ξ, y : η is winning for 2. Otherwise, i.e., there exists an interpretation x : ξ satisfying Θ 1 (ξ) such that, for all interpretations y : η satisfying Θ 2 (ξ, η), the state x : ξ, y : η is winning for 1, the game is winning for player 1. We solve the game, attempting to decide whether the game is winning for player 1 or 2. If it is winning for player 1 the specification is unrealizable. If it is winning for player 2, we can extract a winning strategy which is a working implementation. When applying controller synthesis, the platform provides the transition relations ρ 1 and ρ 2, as well as the initial condition. Thus, the essence of synthesis under the controller framework is an algorithm for computing the set of winning states for a given platform and specification ϕ. Synthesis of Designs, FMCAD 06, San Jose, November 2006 19

The Game for the Sample Specification For the sample specification in which the client-server protocol is: r i g i r i g i r i g i and was required to satisfy (g i g j ) i =j We take the following game structure: i r i g i (g i = r i ) x y : {r i i = 1,...,n} {g i i = 1,...,n} Θ 1 : i r i Θ 2 : i g i ρ 1 : i ((r i g i ) (r i = r i)) ρ 2 : i ((r i = g i ) (g i = g i)) ϕ : i (g i = r i ) Note that the safety parts of the specification are placed in the local components (Θ 1,Θ 2, ρ 1, ρ 2 ) while the liveness parts are relegated to the winning condition. Synthesis of Designs, FMCAD 06, San Jose, November 2006 20

The Controlled Predecessor As in symbolic model checking, computing the winning states involves fix-point computations over a basic predecessor operator. For model checking the operator is EXp satisfied by all states which have a p-state as a successor. For synthesis, we use the controlled predecessor operator be defined by p. Its semantics can p : x : ρ 1 (V, x ) y : ρ 2 (V,V ) p(v ) where ρ 1 and ρ 2 are the transition relations of the environment and system, respectively. In our graphical notation, s = p iff s has at least one green p-successor, and all red successors different from s satisfy p. Synthesis of Designs, FMCAD 06, San Jose, November 2006 21

Solving p Games, Iteration 0 The set of winning states for a specification p can be computed by the fix-point expression: νy.p Y = 1 p p p We illustrate this on the specification (g 1 g 2 ). Iteration 0, Y 0 : 1 Synthesis of Designs, FMCAD 06, San Jose, November 2006 22

Solving p Games, Iteration 1 The set of winning states for a specification p can be computed by the fix-point expression: νy.p Y = 1 p p p We illustrate this on the specification (g 1 g 2 ). Iteration 1, Y 1 : (g 1 g 2 ) 1 Synthesis of Designs, FMCAD 06, San Jose, November 2006 23

Solving q Games, Iteration 1 The set of winning states for a specification q can be computed by the fix-point expression: µy.q Y = q q q We illustrate this on the specification (g 1 = r 1 ). Iteration 1, Y 1 : (g 1 = r 1 ) Synthesis of Designs, FMCAD 06, San Jose, November 2006 24

Solving q Games, Iteration 2 The set of winning states for a specification q can be computed by the fix-point expression: µy.q Y = q q q We illustrate this on the specification (g 1 = r 1 ). Iteration 2, Y 2 : Y 1 Y 1 Synthesis of Designs, FMCAD 06, San Jose, November 2006 25

Solving q Games, Iteration 3 The set of winning states for a specification q can be computed by the fix-point expression: µy.q Y = q q q We illustrate this on the specification (g 1 = r 1 ). Iteration 3, Y 3 : Y 2 Y 2 Synthesis of Designs, FMCAD 06, San Jose, November 2006 26

Solving q Games, Iteration 4 (Final) The set of winning states for a specification q can be computed by the fix-point expression: µy.q Y = q q q We illustrate this on the specification (g 1 = r 1 ). Iteration 4, Y 4 : Y 3 Y 3 Synthesis of Designs, FMCAD 06, San Jose, November 2006 27

Solving q Games A game for a winning condition of the form expression: q can be solved by the fix-point νzµy.q Z Y This is based on the maximal fix-point solution of the equation Z = µy.(q Z) Y This nested fix-point computation can be computed iteratively by the program: Z := 1 Fix (Z) G := q Z Y := 0 Fix (Y ) [Y := G Y ] Z := Y Synthesis of Designs, FMCAD 06, San Jose, November 2006 28

Solving (g 1 = r 1 ) for the Arbiter Example Applying the above fix-point iterations to the Arbiter example, we obtain: Note that the obtained strategy, keeps g 2 = 0 permanently. This suggests that we will have difficulties finding a solution that will maintain (g 1 = r 1 ) (g 2 = r 2 ) Synthesis of Designs, FMCAD 06, San Jose, November 2006 29

