Validity-Guided Synthesis of Reactive Systems from Assume-Guarantee Contracts

Automated synthesis of reactive systems from spe- cifications has been a topic of research for decades. Recently, a variety of approaches have been proposed to extend synt- hesis of reactive systems from propositional specifications to- wards specifications over rich theories. Such approaches include inductive synthesis, template-based synthesis, counterexample- guided synthesis, and predicate abstraction techniques. In this paper, we propose a novel approach to program synthesis based on the validity of forall-exists formulas. The approach is inspired by verification techniques that construct inductive invariants, like IC3 / Property Directed Reachability, and is completely automated. The original problem space is recursively refined by blocking out regions of unsafe states, with the goal being the discovery of a fixpoint that describes safe reactions. If such a fixpoint is found, we construct a witness that is directly translated into an implementation. We have implemented the algorithm in the JKIND model checker, and exercised it against contracts written using the Lustre specification language. Experimental results show how the new algorithm yields better performance as well as soundness for"unrealizable"results when compared to JKIND's existing synthesis procedure, an approach based on the construction of k-inductive proofs of realizability.


I. INTRODUCTION
Program synthesis is one of the most challenging problems in computer science.The objective is to describe an efficient process to automatically derive efficient implementations that are guaranteed to comply with specifications expressed in the form of logic formulas.Program synthesis owes its origins to Church [1] (otherwise known as Church's Problem), and has long been an important area of research.The first important attempt to synthesize reactive systems came from Pnueli and Rosner [2], but the problem has seen increased popularity in more recent years due to the increased capability of symbolic solvers, including Satisfiability Modulo Theories [3] tools.As a result, the problem has been well-studied for the area of propositional specifications (see Gulwani [4] for a survey), and approaches have been proposed to tackle challenges involving richer specifications.Template-based techniques focus on synthesizing programs that match a certain shape (the template) [5], while inductive synthesis uses the idea of refining the problem space using counterexamples, to converge to a solution [6].A different category is that of functional synthesis, in which the goal is to fill in "gaps" in an already existing implementation with synthesized code [7].
In this work, we describe a novel approach that can effectively synthesize programs using safety specifications written in the form of Assume-Guarantee contracts.The technique has been used to synthesize contracts involving linear real and integer arithmetic (LIRA), but remains generic enough to be extended into supporting additional theories in the future, as well as to liveness properties that can be reduced to safety properties (as in K-liveness [8]).Our approach is completely automated and requires no guidance to the tools in terms of user interaction (unlike [9,10]), and is capable of providing solutions without the guidance of templates, as are used by Beyene et. al. in [11].We were able to automatically solve problems that were "hard" and required hand-written templates specialized to the problem in [11].
The main idea of the algorithm was inspired by frame-based inductive algorithms, the most prominent being the IC3/PDR algorithm [12,13].In PDR, the goal is to discover an inductive invariant for a property, by recursively blocking generalized regions describing unsafe states.In a similar concept, we attempt to reach a greatest fixpoint that contains states usable indefinitely by the system, in order to react to unpredictable environment behavior, while complying to well-defined specification.As such, beginning from the entire problem space, we recursively block regions of states that violate the contract, using regions of validity that are generated by invalid ∀∃formulas.If the refined ∀∃-formula is valid, we reach a fixpoint which can effectively be used by the specified transition relation, to provide safe reactions to environment inputs.We then extract a witness for the formula's satisfiability, which can be directly transformed into the language intended for the system's implementation.
The algorithm was implemented as a feature in the JKIND model checker, which already had unofficial support for program synthesis according to work from Katis et  k-inductive proofs of a contract's realizability [14][15][16].Our approach does not depend on k-induction, but is still based on the general concept of extracting a witness that satisfies a ∀∃formula, using the AE-VAL Skolemizer [17].To extract such a witness, we do not depend on a k-inductive proof, but instead use the regions of validity that AE-VAL can generate from invalid formulas to reach a fixpoint of satisfiable assignments to state variables.
We evaluate the fixpoint algorithm against the k-inductive approach using a comprehensive benchmark suite containing contracts that were initially used in verification problems, as well as specification for industrial-level designs and versions of the "Cinderella" problem from [11].The experiment demonstrates that this approach is a direct improvement over the k-inductive method in two important aspects: performance and generality.On all models that can be synthesized by k-induction, the new algorithm always outperforms the kinductive algorithm in terms of time required for synthesis (on average, 53.64% faster) while yielding roughly approximate code sizes and execution times for the generated C code.The new algorithm can synthesize a strictly larger set of benchmark models, and comes with an improved termination guarantee: unlike the k-inductive algorithm, if the algorithm terminates with an 'unrealizable' result, then there is no possible realization of the contract.
The contributions of the paper are therefore: A novel approach to synthesis of contracts involving rich theories that is efficient, general, and completely automated (no reliance on templates or user guidance), an implementation of the approach in a branch of the JKIND model checker, and an experiment over a large suite of benchmark models demonstrating the effectiveness of the approach.The rest of the paper is organized as follows: section II briefly describes the Cinderella-Stepmother problem that we will use as an example throughout the paper.In Section III we provide the necessary formal definitions to describe the synthesis algorithm, which is presented in Section IV.An outline of the algorithm's implementation in JKIND is described in Section V. Section VI describes the performance of the algorithm on a large benchmark suite, comparing it against a method based on k-induction that exists using the same input language.We discuss the differences of our work with closely related ideas in Section VII and we conclude by providing potential directions for future work in Section VIII.

