Structural Synthesis for GXW Specifications by Cheng, Chih-Hong et al.
Structural Synthesis for GXW Specifications
Chih-Hong Cheng, Yassine Hamza, and Harald Ruess
fortiss - An-Institut Technische Universita¨t Mu¨nchen
Guerickestr. 25, 80805 Munich, Germany
{cheng,ruess}@fortiss.org, yassine.hamza@in.tum.de
Abstract. We define the GXW fragment of linear temporal logic (LTL) as the basis for synthe-
sizing embedded control software for safety-critical applications. Since GXW includes the use
of a weak-until operator we are able to specify a number of diverse programmable logic control
(PLC) problems, which we have compiled from industrial training sets. For GXW controller
specifications, we develop a novel approach for synthesizing a set of synchronously communi-
cating actor-based controllers. This synthesis algorithm proceeds by means of recursing over the
structure of GXW specifications, and generates a set of dedicated and synchronously communi-
cating sub-controllers according to the formula structure. In a subsequent step, 2QBF constraint
solving identifies and tries to resolve potential conflicts between individual GXW specifications.
This structural approach to GXW synthesis supports traceability between requirements and
the generated control code as mandated by certification regimes for safety-critical software.
Synthesis for GXW specifications is in PSPACE compared to 2EXPTIME-completeness of full-
fledged LTL synthesis. Indeed our experimental results suggest that GXW synthesis scales well
to industrial-sized control synthesis problems with 20 input and output ports and beyond.
1 Introduction
Embedded control software in the manufacturing and processing industries is usually developed
using specialized programming languages such as ladder diagrams or other IEC 61131-3 defined
languages. Programming in these rather low-level languages is not only error-prone but also time-
and resource-intensive. Therefore we are addressing the problem of correct-by-construction and au-
tomated generation of embedded control software from high-level requirements, which are expressed
in a suitable fragment of linear temporal logic.
Moreover, an explicit correspondence between the high-level requirements and the generated
control code is essential, since embedded control software is usually an integral part of safety-critical
systems such as supervisory control and data acquisition (SCADA) systems for controlling critical
machinery or infrastructure. In particular current industrial standards for safety-related development
such as IEC 61508, DO 178C for avionics, and ISO 26262 for automotive applications mandate
traceability between the control code and it requirements. Controllers generated by state-of-the-art
LTL synthesis algorithms and tools such as generalized reactivity(1) (GR(1)) [15,25] or bounded LTL
synthesis [8,11,28], however, usually do not explicitly support such traceability requirements. For
example, the GR(1) synthesis tool Anzu generates circuit descriptions in Verilog from BDDs [15].
We are therefore proposing a novel approach for synthesizing structured control software. In
essence, the control code is generated by means of structural recursion on the given LTL formulas.
Therefore, the structure of the control code corresponds closely to the syntactic structure of the given
requirements, and there is a direct correspondence between controller components and sub-formulas
of the specification.
In a first step towards this goal, we identify a fragment of LTL for specifying the input-output
behavior of typical embedded control components. Besides the specification of input assumptions,
invariance conditions on outputs, and transition-like reactions of the form G(input → Xioutput),
this fragment also contains specifications of reactions of the form G(input→ Xi(output W release)),
where input is an LTL formula containing at most i consecutive X operators (i.e., an LTL formula
whose validity is determined by the next i input valuations). The latter reaction formula states
that if there is a temporal input event satisfying the constraint input, then the output constraint
should hold on output events until there is a release event (or output always holds). The operator
ar
X
iv
:1
60
5.
01
15
3v
3 
 [c
s.L
O]
  6
 Ju
l 2
01
6
G is the universal path quantifier, Xi abbreviates i consecutive next-steps, W denotes the weak
until temporal operator, the constraint output contains no temporal operator, and the subformula
release may contain certain numbers of consecutive next-steps but no other temporal operators. The
resulting fragment of LTL is called GXW.
So far we have successfully modelled more than 70 different embedded control scenarios in GXW.
The main source for this set of benchmarking problems are publicly available collections of industrial
training materials for PLCs (including CODESYS 3.0 and AC500) [2,16,24]. The proposed GXW
fragment of LTL is also similar to established requirements templates for specifying embedded control
software in the aerospace domain, such as EARS [23].
Previous work on LTL synthesis (e.g., [8,11,28,14,10,15,25,5,31,7]) usually generates gate-level de-
scriptions for the synthesized control strategies. In contrast, we generate control software in an actor
language with high-level behavioral constructs and synchronous dataflow communication between
connected actors. This choice of generating structured controllers is motivated by current practice of
programming controllers using, say, Matlab Simulink [4], continuous function charts (IEC 61131-3),
and Ptolemy II [12], which also supports synchronous dataflow (SDF) models [19]. Notice, however,
that the usual notions of LTL synthesis also apply to synthesis for SDF, since the composition of
actors in SDF may also be viewed as Mealy machines with synchronous cycles [30].
Synthesis of structured controllers from GXW specifications proceeds in two subsequent phases.
In the first phase, the procedure recurses on the structure of the given GXW formulas for generating
dedicated actors for monitoring inputs events, for generating corresponding control events, and for
wiring these actors according to the structure of the given GXW formulas. In the second phase,
appropriate values for unknown parameters are synthesized in order to realize the conjunction of all
given GXW specifications. Here we use satisfiability checking for quantified Boolean formula (2QBF)
for examining if there exists such conflicts between multiple GXW specifications. More precisely,
existential variables of generated 2QBF problems capture the remaining design freedom when an
output variable is not constrained by any trigger of low-level events.
We demonstrate that controller synthesis for the GXW fragment is in PSPACE as compared to
the 2EXPTIME-completeness result of full-fledged LTL [27]. Under some further reasonable syntactic
restrictions on the GXW fragment we show that synthesis is in coNP.
An implementation of our GXW structural synthesis algorithm and application to our benchmark
studies demonstrates a substantial speed-up compared to existing LTL synthesis tools. Moreover, the
structure of the generated control code in SDF follows the structure of the given GXW specifications,
and is more compact and, arguably, also more readable and understandable than commonly used
gate-level representations for synthesized control strategies.
The paper is structured as follows. We introduce in Section 2 some basic notation for LTL syn-
thesis, a definition of the GXW fragment of LTL and SDF actor systems together with the problem of
actor-based LTL synthesis under GXW fragment. Section 3 illustrates GXW and actor-based control
for such specifications by means of an example. Section 4 includes the main technical contributions
and describes algorithmic workflow for generating structured controllers from GXW, together with
soundness and complexity results for GXW synthesis. A summary of our experimental results is pro-
vided in Section 5, and a comparison of GXW synthesis with closely related work on LTL synthesis
is included in Section 6. The paper closes with concluding remarks in Section 7.
2 Problem Formulation
We present basic concepts and notations of LTL synthesis, and we define the GXW fragment of LTL
together with the problem of synthesizing actor-based synchronous dataflow controllers for GXW.
2.1 LTL Synthesis
Given two disjoint sets of Boolean variables Vin and Vout, the linear temporal logic (LTL) formulae
over 2Vin∪Vout is the smallest set such that (1) v ∈ 2Vin∪Vout is an LTL formula, (2) if φ1, φ2 are
LTL-formulae, then so are ¬φ1, ¬φ2, φ1 ∨ φ2, φ1 ∧ φ2, φ1 → φ2, and (3) if φ1, φ2 are LTL-formulae,
ID Meaning Pattern
P1 Initial-Until %outWφ
i
in
P2 Trigger-Until G(φiin → Xi(%outW (ϕjin ∨ ρ0out)))
P3 If-Then G(φiin → Xi%out)
P4 Iff G(φiin ↔ Xi%out)
P5 Invariance G(φ0out)
P6 Assumption G(φ0in)
Table 1. Patterns defined in GXW specifications
Pattern ID High-level Control Specification
P1 outputW input
P2 G(input→ (outputW release))
P3 G(input→ output)
Table 2. Specification patterns and correspond-
ing skeleton specification.
then so are Gφ1, Xφ1, φ1Uφ2. Given an ω-word σ, define σ(i) to be the i-th element in σ, and define
σi to be the suffix ω-word of σ obtained by truncating σ(0) . . . σ(i−1). The satisfaction relation σ  φ
between an ω-word σ and an LTL formula φ is defined in the usual way. The weak until operator,
denoted W, is similar to the until operator but the stop condition is not required to occur; therefore
φ1Wφ2 is simply defined as (φ1Uφ2) ∨ Gφ1. Also, we use the abbreviation Xiφ to abbreviate i
consecutive X operators before φ.
A deterministic Mealy machine is a finite automaton C = (Q, q0,2Vin ,2Vout , δ), where Q is set of
(Boolean) state variables (thus 2Q is the set of states), q0 ∈ 2Q is the initial state, 2Vin and 2Vout
are sets of all input and output assignments defined by two disjoint sets of variables Vin and Vout.
δ := 2Q × 2Vin → 2Vout × 2Q is the transition function that takes (1) a state q ∈ 2Q and (2) input
assignment vin ∈ 2Vin , and returns (1) an output assignment vout ∈ 2Vout and (2) the successor
state q′ ∈ 2Q. Let δout and δs be the projection of δ which considers only output assignments and
only successor states. Given a sequence a0 . . . ak where ∀i = 0 . . . k, ai ∈ 2Vin , let δks (q0, a0 . . . ak)
abbreviate the output state derived by executing a0 . . . ak as an input sequence on the Mealy machine.
Given a set of input and output Boolean variables Vin and Vout, together with an LTL formula
φ on Vin and Vout the LTL synthesis problem asks the existence of a controller as a deterministic
Mealy machine Cφ such that, for every input sequence a = a0a1a2 . . ., where ai ∈ 2Vin : (1) given
the prefix a0 produce b0 = δout(q0, a0), (2) given the prefix a0a1 produce b1 = δout(δs(q0, a0), a1),
(3) given the prefix a0 . . . akak+1, produce bk+1 = δout(δ
k
s (q0, a0 . . . ak), ak+1), and (4) the produced
output sequence b = b0b1 . . . ensures that the word σ = σ1σ2 . . ., where σi = aibi ∈ 2Vin∪Vout , σ  φ.
2.2 GXW Synthesis
We formally define the GXW fragment of LTL. Let φi, ϕi, ψi be LTL formulae over input variables
Vin and output variables Vout, where all formulas are (without loss of generality) assumed to be
in disjunctive normal form (DNF), and each literal is of form Xj v or ¬Xj v with 0 ≤ j ≤ i and
v ∈ Vin ∪Vout. Clauses in DNF are also called clause formulae. Moreover, a formula φiin is restricted
to contain only input variables in Vin, and similarly, φ
i
out contains only output variables in Vout.
Finally, %out denotes either vout or ¬vout, where vout is an output variable.
