# A Symbolic Approach to Safety LTL Synthesis

Temporal synthesis is the automated design of a system that interacts with an environment, using the declarative specification of the system's behavior. A popular language for providing such a specification is Linear Temporal Logic, or LTL. LTL synthesis in the general case has remained, however, a hard problem to solve in practice. Because of this, many works have focused on developing synthesis procedures for specific fragments of LTL, with an easier synthesis problem. In this work, we focus on Safety LTL, defined here to be the Until-free fragment of LTL in Negation Normal Form (NNF), and shown to express a fragment of safe LTL formulas. The intrinsic motivation for this fragment is the observation that in many cases it is not enough to say that something "good" will eventually happen, we need to say by when it will happen. We show here that Safety LTL synthesis is significantly simpler algorithmically than LTL synthesis. We exploit this simplicity in two ways, first by describing an explicit approach based on a reduction to Horn-SAT, which can be solved in linear time in the size of the game graph, and then through an efficient symbolic construction, allowing a BDD-based symbolic approach which significantly outperforms extant LTL-synthesis tools.

• 5 publications
• 5 publications
• 7 publications
• 15 publications
• 36 publications
05/23/2017

### Symbolic LTLf Synthesis

LTLf synthesis is the process of finding a strategy that satisfies a lin...
09/23/2020

### LTLf Synthesis under Partial Observability: From Theory to Practice

LTL synthesis is the problem of synthesizing a reactive system from a fo...
03/26/2018

### Encodings of Bounded Synthesis

The reactive synthesis problem is to compute a system satisfying a given...
02/13/2018

### Reconciling Enumerative and Symbolic Search in Syntax-Guided Synthesis

Syntax-guided synthesis aims to find a program satisfying semantic speci...
01/18/2019

### First-Order vs. Second-Order Encodings for LTLf-to-Automata Translation

Translating formulas of Linear Temporal Logic (LTL) over finite traces, ...
09/17/2021

### Expressiveness of Extended Bounded Response LTL

Extended Bounded Response LTL with Past (LTLEBR+P) is a safety fragment ...
11/19/2019

### Hybrid Compositional Reasoning for Reactive Synthesis from Finite-Horizon Specifications

LTLf synthesis is the automated construction of a reactive system from a...

## 1 Introduction

Research on synthesis is the culmination of the ideal of declarative programming. By describing a system in terms of what it should do, rather than how it should be done, we are able to simplify the design process while also avoiding human mistakes. In the framework defined by synthesis, we describe a specification of a system’s behavior in a formal language, and the synthesis procedure automatically designs a system satisfying this specification [30]. Reactive synthesis [24] is one of the most popular variants of this problem, in which we wish to synthesize a system that interacts continuously with an environment. Such systems include, for example, operating systems and controllers for mechanical devices. To specify the behavior of such systems, we need a specification language that can reason about changes over time. A popular such language is Linear Temporal Logic, or ltl [23].

Despite extensive research, however, synthesis from ltl formulas remains a difficult problem. The classical approach is based on translating the formula to a deterministic parity automaton and reducing the synthesis problem to solving a parity game [24]. This translation, however, is not only theoretically hard, given its doubly-exponential upper bound, but also inefficient in practice due to the lack of practical algorithms for determinization [15]. Furthermore, despite the recent quasi-polynomial algorithm [7] for parity games, it is still not known if they can be solved efficiently. A promising approach to mitigating this problem consists of developing synthesis techniques for certain fragments of ltl that cover interesting classes of specifications but for which the synthesis problem is easier. Possibly the most notable example is that of Generalized Reactivity(1) formulas, or GR(1) [3], a fragment for which the synthesis problem can be solved in cubic time with respect to the game graph.

Here we focus on the Safety ltl fragment, which we define to be the fragment of ltl composed of Until-free formulas in Negation Normal Form (nnf). Such formulas express safety properties, meaning that every violating trace has a finite bad prefix that falsifies the formula [19]. The intrinsic motivation for this fragment is the observation that in many cases it is not enough to say that something “good” will eventually happen, we need to say by when it will happen [21]. For this strict subset of ltl, the synthesis problem can be reduced to a safety game, which is far easier to solve. In fact, for such a game the solution can be computed in linear time with respect to the game graph [1]. Some novel techniques for safety game solving have been developed in the context of the Annual Synthesis Competition (SyntComp) , but there the input consists of an AIGER model, while in this paper we are concerned with synthesis from Safety ltl formulas. See further discussion in the Concluding Remarks.

Our first contribution is a new solution to safety games by reducing to Horn satisfiability (Horn-SAT). There have been past works using SAT in the context of bounded synthesis [2], but our approach is novel in using a reduction to Horn-SAT, which can be solved in linear time [11]. Because, however, the Horn formula is proportional to the size of the state graph, in which the number of transitions is exponential in the number of input/output variables and the number of states can be in the worst case doubly exponential in the size of the Safety ltl formula, this approach becomes infeasible for larger instances. To avoid this problem, we pursue an alternative approach that uses a symbolic representation of the game graph via Binary Decision Diagrams (BDDs) [5].

