1 Introduction

Program synthesis is considered the culmination of the ideal of declarative programming [1, 2]. By describing a system in terms of what it should do, instead of how it should do it, we are able, on the one hand, to simplify the program design process while avoiding human mistakes and, on the other hand, to allow an autonomous agent to self-program itself just from high-level specifications. Linear Temporal Logic (LTL) synthesis [3] is possibly one of the most popular variants of program synthesis, being the problem of automatically designing a reactive system with the guarantee that all its behaviors comply with desired dynamic properties expressed in LTL, the most used system/process specification language in Formal Methods. Unfortunately this dream of LTL synthesis has proven to be too difficult, and, in spite of a full-fledged theory, we still do not have good scalable algorithms after more than 30 years [4].

There have been two successful responses to these difficulties, both having to do with limiting the expressive power of the formalism used for the specification. The first approach, developed in Formal Methods, has been what we may call the GR(1), response [5]: essentially you focus on safety conditions, determining the possible transitions in a game between the environment and the agent, plus one powerful notion of fairness called Generalized Reactivity(1), or GR(1). This approach has found numerous applications, for example, in robotic motion-and-mission planning [6]. The second approach, developed in AI and inspired by classical AI planning, is of finite-horizon temporal synthesis, with LTL \(_f\) (LTL on finite traces) [7] as the specification language. In this approach [8], we specify the agent’s goal in LTL \(_f\), together possibly with environment specifications, such as safety conditions, possibly specified as a nondeterministic planning domain [9,10,11,12,13], or simple fairness and stability conditions (both special cases of GR(1) fairness) [14]. There are also studies in which general LTL environment specifications are used for LTL \(_f\) goals, but in this case the difficulties of handling LTL can indeed manifest [12, 15, 16]. Since LTL \(_f\) is a fragment of LTL, as shown in [7], the problem of LTL \(_f\) synthesis under LTL environment specifications can be reduced to LTL synthesis, as, e.g., explicitly pointed out by [12]. However, LTL synthesis algorithms do not scale well due to the difficulty of Büchi automata determinization, see e.g., [1].

In this work we propose to take these two lines of work, which are really the only successful stories in LTL synthesis, and bring them together. We first study the case in which we have an LTL \(_f\) agent goal and a GR(1) environment specification. We propose an approach based on using the automaton corresponding to the LTL \(_f\) goal as the game arena on which the environment has to satisfy its GR(1) environment specification. This means that we are able to reduce the problem to that of GR(1) synthesis over the new arena. We prove the correctness of the approach.

We then add to the framework safety conditions for both the environment and the agent, obtaining a highly expressive yet still scalable form of LTL synthesis. These two kinds of safety conditions differ, since the environment needs to maintain its safety indefinitely (as usual for safety), while the agent has to maintain its safety conditions only until s/he fulfills its LTL \(_f\) goal, i.e., within a finite horizon, something that makes them similar to “maintenance goals” in Planning [17]. We show that we can specify these safety conditions in a very general way by using LTL \(_f\). In particular, our safety conditions require that all prefixes of a trace satisfy an LTL \(_f\) formula. For the environment safety conditions, we consider all finite prefixes of infinite traces, while for the agent safety conditions, we consider all prefixes of the finite trace satisfying the agent’s LTL \(_f\) goal. Again, we prove the correctness of our approach and demonstrate its scalability through an experimental analysis.

Differences to conference paper. This paper is an extension of the previous conference version [18], we extend the content in the following way:

  • Provide the full proofs for all the theorems and lemmas;

  • Extend Sect. 2 to include more background knowledge to make the paper more self-contained;

  • Extend Sects. 3 and 5 by (i) new subsections consisting of detailed descriptions of how to reduce our synthesis problem settings to LTL synthesis; (ii) complexity analysis of our proposed synthesis approaches;

  • Extend Sect. 6 by (i) a new subsection of detailed description and complete formulation of the benchmarks; (ii) a new subsection to present a detailed reduction to LTL synthesis of the studied synthesis problems with the proposed benchmarks;

  • Add Sect. 7 for a thorough discussion with related work;

  • Add Sect. 8 of conclusion and future work.

2 Preliminaries

2.1 LTL and LTL \(_f\)

LTL is one of the most popular logics for temporal properties [19]. Given a set of propositions Prop, the formulas of LTL are generated as follows:

$$\begin{aligned} \varphi {:}{:}{=} a | (\varphi \wedge \varphi ) | (\lnot \varphi ) | ( \circ \varphi ) | (\varphi \mathop {\mathcal {U}}\varphi ) \end{aligned}$$

where \(a \in Prop\), \( \circ \) (next) and \(\mathop {\mathcal {U}}\) (until) are temporal operators. We use common abbreviations, so we have eventually as \(\Diamond \varphi \equiv \textit{true}\mathop {\mathcal {U}}\varphi \) and always as \(\Box \varphi \equiv \lnot \Diamond \lnot \varphi \).

LTL formulas are interpreted over infinite traces \(\pi \in (2^{Prop})^\omega \). A trace \(\pi = \pi _0,\pi _1,\ldots \) is a sequence of propositional interpretations (sets), where for every \(i \ge 0\), \(\pi _i \in 2^{Prop}\) is the i-th interpretation of \(\pi \). Intuitively, \(\pi _i\) is interpreted as the set of propositions that are true at instant i. Given \(\pi \), we define when an LTL formula \(\varphi \) holds at position i, written as \(\pi , i \models \varphi \), inductively on the structure of \(\varphi \), as:

  • \(\pi , i \models a \text { iff }a \in \pi _i\) (for \(a\in {Prop}\));

  • \(\pi , i \models \lnot \varphi \text { iff }\pi , i \not \models \varphi \);

  • \(\pi , i \models \varphi _1 \wedge \varphi _2 \text { iff }\pi , i \models \varphi _1 \text { and } \pi , i \models \varphi _2\);

  • \(\pi , i \models \circ \varphi \text { iff }\pi ,i+1 \models \varphi \);

  • \(\pi , i \models \varphi _1 \mathop {\mathcal {U}}\varphi _2\) iff there exists \(j \ge i\) such that \(\pi ,j \models \varphi _2\), and for all \(k, i\le k < j\) we have that \(\pi , k \models \varphi _1\).

We say \(\pi \) satisfies \(\varphi \), written as \(\pi \models \varphi \), if \(\pi ,0 \models \varphi \).

LTL \(_f\) is a variant of LTL interpreted over finite traces instead of infinite traces [7]. The syntax of LTL \(_f\) is exactly the same as the syntax of LTL. We define \(\pi , i \models \varphi \), stating that \(\varphi \) holds at position i, as for LTL, except that for the temporal operators we have:

  • \(\pi , i \models \circ \varphi \text { iff }i< \mathsf{{lst}}(\pi )\) and \(\pi ,i+1 \models \varphi \);

  • \(\pi , i \models \varphi _1 \mathop {\mathcal {U}}\varphi _2\) iff there exists j such that \(i \le j \le \mathsf{{lst}}(\pi )\) and \(\pi ,j \models \varphi _2\), and for all \(k, i\le k < j\) we have that \(\pi , k \models \varphi _1\).

where we denote the last position (i.e., index) in the finite trace \(\pi \) by \(\mathsf{{lst}}(\pi )\). In addition, we define the weak next operator \( \bullet \) as abbreviation of \( \bullet \varphi \equiv \lnot \circ \lnot \varphi \). Note that, over finite traces, \(\lnot \circ \varphi \not \equiv \circ \lnot \varphi \), instead \(\lnot \circ \varphi \equiv \bullet \lnot \varphi \). We say that a trace satisfies an LTL \(_f\) formula \(\varphi \), written \(\pi \models \varphi \), if \(\pi , 0 \models \varphi \).

2.1.1 Generalized reactivity(1) formulas

Generalized Reactivity(1) [5], or GR(1), is a fragment of LTL that generalizes fairness (\(\Box \Diamond \varphi \)) and stability (\(\Diamond \Box \varphi \)) formulas (cf. [14]). Given a set of propositions Prop, a GR(1) formula \(\varphi \) is required to be of the form

$$\begin{aligned} \varphi = \bigwedge _{i=1}^{m} \Box \Diamond {\mathcal {J}}_i \rightarrow \bigwedge _{j=1}^{n} \Box \Diamond {\mathcal {K}}_j \end{aligned}$$

where \({\mathcal {J}}_i\) and \({\mathcal {K}}_j\) are Boolean formulas over Prop.

2.2 Deterministic automata

A deterministic automaton (DA, for short) is a tuple \({\mathcal {A}} = (\Sigma , S, s_0, \delta , \alpha )\), where \(\Sigma \) is a finite alphabet, S is a finite set of states, \(s_0 \in S\) is the initial state, \(\delta : S \times \Sigma \rightarrow S\) is the transition function, \(\alpha \subseteq S^\omega \) is an acceptance condition. Given an infinite word \(\pi =a_0 a_1 a_2 \ldots \in \Sigma ^\omega \), the run of \({\mathcal {A}}\) on \(\pi \), denoted by \({\mathcal {A}}(\pi )\) is the sequence \(r= s_0 s_1 s_2 \ldots \in S^\omega \) starting at the initial state \(s_0\) where \(s_{i+1} = \delta (s_i, a_i)\). The automaton \({\mathcal {A}}\) accepts the word \(\pi \) if \({\mathcal {A}}(\pi ) \in \alpha \). The language of \({\mathcal {A}}\), denoted by \({\mathcal {L}}({\mathcal {A}})\), is the set of words accepted by \({\mathcal {A}}\). In this work we specifically consider reachability, safety, and reachability-safety acceptance conditions:

  • Reachability conditions. Given a set \(T \subseteq S\) of target states, \({{\text {Reach}}} (T)= \{ s_0 s_1 s_2 \ldots \in S^\omega | \exists k \ge 0: s_k \in T\}\) requires that a state in T is visited at least once.

  • Safety conditions. Given a set \(T \subseteq S\) of target states, \({{\text {Safe}}} (T)= \{ s_0 s_1 s_2 \ldots \in S^\omega | \forall k \ge 0: s_k \in T\}\) requires that only states in T are visited. This is the dual of reachability conditions.

  • Reachability-Safety conditions. Given two sets \(T_1, T_2 \subseteq S\) of target states corresponding to reachability and safety conditions, respectively, \({{\text {Reach-Safe}}} (T_1, T_2)= \{ s_0 s_1 s_2 \ldots \in S^\omega | \exists i \ge 0: s_i \in T_1 \text{ and } \forall j, i \ge j \ge 0: s_j \in T_2 \}\) requires that a state in \(T_1\) is visited at least once, and until then only states in \(T_2\) are visited.

