1 / 52

Synthesis of Reactive systems

Synthesis of Reactive systems. Orna Kupferman Hebrew University. Moshe Vardi Rice University. Is the system correct?. The system has the required behavior. M satisfies . Formal Verification:. It Works!. System  A mathematical model M

gasha
Download Presentation

Synthesis of Reactive systems

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Synthesis of Reactive systems Orna Kupferman Hebrew University Moshe Vardi Rice University

  2. Is the system correct?

  3. The system has the required behavior M satisfies  Formal Verification: It Works! System A mathematical model M Desired behavior A formal specification  But… Model checking

  4. It’s hard to design systems: It’s even harder to design correct systems:

  5. Synthesis: Input:a specification . Output:a system satisfying . WOW!!! An unusual effectiveness of logic in computer science!

  6. truth assignment for pq. synthesis satisfiability Synthesis: Input:a specification . Output:a system satisfying . Input:pq. Output:p,q

  7. A state of the system:   2AP p,q p,q p q p,q A computations of the system: 2)AP (  Satisfiability Synthesis of temporal logic specifications: IsGpFpsatisfiable? A specification:L 2)AP (  specifications  languages

  8. An LTL specification . LTL  nondeterministic Büchi word automata  is satisfiable  A is nonempty [VW86] An automaton A. L(A)=  :  satisfies    =G (req XF grant) A: req req req grant req  grant The automata-theoretic approach:

  9. Date: Mon, 28 Dec 92 18:12:25 PST From: Moshe Vardi vardi@almaden.ibm.com To: ornab@cs.technion.ac.il (Orna Bernholtz) Yes, the VW86 algorithm can be easily extended to give you a finite representation of an accepting run. Thus, it can be used as a synthesis algorithm. You can view this as the automata-theoretic prespective on the Clarke&Emerson-style synthesis. For further elaboration on this perspective, see the paper by P. Wolper: On the relations of programs and computations to models of temporal logic, LNCS 398, 1989. Moshe P.S. Let me know if you’d like me to mail you the paper.

  10. user 1 user 2 An example: • Whenever user i sends a job, the job is eventually printed. • The printer does not serve the two users simultaneously. • G(j1 F p1)  G(j2  F p2) • G((p1)  (p2)) Let’s synthesize a scheduler that satisfies the specification …

  11. j1j2p1p2 Satisfiability of  such a scheduler exists? NO! A model for  help in constructing a scheduler? NO! A model for :a scheduler that is guaranteed to satisfy  forsomeinput sequence. Wanted:a scheduler that is guaranteed to satisfy  forall input sequences.

  12. synthesis satisfiability Closed vs. open systems Closed system:no input! o0, o1,o2,…,oi o0 o0, o1 o0, o1,o2 all input sequences=some input sequence

  13. Closed vs. open systems Open system:interacts with an environment! o0 o1=f(i0) i0 o2=f(i0,i1) i1 o3=f(i0,i1,i2) i2 AP=IO f:(2I)*  2O An open system:labeled state-transition graph

  14. synthesis satisfiability Closed vs. open systems Open system:f:(2I)* 2O In the printer example:I={j1,j2}, O={p1,p2} f:({{},{j1},{j2},{j1,j2}})* {{},{p1},{p2},{p1,p2}}

  15. A computation of f: (f())  (i0,f(i0))  (i1,f(i0,i1))  (i2,f(i0,i1,i2))  … A path in the computation tree, which embodies all computations: (2IO) The computation tree of f (|I|=2): 2IO-labeled 2I-tree I-exhaustive f() 00 01 10 11 f(00) f(01) f(10) f(11)

  16. A computation of f: (f())  (i0,f(i0))  (i1,f(i0,i1))  (i2,f(i0,i1,i2))  … A path in the computation tree, which embodies all computations: (2IO) The specification  is realizable if there is f:(2I)*2O such that all the computations of f satisfy .  is satisfiable   is realizable ?  is satisfiable   is realizable ? Yes! (for all  exists) NO!

  17. Date: Thu, 27 Jan 94 13:46:43 IST From: ornab@cs.technion.ac.il (Orna Bernholtz) To: vardi@cs.rice.edu Subject: Church’s problem We mentioned it in the summer. You referred me to Pnueli and Rozner work about “synthesis as a game between the environment and the system”. Orna

  18. women men proofs bugs R R love(x,y) in(x,y) 16 4 y2=x

  19. Suppose that we have… f: women  men love(x,f(x)) f: proofs  bug in(x,f(x)) f: R  R f2(x)=x 16 4 Can we find such f?

  20. X Y RX  Y Can we find f: X  Y such that R(x,f(x)) for every x  X? Any f: does every x have y such that R(x,y)? Church’s problem1963 We will search for a “constructable” f.