Symbolic solutions to safety games have played an important part in ltl synthesis tools following the idea of Safraless synthesis [20], which avoids the high cost of determinization and the parity acceptance condition of classical ltl synthesis by instead employing a translation to universal co-Büchi automata. Unbeast [14], a symbolic BDD-based tool for bounded synthesis, decomposes the ltl specification into safety and non-safety parts, using an incremental bound to allow the non-safety part to also be encoded as a safety game. Another tool, Acacia+ [4], takes a bounded synthesis approach that allows the synthesis problem to be reduced to a safety game, then explores the structure of the resulting game to implement a symbolic antichain-based algorithm.

In the above approaches the safety game is constructed from a co-Büchi automaton of the ltl specification. Our insight in this paper is that, since every bad trace of a formula in the Safety ltl fragment has a finite prefix, we can construct from the negation of such a formula a deterministic finite automaton that accepts exactly the language corresponding to bad prefixes. This DFA can be seen as the dual of a safety automaton defining a safety game over the same state space. Using a DFA as the basis for our safety game allows us to leverage tools and techniques developed for symbolic construction, determinization and minimization of finite automata.

Our symbolic synthesis framework is inspired by a recent approach [29] for synthesis of ltl over finite traces. This problem can be seen as the dual of Safety ltl synthesis, and as such we can inter-reduce the realizability problem between the two by negating the result. Nevertheless, the strategy generation is irreducible since the two problems are solving the game for different players. Therefore, we modify the algorithm to produce a strategy for the safety game instead. The procedure consists of two phases. First we construct symbolically a safety automaton from the Safety ltl formula instead of direct construction. For that we present a translation from the negation of Safety ltl to first-order logic over finite traces, which allows us to symbolically construct the dual DFA of the safety automaton. Second, we solve the safety game by computing the set of winning states through a backwards symbolic fixpoint computation, and then applying a boolean-synthesis procedure [16] to symbolically construct a strategy.

In summary, our contribution in this paper is to introduce a fragment of ltl called Safety ltl and present two approaches for the synthesis problem for this fragment, an explicit one based on a reduction to Horn-SAT and a symbolic one exploiting techniques for symbolic DFA construction. Since Safety ltl is a fragment of general ltl, existing ltl synthesis tools can likewise be used to solve the Safety ltl synthesis problem. To demonstrate the benefits of developing specialized synthesis techniques, we perform an experimental comparison with Unbeast and Acacia+, both tools for general ltl synthesis. Our results show that the explicit approach is able to outperform these tools when the formula is small, while the symbolic approach has the best performance overall.

## 2 Preliminaries

### 2.1 Safety/Co-safety ltl

Linear Temporal Logic (ltl), first introduced in [23], extends propositional logic by introducing temporal operators. Given a set of propositions, the syntax of ltl formulas is defined as .

and represent true and false respectively. is an atom, and we define a literal to be an atom or the negation of an atom. (Next) and (Until) are temporal operators. We also introduce the dual operator of , namely (Release), defined as . Additionally, we define the abbreviations and . Standard boolean abbreviations, such as (or) and (implies) are also used. An ltl formula is Until-free/Release-free iff it does not contain the Until/Release operator. Moreover, we say is in Negation Normal Form (nnf), iff all negation operators in are pushed only in front of atoms.

A trace is a sequence of propositional interpretations (sets), in which () is the -th interpretation of , and represents the length of . Intuitively, is interpreted as the set of propositions which are at instant . Trace is an infinite trace if , which is formally denoted as . Otherwise is a finite trace, denoted as . ltl formulas are interpreted over infinite traces. Given an infinite trace and an ltl formula , we inductively define when is in at step (), written , as follows:

• and ;

• iff ;

• iff ;

• , iff and ;

• , iff ;

• , iff there exists such that , and for all , we have .

An ltl formula is in , denoted by , if and only if .

Informally speaking, a safe ltl formula rejects traces whose “badness” follows from a finite prefix. Dually, a co-safe ltl formula accepts traces whose “goodness” follows from a finite prefix. Thus, is a safe formula iff is a co-safe formula. To define the safe/co-safe formulas, we need to introduce the concept of bad/good prefix.

###### Definition 1 (Bad/Good Prefix [19]).

Consider a language L of infinite words over . A finite word x over is a bad/good prefix for L if and only if for all infinite words over , the concatenation of and isn’t/is in L.

Safe/co-safe ltl formulas are defined as follows.

###### Definition 2 (safe/co-safe [19]).

An ltl formula is safe/co-safe iff every word that violates/satisfies has a bad/good prefix.

We use to denote the set of bad prefixes for safe formula , equivalently, we denote by -, the set of good prefixes for , which is co-safe. Indeed, - [19].

###### Theorem 2.1.

An ltl formula is safe iff is co-safe, and each bad prefix for safe formula is a good prefix for .

Checking if a given ltl formula is safe/co-safe is PSPACE-complete [19]. We now introduce a fragment of ltl where safety/co-safety is a syntactical feature.

###### Theorem 2.2 ([26]).

If an ltl formula in nnf is Until-free/Release-free, then is safe/co-safe.

Motivated by this theorem, we define now the syntactic fragment of Safety/Co-Safety ltl.

