Distributed Synthesis for Parameterized Temporal Logics
Swen Jacobs, Leander Tentrup, Martin Zimmermann

TL;DR
This paper investigates the synthesis of distributed systems from parameterized temporal logic specifications, showing that certain problems remain decidable or semi-decidable in various system models and extending results to stronger logics.
Contribution
It demonstrates that distributed synthesis for PROMPT-LTL is not harder than LTL in synchronous systems and provides a semi-decision procedure for asynchronous systems, extending to PLTL and PLDL.
Findings
Realizability for PROMPT-LTL in synchronous systems is as tractable as LTL.
Semi-decision procedure for asynchronous PROMPT-LTL synthesis based on bounded synthesis.
Results extend to stronger logics PLTL and PLDL.
Abstract
We consider the synthesis of distributed implementations for specifications in parameterized temporal logics such as PROMPT-LTL, which extends LTL by temporal operators equipped with parameters that bound their scope. For single process synthesis it is well-established that such parametric extensions do not increase worst-case complexities. For synchronous distributed systems we show that, despite being more powerful, the realizability problem for PROMPT-LTL is not harder than its LTL counterpart. For asynchronous systems we have to express scheduling assumptions and therefore consider an assume-guarantee synthesis problem. As asynchronous distributed synthesis is already undecidable for LTL, we give a semi-decision procedure for the PROMPT-LTL assume-guarantee synthesis problem based on bounded synthesis. Finally, we show that our results extend to the stronger logics PLTL and PLDL.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
Distributed Synthesis for
Parameterized Temporal Logics111Supported by the projects ASDPS (JA 2357/2–1) and TriCS (ZI 1516/1–1) of the German Research Foundation (DFG) and by the grant OSARES (No. 683300) of the European Research Council (ERC).
Swen Jacobs
Leander Tentrup
Martin Zimmermann
Reactive Systems Group, Saarland University, 66123 Saarbrücken, Germany
Abstract
We consider the synthesis of distributed implementations for specifications in parameterized temporal logics such as –, which extends by temporal operators equipped with parameters that bound their scope. For single process synthesis, it is well-established that such parametric extensions do not increase worst-case complexities. For synchronous distributed systems, we show that, despite being more powerful, the realizability problem for – is not harder than its counterpart. For asynchronous systems, we have to express scheduling assumptions and therefore consider an assume-guarantee synthesis problem. As asynchronous distributed synthesis is already undecidable for , we give a semi-decision procedure for the – assume-guarantee synthesis problem based on bounded synthesis. Finally, we show that our results extend to the stronger logics and .
keywords:
distributed synthesis , distributed realizability , incomplete information , parametric linear temporal logic , parametric linear dynamic logic
††journal: Information and Computation
1 Introduction
Linear Temporal Logic [1] () is the most prominent specification language for reactive systems and the basis for industrial languages like ForSpec [2] and PSL [3]. Its advantages include a compact variable-free syntax and intuitive semantics as well as the exponential compilation property, which explains its attractive algorithmic properties: every formula can be translated into an equivalent Büchi automaton of exponential size [4]. This yields a polynomial space model checking algorithm and a doubly-exponential time algorithm for solving two-player games. Such games solve the monolithic synthesis problem: given a specification, construct a correct-by-design implementation.
However, lacks the ability to express timing constraints. For example, the request-response property requires that every request is eventually responded to by a . It is satisfied even if the waiting times between requests and responses diverge, i.e., it is impossible to require that requests are granted within a fixed, but arbitrary, amount of time. While it is possible to encode an a-priori fixed bound for an eventually into , this requires prior knowledge of the system’s granularity and incurs a blow-up when translated to automata, and is thus considered impractical.
To overcome this shortcoming of , Alur et al. introduced parametric () [5], which extends with parameterized operators of the form and , where and are variables. The formula expresses that every request is answered within an arbitrary, but fixed, number of steps . Here, is a variable valuation, a mapping of variables to natural numbers. Typically, one is interested in whether a formula is satisfied with respect to some variable valuation, e.g., model checking a transition system against a specification amounts to determining whether there is an such that every trace of satisfies with respect to . Alur et al. [5] showed that the model checking problem is PSpace-complete. Due to monotonicity of the parameterized operators, one can assume that all variables in parameterized always operators are mapped to zero, as variable valuations are quantified existentially in the problem statements. Dually, again due to monotonicity, one can assume that all variables in parameterized eventually operators are mapped to the same value, namely the maximum of the bounds. Thus, in many cases the parameterized always operators and different variables for parameterized eventually operators are not necessary.
Motivated by this, Kupferman et al. introduced – [6], which can be seen as the fragment of without the parameterized always operator and with a single bound for the parameterized eventually operators. They proved that – model checking is PSpace-complete and solving – games is 2ExpTime-complete, i.e., not harder than games. While the results of Alur et al. rely on involved pumping arguments, the results of Kupferman et al. are all based on the so-called alternating color technique, which basically allows to reduce – to .
Intuitively, one introduces a new proposition that is thought of as coloring traces of a system. Then, one replaces each parameterized eventually operator by an formula requiring to hold within at most one color change. If the distance between color changes is bounded from above, then satisfaction of the rewritten formula implies the existence of a bound for the bounded eventually operators such that the original formula is satisfied with respect to . Dually, if the distance between color changes is bounded from below, then the other implication holds: the original – formula implies the rewritten formula.
When applying this equivalence, one has to specify how the truth values for the new atomic proposition coloring the traces are determined. In a game setting (in particular in synthesis), the player who aims to satisfy the – formula determines these truth values and is required to change colors infinitely often. Then, a finite-state strategy automatically ensures an upper bound on the distance between color changes.
Later, the result on – games was extended to games [7], relying on the monotonicity properties explained above and an application of the alternating color technique. These results show that adding parameters to does not increase the asymptotic complexity of the model checking and the game-solving problem, which is still true for even more expressive logics like Parametric Linear Dynamic Logic () [8] and and with costs [9]. The former logic is an extension of with the full expressiveness of the -regular languages. The latter logics are evaluated in weighted systems and generalize and by bounding the parameterized operators in the accumulated weight instead of bounding them in time.
The synthesis problems mentioned above assume a setting of complete information, i.e., every part of the system has a complete view on the system as a whole. However, this setting is unrealistic in distributed systems. Based on this observation, distributed synthesis is defined as the problem of synthesizing multiple components with incomplete information. Since there are specifications that are not implementable, one differentiates synthesis from the corresponding decision problem, i.e., the realizability problem of a formal specification. We focus on the latter, but note that typically algorithms for the realizability problem also solve the synthesis problem, as they rely on constructing implementations to prove realizability. This also holds in our work here.