We define the complement of a DA \({\mathcal {A}} = (\Sigma , S, s_0, \delta , \alpha )\) as \({\overline{{\mathcal {A}}}} = (\Sigma , S, s_0, \delta , S^\omega {\setminus } \alpha )\). Note that \({\mathcal {L}}({\overline{{\mathcal {A}}}}) = \Sigma ^\omega {\setminus } {\mathcal {L}}({\mathcal {A}})\). Note also that \(S^\omega {\setminus } {{\text {Reach}}} (T) = {{\text {Safe}}} (S {\setminus } T)\) and \(S^\omega {\setminus } {{\text {Safe}}} (T) = {{\text {Reach}}} (S {\setminus } T)\). Therefore, the complement of a DA with a reachability acceptance condition is a DA with a safety acceptance condition, and vice-versa. We also define the intersection of two DAs \({\mathcal {A}}_1 = (\Sigma , S_1, s^0_1, \delta _1, \alpha _1)\) and \({\mathcal {A}}_2 = (\Sigma , S_2, s^0_2, \delta _2, \alpha _2)\) as \({\mathcal {A}}_1 \cap {\mathcal {A}}_2 = (\Sigma , S_1 \times S_2, (s^0_1, s^0_2), \delta ', \alpha ')\), where \(\delta '((s_1, s_2), a) = (\delta _1(s_1, a), \delta _2(s_2, a)) \) and \(\alpha ' = \{(s^0_1, s^0_2)(s^1_1, s^1_2)(s^2_1, s^2_2)\ldots \in (S_1 \times S_2)^\omega | s^0_1 s^1_1 s^2_1 \ldots \in \alpha _1 \text { and } s^0_2 s^1_2 s^2_2 \ldots \in \alpha _2\}\). Note that if \(\alpha _1 = {{\text {Safe}}} (T_1)\) and \(\alpha _2 = {{\text {Safe}}} (T_2)\), then \(\alpha ' = {{\text {Safe}}} (T_1 \times T_2)\). If \(\alpha _1={{\text {Reach}}} (T_1)\) and \(\alpha _2={{\text {Safe}}} (T_2)\) we define a bounded intersection, where \(\alpha ' = {{\text {Reach-Safe}}} (T_1, T_2)\).

2.3 GR(1) games

Following [5], we define a GR(1) game structure as a tuple \({\mathcal {G}} = \langle {\mathcal {V}}, {\mathcal {I}}, {\mathcal {O}}, \theta _a, \theta _p, \rho _a, \rho _p, \varphi \rangle \) where:

  • \({\mathcal {V}}= \{v_1, \ldots , v_k\}\) is a set of Boolean state variables. A state of the game is given by an assignment \(s \in 2^{\mathcal {V}}\) of these variables. \({\mathcal {I}}\subseteq {\mathcal {V}}\) is the set of input variables controlled by the antagonist. \({\mathcal {O}}= {\mathcal {V}}\setminus {\mathcal {I}}\) is the set of output variables controlled by the protagonist.

  • \(\theta _a\) is a Boolean formula over \({\mathcal {I}}\) representing the initial states of the antagonist. \(\theta _p\) is a Boolean formula over \({\mathcal {V}}\) representing the initial states of the protagonist.

  • \(\rho _a\) is a Boolean formula over \({\mathcal {V}}\cup {\mathcal {I}}'\), where \({\mathcal {I}}'\) is the set of primed copies of \({\mathcal {I}}\). This formula represents the transition relation of the antagonist, between a state \(s \in 2^{\mathcal {V}}\) and a possible input \(s_{\mathcal {I}}\in 2^{\mathcal {I}}\) for the next state.

  • \(\rho _p\) is a Boolean formula over \({\mathcal {V}}\cup {\mathcal {I}}' \cup {\mathcal {O}}'\), where \({\mathcal {O}}'\) is the set of primed copies of \({\mathcal {O}}\). This formula represents the transition relation of the protagonist, relating a pair \((s, s_{\mathcal {I}}) \in 2^{\mathcal {V}}\times 2^{\mathcal {I}}\) of state s and input \(s_{\mathcal {I}}\) to an output \(s_{\mathcal {O}}\).

  • \(\varphi \) is the winning condition for the protagonist given by a GR(1) formula.

We use the terms antagonist and protagonist instead of environment and agent to avoid confusion when we switch roles.

2.4 LTL \(_f\) synthesis under environment specifications

Let \({\mathcal {X}}\) and \({\mathcal {Y}}\) be Boolean variables, with \({\mathcal {X}}\) controlled by the environment and \({\mathcal {Y}}\) controlled by the agent. An agent strategy is a function \(\sigma _ {ag} :(2^{{\mathcal {X}}})^* \rightarrow 2^{{\mathcal {Y}}}\), and an environment strategy is a function \(\sigma _{env}:(2^{\mathcal {Y}})^+ \rightarrow 2^{\mathcal {X}}\). A trace is a sequence \((X_0 \cup Y_0) (X_1 \cup Y_1) \dots \in (2^{{\mathcal {X}}\cup {\mathcal {Y}}})^\omega \). An agent strategy induces a trace \((X_i \cup Y_i)_i\) if \(\sigma _ {ag} (\epsilon )=Y_0\) and \(\sigma _ {ag} (X_0 X_1 \cdots X_j) = Y_{j+1}\) for every \(j \ge 0\). An environment strategy induces a trace \((X_i \cup Y_i)_i\) if \(\sigma _{env}(Y_0 Y_1 \cdots Y_j) = X_j\) for every \(j \ge 0\). For an agent strategy \(\sigma _ {ag} \) and an environment strategy \(\sigma _{env}\) let \(\textsf {play}(\sigma _ {ag} ,\sigma _{env})\) denote the unique trace induced by both \(\sigma _{ag}\) and \(\sigma _{env}\), and \(\textsf {play}^k(\sigma _{ag},\sigma _{env})\) be the finite trace that is a prefix up to k.

Let \(\varphi _{task}^{a}\) be an LTL \(_f\) formula over \({\mathcal {X}}\cup {\mathcal {Y}}\). An agent strategy \(\sigma _ {ag} \) realizes \(\varphi _{task}^{a}\) if for every environment strategy \(\sigma _{env}\) there exists \(k \ge 0\), chosen by the agent, such that the finite trace \(\textsf {play}^k(\sigma _ {ag} ,\sigma _{env})\) satisfies \(\varphi _{task}^{a}\), that is, \(\varphi _{task}^{a}\) is agent realizable.

In standard synthesis the environment is free to choose an arbitrary move at each step, but in AI typically the agent has some knowledge of how the environment works, which it can exploit in order to enforce the goal, specified as an LTL \(_f\) formula \(\varphi _{task}^{a}\). Here, we specify the environment behaviour by an LTL formula \( {Env} \) and call it environment specification. In particular, \( {Env} \) specifies the set of environment strategies that enforce \( {Env} \) [20]. Moreover, we require that \( {Env} \) must be environment realizable, i.e., the set of environment strategies that enforce \( {Env} \) is not empty. Formally, given an LTL formula \(\varphi \), we say that an environment strategy enforces \(\varphi \), written \(\sigma _{env}\ \rhd \ \varphi \), if for every agent strategy \(\sigma _{ag}\) we have \(\textsf {play}(\sigma _ {ag} ,\sigma _{env}) \models \varphi \).

The problem of LTL \(_f\) synthesis under environment specifications is to find an agent strategy \(\sigma _ {ag} \) such that

$$\begin{aligned} \exists \sigma _{ag} \forall \sigma _{env}\ \rhd {Env} :\exists k. \textsf {play}^k(\sigma _ {ag} ,\sigma _{env}) \models \varphi _{task}^{a}. \end{aligned}$$

As shown in [20], this can be reduced to solving the synthesis problem for the implication \( {Env} \rightarrow LTL(\varphi _{task}^{a})\), with \(LTL(\varphi _{task}^{a})\) being a suitable LTL \(_f\)-to-LTL transformation [7], which is 2exptime-complete [3].

3 LTL \(_f\) synthesis under GR(1) environment specifications

In this section, we first study LTL \(_f\) synthesis under GR(1) environment specifications. Formally, we are interested in solving the following synthesis problem.

Definition 1

(LTL \(_f\) synthesis under GR(1) Environment Specifications) The problem is described as a tuple \({\mathcal {P}}= ({\mathcal {X}},{\mathcal {Y}},\varphi _{GR(1)}^e, \varphi _{task}^{a})\), where \(\varphi _{GR(1)}^e\) is a GR(1) formula and \(\varphi _{task}^{a}\) is an LTL \(_f\) formula. Realizability of \({\mathcal {P}}\) checks whether

$$\begin{aligned} \exists \sigma _ {ag} \forall \sigma _{env}: \textsf {play}(\sigma _{ag},\sigma _{env})\models \varphi _{GR(1)}^e\rightarrow \exists k. \textsf {play}^k(\sigma _ {ag} , \sigma _{env}) \models \varphi _{task}^{a}. \end{aligned}$$

Synthesis of \({\mathcal {P}}\) computes a strategy \(\sigma _ {ag} \) if exists.

Reduction to LTL synthesis. A naive approach to solve \({\mathcal {P}}\) is to reduce it to standard LTL synthesis. Since \(\varphi _{GR(1)}^e\) can be naturally considered as an LTL formula, we are able to reduce the problem of \(\varphi _{GR(1)}^e\rightarrow \varphi _{task}^{a}\) by directly reducing to LTL synthesis, applying the reduction in [14, 16]. However, reducing to LTL synthesis has not shown promising results. Hence specific techniques have been proposed that try to avoid, if possible, the Büchi determinization and the solution of parity games, see e.g., [12, 16]. In the next, we will show how to avoid the detour to LTL synthesis for our case.

3.1 Reduction to GR(1) game

To solve the problem \({\mathcal {P}}\), we first observe that the agent’s goal is to satisfy \(\lnot \varphi _{GR(1)}^e\vee \varphi _{task}^{a}\), while the environment’s goal is to satisfy \(\varphi _{GR(1)}^e\wedge \lnot \varphi _{task}^{a}\). Moreover, we know that \(\varphi _{task}^{a}\) can be represented by a DA with a reachability condition [8]. Then, focusing on the environment point of view, we show that \({\mathcal {P}}\) can be reduced into a GR(1) game in which the game arena is the complement of the DA for \(\varphi _{task}^{a}\), i.e., a DA with safety condition, and \(\varphi _{GR(1)}^e\) is the GR(1) winning condition. Since we want a winning strategy for the agent, we need to deal with the complement of the GR(1) game to obtain a winning strategy for the antagonist. More specifically, we can solve the problem by taking the following steps:

  1. 1.

