1 Introduction

Reactive synthesis [30, 31] is the problem of automatically producing a system that is guaranteed to model a given temporal specification, where the Boolean variables (i.e., atomic propositions) are split into variables controlled by the environment and variables controlled by the system. Realizability is the related decision problem of deciding whether such a system exists. These problems have been widely studied [17, 21], specially in the domain of Linear Temporal Logic (LTL) [29]. Realizability corresponds to infinite games where players alternatively choose the valuations of the Boolean variables they control. The winning condition is extracted from the temporal specification and determines which player wins a given play. A system is realizable if and only if the system player has a winning strategy, i.e., if there is a way to play such that the specification is satisfied in all plays played according to the strategy.

However, in practice, many real and industrial specifications use complex data beyond Boolean atomic propositions, which precludes the direct use of realizability tools. These specifications cannot be written in (propositional) LTL, but instead use literals from a richer domain. We use \(LTL _{\mathcal {T}} \) for the extension of LTL where Boolean atomic propositions can be literals from a (multi-sorted) first-order theory \(\mathcal {T}\). The \(\mathcal {T} \) variables (i.e., non-Boolean) in the specification are again split into those controlled by the system and those controlled by the environment. The resulting realizability problem also corresponds to infinite games, but, in this case, players chose valuations from the domains of \(\mathcal {T} \), which may be infinite. Therefore, arenas may be infinite and positions may have infinitely many successors. In this paper, we present a method that transforms a specification that uses data from a theory \(\mathcal {T} \) into an equi-realizable Boolean specification. The resulting specification can then be processed by an off-the-shelf realizability tool.

The main element of our method is a novel Boolean abstraction method, which allows to transform \(LTL _{\mathcal {T}}\) specifications into pure (Boolean) LTL specifications. The method first substitutes all \(\mathcal {T} \) literals by fresh Boolean variables controlled by the system, and then extends the specification with an additional sub-formula that constrains the combination values of these variables. This method is described in Sect. 3. The main idea is that, after the environment selects values for its (data) variables, the system responds with values for the variables it controls, which induces a Boolean value for all the literals. The additional formula we compute captures the set of possible valuations of literals and the precise power of each player to produce each valuation.

Example 1

Consider the following specification \(\varphi = \square (R_0 \wedge R_1)\), where:

figure a

where x is a numeric variable that belongs to the environment and y to the system. In the game corresponding to this specification, each player has an infinite number of choices at each time step. For example, in \(\mathcal {T}_\mathbb {Z}\) (the theory of integers), the environment player chooses an integer for x and the system responds with an integer for y. This induces a valuation of all literals in the formula, which in turn induces (also considering the valuations of the literals at other time instants, according to the temporal operators) a valuation of the full specification.

In this paper, we exploit that, from the point of view of the valuations of the literals, there are only finitely many cases and provide a systematic manner to compute these cases. This allows us to reduce a specification into a purely Boolean specification that is equi-realizable. This specification encodes the (finite) set of decisions of the environment, and the (finite) set of reactions of the system.    \(\square \)

Example 1 suggests a naive algorithm to capture the powers of the environment and system to determine a combination of the valuations of the literals, by enumerating all these combinations and checking the validity of each potential reaction. Checking that a given combination is a possible reaction requires an \(\exists ^*\forall ^*\) query (which can be delegated to an SMT solver for appropriate theories).

In this paper, we describe and prove correct a Boolean abstraction method based on this idea. Then, we propose a more efficient search method for the set of possible reactions using SAT solving to speed up the exploration of the set of reactions. The main idea of this faster method is to learn from an invalid reaction which other reactions are guaranteed to be invalid, and from a valid reaction which other reactions are not worth being explored. We encode these learnt sets as a incremental SAT formula that allows to prune the search space. The resulting method is much more efficient than brute-force enumeration because, in each iteration, the learning can prune an exponential number of cases. An important technical detail is that computing the set of cases to be pruned from the outcome of a given query can be described efficiently using a SAT solver.

In summary, our contributions are: (1) a proof that realizability is decidable for all \(LTL _{\mathcal {T}}\) specifications for those theories \(\mathcal {T} \) with a decidable \(\exists ^*\forall ^*\) fragment; (2) a simple implementation of the resulting Boolean abstraction method; (3) a much faster method based on a nested-SAT implementation of the Boolean abstraction method that efficiently explores the search space of potential reactions; and (4) an empirical evaluation of these algorithms, where our early findings suggest that Boolean abstractions can be used with specifications containing different arithmetic theories, and also with industrial specifications. We used Z3 [10] both as an SMT solver and a SAT solver, and Strix [27] as the realizability checker. To the best of our knowledge, this is the first method that succeeds (and efficiently) in non-Boolean LTL realizability.

2 Preliminaries

We study realizability of LTL [26, 29] specifications. The syntax of LTL is:

figure b

where a ranges from an atomic set of proposition \(\textsf{AP} \), \(\vee \), \(\wedge \) and \(\lnot \) are the usual Boolean disjunction, conjunction and negation, and and \(\mathbin {\mathcal {U}}\) are the next and until temporal operators. The semantics of LTL associate traces \(\sigma \in \varSigma ^\omega \) with formulae as follows:

figure d

We use common derived operators like \(\vee \), \(\mathcal {R} \), \(\diamond \) and \(\square \).

Reactive synthesis [4, 5, 14, 28, 33] is the problem of producing a system from an LTL specification, where the atomic propositions are split into propositions that are controlled by the environment and those that are controlled by the system. Synthesis corresponds to a turn-based game where, in each turn, the environment produces values of its variables (inputs) and the system responds with values of its variables (outputs). A play is an infinite sequence of turns. The system player wins a play according to an LTL formula \(\varphi \) if the trace of the play satisfies \(\varphi \). A (memory-less) strategy of a player is a map from positions into a move for the player. A play is played according to a strategy if all the moves of the corresponding player are played according to the strategy. A strategy is winning for a player if all the possible plays played according to the strategy are winning.

Depending on the fragment of LTL used, the synthesis problem has different complexities. The method that we present in this paper generates a formula in the same temporal fragment as the original formula (e.g., starting from a safety formula another safety formula is generated). The generated formula is discharged into a solver capable to solve formulas in the right fragment. For simplicity in the presentation, we illustrate our method with safety formulae.

We use \(LTL _{\mathcal {T}} \) as the extension of LTL where propositions are replaced by literals from a first-order theory \(\mathcal {T} \). In realizability for \(LTL _{\mathcal {T}} \), the variables that occur in the literals of a specification \(\varphi \) are split into those variables controlled by the environment (denoted by \(\overline{v}_e\)) and those controlled by the system (\(\overline{v}_s\)), where \(\overline{v}_e\cap \overline{v}_s= \emptyset \). We use \(\varphi (\overline{v}_e,\overline{v}_s)\) to remark that \(\overline{v}_e\cup \overline{v}_s\) are the variables occurring in \(\varphi \). The alphabet \(\varSigma _{\mathcal {T}}\) is now a valuation of the variables in \(\overline{v}_e\cup \overline{v}_s\). A trace is an infinite sequence of valuations, which induces an infinite sequence of Boolean values of the literals occurring in \(\varphi \) and, in turn, a valuation of the temporal formula.

