A High-Level LTL Synthesis Format: TLSF v1.1 by Jacobs, Swen et al.
Dimitrova, Piskac (Eds.): Fifth Workshop on
Synthesis (SYNT 2016)
EPTCS 229, 2016, pp. 112–132, doi:10.4204/EPTCS.229.10
c© S. Jacobs, F. Klein & S. Schirmer
This work is licensed under the
Creative Commons Attribution License.
A High-Level LTL Synthesis Format:
TLSF v1.1
Swen Jacobs
Saarland University
Saarbru¨cken, Germany
jacobs@react.uni-saarland.de
Felix Klein
Saarland University
Saarbru¨cken, Germany
klein@react.uni-saarland.de
Sebastian Schirmer
Saarland University
Saarbru¨cken, Germany
s9sescir@stud.uni-saarland.de
We present the Temporal Logic Synthesis Format (TLSF), a high-level format to describe syn-
thesis problems via Linear Temporal Logic (LTL). The format builds upon standard LTL, but
additionally allows to use high-level constructs, such as sets and functions, to provide a compact
and human-readable representation. Furthermore, the format allows to identify parameters of a
specification such that a single description can be used to define a family of problems. Addition-
ally, we present a tool to automatically translate the format into plain LTL, which then can be
used for synthesis by a solver. The tool also allows to adjust parameters of the specification and
to apply standard transformations on the resulting formula.
1 Introduction
The automatic synthesis of reactive systems from formal specifications has been one of the major
challenges of computer science, and an active field of research, since the definition of the problem by
Church [6]. For specifications in linear temporal logic the problem is 2EXPTIME-complete, and a
number of fundamental approaches to solve this problem have been proposed [5, 27, 26], based on a
translation of the specification into a game or an automaton. Recently, there has been a lot of work on
solving synthesis problems more efficiently, either by restricting the specification language [4, 25], or
by a smart exploration of the search space [16, 9, 13, 29, 15, 14].
However, as already noted by Ehlers [8], it has been very hard to compare different synthesis
tools. A major reason for this was the lack of a common language and a benchmark library on which
to compare tools. As a consequence, there has also been a lack of incentive for the development of
efficient implementations of new synthesis approaches.
To some extent, this has changed with the advent of the reactive synthesis competition (SYNT-
COMP) [19, 21], which has been organized in order to encourage the development of mature and
efficient synthesis tools. However, SYNTCOMP thus far was restricted to safety specifications in an
extension of the AIGER format [17], a low-level format that is not suited for writing expressive spec-
ifications by hand. Moreover, AIGER files directly represent a (safety) game, and the translation of a
temporal logic specification to a suitable game (or other intermediate representations) is a non-trivial
part of the synthesis problem that is removed from the picture if we start from an AIGER specification.
In this paper, we introduce the temporal logic synthesis format (TLSF), a high-level format for
the specification of synthesis problems. The goal of TLSF is to create a format that (i) makes it
S. Jacobs, F. Klein & S. Schirmer 113
convenient to write expressive specifications by hand, and at the same time (ii) is easy to support by
synthesis tools.
To achieve the first goal, TLSF allows to define synthesis problems with high-level temporal logic
specifications, and supports a number of additional features. These include user-defined enumeration
types and signal buses, function declarations (including recursion), and the definition of parameters
that allow to easily define parameterized families of synthesis problems.
To achieve the second goal, we define a basic format that is essentially restricted to linear temporal
logic (LTL) without these additional features, and we supply the Synthesis Format Conversion Tool
(SyFCo) that can compile arbitrary TLSF specifications into the basic format. Hence, for synthesis
tools it is sufficient to support the much simpler basic format. Moreover, the SyFCo tool also supports
a number of additional features, including the translation to some existing specification formats like
Promela LTL [1] or PSL [12], and is easily extensible to other formats.
To demonstrate the features of our specification format, we provide a version of the AMBA arbiter
specification in TLSF. In addition to this, a large number of existing benchmarks have already been
converted to TLSF, and can be found in our publicly available repository [2].
TLSF will be used as a high-level format in several new tracks of SYNTCOMP in 2016 [18, 20].
The goal is to develop and maintain a standard format for synthesis from high-level temporal logic
specifications, and to use our repository of benchmarks as a starting point for a growing benchmark
library that will be part of SYNTCOMP. The design decisions that went into TLSF are inspired by the
findings of Schirmer [28], who compared existing synthesis formats and made a first proposal towards
the goals stated above.
Overview. We present the basic version of the Temporal Logic Synthesis Format (TLSF) in Sect. 2.
In Sect. 3 we discuss the intended semantics of a specification, defined in terms of different implemen-
tation models. The full format is introduced in Sect. 4, followed by an illustration of its main features
on an example in Sect. 5. In Sect. 6, we give an overview of the SyFCo Tool. Finally, we discuss
possible extensions of the format in Sect. 7.
2 The Basic Format
A specification in the basic format consists of an INFO section and a MAIN section:
〈info〉〈main〉
2.1 The INFO Section
The INFO section contains the meta data of the specification, like a title and some description1 . Fur-
thermore, it defines the underlying semantics of the specification (Mealy or Moore / standard or strict
implication) and the target model of the synthesized implementation. Detailed information about sup-
ported semantics and targets can be found in Sect. 3. Finally, a comma separated list of tags can be
specified to identify features of the specification, e.g., the restriction to a specific fragment of LTL. A
〈tag〉 can be any string literal and is not restricted to any predefined keywords.
1We use colored verbatim font to identify the syntactic elements of the specification.
114 A High-Level LTL Synthesis Format
INFO {
TITLE: "〈some title〉"
DESCRIPTION: "〈some description〉"
SEMANTICS: 〈semantics〉
TARGET: 〈target〉
TAGS: 〈tag〉, 〈tag〉, . . .
}
2.2 The MAIN Section
The specification is completed by the MAIN section, which contains the partitioning of input and output
signals, followed by the main specification. The specification itself is separated into assumptions on
the environment and desired properties of the system, and can additionally be distinguished into initial
(INITIALLY/PRESET), invariant (REQUIRE/ASSERT), and arbitrary ( ASSUME/GUARANTEE) properties2 .
Multiple declarations and expressions need to be separated by a ’;’.
MAIN {
INPUTS { (〈boolean signal declaration〉;)∗ }
OUTPUTS { (〈boolean signal declaration〉;)∗ }
INITIALLY { (〈basic LTL expression〉;)∗ }
PRESET { (〈basic LTL expression〉;)∗ }
REQUIRE { (〈basic LTL expression〉;)∗ }
ASSERT { (〈basic LTL expression〉;)∗ }
ASSUME { (〈basic LTL expression〉;)∗ }
GUARANTEE { (〈basic LTL expression〉;)∗ }
}
All subsections except INPUTS and OUTPUTS are optional.
