Coverability: Realizability Lower Bounds

04/10/2018 ∙ by Krishnendu Chatterjee, et al. ∙ 0

We introduce the problem of temporal coverability for realizability and synthesis. Namely, given a language of words that must be covered by a produced system, how to automatically produce such a system. We consider the case of coverability with no further specifications, where we have to show that the nondeterminism of the produced system is sufficient to produce all the words required in the output language. We show a counting argument on a deterministic automaton representing the language to be covered that allows to produce such a system. We then turn to the case of coverability with additional specification and give a precondition for the existence of a system that produces all required words and at the same time produces only computations satisfying the additional correctness criterion. We combine our counting argument on the deterministic automaton for the language to be covered with a ranking on the deterministic Büchi automaton for the correctness criterion. One of the major issues with practical realizability is the interaction between environment assumptions and system guarantees. In many cases, synthesis produces systems that are vacuous and concentrate on forcing the environment to falsify its assumptions instead of fulfilling their guarantees. Coverability offers an alternative approach to tackle this problem.

READ FULL TEXT VIEW PDF
POST COMMENT

Comments

There are no comments yet.

Authors

page 1

page 2

page 3

page 4

This week in AI

Get the week's most popular data science and artificial intelligence research sent straight to your inbox every Saturday.

1 Introduction

Model-checking and realizability problem. The standard model-checking problem given a system and specification , that describes the set of allowed behaviors, asks whether the system satisfies the specification, i.e., the system has only allowed behaviors. In the linear-time approach, both and are considered as sets of computations and the model-checking problem translates into a language-inclusion problem . That is, does the language of contain all behaviors of . This is equivalent to checking whether , where is the set of computations not satisfying the specification. In case the specification is given as a deterministic automaton, its complement is easy to compute and we can use . If is given as a temporal-logic formula , then we construct directly an automaton for its complement [VW94]. Ultimately, model-checking is reduced to an emptiness problem of an automaton.

In the case of synthesis and realizability the system is expected to reply to every input of the environment by an output. The question is whether the system can do this in an online fashion (seeing one input at a time) in a way that satisfies the specification. That is, if is the set of inputs and the set of outputs, find a mapping from to such that the interactions resulting from interleaving an input with the mapped output satisfy the specification [PR89]. The solution calls for the construction of a two-player game modelling this interaction. If the specification is given by a deterministic automaton, we can construct from it a perfect-information turn-based two-player game such that the system (existential) player can realize some winning condition iff such a mapping exists. Choices of the system player correspond to possible outputs of the system and choice of the environment player correspond to checking all possible inputs. As the specification needs to be checked in multiple directions, deterministic (or universal, c.f., [KV05]) automata are required for the specification.

Temporal coverability. Model checking covers only some of the aspects of correctness (and analysis) of reactive systems. One such alternative issue is that of coverage. That is, both with respect to simulations and formal verification whether the tests and specifications that are written sufficient. In the case of simulation, various metrics are employed to consider whether the testing done so far exercised enough of the system. For example, one could check what parts of the code of the system was exercised or circuit covered (for hardware) (c.f., the survey [TK01]). This is similar to symbolic execution of software, an approach that is used extensively for checking security of system code [BGM13, QYPK15].

These approaches use structural properties of the system to guide testing. Alternative approaches call for trying to find types of behaviors based on semantics. For example, one can define a finite-state machine as a representation of some important features of the system and check what parts of the finite-state machine are exercised by tests (c.f., the reviews [TK01, HBB09]).

Formally stating a generalization of this approach would call for checking whether each behavior of a deterministic automaton describing the specification is present in the language of the system. That is, consider the dual problem of checking whether . Starting from a temporal logic formula temporal coverability would call for testing whether each behavior allowed by a temporal logic formula is also allowed by a system. Viewing the system and the specification, again, as automata, this would call for solving the inverse language containment problem . This time, as the system is nondeterministic (due to, e.g., inputs) an algorithmic solution would call for its complementation, which would clearly be intractable.

