# ???? ?? PowerPoint

Document Sample

```					Synthesis of Reactive systems

Orna Kupferman   Hebrew University

Moshe Vardi   Rice University
Is the system correct?
Formal Verification:

System            A mathematical model M
Desired behavior  A formal specification 

It Works!
The system has
the required
M satisfies 
behavior

But…
Model checking
even to design design correct systems:
It’s hard harder to systems:
Synthesis:

Input: a specification .
Output: a system satisfying .

WOW!!!
An unusual effectiveness of logic in
computer science!
Synthesis:
Input: a specification .
Output: a system satisfying .
truth assignment
Input: pq.
for pq.
Output: p,q

synthesis           satisfiability
Synthesis
Satisfiability of temporal logic specifications:

Is GpFp   2AP
A state of the system:satisfiable?
p,q

A computations of the system:   )2       AP   (

p,q        p           q         p,q

A specification: L  )2   AP   (

specifications  languages
The automata-theoretic approach:
An LTL specification .

LTL  nondeterministic                       is satisfiable
Büchi word automata       [VW86]

A is nonempty
An automaton A.
L(A)=  :  satisfies  

 =G (req XF grant)
req
A:

req                                             req grant

req  grant
Date: Mon, 28 Dec 92 18:12:25 PST
To: ornab@cs.technion.ac.il (Orna Bernholtz)

Yes, the VW86 algorithm can be easily extended to give you a finite
representation of an accepting run. Thus, it can be used as a synthesis algorithm.
You can view this as the automata-theoretic prespective on the
Clarke&Emerson-style synthesis. For further elaboration on this perspective, see
the paper by P. Wolper: On the relations of programs and computations to
models of temporal logic, LNCS 398, 1989.
Moshe

P.S. Let me know if you’d like me to mail you the paper.
An example:                                   user 1

user 2
1. Whenever user i sends a job, the job is
eventually printed.
2. The printer does not serve the two users
simultaneously.

1. G(j1  F p1)  G(j2  F p2)
2. G((p1)  (p2))

Let’s synthesize a scheduler that
satisfies the specification …
Satisfiability of         such a scheduler exists?
NO!

A model for           help in constructing a scheduler?

NO!

j1 j2 p1 p2

A model for : a scheduler that is guaranteed to
satisfy  for some input sequence.

Wanted: a scheduler that is guaranteed to
satisfy  for all input sequences.
Closed vs. open systems

Closed system: no input!

o0, 2,…,o2
o1, o1
o0, o1,oo0, o0i

all input sequences=some input sequence

synthesis             satisfiability
Closed vs. open systems

Open system: interacts with an environment!
o0
o1=f(i0)             i0
o2=f(i0,i1)             i1
o3=f(i0,i1,i2)            i2

AP=IO

f:(2I)*  2O
An open system: labeled state-transition graph
Closed vs. open systems

Open system: f:(2I)*  2O

In the printer example: I={j1,j2}, O={p1,p2}

f:({{},{j1},{j2},{j1,j2}})* {{},{p1},{p2},{p1,p2}}

synthesis                  satisfiability
A computation of f:
(f())  (i0,f(i0))  (i1,f(i0,i1))  (i2,f(i0,i1,i2))  …

A path in the computation tree,
(2IO)         which embodies all computations:

The computation tree of f (|I|=2):
2IO-labeled 2I-tree
I-exhaustive
f()
00        01           10          11

f(00)         f(01)           f(10)             f(11)
A computation of f:
(f())  (i0,f(i0))  (i1,f(i0,i1))  (i2,f(i0,i1,i2))  …

A path in the computation tree,
(2IO)        which embodies all computations:

The specification  is realizable if
there is f:(2I)*2O such that all the
computations of f satisfy .

 is satisfiable        
        is realizable ?
NO!
Yes! (for all  exists)
Date: Thu, 27 Jan 94 13:46:43 IST
From: ornab@cs.technion.ac.il (Orna Bernholtz)
To: vardi@cs.rice.edu
Subject: Church’s problem

We mentioned it in the summer. You referred me to Pnueli and Rozner
work about “synthesis as a game between the environment and the
system”.
Orna
women    men

proofs       bugs

love(x,y)

in(x,y)

R           R

16      4
y2=x
Suppose that we have…
f: women  men
love(x,f(x))

f: proofs  bug
in(x,f(x))

f: R  R
16   4
f2(x)=x

Can we find such f?
Church’s problem       1963

X          Y

RX  Y

Can we find f: X  Y such that
R(x,f(x)) for every x  X?