  21. X (2I) Y (2O) constructable Synthesis: R (2I)(2O) R (2IO) An LTL formulaover I  O Can we find f: (2I) (2O) such that R(x,f(x)) for every x (2I)? Can we find f: (2I)* 2O such that all the computations of f satisfy ?

  22. X (2I) Y (2O) Synthesis: Linear appraoch: Branching appraoch: An LTL formulaover I  O CTL* formula Can we find f: (2I) (2O) such that R(x,f(x)) for every x (2I)? Can we find f: (2I)* 2O such that all the computations of f satisfy ? Can we find f: (2I)* 2O such that the computation tree of f satisfies ?

  23. Date: Sat, 6 Jan 1996 10:28:16 CST From: Moshe Vardi vardi@cs.rice.edu To: ok@research.att.com We need some motivation for the branching specs. I think Antioniotti looked at synthesis with CTL specs, but I am not sure that he fully solved it. Didn’t I give you some of his papers? Moshe “Whenever user 1 sends a job, the printer may print it” AG(j1  EFp1) Exists an input sequence…

  24. For linear specifications We easily extend to branching specifications Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88]

  25. Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88] • Given a CTL* specification  over IO: • Construct an automaton A on 2IO-labeled 2I-trees such that A accepts exactly all the trees that satisfy . • Construct an automaton AI-exh on 2IO-labeled 2I-trees such that AI-exh accepts exactly all the I-exhaustive trees. A tree accepted by both A and AI-exh: f: (2I)*  2Owhose computation tree satisfies ! • Check A  AI-exh for emptiness. • (with respect to regular trees)

  26. Synthesis with incomplete information: “The printer should not print papers containing bugs.” Hidden information, unknown to the system! • Partial observability… • Internal signals… • Incomplete information… The system does not see the full picture!

  27. The system does not see the full picture! Still has to be correct with respect to the most hostile environment

  28. Independent of H… What about the computation tree? Synthesis with incomplete information: “The printer should not print papers containing bugs.” Hidden information, unknown to the system! • The setting: • I: input signals • O: output signals • H: hidden signals. A strategy for the system: f:(2I)*  2O

  29. The system’s computation tree:  10 0 11 1 00 01 A tree with a binary branching degree For someone that has incomplete information: I={job} 2I={{},{job}} For someone that has complete information: I={job}, H={bug} 2I x2H={{},{job}}x{{},{bug}} A tree with branching degree four

  30. The system’s computation tree:  11 10 0 0 0 01 0 0 10 00 1 11 1 00 01 For someone that has complete information: I={job}, H={bug} 2I x2H={{},{job}}x{{},{bug}}

  31. 2I-tree  What the system sees  The fat tree: 2IH-tree 10 11 00 01 0000 0001 0100 0101 0010 0011 0110 0111 1000 1001 1100 1101 1010 1011 1110 What reality is; the thing that should satisfy . The system’s computation tree: The thin tree: 0 1 10 11 00 01 1111

  32. The system’s computation tree: The thin tree: 0 1 10 11 00 01  The fat tree: 10 11 00 01 0000 0001 0100 0101 0010 0011 0110 0111 1000 1001 1100 1101 1010 1011 1110 1111 A consistent tree: indistinguishable nodes agree on their label. indistinguishable by the system

  33. Solving the synthesis problem: • Given a CTL* specification  over IOH : • Construct an automaton A on 2IOH -labeled 2IH -trees such that A accepts exactly all the trees that satisfy . • Construct an automaton Aexh on 2IOH -labeled 2IH -trees such that Aexh accepts exactly all the consistent (IH)-exhaustive trees. A tree accepted by both A and Aexh: f: (2I)*  2Owhose fat computation tree satisfies ! • Check A  Aexh for emptiness. • (with respect to regular trees)

  34. Solving the synthesis problem: • Given a CTL* specification  over IOH : • Construct an automaton A on 2IOH-labeled 2IH-trees such that A accepts exactly all the trees that satisfy . • Construct an automaton Aexh on 2IOH-labeled 2IH-trees such that Aexh accepts exactly all the consistent (IH)-exhaustive trees. A tree accepted by both A and Aexh: f: (2I)*  2Owhose fat computation tree satisfies ! • Check A  Aexh for emptiness. • (with respect to regular trees)

  35. Consistency is not a regular property! consistent

  36. The idea: Wanted: is there a fat tree that is both good and consistent?  We cannot check whether a tree is consistent.  There is a transformation g:thin trees  fat trees that generates only consistent fat trees. So we check: is there a thin tree t such that g(t) is good? The automaton reads t, but pretends to read g(t). Unusual effectiveness of alternating automata!

