Synthesizing Approximate Implementations for Unrealizable Specifications

The unrealizability of a specification is often due to the assumption that the behavior of the environment is unrestricted. In this paper, we present algorithms for synthesis in bounded environments, where the environment can only generate input sequences that are ultimately periodic words (lassos) with finite representations of bounded size. We provide automata-theoretic and symbolic approaches for solving this synthesis problem, and also study the synthesis of approximative implementations from unrealizable specifications. Such implementations may violate the specification in general, but are guaranteed to satisfy the specification on at least a specified portion of the bounded-size lassos. We evaluate the algorithms on different arbiter specifications.


Introduction
The objective of reactive synthesis is to automatically construct an implementation of a reactive system from a high-level specification of its desired behaviour. While this idea holds a great promise, applying synthesis in practice often faces significant challenges. One of the main hurdles is that the system designer has to provide the right formal specification, which is often a difficult task [12]. In particular, since the system being synthesized is required to satisfy its requirements against all possible environments allowed by the specification, accurately capturing the designer's knowledge about the environment in which the system will execute is crucial for being able to successfully synthesize an implementation.
Traditionally, environment assumptions are included in the specification, usually given as a temporal logic formula. There are, however less explored ways of incorporating information about the environment, one of which is to consider a bound on the size of the environment, that is, a bound on the size of the state space of a transition system that describes the possible environment behaviors. Restricting the space of possible environments can render an unrealizable specification into a realizable one. The temporal synthesis under such bounded environments was first studied in [6], where the authors extensively study the problem, in several versions, from the complexity-theoretic point of view.
In this paper, we follow a similar avenue of providing environment assumptions. However, instead of bounding the size of the state space of the environment, we associate a bound with the sequences of values of input signals produced by the environment. The infinite input sequences produced by a finite-state environment which interacts with a finite state system are ultimately periodic, and thus, each such infinite sequence σ ∈ Σ ω I , over the input alphabet Σ I , can be represented as a lasso, which is a pair (u, v) of finite words u ∈ Σ * I and v ∈ Σ + I , such that σ = u · v ω . It is the length of such sequences that we consider a bound on. More precisely, given a bound k ∈ N, we consider the language of all infinite sequences sequences of inputs that can be represented by a lasso (u, v) with |u · v| = k. The goal of the synthesis of lasso precise implementations is then to synthesize a system for which each execution resulting from a sequence of environment inputs in that language, satisfies a given linear temporal specification.
As an example, consider an arbiter serving two client processes. Each client issues a request when it wants to access a shared resource, and keeps the request signal up until it is done using the resource. The goal of the arbiter is to ensure the classical mutual exclusion property, by not granting access to the two clients simultaneously. The arbiter has to also ensure that each client request is eventually granted. This, however, is difficult since, first, a client might gain access to the resource and never lower the request signal, and second, the arbiter is not allowed to take away a grant unless the request has been set to false, or the client never sets the request to false in the future (the client has become unresponsive). The last two requirements together make the specification unrealizable, as the arbiter has no way of determining if a client has become unresponsive, or will lower the request signal in the future. If, however, the length of the lassos of the input sequences is bounded, then, after a sufficient number of steps, the arbiter can assume that if the request has not been set to false, then it will not be lowered in the future either, as the sequence of inputs must already have run at least once through it's period that will be ultimately repeated from that point on.
Formally, we can express the requirements on the arbiter in Linear Temporal Logic (LTL) as follows. There is one input variable r i (for request) and one output variable g i (for grant) associated with each client. The specification is then given as the conjunction ϕ = ϕ mutex ∧ ϕ resp ∧ ϕ rel where we use the LTL operators Next , Globally and Eventually to define the requirements Due to the requirement to not revoke grants stated in ϕ rel , the specification ϕ is unrealizable (that is, there exists no implementation for the arbiter process). For any bound k on the length of the input lassos, however, ϕ is realizable. More precisely, there exists an implementation in which once client i has not lowered the request signal for k consecutive steps, the variable g i is set to false.
This example shows that when the system designer has knowledge about the resources available to the environment processes, taking this knowledge into account can enable us to synthesize a system that is correct under this assumption.
In this paper we formally define the synthesis problem for lasso-precise implementations, that is, implementations that are correct for input lassos of bounded size, and describe an automata-theoretic approach to this synthesis problem. We also consider the synthesis of lasso-precise implementations of bounded size, and provide a symbolic synthesis algorithm based on quantified Boolean satisfiability.
Bounding the size of the input lassos can render some unrealizable specifications realizable, but, similarly to bounding the size of the environment, comes at the price of higher computational complexity. To alleviate this problem, we further study the synthesis of approximate implementations, where we relax the synthesis problem further, and only require that for a given ǫ > 0 the ratio of input lassos of a given size for which the specification is satisfied, to the total number of input lassos of that size is at least 1 − ǫ. We then propose an approximate synthesis method based on maximum model counting for Boolean formulas [5]. The benefits of the approximate approach are two-fold. Firstly, it can often deliver high-quality approximate solutions more efficiently than the lasso-precise synthesis method, and secondly, even when the specification is still unrealizable for a given lasso bound, we might be able to synthesize an implementation that is correct for a given fraction of the possible input lassos.
The rest of the paper is organized as follows. In Section 2 we discuss related work on environment assumptions in synthesis. In Section 3 we provide preliminaries on linear temporal properties and omega-automata. In Section 4 we define the synthesis problem for lasso-precise implementations, and describe an automata-theoretic synthesis algorithm. In Section 5 we study the synthesis of lasso-precise implementations of bounded size, and provide a reduction to quantified Boolean satisfiability. In Section 6 we define the approximate version of the problem, and give a synthesis procedure based on maximum model counting. Finally, in Section 7 we present experimental results, and conclude in Section 8.