Any f: does every x have y
such that R(x,y)?

We will search for a “constructable” f.
Synthesis:

X                  Y
(2I)           (2O)

R (2I) (2O)
R (2IO)
An LTL formula
constructable         over I  O

Can we find f: (2   (2 O such that
Can we find f: (2I)I)*  2O) such that
R(x,f(x)) for every   satisfy
all the computations ofxf (2I) ? ?
Synthesis:
Branching
Linear
appraoch:         X            Y
(2I)       (2O)

CTL* formula
An LTL formula
 over I  O

Can we find f: (2)**  2 ) such that
Can we find (2I)       (2 O such that
Can we find f:f: (2II) 2OOsuch that
all computation tree
R(x,f(x)) for every  satisfy ?
satisfies
the the computations ofxf (2I) ? ?
Date: Sat, 6 Jan 1996 10:28:16 CST
From: Moshe Vardi vardi@cs.rice.edu
To: ok@research.att.com

We need some motivation for the branching specs. I think Antioniotti looked at
synthesis with CTL specs, but I am not sure that he fully solved it.
Didn’t I give you some of his papers?
Moshe

“Whenever user 1 sends a job, the printer may print it”
AG(j1  EFp1)

Exists an input
sequence…
Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88]

For linear
specifications

We easily extend
to branching
specifications
Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88]

Given a CTL* specification  over IO:
1. Construct an automaton A on 2IO-labeled
2I-trees such that A accepts exactly all the
trees that satisfy .
2. Construct an automaton AI-exh on 2IO-labeled
2I-trees such that AI-exh accepts exactly all
the I-exhaustive trees.

A tree accepted by both A and AI-exh :
f: (2I)*  2O whose computation tree satisfies !

3. Check A  AI-exh for emptiness.
(with respect to regular trees)
Synthesis with incomplete information:

“The printer should not print
papers containing bugs.”
Hidden information, unknown to the system!

•Partial observability…
•Internal signals…
•Incomplete information…

The system does not see the full picture!
The system does not see the full picture!

Still has to be correct
with respect to the most
hostile environment
Synthesis with incomplete information:

“The printer should not print
papers containing bugs.”
Hidden information, unknown to the system!
The setting:
•I: input signals       Independent of H…
•O: output signals
•H: hidden signals.              What about the
computation tree?
A strategy for the system:
f:(2I)*  2O
The system’s computation tree:



0                       1

00               01          10              11

complete information:
For someone that has incomplete information:
A tree with a binary
A tree with branching
I={job},
I={job} H={bug}
branching degree
degree four
x2H={{},{job}}x{{},{bug}}
2I={{},{job}}
The system’s computation tree:



00 0 01                        1
10 0   11

00                01          10                11

For someone that has complete information:
I={job}, H={bug}
2I x2H={{},{job}}x{{},{bug}}
The system’s computation tree:

2I-tree
The thin tree:
0                              1

What the
system sees                        00            01               10                 11


The fat tree:                                                                             2IH-tree
00               01                     10                      11

0000    0001   0100   0101    0010   0011   0110   0111       1000    1001       1100    1101     1010   1011   1110   1111

What reality is; the thing that should satisfy .
The system’s computation tree:

The thin tree:
0                              1

00            01               10                 11


The fat tree:
00               01                     10                      11

0000    0001   0100   0101    0010   0011   0110   0111       1000    1001       1100    1101     1010   1011   1110   1111

indistinguishable                     A consistent tree: indistinguishable
by the system                       nodes agree on their label.
Solving the synthesis problem:

Given a CTL* specification  over IOH :
1. Construct an automaton A on 2IOH -labeled
2IH -trees such that A accepts exactly all the
trees that satisfy .
2. Construct an automaton Aexh on 2IOH -labeled
2IH -trees such that Aexh accepts exactly all
the consistent (IH)-exhaustive trees.

A tree accepted by both A and Aexh :
f: (2I)*  2O whose fat computation tree satisfies !

3. Check A  Aexh for emptiness.
(with respect to regular trees)
Solving the synthesis problem:

Given a CTL* specification  over IOH :
1. Construct an automaton A on 2IOH -labeled
2IH -trees such that A accepts exactly all the
trees that satisfy .
2. Construct an automaton Aexh on 2IOH -labeled
2IH -trees such that Aexh accepts exactly all
the consistent (IH)-exhaustive trees.

A tree accepted by both A and Aexh :
f: (2I)*  2O whose fat computation tree satisfies !

3. Check A  Aexh for emptiness.
(with respect to regular trees)
Consistency is not a regular property!

