Unsynthesizable Cores - Minimal Explanations for Unsynthesizable
  High-Level Robot Behaviors by Raman, Vasumathi & Kress-Gazit, Hadas
1Unsynthesizable Cores – Minimal Explanations for
Unsynthesizable High-Level Robot Behaviors
Vasumathi Raman1 and Hadas Kress-Gazit2
Abstract—With the increasing ubiquity of multi-capable,
general-purpose robots arises the need for enabling non-expert
users to command these robots to perform complex high-level
tasks. To this end, high-level robot control has seen the appli-
cation of formal methods to automatically synthesize correct-by-
construction controllers from user-defined specifications; synthe-
sis fails if and only if there exists no controller that achieves
the specified behavior. Recent work has also addressed the
challenge of providing easy-to-understand feedback to users when
a specification fails to yield a corresponding controller. Existing
techniques provide feedback on portions of the specification that
cause the failure, but do so at a coarse granularity. This work
presents techniques for refining this feedback, extracting minimal
explanations of unsynthesizability.
Index Terms—high-level behaviors, formal methods, temporal
logic.
I. INTRODUCTION
As robots become increasingly general-purpose and ubiqui-
tous, there is a growing need for them to be easily controlled
by a wide variety of users. The near future will likely see
robots in homes and offices, performing everyday tasks such as
fetching coffee and tidying rooms. The challenge of program-
ming robots to perform these tasks has until recently been the
domain of experts, requiring hard-coded implementations with
the ad-hoc use of low-level techniques such as path-planning
during execution.
Recent advances in the use of formal methods for robot
control have enabled non-expert users to command robots
to perform high-level tasks using a specification language
instead of programming the robot controller (e.g., [1–6]).
There are several approaches in which correct-by-construction
controllers are automatically synthesized from a description of
the desired behavior and assumptions on the environment in
which the robot operates [5, 6]. If a controller implementing
the specification exists, one is returned. However, for specifica-
tions that have no implementation (i.e. unsynthesizable specifi-
cations), the process of pin-pointing the cause of the problem
can be a frustrating and time-consuming process. This has
motivated recent algorithms for explaining unsynthesizability
of specifications [7, 8], revising specifications [9], and adding
*V. Raman is supported by STARnet, a Semiconductor Research Cor-
poration program, sponsored by MARCO and DARPA. H. Kress-Gazit is
supported by NSF CAREER CNS-0953365 and DARPA N66001-12-1-4250.
V. Raman is with the Department of Computing and Mathematical Sci-
ences, California Institute of Technology, Pasadena CA 91125 (e-mail:
vasu@caltech.edu).
2H. Kress-Gazit is with the Sibley School of Mechanical and Aerospace
Engineering, Cornell University, Ithaca, NY 14853, USA hadaskg at
cornell.edu
Manuscript received August 21, 2014.
environment assumptions that would make the specification
synthesizable [10].
There are two ways in which a specification can be un-
synthesizable – it is either unsatisfiable, in which case the
specified robot behavior cannot be achieved in any environ-
ment, or it is unrealizable, in which case there exists an
admissible environment (satisfying the specified assumptions)
that prevents the robot from achieving its specified behav-
ior. Feedback about the cause of unsynthesizability can be
provided to the user in the form of a modified specification
[9, 11, 12], a highlighted fragment of the original specification
[13], or by allowing the user to interact with a simulated
adversarial environment that prevents the robot from achieving
the specified behavior [8].
Previous approaches left open the challenge of refining
feedback to the finest possible granularity, providing the
user with a minimal cause of unsynthesizability. The main
contribution of this paper is to to identify unsynthesizable
cores – minimal subsets of the desired robot behavior that
cause it to be unsatisfiable or unrealizable. The analysis
makes use of off-the-shelf Boolean satisfiability (SAT) solvers
and existing synthesis tools to find this minimal cause of
unsynthesizability, and therefore lends itself to generalization
to any formal specification language for which the relevant
tools exist. This paper subsumes the results presented in
[14, 15], and extends the core-finding capabilities to previously
unaddressed cases, as described in Section VII. In particular,
this is the first paper to present a sound and complete algorithm
for finding unsynthesizable cores (as defined in Section III)
for specifications in the GR(1) fragment of Linear Temporal
Logic (LTL), and discuss special considerations necessitated
by specifications in the robotics problem domain.
The paper is structured as follows. Section II reviews terms
and preliminaries. Section III describes types of unsynthesiz-
ability, and presents a formal definition of the problem of
identifying unsynthesizable cores. Section IV describes related
work on analyzing unsynthesizable specifications. Sections
V and VI present techniques for using Boolean satisfiability
to identify unsatisfiable and unrealizable cores respectively.
Section VII describes an alternative method for identifying
cores, based on iterated realizability checks. Section VIII
demonstrates the effectiveness of the more fine-grained feed-
back on example specifications. The paper concludes with a
description of future work in Section IX.
II. PRELIMINARIES
The high-level tasks considered in this work involve a robot
operating in a known workspace. The robot reacts to events
ar
X
iv
:1
40
9.
14
55
v1
  [
cs
.R
O]
  4
 Se
p 2
01
4
2in the environment, which are captured by its sensors, in a
manner compliant with the task specification, by choosing
from a set of actions including moving between adjacent
locations. The tasks may include infinitely repeated behaviors
such as patrolling a set of locations. Examples of such high-
level tasks include search and rescue missions and the DARPA
Urban Challenge.
A. Controller Synthesis
High-level control for robotics is inherently a hybrid do-
main, consisting of both discrete and continuous components.
Automated correct-by-construction controller synthesis for this
domain using formal methods requires a discrete abstraction
and a description of the task in a formal specification language.
The discrete abstraction of the high-level robot task consists
of a set of propositions X whose truth value is controlled by
the environment and read by the robot’s sensors, and a set
of action and location propositions Y controlled by the robot;
the set of all propositions AP = X ∪Y . The value of each
pi ∈ AP is the abstracted binary state of a low-level black box
component. More details on the discrete abstraction used in
this work can be found in [5].
The formal language used for high-level specifications in
this work is Linear Temporal Logic (LTL) [16], a modal
logic that includes temporal operators, allowing formulas to
specify the truth values of atomic propositions over time.
LTL is appropriate for specifying robotic behaviors because it
provides the ability to describe changes in the truth values of
propositions over time. To allow users who may be unfamiliar
with LTL to define specifications, some tools like LTLMoP
[17] include a parser that automatically translates English
sentences belonging to a defined grammar [18] into LTL
formulas, as well as some natural language capabilities, as
described in [14].
1) Linear Temporal Logic (LTL): LTL formulas are con-
structed from atomic propositions pi ∈ AP according to the
following recursive grammar:
ϕ ::= pi | ¬ϕ | ϕ ∨ϕ | ©ϕ | ϕ U ϕ,
where ¬ is negation, ∨ is disjunction, © is “next”, and U is a
strong “until”. Conjunction (∧), implication (⇒), equivalence
(⇔), “eventually” ( ) and “always” () are derived from
these operators. The truth of an LTL formula is evaluated over
sequences of truth assignments to the propositions in AP. In
this paper, truth assignments are represented as subsets P ⊆
AP, with pi ∈ P being set to true and pi ∈ AP\P being false.
Informally, the formula ©ϕ expresses that ϕ is true in the
next position in the sequence. Similarly, ϕ expresses that ϕ
is true at every position, and ϕ expresses that ϕ is true at
some position in the sequence. Therefore, the formula  ϕ
is satisfied if ϕ is true infinitely often. For a formal definition
of the semantics of LTL, see [19].
The task specifications in this paper are expressed as LTL
formulas of the form ϕ = ϕe ⇒ ϕs, where ϕe encodes as-
sumptions about the environment’s behavior and ϕs represents
the desired robot behavior. ϕe and ϕs each have the structure
ϕp =ϕ ip∧ϕ tp∧ϕgp , where ϕ ip,ϕ tp and ϕgp for p∈{e,s} represent
the initial conditions, transition relation and goals for the
environment (e) and the robot (s) respectively. This fragment
of LTL is called Generalized Reactivity (1) or GR(1) [20].
