open implication

Institute for Applied Information Processing and Communications

1

Karin Greimel Semmering, 2008-05-19 Open Implication

Open Implication


2


Outline

• Context• Introduction

– LTL specifications, systems– example

• Formal Definition, Complexity• Algorithms

– with optimal complexity– Safraless– GR(1)

• Experimental Results• Summary


3


Big Picture

What do HW and SW designers do?

1. Write a specification

2. Implement system

3. Check if sys. realizes spec.

4. Debug

Our idea of HW/SW design:

1. Write specification

2. Automatically construct

3. Relax


4


LTL Specifications

Linear Temporal Logic:• High level specification language• Boolean logic + temporal operators (X, G, F, U)• Semantics defined over infinite sequences (= words = traces)• Describe behavior of open systems

Open system ( = Moore machine = transducer):• Interacts with its environment (output and input variables)• Examples: controller for elevator, traffic light, arbiter for a bus

Definitions: An open system realizes an LTL formula iff all traces of the open system satisfy the formula.

Verification: Does a given system realize the specification.Realizability: Is there an open system that realizes a given spec.?Synthesis: Automatically construct an open system realizing the spec..


5


LTL Specifications - Example

Part of a requirement for an arbiter:• a ... acknowledgement, output variable• r ... request, input variable

f = GF(r) → G(a→X(¬a)) If there is always a request at some point, then always if there is an

ack., there is no ack. in the next step.

Open system realizing f, all traces satisfy f:


6


Example Equivalence

Are f and g equivalent?

Consider w = (a,¬r)ω, w satisfies f but not g.

Find an open system which realizes f but not g?

f = GF(r) → G(a→X(¬a))g = G(a→X(¬a)) Not equivalent!


7


Definitions

Motivation:• Synthesis of g: find a smaller specification f such that

f →o g and synthesise f.

• Verification of g: find a smaller specification f such that

f →o g and f →o g and verify f.

Definition: Given two LTL formulas f and g, f open-implies g (f →o g) if all open systems realizing f also realize g.

Definition: Given two LTL formulas f and g, f trace-implies g if all traces satisfying f also satisfy g.


8


Comparison

Definition of equivalence of LTL specifications with respect to open systems and with respect to traces.

+ Open-implication is weaker:• f = GF(r) → G(a→X(¬a)) and g = G(a→X(¬a))• are not trace equivalent but open equivalent.

- Open-implication has a very high complexity:• same complexity as realizability,

• consider f →o false,

• 2EXP.


10


Algorithm - Idea

Find an open system that realizes f but not g, then ¬(f →o g): – An open system does not realize g iff there exists a trace that

satisfies ¬g.

Calculate realizability for f and satisfiability for ¬g simultaneously.

An open system can be represented by a tree:

every trace of the open system corresponds to a path in the tree.


11


Algorithm with optimal complexity

1) Realizability (2EXP):– f → Deterministic Parity Tree automaton– f realizable iff language of the DPT is not empty– tree accepted by the DPT ≙ open system realizing f

2) Satisfiability (PSPACE): – ¬g → Nondeterministic Büchi Word automaton– ¬g satisfiable iff language of NBW is not empty– word accepted by the NBW ≙ word satisfying ¬g


12


Algorithm - Safraless

Calculate realizability avoiding Safra’s determinization construction (O. Kupferman and M. Y. Vardi. Safraless decision procedures.):

• f → Universal Co-Büchi Tree automaton• tree accepted by the UCT ≙ open system realizing f• UCT → Nondeterministic Büchi Tree automaton with bound k

• tree accepted by the NBTk ≙ open system of size ≤ k realizing f

+ easier to implement

+ incremental approach, useful to find counter examples

- does not meet the lower bound


13


Implementation

Consider a subset of LTL: General Reactivity of Rank 1 (GR(1))(N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs) :

g = ge → gs environment assumption → system guaranty

Environment assumptions and system guaranties can be represented by deterministic Büchi automata.

Example: f = GFr → G(a→X(¬a))

f →o g?:• Calculate realizability for f and satisfiability for ¬g simultaneously,• by solving a fixpoint formula.• Symbolic algorithm in P.


14


Results of Arbiter Case Study: new →o old

Time needed for calculations

1

10

100

1000

10000

100000

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15

number of masters

tim

e (s

)

synthesis old

synthesis new

open implication

R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer:

- Automatic hardware synthesis from specification: A case study- Specify, compile, run: Hardware from PSL

Time for synthesis new + open implication << time for old synthesis


15


Summary

• Defined open implication:– Compared to trace-implication

• Developed 3 algorithms:– Automata theoretic with optimal complexity– Automata theoretic avoiding Safras construction– Fixpoint formula for GR(1) with implementation

• Case study


16


Thank you for your attention

References:O. Kupferman and M. Y. Vardi. Safraless decision procedures. In

Symposium on Foundations of Computer Science (FOCS’05), pages 531-542, 2005.

N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs. In Proc. Verification, Model Checking and Abstract Interpretation, pages 364-380, 2006

R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Automatic hardware synthesis from specifications: A case study. In DATE, 2007.

R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Specify, compile, run: Hardware from PSL. In 6th International Workshop on Compiler Optimization Meets Compiler Verification, pages 3-16, 2007.

open implication

Documents