Optimizations for LTL Synthesis


Description: slides by Barbara Jobstmann and Roderick Bloem, Graz University of Technology, Austria, 15 November 2006 (PowerPoint presentation).

TRANSCRIPT

  • Optimizations for LTL Synthesis

    Barbara Jobstmann, Roderick Bloem
    Graz University of Technology, Austria, 15 November 2006

  • Motivation

    Synthesis from specification: correct by construction (no verification). You say what, it says how.
    Theory well established, with a long history: Church (early 60s); theory by Rabin, Ramadge/Wonham, Pnueli/Rosner.
    What has changed since then?

  • Outline

    Introduction
    Approaches and optimizations for LTL synthesis
    Lily
    Conclusion

  • LTL Synthesis

    Automatically build a design from a specification.
    Input: a set of LTL formulae, e.g. G(s1 → s2), (s1 U s2), ...; a partition of the atomic propositions into input and output signals (reactive systems: some signals are controlled by the system, others are not).
    Output: an automatically created, functionally correct finite-state machine (Moore).
    Proposed for LTL by Pnueli, Rosner (POPL'89).
    Difference between monitoring and synthesis: monitoring builds a passive system (nondeterministic); synthesis builds a reactive system (deterministic).

  • Key Observation

    Moore machine: input signal r, output signal a. The values r=1, r=0, ... form the input alphabet; the values a=1, a=0, ... form the output alphabet.
    Tree (regular): r=1, r=0, ... are the directions D; a=1, a=0, ... is the alphabet Σ (labeling).
    A Moore machine is a Σ-labeled D-tree.

  • Idea

    Build a tree automaton that accepts all trees representing Moore machines that fulfil the spec: the directions are the input values (D = 2^I, input signals I) and the alphabet is the output values (Σ = 2^O, output signals O). The automaton accepts all Σ-labeled D-trees in which all paths satisfy the given formula.
    Compute language emptiness; build the FSM from the witness (a Σ-labeled D-tree).

  • Necessary Theory

    Infinite game theory.
    Automata theory: branching mode (deterministic, nondeterministic, universal, alternating), acceptance condition (Büchi, co-Büchi, weak, ...), input element (word, tree).
    Use of KV's abbreviations (e.g., NBW, UCT, ...).

  • Alternating Word Automata

    N+U branching (edges we can follow and edges we must follow).
    Notation: circles represent states, boxes represent universal edges, edges are labeled with sets of labels.

  • Tree Automata

    Universal edges: for each direction, follow only the matching edges.

  • Universal and tree branching

  • Safraful Approach [PR89]

    Build an NBW for the specification φ → convert it to a DRW (Safra's determinization algorithm) → split the alphabet into I/O → DRT → check language emptiness → build the transducer (FSM).

  • Issues

    2EXP worst-case complexity: an exponential blow-up from the formula to the NBW, and another exponential blow-up in Safra's determinization construction.

  • Solutions

    Concentrate on subsets of LTL: Alur, Madhusudan, Nam (BMC'03, STTT'05); Wallmeier, Hütten, Thomas (CIAA'03); Harding, Ryan, Schobbens (TACAS'05); Piterman, Pnueli, Sa'ar (VMCAI'06).
    Full LTL (Safraless approach): Kupferman, Vardi (FOCS'05); Kupferman, Piterman, Vardi (CAV'06).

  • Safraless Approach [KV05]

    Build a UCT: negate the specification φ, build an NBW for ¬φ, invert the NBW → UCT.
    Convert to an AWT. Convert to an NBT. Check language emptiness.
    L(UCT) = L_T(φ)
    L(AWT) ⊆ L_T(φ), and L_T(φ) ≠ ∅ ⇒ L(AWT) ≠ ∅
    L(NBT) ⊆ L_T(φ), and L_T(φ) ≠ ∅ ⇒ L(NBT) ≠ ∅

  • List of Optimizations

    Game-based: heuristic language emptiness.
    Simulation-based: cf. Alur, Henzinger, Kupferman, Vardi (CONCUR'98); cf. Fritz, Wilke (FSTTCS'02).
    Simplify the KV constructions (build AWT, build NBT): cf. Gurumurthy, Kupferman, Somenzi, Vardi (CHARME'05).
    Process the steps incrementally.
    Combine steps.

  • Game-based Optimization

    Heuristic language emptiness for alternating tree automata.
    Idea: find states with empty language (states that accept no tree). Runs with a non-accepting path are rejected, so if the environment can force a non-accepting path, the state accepts no tree.
    Sufficient (but not necessary) for language emptiness.

  • Game-based Optimization

    Game: the system picks the label and the nondeterminism; the environment picks the direction and the universality.
    State s is winning for the environment ⇒ L_T(s) is empty.

  • Example (1)

    φ = GF timer → G(light → (light U timer))
    UCT with co-Büchi state (n3).

  • Example (2)

    Game: the system aims to avoid infinitely many visits to n3; the environment aims to force those visits.
    Co-Büchi game; weak automaton.
    φ = GF timer → G(light → (light U timer))
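The game of the two slides above, as an added example that is not Lily's code: the classical Büchi-game fixpoint computes the environment's winning states on a constructed game graph (node names, owners and edges are assumptions made here, not the slide's timer/light automaton); a state the environment wins accepts no tree, which is the sufficient-but-not-necessary emptiness test.

```python
# Added example (not Lily's code): the emptiness game of the slides above on a
# constructed game graph. Each node is (owner, successors): at "sys" nodes the
# system picks the label / nondeterministic edge, at "env" nodes the
# environment picks the direction / universal edge. The environment wins when
# it can force infinitely many visits to rejecting (co-Büchi) states; such a
# state accepts no tree, which is the sufficient-but-not-necessary test.

def env_forced(nodes, X):
    """Nodes where the environment can ensure the next node lies in X: one
    successor in X at its own nodes, all of them at system nodes (a system node
    with no successor is the transition 'false' and therefore counts)."""
    return {s for s, (owner, succ) in nodes.items()
            if (any(t in X for t in succ) if owner == "env"
                else all(t in X for t in succ))}

def env_attractor(nodes, target):
    """Least fixpoint: nodes from which the environment can force reaching target."""
    win = set(target)
    while True:
        nxt = win | env_forced(nodes, win)
        if nxt == win:
            return win
        win = nxt

def env_winning(nodes, rejecting):
    """Classical Büchi-game iteration (greatest fixpoint): nodes from which the
    environment can force rejecting states to be visited infinitely often. The
    weak automata of the slides are a special case of this general algorithm."""
    X = set(nodes)
    while True:
        Y = env_attractor(nodes, set(rejecting) & env_forced(nodes, X))
        if Y == X:
            return X
        X = Y

# Constructed weak automaton game (hypothetical, not the slide's timer/light
# example): q* are accepting states, r* are the co-Büchi (rejecting) states.
GAME = {
    "q0": ("env", ["q1", "r0"]),  # environment chooses the direction
    "q1": ("sys", ["q1"]),        # system can stay accepting forever
    "r0": ("sys", ["r0", "r1"]),  # both system choices stay rejecting
    "r1": ("env", ["r1", "q1"]),  # environment may loop in r1 forever
}
REJECTING = {"r0", "r1"}

def empty_language_states(game=GAME, rejecting=REJECTING):
    """States of the constructed automaton that the heuristic proves empty."""
    return env_winning(game, rejecting)
```

Changing r0 so that the system can escape to q1 shrinks the environment's winning region to r1 alone, which is exactly the case where the heuristic says nothing about q0.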


  • Lily - LInear Logic sYnthesizer

    First tool to offer synthesis for full LTL.
    Based on Fabio Somenzi's Wring.
    Implements KV05 and all mentioned optimizations.
    http://www.ist.tugraz.at/staff/jobstmann/lily/

  • LTL Specification: Traffic Light

    G(F(timer=1)) -> (G(fl=1 -> (fl=1 U timer=1)) *
                      G(hl=1 -> (hl=1 U timer=1)) *
                      G(car=1 -> F(fl=1)) *
                      G(F(hl=1)) *
                      G(!(hl=1 * fl=1)))
    .inputs timer car
    .outputs fl hl

  • Generated System: Traffic Light

    module traffic(hl,fl,clk,car,timer);
      input clk,car,timer;
      output fl,hl;
      wire clk,fl,hl,car,timer;
      reg state;
      assign hl = (state == 0);
      assign fl = (state == 1);
      initial state=0;
      always @(posedge clk) begin
        case(state)
          0: begin
            if (timer==0) state = 0;
            if (timer==1 && car==1) state = 1;
            if (car==0) state=0;
          end
          1: begin
            if (timer==1) state = 0;
            if (timer==0) state = 1;
          end
        endcase
      end
    endmodule //traffic
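The generated machine can be checked exhaustively against the conjuncts of the traffic-light spec that need no fairness reasoning; this is an added Python transcription of the Verilog module above, not Lily's output, and it takes the spec's assumption G(F(timer=1)) as the source of the eventual timer tick in the until properties.

```python
from itertools import product
# Added example (not Lily's output): the generated "traffic" module as a Python
# Moore machine. State 0 drives hl=1, state 1 drives fl=1, reset state is 0.
INIT = 0

def output(state):
    """Moore machine: the outputs are a function of the state only."""
    return {"hl": state == 0, "fl": state == 1}

def next_state(state, inp):
    """Equivalent of the module's case statement: with blocking assignments the
    last matching `if` wins, so state 0 leaves only when timer==1 and car==1."""
    if state == 0:
        return 1 if inp["timer"] == 1 and inp["car"] == 1 else 0
    return 0 if inp["timer"] == 1 else 1

def all_inputs():
    """Every valuation of the input signals (.inputs timer car)."""
    return [{"timer": t, "car": c} for t, c in product((0, 1), repeat=2)]

def reachable(step=next_state):
    """States reachable from the reset state under some input sequence."""
    seen, todo = {INIT}, [INIT]
    while todo:
        s = todo.pop()
        for inp in all_inputs():
            n = step(s, inp)
            if n not in seen:
                seen.add(n); todo.append(n)
    return seen

def holds_globally(pred, step=next_state):
    """G pred: the output predicate holds in every reachable state."""
    return all(pred(output(s)) for s in reachable(step))

def holds_until(signal, step=next_state):
    """G(signal=1 -> (signal=1 U timer=1)): whenever the signal is on and timer
    is 0, every successor must keep it on (the eventual timer=1 is the spec's
    assumption G(F(timer=1)), so it is not checked here)."""
    return all(output(step(s, inp))[signal]
               for s in reachable(step) if output(s)[signal]
               for inp in all_inputs() if inp["timer"] == 0)

def check_spec(step=next_state):
    """The conjuncts of the traffic-light spec that need no fairness reasoning."""
    return {
        "G(!(hl=1 * fl=1))": holds_globally(lambda o: not (o["hl"] and o["fl"]), step),
        "G(fl=1 -> (fl=1 U timer=1))": holds_until("fl", step),
        "G(hl=1 -> (hl=1 U timer=1))": holds_until("hl", step),
    }
```

The liveness conjuncts G(car=1 -> F(fl=1)) and G(F(hl=1)) need the fairness assumption on timer and an infinite-path argument, so they are outside this check.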

  • Conclusion

    First implementation of synthesis for full LTL.
    Optimizations are the enabling factor.
    Our examples are small but useful for property debugging (or learning LTL).
    Future

  • Thank you for your attention!

    These are subsets, but I want to talk about full LTL.

    Pretty long way.

    Never practical... too hard... no end in sight. Many think it will never go that far; we should try at least...