Realizability for \(LTL _{\mathcal {T}} \) corresponds to an infinite game with an infinite arena where positions may have infinitely many successors if the ranges of the variables controlled by the system and the environment are infinite. For instance, in Ex. 1 with \(\mathcal {T} =\mathcal {T}_\mathbb {Z}\), valuation ranges over infinite values, and literal \((x \ge 2)\) can be satisfied with \(x=2\), \(x=3\), etc.

Arithmetic theories are a particular class of first-order theories. Even though our Boolean abstraction technique is applicable to any theory with a decidable \(\exists ^*\forall ^*\) fragment, we illustrate our technique with arithmetic specifications. Concretely, we will consider \(\mathcal {T} _{\mathbb {Z}}\) (i.e., linear integer arithmetic) and \(\mathcal {T} _{\mathbb {R}}\) (i.e., non-linear real arithmetic). Both theories have a decidable \(\exists ^*\forall ^*\) fragment. Note that the choice of the theory influences the realizability of a given formula.

Example 2

Consider Ex. 1. The formula \(\varphi :=R_0\mathrel {\wedge }R_1\) is not realizable for \(\mathcal {T} _{\mathbb {Z}}\), since, if at a given instant t, the environment plays \(x=0\) (and hence \(x<2\) is true), then y must be greater than 1 at time \(t+1\). Then, if at \(t+1\) the environment plays \(x=2\) then \((x\ge 2)\) is true but there is no y such that both \((y>1)\) and \((y<2)\). However, for \(\mathcal {T} _{\mathbb {R}}\), \(\varphi \) is realizable (consider the system strategy to always play \(y=1.5\)).

The following slight modifications of Ex. 1 alters its realizability (\(R_1'\) substitutes \(R_1\) by having the \(\mathcal {T} \)-predicate \(y{}\le x\) instead of \(y<x\)):

figure e

Now, \(\varphi ' = \square (R_0 \wedge R_1')\) is realizable for both \(\mathcal {T} _{\mathbb {Z}}\) and \(\mathcal {T} _{\mathbb {R}}\), as the strategy of the system to always pick \(y=2\) is winning in both theories.   \(\square \)

3 Boolean Abstraction

We solve the realizability problem modulo theories by transforming the specification into an equi-realizable Boolean specification. Given a specification \(\varphi \) with literals \(l_i\), we get a new specification \(\varphi [l_i \leftarrow s_i] \wedge \square \varphi ^{\textit{extra}} \), where \(s_i\) are fresh Boolean variables and \(\varphi ^{\textit{extra}} \in LTL _{\mathbb {B}} \) is a Boolean formula (without temporal operators). The additional sub-formula \(\varphi ^{\textit{extra}} \) uses the freshly introduced variables \(s_i\) controlled by the system, as well as additional Boolean variables controlled by the environment \(\overline{e}\), and captures the precise combined power of the players to decide the valuations of the literals in the original formula. We call our approach Booleanization or Boolean abstraction. The approach is summarized in Fig. 1: given an LTL specification \(\varphi _{\mathcal {T}} \), it is translated into a Boolean \(\varphi _{\mathbb {B}} \) which can be analyzed with off-the-shelf realizability checkers. Note that \(\mathcal {G}^{\mathbb {B}}\) and \(\mathcal {G}^{\mathcal {T}}\) are the games constructed from specifications \(\varphi _{\mathbb {B}} \) and \(\varphi _{\mathcal {T}} \), respectively. Also, note that [20] shows that we can construct a game \(\mathcal {G}\) from a specification \(\varphi \) and that \(\varphi \) is realizable if and only if \(\mathcal {G}\) is winning for the system.

Fig. 1.
figure 1

The tool chain with the correctness argument.

Full size image

The Booleanization procedure constructs an extra requirement \(\varphi ^{\textit{extra}} \) and conjoins \(\square \varphi ^{\textit{extra}} \) with the formula \(\varphi [l_i \leftarrow s_i]\). In a nutshell, after the environment chooses a valuation of the variables it controls (including \(\overline{e}\)), the system responds with valuations of its variables (including \(s_i\)), which induces a Boolean value for all literals. Therefore, for each possible choice of the environment, the system has the power to choose a Boolean response among a specific collection of responses (a subset of all the possible combinations of Boolean valuations of the literals). Since the set of all possible responses is finite, so are the different cases. The extra requirement captures precisely the finite collection of choices of the environment and the resulting finite collection of responses of the system for each case.

3.1 Notation

In order to explain the construction of the extra requirement, we introduce some preliminary definitions. We will use Ex. 1 as the running example.

A literal is an atom or its negation, regardless of whether the atom is a Boolean variable or a predicate of a theory. Let \( Lit (\varphi )\) be the collection of literals that appear in \(\varphi \) (or \( Lit \), if the formula is clear from the context). For simplicity, we assume that all literals belong the same theory, but each theory can be Booleanized in turn, as each literal belongs to exactly one theory and we assume in this paper that literals from different theories do not share variables. We will use \(\overline{x}\) as the environment controlled variables occurring in \( Lit (\varphi )\) and \(\overline{y}\) for the variables controlled by the system.

In Ex. 1, we first translate the literals in \(\varphi \). Since \((x<2)\) is equivalent to \(\lnot (x \ge 2)\), we use a single Boolean variable for both. The substitutions is:

figure f

After the substitution we obtain \(\varphi '' = \square (R_0^{\mathbb {B}} \wedge R_1^{\mathbb {B}})\) where

figure g

Note that \(\varphi ''\) may not be equi-realizable to \(\varphi \), as we may be giving too much power to the system if \(s_0\), \(s_1\) and \(s_2\) are chosen independently without restriction. Note that \(\varphi ''\) is realizable, for example by always choosing \(s_1\) and \(s_2\) to be true, but \(\varphi \) is not realizable in \(\textit{LTL}_{\mathcal {T}_\mathbb {Z}}\). This justifies the need of an extra sub-formula.

Definition 1 (Choice)

A choice \(c\subseteq Lit (\varphi )\) is a subset of the literals of \(\varphi \).

The intended meaning of a choice is to capture what literals are true in the choice, while the rest (i.e., \( Lit \setminus {}c\)) are false. Once the environment picks values for \(\overline{x} \), the system can realize some choice c by selecting \(\overline{y} \) and making the literals in c true (and the rest false). However, for some values of \(\overline{x} \), some choices may not be possible for the system for any \(\overline{y} \). Given a choice c, we use \(f(c(\overline{x},\overline{y}))\) to denote the formula:

$$\begin{aligned} \bigwedge _{l\in c} l \wedge \bigwedge _{l \notin c} \lnot l \end{aligned}$$

which is a formula with variables \(\overline{x} \) and \(\overline{y} \) that captures logically the set of values of \(\overline{x} \) and \(\overline{y} \) that realize precisely choice c. We use \(\mathcal {C} \) for the set of choices. Note that there are \(|\mathcal {C} |=2^{| Lit |}\) different choices. We call the elements of \(\mathcal {C} \) choices because they may be at the disposal of the system to choose by picking the right values of its variables.

A given choice c can act as potential (meaning that the response is possible) or as antipotential (meaning that the response is not possible). A potential is a formula (that depends only on \(\overline{x}\)) that captures those values of \(\overline{x} \) for which the system can respond and make precisely the literals in c true (and the rest of the literals false). The negation of the potential (i.e., an antipotential) captures precisely those values of \(\overline{x} \) for which there are no values of \(\overline{y} \) that lead to c.

