Institute for Applied Information Processing and Communications 1 Karin Greimel Semmering, Open Implication

Institute for Applied Information Processing and Communications 2 Karin Greimel Semmering, Open Implication Outline Context Introduction –LTL specifications, systems –example Formal Definition, Complexity Algorithms –with optimal complexity –Safraless –GR(1) Experimental Results Summary

Institute for Applied Information Processing and Communications 3 Karin Greimel Semmering, Open Implication Big Picture What do HW and SW designers do? 1.Write a specification 2.Implement system 3.Check if sys. realizes spec. 4.Debug Our idea of HW/SW design: 1.Write specification 2.Automatically construct 3.Relax

Institute for Applied Information Processing and Communications 4 Karin Greimel Semmering, Open Implication LTL Specifications Linear Temporal Logic: High level specification language Boolean logic + temporal operators (X, G, F, U) Semantics defined over infinite sequences (= words = traces) Describe behavior of open systems Open system ( = Moore machine = transducer): Interacts with its environment (output and input variables) Examples: controller for elevator, traffic light, arbiter for a bus Definitions: An open system realizes an LTL formula iff all traces of the open system satisfy the formula. Verification: Does a given system realize the specification. Realizability: Is there an open system that realizes a given spec.? Synthesis: Automatically construct an open system realizing the spec..

Institute for Applied Information Processing and Communications 5 Karin Greimel Semmering, Open Implication LTL Specifications - Example Part of a requirement for an arbiter: a... acknowledgement, output variable r... request, input variable f = GF(r) → G(a→X(¬a)) If there is always a request at some point, then always if there is an ack., there is no ack. in the next step. Open system realizing f, all traces satisfy f:

Institute for Applied Information Processing and Communications 6 Karin Greimel Semmering, Open Implication Example Equivalence Are f and g equivalent? Consider w = (a,¬r) ω, w satisfies f but not g. Find an open system which realizes f but not g? f = GF(r) → G(a→X(¬a)) g = G(a→X(¬a)) Not equivalent!

Institute for Applied Information Processing and Communications 7 Karin Greimel Semmering, Open Implication Definitions Motivation: Synthesis of g: find a smaller specification f such that f → o g and synthesise f. Verification of g: find a smaller specification f such that f → o g and f → o g and verify f. Definition: Given two LTL formulas f and g, f open-implies g (f → o g) if all open systems realizing f also realize g. Definition: Given two LTL formulas f and g, f trace-implies g if all traces satisfying f also satisfy g.

Institute for Applied Information Processing and Communications 8 Karin Greimel Semmering, Open Implication Comparison Definition of equivalence of LTL specifications with respect to open systems and with respect to traces. + Open-implication is weaker: f = GF(r) → G(a→X(¬a)) and g = G(a→X(¬a)) are not trace equivalent but open equivalent. - Open-implication has a very high complexity: same complexity as realizability, consider f → o false, 2EXP.

Institute for Applied Information Processing and Communications 9 Karin Greimel Semmering, Open Implication Characteristic f = GF(r) → G(a→X(¬a)) g = G(a→X(¬a)) Not trace equivalent (a,¬r) ω but open equivalent. Start with (a,¬r). Can not continue with a. (a,¬r) ω is f-clairvoyant. The difference between f trace-implies g and f open-implies g are f-clairvoyant words.

Institute for Applied Information Processing and Communications 10 Karin Greimel Semmering, Open Implication Algorithm - Idea Find an open system that realizes f but not g, then ¬(f → o g): –An open system does not realize g iff there exists a trace that satisfies ¬g. Calculate realizability for f and satisfiability for ¬g simultaneously. An open system can be represented by a tree: every trace of the open system corresponds to a path in the tree.

Institute for Applied Information Processing and Communications 11 Karin Greimel Semmering, Open Implication Algorithm with optimal complexity 1) Realizability (2EXP): –f → Deterministic Parity Tree automaton –f realizable iff language of the DPT is not empty –tree accepted by the DPT ≙ open system realizing f 2) Satisfiability (PSPACE): –¬g → Nondeterministic Büchi Word automaton –¬g satisfiable iff language of NBW is not empty –word accepted by the NBW ≙ word satisfying ¬g

Institute for Applied Information Processing and Communications 12 Karin Greimel Semmering, Open Implication Algorithm - Safraless Calculate realizability avoiding Safra’s determinization construction (O. Kupferman and M. Y. Vardi. Safraless decision procedures.): f → Universal Co-Büchi Tree automaton tree accepted by the UCT ≙ open system realizing f UCT → Nondeterministic Büchi Tree automaton with bound k tree accepted by the NBT k ≙ open system of size ≤ k realizing f + easier to implement + incremental approach, useful to find counter examples - does not meet the lower bound

Institute for Applied Information Processing and Communications 13 Karin Greimel Semmering, Open Implication Implementation Consider a subset of LTL: General Reactivity of Rank 1 (GR(1)) (N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs) : g = g e → g s environment assumption → system guaranty Environment assumptions and system guaranties can be represented by deterministic Büchi automata. Example: f = GFr → G(a→X(¬a)) f → o g?: Calculate realizability for f and satisfiability for ¬g simultaneously, by solving a fixpoint formula. Symbolic algorithm in P.

Institute for Applied Information Processing and Communications 14 Karin Greimel Semmering, Open Implication Results of Arbiter Case Study: new → o old R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer: - Automatic hardware synthesis from specification: A case study - Specify, compile, run: Hardware from PSL Time for synthesis new + open implication << time for old synthesis

Institute for Applied Information Processing and Communications 15 Karin Greimel Semmering, Open Implication Summary Defined open implication: –Compared to trace-implication Developed 3 algorithms: –Automata theoretic with optimal complexity –Automata theoretic avoiding Safras construction –Fixpoint formula for GR(1) with implementation Case study

Institute for Applied Information Processing and Communications 16 Karin Greimel Semmering, Open Implication Thank you for your attention References: O. Kupferman and M. Y. Vardi. Safraless decision procedures. In Symposium on Foundations of Computer Science (FOCS’05), pages , N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs. In Proc. Verification, Model Checking and Abstract Interpretation, pages , 2006 R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Automatic hardware synthesis from specifications: A case study. In DATE, R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Specify, compile, run: Hardware from PSL. In 6 th International Workshop on Compiler Optimization Meets Compiler Verification, pages 3-16, 2007.