A Symbolic Approach to Safety LTL Synthesis

Similar documents
SAT-Based Explicit LTL Reasoning

arxiv: v2 [cs.lo] 21 Sep 2017

First-Order vs. Second-Order Encodings for

Reactive Synthesis. Swen Jacobs VTSA 2013 Nancy, France u

Revisiting Synthesis of GR(1) Specifications

Model Checking of Safety Properties

Generating Deterministic ω-automata for most LTL Formulas by the Breakpoint Construction

Timo Latvala. March 7, 2004

Bounded Synthesis. Sven Schewe and Bernd Finkbeiner. Universität des Saarlandes, Saarbrücken, Germany

Synthesizing controllers: On the Correspondence Between LTL Synthesis and Non-Deterministic Planning

Minimising Deterministic Büchi Automata Precisely using SAT Solving

From Liveness to Promptness

Integrating Induction and Deduction for Verification and Synthesis

Formal Verification Techniques. Riccardo Sisto, Politecnico di Torino

Temporal Logic Model Checking

Linear Temporal Logic and Büchi Automata

Synthesis of Designs from Property Specifications

Linear-time Temporal Logic

ENES 489p. Verification and Validation: Logic and Control Synthesis

Overview. Discrete Event Systems Verification of Finite Automata. What can finite automata be used for? What can finite automata be used for?

Lecture 7 Synthesis of Reactive Control Protocols

Efficient Model Checking of Safety Properties

LTL is Closed Under Topological Closure

Temporal Logic. M φ. Outline. Why not standard logic? What is temporal logic? LTL CTL* CTL Fairness. Ralf Huuck. Kripke Structure

Failure Diagnosis of Discrete Event Systems With Linear-Time Temporal Logic Specifications

LTL f Satisfiability Checking

From Löwenheim to Pnueli, from Pnueli to PSL and SVA

The State Explosion Problem

Property Checking of Safety- Critical Systems Mathematical Foundations and Concrete Algorithms

EAHyper: Satisfiability, Implication, and Equivalence Checking of Hyperproperties

Games and Synthesis. Nir Piterman University of Leicester Telč, July-Autugst 2014

Lecture 9 Synthesis of Reactive Control Protocols

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Infinite Games. Sumit Nain. 28 January Slides Credit: Barbara Jobstmann (CNRS/Verimag) Department of Computer Science Rice University

On the Relationship between LTL Normal Forms and Büchi Automata

Synthesis of Reactive(1) Designs

CDS 270 (Fall 09) - Lecture Notes for Assignment 8.

Computer-Aided Program Design

Model checking the basic modalities of CTL with Description Logic

Automata-Theoretic LTL Model-Checking

Controller Synthesis with UPPAAL-TIGA. Alexandre David Kim G. Larsen, Didier Lime, Franck Cassez, Jean-François Raskin

Bridging the Gap between Reactive Synthesis and Supervisory Control

Strategy Logic. 1 Introduction. Krishnendu Chatterjee 1, Thomas A. Henzinger 1,2, and Nir Piterman 2

CS256/Spring 2008 Lecture #11 Zohar Manna. Beyond Temporal Logics

A brief history of model checking. Ken McMillan Cadence Berkeley Labs

T Reactive Systems: Temporal Logic LTL

From Liveness to Promptness

Automata-Theoretic Model Checking of Reactive Systems

Bridging the Gap Between LTL Synthesis and Automated Planning

Lecture Notes on Emptiness Checking, LTL Büchi Automata

Alternating Time Temporal Logics*

Automata on Infinite words and LTL Model Checking

IC3 and Beyond: Incremental, Inductive Verification

Chapter 3: Linear temporal logic

Abstractions and Decision Procedures for Effective Software Model Checking

Synthesis via Sampling-Based Abstractions

Decision Procedures for CTL

Timo Latvala. February 4, 2004

Deterministic ω-automata for LTL: A safraless, compositional, and mechanically verified construction

Comparison of LTL to Deterministic Rabin Automata Translators

Techniques to solve computationally hard problems in automata theory

ω-automata Automata that accept (or reject) words of infinite length. Languages of infinite words appear:

Bounded Model Checking with SAT/SMT. Edmund M. Clarke School of Computer Science Carnegie Mellon University 1/39

Decision Procedures for CTL

Semi-Automatic Distributed Synthesis

The Safety Simple Subset

Automata-based Verification - III

Lecture 2: Symbolic Model Checking With SAT

Probabilistic Model Checking and Strategy Synthesis for Robot Navigation

Completeness and Complexity of Bounded Model Checking

Synthesizing Robust Systems

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

A Hierarchy for Accellera s Property Specification Language

Computability and Complexity Theory: An Introduction

Computation Tree Logic (CTL) & Basic Model Checking Algorithms

Helsinki University of Technology Laboratory for Theoretical Computer Science Research Reports 66