2.3 Basic Expressions
A basic expression e is either a boolean signal or a basic LTL expression. Each basic expression has a
corresponding type that is S for boolean signals and T for LTL expressions. Basic expressions can be
composed to larger expressions using operators. An overview over the different types of expressions
and operators is given below.
Boolean Signal Declarations. A signal identifier is represented by a string consisting of lowercase
and uppercase letters (’a’-’z’, ’A’-’Z’), numbers (’0’-’9’), underscores (’_’), primes (’’’), and at-
signs (’@’) and does not start with a number or a prime. Additionally, keywords like X, G or U, as
defined in the rest of this document, are forbidden. An identifier is declared as either an input or an
output signal. We denote the set of declared input signals as I and the set of declared output signals as
O, where I ∩O = /0. Then, a boolean signal declaration simply consists of a signal identifier 〈name〉
from I ∪O.
Basic LTL Expressions. A basic LTL expression conforms to the following grammar, including truth
values, signals, boolean operators and temporal operators. For easy parsing of the basic format, we
2In TLSF v1.0 [22], ASSERT was called INVARIANTS, ASSUME was called ASSUMPTIONS, and GUARANTEE was called
GUARANTEES (and subsections INITIALLY, PRESET, and REQUIRE did not exist). TLSF v1.1 still supports the old identifiers.
S. Jacobs, F. Klein & S. Schirmer 115
require fully parenthesized expressions, as expressed by the first of the following lines:
ϕ ≡ (ϕ ′)
ϕ ′ ≡ true | false | s for s ∈ I ∪O |
!ϕ | ϕ && ϕ | ϕ || ϕ | ϕ -> ϕ | ϕ <-> ϕ
X ϕ | G ϕ | F ϕ | ϕ U ϕ | ϕ R ϕ | ϕ W ϕ
Thus, a basic LTL expression is either true, false, or a signal, or composed from these atomic expres-
sions with boolean operators (negation, conjunction, disjunction, implication, equivalence) and tem-
poral operators (next, globally, eventually, until, release, weak until). The semantics of the boolean
operators are defined in the usual way, and the temporal operators are defined in Appendix A.1.
3 Targets and Semantics
3.1 Targets
The TARGET of the specification defines the implementation model that a solution should adhere to.
Currently supported targets are Mealy automata (Mealy), whose output depends on the current state
and input, and Moore automata (Moore), whose output only depends on the current state. The differ-
entiation is necessary since realizability of a specification depends on the target system model. For
example, every specification that is realizable under Moore semantics is also realizable under Mealy
semantics, but not vice versa. A formal description of both automata models can be found in Ap-
pendix A.2.
3.2 Semantics
The SEMANTICS of the specification defines how the formula was intended to be evaluated, which also
depends on an implementation model. We currently support four different semantics: standard Mealy
semantics (Mealy), standard Moore semantics (Moore), strict Mealy semantics (Mealy, Strict), and
strict Moore semantics (Moore,Strict).
In the following, consider a specification where INITIALLY evaluates to the LTL formula θe,
PRESET evaluates to θs, REQUIRE evaluates to ψe, ASSERT evaluates to ψs, ASSUME evaluates to ϕe,
and GUARANTEE evaluates to ϕs. For specification sections that are not present, the respective formula
is interpreted as true.
Standard semantics. If the semantics is (non-strict) Mealy or Moore, and the TARGET coincides with
the semantics system model, then the specification is interpreted as the formula
θe → (θs∧ (Gψe∧ϕe → Gψs∧ϕs))
in standard LTL semantics (see Appendix A.1). Note that we require that the PRESET property θs
holds whenever the INITIALLY condition θe holds, regardless of other environment assumptions.
Strict semantics. If the semantics is Mealy,Strict or Moore,Strict, and the TARGET coincides
with the semantics system model, then the specification is interpreted under strict implication seman-
tics (as used in the synthesis of GR(1) specifications), which is equivalent to the formula
θe → (θs∧ (ψsW¬ψe)∧ (Gψe∧ϕe → ϕs))
116 A High-Level LTL Synthesis Format
in standard LTL semantics. In this case, we additionally require that the ASSERT property ψs needs to
hold at least as long as the REQUIRE condition ψe holds.
Note that this gives us an easy way to convert a specification with strict semantics into one with
non-strict semantics. For details on strict implication semantics, see Klein and Pnueli [24], as well as
Bloem et al. [4], from which we also take our definition and interpretation of the GR(1) fragment.3
Conversion between system models. If the implementation model of the SEMANTICS differs from
the TARGET of a specification, we use a simple conversion to get a specification that is realizable in
the target system model iff the original specification is realizable in the original system model: a
specification in Moore semantics can be converted into Mealy semantics by prefixing all occurrences
of input atomic propositions with an additional X-operator. Similarly, we can convert from Mealy
semantics to Moore semantics by prefixing outputs with a X-operator.
4 The Full Format
In the full format, a specification consists of three sections: the INFO section, the GLOBAL section and
the MAIN section. The GLOBAL section is optional.
〈info〉[〈global〉]〈main〉
The INFO section is the same as in the basic format, defined in Sect. 2.1. The GLOBAL section can be
used to define parameters, and to bind identifiers to expressions that can be used later in the specifica-
tion. The MAIN section is used as before, but can use extended sets of declarations and expressions.
We define the GLOBAL section in Sect. 4.1, and the changes to the MAIN section compared to
the basic format in Sect. 4.2. The extended set of expressions that can be used in the full format is
introduced in Sect. 4.3, enumerations, extended signal and function declarations in Sect. 4.4 and 4.6,
and additional notation in Sect. 4.7–4.9.
4.1 The GLOBAL Section
The GLOBAL section consists of the PARAMETERS subsection, defining the identifiers that parameterize
the specification, and the DEFINITIONS subsection, that allows to define functions, enumerations and
to bind identifiers to complex expressions. Multiple declarations need to be separated by a ’;’. The
section and its subsections are optional.
GLOBAL {
PARAMETERS {
(〈identifier〉 = 〈numerical expression〉;)∗
}
DEFINITIONS {
((〈function declaration〉 | 〈enum declaration〉 | 〈identifier〉 = 〈expression〉);)∗
}
}
3Note that in the conversion of [4], the formula is strengthened by adding the formula G(Hψe → ψs), where Hϕ is a
Past-LTL formula and denotes that ϕ holds everywhere in the past. However, it is easy to show that our definition of strict
semantics matches the definition of [4]. We prefer this notion, since it avoids the introduction of Past-LTL.
