Synthesis from Probabilistic Components
Yoad Lustig, Sumit Nain, and Moshe Y. Vardi
Department of Computer Science, Rice University, Houston, TX 77005, USA
e-mail address: [email protected], {nain,vardi}@cs.rice.edu

Abstract.
Synthesis is the automatic construction of a system from its specification. In classical synthesis algorithms, it is always assumed that the system is "constructed from scratch" rather than composed from reusable components. This, of course, rarely happens in real life, where almost every non-trivial commercial software system relies heavily on using libraries of reusable components. Furthermore, other contexts, such as web-service orchestration, can be modeled as synthesis of a system from a library of components. Recently, Lustig and Vardi introduced dataflow and control-flow synthesis from libraries of reusable components. They proved that dataflow synthesis is undecidable, while control-flow synthesis is decidable. In this work, we consider the problem of control-flow synthesis from libraries of probabilistic components. We show that this more general problem is also decidable.

1. Introduction
Hardware and software systems are rarely built from scratch. Almost every non-trivial system is based on existing components. A typical component might be used in the design of multiple systems. Examples of such components include function libraries, web APIs, and ASICs. Consider the mapping application in a typical smartphone. Such an application might call the location service provided by the phone's operating system to get the user's co-ordinates, then call a web API to obtain the correct map image tiles, and finally call a graphics library to display the user's location on the screen. None of these components are exclusive to the mapping application and all of them are commonly used by other applications.

The construction of systems from reusable components is an area of active research. Examples of important work on the subject can be found in Sifakis' work on component-based construction [21], and de Alfaro and Henzinger's work on "interface-based design" [9]. Furthermore, other situations, such as web-service orchestration [1], can be viewed as the construction of systems from libraries of reusable components.

[Software and its engineering]: Software organization and properties—Software functional properties—Formal methods—Software verification.
Key words and phrases: temporal synthesis, probabilistic components.
Work supported in part by NSF grants CNS 1049862 and CCF-1139011, by NSF Expeditions in Computing project "ExCAPE: Expeditions in Computer Augmented Program Engineering", by BSF grant 9800096, and by a gift from Intel.

LOGICAL METHODS IN COMPUTER SCIENCE, DOI: 10.2168/LMCS-10(2:17)2014
© Y. Lustig, S. Nain, and M. Y. Vardi. Creative Commons.
Synthesis is the automated construction of a system from its specification. In contrast to model checking, which involves verifying that a system satisfies the given specification, synthesis aims to automatically construct the required system from its formal specification. The modern approach to temporal synthesis was initiated by Pnueli and Rosner who introduced linear temporal logic (LTL) synthesis [17]. In LTL synthesis, the specification is given in LTL and the system constructed is a finite-state transducer modeling a reactive system. In this setting it is always assumed that the system is "constructed from scratch" rather than "composed" from existing components. Recently, Lustig and Vardi [14] introduced the study of synthesis from reusable components. The use of components abstracts much of the detailed behavior of a sub-system, and allows one to write specifications that mention only the aspects of sub-systems relevant for the synthesis of the system at large.

A major concern in the study of synthesis from reusable components is the choice of a mathematical model for the components and their composition. The exact nature of the reusable components in a software library may differ. One finds in the literature many different types of components; for example, function libraries (for procedural programming languages) or object libraries (for object-oriented programming languages). Indeed, there is no single "right" model encompassing all possible facets of the problem. The problem of synthesis from reusable components is a general problem to which there are as many facets as there are models for components and types of composition [21].

As a basic model for a component, following [14], we abstract away the precise details of the component and model a component as a transducer, i.e., a finite-state machine with outputs. Transducers constitute a canonical model for reactive components, abstracting away internal architecture and focusing on modeling input/output behavior.
In [14], two models of composition were studied. In dataflow composition, the output of one component is fed as input to another component. The synthesis problem for dataflow composition was shown to be undecidable. In control-flow composition, control is held by a single component at every point in time. The synthesis problem can then be viewed as constructing a supervisory transducer that switches control between the component transducers. Control-flow composition is motivated by software (and web services) in which a single function is in control at every point during the execution. LTL synthesis in this setting was shown in [14] to be 2EXPTIME-complete, just like classical LTL synthesis [17].

In this paper, we extend the control-flow synthesis model of [14] to probabilistic components, which are transducers with a probabilistic transition function. This is a well-known approach to modeling systems where there is probabilistic uncertainty about the results of input actions. Intuitively, we aim at constructing a reliable system from unreliable components. There is a rich literature about verification and analysis of such systems, cf. [22, 7, 8, 23], as well as about synthesis in the face of probabilistic uncertainty [2]. The introduction of probability requires us to use a probabilistic notion of correctness; here we choose the qualitative criterion that the specification be satisfied with probability 1, leaving the study of quantitative criteria to future work.

Here, our focus is on proving decidability, rather than on establishing precise complexity bounds, leaving the study of precise bounds to future work. Consequently, we abstract away from the details of the specification formalism and assume that the specification is given in terms of deterministic parity word automata (DPW). This allows us to consider all ω-regular properties.
We define and study the DPW probabilistic realizability and synthesis problems, where the input is a library L of probabilistic components and a DPW A, and the question is whether one can construct a finite system S from the components in L such that, regardless of the external environment, the traces generated by the system S are accepted by A with probability 1. Each component in the library can be used an arbitrary number of times in the construction and there is no a priori bound on the size of the system obtained. The technical challenge here is dealing with the finiteness of the system under construction. In [14], as well as in [17], one need not deal with finiteness from the start. In fact, one can test realizability without being concerned with finiteness of the constructed system, as finiteness is a consequence of the construction. This is not the case here, where we need to deal with finiteness from the start. Nevertheless, we are able to show that the problem is in 2EXPTIME.

Before tackling the full problem, we first consider a restricted version of the problem, where the specification is given in the form of a parity index on the states of the components, and the composed system must satisfy the parity condition. We call this the embedded parity realizability problem. We solve this problem and then show how solving the embedded parity realizability problem directly allows us to solve the more general DPW probabilistic realizability problem as well. The key idea here is that by taking the product of the specification DPW with each of the components, we can obtain larger components each of whose states has a parity associated with it. The challenge in completing the reduction is the need to generate a static composition, which does not depend on the history of the computation. Here we use ideas about synthesis with incomplete information from [13].

2. Background
2.1. Preliminaries.

2.1.1. Labeled Trees.
Given a set D of directions, a D-tree is a set T ⊆ D* such that (a) there is an element x_0 ∈ T, called the root of T, such that, for all x ∈ T there exists y ∈ D* with x = x_0 · y, and (b) if x · c is a non-root element of T, where x ∈ D* and c ∈ D, then x is also an element of T. The elements of T are called its nodes. For every node x ∈ T, the set of successors of x is given by {x · c ∈ T : c ∈ D}. A node with no successors is called a leaf. A path π of a tree T is a set π ⊆ T such that for every pair of nodes x, y in π, there exists z ∈ D* such that x = y · z or y = x · z. A path is infinite if it has no leaf nodes, otherwise it is finite. A subtree of T is a tree T′ ⊆ T. For a node x ∈ T, the subtree rooted at x is the tree {x · y ∈ T : y ∈ D*}. The full D-tree is D*. The full subtree at x is the tree whose set of nodes is x · D*.

Given an alphabet Σ, a Σ-labeled D-tree is a pair ⟨T, τ⟩, where T is a tree and τ : T → Σ maps each node of T to a letter in Σ. A subtree of ⟨T, τ⟩ is a Σ-labeled D-tree ⟨T′, τ′⟩, where T′ is a subtree of T and τ′(x) = τ(x), for all x ∈ T′.

2.1.2. Tree Automata.
For a set X, let B⁺(X) be the set of positive Boolean formulas over X (i.e., Boolean formulas built from elements in X using ∧ and ∨), including the formulas True (an empty conjunction) and False (an empty disjunction). For a set Y ⊆ X and a formula θ ∈ B⁺(X), we say that Y satisfies θ iff assigning True to elements in Y and assigning False to elements in X − Y makes θ true. An alternating tree automaton is a tuple A = ⟨Σ, D, Q, q_0, δ, β⟩, where Σ is the input alphabet, D is a set of directions, Q is a finite set of states, q_0 ∈ Q is an initial state, δ : Q × Σ → B⁺(D × Q) is a transition function, and β specifies the acceptance condition that defines a subset of Q^ω. Each element of B⁺(D × Q) is called an atom. The alternating automaton A runs on Σ-labeled full D-trees. A run of A over a Σ-labeled D-tree ⟨T, τ⟩ is a (T × Q)-labeled ℕ-tree ⟨T_r, r⟩. Each node of T_r corresponds to a node of T. A node in T_r, labeled by (x, q), describes a copy of the automaton that reads the node x of T and visits the state q. Note that multiple nodes of T_r can correspond to the same node of T. The labels of a node and its successors have to satisfy the transition function. Formally, ⟨T_r, r⟩ satisfies the following conditions:

(1) ε ∈ T_r and r(ε) = (ε, q_0).
(2) Let y ∈ T_r with r(y) = (x, q) and δ(q, τ(x)) = θ. Then there exists a set S = {(c_0, q_0), (c_1, q_1), . . ., (c_n, q_n)} ⊆ D × Q such that S satisfies θ, and for all 0 ≤ i ≤ n, we have y · i ∈ T_r and r(y · i) = (x · c_i, q_i). S is allowed to be empty.

An infinite path π of a run ⟨T_r, r⟩ is labeled by a word in Q^ω. Let inf(π) be the set of states in Q that occur infinitely often in r(π). The Büchi acceptance condition is given as β ⊆ Q, and π satisfies β if inf(π) ∩ β ≠ ∅. The parity acceptance condition is given as a function β : Q → {0, . . ., k}, and π satisfies β if min({β(q) : q ∈ inf(π)}) is even. A run ⟨T_r, r⟩ is accepting if all its infinite paths satisfy the acceptance condition. An automaton accepts a tree iff there exists a run that accepts it.
We denote by L(A) the set of all Σ-labeled D-trees accepted by A. The transition function δ of an alternating tree automaton is nondeterministic if every formula produced by δ can be written in disjunctive normal form such that if two atoms (c_1, q_1) and (c_2, q_2) occur in the same conjunction then c_1 and c_2 must be different. A nondeterministic tree automaton A is an alternating tree automaton with a nondeterministic transition function. In this case the transition function returns a set of |D|-ary tuples of states and can be represented as a function δ : Q × Σ → 2^(Q^|D|).

2.1.3. Transducers.

A deterministic transducer is a tuple B = ⟨Σ_I, Σ_O, Q, q_0, δ, L⟩, where: Σ_I is a finite input alphabet, Σ_O is a finite output alphabet, Q is a finite set of states, q_0 ∈ Q is an initial state, L : Q → Σ_O is an output function labeling states with output letters, and δ : Q × Σ_I → Q is a transition function. We define δ* : Σ_I* → Q as follows: δ*(ε) = q_0 and for x ∈ Σ_I* and a ∈ Σ_I, δ*(x · a) = δ(δ*(x), a). We denote by tree(B) the Σ_O-labeled Σ_I-tree ⟨Σ_I*, τ⟩, where for all x ∈ Σ_I*, we have τ(x) = L(δ*(x)). We say tree(B) is the unwinding of B. A Σ-labeled D-tree T is called regular if there exists a deterministic transducer C such that T = tree(C).

A probability distribution on a finite set X is a function f : X → [0, 1] such that Σ_{x∈X} f(x) = 1. We use Dist(X) to denote the set of all probability distributions on set X. A probabilistic transducer is a tuple T = ⟨Σ_I, Σ_O, Q, q_0, δ, F, L⟩, where: Σ_I is a finite input alphabet, Σ_O is a finite output alphabet, Q is a finite set of states, q_0 ∈ Q is an initial state, δ : (Q − F) × Σ_I → Dist(Q) is a probabilistic transition function, F ⊆ Q is a set of exit states, and L : Q → Σ_O is an output function labeling states with output letters. Note that there are no transitions out of an exit state. If F is empty, we say T is a probabilistic transducer without exits. Note that deterministic transducers are a special case of probabilistic transducers.

Given a probabilistic transducer M = (Σ_I, Σ_O, Q, q_0, δ, F, L), a strategy for M is a function f : Q* → Dist(Σ_I) that probabilistically chooses an input for each sequence of states. A strategy is memoryless if the choice depends only on the last state in the sequence. A memoryless strategy can be written as a function g : Q → Dist(Σ_I). A strategy is pure if the choice is deterministic. A pure strategy is a function h : Q* → Σ_I, and a memoryless and pure strategy is a function h : Q → Σ_I.

A strategy f along with a probabilistic transducer M, with set of states Q, induces a probability distribution on Q^ω, denoted μ_f. By standard measure theoretic arguments, it suffices to define μ_f for the cylinders of Q^ω, which are sets of the form β · Q^ω, where β ∈ Q*. First we extend δ to exit states as follows: for a ∈ Σ_I, q ∈ F, q′ ∈ Q, δ(q, a)(q) = 1 and δ(q, a)(q′) = 0 when q′ ≠ q. Then we define μ_f(q_0 · Q^ω) = 1, and for β ∈ Q*, q, q′ ∈ Q, μ_f(βqq′ · Q^ω) = μ_f(βq · Q^ω) · (Σ_{a∈Σ_I} f(βq)(a) × δ(q, a)(q′)).
These conditions say that there is a unique start state, and the probability of visiting a state q′, after visiting βq, is the same as the probability of the strategy picking a particular letter multiplied by the probability that the transducer transitions from q to q′ on that input letter, summed over all input letters.

2.1.4. Graph Induced by a Strategy.
Given a directed graph G = (V, E), a strongly connected component of G is a subset U of V such that for all u, v ∈ U, u is reachable from v. We can define a natural partial order on the set of maximal strongly connected components of G as follows: U_1 ≤ U_2 if there exist u_1 ∈ U_1 and u_2 ∈ U_2 such that u_1 is reachable from u_2. Then U ⊆ V is an ergodic set of G if it is a minimal element of the partial order.

Let M be a probabilistic transducer, Q be its set of states, and f be a memoryless strategy for M. We define the graph induced by f on Q, denoted by G_{M,f}, as the directed graph (Q, E), where (q_1, q_2) ∈ E if Σ_{a∈Σ_I} f(q_1)(a) δ(q_1, a)(q_2) > 0. That is, there is an edge from q_1 to q_2 if the transducer can transition from the state q_1 to the state q_2 on an input letter that the strategy chooses with positive probability. Given q_1, q_2 ∈ Q, we say that q_2 is reachable from q_1 if there is a path from q_1 to q_2 in G_{M,f}. We say a state is ergodic if it belongs to some ergodic set of G_{M,f}. An ergodic set is reachable if there is a path from the start state to some state in the ergodic set. A state q of M is reachable under f if there is a path in G_{M,f} from q_0 to q.

2.1.5. Library of Components.

A library is a set of probabilistic transducers that share the same input and output alphabets. Each transducer in the library is called a component. Given a finite set of directions D, we say a library L has width D if each component in the library has exactly |D| exit states. Since we can always add dummy unreachable exit states to any component, we assume, w.l.o.g., that all libraries have an associated width, usually denoted D. In the context of a particular component, we often refer to elements of D as exits, and subsets of D as sets of exits. Given a component M from library L, and a strategy f for M, we say that the exit i ∈ D is selected by f if the i-th exit state of M is reachable under f.

An index function for a transducer is a function that assigns a natural number, called a priority index, to each state of the transducer. An index function for a library is a function that assigns a priority to every state of every component in the library. Given an index function α for a library L, we define max(α) to be the highest priority assigned by α. We can assume, w.l.o.g., that max(α) is not larger than twice the maximal number of states in the components of the library. Given a transducer M, index function α, and a strategy f for M, we say f visits priority p if there exists a state q of M such that α(q) = p and q is reachable under f.
2.2. Reactive Synthesis.
Reactive synthesis involves the automated construction of reactive programs from specifications. Given sets I and O of input and output signals, respectively, we can view a program as a function P : (2^I)* → 2^O that maps a finite sequence of sets of input signals into a set of output signals. A reactive system can be viewed as a non-terminating program that interacts with an adversarial environment. The environment generates an infinite sequence of input signals, which are modeled as infinite words over the alphabet 2^I. The execution of the program for a particular input word results in an infinite computation, which is represented as an infinite word over 2^(I ∪ O).

Given an LTL formula ψ over I ∪ O, realizability of ψ is the problem of determining whether there exists a program P all of whose computations satisfy the specification ψ. The correct synthesis of ψ then amounts to constructing such a P [17].

The complete behavior of the system can be described by the set of all possible executions (i.e., the traces of the system), which is represented as a 2^O-labeled 2^I-tree, called an execution tree. The automata-theoretic approach involves constructing a tree automaton that accepts all computation trees all of whose paths satisfy ψ. The solution to the LTL synthesis problem then consists of a reduction to the nonemptiness problem of tree automata [17] (an earlier and more complicated solution can be found in [3]). The LTL synthesis problem is closely related to Church's problem [4, 18].

The automata-theoretic approach to synthesis has been quite fruitful since the original work of Pnueli and Rosner [17]. Automata-theoretic methods have been applied successfully to the synthesis of branching specifications [11] and to synthesis in the presence of incomplete or hidden information [13]. The work reported in this paper extends the reactive-synthesis framework to synthesis from probabilistic components.

3. Control-flow Composition from Libraries
We first informally describe our notion of control-flow composition of components from a library. The components in the composition take turns interacting with the environment, and at each point in time, exactly one component is active. When the active component reaches an exit state, control is transferred to some other component. Thus, to define a control-flow composition, it suffices to name the components used and describe how control should be transferred between them. We use a deterministic transducer to define the transfer of control. Each library component can be used multiple times in a composition, and we treat these occurrences as distinct component instances. We emphasize that the composition can contain potentially arbitrarily many repetitions of each component inside it. Thus, the size of the composition, a priori, is not bounded. Note that our notion of composition is static, where the components called are determined before run time, rather than dynamic, where the components called are determined during run time.

Let L be a library with width D. A composer over L is a deterministic transducer C = (D, L, M, M_0, ∆, λ). Here M is an arbitrary finite set of states. There is no bound on the size of M. Each M_i ∈ M is the name of an instance of a component from L and λ(M_i) ∈ L is the type of M_i. We use the following notational convention for component instances and names: the upright letter M always denotes component names (i.e., states of a composer) and the italicized letter M always denotes the corresponding component instances (i.e., elements of L). Further, for notational convenience we often write M_i directly instead of λ(M_i). Note that while each M_i is distinct, the corresponding components M_i need not be distinct. Each composer defines a unique composition over components from L. The current state of the composer corresponds to the component that is in control.
The transition function ∆ describes how to transfer control between components: ∆(M, i) = M′ denotes that when the composition is in the i-th final state of component M it moves to the start state of component M′. A composer can be viewed as an implicit representation of a composition. We give an explicit definition of composition below.

Definition 3.1 (Control-flow Composition). Let C = (D, L, M, M_0, ∆, λ) be a composer over library L with width D, where M = {M_0, . . ., M_n}, λ(M_i) = (Σ_I, Σ_O, Q_i, q_i, δ_i, F_i, L_i) and F_i = {q_{ix} : x ∈ D}. The composition defined by C, denoted T_C, is a probabilistic transducer ⟨Σ_I, Σ_O, Q, q_0, δ, ∅, L⟩, where Q = ⋃_{i=0}^{n} (Q_i × {i}), q_0 = ⟨q_0, 0⟩, L(⟨q, i⟩) = L_i(q), and the transition function δ is defined as follows: For σ ∈ Σ_I, ⟨q, i⟩ ∈ Q and ⟨q′, j⟩ ∈ Q,

(1) If q ∈ Q_i \ F_i, then δ(⟨q, i⟩, σ)(⟨q′, j⟩) = δ_i(q, σ)(q′) if i = j, and 0 otherwise.
(2) If q = q_{ix} ∈ F_i, where ∆(M_i, x) = M_k, then δ(⟨q, i⟩, σ)(⟨q′, j⟩) = 1 if j = k and q′ = q_k, and 0 otherwise.

Thus, when the composition is in a state ⟨q, i⟩ corresponding to a non-exit state q of component M_i, it behaves like M_i. When the composition is in a state ⟨q_f, i⟩ corresponding to an exit state q_f of component M_i, the control is transferred to the start state of another component as determined by the transition function of the composer. Thus, at each point in time, only one component is active and interacting with the environment.

4. Synthesis for Embedded Parity
In this section we consider a simplified version of the general synthesis problem, where each state of a component in the library has a priority associated with it and the specification to be satisfied is that the highest priority visited i.o. must be even with probability 1.

Let M be a probabilistic transducer and α be an index function. A strategy f for M is winning for the environment if with positive probability the highest priority visited infinitely often (i.o.) is odd. We say that M satisfies α if there exists no winning strategy for the environment. Given a composer C over library L, we say that C satisfies α if T_C satisfies α. Given a library L with width D, an exit control relation is a set R ⊆ D × L. We say that a composer C = (D, L, M, M_0, ∆, λ) over L is compatible with R if the following holds: for all M, M′ ∈ M and i ∈ D, if ∆(M, i) = M′ then (i, M′) ∈ R. Thus, each element of R can be viewed as a constraint on how the composer is allowed to connect components.

Definition 4.1.
The embedded parity realizability problem is: Given a library L with width D, an exit control relation R for L, and an index function α for L, decide whether there exists a composer C over L, such that C satisfies α and C is compatible with R. If such a composer exists, we say that L realizes α under R. The embedded parity synthesis problem is to find such a composer C if it exists.
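The two steps that Definition 3.1 and Section 4 put together, building the composition T_C from a composer and deciding whether it satisfies an index function α, carried out on a constructed two-component library as an added example (not code from the paper). The check enumerates pure memoryless environment strategies and tests whether a reachable ergodic set of the induced graph has odd highest priority, which is justified by Theorem 4.2 below; the library, the components COIN and SAFE, ALPHA, the composers C1 and C2, and all function names are this example's own.

```python
from itertools import product

# Shared input alphabet of the constructed library. Output labels are omitted because the
# embedded parity condition only looks at the priorities of the states visited.
SIGMA_I = ("a", "b")

def component(start, exits, delta):
    """A probabilistic transducer with exits. delta[(q, sigma)] -> {q': prob} is given for
    non-exit states only; `exits` is ordered, so its index is the exit direction in D."""
    states = {start, *exits}
    for (q, _), dist in delta.items():
        states.add(q)
        states.update(dist)
    return {"states": frozenset(states), "start": start, "exits": tuple(exits), "delta": delta}

# Constructed toy library of width D = {0, 1}.
# COIN: on input a it leaves through exit 0 or exit 1 with probability 1/2 each; on b, always exit 0.
# SAFE: leaves through exit 0 on every input (exit 1 is a dummy, unreachable exit).
LIBRARY = {
    "COIN": component("s", ["e0", "e1"], {("s", "a"): {"e0": 0.5, "e1": 0.5},
                                           ("s", "b"): {"e0": 1.0}}),
    "SAFE": component("u", ["f0", "f1"], {("u", "a"): {"f0": 1.0}, ("u", "b"): {"f0": 1.0}}),
}
# Index function alpha: COIN's exit e1 carries the only odd priority; SAFE's start state carries 2.
ALPHA = {("COIN", "s"): 0, ("COIN", "e0"): 0, ("COIN", "e1"): 1,
         ("SAFE", "u"): 2, ("SAFE", "f0"): 0, ("SAFE", "f1"): 0}

def compose(instances, start_instance, control):
    """Definition 3.1. instances = {instance name: component type} (lambda); control[(name, x)]
    is the instance that receives control from exit x (Delta). Returns T_C as
    (states, start, delta, priority); T_C itself has no exit states."""
    states, delta, priority = set(), {}, {}
    for name, typ in instances.items():
        comp = LIBRARY[typ]
        for q in comp["states"]:
            states.add((q, name))
            priority[(q, name)] = ALPHA[(typ, q)]
        for (q, sigma), dist in comp["delta"].items():   # case (1): non-exit states behave like M_i
            delta[((q, name), sigma)] = {(q2, name): p for q2, p in dist.items()}
        for x, qx in enumerate(comp["exits"]):           # case (2): exit x jumps to the start of Delta(M_i, x)
            target = control[(name, x)]
            for sigma in SIGMA_I:
                delta[((qx, name), sigma)] = {(LIBRARY[instances[target]]["start"], target): 1.0}
    start = (LIBRARY[instances[start_instance]]["start"], start_instance)
    return frozenset(states), start, delta, priority

def compatible(instances, control, R):
    """Section 4: C is compatible with R iff Delta(M, i) = M' implies (i, lambda(M')) in R."""
    return all((i, instances[target]) in R for (_, i), target in control.items())

def induced_graph(states, delta, h):
    """G_{M,h} for a pure memoryless strategy h: edge q -> q' iff delta(q, h(q))(q') > 0.
    States without transitions (exit states) get the self-loop the paper uses to extend delta."""
    return {q: {q2 for q2, p in delta.get((q, h[q]), {q: 1.0}).items() if p > 0} for q in states}

def reachable(graph, src):
    seen, todo = set(), [src]
    while todo:
        q = todo.pop()
        if q not in seen:
            seen.add(q)
            todo.extend(graph[q])
    return seen

def reachable_ergodic_sets(graph, start):
    """Ergodic sets are the bottom SCCs: the forward closure of q is one iff every member reaches q."""
    ergodic = set()
    for q in reachable(graph, start):
        closure = reachable(graph, q)
        if all(q in reachable(graph, r) for r in closure):
            ergodic.add(frozenset(closure))
    return ergodic

def environment_wins(states, start, delta, priority, h):
    """h is winning for the environment iff some reachable ergodic set has odd highest priority:
    with positive probability the play stays in that set and visits its top-priority state i.o."""
    g = induced_graph(states, delta, h)
    return any(max(priority[q] for q in X) % 2 == 1 for X in reachable_ergodic_sets(g, start))

def satisfies_alpha(states, start, delta, priority):
    """M satisfies alpha iff no environment strategy wins; by Theorem 4.2 it suffices to try the
    finitely many pure memoryless strategies h: Q -> Sigma_I."""
    qs = sorted(states)
    return not any(environment_wins(states, start, delta, priority, dict(zip(qs, choice)))
                   for choice in product(SIGMA_I, repeat=len(qs)))

# Two constructed composers over LIBRARY: C1 routes exit 0 of COIN through SAFE before returning,
# C2 loops COIN back into itself through both exits.
C1 = ({"M0": "COIN", "M1": "SAFE"}, "M0",
      {("M0", 0): "M1", ("M0", 1): "M0", ("M1", 0): "M0", ("M1", 1): "M0"})
C2 = ({"M0": "COIN"}, "M0", {("M0", 0): "M0", ("M0", 1): "M0"})

def composer_satisfies_alpha(composer):
    return satisfies_alpha(*compose(*composer))

if __name__ == "__main__":
    # C1: every reachable ergodic set contains SAFE's u (priority 2), so the top priority is even.
    # C2: playing a at s makes e1 (priority 1) the highest priority visited i.o. with probability 1.
    print(composer_satisfies_alpha(C1), composer_satisfies_alpha(C2))  # True False
```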
The following theorem allows us to restrict attention to memoryless strategies. It states that if a winning strategy exists, then a memoryless winning strategy must also exist. Here we give a direct combinatorial proof, but we note that the result can also be obtained by adapting the methods in [6], where a similar result was proved for 2½-player games.

Theorem 4.2.
Given a probabilistic transducer M and index function α, if there exists a winning strategy for the environment then there exists a pure and memoryless winning strategy.

Proof. We break up the proof of this theorem into two parts, Lemma 4.3 and Lemma 4.4. In the first part we show that given a winning strategy f we can find a memoryless winning strategy f′ from f. In the second part we show that given a memoryless winning strategy f′, we can obtain a pure and memoryless strategy f′′ from f′. Together the two lemmas suffice to complete the proof.

Lemma 4.3.
Let M be a transducer and f be a winning strategy for the environment. Then there exists a memoryless strategy g such that g is winning.

Proof. Let f be a strategy that is winning for the environment. Let Q be the set of states of M, and let G = (Q, Q × Q) be the complete directed graph on Q. Given q_1, q_2 ∈ Q, simple(q_1, q_2) is the set of finite simple paths in G from q_1 to q_2. Since G is finite, simple(q_1, q_2) is also finite. Given a finite path β ∈ Q*, edges(β) is the set of edges in β. Given a set of edges W ⊆ (Q × Q), IO(W) ⊆ Q^ω is the set of infinite paths in which each edge in W is visited i.o.

Let V_∞ ⊆ Q be the set of states which have positive probability of being visited i.o. under f, that is, for each state q in V_∞, the set of paths in Q^ω that visit q i.o. has positive measure under μ_f. Similarly, let E_∞ ⊆ V_∞ × V_∞ be the set of edges that have positive probability of being followed infinitely often, i.e., E_∞ = {e ∈ (Q × Q) : μ_f(IO({e})) > 0}. Let G_∞ be the directed graph (V_∞, E_∞). We first show that each maximal strongly connected component (MSCC) of G_∞ is also an ergodic set.

If e = (q_1, q_2) is an edge in E_∞, then in order for an infinite path to follow this edge i.o., it must also travel from q_2 to q_1 i.o. Every finite path from q_2 to q_1 can be partitioned into a simple path from q_2 to q_1 and a finite number of cycles. Thus for each w ∈ IO({e}), there exists β ∈ simple(q_2, q_1), such that w ∈ IO(edges(β)). Therefore IO({e}) ⊆ ⋃_{β∈simple(q_2,q_1)} IO(edges(β)). Since μ_f(IO({e})) > 0, there exists at least one β ∈ simple(q_2, q_1) such that μ_f(IO(edges(β))) > 0, and so edges(β) ⊆ E_∞. Thus each edge in G_∞ can in effect be traversed in the opposite direction by following some path in G_∞. So G_∞ does not have an MSCC with an outgoing edge, and thus is a collection of ergodic sets.

Next we show that there exists some ergodic set X in G_∞ such that the highest parity in X is odd. Given q ∈ Q, let A_q ⊆ Q^ω denote the event that q is the highest parity state visited i.o. Since f is winning, there must be some q ∈ Q such that q has odd parity and the event A_q has positive probability. Then q ∈ V_∞, and let X ⊆ V_∞ be the ergodic set in G_∞ that contains q. Let B_q ⊆ Q^ω be the set of paths that visit q i.o. and leave X at most finitely many times. Since, by the definition of G_∞, it is not possible for a path to leave X i.o. with positive probability, we get μ_f(A_q − B_q) = 0, and therefore μ_f(A_q) = μ_f(A_q ∩ B_q). Now the probability that a suffix of a path remains in X but does not visit some q′ ∈ X is zero. This is because X is strongly connected, and so avoiding q′ loses a positive amount of probability infinitely many times. In the limit, the probability of remaining in X and never visiting q′ goes to zero. If there is some p ∈ X such that the parity of p is greater than the parity of q, then all paths in A_q ∩ B_q must have suffixes that avoid p, and so μ_f(A_q ∩ B_q) = 0, which contradicts that A_q has positive probability. Therefore q has the highest parity in X.

Finally, since each state in X is visited i.o. with positive probability, the probability of visiting some state in X starting from the start state q_0 must be positive. Let π ∈ Q* be the shortest finite path starting from q_0 and ending in X, such that μ_f(π · Q^ω) > 0.

We now define a memoryless strategy g : Q → Dist(Σ_I) that is winning for the environment. We first consider the case when q ∈ V_∞.
Let succ(q) = {q′ : (q, q′) ∈ E_∞} be the successors of q in G_∞. Given a ∈ Σ_I, we define N_q(a) = {q′ ∈ Q : δ(q, a)(q′) > 0}, and D_q = {b ∈ Σ_I : N_q(b) ⊆ succ(q)}. Given p ∈ Q and β ∈ Q*, we say that p is activated by f at β · q if Σ_{a∈Σ_I} f(β · q)(a) δ(q, a)(p) > 0. If D_q is empty, then this implies that, for all β ∈ Q*, whenever some q′ ∈ succ(q) is activated by f at β · q, some q′′ ∉ V_∞ must also be activated by f at β · q. Then any time a path visits q, there is a positive probability of visiting a state in Q − V_∞ next. So a path that visits q and remains in V_∞ loses some finite amount of probability. In the limit, a path visiting q i.o. must have probability zero because any such path has a suffix in V_∞^ω. This contradicts q ∈ V_∞. Thus D_q is non-empty for all q ∈ V_∞. We define g : V_∞ → Dist(Σ_I) as follows: for q ∈ V_∞, g(q) is distributed uniformly over D_q and is 0 elsewhere. We extend g to all of Q as follows: for states in π, we choose the value of g such that edges in π have positive probability under μ_g, and for all other states we let g take an arbitrary value. Then g is a memoryless strategy since it is a function Q → Dist(Σ_I). Consider the graph G_g induced by g on Q. Every edge in E_∞ is also an edge in G_g, and no edges that leave V_∞ have been added. Also, all edges in π are also in G_g. So the set X ⊆ V_∞ is a reachable ergodic set of g. Since the highest parity in X is odd, g is a winning strategy.

Lemma 4.4.
Let M be a transducer and f be a winning memoryless strategy for the environment. Then there exists a memoryless and pure strategy g such that g is winning.

Proof. Let M = (Σ_I, Σ_O, Q, q_0, δ, F, L). Given two memoryless strategies f and g, we say that g refines f iff ∀q ∈ Q, ∀a ∈ Σ_I, g(q)(a) > 0 implies f(q)(a) > 0. The set of inputs chosen with positive probability at state q by memoryless strategy f is simply the support of the distribution f(q), denoted support(f(q)). Then g refines f iff ∀q ∈ Q, support(g(q)) ⊆ support(f(q)). Note that, if g refines f, then G_g is a subgraph of G_f, and each connected component of G_g is contained in a connected component of G_f.

Now assume that f is a winning memoryless strategy for the environment. Since f is winning, by Lemma 4.5, there must be at least one reachable ergodic set P ⊆ Q of G_f such that the highest parity in P is odd. Let q ∈ P be a state with the highest parity. Then if a memoryless strategy g refines f, such that q lies in a reachable ergodic set of G_g, then g is also winning. This is because every ergodic set of G_g that contains q must be contained within some connected component of G_f containing q, and P contains all such components. So the highest parity in such an ergodic set of G_g must also be odd. Thus it suffices to give a procedure of stepwise refinement of f, keeping q in a reachable ergodic set at each step, that terminates in a pure strategy. This is because, at each step of the procedure, the refined strategy is winning, and so it is also winning at the end. We detail a two stage procedure below.

Stage 1:
In the first stage we only modify $f$ for states within the ergodic set $P$, and each state is modified only once. At each step we maintain a set $S \subseteq P$ of previously selected states. The modified strategy at step $k$ is denoted $f_k$, and the set of already selected states at step $k$ is denoted $S_k$. The procedure is defined inductively as follows:
(1) $S_1 = \{q\}$, and $f_1$ agrees with $f$ on $Q - \{q\}$ and chooses some input $a \in support(f(q))$ deterministically at $q$.
(2) $S_{k+1} = S_k \cup \{p_k\}$, where $p_k \in P - S_k$ is chosen such that there is an edge $(p_k, p'_k)$ in $G_{f_k}$ for some state $p'_k \in S_k$. $f_{k+1}$ agrees with $f_k$ on $Q - \{p_k\}$, and $f_{k+1}(p_k)$ chooses an input $a_k \in support(f_k(p_k))$ deterministically such that $\delta(p_k, a_k)(p'_k) > 0$.
At each step the size of $P - S$ decreases by one. The procedure terminates when $P - S$ is empty, which happens after $|P|$ steps.

In order to ensure that the inductive procedure is sound, we need to show that a suitable choice of $p_k$ and $a_k$ exists at each step. We first prove that, for all $k < |P|$ and all $q' \in Q - S_k$, all edges leaving $q'$ in $G_f$ are also present in $G_{f_k}$. This is true at the first step. If it is true at step $k$, then it is also true at step $k+1$, since $Q - S_{k+1} \subseteq Q - S_k$ and $f_{k+1}$ and $f_k$ have the same value on states in $Q - S_{k+1}$, so no edges that leave states in $Q - S_{k+1}$ are removed at step $k+1$. So the statement holds by induction. Since $P$ is an ergodic set of $G_f$, for all $k < |P|$ there is some edge $e_k$ in $G_f$ that starts in $P - S_k$ and ends in $S_k$. By the claim just proven, $e_k$ is also an edge in $G_{f_k}$. Then the source vertex of $e_k$ can be chosen as $p_k$ in step $k+1$. Also, because $e_k = (p_k, p'_k)$ is an edge in $G_{f_k}$, there must be some $b \in \Sigma_I$ such that $f_k(p_k)(b) > 0$ and $\delta(p_k, b)(p'_k) > 0$. Then we can choose $b$ as $a_k$. Therefore the inductive construction is well defined.

Next we show that, for all $k \le |P|$, $f_k$ refines $f$, and $q$ is reachable in $G_{f_k}$ from every state in $S_k$. Let $f_k$ refine $f$. Since $f_{k+1}$ and $f_k$ agree on states in $Q - \{p_k\}$, and $support(f_{k+1}(p_k)) \subseteq support(f_k(p_k))$, we have that $f_{k+1}$ refines $f$. Let $q$ be reachable in $G_{f_k}$ from every state in $S_k$. Since $S_{k+1} = S_k \cup \{p_k\}$, it suffices to show that $q$ is reachable in $G_{f_{k+1}}$ from every vertex in $S_k$, and that there is an edge in $G_{f_{k+1}}$ from $p_k$ to some vertex in $S_k$. The first part is true because $f_{k+1}$ and $f_k$ take the same value on states in $S_k$ (indeed on all of $Q - \{p_k\}$), and the second part follows directly from the definition of $f_{k+1}(p_k)$.

Let $f' = f_{|P|}$. Then $f'$ refines $f$, all edges leaving $Q - P$ in $G_f$ are also edges in $G_{f'}$, and $q$ is reachable in $G_{f'}$ from all states in $P$.

Stage 2:
Since $P$ is a reachable ergodic set of $G_f$, there exists a minimal path $\pi$ in $G_f$ that starts from the start state $q_0$ and ends in some state of $P$. Since the path is minimal, none of its edges lie in $P$. Then $\pi$ is also a path in $G_{f'}$. Let $\pi = q_0, q_1, \ldots, q_n$, where $q_n \in P$. Then, for each $k < n$, there exists $b_k \in \Sigma_I$ such that $f'(q_k)(b_k) > 0$ and $\delta(q_k, b_k)(q_{k+1}) > 0$. We define a pure memoryless strategy $g$ as follows: for states in $P$, $g$ agrees with $f'$; for a state $q_k$ of $\pi$ with $k < n$, $g$ chooses the input $b_k$ deterministically; and for a state $q'$ that is neither in $P$ nor in $\pi$, $g$ chooses some input $b \in support(f'(q'))$ deterministically.

Then $g$ refines $f'$ by construction, and thus $g$ refines $f$. In order to prove that $g$ is also a winning strategy, it suffices to show that $q$ belongs to a reachable ergodic set of $G_g$. By construction, $\pi$ is also a path in $G_g$, so some state in $P$ is reachable from the start state in $G_g$. Also, $q$ is reachable in $G_g$ from all states in $P$. Therefore $q$ is reachable from the start state in $G_g$. Since $P$ is an ergodic set of $G_f$, and $G_g$ is a subgraph of $G_f$, there is no path in $G_g$ from $q$ to a state in $Q - P$. Therefore, if $p \in Q$ is reachable from $q$ in $G_g$, then $q$ is also reachable from $p$ in $G_g$. Thus $q$ lies in a reachable ergodic set of $G_g$.
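The two-stage procedure above, carried out on a constructed transducer, as an added example; this Python is not code from the paper. A memoryless strategy is represented by its supports, since only the support of $f(q)$ determines the edges of $G_f$. The Lemma 4.5 criterion (a reachable ergodic set of $G_f$ with odd highest priority) is used to pick $P$ and $q$; Stage 1 then fixes the states of $P$ one at a time so that $q$ stays reachable from all of them, and Stage 2 fixes a shortest path from the start state into $P$. The transducer, its priorities and the strategy are constructed for the illustration; the names `purify`, `odd_witness` and `edges` are this example's own.

```python
# Added example (not from the paper): the two-stage purification of Lemma 4.4 on a
# constructed probabilistic transducer.  A memoryless strategy is given by its
# supports, {state: set of inputs}, because only support(f(q)) shapes G_f.

# Constructed transducer over inputs {"x", "y"}: DELTA[q][a] = {q': probability}.
DELTA = {
    "s":  {"x": {"p1": 1.0},            "y": {"s": 1.0}},
    "p1": {"x": {"p2": 0.5, "p3": 0.5}, "y": {"p1": 1.0}},
    "p2": {"x": {"p2": 1.0},            "y": {"p1": 0.5, "p3": 0.5}},
    "p3": {"x": {"p2": 1.0},            "y": {"d": 1.0}},
    "d":  {"x": {"d": 1.0},             "y": {"d": 1.0}},
}
PRIORITY = {"s": 0, "p1": 1, "p2": 2, "p3": 3, "d": 4}
START = "s"
# A randomising strategy that wins for the environment: {p1, p2, p3} is a reachable
# ergodic set of G_f and its highest priority, 3, is odd.
STRAT = {"s": {"x", "y"}, "p1": {"x", "y"}, "p2": {"x", "y"}, "p3": {"x"}, "d": {"x", "y"}}


def edges(delta, strat):
    """Successor map of the graph G_f induced by the memoryless strategy strat."""
    return {q: {t for a in strat[q] for t, pr in delta[q][a].items() if pr > 0}
            for q in delta}


def reach(succ, s):
    """Vertices reachable from s (s included)."""
    seen, todo = set(), [s]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(succ[v])
    return seen


def odd_witness(delta, prio, start, strat):
    """Lemma 4.5 check: (P, q) with P a reachable ergodic set of G_f whose highest
    priority is odd and q a state of P carrying it; None if f is not winning."""
    succ = edges(delta, strat)
    for q in sorted(reach(succ, start)):
        P = reach(succ, q)                        # closed under successors by construction
        if (prio[q] % 2 == 1 and prio[q] == max(prio[u] for u in P)
                and all(q in reach(succ, u) for u in P)):   # and strongly connected
            return P, q
    return None


def purify(delta, prio, start, strat):
    """Lemma 4.4: refine the winning memoryless strategy strat into a pure one,
    returned as {state: input}.  Ties are broken in sorted order."""
    P, q = odd_witness(delta, prio, start, strat)
    g, fixed = {q: min(strat[q])}, {q}
    # Stage 1: fix one state of P per step, picking an input in support(f(p)) that
    # reaches an already fixed state with positive probability, so q stays reachable
    # from every fixed state.  Unfixed states keep all their G_f edges and P is
    # ergodic in G_f, so such a p always exists.
    while fixed != P:
        for p in sorted(P - fixed):
            opts = [a for a in sorted(strat[p])
                    if any(delta[p][a].get(t, 0) > 0 for t in fixed)]
            if opts:
                g[p] = opts[0]
                fixed.add(p)
                break
    # Stage 2: a shortest path from the start state into P in G_f (only its last
    # vertex lies in P); fix the input that realises each of its edges.
    succ, parent, frontier = edges(delta, strat), {start: None}, [start]
    while frontier:
        v = frontier.pop(0)
        if v in P:
            break
        for w in sorted(succ[v]):
            if w not in parent:
                parent[w] = v
                frontier.append(w)
    while parent[v] is not None:
        u = parent[v]
        g[u] = next(a for a in sorted(strat[u]) if delta[u][a].get(v, 0) > 0)
        v = u
    # Every other state: any input in the support of f.
    for s in delta:
        g.setdefault(s, min(strat[s]))
    return g


def as_supports(pure):
    """View a pure strategy as a memoryless one with singleton supports."""
    return {s: {a} for s, a in pure.items()}


if __name__ == "__main__":
    g = purify(DELTA, PRIORITY, START, STRAT)
    print("pure strategy:", g)
    print("still winning:", odd_witness(DELTA, PRIORITY, START, as_supports(g)) is not None)
```

The order of refinement matters: fixing $p_2$ to input `x` (the naive "first input everywhere" choice) turns $\{p_2\}$ into a reachable ergodic set of even priority and the pure strategy loses, whereas the procedure keeps $p_2$ pointing back into $P$ by choosing `y`.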
Memoryless strategies are important because they induce an ergodic structure on the setof states. Ergodic sets are useful because they enable us to replace probabilistic reasoningwith combinatorial reasoning. In particular, they have the following crucial properties: (a)the suffix of a path is contained in some ergodic set with probability 1, and (b) the suffixof a path is contained in a proper subset of an ergodic set with probability zero [12]. Thisallows us to define the winning strategy condition in terms of graph reachability.
Lemma 4.5.
Let $M$ be a probabilistic transducer and $f$ be a memoryless strategy for $M$. Then $f$ is winning for the environment iff $G_{M,f}$ has a reachable ergodic set whose highest priority is odd.

Proof. Let $Q$ be the set of states of $M$, $E \subseteq 2^Q$ be the set of ergodic sets of $G_{M,f}$, and $X = \bigcup_{Y \in E} Y$ be the set of all ergodic states. We use the following useful properties of ergodic sets [12]: (a) the suffix of a path is contained in some ergodic set with probability 1, and (b) the suffix of a path is contained in a proper subset of an ergodic set with probability zero. Formally, for all $\beta \in Q^*$, $\mu_f(\beta \cdot (Q - X)^\omega) = 0$, and for all $Y \in E$ and $q \in Y$, $\mu_f(\beta \cdot (Y - \{q\})^\omega) = 0$.

Let $odd(Q^\omega)$ be the set of paths in $Q^\omega$ whose highest parity visited i.o. is odd. If the highest parity in each ergodic set is even, then every path in $odd(Q^\omega)$ must have a suffix that is either contained in $(Q - X)^\omega$ or contained in $Z^\omega$, where $Z$ is a proper subset of some ergodic set. Thus $odd(Q^\omega)$ is contained in the union of $\bigcup_{\beta \in Q^*} \beta \cdot (Q - X)^\omega$ and $\bigcup_{\beta \in Q^*, Y \in E, q \in Y} \beta \cdot (Y - \{q\})^\omega$. Both of these sets of paths have probability zero under $\mu_f$, each being a countable union of null sets. Thus $\mu_f(odd(Q^\omega)) = 0$, and $f$ is not winning for the environment.

Next, assume that there is a reachable ergodic set $Y'$ such that the highest parity in $Y'$ is odd. Let $q' \in Y'$ be a state with this parity. Since $Y'$ is reachable from the start state, there exists a path $\pi \in Q^*$ that starts from $q_0$ and ends in $Y'$ such that $\mu_f(\pi \cdot Q^\omega) > 0$. Since $Y'$ is an ergodic set, the probability of a path leaving $Y'$ after reaching it is $0$ [12]. So we also have $\mu_f(\pi \cdot Y'^\omega) > 0$. Consider the set of paths $S = \pi \cdot Y'^\omega - \pi \cdot (Y' - \{q'\})^\omega$. Each path in $S$ visits $q'$ i.o., and therefore $S \subseteq odd(Q^\omega)$. Now $\mu_f(\pi \cdot (Y' - \{q'\})^\omega) = 0$, and therefore $\mu_f(odd(Q^\omega)) \ge \mu_f(S) = \mu_f(\pi \cdot Y'^\omega) > 0$. Thus $f$ is winning for the environment.

When the underlying probabilistic transducer is a composition, ergodic sets acquire additional structure. Given a composer $C$ and a memoryless strategy $f$ for $T_C$, if a reachable ergodic set $X$ of $G_{T_C,f}$ contains some state from a component $M$ of $T_C$, then either $X$ is contained in $M$ or all the reachable states of $M$ are contained in $X$. Formally:

Lemma 4.6.
Let $C = (D, \mathcal{L}, \mathcal{M}, M_0, \Delta, \lambda)$ be a composer over $\mathcal{L}$ and $f$ be a memoryless strategy for $T_C$. Let $M_i \in \mathcal{M}$ and let $Q_i$ be the state space of $M_i$. Let $X$ be a reachable ergodic set of $G_{T_C,f}$ such that $X \cap (Q_i \times \{i\}) \ne \emptyset$. Then either $X \subseteq Q_i \times \{i\}$ or $(Q_i \times \{i\}) \cap Y \subseteq X$, where $Y$ is the set of states of $T_C$ that are reachable under $f$.

Proof. Assume that $X \cap (Q_i \times \{i\}) \ne \emptyset$ and $X$ is not contained in $Q_i \times \{i\}$. Let $(q, i) \in X \cap (Q_i \times \{i\})$ and $(q', j) \in X - (Q_i \times \{i\})$, for some $j \ne i$. Since $X$ is ergodic, there is a path $\pi$ in $G_{T_C,f}$ from $(q', j)$ to $(q, i)$. Let $s$ be the first state along $\pi$ such that $s = (q'', i) \in Q_i \times \{i\}$. We claim that $q'' = q_i$, where $q_i$ is the start state of $M_i$. Let $s' = (q''', k)$, where $k \ne i$, be the predecessor of $s$ in $\pi$. By the definition of $G_{T_C,f}$, there is an edge from $s'$ to $s$ only if $T_C$ can transition from $s'$ to $s$ on some input with positive probability. By Definition 3.1, $T_C$ can transition from $(q''', k)$ to $(q'', i)$ only if $q'''$ is a final state of $M_k$ and $q''$ is the initial state of $M_i$. Thus $(q_i, i)$ is in $X$. Since $X$ is an ergodic set, if it contains a state $s$ of $T_C$, then it also contains all states reachable under $f$ from $s$. By definition, every state in $(Q_i \times \{i\}) \cap Y$ is reachable under $f$ from $(q_i, i)$. Since $X$ contains $(q_i, i)$, it also contains all states in $(Q_i \times \{i\}) \cap Y$.

Given a graph $G$, each of whose vertices is assigned a priority, we say that $G$ has the odd ergodic property if it has a reachable ergodic set whose highest priority is odd. Consider a composer $C$ and a memoryless strategy $f$ for $T_C$. Then, by Lemma 4.5, $f$ is winning for the environment iff $G_{T_C,f}$ has the odd ergodic property. So the probabilistic notion of winning strategy is reduced to a combinatorial one. However, the graph $G_{T_C,f}$ is very large, as it contains all the internal states of each component explicitly.
Further, to show that $C$ satisfies $\alpha$, we have to consider every possible memoryless strategy for $T_C$. We tackle this complexity by simplifying the description of a strategy $f$ and of the graph $G_{T_C,f}$, so as to abstract away the inner states of the components and the choices that $f$ makes on those inner states. Let $\mathcal{M}$ be the state space of $C$. We aim to replace $G_{T_C,f}$ by a simpler graph $G'$, whose set of vertices is $\mathcal{M}$, such that the odd ergodic property is preserved. We first discuss this transformation informally, and then give formal definitions and proofs.

Let $M$ be a component of $T_C$. If some reachable ergodic set of $G_{T_C,f}$ lies entirely within $M$, we say that $M$ is a sink. When the highest priority in that ergodic set is odd (resp. even), we say that $M$ is an odd (resp. even) sink for $f$. Note that a component can be both an odd and an even sink for a given strategy. Intuitively, we aim to replace the subgraph of $G_{T_C,f}$ that corresponds to the states of $M$ by a single new vertex $x_M$, obtaining a new graph $G'$, and to assign a suitable priority to $x_M$ such that the odd ergodic property is preserved by the transformation. If $M$ is not a sink, then, by Lemma 4.6, $x_M$ lies in a reachable ergodic set of $G'$ iff all reachable states of $M$ lie in a reachable ergodic set of $G_{T_C,f}$. In this case we can simply assign the highest reachable priority in $M$ to $x_M$, and the odd ergodic property is preserved. If, however, $M$ is a sink, then collapsing $M$ to a single vertex might introduce new ergodic sets in the graph. That is, $x_M$ might lie in an ergodic set of $G'$ which has no analogue in $G_{T_C,f}$. We then have to choose the priority of $x_M$ such that the odd ergodic property is still preserved. There are two cases to consider:
• $M$ is an odd sink for $f$. Then, by Lemma 4.5, $f$ is winning for the environment. Let $f_M$ denote $f$ restricted to the states in $M$. Then $f_M$ is a memoryless strategy for $M$ that is winning for the environment, and in every composition involving $M$, the environment can simply play $f_M$ on the states in $M$ to win. So a component that is an odd sink is not useful for synthesizing compositions. We note that it is easy to check for and remove any odd sinks from $\mathcal{L}$ in a preprocessing step before attempting synthesis. Checking whether a particular component is a sink is equivalent to model checking Markov decision processes and can be done in polynomial time [22]. In the rest of the paper, we assume that the given library $\mathcal{L}$ does not contain components that are odd sinks.
• $M$ is an even sink for $f$ but not an odd sink for $f$. Then, by Lemma 4.6, every reachable state in $M$ either lies in an even sink or does not lie in an ergodic set. So no reachable state in $M$ is part of an ergodic set with odd highest priority. Thus collapsing $M$ to $x_M$ does not remove any ergodic sets with odd highest priority. It only remains to consider the possibility that the transformation introduces a new ergodic set whose highest priority is odd. We avoid this by assigning the priority $2\max(\alpha)$ to $x_M$, where $\max(\alpha)$ is the highest parity assigned by the index function $\alpha$. Then, if $x_M$ is part of a reachable ergodic set $X'$ in $G'$, $X'$ has highest priority $2\max(\alpha)$, which is even. Thus the odd ergodic property is preserved.
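The collapse described above, as an added example (Python written for this page, not code from the paper): a constructed two-component library and composer, a memoryless strategy on $T_C$ given by its supports, the odd ergodic property of Lemma 4.5 evaluated on $G_{T_C,f}$, and the per-component labels (selected exit directions, plus either the highest priority visited or $2\max(\alpha)$ for an even sink) that Definition 4.7 below calls a choice function, together with the odd-rank test on the collapsed graph. The three strategies show the two verdicts agreeing, as Theorem 4.8 states. Assumed for the illustration, and not taken from the paper: an exit state hands control to the start state of the next component deterministically, on any input, and the library contains no odd sinks (the text's standing assumption).

```python
# Added example, not code from the paper: Lemma 4.5's odd-ergodic check on the
# composition graph G_{T_C,f}, and the collapse of each component into one labelled
# vertex (the choice function of Definition 4.7), on a constructed library.
# A strategy is given by its supports, since only supports shape G_f.  Constructed
# inputs {"x", "y"}; an exit state carries its direction in D = {0, 1}, has no
# internal transitions, and in a composition hands control to the next component's
# start state (assumed deterministic, on any input).
COMP_A = dict(start="a0", priority={"a0": 1, "a1": 2, "ea0": 0, "ea1": 0},
              delta={"a0": {"x": {"a1": 1.0}, "y": {"ea0": 0.5, "ea1": 0.5}},
                     "a1": {"x": {"a0": 0.5, "a1": 0.5}, "y": {"ea1": 1.0}}},
              exits={"ea0": 0, "ea1": 1})
COMP_B = dict(start="b0", priority={"b0": 3, "b1": 4, "eb": 0},
              delta={"b0": {"x": {"eb": 1.0}, "y": {"b1": 1.0}},
                     "b1": {"x": {"b0": 1.0}, "y": {"b1": 1.0}}},
              exits={"eb": 0})
LIBRARY = {"A": COMP_A, "B": COMP_B}
MAX_ALPHA = max(p for c in LIBRARY.values() for p in c["priority"].values())
# Composer C: lambda(M1) = A, lambda(M2) = B, start M1; Delta on (state, exit direction).
COMPOSER = dict(start="M1", lam={"M1": "A", "M2": "B"},
                Delta={("M1", 0): "M2", ("M1", 1): "M1", ("M2", 0): "M1"})


def reach(succ, s):
    seen, todo = set(), [s]                       # vertices reachable from s, s included
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(succ.get(v, ()))
    return seen


def reachable_ergodic_sets(succ, start):
    """Ergodic sets reachable from start: closed under successors and strongly connected."""
    found = []
    for v in reach(succ, start):
        closed = reach(succ, v)
        if all(v in reach(succ, u) for u in closed) and closed not in found:
            found.append(closed)
    return found


def odd_ergodic_property(succ, prio, start):
    """Lemma 4.5: the environment wins iff a reachable ergodic set has odd top priority."""
    return any(max(prio[v] for v in es) % 2 == 1
               for es in reachable_ergodic_sets(succ, start))


def component_graph(comp, strat):
    """Internal successor map of one component under the supports strat[q]."""
    succ = {q: set() for q in comp["priority"]}
    for q, by_input in comp["delta"].items():
        for a in strat[q]:
            succ[q] |= {t for t, pr in by_input[a].items() if pr > 0}
    return succ


def composition_graph(composer, library, strat):
    """G_{T_C,f} over states (q, M_i) and its priorities; strat[M_i][q] = support of f."""
    succ, prio = {}, {}
    for m, name in composer["lam"].items():
        comp, local = library[name], component_graph(library[name], strat[m])
        for q, pr in comp["priority"].items():
            prio[(q, m)] = pr
            if q in comp["exits"]:                    # leave through Delta
                m2 = composer["Delta"][(m, comp["exits"][q])]
                succ[(q, m)] = {(library[composer["lam"][m2]]["start"], m2)}
            else:
                succ[(q, m)] = {(t, m) for t in local[q]}
    return succ, prio


def choice_function(composer, library, strat):
    """Collapse each component: g(M_i) = (exit directions selected by f, label), the
    label being 2*max(alpha) for an even sink and otherwise the top priority visited."""
    g = {}
    for m, name in composer["lam"].items():
        comp = library[name]
        succ = component_graph(comp, strat[m])
        visited = reach(succ, comp["start"])
        # Ergodic sets inside the component; a lone exit state is not one, it leaves M.
        sinks = [es for es in reachable_ergodic_sets(succ, comp["start"])
                 if not es & set(comp["exits"])]
        if any(max(comp["priority"][q] for q in es) % 2 == 1 for es in sinks):
            raise ValueError(f"{name} is an odd sink; the text assumes these are removed")
        exits = frozenset(comp["exits"][q] for q in visited if q in comp["exits"])
        g[m] = (exits, 2 * MAX_ALPHA if sinks else max(comp["priority"][q] for q in visited))
    return g


def has_odd_rank(composer, g):
    """Odd ergodic property of G_{C,g}, i.e. g has an odd rank."""
    succ = {m: {composer["Delta"][(m, x)] for x in g[m][0]} for m in g}
    return odd_ergodic_property(succ, {m: g[m][1] for m in g}, composer["start"])


def verdicts(strat):
    """(environment wins on T_C by Lemma 4.5, collapsed choice function has odd rank)."""
    succ, prio = composition_graph(COMPOSER, LIBRARY, strat)
    start = (LIBRARY[COMPOSER["lam"][COMPOSER["start"]]]["start"], COMPOSER["start"])
    return (odd_ergodic_property(succ, prio, start),
            has_odd_rank(COMPOSER, choice_function(COMPOSER, LIBRARY, strat)))


# Constructed strategies: win through the cycle M1 -> M2 -> M1 (top priority 3);
# trap A in its even cycle {a0, a1}; trap B in the self-loop at b1 (priority 4).
STRAT_WIN = {"M1": {"a0": {"y"}, "a1": {"x"}}, "M2": {"b0": {"x"}, "b1": {"y"}}}
STRAT_SINK_A = {"M1": {"a0": {"x"}, "a1": {"x"}}, "M2": {"b0": {"x"}, "b1": {"y"}}}
STRAT_SINK_B = {"M1": {"a0": {"y"}, "a1": {"x"}}, "M2": {"b0": {"y"}, "b1": {"y"}}}
```

`verdicts(STRAT_SINK_A)` shows the even-sink case: component A never reaches an exit, its collapsed vertex gets priority $2\max(\alpha) = 8$ and becomes a terminal vertex of $G_{C,g}$, so the spurious ergodic set $\{M_1\}$ introduced by the collapse is even and the verdict is unchanged.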
In formalizing the approach given above, instead of explicitly transforming $G_{T_C,f}$ into a more abstract graph, it is simpler to directly define a suitable graph on the state space $\mathcal{M}$ of the composer $C$ such that the odd ergodic property is preserved. Just as a memoryless strategy $f$ applied to the composition $T_C$ gives rise to the graph $G_{T_C,f}$, we define a combinatorial object, called a choice function, such that a choice function $g$ together with the composer $C$ gives rise to a graph $G_{C,g}$.

Definition 4.7 (Choice Function). Given a library $\mathcal{L}$ with width $D$ and index function $\alpha$, we define the set $LABELS(\mathcal{L}) \subseteq 2^D \times \{0, \ldots, 2\max(\alpha)\} \times \mathcal{L}$ as follows: $(X, j, M) \in LABELS(\mathcal{L})$ iff there exists a memoryless strategy $f$ for $M$ such that
• $X \subseteq D$ is the set of exits of $M$ selected by $f$;
• if $M$ is an even sink for $f$, then $j = 2\max(\alpha)$;
• otherwise, $j$ is the highest priority visited by $f$ in $M$.
Given a composer $C = (D, \mathcal{L}, \mathcal{M}, M_0, \Delta, \lambda)$ over $\mathcal{L}$, a choice function for $C$ is a function $g : \mathcal{M} \to 2^D \times \{0, \ldots, 2\max(\alpha)\}$ such that, for all $M_i \in \mathcal{M}$, $(g(M_i), M_i) \in LABELS(\mathcal{L})$. The graph induced by $g$ on $C$, denoted $G_{C,g}$, is the directed graph $(\mathcal{M}, E)$, where $(M_1, M_2) \in E$ iff $\Delta(M_1, i) = M_2$ for some $i \in X$, where $g(M_1) = (X, j)$. The priority of a vertex $M \in \mathcal{M}$ of $G_{C,g}$ is $j$, where $g(M) = (X, j)$. We say that $g$ has rank $r$ if $G_{C,g}$ has a reachable ergodic set whose highest priority is $r$.

The size of the set $LABELS(\mathcal{L})$ is at most $(2\max(\alpha) + 1) \cdot |\mathcal{L}| \cdot 2^{|D|}$. For an arbitrary triple $(X, j, M)$, we can check whether $(X, j, M) \in LABELS(\mathcal{L})$ in time polynomial in $|M|$ using standard techniques for solving Markov decision processes [22]. Thus $LABELS(\mathcal{L})$ can be computed in time exponential in the size of $\mathcal{L}$.

Theorem 4.8.
Let $C$ be a composer over $\mathcal{L}$. Then there exists a strategy for $T_C$ that is winning for the environment iff there exists a choice function for $C$ that has an odd rank.

Proof. Let $C = (D, \mathcal{L}, \mathcal{M}, M_0, \Delta, \lambda)$. Let $Q_i$ be the state space of $M_i = \lambda(M_i)$, for $M_i \in \mathcal{M}$, and let $Q = \bigcup_i (Q_i \times \{i\})$ be the state space of $T_C$.

Only If: Assume there exists a strategy for $T_C$ that is winning for the environment. Then, by Theorem 4.2, there exists a memoryless winning strategy $f$. We construct a choice function $g$ for $C$ as follows: for all $M_i \in \mathcal{M}$, $g(M_i) = (X, p)$, where $X$ is the set of exits of $M_i$ selected by $f$, and $p = 2\max(\alpha)$ if $M_i$ is an even sink for $f$ and otherwise $p$ is the highest priority in $M_i$ visited by $f$. Since $f$ is winning, $G_{T_C,f}$ has a reachable ergodic set $H$ with odd highest priority $r$. Consider the set $\mathcal{H} \subseteq \mathcal{M}$ defined as follows: for all $M_i \in \mathcal{M}$, $M_i \in \mathcal{H}$ iff $(Q_i \times \{i\}) \cap H \ne \emptyset$. Thus $\mathcal{H}$ contains a state of the composer $C$ iff the corresponding component of $T_C$ overlaps with the ergodic set $H$. Since $\mathcal{L}$ contains no components that are odd sinks, and even sinks cannot be part of an ergodic set whose highest priority is odd, by Lemma 4.6 $H$ must contain all the reachable states in each component named in $\mathcal{H}$.

We claim that $\mathcal{H}$ is an ergodic set of $G_{C,g}$. We first show that $\mathcal{H}$ is strongly connected. Let $M_i$ and $M_k$ be in $\mathcal{H}$. Since all the reachable states of $M_i$ and $M_k$ are contained in $H$, in particular their start states, $q_i$ and $q_k$ respectively, are contained in $H$. Then there is a path in $G_{T_C,f}$ from $(q_i, i)$ to $(q_k, k)$, because $H$ is an ergodic set of $G_{T_C,f}$. Consider a path $\pi$ from $(q_i, i)$ to $(q_k, k)$ that contains the least number of exit states. Let the length of $\pi$ be $n$ and let $(q'_i, i)$ be the first exit state along $\pi$. Suppose $\Delta(M_i, x) = M_j$, where $q'_i$ is the exit state of $M_i$ in direction $x$, and let $q_j$ be the start state of $M_j$. Then, if $g(M_i) = (X, p)$, we have $x \in X$, so there is an edge from $M_i$ to $M_j$ in $G_{C,g}$, and the state immediately following $(q'_i, i)$ in $\pi$ is $(q_j, j)$. The suffix of $\pi$ starting from $(q_j, j)$ is a path $\pi'$ from $(q_j, j)$ to $(q_k, k)$ of length less than $n$, and by construction it has the least number of exit states among all such paths. By the induction hypothesis (on the number of exit states), there is a path from $M_j$ to $M_k$ in $G_{C,g}$. Since $(M_i, M_j)$ is an edge in $G_{C,g}$, there is a path from $M_i$ to $M_k$ in $G_{C,g}$. As $M_i$ and $M_k$ were chosen arbitrarily in $\mathcal{H}$, $\mathcal{H}$ is strongly connected.

Next, we show that no edges leave $\mathcal{H}$. Assume there is some edge in $G_{C,g}$ from a vertex $M_i \in \mathcal{H}$ to a vertex $M_j \in \mathcal{M} - \mathcal{H}$. Let $g(M_i) = (X, p')$. Then there exists $x \in X$ such that $\Delta(M_i, x) = M_j$. Let $(q', i)$ be the exit state of $M_i$ in direction $x$. Then $(q', i)$ is reachable under $f$, and so is $(q_j, j)$, where $q_j$ is the start state of $M_j$. Therefore there is an edge in $G_{T_C,f}$ from $(q', i) \in H$ to $(q_j, j) \notin H$, which contradicts that $H$ is an ergodic set. Thus no edges leave $\mathcal{H}$ in $G_{C,g}$, and $\mathcal{H}$ is ergodic.

Finally, we show that the highest priority in $\mathcal{H}$ is $r$. By construction of $g$, since $\mathcal{H}$ does not contain any even sinks, the priority of a vertex $M_i$ in $\mathcal{H}$ is the highest priority visited in $M_i$ by $f$. Thus the highest priority in $\mathcal{H}$ is at most the highest priority in $H$, which is $r$. Let $(q, j) \in H$ be such that $q$ has priority $r$. Then the highest priority visited by $f$ in $M_j$ is $r$, so $g(M_j) = (X, r)$ for some $X \subseteq D$. Since $M_j \in \mathcal{H}$, the highest priority in $\mathcal{H}$ is $r$, and $g$ has rank $r$.

If: Now assume that $g$ is a choice function for $C$ with rank $p$, for some odd $p \le \max(\alpha)$. Then, by the definition of choice function, for all $M_i \in \mathcal{M}$ there exists a memoryless strategy $f_i$ for $M_i$ such that $g(M_i) = (X_i, p_i)$, where $X_i$ is the set of exit directions of $M_i$ under $f_i$, and $p_i = 2\max(\alpha)$ if $M_i$ is an even sink for $f_i$ and otherwise $p_i$ is the highest priority visited by $f_i$. We define a memoryless strategy $f$ for $T_C$ as follows: for all $q \in Q_i$, $f(q, i) = f_i(q)$. Since $g$ has rank $p$, there exists a reachable ergodic set $\mathcal{H} \subseteq \mathcal{M}$ of $G_{C,g}$ with highest priority $p$. Consider the set $H = \{(q, i) : q \in Q_i, M_i \in \mathcal{H}\}$, which consists of all states of all components corresponding to the set $\mathcal{H}$. Let $H_f$ be the subset of $H$ that is reachable under $f$ from the start state of $T_C$.

We first show that $H_f$ is strongly connected. Let $(q_i, i)$ and $(q_k, k)$ be two arbitrary states in $H_f$. Then $q_i$ is a state of $M_i$, $q_k$ is a state of $M_k$, and $M_i$ and $M_k$ are both in $\mathcal{H}$. We have the following two cases:
(1) $q_i$ is the start state of $M_i$. Consider a shortest path in $G_{C,g}$ from $M_i$ to $M_k$. Such a path exists because $\mathcal{H}$ is an ergodic set of $G_{C,g}$. Let the length of the path be $n$ and let $M_j$ be the successor of $M_i$ on this path, so that there is a path of length $n - 1$ in $G_{C,g}$ from $M_j$ to $M_k$. By the definition of $G_{C,g}$, there exists $x \in D$ such that $\Delta(M_i, x) = M_j$ and the exit state in direction $x$ is reachable from the start state of $M_i$ under $f_i$. Thus there is a path in $G_{T_C,f}$ from $(q_i, i)$ to $(q_j, j)$, where $q_j$ is the start state of $M_j$. By induction on $n$, there is a path in $G_{T_C,f}$ from $(q_i, i)$ to $(q_k, k)$.
(2) $q_i$ is not the start state of $M_i$. Let $g(M_i) = (X, p')$, where $X \subseteq D$. Since $p$ is the highest priority in $\mathcal{H}$ and $M_i \in \mathcal{H}$, we have $p' \le p \le \max(\alpha)$. Thus $p' \ne 2\max(\alpha)$, and so $M_i$ is not an even sink for $f_i$. Also, the library $\mathcal{L}$ is assumed to have no components that are odd sinks. Thus some exit of $M_i$ must be reachable from $q_i$ under $f_i$. Let this exit be in direction $x \in D$, and let $\Delta(M_i, x) = M_j$. Then there is a path in $G_{T_C,f}$ from $(q_i, i)$ to $(q_j, j)$, where $q_j$ is the start state of $M_j$. Since $q_j$ is a start state, by the previous case there is a path from $(q_j, j)$ to $(q_k, k)$ in $G_{T_C,f}$. So there is a path from $(q_i, i)$ to $(q_k, k)$, and therefore $H_f$ is strongly connected.

Assume that some edge in $G_{T_C,f}$ leaves $H_f$, say an edge from $(q, i) \in H_f$ to $(q', j) \in Q - H_f$. Now $M_j$ cannot belong to $\mathcal{H}$, because otherwise $(q', j)$ would be in $H_f$. So $i \ne j$, and $(q, i)$ must be an exit state of $M_i$. Therefore there is an edge in $G_{C,g}$ from $M_i \in \mathcal{H}$ to $M_j \in \mathcal{M} - \mathcal{H}$, which contradicts that $\mathcal{H}$ is ergodic. Thus $H_f$ is also an ergodic set.

By Lemma 4.5, it suffices to show that the highest priority in $H_f$ is odd. Now $p$ is the highest priority in $\mathcal{H}$, and $p$ is odd, so $p \ne 2\max(\alpha)$. So there must exist $M_i \in \mathcal{H}$ such that some state $q$ in $M_i$ has priority $p$ and is reachable under $f_i$. Then $(q, i)$ is in $H_f$, and so $H_f$ has highest priority at least $p$. Assume some state $(q', j)$ in $H_f$ has priority $p' > p$. Since $q'$ is reachable under $f_j$, we have $g(M_j) = (X, p'')$ for some $X \subseteq D$ and $p'' \ge p' > p$. This contradicts the fact that $M_j \in \mathcal{H}$. Thus the highest priority in the ergodic set $H_f$ is $p$, which is odd.

Let $\Gamma = LABELS(\mathcal{L})$. A composer and choice function pair has a natural representation as a regular $\Gamma$-labeled $D$-tree. Given a composer $C = (D, \mathcal{L}, \mathcal{M}, M_0, \Delta, \lambda)$ over $\mathcal{L}$ and a choice function $g$ for $C$, we denote by $tree(C, g)$ the regular $\Gamma$-labeled full $D$-tree $\langle D^*, \tau \rangle$, where for all $x \in D^*$ we have $\tau(x) = (g(\Delta^*(x)), \lambda(\Delta^*(x)))$. Thus $tree(C, g)$ is the tree obtained by adding labels to $tree(C)$ such that a node $x$ corresponding to $M_i \in \mathcal{M}$, which is labeled with $M_i$ in $tree(C)$, is labeled with $(X, j, M_i)$, where $(X, j) = g(M_i)$. As we show in the next lemma, the mapping is reversible, in the sense that, given a regular $\Gamma$-labeled $D$-tree, we can obtain a composer and a choice function in a natural way.

Lemma 4.9.
Let $T$ be a regular $\Gamma$-labeled full $D$-tree. Then there exist a composer $C$ over $\mathcal{L}$ and a choice function $g$ for $C$ such that $tree(C, g) = T$.

Proof. Since $T$ is regular, there exists a deterministic transducer $A = (D, \Gamma, Q, q_0, \delta, \lambda)$ that generates $T$. We define $C = (D, \mathcal{L}, \mathcal{M}, M_{q_0}, \delta', \lambda')$ as follows: for all $q \in Q$,
• there is a state $M_q$ in $\mathcal{M}$;
• if $\lambda(q) = (X, j, M_i)$, then $\lambda'(M_q) = M_i$;
• for all $x \in D$, $\delta'(M_q, x) = M_{q'}$, where $q' = \delta(q, x)$.
We define $g : \mathcal{M} \to 2^D \times \{0, \ldots, 2\max(\alpha)\}$ as follows: for all $q \in Q$, $g(M_q) = (X, j)$, where $\lambda(q) = (X, j, M_i)$. Then, since $(X, j, M_i) \in \Gamma = LABELS(\mathcal{L})$, $g$ is a choice function.

Let $T = \langle D^*, \tau_1 \rangle$ and $tree(C, g) = \langle D^*, \tau_2 \rangle$. We need to show that $\tau_1 = \tau_2$. Consider a node $x \in D^*$. We have $\tau_1(x) = \lambda(\delta^*(x))$ and $\tau_2(x) = (g(\delta'^*(x)), \lambda'(\delta'^*(x)))$. Let $\delta^*(x) = q$ and $\lambda(q) = (X, j, M)$. Then, by construction of $C$ and $g$, $\delta'^*(x) = M_q$, $g(\delta'^*(x)) = g(M_q) = (X, j)$, and $\lambda'(\delta'^*(x)) = \lambda'(M_q) = M$. Therefore $\tau_2(x) = (X, j, M) = \tau_1(x)$.

In light of Lemma 4.9, we can represent an arbitrary regular $\Gamma$-labeled full $D$-tree as $tree(C, g)$ for some composer $C$ over $\mathcal{L}$ and some choice function $g$ for $C$. Similarly, we can represent an arbitrary regular $\mathcal{L}$-labeled full $D$-tree as $tree(C)$ for some composer $C$ over $\mathcal{L}$. Since the question of whether a given composition satisfies $\alpha$ boils down to whether its composer has a choice function with an odd rank, we find it useful to characterize the regular trees that correspond to choice functions having a particular rank (see [19] for related results). First, we inductively define the set of marked nodes of a $\Gamma$-labeled $D$-tree as follows: the root is always marked, and a node $y \cdot i$, where $i \in D$ and $y \in D^*$, is marked iff $y$ is marked and $i \in X$, where $(X, j, M)$ is the label on $y$.

Lemma 4.10.
Let $C = (D, \mathcal{L}, \mathcal{M}, M_0, \Delta, \lambda)$ be a composer over a library $\mathcal{L}$ with width $D$, $\alpha$ be an index function for $\mathcal{L}$, $g$ be a choice function for $C$, and $p \le \max(\alpha)$. Then $g$ has rank $p$ iff $tree(C, g)$ has a full subtree $T$ such that:
(1) the root of $T$ is marked;
(2) every node in $T$ that is marked has priority label at most $p$;
(3) from each marked node in $T$ there is a path in $T$ to a marked node with priority label $p$.

Proof. Only If: Assume $g$ has rank $p$. Then, by definition, there exists a reachable ergodic set of $G_{C,g}$ whose highest priority is $p$. Let $M_i \in \mathcal{M}$ be a vertex of $G_{C,g}$ that lies in this ergodic set, such that there is a path in $G_{C,g}$ from $M_0$ to $M_i$ and $M_i$ has priority $p$. Since $M_i$ is reachable from $M_0$ in $G_{C,g}$, there exists some $x \in D^*$ such that $\Delta^*(x) = M_i$ and $x$ is marked. Then the node $x$ of $tree(C, g)$ is labeled with $(X, p, M_i)$ for some $X \subseteq D$. Let $T_x$ be the full subtree of $tree(C, g)$ rooted at $x$. We show that $T_x$ has the desired property. Let $y$ be a marked node in $T_x$ and let $\Delta^*(y) = M_j$. Then $M_j$ must lie in the ergodic set of $G_{C,g}$ containing $M_i$, and $g(M_j) = (Y, p')$ for some $Y \subseteq D$ and $p' \le p$. So $y$ is labeled $(Y, p', M_j)$ and has a priority label less than or equal to $p$. It remains to show that some marked node in $T_x$ with priority label $p$ is reachable from $y$. Since $M_i$ is reachable from $M_j$ in $G_{C,g}$, there must exist $x' \in D^*$ such that $\Delta^*(y \cdot x') = M_i$ and $y \cdot x'$ is marked. Then $z = y \cdot x'$ is also labeled $(X, p, M_i)$. Since $T_x$ is a full subtree and $y \in T_x$, $z$ also lies in $T_x$, and there is a path from $y$ to $z$.

If:
Let $T$ be a full subtree of $tree(C, g)$ that satisfies the given property. Consider the set $\mathcal{H} \subseteq \mathcal{M}$ of vertices of $G_{C,g}$ defined as follows: $M_i \in \mathcal{H}$ iff there exists some marked node $x \in T$ such that $\Delta^*(x) = M_i$. Note that every vertex in $\mathcal{H}$ is reachable from $M_0$ in $G_{C,g}$ and has priority at most $p$. Consider the subgraph $G_{\mathcal{H}}$ of $G_{C,g}$ induced by $\mathcal{H}$. Let $\mathcal{H}'$ be an ergodic set of $G_{\mathcal{H}}$ and let $M$ be an arbitrary vertex in $\mathcal{H}'$. Then there exists a marked node $y \in T$ such that $\Delta^*(y) = M$. Let $z = a_1 a_2 \cdots a_n \in D^*$ be such that $y \cdot z$ is marked and has priority label $p$. Then every node along the path from $y$ to $y \cdot z$ is also marked. Let $M'_1 = \Delta^*(y)$ and $M'_{i+1} = \Delta^*(y \cdot a_1 \cdots a_i)$ for $1 \le i \le n$. Then the priority of $M'_{n+1}$ is $p$ and $M'_1, M'_2, \ldots, M'_{n+1}$ is a path in $G_{\mathcal{H}}$. Since $M'_1 = M \in \mathcal{H}'$ and $\mathcal{H}'$ is an ergodic set of $G_{\mathcal{H}}$, $M'_{n+1}$ must also lie in $\mathcal{H}'$. Thus the highest priority in $\mathcal{H}'$ is $p$.

Finally, it suffices to show that no edges leave $\mathcal{H}$ in $G_{C,g}$, as this implies that $\mathcal{H}'$ is also an ergodic set of $G_{C,g}$. Consider an edge in $G_{C,g}$ from a vertex $M \in \mathcal{H}$ to a vertex $M' \in \mathcal{M}$. Then there exist $X \subseteq D$ and $c \in X$ such that $\Delta(M, c) = M'$ and $g(M) = (X, j)$ for some priority $j$. Since $M$ lies in $\mathcal{H}$, there exists a marked node $x \in T$ such that $\Delta^*(x) = M$. Then $x \cdot c$ is also marked and $\Delta^*(x \cdot c) = M'$. By the construction of $\mathcal{H}$, $M'$ lies in $\mathcal{H}$. Thus there are no edges that leave $\mathcal{H}$.

The conditions given by Lemma 4.10 can be checked by a suitable tree automaton, as follows:

Lemma 4.11.
Let $\mathcal{L}$ be a library with width $D$ and let $p \le k$, where $k = \max(\alpha)$. Then there exists a nondeterministic Büchi tree automaton (NBT) $A_p$ such that $A_p$ accepts a $\Gamma$-labeled regular $D$-tree $T$ iff $T = tree(C, g)$ for some composer $C$ over $\mathcal{L}$ and choice function $g$ with rank $p$.

Proof. By Lemmas 4.9 and 4.10, it suffices to construct an NBT $A_p$ such that $A_p$ accepts a tree $T'$ iff $T'$ has a full subtree $T$ that satisfies the three conditions in Lemma 4.10. For simplicity, the automaton is defined over binary trees, where $D = \{0, 1\}$, but the definition can easily be extended to $n$-ary trees.

Let $A_p = (\Gamma, Q, q_0, \delta, \beta)$. We define $Q = \{search, cut, wait, reach, visit, err\}$, $q_0 = search$, and $\beta = \{visit, wait, cut\}$. The states of the automaton can be described as follows:
• $search$: the automaton is searching for the root of the special subtree.
• $cut$: this represents a branch not taken.
• $wait$ and $reach$: the automaton has entered the subtree and is looking for nodes labeled with $p$.
• $visit$: the automaton has just visited a node with label $p$ in the subtree.
• $err$: an error state, entered if there is a label higher than $p$ in the subtree.
The transition function $\delta$ is defined as follows. For all $\rho = (X, j, M_i) \in \Gamma$:
(1) For $q \in \{cut, err\}$, $\delta(q, \rho) = \{(q, q)\}$.
(2) For $q = search$: $\delta(q, \rho) = \{(search, cut), (wait, cut)\}$ if $X = \{0\}$; $\delta(q, \rho) = \{(cut, search), (cut, wait)\}$ if $X = \{1\}$; and $\delta(q, \rho) = \{(search, cut), (cut, search), (wait, wait)\}$ if $X = \{0, 1\}$.
(3) For $q \in \{wait, reach, visit\}$: if $j > p$, then $\delta(q, \rho) = \{(err, err)\}$. If $j = p$, then $\delta(q, \rho) = \{(visit, cut)\}$ if $X = \{0\}$; $\delta(q, \rho) = \{(cut, visit)\}$ if $X = \{1\}$; and $\delta(q, \rho) = \{(visit, visit)\}$ if $X = \{0, 1\}$. If $j < p$, then $\delta(q, \rho) = \{(reach, cut)\}$ if $X = \{0\}$; $\delta(q, \rho) = \{(cut, reach)\}$ if $X = \{1\}$; and $\delta(q, \rho) = \{(reach, wait), (wait, reach)\}$ if $X = \{0, 1\}$.

In the first stage, $A_p$ guesses the location of the root of the special subtree $T$. While searching for this root, $A_p$ remains in the state $search$. When it encounters the root, it enters the state $wait$ for the first time. This starts the second stage, where $A_p$ considers only marked nodes of $T$. In directions that correspond to a non-marked node, $A_p$ moves to the state $cut$ and remains there perpetually. From every marked node in $T$, $A_p$ guesses a path to another marked node with label $p$, using the states $wait$ and $reach$. It starts this search in state $wait$, moves to state $reach$ immediately, remains there until it encounters a marked node with label $p$, and then moves to state $visit$. If there is no path from some node to another node with label $p$, all runs corresponding to the choice of $T$ as the subtree will eventually get stuck in $reach$, which is not accepting. Thus some run corresponding to $T$ as the required subtree is accepting iff $T$ satisfies the required conditions.

Theorem 4.12.
Let $\mathcal{L}$ be a library with width $D$, $R$ be an exit control relation for $\mathcal{L}$, and $\alpha$ be an index function for $\mathcal{L}$. There exists a nondeterministic parity tree automaton (NPT) $B$ such that, for all composers $C$ over $\mathcal{L}$, $B$ accepts $tree(C)$ iff $C$ satisfies $\alpha$ and $C$ is compatible with $R$. Consequently, $B$ is non-empty iff $\mathcal{L}$ realizes $\alpha$ under $R$.

Proof. We define $B = B_R \cap B_\alpha$, where $B_R$ is a safety tree automaton that accepts $tree(C)$ iff $C$ is compatible with $R$, and $B_\alpha$ is an NPT that accepts $tree(C)$ iff $C$ satisfies $\alpha$. Since the intersection of a safety automaton and an NPT is again an NPT, $B$ is also an NPT.

Construction of $B_R$: For simplicity, we define the automaton for the case $D = \{0, 1\}$, and note that the definition can easily be extended to arbitrary $D$. $B_R = (\mathcal{L}, \{start\} \cup D, start, \delta_R)$, where $\delta_R$ is defined as follows. For all $M \in \mathcal{L}$:
• $\delta_R(start, M) = \{(0, 1)\}$;
• for $q \in D$, if $(q, M) \in R$ then $\delta_R(q, M) = \{(0, 1)\}$.
Note that $B_R$ has no transition out of the states $0$ and $1$ exactly where the exit control relation $R$ is violated. Thus $B_R$ accepts $tree(C)$ iff $C$ is compatible with $R$.

Construction of $B_\alpha$: Let $\Gamma = LABELS(\mathcal{L})$ and let $A_p = (\Gamma, Q, q_0, \delta, \beta)$ be the NBT defined in Lemma 4.11. We define $A'_p = (\mathcal{L}, Q, q_0, \delta', \beta)$, where $\delta'(q, M_i) = \bigvee_{(X, j, M_i) \in LABELS(\mathcal{L})} \delta(q, (X, j, M_i))$. While $A_p$ accepts $\Gamma$-labeled $D$-trees, $A'_p$ accepts $\mathcal{L}$-labeled $D$-trees. $A'_p$ simply simulates $A_p$, using its larger transition function to guess the missing portion of the labels. We can characterize the regular trees accepted by $A'_p$ as follows: for a composer $C$ over $\mathcal{L}$, $A'_p$ accepts $tree(C)$ iff there exists a choice function for $C$ which has rank $p$.

Consider the automaton $A'_\alpha$ whose language is the union of the languages of the automata $A'_p$, for all odd $p \le \max(\alpha)$. Let $C$ be a composer over $\mathcal{L}$. Then $A'_\alpha$ accepts $tree(C)$ iff there exists a choice function for $C$ that has an odd rank. Thus, by Theorem 4.8, $A'_\alpha$ accepts $tree(C)$ iff $C$ does not satisfy $\alpha$. Finally, consider the automaton $B_\alpha = \overline{A'_\alpha}$, the complement of $A'_\alpha$. Then $B_\alpha$ accepts $tree(C)$ iff $C$ satisfies $\alpha$.

Since an NPT is nonempty iff it accepts a regular tree, and $\mathcal{L}$ realizes $\alpha$ under $R$ iff some composer $C$ over $\mathcal{L}$ satisfies $\alpha$ and is compatible with $R$, $B$ is non-empty iff $\mathcal{L}$ realizes $\alpha$ under $R$.

The NBT $A'_p$ accepts $|D|$-ary trees and has $O(1)$ states, with an alphabet of size $|\mathcal{L}|$, so $A'_\alpha$ is an NBT with $O(k)$ states, where $k = \max(\alpha)$. It follows that $B_\alpha$ is a nondeterministic parity tree automaton (NPT) with $k^{O(k)}$ states and parity index $O(k)$ [15]. Also, $B_R$ is a safety automaton with $O(|D|)$ states. Thus their intersection $B$ is an NPT with $|D| \cdot k^{O(k)}$ states and parity index $O(k)$, whose nonemptiness can be tested in time $|\mathcal{L}| \cdot |D|^{O(k + |D|)} \cdot k^{O(k + k|D|)}$ [15]. We thus obtain the following:

Theorem 4.13.
The embedded parity realizability problem is in EXPTIME.
If an alternating tree automaton is nonempty, then it must accept some regular tree [15]. Given a regular tree accepted by B, we can obtain a finite transducer that generates that tree. This transducer is a composer that realizes α under R. Thus, we also obtain a solution to the embedded parity synthesis problem.

Theorem 4.14.
The embedded parity synthesis problem is in EXPTIME.
The complexity of our solution is exponential in both k, where k is the highest parity index, as well as |D|, which is the number of exit states in each component. The exponential dependence on k is expected, as typical algorithms for solving parity games are exponential in the parity index, cf. [10, 20]. Improving k to k is an open challenge. It is also an open question whether the exponential dependence on |D| can be avoided.

We remark that the embedded parity synthesis problem can be viewed as a 2-player partial information stochastic parity game. Informally, the game can be described as follows: The two players are the composer C and the environment E. The C player chooses components and the E player chooses paths through the components chosen by C. C cannot see the moves E makes inside a component. At the start C chooses a component M from the library L. The turn passes to E, who chooses a sequence of inputs, inducing a path in M from its start state to some exit x in D. The turn then passes to C, which must choose some component M′ in L and pass the turn to E, and so on. As C cannot see the moves made by E inside M, C cannot base its choice on the run of E in M, but only on the exit induced by the inputs selected by E and previous moves made by C. So C must choose the same next component M′ for different runs that reach exit x of M. In general, different runs will visit different priorities inside M. This is a two-player stochastic parity game where one of the players does not have full information. If C has a winning strategy that requires a finite amount of memory, then we can use such a strategy to obtain a suitable finite composer that satisfies the index function α, thus solving the embedded parity synthesis problem. If C has no winning strategy or if every winning strategy requires infinite memory, then α is not realizable from the library L.

We also note that, when viewed in the framework of games, our result is a rare positive result for partial-information stochastic games. In general, 2-player partial information stochastic games are known to be undecidable even for co-Büchi objectives (and thus for parity objectives) [5].

5. Synthesis for DPW Specifications
Let A be a deterministic parity automaton (DPW), M be a probabilistic transducer and L be a library of components. We say A is a monitor for M (resp. L) if the input alphabet of A is the same as the output alphabet of M (resp. L). Let A be a monitor for M and let L_A be the language accepted by A. We say a strategy f for M is winning for the environment iff µ_f(L_A) < 1, i.e., the output of M is rejected by A with positive probability. We say that M satisfies A if there exists no winning strategy for the environment.

Definition 5.1. The DPW probabilistic realizability problem is: Given a library L and a DPW A that is a monitor for L, decide whether there exists a composer C over L such that T_C satisfies A. If such a composer exists, we say that L realizes A. The DPW probabilistic synthesis problem is to find such a composer C if it exists.

We transform this problem into a version of the embedded parity problem solved in Section 4. Let A = (Σ_O, Q_A, s, δ_A, α_A) be a DPW and M = (Σ_I, Σ_O, Q_M, q, δ_M, F, L) be a probabilistic transducer. For s ∈ Q_A, we denote by M × A_s the probabilistic transducer (Σ_I, Σ_O, Q_M × Q_A, (q, s), δ, F × Q_A, L′), where δ((q, s′), a)(q′, s′′) = δ_M(q, a)(q′) if s′′ = δ_A(s′, L(q)) and 0 otherwise. Given a library L with width D, we define the augmented library L_A = {M × A_s : M ∈ L, s ∈ Q_A}. The width of L_A is D × Q_A. We define the exit control relation R_A ⊆ D × Q_A × L_A for L_A as follows: for all i ∈ D, s ∈ Q_A, M ∈ L, we have (i, s, M × A_s) ∈ R_A. We also extend α_A to L_A as follows: for (q, s′) ∈ Q_M × Q_A, α_A(q, s′) = α_A(s′). Thus α_A is an index function for L_A.

Our first step is to treat this augmented library as a new library and solve the embedded parity synthesis problem for L_A with α_A as the index function and R_A as the exit control relation. This gives us a tree automaton that accepts L_A-labeled (D × Q_A)-trees and that is empty iff L_A does not realize α_A under R_A. Later, we show how to transform this automaton into another that accepts L-labeled D-trees and is empty iff L does not realize A. Since, by definition, L_A bijectively maps to L × Q_A, we find it convenient to use labels from L × Q_A in place of L_A.

We now define a composer for the augmented library. The states of the composer are pairs of the form (M, s), where s is a monitor state and M represents an instance of a component from L. A composer for L_A is a deterministic transducer C = (D × Q_A, L × Q_A, M × Q_A, (M, s), Δ, λ). The following lemma follows directly from Theorem 4.12.

Lemma 5.2.
Let L be a library and A be a DPW that is a monitor for L. There exists an NPT B that accepts a regular tree T iff T = tree(C) for some composer C over L_A such that T_C satisfies α_A and C is compatible with R_A.

Given a composer C over a library L and a monitor A for L, we can extend C to a composer over the augmented library L_A.

Definition 5.3 (Augmented Composer). Let L be a library and A be a monitor for L. Let C = (D, L, M, M, Δ, λ) be a composer over L. The augmentation of C by A, denoted C_A, is a composer over L_A such that C_A = (D × Q_A, L × Q_A, M × Q_A, (M, s), Δ′, λ′), where
• For all s ∈ Q_A, M ∈ M, λ′(M, s) = (λ(M), s).
• For all i ∈ D, M ∈ M and s, s′ ∈ Q_A, Δ′((M, s), (i, s′)) = (Δ(M, i), s′).
We say C_A is an augmented composer. While a composer only keeps track of the transfer of control between components, the augmented composer also keeps track of the state of the monitor before and after the control is transferred. To go from augmented composers to composers, we use techniques from synthesis with incomplete information [13]. We start by describing a relation between tree(C) and tree(C_A). First we need to introduce some convenient notation.

Let X, Y and Z be finite sets. For a Z-labeled (X × Y)-tree ⟨T, V⟩, we denote by xray(Y, ⟨T, V⟩) the (Z × Y)-labeled (X × Y)-tree ⟨T, V′⟩ in which each node is labeled by both its direction in Y and its labeling in ⟨T, V⟩. We define operators hide_Y and wide_Y. The operator hide_Y : (X × Y)* → X* replaces each letter x · y, where x ∈ X and y ∈ Y, by the letter x. The operator wide_Y maps Z-labeled X-trees to Z-labeled (X × Y)-trees as follows: wide_Y(⟨X*, V⟩) = ⟨(X × Y)*, V′⟩, where for each node w ∈ (X × Y)*, we have V′(w) = V(hide_Y(w)).

Lemma 5.4.
Let L be a library and A be a monitor for L. Let C be a composer over L and C_A be the augmentation of C by A. Then tree(C_A) = xray(Q_A, wide_{Q_A}(tree(C))).

Proof. Let T be the unlabeled full D-tree and T′ be the unlabeled full (D × Q_A)-tree. Let tree(C) = ⟨T, V⟩. Since tree(C) is an L-labeled D-tree, wide_{Q_A}(tree(C)) is an L-labeled (D × Q_A)-tree, and xray(Q_A, wide_{Q_A}(tree(C))) is an (L × Q_A)-labeled (D × Q_A)-tree. Let xray(Q_A, wide_{Q_A}(tree(C))) = ⟨T′, V′⟩. Now, by definition, tree(C_A) is also an (L × Q_A)-labeled (D × Q_A)-tree. Let tree(C_A) = ⟨T′, V′′⟩. It suffices to prove that V′′ = V′. Let C = (D, L, M, M, Δ, λ) and C_A = (D × Q_A, L × Q_A, M × Q_A, (M, s), Δ′, λ′). Let w ∈ T′ and let (M, s) ∈ L × Q_A be the direction of w. Then V′(w) = (V(hide_{Q_A}(w)), s) = (λ(M), s). Then V′′(w) = λ′(M, s) = (λ(M), s). Therefore V′′ = V′.

Note that even with the slightly modified definition of composer, the results of the previous section still apply because a pair (M, s) ∈ L × Q_A still uniquely identifies an element of L_A.
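Definition 5.3 and Lemma 5.4 can be exercised mechanically on a small instance. The following Python is an added example, not code from the paper: it fixes a constructed two-component composer C and a constructed two-state monitor A, builds the augmentation C_A exactly as in Definition 5.3, implements hide, wide and xray on finite words, and checks tree(C_A) = xray(Q_A, wide_{Q_A}(tree(C))) on every node up to a chosen depth. The root's direction in Q_A, which the definition of xray leaves implicit, is taken to be the monitor's start state (an assumption).

```python
"""Finite-depth check of Lemma 5.4 on a constructed composer and monitor."""
from itertools import product

# Constructed library L = {"M0", "M1"} with width D = {0, 1}.
D = (0, 1)

# Constructed composer C = (D, L, M, m_a, Delta, lam) over L: two composer
# states, each placing one component; taking exit 1 swaps the active state.
START = "m_a"
LAM = {"m_a": "M0", "m_b": "M1"}          # lambda: composer state -> component
DELTA = {("m_a", 0): "m_a", ("m_a", 1): "m_b",
         ("m_b", 0): "m_b", ("m_b", 1): "m_a"}

# Constructed monitor A: only its state set Q_A and start state matter here,
# since the augmented composer reads the monitor state from the direction
# (i, s') rather than running delta_A itself.
Q_A = ("s0", "s1")
S_INIT = "s0"


def run(delta, start, word):
    """State of a deterministic transducer after reading a word of directions."""
    state = start
    for letter in word:
        state = delta[(state, letter)]
    return state


def tree_c(word):
    """Label V(word) of tree(C): the component C places at that node."""
    return LAM[run(DELTA, START, word)]


def hide(word):
    """hide_Y: replace every letter (x, y) by x."""
    return tuple(x for x, _ in word)


def wide(label, word):
    """wide_Y: node w of the widened tree carries V(hide_Y(w))."""
    return label(hide(word))


def xray(label, word):
    """xray(Y, .): pair each node's label with its direction in Y.
    Assumption: the root, which has no direction, is paired with S_INIT,
    matching the start state (M, s0) of the augmented composer."""
    y = word[-1][1] if word else S_INIT
    return (label(word), y)


def augment():
    """Augmentation C_A of C by A, built from C as in Definition 5.3."""
    start = (START, S_INIT)
    lam = {(m, s): (LAM[m], s) for m in LAM for s in Q_A}
    delta = {((m, s), (i, s2)): (DELTA[(m, i)], s2)
             for m in LAM for s in Q_A for i in D for s2 in Q_A}
    return start, lam, delta


AUG_START, AUG_LAM, AUG_DELTA = augment()


def tree_ca(word):
    """Label of tree(C_A) at a node word in (D x Q_A)*."""
    return AUG_LAM[run(AUG_DELTA, AUG_START, word)]


def lemma_5_4_holds(depth):
    """Compare both sides of Lemma 5.4 on every node up to the given depth."""
    directions = tuple(product(D, Q_A))
    for n in range(depth + 1):
        for word in product(directions, repeat=n):
            if tree_ca(word) != xray(lambda w: wide(tree_c, w), word):
                return False
    return True
```

Calling lemma_5_4_holds(5) walks all 4^0 + … + 4^5 nodes of the (D × Q_A)-tree; the check is exhaustive only to that depth, since both trees are infinite.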
Theorem 5.5.
Let L be a library and A be a monitor for L. Let C be a composer over L and C_A be the augmentation of C by A. Then C satisfies A iff C_A satisfies α_A.

Proof. Let A = (Σ_O, Q_A, s, δ_A, α_A) and C = (D, L, M, M, Δ, λ). Let Q and Q′ be the state spaces of T_C and T_{C_A}, respectively. Then Q′ = Q × Q_A. Let q be the start state of T_C. Then (q, s) is the start state of T_{C_A}. Let L_A be the language of A. Given w ∈ Q^ω, we denote by out(w) the output sequence produced by T_C corresponding to state sequence w. We define L = {w ∈ Q^ω : out(w) ∈ L_A}. Then a strategy f for T_C is winning for the environment iff µ_f(L) < Q′* as follows: (q, s) is consistent, and if β ∈ Q′* is consistent then, for all q ∈ Q, β · (q, δ_A(s, q′)) is consistent, where (q′, s) is the last letter of β. An infinite path in Q′^ω is consistent if all of its finite prefixes are consistent. We let H denote the set of all consistent paths in Q′^ω, and T_H denote the subtree of Q′* that contains all consistent words in Q′*. Then T_H contains all paths in H. We define R to be the set of paths in Q′^ω where the highest parity visited i.o. is even.

Let g be a strategy for T_{C_A} and µ_g be the probability measure it induces on Q′^ω. Then, by the definition of L_A, for every β ∈ Q′* that is not consistent, we have µ_g(β · Q′^ω) = 0. Therefore, the probability that an infinite path over Q′ is not consistent is zero. So consistent paths are the only ones that matter probabilistically. In particular, given two strategies g and g′ for T_{C_A} such that g(w) = g′(w) for all w ∈ T_H, we have µ_g = µ_{g′}. Thus, in order to define a strategy for all of Q′*, it suffices to define it for T_H. Also, g is winning for the environment iff µ_g(H ∩ R) < 1, i.e., the probability that the highest parity visited i.o. in a consistent path is positive.

Similarly, given a strategy f over T_C, we have µ_f(q · Q^ω) = 1, i.e., the probability of a path not beginning from the start state is zero. This means that two strategies that agree on nodes in q · Q* induce the same distribution on Q^ω. Thus, in order to define a strategy for all of Q*, it suffices to define it for q · Q*.

Finally, we note that T_H is isomorphic to q · Q*, with the isomorphism h : T_H → q · Q* given by h(w) = hide_{Q_A}(w). Let G be the set of all strategies g : T_H → Dist(Σ_I), and F be the set of all strategies f : q · Q* → Dist(Σ_I). Then h can be lifted to a bijection from F to G as follows: for f ∈ F, g ∈ G, h(f) = f ∘ h and h⁻¹(g) = g ∘ h⁻¹. Then µ_f(L) = µ_{h(f)}(H ∩ R) and µ_g(H ∩ R) = µ_{h⁻¹(g)}(L). Thus f ∈ F (resp. g ∈ G) is winning for the environment iff h(f) (resp. h⁻¹(g)) is winning for the environment.

Given a library L and monitor A, we can solve the embedded realizability problem for the augmented library L_A to obtain a regular tree T, where T = tree(C) for some composer C over L_A such that C satisfies α_A. Then the tree T′ = xray(Q_A, wide_{Q_A}(tree(C))) is also regular, so T′ = tree(C′) for some composer C′ over L. Now we would like to use C′ to solve the DPW realizability problem, but C′ is only guaranteed to satisfy A if C is the augmentation of C′ by A. Therefore, to solve the DPW realizability problem, we have to obtain an automaton that accepts a tree T′ = tree(C′) if the augmentation of C′ by A satisfies α_A.

Theorem 5.6.
Let X, Y and Z be finite sets. Given an alternating automaton B over (Z × Y)-labeled (X × Y)-trees, we can construct an alternating automaton B′ over Z-labeled X-trees such that B′ accepts a labeled tree ⟨X*, V⟩ iff B accepts xray(Y, wide_Y(⟨X*, V⟩)). Further, B and B′ have the same acceptance condition and |B′| = O(|B|).

Proof. Let B = (Z × Y, Q, δ, q, α) be an alternating automaton that accepts (Z × Y)-labeled (X × Y)-trees. We define automaton B = (Z, Q × Y, δ′, (q, y), α × Y) over Z-labeled (X × Y)-trees, where for each q ∈ Q, y ∈ Y and z ∈ Z, δ′((q, y), z) is obtained from δ(q, (z, y)) by replacing each atom ((x′, y′), q′) by the atom ((x′, y′), (q′, y′)). So a state (q, y) in B corresponds to a state q in B that reads only nodes in direction y. Then B accepts a Z-labeled (X × Y)-tree ⟨(X × Y)*, V⟩ iff B accepts xray(Y, ⟨(X × Y)*, V⟩).

Next, we define the alternating automaton B′ = (Z, Q × Y, δ′′, (q, y), α × Y) over Z-labeled X-trees, where for every (q, y) ∈ Q × Y and z ∈ Z, δ′′((q, y), z) is obtained from δ′((q, y), z) by replacing each atom ((x, y′), (q′, y′)) by the atom (x, q′). Then for every Z-labeled X-tree ⟨X*, V⟩, we have ⟨X*, V⟩ ∈ L(B′) iff wide_Y(⟨X*, V⟩) ∈ L(B) (see [13] for the proof). Therefore, B′ accepts ⟨X*, V⟩ iff B accepts xray(Y, wide_Y(⟨X*, V⟩)), and B′ is the required automaton.

Given an alternating automaton B, let narrow_Y(B) denote the corresponding automaton constructed in Theorem 5.6.

Theorem 5.7.
Let L be a library and A be a monitor for L. Then there exists an alternating parity tree automaton (APT) B such that, for all composers C over L, B accepts tree(C) iff C satisfies A. Consequently, B is non-empty iff L realizes A.

Proof. Let A = (Σ_O, Q_A, s, δ_A, α_A). Let B′ be the NPT that accepts tree(C′) iff C′ satisfies α_A and C′ is compatible with R_A, for all composers C′ over L_A. Such a B′ exists by Lemma 5.2. Let B = narrow_{Q_A}(B′). We show that B, which is an APT, is the required automaton. Let C be a composer over L. By Theorem 5.5, C satisfies A iff C_A satisfies α_A. Therefore, B′ accepts tree(C_A) iff C satisfies A. By Lemma 5.4, tree(C_A) = xray(Q_A, wide_{Q_A}(tree(C))), and by Theorem 5.6, B accepts a tree T iff B′ accepts xray(Q_A, wide_{Q_A}(T)). Thus, B accepts tree(C) iff C satisfies A. Since an APT is nonempty iff it accepts a regular tree, and L realizes A iff some composer C over L satisfies A, therefore B is non-empty iff L realizes A.

Each transducer in the augmented library L_A has a set of final states of size |D||Q_A|. Thus the automaton B′ has size exponential in both |D| and |Q_A|. The translation from B′ to B adds no blowup, but B is an APT, while B′ is an NPT. Since emptiness for an alternating parity tree automaton can be checked in time exponential in the size of the automaton [15], B can be checked for emptiness in time doubly exponential in |D| and |Q_A|.

Theorem 5.8.
The DPW probabilistic realizability problem is in 2EXPTIME.
Again, if an alternating tree automaton is nonempty, then it must accept some regular tree [15], and given a regular tree accepted by B, we can obtain a finite transducer that generates that tree. This transducer is a composer that realizes A. Thus, we also obtain a solution to the DPW probabilistic synthesis problem.

Theorem 5.9.
The DPW probabilistic synthesis problem is in 2EXPTIME.
The doubly exponential upper bound for our solution can be viewed as follows: we inherit one exponential from the embedded parity solution, and the second exponential is introduced by the use of an APT to deal with incomplete information. It is an open question whether the second exponential can be avoided.
Discussion and Future Work

Component-based synthesis seeks to build systems that satisfy a given specification using pre-existing components. This contrasts with classical synthesis, where the aim is to build a system from scratch. The component-based approach is closer in spirit to how systems are built in the real world. In this paper, we generalize the component-based synthesis problem to a probabilistic setting. Our components are modeled as probabilistic transducers and the specification is given as a deterministic parity automaton. The composition itself is described by a deterministic transducer, called a composer, which governs the transitions between components.

We break the problem down into two stages. First we solve a simpler version, which we call the embedded parity synthesis problem, where the specification is embedded as parities in the components themselves. Our solution combines techniques from Markov chain analysis and automata-theoretic verification. Then we show how to solve the more general case of a separate specification, which we call the DPW probabilistic synthesis problem, by reducing it to the simpler case using techniques from synthesis with incomplete information.

We show that the embedded parity synthesis problem is in EXPTIME and the DPW probabilistic synthesis problem is in 2EXPTIME. The question of tighter lower and upper bounds we leave for future work. In particular, it is an open question whether the DPW probabilistic synthesis problem is in EXPTIME. Another line of work is suggested by the possibility of probabilistic composers. In recent work, we show that allowing the composer to be a probabilistic transducer makes the synthesis problem sensitive to the specification formalism [16]. It turns out that probabilistic composers are more expressive than their deterministic counterparts for DPW specifications, but they have the same expressive power for embedded parity specifications.
References

[1] D. Berardi, D. Calvanese, G. De Giacomo, M. Lenzerini, and M. Mecella. Automatic composition of e-services that export their behavior. In Proc. ICSOC'03, LNCS 2910, pages 43–58. Springer, 2003.
[2] C. Baier, M. Größer, M. Leucker, B. Bollig, and F. Ciesinski. Controller synthesis for probabilistic systems. In Proc. IFIP TCS'04, pages 493–506. Kluwer, 2004.
[3] J.R. Büchi and L.H.G. Landweber. Solving sequential conditions by finite-state strategies. Trans. AMS, 138:295–311, 1969.
[4] A. Church. Logic, arithmetics, and automata. In Proc. International Congress of Mathematicians, 1962, pages 23–35. Institut Mittag-Leffler, 1963.
[5] K. Chatterjee and L. Doyen. The complexity of partial-observation parity games. In Proc. LPAR'10, LNCS 6397. Springer, 2010.
[6] K. Chatterjee, M. Jurdzinski, and T. A. Henzinger. Simple stochastic parity games. In Proc. CSL'03, LNCS 2803, pages 100–113. Springer, 2003.
[7] C. Courcoubetis and M. Yannakakis. Markov decision processes and regular events. In Proc. ICALP'90, LNCS 443, pages 336–349. Springer, 1990.
[8] C. Courcoubetis and M. Yannakakis. The complexity of probabilistic verification. Journal of the ACM, 42:857–907, 1995.
[9] L. de Alfaro and T.A. Henzinger. Interface-based design. In Engineering Theories of Software-intensive Systems, NATO Science Series: Mathematics, Physics, and Chemistry 195, pages 83–104. Springer, 2005.
[10] E. A. Emerson, C. S. Jutla, and A. P. Sistla. On model-checking for fragments of µ-calculus. In Proc. CAV'93, LNCS 697, pages 385–396. Springer, 1993.
[11] O. Kupferman, P. Madhusudan, P.S. Thiagarajan, and M.Y. Vardi. Open systems in reactive environments: control and synthesis. In Proc. CONCUR'00, LNCS 1877, pages 92–107. Springer, 2000.
[12] J.G. Kemeny and J.L. Snell. Finite Markov Chains. Van Nostrand, 1960.
[13] O. Kupferman and M.Y. Vardi. Synthesis with incomplete information. In , pages 91–106. Kluwer, 1997.
[14] Y. Lustig and Moshe Y. Vardi. Synthesis from component libraries. In Proc. FOSSACS'09, LNCS 5504, pages 395–409. Springer, 2009.
[15] D.E. Muller and P.E. Schupp. Simulating alternating tree automata by nondeterministic automata: New results and new proofs of theorems of Rabin, McNaughton and Safra. Theoretical Computer Science, 141:69–107, 1995.
[16] S. Nain and Moshe Y. Vardi. Synthesizing probabilistic composers. In Proc. FOSSACS'12, to appear.
[17] A. Pnueli and R. Rosner. On the synthesis of a reactive module. In Proc. 16th ACM Symp. on Principles of Programming Languages, pages 179–190, 1989.
[18] M.O. Rabin. Weakly definable relations and special automata. In Proc. Symp. Math. Logic and Foundations of Set Theory, pages 1–23. North Holland, 1970.
[19] S. Schewe. Synthesis for probabilistic environments. In Proc. ATVA'06, LNCS 4218. Springer, 2006.
[20] S. Schewe. Solving parity games in big steps. In Proc. FSTTCS'07, LNCS 4855. Springer, 2007.
[21] J. Sifakis. A framework for component-based construction (extended abstract). In Proc. 3rd Int. Conf. on Software Engineering and Formal Methods, pages 293–300. IEEE, 2005.
[22] M.Y. Vardi. Automatic verification of probabilistic concurrent finite-state programs. In Proc. FOCS'85, pages 327–338. IEEE, 1985.
[23] M.Y. Vardi. Probabilistic linear-time model checking: An overview of the automata-theoretic approach. In Formal Methods for Real-Time and Probabilistic Systems, LNCS 1601, pages 265–276. Springer, 1999.

This work is licensed under the Creative Commons Attribution-NoDerivs License. To view a copy of this license, visit http://creativecommons.org/licenses/by-nd/2.0/