Reactive Synthesis
Swen Jacobs <swen.jacobs@iaik.tugraz.at>
VTSA 2013, Nancy, France, 24.09.2013
www.iaik.tugraz.at
Property Synthesis (You Will Never Code Again)
Construct Correct Systems Automatically
Don't do the same thing twice: use synthesis!
(Diagram: Requirements → Specification → Implementation, with Synthesis going from the specification to the implementation and Verification checking the implementation against the specification.)
Motivation
- Coding is hard; we want a higher level of abstraction:
  Machine code ⇒ Assembly ⇒ C ⇒ Java ⇒ Ruby? ⇒ …
  Silicon ⇒ Gates ⇒ RTL ⇒ Transactions? ⇒ …
- Bugs are very expensive, especially in security-critical applications and in hardware.
- Bugs are hard to kill: finding and fixing bugs takes 50%-80% of design time.
Our Focus
- Reactive systems: continuous interaction with the environment; correctness statements are temporal (temporal logic, automata). Examples: operating systems, web browsers, circuits, protocols.
- Finite state: the prototypical finite-state reactive system is a circuit.
- Not our focus: functions (one input, one output, non-termination is a bug; correctness is an input/output relation, as in Hoare logic).
Other Application Areas
- Program repair
- Program sketching
- Synthesis of synchronization skeletons
- …
Synthesis, Part I: Basics
- Synthesis as a Game
- General: LTL Synthesis
- Time-Efficient: GR(1) Synthesis
- Application: AMBA Bus Protocol
- Space-Efficient: Bounded/Safraless Approaches
Synthesis as a Game
Synthesis as a Game
Given: input and output signals; a specification of the behavior.
Determine:
- Realizability: is there a finite-state system that realizes the specification?
- Synthesis: if such a system exists, construct it.
Two-player game:
- Environment determines the inputs (not controllable).
- System determines the outputs (controllable).
- Game: finite state graph, infinite plays.
- Winning condition for player System: formula φ.
Games
Two-player, graph-based, turn-based games with infinitary winning conditions. The antagonist controls I, the protagonist controls O.
Graph based:
- set of states Q
- initial state q_0
- transition function δ: Q × I × O → Q
Turn based:
- start from q_0
- the antagonist selects i_k, the protagonist selects o_k, and the play proceeds to q_{k+1} = δ(q_k, i_k, o_k)
- ensuing play: q_0 i_0 o_0 q_1 i_1 o_1 q_2 …
Winning condition: objective over F ⊆ Q.
Strategy: Q × I* → O; for every input sequence, the strategy fixes a play.
Winning strategy: a strategy such that all resulting plays fulfill the winning condition.
Winning Conditions
- Reachability: want to reach a state in F ⊆ Q
- Safety: want to stay in F ⊆ Q
- Büchi: want to visit F ⊆ Q infinitely often
- co-Büchi: want to visit F ⊆ Q only finitely often
- others exist… (later)
Example
Input: button (b); output: coffee (c).
LTL game: G(button → F coffee); red moves first, green moves second.
Büchi game: two states q_0, q_1 with transitions q_0 → q_0 on ¬b ∨ c, q_0 → q_1 on b ∧ ¬c, q_1 → q_0 on c, q_1 → q_1 on ¬c. Green's objective: visit q_0 infinitely often.
Possible strategy: serve coffee iff the automaton is in state q_1.
In this case, the LTL game reduces to a Büchi game.
Example: Alternative Representation
Automaton-like representation (states q_0, q_1; edges labelled b ∧ ¬c, ¬b ∨ c, c, ¬c):
- compact
- looks like an automaton
- order of moves (input, output) only implicit
Explicit game-graph representation (input moves labelled b, ¬b; output moves labelled c, ¬c):
- explicit order of moves
- needs more states
Symbolic Computation: Fixpoints
(Figure: a game graph with states A, B, C, D; each edge is labelled environment input / system output, e.g. 0/-, 1/0, 0/1, 0/0, 1/1; a dash (–) means don't care.)
Find all states from which the system can force a visit to the goal state (= winning region / attractor).
Result: winning region + a strategy.
Computing Büchi Games
(Figure: the button/coffee game graph with edges labelled b, ¬b, c, ¬c.)
Force¹(F) = set of states from which the system can force a visit to F in one step:
  Force¹(F) = { q ∈ Q | ∀i ∈ I ∃o ∈ O: δ(q, i, o) ∈ F }
Force*(F) = set of states from which the system can force a visit to F in any number of steps (least fixpoint of applying Force¹ to F).
Recur(F) = set of states from which the system can repeatedly force visits to F, each in any number of steps (nested fixpoint operation).
The winning region is Force*(F) for a reachability game and Recur(F) for a Büchi game. (Safety is defined with the dual Force operator for the environment.)
For reachability, safety and Büchi games, memoryless strategies are sufficient, i.e., strategies Q × I → O.
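Added example, not from the slides: a Python implementation of Force¹, Force* and Recur over an explicit game graph, with a memoryless strategy extracted from the attractor ranks. The button/coffee game is the one described on the slides (states q0, q1, input b, output c, objective "visit q0 infinitely often"); the "jammed" variant with a third input and a sink state is constructed here to show the greatest fixpoint shrinking the winning region and forcing the strategy. Class and function names are this example's own.

```python
"""Büchi game solving by the nested fixpoints Force¹, Force*, Recur (added example)."""
from itertools import product


class Game:
    """Two-player game as on the slides: environment picks i ∈ I, system picks o ∈ O,
    and the play moves from q to delta[(q, i, o)]. delta must be total."""

    def __init__(self, states, inputs, outputs, delta, init):
        self.Q = frozenset(states)
        self.I = tuple(inputs)
        self.O = tuple(outputs)
        self.delta = dict(delta)
        self.q0 = init
        missing = [t for t in product(self.Q, self.I, self.O) if t not in self.delta]
        if missing:
            raise ValueError(f"transition function is not total, e.g. {missing[0]}")

    def force1(self, target):
        """Force¹(F) = { q | ∀i ∃o: δ(q, i, o) ∈ F }: one-step controllable predecessors."""
        return frozenset(
            q for q in self.Q
            if all(any(self.delta[(q, i, o)] in target for o in self.O) for i in self.I))

    def force_star(self, target):
        """Force*(F): least fixpoint of X = F ∪ Force¹(X), returned as attractor layers
        (layer k holds the states that need exactly k forced steps to reach F)."""
        layers = [frozenset(target)]
        while True:
            reached = frozenset().union(*layers)
            fresh = self.force1(reached) - reached
            if not fresh:
                return layers
            layers.append(fresh)

    def recur(self, target):
        """Recur(F): greatest fixpoint of Y = Force*(F ∩ Force¹(Y)); from these states the
        system can force a visit to F, and from there force the next one, forever."""
        Y = self.Q
        while True:
            new_Y = frozenset().union(*self.force_star(frozenset(target) & self.force1(Y)))
            if new_Y == Y:
                return Y
            Y = new_Y

    def buchi_strategy(self, target):
        """Winning region plus a memoryless strategy Q × I → O for the Büchi objective."""
        win = self.recur(target)
        layers = self.force_star(frozenset(target) & self.force1(win))
        rank = {q: k for k, layer in enumerate(layers) for q in layer}
        strategy = {}
        for q in win:
            for i in self.I:
                if rank[q] == 0:
                    # On a target state: any output that keeps the play inside the winning region.
                    o = next(o for o in self.O if self.delta[(q, i, o)] in win)
                else:
                    # Otherwise move strictly closer to the target: successor with a smaller rank.
                    o = min((o for o in self.O
                             if rank.get(self.delta[(q, i, o)], rank[q]) < rank[q]),
                            key=lambda o: rank[self.delta[(q, i, o)]])
                strategy[(q, i)] = o
        return win, strategy


def simulate(game, strategy, inputs):
    """Run the environment's input sequence against the strategy; return the state trace."""
    q, trace = game.q0, [game.q0]
    for i in inputs:
        q = game.delta[(q, i, strategy[(q, i)])]
        trace.append(q)
    return trace


def coffee_game():
    """The slides' button/coffee game: q0 = nothing pending, q1 = button pressed, coffee owed."""
    delta = {}
    for b, c in product((0, 1), (0, 1)):
        delta[("q0", b, c)] = "q1" if (b and not c) else "q0"
        delta[("q1", b, c)] = "q0" if c else "q1"
    return Game({"q0", "q1"}, (0, 1), (0, 1), delta, "q0")


def jammed_game():
    """Constructed variant: input 'jam' in q1 breaks the machine (sink q2) whatever the output,
    so the system must serve coffee immediately and never let the play enter q1."""
    delta = {}
    for c in (0, 1):
        delta[("q0", "idle", c)] = "q0"
        delta[("q0", "press", c)] = "q0" if c else "q1"
        delta[("q0", "jam", c)] = "q0"          # jamming an idle machine does nothing
        delta[("q1", "idle", c)] = "q0" if c else "q1"
        delta[("q1", "press", c)] = "q0" if c else "q1"
        delta[("q1", "jam", c)] = "q2"
        for i in ("idle", "press", "jam"):
            delta[("q2", i, c)] = "q2"
    return Game({"q0", "q1", "q2"}, ("idle", "press", "jam"), (0, 1), delta, "q0")


if __name__ == "__main__":
    for g in (coffee_game(), jammed_game()):
        win, strat = g.buchi_strategy({"q0"})
        print(sorted(win), sorted(strat.items()))
```

On the coffee game the extracted strategy is exactly the slides' "serve coffee iff in q1"; on the jammed variant Recur shrinks the winning region to {q0} and the only winning move on "press" is to serve coffee at once.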
Four Steps to Synthesis
1. Specify: LTL, Büchi automata, …
2. Obtain a game
3. Solve the game
4. Construct circuit
LTL Synthesis
LTL Synthesis [PnueliRosner89]
1. Specify: formula φ in LTL.
2. Obtain a game: convert φ to a nondeterministic Büchi automaton A (exponential blowup); convert A to a deterministic Rabin or parity automaton (= game) (exponential blowup).
3. Solve the game: parity games can be solved in polynomial time.
4. Construct circuit.
Arbiter: From LTL to Büchi
Arbiter with inputs r_1, r_2 (requests) and outputs g_1, g_2 (grants).
Specification:
  G(r_1 → F g_1)
  G(r_2 → F g_2)
  G ¬(g_1 ∧ g_2)
Obtaining a game
From LTL to Büchi automata: not in detail in this tutorial – see [VardiWolper86].
From Büchi automata to games:
- non-determinism is bad
- advanced acceptance conditions
Nondeterminism is bad
Inputs: button (b), water (w); output: coffee (c).
LTL game: GF water, G(button → F coffee), G(water … coffee). Won? Note: not complete!
Büchi game (edges labelled b ∧ ¬c, c ∧ w, ¬b ∨ c ∧ w, ¬w ∧ ¬c, ¬c): won?
No winning strategy because of nondeterminism, even though the LTL game is won.
Advanced Acceptance Conditions
- Rabin: defined by pairs (E_1, F_1), …, (E_n, F_n) with E_i, F_i ⊆ Q. System wins if there exists an i such that E_i is visited finitely often and F_i is visited infinitely often.
- Streett: like Rabin, but System wins if for all i, if F_i is visited infinitely often, then E_i must be visited infinitely often. (Negation of Rabin.)
- Parity: every state is assigned a priority from ℕ. System wins if the minimum priority of all states visited infinitely often is even.
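Added example, not from the slides: evaluating the three acceptance conditions on the set of states a lasso-shaped play visits infinitely often, a brute-force check that Streett is the complement of Rabin for the same pairs, and the encoding of a Büchi condition as a single Rabin pair and as a parity assignment. The three-state automaton, the pairs and the plays are constructed sample data.

```python
"""Rabin, Streett and parity acceptance on lasso-shaped plays (added example)."""
from itertools import combinations


def inf_states(prefix, cycle):
    """States visited infinitely often by the play prefix · cycle^ω: exactly the cycle states."""
    if not cycle:
        raise ValueError("cycle must be non-empty")
    return frozenset(cycle)


def rabin_accepts(pairs, inf):
    """Rabin: ∃i. E_i visited finitely often and F_i visited infinitely often."""
    return any(not (E & inf) and bool(F & inf) for E, F in pairs)


def streett_accepts(pairs, inf):
    """Streett: ∀i. F_i visited infinitely often ⇒ E_i visited infinitely often."""
    return all(not (F & inf) or bool(E & inf) for E, F in pairs)


def parity_accepts(priority, inf):
    """Parity: the minimum priority among infinitely visited states is even."""
    return min(priority[q] for q in inf) % 2 == 0


def rabin_streett_dual(states, pairs):
    """Check on every possible Inf-set that Streett accepts exactly when Rabin rejects."""
    for k in range(1, len(states) + 1):
        for inf in combinations(states, k):
            inf = frozenset(inf)
            if rabin_accepts(pairs, inf) == streett_accepts(pairs, inf):
                return False
    return True


def buchi_as_rabin(F):
    """Büchi 'visit F infinitely often' is the single Rabin pair (∅, F)."""
    return [(frozenset(), frozenset(F))]


def buchi_as_parity(states, F):
    """Büchi as parity: F-states get priority 0, all others priority 1."""
    return {q: 0 if q in F else 1 for q in states}


# Constructed sample automaton: one Rabin pair (E_1, F_1) = ({q2}, {q0}).
STATES = ["q0", "q1", "q2"]
PAIRS = [(frozenset({"q2"}), frozenset({"q0"}))]

if __name__ == "__main__":
    inf = inf_states(["q0", "q1"], ["q1", "q0"])
    print("Rabin:", rabin_accepts(PAIRS, inf), "Streett:", streett_accepts(PAIRS, inf))
    print("dual on all Inf-sets:", rabin_streett_dual(STATES, PAIRS))
```

The play q0 q1 (q1 q0)^ω avoids q2 and keeps returning to q0, so the Rabin pair accepts it and the Streett condition built from the same pair rejects it; a play cycling through q0 and q2 flips both verdicts.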
LTL Synthesis
1. Specify: formula φ in LTL, size n.
2. Obtain a game: convert φ to a nondeterministic Büchi automaton A, size 2^n; determinize A to a deterministic parity automaton (= game), size 2^(2^n).
3. Solve the parity game, time 2^(2^n).
We will not consider this approach in detail. It is complex and not very scalable.
LTL Synthesis – Alternative Approaches
The synthesis problem can also be solved by
- decomposing φ, simplifying each part, then composing [SohailSomenzi09, MorgensternSchneider10] (not in this tutorial)
- limiting the size of the solution and incrementally increasing the bound [ScheweFinkbeiner07, FiliotJinRaskin11, Ehlers12] (later!)
- considering efficiently decidable fragments (now!)
GR(1) Synthesis