consistent
The idea:
Wanted:    is there a fat tree that is both
good and consistent?
   We cannot check whether a tree is
consistent.
   There is a transformation
g:thin trees  fat trees
that generates only consistent fat trees.
   So we check: is there a thin tree t such
that g(t) is good?

Unusual effectiveness of alternating automata!
Solving the synthesis problem:

Given a CTL* specification  over IOH :

Construct an alternating automaton A
on 2IO -labeled 2I -trees such that
A accepts an I-exhaustive (thin)
tree iff its fat version satisfies .

A tree accepted by A:
f: (2I)*  2O whose fat computation tree satisfies !

Check A for emptiness.
(with respect to regular trees)
Complexity:
Satisfiability:
•LTL: PSPACE-complete.
•CTL: EXPTIME-complete.
•CTL*: 2EXPTIME-complete.

Synthesis with complete information:      A is a Rabin automaton
with exponentially many
•LTL: 2EXPTIME-complete.                  states and a linear index
•CTL: EXPTIME-complete.
•CTL*: 2EXPTIME-complete.

Synthesis with incomplete information:
•LTL: 2EXPTIME-complete.                 A is a Büchi automaton
with linearly many states
•CTL: EXPTIME-complete.
•CTL*: 2EXPTIME-complete.
So far…

O                     I

...systems with a single component.
Let’s synthesis five dining philosophers.

HMMMM…
Synthesis of distributed systems:

P0

P1          P2

P3

Each process Pi has Ii, Oi, and Hi
An architecture:
•I0Oenv           •I2O0
•I1Oenv           •I3O1 O2
Synthesis of distributed systems:

Input:
•   A specification  over IOH.
•   An architecture A.

Output:

Strategies fi: (2Ii)* 2IiHi
such that their composition
satisfies  (if exist).

composition??
Solving synthesis of distributed systems:

Pnueli Rozner 90: distributed systems are hard to
synthesize; undecidable in the general case.

P0      P1

can simulate a Turing machine.

Two independent input streams
Two player games with incomplete information
[Peterson Reif 79]
Solving synthesis of distributed systems:

[PR90]:hierarchical architectures are decidable.

P0       P1       P2               Pn
Date: Sat, 6 Feb 1999 10:34:25 –0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

In fact, I think we might be able to handle even a more general case,
where I_j \subset O_{j_1} \cup O_{j+1}, which allows information to
flow up and down the chain.
Moshe

Date: Sun, 7 Feb 1999 17:07:19 +0200
From: Orna Kupferman <orna@cs.huji.ac.il>
To: vardi@cs.rice.edu
Subject: Re: hierarchies

We should be able to generalize even more… …the dependencies
induce a flow that alternating automata can handle.
Orna
Solving synthesis of distributed systems:

[PR90]:hierarchical architectures are decidable.

P0       P1       P2               Pn

[KV00]:using alternating automata:

One/two-way chains are decidable.

P0       P1       P2               Pn

One/two-way rings are decidable.
P0       P1       P2               Pn
Date: Sun, 7 Feb 1999 22:17:29 –0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

This is nice because these architectures are actually quite realistic. In
communication protocol architecture, we typically have layers, where the
upper layer is the application layer and the lower level is the physical
layer, and information flows between the layers.
Moshe
The solution:
1. A specification   an alternating automaton A.
2. Reapet:

A and an architecture with n components.

A’ (of size exponential in A) and an
architecture with n-1 components.

Complexity:
nonelementary.
Date: Mon, 8 Feb 1999 14:18:13 –0600 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: ornak@cs.huji.ac.il
Subject: Re: hierarchies

BTW, regarding the nonelementary complexity, we can cite the MONA
experience that shows that nonelementary algorithms can nevertheless be
practical, since the worst-case complexity does not always arise.
Moshe

Synthesis is not
harder than
verification!
How come? Verification is
linear in the system and at
most exponential in the
specification.
Input to verification: M and .
Input to synthesis:  and A.

[Rozner92]: a specification  such that
the smallest system satisfying  has a
nonelementary size.
Other related work:

Synthesis against a non-maximal environment.
The computatin tree may not be I-exhaustive; makes a
difference for existential requirements [joint work with

-calculus synthesis.
Many technical problems…
Date: Thu, 27 Aug 1998 12:08:42 –0500 (CST)
From: Moshe Vardi <vardi@cs.rice.edu>
To: orna@eecs.berkeley.edu

I think we are done.
Moshe

```
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
 views: 0 posted: 2/7/2013 language: English pages: 52
How are you planning on using Docstoc?