Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov - - PowerPoint PPT Presentation

Two Synthesis Approaches for CTL*

Roderick Bloem1, Ayrat Khalimov1, Sven Schewe2

Rigorous Systems Engineering

1 1 2

LTL/CTL* synthesis problem

Specification:

• LTL formula: 𝑯(𝑠 → 𝑮 𝑕)
• Inputs: 𝑠, outputs: 𝑕

Find a state machine with such inputs/outputs that satisfies the formula.

2

¬𝑕

𝑠

𝑕

¬𝑠 𝑠 ¬𝑠 An example solution

¬𝑕

𝑠

𝑕

¬𝑠 1 Another solution

LTL/CTL* synthesis problem

Specification:

• CTL* formula: 𝑩𝑯 𝑠 → 𝑮 𝑕 ∧ 𝑩𝑯𝑭𝑮¬𝑕
• Inputs: 𝑠, outputs: 𝑕

Find a state machine with such inputs/outputs that satisfies the formula.

3

¬𝑕

𝑠

𝑕

¬𝑠 𝑠 ¬𝑠 An example solution

¬𝑕

𝑠

𝑕

¬𝑠 1 Another solution

Talk outline

• SMT-based bounded CTL* synthesis
• “model checking, but with unknown system functions”

(bounded synthesis)

• Reducing CTL* synthesis to LTL synthesis
• explicit models
• Conclusion

4

CTL* synthesis: approach #1

• Encode CTL* model checking into SMT
• the query is satisfiable iff the system is correct
• Replace the known system with UFs
• possible if we bound the number of system states

5

bottom-up CTL* model checking with uninterpreted functions

Encoding 𝑫𝑼𝑴∗ model checking into SMT

• Proposition for each sub-formula
• For every 𝑡 and sub-formula 𝜚, encode into SMT

“𝑞𝜚 𝑡 → 𝑡 ⊨ 𝜚”

• 𝑞𝐵 𝑡 → 𝑡 ⊨ 𝐵𝐻𝑞𝐹
• 𝑞𝐹 𝑡 → 𝑡 ⊨ 𝐹𝐺𝐻𝑕
• Require 𝑞𝑢𝑝𝑞 𝑡0 = 𝑢𝑠𝑣𝑓
• 𝑞𝐵 𝑡0 = 𝑢𝑠𝑣𝑓

𝒕𝒛𝒕𝒖𝒇𝒏 ⊨ 𝐁𝐻 𝐅𝐺𝐻𝑕

𝒒𝑭 𝒒𝐁

How to encode into SMT?

• Build the product graph 𝑡𝑧𝑡𝑢𝑓𝑛 × 𝑏𝑣𝑢𝑝𝑛𝑏𝑢𝑝𝑜𝜒
• Buchi automaton
• 𝑡 ⊨ 𝐹𝜒 ⇔ the product has an accepting path
• Buchi ranking
• exit normal state: <
• exit accepting state: reset
• SMT query is satisfiable

iff the product is accepting

1

< < 𝐬𝐟𝐭𝐟𝐮

Encode 𝒕 ⊨ 𝑭𝝌 into SMT

3 2 3

From model checking to synthesis

𝑠𝑑ℎ 𝑟, 𝑡 ∧ 𝒉𝒔𝒃𝒐𝒖 𝑡 → 𝑠𝑑ℎ 𝑟, 𝝊 𝑡, 𝑠 ∧ 𝜍(𝑟, 𝑡) > 𝜍(𝑟′, 𝝊(𝑡, 𝑠))

8

𝑡∈𝑇, 𝑠∈𝐶

• To do synthesis, replace given system functions

(𝒉𝒔𝒃𝒐𝒖 and 𝝊) with uninterpreted functions!