    Translate \(\varphi _{task}^{a}\) into \({\mathcal {A}}_ {ag} = (2^{{\mathcal {X}}\cup {\mathcal {Y}}}, S, s^0, \delta , {{\text {Reach}}} (T))\) that accepts a trace \(\pi \) iff \(\pi \models \varphi _{task}^{a}\) [8].

  2. 2.

    Complement \({\mathcal {A}}_ {ag} \) into \(\overline{{\mathcal {A}}_ {ag} } = (2^{{\mathcal {X}}\cup {\mathcal {Y}}}, S, s^0, \delta , {{\text {Safe}}} (T'))\) with \(T' = S{\setminus } T\). Note that \(\overline{{\mathcal {A}}_ {ag} }\) accepts a trace \(\pi \) iff \(\pi \) has no prefix satisfying \(\varphi _{task}^{a}\).

  3. 3.

    Define a GR(1) game \({\mathcal {G}}_{\mathcal {P}}\) with the environment as the protagonist, where the arena is given by \(\overline{{\mathcal {A}}_ {ag} }\) and the winning condition is given by \(\varphi _{GR(1)}^e\).

  4. 4.

    Solve this game for the antagonist, i.e. the agent.

3.1.1 Building the GR(1) game

We now detail how to build the GR(1) game \({\mathcal {G}}_{\mathcal {P}}\) (c.f., step 3 above). Given \(\overline{{\mathcal {A}}_ {ag} } = (2^{{\mathcal {X}}\cup {\mathcal {Y}}}, S, s^0, \delta , {{\text {Safe}}} (T'))\), we start by encoding the state space S into a logarithmic set of variables \({\mathcal {Z}}\) (similarly to [21]). In what follows we identify assignments to \({\mathcal {Z}}\) with states in S, respectively. Given a subset \({\mathcal {Y}}\subseteq {\mathcal {V}}\) and a state \(s \in 2^{\mathcal {V}}\), we denote by \(s\mid _{\mathcal {Y}}\) the projection of s to \({\mathcal {Y}}\). We then construct the GR(1) game structure \({\mathcal {G}}_{\mathcal {P}}= \langle {\mathcal {V}}, {\mathcal {I}}, {\mathcal {O}}, \theta _a, \theta _p, \eta _a, \eta _p, \varphi \rangle \) as follows:

  • \({\mathcal {V}}= {\mathcal {X}}\cup {\mathcal {Y}}\cup {\mathcal {Z}}\), \({\mathcal {I}}= {\mathcal {Y}}\), \({\mathcal {O}}= {\mathcal {X}}\cup {\mathcal {Z}}\);

  • \(\theta _a = \top \); \(\theta _p\) is a formula satisfied by an assignment \(s \in 2^{\mathcal {V}}\) iff \(s\mid _{{\mathcal {Z}}} = s^0\);

  • \(\eta _a = \top \); \(\eta _p\) is a formula satisfied by assignments \(s \in 2^{\mathcal {V}}\) and \(s' \in 2^{{\mathcal {V}}'}\) iff \(\delta (s\mid _{\mathcal {Z}}, s'\mid _{{\mathcal {X}}' \cup {\mathcal {Y}}'}) = s'\mid _{{\mathcal {Z}}'}\), \(s'\mid _{{\mathcal {Z}}'} \in T'\);

  • \(\varphi = \varphi _{GR(1)}^e\).

In the game \({\mathcal {G}}_{\mathcal {P}}\), the environment takes the role of protagonist, and the agent of antagonist. States in the game are given by assignments of \({\mathcal {X}}\cup {\mathcal {Y}}\cup {\mathcal {Z}}\), where the \({\mathcal {X}}\) and \({\mathcal {Y}}\) components represent respectively the last assignment of the environment and agent variables chosen by the players, and the \({\mathcal {Z}}\) component represent the current state of \(\overline{{\mathcal {A}}_ {ag} }\). The agent first chooses the \({\mathcal {Y}}\) component of the next state. There is no restriction on what it can be, so \(\theta _a = \eta _a = \top \). Then, the environment chooses the \({\mathcal {X}}\) component, and based on the chosen assignments assigns the \({\mathcal {Z}}\) variables as well. \(\theta _p\) and \(\eta _p\) enforce that the assignment to the \({\mathcal {Z}}\) variables is consistent with \(\overline{{\mathcal {A}}_ {ag} }\), and \(\eta _p\) also enforces that the safety condition \({{\text {Safe}}} (T')\) is not violated. Note that a play of \({\mathcal {G}}_{\mathcal {P}}\), given by \(\textsf {play}=\rho _0 \rho _1 \ldots \in (2^{\mathcal {V}})^\omega \), corresponds to the run \(r = (\rho _0\mid _{{\mathcal {Z}}}) (\rho _1\mid _{{\mathcal {Z}}}) (\rho _2\mid _{{\mathcal {Z}}}) \ldots \) of \(\overline{{\mathcal {A}}_ {ag} } \) on trace \((\rho _1\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}) (\rho _2\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}) \ldots \). Since \(\rho _0\) satisfies \(\theta _p\), \(\rho _0\mid _{{\mathcal {Z}}} = s^0\), and since every \((\rho _i, \rho _{i+1})\) satisfy \(\eta _p\), \(\delta (\rho _i\mid _{{\mathcal {Z}}}, \rho _{i+1}\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}) = \rho _{i+1}\mid _{{\mathcal {Z}}}\). Therefore, r is a valid run for \(\overline{{\mathcal {A}}_ {ag} } \).

Given a play \(\textsf {play}\) of \({\mathcal {G}}_{\mathcal {P}}\), there are two ways the environment can lose in \(\textsf {play}\). The first is by being unable to pick an assignment that satisfies \(\eta _p\). Since the transition relation \(\delta \) of \(\overline{{\mathcal {A}}_ {ag} }\) is total, this can only happen if \(s\mid _{{\mathcal {Z}}} \not \in T'\), meaning that \(\overline{{\mathcal {A}}_ {ag} }\) rejects a run visiting \(s\mid _{{\mathcal {Z}}}\). The other is by failing to satisfy \(\varphi _{GR(1)}^e\). These correspond to the two ways that the specification can be satisfied: by satisfying \(\varphi _{task}^{a}\) or by violating the GR(1) environment specification. Therefore, a play satisfies the specification iff it is losing for the protagonist of \({\mathcal {G}}_{\mathcal {P}}\) (i.e, the environment) and thus wining for the antagonist (i.e., the agent).

3.1.2 Correctness

The correctness of the reduction described above is illustrated by the following theorem.

Theorem 1

\({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \varphi _{GR(1)}^e, \varphi _{task}^{a}\rangle \) is realizable iff the antagonist has a winning strategy in the GR(1) game \({\mathcal {G}}_{\mathcal {P}}\).

Proof

Let \(\overline{{\mathcal {A}}_ {ag} } = (2^{{\mathcal {X}}\cup {\mathcal {Y}}}, S, s^0, \delta , {{\text {Safe}}} (T'))\) be the constructed DA of \({\mathcal {P}}\). We now prove the theorem in two directions.

\(\leftarrow :\) If the antagonist has a winning strategy \(\kappa _{a}\) in \({\mathcal {G}}_{\mathcal {P}}\), then every play \(\rho _0, \rho _1, \ldots \in (2^{\mathcal {V}})^\omega \) that is consistent with \(\kappa _{a}\) is an antagonist winning play. That is to say, either of the following holds:

  • protagonist’s goal is violated, such that \(\varphi _{GR(1)}^e\) does not hold on this play. Therefore, ignoring the initial state of \(\rho _0\), the corresponding sequence \((\rho _1\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}),\) \((\rho _2\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}), \ldots \in (2^{\{{\mathcal {X}}\cup {\mathcal {Y}}\}})^\omega \) violates \(\varphi _{GR(1)}^e\). Thus \(\varphi _{GR(1)}^e\rightarrow \varphi _{task}^{a}\) holds.

  • There exists k, such that the protagonist’s transition constraint \(\eta _p\) is violated, thus \(\delta (\rho _k\mid _{\mathcal {Z}}, \rho _{k+1}\mid _{{\mathcal {X}}' \cup {\mathcal {Y}}'}) \notin T'\). That is to say, the finite trace \((\rho _1\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}),\) \((\rho _2\mid _{{\mathcal {X}}\cup {\mathcal {Y}}}), \ldots (\rho _{k+1}\mid _{{\mathcal {X}}\cup {\mathcal {Y}}})\) satisfies \(\varphi _{task}^{a}\), then \(\varphi _{GR(1)}^e\rightarrow \varphi _{task}^{a}\) holds.

\(\rightarrow :\) If \({\mathcal {P}}\) is realizable, then the agent has a winning strategy \(\sigma _ {ag} \). So for every trace \(\pi _0, \pi _1, \ldots \in (2^{{\mathcal {X}}\cup {\mathcal {Y}}})^{\omega }\) that is consistent with \(\sigma _ {ag} \), either of the following holds:

  • \(\varphi _{GR(1)}^e\) is violated, therefore, starting from the initial state \(\rho _0\), following \(\sigma _ {ag} \), the antagonist is able to force the corresponding play \(\rho _0, \rho _1, \rho _2 \ldots \in (2^{{\mathcal {V}}})^\omega \) to violate the protagonist’s goal. Thus this play is winning for the antagonist.

  • There exists k such that \(\pi = \pi _0, \pi _1, \ldots \pi _k \models \varphi _{task}^{a}\). Therefore, the corresponding run of \(\pi \) on \(\overline{{\mathcal {A}}_ {ag} }\) ends in a state \( \notin T'\). That is to say, in the corresponding play \(\rho \), the antagonist is able to force the protagonist to violate its transition constraint \(\eta _p\), by having the move from \(\rho _k\) to \(\rho _{k+1}\). Thus this play is winning for the antagonist.

\(\square \)

3.1.3 Complexity

We now discuss the computational properties of the synthesis algorithm described above.

Theorem 2

The algorithm described above algorithm solves the synthesis problem \({\mathcal {P}}=({\mathcal {X}},{\mathcal {Y}},\varphi _{GR(1)}^e,\varphi _{task}^{a})\) in 2exptime (the problem is indeed 2exptime-complete).

Proof

We first prove that the problem is 2exptime. Specifically, building the corresponding DA with reachability condition for \(\varphi _{task}^{a}\) takes doubly exponential time in the size of \(\varphi _{task}^{a}\) [8]. This allows us to exploit subset construction and minimization rather than Büchi determinization, making it more scalable in practice, as for LTL \(_f\) synthesis. The complementation takes linear time in the size of the automaton. Finally, building the GR(1) game takes linear time in the size of the automaton and solving the corresponding GR(1) game is quadratic in the size of the game [5].