II. RUNNING EXAMPLE: THE CINDERELLA-STEPMOTHER GAME
For the purposes of this paper, we will illustrate how the validity guided-synthesis algorithm works, using a variation of the minimum-backlog problem, the two player game between Cinderella and her wicked Stepmother, first expressed by Bodlaender et al. [18].
The main objective for Cinderella (i.e. the reactive system) is to prevent a collection of buckets from overflowing with water.On the other hand, Cinderella's Stepmother (i.e. the
system's environment) refills the buckets with a predefined amount of water that is distributed in a random fashion between the buckets.For the running example, we chose an instance of the game that has been previously used in templatebased synthesis [11].In this instance, the game is described using five buckets, where each bucket can contain up to two units of water.Cinderella has the option to empty two adjacent buckets at each of her turns, while the Stepmother distributes one unit of water over all five buckets.In the context of this paper we use this example to show how specification is expressed, as well as how we can synthesize an efficient implementation that describes reactions for Cinderella, such that a bucket overflow is always prevented.

III. BACKGROUND
In this section we define Assume-Guarantee contracts (Section III-A), describe the problem of synthesis in terms of discovering inductive invariants that imply the realizability of the given specification (Section III-B), and give a background on our main solving engine (Section III-C).

A. Assume-Guarantee Contracts
We focus our interest on a mainstream variation for representing system requirements, using an Assume-Guarantee Contract.Requirements in this format contain two main types of constraints.The assumptions of the contract restrict the possible inputs that the environment can provide to the system, while the guarantees are used to describe what is considered a safe reaction of the system to the outside world.
A (conceptually) simple example is shown in Figure 1.The contract describes a possible set of requirements for a specific instance of the Cinderella-Stepmother game that we introduced in Section II.Our goal is to synthesize an implementation that describes Cinderella's winning region of the game.Cinderella in this case is the implementation, as shown by the middle box in Figure 1.Cinderella's inputs are five different values   , 1 ≤  ≤ 5, determined by a random distribution of one unit of water by the Stepmother.During each of her turns Cinderella has to make a choice denoted by the output variable , such that the buckets   do not overflow during the next action of her Stepmother.We define the contract using the set of assumptions  = {  ≥ 0, ∑︀ 5 =1   = 1} and the guarantees  = {  ≤ 2,   = (( =  ∨  =  + 1), 0, (  +   ))}.For the particular example, it is possible to construct at least one implementation that satisfies the guarantee constraints, given the input assumptions.The proof of existence of such an implementation is the main concept behind the realizability problem, while the automated construction of a witness implementation is the main focus of program synthesis.
Since the contract in Figure 1 is realizable, an efficient synthesis procedure would be capable of providing at least one implementation.At this point it is important to consider a variation of the example, where  = ∅.This is a practical case of an unrealizable contract, as there is no feasible Cinderella implementation that can correctly react to Stepmother's actions.The most apparent counterexample in this case is that the Stepmother is able to pour random amounts of water, and would be capable to overflow at least one bucket during every one of her turns.