The subformulas ϕ te and ϕ ts above are referred to as safety
formulas, and encode assumptions on the environment and re-
strictions on the system transitions respectively. Each consists
of a conjunction of formulas of the form Ai, where each Ai is
a Boolean formula over AP (formulas over©AP= {©pi | pi ∈
AP} are also allowed in ϕ ts). On the other hand, ϕeg and ϕsg are
referred to as liveness formulas, and consist of conjunctions of
clauses of the form  B j. Each B j is a Boolean formula over
AP, and represents an event that should occur infinitely often
when the robot controller is executed. The initial conditions
ϕ ie and ϕ is are non-temporal Boolean formulae over X and Y
respectively.
An LTL formula ϕ is realizable if, for every time step,
given a truth assignment to the environment propositions for
the next time step, there is an assignment of truth values to
the robot propositions such that the resulting infinite sequence
of truth assignments satisfies ϕ . The synthesis problem is to
find an automaton that encodes these assignments, i.e. whose
executions satisfy ϕ . For a synthesizable specification ϕ ,
synthesis produces an implementing automaton, enabling the
construction of a hybrid controller that produces the desirable
high-level, autonomous robot behavior. The reader is referred
to [20] and [5] for details of the synthesis procedure, and
to [5, 17] for a description of how the extracted discrete
automaton is transformed into low-level robot control.
B. Environment Counterstrategy
In the case of unsynthesizable specifications, the coun-
terstrategy synthesis algorithm introduced in [21] gives an
automatic method of constructing a strategy for the environ-
ment, which provides sequences of environment actions that
prevent the robot from achieving the specified behavior. The
counterstrategy takes the form of a finite state machine:
Definition 1 An environment counterstrategy for LTL formula
ϕ is a tuple Aeϕ = (Q,Q0,X ,Y,δe,δs,γX ,γY ,γgoals) where
• Q is a set of states.
• Q0 ⊆ Q is a set of initial states.
• X is a set of inputs (sensor propositions).
• Y is a set of outputs (location and action propositions).
• δe : Q → 2X is a deterministic input function, which
provides the input propositions that are true in the next
time step given the current state q, and satisfies ϕ te.
• δs : Q× 2X → 2Q is the (nondeterministic) transition
relation. If δs(q,x) = /0 for some x ∈ 2X ,q ∈ Q, then
there is no next-step assignment to the set of outputs that
satisfies the robot’s transition relation ϕ ts , given the next
set of environment inputs x and the current state q.
• γX : Q→ 2X is a transition labeling, which associates
with each state the set of environment propositions that
are true over incoming transitions for that state (note that
this set is the same for all transitions into a given state).
Moreover, if q′ ∈ δs(q,x) then γX (q′) = x.
• γY : Q→ 2Y is a state labeling, associating with each
state the set of robot propositions true in that state.
3start r3 r4 r5 r6 r7 r8 goalr2
Fig. 1: Map of robot workspace in Specification 1
• γgoals : Q→Z+ labels each state with the index of a robot
goal that is prevented by that state. During the counter-
strategy extraction, every state in the counterstrategy is
marked with some robot goal [21].
The counterstrategy Aeϕ provides truth assignments to the in-
put propositions (in the form of the transition function δe) that
prevent the robot from fulfilling its specification. The inputs
provided by δe in each state satisfy ϕ te, meaning that for all q∈
Q, the truth assignment sequence (γX (q)∪ γY(q),γX (δe(q)))
satisfies Ai for each conjunct Ai in ϕ te (note that Ai is a
formula over two consecutive time steps). In addition, all
infinite executions of Aeϕ satisfy ϕe∧¬ϕs.
III. PROBLEM STATEMENT
A specification that does not yield an implementing automa-
ton is called unsynthesizable. Unsynthesizable specifications
are either unsatisfiable, in which case the robot cannot succeed
no matter what happens in the environment (e.g., if the task
requires patrolling a disconnected workspace), or unrealizable,
in which case there exists at least one environment that can
prevent the desired behavior (e.g., if in the above task, the en-
vironment can disconnect an otherwise connected workspace,
such as by closing a door). More examples illustrating the two
cases can be found in [8].
In either case, the robot can fail in one of two ways: either
it ends up in a state from which it has no moves that satisfy
the specified safety requirements ϕ ts (this is termed deadlock),
or the robot is able to change its state infinitely, but one of
the goals in ϕgs is unreachable without violating ϕ ts (termed
livelock). In the context of unsatisfiability, an example of
deadlock is when the system safety conditions contain a con-
tradiction within themselves. Similarly, unrealizable deadlock
occurs when the environment has at least one strategy for
forcing the system into a deadlocked state. Livelock occurs
when there is one or more goals that cannot be reached while
still following the given safety conditions.
Consider Specification 1, in which the robot is operating
in the workspace depicted in Fig. 1. The robot starts at the
left hand side of the hallway (1), and must visit the goal on
the right (4). The safety requirements specify that the robot
should not pass through region r5 if it senses a person (2).
Additionally, the robot should always activate its camera (3).
Specification 1 Unrealizable specification – livelock
1) Robot starts in start with camera
(pistart ∧picamera, part of ϕ is))
2) If you are sensing a person then do not r5
((©piperson⇒¬©pir5), part of ϕts)
3) Always activate the camera (©picamera, part of ϕts)
4) Visit the goal ( pigoal , part of ϕgs )
It is clear that the environment can prevent the goal in (4) by
always activating the “person” sensor (piperson), because of the
initial condition in (1) and the safety requirement in (2). Note
that Specification 1 is a case of livelock: the robot can satisfy
the safety requirement indefinitely by moving between the first
four rooms on the left, but is prevented from ever reaching the
goal if it sees a person all the time – the environment is able
to disconnect the topology using the person sensor.
Previous work produced explanations of unsynthesizability
in terms of combinations of the specification components
(i.e., initial conditions, safeties and goals) [8]. However, in
many cases, the true conflict lies in small subformulas of
these components. For example, the safety requirement (3)
in Specification 1 is irrelevant to its unsynthesizability, and
should be excluded from any explanation of failure. The
specification analysis algorithm presented in [8] will narrow
down the cause of unsynthesizability to the goal in (4), but will
also highlight the entirety of ϕ ts , declaring that the environment
can prevent the goal because of some subset of the safeties
(without identifying the exact subset).
This motivates the identification of small, minimal, “core”
explanations of the unsynthesizability. A first step is to define
what is meant by an unsynthesizable core. This paper draws
inspiration from the Boolean satisfiability (SAT) literature
to define an unsynthesizable core of a GR(1) LTL formula.
Given an unsatisfiable SAT formula in conjunctive normal
form (CNF), an unsatisfiable core is traditionally defined as a
subset of CNF clauses that is still unsatisfiable. A minimal
unsatisfiable core is one such that every proper subset is
satisfiable; a given SAT formula can have multiple minimal
unsatisfiable cores of varying sizes. This definition should be
distinguished from that of a minimum unsatisfiable core, which
is one containing the smallest number of original clauses that
are unsatisfiable in themselves. While there are several practi-
cal techniques for computing minimal unsatisfiable cores, and
many modern SAT-solvers include this functionality, there are
no known practical algorithms for computing minimum cores.
This paper will therefore focus on leveraging existing tools for
computing minimal unsatisfiable cores, to compute minimal
unsynthesizable cores.
Let ϕ1  ϕ2 (ϕ1 ≺ ϕ2) denote that ϕ1 is a subformula (strict
subformula) of ϕ2.
Definition 2 Given a specification ϕ = ϕe ⇒ ϕs, a minimal
unsynthesizable core is a subformula ϕ∗s  ϕs such that
ϕe ⇒ ϕ∗s is unsynthesizable, and for all ϕ ′s ≺ ϕ∗s , ϕe ⇒ ϕ ′s
is synthesizable.
Problem 1 Given an unsynthesizable formula ϕ , return a
minimal unsynthesizable core ϕ∗s  ϕs.
IV. RELATED WORK
Robotics researchers have recently considered the problem
of revising specifications that cannot be satisfied by a given
robot system [9, 11, 12] . The work in [9] addressed the
problem of revising unsatisfiable LTL specifications. The
author defines a partial order on LTL formulas, and defines the
notion of a valid relaxation for an LTL specification, which
4informally corresponds to the set of formulas “greater than”
formulas in the specification according to this partial order.
