
    Lossy Channel Games under Incomplete Information

    In this paper we investigate lossy channel games under incomplete information, where two players operate on a finite set of unbounded FIFO channels and one player, representing a system component under consideration, operates under incomplete information, while the other player, representing the component's environment, is allowed to lose messages from the channels. We argue that these games are a suitable model for the synthesis of communication protocols where processes communicate over unreliable channels. We show that in the case of finite message alphabets, games with safety and reachability winning conditions are decidable, and finite-state observation-based strategies for the component can be effectively computed. Undecidability for (weak) parity objectives follows from the undecidability of (weak) parity perfect-information games where only one player can lose messages.
    Comment: In Proceedings SR 2013, arXiv:1303.007

    Abstractions and sensor design in partial-information, reactive controller synthesis

    Automated synthesis of reactive control protocols from temporal logic specifications has recently attracted considerable attention in various applications, for example robotic motion planning, network management, and hardware design. An implicit and often unrealistic assumption in this past work is the availability of complete and precise sensing information during the execution of the controllers. In this paper, we use an abstraction procedure for systems with partial observation and propose a formalism to investigate the effects of limitations in sensing. The abstraction procedure enables the existing synthesis methods with partial observation to be applicable and efficient for systems with an infinite (or finite but large) number of states. This formalism enables us to systematically discover the sensing modalities necessary in order to render the underlying synthesis problems feasible. We use counterexamples, which witness unrealizability potentially due to the limitations in sensing and the coarseness of the abstract system, and interpolation-based techniques to refine the model and the sensing modalities, i.e., to identify new sensors to be included, in such synthesis problems. We demonstrate the method on examples from robotic motion planning.
    Comment: 9 pages, 4 figures, Accepted at American Control Conference 201

    Solving Infinite-State Games via Acceleration

    Two-player graph games have found numerous applications, most notably in the synthesis of reactive systems from temporal specifications, but also in verification. The relevance of infinite-state systems in these areas has led to significant attention towards developing techniques for solving infinite-state games. We propose novel symbolic semi-algorithms for solving infinite-state games with ω-regular winning conditions. The novelty of our approach lies in the introduction of an acceleration technique that enhances fixpoint-based game-solving methods and helps to avoid divergence. Classical fixpoint-based algorithms, when applied to infinite-state games, are bound to diverge in many cases, since they iteratively compute the set of states from which one player has a winning strategy. Our proposed approach can lead to convergence in cases where existing algorithms require an infinite number of iterations. This is achieved by acceleration: computing an infinite set of states from which a simpler sub-strategy can be iterated an unbounded number of times in order to win the game. Ours is the first method for solving infinite-state games to employ acceleration. Thanks to this, it is able to outperform state-of-the-art techniques on a range of benchmarks, as evidenced by our evaluation of a prototype implementation.

    Reactive Synthesis Beyond Realizability (Invited Tutorial)

    The automatic synthesis of reactive systems from high-level specifications is a highly attractive and increasingly viable alternative to manual system design, with applications in a number of domains such as robotic motion planning, control of autonomous systems, and development of communication protocols. The idea of asking the system designer to describe what the system should do instead of how exactly it does it holds great promise. However, providing the right formal specification of the desired behavior of a system is a challenging task in itself. In practice it often happens that the system designer provides a specification that is unrealizable, that is, there is no implementation that satisfies it. Such situations typically arise because the desired behavior represents a trade-off between multiple conflicting requirements, or because crucial assumptions about the environment in which the system will execute are missing. Addressing such scenarios necessitates a shift towards synthesis algorithms that utilize quantitative measures of system correctness. In this tutorial, I will discuss two recent advances in this research direction. First, I will talk about the maximum realizability problem, where the input to the synthesis algorithm consists of a hard specification that must be satisfied by the synthesized system, and soft specifications which describe other desired, possibly prioritized properties, whose violation is acceptable. I will present a synthesis algorithm that maximizes a quantitative value associated with the soft specifications while guaranteeing the satisfaction of the hard specification. In the second half of the tutorial, I will present algorithms for synthesis in bounded environments, where a bound is associated with the sequences of input values produced by the environment. More concretely, these sequences consist of an initial prefix followed by a finite sequence repeated infinitely often, and satisfy the constraint that the sum of the lengths of the initial prefix and the loop does not exceed a given bound. I will also discuss the synthesis of approximate implementations from unrealizable specifications, which are guaranteed to satisfy the specification on at least a specified portion of the bounded-size input sequences. I will conclude by outlining some of the open avenues and challenges in quantitative synthesis from temporal logic specifications.