The realizability problem for distributed systems dates back to work of Pnueli and Rosner in the early nineties [10]. They showed that the realizability problem for LTL becomes undecidable already for the simple architecture of two processes with pairwise different inputs. In subsequent work, it was shown that certain classes of architectures, like pipelines and rings, can still be synthesized automatically [11, 12]. Later, a complete characterization of the architectures for which the realizability problem is decidable was given by Finkbeiner and Schewe by the information fork criterion [13]. Intuitively, an architecture contains an information fork if there is an information flow from the environment to two different processes where the information to one process is hidden from the other and vice versa. The distributed realizability problem is decidable exactly for those architectures without an information fork. Beyond decidability results, semi-decision procedures like bounded synthesis [14] give an architecture-independent synthesis method that is particularly well-suited for finding small-sized implementations. Bounded synthesis searches for finite-state implementations of a fixed size by encoding the problem as a constraint system in a decidable first-order theory. In case of a positive answer, the result is returned, otherwise the bound is increased. If there is an upper bound on the size of a finite-state implementation, then bounded synthesis is a complete decision procedure, as it can be stopped if the upper bound is reached without a positive answer. If there is no such upper bound, it is indeed a semi-decision procedure that finds an implementation if one exists, but runs forever otherwise.
1.1 Our Contributions
As mentioned above, one can add parameters to for free: the complexity of the model checking problem and of solving infinite games does not increase. This raises the question whether this is also true for distributed realizability of parametric temporal logics. For synchronous systems, we can answer this question affirmatively. For every class of architectures with decidable realizability, the – realizability problem is decidable, too. To show this, we apply the alternating color technique [6] to reduce the distributed realizability problem of – to the one of : one can again add parameterized operators to for free. To prove this result, we add a new process whose only task it is to determine a coloring with the fresh proposition. By ensuring that the new process does not introduce an information fork we obtain decidability for the same class of architectures as for .
For asynchronous systems, the environment is typically assumed to take over the responsibility for the scheduling decision [15]. Consequently, the resulting schedules may be unrealistic, e.g., one process may not be scheduled at all. While fairness assumptions such as “every process is scheduled infinitely often” solve this problem for specifications, they are insufficient for –: a fair scheduler can still delay process activations arbitrarily long and thereby prevent the system from satisfying its – specification for any bound . Bounded fair scheduling, where every process is guaranteed to be scheduled in bounded intervals, overcomes this problem. Since bounded fairness can be expressed in –, the realizability problem in asynchronous architectures can be formulated more generally as an assume-guarantee realizability problem that consists of two – specifications. Hence, we have to deal with two colorings of the traces when applying the alternating color technique: One induces bounds on the parameterized eventually operators in the assumption, the other on the bounds on the parameterized eventually operators in the guarantee.
We give a semi-decision procedure for this problem based on a new method for checking emptiness of two-colored Büchi graphs [6] and an extension of bounded synthesis [14]. As asynchronous realizability for architectures with more than one process is undecidable [15], the same result holds for – realizability. Thus, the semi-decision procedure is the best result one can hope for. Decidability in the one process case, which holds for [15], is left open for –.
Finally, we show that all these results also hold for and , even stronger logics to which the alternating color technique and bounded synthesis are still applicable.
This is a revised and extended version of a paper that appeared at GandALF 2016 [16].
1.2 Related Work
There is a rich literature regarding the synthesis of distributed systems from global -regular specifications [10, 11, 12, 13, 17, 18, 19, 20]. We are not aware of work that is concerned with the realizability of parameterized logics in this setting. For local specifications, i.e., specifications that only relate the inputs and outputs of single processes, the realizability problem becomes decidable for a larger class of architectures [21]. An extension of these results to context-free languages was given by Fridman and Puchala [22]. The realizability problem for asynchronous systems and LTL specifications is undecidable for architectures with more than one process to be synthesized [15]. Later, Gastin et al. showed decidability of a restricted specification language and certain types of architectures, i.e., well-connected [23] and acyclic [24] ones. Bounded synthesis [14, 25] provides a flexible synthesis framework that can be used in both the asynchronous and the synchronous setting, based on a semi-decision procedure.
1.3 Structure
In Section 2, we introduce – and the alternating color technique. In Section 3, we consider synchronous distributed synthesis for – and the asynchronous case in Section 4. Then, in Section 5, we consider both problems for the more expressive logics and . We conclude in Section 6 with a discussion of future work.
2 –
Throughout this work, we fix a set of atomic propositions. The formulas of – are given by the grammar
[TABLE]
where is an atomic proposition, are the usual Boolean operators, and are the operators next, until, and release. We use the derived operators and for some fixed , and and as usual. Furthermore, we use as a shorthand for if the antecedent is an -free formula (since in that case we can transform into negation normal form in the fragment above). We define the size of to be the number of sub-fomulas of . The satisfaction relation for – is defined between an -word , a position , a bound for the prompt-eventually operators, and a – formula.
if, and only if, .
- 2.
if, and only if, .
- 3.
if, and only if, and .
- 4.
if, and only if, or .
- 5.
if, and only if, .
- 6.
if, and only if, there exists a such that and for every in the range .
- 7.
if, and only if, for all : or for some in the range .
- 8.
if, and only if, there exists a in the range such that .
For the sake of brevity, we write instead of and say that is a model of with respect to . Note that implies for every , i.e., satisfaction with respect to is an upward-closed property.
The Alternating Color Technique
In this subsection, we recall the alternating color technique, which Kupferman et al. introduced to solve model checking, assume-guarantee model checking, and the realizability problem for – specifications [6].
Let be a fixed fresh proposition. An -word is an -coloring of if , i.e., and coincide on all propositions in . The additional proposition can be thought of as the color of : we say that the color changes at position , if or if the truth values of in and in are not equal. In this situation, we say that is a change point. An -block is a maximal infix of such that the color changes at and , but not in between.
Let . We say that is -spaced if the color changes infinitely often and each -block has length at least , and we say that is -bounded, if each -block has length at most . Note that -boundedness implies that the color changes infinitely often.
Given a – formula , let denote the formula obtained by inductively replacing every sub-formula by
[TABLE]
which is only linearly larger than and requires every prompt eventually to be satisfied within at most one color change (not counting the position where holds). Furthermore, the formula is satisfied if the colors change infinitely often. Finally, we define the formula . Kupferman et al. showed that and are in some sense equivalent on -words which are bounded and spaced.
Lemma 1** (Lemma 2.1 of [6]).**
Let be a – formula, and let .
If , then for every -spaced -coloring of . 2. 2.
If is a -bounded -coloring of with , then .
Whenever possible, we drop the subscript for the sake of readability, if is clear from context. However, when we consider asynchronous systems in Section 4, we need to relativize two formulas with different colors, which necessitates the introduction of the subscripts.
3 Synchronous Distributed Synthesis
– specifications can give guarantees that cannot, for example by asserting not only that requests to a system are answered eventually, but also that there is an upper bound on the reaction time. This is especially important in distributed systems, since such timing constraints become more difficult to implement because of information flows between the various parts of the system.