Formula relaxation for unreachable states is accomplished by
recursively removing all positive occurrences of unreachable
propositions. Specifications with logical inconsistencies are
revised by augmenting the synchronous product of the robot
and environment specifications with previously disallowed
transitions as needed to achieve the goal state. In [11, 12], the
authors present exact and approximate algorithms for finding
minimal revisions of specification automata, by removing
the minimum number of constraints from the unsatisfiable
specification. They too encode the problem as an instance
of Boolean satisfiability, and solve it using efficient SAT
solvers. However, the work presented in this paper differs
in its objective, which is to provide feedback on existing
specifications, not rewrite them. Moreover, unlike the above
approaches, this work deals with reactive specifications.
Although explaining unachievable behaviors has only re-
cently been studied in the context of robotics, there has been
considerable prior work on unsatisfiability and unrealizability
of LTL in the formal methods literature, and the problem
of identifying small causes of failure has been studied from
several perspectives. For unsatisfiable LTL formulas, the au-
thors of [22] suggest a number of notions of unsatisfiable
cores, tied to the corresponding method of extraction. These
include definitions based on the syntactic structure of the
formula parse tree, subsets of conjuncts in various conjunctive
normal form translations of the formula, resolution proofs from
bounded model-checking (BMC), and tableaux constructions.
The authors of [23] employ a formal definition of causality
to explain counterexamples provided by model-checkers on
unsatisfiable LTL formulas; the advantage of this method is
the flexibility of defining an appropriate causal model.
The technique of extracting an unsatisfiable core from a
BMC resolution proof is one that is well-used in the Boolean
satisfiability (SAT) and SAT Modulo Theories (SMT) (e.g.,
[24, 25]) literature. A similar technique was used in [26]
for debugging declarative specifications. In that work, the
abstract syntax tree (AST) of an inconsistent specification was
translated to CNF, an unsatisfiable core was extracted from
the CNF, and the result was mapped back to the relevant
parts of the AST. The approach in [26] only generalizes to
specification languages that are reducible to SAT, a set which
does not include LTL; this paper presents a similar approach,
using SAT solvers to identify unsatisfiable cores for LTL.
The authors of [27] also attempted to generalize the idea
of unsatisfiable cores to the case of temporal logic using
SAT-based bounded model checkers. Temporal atoms of the
original LTL specification were associated with activation
variables, which were then used to augment the formulas used
by a SAT-based bounded model checker. The result, in the
case of an unsatisfiable LTL formula, was a subset of the
activation variables corresponding to the atoms that cannot
be satisfied simultaneously. The approach presented here for
unsatisfiability is very similar, in that the SAT formulas used
to determine the core are exactly those that would be used
for bounded model checking. However, a major difference is
that this work does not use activation variables in order to
identify conjuncts in the core, but maintains a mapping from
the original formula to clauses in the SAT instance.
In the context of unrealizability, the authors of [28] propose
definitions for helpful assumptions and guarantees, and com-
pute minimal explanations of unrealizability (i.e., unrealizable
cores) by iteratively expelling unhelpful constraints. Their
algorithm assumes an external realizability checker, which
is treated as a black box, and performs iterated realizability
tests. This work will draw on the same iterative realizability
approach in Section VII. The authors in [29] use model-based
diagnosis to remove not only guarantees but also irrelevant
output signals from the specification. These output signals
are those that can be set arbitrarily without affecting the
unrealizability of the specification. Model-based diagnoses
provide more information than a single unrealizable core,
but requires the computation of many unrealizable cores. In
[29], this is accomplished using techniques similar to those
in [28], which in turn require many realizability checks. The
main advantage of the work presented here is that it reduces
the number of computationally expensive realizability checks
required for most specifications, as detailed in Sections V and
VI.
To identify and eliminate the source of unrealizability,
some works like [10, 30] provide a minimal set of additional
environment assumptions that, if added, would make the
specification realizable; this is accomplished in [30] using
efficient analysis of turn-based probabilistic games, and in
[10] by mining the environment counterstrategy. On the other
hand, the work presented in this paper takes the environment
assumptions as fixed, and the goal is to compute a minimal
subset of the robot guarantees that is unrealizable. Seen from
another perspective, this work presumes that the assumptions
accurately capture the specification designer’s understanding
of the robot’s environment, and provides the source of failure
in the specified guarantees.
V. UNSATISFIABLE CORES VIA SAT
This section describes how unsatisfiable components of
the robot specification ϕs are further analyzed to narrow the
cause of unsatisfiability, for both deadlock and livelock, using
Boolean satisfiability testing. Extending these techniques to
the environment assumptions ϕe is straightforward.
The Boolean satisfiability problem or SAT is the problem
of determining whether there exists a truth assignment to a
set of propositions that satisfies a given Boolean formula. A
Boolean formula in Conjunctive Normal Form (CNF) is one
that has been rewritten as a conjunction of clauses, each of
which is a disjunctions of literals, where a literal is a Boolean
proposition or its negation. For a Boolean formula in CNF, an
unsatisfiable core is defined as a subset of CNF clauses whose
conjunction is still unsatisfiable; a minimal unsatisfiable core
is one such that removing any clause results in a satisfiable
formula.
A. Unsatisfiable Cores for Deadlock
Given a depth d and an LTL safety formula ϕ over proposi-
tions pi ∈ AP, the propositional formula ψd is constructed over
5loungehall_W
hal
l_C
ha
ll_
Nr4 r3
r2r1
r6 r5
kitchenc
Fig. 2: Map of hospital workspace (“c” is the closet)
⋃
0≤i≤d+1 APi, where pi i ∈ APi represents the value of pi ∈ AP
at time step i, as:
ψd(ϕ) =
∧
0≤i≤d
ϕ[©pi/pi i+1][pi/pi i],
where ϕ[a/b] represents ϕ with all occurrences of subformula
a replaced with b. This formula is called the depth-d unrolling
of ϕ . Consider Specification 2. ψ0(ϕ ts) = ¬pi0kitchen ∧ pi1camera
and ψ1(ϕ ts) = ¬pi0kitchen ∧ pi1camera ∧¬pi1kitchen ∧ pi2camera, where
pi ikitchen is a propositional variable representing the value of
pikitchen at time step i. Given the depth-d unrolling ψd(ϕ ts) of
the robot safety formula, define ψdf romInit =ϕ
i
s[pi/pi0]∧ψd(ϕ ts).
In the case of deadlock, which can be identified as in [7,
8], a series of Boolean formulas {ψdf romInit} is produced by
incrementally unrolling the robot safety formula ϕ ts , and the
satisfiability of ψdf romInit is checked at each depth. To perform
this check, the formula ψdf romInit is first converted into CNF, so
that it can be provided as input to an off-the-shelf SAT-solver;
this work uses PicoSAT [31]. Converting a Boolean formula to
CNF form can, in the worst case, cause an exponential increase
in the size of the formula. However, since ψdf romInit consists of
conjunctions of simple Boolean formulas, the resulting CNFs
are small in practice. If ψdf romInit is found unsatisfiable, there
is no valid sequence of actions that follow the robot safety
condition for d time steps starting from the initial condition.
In this case, the SAT solver returns a minimal unsatisfiable
subformula, in the form of a subset of the CNF clauses.
When translating the Boolean formula ψdf romInit to CNF, a
mapping is maintained between the portions of the the original
specification, and the clauses they generate. This enables the
CNF minimal unsatisfiable core to be traced back to the
corresponding safety conjuncts and initial conditions in the
specification.
Specification 2 Core-finding example – unsatisfiable deadlock
1) Start in the kitchen (ϕ is):
pikitchen
2) Avoid the kitchen (ϕ is, ϕts):¬pikitchen∧¬pikitchen
3) Always activate your camera (ϕts):
©picamera
Specification 2 is a deadlocked specification, referring to
a robot operating in the workspace depicted in Fig. 2. The
described method begins at the initial state described by
ϕ is (lines 1 and 2), and unrolls it to ψ0f romInit = pi
0
kitchen ∧
¬pi0kitchen ∧ ¬pi0kitchen ∧ pi1camera above. Note that ψ0f romInit is
already unsatisfiable, and the core is given by the subformula
pi0kitchen∧¬pi0kitchen, which in turn maps back to lines 1 and 2.