Related Work
Providing good-quality environment specifications (typically in the form of assumptions on the allowed behaviours of the environment) is crucial for the synthesis of implementations from high-level specifications. Formal specifications, and thus also environment assumptions, are often hard to get right, and have been identified as one of the bottlenecks in formal methods and autonomy [12]. It is therefore not surprising, that there is a plethora of approaches addressing the problem of how to revise inadequate environment assumptions in the cases when these are the cause of unrealizability of the system requirements.
Most approaches in this direction build upon the idea of analyzing the cause of unrealizability of the specification and extracting assumptions that help eliminate this cause. The method proposed in [2] uses the game graph that is used to answer the realizability question in order to construct a Büchi automaton representing a minimal assumption that makes the specification realizable. The authors of [8] provide an alternative approach where the environment assumptions are gradually strengthened based on counterstrategies for the environment.
The key ingredient for this approach is using a library of specification templates and user scenarios for the mining of assumptions, in order to generate goodquality assumptions. A similar approach is used in [1], where, however, assumption patterns are synthesized directly from the counterstrategy without the need for the user to provide patterns. A different line of work focuses on giving feedback to the user or specification designer about the reason for unrealizability, so that they can, if possible, revise the specification accordingly. The key challenge adressed there lies in providing easy-to-understand feedback to users, which relies on finding a minimal cause for why the requirements are not achievable and generating a natural language explanation of this cause [11].
In the above mentioned approaches, assumptions are provided or constructed in the form of a temporal logic formula or an omega-automaton. Thus, it is on the one hand often difficult for specification designers to specify the right assumptions, and on the other hand special care has to be taken by the assumption generation procedures to ensure that the constructed assumptions are simple enough for the user to understand and evaluate. The work [6] takes a different route, by making assumptions about the size of the environment. That is, including as an additional parameter to the synthesis problem a bound on the state space of the environment. Similarly to temporal logic assumptions, this relaxation of the synthesis problem can render unrealizable specifications into realizable ones. From the system designer point of view, however, it might be significantly easier to estimate the size of environments that are feasible in practice than to express the implications of this additional information in a temporal logic formula. In this paper we take a similar route to [6], and consider a bound on the cyclic structures in the environment's behaviour. Thus, the closest to our work is the temporal synthesis for bounded environments studied in [6]. In fact, we show that the synthesis problem for lasso-precise implementations and the synthesis problem under bounded environments can be reduced to each other. However, while the focus in [6] is on the computational complexity of the bounded synthesis problems, here we provide both automata-theoretic, as well as symbolic approaches for solving the synthesis problem for environments with bounded lassos. We further consider an approximate version of this synthesis problem. The benefits of using approximation are two-fold. Firstly, as shown in [6], while bounding the environment can make some specifications realizable, this comes at a high computational complexity price. In this case, approximation might be able to provide solutions of sufficient quality more efficiently. Furthermore, even after bounding the environment's input behaviours, the specification might still remain unrealizable, in which case we would like to satisfy the requirements for as many input lassos as possible. In that sense, we get closer to synthesis methods for probabilistic temporal properties in probabilistic environments [7]. However, we consider non-probabilistic environments (i.e., all possible inputs are equally likely), and provide probabilistic guarantees with desired confidence by employing maximum model counting techniques. Maximum model counting has previously been used for the synthesis of approximate non-reactive programs [5]. Here, on the other hand we are concerned with the synthesis of reactive systems from temporal specifications.
Bounding the size of the synthesized system implementation is a complementary restriction of the synthesis problem, which has attracted a lot of attention in recent years [4]. The computational complexity of the synthesis problem when both the system's and the environment's size is bounded has been studied in [6]. In this paper we provide a symbolic synthesis procedure for bounded synthesis of lasso-precise implementations based on quantified Boolean satisfiability.

