The Unknown Component Problem: Theory and Applications

The Unknown Component Problem Tiziano Villa • Nina Yevtushenko Robert K. Brayton • Alan Mishchenko Alexandre Petrenko...

Author: Tiziano Villa | Nina Yevtushenko | Robert K. Brayton | Alan Mishchenko | Alexandre Petrenko | Alberto Sangiovanni-Vincentelli

63 downloads 757 Views 3MB Size Report

This content was uploaded by our users and we assume good faith they have the permission to share this book. If you own the copyright to this book and it is wrongfully on our website, we offer a simple DMCA procedure to remove your content from our site. Start by pressing the button below!
Report copyright / DMCA form

DOWNLOAD PDF

The Unknown Component Problem

Tiziano Villa • Nina Yevtushenko Robert K. Brayton • Alan Mishchenko Alexandre Petrenko Alberto Sangiovanni-Vincentelli

The Unknown Component Problem Theory and Applications

123

Tiziano Villa Dipartimento D’Informatica Università di Verona Strada le Grazie, 15 37134 Verona Italy [email protected] Robert K. Brayton Department of Electrical Engineering and Computer Science University of California Berkeley California USA [email protected] Alexandre Petrenko Computer Research Institute of Montreal (CRIM) Ogilvy 405, Suite 101 H3N 1M3 Montreal (Quebec) Canada [email protected]

Nina Yevtushenko Department of EECS Tomsk State University Tomsk Russia [email protected] Alan Mishchenko Department of Electrical Engineering and Computer Science (EECS) University of California, Berkeley Berkeley California USA [email protected] Alberto Sangiovanni-Vincentelli Department of Electrical Engineering and Computer Science (EECS) University of California, Berkeley Berkeley California USA [email protected]

ISBN 978-0-387-34532-1 e-ISBN 978-0-387-68759-9 DOI 10.1007/978-0-387-68759-9 Springer New York Dordrecht Heidelberg London Library of Congress Control Number: 2011938478 © Springer Science+Business Media, LLC 2012 All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, LLC, 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights. Printed on acid-free paper Springer is part of Springer Science+Business Media (www.springer.com)

Mariae, uxori suavissimae, cum gratitudine: ad multos annos ! Tiziano To my parents who gave me the courage and strength to go through life; to my family for their love and support Nina To my family, Ruth my wife of 50 years, children Jane Burchard, James and Michael Brayton, in-laws Dan Burchard and Debbie Marr, and grandchildren Thomas and Lia Burchard, and Matthew, Mason, Mariella and Marshall Brayton Bob To my family Alan To my parents Alexandre To my beloved Marica Alberto

Preface

An important step in the design of complex systems is the decomposition of a system into a number of separate components which interact in some well-defined way. A typical question is how to design a component that when combined with a known part of a system, called the context, satisfies a given specification. This question arises in several applications ranging from logic synthesis to the design of discrete controllers. To formally solve such problems, the following questions need to be addressed: • How to model the system, its components and the specification? • How is the interaction between the components defined? • When does a system behavior satisfy its specification? For the first issue, different types of mathematical models can be used to specify the components of a system: finite automata (FA) and finite state machines (FSMs), !-automata, Petri Nets are some of the most common formal models. Given an answer to the first question, matching answers must be provided to the other two. For instance, if FSMs are used to model the system, operators to compose FSMs must be introduced together with the notion of an FSM conforming to another FSM. For FSM conformance, appropriate choices are language containment or simulation of one FSM by the other. For FSM composition, various forms have been described in the literature. For example, one can define an abstract equation over FSMs of the type MA ˇ MX MC , where MA models the context, MC models the specification, MX is unknown, ˇ stands for a composition operator (e.g., , synchronous composition or ˘, parallel composition), and stands for a conforming relation (e.g., for reduction relation, or Š for equivalence relation). For any given formal model, appropriate equations can be set up and their solutions investigated. More complex equations or systems of equations can be formulated depending on the topology of the system’s components.

vii

viii

Preface

In this book, we cast the problem of computing the unknown component in the common frame of solving equations over languages and automata. This allows to unify the treatment of a panoply of variants of this problem, as formulated by different research communities in different applicative domains. In particular, we treat in-depth equations over languages, regular languages, finite automata, finite state machines, and !-automata. Then we apply the machinery of equations over finite state machines to sequential synthesis and resynthesis, and study a host of specific topologies, exact and heuristic techniques, and optimization scenarios. Finally, we enlarge the scope to domains such as testing, supervisory control, game theory, and specialized forms of synthesis for co-Büchi specifications. In the case of supervisory control, we characterize all controllers that satisfy partial controllability in the classical sense, and then we extend them to the relaxed notion of weak controllers. The book is a blend of theory, especially in the chapters of Part I, with the description of a software package implementing most of the theory in Part II, together with applications to sequential synthesis in Part III and to sundry domains in Part IV. This book grew out of an intense collaboration of the authors, in North America, Europe, and Russia. In particular, it capitalizes on the research activities carried forth in the CAD group at UC Berkeley, devoted to efficient optimization of digital designs, and on the theoretical research in Tomsk about automata theory. The convergence of these lines of investigation fostered a better understanding of the subject matter. We thank all the Ph.D. students and researchers who contributed to this research in Berkeley, Tomsk and elsewhere, collaborating with the authors. We are grateful to NATO for the funding of travels and meetings where the authors could converge from their distant locations, and where the book took shape. The NATO grants were: 1. “Logic synthesis and analysis through automata and language equation solving”, NATO Science Program, No. PST.CLG.979698, Collaborative Linkage Grant. No. 971217, project duration: 2003–2005. 2. “Discrete Event System Optimization through Automata/FSM Equation Solving” NATO Collaborative Linkage Grant CBP.NR.CLG 982314, project duration: 2006–2009. Among the participants to those meetings, we thank Roland Jiang, National Taiwan University, Taipei, and Anatoly Chebotarev, Ukrainian Academy of Sciences, Kiev, for interesting discussions on the themes covered in the book. A couple of meetings were held at PARADES, in the historical Palazzo Bonadies, Rome, and we thank Alberto for making that charming venue available to us. Tiziano thanks Bob for inviting him to visit UC Berkeley throughout many summers, to work on the book and enjoy the research ambience of his alma mater.

Preface

ix

Thanks to Giovanni Castagnetti and Matteo Piccolo, research assistants at the University of Verona, for proofreading parts of the manuscript, and checking many of the examples with BALM. Giovanni and Matteo extended BALM (now BALMII) to solve automatically parallel equations. Verona Tomsk Berkeley Berkeley Montreal Berkeley

Tiziano Villa Nina Yevtushenko Robert K. Brayton Alan Mishchenko Alexandre Petrenko Alberto Sangiovanni-Vincentelli

Contents

1

Synopsis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

Part I 2

3

1

Theory of Equations Over Languages and Automata

Equations Over Languages and Finite Automata .. .. . . . . . . . . . . . . . . . . . . . 2.1 Preliminaries on Languages and Finite Automata . . . . . . . . . . . . . . . . . . 2.1.1 Languages and Operators . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.1.2 Finite Automata and Regular Expressions . . . . . . . . . . . . . . . . 2.1.3 Classes of Languages .. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.1.4 Composition of Languages .. . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.2 Solution of Equations Over Languages . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.2.1 Language Equations Under Synchronous Composition . . 2.2.2 Language Equations Under Parallel Composition . . . . . . . . 2.2.3 Language Equations Under Bounded Parallel Composition . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.3 Solution of Equations Over Regular Languages and Finite Automata.. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 2.3.1 An Algorithm to Solve Equations Over Regular Languages and Automata .. . . .. . . . . . . . . . . . . . . . . . . . 2.3.2 An Application to Converter Synthesis: The Protocol Mismatch Problem . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

9 9 9 14 16 18 21 21 23

Equations Over Finite State Machines . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.1 Finite State Machines and Their Languages . . . .. . . . . . . . . . . . . . . . . . . . 3.1.1 Finite State Machines.. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.1.2 Languages of FSMs . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.2 Composition of Finite State Machines . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.2.1 Synchronous Composition of FSMs . . .. . . . . . . . . . . . . . . . . . . . 3.2.2 Parallel Composition of FSMs . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.2.3 Equations Over FSMs . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

37 37 37 39 43 44 47 48

25 25 25 28 33

xi

xii

Contents

3.3

Solution of FSM Equations Under Synchronous Composition . . . . 3.3.1 Largest FSM Solution . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.3.2 Restricted FSM Compositional Solutions . . . . . . . . . . . . . . . . . 3.4 Solution of FSM Equations Under Parallel Composition . . . . . . . . . . 3.4.1 Largest FSM Solution . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 3.4.2 Restricted FSM Compositional Solutions . . . . . . . . . . . . . . . . . 3.4.3 FSM Equations Under Bounded Parallel Composition .. . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

51 51 57 59 59 65 68 70

4

Equations Over !-Automata .. . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 4.1 !-Languages and !-Automata . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 4.2 Equations Over !-Languages . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 4.2.1 Expansion and Restriction of !-Languages .. . . . . . . . . . . . . . 4.2.2 Parallel Composition of !-Languages .. . . . . . . . . . . . . . . . . . . . 4.2.3 Parallel Equations Over !-Languages .. . . . . . . . . . . . . . . . . . . . 4.2.4 Operations Over !-Automata .. . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

73 73 78 78 79 80 80 83

5

A Survey of Relevant Literature . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 85 5.1 Equations Under Synchronous Composition . . .. . . . . . . . . . . . . . . . . . . . 85 5.1.1 Hierarchical Optimization and Don’t Care Sequences.. . . 85 5.1.2 Computation of Input Don’t Care Sequences . . . . . . . . . . . . . 86 5.1.3 Computation of Output Don’t Care Sequences . . . . . . . . . . . 89 5.1.4 Computation of the Permissible Behaviors with the E-Machine .. . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 91 5.1.5 How to Exploit the Flexibility . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 92 5.1.6 FSM Network Synthesis by WS1S . . . .. . . . . . . . . . . . . . . . . . . . 93 5.1.7 Testing.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 96 5.1.8 Model Matching by Simulation Relations .. . . . . . . . . . . . . . . . 96 5.1.9 Structural Replacement of Synchronous and Asynchronous Hardware . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 97 5.2 Equations Under Parallel Composition.. . . . . . . . .. . . . . . . . . . . . . . . . . . . . 98 5.2.1 Equations Over Process Languages and Process Algebras.. . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 98 5.2.2 Supervisory Control . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 99 5.2.3 Simulation Relations . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 99 5.2.4 Delay-Insensitive Processes . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 100 5.3 !-Automata, Games, Realizability and Synthesis .. . . . . . . . . . . . . . . . . 100 Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 102