For given input variables Vin and output variables Vout, a GXW formula is an LTL formula of one
of the forms (P1)-(P6) as specified in Table 1. For example, GXW formulas of the form (P2) stop
locking %out as soon as (ϕ
j
in ∨ ρ0out) holds. GXW specifications are of the form
%→
∧
m=1...k
ηm , (1)
where % matches the GXW pattern (P6), and ηm matches one of the patterns (P1) through (P5)
in Table 1. Furthermore, the notation “.” is used for projecting subformulas from ηm, when it
satisfies a given type. For example, assuming that sub-specification ηm is of pattern P3, i.e., it
matches G(φiin → Xi%out), ηm.%out specifies the matching subformula for %out. Notice also that
GXW specifications, despite including the W operator, have the finite model property, since the
smallest number of unrolling steps for disproving the existence of an implementation is linear with
respect to the structure of the given formula (cmp. Section 4.4).
Instead of directly synthesizing a Mealy machine as in standard LTL synthesis, we are considering
here the generation of actor-based controllers using the computational model of synchronous dataflow
(a)
in1
in2
out
f1
f3
f2
f4
in1
in2
out
f1
f3
f2
f4
(c)
i
i
o
o
o
o
i1
i1
i2
i2
f1
(b)
¬v v
o := ¬i
o := i
i o
f2
o
i1
i2
∧
f4
oi1
i2
∨
f3
oi ¬
Fig. 1. An actor system allowing functional composition
and corresponding actors f1 (a)(b), feedback loops such
as (c) are not considered here.
in0
in1 in2
(opening limit switch)
in2
out0 out1
(closing limit switch)
(opening limit switch)
(open the door) (close the door)
(infrared sensor)
Fig. 2. Control of automatic door switch.
(SDF) without feedback loops. An actor-based controller is a tuple S = (Vin,Vout, Act, τ), where Vin
and Vout are disjoint sets of external input and output ports. Each port is a variable which may be
assigned a Boolean value or undefined if no such value is available at the port. In addition, actors
A ∈ Act may be associated with internal input ports Uin and output ports Uout (all named apart),
which are also three-valued. The projection A.u denotes the port u of A. An actor A ∈ Act defines
Mealy machine C whose input and output assignments are based on 2Uin and 2Uout , i.e., the output
update function of C sets each output port to true or false, when each input port has value in {true,
false}. Lastly, A(i) denotes a copy of A which is indexed by i.
Let Act.Uin and Act.Uout be the set of all internal input and output ports for Act. The wiring
τ ⊆ (Vin ∪ Act.Uin)× (Vout ∪ Act.Uout) connects one (external, internal) input port to one or more
(external, internal) output ports. For convenience, denote the wiring from port out of A1 to port in
of A2 as (A1.out 99K A2.in). All ports are supposed to be connected, and every internal input port
and every external output port is only connected to one wire (thus a port does not receive data from
two different sources). Also, we do not consider actor systems with feedback loops here (therefore
no cycles such as the one in Figure 1(c)), since systems without feedback loops can be statically
scheduled [18].
Evaluation cycles are triggered externally under the semantics of synchronous dataflow. In each
such cycle, the data received at the external input ports is processed and corresponding values are
transferred to external output ports. Notice also that the composition of actors under SDF acts
cycle-wise as a Mealy machine [30]. We illustrate the operational semantics of actor-based systems
under SDF by means of the example in Figure 1(a), with input ports in1, in2, output port out, and
actors f1, f2, f3, f4 (see also Figure 1(b))
1. Now, assume that in the first cycle, the input ports in1
and in2 receive the value (false, true) and in the second cycle the value (false, true). The false value in
in1 is copied to f1.i. As f1 is initially at state where v = false, it creates the output value true (places
it to f1.o) and changes its internal state to v = true. The value true from f1.o is then transferred to
f4.i1 and f2.i1. However, at this stage one cannot evaluate f2 or f4, as the i2 port is not yet filled
with a value. f3 receives the value from in2 and produces f3.o to false. Continuing this process, at
the end of first cycle out is set to true, while in the second cycle, out is set to false.
As we do not consider feedback loops between actors in Act, from input read to output write,
one can, using the enumeration method as exemplified above, create a static linear list Ξ of size
|Act|+ |τ |, where each element ξind ∈ Ξ is either in Act or in τ , for specifying the linear order (from
the partial order) how data is transferred between wires and actors. Such a total order Ξ is also
called an evaluation ordering of the actor system S.
One may wrap any Mealy machine C as an actor A(C) by simply creating corresponding ports in
A(C) and by setting the underlying Mealy machine of A(C) to C. Therefore, actor-based controllers
1 The formal operational semantics, as it is standardized notation from SDF, is relegated to the appendix.
may be synthesized for a given LTL specification φ by first synthesizing a Mealy machine C realizing
φ, followed by the wrapping C as A(C), creating external I/O ports, and connecting external I/O
ports with A(C).
Given a GXW specification φ over the input variables Vin and output variables Vout, the problem
of GXW synthesis is to generate an actor-based SDF controller S realizing φ. As one can always
synthesize a Mealy machine followed by wrapping it to an actor-based controller, GXW synthesis has
the same complexity for Mealy machine and for actor-based controllers.
3 Example
We exemplify the use of GXW specifications and actor-based synthesis for these kinds of specification
by means of an automatic sliding door [1], which is visualized in Figure 2. Inputs and outputs are
as follows: in0 is true when someone enters the sensing field; in1 denotes a closing limit switch - it is
true when two doors touch each other; in2 denotes an opening limit switch - it is true when the door
reaches the end; out0 denotes the opening motor - when it is set to true the motor rotates clockwise,
thereby triggering the door opening action; and out1 denotes closing motor - when it is set to true the
motor rotates counter-clockwise, thereby triggering the door closing action. Finally, the triggering of
a timer t0 is modeled by means a (controllable) output variable t0start and the expiration of a timer
is modeled using an (uncontrollable) input variable t0expire.
Before stating the formal GXW specification for the example we introduce some mnemonics.
– entering1 := ¬in0 ∧X in0
– expired1 := ¬t0expire ∧ (Xt0expire)
– lim reached1 := ¬in2 ∧Xin2
– closing stopped := in1 ∨ in0 ∨ out0
The superscripts denote the maximum number of consecutive next-steps. Now the automatic
sliding door controller is formalized in GXW as follows.
S1: G(entering1 → X(out0 W in2))
S2: G(expired1 → X(out1 W closing stopped))
S3: ¬out0 W entering1
S4: G(in2→ ¬out0)
S5: G(lim reached1 ↔ X(t0start))
S6: G(in0→ ¬out1)
S7: G(¬(out0 ∧ out1))
In particular, formula (S1) expresses the requirement that the opening of the door should continue
(out0 = true) until the limit is reached (in2), and formulas (S3) and (S7) specify the expected initial
behavior of the automatic sliding door. The GXW specifications for the sliding door example are
classified as follows: formulas (S1), (S2) are of type (P2), (S3) is of type (P1), (S4), (S6) is of type
(P3), (S5) is of type (P4), and (S7) of type (P5) according to Table 1.
Figure 3 visualizes an actor-based automatic sliding door controller which realizes the GXW
specification (S1)-(S7). It is constructed from a small number of building blocks, which are also
described in Figure 3. Monitor actors, for example, are used for monitoring when the entering, expired,
and lim reached constraints are fulfilled, the OR actor is introduced because of the closing stopped
release condition in specification (S1), and the two copies of the trigger-until actors are introduced
because of the (P2) shape of the specifications (S1) and (S2). The input and output ports of the
trigger-until actor are in accordance with the namings for (P2) in Table 2. Resolution actors are used
for resolving potential conflicts between individual GXW formulas in a specification. These actors are
parameterized with respect to a Boolean A, which is the output of the resolution actor in case all
inputs of this actor may be in {true, false} (this set is denoted by the shorthand “–” in Figure 3). The
presented algorithm sets up a 2QBF problem for synthesizing possible values for these parameters.
Because of the constraint (S7) on possible outputs out0 and out1, the parameter A for the resolution
actor for output out0, for example, needs to be set to A:=false. Figure 3 also includes the operational
behavior of selected actors in terms of high-level transitions and/or Mealy machines. The internal
state and behavior for monitor actors, however, is synthesized, in linear time, from a given GXW
constraint on inputs (see Section 4).
Finally, the structural correspondence of the actor-based controller in Figure 3 with the given
GXW specification of the sliding door example is being made explicit by superscripting actors with
index (i) whenever the actor has been introduced due to the i-th specification.
in0
in1
in2
t0expire
out0
out1
t0start
State variable: boolean lock := false;
if(lock & !release) {output := true}
else if(release) {output := –, lock := false}
else if(input & !release) {output := true; lock := true}
else {output := –}
TrUB /* Trigger-Until Block */input
release output
¬in2 ∧X(in2)
if(input ) {output := true}
else {output := – }
IfTB /* If-then block */
input
output
¬t0expire ∧X(t0expire)
OR
InUB /* Init-Until Block */
State variable boolean finish:= false;
if(finish) {output:= –}
else if(input) {output := -, finish:= true}
else {output := true}
input
output
InUB(3)
(a)
(b)
Resout0
/* !input & !release & !lock */
input
if (input = –) {output := – }
if (input = true) {output := false}
if (input = false) {output:=true}
Res
inputk
outputinput1
input2
. . .
if (
∧
i
inputi = –) {output := A}
if (∃i : inputi = false) {output := false}
if (∃i : inputi = true) {output := true}
The resolution is based on the assumption
that it is impossible to have two inputs
where one is true and the other is false.
Resout1
(with parameter A)
(output false for 1st cycle)
A := false
A := false
TrUB(1)
TrUB(2)
¬
¬
IfTB(4)
¬
Rest0start
A := false
Transition function
Transition function
Transition function (high-level language)
¬in0 ∧X(in0)
(output false for 1st cycle)
IfTB(6)
!lock lock
{!release}
{release}
output := –
{input & !release} output := true
{!input ∨ release }
¬
!finish
{!input } output := true
Transition function (high-level language)
finish
{input }
output := –
output := –output
Monitoring ¬in ∧X(in), 1st output to be falseinput output
State variable: mem := u
/* domain {u, true, false}; to be re-encoded to 2 bool */
m=u
m=true
m=false
Transition function (high-level language)
/* Generated by Algorithm 3 in linear time */
{!input } output := false
{input } output := false
{input } output := true
{!input } output := false
{input } output := false
{!input }
output := false
output := –
(output “–” for 1st cycle)
(2)
(3)(1)
(2)
(6)Monitor
Monitor
Monitor
output := true
Fig. 3. Actor-based controller realizing automatic sliding door.
4 Structural Synthesis
We now describe the algorithmic details for generating structured controllers from the GXW speci-
fications of the form % → ∧m=1...k ηm. The automated sliding door is used as running example for
illustrating the result of each step.
First, our algorithm prepares I/O ports, iterates through every formula ηm for creating high-level
controllers (Step 1) based on the appropriate GXW pattern. For specifications of types P1 to P3,
Table 2 lists the corresponding LTL specification (as high-level control objective), where input and
release are input Boolean variables, output is an output Boolean variable.
Then, for each GXW formula, the algorithm constructs actors and wirings for monitoring low-level
events by mimicking the DNF formula structure (Steps 2 and 3). On the structural level of clause
formulas in DNF, the algorithm constructs corresponding controllers in linear time (Algorithm 1).