B. Formal Representation
We use two disjoint sets,  and , to describe a system.A straightforward and intuitive way to represent an implementation is by defining a transition system, composed of an initial state predicate () of type  → , as well as a transition relation  (, ,  ′ ) of type  →  →  → .
Combining the above, we represent an Assume-Guarantee (AG) contract using a set of assumptions,  :  →  → , and a set of guarantees .The latter is further decomposed into two distinct subsets   :  →  and   :  →  →  → .  defines the set of valid initial states, and   contains constraints that need to be satisfied in every transition between two states.An important note at this point is that we do not make any distinction between internal state variables and outputs in the formalism.This alone allows us to use state variables to (in some cases) simplify the specification of guarantees, since we do not expect a contract to be always defined over all variables in the transition system.
Consequently, we can formally define a realizable contract, as one for which any preceeding state  can take a transition into a new state  ′ that satisfies the guarantees, assuming valid inputs.For a system to be ever-reactive, these new states  ′ should be further usable as preceeding states in a future transition.States like  and  ′ are defined as being viable, if and only if: This equation is recursive and we interpret it coinductively, i.e., as a greatest fixed-point.A necessary condition, finally, is that the set of viable states intersects with the set of initial states.As such, to conclude that a contract is realizable, we require that The intuition behind our proposed algorithm in this paper relies on the discovery of a greatest fixpoint that only contains viable states.In the case where a fixpoint is computed, we proceed by extracting a witnessing collection of reactions that are, by construction, guaranteed to satisfy the specification.To achieve both the fixpoint generation, as well as the witness extraction, we depend on AE-VAL, the solver for ∀∃-formulas.
(⇐) Suppose towards contradiction that the formula does not hold.Then there exists  0 such that ( 0 ) ∧ (∃ ′ .(0 ,  ′ )) ∧ ¬  ( 0 ) holds.But this is a direct contradiction for the termination condition for AE-VAL.Therefore the original formula does hold.

IV. VALIDITY-GUIDED SYNTHESIS FROM ASSUME-GUARANTEE CONTRACTS
The main contribution presented in this paper, is a novel idea that effectively uses the information provided by regions of validity to compute a greatest fixpoint of safe states.In our context, this fixpoint is not only usable as a proof to the realizability of a specification, but also leads to the construction of a witness that can be translated with a straightforward process into a functional and efficient implementation.The algorithm is presented in detail in Section IV-A and we provide soundness proofs regarding the algorithm's capabilities of determining the realizability (unrealizability) of specification in Sections IV-B and IV-C.The example from Section II is used in Section IV-D to illustrate the process of synthesizing implementations, using a specification that describes the Cinderella-Stepmother game.

A. Algorithm
Algorithm 1, named JVGS, shows the validity-guided technique that we use towards the automatic synthesis of implementations.The specification is written using the Assume-Guarantee convention that we described in Section III-B and is provided as an input to the algorithm.Line 1 initializes the process by defining the fixpoint  to be equal to .The algorithm then attempts to converge to a fixpoint  () that only contains viable states, considering Equation 1 and 2. We therefore construct the formula  ← ∀, .( () ∧ (, ) ⇒ ∃ ′ . (, ,  ′ ) ∧  ( ′ )), and provide it as an input to AE-VAL (Line 3).AE-VAL is particularly focused on determining the validity of .If the formula is valid, then a witness Skolem is constructed, containing valid assignments to the existentially quantified variables of .In the context of viability, this witness is capable of providing viable states that can be used as a safe reaction, given an input that satisfies the assumptions.
With a valid formula at hand, it remains to check that the fixpoint intersects with the initial states (Line 7).If the check passes, we have a realizable contract and the algorithm returns the extracted witness and a model for the initial state that can be directly combined and used towards an implementation of the system.Otherwise, the contract is unrealizable, since either the are no states that satisfy the initial state guarantees   , or the set of viable states  is empty.
If  is not true for every possible assignment of the universally quantified variables, AE-VAL provides a region of validity (, ) (Line 12).At this point, one might assume that (, ) is sufficient to restrict  towards a solution.This is not the case, however, as (, ) creates a subregion involving both state and input variables.As such, it may contain constraints over the contract's inputs above what are required by , ultimately leading to implementations that only work correctly for a small part of the input domain.
Fortunately, we can again use AE-VAL's capability of providing regions of validity towards removing inputs from .Essentially, we want to remove those states from  if even one input causes them to violate the formula on line (3).We denote by  the "violating region" of .To construct  , we ask AE-VAL to determine the validity of the formula  ′ ← ∀.( () ⇒ ∃.(, ) ∧ ¬(, )) (Line 13).AE-VAL computes a new region of validity and assigns it to  ().The new region entails the existence of unsafe states in  () for some input.We remove this unsafe region from  in line 16.The loop continues until we reach a greatest fixpoint for  .