Part II 6

Algorithms for Solving FSM Equations: BALM

Implementation of Automata Manipulations . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.1 Hybrid Representation of Finite Automata . . . . .. . . . . . . . . . . . . . . . . . . . 6.2 Implementation of Particular Commands . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.1 STG Extraction . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

109 110 111 111

Contents

xiii

6.2.2 Completion.. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.3 Determinization .. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.4 Complementation .. . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.5 Support .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.6 Product . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.7 Prefix-Closed . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 6.2.8 Input-Progressive . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

113 114 116 116 117 117 117 119

Manipulations of FSMs Represented as Sequential Circuits . . . . . . . . . . 7.1 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 7.1.1 Monolithic Representation of Relations .. . . . . . . . . . . . . . . . . . 7.1.2 Partitioned Representation of Relations . . . . . . . . . . . . . . . . . . . 7.2 Computation Algorithms.. . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 7.2.1 Elementary Operations Using Partitioned Representations . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 7.3 Completion and Determinization Commute . . . .. . . . . . . . . . . . . . . . . . . . 7.4 Experimental Results. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 7.5 Conclusions .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

121 122 125 125 126

8

The Software Package BALM . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.1 Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.2 Describing FSMs and Automata.. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.2.1 The BLIF-MV Format .. . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.2.2 The AUT Format . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.2.3 Comparing the BLIF-MV and AUT Formats . . . . . . . . . . . . . 8.2.4 Describing an Automaton Using BLIF-MV .. . . . . . . . . . . . . . 8.3 Two Alternate Synthesis Flows . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 8.3.1 Some Specialized Automata Operations . . . . . . . . . . . . . . . . . . 8.4 Appendix: Commands in BALM . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

137 137 138 138 140 142 145 146 147 149 151

9

Fundamental Operations in BALM . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 9.1 Extracting an Automaton from a Sequential Circuit. . . . . . . . . . . . . . . . 9.2 Completing an Automaton .. . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 9.3 Changing the Support . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 9.4 Determinizing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 9.5 Taking the Product of Two Automata . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

157 158 159 160 161 162 164

7

Part III

126 131 132 133 134

Application to Sequential Synthesis

10 Computation of Flexibility in Sequential Networks . . . . . . . . . . . . . . . . . . . . 173 10.1 The Kim–Newborn’s Procedure . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 173 10.2 The Wang–Brayton’s Procedure .. . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 177

xiv

Contents

10.3 The Yevtushenko–Zharikova’s Procedure .. . . . . .. . . . . . . . . . . . . . . . . . . . 182 Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 184 11 Computation of Sequential Flexibility in Netlists by Windowing . . . . . 11.1 Complete Sequential Flexibility in a Window . .. . . . . . . . . . . . . . . . . . . . 11.2 Selecting a Window by Latch Splitting . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 11.3 Efficient Window Selection .. . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 11.3.1 Efficient Window Selection for Combinational Networks 11.3.2 Efficient Window Selection for Sequential Networks . . . .

185 185 187 188 188 191

12 Computation of Sequential Flexibility in Networks of FSMs by Windowing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 12.1 Flexibility in Networks of FSMs . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 12.2 Windowing in a Network of FSMs . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 12.2.1 Windowing Via Solving a Set of Equations . . . . . . . . . . . . . . . 12.2.2 Windowing Via Solving a System of Equations . . . . . . . . . . 12.3 Solving a System of FSM Equations .. . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

195 195 199 199 203 206 208

13 Language Solving Using Simulation Relations . . . . . .. . . . . . . . . . . . . . . . . . . . 13.1 Model Matching by Simulation Relations . . . . . .. . . . . . . . . . . . . . . . . . . . 13.2 Computing Simulation Relations with Language Equations .. . . . . . 13.3 Example with Latch Splitting .. . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

211 211 214 216 222

14 Exploitation of Flexibility in Sequential Networks .. . . . . . . . . . . . . . . . . . . . 14.1 The Problem . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 14.2 State Minimization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 14.3 DCMIN: Immediate Equivalence Using Don’t Cares . . . . . . . . . . . . . . 14.4 Minimizing the Communication Lines . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 14.5 State Encoding.. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

227 227 228 230 232 239 239

Part IV

More Applications of the Unknown Component Problem

15 Supervisory Control .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 15.1 Supervisory Control .. . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 15.2 Supervisory Control with Full Controllability and Observability .. 15.2.1 Special Case: S and P Prefix-Closed .. . . . . . . . . . . . . . . . . . . . 15.2.2 General Case: S and P Not Prefix-Closed .. . . . . . . . . . . . . . . 15.2.3 Progressive Solutions Under Full Controllability .. . . . . . . . 15.3 Supervisory Control with Partial Controllability . . . . . . . . . . . . . . . . . . . 15.3.1 Supervisory Control Approach.. . . . . . . .. . . . . . . . . . . . . . . . . . . . 15.3.2 Equation Solving Approach .. . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

247 247 247 248 249 252 256 256 256

Contents

xv

15.4 Supervising a Cat and a Mouse in a Maze . . . . . .. . . . . . . . . . . . . . . . . . . . 259 Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 263 16 Testing .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 16.1 The Problem of Testing in Context .. . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 16.2 Solving Testing in Context Via Language Equations .. . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

267 267 268 273

17 Synthesis of Strategies for Games . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 17.1 Formulating a Game as a Unknown Component Problem . . . . . . . . . 17.2 Describing and Solving a Game: The Game of NIM .. . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

275 275 276 278

18 Extending BALM to Synchronous Equations Over co-Buchi ¨ Specifications .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.1 Introduction .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.2 Büchi and co-Büchi Automata.. . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.3 Problem Statement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.4 The Synthesis Flow . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.4.1 Computing a General Automaton Solution.. . . . . . . . . . . . . . . 18.4.2 Applying the co-Büchi Conditions to Obtain Particular FSM Solutions.. . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 18.4.3 Preprocessing to Simplify the SAT Instance . . . . . . . . . . . . . . 18.4.4 Complementing Büchi Automata .. . . . .. . . . . . . . . . . . . . . . . . . . 18.4.5 Solving for Büchi Specifications.. . . . . .. . . . . . . . . . . . . . . . . . . . 18.5 Conclusions .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . Problems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . .

283 283 285 285 286 287 289 291 293 293 294 294

19 Conclusions and Open Problems . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 299 References .. .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 301 Index . . . . . . . . .. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .. . . . . . . . . . . . . . . . . . . . 309

Chapter 1

Synopsis

This book contains 18 chapters organized in four parts along with the synopsis and conclusion. Each chapter is ended by a section of problems, that vary from testing the reader’s grasp of the theory, to laboratory exercises with the software BALM, up to more open-ended problems at the level of a class project. This makes the book suitable also for advanced undergraduate and graduate teaching, besides being a reference for researchers. Part I, Theory of Equations over Languages and Automata, presents the basics of equations over languages and automata. It is partitioned into four chapters. In Chap. 2 we define and study abstract equations over languages, where a composition operator involved in the equations is either synchronous composition, , or parallel composition, ˘, and the languages are compared using the language containment relation. The composition operators reflect two different types of interactions between systems found, e.g., in hardware and communicating systems. We consider thus two types of equations A X C and A ˘ X C , where X represents an unknown language, while A and C represent known languages. The two types of equations are called, respectively, synchronous and parallel equations. A key contribution is the computation of the most general solutions of the language equations, found, respectively, as S D A C , and S D A ˘ C . These formulas turn out to subsume a panoply of specialized solutions derived in the past for specific composition operators and topologies. We then specialize language equations to regular languages, which are counterparts of finite automata. The idea is to operate algorithmically on regular languages via their automata to solve effectively the associated language equations. We conclude the chapter by applying the developed theory to a so-called converter synthesis problem, which occurs in the presence of different protocols. In Chap. 3 we specialize language equations to FSM languages, counterparts of FSMs. We define synchronous and parallel compositions of FSMs and elaborate procedures for solving equations over FSMs. We also study subsets of solutions characterized by additional properties of practical interest, such as solutions that

T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 1, © Springer Science+Business Media, LLC 2012

1

2

1 Synopsis

satisfy the Moore property and solutions to bounded parallel equations over FSMs, when external outputs should appear after a predefined number of internal actions. In Chap. 4 we extend the results obtained in the finite regular case to equations over !-automata. In this section, we explain how to extend parallel equations to !-languages described by Büchi automata. We define expansion and restriction of !-languages along with the corresponding !-expansion and !-restriction of !-automata; we lift operations on regular languages to !-regular languages and define !-parallel composition of !-automata. The largest solution of a parallel equation over Büchi automata is then formulated similarly to the finitary regular case. Concluding Part 1, we provide in Chap. 5 an overview of various previous contributions, concerning specific aspects of the theory of synchronous and parallel equations over languages and automata. Synchronous equations naturally model numerous problems related to sequential circuits, such as hierarchical optimization, don’t care conditions, flexibility and model matching. Equally, parallel equations offer a uniform way of modeling various domain problems, such as protocol converters and supervisory control. The overview indicates that the theory of synchronous and parallel equations models naturally a larger spectrum of language equations and their specialized solutions in different settings, since it is built upon the primitive notions of language and language composition. On the other hand, equation solving can be seen also as a special case of realizability/synthesis. Recall that given a logic formula, a classic problem of realizability is to determine whether there exists a sequential function to implement it, and if yes, find an implementation, which is a problem of synthesis. Problems of realizability/synthesis can be framed as solving games. In Part II, Algorithms for Solving FSM Equations – BALM, we focus on the efficient implementation of operations and an environment suited for manipulating FSMs and solving equations over them. The developed software system, BALM, the Berkeley Automata and Language Manipulation system, is based on the existing multi-valued logic synthesis environment, MVSIS. This part is partitioned into four chapters. In Chap. 6 we present several operations on finite automata implemented within BALM, which are used for solving equations. These operations include completion, determinization, complementation, product computation and others using a mixed representation of finite automata as state transition graphs, where transition predicates, if any, are represented by BDDs. In Chap. 7 we outline the implementation of operations in BALM needed to solve equations over FSMs represented as sequential circuits. We discuss how a partitioned representation of sequential circuits can be used to perform the basic operations of equation solving: completing, complementing, determinizing, hiding, and computing the product of finite automata. Such a representation uses a set of next state functions, which update the state of each latch (flip-flop or state-holding element) in the circuit. We conclude the chapter by presenting experimental results which indicate that using a partitioned representation for FSM manipulations is more efficient compared to a monolithic representation.

1 Synopsis

3

Chapter 8 is devoted to the BALM package that includes the most typical automata operations, such as determinization and state minimization, as well as visualization capabilities, which rely on the graph visualization software Graphviz. We present and illustrate the two file formats supported in BALM, one for describing FSMs as multi-level netlists of logic, and the other for describing automata. We conclude the chapter by presenting a summary of the commands available in BALM, which can be used to program complex manipulations with finite automata and FSMs. Chapter 9 provides a number of examples illustrating the use of BALM commands. In Part III, Application to Sequential Synthesis, we consider the problem of sequential synthesis where a finite state machine is embedded in a larger FSM environment. We want to find the set of all possible FSMs that can replace the current FSM without changing the external behavior of the whole system. This set represents the complete sequential flexibility of the FSM (with respect to its environment); it is a generalization of the complete flexibility used in combinational synthesis. We also provide a number of examples of using BALM scripts in sequential synthesis. This part includes five chapters, the first four chapters address the problem of computing the flexibility in sequential networks; the last chapter discusses how to exploit the computed sequential flexibility by extracting a valid replacement with a chosen cost function. Chapter 10 shows how BALM scripts implement several methods for computing a restricted form of sequential flexibility, sequential don’t cares. In Chap. 11, we explain how complete sequential flexibility for FSMs represented by netlists can be computed by windowing within BALM. Chapter 12 addresses the problem of resynthesizing the component FSMs in a network of FSMs. We discuss the possibility of resynthesizing them one by one until the whole network cannot be simplified further. In order to avoid construction of the FSM that specifies the behavior of the whole network, we may consider just pairs of connected FSMs and find for a component of each pair a replacement by solving the corresponding equation at the price of missing some flexibility. Such a windowing approach is not feasible for all the topologies of FSM networks; for topologies, where some component’s outputs are inputs of several components, we need to consider a system of FSM equations each of which involves a pair of such components. An FSM is a solution of a system of FSM equations if it is a solution of each equation of the system. Therefore the largest solution of a system of FSM equations can be obtained as the intersection of the largest solutions over all equations of the system. Chapter 13 discusses solving language equations using simulation relations. The need for simulation relations arises in the so-called model matching problem. It asks for the design of a controller so that the composition of a plant with the controller matches a given model, as discussed in Chap. 5. The use of the simulation relation instead of the language containment relation allows us to obtain restricted solutions

4

1 Synopsis

to FSM equations; we illustrate the possibilities of this approach with an example, where the BALM’s command latch split is used to divide the latches of a given FSM network into two parts, fixed and unknown. Chapter 14 discusses the problem of selecting a “minimum” reduction or submachine of the largest solution and some criteria for selecting it given the flexibility computed by techniques presented in the previous chapters. We consider two criteria: the minimum number of states and the minimum input support. We recapture the basic notions of FSM state minimization, a classical problem studied for deterministic FSMs first and then for observable FSMs, and present a heuristic procedure for minimizing an FSM implemented in BALM. The criterion of minimum input support can be used when, in synthesizing the components of a synchronous composition of FSMs, it is desired to minimize not the number of states, but the number of communication lines of a given component. We present a procedure for deriving a largest solution that uses a minimal number of input alphabets (representing communication lines). Part IV, More Applications of the Unknown Component Problem, comprises four chapters. Chapter 15 focuses on supervisory control and explains the applicability of equation solving techniques to this theory. Methods for solving equations over regular languages have an exponential complexity in the worst-case, because of the complementation operator that requires determinization, but they can handle arbitrary topologies. The methods for supervisory control under partial controllability with regular languages have a polynomial complexity, due to a simplified topology. Comparing the two approaches for supervisory control with full controllability and observability, we notice that both approaches yield necessary and sufficient conditions for the existence of a controller; with the supervisory control approach a single (smallest) controller is derived; with the language approach, the set of all controllers is derived, including the smallest and the largest ones. Both approaches have the same complexity. We also contrast the two approaches on supervisory control with partial controllability and finally illustrate our findings on an example of supervising a cat and mouse in a maze. Chapter 16 addresses the problem of testing a component FSM in an FSM network, also known as the problem of testing in context or embedded testing. It is customary to assume that a context FSM implementation (the fixed part) needs no testing and conforms to its specification, while an implementation of the embedded FSM (the unknown part) has to be tested for its conformance to the specification FSM. Inputs and outputs of the embedded machine are neither controllable nor observable and tests should be expressed using external inputs and outputs of the context machine. Testing an FSM in isolation can, under certain assumptions, detect faults which can make an implementation non-equivalent to its (deterministic) specification. However, testing in context can be more permissive, since the context FSM can tolerate faults in the embedded machine. We demonstrate first that the largest set of its permissible behaviors obtained by finding the largest solution of an appropriate FSM equation provides the exact characterization of all such faults. Since the largest solution is represented by a non-deterministic FSM such that each

1 Synopsis

5

non-conforming implementation is not its reduction, a test suite has to be derived using the reduction relation between the implementation and specification FSMs. The existing methods developed for testing FSMs in isolation can be used for this purpose. However, the resulting tests use the internal alphabets of the embedded machine; thus the internal tests must be translated into external tests defined over the external alphabets of the system. The problem of translating internal tests into external ones is sometimes called the fault propagation problem and can also be formulated as solving an appropriate equation over FSMs or automata. We use a simple example to illustrate the use of language equations for solving testing in context. Chapter 17 discusses the application of language solving to games. We demonstrate how finding winning strategies of some combinatorial games, such as the NIM game, tic-tae-toe, etc., can be formulated as solving the unknown component problem. Therefore, BALM can be used to synthesize winning strategies of these combinatorial games. The approach we take is to describe the dynamics and the state of the game in the fixed component. The unknown component represents one of the players of a two person game. A winning strategy is the ability to make a move to retain the possibility of winning. This is achieved when a solution is prefixclosed and progressive. If the input to the unknown component is the state of the game, then progressive means that, for every state that the game can get into, there is always an input which leads to an accepting state. We illustrate our approach by describing and solving the game of NIM. Chapter 18 discusses the extension of BALM to synchronous equations over co-Büchi specifications (with a brief mention of Büchi specifications). This extension is motivated by sequential synthesis problems where the objective is to find a strategy, implementable as an FSM, in order to guide a system to a given subset of accepting states with some desirable property and keep it there. Such requirements can be expressed by co-Büchi automata. We propose a synthesis flow, similar to that described in Chap. 2 for regular (finite-word) automata with the main difference in the last step, where the most general solution is trimmed to obtain FSM solutions that meet the co-Büchi condition. This necessitates a special nonregular method, based on formulating the problem as a SAT instance where each satisfying assignment corresponds to a way of trimming the graph to enforce the desired property.

Part I

Theory of Equations Over Languages and Automata

In this part we present the basics of equations over languages and automata, and specialize the theory to finite and !-regular languages. In Chap. 2 we define and study abstract equations over languages, to obtain results valid for any language equation. We investigate two composition operators for abstract languages: synchronous composition, , and parallel composition, ˘, and we check conformity by language containment. A key contribution is the computation of the most general solutions of the language equations A X C and A ˘ X C , found respectively as S D A C , and S D A ˘ C . The derivation sheds lights on the properties required of a composition operator to yield such a closed formula as the largest solution, and explains when different equations give rise to that same type of solution formula. These formulas turn out to subsume a panoply of specialized solutions derived in the past for specific composition operators and topologies. Some common network topologies are shown in Fig. 1.1. Then in Chap. 3 we specialize language equations to languages associated with classes of automata used for modeling hardware and software systems, namely, regular languages as counterparts of finite automata, FSM languages as counterparts of FSMs. Thus we can operate algorithmically on those languages through their automata and study how to solve effectively their related language equations. It is important to find solutions within the same language class of the equation, e.g., when studying FSM language equations we look for solutions that are FSM languages. Moreover, we are interested in subsets of solutions characterized by further properties of practical interest, e.g., FSM languages that satisfy the Moore property; thus the solutions are restricted further. In Chap. 4 we study the extensions to equations over !-automata of the results obtained in the finite regular case. Various contributions, investigating partial aspects of the topic of this research, have been published. A complete survey is provided in Chap. 5.

8

I Theory of Equations Over Languages and Automata

a

b

c

d

e

f

Fig. 1.1 Patterns of composition. (a) general topology; (b) 2-way cascade (or 2-way series) topology; (c) 1-way cascade (or 1-way series) topology; (d) rectification topology; (e) controller’s (or supervisory control) topology; (f) variant of general topology

Chapter 2

Equations Over Languages and Finite Automata

2.1 Preliminaries on Languages and Finite Automata 2.1.1 Languages and Operators Definition 2.1.1. An alphabet is a finite set of symbols. The set of all finite strings over a fixed alphabet X is denoted by X ? . X ? includes the empty string . A subset L X ? is called a language over alphabet X . A language L over the alphabet X V is a language over the alphabet A D f.x; v/ j x 2 X; v 2 V g. Standard set-theoretic operations are defined on alphabets, e.g., union and intersection. Some standard operations on languages are: 1. Given languages L1 and L2 , respectively over alphabets X1 and X2 , the language L1 [ L2 over alphabet X1 [ X2 is the union of languages L1 and L2 . 2. Given languages L1 and L2 , respectively over alphabets X1 and X2 , the language L1 L2 D f˛ˇ j ˛ 2 L1 ; ˇ 2 L2 g over alphabet X1 [ X2 is the concatenation of languages L1 and L2 . Define L0 D fg, Li D LLi 1 . The Kleene closure of L i C 1 i is the set L? D [1 i D0 L and the positive Kleene closure of L is L D [i D1 L . l l i Finally, the l-bounded Kleene closure of L is set L D [i D0 L . 3. Given languages L1 and L2 , respectively over alphabets X1 and X2 , the language L1 \ L2 over alphabet X1 \ X2 is the intersection of languages L1 and L2 . If X1 \ X2 D ; then L1 \ L2 D ;. 4. Given a language L over alphabet X , the language L D X ? n L over alphabet X is the complement of language L. Similarly, given languages L1 and L2 , respectively over alphabets X1 and X2 , the language L1 n L2 D L1 \ L2 over alphabet X1 is the difference of languages L1 and L2 . 5. Given a language L over alphabet X , the language Pref .L/ D fx 2 X ? j 9y 2 X ? ; xy 2 Lg is the prefix-closure of L, i.e., the language whose words are all the prefixes of words in L.


9

10

2 Equations Over Languages and Finite Automata

6. Given a language L over alphabet X , LPref is the largest prefix-closed language L0 with L0 L. It is useful to recall the notions of substitution and homomorphism of languages [63]. A substitution f is a mapping of an alphabet X onto subsets of Y ? for some alphabet Y . The substitution f is extended to strings by setting f ./ D fg and f .xa/ D f .x/f .a/. An homomorphism h is a substitution such that h.a/ is a singleton string for each symbol a in the alphabet X . We introduce some useful operations on languages. The first two are associated with synchronous composition, while the last two are associated with parallel composition. These operations are integral parts of constructing the most general solution. 1. Given a language L over alphabet X V , consider the homomorphism p W X V ! V ? defined as p..x; v// D v; then the language L#V D fp.˛/ j ˛ 2 Lg over alphabet V is the projection of language L to alphabet V , or V -projection of L. By definition of substitution p./ D . 2. Given a language L over alphabet X and an alphabet V , consider the substitution ? l W X ! 2.X V / defined as l.x/ D f.x; v/ j v 2 V g; then the language L"V D fl.˛/ j ˛ 2 Lg over alphabet X V is the lifting of language L to alphabet V , or V -lifting of L. By definition of substitution l./ D fg. 3. Given a language L over alphabet X [ V , consider the homomorphism r W X [ V ! V ? defined as y if y 2 V r.y/ D ; if y 2 X n V then the language L+V D fr.˛/ j ˛ 2 Lg over alphabet V is the restriction of language L to alphabet V , or V -restriction of L, i.e., words in L+V are obtained from those in L by deleting all the symbols in X that are not in V . By definition of substitution r./ D . 4. Given a language L over alphabet X and an alphabet V , consider the mapping ? e W X ! 2.X [V / defined as e.x/ D f˛xˇ j ˛; ˇ 2 .V n X /? g;

2.1 Preliminaries on Languages and Finite Automata

11

then the language L*V D fe.˛/ j ˛ 2 Lg over alphabet X [ V is the expansion of language L to alphabet V , or V -expansion of L, i.e., words in L*V are obtained from those in L by inserting anywhere in them words from .V n X /? . Notice that e is not a substitution and that e./ D f˛ j ˛ 2 .V n X /? g. Given a language L over alphabet X , an alphabet V , and a natural number l, l consider the mapping el W X ! 2.X [V / defined as el .x/ D f˛xˇ j ˛; ˇ 2 .V n X /l g; then the language L*.V;l/ D fel .˛/ j ˛ 2 Lg over alphabet X [ V is the l-bounded expansion of language L over alphabet V , or .V; l/-expansion of L, i.e., words in L*V are obtained from those in L by inserting anywhere in them words from .V n X /l . Notice that el is not a substitution and that el ./ D f˛ j ˛ 2 .V n X /l g. By definition ;#V D ;, ;"V D ;, ;+V D ;, ;*V D ;, ;*.V;l/ D ;. The four previous operators change a language and its alphabet of definition; in particular the operators " and # change what components are present in the Cartesian product that defines the language alphabet. We assume that each component has a fixed position in the Cartesian product. For instance, let language L1 be defined over alphabet I and language L2 be defined over alphabet O, then language L1 "O is defined over alphabet I O and also language L2 "I is defined over alphabet I O, if by assumption I precedes O in the Cartesian product. More precisely, say that we introduce an ordering of alphabets, i , by which I is mapped to index i.I / and O is mapped to i.O/, then i.I / < i.O/ implies that I precedes O in any Cartesian product of alphabets. The ordering is arbitrary, but, once chosen, it holds through the sequence of language operations. The following straightforward facts hold between the projection and lifting operators, and between the restriction and expansion operators. Proposition 2.1. The following inverse laws for "; # and *; + hold. (a) Let X and Y be alphabets, and let L be a language over alphabet X , then .L"Y /#X D L. (b) Let X and Y be alphabets, and let L be a language over alphabet X Y , then .L#X /"Y L. (c) Let X and Y be disjoint alphabets, and let L be a language over alphabet X , then .L*Y /+X D L. (d) Let X and Y be disjoint alphabets, and let L be a language over alphabet X [ Y , then .L+X /*Y L.

12


Proposition 2.2. The following equivalences hold. (a) Given alphabets X and Y , a language L over alphabet X , and a string ˛ 2 .X Y /? , then ˛#X 2 L , ˛ 2 L"Y . (b) Given disjoint alphabets X and Y , a language L over alphabet X , and a string ˛ 2 .X [ Y /? , then ˛+X 2 L , ˛ 2 L*Y . Proposition 2.3. The following distributive laws for " and # hold. (a) Let L1 ; L2 be languages over alphabet U . Then " commutes with [ .L1 [ L2 /"I D L1 "I [ L2 "I : (b) Let L1 ; L2 be languages over alphabet U . Then " commutes with \ .L1 \ L2 /"I D L1 "I \ L2 "I : (c) Let M1 ; M2 be languages over alphabet I U . Then # commutes with [ .M1 [ M2 /#U D M1 #U [ M2 #U : (d) Let M1 ; M2 be languages over alphabet I U . If M2 D .M2 #U /"I (or M1 D .M1 #U /"I ), then # commutes with \ .M1 \ M2 /#U D M1 #U \ M2 #U : Proof. Thesis: .L1 \ L2 /"I D L1 "I \ L2 "I . ()) If the string .i1 ; u1 / : : : .ik ; uk / 2 .L1 \ L2 /"I , then u1 : : : uk 2 L1 \ L2 ; thus u1 : : : uk 2 L1 , u1 : : : uk 2 L2 , and so .i1 ; u1 / : : : .ik ; uk / 2 L1 "I , .i1 ; u1 / : : : .ik ; uk / 2 L2 "I , implying .i1 ; u1 / : : : .ik ; uk / 2 L1 "I \ L2 "I . (() If the string .i1 ; u1 / : : : .ik ; uk / 2 L1 "I \ L2 "I , then .i1 ; u1 / : : : .ik ; uk / 2 L1 "I , .i1 ; u1 / : : : .ik ; uk / 2 L2 "I ; thus u1 : : : uk 2 L1 , u1 : : : uk 2 L2 , implying u1 : : : uk 2 L1 \ L2 , and so .i1 ; u1 / : : : .ik ; uk / 2 .L1 \ L2 /"I . Similarly one proves the first and third identity involving [. Thesis: If M2 D .M2 #U /"I (or M1 D .M1 #U /"I ), then .M1 \ M2 /#U D M1 #U \ M2 #U . ()) If the string u1 : : : uk 2 .M1 \ M2 /#U then there exists i1 : : : ik such that .i1 ; u1 / : : : .ik ; uk / 2 M1 \ M2 , i.e., .i1 ; u1 / : : : .ik ; uk / 2 M1 , .i1 ; u1 / : : : .ik ; uk / 2 M2 , and so u1 : : : uk 2 M1 #U and u1 : : : uk 2 M2 #U . (() If the string u1 : : : uk 2 M1 #U \ M2 #U , i.e., u1 : : : uk 2 M1 #U and u1 : : : uk 2 M2 #U , then there exists i1 : : : ik such that .i1 ; u1 / : : : .ik ; uk / 2 M1 . Moreover, since M2 D .M2 #U /"I , from u1 : : : uk 2 M2 #U it follows that .i1 ; u1 / : : : .ik ; uk / 2 M2 . In summary, .i1 ; u1 / : : : .ik ; uk / 2 M1 and .i1 ; u1 / : : : .ik ; uk / 2 M2 , implying .i1 ; u1 / : : : .ik ; uk / 2 M1 \ M2 , from which follows u1 : : : uk 2 .M1 \ M2 /#U . t u


13

Corollary 2.4. The following commutative laws for " and # hold. (a) Let Li ; i D 1; : : : ; n; be languages over alphabet U . Then " commutes with both [ and \ .[Li /"I D [.Li

"I /;

.\Li /"I D \.Li

"I /:

(b) Let Mi ; i D 1; : : : ; n; be languages over alphabet I U . Then # commutes with [ .[Mi /#U D [.Mi

#U /:

(c) Let Mi ; i D 1; : : : ; n; be languages over alphabet I U . If M2 D .M2 #U /"I , : : : , Mn D .Mn #U /"I (or any collection of n 1 languages Mi satisfies this property), then # commutes with \ .\Mi /#U D \.Mi

#U /:

The proof is by induction based on Prop. 2.3. Proposition 2.5. Suppose that I and U are disjoint alphabets. The following distributive laws for * and + hold. (a) Let L1 ; L2 be languages over alphabet U . Then * commutes with [ .L1 [ L2 /*I D L1 *I [ L2 *I : (b) Let L1 ; L2 be languages over alphabet U . Then * commutes with \ .L1 \ L2 /*I D L1 *I \ L2 *I : (c) Let M1 ; M2 be languages over alphabet I [ U . Then + commutes with [ .M1 [ M2 /+U D M1 +U [ M2 +U : (d) Let M1 ; M2 be languages over alphabet I [ U . If M2 D .M2 +U /*I (or M1 D .M1 +U /*I ) then + commutes with \ .M1 \ M2 /+U D M1 +U \ M2 +U : Proof. Thesis: .L1 \ L2 /*I D L1 *I \ L2 *I . ()) If the string ˛1 u1 : : : ˛k uk ˛kC1 2 .L1 \ L2 /*I and ˛1 ; : : : ; ˛k ; ˛kC1 2 I ? , then u1 : : : uk 2 L1 \ L2 ; thus u1 : : : uk 2 L1 , u1 : : : uk 2 L2 , and so ˛1 u1 : : : ˛k uk ˛kC1 2 L1 *I , ˛1 u1 : : : ˛k uk ˛kC1 2 L2 *I , implying ˛1 u1 : : : ˛k uk ˛kC1 2 L1 *I \ L2 *I .

