We present a mathematical framework for analyzing the synthesis of interacting finite state systems. The logic S1S is used to derive simple, rigorous, and constructive solutions to problems in sequential synthesis. We obtain exact and approximate sets of permissible FSM network behavior, and address the issue of FSM realizability. This approach is also applied to synthesizing systems with fairness and timed systems.
Introduction
The advent of modern VLSI CAD tools has radically changed the process of designing digital systems. The first CAD tools automated the final stages of design, such as placement and routing. As the low level steps became better understood, the focus shifted to the higher stages. In particular logic synthesis, the science of optimizing designs (for various measures such as area, speed, or power) specified at the gate level, has shifted to the forefront of CAD research. Another area rapidly gaining importance is design verification, the study of systematic methods for formally proving the correctness of designs.
Logic synthesis algorithms originally targeted the optimization of PLA implementations; this was followed by research in synthesizing more general multi-level logic implementations. Currently, the central thrust in logic synthesis is sequential synthesis, i.e. the automatic optimization of the entire system. This can be at the logic level (i.e. the input is a netlist of gates and latches) or the state transition graph level. Designs invariably consist of a set of interacting components. Natural questions related to such systems are: what is the optimal choice of a component, and how can a component be derived automatically so as to satisfy given properties?
Previous work in the VLSI design automation community related to optimizing interacting state machines has tended to be ad hoc and incomplete. The constructions and proofs offered are often extremely cumbersome. Relevant papers include [1, 2, 3, 4, 5, 6]. One attempt at a formal synthesis framework based on trace and automata theory is given in [7]. However, the central theorem relating flexibility in a sub-circuit to the specification and the environment is incorrect; we give the correct formulation. There is a large body of theoretical work related to the existence of efficient decision procedures for logics of programs [8, 9, 10, 11]. [9, 10] take logical specifications and construct programs satisfying them. [8] uses a game theoretic formulation to show that the set of moves for a controller is an $\omega$-regular set. [11] gives an elegant characterization of realizability.
Typically, the synthesis process has two stages: first, the set of all possible implementations is characterized (which is the topic of this paper), and then one is chosen according to some optimality criteria. Using the sequential calculus S1S as our basic tool, we show in section 3.1 that the set of all implementations can always be captured by a single finite-state automaton, which can be generated automatically. However, in practice such an automaton may be prohibitively large to construct. One approach to alleviating this problem is to define easier-to-handle automata which capture only a subset of the possible implementations. We pursue this approach in section 3.2.
Supported by SRC Grant 94-
The rest of this paper is structured as follows: §2 reviews the basic definitions and salient results. In §3 we apply these results to synthesizing and optimizing finite state machine networks; specifically, we derive sources of flexibility that can be exploited by synthesis. We also address the issue of hardware realizability. In §4 we describe extensions of our approach to synthesizing systems which incorporate fairness constraints and timed systems.
The analysis in this paper is of a theoretical nature. In particular, the complexity of the exact procedures described can be exponential, or even doubly exponential. From a theoretical point of view, the complexity is inherent; this simply reinforces the need for approximations and heuristics.
Definitions and Basic Results
This section reviews germane definitions and results. In particular, the relationship between finite state machines, languages, and S1S logic is established. For reasons that will become apparent later, we will consider automata on both finite and infinite sequences. An excellent survey of the material covered in this section is in [12].
Finite State Automata and Machines
Given a finite set $\Sigma$, the set $\Sigma^*$ is the set of all finite sequences over $\Sigma$. A $*$-language over $\Sigma$ is a subset of $\Sigma^*$. Given $X \in \Sigma^*$, $|X|$ denotes the length of $X$. The set $\Sigma^\omega$ is the set of all infinite sequences over $\Sigma$, i.e. all maps $f : \omega \to \Sigma$, where $\omega = \{0, 1, 2, \ldots\}$ is the set of natural numbers. An $\omega$-language over $\Sigma$ is a subset of $\Sigma^\omega$.
Notation:
Lower case variables will take values from alphabets; upper case variables will be sequence valued.
Definition 1 A finite state automaton (FA) is a 5-tuple $(\Sigma, S, s_0, T, A)$ where $\Sigma$ is a finite set called the alphabet, $S$ is a finite set of states, $s_0 \in S$ is the initial state, $T \subseteq S \times \Sigma \times S$ is the transition relation, and $A \subseteq S$ is the set of accepting states.
The automaton is said to be deterministic (variously a DFA) if $(\forall s)(\forall x)\,[\,|\{t : (s, x, t) \in T\}| \le 1\,]$; otherwise it is said to be non-deterministic (variously an NFA).
A string $X \in \Sigma^*$ is accepted by the FA if there exists a sequence of states $\sigma = \sigma_0 \sigma_1 \ldots \sigma_n$ such that $n = |X|$, $\sigma_0 = s_0$, $\sigma_n \in A$, and $(\forall i)\,[(\sigma_i, X_i, \sigma_{i+1}) \in T]$. The language of the automaton is the set of strings accepted by it; a language is said to be $*$-regular if it is the language accepted by some automaton.
Definition 2 A Büchi automaton (BA) is a 5-tuple $(\Sigma, S, s_0, T, B)$ where $\Sigma$ is a finite set called the alphabet, $S$ is a finite set of states, $s_0 \in S$ is the initial state, $T \subseteq S \times \Sigma \times S$ is the transition relation, and $B \subseteq S$ is the set of accepting states.
The automaton is said to be deterministic if $(\forall s)(\forall x)\,[$
The notion of a run readily generalizes to infinite sequences.
Our definition of deterministic finite state machine has been referred to as "pseudo non-deterministic" (PNDFSM) in the past [6]. The term deterministic was reserved for what we refer to as an implementation. A related notion is that of incompletely specified finite state machines (ISFSM), where given any state $s$ and input $i$, either $(\exists !$ Note that the behavior of a deterministic machine is defined by a deterministic finite automaton.
Definition 5
Given a language $L \subseteq (\Sigma_I \times \Sigma_O)^*$, a finite state
with L and is an implementation. A language is said to be realizable if there exists a realization of it; similarly an FSM is realizable if its language is realizable.
Definition 6
A finite state machine with Büchi fairness is a tuple $(M, C)$ where $M$ is an FSM, and $C$ is a subset of the states of $M$. Given $F = (M, C)$, an FSM with fairness $F$ is said to be deterministic (complete) if $M$ is deterministic (complete).
The notion of a corresponding run over infinite input/output sequences is defined analogously to that for ordinary FSM's; a run is fair if the infinitary set of states is an element of C. Similarly the language of a finite state machine with fairness is defined to be the language of the corresponding Büchi automaton.
Composition of finite state machines is defined in the usual way [6]. In composing interacting FSM's (sometimes referred to as a network of FSM's), some inputs of each machine may be outputs of other machines, whereas some inputs may be external; also, not all outputs need be external. The entire system is itself a finite state machine on the product state space, referred to as the product machine [6]; transitions take place synchronously, i.e. in "lock-step". When the component machines are Mealy and derived from hardware, composition can lead to combinational cycles, and the product may have undesired oscillatory behaviors [14]. These problems can be circumvented by using Moore machines; we will come back to this phenomenon in section 3.3.
The Sequential Calculus S1S
The logic S1S is a formalism for analyzing sequences over finite alphabets. It was studied in detail by Büchi in [15]; in particular it was shown to be decidable. S1S provides an extremely powerful mechanism for analyzing and manipulating sequential systems: the full expressiveness of logic (conjunction, negation, and quantification) is available.
Definition 7
The logic S1S (second order theory of one successor) is a second order logic [12]. Formulae are derived from the alphabet $\{0, S, =, <, \in, \wedge, \neg, \exists, x_1, x_2, \ldots, X_1, X_2, \ldots\}$. Lower case variables $x_1, x_2, \ldots$ are first order variables ranging over elements of the domain, and upper case variables $X_1, X_2, \ldots$ are second order variables ranging over subsets of the domain. The well formed formulae of the logic S1S are given by the following syntax:
Terms are constructed from the constant $0$ and first order variables by repeated applications of the successor function $S$. Examples of terms: $0$, $SS0$, $SSSSx_3$.
Atomic formulae are of the form $t_1 = t_2$, $t_1 < t_2$, $t \in X_k$. Examples of atomic formulas: $0 < S0$, $x_3 = Sx_5$, $Sx_7 \in X_2$. S1S formulae are constructed from atomic formulas by using the boolean connectives $\wedge$, $\neg$ and quantification over both kinds of variables. Examples of S1S formulas
We write $\phi(X_1, X_2, \ldots, X_n)$ to denote that at most $X_1, X_2, \ldots, X_n$ occur free in $\phi$ (i.e. are not in the scope of any quantifier).
We will routinely use the symbols $\vee$, $\to$, $\forall$, etc. as logical abbreviations.
S1S formulae can be interpreted over the set of natural numbers, where $Sx$ is simply $x + 1$. Formal semantics of S1S can be found in [12]; we informally illustrate them by means of examples.
Example 1: (Non-empty subsets of $\omega$ contain minimal elements)
The above sentence formally states that for every subset $X$ of $\omega$, if $X$ is non-empty ($\exists x \in X$), then it contains a least element $y$.
Given a formula $\phi(X_1)$ in S1S, the class of subsets of $\omega$ defined by $\phi(X_1)$ is the set $\{X \subseteq \omega \mid \phi(X) \text{ is true}\}$. The class of subsets of $\omega$ is in one-to-one correspondence with the set of $\omega$-sequences over $\{0, 1\}$: the 1's in the sequence can be thought of as representing the integers in the corresponding set, e.g. $010101\ldots \leftrightarrow \{1, 3, 5, \ldots\}$.
In this way, an S1S formula $\phi(X_1)$ defines an $\omega$-language over the alphabet $\{0, 1\}$. More generally, formulae $\phi(X_1, X_2, \ldots, X_n)$ define subsets of $(\{0, 1\}^n)^\omega$.
The following result relates S1S formulae to $\omega$-automata. The forward direction is by induction on the length of the S1S formula. Automata for the atomic formulae are easily derived; an inductive construction is used for $\neg$, $\wedge$, $\exists$: $\exists$ is handled by automaton projection, $\wedge$ by automaton intersection, and $\neg$ by automaton complementation. The latter is the non-trivial step, invariably performed by first determinizing the automaton, after which complementation is trivial. The process of complementation is inherently exponential, since the number of states in the complement can (in the worst case) be exponential in the number of states of the given automaton.
With minor modifications, Büchi's result also holds for sets of finite words, i.e. when set quantification is restricted to finite sets only. In this case one speaks of the theory WS1S (weak S1S). The corresponding result for WS1S states that a $*$-language is definable in WS1S if and only if it is $*$-regular [12, 15].
Definition 8
Given a formula $\phi_A(X_1, X_2, \ldots, X_n)$ in S1S (WS1S) we can uniquely identify a Büchi automaton (finite automaton) $A$ over the alphabet $\{0, 1\}^n$.
The relationship between automata and S1S allows us to formally and succinctly express behaviors as formulae in logic, and also provides an automatic procedure to obtain automata from the formulae. Hence, elegant yet rigorous proofs can be given to a large class of solutions to problems related to finite state systems. Furthermore these proofs are constructive, i.e. given a formula in S1S/WS1S it is possible to mechanically construct the corresponding automaton.
Synthesizing FSM networks
As mentioned in the introduction, a critical first step towards synthesizing a component in a design is characterizing the set of all valid implementations. In this section, the flexibility available for sequential synthesis is analyzed. We use S1S to formulate the "E-machine" of Watanabe [6] for a number of FSM interconnect topologies, derive a spectrum of approximations to the E-machine, and address the issue of realizability. 
The E-machine
Consider machines communicating in the configuration shown in figure 1. Suppose $x$ and $y$ are the observable inputs and outputs, and $L_S \subseteq (\Sigma_X \times \Sigma_Y)^*$ is a $*$-regular specification on them, i.e. the only acceptable input-output behavior is that which is contained in $L_S$.
Also suppose the machine $M$ is fixed. The following theorem states that all the flexibility available for synthesis at $C$ is characterized by a single language $L_C$ definable in S1S: for any FSM $C$, $M \times C$ satisfies $S$ if and only if the language of $C$ is contained in $L_C$. This complexity is inherent: it can be achieved in the worst case.
We illustrate the construction for $\phi_C$ by means of an example, described in figure 2.
In the special case when the automaton defining $L_S$ is deterministic, the corresponding bound is $2^{|S_M| \cdot |S_S|}$. This is precisely the construction of [6]; it is instructive to contrast this approach with that taken in [6], noting the simplicity afforded by appealing to S1S.
The specification automaton could be $M \times C$; this corresponds to the re-synthesis problem, i.e. suppose we wish to find a replacement for the $C$ block which is optimal (with respect to an appropriate objective function) while preserving the observed behavior. Then the behavior of the replacement must be contained in the behavior
In the most general setting $M$ and the specification automaton are non-deterministic and incompletely specified. In this case, simply deciding if an implementation (in the sense of definition 5, section 2) exists for the block $C$ which is compatible with the specification is non-trivial; realizability is discussed in §3.3.
There are variations on the interconnect structures to which an approach similar to that of theorem 3.1 can be applied to derive formulae expressing the set of permissible behaviors at a specified machine. In figure 3 we describe a set of FSM network topologies; below we give the S1S formulae defining the corresponding E-machines. The ease with which we derive the flexibility is a measure of the power of S1S logic: in the past, topologies have been considered one at a time, and the flexibility has been laboriously derived. It is noteworthy that when all signals are observable at a machine, and the specification is deterministic, then the machine defining the set of permissible behaviors is polynomial sized.
Cascade-I (a)
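The inductive construction of section 2 (∃ by projection, ∧ by intersection, ¬ by complementation through determinization) and the E-machine construction of this section, worked through over finite words (the WS1S case). This is an added example, not code from the paper: the automaton class, the one-bit signals, their ordering (x, y, v, u), and the particular fixed machine M and specification S are assumptions chosen for illustration. Letters are tuples of bits, so a word over {0,1}^n encodes n finite sets exactly as in the correspondence above.

```python
"""Finite-word (WS1S) automaton operations and an E-machine construction (added example)."""
from collections import deque
from itertools import product


class NFA:
    """Nondeterministic automaton over the alphabet {0,1}^n. A letter is an n-tuple of
    bits; position i of a word belongs to X_k iff bit k of letter i is 1."""

    def __init__(self, n, states, initial, trans, accepting):
        self.n, self.states = n, set(states)
        self.initial, self.accepting = set(initial), set(accepting)
        self.trans = trans  # (state, letter) -> set of successor states

    def step(self, S, a):
        return set().union(*(self.trans.get((s, a), set()) for s in S))

    def accepts(self, word):
        S = self.initial
        for a in word:
            S = self.step(S, a)
        return bool(S & self.accepting)


def letters(n):
    return list(product((0, 1), repeat=n))


def intersect(a, b):
    """Conjunction: the product automaton runs both automata in lock-step."""
    trans = {}
    for (s, x), st in a.trans.items():
        for (t, y), tt in b.trans.items():
            if x == y:
                trans.setdefault(((s, t), x), set()).update(product(st, tt))
    return NFA(a.n, product(a.states, b.states), product(a.initial, b.initial),
               trans, product(a.accepting, b.accepting))


def project(a, k):
    """Existential quantification of X_k: erase coordinate k from every letter."""
    trans = {}
    for (s, x), targets in a.trans.items():
        trans.setdefault((s, x[:k] + x[k + 1:]), set()).update(targets)
    return NFA(a.n - 1, a.states, a.initial, trans, a.accepting)


def extend(a, k):
    """Inverse of project: insert a don't-care coordinate at position k."""
    trans = {}
    for (s, x), targets in a.trans.items():
        for bit in (0, 1):
            trans[(s, x[:k] + (bit,) + x[k:])] = set(targets)
    return NFA(a.n + 1, a.states, a.initial, trans, a.accepting)


def determinize(a):
    """Subset construction. The result is complete (the empty set is a sink), which is
    what makes the complement below correct; the state count can blow up exponentially."""
    start = frozenset(a.initial)
    seen, queue, trans = {start}, deque([start]), {}
    while queue:
        S = queue.popleft()
        for x in letters(a.n):
            T = frozenset(a.step(S, x))
            trans[(S, x)] = {T}
            if T not in seen:
                seen.add(T)
                queue.append(T)
    return NFA(a.n, seen, {start}, trans, {S for S in seen if S & a.accepting})


def complement(a):
    """Negation: determinize, then swap accepting and non-accepting states."""
    d = determinize(a)
    return NFA(d.n, d.states, d.initial, d.trans, d.states - d.accepting)


def table_automaton(n, allowed):
    """One-state automaton accepting the words whose every letter satisfies `allowed`,
    i.e. a memoryless (combinational) relation between the signals."""
    trans = {(0, x): {0} for x in letters(n) if allowed(x)}
    return NFA(n, {0}, {0}, trans, {0})


# Constructed example. Signal order in a letter: (x, y, v, u), with x the external input,
# y the external output, v the signal M sends to the controller C, u C's reply to M.
# Assumed fixed machine M: it simply wires v := x and y := u at every step.
M = table_automaton(4, lambda l: l[2] == l[0] and l[1] == l[3])
# Assumed specification S on (x, y): whenever x is 1, y must be 1 (y is free when x is 0).
S = table_automaton(2, lambda l: l[0] == 0 or l[1] == 1)


def e_machine(M, S):
    """phi_C(V, U) = not exists X, Y [ M(X, Y, V, U) and not S(X, Y) ]: complement S,
    conjoin with M, project away x and y, complement again."""
    bad = extend(extend(complement(S), 2), 3)              # not S, lifted to (x, y, v, u)
    violating = project(project(intersect(M, bad), 0), 0)  # exists x, y: M and not S, over (v, u)
    return complement(violating)


E = e_machine(M, S)  # accepts a (v, u) word iff every position with v = 1 has u = 1
```

Here E accepts exactly the controller behaviours in which u is 1 whenever v is 1, with u free when v is 0: that freedom is the flexibility the E-machine exposes for synthesis. Two complementations run through the subset construction, which is where the exponential bound of this section comes from; on this tiny M and S the automata stay small.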
Optimization of FSM networks
In this section we describe procedures for optimizing networks of finite state machines. In particular, we are interested in the re-synthesis problem, i.e. the specification is the functionality of the original FSM network. For such systems, the full range of admissible behavior at a node is described by the E-machine, and the original machine trivially satisfies the specification.
Deriving Optimal Implementations
Given the E-machine, one would like to derive an implementation that is optimal. One criterion for optimality is state minimality. In practice, deriving state minimal realizations from ISFSM's is easier than from general deterministic FSM's [6] (although both are NP-complete). Our interest in input don't care sequences and satisfiability don't care sequences defined below partly stems from the fact that the flexibility afforded by them can be captured by ISFSM's rather than general deterministic FSM's. We provide a spectrum of approximations to the flexibility at a component, starting from more conservative approximations, and leading up to the E-machine. Let $x, y$ be the input and output of the FSM network. Consider a component machine $C$ on inputs $v$ and outputs $u$. Let $M$ be the rest of the network.
Definition 9
The strong satisfiability don't care set for C is defined by the following formula:
It is precisely the set of sequences over v which can never be generated, no matter what replacement is used for C.
This set gives a certain amount of flexibility in choosing implementations for C; namely any behavior in the machine C0 defined below is acceptable.
In [16] we prove the above claim, show that C0 is an ISFSM, and also demonstrate that C0 does not provide all the flexibility available in optimizing C.
Definition 10
The weak satisfiability don't care set for C is given by the following expression:
It is precisely the set of sequences over $v$ which can never be generated in the product machine $M \times C$, and corresponds to the input don't care sequences of [4].
This set gives additional flexibility over $\mathrm{SDC}_C^0$ in choosing implementations for $C$; namely any behavior in the machine $C_1$ defined below is acceptable.
In [16] we prove the above claim, show that C1 is an ISFSM, and also demonstrate that C1 does not provide all the flexibility available in optimizing C.
Definition 11
The strong observability equivalence relation for C is given by the following expression:
It is precisely the set of sequences over $v$ for which any output sequence over $u$ is permissible. Clearly, for input sequences which are never generated any output is acceptable, so $\mathrm{SDC}_C$
This set gives additional flexibility over $\mathrm{SDC}_C^1$ in choosing implementations for $C$; namely any behavior in the machine $C_2$ defined below is acceptable.
In [16] we prove the above claim, show that $C_2$ is an ISFSM, and also demonstrate that $C_2$ does not provide all the flexibility available in optimizing $C$. In [16], we prove that the true observability equivalence relation is logically equivalent to $\phi_C$ which defines the E-machine, and hence captures all the flexibility possible for synthesizing $C$.
Realizability
The set $L_C$ defined by $\phi_C(U, V)$ is the set of all acceptable controller behavior. In general, $L_C$ may not be realizable (§2). This can happen in two ways. There may be blocking input sequences $\tilde V$, i.e. sequences for which there is no $\tilde U$ such that $(\tilde U, \tilde V) \in L_C$. However, even if there are no blocking input sequences, a realization may not exist because of causality, viz. the output may depend on future values of the input.
In [11] it is argued that a necessary and sufficient condition for realizability of a language $L$ over $\Sigma_V \times \Sigma_U$ is that a strategy tree must exist for a player observing inputs over $v$ and producing outputs over $u$ while ensuring that the input-output behavior is compatible with the relation $\phi_C(U, V)$. This can be checked using known algorithms for emptiness of tree automata [12]; we have developed an alternative algorithm which does not require tree automata. This algorithm extends to the similar problem for finding Moore realizations.
Given $L_C \subseteq (\Sigma_V \times \Sigma_U)^*$, we wish to determine the exis-
It should also be pointed out that when both $M$ and the controller $C$ are Mealy machines, there exists the possibility of combinational cycles. In this case, hardware implementations may be erroneous [14]. Since it is sufficient for the controller to be a Moore machine to avoid combinational cycles, one approach is to look for
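The two failure modes just described (blocking inputs, and causality) and the Mealy/Moore distinction, illustrated on finite words with a standard safety-game fixpoint. This is an added example and is not the paper's unpublished alternative algorithm: it assumes $L_C$ is given as a deterministic, partial automaton over pairs (v, u) whose states are all accepting (so $L_C$ is prefix-closed), and the three languages COPY, DELAY and FUTURE are constructed for illustration. A state is controllable if the controller can answer every input from it forever without leaving $L_C$; for a Moore controller the output must be fixed before the current input is seen.

```python
"""Realizability of a finite-word controller language L_C by a safety-game fixpoint
(added example; the fixpoint is a textbook construction, not the paper's algorithm)."""
from itertools import product


class PairDFA:
    """Deterministic automaton over letters (v, u): v is the controller's input symbol,
    u its output symbol. delta is partial; a missing entry means the pair leaves L_C."""

    def __init__(self, inputs, outputs, initial, delta, accepting):
        self.inputs, self.outputs = list(inputs), list(outputs)
        self.initial, self.delta, self.accepting = initial, dict(delta), set(accepting)


def controllable_states(A, moore=False):
    """Greatest set W of accepting states from which the controller can keep every
    continuation inside L_C.  Mealy: for every input v some output u stays in W.
    Moore: one output u, chosen before v is seen, stays in W for every v."""
    W = set(A.accepting)
    changed = True
    while changed:
        changed = False
        for s in list(W):
            if moore:
                ok = any(all(A.delta.get((s, (v, u))) in W for v in A.inputs) for u in A.outputs)
            else:
                ok = all(any(A.delta.get((s, (v, u))) in W for u in A.outputs) for v in A.inputs)
            if not ok:
                W.discard(s)
                changed = True
    return W


def realization(A, moore=False):
    """A controller as a strategy table over the controllable states (Mealy: state -> {v: u};
    Moore: state -> u), or None when L_C has no realization of that kind.  The controller's
    state is the automaton's state, so the table is itself a finite state machine."""
    W = controllable_states(A, moore)
    if A.initial not in W:
        return None

    def good(s, v, u):
        return A.delta.get((s, (v, u))) in W

    if moore:
        return {s: next(u for u in A.outputs if all(good(s, v, u) for v in A.inputs)) for s in W}
    return {s: {v: next(u for u in A.outputs if good(s, v, u)) for v in A.inputs} for s in W}


def some_output_exists(A, V):
    """True when the input word V is not blocking: some output word U has (U, V) in L_C."""
    S = {A.initial}
    for v in V:
        S = {A.delta[(s, (v, u))] for s in S for u in A.outputs if (s, (v, u)) in A.delta}
    return bool(S & A.accepting)


def has_blocking_input(A, max_len):
    """Brute-force search for a blocking input word of length at most max_len."""
    return any(not some_output_exists(A, V)
               for k in range(max_len + 1) for V in product(A.inputs, repeat=k))


# Constructed examples over one-bit signals; every state is accepting.
B = (0, 1)
# (a) u_i = v_i: the output copies the current input.
COPY = PairDFA(B, B, 's', {('s', (b, b)): 's' for b in B}, {'s'})
# (b) u_i = v_{i-1}, u_0 free: the output copies the previous input (state h_b: last input was b).
DELAY = PairDFA(B, B, 'init',
                {**{('init', (v, u)): f'h{v}' for v in B for u in B},
                 **{(f'h{b}', (v, b)): f'h{v}' for b in B for v in B}},
                {'init', 'h0', 'h1'})
# (c) u_i = v_{i+1}: the output must equal the next input (state e_b: next input must be b).
FUTURE = PairDFA(B, B, 'init',
                 {**{('init', (v, u)): f'e{u}' for v in B for u in B},
                  **{(f'e{b}', (b, u)): f'e{u}' for b in B for u in B}},
                 {'init', 'e0', 'e1'})


def summary():
    """(Mealy realizable, Moore realizable, has a blocking input up to length 4) per example."""
    return {name: (realization(A) is not None, realization(A, moore=True) is not None,
                   has_blocking_input(A, 4))
            for name, A in (('copy', COPY), ('delay', DELAY), ('future', FUTURE))}
```

COPY is realizable by a Mealy machine but not by a Moore machine (the output needs the current input); DELAY is realizable even as a Moore machine, which is the form that avoids combinational cycles in the composition with M; FUTURE has no blocking input at all, since every input word admits some output word, yet no finite state machine realizes it because each output would depend on an input not yet seen. The fixpoint detects the last case without building a strategy tree; the ω-language version with fairness needs the Rabin determinization of section 4.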
Synthesizing General Finite State Systems
In this section we sketch extensions of the technique developed in the previous section to more general systems: specifically systems with fairness, and real time systems.
Synthesizing Fairness
The analysis of systems with fairness is of growing importance with the advent of formal verification [17] . In order to verify large systems, they have to be simplified; in practice this is often done by abstraction, i.e. adding behaviors (possibly through non-determinism) that the original system did not have in order to obtain a more compact representation. Verification performed on the abstract system is usually conservative. To get a more accurate representation of the system, fairness constraints, which are restrictions on the infinitary behavior of the system, are added.
Fairness constraints can be used to model specifications that formalize notions of progress, eventuality, justice, liveness, etc. [18]. Fairness is inherently required to model such properties.
Since fairness is a restriction on the infinitary behavior of the system, the defining relations for languages derived from FSM's with fairness are formulae in S1S rather than WS1S. The definition for the E-machine continues to give the range of permissible behaviors at the controller in the context of $\omega$-languages. The construction of the Büchi automaton $C$ proceeds as before: complementation of $S$, followed by conjunction with $M$, projection down to $u, v$ and complementation again.
Complementation of non-deterministic Büchi automata is done by a (highly non-trivial) generalization of the powerset construction for NFA [19] .
Testing the existence of an implementation requires checking for the existence of a strategy tree (cf. 3.3), which can be done using tree automata. Given $L_C \subseteq (\Sigma_V \times \Sigma_U)^\omega$, defined by a non-deterministic Büchi automaton over the alphabet $\Sigma_V \times \Sigma_U$, the following is a procedure for determining if a finite state machine $C$ exists which realizes $L_C$:
1. Determinize the automaton $C$ to obtain a deterministic Rabin automaton [19].
2. In this Rabin automaton, project the symbols of the alphabet $\Sigma_V \times \Sigma_U$ down to $\Sigma_V$. Interpret the new structure as a Rabin automaton on trees and check for tree emptiness;
As is shown in [11], an implementable controller exists if and only if the tree emptiness check is negative. The algorithm given in [11] derives an implementation if one exists.
The complexity of this procedure is very high: the construction of the deterministic Rabin automaton potentially yields of the order of $2^{|S_M| \cdot 2^{|S_S|}}$ states. Furthermore, the tree emptiness check is NP-complete; the algorithm of [11] has complexity polynomial in the number of states and exponential in the number of accepting pairs.
We illustrate this procedure by means of an example, as shown in figure 4.1. Contrast this with the example on finite sequences in figure 2; in particular note the inherent need for a Büchi automaton to capture the eventuality condition in the specification. Similarly fairness is needed to define the set of permissible behavior.
Synthesizing Time
The formal analysis of real time systems is an area of active research [20]. The behavior of a timed system is now a map from $\mathbb{R}$ rather than $\omega$ as was the case for discrete time systems. Languages can be defined in terms of sets of maps from $\mathbb{R}$ to the output, a finite set of scalars. The real time control/synthesis problem is defined in a manner analogous to that for discrete time.
Figure 4 caption: We are given an FSM on inputs $x, u$ and outputs $y, v$, and the specification that "if $x$ goes high, then eventually $y$ should be high", formalized by the Büchi automaton $S$. We obtain the Büchi automaton $C$ by the construction corresponding to section 4.1. Any controller which on composition with $M$ yields a machine compatible with $S$ is contained in $C$; in particular $N_1$ and $N_2$ are valid controllers.
Let $S$ be a timed automaton whose language describes an acceptable relationship between the input timed trace $X$ and the output timed trace $Y$, and $M$ a timed automaton on inputs $x, u$ and outputs $y, v$. The formulation and derivation of the E-machine continues to hold: the set $L_C$
Different formulations of timed automata yield different classes of definable timed languages. [21] has identified a class closed under both quantification and complementation; thus in theory this class is synthesizable.
Conclusions
We have proposed the logic S1S as a formalism to describe permissible behaviors of an FSM interacting with other FSM's. We believe that this framework offers several advantages.
Firstly, for any S1S formula it is possible to automatically generate an automaton describing the same behaviors as the formula. Thus, a fully automatic synthesis is possible that takes into account all available degrees of freedom. In practice, the generated automaton is often too large to handle with the state-of-the-art optimization algorithms. Nevertheless, S1S provides a rigorous framework in which one can prove that a set of behaviors used as a don't care condition indeed represents permissible behaviors of the system. This allows easy development of a spectrum of methods that explore trade-offs between the flexibility provided by the information about the environment, and the price of storing and using this information. On one side of the spectrum is the optimization of a component in isolation, and on the other side is the construction of the E-machine. In this paper we have also suggested three other points, analogous to sets of don't cares used in combinational synthesis. S1S provides a systematic and simple way of reducing the problem of optimizing interacting FSM's to optimizing a single FSM, with different methods generating FSM's of different sizes. Thus, any future improvement in FSM optimization algorithms will provide immediate benefits to the optimization of interacting FSM's.
Secondly, in contrast to previous approaches, our approach is easily extended to different interconnection topologies. In this paper we have derived specifications of permissible behaviors for several topologies, some of which have not previously been investigated. By observing specifications for different topologies we were able to formulate the following general property: if an FSM can observe the values of all the signals in the system, then the size of its E-machine is polynomial; otherwise it is exponential.
Finally, our approach can also be extended to more general systems. We have sketched the extension to systems with fairness and real-time systems.