The classical approach of synthesis from linear temporal logic specifications only checks that all behaviors of the controlled system satisfy the specification. We rely on the ability of the environment to produce all inputs to ensure that the controlled system still has enough behaviors. We are not familiar with approaches that check whether the synthesized system includes a minimal set of behaviors.

Motivating example 1. The authors of [KPS13] applied synthesis to find a program that mimics certain aspects of a biological system. This program was then used to further study the biological system and suggest further experimental studies that could shed further light on the behavior of this system (c.f., [FPHH07, FHH11]). Specification of the system was derived from biological experiments, which included behaviors seen on the real live system. One aspect of the synthesis problem was to require that only experimentally observed behaviors of the system be seen in the synthesized system. However, in certain cases, the experimentally observed behavior included several options for the “same inputs”. Thus, the synthesis question was generalized to also check that the produced system includes a minimum of required behaviors. In this case, the authors of [KPS13] concentrated on behaviors of bounded length. The normal (bounded length) synthesis includes two quantifiers: there exists an implementation such that all its executions are correct. Here, in order to include the required behavior an additional quantifier was needed: there exists an implementation such that all its executions are correct and for every required behavior there exists a matching computation. We aim to generalize this approach beyond the case of a finite number of executions of bounded length.

Model-checking vs temporal coverability. As mentioned, the problems of model checking and temporal coverability are dual. The first, given system and specification calls for checking . The second, calls for checking . As mentioned, while the specification can be deterministic (or easily complementable through temporal logic) the system is inevitably nondeterministic. Thus, the model-checking problem is polynomial in the size of the system. However, the temporal coverability problem would be PSPACE-complete in the size of the system. This is likely to be impractical, however, the algorithmic framework within which this problem can be tackled is clear. The clarity of this algorithmic framework allows to approximate temporal coverability using testing approaches as mentioned above.

Realizability vs temporal coverability synthesis. When we come to extend this approach to realizability and synthesis the complexity lies elsewhere. As mentioned, for every input the system has to supply an output. If there is no restriction on the way that outputs can follow inputs the system is in some sense universal – it can produce all computations in . The problem, however, becomes in producing a set of required behaviors simultaneously. That is, is the branching of the inputs sufficient to allow writing all required outputs?

The framework of games, which is the framework providing the solution to realizability and synthesis, is no longer appropriate. We could try to seek inspiration from the game-theoretic solution to the language containment problem [WDHR06, RCDH07]. Namely, given a deterministic automaton and a nondeterministic automaton we can use a partial-information game to show that . The player trying to refute the containment would choose the input word and the player trying to prove/verify the containment would choose the run of on this word. However, if the player choosing the input word knows the nondeterministic choices of the run they could cheat. Essentially, changing their mind while choosing the sequence of letters of the input word based on the nondeterministic choices made by the verifier. If the input producing refuter is blind to the nondeterministic choices made by the verifier then she cannot cheat.

This framework is, intuitively, appropriate as the system can react with every possible output to every possible input leading to nondeterminism. However, it would have to coordinate its nondeterministic choices to produce all possible behaviors. This would suggest to have an existential player choosing the mapping from inputs to outputs, another universal player choosing the input, and a third existential player choosing the word to be covered. As before, the player choosing the strategy needs to be ignorant of the actual word to be covered. Otherwise, they would be able to direct their sequence of choices to handle that specific word. In the context of full-information games the existential quantification nested within the universal quantification can be reversed resulting in just two players. However, in the context of partial-information the order of quantification cannot be reversed. This implies that we would need the context of partial-information multi-player games. Unfortunately, reasoning about partial-information multi-player games is either, in some restricted cases [KV00], of very high complexity or, in general, undecidable [PR79] (c.f., [MW03, FS05]). Hence, the framework of games does not seem to offer a solution to temporal coverability.

