Synthesis of coordination programs from linear temporal logic
11Synthesis of Coordination Programs from Linear TemporalSpecifications
SUGUMAN BANSAL,
Rice University, USA
KEDAR S. NAMJOSHI,
Bell Labs, Nokia, USA
YANIV SA’AR,
Bell Labs, Nokia, IsraelThis paper presents a method for synthesizing a reactive program which coordinates the actions of a group ofother reactive programs, so that the combined system satisfies a temporal specification of its desired long-termbehavior. Traditionally, reactive synthesis has been applied to the construction of a stateful hardware circuit.This work is motivated by applications to other domains, such as the IoT (the Internet of Things) and robotics,where it is necessary to coordinate the actions of multiple sensors, devices, and robots. The mathematicalmodel represents such entities as individual processes in Hoare’s CSP model. Given a network of interactingentities, called an environment , and a temporal specification of long-term behavior, the synthesis methodconstructs a coordinator process (if one exists) that guides the actions of the environment entities so thatthe combined system is deadlock-free and satisfies the given specification. The main technical challenge isthat a coordinator may have only partial knowledge of the environment state, due to non-determinism withinthe environment, and environment actions that are hidden from the coordinator. This is the first method tohandle both sources of partial knowledge, and to do so for arbitrary linear temporal logic specifications. It isshown that the coordination synthesis problem is
PSPACE -hard in the size of the environment. A prototypeimplementation is able to synthesize compact solutions for a number of coordination problems.CCS Concepts: •
Theory of computation → Concurrency ; Formal languages and automata theory ; •
Software and its engineering → Correctness ;Additional Key Words and Phrases: coordination, synthesis, temporal logic
ACM Reference Format:
Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar. 2020. Synthesis of Coordination Programs from LinearTemporal Specifications.
Proc. ACM Program. Lang.
1, POPL, Article 1 (January 2020), 29 pages.
Coordination problems arise naturally in many settings. In a so-called “smart” building, varioussensors, heating and cooling devices must work in concert to maintain comfortable conditions. In afully automated factory, a number of robots with specialized capabilities must collaborate to carryout manufacturing tasks. Typically, the individual agents are reactive and a centralized coordinatorprovides the necessary guidance to carry out a task.A coordination program must work in the presence of several complicating factors such asconcurrency, asynchrony, and distribution; it should recover gracefully from agent failures andhandle noisy sensor data. All this complicates the design of coordination programs. It is often thecase, however, that the task itself can be specified easily and compactly. We therefore considerwhether it is possible to automatically synthesize a reactive coordination program from a descriptionof the agents and a specification of the desired long-term system behavior.We formulate the coordination problem within the extensively studied framework of Commu-nicating Sequential Processes (CSP) [Hoare 1978, 1985], as illustrated in Fig. 1. Agents and the
Authors’ addresses: Suguman Bansal, Rice University, Houston, TX, 77005-1892, USA, [email protected]; Kedar S. Namjoshi,Bell Labs, Nokia, Murray Hill, NJ, 07974, USA, [email protected]; Yaniv Sa’ar, Bell Labs, Nokia, KfarSaba, 4464321, Israel, [email protected]. 2475-1421/2020/1-ART1 $15.00https://doi.org/ Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. a r X i v : . [ c s . P L ] N ov :2 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar Fig. 1. The coordination model. The coordinator M communicates with the agents { E i } through an interface(shown as solid green lines); it need not have a direct link to every agent. Agent-to-agent interactions (shownas dashed red lines) are hidden from the coordinator, as are actions internal to an agent (not shown). Thespecification φ , however, is “all-seeing” - it may refer to any action. coordinator are represented as CSP processes. Each process has a set of private actions , which arespecial to the process, and a set of public actions , which may be shared with other processes. The coordination synthesis problem considered here is defined as follows: given CSP processes E , . . . , E n ,each modeling a reactive agent, and a temporal specification φ over their public and private actions,construct a coordinator CSP process M over the interface actions such that all computations ofthe combined system satisfy the specification φ . We represent the agents as a single environment process E , formed by the parallel composition of the individual processes E , . . . , E n . An instanceof the problem is realizable if there is such a CSP process M ; otherwise, the given problem instanceis unrealizable . The temporal specification is expressed in linear temporal logic (LTL) [Pnueli 1977]or, more generally, as an automaton.This formulation differs from the existing literature on reactive synthesis in several importantways. A major difference is the choice of CSP as a modeling language. Nearly all of the prior workis based on a synchronous, shared-variable model of computation (cf. [Alur et al. 2016; Bloem et al.2012; Bohy et al. 2012; Büchi and Landweber 1969; Church 1957, 1963; Finkbeiner and Schewe 2013;Kupferman and Vardi 2005; Moarref and Kress-Gazit 2018; Pnueli and Rosner 1989a; Rabin 1969]).That is an appropriate model for hardware design but not for the coordination scenarios describedabove, simply because those systems are naturally asynchronous: there is no common clock. Pnueliand Rosner [Pnueli and Rosner 1989b] formulate an asynchronous shared-variable model, but that isbased on a highly adversarial scheduler and is quite weak as a result: for instance, the requirementthat an input data stream is copied faithfully to the output has no solution in that model, while ithas a simple solution in CSP.A second difference is the communication model. In the prior work, communication is modeledby reads and writes to a shared memory. This is not a good fit for the targeted application domains,where the natural mode of communication is message passing. For instance, a coordinator maysend a message to a robot asking it to lift up its arm, or to move to a given location. Implementingsuch handshakes in shared memory requires a dedicated synchronization protocol, complicatingmodeling as well as synthesis. On the other hand, such communication is easily and directlyexpressed in CSP, at a high level of atomicity that permits more specifications to be realized, asillustrated by the data-copying example.The new formulation crucially differs from prior work on synthesis for CSP [Ciolek et al. 2017;D’Ippolito et al. 2013; Manna and Wolper 1981; Wolper 1982] in its treatment of hidden actions. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:3
The prior methods require that every environment action is visible to a coordinator. That can resultin unnecessarily complex coordinators, which are forced to respond to every action, even if notall of those actions are relevant to achieving a goal. Moreover, full visibility goes against the keyprinciple of information hiding in software design: indeed, the CSP language includes operators tolimit the scope and visibility of actions, making models with hidden actions the common case.A coordinator must, therefore, operate correctly with only partial information about the state ofthe environment agents. First, the state of an agent may be changed autonomously by a privateaction. Such transitions are hidden from the coordinator, introducing one form of partial information.Second, agents may interact and exchange information via a shared public action; such interactionsare also unobserved by the coordinator, introducing yet another form of partial information.Finally, any interaction – including one between an agent and the coordinator – may have anon-deterministic effect, so that the precise next state is not known to the coordinator, introducinga third form of partial information.The specification, on the other hand, is “all-seeing” and can refer to any action of the combinedsystem. For instance, a specification may include a fairness assumption that rules out an infinitesequence of agent-to-agent interactions.Models with hidden actions alter the synthesis problem in fundamental ways, requiring thedevelopment of new algorithms. In the absence of hidden actions, the environment and the coordi-nator are synchronized. If the coordinator takes n steps, the environment must also have taken n steps. The inclusion of hidden actions introduces asynchrony : if the coordinator has taken n steps, the environment may have taken n + m steps, where m is the number of hidden actions; m isunknown to the coordinator and could be unbounded. Although the m hidden actions are invisibleto the coordinator, they could be referenced in the specification and cannot simply be ignored. Theheart of our algorithm is a transformation that incorporates the effects of the hidden actions intothe original temporal specification, producing a new specification that is expressed purely in termsof the interface actions. The transformed specification is then synthesized using existing synthesismethods.Our work handles specifications written in LTL, and carries out the specification transformationusing automata-theoretic methods. The transformed automaton has a number of states that is linear in the size of the automaton for the negated LTL specification and in the size of the environmentmodel. We show how to express the transformation fully symbolically, as the number of transitionsis exponential in the number of interface actions. This is in contrast to prior algorithms for CSPsynthesis [Ciolek et al. 2017], which require explicit determinization steps that may introduce expo-nential blowup in the number of states. The final synthesis step using the transformed specificationis also carried out symbolically, via a translation to a Boolean SAT/QBF problem.An LTL synthesis method is needed for this final step. The GR(1) subset of LTL is often used forspecification, as it has efficient symbolic synthesis algorithms in the synchronous model [Bloemet al. 2012; Piterman et al. 2006]. The efficiency advantage is unfortunately lost under asynchrony,as it is not known whether GR(1) is closed under the specification transformation. Thus, even if theoriginal specification is in GR(1), the transformed specification may lie outside GR(1), necessitatingthe use of a general LTL synthesizer.Coordination synthesis has a high inherent complexity: we show that the question is PSPACE -hard in the size of E for a fixed specification; in comparison, model-checking E is in NLOGSPACE .This rather severe hardness result is not entirely unexpected since problems in reactive synthesistypically exhibit high worst-case complexity. For instance, synthesis in the Pnueli-Rosner model is -complete in the size of the LTL specification [Pnueli and Rosner 1989a,b].A prototype implementation of our algorithm successfully synthesizes solutions to severalcoordination problems. It uses Ordered Binary Decision Diagrams (OBDDs) [Bryant 1986] for
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :4 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar symbolic manipulation. The transformed specification is then checked for realizability using thestate-of-the-art symbolic synthesis tool BoSy [Faymonville et al. 2017b]. We present case studiesthat synthesize a smart thermostat and an arbiter for a number of concurrent processes. Thesestudies illustrate the capabilities of the model and show how synthesis improves the experience ofdesigning coordination programs. The prototype has limited scalability, the primary bottleneckbeing the capacity of the back-end synthesis tools. Improvements to these tools (an active researchtopic) will therefore have a positive effect on the scalability of coordination synthesis. The mostimpressive impact on scalability is, however, likely to come from entirely new methods for synthesisthat use symmetry, modularity, and abstraction strategies to effectively handle large state spaces,drawing inspiration from the success of such techniques in formal verification.
We present a series of small examples to illustrate the important features of the model and theconsiderations that must go into the design of a synthesis algorithm. This section focuses on givinga reader an intuitive view of the issues, precise definitions follow in later sections.
CSP notation and semantics.
The full CSP language has a rich structure (cf. [Hoare 1985; Roscoe1997]); here we use only the most basic “flat” form of a CSP process, specified by a set of equationsof the form below. P = a → Q | a → Q | . . . | a n − → Q n − The meaning is that process P evolves to process Q on action a ; to Q on action a ; and soforth. The actions need not be distinct: P = a → Q | a → Q represents a non-deterministicchoice between Q and Q on action a . One may also view P as a state in a state machine, withthe equation specifying the transitions at state P : the machine moves to state Q on action a ; tostate Q on action a ; and so forth. The special process STOP has no outgoing transitions at all andthus represents a dead-end state. An entire state machine is thus described by a set of interrelatedequations, one for each state.In CSP, processes communicate only through an instantaneous, synchronized interaction on acommon action. If processes P and Q have a common action a , and if P may evolve to P ′ on a while Q may evolve to Q ′ on a , then their concurrent composition, denoted P ∥ Q , may jointly evolve to P ′ ∥ Q ′ through synchronization on action a . On the other hand, a process may also have internalactions, which are unsynchronized; so that if P may evolve to P ′′ on an internal action b , then thecomposition P ∥ Q may evolve to P ′′ ∥ Q on b . Coordination Problems.
In the examples below, E denotes the single environment process; wedenote its public (i.e., interface) actions by a , a , . . . , and its private (i.e., internal) action as b . Thetemporal specification of desired behavior, φ , is fixed to be “finitely many b actions”; this maybe represented in temporal logic as ♢□ ( ¬ b ) . The goal is to construct a coordinator process, M ,such that the combined system, E ∥ M , is (1) free of deadlock, and (2) satisfies φ on each of itsinfinite executions. If such a process exists, it is called a solution to the coordination problem ( E , φ ) .A coordination problem is called realizable if it has a solution, and unrealizable otherwise. Theexamples illustrate both outcomes. Example 0: Non-blocking.