The hardness is immediate from 2exptime-completeness of LTL \(_f\) synthesis itself [8]. Notice that as a special case of our problem, we have standard LTL \(_f\) synthesis by considering trivially Env to be true. \(\square \)

4 Introducing safety conditions

Next we introduce safety conditions into the framework. Safety conditions are properties that assert that the behaviors of the environment or the agent always remain within some allowed boundaries. A notable example of safety conditions for the environment are effect specifications in planning domains that describe how the environment can react to agent actions in a given situation. A notable example of safety conditions for the agent are action preconditions, i.e. the agent cannot violate the precondition of actions. Another notable example of safety conditions for the agent comes from planning with maintenance goals (c.f. [17]). Observe though that there is a difference between the safety conditions on the environment and those on the agent: the first must hold forever, while the second must hold until the agent task is terminated, i.e., the goal is fulfilled.

4.1 Expressing safety as LTL \(_f\) formulas

Typically, we capture general safety conditions as LTL formulas that, if invalid, are always violated within a finite number of steps. Alternatively, we can think of them as properties that need to hold for all prefixes of an infinite trace. Under this second view, we can also describe the finite variant of safety by simply requiring that the safety condition holds for all prefixes of a finite trace determined by the LTL \(_f\) agent task requirement. This view of safety conditions as properties that must hold for all prefixes also allows us to specify them in LTL \(_f\). Indeed, all prefixes are, in fact, finite traces. Formally, in order to use LTL \(_f\) formulas to specify safety conditions, we need to define an alternative notion of satisfaction that interprets a formula over all prefixes of a trace:

Definition 2

A (finite or infinite) trace \(\pi \) satisfies an LTL \(_f\) formula \(\varphi \) on all prefixes, denoted \(\pi \models _\forall \varphi \), if every non-empty finite prefix of \(\pi \) satisfies \(\varphi \). That is, \(\pi ^k = \pi _0 \pi _1, \ldots , \pi _k \models \varphi \), for every \(0 \le k < \mid \pi \mid \).

Next we show that we can specify all possible safety conditions expressible in LTL, i.e., all first-order (logic) safety properties [22], using LTL \(_f\) on prefixes.

It is known that every safety property expressible in LTL can be expressed by a formula of the form \(\Box \varphi \), where \(\varphi \) is a pure-past formula [22]. Let us denote by PLTL \(_f\) these pure-past formulas. For every PLTL \(_f\) formula \(\varphi \), there exists an LTL \(_f\) formula \(\varphi '\) such that every finite trace \(\pi \) that satisfies \(\varphi \) (i.e., \(\pi , \mathsf{{lst}}(\pi ) \models \varphi \)) also satisfies \(\varphi '\) (i.e., \(\pi , 0 \models \varphi '\)) [23]. As an example of the equivalence between PLTL \(_f\) and LTL \(_f\), consider the PLTL \(_f\) formula \(\varphi = ((\lnot p) \mathop {{\mathcal {S}}}q)\), where \(\mathop {{\mathcal {S}}}\) stands for pure-past connective Since. We refer to [23] for more details about PLTL \(_f\). An equivalent LTL \(_f\) formula is \(\varphi ' = \Diamond (q \wedge \bullet \Box (\lnot p))\). Considering this discussion, we can prove the following result.

Theorem 3

Every first-order safety property can be expressed as an LTL \(_f\) formula on all prefixes, and viceversa.

Proof

It has been shown that every first-order safety property can be expressed by a formula of the form \(\Box \varphi \), where \(\varphi \) is PLTL \(_f\) (pure-past) formula [22]. From the semantics of \(\Box \varphi \) when \(\varphi \) is a pure-past formula, \(\pi \models \Box \varphi \) iff every non-empty prefix \(\pi '\) of \(\pi \) satisfies \(\varphi \). Moreover, for every PLTL \(_f\) formula \(\varphi \), there exists an LTL \(_f\) formula \(\varphi '\) such that every finite trace \(\pi \) that satisfies \(\varphi \) (i.e., \(\pi , last(\pi ) \models \varphi \)) also satisfies \(\varphi '\) (i.e., \(\pi , 0 \models \varphi '\)) [23]. That is to say, \(\pi \models \Box \varphi \) happens iff every non-empty prefix \(\pi '\) satisfies \(\varphi '\), which by definition happens iff \(\pi \models _\forall \varphi '\).

The other direction is proved by the definition of LTL \(_f\) on all prefixes. Indeed, by definition, a trace \(\pi \models _\forall \varphi \) if every non-empty prefix of \(\pi \) satisfies \(\varphi \). Therefore, if \(\pi \not \models _\forall \varphi \), then there exists a finite prefix that does not satisfy \(\varphi \). Then, the LTL \(_f\) formula \(\varphi \) on all prefixes expresses a safety property. \(\square \)

Turning to safety conditions for the agent, we observe that the fact that an LTL \(_f\) formula holds for every prefix of a finite trace (in our case the trace satisfying the task of the agent), is expressible in first-order logic on finite traces, and hence directly as an LTL \(_f\) formula [7]. Nevertheless, translating an LTL \(_f\) formula on all prefixes to an LTL \(_f\) formula may require exponential blowups in general.

5 Adding safety into LTL \(_f\) synthesis under GR(1) environment specifications

We now enrich our synthesis framework by adding safety conditions, expressed in LTL \(_f\), on both the environment and the agent, following the considerations made previously. In this setting, we are interested in solving the synthesis problem defined as follows.

Definition 3

(LTL \(_f\) under GR(1) Environment Specifications, adding safety conditions) The problem is described as a tuple \({\mathcal {P}}'= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \) where \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \), \(Goal = \langle \varphi _{task}^{a}, \varphi _{safe}^{a}\rangle \), and \(\varphi _{GR(1)}^e\) is a GR(1) formula and \(\varphi _{task}^{a}\), \(\varphi _{safe}^e\) and \(\varphi _{safe}^{a}\) are LTL \(_f\) formulas. Realizability of \({\mathcal {P}}\) checks whether

$$\begin{aligned}\exists \sigma _{ag} \forall \sigma _{env}: \textsf {play}(\sigma _{ag},\sigma _{env}) \models \varphi _{GR(1)}^e\text { and }\textsf {play}(\sigma _{ag},\sigma _{env})\models _\forall \varphi _{safe}^e\rightarrow \\ \exists k. \textsf {play}^k(\sigma _{ag}, \sigma _{env}) \models \varphi _{task}^{a}\text { and } \textsf {play}^k(\sigma _{ag}, \sigma _{env}) \models _\forall \varphi _{safe}^{a}. \end{aligned}$$

Synthesis of \({\mathcal {P}}\) computes a strategy \(\sigma _ {ag} \) if exists.

This class of synthesis problem is able to naturally reflect the structure of many reactive systems in practice. We illustrate this with a relatively simple example representing a three-way handshake used to establish a TCP connection.

Example 1

In this example, the server and client involved in TCP connection are considered as environment and agent, respectively. Let \({\mathcal {X}}=\{SynAck\}\) and \({\mathcal {Y}}=\{Syn,Ack\}\).

  • The server can only send a SYN-ACK message after the client has sent a SYN message. \(\varphi _{safe}^e= \Box \lnot Syn \rightarrow \Box \lnot SynAck\) Note that, \(\varphi _{safe}^e\) is an LTL \(_f\) formula and represents a safety property with respect to all prefixes semantic (see Definition 2).

  • If the client keeps sending a SYN message, the server eventually responds with a SYN-ACK message. \(\varphi _{GR(1)}^e= \Box \Diamond Syn \rightarrow \Box \Diamond SynAck\)

  • The client should eventually send an ACK message, establishing the TCP connection. \(\varphi _{task}^{a}= \Diamond Ack\)

  • The client can only send an ACK message after the server has sent a SYN-ACK message. \(\varphi _{safe}^{a}= \Box \lnot SynAck \rightarrow \Box \lnot Ack\)

5.1 Reduction to LTL synthesis

Notice that there is a critical difference between the safety conditions of the environment and the ones of the agent, where we require the environment safety conditions to hold forever (leading to an infinite trace), and the agent safety conditions to hold until fulfilling the agent task (expressed as an LTL \(_f\) formula such that leading to a finite trace). We start with considering the case of adding environment safety conditions only, and then discuss the case of also adding agent safety conditions.

5.1.1 Adding environment safety conditions

Suppose \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and Goal is an LTL \(_f\) formula \( \varphi _{task}^{a}\), we are still able to reduce the problem of \(\varphi _{GR(1)}^e\wedge \varphi _{safe}^e\rightarrow \varphi _{task}^{a}\) to LTL synthesis. The reduction here, however, is not as intuitive as the ones studied for LTL \(_f\) synthesis [21] or LTL \(_f\) synthesis under LTL environment specifications [14, 16]. This is because the safety condition \(\varphi _{safe}^e\) is interpreted over all prefixes, and there is no known linear translation from this type of formula to LTL. Nevertheless, it is still possible to reduce \({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \) to LTL synthesis. Note that the problem can be rewritten as

$$\begin{aligned} \varphi _{GR(1)}^e\rightarrow (\lnot \varphi _{safe}^e\vee \varphi _{task}^{a}) \end{aligned}$$

where \(\lnot \varphi _{safe}^e\) is interpreted using standard LTL \(_f\) semantics. That is to say, an agent strategy \(\sigma _ {ag} : (2^{{\mathcal {X}}})^* \rightarrow 2^{{\mathcal {Y}}}\) realizes Goal under environment specification Env, if for every \(\pi = \pi _0, \pi _1, \ldots \in (2^{{\mathcal {X}}\cup {\mathcal {Y}}})^{\omega }\) consistent with \(\sigma _ {ag} \) it is the case that

  • if \(\pi \models \varphi _{GR(1)}^e\), then

    • \(\pi \models _\forall \varphi _{safe}^e\) is violated, or

    • there exists \(k \ge 0\) such that \(\pi ^k \models \varphi _{task}^{a}\).

This interpretation allows us to shift environment specification \(\varphi _{safe}^e\) to be part of the agent goal, such that Goal is satisfied by \(\pi \) if \(\pi \models _\forall \varphi _{safe}^e\) is violated or there exists \(k \ge 0\) such that \(\pi ^k \models \varphi _{task}^{a}\).

