Publication


Featured research published by Yoad Lustig.


Computer Aided Verification | 2003

Reasoning with Temporal Logic on Truncated Paths

Cindy Eisner; Dana Fisman; John W. Havlicek; Yoad Lustig; Anthony McIsaac; David Van Campenhout

We consider the problem of reasoning with linear temporal logic on truncated paths. A truncated path is a path that is finite, but not necessarily maximal. Truncated paths arise naturally in several areas, among which are incomplete verification methods (such as simulation or bounded model checking) and hardware resets. We present a formalism for reasoning about truncated paths, and analyze its characteristics.


Tools and Algorithms for the Construction and Analysis of Systems | 2010

Rational synthesis

Dana Fisman; Orna Kupferman; Yoad Lustig

Synthesis is the automated construction of a system from its specification. The system has to satisfy its specification in all possible environments. Modern systems often interact with other systems, or agents. Many times these agents have objectives of their own, other than to fail the system. Thus, it makes sense to model system environments not as hostile, but as composed of rational agents; i.e., agents that act to achieve their own objectives. We introduce the problem of synthesis in the context of rational agents (rational synthesis, for short). The input consists of a temporal-logic formula specifying the system, temporal-logic formulas specifying the objectives of the agents, and a solution concept definition. The output is an implementation T of the system and a profile of strategies, suggesting a behavior for each of the agents. The output should satisfy two conditions. First, the composition of T with the strategy profile should satisfy the specification. Second, the strategy profile should be an equilibrium in the sense that, in view of their objectives, agents have no incentive to deviate from the strategies assigned to them, where “no incentive to deviate” is interpreted as dictated by the given solution concept. We provide a method for solving the rational-synthesis problem, and show that for the classical definitions of equilibria studied in game theory, rational synthesis is not harder than traditional synthesis. We also consider the multi-valued case in which the objectives of the system and the agents are still temporal logic formulas, but involve payoffs from a finite lattice.


Tools and Algorithms for the Construction and Analysis of Systems | 2008

On verifying fault tolerance of distributed protocols

Dana Fisman; Orna Kupferman; Yoad Lustig

Distributed systems are composed of processes connected in some network. Distributed systems may suffer from faults: processes may stop, be interrupted, or be maliciously attacked. Fault-tolerant protocols are designed to be resistant to faults. Proving the resistance of protocols to faults is a very challenging problem, as it combines the parameterized setting that distributed systems are based on with the need to consider a hostile environment that produces the faults. Considering all the possible fault scenarios for a protocol is very difficult. Thus, reasoning about fault-tolerant protocols clearly needs formal methods. In this paper we describe a framework for verifying the fault tolerance of (synchronous or asynchronous) distributed protocols. In addition to the description of the protocol and the desired behavior, the user provides the fault type (e.g., fail-stop, Byzantine) and its distribution (e.g., at most half of the processes are faulty). Our framework is based on augmenting the description of the configurations of the system with a mask describing which processes are faulty. We focus on regular model checking and show how it is possible to compile the input for the model-checking problem into one that takes the faults and their distribution into account, and to perform regular model checking on the compiled input. We demonstrate the effectiveness of our framework and argue for its generality.


Symposium on Theoretical Aspects of Computer Science | 2011

Temporal Synthesis for Bounded Systems and Environments

Orna Kupferman; Yoad Lustig; Moshe Y. Vardi; Mihalis Yannakakis

Temporal synthesis is the automated construction of a system from its temporal specification. It is by now realized that requiring the synthesized system to satisfy the specifications against all possible environments may be too demanding, and, dually, allowing all systems may not be demanding enough. In this work we study bounded temporal synthesis, in which bounds on the sizes of the state space of the system and the environment are additional parameters to the synthesis problem. This study is motivated by the fact that such bounds may indeed change the answer to the synthesis problem, as well as the theoretical and computational aspects of the synthesis problem. In particular, a finer analysis of synthesis, which takes system and environment sizes into account, yields deeper insight into the quantificational structure of the synthesis problem and the relationship between strong synthesis (there exists a system such that for all environments, the specification holds) and weak synthesis (for all environments there exists a system such that the specification holds). We first show that, unlike the unbounded setting, where determinacy of regular games implies that strong and weak synthesis coincide, these notions do not coincide in the bounded setting. We then turn to study the complexity of deciding strong and weak synthesis. We show that bounding the size of the system, or of both the system and the environment, turns the synthesis problem into a search problem, and one cannot expect to do better than brute-force search. In particular, the synthesis problem for bounded systems and environments is \Sigma^P_2-complete (in terms of the bounds, for a specification given by a deterministic automaton). We also show that while bounding the environment may lead to the synthesis of specifications that are otherwise unrealizable, such relaxation of the problem comes at a high price from a complexity-theoretic point of view.


International Journal on Software Tools for Technology Transfer | 2013

Synthesis from component libraries

Yoad Lustig; Moshe Y. Vardi

Synthesis is the automated construction of a system from its specification. In the classical temporal synthesis algorithms, it is always assumed that the system is "constructed from scratch" rather than "composed" from reusable components. This, of course, rarely happens in real life. In real life, almost every non-trivial commercial system, whether a hardware or a software system, relies heavily on libraries of reusable components. Furthermore, other contexts, such as web-service orchestration, can be modeled as synthesis of a system from a library of components. In this work, we define and study the problem of LTL synthesis from libraries of reusable components. We define two notions of composition: data-flow composition, for which we prove the problem is undecidable, and control-flow composition, for which we prove the problem is 2EXPTIME-complete. As a side benefit, we derive an explicit characterization of the information needed by the synthesizer about the underlying components. This characterization can be used as a specification formalism between component providers and integrators.