The first example illustrates how a coordinator can guide the systemso that it is deadlock-free. Consider E defined as follows. E = a → E | a → STOP E = a → E Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:5 E start E E a a a b Fig. 2. Example 1. Public actions a , a ; Private action b M start a Fig. 3. Coordinator M E | | M start E | | Ma a Fig. 4. E || M satisfies ♢□ ( ¬ b ) Let M = a → M . As E and M may synchronize only on a , the composition E ∥ M has onlythe single infinite computation E ∥ M a −→ E ∥ M a −→ E ∥ M . . . , which trivially satisfies thespecification. Hence M is a solution to this coordination problem. Example 1: Realizability.
Consider E defined as follows (Fig 2). E = a → E | a → E E = a → E E = b → E The self-loop of b -actions at E violates the specification. Defining M = a → M (Fig 3) ensuresthat the composed system E ∥ M has a single joint computation, E ∥ M a −→ E ∥ M a −→ E ∥ M . . . (Fig 4), that entirely avoids the state E . As in Example 0, the structure of M guides the systemaway from an execution that would violate the specification. Example 2: Unrealizability.
Let E be defined as follows. E = a → E | a → E E = a → E E = b → E In this case, the coordination problem has no solution. Assume, to the contrary, that M is a solution.Then M must have a transition on a , otherwise the system E ∥ M deadlocks. Denote the successorof this transition as M . But then E ∥ M has the infinite joint computation E ∥ M a −→ E ∥ M b −→ E ∥ M b −→ . . . on which b occurs infinitely often, violating the specification. Fairness for CSP Programs.
A natural notion of fairness for a group of CSP processes, analogousto strong fairness, considers a computation to be unfair if there is a pair of processes that are readyto interact at infinitely many points along the computation, but do so only finitely many times.The assumption of fairness can make a synthesis problem easier to solve, as it limits the set ofcomputations that must be examined for violations of the specification. Unfortunately, the jointcomputation of E ∥ M constructed in the impossibility proof in Example 2 is fair, as E and M cannever interact once the environment is in state E , which only offers the private action b . So thecoordination problem in Example 2 has no solution even under fairness. Example 3: Realizability under fairness.
Let E be defined as follows. E = a → E | a → E E = a → E E = b → E | a → E Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :6 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
Let M = a → M . Then E ∥ M has a computation which violates the specification, where theenvironment enters state E and then loops forever on the b action. That computation is unfair,however, as it is possible throughout for M and E to synchronize on a , but such an interactionnever occurs. All other computations of E ∥ M satisfy the specification. So the synthesis problem isrealizable under fairness, with M as a solution. Example 4: Partial Knowledge: Non-deterministic Interface.
Define E as follows. E = a → E | a → E E = a → E E = a → E Any coordinator must have an initial synchronization on a , otherwise the system deadlocks. Afterperforming a , the environment may be either in state E or in state E . In the first state, only action a is enabled, while in the second, only a is enabled. Hence, a coordinator must be structuredto synchronize on either of these two actions: if it offers to synchronize only on a , then if theenvironment is actually in state E , the system will deadlock; and vice-versa if it offers only a . Anysynthesis algorithm must resolve such situations where the coordinator has only partial knowledgeof the environment state. In this case, the process M = a → M where M = a → M | a → M is a solution. Example 5: Partial Knowledge: Hidden Actions.
Consider E defined as follows. E = a → E E = b → E This problem is unrealizable. Assume, to the contrary, that M is a solution. To avoid deadlock, M must synchronize on action a . Let M denote the successor state. Note that E synchronouslyevolves to E on a . To avoid deadlock, it must again be possible to synchronize on a from M .Proceeding in this manner, one constructs an infinite computation of E ∥ M with infinitely many a actions; but this computation must also have infinitely many b actions in-between successive a actions, so it violates the specification. A synthesis algorithm must, therefore, track hidden as wellas interface actions. CSP has a rich notation and extensive algebraic theory [Hoare 1985; Roscoe 1997]. As describedpreviously, we use only the basic “flat” format of top-level concurrency between processes definedas state machines. A
CSP process , or process (in short) is defined by a tuple P = ( S , ι , Σ , Γ , δ ) , where S is a finite set of states, ι ∈ S is a special start state, Σ are the publicly visible actions of the process,and Γ are the privately visible actions of the process. The sets Σ and Γ are disjoint. The transitionrelation δ : S × ( Σ ∪ Γ ) → S maps each state and action to a set of successor states. A transitionfrom state s on action a to state t exists if t ∈ δ ( s , a ) ; it is also written as ( s , a , t ) or sometimes as s a −→ t .A process is deterministic if for all state s and all actions e , | δ ( s , e )| ≤
1, and non-deterministic otherwise. A public action a is said to be enabled at state s if there is a transition on the action a from state s .An execution , π , of a process from state s is an alternating sequence of states and actions π = s , a , s , a , . . . , ending at a state if finite, such that s i + ∈ δ ( s i , a i ) for every i (where i ≥ i < n − n states on the sequence). The sub-sequence a , a , . . . of actions is the trace of Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:7 the execution, denoted trace ( π ) for an execution π . A computation is an execution from the initialstate. It is maximal if either it is infinite, or it is finite, and no transitions are enabled from the laststate of the computation. A state s is reachable if there is a finite computation ending at s . Process Composition and Interaction.
Let P and Q be CSP processes. Let X be a subset of theircommon public actions, i.e., X ⊆ ( Σ P ∩ Σ Q ) . The composition of P and Q relative to X , denoted P ∥ X Q , is a CSP process, with state set S P × S Q , initial state ( ι P , ι Q ) , public actions ( Σ P ∪ Σ Q ) \ X ,private actions ( Γ P ∪ Γ Q ∪ X ) , and a transition relation defined by the following rules. • (Synchronized) For an action a in X , there is a transition from ( s , t ) to ( s ′ , t ′ ) on a if ( s , a , s ′ ) is a transition in P and ( t , a , t ′ ) a transition in Q . • (Unsynchronized) For an action b in Γ P or in Σ P \ X (i.e., private, or unsynchronized publicaction), there is a transition from ( s , t ) to ( s ′ , t ) on b if there is a transition ( s , b , s ′ ) in P . Asimilar rule applies to Q .The definition forces processes P and Q to synchronize on actions in X ; for other actions, theprocesses may act independently. For simpler notation, we write ∥ instead of ∥ X when X equals Σ P ∩ Σ Q . Fairness.
There are several ways of defining fairness in CSP (cf. [Francez 1986]). We use thefollowing notion, analogous to strong fairness. Let system S be defined as the parallel composition ofa number of processes S , S , . . . , S n . A computation of S is unfair if there is a pair of processes S i , S j (for distinct i , j ) such that some interaction between S i and S j is enabled at infinitely many pointsalong the computation, but the computation contains only finitely many interactions between S i and S j . Intuitively, a computation is unfair if a system scheduler ignores a pairwise processinteraction even if it is infinitely often possible. We formulate
Linear Temporal Logic (LTL) [Pnueli 1977] over an alphabet Σ , using the syntax φ :: = True | a ∈ Σ | ¬ φ | φ ∧ φ | X φ | φ U φ . The temporal operators are X (Next) and U (Until). TheLTL semantics is standard. For an infinite sequence π over Σ , the satisfaction relation, π , i | = φ fora natural number i , is defined as follows: • π , i | = True holds for all i ; • π , i | = a ∈ Σ if π ( i ) = a ; • π , i | = ¬ φ if π , i | = φ does not hold; • π , i | = φ ∧ φ if π , i | = φ and π , i | = φ ; • π , i | = X φ if π , i + | = φ ; and • π , i | = φ U φ if there is j : j ≥ i such that π , j | = φ and for all k ∈ [ i , j ) , it is the case that π , k | = φ .The Boolean constant False and Boolean operators are defined as usual. Other temporal operatorsare also defined in the standard way: ♢ φ (“Eventually φ ”) is defined as True U φ ; □ φ (“Always φ ”)is defined as ¬ ♢ (¬ φ ) . For an LTL formula φ , let L( φ ) denote the set of infinite sequences π over Σ such that π , | = φ . In the standard formulation of LTL, the alphabet Σ is the powerset of a set of“atomic propositions”. LTL formulas can be turned into equivalent
Büchi automata , using standard constructions(e.g., [Babiak et al. 2012]). A
Büchi automaton , A , is specified by the tuple ( Q , Q , Σ , δ , G ) , where Q is a set of states, Q ⊆ Q defines the initial states, Σ is the alphabet, δ ⊆ Q × Σ × Q is the transitionrelation, and G ⊆ Q defines the “green” (also known as “accepting”) states. A run r of the automaton Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :8 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar on an infinite word σ = a , a , . . . over Σ is an infinite sequence r = q , a , q , a , . . . such that q is an initial state, and for each k , ( q k , a k , q k + ) is in the transition relation. Run r is accepting if agreen state appears on it infinitely often; the language of A , denoted L( A ) , is the set of words thathave an accepting run in A .A universal co-Büchi automaton , U , is also specified by the tuple ( Q , Q , Σ , δ , G ) . In this case,green states are also known as “rejecting" states. A run r of the automaton on an infinite word σ over Σ is defined as before. The difference arises in the definition of acceptance: run r is acceptingif a green state appears on it finitely many times . The language of U , denoted L( U ) , is the set ofwords for which all runs are accepting in this sense.The complement of the language of a Büchi automaton can be viewed as the language ofa universal co-Büchi automaton with the identical structure. Thus, every LTL formula has anequivalent universal co-Büchi automaton. In the standard (synchronous) formulation of temporal synthesis, the goal is to generate a deter-ministic reactive program M that transforms inputs from domain I to outputs from domain O .Such a program can be represented as a function f : I ∗ → O . The program M (or its functionalform f ) is viewed as a generator of an output sequence in response to an input sequence. For aninfinite input sequence x = x , x , . . . , the generated output sequence y = y , y , . . . is defined by: y i = f ( x , . . . , x i − ) , for all i ≥
0. (In particular, y is the value of f on the empty sequence.) Thefunction f can also be viewed as a strategy for Alice in a turn-based two-player game where Bobchooses the input sequence, while Alice responds at the i -th step with the value y i defined on thehistory of the play so far. Note that Alice plays first in each step of the game.Pnueli and Rosner [Pnueli and Rosner 1989a] represent f equivalently as a labeled infinitefull-tree, a form that we also use to formulate a solution to the coordination synthesis problem. Afull-tree over I is the set I ∗ . Each finite string over I represents a node of the tree: the root is ϵ ,and for σ ∈ I ∗ and a ∈ I , the string σ ; a is the a -successor of the node σ . A labeling of the tree is afunction µ : I ∗ → O that maps each node of the tree to an output value. It is easy to see that thefunction f defines a labeling, and vice-versa.The advantage of this view is that the set of deterministic reactive programs is isomorphic tothe set of labeled full-trees. Thus, given an LTL specification φ over the alphabet (I × O) , Pnueliand Rosner solve the LTL synthesis question (following Rabin [Rabin 1969]) by constructing a treeautomaton that accepts only those labeled trees that represent programs that are solutions, andchecking whether this automaton has a non-empty language. A labeled tree represents a solutionif it is a full tree and if for every input sequence x = x , x , . . . , the labels y = y , y , . . . on the pathin the tree defined by x are such that the sequence of pairs ( x , y ) , ( x , y ) , . . . satisfies φ .The formulation of M (or f ) here corresponds to a Moore machine; there is an analogousformulation for Mealy machines. A specification is said to be realizable if there is a program thatsatisfies it; it is unrealizable otherwise. We have already seen the tree-automaton view of the synthesis question. This has not turned out tobe a viable approach for LTL synthesis in practice, however, as the construction of a tree automatoninvolves complex constructions for determinization and complementation of automata on infinitewords.In practice, tools such as BoSy [Faymonville et al. 2017a] and Acacia+ [Bohy et al. 2012] adopt adifferent strategy called bounded synthesis [Filiot et al. 2009; Schewe and Finkbeiner 2007]. Theessential idea is to pick a bound, N , on either the number of states in a solution, or the number of Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:9 visits to a rejecting state in a universal co-Büchi automaton. The tool Acacia+ uses this bound toformulate the problem as a safety game, and searches for a winning strategy for Alice. In BoSy, thesearch is for a transition relation for M that has at most N states.We summarize the BoSy search here, as we use BoSy as the back-end synthesis tool in ourimplementation. Given a universal co-Büchi automaton representing the LTL specification φ overalphabet I × O and state space Q , and a bound N : N > M , the searchis for a deterministic Moore machine with state space S = { . . . ( N − )} . The synthesis questionreduces to whether there exist (1) a transition function T : S × I → S , (2) an output function O : S → O , (3) an inductive invariant θ ⊆ Q × S , and (4) a rank function ρ : Q × S → [ N ] , such thatthese objects satisfy the standard deductive verification proof rule for universal automata [Mannaand Pnueli 1987].As described in [Faymonville et al. 2017b], these constraints can be encoded and solved in variousways, either as a propositional satisfiability (SAT) problem, or as a quantified boolean constraint(QBF) problem. The bounded synthesis approach is complete, as there is a known (worst-caseexponential) limit on the size of a model for a specification automaton. Specifications.