S. Jacobs, F. Klein & S. Schirmer 117
4.2 The MAIN Section
Like in the basic format, the MAIN section contains the partitioning of input and output signals, as
well as the main specification. However, signal declarations can now contain signal buses, and LTL
expressions can use parameters, functions, and identifiers defined in the GLOBAL section.
MAIN {
INPUTS { (〈signal declaration〉;)∗ }
OUTPUTS { (〈signal declaration〉;)∗ }
INITIALLY { (〈LTL expression〉;)∗ }
PRESET { (〈LTL expression〉;)∗ }
REQUIRE { (〈LTL expression〉;)∗ }
ASSERT { (〈LTL expression〉;)∗ }
ASSUME { (〈LTL expression〉;)∗ }
GUARANTEE { (〈LTL expression〉;)∗ }
}
As before, all subsections except INPUTS and OUTPUTS are optional.
4.3 Expressions
An expression e is either a boolean signal, an n-ary signal (called bus), an enumeration type, a numer-
ical expression, a boolean expression, an LTL expression, or a set expression. Each expression has a
corresponding type that is either one of the basic types: S,U,E,N,B,T, or a recursively defined set
type SX for some type X.
As before, an identifier is represented by a string consisting of lowercase and uppercase let-
ters (’a’-’z’, ’A’-’Z’), numbers (’0’-’9’), underscores (’_’), primes (’’’), and at-signs (’@’) and does
not start with a number or a prime. In the full format, identifiers are bound to expressions of differ-
ent type. We denote the respective sets of identifiers by ΓS, ΓU, ΓE, ΓN, ΓB, ΓT, and ΓSX . Finally,
basic expressions can be composed to larger expressions using operators. In the full format, we do
not require fully parenthesized expressions. If an expression is not fully parenthesized, we use the
precedence order given in Table 1. An overview over the all types of expressions and operators is
given below.
Numerical Expressions. A numerical expression eN conforms to the following grammar:
eN ≡ i for i ∈ ΓN | n for n ∈ N | eN + eN | eN - eN | eN * eN | eN / eN | eN % eN
|eSX| | MIN eSN | MAX eSN | SIZEOF s for s ∈ ΓU
Thus, a numerical expression either represents an identifier (bound to a numerical value), a numerical
constant, an addition, a subtraction, a multiplication, an integer division, a modulo operation, the size
of a set, the minimal/maximal value of a set of naturals, or the size (i.e., width) of a bus, respectively.
The semantics are defined in the usual way.
Set Expressions. A set expression eSX , containing elements of type X, conforms to the following
grammar:
eSX ≡ i for i ∈ ΓSX | {eX,eX, . . .,eX} | {eN,eN ..eN } |
eSX (+) eSX | eSX (*) eSX | eSX (\) eSX
118 A High-Level LTL Synthesis Format
Precedence Operator Description Arity Associativity
1
+[·] (SUM[·]) sum
unary
*[·] (PROD[·]) product
|· · ·| (SIZE) size
MIN minimum
MAX maximum
SIZEOF size of a bus
2 * (MUL) multiplication binary left-to-right
3 / (DIV) integer division binary right-to-left
% (MOD) modulo
4 + (PLUS) addition binary left-to-right
- (MINUS) difference
5 (*)[·] (CAP[·]) intersection unary
(+)[·] (CUP[·]) union
6 (\) ((-),SETMINUS) set difference binary right-to-left
7 (*) (CAP) intersection binary left-to-right
8 (+) (CUP) union binary left-to-right
9
== (EQ) equality
binary left-to-right
!= (/=, NEQ) inequality
< (LE) smaller than
<= (LEQ) smaller or equal than
> (GE) greater then
>= (GEG) greater or equal than
10 IN (ELEM, <-) membership binary left-to-right
11
! (NOT) negation
unary
X next
F finally
G globally
&&[·] (AND[·], FORALL[·]) conjunction
||[·] (OR[·], EXISTS[·]) disjunction
12 && (AND) conjunction binary left-to-right
13 || (OR) disjunction binary left-to-right
14 -> (IMPLIES) implication binary right-to-left
<-> (EQUIV) equivalence
15 W weak until binary right-to-left
16 U until binary right-to-left
17 R release binary left-to-right
18
˜
pattern match binary left-to-right
19 : guard binary left-to-right
Table 1: The table lists the precedence, arity and associativity of all expression operators. Also con-
sider the alternative names in brackets which can be used instead of the symbolic representations.
S. Jacobs, F. Klein & S. Schirmer 119
Thus, the expression eSX either represents an identifier (bound to a set of values of type X), an explicit
list of elements of type X, a list of elements specified by a range (for X = N), a union of two sets, an
intersection or a difference, respectively. The semantics of a range expression {x,y..z} are defined
for x < y via:
{n ∈ N | x ≤ n ≤ z∧∃ j. n = x+ j · (y− x)}.
The semantics of all other expressions are defined as usual. Sets contain either positive integers,
boolean expressions, LTL expressions, buses, signals, or other sets of a specific type.
Boolean Expressions. A boolean expression eB conforms to the following grammar:
eB ≡ i for i ∈ ΓB | eX IN eSX | true | false | !eB |
eB && eB | eB || eB | eB -> eB | eB <-> eB |
eN == eN | eN != eN | eN < eN | eN <= eN | eN > eN | eN >= eN
Thus, a boolean expression either represents an identifier (bound to a boolean value), a membership
test, true, false, a negation, a conjunction, a disjunction, an implication, an equivalence, or an equation
between two positive integers (equality, inequality, less than, less or equal than, greater than, greater
or equal than), respectively. The semantics are defined in the usual way. Note that signals are not
allowed in a boolean expression, but only in an LTL expression.
LTL Expressions. An LTL expression ϕ conforms to the same grammar as a boolean expression,
except that it additionally includes signals and temporal operators.
ϕ ≡ . . . | i for i ∈ ΓT | s for s ∈ ΓS | b[eN] for b ∈ ΓU |
b0 == b1 for b j ∈ ΓU and b1− j ∈ ΓE | b0 != b1 for b j ∈ ΓU and b1− j ∈ ΓE |
X ϕ | G ϕ | F ϕ | ϕ U ϕ | ϕ R ϕ | ϕ W ϕ
Thus, an LTL expression additionally can represent an identifier bound to an LTL formula, a signal,
an eN-th signal of a bus, a next operation, a restriction of a bus to a set of enumeration valuations
via equality or inequality, a globally operation, an eventually operation, an until operation, a release
operation, or a weak until operation, respectively. Note that every boolean expression is also an LTL
expression, thus we allow the use of identifiers that are bound to boolean expressions as well. A
formal definition of the semantics of the temporal operators is given in Appendix A.1. The semantics
of expressions involving bus operations is defined in the subsequent sections.