###### Definition 3.

Safety/Co-Safety ltl formulas are in nnf and Until-free/Release-free, respectively.

Remark: To the best of our knowledge, it is an open question whether every safe ltl formula is equivalent to some Safety ltl formula. We conjecture that this is the case.

### 2.2 Boolean Synthesis

In this paper, we utilize the boolean synthesis technique proposed in [16].

###### Definition 4 (Boolean Synthesis [16]).

Given two disjoint atom sets of input and output variables, respectively, and a boolean formula over , the boolean-synthesis problem is to construct a function such that, for all , if there exists such that , then . We call the implementation function.

We treat boolean synthesis as a black box, applying it to the key operation of Safety ltl synthesis proposed in this paper. For more details on algorithms and techniques for boolean synthesis we refer to [16].

## 3 Safety ltl Synthesis

In this section we give the definition of Safety ltl synthesis. We then show how this problem can be modeled as a safety game played over a kind of deterministic automaton, called a safety automaton. In the following sections we describe approaches to construct this automaton from a Safety ltl formula and solve the game that it specifies.

###### Definition 5 (Safety ltl Synthesis).

Let be an ltl formula over an alphabet and be two disjoint atom sets such that . is the set of input (environment) variables and is the set of output (controller) variables. is realizable with respect to if there exists a strategy , such that for an arbitrary infinite sequence , is true in the infinite trace . The synthesis procedure is to compute such a strategy if is realizable.

There are two versions of the Safety ltl synthesis, depending on the first player. Here we consider that the environment moves first, but the version where the controller moves first can be obtained by a small modification.

The Safety ltl synthesis is a subset of ltl synthesis by restricting the property to be a Safety ltl formula. Therefore, we can use general ltl-synthesis methods to solve the Safety ltl synthesis problem. Classical approaches to ltl synthesis problems involve two steps: 1) Convert the ltl formula to a deterministic automaton; 2) Reduce ltl synthesis to an infinite game over the automaton. We now present the automata corresponding to the class of Safety ltl formulas.

###### Definition 6 (Deterministic Safety Automata).

A deterministic safety automaton (DSA) is a tuple , where is the alphabet, is a finite set of states with as the initial state, and is a partial transition function. Given an infinite trace , a run of on is a sequence of states such that . is accepted by if has an infinite run of .

Note that in the definition, is a partial function, meaning that given and , can either return a state or be undefined. Thus, an infinite run of on may not exist due to the possibility of being undefined for some . A DSA is essentially a deterministic Büchi automaton (DBA) [6] with a partial transition function and a set of accepting states .

Deterministic safety games are games between two players, the environment and the controller, played over a DSA. We have two disjoint sets of variables and . contains uncontrollable variables, which are under the control of the environment. contains controllable variables, which are under the control of the controller. A round consists of both the controller and the environment setting the value of the variables they control. A play of the game is a word that describes how the environment and the controller set values to the variables during each round. A run of the game is the corresponding sequence of states through the play. The specification of the game is given by a deterministic safety automaton .

A winning play for the controller is an infinite sequence accepted by . A strategy for the controller is a function such that given a history of the setting of the environmental variables, determines how the controller set the controllable variables in . A strategy is a winning strategy if starting from the initial state , for every possible sequence of assignments of the variables in , it leads to an infinite run. Checking the existence of such a winning strategy counts for the realizability problem.

Safety games can be seen as duals of reachability games, where reachability games are won by reaching a set of winning states, while safety games are won by avoiding a set of losing states. Safety games however cannot be reduced to reachability games. The realizability problem of safety game can indeed be reduced to that of reachability game since the two are dual and the underlying game is determined, but this does not work for strategy generation. Safety game does not generate a winning strategy for the environment if it is unrealizable. It is known that reachability games can be solved in linear time in the size of the game graph [1]. One of the ways to do this is by a reduction to Horn Satisfiability, which can be solved in linear time [11]. In the next section we present such a reduction.

## 4 Explicit Approach to Safety Synthesis

We now show how to solve safety games by reducing to Horn satisfiability (Horn-SAT), a variant of SAT where every clause has at most one positive literal. Horn-SAT is known to be solvable in linear time using constraint propagation, cf. [11]. Modern SAT solvers use specialized data structures for performing very fast constraint propagation [22].

From a DSA defining a safety game, we construct a Horn formula such that the game is winning for the system if and only if is satisfiable. Then, from a satisfying assignment of we can extract a winning strategy. We now describe the construction of the Horn formula. There are three kinds of Boolean variables in : (1) state variables: for each state ; (2) state-input variables: for each state and ; (3) state-input-output variables: for each state , , and .

We first construct a non-Horn boolean formula , then we show how to obtain a Horn formula from . The intuition of the construction is that first, must be a winning state. Then, for every winning state, for all inputs there should exist an output such that the corresponding successor is a winning state.

Let represent the number of possible output assignments: , . is a conjunction of with the following constraints for each state : (1) , for each ; (2) , for each ; (3) , for each , , if is well defined ; and (4) , for each , , if is undefined.

###### Theorem 4.1.

The formula is satisfiable with assignment iff the safety game over is realizable and encodes a winning strategy.

