Institute for Applied Information Processing and Communications
1
Karin Greimel Semmering, 2008-05-19 Open Implication
Open Implication
Institute for Applied Information Processing and Communications
2
Karin Greimel Semmering, 2008-05-19 Open Implication
Outline
• Context• Introduction
– LTL specifications, systems– example
• Formal Definition, Complexity• Algorithms
– with optimal complexity– Safraless– GR(1)
• Experimental Results• Summary
Institute for Applied Information Processing and Communications
3
Karin Greimel Semmering, 2008-05-19 Open Implication
Big Picture
What do HW and SW designers do?
1. Write a specification
2. Implement system
3. Check if sys. realizes spec.
4. Debug
Our idea of HW/SW design:
1. Write specification
2. Automatically construct
3. Relax
Institute for Applied Information Processing and Communications
4
Karin Greimel Semmering, 2008-05-19 Open Implication
LTL Specifications
Linear Temporal Logic:• High level specification language• Boolean logic + temporal operators (X, G, F, U)• Semantics defined over infinite sequences (= words = traces)• Describe behavior of open systems
Open system ( = Moore machine = transducer):• Interacts with its environment (output and input variables)• Examples: controller for elevator, traffic light, arbiter for a bus
Definitions: An open system realizes an LTL formula iff all traces of the open system satisfy the formula.
Verification: Does a given system realize the specification.Realizability: Is there an open system that realizes a given spec.?Synthesis: Automatically construct an open system realizing the spec..
Institute for Applied Information Processing and Communications
5
Karin Greimel Semmering, 2008-05-19 Open Implication
LTL Specifications - Example
Part of a requirement for an arbiter:• a ... acknowledgement, output variable• r ... request, input variable
f = GF(r) → G(a→X(¬a)) If there is always a request at some point, then always if there is an
ack., there is no ack. in the next step.
Open system realizing f, all traces satisfy f:
Institute for Applied Information Processing and Communications
6
Karin Greimel Semmering, 2008-05-19 Open Implication
Example Equivalence
Are f and g equivalent?
Consider w = (a,¬r)ω, w satisfies f but not g.
Find an open system which realizes f but not g?
f = GF(r) → G(a→X(¬a))g = G(a→X(¬a)) Not equivalent!
Institute for Applied Information Processing and Communications
7
Karin Greimel Semmering, 2008-05-19 Open Implication
Definitions
Motivation:• Synthesis of g: find a smaller specification f such that
f →o g and synthesise f.
• Verification of g: find a smaller specification f such that
f →o g and f →o g and verify f.
Definition: Given two LTL formulas f and g, f open-implies g (f →o g) if all open systems realizing f also realize g.
Definition: Given two LTL formulas f and g, f trace-implies g if all traces satisfying f also satisfy g.
Institute for Applied Information Processing and Communications
8
Karin Greimel Semmering, 2008-05-19 Open Implication
Comparison
Definition of equivalence of LTL specifications with respect to open systems and with respect to traces.
+ Open-implication is weaker:• f = GF(r) → G(a→X(¬a)) and g = G(a→X(¬a))• are not trace equivalent but open equivalent.
- Open-implication has a very high complexity:• same complexity as realizability,
• consider f →o false,
• 2EXP.
Institute for Applied Information Processing and Communications
10
Karin Greimel Semmering, 2008-05-19 Open Implication
Algorithm - Idea
Find an open system that realizes f but not g, then ¬(f →o g): – An open system does not realize g iff there exists a trace that
satisfies ¬g.
Calculate realizability for f and satisfiability for ¬g simultaneously.
An open system can be represented by a tree:
every trace of the open system corresponds to a path in the tree.
Institute for Applied Information Processing and Communications
11
Karin Greimel Semmering, 2008-05-19 Open Implication
Algorithm with optimal complexity
1) Realizability (2EXP):– f → Deterministic Parity Tree automaton– f realizable iff language of the DPT is not empty– tree accepted by the DPT ≙ open system realizing f
2) Satisfiability (PSPACE): – ¬g → Nondeterministic Büchi Word automaton– ¬g satisfiable iff language of NBW is not empty– word accepted by the NBW ≙ word satisfying ¬g
Institute for Applied Information Processing and Communications
12
Karin Greimel Semmering, 2008-05-19 Open Implication
Algorithm - Safraless
Calculate realizability avoiding Safra’s determinization construction (O. Kupferman and M. Y. Vardi. Safraless decision procedures.):
• f → Universal Co-Büchi Tree automaton• tree accepted by the UCT ≙ open system realizing f• UCT → Nondeterministic Büchi Tree automaton with bound k
• tree accepted by the NBTk ≙ open system of size ≤ k realizing f
+ easier to implement
+ incremental approach, useful to find counter examples
- does not meet the lower bound
Institute for Applied Information Processing and Communications
13
Karin Greimel Semmering, 2008-05-19 Open Implication
Implementation
Consider a subset of LTL: General Reactivity of Rank 1 (GR(1))(N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs) :
g = ge → gs environment assumption → system guaranty
Environment assumptions and system guaranties can be represented by deterministic Büchi automata.
Example: f = GFr → G(a→X(¬a))
f →o g?:• Calculate realizability for f and satisfiability for ¬g simultaneously,• by solving a fixpoint formula.• Symbolic algorithm in P.
Institute for Applied Information Processing and Communications
14
Karin Greimel Semmering, 2008-05-19 Open Implication
Results of Arbiter Case Study: new →o old
Time needed for calculations
1
10
100
1000
10000
100000
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15
number of masters
tim
e (s
)
synthesis old
synthesis new
open implication
R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer:
- Automatic hardware synthesis from specification: A case study- Specify, compile, run: Hardware from PSL
Time for synthesis new + open implication << time for old synthesis
Institute for Applied Information Processing and Communications
15
Karin Greimel Semmering, 2008-05-19 Open Implication
Summary
• Defined open implication:– Compared to trace-implication
• Developed 3 algorithms:– Automata theoretic with optimal complexity– Automata theoretic avoiding Safras construction– Fixpoint formula for GR(1) with implementation
• Case study
Institute for Applied Information Processing and Communications
16
Karin Greimel Semmering, 2008-05-19 Open Implication
Thank you for your attention
References:O. Kupferman and M. Y. Vardi. Safraless decision procedures. In
Symposium on Foundations of Computer Science (FOCS’05), pages 531-542, 2005.
N. Piterman, A. Pnueli and Y. Sa‘ar. Synthesis of reactive(1) designs. In Proc. Verification, Model Checking and Abstract Interpretation, pages 364-380, 2006
R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Automatic hardware synthesis from specifications: A case study. In DATE, 2007.
R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli und M. Weiglhofer. Specify, compile, run: Hardware from PSL. In 6th International Workshop on Compiler Optimization Meets Compiler Verification, pages 3-16, 2007.