Synthesis of Reactive systems - PowerPoint PPT Presentation
Slides: 53
Provided by: ornakup

Transcript and Presenter's Notes

1
Synthesis of Reactive systems
Orna Kupferman, Hebrew University
Moshe Vardi, Rice University
2
Is the system correct?
3
Formal Verification
System → a mathematical model M
Desired behavior → a formal specification ψ
Model checking: does M satisfy ψ? It works!
But...
4
It's hard to design systems.
It's even harder to design correct systems.
5
Synthesis
Input: a specification ψ. Output: a system satisfying ψ.
WOW!!! An unusual effectiveness of logic in computer science!
6
Synthesis
Input: a specification ψ. Output: a system satisfying ψ.
Input: p ∧ q. Output: {p, q}
7
Synthesis of temporal logic specifications
Satisfiability: is Gp ∧ F¬p satisfiable?
A specification is a language L ⊆ (2^AP)^ω
specifications ≈ languages
8
The automata-theoretic approach
9
Date: Mon, 28 Dec 92 18:12:25 PST
From: Moshe Vardi <vardi@almaden.ibm.com>
To: ornab@cs.technion.ac.il (Orna Bernholtz)

Yes, the VW86 algorithm can be easily extended to give you a finite
representation of an accepting run. Thus, it can be used as a synthesis
algorithm. You can view this as the automata-theoretic perspective on the
Clarke-Emerson-style synthesis. For further elaboration on this
perspective, see the paper by P. Wolper, "On the relations of programs and
computations to models of temporal logic", LNCS 398, 1989.
Moshe
P.S. Let me know if you'd like me to mail you the paper.
10
An example
  • Whenever user i sends a job, the job is eventually printed:
    G(j1 → F p1) ∧ G(j2 → F p2)
  • The printer does not serve the two users simultaneously:
    G((¬p1) ∨ (¬p2))

Let's synthesize a scheduler that satisfies the specification ψ.
11
Satisfiability of ψ ⇒ such a scheduler exists? NO!
A model for ψ ⇒ help in constructing a scheduler? NO!
A model for ψ = a scheduler that is guaranteed to satisfy ψ for some
input sequence.
Wanted: a scheduler that is guaranteed to satisfy ψ for all input
sequences.
12
Closed vs. open systems
Closed system: no input!
The single computation: o0, o1, o2, ..., oi, ...
(all input sequences = some input sequence)
13
Closed vs. open systems
Open system: interacts with an environment!
o0
i0 → o1 = f(i0)
i1 → o2 = f(i0, i1)
i2 → o3 = f(i0, i1, i2)
AP = I ∪ O
f: (2^I)* → 2^O
An open system = labeled state-transition graph
14
Closed vs. open systems
Open system: f: (2^I)* → 2^O
In the printer example: I = {j1, j2}, O = {p1, p2}
f: {∅, {j1}, {j2}, {j1, j2}}* → {∅, {p1}, {p2}, {p1, p2}}

16
The specification ψ is realizable if there is f: (2^I)* → 2^O such that
all the computations of f satisfy ψ.
ψ is satisfiable ⇒ ψ is realizable? NO!
ψ is realizable ⇒ ψ is satisfiable? Yes! (∀ implies ∃)
17
Date: Thu, 27 Jan 94 13:46:43 IST
From: ornab@cs.technion.ac.il (Orna Bernholtz)
To: vardi@cs.rice.edu
Subject: Church's problem

We mentioned it in the summer. You referred me to Pnueli and Rosner's
work about synthesis as a game between the environment and the system.
Orna
19
Suppose that we have
f: women → men, love(x, f(x))
f: proofs → bugs, bug-in(x, f(x))
f: ℝ → ℝ, f(x)² = x (e.g., 16 ↦ 4)
Can we find such f?
20
Church's problem [1963]
We will search for a constructible f.
21
Synthesis
R ⊆ (2^I)^ω × (2^O)^ω
R ⊆ (2^{I∪O})^ω
An LTL formula ψ over I ∪ O
Can we find f: (2^I)^ω → (2^O)^ω such that R(x, f(x)) for every
x ∈ (2^I)^ω?
Can we find f: (2^I)* → 2^O such that all the computations of f
satisfy ψ?
22
Synthesis
Linear approach: an LTL formula ψ over I ∪ O
Branching approach: a CTL formula ψ over I ∪ O
Can we find f: (2^I)^ω → (2^O)^ω such that R(x, f(x)) for every
x ∈ (2^I)^ω?
Can we find f: (2^I)* → 2^O such that all the computations of f
satisfy ψ?
Can we find f: (2^I)* → 2^O such that the computation tree of f
satisfies ψ?
23
Date: Sat, 6 Jan 1996 10:28:16 CST
From: Moshe Vardi <vardi@cs.rice.edu>
To: ok@research.att.com

We need some motivation for the branching specs. I think Antoniotti
looked at synthesis with CTL specs, but I am not sure that he fully
solved it. Didn't I give you some of his papers?
Moshe

Whenever user 1 sends a job, the printer may print it: AG(j1 → EF p1)
Exists an input sequence
24
Solving the synthesis problem [Rabin 70, Pnueli Rosner 88]
25
Solving the synthesis problem [Rabin 70, Pnueli Rosner 88]
  • Given a CTL specification ψ over I ∪ O
  • Construct an automaton A_ψ on 2^{I∪O}-labeled 2^I-trees such that
    A_ψ accepts exactly all the trees that satisfy ψ.
  • Construct an automaton A_{I-exh} on 2^{I∪O}-labeled 2^I-trees such
    that A_{I-exh} accepts exactly all the I-exhaustive trees.

A tree accepted by both A_ψ and A_{I-exh} = f: (2^I)* → 2^O whose
computation tree satisfies ψ!
  • Check A_ψ ∩ A_{I-exh} for emptiness (with respect to regular trees).


26
Synthesis with incomplete information
The printer should not print papers containing
bugs.
Hidden information, unknown to the system!
  • Partial observability
  • Internal signals
  • Incomplete information

The system does not see the full picture!
27
The system does not see the full picture!
Still has to be correct with respect to the most
hostile environment
28
Synthesis with incomplete information
The printer should not print papers containing bugs.
Hidden information, unknown to the system!
  • The setting
  • I: input signals
  • O: output signals
  • H: hidden signals

A strategy for the system: f: (2^I)* → 2^O
29
For someone that has incomplete information:
I = {job}, 2^I = {∅, {job}}
For someone that has complete information:
I = {job}, H = {bug}, 2^{I∪H} = {∅, {job}, {bug}, {job, bug}}
A tree with branching degree four
30
For someone that has complete information:
I = {job}, H = {bug}, 2^{I∪H} = {∅, {job}, {bug}, {job, bug}}
31
The system's computation tree
The thin tree (branching over 2^I; figure: nodes 0, 1, 00, 01, 10, 11, ...)
32
The system's computation tree
The thin tree (figure: nodes 0, 1, 00, 01, 10, 11, ...)
⇒
The fat tree (branching over 2^{I∪H}; figure: nodes 00, 01, 10, 11,
0000, 0001, ..., 1111)
A consistent tree: nodes that are indistinguishable by the system agree
on their label.
34
Solving the synthesis problem
  • Given a CTL specification ψ over I ∪ O ∪ H
  • Construct an automaton A_ψ on 2^{I∪O∪H}-labeled 2^{I∪H}-trees such
    that A_ψ accepts exactly all the trees that satisfy ψ.
  • Construct an automaton A_exh on 2^{I∪O∪H}-labeled 2^{I∪H}-trees such
    that A_exh accepts exactly all the consistent (I∪H)-exhaustive trees.

A tree accepted by both A_ψ and A_exh = f: (2^I)* → 2^O whose fat
computation tree satisfies ψ!
  • Check A_ψ ∩ A_exh for emptiness (with respect to regular trees).


35
Consistency is not a regular property!
36
The idea
  • Wanted: is there a fat tree that is both good and consistent?
  • We cannot check whether a tree is consistent.
  • There is a transformation g: thin trees → fat trees that generates
    only consistent fat trees.
  • So we check: is there a thin tree t such that g(t) is good?

The automaton reads t, but pretends to read g(t). Unusual effectiveness
of alternating automata!
37
Solving the synthesis problem
  • Given a CTL specification ψ over I ∪ O ∪ H
  • Construct an alternating automaton A_ψ on 2^{I∪O}-labeled 2^I-trees
    such that A_ψ accepts an I-exhaustive (thin) tree iff its fat version
    satisfies ψ.

A tree accepted by A_ψ = f: (2^I)* → 2^O whose fat computation tree
satisfies ψ!
  • Check A_ψ for emptiness (with respect to regular trees).
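The game view of slides 11 to 16 and 25 to 37, as an added worked example that is not code from the talk or from its authors: a small Python solver for the safety fragment of the problem. It keeps the talk's convention that the system is f: (2^I)* → 2^O, so each output is committed before the current input is revealed, and it handles hidden signals H with the standard knowledge (subset) construction rather than the alternating-automata construction the slides use; liveness requirements such as G(j1 → F p1) are outside its scope. The specification automata ECHO, DELAYED_ECHO and the two printer variants, and the signal names j, p, job, bug and print, are constructed for this example and do not come from the slides. Running it shows the three points the slides make: G(p ↔ j) has a model yet no strategy, G(j ↔ X p) is realizable and its extracted strategy can be executed, and the printer spec with a hidden bug signal is unrealizable while the same spec with bug observable is realizable.

```python
"""Safety-game realizability with hidden signals (knowledge construction).
As in the talk, a system is f: (2^I)* -> 2^O: it commits to each output
BEFORE the current input is revealed (slide 13: o1 = f(i0), o2 = f(i0, i1)).
A spec is a deterministic safety automaton over letters L ⊆ I ∪ H ∪ O;
delta(state, L) returns the successor state, or None on a violation."""
from collections import namedtuple
from itertools import combinations

SafetySpec = namedtuple("SafetySpec", "I O H init delta")

def powerset(signals):  # the alphabet 2^S, as frozensets
    s = sorted(signals)
    return [frozenset(c) for r in range(len(s) + 1) for c in combinations(s, r)]

def holds_on(spec, letters):
    """True if a finite joint trace never violates spec (a prefix of a model)."""
    s = spec.init
    for L in letters:
        s = None if s is None else spec.delta(s, L)
    return s is not None

def solve(spec):
    """Knowledge state K = set of automaton states compatible with the visible
    inputs so far (subset construction; with H empty every K is a singleton and
    this is the plain safety game).  Returns (win, strategy, succ); strategy is
    None iff the spec is unrealizable."""
    outs, ins, hids = powerset(spec.O), powerset(spec.I), powerset(spec.H)

    def step(K, o, i):
        # Knowledge after playing o and observing i; None if ANY compatible run
        # violates the spec (the environment controls h and will pick that run).
        nxt = set()
        for s in K:
            for h in hids:
                t = spec.delta(s, i | h | o)
                if t is None:
                    return None
                nxt.add(t)
        return frozenset(nxt)

    K0 = frozenset([spec.init])
    succ, todo = {}, [K0]  # succ[K][o] = {i: K'}, or None if o loses at once
    while todo:
        K = todo.pop()
        succ[K] = {}
        for o in outs:
            table = {}
            for i in ins:
                K2 = step(K, o, i)
                if K2 is None:
                    table = None
                    break
                table[i] = K2
            succ[K][o] = table
            todo += [K2 for K2 in (table or {}).values()
                     if K2 not in succ and K2 not in todo]

    def safe_choice(K, win):  # an output keeping every successor inside win
        for o, table in succ[K].items():
            if table is not None and all(K2 in win for K2 in table.values()):
                return o
        return None

    win = set(succ)  # greatest fixpoint: drop states that have no safe output
    while True:
        losing = {K for K in win if safe_choice(K, win) is None}
        if not losing:
            break
        win -= losing
    strategy = {K: safe_choice(K, win) for K in win} if K0 in win else None
    return win, strategy, succ

def run(spec, visible, hidden):
    """Drive the synthesized system along one trace; re-check the real run."""
    _, strategy, succ = solve(spec)
    K, s, outputs = frozenset([spec.init]), spec.init, []
    for i, h in zip(visible, hidden):
        o = strategy[K]  # committed before i is revealed
        outputs.append(o)
        s = spec.delta(s, i | h | o)
        assert s is not None, "synthesized system violated its spec"
        K = succ[K][o][i]
    return outputs

# Constructed example specs (assumptions of this example, not the talk's).
# G(p <-> j), echo the CURRENT input: satisfiable (the all-empty trace is a
# model) but unrealizable, since o_k is fixed before i_k is known.
ECHO = SafetySpec({"j"}, {"p"}, (), "ok",
                  lambda s, L: "ok" if ("p" in L) == ("j" in L) else None)
def delayed_delta(s, L):  # G(j <-> X p): state = last input, None at first
    return None if s is not None and s != ("p" in L) else ("j" in L)
DELAYED_ECHO = SafetySpec({"j"}, {"p"}, (), None, delayed_delta)
# Slide 26's printer: G((job ∧ ¬bug) -> X print) ∧ G(bug -> X ¬print), encoded
# as the obligation the last letter imposes on the next output.
def printer_delta(s, L):
    printing = "print" in L
    if (s == "must" and not printing) or (s == "mustnot" and printing):
        return None
    return "mustnot" if "bug" in L else "must" if "job" in L else "any"
PRINTER_HIDDEN_BUG = SafetySpec({"job"}, {"print"}, {"bug"}, "any", printer_delta)
PRINTER_SEES_BUG = SafetySpec({"job", "bug"}, {"print"}, (), "any", printer_delta)
```

solve returns the winning knowledge states together with a memoryless strategy over them; that strategy is the finite representation of a system f that the automata-theoretic approach extracts from a non-empty automaton. The "for all input sequences" check is the fixpoint over the environment's choices; run only exercises one concrete trace and is a sanity check, not the proof. With H non-empty the knowledge states are subsets of automaton states, which is where the exponential of the incomplete-information case comes from.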
38
Complexity
  • Satisfiability
    • LTL: PSPACE-complete.
    • CTL: EXPTIME-complete.
    • CTL*: 2EXPTIME-complete.
  • Synthesis with complete information
    • LTL: 2EXPTIME-complete.
    • CTL: EXPTIME-complete.
    • CTL*: 2EXPTIME-complete.
  • Synthesis with incomplete information
    • LTL: 2EXPTIME-complete.
    • CTL: EXPTIME-complete.
    • CTL*: 2EXPTIME-complete.


39
So far
...systems with a single component (figure: one box with inputs I and
outputs O).
HMMMM
40
Synthesis of distributed systems
Each process P_i has I_i, O_i, and H_i (figure: processes P_i)
41
Synthesis of distributed systems
  • Input
  • A specification ψ over I ∪ O ∪ H.
  • An architecture A.

Output: strategies f_i: (2^{I_i})* → 2^{O_i} such that their composition
satisfies ψ (if they exist).
42
Solving synthesis of distributed systems
[Pnueli Rosner 90]: distributed systems are hard to synthesize:
undecidable in the general case (the processes can simulate a Turing
machine).
43
Solving synthesis of distributed systems
[PR90]: hierarchical architectures are decidable.
(figure: a hierarchy of processes P0, P1, P2)
44
Date: Sat, 6 Feb 1999 10:34:25 -0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

In fact, I think we might be able to handle even a more general case,
where I_j \subset O_{j-1} \cup O_{j+1}, which allows information to flow
up and down the chain.
Moshe
45
Solving synthesis of distributed systems
[PR90]: hierarchical architectures are decidable.
[KV00]: using alternating automata,
  • one/two-way chains are decidable;
  • one/two-way rings are decidable.
(figure: processes P0, P1, P2, ..., Pn arranged as a chain and as a ring)
46
Date: Sun, 7 Feb 1999 22:17:29 -0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

This is nice because these architectures are actually quite realistic.
In communication protocol architecture, we typically have layers, where
the upper layer is the application layer and the lower level is the
physical layer, and information flows between the layers.
Moshe
47
  • The solution
  • A specification ψ ⇒ an alternating automaton A_ψ.
  • Repeat:
    A_ψ and an architecture with n components ⇒
    A'_ψ (of size exponential in A_ψ) and an architecture with n-1
    components.

Complexity: nonelementary.
48
Date: Mon, 8 Feb 1999 14:18:13 -0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

BTW, regarding the nonelementary complexity, we can cite the MONA
experience that shows that nonelementary algorithms can nevertheless be
practical, since the worst-case complexity does not always arise.
Moshe
49
More about the nonelementary complexity
Synthesis is not harder than verification!
How come? Verification is linear in the system and at most exponential
in the specification.
50
More about the nonelementary complexity
Input to verification: M and ψ. Input to synthesis: ψ and A.
[Rosner 92]: there is a specification ψ such that the smallest system
satisfying ψ has nonelementary size.
51
Other related work
  • Synthesis against a non-maximal environment. The computation tree
    may not be I-exhaustive; this makes a difference for existential
    requirements (joint work with P. Madhusudan and P.S. Thiagarajan).
  • μ-calculus synthesis. Many technical problems.
52
Date: Thu, 27 Aug 1998 12:08:42 -0500 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: orna@eecs.berkeley.edu

I think we are done.
Moshe