Synthesis from scenarios and requirements
Tripakis
Joint work with R. Alur, M. Martin, M. Raghothaman, A. Udupa (UPenn), and C. Stergiou (Berkeley & UPenn)
Part of NSF Expeditions Project ExCAPE (co-PI)

Synthesis – raising the level of abstraction in system design
• Verification:
  1. Design the system “by hand”: 𝑆
  2. State the system requirements: 𝜙
  3. Check whether the system meets the requirements: 𝑆 ⊨ 𝜙 ?
• Synthesis:
  1. State the system requirements: 𝜙
  2. Generate (synthesize) automatically a system 𝑆 that satisfies 𝜙 by construction.

Limitations of synthesis
• Methodologically difficult
  – It is not always easy to write complete formal specs (e.g., imagine a complete formal spec for an Intel Pentium)
• Algorithmically expensive => does not scale
  – E.g., algorithms doubly exponential in the length of the formal spec (temporal logic formulas)
• Generally undecidable for distributed controllers

ABP: reliable transmission over an unreliable channel
  Sending client --msg--> ABP sender --(0,1)--> Forward channel --(0,1)--> ABP receiver --deliver--> Receiving client
  ABP receiver --(0,1)--> Backward channel --(0,1)--> ABP sender --done--> Sending client
  Channels are lossy but FIFO.

Challenge problem: synthesize the ABP automatically!
  Same setting, with the ABP sender and the ABP receiver replaced by “?”.
• Can be formalized as a decentralized controller synthesis problem: a plant with two controllers, Controller 1 and Controller 2, each with its own (locally) observable events and (locally) controllable events.
• Unfortunately the problem is undecidable …

Our work: Synthesis from Scenarios and Requirements
• Idea: combine requirements + example scenarios
  Synthesis tool input: example scenarios. These are typically not complete specs!
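The scenarios-plus-requirements idea, worked through on a simplified alternating-bit protocol. This is an added example, not the ExCAPE tool's code or the protocol model of the talk; everything in it is an assumption made here: the event names (send?, m0!, a0?, timeout?, deliver!, …), the scenario format (each scenario is one process's local trace with state labels supplied alongside it, so that a repeated state such as "after a resend" can be identified with an existing one), the closed-system model used for checking (a client that hands over one message and waits for done!, two lossy capacity-1 FIFO channels, a timer that fires only when both channels are empty, and the rule that a process must be able to take a message sitting at the head of its channel), the requirements (a message is delivered at most once per request, done! answers exactly one delivered request, no deadlock), and the completion strategy (the checker reports the first input a process cannot take, a target state is tried for it with the self-loop first, and a requirement violation makes the search backtrack).

```python
"""Scenarios -> incomplete automata -> completion, on a simplified alternating-bit protocol.
Added example (not the ExCAPE tool): events, scenario format, channel model, properties and
completion strategy are all assumptions made here."""
from collections import deque

# Constructed local scenarios as alternating "state event state ..." tokens.  State labels
# come with the scenario, so a repeated state (e.g. after a resend) is identified with an
# existing one instead of becoming a fresh one.  '?' = input, '!' = output.
SCENARIOS = {
    "sender": [
        "I0 send? P0 m0! W0 a0? D0 done! I1 send? P1 m1! W1 a1? D1 done! I0",  # nominal
        "W0 timeout? P0", "W1 timeout? P1",   # message or ack lost: time out and resend
        "W0 a1? W0", "W1 a0? W1",             # delayed (stale) ack is ignored
    ],
    "receiver": [
        "R0 m0? V0 deliver! K0 a0! R1 m1? V1 deliver! K1 a1! R0",  # nominal
        "R1 m0? K0", "R0 m1? K1",             # duplicate message: re-ack, do not deliver
    ],
}
INPUTS = {"sender": ["send?", "a0?", "a1?", "timeout?"], "receiver": ["m0?", "m1?"]}
OUTPUTS = {"sender": ["m0!", "m1!", "done!"], "receiver": ["deliver!", "a0!", "a1!"]}


def build_automata(scenarios):
    """Incomplete automata: per-process state list and (proc, state, event) -> target state."""
    states, trans = {p: [] for p in scenarios}, {}
    for proc, runs in scenarios.items():
        for tok in (run.split() for run in runs):
            for src, ev, dst in (tok[i:i + 3] for i in range(0, len(tok) - 1, 2)):
                for x in (src, dst):
                    if x not in states[proc]:
                        states[proc].append(x)
                if trans.setdefault((proc, src, ev), dst) != dst:
                    raise ValueError(f"scenarios disagree at {proc} {src} {ev}")
    return states, trans


def missing_inputs(states, trans):
    """(proc, state, input) pairs the scenarios say nothing about: the completion problem."""
    return [(p, s, e) for p in states for s in states[p] for e in INPUTS[p] if (p, s, e) not in trans]


def check(trans):
    """Explore the closed system (assumed model, see lead-in).  Returns ('ok',), ('missing',
    proc, state, input) when a process is offered an input it has no transition for, or
    ('violation', why) for a requirement violation or a deadlock."""
    init = ("I0", "R0", "ready", None, None, 0)  # sender, receiver, client, fwd, bwd, pending msgs
    seen, todo = {init}, deque([init])
    while todo:
        s, r, c, fwd, bwd, d = todo.popleft()
        succ = []
        if c == "ready" and ("sender", s, "send?") in trans:      # client hands over a message
            succ.append((trans["sender", s, "send?"], r, "wait", fwd, bwd, d + 1))
        for e in OUTPUTS["sender"]:
            if ("sender", s, e) not in trans:
                continue
            if e == "done!":                                       # answers one delivered request
                if c != "wait" or d != 0:
                    return ("violation", f"done! in {s}: client {c}, {d} undelivered")
                succ.append((trans["sender", s, e], r, "ready", fwd, bwd, d))
            elif fwd is None:                                      # m0!/m1! need channel space
                succ.append((trans["sender", s, e], r, c, e[:2], bwd, d))
        if bwd is not None:                                        # ack at head of backward channel
            if ("sender", s, bwd + "?") not in trans:
                return ("missing", "sender", s, bwd + "?")
            succ.append((trans["sender", s, bwd + "?"], r, c, fwd, None, d))
            succ.append((s, r, c, fwd, None, d))                   # ... or the channel loses it
        elif fwd is None:                                          # both channels empty: timer fires
            if ("sender", s, "timeout?") not in trans:
                return ("missing", "sender", s, "timeout?")
            succ.append((trans["sender", s, "timeout?"], r, c, fwd, bwd, d))
        for e in OUTPUTS["receiver"]:
            if ("receiver", r, e) not in trans:
                continue
            if e == "deliver!":                                    # deliver only what was sent
                if d == 0:
                    return ("violation", f"deliver! in {r} with nothing pending")
                succ.append((s, trans["receiver", r, e], c, fwd, bwd, d - 1))
            elif bwd is None:                                      # a0!/a1! need channel space
                succ.append((s, trans["receiver", r, e], c, fwd, e[:2], d))
        if fwd is not None:                                        # message at head of forward channel
            if ("receiver", r, fwd + "?") not in trans:
                return ("missing", "receiver", r, fwd + "?")
            succ.append((s, trans["receiver", r, fwd + "?"], c, None, bwd, d))
            succ.append((s, r, c, None, bwd, d))                   # ... or the channel loses it
        if not succ:
            return ("violation", f"deadlock in {(s, r, c, fwd, bwd)}")
        for g in succ:
            if g not in seen:
                seen.add(g)
                todo.append(g)
    return ("ok",)


def synthesize(states, trans):
    """Counterexample-guided completion: let the checker find the first input a process
    cannot take, try every target state for it (self-loop first), backtrack on violations."""
    res = check(trans)
    if res[0] == "ok":
        return trans
    if res[0] == "violation":
        return None
    _, proc, st, ev = res
    for tgt in [st] + [x for x in states[proc] if x != st]:
        done = synthesize(states, {**trans, (proc, st, ev): tgt})
        if done is not None:
            return done
    return None


if __name__ == "__main__":
    st, inc = build_automata(SCENARIOS)
    print(len(missing_inputs(st, inc)), "inputs are unspecified by the scenarios")
    for (p, s, e), t in sorted(k_v for k_v in synthesize(st, inc).items() if k_v[0] not in inc):
        print(f"added {p}: {s} --{e}--> {t}")
```

Only the inputs the checker actually encounters get completed; pairs that are unreachable in the composed system stay open, which is why the search has to be driven by the model checker rather than by the static list of missing inputs. Replacing the self-loop-first order by a random one shows the backtracking at work: a completion that, say, jumps from an idle state to a done! state is rejected by the `done!` check and the search moves on.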
  The synthesis tool also takes formal requirements (safety, liveness, deadlock-freedom, …) and produces the synthesized protocol (state machines).

Synthesis using Scenarios
• Learn (generalize) behavior from examples
• Often only a few scenarios are required (1-10)
• Synthesis becomes an automata completion problem
  Scenario 1 (nominal), Scenario 2 (msg loss), Scenario 3 (ack loss), Scenario 4 (delay)

From Scenarios to Incomplete Automata
  A process whose local projection of the scenario is a! b? a! b? … gets one state per message history:
    S0 (initial): empty message history
    S1: a!
    S2: a! b?
  Identifying S2 with S0 (S0 = S2) folds the repeated history into a cycle: S0 --a!--> S1 --b?--> S0.

Automata Completion
  Incomplete automata (ABP Sender, ABP Receiver) built from the first scenario; completed automata after adding the missing inputs.

Synthesis from Scenarios and Requirements: Results
• Able to synthesize the Alternating Bit Protocol (ABP) and other simple finite-state protocols (cache coherence, consensus, …) fully automatically [HVC 2014].
• Progress towards industrial-level protocols modeled as extended state machines [CAV 2015]: synthesis of symbolic expressions.

Synthesis from Scenarios and Requirements: completion of (extended) state machines
• At the heart of the synthesis method is the completion of incomplete machines: find the missing transitions, guards, assignments, etc.
• Counterexample-guided synthesis

Back-up slides

Synthesis from LTL

Synthesis – state of the art
• Able to automatically synthesize a controller for an avionic electric power generation and distribution system (EPS)
• Formal spec: LTL (linear temporal logic)
• Using the Tulip synthesis tool (Caltech)
• Input: ~40 lines of LTL
• Output: ~3k lines of Matlab
• Synthesis time < 1 min
Case study by: Pierluigi Nuzzo & Antonio Iannopollo (UC Berkeley), and Eelco Scholte (UTC)

EPS Case study
• “Manual” controller design vs.
• Controller automatically synthesized from a formal specification

Case study: controller design for an avionic electric power generation and distribution system (EPS)

EPS requirements (in English)
  Assumptions: …
  Guarantees: …

“Manual” controller design
• “Hand-written” controller: ~2 PhD-student weeks
• Complex; not obvious that it works
• ⇒ Still needs to be verified

Formal specification
• From English to a formal specification language
  – Linear temporal logic (LTL)
• Close mapping from English to LTL: [](gl_healthy | gr_healthy | al_healthy | ar_healthy)

Formal specification for EPS
• ~40 lines of LTL
  #Assumptions
  (gl_healthy & gr_healthy & al_healthy & ar_healthy)
  [](gl_healthy | gr_healthy | al_healthy | ar_healthy)
  [](!gl_healthy -> X(!gl_healthy))
  [](!gr_healthy -> X(!gr_healthy))
  [](!al_healthy -> X(!al_healthy))
  [](!ar_healthy -> X(!ar_healthy))
  #Guarantees
  …
  [](!gl_healthy -> X(c5))
  [](!gr_healthy -> X(c6))
  []((X(gl_healthy) & X(gr_healthy)) -> (X(!c5) & X(!c6)))
  (!c1 & !c2 & !c3 & !c4 & !c5 & !c6 & !c7 & !c8 & !c9 & !c10 & !c11 & !c12 & !c13)
  [](X(c7) & X(c8) & X(c11) & X(c12) & X(c13))
  [](!(c2 & c3))
  [](!(c1 & c5 & (al_healthy | ar_healthy)))
  [](!(c4 & c6 & (al_healthy | ar_healthy)))
  []((X(gl_healthy) & X(gr_healthy)) -> X(!c2) & X(!c3) & X(!c9) & X(!c10))
  []((X(!gl_healthy) & X(!gr_healthy)) -> X(c9) & X(c10))
  [](X(!gl_healthy) -> X(!c1))
  [](X(!gr_healthy) -> X(!c4))
  [](X(!al_healthy) -> X(!c2))
  [](X(!ar_healthy) -> X(!c3))
  [](X(gl_healthy) -> X(c1))
  [](X(gr_healthy) -> X(c4))
  …
  []((X(!gl_healthy) & X(al_healthy) & X(gr_healthy)) -> (X(c2) & X(c3)))
  []((X(!gl_healthy) & X(!gr_healthy) & X(al_healthy) & !c3 & !c2) -> X(c2))
  []((X(al_healthy) & c2) -> X(c2))
  []((X(ar_healthy) & c3) -> X(c3))
  []((X(!gl_healthy) & X(!al_healthy) & X(ar_healthy) & !c2) -> X(c3))
  []((X(!gr_healthy) & X(!ar_healthy) & X(al_healthy) & !c3) -> X(c2))
  []((!gl_healthy & !al_healthy & !ar_healthy) -> X(c6))
  []((!gr_healthy & !ar_healthy & !al_healthy) -> X(c5))

Automatic controller synthesis from LTL spec
• Controller (~3k lines of Matlab code) automatically synthesized in < 1 min using the tool Tulip (Caltech)
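The LTL lines above use the Tulip-style syntax [] (always), X (next), ->, &, | and !. As an added example, not part of the case study and not Tulip, here is a small checker that parses that syntax and evaluates a subset of the EPS spec over a finite run of the plant. Assumed semantics: a run is a finite list of states and its last state stutters forever, so X at the end re-reads the last state; a variable absent from a state is false. The two runs are constructed: in the first, the left generator fails and the controller closes contactor c5 one step later; in the second, the generator "recovers" (which the permanence assumption forbids) and c5 is never closed.

```python
"""Finite-trace checker for the Tulip-style LTL syntax of the EPS spec.  Added example,
not part of the case study or of Tulip.  Assumed semantics: the last state of a trace
stutters forever, so X at the end re-reads the last state; [] ranges over the remaining
positions; an absent variable is false."""
import re

TOKEN = r"\[\]|->|X\b|[()&|!]|[A-Za-z_]\w*"


class Parser:
    """Recursive descent.  Precedence, loosest first: -> (right-assoc), |, &, then the
    prefix operators !, X and [] applied to the operand that follows them."""

    def __init__(self, text):
        self.toks = re.findall(TOKEN, text)
        if "".join(self.toks) != re.sub(r"\s+", "", text):   # nothing silently skipped
            raise ValueError(f"unexpected characters in: {text}")
        self.i = 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else None

    def take(self, expect=None):
        tok = self.peek()
        if expect is not None and tok != expect:
            raise ValueError(f"expected {expect!r}, got {tok!r}")
        self.i += 1
        return tok

    def implies(self):
        left = self.disj()
        if self.peek() == "->":
            self.take()
            return ("->", left, self.implies())
        return left

    def disj(self):
        node = self.conj()
        while self.peek() == "|":
            self.take()
            node = ("|", node, self.conj())
        return node

    def conj(self):
        node = self.unary()
        while self.peek() == "&":
            self.take()
            node = ("&", node, self.unary())
        return node

    def unary(self):
        tok = self.take()
        if tok in ("!", "X", "[]"):
            return (tok, self.unary())
        if tok == "(":
            node = self.implies()
            self.take(")")
            return node
        if tok is None or not re.fullmatch(r"[A-Za-z_]\w*", tok):
            raise ValueError(f"unexpected token {tok!r}")
        return ("var", tok)


def parse(text):
    p = Parser(text)
    node = p.implies()
    if p.peek() is not None:
        raise ValueError(f"trailing tokens in: {text}")
    return node


def holds(node, trace, i=0):
    """Evaluate a parsed formula at position i of the trace (a list of dicts)."""
    op = node[0]
    if op == "var":
        return bool(trace[i].get(node[1], False))
    if op == "!":
        return not holds(node[1], trace, i)
    if op == "X":
        return holds(node[1], trace, min(i + 1, len(trace) - 1))   # last state stutters
    if op == "[]":
        return all(holds(node[1], trace, j) for j in range(i, len(trace)))
    a, b = holds(node[1], trace, i), holds(node[2], trace, i)
    return {"&": a and b, "|": a or b, "->": (not a) or b}[op]


def violations(spec, trace):
    """Spec lines (comments and blanks skipped) that do not hold at position 0."""
    return [ln.strip() for ln in spec.splitlines()
            if ln.strip() and not ln.strip().startswith("#") and not holds(parse(ln), trace)]


# A subset of the EPS spec from the slides, in Tulip syntax.
EPS_SPEC = """
#Assumptions
(gl_healthy & gr_healthy & al_healthy & ar_healthy)
[](gl_healthy | gr_healthy | al_healthy | ar_healthy)
[](!gl_healthy -> X(!gl_healthy))
[](!gr_healthy -> X(!gr_healthy))
#Guarantees
[](!gl_healthy -> X(c5))
[](!gr_healthy -> X(c6))
[]((X(gl_healthy) & X(gr_healthy)) -> (X(!c5) & X(!c6)))
[](!(c2 & c3))
"""

# Constructed runs (not measured data).  Contactors not mentioned are open (false).
HEALTHY = dict(gl_healthy=True, gr_healthy=True, al_healthy=True, ar_healthy=True)
TRACE_OK = [dict(HEALTHY), dict(HEALTHY, gl_healthy=False),
            dict(HEALTHY, gl_healthy=False, c5=True), dict(HEALTHY, gl_healthy=False, c5=True)]
TRACE_BAD = [dict(HEALTHY), dict(HEALTHY, gl_healthy=False), dict(HEALTHY), dict(HEALTHY)]

if __name__ == "__main__":
    print("ok run violates: ", violations(EPS_SPEC, TRACE_OK))
    print("bad run violates:", violations(EPS_SPEC, TRACE_BAD))
```

The second run violates both the assumption `[](!gl_healthy -> X(!gl_healthy))` and the guarantee `[](!gl_healthy -> X(c5))`; in an assume-guarantee spec like this one, a violated assumption means the run is outside what the synthesized controller was obliged to handle, so the guarantee failure on that same run says nothing about the controller. The stuttering-last-state convention is only one choice for finite prefixes; a checker that treats X at the end as false would flag additional lines.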