Definition 2 (Potential and Antipotential)

Given a choice c, a potential is the following formula \(c^p\) and an antipotential is the following formula \(c^a\):

$$ c^p(\overline{x}) = \exists \overline{y}.f(c(\overline{x},\overline{y})) c^a(\overline{x}) = \forall \overline{y}.\lnot {}f(c(\overline{x},\overline{y})) $$

Example 3

We illustrate two choices for Ex. 1. Consider choices \(c_0=\{(x<2), (y>1), (y<x)\}\) and \(c_1=\{(x<2),(y>1)\}\). Choice \(c_0\) corresponds to \(f(c_0) = (x<2) \wedge (y>1) \wedge (y<x)\), that is, literals \((x<2)\), \((y>1)\) and \((y<x)\) are true. Choice \(c_1\) corresponds to \(f(c_1) =(x<2) \wedge (y>1) \wedge (y \ge x)\), that is, literals \((x<2)\) and \((y>1)\) being true and \((y < x)\) being false (i.e., \((y \ge x)\) being true). It is easy to see the meaning of \(c_2\), \(c_3\) etc. Then, the potential and antipotential formulae of e.g., choices \(c_0\) and \(c_1\) from Ex. 1 are as follows:

$$ \begin{array}{l@{}l} c_0^p = \exists y . (x<2) \mathrel {\wedge }(y>1) \mathrel {\wedge }(y<x) &{} c_0^a = \forall y . \lnot \big ( (x<2) \mathrel {\wedge }(y>1) \mathrel {\wedge }(y<x)\big ) \\ c_1^p = \exists y . (x<2) \mathrel {\wedge }(y>1) \mathrel {\wedge }(y \ge x) &{} c_1^a = \forall y . \lnot \big ((x<2) \mathrel {\wedge }(y>1) \mathrel {\wedge }(y \ge x)\big ) \end{array} $$

Note that potentials and antipotentials have \(\overline{x} \) as the only free variables.    \(\square \)

Depending on the theory, the validity of potentials and antipotentials may be different. For instance, consider \(c_0^p\) and theories \(\mathcal {T}_{\mathbb {Z}}\) and \(\mathcal {T}_{\mathbb {R}}\):

  • In \(\mathcal {T}_{\mathbb {Z}}\): \(\exists y . (x<2) \wedge (y>1) \wedge (y<x)\) is equivalent to false.

  • In \(\mathcal {T}_{\mathbb {R}}\): \(\exists y . (x<2) \wedge (y>1) \wedge (y<x)\) is equivalent to \((x<2)\).

These equivalences can be obtained using classic quantifier elimination procedures, e.g., with Cooper’s algorithm [9] for \(\mathcal {T}_{\mathbb {Z}}\) and Tarski’s method [32] for \(\mathcal {T}_{\mathbb {R}}\).

A reaction is a description of the specific choices that the system has the power to choose.

Definition 3 (Reaction)

Let P and A be a partition of \(\mathcal {C} \) that is: \(P \subseteq \mathcal {C} \), \(A\subseteq \mathcal {C} \), \(P\cap A=\emptyset \) and \(P\cup A=\mathcal {C} \). The reaction \(\textit{react}_{(P,A)}\) is as follows:

$$ \textit{react}_{(P,A)}(\overline{x}) \,{\mathop {=}\limits ^{\text {def}}}\,\bigwedge _{c \in P} c^p \wedge \bigwedge _{c \in A} c^a $$

The reaction \(\textit{react}_{(P,A)}\) is equivalent to:

$$ \textit{react}_{(P,A)}(\overline{x}) = \bigwedge _{c \in P} \big (\exists \overline{y}. f(c(\overline{x},\overline{y}))\big ) \wedge \bigwedge _{c \in A} \big (\forall \overline{y}.\lnot f(c(\overline{x},\overline{y}))\big ). $$

There are \(2^{2^{| Lit |}}\) different reactions.

A reaction r is called valid whenever there is a move of the environment for which r captures precisely the power of the system, that is exactly which choices the system can choose. Formally, a reaction is valid whenever \(\exists \overline{x}. r(\overline{x})\) is a valid formula. We use \(\mathcal {R} \) for the set of reactions and \(\textit{VR}\) for the set of valid reactions. It is easy to see that, for all possible valuations of \(\overline{x} \) the environment can pick, the system has a specific power to respond (among the finitely many cases). Therefore, the following formula is valid:

$$ \varphi _{\textit{VR}}=\forall \overline{x}.\bigvee _{r\in \textit{VR}}r(\overline{x}). $$

Example 4

In Ex. 1, for theory \(\mathcal {T}_{\mathbb {Z}}\), we find there are two valid reactions (using choices from Ex. 3):

$$ \begin{array}{rcl} r_1 &{} : &{} \exists x .c_0^a \mathrel {\wedge }c_1^p \mathrel {\wedge }c_2^p \mathrel {\wedge }c_3^p \mathrel {\wedge }c_4^a \mathrel {\wedge }c_5^a \mathrel {\wedge }c_6^a \mathrel {\wedge }c_7^a \\ r_2 &{} : &{} \exists x . c_0^a \mathrel {\wedge }c_1^a \mathrel {\wedge }c_2^a \mathrel {\wedge }c_3^a \mathrel {\wedge }c_4^a \mathrel {\wedge }c_5^p \mathrel {\wedge }c_6^p \mathrel {\wedge }c_7^a, \end{array} $$

where reaction \(r_1\) models the possible responses of the system after the environment picks a value for x with \((x<2)\), whereas \(r_2\) models the responses to \((x \ge 2)\). On the other hand, for \(\mathcal {T}_{\mathbb {R}}\), there are three valid reactions:

$$ \begin{array}{rcl} r_1 &{} : &{} \exists x. c_0^a \wedge c_1^p \wedge c_2^p \wedge c_3^p \wedge c_4^a \wedge c_5^a \wedge c_6^a \wedge c_7^a \\ r_2 &{} : &{} \exists x. c_0^p \wedge c_1^p \wedge c_2^p \wedge c_3^a \wedge c_4^a \wedge c_5^a \wedge c_6^a \wedge c_7^a \\ r_3 &{} : &{} \exists x . c_0^a \wedge c_1^a \wedge c_2^a \wedge c_3^a \wedge c_4^p \wedge c_5^p \wedge c_6^p \wedge c_7^a \end{array} $$

Note that there is one valid reaction more, since in \(\mathcal {T}_{\mathbb {R}}\) there is one more case: \(x\in (1,2]\). Also, note that \(c_4\) cannot be a potential in \(\mathcal {T}_{\mathbb {Z}}\) (not even with a collaboration between environment and system), whereas it can in \(\mathcal {T}_{\mathbb {R}}\).    \(\square \)