Consider, for example, a distributed computation system, where a central server gets important and unimportant tasks, and can forward tasks to a number of clients. A client can either enqueue the task, which means that it will be processed eventually, or clear the client-side queue and process the task immediately. The latter operation is very costly (we have to remember the open tasks as they still need to be completed), but guarantees an upper bound on the completion time. While in we can only specify that all incoming tasks are processed eventually, in – we can specify that the answer time to important tasks is bounded by the formula .222A similar constraint could be simulated in by writing that on every important incoming task, the worker queues are cleared. This, however, removes implementation freedom and requires the developer to determine how to implement the feature, instead of letting the synthesis algorithm decide.
Let us now formalize the distributed realizability problem. Let and be finite and pairwise disjoint sets of variables. A valuation of is a subset of ; thus, the set of all valuations of is . For and , let .
Strategies
A strategy maps a history of valuations of to a valuation of . The behavior of a strategy is characterized by an infinite tree that branches by the valuations of and whose nodes are labeled with the strategic choice . For an infinite word , the corresponding labeled path is defined as . We lift the set containment operator to the containment of a labeled path in a strategy tree induced by , i.e., if, and only if, and for all .
A -labeled -transition system is a tuple where is a finite set of states, is the designated initial state, is the transition function, and is the state-labeling. We generalize the transition function to sequences over by defining recursively as and for . A transition system generates the strategy if for every . A strategy is called finite-state if there exists a transition system that generates .
To reason about distributed systems, we have to combine strategies with different inputs, which we call the distributed product. To this end, we have to introduce widenings of strategies, which intuitively enlarge their domains with new atomic propositions that are ignored. Also, we need projections, which remove outputs from strategies.
In the following, we formally introduce these concepts. A visualization is given in Fig. 1.
Definition 1** (Distributed Product).**
Let , and be finite sets such that and are disjoint. Further, let and be two strategies with the same domain but different co-domains and .
The product of and is defined as for every .
- 2.
The -projection of a sequence is .
- 3.
The -widening of is defined as with for .
- 4.
Given some , the distributed product is defined as the product .
Analogously, for transition systems and the distributed product, written , is defined as the transition system , where if, and only if, and , and .
Remark 1**.**
The strategy generated by is equal to the distributed product of the strategies generated by and .
We define the satisfaction of a – formula (over propositions ) on strategy with respect to the bound , written for short, as for all paths .
Distributed Systems
We characterize a distributed system as a set of processes with a fixed communication topology, called an architecture in the following. Recall that is the set of atomic propositions used to build formulas. An architecture is a tuple , where is the finite set of processes and is the distinct environment process. We denote by the set of system processes.
Given a process , the input and output signals of this process are and , respectively, where we assume . For , let and . While processes may share the same inputs (in case of broadcasting), the outputs of processes must be pairwise disjoint, i.e., for all it holds that . Finally, we require that every input of a process originates from some other process, i.e., .
An implementation of a process is a strategy mapping finite input sequences to a valuation of the output variables.
Example 1**.**
Figure 2 shows example architectures and :
* with*
- (a)
* and*
- (b)
.
- 2.
* with*
- (a)
* and*
- (b)
.
The architecture in Fig. 2(a) contains two system processes, and , and the environment process . The processes and receive the inputs and , respectively, from the environment and output and , respectively. Hence, the environment can provide process with information that is hidden from and vice versa. In contrast, architecture , depicted in Fig. 2(b), is a pipeline architecture where information from the environment can only propagate through the pipeline processes and .
Distributed Realizability
Let be an architecture. The synchronous – realizability problem for is to decide, given a – formula , whether there exist a bound and a finite-state implementation for each process , such that the distributed product satisfies with respect to , i.e., . In this case, we say that is realizable in . The synchronous realizability problem is a special case of it, as is a fragment of –.
In the following, we show how to solve the synchronous – realizability problem. In our reduction to synchronous realizability, we introduce a new process that produces a coloring sequence needed for applying the alternating color technique [6]. Let be the fresh proposition introduced for the alternating color technique to relativize formulas and let be an architecture as above. We define the architecture as
[TABLE]
where and . Intuitively, this describes an architecture where one additional process is responsible for providing sequences in , i.e., a coloring by . We show that in and in are equi-realizable by applying the alternating color technique. As the processes are synchronized, the proof is similar to the one for the single-process case by Kupferman et al. [6].
Theorem 1**.**
A – formula is realizable in if, and only if, is realizable in .
Proof.
Let be an architecture and be a – formula.
Assume that the – formula is realizable in . Then, there exist finite-state strategies for and a bound satisfying the synchronous – realizability problem . For every , it holds that . By item 1 of Lemma 1, it holds that every -spaced -coloring of satisfies . Let be a (finite-state) strategy that produces the -spaced sequence . Then, the process implementations together with are a solution to the synchronous realizability problem .
Now, assume that the formula is realizable in the architecture . Thus, there exist finite-state strategies for and a finite-state strategy for process . Note that the strategy has a unique output , as it has no inputs. We claim that is -bounded, where is the number of states of the transition system generating . To see this, note that has no inputs, i.e., each state of has a unique successor in , and the unique run of on ends up in a loop which is traversed ad infinitum. As the output has infinitely many change points (since is realizable in ), the loop contains at least one state labeled by and at last one state with . Thus, the maximal length of a block of is bounded by the length of the loop, which in turn is bounded by the size of .
Hence, for every , the word is a -bounded -coloring of with . By item 2 of Lemma 1, for all such it holds that . Hence, together with the bound is a solution to the synchronous – realizability problem. ∎
Theorem 1 allows us to reduce the distributed realizability problem of – to the distributed realizability problem of in a strategy-preserving manner as shown in the accompanying proof. In particular, we are able to reuse semi-decision procedures for the latter, such as bounded synthesis [14], to effectively construct small solutions.
To conclude, we show that the newly introduced process also preserves the property whether the architecture has an information fork [13]. Formally, consider tuples , where is a subset of the processes, is a subset of the variables disjoint from , and are two different processes. Such a tuple is an information fork in if together with the edges that are labeled with at least one variable from forms a sub-graph of rooted in the environment and there exist two nodes that have edges to , respectively, such that and . For example, the architecture in Fig. 2(a) contains the information fork , while the pipeline architecture depicted in Fig. 2(b) has no information forks.
Lemma 2**.**
* contains an information fork if, and only if, contains an information fork.*
Proof.
The if direction follows immediately by construction: if is an information fork in , then it is an information fork in as well. Hence, assume is an information fork in . It holds that neither nor since has no incoming edges. As , cannot be in a sub-graph that is rooted in the environment, hence, and . It follows that is an information fork in . ∎
Thus, we can use well-known results for the decidability of distributed realizability for and weakly ordered architectures [13], i.e., those without an information fork.
Corollary 1**.**
Let be an architecture. The synchronous – realizability problem for is decidable if, and only if, is weakly ordered.
4 Asynchronous Distributed Synthesis
The asynchronous system model is a generalization of the synchronous model discussed in the previous section. In an asynchronous system, not all processes are scheduled at the same time. We model the scheduler as part of the environment, i.e., at any given time the environment additionally signals whether a process is enabled. The resulting distributed realizability problem is already undecidable for specifications and systems with more than one process [15].