Preliminaries
We now recall definitions and notation from formal languages and automata, and notions from reactive synthesis such as implementation and environment.

Linear-time Properties and Lassos.
A linear-time property ϕ over an alphabet Σ is a set of infinite words ϕ ⊆ Σ ω . Elements of ϕ are called models of ϕ. A lasso of length k over an alphabet Σ is a pair (u, v) of finite words u ∈ Σ * and v ∈ Σ + with |u · v| = k that induces the ultimately periodic word u · v ω . We call u · v the base of the lasso or ultimately periodic word, and k the length of the lasso.
If a word w ∈ Σ * is a prefix of a word σ ∈ Σ * ∪ Σ ω , we write w < σ. For a language L ⊆ Σ * ∪ Σ ω , we define Prefix (L) = {w ∈ Σ * | ∃σ ∈ L : w < σ} is the set of all finite words that are prefixes of words in L.

Implementations. We represent implementations as labeled transition systems.
Let I and O be finite sets of input and output atomic propositions respectively. A 2 O -labeled 2 I -transition system is a tuple T = (T, t 0 , τ, o), consisting of a finite set of states T , an initial state t 0 ∈ T , a transition function τ : T × 2 I → T , and a labeling function o : T → 2 O . We denote by |T | the size of an implementation T , defined as |T | = |T |. A path in T is a sequence π : N → T × 2 I of states and inputs that follows the transition function, i.e., for all i ∈ N if π(i) = (t i , e i ) and π(i + 1) = (t i+1 , e i+1 ), then t i+1 = τ (t i , e i ). We call a path initial if it starts with the initial state: π(0) = (t 0 , e) for some e ∈ 2 I . For an initial path π, we call the sequence σ π : i → (o(t i ) ∪ e i ) ∈ (2 I∪O ) ω the trace of π. We call the set of traces of a transition system T the language of T , denoted L(T ).
Finite-state environments can be represented as labelled transition systems in a similar way, with the difference that the inputs are the outputs of the implementation, and the states of the environment are labelled with inputs for the implementation. More precisely, a finite-state environment is a 2 I -labeled 2 O -transition system E = (E, s 0 , ρ, ι). The composition of an implementation T and an environment E results in a set of traces of T , which we denote L E (T ), where σ = σ 0 σ 1 . . . ∈ L E (T ) if and only if σ ∈ L(T ) and there exists an initial path s 0 s 1 . . . in E such that for all i ∈ N, s i+1 = ρ(s i , σ i+1 ∩O) and σ i ∩I = ι(s i ).
Linear-time Temporal Logic. We specify properties of reactive systems (implementations) as formulas in Linear-time Temporal Logic (LTL) [9]. We consider the usual temporal operators Next , Until U, and the derived operators Release R, which is the dual operator of U , Eventually and Globally . LTL formulas are defined over a set of atomic propositions AP. We denote the satisfaction of an LTL formula ϕ by an infinite sequence σ ∈ (2 AP ) ω of valuations of the atomic propositions by σ |= ϕ and call σ a model of ϕ. For an LTL formula ϕ we define the language L(ϕ) of ϕ to be the set {σ ∈ (2 AP ) ω | σ |= ϕ}.
For a set of atomic propositions AP = O ∪ I, we say that a 2 O -labeled 2 Itransition system T satisfies an LTL formula ϕ, if and only if L(T ) ⊆ L(ϕ), i.e., every trace of T satisfies ϕ. In this case we call T a model of ϕ, denoted T |= ϕ.
For I ⊆ AP and σ ∈ (2 AP ) * ∪ (2 AP ) ω , we denote with σ| I the projection of σ on I, obtained by the sequence of valuations of the propositions from I in σ.
Automata Over Infinite Words. The automata-theoretic approach to reactive synthesis relies on the fact that an LTL specification can be translated to an automaton over infinite words, or, alternatively, that the specification can be provided directly as such an automaton. An alternating parity automaton over an alphabet Σ is a tuple A = (Q, q 0 , δ, µ), where Q denotes a finite set of states, Q 0 ⊆ Q denotes a set of initial states, δ denotes a transition function, and µ : Q → C ⊂ N is a coloring function. The transition function δ : Q×Σ → B + (Q) maps a state and an input letter to a positive Boolean combination of states [14].
A tree T over a set of directions D is a prefix-closed subset of D * . The empty sequence ǫ is called the root. The children of a node n ∈ T are the nodes {n · d ∈ T | d ∈ D}. A Σ-labeled tree is a pair (T, l), where l : T → Σ is the labeling function. A run of A = (Q, q 0 , δ, µ) on an infinite word σ = α 0 α 1 · · · ∈ Σ ω is a Q-labeled tree (T, l) that satisfies the following constraints: (1) l(ǫ) = q 0 , and (2) for all n ∈ T , if l(n) = q, then {l(n ′ ) | n ′ is a child of n} satisfies δ(q, α |n| ).
A run tree is accepting if every branch either hits a true transition or is an infinite branch n 0 n 1 n 2 · · · ∈ T , and the sequence l(n 0 )l(n 1 )l(n 2 ) . . . satisfies the parity condition, which requires that the highest color occurring infinitely often in the sequence µ(l(n 0 ))µ(l(n 1 ))µ(l(n 2 )) · · · ∈ N ω is even. An infinite word σ is accepted by an automaton A if there exists an accepting run of A on σ. The set of infinite words accepted by A is called its language, denoted L(A).
A nondeterministic automaton is a special alternating automaton, where for all states q and input letters α, δ(q, α) is a disjunction. An alternating automaton is called universal if, for all states q and input letters α, δ(q, α) is a conjunction. A universal and nondeterministic automaton is called deterministic.
A parity automaton is called a Büchi automaton if and only if the image of µ is contained in {1, 2}, a co-Büchi automaton if and only if the image of α is contained in {0, 1}. Büchi and co-Büchi automata are denoted by (Q, Q 0 , δ, F ), where F ⊆ Q denotes the states with the higher color. A run graph of a Büchi automaton is thus accepting if, on every infinite path, there are infinitely many visits to states in F ; a run graph of a co-Büchi automaton is accepting if, on every path, there are only finitely many visits to states in F . The next theorem states the relation between LTL and alternating Büchi automata, namely that every LTL formula ϕ can be translated to an alternating Büchi automaton with the same language and size linear in the length of ϕ.
Automata Over Finite Words. We also use automata over finite words as acceptors for languages consisting of prefixes of traces. A nondeterministic finite automaton over an alphabet Σ is a tuple A = (Q, Q 0 , δ, F ), where Q and Q 0 ⊆ Q are again the states and initial states respectively, δ : Q × Σ → 2 Q is the transition function and F is the set of accepting states. A run on a word a 1 . . . a n is a sequence of states q 0 q 1 . . . q n , where q 0 ∈ Q 0 and q i+1 ∈ δ(q i , a i ). The run is accepting if q n ∈ F . Deterministic finite automata are defined similarly with the difference that there is a single initial state q 0 , and that the transition function is of the form δ : Q × Σ → Q. As usual, we denote the set of words accepted by a nondeterministic or deterministic finite automaton A by L(A).

