Revisiting the AMBA AHB bus case study by Filippidis, Ioannis & Murray, Richard M.
Revisiting the AMBA AHB bus case study
Ioannis Filippidis Richard M. Murray
May 12, 2015
Abstract
This report describes a number of changes to the ARM AMBA bus case study from [1]
that lead to significant reduction in synthesis time. In addition, it identifies the reason of
blowup for the synthesized strategies in earlier studies as lack of binary decision diagram (BDD)
reordering during strategy construction. Enabling dynamic BDD reordering with the group
sifting algorithm, we synthesized strategies for as many as 18 masters, with both the original
and revised specifications. This conclusion is based on detailed experimental measurements that
show the changes of BDD sizes over time for the fixpoint and other variables during the nested
fixed point computation, including the cumulative time spent on BDD reordering and the total
number of BDD nodes. The measurements were obtained for eight different cases, allowing to
compare the original with the revised specifications, with strategy reordering enabled or not,
and conjoining the weak fairness guarantees or merging them into a single Büchi automaton.
The revised specification proposed here is expressed using the open Promela language.
Contents
1 Introduction 6
2 Revising the formal specification 8
2.1 A1 vs ARM standard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.2 Weakening A1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
2.3 Proof of weakening . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.4 Updating G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
2.5 A3 becomes trivially true . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.6 Coupling between A1 and G2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.6.1 Coupling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
2.6.2 Modifying A1 to remove the coupling . . . . . . . . . . . . . . . . . . . . . . 13
2.7 Reducing the number of variables modeling the environment . . . . . . . . . . . . . . 15
2.7.1 Substitutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.7.2 Removing array HLOCK . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
2.8 Merging progress guarantees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
2.9 Changes to variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
1
3 Experimental results 18
3.1 Experimental configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
3.1.1 Enabling reordering during strategy construction . . . . . . . . . . . . . . . . 18
3.1.2 Reordering using group sifting . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.1.3 Number of variables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
3.2 Instrumentation of the GR(1) synthesis algorithm . . . . . . . . . . . . . . . . . . . . 20
3.2.1 The different configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.2.2 Measurements for each phase . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
3.3 Observations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.3.1 General . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
3.3.2 Comparison of variants . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.4 Trade-off of counter in state space . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
3.4.1 The two alternatives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
3.4.2 Effect of reordering and memoization . . . . . . . . . . . . . . . . . . . . . . . 25
4 Relevant work 146
A Note on determinism of automata 147
B Revised AMBA AHB specification 148
C Original AMBA AHB specification 151
List of Figures
1 Revising assumption A1. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
2 Automaton for guarantee G2. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
3 Abstraction of interest from the product of Fig. 1a and Fig. 2. . . . . . . . . . . . . 14
4 The form of a single Büchi automaton with one accepting state that is equivalent to
N weak fairness goals. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
5 Total run time vs number of masters for synthesizing an arbiter using the revised
specification, with fairness as a Büchi automaton, and reordering enabled during
strategy construction. These repeated experiments are different runs than those
from which the detailed tracing plots were generated. . . . . . . . . . . . . . . . . . . 26
6 Peak memory consumption for the experiments of Fig. 5 . . . . . . . . . . . . . . . . 27
7 Revised spec with BA and strategy reordering. . . . . . . . . . . . . . . . . . . . . . 28
8 Revised spec with BA but no strategy reordering. . . . . . . . . . . . . . . . . . . . . 29
9 Original spec with BA and strategy reordering. . . . . . . . . . . . . . . . . . . . . . 30
10 Original spec with BA but no strategy reordering. . . . . . . . . . . . . . . . . . . . 31
11 Revised spec with conjunction and strategy reordering. . . . . . . . . . . . . . . . . . 32
12 Revised spec with conjunction but no strategy reordering. . . . . . . . . . . . . . . . 33
13 Original spec with conjunction and strategy reordering. . . . . . . . . . . . . . . . . 34
14 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
15 Revised with BA, w/o divided by w/ reordering. . . . . . . . . . . . . . . . . . . . . 36
16 Original with BA, w/o divided by w/ reordering. . . . . . . . . . . . . . . . . . . . . 37
2
17 Revised with conjunction, w/o divided by w/ reordering. . . . . . . . . . . . . . . . . 38
18 Original with conjunction, w/o divided by w/ reordering. . . . . . . . . . . . . . . . 39
19 Original with conjunction and with reordering, divided by original BA w/o reordering. 40
20 Revised conjunction divided by BA (both with reordering). . . . . . . . . . . . . . . 41
21 Revised conjunction with reordering, divided by BA w/o reordering. . . . . . . . . . 42
22 Revised conjunction divided by BA (both w/o reordering). . . . . . . . . . . . . . . 43
23 Revised conjunction w/o reordering, divided by BA with reordering. . . . . . . . . . 44
24 Original with BA divided by revised with BA (both w/o reordering). . . . . . . . . . 45
25 Original with conjunction divided by revised with conjunction (both with reordering). 46
26 Revised spec with BA and strategy reordering: 2 masters. . . . . . . . . . . . . . . . 47
27 Revised spec with BA and strategy reordering: 3 masters. . . . . . . . . . . . . . . . 48
28 Revised spec with BA and strategy reordering: 4 masters. . . . . . . . . . . . . . . . 49
29 Revised spec with BA and strategy reordering: 5 masters. . . . . . . . . . . . . . . . 50
30 Revised spec with BA and strategy reordering: 6 masters. . . . . . . . . . . . . . . . 51
31 Revised spec with BA and strategy reordering: 7 masters. . . . . . . . . . . . . . . . 52
32 Revised spec with BA and strategy reordering: 8 masters. . . . . . . . . . . . . . . . 53
33 Revised spec with BA and strategy reordering: 9 masters. . . . . . . . . . . . . . . . 54
34 Revised spec with BA and strategy reordering: 10 masters. . . . . . . . . . . . . . . 55
35 Revised spec with BA and strategy reordering: 11 masters. . . . . . . . . . . . . . . 56
36 Revised spec with BA and strategy reordering: 12 masters. . . . . . . . . . . . . . . 57
37 Revised spec with BA and strategy reordering: 13 masters. . . . . . . . . . . . . . . 58
38 Revised spec with BA and strategy reordering: 14 masters. . . . . . . . . . . . . . . 59
39 Revised spec with BA and strategy reordering: 15 masters. . . . . . . . . . . . . . . 60
40 Revised spec with BA and strategy reordering: 16 masters. . . . . . . . . . . . . . . 61
41 Revised spec with BA and strategy reordering: 17 masters. . . . . . . . . . . . . . . 62
42 Revised spec with BA and strategy reordering: 18 masters. . . . . . . . . . . . . . . 63
43 Revised spec with BA and strategy reordering: 19 masters. . . . . . . . . . . . . . . 64
44 Revised spec with BA and strategy reordering: 20 masters. . . . . . . . . . . . . . . 65
45 Revised spec with BA but no strategy reordering: 2 masters. . . . . . . . . . . . . . 66
46 Revised spec with BA but no strategy reordering: 3 masters. . . . . . . . . . . . . . 67
47 Revised spec with BA but no strategy reordering: 4 masters. . . . . . . . . . . . . . 68
48 Revised spec with BA but no strategy reordering: 5 masters. . . . . . . . . . . . . . 69
49 Revised spec with BA but no strategy reordering: 6 masters. . . . . . . . . . . . . . 70
50 Revised spec with BA but no strategy reordering: 7 masters. . . . . . . . . . . . . . 71
51 Revised spec with BA but no strategy reordering: 8 masters. . . . . . . . . . . . . . 72
52 Revised spec with BA but no strategy reordering: 9 masters. . . . . . . . . . . . . . 73
53 Revised spec with BA but no strategy reordering: 10 masters. . . . . . . . . . . . . . 74
54 Revised spec with BA but no strategy reordering: 11 masters. . . . . . . . . . . . . . 75
55 Revised spec with BA but no strategy reordering: 12 masters. . . . . . . . . . . . . . 76
56 Revised spec with BA but no strategy reordering: 13 masters. . . . . . . . . . . . . . 77
57 Revised spec with BA but no strategy reordering: 14 masters. . . . . . . . . . . . . . 78
58 Revised spec with BA but no strategy reordering: 15 masters. . . . . . . . . . . . . . 79
59 Revised spec with BA but no strategy reordering: 16 masters. . . . . . . . . . . . . . 80
60 Revised spec with conjunction and strategy reordering: 2 masters. . . . . . . . . . . 81
61 Revised spec with conjunction and strategy reordering: 3 masters. . . . . . . . . . . 82
62 Revised spec with conjunction and strategy reordering: 4 masters. . . . . . . . . . . 83
3
63 Revised spec with conjunction and strategy reordering: 5 masters. . . . . . . . . . . 84
64 Revised spec with conjunction and strategy reordering: 6 masters. . . . . . . . . . . 85
65 Revised spec with conjunction and strategy reordering: 7 masters. . . . . . . . . . . 86
66 Revised spec with conjunction and strategy reordering: 8 masters. . . . . . . . . . . 87
67 Revised spec with conjunction and strategy reordering: 9 masters. . . . . . . . . . . 88
68 Revised spec with conjunction and strategy reordering: 10 masters. . . . . . . . . . . 89
69 Revised spec with conjunction and strategy reordering: 11 masters. . . . . . . . . . . 90
70 Revised spec with conjunction and strategy reordering: 12 masters. . . . . . . . . . . 91
71 Revised spec with conjunction and strategy reordering: 13 masters. . . . . . . . . . . 92
72 Revised spec with conjunction and strategy reordering: 14 masters. . . . . . . . . . . 93
73 Revised spec with conjunction and strategy reordering: 15 masters. . . . . . . . . . . 94
74 Revised spec with conjunction and strategy reordering: 16 masters. . . . . . . . . . . 95
75 Revised spec with conjunction and strategy reordering: 17 masters. . . . . . . . . . . 96
76 Revised spec with conjunction and strategy reordering: 18 masters. . . . . . . . . . . 97
77 Revised spec with conjunction and strategy reordering: 19 masters. . . . . . . . . . . 98
78 Revised spec with conjunction and strategy reordering: 20 masters. . . . . . . . . . . 99
79 Revised spec with conjunction but no strategy reordering: 2 masters. . . . . . . . . . 100
80 Revised spec with conjunction but no strategy reordering: 3 masters. . . . . . . . . . 101
81 Revised spec with conjunction but no strategy reordering: 4 masters. . . . . . . . . . 102
82 Revised spec with conjunction but no strategy reordering: 5 masters. . . . . . . . . . 103
83 Revised spec with conjunction but no strategy reordering: 6 masters. . . . . . . . . . 104
84 Revised spec with conjunction but no strategy reordering: 7 masters. . . . . . . . . . 105
85 Revised spec with conjunction but no strategy reordering: 8 masters. . . . . . . . . . 106
86 Revised spec with conjunction but no strategy reordering: 9 masters. . . . . . . . . . 107
87 Revised spec with conjunction but no strategy reordering: 10 masters. . . . . . . . . 108
88 Revised spec with conjunction but no strategy reordering: 11 masters. . . . . . . . . 109
89 Original spec with BA and strategy reordering: 2 masters. . . . . . . . . . . . . . . . 110
90 Original spec with BA and strategy reordering: 3 masters. . . . . . . . . . . . . . . . 111
91 Original spec with BA and strategy reordering: 4 masters. . . . . . . . . . . . . . . . 112
92 Original spec with BA and strategy reordering: 5 masters. . . . . . . . . . . . . . . . 113
93 Original spec with BA and strategy reordering: 6 masters. . . . . . . . . . . . . . . . 114
94 Original spec with BA but no strategy reordering: 2 masters. . . . . . . . . . . . . . 115
95 Original spec with BA but no strategy reordering: 3 masters. . . . . . . . . . . . . . 116
96 Original spec with BA but no strategy reordering: 4 masters. . . . . . . . . . . . . . 117
97 Original spec with BA but no strategy reordering: 5 masters. . . . . . . . . . . . . . 118
98 Original spec with BA but no strategy reordering: 6 masters. . . . . . . . . . . . . . 119
99 Original spec with BA but no strategy reordering: 7 masters. . . . . . . . . . . . . . 120
100 Original spec with BA but no strategy reordering: 8 masters. . . . . . . . . . . . . . 121
101 Original spec with conjunction and strategy reordering: 2 masters. . . . . . . . . . . 122
102 Original spec with conjunction and strategy reordering: 3 masters. . . . . . . . . . . 123
103 Original spec with conjunction and strategy reordering: 4 masters. . . . . . . . . . . 124
104 Original spec with conjunction and strategy reordering: 5 masters. . . . . . . . . . . 125
105 Original spec with conjunction and strategy reordering: 6 masters. . . . . . . . . . . 126
106 Original spec with conjunction and strategy reordering: 7 masters. . . . . . . . . . . 127
107 Original spec with conjunction and strategy reordering: 8 masters. . . . . . . . . . . 128
108 Original spec with conjunction and strategy reordering: 9 masters. . . . . . . . . . . 129
4
109 Original spec with conjunction and strategy reordering: 10 masters. . . . . . . . . . 130
110 Original spec with conjunction and strategy reordering: 11 masters. . . . . . . . . . 131
111 Original spec with conjunction and strategy reordering: 12 masters. . . . . . . . . . 132
112 Original spec with conjunction and strategy reordering: 13 masters. . . . . . . . . . 133
113 Original spec with conjunction and strategy reordering: 14 masters. . . . . . . . . . 134
114 Original spec with conjunction and strategy reordering: 15 masters. . . . . . . . . . 135
115 Original spec with conjunction and strategy reordering: 16 masters. . . . . . . . . . 136
116 Original spec with conjunction and strategy reordering: 17 masters. . . . . . . . . . 137
117 Original spec with conjunction and strategy reordering: 18 masters. . . . . . . . . . 138
118 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 2 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
119 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 3 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
120 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 4 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 141
121 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 5 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
122 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 6 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 143
123 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 7 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
124 Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 8 masters. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145
125 Comparison with [1]. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 146
126 Synthesis time for the revised specification using a BA (w/o strategy reordering),
Fig. 45 to Fig. 59, and conjoining liveness goals (using strategy reordering), Fig. 60
to Fig. 78, compared to results from [1, 2]. . . . . . . . . . . . . . . . . . . . . . . . . 146
127 Listing corresponding to formula in text. . . . . . . . . . . . . . . . . . . . . . . . . . 147
5
1 Introduction
The ARM processor Advanced Microcontroller Bus Architecture (AMBA) [3] specifies a number
of different bus protocols. Among them, the Advanced High-performance (AHB) architecture has
been studied extensively in the reactive synthesis [4, 5, 6, 7, 1, 8, 2, 9, 10] and verification [11, 12,
13, 14, 15, 16, 17] literature.
The AHB bus comprises of masters that need to communicate with slaves, and an arbiter that
controls the bus and decides which master is given access to the bus. The arbiter receives requests
from the masters that desire to access the bus, and must reposnd in a weakly fair way. In other
words, every master that keeps uninterruptedly requesting the bus must eventually be granted
access to it. Note that the AMBA technical manual does not specify any requirement on fairness,
but instead leaves that decision to the designer. For automated synthesis, weak fairness is one
possible formalization that ensures servicing of all the masters.
In addition, a master can request that the access be locked. However, the arbiter makes no
promises as to whether a request for the lock will be granted. If the arbiter does lock the access,
then it guarantees to maintain the lock until the request for locking is withdrawn by the master
that currently owns the bus.
A specification for the arbiter appeared in [4] and is presented in detail in [1]. In [2], the authors
formalize also the specifications for masters and slaves connected to the bus. Here, we revise the
specification of [1], and express it in the open Promela language.
The original specification includes some properties that are not in the GR(1) fragment. In [1],
these properties are translated to deterministic Büchi automata, by introducing auxiliary variables
for representing the nodes of the automaton. These variables are added to the problem’s alphabet.
The resulting formulae are much less readable, and not easy to modify and experiment with.
Here, we specify these properties directly as processes (transition systems), with progress states
where needed.
During expression of the specification in the Promela language, there are two possible rep-
resentations of the fairness requirements. In the original specification, fairness is required by a
conjunction of recurrence formulae
N 1^
i=0
	(request [i]! master = i):
It is possible to rewrite this conjunction as a Büchi automaton (BA) with a single accepting state,
which checks each fairness condition, one after the other. The property described by the BA is
equivalent to that described by the conjunction. This change reduces the number of recurrence
goals from N to 1. In the GR(1) synthesis algorithm [18], this reduces the number of fixed point
computations.
An initial motivation for this modification was to obtain a specification parameterized by the
domain of a counter variable (local to the BA process), which avoids the need to regenerate the
specification from an auxiliary script (as has been typically the case in similar studies).
Another motivation was to explore the design space, and the sensitivity of the specification,
by varying the amount of detail that was specified. In particular, we were interested in observing
whether the runtimes improve significantly in case that the order of goals was given and fixed. Note
that the Büchi automaton above does not fix the order that goals have to be satisfied. This variant
was an initial attempt that placed more constraints on the design, to see whether those “hints” to
the synthesizer had a significant effect, or not.
6
This experimentation revealed a notable difference between the two alternatives. When using
a Büchi automaton, there is a single liveness goal. So a single sub-strategy is synthesized for
this goal, and it need not be combined with other sub-strategies, as there are none. In contrast,
when there are multiple liveness goals, the individual sub-strategies need to be combined into a
single one. The process of combining the sub-strategies is disruptive to the BDD variable ordering.
As a result, it is impossible to scale synthesis using a conjunction of liveness guarantees, without
enabling dynamic reordering during the synthesis of the final, monolithic strategy. Reordering
during strategy construction is not necessary, and in fact, if the liveness goals are represented as
BA, then reordering during that final phase of synthesis has a negative effect on runtime. The
trade-off is introducing auxiliary variables (a counter) in the state space that are used to represent
the nodes of the BA. Together with the sequencing of goals that the BA represents, this leads to
longer runtimes, but scales without difficulty to a larger number of masters, without any need for
reordering during strategy construction.
The revised specification is given in Listing 1, where some additional changes involve weakening
the assumptions, and modifying assumption A1. An instance of the original specification is given in
Listing 2. In [1], assumption A1 requires that for locked undefined-length bursts, masters eventually
withdraw their request to access the bus. This assumption is not explicit in the ARM standard, so
we modify it, by requiring that masters withdraw only their request for the lock, not for bus access.
Weakening the assumptions also allowed abstracting the array HLOCK of N lock requests by the
two bits that are only referenced in it. Another difference is that a Mealy game is solved here, and
a Moore in [1].
In Section 2, we describe how the specification was revised, referring to the technical ARM spec-
ification. In Section 3, we present the experiments, measurements, observations, and conclusions
based on the measurements and the GR(1) synthesis algorithm.
Acknowledgments This work was supported in part by the TerraSwarm Research Center, one
of six centers supported by the STARnet phase of the Focus Center Research Program (FCRP) a
Semiconductor Research Corporation program sponsored by MARCO and DARPA.
7
2 Revising the formal specification
Declarative specifications for this case study were presented in [4, 5, 1, 2]. These papers do not
mention the processors used as hardware, so the difference in processor clock speed is unknown, so
the speedups are compared only as absolute time intervals.
We base our specifications on those of [1]. In that case study, each requirement was obtained
either:
• by formalizing the AMBA AHB standard, or
• by adding some desired (e.g., fair arbiter) or auxiliary properties (e.g., auxiliary scheduling
variables start, decide) that are left unspecified in the standard.
When initially formalized in LTL, some of the requirements yield formulae that are not in the
GR(1) fragment. Nonetheless, there do exist deterministic Büchi automata for these particular
properties (the notion of determinism is discussed in Appendix A). The next step in [1] is to
translate these properties to (symbolic) deterministic Büchi automata, whose states are represented
by auxiliary variables that become part of the problem’s alphabet. This translation is not always
trivial.
The translation step can be done either manually or automatically. However, with automatic
translation the user has little control over the form of the determinized automaton. The ability
to modify the automaton itself proves important during development and, especially, while debug-
ging the specification. By changing directly the automaton, one can observe what effects selected
modifications have on realizability, and understand better the problem’s structure.
Another aspect of writing LTL formulae, instead of attempting to express the design intent as an
automaton, is that the former may require nesting of operators, which quickly becomes unmanage-
able. Writing imperatively a Büchi automaton for the same property can prove easier. Moreover,
as the reduction of progress conditions in the AMBA example demonstrates, the availability of im-
perative elements can encourage modifications that significantly reduce the problem’s complexity,
while preserving the required property. For these reasons, describing directly automata can benefit
the synthesis process.
The properties from [1] have been either:
• changed, because they did not correspond to the ARM standard, or
• expressed directly as automata, in case they do not belong to GR(1) (similarly to what was
done in [1] by defining the automata directly in LTL), or
• equivalently expressed as automata, because this allows significant reduction in synthesis time,
or
• reformulated to an equivalent, but syntactically simpler formula, in several cases due to the
availability of array arithmetic, or
• remained unchanged.
The correspondence is noted inline, for example, “G 5” is the guarantee with index 5 in [1]. In
what follows, we consider each specification in incremental order, using the numbering in [1].
8
2.1 A1 vs ARM standard
Consider assumption A1, stating that for locked indefinite duration bursts, the master that controls




