Compositional Algorithms for Succinct Safety Games
Romain Brenguier, Guillermo A. Pérez, Jean-François Raskin, Ocan Sankur (ULB), SYNT'15
Reactive Synthesis for circuits
AbsSynthe: https://github.com/gaperez64/AbsSynthe
Figure: a circuit with inputs i1 … i5, outputs o1 … o5 and latches ℓ1, ℓ2, ℓ3; the controller ("Contr.") is the component to be synthesized.
Specification: G(¬(o1 ∧ o2)) ∧ G(i1 → Xo3)
Brenguier, Pérez, Raskin, Sankur (ULB) Compositional Algo. for Succ. Safety Games SYNT’15 2 / 17
Succinct Safety Games
Safety game: ⟨Stat, Actu, Actc, δ, U⟩
Succinct representation: Stat = {0, 1}^L, Actu = {0, 1}^Xu, Actc = {0, 1}^Xc; δ and U are given by And-Inverter Graphs (AIG)
→ standard file format for sequential synchronous circuits
→ used in model checking and synthesis competitions
Figure: an AIG over inputs a1, a2 and latch ℓ1 computing the next-state value ℓ′1 from ∧ nodes and a negation.
The classical algorithm: attractor computation
For the safety game ⟨Stat, Actu, Actc, δ, U⟩:
1. Uncontrollable predecessors: states where the environment can force S in 1 step:
   UPRE(S) = {s | ∃au, ∀ac, δ(s, au, ac) ∈ S}
2. Compute the least fixpoint of UPRE starting from the error states U.
→ if s0 ∈ Stat \ UPRE∗(U), the controller has a winning strategy
Figure: the nested sets U ⊆ UPRE1(U) ⊆ UPRE2(U) ⊆ … ⊆ UPRE∗(U), with s0 outside UPRE∗(U).
Implementation with BDDs
We use Binary Decision Diagrams (BDDs): a data structure to represent Boolean functions, with efficient Boolean operations (∧, ∨, ∀, ∃, …) and equality test.
2 basic approaches:
1. Compute a transition relation
   T(L, Xu, Xc, L′) = ⋀_{ℓ∈L} (ℓ′ ⇔ fℓ(L, Xu, Xc))
   and then set UPRE(S) = ∃Xu, ∀Xc, ∃L′. T(L, Xu, Xc, L′) ∧ S(L′).
   (solved approximately 150 out of 530 benchmarks from last year’s competition)
2. Keep a partitioned transition relation, and substitute fℓ for each ℓ′ in S:
   UPRE(S) = ∃Xu, ∀Xc : S(L′)[ℓ′ ← fℓ(Xu, Xc, L)]_{ℓ∈L}.
   (solved approximately 500 benchmarks in 500 seconds)
Idea of the decomposition
Often: specifications are big conjunctions of smaller specifications.
Example from amba2b9:
assign sys_safe_err = sys_safe_err0 | sys_safe_err1 | sys_safe_err2 | ... | sys_safe_err19;
assign o_err = ~env_safe_err & ~env_safe_err_happened & (sys_safe_err | fair_err);
o_err can be rewritten:
(~env_safe_err & ~env_safe_err_happened & fair_err) | φ0 | ... | φ19
where φi = ~env_safe_err & ~env_safe_err_happened & sys_safe_erri
We define a game Gi for each formula φi: to win the “big” game, we must win each “small” game Gi.
Decomposition of AIGs
We must recover the structure of the specifications from the AIG: explore the graph until encountering a negation. A negation over an ∧ node corresponds to a disjunction, and it can be distributed over the ∧ nodes above it.
Figure: the AIG for err over a1, a2, ℓ1 rewritten in three steps; the ∨ introduced by the negation is pushed up through the ∧ nodes, yielding one subformula per disjunct.
Subgames
We obtain a decomposition err = e1 ∨ e2 ∨ · · · ∨ en.
If formula ei does not depend on all latches, solving the game for ei can be more efficient.
Cone of influence
cone(ei): set of variables on which ei depends (directly or indirectly)
→ can be over-approximated efficiently by exploring the AIG
We consider the game Gi where the error function is given by ei and we only consider variables in cone(ei).
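The two steps of these slides, recovering err = e1 ∨ … ∨ en from the AIG and over-approximating cone(ei), as an added example (not AbsSynthe's own code). AIG nodes are modelled as tuples, and the sample input is the game of the later "Back and forth" slide (ℓ′1 = c ∨ ℓ1, ℓ′2 = ℓ1, ℓ′3 = ¬ℓ1 ∧ ¬c, err = (ℓ1 ∧ ℓ2) ∨ (¬ℓ1 ∧ ℓ3)) written as AND/NOT nodes.

```python
# Added example (not AbsSynthe's own code): recover err = e1 ∨ … ∨ en from an
# And-Inverter Graph and over-approximate cone(ei) for each disjunct.
# AIG nodes are plain tuples: a variable name, ('and', x, y) or ('not', x).

def neg(node):
    """Negate a node, collapsing a double negation."""
    return node[1] if not isinstance(node, str) and node[0] == 'not' else ('not', node)

def disjuncts(node):
    """Split a node into disjuncts: a negation over an AND is a disjunction
    (De Morgan), and an AND above disjunctions is distributed over them."""
    if isinstance(node, str):
        return [node]
    if node[0] == 'and':
        return [('and', a, b) for a in disjuncts(node[1]) for b in disjuncts(node[2])]
    inner = node[1]                                   # node is ('not', inner)
    if isinstance(inner, str):
        return [node]                                 # negated literal
    if inner[0] == 'not':
        return disjuncts(inner[1])                    # ¬¬x = x
    return disjuncts(neg(inner[1])) + disjuncts(neg(inner[2]))   # ¬(x∧y) = ¬x ∨ ¬y

def support(node):
    """Variables read directly by a node."""
    if isinstance(node, str):
        return {node}
    return set().union(*(support(child) for child in node[1:]))

def cone(node, latches):
    """cone(ei): variables ei depends on directly or through the next-state
    functions of the latches it reads; a fixpoint over the AIG."""
    seen, todo = set(), support(node)
    while todo:
        v = todo.pop()
        seen.add(v)
        if v in latches:
            todo |= support(latches[v]) - seen
    return seen

# Constructed input: the game of the "Back and forth" slide, written as AIG nodes.
LATCHES = {
    'l1': ('not', ('and', ('not', 'c'), ('not', 'l1'))),   # ℓ1' = c ∨ ℓ1
    'l2': 'l1',                                             # ℓ2' = ℓ1
    'l3': ('and', ('not', 'l1'), ('not', 'c')),             # ℓ3' = ¬ℓ1 ∧ ¬c
}
ERR = ('not', ('and', ('not', ('and', 'l1', 'l2')),             # (ℓ1 ∧ ℓ2) ∨ (¬ℓ1 ∧ ℓ3)
                      ('not', ('and', ('not', 'l1'), 'l3'))))

def subgames(err=ERR, latches=LATCHES):
    """Pairs (ei, cone(ei)) defining the subgames Gi."""
    return [(e, cone(e, latches)) for e in disjuncts(err)]
```

On this input the decomposition yields the two subgames of the slide, one over ℓ1, ℓ2 and one over ℓ1, ℓ3 (plus the input c in each cone).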
Compositional algorithm 1: Global aggregation
Compute the winning region of each subgame.
If the intersection does not contain the initial state, then there is no controller.
Otherwise compute the fixpoint starting from the intersection.
Figure: error sets U1, U2, U3, their attractors UPRE∗(U1), UPRE∗(U2), UPRE∗(U3), and the final fixpoint UPRE∗(⋃i UPRE∗(Ui)), with s0 outside it.
Matrix multiplication benchmarks
err ≡ \begin{pmatrix} u_{1,1} & u_{1,2} \\ u_{2,1} & u_{2,2} \end{pmatrix} \cdot \begin{pmatrix} u'_{1,1} & u'_{1,2} \\ u'_{2,1} & u'_{2,2} \end{pmatrix} = \begin{pmatrix} c_{1,1} & c_{1,2} \\ c_{2,1} & c_{2,2} \end{pmatrix}
Plot: y-axis: time limit (in seconds); x-axis: number of benchmarks that are solvable within the time limit.
Washing system benchmarks
Figure: four tanks (Tank 1 to Tank 4), each with push, fill and empty signals (push1, fill1, empty1 for the first tank).
Compositional algorithm 2: Incremental aggregation
While there are several subgames: join two of them and solve the new sub-game that is obtained.
Figure: U1, U2, U3 with their attractors UPRE∗(U1), UPRE∗(U2), UPRE∗(U3); joining the first two subgames yields UPRE∗(UPRE∗(U1) ∪ UPRE∗(U2)), with s0 outside.
Compositional algorithm 3: Back and forth
After the computation in each subgame, project the union of unsafe states in the subgames, and repeat until stabilized.
→ A similar idea was used in [FJR10, Compositional Algorithms for LTL Synthesis]
Example: err = (ℓ1 ∧ ℓ2) ∨ (¬ℓ1 ∧ ℓ3)
ℓ′1 = c ∨ ℓ1;  ℓ′2 = ℓ1;  ℓ′3 = ¬ℓ1 ∧ ¬c;
Figure: the subgame over ℓ1, ℓ2 (states 0,0; 1,0; 1,1) and the subgame over ℓ1, ℓ3 (states 0,0; 1,0; 0,1).
UPRE1 ∪ UPRE2 = ℓ1 ∨ ℓ3
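The example game of this slide solved explicitly, as an added example (not AbsSynthe's code, which works on BDDs): it runs the classical attractor computation of the earlier slide on the full game, computes UPRE∗ in each of the two subgames (their union is ℓ1 ∨ ℓ3, as stated above), and then applies global aggregation (compositional algorithm 1). The initial state s0 = (0, 0, 0) is an assumption; the slide does not give it.

```python
from itertools import product

# Constructed game from the "Back and forth" slide: latches ℓ1, ℓ2, ℓ3, one
# controllable input c and no uncontrollable input; err = (ℓ1 ∧ ℓ2) ∨ (¬ℓ1 ∧ ℓ3).
LATCHES = ['l1', 'l2', 'l3']
INIT = {'l1': False, 'l2': False, 'l3': False}       # assumed initial state s0
SUBGAMES = [                                          # (ei, cone(ei)) as on the slide
    (lambda s: s['l1'] and s['l2'], ['l1', 'l2']),
    (lambda s: not s['l1'] and s['l3'], ['l1', 'l3']),
]
def err(s): return any(e(s) for e, _ in SUBGAMES)

def delta(s, c):
    """δ: ℓ1' = c ∨ ℓ1, ℓ2' = ℓ1, ℓ3' = ¬ℓ1 ∧ ¬c, restricted to the latches of s
    (both cones contain ℓ1, the only latch the update functions read)."""
    nxt = {'l1': c or s['l1'], 'l2': s['l1'], 'l3': not s['l1'] and not c}
    return {k: nxt[k] for k in s}

def key(s): return tuple(sorted(s.items()))
def states(latches):
    return [dict(zip(latches, bits)) for bits in product((False, True), repeat=len(latches))]

def upre_star(latches, bad):
    """Least fixpoint of UPRE(S) = {s | ∃au ∀ac δ(s, au, ac) ∈ S} from `bad`, by
    explicit enumeration (the slides do this symbolically with BDDs); with no
    uncontrollable input the ∃au quantifier is trivial."""
    lose = {key(s) for s in states(latches) if bad(s)}
    while True:
        new = {key(s) for s in states(latches)
               if all(key(delta(s, c)) in lose for c in (False, True))}
        if new <= lose:
            return lose
        lose |= new

def classical():
    """Classical attractor computation on the full game: returns the losing region."""
    return upre_star(LATCHES, err)

def global_aggregation():
    """Algorithm 1: solve every subgame on its cone, lift the union of the losing
    regions to the full state space, stop early if s0 is in it, else run the
    global fixpoint from that union."""
    parts = [(cone, upre_star(cone, e)) for e, cone in SUBGAMES]
    def in_union(s):
        return any(key({k: s[k] for k in cone}) in part for cone, part in parts)
    lifted = {key(s) for s in states(LATCHES) if in_union(s)}
    if key(INIT) in lifted:
        return lifted                    # s0 outside the intersection of winning regions
    return upre_star(LATCHES, in_union)

def controller_exists(losing=None):
    return key(INIT) not in (classical() if losing is None else losing)
```

For this game both methods find that every state is losing, so no controller exists from s0; the per-subgame results are ℓ1 (subgame ℓ1, ℓ2) and ¬ℓ1 ∧ ℓ3 (subgame ℓ1, ℓ3).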
Benchmarks translated from LTL specifications / Load Balancing
Benchmarks translated from LTL specifications / Generalized Buffer
AMBA Benchmarks
Conclusion
Application of a compositional approach to monolithic AIG specifications
Can solve problems not handled by the classical algorithm
Sometimes much more efficient
Applying the different algorithms in parallel works well in practice
Thank you