Engineering an $\mathsf{LTL_{f}}$ Synthesis Tool

A word over $\sigma$ of length $n$ over an alphabet $\Sigma$ is a function $\sigma:\{0,1,\ldots,n-1\}\to\Sigma$. We use $\Sigma^{n}$ (resp. $\Sigma^{\star}$ and $\Sigma^{+}$) to denote the set of words of length $n$ (resp. any length $n\geq 0$ and $n>0$). We use $|\sigma|$ to represent the length of a word $\sigma$. For $\sigma\in\Sigma^{n}$ and $0\leq i<n$, $\sigma(..i)$ denotes the prefix of $\sigma$ of length $i+1$.

Let $\mathcal{P}$ be a finite set of Boolean variables (a.k.a. atomic propositions). We use $\mathbb{B}^{\mathcal{P}}$ to denote the set of all assignments, i.e., functions $\mathcal{P}\to\mathbb{B}$ mapping variables to values in $\mathbb{B}=\{\bot,\top\}$.

Given two disjoint sets of variables $\mathcal{P}_{1}$ and $\mathcal{P}_{2}$, and two assignments $w_{1}\in\mathbb{B}^{\mathcal{P}_{1}}$ and $w_{2}\in\mathbb{B}^{\mathcal{P}_{2}}$, we use $w_{1}\sqcup w_{2}:(\mathcal{P}_{1}\cup\mathcal{P}_{2})\to\mathbb{B}$ to denote their combination.

In a system modeled using discrete Boolean signals that evolve synchronously, we assign a variable to each signal, and use a word $\sigma\in(\mathbb{B}^{\mathcal{P}})^{+}$ over assignments of $\mathcal{P}$ to represent the conjoint evolution of all signals over time.

We extend $\sqcup$ to such words. For two words $\sigma_{1}\in(\mathbb{B}^{\mathcal{P}_{1}})^{n}$, $\sigma_{2}\in(\mathbb{B}^{\mathcal{P}_{2}})^{n}$ of length $n$ over assignments that use disjoint sets of variables, we use $\sigma_{1}\sqcup\sigma_{2}\in(\mathbb{B}^{\mathcal{P}_{1}\cup\mathcal{P}_{2}})^{n}$ to denote a word such that $(\sigma_{1}\sqcup\sigma_{2})(i)=\sigma_{1}(i)\sqcup\sigma_{2}(i)$ for $0\leq i<n$.

We use classical ${\mathsf{LTL_{f}}}$ semantics over nonempty finite words [22].

Note that $\alpha\equiv\beta$ implies $\mathscr{L}(\alpha)=\mathscr{L}(\beta)$, but the converse is not true in general. Since $\equiv$ is an equivalence relation, we use $[\alpha]_{\equiv}\in{\mathsf{LTL_{f}}}(\mathcal{P})$ to denote some unique representative of the equivalence class of $\alpha$ with respect to $\equiv$.

Our goal is to build a tool that decides whether an $\mathsf{LTL_{f}}$ formula is realizable.

Let $\mathcal{S}$ be a finite set. Given a finite set of variables $\mathcal{P}=\{p_{0},p_{1},\ldots,p_{n-1}\}$ (that are implicitly ordered by their index) we use $f:\mathbb{B}^{\mathcal{P}}\to\mathcal{S}$ to denote a function that maps an assignment of all those variables to an element of $\mathcal{S}$. Given a variable $p\in\mathcal{P}$ and a Boolean $b\in\mathbb{B}$, the function $f_{p=b}:\mathbb{B}^{\mathcal{P}\setminus\{p\}}\to\mathcal{S}$ represents a generalized co-factor obtained by replacing $p$ by $b$ in $f$. When $\mathcal{S}=\mathbb{B}$, a function $f:\mathbb{B}^{\mathcal{P}}\to\mathbb{B}$ can be encoded into a Binary Decision Diagram (BDD) [11]. Multi-Terminal Binary Decision Diagrams (MTBDDs) [44, 45, 32, 39], also called Algebraic Decision Diagrams (ADDs) [5, 51], generalize BDDs by allowing arbitrary values on the leaves of the graph.

