A LTL Fragment for GR(1)-Synthesis

The idea of automatic synthesis of reactive programs starting from temporal logic (LTL) specifications is quite old, but was commonly thought to be infeasible due to the known double exponential complexity of the problem. However, new ideas have rece…

Authors: Andreas Morgenstern (University Kaiserslautern), Klaus Schneider (University Kaiserslautern)

Johannes Reich and Bernd Finkbeiner (Eds): International Workshop on Interactions, Games and Protocols (iWIGP), EPTCS 50, 2011, pp. 33–45, doi:10.4204/EPTCS.50.3. © A. Morgenstern and K. Schneider. This work is licensed under the Creative Commons Attribution License.

Andreas Morgenstern and Klaus Schneider
University of Kaiserslautern, P.O. Box 3049, 67653 Kaiserslautern, Germany
email: {morgenstern,schneider}@cs.uni-kl.de

The idea of automatic synthesis of reactive programs starting from temporal logic (LTL) specifications is quite old, but was commonly thought to be infeasible due to the known double exponential complexity of the problem. However, new ideas have recently renewed the interest in LTL synthesis: one major new contribution in this area is the recent work of Piterman et al., who showed how polynomial time synthesis can be achieved for a large class of LTL specifications that is expressive enough to cover many practical examples. These LTL specifications are equivalent to ω-automata having a so-called GR(1) acceptance condition. This approach has been used to automatically synthesize implementations of real-world applications. To this end, manually written deterministic ω-automata having GR(1) conditions were used instead of the original LTL specifications. However, manually generating deterministic monitors is, of course, a hard and error-prone task. In this paper, we therefore present algorithms to automatically translate specifications of a remarkably large fragment of LTL to deterministic monitors having a GR(1) acceptance condition, so that the synthesis algorithms can start with more readable LTL specifications.

1 Introduction

In the last decades, the influence of computer systems on our everyday life has been constantly growing. As computer systems enter more and more safety-critical areas, their correctness is essential to avoid malfunctioning systems.
Thus, one of the main challenges in computer science is the design of provably correct systems. Many of these safety-critical computer systems are reactive embedded systems. These are non-terminating systems that interact with their environments during their infinite computations. Typically, concurrency and infinite computations with respect to the environment make it difficult to analyze and design such systems correctly.

There are currently two main approaches to the design of provably correct reactive systems: In the first approach, called formal verification, one checks that a manually written implementation satisfies a given specification that is typically formulated in the temporal logic LTL [21, 9]. In the second approach, called LTL synthesis, a provably correct implementation is automatically derived from the given LTL specification. While formal verification is nowadays even routinely used in safety-critical system designs, LTL synthesis is still immature. Of course, the double exponential complexity of LTL synthesis compared to the single exponential one of LTL model checking is one reason for this situation. We believe, however, that the applicability of tools based on both methods can be significantly improved by better data structures and algorithms.

For example, a major breakthrough in formal verification has been achieved by symbolic representations of states and transitions with propositional formulas, which became known as symbolic model checking [7]. With the advent of these succinct data structures and efficient decision procedures for propositional formulas, it has become possible to verify complex systems. In a similar way, new methods for SAT checking and SMT solvers opened the way to verify even larger systems.

It is natural to try to make use of such data structures and algorithms also for LTL synthesis.
However, this is not directly possible, since the currently available LTL synthesis procedures consist of two steps: The first step is the translation of the LTL specification to an equivalent ω-automaton. The usual translation procedures generate a nondeterministic automaton that can be directly used for symbolic model checking. However, nondeterministic automata can, in general, not be used for LTL synthesis. Even though there are pseudo-deterministic automata like the good-for-games automata that can still be used for LTL synthesis, the second step usually consists of a determinization of the obtained automata (since deterministic automata can definitely be used without further restrictions). The problem is, however, that determinization is considerably more complex for ω-automata than for automata on finite words. In particular, a major drawback of the currently known determinization procedures is their explicit representation of the automata, which does not make use of symbolic data structures. Since a translation from LTL to deterministic automata may lead to automata having a double exponential size in terms of the length of the formula, explicit state space representations are limited to handling very small LTL formulas.

One possibility to overcome the complexity problem of LTL synthesis is to consider restricted classes of LTL. For example, [1, 14] consider subsets of LTL to obtain deterministic automata with less than double exponential size. Wallmeier et al. [27] developed a synthesis algorithm to synthesize request-response specifications, which are of the form $\mathsf{G}(\varphi_i \to \mathsf{F}\psi_i)$ for multiple $i$, leading to a synthesis procedure with only exponential complexity. Piterman et al. proposed in [20] an approach to synthesize generalized reactivity formulas with rank 1 (abbreviated as GR(1) formulas), i.e. formulas of the form

$\left(\bigwedge_{i=0}^{N} \mathsf{GF}\,\varphi_i\right) \to \left(\bigwedge_{j=0}^{M} \mathsf{GF}\,\varphi_j\right).$
Their algorithm runs in time $K^3$, where $K$ is the size of the state space of the design. If a collection $\Phi_i$ of LTL formulas representing assumptions on the environment and a collection $\Psi_j$ of formulas representing conclusions for the system can all be represented by deterministic Büchi automata, this approach can be used to obtain a synthesis procedure for the entire LTL specification

$\left(\bigwedge_{i=0}^{N} \Phi_i\right) \to \left(\bigwedge_{j=0}^{M} \Psi_j\right).$

The work reported in [20] has been extensively used. Its feasibility was demonstrated in [4, 5, 11], which consider ARM's Advanced Micro-System Bus Architecture as well as a case study of a generalized buffer example included in IBM's RuleBase system. In those case studies, an implementation realizing the given formal specification has been derived and afterwards converted to a circuit. In fact, those case studies have been the first real-life blocks that have been automatically synthesized from high-level temporal logic specifications. Further applications include usage in the context of production of robot systems [28].

The main drawback of previously published works using the GR(1)-approach of Piterman et al. is that the unavoidable determinization step was carried out manually by a human developer, since no tool support for the translation of temporal logic formulas to corresponding ω-automata was available. The translation to deterministic automata is considerably hard in general [12] and may introduce errors due to the human intervention. To eliminate this drawback from the GR(1)-approach, we present in this article a remarkably large subset of LTL that can be translated to sets of deterministic Büchi automata representing the assumptions on the environment and the guarantees a system has to satisfy. To this end, we reconsider the temporal logic hierarchy that has been investigated by Chang, Manna, Pnueli, Schneider and others [15, 8, 16, 17, 22, 23].
This temporal logic hierarchy defines subsets of LTL that correspond to the well-known automaton hierarchy, consisting of safety, guarantee/liveness, fairness/response/Büchi and persistence/co-Büchi properties as well as their boolean closures (obligation and reactivity properties). Using a syntactic characterization of this hierarchy [22, 23], we can, in particular, syntactically determine for given LTL formulas whether the formula can be represented by a deterministic Büchi automaton. Hence, given a set of formulas representing assumptions and conclusions, we can determine whether they can be used as an input for GR(1)-synthesis. Clearly, since we only check this syntactically, it may be the case that we reject formulas that could be used for GR(1)-synthesis, but we never produce an error. In practice, it turned out that essentially no GR(1) formula is rejected by our syntactic check.

The syntactic approximation to determine GR(1) membership is one contribution of this paper. Another one is the observation that the negation of each formula that can be translated to a deterministic Büchi automaton can be translated to a non-deterministic co-Büchi automaton. It is well-known that non-deterministic co-Büchi automata can be determinized by the Breakpoint construction [18], which is well-suited for a symbolic implementation [19, 6]. From this co-Büchi automaton, we can easily obtain a deterministic Büchi automaton (again via negation, which is trivial for deterministic automata [23]) that is equivalent to the original formula. Hence, our second observation leads to a very efficient translation procedure for the identified LTL formulas to deterministic Büchi and co-Büchi automata.
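The negate / breakpoint / negate route of the previous paragraph, carried out on a small explicit automaton, as an added Python example that is not code from the paper or from the Averest toolset. The formula GF a, its negation FG ¬a, the nondeterministic co-Büchi automaton for the negation, the lasso-shaped words and the explicit (set-based rather than symbolic, BDD-based) state representation are all constructed for this example; the paper's implementation works symbolically and is not reproduced here.

```python
# Miyano-Hayashi breakpoint construction applied as in the paper: a formula that has a
# deterministic Büchi automaton (here GF a) is negated (FG ¬a), the negation is given as a
# nondeterministic co-Büchi automaton (NCW), the NCW is determinized into a deterministic
# co-Büchi automaton (DCW) whose states are breakpoint pairs (S, O), and negating the DCW's
# (deterministic) acceptance yields a deterministic Büchi automaton (DBW) for GF a.
# Everything below is an explicit, constructed example; the paper's tool is symbolic.

A = frozenset({"a"})      # letter in which proposition a holds
NOT_A = frozenset()       # letter in which a does not hold
ALPHABET = (A, NOT_A)

# Constructed NCW for FG ¬a: q0 loops on every letter; on a ¬a letter it may also guess
# that ¬a holds from now on and move to q1, which only survives further ¬a letters.
# Co-Büchi set {q0}: an accepting run visits q0 only finitely often, i.e. it moves to q1.
NCW_INIT = frozenset({"q0"})
NCW_COBUCHI = frozenset({"q0"})

def ncw_delta(q, letter):
    if q == "q0":
        return {"q0", "q1"} if "a" not in letter else {"q0"}
    if q == "q1":
        return {"q1"} if "a" not in letter else set()
    raise ValueError(q)

def breakpoint_step(state, letter, delta=ncw_delta, cobuchi=NCW_COBUCHI):
    """One deterministic step of the breakpoint automaton.  S is the subset-construction
    state; O ⊆ S tracks the runs that have avoided the co-Büchi set since the last breakpoint.
    O = ∅ is the breakpoint: tracking restarts with every current state outside the set."""
    S, O = state
    S2 = frozenset(q2 for q in S for q2 in delta(q, letter))
    if O:
        O2 = frozenset(q2 for q in O for q2 in delta(q, letter)) - cobuchi
    else:
        O2 = S2 - cobuchi
    return (S2, O2)

BP_INIT = (NCW_INIT, frozenset())

def reachable_states(step=breakpoint_step, init=BP_INIT, alphabet=ALPHABET):
    """Explore the deterministic state space (at most 3^|Q| pairs (S, O) in general)."""
    seen, todo = {init}, [init]
    while todo:
        s = todo.pop()
        for letter in alphabet:
            s2 = step(s, letter)
            if s2 not in seen:
                seen.add(s2)
                todo.append(s2)
    return seen

def cycle_states(prefix, loop, step=breakpoint_step, init=BP_INIT):
    """States visited infinitely often on the ultimately periodic word prefix·loop^ω.
    The automaton is deterministic, so the pair (state, position in loop) must repeat."""
    state = init
    for letter in prefix:
        state = step(state, letter)
    seen, trace, pos = {}, [], 0
    while (state, pos) not in seen:
        seen[(state, pos)] = len(trace)
        trace.append(state)
        state = step(state, loop[pos])
        pos = (pos + 1) % len(loop)
    return trace[seen[(state, pos)]:]

def dcw_accepts(prefix, loop):
    """DCW acceptance FG(O ≠ ∅): some run of the NCW eventually stays outside the co-Büchi
    set, i.e. the word satisfies FG ¬a."""
    return all(O for (_, O) in cycle_states(prefix, loop))

def dbw_accepts(prefix, loop):
    """Negating the deterministic acceptance gives a DBW with condition GF(O = ∅); it
    accepts exactly the words satisfying the original formula GF a."""
    return not dcw_accepts(prefix, loop)

if __name__ == "__main__":
    print(len(reachable_states()), "breakpoint states reachable")
    words = {"a^ω": ([], [A]), "(¬a)^ω": ([], [NOT_A]),
             "(a ¬a)^ω": ([], [A, NOT_A]), "(¬a)^5 a^ω": ([NOT_A] * 5, [A])}
    for name, word in words.items():
        print(name, "satisfies GF a:", dbw_accepts(*word))
```

The two-state NCW yields only two reachable breakpoint states, so the DBW for GF a obtained this way is as small as one would write by hand; the construction itself is generic in `ncw_delta` and the co-Büchi set, and the 3^|Q| bound is what the symbolic encoding in the paper keeps manageable.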
We have implemented this synthesis procedure, which (1) syntactically determines whether a formula can be represented with a GR(1)-property and (2) applies the mentioned symbolic determinization procedure for Büchi/co-Büchi automata. Finally, we apply the GR(1)-synthesis using an existing implementation of the GR(1)-synthesis approach [3].

2 Preliminaries

2.1 Linear Temporal Logic LTL

For a given set of Boolean variables $V$, we define the set of LTL formulas by the following recursive definition:

Definition 1 (Syntax of Linear Temporal Logic (LTL)) The set of LTL formulas over a set of variables $V$ is the smallest set with the following properties:
• $1, 0 \in \mathrm{LTL}$
• $a \in \mathrm{LTL}$ for $a \in V$
• boolean operators: $\neg\varphi$, $\varphi \wedge \psi$, $\varphi \vee \psi \in \mathrm{LTL}$ if $\varphi, \psi \in \mathrm{LTL}$
• future temporal operators: $\mathsf{X}\varphi$, $[\varphi\,\underline{\mathsf{U}}\,\psi]$, $[\varphi\,\mathsf{B}\,\psi]$ if $\varphi, \psi \in \mathrm{LTL}$
• past temporal operators: $\overleftarrow{\mathsf{X}}\varphi$, $\underline{\overleftarrow{\mathsf{X}}}\varphi$, $[\varphi\,\underline{\overleftarrow{\mathsf{U}}}\,\psi]$, $[\varphi\,\overleftarrow{\mathsf{B}}\,\psi]$ if $\varphi, \psi \in \mathrm{LTL}$

The semantics of LTL can be given with respect to a path through a structure (e.g. an ω-automaton), where a path is an infinite word over the alphabet $2^V$. $\mathsf{X}\varphi$ holds on a path $\pi$ at position $t_0$ if $\varphi$ holds at position $t_0 + 1$ on the path. $[\varphi\,\underline{\mathsf{U}}\,\psi]$ holds at $t_0$ iff $\psi$ holds for some position $\delta \geq t_0$ and $\varphi$ holds invariantly for every position $t$ with $t_0 \leq t < \delta$, i.e. $\varphi$ holds until $\psi$ holds. The weak before operator $[\varphi\,\mathsf{B}\,\psi]$ holds at $t_0$ iff either $\varphi$ holds before $\psi$ becomes true for the first time after $t_0$ or $\psi$ never holds after $t_0$. In addition to the future time temporal operators, there are also the corresponding past time temporal operators. These are defined analogously, with the only difference that the direction of the flow of time is reversed. For example, $[\varphi\,\underline{\overleftarrow{\mathsf{U}}}\,\psi]$ holds on a path at position $t_0$ iff there is a point of time $\delta$ with $\delta \leq t_0$ such that $\psi$ holds on that path at position $\delta$ and $\varphi$ holds for all positions $t$ with $\delta < t \leq t_0$.
The past time correspondent of the next-time operator is called the previous operator: $\underline{\overleftarrow{\mathsf{X}}}\varphi$ holds on a path at position $t_0$ iff $t_0 > 0$ and $\varphi$ holds at position $t_0 - 1$. Additionally, there is a weak variant, where $\overleftarrow{\mathsf{X}}\varphi$ holds on a path at position $t_0$ iff $t_0 = 0$ holds or $\varphi$ holds at position $t_0 - 1$.

Other operators can be defined in terms of the above ones:

$\mathsf{G}\varphi = [0\,\mathsf{B}\,\neg\varphi]$ and $\overleftarrow{\mathsf{G}}\varphi = [0\,\overleftarrow{\mathsf{B}}\,\neg\varphi]$
$\mathsf{F}\varphi = [1\,\underline{\mathsf{U}}\,\varphi]$ and $\overleftarrow{\mathsf{F}}\varphi = [1\,\underline{\overleftarrow{\mathsf{U}}}\,\varphi]$
$[\varphi\,\mathsf{B}\,\psi] = \neg[\neg\varphi\,\underline{\mathsf{U}}\,\psi]$ and $[\varphi\,\overleftarrow{\mathsf{B}}\,\psi] = \neg[\neg\varphi\,\underline{\overleftarrow{\mathsf{U}}}\,\psi]$
$[\varphi\,\mathsf{U}\,\psi] = [\psi\,\mathsf{B}\,(\neg\varphi \wedge \neg\psi)]$ and $[\varphi\,\overleftarrow{\mathsf{U}}\,\psi] = [\psi\,\overleftarrow{\mathsf{B}}\,(\neg\varphi \wedge \neg\psi)]$
$[\varphi\,\underline{\mathsf{B}}\,\psi] = [\neg\psi\,\underline{\mathsf{U}}\,(\varphi \wedge \neg\psi)]$ and $[\varphi\,\underline{\overleftarrow{\mathsf{B}}}\,\psi] = [\neg\psi\,\underline{\overleftarrow{\mathsf{U}}}\,(\varphi \wedge \neg\psi)]$
$[\varphi\,\mathsf{W}\,\psi] = [(\varphi \wedge \psi)\,\mathsf{B}\,(\neg\varphi \wedge \psi)]$ and $[\varphi\,\overleftarrow{\mathsf{W}}\,\psi] = [(\varphi \wedge \psi)\,\overleftarrow{\mathsf{B}}\,(\neg\varphi \wedge \psi)]$
$[\varphi\,\underline{\mathsf{W}}\,\psi] = [\neg\psi\,\underline{\mathsf{U}}\,(\varphi \wedge \psi)]$ and $[\varphi\,\underline{\overleftarrow{\mathsf{W}}}\,\psi] = [\neg\psi\,\underline{\overleftarrow{\mathsf{U}}}\,(\varphi \wedge \psi)]$

For example, $[\varphi\,\mathsf{U}\,\psi]$ is the weak until operator, which can alternatively be defined as $[\varphi\,\mathsf{U}\,\psi] := [\varphi\,\underline{\mathsf{U}}\,\psi] \vee \mathsf{G}\varphi$, i.e. the event $\psi$ that is awaited need not hold in the future. To distinguish weak and strong operators, the strong variants of a temporal operator are underlined in this paper (as done above).

2.2 ω-Automata

Definition 2 (ω-Automata) An ω-automaton $\mathcal{A} = (Q, \Sigma, I, R, \mathcal{A})$ over the alphabet $\Sigma$ is given by a finite set of states $Q$, a set $I$ of initial states, a transition relation $R \subseteq Q \times \Sigma \times Q$ and an acceptance condition $\mathcal{A} : Q^\omega \to \{0, 1\}$.

Given an automaton $\mathcal{A} = (Q, \Sigma, I, R, \mathcal{A})$ and an infinite word $\alpha = a_0, a_1, \ldots$ over $\Sigma$, each infinite word $\beta = q_0, q_1, \ldots$ with $q_0 \in I$ and $(q_i, a_i, q_{i+1}) \in R$ for $i \geq 0$ is called a run of $\alpha$ through $\mathcal{A}$. The run is accepting if $\mathcal{A}(\beta) = 1$. We say that $\mathcal{A}$ accepts $\alpha$ whenever an accepting run of $\alpha$ through $\mathcal{A}$ exists. Using standard terminology, we say that $\mathcal{A}$ is deterministic if exactly one initial state exists and for each $q \in Q$ and each input $\sigma \in \Sigma$ there exists exactly one $q' \in Q$ with $(q, \sigma, q') \in R$.
In that case we write $\mathcal{A} = (Q, \Sigma, q_0, \delta, \mathcal{A})$ with an initial state $q_0$ and a deterministic transition function $\delta : Q \times \Sigma \to Q$.

In the following, we assume that $Q = 2^{\mathcal{V}}$ for a set $\mathcal{V}$ of state variables. Moreover, we assume sets $\mathcal{X}$ and $\mathcal{Y}$ of input and output variables that form the inputs $X = 2^{\mathcal{X}}$ and outputs $Y = 2^{\mathcal{Y}}$ of the system such that $\Sigma = X \times Y$. Having this view, we define a state set $Q_\varphi$ to contain exactly those states where the propositional encoding of the state variables $\mathcal{V}$ satisfies $\varphi$. Thus, we can conveniently define acceptance conditions by LTL specifications.

2.3 Classical Acceptance Conditions

In the past, several kinds of acceptance conditions have been proposed and their different expressivenesses have been studied in depth. In particular, the following acceptance conditions have been considered [26, 25, 23].
• A run is accepted by a safety condition $\mathsf{G}\varphi$ if the run exclusively runs through the set $Q_\varphi$.
• A run is accepted by a liveness condition $\mathsf{F}\varphi$ if the run visits at least one state of the set $Q_\varphi$ at least once.
• A run is accepted by a prefix condition (footnote 1) $\bigwedge_i (\mathsf{G}\varphi_i \vee \mathsf{F}\psi_i)$ if for all $i$ either the run exclusively runs through the set $Q_{\varphi_i}$ or visits $Q_{\psi_i}$ at least once.
• A run is accepted by a Büchi condition $\mathsf{GF}\varphi$ if the run visits at least one state of the set $Q_\varphi$ infinitely often.
• A run is accepted by a co-Büchi condition $\mathsf{FG}\varphi$ if the run visits only states of the set $Q_\varphi$ infinitely often.
• Finally, a run is accepted by a Streett (or reactivity) condition $\bigwedge_{i=0}^{f} \mathsf{GF}\varphi_i \vee \mathsf{FG}\psi_i$ if for all $i$ either the run visits at least one state from $Q_{\varphi_i}$ infinitely often or the run visits only states of the set $Q_{\psi_i}$ infinitely often.

Footnote 1: These conditions are also called Staiger-Wagner or obligation conditions.
2.4 GR(1)-Specifications for LTL Synthesis

The task of LTL synthesis is to develop a system that controls the output variables $\mathcal{Y}$ so that, no matter how the environment chooses the input variables $\mathcal{X}$, an LTL specification is satisfied. Thus, instead of using one of the classical acceptance conditions, it is more convenient for synthesis to consider specifications of the form $\varphi \to \psi$, where $\varphi$ represents assumptions on the environment and $\psi$ represents conclusions/guarantees the system has to satisfy. In particular, Generalized Reactivity (1) acceptance [4, 5, 11, 20] attracted some interest in the community: here the assumptions and guarantees are all Büchi conditions, i.e. we seek a system satisfying the following acceptance condition:

$\mathrm{GR}(1) := \left(\bigwedge_{i=1}^{n} \mathsf{GF}\,p_i\right) \to \left(\bigwedge_{j=1}^{m} \mathsf{GF}\,q_j\right)$   (1)

The class of specifications to which the algorithms of [4, 5, 11, 20] can be applied is much more general than the limited form presented in equation (1): the algorithm can be applied to any specification of the form $\left(\bigwedge_{i=1}^{n} \varphi_i\right) \to \left(\bigwedge_{j=1}^{m} \psi_j\right)$ where each $\varphi_i$, $\psi_j$ is specified by a deterministic Büchi automaton.

Definition 3 ([13]) Assume we are given $n$ deterministic Büchi automata $\mathcal{A}^a_1, \ldots, \mathcal{A}^a_n$ for the environment's assumptions and $m$ deterministic Büchi automata $\mathcal{A}^g_1, \ldots, \mathcal{A}^g_m$ for the system's guarantees with $\mathcal{A}^a_i = (Q^a_i, \Sigma, q^a_{0,i}, \delta^a_i, \mathsf{GF}\,p_i)$ and $\mathcal{A}^g_j = (Q^g_j, \Sigma, q^g_{0,j}, \delta^g_j, \mathsf{GF}\,q_j)$. Then, we define an automaton $\mathcal{A}_{\mathrm{GR}(1)} = (Q, \Sigma, q_0, \delta, \mathcal{A})$ as the product of all automata $\mathcal{A}^a_i$ and $\mathcal{A}^g_j$, where the state space is $Q = Q^a_1 \times \cdots \times Q^a_n \times Q^g_1 \times \cdots \times Q^g_m$, the transition function is $\delta((q^a_1, \ldots, q^g_m), \sigma) = (\delta^a_1(q^a_1, \sigma), \ldots, \delta^g_m(q^g_m, \sigma))$ and the initial state is $q_0 = (q^a_{0,1}, \ldots, q^g_{0,m})$. The acceptance condition $\mathcal{A} = \left(\bigwedge_{i=1}^{n} \mathsf{GF}\,p_i\right) \to \left(\bigwedge_{j=1}^{m} \mathsf{GF}\,q_j\right)$ is a GR(1) condition.
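The product of Definition 3 with the acceptance condition (1), as an added Python example that is not code from the paper or from the Anzu/Marduk tools. One assumption automaton and two guarantee automata over letters σ = (x, y), the signal names req (input) and grant (output), and the lasso-shaped plays are all constructed for this example; the automata are explicit rather than symbolic.

```python
# Product automaton of Definition 3 with the GR(1) acceptance condition (1), as an explicit,
# constructed example.  A letter σ = (x, y) pairs the environment's inputs x ⊆ {req} with
# the system's outputs y ⊆ {grant};  the signal names and the automata are made up here.

def letter(req, grant):
    return (frozenset({"req"}) if req else frozenset(),
            frozenset({"grant"}) if grant else frozenset())

# Each deterministic Büchi automaton is (initial state, δ, accepting states) with condition
# GF(accepting): the component must visit its accepting set infinitely often.

# Assumption A^a_1: the environment lowers req infinitely often (the state remembers the last x).
def a1_delta(q, sigma):
    x, _ = sigma
    return "p" if "req" not in x else "n"
A1 = ("n", a1_delta, {"p"})

# Guarantee A^g_1: the system raises grant infinitely often.
def g1_delta(q, sigma):
    _, y = sigma
    return "q" if "grant" in y else "n"
G1 = ("n", g1_delta, {"q"})

# Guarantee A^g_2: every req is answered by grant in the next step, G(req → X grant).
# A safety property becomes a DBW with a rejecting sink "bad" that is never left again.
def g2_delta(q, sigma):
    x, y = sigma
    if q == "bad" or (q == "pending" and "grant" not in y):
        return "bad"
    return "pending" if "req" in x else "ok"
G2 = ("ok", g2_delta, {"ok", "pending"})

ASSUMPTIONS = [A1]
GUARANTEES = [G1, G2]
COMPONENTS = ASSUMPTIONS + GUARANTEES

def product_init():
    return tuple(init for init, _, _ in COMPONENTS)

def product_delta(state, sigma):
    """Componentwise successor, exactly the δ of Definition 3."""
    return tuple(delta(q, sigma) for (_, delta, _), q in zip(COMPONENTS, state))

def cycle_states(prefix, loop):
    """Product states visited infinitely often on the play prefix·loop^ω (the product is
    deterministic and finite, so the state at some loop boundary eventually repeats)."""
    state = product_init()
    for sigma in prefix:
        state = product_delta(state, sigma)
    boundary, trace = {}, []
    while state not in boundary:
        boundary[state] = len(trace)
        for sigma in loop:
            trace.append(state)
            state = product_delta(state, sigma)
    return trace[boundary[state]:]

def gr1_accepts(prefix, loop):
    """GR(1) acceptance (∧_i GF p_i) → (∧_j GF q_j): the play is accepting iff some
    assumption automaton visits its accepting set only finitely often or every guarantee
    automaton visits its accepting set infinitely often."""
    cycle = cycle_states(prefix, loop)
    inf = [any(st[k] in acc for st in cycle) for k, (_, _, acc) in enumerate(COMPONENTS)]
    n = len(ASSUMPTIONS)
    return not all(inf[:n]) or all(inf[n:])

def winner(prefix, loop):
    """A play is won by the system iff it satisfies the acceptance condition (the game view
    of Section 2.5); otherwise the environment wins it."""
    return "system" if gr1_accepts(prefix, loop) else "environment"

if __name__ == "__main__":
    plays = {
        "answer every req":      ([], [letter(True, False), letter(False, True)]),
        "env holds req forever": ([], [letter(True, False)]),
        "never grant":           ([], [letter(True, False), letter(False, False)]),
        "answer one step late":  ([], [letter(True, False), letter(True, False), letter(False, True)]),
    }
    for name, play in plays.items():
        print(f"{name}: won by the {winner(*play)}")
```

The second play shows the implication in (1) at work: the environment never lowers req, so the assumption GF p_1 fails and the play is accepting for the system even though it never grants. Checking a single play is, of course, only the acceptance test; the synthesis algorithm of [20] decides the game over all plays.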
Thus, a run of $\mathcal{A}_{\mathrm{GR}(1)}$ is accepting if either all sets $Q_{q_j}$ are visited infinitely often or at least some set $Q_{p_i}$ is visited only finitely often.

2.5 Games

A game $\mathcal{G} = (Q, \Sigma, q_0, \delta, \mathcal{A})$ is a deterministic ω-automaton with an input alphabet $\Sigma = X \times Y$. A play of $\mathcal{G}$ is an infinite sequence of states $\pi = q_0 q_1 q_2 \cdots \in Q^\omega$ where $q_{i+1} = \delta(q_i, \sigma_i)$ for $i \geq 0$. The letters $\sigma_i = (x_i, y_i)$ are successively chosen by the players: in each step, the environment first chooses $x_i$, and then the system chooses $y_i$. A play $\pi$ is won by the system if $\mathcal{A}(\pi) = 1$. Otherwise, the game is won by the environment. Note that the environment cannot react to the outputs generated by the system and thus acts like a Moore machine. In contrast, the system we would like to synthesize acts like a Mealy machine.

We solve the game, attempting to decide whether the game is winning for the environment or the system. If the environment is winning, the specification is unrealizable. If the system is winning, we synthesize a winning strategy (which is essentially a Mealy automaton) using the algorithms given in [4, 5, 11, 20].

[Figure 1: (Borel) Hierarchy of ω-Automata and Temporal Logic. The diagram relates the automaton classes NDet_G, Det_G, NDet_F^total, NDet_F, Det_F, NDet_Prefix, Det_Prefix, NDet_GF, Det_GF, (N)Det_FG and (N)Det_Streett to the logic classes TL_G, TL_F, TL_Prefix, TL_GF, TL_FG and TL_Streett; the figure itself is not reproduced here.]

Previous works regarding GR(1)-synthesis had to manually generate the deterministic automata. In this paper, we show how to automatically obtain deterministic Büchi automata from a fragment of LTL using the well-known Breakpoint construction. This fragment of LTL is a natural fragment of LTL embedded in the well-known temporal-logic hierarchy [15, 8, 16, 17, 22, 23].

3 Temporal Logic vs. Automaton Hierarchy

3.1 The Automaton Hierarchy

The classical acceptance conditions, i.e., safety, guarantee/liveness, fairness/response/Büchi and persistence/co-Büchi properties, define the corresponding automaton classes $(\mathrm{N})\mathrm{Det}_{\mathsf{G}}$, $(\mathrm{N})\mathrm{Det}_{\mathsf{F}}$, $(\mathrm{N})\mathrm{Det}_{\mathsf{GF}}$, and $(\mathrm{N})\mathrm{Det}_{\mathsf{FG}}$, respectively. Moreover, their boolean closures can be represented by the automaton classes $(\mathrm{N})\mathrm{Det}_{\mathrm{Prefix}}$ and $(\mathrm{N})\mathrm{Det}_{\mathrm{Streett}}$, whose acceptance conditions have the forms $\bigwedge_{j=0}^{f} \mathsf{G}\varphi_j \vee \mathsf{F}\psi_j$ and $\bigwedge_{j=0}^{f} \mathsf{GF}\varphi_j \vee \mathsf{FG}\psi_j$, respectively. The expressiveness of these classes is illustrated in Figure 1, where $\mathcal{C}_1 \sqsubseteq \mathcal{C}_2$ means that for any automaton in $\mathcal{C}_1$, there is an equivalent one in $\mathcal{C}_2$. Moreover, we define $\mathcal{C}_1 \approx \mathcal{C}_2 := \mathcal{C}_1 \sqsubseteq \mathcal{C}_2 \wedge \mathcal{C}_2 \sqsubseteq \mathcal{C}_1$ and $\mathcal{C}_1 \sqsubset \mathcal{C}_2 := \mathcal{C}_1 \sqsubseteq \mathcal{C}_2 \wedge \neg(\mathcal{C}_1 \approx \mathcal{C}_2)$. As can be seen, the hierarchy consists of six different classes, and each class has a deterministic representative.

3.2 The Temporal Logic Hierarchy

In [8, 22, 23], corresponding hierarchies for temporal logics have been defined. Following [22, 23], we define the hierarchy of temporal logic formulas syntactically by the grammar rules of Fig. 2:

Definition 4 (Temporal Logic Classes) For $\kappa \in \{\mathsf{G}, \mathsf{F}, \mathrm{Prefix}, \mathsf{FG}, \mathsf{GF}, \mathrm{Streett}\}$, we define the logics $\mathrm{TL}_\kappa$ by the grammars given in Fig. 2, where $\mathrm{TL}_\kappa$ is the set of formulas that can be derived from the nonterminal $P_\kappa$ ($V_\Sigma$ represents any variable $v \in V_\Sigma$).

$P_{\mathsf{G}} ::= V_\Sigma \mid \neg P_{\mathsf{F}} \mid P_{\mathsf{G}} \wedge P_{\mathsf{G}} \mid P_{\mathsf{G}} \vee P_{\mathsf{G}} \mid \overleftarrow{\mathsf{X}} P_{\mathsf{G}} \mid [P_{\mathsf{G}}\,\overleftarrow{\mathsf{U}}\,P_{\mathsf{G}}] \mid \underline{\overleftarrow{\mathsf{X}}} P_{\mathsf{G}} \mid [P_{\mathsf{G}}\,\underline{\overleftarrow{\mathsf{U}}}\,P_{\mathsf{G}}] \mid \mathsf{X} P_{\mathsf{G}} \mid [P_{\mathsf{G}}\,\mathsf{U}\,P_{\mathsf{G}}]$
$P_{\mathsf{F}} ::= V_\Sigma \mid \neg P_{\mathsf{G}} \mid P_{\mathsf{F}} \wedge P_{\mathsf{F}} \mid P_{\mathsf{F}} \vee P_{\mathsf{F}} \mid \overleftarrow{\mathsf{X}} P_{\mathsf{F}} \mid [P_{\mathsf{F}}\,\overleftarrow{\mathsf{U}}\,P_{\mathsf{F}}] \mid \underline{\overleftarrow{\mathsf{X}}} P_{\mathsf{F}} \mid [P_{\mathsf{F}}\,\underline{\overleftarrow{\mathsf{U}}}\,P_{\mathsf{F}}] \mid \mathsf{X} P_{\mathsf{F}} \mid [P_{\mathsf{F}}\,\underline{\mathsf{U}}\,P_{\mathsf{F}}]$
$P_{\mathrm{Prefix}} ::= P_{\mathsf{G}} \mid P_{\mathsf{F}} \mid \neg P_{\mathrm{Prefix}} \mid P_{\mathrm{Prefix}} \wedge P_{\mathrm{Prefix}} \mid P_{\mathrm{Prefix}} \vee P_{\mathrm{Prefix}}$
$P_{\mathsf{GF}} ::= P_{\mathrm{Prefix}} \mid \neg P_{\mathsf{FG}} \mid P_{\mathsf{GF}} \wedge P_{\mathsf{GF}} \mid P_{\mathsf{GF}} \vee P_{\mathsf{GF}} \mid \overleftarrow{\mathsf{X}} P_{\mathsf{GF}} \mid \underline{\overleftarrow{\mathsf{X}}} P_{\mathsf{GF}} \mid \mathsf{X} P_{\mathsf{GF}} \mid [P_{\mathsf{GF}}\,\overleftarrow{\mathsf{U}}\,P_{\mathsf{GF}}] \mid [P_{\mathsf{GF}}\,\underline{\overleftarrow{\mathsf{U}}}\,P_{\mathsf{GF}}] \mid [P_{\mathsf{GF}}\,\mathsf{U}\,P_{\mathsf{GF}}] \mid [P_{\mathsf{GF}}\,\underline{\mathsf{U}}\,P_{\mathsf{F}}]$
$P_{\mathsf{FG}} ::= P_{\mathrm{Prefix}} \mid \neg P_{\mathsf{GF}} \mid P_{\mathsf{FG}} \wedge P_{\mathsf{FG}} \mid P_{\mathsf{FG}} \vee P_{\mathsf{FG}} \mid \overleftarrow{\mathsf{X}} P_{\mathsf{FG}} \mid \mathsf{X} P_{\mathsf{FG}} \mid \underline{\overleftarrow{\mathsf{X}}} P_{\mathsf{FG}} \mid [P_{\mathsf{FG}}\,\overleftarrow{\mathsf{U}}\,P_{\mathsf{FG}}] \mid [P_{\mathsf{FG}}\,\underline{\overleftarrow{\mathsf{U}}}\,P_{\mathsf{FG}}] \mid [P_{\mathsf{FG}}\,\underline{\mathsf{U}}\,P_{\mathsf{FG}}] \mid [P_{\mathsf{G}}\,\mathsf{U}\,P_{\mathsf{FG}}]$
$P_{\mathrm{Streett}} ::= P_{\mathsf{GF}} \mid P_{\mathsf{FG}} \mid \neg P_{\mathrm{Streett}} \mid P_{\mathrm{Streett}} \wedge P_{\mathrm{Streett}} \mid P_{\mathrm{Streett}} \vee P_{\mathrm{Streett}}$

Figure 2: Syntactic Characterizations of the Classes of the Temporal Logic Hierarchy (strong operators are underlined, as in Section 2.1)

Typical safety conditions like $\mathsf{G}\varphi$ or $\mathsf{G}[a\,\mathsf{U}\,b]$ that state that something bad never happens are contained in $\mathrm{TL}_{\mathsf{G}}$. Liveness conditions like $\mathsf{F}\varphi$ are contained in $\mathrm{TL}_{\mathsf{F}}$. Finally, fairness conditions like $\mathsf{GF}\varphi$ that demand that something good happens infinitely often are contained in $\mathrm{TL}_{\mathsf{GF}}$, while stabilization/persistence properties like $\mathsf{FG}\varphi$ that demand that after a finite interval nothing bad happens are contained in $\mathrm{TL}_{\mathsf{FG}}$.

3.3 Relating the Temporal Logic and the Automata Hierarchy

In [22, 23] several translation procedures are given to translate formulas from $\mathrm{TL}_\kappa$ to equivalent $(\mathrm{N})\mathrm{Det}_\kappa$ automata. In particular, the following is an important result:

Theorem 1 (Temporal Logic and Automaton Hierarchy) Given a formula $\Phi \in \mathrm{TL}_\kappa$, we can construct a deterministic ω-automaton $\mathcal{A} = (2^{\mathcal{Q}}, I, R, \lambda, \mathcal{A})$ of the class $\mathrm{Det}_\kappa$ in time $O(2^{|\Phi|})$ with $|\mathcal{Q}| \leq 2|\Phi|$ state variables. Therefore, $\mathcal{A} = (2^{\mathcal{Q}}, I, R, \lambda, \mathcal{A})$ is a symbolic representation of a deterministic automaton with $O(2^{2|\Phi|})$ states.
The above results are already proved in detail in [23], where translation procedures from $\mathrm{TL}_\kappa$ to $\mathrm{NDet}_\kappa$ have been constructed. Moreover, it has been shown in [23] that the subset construction can be used to determinize the automata that stem from the classes $\mathrm{TL}_{\mathsf{G}}$ and $\mathrm{TL}_{\mathsf{F}}$, and that the Miyano-Hayashi breakpoint construction is sufficient to determinize the automata that stem from the translation of formulas from $\mathrm{TL}_{\mathsf{FG}}$ and $\mathrm{TL}_{\mathsf{GF}}$. Since $\mathrm{TL}_{\mathrm{Prefix}}$ and $\mathrm{TL}_{\mathrm{Streett}}$ are the boolean closures of $\mathrm{TL}_{\mathsf{G}} \cup \mathrm{TL}_{\mathsf{F}}$ and $\mathrm{TL}_{\mathsf{FG}} \cup \mathrm{TL}_{\mathsf{GF}}$, respectively, the remaining results for $\mathrm{TL}_{\mathrm{Prefix}}$ and $\mathrm{TL}_{\mathrm{Streett}}$ follow from the boolean combinations of $\mathrm{Det}_{\mathsf{G}}/\mathrm{Det}_{\mathsf{F}}$ and $\mathrm{Det}_{\mathsf{FG}}/\mathrm{Det}_{\mathsf{GF}}$, respectively. The final step consists of computing the boolean closure of the acceptance conditions. To this end, it is shown in [23] how arbitrary boolean combinations of $\mathsf{G}\varphi$ and $\mathsf{F}\varphi$ with propositional formulas $\varphi$ are translated to equivalent $\mathrm{Det}_{\mathrm{Prefix}}$ automata, and analogously, how arbitrary boolean combinations of $\mathsf{GF}\varphi$ and $\mathsf{FG}\varphi$ with propositional formulas $\varphi$ are translated to equivalent $\mathrm{Det}_{\mathrm{Streett}}$ automata.

4 A LTL Fragment for GR(1)-Synthesis

Using the previously mentioned temporal logic hierarchy, we define a fragment of LTL that can be easily translated to a set of deterministic Büchi automata for the assumptions and a set of deterministic Büchi automata for the guarantees (Figure 3).
The productions for $P_{\mathsf{G}}$, $P_{\mathsf{F}}$, $P_{\mathrm{Prefix}}$, $P_{\mathsf{GF}}$ and $P_{\mathsf{FG}}$ are those of Figure 2; the fragment adds the following nonterminals:

$P_{\mathrm{Assume}} ::= P_{\mathsf{GF}} \mid P_{\mathrm{Assume}} \wedge P_{\mathrm{Assume}}$
$P_{\mathrm{Guarantee}} ::= P_{\mathsf{GF}} \mid P_{\mathrm{Guarantee}} \wedge P_{\mathrm{Guarantee}}$
$P_{\mathrm{GR}(1)} ::= P_{\mathrm{Assume}} \to P_{\mathrm{Assert}}$

Figure 3: A LTL Fragment for GR(1)-Synthesis

[Figure 4: (Borel) Hierarchy of ω-Automata and Temporal Logic with GR(1). The diagram of Figure 1 extended by the classes (N)Det_Streett(1), (N)Det_GR(1) and TL_GR(1); the figure itself is not reproduced here.]

As can be seen, our LTL fragment is naturally embedded in the temporal logic hierarchy. The formulas that syntactically belong to our LTL fragment are those formulas that are derived from the nonterminal $P_{\mathrm{GR}(1)}$; thus, these are implications of formulas that are derived from the nonterminals $P_{\mathrm{Assume}}$ and $P_{\mathrm{Assert}}$, respectively, which are both conjunctions of $\mathrm{TL}_{\mathsf{GF}}$-formulas. Concerning the automata hierarchy, we can translate these formulas to automata with a GR(1)-acceptance condition, i.e. a generalization of a Streett(1) condition. In [2], it is shown that a GR(1)-condition can be equivalently expressed by a Streett(1)-condition, i.e. a Streett condition with only one acceptance pair.
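The syntactic membership check this section describes, as an added Python example that is not the paper's Quartz2Marduk implementation: for a formula given as a nested tuple it computes the set of classes $\mathrm{TL}_\kappa$ whose grammar in Figure 2 derives it, and then tests the $P_{\mathrm{GR}(1)}$ shape of Figure 3. The tuple encoding, the helper constructors, the signal names req and grant and the two example specifications are constructed here; the assignment of weak and strong until to the grammar rules follows the paper's underlining convention from Section 2.1.

```python
# Syntactic membership test for the temporal logic classes of Figure 2 and the GR(1)
# fragment of Figure 3.  Formulas are nested tuples (a constructed encoding):
#   ("var", name) | ("const", 0 or 1) | ("not", φ) | ("and", φ, ψ) | ("or", φ, ψ)
#   ("implies", φ, ψ)                      treated as ¬φ ∨ ψ
#   ("X", φ)                               next
#   ("U", φ, ψ) / ("sU", φ, ψ)             weak / strong until
#   ("pX", φ) / ("spX", φ)                 weak / strong previous
#   ("pU", φ, ψ) / ("spU", φ, ψ)           weak / strong past until

CLASSES = frozenset({"G", "F", "Prefix", "GF", "FG", "Streett"})
DUAL = {"G": "F", "F": "G", "Prefix": "Prefix", "GF": "FG", "FG": "GF", "Streett": "Streett"}
PAST_OR_NEXT = frozenset({"G", "F", "GF", "FG"})   # rows of Figure 2 that have X and past rules

TRUE, FALSE = ("const", 1), ("const", 0)
def var(name): return ("var", name)
def G(phi): return ("U", phi, FALSE)        # G φ = [φ U 0] with weak until
def F(phi): return ("sU", TRUE, phi)        # F φ = [1 U φ] with strong until
def implies(phi, psi): return ("implies", phi, psi)

def close(base):
    """Inclusions between the rows of Figure 2: P_Prefix ⊇ P_G ∪ P_F,
    P_GF, P_FG ⊇ P_Prefix and P_Streett ⊇ P_GF ∪ P_FG."""
    c = set(base)
    if c & {"G", "F"}: c.add("Prefix")
    if "Prefix" in c: c |= {"GF", "FG"}
    if c & {"GF", "FG"}: c.add("Streett")
    return c

def classes(phi):
    """Set of κ with φ ∈ TL_κ according to the grammar of Figure 2."""
    op = phi[0]
    if op in ("var", "const"):
        return set(CLASSES)
    if op == "implies":
        return classes(("or", ("not", phi[1]), phi[2]))
    if op == "not":
        inner = classes(phi[1])
        base = {k for k, d in DUAL.items() if d in inner}   # ¬P_F ∈ P_G, ¬P_GF ∈ P_FG, ...
    elif op in ("and", "or"):
        base = classes(phi[1]) & classes(phi[2])
    elif op in ("X", "pX", "spX"):
        base = classes(phi[1]) & PAST_OR_NEXT
    elif op in ("pU", "spU"):
        base = classes(phi[1]) & classes(phi[2]) & PAST_OR_NEXT
    elif op == "U":                                           # weak until rules
        l, r = classes(phi[1]), classes(phi[2])
        rules = {"G": ("G", "G"), "GF": ("GF", "GF"), "FG": ("G", "FG")}
        base = {k for k, (kl, kr) in rules.items() if kl in l and kr in r}
    elif op == "sU":                                          # strong until rules
        l, r = classes(phi[1]), classes(phi[2])
        rules = {"F": ("F", "F"), "GF": ("GF", "F"), "FG": ("FG", "FG")}
        base = {k for k, (kl, kr) in rules.items() if kl in l and kr in r}
    else:
        raise ValueError(f"unknown operator {op!r}")
    return close(base)

def conjuncts(phi):
    return conjuncts(phi[1]) + conjuncts(phi[2]) if phi[0] == "and" else [phi]

def gr1_parts(phi):
    """Figure 3: φ must be P_Assume → P_Assert with both sides conjunctions of TL_GF
    formulas.  Returns (assumptions, guarantees), or None if the syntactic check rejects φ."""
    if phi[0] != "implies":
        return None
    assumptions, guarantees = conjuncts(phi[1]), conjuncts(phi[2])
    if all("GF" in classes(c) for c in assumptions + guarantees):
        return assumptions, guarantees
    return None

# Constructed example specifications over the signals req (input) and grant (output).
req, grant = var("req"), var("grant")
SPEC = implies(G(F(req)), ("and", G(F(grant)), G(implies(req, ("X", grant)))))
REJECTED = implies(F(G(req)), G(F(grant)))   # FG req is a persistence formula, not in TL_GF

if __name__ == "__main__":
    for name, phi in [("GF req", G(F(req))), ("FG req", F(G(req))),
                      ("G(req -> X grant)", G(implies(req, ("X", grant))))]:
        print(name, "is in", sorted(classes(phi)))
    print("SPEC accepted for GR(1)-synthesis:", gr1_parts(SPEC) is not None)
    print("REJECTED accepted for GR(1)-synthesis:", gr1_parts(REJECTED) is not None)
```

Because the check is purely syntactic, a formula is rejected whenever no derivation exists, even if it is semantically equivalent to one that has a derivation; that is the conservative behaviour the text describes (never an error, possibly a rejection).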
Hence, using the Streett(1) equivalence from [2], we obtain the "enriched" automata hierarchy shown in Figure 4, together with the following corollary, which easily follows from Theorem 1:

Corollary 1 Given a $P_{\mathrm{GR}(1)}$-formula of the form $\Phi = (\varphi_1 \wedge \ldots \wedge \varphi_n) \to (\psi_1 \wedge \ldots \wedge \psi_m)$, we can compute $n$ deterministic Büchi automata $\mathcal{A}^a_{\varphi_1}, \ldots, \mathcal{A}^a_{\varphi_n}$ and $m$ deterministic Büchi automata $\mathcal{A}^g_{\psi_1}, \ldots, \mathcal{A}^g_{\psi_m}$ such that $\mathcal{A}_{\varphi_i}$ ($\mathcal{A}_{\psi_j}$) is initially equivalent to $\varphi_i$ (resp. $\psi_j$). Hence the GR(1)-automaton obtained from those automata according to Definition 3 is initially equivalent to $\Phi$.

5 Experiments

In our previous work, we had already implemented a toolset Averest [24] whose inputs are programs written in the Esterel-like synchronous programming language Quartz [24]. Averest compiles the synchronous programs to guarded actions, which can be used in turn to generate sequential and concurrent software, hardware, or symbolic transition relations for formal verification. Specifications can be given in various temporal logics and the µ-calculus. Averest provides a lot of translations from temporal logic to either ω-automata or directly to the µ-calculus (see [23] for these translations).

For this paper, we implemented an additional tool Quartz2Marduk that takes as input a set of LTL formulas that represent assumptions and assertions/guarantees of a GR(1) specification (see the example shown in Figure 5). We then check whether these specifications belong to the class that can be used for GR(1)-synthesis. If so, we automatically generate deterministic automata that are equivalent to the specification. The automata are automatically minimized using a form of delayed simulation [10] and are afterwards used to generate a file as input to the Marduk tool [3] (footnote 2). Marduk is a re-implementation of Anzu [11] with some new features. It is basically a BDD-based implementation of the algorithm given in [20].
Included with Marduk came two case studies that are described in [4, 5, 11]. The first case study is the GenBuf example that is used as a tutorial in IBM's RuleBase system. The second example is ARM's Advanced Microcontroller Bus Architecture (AMBA), which defines the Advanced High performance Bus (AHB), an on-chip communication standard that connects devices like processor cores, caches and DMA arbiters. In [4, 5, 11] temporal logic specifications for those case studies are given along with some hints how deterministic automata for these specifications can be manually obtained. Marduk came with an input file that already contained those manually generated deterministic automata. In our tool, all we had to do was to simply write down the temporal logic specifications given in [4, 5, 11] and compile them to a Marduk input file.

After having compiled the Marduk input files, we ran Marduk with dynamic variable ordering enabled, leaving the other options untouched. The results of our experiments are given in Figure 6. The first column given there is the name of the case study, the second column is the time (in seconds) our tool needed to perform determinization. The third column lists the number of state variables that were generated by our tool and by the manually generated deterministic automata. The next column lists the number of BDD nodes for the generated strategy. Finally, the last column lists the runtime of Marduk for the automatically generated automata and the respective time for the manually generated automata. In the table, TO means that the synthesis procedure could not be finished within 50000 seconds (footnote 3).

6 Discussion

The GR(1)-approach is one of the most successful approaches to LTL synthesis today [4, 5, 11] and has already found applications apart from its primary target [28].
One interesting question regarding the GR(1)-synthesis approach is its good algorithmic behavior of having a cubic runtime despite the fact that many specifications can be rewritten to a deterministic automaton having a GR(1)-acceptance condition. This question has been answered in [2], where it is shown that in fact an automaton with GR(1)-acceptance condition is equivalent to a Streett automaton having only one acceptance pair. In this article, we gave the corresponding temporal logic view: We presented a fragment of LTL that is 'naturally' embedded in the temporal logic hierarchy and that can be easily translated to a corresponding deterministic GR(1)-automaton. We have implemented a tool that is able to translate any formula from this fragment to a corresponding deterministic GR(1)-automaton. This is a useful improvement in the expressivity and usage of the GR(1)-approach: instead of having the need to generate deterministic automata manually, the input to our tool is a more readable LTL formula.

However, this higher expressivity comes at a cost: Not too surprisingly, running Marduk on the manually generated automata took a significantly smaller amount of time than on the automatically generated automata and, moreover, generated smaller BDDs for the strategies.

[Figure 5: An Example Quartz File with a GR(1) Specification having only Assertions; the listing is not reproduced here.]

Footnote 2: Actually, our current implementation generates an Anzu [11] file and we use a tool included with Marduk to translate this Anzu file to a Marduk file.

Footnote 3: We cannot satisfactorily explain why the synthesis for the AMBA model needed more time for 6 masters than for 7 masters using our determinization procedure. However, the same holds for the manually generated automata, where this observation can be made for 8 and 9 masters, respectively. However, a similar observation was also reported in [5].
However, the manually generated automata have undergone heavy (hand-crafted) minimization steps⁴ and hence we expect that further improvements on the determinization or the minimization step of our tool could also significantly improve our results.

⁴ Compare the difference in the runtime of the Anzu tool reported in [4] with the one reported in [5].

7 Acknowledgements

We would like to thank Georg Hofferek for his kind help with the tool Marduk.

Figure 6: Experimental Results

Model      Det (s)   State Vars        Strategy Nodes            Solve (t)
                     Auto    Manu      Auto        Manu          Auto      Manu
GenBuf 2   0.1       12      3         8.755       3.344         0.86      0.25
GenBuf 3   0.1       12      3         19.087      4.237         1.96      0.3
GenBuf 4   0.2       12      3         25.653      5.546         2.12      0.63
GenBuf 5   0.2       12      3         39.356      11.916        12.88     1.34
GenBuf 6   0.3       12      3         26.139      15.605        5.61      2.38
GenBuf 7   0.3       12      3         117.625     18.894        41.92     3.75
GenBuf 8   0.3       12      3         45.238      24.302        11.24     5.14
GenBuf 9   0.3       12      3         27.507      24.493        12.7      7.8
GenBuf 10  0.3       12      3         67.879      51.605        44.91     25.3
Amba 2     0.6       9       7         38.107      50.816        3.0       1.97
Amba 3     1.1       10      8         77.033      122.027       14.4      10.64
Amba 4     1.8       11      9         451.456     503.622       66.9      98.32
Amba 5     7.2       12      10        1.194.190   825.294       1221.7    381.34
Amba 6     19.4      13      11        4.929.635   989.482       46815     420.96
Amba 7     42.0      14      12        2.052.871   1.037.608     4555.2    904.78
Amba 8     83.1      15      13        TO          3.625.518     TO        13617.19
Amba 9     403.6     16      14        TO          1.331.441     TO        4215.94
Amba 10    580.16    17      15        TO          3.034.060     TO        7325.85

(TO: timeout.)

References

[1] R. Alur & S. La Torre (2004): Deterministic Generators and Games for LTL Fragments. ACM Transactions on Computational Logic (TOCL) 5(1), pp. 1–15, doi:10.1145/963927.963928.
[2] R. Bloem, K. Chatterjee, K. Greimel, T.A. Henzinger & B. Jobstmann (2010): Robustness in the Presence of Liveness. In T. Touili, B. Cook & P. Jackson, editors: Computer Aided Verification (CAV). LNCS 6174, Springer, Edinburgh, UK, pp. 410–424, doi:10.1007/978-3-642-14295-6_36.
[3] R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Könighofer, M. Roveri, V. Schuppan & R. Seeber (2010): RATSY - A New Requirements Analysis Tool with Synthesis. In T. Touili, B. Cook & P. Jackson, editors: Computer Aided Verification (CAV). LNCS 6174, Springer, Edinburgh, UK, pp. 425–429, doi:10.1007/978-3-642-14295-6.
[4] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli & M. Weiglhofer (2007): Automatic hardware synthesis from specifications: a case study. In R. Lauwereins & J. Madsen, editors: Design, Automation and Test in Europe (DATE). IEEE Computer Society, Nice, France, pp. 1188–1193.
[5] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli & M. Weiglhofer (2007): Specify, Compile, Run: Hardware from PSL. Electronic Notes in Theoretical Computer Science (ENTCS) 190, pp. 3–16, doi:10.1016/j.entcs.2007.09.004.
[6] U. Boker & O. Kupferman (2009): Co-ing Büchi Made Tight and Useful. In: Logic in Computer Science (LICS). IEEE Computer Society, Los Angeles, California, USA, pp. 245–254, doi:10.1109/LICS.2009.32.
[7] J.R. Burch, E.M. Clarke, K.L. McMillan, D.L. Dill & L.J. Hwang (1990): Symbolic Model Checking: 10²⁰ States and Beyond. In: Logic in Computer Science (LICS). IEEE Computer Society, Washington, DC, USA, pp. 1–33, doi:10.1109/LICS.1990.113767.
[8] E.Y. Chang, Z. Manna & A. Pnueli (1992): Characterization of Temporal Property Classes. In W. Kuich, editor: International Colloquium on Automata, Languages and Programming (ICALP). LNCS 623, Springer, Vienna, Austria, pp. 474–486.
[9] E.A. Emerson (1990): Temporal and Modal Logic. In J. van Leeuwen, editor: Handbook of Theoretical Computer Science, chapter 16. B: Formal Models and Semantics, Elsevier, pp. 995–1072.
[10] C. Fritz (2005): Simulation-Based Simplification of omega-Automata. Ph.D. thesis, Technischen Fakultät der Christian-Albrechts-Universität zu Kiel, Germany.
[11] B. Jobstmann, S. Galler, M. Weiglhofer & R. Bloem (2007): Anzu: A Tool for Property Synthesis. In W. Damm & H. Hermanns, editors: Computer Aided Verification (CAV). LNCS 4590, Springer, Berlin, Germany, pp. 258–262, doi:10.1007/978-3-540-73368-3_29.
[12] O. Kupferman & M.Y. Vardi (1998): Freedom, Weakness, and Determinism: From Linear-Time to Branching-Time. In: Logic in Computer Science (LICS). IEEE Computer Society, Indianapolis, Indiana, USA, pp. 81–92, doi:10.1109/LICS.1998.705645.
[13] R. Könighofer, G. Hofferek & R. Bloem (2009): Debugging formal specifications using simple counterstrategies. In: Formal Methods in Computer-Aided Design (FMCAD). IEEE Computer Society, Austin, Texas, USA, pp. 152–159, doi:10.1109/FMCAD.2009.5351127.
[14] M. Maidl (2000): The Common Fragment of CTL and LTL. In: Foundations of Computer Science (FOCS). pp. 643–652.
[15] Z. Manna & A. Pnueli (1987): A Hierarchy of Temporal Properties. In: Principles of Distributed Computing (PODC). p. 205, doi:10.1145/41840.41857.
[16] Z. Manna & A. Pnueli (1990): A hierarchy of temporal properties. In: Principles of Distributed Computing (PODC). ACM, Quebec City, Quebec, Canada, pp. 377–408.
[17] Z. Manna & A. Pnueli (1991): Completing the temporal picture. Theoretical Computer Science (TCS) 83(1), pp. 97–130, doi:10.1016/0304-3975(91)90041-Y.
[18] S. Miyano & T. Hayashi (1984): Alternating automata on ω-words. Theoretical Computer Science (TCS) 32, pp. 321–330, doi:10.1016/0304-3975(84)90049-5.
[19] A. Morgenstern, K. Schneider & S. Lamberti (2008): Generating Deterministic ω-Automata for most LTL Formulas by the Breakpoint Construction. In C. Scholl & S. Disch, editors: Methoden und Beschreibungssprachen zur Modellierung und Verifikation von Schaltungen und Systemen (MBMV). Shaker, Freiburg, Germany, pp. 119–128.
[20] N. Piterman, A. Pnueli & Y. Sa'ar (2006): Synthesis of Reactive(1) Designs. In E.A. Emerson & K.S. Namjoshi, editors: Verification, Model Checking, and Abstract Interpretation (VMCAI). LNCS 3855, Springer, Charleston, South Carolina, USA, pp. 364–380, doi:10.1007/11609773_24.
[21] A. Pnueli (1977): The Temporal Logic of Programs. In: Foundations of Computer Science (FOCS). IEEE Computer Society, Providence, Rhode Island, USA, pp. 46–57, doi:10.1109/SFCS.1977.32.
[22] K. Schneider (2001): Improving Automata Generation for Linear Temporal Logic by Considering the Automata Hierarchy. In R. Nieuwenhuis & A. Voronkov, editors: Logic for Programming, Artificial Intelligence, and Reasoning (LPAR). LNAI 2250, Springer, Havana, Cuba, pp. 39–54, doi:10.1007/3-540-45653-8_3.
[23] K. Schneider (2003): Verification of Reactive Systems - Formal Methods and Algorithms. Texts in Theoretical Computer Science (EATCS Series), Springer.
[24] K. Schneider (2009): The Synchronous Programming Language Quartz. Internal Report 375, Department of Computer Science, University of Kaiserslautern, Kaiserslautern, Germany.
[25] W. Thomas (1990): Automata on Infinite Objects. In J. van Leeuwen, editor: Handbook of Theoretical Computer Science, chapter 4. B: Formal Models and Semantics, Elsevier, pp. 133–191.
[26] K. Wagner (1979): On ω-regular sets. Information and Control 43(2), pp. 123–177.
[27] N. Wallmeier, P. Hütten & W. Thomas (2003): Symbolic Synthesis of Finite-State Controllers for Request-Response Specifications. In O.H. Ibarra & Z. Dang, editors: Conference on Implementation and Application of Automata (CIAA). LNCS 2759, Springer, Santa Barbara, California, USA, pp. 11–22, doi:10.1007/3-540-45089-0_3.
[28] T. Wongpiromsarn, U. Topcu & R.M. Murray (2010): Receding horizon control for temporal logic specifications. In K.H. Johansson & W. Yi, editors: Hybrid Systems: Computation and Control (HSCC). ACM, Stockholm, Sweden, pp. 101–110, doi:10.1145/1755952.1755968.