This is because the two statements combined require the robot
to both start in the kitchen and not start in the kitchen. Section
VIII contains another example demonstrating unsatisfiable
core-finding for deadlock.
B. Unsatisfiable Cores for Livelock
In the case of livelock, a similar unrolling procedure can
be applied to determine the core set of clauses that prevent a
goal from being fulfilled. A propositional formula is generated
by unrolling the robot safety from the initial state for a pre-
determined number of time steps, with an additional clause
ϕdgoal representing the unsatisfied liveness condition being
required to hold at the final time step for that depth. Consider
the livelocked Specification 3.
Specification 3 Core-finding example – unsatisfiable livelock
1) Start in the kitchen (ϕ is):
pikitchen
2) Avoid hall w (ϕ is, ϕts):¬pihall w∧¬pihall w
3) Always activate your camera (ϕts):
©picamera
4) Patrol r3 (ϕgs ):
 pir3
Unrolling the robot safety to depth d, with the added clause
ϕdgoal = pi
d
r3 for liveness at depth d, results in:
ψdf romInit ∧ϕdgoal = pi0kitchen∧
∧
0≤i≤d
¬pi ihall w
∧
∧
1≤i≤d+1
pi icamera∧
∧
0≤i≤d
ϕ itopo∧pidr3
where ϕ itopo represents the topology constraints on the robot
unrolled at time i. ψdf romInit is unsatisfiable for any d ≥ 0.
C. Unroll Depth
In the case of deadlock, the propositional formula ψdf romInit
can be built for increasingly larger depths until it is found
to be unsatisfiable for some d; by the definition of deadlock,
there will always exist such a d. This gives us a sound and
complete method for determining the depth to which the safety
formula must be unrolled in order to identify an unsatisfiable
core for deadlock. For livelock, on the other hand, determining
the shortest depth that will produce a meaningful core is
a much bigger challenge. Consider the above example. For
unroll depths less than or equal to 3, the unsatisfiable core
returned will include just the environment topology, since the
robot cannot reach r3 from the kitchen in 3 steps or fewer, even
if it is allowed into hall w; however, this is not a meaningful
core.
For d ≥ 3 the core is given by the subformula:
pi0kitchen∧
∧
0≤i≤d
¬pi ihall w∧pidr3∧
∧
0≤i≤d
ϕ itopo,
which maps back to specification sentences (1), (2) and (4)
in Specification 3. This is because the robot cannot reach r3
6without passing through hall w. Section VIII contains another
example demonstrating unsatisfiable core-finding for livelock.
The depth required to produce a meaningful core for unsat-
isfiability is bounded above by the number of distinct states
that the robot can be in, i.e. the number of possible truth
assignments to all the input and output propositions. However,
efficiently determining the shortest depth that will produce a
meaningful core remains a future research challenge, and for
the purpose of this work, a fixed depth of 15 time steps was
used for the examples presented, unless otherwise indicated.
Algorithm 1 summarizes the core-finding procedure de-
scribed in this section. The module SAT_SOLVER takes as
input a Boolean formula in CNF form and returns a minimal
unsatisfiable core (MUS). MAP_BACK maps the returned CNF
clauses to portions of the original specification; in LTLMoP,
this mapping returns sentences in structured English or natural
language.
Algorithm 1 Unsatisfiable Cores via SAT solving
1: function UNSAT_BMC(ϕ,max depth, reason)
2: MUS ← /0
3: if reason==deadlock then
4: for d := 1 to max depth do
5: MUS ← SAT_SOLVER(ψdf romInit )
6: if MUS 6= /0 then return MAP_BACK(MUS)
7: else
8: MUS ← SAT_SOLVER(ψmax depthf romInit ∧ϕmax depthgoal )
return MAP_BACK(MUS)
D. Interactive Exploration of Unrealizable Tasks
If the specification is unrealizable rather than unsatisfiable,
the above techniques do not apply directly to identify a
core. This is because if the specification is satisfiable but
unrealizable, there exist sequences of truth assignments to the
input variables that allow the system requirements to be met.
Therefore, in order to produce an unsatisfiable Boolean for-
mula, all sequences of truth assignments to the input variables
that satisfy the environment assumptions must be considered.
This requires one depth-d Boolean unrolling for each possible
length-d sequence of inputs, where each unrolling encodes a
distinct sequence of inputs in the unrolled Boolean formula. In
the worst case, the number of depth-d Boolean formulas that
must be generated before an unsatisfiable formula is found
grows exponentially in d.
However, unsatisfiable cores do enable a useful enhance-
ment to an interactive visualization of the environment coun-
terstrategy. Since succinctly summarizing the cause of an un-
realizable specification is often challenging even for humans,
one approach to communicating this cause in a user-friendly
manner is through an interactive game (shown in Fig. 3).
The tool illustrates environment behaviors that will cause the
robot to fail, by letting the user play as the robot against
an adversarial environment. At each discrete time step, the
user is presented with the current goal to pursue and the
current state of the environment. They are then able to respond
by changing the location of the robot and the status of its
actuators. Examples of this tool in action are given in [7, 8].
}Game history
kitchen
Explanation of invalid move
Current goal
Environment state
Fig. 3: Screenshot of interactive visualization tool for Spec-
ification 4. The user is prevented from following the target
into the kitchen in the next step (denoted by the blacked out
region) due to the portion of the specification displayed.
An initial version of this tool simply prevented the user
from making moves that were disallowed by the specification.
However, by using the above core-finding technique, a specific
explanation can be given about the part of the original speci-
fication that would be violated by the attempted invalid move.
This is achieved by finding the unsatisfiable core of a single-
step satisfiability problem constructed over the user’s current
state, the desired next state, and all of the robot’s specified
safety conditions.
Consider Specification 4, which first appeared in [14]. The
robot is instructed to follow a human partner (Line 1) through
the workspace depicted in 2. This means that the robot should
always eventually be in any room that the human visits.
Additionally, the robot has been banned from entering the
kitchen in Line 2. We discover that the robot cannot achieve its
goal of following the human if the human enters the kitchen.
This conflict is presented to the user as depicted in Fig. 3: the
environment sets its state to represent the target’s being in the
kitchen, and then, when the user attempts to enter the kitchen,
the tool explains that this move is in conflict with Line 2.
Specification 4 Example of unrealizability
1) Follow me.
2) Avoid the kitchen.
VI. UNREALIZABLE CORES VIA SAT
As described in Section V-D, the extension of the SAT-based
core-finding techniques described in Section V to unrealizable
specifications requires examining the exact environment input
sequences that cause the failure. Considering all possible
environment input sequences is not feasible; fortunately, the
environment counterstrategy sometimes provides us with ex-
actly those input sequences that cause unsynthesizability.
Consider a counterstrategy Aeϕ =
(Q,Q0,X ,Y,δe,δs,γX ,γY ,γgoals) for formula ϕ . It allows the
following characterizations of deadlock and livelock:
• Deadlock There exists a state in the counterstrategy such
that there is a truth assignments to inputs, for which no
7truth assignment to outputs satisfies the robot transition
relation. Formally,
∃q ∈ Q s.t. δs(q,δe(q)) = /0
• Livelock There exist a set of states C in the counterstrat-
egy such that the robot is trapped in C no matter what it
does, and there is some robot liveness Bk in ϕ
g
s that is
not satisfied by any state in C. Formally,
∃C ⊆ Q,Bk  ϕgs s.t. ∀q ∈ C,q 6|= Bk,δs(q,δe(q))⊆ C
Here “q 6|= Bk” indicates that the truth assignment given
by γX (q)∪ γY(q) does not satisfy the propositional for-
mula Bk. Note that there is always such a set of states in
the counterstrategy in the case of livelock.
A. Unrealizable Cores for Deadlock
Consider Specification 5 on the workspace in Fig. 1. The
robot starts in r5 with the camera on (1). The safety conditions
specify that the robot should not pass through the region
marked r5 if it senses a person (2). In addition, the robot
must stay in place if it senses a person (3). Finally, the robot
should always activate its camera (4). Here, the environment
can force the robot into deadlock by activating the “person”
sensor (piperson) when the robot is in r5, because there is then
no way the robot can fulfil both (2) and (3).
