Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov - PowerPoint PPT Presentation

Two Synthesis Approaches for CTL* Roderick Bloem 1 , Ayrat Khalimov 1 , Sven Schewe 2 2 1 1 Rigorous Systems Engineering

LTL/CTL* synthesis problem Specification: • LTL formula: 𝑯(𝑠 → 𝑮 𝑕) • Inputs: 𝑠 , outputs: 𝑕 Find a state machine with such inputs/outputs that satisfies the formula. An example solution Another solution 𝑠 𝑠 ¬𝑠 ¬𝑠 ¬𝑕 𝑕 ¬𝑕 𝑕 ¬𝑠 𝑠 1 2

LTL/CTL* synthesis problem Specification: • CTL* formula: 𝑩𝑯 𝑠 → 𝑮 𝑕 ∧ 𝑩𝑯𝑭𝑮¬𝑕 • Inputs: 𝑠 , outputs: 𝑕 Find a state machine with such inputs/outputs that satisfies the formula. An example solution Another solution 𝑠 𝑠 ¬𝑠 ¬𝑠 ¬𝑕 𝑕 ¬𝑕 𝑕 ¬𝑠 𝑠 1 3

Talk outline • SMT-based bounded CTL* synthesis - “model checking, but with unknown system functions” (bounded synthesis) • Reducing CTL* synthesis to LTL synthesis - explicit models • Conclusion 4

CTL* synthesis: approach #1 bottom-up CTL* model checking with uninterpreted functions • Encode CTL* model checking into SMT - the query is satisfiable iff the system is correct • Replace the known system with UFs - possible if we bound the number of system states 5

Encoding 𝑫𝑼𝑴 ∗ model checking into SMT 𝒒 𝐁 𝒕𝒛𝒕𝒖𝒇𝒏 ⊨ 𝐁𝐻 𝐅𝐺𝐻𝑕 𝒒 𝑭 • Proposition for each sub-formula • For every 𝑡 and sub-formula 𝜚 , encode into SMT “ 𝑞 𝜚 𝑡 → 𝑡 ⊨ 𝜚 ” - 𝑞 𝐵 𝑡 → 𝑡 ⊨ 𝐵𝐻𝑞 𝐹 How to encode into SMT? - 𝑞 𝐹 𝑡 → 𝑡 ⊨ 𝐹𝐺𝐻𝑕 • Require 𝑞 𝑢𝑝𝑞 𝑡 0 = 𝑢𝑠𝑣𝑓 - 𝑞 𝐵 𝑡 0 = 𝑢𝑠𝑣𝑓

Encode 𝒕 ⊨ 𝑭𝝌 into SMT Build the product graph 𝑡𝑧𝑡𝑢𝑓𝑛 × 𝑏𝑣𝑢𝑝𝑛𝑏𝑢𝑝𝑜 𝜒 • Buchi automaton • 𝑡 ⊨ 𝐹𝜒 ⇔ the product has an accepting path • • Buchi ranking exit normal state: < • 3 • exit accepting state: reset < • SMT query is satisfiable < iff the product is accepting 2 1 𝐬𝐟𝐭𝐟𝐮 3

From model checking to synthesis • SMT constraints look like this: 𝑠𝑑ℎ 𝑟, 𝑡 ∧ 𝒉𝒔𝒃𝒐𝒖 𝑡 → ∧ 𝜍(𝑟, 𝑡) > 𝜍(𝑟 ′ , 𝝊(𝑡, 𝑠)) 𝑠𝑑ℎ 𝑟, 𝝊 𝑡, 𝑠 𝑡∈𝑇, 𝑠∈𝐶 • To do synthesis, replace given system functions ( 𝒉𝒔𝒃𝒐𝒖 and 𝝊 ) with uninterpreted functions! 8

CTL* bounded synthesis: summary CTL* Φ , inputs, - bad at establishing outputs CTL* unrealizability automata 𝑇 = {𝑡 0 } 𝑓𝑦𝑢𝑓𝑜𝑒 𝑇 build SMT query where 𝝊, 𝒑𝒗𝒖 are NO uninterpreted YES 𝑇 > 2 2 |Φ| ? YES SMT solve NO unrealizable system 𝝊, 𝒑𝒗𝒖 9

CTL* synthesis: approach #2 reduce CTL* synthesis to LTL synthesis • Overcome the bounded synthesis limitation - - efficiently handle unrealizable CTL* + • Avoid building specialized CTL* synthesizers + - • Be fast by using state-of-the-art LTL synthesizers 10