Synthesis of Lasso-precise Implementations
In this section we first define the synthesis problem for environments producing input sequences representable as lassos of length bounded by a given number. We then provide an automata-theoretic algorithm for this synthesis problem.

Lasso-precise implementations
We begin by formally defining the language of sequences of input values representable by lassos of a given length k. We say that an infinite word σ ∈ Σ ω is an I-k-model of ϕ, for a bound k ∈ N, if and only if there are words u ∈ (2 I ) * and v ∈ (2 I ) + such that |u · v| = k and σ| I = u · v ω . The language of I-k-models of the property ϕ is defined by the set Note that a model of ϕ might be induced by lassos of different length and by more than one lasso of the same length, e.g, a ω is induced by (a, a) and (ǫ, aa). The next lemma establishes that if a model of ϕ can be represented by a lasso of length k then it can also be represented by a lasso of any larger length.
Proof. Let σ ∈ L I k (ϕ). Then, σ |= ϕ and there exists (u, v) ∈ (2 I ) * × (2 I ) + such that |u · v| = k and σ| The claim follows by induction. ⊓ ⊔ Using the definition of I-k-models, the language of infinite sequences of environment inputs representable by lassos of length k can be expressed as L I k (Σ ω ).
Definition 2 (k-lasso-precise Implementations). For a linear-time property ϕ over Σ = 2 AP , subset I ⊆ AP of atomic propositions, and bound k ∈ N, we say that a transition system T is a k-lasso-precise implementation of ϕ, denoted T |= k,I ϕ, if it holds that L I k (L(T )) ⊆ ϕ.
That is, in a k-lasso-precise implementation T all the traces of T that belong to the language L I k (Σ ω ) are I-k-models of the specification ϕ.
Problem definition: Synthesis of lasso-precise implementations. Given a linear-time property ϕ over atomic propositions AP with input atomic propositions I, and given a bound k ∈ N, construct an implementation T such that T |= k,I ϕ, or determine that such an implementation does not exist.
Another way to bound the behaviour of the environment is to consider a bound on the size of its state space. The synthesis problem for bounded environments asks for a given linear temporal property ϕ and a bound k ∈ N to synthesize a transition system T such that for every possible environment E of size at most k, the transition system T satisfies ϕ under environment E, i.e., T |= E ϕ.
We now establish the relationship between the synthesis of lasso-precise implementations and synthesis under bounded environments. Intuitively, the two synthesis problems can be reduced to each other since an environment of a given size, interacting with a given implementation, can only produce ultimately periodic sequences of inputs representable by lassos of length determined by the sizes of the environment and the implementation. This intuition is formalized in the following proposition, stating the connection between the two problems. Proposition 1. Given a specification ϕ over a set of atomic propositions AP with subset I ⊆ AP of atomic propositions controlled by the environment, and a bound k ∈ N, for every transition system T the following statements hold: (1) If T |= E ϕ for all environments E of size at most k, then T |= k,I ϕ.
(2) If T |= k·|T |,I ϕ, then T |= E ϕ for all environments E of size at most k.
Proof. For (1), let T be a transition system such that T |= E ϕ for all environments E of size at most k. Assume, for the sake of contradiction, that T |= k,I ϕ. Thus, that there exists a word σ ∈ L(T ), such that σ ∈ L I k (Σ ω ) and σ |= ϕ. Since σ ∈ L I k (Σ ω ), we can construct an environment E of size at most k that produces the sequence of inputs σ| I . Since E is of size at most k, we have that T |= E ϕ. Thus, since σ ∈ L E (T ), we have σ |= ϕ, which is a contradiction.
For (2), let T be a transition system such that T |= k·|T |,I ϕ. Assume, for the sake of contradiction that there exists an environment E of size at most k such that T |= E ϕ. Since T |= E ϕ, there exists σ ∈ L E (T ) such that σ |= ϕ. As the number of states of E is at most k, the input sequences it generates can be represented as lassos of size k · |T |. Thus, σ ∈ L I k·|T | (Σ ω ). This is a contradiction with the choice of T , according to which T |= k·|T |,I ϕ.