3.2 The Boolean Abstraction Algorithm

Boolean abstraction is a method to compute \(\varphi _{\mathbb {B}} \) from \(\varphi _{\mathcal {T}} \). In this section we describe and prove correct a basic brute-force version of this method, and later in Sect. 4, we present faster algorithms. All Boolean abstraction algorithms that we present on this paper first compute the extra requirement, by visiting the set of reactions and computing a subset of the valid reactions that is sufficient to preserve realizability. The three main building blocks of our algorithms are (1) the stop criteria of the search for reactions; (2) how to obtain the next reaction to consider; and (3) how to modify the current set of valid reactions (by adding new valid reactions to it) and the set of remaining reactions (by pruning the search space). Finally, after the loop, the algorithm produces as \(\varphi ^{\textit{extra}}\) a conjunction of cases, one per valid reaction (PA) in \(\textit{VR}\).

figure h

We introduce a fresh variable \(e_{(P,A)}\), controlled by the environment for each valid reaction (PA), to capture that the environment plays values for \(\overline{x}\) that correspond to the case where the system is left with the power to choose captured precisely by (PA). Therefore, there is one additional environment Boolean variable per valid reaction (in practice we can enumerate the number of valid reactions and introduce only a logarithmic number of environment variables). Finally, the extra requirement uses P for each valid reaction (PA) to encode the potential moves of the systems as a disjunction of the literals described by each choice in P. Each of these disjunction contains precisely the combinations of literals that are possible for the concrete case that (PA) captures.

A brute-force algorithm that implements Boolean abstraction method by exhaustively searching all reactions is shown in Algorithm 1. The building blocks of this algorithm are:

  1. (1)

    It stops when the remaining set of reactions is empty.

  2. (2)

    It traverses the set \(\mathcal {R} \) according to some predetermined order.

  3. (3)

    To modify the set of valid reactions, if (PA) is valid it adds (PA) to the set VR (line 7). To modify the set of remaining reactions, it removes (PA) from the search.

Finally, the extra sub-formula \(\varphi ^{\textit{extra}}\) is generated by getExtra (line 8) defined as follows:

$$ \textit{getExtra}(\textit{VR}) = \bigwedge _{(P,A)\in \textit{VR}} (e_{(P,A)} \rightarrow \bigvee _{c\in P} (\bigwedge _{l_i\in c}s_i\mathrel {\wedge }\bigwedge _{l_i\notin c}\lnot s_i)) $$

Note that there is an \(\exists ^*\forall ^*\) validity query in the body of the loop (line 6) to check whether the candidate reaction is valid. This is why decidability of the \(\exists ^*\forall ^*\) fragment is crucial because it captures the finite partitioning of the environment moves (which is existentially quantified) for which the system can react in certain ways (i.e., potentials, which are existentially quantified) by picking appropriate valuations but not in others (i.e., antipotentials, which are universally quantified). In essence, the brute-force algorithm iterates over all the reactions, one at a time, checking whether each reaction is valid or not. In case the reaction (characterized by the set of potential choicesFootnote 1) is valid, it is added to \(\textit{VR} \).

Example 5

Consider again the specification in Ex. 1, with \(\mathcal {T}_\mathbb {Z}\) as theory. Note that the valid reactions are \(r_1\) and \(r_2\), as shown in Ex. 4, where the potentials of \(r_1\) are \(\{c_1,c_2,c_3\}\) and the potentials of \(r_2\) are \(\{c_5,c_6\}\). Now, the creation of \(\varphi ^{\textit{extra}} \) requires two fresh variables \(d_0\) and \(d_1\) for the environment (they correspond to environment decisions \((x<2)\) and \((x \ge 2)\), respectively), resulting into:

$$\begin{aligned} \varphi ^{\textit{extra}}_{\mathcal {T}_{\mathbb {Z}}} : \begin{pmatrix} \begin{array}{rcl} d_0 &{} \mathrel {\rightarrow }&{} \big ( (s_0 \mathrel {\wedge }s_1 \mathrel {\wedge }\lnot s_2) \mathrel {\vee }(s_0 \mathrel {\wedge }\lnot s_1 \mathrel {\wedge }s_2) \mathrel {\vee }(s_0 \mathrel {\wedge }\lnot {}s_1 \mathrel {\wedge }\lnot s_2) \big ) \\ &{}\mathrel {\wedge }&{} \\ d_1 &{}\mathrel {\rightarrow }&{}\big ( (\lnot {}s_0 \mathrel {\wedge }s_1 \mathrel {\wedge }\lnot s_2 )\mathrel {\vee }(\lnot {}s_0 \mathrel {\wedge }\lnot {}s_1 \mathrel {\wedge }s_2)\big ) \end{array} \end{pmatrix} \end{aligned}$$

For example \(c_2=\{s_0\}\) is a choice that appears as potential in valid reaction \(r_1\), so it appears as a disjunct of \(d_0\) as \((s_0\mathrel {\wedge }\lnot {}s_1\mathrel {\wedge }\lnot {}s_2)\). The resulting Booleanized specification \(\varphi _{\mathbb {B}} \) is as follows:

$$ \varphi ^{\mathbb {B}}_{\mathcal {T}_{\mathbb {Z}}} = (\varphi '' \mathrel {\wedge }\square (A_{\mathbb {B}} \mathrel {\rightarrow }\varphi ^{\textit{extra}}_{\mathcal {T}_{\mathbb {Z}}})) $$

   \(\square \)

Note that the Boolean encoding is extended with an assumption formula \(A_{\mathbb {B}} = (d_0 \leftrightarrow \lnot d_1) \wedge (d_0 \vee d_1)\) that restricts environment moves to guarantee that exactly one environment decision variable is picked. Also, note that a Boolean abstraction algorithm will output three (instead of two) decisions for the environment, but we ackowledge that one of them will never be played by it, since it gives strictly more power to the system. The complexity of this brute-force Booleanization algorithm is doubly exponential in the number of literals.

3.3 From Local Simulation to Equi-Realizability

The intuition about the correctness of the algorithm is that the extra requirement encodes precisely all reactions (i.e., collections of choices), for which there is a move of the environment that leaves the system with precisely that power to respond. As an observation, in the extra requirement, the set of potentials in valid reactions cannot be empty. This is stated in Lemma 1.

Lemma 1

Let \(C \in \mathcal {C}\) be such that \(react_C \in \textit{VR}\). Then \(C \ne \emptyset \).

Proof

Bear in mind \(\textit{react}_C \in \textit{VR}\) is valid. Let \(\overline{v} \) be such that is valid. Let \(\overline{w} \) be an arbitrary valuation of \(\overline{y} \) and let c be a choice and l a literal. Therefore:

figure j

It follows that \(I[\overline{x} \leftarrow \overline{v} ] \exists \overline{y}. c\), so \(c\in C\).    \(\square \)

Lemma 1 is crucial, because it ensures that once a Boolean abstraction algorithm is executed, for each fresh \(\overline{e}\) variable in the extra requirement, at least one reaction with one or more potentials can be responded by the system.

Therefore, in each position in the realizability game, the system can respond to moves of the system leaving to precisely corresponding positions in the Boolean game. In turn, this leads to equi-realizability because each move can be simulated in the corresponding game. Concretely, it is easy to see that we can define a simulation between the positions of the games for \(\varphi _{\mathcal {T}} \) and \(\varphi _{\mathbb {B}} \) such that (1) each literal \(l_i\) and the corresponding variable \(s_i\) have the same truth value in related positions, (2) the extra requirement is always satisfied, and (3) moves of the system in each game from related positions in each game can be mimicked in the other game. This is captured by the following theorem:

Theorem 1

System wins \(\mathcal {G}^{\mathcal {T}}\) if and only if System wins the game \(\mathcal {G}^{\mathbb {B}}\). Therefore, \(\varphi _{\mathcal {T}} \) is realizable if and only if \(\varphi _{\mathbb {B}} \) is realizable.