Finally, the algorithm applies 2QBF satisfiability checking (and synthesis of parameters for resolution
actors) for guaranteeing nonexistence of potential conflicts between different formulas in the GXW
specifications (Step 4).
4.1 High-level Control Specifications and Resolution Actors
The initial structural recursion over GXW formulas is described in Step 1.
Step 1: Prepare external I/O ports, initiate high-level controller and resolution controllers
Input : LTL specification φ = %→ ∧m=1...k ηm, input variables Vin, output variables Vout
Output: Actor-based (partial) controller implementation S = (Vin,Vout, Act, τ), mapout
1 let mappattern := {P1 7→ InUB, P2 7→ TrUB, P3 7→ IfTB}
2 Vin := { vin | vin ∈ Vin}
3 Vout := { vout | vout ∈ Vout}
4 foreach ηm, m = 1 . . . k do
5 if (p := DetectPattern(ηm)) ∈ {P1, P2, P3} then
6 Create actor A(m) from A := mappattern.get(p), and add to S;
7 else if (p := DetectPattern(ηm)) 6∈ {P4, P5, P6} then return error
8 let mapout := NewEmptyMap();
9 foreach vout ∈ Vout do mapout.put(vout, NewEmptyList());
10 foreach ηm, m = 1 . . . k do
11 mapout.get(vout).add(m), where vout is the output variable used in τm.%out;
12 foreach vout ∈ Vout do Add actor Resvout := CreateResActor(mapout.get(vout).size()) to Act
13 foreach ηm, m = 1 . . . k do
14 let vout be the variable used in τm.%out, ind := mapout.get(vout).indexOf(m);
15 if ¬vout equals τm.%out then // negation is used in literal
16 Create a negation actor ¬ (m) and add it to Act;
17 τ := τ ∪ {(A(m).output 99K ¬ (m).input), ( ¬ (m).output 99K Resvout .inputind)};
18 else τ := τ ∪ {(A(m).output 99K Resvout .inputind)}
19 foreach vout ∈ Vout do τ := τ ∪ {(Resvout .output 99K vout )}
Step 1.1 - Controller for high-level control objectives. Line 1 associates the three high-level controller
actors InUB, TrUB, IfTB with their corresponding pattern identifier. Implementations for the ac-
tors InUB, TrUB, IfTB are listed in Figure 3(b). For example, the actor IfTB is used for realizing
G(input→ output) in Table 2. When input equals false, the output produced by this actor equals “–”.
This symbol is used as syntactic sugar for the set {true, false}. Therefore the output is unconstrained,
that is, it is feasible for output to be either true or false. The value “–” is transferred in the dataflow,
thereby allowing the delay of decisions when considering multiple specifications influencing the same
output variable.
Step 1.2 - External I/O ports. Line 2 and 3 are producing external input and output port for each
input variable vin ∈ Vin and output variable vout ∈ Vout.
Step 1.3 - High-level control controller instantiation. Lines 4 and 5 iterate through each specification
ηm for finding the corresponding pattern (using DetectPattern). Based on the corresponding type,
line 6 creates a high-level controller by copying the content stored in the map. If there exists a
specification which does not match one of the patterns, immediately reject (line 7). Notice that
pattern P4 is handled separately in Step 3. For the door example, the controller in Figure 3(a)
contains the two copies TrUB(1) and TrUB(2) of the trigger-until actor TrUB; the subscripts of
these copies are tracing the indices of the originating formulas (S1) and (S2).
Step 1.4 - Resolution Actors. This step is to consider all sub-specifications that influence the same
output variable vout. Line 9 to 11 adds, for each specification ηm using vout, its index m maintained by
mapout.get(vout). E.g., for the door example, specifications S1, S3 and S4 all output out0. Therefore
after executing line 10 and 11, we have mapout.get(out0)={1, 3, 4}, meaning that for variable out0,
the value is influenced by S1, S3 and S4.
For each output variable vout, line 12 creates one Resolution Actor Resvout which contains one
parameter equaling the number of specifications using vout in %out. Here we make it a simple memo-
ryless controller as shown in Figure 3(b) - Resvout outputs true when one of its inputs is true, outputs
false when one of its inputs is false, and outputs A (which is currently an unknown value to be syn-
thesized later) when all inputs are “–”. The number of input pins is decided by calling the map. E.g.,
for Resout0 in Figure 3(a), three inputs are needed because mapout.get(out0).size()=3. The output of
Step 2: Synthesize monitoring controllers (for pattern P1, P2, P3)
Input : φ = %→ ∧m=1...k ηm, Vin, Vout, S = (Vin,Vout, Act, τ) from Step 1.
Output: Actor-based (partial) controller S = (Vin, Vout, Act, τ) by adding more elements
1 foreach ηm, m = 1 . . . k do
2 p := DetectPattern(ηm);
3 if p ∈ {P1, P2, P3} then
4 Add an OR-gate actor ORφiin
with size(ηm.φ
i
in) inputs to Act;
5 foreach clause formula χiin from DNF of ηm.φ
i
in do
6 Add A(C) to Act, where C := Syn(G(χiin ↔ Xiout) ∧
∧i−1
z=0X
z¬out, In(χiin), {out});
7 foreach vin ∈ In(χiin) do τ := τ ∪ {( vin 99K A(C).vin)}
8 τ := τ ∪ {(A(C).out 99K ORφiin .inIndex(χiin,φiin))};
9 τ := τ ∪ {(ORφiin .out 99K A
(m).input)};
10 if p ∈ {P2} then
11 Add an OR-gate actor OR
ϕ
j
in∨ρ0out
with size(ηm.(ϕ
j
in ∨ ρ0out)) inputs to Act;
12 foreach clause formula χhin from DNF ηm.ϕ
j
in do
13 Add A(C) to Act, where C := Syn(G(χhin ↔ Xhout) ∧
∧h−1
z=0 X
z¬out, In(χhin), {out});
14 foreach vin ∈ In(χiin) do τ := τ ∪ {( vin 99K A(C).vin)} if h = 0 then Add
(A(C).out 99K OR
ϕ
j
in∨ρ0out
.in
Index(χzin,ϕ
j
in∨ρ0out)
) to τ else
15 Add A(CΘh) to Act, where CΘh := CreateThetaCtrl(h);
16 τ := τ ∪ {(ORφiin .out 99K A(CΘh).set), (A(C).out 99K A(CΘh).in), (A(CΘh).out 99K
OR
ϕ
j
in∨ρ0out
.in
Index(χzin,ϕ
j
in∨ρ0out)
)};
17 foreach clause formula χ0out from DNF of ηm.ρ
0
out do
18 Add an AND-gate actor ANDηm.χ0out with size(χ
0
out) inputs to Act;
19 foreach literal ωout of χ
0
out do
20 let vout be the variable used in ωout;
21 if ωout equals ¬vout (i.e., negation is used in literal) then
22 Create ¬
Resvout
and add it to Act (if not exists in Act);
23 Add (Resvout .output 99K ¬ Resvout .input) to τ (if not exists in τ);
24 Add ( ¬
Resvout
.output 99K ANDχ0out .inIndex(ωout,χ0out)) to τ ;
25 else τ := τ ∪ {Resvout .output 99K ANDχ0out .inIndex(ωout,χ0out)}
26 τ := τ ∪ {ANDχ0out .out 99K ORϕjin∨ρ0out .inIndex(χ0out,ϕjin∨ρ0out)}
27 τ := τ ∪ {OR
φ
j
in∨ρ0out
.out 99K A(m).release};
the high-level controller A(m) is connected to the input of Resvout . When negation is needed due to
the negation symbol in %out (line 15), one introduces a negation actor ¬ which negates A(m).output
when A(m).input is true or false (line 16,17). To ensure that connections are wired appropriately,
mapout is used such that the number “ind” records the precise input port of the Resout (line 14).
Consider again the door example. Due to the maintained list {1, 3, 4}, TrUB(1).output is connected
to Resvout .input1, i.e., the first input pin of Resvout . Also, as ¬out0 is used in S3 and S4, the wiring
from InUB(3) and IfTB(4) to Resout0 in Figure 3(a) has a negation actor in between.
Lastly, line 19 connects the output port of a resolution actor to the corresponding external output
port. If Resvout receives simultaneously true and false from two of its input ports, then Resvout .output
needs to be simultaneously true and false. These kinds of situations are causing unrealizability of GXW
specification, and Step 4 is used for detecting these kinds of inconsistencies.
4.2 Monitors and and Phase Adjustment Actors
The second step of the algorithm synthesizes controllers for monitoring the appearance of an event
matching the subformula, and connects these controllers to previously created actors for realizing
high-level control objectives. For a formula φ in DNF form, let size(φ) return the number of clauses in
φ. For clause formula χiin in φ, let In(χ
i
in) return the set of all input variables and α = Index(χ
i
in, φ
i
in)
specify that χiin is the α-th clause in φ
i
in.
Step 2.1 - Realizing “input” part for pattern P1, P2, P3. In Step 2, from line 3 to 9, the algorithm
synthesizes controller realizing the portion input listed in Table 2, or equivalently, the φiin part listed
in Table 1. Line 4 first creates an OR gate, as the formula is represented in DNF. Then synthesize
a controller for monitoring each clause formula (line 5, 6) using function Syn, with input variables
defined in In(χiin) and a newly introduced output variable {out}2. The first attempt is to synthesize
G(χiin ↔ Xiout). By doing so, the value of χiin is reflected in out. However, as the output of the
synthesized controller is connected to the input of an OR-gate (line 8) and subsequently, passed
through the port “input” of the high-level controller (line 9), one needs to also ensure that from time
0 to i − 1, out remains false, such that the high-level controller Am for specification ηm will not be
“unintentionally” triggered and subsequently restrict the output. To this end, the specification to be
synthesized is G(χiin ↔ Xiout) ∧
∧
z=0...i−1 X
z¬out, being stated in line 6.
For above mentioned property that needs to be synthesized in line 6, one does not need to use
full LTL synthesis algorithms. Instead, we present a simpler algorithm (Algorithm 1) which creates a
controller in time linear to the number of variables times the maximum number of X operators in the
formula. Here again for simplicity, each state variable is three-valued (true, false, u); in implementation
every 3-valued state variable is translated into 2 Boolean variables. In the algorithm, state variable
vin[i] is used to store the i-step history of for vin, and vin[i] = u means that the history is not
yet recorded. Therefore, for the initial state, all variables are set to u (line 4). The update of state
variable vin[i + 1] is based on the current state of vin[i], but for state variable vin[1], it is updated
based on current input vin (line 17). With state variable recording previously seen values, monitoring
the event is possible, where the value of out is based on the condition stated from line 6 to 16.
Consider a controller realizing χiin := ¬in1 ∧ Xin1 ∧ Xin2 ∧ XX¬in2, being executed under a
run prefix (false, false)(true, true)(true, false). As shown in Figure 4, the update of state variables is
demonstrated by a left shift. The first and the second output are false. After receiving the third input,
the controller is able to detect a rising edge of in1 (via in1[2]=false and in1[1]=true) is immediately
followed by a falling edge of in2 (via in2[1]=true and in2=false).