4.4 Enumerations
An enumeration declaration conforms to the following grammar:
enum 〈enumtype〉 =
(
〈identifier〉 : (0 | 1 | *)n(, (0 | 1 | *)n)∗
)+
for some arbitrary but fix positive integer n > 0. As an example consider the enumeration Positions,
which declares the enumeration identifiers LEFT, MIDDLE, RIGHT, and UNDEF as members of ΓE:
enum Position =
LEFT: 100
MIDDLE: 010
120 A High-Level LTL Synthesis Format
RIGHT: 001
UNDEF: 11*, 1*1, *11
We use 0 to identify the absent signal, 1 to identify the present signal and * for either of both. Each
identifier then refers to at least one concrete signal valuation sequence. Multiple values can be denoted
by sequences with a *, as well as by comma separated lists. Furthermore, the identifier of each declared
valuation has to be unique. Not all possible valuations have to be identified.
Enumeration identifiers can only be used in comparisons against buses inside an LTL expression,
where we require that the corresponding bus has the same width as the valuation compared to. It
defines a boolean constraint on the bus, restricting it to the different valuations, bound to the identifier,
e.g., the expressions b == RIGHT and !b[0] && !b[1] && b[2] are semantically equivalent, as
well as b /= UNDEF and !((b[0] && b[1]) || (b[0] && b[2]) || (b[1] && b[2])).
4.5 Signals and Buses
A single signal declaration consists of the name of the signal. As for the basic format, signals are
declared as either input or output signals, denoted by I and O, respectively. A bus declaration addi-
tionally specifies a signal width, i.e., a bus represents a finite set of signals. The signal width is either
given by a numerical value or via an enumeration type.
〈name〉 | 〈name〉[eN] | 〈enumtype〉〈name〉
Semantically, a signal declaration s specifies a signal s∈I∪O, where a bus declaration b[n] specifies
n signals b[0], b[1], . . ., b[n-1], with either b[i]∈ I for all 0≤ i < n, or b[i]∈O for all 0≤ i < n.
A bus specified via an enumeration type has the same width as the valuations of the corresponding
enumeration.
Buses which are declared using an enumeration type, where not all valuations are related to an
identifier4 induce an implicit constraint on the corresponding signals: if the bus corresponds to a set of
input signals, then the global requirement that no other than the defined valuations appear on this bus
is imposed. If it corresponds to a set of output signals, then the equivalent global invariant is imposed.
Finally, note that we use b[i] to access the i-th value of b, i.e., we use the same syntax as for
the declaration itself5. Also note that for the declared signals s, we have s ∈ I ∪O ⊆ ΓS, and for the
declared buses b, we have b ∈ ΓU.
4.6 Function Declarations
As another feature, one can declare (recursive) functions of arbitrary arity inside the DEFINITIONS
section. Functions can be used to define simple macros, but also to generate complex formulas from a
given set of parameters. A declaration of a function of arity n has the form
〈function name〉(〈arg1〉,〈arg2〉, . . .,〈argn〉) = (ec)+,
where 〈arg1〉,〈arg2〉, . . . ,〈argn〉 are fresh identifiers that can only be used inside the sub-expressions ec.
An expression ec conforms to the following grammar:
ec ≡ e | eB : e | eP : e where e ≡ eN | eB | eSX | ϕ
4See e.g. the 000 valuation of the example of Sect. 4.5
5C-Array Syntax Style
S. Jacobs, F. Klein & S. Schirmer 121
Thus, a function can be bound to any expression e, parameterized in its arguments, which additionally
may be guarded by some boolean expression eB, or a pattern match eP. If the regular expression (ec)+
consists of more than one expression ec, then the function binds to the first expression whose guard
evaluates to true (in the order of their declaration). Furthermore, the special guard otherwise can be
used, which evaluates to true if and only if all other guards evaluate to false. Expressions without a
guard are implicitly guarded by true. All sub-expressions ec need to have the same type X. For every
instantiation of a function by given parameters, we view the resulting expression eX as an identifier
in ΓX, bound to the result of the function application.
Pattern Matching. Pattern matches are special guards of the form
eP ≡ ϕ
˜
ϕ ′,
which can be used to describe different behavior depending on the structure of an LTL expression.
Hence, a guard eP evaluates to true if and only if ϕ and ϕ ′ are structurally equivalent, with respect to
their boolean and temporal connectives. Furthermore, identifier names that are used in ϕ ′ need to be
fresh, since every identifier expression that appears in ϕ ′ is bound to the equivalent sub-expression in
ϕ , which is only visible inside the right-hand-side of the guard. Furthermore, to improve readability,
the special identifier _ (wildcard) can be used, which always remains unbound. To clarify this feature,
consider the following function declaration:
fun(f) =
f
˜
a U _: a
otherwise: X f
The function fun gets an LTL formula f as a parameter. If f is an until formula of the form ϕ1U ϕ2,
then fun( f ) binds to ϕ1, otherwise fun( f ) binds to X f .
4.7 Big Operator Notation
It is often useful to express parameterized expressions using “big” operators, e.g., we use Σ to denote
a sum over multiple sub-expressions, Π to denote a product, or ⋃ to denote a union. It is also possible
to use this kind of notion in this specification format. The corresponding syntax looks as follows:
〈op〉[ 〈id0〉IN eSX0,〈id1〉IN eSX1, . . . ,〈idn〉IN eSXn]eX
Let x j be the identifier represented by 〈id j〉 and S j be the set represented by eSX j. Further, let
⊕
be the mathematical operator corresponding to 〈op〉. Then, the above expression corresponds to the
mathematical expression: ⊕
x0∈S0
⊕
x1∈S1
· · ·
⊕
xn∈Sn
(
eX)
Note that 〈id0〉 is already bound in expression eSX1, 〈id1〉 is bound in eSX2, and so forth. The syntax is
supported by every operator 〈op〉 ∈ {+,*,(+),(*),&&,||}.
