Safraless LTL synthesis considering maximal realizability
Abstract
Linear temporal logic (LTL) synthesis is a formal method for automatically composing a reactive system that realizes a given behavioral specification described in LTL if the specification is realizable. Even if the whole specification is unrealizable, it is preferable to synthesize a best-effort reactive system, that is, a system that maximally realizes its partial specifications. Therefore, we categorized specifications into must specifications (which should never be violated) and desirable specifications (the violation of which may be unavoidable). In this paper, we propose a method for synthesizing a reactive system that realizes all must specifications and strongly endeavors to satisfy each desirable specification. The general form of the desirable specifications without assumptions is \(\mathbf{G }\varphi \), which means “\(\varphi \) always holds”. In our approach, the best effort to satisfy \(\mathbf{G }\varphi \) is to maximize the number of steps satisfying \(\varphi \) in the interaction. To quantitatively evaluate the number of steps, we used a mean-payoff objective based on LTL formulae. Our method applies the Safraless approach to construct safety games from given must and desirable specifications, where the must specification can be written in full LTL and may include assumptions. It then transforms the safety games constructed from the desirable specifications into mean-payoff games and finally composes a reactive system as an optimal strategy on a synchronized product of the games.
1 Introduction
1.1 Background
Open systems interact continuously with the external environment. When applied to real problems, they must often be highly reliable. These systems are modeled as reactive systems. Linear Temporal Logic (LTL) synthesis is a formal method for checking the realizability [1, 34, 35] of a behavioral specification described in LTL [33] and for automatically composing a reactive system realizing the specification if it is realizable. This method can effectively obtain a reliable system because it has no implementation phase in which bugs could be introduced.
In traditional LTL synthesis, if a given LTL specification is unrealizable, we must refine it in LTL. One approach for refining an unrealizable LTL specification \(\varphi \) is to add or strengthen the assumptions \(\psi \) regarding the environment, such that a refined specification \(\psi \rightarrow \varphi \) is realizable. In [14], Chatterjee et al. proposed a method for computing some of these assumptions. However, the computed assumptions are not logical formulae in their naive method and may be difficult to understand intuitively. Additionally, they may not be allowable in practice. Hagihara et al. [25] introduced a method for efficiently extracting an assumption that makes a given specification strongly satisfiable, where strong satisfiability [31] is a necessary condition of realizability. The extracted assumption is the weakest LTL formula in a certain class and is easy to understand. Li et al. [30] provided a method for finding an allowable assumption that makes a given specification realizable, where the assumption is mined from given LTL templates. Even if we obtain \(\psi \), we must consider many things when synthesizing a reactive system from \(\psi \rightarrow \varphi \). A system synthesized from \(\psi \rightarrow \varphi \) may stop trying to satisfy \(\varphi \) after an unexpected input that violates \(\psi \), i.e., it may be intolerant [26]. Moreover, such a system may violate \(\psi \) against the wishes of its environment. In [7], Bloem et al. discussed how to deal with environmental assumptions and surveyed existing approaches.
One approach is to weaken some of the partial specifications that cause the unrealizability of the whole specification, \(\varphi =\bigwedge _{\varphi _i \in \varPhi } \varphi _i\). In this approach, we first find a subset of these partial specifications, i.e., \(\varPhi ' \subseteq \varPhi \) such that \(\bigwedge _{\varphi _i \in \varPhi '} \varphi _i\) is unrealizable. In [24], Hagihara et al. proposed a method for finding minimal strongly unsatisfiable subsets of specifications. Even if we find these partial specifications, it is difficult (but preferable) to obtain a refined specification that is realizable and close to the original. The intention of an original partial specification might not be preserved in the refined specification. Hence, handling specification re-refinements associated with changes to the original specifications is difficult.
If the whole specification is unrealizable, it is still preferable to synthesize a best-effort reactive system, i.e., a system that maximally realizes its partial specifications.
1.2 Our goal and approach
A whole reactive system specification usually consists of some sub-specifications. If the whole specification is unrealizable, we first try to refine some of the sub-specifications before we drastically reconsider the whole specification. We can divide the specifications into must specifications, which should never be violated, and desirable specifications, the violation of which may be unavoidable. More precisely, the sub-specifications have a priority order, and each sub-specification may be violated if it competes with other higher-priority sub-specifications. Must specifications have the highest priority, and hence they should never be violated.
In this paper, we propose a method for synthesizing a reactive system that realizes all given must specifications and endeavors to satisfy the given desirable specifications as much as possible considering their priorities.
In the endeavor, we consider it reasonable that a desirable specification has no assumption. This is because the system attempts to do its best regardless of whether an assumption holds, even though the best effort will depend on the assumption. The general form of the specifications without assumptions is a \(\mathbf{G }\)-formula \(\mathbf{G }\varphi \), which means “\(\varphi \) always holds”, i.e., “\(\varphi \) holds at every step during an infinite-step interaction with the environment”. In our approach, the best effort at satisfying \(\mathbf{G }\varphi \) maximizes the number of steps that satisfy \(\varphi \).
Therefore, we use a mean-payoff objective based on LTL formulae to quantitatively evaluate the number of steps. For each desirable specification \(\mathbf{G }\varphi _i\), we basically consider a positive payoff for each occurrence of a step that satisfies \(\varphi _i\) during an interaction. However, it is often difficult to strictly impose this payoff, because whether \(\varphi \) holds at a step generally depends on the entire subsequent behavior. \(\mathbf{G }\varphi _i\) can be under-approximated into a safety property by assigning a bound k to a universal co-Büchi word automaton (UCWA), which accepts words satisfying \(\mathbf{G }\varphi _i\). We then consider a negative payoff for occurrences of minimal bad prefixes of a safety property represented by a k-bounded UCWA [22] (k-UCWA) that rejects some of the words accepted by the unbounded UCWA. This approximation was inspired by the Safraless approach [8, 18, 22, 27, 28]. Our mean-payoff objective \({\textsf {MP}}(\sum _{1 \le i \le n} c_i \cdot t_i)\) is the limit inferior of averages for a sequence of weighted sums \(\sum _{1 \le i \le n} c_i \cdot t_i\) of payoffs \(t_i\) for desirable specifications \(\mathbf{G }\varphi _i\), considering weights \(c_i\) according to their priorities.
In our method, we first apply a UCWA-based Safraless method [8, 18, 22] to construct an under-approximated safety game from a must LTL specification \(\varphi \). We obtain a winning region \(\mathcal {W}\) on the game as a set of reactive systems realizing an under-approximation of \(\varphi \). Second, we construct mean-payoff games \(\mathcal {M}^{t_i}\) from atomic terms \(t_i\) in the mean-payoff objective \({\textsf {MP}}(\sum _{1 \le i \le n} c_i \cdot t_i)\), reusing the procedures in the Safraless method. Finally, we compose a reactive system as an optimal strategy on a weighted synchronized product of the region \(\mathcal {W}\) and the mean-payoff games \(\mathcal {M}^{t_1},\ldots ,\mathcal {M}^{t_n}\). An outline of our approach is depicted in Fig. 1.
1.3 Plan of the paper
In Sect. 2, we introduce some definitions and concepts concerning reactive systems, LTL, games, and Safraless synthesis. We define our mean-payoff objectives and show how to interpret desirable LTL specifications in the mean-payoff objectives in Sect. 3. In Sect. 4, we describe our method for synthesizing a reactive system from a must LTL specification and a mean-payoff objective. We demonstrate the effectiveness of our method using some experiments in Sect. 5. Section 6 contains some information on related work, and Sect. 7 concludes the paper.
2 Preliminaries
In this section, we first introduce some definitions and concepts regarding reactive systems that interact with the external environment. Second, we briefly introduce LTL [33], which is commonly used to describe formal behavioral specifications of systems. Third, we give some definitions and concepts regarding games, which model sets of interactions between systems and their environment, and the related decision-making processes. Finally, we briefly outline Safraless synthesis [8, 18, 22, 27, 28].
2.1 Reactive systems
A reactive system models an open system that interacts continuously with an external environment. It cannot control a sequence of inputs from the environment and hence must choose an output at each step based on the history of the interaction thus far.

An interaction between a reactive system and the environment is represented as an infinite word on alphabet \(2^{{ AP}}\), i.e., an infinite sequence \(s = (\alpha _0^O \cup \alpha _0^I) (\alpha _1^O \cup \alpha _1^I) \cdots \in (2^{{ AP}})^{\omega }\).

A reactive system is a function \(\mathcal {R}: (2^{{ IAP}})^* \rightarrow 2^{{ OAP}}\) that decides an output \(\alpha _n^O \in 2^{{ OAP}}\) at the current step, based on a sequence \(h \in (2^{{ IAP}})^*\) of inputs thus far.\(^{1}\)
2.2 Linear temporal logic (LTL)
Linear temporal logic [33] is a modal logic used to express temporal properties and is widely used to describe formal behavioral specifications of systems.
2.2.1 Syntax and semantics
Linear temporal logic has standard logical connectives (\(\lnot \), \(\vee \), and \(\wedge \)) and temporal operators (the next operator, \(\mathbf{X }\), the until operator, \(\mathbf{U }\), and the release operator, \(\mathbf{R }\)).
Definition 1
Intuitively, \(\mathbf{X }\varphi \) means that “\(\varphi \) holds in the next step”, \(\varphi _1 \mathbf{U }\varphi _2\) means that “\(\varphi _2\) eventually holds, and \(\varphi _1\) continually holds until then” (i.e., \(\varphi _1\) until \(\varphi _2\)), and \(\varphi _1 \mathbf{R }\varphi _2\) means that “\(\varphi _2\) holds until and including the point when \(\varphi _1\) holds” (i.e., \(\varphi _1\) releases \(\varphi _2\)). Note that the release operator \(\mathbf{R }\) is the dual of the until operator \(\mathbf{U }\).
Linear temporal logic semantics is defined as a satisfaction relation \(\models \) between an infinite word on \(2^{{ AP}}\) and an LTL formula.
Definition 2
The set \(\{s \in (2^{{ AP}})^{\omega } \mid s \models \varphi \}\) of words satisfying \(\varphi \) is denoted by \(\mathcal {L}(\varphi )\). An LTL formula \(\varphi \) is satisfiable (or consistent) if \(\mathcal {L}(\varphi ) \ne \emptyset \).
2.2.2 Realizability
A reactive system specification \(\varphi \) described in LTL specifies a set of valid interactions as \(\mathcal {L}(\varphi )\). Note that a reactive system must decide an output at each step using the history of the interaction up to then. Thus, a reactive system specification given as an LTL formula \(\varphi \) must be realizable [1, 34, 35] (or programmable).
Definition 3
2.2.3 Minimal bad prefixes
For a language \(L \subseteq \Sigma ^{\omega }\) (i.e., a set of words) on an alphabet \(\Sigma \), we can sometimes determine that a word s is not in L using only a prefix of s. Such a prefix is called a bad prefix of L. Formally, a nonempty finite word \(s \in \Sigma ^+\) on \(\Sigma \) is a bad prefix of \(L \subseteq \Sigma ^{\omega }\) if \(s s' \not \in L\) for any infinite word \(s' \in \Sigma ^{\omega }\), and it is minimal if no proper prefix of it is a bad prefix of L. The set of minimal bad prefixes of L is denoted by \({ BadPref}(L)\).
A language \(L \subseteq \Sigma ^{\omega }\) is a safety property if L is equivalent to the complement \(\Sigma ^{\omega } \setminus ({ BadPref}(L)(\Sigma ^{\omega }))\) of a set of words with bad prefixes of L. If \(\varphi \) is a safe LTL formula, \(\mathcal {L}(\varphi )\) is a safety property.
2.2.4 LTL-to-automata translation
For verification, an LTL formula \(\varphi \) is often translated into an \(\omega \)-automaton accepting \(\mathcal {L}(\varphi )\). The set of words accepted by an automaton \(\mathcal {A}\) is also denoted by \(\mathcal {L}(\mathcal {A})\). An LTL formula \(\varphi \) is equivalent to \(\mathcal {A}\) if \(\mathcal {L}(\varphi ) = \mathcal {L}(\mathcal {A})\).
A UCWA accepts a word if all of its corresponding runs visit their rejecting states only finitely many times. A UCWA is the dual of a nondeterministic Büchi word automaton (NBWA). We can therefore translate an LTL formula \(\varphi \) into an equivalent UCWA \(\mathcal {A}^{\varphi }\), using a standard LTL-to-NBWA translation technique [3, 17, 23, 40]. In automata-based approaches, synthesis and probabilistic model checking require that the automaton used is deterministic,\(^{2}\) unlike naive model checking and satisfiability checking. Safra’s construction [32, 36, 37, 38] is used to determinize UCWA (and NBWA) and is very complicated.
2.3 Games
A game models the set of interactions among agents and a related decision-making process. In LTL synthesis, a game is used to model the set of interactions between a reactive system and the environment.
Definition 4
 \(A=\langle V_0, V_1, \varGamma _0, \varGamma _1, E_0, E_1 \rangle \) is an arena, where

\(V_0\) (resp., \(V_1\)) is a disjoint set of states for Player 0 (resp., Player 1)

\(\varGamma _0\) (resp., \(\varGamma _1\)) is a set of actions for Player 0 (resp., Player 1),

\(E_0 : V_0 \times \varGamma _0 \rightarrow V_1\) (resp., \(E_1 : V_1 \times \varGamma _1 \rightarrow V_0\)) is a (possibly, partial) transition function which maps to \(V_1\) (resp., \(V_0\)) from \(V_0\) (resp., \(V_1\)) and \(\varGamma _0\) (resp., \(\varGamma _1\)),


\(v_{{ init}} \in V_0\) is the initial state,

\({ outcome}: (E_0 E_1)^{\omega } \rightarrow \mathbb {R}\) is a function that gives the outcome of a play \(\rho \in (E_0 E_1)^{\omega }\).
When the current state is v in \(V_0\) (resp., \(V_1\)), Player 0 (resp., Player 1) chooses its action \(\gamma \) in \(\varGamma _0\) (resp., \(\varGamma _1\)), and the state moves according to transition function \(E_0\) (resp., \(E_1\)). Let \(\sigma \in \{0,1\}\). If \(E_{\sigma }(v, \gamma ) = v'\), there is a transition to \(v'\) from v with \(\gamma \). If \(E_{\sigma }(v, \gamma )\) is undefined for some action \(\gamma \) (i.e., \(E_{\sigma }\) is a partial function), \(\gamma \) is unavailable on v. In this paper, we assume that all states have at least one available action; i.e., there is no dead-end state. We let \(E_{\sigma }\) also denote the set \(\{\langle v,\gamma ,v' \rangle \mid E_{\sigma }(v,\gamma )= v'\}\) of triples that represent transitions. For an available transition \(e = \langle v,\gamma ,v' \rangle \), its predecessor state v, successor state \(v'\), and action \(\gamma \) are denoted by \({ pred}(e)\), \({ succ}(e)\), and \({ act}(e)\), respectively.
A play \(\rho \) on \(\mathcal {G}\) is an infinite alternating sequence \(e_0 e_1 e_2 e_3 \cdots \in (E_0 E_1)^{\omega }\) of 0- and 1-transitions, where the starting state \({ pred}(e_0)\) is the initial state \(v_{{ init}}\). It is available if \({ succ}(e_i) = { pred}(e_{i+1})\) for each \(i \in \mathbb {N}\). The set of available plays on \(\mathcal {G}\) is denoted by \({ Play}(\mathcal {G})\).
An outcome of an available play is evaluated according to function \({ outcome}\). When the outcomes are in a binary set, an outcome is often interpreted as either win or loss. In this paper, we use two types of game: safety games and mean-payoff games.
2.3.1 Safety games
The outcome of a safety game is evaluated based on a safety condition and is mapped to the binary \(\{0, 1\}\).
Definition 5
Player 0 wins (and Player 1 loses) for \(\rho \) if \({ outcome}^{S}(\rho )=1\), i.e., \(\rho \) stays in S forever (safety condition). Otherwise, i.e., if \(\rho \) reaches the complement of S, Player 0 loses (and Player 1 wins). Therefore, this kind of game is a reachability game from the standpoint of Player 1.
The outcome \({ outcome}^{S}\) is characterized by S, and therefore we use a triple \(\langle A, v_{init},S \rangle \) instead of \(\langle A, v_{init},{ outcome}^S \rangle \).
2.3.2 Mean-payoff games
The outcome of a mean-payoff game is evaluated based on the limit inferior of averages for a sequence of payoffs assigned at each transition according to a given weighting function.
Definition 6
For a mean-payoff game, a threshold k is often given as a winning condition. That is, Player 0 wins (and Player 1 loses) for a play \(\rho \in { Play}(\mathcal {M})\) if \({ outcome}^{W}(\rho ) \ge k\).
The outcome \({ outcome}^{W}\) is characterized by W, and so we use a triple \(\langle A, v_{init},W \rangle \) instead of \(\langle A, v_{init},{ outcome}^W \rangle \).
2.3.3 Strategies
The goal of Player 0 (resp., Player 1) is to maximize (resp., to minimize) the outcome. Player \(\sigma \in \{0,1\}\) must choose an available action (and its corresponding transition) for their current state v based on a finite sequence \(e_0 e_1 \ldots e_{2n+\sigma -1} \in E_0 E_1 \ldots E_{\sigma } E_{1-\sigma }\) of previous transitions such that \(v_{init}= { pred}(e_0)\), \({ succ}(e_i)={ pred}(e_{i+1})\) for \(0 \le i < 2n+\sigma -1\), and \(v={ succ}(e_{2n+\sigma -1})\).
A strategy \(\mu _{0}: E_1^* \rightarrow E_0\) of Player 0 (resp., \(\mu _{1}: E_0^+ \rightarrow E_1\) of Player 1) on a game \(\mathcal {G}\) is a function that decides the next transition \(e_{2n}\) (resp., \(e_{2n+1}\)) from a set \(\{e \in E_{0} \mid { succ}(e_{2n-1}) = { pred}(e)\}\) (resp., \(\{e \in E_{1} \mid { succ}(e_{2n}) = { pred}(e)\}\)) of available transitions from \({ succ}(e_{2n-1})\) (resp., \({ succ}(e_{2n})\)). The 0-strategy \(\mu _0\) and 1-strategy \(\mu _1\) pair derives a play \(\rho ^{\{\mu _0, \mu _1\}} = e_0 e_1 \ldots \in { Play}(\mathcal {G})\) where \(e_0= \mu _0(\varepsilon )\), \(e_{2i+1} = \mu _{1}(e_{0} e_{2} \ldots e_{2i})\), and \(e_{2i+2} = \mu _{0}(e_{1} e_{3} \ldots e_{2i+1})\).
A 0-strategy \(\mu _{0}\) (resp. 1-strategy \(\mu _1\)) is memoryless or positional if there exists a function \(\nu _0 : V_0 \rightarrow E_0\) (resp. \(\nu _1 : V_1 \rightarrow E_1\)) that gives a next available transition for the current state, such that \(\mu _{0}(\varepsilon ) = \nu _{0}(v_{{ init}})\) and \(\mu _{0}(e_0 \ldots e_i) = \nu _{0}({ succ}(e_i))\) (resp. \(\mu _{1}(e_0 \ldots e_i) = \nu _{1}({ succ}(e_i))\)). In this case, \(\nu _{0}\) (resp. \(\nu _1\)) is equivalent to \(\mu _{0}\) (resp. \(\mu _1\)).
For safety games [19] and mean-payoff games [20], each player has a strategy that is both optimal and memoryless. Therefore, we only consider memoryless strategies in the following sections.
2.3.4 Winning regions
For a safety game \(\mathcal {G}\) with an arena \(A = \langle V_0, V_1, \varGamma _0,\varGamma _1,E_0,E_1 \rangle \), an initial state \(v_{init}\), and a safe region \(S \subseteq V_0 \cup V_1\), Player 0 will try to choose a transition such that they stay in S.
The winning region \(\mathcal {W}\) for Player 0 is the maximal subgraph \(\langle V_0', V_1', \varGamma _0,\varGamma _1,E_0'\), \(E_1' \rangle \) of A such that \(V_0' \subseteq V_0 \cap S\), \(V_1' \subseteq V_1 \cap S\), \(E_0' \subseteq E_0 \cap (V_0' \times \varGamma _0 \times V_1')\) and \(E_1' = E_1 \cap (V_1' \times \varGamma _1 \times V_0)\). Player 0 can ensure that they stay in \(\mathcal {W}\) because any 1state \(v \in V_1'\) has no successor outside of S. The region is maximal, and hence Player 0 has a winning strategy if \(v_{{ init}} \in V_0'\). In this case, \(\mathcal {W}\) represents the set of all winning strategies on \(\mathcal {G}\), and we let \(\mathcal {W}\) be a subgame \(\langle \mathcal {W}, v_{init}, V_0' \cup V_1' \rangle \) consisting of \(\mathcal {W}\).
For a safety game, we can efficiently extract the winning region using a simple fixed-point computation, in time \(\mathcal {O}(E_0+E_1)\) [19].
2.3.5 Reactive systems as strategies

Players 0 and 1 represent systemside and environmentside players, respectively.

\(\varGamma _0\) is \(2^{{ OAP}}\), and \(\varGamma _1\) is \(2^{{ IAP}}\).

\(E_0\) may be partial, whereas \(E_1\) must be total.
 An available play \(\rho = e_0 e_1\ldots \in { Play}(\mathcal {G})\) corresponds to an interaction \({ trace}(\rho ) \in (2^{{ AP}})^{\omega }\),

where a trace \({ trace}(\rho )\) on \(\rho \) is an infinite word \(({ act}(e_0) \cup { act}(e_1)) ({ act}(e_{2}) \cup { act}(e_{3}))\cdots ({ act}(e_{2i}) \cup { act}(e_{2i+1}))\ldots \).

\(\mathcal {R}^{\nu _0}(\varepsilon )=\alpha _0^O\) and \(\mathcal {R}^{\nu _0}(\alpha _0^I \ldots \alpha _i^I)=\alpha _{i+1}^O\) where, for \(0 \le j \le i\),

\(v_0=v_{{ init}}\), \(v_{2(j+1)} = E_1( E_0(v_{2j},\alpha _{j}^O),\alpha _{j}^I)\), and

\(\alpha _0^O={ act}(\nu _0(v_{0}))\) and \(\alpha _{j+1}^O={ act}(\nu _0(v_{2(j+1)}))\).

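The fixed-point extraction of Sect. 2.3.4 and the reading of a memoryless strategy as a reactive system in Sect. 2.3.5 are small enough to run end to end. The following is an added example, not code from the paper: it encodes an arena with Player 0 states, Player 1 states, a partial \(E_0\), a total \(E_1\) and a safe region \(S\), prunes the arena to the winning region, picks one surviving transition per 0-state as \(\nu _0\), and replays inputs through \(E_0\) and \(E_1\) to obtain \(\mathcal {R}^{\nu _0}\). The arena itself (\({ OAP}=\{g\}\), \({ IAP}=\{r\}\), a pending request that must be granted at the next step, a "trap" branch the environment can push out of \(S\)) is constructed for this example; the naive iteration is quadratic, whereas the linear-time version cited as [19] indexes predecessors.

```python
from typing import Callable, Dict, FrozenSet, Hashable, Set, Tuple

State = Hashable
Action = FrozenSet[str]                       # a subset of OAP (Player 0) or IAP (Player 1)
TransFn = Dict[Tuple[State, Action], State]   # E_sigma as a (possibly partial) mapping


def extract_winning_region(V0: Set[State], V1: Set[State], E0: TransFn, E1: TransFn,
                           S: Set[State]):
    """Player-0 winning region of the safety game <A, v_init, S> by a fixed point.

    Starting from S, repeatedly drop a 1-state that has some environment move
    leaving the current region, and a 0-state that has no system move into it.
    Returns (V_0', V_1', E_0', E_1') as in Sect. 2.3.4.
    """
    W0 = set(V0) & set(S)
    W1 = set(V1) & set(S)
    changed = True
    while changed:
        changed = False
        for v in list(W1):
            # E1 is total: every environment action is available, so any
            # successor outside W0 lets Player 1 leave the safe region
            if any(succ not in W0 for (pred, _), succ in E1.items() if pred == v):
                W1.discard(v)
                changed = True
        for v in list(W0):
            # a 0-state needs at least one available action that stays inside W1
            if not any(succ in W1 for (pred, _), succ in E0.items() if pred == v):
                W0.discard(v)
                changed = True
    E0p = {k: succ for k, succ in E0.items() if k[0] in W0 and succ in W1}
    E1p = {k: succ for k, succ in E1.items() if k[0] in W1}
    return W0, W1, E0p, E1p


def memoryless_strategy(E0p: TransFn) -> Dict[State, Tuple[State, Action, State]]:
    """nu_0 : V_0' -> E_0', keeping one surviving transition per 0-state."""
    nu0 = {}
    for (pred, act), succ in E0p.items():
        nu0.setdefault(pred, (pred, act, succ))
    return nu0


def reactive_system(nu0, E0: TransFn, E1: TransFn, v_init: State) -> Callable:
    """R^{nu_0} : (2^IAP)* -> 2^OAP, replaying the play as in Sect. 2.3.5."""
    def R(inputs: Tuple[Action, ...]) -> Action:
        v = v_init
        out = nu0[v][1]                       # alpha_0^O = act(nu_0(v_init))
        for alpha_in in inputs:
            v = E1[(E0[(v, out)], alpha_in)]  # v_{2(j+1)} = E_1(E_0(v_2j, a^O_j), a^I_j)
            out = nu0[v][1]                   # alpha_{j+1}^O = act(nu_0(v_{2(j+1)}))
        return out
    return R


# Constructed sample arena (not from the paper): OAP = {g}, IAP = {r}.
# A request r must be answered with g at the next step (s1 = request pending).
# Granting without a pending request leads to e_trap, from which the environment
# can force lost0, outside S; "trap" is a 0-state whose only move is into e_trap.
G, REQ, NONE = frozenset({"g"}), frozenset({"r"}), frozenset()
V0 = {"s0", "s1", "trap", "lost0"}
V1 = {"e_ok", "e_trap", "e_bad"}
E0 = {("s0", NONE): "e_ok", ("s0", G): "e_trap",
      ("s1", G): "e_ok", ("s1", NONE): "e_bad",
      ("trap", NONE): "e_trap",
      ("lost0", NONE): "e_bad", ("lost0", G): "e_bad"}
E1 = {("e_ok", REQ): "s1", ("e_ok", NONE): "s0",
      ("e_trap", REQ): "lost0", ("e_trap", NONE): "s0",
      ("e_bad", REQ): "lost0", ("e_bad", NONE): "lost0"}
S = {"s0", "s1", "trap", "e_ok", "e_trap"}
V_INIT = "s0"


def solve_sample():
    """Winning region of the sample game and the reactive system read from it."""
    W0, W1, E0p, _ = extract_winning_region(V0, V1, E0, E1, S)
    realizable = V_INIT in W0
    system = reactive_system(memoryless_strategy(E0p), E0, E1, V_INIT) if realizable else None
    return W0, W1, set(E0p), realizable, system


if __name__ == "__main__":
    W0, W1, E0p_keys, realizable, system = solve_sample()
    print("winning region:", sorted(W0), sorted(W1))
    print("realizable:", realizable, "R(r) =", set(system((REQ,))))
```

The pruning does two different things here: e_trap is dropped because one of its (total) environment moves leaves \(S\), and trap is then dropped because its only system move no longer lands in the region; the spurious grant from s0 disappears with e_trap, so \(E_0'\) keeps only the two transitions a correct controller needs.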
2.4 Safraless synthesis
Safraless synthesis [8, 18, 22, 27, 28] is a mainstream method for LTL synthesis.
The outline of a UCWA-based method [8, 18, 22] is given in Algorithm 1. For a given LTL formula \(\varphi \) on a set \({ AP}\) (\(= { IAP}\cup { OAP}\)) of atomic propositions, we first construct a UCWA \(\mathcal {A}^{\varphi }\) accepting \(\mathcal {L}(\varphi )\) (the procedure \(\texttt {LTL2UCWA\_translation}\) at Line 1) and initialize the bound k to 0 (Line 2). Let \(\mathcal {T}\) be an LTL-to-UCWA mapping implemented by LTL2UCWA_translation, i.e., \(\mathcal {A}^{\varphi }=\mathcal {T}({\varphi })\). We next derive an under-approximation of \(\mathcal {A}^{\varphi }\) using k and transform the under-approximated k-UCWA \(\mathcal {T}^k({\varphi })\) into a safety game \(\mathcal {S}^{\varphi ,k}\) (the procedure \(\texttt {BUCWA2SG\_transformation}\) at Line 4). This transformation consists of determinizing \(\mathcal {A}^{\varphi }\) and dividing its states/transitions into system-side and environment-side ones based on the respective sets \({ OAP}\) and \({ IAP}\) of output and input propositions. \(\mathcal {S}^{\varphi ,k}\) has the characteristics described in Sect. 2.3.5. Additionally, the winning condition of \(\mathcal {S}^{\varphi ,k}\) corresponds to the under-approximated property \(\mathcal {L}(\mathcal {T}^k({\varphi }))\) of \(\varphi \). Therefore, if the system-side player wins for a play \(\rho \) on \(\mathcal {S}^{\varphi ,k}\), \({ trace}(\rho )\) satisfies \(\varphi \). Then we extract a winning region \(\mathcal {W}^{\varphi ,k}\) for the system-side player on \(\mathcal {S}^{\varphi ,k}\) (the procedure \(\texttt {extract\_winning\_region}\) at Line 5). If the initial state of \(\mathcal {S}^{\varphi ,k}\) is in \(\mathcal {W}^{\varphi ,k}\) (Line 6), there exists a reactive system that realizes \(\varphi \). Otherwise, k is incremented (Line 9), and we repeat the loop from Line 3. Lines 1–10 check the realizability of \(\varphi \); in practice, the unrealizability of \(\varphi \) is also checked in parallel.
Finally, we concretely compose a winning strategy \(\nu \) for the system-side player on \(\mathcal {W}^{\varphi ,k}\) (the procedure \(\texttt {winning\_strategy}\) at Line 11).
3 Mean-payoff objectives
In this section, we focus on desirable specifications and introduce the mean-payoff objective that encodes the desirable specifications.
3.1 Basic idea
The general form of desirable specifications without assumptions is a \(\mathbf{G }\)-formula \(\mathbf{G }\varphi \). We consider that a preferable reactive system should endeavor to satisfy \(\varphi \) at each step, i.e., to maximize the number of steps satisfying \(\varphi \) to the extent possible.
A mean-payoff is a natural fit for quantitatively evaluating the desirability when the payoff at each step depends on the importance of the desirable specification \(\mathbf{G }\varphi \) and on whether \(\varphi \) holds at the step. Therefore, we propose a mean-payoff objective, which covers the set of desirable specifications. We can optimize a reactive system using the mean-payoff objective, which quantitatively specifies the desirability of interactions with the environment.
3.2 Syntax and semantics
We now introduce the syntax and semantics for mean-payoff objectives, based on the ideas in the previous subsection.
The syntax of mean-payoff objectives is defined, in a similar manner to [39], as follows.
Definition 7
For a payoff term t, a mean-payoff objective is a term \({\textsf {MP}}(t)\).
Intuitively, \({\textsf {S}}(\chi )\) means that a payoff of 1 is given at a step if \(\chi \) holds at the step, i.e., \({\textsf {S}}(\chi )\) strictly captures whether \(\chi \) holds at the step. The value of \({\textsf {S}}(\chi )\) at a step depends on the behavior over the next n steps, where n is the depth of \(\mathbf{X }\) in \(\chi \). In contrast, \({\textsf {B}}^{b}(\varphi )\) means that a payoff of \(-1\) is given for each occurrence of a minimal bad prefix of \(\mathcal {L}(\mathcal {T}^{b}(\varphi ))\), where overlapping of the prefixes is not considered. The value of \({\textsf {B}}^{b}(\varphi )\) at a step depends on the preceding behavior. The coefficient c of the product term \(c \cdot t\) is used as a weight that depends on the desirability of t. We abbreviate \(c \cdot {\textsf {S}}(\top )\) to c and \({\textsf {B}}^0(\varphi )\) to \({\textsf {B}}(\varphi )\).
Note that a \({\textsf {B}}\)-term \({\textsf {B}}^{b}(\varphi )\) should be treated attentively, for two reasons. First, the precise meaning of the \({\textsf {B}}\)-term depends on an LTL-to-automata translation \(\mathcal {T}\) that does not appear in the syntax. From the syntax alone, it is impossible to know the structure of \(\mathcal {T}(\varphi )\), and hence it is not clear what is lost in \(\mathcal {T}^{b}(\varphi )\). For example, a certain translator under-approximates \(\mathbf{G }\mathbf{F }p\) into \(\mathbf{G }\mathbf{F }^{\le b} p\), but another translator outputs \(\mathbf{G }\mathbf{F }^{\le b+1} p\). The loss depends strongly on \(\mathcal {T}\), although it becomes smaller as b becomes larger. Even if we do not use a sufficiently large b, we can estimate the loss for b when we fix \(\mathcal {T}\) and construct \(\mathcal {T}(\varphi )\) experimentally in advance. For instance, the size of the state space and the length of the shortest path from the initial state to a rejecting state of \(\mathcal {T}(\varphi )\) will be important information for the estimation. Second, a \({\textsf {B}}\)-term focuses only on non-overlapped minimal bad prefixes. For the example shown in Fig. 3, the first and sixth occurrences of minimal bad prefixes are counted and the others are not. We do not strictly count occurrences of minimal bad prefixes, which play an important role in the violation of \(\mathcal {T}^{b}(\varphi )\).
The semantics of mean-payoff objectives is given in the following.
Definition 8
3.2.1 Choice of LTL-to-automata translators
In formal verification and analysis, it is normally preferable that an LTL-to-automata translator composes an automaton not only efficiently but also with tractable characteristics, e.g., a smaller state space, a simpler acceptance condition, and certain limitations on the transition function. Most existing translators, e.g., LTL2BA\(^{4}\) [23], SPOT\(^{5}\) [17] and LTL3BA\(^{6}\) [3], try to compose such automata. Our semantics of mean-payoff objectives depends strongly on the LTL-to-automata translator \(\mathcal {T}\), so the choice of \(\mathcal {T}\) is very important, especially when the bounds for \({\textsf {B}}\)-terms are not sufficiently large.
However, the preference in the normal sense may not be suited to our approach. This is because the preference on LTL-to-automata translators in our method should be considered on the premise of using the k-UCWA approximation.
There are questions on the preferable translation in our method; however, they are beyond the scope of this paper.
3.2.2 The relations between mean-payoff objectives and \(\mathbf{G }\mathbf{F }\)/\(\mathbf{F }\mathbf{G }\)-formulae
3.2.3 Mean-payoff objectives for words with periodic suffixes
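The informal semantics of Sect. 3.2 (a payoff of 1 at each step where \(\chi \) holds, averaged in the limit inferior) can be computed exactly on words with a periodic suffix, which is the case Sect. 3.2.3 singles out. The following is an added example, not the paper's code or its Definition 8: it evaluates \({\textsf {MP}}(\sum _i c_i \cdot {\textsf {S}}(\chi _i))\) on a lasso word (finite prefix plus a loop repeated forever) for \(\chi \) built from atomic propositions, Boolean connectives and \(\mathbf{X }\). Because each \({\textsf {S}}\)-term looks only finitely many steps ahead, the payoff sequence becomes periodic once the loop is entered, so the limit inferior of averages is the mean over one period. The tuple encoding of formulae, the sample word and the weights are assumptions of this example; \({\textsf {B}}\)-terms are left out because, as the text notes, their meaning depends on the translator \(\mathcal {T}\).

```python
from fractions import Fraction
from typing import FrozenSet, List, Tuple

Letter = FrozenSet[str]
Lasso = Tuple[List[Letter], List[Letter]]   # (finite prefix, non-empty loop repeated forever)

# chi is a nested tuple over "true", ("ap", p), ("not", f), ("and", f, g), ("or", f, g), ("X", f).
# The X-depth of chi bounds how far ahead the payoff at a step looks (Sect. 3.2).


def letter_at(word: Lasso, i: int) -> Letter:
    """Letter of the infinite word prefix . loop^omega at position i."""
    prefix, loop = word
    return prefix[i] if i < len(prefix) else loop[(i - len(prefix)) % len(loop)]


def holds(chi, word: Lasso, i: int) -> bool:
    """Satisfaction of the X-only LTL fragment at position i of the lasso word."""
    op = chi[0]
    if op == "true":
        return True
    if op == "ap":
        return chi[1] in letter_at(word, i)
    if op == "not":
        return not holds(chi[1], word, i)
    if op == "and":
        return holds(chi[1], word, i) and holds(chi[2], word, i)
    if op == "or":
        return holds(chi[1], word, i) or holds(chi[2], word, i)
    if op == "X":
        return holds(chi[1], word, i + 1)
    raise ValueError(f"unknown operator {op!r}")


def step_payoff(terms, word: Lasso, i: int) -> Fraction:
    """Weighted sum of S-terms at step i: S(chi) pays 1 iff chi holds at i, else 0."""
    return sum((Fraction(c) for c, chi in terms if holds(chi, word, i)), Fraction(0))


def mean_payoff(terms, word: Lasso) -> Fraction:
    """MP(sum c_i * S(chi_i)) on a lasso word.

    From position |prefix| on, letters repeat with period |loop| and every S-term
    reads only finitely many steps ahead, so the payoff sequence is periodic there.
    The running averages therefore converge, and the limit inferior is the mean over
    one period (the finite prefix contributes nothing in the limit).
    """
    prefix, loop = word
    start = len(prefix)
    total = sum((step_payoff(terms, word, i) for i in range(start, start + len(loop))),
                Fraction(0))
    return total / len(loop)


def implies(a, b):
    return ("or", ("not", a), b)


# Constructed sample (assumption of this example): the desirable specification
# G(r -> X g), "a request is granted at the next step", interpreted as the S-term
# S(r -> X g) with weight 2, plus S(g) with weight 1.
R, G = ("ap", "r"), ("ap", "g")
TERMS = [(2, implies(R, ("X", G))), (1, G)]
WORD: Lasso = ([frozenset({"r"})],
               [frozenset({"r"}), frozenset(), frozenset({"r"}), frozenset({"g"})])

if __name__ == "__main__":
    print("MP =", mean_payoff(TERMS, WORD))   # 7/4: r -> X g fails at one of four loop steps
```

On the sample word, \(r \rightarrow \mathbf{X }g\) holds at three of the four loop positions and \(g\) at one, giving \(2 \cdot 3/4 + 1 \cdot 1/4 = 7/4\). A positive value of \({\textsf {MP}}({\textsf {S}}(g))\) on a lasso word also certifies that \(g\) occurs in the loop, which is the kind of connection to \(\mathbf{G }\mathbf{F }\)-formulae that Sect. 3.2.2 refers to.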
3.3 Interpretation
A mean-payoff objective can be constructed from scratch. However, if a conjunction of must LTL specifications is unrealizable, some of them should be downgraded to desirable specifications. In this subsection, we show how to interpret these desirable LTL specifications in a mean-payoff objective. This interpretation may be conducted along with refining the other must LTL specifications. However, for simplicity, we only consider interpretations without the refinement and assume that all desirable LTL specifications are \(\mathbf{G }\)-formulae.
3.3.1 General cases
We first address how to interpret each desirable LTL specification \(\mathbf{G }\varphi _i\), without considering the detailed structure and intention of its subformula \(\varphi _i\). We provide naive interpretation guidelines; however, the details of the interpretation should be specified based on desirability.

Maximizing the mean-payoff for the \({\textsf {S}}\)-term given by Eq. (57) [resp., Eq. (65)] corresponds to making an effort to satisfy \(\varphi _i\) (resp., the approximated property of \(\varphi _i\)) at each step.

Maximizing the mean-payoff for the \({\textsf {B}}\)-term given by Eq. (58) [resp., Eqs. (59), (64) or (66)] corresponds to making an effort to avoid violating \(\mathbf{G }\varphi _i\) (resp., the under-approximated property of \(\mathbf{G }\varphi _i\)) at each step.
3.3.2 Special cases
In this type of interpretation, it is sometimes possible to naturally formalize requirements, e.g. “as soon as possible” as above, that are difficult (or impossible) to express in LTL.
3.4 Assumptions
A kind of soft assumption which may be violated by the environment can be included in our mean-payoff objectives.
4 Our synthesis method
In this section, we propose a method for synthesizing a reactive system that realizes all given must specifications and endeavors to satisfy the desirable specifications.
This problem can be strictly reduced to finding an optimal (or \(\varepsilon \)-optimal) strategy on a mean-payoff parity game [13]. However, this reduction generally requires a deterministic \(\omega \)-regular automaton, which is very difficult to obtain. Furthermore, the algorithm in [13] that solves the mean-payoff parity game is also very complicated, and the optimal (resp., \(\varepsilon \)-optimal) strategy generally requires infinite (resp., large) memory.
Considering the trade-off among computational cost, size (and finite memory), and optimality of the resulting reactive systems, we propose using the Safraless approach (Lines 1–10 in Algorithm 1) to obtain a winning region \(\mathcal {W}^{\varphi ,k}\) from \(\varphi \). We then compose a locally optimal reactive system for \({\textsf {MP}}(t)\) from the set of systems given as winning strategies in the winning region \(\mathcal {W}^{\varphi ,k}\). This is a generalization of the method in [26], which focuses on must LTL specifications of the assumption-guarantee form and mean-payoff objectives (interpreted from its guarantee part) without \({\textsf {B}}\)-terms.
4.1 Outline
4.2 Mean-payoff games for simple mean-payoff objectives
In this subsection, we explain how to construct a mean-payoff game \(\mathcal {M}^{t}\) from an atomic term \(t \in \{{\textsf {S}}(\chi ), {\textsf {B}}^k(\varphi )\}\), i.e., Lines 3–10 and 12–14 in Algorithm 2.
4.2.1 Mean-payoff game for \({\textsf {MP}}({\textsf {S}}(\chi ))\)
4.2.2 Mean-payoff game for \({\textsf {MP}}({\textsf {B}}^{b}(\varphi ))\)
For a term \({\textsf {MP}}({\textsf {B}}^{b}(\varphi ))\), we can obtain a UCWA \(\mathcal {A}^{\varphi }\) (\(=\mathcal {T}(\varphi )\)) by the procedure LTL2UCWA_translation at Line 12 in Algorithm 2. On a determinized safety word automaton of \(\mathcal {T}^b(\varphi )\) (resp., in \(\mathcal {A}^{\varphi }\)), reaching a rejecting state (resp., visiting rejecting states more than b times) on a run means that a minimal bad prefix of \(\mathcal {L}(\mathcal {T}^b(\varphi ))\) has occurred in its word. In the transformation from \(\mathcal {A}^{\varphi }\) with bound b into a mean-payoff game \(\mathcal {M}^{{\textsf {B}}^{b}(\varphi )}\) for \({\textsf {MP}}({\textsf {B}}^{b}(\varphi ))\), we use the rejecting states as guides for setting the payoffs.
4.3 Weighted synchronized product
Let \(\mathcal {W}^{\varphi ,k}\) be a winning region \(\langle \langle V_0^0, V_1^0, 2^{{ OAP}}, 2^{{ IAP}}, E_0^0, E_1^0 \rangle , v_{{ init}}^0, V_0^0 \cup V_1^0 \rangle \) of an input to Algorithm 2. For the payoff term \(t = \sum _{1 \le i \le n} c_i \cdot t_i\), let \(\mathcal {M}^{t_i}\) be the mean-payoff game \(\langle \langle V_0^i, V_1^i, 2^{{ OAP}}, 2^{{ IAP}}, E_0^i, E_1^i \rangle , v_{{ init}}^i, W^i \rangle \) constructed from \(t_i\) using either Line 10 or Line 14 in Algorithm 2.
4.4 Correctness and optimality
We have the following theorem.
Theorem 1
(Correctness of Algorithm 2) Algorithm 2 returns a reactive system that realizes \(\varphi \) and is optimal for the mean-payoff objective \({\textsf {MP}}(t)\) on the winning region \(\mathcal {W}^{\varphi ,k}\).
Proof
From Eqs. (93) and (94), the optimal strategy on \(\mathcal {M}^{\varphi ,k,t}\) is optimal on \(\mathcal {W}^{\varphi ,k}\), and any play on \(\mathcal {W}^{\varphi ,k}\) satisfies \(\varphi \). \(\square \)
As a result, we can obtain a reactive system that realizes \(\varphi \) and is locally optimal for \({\textsf {MP}}(t)\) in the sense of Eq. (72). Note that our method does not guarantee that the reactive system is globally optimal for \({\textsf {MP}}(t)\); this is the price paid for finite memory. The reason is that the must LTL specification \(\varphi \) is under-approximated in our method: the winning region \(\mathcal {W}^{\varphi ,k}\) derived from \(\varphi \) is based on the under-approximated safety property obtained via a UCWA with bound k, and we find the reactive system in \(\mathcal {W}^{\varphi ,k}\). There generally exists a gap between the original property \(\varphi \) and the under-approximated property, and in our method this gap can remain for any large k, unlike in LTL realizability checking. Consider the simple case of a must LTL specification \(\mathbf{G }\mathbf{F }p\) and a mean-payoff objective \({\textsf {MP}}({\textsf {S}}(\lnot p))\), where p is an output proposition. A reactive system realizes \(\mathbf{G }\mathbf{F }p\) and is globally optimal for \({\textsf {MP}}({\textsf {S}}(\lnot p))\), i.e., its value is 1, if and only if the system outputs p infinitely often and the distance between consecutive occurrences of p keeps increasing. Our method cannot produce such reactive systems, which require infinite memory. \(\mathbf{G }\mathbf{F }p\) would be under-approximated into \(\mathbf{G }\mathbf{F }^{k} p\) via a naive LTL-to-UCWA translator. Therefore, our method employing the naive translation composes a reactive system outputting p at k-step intervals, i.e., its value of \({\textsf {MP}}({\textsf {S}}(\lnot p))\) is \((k-1)/k\). Any other translator leads to a similar result. The value approaches the global optimum arbitrarily closely using larger k in Algorithm 1.
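The trade-off above, worked out concretely as an added example (this is not code from the paper or its prototype): the must specification G F p is under-approximated with bound k into "p within every k steps", the winning region of that safety game is computed, and the mean-payoff game for MP(S(¬p)) is solved on it by value iteration. The encoding of the game as a counter of steps since the last p and the solver are our own assumptions, not Algorithm 2.

```python
"""Added worked example (not code from the paper or its prototype): the
trade-off of Sect. 4.4 made explicit. The must specification G F p is
under-approximated with bound k into "p holds within every k steps" (G F^k p),
the winning region of that safety game is computed, and the mean-payoff game
for MP(S(not p)) is solved on it by finite-horizon value iteration in the
style of Zwick and Paterson. The game encoding (one state per 'steps since
the last p') is our own hypothetical modelling, not the paper's Algorithm 2."""
from fractions import Fraction

BAD = "BAD"        # rejecting sink: a minimal bad prefix of G F^k p has occurred
NO_INPUT = ()      # the environment has no input propositions in this instance


def build_gfk_game(k):
    """Game for must spec G F^k p and objective MP(S(not p)), p an output proposition.

    Player 0 (system) states are counters c in 0..k-1 = steps since the last p.
    moves[state][output][input] = (weight, successor); weight is 1 on a step
    where not p holds (the S(not p) payoff) and 0 otherwise.
    """
    moves = {}
    for c in range(k):
        moves[c] = {
            True:  {NO_INPUT: (0, 0)},                            # emit p: reset
            False: {NO_INPUT: (1, c + 1 if c + 1 < k else BAD)},  # emit not p
        }
    moves[BAD] = {False: {NO_INPUT: (1, BAD)}}   # once violated, stays violated
    return moves, 0                              # (moves, initial state)


def winning_region(moves, bad=BAD):
    """States from which Player 0 can avoid `bad` forever (greatest fixed point):
    the safety-game step of Safraless synthesis (Lines 1-10 of Algorithm 1)."""
    safe = {s for s in moves if s != bad}
    changed = True
    while changed:
        changed = False
        for s in sorted(safe, key=str):
            # some output must keep every environment reply inside `safe`
            if not any(all(t in safe for (_, t) in ins.values())
                       for ins in moves[s].values()):
                safe.discard(s)
                changed = True
    return safe


def solve_mean_payoff(moves, region, rounds=None):
    """Optimal mean-payoff values and a memoryless Player-0 strategy on `region`.

    v_n(s) = max_output min_input (w + v_{n-1}(t)); after N = 4|V|^3 W rounds the
    value is the rational nearest to v_N/N with denominator <= |V| (Zwick-Paterson).
    """
    states = sorted(region, key=str)
    n = len(states)
    w_max = max(abs(w) for s in states for ins in moves[s].values()
                for (w, _) in ins.values())
    rounds = rounds or 4 * n ** 3 * max(w_max, 1)

    def allowed(s):  # outputs that cannot leave the winning region
        return {o: ins for o, ins in moves[s].items()
                if all(t in region for (_, t) in ins.values())}

    def bellman(s, v):  # (best guaranteed total, output achieving it)
        return max((min(w + v[t] for (w, t) in ins.values()), o)
                   for o, ins in allowed(s).items())

    v = {s: 0 for s in states}
    for _ in range(rounds):
        v = {s: bellman(s, v)[0] for s in states}
    values = {s: Fraction(v[s], rounds).limit_denominator(n) for s in states}
    strategy = {s: bellman(s, v)[1] for s in states}   # argmax of the last Bellman step
    return values, strategy


def play_mean_payoff(moves, strategy, init, env=lambda ins: next(iter(ins))):
    """Exact mean-payoff of the lasso-shaped play produced by a memoryless system
    strategy against a memoryless environment `env` (default: first input)."""
    seen, weights, s = {}, [], init
    while s not in seen:
        seen[s] = len(weights)
        ins = moves[s][strategy[s]]
        w, s = ins[env(ins)]
        weights.append(w)
    cycle = weights[seen[s]:]
    return Fraction(sum(cycle), len(cycle))


def best_effort_value(k):
    """Value, strategy and played mean-payoff for G F^k p and MP(S(not p)):
    the system emits p every k steps, so the value is (k-1)/k."""
    moves, init = build_gfk_game(k)
    region = winning_region(moves)
    values, strategy = solve_mean_payoff(moves, region)
    return values[init], strategy, play_mean_payoff(moves, strategy, init)


if __name__ == "__main__":
    for k in (2, 3, 5):
        value, strategy, played = best_effort_value(k)
        print(f"k={k}: value {value}, played {played}, strategy {strategy}")
```

For k = 5 the solver returns the value 4/5 and the strategy that emits ¬p at counters 0 to 3 and p at counter 4, which is exactly the k-step-interval system described above.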
4.5 Complexity
The time complexity of Algorithm 2 is doubly exponential, so it is in the same class as traditional LTL synthesis and realizability checking [1, 34, 35].
For each atomic payoff term \(t_i\) of the form \({\textsf {S}}(\chi _i)\), we can construct \(\mathcal {M}^{t_i}\) with at most \(2^{P_i \cdot \lfloor { depth}(\chi _i) \rfloor } \cdot (2^{{ OAP}} + 1)\) states, where \(P_i\) is the number of distinct atomic propositions in \(\chi _i\): \(\chi _i\) can be translated into a deterministic safety automaton with at most \(2^{P_i \cdot \lfloor { depth}(\chi _i) \rfloor }\) states, and an m-state deterministic automaton can be transformed into a game with at most \(m \cdot (2^{{ OAP}} + 1)\) states. For each atomic payoff term \(t_i\) of the form \({\textsf {B}}^{b_i}(\varphi _i)\), we can construct a mean-payoff game \(\mathcal {M}^{t_i}\) with at most \(2^{2^{\mathcal {O}(|\varphi _i|)} \cdot \log ({b}_i+2)} \cdot (2^{{ OAP}} + 1)\) states, where \(|\varphi _i|\) is the size of \(\varphi _i\): \(\varphi _i\) (resp., \(\lnot \varphi _i\)) can be translated into an equivalent UCWA (resp., NBWA) with at most \(2^{\mathcal {O}(|\varphi _i|)}\) states [40], and an \(n_i\)-state \(b_i\)-UCWA can be transformed into an equivalent deterministic safety automaton with at most \(2^{n_i \cdot \log (b_i+2)}\) states. We can construct the weighted synchronized product mean-payoff game from the input winning region \(\mathcal {W}^{\varphi ,k}\) and the mean-payoff objective \({\textsf {MP}}(t)\); it has at most \(|\mathcal {W}^{\varphi ,k}| \cdot T\) states and a largest absolute weight less than or equal to the possible weights of t, where T is the product of the sizes of the mean-payoff games for the atomic terms in t. The time complexity for solving an m-state l-transition mean-payoff game is \(\mathcal {O}(m^2 \cdot l \cdot d \cdot (\log m + \log d))\) [12], where d is the largest absolute value of the weights. The above discussion implies that the time complexity of Algorithm 2 is doubly exponential.
As mentioned in Sect. 4.4, there is a trade-off between the optimality of the resulting system for \({\textsf {MP}}(t)\) and its computational cost. The size of \(\mathcal {W}^{\varphi ,k}\) (and of the resulting system) grows polynomially in k. Therefore, the mean-payoff value of the resulting system approaches the global optimum arbitrarily closely, but its computational cost increases polynomially as k increases.
5 Experimental evaluation
To confirm that our algorithm produces preferable reactive systems, we implemented a prototype of our synthesis method and performed a simple experiment. We also demonstrate that our method can treat instances of non-trivial scale. Additionally, we discuss the advantages of our method.
5.1 Implementation and experimental environment
The prototype is implemented in C++ and only supports payoff terms without \({\textsf {B}}\)-terms. An existing LTL-to-NBWA translator, e.g., LTL2BA [23], SPOT [17] or LTL3BA [3], can be employed as the LTL-to-UCWA translator; the prototype uses LTL3BA for the LTL-to-UCWA mapping \(\mathcal {T}\). The implementation follows the same design as the one in [26]: each state of the automata and games is handled explicitly, whereas the transitions from a state are represented by one multi-terminal binary decision diagram (BDD). We employ CUDD^{9} for manipulating BDDs. For solving mean-payoff games (Line 18 in Algorithm 2), we employ the iterative algorithm proposed in [42] and introduce a heuristic that checks the optimality of a tentative solution after a certain number of iterations, which depends on the size of the game. Furthermore, to solve them efficiently, an abstracted mean-payoff game is constructed from the original game \(\mathcal {M}^{\varphi ,k,t}\). The actions on transitions are omitted in the abstracted game, so its state space can be reduced and its optimal strategy can be computed efficiently. From that optimal strategy and \(\mathcal {M}^{\varphi ,k,t}\), the optimal reactive system is composed as a transition system in the same format as Acacia+^{10} [8, 9, 10], a well-known LTL synthesis tool.
The experiments were performed on a MacBook Pro (Retina, Mid 2012) with OS X Yosemite 10.10.5, a 2.6 GHz CPU (Intel Core i7), and 16 GB of memory (1600 MHz DDR3).
5.2 Experiments
Result 2 Table 1 shows an experimental result for the must LTL specification \(\varphi _{\text {a}}^{\text {LB}}\) and mean-payoff objective \({\textsf {MP}}(t_3^{\text {LB}})\) when \(n \in \{2, \ldots , 7\}\). Because \(\varphi _{\text {a}}^{\text {LB}}\) is safe, there is no approximation in Algorithm 1, i.e., k is irrelevant in this case. The number of clients is given in column “n”. Column “\(\alpha \)” (resp. “\(\beta \)”) gives the execution times for transforming the UCWAs constructed from the must specification (resp. payoff terms) into safety games (resp. mean-payoff games). This transformation includes a procedure for minimizing the state spaces of the games. Column “\(\gamma \)” gives the execution times for solving the weighted synchronized product games, i.e., constructing and minimizing the action-abstracted games and solving them. Total execution times (including the execution times for constructing UCWAs, etc.) are given in column “Total”. We denote timeouts (>20 min) by “TO”. Column “\(\mathcal {W}\)” (resp. “\(\mathcal {M}\)”) gives the sizes of the winning regions eventually obtained from the must specifications (resp. of the synchronized products of the mean-payoff games eventually obtained from the payoff terms). The sizes of the weighted synchronized products of the winning regions and mean-payoff games are given in column “\(\mathcal {P}\)”. Column “\(\mathcal {P}^{\text {abs}}\)” gives the sizes of the abstracted and minimized games for the weighted synchronized products. The sizes of the resulting systems are listed in column “\(\mathcal {R}\)”. Table 2 (resp. Table 3) shows an experimental result for the must LTL specification \(\varphi _{\text {b}}^{\text {LB}}\) (resp. \(\varphi _{\text {c}}^{\text {LB}}\)) and mean-payoff objective \({\textsf {MP}}(t_5^{\text {LB}})\) (resp. \({\textsf {MP}}(t_9^{\text {LB}})\)) when \(n \in \{2, \ldots , 5\}\) (resp. \(n \in \{2, \ldots , 6\}\)). We set the initial value of k to \(n+1\) (resp. n) in this case, because it is the minimum value that makes \(\mathcal {L}(\mathcal {T}^k(\varphi _{\text {b}}^{\text {LB}}))\) (resp. \(\mathcal {L}(\mathcal {T}^k(\varphi _{\text {c}}^{\text {LB}}))\)) realizable. These results suggest that our implementation can treat instances of non-trivial scale.
Table 1 Experimental result for the must LTL specification \(\varphi _{\text {a}}^{\text {LB}}\) and mean-payoff objective \({\textsf {MP}}(t_3^{\text {LB}})\). Columns \(\alpha \), \(\beta \), \(\gamma \) and Total are execution times (s); columns \(\mathcal {W}\), \(\mathcal {M}\), \(\mathcal {P}\), \(\mathcal {P}^{\text {abs}}\) and \(\mathcal {R}\) are sizes.

n | \(\alpha \) | \(\beta \) | \(\gamma \) | Total | \(\mathcal {W}\) | \(\mathcal {M}\) | \(\mathcal {P}\) | \(\mathcal {P}^{\text {abs}}\) | \(\mathcal {R}\)
2 | 0.022 | 0.035 | 0.027 | 0.201 | 5 | 59 | 116 | 59 | 5
3 | 0.026 | 0.061 | 0.063 | 0.278 | 9 | 199 | 460 | 84 | 17
4 | 0.022 | 0.472 | 0.183 | 0.818 | 17 | 707 | 1684 | 92 | 47
5 | 0.023 | 20.56 | 0.604 | 21.38 | 33 | 2599 | 5710 | 92 | 99
6 | 0.025 | 884.6 | 1.726 | 887.0 | 65 | 9779 | 18136 | 92 | 179
7 | 0.026 | TO | – | – | 129 | – | – | – | –

Table 2 Experimental result for the must LTL specification \(\varphi _{\text {b}}^{\text {LB}}\) and mean-payoff objective \({\textsf {MP}}(t_5^{\text {LB}})\). Columns as in Table 1.

n | \(\alpha \) | \(\beta \) | \(\gamma \) | Total | \(\mathcal {W}\) | \(\mathcal {M}\) | \(\mathcal {P}\) | \(\mathcal {P}^{\text {abs}}\) | \(\mathcal {R}\)
2 | 0.029 | 0.031 | 0.152 | 0.335 | 55 | 4 | 94 | 75 | 15
3 | 0.047 | 0.029 | 1.765 | 1.965 | 471 | 4 | 854 | 315 | 87
4 | 0.714 | 0.029 | 112.7 | 113.5 | 6449 | 4 | 12150 | 1624 | 711
5 | 61.12 | 0.026 | TO | – | 125,309 | 4 | 240,484 | 8353 | –

Table 3 Experimental result for the must LTL specification \(\varphi _{\text {c}}^{\text {LB}}\) and mean-payoff objective \({\textsf {MP}}(t_9^{\text {LB}})\). Columns as in Table 1.

n | \(\alpha \) | \(\beta \) | \(\gamma \) | Total | \(\mathcal {W}\) | \(\mathcal {M}\) | \(\mathcal {P}\) | \(\mathcal {P}^{\text {abs}}\) | \(\mathcal {R}\)
2 | 0.025 | 0.029 | 0.019 | 0.085 | 20 | 4 | 23 | 18 | 8
3 | 0.047 | 0.030 | 0.132 | 0.362 | 101 | 4 | 110 | 54 | 25
4 | 0.686 | 0.029 | 0.750 | 1.620 | 810 | 4 | 861 | 188 | 148
5 | 25.03 | 0.031 | 13.29 | 38.76 | 8693 | 4 | 9126 | 691 | 1299
6 | TO | – | – | – | – | – | – | – | –

Table 4 Experimental result for the must LTL specification \(\varphi ^{\text {ELV}}\) and mean-payoff objective \({\textsf {MP}}(t^{\text {ELV}})\). Columns \(\alpha \), \(\beta \), \(\gamma \) and Total are execution times (s); columns \(\mathcal {W}\), \(\mathcal {P}\), \(\mathcal {P}^{\text {abs}}\) and \(\mathcal {R}\) are sizes; “MP value” is the mean-payoff value of the resulting system.

k | \(\alpha \) | \(\beta \) | \(\gamma \) | Total | \(\mathcal {W}\) | \(\mathcal {P}\) | \(\mathcal {P}^{\text {abs}}\) | \(\mathcal {R}\) | MP value
3 | 0.468 | 0.029 | 0.065 | 0.763 | 165 | 197 | 58 | 37 | −0.500
6 | 5.246 | 0.027 | 1.995 | 7.281 | 1194 | 1185 | 323 | 93 | −0.200
9 | 23.15 | 0.029 | 4.055 | 27.86 | 3015 | 3159 | 855 | 153 | −0.125
12 | 68.12 | 0.024 | 33.51 | 103.1 | 5852 | 6069 | 1638 | 213 | −0.091
15 | 156.7 | 0.031 | 85.16 | 224.9 | 9635 | 9915 | 2673 | 273 | −0.071
18 | 352.0 | 0.032 | 432.1 | 790.9 | 14,354 | 14,697 | 3960 | 333 | −0.059
19 | 415.3 | 0.040 | 350.6 | 779.8 | 16,135 | 16,499 | 4444 | 353 | −0.056
20 | 535.3 | 0.156 | 650.6 | 1157 | 18,020 | 18,405 | 4958 | 373 | −0.053
21 | 631.7 | 0.314 | TO | – | 20,009 | 20,415 | 5499 | – | –
Result 3 Table 4 shows an experimental result for the must LTL specification \(\varphi ^{\text {ELV}}\) and mean-payoff objective \({\textsf {MP}}(t^{\text {ELV}})\) when \(k_{ init} \in \{3,6,9,12,15,18,19,20,21\}\). Column “MP value” gives the mean-payoff values of the resulting systems. The other columns are the same as in Tables 1, 2 and 3. The size of the product of the mean-payoff games for the payoff terms in \(t^{\text {ELV}}\) is 9. This result suggests that the mean-payoff value of the resulting system approaches the global optimum (0, for this instance) and that its computational cost grows non-linearly as k increases. For this instance, reasonably good systems are obtained in practical times.
5.3 Summary

- We can obtain a best-effort system from an unrealizable specification by interpreting low-priority sub-specifications as a mean-payoff objective.
- Our method can treat instances of non-trivial scale in practical times.
- We can obtain a reasonably good system by choosing the bound k (an over-approximation parameter for a given must LTL specification) with the available computational resources and the desired mean-payoff value in mind.
6 Related work
6.1 LTL synthesis
In a naive game-based method for LTL synthesis, a deterministic \(\omega \)-regular word automaton (e.g., a deterministic parity word automaton) \(\mathcal {D}^{\varphi }\) is translated from a given LTL specification \(\varphi \). Next, an \(\omega \)-regular game \(\mathcal {G}^{\varphi }\) is transformed from \(\mathcal {D}^{\varphi }\). Finally, a reactive system is composed as a winning strategy on \(\mathcal {G}^{\varphi }\). The first phase can be performed by translating \(\varphi \) to a non-deterministic \(\omega \)-regular word automaton \(\mathcal {N}^{\varphi }\) [3, 17, 23, 40] and then using Safra’s construction [32, 36, 37, 38] to determinize \(\mathcal {N}^{\varphi }\) into \(\mathcal {D}^{\varphi }\). However, Safra’s construction is very complicated and difficult to implement efficiently. Recently, Esparza and Křetínský proposed another method for directly constructing a deterministic \(\omega \)-regular automaton from an LTL formula [21]. Their method constructs transition-based automata, which are in most cases smaller than the state-based automata obtained by Safra’s construction, but it is also complicated.
Therefore, some Safraless LTL synthesis methods were proposed [8, 18, 22, 27, 28]. In these methods, \(\varphi \) is appropriately under-approximated into a tractable automaton (e.g., a safety automaton), which is used to construct a reactive system. Some tools are available for Safraless LTL synthesis, e.g., Lily^{11} [27], Acacia+ [8, 9, 10], and Unbeast^{12} [18]. In some Safraless LTL synthesis methods [8, 18, 22], \(\varphi \) is under-approximated by giving a bound k to a UCWA \(\mathcal {A}^{\varphi }\) equivalent to \(\varphi \). A k-UCWA \(\mathcal {A}^{\varphi ,k}\) represents a safety property and can easily be determinized by a type of powerset (i.e., Safraless) construction. Therefore, a reactive system is composed as a winning strategy on the safety game \(\mathcal {S}^{\varphi ,k}\) corresponding to \(\mathcal {A}^{\varphi ,k}\). The state space of this winning strategy is typically minimized [19].
In our method, we apply the UCWA-based Safraless method to construct an under-approximated safety game from a must LTL specification and then compose a reactive system as a winning strategy on the game that is also optimal for a given mean-payoff objective representing the weighted desirable specifications.
6.2 Maximum satisfiability problem
Our problem is similar to the weighted partial maximum satisfiability (MAX-SAT) problem [29].^{13}
The weighted partial MAX-SAT problem considers a set of hard clauses, which must be satisfied, and a set of weighted soft clauses, which are satisfied if possible. The solution is a valuation that satisfies all the hard clauses and maximizes the total weight of the satisfied soft clauses. The input formulae of the problem are not temporal, the objective is given as the total weight of the satisfied soft clauses, and the problem concerns satisfiability.
Our problem, in contrast, considers a must LTL specification and a mean-payoff objective that represents weighted desirable specifications. The solution is a synthesized reactive system that realizes all the must specifications and maximizes the objective. The input formula of our problem is temporal, the objective is given as the mean-payoff of a sequence of weights that depend on LTL formulae, and our problem concerns realizability.
6.3 Synthesis considering mean-payoff objectives/constraints
In our approach, a set of weighted desirable specifications is represented by a naive mean-payoff objective based on LTL formulae with weights. The syntax of our objective is based on that of the mean-payoff constraints in [39]. In this paper, the argument of an \({\textsf {S}}\)-term must be bounded, whereas it may be unbounded in [39] (i.e., the \(\mathcal {S}\)-terms defined in Equation (95) are considered there). This restriction stems from the difficulty of dealing with non-determinacy (of payments) in synthesis. The work in [39] studied an LTL with multiple mean-payoff constraints and methods for model checking and satisfiability checking; non-determinacy does not affect model checking or satisfiability checking. In this paper, we instead used a new type of term, \({\textsf {B}}^{b}(\varphi )\), to capture the violation of the approximated safety property using a UCWA. Therefore, the expressive power of the payoff terms in this paper is incomparable with that in [39]. The semantics of the mean-payoff constraints in [39] was purely based on LTL formulae, whereas our objective in this paper also depends on an LTL-to-UCWA translator.
Our method synthesizes an optimal reactive system within the set of reactive systems that realize a certain under-approximation of a must LTL specification. This system is an optimal memoryless strategy on a naive mean-payoff game constructed from the mean-payoff objective, and such a strategy can be computed efficiently [12]. Our problem can be strictly reduced to finding an optimal (or \(\varepsilon \)-optimal) strategy on a mean-payoff parity game [13], which is a synchronized product of a parity game constructed from the must LTL specification and the naive mean-payoff game. However, this reduction generally requires constructing a deterministic parity word automaton that accepts the words satisfying the must LTL specification, that is, Safra’s or the Esparza-Křetínský construction.^{14} Furthermore, the algorithm for solving the game in [13] requires recursively solving parity and mean-payoff games, and its optimal (resp., \(\varepsilon \)-optimal) strategy generally requires infinite (resp., large) memory.
In [6], Bloem et al. studied lexicographic mean-payoff (parity) games with multi-dimensional weights, in which the mean-payoffs are lexicographically ordered by the priority of the dimensions. Any lexicographic mean-payoff (parity) game can be reduced to a naive mean-payoff (parity) game [6]. Therefore, our method can easily be extended to allow such multi-dimensional lexicographic weighting; however, the time complexity of the extended method is exponential in the number of dimensions [6]. Bloem et al. also proposed a method for reducing an automata-based mean-payoff objective (and an \(\omega \)-regular specification) into a lexicographic mean-payoff (parity) game [6] and composed an optimal strategy for the game. Our method, in contrast, deals with an LTL specification and a formula-based mean-payoff objective.
In [15], Chatterjee et al. studied multi-dimensional mean-payoff games and proposed a method for finding a winning strategy that guarantees that the multi-dimensional mean-payoff of any play is greater than or equal to a given threshold vector. Acacia+ supports synthesis from an LTL formula with multiple mean-payoff constraints [9] (based on [15]) and also synthesis with optimization for a naive mean-payoff objective under a Markov decision process environment [10]. However, the mean-payoff constraints and objectives supported by Acacia+ are only based on \({\textsf {S}}\)-terms; strictly speaking, Acacia+ only supports payoffs for literals. Hence, if we use \({\textsf {S}}(\chi )\) with a non-Boolean but bounded argument \(\chi \), we need to add a fresh atomic proposition \(\hat{p} \in 2^{{ OAP}}\) for output and the additional LTL specification \(\mathbf{G }(\chi \leftrightarrow \mathbf{X }^{\lceil { depth}(\chi ) \rceil } \hat{p})\). Our mean-payoff objective can also be expressed with \({\textsf {B}}\)-terms, which capture the violations of approximated safety properties using UCWAs.
6.4 Synthesis considering assumptions
A reactive system specification is often given as an LTL formula of the implication form \(\varphi _{Asmp} \rightarrow \varphi _{Grnt}\), where \(\varphi _{Asmp}\) is an assumption regarding the behavior of the environment and \(\varphi _{Grnt}\) is a property that the system should guarantee. In [7], Bloem et al. presented some goals for a reliable system synthesized from such a specification. The be-correct goal is “to fulfill \(\varphi _{Grnt}\) if the environment fulfills \(\varphi _{Asmp}\)”; this is the aim of a reactive system obtained by traditional LTL synthesis. Some approaches for the other goals were surveyed in [7]. In our method, we can include assumptions in must specifications in a naive sense.
As suggested in [7], synthesis with mean-payoff optimization can address the don’t-be-lazy goal, which is “to fulfill \(\varphi _{Grnt}\) as well as possible for as many situations as possible, even when \(\varphi _{Asmp}\) is not fulfilled”. In our approach, the don’t-be-lazy goal is accomplished by a system synthesized from the must LTL specification \(\varphi _{Asmp} \rightarrow \varphi _{Grnt}\) and the mean-payoff objective interpreted from (sub-formulae of) \(\varphi _{Grnt}\). The synthesized system realizes \(\varphi _{Asmp} \rightarrow \varphi _{Grnt}\) and tries to satisfy (the sub-formulae of) \(\varphi _{Grnt}\) to the extent possible, even if \(\varphi _{Asmp}\) is violated. In [26], we focused on this type of synthesis and regarded the goal as maximizing the degree of environmental tolerance, which is given by a mean-payoff objective with \(\mathcal {S}\)-terms and without B-terms, as in [39]. However, the atomic terms occurring in the mean-payoff objective for the synthesis method in [26] are restricted to S-terms.
7 Conclusions
In this work, we divided specifications into must specifications and desirable specifications. We proposed a method for efficiently synthesizing a reactive system that realizes all the must specifications and endeavors as much as possible to satisfy the desirable specifications.
We derived a mean-payoff objective to encapsulate a set of desirable specifications. The syntax of the objective is given in terms of LTL formulae, and its semantics is based on the UCWA-based approximation used in Safraless synthesis. The precise meaning of the mean-payoff objective therefore depends on the LTL-to-automata translator. However, we can easily and flexibly describe the objective for desirable specifications with weights.
In the proposed method, we first construct a safety game from a must LTL specification in the same way as UCWA-based Safraless synthesis. Note that assumptions can naively be included in the must specification. Then, mean-payoff games are constructed from the atomic terms in the mean-payoff objective by reusing procedures from Safraless synthesis. Note that the LTL-to-automata translator for the mean-payoff objective may differ from the one used to construct the safety game from the must LTL specification. Finally, a reactive system is composed as an optimal strategy on a weighted synchronized product of the games. We can obtain a preferable reactive system considering the objective if the must LTL specification is realizable. We implemented a prototype of our method and performed several experiments. The results suggest that our method can treat instances of non-trivial scale and produce reasonably good systems in practical times.
The \(\mathbf{G }\)-formula is a basic form of reactive system specifications without assumptions. This reasonably implies that the best effort to satisfy \(\mathbf{G }\varphi \) is to maximize the number of steps that satisfy \(\varphi \) in an infinite-step interaction with the environment. Our method can construct a reactive system that realizes a given must LTL specification and, for each desirable specification \(\mathbf{G }\varphi \), keeps trying to satisfy \(\varphi \) at each step to the extent possible, even when \(\mathbf{G }\varphi \) is violated. Such systems are expected in many practical applications. We expect that our approach can be further refined so that it can be applied as a formal synthesis method for practical systems.
A direction for further refinement is to study which kinds of LTL-to-automata translators fit our mean-payoff objectives. We believe that a framework for reflecting the designer’s intention in the LTL-to-automata translation is required. Additionally, the implementation and the method need to be completed and refined along with a series of experiments. The complexity of our synthesis method is doubly exponential time. Nevertheless, it may be possible to solve practical instances using state-of-the-art techniques.
As stated in Sect. 3.4, our method can synthesize a reactive system that takes into consideration a number of soft assumptions of the form \(\mathbf{G }\varphi \) and the frequency with which their violation occurs or is witnessed. However, our method does not treat hard assumptions, which are strictly followed by the environment, on desirable specifications. Another direction is an extension that adds hard assumptions on desirable specifications. A desirable specification in our method is given via a mean-payoff objective, and hence such hard assumptions should be mean-payoff (or probabilistic) constraints. This extension is required for obtaining a reactive system that is optimal in a situation satisfying the hard assumptions.
Footnotes
1. When an interaction starts with an input from the environment, a reactive system is defined as \(\mathcal {R}: (2^{{ IAP}})^+ \rightarrow 2^{{ OAP}}\). Cf. Footnote 3.
2. For probabilistic model checking, a deterministic automaton is required for Markov decision processes; however, an unambiguous automaton suffices for Markov chains [4].
3. When an interaction starts with an input from the environment, the roles of Players 0 and 1 are switched. Cf. Footnote 1.
4. Available at http://www.lsv.ens-cachan.fr/~gastin/ltl2ba/.
5. Available at https://spot.lrde.epita.fr/.
6. Available at http://sourceforge.net/projects/ltl3ba/.
7. In an advanced interpretation, we can use \(\mathbf{G }(req \rightarrow \mathbf{X }(wait \mathbf{W }res))\) as an additional must specification and \({\textsf {MP}}( c_{s} \cdot {\textsf {S}}(wait))\) as a mean-payoff objective.
8. We reuse the LTL-to-automata translator of Algorithm 1 for simplicity. However, another translator can be used in Algorithm 2.
9. Available at http://vlsi.colorado.edu/~fabio/.
10. Available at http://lit2.ulb.ac.be/acaciaplus/.
11.
12. Available at http://www.react.uni-saarland.de/tools/unbeast/.
13. The term partial means that some clauses are hard.
14.
References
1. Abadi, M., Lamport, L., Wolper, P.: Realizable and unrealizable specifications of reactive systems. In: Ausiello, G., Dezani-Ciancaglini, M., Della Rocca, S. (eds.) Automata, Languages and Programming, Lecture Notes in Computer Science, vol. 372, pp. 1–17. Springer, Berlin (1989). doi: 10.1007/BFb0035748
2. Aoshima, T., Yonezaki, N.: Verification of reactive system specifications with outer event conditional formula. In: Proceedings of International Symposium on Principles of Software Evolution, 2000, pp. 189–193. IEEE (2000). doi: 10.1109/ISPSE.2000.913238
3. Babiak, T., Křetínský, M., Řehák, V., Strejček, J.: LTL to Büchi automata translation: fast and more deterministic. In: Flanagan, C., König, B. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol. 7214, pp. 95–109. Springer, Berlin (2012). doi: 10.1007/978-3-642-28756-5_8
4. Benedikt, M., Lenhardt, R., Worrell, J.: LTL model checking of interval Markov chains. In: Piterman, N., Smolka, S. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol. 7795, pp. 32–46. Springer, Berlin (2013). doi: 10.1007/978-3-642-36742-7_3
5. Bloem, R., Chatterjee, K., Greimel, K., Henzinger, T.A., Hofferek, G., Jobstmann, B., Könighofer, B., Könighofer, R.: Synthesizing robust systems. Acta Inform. 51(3–4), 193–220 (2014). doi: 10.1007/s00236-013-0191-5
6. Bloem, R., Chatterjee, K., Henzinger, T., Jobstmann, B.: Better quality in synthesis through quantitative objectives. In: Bouajjani, A., Maler, O. (eds.) Computer Aided Verification, Lecture Notes in Computer Science, vol. 5643, pp. 140–156. Springer, Berlin (2009). doi: 10.1007/978-3-642-02658-4_14
7. Bloem, R., Ehlers, R., Jacobs, S., Könighofer, R.: How to handle assumptions in synthesis. In: Chatterjee, K., Ehlers, R., Jha, S. (eds.) Proceedings 3rd Workshop on Synthesis, Electronic Proceedings in Theoretical Computer Science, vol. 157, pp. 34–50. Open Publishing Association (2014). doi: 10.4204/EPTCS.157.7
8. Bohy, A., Bruyère, V., Filiot, E., Jin, N., Raskin, J.F.: Acacia+, a tool for LTL synthesis. In: Madhusudan, P., Seshia, S. (eds.) Computer Aided Verification, Lecture Notes in Computer Science, vol. 7358, pp. 652–657. Springer, Berlin (2012). doi: 10.1007/978-3-642-31424-7_45
9. Bohy, A., Bruyère, V., Filiot, E., Raskin, J.F.: Synthesis from LTL specifications with mean-payoff objectives. In: Piterman, N., Smolka, S. (eds.) Tools and Algorithms for the Construction and Analysis of Systems, Lecture Notes in Computer Science, vol. 7795, pp. 169–184. Springer, Berlin (2013). doi: 10.1007/978-3-642-36742-7_12
10. Bohy, A., Bruyère, V., Raskin, J.F.: Symblicit algorithms for optimal strategy synthesis in monotonic Markov decision processes. In: Chatterjee, K., Ehlers, R., Jha, S. (eds.) Proceedings 3rd Workshop on Synthesis, Electronic Proceedings in Theoretical Computer Science, vol. 157, pp. 51–67. Open Publishing Association (2014). doi: 10.4204/EPTCS.157.8
11. Boker, U., Kupferman, O., Steinitz, A.: Parityizing Rabin and Streett. In: Lodaya, K., Mahajan, M. (eds.) IARCS Annual Conference on Foundations of Software Technology and Theoretical Computer Science (FSTTCS 2010), Leibniz International Proceedings in Informatics (LIPIcs), vol. 8, pp. 412–423. Schloss Dagstuhl–Leibniz-Zentrum fuer Informatik, Dagstuhl (2010). doi: 10.4230/LIPIcs.FSTTCS.2010.412. http://drops.dagstuhl.de/opus/volltexte/2010/2882
12. Brim, L., Chaloupka, J., Doyen, L., Gentilini, R., Raskin, J.: Faster algorithms for mean-payoff games. Form. Methods Syst. Des. 38(2), 97–118 (2011). doi: 10.1007/s10703-010-0105-x
13. Chatterjee, K., Henzinger, T., Jurdzinski, M.: Mean-payoff parity games. In: Proceedings of 20th Annual IEEE Symposium on Logic in Computer Science, 2005. LICS 2005, pp. 178–187 (2005). doi: 10.1109/LICS.2005.26
14. Chatterjee, K., Henzinger, T.A., Jobstmann, B.: Environment assumptions for synthesis. In: van Breugel, F., Chechik, M. (eds.) CONCUR 2008—Concurrency Theory, Lecture Notes in Computer Science, vol. 5201, pp. 147–161. Springer, Berlin (2008). doi: 10.1007/978-3-540-85361-9_14
15. Chatterjee, K., Randour, M., Raskin, J.F.: Strategy synthesis for multi-dimensional quantitative objectives. Acta Inform. 51(3–4), 129–163 (2014). doi: 10.1007/s00236-013-0182-6
16. Damm, W., Finkbeiner, B.: Automatic compositional synthesis of distributed systems. In: Jones, C., Pihlajasaari, P., Sun, J. (eds.) FM 2014: Formal Methods, Lecture Notes in Computer Science, vol. 8442, pp. 179–193. Springer, Berlin (2014). doi: 10.1007/978-3-319-06410-9_13
17. Duret-Lutz, A., Poitrenaud, D.: SPOT: an extensible model checking library using transition-based generalized Büchi automata. In: Proceedings of the IEEE Computer Society’s 12th Annual International Symposium on Modeling, Analysis, and Simulation of Computer and Telecommunications Systems, 2004 (MASCOTS 2004), pp. 76–83. IEEE Computer Society (2004). doi: 10.1109/MASCOT.2004.1348184
18. Ehlers, R.: Symbolic bounded synthesis. Form. Methods Syst. Des. 40(2), 232–262 (2012). doi: 10.1007/s10703-011-0137-x
19. Ehlers, R., Moldovan, D.: Sparse positional strategies for safety games. In: Peled, D., Schewe, S. (eds.) Proceedings First Workshop on Synthesis, Berkeley, California, 7th and 8th July 2012. Electronic Proceedings in Theoretical Computer Science, vol. 84, pp. 1–16. Open Publishing Association (2012). doi: 10.4204/EPTCS.84.1
20. Ehrenfeucht, A., Mycielski, J.: Positional strategies for mean payoff games. Int. J. Game Theory 8, 109–113 (1979). doi: 10.1007/BF01768705
 21.Esparza, J., Křetínský, J.: From LTL to deterministic automata: a Safraless compositional approach. In: Biere, A., Bloem, R. (eds.) Computer Aided Verification, Lecture Notes in Computer Science, vol. 8559, pp. 192–208. Springer, Berlin (2014). doi: 10.1007/9783319088679_13
 22.Finkbeiner, B., Schewe, S.: Bounded synthesis. Int. J. Softw. Tools Technol. Transf. 15(5), 519–539 (2012). doi: 10.1007/s100090120228z zbMATHGoogle Scholar
 23.Gastin, P., Oddoux, D.: Fast LTL to Büchi automata translation. In: Berry, G., Comon, H., Finkel, A. (eds.) Computer Aided Verification, Lecture Notes in Computer Science, vol. 2102, pp. 53–65. Springer, Berlin (2001). doi: 10.1007/3540445854_6
 24.Hagihara, S., Egawa, N., Shimakawa, M., Yonezaki, N.: Minimal strongly unsatisfiable subsets of reactive system specifications. In: Proceedings of the 29th ACM/IEEE International Conference on Automated Software Engineering, ASE ’14, pp. 629–634. ACM, New York (2014). doi: 10.1145/2642937.2642968
 25.Hagihara, S., Kitamura, Y., Shimakawa, M., Yonezaki, N.: Extracting environmental constraints to make reactive system specifications realizable. In: 2009 16th AsiaPacific Software Engineering Conference, pp. 61–68 (2009). doi: 10.1109/APSEC.2009.70
 26.Hagihara, S., Ueno, A., Tomita, T., Shimakawa, M., Yonezaki, N.: Simple synthesis of reactive systems with tolerance for unexpected environmental behavior. In: Proceedings of the 4th FME Workshop on Formal Methods in Software Engineering, FormaliSE ’16, pp. 15–21. ACM, New York (2016). doi: 10.1145/2897667.2897672
 27.Jobstmann, B., Bloem, R.: Optimizations for LTL synthesis. In: Formal Methods in Computer Aided Design, 2006. FMCAD ’06, pp. 117 –124 (2006). doi: 10.1109/FMCAD.2006.22
 28.Kupferman, O., Vardi, M.: Safraless decision procedures. In: 46th Annual IEEE Symposium on Foundations of Computer Science, 2005. FOCS 2005, pp. 531–540 (2005). doi: 10.1109/SFCS.2005.66
 29.Li, C.M., Manyà, F.: MaxSAT, Hard and Soft Constraints, Frontiers in Artificial Intelligence and Applications, vol. 185, chap. 19, pp. 613–631. IOS Press, Amsterdam (2009). doi: 10.3233/9781586039295613
 30.Li, W., Dworkin, L., Seshia, S.A.: Mining assumptions for synthesis. In: 2011 9th IEEE/ACM International Conference on Formal Methods and Models for Codesign (MEMOCODE), pp. 43–50 (2011). doi: 10.1109/MEMCOD.2011.5970509
 31.Mori, R., Yonezaki, N.: Several realizability concepts in reactive objects. In: Kangassalo, H., Jaakkola, H., Hori, K., Kitahashi, T. (eds.) Information Modelling and Knowledge Bases IV, Frontiers in Artificial Intelligence and Applications, vol. 16, pp. 407–424. IOS Press, Amsterdam (1993)Google Scholar
 32.Piterman, N.: From nondeterministic Büchi and Streett automata to deterministic parity automata. In: 21st Annual IEEE Symposium on Logic in Computer Science, 2006, pp. 255–264 (2006). doi: 10.1109/LICS.2006.28
 33.Pnueli, A.: The temporal logic of programs. In: 18th Annual Symposium on Foundations of Computer Science, 1977, pp. 46 –57 (1977). doi: 10.1109/SFCS.1977.32
 34.Pnueli, A., Rosner, R.: On the synthesis of a reactive module. In: Proceedings of the 16th ACM SIGPLANSIGACT Symposium on Principles of Programming Languages, POPL ’89, pp. 179–190. ACM, New York (1989). doi: 10.1145/75277.75293
 35.Rosner, R.: Modular synthesis of reactive systems. Ph.D. thesis, Weizmann Institute of Science (1992)Google Scholar
 36.Safra, S.: On the complexity of omega automata. In: Proceedings of the 29th Annual Symposium on Foundations of Computer Science, SFCS ’88, pp. 319–327. IEEE Computer Society, Washington, DC (1988). doi: 10.1109/SFCS.1988.21948
 37.Schewe, S.: Tighter bounds for the determinisation of Büchi automata. In: de Alfaro, L. (ed.) Foundations of Software Science and Computational Structures, Lecture Notes in Computer Science, vol. 5504, pp. 167–181. Springer, Berlin (2009). doi: 10.1007/9783642005961_13
 38.Schewe, S., Varghese, T.: Tight bounds for the determinisation and complementation of generalised Büchi automata. In: Chakraborty, S., Mukund, M. (eds.) Automated Technology for Verification and Analysis, Lecture Notes in Computer Science, pp. 42–56. Springer, Berlin (2012). doi: 10.1007/9783642333866_5
 39.Tomita, T., Hiura, S., Hagihara, S., Yonezaki, N.: A temporal logic with meanpayoff constraints. In: Aoki, T., Taguchi, K. (eds.) Formal Methods and Software Engineering, Lecture Notes in Computer Science, vol. 7635, pp. 249–265. Springer, Berlin (2012). doi: 10.1007/9783642342813_19
 40.Vardi, M.Y., Wolper, P.: Reasoning about infinite computations. Inf. Comput. 115, 1–37 (1994)MathSciNetCrossRefzbMATHGoogle Scholar
 41.Wolper, P.: The tableau method for temporal logic: an overview. Logique et Analyse 119–136 (1985)Google Scholar
 42.Zwick, U., Paterson, M.: The complexity of mean payoff games on graphs. Theor. Comput. Sci. 158(1–2), 343–359 (1996). doi: 10.1016/03043975(95)001883 MathSciNetCrossRefzbMATHGoogle Scholar
Copyright information
Open Access. This article is distributed under the terms of the Creative Commons Attribution 4.0 International License (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted use, distribution, and reproduction in any medium, provided you give appropriate credit to the original author(s) and the source, provide a link to the Creative Commons license, and indicate if changes were made.