Reactive Synthesis: Towards Output-Sensitive Algorithms by Finkbeiner, Bernd & Klein, Felix
arXiv:1803.10104v1 [cs.LO] 27 Mar 2018

Reactive Synthesis: Towards Output-Sensitive Algorithms
Bernd Finkbeiner and Felix Klein
Universität des Saarlandes
Abstract. Reactive synthesis is a technology for the automatic construction of reactive systems from logical specifications. In these lecture notes, we study different algorithms for the reactive synthesis problem of linear-time temporal logic (LTL). The classic game-based synthesis algorithm is input-sensitive in the sense that its performance is asymptotically optimal in the size of the specification, but it produces implementations that may be larger than necessary. We contrast this algorithm with output-sensitive algorithms for reactive synthesis, i.e., algorithms that are optimized towards the size or structural complexity of the synthesized system. We study the bounded synthesis algorithm, which produces an implementation with a minimal number of states, and the bounded cycle synthesis algorithm, which additionally guarantees that the number of cycles of the implementation is minimal.
Keywords. reactive systems, synthesis, temporal logic, output-sensitive algorithms
1. Introduction
Hardware circuits, communication protocols, and embedded controllers are typical examples of reactive systems [13], i.e., computer systems that maintain a continuous interaction with their environment. Reactive systems play a crucial role in many applications in transport systems, building technology, energy management, health care, infrastructure, and environmental protection. Designing reactive systems is difficult, because one needs to anticipate every possible behavior of the environment and prepare an appropriate response.

Synthesis is a technology that constructs reactive systems automatically from a logical specification: that is, after the specification of the system is complete, no further manual implementation steps are necessary. The developer focuses on “what” the system should do instead of “how” it should be done. Because synthesis analyzes objectives, not implementations, it can be applied at an early design stage, long before the system has been implemented. The vision is that a designer analyzes the design objectives with a synthesis tool, automatically identifies competing or contradictory requirements and obtains an error-free prototype implementation. Coding and testing, the most expensive stages of development, are eliminated from the development process.

The automatic synthesis of implementations from specifications is one of the grand challenges of computer science. Its pursuit dates back at least to Alonzo Church [5] and has ignited research on many fundamental topics, notably on the connection between logics and automata, on algorithmic solutions of infinite games over finite graphs [4], and on the theory of automata over infinite objects [17]. It is only in the last decade, however, that the theoretical ideas have been translated into practical tools (cf. [14,6,3,2,8]). The tools have made it possible to tackle real-world design problems, such as the synthesis of an arbiter for the AMBA AHB bus, an open industrial standard for the on-chip communication and management of functional blocks in system-on-a-chip (SoC) designs [1].

A common argument against synthesis is its complexity. It is natural to compare synthesis with the verification problem, where the implementation is already given, and one needs to check whether the specification is satisfied. For both synthesis and verification, the most commonly used specification language is linear-time temporal logic (LTL). Measured in the size of an LTL specification, the synthesis of a single-process finite-state machine is 2EXPTIME-complete, while the corresponding verification problem is in PSPACE. But is this comparison between verification and synthesis fair? The high complexity of synthesis is due to the fact that there exist small LTL formulas that can only be realized by very large implementations. As a result, synthesis “looks” much more expensive than verification, because the size of the implementation is an explicit parameter in the complexity of verification, and left implicit in the complexity of synthesis.

This paper gives an introduction to a new class of synthesis algorithms, whose performance is measured not only in the size of the specification, i.e., the input to the synthesis algorithm, but also in the size and complexity of the implementation, i.e., the output of the synthesis algorithm. Such algorithms are called output sensitive. The prototypical output-sensitive synthesis approach is bounded synthesis. In bounded synthesis, we look for an implementation where the number of states is limited by a given bound. By incrementally increasing the bound, bounded synthesis can be used to find a minimal implementation.
We first describe the classic game-theoretic approach to synthesis in Section 4, and then the bounded synthesis approach in Section 5. The two approaches differ fundamentally. The game-based approach is to translate the given LTL formula into an equivalent deterministic automaton, and then use the state space of the deterministic automaton to define a two-player game. In this game, the “output player” sets the outputs of the system and attempts to satisfy the specification, i.e., ensures that the resulting play is accepted by the automaton, and the “input player” sets the inputs and attempts to ensure that the play violates the specification, i.e., is rejected by the automaton. This game can be solved automatically, and a winning strategy for the output player can, if it exists, be translated into an implementation that is guaranteed to satisfy the specification. Unfortunately, the translation from LTL to deterministic automata is doubly exponential, which results in the 2EXPTIME complexity. In bounded synthesis, the LTL formula is not translated to a deterministic automaton; instead, its negation is translated to a nondeterministic automaton. This translation is single, rather than double exponential. The nondeterministic automaton suffices to check if a given implementation is correct: the implementation is correct if its product with the automaton does not contain an accepting path. In bounded synthesis, we “guess” an implementation of bounded size and make sure it is correct. This is done via propositional constraint solving: we build a constraint system that is satisfiable if and only if there is an implementation that is correct with respect to the automaton.

The reduction of the synthesis problem to a constraint solving problem opens the possibility to add further constraints in order to focus the search towards the most desirable solutions. In Section 6, we describe such an extension: bounded cycle synthesis. In addition to the number of states, bounded cycle synthesis also bounds the number of cycles in the implementation. This leads to implementations that are not only small but also structurally simple.
2. The Synthesis Problem
In reactive synthesis, we transform a temporal specification into an implementation that is guaranteed to satisfy the specification for all possible inputs of the environment. In the following, we consider formulas of linear-time temporal logic (LTL) over a set of atomic propositions AP = I ∪̇ O that is partitioned into a set of inputs I and a set of outputs O. A trace t is an infinite sequence over subsets of the atomic propositions. We define the set of traces TR := (2^AP)^ω. An LTL formula describes a subset of TR. The idea is that in each step of a computation, the inputs are chosen by the environment, and the outputs are chosen by the system under construction. In a correctly synthesized system, all possible sequences satisfy the LTL formula.
Linear-time temporal logic (LTL). Linear-time temporal logic (LTL) [16] combines the usual Boolean connectives with temporal modalities such as the Next operator ○ and the Until operator U. The syntax of LTL is given by the following grammar:

ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ○ϕ | ϕ U ϕ

where p ∈ AP is an atomic proposition. ○ϕ means that ϕ holds in the next position of a trace; ϕ1 U ϕ2 means that ϕ1 holds until ϕ2 holds. There are several derived operators, such as ◇ϕ ≡ true U ϕ, □ϕ ≡ ¬◇¬ϕ, and ϕ1 W ϕ2 ≡ (ϕ1 U ϕ2) ∨ □ϕ1. ◇ϕ states that ϕ will eventually hold in the future and □ϕ states that ϕ holds globally; W is the weak version of the until operator.

We use the following notation to manipulate traces: let t ∈ TR be a trace and i ∈ N be a natural number. t[i] denotes the i-th element of t. Therefore, t[0] represents the starting element of the trace. Let j ∈ N and j ≥ i, then t[i,j] denotes the sequence t[i] t[i+1] ... t[j−1] t[j], and t[i,∞] denotes the infinite suffix of t starting at position i. Let p ∈ AP and t ∈ TR. The semantics of an LTL formula is defined as the smallest relation ⊨ that satisfies the following conditions:

t ⊨ p          iff  p ∈ t[0]
t ⊨ ¬ψ         iff  t ⊭ ψ
t ⊨ ψ1 ∨ ψ2    iff  t ⊨ ψ1 or t ⊨ ψ2
t ⊨ ○ψ         iff  t[1,∞] ⊨ ψ
t ⊨ ψ1 U ψ2    iff  there exists i ≥ 0 : t[i,∞] ⊨ ψ2 and for all 0 ≤ j < i we have t[j,∞] ⊨ ψ1
Example 1 Suppose, for example, we are interested in constructing an arbiter circuit. Arbiters are used when more than one client needs access to some shared resource, such as a communication bus. To access the resource, the client sends a request signal R and waits until it receives a grant signal G from the arbiter. The task of the arbiter is to answer each request with a grant without giving grants to the two clients at the same time. In LTL, an arbiter with two clients can be specified as a conjunction of three properties:

□(¬G1 ∨ ¬G2)    (mutual exclusion)
□(R1 → ◇G1)     (response 1)
□(R2 → ◇G2)     (response 2)

The mutual exclusion property states that at every point in time, at most one grant signal can be set; the response properties state that if a request is made at some point in time, then there must exist a point in time, either immediately or later, where the corresponding grant signal is set.
Implementations. We represent the result of the synthesis process as a finite-state machine. Let the set AP = I ∪̇ O of atomic propositions be, as before, partitioned into the inputs I and the outputs O. A Mealy machine over I and O has the form M = (S, s0, δ, γ) where S is a finite set of states, s0 ∈ S is the initial state, δ : S × 2^I → S is the transition function, and γ : S × 2^I → 2^O is the output function. The output of the Mealy machine thus depends on the current state and the last input letter. A path of a Mealy machine is an infinite sequence p = (s0,σ0)(s1,σ1)(s2,σ2) ... ∈ (S × 2^AP)^ω of states and sets of atomic propositions that starts with the initial state s0 and where δ(sn, I ∩ σn) = sn+1 and γ(sn, I ∩ σn) = O ∩ σn for all n ∈ N. We refer to the projection of a path p to its second component, π = σ0σ1σ2 ... ∈ TR, as a computation of the Mealy machine. The Mealy machine satisfies the LTL formula ϕ, denoted by M ⊨ ϕ, if all its computations satisfy ϕ.
Example 2 Figure 1 shows two Mealy machines that implement the arbiter specification from Example 1. The Mealy machine shown on the left carefully answers every request and only issues a grant if there is an open request. The machine on the right always issues the grant to the same client, initially to the first client, and switches to the other client as soon as there is a request from the other client. Both machines satisfy the specification from Example 1.

[Figure 1, transitions as drawn (each edge is labeled “inputs → outputs”):
 Left machine, states s0 (initial), s1, s2:
   s0 → s0: ∅ → ∅; {R1} → {G1}; {R2} → {G2}
   s0 → s2: {R1,R2} → {G1}
   s2 → s0: ∅, {R2} → {G2}
   s2 → s1: {R1}, {R1,R2} → {G2}
   s1 → s0: ∅, {R1} → {G1}
   s1 → s2: {R2}, {R1,R2} → {G1}
 Right machine, states t0 (initial), t1:
   t0 → t0: ∅, {R1} → {G1}
   t0 → t1: {R2}, {R1,R2} → {G1}
   t1 → t1: ∅, {R2} → {G2}
   t1 → t0: {R1}, {R1,R2} → {G2}]
Figure 1. Two Mealy machines implementing the arbiter specification.
Realizability and Synthesis. We say that an LTL formula ϕ is realizable if there exists a Mealy machine M over the same inputs I and outputs O as ϕ such that M ⊨ ϕ. The synthesis problem of an LTL formula ϕ is to determine whether ϕ is realizable and, if the answer is yes, to construct a Mealy machine M such that M ⊨ ϕ.
3. Model checking
Before we address the synthesis problem, we take a quick detour into model checking. In model checking, the implementation is already given and we are interested in determining whether the implementation is correct.

Given a Mealy machine M and an LTL formula ϕ, model checking determines whether M satisfies ϕ. In case of a negative answer, model checking produces a counterexample, i.e., a trace t ∈ (2^AP)^ω that is a computation of M that does not satisfy ϕ.

To model check a given Mealy machine, we translate the negation of the specification into an equivalent automaton, and then check the intersection of the Mealy machine with that automaton for language emptiness. LTL specifications can be represented as Büchi automata.

A nondeterministic Büchi automaton over the alphabet Σ is a tuple A = (Q, q0, ∆, F), where Q is a finite set of states, q0 ∈ Q is an initial state, ∆ ⊆ Q × Σ × Q a set of transitions, and F ⊆ Q a subset of accepting states. A nondeterministic Büchi automaton accepts an infinite word w = w0w1w2 ... ∈ Σ^ω iff there exists a run r of A on w, i.e., an infinite sequence r0r1r2 ... ∈ Q^ω of states such that r0 = q0 and (ri, wi, ri+1) ∈ ∆ for all i ∈ N, such that rj ∈ F for infinitely many j ∈ N. The set of sequences accepted by A is called the language L(A) of A.
Example 3 Consider the negation of the arbiter specification from Example 1, i.e., the LTL formula

◇(G1 ∧ G2) ∨ ◇(R1 ∧ □¬G1) ∨ ◇(R2 ∧ □¬G2).

A nondeterministic Büchi automaton that accepts exactly the traces that satisfy this formula, i.e., all traces that violate the arbiter specification, is shown in Fig. 2.

[Figure 2, transitions as drawn: q0 has a self-loop labeled ∗ and edges q0 → q1 labeled R1Ḡ1, q0 → q2 labeled G1G2, q0 → q3 labeled R2Ḡ2; the self-loops on q1, q2 and q3 are labeled Ḡ1, ∗ and Ḡ2, respectively.]
Figure 2. Nondeterministic Büchi automaton corresponding to the negation of the arbiter specification. The states depicted as double circles (q1, q2, and q3) are the accepting states in F. The abbreviations R1Ḡ1, G1G2, R2Ḡ2, Ḡ1, Ḡ2 are used to indicate, in Boolean notation, letters of the alphabet 2^AP. E.g., R1Ḡ1 represents the letters {R1,R2,G2}, {R1,R2}, {R1,G2}, and {R1}. The symbol ∗ represents all letters of the alphabet, i.e., all subsets of {R1,R2,G1,G2}.

[Figure 3, vertices as drawn: ⟨t0,q0⟩, ⟨t1,q0⟩, ⟨t1,q3⟩, ⟨t0,q1⟩.]
Figure 3. Product of the simple Mealy machine shown on the right in Fig. 1 with the Büchi automaton from Fig. 2.
Let A¬ϕ = (Q¬ϕ, q0¬ϕ, ∆¬ϕ, F¬ϕ) be a Büchi automaton that accepts all sequences in (2^AP)^ω that satisfy ¬ϕ, and therefore violate ϕ.

In model checking, we verify the Mealy machine M against a specification ϕ by building the product M × A¬ϕ of the Mealy machine M = (S, s0, δ, γ) over inputs I and outputs O, and the Büchi automaton A¬ϕ = (Q¬ϕ, q0¬ϕ, ∆¬ϕ, F¬ϕ) with alphabet 2^(I∪O). The product is a directed graph (V,E) with vertices V = S × Q¬ϕ and edges E ⊆ V × V, where (⟨s,q⟩, ⟨s′,q′⟩) ∈ E iff there is an input i ∈ 2^I such that δ(s,i) = s′ and q′ ∈ ∆¬ϕ(q, i ∪ γ(s,i)). The Mealy machine satisfies ϕ iff there is no path in M × A¬ϕ that visits an accepting state of A¬ϕ infinitely often.
Example 4 Figure 3 shows the product M × A¬ϕ of the small Mealy machine M shown on the right in Fig. 1 with the Büchi automaton A¬ϕ from Fig. 2. The only infinite paths are the self-loops from ⟨t0,q0⟩ and ⟨t1,q0⟩ and the path that oscillates forever between ⟨t0,q0⟩ and ⟨t1,q0⟩. These paths do not visit any accepting states. M thus satisfies ϕ.
[Figure 4 is not reproduced in this text version.]
Figure 4. Deterministic parity automaton corresponding to the arbiter specification. The colors of the states are shown in the lower part of the state labels.
4. Game-based Synthesis
In the classic game-based approach to synthesis [17], the problem is analyzed in terms of a two-player game. The game is played between two players: the input player Player I determines the inputs to the system with the goal of violating the specification. The output player Player O controls the outputs of the system with the goal of satisfying the specification. A winning strategy for Player O can be translated into an implementation that is guaranteed to satisfy the specification. To solve the synthesis problem, we must therefore check whether Player O has a winning strategy.
In order to turn the specification into a game, we translate the LTL formula into a deterministic automaton that accepts all traces that satisfy the formula. An automaton is deterministic if each state and input has a unique successor state, i.e., the set of transitions ∆ is a total function from Q × Σ to Q. Since deterministic Büchi automata are not expressive enough to represent every possible LTL specification, we must use a more expressive acceptance condition such as the parity condition. Whereas a Büchi acceptance condition identifies a set F ⊆ S of accepting states, which have to be visited infinitely often, a parity condition c : S → N labels every state with a natural number. We call such a number the color of the state. A run of a parity automaton is accepting if the smallest color that appears infinitely often as a label of the states of the run is even. This introduces a hierarchy in the acceptance condition, as from some point on, every odd color has to be answered by a smaller even color. The Büchi acceptance condition is a special case of the parity condition, where the accepting states are colored with 0 and the remaining states are colored with 1.
Example 5 Figure 4 shows a deterministic parity automaton, whose language consists of all traces that satisfy the arbiter specification from Example 1. The colors of the states are shown in the lower part of the state labels.

The deterministic automaton is then translated into an infinite game over a finite graph. A game graph is a directed graph (V,E) with vertices V and edges E. The vertices V = VI ∪̇ VO are partitioned into the vertices VI controlled by Player I and the vertices VO controlled by Player O. A parity game (V,E,c) consists of a game graph (V,E) and a parity condition c : V → N. To play the game, a token is placed on some initial vertex v, which is then moved by the player owning the vertex to one of its successors v′, i.e., such that (v,v′) ∈ E. This is repeated ad infinitum, resulting in an infinite sequence of vertices, called a play of the game. If the underlying color sequence, i.e., the sequence resulting by the reduction of the vertices to their labels, satisfies the parity condition, Player O wins the game, otherwise Player I wins the game.

The game for the synthesis problem is obtained from the deterministic automaton by separating the moves of Player I, namely the choice of the inputs I to the system, and the moves of Player O, i.e., the choice of the outputs O.

We are interested in finding a winning strategy for Player O, i.e., an appropriate choice of output after every possible prefix of a play. We call such a prefix a history of the play. A useful property of parity games is that they are memoryless determined, which means that if one of the players has a winning strategy, then there also exists a winning strategy that only depends on the last vertex of the history, ignoring the previously visited vertices. For parity games, it is possible to automatically compute the set of vertices from which Player O has a winning strategy. This set of vertices is called the winning region. If the vertex corresponding to the initial state of the automaton is in the winning region, then there exists a solution to the synthesis problem.

Example 6 Figure 5 shows the parity game for the synthesis problem of the arbiter specification from Example 1. The game was constructed by first translating the LTL formula into the deterministic automaton shown in Fig. 4, and then separating the moves of the input and output players. In Fig. 5, vertices controlled by Player I are depicted as rectangles, vertices controlled by Player O as circles. The winning region of Player O is marked by the highlighting. Since the initial vertex is in the winning region, the specification can be realized. The (memoryless) winning strategy is indicated by the thick edges.

Game-based synthesis is asymptotically optimal in the size of the input. However, the synthesized implementations are often much larger than necessary. Compare, for example, the size of the winning strategy in Fig. 5 with the small Mealy machine on the right in Fig. 1.
[Figure 5 is not reproduced in this text version.]
Figure 5. Parity game resulting from the deterministic parity automaton depicted in Fig. 4. Vertices controlled by Player I are depicted as rectangles, vertices controlled by Player O as circles. The highlighted states mark the winning region of Player O. The winning strategy is indicated by the thick edges.
5. Bounded Synthesis
In bounded synthesis [12], we set a bound on the number of states of the synthesized Mealy machine. By incrementally increasing the bound, we can use bounded synthesis to find a Mealy machine with a minimal number of states. The Mealy machine is found as a solution of a constraint system. To ensure that all solutions of the constraint system satisfy the specification, we encode not only the states, transitions, and outputs of the Mealy machine, but, additionally, an annotation of the states of the Mealy machine that ensures that the given LTL specification is satisfied. This annotation essentially ensures that the model checking of the Mealy machine succeeds, i.e., that the language of the product with the Büchi automaton corresponding to the negation of the specification is empty.
Let ⟨V,E⟩ be the product of a Mealy machine M and a Büchi automaton A¬ϕ for the negation of the specification. An annotation λ : S × Q → {⊥} ∪ N is a function that maps nodes from the run graph to either unreachable ⊥ or a natural number k. An annotation is valid if it satisfies the following conditions:
• the initial vertex ⟨s0,q0⟩ is labeled by a natural number: λ(s0,q0) ≠ ⊥, and
• if a vertex ⟨s,q⟩ is annotated with a natural number, i.e., λ(s,q) = k ≠ ⊥, then for every i ∈ 2^I and every q′ ∈ ∆¬ϕ(q, i ∪ γ(s,i)), the successor pair ⟨δ(s,i), q′⟩ is annotated with a greater or equal number, which needs to be strictly greater if q′ is a rejecting state. That is, for s′ = δ(s,i), λ(s′,q′) > k if q′ ∈ F and λ(s′,q′) ≥ k otherwise.

[Figure 6, annotation as drawn: λ(t0,q0) = 0, λ(t1,q0) = 0, λ(t1,q3) = 1, λ(t0,q1) = 1, and λ = ⊥ for ⟨t0,q3⟩, ⟨t0,q2⟩, ⟨t1,q2⟩ and ⟨t1,q1⟩.]
Figure 6. Annotated product of the simple Mealy machine shown on the right in Fig. 1 with the Büchi automaton from Fig. 2.
Example 7 Figure 6 shows the annotated product of the simple Mealy machine from the right in Fig. 1 with the Büchi automaton from Fig. 2. One can verify that the annotation is correct by checking every edge individually. For example, the annotation has to increase from ⟨t0,q0⟩ → ⟨t1,q3⟩ and from ⟨t1,q0⟩ → ⟨t0,q1⟩ as q1 and q3 are rejecting.
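The product construction of Section 3 and the annotation of Fig. 6, carried out on the arbiter example as an added illustration (this is not code from the paper): the two-state machine from the right of Fig. 1 and the Büchi automaton of Fig. 2 are transcribed from the figures, and a constructed one-state machine that only ever grants client 1 is added as a failing case. The annotation is computed here by a least-fixed-point iteration, which fails to terminate with a finite value exactly when the product contains a reachable accepting cycle, i.e., exactly when model checking fails.

```python
"""Product of a Mealy machine with the Buechi automaton A_notphi of Fig. 2,
plus the bounded-synthesis annotation lambda of that product (Fig. 6).
Added example; not code from the paper."""
from itertools import combinations

INPUTS = ("R1", "R2")

def all_inputs():
    """The input alphabet 2^I as frozensets of input propositions."""
    return [frozenset(c) for r in range(len(INPUTS) + 1)
            for c in combinations(INPUTS, r)]

def simple_arbiter():
    """Two-state Mealy machine on the right of Fig. 1: t0 grants client 1 and
    switches to t1 on R2; t1 grants client 2 and switches to t0 on R1."""
    delta, gamma = {}, {}
    for nu in all_inputs():
        delta[("t0", nu)] = "t1" if "R2" in nu else "t0"
        gamma[("t0", nu)] = frozenset({"G1"})
        delta[("t1", nu)] = "t0" if "R1" in nu else "t1"
        gamma[("t1", nu)] = frozenset({"G2"})
    return "t0", delta, gamma

def greedy_arbiter():
    """Constructed defective machine: one state that always grants client 1
    only, so it violates response 2."""
    delta = {("u", nu): "u" for nu in all_inputs()}
    gamma = {("u", nu): frozenset({"G1"}) for nu in all_inputs()}
    return "u", delta, gamma

# Buechi automaton of Fig. 2: q0 initial, q1..q3 accepting. Each transition is
# guarded by a Boolean condition on the letter (a subset of {R1, R2, G1, G2}).
NBA_INIT = "q0"
NBA_ACCEPTING = frozenset({"q1", "q2", "q3"})

def nba_successors(q, letter):
    r1, r2 = "R1" in letter, "R2" in letter
    g1, g2 = "G1" in letter, "G2" in letter
    succ = set()
    if q == "q0":
        succ.add("q0")                          # self-loop labeled *
        if r1 and not g1: succ.add("q1")        # request 1 never answered
        if g1 and g2:     succ.add("q2")        # mutual exclusion violated
        if r2 and not g2: succ.add("q3")        # request 2 never answered
    elif q == "q1" and not g1: succ.add("q1")   # self-loop labeled not-G1
    elif q == "q2":            succ.add("q2")   # self-loop labeled *
    elif q == "q3" and not g2: succ.add("q3")   # self-loop labeled not-G2
    return succ

def product(mealy):
    """Reachable part of M x A_notphi as an adjacency map over pairs (s, q)."""
    s0, delta, gamma = mealy
    init = (s0, NBA_INIT)
    edges, todo = {}, [init]
    while todo:
        v = todo.pop()
        if v in edges:
            continue
        s, q = v
        edges[v] = set()
        for nu in all_inputs():
            letter = nu | gamma[(s, nu)]        # input joined with the output
            for q2 in nba_successors(q, letter):
                edges[v].add((delta[(s, nu)], q2))
        todo.extend(edges[v])
    return init, edges

def annotate(mealy):
    """Least valid annotation (the initial vertex gets 0, as in Fig. 6), or
    None if no valid annotation exists, i.e. the product has a reachable
    accepting cycle and M violates phi."""
    init, edges = product(mealy)
    lam = {init: 0}
    limit = len(edges)        # without an accepting cycle, lambda <= |V|
    changed = True
    while changed:
        changed = False
        for v, succs in edges.items():
            if v not in lam:
                continue
            for w in succs:
                need = lam[v] + (1 if w[1] in NBA_ACCEPTING else 0)
                if lam.get(w, -1) < need:
                    if need > limit:
                        return None           # accepting cycle: unbounded growth
                    lam[w], changed = need, True
    return lam

def model_check(mealy):
    """M satisfies phi iff a valid annotation of M x A_notphi exists."""
    return annotate(mealy) is not None
```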
The existence of a Mealy machine with a corresponding annotation of the product graph can be expressed as a propositional constraint. For this purpose, we encode the Mealy machine and the annotation with Boolean variables.
• trans(t,ν,t′) for all t,t′ ∈ S and ν ∈ 2^I, for the transition function δ : S × 2^I → S of the Mealy machine M = (S, s0, δ, γ).
• output(t,ν,x) for all t ∈ S, ν ∈ 2^I and x ∈ O, for the output function γ : S × 2^I → 2^O.
• rgstate(t,q) for all t ∈ S and q ∈ Q, to encode the reachable states of the product graph G of M and A¬ϕ, i.e., those state pairs ⟨t,q⟩ where λ(t,q) ≠ ⊥.
• annotation(t,q,i) for all t ∈ S, q ∈ Q and 0 < i ≤ log(n·k), where n is the bound on the size of the Mealy machine and k is the number of states of the Büchi automaton. The variables encode the numerical annotation of a state pair ⟨t,q⟩ of G. We use a logarithmic number of bits to encode the annotated value in binary.
Given an LTL formula ϕ and a bound n on the states of the Mealy machine, we solve the bounded synthesis problem by checking the satisfiability of the propositional formula F_BS(ϕ,n), consisting of the following constraints:
• The pair of initial states ⟨s0,q0⟩ for some arbitrary, but fixed, s0 is reachable and annotated with 1:

rgstate(s0,q0) ∧ annotation(s0,q0) = 1

• Each annotation of a vertex of the product graph bounds the number of visited accepting states, not counting the current vertex itself:

\[
\bigwedge_{t \in S,\; q \in Q} \mathit{rgstate}(t,q) \rightarrow
\bigwedge_{\sigma \in 2^{AP}} \mathit{output}(t,\sigma) \rightarrow
\bigwedge_{t' \in S} \mathit{trans}(t, I \cap \sigma, t') \rightarrow
\bigwedge_{q' \in \Delta(q,\sigma)} \mathit{rgstate}(t',q') \wedge
\mathit{annotation}(t,q) \prec_{q'} \mathit{annotation}(t',q')
\]

where ≺_{q′} equals < if q′ ∈ F and equals ≤ otherwise. The formula output(t,σ) ensures that the output corresponds to the output function of the Mealy machine, i.e.,

\[
\mathit{output}(t,\sigma) =
\bigwedge_{x \in O \cap \sigma} \mathit{output}(t, I \cap \sigma, x) \wedge
\bigwedge_{x \in O \setminus \sigma} \neg\,\mathit{output}(t, I \cap \sigma, x).
\]
Theorem 1 (Bounded Synthesis [12]) For an LTL formula ϕ and a bound n ∈ N, the propositional formula F_BS(ϕ,n) is satisfiable if and only if there is a Mealy machine M with |M| = n that satisfies ϕ.
The propositional constraint can be solved by a standard SAT solver. In addition to the encoding as a propositional constraint, the bounded synthesis problem has also been reduced to the satisfiability of quantified Boolean formulas (QBF) and dependency quantified Boolean formulas (DQBF) [7], as well as to satisfiability modulo theories (SMT) [11]. Such encodings are more concise than the encoding as a Boolean formula. Even though the satisfiability problems of these logics are more expensive than propositional satisfiability, in particular the QBF encoding has proven advantageous in experiments (cf. [8]).

Another powerful optimization is lazy synthesis [9], which avoids the full construction of the constraint system. Lazy synthesis alternates between constraint solving, where a model is constructed for an incomplete constraint system, and verification, where errors in the previously constructed model are identified and used to extend the constraint system.
6. Bounded Cycle Synthesis
Bounded cycle synthesis [10] extends bounded synthesis by bounding not only the number of states, but also the number of cycles of the Mealy machine. Bounded cycle synthesis allows us to find implementations that are not only small but also structurally simple. A cycle is a path of a Mealy machine that ends in the same state it started in. Even Mealy machines with a small number of states can have many cycles: the number of cycles can be exponential in the number of states. The explosion of the number of cycles is in fact worse than the explosion of the number of states: while a realizable LTL formula has an implementation with at most doubly exponentially many states, there exist LTL formulas where the number of cycles in the Mealy machine is triply exponential [10]. This makes the number of cycles a particularly interesting metric for output-sensitive synthesis algorithms.
Let G = (V,E) be a directed graph. A (simple) cycle c of G is a tuple (C,η), consisting of a non-empty set C ⊆ V and a bijection η : C → C such that
• ∀v ∈ C. (v, η(v)) ∈ E and
• ∀v ∈ C. ∀n ∈ N. η^n(v) = v ⇔ n mod |C| = 0,
where η^n denotes n times the application of η. In other words, a cycle of G is a path through G that starts and ends at the same vertex and visits every vertex of V at most once. We say that a cycle c = (C,η) has length n iff |C| = n.

We extend the notion of a cycle of a graph G to Mealy machines M = (T, tI, δ, λ), such that c is a cycle of M iff c is a cycle of the graph (T,E) for E = {(t,t′) | ∃ν ∈ 2^I. δ(t,ν) = t′}. Thus, we ignore the input labels of the edges of M. The set of all cycles of a Mealy machine M is denoted by C(M).
6.1. Counting Cycles
A classical algorithm for counting the number of cycles of a directed graph is due to Tiernan [18]. We review this algorithm here as a preparation for the bounded cycle synthesis encoding.

Algorithm 1. Given a directed graph G = (V,E), we count the cycles of G using the following algorithm:
(1) Initialize the cycle counter c to c := 0 and some set P to P := ∅.
(2) Pick some arbitrary vertex vr of G, set v := vr and P := {vr}.
(3) For all edges (v,v′) ∈ E, with v′ ∉ P \ {vr}:
  (3a) If v′ = vr, increase c by one.
  (3b) Otherwise, set v := v′, add v′ to P and recursively execute (3). Afterwards, reset P to its value before the recursive call.
(4) Obtain the sub-graph G′ by removing vr from G:
  (4a) If G′ is empty, return c.
  (4b) Otherwise, continue from (2) with G′.

The algorithm starts by counting all cycles that contain the first picked vertex vr. This is done by an unfolding of the graph into a tree, rooted in vr, such that there is no repetition of a vertex on any path from the root to a leaf. The number of vertices that are connected to the root by an edge of E then represents the corresponding number of cycles through vr. The remaining cycles of G do not contain vr and, thus, are cycles of the sub-graph G′ without vr, as well. Hence, we count the remaining cycles by recursively counting the cycles of G′. The algorithm terminates as soon as G′ becomes empty.
[Figure 7, the nine steps as drawn; each step lists the values after applying the indicated rule(s) of Algorithm 1, and the edge handled in step (3):
 Step 1: (1) + (2)               c := 0, v := s0, vr := s0, P := {s0}
 Step 2: (3) + (3a) on (s0,s0)   c := 1, v := s0, vr := s0, P := {s0}
 Step 3: (3) + (3b) on (s0,s2)   c := 1, v := s2, vr := s0, P := {s0,s2}
 Step 4: (3) + (3a) on (s2,s0)   c := 2, v := s2, vr := s0, P := {s0,s2}
 Step 5: (3) + (3b) on (s2,s1)   c := 2, v := s1, vr := s0, P := {s0,s1,s2}
 Step 6: (3) + (3a) on (s1,s0)   c := 3, v := s1, vr := s0, P := {s0,s1,s2}
 Step 7: (4) + (2)               c := 3, v := s1, vr := s1, P := {s1}
 Step 8: (3) + (3b) on (s1,s2)   c := 3, v := s2, vr := s1, P := {s1,s2}
 Step 9: (3) + (3a) on (s2,s1)   c := 4, v := s2, vr := s1, P := {s1,s2}]
Figure 7. Execution of Tiernan’s algorithm for the larger Mealy machine on the left in Fig. 1.
The algorithm, as described so far, has the disadvantage that the number of unfolded trees is exponential in the size of the graph, even if none of their vertices is connected to the root, i.e., even if there is no cycle to be counted. This drawback can be avoided by first reducing the graph to all its strongly connected components (SCCs) and then counting the cycles of each SCC separately [19,15]. This reduction is sound, as a cycle never leaves an SCC of the graph.

The improved algorithm is exponential in the size of G, and linear in the number of cycles m. Furthermore, the time between two detections of a cycle, during the execution, is bounded linear in the size of G.

Example 8 To see Tiernan’s algorithm in action, we count the number of simple cycles of the larger Mealy machine on the left in Fig. 1. The execution is shown in Fig. 7. In this example, we do not need to apply the reduction to individual SCCs, because the Mealy machine consists of a single SCC. As a result we obtain that the Mealy machine has four simple cycles.
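Algorithm 1 together with the SCC reduction, implemented in Python as an added example (not the paper's code): the graph is the edge relation of the larger Mealy machine as used in Fig. 7, and the complete digraph is a constructed input that shows how quickly the cycle count outgrows the number of states.

```python
"""Tiernan's algorithm (Algorithm 1) for counting the simple cycles of a
directed graph, plus the SCC reduction of Section 6.1.
Added example; not code from the paper."""

def count_cycles(vertices, edges):
    """Count (and collect) the simple cycles of (V, E) exactly as in Algorithm 1.
    `vertices` fixes the order in which roots v_r are picked and removed (step 4)."""
    remaining = set(vertices)   # vertices of the current sub-graph G'
    cycles = []                 # each cycle recorded as the vertex tuple of its path

    def explore(vr, v, path):   # step (3); `path` is the set P in visiting order
        for (a, b) in edges:
            if a != v or b not in remaining:
                continue
            if b == vr:                      # (3a): the edge closes a cycle through v_r
                cycles.append(tuple(path))
            elif b not in path:              # (3b): v' not in P \ {v_r}, so recurse
                explore(vr, b, path + [b])   # P is restored when the call returns

    for vr in vertices:         # steps (2) and (4): root at v_r, then remove v_r
        explore(vr, vr, [vr])
        remaining.remove(vr)
    return len(cycles), cycles

def strongly_connected_components(vertices, edges):
    """Split V into SCCs via a reachability closure (simple O(|V|^3) variant)."""
    reach = {v: {v} for v in vertices}
    changed = True
    while changed:              # transitive closure: a -> b implies reach[a] >= reach[b]
        changed = False
        for (a, b) in edges:
            new = reach[b] - reach[a]
            if new:
                reach[a] |= new
                changed = True
    seen, sccs = set(), []
    for v in vertices:
        if v in seen:
            continue
        scc = [w for w in vertices if w in reach[v] and v in reach[w]]
        seen.update(scc)
        sccs.append(scc)
    return sccs

def count_cycles_by_scc(vertices, edges):
    """Improved algorithm: count per SCC, since a cycle never leaves its SCC."""
    total = 0
    for scc in strongly_connected_components(vertices, edges):
        inner = {(a, b) for (a, b) in edges if a in scc and b in scc}
        total += count_cycles(scc, inner)[0]
    return total

# Edge relation of the larger Mealy machine on the left of Fig. 1 with the
# input labels dropped, i.e. the graph walked in Fig. 7.
ARBITER_VERTICES = ["s0", "s1", "s2"]
ARBITER_EDGES = {("s0", "s0"), ("s0", "s2"), ("s2", "s0"),
                 ("s2", "s1"), ("s1", "s0"), ("s1", "s2")}

def complete_digraph(n):
    """Constructed stress input: the complete digraph on n vertices without
    self-loops; its cycle count is the sum over k of C(n,k) * (k-1)!."""
    vs = [f"v{i}" for i in range(n)]
    return vs, {(a, b) for a in vs for b in vs if a != b}
```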
6.2. The Bounded Cycle Synthesis Encoding
Like in the bounded synthesis approach, we solve the bounded cycle synthesis problem via a reduction to propositional satisfiability. We extend the constraint system from bounded synthesis with additional constraints that ensure that the number of cycles, as determined by Tiernan’s algorithm, does not exceed the given bound.
We call a tree that witnesses m cycles in G, all containing the root r of the tree, a witness-tree T_{r,m} of G. Formally, a witness-tree T_{r,m} of G = (V,E) is a labeled graph T_{r,m} = ((W, B ∪ R), τ), consisting of a graph (W, B ∪ R) with m = |R| and a labeling function τ : W → V, such that:
1. The edges are partitioned into blue edges B and red edges R.
2. All red edges lead back to the root: R ⊆ W × {r}
3. No blue edges lead back to the root: B ∩ (W × {r}) = ∅
4. Each non-root has at least one blue incoming edge: ∀w′ ∈ W \ {r}. ∃w ∈ W. (w,w′) ∈ B
5. Each vertex has at most one blue incoming edge: ∀w1,w2,w ∈ W. (w1,w) ∈ B ∧ (w2,w) ∈ B ⇒ w1 = w2
6. The graph is labeled by an unfolding of G: ∀(w,w′) ∈ B ∪ R. (τ(w), τ(w′)) ∈ E
7. The unfolding is complete: ∀w ∈ W. ∀v′ ∈ V. (τ(w), v′) ∈ E ⇒ ∃w′ ∈ W. (w,w′) ∈ B ∪ R ∧ τ(w′) = v′
8. Let wi, wj ∈ W be two different vertices that appear on a path from the root to a leaf in the r-rooted tree (W,B)¹. Then the labeling of wi and wj differs, i.e., τ(wi) ≠ τ(wj).
9. The root of the tree is the same as the corresponding vertex of G, i.e., τ(r) = r.

Lemma 1 ([10]) Let G = (V,E) be a graph consisting of a single SCC, r ∈ V be some vertex of G and m be the number of cycles of G containing r. Then there is a witness-tree T_{r,m} = ((W, B ∪ R), τ) of G with |W| ≤ m · |V|.

Lemma 2 ([10]) Let G = (V,E) be a graph consisting of a single SCC and let T_{r,m} be a witness-tree of G. Then there are at most m cycles in G that contain r.

¹ Note that the tree property is enforced by Conditions 3–5.
[Figure 8 not reproduced: two witness trees whose vertices are labeled s0, s1 and s2.]
Figure 8. The forest of witness trees proving the overall number of four cycles in the larger
Mealy machine of Fig. 1.
From Lemmas 1 and 2 we derive that $T_{r,m}$ is a suitable witness to bound the
number of cycles of an implementation $\mathcal{M}$. Furthermore, from Lemma 1, we also
obtain an upper bound on the size of $T_{r,m}$.
Example 9 Figure 8 shows the witness trees for the larger Mealy machine on the
left of Fig. 1. Each red edge, leading back to s0 and s1 on the first tree level,
captures one cycle of the machine. Thereby, the properties of the tree enforce that
all cycles are captured by these trees.
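As an added example (not the paper's code), the following Python runs the Tiernan-style search of Section 6.1 with the per-SCC reduction and, for each root, keeps the search tree as the witness-tree of Section 6.2 (blue edges are search-tree edges, red edges are returns to the root), so that the size bound of Lemma 1 can be checked. The transition graph SAMPLE and the integer node ids are constructed for this example and are not the machine of Fig. 1.

```python
from itertools import count

def scc_of(vertices, adj, root):
    """SCC of `root` in the subgraph induced by `vertices` (forward and backward reach)."""
    def reach(start, succ):
        seen, todo = {start}, [start]
        while todo:
            for w in succ(todo.pop()):
                if w in vertices and w not in seen:
                    seen.add(w)
                    todo.append(w)
        return seen
    fwd = reach(root, lambda v: adj.get(v, ()))
    bwd = reach(root, lambda v: [u for u in vertices if v in adj.get(u, ())])
    return fwd & bwd

def witness_forest(adj):
    """Tiernan-style search: each simple cycle is found once, from its smallest
    vertex r, using only vertices > r inside r's SCC of the sub-graph {v >= r}.
    Per root the search tree is returned as witness-tree (W, B, R, tau), root id 0;
    branches that close no cycle are pruned, which gives |W| <= m_r * |V| (Lemma 1)."""
    order = sorted(set(adj) | {w for ws in adj.values() for w in ws})
    cycles, trees = [], {}
    for i, r in enumerate(order):
        comp = scc_of(set(order[i:]), adj, r)
        W, B, R, tau, fresh = set(), set(), set(), {0: r}, count(1)
        def extend(path, node):
            """True iff some cycle through r closes below `node`."""
            useful = False
            for w in adj.get(path[-1], ()):
                if w == r:                           # red edge: a cycle is closed
                    cycles.append(list(path))
                    R.add((node, 0))
                    useful = True
                elif w in comp and w not in path:    # fresh label on the path (Cond. 8)
                    child = next(fresh)
                    if extend(path + [w], child):    # keep only branches that reach r
                        W.add(child)
                        tau[child] = w
                        B.add((node, child))         # unique blue incoming edge (Cond. 5)
                        useful = True
            return useful
        if extend([r], 0):
            W.add(0)
            trees[r] = (W, B, R, tau)
    return cycles, trees

def lemma1_holds(trees, n_vertices):
    """Size bound of Lemma 1 for every tree of the forest: |W| <= m_r * |V|."""
    return all(len(W) <= len(R) * n_vertices for W, _, R, _ in trees.values())

SAMPLE = {"s0": ["s1"], "s1": ["s0", "s2"], "s2": ["s0", "s2"]}  # constructed 3-state graph
```

The total number of red edges over the forest equals the number of simple cycles, which is exactly the quantity the encoding of the next section bounds by m.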
We now encode the bound on the number of cycles as a propositional con-
straint. First, we construct a simple directed graph G out of the implementa-
tion M. Then, we guess all the sub-graphs, obtained from G via iteratively re-
moving vertices, and split them into their corresponding SCCs. Finally, we guess
the witness-tree for each such SCC.
In order to keep the encoding compact, we introduce some further optimiza-
tions. First, we do not need to introduce a fresh copy for each SCC, since the
SCC of a vertex is always unique. Thus, it suffices to guess an annotation for
each vertex. Second, we have to guess $n$ trees $T_{r_i,m_i}$, $i = 1 \ldots n$, each consisting
of at most $m_i \cdot n$ vertices, such that the sum of all $m_i$ is equal to the overall
number of cycles $m$. One possible solution would be to overestimate each $m_i$ by
$m$. Another possibility would be to guess the exact distribution of the cycles over
the different witness-trees $T_{r_i,m_i}$. In our encoding, we guess all trees together in
a single graph bounded by $m \cdot n$. We annotate each vertex with its corresponding
witness-tree $T_{r_i,m_i}$. Instead of bounding the number of red edges separately for
each $T_{r_i,m_i}$ by $m_i$, we just bound the number of all red edges in the whole forest
by $m$. In this way, we not only reduce the size of the encoding, but also avoid
additional constraints that would be needed to sum up the different witness-tree
bounds $m_i$ to $m$.
Let $T$ be some ordered set with $|T| = n$ and $S = T \times \{1,2,\ldots,m\}$. We use $T$ to
denote the vertices of $G$ and $S$ to denote the vertices of the forest of all $T_{r_i,m_i}$.
Further, we use $M = T \times \{1\}$ to denote the roots and $N = S \setminus M$ to denote the non-
roots of the corresponding trees. We introduce the following Boolean variables:
• $\mathit{edge}(t,t')$ for all $t, t' \in T$, denoting the edges of the abstraction of $\mathcal{M}$ to $G$.
• $\mathit{bedge}(s,s')$ for all $s \in S$ and $s' \in N$, denoting a blue edge.
• $\mathit{redge}(s,s')$ for all $s \in S$ and $s' \in M$, denoting a red edge.
• $\mathit{wtree}(s,i)$ for all $s \in S$, $0 < i \le \log(n)$, denoting the witness-tree for each
$s$. Thereby, each tree is referenced by a unique number encoded in binary
using a logarithmic number of bits.
• $\mathit{visited}(s,t)$ for all $s \in S$ and $t \in T$, denoting the set of all vertices $t$ already
visited at $s$ since leaving the root of the corresponding witness-tree.
• $\mathit{rbound}(c,i)$ for all $0 < c \le m$, $0 < i \le \log(n \cdot m)$, denoting an ordered list
of all red edges, bounding the red edges of the forest.
• $\mathit{scc}(k,t,i)$ for all $0 < k \le n$, $t \in T$, and $0 \le i < \log n$, denoting the SCC of
$t$ in the $k$-th sub-graph of $G$. The sub-graphs are obtained by iteratively
removing vertices of $T$, according to the pre-defined order. This way, each
sub-graph contains exactly all vertices that are larger than the root.
[Figure 9 not reproduced: a two-state Mealy machine with states t0 and t1, whose two transitions are labeled ∗→ {G1} and ∗→ {G2}.]
Figure 9. The implementation of the arbiter specification with the smallest number of states
and cycles.
Note that, by the definition of $S$, we introduce $m$ explicit copies for each vertex
of $G$. This is sufficient, since each cycle contains each vertex at most once. Thus,
the labeling $\tau$ of a vertex $s$ can be directly derived from the first component of $s$.
Given the respective bounded synthesis encoding for the specification $\varphi$ and a
bound $n$ on the states of the resulting implementation $\mathcal{M}$, and a bound $m$ on the
number of cycles of $\mathcal{M}$, we encode the bounded cycle synthesis problem as the
propositional formula
$F = F_{BS}(\varphi,n) \wedge F_{CS}(n,m) \wedge F_{\mathcal{M} \to G}(\varphi,n) \wedge F_{SCC}(n)$
The constraints of $F_{BS}(\varphi,n)$ represent the bounded synthesis encoding. The con-
straints of $F_{\mathcal{M} \to G}(\varphi,n)$ simplify the representation of the Mealy machine $\mathcal{M}$ to
$G$. The constraints of $F_{CS}(A,n,m)$ bound the cycles of the system and are pre-
sented in Table 1. The constraints of $F_{SCC}(n)$ enforce that each vertex is labeled
by a unique SCC [10].
Theorem 2 (Bounded Cycle Synthesis [10]) For an LTL formula $\varphi$ and a pair of
bounds $n, m \in \mathbb{N}$, the propositional formula $F$ is satisfiable if and only if there is
a Mealy machine $\mathcal{M}$ with $|\mathcal{M}| = n$ and $|C(\mathcal{M})| = m$ that satisfies $\varphi$.
Example 10 Using our encoding, we can now search for the implementation of
the arbiter specification from Example 1 with the smallest number of states and,
additionally, smallest number of cycles. It turns out that neither Mealy machine
from Fig. 1 is the minimal solution. The smallest implementation for the arbiter
specification, with respect to the number of states and cycles is shown in Fig. 9.
Table 1. Constraints of the SAT formula $F_{CS}(A,n,m)$.
1. Roots indicate the witness-tree:
$\bigwedge_{r \in T} \mathit{wtree}((r,1)) = r$
2. Red edges only connect vertices of the current $T_{r_i,m_i}$:
$\bigwedge_{s \in S,\ (r,1) \in M} \mathit{redge}(s,(r,1)) \to \mathit{wtree}(s) = r$
3. Blue edges only connect vertices of the current $T_{r_i,m_i}$:
$\bigwedge_{s \in S,\ s' \in N} \mathit{bedge}(s,s') \to \mathit{wtree}(s) = \mathit{wtree}(s')$
4. Every non-root has exactly one blue incoming edge:
$\bigwedge_{s' \in N} \mathit{exactlyOne}(\{\mathit{bedge}(s,s') \mid s \in S\})$
5. Red edges are related to the edges of the graph $G$:
$\bigwedge_{(t,c) \in S,\ r \in T} \mathit{redge}((t,c),(r,1)) \to \mathit{edge}(t,r)$
6. Blue edges are related to the edges of the graph $G$:
$\bigwedge_{(t,c) \in S,\ (t',c') \in N} \mathit{bedge}((t,c),(t',c')) \to \mathit{edge}(t,t')$
7. Every possible red edge must be taken:
$\bigwedge_{(t,c) \in S,\ r \in T,\ t \ge r} \mathit{edge}(t,r) \wedge \mathit{scc}(r,t) = \mathit{scc}(r,r) \wedge \mathit{wtree}((t,c)) = r \to \mathit{redge}((t,c),(r,1))$
8. Every possible blue edge must be taken:
$\bigwedge_{(t,c) \in S,\ r,t' \in T,\ t \ge t'} \mathit{edge}(t,t') \wedge \mathit{scc}(r,t) = \mathit{scc}(r,t') \wedge \mathit{wtree}((t,c)) = r \wedge \mathit{visited}((t,c),t') \to \bigvee_{0 < c' \le m} \mathit{bedge}((t,c),(t',c'))$
9. Only non-roots of the corresponding sub-graph can be successors of a root:
$\bigwedge_{r \in T} \big( \bigwedge_{t \le r} \neg\mathit{visited}((r,1),t) \wedge \bigwedge_{t > r} \mathit{visited}((r,1),t) \big)$
10. Every vertex appears at most once on a path from the root to a leaf:
$\bigwedge_{(t,c) \in S,\ s \in N} \mathit{bedge}((t,c),s) \to \neg\mathit{visited}(s,t) \wedge (\mathit{visited}(s,t') \leftrightarrow \mathit{visited}((t,c),t'))$
11. The list of red edges is complete ($f(s)$ maps each state of $S$ to a unique number in $\{1,\ldots,n \cdot m\}$):
$\bigwedge_{s \in S,\ s' \in M} \mathit{redge}(s,s') \to \bigvee_{0 < c \le m} \mathit{rbound}(c) = f(s)$
12. Red edges are strictly ordered:
$\bigwedge_{0 < c \le m} \mathit{rbound}(c) < \mathit{rbound}(c+1)$
The minimal implementation switches the grant at every time step, completely
ignoring the requests. This solution only requires two states and a single cycle. The
solution may not be the best choice with respect to a possible target application,
but it is definitely the smallest one.
In general, it is not always possible to minimize the two parameters simulta-
neously. There are specifications for which the smallest possible number of states
and the smallest possible number of cycles cannot be realized within a single so-
lution [10]. In such situations it may be helpful to have an explicit optimization
function specified by the user that resolves the trade-off.
7. Conclusions
We have studied three different algorithms for the reactive synthesis problem. The
classic game-based synthesis algorithm is input-sensitive in the sense that its per-
formance is asymptotically optimal in the size of the specification, but it produces
implementations that may be larger than necessary. Bounded synthesis produces
implementations with a minimal number of states. Bounded cycle synthesis additionally
minimizes the number of cycles. Bounded synthesis and bounded cycle
synthesis belong to the new class of output-sensitive synthesis algorithms.
[Figure 10 not reproduced: the shapes of three Mealy machines with numbered states.]
Figure 10. Three implementations of the TBURST4 component of the AMBA bus controller [10].
Game-based synthesis produces a Mealy machine with the shape shown on the left with 14 states
and 61 cycles. Bounded synthesis produces the implementation in the middle with 7 states and
19 cycles. The implementation on the right, produced by bounded cycle synthesis, has 7 states
and 7 cycles, which is the minimum.
A direct comparison of the three algorithms is shown in Fig. 10. The figure
depicts the shape of the synthesized implementations from the AMBA TBURST4
specification [10] using, from left to right, game-based synthesis, bounded synthe-
sis, and bounded cycle synthesis. Even just based on a superficial visual compari-
son, it is immediately clear that the output-sensitive algorithms produce dramat-
ically simpler implementations.
Acknowledgement. This work was partially supported by the European Research
Council (ERC) Grant OSARES (No. 683300).
References
[1] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, and M. Weiglhofer. Automatic
hardware synthesis from specifications: A case study. In Proceedings of the Conference on
Design, Automation and Test in Europe (DATE), pages 1188–1193, 2007.
[2] R. P. Bloem, H.-J. Gamauf, G. Hofferek, B. Könighofer, and R. Könighofer. Synthesizing
robust systems with RATSY. In Proceedings of the Workshop on Synthesis (SYNT),
volume 84, pages 47–53. Electronic Proceedings in Theoretical Computer Science, 2012.
[3] A. Bohy, V. Bruyère, E. Filiot, N. Jin, and J.-F. Raskin. Acacia+, a tool for LTL synthesis.
In P. Madhusudan and S. A. Seshia, editors, CAV, volume 7358 of Lecture Notes in
Computer Science, pages 652–657. Springer, 2012.
[4] J. R. Büchi and L. H. Landweber. Solving sequential conditions by finite-state strategies.
Transactions of the American Mathematical Society, 138, 1969.
[5] A. Church. Applications of recursive arithmetic to the problem of circuit synthesis. In
Summaries of the Summer Institute of Symbolic Logic, volume 1, pages 3–50. Cornell
Univ., Ithaca, NY, 1957.
[6] R. Ehlers. Unbeast: Symbolic bounded synthesis. In P. A. Abdulla and K. R. M. Leino,
editors, Proceedings of the Conference on Tools and Algorithms for the Construction and
Analysis of Systems (TACAS), volume 6605 of Lecture Notes in Computer Science, pages
272–275. Springer, 2011.
[7] P. Faymonville, B. Finkbeiner, M. N. Rabe, and L. Tentrup. Encodings of bounded syn-
thesis. In A. Legay and T. Margaria, editors, Tools and Algorithms for the Construction
and Analysis of Systems: 23rd International Conference, TACAS 2017, Held as Part of
the European Joint Conferences on Theory and Practice of Software, ETAPS 2017, Up-
psala, Sweden, April 22-29, 2017, Proceedings, Part I, pages 354–370, Berlin, Heidelberg,
2017. Springer Berlin Heidelberg.
[8] P. Faymonville, B. Finkbeiner, and L. Tentrup. Bosy: An experimentation framework for
bounded synthesis. In 29th International Conference on Computer Aided Verification
(CAV 2017), Berlin, Heidelberg, 2017. Springer Berlin Heidelberg.
[9] B. Finkbeiner and S. Jacobs. Lazy synthesis. In 13th International Conference on Ver-
ification, Model Checking, and Abstract Interpretation (VMCAI 2012), pages 219–234.
Springer Verlag, 2012.
[10] B. Finkbeiner and F. Klein. Bounded cycle synthesis. In S. Chaudhuri and A. Farzan, ed-
itors, Computer Aided Verification - 28th International Conference, CAV 2016, Toronto,
ON, Canada, July 17-23, 2016, Proceedings, Part I, volume 9779 of Lecture Notes in
Computer Science, pages 118–135. Springer, 2016.
[11] B. Finkbeiner and S. Schewe. SMT-based synthesis of distributed systems. In Proceedings
of the Second Workshop on Automated Formal Methods, AFM ’07, pages 69–76, New
York, NY, USA, 2007. ACM.
[12] B. Finkbeiner and S. Schewe. Bounded synthesis. International Journal on Software Tools
for Technology Transfer, 15(5-6):519–539, 2013.
[13] D. Harel and A. Pnueli. On the development of reactive systems. In Logics and models
of concurrent systems, pages 477–498, New York, NY, USA, 1985. Springer-Verlag New
York, Inc.
[14] B. Jobstmann, S. Galler, M. Weiglhofer, and R. Bloem. Anzu: A tool for property syn-
thesis. In Computer Aided Verification (CAV), pages 258–262, 2007.
[15] D. B. Johnson. Finding All the Elementary Circuits of a Directed Graph. SIAM J.
Comput., 4(1):77–84, 1975.
[16] A. Pnueli. The temporal logic of programs. In 18th Annual Symposium on Foundations
of Computer Science, Providence, Rhode Island, USA, 31 October - 1 November 1977,
pages 46–57. IEEE Computer Society, 1977.
[17] M. O. Rabin. Automata on Infinite Objects and Church’s Problem. American Mathemat-
ical Society, Boston, MA, USA, 1972.
[18] J. C. Tiernan. An Efficient Search Algorithm to Find the Elementary Circuits of a Graph.
Commun. ACM, 13(12):722–726, 1970.
[19] H. Weinblatt. A New Search Algorithm for Finding the Simple Cycles of a Finite Directed
Graph. J. ACM, 19(1):43–56, 1972.
