Presentation Transcript
slide1

Synthesis of Reactive systems

Orna Kupferman Hebrew University

Moshe Vardi Rice University

slide3

Formal Verification:

System: a mathematical model M

Desired behavior: a formal specification

Model checking: does M satisfy the specification? If so, the system has the required behavior. It works!

But…

slide4

It’s hard to design systems:

It’s even harder to design correct systems:

slide5

Synthesis:

Input: a specification.

Output: a system satisfying it.

WOW!!!

An unusual effectiveness of logic in computer science!

slide6

Synthesis vs. satisfiability:

Input: a specification.

Output: a system satisfying it.

In the propositional case: Input: pq. Output: the truth assignment p,q for pq.

slide7

Satisfiability and synthesis of temporal logic specifications:

A state of the system: an element of 2AP (a set of atomic propositions).

[figure: an example system with states labeled p,q; p,q; p; q; p,q]

A computation of the system: an infinite sequence of states.

Is GpFp satisfiable?

A specification: a language L of computations.

Specifications are languages.

slide8

The automata-theoretic approach:

LTL specifications are translated to nondeterministic Büchi word automata [VW86]: for an LTL specification, build an automaton A with L(A) = the set of computations that satisfy the specification. The specification is satisfiable iff A is nonempty.

Example: G(req XF grant)

[figure: the automaton A for this specification, a two-state automaton whose edges are labeled by req, grant and their negations]

slide9

Date: Mon, 28 Dec 92 18:12:25 PST

From: Moshe Vardi vardi@almaden.ibm.com

To: ornab@cs.technion.ac.il (Orna Bernholtz)

Yes, the VW86 algorithm can be easily extended to give you a finite representation of an accepting run. Thus, it can be used as a synthesis algorithm.

You can view this as the automata-theoretic perspective on the Clarke&Emerson-style synthesis. For further elaboration on this perspective, see the paper by P. Wolper: On the relations of programs and computations to models of temporal logic, LNCS 398, 1989.

Moshe

P.S. Let me know if you’d like me to mail you the paper.
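The approach of slide 8 and the e-mail's remark that the VW86 algorithm yields a finite representation of an accepting run, as an added example that is not part of the original slides: a small Büchi word automaton for G(req → XF grant) (hand-built here, not the slides' drawing), the standard two-track Büchi product, and a nonemptiness test that returns an accepting run as a lasso prefix·loop^ω, which is exactly the closed-system "synthesis" the e-mail describes. The names `Buchi`, `product`, `accepting_lasso` and the automata `A_PSI`, `A_GF_REQ`, `A_NO_GRANT` are this example's own assumptions.

```python
from collections import deque

# Added example, not the slides' own automaton: letters are subsets of
# AP = {req, grant}; a guard is a pair (required letters, forbidden letters).
ALPHABET = [frozenset(), frozenset({"req"}), frozenset({"grant"}),
            frozenset({"req", "grant"})]


class Buchi:
    """Nondeterministic Büchi word automaton over the alphabet 2^AP."""

    def __init__(self, initial, accepting, transitions):
        self.initial = initial
        self.accepting = frozenset(accepting)
        self.transitions = transitions  # tuples (src, required, forbidden, dst)

    def step(self, state, letter):
        """Successor set of `state` on `letter` (nondeterministic in general)."""
        return {dst for src, req, forb, dst in self.transitions
                if src == state and req <= letter and not (forb & letter)}


# Hand-built automaton for G(req -> XF grant): "idle" owes nothing, "pending"
# owes a grant strictly later than the request that created the obligation.
A_PSI = Buchi("idle", {"idle"}, [
    ("idle", frozenset({"req"}), frozenset(), "pending"),
    ("idle", frozenset(), frozenset({"req"}), "idle"),
    ("pending", frozenset(), frozenset({"grant"}), "pending"),
    ("pending", frozenset({"grant"}), frozenset({"req"}), "idle"),
    ("pending", frozenset({"grant", "req"}), frozenset(), "pending"),
])
# GF req (infinitely many requests): accepting right after a request was read.
A_GF_REQ = Buchi("wait", {"seen"}, [
    ("wait", frozenset({"req"}), frozenset(), "seen"),
    ("wait", frozenset(), frozenset({"req"}), "wait"),
    ("seen", frozenset({"req"}), frozenset(), "seen"),
    ("seen", frozenset(), frozenset({"req"}), "wait"),
])
# G !grant: one accepting state that refuses every letter containing grant.
A_NO_GRANT = Buchi("ok", {"ok"}, [("ok", frozenset(), frozenset({"grant"}), "ok")])


def product(a, b):
    """Büchi intersection with the usual two-track trick: the track switches
    from 1 to 2 when `a` leaves an accepting state and back when `b` does;
    accepting states are those on track 1 whose `a`-component accepts."""
    transitions = []
    for sa, ra, fa, da in a.transitions:
        for sb, rb, fb, db in b.transitions:
            req, forb = ra | rb, fa | fb
            if req & forb:  # contradictory joint guard: this edge never fires
                continue
            for track in (1, 2):
                if track == 1 and sa in a.accepting:
                    nxt = 2
                elif track == 2 and sb in b.accepting:
                    nxt = 1
                else:
                    nxt = track
                transitions.append(((sa, sb, track), req, forb, (da, db, nxt)))
    states = {t[0] for t in transitions} | {t[3] for t in transitions}
    accepting = {s for s in states if s[2] == 1 and s[0] in a.accepting}
    return Buchi((a.initial, b.initial, 1), accepting, transitions)


def shortest_paths(aut, start):
    """BFS from `start`: maps each state reachable by one or more transitions to
    the letters of a shortest path (start itself appears only if it is on a cycle)."""
    paths, queue = {}, deque([(start, [])])
    while queue:
        state, path = queue.popleft()
        for letter in ALPHABET:
            for nxt in aut.step(state, letter):
                if nxt not in paths:
                    paths[nxt] = path + [letter]
                    queue.append((nxt, paths[nxt]))
    return paths


def accepting_lasso(aut):
    """Nonemptiness test: is some accepting state reachable and on a cycle?
    Returns (prefix, loop) as lists of letters, the finite representation of an
    accepting run on the word prefix.loop^omega, or None when L(aut) is empty."""
    prefixes = {aut.initial: []} if aut.initial in aut.accepting else {}
    for state, path in shortest_paths(aut, aut.initial).items():
        if state in aut.accepting:
            prefixes.setdefault(state, path)
    for state, prefix in prefixes.items():
        loop = shortest_paths(aut, state).get(state)
        if loop:
            return prefix, loop
    return None


if __name__ == "__main__":
    # A model of G(req -> XF grant) /\ GF req: request, grant, request, grant, ...
    print(accepting_lasso(product(A_PSI, A_GF_REQ)))
    # Adding G !grant makes the conjunction unsatisfiable: no lasso exists.
    print(accepting_lasso(product(product(A_PSI, A_GF_REQ), A_NO_GRANT)))
```

The lasso for the first product is the empty prefix and the loop {req}, {grant}: the automaton itself is a finite program that alternates requests and grants forever, which is the sense in which nonemptiness of a word automaton already synthesizes a closed system.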

slide10

An example:

[figure: a printer shared by user 1 and user 2]

  • Whenever user i sends a job, the job is eventually printed.
  • The printer does not serve the two users simultaneously.
  • G(j1 F p1)  G(j2  F p2)
  • G((p1)  (p2))

Let’s synthesize a scheduler that satisfies the specification …

slide11

j1j2p1p2

Satisfiability of 

such a scheduler exists?

NO!

A model for 

help in constructing a scheduler?

NO!

A model for :a scheduler that is guaranteed to satisfy  forsomeinput sequence.

Wanted:a scheduler that is guaranteed to satisfy  forall input sequences.

slide12

Closed vs. open systems (synthesis vs. satisfiability):

Closed system: no input!

[figure: the outputs o0; o0, o1; o0, o1, o2; …; o0, o1, o2, …, oi]

all input sequences = some input sequence

slide13

Closed vs. open systems

Open system: interacts with an environment!

[figure: the interaction o0; i0; o1=f(i0); i1; o2=f(i0,i1); i2; o3=f(i0,i1,i2); …]

AP=IO

f:(2I)*  2O

An open system: a labeled state-transition graph

slide14

Closed vs. open systems (synthesis vs. satisfiability)

Open system: f:(2I)* 2O

In the printer example: I={j1,j2}, O={p1,p2}

f:({{},{j1},{j2},{j1,j2}})* {{},{p1},{p2},{p1,p2}}

slide15

A computation of f:

(f())  (i0,f(i0))  (i1,f(i0,i1))  (i2,f(i0,i1,i2))  …

A path in the computation tree, which embodies all computations: (2IO)

The computation tree of f (|I|=2): a 2IO-labeled 2I-tree that is I-exhaustive.

[figure: root f(), with children f(00), f(01), f(10), f(11) along the directions 00 01 10 11]

slide16

The specification is realizable if there is f:(2I)*2O such that all the computations of f satisfy it.

Does realizability imply satisfiability? Yes! ("for all" implies "exists")

Does satisfiability imply realizability? NO!
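The printer example of slides 10 and 11 and the realizability definition above, as an added bounded-horizon example that is not from the slides: strategies f: (2I)* → 2O are searched by a game recursion in which the environment's quantifier decides between realizability (the strategy must win against every input sequence) and satisfiability (one cooperative input sequence suffices), so the table that comes back is either a scheduler or just a model. `solve`, the three specifications `echo`, `predict` and `printer`, and the one-step bound put on "eventually" are this example's own assumptions.

```python
from itertools import product as cartesian

# Added example, not from the slides. A computation is the sequence
# (f(e)), (i0, f(i0)), (i1, f(i0,i1)), ... of slide 15, encoded here as a list
# of (input, output) pairs whose position 0 carries the empty input.


def powerset(signals):
    """All subsets of a signal set as frozensets: this is 2^I or 2^O."""
    signals = sorted(signals)
    return [frozenset(s for s, bit in zip(signals, bits) if bit)
            for bits in cartesian((0, 1), repeat=len(signals))]


def solve(spec, I, O, k, adversarial):
    """Bounded game of k rounds. Returns a strategy table prefix -> output, or
    None. adversarial=True quantifies the environment universally
    (realizability: the table covers every input prefix); adversarial=False
    lets the environment cooperate (satisfiability: one input sequence)."""
    inputs, outputs = powerset(I), powerset(O)

    def system_turn(trace, history, last_input):
        # The system fixes o_t = f(i_0 .. i_{t-1}); `history` is that prefix.
        for o in outputs:
            table = environment_turn(trace + [(last_input, o)], history)
            if table is not None:
                table[history] = o
                return table
        return None

    def environment_turn(trace, history):
        if len(trace) == k + 1:
            return {} if spec(trace) else None
        table = {}
        for i in inputs:
            sub = system_turn(trace, history + (i,), i)
            if sub is None and adversarial:
                return None  # the environment has found a refuting input
            if sub is not None:
                table.update(sub)
                if not adversarial:
                    return table  # one cooperative input suffices
        return table if adversarial else None

    return system_turn([], (), frozenset())


def realizable(spec, I, O, k):
    return solve(spec, I, O, k, adversarial=True) is not None


def satisfiable(spec, I, O, k):
    return solve(spec, I, O, k, adversarial=False) is not None


# Three constructed specifications on finite computations.
def echo(trace):
    """From position 1 on, the output copies that position's input."""
    return all(("b" in out) == ("a" in inp) for inp, out in trace[1:])


def predict(trace):
    """The output must announce the input of the *next* position: satisfiable
    (a cooperating environment confirms every guess) but not realizable."""
    return all(("b" in trace[t][1]) == ("a" in trace[t + 1][0])
               for t in range(len(trace) - 1))


def printer(trace):
    """The printer specification of slide 10 with 'eventually printed' bounded
    to the same or the next position (jobs arriving at the last position of
    the finite computation are exempt); mutual exclusion holds everywhere."""
    for t, (inp, out) in enumerate(trace):
        if {"p1", "p2"} <= out:
            return False
        for user in ("1", "2"):
            if "j" + user in inp and t + 1 < len(trace):
                if "p" + user not in out and "p" + user not in trace[t + 1][1]:
                    return False
    return True


if __name__ == "__main__":
    print(realizable(echo, {"a"}, {"b"}, 3), satisfiable(echo, {"a"}, {"b"}, 3))
    print(realizable(predict, {"a"}, {"b"}, 3), satisfiable(predict, {"a"}, {"b"}, 3))
    scheduler = solve(printer, {"j1", "j2"}, {"p1", "p2"}, 3, adversarial=True)
    print(len(scheduler), "input prefixes scheduled; o0 =", set(scheduler[()]))
```

`predict` is the textbook gap between the two notions: a cooperating environment can always confirm the system's guess, so the specification has a model, but an adversarial environment just does the opposite of whatever was announced. The printer specification, by contrast, is realizable; the returned table is the scheduler, defined on all 85 input prefixes of length at most 3.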

slide17

Date: Thu, 27 Jan 94 13:46:43 IST

From: ornab@cs.technion.ac.il (Orna Bernholtz)

To: vardi@cs.rice.edu

Subject: Church’s problem

We mentioned it in the summer. You referred me to Pnueli and Rozner’s work about “synthesis as a game between the environment and the system”.

Orna

slide18

[figure: three relations R: love(x,y) between women and men; in(x,y) between proofs and bugs; y2=x on the reals, e.g. 16 and 4]

Suppose that we have…

f: women  men with love(x,f(x))

f: proofs  bugs with in(x,f(x))

f: R  R with f2(x)=x, e.g. 16 4

Can we find such f?

slide20

Church’s problem (1963):

Given sets X and Y and a relation RX  Y, can we find f: X  Y such that R(x,f(x)) for every x  X?

Any f: does every x have y such that R(x,y)?

We will search for a “constructable” f.

slide21

Synthesis as Church’s problem:

X = (2I), Y = (2O), and R (2I)(2O), i.e. R (2IO), is an LTL formula over I  O.

Can we find f: (2I) (2O) such that R(x,f(x)) for every x (2I)?

Can we find a constructable f: (2I)* 2O such that all the computations of f satisfy the formula?

slide22

Synthesis: linear vs. branching approach.

X = (2I), Y = (2O). Can we find f: (2I) (2O) such that R(x,f(x)) for every x (2I)?

Linear approach: R is an LTL formula over I  O. Can we find f: (2I)* 2O such that all the computations of f satisfy it?

Branching approach: R is a CTL* formula. Can we find f: (2I)* 2O such that the computation tree of f satisfies it?

slide23

Date: Sat, 6 Jan 1996 10:28:16 CST

From: Moshe Vardi vardi@cs.rice.edu

To: ok@research.att.com

We need some motivation for the branching specs. I think Antoniotti looked at synthesis with CTL specs, but I am not sure that he fully solved it.

Didn’t I give you some of his papers?

Moshe

“Whenever user 1 sends a job, the printer may print it”

AG(j1  EFp1)

Exists an input sequence…

slide24

Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88]

For linear specifications; we easily extend to branching specifications.

slide25

Solving the synthesis problem: [Rabin 70, Pnueli Rozner 88]

Given a CTL* specification  over IO:

  • Construct an automaton A on 2IO-labeled 2I-trees such that A accepts exactly all the trees that satisfy .
  • Construct an automaton AI-exh on 2IO-labeled 2I-trees such that AI-exh accepts exactly all the I-exhaustive trees.
  • Check A  AI-exh for emptiness (with respect to regular trees).

A tree accepted by both A and AI-exh: an f: (2I)*  2O whose computation tree satisfies !

slide26

Synthesis with incomplete information:

“The printer should not print papers containing bugs.”

Hidden information, unknown to the system!

  • Partial observability…
  • Internal signals…
  • Incomplete information…

The system does not see the full picture!

slide27

The system does not see the full picture!

Still has to be correct with respect to the most hostile environment

slide28

Synthesis with incomplete information:

“The printer should not print papers containing bugs.”

Hidden information, unknown to the system!

  • The setting:
  • I: input signals
  • O: output signals
  • H: hidden signals.

A strategy for the system: f:(2I)*  2O, independent of H…

What about the computation tree?

slide29

The system’s computation tree:

For someone that has incomplete information: I={job}, 2I={{},{job}}: a tree with a binary branching degree.

[figure: binary tree with nodes 0, 1, 00, 01, 10, 11]

For someone that has complete information: I={job}, H={bug}, 2I x2H={{},{job}}x{{},{bug}}: a tree with branching degree four.

slide30

The system’s computation tree, for someone that has complete information: I={job}, H={bug}, 2I x2H={{},{job}}x{{},{bug}}.

[figure: tree with branching degree four; node labels 0, 1, 00, 01, 10, 11]

slide31

The system’s computation tree:

The thin tree, a 2I-tree: what the system sees.

[figure: thin tree with nodes 0, 1, 00, 01, 10, 11]

The fat tree, a 2IH-tree: what reality is; the thing that should satisfy the specification.

[figure: fat tree with nodes 00, 01, 10, 11, 0000, 0001, …, 1111]

slide32

The system’s computation tree:

The thin tree: [figure: nodes 0, 1, 00, 01, 10, 11]

The fat tree: [figure: nodes 00, 01, 10, 11, 0000, 0001, …, 1111, with groups of nodes marked as indistinguishable by the system]

A consistent tree: indistinguishable nodes agree on their label.

slide33

Solving the synthesis problem:

Given a CTL* specification  over IOH:

  • Construct an automaton A on 2IOH-labeled 2IH-trees such that A accepts exactly all the trees that satisfy .
  • Construct an automaton Aexh on 2IOH-labeled 2IH-trees such that Aexh accepts exactly all the consistent (IH)-exhaustive trees.
  • Check A  Aexh for emptiness (with respect to regular trees).

A tree accepted by both A and Aexh: an f: (2I)*  2O whose fat computation tree satisfies !

slide36

The idea:

Wanted: is there a fat tree that is both good and consistent?

 We cannot check whether a tree is consistent.

 There is a transformation g:thin trees  fat trees that generates only consistent fat trees.

So we check: is there a thin tree t such that g(t) is good?

The automaton reads t, but pretends to read g(t).

Unusual effectiveness of alternating automata!
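The thin/fat tree construction of slides 31 to 36, as an added example that is not from the slides: a strategy is a table over thin prefixes, and the transformation g lifts it to the fat tree by labelling every fat node with the output of its projection, so g(t) is consistent by construction; enumerating all thin strategies for the bug example shows why hiding H matters, while the same labelling with the bug visible is good but not consistent. The horizon `K`, the added response obligation in `holds`, and the names `fat_tree`, `consistent`, `good`, `thin_strategies` are this example's own assumptions.

```python
from itertools import product as cartesian

# Added example, not from the slides. I = {job} is visible, H = {bug} is hidden,
# O = {print}. A thin prefix is a sequence over 2^I, a fat prefix one over 2^{I u H}.
I, H, O = ("job",), ("bug",), ("print",)
K = 2  # depth of the trees enumerated here (constructed, small enough to brute-force)


def powerset(signals):
    """All subsets of a signal tuple as frozensets."""
    return [frozenset(s for s, bit in zip(signals, bits) if bit)
            for bits in cartesian((0, 1), repeat=len(signals))]


THIN_LETTERS, FAT_LETTERS = powerset(I), powerset(I + H)
VISIBLE = frozenset(I)


def nodes(letters, depth):
    """All sequences of length 0..depth over `letters`: the nodes of the tree."""
    return [seq for n in range(depth + 1) for seq in cartesian(letters, repeat=n)]


def project(fat_prefix):
    """What the system sees of a fat prefix: the hidden signals are dropped."""
    return tuple(letter & VISIBLE for letter in fat_prefix)


def fat_tree(thin_strategy):
    """The transformation g: label every fat node with the output that the thin
    strategy gives to the node's projection."""
    return {node: thin_strategy[project(node)] for node in nodes(FAT_LETTERS, K)}


def consistent(labelling):
    """Indistinguishable nodes (same projection) must agree on their label."""
    seen = {}
    return all(seen.setdefault(project(node), out) == out
               for node, out in labelling.items())


def holds(labelling, branch):
    """The spec on one branch of the fat tree: never print a paper containing a
    bug, and print every clean job at its own position or the next one (the
    second clause is added so that 'never print' is not a solution)."""
    for t in range(1, len(branch) + 1):
        inp, out = branch[t - 1], labelling[branch[:t]]
        if "print" in out and "bug" in inp:
            return False
        if inp == frozenset({"job"}):
            served_now = "print" in out
            served_next = t < len(branch) and "print" in labelling[branch[:t + 1]]
            if not (served_now or served_next):
                return False
    return True


def good(labelling):
    """Does the fat tree satisfy the spec on all of its branches?"""
    return all(holds(labelling, branch) for branch in cartesian(FAT_LETTERS, repeat=K))


def thin_strategies():
    """Every strategy f: (2^I)^{<=K} -> 2^O, as a table over thin prefixes."""
    thin_nodes = nodes(THIN_LETTERS, K)
    for outs in cartesian(powerset(O), repeat=len(thin_nodes)):
        yield dict(zip(thin_nodes, outs))


def realizable_with_hidden_bug():
    """Is there a thin tree t such that g(t) is good? (2^7 candidates for K=2)"""
    return any(good(fat_tree(t)) for t in thin_strategies())


def complete_information_labelling():
    """If the bug were visible: print exactly the clean jobs. This labels the
    fat tree directly and is not consistent, so it is no strategy of the system."""
    return {node: frozenset({"print"}) if node and node[-1] == frozenset({"job"})
            else frozenset() for node in nodes(FAT_LETTERS, K)}


if __name__ == "__main__":
    print("hidden bug, some thin strategy works:", realizable_with_hidden_bug())
    full = complete_information_labelling()
    print("visible bug: good =", good(full), "consistent =", consistent(full))
```

The search never has to test consistency of a candidate, which is the point of slide 36: every candidate is built as g(t) from a thin tree, and only goodness of the fat result is checked.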

slide37

Solving the synthesis problem:

Given a CTL* specification  over IOH:

Construct an alternating automaton A on 2IO-labeled 2I-trees such that A accepts an I-exhaustive (thin) tree iff its fat version satisfies .

A tree accepted by A: an f: (2I)*  2O whose fat computation tree satisfies !

Check A for emptiness (with respect to regular trees).

slide38

A is a Rabin automaton with exponentially many states and a linear index

A is a Büchi automaton with linearly many states

Complexity:

                                         LTL                CTL               CTL*
  Satisfiability                         PSPACE-complete    EXPTIME-complete  2EXPTIME-complete
  Synthesis with complete information    2EXPTIME-complete  EXPTIME-complete  2EXPTIME-complete
  Synthesis with incomplete information  2EXPTIME-complete  EXPTIME-complete  2EXPTIME-complete

slide39

So far… systems with a single component.

[figure: a single component with inputs I and outputs O]

Let’s synthesize five dining philosophers. HMMMM…

slide40

Synthesis of distributed systems:

[figure: an architecture of four processes P0, P1, P2, P3]

  • An architecture:
  • I0Oenv
  • I1Oenv
  • I2O0
  • I3O1 O2

Each process Pi has Ii, Oi, and Hi

slide41

Synthesis of distributed systems:

  • Input:
  • A specification  over IOH.
  • An architecture A.

Output: strategies fi: (2Ii)* 2IiHi such that their composition satisfies  (if they exist).

composition??

slide42

Solving synthesis of distributed systems:

[figure: two processes P0 and P1 with two independent input streams]

Pnueli Rozner 90: distributed systems are hard to synthesize; undecidable in the general case. Two processes with independent input streams can simulate a Turing machine (cf. two-player games with incomplete information [Peterson Reif 79]).

slide43

Solving synthesis of distributed systems:

[PR90]: hierarchical architectures are decidable.

[figure: a hierarchy of processes P0, P1, P2, …, Pn]

slide44

Date: Sun, 7 Feb 1999 17:07:19 +0200

From: Orna Kupferman <orna@cs.huji.ac.il>

To: vardi@cs.rice.edu

Subject: Re: hierarchies

We should be able to generalize even more… …the dependencies induce a flow that alternating automata can handle.

Orna

Date: Sat, 6 Feb 1999 10:34:25 -0600 (CST)

From: Moshe Vardi <vardi@cs.rice.edu>

To: ornak@cs.huji.ac.il

Subject: Re: hierarchies

In fact, I think we might be able to handle even a more general case, where I_j \subset O_{j_1} \cup O_{j+1}, which allows information to flow up and down the chain.

Moshe

slide45

Solving synthesis of distributed systems:

[PR90]: hierarchical architectures are decidable.

[KV00]: using alternating automata, one/two-way chains are decidable, and one/two-way rings are decidable.

[figure: chains and a ring of processes P0, P1, P2, …, Pn]

slide46

Date: Sun, 7 Feb 1999 22:17:29 -0600 (CST)

From: Moshe Vardi <vardi@cs.rice.edu>

To: ornak@cs.huji.ac.il

Subject: Re: hierarchies

This is nice because these architectures are actually quite realistic. In communication protocol architecture, we typically have layers, where the upper layer is the application layer and the lower level is the physical layer, and information flows between the layers.

Moshe

slide47

The solution:

  • A specification   an alternating automaton A.
  • Repeat:
  • A and an architecture with n components.
  • A’ (of size exponential in A) and an architecture with n-1 components.

Complexity: nonelementary.

slide48

Date: Mon, 8 Feb 1999 14:18:13 -0600 (CST)

From: Moshe Vardi <vardi@cs.rice.edu>

To: ornak@cs.huji.ac.il

Subject: Re: hierarchies

BTW, regarding the nonelementary complexity, we can cite the MONA experience that shows that nonelementary algorithms can nevertheless be practical, since the worst-case complexity does not always arise.

Moshe

slide49

More about the nonelementary complexity:

Synthesis is not harder than verification!

How come? Verification is linear in the system and at most exponential in the specification.

slide50

More about the nonelementary complexity:

Input to verification: M and .

Input to synthesis:  and A.

[Rozner92]: a specification  such that the smallest system satisfying  has a nonelementary size.

slide51

Other related work:

Synthesis against a non-maximal environment.

The computation tree may not be I-exhaustive; this makes a difference for existential requirements [joint work with P. Madhusudan and P.S. Thiagarajan].

-calculus synthesis.

Many technical problems…

slide52

Date: Thu, 27 Aug 1998 12:08:42 -0500 (CST)

From: Moshe Vardi <vardi@cs.rice.edu>

To: orna@eecs.berkeley.edu

I think we are done.

Moshe