150 likes | 239 Views
Open Implication. Outline. Context Introduction LTL specifications, systems example Formal Definition, Complexity Algorithms with optimal complexity Safraless GR(1) Experimental Results Summary. Big Picture. What do HW and SW designers do? Write a specification Implement system
E N D
Outline • Context • Introduction • LTL specifications, systems • example • Formal Definition, Complexity • Algorithms • with optimal complexity • Safraless • GR(1) • Experimental Results • Summary
Big Picture • What do HW and SW designers do? • Write a specification • Implement system • Check if sys. realizes spec. • Debug • Our idea of HW/SW design: • Write specification • Automatically construct • Relax
LTL Specifications • Linear Temporal Logic: • High level specification language • Boolean logic + temporal operators (X, G, F, U) • Semantics defined over infinite sequences (= words = traces) • Describe behavior of open systems • Open system ( = Moore machine = transducer): • Interacts with its environment (output and input variables) • Examples: controller for elevator, traffic light, arbiter for a bus • Definitions: An open system realizes an LTL formula iff all traces of the open system satisfy the formula. • Verification: Does a given system realize the specification. • Realizability: Is there an open system that realizes a given spec.? • Synthesis: Automatically construct an open system realizing the spec..
LTL Specifications - Example • Part of a requirement for an arbiter: • a ... acknowledgement, output variable • r ... request, input variable • f = GF(r) → G(a→X(¬a)) • If there is always a request at some point, then always if there is an ack., there is no ack. in the next step. • Open system realizing f, all traces satisfy f:
Example Equivalence f = GF(r) → G(a→X(¬a)) g = G(a→X(¬a)) • Are f and g equivalent? • Consider w = (a,¬r)ω, w satisfies f but not g. Find an open system which realizes f but not g? Not equivalent!
Definitions • Motivation: • Synthesis of g: find a smaller specification f such that • f→o g and synthesise f. • Verification of g: find a smaller specification f such that • f→o g and f→o g and verify f. Definition: Given two LTL formulas f and g, ftrace-implies g if all traces satisfying f also satisfy g. Definition: Given two LTL formulas f and g, f open-implies g (f→o g) if all open systems realizing f also realize g.
Comparison • Definition of equivalence of LTL specifications with respect to open systems and with respect to traces. • + Open-implication is weaker: • f = GF(r) → G(a→X(¬a)) and g = G(a→X(¬a)) • are not trace equivalent but open equivalent. • - Open-implication has a very high complexity: • same complexity as realizability, • consider f →o false, • 2EXP.
Algorithm - Idea • Find an open system that realizes f but not g, then ¬(f→o g): • An open system does not realize g iff there exists a trace that satisfies ¬g. • Calculate realizability for f and satisfiability for ¬g simultaneously. • An open system can be represented by a tree: • every trace of the open system corresponds to a path in the tree.
Algorithm with optimal complexity • 1) Realizability (2EXP): • f →Deterministic Parity Tree automaton • f realizable iff language of the DPT is not empty • tree accepted by the DPT ≙ open system realizing f • 2) Satisfiability (PSPACE): • ¬g→Nondeterministic Büchi Word automaton • ¬g satisfiable iff language of NBW is not empty • word accepted by the NBW ≙ word satisfying ¬g
Algorithm - Safraless • Calculate realizability avoiding Safra’s determinization construction (O. Kupferman and M. Y. Vardi. Safraless decision procedures.): • f →Universal Co-Büchi Tree automaton • tree accepted by the UCT ≙ open system realizing f • UCT →Nondeterministic Büchi Tree automaton with bound k • tree accepted by the NBTk≙ open system of size ≤ k realizing f • + easier to implement • + incremental approach, useful to find counter examples • - does not meet the lower bound
Implementation • Consider a subset of LTL: General Reactivity of Rank 1 (GR(1)) • (N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs): • g = ge→ gs • environment assumption → system guaranty • Environment assumptions and system guaranties can be represented by deterministic Büchi automata. • Example: f = GFr → G(a→X(¬a)) • f→o g?: • Calculate realizability for f and satisfiability for ¬g simultaneously, • by solving a fixpoint formula. • Symbolic algorithm in P.
Results of Arbiter Case Study: new →o old • R. Bloem, S. Galler, • B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer: • Automatic hardware • synthesis from specification: • A case study • Specify, compile, run: • Hardware from PSL Time for synthesis new + open implication << time for old synthesis
Summary • Defined open implication: • Compared to trace-implication • Developed 3 algorithms: • Automata theoretic with optimal complexity • Automata theoretic avoiding Safras construction • Fixpoint formula for GR(1) with implementation • Case study
Thank you for your attention • References: • O. Kupferman and M. Y. Vardi. Safraless decision procedures. In Symposium on Foundations of Computer Science (FOCS’05), pages 531-542, 2005. • N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs. In Proc. Verification, Model Checking and Abstract Interpretation, pages 364-380, 2006 • R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Automatic hardware synthesis from specifications: A case study. In DATE, 2007. • R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Specify, compile, run: Hardware from PSL. In 6th International Workshop on Compiler Optimization Meets Compiler Verification, pages 3-16, 2007.