Step 2.2 - Realizing “release” part for pattern P2. Back to Step 2, the algorithm from line 10 to 29
synthesizes a controller realizing the portion release listed in Table 2, or equivalently, the ϕjin ∨ ρ0out
part listed in Table 1. The DNF structure is represented as an OR-actor (line 11), taking input from
ϕjin (line 12-18) and ρ
0
out (line 19-28).
For ρ0out (line 19-28), first create an AND-gate for each clause in DNF. Whenever output vari-
able vout is used, the wiring is established by a connection to the output port of Resvout (line 27).
Negation in the literal is done by adding a wire to connect Resvout to a dedicated negation actor
¬
Resvout
to negate the output (line 23 to 26). Consider, for example, specification S2 of the auto-
matic door running example, where the “release” part (in1 ∨ in0 ∨ out0) is a disjunction of literals
using output variable out0. As a consequence, one creates an AND-gate (line 20) which takes one
input Resout0.output (line 27), and connects this AND-gate to the OR-gate (line 28). Figure 3(a)
displays an optimized version of this construction, since the single-input AND-gate may be removed
and Resout0.output is directly wired with the OR-gate.
For ϕjin (line 12 to 23), similar to Step 2.1, one needs to synthesize a controller which tracks the
appearance of χhin (line 13). However, the start of tracking is triggered by φ
i
in (the input subformula).
That is, whenever φiin is true, start monitoring if ϕ
j
in has appeared true. This is problematic when χ
h
in
contains X operators (i.e., h > 0). To realize this mechanism, at line 19, the function CreateThetaCtrl
additionally initiates a controller which guarantees the following: Whenever input variable set turns
2 For pattern type P2 or P3, one needs to have each clause formula of φiin be of form χ
i
in, i.e., the highest
number of consecutive X should equal i. The purpose is to align χiin with the preceding X
i in G(φiin →
Xi(%outW (ϕ
j
in ∨ρ0out))) or G(φiin → Xi%out). If a clause formula in DNF contains no literal starting with
Xi, one can always pad a conjunction Xi true to the clause formula. The padding is not needed for P1.
Algorithm 1: Realizing Syn without full LTL synthesis
Input : LTL specification G(χiin ↔ Xiout) ∧
∧i−1
z=0X
z¬out), input variables In(χiin), output
variables {out}
Output: Mealy machine C = (Q, q0,2Vin ,2Vout ,∆) for realizing the specification
1 Vout := {out}, Vin := In(χiin);
2 foreach Variable vin ∈ In(χiin) do // Create all state variables in the Mealy machine
3 for j = 1 . . . i do Q := Q ∪ {vin[j]}, where vin[j] is three-valued (true, false, u)
4 q0 :=
∧
vin∈In(χiin),j∈{1,...i} vin[j] := u // Initial state;
5 let Cond := true;
6 foreach literal Xkvin in χ
i
in do
7 if k = i then
8 Cond := Cond ∧ (vin = true)
9 else
10 Cond := Cond ∧ (vin[i− k] = true)
11 foreach literal Xk¬vin in χiin do
12 if k = i then
13 Cond := Cond ∧ (vin = false)
14 else
15 Cond := Cond ∧ (vin[i− k] = false)
16 δout := (out := Cond) // Output assignment should follow the value of Cond;
17 δs := (
∧
vin∈In(χiin),j=1...i−1 vin[j + 1] := vin[j]) ∧ (
∧
vin∈In(χiin) vin[1] := vin);
true, the following h output value of out is set to false. After that, the value of output variable out
is the same as the input variable in. This property can be formulated as Θh (to trigger consecutive
h false value over out after seeing set = true) listed in Equation 2, with implementation shown in
Figure 6. By observing the Mealy machine and the high-level transition function, one infers that the
time for constructing such a controller in symbolic form is again linear to h.
Θh := (¬out W set) ∧G(set→ (
h−1∧
z=0
¬Xzout ∧Xh((in↔ out) W set))) (2)
The overall construction in Step 2 is illustrated using the example in Figure 5, which realizes the
formula
G((¬in1 ∧Xin1)→ X(out1 W(¬in2 ∧Xin2))) (3)
with Vin = {in1, in2} and Vout = {out1}. This specification requires to set output out1 to true when
a rising edge of in1 appears, and after that, out0 should remain true until detecting a raising edge
of in2. Using the algorithm listed in Step 2, line 6 synthesizes the monitor for the input part (i.e.,
detecting rising edge of in1), line 13 synthesizes the monitor for the release part (i.e., detecting rising
edge of in2), line 14 creates the wiring from input port to the monitor. As h = 1 (line 16), line 17
creates A(CΘ1), and line 18 establishes the wiring to and from A(CΘ1).
The reader may notice that it is incorrect to simply connect the monitor controller for ¬in2∧Xin2
directly to TrUB.release, as, when both ¬in1 ∧ Xin1 and ¬in2 ∧ Xin2 are true at the same time,
TrUB.output is unconstrained. On the contrary, in Figure 5, when ¬in1∧Xin1 is true and the value is
passed through TrUB.input, A(CΘ1) enforces to invalidate the incoming value of TrUB.release for 1
cycle by setting it to false.
Step 3 - Realizing ”input” for pattern P4. For pattern P4, in contrast to pattern P1, P2, and P3, the
synthesized controller (following Step 3) is directly connected to a Resolution Actor. To maintain
maximum freedom over output variable, one synthesizes the event monitor from the specification
allowing the first i output to be –, via
∧i−1
z=0 X
zdc ∧ XiG¬dc. The construction is analogous to
Algorithm 1.
Optimizations. Runtimes for Steps 2 and 3 may be optimized by using simple pattern matching
and hashing of previously synthesized controllers. We are listing three different opportunities for
in1[1]in1[2]
in2[1]in2[2]
u
State variable Input
in1
in2
false
false
out := false
in1[1]in1[2]
in2[1]in2[2]
u
u
State variable Input
in1
in2
true
true
out := false
false
false
in1[1]in1[2]
in2[1]in2[2]
State variable Input
in1
in2
true
false
out := true
true
true
false
false
u
uu
Fig. 4. Executing monitor with χiin := ¬in1∧Xin1∧Xin2∧
XX¬in2, by taking first three inputs (false, false)(true,
true)(true, false).
TrUB
in2
out1
A(CΘ1)set
in
out
release
OR
OR input
Resout1
in1
Fig. 5. Correct controller construction for specification sat-
isfying pattern P2.
State variables:
if(!1stSet & !set) {out := false;
CΘh /* Phase Adjustment Block */set
in
out
Transition function /* high-level language*/
int c := 0 /* finite domain [0 . . . h− 1] */
boolean 1stSet := false;
} else if(set) {
} else {
}
if(counter > 0) {out := false; c:= c- 1; }
else {out := in }
out := false; 1stSet := true; c := h-1;
¬1stSet
{!set} out := false
c = 0
c = h-1
1stSet
c = h-2
1stSet
c = 0
1stSet
c = 1
1stSet
. . .
{!set} out := in
{!set}!out {!set}!out
{set}
!out
{set} !out
{set} !out {set} !out
Fig. 6. Implementing Θh (state variables not
mentioned in update remain the same value).
optimized generation of monitors. First, the controller in Figure 3(a) for monitoring ¬in0 ∧ X in0
is connected to two high-level controllers. The second case can be observed in Figure 5, where by
rewriting in1 and in2 to in, the controller being synthesized is actually the same. Therefore, one
can also record the pattern for individual monitor and perform synthesis once per pattern. A third
opportunity for optimization occurs when Algorithm 1 takes i = 0 (i.e., no X operator is used). In
these case there is no need to create a controller at all and one may proceed by directly building
a combinatorial circuit, similar to the constructions of line 19 to 28 in Step 2. For example, for
specification S2 of the automatic door, the release part is in1∨ in0∨out0; since no X operator occurs,
a combinatorial circuit is created by wiring directly in1 and in0 to the OR-gate.
4.3 Parameter Synthesis for 2QBF without Unroll
Step 3 as described above constructs actors as building blocks and wires the actors according to the
structure of the given GXW specification. The resulting (partial) controller, however, does not yet
realize this specification as it may still contain unknowns in the resolution actors. Further checks are
necessary, and a controller is rejected if one of the following conditions holds.
(Condition 1) The wiring forms a directed loop in the constructed actor-based controller.
(Condition 2) It is possible for a resolution actor Resvout to receive true and false simultaneously.
(Condition 3) Outputs violate invariance conditions of pattern P5.
Condition 1 is checked by means of a simple graph analysis: (1) let all ports be nodes and wirings be
edges; (2) for each actor, create directed edges from each of its input port to each of its output port;
(3) check if there exists a strongly connected component in the resulting graph using, for example,
Tarjan’s algorithm [29].
Conditions 2 and 3 are checked by means of creating corresponding 2QBF satisfiability problems.
Recall that each resolution actor Resvout is parameterized with respect to the output A when all
incoming inputs for Resvout are “–”. The corresponding parameter assignment problem is encoded as
a 2QBF3 formula, where existential variables are the parameters to be synthesized, universal variables
are input variables, and the quantifier-free body is a logical implication specifying that the encoding
of the system guarantees condition 2 and 3.
Step 4 shows a simplified algorithm for generating 2QBF constraints which does not perform
unrolling. Stated in line 15, the quantifier free formula is of form Υa → Υg, where Υa are input
assumptions and system dynamics, and Υg are properties to be guaranteed.
3 Quantified Boolean Formula with one top-level quantifier alternation.
Step 3: Synthesize monitoring controllers (for pattern P4)
Input : LTL specification φ = %→ ∧m=1...k ηm, Vin, Vout, actor-based (partial) controller
S = (Vin, Vout, Act, τ) and mapout from Step 2.
Output: Actor-based (partial) controller S = (Vin, Vout, Act, τ) by adding more elements
1 foreach ηm, m = 1 . . . k do
2 if DetectPattern(ηm) ∈ {P4} then
3 Add a size(ηm.φ
i
in)-input OR-gate actor OR(φ
i
in) to Act;
4 foreach clause formula χiin from DNF of ηm.φ
i
in do
5 Cχ := Syn((G(χiin)↔ Xiout)) ∧
∧i−1
z=0X
zdc ∧XiG¬dc, In(χiin), {out, dc});
6 Add A(Cχiin) to Act;
7 foreach vin ∈ In(χiin) do τ := τ ∪ {( vin 99K A(Cχiin .vin))}
8 τ := τ ∪ {(ORφiin .out 99K Resvout .inputi)};
9 let vout be the variable used in τm.%out, ind := mapout.get(vout).indexOf(m);
10 if %out equals ¬vout then // negation is used in literal
11 Create a negation actor ¬ (m) and add it to Act;
12 Add (ORφiin
.out 99K ¬ (m).in), ( ¬ (m).output 99K Resvout .inputind) to τ ;
13 else Add (ORφiin
.out 99K Resvout .inputind) to τ
First, unknown parameters are added to the set of existential variables V∃ (line 2). All other
variables are universal variables. Then based on the evaluation ordering of S, perform one of the
following tasks:
• When an element ξ in the execution ordering Ξ is a wire (line 5), we add source and dest as
universal variables (as V∀ is a set, repeated variables will be neglected), and establish the logical
constraint (source↔ dest) (lines 6 to 8).