14


(() If the string ˛1 u1 : : : ˛k uk ˛kC1 2 L1 *I \ L2 *I , then it holds that ˛1 u1 : : : ˛k uk ˛kC1 2 L1 *I and ˛1 u1 : : : ˛k uk ˛kC1 2 L2 *I ; thus u1 : : : uk 2 L1 , u1 : : : uk 2 L2 , implying u1 : : : uk 2 L1 \ L2 , and so it is also ˛1 u1 : : : ˛k uk ˛kC1 2 .L1 \ L2 /*I . Similarly one proves the first and third identity involving [. Thesis: if M2 D .M2 +U /*I (or M1 D .M1 +U /*I ) then .M1 \ M2 /+U D M1 +U \ M2 +U . ()) If the string u1 : : : uk 2 .M1 \M2 /+U then there exists ˛1 ; : : : ˛k ; ˛kC1 2 I ? such that it holds that the string ˛1 u1 : : : ˛k uk ˛kC1 2 M1 \ M2 , i.e., ˛1 u1 : : : ˛k uk ˛kC1 2 M1 , ˛1 u1 : : : ˛k uk ˛kC1 2 M2 , and so u1 : : : uk 2 M1 +U and u1 : : : uk 2 M2 +U . (() If the string u1 : : : uk 2 M1 +U \ M2 +U , i.e., u1 : : : uk 2 M1 +U and u1 : : : uk 2 M2 +U , then there exists ˛1 : : : ˛k ˛kC1 2 I ? such that ˛1 u1 : : : ˛k uk ˛kC1 2 M1 . Moreover, since M2 D .M2 +U /*I , from u1 : : : uk 2 M2 +U it follows that ˛1 u1 : : : ˛k uk ˛kC1 2 M2 . In summary, ˛1 u1 : : : ˛k uk ˛kC1 2 M1 and ˛1 u1 : : : ˛k uk ˛kC1 2 M2 , implying ˛1 u1 : : : ˛k uk ˛kC1 2 M1 \ M2 , from which follows u1 : : : uk 2 .M1 \ M2 /+U . t u Example 2.6. The identity .M1 \ M2 /+U D M1 +U \ M2 +U does not hold without the additional hypothesis in Prop. 2.5(d). Consider I D fa; bg, U D fug, M1 D faug, M2 D fbug, then .M1 \ M2 /+U D ;+U D ; and M1 +U \ M2 +U D fug \ fug D fug. Notice that au and bu are words of length 2 on the alphabet I [ U . Proposition 2.7. The following equivalences hold. (a) Let L be a language over alphabet I , then L"O D ; , L D ; (b) Let L be a language over alphabet I O, then L#O D ; , L D ; In the next two statements, suppose that I and O are disjoint alphabets. (c) Let L be a language over alphabet I [ O, then L*O D ; , L D ; (d) Let L be a language over alphabet I [ O, then L+O D ; , L D ;. Proof. The proofs are straightforward; implication ) of statement (d) is true because, even in the case that all strings in L are defined only over symbols from alphabet I , their restriction to alphabet O yields the empty string (i.e., 2 L+O ¤ ;) and so from L ¤ ; follows that L+O ¤ ;. t u

2.1.2 Finite Automata and Regular Expressions Definition 2.1.2. A finite automaton (FA) is a 5-tuple F D hS; ˙; ; r; Qi. S represents the finite state space, ˙ represents the finite alphabet, and ˙ S S is the next state relation, such that .i; p; n/ 2 iff n 2 S is a next state of present state p 2 S on symbol i 2 ˙. The initial or reset state is r 2 S and Q S is the set of final or accepting states. A variant of FAs allows the introduction of -moves, meaning that .˙ [ f/g S S .


15

The next state relation can be extended to have as argument strings in ˙ (i.e., Q ˙ S S ) as follows: .i; s; s 00 / 2 Q iff there exists s 0 2 S such that .; s; s 0 / 2 Q and .i; s 0 ; s 00 / 2 . For ease of notation we just use the symbol for both relations and let the context determine the meaning. A string x is said to be accepted by the FA F if there exists a sequence of transitions corresponding to x such that there exists a state r 0 2 Q for which .x; r; r 0 /. The language accepted by F , designated Lr .F /, is the set of strings fx j9r 0 2 Q Œ.x; r; r 0 /g. The language accepted or recognized by s 2 S , denoted Lr .F js/ or Lr .s/ when F is clear from the context, is the set of strings fx j.x; r; s/g. If for each present state p and symbol i there is at least one next state n such that .i; p; n/ 2 , the FA is said to be complete, otherwise it is partial. A partial automaton can be made complete by directing the unspecified transitions to a nonaccepting state. An FA is a deterministic finite automaton (DFA) if for each present state p and symbol i there is exactly one next state n such that .i; p; n/ 2 .1 The relation can be replaced by the next state function ı, defined as ı W ˙ S ! S , where n 2 S is the next state of present state p 2 S on symbol i 2 ˙ iff n D ı.i; p/. An FA that is not a DFA is a non-deterministic finite automaton (NDFA). A string x is said to be accepted by the DFA F if ı.x; r/ 2 Q. The language accepted by F , designated Lr .F /, is the set of strings fx jı.x; r/ 2 Qg. The language accepted or recognized by s 2 S , denoted Lr .F js/ or Lr .s/ when F is clear from the context, is the set of strings fx jı.x; r/ D sg. The languages associated with finite automata are the regular languages, defined by means of regular expressions, as established by the theorem due to Kleene [63]. Definition 2.1.3. The regular expressions over an alphabet ˙ are defined recursively as follows: 1. 2. 3. 4.

; is a regular expression and denotes the empty set. is a regular expression and denotes the set fg. For each a 2 ˙, a is a regular expression and denotes the set fag. If l1 and l2 are regular expressions denoting the languages L1 and L2 , respectively, then .l1 C l2 /, .l1 l2 / and .l1? / are regular expressions that denote the sets L1 [ L2 , L1 L2 and L?1 , respectively.

The sets denoted by regular expressions are the regular languages. Regular languages are closed under union, concatenation, complementation and intersection. Also regular languages are closed under projection, lifting and restriction, because they are closed under substitution [63]. Regular languages are closed under expansion, as shown in Sect. 2.3.1 providing an algorithm that, given the finite automaton of a language, returns the finite automaton of the expanded language. 1 By the given definition in agreement with standard textbooks (see [63]), a DFA must be a complete FA, but a complete FA does not need to be deterministic.

16


2.1.3 Classes of Languages We introduce several classes of languages used later in the paper. Definition 2.1.4. A language L over alphabet X is prefix-closed if 8˛ 2 X ? 8x 2 X Œ˛x 2 L ) ˛ 2 L: Equivalently, L is prefix-closed iff L D Pref .L/. Definition 2.1.5. A language L over alphabet X D I O is I -progressive if 8i 2 I 9o 2 O Œ˛ 2 L ) ˛ .i; o/ 2 L: If L is not I -progressive, then Prog.L/ is the largest I -progressive language L0 such that L0 L. Definition 2.1.6. A language L over alphabet I O is I# -defined if L#I D I ? . If a language over X D I O is I -progressive it is also I# -defined, but the converse does not hold. Example 2.8. The language L D f C i1 o1 C i1 o2 .i1 o1 /? g is I# -defined, but not I -progressive, as witnessed by ˛ D i1 o1 2 L and i D i1 for which there is no o such that ˛ i1 o 2 L. Definition 2.1.7. A language L over alphabet X D I O is Moore2 with respect to alphabet I , if 8˛ 2 L 8.i; o/ 2 X 8.i 0 ; o0 / 2 X Œ˛ .i; o/ 2 L ) Œ˛ .i 0 ; o0 / 2 L ) ˛ .i 0 ; o/ 2 L: Definition 2.1.8. A language L .IO/? over alphabet I [ O (I and O disjoint) is IO-prefix-closed if 8˛ 2 .IO/? 8i o 2 IO Œ˛ i o 2 L ) ˛ 2 L: Definition 2.1.9. A language L .IO/? over alphabet I [ O (I and O disjoint) is IO-progressive if 8i 2 I 9o 2 O Œ˛ 2 L ) ˛ io 2 L: Definition 2.1.10. A language L .IU ? O/? over alphabet I [ U [ O (I , U and O pairwise disjoint) is IU ? O-progressive if 8i 2 I 9ˇ 2 U ? 9o 2 O Œ˛ 2 L ) ˛ iˇo 2 L:

2

This definition is an abstraction to languages of the most common definition of Moore automata/finite state machines.