Our results. We consider the problem of temporal coverability for synthesis when the temporal property to cover is given by a deterministic finite automaton. That is, find a system of branching such that the output language of contains a specification language . The space of options of , by definition, includes all possible sequence of outputs. So the question of whether every word in can be produced by trivially holds. The complexity, intuitively, arises from the need to coordinate between very different input sequences that would need to produce related outputs in order to ensure that all possible output sequences are produced. We show that a coverability weight on the structure of the automaton allows us to coordinate different parts of the tree in this way.

We then turn to the problem of realizability solving both coverability and adherence to specification. That is, there is an additional correctness specification and we have to find a system of branching such that the output language of contains and at the same time the input-output interactions of are contained in . We consider the case where is a deterministic finite automaton as before and is a deterministic Büchi automaton. Clearly, if the task is impossible. As is given as a deterministic automaton the check whether is simple. We extend our weighting argument and combine it with a ranking function that ensures that the correctness specification is ensured as well. In the case of coverability with correctness, we give a precondition that ensures that coverability with correctness is possible.

Motivating example 2. In synthesis it is very natural to partition the specification to assumptions about the behavior of the environment and guarantees of the system. This leads to a specification of the form . However, sometimes, the system has the ability to force the environment to falsify and void the requirement to fulfil . This problem led to much research in the commuity studying synthesis suggesting various approachs to solve it. For example, in [KP10] the authors study in what cases specifications cannot lead to such situations. In [EKB15] the authors suggest how to ensure that the system cooperates with the environment. See also, [BEJK14] for a survey of different approaches to solve this problem. Coverability offers an alternative and very different approach to try and solve this problem. Consider the case of input alphabet and output alphabet . Suppose that the environment assumption forces the environment to input a after seeing the output . In addition, the environment must eventually input a 1. For an environmnent that satisfies these assumptions, the system is required to output an infinite number of s. Clearly, the specification is easily realizable. However, one option for the system is to always output . This implies that the environment would never be able to input and the system would not have to output infinitely many s. Consider the language . We can force the system to cover this language. However, this langugae includes words of length four, three with the third letter and three with the third letter . It follows, that after seeing the input twice the system would have to output a or a thus allowing the environmnet to input the desired and forcing the system in turn to output infinitely many s in return. The minimal required behavior forces the system to include enough variability in its outputs to allow the environment to fulfil its assumptions.

2 Background

We consider finite or infinite sequences of symbols from some finite alphabet . Given a word , an element in , we denote by the letter of the word , and by the suffix of starting at hence . The length of is denoted by and is defined to be for infinite words.

Finite Word Automata and Finite Transducers. A nondeterministic finite word automaton is , where is the finite alphabet, is the finite set of states, is the transition function, is the initial state, and is the acceptance set. We can run either on finite words (nondeterministic finite word automaton or NFW for short) or on infinite words (nondeterministic Büchi word automaton or NBW for short). The automaton is deterministic if for every state and every letter we have . Deterministic automata are denoted DFW and DBW, for short.

A run of on a finite word is a finite sequence of states where and for every we have . A run is accepting if and . A run of on an infinite word is defined similarly as an infinite sequence. For an NBW, a run is accepting if it visits infinitely often.

A word is accepted by if it has an accepting run over . The language of is the set of words accepted by , denoted by .

A finite transducer is , where is a finite set of directions, is a finite alphabet, is a finite set of states, is a partial transition function, is a start state, and is a labeling function. When is defined for every and we say that is full. We define in the standard way: and . Similarly, we define the extended labeling by considering and . Notice that, unless is full, and may be partial functions. Intuitively, a transducer is a labeled finite graph with a designated start node, where the edges are labeled by and the nodes are labeled by . The language of a transducer is the set . That is, all the possible words that label paths through the graph of . A transducer is deterministic if for every state and every two letters we have if then . That is, every state and for every letter there is at most one successor of labeled by . Given a nondeterministic transducer, it is possible to construct a deterministic transducer with the same language. This is a simple variant of the determinization of NFW [RS59].