###### Proof.

If is satisfiable with assignment , there is a set of states, where for each state , it is the case that is true in . Then, by clauses of type (1), given a state , for all inputs , it is the case that is also true in . Furthermore, by clause of type (2), there must be some output such that is true in . Since is true, there cannot be a clause of type (4), and therefore it is the case that is well defined and, by clause of type (3), is also true in . This means that we have a wining strategy such that all states in , including , are winning. In response to input , the system outputs such that is true in , and this ensures that the successor state is also in .

If the safety game over is realizable, then there is a winning strategy and a set , containing , of winning states such that for each state and input , the output is such that . Then the truth assignment that makes true iff , and makes and true for all and is a satisfying assignment of . ∎

We now transform the formula to an equi-satisfiable formula that is a Horn formula (in which every clause contains at most one positive literal). We replace each variable , , and in by its negative literal , , and , respectively. We can then rewrite each constraint as . Similarly, we can rewrite as the equivalent constraint . is equivalent to with the polarity of the literals flipped, therefore we have that is equi-satisfiable to . Given a satisfying assignment for , we obtain a satisfying assignment for by, for every variable , assigning to be true in iff is assigned false in .

Since is a Horn formula, we can obtain a winning strategy in linear time. Note, however, that is constructed from an explicit representation of the DSA , as a state graph with one transition per assignment of the input and output variables. The challenge for this approach is the blow-up in the size of the state graph with respect to the input temporal formula. To address this challenge we need to be able to express the state graph more succinctly.

Therefore, we present an alternative approach for solving safety games using a symbolic representation of the state graph. Although the algorithm is no longer linear, not having to use an explicit representation of the game makes up for that fact. In order to construct this symbolic representation efficiently, we exploit the fact that safety games are dual to reachability games played over a DFA, allowing us to use techniques for symbolic construction of DFAs. This construction is described in the next section.

## 5 Symbolic Approach to Safety Synthesis

In order to perform Safety-ltl synthesis symbolically, the first step is to construct a symbolic representation of the DSA from the Safety-ltl formula. The following section explains how we can achieve this. The key insight that we use is that a symbolic representation of the DSA can be derived from the symbolic representation of the DFA encoding the set of bad prefixes of the Safety-ltl formula, allowing us to exploit techniques for symbolic DFA construction. After this, we describe how we can, from this representation, symbolically compute the set of winning states of the safety game, and then extract from them a winning strategy using boolean synthesis.

### 5.1 From Safety ltl to Deterministic Safety Automata

In this section, we propose a conversion from Safety ltl to DSA. The standard approach to constructing deterministic automata for ltl formulas is to first convert an ltl formula to a nondeterministic Büchi automaton using tools such as SPOT [12], LTL2BA [17], and then apply a determinization construction, e.g., Safra’s construction [25]. The conversion from ltl to deterministic automata, however, is intractable in practice, not only because of the doubly-exponential complexity, but also the non-trivial construction of both Safra [25] and Safraless [20] approaches. Therefore, ltl synthesis is able to benefit from a better automata construction technique. One of the contribution in this paper is proving such a technique which efficiently constructs the corresponding safety automata of Safety ltl formulas. The novelty here is a much simpler conversion, thus yielding a more efficient synthesis procedure.

Since every trace rejected by a DSA can be rejected in a finite number of steps, we can alternatively define the language accepted by by the finite prefixes that it rejects. This allows us to work in the domain of finite words, which can be recognized much more easily, using deterministic finite automata. Therefore, a DSA can be seen as the dual of a DFA over the same state space. Given a DFA , the corresponding DSA can be generated by following steps: 1) ; 2) For , if , then , otherwise is undefined.

###### Theorem 5.1 ([19]).

Given a Safety ltl formula , there is a DFA which accepts exactly the finite traces that are bad prefixes for .

Given a Safety ltl formula and the corresponding DFA , we can construct the DSA . The correctness of such construction is guaranteed by the following theorem.

###### Theorem 5.2.

For a Safety ltl formula , the DSA , which is dual to , accepts exactly the traces that satisfy .

###### Proof.

For an infinite trace , implies that an arbitrary prefix of is not a bad prefix for , so cannot be accepted by . Therefore, starting from the initial state , always returns some successor , so the corresponding transition is also in . The run of on is indeed infinite. As a result, implies that can be accepted by .

On the other hand, an infinite trace being accepted by implies that the run of on is infinite. Therefore, starting from the initial state , partial function can always return some successor , for which . There is a corresponding transition in for each transition in , then an arbitrary prefix of is indeed can not be accepted by , such that is not a bad prefix. As a result, can be accepted by implies that . ∎

Based on Theorem 5.2, the construction of the DSA relies on the construction of the DFA for the Safety formula . Therefore, we can leverage the techniques and tools developed for DFA construction. Although it still cannot avoid the doubly-exponential complexity, DFA construction is much simpler than that of -automata (e.g. parity [25], or co-Büchi [20]). Consider a Safety ltl formula . From Theorem 2.1 and 5.1, we know that , which is co-safe, can be interpreted over finite words. Thus, we can construct the DFA from .
DFA construction Summarily, the DFA construction is processed as follows: Given a Safety ltl formula , we first negate it to obtain a Co-Safety ltl formula . Taking the translation described below, which restricts the interpretation of over finite linear ordered traces, we can obtain a first-order logic formula . The DFA for such is obviously able to accept exactly the set of bad prefixes for (or say, good prefixes for ).