Regarding the first case, note that \(\pi \models _\forall \varphi _{safe}^e\) requires that every non-empty finite prefix of \(\pi \) satisfies \(\varphi _{safe}^e\). That is, \(\pi _0, \ldots , \pi _k \models \varphi _{safe}^e\), for every \(0 \le k < \mid \pi \mid \). Therefore, \(\pi \models _\forall \varphi _{safe}^e\) is violated iff there exists a non-empty finite prefix of \(\pi \) that falsifies \(\varphi _{safe}^e\) in the standard LTL \(_f\) semantics. That is, \(\pi _0, \ldots , \pi _k \models \lnot \varphi _{safe}^e\), for some \(0 \le k < \mid \pi \mid \), which is equivalent to \(\pi \models \lnot \varphi _{safe}^e\) in standard LTL \(_f\) semantics. Therefore, Goal is satisfied by \(\pi \) if there exists \(k \ge 0\) such that \(\pi ^k \models (\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a}\).

Consequently, the original problem of Goal under environment specification Env is realized by agent strategy \(\sigma _ {ag} : (2^{{\mathcal {X}}})^* \rightarrow 2^{{\mathcal {Y}}}\), if for every \(\pi = \pi _0, \pi _1, \ldots \in (2^{{\mathcal {X}}\cup {\mathcal {Y}}})^{\omega }\) consistent with \(\sigma _ {ag} \) it is the case that

  • if \(\pi \models \varphi _{GR(1)}^e\), then

  • there exists \(k \ge 0\) such that \(\pi ^k \models (\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a}\)

Since \(\varphi _{GR(1)}^e\) is an LTL formula, this is a standard problem of LTL \(_f\) synthesis under LTL environment specifications. Therefore, following the reduction in [14, 16], consider synthesis problem \({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \), where \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and Goal is \( \varphi _{task}^{a}\), we are able to reduce it to solving the LTL synthesis problem \(\langle {\mathcal {X}}, {\mathcal {Y}}\cup \{alive\}, \varphi _{GR(1)}^e\rightarrow {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a}) \rangle \). The operation of \({LTL} (\varphi )\) takes an LTL \(_f\) formula \(\varphi \) as input, applies the LTL \(_f\)-to-LTL translation introduced in [7], and returns the corresponding LTL formula \(\psi \), that is equa-satisfiable to \(\varphi \). Moreover, proposition alive is introduced by LTL \(_f\)-to-LTL translation and assigned as agent variable.

The following theorem guarantees the correctness of this reduction.

Theorem 4

Let \({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \), where \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and Goal is \(\varphi _{task}^{a}\), be the defined synthesis problem, \({\mathcal {P}}' = \langle {\mathcal {X}}, {\mathcal {Y}}\cup \{alive\}, \varphi _{GR(1)}^e\rightarrow {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a}) \rangle \) be the reduced LTL synthesis problem. We have \({\mathcal {P}}\) is realizable if and only if \({\mathcal {P}}'\) is realizable.

Proof

We prove the two directions separately.

  • \(\leftarrow : \) Since \({\mathcal {P}}'\) is realizable with respect to \(\langle {\mathcal {X}}, {\mathcal {Y}}\cup \{alive\} \rangle \), there exists a winning strategy \(\sigma _ {ag} ': (2^{\mathcal {X}})^* \rightarrow 2^{{\mathcal {Y}}\cup \{alive\}}\) such that every trace \(\pi '\) that is consistent with \(\sigma _ {ag} '\) satisfies \(\lnot \varphi _{GR(1)}^e\vee {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\). Therefore, one of the following conditions holds for \(\pi '\):

    • \(\lnot \varphi _{GR(1)}^e\) is true, and therefore the environment specification \(\varphi _{GR(1)}^e\) is violated. \(\pi '\) thus realizes \({\mathcal {P}}\) by violating environment specification \(\varphi _{GR(1)}^e\).

    • \({LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\) is true, and therefore there exists a position k such that either \(\pi '_0, \ldots , \pi '_k \models \lnot \varphi _{safe}^e\) or \(\pi '_0, \ldots , \pi '_k \models \varphi _{task}^{a}\). The former happens, then environment specification \(\varphi _{safe}^e\) is violated, and \(\pi '\) thus realizes \({\mathcal {P}}\) by violating environment specification \(\varphi _{safe}^e\). The latter happens when agent task \(\varphi _{task}^{a}\) is accomplished, and \(\pi '\) thus realizes \({\mathcal {P}}\).

    Finally, in order to obtain the winning strategy \(\sigma _ {ag} \), we have \(\sigma _ {ag} (\lambda ) = \sigma _ {ag} '(\lambda )\mid _{{\mathcal {Y}}}\), where \(\lambda \in (2^{\mathcal {X}})^*\).

  • \(\rightarrow : \) Since \({\mathcal {P}}\) is realizable, there exists a winning strategy \(\sigma _ {ag} : (2^{\mathcal {X}})^* \rightarrow 2^{{\mathcal {Y}}}\) such that every trace \(\pi \) that is consistent with \(\sigma _ {ag} \) realizes \(\varphi _{task}^{a}\) under environment specification Env. Therefore, one of the following conditions holds:

    • The environment behaves in a way that violates \(\varphi _{GR(1)}^e\), in which case environment specification \(\varphi _{GR(1)}^e\) does not hold. Therefore, \(\pi \) realizes \({\mathcal {P}}'\) by satisfying \(\varphi _{GR(1)}^e\rightarrow {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\).

    • The environment behaves such as violating \(\varphi _{safe}^e\), in which case environment specification \(\varphi _{safe}^e\) does not hold. That is to say, there exists a position k such that \(\pi _0, \ldots , \pi _k \models \lnot \varphi _{safe}^e\). Since alive is assigned as an agent variable, we can construct \(\pi '\) such that \(\pi '_i = \pi _i \cup \{alive\}\) for \(0 \le i \le k\) and \(\pi '_i = \pi _i\) for \(i > k\). Thus, we have \(\pi '\) such that \(\pi ' \models {LTL} (\lnot \varphi _{safe}^e)\). Therefore, \(\pi ' \models \varphi _{GR(1)}^e\rightarrow {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\) by satisfying the right side of the implication \({LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\).

    • Goal is accomplished, and therefore \(\varphi _{task}^{a}\) holds. That is to say, there exists k such that \(\pi ^k \models \varphi _{task}^{a}\). We again construct \(\pi '\) similarly as above, and \(\pi ' \models {LTL} (\varphi _{task}^{a})\) holds. Therefore, \(\pi ' \models \varphi _{GR(1)}^e\rightarrow {LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\) by satisfying the right side of the implication \({LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\).

    Finally, we obtain the agent winning strategy as follows. Given k the position in which \({LTL} ((\lnot \varphi _{safe}^e) \vee \varphi _{task}^{a})\) is satisfied, we have that \(\sigma _ {ag} '(X_0,\ldots ,X_i) = \sigma _ {ag} (X_0,\ldots ,X_i) \cup \{alive\}\) for \(0 \le i \le k\), and \(\sigma _ {ag} '(X_0,\ldots ,X_i) = \sigma _ {ag} (X_0,\ldots ,X_i)\), for \(i>k\).

\(\square \)

5.1.2 Adding environment and agent safety conditions

We now have \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and \(Goal = \langle \varphi _{task}^{a}, \varphi _{safe}^{a}\rangle \), where \(\varphi _{safe}^{a}\) is expressed in LTL \(_f\) on all prefixes. As mentioned above, the agent safety condition requires that the agent remains in desired boundaries until fulfilling the task. In this case, there is no known linear translation from an arbitrary \(\varphi _{safe}^{a}\) directly to LTL \(_f\) or LTL. However, later in the experiments, we show that for specific \(\varphi _{safe}^{a}\) formulas, one can still obtain an equivalent LTL \(_f\) formula \(\psi \) by analyzing the properties specified by \(\varphi _{safe}^{a}\). Let \({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \), where \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and \(Goal = \langle \varphi _{task}^{a}, \varphi _{safe}^{a}\rangle \), be the defined synthesis problem. Suppose there is an LTL \(_f\) formula \(\psi \) that is equivalent to \(\varphi _{safe}^{a}\), we are able to reduce the original problem to \({\widehat{{\mathcal {P}}}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, {\widehat{Goal}} \rangle \), where \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \), \({\widehat{Goal}} = \langle {\widehat{\varphi _{task}^{a}}} \rangle \), and \({\widehat{\varphi _{task}^{a}}} = \varphi _{task}^{a}\wedge \psi \). This reduction allows us to solve \({\mathcal {P}}\) by applying the reduction from \({\widehat{{\mathcal {P}}}}\) to LTL synthesis described in Sect. 5.1.1.

5.2 Reduction to GR(1) game

We now show that the synthesis problem \({\mathcal {P}}'\) can be reduced into a GR(1) game \({\mathcal {G}}_{{\mathcal {P}}'}\), analogously to the construction of \({\mathcal {G}}_{\mathcal {P}}\) in Sect. 3. To solve this problem, the first thing to note is that \(\varphi _{task}^{a}\wedge \varphi _{safe}^{a}\) can be represented by a DA with reachability-safety condition. As we will show later in this section, this DA can then be reduced into one with a pure reachability condition. Now, since the environment’s goal is to satisfy \(\varphi _{GR(1)}^e\wedge \varphi _{safe}^e\wedge \lnot (\varphi _{task}^{a}\wedge \varphi _{safe}^{a})\), then we can reduce \({\mathcal {P}}'\) to solving a GR(1) game whose game arena is the product of the DA for \(\varphi _{safe}^e\) with safety condition and the complement of the DA for \(\varphi _{task}^{a}\wedge \varphi _{safe}^{a}\) with reachability condition, i.e. a DA with safety condition. Note that in what follows, we consider \(\Sigma = 2^{{\mathcal {X}}\cup {\mathcal {Y}}}\).

To solve the synthesis problem \({\mathcal {P}}'\) we proceed as follows:

  1. 1.

    Build the DA \({\mathcal {A}}_{t}^a=(\Sigma , S_1, s^0_1, \delta _1, {{\text {Reach}}} (T_1))\) of \(\varphi _{task}^{a}\) [8].

  2. 2.

    Build the DA \({\mathcal {A}}_{s}^a = (\Sigma , S_2, s^0_2, \delta _2, {{\text {Safe}}} (T_2 \cup \{s^0_2\}))\) that accepts a trace \(\pi \) iff \(\pi \models _\forall \varphi _{safe}^{a}\) (see Sect. 6.3.1).

  3. 3.

    Take the bounded intersection of \({\mathcal {A}}_{t}^a\) and \({\mathcal {A}}_{s}^a\) into \({\mathcal {A}}_{t \wedge s}^a=(\Sigma , S_1 \times S_2, (s^0_1, s^0_2), \delta ', {{\text {Reach-Safe}}} (T_1,T_2\cup \{s^0_2\})\). Note that \({\mathcal {A}}_{t \wedge s}^a\) accepts a trace \(\pi \) iff there exists \(k \ge 0\) such that \(\pi ^k \models \varphi _{task}^{a}\) and \(\pi ^k \models _\forall \varphi _{safe}^{a}\).

