
Given two symbolic transition systems $\tilde{A}_0$ and $\tilde{A}_1$, where $\tilde{A}_0 \triangleq \langle \tilde{V}_0, \tilde{\iota}_0, \tilde{R}_0, \tilde{F}^s_0, \tilde{F}^w_0 \rangle$ and $\tilde{A}_1 \triangleq \langle \tilde{V}_1, \tilde{\iota}_1, \tilde{R}_1, \tilde{F}^s_1, \tilde{F}^w_1 \rangle$, we define the synchronous product of $\tilde{A}_0$ and $\tilde{A}_1$ as the symbolic transition system $\tilde{A}_0 \,\|\, \tilde{A}_1 \triangleq \langle \tilde{V}_0 \cup \tilde{V}_1,\; \tilde{\iota}_0 \wedge \tilde{\iota}_1,\; \tilde{R}_0 \wedge \tilde{R}_1,\; \tilde{F}^s_0 \cup \tilde{F}^s_1,\; \tilde{F}^w_0 \cup \tilde{F}^w_1 \rangle$.

We present the symbolic synthesis algorithm in terms of manipulations on sets of states. A state in the setting of a symbolic transition relation $\tilde{A}$ over a set of variables $\tilde{V}$ can be considered a valuation of the variables in $\tilde{V}$. Let $S_{\tilde{V}}$ be the set of all valuations given a set of variables $\tilde{V}$, i.e., $S_{\tilde{V}}$ is the set of all functions $\sigma$ which map each variable $v \in \tilde{V}$ to a value of the appropriate type. For every predicate $p$ over the variables $\tilde{V}$, we denote by $\|p\| \subseteq S_{\tilde{V}}$ the set of valuations that satisfy $p$. It follows that $\|\mathit{true}\| = S_{\tilde{V}}$. A predicate like $\tilde{R}$ over the variables $\tilde{V} \cup \tilde{V}'$ can be viewed as a binary relation over $S_{\tilde{V}}$, with the primed variables representing the second components of the pairs in the relation. Given a set $S \subseteq S_{\tilde{V}}$ and a binary relation $R \subseteq S_{\tilde{V}} \times S_{\tilde{V}}$, we define $R \cap S$ as $R \cap S \triangleq R \cap (S \times S_{\tilde{V}})$.

Having established the correspondence between sets and relations with predicates, we define the operator $\mathit{img}(P, R) \triangleq \{ s \mid (s', s) \in R \wedge s' \in P \}$, where $P \subseteq S_{\tilde{V}}$ and $R \subseteq S_{\tilde{V}} \times S_{\tilde{V}}$. If $P$ and $R$ are represented symbolically as $\tilde{P}$ and $\tilde{R}$, which are predicates over $\tilde{V}$ and $\tilde{V} \cup \tilde{V}'$ respectively, then the symbolic equivalent of the $\mathit{img}$ operator is given by:

$$\mathit{unprime}\big(\exists v_1, v_2, \ldots, v_n .\; \tilde{P} \wedge \tilde{R}\big)$$

given that $\tilde{V}$ is the set $\{v_1, v_2, \ldots, v_n\}$, and the function $\mathit{unprime}$ substitutes primed variables with their unprimed versions. In a similar fashion, we define the pre-image operator $\mathit{pre}(P, R) \triangleq \{ s \mid (s, s') \in R \wedge s' \in P \}$, where $P$ and $R$ are as defined earlier in the case of the $\mathit{img}$ operator. If $P$ and $R$ are represented symbolically as the predicates $\tilde{P}$ and $\tilde{R}$ as mentioned in the case of the $\mathit{img}$ operator, then the symbolic equivalent of the $\mathit{pre}$ operator is given by:

$$\exists v'_1, v'_2, \ldots, v'_n .\; \mathit{prime}(\tilde{P}) \wedge \tilde{R}$$

where the function $\mathit{prime}$ substitutes each unprimed variable with its primed version. Thus the $\mathit{img}$ and $\mathit{pre}$ operators yield the set of states (or valuations) reachable from a given set of states $P$ within one forward or backward transition through $R$, respectively. We define the operator $\mathit{img}^*$ as:

$$\mathit{img}^*(P, R) \triangleq P \cup \mathit{img}(P, R) \cup \mathit{img}(\mathit{img}(P, R), R) \cup \cdots$$

Given that $S_{\tilde{V}}$ is finite, the sequence of unions for $\mathit{img}^*$ must converge to a fix-point after a finite number of unions. Thus $\mathit{img}^*(P, R)$ represents the set of all states that are reachable from a given set of states $P$ by zero or more forward transitions through $R$. Similarly, we define the set of all states from which a given set of states $P$ can be reached by zero or more forward transitions through $R$ by the function $\mathit{pre}^*$ as:

$$\mathit{pre}^*(P, R) \triangleq P \cup \mathit{pre}(P, R) \cup \mathit{pre}(\mathit{pre}(P, R), R) \cup \cdots$$

Again, this sequence must also converge to a fix-point within a finite number of unions. Algorithm 3.1, GetSymbolicInterps, which has been adapted from the model checking algorithm presented in the work by Kesten et al. [KPRS06]⁶, then describes the synthesis algorithm in terms of these definitions. Note that although the algorithm is described in terms of manipulations on sets, all of the operations have efficient implementations in the form of BDD manipulation routines, if we use BDDs as a symbolic representation for sets. For instance, in the prototype that we developed, we were able to translate these operations in a straightforward manner onto the operations provided by the BDD library CUDD [SB00].

Algorithm 3.1: GetSymbolicInterps: Synthesize all correct fsm-sk completions

Input: A symbolic transition system $\tilde{A} \triangleq \langle \tilde{V}_A, \tilde{\iota}_A, \tilde{R}_A, \tilde{F}^s_A, \tilde{F}^w_A \rangle$ with parameters $\tilde{G}$. An LTL property $\phi$ over $\tilde{V}_A$.
Output: All interpretations $I$ for the parameters in $\tilde{G}$ such that $A^{I} \models \phi$.
Data: $T_{\neg\phi} \triangleq \langle \tilde{V}_{\neg\phi}, \tilde{\iota}_{\neg\phi}, \tilde{R}_{\neg\phi}, \tilde{F}^s_{\neg\phi}, \tilde{F}^w_{\neg\phi} \rangle$, the tester for the LTL formula $\neg\phi$.
      $D \triangleq \langle \tilde{V}, \tilde{\theta}, \tilde{R}, \tilde{F}^s, \tilde{F}^w \rangle$, where $D = A \,\|\, T_{\neg\phi}$.
      $\mathit{new}, \mathit{old}$: subsets of $S_{\tilde{V}}$.
      $\rho$: subset of $S_{\tilde{V}} \times S_{\tilde{V}}$.

 1  construct $T_{\neg\phi}$ and $D$ as defined
 2  $\mathit{old} \leftarrow \emptyset$
 3  $\mathit{new} \leftarrow \mathit{img}^*(\|\tilde{\theta}\|, \|\tilde{R}\|)$
 4  $\rho \leftarrow \|\tilde{R}\| \cap \mathit{new}$
 5  while $\mathit{new} \neq \mathit{old}$ do
 6      $\mathit{old} \leftarrow \mathit{new}$
 7      while $\mathit{new} \neq \mathit{new} \cap \mathit{pre}(\mathit{new}, \rho)$ do
 8          $\mathit{new} \leftarrow \mathit{new} \cap \mathit{pre}(\mathit{new}, \rho)$
 9      foreach $F_w \in \tilde{F}^w$ do
10          $\mathit{new} \leftarrow \mathit{pre}^*\big((\mathit{new} \cap F_w),\, (\rho \cap \mathit{new})\big)$
11      foreach $(p, q) \in \tilde{F}^s$ do
12          $\mathit{new} \leftarrow (\mathit{new} \setminus \|p\|) \cup \mathit{pre}^*\big((\mathit{new} \cap \|q\|),\, (\rho \cap \mathit{new})\big)$
13      $\mathit{new} \leftarrow \mathit{pre}^*(\mathit{new}, \rho)$
14  $\mathit{bad} \leftarrow \mathit{new} \cap \|\tilde{\theta} \wedge \chi(\neg\phi)\|$
15  return $S_{\tilde{V}} \setminus \mathit{bad}$

3.4.1 Correctness

It has been shown in earlier work [KPRS06] that if the input $\tilde{A}$ is not parameterized (unlike in our case), then $\tilde{A} \models \phi$, and thus $A \models \phi$, if and only if the value of $\mathit{new}_{13}$, i.e., the value of the variable $\mathit{new}$ after the execution of line 13 of Algorithm 3.1, is such that $\mathit{new}_{13} \cap \|\tilde{\theta} \wedge \chi(\neg\phi)\| = \emptyset$. Given that in our setting the symbolic transition relation $\tilde{A}$ is parameterized by the set of variables $\tilde{G}$, the set $\mathit{new}_{13} \cap \|\tilde{\theta} \wedge \chi(\neg\phi)\|$ yields exactly the set of interpretations for $\tilde{G}$ which result in $\tilde{A} \not\models \phi$. Therefore, by eliminating these interpretations from the set of all interpretations $S_{\tilde{V}}$ in line 14 of Algorithm 3.1, and by the bi-directional implication in the proof of correctness of the algorithm presented in the work by Kesten et al. [KPRS06], we immediately obtain the correctness of Algorithm 3.1.⁷

⁶ In fact, in the presentation here, the algorithm is exactly the same as that presented in [KPRS06] up-to and
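Algorithm 3.1 carried out on explicit sets, as an added example that is not part of the thesis or of the CUDD-based prototype it describes: the img, pre, img* and pre* operators and lines 3–15 are written over Python sets, and the product D (a system with one rigid parameter g and a location l, checked against ϕ = □(l ≠ 2) through the usual one-variable tester for ◇p) is constructed here rather than taken from the page. Reading off the eliminated interpretations by projecting bad onto g is our interpretation of line 15.

```python
from itertools import product

# Explicit-set versions of the operators defined in the text.
def img(P, R):          # img(P, R) = {s | (s', s) ∈ R ∧ s' ∈ P}
    return {t for (s, t) in R if s in P}
def pre(P, R):          # pre(P, R) = {s | (s, s') ∈ R ∧ s' ∈ P}
    return {s for (s, t) in R if t in P}
def restrict(R, S):     # R ∩ S ≜ R ∩ (S × S_V): keep the transitions leaving S
    return {(s, t) for (s, t) in R if s in S}
def closure(op, P, R):  # img* / pre*: P ∪ op(P, R) ∪ ... until the fix-point
    while True:
        nxt = P | op(P, R)
        if nxt == P:
            return P
        P = nxt
def fair_states(theta, R, weak, strong):
    """Lines 3-13 of Algorithm 3.1: reachable states lying on some fair path."""
    new = closure(img, theta, R)
    rho = restrict(R, new)
    old = None
    while new != old:
        old = new
        while new != new & pre(new, rho):   # drop states with no successor in new
            new = new & pre(new, rho)
        for Fw in weak:                     # weak fairness (justice) requirements
            new = closure(pre, new & Fw, restrict(rho, new))
        for p, q in strong:                 # strong fairness (compassion) requirements
            new = (new - p) | closure(pre, new & q, restrict(rho, new))
        new = closure(pre, new, rho)
    return new
def get_symbolic_interps(S_V, theta, R, weak, strong, chi):
    bad = fair_states(theta, R, weak, strong) & theta & chi   # line 14: ||θ ∧ χ(¬ϕ)||
    return S_V - bad                                          # line 15

# Constructed product D = A || T_¬ϕ for ϕ = □(l ≠ 2); states are valuations (g, l, x).
# A: rigid parameter g (the completion choice), location l with moves 0→1, 1→1, 2→2
# and 1→2 only when g = 1.  T_¬ϕ: the usual tester for ◇p (p: l = 2): x ↔ (p ∨ x'), justice ¬x ∨ p, χ = x.
S_V = set(product((0, 1), (0, 1, 2), (0, 1)))
prop = lambda s: s[1] == 2
def step(s, t):
    (g, l, x), (g2, l2, x2) = s, t
    moves = {(0, 1), (1, 1), (2, 2)} | ({(1, 2)} if g == 1 else set())
    return g == g2 and (l, l2) in moves and x == int(prop(s) or x2)
R = {(s, t) for s in S_V for t in S_V if step(s, t)}
theta = {s for s in S_V if s[1] == 0}                # ||θ̃||: l = 0, g and x free
justice = [{s for s in S_V if not s[2] or prop(s)}]  # F̃^w contributed by the tester
chi = {s for s in S_V if s[2] == 1}                  # ||χ(¬ϕ)||
def good_completions():
    bad = S_V - get_symbolic_interps(S_V, theta, R, justice, [], chi)
    return {0, 1} - {s[0] for s in bad}              # project bad onto the parameter g
```

Only g = 0 survives: with g = 1 the initial state (1, 0, 1) lies on a fair path of D that reaches l = 2, so that interpretation is placed in bad and removed.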