Trees. Given a finite set of directions, an -tree is a set such that if , where and , then also . The elements of are called nodes, and the empty word is the root of . For every and , the node is the parent of . Each node has a direction in . We assume that the root has some fixed direction . The direction of a node is . We denote by the direction of node . An -tree is a full infinite tree if . Unless otherwise mentioned, we consider here full infinite trees. A path of a tree is a set such that and for every there exists a unique such that . For a node in the tree, we denote by the prefix of up to length . For example, and .

Given two sets and , a -labeled -tree is a pair where is an -tree and maps each node of to a letter in . A -labeled -tree is directed if for every we have and . For a node the prefix-label of is the finite word that labels the path from the root of the tree to . More formally, and . We denote the prefix-label of by . We define the language of the tree to be .

A labeled tree is regular if it is the unwinding of some full transducer. Formally, a -labeled -tree is regular if there exists a full transducer , such that for every , we have . The size of , denoted , is , the number of states of .

Realizability. Consider an NBW , where the alphabet has the structure for some sets of inputs and outputs and , respectively. The language of is realizable if there exists a full directed -labeled -tree such that . We say that realizes . Notice that this implies that the initial state of reads the label of the root of the tree. As the direction of the root is this implies that for some we have .

Theorem 2.1

[PR89] The language of is realizable iff there exists a finite transducer over directions and alphabet such that for every and every we have such that .

3 Simple Covering

Solutions to realizability problems include two-player games or tree automata. The problem we are interested in here is dual. Instead (and later in addition to) of requiring that all interactions between the system and its environment produce computations that satisfy the specification, here we require that a minimal set of computations (produced by a finite transducer) are generated by the interactions.

Consider an alphabet , and two sets of directions and . Consider a transducer . We say that covers if . We note that the set helps to distinguish between transitions of but does not appear on .

Definition 1

Covering. The language of a transducer is coverable with branching if there is a labeled -tree that covers .

Obviously, the question makes sense only in the case that and . If then it is trivial to label an -tree by . If we can use the regular tree induced by as a subset of .

Figure 1: A transducer whose language is coverable and a tree witnessing it.

Consider for example the transducer in Figure 1. The language of the transducer is finite and includes only 9 words. The alphabet is and the language is , that is, all words of length 5 that start with three s. We include an example of a tree of branching degree (i.e., ) that covers this language. Clearly, in the case of branching degree or more (i.e., ) the language is trivially coverable as .

Figure 2: A coverable transducer with infinite language and a tree witnessing it.

We proceed with a slightly more complicated example. Consider the transducer in Figure 2. As before, the alphabet is and for now we can ignore the state names. This time, the language is infinite: . That is, start with a finite number of s and follow with an or a and a final . Again, when there is a tree covering the language and we include such an example. As before, if then coverability is trivial.

Figure 3: A transducer whose language is not coverable with branching degree .

Finally, consider the example in Figure 3. The alphabet is as before. For a letter we denote the number of occurrences of in . A word is a prefix of if for some , denoted by . Then, the language of the transducer is . Indeed, in the states in the middle column (, , and ) and the initial state the number of s and s seen so far is equal. Then, an increase in the number of s moves to the right. From the right-most column (states with superscript , where two s have been seen more than s, it is impossible to read further s until another is read. This language is not coverable with branching degree . We are going to develop the tools that will enable us to prove this. But, intuitively, in a hypothetical tree covering this language there should be two nodes below the root of the tree that correspond to state . Indeed, otherwise, it would be impossible to cover the three possible continuations of , namely , , and . For exactly the same reason, two nodes in level of the tree must correspond to state and two to state (the -successor and the -successor). As there are only four nodes in level two of the tree this leaves no free nodes to cover the runs leading to state , the -successor of . We make this argument formal in what follows.

Consider a transducer . We denote for . A weight distribution for and branching is a function such that the following conditions hold.

  • For every we have .

    That is, the weight of can cover the weights of all outgoing transitions.

  • For every we have and .

    That is, the weight of a transition can cover the target of that transition.

Intuitively, with nodes in the tree we can cover the language of , namely with as its initial state. The language of is covered by allocating of the children of the nodes to successor . As we have enough children for all successors of . As the children allocated for are sufficient to cover the language of .