  4. 4.

    Reduce \({\mathcal {A}}_{t \wedge s}^a\) to \({\mathcal {A}}_ {ag} =(\Sigma , S_1 \times S_2, (s^0_1, s^0_2),\) \(\delta ', {{\text {Reach}}} (T))\), as described later in this section. We have that \({\mathcal {L}}({\mathcal {A}}_{t \wedge s}^a) = {\mathcal {L}}({\mathcal {A}}_{ag})\).

  5. 5.

    Complement \({\mathcal {A}}_ {ag} \) into \(\overline{{\mathcal {A}}_ {ag} } = (\Sigma , S_1 \times S_2,\) \( (s^0_1, s^0_2),\) \( \delta ', {{\text {Safe}}} (T'))\) with \(T' = (S_1 \times S_2) {\setminus } T\).

  6. 6.

    Build the DA \({\mathcal {A}}_ {Env} = (\Sigma , Q, q_0, \delta ^e, {{\text {Safe}}} (R))\) that accepts a trace \(\pi \) iff \(\pi \models _\forall \varphi _{safe}^{a}\).

  7. 7.

    Intersect \(\overline{{\mathcal {A}}_ {ag} }\) and \({\mathcal {A}}_ {Env} \) into a DA \({\mathcal {B}}=(\Sigma , S_1 \times S_2 \times Q, (s^0_1, s^0_2,q_0), \alpha , {{\text {Safe}}} (T' \times R))\). Note that \({\mathcal {B}}\) accepts exactly the safe prefixes for the environment.

  8. 8.

    Define a GR(1) game \({\mathcal {G}}_{{\mathcal {P}}'}\) with the environment as the protagonist, where the arena is given by \({\mathcal {B}}\) and the winning condition is given by \(\varphi _{GR(1)}^e\) (see Sect. 3).

  9. 9.

    Solve this game for the antagonist, i.e. the agent.

We now detail the construction at Step 4 above. Let \({\mathcal {A}}=(\Sigma , S, s_0, \delta , \alpha )\) be a DA with a reachability-safety condition \(\alpha = {{\text {Reach-Safe}}} (T_1, T_2)\). We describe a reduction to a \({\mathcal {A}}' = (\Sigma , S, s_0, \delta ', \alpha ')\) with a reachability condition \(\alpha ' = {{\text {Reach}}} (T)\) such that \({\mathcal {L}}({\mathcal {A}}') = {\mathcal {L}}({\mathcal {A}})\). We define the transition relation of \({\mathcal {A}}'\) as follows:

$$\begin{aligned} \delta '(s, \sigma ) = {\left\{ \begin{array}{ll} \delta (s, \sigma ) &{}\hbox { if}\ s \in T_2 \\ s &{}\hbox { if}\ s \not \in T_2 \end{array}\right. } \end{aligned}$$

Intuitively, the only change we make is to turn all non-safe states (states not in \(T_2\)) into sink states. We then define the reachability condition as \(\alpha ' = {{\text {Reach}}} (T_1 \cap T_2)\). Intuitively, we want to reach a goal state (a state in \(T_1\)) that is also safe (i.e., it is in \(T_2\)). The two automata are indeed equivalent:

Lemma 5

Let \({\mathcal {A}}\) and \({\mathcal {A}}'\) be as above, then \({\mathcal {L}}({\mathcal {A}}') = {\mathcal {L}}({\mathcal {A}})\).

Proof

(\(\supseteq \)) Assume \(\pi = \pi _0 \pi _1 \ldots \in {\mathcal {L}}({\mathcal {A}})\). Then, the run \(r= s_0 s_1 s_2 \ldots = {\mathcal {A}}(\pi )\) has a prefix \(r^k\) that ends in \(T_1\) and for which every state visited (including the last one) is in \(T_2\). Let \(r' = {\mathcal {A}}'(\pi )\) be the corresponding run in \({\mathcal {A}}'\). We prove that \((r')^k = r^k\) and \((r')^k\) satisfies the reachability condition \(\alpha '\).

To prove that \((r')^k = r^k\), note that both start at \(s_0\) and that every state \(s_i\) in \(r^k\) is in \(T_2\). Therefore, \(\delta '(s_i, \pi _i) = \delta (s_i, \pi _i)\) for every state \(s_i\) in \(r^k\), by the definition of \(\delta '\). By induction, \((r')^k = r^k\).

To prove that \((r')^k\) satisfies the reachability objective \(\alpha '\), we need to prove that \(\mathsf{{lst}}((r')^k) \in T_1 \cap T_2\). But we already know that \(\mathsf{{lst}}(r^k) \in T_1\) and \(\mathsf{{lst}}(r^k) \in T_2\). Since \((r')^k = r^k\), the conclusion follows.

(\(\subseteq \)) Assume \(\pi = \pi _0 \pi _1 \ldots \in {\mathcal {L}}({\mathcal {A}}')\). Then, the run \(r' = s_0 s_1 s_2 \ldots = {\mathcal {A}}'(\pi )\) has a prefix \((r')^k\) that ends in \(T_1 \cap T_2\). Let \(r= {\mathcal {A}}(\pi )\) be the corresponding run in \({\mathcal {A}}\). We prove that \(r^k = (r')^k\) and \(r^k\) satisfies the reachability-safety condition \(\alpha \).

To prove both of these, we first prove that all states in \((r')^k\) are in \(T_2\). By the definition of \(\delta '\), if there was a state s in \((r')^k\) that was not in \(T_2\), then every following state would also be s, and therefore not in \(T_2\). But we already know that \(\mathsf{{lst}}((r')^k) \in T_1 \cap T_2\), and therefore the last state is in \(T_2\). Thus, all states in \((r')^k\) must be in \(T_2\).

To prove that \(r^k = (r')^k\), note that both \(r^k\) and \((r')^k\) start at \(s_0\), and that \(\delta (s_i, \pi _i) = \delta '(s_i, \pi _i)\) for every state in \(T_2\). Since we have already proved that all states in \((r')^k\) are in \(T_2\), it follows by induction that \(r^k = (r')^k\).

To prove that \(r^k\) satisfies the reachability-safety condition \(\alpha \), note that \(\mathsf{{lst}}((r')^k) \in T_1 \cap T_2\), and therefore \(\mathsf{{lst}}((r')^k) \in T_1\). We have also proved that all states in \((r')^k\) are in \(T_2\). Since \(r^k = (r')^k\), this is enough to prove that \(r^k\) satisfies \(\alpha \). \(\square \)

Hence, we are able to reduce the synthesis problem \({\mathcal {P}}'= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \) to a GR(1) game as well.

5.3 Correctness

The correctness of the reduction described above is illustrated by the following theorem.

Theorem 6

\({\mathcal {P}}'= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \), with \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and \(Goal = \langle \varphi _{task}^{a}, \varphi _{safe}^{a}\rangle \), is realizable iff the antagonist has a winning strategy in the GR(1) game \({\mathcal {G}}_{{\mathcal {P}}'}\).

Proof

The proof here naturally follows the proof for Theorem 1. This is because the accomplishing \(Goal = \langle \varphi _{safe}^{a}, \varphi _{task}^{a}\rangle \) can be reduced to a reachability condition \({\varphi _{task}^{a}}'\), as stated by Lemma 5. Moreover, violating environment safety condition \(\varphi _{safe}^e\) can be considered as a reachability condition as well, thus we have \(\lnot \varphi _{safe}^e\). Consequently, following the detailed constructions described in Sect. 5, we can consider the original problem of \((\varphi _{GR(1)}^e\wedge \varphi _{safe}^e) \rightarrow (\varphi _{task}^{a}\wedge \varphi _{safe}^{a})\) as \(\varphi _{GR(1)}^e\rightarrow (\lnot \varphi _{safe}^e\vee {\varphi _{task}^{a}}')\), where \((\lnot \varphi _{safe}^e\vee {\varphi _{task}^{a}}')\) can be considered as a reachability condition, as in the problem defined in Sect. 3. Therefore, the solution of reducing to a GR(1) game remains correct. \(\square \)

5.3.1 Complexity

We study the computational properties of the synthesis technique presented in this section, and analyze the operations required in our synthesis technique in detail.

Theorem 7

The synthesis problem \({\mathcal {P}}=({\mathcal {X}},{\mathcal {Y}},Env,Goal)\) can be solved with the algorithm described above in 2exptime (the problem is indeed 2exptime-complete).

Proof

We first prove the membership. Specifically, building the DAs for \(\varphi _{task}^{a}\) and \(\varphi _{safe}^{a}\) takes doubly exponential time in the size of \(\varphi _{task}^{a}\) and \(\varphi _{safe}^{a}\), respectively. Second, the computation of the bounded intersection between the two DAs, and the reduction to a DA with reachability condition and complementation is done in linear time in the size of the automaton. Then, building the corresponding DA with safety condition for \(\varphi _{safe}^e\) takes double exponential time in the size of \(\varphi _{safe}^e\), complementing it and performing the intersection with the DA built previously takes linear time in the size of the automaton. Finally, building the GR(1) game takes linear time in the size of the automaton and solving the corresponding GR(1) game is quadratic in the size of the game.

The hardness is immediate from 2exptime-completeness of LTL \(_f\) synthesis itself [8]. Notice that as a special case of our problem, we have standard LTL \(_f\) synthesis by considering trivially \(\varphi _{GR(1)}^e\) and \(\varphi _{safe}^e\) to be true. \(\square \)

6 Experimental analysis

We implemented the approach described in Sect. 5, which subsumes the method described in Sect. 3, in a tool called GFSynth  .Footnote 1 In this section, we first describe the implementation of GFSynth, and then introduce two representative benchmarks that are able to capture commonly used sensor-based robotic tasks. An empirical evaluation is shown at the end to show the performance of our approach.

6.1 Implementation

GFSynth runs in three steps: automaton construction, reduction to GR(1) game, and GR(1) game solving. In the first step, we use code from the LTL \(_f\)-synthesis tool Syft [21] to read and parse the input and construct corresponding DAs. All DAs in GFSynth are symbolically represented by Binary Decision Diagrams (BDDs), as in [21], with each explicit state represented as an assignment over a set of state variables. Therefore, each state in the automaton for the bounded intersection of \(\varphi _{safe}^{a}\) and \(\varphi _{task}^{a}\) is a concatenation of the state assignments from both automata. In symbolic representation, the transition function is given by a sequence of BDDs, each computing the next assignment for one of the state variables. Analogously, the transition function in the bounded-intersection automaton can be obtained by concatenating the transition functions from both automata. Regarding the reachability-safety to reachability reduction, where the key part is turning all non-safe states into sink states, consider the set of non-safe states represented by BDD \(B_{unsafe}\). For each BDD \(B_z\) in the transition function corresponding to state variable z, if the current state is a non-safe state, we restrict \(B_z\) to return the same value as in the current state assignment. Otherwise, we don’t change the value that \(B_z\) is supposed to return. This can be computed as \((\lnot B_{unsafe} \wedge B_z) \vee (B_{unsafe} \wedge z)\). The necessary BDD operations are available in the CUDD\(-\)3.0.0 [24] BDD library. Finally, we solve the GR(1) game in the input format of the GR(1)-synthesis tool Slugs [25]. To solve and compute a strategy for the antagonist, we call Slugs using the -CounterStrategy option.