The maximal computations of a CSP process may either be finite, ending in a statewith no successor, or are infinite. The semantics of LTL is defined only over infinite sequencesof actions, but a correctness specification should accommodate both types. To do so, we define aspecification φ over an action alphabet, say κ , as a pair ( φ S , φ L ) , where φ S is a set of finite sequencesover κ , specified, say, as a regular expression, and φ L is a set of infinite sequences over κ , specifiedin LTL.A maximal computation of a CSP process satisfies φ in one of two ways: • The projection π of its trace on κ is finite and is in φ S , or • The projection π of its trace on κ is infinite and belongs to φ L .Note that an infinite computation could have a trace whose projection on κ is finite.To formulate a synthesis algorithm, we assume that the complement sets of φ S and φ L aredefinable by finite automata over κ . For φ S , this is a finite automaton over finite words, while for φ L , this is a finite Büchi automaton over infinite words in κ . Coordination Synthesis.
The synthesis problem has been explained informally in prior sections; itis defined precisely as follows.
Definition 4.1 (Coordination Synthesis Problem).
Given an environment process E = ( S , ι , Σ , Γ , δ ) and a specification φ over actions in ( Σ ∪ Γ ) , construct a process M (if one exists) with publicaction set Σ such that all of the maximal finite computations of E ∥ Σ M satisfy φ S and all of itsinfinite fair computations satisfy φ L .A problem instance ( E , φ ) is realizable if there is a process M meeting the requirements statedabove; it is unrealizable otherwise.A process M is non-blocking for process E if all maximal computations of E ∥ M are infinite; i.e.,the composition is free of deadlock. By setting φ S to the empty set, every solution to the probleminstance ( E , φ ) is non-blocking, as no maximal finite trace can satisfy φ S = ∅ . Restricting the solution space.
This problem formulation allows a solution M to be non-deterministicand have its own set of internal actions, distinct from Σ and Γ (although the specification cannot, ofcourse, mention those actions). A CSP process can exhibit two types of non-determinism: internalnondeterminism , where a state has more than one possible successor on a private action, and external Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :10 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar nondeterminism , where a state has more than one possible successor on a public action. Intuitively,the first defines a choice that is always enabled and is to be resolved by the process itself, while thesecond is a choice that is enabled only through synchronization with an external process.The theorem below shows that there is no loss of generality in restricting the search to determin-istic processes without internal actions. This is a simple but important observation, as the behaviorof a deterministic process can be viewed as a tree, and automata-theoretic operations on such treesare the basis of our solution to the coordination synthesis problem, as described in the followingsection.Theorem 4.2.
A synthesis instance ( E , φ ) is realizable if, and only if, it has a deterministic solutionprocess that has no internal actions. The full proof is in [ ? ]. Given a solution M , the proof constructs a solution M ′′ that has therequired properties. It proceeds in two stages. In the first stage, a solution M ′ is constructed from M by hiding any internal actions of M – i.e., ( s , a , t ) is a transition of M ′ if, and only if, there is apath in M with the trace β ; a ; β ′ from s to t , where β , β ′ are sequences of internal actions of M . Asthe internal actions of M cannot be referenced in φ , this is a valid reduction. In the second stage,external non-determinism is removed from M ′ . This could be done by determinizing M ′ using thestandard subset construction, but we also provide a simpler construction that does not incur theworst-case exponential blowup; it merely restricts transitions so that at any state s and any action a , at most one of the transitions of M ′ on a from s is retained. By construction, the resulting M ′′ isexternally deterministic and has no internal actions. As M ′′ is simulated by M ′ while preservingenablement of transitions, E ∥ M ′′ satisfies φ . This section formulates the automaton-based synthesis procedure. As described in Section 3.4, theidea is to formulate conditions under which a labeled fulltree defines a solution to the synthesisquestion. However, one cannot simply reuse the results of Pnueli and Rosner, as the coordinationsynthesis question has a distinct formulation from the input-output form they consider. Thetheorems in this section pin down the conditions for validity and show how to represent them asautomata.In a nutshell, the technical development proceeds as follows.(1) The consequence of Theorem 4.2 is that it suffices to limit a solution M to be externally deter-ministic and free from internal actions. The semantics of such a process can be representedas an infinite labeled fulltree, where each node is labeled with a set of public actions and eachedge with a public action.(2) We show that a labeled fulltree is invalid –i.e., it does not represent a solution M – if and onlyif it has an infinite path satisfying a linear-time property derived from the specification φ and the environment process E .(3) We show that this failure property may be represented by a non-deterministic Büchi automa-ton, B , that is (roughly) the product of E with an automaton, A , for the negation of φ . Partialknowledge and asynchrony are both handled in this construction.(4) The valid fulltrees are, therefore, those where every path in the tree is accepted by thecomplement of B . We complement B implicitly, avoiding a subset construction, by viewingthe same structure as a universal complemented-Büchi automaton. The automaton B has anumber of states that is linear in the number of states of E and of A . Its transition relation,however, is of size exponential in the number of public interface actions.(5) We give a fully symbolic construction of B to ameliorate the exponential blowup in the sizeof its transition relation. The symbolic B is in a form that can be solved by a number of Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:11 temporal synthesis tools. The constructed solution (if one exists) is in the form of a Mooremachine. We show how to transform this back to a CSP process representing the coordinator M (Section 6).(6) We prove a complexity hardness result on the scalability of the synthesis problem, showingthat it is at least PSPACE -hard in the size of the environment. It is well known that thesynthesis problem is -complete in the size of the LTL specification [Pnueli andRosner 1989a].The first few steps explain the issues in terms of fulltrees, which we find easier to follow; thefinal synthesis procedure is not based on tree-automaton constructions, instead it uses co-Büchiword-automaton constructions, which are supported by current tools. A tree t over alphabet Σ is a prefix-closed subset of Σ ∗ . A node of tree t is an element of Σ ∗ . Fora set L of labels , a L -labeled tree is a pair ( t , µ ) where µ : t → L . I.e., µ assigns to each nodeof the tree an element of L , its label. The full-tree over Σ is the set Σ ∗ . For a deterministic CSPprocess M , one can generate a full Σ -tree labeled with 2 Σ as follows. The labeling function, whichwe denote µ M , assigns to tree node σ the label defined as follows. By determinism, there is at mostone computation of M with trace σ . If this computation exists, let the label µ M ( σ ) be the set ofactions that are enabled at the state at the end of the computation. Otherwise, let µ M ( σ ) be theempty set. We refer to this labeled tree as fulltree ( M ) .Conversely, given a full Σ -tree ( t , µ ) labeled with 2 Σ , one can extract a deterministic (infinite-state)CSP process, P = proc ( t , µ ) , as follows. The state space of P is the set of tree nodes. The initial stateis the node ϵ . A triple ( σ , a , δ ) is in the transition relation of P iff a ∈ µ ( σ ) and δ = σ ; a .Theorem 5.1. For a deterministic CSP process M , the process M ′ = proc ( fulltree ( M )) is bisimularto M . Corollary 5.2.
The coordination synthesis instance ( E , φ ) is realizable iff there is a full labeled Σ -tree ( t , µ ) , labeled by Σ , such that proc ( t , µ ) is a solution. We focus on recognizing the kinds of fulltrees defined by Corollary 5.2. It is actually easier toformulate properties of a fulltree t that exclude proc ( t , µ ) from being a solution. From now on, wefix a “labeled tree” to mean a Σ fulltree labeled with 2 Σ .A path in a labeled tree ( t , µ ) is an alternating sequence L ; a ; L ; a ; . . . where for each i , L i = µ ( a , . . . , a i − ) is the label of the node ( a , . . . , a i − ) . If the path is finite, we postulate that itmust end with a label. The label at the end of a finite path π is referred to as endL ( π ) . A path iscalled consistent iff a i ∈ L i for all i . The trace of a path π = L ; a ; L ; a ; . . . , denoted trace ( π ) , is thesequence of actions on it, i.e., a ; a ; . . . . Every consistent path π in tree ( t , µ ) is in correspondencewith a computation of proc ( t , µ ) . As a computation is a process in itself, we abuse notation slightlyand refer to this computation as the process proc ( π ) . Definition 5.3 (Full-tree violation).
We say that a labeled fulltree ( t , µ ) violates ( E , φ ) if one of thefollowing holds.(A) There is a consistent finite path π in the tree such that some finite computation γ in E ∥ proc ( π ) is maximal and trace ( γ ) is not in φ S , or(B) There is a consistent finite path π in the tree such that for some infinite computation γ of E ∥ proc ( π ) , trace ( γ ) is not in φ L , and no action from endL ( π ) is enabled from some point onin γ , or Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :12 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar { a }· · · · · · a a (a) { a , a }· · · · · · a a (b) { a }· · · { a } a a (c)Fig. 5. Candidate trees (showing only two-levels of tree). Nodes represent label, and · · · indicates "don’t care".Tree branches correspond to public actions. (C) There is a consistent infinite path π in the tree such that for some infinite computation γ of E ∥ proc ( π ) , trace ( γ ) is not in φ L . Illustrative Example.