Specification 5 Core-finding example – deadlock
1) Robot starts in r5 with camera (ϕ is):
pir5∧picamera
2) If you are sensing person then do not r5 (ϕts):
(©piperson⇒¬©pir5)
3) If you are sensing person then stay there (ϕts):
(©piperson⇒ (©pistart ⇔ pistart ∧©pir2⇔ pir2...))
4) Always activate your camera (ϕts):
©picamera
The environment counterstrategy Aeϕ is as follows:
• Q = Q0 = {q1}
• X = {piperson}, Y = {pir5,picamera}
• δe(q1) = {piperson}, δs(q1,{piperson}) = /0, δs(q1, /0) = /0
• γX (q1) = {piperson}, γY(q1) = {pir5,picamera}
• γgoals(q1) = 1
The state q1 is deadlocked, because given the input piperson
in the next time step, there is a conflict between safety
conditions 2 and 3, and the robot has no valid move (so
δs(q1,{piperson}) = /0). Note that δs(q1, /0) = /0 indicates that
the environment strategy does not include any transition out
of q1 where the environment does not activate the “person”
sensor.
For q ∈ Q, the propositional-representation of q is defined
as:
ψstate(q) =
∧
x∈γX (q)
x∧
∧
x∈X\γX (q)
¬x∧
∧
y∈γY (q)
y∧
∧
y∈Y\γY (q)
¬y
In the example above, ψstate(q1) = piperson∧pir5∧picamera.
As before, let pi i represent the value of pi ∈ AP at time step
i, and APi = {pi i | pi ∈ AP}. For example, in Specification 5,
AP0 = {pi0person,pi0r5,pi0camera} and AP1 = {pi1person,pi1r5,pi1camera}.
Given LTL specification ϕ , q∈Q such that δs(q,δe(q)) = /0,
construct a propositional formula over AP0∪AP1 as follows:
ψdead(q,ϕ) = ψstate(q)[pi/pi0]∧
∧
z∈δe(q)
z1∧
∧
z∈X\δe(q)
¬z1
∧ϕ ts[©pi/pi1][pi/pi0],
Intuitively, this formula represents the satisfaction of the
robot safety condition in the next step from state q, with the
additional restriction that the input variables be bound to the
values provided by δe(q) in the next time step.
In the above case, ψdead(q1,ϕ) =
pi0person∧pi0r5∧pi0camera∧pi1person∧pi1camera∧ϕ0topo
∧(pi1person⇒¬pi1r5)∧ (pi1person⇒ (pi1r5⇔ pi0r5∧ ...)),
where ϕ itopo is a formula over APi ∪APi+1 representing the
topological constraints on the robot motion at time i (i.e. which
rooms it can move to at time i+1 given where it is at time i,
and mutual exclusion between rooms).
Note that if q is a deadlocked state, then by definition
ψdead(q,ϕ) is unsatisfiable, since there is no valid setting to
the robot propositions in the next time step starting from q. A
SAT solver can now be used to find a minimal unsatisfiable
subformula, as in Section V.
In the above example, the SAT solver finds the core of
ψdead(q,ϕ) as the subformula
pi0r5∧pi1person∧ (pi1person⇒¬pi1r5)∧ (pi1person⇒ (pi1r5⇔ pi0r5)).
This is because the two statements combined require the
robot to both stay in r5 and not be in r5 in time step 1.
This gives us a core explanation of the deadlock caused in
state q. Taking the union over the cores for all the deadlocked
states provides a concise explanation of how the environment
can force the robot into a (not necessarily unique) deadlock
situation. Section VIII contains another, more complex ex-
ample demonstrating unrealizable core-finding for deadlocked
specifications.
B. Unrealizable Cores for Livelock
Consider Specification 1 again. If the environment action
is to always set piperson, then the safety requirement in 2
enforces that the robot will never activate pir5, because it is
explicitly forbidden from doing so when sensing a person. This
is livelock because the robot can continue to move between
start and r2− r4. The environment counterstrategy Aeϕ is as
follows:
• Q = {q1,q2,q3,q4}, Q0 = {q1}
• X = {piperson},Y = {pistart ,pir2,pir3, ...,pir8,pigoal ,picamera}
• ∀q ∈ Q,δe(q) = {piperson}
•
δs(qi,{piperson}) =
 {q1,q2} if i = 1{qi−1,qi,qi+1} for 2≤ i≤ 3{q3,q4} if i = 4
Additionally, δs(q, /0) = /0 for all q.
• ∀q ∈ Q,γX (q) = {piperson}.
•
γY(qi) =
{ {picamera,pistart} if i = 1
{picamera,piri} for 2≤ i≤ 4
• ∀i,γgoals(qi) = 1 (since there is only one goal).
81) Countertraces: One of the main sources of complexity
in analyzing an environment counterstrategy is that it might
depend on the behavior of the system. However, sometimes
it is possible to extract a single trace of inputs such that
no output trace fulfil the specification. Following [21], we
call such a trace a countertrace. A countertrace does not
always exist, but it does simplify our analysis. Computing
countertraces is expensive [21], but it is possible to identify
whether a given counterstrategy is a countertrace by checking
that all paths from an initial state follow the same sequence of
environment inputs. For the analysis that follows, we assume
that the counterstrategy is a countertrace. We will later discuss
how to analyze counterstrategies that are not traces. Note that
counterstrategy Aeϕ for Specification 1 above is a countertrace.
In the case of livelock, we know there exists a set of states C
in the counterstrategy that trap the robot, locking it away from
the goal. Without loss of generality, C consists of (possibly
overlapping) cycles of states. In the specifications of the form
considered in this work, robot goals are of the form  Bi for
1≤ i≤ n, where each Bi is a propositional formula over AP=
X ∪Y . Suppose the algorithm in [8] identified goal  Bk
as the goal responsible for livelock. Let Qk be the set of all
states in Aeϕ that prevent goal Bk, and let Ck be the set of
maximal k-preventing cycles in Qk, i.e. cycles that are not
contained in any other cycle in Qk (modulo state-repetition).
Let C1 = (q10,q
1
1, ...,q
1
a) and C2 = (q
2
0,q
2
1, ...,q
2
b) be cycles, and
define C1 ≺ C2 if a < b and there is some offset index o in
C2 such that all of C1 is found in C2 starting at o, i.e. q1i =
q2(i+o) mod (b+1) for all 0 ≤ i ≤ a. This expresses that C1 is a
strict sub-cycle of C2. Formally,
Qk = {q ∈ Q|γgoals(q) = k}
Callk = {(q0,q1, ...,ql)|∀0≤ i≤ l,qi ∈ Qk,
∀i < l,qi+1 ∈ δs(qi,δe(qi)),qi 6= qi+1,
q0 ∈ δs(ql ,δe(ql)),q0 6= ql},
Ck = {C ∈Callk |∀C′ ∈Callk ,C 6≺C′}.
In Specification 1, there is only one goal,  pigoal . C1 =
(q1,q2,q3,q4,q3,q2) is a maximal 1-preventing cycle.
Given an initial state q, a depth d and an LTL safety
formula ϕ ts over pi ∈ AP, we construct a propositional formula
ψd(ϕ ts,q) over
⋃
0≤i≤d+1 APi as:
ψd(ϕ ts,q) = ψstate(q)[pi/pi
0]∧
∧
0≤i≤d
ϕ ts[©pi/pi i+1][pi/pi i].
This formula is called the depth-d unrolling of ϕ ts from
q, and represents the tree of length-d + 1 truth assignment
sequences that satisfy ϕ ts , starting from q. Note that a depth-
d unrolling governs d + 1 time steps, because each conjunct
in ϕ ts governs the current as well as next time steps. In the
example, ψd(ϕ ts,q1) =
pi0start ∧pi0camera∧
∧
0≤i≤d
(ϕ itopo∧pi i+1camera∧ (pi i+1person⇒¬pi i+1r5 )).
Given a cycle of states C = (q0,q1, ...,ql)∈ Aeϕ , and a depth
d, construct a propositional formula ψdX (C) over
⋃
0≤i≤dX i,
where xi ∈X i represents the value of each input x∈X in state
qi mod (l+1) for 0≤ i≤ d, as:
ψdX (C) =
∧
0≤i≤d
(
∧
p∈γX (qi mod (l+1))
xi∧
∧
p∈X\γX (qi mod (l+1))
¬xi).