Generalized Response (Büchi) Solving the game for q 1 q n. ( ) Z 1 µy (q 1 Z 2 ) Y Z 2 ( ) µy (q ϕ = ν 2 Z 3 ) Y... (. ) µy (q n Z 1 ) Y Z n Iteratively: For (i 1..n) do [Z[i] := 1] Fix (Z[1]) For (i 1..n) do Y := 0 Fix [ (Y ) ] Y := (q[i] Z[i n 1]) Y Z[i] := Y Return Z[1] Synthesis of Designs, FMCAD 06, San Jose, November 2006 30

Specification is Unrealizable Applying the above algorithm to the specification (g 1 = r 1 ) (g 2 = r 2 ) we find that it fails. Conclusion: The considered specification is unrealizable Indeed, without an environment obligation of releasing the resource once it has been granted, the arbiter cannot satisfy any other client. Synthesis of Designs, FMCAD 06, San Jose, November 2006 31

A Realizable Specification Consider a specification consisting of the protocol: r i g i r i g i r i g i r i g i and the temporal specification ( (g i g j ) i =j We take the following game components: i (r i g i ) i x y : {r i i = 1,...,n} {g i i = 1,...,n} Θ 1 : i r i Θ 2 : i g i ρ 1 : i ((r i g i ) (r i = r i)) ρ 2 : i =j (g i g j ) i ((r i = g i ) (g i = g i)) ϕ : i (r i g i ) i (g i = r i ) (g i = r i ) ) Synthesis of Designs, FMCAD 06, San Jose, November 2006 32

Solving in Polynomial Time a Doubly Exponential Problem In [1989] Roni Rosner provided a general solution to the Synthesis problem. He showed that any approach that starts with the standard translation from LTL to Büchi automata, has a doubly exponential lower bound. One of the messages resulting from the work reported here is Do not be too hasty to translate LTL into automata. Try first to locate the formula within the temporal hierarchy. For each class of formulas, synthesis can be performed in polynomial time. Synthesis of Designs, FMCAD 06, San Jose, November 2006 33

Hierarchy of the Temporal Properties Reactivity k ( p i q i ) i=1 Response p Persistence p Progress Safety p Obligation k ( p i q i ) i=1 Guarantee p where p, p i, q, q i are past formulas. Synthesis of Designs, FMCAD 06, San Jose, November 2006 34

Solving Games for Generalized Reactivity[1] (Streett[1]) Following [KPP03], we present an n 3 algorithm for solving games whose winning condition is given by the (generalized) Reactivity[1] condition ( p 1 p 2 p m ) q 1 q 2 q n This class of properties is bigger than the properties specifiable by deterministic Büchi automata. It covers a great majority of the properties we have seen so far. For example, it covers the realizable version of the specification for the Arbiter design. Synthesis of Designs, FMCAD 06, San Jose, November 2006 35

The Solution The winning states in a React[1] game can be computed by ϕ = ν Z 1 Z 2.. Z n µy µy µy m j=1 m j=1 m j=1 νx(q 1 Z 2 Y p j X) νx(q 2 Z 3 Y p j X).. νx(q n Z 1 Y p j X) where ϕ : x : ρ 1 (V, x ) y : ρ 2 (V,V ) ϕ(v ) Synthesis of Designs, FMCAD 06, San Jose, November 2006 36

Results of Synthesis The design realizing the specification can be extracted as the winning strategy for Player 2. Applying this to the Arbiter specification, we obtain the following design: r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 r 1 r 2 ;g 1 g 2 There exists a symbolic algorithm for extracting the implementing design/winning strategy. Synthesis of Designs, FMCAD 06, San Jose, November 2006 37

Execution Times and Programs Size for Arbiter(N) 150 300 Program size (x 1000) 125 100 75 50 25 Program Size Execution Time 250 200 150 100 50 Time (seconds) 0 10 20 30 40 50 60 70 80 90 Synthesis of Designs, FMCAD 06, San Jose, November 2006 38

Conclusions It is possible to perform design synthesis for restricted fragments of LTL in acceptable time. The tractable fragment (React(1)) covers most of the properties that appear in standard specifications. It is worthwhile to invest an effort in locating the formula within the temporal hierarchy. Solving a game in React(k) has complexity N (2k+1). The methodology of property-based system design (Prosyd) is an option worth considering. It is greatly helped by improved algorithms for synthesis. Synthesis of Designs, FMCAD 06, San Jose, November 2006 39

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback