Program Synthesis is a Game Barbara Jobstmann CNRS/Verimag, Grenoble, France
Outline Synthesis using automata- based game theory. MoBvaBon, comparison with MC and LTL. Basics Terminology Reachability/Safety games 3. Büchi/coBüchi, Generalized ReacBvity- games 4. Generalized ReacBvity- approach
Analyze, Verify, and Synthesize Synthesis System ImplementaBon Algorithm How VerificaBon SpecificaBon ProperBes Model What Analysis Synthesis translates a high- level system descripbon into an executable implementabon Benefits: implementabon and reward for wribng specs (no double effort) Techniques vary depending on specificabon language and target implementabon. 3
Today What systems/programs would we like to synthesize? What specificabons do we assume? Crash- course on how to verify that program (of this type) sabsfies spec Idea of program repair/synthesis using games Basic games 4
ReacBve Systems Synthesis Systems (e.g., servers) Interact with environment Infinite durabon (non- terminabng) Finite data (or data abstracbons) Control- oriented VerificaBon Specifica(ons Set of good behaviors (a language) Temporal logic (which includes safety and liveness) data Analysis [Z. Manna and A. Pnueli. The Temporal Logic of ReacBve and Concurrent Systems., 99] [N. Halbwachs. Synchronous Programming of ReacBve Systems. 993] Bme 5
Example: Hardware ARM s AMBA AHB bus High performance on- chip bus (connects mulbple devices) Sends data from masters to clients Data, Address, and Control signals Arbiter part of bus (determines control signals) Up to 6 masters and 6 clients 6
Examples: AMBA AHB standard....... 7
Example: Linear- Temporal Logic E.g., When a locked unspecified length burst starts, a new access does not start unbl the current master (i) releases the bus by lowering HBUSREQi. Formal specificabon: E.g., for all masters i: always((hmastlock and HBURST=INCR and START and HMASTER=i) (not START un(l not HBUSREQi)) Time progresses with clock Bck 8
Example: Concurrent Sooware unsigned int got_lock = 0; while(*) { if (*) { lock(); got_lock++; if (got_lock!= 0) { unlock(); got_lock--; lock() {LOCK:=; unlock() {LOCK:=0; Specifica(ons P: do not acquire a lock twice P: do not call unlock without holding the lock 9
Example: Concurrent Sooware unsigned int got_lock = 0; : while(*) { : if (*) { 3: lock(); 4: got_lock++; 5: if (got_lock!= 0) { 6: unlock(); 7: got_lock--; Time progresses with change of line lock() lock: {LOCK:=; unlock() unlock: {LOCK:=0; Specifica(ons P: do not acquire a lock twice P: do not call unlock without holding the lock P: always( line=lock implies next( line!=lock w- un(l line=unlock )) P: ( line!=unlock w- un(l line=lock )) and always( line=unlock implies next( line!=unlock w- un(l line=lock )) 0
How to verify a ReacBve System? Core algorithm for linear- Bme temporal logic:. Source code auto/manual transibon system (FSM). SpecificaBon auto/manual monitor violabons 3. Check if model has a violabng trace product of trans. system and monitor check for exists of a trace in product (empbness)
Source Code unsigned int got_lock = 0; : while(*) { : if (*) { 3: lock(); 4: got_lock++; 5: if (got_lock!= 0) { 6: unlock(); 7: got_lock--; lock() lock: {LOCK:=; unlock() unlock: {LOCK:=0;
Step : TransiBon System int[0,,] got_lock = 0; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock++; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock--; 8:! Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=lock,gl=0 l=4, gl=0 l=5, gl=0 l=, gl=. l=5, gl= l=6, gl= l=, gl= l=, gl= l=3, gl= l=lock,gl= l=4, gl= l=5, gl= l=6, gl= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= l=8, gl=0.. 3
SpecificaBon P: do not acquire a lock twice P: do not call unlock without holding the lock P: always( line=lock implies next(line!=lock w- Un(l line=unlock)) P: ( line!=unlock w- un(l line=lock )) and always( line=unlock implies next( line!=unlock w- un(l line=lock )) 4
Linear- Time Temporal Logic [Pnueli77] Syntax: Atomic proposibons, e.g., line=, line!=, got_lock=0 Boolean operators: not, and, or, implies, Temporal operators: next (ϕ) ϕ un(l ϕ ϕ holds in the next step ϕ holds unbl at some point ϕ holds Used in industrial spec languages PSL/SVA Can express many interesbng properbes, e.g., mutual exclusion, deadlock freedom, terminabon 5
Linear- Time Temporal Logic SemanBcs defined with respect to infinite traces in each step atomic proposibons holds or not E.g., line=, got_lock line= line= got_lock.. Given a finite set of atomic proposition AP, a trace (or word) w over AP is an infinite sequence of truth assignments to AP, i.e., w ( AP ) ω. 6
Linear- Time Temporal Logic SemanBcs next (ϕ) ϕ holds in the next step ϕ.. ϕ un(l ϕ ϕ holds unbl at some point ϕ holds ϕ ϕ ϕ ϕ ϕ.... System S sabsfies/models ϕ, if all its behaviors sabsfy ϕ 7
Linear- Time Temporal Logic Many useful abbreviabons true = p or not p false = not true eventually(ϕ) = true un(l ϕ always(ϕ) = not (eventually(not ϕ)) ϕ w- un(l ϕ = (ϕ un(l ϕ ) or always(ϕ ) before, release, Other syntax: next:,x, unbl: U, eventually:, F, always:,g, w- unbl: W 8
How to verify a ReacBve System? Core algorithm for linear- Bme temporal logic:. Source code auto/manual transibon system (FSM). SpecificaBon auto/manual monitor violabons 3. Check if model has a violabng trace product of trans. system and monitor check for exists of a trace in product (empbness) 9
Step : Monitor for ViolaBons P: always( line=lock implies next( line!=lock w- un(l line=unlock )) = not eventually( line=lock and next( line!=unlock un(l line=lock )) line!=unlock line=lock line=lock 3 s: non- determinisbc choice s: no edge with line=unlock Automaton accepts trace/behavior is a blue state is visited infinitely ooen (Büchi ) Why do we track bad and not good behaviors? L(S) L(ϕ): forall w: w L(S) w L(ϕ) exists w: w L(S) w L( ϕ) 0
Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl=0. l=, gl= l=3, gl= l=lock,gl=0 l=lock,gl= l=4, gl=0 l=4, gl= l=5, gl=0 l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl=0.. line=lock line=lock 3
Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl=0. l=, gl= l=3, gl= l=lock,gl=0 l=4, gl=0 l=4, gl=0 l=lock,gl= l=4, gl= l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=6, gl= unlock, unlock, l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl=0.. line=lock line=lock 3
Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl= l=, gl=0. l=, gl= l=, gl= l=3, gl= l=3, gl= l=lock,gl=0 l=lock,gl= l=lock,gl= l=4, gl=0 l=4, gl=0 l=4, gl= l=4, gl= l=4, gl= 3 l=5, gl=0 l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=6, gl= unlock, unlock, l=unlock,gl= l=7, gl=0 l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl=0.. line=lock line=lock 3 Recall, we want to show a violabon: 3
Step 3: Product l=, gl=0 l=, gl= l=, gl= l=, gl= l=, gl=0. l=, gl= l=, gl= l=3, gl= l=3, gl= l=lock,gl=0 l=lock,gl= l=lock,gl= l=4, gl=0 l=4, gl=0 l=4, gl= l=4, gl= l=4, gl= 3 l=5, gl=0 l=5, gl=0 l=5, gl= l=5, gl= l=5, gl= l=6, gl= l=6, gl= l=6, gl= unlock, unlock, l=unlock,gl= l=7, gl=0 l=7, gl=0 l=7, gl= l=7, gl= line!=unlock l=8, gl=0.. line=lock line=lock Recall, we want to show a violabon: non- determinism in transibon system and in monitor pull in the same direc(on (both can be used to violate property) 3 4
Demo 5
Demo line = line = line = 5 line = 7 line = line = line = 3 line = lock line = 4 line = 5 line = 7 line = line = line = 3 line = lock 6
Source Code int[0,,] got_lock = 0; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock++; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock--; 8:! line = line = line = 5 line = 7 line = line = line = 3 line = lock line = 4 line = 5 line = 7 line = line = line = 3 line = lock 7
How to verify a ReacBve System? Core algorithm for linear- Bme temporal logic:. Source code auto/manual transibon system (FSM). SpecificaBon auto/manual monitor violabons 3. Check if model has a violabng trace product of trans. system and monitor check for exists of a trace in product (empbness) But how to repair it? 8
How to repair a ReacBve System?. Add freedom (choice for the system, allowed ways to modify system). Source code a/m transibon system (game) 3. SpecificaBon a/m monitor acceptance 4. Check if we can find system choices s.t. model is accepted by monitor product of trans. system and monitor search for winning strategy in game 9
Step : Freedom int[0,,] got_lock = 0; int[0,,] freedom; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom; 8:! (We can also extend to fault localizabon) 30
Step : Game int[0,,] got_lock = 0; int[0,,] freedom; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom; 8:! Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=lock,gl=0 l=, gl=. l=, gl= l=, gl= l=3, gl= l=lock,gl= l=4, gl=0 f= f=0 l=4, gl= f=0 f= f= l=5, gl=0 l=5, gl= l=6, gl= l=5, gl= l=6, gl= f=0 f= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= f= l=8, gl=0.. 3
Step : Game int[0,,] got_lock = 0; int[0,,] freedom; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom; 8:! Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=lock,gl=0 l=, gl=. l=, gl= l=, gl= l=3, gl= l=lock,gl= l=4, gl=0 f= f=0 l=4, gl= f=0 f= f= l=5, gl=0 l=5, gl= l=6, gl= l=5, gl= l=6, gl= f=0 f= l=unlock,gl= l=unlock,gl= l=7, gl=0 l=7, gl= l=7, gl= f= l=8, gl=0.. Two types of non- determinism! 3
Step : Game int[0,,] got_lock = 0; int[0,,] freedom; : while(*) { : if (*) { 3: lock(); lock: {LOCK:=; 4: got_lock:=freedom; 5: if (got_lock!= 0) { 6: unlock(); unlock: {LOCK:=0; 7: got_lock:=freedom; 8:! Trans. system variables: line (l), got_lock (gl) l=, gl=0 l=, gl=0 l=lock, gl=0 l=4, gl=0 l=7, gl=0 l=8, gl=0 l=, gl=. l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=, gl= l=, gl= l=3, gl= l=lock, gl= l=4, gl= f=0 f= f= l=5, gl=0 f=0 f= f= f= f=0 Two types of non- determinism! l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=.. 33
Step 3: Monitor for Acceptance P: always( line=lock implies next( line!=lock w- un(l line=unlock )) line!=lock line=lock line!=lock & line!=unlock line=unlock line=lock Since game has two types of non- determinism, we need to be careful with non- determinism in monitor. 34
Problem with Nondeterminism Coffee machine is correct if there is no water or if buwon is pressed machine serves coffee: eventually always(not water) or always(pressed implies eventually coffee) and always(not water implies not coffee) w=0 w= or c=0 p= and (w= or c=0) c=0 or w= OK p=0 and w= or c=0 OK c= and w= (Coffee machine wins if it visits a blue state infinitely ooen) 35
Step 3: Det. Monitor for Acceptance P: always( line=lock implies next( line!=lock w- un(l line=unlock )) line!=lock line=lock line!=lock & line!=unlock 3 line=unlock line=lock Classical approach: make it determinisbc (more powerful acceptance required) 36
Step 3: Product TS for got_lock in {0, DeterminisBc automaton l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l!=lock l=lock l!=lock & l!=unlock l=4, gl=0 l=4, gl=0 0 0 l=5, gl=0 l=5, gl= 0 l=6, gl= 0 l=unlock, gl= l=unlock l=lock 3 l=7, gl=0 l=7, gl= l=8, gl=0. 37
Step 3: Produce l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=4, gl=0 0 0 l=5, gl=0 0 0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl=.. l=5, gl= l=6, gl= l=unlock, gl= 0 0 l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= 3 l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 38
Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl=.. 3 0 0 0 0 0 0 l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 39
Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl=.. 3 0 0 0 0 0 0 l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 40
Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=4, gl=0 l=4, gl= l=4, gl=.. 3 0 0 0 0 0 0 l=5, gl= l=6, gl= l=unlock, gl= l=5, gl=0 l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= l!=lock l=lock l=unlock l!=lock & l!=unlock l=lock 3 4
Step 4: Winning States l=, gl=0 l=, gl= l=, gl=0 l=lock, gl=0 l=, gl= l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= 0 0 0 0 l=5, gl= l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= 4
Step 4: Winning Strategy l=, gl=0 l=, gl= In general: strategy is funcbon of program and monitor state l=, gl=0 l=lock, gl=0 l=4, gl=0 0 l=5, gl=0 0 0 l=7, gl=0 l=, gl= l=lock, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=4, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= Strategy to Repair: if (l=4 & gl=0 & s=) freedom:=0 if (l=4 & gl= & s=) freedom:= if (l=4 & gl=0 & s=0) freedom:= if (l=7 & gl=0 & s=) freedom:=0 if (l=7 & gl= & s=) freedom:=0.. freedom := f(l,gl,s) if (line=4) freedom := (gl=) (s=) if (line=7) freedom := 0 l=8, gl=0 l=8, gl= What we actually do: merge states before picking the strategy 43
Step 4: Winning Strategy l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=, gl=0 l=, gl= l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=lock, gl=0 l=4, gl=0 l=5, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= 0 0 0 0 l=5, gl= l=6, gl= l=unlock, gl= l=4, gl=0 l=4, gl= l=5, gl=0 l=5, gl= 0 0 l=6, gl= l=unlock, gl= l=7, gl=0 l=7, gl= l=7, gl=0 l=7, gl= l=8, gl=0 l=8, gl= l=8, gl=0 l=8, gl= 44
Step 4: Winning Strategy l=, gl=0 l=, gl=0 l=, gl= l=, gl= l=lock, gl=0 l=lock, gl=0 (line=4): freedom= (line=7): freedom= 0 l=4, gl=0 l=5, gl=0 0 0 l=7, gl=0 l=4, gl= l=5, gl= l=6, gl= l=unlock, gl= l=7, gl= l=8, gl=0 l=8, gl= 45
Repaired Program unsigned int got_lock = 0; : while(*) { : if (*) { 3: lock(); 4: got_lock = ; 5: if (got_lock!= 0) { 6: unlock(); 7: got_lock = 0; lock() lock: {LOCK=; unlock() unlock: {LOCK=0; 46
Demo Monitor: FREEDOM: 47
Demo 48
Program Repair Program Finite- state program Game Game TS: program with freedom Solve game Monitor Monitor TS: Winning condibon (Simple) Strategy SpecificaBon Correct Program with Bloem, Griesmayer, Staber in CAV 005, CHARME 005 (+ext to fault localizabon)
Classical Controller Synthesis FSM + freedom + monitor IniBally defined for invariants Game Game TS + winning cond. Solve game (Simple) Strategy Correct Program Ramadge, Wonham 87, Book by Cassandras, Lafortune 99/07
Synthesis from Temporal Logics Game Solve game Monitor + interface definibon Monitor TS: Winning condibon (Simple) Strategy SpecificaBon Correct Program Church (96), Büchi/Landweber (969, games), Rabin (97, trees), Pnueli/Rosner (989, LTL)
Program Synthesis Program Game FSM + freedom Game TS Solve game Monitor Monitor TS: Winning condibon (Simple) Strategy SpecificaBon Correct Program Modern Controller Synthesis, see overview papers by Walukiewicz et al., Ruwen & Girault,
Issues? Program How to abstract? FSM + freedom Game Game TS Size? Solve game How to solve efficiently? How to construct efficiently? How to specify? Monitor SpecificaBon LTL Monitor TS: Winning condibon How expressive? Size? Related research areas: How to map PL, AV, Control Theory, back? Game and Automata Theory (Simple) Strategy QuanBtaBve Program Synthesis Correct Program How to pick a strategy?
Issues with Monitor for LTL DeterminizaBon construcbon (Safra s) EXP worst case complexity LTL is very succinct How to construct efficiently? Monitor Monitor TS: Winning condibon How expressive? Size?
Some SoluBons Concentrate on subsets (different types of games) Ramadge, Wonham (Proc IEEE 89) Asarin, Maler, Pnueli, Sifakis (SSC 98) Alur, La Torre (LICS'0) Alur, Madhusudan, Nam (BMC'03, STTT'05) Wallmeier, Hüwer, Thomas (CIAA'03) Harding, Ryan, Schobbens (TACAS'05) Jobstmann, Bloem (CAV 05) Piterman, Pnueli, Sa'ar (VMCAI'06) (base of our work on synthesizing AMBA) OpBmize or avoid determinzabon construcbon Althoff, Thomas, Wallmeier (CIAA'05,TCS'06) Piterman (), Piterman, Henzinger (CSL'06) Kupferman, Vardi (FOCS'05) Kupferman, Piterman, Vardi (CAV'06) Schewe, Finkbeiner (ATVA'07), Filiot, Jin, Raskin (CAV'09) Symbolic representabon (e.g., using BDDs) Safety, Reachability Büchi, co- Büchi Det. generators for several subsets Safety+ using SAT, QBF, and BDDs Request- Response Work with nondet. automaton IdenBfied syntacbc subset Generalized ReacBvity- (GR- ) Implemented Safra Improved Safra, Good- for- game Bounded Synthesis (using co- Büchi)
Next Basic of automata- based game theory terminology reachability/safety, Buchi/co- Buchi games InteresBng games for LTL synthesis Generalized Buchi, ReacBvity- games Generalized ReacBvity- (GR- ) games Why is GR- good? (back to synthesis) 56