Synthesis in presence of dynamic links
Introduction
Starting from Church's work [1] on synthesizing circuits from arithmetic specifications in the 1960s, automatic synthesis of programs or circuits has been widely studied.
In the case of a reactive system, given a specification, the goal is to find an implementation for a system that repeatedly receives inputs from the environment and generates outputs such that the system's behavior adheres to the specification. Early work [2], [3], [4] was synthesizing algorithms that require knowledge of the complete system state, inherently yielding single-process solutions.
Single-process synthesis is related to finding a strategy for a player representing the process that has to win against the adversarial environment, and has been studied in the context of games [5], [6], [7] and with automata techniques [4], [8].
For systems with more than one process, different models for how communication and computation is organized have been studied. Their two extremes are message-triggered asynchronous computation [9], [10] and round-wise synchronous computation.
An example for the latter is the work by Pnueli and Rosner [11], who considered synchronous distributed systems with an a priori fixed communication network. In their model, the network is given by a directed communication graph, whose nodes are the processes and with a link from process p to q if p can send messages to q (or write to and read from a shared variable). Messages are from a fixed, finite alphabet per link. A solution to the synthesis problem is a distributed algorithm that operates in rounds, repeatedly reading inputs, exchanging messages, and setting outputs. Already the case of two processes with separate inputs and outputs, and without a communication link to each other, was shown to be undecidable for linear temporal logic (LTL) specifications [12] on the inputs and outputs. As a positive result, the paper presents a solution for unidirectional process chains.
Still in the case of static architectures and bounded messages, Kupferman and Vardi [13], [14] extended decidability results to branching time specifications and proved sufficient conditions on communication networks for decidability, while Finkbeiner and Schewe [15] presented a characterization of networks where synthesis is decidable. Since specifications are allowed to talk about message contents, however, they are powerful enough to break existing communication links between processes, leading to undecidability like in the two-process system without communication [11]. Gastin et al. [16] proved a necessary and sufficient condition for decidability on a class of communication networks if specifications are only on the inputs and outputs of processes used by these to communicate with the environment and not on messages sent between processes. Like [16], our work only allows “input-output” specifications that talk about environmental inputs and outputs of processes p and do not constrain message contents exchanged between processes. In addition, we allow specifications to talk about communication links, e.g., constraining the network dynamics under which an algorithm has to work correctly as in . For such specifications, we obtain decidability in several cases where the framework of [15] does not provide decidability.
Like in the single-process scenario, synthesis in distributed systems can be modeled as a game, which, in this context, are partial information games played between a cooperating set of processes against the environment [17], [18], [19], [20]. With the exception of Berwanger et al. [20], all the above approaches assume static, reliable networks. In [20], Berwanger et al. study games in which information that players have about histories is hierarchically ordered, and this order may change dynamically during a play. The main difference to our work is that we consider a memory model where messages carry the complete causal history allowing for unbounded communication messages, while [20] is based on local observations so that, at every round, a bounded amount of information is transmitted between players. Further, while asynchronous solutions to the synthesis problem considered potentially unbounded messages [10], [9], previous synchronous solutions assume an a priori fixed message size. Also Madhusudan et al. [10] assume that processes that communicate infinitely often encounter each other within a bounded number of steps.
The above assumptions have two shortcomings:
Modeling unreliability. Distributed computing has a long history of studying algorithms that provide services in presence of unstable or unreliable components [21]. Indeed, classical process and link failures can be treated as particular dynamic network behavior [22]. Early work by Akkoyunlu et al. [23] considered the problem of two groups of gangsters coordinating a coup despite an unreliable channel between both parties; later on generalized to the Byzantine generals problem [24]. Protocols like the Alternating Bit Protocol [25] aim at tolerating message loss between a sender and receiver node, and Aho et al. [26] studies optimal transmission rates over unreliable links. Afek et al. [27] discuss protocols that implement reliable links on top of unreliable links. Further, for algorithms that have to operate in dynamic networks, see, e.g., [28], [29], [30], network changes are the normal case rather than the exception.
Synthesis with unstable or faulty components has been studied by Velner and Rabinovich [31] for two player games in presence of information loss between the environment and the inputs of a process. The approach is restricted to a single process, however. Dimitrova and Finkbeiner [32] study synthesis of fault-tolerant distributed algorithms in synchronous, fully connected networks. Processes are partitioned into correct and faulty. It is assumed that at every round at least one process is correct and the output of a correct process must not depend on the local inputs of faulty processes. While unreliable links can be mapped to process failures, the above assumptions are a priori too restrictive to cover dynamic networks.
Modeling full-information protocols. An important class of distributed algorithms are full-information protocols, where nodes piggy-pack previously received messages onto current messages [21], [33]. By construction, such algorithms do not have bounded message size. This kind of causal memory has been considered in [9], [10], [34], [35] for synthesis and control of Zielonka automata over Mazurkiewicz traces with various objectives, ranging from local-state reachability to ω-branching behaviors. Zielonka automata usually model asynchronous processes (there is no global clock so that processes evolve at their own speed until they synchronize) and symmetric communication (whenever processes synchronize, they mutually exchange their complete history).