Proof

(Sketch). Since realizability games are memory-less determined, it is sufficient to consider only local strategies. Given a strategy \(\rho _{\mathbb {B}} \) that is winning in \(\mathcal {G}^{\mathbb {B}}\) we define a strategy \(\rho _{\mathcal {T}} \) in \(\mathcal {G}^{\mathcal {T}}\) as follows. Assuming related positions, \(\rho _{\mathcal {T}} \) moves in \(\mathcal {G}^{\mathcal {T}}\) to the successor that is related to the position where \(\rho _{\mathbb {B}} \) moves in \(\mathcal {G}^{\mathbb {B}}\). By (3) above, it follows that for every play played in \(\mathcal {G}^{\mathbb {B}}\) according to \(\rho _{\mathbb {B}} \) there is a play in \(\mathcal {G}^{\mathcal {T}}\) played according to \(\rho _{\mathcal {T}} \) that results in the same trace, and vice-versa: for every play played in \(\mathcal {G}^{\mathcal {T}}\) according to \(\rho _{\mathcal {T}} \) there is a play in \(\mathcal {G}^{\mathbb {B}}\) played according to \(\rho _{\mathbb {B}} \) that results in the same trace. Since \(\rho _{\mathbb {B}} \) is winning, so is \(\rho _{\mathcal {T}} \). The other direction follows similarly, because again \(\rho _{\mathbb {B}} \) can be constructed from \(\rho _{\mathcal {T}} \) not only guaranteeing the same valuation of literals and corresponding variables, but also that the extra requirement holds in the resulting position.    \(\square \)

The following corollary of Thm. 1 follows immediately.

Theorem 2

Let \(\mathcal {T}\) be a theory with a decidable \(\exists ^*\forall ^*\)-fragment. Then, \(LTL _{\mathcal {T}} \) realizability is decidable.

4 Efficient Algorithms for Boolean Abstraction

4.1 Quasi-reactions

The basic algorithm presented in Sect. 3 exhaustively traverses the set of reactions, one at a time, checking whether each reaction is valid. Therefore, the body of the loop is visited \(2^{|\mathcal {C} |}\) times. In practice, the running time of this basic algorithm quickly becomes unfeasible.

We now improve Alg. 1 by exploiting the observation that every SMT query for the validity of a reaction reveals information about the validity of other reactions. We will exploit this idea by learning uninteresting subsequent sets of reactions and pruning the search space. The faster algorithms that we present below encode the remaining search space using a SAT formula, whose models are further reactions to explore.

To implement the learning-and-pruning idea we first introduce the notion of quasi-reaction.

Definition 4 (Quasi-reaction)

A quasi-reaction is a pair (PA) where \(P\subseteq {}\mathcal {C} \), \(A\subseteq {}\mathcal {C} \) and \(P \cap A=\emptyset \).

Quasi-reactions remove from reactions the constraint that \(P \cup A=\mathcal {C} \). A quasi-reaction represents the set of reactions that would be obtained from choosing the remaining choices that are neither in P nor in A as either potential or antipotential. The set of quasi-reactions is:

$$ \mathcal {Q} =\{ (P,A) | P,A \subseteq \mathcal {C} \textit{ and } P \cap A=\emptyset \} $$

Note that \(\mathcal {R} =\{(P,A)\in \mathcal {Q} | P \cup A =\mathcal {C} \}.\)

Example 6

Consider a case with four choices \(c_0\), \(c_1\), \(c_2\) and \(c_3\). The quasi-reaction \((\{c_0,c_2\},\{c_1\})\) corresponds to the following formula:

$$ \exists \overline{x} \textit{. } \big (\exists \overline{y} \textit{. }f(c_0(\overline{x}, \overline{y})) \wedge \forall \overline{y} \textit{. } \lnot f(c_1(\overline{x}, \overline{y})) \wedge \exists \overline{y} \textit{. }f(c_2(\overline{x}, \overline{y}))\big ) $$

Note that nothing is stated in this quasi-reaction about \(c_3\) (it neither acts as a potential nor as an antipotential).    \(\square \)

Consider the following order between quasi-reactions: \((P,A)\mathrel {\preceq }(P',A')\) holds if and only if \(P\subseteq P'\) and \(A\subseteq A'\). It is easy to see that \(\mathrel {\preceq }\) is a partial order, that \((\emptyset ,\emptyset )\) is the lowest element and that for every two elements (PA) and \((P',A')\) there is a greatest lower bound (namely \((P\cap P',A\cap A')\)). Therefore \((P,A)\sqcap (P',A')\,{\mathop {=}\limits ^{\text {def}}}\,(P\cap P',A\cap A')\) is a meet operation (it is associative, commutative and idempotent). Note that \(q\mathrel {\preceq }{}q'\) if and only if \(q\sqcap q'=q\). Formally:

Proposition 1

\((\mathcal {Q},\sqcap )\) is a lower semi-lattice.

The quasi-reaction semi-lattice represents how informative a quasi-reaction is. Given a quasi-reaction (PA), removing an element from either P or A results in a strictly less informative quasi-reaction. The lowest element \((\emptyset ,\emptyset )\) contains the least information.

Given a quasi-reaction q, the set \(\mathcal {Q} _q=\{ q'\in \mathcal {Q} | q'\mathrel {\preceq }q\}\) of the quasi-reactions below q form a full lattice with join \((P,Q)\sqcup (P',Q')\,{\mathop {=}\limits ^{\text {def}}}\,(P\cup P',Q\cup Q')\). This is well defined because \(P'\) and Q, and P and \(Q'\) are guaranteed to be disjoint.

Proposition 2

For every q, \((\mathcal {Q} _q,\sqcap ,\sqcup )\) is a lattice.

As for reactions, quasi-reactions correspond to a formula in the theory as follows:

$$ \textit{qreact}_{(P,A)}(\overline{x}) = \bigwedge _{c \in P} \big (\exists \overline{y}. c(\overline{x},\overline{y})\big ) \wedge \bigwedge _{c \in A} \big (\forall \overline{y}.\lnot c(\overline{x},\overline{y})\big ) $$

Again, given a quasi-reaction q, if \(\exists \overline{x}. \textit{qreact}_q(\overline{x})\) is valid we say that q is valid, otherwise we say that q is invalid. The following holds directly from the definition (and the fact that adding conjuncts makes a first-order formula “less satisfiable”).

Proposition 3

Let \(q,q'\) be two quasi-reactions with \(q\mathrel {\preceq }{}q'\). If q is invalid then \(q'\) is invalid. If \(q'\) is valid then q is valid.

These results enable the following optimizations.