Consider the CSP environment E defined as follows. E = a → STOP | a → E | b → E E = b → E E = a → E The environment public actions are a and a , and private actions are b and b . Let φ S be the emptyset and φ L be the set of sequences with infinitely many a . Figure 5 depicts candidate trees for thecoordinating process. The composition of tree (a) with E contains a maximal finite computationwith trace a , which violates ( E , φ ) by condition (A), as φ S = ∅ . The composition of tree (b) with E results in an infinite computation with trace a ( b ) ω (cid:60) φ L , and therefore violates ( E , φ ) by condition(B), while also violating condition (A), as with tree (a). Finally, the composition of tree (c) with E results in the trace b ( a ) ω , which satisfies φ L . Therefore tree (c) is valid for ( E , φ ) ; it represents thesolution M = a → M .Theorem 5.4. Fix a synthesis instance ( E , φ ). For any labeled fulltree ( t , µ ) , the CSP process proc ( t , µ ) is a solution if, and only if, ( t , µ ) is not violating for ( E , φ ) . Proof. We will show the contrapositive.(left-to-right) Suppose that ( t , µ ) violates ( E , φ ) . Then one of (A)-(C) holds. We show that process M = proc ( t , µ ) cannot be a solution.Suppose case (A) holds. The maximal finite computation γ of E ∥ proc ( π ) is also a maximalcomputation of E ∥ M , as π corresponds to a computation of M = proc ( t , µ ) . Since trace ( γ ) is notin φ S , M is not a solution.Suppose case (B) holds. The infinite computation γ of E ∥ proc ( π ) is also a computation of E ∥ M .As π is finite, γ has only finitely many synchronization actions. Moreover, none of the actionsof endL ( π ) are enabled on γ from some point on. Thus, no synchronization between M and E isenabled on γ from that point on, so the computation γ is a fair computation of E ∥ M whose traceis not in φ L .Suppose case (C) holds. The computation γ of E ∥ proc ( π ) is an infinite computation of E ∥ M ,which is fair as it has infinitely many synchronizations. However, trace ( γ ) is not in φ L .(right-to-left) Suppose M = proc ( t , µ ) is not a solution for ( E , φ ) . We show that ( t , µ ) must violate ( E , φ ) . As E ∥ M fails to satisfy φ , there are two possibilities.The first possibility is that of a maximal finite computation of E ∥ M whose trace is not in φ S .This computation corresponds to a finite consistent path π in the tree ( t , µ ) that meets condition(A). Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:13
The other possibility is that there is an infinite fair computation γ of E ∥ M whose trace is not in φ L . There are two types of fair computations.In the first type, γ has only finitely many synchronization actions followed by an infinite suffixwhere no synchronization is enabled with M . As M has no internal actions, the suffix of γ consistssolely of internal actions of E . The shortest finite prefix of γ containing all synchronization actionsdefines a consistent finite path π in ( t , µ ) . The set of enabled actions of M at the end of this prefix of γ is (by the definition of M = proc ( t , µ ) ) the label at the end of π . Thus, π satisfies the requirementsof condition (B).In the second type, γ has infinitely many synchronization actions. This induces an infinitecomputation of M , and a corresponding consistent infinite path π of ( t , µ ) meeting condition(C). □ We now describe how to construct Büchi automata that recognizes each of the properties (A)-(C) onpaths of a fulltree. From these, one can construct a universal co-Büchi automaton that accepts a pathof the tree either if it is inconsistent, or if it does not satisfy either of (A)-(C), called the specificationautomaton . In the classical setting (cf. [Pnueli and Rosner 1989a]), this universal automaton islifted to a tree automaton that runs on all paths of a tree. Conjoined with a tree automaton thatchecks whether the tree is a fulltree, one obtains a tree automaton that accepts the set of validfull-trees. The synthesis problem is realizable iff the language of that automaton is non-empty. Inthe alternative setting of bounded synthesis [Finkbeiner and Schewe 2013], this universal co-Büchiautomaton is used directly in the check for realizability.The automata for properties (A)-(C) run on infinite sequences over an input alphabet Σ × Σ . Aninput sequence of the form ( a , L ) , ( a , L ) , . . . represents the labeled fulltree path L ; a ; L ; a ; . . . .The size of the automaton transition relation is thus exponential in | Σ | . Note that the Γ actions donot appear in the input alphabet, they are eliminated in the process of constructing the automaton. Checking for consistency.
The first automaton accepts an input sequence of the form above if itcorresponds to a consistent path, i.e., if a i ∈ L i for all i . This automaton has a constant number ofstates. Checking condition (A).
Let A S be a finite automaton for the negation of φ S . The automa-ton for (A) is a product of A S and E . It guesses a finite computation γ of E , of the form e ; [ β , a , β ′ ] ; e ; [ β , a , β ′ ] ; . . . ; [ β n , a n , β ′ n ] ; e n , where the β and β ′ symbols represent sequencesof private actions of E (the intermediate states of E are not shown, and the grouping in squarebrackets, e.g., [ β , a , β ′ ] , is just for clarity). The automaton also concurrently guesses a run of thefinite-word automaton A S on trace ( γ ) = β , a , β ′ , . . . , β n , a n , β ′ n . It accepts if the automaton isin an accepting state, the final state e n of γ has no transitions on private actions, and none of itsenabled public transitions are in L n , the final label. This automaton has |A S | ∗ | E | states. Checking condition (B).
Let A L be a finite Büchi automaton for the negation of φ L . The automa-ton for (B) guesses, as in the construction for case (A), a finite computation γ of E of the form e ; [ β , a , β ′ ] ; e ; [ β , a , β ′ ] ; . . . ; [ β n , a n , β ′ n ] ; e n , where the β and β ′ symbols represent sequencesof private actions of E , and it concurrently also guesses a run of the infinite word automaton A L on trace ( γ ) = β , a , β ′ , . . . , β n , a n , β ′ n to an automaton state, say, q . It then guesses a furtherinfinite execution γ ′ of E , starting at the final state e n of γ , such that all transitions on γ ′ are onprivate actions of E , and it checks that at each intermediate state of γ ′ , none of the enabled publictransitions are in L n . It concurrently simulates an extension to the run of A L on trace ( γ ′ ) fromstate q and accepts if this run is accepting for A L . This automaton has |A L | ∗ | E | states. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :14 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
Checking condition (C).
Let A L be a finite Büchi automaton for the negation of φ L . The automatonfor (C) guesses an infinite computation γ of E of the form e ; [ β , a , β ′ ] ; e ; [ β , a , β ′ ] ; . . . on theinfinite trace a , a , . . . , and it concurrently simulates a run of the automaton A L on trace ( γ ) (whichcontains private actions represented by the β and β ′ symbols), accepting if this run accepts. Thisautomaton has |A L | ∗ | E | states. Constructing the Specification automaton.
We construct an automaton by taking the union ofthe automata for (A)-(C) and intersecting the union with the automaton that checks consistencyof the input sequence. This is then a non-deterministic Büchi automaton which accepts an inputsequence if it is consistent and satisfies one of (A)-(C). Its complement co-Büchi automaton acceptsan input sequence if it is inconsistent or it fails to meet either of (A)-(C). This co-Büchi automatonis the specification automaton . The specification automaton has a number of states proportional to (|A S | + |A L |) ∗ | E | . The number of transitions is, however, exponential in the number of publicactions, as transitions are labeled with subsets of public actions. We show that the coordination synthesis problem is
PSPACE -hard in terms of the size of theenvironment, E , keeping the specification formula fixed.Theorem 5.5. Coordination Synthesis is
PSPACE -hard in | E | for a fixed specification. Proof. The proof is by reduction from a standard
PSPACE -complete problem: given a finiteautomaton, A , determine whether the language of A is not the universal language over its alphabet, Σ . Without loss of generality, we suppose that A is complete – i.e., each state has a transition onevery letter in Σ .From A , we construct a synthesis instance ( E , φ ) as follows. The environment E is a copy of A ,with two additional states, accept and reject , and three additional letters, ♯ , + , and − . Its transitionrelation is that of A , together with the following additional transitions. First, from each acceptingstate of A , there is a transition on ♯ to the accept state. The accept state has a self-loop transitionon + . Second, from each non-accepting state of A , there is a transition on ♯ to the reject state. The reject state has a self-loop transition on letter − . Note that E has no internal actions but, in general,will have non-deterministic choice on interface actions.The specification φ is given by φ S = ∅ (i.e., non-blocking solutions are required) and φ L beingthe LTL formula ♢ ( ♯ ∧ X □ (−))) . We show that the language of A is non-universal if, and only if,the synthesis problem ( E , φ ) has a solution.In the left-to-right direction, suppose that A has a non-universal language. Let w be a word thatis not accepted by A . Let M be the deterministic process with a single execution with trace w ♯ (−) ω .We claim that M is a solution for ( E , φ ) . As A is complete, there can be no maximal computation of E ∥ M with a trace that is a strict prefix of w . And as every run of w on A ends in a non-acceptingstate, every maximal computation of E ∥ M is infinite and has the trace w ♯ (−) ω , which meets thespecification. Hence, M is a solution to the synthesis problem.In right-to-left direction, let M be any solution to the synthesis problem. Thus, M is non-blocking,every maximal computation of E ∥ M is infinite and its trace satisfies φ L . From Theorem 4.2, wemay suppose that M is deterministic and has no internal actions. As M is non-blocking and E hasno dead-end states by construction, there is at least one infinite joint computation, denoted x , of E ∥ M . As E ∥ M satisfies φ L , the trace of x must have the pattern w ♯ (−) ω , for some w ∈ Σ ∗ . Weshow that w is rejected by A . Let s be the state of M in x following the prefix with trace w . Then s has a transition on ♯ . Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:15
Suppose, to the contrary, that there is an accepting run of A on w ending in some state t . Thus,there is a joint computation of E ∥ M that follows this run and ends at the joint state ( t , s ) . As both t and s have transitions on ♯ , this computation can be extended to ( accept , s ′ ) on ♯ , for s ′ . As accept only has transitions on + , and as M is non-blocking, this computation must extend further to acomputation with trace w ♯ ( + ) ω . But that computation does not satisfy φ L , a contradiction. □ In this section, we give a fully symbolic construction for the automaton of the transformed specifi-cation. The symbolic form ameliorates the exponential blowup in the size of its transition relation.The structure of the automaton is defined as follows. • The states are either (1) special states
Fail and
Sink , or (2) normal states of the form ( q , r , e ) ,where q is a state of A L , r is a state of A S , and e is an environment state. • The initial state is ( q , r , e ) where all components are initial in their respective structures. • The input symbols have the form ( a , L , д ) , where a is an public action, L is a set of publicactions, and д is a Boolean marking the transition as being “green” (accepting) if true. • The transition relation of the joint automaton is described as a predicate, T ( current _ state , input _ symbol , next _ state ) . On all input symbols, the special states Fail and
Sink have a selfloop; i.e., the next state is the same as the current state. The transition relation for normalstates is defined below. • The green (accepting) edges of the automaton are all transitions where д is true. • The green (accepting) states of the automaton are the special state
Fail and every state ( q , r , e ) where q is a green state of A L .For a normal state ( q , r , e ) and input symbol ( a , L , д ) , the transition relation T is defined as follows.It relies on several auxiliary relations which are defined below.(1) (Condition (A)) If Efail ( r , e , L ) holds, the successor state is Fail .(2) (Condition (B)) Otherwise, if noSynch ( q , r , e , L ) holds, the successor state is Fail .(3) (Non-blocking) Otherwise, if
Esink ( a , e , L ) holds, the successor state is Sink .(4) (Condition (C)) Otherwise, if normalTrans (( q , r , e ) , ( a , д ) , ( q ′ , r ′ , e ′ )) holds, the successor isthe normal state ( q ′ , r ′ , e ′ ) .The auxiliary relations represent the existence of paths, and are defined in the form of a leastfixpoint. Each of these fixpoint computations, as well as the construction of the transition relation,can be computed symbolically using BDDs. We provide the fixpoint formulations below. In theseformulations, for an action c (public or private), the joint transition Joint (( q , r , e ) , c , ( q ′ , r ′ , e ′ )) holdsiff A L ( q , c , q ′ ) , A S ( r , c , r ′ ) , and E ( e , c , e ′ ) all hold.Following condition (A), predicate Efail ( r , e , L ) holds if there is a path consisting only of privatetransitions from state e in E to an end-state e ′ that fails the φ S property. The state e ′ can have noprivate transitions and no enabled public actions in L . Being a reachability property, the predicateis defined as the least fixpoint of Y ( r , e , L ) where • (Base case) If r is a final state of A S , e has no private transitions, and none of its enabledpublic actions is in L , then Y ( r , e , L ) is true, and • (Induction) If there exists r ′ , e ′ and a private action b such that Y ( r ′ , e ′ , L ) , A S ( r , b , r ′ ) and E ( e , b , e ′ ) hold, then Y ( r , e , L ) holds.Following condition (B), predicate noSynch ( q , r , e , L ) holds if there exists a infinite path consistingof only private transitions that fails the φ S property, and from some point on L does not synchronizewith the public actions enabled on the path. One can easily argue that it is sufficient to find an infinite lasso path consisting of only private transitions that fails the φ S property, and no state in Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :16 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar the loop of the lasso synchronizes with L . Formally, noSynch ( q , r , e , L ) holds if there exists a privateaction b , states q , r , e , д and q , r , e , д such that all of the the following conditions hold • Eprivate (( q , r , e ) , д , ( q , r , e )) , • Joint (( q , r , e ) , b , ( q , r , e ))• GenEprivate (( q , r , e ) , д , L , ( q , r , e )) , and • д ≡ д .The predicate Eprivate (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) holds if there is a path consisting only of privatetransitions from state e in E to e ′ , a run of the A S automaton on this path from state r to r ′ , a runof the A L automaton on the same path from state q to q ′ , and д is true if one of the states on the A L automaton run is a green (i.e., Büchi accepting) state. Being a reachability property, this can bedefined as the least fixpoint of Z (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) , where • (Base case) If q = q ′ , r = r ′ , e = e ′ then Z (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) holds, and д is true iff q isgreen, and • (Induction) If Z (( q , r , e ) , д , ( q , r , e )) and J (( q , r , e ) , b , ( q ′ , r ′ , e ′ )) for a private action b ,then Z (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) holds, with д being true if д is true or q ′ is green.Predicate GenEprivate (( q , r , e ) , д , L , ( q ′ , r ′ , e ′ )) generalizes Eprivate (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) by addi-tionally ensuring that no state along the run from e to e ′ in E enables a public action in L . Predicate Esink ( a , e , L ) holds if either a (cid:60) L (inconsistent), or ¬ enabled ( a , e ) (blocking) where predicate enabled ( a , e ) holds if there is a path in E consisting only of private transitions from state e to a statefrom which there is a transition on public symbol a . Being a reachability property, this predicate isdefined as the least fixpoint of X ( a , e ) where • (Base case) If e has a transition on a , then X ( a , e ) holds. • (Induction) If there exists e ′ and a private action b such that E ( e , b , e ′ ) and X ( a , e ′ ) hold, then X ( a , e ) holds.Following condition (C), predicate normalTrans (( q , r , e ) , ( a , д ) , ( q ′ , r ′ , e ′ )) holds if there is apath of private actions to the normal target state ( q ′ , r ′ , e ′ ) with a single public transitionon a , along with matching runs of the two automata that fails the φ S property. Formally, normalTrans (( q , r , e ) , ( a , д ) , ( q ′ , r ′ , e ′ )) holds if there exists states q , r , e , д and q , r , e , д suchthat all of the the following conditions hold • Eprivate (( q , r , e ) , д , ( q , r , e )) , • Joint (( q , r , e ) , a , ( q , r , e )) , • Eprivate (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) , and • д ≡ д ∨ д . Encoding into Pnueli-Rosner synthesis.
