Synthesis of Reactive systems Orna Kupferman Hebrew University Moshe Vardi Rice University
Is the system correct?
Formal Verification: System A mathematical model M Desired behavior A formal specification The system has the required behavior M satisfies Model checking It Works! But…
It’s hard to design systems:It’s even harder to design correct systems:
Synthesis: Input: a specification . Output: a system satisfying . WOW!!! An unusual effectiveness of logic in computer science!
Synthesis: Input: a specification . Output: a system satisfying . Input: p q. Output: p,q truth assignment for p q. synthesissatisfiability
of temporal logic specifications:SynthesisSatisfiability A specification: L 2) AP ( A state of the system: 2 AP p,q A computations of the system: 2) AP ( p,qpq specifications languages Is Gp F p satisfiable?
An LTL specification . An automaton A . [VW86] L(A )= : satisfies LTL nondeterministic Büchi word automata req req grant req grant req =G (req XF grant) A:A: The automata-theoretic approach: is satisfiable A is nonempty
Date: Mon, 28 Dec 92 18:12:25 PST From: Moshe Vardi To: (Orna Yes, the VW86 algorithm can be easily extended to give you a finite representation of an accepting run. Thus, it can be used as a synthesis algorithm. You can view this as the automata-theoretic prespective on the Clarke&Emerson-style synthesis. For further elaboration on this perspective, see the paper by P. Wolper: On the relations of programs and computations to models of temporal logic, LNCS 398, Moshe P.S. Let me know if you’d like me to mail you the paper.
user 1 user 2 1.Whenever user i sends a job, the job is eventually printed. 2.The printer does not serve the two users simultaneously. 1.G(j1 F p1) G(j2 F p2) 2.G(( p1) ( p2)) Let’s synthesize a scheduler that satisfies the specification … An example:
Satisfiability of such a scheduler exists? NO! A model for help in constructing a scheduler? NO! j1 j2 p1 p2 A model for : a scheduler that is guaranteed to satisfy for some input sequence. Wanted: a scheduler that is guaranteed to satisfy for all input sequences.
Closed vs. open systems Closed system: no input! o0o0 o 0, o 1 o 0, o 1, o 2 o 0, o 1, o 2,…, o i all input sequences=some input sequence synthesissatisfiability
Closed vs. open systems Open system: interacts with an environment! o0o0 o 1 =f(i 0 ) o 2 =f(i 0,i 1 ) o 3 =f(i 0,i 1,i 2 )i2i2 i1i1 i0i0 An open system: labeled state-transition graph AP=I O f:(2 I )* 2 O
Closed vs. open systems Open system: f:(2 I )* 2 O In the printer example: I={j1,j2}, O={p1,p2} f:({{},{j1},{j2},{j1,j2}})* {{},{p1},{p2},{p1,p2}} synthesissatisfiability
f( ) f(01) f(00) f(10)f(11) The computation tree of f (|I|=2): 2 I O -labeled 2 I -tree I-exhaustive A computation of f: (f( )) (i 0,f(i 0 )) (i 1,f(i 0,i 1 )) (i 2,f(i 0,i 1,i 2 )) … A path in the computation tree, which embodies all computations: (2 I O )
The specification is realizable if there is f:(2 I )* 2 O such that all the computations of f satisfy . NO!Yes! (for all exists) is satisfiable is realizable ? is satisfiable is realizable ? A computation of f: (f( )) (i 0,f(i 0 )) (i 1,f(i 0,i 1 )) (i 2,f(i 0,i 1,i 2 )) … A path in the computation tree, which embodies all computations: (2 I O )
Date: Thu, 27 Jan 94 13:46:43 IST From: (Orna Bernholtz) To: Subject: Church’s problem We mentioned it in the summer. You referred me to Pnueli and Rozner work about “synthesis as a game between the environment and the system”. Orna
love(x,y) in(x,y) y 2 =x womenmen proofsbugs RR 16 4
f: women men love(x,f(x)) f: proofs bug in(x,f(x)) f: R R f 2 (x)=x 16 4 Suppose that we have… Can we find such f?