4.2 Quasi-reaction-based Optimizations

A Logic-Based Optimization. Consider that, during the search for valid reactions in the main loop, a reaction (PA) is found to be invalid, that is \(\textit{react}_{(P,A)}\) is unsatisfiable. If the algorithms explores the quasi-reactions below (PA), finding \((P',A')\mathrel {\preceq }(P,A)\) such that \(\textit{qreact}_{(P',A')}\), then by Prop. 3, every reaction \((P'',A'')\) above \((P',A')\) is guaranteed to be invalid. This allows to prune the search in the main loop by computing a more informative quasi-reaction q after an invalid reaction r is found, and skipping all reactions above q (and not only r). For example, if the reaction corresponding to \((\{c_0,c_2,c_3\},\{c_1\})\) is found to be invalid, and by exploring quasi-reactions below it, we find that \((\{c_0\},\{c_1\})\) is also invalid, then we can skip all reactions above \((\{c_0\},\{c_1\})\). This includes for example \((\{c_0,c_2\},\{c_1,c_3\})\) and \((\{c_0,c_3\},\{c_1,c_2\})\). In general, the lower the invalid quasi-reaction in \(\mathrel {\preceq }\), the more reactions will be pruned. This optimization resembles a standard choosing of max/min elements in an anti-chain.

A Game-Based Optimization. Consider now two reactions \(r=(P,A)\) and \(r'=(P',A')\) such that \(P\subseteq P'\) and assume that both are valid reactions. Since \(r'\) allows more choices to the system (because the potentials P determine these choices), the environment player will always prefer to play r than \(r'\). Formally, if there is a winning strategy for the environment that chooses values for \(\overline{x}\) (corresponding to a model of \(\textit{react}_r\)), then choosing values for \(\overline{x}'\) instead (corresponding to a model of \(\textit{react}_{r'}\)) will also be winning.

Therefore, if a reaction r is found to be valid, we can prune the search for reactions \(r'\) that contain strictly more potentials, because even if \(r'\) is also valid, it will be less interesting for the environment player. For instance, if \((\{c_0,c_3\},\{c_1,c_2\})\) is valid, then \((\{c_0,c_1,c_3\},\{c_2\})\) and \((\{c_0,c_1,c_3,c_2\},\{\})\) become uninteresting to be explored and can be pruned from the search.

4.3 A Single Model-Loop Algorithm (Algorithm 2)

We present now a faster algorithm that replaces the main loop of Algorithm 1 that performs exhaustive exploration with a SAT-based search procedure that prunes uninteresting reactions. In order to do so, we use a SAT formula \(\psi \) with one variable \(z_i\) per choice \(c_i\), in a DPLL(T) fashion. An assignment \(v: Vars (\psi )\mathrel {\rightarrow }\mathbb {B}\) to these variables represents a reaction (PA) where

$$ P=\{ c_i | v(z_i)=\textit{true}\} A=\{ c_j | v(z_j)=\textit{false}\} $$

Similarly, a partial assignment \(v: Vars (\psi )\rightharpoonup \mathbb {B}\) represents a quasi-reaction. The intended meaning of \(\psi \) is that its models encode the set of interesting reactions that remain to be explored. This formula is initialized with \(\psi =\textit{true}\) (note that \(\lnot (\bigwedge _{z_i} \lnot z_i)\) is also a correct starting point because the reaction where all choices are antipotentials is invalid). Then, a SAT query is used to find a satisfying assignment for \(\psi \), which corresponds to a (quasi-)reaction r whose validity is interesting to be explored. Algorithm 2 shows

figure k

the Model-loop algorithm. The three main building blocks of the model-loop algorithm are:

  1. (1)

    Algorithm 2 stops when \(\psi \) is invalid (line 14).

  2. (2)

    To explore a new reaction, Algorithm 2 obtains a satisfying assignment for \(\psi \) (line 15).

  3. (3)

    Algorithm 2 checks the validity of the reaction (line 16) and enriches \(\psi \) o prune according to what can be learned, as follows:

    • If the reaction is invalid (as a result of the SMT query in line 16), then it checks the validity of quasi-reaction \(q=(\emptyset ,A)\) in line 23. If q is invalid, add the negation of q as a new conjunction of \(\psi \) (line 26). If q is valid, add the negation of the reaction (line 24). This prevents all SAT models that agree with one of these q, which correspond to reactions \(q\mathrel {\preceq }{}r'\), including r.

    • If the reaction is valid, then it is added to the set of valid reactions \(\textit{VR}\) and the corresponding quasi-reaction that results from removing the antipotentials is added (negated) to \(\psi \) (line 18), preventing the exploration of uninteresting cases, according to the game-based optimization.

As for the notation in Algorithm 2 (also in Algorithm 3 and Algorithm 4), model(\(\psi \)) in line 15 is a function that returns a satisfying assignment of the SAT formula \(\psi \), posVars(m) returns the positive variables of m (e.g., \(c_i, c_j\) etc.) and negVars(m) returns the negative variables. Finally, \( \textit{toTheory}(m, \mathcal {C}) = \bigwedge _{m_i} c_i^p \wedge \bigwedge _{\lnot m_i} c_i^a\) (in lines 16 and 23) translates a Boolean formula into its corresponding formula in the given \(\mathcal {T}\) theory. Note that unsatisfiable m can be minimized finding cores.

If r is invalid and \((\emptyset ,A)\) is found also to be invalid, then exponentially many cases can be pruned. Similarly, if r is valid, also exponentially many cases can be pruned. The following result shows the correctness of Algorithm 2:

Theorem 3

Algorithm 2 terminates and outputs a correct Boolean abstraction.

Proof

(Sketch). Algorithm 2 terminates because, at each step in the loop, \(\psi \) removes at least one satisfying assignment and the total number is bounded by \(2^{|\mathcal {C} |}\). Also, the correctness of the generated formula is guaranteed because, for every valid reaction in Algorithm 1, either there is a valid reaction found in Algorithm 2 or a more promising reaction found in Algorithm 2.    \(\square \)

4.4 A Nested-SAT Algorithm (Algorithm 3)

We now present an improvement of Algorithm 2 that performs a more detailed search for a promising collection of invalid quasi-reactions under an invalid reaction r.

figure l

Note that it is not necessary to find the precise collection of all the smallest quasi-reactions that are under an invalid reaction r, as long as at least one quasi-reaction under r is calculated (perhaps, r itself). Finding lower quasi-reactions allow to prune more, but its calculation is more costly, because more SMT queries need to be performed. The Nested-SAT algorithm (Algorithm 3) explores (using an inner SAT encoding) this trade-off between computing more exhaustively better invalid quasi-reactions and the cost of the search. The three main building blocks of the nested-SAT algorithm (see Algorithm 3) are:

  1. (1)

    It stops when \(\psi \) is invalid (as in Algorithm 2), in line 33.

  2. (2)

    To get the reaction, obtain a satisfying assignment m for \(\psi \) (as in Algorithm 2), in line 34.

  3. (3)

    Check the validity of the corresponding reaction and prune \(\psi \) according to what can be learned as follows. If the reaction is valid, then we proceed as in Algorithm 2. If \(r=(P,A)\) is invalid (as a result of the SMT query), then an inner SAT formula encodes whether a choice is masked (eliminated from P or A). Models of the inner SAT formula, therefore, correspond to quasi-reactions below r. If a quasi-reaction q found in the inner loop is invalid, the inner formula is additionally constrained and the set of invalid quasi-reactions is expanded. If a quasi-reaction q found is valid, then the inner SAT formula is pruned eliminating all quasi-reactions that are guaranteed to be valid. At the end of the inner loop, a (non-empty) collection of invalid quasi-reactions are added to \(\psi \).