The resulting automaton has transitions on ( a , L , д ) . Thegreen transitions can be converted to green states by a simple construction (omitted) that adds acopy of the state space. This automaton operates on input sequences of the form ( a , L ) , ( a , L ) , . . . .That matches the form of the synchronous Pnueli-Rosner model where automata operate on inputsequences of the form ( x , y ) , ( x , y ) , . . . , where the x ’s represent input values and the y ’s theoutput value chosen by the synthesized process. By reinterpreting the a ’s as x ’s and L ’s as y ’s, onecan use existing tools for synchronous synthesis, to check for realizability and produce a solutionif realizable. In this re-interpretation, if the public alphabet has n symbols, there are log ( n ) bits for x (i.e., a ), and n bits for y (i.e., L ). Mapping a solution back to CSP.
The synchronous synthesis tools produce a deterministic Mooremachine as a solution to the reinterpreted synthesis problem. Such a machine maps a sequence of x -values (i.e., a sequence of public actions, reinterpreted) to a y -value (i.e., a set of public actions, Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:17 reinterpreted). That is precisely the CSP process M , defined as follows. The states of M are thestates of the Moore machine. There is a transition ( s , a , t ) in M if, and only if, a is included in theoutput label y of the Moore machine at state s , and the machine has a transition from s to t oninput x = a . We implement the coordination synthesis algorithm in about 1500 lines of Python code. Theimplementation uses the
FDR4
CSP tool [fdr [n. d.]; Gibson-Robinson et al. 2016] to read in a CSPdescription of the environment written in the language
CSP M , and produce a flattened descriptionin the form of a state machine for the environment E . It uses features of the SPOT system [spo [n.d.]; Duret-Lutz et al. 2016] to read in LTL formulas that define the specifications φ S and φ L , and toconvert those to the appropriate automaton form. The core of the construction (about 1000 lines ofPython) implements the symbolic specification automaton construction described in Sections 5and 6. The resulting automaton, B , is simplified using the SPOT tool autfilt to, for instance, removedead states. It is then supplied to the synchronous synthesis engine BoSy [Bos [n. d.]; Faymonvilleet al. 2017b]. BoSy produces a Moore machine, which is converted into a CSP process as describedat the end of Section 6. We are grateful to the authors of these and supporting tools for making thetools freely available.As defined in Section 5, the automaton B operates on inputs from the alphabet Σ × Σ , where Σ is the set of public interface actions of the environment E . Thus, an input symbol has the form ( a , L ) , where a ∈ Σ and L is a subset of Σ . BoSy expects these values to be encoded as bit vectorsdefining the input, denoted x , and output, denoted y , of the synchronous synthesis problem. Forsimplicity, we choose a 1-hot encoding for the symbol a ; i.e., we have a bit x m for each symbol m in Σ , and ensure that exactly one of those bits is true – to represent symbol a , the bit x a is set totrue while all others are set to false. To encode the set L , we define bits y m for each symbol m in Σ .Thus, a set L is encoded by setting y m to be true for all m in L , and y m to false for all m not in L .Recall from Section 3 that BoSy encodes the synchronous synthesis problem as constraint solving,either propositional (with SAT solvers) or quantified (with QBF solvers). The QBF form has thequantifier prefix ∃∀∃ , where the universal quantification is over the input variables; in effect, theSAT encoding is obtained by replacing the ∀ quantifier with a conjunction over all values of theinput variables. In our case, the input variables represent elements of Σ , as explained above. As thisset is not very large (for our examples), we can replace the ∀ quantifier with a conjunction overall elements of Σ , and obtain an equivalent SAT problem. Doing this in practice required a smallmodification to BoSy, as its default is to expand over all assignments to input variables, whichwould lead to a | Σ | blowup in the expansion for our 1-hot encoding. Instead, we modify BoSy toexpand over only 1-hot assignments to the input variables, which gives the expected linear | Σ | blowup. We refer to our SAT encoding by OneHot-SAT.In prior work on BoSy [Faymonville et al. 2017b] the authors report that QBF outperformsSAT. Much to our surprise, we observed the reverse: the SAT encoding handily outperforms QBF,as shown in the experiment tables later in this section. We use the state-of-the-art SAT solver CryptominiSAT [Soos et al. 2009].All experiments were run on 8 CPU cores at 2.4GHz, 16GB RAM, running 64-bit Linux.
The objective of our case studies is to demonstrate the utility of coordination synthesis in designingcoordination programs under various aspects of asynchrony, partial information and concurrency.
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :18 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
Table 1. Evaluation of implementation on Illustrative examples. Safety spec is False, liveness spec is ♢□ (¬ b ) . CSP Synthesized coordinator Run time (in milliseconds, timeout=10s)Spec. aut. construction Sync. synthesisQBF (Default) OneHot-SATExample 0 M = a → M
138 955 86Example 1 M = a → M
135 1082 89Example 2
None
137 Timeout TimeoutExample 3 M = a → M
136 798 86Example 4 M = a → M | a → M
138 773 77Example 5
None
138 Timeout TimeoutWe begin by testing our implementation on examples from Section 2 (Section 7.2.1), and thenfollow it up by designing a coordination program for a smart thermostat (Section 7.2.2) and an arbiter for concurrent processes (Section 7.2.3). We explore different aspects of the applicabilityof coordination synthesis in each of these studies, ranging from modeling choices to fairness inconcurrency. Finally, we discuss the scalability challenges in Section 7.2.4.
We begin with demonstrating the correctness of our imple-mentation by synthesizing all specifications from the illustrative examples given in Section 2. Thisset of examples is representative of the major features and complexities of the program model thatour synthesis procedure must account for, and hence make for a test bench with good coverage.Each input specification consists of an environment process, a safety LTL specification and aliveness LTL specification. In this set of inputs, the safety and liveness specifications are fixedto
False and ♢□ (¬ b ) , respectively. Each input instance is run twice, once when the synchronoussynthesis tool BoSy invokes its default QBF encoding, and once when BoSy invokes our domain-specific OneHot-SAT encoding. If realizable, we output the synthesized coordinator as a CSP process.Our observations are summarized in Table 1. Our main observations are:(1) Our implementation returned the expected outcomes for realizable specifications. The tooltimes out on unrealizable specifications, which is expected as the bound N (Section 3.5) forBoSy to guarantee unrealizability is very large.(2) For all but one example (Example 4) the coordination programs obtained from both theencoding options of BoSy were identical to the ones constructed by hand in Section 2.In Example 4, both encodings returned the same coordinator, but different from the one inSection 2. The synthesized program is smaller than the ones made by hand.These observations indicate that our implementation is faithful to the theoretical developmentof coordination synthesis. Synthesis can be thought of as a declarativeparadigm for programming where a developer can focus on the “what”s of the coordinationproblem rather than on the “how"s. Through this case study we illustrate how synthesis simplifiesthe development of coordination programs. Our objective is to design a smart thermostat .A smart thermostat interacts with a room-temperature sensor (sensor, in short), a heater, andan air-conditioner in order to maintain a comfortable room temperature. The temperature can beaffected by the mode (switch-on or switch-off) of the heater and air-conditioner, and by externalphysical factors such as weather fluctuations, which are unpredictable and cannot be controlled.These factors prevent the smart thermostat from assessing the room temperature correctly from the
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:19 JR start TWTC JustRight HeatisOnACisOnHeatisOnACisOn Cold ACisOn HeatisOnWarm
Fig. 6. Room temperature Sensor CSP (JR: Just right, TW:Too warm, TC: Too cold)
OFF start
ONswitchHeatOn HeatisOnswitchHeatOff
Fig. 7. Heater CSP
OFF start
ONswitchACOn ACisOnswitchACOff
Fig. 8. AC CSP modes of the devices alone. As a result, the smart thermostat must communicate with the sensor tocheck the room temperature, and respond accordingly to maintain ambient temperature.CSP processes modeling the sensor, heater and air-conditioner are given in Figures 6-8. Thestates of the sensor denote the current temperature, while states of the heater and air-conditionerdenote their mode. The dashed-transitions in the sensor model fluctuations in room temperaturecaused by changing external physical conditions and cause internal actions. The actions
HeatIsOn (red transitions) and
AcIsOn (blue transitions) cause private agent-to-agent interactions betweenthe sensor and the heater or air-conditioner, respectively. Finally, the sensor communicates thecurrent room temperature to the smart thermostat through actions
Cold , JustRight , Warm , and theheater and air-conditioner interact with the smart thermostat through the
Switch actions (blacktransitions). Therefore, the flat environment in represented by
ENV = Heater || { HeatisOn } Sensor || { ACisOn } AC Its interface with the coordinator consists of public actions { JustRight , Cold , Warm , switchACOff , switchACOn , switchHeatOff , switchHeatOn } .The safety specification is simply deadlock freedom, given by the formula False . The goal is tomaintain ambient temperature. So, we begin with the following liveness specification, assertingthat the temperature is infinitely often just right:
AmbientTemp : = □♢ ( JustRight ) This coordination synthesis specification was satisfied by the trivial coordinator M = JustRight → M Clearly, this coordinator relies on the internal actions of the sensor (dashed transitions) tomaintain ambient temperature. It never interacts with the Heater or the AC. To ensure that thesynthesized coordinator interacts with the heater and AC, we append the following condition tothe liveness specification:
Interact : = □♢ switchACOn ∧ □♢ switchHeatOn With the modified liveness specification, i.e.,
AmbientTemp ∧ Interact , the coordination synthesisprocedure returned a 4-processes coordinator depicted in Fig 9. It overcomes the deficiency from theprevious coordinator by engaging the heater and AC infinitely often. This engagement is guaranteeddue to the cycle M −−−−−−−−−→ M −−−−−−−−−−→ M −−−−−−−−−−→ M −−−−−−−→ M −−−−−−−−−→ M −−−−−−−→ M . In all executions of the coordinated system, the coordinator will be forced to visitstate M . From here on, the coordinator is forced to take the actions as shown in the cycle. Butthis is still unsatisfactory, as it allows the Heater and AC to be both switched on at the same time. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :20 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar M M M start M switchACOffswitchACOnswitchHeatOffJustRightColdJustRightswitchHeatOff switchHeatOnswitchHeatOff Fig. 9. Coordinator when liveness spec. is AmbientTemp ∧ Interact M start M M switchACOn switchHeatOffJustRightswitchACOffswitchHeatOff switchHeatOn Fig. 10. Coordinator when livenessspec. is AmbientTemp ∧ Interact ∧ EnergyEfficientTable 2. Runtime analysis of thermostat case-study. CSP process is ENV, Safety spec is False.