Automata-theoretic synthesis of lasso-precise implementations
We now provide an automata-theoretic algorithm for the synthesis of lassoprecise implementations. The underlying idea of this approach is to first construct an automaton over finite traces that accepts all finite prefixes of traces in L I k (Σ ω ). Then, combining this automaton and an automaton representing the property ϕ we can construct an automaton whose language is non-empty if and only if there exists an k-lasso-precise implementation of ϕ.
The next theorem presents the construction of a deterministic finite automaton for the language Prefix (L I k (Σ ω )). Theorem 2. For any set AP of atomic propositions, subset I ⊆ AP, and bound k ∈ N there is a deterministic finite automaton A k over alphabet Σ = 2 AP , with size (2 |I| + 1) k · (k + 1) k , such that L(A k ) = {w ∈ Σ * | ∃σ ∈ L I k (Σ ω ). w < σ}.

Idea & Construction. For given k ∈ N we first define an automaton
is the set of all finite prefixes of infinite words over Σ that can be represented by a lasso of length k. We can then define the automaton A k as the automaton that for each w ∈ Σ * simulates A k on the projection w| I of w. We define the automaton A k = (Q, q 0 , δ, F ) such that Proof. States of the form (w · α · # m , t) with m ≥ 1 store the portion of the input word read so far, for input words of length smaller than k. In states of this form we have t = (1, 2, . . . , k), which implies that all such states are accepting. In turn, this means that A k accepts all words of length smaller or equal to k. This is justified by the fact that, each word of length smaller or equal to k is a prefix of an infinite word in L I k ( Σ ω ), obtained by repeating the prefix infinitely often. Now, let us consider words of length greater than k.
In states of the form (u, (i 1 , . . . , i k )), with u ∈ Σ * , the word u stores the first k letters of the input word. Intuitively, the tuple (i 1 , . . . , i k ) stores the information about the loops that are still possible, given the portion of the input word that is read thus far. To see this, let us consider a word w ∈ Σ * such that |w| = l > k, and let q 0 q 1 . . . q l be the run of A k on w. The state q l is of the form q l = (w(1) . . . w(k), (i l 1 , . . . , i l k )). It can be shown by induction on l that for each j we have i l j = − if and only if w is of the form w = w ′ · w ′′ · w ′′′ where w ′ = w(1) . . . w(j − 1), w ′′ = (w(j) . . . w(k)) k for some k ≥ 0, and w ′′′ = (w(j) . . . w(i l j − 1)). Thus, if i l j = −, then it is possible to have a loop starting at position j, and i l j is such that (w(j) . . . w(i l j − 1)) is the prefix of w(j) . . . w(k) appearing after the (possibly empty) sequence of repetitions of w(j) . . . w(k). This means, that if i l j = −, then w is a prefix of the infinite word w ′ · (w ′′ ) ω ∈ L I k ( Σ ω ). Therefore, if the run of A k on a word w with |w| > k is accepting, then there exists σ ∈ L I k ( Σ ω ) such that w < σ. For the other direction, suppose that for each j, we have i l j = −. Take any j, and consider the first position m in the run q 0 q 1 . . . q l where i m j = −. By the definition of δ we have that w(m) = w(i m−1 j ). This means that the prefix w(1) . . . w(m) cannot be extended to the word w(1) . . . w(j − 1)(w(j) . . . w(k)) ω . Since for every j ∈ {1, . . . , k} we can find such a position m, it holds that there does not exist σ ∈ L I k ( Σ ω ) such that w < σ. This concludes the proof.

