Constructing most general controllers in practice

It is quite unsurprising and was confirmed by our initial experiments that a naive implemen- tation of the game-based controller construction would not scale beyond extremely limited toy examples mostly due to the exponential number of choices that are considered for each Vctr-vertex in the game. This is further aggravated by the fact that the number of observ-

ables (observable concurrent I/O-operations) in the system grows exponentially with the number of visible data-flow locationsNvis if the activity at these data-flow locations is in-

dependent, with the full nondeterminism leading to all combinations of activity appearing simultaneously and non-simultaneously. Likewise, complex data items at the visible data- flow locations tend to quickly increase the number of different observables. In the sequel, we will detail several techniques that allow a more advanced treatment of the choices with the effect that the number of _Venv-vertices to be considered in the complete-information

game is significantly reduced in practice.

When constructing the complete-information game, the successors_{hS, Oi ∈ V}envof each

vertexS _{∈ V}ctr represent the various choices O ⊆ Obs available to a decision function.

In the definition of the complete-information game in Chapter 5, all possible choices are included, even though some can be immediately ruled out for representing inadmissible be- havior. For these vertices, there exists at least one edge_{hS, Oi ,→ fail(s) to some fail-vertex.} As all fail-vertices are not winning for all the considered objectives, thehS, Oi-vertices with an inadmissible choiceO are losing as well. In practice, we thus do not generate vertices representing inadmissible choices in the game. Recall that there nonetheless remains at least one admissible choice, e.g., the full choiceO = Obs in case that the system has not been suspended or the choice consisting of all uncontrollable observables in the case that the system has been suspended.

Furthermore, we omit the creation of choice verticeshS, Oi where O schedules some ob- servable that is not schedulable from any of the states inS. Clearly, a vertexhS, Oi where O contains non-schedulable observables has exactly the same edges and successors in the game as the vertexhS, O0_{i where O}0 _{is the choice obtained fromO by removing all non-}

schedulable observables.

We refer to these choices asCadm(S) ⊆ 2Obs, the set of choices O ⊆ Obs that are both

admissible for a given set of statesS and schedule only schedulable observables. This cor- responds to the choicesO in the complete-information game where the vertexhS, Oi has no edge to a fail-vertex and that has for everyβ _{∈ O an edge hS, Oi},_{→ S}β 0to some vertex S0_{∈ V}

ctr.

In an additional attempt to reduce the number of choice verticesVenvthat have to be gener-

ated and considered in the complete-information games, we apply two further reductions. In the first reduction, we exploit the structural properties of decision functions we have shown in Section 4.2. The second reduction relies on the specific structure in regard to the use of annotations of the most general controllers we generate forω-regular objectives as detailed in Chapter 7. The decision function templates for all the controllers that employ annota- tions provide choices that are fully annotated by a single annotation. When considering the potential choices in the game of a subsequent iteration, i.e., for a systemC ./ A, we will later show that it is then sufficient to consider only choices that are likewise annotated with

8.4. Synthesis of most general controllers in Vereofy Chapter 8. Synthesis in the Reo and constraint automata framework

a single annotation.

First, our goal is to construct a subsetCred(S) ⊆ Cadm(S) of the admissible choices for a

given vertexS ∈ Vctr, such that a reduced game with onlyVenv-vertices of the formhS, Oi

withO_{∈ C}red(S) is still sufficient for the construction of most general controllers. For this,

we exploit the following structural properties of the choices of decision functions:

1. Lemma 4.10 ensures that if two choicesO1 andO2can be used in a particular situa-

tion to enforce a given objective that then the unionO1∪ O2can likewise be used to

enforce the objective. In particular,O1∪ O2will be admissible.

2. By Lemma 4.8, if a choiceO can be used in a particular situation to enforce an objec- tive then any subset ofO that is still admissible can be used instead of O to enforce the objective.

3. On the other hand, if an admissible choiceO cannot be used in a particular situation to enforce an objective then any superset ofO can likewise not be used to enforce the objective (Lemma 4.9).