This formula is called the depth-d environment-unrolling of
C, and represents the sequence of inputs seen when following
cycle C for d time-steps. In the example, the depth-d environ-
ment unrolling of C1 is ψdX (C) =
∧
0≤i≤d pi iperson.
Now, given an LTL safety specification ϕ ts over pi ∈ AP, a
goal Bk, a maximal k-preventing cycle Ck = (q0,q1, ...,ql) ∈
Ck, and an unrolling depth d, construct propositional formula
ψdlive(Bk,Ck,ϕ
t
s) over
⋃
0≤i≤d+1 APi as:
ψdlive(Bk,Ck,ϕ
t
s) =
ψd+1X (Ck)∧ψd(ϕ ts,q0)∧Bk[pi/pid ].
Intuitively, this formula expresses the requirement that the
goal Bk be fulfilled after some depth-d unrolling of the safety
formula starting from state q0, given the input sequence
provided by ψd+1X (Ck) (note that this input sequence extends
to the final time step in the safety formula unrolling). This
is an unsatisfiable propositional formula, and can be used to
determine the core set of clauses that prevent a goal from being
fulfilled. Taking the union of cores over all Ck ∈ Ck gives a
concise explanation of the ways in which the environment can
prevent the robot from fulfilling the goal. This step makes
use of the fact that the counterstrategy is a countertrace,
since otherwise the reason for unrealizability might involve
an interplay between two input sequences.
In the above example, ψdlive(pigoal ,C1,ϕ
t
s) =
pi0start ∧pi0camera∧
∧
0≤i≤d+1
pi iperson
∧
∧
0≤i≤d
(ϕ itopo∧pi i+1camera∧ (pi i+1person⇒¬pi i+1r5 ))
∧pidgoal .
In the case of livelock, the choice of unroll depth d
determines the quality of the core returned. Recall that for
deadlock, the propositional formula ψdead(q,ϕ) is built over
just one step, since it is already known to cause a conflict
with the robot transition relation, and be unsatisfiable. The
unsatisfiable core of this formula is a meaningful unrealizable
core in this case because it provides the immediate reason for
the deadlock. For livelock, on the other hand, determining the
shortest depth to which a cycle Ck must be unrolled to produce
a meaningful core is not obvious.
In the above example, for unroll depths less than or equal
to 8, the unsatisfiable core returned will include just the
environment topology, since the robot cannot reach the goal
from the start in 8 steps or fewer, even if it is allowed
into r5; however, this is not a meaningful core. Unrolling
to depth 9 or greater returns the expected subformula that
includes
∧
0≤i≤d(pi i+1person⇒¬pi i+1r5 ). Automatically determining
the shortest depth that will produce a meaningful core remains
a research challenge, but a good heuristic is to use the
maximum distance between two states in the environment
counterstrategy (i.e. the diameter of the graph representing the
9counterstrategy, or the sum of the diameters of its connected
components).
2) General Counterstrategies: It may be tempting to try
and use a similar approach to find unrealizable cores from
counterstrategies that are not countertraces. However, since
the input sequences can now depend on the system behavior,
it becomes necessary to encode all possible paths through
the counterstrategy. Even so, since the counterstrategy only
contains paths that are valid for the system specification,
we found that the returned core often contained these added
constraints on the system instead of the original specification.
Instead, we used the approach described in Section VII to
extract a minimal core in the case of livelock, when the
counterstrategy was not a countertrace.
Algorithm 2 Unrealizable Cores via SAT solving
1: function UNREAL_BMC(ϕ , reason)
2: MUS ← /0
3: Aeϕ = (Q,Q0, ...,)← COUNTERSTRATEGY(ϕ)
4: if reason==deadlock then
5: for q ∈ Q such that δs(q,δe(q)) = /0 do
6: MUS ← MUS ∪ SAT_SOLVER(ψdead(q,ϕ))
7: else
8: k← livelocked goal
9: if IS_COUNTERTRACE(Aeϕ , k) then
10: Callk ← FIND_PREVENTING_CYCLES(Aeϕ , k)
11: for Ck ∈ {C ∈Callk |∀C′ ∈Callk ,C 6≺C′} do
12: MUS←MUS ∪ SAT_SOLVER(ψdlive(Bk,Ck,ϕts))
13: else
14: ϕbadInits ← CHOOSE_ONE(Q0)
15: MUS ← UNREAL_ITERATE(ϕ,ϕbadInits ,k)
return MAP_BACK(MUS)
Algorithm 2 summarizes the core-finding procedure de-
scribed in this section. The module IS_COUNTERTRACE
checks that all paths form a single initial state in
the counterstrategy follow the same sequence of inputs.
FIND_PREVENTING_CYCLES finds cycles in Aeϕ that pre-
vent goal k. UNREAL_ITERATE is described in Section VII.
Note that, since unsatisfiability is a special case of unre-
alizability (in which not just some, but any environment can
prevent the robot from fulfilling its specification), the above
analysis also applies to unsatisfiable specifications. Moreover,
a countertrace can always be extracted for an unsatisfiable
specification, and so the approach in Section VI-B1 applies for
livelock. However, the analysis presented in Section V is more
efficient for unsatisfiability, as it does not require explicit-state
extraction of the environment counterstrategy.
VII. UNSYNTHESIZABLE CORES VIA ITERATED
SYNTHESIS
As discussed in Sections V and VI, the SAT-based approach
to identifying an unsynthesizable core for the case of livelock
presents the challenge of determining a depth to which the
LTL formula must be instantiated with propositions. This
minimal depth is often tied to the number of regions in the
robot workspace, and is usually easy to estimate. However,
no efficient, sound method is known for determining this
minimal unrolling depth. In addition, if the counterstrategy is
not a countertrace, the techniques in Section VI do not readily
apply to extracting an unrealizable core. In both these cases,
the SAT-based analysis described in Section VI may return a
core that does not capture the real cause of failure, causing
confusion when presented to the user. Fortunately, alternative,
more computationally expensive techniques can be used to
return a minimal core in these cases.
This section presents one such alternative approach to
determining the minimal subset of the robot safety conjuncts
that conflicts with a specified goal. The approach is based
on iterated realizability checks, removing conjuncts from the
safety formula and testing realizability of the remaining speci-
fication. While this approach is guaranteed to yield a minimal
unsynthesizable core, it requires repeated calls to a realizability
oracle, which may be expensive for specifications with a large
number of conjuncts.
Recall from Section II the syntactic form of the LTL
specifications considered in this work. In particular, the for-
mula ϕgs is a conjunction
∧ngs
j=1 B j, where each B j is a
Boolean formula over AP, and represents an event that should
occur infinitely often when the robot controller is executed.
Similarly, ϕ ts represents the robot safety constraints; it is a
conjunction
∧nts
i=1Ai where each Ai is a Boolean formula
over AP and ©AP.
In the case of livelock, the initial specification analysis
presented in [8] provides a specific liveness condition Bk
that causes the unsynthesizability (i.e. either unsatisfiability
or unrealizability), and can also identify one of the initial
states ϕbadInits from which the robot cannot fulfil Bk. However,
the specific conjuncts of the safety formula ϕ ts that prevent
this liveness are not identified. The key idea behind using
realizability tests to determine an unrealizable or unsatisfiable
core of safety formulas is as follows. If on removing a safety
conjunct from the robot formula, the specification remains
unsynthesizable, then there exists an unsynthesizable core that
does not include that conjunct (since the remaining conjuncts
are sufficient for unsynthesizability). Therefore, in order to
identify an unsynthesizable core, it is sufficient to iterate
through the conjuncts of ϕ ts , removing safety conditions one
at a time and checking for realizability.
Algorithm 3 presents the formal procedure for perform-
ing these iterated tests, given the index k of the live-
ness condition that causes the unsynthesizability. Denote by
ϕs[S,ϕbadInits ,k]⊆ ϕs the formula ϕbadInits ∧
∧
i∈SAi∧ Bk
for indices in a set S. Let Si denote set S at iteration i. Set
S1 is initialized to the indices of all safety conjuncts, i.e.