Safraless Compositional Synthesis

Temporal Logic with Past is Exponentially More Succinct

Büchi Automata and Linear Temporal Logic

MODEL CHECKING. Arie Gurfinkel

Safraless Compositional Synthesis

Boolean decision diagrams and SAT-based representations

Effective Synthesis of Asynchronous Systems from GR(1) Specifications

Automata-based Verification - III

PSL Model Checking and Run-time Verification via Testers

Models for Efficient Timed Verification

SBMC : Symmetric Bounded Model Checking

Towards Inference and Learning in Dynamic Bayesian Networks using Generalized Evidence

Decision, Computation and Language

Matching Trace Patterns With Regular Policies

Automata, Logic and Games. C.-H. L. Ong

Games Programs Play: Analyzing Multiplayer Programs

Failure Diagnosis of Discrete-Time Stochastic Systems subject to Temporal Logic Correctness Requirements

Tecniche di Specifica e di Verifica. Automata-based LTL Model-Checking

Automata, Logic and Games. C.-H. L. Ong

LTL Generalized Model Checking Revisited

Lecture 2 Automata Theory

CSC236 Week 11. Larry Zhang

SVEN SCHEWE Universität des Saarlandes, Fachrichtung Informatik, Saarbrücken, Germany

Introduction to Model Checking

Transcription:

A Symbolic Approach to Safety LTL Synthesis Shufang Zhu 1 Lucas M. Tabajara 2 Jianwen Li Geguang Pu 1 Moshe Y. Vardi 2 1 East China Normal University 2 Rice Lucas M. Tabajara (Rice University) 2 University Safety LTL Synthesis November 15th, 2017 1 / 25

Reactive Synthesis 1. Receive inputs System 2. Update state Internal State Environment 3. Emit outputs Goal: Automatically design reactive systems that are guaranteed to follow a temporal specification. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 2 / 25

LTL Synthesis Linear Temporal Logic (LTL): ϕ ::= p ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 X ϕ ϕ 1 Rϕ 2 ϕ 1 Uϕ 2 Gϕ Rϕ F ϕ Uϕ LTL Synthesis: Given: LTL formula ϕ over a set of propositional variables P = X Y Input variables: X Output variables: Y Obtain: Set of states S and strategy g : 2 X S 2 Y S such that every trace satisfies ϕ. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 3 / 25

Classical Approach to LTL Synthesis LTL Formula Construct automaton (Vardi, Wolper; 1994) Nondeterministic Büchi Automaton Determinize Parity Game Solve game Strategy Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 4 / 25

Synthesis of LTL Fragments LTL synthesis remains a challenging problem: 2EXPTIME theoretical complexity. Lack of scalable algorithms for determinization and solving games. Solution: Focus on synthesis procedures for fragments of LTL. Example: Generalized Reactivity(1) (GR(1)) fragment: (θ e Gρ e GF ϕ e 1... GF ϕ e m) (θ s Gρ s GF ϕ s 1... GF ϕ s n) GR(1) games can be solved in time cubic in size of game graph. Other easier fragments of LTL? Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 5 / 25

Synthesis of LTL Fragments LTL synthesis remains a challenging problem: 2EXPTIME theoretical complexity. Lack of scalable algorithms for determinization and solving games. Solution: Focus on synthesis procedures for fragments of LTL. Example: Generalized Reactivity(1) (GR(1)) fragment: (θ e Gρ e GF ϕ e 1... GF ϕ e m) (θ s Gρ s GF ϕ s 1... GF ϕ s n) GR(1) games can be solved in time cubic in size of game graph. Other easier fragments of LTL? Safety LTL Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 5 / 25

Safety Properties Bad things don t happen Safety property: prq (q doesn t become false until after p becomes true) Non-safety property: G(r Fg) (every request is eventually granted) Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 6 / 25

Safety Properties Bad things don t happen Safety property: prq (q doesn t become false until after p becomes true) Safety property: G(r (g Xg XXg)) (every request is granted within two time steps) Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 6 / 25

Safety Properties Bad things don t happen Safety property: prq (q doesn t become false until after p becomes true) Safety property: G(r (g Xg XXg)) (every request is granted within two time steps) All eventualities are bounded. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 6 / 25

Bad prefix For a given temporal formula ϕ, a finite trace π = π 1 π 2... π n is a bad prefix if π cannot be extended to a satisfying trace. ϕ = prq {q}, {q},..., {q}, {p, q}, {p},... = ϕ {q}, {q},..., {q}, {}, {p},... = ϕ A temporal formula ϕ is safe if every trace that does not satisfy ϕ has a bad prefix. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 7 / 25