• When an element ξ in the execution ordering Ξ is an actor, we use function EncodeTransition to
encode the transition (pre-post) relation as constraints (line 11), and add all state variables (for
pre and post) in the actor (recall our definition of Mealy machine is based on state variables) to
V∀ using function GetStateVariable (line 10).
Υa is initially set to % (line 1) to reflect the allowed input patterns regulated by the specification
(specification type P6). Line 12 creates the constraint stating that no two inputs of a resolution
actor should create contradicting conditions. As the number of input ports for any resolution actor is
finite, the existential quantifier is only an abbreviation which is actually rewritten to a quantifier-free
formula describing relations between input ports of a resolution actor.
The encoding presented in Step 4 does not involve unroll (it encodes the transition relation,
but not the initial condition). Therefore, by setting all variables to be universally quantified, one
approximates the behavior of the system dynamics without considering the relation between two
successor states. Therefore, using Step 4 only guarantees soundness: If the formula is satisfiable,
then the specification is realizable (line 15, 16). Otherwise, unknown is returned (line 17).4
As each individual specification of one of the types {P1, P2, P3, P4} is trivially realizable, the
reason for rejecting a specification is (1) simultaneous true and false demanded by different sub-
specifications, (2) violation of properties over output variables (type P5), and (3) feedback loop
within S. Therefore, as Steps 1-4 guarantees non-existence of above three situations, the presented
method is sound.
Theorem 1. (Soundness) Let φ be a GXW specification, and S be an actor-based controller as
generated by Steps 1-4 from φ; then S realizes φ.
4 Even without unroll, one can infer relations over universal variables via statically analyzing the speci-
fication. As an example, consider two sub-specifications S1 : G(in1 → (outW in2)) and S2 : G(in2 →
(¬outW in1)). One can infer that it is impossible for TrUB(1) and TrUB(2) to be simultaneously have
state variable lock = true, as both starts with lock = false, and if S1 first enters lock (lock = true) due to
in1, the S2 cannot enter, as release part of S2 is also in1. Similar argument follows vice versa.
Step 4: Parameter synthesis by generating 2QBF constraints
Input : LTL specification φ = %→ ∧m=1...k ηm, input variables Vin, output variables Vout, partial
controller implementation S = (Vin, Vout, Act, τ) with unknown parameters
Output: Controller implementation S or “unknown”
1 let Υa := %, Υg := true, V∃, V∀ := NewEmptySet();
2 foreach vout ∈ Vout do V∃ := V∃ ∪ {Resvout .A}
3 let Ξ be the evaluation ordering of S ;
4 foreach ξ ∈ Ξ do
5 if ξ ∈ τ then // ξ is w wire; encode biimplication among two ports
6 Let ξ be (source 99K dest);
7 V∀.add(source), V∀.add(dest);
8 Υa := Υa ∧ (source↔ dest);
9 else
10 V∀.add(GetStateVariable(ξ));
11 Υa := Υa ∧ (EncodeTransition(ξ)) /* ξ ∈ Act */ ;
12 for vout ∈ Vout do Υg := Υg ∧ (6 ∃i, j : (Resvout .inputi = true) ∧ (Resvout .inputj = false))
13 foreach ηm, m = 1 . . . k do
14 if DetectPattern(ηm) ∈ {P5} then Υg := Υg ∧ ηm
15 if Solve2QBF(V∃, V∀, Υa → Υg).isSatisable then
16 return S by replacing each Resout.A by the value of witness in 2QBF;
17 else return unknown
in1
in2
out1
out2
TrUB
TrUB
Resout1
Resout2
Fig. 7. Incompleteness example.
The GXW synthesis algorithm as described above, however is in-
complete, as controllers with feedback loops are rejected; that is,
whenever output variables listed in the release part of P2 necessitate
simultaneous reasoning over two or more output variables. Figure 7
display an controller (with feedback loop) for realizing the specifi-
cation G(in1 → (out1Wout2)) ∧G(in2 → (out2Wout1)). However,
our workflow rejects such a controller even though the given specifi-
cation is realizable. With further structural restriction over GXW (which guarantees no feedback loop
in during construction) and by using unrolling of the generated actor-based controllers, the workflow
as presented here can be made to be completeness, as demonstrated in Section 4.4.
(Remarks) Notice that in the presented algorithm, the synthesized controller does not contain
a detector for checking if environment assumption (type P6) is violated. Practically, input assign-
ments violating P6 should never appear. If such a violation is possible, then immediately after the
assumption violation and from that time onwards, the controller is allowed to produce arbitrary
output assignment5. Here we omit details, but would like to stress that one can easily mediate such
scenarios by several ways. E.g., one can append a detection actor (by building a combinational cir-
cuit out of the specification type P6) to detect the event whether the environment assumption is
violated. At the same time, provide an additional input port on every resolution actor to override
the output (i.e., a resolution actor should consider first if environment assumption is violated: if so,
then continuously output false), and link the detection actor with the newly created port.
Also, there are unlikely scenarios such as declaring output variables without having them used in
any specification. One can mediate it by always connecting a wire from one input port to the output
port of a unused output variable, without building a resolution actor. The presented algorithm here
also omits details of such corner cases.
4.4 General Properties for GXW Synthesis
Since unrealizability of a GXW specification is due to the conditions (1) simultaneous true and false
demanded by different sub-specifications, and (2) violation of properties over output variables (type
5 In practice, if a violation is possible, it should be captured and handled properly; it is never the case that
output variables are allowed to be assigned with arbitrary value.
P5)6, one can build a counter-strategy7 by first building a tree that provides input assignments to
lead all runs to undesired states violating (1) or (2), then all leafs of the tree violating (1) or (2) are
connected to a self-looped final state, in order to accept ω-words. As the input part listed in Table 2
does not involve any output variable, a counter-strategy, if exists, can lead to violation of (1) or (2)
within Ω cycles, where Ω is a number sufficient to let each input part of the sub-specification be true
in a run.
Lemma 1. For GXW specification % → ∧m=1...k ηm, if (a) ρ0out is false for all ηm of type P2 and
(b) no specification of type P5 exists, then if the specification is not realizable, then there exists a
counter-strategy which leads to violation of (1) or (2) in Ω steps, where Ω is bounded by the sum of
(i) the number of specifications k, and (ii) the sum of all i value defined within each φiin of ηm.
in1
in2
out1
out2
IfTB
TrUB
Resout1
Resout2
in3 out3Resout3
∨
¬
Fig. 8. Control implementation.
When ρ0out is false for all ηm of type P2, our presented construc-
tion guarantees no feedback loop. As no specification of type P5
exists, the selection of A never influences whether the specifica-
tion is realizable. Therefore, quantifier alternation is removed.
To this end, checking unrealizability is equivalent to nondeter-
ministically guessing Ω input assignments and subsequently,
checking if a violation of (1) or (2) appears by executing S.
This also means that under the restriction from Lemma 1, a
slight modification of Step 4 to perform unrolling the compu-
tation Ω-times makes our synthesis algorithm complete.
Lemma 2. Deciding whether a given GXW specification, which also obeys the additional restrictions
as stated in Lemma 1, is realizable or not is in co-NP.
For the general case, the bound in Lemma 1 remains valid (as input part is not decided by the
output variable). Complexity result is achieved by, without using our construction, directly using
finite memory to store and examine all possible control strategies in Ω steps.
Lemma 3. For GXW specification %→ ∧m=1...k ηm, if the specification is not realizable, then there
exists a counter-strategy which leads to violation of (1) or (2) in Ω steps, where Ω is bounded by
condition similar to Lemma 1.
Lemma 4. Deciding whether a given GXW specification is realizable or not is in PSPACE.
The above mentioned bounds are only conditions to detect realizability of a GXW specification, while
our presented workflow in Section 4 targets generating structured implementations. Still, by unrolling
the computation Ω-times, one can detect if a controller, following our regulated structure, exists.
4.5 Extensions
One can extend the presented workflow to allow richer specification than previously presented GXW
fragment. Here we outline how these extensions are realized by considering the following sample
specification: G(in1→ out1) ∧G((in2 ∨ out1)→ ((out2 ∧ ¬out3)W in3)). The SDF controller imple-
mentation is shown in Figure 8. First, conjunctions in %out can be handled by considering each output
variable separately. E.g., for %out ≡ out2∧¬out3, in Figure 8 both are connected to the same TrUB.
Second, the use of output variables in “input” part for pattern P1, P2, P3 is also supported, provided
that in effect a combinatorial circuit is created (i.e., output variables should always proceed with
Xi), and the generated system does not create a feedback loop. E.g., for the antecedent (in2∨ out1),
it is created by wiring the Resout1.out to an OR-gate.
6 Rejecting feedback loops on the controller structure is only a restriction of our presented method and is
not the reason for unrealizability; similar to Figure 7, feedback loop can possibly be resolved by merging
all actors involving feedback to a single actor.
7 A counter-strategy in LTL synthesis a state machine where the environment can enforce to violate the
given property, regardless of all possible moves by the controller [27].
5 Experimental Evaluation
We implemented a tool for GXW synthesis in Java, which invokes DepQBF [21] (Version 5.0) for
QBF solving. Table 3 includes experimental results for a representative subset of our PLC benchmark
examples. Execution times is recorded using Ubuntu VM (Virtual Box with 3GB RAM) running on
an Intel i7-3520M 2.9 Ghz CPU and 8GB RAM). Most control problems are solved in less than a
second8. GXW synthesis always generated a controller without feedback loops for all examples.
Table 3 lists a comparison of execution times of GXW synthesis and the bounded LTL synthesis
tool Acacia+ [8] (latest version 2.3). We used the option --player 1 of Acacia+ for forcing the
environment to take a first move, but we did not do manual annotation in order to support compo-
sitional synthesis in Acacia+, as it is not needed by our tool. For many of the simpler case studies,
the reported runtimes of Acacia+ are similar to GXW synthesis. However, GXW seems to scale much
better to more complex case studies with a larger number of input and output variables such as
examples 5, 9, 11, 12, 13, 15, 16, 17, 18, 19 in Table 3. The representation of the generated con-
troller in terms of a system of interacting actors in GXW synthesis, however, allows the engineering
to trace each sub-specification with corresponding partial implementation. In fact the structure of
the controllers generated by GXW is usually similar to reference implementations by the case study
providers. In contrast, a controller expressed in terms of single Mealy machine is rather difficult to
grasp and to maintain for problems such as example 18 with 13 input and 13 output variables.
6 Related Work
Apart from the description in Section 1, here we compare GXW synthesis with related GR(1) synthesis
(e.g., [15,25,31,5]) and bounded LTL synthesis (e.g, [8,11,28]) techniques.
