

# Synthesis

SCOS

1



#### **Construct Correct Systems Automatically**



#### reactive synthesis

**Roderick Bloem** 

SCOS



# What Theory Will We Use?

- Games
- Automata
- Logic



#### Games Examples

- A new Cola market?
  - Coke is ahead of Pepsi makes first decision
  - Market cannot bear two competitors
  - Assumption: game is not repeated
  - Payoff matrix (Coke profit / Pepsi profit)
  - Who will enter the market?



In synthesis, we will look at graph games



#### SCOS

### Games Examples

- A new Cola market?
  - Coke is ahead of Pepsi makes first decision
  - Market cannot bear two competitors
  - Assumption: game is not repeated
  - Payoff matrix (Coke profit / Pepsi profit)
  - Who will enter the market?

|          | Coke  | No Coke |
|----------|-------|---------|
| Pepsi    | -5/-5 | 0/20    |
| No Pepsi | 10/0  | 0/0     |

#### In synthesis, we will look at graph games











SCOS



# Satisfiability & Realizability

#### Two problems:

- **1. Satisfiability**: Is there a *trace* that satisfies spec?
- 2. **Realizability**: Is there a *system* that satisfies spec?





never

#### Satisfiability & Realizability

Satisfiability: Is there a trace that satisfies the spec? Realizability: Is there a system that satisfies the spec? Realizability  $\neq$  Satisfiability

(req1  $\rightarrow$  grant1)  $\land$  (req2  $\rightarrow$  grant2)) always( grant1 ^ grant2

 $\mathcal{R}=r^2$ Satisfiable? Realizable? Satisfiable, but functionally impossible Distinguish inputs from outputs!



RATISFIABLE



#### Satisfiability & Realizability



**Synthesis** 



#### **Formal Verification**

Given: System provides outputs A specification



One Player: (not a game!)

Environment provides inputs

# System is good if it fulfills the spec for all possible inputs





#### Synthesis is a Game

Given: System provides outputs A specification



**Two** Players (a game!)

- Environment provides inputs
- System provides outputs

System is good if it fulfills the spec for all possible inputs





# Our Setting

#### **Reactive Systems**

- Constant interaction
- No Termination
- E.g. Cell phones, Operating Systems, Powerpoint

#### Finite State



Non-terminating, finite systems are graphs with loops

- Not our focus: functions
  - "Create a function that computes sqrt(2)"



#### <u>scos</u>

### Example I: Chess

- Environment determines black moves
- System determines white movers
- Winning condition:
  - If all black moves are legal, then all white moves are legal and eventually, white reaches checkmate

Easy to specify!



**System** 



# Checkers and Systems

#### Checkers are passive

Judge if given behavior is allowed (satisfiability) Used in verification

#### Systems are active

Construct correct behavior (realizability) Result of synthesis







### Synthesis

- 1. Specify
- 2. Create Game
- 3. Solve Game
- 4. Create System











#### **Example II: Arbiter**



- **1.** Specify
- 2. Create Game
- 3. Solve Game
- 4. Create System







#### SCOS

Specify

**Create Game** 

Solve Game

Create System

1.

2.

3.

4.

### **Arbiter Specification**

#### Deterministic Büchi automaton for

 $G(r \to Fg)$ 

Accepting states must be visited infinitely often



 $\Delta$ ccenting s

Roderick Bloem



<u>SCOS</u>





<u>SCOS</u>





<u>SCOS</u>





#### Games

- $G = (V_0, V_1, E, F).$
- $V_0$ : Player 0 states (circles)
- $V_1$ : Player 1 states (squares)  $V = V_0 \cup V_1$
- $E \subseteq (V_0 \times V_1) \cup (V_1 \times V_0)$  edges
- $F \subseteq (V_0 \cup V_1)^{\omega}$  winning condition
- We want to know from whether (and how!) Player 0 can force a play in *F*.



#### Games

$$G = (V_0, V_1, E, F).$$

- $V_0$ : Player 0 states (circles)
- $V_1$ : Player 1 states (squares)  $V = V_0 \cup V_1$
- $E \subseteq (V_0 \times V_1) \cup (V_1 \times V_0)$  edges
- $F \subseteq (V_0 \cup V_1)^{\omega}$  winning condition



SCOS



$$\begin{aligned} & \text{Reachability Game} \\ & pre(C) = \{ q \mid q \in V_0 \land \exists q'. (q, q') \in E \land q' \in C \} \lor \\ & \{ q \mid q \in V_1 \land \forall q'. (q, q') \in E \rightarrow q' \in C \} \end{aligned}$$

Reachability game with goal F:

$$W_{0} = F$$

$$W_{i} = W_{i-1} \cup \underline{pre(W_{i-1})}$$

$$W = \bigcup W_{i}$$

$$F$$

Let's call this rch(C) = W Strategy: Move from  $W_i$  to  $W_{i-1}$ 





#### SCOS

### Terminology

```
Play Sequence \pi=q0q1q2... \in V<sup>\omega</sup> s.t. (qi,qi+1) \inT
Play is winning if \pi \in F.
```

```
Strategy Function \sigma: V^* \cdot V0 \rightarrow V
```

**Play** adheres to  $\sigma$  if for all prefixes q0...qi with qi  $\in$  V0, we have qi+1 =  $\sigma(q0,...,qi)$ 





#### SCOS

#### More General Games



Generalized Büchi:







#### Symbolic Games



 $pre(C) = \{q \mid q \in V_0 \land \exists q'. (q, q') \in E \land q' \in C\} \lor \{q \mid q \in V_1 \land \forall q'. (q, q') \in E \rightarrow q' \in C\} \lor pre(C)(W) \neq V_0(\chi) \land \exists \chi'. P(\chi, \chi') \land C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \lor V_0(\chi) \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \land \forall \chi'. P(\chi, \chi') \land \forall \chi'. P(\chi, \chi') \rightarrow C(\chi') \land \forall \chi'. P(\chi, \chi') \land \forall \chi'. P(\chi') \land \forall \forall \chi'. P(\chi') \land \forall \chi'. P(\chi') \land \forall \chi'. P(\chi$ 





### Symbolic Games

 $X = \{x_1, \dots, x_n\}$ system variables $V_0$  is a Boolean formula over X: system states $V = \neg V_0$ : environment statesR is a Boolean formula over X and X'

$$pre(C) = \{q \mid q \in V_0 \land \exists q'. (q, q') \in E \land q' \in C\} \lor \{q \mid q \in V_1 \land \forall q'. (q, q') \in E \rightarrow q' \in C\}$$

$$pre(C)(X) = V_0 \land \exists X'. C(W') \land R(X, X') \lor V_1 \land \forall X'. R(X, X') \rightarrow C(X')$$





### Symbolic Game

#### Reachability game with goal F:

```
W = F;
while W changes do
W = W \lor pre(W)
```

#### What kind of solver do we use?



# Selecting One Implementation

Specification = Set of sequential circuits

Strategy = Set of combinational circuits

Construction of circuit

One combinational circuit

Less freedom Fewer circuits More complexity





combinational inputs I

combinational outputs O

- Spec is given in terms of sequential inputs and outputs
- Flipflops keep track of state of specification automata (state space of game)
- Strategy is relation between combinational inputs and combinational outputs:  $R \subseteq I \; X \; O$
- A circuit is a function f:  $I \rightarrow O$



# From BDD to Circuit

#### **Relation Solving**



**Given**: Strategy R: I x O **Find**: function f: I  $\rightarrow$  O such that if f(i) = 0 then (i,0)  $\in$  R

# Multiple possibilities lead to wildly different sizes in circuits





### Back to Theory

- Automata Theory
  - For Games
- Logics
  - For the Spec: Temporal Logic
  - For the Solution: Automatic Solvers
  - Quantifiers?

 $\forall i \exists o. \varphi$ 

Non-Boolean logics?





#### Example III: AMBA



#### <u>SCOS</u>

## AMBA Bus

- Industrial standard
- ARM's AMBA AHB bus
  - High performance on-chip bus
  - Data, address, and control signals (pipelined)
  - Arbiter part of bus (determines control signals)
  - Up to 16 masters and 16 clients





#### **SCOS**

## AMBA Bus

- Master initiates transfer. Signals:
  - HBUSREQi
  - HLOCKi
  - HBURST
- Master i wants the bus
- Master i wants an uninterruptible access
- This access has length 1/4/incr
- address & data lines
- The arbiter decides access
  - HGRANTi

- Next transfer for master i
- HMASTER[..] Currently active master
- HMASTLOCK Current access is uninterruptible
- The clients synchronize the transfer
  - HREADY Ready for next transfer
- Sequence for master
  - Ask; wait for grant; wait for hready; state transfer type & start transfer