The inner loop, shown in Algorithm 4 (where VQ stands for valid quasi-reactions), explores a full lattice.

figure m

Also, note that \(\lnot (\bigwedge _{z_i} \lnot z_i)\) is, again, a correct starting point. Consider, for example, that the outer loop finds \((\{c_1,c_3\},\{c_0,c_2\})\) to be invalid and that the inner loop produces assignment \(w_0\mathrel {\wedge }w_1\mathrel {\wedge }w_2 \mathrel {\wedge }\lnot w_3\). This corresponds to \(c_3\) being masked producing quasi-reaction \((\{c_1\},\{c_0,c_2\})\). The pruning system is the following:

  • If quasi-reaction q is valid then the inner SAT formula is pruned eliminating all inner models that agree with the model in the masked choices. In our example, we would prune all models that satisfy \(\lnot w_3\) if q is valid (because the resulting quasi-reactions will be inevitably valid).

  • If quasi-reaction q is invalid, then we prune in the inner search all quasi-reactions that mask less than q, because these will be inevitably invalid. In our example, we would prune all models satisfying \(\lnot (w_0\mathrel {\wedge }w_1\mathrel {\wedge }w_2)\).

Note that toTheory_inn\((u, m, \mathcal {C}) = \bigwedge _{m_i \wedge u_j} c_i^p \wedge \bigwedge _{\lnot m_i \wedge u_j} c_i^a\) is not the same function as the \(\textit{toTheory()}\) used in Algorithm 2 and Algorithm 3, since the inner loops needs both model m and mask u (which makes no sense to be negated) to translate a Boolean formula into a \(\mathcal {T}\)-formula. Also, note that there is again a trade-off in the inner loop because an exhaustive search is not necessary. Thus, in practice, we also used some basic heuristics: (1) entering the inner loop only when \((\emptyset ,A)\) is invalid; (2) fixing a maximum number of inner model queries per outer model with the possibility to decrement this amount dynamically with a decay; and (3) reducing the number of times the inner loop is exercised (e.g., enter the inner loop only if the number of invalid outer models so far is even).

Example 7

We explore the results of Algorithm 3. A possible execution for 2 literals can be as follows:

  1. 1.

    Reaction \((\{c_0,c_3\},\{c_1,c_2\} )\) is obtained in line 34, which is declared invalid by the SMT solver in line 35. The inner loop called in line 42 produces \((\{c_0\},\{c_1\} )\), \((\{c_3\},\{c_2\} )\) and \((\{\},\{c_1,c_2\} )\) as three invalid quasi-reactions, and their negations are added to the SAT formula of the outer loop in line 43.

  2. 2.

    A second reaction \((\{c_0,c_1\},\{c_3,c_4\} )\) is obtained from the SAT solver in line 34, and now the SMT solver query is valid in line 35. Then, \(\lnot (c_0\mathrel {\wedge }c_1)\) is added to the outer SAT formula in line 37.

  3. 3.

    A third reaction \((\{c_2,c_3\},\{c_0,c_1\} )\) is obtained in line 33 , which is again valid in line 35. Similarly, \(\lnot (c_2\mathrel {\wedge }c_3)\) is added the outer SAT formula in line 37.

  4. 4.

    A fourth reaction \((\{c_1,c_2\},\{c_0,c_3\} )\) is obtained in line 33, which is now invalid (line 35). The inner loop called in line 42 generates the following cores: \((\{c_1\},\{c_0\} )\) and \((\{c_2\},\{c_3\})\). The addition of the negation of these cores leads to an unsatisfiable outer SAT formula, and the algorithm terminates.

The execution in this example has performed 4 SAT+SMT queries in the outer loop, and 3+2 SAT+SMT queries in the inner loops. The brute-force Algorithm 1 would have performed 16 queries. Note that the difference between the exhaustive version and the optimisations soon increases exponentially when we consider specifications with more literals.    \(\square \)

5 Empirical Evaluation

We perform an empirical evaluation on six specifications inspired by real industrial cases: Lift (Li.), Train (Tr.), Connect (Con.), Cooker (Coo.), Usb (Usb) and Stage (St.), and a synthetic example (Syn.) with versions from 2 to 7 literals. For the implementation, we used used Python 3.8.8 with Z3 4.11.

Fig. 2.
figure 2

Empirical evaluation results of the different Boolean abstraction algorithms , where the best results are in bold and \(\varphi _{\mathbb {B}} \) only refers to best times.

Full size image

It is easy to see that “clusters” of literals that do not share variables can be Booleanized independently, so we split into clusters each of the examples. We report our results in Fig. 2. Each row contains the result for a cluster of an experiment (each one for the fastest heuristic). Each benchmark is split into clusters, where we show the number of variables (vr.) and literals (lt.) per cluster. We also show running times of each algorithm against each cluster; concretely, we test Algorithm 1 (BF), Algorithm 2 (SAT) and Algorithm 3 (Doub.). For Algorithm 2 and Algorithm 3, we show the number of queries performed; in the case of Algorithm 3, we also show both outer and inner queries. Algorithm 1 and Algorithm 2 require no heuristics. For Algorithm 3, we report, left to right: maximum number of inner loops (MxI.), the modulo division criteria (Md.)Footnote 2, the number of queries after which we perform a decay of 1 in the maximum number of inner loops (Dc.), and if we apply the invalidity of \((\emptyset , A)\) as a criteria to enter the inner loop (A.), where \(\checkmark \) means that we do and \(\times \) means the contrary. Also, \(\perp \) means timeout (or no data).

The brute-force (BF) Algorithm 1 performs well with 3 or fewer literals, but the performance dramatically decreases with 4 literals. Algorithm 2 (single SAT) performs well up to 4 literals, and it can hardly handle cases with 6 or more literals. An exception is Lift (1,7) which is simpler since it has only one variable (and this implies that there is only one player). The performance improvement of SAT with respect to BF is due to the decreasing of queries. For example, Train (3,6) performs 13706 queries, whereas BF would need \(2^{2^6}=1.844\cdot 10^{18}\) queries.

All examples are Booleanizable when using Algorithm 3 (two SAT loops), particularly when using a combination of concrete heuristics. For instance, in small cases (2 to 5 literals) it seems that heuristic-setups like \(3/3/3/0/\checkmark \)Footnote 3 are fast, whereas in bigger cases other setups like \(40/2/0/\checkmark \) or \(100/40/20/\times \) are faster. We conjecture that a non-zero decay is required to handle large inputs, since inner loop exploration becomes less useful after some time. However, adding a decay is not always faster than fixing a number of inner loops (see Syn (2,7)), but it always yields better results in balancing the number of queries between the two nested SAT layers. Thus, since balancing the number of queries typically leads to faster execution times, we recommend to use decays. Note that we performed all the experiments reported in this section running all cases several times and computing averages, because Z3 exhibited a big volatility in the models it produces, which in turn influenced the running time of our algorithms. This significantly affects the precise reproducibility of the running times. For instance, for Syn(2,5) the worst case execution was almost three times worst than the average execution reported in Fig. 2. Studying this phenomena more closely is work in progress. Note that there are cases in which the number of queries of SAT and Doub. are the same (e.g., Usb(3,5)), which happened when the A. heuristic had the effect of making the search not to enter the inner loop.