Church’s problem 1963 Any f: does every x have y such that R(x,y)? We will search for a “constructable” f. XY R X Y Can we find f: X Y such that R(x,f(x)) for every x X?
X (2 I ) R (2 I ) (2 O ) Can we find f: (2 I ) (2 O ) such that R(x,f(x)) for every x (2 I ) ? Y (2 O ) R (2 I O ) An LTL formula over I O constructable Can we find f: (2 I ) * 2 O such that all the computations of f satisfy ? Synthesis:
X (2 I ) Can we find f: (2 I ) (2 O ) such that R(x,f(x)) for every x (2 I ) ? Y (2 O ) An LTL formula over I O Can we find f: (2 I ) * 2 O such that all the computations of f satisfy ? Synthesis: Linear appraoch: Branching appraoch: Can we find f: (2 I ) * 2 O such that the computation tree of f satisfies ? CTL* formula
Date: Sat, 6 Jan :28:16 CST From: Moshe Vardi To: We need some motivation for the branching specs. I think Antioniotti looked at synthesis with CTL specs, but I am not sure that he fully solved it. Didn’t I give you some of his papers? Moshe “Whenever user 1 sends a job, the printer may print it” AG(j1 EFp1) Exists an input sequence…
Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88] For linear specifications We easily extend to branching specifications
Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88] Given a CTL* specification over I O: 1.Construct an automaton A on 2 I O -labeled 2 I -trees such that A accepts exactly all the trees that satisfy . 2.Construct an automaton A I-exh on 2 I O -labeled 2 I -trees such that A I-exh accepts exactly all the I-exhaustive trees. A tree accepted by both A and A I-exh : f: (2 I )* 2 O whose computation tree satisfies ! 3.Check A A I-exh for emptiness. (with respect to regular trees)
Synthesis with incomplete information: “The printer should not print papers containing bugs.” Hidden information, unknown to the system! Partial observability… Internal signals… Incomplete information… The system does not see the full picture!
Still has to be correct with respect to the most hostile environment
Synthesis with incomplete information: “The printer should not print papers containing bugs.” Hidden information, unknown to the system! The setting: I: input signals O: output signals H: hidden signals. A strategy for the system: f:(2 I )* 2 O Independent of H…What about the computation tree?
The system’s computation tree: For someone that has incomplete information: I={job} 2 I ={{},{job}} For someone that has complete information: I={job}, H={bug} 2 I x2 H ={{},{job}}x{{},{bug}} A tree with a binary branching degree A tree with branching degree four
The system’s computation tree: For someone that has complete information: I={job}, H={bug} 2 I x2 H ={{},{job}}x{{},{bug}}
The system’s computation tree: The thin tree: The fat tree: What the system sees What reality is; the thing that should satisfy . 2 I -tree 2 I H -tree
The system’s computation tree: The thin tree: The fat tree: indistinguishable by the system A consistent tree: indistinguishable nodes agree on their label.
Solving the synthesis problem: Given a CTL* specification over I O H : 1.Construct an automaton A on 2 I O H -labeled 2 I H -trees such that A accepts exactly all the trees that satisfy . 2.Construct an automaton A exh on 2 I O H -labeled 2 I H -trees such that A exh accepts exactly all the consistent (I H)-exhaustive trees. A tree accepted by both A and A exh : f: (2 I )* 2 O whose fat computation tree satisfies ! 3.Check A A exh for emptiness. (with respect to regular trees)
Solving the synthesis problem: Given a CTL* specification over I O H : 1.Construct an automaton A on 2 I O H -labeled 2 I H -trees such that A accepts exactly all the trees that satisfy . 2.Construct an automaton A exh on 2 I O H -labeled 2 I H -trees such that A exh accepts exactly all the consistent (I H)-exhaustive trees. A tree accepted by both A and A exh : f: (2 I )* 2 O whose fat computation tree satisfies ! 3.Check A A exh for emptiness. (with respect to regular trees)
consistent Consistency is not a regular property!
The idea: Wanted: is there a fat tree that is both good and consistent? We cannot check whether a tree is consistent. There is a transformation g:thin trees fat trees that generates only consistent fat trees. So we check: is there a thin tree t such that g(t) is good? The automaton reads t, but pretends to read g(t). Unusual effectiveness of alternating automata!
