Abstraction-Guided Synthesis of Synchronization
We present a novel framework for automatic inference of efficient synchronization in concurrent programs, a task known to be difficult and error-prone when done manually. Our framework is based on abstract interpretation and can infer synchronization for infinite-state programs. Given a program, a specification, and an abstraction, we infer synchronization that avoids all (abstract) interleavings that may violate the specification, but permits as many valid interleavings as possible. Combined with abstraction refinement, our framework can be viewed as a new approach for verification where both the program and the abstraction can be modified on-the-fly during the verification process. The ability to modify the program, and not only the abstraction, allows us to remove program interleavings not only when they are known to be invalid, but also when they cannot be verified using the given abstraction. We implemented a prototype of our approach using numerical abstractions and applied it to verify several interesting programs.
Quantitative synthesis for concurrent programs
In CAV 2011, volume 6806 of LNCS
Abstract. We present an algorithmic method for the quantitative, performance-aware synthesis of concurrent programs. The input consists of a nondeterministic partial program and of a parametric performance model. The nondeterminism allows the programmer to omit which (if any) synchronization construct is used at a particular program location. The performance model, specified as a weighted automaton, can capture system architectures by assigning different costs to actions such as locking, context switching, and memory and cache accesses. The quantitative synthesis problem is to automatically resolve the nondeterminism of the partial program so that both correctness is guaranteed and performance is optimal. As is standard for shared memory concurrency, correctness is formalized “specification-free”, in particular as race freedom or deadlock freedom. For worst-case (average-case) performance, we show that the problem can be reduced to 2-player graph games (with probabilistic transitions) with quantitative objectives. While we show, using game-theoretic methods, that the synthesis problem is Nexp-complete, we present an algorithmic method and an implementation that works efficiently for concurrent programs and performance models of practical interest. We have implemented a prototype tool and used it to synthesize finite-state concurrent programs that exhibit different programming patterns, for several performance models representing different architectures.
Measuring and synthesizing systems in probabilistic environments
CoRR
Abstract. Often one has a preference order among the different systems that satisfy a given specification. Under a probabilistic assumption about the possible inputs, such a preference order is naturally expressed by a weighted automaton, which assigns to each word a value, such that a system is preferred if it generates a higher expected value. We solve the following optimal-synthesis problem: given an omega-regular specification, a Markov chain that describes the distribution of inputs, and a weighted automaton that measures how well a system satisfies the given specification under the given input assumption, synthesize a system that optimizes the measured value. For safety specifications and measures that are defined by mean-payoff automata, the optimal-synthesis problem amounts to finding a strategy in a Markov decision process (MDP) that is optimal for a long-run average reward objective, which can be done in polynomial time. For general omega-regular specifications, the solution rests on a new, polynomial-time algorithm for computing optimal strategies in MDPs with mean-payoff parity objectives. We present some experimental results showing optimal systems that were automatically generated in this way.
Temporal specifications with accumulative values
In LICS, 2011
Abstract—There is recently a significant effort to add quantitative objectives to formal verification and synthesis. We introduce and investigate the extension of temporal logics with quantitative atomic assertions, aiming for a general and flexible framework for quantitative-oriented specifications. In the heart of quantitative objectives lies the accumulation of values along a computation. It is either the accumulated summation, as with the energy objectives, or the accumulated average, as with the mean-payoff objectives. We investigate the extension of temporal logics with the prefix-accumulation assertions Sum(v) ≥ c and Avg(v) ≥ c, where v is a numeric variable of the system, c is a constant rational number, and Sum(v) and Avg(v) denote the accumulated sum and average of the values of v from the beginning of the computation up to the current point of time. We also allow the path-accumulation assertions LimInfAvg(v) ≥ c and LimSupAvg(v) ≥ c, referring to the average value along an entire computation. We study the border of decidability for extensions of various temporal logics. In particular, we show that extending the fragment of CTL that has only the EX, EF, AX, and AG temporal modalities by prefix-accumulation assertions, and extending LTL with path-accumulation assertions, result in temporal logics whose model-checking problem is decidable. The extended logics allow one to significantly extend the currently known energy and mean-payoff objectives. Moreover, the prefix-accumulation assertions may be refined with “controlled-accumulation”, allowing, for example, to specify constraints on the average waiting time between a request and a grant. On the negative side, we show that the fragment we point to is, in a sense, the maximal logic whose extension with prefix-accumulation assertions permits a decidable model-checking procedure. Extending a temporal logic that has the EG or EU modalities, and in particular CTL and LTL, makes the problem undecidable.
