Synthesis of Reactive(1) designs, by Bloem, Roderick et al.
Journal of Computer and System Sciences 78 (2012) 911–938
www.elsevier.com/locate/jcss
Synthesis of Reactive(1) designs✩,✩✩
Roderick Bloem a, Barbara Jobstmann b, Nir Piterman c,∗, Amir Pnueli d, Yaniv Sa’ar d
a Graz University of Technology, Austria
b CNRS/Verimag, France
c University of Leicester, UK
d Weizmann Institute of Science, Israel
Article info
Article history:
Received 21 April 2010
Received in revised form 25 May 2011
Accepted 5 August 2011
Available online 18 August 2011
Keywords:
Property synthesis
Realizability
Game theory
Abstract
We address the problem of automatically synthesizing digital designs from linear-time
specifications. We consider various classes of specifications that can be synthesized with
effort quadratic in the number of states of the reactive system, where we measure effort
in symbolic steps. The synthesis algorithm is based on a novel type of game called General
Reactivity of rank 1 (gr(1)), with a winning condition of the form
$$(\Box\Diamond p_1 \wedge \cdots \wedge \Box\Diamond p_m) \to (\Box\Diamond q_1 \wedge \cdots \wedge \Box\Diamond q_n),$$
where each p_i and q_i is a Boolean combination of atomic propositions. We show symbolic
algorithms to solve this game, to build a winning strategy and several ways to optimize the
winning strategy and to extract a system from it. We also show how to use gr(1) games
to solve the synthesis of ltl specifications in many interesting cases. As empirical evidence
to the generality and efficiency of our approach we include a significant case study. We
describe the formal specifications and the synthesis process applied to a bus arbiter, which
is a realistic industrial hardware specification of modest size.
© 2011 Elsevier Inc. All rights reserved.
1. Introduction
One of the most ambitious and challenging problems in computer science is the automatic synthesis of programs and
(digital) designs from logical specifications. A solution to this problem would lift programming from the current level, which
is mostly imperative, to a declarative, logical style. There is some evidence that this level is preferable, in particular when
concurrency plays an important role.
The synthesis problem was first identified by Church [5]. Several methods have been proposed for its solution [6,7]. The
two prevalent approaches to solving the synthesis problem were by reducing it to the emptiness problem of tree automata,
and viewing it as the solution of a two-person game. In these preliminary studies of the problem, the logical specification
that the synthesized system should satisfy was given as an S1S formula and the complexity of synthesis is non-elementary.
The problem was considered again in [8] in the context of synthesizing reactive modules from a specification given in
Linear Temporal Logic (ltl). This followed two previous attempts [9,10] to synthesize programs from temporal specifications,
which reduced the synthesis problem to satisfiability, ignoring the fact that the environment should be treated as an
adversary. The method proposed in [8] for a given ltl specification ϕ starts by constructing a Büchi automaton B_ϕ, which
✩ This work was supported by the European Commission under contracts 507219 (PROSYD), 217069 (COCONUT), and 248613 (DIAMOND).
✩✩ This paper is based on the following papers: Piterman et al. (2006) [1] and Bloem et al. (2007) [2,3].
* Corresponding author.
E-mail address: nir.piterman@le.ac.uk (N. Piterman).
doi:10.1016/j.jcss.2011.08.007
is then determinized into a deterministic Rabin automaton. This double translation necessarily causes a doubly exponential
time complexity [11].
The high complexity established in [8,11] caused the synthesis process to be identified as hopelessly intractable and
discouraged many practitioners from ever attempting to use it for any sizeable system development. Yet there exist several
interesting cases where the synthesis problem can be solved in polynomial time, by using simpler automata or partial
fragments of ltl [12–15]. Representative cases are the work in [16] which presents an efficient quadratic solution to games
(and hence synthesis problems) where the acceptance condition is one of the ltl formulas □p, ◇q, □◇p, or ◇□q. The
work in [13] presents efficient synthesis approaches for various ltl fragments.
This paper can be viewed as a generalization of the results of [16] and [13] into the wider class of Generalized Reactivity(1)
formulas (gr(1)), i.e., formulas of the form
$$(\Box\Diamond p_1 \wedge \cdots \wedge \Box\Diamond p_m) \to (\Box\Diamond q_1 \wedge \cdots \wedge \Box\Diamond q_n). \tag{1}$$
Here, we assume that the specification is an implication between a set of assumptions and a set of guarantees.¹ Following
the results of [18], we show how any synthesis problem whose specification is a gr(1) formula can be solved with effort
O(mnN²), where N is the size of the state space of the design and effort is measured in symbolic steps, i.e., in the number
of preimage computations [19]. Furthermore, we present a symbolic algorithm for extracting a design (program) which
implements the specification.
We show that gr(1) formulas can be used to represent a relatively wide set of specifications. First, we show that we can
include past ltl formulas in both the assumptions and the guarantees. Second, we show that each of the assumptions and
guarantees can be a deterministic “Just Discrete System” (Büchi automaton). Thus, our method does not incur the exponential
blow-ups incurred in ltl synthesis for the translation of the formula to an automaton and for the determinization of the
automaton because the user provides the specification as a set of deterministic automata. (But note that the state space of
the system is the product of the sizes of the automata, which may cause an exponential blowup.) Furthermore, a symbolic
implementation of our algorithm is easily obtained when the automata are represented in symbolic form. One drawback is
that our formalism is less expressive than ltl. In particular, Reactivity (Streett) conditions cannot be expressed.
The reader may suspect that gr(1) specifications place an undue burden on the user or that the expressivity is too
limited. We argue that this is not the case. Intuitively, many specifications can naturally be split into assumptions on
the environment and guarantees on the system. (Cf. [20].) Often, assumptions and guarantees can naturally be written
as conjunctions of simple properties that are easily expressed as deterministic automata. We substantiate this view by
presenting two case studies of small but realistic industrial modules. We show that the specifications for these modules can
be expressed in gr(1), that their specifications are compact and easy to read, and that they can be synthesized relatively
efficiently.
The first case study concerns a generalized buffer from ibm, a tutorial design for which a good specification is available.
The second concerns the arbiter for one of the amba buses [21], a characteristic industrial design that is not too big. This
is the first time realistic industrial examples have been tackled; previous work has only considered toy examples such as a
simple mutual exclusion protocol, an elevator controller, or a traffic light controller [14,1,22].
Our work stresses the compositionality of synthesis from ltl specifications and the structure of specifications as a guide
to efficient synthesis. At the same time, it emphasizes the symbolic analysis of the state space through the usage of bdds.
Sohail et al. removed some of the restrictions on the expressive power imposed by our work [23,24]. They present a
compositional approach in which each property is translated to a Büchi or parity automaton and the resulting generalized parity
game is solved symbolically. They also show how in some cases to circumvent the construction of deterministic automata
based on [25]. Morgenstern and Schneider present a similar approach. They construct an automaton that is minimal in the
automata hierarchy for each of the properties in the specification [26].
In recent years significant theoretical progress has been made in approaches that emphasize the treatment of full ltl. One
key result is that ltl realizability and synthesis can be reduced to games that are easier to solve than Rabin or parity games,
when bounding the size of the resulting system. In [27], Kupferman and Vardi show a reduction to Büchi games that avoids
the determinization procedure by going through universal co-Büchi automata. Their approach is further extended to work
compositionally for specifications that are a conjunction of properties [28]. The algorithm of [27] was implemented directly
in [22]. Schewe and Finkbeiner extend the reduction to co-Büchi winning conditions introduced in [27] to a reduction to
safety games [29]. They show how to use these insights to solve distributed synthesis, where the size of components is
bounded. Filiot, Jin, and Raskin [30] give the same reduction to safety games and implement this approach using antichains
to efficiently encode sets of states [30]. To date, these approaches are still very restricted in the scale of systems they can
handle.
The paper is structured as follows. We start with presenting the notation and recalling known results (Section 2). Then,
we show how to solve Generalized Reactive(1) games symbolically (Section 3), compute a winning strategy, and extract a
correct program, if it exists (Section 4). In Section 5, we show how the techniques developed in Sections 3 and 4 are used
to synthesize systems from temporal specifications. In Section 6, we describe the amba ahb arbiter case study. We give its
formal specification, and show the results of synthesizing it. Finally, we discuss lessons learned and conclude in Section 7.
¹ The source of the name reactivity and the rank follow from the definitions of the temporal hierarchy in [17].
2. Preliminaries
2.1. Linear temporal logic
We assume a countable set of Boolean variables (propositions) V. Without loss of generality, we assume that all variables
are Boolean. The general case in which a variable ranges over arbitrary finite domains can be reduced to the Boolean case.
ltl formulas are constructed as follows:
ϕ ::= p | ¬ϕ | ϕ ∨ ϕ | ○ϕ | ϕ U ϕ | ⊖ϕ | ϕ S ϕ.
A model σ for a formula ϕ is an infinite sequence of truth assignments to propositions. Namely, if P̂ is the set of
propositions appearing in ϕ, then for every finite set P such that P̂ ⊆ P, a word in (2^P)^ω is a model. Given a model
σ = σ_0, σ_1, . . ., we denote by σ_i the set of propositions at position i. For a formula ϕ and a position i ≥ 0, we say that ϕ
holds at position i of σ, written σ, i ⊨ ϕ, and define it inductively as follows:
• For p ∈ P we have σ, i ⊨ p iff p ∈ σ_i,
• σ, i ⊨ ¬ϕ iff σ, i ⊭ ϕ,
• σ, i ⊨ ϕ ∨ ψ iff σ, i ⊨ ϕ or σ, i ⊨ ψ,
• σ, i ⊨ ○ϕ iff σ, i + 1 ⊨ ϕ,
• σ, i ⊨ ϕ U ψ iff there exists k ≥ i such that σ, k ⊨ ψ and σ, j ⊨ ϕ for all j, i ≤ j < k,
• σ, i ⊨ ⊖ϕ iff i > 0 and σ, i − 1 ⊨ ϕ,
• σ, i ⊨ ϕ S ψ iff there exists k, 0 ≤ k ≤ i such that σ, k ⊨ ψ and σ, j ⊨ ϕ for all j, k < j ≤ i.
If σ, 0 ⊨ ϕ, then we say that ϕ holds on σ and denote it by σ ⊨ ϕ. A set of models M satisfies ϕ, denoted M ⊨ ϕ, if every
model in M satisfies ϕ.
We use the usual abbreviations of the Boolean connectives ∧, → and ↔ and the usual definitions for true and false.
We use the temporal abbreviations ◇ (eventually), □ (globally), W (weak until), and for the past fragment ⊟ (historically),
◈ (once), and B (back to), which are defined as follows:
• ◇ϕ = true U ϕ,
• □ψ = ¬◇¬ψ,
• ϕ W ψ = (ϕ U ψ) ∨ □ϕ,
• ◈ϕ = true S ϕ,
• ⊟ψ = ¬◈¬ψ, and
• ϕ B ψ = (ϕ S ψ) ∨ ⊟ϕ.
The following abbreviations are used in Section 6. They are inspired by the ones designed in psl [31]. Given an atomic
proposition p and two ltl formulas ϕ and ψ, we define
• raise(p) = ¬p ∧ ○p,
• fall(p) = p ∧ ○¬p, and
• ϕ W[i] ψ = ϕ W (ψ ∧ ○(ϕ W[i − 1] ψ)) for i > 1 and ϕ W[1] ψ = ϕ W ψ.
That is, raise(p) indicates the rising edge of signal p, fall(p) indicates the falling edge of signal p, and the nested
weak until ϕ W[i] ψ indicates that ϕ waits for ψ to hold i times or forever.
We distinguish between safety and liveness properties. An ltl-definable property ϕ is a safety property if for every model
σ that violates ϕ, i.e., σ ⊭ ϕ, there exists an i such that for every σ′ that agrees with σ up to position i, i.e., ∀ 0 ≤ j ≤ i,
σ′_j = σ_j, σ′ also violates ϕ. An ltl-definable property ϕ is a liveness property if for every prefix of a model σ_0, . . . , σ_i there
exists an infinite model σ that starts with σ_0, . . . , σ_i and σ ⊨ ϕ. Intuitively, safety properties specify bad things that should
never happen and liveness properties specify good things that should occur. We distinguish between properties that are (i)
safety, (ii) liveness, or (iii) combinations of safety and liveness.
A formula that does not include temporal operators is a Boolean formula (or an assertion). Given non-overlapping sets of
Boolean variables V_1, . . . , V_k, we use the notation ϕ(V_1, . . . , V_k) to indicate that ϕ is a Boolean formula over V_1 ∪ · · · ∪ V_k.
For Boolean formulas we consider models representing only a single truth assignment, i.e., given a Boolean formula ϕ(V),
we say that s ∈ 2^V models (or satisfies) ϕ, written as s ⊨ ϕ, if the formula obtained from ϕ by replacing all variables in
s by true and all other variables by false is valid. Formally, we define s ⊨ ϕ inductively by (i) for v ∈ V, s ⊨ v iff v ∈ s,
(ii) s ⊨ ¬ϕ iff s ⊭ ϕ, and (iii) s ⊨ ϕ ∨ ψ iff s ⊨ ϕ or s ⊨ ψ. We call the set of all possible assignments to variables V states
and denote them by Σ_V (or simply Σ, if V is clear from the context), i.e., Σ_V = 2^V. We say that s is a ϕ-state if s ⊨ ϕ.
Given a formula ϕ and a set of states S ⊆ Σ_V, we say S satisfies ϕ, denoted by S ⊨ ϕ, if for all s ∈ S, s ⊨ ϕ holds. Given
a subset Y ⊆ V of the variables and a state s ∈ Σ_V, we denote by s|_Y the projection of s to Y, i.e., s|_Y = {y ∈ Y | y ∈ s}.
We will often use assertions over V_1 ∪ · · · ∪ V_k ∪ V′_1 ∪ · · · ∪ V′_k, where V′_i is the set of primed versions of variables in V_i, i.e., V′_i = {v′ | v ∈ V_i}. Given an assertion ϕ(V_1, . . . , V_k, V′_1, . . . , V′_k) and assignments s_i, t_i ∈ Σ_{V_i}, we use (s_1, . . . , s_k, t′_1, . . . , t′_k) ⊨ ϕ
to abbreviate s_1 ∪ · · · ∪ s_k ∪ t′_1 ∪ · · · ∪ t′_k ⊨ ϕ, where t′_i = {v′ ∈ V′_i | v ∈ t_i}.
2.2. Fair discrete systems
A fair discrete system (fds) [32] is a symbolic representation of a transition system with finitely many states and weak
and strong fairness constraints. We use fds to represent reactive systems such as concurrent systems that communicate by
shared variables or digital circuits. Formally, an fds D = ⟨V, θ, ρ, J, C⟩ consists of the following components.
• V = {v_1, . . . , v_n}: A finite set of Boolean variables. We define a state s to be an interpretation of V, i.e., s ∈ Σ_V.
• θ: The initial condition. This is an assertion over V characterizing all the initial states of the fds. A state is called initial
if it satisfies θ.
• ρ: A transition relation. This is an assertion ρ(V ∪ V′), relating a state s ∈ Σ to its D-successors s′ ∈ Σ, i.e., (s, s′) ⊨ ρ.
• J = {J_1, . . . , J_m}: A set of justice requirements (weak fairness). Each requirement J ∈ J is an assertion over V that is
intended to hold infinitely many times in every computation.
• C = {(P_1, Q_1), . . . , (P_n, Q_n)}: A set of compassion requirements (strong fairness). Each requirement (P, Q) ∈ C consists
of a pair of assertions, such that if a computation contains infinitely many P-states, it should also hold infinitely many
Q-states.
We define a run of the fds D to be a maximal sequence of states σ = s_0, s_1, . . . satisfying (i) initiality, i.e., s_0 ⊨ θ, and
(ii) consecution, i.e., for every j ≥ 0, (s_j, s_{j+1}) ⊨ ρ. A sequence σ is maximal if either σ is infinite or σ = s_0, . . . , s_k and s_k
has no D-successor, i.e., for all s_{k+1} ∈ Σ, (s_k, s_{k+1}) ⊭ ρ.
A run σ is called a computation of D if it is infinite and satisfies the following additional requirements: (i) justice
(or weak fairness), i.e., for each J ∈ J, σ contains infinitely many J-positions, i.e., positions j ≥ 0 such that s_j ⊨ J, and
(ii) compassion (or strong fairness), i.e., for each (P, Q) ∈ C, if σ contains infinitely many P-positions, it must also contain
infinitely many Q-positions.
We say that an fds D implements specification ϕ, denoted D ⊨ ϕ, if every run of D is infinite, and every computation of
D satisfies ϕ. An fds is said to be fairness-free if J = C = ∅. It is called a just discrete system (jds) if C = ∅. When J = ∅ or
C = ∅ we simply omit them from the description of D. Note that for most reactive systems, it is sufficient to use a jds (i.e.,
compassion-free) model. Compassion is only needed in cases in which the system uses built-in synchronization constructs
such as semaphores or synchronous communication.
An fds D is deterministic with respect to X ⊆ V, if (i) D has deterministic initial states, i.e., for all states s, t ∈ Σ_V, if s ⊨ θ,
t ⊨ θ, and s|_X = t|_X, then s = t holds, and (ii) D has deterministic transitions, i.e., for all states s, s′, s″ ∈ Σ_V, if (s, s′) ⊨ ρ,
(s, s″) ⊨ ρ, and s′|_X = s″|_X, then s′ = s″ holds.
An fds D is complete with respect to X ⊆ V, if (i) for every assignment s_X ∈ Σ_X, there exists a state s ∈ Σ_V such that
s|_X = s_X and s ⊨ θ, and (ii) for all states s ∈ Σ_V and assignments s′_X ∈ Σ_X, there exists a state s′ ∈ Σ_V such that s′|_X = s′_X
and (s, s′) ⊨ ρ. For every fds and every X ⊆ V, we can construct an fds that is complete w.r.t. X whose set of computations
is the same as that of the original. We simply add a Boolean variable sf and set θ̂ := sf ↔ θ and ρ̂ := sf′ ↔ (ρ ∧ sf) and add
sf as an additional justice requirement. The set of computations of the two fds (when projecting the value of sf) are the
same.
Given an fds D that is deterministic and complete w.r.t. X, for every possible sequence σ = s_0, s_1, . . . of states in Σ_X,
D has a unique run τ = t_0, t_1, . . . such that for all j ≥ 0, s_j|_X = t_j|_X holds. We call τ the run of D on σ. Note that D can
be seen as a symbolic representation of a Mealy machine with input signal X and output signals V \ X. We say that a
sequence σ ∈ (Σ_X)^ω is accepted by D, if the run of D on σ is a computation.
For every fds D, there exists an ltl formula ϕ_D, called the temporal semantics of D, which characterizes the computations
of D. It is given by
$$\varphi_D:\ \theta \wedge \Box\big(\rho(\mathcal{V}, \bigcirc\mathcal{V})\big) \wedge \bigwedge_{J \in \mathcal{J}} \Box\Diamond J \wedge \bigwedge_{(P,Q) \in \mathcal{C}} (\Box\Diamond P \to \Box\Diamond Q),$$
where ρ(V, ○V) is the formula obtained from ρ by replacing each instance of primed variable v′ by the ltl formula ○v.
Note that in the case that D is compassion-free (i.e., it is a jds), then its temporal semantics has the form
$$\varphi_D:\ \theta \wedge \Box\big(\rho(\mathcal{V}, \bigcirc\mathcal{V})\big) \wedge \bigwedge_{J \in \mathcal{J}} \Box\Diamond J.$$
Here, we are interested in open systems. That is, systems that interact with their environment: that receive some inputs
and react to them. For such systems specifications are usually partitioned into assumptions and guarantees. The intended
meaning is that if all assumptions hold then all guarantees should hold as well. That is, if the environment behaves as
expected then the system will behave as expected as well. In many cases, when we consider the conjunction of all assumptions
(or all guarantees) the resulting formula is the temporal semantics of a jds. That is, it is common to get specifications
of the form ϕ_e and ϕ_s, where (i) ϕ_e and ϕ_s are conjunctions of smaller properties, (ii) ϕ_e and ϕ_s are the temporal semantics
of jdss, and (iii) the intended meaning is that the system should satisfy ϕ_e → ϕ_s.
2.3. Game structures
We consider two-player games played between a system and an environment. The goal of the system is to satisfy the
specification regardless of the actions of the environment. Formally, a game structure G = ⟨V, X, Y, θ_e, θ_s, ρ_e, ρ_s, ϕ⟩ consists
of the following components.
• V = {v_1, . . . , v_n}: A finite set of typed state variables over finite domains. Without loss of generality, we assume they are
all Boolean. A state and the set of states Σ_V are defined as before.
• X ⊆ V is a set of input variables. These are variables controlled by the environment.
• Y = V \ X is a set of output variables. These are variables controlled by the system.
• θ_e is an assertion over X characterizing the initial states of the environment.
• θ_s is an assertion over V characterizing the initial states of the system.
• ρ_e(V, X′) is the transition relation of the environment. This is an assertion relating a state s ∈ Σ to a possible next
input value s_X ∈ Σ_X by referring to unprimed copies of V and primed copies of X. The transition relation ρ_e identifies
a valuation s_X ∈ Σ_X as a possible input in state s if (s, s_X) ⊨ ρ_e.
• ρ_s(V, X′, Y′) is the transition relation of the system. This is an assertion relating a state s ∈ Σ and an input value
s_X ∈ Σ_X to an output value s_Y ∈ Σ_Y by referring to primed and unprimed copies of V. The transition relation ρ_s
identifies a valuation s_Y ∈ Σ_Y as a possible output in state s reading input s_X if (s, s_X, s_Y) ⊨ ρ_s.
• ϕ is the winning condition, given by an ltl formula.
A state s is initial if it satisfies both θ_e and θ_s, i.e., s ⊨ θ_e ∧ θ_s. For two states s and s′ of G, s′ is a successor of s if
(s, s′) ⊨ ρ_e ∧ ρ_s. A play σ of G is a maximal sequence of states σ = s_0, s_1, . . . satisfying (i) initiality, i.e., s_0 is initial and
(ii) consecution, i.e., for each j ≥ 0, s_{j+1} is a successor of s_j. Let G be a game structure and σ be a play of G. Initially,
the environment chooses an assignment s_X ∈ Σ_X such that s_X ⊨ θ_e and the system chooses an assignment s_Y ∈ Σ_Y such
that (s_X, s_Y) is initial. From a state s, the environment chooses an input s_X ∈ Σ_X such that (s, s_X) ⊨ ρ_e and the system
chooses an output s_Y ∈ Σ_Y such that (s, s_X, s_Y) ⊨ ρ_s. We say that a play starting in state s is an s-play.
A play σ = s_0, s_1, . . . is winning for the system if either (i) σ is finite and there is no assignment s_X ∈ Σ_X such that
(s_n, s_X) ⊨ ρ_e, where s_n is the last state in σ, or (ii) σ is infinite and it satisfies ϕ. Otherwise, σ is winning for the environment.
A strategy for the system is a partial function f : M × Σ_V × Σ_X → M × Σ_Y, where M is some memory domain with a
designated initial value m_0 ∈ M, such that for every s ∈ Σ_V, every s_X ∈ Σ_X, and m ∈ M, if (s, s_X) ⊨ ρ_e then (s, s_X, s_Y) ⊨ ρ_s,
where f(m, s, s_X) = (m′, s_Y). Let f be a strategy for the system. A play s_0, s_1, . . . is said to be compliant with strategy f if
for all i ≥ 0 we have f(m_i, s_i, s_{i+1}|_X) = (m_{i+1}, s_{i+1}|_Y). Notice that the sequence m_0, m_1, . . . is implicitly defined. Strategy
f is winning for the system from state s ∈ Σ_V if all s-plays (plays starting from s) which are compliant with f are winning
for the system. We denote by W_s the set of states from which there exists a winning strategy for the system. We treat W_s
as an assertion as well. For player environment, strategies, winning strategies, and the winning set W_e are defined dually.
A game structure G is said to be winning for the system, if for all s_X ∈ Σ_X, if s_X ⊨ θ_e, then there exists s_Y ∈ Σ_Y such that
(s_X, s_Y) ⊨ θ_s and (s_X, s_Y) ⊨ W_s. We say that f uses finite memory or is finite when M is finite. When M is a singleton, we
say that f is memoryless.
2.3.1. Realizability and synthesis
Given an ltl formula ϕ over sets of input and output variables X and Y, we say that an fds D = ⟨V, θ, ρ, J, C⟩
realizes ϕ if (i) V contains X and Y, (ii) D is complete with respect to X, and (iii) D ⊨ ϕ. Such an fds is called a controller
for ϕ, or just a controller. We say that the specification is realizable [8], if there exists a fairness-free fds D that realizes it.
Otherwise, we say that the specification is unrealizable. If the specification is realizable, then the construction of such a
controller constitutes a solution for the synthesis problem.²
Given an ltl formula over sets of input and output variables X and Y, respectively, its realizability problem can be
reduced to the decision of the winner in a game. Formally, G_ϕ = ⟨X ∪ Y, X, Y, true, true, true, true, ϕ⟩ is the game where the
initial conditions and the transition relations are true and the winning condition is ϕ. If the environment is winning in G_ϕ,
then ϕ is unrealizable. If the system is winning in G_ϕ, then ϕ is realizable. Furthermore, from the winning strategy of
² As all the variables of fdss are Boolean, this definition calls for realizability by a finite state system. It is well known that for ltl specifications
realizability and realizability by finite state systems are the same.
the system it is possible to extract a controller that realizes ϕ. Realizability for general ltl specifications is 2EXPTIME-complete [33].
It is well known that for ltl specifications it is sufficient to consider finite memory strategies. In this paper
we are interested in a subset of ltl for which we solve realizability and synthesis in time exponential in the size of the ltl
formula and polynomial in the resulting controller.
More generally, consider a game G : ⟨V, X, Y, θ_e, θ_s, ρ_e, ρ_s, ϕ⟩. The system wins in G iff the following formula is realizable³:
$$\varphi_G = (\theta_e \to \theta_s) \wedge \big(\theta_e \to \Box((\boxminus\rho_e) \to \rho_s)\big) \wedge (\theta_e \wedge \Box\rho_e \to \varphi).$$
Formally, we have the following.
Theorem 1. The system wins in a game G iff ϕG is realizable.
The proof of this theorem resembles the proof of Theorem 4 and is omitted.
3. Generalized Reactive(1) games
In [18], we consider the case of Generalized Reactive(1) games (called there generalized Streett(1) games). In these games
the winning condition is an implication between conjunctions of recurrence formulas (□◇J where J is a Boolean formula).
We repeat the main ideas from [18] and show how to solve gr(1) games, by computing the winning states of each of
the players. We start with a definition of μ-calculus over game structures. We then give the μ-calculus formula that
characterizes the set of winning states of the system, and explain how to implement this solution symbolically. We defer
the extraction of a controller from this computation to Section 4. We finish this section by explaining the straightforward
usage of gr(1) games in synthesis from ltl. In Section 5 we include a thorough discussion of usage of gr(1) games for ltl
synthesis.
3.1. μ-Calculus over game structures
We define μ-calculus [34] over game structures. Consider a game structure G : ⟨V, X, Y, θ_e, θ_s, ρ_e, ρ_s, ϕ⟩. For every
variable v ∈ V the formulas v and ¬v are atomic formulas. Let Var = {X, Y, . . .} be a set of relational variables. The μ-calculus
formulas are constructed as follows:
ϕ ::= v | ¬v | X | ϕ ∨ ϕ | ϕ ∧ ϕ | ⊙ϕ | ⊡ϕ | μXϕ | νXϕ.
A formula ψ is interpreted as the set of G-states in Σ in which ψ is true. We write such a set of states as [[ψ]]^E_G where G is
the game structure and E : Var → 2^Σ is an environment. The environment assigns to each relational variable a subset of Σ.
We denote by E[X ← S] the environment such that E[X ← S](X) = S and E[X ← S](Y) = E(Y) for Y ≠ X. The set [[ψ]]^E_G
is defined inductively as follows.⁴
• [[v]]^E_G = {s ∈ Σ | s[v] = 1}.
• [[¬v]]^E_G = {s ∈ Σ | s[v] = 0}.
• [[X]]^E_G = E(X).
• [[ϕ ∨ ψ]]^E_G = [[ϕ]]^E_G ∪ [[ψ]]^E_G.
• [[ϕ ∧ ψ]]^E_G = [[ϕ]]^E_G ∩ [[ψ]]^E_G.
• $$[[\odot\varphi]]^E_G = \big\{ s \in \Sigma \ \big|\ \forall s_X \in \Sigma_X,\ (s, s_X) \models \rho_e \to \exists s_Y \in \Sigma_Y \text{ such that } (s, s_X, s_Y) \models \rho_s \text{ and } (s_X, s_Y) \in [[\varphi]]^E_G \big\}.$$
A state s is included in [[⊙ϕ]]^E_G if the system can force the play to reach a state in [[ϕ]]^E_G. That is, regardless of how
the environment moves from s, the system can choose an appropriate move into [[ϕ]]^E_G.
• $$[[\boxdot\varphi]]^E_G = \big\{ s \in \Sigma \ \big|\ \exists s_X \in \Sigma_X \text{ such that } (s, s_X) \models \rho_e \text{ and } \forall s_Y \in \Sigma_Y,\ (s, s_X, s_Y) \models \rho_s \to (s_X, s_Y) \in [[\varphi]]^E_G \big\}.$$
A state s is included in [[⊡ϕ]]^E_G if the environment can force the play to reach a state in [[ϕ]]^E_G. As the environment
moves first, it chooses an input s_X ∈ Σ_X such that for all choices of the system the successor is in [[ϕ]]^E_G.
³ Technically, ρ_e and ρ_s contain primed variables and are not ltl formulas. This can be easily handled by using the next operator (○). We ignore this
issue in the rest of the paper.
⁴ Only for finite game structures.
• [[μXϕ]]^E_G = ⋃_i S_i where S_0 = ∅ and S_{i+1} = [[ϕ]]^{E[X←S_i]}_G.
• [[νXϕ]]^E_G = ⋂_i S_i where S_0 = Σ and S_{i+1} = [[ϕ]]^{E[X←S_i]}_G.
When all the variables in ϕ are bound by either μ or ν the initial environment is not important and we simply write
[[ϕ]]_G. In case that G is clear from the context we write [[ϕ]].
The alternation depth of a formula is the number of alternations in the nesting of least and greatest fixpoints. A μ-calculus
formula defines a symbolic algorithm for computing [[ϕ]] [35] (i.e., an algorithm that manipulates sets of states rather than
individual states). For a μ-calculus formula of alternation depth k, this symbolic algorithm requires the computation of at
most O(|Σ|^{k+1}) symbolic next step operations. By saving intermediate results of the symbolic computation it is possible
to reduce the number of symbolic next step operations of the symbolic algorithm to O(|Σ|^{(k+1)/2}) [36]. In general, if the
number of transitions of G is m, then it is known that a μ-calculus formula over G can be evaluated in time proportional
to O(m|Σ|^{k/2}) [37]. For a full exposition of μ-calculus we refer the reader to [38]. We often abuse notations and write a
μ-calculus formula ϕ instead of the set [[ϕ]].
In some cases, instead of using a very complex formula, it may be more readable to use vector notation as in Eq. (2):
$$\varphi = \nu\begin{bmatrix} Z_1 \\ Z_2 \end{bmatrix}\begin{bmatrix} \mu Y(\odot Y \vee p \wedge \odot Z_2) \\ \mu Y(\odot Y \vee q \wedge \odot Z_1) \end{bmatrix}. \tag{2}$$
Such a formula may be viewed as the mutual fixpoint of the variables Z_1 and Z_2 or equivalently as an equal formula
where a single variable Z replaces both Z_1 and Z_2 and ranges over pairs of states [39]. The formula above characterizes the
set of states from which the system can force the game to visit p-states infinitely often and q-states infinitely often. We can
characterize the same set of states by the following ‘normal’ formula⁵:
ϕ = νZ([μY(⊙Y ∨ p ∧ ⊙Z)] ∧ [μY(⊙Y ∨ q ∧ ⊙Z)]).
3.2. Solving gr(1) games
Let G be a game where the winning condition is of the following form:
$$\varphi = \bigwedge_{i=1}^{m} \Box\Diamond J^e_i \to \bigwedge_{j=1}^{n} \Box\Diamond J^s_j.$$
Here J^e_i and J^s_j are Boolean formulas. We refer to such games as Generalized Reactivity(1) games, or gr(1) in short. In
[18] we term these games as generalized Streett(1) games and provide the following μ-calculus formula to solve them. Let
j ⊕ 1 = (j mod n) + 1,
$$\varphi_{gr} = \nu\begin{bmatrix} Z_1 \\ Z_2 \\ \vdots \\ Z_n \end{bmatrix}
\begin{bmatrix}
\mu Y\Big(\bigvee_{i=1}^{m} \nu X\big(J^s_1 \wedge \odot Z_2 \vee \odot Y \vee \neg J^e_i \wedge \odot X\big)\Big) \\
\mu Y\Big(\bigvee_{i=1}^{m} \nu X\big(J^s_2 \wedge \odot Z_3 \vee \odot Y \vee \neg J^e_i \wedge \odot X\big)\Big) \\
\vdots \\
\mu Y\Big(\bigvee_{i=1}^{m} \nu X\big(J^s_n \wedge \odot Z_1 \vee \odot Y \vee \neg J^e_i \wedge \odot X\big)\Big)
\end{bmatrix}. \tag{3}$$
Intuitively, for j ∈ [1..n] and i ∈ [1..m] the greatest fixpoint νX(J^s_j ∧ ⊙Z_{j⊕1} ∨ ⊙Y ∨ ¬J^e_i ∧ ⊙X) characterizes the set of
states from which the system can force the play either to stay indefinitely in ¬J^e_i states (thus violating the left-hand side
of the implication) or in a finite number of steps reach a state in the set J^s_j ∧ ⊙Z_{j⊕1} ∨ ⊙Y. The two outer fixpoints make
sure that the system wins from the set J^s_j ∧ ⊙Z_{j⊕1} ∨ ⊙Y. The least fixpoint μY makes sure that the unconstrained phase
of a play represented by the disjunct ⊙Y is finite and ends in a J^s_j ∧ ⊙Z_{j⊕1} state. Finally, the greatest fixpoint νZ_j is
responsible for ensuring that, after visiting J^s_j, we can loop and visit J^s_{j⊕1} and so on. By the cyclic dependence of the
outermost greatest fixpoint, either all the sets in J^s_j are visited or, getting stuck in some inner greatest fixpoint, some J^e_i is
visited only finitely many times.
Lemma 2. (See [18].) $W_s = [\![\varphi]\!]$.
5 This does not suggest a canonical translation from vector formulas to plain formulas. The same translation works for the formula in Eq. (3) below. Note
that the formula in Eq. (2) and the formula in Eq. (3) have a very similar structure.
Fig. 1. Jtlv implementation of Eq. (3).
We include in Fig. 1 a (slightly simplified) code of the implementation of this μ-calculus formula in Jtlv ([40]). We denote the system and environment players by sys and env, respectively. We denote $J^e_i$ and $J^s_j$ by env.Ji(i) and sys.Ji(j), respectively. The operator $\circledcirc$ is denoted by cox. We use Fix to iterate over the fixpoint values. The loop terminates if two successive values are the same. We use mem to collect the intermediate values of Y and X. We denote by mY the two-dimensional vector ranging over 1..n and 1..k, where k is the depth of the least fixpoint iteration of Y. We denote by mX a three-dimensional vector ranging over 1..n, 1..k, and 1..m. We use the sets mY[j][r] and their subsets mX[j][r][i] to define n memoryless strategies for the system. The strategy $f_j$ is defined on the states in $Z_j$. We show that the strategy $f_j$ either forces the play to visit $J^s_j$ and then proceed to $Z_{j\oplus 1}$, or eventually avoid some $J^e_i$. We show that by combining these strategies, either the system switches strategies infinitely many times and ensures that the play satisfies the right-hand side of the implication, or it eventually uses a fixed strategy ensuring that the play does not satisfy the left-hand side of the implication. Essentially, the strategies are "go to mY[j][r] for minimal r" until getting to a $J^s_j$ state and then switch to strategy $j \oplus 1$, or "stay in mX[j][r][i]".
It follows that we can solve realizability of ltl formulas in the form that interests us in polynomial (quadratic) time.
Theorem 3. (See [18].) A game structure $G$ with a gr(1) winning condition of the form $\varphi = \bigwedge_{i=1}^{m} \Box\Diamond J^e_i \rightarrow \bigwedge_{j=1}^{n} \Box\Diamond J^s_j$ can be solved by a symbolic algorithm that performs $O(nm|\Sigma|^2)$ next step computations, where $\Sigma$ is the set of all possible assignments to the variables in $\varphi$.
A straightforward implementation of the fixpoint computation gives a cubic upper bound. Implementing the approach of [36] reduces the complexity in $|\Sigma|$ to quadratic, as stated. Their approach starts computations of fixpoints from earlier approximations of their values. Thus, the fixpoint is not restarted from scratch, leading to significant savings. An enumerative algorithm (i.e., an algorithm that handles states individually rather than sets of states) can solve a gr(1) game structure in time $O(nm|\Sigma||T|)$, where $|T|$ is the number of transitions in the game [41].⁶
Following Theorem 1, we prove the following about the connection between solving gr(1) games and realizability. Consider a gr(1) game $G: \langle \mathcal V, \mathcal X, \mathcal Y, \theta_e, \theta_s, \rho_e, \rho_s, \varphi\rangle$, where $\varphi = \bigwedge_{i=1}^{m} \Box\Diamond J^e_i \rightarrow \bigwedge_{j=1}^{n} \Box\Diamond J^s_j$. Let
$$\varphi_G = (\theta_e \rightarrow \theta_s) \wedge \big(\theta_e \rightarrow \Box((\boxminus\rho_e) \rightarrow \rho_s)\big) \wedge \big((\theta_e \wedge \Box\rho_e) \rightarrow \varphi\big).$$
6 We note that in the previous versions [18,1] the analysis of complexity was not accurate and in particular higher than stated above. This led to some
confusion in the exact complexity of solving gr(1) games. In particular, in [42] an enumerative algorithm for gr(1) games is suggested whose complexity is
higher than the complexity stated above. It is, however, better than the stated complexity in previous publications.
Intuitively, this formula is split into three levels: initial, safety, and liveness levels. In order to realize this formula the
system needs to satisfy the same levels the environment does. For instance, if the environment chooses an initial assignment
satisfying θe , the system cannot choose an initial assignment violating θs even if the environment later violates ρe .
Theorem 4. The system wins in G iff ϕG is realizable.
Proof. Recall that if the system wins $G$, finite memory suffices. Let $M$ be some memory domain and $m_0$ its designated initial value. Suppose that $f : M \times \Sigma \times \Sigma_{\mathcal X} \rightarrow M \times \Sigma_{\mathcal Y}$ is a winning strategy for the system in $G$. Furthermore, for every $s_{\mathcal X} \in \Sigma_{\mathcal X}$ such that $s_{\mathcal X} \models \theta_e$ there exists an $s_{\mathcal Y} \in \Sigma_{\mathcal Y}$ such that $(s_{\mathcal X}, s_{\mathcal Y}) \models \theta_e \wedge \theta_s$ and $(s_{\mathcal X}, s_{\mathcal Y}) \in W_s$. We use $f$ to construct a fairness-free fds that realizes $\varphi_G$.
Let $|M| = k$ and let $\mathcal M = \{m_1, \ldots, m_{\log(k)}\}$ be Boolean variables. It follows that an assignment to $\mathcal M$ characterizes a value in $M$. By abuse of notation, we denote by $m$ the value in $M$, the assignment to $\mathcal M$ that represents that value, and the assertion over $\mathcal M$ whose unique satisfying assignment is $m$. Similarly, for a state $s \in \Sigma$, we denote by $s$ the assertion whose unique satisfying assignment is $s$. Consider the fairness-free fds $D = \langle \hat{\mathcal V}, \hat\theta, \hat\rho\rangle$ with the following components.
• $\hat{\mathcal V} = \mathcal X \cup \mathcal Y \cup \mathcal M$.
• $\hat\theta = \theta_e \rightarrow (\theta_s \wedge m_0 \wedge W_s)$.
That is, if the assignment to $\mathcal X$ satisfies $\theta_e$ then the assignment to $\mathcal Y$ ensures $\theta_s$ and the joint assignment to $\mathcal X$ and $\mathcal Y$ (i.e., the state) is in $W_s$. Furthermore, the initial memory value is $m_0$. If the assignment to the input variables does not satisfy $\theta_e$ then the choice of $m$ and $s_{\mathcal Y}$ is arbitrary.
• For the definition of $\hat\rho$ we write the strategy $f$ as an assertion as follows:
$$\hat f = \bigwedge_{m \in M} \;\bigwedge_{s \in W_s} \;\bigwedge_{s'_{\mathcal X} \in \Sigma_{\mathcal X}} \big((m \wedge s \wedge s'_{\mathcal X}) \rightarrow f(m, s, s'_{\mathcal X})'\big).$$
That is, depending on the current value of $m$, $s$, and $s'_{\mathcal X}$, the assignment to $m'$ and $s'_{\mathcal Y}$ respects the strategy $f$.
Finally, $\hat\rho$ is the following assertion:
$$\hat\rho = (W_s \wedge \rho_e) \rightarrow \hat f .$$
That is, if the current state $s$ is winning for the system ($W_s$) and the environment chooses an input $s'_{\mathcal X}$ such that $(s, s'_{\mathcal X}) \models \rho_e$, then the system updates the memory and chooses outputs $s'_{\mathcal Y}$ according to $f$. If the current state is winning for the environment or the environment does not satisfy its transition, the choice of memory value and output is arbitrary.
We have to show that $D$ is complete with respect to $\mathcal X$ and that $D \models \varphi_G$. Completeness of $D$ follows from the definition of winning in $G$ and from the definition of the strategy $f$. Indeed, as the system wins $G$, for every $s_{\mathcal X} \in \Sigma_{\mathcal X}$ such that $s_{\mathcal X} \models \theta_e$ there exists a state $s \in \Sigma$ such that $s \in W_s$ and $s \models \theta_e \wedge \theta_s$. Furthermore, if $s_{\mathcal X} \not\models \theta_e$ then, by definition of $\hat\theta$, for every state $s$ such that $s|_{\mathcal X} = s_{\mathcal X}$ we have $s \models \hat\theta$. Similarly, for every $m \in M$, $s \in \Sigma$, and $s'_{\mathcal X} \in \Sigma_{\mathcal X}$, if $s \in W_s$ and $(s, s'_{\mathcal X}) \models \rho_e$ then $\hat f$ defines values $s'_{\mathcal Y}$ and $m'$ such that $(s, m, s'_{\mathcal X}, m', s'_{\mathcal Y}) \models \hat\rho$. If $s \notin W_s$ or $(s, s'_{\mathcal X}) \not\models \rho_e$ then for every $s'_{\mathcal Y} \in \Sigma_{\mathcal Y}$ we have $(s, m, s'_{\mathcal X}, m', s'_{\mathcal Y}) \models \hat\rho$.
We have to show that $D \models \varphi_G$. Consider an infinite computation $\sigma: s_0, s_1, \ldots$ of $D$. Clearly, if $s_0 \not\models \theta_e$ then $\sigma \models \varphi_G$. Assume that $s_0 \models \theta_e$; then by definition of $\hat\theta$ we have $s_0 \models \theta_s$ and $s_0 \in W_s$ as well. Suppose now that for some $i'$ we have $(s_{i'}, s_{i'+1}) \not\models \rho_e$. Let $i_0$ be the minimal such that $(s_{i_0}, s_{i_0+1}) \not\models \rho_e$. We can show by induction that for every $i < i_0$ we have $s_i \in W_s$ and $(s_i, s_{i+1}) \models \rho_s$. It follows that $\sigma \models \Box(\boxminus\rho_e \rightarrow \rho_s)$ as required. Finally, as $\sigma \not\models \Box\rho_e$ the third clause holds as well. The remaining case is when $\sigma \models \Box\rho_e$. We can show by induction that for every $i \ge 0$ we have $(s_i, s_{i+1}) \models \rho_s$. We have to show that $\sigma \models \varphi$ as well. However, $\sigma|_{\mathcal X \cup \mathcal Y}$ is a play in $G$ that is compliant with $f$. It follows that $\sigma \models \varphi$ as required. Overall, $D \models \varphi_G$.
Suppose that there exists a fairness-free fds $D = \langle \hat{\mathcal V}, \hat\theta, \hat\rho\rangle$ that is complete with respect to $\mathcal X$ and such that $D \models \varphi_G$. We use the states of $D$ as the memory domain for the construction of a strategy $f$. Let $t_{in}$ be a new state to be used as the initial value of the memory. Formally, for a memory value $t$ we define $f(t, s, s'_{\mathcal X}) = (t', s'_{\mathcal Y})$ as follows.
• If $t = t_{in}$ then we define $t'$ and $s'_{\mathcal Y}$ as follows.
– If $s \models \theta_e \wedge \theta_s$ and there exists a state $t_0 \models \hat\theta$ such that $t_0|_{\mathcal X \cup \mathcal Y} = s$ then, by completeness of $D$, there exists a successor $t'$ of $t_0$ such that $t'|_{\mathcal X} = s'_{\mathcal X}$, and we set $s'_{\mathcal Y} = t'|_{\mathcal Y}$.
– If $s \not\models \theta_e \wedge \theta_s$ or there is no state $t_0 \models \hat\theta$ such that $t_0|_{\mathcal X \cup \mathcal Y} = s$ then we choose arbitrary $t'$ and $s'_{\mathcal Y}$ (if at all).
• If $t \ne t_{in}$ then we define $t'$ and $s'_{\mathcal Y}$ as follows.
– If $t|_{\mathcal X \cup \mathcal Y} = s$, then, by completeness of $D$, the state $t$ has a successor $t''$ such that $t''|_{\mathcal X} = s'_{\mathcal X}$. We set $t' = t''$ and $s'_{\mathcal Y} = t''|_{\mathcal Y}$.
– If $t|_{\mathcal X \cup \mathcal Y} \ne s$, then $t'$ and $s'_{\mathcal Y}$ are arbitrary.
We claim that this strategy is winning from every state $s$ for which there exists a state $t_0$ such that $t_0 \models \hat\theta$ and $t_0|_{\mathcal X \cup \mathcal Y} = s$. Consider such a state $s_0$. Then for every $s'_{\mathcal X}$ such that $(s_0, s'_{\mathcal X}) \models \rho_e$ there exist $t_1$ and $s'_{\mathcal Y}$ such that $(t_0, t_1) \models \rho_s$, $t_1|_{\mathcal X} = s'_{\mathcal X}$, and $t_1|_{\mathcal Y} = s'_{\mathcal Y}$. Consider a play $\sigma: s_0, \ldots, s_n$ compliant with $f$, where the sequence of memory values is $\tau: t_0, \ldots, t_n$. It is simple to show by induction that for every $j \ge 1$ we have $t_j|_{\mathcal X \cup \mathcal Y} = s_j$. Consider a value $s'_{\mathcal X}$ such that $(s_n, s'_{\mathcal X}) \models \rho_e$. By completeness of $D$ there exists a memory value $t_{n+1}$ such that $(t_n, t_{n+1}) \models \hat\rho$ and $t_{n+1}|_{\mathcal X} = s'_{\mathcal X}$, so the strategy $f$ is defined. Furthermore, from $D \models \varphi_G$ it follows that $(t_n, t_{n+1}) \models \rho_s$. Thus, $t_{n+1}|_{\mathcal Y}$ is a valid choice of the strategy $f$.
Consider an infinite play $\sigma: s_0, \ldots$ compliant with $f$, where $\tau: t_0, \ldots$ is the associated sequence of memory values. Then, as $\tau$ is a computation of $D$ (modulo the initial state), it follows that $\tau \models \varphi_G$. We conclude that $\sigma \models \varphi$.
Finally, we have to show that for every value $s'_{\mathcal X}$ such that $s'_{\mathcal X} \models \theta_e$ there exists a value $s'_{\mathcal Y}$ such that $(s'_{\mathcal X}, s'_{\mathcal Y}) \models \theta_e \wedge \theta_s$. However, this follows from the completeness of $D$ and from the inclusion of $\theta_e$ on the left-hand side of every implication in $\varphi_G$. $\square$
3.3. Symbolic Jds speciﬁcations
We would like to use gr(1) games to solve realizability directly from ltl formulas. In many practical cases, the specification is partitioned into assumptions and guarantees. Each assumption or guarantee is relatively simple, and together they have the semantics that the conjunction of all assumptions implies the conjunction of all guarantees. To support this claim, we will demonstrate in Section 6 the application of the synthesis method to a realistic industrial specification. Here we suggest to embed such specifications directly into a gr(1) game, giving rise to the strict semantics of the implication. In Section 5 we discuss the differences between the strict semantics and the simple implication.
Recall that the temporal semantics of a jds $D$ has the following form:
$$\varphi_D : \theta \wedge \Box\big(\rho(\mathcal V, \bigcirc\mathcal V)\big) \wedge \bigwedge_{J \in \mathcal J} \Box\Diamond J .$$
Let $\mathcal X$ and $\mathcal Y$ be finite sets of typed input and output variables, respectively, and let $\mathcal V = \mathcal X \cup \mathcal Y$. We say that a jds is output independent if $\theta$ does not relate to $\mathcal Y$ and $\rho$ does not depend on the value of $\mathcal Y$ in the next state. That is, $\rho$ can be expressed as an assertion over $\mathcal X \cup \mathcal Y \cup \mathcal X'$. A jds can be represented by a triplet $\langle \varphi_i, \Phi_t, \Phi_g\rangle$ with the following parts.
• $\varphi_i$ is an assertion which characterizes the initial states (i.e., $\theta$ above).
• $\Phi_t = \{\psi_i\}_{i \in I_t}$ is a set of Boolean formulas $\psi_i$, where each $\psi_i$ is a Boolean combination of variables from $\mathcal X \cup \mathcal Y$ and expressions of the form $\bigcirc v$ where $v \in \mathcal X$ if the jds is output independent, and $v \in \mathcal X \cup \mathcal Y$ otherwise. That is, $\rho(\mathcal V, \bigcirc\mathcal V)$ is the conjunction of all the assertions in $\Phi_t$.
• $\Phi_g = \{J_i\}_{i \in I_g}$ is a set of Boolean formulas (i.e., $\Phi_g$ is a different name for $\mathcal J$).
The intended semantics of the triplet $\langle \varphi_i, \Phi_t, \Phi_g\rangle$ is
$$\varphi_i \wedge \bigwedge_{i \in I_t} \Box\psi_i \wedge \bigwedge_{i \in I_g} \Box\Diamond J_i .$$
Consider the case where assumptions and guarantees have the following forms: (i) $\psi$ for an assertion over $\mathcal V$, (ii) $\Box\psi$ for an assertion over $\mathcal V \cup \mathcal V'$, or (iii) $\Box\Diamond\psi$ for an assertion over $\mathcal V$. Then, we can partition the Boolean components of assumptions or guarantees into triplets as explained above.
Let $S_\alpha = \langle \varphi^\alpha_i, \Phi^\alpha_t, \Phi^\alpha_g\rangle$ for $\alpha \in \{e, s\}$ be two specifications as described above, where $S_e$ is output independent. Here $S_e$ is a description of the environment (i.e., results from the assumptions) and $S_s$ is the description of the system (i.e., results from the guarantees). The specifications $S_e$ and $S_s$ naturally give rise to the following game. The strict realizability game for $S_e$ and $S_s$ is $G^{sr}_{e,s}: \langle \mathcal V, \mathcal X, \mathcal Y, \theta_e, \theta_s, \rho_e, \rho_s, \varphi\rangle$ with the following components.⁷
• $\mathcal V = \mathcal X \cup \mathcal Y$.
• $\theta_e = \varphi^e_i$.
• $\theta_s = \varphi^s_i$.
• $\rho_e = \bigwedge_{i \in I^e_t} \psi^e_i$.
• $\rho_s = \bigwedge_{i \in I^s_t} \psi^s_i$.
• $\varphi = \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i \rightarrow \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i$.
By Theorem 4 the game $G^{sr}_{e,s}$ is winning for the system iff the following formula is realizable:
$$\varphi^{sr}_{e,s} = (\varphi^e_i \rightarrow \varphi^s_i) \wedge \big(\varphi^e_i \rightarrow \Box((\boxminus\rho_e) \rightarrow \rho_s)\big) \wedge \Big(\varphi^e_i \wedge \Box\rho_e \wedge \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i \rightarrow \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i\Big).$$
The proof of Theorem 4 also tells us how to extract an implementation for $\varphi^{sr}_{e,s}$ from the winning strategy in $G^{sr}_{e,s}$.
⁷ The name strict realizability when referring to such a composition was coined in [43].
3.4. Example: Lift controller
As an example, we consider a simple lift controller. We specify a lift controller serving $n$ floors. We assume the lift has $n$ button sensors ($b_1, \ldots, b_n$) controlled by the environment. The lift may be requested on every floor; once the lift has been called on some floor the request cannot be withdrawn. Initially, there are no requests on any floor. The location of the lift is modeled by $n$ Boolean variables ($f_1, \ldots, f_n$) controlled by the system. Once a request has been fulfilled it is removed. Formally, the specification of the environment is $S_e = \langle \varphi^e_i, \{\psi^e_{1,1}, \ldots, \psi^e_{1,n}, \psi^e_{2,1}, \ldots, \psi^e_{2,n}\}, \emptyset\rangle$, where the components of $S_e$ are as follows:
$$\varphi^e_i = \bigwedge_j \neg b_j, \qquad \psi^e_{1,j} = b_j \wedge f_j \rightarrow \bigcirc\neg b_j, \qquad \psi^e_{2,j} = b_j \wedge \neg f_j \rightarrow \bigcirc b_j .$$
We expect the lift to initially start on the first floor. We model the location of the lift by an $n$-bit array. Thus we have to demand mutual exclusion on this array. The lift can move at most one floor at a time, and must eventually satisfy every request. Formally, the specification of the system is $S_s = \langle \varphi^s_i, \{\psi^s_1, \psi^s_{2,1}, \ldots, \psi^s_{2,n}, \psi^s_{3,1}, \ldots, \psi^s_{3,n}\}, \{J^s_1, \ldots, J^s_{n+1}\}\rangle$, where the components of $S_s$ are as follows:
$$\varphi^s_i = \bigwedge_j \big((j = 1 \wedge f_j) \vee (j \ne 1 \wedge \neg f_j)\big),$$
$$\psi^s_1 = up \rightarrow sb, \qquad \psi^s_{2,j} = \bigwedge_{k \ne j} \neg(f_j \wedge f_k), \qquad \psi^s_{3,j} = f_j \rightarrow \bigcirc(f_j \vee f_{j-1} \vee f_{j+1}),$$
$$J^s_j = b_j \rightarrow f_j, \qquad J^s_{n+1} = f_1 \vee sb,$$
where $up = \bigvee_i (f_i \wedge \bigcirc f_{i+1})$ denotes that the lift moves one floor up, and $sb = \bigvee_i b_i$ denotes that at least one button is pressed. The requirement $\psi^s_1$ states that the lift should not move up unless some button is pressed. The liveness requirement $J^s_{n+1}$ states that either some button is pressed infinitely many times, or the lift parks at floor $f_1$ infinitely many times. Together they imply that when there is no active request, the lift should move down and park at floor $f_1$.
The strict realizability game for $S_e$ and $S_s$ is won by the system, implying that there is a controller realizing $\varphi^{sr}_{e,s}$.
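The following is an added example, not code from the paper or from Jtlv: an explicit-state Python rendering of the fixpoint of Eq. (3) (Section 3.2), of the strict realizability game of Section 3.3, and of the lift specification above, with sets of states in place of bdds. The floor count n = 3, the encoding of states as (button bits, floor bits) and the unrealizable variant that forbids moving up are assumptions made for this example.

```python
"""Explicit-state solver for the gr(1) fixpoint of Eq. (3), run on the lift
controller of Section 3.4. Added example, not the paper's Jtlv/bdd code of
Fig. 1: sets of states stand in for bdds, and the controllable predecessor
is computed by enumerating successors."""
from itertools import product

N = 3                                   # number of floors (constructed instance)
BITS = list(product((0, 1), repeat=N))  # all assignments to n Boolean variables

def lift_game(n=N, can_go_up=True):
    """Strict realizability game G^sr_{e,s} (Section 3.3) for the lift.
    A state is (b, f): b = button bits (inputs X), f = floor bits (outputs Y).
    can_go_up=False replaces psi^s_1 by 'never move up', giving an
    unrealizable variant: the environment just presses a high button."""
    states = [(b, f) for b in BITS for f in BITS]
    F = lambda f, j: f[j] if 0 <= j < n else 0   # f_0 and f_{n+1} read as false
    theta_e = lambda b: not any(b)                 # phi^e_i: no request initially
    theta_s = lambda f: f[0] == 1 and sum(f) == 1  # phi^s_i: lift at floor 1

    def rho_e(s, b2):                              # psi^e_{1,j} and psi^e_{2,j}
        b, f = s
        return all((not (b[j] and f[j]) or not b2[j])       # served: cleared
                   and (not (b[j] and not f[j]) or b2[j])   # pending: kept
                   for j in range(n))

    def rho_s(s, b2, f2):                # psi^s_1, psi^s_{2,j}, psi^s_{3,j}
        b, f = s
        up = any(f[j] and F(f2, j + 1) for j in range(n))
        mutex = sum(f) <= 1              # at most one floor bit set
        step = all(not f[j] or F(f2, j) or F(f2, j - 1) or F(f2, j + 1)
                   for j in range(n))    # move at most one floor per step
        return (not up or (can_go_up and any(b))) and mutex and step

    # J^s_j = b_j -> f_j for each floor, J^s_{n+1} = f_1 \/ sb; no J^e at all
    J_sys = [{s for s in states if not s[0][j] or s[1][j]} for j in range(n)]
    J_sys.append({s for s in states if s[1][0] or any(s[0])})
    return states, theta_e, theta_s, rho_e, rho_s, [], J_sys

def controllable_pred(game):
    """Controllable predecessor (cox in Fig. 1): cpre(T) holds the states from
    which, for every environment move obeying rho_e, the system has a rho_s
    move landing in T. Successor lists are enumerated once."""
    states, _, _, rho_e, rho_s, _, _ = game
    succ = {s: [[(b2, f2) for f2 in BITS if rho_s(s, b2, f2)]
                for b2 in BITS if rho_e(s, b2)] for s in states}
    return lambda T: {s for s in states
                      if all(any(t in T for t in opts) for opts in succ[s])}

def solve_gr1(game):
    """W_s = [[phi_gr]] of Eq. (3): the vector (Z_1..Z_n) of greatest fixpoints
    is iterated from the top, row j reading Z_{j (+) 1}; mu Y starts from the
    empty set and nu X from all states, exactly as the formula reads."""
    states, _, _, _, _, J_env, J_sys = game
    cpre, top = controllable_pred(game), set(states)
    J_env = J_env or [top]        # no assumptions: the single assumption 'true'
    n = len(J_sys)
    Z = [top] * n
    while True:
        new_Z = []
        for j in range(n):
            Y = set()
            while True:
                start = (J_sys[j] & cpre(Z[(j + 1) % n])) | cpre(Y)
                new_Y = set()
                for Je in J_env:
                    X = top
                    while True:
                        new_X = start | ((top - Je) & cpre(X))
                        if new_X == X:
                            break
                        X = new_X
                    new_Y |= X
                if new_Y == Y:
                    break
                Y = new_Y
            new_Z.append(Y)
        if new_Z == Z:
            return Z[0]           # at the fixpoint all Z_j coincide with W_s
        Z = new_Z

def realizable(game):
    """Initial check behind Theorem 4: every environment initial choice that
    satisfies theta_e must admit a theta_s choice inside the winning region."""
    states, theta_e, theta_s = game[:3]
    W = solve_gr1(game)
    return all(any(theta_s(f) and (b, f) in W for f in BITS)
               for b in BITS if theta_e(b))

if __name__ == "__main__":
    print("lift of Section 3.4 realizable:", realizable(lift_game()))
    print("lift that may never move up:   ", realizable(lift_game(can_go_up=False)))
```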
4. GR(1) strategies
In this section we discuss how to extract a program from the solution of the gr(1) game. First, we show how to analyze
the intermediate values and how to extract from them a winning strategy for the system. Then, we show how this strategy
can be reduced in size in some cases. Finally, we show how to extract from the symbolic bdd representation of the strategy
a deterministic strategy that can be used for creating an hdl description of a resulting circuit.
4.1. Extracting the strategy
We show how to use the intermediate values in the computation of the fixpoint to produce an fds that implements $\varphi$. The fds basically follows the strategies explained in Section 3.2. Recall that the combined strategy does one of two things. Either it iterates over the strategies $f_1, \ldots, f_n$ infinitely often, where strategy $f_j$ ensures that the play reaches a $J^s_j$ state, so that the play satisfies all liveness guarantees; or it eventually uses a fixed strategy ensuring that the play does not satisfy one of the liveness assumptions.
$$\rho_1 = \bigvee_{j \in [1..n]} (Z_n = j) \wedge J^s_j \wedge \rho_s \wedge Z' \wedge (Z'_n = j \oplus 1),$$
$$\rho_2(j) = \bigvee_{r > 1} mY[j][r] \wedge \neg mY[j][<r] \wedge \rho_s \wedge mY'[j][<r], \qquad \rho_2 = \bigvee_{j \in [1..n]} (Z_n = Z'_n = j) \wedge \rho_2(j),$$
$$\rho_3(j) = \bigvee_r \bigvee_{i \in [1..m]} mX[j][r][i] \wedge \neg mX[j][\prec(r, i)] \wedge \neg J^e_i \wedge \rho_s \wedge mX'[j][r][i], \qquad \rho_3 = \bigvee_{j \in [1..n]} (Z_n = Z'_n = j) \wedge \rho_3(j).$$
Fig. 2. The transitions definition.
Let $Z_n = \{z_0, \ldots, z_k\}$ be a set of Boolean variables that encode a counter ranging over $[1..n]$. We denote by $Z_n = j$ the variable assignment that encodes the value $j$. Let $\mathcal X$ and $\mathcal Y$ be finite sets of input and output variables, respectively, and $\varphi$ be a gr(1) winning condition. Let $G = \langle \mathcal V, \mathcal X, \mathcal Y, \theta_e, \theta_s, \rho_e, \rho_s, \varphi\rangle$ be a game structure (where $\mathcal V = \mathcal X \cup \mathcal Y$). We show how to construct a fairness-free fds $D = \langle \mathcal V_D, \theta_D, \rho\rangle$, where $\mathcal V_D = \mathcal V \cup Z_n$, such that $D$ is complete with respect to $\mathcal X$. Let $Z$ be the BDD representing the set of winning states. Following Theorem 4, we set $\theta_D = \theta_e \rightarrow (\theta_s \wedge Z_n = 1 \wedge Z)$. Recall that $Z$ is the variable representing the winning states for the system (as in Fig. 1). The variable $Z_n$ is used to store internally which strategy should be applied. The transition relation $\rho$ is $(\rho_e \wedge Z) \rightarrow (\rho_1 \vee \rho_2 \vee \rho_3)$, where $\rho_1$, $\rho_2$, and $\rho_3$ are formally defined in Fig. 2 and described below.
We use the sets $mY[j][r]$ and their subsets $mX[j][r][i]$ to construct the strategies $f_1, \ldots, f_n$ collected for the system, where $j$ ranges over the number of strategies, $r$ ranges over the number of iterations of the least fixpoint at the $j$th strategy, and $i$ ranges over the number of assumptions. Let $mY[j][<r]$ denote the set $\bigcup_{l \in [1..r-1]} mY[j][l]$. We write $(r', i') \prec (r, i)$ to denote that the pair $(r', i')$ is lexicographically smaller than the pair $(r, i)$. That is, either $r' < r$, or $r' = r$ and $i' < i$. Let $mX[j][\prec(r, i)]$ denote the set $\bigcup_{(r', i') \prec (r, i)} mX[j][r'][i']$.
Transitions in $\rho_1$ are taken when a $J^s_j$ state is reached and we change strategy from $f_j$ to $f_{j\oplus 1}$. The counter $Z_n$ is updated accordingly. Transitions in $\rho_2$ are taken when we can get closer to a $J^s_j$ state. These transitions go from states in $mY[j][r]$ to states in $mY[j][r']$ where $r' < r$. We require that $r'$ is strictly smaller than $r$ to ensure that the phase of the play where neither the guarantees are satisfied nor the assumptions are violated is bounded. Note that there is no need to add transitions that start from states in $mY[j][1]$ to $\rho_2(j)$, because these transitions are already included in $\rho_1$. The conjunct $\neg mY[j][<r]$ appearing in $\rho_2(j)$ ensures that each state is considered once, in its minimal entry.
Transitions in $\rho_3$ start from states $s \in mX[j][r][i]$ such that $s \models \neg J^e_i$ and take us back to states in $mX[j][r][i]$. Repeating such a transition forever also leads to a legitimate computation, because it violates the environment requirement of infinitely many visits to $J^e_i$-states. Again, to avoid redundancies we apply this transition only to states $s$ for which $(r, i)$ are the lexicographically minimal indices such that $s \in mX[j][r][i]$. The conjuncts $\neg mX[j][\prec(r, i)]$ appearing in the transitions $\rho_3(j)$ ensure that each state is considered once, in its minimal entry.
Note that the above transition relation can be computed symbolically. We show the Jtlv code that symbolically constructs
the transition relation of the synthesized fds in Fig. 3. We denote the resulting controller by ctrl. The functionality of all
used methods is self-explanatory.
4.2. Minimizing the strategy
In the previous section, we have shown how to create an fds that implements an ltl goal $\varphi$. The set of variables of this fds includes the given set of input and output variables as well as the 'memory' variables $Z_n$. This fds follows a very liberal policy when choosing the next successor in the case of a visit to $J^s_j$, i.e., it chooses an arbitrary successor in the winning set. In the following, we use this freedom to minimize (symbolically) the resulting fds. Notice that our fds is deterministic with respect to $\mathcal X \cup \mathcal Y$. That is, for every state and every possible assignment to the variables in $\mathcal X \cup \mathcal Y$ there exists at most one successor state with this assignment.⁸ As $\mathcal X$ and $\mathcal Y$ and the restrictions on their possible changes are part of the specification, removing transitions seems to be of lesser importance. We concentrate on removing redundant states.
Since we are using the given sets of variables $\mathcal X$ and $\mathcal Y$, the only possible candidate states for merging are states that agree on the values of variables in $\mathcal X \cup \mathcal Y$ and disagree on the value of $Z_n$. If we find two states $s$ and $s'$ such that $\rho(s, s')$, $s|_{\mathcal X \cup \mathcal Y} = s'|_{\mathcal X \cup \mathcal Y}$, and $s'|_{Z_n} = s|_{Z_n} \oplus 1$, we remove state $s$. We direct all its incoming arrows to $s'$ and remove its outgoing arrows. Intuitively, we can do that because the specification does not relate to the variable $Z_n$. Consider a computation where the sequence $(s_0, s', s_1)$ appears and results from separate transitions $(s_0, s)$ and $(s', s_1)$. Consider the case that there is no successor $s'_1$ of $s$ such that $s'_1|_{\mathcal X \cup \mathcal Y} = s_1|_{\mathcal X \cup \mathcal Y}$, and similarly for a predecessor $s'_0$ of $s'$. By $s|_{\mathcal X \cup \mathcal Y} = s'|_{\mathcal X \cup \mathcal Y}$ we conclude that $(s_0, s') \models \rho_e \wedge \rho_s$. Furthermore, if some $J$ is visited in $s$ then the same $J$ is visited in $s'$, and the progress of $Z_n$ ensures that an infinite computation satisfies all required liveness constraints.
⁸ On the other hand, the fds may be non-deterministic with respect to $\mathcal X$. That is, for a given state $s$ and a given assignment $s'_{\mathcal X}$ to $\mathcal X$, there may be multiple $s'_{\mathcal Y}$ such that $(s, s'_{\mathcal X}, s'_{\mathcal Y})$ satisfies the transition of $D$.
Fig. 3. The symbolic construction of the fds.
The symbolic implementation of the minimization is given in Fig. 4. The transition obseq includes all possible assignments to $\mathcal V$ and $\mathcal V'$ such that all variables except $Z_n$ maintain their values. It is enough to consider the transitions from $Z_n = j$ to $Z_n = j \oplus 1$ for all $j$, and then from $Z_n = n$ to $Z_n = j$ for all $j$, to remove all redundant states. This is because the original transition only allows $Z_n$ to increase by one.
This minimization can signiﬁcantly reduce the numbers of states and so lead to smaller explicit-state representations
of a program. However, it turns out that the minimization increases the size of the symbolic representation, i.e., the bdds.
Depending on the application, we may want to keep the size of bdds minimal rather than minimize the fds. In the next
section, we minimize the symbolic representation to reduce the size of the resulting circuit.
4.3. Generating circuits from bdds
In this section, we describe how to construct a Boolean circuit from the strategy in Section 4.1. A strategy is a bdd over the variables $\mathcal X$, $\mathcal Y$, $Z_n$, $\mathcal X'$, $\mathcal Y'$, and $Z'_n$, where $\mathcal X$ are input variables, $\mathcal Y$ are output variables, $Z_n$ are the variables encoding the memory of the strategy, and the primed versions represent next state variables. The corresponding circuit contains $|\mathcal X| + |\mathcal Y| + |Z_n|$ flipflops to store the values of the inputs and outputs in the last clock tick as well as the extra memory needed for applying the strategy (see Fig. 5). In every step, the circuit reads the next input values $\mathcal X'$ and determines the next output values $\mathcal Y'$ (and $Z'_n$) using combinational logic with inputs $I = \mathcal X \cup \mathcal Y \cup Z_n \cup \mathcal X'$. Note that the strategy does not prescribe a unique combinational output for every combinational input. In most cases, multiple outputs are possible; in states that do not occur when the system adheres to the strategy, no outputs may be allowed. Both issues need to be solved before translation to a combinational circuit. That is, we have to fix exactly one possible output for every possible value of the flipflops and the inputs.
The extant solution [44] yields a circuit that can generate, for a given input, any output allowed by the strategy. To this end, it uses a set of extra inputs to the combinational logic. Note that this is more general than what we need: a circuit that always yields one valid output given an input. Our experience shows that this may come at a heavy price in terms of the size of the logic [3].
Fig. 4. The symbolic algorithm of the minimization.
Fig. 5. Diagram of generated circuit.
Due to these scalability problems of [44], we devised the following method to extract a combinational circuit from a bdd that matches our setting. Our method uses the pseudo code shown in Fig. 6.
We write outputs and inputs to denote the set of all combinational outputs and inputs, respectively. We denote by set_minus(outputs,y) the functionality which excludes y from the set outputs. For every combinational output y we construct a function f_y in terms of $\mathcal X$ that is compatible with the given strategy bdd. The algorithm proceeds through the combinational outputs y one by one. First, we build trans_y to get a bdd that restricts only y in terms of $\mathcal X$. Then we build the positive and negative cofactors (p,n) of trans_y with respect to y, that is, we find the sets of inputs for which y can be 1 and the sets of inputs for which y can be 0. For the inputs that occur both in the positive cofactor and in the negative cofactor, both 0 and 1 are possible values. The combinational inputs that are neither in the positive cofactor nor in the negative cofactor are outside the winning states and thus represent situations that cannot occur (as long as the environment satisfies the assumptions). Thus, f_y has to be 1 in p ∩ !n and 0 in (!p ∩ n), which gives us the set of care states. We minimize the positive cofactor with the care set to obtain the function f_y. Finally, we substitute variable y in comb by f_y, and proceed with the next variable. The substitution is necessary since a combinational output may also depend on other combinational outputs.
Fig. 6. Algorithm to construct a circuit from a bdd.
Fig. 7. Extension to algorithm in Fig. 6.
The resulting circuit is constructed by writing the bdds for the functions using cudd's DumpBlif command [45].
In the following we describe two extensions that are simple and effective.
4.3.1. Optimizing the cofactors
The algorithm presented in Fig. 6 generates a function in terms of the combinational inputs for every combinational
output. Some outputs may not depend on all inputs and we would like to remove unnecessary inputs from the functions.
Consider the positive cofactor and the negative cofactor of a variable y. If the cofactors do not overlap when we existentially
quantify variable x, then variable x is not needed to distinguish between the states where y has to be 1 and where y has
to be 0. Thus, variable x can be simply left out. We adapt the algorithm in Fig. 6 by inserting the code shown in Fig. 7 at
the spot marked with (*).
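As an added example (not the paper's CUDD-based implementation of Figs. 6 and 7), the following Python code runs the per-output cofactor loop of Section 4.3 and the input-pruning check of Section 4.3.1 over a small constructed strategy relation. The strategy, the input and output names, and the use of f_y = p in place of bdd minimisation with the care set are assumptions made for this example.

```python
"""Explicit-set rendering of the circuit-extraction loop of Section 4.3
(Fig. 6) together with the input-pruning step of Section 4.3.1 (Fig. 7).
Added example, not the paper's CUDD-based code: the strategy bdd becomes a
set of allowed (inputs, outputs) pairs, 'exists' becomes projection, and the
care-set minimisation is replaced by the simplest function that agrees with
the positive cofactor p on the care set, namely f_y = p."""
from itertools import product

INPUTS = ("a", "b", "c")      # combinational inputs I (constructed names)
OUTPUTS = ("y1", "y2")        # combinational outputs, handled in this order

def constructed_strategy():
    """A made-up strategy relation: on every input except (1,1,1), which is
    assumed to lie outside the winning states, y1 = a|b is forced; y2 = y1&~c
    is forced except at input (0,0,1), where both values of y2 are allowed."""
    comb = set()
    for x in product((0, 1), repeat=3):
        a, b, c = x
        if x == (1, 1, 1):
            continue                       # no output allowed: unreachable input
        y1 = a | b
        comb.add((x, (y1, y1 & (1 - c))))
        if x == (0, 0, 1):
            comb.add((x, (y1, 1)))         # second allowed output
    return comb

def exists(inputs, idx):
    """Existential quantification of the idx-th input: drop that coordinate."""
    return {x[:idx] + x[idx + 1:] for x in inputs}

def extract_functions(comb, inputs=INPUTS, outputs=OUTPUTS):
    """Fig. 6 loop. For each output y: p (n) is the set of inputs for which y
    may be 1 (0); f_y = p is 1 on p&~n, 0 on ~p&n and free elsewhere; Fig. 7
    then drops every input whose removal keeps p and n disjoint; finally y is
    substituted by f_y in comb so later outputs see the choice made for y.
    Returns {y: (names of kept inputs, set of kept-input tuples with f_y=1)}."""
    funcs = {}
    for k, y in enumerate(outputs):
        p = {x for x, out in comb if out[k] == 1}    # positive cofactor
        n = {x for x, out in comb if out[k] == 0}    # negative cofactor
        kept = list(range(len(inputs)))
        i = 0
        while i < len(kept):                         # Fig. 7 pruning
            if not (exists(p, i) & exists(n, i)):
                p, n = exists(p, i), exists(n, i)
                del kept[i]
            else:
                i += 1
        f_y = p
        value = lambda x: int(tuple(x[j] for j in kept) in f_y)
        funcs[y] = (tuple(inputs[j] for j in kept), f_y)
        comb = {(x, out) for x, out in comb if out[k] == value(x)}  # y := f_y
    return funcs

def evaluate(funcs, x, inputs=INPUTS, outputs=OUTPUTS):
    """Run the extracted combinational circuit on one full input assignment."""
    return tuple(int(tuple(x[inputs.index(v)] for v in names) in ones)
                 for names, ones in (funcs[y] for y in outputs))
```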
4.3.2. Removing dependent variables
After computing the combinational logic, we perform dependent variables analysis [46] on the set of reachable states to
simplify the generated circuit.
Definition 1. (See [46].) Given a Boolean function $f$ over $v_0, v_1, \ldots, v_n$, a variable $v_i$ is functionally dependent in $f$ iff $\forall v_i . f = 0$.
Note that if $v_i$ is functionally dependent, it is uniquely determined by the remaining variables of $f$. Thus, the value of $v_i$ can be replaced by a function $g(v_0, \ldots, v_{i-1}, v_{i+1}, \ldots, v_n)$.
Suppose our generated circuit has the set $R(\mathcal X \cup \mathcal Y)$ of reachable states. If a state variable $y$ is functionally dependent in $R$, we can remove the corresponding flipflop in the circuit. The value of $y$ is instead computed as a function of the values of the other flipflops. This reduces the number of flipflops in the generated circuit.
5. LTL Synthesis
In this section we show that the techniques developed in Sections 3 and 4 are strong enough to handle synthesis of
ltl speciﬁcations in many interesting cases. In particular, the speciﬁcations of many hardware designs that we encountered
as part of the Prosyd project fall into this category [47]. Given a specification of a realizability problem, we show how to embed this problem into the framework of gr(1) games. We start from a simple subset of ltl (that is interesting in its own right) and show how to extend the types of specifications that can be handled.
5.1. Implication of Symbolic Jds over input and output variables
We have already argued that in many practical cases the speciﬁcation calls for a jds that realizes the environment and a
jds that realizes the system. We suggested to embed the different parts of such speciﬁcations into a gr(1) game and deﬁned
the strict realizability of the implication of such speciﬁcations. Here we highlight the differences between strict realizability
of the implication and realizability of the implication; show how to embed the implication of the speciﬁcations as a gr(1)
game; and (in the following subsections) explain how to extend the fragment of ltl handled by these techniques.
Recall that the temporal semantics of a jds $D$ has the following form:
$$\theta \wedge \Box\rho \wedge \bigwedge_{J \in \mathcal J} \Box\Diamond J .$$
Accordingly, when assumptions or guarantees taken together give rise to a jds, they can be arranged as a specification as follows. Let $S_\alpha = \langle \varphi^\alpha_i, \Phi^\alpha_t, \Phi^\alpha_g\rangle$ be a specification, where $\varphi^\alpha_i$ is an assertion over $\mathcal V$, $\Phi^\alpha_t = \{\psi_i\}_{i \in I^\alpha_t}$ is a set of assertions over $\mathcal V \cup \mathcal V'$, and $\Phi^\alpha_g = \{J_i\}_{i \in I^\alpha_g}$ is a set of assertions over $\mathcal V$. Given $S_e$ and $S_s$ of this form, we defined strict realizability in Section 3. Consider now the implication between these two specifications. Formally, let $\varphi^\rightarrow_{e,s}$ be the following formula
$$\Big(\varphi^e_i \wedge \Box\rho_e \wedge \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i\Big) \rightarrow \Big(\varphi^s_i \wedge \Box\rho_s \wedge \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i\Big), \quad (4)$$
where $\rho_e = \bigwedge_{i \in I^e_t} \psi_i$ and $\rho_s = \bigwedge_{i \in I^s_t} \psi_i$. Namely, $\varphi^\rightarrow_{e,s}$ says that if the environment satisfies its specification then the system guarantees to satisfy its specification. The formula $\varphi^\rightarrow_{e,s}$ seems simpler and more intuitive than $\varphi^{sr}_{e,s}$. This simplified view, however, leads to a dependency between the fulfillment of the system's safety and the liveness of the environment. Thus, specifications that should intuitively be unrealizable turn out to be realizable.
Notice that $\varphi^{sr}_{e,s}$ implies $\varphi^\rightarrow_{e,s}$. Thus, if $\varphi^{sr}_{e,s}$ is realizable, a controller for $\varphi^{sr}_{e,s}$ is also a controller for $\varphi^\rightarrow_{e,s}$. The following example shows that the other direction is false.
Example 1. Let $\mathcal X = \{x\}$ and $\mathcal Y = \{y\}$, where both $x$ and $y$ are Boolean variables. Let $S_e = \langle true, \{\bigcirc x\}, \{x \leftrightarrow y\}\rangle$ and $S_s = \langle true, \{\bigcirc x \leftrightarrow \bigcirc y\}, \{\neg y\}\rangle$. Intuitively, the environment specification says that the environment should keep $x$ asserted and make sure that $x$ and $y$ are equal infinitely often.⁹ The system specification says that the system should keep $y$ equal to $x$ and make sure that $y$ is off infinitely often. Consider the two specifications $\varphi^\rightarrow_{e,s}$ and $\varphi^{sr}_{e,s}$,
$$\varphi^\rightarrow_{e,s} = \big(\Box\bigcirc x \wedge \Box\Diamond(x \leftrightarrow y)\big) \rightarrow \big(\Box(\bigcirc x \leftrightarrow \bigcirc y) \wedge \Box\Diamond\neg y\big),$$
$$\varphi^{sr}_{e,s} = \Box\big(\boxminus\bigcirc x \rightarrow (\bigcirc x \leftrightarrow \bigcirc y)\big) \wedge \big(\Box\bigcirc x \wedge \Box\Diamond(x \leftrightarrow y) \rightarrow \Box\Diamond\neg y\big).$$
While $\varphi^\rightarrow_{e,s}$ is realizable, $\varphi^{sr}_{e,s}$ is unrealizable. Indeed, in the first case, the strategy that always sets $y$ to the inverse of $x$ is a winning strategy. The system may violate its safety, but it ensures that the environment cannot fulfill its liveness. On the other hand, $\varphi^{sr}_{e,s}$ is unrealizable. Indeed, as long as the environment does not violate its safety the system has to satisfy its safety. An infinite play that satisfies safety will satisfy the liveness of the environment but not that of the system. We find that $\varphi^{sr}_{e,s}$ better matches what we want from such a system. Indeed, if the only way for the system to satisfy its specification is by violating its safety requirement, then we would like to know that this is the case. Using $\varphi^{sr}_{e,s}$ and its unrealizability surfaces this problem to the user.
We now contrast two examples.10
Example 2. Consider the case where X = {x} and Y = {y} but this time x ranges over {1, . . . ,10} and y ranges over
{1, . . . ,5}. Let Se = 〈x = 0, {!x > x}, {true}〉 and Ss = 〈y = 0, {!y > y}, {true}〉. Intuitively, both the system and the environ-
ment are doomed. Both cannot keep increasing the values of x and y as both variables range over a ﬁnite domain. In this
case ϕ→e,s is realizable and ϕsre,s is unrealizable. Dually, if x ranges over {1, . . . ,5} and y ranges over {1, . . . ,10} both ϕ→e,s and
ϕsre,s are realizable. Again, we ﬁnd that the behavior of ϕ
sr
e,s matches better our intuition of what it means to be realizable.
Indeed, only when the environment is the ﬁrst to violate its safety the speciﬁcation is declared realizable.
9 This example and the observation that the implication between strict realizability and realizability is only one way is due to M. Roveri, R. Bloem,
B. Jobstmann, A. Tchaltsev, and A. Cimatti.
10 Due to O. Maler.
In general, the kind of dependency that is created in the realizability of $\varphi^{\to}_{e,s}$ is related to machine closure of specifications
[48] (cf. also discussion in [49,50]). In general, we ﬁnd that speciﬁcations that allow this kind of dependency between safety
and liveness are not well structured and using strict realizability informs us of such problems.
We now turn to the question of realizability of ϕ→e,s and show how to reduce it to the solution of a gr(1) game. Intuitively,
we add to the game a memory of whether the system or the environment violate their initial requirements or their safety
requirements. Formally, we have the following.
Let $S_\alpha = \langle \varphi^\alpha_i, \Phi^\alpha_t, \Phi^\alpha_g\rangle$ for $\alpha \in \{e, s\}$ be two specifications. The realizability game for $\varphi^{\to}_{e,s}$ is $G^{\to}_{e,s}: \langle \mathcal{V}, \mathcal{X}', \mathcal{Y}', \theta_e, \theta_s, \rho_e, \rho_s, \varphi'\rangle$ with the following components.
• $\mathcal{X}' = \mathcal{X}$.
• $\mathcal{Y}' = \mathcal{Y} \cup \{\mathit{sf}_e, \mathit{sf}_s\}$.
• $\mathcal{V} = \mathcal{X}' \cup \mathcal{Y}'$.
• $\theta_e = \mathit{true}$.
• $\theta_s = (\varphi^e_i \leftrightarrow \mathit{sf}_e) \wedge (\varphi^s_i \leftrightarrow \mathit{sf}_s)$.
• $\rho_e = \mathit{true}$.
• $\rho_s = \big((\bigwedge_{i \in I^e_t} \psi^e_i \wedge \mathit{sf}_e) \leftrightarrow \mathit{sf}'_e\big) \wedge \big((\bigwedge_{i \in I^s_t} \psi^s_i \wedge \mathit{sf}_s) \leftrightarrow \mathit{sf}'_s\big)$.
• $\varphi' = \big(\Box\Diamond \mathit{sf}_e \wedge \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i\big) \to \big(\Box\Diamond \mathit{sf}_s \wedge \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i\big)$.
We show that the game $G^{\to}_{e,s}$ realizes the goal $\varphi^{\to}_{e,s}$.
Theorem 5. The game $G^{\to}_{e,s}$ is won by system iff $\varphi^{\to}_{e,s}$ is realizable.
Proof. By Theorem 4 we have that $G^{\to}_{e,s}$ is won by system iff the following specification $\psi^{sr}$ is realizable:
$$\psi^{sr} = \big((\varphi^e_i \leftrightarrow \mathit{sf}_e) \wedge (\varphi^s_i \leftrightarrow \mathit{sf}_s)\big) \wedge \Box\Big(\big((\bigwedge_{i \in I^e_t} \psi^e_i \wedge \mathit{sf}_e) \leftrightarrow \mathit{sf}'_e\big) \wedge \big((\bigwedge_{i \in I^s_t} \psi^s_i \wedge \mathit{sf}_s) \leftrightarrow \mathit{sf}'_s\big)\Big) \wedge \Big(\big(\Box\Diamond \mathit{sf}_e \wedge \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i\big) \to \big(\Box\Diamond \mathit{sf}_s \wedge \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i\big)\Big).$$
Consider an fds that realizes $\psi^{sr}$. Let $\sigma: s_0, s_1, \ldots$ be a computation of this fds. We show that $\sigma \models \varphi^{\to}_{e,s}$. If σ does not satisfy one of the conjuncts on the left-hand side of $\varphi^{\to}_{e,s}$ then clearly $\sigma \models \varphi^{\to}_{e,s}$. Assume that σ satisfies all the conjuncts on the left-hand side of $\varphi^{\to}_{e,s}$. As $\sigma \models \varphi^e_i$ it follows that $\sigma \models \mathit{sf}_e$. As $\sigma \models \Box(\bigwedge_{i \in I^e_t} \psi^e_i)$ it follows that $\sigma \models \Box \mathit{sf}_e$. As $\sigma \models \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i$ and clearly $\sigma \models \Box\Diamond \mathit{sf}_e$, it follows that $\sigma \models \Box\Diamond \mathit{sf}_s$ and $\sigma \models \bigwedge_{i \in I^s_g} \Box\Diamond J^s_i$. As there are infinitely many positions where $\mathit{sf}_s$ holds, by using $\Box\big((\bigwedge_{i \in I^s_t} \psi^s_i \wedge \mathit{sf}_s) \leftrightarrow \mathit{sf}'_s\big)$ we conclude that $\sigma \models \Box \mathit{sf}_s$ and $\sigma \models \Box(\bigwedge_{i \in I^s_t} \psi^s_i)$. Finally, as $\sigma \models \mathit{sf}_s$ we conclude that $\sigma \models \varphi^s_i$. Thus, σ satisfies all the conjuncts on the right-hand side of $\varphi^{\to}_{e,s}$ as well.
In the other direction, consider an fds D that satisfies $\varphi^{\to}_{e,s}$. We create the system $\hat D$ by adding to D the variables $\mathit{sf}_e$ and $\mathit{sf}_s$ and use the augmented initial condition $\hat\theta = \theta \wedge \theta_s$ and the augmented transition relation $\hat\rho = \rho \wedge \rho_s$. The addition of $\mathit{sf}_e$ and $\mathit{sf}_s$ does not restrict the behavior of D. Furthermore, the values of $\mathit{sf}_s$ and $\mathit{sf}_e$ are determined according to the values of other variables of $\hat D$. Consider a computation $\sigma: s_0, s_1, \ldots$ of the augmented system $\hat D$. By definition of $\hat D$ we have $\sigma \models \theta_s$ and $\sigma \models \Box((\boxminus\rho_e) \to \rho_s)$. We have to show $\sigma \models \varphi'$. As σ is also a computation of D we have $\sigma \models \varphi^{\to}_{e,s}$.
• Suppose that $\sigma \not\models \varphi^e_i$. Then, $\sigma \models \Box\neg \mathit{sf}_e$ and $\sigma \models \varphi'$.
• Suppose that $\sigma \models \varphi^e_i$ and $\sigma \not\models \Box\bigwedge_{i \in I^e_t} \psi^e_i$. Then, $\sigma \models \Diamond\Box\neg \mathit{sf}_e$ and $\sigma \models \varphi'$.
• Suppose that $\sigma \models \varphi^e_i \wedge \Box\bigwedge_{i \in I^e_t} \psi^e_i$, and that $\sigma \not\models \bigwedge_{i \in I^e_g} \Box\Diamond J^e_i$. Then, $\sigma \models \varphi'$ as the left-hand side of the implication does not hold.
• Suppose that σ satisfies all the conjuncts on the left-hand side of $\varphi^{\to}_{e,s}$. Then, σ also satisfies all the conjuncts on the right-hand side of $\varphi^{\to}_{e,s}$. It follows that $\sigma \models \varphi^s_i$ implying $\sigma \models \mathit{sf}_s$. It follows that $\sigma \models \Box(\bigwedge_{i \in I^s_t} \psi^s_i)$ implying $\sigma \models \Box \mathit{sf}_s$. Finally, $\sigma \models \Box\Diamond \mathit{sf}_s$ and $\varphi'$ holds as well. $\square$
5.2. Incorporating the past
We have discussed the case where the specification is a combination of assumptions and guarantees of the forms $\Box\psi$ and $\Box\Diamond J$, where ψ is a Boolean formula restricting transitions of the environment or of the system, and J is a Boolean formula. In this subsection we show how to reduce to gr(1) games the case where specifications include parts J and ψ containing past temporal formulas (or temporal patterns that can be translated to past temporal formulas). As before, one could distinguish between realizability and strict realizability. To simplify presentation we concentrate on strict realizability.
An ltl formula ϕ is a past formula if it does not use the operators $\bigcirc$ and $\mathcal{U}$. That is, it belongs to the following grammar.
$$\varphi ::= p \mid \neg\varphi \mid \varphi \vee \varphi \mid \ominus\varphi \mid \varphi\,\mathcal{S}\,\varphi.$$
For example, the formula $\psi = (\neg g)\,\mathcal{S}\,r$ is a past formula. If r is a request and g is a grant, then ψ holds at time i if there is a pending request in the past that was not granted.
For every ltl formula ϕ over variables V , one can construct a temporal tester, a jds Tϕ , which has a distinguished Boolean
variable xϕ such that the following hold.
• Tϕ is complete with respect to V .
• For every computation σ : s0, s1, s2, . . . of Tϕ , si[xϕ] = 1 iff σ , i | ϕ .
• For every sequence of states σ : s0, s1, s2, . . . there is a corresponding computation σ ′: s′0, s′1, s′2, . . . of Tϕ such that for
every i we have si and s′i agree on the interpretation of the variables of ϕ .
For further details regarding the construction and merits of temporal testers, we refer the reader to [51,52]. It is well known
that temporal testers for past ltl formulas are fairness-free and deterministic. It follows that for every past ltl formula ϕ ,
there exists a fairness-free fds Tϕ : 〈V, θ,ρ〉 such that V contains the set of variables of ϕ and θ and ρ are deterministic.
Using these fairness-free fds we can now handle assumptions and guarantees that contain past ltl formulas.
Let $\mathcal{X}$ and $\mathcal{Y}$ be the set of input and output variables, respectively, and let $\mathcal{V} = \mathcal{X} \cup \mathcal{Y}$. Consider an assumption or guarantee $\Box\psi$, where ψ is a Boolean combination of past formulas over $\mathcal{V}$ and expressions of the form $\bigcirc v$, where $v \in \mathcal{X}$ if $\Box\psi$ is an assumption, and $v \in \mathcal{X} \cup \mathcal{Y}$ if $\Box\psi$ is a guarantee. For every maximal past temporal formula γ appearing in ψ,11 there is a temporal tester $T_\gamma$ with the distinguished variable $x_\gamma$. Consider the following specification $\Box\hat\psi$, where $\hat\psi$ is obtained from ψ by replacing γ by $x_\gamma$. It follows that the specification $\Box\hat\psi$ is of the required form as in Section 3. Given an assumption or guarantee $\Box\Diamond J$, where J is a past formula over $\mathcal{V}$, we treat it in a similar way.
Here we extend the specifications described previously by incorporating references to the past in them. The specifications we consider are $S_\alpha = \langle \varphi^\alpha_i, \Phi^\alpha_t, \Phi^\alpha_g\rangle$ for $\alpha \in \{e, s\}$, where $\Phi^\alpha_t = \{\psi^\alpha_i\}_{i \in I^\alpha_t}$ and $\Phi^\alpha_g = \{J^\alpha_i\}_{i \in I^\alpha_g}$, and $\psi^\alpha_i$ and $J^\alpha_i$ may relate to past formulas.
Given such specifications $S_e$ and $S_s$, let $\hat S_\alpha$ denote the specification obtained by treating $S_\alpha$ as explained above, namely, replacing references to past formulas by references to the outputs of temporal testers. In particular, let $\hat\psi^\alpha_i$ denote the specification obtained from $\psi^\alpha_i$ by replacing maximal past formulas γ by $x_\gamma$, and similarly for $\hat J^\alpha_i$. Let $T_{\gamma_1}, \ldots, T_{\gamma_n}$ be the temporal testers whose variables are used in $\hat S_\alpha$ for $\alpha \in \{e, s\}$. The strict realizability game for $S_e$ and $S_s$ is $G^{sr}_{e,s}: \langle \mathcal{V} \cup \mathcal{V}_t, \mathcal{X}, \mathcal{Y} \cup \mathcal{V}_t, \theta_e, \theta_s, \rho_e, \rho_s, \varphi\rangle$ with the following components.
• $\mathcal{V}_t$ is the set of variables of $T_{\gamma_1}, \ldots, T_{\gamma_n}$ that are not in $\mathcal{V}$.
• $\theta_e = \varphi^e_i$.
• $\theta_s = \varphi^s_i \wedge \bigwedge_{i=1}^{n} \theta_i$, where $\theta_i$ is the initial condition of $T_{\gamma_i}$.
• $\rho_e = \bigwedge_{i \in I^e_t} \hat\psi^e_i$.
• $\rho_s = (\bigwedge_{i \in I^s_t} \hat\psi^s_i) \wedge (\bigwedge_{i=1}^{n} \rho_i)$, where $\rho_i$ is the transition of $T_{\gamma_i}$.
• $\varphi = \bigwedge_{i \in I^e_g} \Box\Diamond \hat J^e_i \to \bigwedge_{i \in I^s_g} \Box\Diamond \hat J^s_i$.
That is, all the variables of $T_{\gamma_1}, \ldots, T_{\gamma_n}$ are added as variables of the system. The initial condition of the system is extended by all the initial conditions of the temporal testers and the transition of the system is extended by the transitions of the temporal testers. Notice that variables and transitions of temporal testers that come from assumptions as well as guarantees are added to the system side of the game. This is important as the next state of temporal testers may depend on the next state of both the inputs and the outputs.
Theorem 6. The game $G^{sr}_{e,s}$ is won by system iff $\varphi^{sr}_{e,s}$ is realizable.
Notice that $\varphi^{sr}_{e,s}$ uses $\psi^\alpha_i$ and not $\hat\psi^\alpha_i$, and similarly for $J^\alpha_i$.
11 Subformula γ is a maximal past formula in ψ if every subformula γ′ of ψ that contains γ includes the operator $\bigcirc$.
Proof. This follows from Theorem 4 and the correctness of the temporal testers $T_{\psi_1}, \ldots, T_{\psi_n}$. The argument relies on temporal testers for past being fairness-free, deterministic, and complete with respect to $\mathcal{X} \cup \mathcal{Y}$. $\square$
We note that the inclusion of the past allows us to treat many interesting formulas. For example, consider formulas of the form $\Box(r \to \Diamond g)$, where r is a request and g a grant. As this formula is equivalent to $\Box\Diamond\neg(\neg g\,\mathcal{S}\,(\neg g \wedge r))$, it is simple to handle using the techniques just introduced. Similarly, $\Box(a \wedge \bigcirc b \to \bigcirc\bigcirc c)$ can be rewritten to $\Box(\ominus a \wedge b \to \bigcirc c)$ and $\Box(a \to a\,\mathcal{U}\,b)$ is equivalent to $\Box(\ominus(a \wedge \neg b) \to (a \vee b)) \wedge \Box\Diamond(\neg a \vee b)$. In practice, many interesting future ltl formulas (that describe deterministic properties) can be rewritten into the required format.
In the next subsection we use deterministic fds to describe very expressive speciﬁcations whose realizability can be
reduced to gr(1) games.
5.3. Implication of symbolic jds
We now proceed to an even more general case of specifications, where each of the assumptions or guarantees is given as (or can be translated to) a deterministic jds. The main difference between this section and previous sections is in the inclusion of additional variables as part of the given specifications. These variables are then added to the game structure and enable a clean treatment of this kind of specifications. Notice that it is hard to impose strict realizability as there is no clean partition of specifications into safety and liveness.
Let $\mathcal{X}$ and $\mathcal{Y}$ be finite sets of typed input and output variables, respectively. In this subsection we consider the case where specifications are given as a set of complete deterministic jds. Formally, let $S_\alpha = \{D^\alpha_i\}_{i \in I_\alpha}$ for $\alpha \in \{e, s\}$ be a pair of specifications, where $D^\alpha_i = \langle \mathcal{V}^\alpha_i, \theta^\alpha_i, \rho^\alpha_i, \mathcal{J}^\alpha_i\rangle$ is a complete and deterministic jds with respect to $\mathcal{X} \cup \mathcal{Y}$ for every i and α. The realizability game for $S_e$ and $S_s$ is $G^d_{e,s}: \langle \mathcal{V}, \mathcal{X}', \mathcal{Y}', \mathit{true}, \theta_s, \mathit{true}, \rho_s, \varphi\rangle$ with the following components.
• $\mathcal{V} = \mathcal{X} \cup \mathcal{Y} \cup (\bigcup_{i \in I_e} \mathcal{V}^e_i) \cup (\bigcup_{i \in I_s} \mathcal{V}^s_i)$.
• $\mathcal{X}' = \mathcal{X}$.
• $\mathcal{Y}' = \mathcal{Y} \cup (\bigcup_{i \in I_e} \mathcal{V}^e_i) \cup (\bigcup_{i \in I_s} \mathcal{V}^s_i)$.
• $\theta_s = (\bigwedge_{i \in I_e} \theta^e_i) \wedge (\bigwedge_{i \in I_s} \theta^s_i)$.
• $\rho_s = (\bigwedge_{i \in I_e} \rho^e_i) \wedge (\bigwedge_{i \in I_s} \rho^s_i)$.
• $\varphi = \big(\bigwedge_{i \in I_e} (\bigwedge_{J \in \mathcal{J}^e_i} \Box\Diamond J)\big) \to \big(\bigwedge_{i \in I_s} (\bigwedge_{J \in \mathcal{J}^s_i} \Box\Diamond J)\big)$.
We show that the game $G^d_{e,s}$ realizes the goal of implication between these sets of deterministic jds. Let
$$\varphi^d_{e,s} = \bigwedge_{i \in I_e} D_i \to \bigwedge_{i \in I_s} D_i.$$
We say that $\sigma \models \varphi^d_{e,s}$ if either (i) there exists an $i \in I_e$ such that there is no computation of $D_i$ that agrees with σ on the variables in $\mathcal{X} \cup \mathcal{Y}$ or (ii) for every $i \in I_s$ there is a computation of $D_i$ that agrees with σ on the variables in $\mathcal{X} \cup \mathcal{Y}$. The specification $\varphi^d_{e,s}$ is realizable if there exists an fds that is complete with respect to $\mathcal{X}$ that implements this specification.
Theorem 7. The game $G^d_{e,s}$ is won by system iff $\varphi^d_{e,s}$ is realizable.
Proof. By Theorem 4 we have that $G^d_{e,s}$ is won by system iff the following specification $\psi^{sr}$ is realizable.
$$\psi^{sr} = \Big(\bigwedge_{i \in I_e} \theta^e_i\Big) \wedge \Big(\bigwedge_{i \in I_s} \theta^s_i\Big) \wedge \Box\Big(\big(\bigwedge_{i \in I_e} \rho^e_i\big) \wedge \big(\bigwedge_{i \in I_s} \rho^s_i\big)\Big) \wedge \Big(\bigwedge_{i \in I_e} \big(\bigwedge_{J \in \mathcal{J}^e_i} \Box\Diamond J\big) \to \bigwedge_{i \in I_s} \big(\bigwedge_{J \in \mathcal{J}^s_i} \Box\Diamond J\big)\Big).$$
Consider an fds that realizes $\psi^{sr}$. Let $\sigma: s_0, s_1, \ldots$ be a computation of this fds. Let $\tau: t_0, t_1, \ldots$ be the computation over $\mathcal{X} \cup \mathcal{Y}$ such that for every $j \geq 0$ we have $s_j|_{\mathcal{X} \cup \mathcal{Y}} = t_j$. We show that $\sigma \models \varphi^d_{e,s}$. Consider an fds $D_i$. As $D_i$ is deterministic, the assignment to the variables in $\mathcal{V}_i$ in σ is the unique assignment that can accompany τ. It follows that $\tau \models D_i$ iff $\sigma \models \bigwedge_{J \in \mathcal{J}_i} \Box\Diamond J$. It follows that $\sigma \models \varphi^d_{e,s}$.
In the other direction, consider an fds D that satisfies $\varphi^d_{e,s}$. From determinism and completeness of $D_i$ for every i it follows that D also satisfies $\psi^{sr}$. $\square$
To summarize, we have presented three possible fragments of specifications and their translation to gr(1) games. In general, when one is presented with specifications in ltl or psl, a combination of the approaches in the previous sections should be taken. Simple specifications of the form $\Box\psi$ or $\Box\Diamond J$, where ψ or J are either Boolean formulas or past formulas, should be treated by adding them to the game as explained previously. More complicated specifications should be translated to deterministic jds and treated by inclusion of the additional variables in this jds as part of the game. In a sense, the treatment of past formulas and of deterministic jds is very similar in that it requires the inclusion of additional variables (except the input and the output) in the structure of the game.
For some speciﬁcations, it may be impossible to translate them to deterministic jds. We ﬁnd that these speciﬁcations are
not very common. Generalizations of our techniques as presented, e.g., in [23] might be applicable. Otherwise, techniques
that handle general ltl formulas may be required [53,27,28,25,24].
6. AMBA AHB case study
We demonstrate the application of the synthesis method by shortly summarizing a case study that we performed on one
of the amba (Advanced Microcontroller Bus Architecture) [21] buses of arm. More details about this case study can be found
in [2]. In order to obtain further insights on the applicability and performance of the method, we refer the interested reader
to a second case study [3] based on a tutorial design from ibm.
6.1. Protocol
Arm’s Advanced Microcontroller Bus Architecture (amba) [21] deﬁnes the Advanced High-Performance Bus (ahb), an on-chip
communication standard connecting such devices as processor cores, cache memory, and dma controllers. Up to 16 masters
and up to 16 slaves can be connected to the bus. The masters initiate communication (read or write) with a slave of their
choice. Slaves are passive and can only respond to a request. Master 0 is the default master and is selected whenever there
are no requests for the bus.
The ahb is a pipelined bus. This means that different masters can be in different stages of communication. At one instant,
multiple masters can request the bus, while another master transfers address information, and yet another master transfers
data. A bus access can be a single transfer or a burst, which consists of a speciﬁed or unspeciﬁed number of transfers. Access
to the bus is controlled by the arbiter, which is the subject of this section. All devices that are connected to the bus are
Moore machines, that is, the reaction of a device to an action at time t can only be seen by the other devices at time t + 1.
The amba standard leaves many aspects of the bus unspeciﬁed. The protocol is at a logic level, which means that timing
and electric parameters are not speciﬁed; neither are aspects such as the arbitration protocol.
We will now introduce the signals used in the ahb. The notation S[n:0] denotes an (n+ 1)-bit signal.
• HBUSREQ[i] – A request from master i to access the bus. Driven by the masters.
• HLOCK[i] – A request from master i to receive a locked (uninterruptible) access to the bus (raised in combination with
HBUSREQ[i]). Driven by the masters.
• HMASTER[3:0] – The master that currently owns the address bus (binary encoding). Driven by the arbiter.
• HREADY – High if the slave has ﬁnished processing the current data. Change of bus ownership and commencement of
transfers only takes place when HREADY is high. Driven by the slave.
• HGRANT[i] – Signals that if HREADY is high, HMASTER = i will hold in the next tick. Driven by the arbiter.
• HMASTLOCK – Indicates that the current master is performing a locked access. If this signal is low, a burst access may
be interrupted when the bus is assigned to a different master. Driven by the arbiter.
The following set of signals is multiplexed using HMASTER as the control signal. For instance, although every master has an
address bus, only the address provided by the currently active master is visible on HADDR.
• HADDR[31:0] – The address for the next transfer. The address determines the destination slave.
• HBURST[1:0] – One of SINGLE (a single transfer), BURST4 (a four-transfer burst access), or INCR (unspeciﬁed length burst).
The list of signals does not contain the data transfer signals as these do not concern the arbiter (ownership of the data bus
follows ownership of the address bus in a straightforward manner). Bursts of length 8 or 16 are not taken into account, nor
are the different addressing types for bursts. Adding longer bursts only lengthens the speciﬁcation and the addressing types
do not concern the arbiter. Furthermore, as an optional feature of the ahb, a slave is allowed to “split” a burst access and
request that it be continued later. We have left this feature out for simplicity, but it can be handled by our approach.
A typical set of accesses is shown in Fig. 8. Signals DECIDE, START, and LOCKED should be ignored for now. At time 1,
masters 1 and 2 request an access. Master 1 requests a locked transfer. The access is granted to master 1 at the next time
step, and master 1 starts its access at time 3. Note that HMASTER changes and HMASTLOCK goes up. The access is a BURST4
that cannot be interrupted. At time 6, when the last transfer in the burst starts, the arbiter prepares to hand over the bus to
master 2 by changing the grant signals. However, HREADY is low, so the last transfer is extended and the bus is only handed
over in time step 8, after HREADY has become high again.
Fig. 8. An example of amba bus behavior.
6.2. Formal speciﬁcation
This section contains the speciﬁcation of the arbiter. To simplify the speciﬁcation, we have added three auxiliary vari-
ables, START, LOCKED, and DECIDE, which are driven by the arbiter. Signal START indicates the start of an access. The master
only switches when START is high. The signal LOCKED indicates if the bus will be locked at the next start of an access. Signal
DECIDE is described below.
We group the properties into three sets. The ﬁrst set of properties deﬁnes when a new access is allowed to start, the
second describes how the bus has to be handed over, and the third describes which decisions the arbiter makes.
All properties are stated using ltl formulas. Some properties are assumptions on the environment, the others are guar-
antees the system has to satisfy. As explained in Section 5, not all ltl speciﬁcations can be synthesized directly using gr(1)
games. In order to apply the presented synthesis approach, we aim for a speciﬁcation that can be expressed using Eq. (4)
in Section 5. The separation of the properties into assumptions and guarantees facilitates this translation: the conjunction of all formulas used to describe assumptions forms the premise (left part) of the implication in Eq. (4). Formulas describing guarantees form the consequent (right part). Now, we only need to ensure that every formula that we use can be mapped into one of the parts of Eq. (4), i.e., into (1) $\varphi^x_i$, (2) $\Box\rho_x$, or (3) $\bigwedge_{i \in I^x_g} \Box\Diamond J^x_i$ with $x \in \{e, s\}$. (Recall that $\varphi^x_i$ and $J^x_i$ are Boolean formulas over the variables, and $\rho_x$ is a Boolean formula over the variables potentially prefixed with the next operator $\bigcirc$.) Furthermore, note that $\Box\varphi_1 \wedge \Box\varphi_2 = \Box(\varphi_1 \wedge \varphi_2)$ for arbitrary $\varphi_1$ and $\varphi_2$. Therefore, we can write Part (2) also as a conjunction of formulas starting with the always operator $\Box$.
Most formulas we use to describe the desired properties of the arbiter are already in the required format. For the
properties (Assumption 1, Guarantees 2 and 3) that are initially not in the right format, we give a corresponding translation.
6.2.1. Starting an access
Assumption 1. During a locked unspecified length burst, leaving HBUSREQ[i] high locks the bus. This is forbidden by the standard.
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR}) \to \bigcirc\Diamond\neg\mathrm{HBUSREQ}[\mathrm{HMASTER}]\big).$$
The expression HBUSREQ[HMASTER] is not part of the ltl syntax. The formula can be replaced by adding for every master i, the formula $\Box((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \wedge \mathrm{HMASTER} = i) \to \bigcirc\Diamond\neg\mathrm{HBUSREQ}[i])$. Alternatively, we can introduce a new variable (e.g., BUSREQ) and add the following two formulas:
Fig. 9. Automata representing Assumption (A1.2) and Guarantee (2). The formulas HMASTLOCK ∧ HBURST = INCR, BUSREQ, and START are abbreviated by lock, req, and start, respectively.
$$\Box\Big(\bigwedge_i \mathrm{HMASTER} = i \to (\mathrm{BUSREQ} \leftrightarrow \mathrm{HBUSREQ}[i])\Big), \quad \text{(A1.1)}$$
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR}) \to \bigcirc\Diamond\neg\mathrm{BUSREQ}\big). \quad \text{(A1.2)}$$
We chose the latter option, since it made the synthesis computation more eﬃcient.
Assumption (A1.1) is in the right format. We translated Assumption (A1.2) into a deterministic fds encoding the automa-
ton shown in Fig. 9(a), i.e., we replace Assumption (A1.2) by the three formulas (A1.3), (A1.4), and (A1.5) referring to a new
variable s ranging over {0,1,2}. (See Section 5.3 for references on how to obtain this fds.)
$$s = 0, \quad \text{(A1.3)}$$
$$\begin{aligned}
&\Box\big(s = 0 \wedge \neg(\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR}) \to \bigcirc(s = 0)\big)\ \wedge \\
&\Box\big(s = 0 \wedge \mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \to \bigcirc(s = 1)\big)\ \wedge \\
&\Box\big((s = 1 \vee s = 2) \wedge \mathrm{BUSREQ} \to \bigcirc(s = 1)\big)\ \wedge \\
&\Box\big((s = 1 \vee s = 2) \wedge \neg\mathrm{BUSREQ} \wedge \mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \to \bigcirc(s = 2)\big)\ \wedge \\
&\Box\big((s = 1 \vee s = 2) \wedge \neg\mathrm{BUSREQ} \wedge \neg(\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR}) \to \bigcirc(s = 0)\big),
\end{aligned} \quad \text{(A1.4)}$$
$$\Box\Diamond(s = 0 \vee s = 2). \quad \text{(A1.5)}$$
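The translation of Assumption (A1.2) into the three-state automaton of Fig. 9(a), as an added Python example (not code from the paper): it runs the deterministic fds given by (A1.3) and (A1.4) on lasso-shaped traces over lock = HMASTLOCK ∧ HBURST = INCR and req = BUSREQ, checks the fairness condition (A1.5) on the states visited infinitely often, evaluates (A1.2) directly on the same traces, and confirms exhaustively on all small lassos that the two agree. The lasso representation and the constructed trace names HOG and RELEASE are assumptions of the example.

```python
from itertools import product
from typing import Dict, List, Tuple

# one time step: lock = HMASTLOCK and HBURST = INCR, req = BUSREQ
Letter = Dict[str, bool]


def step(s: int, a: Letter) -> int:
    """Transition relation (A1.4): the next value of s is fixed by the current
    value of s and the current values of lock and req (deterministic)."""
    if s == 0:
        return 1 if a["lock"] else 0
    if a["req"]:                       # s = 1 or s = 2
        return 1
    return 2 if a["lock"] else 0


def automaton_accepts(prefix: List[Letter], loop: List[Letter]) -> bool:
    """Run the fds on the trace prefix.loop^omega and decide (A1.5), i.e.
    whether s = 0 or s = 2 is visited infinitely often."""
    s = 0                              # (A1.3): s = 0 initially
    for a in prefix:
        s = step(s, a)
    # The state at the start of each loop iteration must repeat after at most
    # three iterations (three automaton states); the states recorded between
    # the first and second visit of that entry state are exactly the ones
    # visited infinitely often.
    entry_index: Dict[int, int] = {}
    visited: List[int] = []
    while s not in entry_index:
        entry_index[s] = len(visited)
        for a in loop:
            visited.append(s)
            s = step(s, a)
    cycle = visited[entry_index[s]:]
    return any(t in (0, 2) for t in cycle)


def formula_holds(prefix: List[Letter], loop: List[Letter]) -> bool:
    """Direct evaluation of (A1.2), box(lock -> next diamond not req), on the
    same lasso trace: every lock position must be followed, strictly later,
    by a position where req is low."""
    word = prefix + loop
    release_in_loop = any(not a["req"] for a in loop)   # recurs forever
    for i, a in enumerate(word):
        if not a["lock"]:
            continue
        later = any(not word[j]["req"] for j in range(i + 1, len(word)))
        if not (later or release_in_loop):
            return False
    return True


def check_equivalence(max_prefix: int = 2, max_loop: int = 3) -> bool:
    """Compare automaton and formula on every lasso over (lock, req) with the
    given prefix and loop length bounds."""
    letters = [{"lock": l, "req": r} for l, r in product([False, True], repeat=2)]
    for p in range(max_prefix + 1):
        for m in range(1, max_loop + 1):
            for word in product(letters, repeat=p + m):
                prefix, loop = list(word[:p]), list(word[p:])
                if automaton_accepts(prefix, loop) != formula_holds(prefix, loop):
                    return False
    return True


# Constructed trace: a locked INCR burst whose master keeps BUSREQ high forever.
HOG: Tuple[List[Letter], List[Letter]] = (
    [{"lock": True, "req": True}], [{"lock": True, "req": True}])
# Constructed trace: the master drops BUSREQ one step after the burst starts.
RELEASE: Tuple[List[Letter], List[Letter]] = (
    [{"lock": True, "req": True}, {"lock": True, "req": False}],
    [{"lock": False, "req": False}])
```

On HOG the automaton gets stuck in s = 1, which is exactly the run the fairness condition (A1.5) excludes; on RELEASE it passes through s = 2 and settles in s = 0.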
Assumption 2. Leaving HREADY low locks the bus, the standard forbids it.
$$\Box\Diamond\mathrm{HREADY}. \quad \text{(A2)}$$
Assumption 3. The lock signal is asserted by a master at the same time as the bus request signal.
$$\bigwedge_i \Box(\mathrm{HLOCK}[i] \to \mathrm{HBUSREQ}[i]). \quad \text{(A3)}$$
Guarantee 1. A new access can only start when HREADY is high.
$$\Box(\neg\mathrm{HREADY} \to \bigcirc(\neg\mathrm{START})). \quad \text{(G1)}$$
Guarantee 2. When a locked unspeciﬁed length burst starts, a new access does not start until the current master (HMASTER) releases
the bus by lowering HBUSREQ[HMASTER].
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \wedge \mathrm{START}) \to \bigcirc(\neg\mathrm{START}\,\mathcal{W}\,(\neg\mathrm{START} \wedge \neg\mathrm{HBUSREQ}[\mathrm{HMASTER}]))\big).$$
We treat the expression HBUSREQ[HMASTER] in the same way as in Assumption 1, i.e., we use the variable BUSREQ introduced previously and obtain the following formula.
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \wedge \mathrm{START}) \to \bigcirc(\neg\mathrm{START}\,\mathcal{W}\,(\neg\mathrm{START} \wedge \neg\mathrm{BUSREQ}))\big). \quad \text{(G2.1)}$$
Fig. 10. Automaton encoding Guarantee (G3.1) and (G3.2). We use burst, start, and rdy to abbreviate HMASTLOCK ∧ HBURST = BURST4, START, and HREADY, respectively.
Guarantee (2) has the form $\Box(a \to \bigcirc(b\,\mathcal{W}\,(b \wedge c)))$, which is equivalent to the past formula $\Box(\neg(\neg b \wedge \ominus(\neg c\,\mathcal{S}\,\ominus a)))$. As explained in Section 5.2, for every past ltl formula, there exists a corresponding fairness-free12 fds. Fig. 9(b) shows an automaton that encodes Guarantee (G2.1) and corresponds to the fds that is given by the formulas (G2.2), (G2.3), and (G2.4) referring to the new Boolean variable t.
$$t = 0, \quad \text{(G2.2)}$$
$$\begin{aligned}
&\Box\big(t = 0 \wedge \neg(\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \wedge \mathrm{START}) \to \bigcirc(t = 0)\big)\ \wedge \\
&\Box\big(t = 0 \wedge \mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{INCR} \wedge \mathrm{START} \to \bigcirc(t = 1)\big)\ \wedge \\
&\Box\big(t = 1 \wedge \neg\mathrm{START} \wedge \neg\mathrm{BUSREQ} \to \bigcirc(t = 0)\big)\ \wedge \\
&\Box\big(t = 1 \wedge \neg\mathrm{START} \wedge \mathrm{BUSREQ} \to \bigcirc(t = 1)\big)\ \wedge \\
&\Box\big(t = 1 \wedge \mathrm{START} \to \bigcirc(t = 2)\big)\ \wedge \\
&\Box\big(t = 2 \to \bigcirc(t = 2)\big),
\end{aligned} \quad \text{(G2.3)}$$
$$\Box\Diamond(t = 0 \vee t = 1). \quad \text{(G2.4)}$$
Guarantee 3. When a length-four locked burst starts, no other accesses start until the end of the burst. We can only transfer data when
HREADY is high, so the current burst ends at the fourth occurrence of HREADY (in the formula, we treat the cases where HREADY is
true initially separately from the case in which it is not).
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{BURST4} \wedge \mathrm{START} \wedge \mathrm{HREADY}) \to \bigcirc(\neg\mathrm{START}\,\mathcal{W}^{[3]}\,(\neg\mathrm{START} \wedge \mathrm{HREADY}))\big), \quad \text{(G3.1)}$$
$$\Box\big((\mathrm{HMASTLOCK} \wedge \mathrm{HBURST} = \mathrm{BURST4} \wedge \mathrm{START} \wedge \neg\mathrm{HREADY}) \to \bigcirc(\neg\mathrm{START}\,\mathcal{W}^{[4]}\,(\neg\mathrm{START} \wedge \mathrm{HREADY}))\big). \quad \text{(G3.2)}$$
In order to express Guarantee (G3.1) and (G3.2) in the right format, we translate them into a deterministic fds in the same way as for Guarantee (G2.1). Fig. 10 shows the automaton this fds encodes. We use a new variable u, ranging over {0, 1, 2, 3, 4, 5}, and three formulas (G3.3), (G3.4), and (G3.5) to encode the initial, transition, and final condition of the corresponding fds, respectively. Since the encoding is done in the same way as the encoding for Assumption (A1.2) and Guarantee (G2.1), we omit the detailed descriptions of (G3.3), (G3.4), and (G3.5).
6.2.2. Granting the bus
Guarantee 4. The HMASTER signal follows the grants: When HREADY is high, HMASTER is set to the master that is currently granted.
This implies that no two grants may be high simultaneously and that the arbiter cannot change HMASTER without giving a grant.
$$\bigwedge_i \Box\big(\mathrm{HREADY} \to (\mathrm{HGRANT}[i] \leftrightarrow \bigcirc(\mathrm{HMASTER} = i))\big). \quad \text{(G4)}$$
12 Note that if we remove the state t = 2, which has an empty language, from the automaton shown in Fig. 9(b), then the automaton is fairness-free.
However, in order to ensure that the semantics of realizability and strict realizability are the same for our speciﬁcation (cf. Section 5.1) we give the
translation for the complete automaton with fairness.
Guarantee 5. Whenever HREADY is high, the signal HMASTLOCK copies the signal LOCKED.
$$\Box\big(\mathrm{HREADY} \to (\mathrm{LOCKED} \leftrightarrow \bigcirc(\mathrm{HMASTLOCK}))\big). \quad \text{(G5)}$$
Guarantee 6. If we do not start an access in the next time step, the bus is not reassigned and HMASTLOCK does not change. For each master i,
$$\Box\big(\bigcirc(\neg\mathrm{START}) \to ((\mathrm{HMASTER} = i \leftrightarrow \bigcirc(\mathrm{HMASTER} = i)) \wedge (\mathrm{HMASTLOCK} \leftrightarrow \bigcirc(\mathrm{HMASTLOCK})))\big). \quad \text{(G6)}$$
6.2.3. Deciding the next access
Signal DECIDE indicates the time slot in which the arbiter decides who the next master will be, and whether its access
will be locked. The decision is based on HBUSREQ[i] and HLOCK[i]. For instance, DECIDE is high in Step 1 and 6 in Fig. 8. Note
that a decision is executed at the next START signal, which can occur at the earliest two time steps after the HBUSREQ[i] and
HLOCK[i] signals are read. See Fig. 8, the signals are read in Step 1 and the corresponding access starts at Step 3.
Guarantee 7. When the arbiter decides to grant the bus, it uses LOCKED to remember whether a locked access was requested.
$$\bigwedge_i \Box\big((\mathrm{DECIDE} \wedge \bigcirc(\mathrm{HGRANT}[i])) \to (\mathrm{HLOCK}[i] \leftrightarrow \bigcirc(\mathrm{LOCKED}))\big). \quad \text{(G7)}$$
Guarantee 8. We do not change the grant or locked signals if DECIDE is low.
$$\Box\Big(\neg\mathrm{DECIDE} \to \bigwedge_i (\mathrm{HGRANT}[i] \leftrightarrow \bigcirc(\mathrm{HGRANT}[i]))\Big) \wedge \Box\big(\neg\mathrm{DECIDE} \to (\mathrm{LOCKED} \leftrightarrow \bigcirc(\mathrm{LOCKED}))\big). \quad \text{(G8)}$$
Guarantee 9. We have a fair bus. Note that this is not required by the amba standard, and there are valid alternatives, such as a fixed-priority scheme (without this property, there is no need for the arbiter to serve any master at all).
$$\bigwedge_i \Box\Diamond(\neg\mathrm{HBUSREQ}[i] \vee \mathrm{HMASTER} = i). \quad \text{(G9)}$$
Guarantee 10. We do not grant the bus without a request, except to master 0. If there are no requests, the bus is granted to master 0.
$$\bigwedge_{i \neq 0} (\neg\mathrm{HGRANT}[i]\,\mathcal{W}\,\mathrm{HBUSREQ}[i]), \quad \text{(G10.1)}$$
$$\Box\Big(\big(\mathrm{DECIDE} \wedge \bigwedge_i \neg\mathrm{HBUSREQ}[i]\big) \to \bigcirc(\mathrm{HGRANT}[0])\Big). \quad \text{(G10.2)}$$
Guarantee 11. An access by master 0 starts in the first clock tick and simultaneously, a decision is taken. Thus, the signals DECIDE, START, and HGRANT[0] are high and all others are low.
$$\mathrm{DECIDE} \wedge \mathrm{START} \wedge \mathrm{HGRANT}[0] \wedge \mathrm{HMASTER} = 0 \wedge \neg\mathrm{HMASTLOCK} \wedge \bigwedge_{i \neq 0} \neg\mathrm{HGRANT}[i]. \quad \text{(G11)}$$
Assumption 4. We assume that all input signals are low initially.
$$\bigwedge_i (\neg\mathrm{HBUSREQ}[i] \wedge \neg\mathrm{HLOCK}[i]) \wedge \neg\mathrm{HREADY}. \quad \text{(A4)}$$
6.3. Synthesis
The ﬁnal speciﬁcation in the right form is an implication ϕe → ϕs , where ϕe is the conjunction of all the formulas
referring to assumptions and ϕs is the conjunction of all the formulas referring to guarantees. In the following we use the
equation numbers to abbreviate for the corresponding formulas.
$$\varphi_e = \text{(A1.1)} \wedge \text{(A1.3)} \wedge \text{(A1.4)} \wedge \text{(A1.5)} \wedge \text{(A2)} \wedge \text{(A3)} \wedge \text{(A4)},$$
$$\varphi_s = \text{(G1)} \wedge \text{(G2.2)} \wedge \text{(G2.3)} \wedge \text{(G2.4)} \wedge \text{(G3.3)} \wedge \text{(G3.4)} \wedge \text{(G3.5)} \wedge \text{(G4)} \wedge \text{(G5)} \wedge \text{(G6)} \wedge \text{(G7)} \wedge \text{(G8)} \wedge \text{(G9)} \wedge \text{(G10.1)} \wedge \text{(G10.2)} \wedge \text{(G11)}.$$
Fig. 11. Synthesis of amba arbiter results.
Given a speciﬁcation in the right form, we synthesize a strategy and construct a circuit as described in Section 4.3.
Subsequently, the circuit is optimized and mapped to standard cells using abc [54].
We note that using an extra variable (BUSREQ) for Assumption 1 afforded a considerable increase in capacity of the
technique. The time for synthesis is shown in Fig. 11(a) and ranges from a few seconds for 2 masters to about 1.5 h for
10 masters and 21 h for 12 masters. Computing the set of winning states, which allows us to decide if the speciﬁcation
is realizable, takes only a small fraction of the total time. Most of the time is spent in constructing the winning strategy.
A more precise analysis showed that our tool spends most of this time reordering bdds to keep them small. We do not
know why synthesis for ten masters is faster than for nine.
In Fig. 11(b), we show the areas of the arbiter as a function of the number of masters using our algorithm compared with
a manual implementation. For one master the manual and the automatically generated implementation have approximately
the same size. The automatically generated implementations grow rapidly with the number of masters, while the manual
implementations are nearly independent of the number of masters. The automatically generated implementation for ten masters is about a hundred times larger than the manual implementation. We do not know why the size of the arbiter for nine masters is smaller than for eight.
The automatically generated arbiter implements a round-robin arbitration scheme. This can be explained from the con-
struction of the strategy in the synthesis algorithm, but it is also the simplest implementation of a fair arbiter. We have
validated our speciﬁcation by combining the resulting arbiter with manually written masters and clients, with which it
cooperates without problems.
7. Discussion and conclusions
In this section we discuss the most important beneﬁts and drawbacks of automatic synthesis, as we perceive them, and
we discuss extensions of the approach presented here.
Writing a complete formal speciﬁcation for the amba arbiter was not trivial. Many aspects of the arbiter are not deﬁned
in arm’s standard. Such ambiguities would lead to long discussions on how someone implementing a bus device could read
the standard, and which behavior the arbiter should allow. Note that the same problem occurs when writing a verilog
implementation for the arbiter.
Second, it was not trivial to translate the informal speciﬁcation to formulas. One of the important insights when writing
the speciﬁcation of the arbiter was that additional signals were needed. This problem also occurs when we attempt to
formally verify a manually coded arbiter, in which case the same signals are useful. In fact, these signals occur, in one form
or other, in our manual implementation as well.
The effort for and the size of a manual implementation of the amba arbiter does not depend much on the number of
senders. The same is not true for automatic synthesis: the time to synthesize the arbiter grows quickly with the number of
masters as does the size of the generated circuit. Moreover, the size of the system depends strongly on the formulation of
the specification. Godhal, Chatterjee, and Henzinger present a formulation of the ahb specification that can be synthesized more efficiently than ours, and present recommendations for writing specifications for synthesis [55].
The gate-level output that our tool produces is complicated and cannot be easily modiﬁed manually. The resulting circuit
can likely be improved further by using more intelligent methods to generate the circuits, which is an important area for
future research. The problem is related to synthesis of partially speciﬁed functions [56] with the important characteristic
that the space of allowed functions is very large.
On the upside, the resulting specification is short, readable, and easy to modify, much more so than a manual implementation in verilog. There is anecdotal evidence that the specification in the form given in this paper can easily be understood by people with no experience in formal methods: The arm helpdesk very quickly found some errors in the specification in
a preliminary version of this paper.13 For the arbiter, we expect that it is easier to learn the way the design functions from
the formal speciﬁcation than from a manual verilog implementation. The synthesis algorithm was also a great tool to get
the speciﬁcations to be consistent and complete. We doubt whether we would have gotten to a complete and consistent
speciﬁcation without it.
Automatic synthesis is ﬁrst and foremost applicable to control circuitry. We are looking into methods to beneﬁcially
combine manually coded data paths with automatically synthesized control circuitry.
Although this approach removes the need for veriﬁcation of the resulting circuit, the speciﬁcation itself still needs to be
validated. This is not quite trivial, as the speciﬁcation is not executable. In our experience, mistakes in the speciﬁcation are
immediately apparent: either the speciﬁcation becomes unrealizable, or the resulting system behaves nonsensically. Finding
the cause, however, is not at all easy. Debugging of speciﬁcations has been addressed in [57]. In [58] and [43], methods
were developed to extract a core from an unrealizable (or incorrect) speciﬁcation and to extract a compact explanation of
unrealizability. Chatterjee, Henzinger, and Jobstmann consider the modiﬁcation of unrealizable speciﬁcations by making the
environment assumptions (minimally) stricter [59].
A need for quantitative speciﬁcations to state that an event should happen “as soon as possible,” “as infrequently” as
possible, etc. was identiﬁed in [60], but requires a more expensive synthesis algorithm.
The algorithm presented in this paper has the disadvantage that the resulting system can behave arbitrarily as soon
as the environment assumptions are violated. In [61,42], we developed algorithms that synthesize systems that behave
“reasonably” in the presence of environment failures.
The algorithm presented here generates synchronous systems. Pnueli and Klein [62] show an incomplete algorithm to
reduce asynchronous synthesis [63] of gr(1) properties to the problem of synchronous gr(1) synthesis, making the algorithm
presented here applicable to that domain as well.
The work described in this paper has given rise to several implementations. The algorithm is implemented as part of
tlv [64] and Jtlv [40], as a stand-alone tool called Anzu [4], as a realizability checker in the requirements analysis tool rat
[65] and in the synthesis tool ratsy [66]. Ratsy in particular allows for graphical input of the speciﬁcation automata and
contains the debugging algorithm described above.
Finally, our algorithm and its implementation have been used also for applications in robotics and user programming.
Kress-Gazit, Conner, et al. use our algorithm to produce robot controllers [67,68]. They combine the discrete controller with
continuous control and achieve, for example, controllers for cars that autonomously search for parking. Further, they start
exploring domain-speciﬁc languages for synthesis of robot controllers [69]. Similar applications are considered in [70–72],
where additional effort is exerted to analyze huge state spaces. In the context of user programming our algorithm is used to
produce programs from live sequence charts [73,74], and to develop AspectLTL – an aspect-oriented programming language
for LTL speciﬁcations [75].
References
[1] N. Piterman, A. Pnueli, Y. Sa'ar, Synthesis of reactive(1) designs, in: Proc. of the 7th Int. Conf. on Verification, Model Checking, and Abstract Interpretation, in: Lecture Notes in Comput. Sci., vol. 3855, Springer-Verlag, 2006, pp. 364–380.
[2] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, M. Weiglhofer, Automatic hardware synthesis from specifications: A case study, in: Design Automation and Test in Europe, ACM, 2007, pp. 1188–1193.
[3] R. Bloem, S. Galler, B. Jobstmann, N. Piterman, A. Pnueli, M. Weiglhofer, Specify, compile, run: Hardware from PSL, in: 6th Int. Workshop on Compiler Optimization Meets Compiler Verification, in: Electron. Notes Theor. Comput. Sci., vol. 190, 2007, pp. 3–16.
[4] B. Jobstmann, S. Galler, M. Weiglhofer, R. Bloem, Anzu: A tool for property synthesis, in: Proc. of the 19th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 4590, Springer-Verlag, 2007, pp. 258–262.
[5] A. Church, Logic, arithmetic and automata, in: Proc. 1962 Int. Congr. Math. Uppsala, 1963, pp. 23–25.
[6] J. Büchi, L. Landweber, Solving sequential conditions by finite-state strategies, Trans. Amer. Math. Soc. 138 (1969) 295–311.
[7] M. Rabin, Automata on Infinite Objects and Church's Problem, CBMS Reg. Conf. Ser. Math., vol. 13, Amer. Math. Soc., 1972.
[8] A. Pnueli, R. Rosner, On the synthesis of an asynchronous reactive module, in: Proc. of the 16th Int. Colloq. Aut. Lang. Prog., in: Lecture Notes in Comput. Sci., vol. 372, Springer-Verlag, 1989, pp. 652–671.
[9] E. Clarke, E. Emerson, Design and synthesis of synchronization skeletons using branching time temporal logic, in: Proc. IBM Workshop on Logics of Programs, in: Lecture Notes in Comput. Sci., vol. 131, Springer-Verlag, 1981, pp. 52–71.
[10] Z. Manna, P. Wolper, Synthesis of communicating processes from temporal logic specifications, ACM Trans. Prog. Lang. Syst. 6 (1984) 68–93.
[11] R. Rosner, Modular synthesis of reactive systems, PhD thesis, Weizmann Institute of Science, 1992.
[12] N. Wallmeier, P. Hütten, W. Thomas, Symbolic synthesis of finite-state controllers for request-response specifications, in: Proceedings of the International Conference on the Implementation and Application of Automata, in: Lecture Notes in Comput. Sci., vol. 2759, Springer-Verlag, 2003, pp. 11–22.
[13] R. Alur, S.L. Torre, Deterministic generators and games for LTL fragments, ACM Trans. Comput. Log. 5 (1) (2004) 1–25.
[14] A. Harding, M. Ryan, P. Schobbens, A new algorithm for strategy synthesis in LTL games, in: Tools and Algorithms for the Construction and the Analysis of Systems, in: Lecture Notes in Comput. Sci., vol. 3440, Springer-Verlag, 2005, pp. 477–492.
[15] B. Jobstmann, A. Griesmayer, R. Bloem, Program repair as a game, in: Proc. of the 17th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 3576, Springer-Verlag, 2005, pp. 226–238.
[16] E. Asarin, O. Maler, A. Pnueli, J. Sifakis, Controller synthesis for timed automata, in: IFAC Symposium on System Structure and Control, Elsevier, 1998, pp. 469–474.
[17] Z. Manna, A. Pnueli, A hierarchy of temporal properties, in: Proc. 9th ACM Symp. Princ. of Dist. Comp., 1990, pp. 377–408.
13 We take this opportunity to acknowledge the help of Margaret Rugira, Chris Styles, and Colin Campbell at the arm helpdesk.
[18] Y. Kesten, N. Piterman, A. Pnueli, Bridging the gap between fair simulation and trace inclusion, Inform. and Comput. 200 (1) (2005) 36–61.
[19] R. Bloem, H.N. Gabow, F. Somenzi, An algorithm for strongly connected component analysis in n log n symbolic steps, Formal Methods Syst. Des. 28 (1) (2006) 37–56.
[20] A. Pnueli, In transition from global to modular temporal reasoning about programs, Logics Models Concurrent Syst. 13 (1985) 123–144.
[21] ARM Ltd., AMBA specification (rev. 2), available from www.arm.com, 1999.
[22] B. Jobstmann, R. Bloem, Optimizations for LTL synthesis, in: Proc. of the 6th Int. Conf. on Formal Methods in Computer-Aided Design, IEEE, 2006, pp. 117–124.
[23] S. Sohail, F. Somenzi, K. Ravi, A hybrid algorithm for LTL games, in: Proc. of the 9th Int. Conf. on Verification, Model Checking, and Abstract Interpretation, in: Lecture Notes in Comput. Sci., vol. 4905, Springer-Verlag, 2008, pp. 309–323.
[24] S. Sohail, F. Somenzi, Safety first: A two-stage algorithm for LTL games, in: Proc. of the 9th Int. Conf. on Formal Methods in Computer-Aided Design, IEEE, 2009, pp. 77–84.
[25] T. Henzinger, N. Piterman, Solving games without determinization, in: Proc. of the 15th Annual Conf. of the European Association for Computer Science Logic, in: Lecture Notes in Comput. Sci., vol. 4207, Springer-Verlag, 2006, pp. 394–410.
[26] A. Morgenstern, Symbolic controller synthesis for LTL specifications, PhD thesis, Universität Kaiserslautern, 2010.
[27] O. Kupferman, M. Vardi, Safraless decision procedures, in: Proc. of the 46th IEEE Symp. on Foundations of Computer Science, 2005, pp. 531–542.
[28] O. Kupferman, N. Piterman, M. Vardi, Safraless compositional synthesis, in: Proc. of the 18th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 4144, Springer-Verlag, 2006, pp. 31–44.
[29] S. Schewe, Bounded synthesis, in: Automated Technology for Verification and Analysis, 2007, pp. 474–488.
[30] E. Filiot, N. Jin, J.-F. Raskin, An antichain algorithm for LTL realizability, in: Proc. of the 21st Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 5643, Springer-Verlag, 2009, pp. 263–277.
[31] C. Eisner, D. Fisman, A Practical Introduction to PSL, Springer-Verlag, 2006.
[32] Y. Kesten, A. Pnueli, Verification by augmented finitary abstraction, Inform. and Comput. 163 (2000) 203–243.
[33] A. Pnueli, R. Rosner, Distributed reactive systems are hard to synthesize, in: Proc. of the 31st IEEE Symp. Found. of Comp. Sci., 1990, pp. 746–757.
[34] D. Kozen, Results on the propositional μ-calculus, Theoret. Comput. Sci. 27 (1983) 333–354.
[35] E.A. Emerson, C.L. Lei, Efficient model-checking in fragments of the propositional modal μ-calculus, in: Proc. of the 1st IEEE Symp. Logic in Comp. Sci., 1986, pp. 267–278.
[36] D. Long, A. Brown, E. Clarke, S. Jha, W. Marrero, An improved algorithm for the evaluation of fixpoint expressions, in: Proc. of the 6th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 818, Springer-Verlag, 1994, pp. 338–350.
[37] M. Jurdziński, Small progress measures for solving parity games, in: Proc. of the 17th Symp. on Theoretical Aspects of Computer Science, in: Lecture Notes in Comput. Sci., vol. 1770, Springer-Verlag, 2000, pp. 290–301.
[38] E. Emerson, Model checking and the μ-calculus, in: N. Immerman, P. Kolaitis (Eds.), Descriptive Complexity and Finite Models, American Mathematical Society, 1997, pp. 185–214.
[39] O. Lichtenstein, Decidability, completeness, and extensions of linear time temporal logic, PhD thesis, Weizmann Institute of Science, 1991.
[40] A. Pnueli, Y. Sa'ar, L.D. Zuck, JTLV: A framework for developing verification algorithms, in: Proc. of the 22nd Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 6174, Springer-Verlag, 2010, pp. 171–174, http://jtlv.ysaar.net/.
[41] S. Juvekar, N. Piterman, Minimizing generalized Büchi automata, in: Proc. of the 18th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 4144, Springer-Verlag, 2006, pp. 45–58.
[42] R. Bloem, K. Chatterjee, K. Greimel, T. Henzinger, B. Jobstmann, Robustness in the presence of liveness, in: Proc. of the 22nd Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 6174, Springer-Verlag, 2010, pp. 410–424.
[43] R. Koenighofer, G. Hofferek, R. Bloem, Debugging formal specifications using simple counterstrategies, in: Proc. of the 9th Int. Conf. on Formal Methods in Computer-Aided Design, IEEE, 2009, pp. 152–159.
[44] J.H. Kukula, T.R. Shiple, Building circuits from relations, in: Proc. of the 12th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 1855, Springer-Verlag, 2000, pp. 113–123.
[45] F. Somenzi, CUDD: CU Decision Diagram package, University of Colorado at Boulder, ftp://vlsi.colorado.edu/pub/.
[46] A.J. Hu, D. Dill, Reducing BDD size by exploiting functional dependencies, in: Proc. of the Design Automation Conference, Dallas, TX, 1993, pp. 266–271.
[47] Prosyd – Property-Based System Design, http://www.prosyd.org/, EU grant 507219, 2004–2007.
[48] M. Abadi, L. Lamport, The existence of refinement mappings, Theoret. Comput. Sci. 82 (2) (1991) 253–284.
[49] F. Dederichs, R. Weber, Safety and liveness from a methodological point of view, Inform. Process. Lett. 36 (1) (1990) 25–30.
[50] M. Abadi, B. Alpern, K.R. Apt, N. Francez, S. Katz, L. Lamport, F.B. Schneider, Preserving liveness: Comments on "safety and liveness from a methodological point of view", Inform. Process. Lett. 40 (3) (1991) 141–142.
[51] Y. Kesten, A. Pnueli, L. Raviv, Algorithmic verification of linear temporal logic specifications, in: Proc. of the 25th Int. Colloq. Aut. Lang. Prog., in: Lecture Notes in Comput. Sci., vol. 1443, Springer-Verlag, 1998, pp. 1–16.
[52] A. Pnueli, A. Zaks, On the merits of temporal testers, in: 25 Years of Model Checking, in: Lecture Notes in Comput. Sci., vol. 5000, Springer-Verlag, 2008, pp. 172–195.
[53] A. Pnueli, R. Rosner, On the synthesis of a reactive module, in: Proc. of the 16th ACM Symp. Princ. of Prog. Lang., 1989, pp. 179–190.
[54] Berkeley Logic Synthesis and Verification Group, ABC: A system for sequential synthesis and verification, release 61208, http://www.eecs.berkeley.edu/~alanmi/abc/.
[55] Y. Godhal, K. Chatterjee, T.A. Henzinger, Synthesis of AMBA AHB from formal specification, Tech. Rep. abs/1001.2811, CoRR, 2010.
[56] G.D. Hachtel, F. Somenzi, Logic Synthesis and Verification Algorithms, Kluwer Academic Publishers, Boston, MA, 1996.
[57] I. Pill, S. Semprini, R. Cavada, M. Roveri, R. Bloem, A. Cimatti, Formal analysis of hardware requirements, in: Proc. of the Design Automation Conference, 2006, pp. 821–826.
[58] A. Cimatti, M. Roveri, V. Schuppan, A. Tchaltsev, Diagnostic information for realizability, in: Proc. of the 9th Int. Conf. on Verification, Model Checking, and Abstract Interpretation, in: Lecture Notes in Comput. Sci., vol. 4905, Springer-Verlag, 2008, pp. 52–67.
[59] K. Chatterjee, T. Henzinger, B. Jobstmann, Environment assumptions for synthesis, in: Int. Conf. on Concurrency Theory (CONCUR), in: Lecture Notes in Comput. Sci., vol. 5201, Springer-Verlag, 2008, pp. 147–161.
[60] R. Bloem, K. Chatterjee, T. Henzinger, B. Jobstmann, Better quality in synthesis through quantitative objectives, in: Proc. of the 21st Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 5643, Springer-Verlag, 2009, pp. 140–156.
[61] R. Bloem, K. Greimel, T. Henzinger, B. Jobstmann, Synthesizing robust systems, in: Proc. of the 9th Int. Conf. on Formal Methods in Computer-Aided Design, IEEE, 2009, pp. 85–92.
[62] A. Pnueli, U. Klein, Synthesis of programs from temporal property specifications, in: Proc. Formal Methods and Models for Co-Design (MEMOCODE), IEEE, 2009, pp. 1–7.
[63] M. Abadi, L. Lamport, P. Wolper, Realizable and unrealizable specifications of reactive systems, in: Proc. of the 16th Int. Colloq. Aut. Lang. Prog., in: Lecture Notes in Comput. Sci., vol. 372, Springer-Verlag, 1989, pp. 1–17.
[64] A. Pnueli, E. Shahar, A platform for combining deductive with algorithmic verification, in: Proc. of the 8th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 1102, Springer-Verlag, 1996, pp. 184–195.
[65] R. Bloem, R. Cavada, I. Pill, M. Roveri, A. Tchaltsev, Rat: A tool for the formal analysis of requirements, in: Proc. of the 19th Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 4590, Springer-Verlag, 2007, pp. 263–267.
[66] R. Bloem, A. Cimatti, K. Greimel, G. Hofferek, R. Koenighofer, M. Roveri, V. Schuppan, R. Seeber, RATSY: A new requirements analysis tool with synthesis, in: Proc. of the 22nd Int. Conf. on Computer Aided Verification, in: Lecture Notes in Comput. Sci., vol. 6174, Springer-Verlag, 2010, pp. 425–429.
[67] H. Kress-Gazit, G.E. Fainekos, G.J. Pappas, Where's Waldo? Sensor-based temporal logic motion planning, in: Conf. on Robotics and Automation, IEEE, 2007, pp. 3116–3121.
[68] D.C. Conner, H. Kress-Gazit, H. Choset, A.A. Rizzi, G.J. Pappas, Valet parking without a valet, in: Conf. on Intelligent Robots and Systems, IEEE, 2007, pp. 572–577.
[69] H. Kress-Gazit, G. Fainekos, G. Pappas, From structured English to robot motion, in: Proc. IEEE/RSJ Int. Conf. on Intelligent Robots and Systems, IEEE, 2007, pp. 2717–2722.
[70] T. Wongpiromsarn, U. Topcu, R.M. Murray, Receding horizon temporal logic planning for dynamical systems, in: Proc. of the 48th IEEE Conf. on Decision and Control, IEEE, 2009, pp. 5997–6004.
[71] T. Wongpiromsarn, U. Topcu, R.M. Murray, Receding horizon control for temporal logic specifications, in: Proc. of the 13th ACM Int. Conf. on Hybrid Systems: Computation and Control, ACM, 2010, pp. 101–110.
[72] T. Wongpiromsarn, U. Topcu, R.M. Murray, Automatic synthesis of robust embedded control software, in: AAAI Spring Symposium on Embedded Reasoning: Intelligence in Embedded Systems, 2010, pp. 104–110.
[73] H. Kugler, C. Plock, A. Pnueli, Controller synthesis from LSC requirements, in: Proc. Fundamental Approaches to Software Engineering, in: Lecture Notes in Comput. Sci., vol. 5503, Springer-Verlag, 2009, pp. 79–93.
[74] H. Kugler, I. Segall, Compositional synthesis of reactive systems from live sequence chart specifications, in: Proc. of the 15th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems, in: Lecture Notes in Comput. Sci., vol. 5505, Springer-Verlag, 2009, pp. 77–91.
[75] S. Maoz, Y. Sa'ar, AspectLTL: An aspect language for LTL specifications, in: Proc. of the 10th Int. Conf. on Aspect-Oriented Software Development, ACM, 2011, pp. 19–30.