Syntactical Safety Purely syntactical sufficient condition for safety: Theorem (Sistla; 1994) If ϕ is an LTL formula in Negation Normal Form and ϕ is Until-free, then ϕ is safe. Allows us to define an LTL fragment that guarantees safety. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 8 / 25

Safety LTL Linear Temporal Logic (LTL): ϕ ::= p ϕ ϕ 1 ϕ 2 ϕ 1 ϕ 2 X ϕ ϕ 1 Rϕ 2 ϕ 1 Uϕ 2 Safety LTL: ϕ ::= p p ϕ 1 ϕ 2 ϕ 1 ϕ 2 X ϕ ϕ 1 Rϕ 2 Safety LTL corresponds to the fragment of Until-free LTL formulas in Negation Normal Form. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 9 / 25

Synthesis of the Safety LTL Fragment Safety LTL Synthesis: Given: Safety LTL formula ϕ over a set of propositional variables P = X Y Input variables: X Output variables: Y Obtain: Set of states S and strategy g : 2 X S 2 Y S such that every trace satisfies ϕ. Our work: Safety LTL synthesis can be reduced to safety games. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 10 / 25

Deterministic Safety Automata (DSA) Every Safety LTL formula can be converted to a DSA: start {y 2}, {x 2, y 2} {x 1, y 1}, {x 2, y 2}, {} s 0 {x 1, x 2, y 1} {x 1, x 2, y 2} {x 1, x 2, y 1}, {x 2, y 1} s 1 {x 1, x 2, y 2}, {x 1, y 2} s 2 {y 1}, {x 1, y 1} Büchi with partial transition function and all states accepting. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 11 / 25

Deterministic Safety Automata (DSA) Every Safety LTL formula can be converted to a DSA: start {y 2}, {x 2, y 2} {x 1, y 1}, {x 2, y 2}, {} s 0 {x 1, x 2, y 1} {x 1, x 2, y 2} {x 1, x 2, y 1}, {x 2, y 1} s 1 {x 1, x 2, y 2}, {x 1, y 2} s 2 {y 1}, {x 1, y 1} Run is accepting iff never takes an undefined transition (bad prefix). Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 11 / 25

Safety Games start {y 2}, {x 2, y 2} {x 1, y 1}, {x 2, y 2}, {} s 0 {x 1, x 2, y 1} {x 1, x 2, y 2} {x 1, x 2, y 1}, {x 2, y 1} s 1 {x 1, x 2, y 2}, {x 1, y 2} s 2 {y 1}, {x 1, y 1} Environment controls input variables X, wins if automaton rejects. System controls output variables Y, wins if automaton never rejects. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 12 / 25

Safety Games for Safety LTL Synthesis Winning strategy for the system encodes solution to Safety LTL synthesis: System wins Automaton never rejects No undefined transition No bad prefix Formula is satisfied Safety games can be solved efficiently: linear time in size of game graph. Our goal: Efficient techniques for Safety LTL synthesis via safety games. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 13 / 25

First Approach: Horn-SAT Key idea: Reduce safety games to Horn-SAT. Horn-SAT Given a boolean formula ϕ = ϕ 1... ϕ m where every ϕ i is of the form (p 1... p n ) q, is ϕ satisfiable? Horn-SAT can be solved in linear time by SAT solvers using constraint propagation. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 14 / 25

First Approach: Horn-SAT Key idea: Reduce safety games to Horn-SAT. 1. Use SPOT (Duret-Lutz, et al; 2016): LTL to Büchi automata. Safety LTL is special case of LTL. Safety automaton is special case of Büchi automaton. 2. Encode safety game as Horn formula. Satisfying assignment encodes winning strategy. 3. Solve Horn-SAT using SAT solver. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 14 / 25

The State Explosion Problem Safety LTL Safety Automaton Horn-SAT Strategy Linear Linear Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 15 / 25

The State Explosion Problem Safety LTL Safety Automaton Horn-SAT Strategy 2EXPTIME Linear Linear Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 15 / 25

The State Explosion Problem Safety LTL Safety Automaton Horn-SAT Strategy 2EXPTIME Linear Linear Solution: Represent the safety automaton symbolically using Binary Decision Diagrams (BDDs). State space of size n encoded using log 2 (n) boolean variables Z. Every state represented by an assignment 2 Z. Transition function as boolean function 2 X 2 Y 2 Z 2 Z. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 15 / 25

Second Approach: Symbolic Safety LTL Synthesis Key idea: Leverage tools for symbolic construction of automata over finite words. MONA (Henrikson, et al; 1995): First-Order Logic over finite words to symbolic Deterministic Finite Automata (using BDDs). Safety LTL: like LTL, interpreted over infinite words. However: every falsifying trace of ϕ has finite bad prefix. {q}, {q},..., {q}, {}, {p},... = prq Therefore: can translate ϕ to FOL over finite bad prefixes. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 16 / 25