B. Soundness
Lemma 2. Viable ⊆  is an invariant for Algorithm 1.
State predicates are equivalent to subsets of the state space and form a lattice in the natural way.Moreover,  is monotone on Algorithm 1 JVGS (A : assumptions, G : guarantees) Theorem 2. For finite models, Algorithm 1 terminates.

D. Applying JVGS to the Cinderella-Stepmother game
Figure 3 shows one possible interpretation of the contract designed for the instance of the Cinderella-Stepmother game that we introduced in Section II.The contract is expressed using Lustre [19], a language that has been extensively used for specification as well as implementation of safety-critical systems, and is the kernel language in SCADE, a popular tool in model-based development.The contract is defined as a Lustre node, with a global constant  denoting the bucket capacity.The node describes the game itself, through the problem's input and output variables.The main input is Stepmother's distribution of one unit of water over five different input variables, i1 to i5.While the node contains a sixth input argument, namely , this is in fact used as the output of the system that we want to implement, representing Cinderella's choice at each of her turns.We make an explicit distinction on which node arguments are the system's inputs, using the REALIZABLE statement towards the end of the contract.The contract's assumptions  are defined using assertions over the input variables i1-i5.We assume that there can be no negative input values, and the sum of i1 to i5 is equal to one unit of water.The specified node returns the value of a boolean variable guarantee, which corresponds to the contract's guarantee , and is explicitly defined to be such using the PROPERTY statement.Finally, we define what each bucket's state should be through the entire duration of the game, using the local variables b1 to b5.Initially, each bucket is empty, and with each transition to a new state, the contents depend on whether Cinderella chose the specific bucket, or an adjacent one.If this is the case, the contents of the bucket   become equal to the amount of water that Stepmother puts in the corresponding input variable , during the next turn.
If the bucket was not covered by Cinderella's choice, then its contents are updated by adding Stepmother's distribution to the volume of water that the bucket already had.The distinction between the initial state of each bucket, and every other state is expressed using Lustre's arrow (->) operator, while variable values in previous states can be accessed using the pre operation.The specification is fairly simple, as the objective is clear.The contract should only be realizable if, assuming valid inputs given by the Stepmother (i.e.positive values to input variables that add up to one water unit), Cinderella can keep reacting indefinitely, by providing outputs that satisfy the guarantees (i.e.she empties buckets in order to prevent overflow in Stepmother's next turn).
We initiate our call to the procedure defined in Algorithm 1, by providing the contract in Figure 3 as input.The algorithm then enters an infinite loop, where it attempts to construct a fixpoint of viable states that can use the transition relation to new, viable states, while complying to the specification.Initially  () = , and we ask AE-VAL for the validiity of the formula  ← ∀, .( ()∧(, ) ⇒ ∃ ′ . (, ,  ′ )∧ ( ′ )).cases where 1.5 ≤  ≤ 3.0, the problem becomes non-trivial, and their work showed how familiarity with the problem can help alleviate this complexity through the use of predefined templates.Despite this, we were still able to synthesize implementations for the Cinderella-Stepmother game for any value of  ≥ 2, using a completely automatic approach2 .

V. IMPLEMENTATION
The implementation of the algorithm has been added to a branch of the JKIND [20] model checker.JKIND already unofficially supports synthesis, using a k-inductive approach, named JSYN.For clarity, we named our validity-guided technique JVGS.JKIND uses Lustre [19] as its specification and implementation language.
During the internal process, JVGS translates Lustre specifications to the SMT-LIB language, with which the ∀∃formulas, regions of validity, as well as the witnesses are expressed.The underlying solver that is used is the AE-VAL Skolemizer, which currently supports ∀∃-formulas expressed using linear real (LRA) and integer (LIA) arithmetic, as well as their combination (LIRA).For realizable specification, and considering Algorithm 1, we recursively use regions of validity to block out unsafe states from the search space.Eventually, we reach a fixpoint that is sufficient to use in order to extract a Skolem function that witnesses the realizability of the specification.Given the generated function, what remains is its translation into an efficient and practical implementation.
To achieve this we use SMTLIB2C, a tool that has been specifically developed to translate similar AE-VAL Skolem functions to C implementations.The choice of C for the target language is not due to limitations, but mostly to provide a complete comparison against the previous work on JSYN.The Skolem functions are simple enough to be used as an intermediate representation to any mainstream programming language.