Consider an infinite trace that satisfies the Co-Safety ltl formula in nnf, where the finite prefix of is a good prefix for . The corresponding FOL interpretation of is defined as follows: , where . For each , its interpretation . Intuitively, is interpreted as the set of positions where is true in . Then we can generate a corresponding FOL formula that opens in by a function from the Co-Safety ltl formula and a variable where , which is defined as follows:

• and

In the above, the notation succ denotes that is the successor of . The following theorem guarantees a finite trace is a good prefix of the Co-Safety ltl formula iff the corresponding interpretation of models .

###### Theorem 5.3.

Given a Co-Safety ltl formula , a finite trace and the corresponding interpretation of , is a good prefix for iff .

###### Proof.

We prove the theorem by the induction over the structure of .

• Basically, if is an atom, is a good prefix for iff . By the definition of , we have that . As a result, is a good prefix for iff . Moreover, if where is an atom, is a good prefix for iff , and iff , finally iff holds;

• If , is a good prefix for implies is a good prefix for both and . By induction hypothesis, it is true that and . So , i.e. holds. On the other hand, since , and are true. By induction hypothesis, we have that is a good prefix for both and . Thus is a good prefix for ;

• If , is a good prefix for iff is a good prefix for either or . Without loss of generality, we assume that is a good prefix for . By induction hypothesis, holds, thus is true. The other direction can be proved analogously.

• If , is a good prefix for iff suffix of is a good prefix for . Let be the corresponding interpretation of , thus every atom satisfies iff . By induction hypothesis, holds, thus is true. Therefore, holds.

• If , is a good prefix for iff there exists such that suffix of is a good prefix for . And for all , is a good prefix for . Let and be the corresponding interpretations of and . Thus every atom satisfies that iff , iff . By induction hypothesis, and holds. Thus and hold. Therefore, .

MONA [18] is a tool that translates Weak Second-order Theory of One or Two successors (WS1S/WS2S) [10] formula to minimal DFA, represented symbolically. WS1S subsumes the First-Order Logic (FOL) over finite traces, which allows us to adopt MONA to construct the DFA for Safety formula . Taking the assumption that the DFA generated by MONA accepts exactly the same traces that satisfy , which corresponds to Co-Safety ltl formula , by Theorem 5.3 we can conclude that the DFA returned by MONA is that accepts exactly the bad prefixes for the Safety ltl formula .

###### Theorem 5.4.

Let be a Safety ltl formula and be the DFA constructed by MONA taking as input. Finite trace is a bad prefix for iff is accepted by .

Deleting all transitions toward the accepting states in and removing the accepting states of derives the safety automaton . To solve the Safety ltl synthesis problem, we reduce the problem to a deterministic safety game over this automaton. We first present the standard formulation and algorithm for solving such a game. Then, since MONA constructs the DFA symbolically, we present a symbolic version of this algorithm.

### 5.2 Solving Safety Games Symbolically

Computing a winning strategy of the safety game over DSA solves the synthesis problem. We base our symbolic approach on the algorithm from [9] for DFA (reachability) games, which are the duals of safety games. In this section, we first describe the general algorithm, which computes the set of winning states as a fixpoint. We then show how to perform this computation symbolically using the symbolic representation of the state graph constructed by MONA. Finally, we describe how we can use boolean synthesis to extract a winning strategy from the symbolic representation of the set of winning states.

Consider a set of states . The pre-image of is a set . That is, is the set of states from which, regardless of the action of the environment, the controller can force the game into a state in . If the controller moves first, we swap the order of and to compute the pre-image.

We define as the greatest-fixpoint of , which denotes the set of states in which the controller can remain within steps. This means that is the set of states in which the controller can remain indefinitely, that is, the set of winning states. The safety game is solved by computing the fixpoint as follows:

 Win0(As)=S (1) Wini+1(As)=Wini(As)∩Pre(Wini(As)) (2)

That is, we start with the set of all states and at each iteration remove those states from which the controller cannot force the game to remain in the current set.

For realizability checking, if , then the game is realizable, otherwise the game is unrealizable. We also consider an early-terminationheuristic to speed up the realizability checking: after each computation of , if , then return unrealizable. To generate the strategy, we define a deterministic finite transducer based on the set , where: is the set of winning states; is the transition function such that and ; is the output function, where such that . Note that there are many possible choices for the output function . The transducer defines a winning strategy by restricting to return only one possible setting of .

Following the construction in Section 5.1, MONA produces a symbolic representation of the DFA which accepts all bad prefixes of the Safety ltl formula . Therefore, in this section we show how to derive a DSA and solve the corresponding safety game from this representation. Following [29], we define a symbolic DFA as , where: is a set of input variables; is a set of output variables; is a set of state variables; is the assignment to the state propositions corresponding to the initial state; is a boolean function mapping assignments , and of the variables of , and to a new assignment of the variables of ; is a boolean formula over the propositions in , such that is satisfied by an interpretation iff corresponds to an accepting state.