We have to adapt the definition of the synchronous – realizability problem for the asynchronous setting. Using the definition from Section 3, the system can never satisfy a – formula if the scheduler is part of the environment, since it may delay scheduling indefinitely. Moreover, even if the scheduler is assumed to be fair, it can still build increasing delay blocks between process activation times such that it is impossible for the system to guarantee any bound . Hence, we employ the concept of bounded fair schedulers and allow the system bound to depend on the scheduler bound. More generally, this is a typical instance of an assume-guarantee specification: under the assumption that the scheduler is bounded fair, the system satisfies its specification. In the following, we formally introduce the distributed realizability problem for asynchronous systems and assume-guarantee specifications.
Scheduling
To model scheduling, we introduce an additional set of atomic propositions. The valuation of indicates whether system process is currently scheduled or not. Given a (synchronous) architecture , we define the asynchronous architecture as the architecture with the environment output . Furthermore, we extend the input of a process by its scheduling variable , i.e., for each . The environment can decide at every step which processes to schedule. When a process is not scheduled, its state—and thereby its outputs—do not change [14]. Formally, for , let be a finite-state strategy for a process and a transition system that generates . For every path , it holds that if for some , then , where denotes the prefix of . For the remainder of this section, we will only consider such strategies.
Definition 2** (Assume-Guarantee Realizability).**
A – assume-guarantee specification consists of a pair of – formulas. The asynchronous – assume-guarantee realizability problem asks, given an asynchronous architecture and as above, whether for each process there exists a finite-state strategy such that for every bound on the assumption there is a bound on the guarantee such that for every , we have that implies . In this case, we say that satisfies .
Consider the bounded fairness specification discussed above, which is expressed by the formula , i.e., for every point in time, every is scheduled within a bounded number of steps. We use as an assumption on the environment which implies that the guarantee only has to be satisfied if holds. Consider, for example, the asynchronous architecture corresponding to Fig. 2(a) and the – specification . Even when we assume a fair scheduler, i.e., , the environment can prevent one process from satisfying the specification for any bound . This problem is fixed by assuming the scheduler to be bounded fair, i.e., . Then, there exist realizing implementations for processes and (that alternate between enabling and disabling the output), and the bound on the guarantee is for every bound on the assumption.
While in the case of the assume-guarantee problem can be reduced to the realizability problem for the implication , this is not possible in – due to the quantifier alternation on the bounds. As a matter of fact, we do not know yet whether the – assume-guarantee realizability problem in the single-process case is decidable. We show that even if the problem would turn out to be decidable, an implementation that realizes the specification in general may need infinite memory.
Lemma 3**.**
There exists a – assume-guarantee specification that can be realized with an infinite-state strategy, but not with a finite-state one.
Proof.
Consider the assume-guarantee specification with and and a single process architecture with and . As the guarantee is false, the implementation has to falsify the assumption for every bound on the prompt-eventually operator to realize . To falsify with respect to a fixed , the implementation has to produce a sequence where is true infinitely often and where is an infix of . Thus, the size of the implementation depends on and an implementation that falsifies for every must have infinite memory. ∎
Moreover, already the realizability problem is undecidable in the asynchronous case. Thus, the – assume-guarantee realizability problem for asynchronous architectures may be at best solvable by a semi-decision procedure. We present such a semi-decision procedure for the asynchronous – assume-guarantee realizability problem based on bounded synthesis [14]. In bounded synthesis, a transition system of a fixed size is “guessed” and model checked by a constraint solver. Model checking for – can be solved by checking pumpable non-emptiness of colored Büchi graphs [6]. However, the pumpability condition cannot directly be expressed in the bounded synthesis constraint system. Hence, in Section 4.1, we give an alternative solution to the non-emptiness of colored Büchi graphs by a reduction to Büchi graphs that have access to the state space of the transition system. We show how to extend bounded synthesis to such Büchi graphs in Section 4.2, and present a semi-decision procedure for – assume-guarantee synthesis based on this extension in Section 4.3.
In the following we use transition systems as representations for finite-state strategies, since the algorithm developed in this section needs access to the syntactic representation of strategies.
4.1 Nonemptiness of Colored Büchi Graphs
In the case of specifications, the nonemptiness problem for Büchi graphs gives a classical solution to the model checking problem for a given system . Let be the formula that should satisfy. In a preprocessing step, the negation of is translated to a nondeterministic Büchi word automaton [26]. Then, is violated by if, and only if, the Büchi graph representing the product of and is nonempty. An accepting path in witnesses a computation of that violates . Colored Büchi graphs are an extension to such graphs in the context of model checking – [6].
A colored Büchi graph of degree two is a tuple , where and are propositions, is a set of vertices, is a set of edges, is the designated initial vertex, describes the color of a vertex, and is a generalized Büchi condition of index two, i.e., . A Büchi graph is a special case where we omit the labeling function and are interested in finding an accepting path. A path is pumpable if we can pump all its -blocks without pumping its -blocks. Formally, a path is pumpable if for all adjacent -change points and , there are positions , , and such that , and if, and only if, . A path is accepting, if it visits both and infinitely often. The pumpable nonemptiness problem for is to decide whether has a pumpable accepting path. It is NLogSpace-complete and solvable in linear time [6].
We give an alternative solution to this problem based on a reduction to the nonemptiness problem of Büchi graphs. To this end, we construct a non-deterministic safety automaton that characterizes the pumpability condition. A non-deterministic safety automaton is a tuple , where is a finite alphabet, is a finite set of states, is the designated initial state, and is the transition function. An infinite word is accepted by a safety automaton if, and only if, there exists an infinite run on this word.
Lemma 4**.**
Let be a colored Büchi graph of degree two. There exists a Büchi graph , with , such that has a pumpable accepting path if, and only if, has an accepting path.
Proof.
We define a non-deterministic safety automaton over the alphabet that checks the pumpability condition. The product of and (defined later) represents the Büchi graph where every accepting path is pumpable.
The language of pumpable paths (with respect to a fixed set of vertices ) is an -regular language that can be recognized by a small non-deterministic safety automaton. This automaton operates in 3 phases between every pair of adjacent -change points: first, it non-deterministically remembers a vertex and the corresponding truth value of . Then, it checks that this value changes and thereafter it remains to show that the vertex repeats before the next -change point. Thus, the state space of is
[TABLE]
and the initial state is . The state space corresponds to the 3 phases: in the states a vertex and a truth value of are remembered, before state the value of changes, and is the state after the vertex repetition. The transition function is defined in the following. We use the notation to denote .
- 2.
- 3.
- 4.
The size of is in . Figure 3 gives a visualization of this automaton.
We define the product of the colored Büchi graph and the automaton as the Büchi graph , where
[TABLE]
and where is given by for . The size of is in . It remains to show that has a pumpable accepting path if, and only if, has an accepting path.
Consider a pumpable accepting path in . We show that there is a corresponding accepting path in . Let and be adjacent -change points. Then, there are positions , , and such that , and if, and only if, . By construction, at position , automaton is at some state from the set . We follow the automaton and remember vertex and the truth value of at position (some state ). Next, we take the transition to where the truth value of changes (at position ). Lastly, we check that there is a vertex repetition (at position ) and go to state . At the next -change point , the argument repeats. This path is accepting, as the original one is accepting.
Now, consider an accepting path in . We show that there is a pumpable accepting path in . Let be the projection of every position of to the first component. By construction, is an accepting path in . Let be an -block of . As has a run of the automaton , we know that there exists a state repetition between and where the truth value of changes in between. Hence, the path is pumpable. ∎
Remark 2**.**
Note that in the context of the previous proof, it would be enough to remember a vertex without the valuation of , as the vertex determines the valuation by the labeling function of . However, we will later use in a more general setting (cf. Section 4.3).
4.2 Bounded Synthesis
Bounded synthesis [14] is a semi-decision procedure for the distributed synthesis problem. In its original form, it takes as input a specification expressed by a universal co-Büchi automaton , a (possibly asynchronous) architecture , and a size bound (or a family of bounds on the individual processes), and decides whether a correct implementation of the given size exists. Bounded synthesis expresses the acceptance of a transition system on , i.e., acceptance of all traces generated by , as a constraint system in a decidable first-order theory. In this section, we show a modification of bounded synthesis that gives the specification automaton access to the states of the system to be synthesized. This extension is needed for automata that can express the pumpability condition, in particular the one we constructed in the proof of Lemma 4. We will show in Section 4.3 how to obtain such an automaton from a – assume-guarantee specification , resulting in a semi-decision procedure for asynchronous distributed synthesis from this class of specifications.
For distributed architectures, bounded synthesis separately considers the problems of finding a global transition system that is accepted by and of dividing the transition system into local components according to the given architecture. To this end, two sets of constraints are generated: (i) an encoding of the acceptance by of a global transition system of size , and (ii) an encoding of the architectural constraints that divides this global system into local components. If the conjunction of both sets of constraints is satisfiable, then a satisfying assignment of the constraints represents a distributed system that satisfies in . Since the architectural constraints we consider are the same as in standard bounded synthesis, we only have to modify the constraints encoding the existence of a global transition system that satisfies the given specification.
Extended Automata
We define a universal co-Büchi tree automaton as a tuple \mathcal{U}={\langle\Sigma,\Upsilon,Q,q_{0},\delta,\reflectbox{B}\rangle}, where is an input alphabet, is a set of directions, is a set of states, is the transition function, and \reflectbox{B}\subseteq Q is the set of rejecting states.
As mentioned above, we want to check acceptance of a global transition system by . Therefore, we consider the sets of inputs and outputs of the composition of the system processes, and are interested in the acceptance of a -labeled -transition system . In addition, we want to recognize the pumpability condition. Therefore, we consider a state-aware universal co-Büchi tree automaton with and , i.e., in addition to output valuations, the automaton has access to the current state of .
Acceptance of by the automaton is defined in terms of run graphs: the run graph of an automaton \mathcal{U}_{S}={\langle 2^{O}\times S,2^{I},Q,q_{0},\delta,\reflectbox{B}\rangle} on is the minimal directed graph that satisfies the constraints:
,
- 2.
, and
- 3.
for every , it holds
[TABLE]
The co-Büchi condition requires that, for an infinite path of the run graph, g_{i}\in\reflectbox{B}\times S holds for only finitely many . A run graph is accepting if every infinite path of the run graph satisfies the co-Büchi condition. A transition system is accepted by if the (unique) run graph of on is accepting.
Annotated transition systems
We introduce an annotation function for transition systems that witnesses acceptance by a (possibly state-aware) universal co-Büchi tree automaton. The annotation assigns to each pair a natural number or a special symbol . Natural numbers indicate the maximal number of occurrences of rejecting states on any path to in the run graph; indicates that the pair is not reachable. Thus, if for a given transition system there exists an annotation that assigns natural numbers to all vertices of the run graph, then the number of visits to rejecting states must be bounded in any run. Such annotations are called valid, and transition systems with valid annotations are exactly those that are accepted by the automaton.
An annotation of a -labeled -transition system on a state-aware universal co-Büchi tree automaton \mathcal{U}_{S}={\langle 2^{O}\times S,2^{I},Q,q_{0},\delta,\reflectbox{B}\rangle} is a function . An annotation is valid if it satisfies the following conditions:
- 2.
for any :
- if and
- then ,
- where is interpreted as if q^{\prime}\in\reflectbox{B}, and otherwise.
An annotation is -bounded if its codomain is contained in .
Theorem 2** (see [14]).**
A finite-state -labeled -transition system is accepted by a state-aware universal co-Büchi tree automaton \mathcal{U}_{S}={\langle 2^{O}\times S,2^{I},Q,q_{0},\delta,\reflectbox{B}\rangle} if, and only if, it has a valid (\left|{S}\right|\cdot\left|{\reflectbox{B}}\right|)-bounded annotation.
Proof.
The original proof by Finkbeiner and Schewe [14] works without modifications for our extension to state-aware universal co-Büchi tree automata. ∎
For a given state-aware universal co-Büchi tree automaton \mathcal{U}_{S}={\langle 2^{O}\times S,2^{I},Q,q_{0},\delta,\reflectbox{B}\rangle}, Theorem 2 allows us to decide the existence of an -labeled -transition system with state space that is accepted by .
Encoding of global acceptance
The existence of a (global) transition system with a valid annotation can be encoded into a set of decidable constraints in first-order logic modulo a theory with uninterpreted functions and a partial order. Essentially, we can directly encode the conditions for a valid annotation into constraints, with uninterpreted transition function and labeling for the desired transition system. Such constraints can then be solved by off-the-shelf satisfiability modulo theories (SMT) tools.
Like the proof of Theorem 2, the original encoding can easily be extended to support our notion of state-aware universal Büchi tree automata. It is constructed in the following way:
Assume that is defined in a suitable way, i.e., the sets and
, state , and transition relation are defined. 2. 2.
Declare uninterpreted sets and functions for the transition system and the annotation:
- (a)
Define the set of states as for the given bound .
- (b)
Declare the transition function of as and the labeling function as .
- (c)
Declare two functions that are used to model the annotation function: and . 3. 3.
Assert the following constraints:
[TABLE]
The encoding ensures that is true whenever is reachable in the run graph of on , and that respects the conditions for a valid annotation for all reachable vertices . Since there are no conditions for the annotation on vertices that are not reachable, a solution for will represent a valid annotation of on .
Note that our encoding is a strict generalization of the encoding of Finkbeiner and Schewe [14]. In particular, our encoding can also be used for specifications in that are translated into a universal co-Büchi tree automaton (see Kupferman and Vardi [27]), which can be seen as a state-aware automaton that ignores the state of the transition system.