Solving the synthesis problem: Construct an alternating automaton A on 2 I O -labeled 2 I -trees such that A accepts an I-exhaustive (thin) tree iff its fat version satisfies . A tree accepted by A : f: (2 I )* 2 O whose fat computation tree satisfies ! Check A for emptiness. (with respect to regular trees) Given a CTL* specification over I O H : Construct an alternating automaton A on 2 I O -labeled 2 I -trees such that A accepts an I-exhaustive (thin) tree iff its fat version satisfies .
Synthesis with complete information: LTL: 2EXPTIME-complete. CTL: EXPTIME-complete. CTL*: 2EXPTIME-complete. Satisfiability: LTL: PSPACE-complete. CTL: EXPTIME-complete. CTL*: 2EXPTIME-complete. Complexity: Synthesis with incomplete information: LTL: 2EXPTIME-complete. CTL: EXPTIME-complete. CTL*: 2EXPTIME-complete. A is a Rabin automaton with exponentially many states and a linear index A is a Büchi automaton with linearly many states
So far… O I...systems with a single component. Let’s synthesis five dining philosophers. HMMMM…
Synthesis of distributed systems: P0P0 P2P2 P1P1 P3P3 Each process P i has I i, O i, and H i An architecture: I 0 O env I 1 O env I 2 O 0 I 3 O 1 O 2
Synthesis of distributed systems: Input: A specification over I O H. An architecture A. Output: Strategies f i : (2 Ii )* 2 Ii Hi such that their composition satisfies (if exist). composition??
Solving synthesis of distributed systems: Pnueli Rozner 90: distributed systems are hard to synthesize; undecidable in the general case. can simulate a Turing machine. Two independent input streams Two player games with incomplete information [Peterson Reif 79] P0P0 P1P1
Solving synthesis of distributed systems: [PR90]:hierarchical architectures are decidable. P2P2 PnPn P0P0 P1P1
Date: Sat, 6 Feb :34:25 –0600 (CST) From: Moshe Vardi To: Subject: Re: hierarchies In fact, I think we might be able to handle even a more general case, where I_j \subset O_{j_1} \cup O_{j+1}, which allows information to flow up and down the chain. Moshe Date: Sun, 7 Feb :07: From: Orna Kupferman To: Subject: Re: hierarchies We should be able to generalize even more… …the dependencies induce a flow that alternating automata can handle. Orna
Solving synthesis of distributed systems: [PR90]:hierarchical architectures are decidable. P2P2 PnPn P0P0 P1P1 [KV00]:using alternating automata: One/two-way chains are decidable. One/two-way rings are decidable. P2P2 PnPn P0P0 P1P1 P2P2 PnPn P0P0 P1P1
Date: Sun, 7 Feb :17:29 –0600 (CST) From: Moshe Vardi To: Subject: Re: hierarchies This is nice because these architectures are actually quite realistic. In communication protocol architecture, we typically have layers, where the upper layer is the application layer and the lower level is the physical layer, and information flows between the layers. Moshe
The solution: 1.A specification an alternating automaton A . 2.Reapet: A and an architecture with n components. A’ (of size exponential in A ) and an architecture with n-1 components. Complexity: nonelementary.
Date: Mon, 8 Feb :18:13 –0600 (CST) From: Moshe Vardi To: Subject: Re: hierarchies BTW, regarding the nonelementary complexity, we can cite the MONA experience that shows that nonelementary algorithms can nevertheless be practical, since the worst-case complexity does not always arise. Moshe
More about the nonelementary complexity: Synthesis is not harder than verification! How come? Verification is linear in the system and at most exponential in the specification.
More about the nonelementary complexity: Input to verification: M and . Input to synthesis: and A. [Rozner92]: a specification such that the smallest system satisfying has a nonelementary size.
Other related work: Synthesis against a non-maximal environment. The computatin tree may not be I-exhaustive; makes a difference for existential requirements [joint work with P. Madhusudan and P.S. Thiagaragan]. -calculus synthesis. Many technical problems…
Date: Thu, 27 Aug :08:42 –0500 (CST) From: Moshe Vardi To: I think we are done. Moshe