    Synthesis and control of infinite-state systems with partial observability

    Complex computer systems play an important role in every part of everyday life, and their correctness is often vital to human safety. In light of the recent advances in the area of formal methods and the increasing availability and maturity of tools and techniques, the use of verification techniques to show that a system satisfies a specified property is about to become an integral part of the development process. To minimize development costs, formal methods must be applied as early as possible, before the entire system is fully developed, or even at the stage when only its specification is available. The goal of synthesis is to automatically construct an implementation guaranteed to fulfill the provided specification, and, if no implementation exists, to report that the given requirements cannot be realized. When synthesizing an individual component within a system and its external environment, the synthesis procedure must take into account the component’s interface and deliver implementations that comply with it. For example, what a component can observe about its environment may be restricted by imprecise sensors or inaccessible communication channels. In addition, sufficiently precise models of a component’s environment are typically infinite-state, for example due to modeling real time or unbounded communication buffers. This thesis presents novel synthesis methods that respect the given interface limitations of the synthesized system components and are applicable to infinite-state models. The studied computational model is that of infinite-state two-player games under incomplete information. The contributions are structured into three parts, corresponding to a classification of such games according to the interface between the synthesized component and its environment. In the first part, we obtain decidability results for a class of game structures where the player corresponding to the synthesized component has a given finite set of possible observations and a finite set of possible actions. A prominent type of systems for which the interface of a component naturally defines a finite set of observations are Lossy Channel Systems. We provide symbolic game solving and strategy synthesis algorithms for lossy channel games under incomplete information with safety and reachability winning conditions. Our second contribution is a counterexample-guided abstraction refinement scheme for solving infinite-state games under incomplete information in which the actions available to the component are still finitely many, but no finite set of possible observations is given. This situation is common, for example, in the synthesis of mutex protocols or robot controllers. In this setting, the observations correspond to observation predicates, which are logical formulas, and their computation is an integral part of our synthesis procedure. The resulting game solving method is applicable to games that are out of the scope of other available techniques. Last, we study systems in which, in addition to the possibly infinite set of observation predicates, the component can choose between infinitely many possible actions. Timed games under incomplete information are a fundamental class of games for which this is the case. We extend the abstraction-refinement procedure to develop the first systematic method for the synthesis of observation predicates for timed control. Automatically refining the set of candidate observations based on counterexamples demonstrates better potential than brute-force enumeration of observation sets, in particular for systems where fine granularity of the observations is necessary.

    Complex computer systems play an important role in every part of everyday life, and their correctness is often decisive for human safety. In light of the latest advances in the field of formal methods and the increasing availability and maturity of tools and techniques, the use of techniques for checking that a system satisfies a given property is becoming an integral part of the development process. To minimize development costs, formal methods should be applied as early as possible, before the system is fully developed, or even at the stage when only its specification is available. The goal of synthesis is to automatically construct an implementation that is guaranteed to satisfy the given specification. If no such implementation exists, the unrealizability of the specification is to be reported. When synthesizing an individual component within a system and its external environment, the synthesized implementations must respect the component's interface. For example, a component may be able to observe its environment only through a few imprecise sensors. Moreover, precise models of a component's environment usually have an infinite state space, e.g., due to the modeling of real time or unbounded communication buffers. This dissertation presents novel synthesis methods for models with infinite state spaces that respect the restrictions imposed by the interface of the synthesized system components. The underlying computational model is that of two-player games with an infinite state space. The contribution of the dissertation is structured into three parts. The first part of the dissertation provides decidability results for a class of games in which the player representing the system component has a finite set of observations and actions. A prominent representative of this class are Lossy Channel Systems. Symbolic algorithms for strategy synthesis for lossy channel games under incomplete information with safety and reachability winning objectives are presented. The second contribution consists of a counterexample-guided abstraction-refinement scheme for solving infinite-state games under incomplete information in which the component has finitely many actions but no finite set of possible observations is given. This situation is widespread, e.g., in the synthesis of mutex protocols or robot controllers. In this context, the observations correspond to observation predicates represented by logical formulas, and their computation is an integral part of the synthesis procedure. The resulting method can be used to solve games that cannot be solved with any available technique. Finally, systems are studied in which the component has infinitely many observation predicates and can choose between infinitely many actions. Timed games under incomplete information are a fundamental class of games for which this is the case. We extend the abstraction-refinement scheme to develop the first systematic method for the synthesis of observation predicates for timed controllers. It is demonstrated that refining the observations based on counterexamples shows greater potential than a brute-force enumeration of the observations, in particular for systems in which a fine granularity of the observations is necessary.