Idea of reduction CTL* -> LTL • Synthesize explicit models - for each sub-formula 𝐵𝜒 or 𝐹𝜒 , introduce new system outputs 𝑞 𝐵𝜒 or 𝑞 𝐹𝜒 - for each 𝐹𝜒 , introduce direction-output 𝑒 𝐹𝜒 that encodes system path that satisfies 𝜒 • LTL formula says: - 𝐇 𝑞 𝐵𝜒 → 𝜒 - "𝐇 𝑞 𝐹𝜒 → 𝐇𝑒 𝐹𝜒 → 𝜒 " (roughly) - The top-level proposition holds initially 11

Example • The top-level proposition holds initially • 𝐇 𝑞 𝐵𝜒 → 𝜒 • "𝐇 𝑞 𝐹𝜒 → 𝐇𝑒 𝐹𝜒 → 𝜒 " (roughly) • 𝚾 𝐃𝐔𝐌∗ = 𝐅𝐘 𝑕 ∧ 𝐆𝑕 , inputs={r}, outputs={g} • inputs={r}, outputs= {𝑕, 𝑞, 𝑒} 𝚾 𝐌𝐔𝐌 = 𝒒 ∧ 𝑯(𝒒 → 𝑯𝒆 → 𝒀 𝒉 ∧ 𝑮𝒉 ) 𝑞 𝑒 = 𝑠 𝑒 = 𝑠 12

Counterexample to ‘rough’ Eφ reduction • 𝜲 𝑫𝑼𝑴∗ = 𝐁𝐇 𝐅𝐘 𝒉 ∧ 𝑮𝒉 • outputs= {𝑕, 𝑞 𝐵 , 𝑞, 𝑒} 𝜲 𝑴𝑼𝑴 = 𝒒 𝑩 ∧ 𝑯 𝒒 𝑩 → 𝑯𝒒 ∧ 𝑯(𝒒 → 𝑯𝒆 → 𝒀 𝒉 ∧ 𝑮𝒉 ) 𝑞 𝐵 𝑞 𝑞 𝑒 =? ? 𝑒 = 𝑠 13

Correct translation of E-formulas • For each 𝐹𝜒 , add outputs 𝑒 1 , … , 𝑒 |𝑅| , 𝑤: {0 … |𝑅|} • Add LTL formula: 𝐇[ 𝑤 𝐹𝜒 = 𝑗 → 𝐇𝑒 𝑗 → 𝜒 ] 𝒋∈{𝟐… 𝑹 } 14

Example • 𝜲 𝑫𝑼𝑴∗ = 𝑩𝑯𝑭𝒀 𝒉 ∧ 𝑮𝒉 • outputs= {𝑕, 𝑞 𝐵 , 𝑤: {0 … 4}, 𝑒 1 , 𝑒 2 , 𝑒 3 , 𝑒 4 } 𝚾 𝑴𝑼𝑴 = 𝒒 𝑩 ∧ 𝑯 𝒒 𝑩 → 𝑯𝒘 ≠ 𝟏 ∧ ) 𝑯(𝒘 = 𝒋 → 𝑯𝒆 𝒋 → 𝒀 𝒉 ∧ 𝑮𝒉 𝒋∈{𝟐…𝟓} 𝑞 𝐵 𝑤 = 𝟐 𝑤 = 𝟑 𝑤 = 1 𝒆 𝟑 = 𝒔 𝒆 𝟐 = 𝒔 𝒆 𝟐 = 𝒔, 𝒆 𝟐 = 𝒔 , 𝒆 𝟑 = 𝒔 𝑠 𝑠 𝑕 𝑕 𝑕 𝑠 𝑠, 𝑠 𝑠 15

CTL* via LTL synthesis: summary • Φ 𝑀𝑈𝑀 is realizable  Φ 𝐷𝑈𝑀 ∗ is realizable Φ 𝑀𝑈𝑀 ≈ 2 |Φ 𝐷𝑈𝑀∗ | • • Yet the synthesis complexity stays in 2EXPTIME • Systems can get larger • Experiments: faster when the # of E-formulas is small 16

Conclusion CTL*-via-LTL synthesis SMT-based bounded CTL* synthesis Future directions: • How to establish unrealizability of CTL*? • Synthesizers for ATL* • Satisfiability of CTL* 17