17

a

b

c

d

Fig. 2.1 (a) Finite automaton of the language described in Example 2.9-a; (b) Finite automaton of the language described in Example 2.9-b; (c) Finite automaton of the language described in Example 2.10-a; (d) Finite automaton of the language described in Example 2.10-b

Example 2.9. (a) Let I D fi1 ; i2 g, O D fo1 ; o2 g and U D fu1 ; u2 g. The language L D f.i1 u1 u?2 u1 o1 C i2 u?1 o2 /? g is UI ? O-progressive, since any word in L can be extended to a word in L by suffixes starting with either i1 or i2 . The corresponding automaton is shown in Fig. 2.1a. (b) Let I D fi1 ; i2 g, O D fo1 ; o2 g and U D fu1 g. The language L D f.i1 o1 /? C .i1 o1 /? i2 u?1 o2 .i1 u?1 o2 /? g is not IU ? O-progressive, since the words in the set fi2 u?1 o2 .i1 u?1 o2 /? g are in L, but when i D i2 there is no ˇ 2 U ? and no o 2 O such that ˛ i2 ˇo 2 L (e.g., ˛ D i2 u1 o2 cannot be extended by any suffix starting with i2 ). The corresponding automaton is shown in Fig. 2.1b. Definition 2.1.11. A language L over alphabet I [ O (I and O disjoint) is I+ -defined if L+I D I ? . An IO-progressive language is I+ -defined, so is an IU ? O-progressive language, but the converse does not hold. Definition 2.1.12. A language L ¤ ; over alphabet X [ U (X and U disjoint) is U -deadlock-free if 8˛ 2 .X [ U /? 8u 2 U 9ˇ 2 U ? 9x 2 X Œ˛u 2 L ) ˛u ˇx 2 L:

18


Any language L .IU ? O/? is U -deadlock-free (because no word ending by a symbol u 2 U belongs to the language). Example 2.10. (a) Let X D I [O, I D fi1 ; i2 g, O D fo1 ; o2 g and U D fu1 ; u2 g. The language L D f.i1 .u1 u?2 u1 /? o1 /? C.i1 .u1 u?2 u1 /? o1 /? i1 u1 u?2 g is U -deadlock-free, because any word in the language terminating by u1 or u2 can be extended by suffix u1 to a word in the language terminating by o1 . The corresponding automaton is shown in Fig. 2.1c. (b) Let X D I [ O, I D fi1 ; i2 g, O D fo1 ; o2 g and U D fu1 ; u2 ; u3 g. The language L D fi1 .u1 u?2 u3 /? o1 /? C.i1 .u1 u?2 u3 /? o1 /? i1 u1 u?2 C.i1 .u1 u?2 u3 /? o1 /? i1 u1 u?2 u1 u?2 g is not U -deadlock-free, since the words in the collection f.i1 .u1 u?2 u3 /? o1 /? i1 u1 u?2 u1 u?2 g cannot be extended to words in L (e.g., ˛ D i1 u1 u2 u1 ). The corresponding automaton is shown in Fig. 2.1d. Definition 2.1.13. A language L ¤ ; over alphabet X [ U (X and U disjoint) is U -convergent if 8˛ 2 X ? the language ˛*U \ L is finite, otherwise it is U -divergent. Example 2.11. The language L D fi u? og where X D fi; og and U D fug is U -divergent, as witnessed by the string ˛ D io 2 X whose expansion includes the infinite set fiu? og coinciding with L: f˛*U g D f.io/*fug g D fu? iu? ou? g fiu? og D L.

2.1.4 Composition of Languages Consider two systems A and B with associated languages L.A/ and L.B/. The systems communicate with each other by a channel U and with the environment by channels I and O. We introduce two composition operators that describe the external behavior of the composition of L.A/ and L.B/. Definition 2.1.14. Given the pairwise disjoint alphabets I; U; O, language L1 over I U and language L2 over U O, the synchronous composition of languages L1 and L2 is the language3 Œ.L1 /"O \ .L2 /"I #I O , denoted by L1 I O L2 , defined over I O. Definition 2.1.15. Given the pairwise disjoint alphabets I; U; O, language L1 over I [ U and language L2 over U [ O, the parallel composition of languages L1 and L2 is the language Œ.L1 /*O \ .L2 /*I +I [O , denoted by L1 ˘I [O L2 , defined over I [ O. Given alphabets I; U; O, language L1 over I [ U and language L2 over U [ O, the l-bounded parallel composition of languages L1 and L2 is the language Œ.L1 /*O \ .L2 /*I \ .I [ O/?*.U;l/ +I [O , denoted by L1 ˘lI [O L2 , defined over I [ O. 3

Use the same order I U O in the languages .L1 /"O and .L2 /"I .


19

Fig. 2.2 Composition topology with three components

For ease of notation, we will omit the alphabet from the symbol of synchronous and parallel composition, unless unclear from the context. By definition of the operations #V , "V , +V , *V , *.V;l/ it follows that ; L D L ; D ;, ; ˘ L D L ˘ ; D ;, ; ˘l L D L ˘l ; D ;. When l D 1 the definition of l-bounded parallel composition reduces to the definition of parallel composition of languages, because then .I [O/?*.U;l/ becomes .I [ O [ U /? , that is the universe over I [ O [ U , and so it can be dropped from the conjunction. These definitions can be easily extended to more components and more complex interconnection topologies, e.g., to the topology where U is observable externally or where U is the cartesian product of two alphabets only one of which is observable. For instance in Fig. 2.2 we show a composition topology with three components: A, B and C , which together define the composed system: .A"ZO \ B"I O \ C"I U V /#I U O : We notice that I and O are external variables, U is an internal variable that is observable externally, whereas V and Z are internal variables. The composition is well-formed because the synchronous composition operator is associative [150]. Each specific topology dictates the alphabets to which projection and lifting (restriction and expansion) should be applied. In the most straightforward

20


composition topology with two components, we will assume that I; O are external alphabets, and U is an internal alphabet; however, U or a part of it can be made observable externally, if needed. Comment. The definition of parallel composition justifies a-posteriori why the expansions operator e is not defined to be a substitution, i.e., e./ ¤ fg. Consider a language A D ..i o/? .uv/? /? and a language B whatsoever. The parallel composition of A and B should be equal to the language .i o/? , because B should not affect the I [ O behavior of A. Now suppose B D fg. If we would define e./ D fg, then it would be A \ B*I [O D ..i o/? .uv/? /? \ fg*I [O D ..i o/? .uv/? /? \ fg D fg; if we define instead fg*I [O D .I [ O/? then it is A \ B*I [O D ..i o/? .uv/? /? \ fg*I [O D ..i o/? .uv/? /? \ .i [ o/? D .i o/? , that is the expected result. Variants of synchronous composition are introduced in [25] as product, (with the comment sometimes called completely synchronous composition), and in [82] as synchronous parallel composition, ˝. Variants of parallel composition are introduced in [25] as parallel composition, k (with the comment often called synchronous composition), and in [82] as interleaving parallel composition, k; the same operator was called asynchronous composition in [107]. These definitions were usually introduced for regular languages; actually they were more commonly given for finite automata. It has also been noticed by Kurshan [82] and Arnold [2] that asynchronous systems can also be modeled with the synchronous interpretation, using null transitions to keep a transition system in the same state for an arbitrary period of time. Kurshan [82] observes that: “While synchronous product often is thought to be a simple -even uninteresting!- type of coordination, it can be shown that, through use of nondeterminism, this conceptually simple coordination serves to model the most general ‘asynchronous’ coordination, i.e., where processes progress at arbitrary rates relative to one another. In fact the ‘interleaving’ model, the most common model for asynchrony in the software community, can be viewed as a special case of this synchronous product.” A technical discussion can be found in [83], but the transformation is not straightforward in practice, and the matter requires further investigation. In the sequel it will be useful to extend some properties of languages to the composition of two languages. As examples, we illustrate the extension for I -progressive and I ? O-progressive languages. Definition 2.1.16. Given a language A over alphabet I U , a language B over alphabet U O is A-compositionally I -progressive if the language L D A"O \ B"I over alphabet X D I U O is I -progressive, i.e., 8i 2 I 9.u; o/ 2 U O Œ˛ 2 L ) ˛ .i; u; o/ 2 L. Definition 2.1.17. Given a language A over alphabet I [ U , a language B over alphabet U [ O is A-compositionally I U ? O-progressive if the language L D A"O \ B"I .I U ? O/? over alphabet X D I [ U [ O (I , U and O pairwise disjoint) is I U ? O-progressive, i.e., 8i 2 I 9ˇ 2 U ? 9o 2 O Œ˛ 2 L ) ˛ iˇo 2 L.

2.2 Solution of Equations Over Languages

21

Defns. 2.1.16 and 2.1.17 characterize compositions that do not fall into a deadlock or a livelock. When clear from the context, instead of A-compositionally we will write more simply compositionally.

2.2 Solution of Equations Over Languages 2.2.1 Language Equations Under Synchronous Composition Given the alphabets I; U; O, a language A over alphabet I U and a language C over alphabet I O, consider the language equations A X C;

(2.1)

A X D C:

(2.2)

or, Definition 2.2.1. Given the alphabets I; U; O, a language A over alphabet I U and a language C over alphabet I O, language B over alphabet U O is called a solution of the equation A X C iff A B C . Given the alphabets I; U; O, a language A over alphabet I U and a language C over alphabet I O, language B over alphabet U O is called a solution of the equation A X D C iff A B D C . A solution is called the largest solution if it contains any other solution. B D ; is the trivial solution. Theorem 2.12. The largest solution of the equation A X C is the language S D A C. If A A C D S then A C is the largest solution of the equation A X D C . Proof. Consider a string ˛ 2 .U O/? ; then ˛ is in the largest solution of A X C iff A f˛g C and the following chain of equivalences follows: A f˛g C , .A"O \ f˛g"I /#I O \ C D ; , by Prop: 2:1.a/ C D .C "U /#I O .A"O \ f˛g"I /#I O \ .C "U /#I O D ; , by Prop: 2:3.d / since ..C "U /#I O /"U D C "U .A"O \ f˛g"I \ C "U /#I O D ; , by Prop: 2:7.b/ A"O \ f˛g"I \ C "U D ; , by Prop: 2:7.b/

22


.A"O \ f˛g"I \ C "U /#U O D ; , by Prop: 2:3.d / since f˛g"I D ..f˛g"I /#U O /"I .f˛g"I /#U O \ .A"O \ C "U /#U O D ; , by Prop: 2:1.a/ .f˛g"I /#U O D f˛g f˛g \ .A"O \ C "U /#U O D ; , ˛ 62 .A"O \ C "U /#U O , ˛ 2 .A"O \ C "U /#U O , ˛ 2AC Therefore the largest solution of the language equation A X C is given by the language S D A C:

(2.3) t u

Corollary 2.13. A language B over alphabet U O is a solution of A X C iff B A C. Equations over languages can be extended to topologies with more than two components, as the one in Fig. 2.3, whose largest solution is given by: S D ..A"ZO \ C"I U V / \ S "V Z /#U V Z (see [150]). Let S be the largest solution of the equation A X C . It is of interest to investigate subsets of S that satisfy some further properties, e.g., being prefixclosed, progressive, etc. If S is prefix-closed then S is the largest prefix-closed solution of the equation. However, not every non-empty subset of S inherits the feature of being prefixclosed. If S is not prefix-closed, then denote by S Pref the set obtained from S by deleting each string that has a prefix not in S . Proposition 2.14. If S Pref ¤ ;, then S Pref is the largest prefix-closed solution of the equation A X C . If S Pref D ;, then the equation A X C has no prefix-closed solution. If the language S does not include the empty string, then A X C has no prefix-closed solution. If S is U -progressive (S is a language over alphabet U O), then S is the largest U -progressive solution of the equation. However, not each non-empty subset of S

2.2 Solution of Equations Over Languages

23

Fig. 2.3 Language equation with respect to a composition topology with three components

inherits the feature of being U -progressive. If S is not U -progressive, then denote by Prog.S / the set obtained from S by deleting each string ˛ such that, for some u 2 U , there is no o 2 O for which ˛.u; o/ 2 S . Proposition 2.15. If Prog.S / ¤ ;, then the language Prog.S / is the largest U -progressive solution of the equation A X C . If Prog.S / D ;, then the equation A X C has no U -progressive solution.