  37. Solving the synthesis problem: Given a CTL* specification  over IOH : Construct an alternating automaton A on 2IO -labeled 2I -trees such that A accepts an I-exhaustive (thin) tree iff its fat version satisfies . Construct an alternating automaton A on 2IO -labeled 2I -trees such that A accepts an I-exhaustive (thin) tree iff its fat version satisfies . A tree accepted by A: f: (2I)*  2Owhose fat computation tree satisfies ! Check A for emptiness. (with respect to regular trees)

  38. A is a Rabin automaton with exponentially many states and a linear index A is a Büchi automaton with linearly many states Complexity: • Satisfiability: • LTL: PSPACE-complete. • CTL: EXPTIME-complete. • CTL*: 2EXPTIME-complete. • Synthesis with complete information: • LTL: 2EXPTIME-complete. • CTL: EXPTIME-complete. • CTL*: 2EXPTIME-complete. • Synthesis with incomplete information: • LTL: 2EXPTIME-complete. • CTL: EXPTIME-complete. • CTL*: 2EXPTIME-complete.

  39. Let’s synthesis five dining philosophers. So far… O I ...systems with a single component. HMMMM…

  40. P0 P2 P1 • An architecture: • I0Oenv • I1Oenv • I2O0 • I3O1 O2 Synthesis of distributed systems: P3 Each process Pi has Ii, Oi, and Hi

  41. composition?? Synthesis of distributed systems: • Input: • A specification  overIOH. • An architecture A. Output: Strategiesfi: (2Ii)* 2IiHisuch that their composition satisfies  (if exist).

  42. P0 P1 Two independent input streams Two player games with incomplete information [Peterson Reif 79] Solving synthesis of distributed systems: Pnueli Rozner 90: distributed systems are hard to synthesize; undecidable in the general case. can simulate a Turing machine.

  43. Pn Solving synthesis of distributed systems: [PR90]:hierarchical architectures are decidable. P0 P1 P2

  44. Date: Sun, 7 Feb 1999 17:07:19 +0200 From: Orna Kupferman <orna@cs.huji.ac.il> To: vardi@cs.rice.edu Subject: Re: hierarchies We should be able to generalize even more… …the dependencies induce a flow that alternating automata can handle. Orna Date: Sat, 6 Feb 1999 10:34:25 –0600 (CST) From: Moshe Vardi <vardi@cs.rice.edu> To: ornak@cs.huji.ac.il Subject: Re: hierarchies In fact, I think we might be able to handle even a more general case, where I_j \subset O_{j_1} \cup O_{j+1}, which allows information to flow up and down the chain. Moshe

  45. P0 P1 P2 Pn P0 P1 P2 Pn Solving synthesis of distributed systems: [PR90]:hierarchical architectures are decidable. [KV00]:using alternating automata: One/two-way chains are decidable. P0 P1 P2 Pn One/two-way rings are decidable.

  46. Date: Sun, 7 Feb 1999 22:17:29 –0600 (CST) From: Moshe Vardi <vardi@cs.rice.edu> To: ornak@cs.huji.ac.il Subject: Re: hierarchies This is nice because these architectures are actually quite realistic. In communication protocol architecture, we typically have layers, where the upper layer is the application layer and the lower level is the physical layer, and information flows between the layers. Moshe

  47. The solution: • A specification   an alternating automaton A. • Reapet: • A and an architecture with n components. • A’ (of size exponential in A) and an architecture with n-1 components. Complexity: nonelementary.

  48. Date: Mon, 8 Feb 1999 14:18:13 –0600 (CST) From: Moshe Vardi <vardi@cs.rice.edu> To: ornak@cs.huji.ac.il Subject: Re: hierarchies BTW, regarding the nonelementary complexity, we can cite the MONA experience that shows that nonelementary algorithms can nevertheless be practical, since the worst-case complexity does not always arise. Moshe

  49. More about the nonelementary complexity: Synthesis is not harder than verification! How come? Verification is linear in the system and at most exponential in the specification.

  50. More about the nonelementary complexity: Input to verification: M and . Input to synthesis:  and A. [Rozner92]: a specification  such that the smallest system satisfying  has a nonelementary size.

More Related