Liveness spec Synthesized Coordinator Run time ( in seconds, timeout=1000s)Spec. aut.construction Sync. synthesisQBF (Default) OneHot-SAT
AmbientTemp M = JustRight → M AmbientTemp ∧ Interact
Fig 9 0.177 Timeout 40.152
AmbientTemp ∧ Interact ∧ EnergyEfficient
Fig 10 0.188 Timeout 90.292This can be observed along the execution M −−−−−−−→ M −−−−−−−−−→ M −−−−−−−−−−→ M · · · .Therefore, we add another condition to the liveness specification that enforces that the Heater andAC are not switched on at the same time: EnergyEfficient : = ¬ ♢ (cid:0) ( switchACOn ) ∧ (¬ switchACOff U switchHeatOn ) (cid:1) ∧¬ ♢ (cid:0) ( switchHeatOn ) ∧ (¬ switchHeatOff U switchACOn ) (cid:1) The coordinator obtained by modifying the liveness specification to
AmbientTemp ∧ Interact ∧ EnergyEfficient is given in Fig 10. It is a simple 3-state coordinator. The runtime analysis has beenpresented in Table 2.
In this case study we synthesize an arbiter that allocates ashared resource to multiple concurrent processes. The arbiter must guarantee that the resource isnot accessed by multiple processes at the same time, and ensure that every requesting process iseventually granted the resource. The study shows how fairness can be incorporated in specificationsin order to construct appropriate solutions.Formally, a process P ( i ) is defined as follows. The process does a cycle of (a). request to accessthe common resource, (b) the request is granted and it accesses the resource, and (c). it releases theresource. P ( i ) = request . i → grant . i → release . i → P ( i ) For n >
1, let
ENV n = || i ∈{ ... n − } P ( i ) denote the environment process, which is the parallelcomposition of n copies of P ( i ) . Each processes synchronizes with the arbiter (coordinator) onactions request . i , grant . i , and release . i . Therefore request . i , grant . i , and release . i actions for allprocesses are public actions at the interface of ENV n with the arbiter. As these process do not Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:21 interact internally with each other, and neither do they have an internal action action of their own,
ENV n does not have any private action and is a fully synchronous environment.The safety specification is simply deadlock freedom, indicated by the LTL formula False . Theliveness specification includes mutual exclusion and starvation freedom for every process. Anarbiter can guarantee mutual exclusion if it ensures that each process must release access to theresource before another process is granted access to it:
Mutex n : = (cid:219) i ∈[ n ] ¬ (cid:0) ♢ ( grant . i ∧ (cid:0) ¬ release . i U (cid:220) j (cid:44) i grant . j (cid:1)(cid:1) Starvation freedom is guaranteed if every requesting process is eventually granted access:
StarveFreedom n : = (cid:219) i ∈[ n ] □ (cid:0) request . i → ♢ grant . i (cid:1) At n =
2, i.e., with two processes, our synthesis procedure generated the following arbiter theliveness specification given by
Mutex ∧ StarveFreedom : M = request . → grant . → release . → M The arbiter M trivially satisfies the safety and liveness specifications on the environment processas requests from processes other than P ( ) are never enabled. By construction, M is also fair w.r.t. ENV . Yet this is clearly not our intended coordinator. We observe that the degree of fairness for M may differ with respect to individual processes. Specifically, M is fair to process P ( ) , but is only vacuously fair to P ( ) , as it never offers to synchronize with P ( ) .An even stronger notion of fairness than the one assumed here would rule out such vacuoussolutions, but that would require modifications to the algorithm. Instead, we modify the livenessspecification by appending a condition that forces computations where the coordinator accepts arequest from each process: SimulateStrongFairness n : = (cid:219) i ∈[ n ] □♢ request . i Our synthesis procedure returned the following arbiter on modifying the liveness specificationto
Mutex ∧ StarveFreedom ∧ SimulateStrongFairness M Arbiter2 = request . → M | grant . → M Arbiter2 | release . → M Arbiter2 M = request . → M Arbiter2 | grant . → M | release . → M This solution satisfies the conditions of desired arbiter for 2-process environment and exhibits astronger notion of fairness. In fact, it exhibits round-robin behavior despite the specification notincluding that as a requirement. This suggests that using higher-level models such as CSP couldhave advantages in generating good controllers despite under-specification.Similar observations were made for n =
3. The synthesized coordination program is as follows: M Arbiter3 = grant . → M | request . → M | release . → M M = request . → M Arbiter3 | request . → M | grant . → M M = request . → M Arbiter3 | grant . → M | release . → M M = grant . → M | release . → M | release . → M | request . → M The runtime analysis has been presented in Table 3. Unfortunately, the implementation did notscale beyond n =
4. But scalability is a challenge in temporal synthesis generally, e.g., recent
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :22 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
Table 3. Runtime analysis of arbiter case-study. For n > , the CSP process is ENV n , Safety spec is False, andLiveness spec is Mutex n ∧ StarveFreedom n ∧ SimulateStrongFairness n Number ofprocesses ( n ) SynthesizedCoordinator Run time (in seconds, timeout=1500s)Spec. aut.construction Sync. synthesisQBF (Default) OneHot-SAT2 M Arbiter2 M Arbiter3
Our case studies have demonstrated the promise of synthesis in thedesign of coordination programs. Synthesis raises the level of abstraction and offers considerableflexibility to adjust specifications to alter or introduce requirements. Automated synthesis mayeven result in simpler and smaller coordination programs than those written by hand. The casestudies also show, however, that the prototype implementation is limited to solving small probleminstances. We analyze why this is so, which suggests new and interesting directions for furtherresearch.The automaton-theoretic constructions of Section 6 crucially reduce a coordination synthesisproblem to a question of synchronous synthesis. Tables 1- 3 show that the time taken by thisprocedure is a small fraction of the total time taken by the coordination synthesis procedure.Furthermore, as the size of problem increases, the fraction of time spent inside this reduction phasedecreases considerably.The bulk of the time and space requirements are taken in the synchronous synthesis step. Asdescribed earlier in this Section, we use BoSy as the synchronous (bounded) synthesis engine. BoSyencodes a synchronous synthesis problem into a constraint-solving problem, using either SAT orQBF solvers. Although prior investigations suggest that QBF is more effective [Faymonville et al.2017b], our domain-specific OneHot-SAT encoding handily outperforms QBF, even though the sizeof the encoded constraint is larger. This, we believe, is because SAT solvers are more mature thanQBF solvers.The scalability of the BoSy encoding is influenced by two factors: the number of states inthe co-Büchi automaton given as input to BoSy, and the size of the automaton alphabet. In ourexperiments, the symbolic encoding of the alphabet, coupled with the OneHot-SAT encoding overthe inputs keeps the second factor under control. Although the number of states of the co-Büchiautomaton generated by our transformation procedure is linear in the size of the environment andthe automaton for the LTL specification, this size appears to be the key limiting factor for the BoSyencoding (and for related tools, such as Acacia+). The limit appears to be automata with more thanabout 250 states.This limit explains why the arbiter case-study did not scale well beyond 4 processes. The numberof states in the flat CSP environment with 4 processes is 3 = 81 , and the automaton for safety areliveness specifications have 1 and 14 states, respectively. As a result, the naive construction of theuniversal co-Büchi automaton consists of 2 · · = Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:23 such as abstraction and modular reasoning to tackle these large state spaces. For instance, thearbiter environment is fully symmetric across the processes, which suggests that a combination ofsymmetry and modular reasoning should help reduce the complexity of synthesis. New research isneeded to formulate such algorithms.
The task of coordinating independent processes is one that is of importance in many domains.Coordination must work in the face of concurrency, asynchrony, partial information, noisy data,and unreliable components. Automated synthesis methods could be of considerable help in tacklingthese challenges.In this work, we have formalized the synthesis question as follows. The component processesand the coordinator are modeled as CSP processes that interact using the standard CSP hand-shake mechanism. The specification is given in linear temporal logic, or as a co-Büchi automaton,describing desired sequences of interactions. The main contributions are (1) in formulating anexpressive model for the problem, as existing models turn out to be inadequate in various ways;(2) in the solution method, which is the first (to the best of our knowledge) to fully handle partialinformation, and do so for arbitrary LTL specifications; and (3) by giving a complexity-theoreticanalysis of the coordination synthesis problem. We show that there are significant practical andcomplexity-theoretic limitations to scalability, which suggests that research should be directedtowards new synthesis methods that can handle large state spaces.Reactive synthesis has been studied for several decades, starting with Church’s formulationof this question in the 1950s (cf. [Thomas 2009]). Much of the prior work is on synthesis for the synchronous, shared-variable model which, as argued in the introduction, is not a good match forthe coordination problems that arise in the motivating domains of multi-robot and IoT coordination.We review the relevant related work in detail below.
Reactive Synchronous Synthesis.
Church’s formulation of reactive synthesis was inspired by ap-plications to synthesis of hardware circuits, and thus assumes a synchronous model, where thesynthesized component alternates between input and output cycles. This question has been thor-oughly studied. In particular, the tree-based view of synthesis originates from this line of work, inparticular the seminal results of Rabin [Rabin 1969].The seminal work of Pnueli and Rosner [Pnueli and Rosner 1989a] on synchronous synthesis fromLTL specifications was followed by the discovery of efficient solutions for the GR(1) subclass [Bloemet al. 2012; Piterman et al. 2006], “Safraless” procedures [Kupferman and Vardi 2005], and boundedsynthesis methods [Filiot et al. 2010; Schewe and Finkbeiner 2007]. Those methods, in particular,have been implemented in a number of tools, e.g., [Bohy et al. 2012; Ehlers 2010, 2011; Faymonvilleet al. 2017a; Jobstmann and Roderick 2006; Pnueli et al. 2010] and applied in diverse settings(cf. [D’Ippolito et al. 2013; Kress-Gazit and Pappas 2010; Liu et al. 2013; Maoz and Sa’ar 2011, 2012]).We re-use the results of this line of research, transforming the asynchronous coordination synthesisproblem to an input-output synchronous synthesis problem, which can be solved by several ofthese tools.