1

2

2

1

1

2

1

1

2

2

1

2

1

2

2

2

1

Figure 4: A coverable transducer with its weight distribution (state weights in red and transition weights in blue) and the corresponding witness tree.

Consider the transducer in Figure 4. Its alphabet is and we consider . The numbers written on states (red) and transitions (blue) constitute a weight distribution. Indeed, for the initial state, we have and . Also, and . For state , we have , which is also the weight of the three incoming transitions , , and . Also . The conditions for the other states and transitions can be verified as well.

We also go back to the transducer in Figure 3 and show that it is not coverable with branching degree . As the maximal weight for the transition to is implying that . Suppose that . Then must be at least as well as the two states have the same language after the initial symbol. It follows that both and are 1. As it must be that , which contradicts . Suppose that . As before implying that and . Applying the same logic to , we conclude that . This contradicts . This shows that the language of this transducer cannot be covered by a tree of branching degree 2. In fact, for every , the language cannot be covered by a tree of branching degree 2.

We show that the language of is coverable if and only if there exists a weight distribution for . Intuitively, the weight tells us how many nodes in the tree should correspond to a state of the transducer (following a certain transition).

Theorem 3.1

The language of is coverable by an -tree if and only if there is a weight distribution for and branching .

Proof
  • We construct an -tree covering from a weight distribution.

    Consider the tree . Based on the weight distribution , we construct a -labeled -tree by induction, where the labeling may be partial. The labeling maintains the following:

    • for every we have .

    • for every run of ending in state , we maintain the invariant that there are at least nodes in such that for every we have .

    • for every if then for some such that .

      That is, the nodes in the tree are labeled by runs of and children of a node are labeled by runs that extend the run labeling their parent.

    We set . Clearly, . By definition of weight distribution and hence one node labeled by the run is sufficient.

    Consider a run ending in state and let such that for every we have . By definition of the weight distribution we have and for every we have . Let denote the set of nodes . It follows that . Hence, we can partition such that for every there is a set of size such that for every two and such that we have . It follows that it is safe to label the nodes by the run . That is, for we set .

    As there are at least nodes labeled by . As then . Finally, extends by .

    This completes the construction of by induction. We now use to show a labeling for that covers the language of . By the invariant for labeling, for every run of there is (at least) a node such that . We set , where is the last state of . As required, .

  • Consider a tree such that . As is deterministic, we can create a mapping mapping every node of to the run of corresponding to .

    Let denote the set of runs of . For every state , let denote . That is, of all the runs ending in , all of them appearing in the tree , consider the one that has the minimal number of copies in . For a state , let denote the set of nodes of such that there is a run of and for every we have , where gives rise to the minimal such set. Consider a transition of . Clearly, all the runs have to appear in . Let

    Clearly, as includes all nodes such that we have includes all nodes such that . We set .

    By definition must label the root of the tree . Hence, . Furthermore, it must be the case that . Indeed, for all successors of the weight of is induced by the same set of nodes in the tree and has at most children in . Finally, as is chosen according to the number of children of that are labeled by . As is chosen as the minimal set, it follows that .

Corollary 1

In a weight distribution for and branching all weights are bounded by . It follows that the decision of whether the language of a transducer is coverable is in NP.

The proof of this corollary is included in Appendix.

We note that the tree is not restricted “from above”. That is, the words that are possible to write on branches of the tree are all possible words over . Thus, the issue of whether the language of is contained in a nondeterministic language is bypassed.

4 Coverability with Büchi Realizability

We extend the problem of coverability by considering simultaneously that all the paths in the tree must be labeled by words accepted by a DBW. We give a precondition for coverability that is not complete.

Consider a transducer and a DBW . As usual, in order to realize the DBW for every we have to choose a such that the infinite word resulting from such repeated interactions is in the language of . We note that initially one has to choose a only for the initial direction . For the transducer, , we choose to ignore the input . The reasoning is that the tree must include all possible options for and there is no choice about their inclusion. In order to define covering in a way that does take the input into account we would have to allow the transducer to “choose” between different options for inputs and enforce a very unusual definition of what is the language of the transducer. The techniques we establish will form foundations for such definitions of covering as well.