S1 = {1, ...,nts} in line 2. In each iteration of the loop in lines 3-
7, the next conjunct Ai is omitted from the robot transition rela-
tion, and realizability of ϕe⇒ ϕs[Si\{i},ϕbadInits ,k] is checked
(line 4). If removing conjunct i causes an otherwise unsynthe-
sizable specification to become synthesizable, it is retained for
the next iteration (line 5); otherwise it is permanently deleted
from the set of conjuncts Si (line 6-7). After iterating through
all the conjuncts in {1, ...,nts}, the final set Snts+1 determines a
minimal unsynthesizable core of ϕe⇒ϕs that prevents liveness
k. Note that the core is non-unique, and depends both on the
order of iteration on the safety conjuncts, and on the initial
10
state ϕbadInits returned by the synthesis algorithm.
Theorem VII.1 Algorithm 3 yields a minimal unsynthesizable
core of ϕe⇒ ϕs.
Proof: Each iteration i of the loop in Algorithm 3, lines 3-7,
maintains the invariant that ϕe ⇒ ϕs[Si,ϕbadInits ,k] is unsyn-
thesizable; thus, ϕe ⇒ ϕs[Snts+1,ϕbadInits ,k] is unsynthesizable
when the loop is exited.
Moreover, removing any of the safety conjuncts in Snts+1
yields a synthesizable specification. To see this, assume
for a contradiction that there exists j ∈ Snts+1 such that
ϕe ⇒ ϕs[Snts+1\{ j},ϕbadInits ,k] is unsynthesizable. Clearly,
Snts+1 ⊆ S j, so by definition of , ϕs[Snts+1\{ j},ϕbadInits ,k] 
ϕs[S j\{ j},ϕbadInits ,k]. Therefore, if ϕe⇒ϕs[S j\{ j},ϕbadInits ,k]
is synthesizable, then ϕe ⇒ ϕs[Snts+1\{ j},ϕbadInits ,k] must
be synthesizable, since any implementation that satisfies
ϕs[S j\{ j},ϕbadInits ,k] also satisfies ϕs[Snts+1\{ j},ϕbadInits ,k] .
Since j was not removed from S j on the jth iteration,
ϕe ⇒ ϕs[S j\{ j},ϕbadInits ,k] is synthesizable. It follows that
ϕe ⇒ ϕs[Snts+1\{ j},ϕbadInits ,k] must be synthesizable, a con-
tradiction.
Algorithm 3 Unsynthesizable Cores via Iterated Realizability
Testing
1: function UNREAL ITERATE(ϕ = ϕe,⇒ ϕs,ϕbadInits ,k)
2: S1 = {1,2, ...,nts}
3: for i := 1 to nts do
4: if (ϕe⇒ ϕs[Si\{i},ϕbadInits ,k]) is synthesizable then
5: Si+1← Si
6: else
7: Si+1← Si\{i}
return ϕs[Snts+1,ϕ
badInit
s ,k])
Note that Algorithm 3 yields an unsynthesizable core for
livelock, for both unsatisfiable and unrealizable specifications.
It is sound and complete, because it will always yield a
minimal set of safety conditions that prevent the relevant
liveness. As compared with the methods presented in Sections
V and VI, it circumvents the problem of determining the
depth to which to instantiate the LTL safety formula in a
propositional SAT instance. Moreover, if ϕs[S,ϕbadInits ,k] is
replaced with ϕbadInits ∧
∧
i∈SAi∧ TRUE (i.e. the robot
liveness condition is trivial), the algorithm also yields an
unsynthesizable core in the case of deadlock.
A. Computational Tradeoffs
There is a computational tradeoff involved in performing
a synthesizability (i.e. realizability) check once for every
conjunct in the safety formula, instead of once for the entire
specification. Algorithm 3 checks synthesizability once in each
iteration of the loop in lines 3-7. Using the efficient algorithm
in [20], each realizability check takes time O((mnΣ)3), where
Σ is the size of the state space, i.e. Σ = 2|X∪Y|, and m,n are
the number of environment and system liveness conditions,
respectively. Therefore the complexity of Algorithm 3 is
O((nts)(mnΣ)3). On the other hand, the complexity of the
approach described in Section VI requires only one call to the
Fig. 4: Map of robot workspace for specifications in Section
VIII
counterstrategy synthesis algorithm, but multiple calls to the
SAT solver. The SAT solver is invoked with Boolean formulas
in CNF form that are, in the worst case, exponential in the size
of the original LTL conjuncts, although the conjunctive form of
the original GR(1) specifications mitigates some of this blowup
in practice. Additionally, iterated realizability tests do not
require explicit extraction of the environment counterstrategy,
as in the case of the SAT-based tests presented in Section VI.
The relative appropriateness of the two methods (SAT-based
vs. iterated realizability testing) for the case of deadlock will
depend on the specific unsynthesizable formula.
For example, in Specification 4, the calls to SAT_SOLVER
made as part of the approach in Algorithm 2 took <1ms each
to complete on a 1.3 GHz Intel Core i5 processor with 8GB
of RAM. On the other hand, for the same specification with
line (2) replaced with Always do not r5 ((¬©pir5)), each
call took approximately 60s. This was exceptional, and most
of the calls to SAT_SOLVER for the examples in this paper
(including those in section VIII) took <1ms each. On the
other hand, each call to COUNTERSTRATEGY for the approach
in Algorithm 3 took approximately 5ms for the example in
Section VIII-B.
VIII. EXAMPLES
This section presents examples of the cores identified for
unsynthesizable specifications. The examples presented pre-
viously appeared in [7], and this section demonstrates the
improvement of the proposed approach over the analysis pre-
sented in that work. These examples were run using the open-
source LTLMoP toolbox [17], within which all the technical
outcomes presented in this paper have been implemented.
A. Deadlock
Consider the specification in Fig. 5, where the robot is
operating in the workspace depicted in Fig. 4. The robot starts
in the porch. The safety conditions govern what it should do
when it senses a “person” (stay with them and radio for help)
or a “hazardous item” (pick up the hazardous item and carry
it to the porch). The robot should not visit the porch unless it
is carrying a hazardous item. The robot’s goals are to patrol
all rooms in the workspace.
The environment can cause deadlock by setting the person
sensor to true and the hazardous item sensor to false when the
robot is in the porch. Note that sensing a hazardous item results
in the robot activating the “pick up” action, which in turn
results in the proposition “carrying item” being set. Similarly,
11
(a) Sentences highlighted using approach in [7] (b) Sentences highlighted using proposed approach
Fig. 5: Core-Finding Example: Deadlock
(a) Sentences highlighted using approach in [7] (b) Sentences highlighted using proposed approach
Fig. 6: Core-Finding Example: Livelock
sensing a person results in the robot turning on the radio.
Now the state in which both “radio” and “carrying item”
are true in the porch is a deadlocked state because of the
safety conditions, “If you are activating radio or you were
activating radio then stay there” and “If you did not activate
carrying item then always not porch”, since there is no way
to satisfy both from this state.
Fig. 5(a) depicts the sentences highlighted by the algorithm
in [7]. A subset of sentences in the specification is identified
by triangle-shaped markers in the left-hand margin, and the
color-coding is based on whether they correspond to initial,
safety or liveness conditions. The sentences highlighted in 5(a)
include all initial (red) and safety (blue) conditions, which
forms a very large subset of the original specification. On
the other hand, Fig. 5(b) depicts the much smaller subset
of guilty sentences returned by the analysis presented in
Algorithm 2 (these sentences are all highlighted in red). The
core sentences highlighted correspond to the safety conditions
that cause deadlock – in this example, removing any one of
these sentences results in a synthesizable specification.
B. Livelock
Consider the specification in Fig. 6, also in the same
workspace. The robot starts in the deck and its goal is to visit
the porch. However, based on whether it senses a person or
a fire, it has to keep out of the kitchen and the living room,
respectively. Fig. 6(a) depicts the sentences highlighted by the
algorithm in [7], which includes all safety conditions (red) in
addition to the goal (green). This includes irrelevant sentences,
12
such as the one that requires the robot to always turn on the
camera. Fig. 6(b) depicts the core returned by Algorithm 3 –
only those safeties that directly contribute to keeping the robot
out of the porch are returned.