HMASTLOCK ^ (HBURST = INCR)! 
	:HBUSREQ [HMASTER] (1)
The ARM standard states that:
• Sec.3.11.2, paragraph 2, p.3-29 and Sec. 3.11.4, p.3-33: A master can lose ownership of the
bus early, because the arbiter decides to limit their access time.
• Sec.3.11.2, paragraph 3, p.3-29 and Sec. 3.11.5, p.3-34: If a master requests both:
1. bus access (by setting HIGH the signal HBUSREQ [i]), and
2. locking of its access (by setting HIGH the signal HLOCK [i])
then: if the arbiter decides to give the bus to the master, and lock the access, then the arbiter
guarantees that it will maintain the lock,
“until the locked sequence has completed”.
The question becomes what “completion” of a locked sequence means. If a sequence has predefined
length (determined by HBURST and some other signals), then the arbiter knows how long the
request will last (G3 addresses this for length-4 locked bursts).
However, for indefinite length bursts, the arbiter does not know a priori when the locked sequence
will terminate. In [1], the “locked sequence” is interpreted as the time interval until the master
who was granted locked access stops requesting bus access. The master withdraws its request for
access by setting HBUSREQ [HMASTER] to false. As a consequence, the progress assumption A1
requires that a master who requested indefinite locked access, eventually withdraw its request to
communicate.
However, it is not clear from the standard whether this behavior is intended. In Table 2-2, entry
HLOCK , p.2-5, it is stated that
“When HIGH, this signal indicates that the master requires locked access to the bus,
and no other master should be granted the bus until this signal is LOW.”
The “until” above suggests that the arbiter can grant the bus to another master, after master j
deasserts the signal HLOCK [j]. This implies that deassertion of HLOCK [j] by the current master
suffices to allow the arbiter to reassign the bus. It does not refer to the signal HBUSREQ [j].
2.2 Weakening A1
Based on the previous note, we can arrive at a weaker assumption, that decouples the:
1. lock requests HLOCK , from the
2. bus access requests HBUSREQ .
9
As soon as a master withdraw its request for locking its access, the arbiter is allowed to assign the
bus to another master. This does not oblige the current master to withdraw its request for bus
access. So the master is free to keep requesting bus access (HBUSREQ), but is obliged to stop
requesting the lock (HLOCK ). In other words, a master is not allowed to lock the bus forever (but
may keep forever requesting access to the bus, without ever lowering HBUSREQ [j], in agreement
with Sec. 3.11.2, paragraph 1, p.3-29 “A bus master …may request the bus during any cycle”).
The modified assumption A1 is
((HMASTLOCK ^ (HBURST = INCR))! 
	:HLOCK [HMASTER]) (2)
Later, we will remove the conjunct (HBURST = INCR), for reasons explained then.
Note that, up to here, this allows the master to stop requesting bus access (LOW HBUSREQ),
but keep requesting the lock (during an indefinite length burst). Sec 3.11.2, paragraph 6, p.3-29
assumes that the master never does this. It is formulated as assumption A3 (Eq. (5)). As commented
later, we remove assumption A3, because it is not necessary for realizability (and simplifying it has
no adverse effect – weakening of assumptions is desirable [19]).
2.3 Proof of weakening
We now prove that the previous change to A1 from Eq. (1) to Eq. (2) weakens the assumptions.
In other words, the modified asssumption Eq. (2) is implied by the assumptions in the original





(HMASTER = i)! (BUSREQ $ HBUSREQ [i]) (3)
= (BUSREQ $ HBUSREQ [HMASTER])

 






HLOCK [i]! HBUSREQ [i]: (5)
Eqs. (3) and (5) imply that
(BUSREQ $ HBUSREQ [HMASTER]) =)
(:BUSREQ ! :HBUSREQ [HMASTER]) Eq: (5)=)
(:BUSREQ ! :HLOCK [HMASTER]):
(6)
By this and Eq. (4), it follows that

 
HMASTLOCK ^ (HBURST = INCR)! 
	:HLOCK [HMASTER]: (7)
This proves that Eq. (2) is implied by the original specification of [1].
2.4 Updating G2
The replacement of HBUSREQ [HMASTER] by HLOCK [HMASTER] in A1 implies that the same
replacement applies to G2 also.
10
2.5 A3 becomes trivially true
The replacement of HBUSREQ [HMASTER] by HLOCK [HMASTER] in A1 allows each master i to
keep HBUSREQ [i] always HIGH. As a result, assumption A3 does not constrain the environment
in a way essential for realizability (since the environment can set HIGH all the elements of array
HBUSREQ forever). Therefore, we drop assumption A3.
2.6 Coupling between A1 and G2
2.6.1 Coupling
In this section, we analyze the dependence of G2 on A1. The conclusion motivates simplifying A1.
An initial (wrong) attempt to express the LTL property A1 in Promela (without using Fig.9(a)
[1]) resulted in the code
assume env proctype withdraw_lock(){
progress:
do
:: lock && (burst == INCR);
do
:: ! master_lockreq; break





We have used master_lockreq in place of HMASTLOCK [HMASTER], for reasons explained later.
This automaton is shown in Fig. 1a
The correct automaton for property A1 is Fig.9(a), and is expressed by the code
assume env proctype withdraw_lock(){
progress0:
do





:: (! master_lockreq) && ! (lock && (burst == INCR));
goto progress0










�� ������������� ����� �����������������
���������������������������






(b) Revised assumption A1 as an automaton.
Figure 1: Revising assumption A1.





The specification with the first automaton as A1 is unrealizable. Using the second automaton,
the specification is realizable.
Consider the first automaton and the automaton for G2, shown in Fig. 2:
assert sys proctype maintain_lock(){
do
:: lock && start && (burst == INCR);
do






Each of them has two states: an “initial” one (outer do), and a “waiting” one (inner do). The
product of the two automata has 4 states, and an abstraction is shown in Fig. 3:
State 0: both automata at the initial states. The system has not yet lost at this state.
State 1: both automata at the “waiting” states. As soon as the environment sets master_lockreq,




�������� ���� ������������� ����� �������� �����������������
�������� �������� �����������������
Figure 2: Automaton for guarantee G2.
(The environment also returns to its initial state).
State 2: the environment at the initial state, and the system at the waiting state. The system
has lost, because the initial A1 state is a progress state, and the environment can keep HBURST
different from INCR, to remain at its initial state. So the environment is not obliged to withdraw
the lock request master_lockreq, leaving the system indefinitely trapped at its waiting state.
State 3: the system at the initial state, and the environment at its waiting state. Note that state
3 is reachable, because the environment can reach its waiting state as soon as lock && (burst == INCR),
whereas the system has to wait until start, and start can be delayed arbitrarily long by the en-
vironment keeping ready LOW (G1).
If the system transitions to its waiting state, but the environment remains at its waiting state,
then state 1 is reached. If the environment transitions to its initial state, but the system remains
at its initial state, then state 0 is reached. These two transitions cause no problems.
The transition that makes the system lose is if the environment returns to its initial state, and
the system transitions to its waiting state, both at the same time. If this happens, then state 2 is
reached, and the system has lost. This transition is possible, only if burst == INCR can hold when
! master_lockreq.
This execution is not possible with the automaton of Fig.9(a), because in order for the environ-
ment to return to progress0 there, it must set both burst != INCR and ! master_lockreq at
the same time. This implies that the environment will return to its initial state, without letting
the system transition from its initial, to its waiting state. So it prevents the transition from state
3 to the losing state 1.
2.6.2 Modifying A1 to remove the coupling
The coupling analyzed previously requires that the original automaton be used for assumption A1
(which can be rewritten, using structured programming constructs). The resulting specification
is more fragile (for example, the initial attempt at manually writing an automaton contained the








Figure 3: Abstraction of interest from the product of Fig. 1a and Fig. 2.
For these reasons, we simplify assumption A1 to
(HMASTLOCK ! 
	:HLOCK [HMASTER]) (8)
Using the replacement bit variable ! master_req, this is equivalent to the (much simpler) automa-
ton





:: ! master_lockreq; break





This automaton is shown in Fig. 1b. Note that the only modification from the erroneous initial
attempt is to remove the conjunct burst == INCR from the guard lock && (burst == INCR).
The modified assumption A1 states that if the current master is granted the lock, then next it
must eventually withdraw the locking request. This assumption is reasonable, because no master
that has been granted locked bus access is entitled to continue requesting the lock indefinitely.
Moreover, it decouples the type of burst from the lock requests.
14
2.7 Reducing the number of variables modeling the environment
2.7.1 Substitutions
Earlier, we used master_lockreq in place of HLOCK [HMASTER]. The reason is that assumption
A3 does not constrain HLOCK any more (and was dropped, as explained earlier), so each bit in
the array HLOCK can take any value in its domain (no constraint). Therefore, it is not significant
which bit this is, so HMASTER can be removed, abstracting the value HLOCK [HMASTER] by a
single environment bit master_lockreq.
This implies the same replacement, of HLOCK [HMASTER] by the bit master_lockreq, also
in G2.
The only remaining use of array HLOCK is in G7. Using arrays, the guarantee G7 can be
expressed as
[] ( decide -> (lockmemo' <-> HLOCK[grant']) )
We observe that HLOCK[grant'] above is again an element of the array HLOCK . Before re-
placement with bit master_lockreq, the only constraint on HLOCK was A1. A1 required that
HLOCK [HMASTER] eventually become LOW, if locked access is granted.
In general, grant' will be a master different than the current (so as to serve all masters),
therefore HLOCK[grant'] takes values independently of HLOCK [HMASTER]. So we abstract
HLOCK[grant'] by a single environment bit grantee_lockreq. The bit grantee_lockreq repre-
sents the lock request of that master that is selected as the next grantee. The values of grantee_lockreq
are not constrained in any way.
The initial condition assumption A4 implies that master_lockreq and grantee_lockreq must
be false initially.
2.7.2 Removing array HLOCK
The replacements:
1. HLOCK [HMASTER] by the single bit master_lockreq, and of
2. HLOCK [HGRANT [i]0] by the single bit grantee_lockreq
weaken the assumptions. Therefore, they are desirable.
After these replacements, the array HLOCK does not appear in any guarantee or assumption
(except the initial condition A4). Therefore, the array HLOCK can now be removed.
In the best case (N = 16 masters), the replacement of the bit array HLOCK by the 2 bits
master_lockreq and grantee_lockreq resulting in a reduction by 16 - 2 = 14 bits. So it reduces
by 28 (14 unprimed and 14 primed copies) the number of environment variables in the binary
decision diagram (BDD). This reduction is significant, because environment variables are universally
quantified, leading to an exponential increase in the number of possible next inputs. This reduction
reduced synthesis time.
Instead of 32 possible next environment valuations for HLOCK , this replacement reduces them










Figure 4: The form of a single Büchi automaton with one accepting state that is equivalent to N
weak fairness goals.
2.8 Merging progress guarantees
The second significant change was the merging of the N weak fairness guarantees in G9:
N 1^
i=0
	(HBUSREQ [i]! (HMASTER = i)) (9)
into an equivalent Büchi automaton with a single progress state. This reduces the N inner fixed
point computations in the GR(1) synthesis algorithm, to only a single fixed point computation. As
a result, the number of masters N does not increase any more the number of progress goals that
the system must satisfy.
The Büchi automaton used is
/* G9: weak fairness */
assert active proctype fairness(){
int(0, N) count;
do
:: ! request[count] || (master == count);
if
:: (count < N) && (count' == count + 1)






This automaton is equivalent with the conjunction of weak fairness guarantees, because it
16
• “looks” at each one of them in turn,
• waits until that progress requirement is satisfied (! request[count] || (master == count))
• then increments the counter count and waits for the next fairness guarantee to be satisfied,
until it reaches the last fairness guarantee. At this point it has completed a round of each fairness
guarantee being satisfied, so it visits the progress state, and starts a new round. The structure of
the automaton (after unfolding of the program graph) is shown in Fig. 4.












HBUSREQ [1]! (HMASTER = 1) ^ : : :! (10)
This demonstrates the merits of using a language that allows directly writing sequential com-
position. Note that this automaton does not constrain in any way the order in which the arbiter
chooses masters to grant the bus. In other words, it does not restrict the master to using a particular
priority for choosing masters.
Note that, after all these changes, the result is a fully parameterized program, where one need
only change a single preprocessor definition (#define N 15), in order to define a different number
of masters in the bus.
2.9 Changes to variables
Note that we use an integer variable to model the HGRANT signal. This conforms to the standard,
because the standard requires that exactly one HGRANTi bit be true at a time. So we reduce
the number of BDD variables by a factor exponential in the number of masters. The synthesized





The experiments were performed with the open Promela compiler [20] and the Slugs GR(1)
synthesizer as back-end [21]. The hardware used has:
1. Intel(R) Xeon® X5550 processing core
2. runs Ubuntu 14.04.1
3. 11 GB RAM (3 experiments in the last batch were run after an upgrade to 27GB RAM).
The modifiable parameters are listed in the table below. The parameters that are fixed are
assigned values in the table. The remaining parameters vary over the experiments. The number of
variables varies by the size of the masters, and is given for the different specifications in Fig. 7 to
Fig. 14.
In addition, there are two versions of the specification: the original from [1], and the revised one
proposed here. The original specification is obtained by translating to Python the Perl generator
script for AMBA specifications that is distributed on the Anzu homepage. The new generator
produces the same specifications, but in open Promela syntax (as ltl blocks for assumptions and
assertions). For each specification, there are two equivalent variants that we evaluate: conjoining
the fairness formulae, or merging them into a single Büchi automaton.
In the experiments, we are interested in the effect of the following parameters: strategy reorder-
ing, machine (memory, CPU frequency), conjunction vs BA, original vs revised AMBA specification,
initial variable ordering.
3.1.1 Enabling reordering during strategy construction
In all experiments, reordering is enabled during realizability. Checking realizability without re-
ordering causes a memory blowup very fast, going from 309K BDD nodes in the strategy for 2
masters, to 1.8M BDD nodes for 3 masters. For comparison, when dynamic reordering during
realizability is enabled, in the worst case1, the strategy BDD for 2 masters has about 20K nodes,
and about 200K nodes for 3 masters.
In Slugs, reordering during strategy construction is disabled by default. Enabling reordering
during this second phase proved the enabling factor for scalable synthesis of the AMBA case study
when the (weak) fairness guarantees are conjoined. In contrast, the revised specification with the
fairness requirements represented as a single Büchi automaton does not require that reordering be
enabled during construction of the strategy.
The price is longer runtimes. Nonetheless, when strategy reordering is deactivated, the runtimes
using a BA do not scale as quickly as memory does when using a conjunction of fairness formulae.
Without reordering during strategy construction, the shared BDD quickly blows up, for both the
original and revised specifications, as shown in Fig. 123 and Fig. 84, respectively.
Note that in experiments with the same specification, the realizability phase has the same
parameters, independently of whether the strategy is constructed with reordering enabled or not.
Typically, realizability terminates, whereas construction of a strategy can cause a memory blowup
1The worst case in terms of strategy size blowup is the original spec with reordering disabled during strategy
construction.
18







reorder during strategy construction varies
number of variables varies
universal branching (number of env vars) varies
initial var order natural order (1, 2, 10, …)
or time out, limiting the number of masters for which we could synthesize an arbiter, for certain
combinations of specification with parameters.
3.1.2 Reordering using group sifting
Rudell’s sifting [22] is the reordering algorithm used by Slugs. After experiments with different
reordering algorithms, group sifting [23] was found as the algorithm that produces the best results
for this case study. Group siting is an extension of sifting that automatically detects affinity between
variables, and creates temporary groups. Grouped variables are shifted together during swaps of
levels. This can improve the results by avoiding a situation where shifting one of the two tightly
coupled variables finds no better place, because the other variable is “pulling it back” (known as
rubber-band effect), and the same happening to the second variable results in no overall change.
In contrast, moving both variables together enables finding a better position for both of them.
3.1.3 Number of variables
Original vs revised specification The number of variables differs between the original and
revised specifications. It also differs for each variant of these specifications. In the original specifi-
cation, the number of variables grows faster with the number of masters, than it does in the revised
one. The reasons are:
• The use of one lock request bit for each master. The lock requests have been abstracted by
using two bits, without any conflict with the requirements described in the AMBA technical
manual [3]. This change leads to N 2 fewer environment variables, where N is the number of
masters. It is a significant gain, because not only does it reduce the state space size, but also
the degree of universal branching (at each state, the environment has fewer “next moves”).
• The one-hot encoding of the system variables “master” and “grantee” in the original spec-
ification. In the revised specification, these variables are encoded as bitvectors. The two
formulations are equivalent. As a result, in the revised specification, the number of system
variables increases only when the number of masters reaches boundaries of powers of 2. The
effect is reduction of state space size.
19





Conjunction of fairness with slow fastw/o memory blowup memory blowup
Büchi automaton with very slow ok (slower)w/o slow ok
Fig. 7 to Fig. 14 show how the number of variables scales for the original and revised specificantion
variants considered.
Conjunction vs Büchi automaton The number of variable differs also between a specification
that includes fairness in the form of conjoined recurrence formulae, and as a Büchi automaton. The
representation of a Büchi automaton requires introducing an auxiliary bitvector for representing the
current node of the automaton. This is also discussed later, in the section Section 3.4 analyzing the
trade-off of using a BA, instead of handling weak fairness at the level of the strategy construction
algorithm.
Note that when using a BA in the original specification, there is one extra fairness guarantee
from one of the automata (Eq.G2.4 in [1]. This results in one extra point in the “combined strategy”
plots. The number of points in a “combined strategy” plot is equal to the number of recurrence goals
in the game, plus one (the initial point). This guarantee is not present in the revised specification,
because it describes a safety property that can be represented by a process without progress states.
Optimizing away unused auxiliary variables Note that if the processes of a player do not
include any atomic blocks, then no auxiliary variables are added for requesting and granting atomic
execution of processes. In the specification of the AMBA arbiter used here, no atomic blocks are
necessary, so the auxiliary variables ex s and pms are not used, thus the compiler does not define
them. This avoids unnecessarily increasing the number of states.
3.2 Instrumentation of the GR(1) synthesis algorithm
3.2.1 The different configurations
The experiments were performed for 8 different combinations: original and revised specification,
using conjunction or a BA, and with strategy reordering enabled and disabled. An overview of the
results is shown in Table 2, and in detail in Fig. 26 to Fig. 124.
3.2.2 Measurements for each phase
The measurements were obtained by inserting in Slugs statements that print the information and
dumping this output to a log file. The most relevant set of changes can be found in a fork of Slugs
on github. There are three distinct phases of computation:
1. Fixed-point iteration that decides realizability and stores the interant sets X;Y; Z.
20
2. Construction of individual strategies, one for each recurrence goal.
3. Combination of the individual strategies into a single one that iterates through them.
Each phase involves different quantities to be measured, so it is instrumented slightly differently.
The realizability phase involves three nested iterations, each one computing a fixed point. The
three variables are X;Y; Z, and at a high level, the iteration has the structure of the following
-calculus formula Z:Y:X. So X;Z are greatest fixed points and Y is a least fixed point.
Moreover, X is in the innermost loop, so it is the most frequently updated variable, with variable
Y less frequently updated, and variable Z the least frequently updated one.
Each one of the variables X;Y; Z represents a set symbolically, by reference to a BDD in the
shared BDD managed by Cudd. Therefore, the size of these variables can be quantified as the
number of BDD nodes in the referenced BDD. This number is obtained by calling the function
Cudd_DagSize.
In addition, the total number of nodes in the shared BDD is recorded with Cudd_ReadNodeCount.
The total size of the shared BDD corresponds to the current memory use of Cudd (though they are
not identical entities). Reordering is triggered based on growth of the shared BDD, as measured
by its number of nodes. The total number of nodes also quantifies the randomness with which new
nodes have been added [24], and so how inefficiently representable the intermediate results of the
fixed point computation are, compared to the final result (that is typically much smaller, as has
been observed in the literature [25]).
Plotting the sizes of the variablesX;Y; Z provides a view into the fixed-point iteration. However,
it is difficult or impossible to tell when a loop starts of ends, by only inspecting how X;Y and Z
change. For this reason, the indices of the:
1. current recurrence assumption, and
2. current recurrence guarantee
are also recorded. Finally, the total runtime is measured with the function gettimeofday from
sys/time.h, and the time spent reordering so far is measured with the function Cudd_ReadReorderingTime.
The remaining measurements are taken during construction of the strategy. During construction
of the individual strategies, the quantities recorded are the total time, reordering time so far, goal
pursued by the strategy under construction, the total number of nodes in the shared BDD, the
number of nodes in the BDD of the current strategy, as well as the number of BDD nodes in the
sets of new and accumulated states.
The final phase combines the individual strategies into a single one. Besides the total and
reordering time, the goal whose strategy is currently combined in the overall strategy, the total
BDD nodes, and the nodes in the combined strategy (so far) are recorded.
3.3 Observations
3.3.1 General
The figures can be understood as follows. There are two sets of figures:
1. the top four figures extend through the whole computation, whereas
2. the bottom three figures contain more details for each of the individual phases.
21
In most runs, reordering takes a high, to very high, percentage of the total runtime. A sense
of this ratio can be obtained visually by comparing the bisector in2 Fig. 26-(i) (dotted) to the
cumulative reordering time (solid line). The final values of each run are collected in Fig. 7 to
Fig. 14.
The periods of constancy of the reordering curve correspond to BDD computations. The high-
lighted period corresponds to the construction of individual strategies.
Fig. 26-(ii) shows the goal that is currently pursued during realizability, and the goal whose
strategy is currently being constructed during the individual strategy construction phase. For the
revised specification, there is only a single recurrence goal, so this curve is constant. For the original
specification, the successive goals appear as increments.
Fig. 26-(iii) shows the recurrence assumption that is currently being considered during the fixed-
point computation of Y . For every iteration of the middle fixed-point Y , the computation takes a
disjunction over all assumption, which results in fast cycling in the plot.
The total number of nodes in the shared BDD is shown in Fig. 26-(iv). We can identify the
following features that correspond to the computation. Initially, the total number of nodes grows
slowly, and several reorderings occur (flat or slightly decreasing periods). These are triggered by
the initial exploration of the state space. The new states added to the BDD trigger changes to the
variable ordering, which tends to “adapt” to the sets that need to be represented.
After the first outer fixed point is completed, the stored iterants (X;Y over the inner iterations,
to be used for constructing the strategies in the final fixed-point iteration) are deleted, if a fixed-
point was not reached in the current iteration. This dereferencing appears as abrupt reductions of
the number of nodes to almost zero (forming “teeth”). So each such reduction corresponds to one
iteration of the Z greatest fixed-point.
During construction of the strategy, the number of nodes increases monotonically, if no reorder-
ing is enabled. If reordering is enabled in the strategy construction phase, then the number of
nodes may be observed to decrease, and in those cases, its rate of growth is always limited (with
the trade-off of long interruptions for reordering). Note that the allocated memory never decreases,
because Cudd does not release memory, even when nodes are deleted.
In some total node count plots, a dashed line is visible, starting from the end of the highlighted
period. This corresponds to the time between the completion of individual strategy construction,
and the first iteration of combining strategies. It is included, because reordering during that period
can defer the initial iteration of constructing the combined strategy.
In the second set of figures, Fig. 26-(v) shows the sizes of the fixed-point variables X;Y; Z. We
can observe that X;Y are quite similar in size. This is expected, because Y is assigned the union of
X over the recurrence assumptions (and there are only two recurrence assumptions). The variable
Z exhibits more interesting behavior. In the initial iteration, Z is always 1 (>), by definition. Its
size changes in the following iterations, remaining constant in each one of those iterations. As a
result, the curve of variable Z indicates the successive loops of the outer fixed-point iteration. We
can also observe “humps” of X;Y during the intermediate results of each outer iteration. Note that
these humps of X;Y , and steps of Z correspond to the teeth in Fig. 26-(vi).
Fig. 26-(vi) shows the BDD size of the strategies for the individual goals, as they are being
constructed. It also shows the number of accumulated and new states. It is interesting that these
curves are typically close to constant. Another observation is that, in most cases, this phase is brief,
unless reordering is triggered. When strategy reordering is disabled, this phase is always of short
duration.
2Counting over the graphics within each subfigure proceeds from top to bottom.
22
Finally, the size of the cumulative strategy as the individual ones are being combined is shown in
Fig. 26-(vii). Note that in the revised specification, when using a BA, there is only one recurrence
goal, so only a single point in this plot (there is only a single sub-strategy, so not multiple ones to
be combined). In cases without reordering and with conjunction, the rapid growth of the combined
strategy can be observed in this plot. Another observed feature is the triggering of reordering
during this last phase, and that if triggered, reordering takes most of the time in this phase.
Fig. 7 to Fig. 14 summarize the previous measurements over the number of masters, per ex-
perimental configuration. The top plot shows how the numbers of variables change. The number
of variables determines the size of the state space, and this is a difference between specification
variants. The number of environment variables gives an upper bound on the amount of universal
branching in a problem.
The second plot summarizes the total number of nodes in the shared BDD, and the size of the
synthesized strategies. This is a measure of how larger the intermediate BDDs are from the desired
result.
The third and fourth plots show how total, realizability, and reordering times scale with the
number of masters, and how they compare to each other.
Fig. 15 to Fig. 25 are the most interesting, and compactly represent the conclusions from the all
the experiments. The show ratios of quantities between different selected pairs of configurations,
those that we think are the most interesting and useful.
3.3.2 Comparison of variants
From the measurements, we observe that
• The revised specification is orders of magnitude better than the original, as seen in Figs. 24
and 25.
• Using a Büchi automaton, reordering during strategy construction is not needed, and unde-
sired, as seen in Figs. 15 and 16.
• Using conjunction of fairness goals, reordering is necessary, as seen in Figs. 17 and 18.
• Conjunction with reordering is clearly better than the BA, by about an order of magnitude,
as seen in Figs. 19 to 21.
• Using a Büchi automaton is clearly better than conjunction without reordering, by several
orders of magnitude, as seen in Figs. 22 and 23. In absence of strategy reordering, only the
BA scales.
3.4 Trade-off of counter in state space
In the following, by realizability phase, we refer to the fixed-point computation that stratifies the
set of states to produce the layers that comprise the attractors [18, 26]. This phase stores these
sets in memory as an array of BDD nodes. By construction phase, we refer to the construction
of a strategy that satisfies the original specification, using the layers produced by the realizability
phase. So the realizability phase precedes the construction phase.
23
3.4.1 The two alternatives
In this section, we evaluate the two (equivalent) alternatives for representing liveness goals:
1. as a conjunction of the form 	p0 ^	p1 ^   	pN 1
2. as a single Büchi automaton with the structure shown in Fig. 4.
Representing the Büchi automaton augments the system state by the integer counter that describes
the current node. This counter is linear in the number of fairness guarantees.
Conjoining multiple fairness goals leads to the construction of a sub-trategy for each goal. In
order to obtain the overall strategy, these sub-strategies are combined, using a counter to keep track
of the currently active sub-strategy. This other counter comprises the transducer’s memory.
Note that both counters have the same range. In the final strategy, both counters appear as
BDD variables. The difference is that the first counter is present during the attractor computations
(realizability phase), whereas the second is introduced only at the end (strategy construction phase).
This means that using a Büchi automaton shifts the transducer memory from the construction,
to the realizability phase. As a result, the state space of the game is multiplied by a factor of k,
the number of fairness goals. In the experiments presented here, the default implementation of
the synthesis algorithm in Slugs was used. In the worst case, the time complexity increases by a
factor O(k3), measured in number of symbolic controllable preimage computations. An improved
implementation employing fixpoint memoization [27, 1] is available as a Slugs option, but was not
used. The improved implementation would be affected by a factor of O(k2).
Nonetheless, an improvement is observed, because synthesis remains scalable, even without
reordering during the construction phase. This can be understood by considering three effects.
Including the counter in the state space encodes the problem symbolically, instead of explicitly.
It avoids the combination of individual strategies later, which is an enumerated procedure that
iterates over the transducer’s memory (the counter introduced during the construction phase). The
number of sub-strategies to disjoin increases linearly with the number of liveness goals. This can
affect the suitability of the variable order significantly, and it does. The measurements indicate
an exponential growth of the total number of nodes in the shared BDD, as the number of masters
grows.
The second effect is the reduction of intermediate results [25] of BDD computations. As has
been observed in the literature [24], unstructured breadth-first search of the state space creates
intermediate sets that have “a lot of ad hoc detail”. For a fixed variable ordering, this semi-random
detail decreases the likelihood of these intermediate sets being efficiently representable as BDDs. As
described in [24], an interesting analog is the entropy of random strings in information theory. The
Büchi automaton introduces structure in the state space that is relevant to the fairness constraints.
The third effect is the abruptness of changes to how far from optimal the current order is. The
experimental results suggest that disjoining individual strategies at the end is disruptive to the
variable ordering, necessitating reordering to avoid BDD blowup. In contrast, shifting the counter
to the state space allows the order to adapt over a longer number of iterations, while the BDD is
changing less abruptly (i.e., during the attractor computations).
Another effect is the reduction of size of the goal set. This can lead to a simpler BDD for the Z
variable in the fixed-point computation. It is observed as small BDD size for Z for a specification
that uses a Büchi automaton. For example, in Fig. 26 to Fig. 57 Z is much smaller than X and
Y . In contrast, a conjunction of recurrence formulae leads to large Z values, much larger in many
cases than the variables X;Y . This difference can be seen in Fig. 60 to Fig. 88.
24
3.4.2 Effect of reordering and memoization
In most cases, 65%„ or more, of the total runtime is spent reordering the shared BDD. A similar
observation has been made in [1]. Therefore, reordering is a controling factor of overall runtime.
Reordering by sifting considers all BDDs in a “neighborhood” of the BDD being reordered. This
allows it to cross boundaries between basins of attraction associated with different local minima.
However, it also makes sifting (and reordering in general) quite sensitive to the details of in-
termediate results during the fixed-point computation. In turn, these intermediate results can
depend on the order that individual goals are visited, as well as variations in the encoding, e.g., of
a program graph by integers. Overall, these variations can cause reordering to “touch” expensive
neighborhoods, resulting in significant runtime outliers being observed. The sensitivity of BDD
computations is a common observation in the symbolic model checking literature [25].
This effect can be further amplified by the cache, where results are memoized (mapping ar-
guments to results of the operation being performed). As more memory is required, results are
overwritten, causing regeneration, thus deviating from the practically bilinear cost of BDD opera-
tions, to the worst-case exponential [28], Programmer’s Guide.
Configuring Cudd memory limit Initially, fragile behavior was observed with Cudd. This was
due to the maximum memory limit of Cudd that by default3 is set to 3GB in Slugs. Increasing
this limit to that available on the machine resulted in improved performance, and very significantly
reduced fragile behavior. This limit can be set with the function Cudd_SetMaxCacheHard. A
relevant suggestion can be found in the Cudd Programmer’s manual, Sec. “Modifiable parameters”.
Effect of initial order Another factor that introduced significant variability and adversely af-
fected runtime was the initial order of variables. In the initial implementation, the initial order
of variables was not controlled. The result was semi-random, because the enumeration of items in
Python sets and dictionaries can vary arbitrarily.
Later, the BDD variables were initially sorted in natural order by their bitblasted “flat” name
(i.e., after translation to logic and bitblasting). The flat name of a variable includes scope informa-
tion in the form of a prefix. This brings together in ordering variables that are defined in the same
namespace, bits in the same bitvector, and variables with similar names (with respect to natural
ordering). Initial sorting by natural order improved the results.
Using a natural lexical ordering to obtain the initial variable order brings together variables
in the same scope. The revised specification contains more information in the form of variable
scopes, because local variables in the same process have the same prefix in the logic formulae (for
example, a local variable x will become pid0_x). The original specification is flat (no processes in
the syntactic description), so it contains less scoping information.
3 In BFCuddManager.h as of f9eed21813e7e6d23c0bd63563b587cc1cee95c6 (line 30).
25

























































Figure 5: Total run time vs number of masters for synthesizing an arbiter using the revised speci-
fication, with fairness as a Büchi automaton, and reordering enabled during strategy construction.
These repeated experiments are different runs than those from which the detailed tracing plots were
generated.
26







































































































































































































































































Figure 6: Peak memory consumption for the experiments of Fig. 5
Table 3: Index of measurements for each experiment.
Revised Y Y Y Y
BA Y Y Y Y
Reorder Y Y Y Y
masters Experiments
2 Fig. 60 Fig. 101 Fig. 89 Fig. 94 Fig. 118 Fig. 26 Fig. 45 Fig. 79
3 Fig. 61 Fig. 102 Fig. 90 Fig. 95 Fig. 119 Fig. 27 Fig. 46 Fig. 80
4 Fig. 62 Fig. 103 Fig. 91 Fig. 96 Fig. 120 Fig. 28 Fig. 47 Fig. 81
5 Fig. 63 Fig. 104 Fig. 92 Fig. 97 Fig. 121 Fig. 29 Fig. 48 Fig. 82
6 Fig. 64 Fig. 105 Fig. 93 Fig. 98 Fig. 122 Fig. 30 Fig. 49 Fig. 83
7 Fig. 65 Fig. 106 Fig. 99 Fig. 123 Fig. 31 Fig. 50 Fig. 84
8 Fig. 66 Fig. 107 Fig. 100 Fig. 124 Fig. 32 Fig. 51 Fig. 85
9 Fig. 67 Fig. 108 Fig. 33 Fig. 52 Fig. 86
10 Fig. 68 Fig. 109 Fig. 34 Fig. 53 Fig. 87
11 Fig. 69 Fig. 110 Fig. 35 Fig. 54 Fig. 88
12 Fig. 70 Fig. 111 Fig. 36 Fig. 55
13 Fig. 71 Fig. 112 Fig. 37 Fig. 56
14 Fig. 72 Fig. 113 Fig. 38 Fig. 57
15 Fig. 73 Fig. 114 Fig. 39 Fig. 58
16 Fig. 74 Fig. 115 Fig. 40 Fig. 59
17 Fig. 75 Fig. 116 Fig. 41
18 Fig. 76 Fig. 117 Fig. 42
19 Fig. 77 Fig. 43
20 Fig. 78 Fig. 44
27



























































































Figure 7: Revised spec with BA and strategy reordering.
28



























































































Figure 8: Revised spec with BA but no strategy reordering.
29




























































































Figure 9: Original spec with BA and strategy reordering.
30





























































































Figure 10: Original spec with BA but no strategy reordering.
31


























































































Figure 11: Revised spec with conjunction and strategy reordering.
32
























































































Figure 12: Revised spec with conjunction but no strategy reordering.
33




























































































Figure 13: Original spec with conjunction and strategy reordering.
34






























































































Figure 14: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade).
35























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 15: Revised with BA, w/o divided by w/ reordering.
36

























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 16: Original with BA, w/o divided by w/ reordering.
37























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 17: Revised with conjunction, w/o divided by w/ reordering.
38





















































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 18: Original with conjunction, w/o divided by w/ reordering.
39



























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 19: Original with conjunction and with reordering, divided by original BA w/o reordering.
40






















































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 20: Revised conjunction divided by BA (both with reordering).
41






















































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 21: Revised conjunction with reordering, divided by BA w/o reordering.
42
























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 22: Revised conjunction divided by BA (both w/o reordering).
43


























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 23: Revised conjunction w/o reordering, divided by BA with reordering.
44
























































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 24: Original with BA divided by revised with BA (both w/o reordering).
45






















































reordering / total time
strategy / total nodes
env / total vars
strategy construction /
 realizability time
Figure 25: Original with conjunction divided by revised with conjunction (both with reordering).
46





























































































































ith  strategy covered states new states






























Figure 26: Revised spec with BA and strategy reordering: 2 masters.
47
































































































































ith  strategy covered states new states































Figure 27: Revised spec with BA and strategy reordering: 3 masters.
48





























































































































ith  strategy covered states new states
































Figure 28: Revised spec with BA and strategy reordering: 4 masters.
49

































































































































ith  strategy covered states new states


































Figure 29: Revised spec with BA and strategy reordering: 5 masters.
50






























































































































ith  strategy covered states new states
































Figure 30: Revised spec with BA and strategy reordering: 6 masters.
51































































































































ith  strategy covered states new states































Figure 31: Revised spec with BA and strategy reordering: 7 masters.
52































































































































ith  strategy covered states new states































Figure 32: Revised spec with BA and strategy reordering: 8 masters.
53


































































































































ith  strategy covered states new states
































Figure 33: Revised spec with BA and strategy reordering: 9 masters.
54































































































































ith  strategy covered states new states































Figure 34: Revised spec with BA and strategy reordering: 10 masters.
55


































































































































ith  strategy covered states new states






























Figure 35: Revised spec with BA and strategy reordering: 11 masters.
56


































































































































ith  strategy covered states new states





























Figure 36: Revised spec with BA and strategy reordering: 12 masters.
57






























































































































ith  strategy covered states new states
































Figure 37: Revised spec with BA and strategy reordering: 13 masters.
58



































































































































ith  strategy covered states new states






























































































































































ith  strategy covered states new states
































Figure 39: Revised spec with BA and strategy reordering: 15 masters.
60



































































































































ith  strategy covered states new states






























Figure 40: Revised spec with BA and strategy reordering: 16 masters.
61































































































































ith  strategy covered states new states































Figure 41: Revised spec with BA and strategy reordering: 17 masters.
62





































































































































ith  strategy covered states new states







































































































































































ith  strategy covered states new states






























Figure 43: Revised spec with BA and strategy reordering: 19 masters.
64


































































































































ith  strategy covered states new states


































Figure 44: Revised spec with BA and strategy reordering: 20 masters.
65





























































































































ith  strategy covered states new states






























Figure 45: Revised spec with BA but no strategy reordering: 2 masters.
66
































































































































ith  strategy covered states new states
































Figure 46: Revised spec with BA but no strategy reordering: 3 masters.
67




































































































































ith  strategy covered states new states
































Figure 47: Revised spec with BA but no strategy reordering: 4 masters.
68

































































































































ith  strategy covered states new states


































Figure 48: Revised spec with BA but no strategy reordering: 5 masters.
69
































































































































ith  strategy covered states new states
































Figure 49: Revised spec with BA but no strategy reordering: 6 masters.
70






























































































































ith  strategy covered states new states
































Figure 50: Revised spec with BA but no strategy reordering: 7 masters.
71
































































































































ith  strategy covered states new states































Figure 51: Revised spec with BA but no strategy reordering: 8 masters.
72





































































































































ith  strategy covered states new states
































Figure 52: Revised spec with BA but no strategy reordering: 9 masters.
73

































































































































ith  strategy covered states new states
































Figure 53: Revised spec with BA but no strategy reordering: 10 masters.
74






























































































































ith  strategy covered states new states
































Figure 54: Revised spec with BA but no strategy reordering: 11 masters.
75







































































































































ith  strategy covered states new states

































Figure 55: Revised spec with BA but no strategy reordering: 12 masters.
76



































































































































ith  strategy covered states new states
































Figure 56: Revised spec with BA but no strategy reordering: 13 masters.
77




































































































































ith  strategy covered states new states






























Figure 57: Revised spec with BA but no strategy reordering: 14 masters.
78


































































































































ith  strategy covered states new states

































Figure 58: Revised spec with BA but no strategy reordering: 15 masters.
79



































































































































ith  strategy covered states new states






























Figure 59: Revised spec with BA but no strategy reordering: 16 masters.
80



























































































































ith  strategy covered states new states































Figure 60: Revised spec with conjunction and strategy reordering: 2 masters.
81































































































































ith  strategy covered states new states

































Figure 61: Revised spec with conjunction and strategy reordering: 3 masters.
82





























































































































ith  strategy covered states new states
































Figure 62: Revised spec with conjunction and strategy reordering: 4 masters.
83

































































































































ith  strategy covered states new states

































Figure 63: Revised spec with conjunction and strategy reordering: 5 masters.
84




























































































































ith  strategy covered states new states


































Figure 64: Revised spec with conjunction and strategy reordering: 6 masters.
85





























































































































ith  strategy covered states new states
































Figure 65: Revised spec with conjunction and strategy reordering: 7 masters.
86

































































































































ith  strategy covered states new states
































Figure 66: Revised spec with conjunction and strategy reordering: 8 masters.
87





























































































































ith  strategy covered states new states

































Figure 67: Revised spec with conjunction and strategy reordering: 9 masters.
88


































































































































ith  strategy covered states new states

































































































































































ith  strategy covered states new states































Figure 69: Revised spec with conjunction and strategy reordering: 11 masters.
90






























































































































ith  strategy covered states new states































Figure 70: Revised spec with conjunction and strategy reordering: 12 masters.
91
































































































































ith  strategy covered states new states





























Figure 71: Revised spec with conjunction and strategy reordering: 13 masters.
92































































































































ith  strategy covered states new states































Figure 72: Revised spec with conjunction and strategy reordering: 14 masters.
93


































































































































ith  strategy covered states new states


































Figure 73: Revised spec with conjunction and strategy reordering: 15 masters.
94

































































































































ith  strategy covered states new states
































Figure 74: Revised spec with conjunction and strategy reordering: 16 masters.
95































































































































ith  strategy covered states new states































Figure 75: Revised spec with conjunction and strategy reordering: 17 masters.
96































































































































ith  strategy covered states new states






























Figure 76: Revised spec with conjunction and strategy reordering: 18 masters.
97



































































































































ith  strategy covered states new states































Figure 77: Revised spec with conjunction and strategy reordering: 19 masters.
98































































































































ith  strategy covered states new states






























Figure 78: Revised spec with conjunction and strategy reordering: 20 masters.
99



























































































































ith  strategy covered states new states































Figure 79: Revised spec with conjunction but no strategy reordering: 2 masters.
100
































































































































ith  strategy covered states new states































Figure 80: Revised spec with conjunction but no strategy reordering: 3 masters.
101


































































































































ith  strategy covered states new states






























Figure 81: Revised spec with conjunction but no strategy reordering: 4 masters.
102


































































































































ith  strategy covered states new states

































Figure 82: Revised spec with conjunction but no strategy reordering: 5 masters.
103






























































































































ith  strategy covered states new states
































Figure 83: Revised spec with conjunction but no strategy reordering: 6 masters.
104




























































































































ith  strategy covered states new states






























Figure 84: Revised spec with conjunction but no strategy reordering: 7 masters.
105






























































































































ith  strategy covered states new states































Figure 85: Revised spec with conjunction but no strategy reordering: 8 masters.
106





























































































































ith  strategy covered states new states






























Figure 86: Revised spec with conjunction but no strategy reordering: 9 masters.
107



































































































































ith  strategy covered states new states































Figure 87: Revised spec with conjunction but no strategy reordering: 10 masters.
108
































































































































ith  strategy covered states new states

































Figure 88: Revised spec with conjunction but no strategy reordering: 11 masters.
109
































































































































ith  strategy covered states new states

































Figure 89: Original spec with BA and strategy reordering: 2 masters.
110





























































































































ith  strategy covered states new states
































Figure 90: Original spec with BA and strategy reordering: 3 masters.
111

































































































































ith  strategy covered states new states

































Figure 91: Original spec with BA and strategy reordering: 4 masters.
112
































































































































ith  strategy covered states new states






























Figure 92: Original spec with BA and strategy reordering: 5 masters.
113
































































































































ith  strategy covered states new states
































Figure 93: Original spec with BA and strategy reordering: 6 masters.
114





























































































































ith  strategy covered states new states































Figure 94: Original spec with BA but no strategy reordering: 2 masters.
115





























































































































ith  strategy covered states new states
































Figure 95: Original spec with BA but no strategy reordering: 3 masters.
116

































































































































ith  strategy covered states new states
































Figure 96: Original spec with BA but no strategy reordering: 4 masters.
117

































































































































ith  strategy covered states new states































Figure 97: Original spec with BA but no strategy reordering: 5 masters.
118
































































































































ith  strategy covered states new states
































Figure 98: Original spec with BA but no strategy reordering: 6 masters.
119
































































































































ith  strategy covered states new states


































Figure 99: Original spec with BA but no strategy reordering: 7 masters.
120































































































































ith  strategy covered states new states































Figure 100: Original spec with BA but no strategy reordering: 8 masters.
121





























































































































ith  strategy covered states new states































Figure 101: Original spec with conjunction and strategy reordering: 2 masters.
122
































































































































ith  strategy covered states new states
































Figure 102: Original spec with conjunction and strategy reordering: 3 masters.
123




























































































































ith  strategy covered states new states

































Figure 103: Original spec with conjunction and strategy reordering: 4 masters.
124































































































































ith  strategy covered states new states

































Figure 104: Original spec with conjunction and strategy reordering: 5 masters.
125





























































































































ith  strategy covered states new states




































































































































































ith  strategy covered states new states































Figure 106: Original spec with conjunction and strategy reordering: 7 masters.
127






































































































































ith  strategy covered states new states


































Figure 107: Original spec with conjunction and strategy reordering: 8 masters.
128






























































































































ith  strategy covered states new states

































Figure 108: Original spec with conjunction and strategy reordering: 9 masters.
129





































































































































ith  strategy covered states new states






























Figure 109: Original spec with conjunction and strategy reordering: 10 masters.
130


































































































































ith  strategy covered states new states






























Figure 110: Original spec with conjunction and strategy reordering: 11 masters.
131


































































































































ith  strategy covered states new states

































Figure 111: Original spec with conjunction and strategy reordering: 12 masters.
132






























































































































ith  strategy covered states new states































Figure 112: Original spec with conjunction and strategy reordering: 13 masters.
133

































































































































ith  strategy covered states new states
































Figure 113: Original spec with conjunction and strategy reordering: 14 masters.
134





































































































































ith  strategy covered states new states






























Figure 114: Original spec with conjunction and strategy reordering: 15 masters.
135





































































































































ith  strategy covered states new states


































Figure 115: Original spec with conjunction and strategy reordering: 16 masters.
136








































































































































ith  strategy covered states new states
































Figure 116: Original spec with conjunction and strategy reordering: 17 masters.
137

































































































































ith  strategy covered states new states





























Figure 117: Original spec with conjunction and strategy reordering: 18 masters.
138






























































































































ith  strategy covered states new states


































Figure 118: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 2 masters. 139


































































































































ith  strategy covered states new states






























Figure 119: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 3 masters. 140































































































































ith  strategy covered states new states


































Figure 120: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 4 masters. 141



































































































































ith  strategy covered states new states































Figure 121: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 5 masters. 142






























































































































ith  strategy covered states new states






























Figure 122: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 6 masters. 143



































































































































ith  strategy covered states new states
































Figure 123: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 7 masters. 144






































































































































ith  strategy covered states new states

































Figure 124: Original spec with conjunction but no strategy reordering (last runs with memory
upgrade): 8 masters. 145
















BA revised, w/o reorder
time from [Bloem et al.`12]
time from [Godhal et al.`13]
Figure 125: Comparison with [1].
Figure 126: Synthesis time for the revised specification using a BA (w/o strategy reordering),
Fig. 45 to Fig. 59, and conjoining liveness goals (using strategy reordering), Fig. 60 to Fig. 78,
compared to results from [1, 2].
4 Relevant work
The specification that we considered was proposed in [5, 4, 1]. The time reported there for 12
masters is in the order of 20 hours, using the synthesizer Anzu [29]. Both Anzu (Perl) and
Slugs (C++) use Cudd [28] as BDD library.
In [2], a more complete specification was presented for the AHB arbiter, by extending the
specification of [1], but without revisions of the form proposed here. In particular, [2] refines the
specification, adding more detail, whereas we abstract it, weakening and modifying assumptions.
The times reported there are much improved compared to [1], but still scale to above an hour for 16
masters. In contrast, the revised specification with conjunction synthesizes in the order of minutes
(with strategy reordering enabled).
In [8], a different algorithm is proposed for constructing the winning strategy from the interme-
diate sets produced by the fixed point iteration that decides realizability. The resulting strategy
is eager to progress in reaching multiple goals, when the opportunity exists, cycling faster through
liveness goals. The times reported there are in the order of 6 and 10 hours (for the various strategy
















Figure 127: Listing corresponding to formula in text.
A Note on determinism of automata
Note that the (symbolic) automaton is deterministic, because it commits to the choices it makes,
i.e., its existential branching is visible to the property (the variables that represent the state are
letters in the alphabet). (For automated determinization of LTL properties to either parity or Büchi
automata, prior to solving a parity game, see [30]).
For example, an automaton with four nodes can be represented by introducing an auxiliary
integer variable u 2 f0; 1; 2; 3g. Suppose that it has the transitions ((u = 0) ! (('1 ^ 
(u =
1)) _ (:'1 ^ 
(u = 0)))) ^ ((u = 1) ! (('2 ^ 
(u = 2)) _ ('3 ^ 
(u = 2)))) ^ ((u = 2) !
(('4 ^
(u = 3)) _ ('5 ^
(u = 2)) _ (:'4 ^ :'5 ^
(u = 2)))) ^ ((u = 3)! ('6 ^
(u = 0)). It
can be argued that this formula is much less readable and editable than the listing of Fig. 127.
Note that the above automaton can have more than a single enabled transition. Nonetheless,
it represents a deterministic Buchi automaton, because the program counter u is visible to the
environment. This forces the system to commit to its future strategy during GR(1) synthesis, when
it selects a valuation of its variables as reaction. In other words, the non-determinism is visible,
because u is part of the alphabet and so of the moves that the synthesis algorithm takes in the
game. For the above symbolic automaton to be non-deterministic, the variable u must not be part
of the alphabet, so not a visible output. This is not the case in GR(1) synthesis. Strictly speaking,
the previous can be regarded as a symbolic representation of an automaton, but not as a Büchi
automaton. If each edge label is conjoined with a formula of the form 
(u = j), then the resulting
representation will indeed be a deterministic Büchi automaton.
147
B Revised AMBA AHB specification
Listing 1: The revised AMBA AHB specification.
1 #define N 2 /* N + 1 masters */
2 #define SINGLE 0
3 #define BURST4 1
4 #define INCR 2
5
6
7 /* variables of masters and slaves */
8 /* A4: initial condition */
9 free env bool ready = false;
10 free env int(0, 2) burst;
11 free env bool request[N + 1] = false;
12 free env bool grantee_lockreq = false;
13 free env bool master_lockreq = false;
14
15 /* arbiter variables */
16 /* G11: sys initial condition */
17 free bool start = true;
18 free bool decide = true;
19 free bool lock = false;
20 free bool lockmemo;
21 free int(0, N) master = 0;
22 free int(0, N) grant;
23
24 /* A2: slaves must progress with receiving data */
25 assume ltl { []<> ready }
26
27 /* A3: dropped, weakening the assumptions */
28
29 /* A1: if current master is granted locked access,
30 * then it must progress by withdrawing the lock request.
31 */





37 :: ! master_lockreq; break








45 assert ltl {
46 [](
47 /* G1: new access starts only when slave is ready
*/
48 (start'  > ready)
49 /* G4,5: current master and lock updated
50 * only when communicating slave signals
51 * that it completed receiving data.
52 */
53 && (ready  > ((master' == grant) && (lock' < >
lockmemo)))
54 /* G6: current master and locking may change only
55 * when an access starts, and remain invariant
otherwise
56 */
57 && (! start'  > (
58 (master' == master) &&
59 (lock' < > lock)))
60 /* G7: when deciding, remember if the requestor
61 * requested also locking.
62 * when implementing the circuit, route:
63 * grantee_lockreq = lockreq[grant']
64 */
65 && (decide  > (lockmemo' < > grantee_lockreq))
66 /* G8: current grantee and locking memo
67 * remain invariant while not deciding.
68 */
69 && (! decide  > (
70 (grant' == grant) &&
71 (lockmemo' < > lockmemo)))
72 /* G10: only a requestor can become grantee */





77 /* all properties must hold synchronously */
78 sync{
79
80 /* G9: weak fairness */
81 assert sys proctype fairness(){
82 int(0, N) count;
83 do
84 :: (! request[count] || (master == count));
149
85 if
86 :: (count < N) && (count' == count + 1)







94 /* G2: if locked access of unspecified length starts,
95 * then locking shall be withdrawn before starting
96 * another access.
97 */
98 assert sys proctype maintain_lock(){
99 do
100 :: (lock && start && (burst == INCR));
101 do
102 :: (! start && ! master_lockreq); break






109 /* G3: for a BURST4 access,
110 * count the "ready" time steps.
111 */
112 assert sys proctype count_burst(){
113 int(0, 3) count;
114 do
115 :: (start && lock &&
116 (burst == BURST4) &&
117 (!ready || (count' == 1)) &&
118 (ready || (count' == 0)) );
119 do
120 :: (! start && ! ready)
121 :: (! start && ready && (count < 3) &&
122 (count' == count + 1))








C Original AMBA AHB specification
The following specification was created by a translator based on the original one from the Anzu
website [29].
Listing 2: The original AMBA AHB specification from [1], for the case of 2 masters.
1 free env bit hready, hburst0, hburst1, hbusreq0, hlock0, hbusreq1,
hlock1;
2 free sys bit hmaster0, hmastlock, start, locked, decide, hgrant0,
busreq, stateA1_0, stateA1_1, stateG2, stateG3_0, stateG3_1,
stateG3_2, hgrant1, stateG10_1;
3 assume ltl {
4 hready == 0 &&
5 hbusreq0 == 0 &&
6 hlock0 == 0 &&
7 hbusreq1 == 0 &&
8 hlock1 == 0 &&
9 hburst0 == 0 &&
10 hburst1 == 0 &&
11
12 []( hlock0 == 1  > hbusreq0 == 1 ) &&
13 []( hlock1 == 1  > hbusreq1 == 1 ) &&
14
15 [](<>(stateA1_1 == 0)) &&
16 [](<>(hready == 1))
17
18 }
19 assert ltl {
20 hmaster0 == 0 &&
21 hmastlock == 0&&
22 start == 1&&
23 decide == 1&&
24 locked == 0&&
25 hgrant0 == 1&&
26 hgrant1 == 0 &&
27 busreq==0 &&
28 stateA1_0 == 0 &&
29 stateA1_1 == 0 &&
30 stateG2 == 0 &&
31 stateG3_0 == 0 &&
32 stateG3_1 == 0 &&
33 stateG3_2 == 0 &&
34 stateG10_1 == 0 &&
35
36 []((hmaster0 == 0)  > (hbusreq0 == 0 < > busreq==0)) &&
37 []((hmaster0 == 1)  > (hbusreq1 == 0 < > busreq==0)) &&
151
38 [](((stateA1_1 == 0) && (stateA1_0 == 0) && ((hmastlock == 0) || (
hburst0 == 1) || (hburst1 == 1)))  >
39 X((stateA1_1 == 0) && (stateA1_0 == 0))) &&
40 [](((stateA1_1 == 0) && (stateA1_0 == 0) && (hmastlock == 1) && (
hburst0 == 0) && (hburst1 == 0))  >
41 X((stateA1_1 == 1) && (stateA1_0 == 0))) &&
42 [](((stateA1_1 == 1) && (stateA1_0 == 0) && (busreq == 1))  >
43 X((stateA1_1 == 1) && (stateA1_0 == 0))) &&
44 [](((stateA1_1 == 1) && (stateA1_0 == 0) && (busreq == 0) && ((
hmastlock == 0) || (hburst0 == 1) || (hburst1 == 1)))  >
45 X((stateA1_1 == 0) && (stateA1_0 == 0))) &&
46 [](((stateA1_1 == 1) && (stateA1_0 == 0) && (busreq == 0) && (
hmastlock == 1) && (hburst0 == 0) && (hburst1 == 0))  >
47 X((stateA1_1 == 0) && (stateA1_0 == 1))) &&
48 [](((stateA1_1 == 0) && (stateA1_0 == 1) && (busreq == 1))  >
49 X((stateA1_1 == 1) && (stateA1_0 == 0))) &&
50 [](((stateA1_1 == 0) && (stateA1_0 == 1) && (hmastlock == 1) && (
hburst0 == 0) && (hburst1 == 0))  >
51 X((stateA1_1 == 1) && (stateA1_0 == 0))) &&
52 [](((stateA1_1 == 0) && (stateA1_0 == 1) && (busreq == 0) && ((
hmastlock == 0) || (hburst0 == 1) || (hburst1 == 1)))  >
53 X((stateA1_1 == 0) && (stateA1_0 == 0))) &&
54 []((hready == 0)  > X(start == 0)) &&
55 [](((stateG2 == 0) && ((hmastlock == 0) || (start == 0) || (
hburst0 == 1) || (hburst1 == 1)))  > X(stateG2 == 0)) &&
56 [](((stateG2 == 0) && (hmastlock == 1) && (start == 1) && (
hburst0 == 0) && (hburst1 == 0))  > X(stateG2 == 1)) &&
57 [](((stateG2 == 1) && (start == 0) && (busreq == 1))  > X(stateG2
== 1)) &&
58 [](((stateG2 == 1) && (start == 1))  > false) &&
59 [](((stateG2 == 1) && (start == 0) && (busreq == 0))  > X(stateG2
== 0)) &&
60 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 0) &&
61 ((hmastlock == 0) || (start == 0) || ((hburst0 == 1) || (hburst1
== 0))))  >
62 (X(stateG3_0 == 0) && X(stateG3_1 == 0) && X(stateG3_2 == 0)))
&&
63 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 0) &&
64 ((hmastlock == 1) && (start == 1) && ((hburst0 == 0) && (hburst1
== 1)) && (hready == 0)))  >
65 (X(stateG3_0 == 1) && X(stateG3_1 == 0) && X(stateG3_2 == 0)))
&&
66 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 0) &&
67 ((hmastlock == 1) && (start == 1) && ((hburst0 == 0) && (hburst1
== 1)) && (hready == 1)))  >




70 [](((stateG3_0 == 1) && (stateG3_1 == 0) && (stateG3_2 == 0) && ((
start == 0) && (hready == 0)))  >
71 (X(stateG3_0 == 1) && X(stateG3_1 == 0) && X(stateG3_2 == 0)))
&&
72 [](((stateG3_0 == 1) && (stateG3_1 == 0) && (stateG3_2 == 0) && ((
start == 0) && (hready == 1)))  >
73 (X(stateG3_0 == 0) && X(stateG3_1 == 1) && X(stateG3_2 == 0)))
&&
74
75 [](((stateG3_0 == 1) && (stateG3_1 == 0) && (stateG3_2 == 0) && ((
start == 1)))  > false) &&
76
77
78 [](((stateG3_0 == 0) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 0) && (hready == 0)))  >
79 (X(stateG3_0 == 0) && X(stateG3_1 == 1) && X(stateG3_2 == 0)))
&&
80 [](((stateG3_0 == 0) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 0) && (hready == 1)))  >
81 (X(stateG3_0 == 1) && X(stateG3_1 == 1) && X(stateG3_2 == 0)))
&&
82 [](((stateG3_0 == 0) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 1)))  > false) &&
83
84 [](((stateG3_0 == 1) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 0) && (hready == 0)))  >
85 (X(stateG3_0 == 1) && X(stateG3_1 == 1) && X(stateG3_2 == 0)))
&&
86 [](((stateG3_0 == 1) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 0) && (hready == 1)))  >
87 (X(stateG3_0 == 0) && X(stateG3_1 == 0) && X(stateG3_2 == 1)))
&&
88 [](((stateG3_0 == 1) && (stateG3_1 == 1) && (stateG3_2 == 0) && ((
start == 1)))  > false) &&
89
90 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 1) && ((
start == 0) && (hready == 0)))  >
91 (X(stateG3_0 == 0) && X(stateG3_1 == 0) && X(stateG3_2 == 1)))
&&
92 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 1) && ((
start == 0) && (hready == 1)))  >




95 [](((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 1) && ((
start == 1)))  > false) &&
96 []((hready == 1)  > ((hgrant0 == 1) < > (X(hmaster0 == 0)))) &&
97 []((hready == 1)  > ((hgrant1 == 1) < > (X(hmaster0 == 1)))) &&
98 []((hready == 1)  > (locked == 0 < > X(hmastlock == 0))) &&
99 [](X(start == 0)  > (((hmaster0 == 0)) < > (X(hmaster0 == 0)))) &&
100 [](X(start == 0)  > (((hmaster0 == 1)) < > (X(hmaster0 == 1)))) &&
101 [](((X(start == 0)))  > ((hmastlock == 1) < > X(hmastlock == 1)))
&&
102 []((decide == 1 && hlock0 == 1 && X(hgrant0 == 1)) >X(locked == 1)
) &&
103 []((decide == 1 && hlock0 == 0 && X(hgrant0 == 1)) >X(locked == 0)
) &&
104 []((decide == 1 && hlock1 == 1 && X(hgrant1 == 1)) >X(locked == 1)
) &&
105 []((decide == 1 && hlock1 == 0 && X(hgrant1 == 1)) >X(locked == 0)
) &&
106 []((decide == 0)  > (((hgrant0 == 0)< > X(hgrant0 == 0)))) &&
107 []((decide == 0)  > (((hgrant1 == 0)< > X(hgrant1 == 0)))) &&
108 []((decide == 0) >(locked == 0 < > X(locked == 0))) &&
109 [](((stateG10_1 == 0) && (((hgrant1 == 1) ||(hbusreq1 == 1))))  >
X(stateG10_1 == 0)) &&
110 [](((stateG10_1 == 0) && ((hgrant1 == 0) && (hbusreq1 == 0)))  > X
(stateG10_1 == 1)) &&
111 [](((stateG10_1 == 1) && ((hgrant1 == 0) && (hbusreq1 == 0))) > X(
stateG10_1 == 1)) &&
112 [](((stateG10_1 == 1) && (((hgrant1 == 1)) && (hbusreq1 == 0)))  >
false) &&
113 [](((stateG10_1 == 1) && (hbusreq1 == 1))  > X(stateG10_1 == 0))
&&
114 []((decide==1 && hbusreq0 == 0 && hbusreq1 == 0)  > X(hgrant0==1)
) &&
115
116 [](<>(stateG2 == 0)) &&
117 [](<>((stateG3_0 == 0) && (stateG3_1 == 0) && (stateG3_2 == 0)
))
118 && [](<>(((hmaster0 == 0)) || hbusreq0 == 0))&&




[1] R. Bloem, B. Jobstmann, N. Piterman, A. Pnueli, and Y. Sa’ar, “Synthesis of Reactive(1)
designs,” Journal of Computer and System Sciences, vol. 78, no. 3, pp. 911 – 938, 2012, in
Commemoration of Amir Pnueli. 1, 5, 6, 7, 8, 9, 10, 11, 18, 20, 24, 25, 146, 151
[2] Y. Godhal, K. Chatterjee, and T. A. Henzinger, “Synthesis of AMBA AHB from formal specifi-
cation: a case study,” International Journal on Software Tools for Technology Transfer, vol. 15,
no. 5-6, pp. 585–601, 2013. 5, 6, 8, 146
[3] AMBA™ Specification, Rev 2.0 ed., ARM Ltd., 1999. 6, 19
[4] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and M. Weiglhofer, “Interactive
presentation: Automatic hardware synthesis from specifications: A case study,” in Proceedings
of the Conference on Design, Automation and Test in Europe, ser. DATE ’07. San Jose, CA,
USA: EDA Consortium, 2007, pp. 1188–1193. 6, 8, 146
[5] ——, “Specify, compile, run: Hardware from PSL,” Electronic Notes in Theoretical Com-
puter Science, vol. 190, no. 4, pp. 3 – 16, 2007, proceedings of the Workshop on Compiler
Optimization meets Compiler Verification (COCV 2007). 6, 8, 146
[6] A. Morgenstern, “Symbolic controller synthesis for LTL specifications,” Ph.D. dissertation,
Computer Science, February 2010. [Online]. Available: http://nbn-resolving.de/urn/resolver.
pl?urn:nbn:de:hbz:386-kluedo-25721 6
[7] W. Li, L. Dworkin, and S. A. Seshia, “Mining assumptions for synthesis,” in Formal Methods
and Models for Codesign (MEMOCODE), 2011 9th IEEE/ACM International Conference on.
IEEE, 2011, pp. 43–50. 6
[8] M. Schlaipfer, G. Hofferek, and R. Bloem, “Generalized reactivity (1) synthesis without a
monolithic strategy,” in Hardware and Software: Verification and Testing. Springer, 2012,
pp. 20–34. 6, 146
[9] R. Bloem, S. Jacobs, and A. Khalimov, “Parameterized synthesis case study: AMBA AHB
(extended version),” 06 2014. [Online]. Available: http://arxiv.org/abs/1406.7608 6
[10] R. Ehlers, R. Kunighofer, and G. Hofferek, “Symbolically synthesizing small circuits,” in For-
mal Methods in Computer-Aided Design (FMCAD), 2012, Oct 2012, pp. 91–100. 6
[11] J. Schmaltz and D. Borrione, “Validation of a parameterized bus architecture model,” Proc.
TIMA-VDS, 2003. 6
[12] K. W. Susanto, “A verification platform for system on chip,” Ph.D. dissertation, Dept. of
Computing Science, Glasgow, UK, October 2003. 6
[13] K. W. Susanto and T. Melham, “An AMBA-ARM7 formal verification platform,” in Formal
Methods and Software Engineering. Springer, 2003, pp. 48–67. 6
[14] A. Roychoudhury, T. Mitra, and S. Karri, “Using formal techniques to debug the AMBA
system-on-chip bus protocol,” in Design, Automation and Test in Europe Conference and
Exhibition, 2003. IEEE, 2003, pp. 828–833. 6
155
[15] A. A. McEwan and S. Schneider, “Modelling and analysis of the AMBA bus using CSP and
B,” Concurrency and Computation: Practice and Experience, vol. 22, no. 8, pp. 949–964, 2010.
6
[16] G. Madl, S. Pasricha, L. A. D. Bathen, N. Dutt, and Q. Zhu, “Formal performance evalua-
tion of AMBA-based system-on-chip designs,” in Proceedings of the 6th ACM &amp; IEEE
International conference on Embedded software. ACM, 2006, pp. 311–320. 6
[17] M. Pockrandt, P. Herber, and S. Glesner, “Model checking a SystemC/TLM design of the
AMBA AHB protocol,” in Embedded Systems for Real-Time Multimedia (ESTIMedia), 2011
9th IEEE Symposium on. IEEE, 2011, pp. 66–75. 6
[18] N. Piterman, A. Pnueli, and Y. Sa’ar, “Synthesis of Reactive(1) designs,” in Verification, Model
Checking, and Abstract Interpretation (VMCAI). Charleston, SC, USA: Springer, January
2006, pp. 364–380. 6, 23
[19] E. W. Dijkstra, “Guarded commands, nondeterminacy and formal derivation of programs,”
Commun. ACM, vol. 18, no. 8, pp. 453–457, Aug. 1975. 10
[20] I. Filippidis, R. M. Murray, and G. J. Holzmann, “Synthesis from multi-paradigm
specifications,” California Institute of Technology, Tech. Rep., March 2015. [Online]. Available:
http://resolver.caltech.edu/CaltechCDSTR:2015.003 18
[21] R. Ehlers and V. Raman, “Low-effort specification debugging and analysis,” EPTCS, vol. 157,
pp. 117–133, 07 2014. 18
[22] R. Rudell, “Dynamic variable ordering for ordered binary decision diagrams,” in Proceedings
of the 1993 IEEE/ACM international conference on Computer-aided design. IEEE Computer
Society Press, 1993, pp. 42–47. 19
[23] S. Panda and F. Somenzi, “Who are the variables in your neighbourhood,” in Computer-
Aided Design, 1995. ICCAD-95. Digest of Technical Papers., 1995 IEEE/ACM International
Conference on. IEEE, 1995, pp. 74–77. 19
[24] M. Byrod, B. Lennartson, A. Vahidi, and K. Akesson, “Efficient reachability analysis on mod-
ular discrete-event systems using binary decision diagrams,” in Discrete Event Systems, 2006
8th International Workshop on. IEEE, 2006, pp. 288–293. 21, 24
[25] J. Geldenhuys and A. Valmari, “Techniques for smaller intermediary bdds,” in CONCUR
2001—Concurrency Theory. Springer, 2001, pp. 233–247. 21, 24, 25
[26] W. Thomas, “Solution of church’s problem: A tutorial,” New Perspectives on Games and
interaction, vol. 5, 2008. 23
[27] A. Browne, E. M. Clarke, S. Jha, D. E. Long, and W. Marrero, “An improved algorithm for the
evaluation of fixpoint expressions,” Theoretical Computer Science, vol. 178, no. 1, pp. 237–255,
1997. 24
[28] F. Somenzi, “Cudd: CU Decision Diagram package - release 2.5.0,” University of Colorado
at Boulder, 2012. [Online]. Available: http://vlsi.colorado.edu/~fabio/CUDD/cuddIntro.html
25, 146
156
[29] B. Jobstmann, S. Galler, M. Weiglhofer, and R. Bloem, “Anzu: A tool for property
synthesis,” in Computer Aided Verification. Springer, 2007, pp. 258–262. [Online]. Available:
http://www.iaik.tugraz.at/content/research/design_verification/anzu/ 146, 151
[30] S. Sohail, F. Somenzi, and K. Ravi, “A hybrid algorithm for LTL games,” in Verification,
Model Checking, and Abstract Interpretation. Springer, 2008, pp. 309–323. 147
157