Given , the corresponding safety automaton that avoids all bad prefixes accepted by is defined by: and are the same as in the definition of ; ; ; is the partial function such that if , and is undefined otherwise.

###### Lemma 1.

If is a symbolic DFA that accepts exactly the bad prefixes of a Safety ltl formula , then is a deterministic safety automaton for .

This correspondence allows us to use the symbolic representation of to compute the solution of the safety game defined by . To compute the set of winning states, we represent the set by a boolean formula in terms of the state variables , such that an assignment satisfies if and only if the state represented by is in . We define and , which correspond respectively to (1) and (2) above. The fixpoint computation terminates once , at which point we define , representing . We can then test for realizability by checking if the assignment representing the initial state satisfies .

###### Theorem 5.5.

The safety game defined by is realizable if and only if .

If , then we wish to construct a transducer representing a winning strategy. We define , and if and undefined otherwise. To construct , we can use a boolean-synthesis procedure. Recall that the input to this procedure is a boolean formula , a set of input variables and a set of output variables . In our case, , and . The result of the synthesis is a boolean function . Then, from the definition of boolean synthesis it follows that if the output is chosen by the game remains in the set of winning states. That is, if satisfies , then for all , also satisfies .

## 6 Experimental Evaluation

### 6.1 Implementation

#### 6.1.1 Explicit Approach

The main algorithm for the explicit approach consists of three steps: DSA construction, Horn formula generation and SAT solving for synthesis. We adopted SPOT [12] as the DSA constructor since the output automata should be deterministic. Generating the Horn formula follows the rules described in Section 4. Furthermore, here we used Minisat-2.2 [13] for SAT solving. Decoding the variables that are assigned with the truth in the assignment returned by Minisat-2.2 [13] is able to generate the strategy if the Safety ltl formula is realizable with respect to .

#### 6.1.2 Symbolic Encoding

We implemented the symbolic framework for Safety ltl synthesis in the SSyft tool, which is written in C++ and utilizes the BDD library CUDD-3.0.0 [28]. The entire framework consists of two steps: the DSA construction and the safety game over the DSA. In the first step, the dual of the DSA, a DFA is constructed via MONA [18] and represented as a Shared Multi-terminal BDD (ShMTBDD) [5, 18]. From this ShMTBDD, we construct a representation of the transition relation by a sequence of BDDs. Each , when evaluated over an assignment of , outputs an assignment to a state variable . The boolean formula representing the accepting states of the DFA is likewise encoded as a BDD .

To perform the fixpoint computation, we construct a sequence of BDDs, where is the BDD representation of the formula . is constructed from by substituting each state variable with the corresponding BDD , which can be achieved by the Compose operation in CUDD. Moreover, CUDD provides the operations UnivAbstract and ExistAbstract for universal and existential quantifier elimination respectively. The fixpoint computation benefits from the canonicity of BDDs by checking the equivalence of and . To check realizability we use the Eval operation. Since in our construction the state variables appear at the top of the BDDs, we use the Input-First boolean-synthesis procedure introduced in [16] to synthesize the winning strategy if the game is realizable.

### 6.2 Experimental Methodology

To show the efficiency of the methods proposed in this paper, we compare our tool SSyft based on the symbolic framework and the explicit approach, named as Horn_SAT, with extant ltl synthesis tools Unbeast [14] and Acacia+ [4]. Both of the ltl synthesis tools can use either SPOT [12] or LTL2BA [17] for the automata construction. From our preliminary evaluation, both Unbeast and Acacia+ perform better when they construct automata using LTL2BA. As a result, LTL2BA is the default ltl-to-automata translator of Unbeast and Acacia+ in our experiments. All tests are ran on a platform whose operating system is 64-bit Ubuntu 16.04, with a 2.4 GHz CPU (Intel Core i7) and 8 GB of memory. The timeout was set to be 60 seconds (s).

Input Formulas Our benchmark formulas are collected from [14], called LoadBalancer. Since not all cases are safe, here we propose a class of Expansion Formulas for safety-property generation. Consider an ltl formula in nnf. We use a transformation function that given and a parameter , which represents the expansion length, returns a Safety ltl formula. The function works in the following way: (1) For each subformula of the form , expand to for times; (2) Substitute the remaining with . Note that Safety formulas are Until-free in nnf, thus for ltl formulas in nnf, it is not necessary to deal with the Release operator. The intuition of the expansion is to bound the satisfied length of by adding the Next operator. The parameter scales to 5 in our test, for each length there are 79 instances. And 395 cases in total.

Correctness The correctness of our implementation was evaluated by comparing the results from our approaches with those from Acacia+ and Unbeast. For the solved cases, we never encountered an inconsistency.

### 6.3 Results

We evaluated the performance of SSyft and Horn_SAT in terms of the number of solved cases and the running time. Our experiments demonstrate that the symbolic approach we introduced here significantly improves the effectiveness of Safety ltl synthesis. The safety game has two versions, depending on which player (environment or controller) moves first. Both our tool SSyft and Acacia+ are able to handle these two kinds of games, while Unbeast supports only games with the environment moving first. As a result, we only consider the comparison on the environment-moving-first game. We aim to compare the results on two aspects: 1) the scalability on the expansion length; 2) the number of solved cases in the given time limit.