Encoding of architectural constraints
As mentioned above, the encoding of architectural constraints can be adopted from the original approach without changes. For a given asynchronous architecture , the additional constraints (1) assert that the state of a process does not change if it is not scheduled and (2) that the transitions of a process only depend on its current state and the visible inputs. In addition, it can contain additional bounds on the state space of every single component.
The conjunction of both sets of constraints then asks for the existence of a distributed implementation of size that is accepted by , possibly with additional bounds for every on the size of the components.
Theorem 3** (see [14]).**
Given a state-aware universal co-Büchi tree automaton 333As the symbol in refers to the state-space of the distributed product, has to be equal to the product of bounds for ., an asynchronous architecture , and a family of bounds for every , there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exist implementations of size for every such that is accepted by and satisfies the architectural constraints of .
Proof.
Follows immediately from Theorem 2 and the correctness of the architectural constraints from Finkbeiner and Schewe [14]. ∎
4.3 A Semi-Decision Procedure for Assume-Guarantee Realizability
Since the assume-guarantee realizability problem for asynchronous architectures is undecidable and infinite-state strategies are required in general, we give a semi-decision procedure for the problem. Our solution is based on the techniques developed in the last subsections.
As the bounded synthesis approach described in the last subsection already accounts for “guessing” transition systems for each system process according to the architectural constraints given by , we reduce the problem of model checking individual implementations to model checking the product system . A transition system satisfies an assume-guarantee specification if the strategy generated by satisfies , i.e., if for every bound there is a bound such that for every , we have that implies .
Given an assume-guarantee specification , we first solve the problem of model checking assume-guarantee specifications by building a state-aware universal co-Büchi tree automaton that accepts a transition system if, and only if, satisfies . Given and a bound on the size of the implementation, we can then use the encoding from Section 4.2 to decide realizability modulo this bound, and obtain a semi-decision procedure by solving the problem for increasing bounds.
Encoding into Büchi automata
Let be an asynchronous architecture and let and be the set of inputs and outputs, respectively, of the composition of the system processes. First, we construct the non-deterministic Büchi automaton , where , whose language contains exactly those paths that satisfy [26]. Then, we use the following lemma to characterize whether a transition system satisfies an assume-guarantee specification by reducing it to finding pumpable error paths in the two-color Büchi graph , as introduced in Section 4.1, which is the product of and . Formally, the elements of are defined as , as if, and only if, there is an input valuation such that and , , as , and .
Lemma 5**.**
Let be a – assume-guarantee specification, an asynchronous architecture and a finite-state implementation for every system process . The distributed product does not satisfy if, and only if, the product of and is pumpable non-empty.
Proof.
Similar to the proof of Lemma 6.1 and Theorem 6.2 in [6]. The missing proof of Lemma 6.1 is given in [8] (Lemma 8). See also the discussion below its proof. ∎
To check the existence of pumpable error paths, we use the non-deterministic automaton from the proof of Lemma 4. Here, we let , where is a set with elements, representing the state space of the desired solution , and is the state space of the automaton defined above, that is, we use as the state space of the colored Büchi graph that is used to model check an implementation against a specification .
The product of and is an automaton that operates on the inputs , outputs , propositions , and the state space of the implementation, and accepts all those paths that are pumpable and violate the assume-guarantee specification (cf. Lemma 4).
Formally, is defined as:
[TABLE]
where is defined as
[TABLE]
and is the Büchi condition .
We complement , resulting in a universal co-Büchi automaton that accepts a given sequence of inputs and the behavior of an implementation on if, and only if, the execution of on satisfies . Finally, we construct a (state-aware) universal co-Büchi tree automaton \mathcal{U}_{S}=(2^{O}\times X,2^{I\cup{\{r,r^{\prime}\}}},Q,q_{0},\delta,\reflectbox{B}) by spanning a copy of for every direction in . Then, an implementation with set of states is accepted by if, and only if, satisfies (for all possible input sequences). Thus, solves the problem of model checking assume-guarantee specifications.
Encoding the automaton into constraints
Now, we can use the modified bounded synthesis algorithm from Section 4.2 to encode into a set of constraints that is satisfiable if, and only if, there exists an implementation that satisfies . We obtain the following corollaries stating the correctness of the constraint system for single-process implementations (Corollary 2) and distributed implementations (Corollary 3), respectively.
Corollary 2**.**
Given a – assume-guarantee specification and a bound , there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exists an implementation of size such that satisfies .
Corollary 3**.**
Given a – assume-guarantee specification , an asynchronous architecture , and a family of bounds for each , there is a constraint system (in a decidable first-order theory) that is satisfiable if, and only if, there exist implementations of size for each such that satisfies in .
By exhaustively traversing the space of bounds and by solving the resulting constraint system, we obtain a semi-decision procedure for the asynchronous – assume-guarantee realizability problem. Furthermore, this also solves the synthesis problem, as a satisfying assignment of the constraint system directly represents a valid implementation, where the transition relation is given by (the assignment of) the function , and the state labeling by (the assignment of) the function .
Corollary 4**.**
Let be an asynchronous architecture. The asynchronous – assume-guarantee realizability problem for is semi-decidable.
5 Beyond –
In this section, we consider distributed synthesis for logics stronger than –. As already pointed out in the introduction, – is predated by parametric linear temporal logic (), which was introduced by Alur et al. [5]. This logic is obtained by adding parameterized eventually operators of the form and parameterized always operators of the form to . Here, and are variables which are instantiated by a variable valuation mapping variables to natural numbers that serve as bounds: holds with respect to if holds within the next steps, while holds with respect to , if holds at least for the next steps. Thus, intuitively, the variables bound the scope of the operators. In particular, – can be seen as the fragment of without parameterized always operators and where all parameterized eventually operators are parameterized by the same variable.
Alur et al. showed that the model checking problem for , where the variable valuation is existentially quantified, is PSpace-complete, and therefore not harder than model checking. Later, a similar result was shown for solving infinite games with winning conditions, which is still complete for doubly-exponential time [7]. As for –, distributed synthesis for specifications has never been considered before.
The second logic we consider in this section is parametric linear dynamic logic () [8], which has its roots in another shortcoming of : it lacks the full expressive power of the -regular languages. There is a long line of extensions of addressing this issue [28, 4, 29]. Most recently, Vardi introduced linear dynamic logic (), which adds regular expressions as guards to the temporal operators of : the formula holds if there is a position such that the prefix up to it matches the guard and holds at this position. Similarly, holds, if holds at all positions where the prefix up to it matches the guard. Thus, the diamond operator is a guarded eventually operator and the box operator is a guarded always operator. Vardi showed that has the exponential compilation property [30], i.e., formulas can be translated into equivalent Büchi automata of exponential size. Thus, model checking is still PSpace-complete while solving games is still 2ExpTime-complete.
Now, is obtained by allowing parameterized diamond and box operators, with the expected semantics. For the first time, this logic addresses both shortcomings of , lack of timing constraints and limited expressiveness, simultaneously. Even in this setting, model checking is just PSpace-complete and solving games is 2ExpTime-complete [8]. Distributed synthesis for specifications has never been considered before.
