Abstract. We study the synthesis problem in an asynchronous distributed setting: a finite set of processes interact locally with an uncontrollable environment and communicate with each other by sending signals, actions that are immediately received by the target process. The synthesis problem is to come up with a local strategy for each process such that the resulting behaviours of the system meet a given specification. We consider external specifications over partial orders. External means that specifications only relate input and output actions from and to the environment, not the signals exchanged by processes. We also ask for some closure properties of the specification. We present this new setting for studying the distributed synthesis problem and give decidability results for the non-distributed case and for the subclass of networks where communication happens through a strongly connected graph. We believe that this framework for distributed synthesis yields decidability results for many more architectures.
Introduction
The synthesis problem consists in, given a high-level description of a system, automatically producing a program that behaves according to this specification. This can be parametrized by the specification language and the target model.
In this work, we address this problem for open, distributed, asynchronous systems, with specifications over partial orders. In open reactive systems, the process interacts with an uncontrollable environment and its behaviour depends on this interaction. The goal is then to synthesize strategies that control the actions of the system and not those of the environment (see for instance [1, 7, 8, 15]). The distributed case (that is, considering a set of processes that cooperate against an environment, each process having only a local view of the system) is more involved, and the main hardness result is due to [17]. They proved that, when all processes and the environment evolve synchronously, the general problem is undecidable for LTL specifications, and that LTL synthesis for pipelines is decidable (though non-elementary). Some other classes of architectures have been proved decidable: 2-way pipelines for CTL* specifications [9], doubly-flanked pipelines for local specifications [11], uniformly well-connected architectures for CTL* specifications [5]. Synthesis in an asynchronous communication framework was first studied in [16]. They considered single-process implementations and linear-time specifications. Later, [12] considered the problem in a distributed setting and exhibited a specific class of controllers for which distributed synthesis is decidable for trace-closed specifications. They strengthened this result in [13], where the restrictions on communication patterns of controllers have been reduced. Considering controllers with causal memories yields decidability results for another subclass of systems in [4]. To reason about distributed synthesis in a more abstract framework, both with synchronous and asynchronous semantics, [14] proposed the framework of distributed games, a specialized version of multiplayer games. Recently, the synthesis of asynchronous distributed systems in the general case of µ-calculus specifications was studied in [3].
Here we study a new model, different from the one of [12] in two ways. First, whereas there the processes evolve asynchronously only with respect to each other, in our model they also evolve asynchronously with respect to the environment. The second difference is in the communication mechanism: whereas in [12] the synchronization of processes is done by rendez-vous (handshaking), we use signals and define for each action an owner that can trigger it, the signal being immediately received by the other process regardless of whether it is willing to receive it or not. This communication mechanism is more convenient than communication through shared variables, and more realistic than rendez-vous. As in [5], we do not allow our specifications to constrain the internal behaviour of the system: communications between processes are only restricted by the communication architecture, not by the specification. This assumption is more natural from a practical point of view: when describing the way a system is expected to work, one is only concerned with its external behaviour, the way it interacts with the environment, and not with the internal communications processes may set up in order to achieve the specified global behaviour. In the framework of asynchronous distributed systems, executions are partial orders of actions. Our specifications will then be formulae whose models are partial orders of external actions. In addition, in order to rule out unnatural constraints between actions, the specifications considered in this paper will have some closure properties, ensuring that we neither prevent causalities between events (this would restrain the communication abilities of processes) nor impose causalities between others when it would make no sense. With this model, we prove decidability of the synthesis problem for the class of architectures whose communication graph is strongly connected. We believe that, under these hypotheses, the synthesis problem will be decidable for many more architectures.
The Model
An architecture defines how a set of processes may communicate with each other and with an (uncontrollable) external environment. An important parameter of the problem is the type of communication allowed between processes. We are interested in asynchronous distributed systems, hence it would be natural to use unbounded fifo channels. However, this leads to infinite state systems, making decidability results harder to obtain.
A finite model can be obtained by using shared variables: processes can write to variables that can be read by other processes. But in an asynchronous system, communication is difficult to achieve with shared variables. Assume that process i wants to transmit to process j a sequence m_1, m_2, ... of messages. First, i writes m_1 to some shared variable x. But since processes evolve asynchronously, i does not know when m_1 will be read by j. Hence, some acknowledgement is required from j to i before i may write m_2 to x. Depending on the architecture, this may not be possible. In any case, it makes the synthesis of distributed programs satisfying a given specification harder.
Hence, we will use point to point communication by signals in the vein of [10] . Sending a signal is an action but receiving a signal is not. Instead, all signals sent to some process j are automatically added to its local history, without requiring actions from j. The system is still asynchronous, meaning that processes evolve at different speeds. We are interested in synthesizing local programs, also called strategies. By local we mean that to decide which action it should execute next, a process j only knows its current local history, which automatically includes all signals sent to j in addition to the signals sent by j.
Formally, an architecture is a tuple A = (Proc, E, (In_i)_{i∈Proc}, (Out_i)_{i∈Proc}) where (Proc, E) is the directed communication graph whose nodes are processes, with an edge (i, j) ∈ E if process i may send signals to process j. For each process i ∈ Proc, the sets In_i and Out_i define the input and output signals that i may receive from or send to the environment. We assume that all these sets are pairwise disjoint. We let In = ∪_{i∈Proc} In_i and Out = ∪_{i∈Proc} Out_i be the sets of input and output signals of the whole system. Let also Γ = In ∪ Out.
In order to realize a specification, the processes may choose for each communication link (i, j) ∈ E a set Σ_{i,j} of signals that i could send to j. Again, we assume that these sets are pairwise disjoint and disjoint from Γ. The complete alphabet (of signals) is then Σ = Γ ∪ ∪_{(i,j)∈E} Σ_{i,j}. The actions in Γ are called external signals whereas the actions in Σ \ Γ are called internal signals. For each a ∈ Σ we let process(a) be the set of processes taking part in the execution of a: process(a) = {i} if a ∈ In_i ∪ Out_i and process(a) = {i, j} if a ∈ Σ_{i,j}.
It should be no surprise now that the concrete executions of our asynchronous distributed systems will be Mazurkiewicz traces. We consider the trace alphabet (Σ, D) where the dependence relation D ⊆ Σ × Σ is defined by: (a, b) ∈ D if process(a) ∩ process(b) ≠ ∅. We recall that a Mazurkiewicz trace t over (Σ, D) is (an equivalence class of) a finite or infinite Σ-labelled poset t = (V, ≤, λ) such that for all x, y ∈ V, ↓x = {y ∈ V | y ≤ x} is finite, (λ(x), λ(y)) ∈ D implies x ≤ y or y ≤ x, and x ⋖ y implies (λ(x), λ(y)) ∈ D, where x ⋖ y means that x < y and there is no z ∈ V such that x < z < y.
We denote by R(Σ, D) the set of traces over (Σ, D) and by M(Σ, D) the set of finite traces. For i ∈ Proc, we denote by Σ_i = {a ∈ Σ | i ∈ process(a)} the set of actions visible to process i and by Σ^c_i = Out_i ∪ ∪_{j | (i,j)∈E} Σ_{i,j} the set of actions controlled by process i. A local strategy for process i is a mapping f_i :
After a sequence of actions w ∈ Σ_i^* visible to i (but not necessarily all initiated by i), f_i(w) says which action in Σ^c_i process i is willing to play. Observe that another action in Σ_i \ Σ^c_i can be executed by another process before process i has had time to play according to its strategy. This modifies its local history, and thus may modify its choice: processes are therefore reactive to the signals sent to them by other processes and by the environment. A distributed strategy (or program) is a tuple F = (f_i)_{i∈Proc} of local strategies.
Let t = (V, ≤, λ) be a run of the system and let v ∈ V . By definition of the dependence relation, the sets of events
Let us fix a distributed strategy F. We say that a run t = (V, ≤, λ) is an F-run (or is compatible with strategy F) if all controllable events are played according to
Observe that, for a fixed distributed strategy F, even if the inputs from the environment follow the same pattern, there are multiple F-runs depending on the scheduling of internal signals.
The Specification
The specifications we consider only constrain external actions from Γ, i.e., actions that reflect communications with the environment. We want the processes to collaborate freely in order to achieve the specification, hence we do not constrain internal signals. Moreover, our specifications will be on partial orders, not on linearizations of executions. Indeed, specifying over interleavings makes it possible to distinguish between equivalent linearizations, which is not desirable for distributed systems.
For a concrete run t = (V, ≤, λ) we define the abstract (observable) run as the projection
Specifications will then be formulae in some logical formalism whose models are Γ-labelled partial orders. We say that a concrete run t satisfies a specification ϕ if its projection π_Γ(t) satisfies ϕ.
Distributed synthesis: Given an architecture (Proc, E, (In_i)_{i∈Proc}, (Out_i)_{i∈Proc}) and a specification ϕ over Γ-labelled posets in an appropriate logic, decide whether there exist internal signal sets (Σ_{i,j})_{(i,j)∈E} and a distributed strategy F such that every F-maximal concrete F-run satisfies the specification ϕ.
Acceptable Specifications. We explain now with some examples that not all specifications are acceptable in our framework. We start with an example showing that specifications must be closed under extensions of partial orders.
Consider a distributed system with Proc = {p, q, r} and E = {(p, q), (q, r)}. Note that p cannot directly send signals to r. A natural specification could be that q must output b and that if p receives input a from the environment then r must later output c. This corresponds to the partial order represented in Figure 1(a). In order to implement this specification, when process p receives a it must send a signal to q, and q should forward this signal to r so that r knows it should output c. But these internal signals induce some additional ordering between a and b or between b and c, as can be seen in Figure 1(b). None of the corresponding abstract runs in Figure 1(c) corresponds to the partial order of the specification, though they are all extensions of it. Hence, we need to extend this specification so that it can be implemented.
Formally, an (order) extension of a labelled partial order t = (V, ≤_t, λ) is any partial order s = (V, ≤_s, λ) with ≤_t ⊆ ≤_s. We will require our specifications to be closed under extensions.
Next, we show that the specification should also be closed under some weakenings of the partial order. This is due to the fact that inputs from the environment are uncontrollable events. Hence, it seems unrealistic to try to impose a direct causality between any action on some process and an input event from the environment on another process. For instance, consider an architecture with two processes, one receiving service requests from a client and the other granting the service: In_c = {request} and Out_s = {grant}.
A naive specification could be an alternation of request and grant as presented in Figure 2(a). A possible implementation is presented in Figure 2 where z′ is an input event from the environment and z, z′ are not on the same process, then the weakening s = (V, ≤_s, λ) with ≤_s = ≤_t \ {(z, z′)} should also satisfy the specification (≤_s is still an order relation since z′ is a successor of z). We will define the weakest partial order induced by t. Recall that actions in Γ are either inputs from the environment or outputs to the environment: Γ = In ∪ Out with In = ∪_{i∈Proc} In_i and Out = ∪_{i∈Proc} Out_i. Consider now a Γ-labelled partial order t = (V, ≤, λ) and define
The set W_t consists of all those pairs (z, z′) for which the ordering in t is fortuitous. This happens when z, z′ are on different processes and z′ is an uncontrollable input from the environment, except if we find an output event y between z and z′ which is on the same process as z′. Indeed, output y may have been triggered by z, so we do not remove orderings leading to output events.
We are now ready to define acceptable specifications.
Definition 1. A specification is acceptable if it is closed under extension and weakening. Formally, a specification ϕ is acceptable if for all t = (V,
weakening).
Observe that this definition of weakening removes all fortuitous orderings at once, but, since the specification is also closed under extension, all intermediary partial orders can also be obtained.
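As an added illustration, not code from the paper, the following Python checks the closure notions above on the two scenarios of the text: it builds the three concrete runs of Figure 1 (the relay signals m1 and m2 are assumed names), projects them to Γ and checks that each is an extension of the specification but none equals it, and it computes the fortuitous pairs W_t and the weakening of the request/grant alternation of Figure 2.

```python
from itertools import product
# Events: name -> (label, processes, kind) where kind is "in" (In_i), "out"
# (Out_i) or "int" (an internal signal, shared by the pair {i, j}).  Orders are
# sets of pairs (x, y) meaning x < y, made transitive by strict_closure.

def strict_closure(cover):
    """Transitive closure of covering pairs, giving the strict order <."""
    lt = set(cover)
    changed = True
    while changed:
        changed = False
        for (x, y), (y2, z) in product(list(lt), repeat=2):
            if y == y2 and (x, z) not in lt:
                lt.add((x, z))
                changed = True
    return lt

def dependent(events, a, b):
    """(a, b) ∈ D iff the two actions share a process."""
    return bool(events[a][1] & events[b][1])

def is_trace(events, lt):
    """Trace condition: dependent events are never left concurrent."""
    return all(a == b or (a, b) in lt or (b, a) in lt
               for a in events for b in events if dependent(events, a, b))

def project(events, lt):
    """π_Γ: keep the external events only, with the order they inherit."""
    ext = {e: v for e, v in events.items() if v[2] != "int"}
    return ext, {(x, y) for (x, y) in lt if x in ext and y in ext}

def is_extension(lt_s, lt_t):
    """s extends t when every ordering of t is kept in s (≤_t ⊆ ≤_s)."""
    return lt_t <= lt_s

def fortuitous(events, lt):
    """W_t: pairs z < z' on different processes with z' an input, unless an
    output y on the process of z' lies strictly between z and z'."""
    w = set()
    for z, z2 in lt:
        pz, pz2 = events[z][1], events[z2][1]
        if pz == pz2 or events[z2][2] != "in":
            continue
        if any(events[y][1] == pz2 and events[y][2] == "out"
               for y in events if (z, y) in lt and (y, z2) in lt):
            continue
        w.add((z, z2))
    return w

def weakening(events, lt):
    """The weakest order induced by t: ≤_t minus its fortuitous pairs."""
    return lt - fortuitous(events, lt)

def is_transitive(lt):
    return all((x, z) in lt for (x, y) in lt for (y2, z) in lt if y == y2)

# Figure 1: Proc = {p, q, r}, E = {(p, q), (q, r)}.  The specification orders
# input a (on p) before output c (on r) and leaves output b (on q) unordered.
SPEC_EVENTS = {"a": ("a", frozenset({"p"}), "in"),
               "b": ("b", frozenset({"q"}), "out"),
               "c": ("c", frozenset({"r"}), "out")}
SPEC_LT = strict_closure({("a", "c")})

def figure1_runs():
    """Three constructed concrete runs: p relays a to q by signal m1 and q
    relays it to r by m2.  b shares process q with both signals, so it must
    be ordered with them, which adds an ordering the specification lacks."""
    ev = dict(SPEC_EVENTS)
    ev["m1"] = ("m1", frozenset({"p", "q"}), "int")
    ev["m2"] = ("m2", frozenset({"q", "r"}), "int")
    relay = {("a", "m1"), ("m1", "m2"), ("m2", "c")}
    placements = [{("b", "m1")}, {("m1", "b"), ("b", "m2")}, {("m2", "b")}]
    return [(ev, strict_closure(relay | p)) for p in placements]

def figure2_run():
    """Figure 2: client c receives request, server s emits grant, alternating."""
    ev = {"req1": ("request", frozenset({"c"}), "in"),
          "grant1": ("grant", frozenset({"s"}), "out"),
          "req2": ("request", frozenset({"c"}), "in"),
          "grant2": ("grant", frozenset({"s"}), "out")}
    return ev, strict_closure({("req1", "grant1"), ("grant1", "req2"),
                               ("req2", "grant2")})
```

The only fortuitous pair of the Figure 2 run is (grant1, req2): the second request is an input on the client, so its ordering after the server's first grant is dropped by the weakening, while request-to-grant orderings survive.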
AlocTL. Among the different logics available to express specifications over partial orders, we focus on local temporal logics (locTL), since they allow easy and intuitive specifications for distributed systems and have a reasonable complexity. However, not all local temporal logic formulae are acceptable: the formula EM(a ∧ ¬F b), meaning that there is a minimal a-event with no b-event in its future, is not closed under extension (see e.g. [2] for a formal semantics of locTL). Similarly, the formula EM(a ∧ EX c), meaning that there is a minimal a-event immediately followed by a c-event, is not closed under extension. In fact, in order to stay in the class of specifications closed under extensions, we have to rule out any modality that requires some concurrency between two events. For closure under weakening, we restrict the use of the order relation between events on different processes so that the greater event is not an input.
We introduce a syntactic restriction of a process based local temporal logic for which all formulae will be acceptable. The syntax of AlocTL(Γ, Proc) (or simply AlocTL if Γ and Proc are clear from the context) is given by:
with a ∈ Γ and i, j ∈ Proc. The modalities X_i, Y_i, U_i and S_i are the usual next, yesterday, until and since, restricted to the totally ordered events of process i. We can also express release (the dual of until) in our logic:
When restricted to the events of some process i, our logic has the full expressive power of LTL or FO. We only restrict how one can switch from one process to another, so that closure under extensions and weakenings is obtained. To switch from process i to process j, we use F_{i,j} or H_{i,j}. The first allows one to specify a response property triggered on process i for which the output is delivered on process j, e.g., G(request → F_{i,j}(Out ∧ grant)). The second may be used to specify that outputs should have a cause, e.g., G(grant → (Out ∧ H_{j,i} request)). We do not include negations or modalities of the form X_{i,j}, since they lead outside the class of acceptable specifications.
We did not investigate the expressive power of our logic, but we believe it can express lots of interesting properties since it has the expressive power of FO when restricted to local events of each process, and allows response and cause properties between processes.
The semantics defines when t, x |= ϕ, where t = (V, ≤, λ) is a Γ-labelled partial order with V_i = λ^{-1}(Σ_i) totally ordered for each i ∈ Proc, and x ∈ V:
and t, y |= ϕ for some y ∈ V_i such that x < y and for all z ∈ V_i, z ≤ x or y ≤ z.
- t, x |= G_i ϕ if x ∈ V_i and t, y |= ϕ for all y ∈ V_i such that x ≤ y.
- t, x |= ϕ U_i ψ if x ∈ V_i and t, y |= ψ for some y ∈ V_i such that x ≤ y and, for all z ∈ V_i, x ≤ z < y implies t, z |= ϕ.
- t, x |= F_{i,j}(ϕ ∧ Out) if x ∈ V_i and t, y |= ϕ for some y ∈ V_j such that x ≤ y and λ(y) ∈ Out.
The other modalities are defined similarly. As in [2] , we have chosen to introduce initial formulae to address the problem of starting the evaluation of a formula. Those are defined by the syntax
where ϕ is a formula of AlocTL. The semantics is given by t |= EM_i ϕ if t, x |= ϕ, where x is the minimal vertex of V_i.
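To make the clauses concrete, here is an added evaluator (not from the paper) for the modalities defined above, run on the request/grant runs of Figure 2 with the two example formulas of the text; the tuple encoding of formulas, the function names and the reading of H_{i,j} as the past counterpart of F_{i,j} are my assumptions.

```python
# A model is (labels, lt): labels[x] = (letter, process, kind) with kind "in"
# or "out"; lt is the strict order < as a transitively closed set of pairs.
# Formulas are nested tuples, e.g. ("G", "c", ("imp", ("atom", "request"), ...)).

def events_on(labels, i):
    """V_i: the events of process i (assumed totally ordered by lt)."""
    return [x for x in labels if labels[x][1] == i]

def le(lt, x, y):
    return x == y or (x, y) in lt

def holds(model, x, phi):
    """t, x |= phi, following the semantic clauses given above."""
    labels, lt = model
    op = phi[0]
    if op == "atom":
        return labels[x][0] == phi[1]
    if op == "Out":
        return labels[x][2] == "out"
    if op == "and":
        return holds(model, x, phi[1]) and holds(model, x, phi[2])
    if op == "imp":
        return not holds(model, x, phi[1]) or holds(model, x, phi[2])
    if op in ("X", "G", "U"):              # local modalities of process i
        i = phi[1]
        if labels[x][1] != i:
            return False
        vi = events_on(labels, i)
        later = [y for y in vi if (x, y) in lt]
        if op == "X":                      # the immediate successor of x in V_i
            return any(holds(model, y, phi[2]) for y in later
                       if not any((x, z) in lt and (z, y) in lt for z in vi))
        if op == "G":
            return all(holds(model, y, phi[2]) for y in [x] + later)
        # U: some y >= x satisfies psi, and phi holds on every z with x <= z < y
        return any(holds(model, y, phi[3]) and
                   all(holds(model, z, phi[2]) for z in [x] + later if (z, y) in lt)
                   for y in [x] + later)
    if op == "F":                          # F_{i,j}(psi ∧ Out): a response on process j
        i, j, psi = phi[1:]
        return labels[x][1] == i and any(
            le(lt, x, y) and labels[y][2] == "out" and holds(model, y, psi)
            for y in events_on(labels, j))
    if op == "H":                          # H_{i,j} psi: an earlier cause on process j
        i, j, psi = phi[1:]                # (my reading of "defined similarly")
        return labels[x][1] == i and any(
            le(lt, y, x) and holds(model, y, psi) for y in events_on(labels, j))
    raise ValueError(op)

def initial(model, i, phi):
    """EM_i phi: phi holds at the minimal event of V_i (False when V_i is empty)."""
    labels, lt = model
    vi = events_on(labels, i)
    mins = [x for x in vi if not any((y, x) in lt for y in vi)]
    return bool(mins) and holds(model, mins[0], phi)

def chain(labels, order):
    """A totally ordered run over the listed events (constructed input)."""
    n = len(order)
    return labels, {(order[a], order[b]) for a in range(n) for b in range(a + 1, n)}

# Figure 2 scenario: client c receives request, server s emits grant.
LABELS = {"req1": ("request", "c", "in"), "grant1": ("grant", "s", "out"),
          "req2": ("request", "c", "in"), "grant2": ("grant", "s", "out")}
# G(request -> F_{c,s}(Out ∧ grant)): every request is eventually granted.
RESPONSE = ("G", "c", ("imp", ("atom", "request"), ("F", "c", "s", ("atom", "grant"))))
# G(grant -> (Out ∧ H_{s,c} request)): every grant has an earlier request.
CAUSE = ("G", "s", ("imp", ("atom", "grant"),
                    ("and", ("Out",), ("H", "s", "c", ("atom", "request")))))

def check_figure2():
    """Evaluate both properties on the alternating run and on two constructed
    bad runs (a request never granted; a grant before any request)."""
    good = chain(LABELS, ["req1", "grant1", "req2", "grant2"])
    ungranted = chain({k: v for k, v in LABELS.items() if k != "grant2"},
                      ["req1", "grant1", "req2"])
    uncaused = chain(LABELS, ["grant1", "req1", "req2", "grant2"])
    return (initial(good, "c", RESPONSE), initial(ungranted, "c", RESPONSE),
            initial(good, "s", CAUSE), initial(uncaused, "s", CAUSE))
```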
Proposition 1. The logic AlocTL is closed under extension and weakening.
Observe that AlocTL is a natural fragment of FO(<) which is closed under extensions and weakenings. In our setting, it provides a convenient way to specify desired properties. Our decidability results will be stated for AlocTL but they would still hold for more general logics defining regular properties which are closed under extensions and weakenings.
Decidability Results
In this section we solve the synthesis problem for the subclass of architectures having a strongly connected communication graph: every process can send signals to everyone (though maybe not directly). In the following, we will simply call them strongly connected architectures.
Singleton Architectures. A first step in solving the general problem is to handle the sequential case. This problem is slightly different from the asynchronous synthesis of [16] (where the communication was through shared variables) and [12] (where a single process does not evolve asynchronously with respect to its environment).
In the sequential case, there is no internal action, hence Σ = Γ = In ∪ Out, and all runs are total orders. The only specificity is that the system communicates asynchronously with the environment, i.e., there may be several signals from the environment before the process has a chance to play, and conversely. Since no weakening or extension is possible, we can use classical logics for specifications. We can deal both with linear-time specifications (LTL, FO, MSO) and with branching-time specifications (CTL*, µ-calculus), since all we need is regular specifications. With slight modifications of the proof technique used in [6], we obtain the following result.
Theorem 1. The synthesis problem over the singleton architecture is decidable for regular specifications.
Strongly Connected Architectures. Now, we show that the distributed synthesis problem is decidable for the whole subclass of strongly connected architectures. This is done by reduction to the synthesis problem over the singleton. On the one hand, it is easy to simulate a distributed strategy with a sequential one. Conversely, when given a program for the singleton that produces only runs satisfying the specification, we can distribute it over the strongly connected architecture. We use a master-slave algorithm: we centralize the information by making all processes forward their local histories to a master process that takes all the decisions about which action to output. This master process then sends back orders to the other processes, based on the information it has and on the given sequential strategy. Formally, we will prove the following main result.
Theorem 2. The distributed synthesis problem over strongly connected architectures is decidable for AlocTL specifications.
The rest of the section is devoted to the proof of this theorem. Let A = (Proc, E, (In_i)_{i∈Proc}, (Out_i)_{i∈Proc}) be an architecture with (Proc, E) strongly connected. Let S be an architecture with a single process p and external signals In_p = In = ∪_{i∈Proc} In_i and Out_p = Out = ∪_{i∈Proc} Out_i. We show that the distributed synthesis problem for ϕ ∈ AlocTL(Γ, Proc) over A can be reduced to the synthesis problem for an associated specification ϕ̂ ∈ AlocTL(Γ, {p}) over S. Then, we obtain Theorem 2 from Theorem 1. We have to change the specification since there is a single process in S and several processes in A. We do so in such a way that for every Γ-labelled total order t and all x ∈ t, we have t, x |= ϕ if and only if t, x |= ϕ̂. For instance,
The following two propositions state that the synthesis problem for ϕ over A reduces to the synthesis problem for ϕ̂ over S.
Proposition 2.
If there are internal signal sets and a distributed winning strategy for ϕ over A, then there is a winning strategy for ϕ̂ over S.
The proof of this proposition is omitted due to lack of space.
Proposition 3. If there is a winning strategy for ϕ̂ over S, then one can define internal signal sets and a distributed winning strategy for ϕ over A.
Proof (Sketch). We want to simulate a sequential run of S in the distributed system A. Due to uncontrollable inputs from the environment, we cannot avoid some concurrency, but we will restrict it as much as possible so that runs of A will be weakenings of sequential runs of S. To do so, we select a cycle in the communication graph and force the processes to communicate in a sequential way through this virtual ring. Note that there may be no simple cycle, and some technical details arise when a process appears several times in the ring. For simplicity, we present here the proof assuming there is a simple cycle in (Proc, E), and we rename the processes Proc = {1, ..., n} according to this cycle. Process 1 will be our master.
Let f be a winning strategy for ϕ̂ over S. To simulate f over S, the master Process 1 transforms its local history σ into a compatible sequential history ψ(σ) of S (the definition of ψ will be given later).
If f is undefined on ψ(σ), then we let f_1(σ) = (Msg_1, ε), meaning that Process 1 wants to initiate a round collecting the inputs received by the other processes. When receiving this signal, Process 2 sends a pair (Msg_2, τ) where τ ∈ In* is the sequence of inputs received by Process 1 since the last time it has sent a signal to Process 2. The round continues similarly for the other processes. Formally,
Here τ is the sequence of inputs collected by the previous processes, τ_1 consists of the inputs received before the signal Msg_{i−1}, and τ_2 of those received after Msg_{i−1} and before Msg_i could be sent. This explains the reordering τ · τ_1 · τ_2.
Assume now that f is defined on ψ(σ), and let i be such that a = f(ψ(σ)) ∈ Out_i. If i = 1 then we simply let f_1(σ) = f(ψ(σ)). If i > 1 then we let f_1(σ) = (Ord_1, a) to transmit to Process i the order to output a. The order is forwarded by each intermediary Process j with 1 < j < i only if j has received no inputs since the last time it sent a signal to j + 1. Then output a is performed by i and an acknowledgement is sent to Process 1. This acknowledgement also collects the inputs received by the remaining processes. Formally, for 1
Now, if an intermediary process has received some inputs from the environment before it could forward the order to Process i, then the basis on which Process 1 took its decision is no longer valid. Hence, we have to abort the order and signal this fact with a Nack. We also need to abort if i received the order but has also received inputs from the environment before it could execute the order. As above, Nack also collects the inputs received by the remaining processes. Formally,
The sets of internal signals are implicitly defined by the strategies above: Σ_{1,2} = ({Ord_1} × Out) ∪ {(Msg_1, ε)} and, for 1 < i ≤ n and j = 1 + (i mod n),
Because of In*, the sets Σ_{i,j} are infinite. We explain in Remark 1 how to reduce to finite sets of signals and to strategies with finite memory.
To conclude the construction, we define the map ψ :
Note that, after sending Msg_1 or Ord_1, ψ is undefined until the corresponding Msg_n, Ack_n or Nack_n has been received by Process 1. When ψ is undefined, f_1 is also undefined, so that Process 1 waits for the end of the round. Note also that the inputs in τ′ may have been received before those in τ. Let t = (V, ≤_t, λ) be an F-maximal F-run. We can easily check that all output events in λ^{-1}(Out) are totally ordered. We can also show that the history t′ computed by ψ is an f-maximal f-run which is a linear extension of π_Γ(t).
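The round structure described above (Msg collection, Ord forwarding, Nack on stale inputs, Ack collecting the rest), as an added simulation that is not the paper's code: a scripted environment delivers inputs to processes mid-round and the master's sequential history is inspected after each round. The class and function names, the 3-process scenario and the choice to append the master's own inputs to ψ(σ) on arrival are my assumptions.

```python
class Ring:
    """Processes 1..n on the cycle 1 -> 2 -> ... -> n -> 1; process 1 is master.
    The environment is scripted (constructed input): script[(round, i)] lists
    the inputs that reach process i during that round."""

    def __init__(self, n, f, owner, script):
        self.n, self.f, self.owner = n, f, owner   # owner: output -> process
        self.script = dict(script)
        self.round = 0
        self.history = []     # ψ(σ): the sequential history of S kept by the master
        self.pending = {i: [] for i in range(1, n + 1)}   # inputs not yet reported
        self.signals = []     # (sender, kind, payload): the internal signals sent

    def _deliver(self, i):
        """Uncontrollable inputs from the environment reach process i."""
        for a in self.script.pop((self.round, i), []):
            if i == 1:
                self.history.append(a)   # assumption: master records its inputs at once
            else:
                self.pending[i].append(a)

    def _collect(self, start, kind):
        """Processes start..n each relay `kind` to their successor, appending the
        inputs received since their last signal (the τ·τ1·τ2 reordering)."""
        tau = []
        for i in range(start, self.n + 1):
            self._deliver(i)
            tau += self.pending[i]
            self.pending[i] = []
            self.signals.append((i, kind, tuple(tau)))
        self.history += tau   # Msg_n / Ack_n / Nack_n closes the round at the master
        return tau

    def step(self):
        """One round driven by the master; returns the kind of signal that closed it."""
        self.round += 1
        self._deliver(1)
        a = self.f(self.history)
        if a is None:                      # f undefined: (Msg_1, ε) starts a collection
            self.signals.append((1, "Msg", ()))
            self._collect(2, "Msg")
            return "Msg"
        i = self.owner[a]
        if i == 1:                         # the master outputs a itself
            self.history.append(a)
            return "Out"
        self.signals.append((1, "Ord", a))
        for j in range(2, i + 1):          # Ord_1 ... Ord_{i-1} travel along the ring
            self._deliver(j)
            if self.pending[j]:            # j got inputs meanwhile: abort with Nack_j
                self._collect(j, "Nack")
                return "Nack"
            if j < i:
                self.signals.append((j, "Ord", a))
        self.history.append(a)             # process i outputs a ...
        self.signals.append((i, "Out", a))
        self._collect(i, "Ack")            # ... and Ack_i gathers inputs of i+1..n
        return "Ack"


def demo():
    """Constructed scenario: In_2 = {req}, In_3 = {ping}, Out_3 = {grant}; the
    singleton strategy f answers each outstanding req with a grant."""
    def f(history):
        return "grant" if history.count("req") > history.count("grant") else None

    script = {(1, 2): ["req"],     # req reaches process 2 during the first Msg round
              (2, 3): ["ping"]}    # ping reaches process 3 just before it would grant
    ring = Ring(3, f, {"grant": 3}, script)
    closers = [ring.step() for _ in range(4)]
    return ring, closers
```

In the demo the first Ord round is aborted by Nack_3 because ping arrived at process 3 before it could output; the master re-decides on the refreshed history and the second Ord round succeeds, so ping precedes grant in ψ(σ).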
To conclude the proof, it remains to show that π_Γ(t) is an extension of the weakening of t′: ≤_{t′} \ W_{t′} ⊆ ≤_t ⊆ ≤_{t′}. For this, we will use the following claim, whose proof is omitted for lack of space.
Claim. For all x, y ∈ λ^{-1}(Γ) that are incomparable in t, if x <_{t′} y then λ(y) ∈ In.
So let z, z′ ∈ λ^{-1}(Γ) with z <_{t′} z′ and z, z′ incomparable in t. We have to show that (z, z′) ∈ W_{t′}. By the above claim, we get λ(z′) ∈ In. Let i ∈ Proc be such that λ(z′) ∈ In_i. Since z and z′ are incomparable in t, we deduce λ(z) ∉ Σ_i. Now, let y ∈ λ^{-1}(Γ) be such that z <_{t′} y <_{t′} z′. Clearly, z and z′ being incomparable in t implies that z and y are incomparable in t, and we deduce λ(y) ∈ In by the claim stated above. Therefore, (z, z′) ∈ W_{t′}. Finally, t′ |= ϕ since the strategy f is winning. We deduce that π_Γ(t) |= ϕ since our specification logic is closed under weakenings and extensions. □
Remark 1. As they are defined, the sets (Σ_{i,j})_{(i,j)∈E} are infinite, and the strategies for the distributed architecture need unbounded memory. However, it is possible to modify them so as to use only finite signal sets and strategies with finite memory. Recall that the strategy of our master process is essentially based on the strategy f of the singleton. As usual in the sequential case, when there is a winning strategy, there is also a winning strategy using finite memory, which can be described by a deterministic finite automaton M = (Q, Γ, δ, q_0, f) with f : Q → Out. Consequently, each slave process may compute the transition function δ_τ ∈ Q^Q associated with the sequence τ of inputs it has received and transmit δ_τ instead of τ. Therefore, we get finite sets of internal signals Σ_{i,1+(i mod n)} = ({Msg_i, Ack_i, Nack_i} × Q^Q) ∪ ({Ord_i} × Out), and the memory needed by each process 1 < i ≤ n is Q^Q. It is then easy to adapt the proof of Proposition 3.
Conclusion
In this paper, we have defined a new setting for the synthesis problem for distributed asynchronous systems, and proved that it is decidable for an interesting subclass of architectures. We believe that using signals in asynchronous systems, and restricting to acceptable specifications will help to overcome a lot of the common difficulties that usually lead to undecidability results.
Future work includes the generalization of our decidability result to larger classes of architectures. Other interesting problems would be to study the expressivity of AlocTL or to define other logics for acceptable specifications.