In Fig. 2 we also analyzed the constructed \(\varphi _{\mathbb {B}} \), measuring the number of valid reactions from which it is made (Val.) and the time (Tme.) that a realizability checker takes to verify whether \(\varphi _{\mathbb {B}} \) (hence, \(\varphi _{\mathcal {T}} \)) is realizable or not (expressed with dark and light gray colours, respectively). We used Strix [27] as the realizability checker. As we can see, there is a correspondence between the expected realizability in \(\varphi _{\mathcal {T}} \) and the realizability result that Strix returns in \(\varphi _{\mathbb {B}} \). Indeed, we can see all instances can be solved in less than 7 seconds, and the length of the Boolean formula (characterized by the number of valid reactions) hardly affects performance. This suggests that future work should be focused on reducing time necessary to produce Boolean abstraction to scale even further.

Also, note that Fig. 2 shows remarkable results as for ratios of queries required with respect to the (doubly exponential) brute-force algorithm: e.g., \(4792+9941\) (outer + inner loops) out of the \(1.844 \cdot 10^{19}\) queries that the brute-force algorithm would need, which is less than its \(1 \cdot 10^{-13}\%\) (see Fig. 3 for more details). We also compared the performance and number of queries for two different theories \(\mathcal {T}_{\mathbb {Z}}\) and \(\mathcal {T}_{\mathbb {R}}\) for Syn (2,3) to Syn (2,6). Note, again, that the realizability result may vary if a specification is interpreted in different theories, but this is not relevant for the experiment in Fig. 4, which suggests that time results are not dominated by the SMT solver; but, again, from the enclosing abstraction algorithms.

Fig. 3.
figure 3

Best numbers of queries for Algorithm 2 and 3 relative to brute-force (Alg.1).

Full size image
Fig. 4.
figure 4

Comparison of \(\mathcal {T}_\mathbb {Z}\) and \(\mathcal {T}_\mathbb {R}\) for Syn (2,3) to Syn (2,6).

Full size image

6 Related Work and Conclusions

Related Work. Constraint LTL [11] extends LTL with the possibility of expressing constraints between variables at bounded distance (of time). The theories considered are a restricted form of \(\mathcal {T}_\mathbb {Z}\) with only comparisons with additional restrictions to overcome undecidability. In comparison, we do not allow predicates to compare variables at different timesteps, but we prove decidability for all theories with an \(\exists ^*\forall ^*\) decidable fragment. LTL modulo theories is studied in [12, 19] for finite traces and they allow temporal operators within predicates, leading the logic to undecidability.

As for works closest to ours, [7] proposes numerical LTL synthesis using an interplay between an LTL synthesizer and a non-linear real arithmetic checker. However, [7] overapproximates the power of the system and hence it is not precise for realizability. Linear arithmetic games are studied in [13] introducing algorithms for synthesizing winning strategies for non-reactive specifications. Also, [22] considers infinite theories (like us), but it does not guarantee success or termination, whereas our Boolean abstraction is complete. They only consider safety, while our approach considers all LTL. The follow-up [23] has still similar limitations: only liveness properties that can be reduced to safety are accepted, and guarantees termination only for the unrealizability case. Similarly, [18] is incomplete, and requires a powerful solver for many quantifier alternations, which can be reduced to 1-alternation, but at the expense of the algorithm being no longer sound for the unrealizable case (e.g., depends on Z3 not answering “unknown”). As for [34], it (1) only considers safety/liveness GR(1) specifications, (2) is limited to the theory of fixed-size vectors and requires (3) quantifier elimination (4) and guidance. We only require \(\exists ^*\forall ^*\)-satisfiability (for Boolean abstraction) and we consider multiple infinite theories. The usual main difference is that Boolean abstraction generates a (Boolean) LTL specification so that existing tools can be used with any of their internal techniques and algorithms (bounded synthesis, for example) and will automatically benefit from further optimizations. Moreover, it preserves fragments like safety and GR(1) so specialized solvers can be used. On the contrary, all approaches above adapt one specific technique and implement it in a monolithic way.

Temporal Stream Logic (TSL) [16] extends LTL with complex data that can be related accross time, making use of a new update operator , to indicate that y receives the result of applying function f to variable x. TSL is later extended to theories in [15, 25]. In all these works, realizability is undecidable. Also, in [8] reactive synthesis and syntax guided synthesis (SyGuS) [1] collaborate in the synthesis process, and generate executable code that guarantees reactive and data-level properties. It also suffers from undecidability: both due to the undecidability of TSL [16] and of SyGus [6]. In comparison, we cannot relate values accross time but we provide a decidable realizability procedure.

Comparing TSL with \(LTL _{\mathcal {T}}\), TSL is undecidable already for safety, the theory of equality and Presburger arithmetic. More precisely, TSL is only known to be decidable for three fragments (see Thm. 7 in [15]). TSL is (1) semi-decidable for the reachability fragment of TSL (i.e., the fragment of TSL that only permits the next operator and the eventually operator as temporal operators); (2) decidable for formulae consisting of only logical operators, predicates, updates, next operators, and at most one top-level eventually operator; and (3) semi-decidable for formulae with one cell (i.e., controllable outputs). All the specifications considered for empirical evaluation in Sect. 5 are not within the considered decidable or semi-decidable fragments. Also, TSL allows (finite) uninterpreted predicates, whereas we need to have predicates well defined within the semantics of theories of specifications for which we perform Boolean abstraction.

Conclusion. The main contribution of this paper is to show that \(LTL _{\mathcal {T}}\) is decidable via a Boolean abstraction technique for all theories of data with a decidable \(\exists ^*\forall ^*\) fragment. Our algorithms create, from a given \(LTL _{\mathcal {T}}\) specification where atomic propositions are literals in such a theory, an equi-realizable specification with Boolean atomic propositions. We also have introduced efficient algorithms using SAT solvers for efficiently traversing the search space. A SAT formula encodes the space of reactions to be explore and our algorithms reduce this space by learning uninteresting areas from each reaction explores. The fastest algorithm uses a two layer SAT nested encoding, in a DPLL(T) fashion. This search yields dramatically more efficient running times and makes Boolean abstraction applicable to larger cases. We have performed an empirical evaluation of implementations of our algorithms. We found empirically that the best performances are obtained when there is a balance in the number of queries made by each layer of the SAT-search. To the best of our knowledge, this is the first method to propose a solution (and efficient) to realizability for general \(\exists ^*\forall ^*\) decidable theories, which include, for instance, the theories of integers and reals.

Future work includes first how to improve scalability further. We plan to leverage quantifier elimination procedures [9] to produce candidates for the sets of valid reactions and then check (and correct) with faster algorithms. Also, optimizations based in quasi-reactions can be enhanced if state-of-the-art tools for satisfiability core search (e.g., [2, 3, 24]) are used. Another direction is to extend our realizability method into a synthesis procedure by synthesizing functions in \(\mathcal {T} \) to produces witness values of variables controlled by the system given (1) environment and system moves in the Boolean game, and (2) environment values (consistent with the environment move). Finally, we plan to study how to extend \(LTL _{\mathcal {T}}\) with controlled transfer of data accross time preserving decidability.