## **AMBA** Arbiter

- Specification
- 3 Assumptions, 12 Guarantees.
- Example:

*"When a locked unspecified length burst starts, new access does not start until current master (i) releases bus by lowering HBUSREQi."* 

 $\bigwedge_{i}$  G( HMASTLOCK  $\land$  HBURST=INCR  $\land$  HMASTER=i  $\land$  START  $\rightarrow$  X(¬START U ¬HBUSREQi) )











# Application Example: Shields













# Your system:

- Large
- Heterogeneous
- Subject to failures
- Not available



# Critical spec:

- Critical aspects only
- Small & sweet

© Disney

oynmesis



Institute for Applied Information Processing and C

# Some Systems

# Applications

- Complicated systems
- Heterogeneous systems
- Third-Party IP
- Soft Errors
- Uncertified systems





or machine learning Humans<sup>V</sup>should take care of excellent average case behavior Humans write programs



**Formal** should take care of acceptable worst case Formal makes sure they are right at runtime

SCOS





SCOS







# System: complicated

### Critical specification: simple safety property





# Challenge



### Verification inconclusive:

- System too complicated
- ... but we need absolute certainty of critical spec







### Synthesize a "safety shield" Scalable because critical spec is small







### Trafictec CMU Conflict Monitor Unit

Monitors selected traffic controller channels for conflicts.

#### Goals:

- 1. Generate automatically
- 2. Independent of system
- 3. Smarter than going to failsafe

#### General

**The Trafictec CMU Conflict Monitor Unit**, which is optional for use with the SBC-2400 Traffic Control System, monitors selected traffic signal controller channels for conflicts. There are 8 input lines and 6 CMU channels. Two sets of input lines are tied together, forming a single signal group (i.e., Green and Walk) that can be monitored as one channel. When two channels are in conflict, the CMU will activate a conflict signal. This signal is read by the traffic controller, which will then place the intersection in flash. The conflict signal is latched and can only be cleared by a manual reset. The latching relay maintains the fault status during a power outage.

**Synthesis** 

#### http://www.zwiesler.com/sbc2400/cmu\_conflict\_monitor.htm



# **Crucial Properties**

#### Shielded system satisfies specification

2. Generic

1. Correct

Shield does not depend the system implementation

3. Reacts on-the-fly, no delay





# **Crucial Properties**

#### Shielded system satisfies specification

2. Generic

1. Correct

Shield does not depend the system implementation

3. Reacts on-the-fly, no delay

## Shield could ignore system!







# Minimum Interference: Properties

1. Deviate only if necessary

Retain non-critical properties if system OK

2. Deviate as little as possible

likely retain non-critical properties if system fails









#### Deviation allowed up to k steps after violation



### What does it mean to have multiple failures?





SCOS





# Organizational

| Number | Date       | Lecturer              | Chapter                              |
|--------|------------|-----------------------|--------------------------------------|
| 1      | 2020-03-10 | Roderick Bloem        | Introduction                         |
| 2      | 2020-03-17 | Bettina Könighofer    | Bounded Synthesis, safety only       |
| 3      | 2020-03-24 | Vedad Hadzic          | Introduction SMT (Z3)                |
| 4      | 2020-03-31 | Bettina Könighofer    | SMT – Theory                         |
| 5      | 2020-04-21 | Masoud Ebrahimi       | LTL                                  |
| 6      | 2020-04-28 | All SCOS members      | Presentations Exercise 1 by Students |
| 7      | 2020-05-05 | Benedikt Marderbacher | Omega Autmomata                      |
| 8      | 2020-05-12 | Benedikt Marderbacher | Bounded Synthesis                    |
| 9      | 2020-05-19 | Bettina Könighofer    | Synthesis via Games, Games 1         |
| 10     | 2020-05-26 | Bettina Könighofer    | Synthesis via Games, Games 2         |
| 11     | 2020-06-09 | Roderick Bloem        | Relation Determinization             |
| 12     | 2020-06-16 | All SCoS Members      | Research                             |
| 13     | 2020-06-23 | All SCoS Members      | Presentations Exercise 2 by Students |



# Time Line

- Lecture: 120 minutes
  - **10:00-11:00**
  - 15 minute break
  - 11:15-12:15
  - Or not??
- Interactive!
- Exam will be waived for those who participate actively
- Uebung
  - Pencil and Paper take-home exercises

# Corona?