⊓ ⊔
The automaton constructed in the previous theorem has size which is exponential in the length of the lassos. In the next theorem we show that this exponential blow-up is unavoidable. That is, we show that every nondeterministic finite automaton for the language Prefix (L I k (Σ ω )) is of size at least 2 Ω(k) .
Theorem 3. For any bound k ∈ N and sets of atomic propositions AP and ∅ = I ⊆ AP, every nondeterministic finite automaton N over the alphabet Σ = 2 AP that recognizes L = {w ∈ Σ * | ∃σ ∈ L I k (Σ ω ). w < σ} is of size at least 2 Ω(k) . Proof. Let N = (Q, Q 0 , δ, F ) be a nondeterministic finite automaton for L. For each w ∈ Σ k , we have that w · w ∈ L. Therefore, for each w ∈ Σ k there exists at least one accepting run ρ = q 0 q 1 . . . q f of N on w · w. We denote with q(ρ, m) the state q m that appears at the position indexed m of a run ρ.
Let a ∈ 2 I be a letter in 2 I , and let That is, L ′ consists of the words of length k in which letters a ′ with a ′ | I = a appear in the last position and only in the last position.
Let us define the set of states That is, Q k consists of the states that appear at position k on some accepting run on some word w · w, where w is from L ′ . We will show that |Q k | ≥ 2 k−1 .
Assume that this does not hold, i.e., |Q k | < 2 k−1 . Since |L ′ | ≥ 2 k−1 , this implies that there exist w 1 , w 2 ∈ L ′ , such that w 1 | I = w 2 | I and there exists accepting runs ρ 1 and ρ 2 of N on w 1 · w 1 and w 2 · w 2 respectively, such that q(ρ 1 , k) = q(ρ 2 , k). That is, there must be two words in L ′ with w 1 | I = w 2 | I , which have accepting runs on w 1 · w 1 and w 2 · w 2 visiting the same state at position k.
We now construct a run ρ 1,2 on the word w 1 · w 2 that follows ρ 1 for the first k steps on w 1 , ending in state q(ρ 1 , k), and from there on follows ρ 2 on w 2 . It is easy to see that ρ 1,2 is a run on the word w 1 ·w 2 . The run is accepting, since ρ 2 is accepting. This means that w 1 ·w 2 ∈ L, which we will show leads to contradiction.
To see this, recall that w 1 = w ′ 1 · a ′ and w 2 = w ′ 2 · a ′′ , and w 1 | I = w 2 | I , and a ′ | I = a ′′ | I = a. Since w 1 · w 2 ∈ L, we have that w ′ 1 · a ′ · w ′ 2 · a ′′ < σ for some σ ∈ L I k (Σ ω ). That is, there exists a lasso for some word σ, and w ′ 1 · a ′ · w ′ 2 · a ′′ is a prefix of this word. Since a does not appear in w ′ 2 | I , this means that the loop in this lasso is the whole word w 1 | I , which is not possible, since w 1 | I = w 2 | I . This is a contradiction, which shows that |Q| ≥ |Q k | ≥ 2 k−1 . Since N was an arbitrary nondeterministic finite automaton for L, this implies that the minimal automaton for L has at least 2 Ω(k) states, which concludes the proof.
⊓ ⊔ Using the automaton from Theorem 2, we can transform every property automaton A into an automaton that accepts words representable by lassos of length less than or equal to k if and only if they are in L(A), and accepts all words that are not representable by lassos of length less than or equal to k. Proof. The theorem is a consequence of Theorem 2 established as follows. Let A = (Q, Q 0 , δ, µ) be a parity automaton, and let D = ( Q, q 0 , δ, F ) be the deterministic finite automaton for bound k defined as in Theorem 2. We define the parity automaton A = (Q ′ , Q ′ 0 , δ ′ , µ ′ ) with the following components: is a singleton set); -δ ′ ((q, q), α) = δ(q, α) [q ′ /(q ′ , δ( q,α))] , where δ(q, α) [q ′ /(q ′ , q ′ )] is the Boolean expression obtained from δ(q, α) by replacing every state q ′ by the state (q ′ , q ′ ); Intuitively, the automaton A ′ is constructed as the product of A and D, where runs entering a state in D that is not accepting in D are accepting in A ′ . To see this, recall from the construction in Theorem 2 that once D enters a state in Q \ F it remains in such a state forever. Thus, by setting the color of all states (q, q) where q ∈ F to 0, we ensure that words containing a prefix rejected by D have only runs in which the highest color appearing infinitely often is 0. Thus, we ensure that all words that are not representable by lassos of length less than or equal to k are accepted by A ′ , while words representable by lassos of length less than or equal to k are accepted if and only if they are in L(A).