    Taming Large Bounds in Synthesis from Bounded-Liveness Specifications

    Automatic synthesis from temporal logic specifications is an attractive alternative to manual system design, due to its ability to generate correct-by-construction implementations from high-level specifications. Due to the high complexity of the synthesis problem, significant research efforts have been directed at developing practically efficient approaches for restricted specification language fragments. In this paper, we focus on the Safety LTL fragment of Linear Temporal Logic (LTL) syntactically extended with bounded temporal operators. We propose a new synthesis approach whose primary motivation is to efficiently solve the synthesis problem for specifications with bounded temporal operators, in particular those with large bounds. The experimental evaluation of our method shows that for this type of specification it outperforms state-of-the-art synthesis tools, demonstrating that it is a promising approach to efficiently treating quantitative timing constraints in safety specifications.

    Compositional High-Quality Synthesis

    Over the last years, there has been growing interest in synthesizing reactive systems from quantitative specifications, with the goal of constructing correct and high-quality systems. Considering quantitative requirements in systems consisting of multiple components is challenging not only because of scalability limitations but also due to the intricate interplay between the different possibilities of satisfying a specification and the required cooperation between components. Compositional synthesis holds the promise of addressing these challenges. We study the compositional synthesis of reactive systems consisting of multiple components, from requirements specified in a fragment of the logic LTL[F], which extends LTL with quality operators. We consider specifications that are combinations of local and shared quantitative requirements. We present a sound decomposition rule that allows for synthesizing one component at a time. The decomposition requires assume-guarantee contracts between the components, and we provide a method for iteratively refining the assumptions and guarantees. We evaluate our approach with a prototype implementation, demonstrating its advantages over monolithic synthesis and its ability to generate decompositions.

    Birth Size of Neonates and Its Association with Seasonality

    The aim of the study is to evaluate the relationship between the season of birth and the birth weight and length of Bulgarian newborns. The weight and length data of 6517 (6098 full-term and 419 preterm) live births in 2000–2001 were collected from the birth registry of II Hospital of Obstetrics and Gynaecology “Sheynovo”, Sofia, Bulgaria. Statistical analyses were done using the SPSS 16 software for Windows: descriptive statistics; the t-test (p<0.05); One-Way ANOVA (Tukey HSD test, p<0.05); and Pearson’s correlation. The sunshine duration data for 2000 and 2001 were collected at the Sofia Meteorological Station. The mean weight of Bulgarian neonates born in 2000–2001 was 3389.8 g in boys and 3261.8 g in girls. The average newborn’s length was 51.0 cm and 50.3 cm in boys and girls, respectively. In all seasons, significant gender differences were observed in favour of boys (p≤0.001). The winter period was identified with a peak in birth length for both sexes, and spring and summer were the seasons with the lowest values for boys and girls, respectively. A significant positive correlation between birth length and the daily amount of sunshine during the prenatal period was found (p<0.001). Seasonal fluctuations influenced weight and length in Bulgarian neonates. The results obtained in this study can be useful in prenatal diagnostics, neonatal care, and health prevention for pregnant women and neonates.

    Trusted autonomous vehicles: an interactive exhibit

    Recent surveys about autonomous vehicles show that the public is concerned about the safety consequences of system or equipment failures and the vehicles' reactions to unexpected situations. We believe that informing the public about the technology and quality, e.g., safety and reliability, of autonomous vehicles is paramount to improving public expectations, perception and acceptance. In this paper, we report on the design of an interactive exhibit to illustrate (1) basic technologies employed in autonomous vehicles, i.e., sensors and object classification; and (2) basic principles for ensuring their quality, i.e., employing software testing and simulations. We subsequently report on a public engagement event involving this exhibit at the Royal Society Summer Science Exhibition 2019 in the exhibit titled "Trusted Autonomous Vehicles". We describe the process of designing and developing the artefacts used in our exhibit, the theoretical background associated with them, the design of our stand, and the lessons learned. The activities and findings of this study can be used by other educators and researchers interested in promoting trust in autonomous vehicles among the general public.