In this section, we address the distributed synthesis problem for both logics, starting with the synchronous variant. For , we rely on a reduction to the – synthesis problem. The variable valuation will be existentially quantified in the problem statement, just as the bound in the case of – synthesis is existentially quantified. Now, consider a parameterized always operator : if is satisfied for at last steps, then also for at least zero steps, i.e., at the current position. Thus, when the value for is existentially quantified, degenerates to the formula , as can always be instantiated with [math].
Dually, consider a parameterized eventually operator : if holds at least once within the next steps, then also at least once within the next steps, for every . Thus, if is existentially quantified, then one can replace all variables parameterizing parameterized eventually operators by a unique one. By applying these two replacements, one obtains an equivalent – formula, provided is existentially quantified. In fact, these observations were the impetus to introduce –. However, the situation is different when one is interested in a fixed variable valuation or for optimization problems. In this case, the replacements are no longer valid.
Then, we consider the synchronous synthesis problem for , which we solve along the same lines as for its special case –: the alternating color technique has been reformulated for and the exponential compilation property holds as well. Finally, we also discuss the asynchronous synthesis problem. Here, the approach for and is similar. Hence, we restrict our attention to the case of , as it subsumes .
5.1 Synchronous Distributed Synthesis for Parametric Linear Temporal Logic
Let be an infinite set of variables and let be a set of atomic propositions. The formulas of are given by the grammar
[TABLE]
where and . As before, we use the derived operators and as well as implications, which are defined as for –.
The set of sub-formulas of a formula is denoted by and we define the size of to be the cardinality of . Furthermore, we define
[TABLE]
to be the set of variables parameterizing eventually operators in , and
[TABLE]
to be the set of variables parameterizing always operators in . Finally, denotes the set of all variables appearing in .
To evaluate formulas, we define a variable valuation to be a mapping mapping each variable to a value. Now, we can define the model relation between a path , a position of , a variable valuation , and a formula. For the atomic propositions, Boolean connectives, and standard temporal operators, it is defined as for –, while for the parameterized operators it is defined as follows:
if, and only if, there exists a such that .
- 2.
if, and only if, for every : .
For the sake of brevity, we write instead of and say that is a model of with respect to .
As usual for parameterized temporal logics, the use of variables has to be restricted: parameterizing eventually and always operators by the same variable leads to an undecidable satisfiability problem [5].
Definition 3**.**
A formula is well-formed if .
In the following, we only consider well-formed formulas and omit the qualifier “well-formed”. Also, we will denote variables in by and variables in by , if the formula is clear from the context.
Our solution for the synthesis problem is based on the monotonicity of the parameterized temporal operators explained earlier, which is formalized in the following lemma.
Lemma 6** ([5]).**
Let be a formula and let and be variable valuations satisfying , for each , and , for each . If , then .
Thus, let be a formula and let be the –-formula obtained from by inductively replacing each sub-formula by and each sub-formula by . The following is a straightforward consequence of the previous lemma.
Corollary 5**.**
Let be a formula and let be defined as above.
For every , if there exists a variable valuation such that , then . 2. 2.
For every , if there exists a bound such that , then , where maps each to and each other variable to [math].
Let be an architecture. Here, the synchronous realizability problem for is the problem of deciding, given a formula , whether there exist a variable valuation and a finite-state implementation , for each process , such that the distributed product satisfies with respect to , i.e., . In this case, we say that is realizable in .
Theorem 4**.**
Let be an architecture. The synchronous realizability problem for is decidable if, and only if, is weakly ordered.
Proof.
Fix an architecture . By Corollary 5, a given formula is realizable in if, and only if, as defined in the corollary is realizable in . Thus, Corollary 1 yields the desired result. ∎
Also, bounded synthesis is again applicable, as we can translate the relativized PLTL formulas into universal co-Büchi automata.
5.2 Synchronous Distributed Synthesis for Parametric Linear Dynamic Logic
As before, let be an infinite set of variables and let be the set of atomic propositions. The formulas of are given by the grammar
[TABLE]
where , , and ranges over propositional formulas over . Here, expressions of the form are tests, which allow us to nest operators. The sets , , and are defined analogously to the sets , , and for , taking sub-formulas in tests into account.
The satisfaction relation is defined, as before, among a path , a position , a variable valuation , and a formula . First, let the relation contain all pairs such that matches . Formally, it is defined inductively by
for propositional ,
- 2.
,
- 3.
,
- 4.
, and
- 5.
.
Then, for atomic formulas and Boolean connectives it is defined as for –, while for the four temporal operators, it is defined as follows:
if there exists such that and ,
- 2.
if for all , with , we have ,
- 3.
if there exists such that and , and
- 4.
if for all with , we have .
Again, we restrict ourselves to well-formed formulas, i.e., those formulas with . With this restriction, Lemma 6 holds for , too.
Lemma 7**.**
Let be a formula and let and be variable valuations satisfying , for each , and , for each . If , then .
Recall that the alternating color technique for – replaces every prompt-eventually operator by a formula that expresses that holds within one color change. In , this is naturally expressed by two nested until operators. In , parameterized diamond operators, which are the analogues of prompt-eventually operators, are guarded by regular expressions, and, thus, one has to express that both the guard holds and at most one color change occurs. The simplest way to do it is to introduce a change point bounded variant of the diamond-operator (see [8]).
Formally, we add the operator with the following semantics:
if there exists a s.t. , contains at most one -change point, and .
Let be the logic obtained by disallowing parameterized operators but allowing the change point-bounded operator, whose semantics are independent of variable valuations. Hence, we drop them from our notation for the satisfaction relation and the relation .
We need the following results from [8] which generalizes the replacement of sub-formulas by with respect to variable valuations mapping to zero. In , the situation is different, e.g., the formulas and are not necessarily equivalent with respect to variable valuations mapping to zero, e.g., if is a test. This test has to be satisfied, even if . However, one can easily simplify the guard to a guard that captures when restricted to matchings of length zero.
Lemma 8** ([8]).**
For every formula there is an efficiently constructible formula without paramterized box operators whose size is at most the size of such that
, 2. 2.
for each and each , implies , and 3. 3.
for each and each , implies .
In the third item, is the valuation mapping each to and each other variable to [math].
Note that the formulas and as above are equivalent, if the variable valuation is existentially quantified.
Now, given such a formula , let denote the formula obtained from the formula as in Lemma 8 by inductively replacing each sub-formula by . Furthermore, let , which is equivalent to the formula from above. Now, define , which is an formula.
Lemma 9** ([8]).**
Let be a formula and let .
If , then for every -spaced -coloring of , where . 2. 2.
If is a -bounded -coloring of with , then , where maps each to and each other variable to zero.
Finally, the exponential compilation property holds for as well: every formula can be translated into an equivalent non-determinstic Büchi automaton of exponential size [8].