IX. CONCLUSIONS
This paper provides techniques for analyzing high-level
robot specifications that are unsynthesizable, with the goal of
providing a minimal explanation for why the robot specifi-
cation is inconsistent, or how the environment can prevent
the robot from fulfilling the desired guarantees. The causes of
failure presented in this work take the form of unsynthesizable
subsets of the original specification, or cores. A suite of SAT-
based techniques is presented for identifying unsatisfiable and
unrealizable cores in the case of deadlock and most cases of
livelock; iterated realizability checking is used to identify cores
in cases where the SAT-based analysis fails. Examples show
that the additional analysis provides improvements in terms of
reducing the number of sentences in the original specification
highlighted, and ignoring irrelevant subformulas.
Future work includes automatically determining the depth
for obtaining a meaningful core in the case of livelock for
the SAT-based approaches, and exploring SAT-based tech-
niques that do not require explicit state extraction of the
counterstrategy automaton. Another direction for future study
is a systematic empirical comparison of SAT-based techniques
with approaches based on iterated realizability testing, to
evaluate scalability and relative computation time for practical
examples.
REFERENCES
[1] M. Kloetzer and C. Belta, “A fully automated frame-
work for control of linear systems from temporal logic
specifications,” IEEE Transactions on Automatic Control,
vol. 53, no. 1, pp. 287–297, 2008.
[2] S. Karaman and E. Frazzoli, “Sampling-Based motion
planning with deterministic µ-calculus specifications,” in
IEEE Conference on Decision and Control (CDC), 2009.
[3] A. Bhatia, L. E. Kavraki, and M. Y. Vardi, “Sampling-
Based motion planning with temporal goals,” in IEEE
International Conference on Robotics and Automation
(ICRA), 2010, pp. 2689–2696.
[4] L. Bobadilla, O. Sanchez, J. Czarnowski, K. Gossman,
and S. LaValle, “Controlling wild bodies using linear
temporal logic,” in Robotics: Science and Systems (RSS),
Los Angeles, CA, USA, June 2011.
[5] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas,
“Temporal-Logic-Based reactive mission and motion
planning,” IEEE Transactions on Robotics, vol. 25, no. 6,
pp. 1370–1381, 2009.
[6] T. Wongpiromsarn, U. Topcu, and R. M. Murray, “Re-
ceding horizon control for temporal logic specifications,”
in Hybrid Systems: Computation and Control (HSCC),
2010, pp. 101–110.
[7] V. Raman and H. Kress-Gazit, “Automated feedback
for unachievable High-Level robot behaviors,” in IEEE
International Conference on Robotics and Automation
(ICRA), 2012, pp. 5156–5162.
[8] V. Raman and H. Kress-Gazit, “Explaining impossi-
ble High-Level robot behaviors,” IEEE Transactions on
Robotics, vol. PP, no. 99, pp. 1 –11, 2012.
[9] G. E. Fainekos, “Revising temporal logic specifications
for motion planning,” in IEEE International Conference
on Robotics and Automation (ICRA), 2011, pp. 40–45.
[10] W. Li, L. Dworkin, and S. A. Seshia, “Mining as-
sumptions for synthesis,” in ACM-IEEE International
Conference on Formal Methods and Models for Codesign
(MEMOCODE), 2011, pp. 43–50.
[11] K. Kim, G. E. Fainekos, and S. Sankaranarayanan, “On
the revision problem of specification automata,” in IEEE
International Conference on Robotics and Automation
(ICRA), 2012, pp. 5171–5176.
[12] K. Kim and G. E. Fainekos, “Approximate solutions for
the minimal revision problem of specification automata,”
in IEEE/RSJ International Conference on Intelligent
Robots and Systems (IROS), 2012, pp. 265–271.
[13] V. Raman and H. Kress-Gazit, “Analyzing unsynthesiz-
able specifications for high-level robot behavior using
LTLMoP,” in Computer Aided Verification (CAV), 2011,
pp. 663–668.
[14] V. Raman, C. Lignos, C. Finucane, K. C. T. Lee, M. P.
Marcus, and H. Kress-Gazit, “Sorry Dave, i’m afraid i
can’t do that: Explaining unachievable robot tasks using
natural language,” in Robotics: Science and Systems,
2013.
[15] V. Raman and H. Kress-Gazit, “Towards minimal expla-
nations of unsynthesizability for high-level robot behav-
iors,” in IROS, 2013, pp. 757–762.
[16] A. Pnueli, “The temporal logic of programs,” in Founda-
tions of Computer Science (FOCS), 1977, pp. 46–57.
[17] C. Finucane, G. Jing, and H. Kress-Gazit, “LTLMoP:
Experimenting with language, temporal logic and robot
control,” in IEEE/RSJ International Conference on In-
telligent Robots and Systems (IROS), 2010, pp. 1988 –
1993.
[18] H. Kress-Gazit, G. E. Fainekos, and G. J. Pappas, “Trans-
lating structured english to robot controllers,” Advanced
Robotics, vol. 22, no. 12, pp. 1343–1359, 2008.
[19] E. M. Clarke, O. Grumberg, and D. A. Peled, Model
Checking. MIT Press, 1999.
[20] N. Piterman, A. Pnueli, and Y. Sa’ar, “Synthesis of
Reactive(1) Designs,” in Verification, Model Checking,
and Abstract Interpretation (VMCAI). Springer, 2006,
pp. 364–380.
[21] R. Ko¨nighofer, G. Hofferek, and R. Bloem, “Debugging
formal specifications using simple counterstrategies,” in
Formal Methods in Computer-Aided Design (FMCAD),
2009, pp. 152–159.
[22] V. Schuppan, “Towards a notion of unsatisfiable cores for
LTL,” in Fundamentals of Software Engineering (FSEN),
2009, pp. 129–145.
[23] I. Beer, S. Ben-David, H. Chockler, A. Orni, and R. J.
Trefler, “Explaining counterexamples using causality,”
Formal Methods in System Design, vol. 40, no. 1, pp.
13
20–40, 2012.
[24] E. Goldberg and Y. Novikov, “Verification of proofs
of unsatisfiability for CNF formulas,” in Design, Au-
tomation and Test in Europe Conference and Exhibition
(DATE), 2003, pp. 886–891.
[25] A. Cimatti, A. Griggio, and R. Sebastiani, “A simple
and flexible way of computing small unsatisfiable cores
in SAT modulo theories,” in International Conference
on Theory and Applications of Satisfiability Testing
(SAT). Berlin, Heidelberg: Springer-Verlag, 2007, pp.
334–339. [Online]. Available: http://dl.acm.org/citation.
cfm?id=1768142.1768174
[26] I. Shlyakhter, R. Seater, D. Jackson, M. Sridharan,
and M. Taghdiri, “Debugging overconstrained declarative
models using unsatisfiable cores,” in IEEE International
Conference on Automated Software Engineering (ASE),
2003, pp. 94–105.
[27] A. Cimatti, M. Roveri, V. Schuppan, and S. Tonetta,
“Boolean abstraction for temporal logic satisfiability,” in
Computer Aided Verification (CAV), 2007, pp. 532–546.
[28] A. Cimatti, M. Roveri, V. Schuppan, and A. Tchaltsev,
“Diagnostic information for realizability,” in Verification,
Model Checking, and Abstract Interpretation (VMCAI),
2008, pp. 52–67.
[29] R. Ko¨nighofer, G. Hofferek, and R. Bloem, “Debugging
unrealizable specifications with Model-Based diagnosis,”
in International Conference on Hardware and Software:
Verification and Testing (HVC). Berlin, Heidelberg:
Springer-Verlag, 2011, pp. 29–45. [Online]. Available:
http://dl.acm.org/citation.cfm?id=1987082.1987090
[30] K. Chatterjee, T. A. Henzinger, and B. Job-
stmann, “Environment assumptions for synthesis,”
in International Conference on Concurrency
Theory (CONCUR). Berlin, Heidelberg: Springer-
Verlag, 2008, pp. 147–161. [Online]. Available:
http://dx.doi.org/10.1007/978-3-540-85361-9 14
[31] A. Biere, “PicoSAT essentials,” Journal on Satisfiability
(JSAT), vol. 4, no. 2-4, pp. 75–97, 2008.