Synthesis for the GR(1) fragment of LTL is in time polynomial to the number of nodes of a
generated game, which is EXPTIME when considering exponential blow-up caused by input and
output variables. GXW is in PSPACE, where GXW allows W and GR(1) allows F. Even though it has
been demonstrated that the expressiveness of GR(1) is enough to cover many practical examples, the
use of an until logical operator, which is not included in GR(1), proved to be essential for encoding
a majority of our PLC case studies. Also, implementations of GR(1) synthesis such as Anzu [15] do
not generate structured controllers. Since GR(1) synthesis, however, includes a round-robin arbiter
for circulating among sub-specifications, the systematic structuring of controllers underlying GXW
synthesis may be applicable for synthesizing structured GR(1) controllers.
Bounded synthesis supports full LTL and is based on a translation of the LTL synthesis problem to
safety games. By doing so, one solves the safety game and finds smaller controllers (as demonstrated
in synthesis competitions via tools like Simple BDD solver [13], AbsSynthe [9], Demiurge [17]). The
result of solving safety games in bounded LTL synthesis usually is a monolithic Mealy (or Moore)
machine, whereas our GXW synthesis method of creating SDF actors may be understood as a way
of avoiding the expensive construction of the product of machines. Instead, we are generating con-
trollers by means of wiring smaller sub-controllers for specific monitoring and event triggering tasks.
The structure of the resulting controllers seem to be very close to what is happening in practice, as a
number of our industrial benchmark examples are shipped with reference implementation which are
usually structured in a similar way. The size of the representations of generated controllers is partic-
ularly important when considering resource-bounded embedded computing device such as a PLCs.
LTL component synthesis, however, has the same worst-case complexity as full LTL synthesis [22].
7 Conclusion
We have identified a useful subclass GXW of LTL for specifying a large class of embedded control
problems, and we developed a novel synthesis algorithm (in PSPACE) for automatically generating
structured controllers in a high-level programming language with synchronous dataflow without
8 Approximately 0.25 seconds is used for initializing JVM in every run.
ID Description Source I/O vars GXW Time (s) Acacia+ Time (s)
1 Automatic Door Ex15 [2] (4,3) 0.389 0.180
2 Simple Conveyor Belt Ex7.1.19 [24] (3,3) 0.556 0.637
3 Hydraulic Ramp Ex7.1.3[24] (5,2) 0.642 0.451
4 Waste Water Treatment V1 Ex7.1.8 [24] (6,3) 0.471 0.323
5 Waste Water Treatment V2 Ex7.1.9 [24] (8,9) 0.516 5.621
6 Container Fusing Ex10 [2] (7,6) 0.444 0.425
7 Elevator Control Mixing Plant Ex7.1.4 [24] (10,5) 0.484 2.902
8 Lifting Platform Ex21 [16] (6,3) 0.350 0.645
9 Control of Reversal Ex36 [16] (7,7) 0.395 2.901
10 Gear Wheel Ex19 [16] (4,6) 0.447 0.302
11 Two Directional Conveyor (simplified) Ex7.1.31.1 [24] (9,5) 0.789 6.552
12 Garage Door Control Ex7.1.25 [24] (13,5) 0.574 7.002
13 Contrast Agent Injection Ex7.1.18 [24] (6,8) 0.458 3.209
14 Identification Ex39 [16] (5,5) 0.430 0.392
15 Monitoring Chain Elevator Ex7.1.15[24] (10,9) 0.429 9.647
16 Two Directional Conveyor Ex7.1.31.1 [24] (12,5) 0.890 51.553
17 Control of single torque drive (simplified) Ex7.1.26 [24] (12,8) 0.538 38.010
18 Gravel transportation via 3 conveyors (simplified) Ex7.1.31.4 [24] (13,13) 1.227 > 600 (t.o.)
19 Control of two torque drives (simplified) Ex7.1.26 [24] (22,16) 0.790 > 600 (t.o.)
Table 3. Experimental Result
cycles. Our experimental results suggest that GXW synthesis scales well to industrial-sized control
problems with around 20 input and output ports and beyond.
In this way, GXW synthesis can readily be integrated with industrial design frameworks such as
CODESYS [3], Matlab Simulink, and Ptolemy II, and the generated SDF controllers (without cycles)
can be statically scheduled and implemented on single and multiple processors [18]. It would also be
interesting to use our synthesis algorithms to automatically generate control code from established
requirement frameworks for embedded control software such as EARS[23]. Moreover, our presented
method supports traceability between specifications and the generated controller code as required by
safety-critical applications. Traceability is also the basis for an incremental development methodology.
One of the main impediments of using synthesis in engineering practice, however, is the lack of
useful and automated feedback in case of unrealizable specifications [6,10,20] or realizable specifica-
tions with unintended realizations. The use of a stylized specification languages such as GXW seems
to be a good starting point for supporting design engineers in identifying and analyzing unrealizable
specifications, since there are only a relatively small number of potential sources of unrealizability
in GXW specifications9. Finally, hierarchical SDF may also be useful for modular synthesis [30].
Acknowledgement
We thank La˘cra˘mioara As¸tefa˘noaei for her feedback during the development of the paper.
References
1. The automatic door example is adapted from http://plc-scada-dcs.blogspot.com/2014/08/
basic-plc-ladder-programming-training_20.html.
2. Online training material for PLC programming. http://plc-scada-dcs.blogspot.com/.
3. CODESYS - industrial IEC 61131-3 PLC programming framework http://www.codesys.com/.
4. Simulink - Simulation and Model-Based Design http://www.mathworks.com/products/simulink/.
5. R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Knighofer, M. Roveri, and R. Seeber. RATSY a
new requirements analysis tool with synthesis. In: CAV, volume 6174 of LNCS, pages 425–429. Springer,
2010.
6. R. Bloem, R. Ehlers, S. Jacobs, R. Knighofer: How to Handle Assumptions in Synthesis. In: SYNT,
pages 34–50, EPTCS 157, 2014.
9 Observe the example in the paper, closing stopped contains out0. This is the only part that is not mentioned
in the textural specification, but it is required to make the specification realizable. Introducing out0 needs
creativity, and it is the part where one needs an engineer in the loop. Not mentioned in this paper, we
are also developing concepts in order to automatically add such a disjunction, similar to discovery of
environment assumptions as investigated by us and also by others (e.g., [20]).
7. R. Bloem, B. Knighofer, R. Knighofer, C. Wang. Shield Synthesis: - Runtime Enforcement for Reactive
Systems. In: TACAS, volume 9035 of LNCS, pages 533–548. Springer, 2015.
8. A. Bohy, V. Bruye`re, E. Filiot, N. Jin, and J. Raskin. Acacia+, a tool for LTL synthesis. In: CAV,
volume 7358 of LNCS, pages 652–657. Springer, 2012.
9. R. Brenguier, G. A. Prez, J.-F. Raskin, O. Sankur AbsSynthe: abstract synthesis from succinct safety
specifications In SYNT, EPTCS 157, pages 100-116, 2014.
10. C.-H. Cheng, C.-H. Huang, H. Ruess, and S. Stattelmann. G4LTL-ST: automatic generation of PLC
programs. In: CAV, volume 8559 of LNCS, pages 541–549. Springer, 2014.
11. R. Ehlers. Unbeast: Symbolic bounded synthesis. In: TACAS, volume 6605 of LNCS, pages 272–275.
Springer, 2011.
12. J. Eker, J. Janneck, E. A. Lee, J. Liu, X. Liu, J. Ludvig, S. Sachs, Y. Xiong. Taming heterogeneity - the
Ptolemy approach Proceedings of the IEEE, 91(1):127-144 (2003).
13. S. Jacobs, R. Bloem, R. Brenguier, R. Ehlers, T. Hell, R. Knighofer, G. A. Prez, J.-F. Raskin, L. Ryzhyk,
O. Sankur, M. Seidl, L. Tentrup, A. Walker. The First Reactive Synthesis Competition. (SYNTCOMP
2014). http://arxiv.org/abs/1506.08726
14. B. Jobstmann and R. Bloem. Optimizations for LTL synthesis. In: FMCAD, pages 117-124. IEEE, 2006.
15. B. Jobstmann, . Galler, M. Weiglhofer, and R. Bloem. Anzu: A tool for property synthesis. In: CAV,
volume 4590 of LNCS, pages 258–262. Springer, 2007.
16. J. Kaftan. Praktische Beispiele mit AC500 von ABB: 45 Aufgaben und Lsungen mit CoDeSys. http:
//pwww.kaftan-media.com/ ISBN 978-3-943211-05-4, 2014.
17. R. Knighofer, M. Seidl. Demiurge 1.2: A SAT-Based Synthesis Tool. Tool description for the Synt-
Comp’15 competition.
18. E. A. Lee, D. G. Messerschmitt: Static Scheduling of Synchronous Data Flow Programs for Digital Signal
Processing. IEEE Trans. Computers 36(1): 24-35 (1987).
19. E. A. Lee and D. G. Messerschmitt: Synchronous Data Flow. Proceedings of the IEEE, 75(9):1235-1245
(1987).
20. W.-C. Li. Specification Mining: New Formalisms, Algorithms and Applications. Ph.D. Thesis. UC
Berkeley, 2015.
21. F. Lonsing, A. Biere. DepQBF: A dependency-aware QBF solver. Journal on Satisfiability, Boolean
Modeling and Computation, 7, 71–76. (2010).
22. Y. Lustig, M. Y. Vardi: Synthesis from component libraries. STTT 15(5-6):603-618 (2013).
23. A. Mavin, P. Wilkinson, A. Harwood, M. Novak: Easy Approach to Requirements Syntax (EARS). In:
RE, pages 317–322. IEEE, 2009
24. J. Petry. IEC 61131-3 mit CoDeSys V3: Ein Praxisbuch fuer SPS-Programmierer. Eigenverlag 3S-Smart
Software Solutions, ISBN 978-3-000465-08-6, 2011.
25. N. Piterman, A. Pnueli, Y. Sa’ar. Synthesis of Reactive(1) Designs. In: VMCAI, volume 3855 of LNCS,
pages 364–380. Springer, 2006.
26. A. Pnueli. The temporal logic of programs. In: FOCS, pages 46–57. IEEE, 1977.
27. A. Pnueli, R. Rosner. On the Synthesis of a Reactive Module. In: POPL, pages 179–190. IEEE, 1989.
28. S. Schewe and B. Finkbeiner. Bounded synthesis. In: ATVA, volume 4762 of LNCS, pages 474–488.
Springer, 2007.
29. R. E. Tarjan. Depth-first search and linear graph algorithms. SIAM Journal on Computing 1(2):146-160
(1972).
30. S. Tripakis, D. N. Bui, M. Geilen, B. Rodiers, E. A. Lee. Compositionality in synchronous data flow:
Modular code generation from hierarchical SDF graphs. ACM Trans. on Embedded Computing Systtems
12(3): 83 (2013).
31. K.-W. Wong, R. Ehlers, and H. Kress-Gazit. Correct High-level Robot Behavior in Environments with
Unexpected Events Robotics: Science and Systems X (RSS X), 2014.
Appendix
A Operational Semantics of SDF
The operational semantics of SDF can be summarized using the below action sequence; one can use
the example in Figure 1(a)(b) to ease understanding.