Fig. 2 shows the number of solved cases for each expansion length (1-5)222We recommend viewing the figures online for better readability.. As shown in the figure, SSyft solves approximately twice as many cases as the other three tools. The advantage of SSyft diminishes as the expansion length grows, because MONA cannot generate the automata for such cases. Neither of Acacia+ and Unbeast can solve these cases even in a small expansion length. Horn_SAT performs similarly as SSyft when , which derives smaller DSA. The performance of Horn_SAT decreases sharply as the size of the DSA grows, since formula generation dominates the synthesis time. In total, SSyft solves a total of 339 cases, while Acacia+, Unbeast and Horn_SAT solve 182, 132 and 159 cases, respectively.

The scatter plot for the total time comparison is shown in Fig. 2, where plots the data for SSyft against Acacia+, plots the data for SSyft against Unbeast and is for Horn_SAT. Clearly, SSyft outperforms the other three tools. The results shown in Fig. 2 confirm the claim that the symbolic approach is much more efficient than Acacia+ and Unbeast. In some cases, Horn_SAT performs better than SSyft, nevertheless in general SSyft has a significant advantage. Thus, the evidence here indicates that both the symbolic approach and the explicit method introduced in this paper contribute to the improvement of the overall performance of Safety ltl synthesis.

## 7 Concluding Remarks

We presented here a simple but efficient approach to Safety ltl synthesis based on the observation that a minimal DFA can be constructed for Co-Safety ltl formula. Furthermore, a deterministic safety automaton (DSA) can be generated from the DFA, and a symbolic safety game can be solved over the DSA. A comparison with the reduction to Horn-SAT confirms better scalability of the symbolic approach. Further experiments show that the new approach outperforms existing solutions for general ltl synthesis. Both the DSA construction and the symbolic safety game solution contribute to the improvement. It will be interesting to apply our approach to the safety-first method [27] for ltl synthesis.

It should be noted, however, that symbolic DSA construction cannot avoid the worst case doubly exponential complexity: it can only make the synthesis simpler and more efficient in practice. Our experiments show that the bottleneck is manifested when the input Safety ltl formula gets larger, and DSA construction becomes unachievable within the reasonable time. A promising solution may be to develop an on-the-fly method to perform the DSA construction and solve the safety game at the same time. We leave this to our future work.

Beyond general ltl-synthesis approaches, another relevant work is on GR(1) synthesis [3]. Although GR(1) synthesis aims to handle a fragment of general ltl as well, it is not comparable to Safety ltl, since GR(1) does not allow arbitrary nesting of the Release (R) and Next (X) operators. For that reason, our experiments do not cover the comparison between our approach and GR(1) synthesis. Another work related is synthesis of the GXW fragment [8]. In this fragment, input formulas are conjuction of certain pattern formulas expressed using the temporal connectives , , and . Because of the limitation to six specific patterns, this fragment is quite less general that the Safety ltl fragment studied here.

Our work is also related to the safety-synthesis track of the Annual Synthesis Competition (SyntComp). While the Safety-ltl-synthesis problem can, in principle, be reduced to safety synthesis, the reduction is quite nontrivial. Safety-synthesis tools from SyntComp take AIGER models as input, while our approach takes Safety ltl formulas as input. A symbolic DSA can be encoded as an AIGER model by adding additional variables to encode intermediate BDD nodes. As we saw, however, the construction of symbolic DSAs is a very demanding part of Safety ltl synthesis, with a worst-case doubly exponential complexity, so the usefulness of such a reduction is questionable.

We have shown here a new symbolic approach to Safety ltl synthesis, in which a more efficient automata-construction technique is utilized. Experiments show that our new approach outperforms existing solutions to general ltl synthesis, as well as a new reduction of safety games to Horn_SAT.

Acknowledgments. Work supported in part by NSF grants CCF-1319459 and IIS-1527668, NSF Expeditions in Computing project “ExCAPE: Expeditions in Computer Augmented Program Engineering”, NSFC Projects No. 61572197 and No. 61632005, MOST NKTSP Project 2015BAG19B02, and by the Brazilian agency CNPq through the Ciência Sem Fronteiras program.

## References

• [1] de Alfaro, L., Henzinger, T.A., Kupferman, O.: Concurrent Reachability Games. In: FOCS. pp. 564–575 (1998)
• [2] Bloem, R., Könighofer, R., Seidl, M.: SAT-based Synthesis Methods for Safety Specs. In: VMCAI. pp. 1–20 (2014)
• [3] Bloem, R., Jobstmann, B., Piterman, N., Pnueli, A., Sa’ar, Y.: Synthesis of Reactive(1) designs. J. Comput. Syst. Sci. 78(3), 911–938 (2012)
• [4] Bohy, A., Bruyère, V., Filiot, E., Jin, N., Raskin, J.: Acacia+, a Tool for LTL Synthesis. In: CAV. pp. 652–657 (2012)
• [5] Bryant, R.E.: Symbolic Boolean Manipulation with Ordered Binary-Decision Diagrams. ACM Comput. Surv. 24(3), 293–318 (1992)
• [6] Buc̈hi, J.R.: Weak Second-Order Arithmetic and Finite Automata. Z.Math. Logik Grundl. Math. 6, 66–92 (1960)
• [7] Calude, C.S., Jain, S., Khoussainov, B., Li, W., Stephan, F.: Deciding Parity Games in Quasipolynomial Time. In: STOC. pp. 252–263 (2017)
• [8] Cheng, C., Hamza, Y., Ruess, H.: Structural Synthesis for GXW Specifications. In: CAV. pp. 95–117 (2016)
• [9] De Giacomo, G., Vardi, M.Y.: Synthesis for LTL and LDL on Finite Traces. In: IJCAI. pp. 1558–1564 (2015)
• [10] Doner, J.: Tree Acceptors and Some of Their Applications. J. Comput. Syst. Sci. 4(5), 406–451 (1970)
• [11] Dowling, W.F., Gallier, J.H.: Linear-Time Algorithms for Testing the Satisfiability of Propositional Horn Formulae. J. Log. Program. 1(3), 267–284 (1984)
• [12] Duret-Lutz, A., Lewkowicz, A., Fauchille, A., Michaud, T., Renault, E., Xu, L.: Spot 2.0-A Framework for LTL and -Automata Manipulation. In: ATVA. pp. 122–129 (2016)
• [13] Eén, N., Mishchenko, A., Amla, N.: A Single-Instance Incremental SAT Formulation of Proof- and Counterexample-Based Abstraction (2010)
• [14] Ehlers, R.: Symbolic Bounded Synthesis. In: CAV. pp. 365–379 (2010)
• [15] Fogarty, S., Kupferman, O., Vardi, M.Y., Wilke, T.: Profile Trees for Büchi Word Automata, with Application to Determinization. In: GandALF. pp. 107–121 (2013)
• [16] Fried, D., Tabajara, L.M., Vardi, M.Y.: BDD-Based Boolean Functional Synthesis. In: CAV, Part II. pp. 402–421 (2016)
• [17] Gastin, P., Oddoux, D.: Fast LTL to Büchi Automata Translation. In: CAV. pp. 53–65 (2001)
• [18] Henriksen, J., Jensen, J., Jørgensen, M., Klarlund, N., Paige, B., Rauhe, T., Sandholm, A.: Mona: Monadic Second-Order Logic in Practice. In: TACAS. pp. 89–110 (1995)
• [19] Kupferman, O., Vardi, M.Y.: Model Checking of Safety Properties. Formal Methods in System Design 19(3), 291–314 (2001)
• [20] Kupferman, O., Vardi, M.Y.: Safraless Decision Procedures. In: FOCS. pp. 531–542 (2005)
• [21] Lamport, L.: What good is temporal logic? In: IFIP Congress. pp. 657–668 (1983)
• [22] Malik, S., Zhang, L.: Boolean Satisfiability from Theoretical Hardness to Practical Success. Commun. ACM 52(8), 76–82 (2009)
• [23] Pnueli, A.: The Temporal Logic of Programs. In: FOCS. pp. 46–57 (1977)
• [24] Pnueli, A., Rosner, R.: On the Synthesis of a Reactive Module. In: POPL. pp. 179–190 (1989)
• [25] Safra, S.: On the Complexity of omega-Automata. In: FOCS. pp. 319–327 (1988)
• [26] Sistla, A.P.: Safety, Liveness and Fairness in Temporal Logic. Formal Asp. Comput. 6(5), 495–512 (1994)
• [27] Sohail, S., Somenzi, F.: Safety First: A Two-Stage Algorithm for LTL Games. In: FMCAD. pp. 77–84 (2009)
• [28] Somenzi, F.: CUDD: CU Decision Diagram Package 3.0.0. Universiy of Colorado at Boulder (2016)
• [29] Zhu, S., Tabajara, L.M., Li, J., Pu, G., Vardi, M.Y.: Symbolic LTL Synthesis. In: IJCAI. pp. 1362–1369 (2017)
• [30] Zohar, Z.M., Waldinger, R.: Toward Automatic Program Synthesis. Commun. ACM 14(3), 151–165 (1971)

## Appendix 0.A Appendix

We also compare the approaches in terms of the impact of the result of the formula (realizable/unrealizable). As shown in Figure 3 and Figure 4, we separate the realizable and unrealizable results to explore how our new approaches perform on each category. The results show that SSyft takes an obvious advantage on solving unrealizable cases. This happens because SSyft benefits from the early-termination realizability-checking heuristic; that is, the checking of whether the initial state is in is invoked after each iteration of computing the set of winning states, i.e. . Note that is in initially, since is assumed to be a winning state. If is not in for some , is no longer a winning state such that the realizability checking indeed returns unrealizable. The explicit approach, Horn_SAT, performs similarly as Acacia+ on realizable cases, while on unrealizable cases, Acacia+ has advantageous on Horn_SAT. In general, Horn_SAT performs better than Unbeast, although Unbeast has clear advantage on realizable cases.