4.8 Syntactic Sugar
To improve readability, there is additional syntactic sugar, which can be used beside the standard
syntax. Let n and m be numerical expressions, then
122 A High-Level LTL Synthesis Format
• X[n] ϕ denotes a stack of n next operations, e.g.:
X[3] a ≡ X X X a
• F[n:m] ϕ denotes that ϕ holds somewhere between the next n and m steps, e.g.:
F[2:3] a ≡ X X(a || X a)
• G[n:m] ϕ denotes that ϕ holds everywhere between the next n and m steps, e.g.:
G[1:3] a ≡ X(a && X(a && X a))
• 〈op〉[ . . .,n ◦1 〈id〉 ◦2 m,. . .]eX denotes a big operator application, where n ◦1 〈id〉 ◦2 m with
◦1,◦2 ∈ {<,<=} denotes that 〈id〉 ranges from n to m. The inclusion of n and m depends on the
choice of ◦1 and ◦2, respectively. Thus, the notation provides an alternative to membership in
combination with set ranges, e.g.:
&&[0 <= i < n] b[i] ≡ &&[i IN {0,1..n-1}] b[i]
4.9 Comments
It is possible to use C style comments anywhere in the specification, i.e., there are single line comments
initialized by // and multi line comments between /* and */. Multi line comments can be nested.
5 Example: A Decomposed AMBA Arbiter
To get a feeling for the interplay of the aforementioned features, we present a specification of an
arbiter for ARM’s Advanced Microcontroller Bus Architecture (AMBA) [3] in TLSF, decomposed
into multiple components as depicted in Figure 1. Inputs of the system are requests (HBUSREQ)
from masters that want to access the bus, and a ready signal (HREADY) from the clients that the
masters want to talk to. Additionally, each master has a signal for locking the bus (HLOCK), and
different types of locked accesses can be requested (via HBURST). The main output of the system is
the number of the master that currently owns the bus (HMASTER, in a binary encoding), and a signal
for whether the bus is locked (HMASTLOCK). Additionally, there are outputs for the next master that
will get access to the bus (HGRANT, unary encoding).
Our encoding is inspired by existing encodings [23], but also includes some new design aspects
with respect to the decomposition. We only consider the TLSF encoding of the components DECODE,
ENCODE and ARBITER in detail. Encodings of the remaining components can be found in App. A.3.
First, consider the DECODE component, whose encoding is depicted in Figure 3. The component
reads the different values of the HBURST bus and splits them up into separate, mutually exclusive
signals. Clearly, enumerations are perfectly suited to describe such a behavior.
S. Jacobs, F. Klein & S. Schirmer 123
ARBITER
DECIDE
BUSREQ ALLREADY
HBUSREQ0
HBUSREQ1
.
.
.
HBUSREQn−1
HGRANT0
HGRANT1
.
.
.
HGRANTn−1
LOCK
LOCKED
DECIDE
HLOCK0
HLOCK1
.
.
.
HLOCKn−1
HGRANT0
HGRANT1
.
.
.
HGRANTn−1
DECODE INCR
BURST4
SINGLE
HBURST
ENCODE
HMASTERHREADY
H
G
R
A
N
T 0
H
G
R
A
N
T 1
. . .
H
G
R
A
N
T n
−
1
SHIFT
HMASTLOCK
HREADY
LOCKED
TINCR
READY1
H
R
E
A
D
Y
L
O
C
K
E
D
D
E
C
ID
E
IN
C
R
BUSREQ
TBURST4
READY2
H
R
E
A
D
Y
L
O
C
K
E
D
D
E
C
ID
E
B
U
R
ST
4
TSINGLE
READY3
H
R
E
A
D
Y
L
O
C
K
E
D
D
E
C
ID
E
SI
N
G
L
E
AND
HGRANT
HLOCK
HBUSREQ
HMASTLOCK
HMASTER
HBURST
HREADY
Figure 1: Decomposition of the AMBA AHB arbiter.
Next, consider the ARBITER component, granting the bus to the different masters. The compo-
nent selects a new master, whenever all other components completed their tasks (signaled by ALL-
READY). Furthermore, every master requesting the bus is eventually granted access to it, where every
request needs the be held until the access is granted. Additionally, we require that every assignment
of a new master triggers the DECIDE flag, which has to be raised one time step in advance to inform
other components early about the change. Finally, the request signal of the granted bus is mirrored by
124 A High-Level LTL Synthesis Format
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: Arbiter"
SEMANTICS: Mealy
TARGET: Mealy
}
GLOBAL {
PARAMETERS {
n = 2;
}
DEFINITIONS {
// mutual exclusion
mutual(b) =
||[i IN {0, 1 .. (SIZEOF b) - 1}]
&&[j IN {0, 1 .. (SIZEOF b) - 1} (\) {i}]
!(b[i] && b[j]);
}
}
MAIN {
INPUTS {
HBUSREQ[n];
ALLREADY;
}
OUTPUTS {
HGRANT[n];
BUSREQ;
DECIDE;
}
INITIALLY {
// the component is initially idle
ALLREADY;
}
ASSUME {
// the component is not eventually disabled
G F ALLREADY;
}
ASSERT {
// always exactely one master is granted
mutual(HGRANT) && ||[0 <= i < n] HGRANT[i];
// if not ready, the grants stay unchanged
&&[0 <= i < n]
(!ALLREADY -> (X HGRANT[i] <-> HGRANT[i]));
// every request is eventually granted
&&[0 <= i < n]
(HBUSREQ[i] -> F (!HBUSREQ[i] || HGRANT[i]));
// the BUSREQ signal mirrors the HBUSREQ[i]
// signal of the currently granted master i
&&[0 <= i < n]
(HGRANT[i] -> (BUSREQ <-> HBUSREQ[i]));
// taking decisions requires to be idle
!ALLREADY -> !DECIDE;
// granting another master triggers a decision
DECIDE <-> ||[0 <= i < n]
!(X HGRANT[i] <-> HGRANT[i]);
// if there is no request, master 0 is granted
(&&[0 <= i < n] !HBUSREQ[i]) && DECIDE
-> X HGRANT[0];
}
}
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: Encode"
SEMANTICS: Mealy
TARGET: Mealy
}
GLOBAL {
PARAMETERS {
n = 2;
}
DEFINITIONS {
// mutual exclusion
mutual(b) =
||[i IN {0, 1 .. (SIZEOF b) - 1}]
&&[j IN {0, 1 .. (SIZEOF b) - 1} (\) {i}]
!(b[i] && b[j]);
// checks whether a bus encodes the numerical
// value v in binary
value(bus,v) = value’(bus,v,0, SIZEOF bus);
value’(bus,v,i,j) =
i >= j : true
bit(v,i) == 1 : value’(bus,v,i+1,j)
&& bus[i]
otherwise : value’(bus,v,i+1,j)
&& !bus[i];
// returns the i-th bit of the numerical
// value v
bit(v,i) =
i <= 0 : v % 2
otherwise : bit(v/2,i-1);
// discrete logarithm
log2(x) =
x <= 1 : 1
otherwise : 1 + log2(x/2);
}
}
MAIN {
INPUTS {
HREADY;
HGRANT[n];
}
OUTPUTS {
// the output is encoded in binary
HMASTER[log2(n-1)];
}
REQUIRE {
// a every time exactely one grant is high
mutual(HGRANT) && ||[0 <= i < n] HGRANT[i];
}
ASSERT {
// output the binary encoding of i, whenever
// i is granted and HREADY is high
&&[0 <= i < n] (HREADY ->
(X value(HMASTER,i) <-> HGRANT[i]));
// when HREADY is low, the value is copied
!HREADY -> &&[0 <= i < log2(n-1)]
(X HMASTER[i] <-> HMASTER[i]);
}
}
Figure 2: The ARBITER component (left) and the ENCODE component (right) of the decomposed
AMBA AHB arbiter.
