Not Quite There Yet: The Quest for the Right Environment Player - - PowerPoint PPT Presentation
Not Quite There Yet: The Quest for the Right Environment Player Model in Games for Reactive Synthesis R udiger Ehlers University of Bremen Dagstuhl Seminar 17111, March 2017 Using joint preliminary work done together with Roderick Bloem,
1
R¨ udiger Ehlers
University of Bremen
Dagstuhl Seminar 17111, March 2017 Using joint preliminary work done together with Roderick Bloem, Robert K¨
2
Specification
Input = {u, . . .} Output = {v, . . .}
Realizable Not realizable
Input Output
3
Specification
G(r → Xg)
3
Specification Automaton
G(r → Xg)
q0 start q1 q2 r ¬r ¬g r ∧ g ¬r ∧ g tt
3
Specification Automaton Game / Tree automaton
G(r → Xg)
q0 start q1 q2 r ¬r ¬g r ∧ g ¬r ∧ g tt q0 start q1 q2 r * ¬r * ¬r ¬g g r g ¬g ∗ ∗
3
Specification Automaton Game / Tree automaton Strategy / Mealy automaton
G(r → Xg)
q0 start q1 q2 r ¬r ¬g r ∧ g ¬r ∧ g tt q0 start q1 q2 r * ¬r * ¬r ¬g g r g ¬g ∗ ∗ q0 start q1 r g ¬r g ¬r g r g
4
Specification shape
5
6
Observation
Requiring the system player to satisfy ( Assumptions) →
( Guarantees) leads to an incentive for the system player to
actively work against ( Assumptions).
6
Observation
Requiring the system player to satisfy ( Assumptions) →
( Guarantees) leads to an incentive for the system player to
actively work against ( Assumptions). Modifying the specification to exclude specific exploitive behavior would be a rat-race against the synthesis tool (and hence is no option).
6
Observation
Requiring the system player to satisfy ( Assumptions) →
( Guarantees) leads to an incentive for the system player to
actively work against ( Assumptions). Modifying the specification to exclude specific exploitive behavior would be a rat-race against the synthesis tool (and hence is no option). To obtain reasonable implementations in a game-based synthesis process, we need a winning condition for the system player that prevents her from trying to actively falsify A
6
Observation
Requiring the system player to satisfy ( Assumptions) →
( Guarantees) leads to an incentive for the system player to
actively work against ( Assumptions). Modifying the specification to exclude specific exploitive behavior would be a rat-race against the synthesis tool (and hence is no option). To obtain reasonable implementations in a game-based synthesis process, we need a winning condition for the system player that prevents her from trying to actively falsify A
Note
In well-separated specifications (Klein and Pnueli, 2010), this problem does not occur.
7
Classification criteria
T reat the two players in a symmetric fashion A ssume rationality of the environment player
Criteria / game types
Thanks go to Brenguier et al. (2017) for their excellent overview.
7
Classification criteria
T reat the two players in a symmetric fashion A ssume rationality of the environment player
Criteria / game types
1
Assume-Guarantee Synthesis (Chatterjee and Henzinger, 2007) T , A
Thanks go to Brenguier et al. (2017) for their excellent overview.
7
Classification criteria
T reat the two players in a symmetric fashion A ssume rationality of the environment player
Criteria / game types
1
Assume-Guarantee Synthesis (Chatterjee and Henzinger, 2007) T , A
2
Rational Synthesis (Fisman et al., 2010) T , A
Thanks go to Brenguier et al. (2017) for their excellent overview.
7
Classification criteria
T reat the two players in a symmetric fashion A ssume rationality of the environment player
Criteria / game types
1
Assume-Guarantee Synthesis (Chatterjee and Henzinger, 2007) T , A
2
Rational Synthesis (Fisman et al., 2010) T , A
3
Assume-Admissible Synthesis (Brenguier et al., 2017) T , A
Thanks go to Brenguier et al. (2017) for their excellent overview.
8
Reactive system environment components
Other technical systems:
Only an approximation of their behavior is known Behavior can appear to be irrational due to unmodelled goals/behavior
8
Reactive system environment components
Other technical systems:
Only an approximation of their behavior is known Behavior can appear to be irrational due to unmodelled goals/behavior
Human operators and “noise”:
May not have a goal at all and/or completely unknown goal. Yet, obstructing the human is to be avoided
8
Reactive system environment components
Other technical systems:
Only an approximation of their behavior is known Behavior can appear to be irrational due to unmodelled goals/behavior
Human operators and “noise”:
May not have a goal at all and/or completely unknown goal. Yet, obstructing the human is to be avoided
Mixture of human operator and technical system
The answer to the question in the slide title...
...is “usually not”.
9
Basic idea (Bloem et al., 2015)
For a specification ψ = A → G, we synthesize a controller that
1
satisfies ψ along all of its traces, and
2
for every prefix trace t in the controller language that can be extended to a word that satisfies A, there exists a trace extension t′ such that tt′ is a trace of the controller and tt′ |= A.