VI. EXPERIMENTAL RESULTS
In this section we evaluate JVGS by synthesizing implementations for 110 contracts that originate from a broad variety of The goal of this experiment was to determine the performance and generality of the JVGS algorithm.We compared against the existing JSYN algorithm, and for the Cinderella model, we compared against [11] (this was the only synthesis problem in the paper).We examined the following aspects: Time required to synthesize an implementation Size of generated implementations (in SLOC) Execution speed of generated C implementations derived from the synthesis procedure.Number of contracts that could be synthesized by each approach Since JKIND already supports synthesis through JSYN, we were able to directly compare JVGS against JSYN's kinductive approach.We ran the experiments using a computer with Intel Core i3-4010U 1.70GHz CPU and 16GB RAM.
A listing of the statistics that we tracked while running experiments is presented in Table I. Figure 6a shows the time allocated by JSYN and JVGS to solve each problem, with JVGS outperforming JSYN across the board, often times by a margin greater than 50%.Figure 6b on the other hand, depicts small differences in the overall size between the synthesized implementations.While it would be reasonable to conclude that there are no noticable improvements, the bigger picture is different.The key factor that is not apparent from this figure, is the length of the k-inductive proof.For the majority of the benchmarks in the suite, JSYN proves their realizability by constructing proofs of length  = 0, which essentially means that the entire space of states is an inductive invariant.As such, JVGS also manages to synthesize implementations without requiring any refinement process.For these cases, both algorithms generate a single Skolem function.In the general 3 An anonymized repository containing the benchmark contracts can be found at https://tinyurl.com/mjtyxae.We will replace this repository with the official for the camera-ready version of the paper.case though, the size of JSYN solutions is directly dependent on , since each implementation is composed of  Skolem functions ( − 1 to initialize the system, and one last for the inductive step), where the equivalent solution from JVGS is always just one.Figure 6b hints towards this intuition, through a handful of spikes in JSYN implementation size.Despite this, we also noticed cases where JSYN implementations are shorter.This provides us with another interesting observation regarding the formulation of the problem for  = 0 proofs.In these cases, JSYN proves the existence of viable states, starting from a set of pre-initial states, where the contract does not need to hold.This has direct implications to the way that the ∀∃-formulas are constructed in JSYN's underlying machinery, where the assumptions are "baked" into the transition relation, affecting thus the creation of Model-Based Projections by AE-VAL.
One last statistic that we tracked was the performance of the synthesized C implementations, which can be seen in Figure 6c.For this purpose, we translated the generated witnesses from JSYN and JVGS solutions using SMTLIB2C under the same set of options.Table I shows that while JSYN implementations are faster, the difference is minuscule on average.This may be in part because JSYN creates separate skolem functions for the initial evaluation (when %init is true) and subsequent evaluations, whereas currently JVGS uses a single function for both the initial and subsequent steps.We are considering specialization of the generated JVGS functions based on %init, as well as several other optimizations of the generated code in future work.
Figure 6 does not cover the entirety of the benchmark suite.From the original 110 problems, five of them cannot be solved by JSYN's k-inductive approach.Four of these files are variations of the cinderella-stepmother game that we described in Section II, using different representations of the game, as well as two different values for the bucket capacity (2 and 3).Using the variation that we included in the aforementioned section as an input to JSYN, we receive an "unrealizable" answer, with the counterexample shown in Figure 7. Reading through the feedback provided by JSYN, it is apparent that the underlying SMT solver is incapable of choosing the correct buckets to empty, leading eventually to a state where an overflow occurs for the third bucket.As we already discussed though, a winning strategy exists for the cinderella, as long as the bucket capacity  is between 1.5 and 3.This provides an excellent demonstration regarding the inherent weakness of JSYN in providing sound "unrealizable" results.JVGS's validity-guided approach, on the other hand, was able to prove the realizability for these contracts, as well as synthesize an implementation for each.
Table II shows how JVGS performed against the four contracts describing the Cinderella-Stepmother game.We used two different interpretations for the game, and exercised both for the cases where the bucket capacity  is equal to 2 and 3.The performance is heavily affected when we exercise the variation for  = 2, but JVGS is still able to synthesize a winning region for Cinderella.Regarding the synthesized  implementations, their size remains analogous to the difficulty of the problem, in conjunction with the complexity of the program (Cinderella2 contains more local variables and a helper function to empty buckets).Despite this, the implementation performance remains at the same levels across all implementations.Finally for reference, the table contains the results from the template-based approach followed in CONSYNTH [11].From the results, it is apparent that providing templates dramatically increases the performance of the underlying synthesis procedure.Nevertheless, the automated approach in JVGS is able to synthesize solutions for the same problems in a reasonable time margin, when compared to CONSYNTH.
Overall, JVGS's validity-guided approach provides significant advantages over the k-inductive technique followed in JSYN, and effectively expands JKIND's solving capabilities regarding specification realizability.On top of that, it provides an efficient "hands-off" approach that is capable of solving complex games.The most significant contribution, however, is the applicability of this approach, as it is not tied to a specific environment since it can be extended to support more theories, as well as categories of specification.