(i) All ports start with initial value undefined;
(ii) A cycle is started by reading inputs andb setting the external input ports to either true or false;
(iii) For all wires connected to the same source (external input port / internal output port), copy data
to the connected destination (internal input port / external output port). Lastly, change the value
for the source port to be undefined.
(iv) When values of all input ports of an actor are not undefined, produce output and update to the
corresponding output ports, by executing the underlying Mealy machine of the actor.
(v) When all external output ports are true or false and all internal ports are undefined, proceed to
Step (vi). Otherwise, continue with Step (iii).
(vi) Produce output based on the data in the external output port, where each port can only be true
or false following Step (v). Reset each external output port to undefined, and move to Step (ii).
B Soundness
We prove that the if a controller S is produced following the workflow from Step 1 to Step 4, then
it is correct, meaning that it realizes the GXW specification %→ ∧m=1...k ηm.
The correctness proof can be understood using the following structure: (A) Prove that the behav-
ior the controller is well-defined, i.e., given any (infinite) input sequence, the controller can generate
an infinite output sequence such that the combined sequence forms an ω-word. (B) As the specifica-
tion under synthesis has the structure %→ ∧m=1...k ηm where % is a property over input variables, it
suffices to prove individually that all produced ω-words satisfy ηm. For each ηm, we then prove that
the created partial dataflow model realizes ηm. We use operational semantics to discuss the data
transfer in each cycle; an alternative method is to view the data processing in each cycle analogous
to applying functional composition.
(A) The internal dataflow of a synthesized controller, due to the sanity check of Condition 1 in
Section 4.3, obeys the following structure (here we omit the logic gates): external input ports ⇒
monitor controllers ⇒ high-level controllers ⇒ resolution actors ⇒ external output ports.
The satisfiability of 2QBF guarantees that for each output variable vout, under any input as-
signment, Resvout cannot receive from two input ports true and false. Therefore, the output value
of Resvout is well-defined, and as Resvout .out 99K vout , the value of vout at the end of a cycle is
either updated to true or to false.
(B, Specification Type 5) For specification ηm which is of type 5 (invariance condition), they are
guaranteed by line 15 of Step 4.
(B, Specification Type 3) In Step 2, the algorithm synthesizes the monitor controller G(χiin ↔
Xiout) ∧ ∧k=0...i−1 Xk¬out and connect the controller to external input ports. The output of the
monitor is connected to an OR-gate, which then connects to the input port (input) of the high-level
controller realizing G(input→ output). The output of the high-level controller is connected to one of
the input ports of Resvout (when %out ≡ ¬vout, a negation actor is inserted in between), which then
produces output to vout.
Our goal is to prove that the composition of these sub-controllers via wiring of ports is a controller
realizing G(φiin → Xi%out). Based on the definition, the synthesized controller realizes G(φiin →
Xi%out), if for all produced ω-words satisfies the property G(φ
i
in → Xi%out), i.e.,
(G) for all j ≥ 0, φiin → Xi%out holds
(→) for all j ≥ 0, if φiin holds then Xi%out holds
(X), proof goal for all j ≥ 0, if φiin holds at time j, then %out holds at j + i
Based on the definition, %out is either vout or ¬vout, where vout is an output variable. Here we
prove only for case where %out ≡ vout; for case %out ≡ ¬vout only a negation actor is introduced and
the proof is similar. For the synthesized controller:
[time j, monitor ] The specification of the monitor contains G(χiin ↔ Xiout). Thus it guarantees
that for all j ≥ 0, if χiin holds (does not hold) at time j, then at j+i, the value of out is computed
to true (false) after executing the monitor.
[time j, OR gate ] All monitors are connected to an OR gate, mimicking the formula structure. It
guarantees that for all j ≥ 0, if φiin holds at time j (due to one of its sub-formula χiin being true
at time j), then output port out of the OR gate is true at j + i (as the port out of the monitor
is true at time j + i, and it is wired to an input of the OR-gate).
Similarly, if φiin does not hold at time j (due to all of its sub-formula χ
i
in being false at time j),
then output port out of the OR gate has value false at j + i (as every port out of the monitor is
false at time j + i, and it is wired to an input of the OR-gate).
[time j + i, high-level controller ] The high-level controller IfTB realizes G(input → output),
which guarantees that at time j + i, if input holds then output holds. As the output port of the
OR-gate is wired to IfTB.input, if φiin holds at time j, then at time j + i IfTB.output is updated
to true, after executing IfTB.
[time j + i, Resvout , proof goal achieved ] At time j + i, whenever a resolution actor Resvout
receives a true from the input, the execution of Resvout produces the true to Resvout .out, thus
for output port vout, it is updated to true at time j + i. As %out ≡ vout, %out holds at time j + i.
(B, Specification Type 4) Proof similar to type 3, by first decomposing the specification formula,
followed by showing that the dataflow guarantees desired behavior.
(B, Specification Type 1) (Informal sketch; to ease understanding) Again the proof follows the struc-
ture of decomposing the specification formula, followed by showing that the dataflow guarantees
desired behavior. As the controller monitoring event φin is connected to the InUB block, to guar-
antee correctness, before observing event φin, InUB should always set output to true. In line 6 of
Step 2, the first i − 1 output of the monitor is false. Therefore, InUB does not change to ”–(–)”
within time 0 to i− 1. From time i onwards, φin is well defined and correctness is guaranteed.
(Formal argument) Here we again consider %out ≡ vout, as the other case (%out ≡ ¬vout) is analogous.
Based on the definition, the synthesized controller realizes %outWφ
i
in, if for all produced ω-words
satisfies the property %0outWφ
i
in ≡ (%0outUφiin) ∨G %0out, i.e., it satisfies (vout Uϕiin) or G vout. We
now consider whether an input sequence makes (ϕiin) holds or not - this condition partitions all input
sequences to two categories, and subsequently, make either left of right part of the disjunction hold:
(∨, left) Assume there ∃j such that ϕiin first holds at j, we prove that an implementation following
the construction guarantees that vout is true from 0 to j − 1, thereby satisfying the strong-until
part (U).
As ϕiin uses consecutive i X operators, although at cycle j the output can no longer produce
output true, as the controller cannot perform clairvoyance over future inputs, it needs to contin-
uously output true until cycle j + i, such that it can decide χiin holds at time j. In other words,
as j is the first time where χiin is true and the controller can only know it at time j + i, the
output should always be true from time 0 to j + i− 1, in order to satisfy the formula.
• From cycle 0 to i − 1, the output is always true. Consider the monitor component. Within
cycle 0 to i − 1, it produces false, due to “∧z=0...i−1 Xz¬out” in realizing the specification
G(χiin ↔ Xiout) ∧
∧
z=0...i−1 X
z¬out. As all monitors are connected to an OR-gate, the
output of produced by the OR-gate is false from cycle 0 to i− 1. As the output of the OR-
gate is connected to InUB which turns “-” only after it receives true, the output of InUB is
true from 0 to i− 1. Thus, vout is updated with value true from 0 to i− 1.
• From time i to j + i − 1, due to “G(χiin ↔ Xiout)” in realizing the specification G(χiin ↔
Xiout) ∧∧z=0...i−1 Xz¬out, as χiin first holds at j, so out first holds at time j + i, meaning
that before time j + i, the monitor produces false. As all monitor produces false before time
j + i, the input to the InUB is false. Thus, the output produced by InUB is true. Therefore,
before time j+ i, vout is always updated with value true, making the strong-until condition
hold.
(∨, right) Assume 6 ∃j such that ϕiin holds at j, we prove that an implementation following the
construction guarantees that vout remains true, thereby satisfying the Global part (G).
• For time 0 to i − 1, the monitor component generates false, due to “∧z=0...i−1 Xz¬out” in
realizing the specification G(χiin ↔ Xiout) ∧
∧
z=0...i−1 X
z¬out.
• For time i onwards, the output of a monitor is governed by whether χiin is true or false. As
6 ∃j such that ϕiin holds at j, and χiin is a formula in the DNF of ϕiin, 6 ∃j such that χiin holds
at j, thus the output of each monitor is always false.
• For InUB, it produces “-” after receiving a true in its input port. Before that, it produces
true in its output port. As InUB never receives input with value true, the generated output
value is always true. Due to the dataflow, vout is always true. Thus Gvout holds.
(B, Specification Type 2) (Informal sketch; to ease understanding) The proof strategy is similar.
Essentially the property can be viewed as Type 3 where the right-hand part of the implication is
replaced/nested by a Type 1 specification. When the triggering of left-hand part (the input part)
appears at time t, based on the formula one needs to “start” the monitor which constitutes the release
part. As “starting a monitor” is not possible, an alternative is to perform proper reset such that it
restart like new. That is, for monitoring release formula χhin, if at time t where the triggering event φin
turns true, let first h output to be false), such that the TrUB.release is not wrongly polluted by the first
h−1 values provided by the release monitor during time t, t+1, . . . , t+h−1. As our monitor is designed
not to take reset signals (this is to facilitate monitor reuse among multiple specifications), one can
alternatively achieve the same effect by the introduction of CΘh , which contains the mechanism to
set consecutive h outputs to be false, whenever its input port set receives value true.
C General Properties for GXW Synthesis
As each individual specification of {P1, P2, P3, P4} is trivially realizable, the reason that lead
to unrealizability is (1) simultaneous true and false demanded by different sub-specifications, (2)
violation of properties over output variables (type P5), which are invariance properties over output
variables. Notice that our method, as it generates structured controller, can also report unknown
when there exists a feedback loop in the constructed system, i.e., when output variables listed in the
release part of P2 create a need for simultaneous reasoning over two or more output variables. It is
only a restriction imposed on the controller structure and is not the reason for unrealizability.
Therefore, as unrealizability of a GXW specification is due to (1) and (2), one can construct a
counter strategy by first constructing a tree which provides input assignments that lead to undesired
states violating (1) or (2), then all tree leaves violating (1) or (2) are connected to a self-looped final
state, in order to accept ω-words created by inputs and outputs. As the input part listed in Table 2
does not involve any output variable, a counter-strategy, if exists, can lead to violation of (1) or (2)
within Ω cycles, where Ω is a number sufficient to let each input part of the sub-specification be true
in a run.
Lemma 1. For GXW specification % → ∧m=1...k ηm, if (a) ρ0out is false for all ηm of type P2 and
(b) no specification of type P5 exists, then if the specification is not realizable, then there exists a
counter-strategy which leads to violation of (1) or (2) in Ω steps, where Ω is bounded by the sum of
(i) the number of specifications k, and (ii) the sum of all i value defined within each φiin of ηm.
(Note) With the constraint where ρ0out is always false, it is impossible to create feedback loops during
the construction, as feedback loops are created due to the connecting output to the monitoring
subsystem which corresponds to the release part of a formula.
Proof. When ρ0out is false for all ηm of type P2, then for type P2 specification, locking the output
to %out and the release of the locking is completely determined by two input events φ
i
in and ϕ
j
in.
Similarly, for specifications of type P1, P3, P4, whether output is locked to %out is decided by φ
i
in.