It is thus sufficient to only consider the “smallest” admissible choices, i.e., those that cannot be decomposed into two or more choices that are still admissible. We say a subsetC_{⊆ 2}Obs

of choices is fully decomposed if none of the choicesO _{∈ C can be obtained by the union} O1∪ . . . ∪ Onof a finite set of other choicesOi∈ C \ {O}. We say a subset C1 ⊆ 2Obs of

choices covers another subsetC2⊆ 2Obsof choices if for everyO ∈ C2eitherO ∈ C1orO

can be obtained by the union of a finite number of choices fromC1, i.e.,O = O1∪ . . . ∪ On

withOi∈ C1 for all16 i 6 n.

We then denote byCred(S)⊆ 2Obs the smallest subset of choices that is both reduced and

coversCadm(S), the set of admissible choices scheduling only schedulable observables. We

will later show thatCred(S) is uniquely defined.

ComputingCred(S). Algorithm 1 details a procedure for obtaining Cred(S) given the set

of admissible choicesCadm(S) for aVctr-vertexS as input.

Algorithm 1

Computes the set of choicesCred(S) from the set of admissible choices Cadm(S) for some

set of statesS

1: procedure COMPUTECRED(S)FROMCADM(S)

2: Chosen ← Covered ← ∅ 3: C = C_adm(S)

4: whileC6= ∅ do

5: selectO ∈ C such that |O| 6 |O0_{| for all O}0_{∈ C}

6: Chosen ← Chosen ∪ {O}

7: Covered ← Covered ∪ {O} ∪O∪ O0: O0 ∈ Covered 8: C ← C \ Covered

9: end while

10: Cred(S)← Chosen

11: end procedure

The algorithm proceeds by choosing choices to include, stored in the set of choicesChosen in a bottom-up manner. The set of choicesC contains all admissible choices that have not

Chapter 8. Synthesis in the Reo and constraint automata framework 8.4. Synthesis of most general controllers in Vereofy

yet been covered, with the set of choicesCovered containing all choices that have already been covered. The selection of the next choiceO to be added to Chosen in line 5 picks one of the remaining choices with the least number of elements, i.e., that could not be further decomposed. Clearly, once a choice O with _{|O| = i is selected in line 5, all the other} choicesO0 _{∈ C with |O}0_{| = i will in the end likewise be chosen, as they can not be added}

to the set Covered in line 7 as the union of the previously covered choice and a newly covered choice of the same cardinality. This shows thatCred(S) is uniquely determined.

Clearly, having to construct an explicit representation of the setCadm(S) would defeat the

purpose of the reduction, as then again an exponential number of choices has to be consid- ered. In our implementation in Vereofy we obtain a symbolic representation ofCadm(S) as

a BDD-encoded switching function, with the elements of the setSched (S) = obs(Act(S)) serving as boolean variables, i.e., the union of the schedulable observables for all states inS. The other sets of choices in the algorithm are similarly encoded, with a single choiceO _⊆ Sched (S) corresponding to an assignment of the BDD-variables β1, . . . , βn ∈ Sched(S).

The implementation in Vereofy then relies on standard BDD-operations to perform the nec- essary steps in the algorithm, with the selection of a choiceO of minimal cardinality from C corresponding to a custom BDD-operator that constructs a satisfying assignment with a minimal number of positive variables.

As a special case, the situation where all states inS have exactly the same outgoing observ- ables, e.g., whereS is a singleton set, is detected at the symbolic level before the calcula- tions ofCred(S) and Cadm(S), as in this case the set of choices in Cred(S) can be determined

straightforwardly.