9
Basic idea (Bloem et al., 2015)
For a specification ψ = A → G, we synthesize a controller that
1
satisfies ψ along all of its traces, and
2
for every prefix trace t in the controller language that can be extended to a word that satisfies A, there exists a trace extension t′ such that tt′ is a trace of the controller and tt′ |= A.
Effect A → G is satisfied along all traces (classical corretness)
The environment assumptions A are never fully violated – the environment always has a chance to work towards A ∧ G..
10
The environment may be too weak
Problem: How should the environment know what to play in
10
The environment may be too weak
Problem: How should the environment know what to play in
However: In practice, this is most likely not a big deal (due to the structure of the game solving/synthesis algorithms).
10
The environment may be too weak
Problem: How should the environment know what to play in
However: In practice, this is most likely not a big deal (due to the structure of the game solving/synthesis algorithms).
The environment may be too strong
Problem: The environment may be able to enforce a showdown. Consequence: The specification becomes unrealizable.
11
↑↓ ↑↓ Specification
Assumptions: Wagon behaves according to its dynamics and visits both blue regions infinitely often (while standing still) Guarantees: Goods are transported between the blue regions
11
↑↓ ↑↓ Observation
The environment can get itself into a situation in which it cannot satisfy the assumption made about it any more.
11
↑↓ ↑↓ Observation
The environment can get itself into a situation in which it cannot satisfy the assumption made about it any more. No problem for classical A → G and cooperative synthesis
11
↑↓ ↑↓ Thought Experiment (1)
Let us assume that the system has the capability to slow down the wagon.
11
↑↓ ↑↓ Thought Experiment (1)
Let us assume that the system has the capability to slow down the wagon. The system then has to slow down the wagon (if the slow-down mechanism is accounted for in the system dynamics that are part of the assumptions)
11
↑↓ ↑↓ Thought Experiment (2)
Now let us furthermore assume that the wagon transports raw eggs, which break when force-slowing down the wagon
11
↑↓ ↑↓ Thought Experiment (2)
Now let us furthermore assume that the wagon transports raw eggs, which break when force-slowing down the wagon Effect: The specification becomes unrealizable
12
Analysis
For every prefix trace in the controller that can be extended to
satisfies A Thus, then the wagon speeds towards the cliff, the controller needs to stop the wagon (as the environment assumption can still be satisfied) By stopping the wagon, the raw eggs break. So if the environment speeds towards the edge every time the eggs have been loaded, eggs break during every delivery → hence, the system player loses.
Observation
But that is unreasonable: if the environment strategizes against the system, the system should not need to satisfy the guarantees.
13
Blame-free strategies (ongoing joint work with R. Majumdar)
They satisfy A → G along all plays They give the environment as many possibilities for enforcing
A as possible
If a play does not satisfy A, then this may only be the case if it is the environment player’s fault, i.e., if either:
it violated the assumptions without force on its own it forced a safety showdown with the system it repeatedly forces liveness showdowns with the system
Big question
How to formalize the term “showdown” in a way that the system cannot work towards a showdown? And how can we formalize the “many possibilities”?
14
Roderick Bloem, R¨ udiger Ehlers, and Robert K¨
Verification and Analysis - 13th International Symposium, ATVA 2015, Shanghai, China, October 12-15, 2015, Proceedings, pages 394–410, 2015. doi: 10.1007/978-3-319-24953-7 29. URL http://dx.doi.org/10.1007/978-3-319-24953-7_29. Romain Brenguier, Jean-Franc ¸ois Raskin, and Ocan Sankur. Assume-admissible synthesis. Acta Inf., 54(1):41–83, 2017. doi: 10.1007/s00236-016-0273-2. URL http://dx.doi.org/10.1007/s00236-016-0273-2. Krishnendu Chatterjee and Thomas A. Henzinger. Assume-guarantee synthesis. In Tools and Algorithms for the Construction and Analysis of Systems, 13th International Conference, TACAS 2007, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2007 Braga, Portugal, March 24 - April 1, 2007, Proceedings, pages 261–275, 2007. doi: 10.1007/978-3-540-71209-1 21. URL http://dx.doi.org/10.1007/978-3-540-71209-1_21. Dana Fisman, Orna Kupferman, and Yoad Lustig. Rational synthesis. In Tools and Algorithms for the Construction and Analysis of Systems, 16th International Conference, TACAS 2010, Held as Part of the Joint European Conferences on Theory and Practice of Software, ETAPS 2010, Paphos, Cyprus, March 20-28, 2010. Proceedings, pages 190–204,
Uri Klein and Amir Pnueli. Revisiting synthesis of GR(1) specifications. In Hardware and Software: Verification and Testing
Papers, pages 161–181, 2010. doi: 10.1007/978-3-642-19583-9 16. URL http://dx.doi.org/10.1007/978-3-642-19583-9_16.