VII. RELATED WORK
The alternative name to program synthesis is Church's problem, since the description of the problem was first described by Church in 1963 [1].Research in this field of program synthesis attributes began in the 1970s, when Manna and Waldinger [21] first introduced a synthesis procedure using principles of theorem proving.Almost two decades later, Pnueliand Rosner [2] first formally described the implementability of reactive systems, considering first order logic formulas that stem from temporal specifications.In the same work, they provided a complete approach to synthesize finite-state implementations through the construction of deterministic Rabin automata.
In the recent years, program synthesis has enjoyed a vast variety of contributions under numerous contexts.Gulwani [4] presented an extended survey, hinting future research directions.Synthesis algorithms have been proposed for simple LTL specification [22,23] subsets of it [24][25][26], as well as under other temporal logics [27,28], such as SIS [29].Chatterjee and Henzinger [30] proposed a novel component-based approach using the notion of Assume-Guarantee contracts.
The work presented in this paper is closely related to approaches that attempt to construct infinite-state implementations.Some focus on the continuous interaction of the user with the underlying machinery, either through the use of templates [5,11], or environments where the user attempts to guide the solver by choosing reactions from a collection of different interpretations [10].We differentiate from this direction by providing a completely automatic approach that does not require human ingenuity to find a solution and most importantly, the user does not need to be deeply familiar with the problem at hand.A "hands-off" approach has been proposed in the past by Katis et al. [14][15][16].The work is based on the concept of extracting collections of reactions that witness the satisfaction of a k-inductive proof on the contract's realizability.In Section VI we were able to effectively show in practice how a validity-guided approach significantly improves upon this work, by using a fixpoint-generating technique rather than the principle of k-induction.
The concept of synthesizing implementations by discovering fixpoints was mostly inspired by the IC3 algorithm, the technique also known as Property Directed Reachability [12,13], which was first introduced in the context of verification.Work from Cimatti et al. effectively applied this idea for synthesis, albeit that of parameters, in the HYCOMP model checker [31,32].Discovering fixpoints to synthesize reactive designs, instead, was first extensively covered by Piterman et al. [33] who proved that the problem can be solved in cubic time for the class of GR(1) specifications.However, their proposed algorithm is significantly different from this paper.It requires the discovery of least fixpoints for the state variables, each one covering a greatest fixpoint of the input variables.If the specification is realizable, then the entirety of the input space is covered by the greatest fixpoints.For the purposes of our work, we only attempt to compute a single greatest, instead of least, fixpoint over the system's outputs, and we avoid the partitioning of the input space.A straightforward comparison between the two techniques, while not currently supported, is of particular interest to us and we will be looking forward to achieving this as part of future work.
More recently, Preiner et al. presented their work on counterexample-guided model synthesis (CEGMS) [34].In CEGMS, candidate witnesses are being constructed, their validity is checked with respect to the specification.Internally, a counterexample-guided refinement process is used [35] for the purposes of quantifier elimination, and enumerative learning is applied to generalize witnesses.Enumerative learning is a syntax-based technique that enumerates expressions, checks their truth against ground test cases, and proceeds to generalize the expressions by constructing larger ones.In constrast to the principle of enumerative learning, our approach is syntaxinsensitive in terms of generating regions of validity.On top of that, CEGMS has only been tested against the theory of Boolean Vectors (BV, and BV   ), while JVGS supports the mixed theories of linear integer and real arithmetic.In general, enumeration techniques such as the one used in CONSYNTH's underlying E-HSF engine [11] is not an optimal strategy for our class of problems, since the witnesses constructed for the most complex contracts are described by nested if-then-else expressions of depth (i.e.number of branches) 10-20, a point at which space explosion is difficult to handle since the number of candidate solutions is significantly large.