Reactive Asynchronous Synthesis.
The seminal work in asynchronous synthesis from linear temporalspecifications, also for a shared-variable model, is that of Pnueli and Rosner [Pnueli and Rosner1989b]. This model is motivated by applications to asynchronous hardware design. In the model,an adversarial scheduler chooses when the synthesized system can sample the input stream. Thespecification, however, has a full view of all inputs and outputs. The highly adversarial nature ofthe scheduler coupled with the low-atomicity reads and writes to shared memory makes it difficult,however, to find specifications that are realizable. The original algorithm of Pnueli-Rosner for
Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :24 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar asynchronous synthesis transforms the problem into a canonical synthesis problem which fitsthe synchronous model. That algorithm is, however, too complex for practical implementation,although work in [Klein et al. 2012; Pnueli and Klein 2009] has devised heuristics that help solvecertain cases.In recent work [Bansal et al. 2018] present a significantly simpler and exponentially more compactconstruction that has been implemented. Our method for incorporating hidden actions is similar tothe mechanism used there to compress unobserved input values, while going beyond it to handleother forms of partial knowledge in the richer CSP model. Indeed, one can encode the asynchronousproblem as a coordination synthesis problem in CSP.Schewe and Finkbeiner [Schewe and Finkbeiner 2006] model asynchronous synthesis as thedesign of “black-box” processes (unknowns) that interact with known “white-box” processes. Thereare significant differences in modeling and in the solution strategy. Their model assumes thatprocesses are deterministic. In our model, processes may be non-deterministic, which permitsthe abstraction of complex internal behavior when representing real devices or robots. A secondimportant difference is that of the communication mechanism. In their model, communication isvia individual reads and writes to shared variables. As argued in the introduction, the message-passing model of CSP permits a higher degree of atomicity; it is also a better fit for the motivatingdomains. There are other differences as well: their solution strategy is based on tree automata, asin [Pnueli and Rosner 1989a], which has proved to be difficult to implement as it requires complex ω -automaton determinization constructions; ours is based on significantly simpler constructionsthat do not require determinization. Reactive Synthesis for CSP and similar models.
Manna and Wolper were the first to consider synthesisof CSP processes from LTL specifications [Manna and Wolper 1981; Wolper 1982]; in their model,environment entities can interact only with the controller and have no hidden actions. This isrelaxed in recent work [Ciolek et al. 2017], where the environment can be non-deterministic;however, all actions are visible except a distinguished τ action. The model, therefore, cannotdistinguish between multiple hidden actions; neither can the specification refer to such actions. Asargued in the introduction, hidden actions arise naturally from information hiding principles; ourwork removes both these limitations. Web services composition has been formulated in CSP-likemodels: in [Berardi et al. 2003], a coordinator is constructed based on a branching-time specificationin Deterministic Propositional Dynamic Logic, but only in a model with full knowledge.The seminal work of Ramadge and Wonham [Ramadge and Wonham 1989] on discrete eventcontrol considers a control problem with restricted specifications – in particular, the only non-safetyspecification is that of non-blocking. The synthesis algorithm in [Madhusudan 2001] extends theRamadge-Wonham model with a CSP-like formulation and allows branching-time specifications,but is also based on full knowledge of environment actions. To the best of our knowledge, this workis the first to consider partial knowledge from hidden actions and to allow arbitrary linear-timespecifications. Process-algebraic Synthesis.
In a different setting, work by Larsen, Thomsen and Liu [Larsen and Liu1990; Larsen and Thomsen 1988] considers how to solve process algebraic inequalities of the form E ∥ X ⪯ S where E is the environment process, X is the unknown process, S is a process definingthe specification, and ⪯ is a suitable process pre-order. They formulate an elegant method, usingalgebraic manipulations to systematically modify S based on E so that the inequality is transformedto a form X ⪯ S ′ which has a clear solution; the transformed specification S ′ can be viewed as a“quotient” process S / E . The construction of a quotient can incur exponential blowup, as shownin [Benes et al. 2013]. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:25
Other Synthesis Methods.
Synthesis methods for shared-memory systems with branching-timespecifications were developed in Emerson and Clarke’s seminal work [Emerson and Clarke 1982].Wong and Dill [Wong-Toi and Dill 1990] also consider the synthesis of a controller under synchro-nous and asynchronous models for shared-variable communication. In [Lustig and Vardi 2009], theauthors study a different but related problem of linking together a library of finite-state machinesto satisfy a temporal specification.As discussed in Section 3, synthesis questions may also be solved by producing winning strategiesfor infinite games. The complexity of games with partial information is studied in [Reif 1984],while symbolic algorithms for solving such games are presented in [Raskin et al. 2007]. These gameformulations, however, do not allow for asynchrony.There is a large literature on synthesis from input-output examples, representative results includesynthesis of expressions to fill “holes” in programs [Solar-Lezama et al. 2006] and the synthesis ofstring transformations [Harris and Gulwani 2011]. In most such instances, the synthesized programis terminating and non-reactive. One may view a LTL specification as describing an unboundedset of examples. The methods used for example-based synthesis are quite different, however; andit would be fruitful to attempt a synthesis (pun intended) of the example-driven and logic-basedapproaches.
ACKNOWLEDGMENTS
This work was supported, in part, by the National Science Foundation under Grant No. CCF-1563393.Any opinions, findings, and conclusions or recommendations expressed are those of the author(s)and do not necessarily reflect the views of the National Science Foundation.
REFERENCES [n. d.].
FDR4
BoSy
SPOT . https://spot.lrde.epita.fr/.Rajeev Alur, Salar Moarref, and Ufuk Topcu. 2016. Compositional synthesis of reactive controllers for multi-agent systems.In
Proc. of CAV . Springer, 251–269.Tomás Babiak, Mojmír Kretínský, Vojtech Rehák, and Jan Strejcek. 2012. LTL to Büchi Automata Translation: Fast and MoreDeterministic. In
Proc. of TACAS . 95–109.Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar. 2018. Synthesis of Asynchronous Reactive Programs from TemporalSpecifications. In
Proc. of CAV . 367–385.Nikola Benes, Benoît Delahaye, Uli Fahrenberg, Jan Kretínský, and Axel Legay. 2013. Hennessy-Milner Logic with GreatestFixed Points as a Complete Behavioural Specification Theory. In
Proc. of CONCUR . 76–90.Daniela Berardi, Diego Calvanese, Giuseppe De Giacomo, Maurizio Lenzerini, and Massimo Mecella. 2003. AutomaticComposition of E-services That Export Their Behavior. In
In proceedings of ICSOC . 43–58.Roderick Bloem, Barbara Jobstmann, Nir Piterman, Amir Pnueli, and Yaniv Sa’ar. 2012. Synthesis of Reactive(1) designs.
J.Comput. System Sci.
78, 3 (2012), 911–938.Aaron Bohy, Véronique Bruyère, Emmanuel Filiot, Naiyong Jin, and Jean-François Raskin. 2012. Acacia+, a Tool for LTLSynthesis. In
Proc. of CAV . 652–657.Randal E. Bryant. 1986. Graph-Based Algorithms for Boolean Function Manipulation.
IEEE Trans. Computers
35, 8 (1986),677–691.J. Richard Büchi and L.H. Landweber. 1969. Solving sequential conditions by finite-state strategies.
Trans. Amer. Math. Soc.
138 (1969), 367–378.Alonzo Church. 1957. Applications of recursive arithmetic to the problem of circuit synthesis. In
Summaries of the SummerInstitute of Symbolic Logic . Vol. I. Cornell Univ., Ithaca, N.Y., 3–50.Alonzo Church. 1963. Logic, arithmetic, and automata. In
Proc. Int. Congr. Math. 1962 . Inst. Mittag-Leffler, Djursholm,Sweden, 23–35.Daniel Ciolek, Víctor A. Braberman, Nicolás D’Ippolito, Nir Piterman, and Sebastián Uchitel. 2017. Interaction Models andAutomated Control under Partial Observable Environments.
IEEE Trans. Software Eng.
43, 1 (2017), 19–33.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :26 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
Nicolás D’Ippolito, Victor Braberman, Nir Piterman, and Sebastián Uchitel. 2013. Synthesizing nonanomalous event-basedcontrollers for liveness goals.
Transactions on Software Engineering and Methodology
22, 1 (2013), 9.Alexandre Duret-Lutz, Alexandre Lewkowicz, Amaury Fauchille, Thibaud Michaud, Etienne Renault, and Laurent Xu. 2016.Spot 2.0 - A Framework for LTL and \omega -Automata Manipulation. In
Proc. of ATVA . 122–129.Rüdiger Ehlers. 2010. Symbolic Bounded Synthesis. In
Proc. of CAV . 365–379.Rüdiger Ehlers. 2011. Unbeast: Symbolic Bounded Synthesis. In
Proc. of TACAS . 272–275.E Allen Emerson and Edmund M Clarke. 1982. Using branching time temporal logic to synthesize synchronization skeletons.
Science of Computer programming
2, 3 (1982), 241–266.Peter Faymonville, Bernd Finkbeiner, Markus N. Rabe, and Leander Tentrup. 2017b. Encodings of Bounded Synthesis. In
Proc. of TACAS . 354–370.Peter Faymonville, Bernd Finkbeiner, and Leander Tentrup. 2017a. BoSy: An Experimentation Framework for BoundedSynthesis. In
Proc. of CAV . 325–332.Emmanuel Filiot, Naiyong Jin, and Jean-François Raskin. 2009. An Antichain Algorithm for LTL Realizability. In
Proc. ofCAV . 263–277.Emmanuel Filiot, Naiyong Jin, and Jean-François Raskin. 2010. Compositional Algorithms for LTL Synthesis. In
Proc. ofATVA . 112–127.Bernd Finkbeiner and Sven Schewe. 2013. Bounded synthesis.
STTT
15, 5-6 (2013), 519–539.Nissim Francez. 1986.
Fairness . Springer.Thomas Gibson-Robinson, Philip J. Armstrong, Alexandre Boulgakov, and A. W. Roscoe. 2016. FDR3: a parallel refinementchecker for CSP.
International Journal on Software Tools for Technology Transfer
18, 2 (2016), 149–167.William R. Harris and Sumit Gulwani. 2011. Spreadsheet table transformations from examples. In
Symposium on Principlesof Programming Languages (POPL) , Vol. 46. 317–328.C. A. R. Hoare. 1978. Communicating Sequential Processes.
Commun. ACM
21, 8 (1978), 666–677.C. A. R. Hoare. 1985.
Communicating Sequential Processes . Prentice-Hall.Barbara Jobstmann and Roderick. 2006. Optimizations for LTL Synthesis. In
Proc. of FMCAD . 117–124.Uri Klein, Nir Piterman, and Amir Pnueli. 2012. Effective Synthesis of Asynchronous Systems from GR(1) Specifications.. In
International Conference on VMCAI . Springer, 283–298.Hadas Kress-Gazit and George J Pappas. 2010. Automatic synthesis of robot controllers for tasks with locative prepositions.In
International Conference on Robotics and Automation (ICRA) . IEEE, 3215–3220.Orna Kupferman and Moshe Y Vardi. 2005. Safraless decision procedures. In
Proc. of FOCS . IEEE, IEEE, 531–540.Kim Guldstrand Larsen and Xinxin Liu. 1990. Equation Solving Using Modal Transition Systems. In
Proc. of LICS .Kim Guldstrand Larsen and Bent Thomsen. 1988. A Modal Process Logic. In
Proc. of LICS . 203–210.Jun Liu, Necmiye Ozay, Ufuk Topcu, and Richard M. Murray. 2013. Synthesis of Reactive Switching Protocols From TemporalLogic Specifications.
IEEE Trans. Automat. Contr.
58, 7 (2013), 1771–1785.Yoad Lustig and Moshe Y. Vardi. 2009. Synthesis from Component Libraries. In
Proc. of FOSSACS . 395–409.P. Madhusudan. 2001.
