Parameterized Synthesis Case Study: AMBA AHB by Bloem, Roderick et al.
K. Chatterjee, R. Ehlers, and S. Jha (Eds.):
Third Workshop on Synthesis (SYNT 2014)
EPTCS 157, 2014, pp. 68–83, doi:10.4204/EPTCS.157.9
© R. Bloem, S. Jacobs & A. Khalimov
This work is licensed under the
Creative Commons Attribution License.
Parameterized Synthesis Case Study: AMBA AHB
Roderick Bloem Swen Jacobs Ayrat Khalimov
Graz University of Technology, Austria ∗
firstname.lastname@iaik.tugraz.at
We revisit the AMBA AHB case study that has been used as a benchmark for several reactive synthesis tools. Synthesizing AMBA AHB implementations that can serve a large number of masters is still a difficult problem. We demonstrate how to use parameterized synthesis in token rings to obtain an implementation for a component that serves a single master, and can be arranged in a ring of arbitrarily many components. We describe new tricks – property decompositional synthesis, and direct encoding of simple GR(1) – that together with previously described optimizations allowed us to synthesize a component model with 14 states in about 1 hour.
1 Introduction
By automatically generating correct implementations from a temporal logic specification, reactive synthesis tools can relieve system designers from tedious and error-prone tasks like low-level manual implementation and debugging. This great benefit comes at the cost of the high computational complexity of synthesis, which makes synthesis of large systems an ambitious goal. For instance, Bloem et al. [6] synthesize an arbiter for the ARM AMBA Advanced High Performance Bus (AHB) [2]. The results, obtained using RATSY [4], show that both the size of the implementation and the time for synthesis increase steeply with the number of masters that the arbiter can handle. This is unexpected, since an arbiter for n+1 masters is very similar to an arbiter for n masters, and manual implementations grow only slightly with the number of masters. While recent results show that synthesis time and implementation size can be improved in standard LTL synthesis tools [8, 10], the fundamental problem of increasing complexity with the number of masters can only be solved by adapting the synthesis approach itself.
To this end, Jacobs and Bloem [11] introduced the parameterized synthesis approach. In parameterized synthesis, we synthesize a component implementation that can be used as a building block, replicating components to form a system that satisfies a specification for any number of components. The approach is based on cutoff results that have previously only been used to reduce the verification of parameterized systems to systems of a small, fixed size. In particular, small cutoffs exist for token-ring networks, as shown by Emerson and Namjoshi [7]. These results can be extended to allow the reduction of the parameterized synthesis problem to a distributed synthesis problem with a fixed number of components, which can in turn be solved by a modification of the bounded synthesis procedure of Finkbeiner and Schewe [9]. As experiments with the original, naïve implementation of parameterized synthesis revealed that only very small specifications could be handled, Khalimov et al. [14] introduced a number of optimizations that improved runtimes for synthesis of token-ring systems by several orders of magnitude. In this paper, we will show how the resulting synthesis method can serve as the basis for synthesizing an implementation for the parameterized AMBA AHB specification.
Contributions. We demonstrate how to synthesize a parameterized implementation of the AMBA AHB,
with guaranteed correctness for any number of masters. To this end, we translate the LTL specification of the AMBA AHB (as found in [12]) into a version that is suitable for parameterized synthesis in token rings, and address several challenges with respect to theoretical applicability and practical feasibility:
1. We show how to localize global input and output signals, i.e., those that cannot be assigned to one particular master. This is necessary since our approach is based on the replication of components that act only on local information.
2. We introduce theoretical extensions of the cutoff results for token rings that support some of the features of the AMBA specification. This includes the handling of assumptions on local and global inputs, and of the fully asynchronous timing model (which includes the synchronous behavior intended in AMBA).
3. We show how to handle multiple process templates to support a special process with properties different from other processes.
4. We describe some further optimizations that make synthesis feasible, in particular based on the insight that the AMBA protocol features three different types of accesses, and the control structures for these accesses can be synthesized (to some degree) independently.
Finally, we report on our practical experience with parameterized synthesis of the AMBA protocol, pointing out weaknesses and open problems in current synthesis approaches.
∗ This work was supported by the Austrian Science Fund (FWF) under the RiSE National Research Network (S11406).
2 The AMBA Case Study
ARM's Advanced Microcontroller Bus Architecture (AMBA) [2] is a communication bus for a number of masters and clients on a microchip. The most important part of AMBA is the Advanced High-performance Bus (AHB), a system bus for the efficient connection of processors, memory, and devices. The bus arbiter is the critical part of the AHB, ensuring that only one master accesses the bus at any time. Masters send HBUSREQ to the arbiter if they want access, and receive HGRANT if they are allowed to access it. Masters can also ask for different kinds of locked transfers that cannot be interrupted.
The exact arbitration protocol for AMBA is not specified. Our goal is to synthesize a protocol that guarantees safety and liveness properties. According to the specification, any device that is connected to the bus reacts to an input received at time t only at time t+1, i.e., with a delay of one time step; hence we are considering Moore machines.
In the following, we introduce briefly which signals are used to realize the controller of this bus.
Requests and grants. The identifier of the master which is currently active is stored in the (n+1)-bit signal HMASTER[n:0], with n chosen such that the number of masters fits into n+1 bits. To request the bus, master i raises signal HBUSREQ[i]. The arbiter decides who will be granted the bus next by raising signal HGRANT[i]. When the client raises HREADY, the bus access starts at the next tick, and there is an update HMASTER[n:0] := i, where HGRANT[i] is currently active.
Locks and bursts. A master can request a locked access by raising both HBUSREQ[i] and HLOCK[i]. In this case, the master additionally sets HBURST[1:0] to either SINGLE (single cycle access), BURST4 (four cycle burst) or INCR (burst of unspecified length). For a BURST4 access, the bus is locked until the client has accepted 4 inputs from the master (each signaled by raising HREADY). In the case of an INCR access, the bus is locked until HBUSREQ[i] is lowered. The arbiter raises HMASTLOCK if the bus is currently locked.
LTL specification. The original natural-language specification [2] has been translated into a formal specification in the GR(1) fragment of LTL before [12, 6, 10]. Figure 1 shows the environment assumptions and system guarantees from [12] that will be the basis for our parameterized specification. The full specification is (A1 ∧ ... ∧ A4) → (G1 ∧ ... ∧ G11).
Assumptions:
(A1) G((HMASTLOCK ∧ HBURST = INCR) → XF ¬HBUSREQ[HMASTER])
(A2) GF HREADY
(A3) ∀i: G(HLOCK[i] → HBUSREQ[i])
(A4) ∀i: ¬HBUSREQ[i] ∧ ¬HLOCK[i] ∧ ¬HREADY
Guarantees:
(G1) G(¬HREADY → X ¬START)
(G2) G((HMASTLOCK ∧ HBURST = INCR ∧ START) → X(¬START W (¬START ∧ HBUSREQ[HMASTER])))
(G3.1) G((HMASTLOCK ∧ HBURST = BURST4 ∧ START ∧ HREADY) → X(¬START W[3] (¬START ∧ HREADY)))
(G3.2) G((HMASTLOCK ∧ HBURST = BURST4 ∧ START ∧ ¬HREADY) → X(¬START W[4] (¬START ∧ HREADY)))
(G4) ∀i: G(HREADY → (HGRANT[i] ↔ X(HMASTER = i)))
(G5) G(HREADY → (LOCKED ↔ X HMASTLOCK))
(G6) ∀i: G(X ¬START → ((HMASTER = i ↔ X(HMASTER = i)) ∧ (HMASTLOCK ↔ X HMASTLOCK)))
(G7) ∀i: G((DECIDE ∧ X HGRANT[i]) → (HLOCK[i] ↔ X LOCKED))
(G8) ∀i: G(¬DECIDE → ((HGRANT[i] ↔ X HGRANT[i]) ∧ (LOCKED ↔ X LOCKED)))
(G9) ∀i: G(HBUSREQ[i] → F(¬HBUSREQ[i] ∨ HMASTER = i))
(G10.1) ∀i ≠ 0: G(¬HGRANT[i] → (¬HGRANT[i] W HBUSREQ[i]))
(G10.2) G((DECIDE ∧ ∀i: ¬HBUSREQ[i]) → X HGRANT[0])
(G11) HGRANT[0] ∧ (∀i ≠ 0: ¬HGRANT[i]) ∧ HMASTER = 0 ∧ ¬HMASTLOCK ∧ DECIDE ∧ START
Figure 1: Formal specification of the AMBA AHB [12], in the GR(1) fragment of LTL.
3 Definitions
A labeled transition system (LTS) over a set O of output variables and a set I of input variables is a tuple (Q, Q_0, Σ, δ, λ) where Q is the set of states, Q_0 ⊆ Q is the set of initial states, Σ = 2^I is the set of inputs (also called transition labels), δ ⊆ Q × Σ × Q is the transition relation, and λ : Q → 2^O is the output function (also called state-labeling function). Variables from O ∪ I will be used as atomic propositions in our specifications.
3.1 System Model
In this section we define the token ring system – the LTS that consists of replicated copies of a process
connected in a uni-directional ring. Transitions in a token ring system are either internal or synchronized
(in which one process sends the token to the next process along the ring). The token starts in a non-
deterministically chosen process.
Fix a set O_pr of (local) output variables that contains a distinguished output variable snd, and a set I_pr of (local) input variables that contains a distinguished input variable rcv.
Process Template P. Let Σ_pr = 2^{I_pr}. A process template P is an LTS (Q, Q_0, Σ_pr, δ, λ) over O_pr and I_pr such that:
i) The state set Q is finite and can be partitioned into two non-empty disjoint sets: Q = T ∪̇ NT. States in T are said to have the token.
ii) The initial state set is Q_0 = {ι_t, ι_n} for some ι_t ∈ T, ι_n ∈ NT.
iii) The output function λ : Q → 2^{O_pr} satisfies snd ∉ λ(q) for every q ∈ NT.
iv) Every transition (q, in, q′) ∈ δ with snd ∈ λ(q) satisfies that q has the token and q′ does not.
v) Every transition (q, in, q′) ∈ δ with rcv ∈ in satisfies that q does not have the token and q′ does.
vi) Every transition (q, in, q′) ∈ δ with snd ∉ λ(q) and rcv ∉ in satisfies that q has the token if and only if q′ has the token.
vii) The process template is non-terminating: for every q ∈ NT and every in ∈ Σ_pr there exists a transition (q, in, q′) ∈ δ; and for every q ∈ T and every in ∈ Σ_pr with rcv ∉ in there exists a transition (q, in, q′) ∈ δ.
†) Consider a fairness condition A_loc over I_pr ∪ O_pr.¹ From any state q with the token, under any input sequence satisfying A_loc, the process will reach a state q′ where it sends the token. We call this requirement †.
Ring Topology R. A ring is a directed graph R = (V, E), where the set of vertices is V = {1, ..., k} for some k ∈ ℕ, and the set of edges is E = {(i, i⊕1) | i ∈ V}, where ⊕ denotes addition modulo k (so k⊕1 = 1). Vertices are called process indices.
Token-Ring System P^R. Fix a ring topology R = (V, E). Let I_sys := (I_loc × V) ∪̇ I_glob be the system input variables, where local inputs I_loc and global inputs I_glob are such that I_pr = I_loc ∪̇ I_glob. Define Σ_sys = 2^{I_sys}. For a system input in ∈ Σ_sys, let in(v) ⊆ in denote the input to process v (including global inputs). Let O_sys := O_pr × V be the system output variables. For (p, i) in O_sys or in I_sys \ I_glob we write p_i.
Given a process template P = (Q, Q_0, Σ_pr, δ, λ) over O_pr and I_pr and a token ring topology R = (V, E), define the token-ring system P^R as the finite LTS (S, S_0, Σ_sys, Δ, Λ) over O_sys and I_sys, where:
• The set S of global states is Q^V, i.e., all functions from V to Q. If s ∈ Q^V is a global state then s(i) denotes the local state of the process with index i.
• The set of global initial states S_0 contains all s_0 ∈ Q_0^V in which exactly one of the processes has the token.
• The labeling Λ(s) ⊆ O_sys for s ∈ S is defined as follows: p_i ∈ Λ(s) if and only if p ∈ λ(s(i)), for p ∈ O_pr and i ∈ V.
Finally, define the global transition relation Δ. In a fully asynchronous token ring, a subset of all processes can make a transition in each step of the system, i.e., Δ consists of the following set of transitions:
• An internal transition is an element (s, in, s′) of S × Σ_sys × S for which there is a set of process indices M ⊆ V such that
i) for all v ∈ M: snd ∉ λ(s(v)) and rcv ∉ in(v),
ii) for all v ∈ M: (s(v), in(v), s′(v)) ∈ δ is a transition of P,
iii) for all u ∈ V \ M: s(u) = s′(u).
• A token-passing transition is an element (s, in, s′) of S × Σ_sys × S for which there are process indices M ⊆ V and two indices v, w ∈ M such that (v, w) ∈ E and
i) snd ∈ λ(s(v)), and ∀u ∈ M \ {v}: snd ∉ λ(s(u)), i.e., only process v sends the token,
ii) rcv ∈ in(w), and for all u ∈ M \ {w}: rcv ∉ in(u), i.e., only process w receives the token,
iii) for every u ∈ M: (s(u), in(u), s′(u)) ∈ δ is a transition of P,
iv) for every u ∈ V \ M: s′(u) = s(u).
¹ Discussion of fairness conditions is deferred until Sect. 3.2.
Special cases of the fully asynchronous token ring are the synchronous token ring and the interleaving
token ring. In a synchronous token ring, M = V for internal and token-passing transitions. I.e., always
all processes make a transition simultaneously. In an interleaving token ring, M = {v} for some v ∈ V
for internal transitions, and M = {v,w} for (v,w) ∈ E for token-passing transitions. I.e., at each moment
either exactly one process makes an internal transition, or one process sends a token to the next process.
System Run. Fix a ring topology R = (V, E). A run of a token ring system P^R = (S, S_0, Σ_sys, Δ, Λ) over O_sys and I_sys is a finite or infinite sequence x = (s_1, in_1, M_1)(s_2, in_2, M_2) ..., where:
• s_1 ∈ S_0, and s_k ∈ S and in_k ∈ Σ_sys for every k ≤ |x|,
• for all k < |x|: (s_k, in_k, s_{k+1}) ∈ Δ,
• for all k < |x|: M_k is the set of processes making the transition (s_k, in_k, s_{k+1}) (see M in the definition of Δ).
3.2 Parameterized Systems and Specifications
The parameterized ring is the function R : n ↦ R(n), where n ∈ ℕ and R(n) is the ring with n vertices. A parameterized token ring system is a function P^R : n ↦ P^{R(n)}, where n ∈ ℕ and P is a given process template. When necessary to disambiguate, we explicitly write ‘parameterized fully asynchronous token ring systems’ or ‘parameterized interleaving token ring systems’.
A parameterized specification is a sentence in indexed temporal logic, that is, a temporal logic formula with indexed variables and quantification over indices. Variables are from the set of output and input variables O_pr ∪ I_pr, and indices refer to different copies of process templates. A parameterized token ring system P^R satisfies a parameterized specification φ, written P^R ⊨ φ, iff ∀n: P^{R(n)} ⊨ φ. This definition assumes a fixed semantics for temporal logic formulas in labeled transition systems. Below, we introduce a slightly non-standard semantics as a modification of the (action-based) semantics in Emerson and Namjoshi [7] to the case of open systems.
Semantics for Open Systems. Emerson and Namjoshi [7] consider closed systems (i.e., without inputs),
but with transitions labeled by actions that can also be used in specifications. In the semantics defined
below, we simulate an action a by an input corresponding to a. Furthermore, for defining when a given
process satisfies a formula, we consider the projection of the run onto those points in time where the
process actually makes a transition, just like actions are only considered when a transition fires.
In addition, we extend our semantics to the fully asynchronous timing model, which in particular includes the synchronous timing model that is needed for reasoning about the AMBA case study.² This leads to additional problems: the natural ways to extend the semantics to properties of more than one process are to consider either the projection to those points in time where at least one of the processes makes a step, or to those where all processes make a step. Both cases are undesirable: in the first case, we also consider inputs that the processes cannot read, and in the second case the property will only be guaranteed at those points in time where all processes make a step together, which is clearly undesirable, e.g., for a mutual exclusion property. Therefore, in properties that talk about more than one process, we do not allow input signals at all.
² Note that in the synchronous timing model, our semantics is the same as the standard semantics (every process always makes a transition, so all inputs are considered), but we need the fully asynchronous case for the cutoff result in Thm. 3. Intuitively, in synchronous systems an implementation can count the number of global steps until it receives the token again, and therefore correctness of such implementations may depend on the size of the ring, making cutoff results impossible. Thus, systems that are correct in the synchronous but not in the fully asynchronous case are of limited interest to us.
Fix a token ring system P^R = (S, S_0, Σ_sys, Δ, Λ) over O_sys and I_sys. We describe the semantics of two kinds of parameterized properties: 1-indexed properties over O_sys ∪ I_sys, and 2-indexed properties over O_sys.
Semantics of 1-indexed properties. 1-indexed properties are of the form ∀i. ϕ(i), where ϕ(i) is an LTL formula over system variables that are indexed with i.
Fix a process index j. Given a run (s_1, in_1, M_1)(s_2, in_2, M_2) ..., consider the sub-sequence that contains exactly those (s_k, in_k, M_k) with j ∈ M_k. The local run of process j is obtained by mapping each (s_k, in_k, M_k) in the sub-sequence to (s_k(j), in_k(j)), where s_k(j) is the local state of j and in_k(j) are the inputs to j. Then, a system run satisfies ϕ(j) iff the local run of process j satisfies ϕ(j); the latter satisfaction is defined in the usual way. Note that since we consider only elements of the system run where process j makes a step, we can use the next-time operator X (interpreted locally, cf. [14, Sect. 5.2] and [7, Sect. 2.5]).
Example. Consider a typical 1-indexed property of an arbiter, ∀i. G(r_i → F g_i) (‘for every process, every request is eventually granted’). In the semantics of 1-indexed properties described above, this property should be read as: ‘for every process, every request that has been seen by the process is eventually granted’. Another example: in the new semantics the property ∀i. G(r_i → X g_i) should be read as ‘for every process, every request that has been seen by the process is granted in the process's next step’. Notice that the environment cannot falsify the property by not scheduling the process, since steps in which the process is not scheduled do not appear in its local run.
Semantics of 2-indexed properties. 2-indexed properties are of the form ∀i, j. ϕ(i, j), where ϕ(i, j) is an LTL\X formula over output variables (and no input variables) that are indexed with i or j. Satisfaction for fixed process indices i, j is defined in the standard way: a system run (s_1, in_1, M_1)(s_2, in_2, M_2) ... satisfies ϕ(i, j) iff the sequence Λ(s_1)Λ(s_2) ... satisfies ϕ(i, j). I.e., we consider all elements of the system run, no matter whether processes i and j make the transition or not.
Example. Consider the typical 2-indexed mutual exclusion property ∀i ≠ j. G ¬(g_i ∧ g_j). In the semantics of 2-indexed properties described above, the property should be read in the usual way: ‘it is never the case that two processes grant at the same time’.
Semantics of A_{∀i.ass(i)} ϕ. Let ϕ be a 1- or 2-indexed property as introduced above. A system satisfies A_{∀i.ass(i)} ϕ iff every system run that satisfies ∀i. ass(i) also satisfies ϕ, where satisfaction of the 1-indexed property ∀i. ass(i) and of ϕ is as defined above.
Note on the Semantics of GR(1). The AMBA specification [12] is defined in the GR(1) fragment of
LTL, where the implication between assumptions and guarantees is usually interpreted with a special
semantics [15]. In this paper, we instead use the standard semantics for this implication.
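The definitions of Sect. 3.1 and the run-projection semantics of Sect. 3.2 can be made executable. The following Python is an added example, not code from the paper or from the authors' synthesis tool. It encodes a hypothetical three-state process template (an arbiter that grants its master while the master requests and otherwise passes the token on), checks the structural conditions (iii)–(vii) of a process template, composes a fully asynchronous ring whose scheduled set M is chosen per step (M = V gives the synchronous ring; a singleton or a sender/receiver pair gives the interleaving ring), and evaluates a 2-indexed property on the global labelling Λ(s_1)Λ(s_2)… and a 1-indexed property with a locally interpreted X on the local runs. The signal names req and grant, the token-to-global-output mapping (which anticipates the fixed localizable definition g := ∃i. TOK[i] ∧ g_i of Sect. 6.2), and the schedule SYNC are constructed for illustration and are not part of the paper.

```python
"""Token-ring semantics of Sect. 3.1 and 3.2 in executable form (added example).

Hypothetical process template: while it holds the token it grants its master
as long as the master requests, and passes the token on otherwise.  Inputs are
'req' (a local HBUSREQ-like request) and the distinguished 'rcv'; outputs are
'grant' and the distinguished 'snd'.  Process i of the paper is index i-1.
"""
SND, RCV = "snd", "rcv"
T, NT = {"t_idle", "t_grant"}, {"n"}        # token / no-token states
Q, Q0 = T | NT, {"t_idle", "n"}             # Q0 = {iota_t, iota_n}
SIGMA_PR = [set(), {"req"}, {RCV}, {"req", RCV}]   # Sigma_pr = 2^I_pr

def lam(q):
    """Output function lambda: Q -> 2^O_pr."""
    return {"t_idle": {SND}, "t_grant": {"grant"}, "n": set()}[q]

def delta(q, inp):
    """Transition function; None where the template has no transition."""
    if q == "n":
        return ("t_grant" if "req" in inp else "t_idle") if RCV in inp else "n"
    if RCV in inp:                  # a token holder never receives (cond. v)
        return None
    if q == "t_idle":               # sending state: ignores its input
        return "n"
    return "t_grant" if "req" in inp else "t_idle"

def template_violations():
    """Structural conditions (iii)-(vii) of a process template; (dagger) is semantic."""
    bad = []
    for q in Q:
        if q in NT and SND in lam(q):
            bad.append(f"(iii) {q} in NT outputs snd")
        for inp in SIGMA_PR:
            q2 = delta(q, inp)
            if q2 is None:
                if q in NT or RCV not in inp:
                    bad.append(f"(vii) no transition from {q} on {sorted(inp)}")
                continue
            if SND in lam(q) and not (q in T and q2 in NT):
                bad.append(f"(iv) {q}->{q2} sends without giving up the token")
            if RCV in inp and not (q in NT and q2 in T):
                bad.append(f"(v) {q}->{q2} receives without taking the token")
            if SND not in lam(q) and RCV not in inp and (q in T) != (q2 in T):
                bad.append(f"(vi) {q}->{q2} changes token status silently")
    return bad

def ring_step(s, reqs, M):
    """One Delta-transition of the fully asynchronous ring: s global state, reqs the
    requesting processes, M the scheduled set.  rcv reaches w exactly when its ring
    predecessor is scheduled and sends.  Returns (s', in) or None if Delta has no
    such transition (e.g. a sender scheduled without its successor)."""
    k, inp, s2 = len(s), {}, list(s)
    for w in M:
        v = (w - 1) % k                                   # (v, w) in E
        inp[w] = ({"req"} if w in reqs else set()) | ({RCV} if v in M and SND in lam(s[v]) else set())
    for v in M:
        if SND in lam(s[v]) and (v + 1) % k not in M:
            return None
        s2[v] = delta(s[v], inp[v])
        if s2[v] is None:
            return None
    return tuple(s2), inp

def simulate(k, schedule):
    """Run P^R(k) from the initial state in which process 1 (index 0) has the token.
    schedule: list of (reqs, M); returns the run [(s_k, in_k, M_k), ...]."""
    s, run = ("t_idle",) + ("n",) * (k - 1), []
    for reqs, M in schedule:
        res = ring_step(s, reqs, M)
        if res is None:
            raise ValueError(f"Delta has no transition for M={sorted(M)} in {s}")
        run.append((s, res[1], M))
        s = res[0]
    return run

def local_run(run, j):
    """Projection onto the steps where process j moves (1-indexed semantics)."""
    return [(s[j], inp[j]) for s, inp, M in run if j in M]

def global_outputs(s):
    """Lambda(s) plus the localized global outputs of Sect. 6.2: g = exists i. TOK[i] and g_i."""
    tok = [i for i, q in enumerate(s) if q in T]
    grant = [i for i, q in enumerate(s) if "grant" in lam(q)]
    return {"TOK": tok, "GRANT": grant, "HMASTER": grant[0] if grant else None}

def check_run(run):
    """2-indexed G not(grant_i and grant_j) and G12 over Lambda(s_1)Lambda(s_2)...,
    then the 1-indexed 'request seen -> X grant' over each local run (X is local)."""
    for s, _, _ in run:
        g = global_outputs(s)
        if len(g["GRANT"]) > 1 or not set(g["GRANT"]) <= set(g["TOK"]):
            return False
    for j in range(len(run[0][0])):
        lr = local_run(run, j)
        for (q, inp), (q2, _) in zip(lr, lr[1:]):
            seen = "req" in inp and (RCV in inp or (q in T and SND not in lam(q)))
            if seen and "grant" not in lam(q2):
                return False
    return True

# Constructed synchronous schedule (M = V in every step) for a ring of three processes.
SYNC = [({1}, {0, 1, 2}), ({1}, {0, 1, 2}), ({2}, {0, 1, 2}),
        ({2}, {0, 1, 2}), (set(), {0, 1, 2}), ({0}, {0, 1, 2})]
```

ring_step returns None when a sending process is scheduled without its ring successor: Δ has no such transition, so a run simply cannot continue that way. Conversely, a process that is not scheduled contributes nothing to its local run, which is why the environment cannot falsify a 1-indexed property by withholding scheduling. The † requirement (eventual sending under A_loc) is a liveness condition on infinite runs and is not checked by template_violations.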
3.3 Parameterized Synthesis Problem
The parameterized synthesis problem in token rings is: given a parameterized specification ϕ, find an implementation P such that P^R ⊨ ϕ. The problem is in general undecidable:
Theorem 1 ([11], Theorem 3.5). The parameterized synthesis problem of interleaving token rings with no global inputs is undecidable for specifications ∀i, j. Aϕ(i, j), where ϕ(i, j) is an LTL\X formula over processes i, j.
The proof reduces the undecidable problem of distributed synchronous synthesis [17] to distributed
synthesis of an interleaving token ring of size 2, which implies undecidability of parameterized synthesis.
Note that Theorem 1 does not apply to specifications of the form A_{∀i.ass(i)} ∀j. ϕ(j). In fact, we can use the hub-abstraction technique (see [14, Section 6]) to prove the following:
Observation 1. The parameterized synthesis problem of token rings without global inputs is decidable for specifications ∀j. A_{∀i.ass(i)} ϕ(j), where ass(i) and ϕ(j) are LTL formulas over process i and process j, respectively.
4 The Existing Parameterized Synthesis Approach
The parameterized synthesis problem in token rings is in general undecidable, but Jacobs and Bloem [11] have introduced a semi-decision procedure for the problem. It is based on i) the cutoff results of [7], which state that model checking parameterized token rings is equivalent to model checking token rings of a cutoff size, and ii) the bounded synthesis method [9], which turns an undecidable synthesis problem (synthesizing a token ring of fixed size) into a possibly infinite sequence of decidable synthesis problems (synthesizing a token ring of fixed size in which the process implementation is not larger than a given bound) by iteratively increasing the bound on the size of process implementations.
4.1 Cutoff Results in Token Rings
A cutoff for a parameterized specification ϕ is a number c ∈ ℕ such that P^{R(c)} ⊨ ϕ ⟺ ∀n ≥ c: P^{R(n)} ⊨ ϕ.
Theorem 2 ([7], Theorem 3). For interleaving parameterized token ring systems with no global inputs and parameterized specifications ∀i. A_{∀i.ass(i)} ϕ(i), where ϕ(i) and ass(i) are LTL formulas over process i, the cutoff is 2.
Corollary 1 ([11]). The parameterized synthesis problem of interleaving token rings with no global inputs for parameterized specifications ∀i. A_{∀i.ass(i)} ϕ(i), where ϕ(i) and ass(i) are LTL formulas over process i, can be reduced to the synthesis problem of the token ring of size 2.
4.2 Bounded Synthesis Method
By bounding the desired size of implementations, bounded synthesis [9] reduces the synthesis problem
to a sequence of SMT problems. Uninterpreted functions are used to describe the transition relation,
output functions, and auxiliary ‘ranking’ functions, and the SMT solver tries to find valuations of these
functions such that the specification is satisfied. The flow is the following:
1. Automata translation: The negation of a given specification ϕ is translated into a non-deterministic Büchi automaton A_¬ϕ.
2. SMT encoding: We encode a ranking function ρ on states of the product of the specification automaton A_¬ϕ and the uninterpreted system. Consider a transition from composed state (q, s) to (q′, s′), where q, q′ are states of A_¬ϕ and s, s′ are states of the system. Then we require ρ(q′, s′) > ρ(q, s) if q′ is an accepting state of A_¬ϕ, and otherwise ρ(q′, s′) ≥ ρ(q, s). Since ρ ranges over a bounded domain, such a ρ exists if and only if the product has no reachable loop through an accepting state of the automaton; hence the SMT constraints are satisfiable if and only if there is a system of the given size bound whose product with A_¬ϕ has no such loop, and a solution represents a correct implementation of the system.
3. SMT solving, iteration for increasing bounds: If the SMT constraints in step 2 are satisfiable,
then return the implementation. Otherwise, there exists no implementation of the given size bound;
we increase the bound and repeat step 2.
For the details of the SMT encoding that we use for synthesis of token rings see Khalimov et al. [14].
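To make the ranking-function rule of step 2 concrete, here is an added Python example; it is not the authors' SMT encoding and uses no SMT solver. Instead of leaving the transition and output functions uninterpreted, it fixes a hypothetical candidate implementation, builds the reachable product of a constructed Büchi automaton for ¬G(r → F g) with that candidate, and computes the least bounded ρ satisfying ρ(q′,s′) ≥ ρ(q,s) with strict increase into accepting states. The iteration fails to stabilise exactly when an accepting state lies on a reachable cycle, which is what the SMT constraints rule out. The automaton, the two candidate machines and the signal names r and g are constructed for illustration and do not appear in the paper.

```python
"""Ranking-function check of bounded synthesis (Sect. 4.2), added example.

Bounded synthesis leaves the implementation's transition and output functions
uninterpreted and asks an SMT solver for them together with rho.  Here both are
fixed to a hypothetical candidate, so the code performs the model-checking core
of step 2: it builds the product of A_not_phi with the candidate and computes
the least bounded rho, which exists iff no reachable cycle of the product
contains an accepting automaton state.
"""
R, G = "r", "g"        # input 'request', output 'grant'

# Constructed NBA for not(G(r -> F g)) = F(r and G not g).  A guard is a
# predicate over the letter (inputs | outputs) read in the current step.
A_NEG_PHI = {"init": "q0", "accepting": {"q1"},
             "edges": [("q0", lambda a: True, "q0"),
                       ("q0", lambda a: R in a and G not in a, "q1"),
                       ("q1", lambda a: G not in a, "q1")]}

def product_graph(aut, impl):
    """Product of the automaton with a Moore machine impl = (init, delta, lam).
    Explores reachable nodes (q, s); returns (init_node, edges, accepting_nodes)."""
    init_s, delta_s, lam_s = impl
    init = (aut["init"], init_s)
    edges, seen, todo = set(), {init}, [init]
    while todo:
        q, s = todo.pop()
        for inp in ({R}, set()):                     # Sigma = 2^{r}
            letter, s2 = inp | lam_s(s), delta_s(s, inp)
            for p, guard, p2 in aut["edges"]:
                if p == q and guard(letter):
                    edges.add(((q, s), (p2, s2)))
                    if (p2, s2) not in seen:
                        seen.add((p2, s2))
                        todo.append((p2, s2))
    return init, sorted(edges), {n for n in seen if n[0] in aut["accepting"]}

def ranking(init, edges, accepting):
    """Least rho with rho(v') >= rho(v) + [v' accepting] on every reachable edge
    (longest-path iteration), or None when the values keep growing, i.e. an
    accepting state lies on a reachable cycle and no bounded rho exists."""
    rho, nodes = {init: 0}, {v for e in edges for v in e} | {init}
    for _ in range(len(nodes) + 1):
        changed = False
        for u, v in edges:
            if u in rho and rho[u] + (v in accepting) > rho.get(v, -1):
                rho[v] = rho[u] + (v in accepting)
                changed = True
        if not changed:
            return rho
    return None

def check_ranking(edges, accepting, rho):
    """The constraint the SMT solver must satisfy, as a direct check of a model."""
    return all(u not in rho or (v in rho and rho[v] - rho[u] >= (v in accepting))
               for u, v in edges)

# Hypothetical candidates (Moore machines): never grant, or grant right after a request.
NEVER_GRANT = ("s0", lambda s, inp: "s0", lambda s: set())
GRANT_AFTER_REQ = ("s0", lambda s, inp: "s1" if s == "s0" and R in inp else "s0",
                   lambda s: {G} if s == "s1" else set())

def bounded_check(impl):
    """True iff a ranking exists, i.e. the candidate satisfies G(r -> F g)."""
    return ranking(*product_graph(A_NEG_PHI, impl)) is not None
```

The two candidates show both outcomes: the machine that never grants puts the accepting automaton state on a self-loop, so ρ would have to grow without bound and no model exists; the machine that grants one step after a request reaches the accepting product state only as a dead end, so ρ = 1 there and 0 elsewhere suffices. In bounded synthesis the solver searches over all candidates of the given state bound at once; the SMT encoding replaces exactly this per-candidate check.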
5 Challenges for the Existing Approach
Based on the existing approach for parameterized synthesis, we want to synthesize a system that satisfies
A((A1 ∧ ... ∧ A4 ∧ FairSched) → (G1 ∧ ... ∧ G11 ∧ TR)),
where
• FairSched is of the form ∀i. GF sch_i, specifying that every process is scheduled infinitely often.
• TR are guarantees ensuring that the process template satisfies the requirements of the token ring process template defined in Sect. 3.1:
∀i. G(SEND[i] → TOK[i])
∀i. G(TOK[i] ∧ ¬SEND[i] → X TOK[i])
∀i. G(¬TOK[i] ∧ ¬SEND[i−1] → X ¬TOK[i])
∀i. G(TOK[i] → F SEND[i])
As the existing cutoff results of Emerson and Namjoshi [7] (or their extensions by Aminof et al. [1])
do not support all features of the AMBA specification, we need to address the following challenges:
1. Synchronous AMBA and global inputs: The AMBA protocol uses synchronous timing and has
several global inputs (that are shared between all processes), while the cutoff results in [7, 1] are for
interleaving systems with local action labels instead of inputs. We have discussed in Sect. 3.2 how
actions simulate local inputs, but global inputs are not supported in the existing cutoff theorems.
In Sect. 6.1 we extend the cutoff results to fully asynchronous token rings with global inputs. For
our synthesis approach, we will use the fact that correctness of an implementation in the fully
asynchronous case implies correctness in the synchronous case.
2. Global outputs: The AMBA specification assumes that there are global outputs, i.e., those that
depend on the global state of the system, such as HMASTLOCK. This is not handled by [7, 1],
and in Sect. 6.2 we address this by synthesizing local outputs that can be manually converted to
suitable global outputs with simple logical operations.
3. Special 0-process, immediate reaction, global information: The AMBA specification distinguishes between master number 0 and all other masters. We support this by synthesizing two different process implementations, one that serves master 0, and one for all other processes. Furthermore, process 0 is supposed to immediately grant master 0 when no process receives a HBUSREQ[i] signal. This is a problem since only processes that have the token should give a grant, and information about requests of other processes is not available to process 0. We show how to handle this by weakening the specification and introducing an auxiliary global input in Sect. 6.3.
6 Obtaining and Handling a Parameterized AMBA Specification
In the following, we will show how we obtained a parameterized AMBA specification suitable to our
parameterized synthesis approach, and how we extended the approach to handle this specification.
6.1 Addressing Challenges ‘Synchronous AMBA’ and ‘Global Inputs’
We will first extend the cutoff results for token rings to fully asynchronous systems with global inputs, for
restricted classes of process templates and assumptions. Since these classes are not sufficient to model
AMBA, we will afterwards introduce a method to localize assumptions in a sound but incomplete way.
6.1.1 Complete Approach: New Cutoff Results
We consider systems and specifications that satisfy the following assumptions:
a) P = (Q, Q_0, Σ_pr, δ, λ) is such that for every q ∈ Q with snd ∈ λ(q) there exists a unique q′ ∈ Q with (q, in, q′) ∈ δ for every input in ∈ Σ_pr, i.e., in all sending states the process ignores its inputs.
b) The assumptions ∀i. ass(i) are of the form ∀i. Gα(i) or of the form ∀i. α(i), where α(i) is a Boolean formula over inputs (including global inputs) of process i.
Then, we can prove the following theorem:
Theorem 3. Assume conditions (a) and (b). Then, for parameterized fully asynchronous token ring systems and parameterized specifications as stated below, the cutoffs are:
• for ∀i. A_{∀i.Gα(i)} ϕ(i) the cutoff is 2,
• for ∀i, j. A_{∀i.Gα(i)} ψ(i, j) the cutoff is 4,
where α(i) is a Boolean formula over inputs of process i, ϕ(i) is an LTL formula over inputs and outputs of process i, and ψ(i, j) is an LTL\X formula over outputs of processes i, j.
Note that the problem becomes undecidable if we do not restrict fair path properties, i.e., if we
remove (b) but still assume (a):
Observation 2. The parameterized model checking problem for fully asynchronous token rings with global inputs and properties of the form ∀i. A_{∀i.ass(i)} ϕ(i) is undecidable, where ass(i) and ϕ(i) are LTL formulas over inputs and outputs of process i (including global inputs).
Proofs for Theorem 3 and Observation 2 can be found in the full version of the paper [5]. Note
that Theorem 3 does not support all assumptions in the AMBA specification (Fig. 1): A3 and A4 are
supported by the theorem, but A1 and A2 are not.
6.1.2 Incomplete Approach: Localization of Assumptions
Since Theorem 3 does not support assumptions A1 and A2, we introduce an approach that localizes the assumptions, essentially rewriting the specification ∀j. A_{∀i.ass(i)} ϕ(j) into the form ∀j. A(ass(j) → ϕ(j)).³
However, this naive form of localization strengthens the AMBA specification too much, making it unrealizable. Instead, we use a specialized way of localizing assumptions in token rings.
Localization of assumptions in token rings. As suggested in [14, Sect. 6],
A_{∀i.ass(i)} ∀j. (gua(j) ∧ TR(j))
is localized into
∀i. A((ass(i) → TR(i)) ∧ ((ass(i) ∧ GF TOK[i]) → gua(i))),
where ass(i) includes FairSched, and TR are the token ring properties as defined in Sect. 5.
This restores realizability in our case. Intuitively, this specification guarantees that TR will be satisfied under the given local assumptions, and for the rest of the guarantees we can then assume that all other processes will eventually send the token, thus satisfying the additional assumption GF TOK[i].
Linking token possession to mutual exclusion. In addition to global assumptions, the original specification contains an implicit mutual exclusion property: G4 defines how HMASTER is updated by the HGRANT[i] signals. Note that G4 can only be satisfied if the HGRANT[i] are mutually exclusive. Since we know that the token can (and must) be used to ensure mutual exclusion, we explicitly specify this by adding G12: ∀i. G(HGRANT[i] → TOK[i]). Together with localization of assumptions, this ensures that the parameterized specification will be 1-indexed.
³ Note that in some cases, the localized version is equivalent to the original one, e.g. for A2, since HREADY is a global input.
Resulting specification. The resulting specification is of the form
∀i. A((ass(i) → TR(i)) ∧ ((ass(i) ∧ GF TOK[i]) → (gua(i) ∧ G12))),
i.e., a 1-indexed LTL property in prenex-indexed form.
While Theorem 3 supports some formulas of the type A_{∀i.ass(i)} ∀j. gua(j), solving the synthesis problem for formulas with assumptions in this form is costly. In particular, every liveness assumption introduces a loop (with length equal to the size of the ring under consideration) for every liveness guarantee in the specification. This severely blows up the size of the specification automaton. Thus, even for the assumptions A3 and A4 that are supported by the theorem, we use the localization approach.
6.2 Addressing Challenge ‘Global Outputs’
To address this challenge we define what is a localizable global output, introduce a special version of
localizable global outputs we use for AMBA, and modify the specification to handle these global outputs.
Linking global to local outputs. For a given parameterized system, a localizable global output is a
global output that can be expressed as a propositional formula over terms of the form ∀i.α(i) and ∃i.α(i),
where α(i) is a propositional formula over outputs of process i.
Fixed solution for AMBA. The AMBA specification in Fig. 1 has global outputs HMASTLOCK, START,
DECIDE, and HMASTER. We restrict synthesis to search for a solution with a fixed localizable implemen-
tation of global outputs, namely: For each global output signal g we introduce a local output signal gi,
and define
• HMASTER := i whenever HMASTER[i] is high, and
• g := ∃i. TOK[i]∧gi for all other global outputs g.
Modification of the parameterized specification. According to the two previous steps, we should
replace all global outputs in the specification with their specialized localizable definitions in terms of
the new local outputs. For example, START should be replaced by ∃i.TOK[i]∧ START[i]. However, in
token ring systems the only communication between processes is token passing, and hence the value of
∃i.TOK[i]∧ START[i] is not known to a process, except when it has the token (and thus defines that value).
Thus, we replace each global output with its local version, e.g., START is replaced by START[i].
Note that the limited communication interface (via token passing) does not make AMBA unrealizable,
even though processes cannot access the value of global outputs when they do not possess the token.
Intuitively, this is because the token is the shared resource that guarantees mutual exclusion of grants, and
therefore the values of these global signals should always be controlled by the process that has the token.
In particular, outputs DECIDE and START are signals that are used to decide when to raise a grant and
when to start and end a bus access⁴, which should only be done when the token is present. Similarly,
signals HMASTLOCK and HMASTER should be controlled by the process that currently controls the bus
(and hence has the token). By using only the local version of these signals in the specification, we force
the implementation to never raise them unless the process has the token.
⁴ The original AMBA specification [2] does not have these signals – they were introduced to simplify the formalization of
the specification [12].
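The following simulation is an added illustration of the construction in this section; it is not code from the paper or from the PARTY tool. It arranges copies of a hypothetical minimal process template in a token ring, raises the local copies HGRANT[i], HMASTER[i], HMASTLOCK[i], START[i], DECIDE[i] only while TOK[i] holds, rebuilds the global outputs as g := ∃i. TOK[i] ∧ g_i and HMASTER := i whenever HMASTER[i], and checks on every tick that the token is unique, that G12 (HGRANT[i] → TOK[i]) holds and that grants are mutually exclusive. The template, the request pattern and the assumption that HREADY is always high are constructed for the example; the synthesized model of Fig. 4 is not reproduced here.

```python
"""Token ring with localized global outputs (constructed example, not PARTY's or the paper's model).

Each LocalProc is a hypothetical minimal template: it raises bus-related outputs only
while it holds TOK[i] and passes the token on when it has nothing to serve.
HREADY is assumed high throughout, so the G4 timing is not modelled.
"""


class LocalProc:
    OUTS = ("hgrant", "hmaster", "hmastlock", "start", "decide")

    def __init__(self):
        self.tok = False
        for o in self.OUTS:
            setattr(self, o, False)

    def step(self, hbusreq, hlock):
        """One clock tick. Returns True when the token is handed to the next process."""
        if not self.tok:                      # no token: every local output stays low (G12)
            for o in self.OUTS:
                setattr(self, o, False)
            return False
        if self.hgrant:                       # serving a master
            self.start = self.decide = False
            if hbusreq:
                return False                  # keep the bus while the request persists
            self.hgrant = self.hmaster = self.hmastlock = False
            return True                       # access over: release the token
        self.decide = True                    # token in hand, nobody granted: decide now
        if hbusreq:
            self.hgrant = self.hmaster = self.start = True
            self.hmastlock = hlock
            return False
        return True                           # no request here: pass the token on


def global_outputs(ring):
    """Rebuild the global outputs from local ones as the text prescribes:
    g := exists i. TOK[i] and g_i; HMASTER := i whenever HMASTER[i] (None if nobody)."""
    g = {o: any(p.tok and getattr(p, o) for p in ring) for o in ("hmastlock", "start", "decide")}
    masters = [i for i, p in enumerate(ring) if p.hmaster]
    g["hmaster"] = masters[0] if len(masters) == 1 else None
    return g


def check_tick(ring):
    """Invariants the token construction must keep; returns the list of violations."""
    bad = []
    if sum(p.tok for p in ring) != 1:
        bad.append("token count != 1")
    if any(p.hgrant and not p.tok for p in ring):
        bad.append("G12 violated: HGRANT without TOK")
    if sum(p.hgrant for p in ring) > 1:
        bad.append("grants not mutually exclusive")
    return bad


def simulate(requests, hlock=None):
    """requests[i][t] is HBUSREQ[i] at tick t (constructed input). Returns
    (violations, served, trace): served[i] is the first tick at which master i is
    HMASTER (None if never), trace[t] the reconstructed global outputs at tick t."""
    n, ticks = len(requests), len(requests[0])
    hlock = hlock or [[False] * ticks for _ in range(n)]
    ring = [LocalProc() for _ in range(n)]
    ring[0].tok = True                        # the token starts at process 0
    served, violations, trace = [None] * n, [], []
    for t in range(ticks):
        passed = [p.step(requests[i][t], hlock[i][t]) for i, p in enumerate(ring)]
        violations += [f"t={t}: {v}" for v in check_tick(ring)]
        for i, p in enumerate(ring):
            if p.hmaster and served[i] is None:
                served[i] = t
        trace.append(global_outputs(ring))
        for i, moved in enumerate(passed):    # token passing happens at the end of the tick
            if moved:
                ring[i].tok = False
                ring[(i + 1) % n].tok = True
    return violations, served, trace


# Constructed request pattern for a ring of three masters over 12 ticks.
REQUESTS = [
    [1, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0],
    [0, 1, 1, 1, 1, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 0, 1, 1, 1, 1, 0, 0, 0, 0],
]

if __name__ == "__main__":
    viol, served, trace = simulate(REQUESTS)
    print("violations:", viol)              # []
    print("first HMASTER tick:", served)    # master 1 waits for the token: [0, 4, 6]
```

The trace also shows the price of the construction that the conclusions mention: master 1 raises HBUSREQ[1] at tick 1 but is only served at tick 4, after the token has travelled from process 0, because a grant without the token would violate G12.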
6.3 Addressing Challenges ‘Special 0-process’ and ‘Global Information’
The AMBA specification is of the form A(∀i. ass(i) → (∀i ≠ 0. ϕ(i) ∧ ψ(0))), i.e., it distinguishes the behavior
of process 0. Recall the AMBA guarantees G10 from Fig. 1 (after the localization steps of the previous
sections):
∀i ≠ 0 : G(¬HGRANT[i] → (¬HGRANT[i] W HBUSREQ[i])) (G10.1)
G((DECIDE[0] ∧ (∀i : ¬HBUSREQ[i])) → X HGRANT[0]) (G10.2)
The distinction between 0- and non-0-processes, as well as the required properties, present several additional
challenges to the parameterized synthesis approach.
Distinguished 0-process. The process templates for 0- and non-0-processes for specifications of the form
A(∀i. ass(i) → (∀i ≠ 0. ϕ(i) ∧ ψ(0))) can be synthesized separately, i.e., first synthesize a process template Pϕ for
A(∀i. ass(i) → ∀i. ϕ(i)) and a process template Pψ for A(∀i. ass(i) → ∀i. ψ(i)). Then a combined token ring consisting of
any number of copies of Pϕ and of one copy of Pψ at vertex 0 will satisfy A(∀i. ass(i) → (∀i ≠ 0. ϕ(i) ∧ ψ(0))).
Hence we introduce a separate specification for the 0-process and synthesize it separately.
To this end, we also separate G11 into two parts, G11.1: ¬HGRANT[i] ∧ ¬HMASTLOCK[i] (for non-
0-processes) and G11.2: TOK[0] → HGRANT[0] ∧ HMASTER[0] ∧ ¬HMASTLOCK[0] (for the 0-process).
Immediate reaction. Guarantee G10.2 requires an immediate reaction to a state where no process
receives a bus request. This is unrealizable for AMBA in token rings because mutual exclusion of the
grants requires possession of the token and implies G(HGRANT[i] → TOK[i]). To allow the process to
wait for the token and then immediately react, we modify G10.2 to G((DECIDE[0] ∧ (∀i : ¬HBUSREQ[i]) ∧
X TOK[0]) → X HGRANT[0]).
Global information. G10.2 contains an index quantifier ∀i inside the temporal operator G, which is not
supported by Thm. 3. Intuitively, G10.2 requires the 0-process to have global information about the inputs of
all processes, as it needs to react to a situation where HBUSREQ[i] is low for all i. This is not possible
when only HBUSREQ[0] is available as an input, so we introduce an auxiliary (global) input NO_REQ, and
add the assumption ∀i. G(HBUSREQ[i] → ¬NO_REQ). Then G10.2 becomes G((DECIDE[0] ∧ NO_REQ ∧
X TOK[0]) → X HGRANT[0]). Such guarantees and assumptions are allowed by Thm. 3.
6.4 Resulting Parameterized AMBA Specification
We obtained the new specification from the one in Fig. 1 by localization of global assumptions (Sect. 6.1),
localization of the global output signals HMASTER, HMASTLOCK, DECIDE, and START (Sect. 6.2), and separation
of specifications for 0- and non-0-processes (Sect. 6.3). The resulting assumptions and guarantees
for non-0-processes are given in Fig. 2, the modifications for the 0-process in Fig. 3. The specifications
to be synthesized are
∀i. A((A1 ∧ ... ∧ A4 → TR(i)) ∧ (A1 ∧ ... ∧ A5 → G1 ∧ ... ∧ G10.1 ∧ G11.1 ∧ G12)), and
∀i. A((A1 ∧ ... ∧ A4 ∧ A6 → TR(i)) ∧ (A1 ∧ ... ∧ A6 → G1 ∧ ... ∧ G10.2 ∧ G11.2 ∧ G12)).
7 Optimizations and Experiments
In this section, we describe optimizations that proved to be crucial for the synthesis of the parameterized
AMBA AHB, and present the results of parameterized synthesis in the form of runtimes and resulting
component implementations.
Local Assumptions:
G((HMASTLOCK[i] ∧ (HBURST = INCR) ∧ HMASTER[i]) → XF ¬HBUSREQ[i]) (A1)
GF HREADY (A2)
G(HLOCK[i] → HBUSREQ[i]) (A3)
¬HBUSREQ[i] ∧ ¬HLOCK[i] ∧ ¬HREADY (A4)
GF TOK[i] (A5)
Local Guarantees:
G(¬HREADY → X ¬START[i]) (G1)
G((HMASTLOCK[i] ∧ HBURST = INCR ∧ START[i]) → X(¬START[i] W (¬START[i] ∧ HBUSREQ[i]))) (G2)
G((HMASTLOCK[i] ∧ HBURST = BURST4 ∧ START[i] ∧ HREADY) → X(¬START[i] W[3] (¬START[i] ∧ HREADY))) (G3.1)
G((HMASTLOCK[i] ∧ HBURST = BURST4 ∧ START[i] ∧ ¬HREADY) → X(¬START[i] W[4] (¬START[i] ∧ HREADY))) (G3.2)
G(HREADY → (HGRANT[i] ↔ X HMASTER[i])) (G4)
G(HREADY → (LOCKED[i] ↔ X HMASTLOCK[i])) (G5)
G(X ¬START[i] → ((HMASTER[i] ↔ X HMASTER[i]) ∧ (HMASTLOCK[i] ↔ X HMASTLOCK[i]))) (G6)
G((DECIDE[i] ∧ X HGRANT[i]) → (HLOCK[i] ↔ X LOCKED[i])) (G7)
G(¬DECIDE[i] → ((HGRANT[i] ↔ X HGRANT[i]) ∧ (LOCKED[i] ↔ X LOCKED[i]))) (G8)
G(HBUSREQ[i] → F(¬HBUSREQ[i] ∨ HMASTER[i])) (G9)
G(¬HGRANT[i] → (¬HGRANT[i] W HBUSREQ[i])) (G10.1)
¬HGRANT[i] ∧ ¬HMASTLOCK[i] (G11.1)
G(HGRANT[i] → TOK[i]) (G12)
Figure 2: Parameterized AMBA specification for non-0-processes. G10.2 is only needed for the 0-process.
Local Assumptions: as before: A1, A2, A3, A4, A5
new: G(HBUSREQ[i] → ¬NO_REQ) (A6)
Local Guarantees: as before: G1, G2, G3, G4, G5, G6, G7, G8, G9, G12
removed: G10.1, G11.1
new: G((NO_REQ ∧ ¬TOK[0] ∧ X TOK[0]) → X HGRANT[0]) (G10.2)
modified: TOK[0] → HGRANT[0] ∧ HMASTER[0] ∧ ¬HMASTLOCK[0] (G11.2)
Figure 3: Parameterized AMBA specification for the 0-process: modifications wrt. non-0-processes.
Prototype. The basis of our experiments is PARTY, a tool for parameterized synthesis of token rings [13].
PARTY is written in Python, uses LTL3BA [3] for automata translation and Z3 [16] for SMT solving.
All experiments were done on an x86_64 machine with 2.60GHz, 12GB RAM. The prototype implementation
and specification files can be found at https://github.com/5nizza/Party/ (branch ‘amba-gr1’).
Synchronous Hub Abstraction [14, Sect. 6]. Synchronous hub abstraction can be applied to 1-indexed
specifications. It lets the environment simulate all but one process, and always schedules this process.
Thus, the synthesizer searches for a process template in a synchronous setting with additional assumptions
on the environment, namely: i) the environment sends the token to the process infinitely often, and ii)
the environment never sends the token to the process if it already has it. Note that synchronous hub
abstraction is sound and complete for the semantics of 1-indexed properties introduced in Sect. 3.2. Also
note that after applying this optimization any monolithic synthesis method can be applied to the resulting
specification in Sect. 6.4.
Hardcoding States With and Without the Token [14, Sect. 4]. The number of states with and without
the token in a process template defines the degree of parallelism in a token ring. Parallelism increases
with the number of states that do not have the token. In the AMBA case study, any action with a grant
depends on having the token. Thus we divide states into one that does not have the token, and all others
that have the token, by hardcoding the TOK[i] output function.
Decompositional Synthesis of Different Grant Schemes. The idea of decompositional synthesis is:
synthesize a subset of the properties, then synthesize a larger subset using the model from the previous
step as a basis. Consider as an example the synthesis of the non-0-process of AMBA. The flow is:
1. Assume that every request is locked with BURST4, i.e., add the assumption G(HLOCK[i] ∧ HBURST =
BURST4) to the specification. This implicitly removes guarantee G2 and assumption A1 from the
specification. Synthesize the model. The resulting model has 10 states (states t0, .., t9 and transitions
between them in Fig. 4).
2. Use the model found in the previous step as a basis: assert the number of states, the values of the output
functions in these states, and the transitions for inputs that satisfy the previous assumption. Transitions for
inputs that violate the assumption from step 1 are not asserted, and thus left to be synthesized.
Now relax the assumptions: allow locked and non-locked BURST4 requests, i.e., replace the previous
assumption with G(HBURST = BURST4). Again, this implicitly removes G2 and A1. In
contrast to the last step, now guarantee G3 is not necessarily ‘activated’ if there is a request.
Synthesize the model. This may require increasing the number of states (and it does in the case of the
non-0-process): add new states and keep assertions on all the previous states.
3. Assert the transitions of the model found, like in the previous step.
Remove all added assumptions and consider the original specification. Synthesize the final model.
Although for AMBA this approach was successful, it is not clear how general it is. For example, it does
not work if we start with locked BURST4 and HREADY always high, and then try to relax it. Also, the
separation into sets of properties to be synthesized was done manually.
Optimization of SMT Encoding. Recall from Sect. 4 that SMT-based bounded synthesis, given an automaton
A¬ϕ of the negation of the specification ϕ and an unknown process template P = (Q_P, Q_0, Σ_pr, δ_P, out)
with a fixed number of states, encodes the product automaton A¬ϕ × P into SMT constraints such that
A¬ϕ × P contains no reachable loops with an accepting state of A¬ϕ iff the SMT constraints are satisfiable.
Below is the general assertion from which the SMT query is composed:
$$\bigwedge_{q \in Q_P}\ \bigwedge_{a \xrightarrow{i,o} b \,\in\, \delta_{A_{\neg\varphi}}} \Big( \rho(a,q) \ge 0 \wedge o = out(q) \;\rightarrow\; \rho(b, \delta_P(q,i)) \mathrel{\triangleright} \rho(a,q) \Big)$$
where ▷ is ‘>’ if b is an accepting state of A¬ϕ, else ‘≥’. In words: for any state of the process template,
and any transition of the automaton, if the current state of the product automaton is reachable, then the
next state should also be reachable and the ranking function should be as stated.
[Figure 4: state diagram of the synthesized non-0-process model with states t0, .., t13, their active outputs and input-labeled edges; the drawing itself is not reproduced in this text version.]
Figure 4: Synthesized model of non-0-processes. The green circle state (t0) is without the token, the other states
are with the token. Initial states are t0, t1. States are labeled with their active outputs. Edges are labeled
with inputs, a missing input variable means “don’t care”. ‘burst4’ means HBURST = BURST4, ‘incr’
means HBURST = INCR, ‘single’ means neither of them. In the first step of decompositional synthesis
states t0, .., t9 were synthesized, in the second t10, .., t12 were added, in the final step state t13 was added.
The specification of AMBA we synthesize is derived from a GR(1) specification. As a consequence it
contains assumptions (A3, A6) of the form G α(i), where α(i) is a Boolean formula over current inputs,
and many guarantees (G1, G4, G5, G6, G7, G8, G12, G10.2) of the form G β(i,o,o'), where β(i,o,o')
is a Boolean formula over current inputs and outputs and next outputs. Instead of using the standard
approach via automaton translation described above, we:
1. encode assumptions of the form G α(i) directly into SMT constraints, namely add α(i) to the
premise of the SMT rule. Thus, the premise becomes ‘ρ(a,q) ≥ 0 ∧ o = out(q) ∧ α(i) → ...’;
2. for all guarantees of the form G β(i,o,o') add SMT constraints of the form
$$\bigwedge_{q \in Q_P}\ \bigwedge_{i \in \Sigma_{pr}} \big( \alpha(i) \;\rightarrow\; \beta(i, out(q), out(\delta_P(q,i))) \big)$$
The first optimization is sound and complete, the second one introduces incompleteness.
For the AMBA specification in Figs. 2 and 3 this optimization means that only guarantees G2, G3, G9,
G10.1, and G11 require the standard flow via automata translation.
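As an added illustration of the two encodings just described (the ranking-function rule over A¬ϕ × P, and the direct encoding of G α(i) and G β(i,o,o')), the following generator emits SMT-LIB 2 text for a constructed toy instance. It is not PARTY's encoder and not the AMBA specification: the instance is one process with inputs req, lock and outputs grant, tok, the specification G(req → F grant), a hand-written Büchi automaton for its negation F(req ∧ G ¬grant), an A3-shaped direct assumption G(lock → req) and two G12-shaped direct guarantees G(grant → tok) and G(¬req → X ¬grant). The SMT symbols delta (for δ_P), rho (for ρ) and out_<o> (for out) are names chosen here. By hand, a two-state template (state 0 with grant and tok low, state 1 with both high, moving to state 1 exactly on req) satisfies every emitted constraint, so the query is expected to be satisfiable.

```python
"""Bounded-synthesis constraints as SMT-LIB 2 text (constructed illustration).

Toy instance (not the AMBA specification): a single process with inputs
req, lock and outputs grant, tok, specification phi = G(req -> F grant).
Hypothetical SMT names: delta = delta_P, rho = ranking function, out_<o> = out(q).
"""
from itertools import product

INPUTS = ["req", "lock"]      # Sigma_pr ranges over valuations of these Booleans
OUTPUTS = ["grant", "tok"]    # out(q) fixes each of these per template state

# Buchi automaton for the negation, F(req & G !grant): a0 initial, a1 accepting.
# Edge labels are partial valuations (input, output); a missing key is don't-care.
NEG_PHI = {
    "init": "a0",
    "accepting": {"a1"},
    "edges": [("a0", {}, {}, "a0"),
              ("a0", {"req": True}, {"grant": False}, "a1"),
              ("a1", {}, {"grant": False}, "a1")],
}


def lit(b):
    return "true" if b else "false"


def conj(terms):
    return terms[0] if len(terms) == 1 else "(and " + " ".join(terms) + ")"


def concrete_inputs(partial):
    """Every full input valuation consistent with a partial edge label."""
    free = [x for x in INPUTS if x not in partial]
    for bits in product([False, True], repeat=len(free)):
        yield {**partial, **dict(zip(free, bits))}


def delta(q, iv):
    return f"(delta {q} {' '.join(lit(iv[x]) for x in INPUTS)})"


def in_terms(iv):
    return {x: lit(iv[x]) for x in INPUTS}


def out_terms(state):
    return {o: f"(out_{o} {state})" for o in OUTPUTS}


def encode(n_states, aut, assumptions=(), guarantees=()):
    """assumptions: G alpha(i), given as alpha(i_terms) -> SMT term, added to every premise;
    guarantees: G beta(i,o,o'), given as beta(i_terms, o_terms, o'_terms) -> SMT term,
    encoded directly per (q, i) instead of through an automaton."""
    names = sorted({e[0] for e in aut["edges"]} | {e[3] for e in aut["edges"]})
    idx = {a: k for k, a in enumerate(names)}
    out = ["(set-logic UFLIA)",
           f"(declare-fun delta (Int {' '.join(['Bool'] * len(INPUTS))}) Int)",
           "(declare-fun rho (Int Int) Int)"]
    out += [f"(declare-fun out_{o} (Int) Bool)" for o in OUTPUTS]
    for q in range(n_states):                         # delta_P stays within the bound
        for iv in concrete_inputs({}):
            out.append(f"(assert (and (>= {delta(q, iv)} 0) (< {delta(q, iv)} {n_states})))")
    out.append(f"(assert (>= (rho {idx[aut['init']]} 0) 0))")   # initial product state reachable
    for q in range(n_states):                         # rho(a,q) >= 0 & o = out(q) -> rho(b, delta(q,i)) |> rho(a,q)
        for a, ilab, olab, b in aut["edges"]:
            cmp = ">" if b in aut["accepting"] else ">="      # the |> of the text
            o_eq = [f"(= (out_{o} {q}) {lit(v)})" for o, v in olab.items()]
            for iv in concrete_inputs(ilab):
                prem = [f"(>= (rho {idx[a]} {q}) 0)"] + o_eq
                prem += [alpha(in_terms(iv)) for alpha in assumptions]
                out.append(f"(assert (=> {conj(prem)} "
                           f"({cmp} (rho {idx[b]} {delta(q, iv)}) (rho {idx[a]} {q}))))")
    for q in range(n_states):                         # direct encoding of G beta(i, o, o')
        for iv in concrete_inputs({}):
            prem = conj([alpha(in_terms(iv)) for alpha in assumptions] or ["true"])
            for beta in guarantees:
                body = beta(in_terms(iv), out_terms(q), out_terms(delta(q, iv)))
                out.append(f"(assert (=> {prem} {body}))")
    out.append("(check-sat)")
    return "\n".join(out)


# Constructed direct-encoded properties in the shape of A3 and G12 from the text:
A_LOCK_IMPLIES_REQ = lambda i: f"(=> {i['lock']} {i['req']})"                       # G(lock -> req)
G_GRANT_NEEDS_TOK = lambda i, o, o2: f"(=> {o['grant']} {o['tok']})"                # G(grant -> tok)
G_NO_REQ_NO_GRANT = lambda i, o, o2: f"(=> (not {i['req']}) (not {o2['grant']}))"  # G(!req -> X !grant)


def encode_toy(n_states=2):
    return encode(n_states, NEG_PHI, [A_LOCK_IMPLIES_REQ], [G_GRANT_NEEDS_TOK, G_NO_REQ_NO_GRANT])


if __name__ == "__main__":
    print(encode_toy())       # pipe into `z3 -in` to ask for a 2-state template
```

Each edge label with don't-care inputs is expanded into concrete valuations, so the number of ranking assertions is |Q_P| times the number of concrete automaton edges; the direct guarantees add one assertion per (q, i) pair and never enlarge the automaton, which is exactly the saving the experiments below report.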
Does this optimization help in the synthesis? Preliminary experiments (considering the first step of
the decompositional synthesis of the non-0-process) show:
• With the optimization the automaton for the negated specification has 24 states, without it 42 states.
• The synthesis time with the optimization is 16 minutes, without it 57 minutes. It is interesting to note that
the optimized and non-optimized versions spent the same time (2 minutes) checking satisfiability
of the last query (with the model size of 10), so the main difference is in checking unsatisfiable
queries: Z3 identifies unsatisfiability of optimized queries faster (14 vs. 53 minutes). A similar
behavior happens for a version of the same specification with reduced lengths of bursts (3/4 →
2/3): total times are 3/6 minutes, but the last query took 1m40s/30s for the optimized/non-optimized
version.
Table 1: Results for non-0-process.
Additional assumptions            time      #states
G HLOCK, G HBURST = BURST4        16 min.   10
G HBURST = BURST4                 13 sec.   13
– (full specification)            1 min.    14
Table 2: Results for 0-process (bursts reduced: 3/4 → 2/3).
Additional assumptions            time      #states
G HLOCK, G HBURST = BURST4        3 h.      11
G HBURST = BURST4                 1 min.    11
– (full specification)            1m30s.    12
Results. Synthesis times are in Tables 1 and 2, the model synthesized for non-0-process is in Fig. 4. The
table has timings for the case when all optimizations described in this section are enabled — it was not
our goal to evaluate the optimizations separately, but to find a combination that works for the AMBA
case study.
For the 0-process we considered a simpler version with burst lengths reduced to 2/3 instead of the
original 3/4 ticks. With the original length the synthesizer could not find a model within 2 hours (it
hung while checking models with 11 states, whereas the model has at least 12 states).
Without the decompositional approach, the synthesizer could not find a model for the non-0-process
of the AMBA specification within (at least) 5 hours.
8 Conclusions
We have shown that parameterized synthesis in token rings can be used to solve benchmark problems of
significant size, in particular the well-known AMBA AHB specification that has been used as a synthesis
benchmark for a long time. To achieve this goal, we slightly extended the cutoff results that parameterized
synthesis is based on, and used a number of optimizations in the translation of the specification and
the synthesis procedure itself to make the process feasible.
This is the first time that the AMBA case study, or any other realistic case study of significant size,
has been solved by an automatic synthesis procedure for the general, parametric case. However, some
of the steps in the procedure are manual or use an ad-hoc solution for the specific problem at hand, like
the limited extension of cutoff results for global inputs, the construction of suitable functions to convert
local to global outputs, or the decompositional synthesis for different grant schemes. Generalizing and
automating these approaches is left for future work.
Furthermore, our synthesized implementation is such that the size of the parallel composition grows
only linearly with the number of components. Thus, for this case study our approach does not only solve
the problem of increasing synthesis time for a growing number of components, but also the problem of
implementations that need an exponential amount of memory in the number of components. We pay
for this small amount of memory with a less-than-optimal reaction time, as processes have to wait for
the token in order to grant a request. This restriction could be remedied by extending the parameterized
synthesis approach to different system models, e.g., processes that coordinate by guarded transitions, or
communicate via broadcast messages.
Acknowledgments. We thank Sasha Rubin for insightful discussions on cutoff results in token rings.
References
[1] Benjamin Aminof, Swen Jacobs, Ayrat Khalimov & Sasha Rubin (2014): Parameterized Model Checking of Token-Passing Systems. In: VMCAI, LNCS 8318, Springer, pp. 262–281, doi:10.1007/978-3-642-54013-4_15.
[2] ARM Ltd. (1999): AMBA Specification (Rev. 2). Available from www.arm.com.
[3] Tomáš Babiak, Mojmír Křetínský, Vojtěch Řehák & Jan Strejček (2012): LTL to Büchi Automata Translation: Fast and More Deterministic. In: TACAS, LNCS 7214, Springer, pp. 95–109, doi:10.1007/978-3-642-28756-5_8.
[4] Roderick Bloem, Alessandro Cimatti, Karin Greimel, Georg Hofferek, Robert Könighofer, Marco Roveri, Viktor Schuppan & Richard Seeber (2010): RATSY - A New Requirements Analysis Tool with Synthesis. In: CAV, LNCS 6174, Springer, pp. 425–429, doi:10.1007/978-3-642-14295-6_37.
[5] Roderick Bloem, Swen Jacobs & Ayrat Khalimov (2014): Parameterized Synthesis Case Study: AMBA AHB (Extended Version). arXiv:1406.7608. Available at http://arxiv.org/abs/1406.7608.
[6] Roderick Bloem, Barbara Jobstmann, Nir Piterman, Amir Pnueli & Yaniv Sa'ar (2012): Synthesis of Reactive(1) designs. J. Comput. Syst. Sci. 78(3), pp. 911–938, doi:10.1016/j.jcss.2011.08.007.
[7] E. Allen Emerson & Kedar S. Namjoshi (2003): On Reasoning About Rings. Int. J. Found. Comput. Sci. 14(4), pp. 527–550, doi:10.1142/S0129054103001881.
[8] Bernd Finkbeiner & Swen Jacobs (2012): Lazy Synthesis. In: VMCAI, LNCS 7148, Springer, pp. 219–234, doi:10.1007/978-3-642-27940-9_15.
[9] Bernd Finkbeiner & Sven Schewe (2013): Bounded synthesis. STTT 15(5-6), pp. 519–539, doi:10.1007/s10009-012-0228-z.
[10] Yashdeep Godhal, Krishnendu Chatterjee & Thomas A. Henzinger (2013): Synthesis of AMBA AHB from formal specification: a case study. STTT 15(5-6), pp. 585–601, doi:10.1007/s10009-011-0207-9.
[11] Swen Jacobs & Roderick Bloem (2014): Parameterized Synthesis. Logical Methods in Computer Science 10, pp. 1–29, doi:10.2168/LMCS-10(1:12)2014.
[12] Barbara Jobstmann (2007): Applications and Optimizations for LTL Synthesis. Ph.D. thesis, Graz University of Technology.
[13] Ayrat Khalimov, Swen Jacobs & Roderick Bloem (2013): PARTY Parameterized Synthesis of Token Rings. In: CAV, LNCS 8044, Springer, pp. 928–933, doi:10.1007/978-3-642-39799-8_66.
[14] Ayrat Khalimov, Swen Jacobs & Roderick Bloem (2013): Towards Efficient Parameterized Synthesis. In: VMCAI, LNCS 7737, Springer, pp. 108–127, doi:10.1007/978-3-642-35873-9_9.
[15] Uri Klein & Amir Pnueli (2010): Revisiting Synthesis of GR(1) Specifications. In: Haifa Verification Conference, LNCS 6504, Springer, pp. 161–181, doi:10.1007/978-3-642-19583-9_16.
[16] Leonardo de Moura & Nikolaj Bjørner (2008): Z3: An Efficient SMT Solver. In: TACAS, LNCS 4963, Springer, pp. 337–340, doi:10.1007/978-3-540-78800-3_24.
[17] Amir Pnueli & Roni Rosner (1990): Distributed Reactive Systems Are Hard to Synthesize. In: FOCS, IEEE Computer Society, pp. 746–757, doi:10.1109/FSCS.1990.89597.