A. Summary
In this paper, we presented a novel and elegant approach towards the synthesis of reactive system implementations, using only the knowledge provided by the system specification expressed in linear integer and real arithmetic.The approach is directly inspired from previous work on Property Directed Reachability, with the objective being the construction of inductive invariants that can be used as a proof to the specification's realizability.The main goal is to converge to a fixpoint by iteratively blocking subsets of unsafe states from the problem space.This is achieved through the continuous extraction of regions of validity which hint towards subsets of states that lead to a candidate implementation.This is the first complete attempt, to the best of our knowledge, on handling valid subsets of a ∀∃-formula to construct a greatest fixpoint, while the specification is expressed using infinite theories.We were able to prove its effectiveness in practice, by comparing it to an already existing approach that focuses on constructing k-inductive proofs of realizability.The results showed a dramatic improvement on performance, and indicated how the validity-guided approach can lead to the solution of a bigger class of problems.

B. Future Work
Research in the area of program synthesis, and particularly the work presented in this paper, is rich with challenges and promising directions.We enlist the most important challenges that we would like to address as part of future work.
Optimizations and Machine-Checked Proofs.The most interesting question is how we can possibly improve JVGS's speed of convergence.Not excluding techniques such as counterexample-guided refinement and predicate abstraction [36], a potential improvement could be achieved through the use of a more compact transition relation.Regarding the synthesized implementations, an interesting subproblem to examine the potential benefits of a subprocess that provides collections of equivalent implementations, rather than a single witness.There are several promising concepts that can lead to further implementation optimization, such as the use of Inductive Validity Cores [37], which can be potenitally used to identify the core elements in a synthesized implementation that lead to the satisfaction of the specification.Using only the core elements, we can effectively reduce the size of the implementations, and improve their performance.Another interesting direction in pursuing compact implementations exploited is to examine the effects of recent work in witness abstractions [38].Finally, a short-term goal is the development of machine-checked proofs regarding the soundness of the fixpoint generation process, as well as the realizability results.
Test case generation.AE-VAL's effectiveness in providing witnesses to the satisfiability of ∀∃-formulas can be also exploited in terms of the tool providing concrete counterexamples to a subset of unrealizable contracts that relate to formula  ′ ← ∀.( () ⇒ ∃.(, ) ∧ ¬(, )) ′ being valid (Algorithm 1, Line 16).In this particular case, if  ′ is a valid formula, it is possible a witness that can be essentially used as a test case to demonstrate the specification's unrealizability.The witness contains certain assignments to input variables, for which the condition of viability does not hold, for any state.In conjunction with the potential capabilities of generating collections of equivalent implementations, this problem may lead to the creation of an elegant process that constructs test suites against the contract's realizability.Such a test suite can then be used as a complementary collection to testing procedures that take place towards the end of the system's development.
Mapping infinite theories to finite representations.A particularly challenging topic of research, is how we can transition from implementations that use infinite types through SMT, to equivalent ones using finite representations, without violating the specification.The SMT community has already kickstarted a project towards achieving this, through a recently introduced theory on Floating-Point Arithmetic [39].The problem is particularly interesting for the cases where the highend user has to define secure contracts that contain properties for memory allocation, representation of floats, and overflow handling.

Fig. 2 :
Fig. 2: Region of validity computed for an example requiring AE-VAL to iterate two times.

Fig. 5 :
Fig. 5: Code snippet of the synthesized implementation for the Cinderella-Stepmother example Fig. 6: Experimental results
C. Termination on Finite ModelsLemma 3. Every loop iteration in Algorithm 1 either terminates or removes at least one state from  .Proof.It suffices to show that at least one state is removed from  on Line 16.That is, we want to that  ∩  ̸ = ∅ since this intersection is what is removed from  by Line 16. Suppose towards contradiction that  ∩  = ∅.Since  is the region of validity for  ′ on Line 13, we know that  lies completely outside the region of validity and therefore ∀.¬∃.(,) ∧ ¬(, ) by Lemma 1. Rewritten, ∀, .(, ) ⇒ (, ).

TABLE II :
Cinderella-Stepmother results