A Symbolic Approach to Safety LTL Synthesis
Shufang Zhu (1), Lucas M. Tabajara (2), Jianwen Li (2), Geguang Pu (1), Moshe Y. Vardi (2)
(1) East China Normal University
(2) Rice University
Lucas M. Tabajara (Rice University) Safety LTL Synthesis November 15th, 2017 1 / 25
Reactive Synthesis
Figure: a reactive System interacting with its Environment. The System holds an internal state and, in every round, 1. receives inputs from the Environment, 2. updates its internal state, 3. emits outputs.
Goal: Automatically design reactive systems that are guaranteed to follow a temporal specification.
LTL Synthesis
Linear Temporal Logic (LTL):
ϕ ::= ⊤ | ⊥ | p | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | Xϕ | ϕ1 R ϕ2 | ϕ1 U ϕ2
Gϕ ≡ ⊥ R ϕ        Fϕ ≡ ⊤ U ϕ
LTL Synthesis:
Given: LTL formula ϕ over a set of propositional variables P = X ∪ Y
- Input variables: X
- Output variables: Y
Obtain: Set of states S and strategy g : 2^X × S → 2^Y × S such that every trace satisfies ϕ.
Classical Approach to LTL Synthesis
LTL Formula → (construct automaton; Vardi, Wolper 1994) → Nondeterministic Büchi Automaton → (determinize) → Parity Game → (solve game) → Strategy
Synthesis of LTL Fragments
LTL synthesis remains a challenging problem:
- 2EXPTIME theoretical complexity.
- Lack of scalable algorithms for determinization and solving games.
Solution: Focus on synthesis procedures for fragments of LTL.
Example: Generalized Reactivity(1) (GR(1)) fragment:
(θ_e ∧ Gρ_e ∧ GFϕ^e_1 ∧ ... ∧ GFϕ^e_m) → (θ_s ∧ Gρ_s ∧ GFϕ^s_1 ∧ ... ∧ GFϕ^s_n)
- GR(1) games can be solved in time cubic in the size of the game graph.
Other easier fragments of LTL? Safety LTL.
Safety Properties
“Bad things don’t happen”
Safety property: p R q
(q doesn’t become false until after p becomes true)
Non-safety property: G(r → Fg)
(every request is eventually granted)
Safety property: G(r → (g ∨ Xg ∨ XXg))
(every request is granted within two time steps)
All eventualities are bounded.
Bad prefix
For a given temporal formula ϕ, a finite trace π = π1 π2 ... πn is a bad prefix if π cannot be extended to a satisfying trace.
ϕ = p R q
{q}, {q}, ..., {q}, {p, q}, {p}, ... ⊨ ϕ
{q}, {q}, ..., {q}, {}, {p}, ... ⊭ ϕ
A temporal formula ϕ is safe if every trace that does not satisfy ϕ has a bad prefix.
Syntactical Safety
Purely syntactical sufficient condition for safety:
Theorem (Sistla; 1994)
If ϕ is an LTL formula in Negation Normal Form and ϕ is Until-free, then ϕ is safe.
Allows us to define an LTL fragment that guarantees safety.
Safety LTL
Linear Temporal Logic (LTL):
ϕ ::= ⊤ | ⊥ | p | ¬ϕ | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | Xϕ | ϕ1 R ϕ2 | ϕ1 U ϕ2
Safety LTL:
ϕ ::= ⊤ | ⊥ | p | ¬p | ϕ1 ∧ ϕ2 | ϕ1 ∨ ϕ2 | Xϕ | ϕ1 R ϕ2
Safety LTL corresponds to the fragment of Until-free LTL formulas in Negation Normal Form.
Synthesis of the Safety LTL Fragment
Safety LTL Synthesis:
Given: Safety LTL formula ϕ over a set of propositional variables P = X ∪ Y
- Input variables: X
- Output variables: Y
Obtain: Set of states S and strategy g : 2^X × S → 2^Y × S such that every trace satisfies ϕ.
Our work: Safety LTL synthesis can be reduced to safety games.
Deterministic Safety Automata (DSA)
Every Safety LTL formula can be converted to a DSA:
Figure: example DSA with states s0 (initial), s1, s2 over variables {x1, x2, y1, y2}; each edge is labelled by the sets of variables that hold on it, e.g. {x1, x2, y1}, {x1, x2, y2}, {x1, y1}, {x2, y2}, {}, {y2}, {y1}, {x1, y2}, {x2, y1}.
- Büchi with partial transition function and all states accepting.
- Run is accepting iff it never takes an undefined transition (bad prefix).
Safety Games
Figure: the same example DSA (states s0, s1, s2 over {x1, x2, y1, y2}), now read as a game graph.
- Environment controls input variables X, wins if automaton rejects.
- System controls output variables Y, wins if automaton never rejects.
Safety Games for Safety LTL Synthesis
Winning strategy for the system encodes solution to Safety LTL synthesis:
System wins ⇒ Automaton never rejects
⇒ No undefined transition
⇒ No bad prefix
⇒ Formula is satisfied
Safety games can be solved efficiently: linear time in size of game graph.
Our goal: Efficient techniques for Safety LTL synthesis via safety games.
First Approach: Horn-SAT
Key idea: Reduce safety games to Horn-SAT.
Horn-SAT
Given a boolean formula ϕ = ϕ1 ∧ ... ∧ ϕm where every ϕi is of the form (p1 ∧ ... ∧ pn) → q, is ϕ satisfiable?
Horn-SAT can be solved in linear time by SAT solvers using constraint propagation.
1. Use SPOT (Duret-Lutz et al.; 2016): LTL to Büchi automata.
   - Safety LTL is a special case of LTL.
   - Safety automaton is a special case of a Büchi automaton.
2. Encode safety game as Horn formula.
   - Satisfying assignment encodes winning strategy.
3. Solve Horn-SAT using SAT solver.
The State Explosion Problem
Safety LTL → (2EXPTIME) → Safety Automaton → (Linear) → Horn-SAT → (Linear) → Strategy
Solution: Represent the safety automaton symbolically using Binary Decision Diagrams (BDDs).
- State space of size n encoded using log2(n) boolean variables Z.
- Every state represented by an assignment in 2^Z.
- Transition function as a boolean function 2^X × 2^Y × 2^Z → 2^Z.
Second Approach: Symbolic Safety LTL Synthesis
Key idea: Leverage tools for symbolic construction of automata over finite words.
- MONA (Henriksen et al.; 1995): First-Order Logic over finite words to symbolic Deterministic Finite Automata (using BDDs).
- Safety LTL: like LTL, interpreted over infinite words.
- However: every falsifying trace of ϕ has a finite bad prefix.
  {q}, {q}, ..., {q}, {}, {p}, ... ⊭ p R q
- Therefore: can translate ¬ϕ to FOL over finite bad prefixes.
Finite Automaton to Safety Automaton
MONA constructs DFA for the bad prefixes of ϕ:
Figure: the example automaton from above (states s0, s1, s2 over {x1, x2, y1, y2}) extended with a fourth state s3, the accepting sink for bad prefixes; every transition that was undefined in the DSA now leads to s3, and s3 loops on every letter (∗).
By deleting bad states, we can view the DFA as a DSA for ϕ.
Symbolic Safety LTL Synthesis
Given Safety LTL formula ϕ:
1. Use MONA to construct symbolic DFA for bad prefixes of ϕ.
2. Interpret symbolic DFA as symbolic DSA.
3. Compute winning states as a fixpoint:
   3.1 Start with set of all accepting states.
   3.2 At each step, remove states where Environment can move to a bad state.
   3.3 Stop when fixpoint is reached.
4. Compute strategy as a boolean function using boolean-synthesis procedure (Fried, Tabajara, Vardi; CAV 2016).
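Steps 2 and 3 carried out on explicit state sets instead of BDDs, as an added example that is not code from the talk or from SSyft: the two DFAs for bad prefixes are hand-built for the formulas named in the comments (one input x, one output y), and the state names and the sink `bad` are assumptions of this example.

```python
from itertools import product

LETTERS = list(product((0, 1), (0, 1)))   # letters (x, y): input bit x, output bit y

def dfa(rows):
    """delta[(state, x, y)] from rows: state -> successors listed in LETTERS order."""
    return {(s, x, y): t for s, succ in rows.items() for (x, y), t in zip(LETTERS, succ)}

# Constructed DFA for the bad prefixes of  G(x -> y) /\ G(y -> X !y).
# s0: y allowed, nothing owed; s1: y forbidden this step; bad: accepting sink.
UNREALIZABLE = dfa({"s0": ["s0", "s1", "bad", "s1"],
                    "s1": ["s0", "bad", "bad", "bad"],
                    "bad": ["bad"] * 4})

# Constructed DFA for the bad prefixes of  G(x -> (y \/ X y)) /\ G(y -> X !y).
# s2: a grant y is owed this step (and allowed).
REALIZABLE = dfa({"s0": ["s0", "s1", "s2", "s1"],
                  "s1": ["s0", "bad", "s2", "bad"],
                  "s2": ["bad", "s1", "bad", "s1"],
                  "bad": ["bad"] * 4})

def solve(delta, bad="bad"):
    """Steps 2-3 on an explicit DFA: a move into the sink is an undefined DSA
    transition; shrink the winning set until no input lets the Environment
    force every System output out of it. Returns (winning_states, strategy)."""
    win = {s for s, _, _ in delta} - {bad}                        # 3.1
    while True:
        keep = {s for s in win
                if all(any(delta[(s, x, y)] in win for y in (0, 1)) for x in (0, 1))}
        if keep == win:                                            # 3.3 fixpoint
            break
        win = keep                                                 # 3.2
    # strategy[(s, x)]: an output that keeps the run inside the winning set
    strategy = {(s, x): next(y for y in (0, 1) if delta[(s, x, y)] in win)
                for s in win for x in (0, 1)}
    return win, strategy

def realizable(delta, init="s0"):
    return init in solve(delta)[0]

def run(delta, strategy, inputs, init="s0", bad="bad"):
    """Play the strategy against an input sequence; True iff no bad prefix occurs."""
    s = init
    for x in inputs:
        s = delta[(s, x, strategy[(s, x)])]
        if s == bad:
            return False
    return True
```

On REALIZABLE the fixpoint keeps all three states and the strategy grants one step after each request; on UNREALIZABLE two rounds of step 3.2 empty the set, because the Environment wins by requesting twice in a row.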
Two Approaches for Safety LTL Synthesis
- Explicit synthesis framework: Safety LTL → Safety Automaton → Horn-SAT → Strategy
- Symbolic synthesis framework: Safety LTL → Symbolic DFA → Symbolic DSA → Strategy
Experimental Evaluation
Comparison between:
- Explicit approach using Horn-SAT.
- SSyft tool implementing symbolic approach.
- LTL synthesis tools Unbeast (Ehlers; 2010) and Acacia+ (Bohy et al.; 2012).
Benchmarks
LoadBalancer formulas from (Ehlers; 2010):
- Converted to Negation Normal Form.
- Since not all formulas are safe, expanded the Until operator:
  Not safe: ϕ1 U ϕ2
  Expansion length 0: ϕ2
  Expansion length 1: ϕ2 ∨ (ϕ1 ∧ Xϕ2)
  Expansion length 2: ϕ2 ∨ (ϕ1 ∧ X(ϕ2 ∨ (ϕ1 ∧ Xϕ2)))
  ...
- Varied expansion length.
Symbolic Approach Dominates
Figure: cactus plot of number of solved cases (0 to 400) against total time (0 to 60) for SSyft, Acacia+, Horn_SAT and Unbeast.
Figure: solved cases of LoadBalancer (0 to 100) against expansion length (0 to 4) for SSyft, Horn_SAT, Acacia+ and Unbeast.
Summary
- Contribution: Two frameworks for Safety LTL synthesis, explicit and symbolic.
- Results: Symbolic framework outperforms tools for general LTL synthesis.
- Conclusion: Can benefit from focusing on specific LTL fragments for synthesis.
Future Work
- On-the-fly synthesis to avoid bottleneck of automaton construction.
- Comparison with other LTL fragments, such as GR(1) (Bloem, Jobstmann, Piterman, Pnueli; 2012).
- Safety games as a subproblem of general LTL synthesis.
Questions?
Extra Slides
Safety LTL vs. GR(1)
GR(1) formula:
(θ_e ∧ Gρ_e ∧ GFϕ^e_1 ∧ ... ∧ GFϕ^e_m) → (θ_s ∧ Gρ_s ∧ GFϕ^s_1 ∧ ... ∧ GFϕ^s_n)
For α ∈ {e, s}:
- θ_α: Safety
- Gρ_α: Safety
- GFϕ^α_i: Non-safety
A GR(1) formula with m = n = 0 is a safety formula.
Safety Game to Horn-SAT
Given a Safety Automaton A = (2^P, S, s0, δ), build a Horn formula where:
- Variables encode bad states:
  b_s: s is a losing state for the System
  b_(s,X,Y): Y is a losing move of the System on state s for input X
- Constraints encode bad transitions:
  (1) b_(s,X,Y), for δ(s, X ∪ Y) undefined
  (2) b_s′ → b_(s,X,Y), for δ(s, X ∪ Y) = s′
  (3) (⋀_{Y ∈ 2^Y} b_(s,X,Y)) → b_s, for every s ∈ S, X ∈ 2^X
  (4) b_s0 → ⊥
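The encoding (1)-(4) built over a constructed toy DSA and solved by unit propagation, as an added example that is not code from the talk or from the Horn-SAT tool it evaluates; the automaton, its state names, X = {x}, Y = {y} and the tuple encoding of the b variables are assumptions of this example.

```python
from itertools import product

# Constructed toy DSA A = (2^P, S, s0, delta) with P = X ∪ Y, X = {x}, Y = {y}.
# A letter is split into its input part X ⊆ {x} and output part Y ⊆ {y};
# delta is partial: a missing entry is an undefined transition.
X_MOVES = (frozenset(), frozenset({"x"}))
Y_MOVES = (frozenset(), frozenset({"y"}))
STATES = ("s0", "s1", "s2")
ROWS = {"s0": ["s0", "s1", "s2", "s1"],   # successors in product(X_MOVES, Y_MOVES) order
        "s1": ["s1", "s1", "s1", None],   # None = undefined
        "s2": ["s2", "s2", None, None]}   # on input {x} the System has no defined move
DELTA = {(s, X, Y): t for s, succ in ROWS.items()
         for (X, Y), t in zip(product(X_MOVES, Y_MOVES), succ) if t is not None}

def horn_clauses(delta, states=STATES, s0="s0"):
    """Clauses (1)-(4) as (premises, conclusion); conclusion False stands for ⊥.
    Variables are tuples: ("b", s) is b_s and ("b", s, X, Y) is b_(s,X,Y)."""
    clauses = []
    for s, X, Y in product(states, X_MOVES, Y_MOVES):
        t = delta.get((s, X, Y))
        if t is None:
            clauses.append(((), ("b", s, X, Y)))                 # (1) undefined move
        else:
            clauses.append(((("b", t),), ("b", s, X, Y)))        # (2) move into losing state
    for s, X in product(states, X_MOVES):
        clauses.append((tuple(("b", s, X, Y) for Y in Y_MOVES), ("b", s)))  # (3)
    clauses.append(((("b", s0),), False))                         # (4) s0 must be winning
    return clauses

def horn_sat(clauses):
    """Unit propagation: derive the least model of the definite clauses, then
    check no clause with conclusion ⊥ fires. Returns (satisfiable, true_vars).
    (A worklist with premise counters makes this linear; this loop is quadratic.)"""
    true, changed = set(), True
    while changed:
        changed = False
        for prem, concl in clauses:
            if concl is not False and concl not in true and all(p in true for p in prem):
                true.add(concl)
                changed = True
    violated = any(all(p in true for p in prem) for prem, concl in clauses if concl is False)
    return not violated, true

def losing_states(true):
    return {v[1] for v in true if len(v) == 2}

def strategy(true, states=STATES):
    """For each winning state and input, an output not marked losing (exists by (3))."""
    return {(s, X): next(Y for Y in Y_MOVES if ("b", s, X, Y) not in true)
            for s in states if ("b", s) not in true for X in X_MOVES}
```

Only s2 is derived losing: the self-loops of s1 make b_s1 depend on itself, and the least model leaves it false, so the System's move {} from s0 on input {x} (into s2) is marked and the move {y} is kept.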