Now, the (synchronous) distributed synthesis problem is defined as its analogue for . Let be an architecture. Then, the synchronous realizability problem for is the problem of deciding, given a formula , whether there exist a variable valuation and a finite-state implementation for each process , such that the distributed product satisfies with respect to , i.e., . In this case, we say that is realizable in .
Theorem 5**.**
Let be an architecture. The synchronous realizability problem for is decidable if, and only if, is weakly ordered.
Proof.
Theorem 1 holds for as well, using the same proof: a formula is realizable in if, and only if, is realizable in . Now, the information fork criterion holds for -regular conditions as well [13], which finishes the proof. ∎
Also, bounded synthesis is again applicable, as we can also translate the relativized PLDL formulas into universal co-Büchi automata.
5.3 Asynchronous Distributed Synthesis for PLDL
Finally, we consider the asynchronous setting. We focus on , as is a fragment of and the approach for both problems is similar.
As for the asynchronous – realizability problem, we require the implementations to only change their state if they are scheduled. Here, a assume-guarantee specification consists of a pair of formulas. The asynchronous assume-guarantee realizability problem asks, given an asynchronous architecture and as above, whether there exists a finite-state implementation , for each process , such that for each variable valuation there is a variable valuation such that for each , we have that implies . In this case, we say that satisfies .
To solve the problem, we use the framework of bounded synthesis and emptiness checking for Büchi graphs as presented for – in Section 4. In particular, we adapt the notation introduced in Subsection 4.3, e.g., the product system . Our semi-decision procedure again guesses implementations and then model checks whether their product satisfies the assume-guarantee specification, based on a characterization in terms of being pumpable non-empty. To this end, we have to lift Lemma 11 to , which again requires to remove parameterized box operators. Once more, we rely on monotonicity, but due to the quantifier alternation and the implication between and , the application is not completely trivial. Given the assumption , let be the formula as described in Lemma 8, which has no parameterized box operators. The formula is defined similarly.
Lemma 10**.**
Let , , and as above. Then, satisfies if, and only if, satisfies .
Proof.
Let denote the strategy generated by .
For the implication from left to right, let satisfy , i.e., for each there is a such that for all : implies . As depends on , we write to make the dependency clear.
Now, given some arbitrary let denote the variable valuation mapping each to and each other variable to [math]. We claim that implies for all , which implies that satisfies .
Thus, assume the assumption is satisfied, i.e., . Then, we also have by Lemma 8. Thus, , which implies , again by Lemma 8.
For the other implication, let satisfy , i.e., for each there is a such that for all : implies . Again, as depends on , we write to make the dependency clear.
We claim that implies for all , which implies that satisfies .
Thus, assume the assumption is satisfied, i.e., . Then, we also have by Lemma 8. Thus, , which implies , again by Lemma 8. Here, maps each variable in to and each other variable to [math]. ∎
To simplify the notation we can assume that and do not contain any parameterized box operators. Thus, the alternating color technique is applicable to them. Also, there is a non-deterministic Büchi automaton , where whose language contains exactly those paths that satisfy [8]. Then, Lemma 11 holds in this setting as well.
Lemma 11**.**
Let be a PLDL assume-guarantee specification, be an asynchronous architecture, and be a finite-state implementation for each system process . The distributed product does not satisfy if, and only if, the product of and is pumpable non-empty.
From here on the algorithm is similar to that described in Section 4 and we obtain the same semi-decidability result.
Corollary 6**.**
Let be an asynchronous architecture. The asynchronous PLDL assume-guarantee realizability problem for is semi-decidable.
6 Conclusion
In this paper, we have initiated the investigation of distributed synthesis for parameterized specifications, in particular for –, PLTL, and PLDL. These logics subsume , and additionally allow to express bounded satisfaction of system properties, instead of only eventual satisfaction. To the best of our knowledge, this is the first treatment of parametrized temporal logic specifications in distributed synthesis.
We have shown that for the case of synchronous distributed systems, we can reduce the – synthesis problem to an synthesis problem. Thus, the complexity of – synthesis corresponds to the complexity of synthesis, and the – realizability problem is decidable if, and only if, the realizability problem is decidable. For the case of asynchronous distributed systems with multiple components, the – realizability problem is undecidable, again corresponding to the result for . For this case, we give a semi-decision procedure based on a novel method for checking emptiness of two-colored Büchi graphs. Finally, we have shown that all these results also hold for and . Furthermore, the approach is also applicable to and in a weighted setting [9], as even these logics have the exponential compilation property and the alternating color technique is applicable to them as well. Finally, we conjecture that the approach also extends to assume-guarantee synthesis with mutual assumptions between different processes [31, 32].
Among the problems that remain open is realizability of – specifications in asynchronous distributed systems with a single component. This problem can be reduced to the (single-process) assume-guarantee realizability problem for –, which was left open in [6].
In the future, we also want to look into the synthesis of distributed systems with a parametric number of components [33, 34] from parameterized temporal logics. In addition to the even more difficult problems of realizability and synthesis, new questions arise in this context, such as: how does the bound on prompt eventualities increase with the number of components in the system?
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[1] A. Pnueli, The temporal logic of programs, in: FOCS 1977, IEEE, 1977, pp. 46–57. doi:10.1109/SFCS.1977.32 . · doi ↗
- 2[2] R. Armoni, L. Fix, A. Flaisher, R. Gerth, B. Ginsburg, T. Kanza, A. Landver, S. Mador-Haim, E. Singerman, A. Tiemeyer, M. Y. Vardi, Y. Zbar, The For Spec temporal logic: A new temporal property-specification language, in: J.-P. Katoen, P. Stevens (Eds.), TACAS 2002, Vol. 2280 of LNCS, Springer, 2002, pp. 296–311. doi:10.1007/3-540-46002-0\_21 . · doi ↗
- 3[3] C. Eisner, D. Fisman, A Practical Introduction to PSL, Integrated Circuits and Systems, Springer, 2006. doi:10.1007/978-0-387-36123-9 . · doi ↗
- 4[4] M. Y. Vardi, P. Wolper, Reasoning about infinite computations, Inf. Comput. 115 (1) (1994) 1–37. doi:10.1006/inco.1994.1092 . · doi ↗
- 5[5] R. Alur, K. Etessami, S. La Torre, D. Peled, Parametric temporal logic for ”model measuring”, ACM Trans. Comput. Log. 2 (3) (2001) 388–407. doi:10.1145/377978.377990 . · doi ↗
- 6[6] O. Kupferman, N. Piterman, M. Y. Vardi, From liveness to promptness, Formal Methods in System Design 34 (2) (2009) 83–103. doi:10.1007/s 10703-009-0067-z . · doi ↗
- 7[7] M. Zimmermann, Optimal bounds in parametric LTL games, Theor. Comput. Sci. 493 (2013) 30–45. doi:10.1016/j.tcs.2012.07.039 . · doi ↗
- 8[8] P. Faymonville, M. Zimmermann, Parametric linear dynamic logic, Inf. Comput. 253 (2017) 237–256. doi:10.1016/j.ic.2016.07.009 . · doi ↗