⊓ ⊔
The following theorem is a consequence of the one above, and provides us with an automata-theoretic approach to solving the lasso-precise synthesis problem.
Theorem 5 (Synthesis). Let AP be a set of atomic propositions, and I ⊆ AP be a subset of AP consisting of the atomic propositions controlled by the environment. For a specification, given as a deterministic parity automaton P over the alphabet Σ = 2 AP , and a bound k ∈ N, finding an implementation T , such that, T |= k,I P can be done in time polynomial in the size of the automaton P and exponential in the bound k.

Bounded Synthesis of Lasso-precise Implementations
For a specification ϕ given as an LTL formula, a bound n on the size of the synthesized implementation and a bound k on the lassos of input sequences, bounded synthesis of lasso-precise implementations searches for an implementation T of size n, such that T |= k,I ϕ. Using the automata constructions in the previous section we can construct a universal co-Büchi automaton for the language L I k (ϕ) ∪ (Σ ω \ L I k (Σ ω )) and construct the constraint system as presented in [4]. This constraint system is exponential in both |ϕ| and k. In the following we show how the problem can be encoded as a quantified Boolean formula of size polynomial in |ϕ| and k.
Theorem 6. For a specification given as an LTL formula ϕ, and bounds k ∈ N and n ∈ N, there exists a quantified Boolean formula φ, such that, φ is satisfiable if and only if there is a transition system T = (T, t 0 , τ, o) of size n with T |= k,I ϕ.
(3) ∀{t j | t ∈ T, 0 ≤ j < n · k}. (4) which we read as: there is a transition system (1), such that, for all input sequences representable by lassos of length k (2) the corresponding sequence of outputs of the system (3) satisfies ϕ. The variables introduced in lines (4) and (5) are necessary to encode the corresponding output for the chosen input lasso.
An assignment to the variables satisfies the formula in line (6), if it represents a deterministic transition system (ϕ det ) in which lassos of length n·k (ϕ lasso∧ϕ n,k ∈T ) satisfy the property ϕ ( ϕ (k,n·k) 0 )). These constraints are defined as follows. ϕ det : A transition system is deterministic if for each state t and input i there is exactly one transition τ t,i,t ′ to some state t ′ : ϕ n,k ∈T : for a certain input lasso of size k we can match a lasso in the system of size at most n · k. A lasso of this size in the transition system matches the input lasso if the following constraints are satisfied.
∧ t 00 (8) Lines (9) and (10) make sure that the chosen lasso follows the guessed transition relation τ . Line (10) handles the loop transition of the lasso, and makes sure that the loop of the lasso follows τ . Line (7) is a necessary requirement in order to match the output produced on the lasso with ϕ. If the output variables o j satisfy the constraint ϕ (k,n·k) 0 , then the lasso satisfies ϕ. As the input lasso is smaller than its matching lasso in the system we need to make sure that the indices of the input variables are correct with respect to the chosen loop. This is computed using the function ∆ which is given by: ϕ lasso : The formula encodes the additional constraint that exactly one of the loop variables can be true for a given variable valuation.
ϕ k,m 0 : This constraint encodes the satisfaction of ϕ on lassos of size m. The encoding is similar to the encoding of bounded model checking [3], with the distinction of encoding the satisfaction relation of the atomic propositions, given below. As the inputs run with different indices than the outputs, we again, as in the lines (9) and (10), need to compute the correct indices using the function ∆.