The reduced game Gred. We now consider the effect of using a reduced version of the

complete-information game in the algorithms to synthesize a most general controller for a given objective. LetΦ be an invariance, reachability, safety, co-safety or omega-regular objective of the form considered in Chapter 6 and Chapter 7 and letG be the correspond- ing complete-information game, restricted to the _Venv-vertices of the form hS, Oi with

O_{∈ C}adm(S), i.e., only considering choices that are admissible and schedule only schedu-

lable observables. We obtain a reduced gameGredby removing allVenv-vertices of the form

hS, Oi with O /∈ Cred(S). Intuitively, this reduced game only considers decision functions

with fully decomposed, admissible choices. This reduction preserves the reachability of Vctr-vertices in the game, as the edgesS ,→ hS, Oi

β

,_{→ S}0 _{inG for some choice O and ob-}

servableβ _{∈ O imply the existence of some O}0 _{∈ C}

red(S) with β ∈ O0 and thus the edges

S ,→ hS, Oi ,→ Sβ 0 _inG

red. Otherwise, Cred(S) would not cover Cadm(S). Likewise, the

reduction preserves the reachability of_Vterm-vertices. As eachhS, Oi-vertice corresponds

to an admissible choiceO, no fail-vertex can be reached, neither in_{G nor in G}red. Diver-

gence is independent of the choices, thus the reachability of div-vertices is unaffected by the reduction. The reachability of stop-vertices in_{G and G}red is unaffected as well, as an

edgehS, Oi ,→ stop(s) for some admissible choice O implies the existence of the edge hS, O0_{i ,→ stop(s) for all other admissible choices O}0_{. This is due to the fact that termina-}

tion at a states for an admissible choice can only occur if s is terminal or if termination is caused by suspension and under both circumstances the particular choice is irrelevant. We first observe that the initial vertex of the reduced game is winning exactly if the initial

8.4. Synthesis of most general controllers in Vereofy Chapter 8. Synthesis in the Reo and constraint automata framework

vertex of the non-reduced game is winning. As we know, the initial vertex of the non- reduced game is winning if there exists a decision functiond that enforces the given ob- jectiveΦ. But then there exists a decision function d0whose choices are fully decomposed (Lemma 4.8) that likewise enforcesΦ. The plays corresponding to d0 visit only those_Venv-

vertices with fully decomposed choices, i.e., those in the reduced game and the initial vertex of the reduced game is thus winning iff the initial vertex in the non-reduced game is win- ning. By the same argument, we obtain that each_Vctr-vertexv is in the winning region ofG

ifv is in the winning region of_Gredand vice versa.

We now show that we can reconstruct the relevant information for a vertexhS, Oi ∈ Venv

with O /_{∈ C}red(S), i.e., a vertex that only appears in the non-reduced game G, from the

winning regions for the reduced gameGred. For this, we consider the different forms of

objectives.

Invariance objectivesΦ = I, with empty fairness Fair[A]. Let Wred be the winning

region of the reduced game_Gred, letW be the winning region of the non-reduced game G

and let_{hS, Oi ∈ V}envbe a vertex inG with O /∈ Cred(S), i.e., a vertex that is not in Gred.

We show that

hS, Oi ∈ W ⇐⇒ ∃O1, . . . , Onsuch thatO = O1∪ . . . ∪ On

andhS, Oii ∈ Wredfor all16 i 6 n.

The choice O is an element of Cadm(S) ashS, Oi is a vertex in G. As Cred(S) covers

Cadm(S), there exists a set O1, . . . , Onof choices inCred(S) such that O = O1∪ . . . ∪ On.

Furthermore, the set of successor vertices of hS, Oi corresponds to the union of the suc- cessor vertices of_{hS, O}1i, . . . , hS, Oni. As hS, Oi is a Venv-vertex, it is contained inW iff

all its successor vertices are likewise in W, which is exactly the case if all the successor vertices of the verticeshS, Oii for 1 6 i 6 n are elements of W and thus the hS, Oii are el-

ements of_{W as well. The membership in W for the vertices in G that are not in the reduced} gameGredcan hence be determined fromWred.

Reachability objectivesΦ =♦F. As the game G is identical for the cases where A has no fairness condition and the case whereA has a non-empty fairness condition, we can ignore Fair[_{A] when examining the differences between G and G}red. By the same argument as for

invariance objectives, the membership of vertices _{hS, Oi for reachability objectives with} O /∈ Cred(S) in the set of winning verticesW can be recovered from the set of winning

vertices in the reduced game_Wred.