A Multi-Terminal BDD encodes any function $f:\mathbb{B}^{\mathcal{P}}\to\mathcal{S}$ as a rooted, directed acyclic graph. We use the term nodes to refer to the vertices of this graph. All nodes in an MTBDD are represented by triples of the form $(p,\ell,h)$. In an internal node, $p\in\mathcal{P}$ and $\ell,h$ point to successors MTBDD nodes called the $\mathsf{low}$ and $\mathsf{high}$ links. The intent is that if $(p,\ell,h)$ is the root of the MTBDD representing the function $f$, then $\ell$ and $h$ are the roots of the MTBDDs representing the functions $f_{p=\bot}$ and $f_{p=\top}$, respectively. Leaves of the graph, called terminals, hold values in $\mathcal{S}$. For consistency with internal nodes, we represent terminals with a triple of the form $(\infty,s,\infty)$ where $s\in\mathcal{S}$. When comparing the first elements of different triplets, we assume that $\infty$ is greater than all variables. We use $\mathsf{MTBDD}(\mathcal{P},\mathcal{S})$ to denote the set of MTBDD nodes that can appear in the representation of an arbitrary function $\mathbb{B}^{\mathcal{P}}\to\mathcal{S}$.

Following the classical implementations of BDD packages [11, 1], we assume that MTBDDs are ordered (variables of $\mathcal{P}$ are ordered and visited in increasing order by all branches of the MTBDD) and reduced (isomorphic subgraphs are merged by representing each triplet only once, and internal nodes with identical $\mathsf{low}$ and $\mathsf{high}$ links are skipped over). Doing so ensures that each function $f:\mathbb{B}^{\mathcal{P}}\to\mathcal{S}$ has a unique MTBDD representation for a given order of variables.

Given $m\in\mathsf{MTBDD}(\mathcal{P},\mathcal{S})$ and an assignment $w\in\mathbb{B}^{\mathcal{P}}$, we note $m(w)$ the element of $\mathcal{S}$ stored on the terminal of $m$ that ^††margin: Cf. App. 0.A.1 is reached after following the assignment $w$ in the structure of $m$. We use $|m|$ to denote the number of MTBDD nodes that can be reached from $m$.

Let $m_{1}\in\mathsf{MTBDD}(\mathcal{P},\mathcal{S}_{1})$ and $m_{2}\in\mathsf{MTBDD}(\mathcal{P},\mathcal{S}_{2})$ be two MTBDD nodes representing functions $f_{i}:\mathbb{B}^{\mathcal{P}}\to\mathcal{S}_{i}$, and let $\odot:\mathcal{S}_{1}\times\mathcal{S}_{2}\to\mathcal{S}_{3}$, be a binary operation. One can easily construct $m_{3}\in\mathsf{MTBDD}(\mathcal{P},\mathcal{S}_{3})$ representing the function $f_{3}(p_{0},\ldots,p_{n-1})=f_{1}(p_{0},\ldots,p_{n-1})\odot f_{2}(p_{0},\ldots,p_{n-1})$, by generalizing the apply2 function typically found in BDD libraries [32].^††margin: Cf. App. 0.A.2 We use $m_{1}\odot m_{2}$ to denote the MTBDD that results from this construction.

For $m\in\mathsf{MTBDD}(\mathcal{P},\mathcal{S})$ we use $\textnormal{{leaves}}(m)\subseteq\mathcal{S}$ to denote the elements of $\mathcal{S}$ that label terminals reachable from $m$. This set can be computed in $\Theta(|m|)$.^††margin: Cf. App. 0.A.3.

We now define an MTBDD-based representation of a DFA with a propositional alphabet, inspired by Mona’s DFA representation [36, 39].

An MTDFA can be regarded as a semi-symbolic representation of a DFA over propositional alphabet.^††margin: Cf. App. 0.C From a state $q$ and reading the assignment $w$, the automaton jumps to the state $q^{\prime}$ that is the result of computing $(q^{\prime},b)=\Delta(q)(w)$. The value of $b$ indicates whether that assignment is allowed to be the last one of the word being read. By definition, an MTDFA cannot accept the empty word.

MTDFAs are compact representations of DFAs, because the MTBDD representation of the successors of each state can share their common nodes. Boolean operations can be implemented over MTDFAs, with the expected semantics, i.e., $\mathscr{L}(\mathcal{A}_{1}\odot\mathcal{A}_{2})=\{\sigma\in(\mathbb{B}^{\mathcal{P}})^{+}\mid(\sigma\in\mathscr{L}(\mathcal{A}_{1}))\odot(\sigma\in\mathscr{L}(\mathcal{A}_{2}))\}$.^††margin: Cf. App. 0.B

Such a reachability game can be solved by backpropagation identifying the maximal set $W$ in a strategy. Namely, start from $W=\mathcal{F}_{\textsc{o}}$. Then $W$ is iteratively augmented with every vertex in $\mathcal{V}_{\textsc{o}}$ that has some edge to $W$, and every (non dead-end) vertex in $\mathcal{V}_{\textsc{i}}$ whose edges all lead to $W$. At the end of this backpropagation, which can be performed in linear time [35, Theorem 3.1.2], every vertex in $W$ is winning for o, and every vertex outside $W$ is losing for o. Notice that every dead-end that is not in $\mathcal{F}_{\textsc{o}}$ cannot be winning. It follows that we can identify some (but not necessarily all) vertices that are losing by setting $L$ as the set of all dead-ends and adding to $L$ every $\mathcal{V}_{\textsc{i}}$ vertex that has some edge to $L$ and every $\mathcal{V}_{\textsc{o}}$ vertex whose edges all lead to $L$.