2.2.2 Language Equations Under Parallel Composition Given the pairwise disjoint alphabets I; U; O, a language A over alphabet I [ U , and a language C over alphabet I [ O, consider the language equation A ˘ X C;

(2.4)

A ˘ X D C:

(2.5)

or, Definition 2.2.2. Given the pairwise disjoint alphabets I; U; O, a language A over alphabet I [ U and a language C over alphabet I [ O, language B over alphabet U [ O is called a solution of the equation A ˘ X C iff A ˘ B C . Given the pairwise disjoint alphabets I; U; O, a language A over alphabet I [ U and a language C over alphabet I [ O, language B over alphabet U [ O is called a solution of the equation A ˘ X D C iff A ˘ B D C .

24


The largest solution is a solution that contains any other solution. B D ; is the trivial solution. Theorem 2.16. The largest solution of the equation A ˘ X C is the language S D A ˘ C. If A ˘ A ˘ C D S then A ˘ C is the largest solution of the equation A ˘ X D C . Proof. Consider a string ˛ 2 .U [ O/? , then ˛ is in the largest solution of A ˘ X C iff A ˘ f˛g C and the following chain of equivalences follows: A ˘ f˛g C , .A*O \ f˛g*I /+I [O \ C D ; , by Prop: 2:1.c/ C D .C *U /+I [O .A*O \ f˛g*I /+I [O \ .C *U /+I [O D ; , by Prop: 2:5.d / since ..C *U /+I [O /*U D C *U .A*O \ f˛g*I \ C *U /+I [O D ; , by Prop: 2:7.d / A*O \ f˛g*I \ C *U D ; , by Prop: 2:7.d / .A*O \ f˛g*I \ C *U /+U [O D ; , by Prop: 2:5.d / since f˛g*I D ..f˛g*I /+U [O /*I .f˛g*I /+U [O \ .A*O \ C *U /+U [O D; , by Prop: 2:1.c/ .f˛g*I /+U [O Df˛g f˛g \ .A*O \ C *U /+U [O D; , ˛ 62 .A*O \ C *U /+U [O , ˛ 2 .A*O \ C *U /+U [O , ˛ 2A˘C Therefore the largest solution of the language equation A ˘ X C is given by the language S D A ˘ C:

(2.6) t u

Corollary 2.17. A language B over alphabet U [ O is a solution of A ˘ X C iff B A ˘ C . Proposition 2.18. If S is U -convergent, then S is the largest U -convergent solution of the equation, and a language B ¤ ; is a U -convergent solution iff B S . When S is not U -convergent the largest U -convergent solution does not exist, since any finite subset of S is a U -convergent solution and therefore no string can be deleted from S without missing a solution. An analogous proposition and remark hold for S -compositionally U -convergent solutions.

2.3 Solution of Equations Over Regular Languages and Finite Automata

25

2.2.3 Language Equations Under Bounded Parallel Composition Theorem 2.19. The largest solution of the equation A ˘l X C is the language S D .A*O \ C *.U;l/ /+U [O : Proof. A ˘l f˛g C , .A*O \ f˛g*I \ .I [ O/?*.U;l/ /+I [O \ C D ; , A*O \ f˛g*I \ C *.U;l/ D ; , ˛ 62 .A*O \ C *.U;l/ /+U [O , ˛ 2 .A*O \ C *.U;l/ /+U [O

t u

2.3 Solution of Equations Over Regular Languages and Finite Automata Language equations can be solved effectively when they are defined over languages that can be computed with finite procedures. Usually such languages are presented through their corresponding mathematical machines, e.g., finite automata for regular languages. In the following sections, equations over various classes of automata are studied, like FAs and FSMs, specializing the theory of equations to their associated languages. A key issue to investigate is the closure of the solution set with respect to a certain type of language, e.g., when dealing with FSM language equations we require that the solutions are FSM languages. This cannot be taken for granted, because the general solution of abstract language equations is expressed through the operators of complementation and composition, which do not necessarily preserve certain classes of languages.

2.3.1 An Algorithm to Solve Equations Over Regular Languages and Automata Two well-known results [63] are that non-deterministic finite automata are equivalent (with respect to language equality) to deterministic ones and that regular expressions are equivalent to finite automata. By applying the algorithm of subset construction one converts a NDFA into an equivalent DFA (it is complete by construction). Given an NDFA F D hS; ˙; ; r; Qi, the process of subset construction

26


builds the DFA F 0 D h2S ; ˙; ı; r; Q 0 i, where (1) the states sQ 2 2S are the subsets of S , (2) the transition relation is ı.i; sQ / D [s2Qs fs 0 j .i; s; s 0 / 2 g and (3) a state is final, i.e., sQ 2 Q0 2S , iff sQ \Q ¤ ;. Since many of the states in 2S are unreachable from the initial state, they can be deleted and so the determinized automaton usually has fewer states than the power set.4 To make a NDFA complete it is not necessary to apply the full-blown subset construction, but it suffices to add a new non-accepting state sd whose incoming transitions are .i; s; sd / for all i; s for which there was no transition in the original automaton. By a closure construction [63], an NDFA with -moves can be converted to an NDFA without -moves; however, a subset construction must be applied at the end to determinize it. The equivalence of regular expressions and finite automata is shown by matching each operation on regular expressions with a constructive procedure that yields the finite automaton of the result, given the finite automata of the operands. For the most common operations (union, concatenation, complementation, intersection) see [63]. Here we sketch the constructions for the less known operations of projection, lifting, restriction and expansion: projection (#) Given FA F that accepts language L over X V , FA F 0 that accepts language L#V over X is obtained from F by the following procedure: replace each edge ..x; v/; s; s 0 / by the edge .x; s; s 0 /. lifting (") Given FA F that accepts language L over X , FA F 0 that accepts language L"V over X V is obtained from F by the following procedure: replace each edge .x; s; s 0 / by the edges ..x; v/; s; s 0 /; 8v 2 V . restriction (+) Given FA F that accepts language L over X [V , FA F 0 that accepts language L+V over V is obtained from F by the following procedure: 8x 2 X n V , change every edge .x; s; s 0 / into the edge .; s; s 0 /, i.e., replace the symbols x 2 X n V by .5 expansion (*) Given FA F that accepts language L over X , FA F 0 that accepts language L*V over X [ V (X \ V D ;) is obtained from F by the following procedure: for each state s, 8v 2 V add the edge (self-loop) .v; s; s/. l-expansion (*l ) Given FA F that accepts language L over X , FA F 0 that accepts language L*.V;l/ , l integer, over X [ V (X \ V D ;) is obtained from F by the following procedure: 1. The set of states S 0 of F 0 is given by S 0 D S [ f.s; j / j s 2 S; 1 j lg: It is not uncommon in practice to find that jSQ j jSj. Apply the closure construction to obtain an equivalent deterministic finite automaton without -moves.

4 5


27

2. The next state relation 0 of F 0 is given by 0 D [ f.v; s; .s; 1// j v 2 V; s 2 S g [ f.v; .s; j /; .s; j C 1// j v 2 V; s 2 S; 1 j < lg [ f.x; .s; j /; s 0 / j .x; s; s 0 / 2 ; 1 j lg: 3. r 0 D r and Q 0 D Q. The procedures for projection, lifting and restriction guarantee the substitution property f ./ D . Given that all the operators used to express the solution of regular language equations have constructive counterparts on automata, we conclude that there is an effective (constructive) way to solve equations over regular languages. As an example, given a regular language equation A X C , where A is a regular language over alphabet I U , C is over I O, and the unknown regular language X is over U O, an algorithm to build X follows. Procedure 2.3.1. Input: Regular language equation A X C ; Output: Largest regular language solution X 1. Consider the finite automata F .A/ and F .C / corresponding, respectively, to regular languages A and C . 2. Determinize F .C / by subset construction, if it is a NDFA. The automaton F .C / of C is obtained by interchanging the sets of accepting and non-accepting states of the determinization of F .C /. 3. Lift the language A to O by replacing each label .i; u/ of a transition of F .A/ with all triples .i; u; o/, o 2 O. Lift the language C to U by replacing each label .i; o/ of a transition of F .C / with all triples .i; u; o/, u 2 U . 4. Build the automaton F .A \ C / of the intersection A \ C . The states are pairs of states of the lifted automata F .A/ and F .C /, the initial state is the pair of initial states, and a state of the intersection is accepting if both states of the pair are accepting. There is a transition from the state .s1 ; s2 / to the state .s10 ; s20 / labeled with action .i; u; o/ in F .A \ C /, if there are corresponding transitions labeled with .i; u; o/ from state s1 to state s10 in F .A/ and from s2 to s20 in F .C /. 5. Project F .A \ C / to U O to obtain F .A C / by deleting i from the labels .i; u; o/. Projection in general makes the finite automaton non-deterministic. 6. Determinize F .A C / by subset construction, if it is a NDFA. The automaton F .A C / corresponding to the regular language solution X D A C is obtained by interchanging the sets of accepting and non-accepting states of the determinization of F .A C /. Notice that Procedure 2.3.1 holds for any regular language, not only for prefixclosed languages as in restricted versions reported in the literature. A companion procedure to solve the regular language equation under parallel composition A ˘ X C is obtained from Procedure 2.3.1, after replacing the

28


Cartesian product with union, projection with restriction and lifting with expansion. The largest solution of parallel equations for prefix-closed regular languages had been known already in the process-algebra literature [90, 94, 118].