S. Jacobs, F. Klein & S. Schirmer 125
the BUSREQ output. The encoding of the component is depicted in Figure 2 on the left. It uses
straightforward formulations of the aforementioned properties in TLSF, which integrate the behavior
informally described above. Note that the whole encoding is parameterized in the number of masters n.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: Decode"
SEMANTICS: Mealy
TARGET: Mealy
}
GLOBAL {
DEFINITIONS {
enum hburst =
Single: 00
Burst4: 10
Incr: 01
}
}
MAIN {
INPUTS {
hburst HBURST;
}
OUTPUTS {
SINGLE;
BURST4;
INCR;
}
ASSERT {
HBURST == Single -> SINGLE;
HBURST == Burst4 -> BURST4;
HBURST == Incr -> INCR;
!(SINGLE && (BURST4 || INCR)) && !(BURST4 && INCR);
}
}
Figure 3: The DECODE component of the decomposed AMBA AHB arbiter.
As our final example, consider the encoding of the ENCODE component depicted on the right
side of Figure 2. The component identifies the master currently holding the bus via a binary number,
encoded logarithmically in the number of masters. Furthermore, the component is only enabled as long
as the HREADY input is high. We observe that the translation from unary to binary can be easily
described using a function mapping the unary values to the corresponding binary ones. Inspecting the
encoding shows that the semantics of the function are derivable straightforwardly from the declaration,
due to the close relation to the equivalent mathematical representation.
The remaining components are included in Appendix A.3.
6 The SyFCo Tool
We created the Synthesis Format Conversion Tool (SyFCo) [2] that can interpret the high level con-
structs of the format and supports transformation of the specification to plain LTL. The tool has been
designed to be modular with respect to the supported output formats and semantics. Furthermore, the
tool can identify and manipulate parameters, targets and semantics of a specification on the fly, and
thus allows comparative studies, as it is for example needed in the reactive synthesis competition.
The main features of the tool can be summarized as follows:
• Evaluation of high level constructs in the full format to reduce full TLSF to basic TLSF.
• Transformation to other existing specification formats, like Promela LTL [1], PSL [12], Un-
beast [7], Wring [30], or SLUGS [11, 10].
• Syntactical analysis of membership in GR(k) for any k, modulo boolean identities6.
• On the fly adjustment of parameters, semantics or targets.
• Preprocessing of the resulting LTL formula, including
6We use the setup of [4] to identify the transition structure and the GR(k) winning condition.
126 A High-Level LTL Synthesis Format
◦ conversion to negation normal form,
◦ replacement of derived operators, and
◦ pushing/pulling next, eventually, or globally operators inwards/outwards.
7 Extensions
The format remains open for further extensions, which allow more fine-grained control over the speci-
fication with respect to a particular synthesis problem. At the time of writing, the following extensions
were under consideration:
• Compositionality: The possibility to separate specifications into multiple components, which
then can be used as building blocks to specify larger components. E.g., it should be possible
to express the whole decomposed specification, as it is depicted in Figure 1 (including the
interconnections), in a single specification file in TLSF.
• Partial Implementations: a specification that is separated into multiple components might also
contain components that are already implemented. Implemented components could be given in
the AIGER format that is already used in SYNTCOMP [17].
• Libraries: Several functions and definitions are often shared between components, e.g., the
function mutual of the example in Sect. 5. Hence, it is more useful to ship them via libraries
instead of redeclaring them each time.
• LTL Fragment Detection: Our tool currently only supports detection of GR(k). We aim to
support the detection of further relevant fragments, like for example Liveness or Safety.
Acknowledgments
We thank Roderick Bloem, Ru¨diger Ehlers, Bernd Finkbeiner, Ayrat Khalimov, Robert Ko¨nighofer, Nir Piter-
man, and Leander Tentrup for comments on TLSF and drafts of this document.
The development of TLSF has been supported by the German Research Foundation (DFG) through project
“Automatic Synthesis of Distributed and Parameterized Systems” (JA 2357/2-1) and by the European Research
Council (ERC) Grant OSARES (No. 683300).
References
[1] Promela Manual Pages (Promela LTL). Available at http://spinroot.com/spin/Man/ltl.html.
[2] Synthesis Format Conversion Tool. Available at https://github.com/reactive-systems/syfco.
[3] ARM Ltd. (1999): AMBA specification (rev. 2). Available at http://www.arm.com.
[4] Roderick Bloem, Barbara Jobstmann, Nir Piterman, Amir Pnueli & Yaniv Sa’ar (2012): Synthesis of
Reactive(1) Designs. J. Comput. Syst. Sci. 78(3), pp. 911–938, doi:10.1016/j.jcss.2011.08.007.
[5] J.R. Bu¨chi & L.H. Landweber (1969): Solving sequential conditions by finite-state strategies. Trans.
Amer. Math. Soc. 138, pp. 295–311, doi:10.2307/1994916.
[6] Alonzo Church (1962): Logic, arithmetic and automata. In: Proceedings of the international congress of
mathematicians, pp. 23–35, doi:10.2307/2270398.
[7] Ru¨diger Ehlers (2010): Unbeast - Symbolic Bounded Synthesis. Available at
https://react.cs.uni-saarland.de/tools/unbeast.
S. Jacobs, F. Klein & S. Schirmer 127
[8] Ru¨diger Ehlers (2011): Experimental Aspects of Synthesis. In: iWIGP, EPTCS 50, pp. 1–16,
doi:10.4204/EPTCS.50.1.
[9] Ru¨diger Ehlers (2012): Symbolic bounded synthesis. Formal Methods in System Design 40(2), pp. 232–
262, doi:10.1007/s10703-011-0137-x.