CONTROL AND SYNTHESIS OF OPEN REACTIVE SYSTEMS . Ph.D. Dissertation. Institute of Mathe-matical Sciences, University of Madras.Zohar Manna and Amir Pnueli. 1987. Specification and Verification of Concurrent Programs By Forall-Automata. In
Prof. ofPOPL . 1–12.Zohar Manna and Pierre Wolper. 1981. Synthesis of Communicating Processes from Temporal Logic Specifications. In
Logics of Programs, Workshop . 253–281.Shahar Maoz and Yaniv Sa’ar. 2011. AspectLTL: an aspect language for LTL specifications. In
In Proc. of the AOSD . 19–30.Shahar Maoz and Yaniv Sa’ar. 2012. Assume-Guarantee Scenarios: Semantics and Synthesis. In
Proc. of MODELS . 335–351.S. Moarref and H. Kress-Gazit. 2018. Reactive Synthesis for Robotic Swarms.
Formal Modeling and Analysis of Timed Systems ,71–87.Nir Piterman, Amir Pnueli, and Yaniv Sa’ar. 2006. Synthesis of reactive (1) designs. In
International Conference on VMCAI ,Vol. 3855. Springer, Springer, 364–380.Amir Pnueli. 1977. The temporal logic of programs. In
Proc. of FOCS . IEEE, IEEE, 46–57.Amir Pnueli and Uri Klein. 2009. Synthesis of programs from temporal property specifications. In
Proc. of MEMOCODE .IEEE, 1–7.Amir Pnueli and Roni Rosner. 1989a. On the Synthesis of a Reactive Module. In
Prof. of POPL . 179–190.Amir Pnueli and Roni Rosner. 1989b. On the synthesis of an asynchronous reactive module.
Automata, Languages andProgramming (1989), 652–671.Amir Pnueli, Yaniv Sa’ar, and Lenore D. Zuck. 2010. JTLV: A Framework for Developing Verification Algorithms. In
Proc. ofCAV . 171–174.M.O. Rabin. 1969. Decidability of second-order theories and automata on infinite trees.
Trans. Amer. Math. Soc.
141 (1969),1–35.Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:27
P.J.G. Ramadge and W.M. Wonham. 1989. The control of discrete event systems.
IEEE Transactions on Control Theory
Logical Methods in Computer Science
3, 3 (2007).John H. Reif. 1984. The Complexity of Two-Player Games of Incomplete Information.
J. Comput. Syst. Sci.
29, 2 (1984),274–301.A. W. Roscoe. 1997.
The Theory and Practice of Concurrency . Prentice Hall PTR, Upper Saddle River, NJ, USA.Sven Schewe and Bernd Finkbeiner. 2006. Synthesis of Asynchronous Systems. In
Proc. of LOPSTR . 127–142.Sven Schewe and Bernd Finkbeiner. 2007. Bounded synthesis.
Proc. of ATVA (2007), 474–488.Armando Solar-Lezama, Liviu Tancau, Rastislav Bodik, Sanjit Seshia, and Vijay Saraswat. 2006. Combinatorial sketching forfinite programs.
Proc. of (ASPLOS)
34, 5 (2006), 404–415.Mate Soos, Karsten Nohl, and Claude Castelluccia. 2009. Extending SAT Solvers to Cryptographic Problems. In
InternationalConference on SAT . 244–257.Wolfgang Thomas. 2009. Facets of Synthesis: Revisiting Church’s Problem. In
Proc. of FOSSACS . 1–14.Pierre Wolper. 1982. Specification and Synthesis of Communicating Processes using an Extended Temporal Logic. In
Prof. ofPOPL . 20–33.Howard Wong-Toi and David L. Dill. 1990. Synthesizing Processes and Schedulers from Temporal Specifications. In
Proc. ofCAV . 272–281.
APPENDIXA.1 Simulating The Pnueli-Rosner Asynchronous Model in CSP
We show how to encode the Pnueli-Rosner asynchronous model, which is described in the intro-duction. The input x is encoded by the process definitions below, X and X represent the twopossible values of x . Here, r , r are public actions used to “read” the value (0 or 1) of x , while h , h are hidden transitions which model the non-reading points as chosen by an adversarial scheduler. X = r → X | r → X | h → X | h → X X = r → X | r → X | h → X | h → X The encoding of output y is simpler. Here, w , w are public actions that simulate “writes” to y ofthe values 0 and 1, respectively. Y = w → Y | w → Y Y = w → Y | w → Y Finally, we let the coordinator choose the starting Y state, via the processˆ Y = w → Y | w → Y But leave the choice of starting X state undetermined, via the process below, where τ is a privateaction. ˆ X = τ → X | τ → X The original specification φ , is interpreted over an infinite sequence of pairs of x , y values: ( x , y ) , ( x , y ) , . . . . This has to be transformed to be interpreted over action sequences that mimicthe behavior. Such a “well-formed” sequence satisfies several conditions: • The sequence begins with a τ action, then alternates actions from Σ y = { w , w } and Σ x = { r , r , h , h } . • Read actions, i.e. { r , r } , appear infinitely often. • Between successive read actions, there is at most one change in the write action. (For instance,the sequence w , w , w is not allowed.) This mimics the fact that there is only a single writeto y following the latest read. Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. :28 Suguman Bansal, Kedar S. Namjoshi, and Yaniv Sa’ar
It is easy to program a finite automaton to check these conditions. The automaton for the negatedtransformed specification ¬ φ ′ , is constructed as the product of an automaton that checks well-formedness and the automaton for the negated original specification φ , converted to analyzesequences of the alternating form defined in the first condition above. The conversion simplyreplaces an original transition on a pair ( x = i , y = j ) by a sequence of transitions: the first on w j ,the second on { r i , h i } .With these transformations, it is straightforward to show that φ is asynchronously realizableover sequences of the form ( x , y ) , ( x , y ) , . . . if and only if φ ′ is realizable for the environment E = ˆ X ∥ ˆ Y . □ A.2 Simulating The Pnueli-Rosner Synchronous Model in CSP
This is a simpler simulation. The process representing the input x is just the following, where thereare no internal actions. Thus, all reads are synchronized. X = r → X | r → X X = r → X | r → X The process representing y is as before, as are the initial process definitions for ˆ Y and ˆ X . Thewell-formedness conditions are also the same, except that Σ x is now only { r , r } . With thesedefinitions and transformations, it is straightforward to show that φ is synchronously realizableover sequences of the form ( x , y ) , ( x , y ) , . . . if and only if φ ′ is realizable for the environment E = ˆ X ∥ ˆ Y . □ A.3 Proof of Theorem 4.2
Theorem.
A synthesis instance ( E , φ ) is realizable if, and only if, it has a deterministic solutionprocess that has no internal actions. Proof. Let M be a process that is a solution to the instance ( E , φ ) . Let ∆ = Σ ∪ Γ .In the first stage, we eliminate private transitions in M (this set is necessarily disjoint from ∆ )to obtain M ′ that is also a solution but has no internal non-determinism. The states of M ′ arethose of M . The transition relation of M ′ is defined as follows: for states s , t and public action a , atriple ( s , a , t ) is in the transition relation of M ′ if, and only if, there is a path with the trace β ; a ; β ′ from s to t , where β and β ′ are both sequences of internal actions of M . Consider any maximalcomputation x of E ∥ M ′ . This computation can be turned into a maximal computation y of E ∥ M simply by restoring the sequences of internal actions of M used in defining each transition of M ′ (A subtle point is that it is possible for x to be finite and the corresponding maximal sequence y tobe infinite if there is an infinite path (a “tail”) of private transitions of M originating at the finalstate of x .) The two computations have identical traces when projected on ∆ , and if x is infiniteand fair, so is y . As y satisfies φ by the assumption that M is a solution, so does x .In the second stage, we eliminate external nondeterminism from M ′ to obtain M ′′ that is also asolution but has no external non-determinism. This could be done by determinizing M ′ using thestandard subset construction, but there is a simpler construction that does not incur the worst-caseexponential blowup; it simply restricts the transition relation. M ′′ has the same states and initialstate as M ′ ; however, its transition relation, T ′′ , is such that T ′′ ( s , a ) ⊆ T ′ ( s , a ) , and | T ′′ ( s , a )| = | T ′ ( s , a )| ≥
1. Informally, T ′′ chooses one of the successors of T ′ on action a from each state. Byconstruction, M ′′ is externally deterministic and has no internal actions.Unlike with the subset construction, the traces of M ′′ obtained by restriction could be a propersubset of those of M ′ , but it is still a solution. Consider any maximal computation x of E ∥ M ′′ . Byconstruction, x is also a maximal computation of E ∥ M ′ . As this satisfies φ by assumption, so does Proc. ACM Program. Lang., Vol. 1, No. POPL, Article 1. Publication date: January 2020. ynthesis of Coordination Programs 1:29 x . (A subtle point is that if x ends in a dead-end state of M ′′ , this state is also a dead-end state of M ′ , as the restriction only removes duplicate transitions.) □ A.4 Proof of Theorem 5.1
Theorem.
For a deterministic CSP process M , the process M ′ = proc ( fulltree ( M )) is bisimular to M . Proof. Let M ′ = proc ( fulltree ( M )) , where fulltree ( M ) = ( t , µ M ) . Define a relation B between thestates of M ′ and those of M by ( σ , s ) is in B iff s is reachable in M by the unique (by determinism)computation with trace σ . We show that B is a bisimulation relation. By its definition, ( ϵ , ι M ) is in B . Consider a pair ( σ , s ) in B . • Let ( σ , a , δ ) be a transition in M ′ . By definition, δ = σ ; a and a ∈ µ M ( σ ) . By the definition of µ M , and as s is the unique state reachable by σ in M , µ M ( σ ) is the set of actions enabled at s in M . Thus, there is a transition ( s , a , t ) in M , to some t . Then ( δ , t ) is in B . • Consider a transition ( s , a , t ) in M . As s is reachable by σ , t is reachable by δ = σ ; a . Bydefinition, µ M ( σ ) is the set of actions enabled at s , so it contains a . Thus, the transition ( σ , a , δ ) is present in M ′ , and ( δ , t ) is in B . □ A.5 Formulation of
GenEprivate
Predicate
GenEprivate (( q , r , e ) , д , L , ( q ′ , r ′ , e ′ )) holds if there is a path of 0-length or more consistingonly of private transitions from state e in E to e ′ , a run of the A S automaton on this path fromstate r to r ′ , a run of the A L automaton on the same path from state q to q ′ , set L does not intersectwith the public actions enabled on all states of the run in E , and д is true if one of the states onthe A L automaton run is a green (i.e., Büchi accepting) state. Let public ( e ) denote the set of publicactions enabled in state e in E . Being a reachability property, this can be defined as the least fixedpoint of ZG (( q , r , e ) , д , ( q ′ , r ′ , e ′ )) , where • (Base case) If q = q ′ , r = r ′ , e = e ′ , L ∩ public ( e ) = ∅ , then ZG (( q , r , e ) , д , L , ( q ′ , r ′ , e ′ )) holds,and д is true iff q is green, and • (Induction) If ZG (( q , r , e ) , д , L , ( q , r , e )) , J (( q , r , e ) , b , ( q ′ , r ′ , e ′ )) for a private action b ,and L ∩ public ( e ′ ) = ∅ , then ZG (( q , r , e ) , д , L , ( q ′ , r ′ , e ′ )) holds, with д being true if д is trueor q ′ is green. A.6 Arbiter for 3-processes
The coordination program obtained from synthesis of the arbiter for 3-processes is M M = grant . → M | request . → M | release . → M M = request . → M | request . → M | grant . → M M = request . → M | grant . → M | release . → M M = grant . → M | release . → M | release . → M | request . → M3