Synthesis of Approximate Implementations
In some cases, specifications remain unrealizable even when considered under bounded environments. Nevertheless, one might still be able to construct implementations that satisfy the specification in almost all input sequences of the environment. Consider for example the following simplified arbiter specification: The specification defines an arbiter that should give grants g upon requests r, but is not allowed to provide these grants unless a signal w is true. The specification is unrealizable, because a sequence of inputs where the signal w is always false prevents the arbiter from answering any request. Bounding the environment does not help in this case as a lasso of size 1 already suffices to violate the specification (the one where w is always false). Nevertheless, one can still find reasonable implementations that satisfy the specification for a large fraction of input sequences. In particular, the fraction of input sequences where w remains false forever is less probable.
Definition 3 (ǫ-k-Approximation). For a specification ϕ, a bound k, and an error rate ǫ, we say that a transition system T approximately satisfies ϕ with an error rate ǫ for lassos of length at most k, denoted by T |= ǫ k,I ϕ, if and only if, We call T an ǫ-k-approximation of ϕ.
Theorem 7. For a specification given as a deterministic parity automaton P , a bound k and a error rate 0 ≤ ǫ ≤ 1, checking whether there is an implementation T , such that, T |= ǫ k,I P can be done in time polynomial in |P | and exponential in k.
Proof. For a given ǫ and k, we construct a nondeterministic parity tree automaton N that accepts all ǫ-k-approximations with respect to L(P ). For ǫ, we can compute the minimal number m of lassos from L I k ((2 I ) ω ) for which an ǫ-kapproximation has to satisfy the specification. In its initial state, the automaton N guesses m many lassos and accepts a transition system if it does not violate the specification on any of these lassos. The latter check is done by following the structure of the automaton constructed for P using Theorem 4. In order to check whether there is an ǫ-k-approximation for P , we solve the emptiness game of N . The size of N is (2 k ) m+1 · |P |. ⊓ ⊔

Symbolic Approach
In the following, we present a symbolic approach for finding ǫ-k-approximations based on maximum model counting. We show that we can build a constraint system and apply a maximum model counting algorithm to compute a transition system that satisfies a specification for a maximum number of input sequences.
Definition 4 (Maximum Model Counting [5]). Let X, Y and Z be sets of propositional variables and φ be a formula over X, Y and Z. Let x denote an assignment to X, y an assignment to Y , and z an assignment to Z. The maximum model counting problem for φ over X and Y is computing a solution for max x #y.∃z.φ(x, y, z).
For a specification ϕ, bounds k and n on the length of the lassos and size of the system, respectively, we can compute an ǫ-k-approximation for ϕ by applying a maximum model counting algorithm to the constraint system given below. It encodes transition systems of size n that have an input lasso of length k that satisfies ϕ.
(15) ∃{l ′ j | 0 ≤ j < n · k}. (16) To check the existence of a ǫ-k-approximation, we maximize over the set of assignment to variables that define the transition system (line 11) and count over variables that define input sequences of the environment given by lassos of length k. As two input lassos of the same length may induce the same infinite input sequence, we count over auxiliary variables that represent unrollings of the lassos instead of counting over the input propositions themselves (line 13).
The formulas ϕ det , ϕ lasso , ϕ n,k ∈T and ϕ k,n·k 0 are defined as in the previous section. The formula k 0 is defined over that variables in line (13) and makes sure that input lasso that represent the same infinite sequence are not counted twice by unrolling the lasso to size 2k.

Experimental Results
We implemented the symbolic encodings for the exact and approximate synthesis methods, and evaluated our approach on a bounded version of the greedy arbiter specification given in Section 1, and another specification of a round-robin arbiter. The round-robin arbiter is defined by the specification: w → g 1 ∧ g 2 ∧ (¬w → (¬g 1 ∧ ¬g 2 )) ∧ (¬g 1 ∨ ¬g 2 ) Table 1. Experimental results for the symbolic approaches. The rate in the approximate approach is the rate of input lassos on which the specification is satisfied.
This specification is realizable, with transition systems of size at least 4. We used our implementation to check whether we can find approximative solutions with smaller sizes. We used the tool CAQE [10] for solving the QBF instances and the tool MaxCount [5] for solving the approximate synthesis instances.
The results are presented in Table 1. As usual in synthesis, the size of the instances grows quickly as the size bound and number of processes increase. Inspecting the encoding constraints shows that the constraint for the specification is responsible for more than 80% of the number of gates in the encoding. The results show that, using the approach we proposed, we can synthesize implementations for unrealizable specifications by bounding the environment. The results for the approximate synthesis method further demonstrate that for the unrealizable cases one can still obtain approximative implementations that satisfy the specification on a large number of input sequences.

Conclusion
In many cases, the unrealizability of a specification is due to the assumption that the environment has unlimited power in producing inputs to the system. In this paper, we have investigated the problem of synthesizing implementations under bounded environment behaviors. We have presented algorithms for solving the synthesis problem for bounded lassos and the synthesis of approximate implementations that satisfy the specification up to a certain rate.
We have also provided polynomial encodings of the problems into quantified Boolean formulas and maximum model counting instances. Our experiments demonstrate the principal feasibility of the approach. Our experiments also show that the instances can quickly become large. While this is a common phenomenon for synthesis, there clearly is a lot of room for optimization and experimentation with both the solvers for quantified Boolean expressions and for maximum model counting.