Energy and mean-payoff games with imperfect information
In CSL 2010, volume LNCS 6247, 2010
Abstract. We consider two-player games with imperfect information and quantitative objective. The game is played on a weighted graph with a state space partitioned into classes of indistinguishable states, giving players partial knowledge of the state. In an energy game, the weights represent resource consumption and the objective of the game is to maintain the sum of weights always nonnegative. In a mean-payoff game, the objective is to optimize the limit-average usage of the resource. We show that the problem of determining if an energy game with imperfect information with fixed initial credit has a winning strategy is decidable, while the question of the existence of some initial credit such that the game has a winning strategy is undecidable. This undecidability result carries over to mean-payoff games with imperfect information. On the positive side, using a simple restriction on the game graph (namely, that the weights are visible), we show that these problems become EXPTIME-complete.
Optimal Strategy Synthesis For Request-Response Games
Theoretical Informatics and Applications, 1999
We show the existence and effective computability of optimal winning strategies for request-response games in case the quality of a play is measured by the limit superior of the mean accumulated waiting times between requests and their responses.
P.: Symbolic approximate time-optimal control
Systems & Control Letters, 2011
Abstract. There is an increasing demand for controller design techniques capable of addressing the complex requirements of today's embedded applications. This demand has sparked the interest in symbolic control, where lower complexity models of control systems are used to cater for complex specifications given by temporal logics, regular languages, or automata. These specification mechanisms can be regarded as qualitative since they divide the trajectories of the plant into bad trajectories (those that need to be avoided) and good trajectories. However, many applications also require the optimization of quantitative measures of the trajectories retained by the controller, as specified by a cost or utility function. As a first step towards the synthesis of controllers reconciling both qualitative and quantitative specifications, we investigate in this paper the use of symbolic models for time-optimal controller synthesis. We consider systems related by approximate (alternating) simulation relations and show how such relations enable the transfer of time-optimality information between the systems. We then use this insight to synthesize approximately time-optimal controllers for a control system by working with a lower complexity symbolic model. The resulting approximately time-optimal controllers are equipped with upper and lower bounds for the time to reach a target, describing the quality of the controller. The results described in this paper were implemented in the Matlab Toolbox Pessoa [1], which we used to work out several illustrative examples reported in this paper.
Bridging boolean and quantitative synthesis using smoothed proof search
2014
We present a new technique for parameter synthesis under Boolean and quantitative objectives. The input to the technique is a “sketch” — a program with missing numerical parameters — and a probabilistic assumption about the program’s inputs. The goal is to automatically synthesize values for the parameters such that the resulting program satisfies: (1) a Boolean specification, which states that the program must meet certain assertions, and (2) a quantitative specification, which assigns a real-valued rating to every program and which the synthesizer is expected to optimize. Our method — called smoothed proof search — reduces this task to a sequence of unconstrained smooth optimization problems that are then solved numerically. By iteratively solving these problems, we obtain parameter values that get closer and closer to meeting the Boolean specification; at the limit, we obtain values that provably meet the specification. The approximations are computed using a new notion of smoothing for program abstractions, where an abstract transformer is approximated by a function that is continuous according to a metric over abstract states. We present a prototype implementation of our synthesis procedure, and experimental results on two benchmarks from the embedded control domain. The experiments demonstrate the benefits of smoothed proof search over an approach that does not meet the Boolean and quantitative synthesis goals simultaneously.
Formalizing and reasoning about quality
2012
Abstract. Traditional formal methods are based on a Boolean satisfaction notion: a reactive system satisfies, or not, a given specification. We generalize formal methods to also address the quality of systems. As an adequate specification formalism we introduce the linear temporal logic LTL[F]. The satisfaction value of an LTL[F] formula is a number between 0 and 1, describing the quality of the satisfaction. The logic generalizes traditional LTL by augmenting it with a (parameterized) set F of arbitrary functions over the interval [0, 1]. For example, F may contain the maximum or minimum between the satisfaction values of subformulas, their product, and their average. The classical decision problems in formal methods, such as satisfiability, model checking, and synthesis, are generalized to search and optimization problems in the quantitative setting. For example, model checking asks for the quality in which a specification is satisfied, and synthesis returns a system satisfying the specification with the highest quality. Reasoning about quality gives rise to other natural questions, like the distance between specifications. We formalize these basic questions and study them for LTL[F]. By extending the automata-theoretic approach for LTL to a setting that takes quality into account, we are able to solve the above problems and show that reasoning about LTL[F] has roughly the same complexity as reasoning about traditional LTL.