Definition 2

Covering with Büchi Realizability. The language of a transducer is coverable while realizing DBW with branching if there is a full directed -labeled -tree that covers and realizes .

As before, the directions read by are used to distinguish between different transitions and do not appear on the tree.

We note that if then covering is clearly impossible. As is deterministic, the check whether is easy to perform. If the upper bound language is given as a nondeterministic automaton then the very first step in checking coverability would be to check language inclusion between and . Here, we assume that and consider a system that can output all possible output symbols at every stage of its computation. Thus, the issue of language containment in the language of a nondeterministic system is largely bypassed.

Consider for example the transducer in Figure 2 again. Let be the set of input letters. We add a property that dictates that if a is combined with direction then only can follow it and that s must follow a in direction infinitely often (unless completely diverging from the language of the transducer). The safety part of this condition means that if a copy of state appears in direction it can’t be followed by copies of states and . This means that we want the copy of state in direction to be followed by and . However, this conflicts with the liveness property telling us that in direction should be followed infinitely often by . In order to accommodate this requirement we must include two copies of with output in level 3 of the tree both of them having input followed by output . This is in contrast to the previous case where one copy of in level 3 was sufficient. In particular, the root of the tree, which corresponds to the initial state of the transducer and the transition of the DBW is covered in a different way from the nodes and , which also correspond to the initial state of the transducer and the transition .

*

Figure 5: A DBW enforcing that after a ( in direction ) the outputs and cannot appear and that a follows a (a in direction ) infinitely often and a tree covering the transducer in Figure 2 and realizing this DBW. Directions that are missing from the tree are not restricted by the transducer and can be be easily completed in a way that realizes the DBW.

We now develop techniques similar to those developed in Section 3 for proving coverability. As notations get quite cumbersome we start with a simpler definition that shows only cover with no memory and extend it to cover with memory later.

4.1 Coverability without Memory

Consider a transducer and a DBW . We assume that and let denote . A combined weight-ranking for and is and such that the following conditions hold.

  • For the weight distribution we have the following:

    • .

    • For every , , , and if then is defined and is defined.

      That is, weight can be associated only with real (combined) transitions of and .

    • For every and we have .

      That is, the weight of is sufficient to cover the weights of all outgoing transitions.

    • For every , , and we have .

      That is, we can use at most successors in direction .

    • For every , , , and we have .

      That is, the weight of a transition is sufficient to cover the target of that transition.

  • For the ranking we have the following:

    • That is, the state reached after reads the direction of the root and the label of has a finite rank.

    • For every and for every and such that :

      • For every such that we have .

      • If then there is some such that .

      That is, if is not a Büchi state then the rank must decrease in all directions of the tree. Either by continuing to cover the transducer or by considering only realizability.

    • For every and for every and such that :

      • For every such that we have .

      • If then there is some such that .

      That is, if is a Büchi state then the rank must be finite in all directions of the tree. Either by continuing to cover the transducer or by considering only realizability.

    • If for some we have then:

      • If then for every there is some such that .

      • If then for every there is some such that .

      That is, in order to ensure realizability the ranking must be decreasing for non-Büchi states and defined for successors of Büchi states.

This definition combines the weight with a Büchi ranking, where the weight shows that the language of is coverable and the ranking shows that the language of the tree realizes the language of . The intuition is similar to that of the weight of the simple covering. With nodes in the tree we can cover the language of realizing the language of . The ranking ensures that at the same time the language of is realizable. When the covering does not constrain the whole tree then the ranking with the “state” ensures that the language of is realizable without caring about the weights.

Theorem 4.1

If there is a combined weight-ranking and for and then the language of is coverable while realizing with branching

Proof

Suppose that there is a combined weight-ranking and for and .

Given a run of and a run