
    Low-Effort Specification Debugging and Analysis

    Reactive synthesis deals with the automated construction of implementations of reactive systems from their specifications. To make the approach feasible in practice, systems engineers need effective and efficient means of debugging these specifications. In this paper, we provide techniques for report-based specification debugging, wherein salient properties of a specification are analyzed, and the result presented to the user in the form of a report. This provides a low-effort way to debug specifications, complementing high-effort techniques including the simulation of synthesized implementations. We demonstrate the usefulness of our report-based specification debugging toolkit by providing examples in the context of generalized reactivity(1) synthesis. Comment: In Proceedings SYNT 2014, arXiv:1407.493

    Path-Based Program Repair

    We propose a path-based approach to program repair for imperative programs. Our repair framework takes as input a faulty program, a logic specification that is refuted, and a hint as to where the fault may be located. An iterative abstraction refinement loop is then used to repair the program: in each iteration, the faulty program part is re-synthesized considering a symbolic counterexample, where the control-flow is kept concrete but the data-flow is symbolic. The appeal of the idea is two-fold: 1) the approach lazily considers candidate repairs and 2) the repairs are directly derived from the logic specification. In contrast to prior work, our approach is complete for programs with finitely many control-flow paths, i.e., the program is repaired if and only if it can be repaired at the specified fault location. Initial results for small programs indicate that the approach is useful for debugging programs in practice. Comment: In Proceedings FESCA 2015, arXiv:1503.0437

    How to Handle Assumptions in Synthesis

    The increased interest in reactive synthesis over the last decade has led to many improved solutions but also to many new questions. In this paper, we discuss the question of how to deal with assumptions on environment behavior. We present four goals that we think should be met and review several different possibilities that have been proposed. We argue that each of them falls short in at least one aspect. Comment: In Proceedings SYNT 2014, arXiv:1407.493

    Reactive Safety

    The distinction between safety and liveness properties is a fundamental classification with immediate implications on the feasibility and complexity of various monitoring, model checking, and synthesis problems. In this paper, we revisit the notion of safety for reactive systems, i.e., for systems whose behavior is characterized by the interplay of uncontrolled environment inputs and controlled system outputs. We show that reactive safety is a strictly larger class of properties than standard safety. We provide algorithms for checking if a property, given as a temporal formula or as a word or tree automaton, is a reactive safety property and for translating such properties into safety automata. Based on this construction, the standard verification and synthesis algorithms for safety properties immediately extend to the larger class of reactive safety. Comment: In Proceedings GandALF 2011, arXiv:1106.081

    Natural Colors of Infinite Words

    While finite automata have minimal DFAs as a simple and natural normal form, deterministic omega-automata do not currently have anything similar. One reason for this is that a normal form for omega-regular languages has to speak about more than acceptance - for example, to have a normal form for a parity language, it should relate every infinite word to some natural color for this language. This raises the question of whether or not a concept such as a natural color of an infinite word (for a given language) exists, and, if it does, how it relates back to automata. We define the natural color of a word purely based on an omega-regular language, and show how this natural color can be traced back from any deterministic parity automaton after two cheap and simple automaton transformations. The resulting streamlined automaton does not necessarily accept every word with its natural color, but it has a 'co-run', which is like a run, but can once move to a language equivalent state, whose color is the natural color, and no co-run with a higher color exists. The streamlined automaton defines, for every color c, a good-for-games co-Büchi automaton that recognizes the words whose natural colors w.r.t. the represented language are at least c. This provides a canonical representation for every ω-regular language, because good-for-games co-Büchi automata have a canonical minimal (and cheap to obtain) representation for every co-Büchi language.

    Sparse Positional Strategies for Safety Games

    We consider the problem of obtaining sparse positional strategies for safety games. Such games are a commonly used model in many formal methods, as they make the interaction of a system with its environment explicit. Often, a winning strategy for one of the players is used as a certificate or as an artefact for further processing in the application. Small such certificates, i.e., strategies that can be written down very compactly, are typically preferred. For safety games, we only need to consider positional strategies. These map game positions of a player onto a move that is to be taken by the player whenever the play enters that position. For representing positional strategies compactly, a common goal is to minimize the number of positions for which a winning player's move needs to be defined such that the game is still won by the same player, without visiting a position with an undefined next move. We call winning strategies in which the next move is defined for few of the player's positions sparse. Unfortunately, even roughly approximating the density of the sparsest strategy for a safety game has been shown to be NP-hard. Thus, to obtain sparse strategies in practice, one either has to apply some heuristics, or use some exhaustive search technique, like ILP (integer linear programming) solving. In this paper, we perform a comparative study of currently available methods to obtain sparse winning strategies for the safety player in safety games. We consider techniques from common knowledge, such as using ILP or SAT (satisfiability) solving, and a novel technique based on iterative linear programming. The results of this paper show whether current techniques are already scalable enough for practical use. Comment: In Proceedings SYNT 2012, arXiv:1207.055
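    As an added illustration of the notions in this abstract (this is not code from the paper), the following Python builds a small constructed safety game, computes the safety player's winning region as a greatest fixpoint, extracts an arbitrary positional strategy, and then sparsifies it with a simple hill-climbing heuristic: it redirects one system move at a time inside the winning region (which keeps the strategy winning) and keeps the change whenever fewer system positions are visited from the initial position, so fewer moves have to be defined. The game, its position names and the heuristic are assumptions made for illustration; the ILP, SAT and iterative-LP techniques the paper compares are not reproduced here.

```python
"""Safety game: winning region, positional strategy, and a sparse strategy.

Added example, not code from the paper.  The game below is constructed for
illustration; the hill-climbing sparsification is a simple heuristic, not the
paper's method.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set


@dataclass
class SafetyGame:
    edges: Dict[str, FrozenSet[str]]  # position -> successors (every position has one)
    system: FrozenSet[str]            # positions where the safety player moves; rest: environment
    unsafe: FrozenSet[str]            # positions the system must never visit
    init: str

    @property
    def positions(self) -> FrozenSet[str]:
        return frozenset(self.edges)


def winning_region(game: SafetyGame) -> Set[str]:
    """Greatest fixpoint: positions from which the system avoids `unsafe` forever.
    Drop system positions with no successor left inside the candidate set and
    environment positions with some successor outside it, until stable."""
    win = set(game.positions) - set(game.unsafe)
    changed = True
    while changed:
        changed = False
        for p in sorted(win):
            succ = game.edges[p]
            keep = any(q in win for q in succ) if p in game.system else all(q in win for q in succ)
            if not keep:
                win.discard(p)
                changed = True
    return win


def reachable(game: SafetyGame, strategy: Dict[str, str]) -> Optional[Set[str]]:
    """Positions visited from `init` when the system follows `strategy` and the
    environment moves arbitrarily; None if a system position without a defined
    move is reached (the strategy is then not usable as a certificate)."""
    seen, stack = {game.init}, [game.init]
    while stack:
        p = stack.pop()
        if p in game.system:
            if p not in strategy:
                return None
            nxt = {strategy[p]}
        else:
            nxt = game.edges[p]
        for q in nxt:
            if q not in seen:
                seen.add(q)
                stack.append(q)
    return seen


def is_winning(game: SafetyGame, strategy: Dict[str, str]) -> bool:
    r = reachable(game, strategy)
    return r is not None and r.isdisjoint(game.unsafe)


def defined_positions(game: SafetyGame, strategy: Dict[str, str]) -> Set[str]:
    """System positions on which the strategy actually has to be defined."""
    r = reachable(game, strategy)
    assert r is not None, "strategy leaves a reachable system position undefined"
    return r & game.system


def any_positional_strategy(game: SafetyGame, win: Set[str]) -> Dict[str, str]:
    """Dense baseline: for every winning system position, the first winning successor."""
    return {p: min(q for q in game.edges[p] if q in win) for p in sorted(win & game.system)}


def sparsify(game: SafetyGame, win: Set[str], strategy: Dict[str, str]) -> Dict[str, str]:
    """Hill climbing over single-move changes.  Every candidate stays inside `win`,
    so it remains winning; accept it if fewer system positions are visited.
    The result is restricted to the positions that are actually reached."""
    best = dict(strategy)
    best_size = len(defined_positions(game, best))
    improved = True
    while improved:
        improved = False
        for p in sorted(defined_positions(game, best)):
            for q in sorted(game.edges[p]):
                if q not in win or q == best[p]:
                    continue
                cand = dict(best)
                cand[p] = q
                size = len(defined_positions(game, cand))
                if size < best_size:
                    best, best_size, improved = cand, size, True
    return {p: best[p] for p in defined_positions(game, best)}


# Constructed game (assumption): system positions s*, environment positions e*,
# one sink "bad".  From s0 the system can loop safely via e1, or take the
# detour via e0 that forces it to define moves at s1, s2 and s3 as well.
EXAMPLE = SafetyGame(
    edges={
        "s0": frozenset({"e0", "e1"}), "e0": frozenset({"s0", "s1"}), "e1": frozenset({"s0"}),
        "s1": frozenset({"e2", "bad"}), "e2": frozenset({"s2", "s3"}), "s2": frozenset({"e1"}),
        "s3": frozenset({"e1", "bad"}), "bad": frozenset({"bad"}),
    },
    system=frozenset({"s0", "s1", "s2", "s3"}),
    unsafe=frozenset({"bad"}),
    init="s0",
)


def demo():
    win = winning_region(EXAMPLE)
    naive = any_positional_strategy(EXAMPLE, win)
    return win, naive, sparsify(EXAMPLE, win, naive)


if __name__ == "__main__":
    win, naive, sparse = demo()
    print("winning region:", sorted(win))
    print("dense strategy:", naive, "- defined on", len(defined_positions(EXAMPLE, naive)))
    print("sparse strategy:", sparse, "- defined on", len(sparse))
```

    The local search is only a heuristic, as the abstract's NP-hardness remark implies: it can stop at a local optimum, and each step re-runs reachability, so for large games one would move to the ILP or SAT encodings the paper compares.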

    Symmetric and efficient synthesis

    Since the formulation of the synthesis problem for reactive systems by Church in the 60s, research on synthesis has led to both theoretical insights and practical approaches for automatically constructing systems from their specifications. While the first solution of the problem was given by Büchi as early as 1969, only very recently has the focus shifted towards identifying ways to exploit the structure in reactive system specifications in order to lift the scalability of synthesis to industrial-sized designs. The recent progress in synthesis has not only led to a renewed interest in the subject, but also shed light on the downsides of current synthesis approaches. In the original formulation of the problem, the structure of the produced solutions was not a concern. Experiments with current synthesis approaches have, however, shown that the computed implementations are usually very hard to understand and have little of the structure that manually constructed implementations have. Furthermore, the scalability of current synthesis approaches is still deemed to be insufficient for many industrial application scenarios, which prevents the introduction of reactive synthesis technology into industrial design flows. In this thesis, we tackle both of these problems for reactive synthesis. To counter the insufficient structure in the solutions, we analyse the problem of symmetric synthesis. In this alternative synthesis problem, the aim is to compute a solution that consists of multiple copies of the same process such that the overall system satisfies the specification. Such systems have no centralised control units, and are considered to be more robust and easier to maintain. We characterise undecidable and decidable cases of the problem, and provide a synthesis algorithm for rotation-symmetric architectures, which capture many cases of practical relevance.
    To improve the scalability in synthesis, we start with a simple but scalable approach to reactive synthesis that has shown its principal applicability in the field, and extend its main idea both in terms of scope and usability. We enhance its expressivity in a way that allows us to synthesise robust systems, and remove its limitation to specifications of a very special form. Both improvements yield theoretical insights into the synthesis problem: we characterise which specification classes can be supported in synthesis approaches that use parity games with a fixed number of colours as the underlying computation model, and examine the properties of universal very-weak automata, on which we base a synthesis workflow that combines ease of specification with a low complexity of the underlying game solving step. As a side-result, we also obtain the first procedure to translate a formula in linear-time temporal logic (LTL) to a computation tree logic (CTL) formula with only universal path quantifiers, whenever possible. The new results on symmetric and efficient reactive synthesis are complemented by an easily accessible introductory chapter to the field of reactive synthesis that can also be read in isolation.
    German abstract (translated): Despite the advantages of synthesising reactive systems over constructing such systems by hand, synthesis has not yet been established as part of industrial process models. The main reason for this discrepancy is generally held to be that the quality of the synthesised systems is insufficient when existing methods are applied, and that the scalability of current synthesis procedures needs improvement. This dissertation addresses both of these problems of reactive synthesis on a broad front. To improve the quality of synthesised systems, the synthesis of structured systems is considered.
    Experiments with current synthesis procedures have shown that the generated implementations are often hard to understand and, unlike hand-written implementations, have hardly any structure. A remedy is to restrict attention to generating symmetric systems, which consist of several copies of the same process such that the overall system satisfies the specification. Such systems have no central coordination component and are generally regarded as more robust and easier to maintain. This dissertation identifies decidable and undecidable cases of the symmetric synthesis problem and describes a synthesis algorithm for rotation-symmetric systems. This class of systems covers many architectures of practical relevance. To address the problem of insufficient scalability, the main idea of the Generalised Reactivity(1) synthesis approach, which has already proven its practical applicability, is taken up and completed with respect to both expressivity and usability. The extended expressivity makes it possible to use the resulting approach for synthesising robust systems, while usability for industrial applications is achieved by lifting the restriction that the specification must have a very special form. Both extensions give insight into the theory of synthesis: on the one hand, the class of specifications that can be used in synthesis approaches based on solving parity games with a predefined number of colours is characterised. On the other hand, insight is given into the properties of universal very-weak automata. A by-product of the new synthesis procedures is the first procedure for translating a linear-time temporal logic (LTL) formula into computation tree logic with universal path quantifiers (ACTL) whenever this is possible.
    The results on symmetric and efficient reactive synthesis are accompanied by a didactically prepared introduction to the field of reactive synthesis, which can also be read independently of the remaining parts of the dissertation.