Consider the simplest case with two specifications τ1 := G(φ
i1
in,1 → Xi1(%out,1 Wϕj1in,1)) and
τ2 := G(φ
i2
in,2 → Xi2(%out,2 Wϕj2in,2)). Let %out,1 be out1 and %out,2 be ¬out1. Thus these two
specifications can lead to conflicts (τ1 demanding out1 to true while τ2 demanding out1 to false).
Consider a finite time window of size (i1 + 1) + (i2 + 1). It is sufficiently large to first (from time
0 to i1) make φ
i1
in,1 true, and subsequently (from time i1 + 1 to i1 + 1 + i2), let φ
i2
in,2 be true. Then
if ϕj1in,1 is always false in between (from time i1 to i1 + 1 + i2), a counter strategy is created within
length (i1 + 1) + (i2 + 1). The overall concept is demonstrated in Figure 9.
φi1in,1 = true φ
i2
in,2 = true
%out,1 = true
ϕj1in,1 = false
i1 i1 + 1 + i20
time (cycle)
Fig. 9. A timeline describing the time windows required to produce conflict at time i1 + 1 + i2.
For the case in Figure 9, the sufficient and necessary condition for producing conflict is to keep
ϕj1in,1 always false from time i1 to i1 + 1 + i2. That is, if within time [i1, i1 + 1 + i2], when the
environment provides a sequence of inputs to make φi2in,2 true, the sequence will also make ϕ
j1
in,1 true,
then it is impossible to create a counter strategy. Similarly, one can reverse the ordering of events
by first making φi2in,2 true followed by making φ
i1
in,1 true; the sufficient and necessary condition for
producing conflict is to keep ϕj2in,2 to false from time i2 to i2 + 1 + i1. In both cases, a time horizon
(i1 + 1) + (i2 + 1) is sufficient to demonstrate the existence of a counter-strategy.
One can also replace τ1 and τ2 by any specification pattern in {P1, P2, P3, P4}, and the bound
(i1 + 1) + (i2 + 1) is still sufficient. Lastly, by generalizing the result to k specifications, we have
derived the bound (i1 + 1) + (i2 + 1) + . . .+ (ik + 1).
Lemma 1 is based on the premise where no specification is of type P5, while input and release
parts in Table 2 are only controlled by input variables. When no constraints are imposed to output
variables due to input events, an implementation can freely select output variable assignments, as it
can neither influence release nor violate properties type P5. Therefore, when checking the existence
of a counter-strategy, there is no need to use quantifier alternation, thereby making the synthesis
problem easier.
Lemma 2. For a GXW specification under constraint of Lemma 1, deciding whether the specification
is realizable is in co-NP.
Proof. (A) We first argue that the construction after Step 1, 2, and 3, whether an input of a resolution
block is to true or false (i.e., not ”–”) is only controlled by input events.
• For specification P3, the high-level controller outputs – once when its input receives a false,
but monitor component only sends true when φiin turns true. Therefore, an input of a resolution
block is to true or false (i.e., not ”–”) only when needed.
• For specification P1, the high-level controller continuously outputs – once when its input receives
a true, and before that, it outputs true. But monitor component only sends true when φiin turns
true, and before that (from 0 to i− 1), the monitor sends false.
• Specification P2 is a combination of P3 and P1.
• For specification P4, the monitor component is connected directly to Resolution Actor; it only
sends true or false when φiin turns true or false and before that (from 0 to i − 1), the monitor
component sends – (dc = true).
(B) Using the result in Lemma 1, one can perform a bounded unroll over the generated actor system
from Step 1, 2, and 3, in order to check if there exists a counter-strategy. This is because for the
construction guarantees (A), therefore, whenever a counter-example is demonstrated, it is completely
due to the sequence of input events. The unroll algorithm is stated in Step 5; it is similar to Step 4,
with the slight variation to encode the initial condition (line 21-23) and to encode the transition of
Ω steps using index 0, . . . , Ω (line 5 for using α to iterate over 0, . . . , Ω).
As for each output variable vout, the existential variable Resvout .A can neither influence release
nor violate properties type P5 (due to the restriction stated in Lemma 1), one can simply set it
to true. Therefore, the constraint system with one quantifier alternation is simplified to checking the
validity of a quantifier-free Boolean formula, or equivalently, checking the existence of an assignment
to make the quantifier-free formula false.
As running one cycle requires time linear to the number of actors and wires, which is bounded
by length of the complete specification formula, deciding whether the specification is unrealizable is
in co-NP.
(C) The result follows the fundamental property of LTL synthesis - an LTL specification is either
realizable or unrealizable. As deciding whether the specification is unrealizable is in co-NP, the dual
problem of whether the specification is realizable can be decided in time co-NP.
(Remark) We can also analyze the number of variables and the number of clauses created in each
unroll. Those numbers are timed with Ω = (i1 + 1) + (i2 + 1) + . . . + (ik + 1) to derive the total
number of variables and clauses.
• For all global input and output ports, they are encoded as variables.
• For each resolution block, it takes at most k inputs, so at most 2k variable is needed (a factor
of 2 is due to the use of –). The output of a resolution block can be syntactically replaced by the
corresponding global output port.
• For each specification ηm:
– Implementing each χiin of φ
i
in uses variables of size i times the number of input variables in
χiin. For type P4, one adds a counter for counting i steps. Thus for ηm, one at most uses
im|Vin|+ log2(im) variables.
– Similar estimation holds as an upperbound for the release part of specification type P2, but
there is a need to add state variable of Θj . Thus a conservative estimation is jm|Vin| + 2 ×
log2(jm).
– A high-level control block uses at most two state variables, and has at most four ports. Each
port is modeled as a variable.
– All input ports of event monitor (for monitoring χiin) can be syntactically replaced by global
input ports. All inputs of a OR-gate can be syntactically replaced by the output port of an
event monitor or global output ports. The output of a OR-gate can be syntactically replaced
by the input port of a high-level block.
Therefore, the total number of variables is bounded by
Ω(|Vin|+ |Vout|+
∑
m=1...k
(2k|Vout|+ (im|Vin|+ log2(im)) + (jm|Vin|+ 2× log2(jm)) + 6))
The number of constraints created in each unroll can be understood by how data is flowed from
source to destination, which follows the ordering (here we omit the logic gates): external input
ports ⇒ monitor controllers ⇒ skeleton controllers ⇒ resolution actors ⇒ external output ports.
Evaluating constraints in single cycle takes time linear to the number of actors, and evaluating
Ω = (i1 + 1) + (i2 + 1) + . . .+ (ik + 1) rounds takes polynomial time. Therefore, given an assignment
over all variables, deciding whether the formula is violated is done in polynomial time.
The following result shows that, the bound is still valid even without the above mentioned restriction.
Lemma 3. For GXW specification %→ ∧m=1...k ηm, if the specification is not realizable, then there
exists a counter-strategy which leads to violation of (1) or (2) in Ω steps, where Ω is bounded by
the sum of (i) the number of specifications k, and (ii) the sum of all i value defined within each φiin
of ηm.
Proof. For general GXW, the effect of enabling output variable to certain value within a given time
point α is not carried to time point α + 1, as no X is bundled with any output variable in the
specification.
We again refer readers to Figure 9. Now, view the control of output variables being governed
by an imaginary SAT solver. In each time point, the produced output assignments should satisfy
invariance properties of P5, while being constrained by the locking condition. When possible, it tries
to produce output assignment that turns ρ0out to true, such that the output is no longer constrained
to %out. For example in Figure 9, starting from time i1, the SAT solver has independently i2 + 1
opportunities to make the release part to true. If it succeeds, then conflict does not appear. Otherwise,
counter strategy is produced latest at time i1 + 1 + i2.
Lemma 4. For a GXW specification, deciding whether the specification is realizable is in PSPACE.
Proof. We check if the specification is not realizable S by the following: non-deterministically provide
input variable assignments for (i1 + 1) + (i2 + 1) + . . . + (ik + 1) times, and check for all output
assignments for (i1 + 1) + (i2 + 1) + . . .+ (ik + 1) rounds, it is possible to violate the specification.
Checking whether it is possible to violate the specification can be done in PSPACE: The process is
similar to the above unroll case, but for each variable vout, instead of setting Resvout .A to true, we
simply let output variable to process (i1 + 1) + (i2 + 1) + . . .+ (ik + 1) different copies, meaning that
one can freely select the value in each round. The total memory used is ((i1 + 1) + (i2 + 1) + . . . +
(ik + 1))|Vout|, which is polynomial to the problem size.
Then given input assignment for (i1 +1)+(i2 +1)+ . . .+(ik+1) rounds, one can use the memory
to check if for all possible output variable assignments of they all unfortunately lead to conflict. If so,
then report that the specification is not realizable. Therefore, deciding whether the specification is
unrealizable is in NPSPACE (non-determinisstic input assignment + PSPACE complexity for checking
if conflict appears).
As NPSPACE = DPSPACE = PSPACE, and an LTL specification is either realizable or unrealizable,
deciding whether the specification is realizable is in PSPACE.
Notice that although the complexity for checking if a GXW specification is realizable is in PSPACE,
the algorithm presented previously only sets every Resvout .A as a constant that does not change over
time. This creates a simpler structure for the implemented controller. Soundness is still guaranteed
by performing an unroll to the above mentioned bound.
Step 5: Generating 2QBF constraints for bounded unroll
Input : LTL specification φ = %→ ∧m=1...k ηm, input variables Vin, output variables Vout, partial
controller implementation S = (Vin, Vout, Act, τ) with unknown parameters, integer unroll
bound Ω
Output: 2QBF constraint (V∃, V∀, Υ ), where V∃ and V∀ are sets of Boolean variables, and Υ is a
quantifier free constraint over variables in V∃ ∪ V∀
1 let Υa, Υg := true;
2 let V∃, V∀ := NewEmptySet();
3 foreach vout ∈ Vout do V∃ := V∃ ∪ {Resvout .A}
4 let Ξ be the evaluation ordering of S ;
5 for α = 0 . . . Ω do
6 foreach ξ ∈ Ξ do
7 if ξ ∈ τ then
/* ξ is w wire; encode biimplication among two ports */
8 Let ξ be (source 99K dest);
9 V∀.add(sourceα);
10 V∀.add(destα);
11 Υa := Υa ∧ (sourceα ↔ destα);
12 else
/* ξ is an actor; encode transition using index α and α+ 1 */
13 V∀.add(GetStateVariable(ξ, α));
14 Υa := Υa ∧ (EncodeTransition(ξ, α))
15 Υa := Υa ∧∧VariableReplace(%, α);
16 for vout ∈ Vout do
17 Υg := Υg ∧ (6 ∃i, j : (Resvout,α.inputi = true) ∧ (Resvout,α.inputj = false));
18 foreach ηm, m = 1 . . . k do
19 p := DetectPattern(ηm);
20 if p ∈ {P5} then Υg := Υg ∧ VariableReplace(ηm, α)
/* Add initial condition, to achieve bounded unroll */
21 foreach ξ ∈ Ξ do
22 if ξ 6∈ τ then
/* ξ is an actor; encode initial state with index 0 */
23 Υa := Υa ∧ (EncodeInitialState(ξ, 0))
24 return (V∃, V∀, Υa → Υg)