6.2 Benchmarks

For the experimental evaluation, we use two sets of benchmarks based on examples of reactive synthesis from the literature, slightly modified to adapt them to our framework. Both examples involve an agent navigating around an environment in order to perform a task. In both cases, we can use a parameter n to scale the number of regions, and thus measure how our tool performs as the size of the problem grows.

6.2.1 Finding Nemo

This example is based on the running example from [6]. The agent is a robot that moves in a workspace consisting of a circular hallway with n sections, each of which leads to two rooms with no other exits, adding up to 3n regions in total. Figure 1 shows an illustration with \(n=4\).

Fig. 1
figure 1

Illustration of Finding Nemo with \(n=4\)

Full size image

The agent is searching for “Nemo”, who can move around the odd-numbered rooms. The robot has a sensor that detects if Nemo is in the current region the robot is in, and has a camera that it can use to record Nemo if it finds him. The input variable SenseNemo indicates whether the sensor has detected Nemo in the current room. The sensor can also detect if Nemo is leaving the region, which is represented by the input variable NemoLeaving. The output variables \(R = \{Hallway_1, \ldots , Hallway_n, Room_1, \ldots , Room_{2n}\}\) indicate which region the robot is currently at. The output variable CameraOn indicates whether the robot’s camera is turned on. We use \(T \subseteq R^2\) to denote the transition relation between regions. Specifically, \((r, r') \in T\) iff the robot can move directly from region r to region \(r'\). Following the room layout described above, we define T as follows:

$$\begin{aligned} T = \bigcup _{1 \le i \le n} \{&(Hallway_i, Hallway_{(i - 1) \bmod n}), \\&(Hallway_i, Hallway_i), \\&(Hallway_i, Hallway_{(i+1) \bmod n}), \\&(Hallway_i, Room_{2i - 1}), \\&(Hallway_i, Room_{2i}), \\&(Room_{2i - 1}, Room_{2i - 1}), \\&(Room_{2i - 1}, Hallway_i), \\&(Room_{2i}, Room_{2i}), \\&(Room_{2i}, Hallway_i)\} \end{aligned}$$

The following are the components of the specification, and note that all the safety conditions are expressed in LTL \(_f\) on all prefixes:

  • Nemo can only be found in the odd-numbered rooms. (environment safety condition)

    $$\begin{aligned} safe^1_{env} = \Box \left( \left( \bigwedge ^{n}_{i = 1} \lnot Room_{2i - 1}\right) \rightarrow \lnot SenseNemo \right) \end{aligned}$$

  • Nemo leaves a room if and only if the sensor has detected so in the previous timestep. (environment safety condition)

    $$\begin{aligned} safe^2_{env} = \Box ((&SenseNemo \wedge \bigvee ^{2n}_{i = 1} \left( Room_i \wedge \circ Room_i\right) ) \\&\rightarrow ( \circ SenseNemo \leftrightarrow \lnot NemoLeaving)) \end{aligned}$$

  • If Nemo is found in a room, then Nemo will stay in that room for at least one time step after it is found. (environment safety condition)

    $$\begin{aligned} safe^3_{env} = \Box ((&\lnot SenseNemo \wedge \circ SenseNemo\,\wedge \\&\bigvee ^{2n}_{i = 1} \left( \circ Room_i \wedge \circ \circ Room_i\right) ) \rightarrow \\& \circ \circ SenseNemo) \end{aligned}$$

  • If the rooms where Nemo appears are visited infinitely often, then Nemo is found infinitely often. (environment GR(1) condition)

    $$\begin{aligned} GR(1)_{env} = \left( \bigwedge ^{n}_{i = 1} \Box \Diamond Room_{2i - 1} \right) \rightarrow \Box \Diamond SenseNemo \end{aligned}$$

  • Only one region can be visited at a time. (agent safety condition)

    $$\begin{aligned} safe^1_{agn} = \Box \bigwedge _{r \in R} \left( r \rightarrow \bigwedge _{r' \ne r} \lnot r' \right) \end{aligned}$$

  • The robot can only move to a region that has a connection to the region it is currently in. (agent safety condition)

    $$\begin{aligned} safe^2_{agn} = \Box \bigwedge _{r \in R} \left( r \rightarrow \bigvee _{(r, r') \in T} \bullet r' \right) \end{aligned}$$

  • The camera should not be on if Nemo is not present to be recorded. (agent safety condition)

    $$\begin{aligned} safe^3_{agn} = \Box (\lnot SenseNemo \rightarrow \lnot CameraOn) \end{aligned}$$

  • The robot should get 3 timesteps worth of footage of Nemo. (agent task)

    $$\begin{aligned} task_{agn} = \Diamond (&SenseNemo \wedge CameraOn\,\wedge \\& \circ \Diamond (SenseNemo \wedge CameraOn\,\wedge \\& \circ \Diamond (SenseNemo \wedge CameraOn))) \end{aligned}$$

6.2.2 Workstation resupply

This example is based on the scenario presented in [26] of a robot responsible for resupplying workstations in a factory with parts from a stockroom, as illustrated in Fig. 2

Fig. 2
figure 2

Illustration of Workstation Resupply

Full size image

There are n stations that the robot needs to resupply. In order to resupply a station, the robot must first pick up a part from the stockroom, then bring it to the workstation. A workstation may be occupied, in which case the robot has to wait until it is vacated before going inside. The environment must guarantee that the workstations will be vacated infinitely often and that they won’t become occupied when the robot is already inside.

We use a map consisting of \(2n + 2\) regions. The set of regions R is represented by the output variables Stockroom, \(Station_1, \ldots , Station_n\), OutsideStockroom, \(OutsideStation_1, \ldots , OutsideStation_n\). We define the transition relation T as follows:

$$\begin{aligned} T =&(Stockroom, OutsideStockroom)\,\cup \\&(OutsideStockroom, Stockroom)\,\cup \\&\begin{aligned} \bigcup _{1 \le i \le n} \{&(Station_i, OutsideStation_i), \\&(OutsideStation_i, Station_i), \\&(OutsideStation_i, OutsideStockroom), \\&(OutsideStockroom, OutsideStation_i)\}\,\cup \end{aligned} \\&\bigcup _{1 \le i \le n} \bigcup _{1 \le j \le n} \{(OutsideStation_i, OutsideStation_j)\}\,\cup \\&\{(r, r) | r \in R\} \end{aligned}$$

The output variables also include PickUpPart and Resupply, representing the actions that the robot can take in the stockroom and workstations, respectively. The input variables are \(Occupied_1, \dots , Occupied_n\), which indicate if each workstation is occupied at a given point in time.

The following are the components of the specification, and note that all the safety conditions are expressed in LTL \(_f\) on all prefixes:

  • A station cannot become occupied after the robot is already inside. (environment safety condition)

    $$\begin{aligned} safe_{env} = \bigwedge ^n_{i=1} \Box (&(\lnot Occupied_i \wedge \circ Station_i) \rightarrow \\&\lnot \circ Occupied_i) \end{aligned}$$

  • Every workstation must be vacated infinitely often. (environment GR(1) condition)

    $$\begin{aligned} GR(1)_{env} = \Box \Diamond \top \rightarrow \left( \bigwedge ^n_{i = 1} \Box \Diamond \lnot Occupied_i\right) \end{aligned}$$

  • Only one region can be visited at a time. (agent safety condition)

    $$\begin{aligned} safe^1_ {ag} = \Box \bigwedge _{r \in R} \left( r \rightarrow \bigwedge _{r' \ne r} \lnot r' \right) \end{aligned}$$

  • The robot can only move to a region that has a connection to the region it is currently in. (agent safety condition)

    $$\begin{aligned} safe^2_ {ag} = \Box \bigwedge _{r \in R} \left( r \rightarrow \bigvee _{(r, r') \in T} \bullet r' \right) \end{aligned}$$

  • The robot cannot be in a station if it is occupied. (agent safety condition)

    $$\begin{aligned} safe^3_ {ag} = \Box \bigwedge ^n_{i = 1} \left( Occupied_i \rightarrow \lnot Station_i \right) \end{aligned}$$

  • The robot needs to be inside the stockroom to pick up a part. (agent safety condition)

    $$\begin{aligned} safe^4_ {ag} = \Box \left( PickUpPart \rightarrow Stockroom\right) \end{aligned}$$

  • The robot needs to be inside a station to resupply. (agent safety condition)

    $$\begin{aligned} safe^5_ {ag} = \Box \left( Resupply \rightarrow \bigvee ^n_{i=1} Station_i\right) \end{aligned}$$

  • The robot can only resupply a station if it has picked up a part since last resupplying. Intuitively, this also requires that whenever Resupply holds, it only holds for one time step. (agent safety condition)Footnote 2

    $$\begin{aligned} safe^6_ {ag} = \Diamond (\textit{last}&\wedge Resupply) \rightarrow \\ (\Diamond (&PickUpPart\,\wedge \\&\lnot Resupply\,\mathop {\mathcal {U}}\,(\textit{last}\wedge Resupply))) \end{aligned}$$

  • The robot should resupply all workstations. (agent task)

    $$\begin{aligned} task_ {ag} = \bigwedge ^n_{i = 1} \Diamond (Resupply \wedge Station_i) \end{aligned}$$

6.3 Empirical evaluation

In this section, we describe in detail the techniques that allow us to compare GFSynth against a state-of-the-art LTL synthesis tool Strix [27], the winner of the LTL-synthesis track of the synthesis competition SYNTCOMP 2020 [28], using it as the baseline of comparison to our tool. Note that since our benchmarks assume that the agent moves first, while Strix assumes the environment moves first, we had to slightly modify the specifications by adding a \( \circ \) before all variables controlled by the environment, a transformation that essentially corresponds to ignoring the first move by the environment.

