Optimizations for LTL Synthesis. Barbara Jobstmann (Graz University of Technology, Professor Horst Cerjak). San Jose, Nov 15.


Optimizations for LTL Synthesis
Barbara Jobstmann, Roderick Bloem
Graz University of Technology, Austria
15 November 2006

Motivation
● Synthesis from specification
● Correct by construction: no verification needed
● You say what, it says how
● Theory well established
● Long history: Church (early 60's)
● Theory: Rabin, Ramadge/Wonham, Pnueli/Rosner
● What has changed since then?

Outline
● Introduction
● Approaches and optimizations for LTL synthesis
● Lily
● Conclusion

LTL Synthesis
● Automatically build a design from a specification
● Input
  ● Set of LTL formulae, e.g. G(s1 → ¬s2), (s1 U s2), …
  ● Partition of the atomic propositions into input/output signals. Reactive systems: some signals are controlled by the system, others are not.
● Output
  ● Automatically created, functionally correct finite-state machine (Moore)
● Proposed for LTL by Pnueli, Rosner (POPL'89)
● Difference between monitoring and synthesis
  ● Monitoring: build a passive system (nondeterministic)
  ● Synthesis: build a reactive system (deterministic)

Key Observation
● Moore machine
  ● Input signal r, output signal a
  ● r=1, r=0: input alphabet
  ● a=1, a=0: output alphabet
● Tree (regular)
  ● r=1, r=0: directions D
  ● a=1, a=0: alphabet Σ (labeling)
● The unfolding of the Moore machine is a Σ-labeled D-tree

Idea
1) Build a tree automaton
  ● Accepts all trees representing Moore machines that fulfill spec φ
  ● Directions are input values (D = 2^I, input signals I)
  ● Alphabet are output values (Σ = 2^O, output signals O)
  ● Automaton accepts all Σ-labeled D-trees where all paths satisfy the given formula φ
2) Compute language emptiness
3) Build FSM from the witness (a Σ-labeled D-tree)

Necessary Theory
● Infinite game theory
● Automata theory
  ● Branching mode (Deterministic, Nondeterministic, Universal, Alternating)
  ● Acceptance condition (Büchi, Co-Büchi, Weak, ...)
  ● Input element (Word, Tree)
  ● Use of Kupferman/Vardi's (KV) abbreviations, i.e. branching mode, acceptance, input: e.g. NBW = nondeterministic Büchi word automaton, UCT = universal co-Büchi tree automaton, ...

Alternating Word Automata
● N+U branching: nondeterministic edges we can follow and universal edges we must follow
● Notation:
  ● Circles represent states
  ● Boxes represent universal edges
  ● Edges are labeled with sets of labels


Tree Automata
● Universal edges: for each direction, follow only the matching edges

Universal and tree branching

Safraful Approach [PR89]
1) Build an NBW for φ
2) Convert to DRW
  ● Safra's determinization algorithm
3) Split alphabet into I/O → DRT
4) Check language emptiness
  ● Build transducer (FSM)
Pipeline: φ → (Build NBW) → NBW → (Build DRW) → DRW + i/o → (Build DRT) → DRT → (Lang. Emp.) → FSM

Issues
● 2EXP worst-case complexity
● Safra's determinization construction
Pipeline: φ → (Build NBW: exp blow-up) → NBW → (Build DRW: exp blow-up) → DRW + i/o → (Build DRT) → DRT → (Lang. Emp.) → FSM

Solutions
● Concentrate on subsets of LTL
  ● Alur, Madhusudan, Nam (BMC'03, STTT'05)
  ● Wallmeier, Hütter, Thomas (CIAA'03)
  ● Harding, Ryan, Schobbens (TACAS'05)
  ● Piterman, Pnueli, Sa'ar (VMCAI'06)
● Full LTL (Safraless approach)
  ● Kupferman, Vardi (FOCS'05)
  ● Kupferman, Piterman, Vardi (CAV'06)

Safraless Approach [KV05]
1) Build a UCT
  ● Negate φ
  ● Build an NBW for ¬φ
  ● Invert NBW → UCT
2) Convert to AWT
3) Convert to NBT
4) Check language emptiness
Pipeline: φ + i/o → (Build UCT) → UCT → (Build AWT) → AWT → (Build NBT) → NBT → (Lang. Emp.) → FSM
Language relations (L_T(φ) is the tree language of φ):
● L(UCT) = L_T(φ)
● L(AWT) ⊆ L_T(φ), and L_T(φ) ≠ ∅ ⇒ L(AWT) ≠ ∅
● L(NBT) ⊆ L_T(φ), and L_T(φ) ≠ ∅ ⇒ L(NBT) ≠ ∅

List of Optimizations
1) Game-based: heuristic language emptiness
2) Simulation-based: cf. Alur, Henzinger, Kupferman, Vardi (CONCUR'98); Fritz, Wilke (FSTTCS'02)
3) Simplify KV-constructions (Build AWT, Build NBT): cf. Gurumurthy, Kupferman, Somenzi, Vardi (CHARME'05)
4) Process steps incrementally: combine steps
Pipeline: φ + i/o → (Build UCT) → UCT → (Build AWT) → AWT → (Build NBT) → NBT → (Lang. Emp.) → FSM

Game-based Optimization
● Heuristic language emptiness for alternating tree automata
● Idea
  ● Find states with empty language (accept no tree)
  ● Runs with a non-accepting path are rejected
  ● If the environment can force a non-accepting path, the state accepts no tree
  ● Sufficient (but not necessary) for language emptiness
Pipeline: φ + i/o → (Build UCT) → UCT → (Build AWT) → AWT → (Build NBT) → NBT → (Lang. Emp.) → FSM

Game-based Optimization
● Game
  ● System picks the label and the nondeterminism
  ● Environment picks direction and universality
● State s is winning for the environment → L_T(s) is empty

Example (1)
● φ = GF timer → G(light → light U timer)
● UCT with co-Büchi state (n3)

Example (2)
● Game:
  ● System aims to avoid infinitely many visits to n3
  ● Environment aims to force those visits
● Co-Büchi game, weak automaton
● φ = GF timer → G(light → light U timer)


Lily - Linear Logic sYnthesizer
● First tool to offer synthesis for full LTL
● Based on Fabio Somenzi's Wring
● Implements KV05 and all mentioned optimizations

LTL Specification: Traffic Light
    G(F(timer=1)) -> (
      G(fl=1 -> (fl=1 U timer=1))
      G(hl=1 -> (hl=1 U timer=1))
      G(car=1 -> F(fl=1))
      G(F(hl=1))
      G(!(hl=1 * fl=1))
    )
    .inputs timer car
    .outputs fl hl
Figure: intersection with highway light hl, farm-road light fl and a car sensor.

Generated System: Traffic Light
    module traffic(hl,fl,clk,car,timer);
      input clk,car,timer;
      output fl,hl;
      wire clk,fl,hl,car,timer;
      reg state;
      // Moore outputs: state 0 shows the highway light, state 1 the farm-road light
      assign hl = (state == 0);
      assign fl = (state == 1);
      initial state=0;
      always @(posedge clk) begin
        case(state)
          0: begin
            if (timer==0) state = 0;
            if (timer==1 && car==1) state = 1;
            if (car==0) state=0;
          end
          1: begin
            if (timer==1) state = 0;
            if (timer==0) state = 1;
          end
        endcase
      end
    endmodule //traffic
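To see what "functionally correct by construction" means for this output, the following is an added example (not from the slides and not part of Lily): the generated Moore machine transcribed from the Verilog above into Python, driven by constructed, lasso-shaped input sequences (a prefix plus a repeated loop), and checked against each conjunct of the traffic-light specification. Because the machine is finite-state, the product of machine and loop is itself ultimately periodic, so G, F and U are decided exactly on the lasso rather than on a bounded window; the trace shapes and the helper names are this example's own.

```python
# Added example, not code from the slides or from Lily.  The transition
# function is transcribed from the generated Verilog (state 0 = hl, state 1 = fl).
def traffic_step(state, car, timer):
    if state == 0:
        return 1 if timer == 1 and car == 1 else 0   # a waiting car and an expired timer
    return 0 if timer == 1 else 1                     # fl stays until the timer expires

def lasso_trace(prefix, loop):
    """Run the machine on prefix + loop^w; return (trace, loop_start).
    At every loop start the machine state is recorded; once a state repeats, the
    trace between the two visits is the periodic part of the product."""
    trace, state, seen = [], 0, {}
    for car, timer in prefix:
        trace.append({"car": car, "timer": timer, "hl": state == 0, "fl": state == 1})
        state = traffic_step(state, car, timer)
    while state not in seen:
        seen[state] = len(trace)
        for car, timer in loop:
            trace.append({"car": car, "timer": timer, "hl": state == 0, "fl": state == 1})
            state = traffic_step(state, car, timer)
    return trace, seen[state]

# LTL on a lasso: a formula is a function (trace, loop_start, position) -> bool.
def ap(name):   return lambda t, l, p: t[p][name]
def neg(f):     return lambda t, l, p: not f(t, l, p)
def impl(f, g): return lambda t, l, p: (not f(t, l, p)) or g(t, l, p)
def until(f, g):
    def ev(t, l, p):
        for _ in range(len(t)):          # every position reachable from p is visited once
            if g(t, l, p): return True
            if not f(t, l, p): return False
            p = p + 1 if p + 1 < len(t) else l   # wrap from the last position into the loop
        return False
    return ev
def F(g): return until(lambda t, l, p: True, g)
def G(f): return neg(F(neg(f)))

car, timer, hl, fl = ap("car"), ap("timer"), ap("hl"), ap("fl")
GUARANTEES = {
    "G(fl -> fl U timer)": G(impl(fl, until(fl, timer))),
    "G(hl -> hl U timer)": G(impl(hl, until(hl, timer))),
    "G(car -> F fl)":      G(impl(car, F(fl))),
    "GF hl":               G(F(hl)),
    "G !(hl & fl)":        G(neg(lambda t, l, p: hl(t, l, p) and fl(t, l, p))),
}

def check_traffic(prefix, loop):
    """Truth value of the assumption GF timer and of each guarantee at position 0."""
    t, l = lasso_trace(prefix, loop)
    result = {"GF timer": G(F(timer))(t, l, 0)}
    result.update({name: f(t, l, 0) for name, f in GUARANTEES.items()})
    return result

def spec_holds(prefix, loop):
    """The whole specification: GF timer -> (conjunction of the guarantees)."""
    r = check_traffic(prefix, loop)
    return (not r["GF timer"]) or all(v for k, v in r.items() if k != "GF timer")
```

With a loop in which the timer never fires, the guarantee G(car -> F fl) is violated but the specification still holds, which is exactly the vacuity that the environment assumption GF timer buys the synthesized system.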

Conclusion
● First implementation of synthesis for full LTL
● Optimizations are the enabling factor
● Our examples are small but useful for property debugging (or learning LTL)
● Future

Thank you for your attention!