[10] Ru¨diger Ehlers & Vasumathi Raman (2016): Slugs: Extensible GR(1) Synthesis. In: CAV (2), Lecture
Notes in Computer Science 9780, Springer, pp. 333–339, doi:10.1007/978-3-319-41540-6 18.
[11] Ru¨diger Ehlers, Vasumathi Raman & Cameron Finucane (2013): slugs - SmalL bUt Complete GROne
Synthesizer. Available at https://github.com/VerifiableRobotics/slugs.
[12] Cindy Eisner & Dana Fisman (2006): A Practical Introduction to PSL. Series on Integrated Circuits and
Systems, Springer-Verlag, doi:10.1007/978-0-387-36123-9.
[13] Emmanuel Filiot, Naiyong Jin & Jean-Franc¸ois Raskin (2011): Antichains and compositional
algorithms for LTL synthesis. Formal Methods in System Design 39(3), pp. 261–296,
doi:10.1007/s10703-011-0115-3.
[14] Emmanuel Filiot, Naiyong Jin & Jean-Franc¸ois Raskin (2013): Exploiting structure in LTL synthesis.
STTT 15(5-6), pp. 541–561, doi:10.1007/s10009-012-0222-5.
[15] Bernd Finkbeiner & Swen Jacobs (2012): Lazy Synthesis. In: VMCAI, LNCS 7148, Springer, pp. 219–
234, doi:10.1007/978-3-642-27940-9 15.
[16] Bernd Finkbeiner & Sven Schewe (2013): Bounded synthesis. STTT 15(5-6), pp. 519–539,
doi:10.1007/s10009-012-0228-z.
[17] Swen Jacobs (2014): Extended AIGER Format for Synthesis. CoRR abs/1405.5793. Available at
http://arxiv.org/abs/1405.5793.
[18] Swen Jacobs & Roderick Bloem (2016): The Reactive Synthesis Competition: SYNTCOMP 2016 and
Beyond. In: SYNT, Electronic Proceedings in Theoretical Computer Science 229, Open Publishing Asso-
ciation, pp. 133–148, doi:10.4204/EPTCS.229.11.
[19] Swen Jacobs, Roderick Bloem, Romain Brenguier, Ru¨diger Ehlers, Timotheus Hell, Robert Ko¨nighofer,
Guillermo A. Pe´rez, Jean-Franc¸ois Raskin, Leonid Ryzhyk, Ocan Sankur, Martina Seidl, Leander Ten-
trup & Adam Walker (2016): The First Reactive Synthesis Competition (SYNTCOMP 2014). STTT,
doi:10.1007/s10009-016-0416-3. Published online first, journal issue to appear.
[20] Swen Jacobs, Roderick Bloem, Romain Brenguier, Ayrat Khalimov, Felix Klein, Robert Ko¨nighofer,
Jens Kreber, Alexander Legg, Nina Narodytska, Guillermo A. Pe´rez, Jean-Franc¸ois Raskin, Leonid
Ryzhyk, Ocan Sankur, Martina Seidl, Leander Tentrup & Adam Walker (2016): The 3rd Reactive
Synthesis Competition (SYNTCOMP 2016): Benchmarks, Participants & Results. In: SYNT, Elec-
tronic Proceedings in Theoretical Computer Science 229, Open Publishing Association, pp. 149–177,
doi:10.4204/EPTCS.229.12.
[21] Swen Jacobs, Roderick Bloem, Romain Brenguier, Robert Ko¨nighofer, Guillermo A. Pe´rez, Jean-Franc¸ois
Raskin, Leonid Ryzhyk, Ocan Sankur, Martina Seidl, Leander Tentrup & Adam Walker (2015): The
Second Reactive Synthesis Competition (SYNTCOMP 2015). In: SYNT 2015, EPTCS 202, pp. 27–57,
doi:10.4204/EPTCS.202.4.
[22] Swen Jacobs & Felix Klein (2016): A High-Level LTL Synthesis Format: TLSF v1.0. CoRR
abs/1601.05228. Available at http://arxiv.org/abs/1601.05228.
[23] Barbara Jobstmann (2007): Applications and Optimizations for LTL Synthesis. Ph.D. thesis, Graz Univer-
sity of Technology.
[24] Uri Klein & Amir Pnueli (2010): Revisiting Synthesis of GR(1) Specifications. In: HVC 2010. Revised
Selected Papers, LNCS 6504, Springer, pp. 161–181, doi:10.1007/978-3-642-19583-9 16.
[25] Andreas Morgenstern & Klaus Schneider (2011): A LTL Fragment for GR(1)-Synthesis. In: iWIGP,
EPTCS 50, pp. 33–45, doi:10.4204/EPTCS.50.3.
128 A High-Level LTL Synthesis Format
[26] Amir Pnueli & Roni Rosner (1989): On the Synthesis of a Reactive Module. In: POPL, ACM Press, pp.
179–190, doi:10.1145/75277.75293.
[27] Michael O. Rabin (1969): Decidability of second-order theories and automata on infinite trees. Trans.
Amer. Math. Soc. 141, pp. 1–35, doi:10.1090/S0002-9947-1969-0246760-1.
[28] Sebastian Schirmer (2015): A Specification Format for Reactive Synthesis. Bachelor Thesis. Saarland
University, Computer Science.
[29] Saqib Sohail & Fabio Somenzi (2013): Safety first: a two-stage algorithm for the synthesis of reactive
systems. STTT 15(5-6), pp. 433–454, doi:10.1007/s10009-012-0224-3.
[30] Fabio Somenzi & Roderick Bloem (2000): Efficient Bu¨chi Automata from LTL Formulae. In: CAV, LNCS
1855, Springer, pp. 248–263, doi:10.1007/10722167 21.
S. Jacobs, F. Klein & S. Schirmer 129
A Appendix
A.1 Linear Temporal Logic
Linear Temporal Logic (LTL) is a temporal logic, defined over a finite set of atomic propositions AP.
The syntax of LTL conforms to the following grammar:
ϕ := true | p ∈ AP | ¬ϕ | ϕ ∨ϕ | Xϕ | ϕ U ϕ
The semantics of LTL are defined over infinite words α = α0α1α2 · · · ∈ (2AP)ω . A word α satisfies a
formula ϕ at position i ∈ N:
• α , i  true
• α , i  p iff p ∈ αi
• α , i  ¬ϕ iff α , i 6 ϕ
• α , i  ϕ1∨ϕ2 iff α , i  ϕ1 or α , i  ϕ2
• α , i  Xϕ iff α , i+1  ϕ
• α , i  ϕ1U ϕ2 iff ∃n≥ i. α ,n  ϕ2 and ∀i≤ j < n. α , j  ϕ1
A word α ∈ 2AP satisfies a formula ϕ iff α ,0ϕ . Beside the standard operators, we have the following
derived operators:
• ϕ1∧ϕ2 ≡ ¬(¬ϕ1∨¬ϕ2)
• ϕ1 → ϕ2 ≡ ¬ϕ1∨ϕ2
• ϕ1 ↔ ϕ2 ≡ (ϕ1 → ϕ2)∧ (ϕ2 → ϕ1)
• Fϕ ≡ trueU ϕ
• Gϕ ≡ ¬F¬ϕ
• ϕ1Rϕ2 ≡ ¬(¬ϕ1U ¬ϕ2)
• ϕ1W ϕ2 ≡ (ϕ1U ϕ2)∨Gϕ1
A.2 Mealy and Moore Automata
A Mealy automaton is a tuple Me = (I,O,Q,q0,δ ,λe), where
• I is a finite set of input letters,
• O is a finite set of output letters,
• Q is finite set of states,
• q0 ∈ Q is the initial state,
• δ : Q×I → Q is the transition function, and
• λe : Q×I →O is the output function.
Hence, the output depends on the current state of the automaton and the last input letter.
A Moore automaton is a tuple Mo = (I,O,Q,q0,δ ,λo), where I,O,Q,q0 and δ are defined as for
Mealy automata. However, the output function λo : Q→O determines the current output only on the
current state of the automaton, but not the current input.
130 A High-Level LTL Synthesis Format
A.3 TLFS encoding of Shift, TSingle, TIncr, TBurst4 and Lock
Shift.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: Shift"
SEMANTICS: Mealy
TARGET: Mealy
}
MAIN {
INPUTS { HREADY; LOCKED; }
OUTPUTS { HMASTLOCK; }
ASSERT {
// if HREADY is high, the component copies LOCKED to HMASTLOCK, shifted by one time step
HREADY -> (X HMASTLOCK <-> LOCKED);
// if HREADY is low, the old value of HMASTLOCK is copied
!HREADY -> (X HMASTLOCK <-> HMASTLOCK);
}
}
TSingle.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: TSingle"
SEMANTICS: Mealy
TARGET: Mealy
}
MAIN {
INPUTS { SINGLE; HREADY; LOCKED; DECIDE; }
OUTPUTS { READY3; }
INITIALLY {
// initially no decision is taken
!DECIDE;
}
PRESET {
// at startup, the component is ready
READY3;
}
REQUIRE {
// decisions are only taken if the component is ready
!READY3 -> X !DECIDE;
}
ASSUME {
// a slave cannot block the bus
G F HREADY
}
ASSERT {
// for each single, locked transmission, the bus is locked for one time step
DECIDE ->
X[2] (((SINGLE && LOCKED) -> (!READY3 U (HREADY && !READY3 && X READY3))) &&
(!(SINGLE && LOCKED) -> READY3));
// the component stays ready as long as there is no decision
READY3 && X !DECIDE -> X READY3;
// if there is a decision the component blocks the bus for at least two time steps
READY3 && X DECIDE -> G[1:2] ! READY3;
}
}
S. Jacobs, F. Klein & S. Schirmer 131
TIncr.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: TIncr"
SEMANTICS: Mealy
TARGET: Mealy
}
MAIN {
INPUTS { INCR; HREADY; LOCKED; DECIDE; BUSREQ; }
OUTPUTS { READY1; }
INITIALLY { !DECIDE; }
PRESET { READY1; }
REQUIRE {
// decisions are only taken if the component is ready
!READY1 -> X !DECIDE;
}
ASSUME {
// slaves and masters cannot block the bus
G F HREADY && G F !BUSREQ;
}
ASSERT {
// for each incremental, locked transmission, the bus is locked as long as requested
DECIDE ->
X[2] (((INCR && LOCKED) -> (!READY1 W (HREADY && !BUSREQ))) &&
(!(INCR && LOCKED) -> READY1));
// the component stays ready as long as there is no decision
READY && X !DECIDE -> X READY1;
// if there is a decision the component blocks the bus for at least two time steps
READY1 && X DECIDE -> G[1:2] ! READY1;
}
}
TBurst4.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: TBurst4"
SEMANTICS: Mealy
TARGET: Mealy
}
MAIN {
INPUTS { BURST4; HREADY; LOCKED; DECIDE; }
OUTPUTS { READY2; }
INITIALLY { !DECIDE; }
PRESET { READY2; }
REQUIRE {
// decisions are only taken if the component is ready
!READY2 -> X !DECIDE;
}
ASSUME {
// a slave block the bus
G F HREADY;
}
ASSERT {
// for each burst4, locked transmission, the bus is locked for four time steps
DECIDE ->
X[2] (((BURST4 && LOCKED) -> (!READY2 U (HREADY && !READY2 && X (!READY2 U (HREADY &&
!READY2 && X (!READY2 U (HREADY && !READY2 && X (!READY2 U (HREADY &&
!READY2 && XREADY2))))))))) && (!(BURST4 && LOCKED) -> READY2))
// the component stays ready as long as there is no decision
READY2 && X !DECIDE -> X READY2;
// if there is a decision the component blocks the bus for at least two time steps
READY2 && X DECIDE -> G[1:2] ! READY2;
}
}
132 A High-Level LTL Synthesis Format
Lock.
INFO {
TITLE: "AMBA AHB Arbiter"
DESCRIPTION: "Component: Lock"
SEMANTICS: Mealy
TARGET: Mealy
}
GLOBAL {
PARAMETERS {
n = 2;
}
DEFINITIONS {
// mutual exclusion
mutual(b) =
||[i IN {0, 1 .. (SIZEOF b) - 1}]
&&[j IN {0, 1 .. (SIZEOF b) - 1} (\) {i}]
!(b[i] && b[j]);
}
}
MAIN {
INPUTS {
DECIDE;
HGRANT[n];
HLOCK[n];
}
OUTPUTS {
LOCKED;
}
REQUIRE {
// a every time exactely one grant is high
mutual(HGRANT) && ||[0 <= i < n] HGRANT[i];
}
ASSERT {
// whenever a decicion is taken, the LOCKED signal is updated to
// the HLOCK value of the granted master
&&[0 <= i < n] (DECIDE && X HGRANT[i] -> (X LOCKED <-> X HLOCK[i]));
// otherwise, the value is copied
!DECIDE -> (X LOCKED <-> LOCKED);
}
}