• SMT constraints look like this:

CTL* bounded synthesis: summary

• bad at establishing

CTL* unrealizability

9

CTL* Φ, inputs,

• utputs

build SMT query where 𝝊, 𝒑𝒗𝒖 are uninterpreted

YES NO

unrealizable

YES NO

system 𝝊, 𝒑𝒗𝒖

𝑇 = {𝑡0}

SMT solve automata 𝑇 > 22|Φ|? 𝑓𝑦𝑢𝑓𝑜𝑒 𝑇

CTL* synthesis: approach #2

• Overcome the bounded synthesis limitation
• efficiently handle unrealizable CTL*
• Avoid building specialized CTL* synthesizers
• Be fast by using state-of-the-art LTL synthesizers

10

reduce CTL* synthesis to LTL synthesis

+ +-

Idea of reduction CTL* -> LTL

• Synthesize explicit models
• for each sub-formula 𝐵𝜒 or 𝐹𝜒, introduce new

system outputs 𝑞𝐵𝜒 or 𝑞𝐹𝜒

• for each 𝐹𝜒, introduce direction-output 𝑒𝐹𝜒

that encodes system path that satisfies 𝜒

• LTL formula says:
• 𝐇 𝑞𝐵𝜒 → 𝜒
• "𝐇 𝑞𝐹𝜒 → 𝐇𝑒𝐹𝜒 → 𝜒 " (roughly)
• The top-level proposition holds initially

11

Example

• 𝚾𝐃𝐔𝐌∗ = 𝐅𝐘 𝑕 ∧ 𝐆𝑕

, inputs={r}, outputs={g}

• inputs={r}, outputs={𝑕, 𝑞, 𝑒}

𝚾𝐌𝐔𝐌 = 𝒒 ∧ 𝑯(𝒒 → 𝑯𝒆 → 𝒀 𝒉 ∧ 𝑮𝒉 )

12

• The top-level proposition holds initially
• 𝐇 𝑞𝐵𝜒 → 𝜒
• "𝐇 𝑞𝐹𝜒 → 𝐇𝑒𝐹𝜒 → 𝜒 " (roughly)

𝑞 𝑒 = 𝑠 𝑒 = 𝑠

Counterexample to ‘rough’ Eφ reduction

• 𝜲𝑫𝑼𝑴∗ = 𝐁𝐇 𝐅𝐘 𝒉 ∧ 𝑮𝒉
• outputs={𝑕, 𝑞𝐵, 𝑞, 𝑒}

𝜲𝑴𝑼𝑴 = 𝒒𝑩 ∧ 𝑯 𝒒𝑩 → 𝑯𝒒 ∧ 𝑯(𝒒 → 𝑯𝒆 → 𝒀 𝒉 ∧ 𝑮𝒉 )

13

𝑞𝐵 𝑞 𝑒 = 𝑠 𝑞 𝑒 =? ?

• For each 𝐹𝜒, add outputs 𝑒1, … , 𝑒|𝑅|, 𝑤: {0 … |𝑅|}
• Add LTL formula:

𝐇[ 𝑤𝐹𝜒 = 𝑗 → 𝐇𝑒𝑗 → 𝜒 ]

𝒋∈{𝟐… 𝑹 }

14

Correct translation of E-formulas

Example

• 𝜲𝑫𝑼𝑴∗ = 𝑩𝑯𝑭𝒀 𝒉 ∧ 𝑮𝒉
• outputs={𝑕, 𝑞𝐵, 𝑤: {0 … 4}, 𝑒1, 𝑒2, 𝑒3, 𝑒4}

𝚾𝑴𝑼𝑴 = 𝒒𝑩 ∧ 𝑯 𝒒𝑩 → 𝑯𝒘 ≠ 𝟏 ∧ 𝑯(𝒘 = 𝒋 → 𝑯𝒆𝒋 → 𝒀 𝒉 ∧ 𝑮𝒉 )

𝒋∈{𝟐…𝟓}

15

𝑕 𝑕 𝑕

𝑤 = 𝟐 𝒆𝟐 = 𝒔 𝑤 = 𝟑 𝒆𝟐 = 𝒔, 𝒆𝟑 = 𝒔 𝑤 =1 𝒆𝟐 = 𝒔, 𝒆𝟑 = 𝒔 𝑠, 𝑠 𝑠 𝑠 𝑠 𝑠 𝑞𝐵

• Φ𝑀𝑈𝑀 is realizable  Φ𝐷𝑈𝑀∗ is realizable
• Φ𝑀𝑈𝑀 ≈ 2|Φ𝐷𝑈𝑀∗|
• Yet the synthesis complexity stays in 2EXPTIME
• Systems can get larger
• Experiments: faster when the # of E-formulas is small

16

CTL* via LTL synthesis: summary

Conclusion

Future directions:

• How to establish unrealizability of CTL*?
• Synthesizers for ATL*
• Satisfiability of CTL*

17

SMT-based bounded CTL* synthesis CTL*-via-LTL synthesis