Formal Methods in Computer-Aided Design | 2007

What Triggers a Behavior

Orna Kupferman; Yoad Lustig

We introduce and study trigger querying. Given a model M and a temporal behavior \vartheta, trigger querying is the problem of finding the set of scenarios that trigger \vartheta in M. That is, if a computation of M has a prefix that follows the scenario, then its suffix satisfies \vartheta. Trigger querying enables one to find, for example, given a program with a function f, the scenarios that lead to calling f with some parameter value, or to find, given a hardware design with a signal err, the scenarios after which the signal err ought to be eventually raised. We formalize trigger querying using the temporal operator \mapsto (triggers), which is the most useful operator in modern industrial specification languages. A regular expression r triggers an LTL formula \vartheta in a system M, denoted M \models r \mapsto \vartheta, if for every computation \pi of M and index i \geqslant 0, if the prefix of \pi up to position i is a word in the language of r, then the suffix of \pi from position i satisfies \vartheta. The solution to the trigger query M \models ? \mapsto \vartheta is the maximal regular expression that triggers \vartheta in M. Trigger querying is useful for studying systems, and it significantly extends the practicality of traditional query checking [6]. Indeed, in traditional query checking, solutions are restricted to propositional assertions about states of the system, whereas in our setting the solutions are temporal scenarios. We show that the solution to a trigger query M \models ? \mapsto \vartheta is regular, and can be computed in polynomial space. Unfortunately, the polynomial-space complexity is in the size of M. Consequently, we also study partial trigger querying, which returns a (non-empty) subset of the solution, and is more feasible.
Other extensions we study are observable trigger querying, where the partial solution has to refer only to a subset of the atomic propositions; constrained trigger querying, where in addition to M and \vartheta, the user provides a regular constraint c and the solution is the set of scenarios respecting c that trigger \vartheta in M; and relevant trigger querying, which excludes vacuous triggers, i.e., scenarios that are not induced by a prefix of a computation of M. Trigger querying can be viewed as the problem of finding sufficient conditions for a behavior \vartheta in M. We also consider the dual problem of finding necessary conditions for \vartheta, and show that it can be solved in space complexity that is only logarithmic in M.


International Conference on Concurrency Theory | 2015

A Modular Approach for Büchi Determinization

Dana Fisman; Yoad Lustig

The problem of Büchi determinization is a fundamental problem with important applications in reactive synthesis, multi-agent systems and probabilistic verification. The first asymptotically optimal Büchi determinization (a.k.a. the Safra construction) was published in 1988. While asymptotically optimal, the Safra construction is notorious for its technical complexity and opaqueness in terms of intuition. While some improvements have been published since the Safra construction, notably Kähler and Wilke's construction, understanding the constructions remains a non-trivial task. In this paper we present a modular approach to Büchi determinization, where the difficulties are addressed one at a time, rather than simultaneously, making the solutions natural and easy to understand. We build on the notion of the skeleton trees of Kähler and Wilke. We first show how to construct a deterministic automaton in the case where the skeleton's width is one. Then we show how to construct a deterministic automaton in the case where the skeleton's width is k (for any given k). The overall construction is obtained by running in parallel the automata for all widths.


Electronic Notes in Theoretical Computer Science | 2006

Supporting SAT based BMC on Finite Path Models

Daniel Geist; Mark Ginzburg; Yoad Lustig; Ishai Rabinovitz; Ohad Shacham; Rachel Tzoref

The standard translation of a Bounded Model Checking (BMC) instance into a satisfiability problem (a.k.a. SAT) might produce misleading results in the case where the model under verification contains finite paths. Models with finite paths might be produced unknowingly when using modern verification languages such as PSL-Sugar [Property Specification Language: Reference Manual. Version 1.1, Accellera, June 2004]. Specifically, the use of language constructs such as restrict, assume, etc. might lead to such models. Thus the user may receive misleading results from SAT-based tools. In this paper we describe in what circumstances the finite path problem occurs and present an improved translation of the BMC problem into a SAT instance. The new translation does not suffer from the discussed shortcoming. Our translation is only slightly longer than the usual one, introducing one extra Boolean variable into the model. We also show that this translation may improve the SAT solver runtime even for models without finite paths.


Verification, Model Checking and Abstract Interpretation | 2008

Multi-valued logics, automata, simulations, and games

Orna Kupferman; Yoad Lustig

Multi-valued systems are systems in which the atomic propositions and the transitions are not Boolean and can take values from some set. Latticed systems, in which the elements in the set are partially ordered, are useful in abstraction, query checking, and reasoning about multiple viewpoints. For example, abstraction involves systems in which an atomic proposition can take values from {true, unknown, false}, and these values can be partially ordered according to a "being more true" order (true ≥ unknown ≥ false) or according to a "being more informative" order (true ≥ unknown and false ≥ unknown). For Boolean temporal logics, researchers have developed a rich and beautiful theory that is based on viewing formulas as descriptors of languages of infinite words or trees. This includes a relation between temporal-logic formulas and automata on infinite objects, a theory of simulation relations between systems, a theory of two-player games, and a study of the relations among these notions. The theory is very useful in practice, and is the key to almost all algorithms and tools we see today in verification.


Verification, Model Checking and Abstract Interpretation | 2007

Lattice automata

Orna Kupferman; Yoad Lustig

Collaboration


Yoad Lustig's collaborations.

Top Co-Authors

Orna Kupferman

Hebrew University of Jerusalem

Dana Fisman

University of Pennsylvania