Consider synthesis problem \({\mathcal {P}}= \langle {\mathcal {X}}, {\mathcal {Y}}, \textit{Env}, Goal \rangle \), the alternative approach of reducing to LTL synthesis exists regarding different configurations of \(\textit{Env}\) and Goal, as shown in Sects. 3 and 5. In particular, when considering both GR(1) and environment safety conditions (no agent safety conditions), there exists a linear time reduction to LTL synthesis. However, for the case of adding also agent safety conditions, although the reduction to LTL synthesis works, there is no naive reduction to LTL synthesis. This is because there is no known linear translation from an arbitrary \(\varphi _{safe}^{a}\) directly to LTL \(_f\) or LTL. Nevertheless, in both of benchmarks Finding Nemo and Workstation Resupply, we are able to obtain an equivalent LTL \(_f\) formula by analyzing the properties specified by \(\varphi _{safe}^{a}\). We now elaborate their details.

6.3.1 Reduction to LTL synthesis with proposed benchmarks

Suppose \(\textit{Env}= \langle \varphi _{GR(1)}^e, \varphi _{safe}^e\rangle \) and \(Goal = \langle \varphi _{task}^{a}, \varphi _{safe}^{a}\rangle \), where \(\varphi _{safe}^{a}\) is expressed in LTL \(_f\) on all prefixes. Note that in both of benchmarks Finding Nemo and Workstation Resupply, \(\varphi _{safe}^{a}\) is a conjunction over smaller safety conditions \(safe^*_ {ag} \). Basically, \(safe^*_ {ag} \) is specified in one of the following three patterns, where \(\beta \) denotes a propositional formula:

  1. 1.

    \(safe^*_ {ag} = \Box (\beta )\)

  2. 2.

    \(safe^*_ {ag} = \Box (\beta \rightarrow \bigvee _{i} \bullet \beta _i)\)

  3. 3.

    \(safe^*_ {ag} = \Diamond (\textit{last}\wedge Resupply) \rightarrow (\Diamond (PickUpPart\,\wedge \lnot Resupply\,\mathop {\mathcal {U}}\,(\textit{last}\wedge Resupply)))\)

We now describe the corresponding equivalent LTL \(_f\) formula \({safe^*_ {ag} }'\) that accepts the same language as each pattern of \(safe^*_ {ag} \):

  1. 1.

    \({safe^*_ {ag} }' = \Box (\beta )\) (no changes)

  2. 2.

    \({safe^*_ {ag} }' = \Box (\beta \rightarrow \bigvee _{i} \bullet \beta _i)\) (no changes)

  3. 3.

    \({safe^*_ {ag} }' = ((\lnot Resupply) \mathop {{\mathcal {W}}}PickUpPart) \wedge \Box (Resupply \rightarrow ( \bullet ((\lnot Resupply) \mathop {{\mathcal {W}}}PickUpPart)))\)

The equivalence between each pattern of \(safe^*_ {ag} \) of the corresponding LTL \(_f\) formula \({safe^*_ {ag} }'\) can be shown by comparing the corresponding DAs respectively. It is worth noting that, we only consider finite safety of agent safety conditions. Therefore, we reload the definition of DA in Sect. 2 with finite-trace interpretation. Basically, the reachability condition is reloaded as \({{\text {Reach}}} (T)= \{ s_0 s_1 s_2 \ldots s_k \in S^* | s_k \in T\}\) requires that the run of finite trace \(\pi \) on \({\mathcal {D}}\) ends in T. The safety condition is reloaded as \({{\text {Safe}}} (T)= \{ s_0 s_1 s_2 \ldots s_k | \forall 0 \le i \le k: s_i \in T\}\) requires that the run of finite trace \(\pi \) on \({\mathcal {D}}\) only visits states in T.

We now show how to obtain a DA of an LTL \(_f\) formula on all prefixes. Consider formula \(safe^*_ {ag} \) on all prefixes. In order to obtain a DA \({\mathcal {D}}\) such that \(\pi \) is accepted by \({\mathcal {D}}\) iff \(\pi \models _\forall safe^*_ {ag} \), we proceed as follows:

  1. 1.

    Construct the DA \({\mathcal {A}} = (\Sigma , S, s_0, \delta , {{\text {Reach}}} (T))\) such that \(\pi \) is accepted by \({\mathcal {A}}\) iff \(\pi \models safe^*_ {ag} \).

  2. 2.

    We construct \({\mathcal {D}}=(\Sigma , S, s_0, \delta ', {{\text {Safe}}} (T))\) based on \({\mathcal {A}} = (\Sigma , S', s_0, \delta , {{\text {Reach}}} (T))\) as follows. Note that a sink state is a non-accepting state that has only one outgoing edge but going back to itself.

    • \(S' = {\left\{ \begin{array}{ll} S &{}\hbox { if there is a sink state in}\ {\mathcal {A}} \\ S \cup \{sink\} &{}\hbox { if there is no sink state in}\ {\mathcal {A}} \end{array}\right. }\)

    • \(\delta '(s, \sigma ) = {\left\{ \begin{array}{ll} sink &{}\hbox { if}\ \delta (s, \sigma ) \notin T \\ \delta (s, \sigma ) &{}\hbox { if}\ \delta (s, \sigma ) \in T \end{array}\right. }\)

Consider an arbitrary trace \(\pi \in \Sigma ^*\). By the construction of \({\mathcal {D}}\), \(\pi \) is accepted by \({\mathcal {D}}\) iff the corresponding run of \(\pi \) only visits T. That is, for every \(0 \le k < \mid \pi \mid \), the corresponding run of \(\pi _0, \ldots , \pi _k\) ends in T, and therefore \(\pi _0, \ldots , \pi _k \models \varphi \). By definition, \(\pi \models _\forall safe^*_ {ag} \).

The DA \({\mathcal {D}}'\) of the corresponding LTL \(_f\) formula \({safe^*_ {ag} }' \) can be achieved directly using existing LTL \(_f\)-to-DA tools [21]. By checking the equivalence between the DA \({\mathcal {D}}\) and the DA \({\mathcal {D}}'\), we can address the equivalence check between LTL \(_f\) formula \({safe^*_ {ag} }\) over all prefixes and LTL \(_f\) formula \({safe^*_ {ag} }'\).

We now can reduce to LTL synthesis following the subsequent steps described in Sect. 5.1.2.

Baseline and Experiment Setup. All tests were run on a computer cluster. Each test had exclusive access to a node with Intel(R) Xeon(R) CPU E5-2650 v2 processors running at 2.60GHz. Time out was set to two hours (7200 s).

Correctness. Our implementation was verified by comparing the results returned by GFSynth with those from Strix. No inconsistency encountered for the solved cases.

6.3.2 Results

We compared GFSynth against Strix by performing an end-to-end (from specification to winning strategy if realizable) comparison experiment over the benchmarks described in Sect. 6.2. Comparison on both classes of benchmarks show that GFSynth outperforms Strix.

Fig. 3
figure 3

Benchmark Finding Nemo

Full size image
Fig. 4
figure 4

Benchmark Workstation Resupply

Full size image

Figures 3 and 4 show the running time of GFSynth and Strix on both benchmarks, respectively. The x-axis indicates the value of the scalable parameter n for each benchmark. The y-axis is in \(\log \) scale. Results of cases on which both tools failed are not shown. For benchmark Finding Nemo, in small cases where \(n \le 2\), there is no large gap in the time cost. However, as n grows, the time cost of GFSynth increases linearly, while the time cost of Strix increases exponentially. Regarding benchmark Workstation Resupply, the exponential gap is not so obvious. Nevertheless, as the benchmark grows, Strix almost always takes around 10 times longer than GFSynth. Strix also failed for \(n=5\).

7 Related work

There has been extensive studies on the problem of LTL \(_f\) synthesis under environment specifications. The paper [29] introduces environment specifications in LTL making the observation that even if the agent goal is expressed in LTL \(_f\) the environment specifications should be expressed in LTL on infinite traces, since it is the agent and not the environment that decides when to stop. This observation was already implicit in earlier works [9, 10] on planning for LTL \(_f\) goals (the planning domain can be considered as environment safety specifications), indeed in FOND planning the environment fairness specification of FOND is already on infinite traces, but [12] spells this point out in details. [12] also gives a reduction of the LTL \(_f\) synthesis under environment specifications problem to LTL synthesis and a specific technique to work with environment safety and co-safety specifications. Interestingly, environment specifications were also studied in [11, 30] and then in [15] under the perspective of seeing environment specifications as sets of environment strategies.

In [31] one of the bases of our technique was developed: create the game arena out of the LTL \(_f\) goals, and impose on that arena simple fairness and stability conditions, both subsumed by GR(1). Note, however, that in general the arena built from the LTL \(_f\) formula must be combined with the arena coming from the environment specifications, and if expressed in LTL this will lead to solving a parity game, but above all the construction of the arena for the LTL part will require determinization of Büchi automata for which we have no scalable algorithms. This is spelled out in [16].

In this paper, we consider as environment specifications only safety conditions and GR(1) formulas, again avoiding Büchi determinization. GR(1) has been used before in synthesis/planning to specify temporally extended goal on infinite traces, e.g., in [32], or in fact much earlier in [29, 33]. Here instead we are using GR(1) for the environment specifications, while keeping the goal on finite traces in LTL \(_f\). In this way we take advantage of the two most successful cases in synthesis, namely GR(1) and LTL \(_f\).

8 Conclusion and future work

In this paper, we brought together the two most successful stories in LTL synthesis, GR(1) and LTL \(_f\), obtaining a form of reactive synthesis which is highly expressive yet still scalable. More specifically, we studied the problem in the form of LTL \(_f\) synthesis under environment specifications, where the environment specification is expressed as a GR(1) formula, and the agent task is specified as an LTL \(_f\) formula. Our approach bases on a reduction to GR(1) game, where the game arena only derivates from the LTL \(_f\) part, and the game winning condition comes from by the GR(1) part. In particular, the crux of the reduction is that we aim to obtaining a winning strategy of the antagonist of the GR(1) game, which, in fact, leads to solving a dual GR(1) game. Moreover, we enriched the problem setting by allowing safety conditions on both players. To do so, we first presented a different way of specifying safety properties via LTL \(_f\) formulas, which is able to cover all first-order expressible safety properties, and provide a natural way of expressing safety properties. We showed that, with additional safety conditions on both players, our synthesis approach of reducing to GR(1) game stills works. Finally, we integrated our approach in a tool GFSynth, and proved its efficiency through empirical evaluations.

Looking deeper into GFSynth, we observed that on those cases where GFSynth fails, the automata can not be constructed by the MONA library employed by Syft for automata construction from LTL \(_f\). There have been various studies on LTL \(_f\)-to-automata translation. Possibly the most successful attempt is the compositional approach presented in [34, 35]. For future work, we will take this approach into account to improve GFSynth.