In this work we consider the synthesis problem for a system of two nodes communicating in synchronous rounds, where specifications are given as LTL formulas or, more generally, ω-regular languages. The nodes are connected via a dynamic link. As in Coulouma et al. [29] and Charron-Bost et al. [30], a network is specified by a set of communication graphs, the network model, also referred to as oblivious message adversary in literature [29]. A distributed algorithm operates in rounds as in the model by Pnueli and Rosner [11], with the difference that the communication graph is chosen by an adversary per round. Motivated by communication buses, like the industry standard I2C bus [36] and CAN bus [37], with direct acknowledge mechanisms after message transfers, we assume that nodes are aware if messages have been delivered successfully. In contrast to the Pnueli-Rosner setting, we suppose full-information protocols where processes have access to their causal history. That is, the dynamic links have unbounded message size. Unlike in Zielonka automata over traces, however, we consider synchronous processes and potentially asymmetric communication. In particular, the latter implies that a process may learn all about the other's history without revealing its own. Observe that, when restricting to Zielonka automata, synthesis of asynchronous distributed systems is not a generalization of the synchronous case.
We show that the synthesis problem for two processes is decidable for a network model if and only if it does not contain the empty link that dismisses both processes' messages. As we assume that LTL specifications can not only reason about inputs and outputs, but also about the communication graph, our result covers synthesis for dynamic systems where links change in more restricted ways. In particular, this includes processes that do not send further messages after their message has been lost, bounded interval omission faults, etc.
We then extend this characterization to sets of network sequences. We show that in case the adversarial environment can choose from an ω-regular language of network sequences, the synthesis problem is decidable if and only if the number of consecutive empty links is uniformly bounded from above.
The work is an extended version of [38].
Outline. We define the synthesis problem for the dynamic two-process model in Section 2. In Section 3, we discuss the asymmetric model where communication to process 1 never fails. Central to the analysis is to show that, despite the availability of unbounded communication links, finite-memory distributed algorithms actually suffice. We then prove that the synthesis problem is decidable (Theorem 2). In Section 5 we reduce the general case of dynamic communication to the asymmetric case, obtaining our main result of decidability in network models that do not contain the empty link (Theorem 1). In Section 6, we extend our results to the case of network sequences where the number of successive empty links is uniformly bounded. We conclude in Section 7.
Section snippets
The synthesis problem
We start with a few preliminaries. Let . For a (possibly infinite) alphabet A, the set of finite words over A is denoted by , the set of nonempty finite words by , and the set of countably infinite words by . We let ε be the empty word and denote the concatenation of and by or simply .
Fix the set of processes . Every process comes with fixed finite sets and of possible inputs and outputs, respectively. We assume that there are at least
Finite-memory distributed algorithms for
In this section, we suppose . We will provide the first ingredient of the proof of Theorem 2: Every realizable specification φ comes with a distributed algorithm with finite memory fulfilling it (Lemma 2).
Remark 2 For the sake of technical simplification, we assume in Sections 3 and 4, without loss of generality, that input sequences start with a symbol from . Instead of the original formula , we then simply take . That is, we can henceforth consider that and ,
Games with imperfect information
The existence of finite-memory distributed algorithms shown in Section 3 paves the way for a reduction of the synthesis problem to -player games with imperfect information, where two players form a coalition against an environment in order to fulfill some objective. The main differences between games and the synthesis problem are twofold: Games are played in an arena, on a finite set of nodes (or states), while the input of the synthesis problem is a logical specification. More
Reduction from to
In this section, we show decidability for the network model , with input alphabet and output alphabet . Recall that this also implies decidability for the network model .
The idea is to reduce the problem to the case of the network model that we considered in Sections 3 and 4, choosing as input alphabet where , and as output alphabet where . To do so, we will rewrite the given specification
−×-block-boundedness
In this section, we propose an extension of the decidability result for subsets of where the number of consecutive empty links in an input sequence is uniformly bounded. We reduce the synthesis problem over network model to the synthesis problem over . The general case can be obtained by combining this reduction with the previous one. We also show that relaxing the hypothesis over the number of consecutive empty links leads to undecidability, so the boundedness
Conclusion
Highly dynamic networks can be modeled by a set of communication graphs from which the adversarial environment may choose arbitrary sequences. We showed that synthesis in such synchronous two-node system is decidable for LTL specifications if and only if the network model does not contain the empty network. Our model covers full-information protocols where nodes communicate their complete unbounded causal history.
While network models account for highly unstable networks, minimal stability
Declaration of Competing Interest
The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.
Acknowledgement
We thank Dietmar Berwanger for valuable feedback. We are grateful to the reviewers for their careful reading and their comments, which led to an improved presentation. We also thank an anonymous reviewer of a previous version for pointing out that using parity automata instead of Rabin automata saves one exponential. This work was partly supported by ANR FREDDA (ANR-17-CE40-0013).
References (45)
The temporal semantics of concurrent programs
Theor. Comput. Sci.
(1981)- et al.
Bounds on the size and transmission rate of communications protocols
Comput. Math. Appl.
(1982) - et al.
A characterization of oblivious message adversaries for which consensus is solvable
Theor. Comput. Sci.
(2015) Automata on infinite objects
Infinite games on finitely coloured graphs with applications to automata on infinite trees
Theor. Comput. Sci.
(1998)- et al.
Reasoning about infinite computations
Inf. Comput.
(1994) Applications of recursive arithmetic to the problem of circuit synthesis – summaries of talks
Automata on Infinite Objects and Church's Problem, vol. 13
(1972)- et al.
A framework for the synthesis of reactive modules
- et al.
On the synthesis of a reactive module