For reachability objectives, the detailed information about the membership of the vertices in a particular winning region is necessary for the construction of the controller. We show that membership in the winning regions for those vertices that are both in G and Gred is

identical and for those vertices that are only in_{G can be recovered from the winning regions} ofGred. LethS, O1i ∈ W(i)andhS, O2i ∈ W be Venv-vertices that are winning inG such

thatO2 ⊇ O1. AshS, O2i is winning, it is contained in some winning region W(j). As

the choice O2 offers more observables than the choice O1, the set of successor vertices

of hS, O2i is a superset of the successor vertices of hS, O1i. The choice O2 thus offers

additional possibilities to the opponent which could be used to prolong the distance to the reachability goal and as a consequence _{hS, O}2i ∈ W(j) for somej > i. The first player

Chapter 8. Synthesis in the Reo and constraint automata framework 8.4. Synthesis of most general controllers in Vereofy

can thus never reduce the worst-case distance from vertex S to the reachability goal by selecting the successorhS, O2i over hS, O1i if both of them are winning. As a consequence

removing thehS, Oi-vertices with O /∈ Cred(S) in the reduced gameGreddoes not change

the membership of the vertices in_Gredin the winning regions, i.e., for a vertexv that is both

a vertex ofG and Gredmembership in the winning regions is identical, i.e.,v ∈ W(j) ⇐⇒

Wred(j).

To recover the membership in the winning regions ofG for the omitted vertices hS, Oi ∈ W with O /∈ Cred(S), we derive the worst-case distance to the reachability goal from the

winning regions_Wred. Again, asCred(S) covers Cadm(S) and O ∈ Cadm(S), the successor

set of the vertexhS, Oi in G is the union of the successors of any decomposition O1, . . . , On

withOi ∈ Cred(S). As hS, Oi is winning, all successors have to be winning as well and

are thus contained each in a particular winning region. Letj be the smallest index such that each successorv of_{hS, Oi in G is a member of some winning region W}(i)_{withi6 j. Then,}

hS, Oi is an element of W(j+1)_{, as the opponent can select the particular successor vertex,}

ensuring the “worst-case situation” of selecting a successor in_W(j). We can thus recover the membership in the winning regions for the vertices that are omitted in the reduced game. Invariance objectives with non-empty fairnessFair[_{A]. As the algorithm for invariance} objectives with (finitary) fairness relies on slightly modified variants of the algorithms for invariance and reachability objectives without fairness, the observations above apply to the case with fairness conditions as well.

ω-regular objectives. As before, using Lemma 4.8 it can be shown that membership in the set of winning vertices remains identical for the vertices that occur both in the non-reduced game G and the reduced game Gred. In particular, there exists a winning game strategy

and corresponding controller that only schedules choices available in_Gred. Note that this is

likewise a winning game strategy inG. By the same argument as for invariance objectives, the membership of verticeshS, Oi for ω-regular objectives with O /∈ Cred(S) in the set of

winning vertices_{W can be recovered from the set of winning vertices in the reduced game} Wred.

The induced transition system_AC. We have shown that it suffices to solve the reduced

gameGredto determine the enforceability for the objective and that we can easily recover the

information about the winning regions for the omitted vertices. This allows us to construct identical most general controllers fromGredandG.

In practice, we construct the most general controller as a CARML module, i.e., correspond- ing to the induced transition system_AC. The transition structure of the CARML module

for the most general controller is derived from the choices offered by the controller deci- sion function template, but abstracts away certain information about the particular choices. A transition with a particular observableβ is enabled for a mode m in _AC iff there is any

choice in the decision function template form that offers β. The successor mode, i.e., the successor state inAC, likewise does not depend on the particular choice but only on the

scheduled observable. As the choices of the reduced game cover the omitted choices, the transition structure induced by the controller constructed from the reduced game _Gred is

In document Compositional Synthesis and Most General Controllers (Page 125-131)