Finite Automaton to Safety Automaton MONA constructs DFA for the bad prefixes of ϕ: {y 2}, {x 2, y 2} {x 1, y 1}, {x 2, y 2}, {} s 0 {x 1, x 2, y 1} {x 1, x 2, y 2} {x 1, x 2, y 1}, {x 2, y 1} s 1 {x 1, x 2, y 2}, {x 1, y 2} s 3 s 2 {y 1}, {x 1, y 1} Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 17 / 25

Finite Automaton to Safety Automaton By deleting bad states, we can view DFA as DSA for ϕ: {y 2}, {x 2, y 2} {x 1, y 1}, {x 2, y 2}, {} s 0 {x 1, x 2, y 1} {x 1, x 2, y 2} {x 1, x 2, y 1}, {x 2, y 1} s 1 {x 1, x 2, y 2}, {x 1, y 2} {y 1}, {x 1, y 1} s 2 Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 17 / 25

Symbolic Safety LTL Synthesis Given Safety LTL formula ϕ: 1. Use MONA to construct symbolic DFA for bad prefixes of ϕ. 2. Interpret symbolic DFA as symbolic DSA. 3. Compute winning states as a fixpoint: 3.1 Start with set of all accepting states. 3.2 At each step, remove states where Environment can move to bad state. 3.3 Stop when fixpoint is reached. 4. Compute strategy as a boolean function using boolean-synthesis procedure (Fried, Tabajara, Vardi; CAV 2016). Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 18 / 25

Two Approaches for Safety LTL Synthesis Explicit synthesis framework: Safety LTL Safety Automaton Horn-SAT Strategy Symbolic synthesis framework: Safety LTL Symbolic DFA Symbolic DSA Strategy Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 19 / 25

Experimental Evaluation Comparison between: Explicit approach using Horn-SAT. SSyft tool implementing symbolic approach. LTL Synthesis tools Unbeast (Ehlers; 2010) and Acacia+ (Bohy, et al; 2012). Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 20 / 25

Benchmarks LoadBalancer formulas from (Ehlers; 2010): Converted to Negation Normal Form. Since not all formulas are safe, expanded Until operator: Not safe: ϕ 1 Uϕ 2 Expansion length 0: ϕ 2 Expansion length 1: ϕ 2 (ϕ 1 X ϕ 2 ) Expansion length 2: ϕ 2 (ϕ 1 X (ϕ 2 (ϕ 1 X ϕ 2 )))... Varied expansion length. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 21 / 25

Symbolic Approach Dominates 400 350 SSyft Acacia+ Horn_SAT Unbeast Number of solved cases 300 250 200 150 100 50 0 0 10 20 30 40 50 60 Total time Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 22 / 25

Symbolic Approach Dominates 100 80 Solved cases of LoadBalancer SSyft Horn_SAT Acacia+ Unbeast 60 40 20 0 0 1 2 3 4 Expansion length Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 22 / 25

Summary Contribution: Two frameworks for Safety LTL synthesis - explicit and symbolic. Results: Symbolic framework outperforms tools for general LTL synthesis. Conclusion: Can benefit from focusing on specific LTL fragments for synthesis. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 23 / 25

Future Work On-the-fly synthesis to avoid bottleneck of automaton construction. Comparison with other LTL fragments, such as GR(1) (Bloem, Jobstmann, Piterman, Pnueli; 2012). Safety games as a subproblem of general LTL synthesis. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 24 / 25

Questions? Explicit synthesis framework: Safety LTL Safety Automaton Horn-SAT Strategy Symbolic synthesis framework: Safety LTL Symbolic DFA Symbolic DSA Strategy Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 25 / 25

Extra Slides Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 26 / 25

Safety LTL vs. GR(1) GR(1) formula: (θ e Gρ e GF ϕ e 1... GF ϕ e m) (θ s Gρ s GF ϕ s 1... GF ϕ s n) For α {e, s}: θ α : Safety Gρ α : Safety GF ϕ α : Non-safety A GR(1) formula with m = n = 0 is a safety formula. Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 27 / 25

Safety Game to Horn-SAT Given a Safety Automaton A = (2 P, S, s 0, δ), build a Horn formula where: Variables encode bad states: b s : b (s,x,y ) : s is a losing state for the System Y is a losing move of the System on state s for input X Constraints encode bad transitions: b (s,x,y ), for δ(s, X Y ) undefined (1) b s b (s,x,y ), for δ(s, X Y ) = s (2) ( ) b (s,x,y ) b s, for every s S, X 2 X (3) Y Y b s0 (4) Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 28 / 25

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback