DCSYNTH: Guided Reactive Synthesis with Soft Requirements for Robust
  Controller and Shield Synthesis by Wakankar, Amol et al.
DCSYNTH: Guided Reactive Synthesis with
Soft Requirements for Robust Controller and
Shield Synthesis
Amol Wakankar, Paritosh K. Pandya, and Raj Mohan Matteplackel
1 Homi Bhabha National Institute, Mumbai, India.
Bhabha Atomic Research Centre, Mumbai, India.
Email: amolk@barc.gov.in
2 Tata Institute of Fundamental Research, Mumbai 400005, India.
Email: {pandya, raj.matteplackel}@tifr.res.in
Abstract. DCSYNTH is a tool for the synthesis of controllers from
safety and bounded liveness requirements given in interval temporal logic
QDDC. It investigates the role of soft requirements (with priorities) in
obtaining high quality controllers. A QDDC formula specifies past time
properties. In DCSYNTH synthesis, hard requirements must be invari-
antly satisfied whereas soft requirements may be satisfied ”as much as
possible” in a best effort manner by the controller. Soft requirements
provide an invaluable ability to guide the controller synthesis. In the pa-
per, using DCSYNTH, we show the application of soft requirements in
obtaining robust controllers with various specifiable notions of robust-
ness. We also show the use of soft requirements to specify and synthesize
efficient runtime enforcement shields which can correct burst errors. Fi-
nally, we discuss the use of soft requirements in improving the latency of
controlled system.
Keywords: Discrete Duration Calculus (QDDC), Reactive Controller
Synthesis, Soft Requirements, Guided Synthesis, Robustness, Shield Syn-
thesis, Latency Measurement.
1 Introduction
A temporal logic formula implicitly specifies the allowed sequence of in-
puts and outputs. In reactive synthesis the aim is to construct a controller
(say a Mealy Machine) which explicitly computes the value of the output
sequence for any given input sequence, in an online fashion, such that the
requirement is met. Reactive synthesis is typically a much harder prob-
lem than the monitor synthesis. Considerable research has been carried
out on the reactive synthesis problem and there are several tools which
implement and experiment with reactive synthesis [6].
ar
X
iv
:1
71
1.
01
82
3v
1 
 [c
s.L
O]
  6
 N
ov
 20
17
During development systems are often under specified and several
different controllers with distinct behaviors may all meet the specification.
In this case “guidance” must be provided to the synthesizer to choose
amongst them. A critical parameter in acceptance of automatic synthesis
technique is the quality of the synthesized controller [1, 2]. Thus, just
correct-by-construction synthesis is not sufficient.
Requirements are typically structured as a set of assumptions A and
a set of commitments (guarantees) C. Much of the research has addressed
“Be-Correct” goal [2] for synthesis which states that if assumptions hold
for throughout the behavior then commitment holds for the behavior. For
safety formulas this would take the form G A⇒ G C.
Robustness pertains to the ability of the controller to meet commit-
ments even when (some) environmental assumptions are violated, and
the ability of the controller to recover from transient environmental er-
rors. Laying down such criteria, Bloem et. al. have defined “don’t-be-lazy”
and “never-give-up” as desirable synthesis goals [2]. Other criteria include
various notions of resilience [5].
A related problem is synthesis of run time enforcement shield [3, 5,
11, 12] for critical correctness properties. The diagram 4 depicts the use
of shield, which receives both input I and output O from a (occasionally
incorrect) controller. The aim of the shield is to generate modified output
O′ which always meets the requirement Req(I,O′) even if system output
intermittently fails to meet Req(I,O). Moreover, O′ must deviate from O
“as little as possible” [3]. Bloem et. al. proposed a notion k-shield for “as
little as possible” whereas Wu et. al. [11] proposed an alternative notion
of “safety shield” which tolerates burst errors.
This paper describes a tool DCSYNTH which allows synthesis of con-
trollers from safety and bounded liveness requirements given in interval
temporal logic QDDC. The paper mainly investigates the role of soft
requirements (with priorities) in obtaining high quality controllers. A
QDDC formula specifies past time properties, and it holds at a position in
behavior if the past satisfies the property. Its (bounded) counting and reg-
ular expression like primitives allow complex quantitative properties to be
specified elegantly. In DCSYNTH synthesis, hard requirements must be
invariantly satisfied whereas soft requirements may be satisfied “as much
as possible” in a best effort manner by the controller. In DCSYNTH spec-
ification, the soft requirements (which are QDDC formulas) can be given
weights and the tool selects from all permissible outputs which meet the
hard requirements, the one which satisfies a maximal subset of soft re-
quirements, in a “locally optimal fashion”. We present the case studies
of bus arbiter and mine pump specification to illustrate the use of soft
requirements in synthesis specification.
Soft requirements provide a powerful and practically useful ability to
guide the controller synthesis. In the paper, we show the application of
soft requirements in obtaining robust controllers with various specifiable
notions of robustness. We also show the use of soft requirements to specify
and synthesize efficient run time enforcement shields which can correct
burst errors. Finally, we discuss the use of soft requirements in improving
the latency of controlled system. The main contributions of this paper
are as follows:
– We present a tool DCSYNTH for synthesis of controllers from QDDC
requirements. This extends the past work [8] on model checking in-
terval temporal logic with synthesis abilities.
– The tool DCSYNTH allows guided synthesis of controllers based on
soft requirements which are met “as much as possible” in a locally
optimal fashion. To our knowledge DCSYNTH is amongst the first
reactive synthesis tool to support soft requirement guided synthesis.
– We show application of mixture of hard and soft requirements to spec-
ify various notions of robustness. This includes “never-give-up” and
“don’t-be-lazy” criteria of Bloem et. al. [2] as well as k, b-resilience
criterion of Ehler et. al. [5]. DCSYNTH is able to automatically syn-
thesize robust controller from such specification. We give experimental
results to evaluate the applicability of our tool for such robust syn-
thesis.
– We show application of hard and soft requirements to specify shields.
We show how variants of shields of Bloem et. al. and Wu et. al. can
be specified and automatically synthesized. We give detailed experi-
mental results and comparison with past work to illustrate that DC-
SYNTH is able to synthesize very compact shields which tolerate burst
errors.
– Soft goals impact the latency of the controller. An associated tool,
CTLDC, allows measurement of worst case latencies using symbolic
techniques for finding longest and shortest paths [9]. We give exper-
imental results to show how soft requirements indirectly impact the
latencies.
The remainder of this paper is organized as follows. Section 2 gives a
motivating example of synchronous bus arbiter with hard and soft require-
ments. Logic QDDC as well as DCSYNTH syntax are introduced in Sec-
tion 3. Section 4 gives the guided synthesis method from given DCSYNTH
specification. Experimental results in synthesizing controllers using the
DCSYNTH tool are also reported. Section 5 deals with robustness and
Section 6 deals with shield synthesis. Both these include experimental re-
sults. We conclude with Section 7 on experiments examining impact of soft
requirements on controller latencies. The tool is available for download
from http://www.tcs.tifr.res.in/~pandya/dcsynth/dcsynth.html.
The input files for all the experiments reported in this paper as well
as corresponding outputs of the tool DCSYNTH are also available there
for examination.
2 Motivating Example
In this section we llustrate the main advantage of guided reactive synthesis
with soft requirement with an example of synchronous bus arbiter.
An n-cell synchronous bus arbiter with reqi as inputs and acki as cor-
responding outputs (where 1 ≤ i ≤ n), is a circuit that arbitrates between
a subset of requests at each cycle by setting one of the acknowledgments
true. Hard requirements include the following three invariant properties.
Mutex = [[ ∧i 6=j ¬(acki ∧ ackj) ]]
NoLoss = [[ (∨ireqi)⇒ (∨jackj) ]]
NoSpurious = [[ ∧i (acki ⇒ reqi) ]]
ARBINV = Mutex ∧NoLoss ∧NoSpurious
(1)
In QDDC [[P ]] denotes that proposition P is invariantly true. Thus,
Mutex gives mutual exclusion of acknowledgments. NoLoss states that
if there is at least one request then there must be an acknowledgment.
Nospurious states that acknowledgment is only given to a requesting cell.
In literature GR(1) synthesis has been used to specify fairness between
cells of arbiter [4]. We consider here other variants with concrete bounds
on the arbiter response.
– We can specify response time of k cycles as a bounded liveness prop-
erty: let Resp(req, ack, k) denote that if request has been high for
last k cycles there must have been at least one acknowledgment in
the last k cycles (next section gives the QDDC formula for this). Let
ArbResp(n, k) state that for each cell i and for all observation inter-
vals the formula Resp(reqi, acki, k) holds.
ArbResp(n, k) = ∧1≤i≤n [](Resp(reqi, acki, k))
ARBHARD(n, k) = ARBINV ∧ArbResp(n, k) (2)
– Consider the following specification with only hard requirements and
no soft requirements,
Arbhard(n, k) = (ARBHARD, 〈−〉) (3)
DCSYNTH can synthesize a controller say ArbCntrlhard(n, k) for
given values of n, k.
– Moreover, we can also include soft requirements giving priority to
cells, e.g. (ARBHARD(6, 6), 〈ack6, ack2〉) which gives acknowledg-
ment ack6 as first preference and ack2 as second preference as far
as these don’t conflict with the hard response requirements. Table. 1
gives experimental results for synthesis with several such soft require-
ments.
– If we use ARBHARD(6, 2) in place of ARBHARD(6, 6) the spec-
ification becomes unrealizable as expected (as we cannot guarantee
response within two cycles for all 6 cells). The tool reports this with
a diagnostic counter-strategy.
– However, we can specify the requirements of response in 2 cycles as
soft requirements with priority as Arbsoft(6, 2) where
Arbsoft(n, k) = (ARBINV, 〈Resp(req6, ack6, 2), . . . ,
Resp(req1, ack1, 2)〉 )
(4)
Using DCSYNTH we get a controller called ArbCntrlsoft(6, 2) which
“tries” to give every cell acknowledgment within 2 cycles as far as
possible with highest priority given to cell 6, followed by cell 5, and so
on. Table. 1 gives the time taken compute this controller. Table. 5 gives
a detailed account of the robust behavior of this complex arbiter. The
latency measurement of ArbCntrlsoft(6, 2) using tool CTLDC shows
that the worst case response time for cell 6 is 2 cycles, for cell 5 is 3
cycles and for all other cells it is ∞.
– Consider an Arbhard(n, k) like arbiter working under the assumption
Assume(n, i) which states that in current cycle at most i requests are
true simultaneously. Consider the arbiter specification with no soft
requirement as follows.
Arbhardassume(n, k, i) = ((Pref(Assume(n, i))⇒ ARBHARD(n, k)), 〈−〉) (5)
Synthesis of various robust arbiters which function even in presence
of intermittent violation of the assumption is reported in Table. 3.
– Section 6 gives experimental results in specifying and synthesizing run
time enforcement shields from diverse specifications (see Table. 4).
Above examples show that DCSYNTH can fruitfully use soft requirements
to synthesize better performing, more robust controllers as well as shields.
3 QDDC and DCSynth Specification
We now give the QDDC formula Resp(req, ack, k) for the response time
of the arbiter. We refer the reader to §A in Appendix for a discussion on
the logic QDDC [8].
We define Resp(req, ack, k) = (true^([[req]]&&(slen=k-1))=>
(true^(slen=k-1&&(true^<ack>^true))). In QDDC the only temporal
modality is the chop operator (^) and is interpreted over a word σ and
a closed interval [i, j], 0 ≤ i ≤ j < len(σ), as follows: σ, [i, j] |= D1ˆD2
iff ∃k : i ≤ k ≤ j : σ, [i, k] |= D1 and σ, [k, j] |= D2. For a propositional
formula p, σ, [i, j] |= <p> iff i = j and p holds at position i in σ. Finally
σ, i |= D iff σ, [0, i] |= D.
The term slen = k holds for an interval [i, j] if j− i = k and scount p,
where p is a propositional formula, counts the number of positions in
the interval where p holds. Thus, as true holds for any word and any
interval, Resp states that if req holds throughout the last k positions in
the word then at least at one of the last k positions ack should hold.
With [] being for all sub-intervals operator, the formula ArbResp(n, k)
says that Resp(req, ack, k) must be true for all intervals and for all the
cells from 1 to n.
The tool DCSYNTH takes a DCSYNTH spec as input and outputs a
controller. Formally, a DCSYNTH spec is a tuple
S = (I,O,Dh,∧i=ki=1(wi ⇔ Dsi ), 〈P1, · · · , Pl〉)
where I and O are input and output variables of the controller, respec-
tively. The QDDC formula Dh which is over I ∪ O, specifies hard re-
quirement on the synthesized controller, i. e. every execution of a con-
troller must satisfy Dh invariantly. We have a list of indicator definitions
D1, . . . , Dk where each D
s
i specifies a soft requirement over I ∪ O. Each
Di is associated with the indicator variable wi which witnesses whether
Dsi holds for the execution so far, i. e. σ, i |= wi iff σ, [0, i] |= Dsi . Let
W = {wi | 1 ≤ i ≤ k}. The soft requirements are specified as lexico-
graphically ordered list of propositions 〈P1, · · · , Pl〉 where each Pi is a
propositional formula over I ∪O ∪W . Each Pi represents a soft require-
ment with priority higher than all Pj ’s, 1 ≤ i < j ≤ l.
Example 1. A DCSYNTH spec for an n cell arbiter with soft requirement
of k cycle response ArbResp(n, k) for all the cells is as follows: let I =
{reqi | 1 ≤ i ≤ n} and O = {acki | 1 ≤ i ≤ n}. Let L = 〈w6, w5, . . . , w1〉
which gives the higher numbered cell the higher priority. Then
Arbprio(n, k) = (I,O,ARBINV, ∧i=ni=1 (wi ⇔ Resp(reqi, acki, k)), L).
4 Guided Reactive Synthesis Algorithm
Given S = (I,O,Dh,∧i=ki=1(wi ⇔ Dsi ), 〈P1, · · · , Pl〉), a DCSynth spec, we
synthesize a controller as below.
– The formula DInd = pref(∧i=ki=1(true^<wi><=>Dsi )) states that at
every point in execution, the value of wi equals the truth-value of D
s
i .
We construct a language equivalent symbolic DFA, called AHard+Ind,
for the formula Dhard ∧DInd using tools DCVALID and MONA.
From [8], it is known that for every QDDC formula D, we can effec-
tively construct a equivalent finite state automaton A(D), such that
a word is accepted by A(D) iff it satisfies formula D. Tool DCVALID
implements this procedure.
– A safety monitor automaton Amon is obtained by computing the pre-
fix closure of AHard+Ind. This automaton has the alphabet 2I∪O∪W .
The automaton is reduced to its minimal deterministic form. This
automaton forms the arena on which further synthesis is carried out.
– The Maximally Permissive Non deterministic Controller (MPNC) is
computed from the safety automaton using standard safety synthesis
algorithm. This algorithm iteratively removes those states from which
there exists an input combination for which all output combinations
lead to bad states. The resulting automaton is again represented as
a symbolic automaton Ampnc. If the initial state gets pruned in con-
struction, the specification is unrealizable. A counter-strategy in tree
form is displayed as explanation of unrealizability.
– Note that in Ampnc each edge is labelled by a bit vector giving truth
values of variables I ∪ O ∪W . The value of witness variable wi ∈ W
specifies whether QDDC formula Dsi holds for all behaviours leading
to this transition.
– For each state s and each input combination ip ∈ 2I , we select output
cum witness variable combination op ∈ 2O∪W such that δ(s, ip∪op) is
a valid transition of MPNC and valip∪op(〈P1, . . . , Pl〉) is lexicographi-
cally maximal amongst all such op. Here, valip∪op(〈P1, . . . , Pl〉) is l-bit
vector with i-th bit representing truth (1 or 0) of Pi under ip ∪ op. If
there are more than one choice of op giving the same maximal value,
we choose one arbitrarily. This gives the Locally Optimal Determinis-
tic Controller (LODC) which satisfies the lexicographically maximal
subset of soft requirements at each step. This greedy strategy does
not guarantee global optimality.
– The LODC can then be encoded as controller in any target language.
We provide the encoding of LODC to LUSTRE/SCADE or NuSMV,
which allows us to do simulation and model checking on the generated
controller.
Example 2. Synthesis of 2 Cell Arbiter with Soft Requirements giving
high priority to lower numbered request. Fig. 1 gives the safety monitor
automaton for 2-cell arbiter for following specification
(〈req1, req2〉, 〈ack1, ack2〉, ARBINV ∧ArbResp(2, 2), 〈〉, 〈ack1, ack2〉).
Each transition is labeled by 4 bit vector giving values of req1, req2, ack1, ack2.
Fig. 2(a) gives the MPNC automaton for the 2-cell arbiter computed
from the safety monitor automaton of Fig. 1. In the example, the soft re-
quirements are 〈ack1, ack2〉 which give ack1 priority over ack2. We obtain
the pruned LODC controller automaton of Fig. 2(b) from the MPNC of
Fig. 2(a). Note that we minimize the automaton at each step.
Fig. 1. Safety Monitor Automaton: 2 Cell Arbiter
Tool Implementation Internally, the monitor automaton, MPNC and
LODC are all stored as symbolic DFA. The transition table of the DFA
is represented as MTBDD using the DFA library of tool MONA [7]. In-
ternal data structures and algorithms can be found in the full version of
the paper (see Appendix B).
Fig. 2. (a)MPNC : 2 Cell Arbiter (b) LODC: 2 Cell Arbiter
4.1 Experimental Results
Several case studies for synthesis have been carried out using DCSYNTH.
Table. 1 enlists the results of two of the case studies: (a): controllers for
bus arbiter in §2 with various soft and hard requirements, and (b): a
minepump controller for the specification MINEPUMP (cf. Appendix.
C.1 for details). The controller operates a pump to get rid of water based
on water level and methane presence (which prevents pump from being
used). Soft requirements impact the quality of the pump controller. For
example, for the soft requirement !PumpOn the controller will try to keep
pump off as much as possible. On the other hand, the soft requirement
PumpOn agressively gets rid of water by keeping the pump on whenever
possible. The analysis of worst case time for the controllers to get rid of
water with different soft requirements is given in §7.
Table 1. DCSYNTH Controller Synthesis with Soft Requirements.
Hard Requirement Soft Requirement
Controller Generation
states time (Sec) Memory (MB)
ARBHARD(4, 4) ack4 >> ... >> ack1 50 0.014 3.3
ARBHARD(5, 5) ack5 >> ... >> ack1 432 0.33 22.4
ARBHARD(6, 6) ack6 >> ... >> ack1 4802 14.8 334.5
ARBINV (1 ≤ i, j ≤ 6) Resp(req6,ack6,2)>>...>>Resp(req1,ack1,2) 62 1.05 9.8
ARBINV (1 ≤ i, j ≤ 5) Resp(req5,ack5,3)>>...>>Resp(req1,ack1,3) 511 5.4 32.4
MINEPUMP (MPV 1) PumpOn >> !Alarm 31 0.07 9.1
MINEPUMP (MPV 2) (CH4Last2Cyc => !PumpOn) >> PumpOn 34 0.09 8.9
MINEPUMP (MPV 3) !PumpOn >> !Alarm 83 0.04 9.1
5 Robustness
We consider various notions of robustness. Table. 2 summarizes the ro-
bustness that we consider along with hard and soft requirements to obtain
robust controllers.
– Be-Correct If assumption has held invariantly so far then commit-
ment must hold now.
– Be-Currently-Correct If assumption holds intermittently, the com-
mitment must hold whenever assumption holds.
– Degraded-Performance Let Ad⊆ A and Cd⊆ C, where Ad,Cd denote
reduced set of assumptions and commitments which specify degraded
behaviour of system when fewer assumptions hold.
– Never-Give-Up In addition to Be-Correct, all the commitments are
asserted as soft requirements. This makes the controller synthesizer
attempt to make them true even when assumptions do not hold, and
for as many inputs as possible.
– Greedy Here commitments are given as soft goals ignoring the as-
sumptions. The synthesis algorithm tries ot make as many commit-
ments true as possible at each step in a greedy fashion.
Resilient synthesis requires synthesis of controller which works under
weaker assumptions than Be-Correct notion in order to tolerate errors in
assumptions. For example, Be-Currently-Correct requires commitment to
hold at now if assumption holds now irrespective of whether it has held
in past. Several other notions of resilience are given below. A notion of
k, b-resilience was proposed by Ehler and Topcu [5], and further adapted
by Bloem as k-robustness [3].
Table 2. Robust synthesis notions and their specifications.
In the table A denotes conjunction of assumptions and C denotes conjunc-
tion of commitments. Thus, !A denotes violation of at least one assumption.
Robustness Criterion Hard Requirement Soft Requirement
Be-Correct(A,C) G(Pref(A) => C)
Be-Currently-Correct(A,C) G(A => C)
Degraded-Performance(A,C,Ad,Cd) G((A => C) && (Ad => Cd)
Never-Give-Up(A,C) G(A => C) C
Greedy(C) C
k-Bounded(A,C,k) G((scount !A < k) => C)
k, b-Resilient(A,C,k,b) G(KBREZ(A) => C)
k, b-Variant(A,C,k,b) G([]((slen = b &&
scount !A <= k) => C))
where KBREZ(A) = !(true^((scount !A >= k) && []([A] => slen < b))^true)
– k-Bounded If in past assumptions have been violated at most k times
so far then commitment must be met.
– k, b-Resilient A subinterval where assumption is continuously true
for b or more cycles is called a recovery period. Formula KBREZ(A) in
Table. 2 states that between any two recovery periods, the maximum
number of assumption violations is at most k. A controller which guar-
antees commitments C at every point where past satisfies KBREZ(A)
is called k, b-resilient (see [5]).
– k, b-Variant If in past in any period of length b the assumption has
been violated at most k times then the commitment must hold.
Note that criterion such as Never-Give-Up can be combined with Resilient
synthesis. Moreover, designer may selectively apply these criteria to spe-
cific assumptions and commitments. DCSYNTH permits full flexibility in
making such choices. Table. 3 gives the synthesis of arbiter specifications
under various notions of robustness in DCSYNTH for the assumptions
Assume(n, i) and commitments ARBHARD(n, k) for the specification
Arbhardassume(n, k, i) in Equation. 5.
Table 3. Synthesis of Robust Arbiters in DCSynth
Specification LODC
Robustness Specification Priorities of Soft Requirements States Time
Be-Correct(Assume(4, 2), ARBHARD(4, 2)) - 6 0.02
Be-Currently-Correct(Assume(4, 2), ARBHARD(4, 2)) - Unrealizable
Never-Give-Up(Assume(4, 2), ARBHARD(4, 2)) (ARBINV >> Resp(req1, ack1, 2) 15 0.73
>> . . . >> Resp(req4, ack4, 2)
Greedy(ARBHARD(4, 2)) (ARBINV >> Resp(req1, ack1, 2) 15 0.07
. . . >> Resp(req4, ack4, 2)
k-Bounded(Assume(4, 2), ARBHARD(4, 3), 2) - 29 0.06
k, b-Resilient(Assume(4, 2), ARBHARD(4, 3), 2, 3) - 39 0.09
k, b-Variant(Assume(4, 2), ARBHARD(4, 3), 2, 3) - 27 0.22
The simulation of controller produced for Never-Give-Up Strategy is
given is Figure 3. The assumtions starts violating after step 15, where
more than request are true simultaneously, but the controller tries to
meet as many requirements as possible.
6 Shield Synthesis
I R
O
Safety
Shield
O′
Fig. 4. Safety shield.
A safety shield is a run time enforcer that
can be attached to a reactive system de-
sign R to detect the property violations
by the design and correct them run time
[3, 11]. Fig. 4 gives the schematic of a
safety shield for R.
We assume the definitions of a reactive
system design and their serial composition
11
2
2
3
3
4
4
5
5
6
6
7
7
8
8
9
9
10
10
11
11
12
12
13
13
14
14
15
15
16
16
17
17
18
18
19
19
20
20
21
21
22
22
23
23
24
24
25
25
26
26
27
27
28
28
29
29
req1
req2
req3
req4
ack1
ack2
ack3
ack4
Fig. 3. Example Simulation of Robust Controller for Never-Give-Up
(cf. [11] for details). LetD be a QDDC for-
mula over I ∪ O. Let O = {o1, · · · , on} ⊆
Σ and let O′ = {o′1, . . . , o′n}. Then we de-
fine D[O/O′] to be the formula D′ obtained by replacing every occurrence
of oi in D by o
′
i for all 1 ≤ i ≤ n. We can now define a safety shield.
Definition 1 (Safety shield). [3,11] Let R be a reactive system design
and let D be a safety specification, both over (I,O). Then a safety shield
for R and D is a reactive system S over (I,O′) satisfying:
– R ◦ S |= D[O/O′].
– For all input traces α = α0α1 · · · (R ◦ S)(αi) “deviates” from R(αi)
as seldom as possible.
The word “deviates” assumes different meaning in the literature. For
example, in [3] Bloem et. al. proposed K-shield which can disagree with
the design for at most K consecutive steps provided the design recovers
immediately after an error and does not violate the specification for next
K cycles. Since the shield is allowed a window of K cycles to deviate from
the design output in the event of an output error by the design it is not
suited to handle burst errors. In [11] Wu et. al. proposed a burst error
shield which is resilient to burst error and matches the design output
whenever it meets the specification. However, this strategy of matching
the design output until a violation occurs makes the synthesis algorithm
“non-conservative” in the sense that it may fail to generate a shield even
if specification is realizable.
To overcome these issues we propose conservative shield synthesis.
The conservative shield synthesis differs from K-shield synthesis in two
key respects: it does not impose any restriction on the design output and
it can handle burst errors. It also differs from Wu et. al. as, unlike them,
we will always synthesize a shield whenever the specification is realizable.
Shield synthesis criteria can be specified using hard and soft require-
ments. DCSYNTH can then synthesize the desired shield. We give exam-
ples of variants of K-shield and Burst error shield, and call the “conser-
vative”.
– Conservative K-shield.
• Input: I ∪O. Output: O′
• Hard requirement: REQ[O/O’]&&[]([[∨o∈O(o 6=o’)]]=>slen<k).
• Soft requirement: None
– Conservative burst error shield.
• Input: I ∪O. Output: O′
• Hard requirement: REQ[O/O’]
• Soft requirement: ∧o∈O(true ^ <o=o’>) with all of formulas as-
signed same priority.
We emphasize the importance soft requirements here, it forces a con-
servative burst error shield to try and match the design output as
often as possible. This is because when all the soft requirements are
assigned same priority DCSYNTH will try to synthesize a controller
selecting an output which meets the hard requirement as well as a
maximal set of soft requirements at every step.
.
We have rerun the experiments in [11] in our framework, and the re-
sults are as tabulated in Table. 4. For the sake of comparison we use
the input files of Wu et. al. [10] as inputs to DCSYNTH1. As the table
suggests, in most of the cases the shield that we synthesize compares fa-
vorably with the corresponding shield synthesized in [3] and [11] both in
terms of size and time taken for the synthesis. For instance, for the guar-
antee AMBA G5+6+9e64+10 our tool synthesize a shield significantly
faster and with smaller no. of states than the existing tools [3, 11].
7 Quantitative Latency Measurement
Soft requirements are often used as directives to the synthesis algorithm
which impact the “latency” of the controller. We give a notation to allow
1 Automata as formula
Table 4. Comparison of K-Shield and Burst error shield with Conservative safety
shield. Columns under K-shield and Burst error shield are taken from Wu et. al. [11]
and reproduced here for comparision.
Guarantees Monitor states
K-Shield Burst error shield Conservative burst error shield
states time states time states time
Toyota Powertrain 23 38 0.2 38 0.3 9 0.7
Traffic light 4 7 0.1 7 0.2 4 0.007
F64p 67 67 0.7 67 0.5 67 0.002
F256p 259 259 46.9 259 10.5 259 0.01
F512p 515 515 509.1 515 54.4 515 0.07
G(¬ q) ∨ F64(q ∧ F64p) 67 67 0.8 67 0.6 67 0.007
G(¬ q) ∨ F256(q ∧ F256p) 259 259 46.2 259 10.7 259 0.04
G(¬ q) ∨ F512(q ∧ F512p) 515 515 571.7 515 54.5 515 0.1
G(q ∧ ¬ r → (¬ r ∪4 (p ∧ ¬ r))) 6 15 0.1 145 0.1 6 0.004
G(q ∧ ¬ r → (¬ r ∪8 (p ∧ ¬ r))) 10 109 0.2 5519 4.5 10 0.005
G(q ∧ ¬ r → (¬ r ∪12 (p ∧ ¬ r))) 14 753 6.3 27338 1414.5 14 0.006
AMBA G1+2+3 12 22 0.1 22 0.1 7 0.008
AMBA G1+2+4 8 61 6.3 78 2.2 8 0.6
AMBA G1+3+4 15 231 55.6 640 97.6 14 0.4
AMBA G1+2+3+5 18 370 191.8 1405 61.8 17 0.05
AMBA G1+2+4+5 12 101 3992.9 253 472.9 12 3.2
AMBA G4+5+6 26 252 117.9 205 26.4 18 0.6
AMBA G5+6+10 31 329 9.8 396 31.4 27 2.6
AMBA G5+6+9e4+10 50 455 17.6 804 42.1 46 5.2
AMBA G5+6+9e8+10 68 739 34.9 1349 86.8 64 7.6
AMBA G5+6+9e16+10 104 1293 74.7 2420 189.7 100 12.5
AMBA G5+6+9e64+10 320 4648 1080.8 9174 2182.5 316 40.9
AMBA G8+9e4+10 48 204 7.0 254 6.1 48 0.3
AMBA G8+9e8+10 84 422 22.5 685 33.7 84 0.5
AMBA G8+9e16+10 156 830 83.7 1736 103.1 156 0.9
AMBA G8+9e64+10 588 3278 2274.2 7859 2271.5 588 3.3
users to specify what is latency. Model checking technique, implemented
in tool CTLDC [9], can then measure the worst case latency.
For latency measurement, user must specify a QDDC formula Dp
characterizing execution fragments of interest. For example the QDDC
formula Dp = [[req]]&&(scount ack <3) specifies fragments of execu-
tion with request continuously true but with less than 3 acknowledgments
(exact syntax is explained in §3). The latency goal MAXLEN(Dp,M)
computes sup{e − b | ρ[b, e] |= Dp, ρ ∈ Exec(M)}, i. e. it computes the
length of the longest interval satisfying Dp within the executions of M .
For example MAXLEN(Dp, Arb) specifies the worst case response time
of the arbiter Arb to get three acknowledgments. Tool CTLDC, which
like DCSYNTH is member of DCTOOLS suite of tools, provides efficient
computation of MAXLEN by symbolic search for longest paths as for-
mulated in [9].
Table. 5 gives worst case latency measurements carried out using tool
CTLDC for various controllers synthesized using DCSYNTH. The results
illustrate the impact of soft goals on controller behaviour as well as con-
troller latency under various scenarios. For example, Arbsoft(6, 2) “tries”
to give acknowledgement within 2 cycles with higher priority assigned to
higher numbered cell (see the description in §2). Note that response time
is one more than that in the column Computed Response in the Table.
The worst case latency measurement shows that req6 has response time
of 1 cycle whereas req5 has response time of 2 cycles. For all other cells
the response time is ∞ since cells 6 and 5 can consume all the cycles.
Note that when req6 is absent throughout the response time of cell 4
changes from ∞ to 3 cycles as shown in the 4th row of the Table. 5. This
points to the robustness of the synthesized controller.
Table 5. Worst Case Latency Analysis using CTLDC using MAXLEN(Response For-
mula) computation
Sr.No Example Response Formula Computed Response
1 Arbsoft(6, 2) ([[req6]]&&([[!ack6]])) 1
2 Arbsoft(6, 2) ([[req5]]&&([[!ack5]])) 2
3 Arbsoft(6, 2) ([[reqi]]&&([[!acki]])) ∞
for 1 ≤ i ≤ 4 ∞
4 Arbsoft(6, 2) ([[req4 && !req6]] && ([[!ack4]])) 2
5 Arbsoft(5, 3) ([[req5]]&&([[!ack5]])) 2
6 Arbsoft(5, 3) ([[req4]]&&([[!ack4]])) 3
7 Arbsoft(5, 3) ([[req3]]&&([[!ack3]])) 4
8 MINEPUMP(MPV1) [[AssumptionOk && HH2O]] 4
9 MINEPUMP(MPV2) [[AssumptionOk && HH2O]] 7
10 MINEPUMP(MPV3) [[AssumptionOk && HH2O]] 8
For the MINEPUMP case study rows 8,9,10 give the maximum
amount of time (in cycles) for which the water level can remain high (indi-
cated by the variable HH2O) without violating the assumptions (indicated
by AssumptionOk). Here, MINEPUMP (req) denotes MINEPUMP
specification with soft requirement req as given in Appendix C.1. For ex-
ample, soft requirement MPV3 is !PumpOn which tries to keep pump off as
much as possible where as soft requirement MPV1 is PumpOn which tries
to keep pump on as much as possible. As a result MINEPUMP (MPV 1)
gets rid of water in 4 cycles compared to 8 cycles forMINEPUMP (MPV 3).
References
1. Shaull Almagor, Udi Boker, and Orna Kupferman. Formally reasoning about
quality. J. ACM, 63(3):24:1–24:56, 2016.
2. Roderick Bloem, Ru¨diger Ehlers, Swen Jacobs, and Robert Ko¨nighofer. How to
handle assumptions in synthesis. In Krishnendu Chatterjee, Ru¨diger Ehlers, and
Susmit Jha, editors, Proceedings 3rd Workshop on Synthesis, SYNT 2014, Vienna,
Austria, July 23-24, 2014., volume 157 of EPTCS, pages 34–50, 2014.
3. Roderick Bloem, Bettina Ko¨nighofer, Robert Ko¨nighofer, and Chao Wang. Shield
synthesis: - runtime enforcement for reactive systems. In Christel Baier and Cesare
Tinelli, editors, Tools and Algorithms for the Construction and Analysis of Systems
- 21st International Conference, TACAS 2015, Held as Part of the European Joint
Conferences on Theory and Practice of Software, ETAPS 2015, London, UK, April
11-18, 2015. Proceedings, volume 9035 of Lecture Notes in Computer Science, pages
533–548. Springer, 2015.
4. Aaron Bohy, Ve´ronique Bruye`re, Emmanuel Filiot, Naiyong Jin, and Jean-Franc¸ois
Raskin. Acacia+, a tool for LTL synthesis. In P. Madhusudan and Sanjit A. Seshia,
editors, Computer Aided Verification - 24th International Conference, CAV 2012,
Berkeley, CA, USA, July 7-13, 2012 Proceedings, volume 7358 of Lecture Notes in
Computer Science, pages 652–657. Springer, 2012.
5. Ru¨diger Ehlers and Ufuk Topcu. Resilience to intermittent assumption violations
in reactive synthesis. In Martin Fra¨nzle and John Lygeros, editors, 17th Inter-
national Conference on Hybrid Systems: Computation and Control (part of CPS
Week), HSCC’14, Berlin, Germany, April 15-17, 2014, pages 203–212. ACM, 2014.
6. Swen Jacobs, Roderick Bloem, Romain Brenguier, Ru¨diger Ehlers, Timotheus Hell,
Robert Ko¨nighofer, Guillermo A. Pe´rez, Jean-Franc¸ois Raskin, Leonid Ryzhyk,
Ocan Sankur, Martina Seidl, Leander Tentrup, and Adam Walker. The first reac-
tive synthesis competition (SYNTCOMP 2014). CoRR, abs/1506.08726, 2015.
7. Nils Klarlund and Anders Møller. MONA Version 1.4 User Manual. BRICS,
Department of Computer Science, Aarhus University, January 2001. Notes Series
NS-01-1. Available from http://www.brics.dk/mona/. Revision of BRICS NS-98-
3.
8. Paritosh K Pandya. Specifying and deciding quantified discrete-time duration
calculus formulae using dcvalid. In RTTOOLS 2001 Workshop (affiliated with
CONCUR 2001). Aalborg University, 2001., 2001.
9. Paritosh K. Pandya. Finding extremal models of discrete duration calculus for-
mulae using symbolic search. Electr. Notes Theor. Comput. Sci., 128(6):247–262,
2005.
10. Meng Wu. ishield2 synthesizer. https://bitbucket.org/mengwu/shield-synthesis/,
2016.
11. Meng Wu, Haibo Zeng, and Chao Wang. Synthesizing runtime enforcer of safety
properties under burst error. In Sanjai Rayadurgam and Oksana Tkachuk, editors,
NASA Formal Methods - 8th International Symposium, NFM 2016, Minneapolis,
MN, USA, June 7-9, 2016, Proceedings, volume 9690 of Lecture Notes in Computer
Science, pages 65–81. Springer, 2016.
12. Meng Wu, Haibo Zeng, Chao Wang, and Huafeng Yu. Safety guard: Runtime
enforcement for safety-critical cyber-physical systems: Invited. In Proceedings of
the 54th Annual Design Automation Conference, DAC 2017, Austin, TX, USA,
June 18-22, 2017, pages 84:1–84:6. ACM, 2017.
A Logic QDDC
Let Σ be a finite non empty set of propositional variables. A word σ
over Σ is a finite sequence of the form P0 · · ·Pn where Pi ⊆ Σ for each
i ∈ {0, . . . , n}. Let len(σ) = n+1, dom(σ) = {0, . . . , n} and ∀i ∈ dom(σ) :
σ(i) = Pi.
The syntax of a propositional formula over Σ is given by:
ϕ := 0 | 1 | p ∈ Σ | ϕ ∧ ϕ | ϕ ∨ ϕ | ¬ϕ,
and operators such as ⇒ and ⇔ are defined as usual. Let ΩΣ be the set
of all propositional formulas over Σ.
Let i ∈ dom(σ). Then the satisfaction relation σ, i |= ϕ is defined
inductively as follows:
σ, i |= 1,
σ, i |= p iff p ∈ σ(i),
σ, i |= ¬p iff σ, i 6|= p,
and the satisfaction relation for the rest of the boolean combinations
defined in a natural way.
The syntax of a QDDC formula over Σ is given by:
D := 〈ϕ〉 | [ϕ] | [[ϕ]] | {{ϕ}} | D ^ D | ¬D | D ∨D |
D ∧D | D∗ | ∃p. D | ∀p. D |
slen ./ c | scount ϕ ./ c | sdur ϕ ./ c,
where ϕ ∈ ΩΣ , p ∈ Σ, c ∈ N and ./∈ {<,≤,=,≥, >}.
An interval over a word σ is of the form [b, e] where b, e ∈ dom(σ) and
b ≤ e. An interval [b1, e1] is a sub interval of [b, e] if b ≤ b1 and e1 ≤ e.
Let Intv(σ) be the set of all intervals over σ.
Let σ be a word overΣ and let [b, e] ∈ Intv(σ) be an interval. Then the
satisfaction relation of a QDDC formula D over Σ, written σ, [b, e] |= D,
is defined inductively as follows:
σ, [b, e] |= 〈ϕ〉 iff σ, b |= ϕ,
σ, [b, e] |= [ϕ] iff ∀b ≤ i < e : σ, i |= ϕ,
σ, [b, e] |= [[ϕ]] iff ∀b ≤ i ≤ e : σ, i |= ϕ,
σ, [b, e] |= {{ϕ}} iff e = b+ 1 and σ, b |= ϕ,
σ, [b, e] |= ¬D iff σ, [b, e] 6|= D,
σ, [b, e] |= D1 ∨D2 iff σ, [b, e] |= D1 or σ, [b, e] |= D2,
σ, [b, e] |= D1 ∧D2 iff σ, [b, e] |= D1 and σ, [b, e] |= D2,
σ, [b, e] |= D1^D2 iff ∃b ≤ i ≤ e : σ, [b, i] |= D1 and
σ, [i, e] |= D2.
We call word σ′ a p-variant, p ∈ Σ, of a word σ if ∀i ∈ dom(σ), ∀q 6=
p : σ′(i)(q) = σ(i)(q). Then σ, [b, e] |= ∃p. D ⇔ σ′, [b, e] |= D for some
p-variant σ′ of σ and, σ, [b, e] |= ∀p. D ⇔ σ, [b, e] 6|= ∃p. ¬D. We define
σ |= D iff σ, [0, len(σ)] |= D.
Example 3. Let Σ = {p, q} and let σ = P0 · · ·P7 be such that ∀0 ≤ i <
7 : Pi = {p} and P7 = {q}. Then σ, [0, 7] |= [p] but not σ, [0, 7] |= [[p]] as
p 6∈ P7.
Example 4. Let Σ = {p, q, r} and let σ = P0 · · ·P10 be such that ∀0 ≤
i < 4 : Pi = {p}, ∀4 ≤ i < 8 : Pi = {p, q, r} and ∀8 ≤ i ≤ 10 : Pi = {q, r}.
Then
σ, [0, 10] |= [p]^[[¬p ∧ r]]
because for i ∈ {8, 9, 10} the condition ∃0 ≤ i ≤ 10 : σ, [0, i] |= [p] and
σ, [i, 10] |= [[¬p ∧ r]] is met. But σ, [0, 7] 6|= [p]^[[¬p ∧ r]] as ¬∃0 ≤ i ≤ 7 :
σ, [0, i] |= [p] and σ, [i, 7] |= [[¬p ∧ r]].
Entities slen , scount , and sdur are called terms. The term slen
gives the length of the interval in which it is measured, scount ϕ where
ϕ ∈ ΩΣ , counts the number of positions including the last point in the
interval under consideration where ϕ holds, and sdur ϕ gives the num-
ber of positions excluding the last point in the interval where ϕ holds.
Formally, for ϕ ∈ ΩΣ we have
slen(σ, [b, e]) = e− b,
scount(σ, ϕ, [b, e]) =
∑i=e
i=b
{
1, if σ, i |= ϕ,
0, otherwise.
}
sdur(σ, ϕ, [b, e]) =
∑i=e−1
i=b
{
1, if σ, i |= ϕ,
0, otherwise.
}
In addition we also use the following derived constructs: σ, [b, e] |= pt
iff b = e; σ, [b, e] |= ext iff b < e; σ, [b, e] |= ♦D iff true ^D^true and
σ, [b, e] |= D iff σ, [b, e] 6|= ♦¬D.
A formula automaton for a QDDC formula D is a deterministic finite
state automaton which accepts precisely language L = {σ | σ |= D}.
Theorem 1. [8] For every QDDC formula D over Σ we can construct
a DFA A (D) for D such L(D) = L(A (D)).
B The Algorithm Implementation
The example shows the explicit state representation of the state space to
produce the controller for demonstration purpose.
The algorithms are actually designed to work on symbolic data struc-
ture to represent the transistion function for each automaton. We use
Multi-Terminal BDD(MTBDD) to represent the all the automaton.
The psuedocode of our algorithm is given in the following section.
Algorithm 1 SYNTHESIZE:
Input: S = (I,O,Dh,∧i=ki=1(wi ⇔ Dsi ), 〈P1, · · · , Pl〉)
Output: Controller for S.
1. Amon=GenMonitorAutomaton(S)
//Generates prefix closed language equivalent safety automaton
2. Ampnc=GenMPNC(Amon, I, O)
//Generates MPNC from Amon and Input-output partitioning
3. IF initial state of Ampnc is NOT an accepting state THEN
S is unrealizable, generate a counter example tree
ELSE
Specification is realizable, GOTO step 4.
4. Alodc = GenLODC(Ampnc, 〈P1, . . ., Pl〉)
//Determinizes the MPNC with respect to Soft Requirements.
5. Encode Alodc in an implementation language.
The monitor automaton Amon is obtained by GenMonitorAutoma-
ton(), based on the procedure implemented in a tool DCVALID.
The algorithm for construction of Ampnc from Amon, is implemented
by the function GenMPNC(). To illustrate this function, we first define
the function Cstep: S × 2S → {1, 0} as follows:
Cstep(s, G) = 1 if ∀ i, ∃ o : δ(s, (i, o)) ∈ G
else Cstep(s, G) = 0.
where i ∈ I and o ∈ (O ∪ W) and s ∈ S.
Algorithm 2 GenMPNC:
Input: Amon, I, O, W
Output: Ampnc.
S = set of states in Amon,
F = set of accepting states in Amon
δ: S × (I ∪O ∪W ) → S be the trasition function in Amon.
V: S → {1, 0} be a value function over S
Initialize V(s)=1 ∀s ∈ G, otherwise V(s) = 0
SET G = F
DO
Pre V = V
FOR each s ∈ G do
IF Cstep(s, G) = 0 then
V(s) = 0
G = G − s
WHILE (Pre V 6= V )
Ampnc = Created from Amon by keeping only the states s ∈ G and
transitions (s, t) s.t. s ∈ G and t ∈ G.
Now, we give construction of Alodc from Ampnc, which is implemented
by the function GenLODC(). GenLODC() determinizes the automaton
such that for any input a unique output can be selected.
We define the function evaluateSoftReq(〈 P1,..,Pl 〉, input output val-
uation), which takes list of soft requirements and input-output valuation
as input and returns the weighted value of the soft requirements being
satisfied by the valuation.
We also define lookupTable:I → (O × S × Integer), which contains for
each input, the output value and the next state, that maximizes the satis-
faction of soft requirements. Similarly a function initLookup: lookupTable
× val → lookupTable initializes the lookupTable to some minimal value
val for each input valuation..
Algorithm 3 GenLODC:
Input: Ampnc, I, O, 〈 P1,..,Pl 〉
Output: Alodc.
S = set of states in Ampnc,
initLookup(lookupTable, -1) initializes the lookupTable by the -1 for
each input.
FOR every state s ∈ S DO
FOR every valuation (i,o,w) of (I ∪ O ∪ W)
val = evaluateSoftReq(〈 P1,..,Pl 〉, (i,o,w))
IF val > lookupTable(i) THEN lookupTable(i) = {val, o, next state}
Create the Automaton Alodc with updated transitions with valuation for
each input and the corresponding output valuation given in lookupTable
for each state.
Complexity Results: The algorithms work directly on this symbolic
representaion, including function Cstep used inside GenMPNC. For the
algorithn GenMPNC, the worst case complexity is O(N2.|BDD|), where
N is the number of states in monitor automaton Amon. This can be derived
from the fact that the maximum number of iterations to reach a fix-point
is (N − 1), and in each iteration there can be O(N) step for each state
which are marked as good. Each such state may requires O(|BDD|) steps
to determine whether the state is winning or not (determined by function
Cstep). |BDD| represents the size of the MTBDD datastructure in terms
of the number of BDD nodes.
The function Cstep is an important function as it is the core function
used to find the winning region. We implement this function over MTBDD
data structure without actually creating a game graph.
We give the outline of our algorithm as follows:
We assume that safety monitor automaton Amon is given as a dfa M =
(Q,Σ, δ,G) where G ⊆ Q is the set of accepting states. Σ = 2(I∪O∪W ) is
the alphabet and δ : Q×Σ → Q with Q−G being the reject states. We
assume that δ is encoded as MTBDD as in MONA.
In MTBDD the bdd nodes can be categorized as internal nodes or
the terminal node. The terminal node represent the destination state of
the transition. The internal nodes represent the decision on some variable
v ∈ (I ∪O ∪W ).
Our algorithm start by labelling each terminal node with a value and
then propagating this value to the bdd node corresponding to source state
to see whether the source state belong to the winning region or not.
1. We starts by labeling each terminal node. Every terminal node is
labelled as 1 if it belongs to accepting states, otherwise it is labelled
as 0.
2. then we label the internal bdd nodes whose successors are already
labelled as follows: if the internal node represents the decision on an
input variable then its lable is minimum of its successors. Otherwise
(representing decision on output or indicatior variable), the internal
node is labeled by maximum of its sucessor.
3. step 2 is performed recursively until we get the bdd node correspond-
ing to sources (starting) state labeled with 0 or 1. If bdd node for
source state is labelled as 1 then it is inside the winning region based
on current labeling of terminal nodes. If bdd node for source state is
labelled as 0 then it’s not in the winning region and can be removed
during construction of MPNC.
Fig. 5. MPNC Computation over MTBDD for state 3: BDD nodes colored purple to
be evaluated
Fig. 6. MPNC Computation over MTBDD for variable index 3
Fig. 7. MPNC Computation over MTBDD for variable index 2
Fig. 8. MPNC Computation over MTBDD for variable index 1
Fig. 9. MPNC Computation over MTBDD for variable index 0
The example computation of Cstep function of the MTBDD for source
state 3 and starting with the winning region states {3, 4} is shown in the
figures from B to B. In the MTBDD there are 4 variables indexed as
0,1,2 and 3. The variable indexed 0,1 are inputs and 2, 3 are outputs.
All internal nodes are represented by circle and encircled number is the
decision variable. All terminal nodes are represented by rectangle and
number inside that is the destination state number. The list on the top
corresponds to the state numbered 0 to 4.
Similarly the worst case complexity for GenLODC could be calculated
as O(N.l.(2|I∪O∪W |)), where N is the number of states in MPNC, l is
the number of soft requirements. This can be derived from the fact that
maximum number of states in LODC can be equal to MPNC in case
MPNC itself is a deterministic automaton. For each state in LODC we
have to compute its locally optimal output, which depends on the number
of soft requirements to be computed.
Although in worst case |BDD| can be O(2|I∪O∪W |), but in most of
the practical examples the size of MTBDD is much smaller, and therefore
the tool performs much better that the worst case estimation.
In Section B.1 we give an algorithm for GenLODC to exploit the
shared bdd nodes in MTBDD. The results show the considerable im-
provement over the naive explicit path enumeration based algorithm.
B.1 LODC Optimization
We have also developed an algorithm to efficiently compute the LODC
from MPNC. Following section gives the brief overview of algorithm.
Outline of Optimization Algorithm We assume that MPNC is given
as a dfa M = (Q,Σ, δ, r) where r is the unique reject state. Σ = 2(I∪O) is
the alphabet and δ : Q×Σ → Q with r being the SINK state. We assume
that δ is encoded as multi terminal BDD as in MONA. Being MPNC it
is assumed that
∀q 6= r. ∀i ∈ 2I . ∃o ∈ 2O.δ(q, i ∪ o) ∈ Q− {r}
Problem Given MPNCM and soft goals a sequence of literals (l1, l2, . . . , lr)
where li = o or li = ¬o for o ∈ O, aim is to construct LODC N by choos-
ing exactly one of permitted outputs which maximizes the value of soft
goal list (considered lexicographically ordered). Note that LODC satisfies
the condition
∀q 6= r. ∀i ∈ 2I .
(∃!o ∈ 2O.δlodc(q, i ∪ o) ∈ Q− {r} ∧
(∀o′ ∈ 2O.δmpnc(1, i ∪ o′) ∈ Q− {r} ⇒ val(i ∪ o′) ≤ val(i ∪ o)))
We assume that in the bdd representation all O occur af-
ter I. The BDD node which is either terminal or labelled by output
variable such that all its ancestors are input labelled is called a fron-
tier node. See the example below. In the Figure B.1, bdd nodes marked
0,1,2,3 correspond to variables req1, req2, ack1 and ack2. Nodes marked
2 are the frontier nodes. Note that 4 is the reject state. For the left-
most frontier node marked (2), we can see that ack1 = true as well
as ack1 = false, ack2 = false lead to reject state 4 (these are infeasi-
ble paths), where as ack1 = false, ack2 = true leads to good state 1.
Hence ack1 = false, ack2 = true is the unique feasible path. Now con-
sider the second rightmost frontier node marked (2). It has two feasible
paths P1 = (ack1 = true, ack2 = false) going to target state 3 and
P2 = (ack1 = false, ack2 = true) going to target state 2.
Step 1 Our algorithm works by assigning to each frontier node N an out-
put valuation, a reward value to each frontier node and the target state.
Note that under given soft goal list, an optimal value can be assigned to a
frontier node purely by choosing an output path, from all feasible outputs
(i.e. outputs which don’t end in reject node r), one which maximizes the
value of the softgoal list. This path ends in the target state.
Fig. 10. BDD-representation of a Transition function.
Example 5. For example, in above figure for the second rightmost frontier
node marked (2b) has It has two feasible paths P1 = (ack1 = true, ack2 =
false) going to target state 3 and P2 = (ack1 = false, ack2 = true)
going to target state 2. Given soft goal (ack1, ack2), path P1 has higher
lexicographic value and must be selected as optimal. Thus, the node can
be marked with optoutput = (ack1 = true, ack2 = false), optvalue =
(1, 0) and optstate = 3.
Step 2 we can systematically enumerate all the paths to frontier nodes
(mentioning only source state and the value of variables which occur on
the path). It is clear that for any two such paths originating from the same
source state the value of at least one of the input variables is different,
hence we get distinct cases. (There can be identical input paths starting
from different states. see example below.) For each such path, we set the
output and next state to the output valuation and target state of the
frontier node.
Example 6. For the second rightmost frontier node marked (2-b), we have
a unique input path req1 = true, req2 = true which originates from state
1. In conjunction with above above example, we get the scade transition
state=1 AND req1 AND req2 -> ack1=true, ack2=true, state=3
For the third leftmost state marked (2-a) there are three input paths with
req1 = true, req2 = false originating in states either 1,2 or 3.
The psuedocode of our algorithm is given as follows:
for each frontier node N
{
optoutput[N]:= bottom, optvalue[N] = -1, optstate:= bottom;
for each output-path, PATH, to a non-rejecting state
{
output,value,endstatestate:= maxoutput(PATH,SOFTGOAL)
if optvalue[N] < value
{optoutput[N] := output;
optvalue[N] := value;
optstate[N] := state;
}
}
}
// the frontier node now has optimal output and its reward value
//Next we generate LODC DFA below
Initialize a new DFA with same states as MPNC and
with default transition to the unique reject state r.
All other states are accept states.
for each each source state,
for each input path, PATH, to a frontier node N
{
add Transition(PATH,optoutput[N],optstate[N]) to DFA
}
LODC := Minimized(DFA) // this gets rid of unreachable state
C Case studies
In this section we give few sythesis case studies in our logic formalism.
We show the controller synthesis from the logic specification and the ef-
fect of soft requirements on the sythesized controller. We also compare
the sythesized controllers based on our performance measurement algo-
rithm. Performance parameters therefore gives the quantitative matrics
of betterness of one controller over the other and can be used as the
formal guarantees for the sythesized controller with respect to the soft
requirements.
C.1 MinePump
In this section we present the detailed specification of a minepump con-
troller. We first specify some useful generic properties which would used
for requirement specification in case studies.
– lag(P,Q, n): specifies that in any observation interval if P holds con-
tinuously for n+1 cycles and persists then Q holds from (n+1)th cycle
onwards and persists till P persists. This specification is represented
by following formula.
[]([[P]] && slen>=n-1 => slen=n-1^[[Q]])
– tracks(P,Q, n): in any observation interval if P is continuously true
for n cycles then Q persists as long as P persists or for n cycles
whichever is shorter.
{P} <=n= {Q}
– sep(P, n): any interval which begins with a falling edge of P and ends
with a rising edge of P then the length of the interval should be at
least n cycles.
[]([P]^[!P]^<P> => slen > n)
– ubound(P, n): in any observation interval P can be continuously true
for at most n cycles.
[]([[P]] => slen < n)
Case Study Description: Imagine a minepump which keeps the water
level in a mine under control for the safety of miners. The pump is driven
by a controller which can switch it on and off. Mines are prone to methane
leakage trapped underground which is highly flammable. So as a safety
measure if a methane leakage is detected the controller is not allowed to
switch on the pump under no circumstances.
The controller has two input sensors - HH2O which becomes 1 when
water level is high, and HCH4 which is 1 when there is a methane leak-
age; and can generate two output signals - ALARM which is set to 1 to
sound/persist the alarm, and PUMPON which is set to 1 to switch on the
pump. The objective of the controller is to safely operate the pump and
the alarm in such a way that the water level is never dangerous, indicated
by the indicator variable DH2O, whenever certain assumptions hold. We
have the following assumptions on the mine and the pump.
- Sensor reliability assumption: ppref(DH2O ⇒ HH2O) where
ppref(D) = ¬((¬D)^ext). If HH2O is false then so is DH2O.
- Water seepage assumptions: tracks(HH2O,DH2O,w). The minimum
no. of cycles for water level to become dangerous once it becomes high
is w.
- Pump capacity assumption: lags(PUMPON, !HH2O, epsilon). If pump
is switched on for at least epsilon+ 1 cycles then water level will not
be high after epsilon cycles.
- Methane release assumptions: sep(HCH4, zeta) and ubound(HCH4,
kappa). The minimum separation between the two leaks of methane is
zeta cycles and the methane leak cannot persist for more than kappa
cycles.
- Initial condition assumption: init(<!HH2O> && <!HCH4>, slen =
0). Initially neither the water level is high nor there is a methane
leakage.
The commitments are:
- Alarm control: lags(HH2O,ALARM, delta) and lags(HCH4,
ALARM, delta) and lags(!HH2O && !HCH4, !ALARM, delta). If
the water level is dangerous then alarm will be high after delta cycles
and if there is a methane leakage then alarm will be high after delta
cycles. If neither the water level is dangerous nor there is a methane
leakage then alarm should be off after delta cycle.
- Safety condition: ppref(!DH2O && (HCH4 ⇒!PUMPON)). The
water level should never become dangerous and whenever there is a
methane leakage pump should be off.
We can automatically synthesize a controller for the values say w = 8,
epsilon = 2, zeta = 10, kappa = 1, and delta = 1. The complete textual
DCSynth specification of minepump is given is figure 14.
Soft goals and Performance measurement We could also synthe-
size the minepump controllers with each one of the following as a soft
requirement giving three different controllers. (Note that these require-
ments are mutually contradictory. So they are not given together.)
– MPV1: Keep the pump switched on whenever possible (specified by
soft requirement PUMPON).
– MPV2: Keep pump off if there is a methane leak in last 2 cycles oth-
erwise switch on the pump (specified by soft requirement (CH4Last2Cyc
=> !PUMPON), where CH4Last2Cyc indicates that there was a methane
leak within last 2 cycles).
– MPV3: Keep pump off as much as possible i. e. delay the switch-
ing on the pump as much as possible (specified by soft requirement
!PUMPON).
We have measured the performance of the three synthesized controllers
each, taking into account one soft requirement at a time. The performance
is measured in terms the maximum amount of time (in cycles) for which
the water level can remain high without violating the assumptions and
the detailed results are tabulated in Table. 5.
Simulation of Synthesized Minepump Controllers The controllers
are encoded as Lustre specification and Lustre V4 tools are used for sim-
ulation. The example simulation for these three variants of Minepump is
shown in figures 11, 12 and 13 respectively.
D Experimental results and Performance Evaluation
This section is divided into two subsections. One deals with the per-
formance of the tools and its comparision with the other state of the
art tools. The implementation of tool DCSYNTH is based on the algo-
rithms presented in Section B. The second section deals with the per-
formance evaluation of synthesized controller. This allows the compari-
sion of controllers produced for the same hard requirement with different
soft-requirements based on user defined performance measure specified as
maxlen of a QDDC formula.
Fig. 11. Simulation of Minepump Controller Variant MP V1
Fig. 12. Simulation of Minepump Controller Variant MP V2
Fig. 13. Simulation of Minepump Controller Variant MP V3
D.1 Tool Performance
Table 6 shows how DCSynth fares against Acacia+, which is a leading
tool for synthesis of controllers from temporal logic specification. Aca-
cia+ can handle LTL and PSL specification as well as quantitative syn-
thesis with mean payoff objectives. In contrast, our tool can only handle
past time temporal properties but it can handle soft requirements which
other tools like Acacia+ cannot. Table 6 compares the performance of
DCSYNTH against Acacia+ for examples with only hard safety require-
ments. It is noteworthy that controllers for complex specifications such
as MINEPUMP could be synthesized with DCSYNTH. Table 1 gives
the results of synthesis using DCSYNTH for specifications which include
soft requirements.
In the table 6 the example Arbtok(n) indicates the n cell arbiter, with
a token circulating between them. Apart from the three invariant spec-
ifications (ARBINV) for the arbiter given in section 2 it specifies the
requirement that if a cell has the request line true and it also has the
token then it would surely get an acknowledgment. The specification also
says that the initially token is with cell 0, in next cycle token is owned
by cell 1, then 2 and so on till it reaches the last cell. At this time the
token comes back to cell 0.
Similarly MP indicates the minepump example without soft require-
ment specification as given in section C.1.
Table 6. Comparison of Synthesis in Acacia+ and DCSYNTH
Problem Acacia+ DCSynth
time (Sec) Memory /States time (Sec) Memory /States
Arbhard(4, 4) 0.4 29.8/ 55 0.08 9.1/ 50
Arbhard(5, 5) 11.4 71.9/ 293 5.03 28.1/ 432
Arbhard(6, 6) TOa - 80 1053.0/ 4802
Arbhard(7, 7) TO - - MOb
Arbtok(7) 9.65 39.1/ 57 0.3 7.3/ 7
Arbtok(8) 46.44 77.9/ 73 2.2 16.2/ 8
Arbtok(10) NCc - 152 82.0/ 10
Arbtok(12) NC - TO 255.0/ 12
MINEPUMP NC - 0.06 50/ 32
a TO=timeout
b MO=memory out
c NC=synthesis inconclusive
E Minepump Source
BEGIN QDDCSYNTH MinePump
INTERFACESPEC
HH2Op: INPUT
HCH4p: INPUT
ALARMp: OUTPUT MONITOR x
PUMPONp: OUTPUT MONITOR x
Y HCH4p: OUTPUT MONITOR x;
SOFTREQS
((!Y HCH4p)|(!PUMPONp))>>(PUMPONp) ;
AUXVARS
DH2O
;
CONSTANTS
– delta response time of PUMP and ALARMS after trigger
delta = 1, w = 8, epsilon=2 , zeta=10, kappa=1
;
DEFINE
– Alarm control
define alarm1(HH2O, DH2O, HCH4, ALARM, PUMPON) as
HH2O = delta => ALARM ;
define alarm2(HH2O, DH2O, HCH4, ALARM, PUMPON) as
HCH4 = delta => ALARM ;
define alarm3(HH2O, DH2O, HCH4, ALARM, PUMPON) as
!HCH4 && !HH2O = delta => !ALARM ;
– Water seepage Assumptions
define water1(HH2O, DH2O, HCH4, ALARM, PUMPON) as
[] ( [[ DH2O => HH2O ]] ) ;
define water2(HH2O, DH2O, HCH4, ALARM, PUMPON) as
HH2O <= w = ! DH2O ;
– Pump capacity assumption
define pumpcap1(HH2O,DH2O,HCH4,ALARM,PUMPON) as
PUMPON = epsilon => !HH2O ;
– Methane Release assumptions
define methane1(HH2O,DH2O,HCH4,ALARM,PUMPON) as
[] ( [HCH4]∧[!HCH4]∧<HCH4> => slen > zeta ) ;
define methane2(HH2O,DH2O,HCH4,ALARM,PUMPON) as
[] ( [[HCH4]] => slen < kappa ) ;
– Initial condition assumption
define initdry(HH2O, DH2O, HCH4, ALARM, PUMPON) as
<!HH2O> ∧ true ;
– safety condition
define safe(HH2O, DH2O, HCH4, ALARM, PUMPON) as
[[!DH2O && ( (HCH4 || !HH2O) => !PUMPON)]];
define plant(HH2O, DH2O, HCH4, ALARM, PUMPON) as
initdry(HH2O, DH2O, HCH4, ALARM, PUMPON) &&
water1(HH2O, DH2O, HCH4, ALARM, PUMPON) &&
water2(HH2O, DH2O, HCH4, ALARM, PUMPON) &&
pumpcap1(HH2O, DH2O, HCH4, ALARM, PUMPON) &&
methane1(HH2O, DH2O, HCH4, ALARM, PUMPON) &&
methane2(HH2O, DH2O, HCH4, ALARM, PUMPON);
define req(HH2O, DH2O, HCH4, ALARM, PUMPON) as
infer MPsyn as
INDICATORS
YHCH4p : (slen=2 && <><HCH4p>)
;
ASSUME
plant(HH2Op, DH2O, HCH4p, ALARMp, PUMPONp)
;
REQUIRES
req(HH2Op, DH2O, HCH4p, ALARMp, PUMPONp)
;
SYNTHESIZE
SynthG MPsyn
END QDDCSYNTH
Fig. 14. DCSynth spec for Minepump.
F Textual Specification of Arbiter Case Study
The DCSynth specification of the 4 cell arbiter is shown in figure 15. It
can be easily generalized to n-cells.
BEGIN QDDCSYNTH arbiter-4-cell
INTERFACESPEC
req1: INPUT
req2: INPUT
req3: INPUT
req4: INPUT
ack1: OUTPUT MONITOR x
ack2: OUTPUT MONITOR x
ack3: OUTPUT MONITOR x
ack4: OUTPUT MONITOR x
sr1: OUTPUT MONITOR x
sr2: OUTPUT MONITOR x
sr3: OUTPUT MONITOR x
sr4: OUTPUT MONITOR x
;
SOFTREQS
(sr4)>>(sr3)>>(sr2)>>(sr1)
;
CONSTANTS
;
AUXVARS
;
DEFINE
– Acknowledgments should be exclusive
define exclusion() as
[[((ack1 => !((ack2) || (ack3) || (ack4))) &&
(ack2 => !((ack1) || (ack3) || (ack4))) &&
(ack3 => !((ack1) || (ack2) || (ack4))) &&
(ack4 => !((ack1) || (ack2) || (ack3))))]];
– No lost cycle
define noloss() as
[[((req1) || (req2) || (req3) || (req4))
=> ((ack1) || (ack2) || (ack3) || (ack4))]];
– Ack should be granted if there is a request
define nospuriousack(ack, req) as
[[ack => req]];
– 2 cycle response property
define response(req, ack) as
[ ](([[req]] && (slen=k-1)) => <>< ack >);
infer arbiter4cell as
INDICATORS
sr1 : (response(req1, ack1))
sr2 : (response(req2, ack2))
sr3 : (response(req3, ack3))
sr4 : (response(req4, ack4))
;
ASSUME
;
REQUIRES
exclusion()
noloss()
nospuriousack(ack1, req1)
nospuriousack(ack2, req2)
nospuriousack(ack3, req3)
nospuriousack(ack4, req4)
;
SYNTHESIZE
SynthG arbiter4cell
END QDDCSYNTH
Fig. 15. DCSynth spec for 4 Cell Arbiter.