Let $\mathcal{A}_{\varphi}=\langle\mathcal{Q},\mathcal{I}\uplus\mathcal{O},\iota,\Delta\rangle$ be a translation of $\varphi\in{\mathsf{LTL_{f}}}(\mathcal{I}\uplus\mathcal{O})$ (per Th. 3.1) such that variables of $\mathcal{I}$ appear before $\mathcal{O}$ in the MTBDD encoding of $\Delta$.

Moore realizability can be checked similarly by changing the order of $\mathcal{I}$ and $\mathcal{O}$ in the MTBDD encoding of $\Delta$.

The difference with DFA games [23, 20, 28, 54] is that instead of having player i select all input signals at once, and then player o select all output signals at once, our game proceeds by selecting one signal at a time. Sharing nodes that represent identical partial assignments contributes to the scalability of our approach.

We now show how to construct and solve $\mathcal{G}_{\varphi}$ on-the-fly, for better efficiency. The construction is easier to study in two parts: (1) the on-the-fly solving of reachability games, based on backpropagation, and (2) the incremental construction of $\mathcal{G}_{\varphi}$, done with a forward exploration of a subset of the MTDFA for $\varphi$.

Algorithm 1 presents the first part: a set of functions for constructing a game arena incrementally, while performing the ^††margin: Cf. App. 0.D linear-time backpropagation algorithm on-the-fly. At all points during this construction, the winning status of a vertex ($\mathit{winner}[x]$) will be one of o (player o can force the play to reach $\mathcal{F}_{\textsc{o}}$, i.e., the vertex belongs to $W$), i (player i can force the play to avoid $\mathcal{F}_{\textsc{o}}$, i.e., the vertex belongs to $L$), or u (undetermined yet), and the algorithm will backpropagate both o and i. At the end of the construction, all vertices with status u will be considered as winning for i. Like in the standard algorithm for solving reachability games [35, Th. 3.1.2] each state uses a counter ($\mathit{count}$, lines 1,1) to track the number of its undeterminated successors. When a vertex $x$ is marked as winning for player $w$ by calling set_winner(x,w), an undeterminated predecessor $p$ has its counter decreased (line 1), and $p$ can be marked as winning for $w$ (line 1) if either vertex $p$ is owned by $w$ (player $w$ can choose to go to $x$) or the counter dropped to $0$ (meaning that all choices at $p$ were winning for $w$).

To solve the game while it is constructed, we freeze vertices. A vertex should be frozen after all its successors have been introduced with new_edge. The counter dropping to $0$ is only checked on frozen vertices (lines 1, 1) since it is only meaningful if all successors of a vertex are known.

Algorithm 2 is the second part. It shows how to build $\mathcal{G}_{\varphi}$ incrementally. It translates the states $\alpha$ of the corresponding MTDFA one at a time, and uses the functions of Algorithm 1 to turn each node of $\mathsf{tr}(\alpha)$ into a vertex of the game. Since the functions of Algorithm 1 update the winning status of the states as soon as possible, Algorithm 2 can use that to cut parts of the exploration.

Instead of using $\Delta(\varphi)=\mathsf{tr}(\varphi)$ as initial vertex of the game, as in Theorem 4.1, we consider $\mathit{init}=\mathsf{term}(\varphi,\bot)$ as initial vertex (line 2): this makes no theoretical difference, since $\mathsf{term}(\varphi,\bot)$ has $\mathsf{tr}(\varphi)$ as unique successor. Lines 2,2–2,2, and 2 implements the exploration of all the ${\mathsf{LTL_{f}}}$ formulas $\alpha$ that would label the states of the MTDFA for $\varphi$ (as needed to implement Theorem 3.1). The actual order in which formulas are removed from $\mathit{todo}$ on line 2 is free. (We found out that handling $\mathit{todo}$ as a queue to implement a BFS exploration worked marginally better than using it as a stack to do a DFS-like exploration, so we use a BFS in practice.)