2.3.2 An Application to Converter Synthesis: The Protocol Mismatch Problem We apply the algorithm in Sect. 2.3.1 to an equation over finite automata to solve a problem of converter synthesis, i.e., the design of an automaton to translate between two different protocols. A communication system has a sending part and a receiving part that exchange data through a specific protocol. A mismatch occurs when two systems with different protocols try to communicate. The mismatch problem is solved by designing a converter that translates between the receiver and the sender, while respecting the overall service specification of the behavior of the composed communication system relative to the environment. We formulate the problem as a parallel language equation: given the service specification C of a communication system, a component sender and a component receiver, find a converter X whose composition with the sender and receiver A meets the system specification after hiding the internal signals: A ˘ X C . As an example we consider the problem of designing a protocol converter to interface: an alternating-bit (AB) sender and a non-sequenced (NS) receiver. This problem is adapted from [78] and [56]. A communication system based on an alternating bit protocol is composed of two processes, a sender and a receiver, which communicate over a half duplex channel that can transfer data in either directions, but not simultaneously. Each process uses a control bit called the alternating bit, whose value is updated by each message sent over the channel in either direction. The acknowledgement is also based on the alternating bit: each message received by either process in the system corresponds to an acknowledgement message that depends on the bit value. If the acknowledgement received by a process does not correspond to the message sent originally, the message is resent until the correct acknowledgement is received. On the other hand, a communication system is nonsequenced when no distinction is made among the consecutive messages received or their corresponding acknowledgements. This means that neither messages nor their acknowledgements are distinguished by any flags such as with the alternating bit. Figure 2.4 shows the block diagram of the composed system. Each component is represented by a rectangle with incoming and outgoing labeled arrows to indicate the inputs and outputs, respectively. The sender consists of an AB protocol sender (PS) and of an AB protocol channel (PC). Meanwhile, the receiving part includes an NS protocol receiver (PR). The converter X must interface the two mismatched protocols and guarantee that its composition with PS , P C and PR refines the service specification (SS) of the composed system. The events Acc (Accept) and Del


29

Fig. 2.4 Communication system described in Sect. 2.3.2

(Deliver) represent the interfaces of the communication system with the environment (the users). The converter X translates the messages delivered by the sender PS (using the alternating bit protocol) into a format that the receiver PR understands (using the non-sequenced protocol). For example, acknowledgement messages A delivered to the converter by the receiver are transformed into acknowledgements of the alternating bit protocol (a0xc to acknowledge a 0 bit and a1xc to acknowledge a 1 bit) and passed to the sender by the channel (a0cs to acknowledge a 0 bit and a1cs to acknowledge a 1 bit); data messages are passed from the sender to the channel (d0sc for a message controlled by a 0 bit and d1sc for a message controlled by a 1 bit) and then from the channel to the converter (d0cx for a message controlled by a 0 bit and d1cx for a message controlled by a 1 bit) to be transformed by the converter into a data message D for the receiver. We model the components as I/O automata [89], which recognize prefix-closed regular languages, and we solve their language equations. Figure 2.5 shows the automata of the components of the communication system. Missing transitions go to a trap (non-accepting) state, that loops to itself under any event. Figure 2.6 shows the largest prefix-closed solution S D PS ˘ PC ˘ PR ˘ SS of the converter problem. All missing transitions go to an accepting trap state dc (not shown), that would loop to itself under any event; e.g., the initial state would have a transition to state dc under events A; a0xc; a1xc; d1cx. These transitions are not indicated in the state transition graph of the automaton of the solution language to avoid cluttering the picture. State dc can be termed the don’t care state, because it is introduced during the determinization step to complete the automaton PS ˘ P C ˘ PR ˘ S S, before the final complementation. It is reached by transitions that cannot occur due to impossible combinations of events in the composition of PS ˘P C ˘PR and S , and so it does not matter how S behaves, once it is in state dc (thus the qualification don’t care state). This makes the largest solution S non-deterministic. The solution presented in [78] and [56] does not feature this trap accepting state and so it is not complete (in [78] and [56] all missing transitions of the solution are supposed to end up in a non-accepting trap state, a fail state); without the above dc state, one gets only a subset of all solutions (in particular the complete solutions are missed) and this might lead to an inferior implementation.

30


a

b

c d

Fig. 2.5 Automata of communication system described in Sect. 2.3.2. (a) Automaton of PS; (b) automaton of PR; (c) automaton of P C ; (d) automaton of SS

Figure 2.7 shows yet another view of the largest prefix-closed solution S D PS ˘ PC ˘ PR ˘ SS of the converter problem, with the dc state included and the fail state excluded. Figure 2.8 shows the largest prefix-closed 2-bounded solution of the converter problem, as an example of solution with bounded internal communication. Figure 2.9 shows the composition PS ˘ PC ˘ PR \ S*fAcc;Delg of the communication system PS ˘ PC ˘ PR and of the largest converter S . The largest prefix-closed solution S is compositionally .I ? O/-progressive and compositionally prefix .U [ V /-deadlock-free, but not compositionally prefix .U [ V /-convergent. This means that, even if we extract from the largest solution S a complete solution SO (i.e., SO is defined for every internal input A; d 0cx; d1cx), the composition of SO with the context (PS ˘ PC ˘ PR may deadlock, i.e., the automata can exchange internal actions without producing any output for the environment; this happens, for instance, if SO after the internal input d0cx always selects the internal output a1cx (and never selects D). In general the composition of any complete solution that never produces the internal output D with the context has livelocks (loop


31

Fig. 2.6 Largest prefix-closed solution S D PS ˘ P C ˘ PR ˘ SS of the converter problem of Sect. 2.3.2

a1xc-d0cx), which are deadlocks with respect to the external input Acc, i.e., the composition is not complete. So the largest solution S is not compositionally prefix .U [ V /-convergent due to the existence of internal cycles, but since the latter can be exited by selecting the internal output D S is compositionally prefix .U [ V /deadlock-free (and therefore compositionally .I ? O/-progressive). The protocol conversion problem was addressed in [78], as an instance of supervisory control of discrete event systems, where the converter language is restricted to be a sublanguage of the context A, and in [56] with the formalism of input-output automata. In [78] the problem is modeled by the equation A ˘ X D C over regular languages with the rectification topology (see Fig. 1d). The solution is given as a sublanguage of A of the form A ˘ C n A ˘ C (not the largest solution). An algorithm to obtain the largest compositionally progressive solution is provided that first splits the states of the automaton of the unrestricted solution (refining procedure, exponential step due to the restriction operator), and then deletes the states that violate the desired requirement of progressive composition (linear step). This algorithm does not generalize as it is to topologies where the unknown component depends also on signals that do not appear in the component A.

32


Fig. 2.7 Largest prefix-closed solution S of the converter problem of Sect. 2.3.2. It shows explicitly the transitions to the dc state

Problems

33

D

d0cx

A, d0cx

D, d0cx

A, d0cx

d1cx

d1cx

d1cx

a0xc

A, a0xc

A, a0xc

dc

a1xc, d1cx

a1xc

A

a1xc, d0cx

A, docx

D, docx

A, d0cx

d1cx

d1cx

d1cx

A

d1cx

D

Fig. 2.8 Largest prefix-closed 2-bounded solution of the converter problem of Sect. 2.3.2

Problems 2.1. Consider the traffic controller example described in [12]. For ease of reference we show in Figs. 2.10 and 2.11 respectively the context automaton A and the specification automaton C derived from it. Notice that the inputs of A are two binary variables v1 ; v2 , and the multi-valued variable colours that can assume the values green, red, yellow. The inputs of C are two multi-valued variables i1 ; i2 that can assume each one of the three values 1; 2; 3, and again the multi-valued variable colours. Find the largest solution of the equation A X C , where the input variables of X are i1 ; i2 and v1 ; v2 . This is a series topology where X feeds A, and the composition of X and A yields C . Repeat the problem assuming that X has one more input: the variable colours of automaton A, as in the controller’s topology. Hint. The largest solution automaton of the series-topology equation is shown in Fig. 2.12. If the reader will find too cumbersome carrying on by the hand the computations, it will be one more reason to appreciate the automatica tool BALM presented in the second part of the book. 2.2. Consider the alphabets I D fi 0; i1g, V D fv0; v1g, O D fo0; o1g, and the automata A D hSA ; ˙A ; A ; rA ; QA i and C D hSC ; ˙C ; C ; rC ; QC i. Let the automata be defined as follows: SA D QA D fsa; sbg, ˙A D V O, A D f.v0 o1; sa; sb/, .v1 o0; sa; sb/, .v0 o1; sb; sb/, .v1 o1; sb; sa/, rA D sa,

34


D

a1xc

d0cx

Del

a1xc

d0cx

D

A

a1xc

d0cx

Del

a1xc

d0cx

A

d0cx

a0xc

Acc

Acc

a1xc

d1cx

A

d1cx

Del

d1cx

a0xc

A

D

d1cx

a0xc

Del

d1cx

a0xc

a0xc

D

Fig. 2.9 Composition PS ˘ P C ˘ PR \ S*fAcc;Delg of communication system PS ˘ P C ˘ PR and largest converter S of the converter problem of Sect. 2.3.2

and SC D QC D fs1; s2; s3; s4g, ˙C D I O, C D f.i1 o0; s1; s2/, .i 0 o0; s1; s3/, .i 0 o1; s2; s1/, .i1 01; s2; s3/g, .i 0 o1; s3; s1/, .i1 o1; s3; s4/, .i1 o1; s4; s3/g, .i 0 o0; s4; s3/, rC D s1. Compute the largest solution of the equation A X C , where X has inputs I V. Verify whether in this example the largest solution is complete with respect to I . 2.3. Consider the alphabets I D fi1; i 2g, V D fv1; v2g, O D fo1; o2g, and the automata A D hSA ; ˙A ; A ; rA ; QA i and C D hSC ; ˙C ; C ; rC ; QC i. Let the automata be defined as follows: SA D QA D fs1; s2g, ˙A D V O, A D

Problems

35 The automaton is incomplete (3 states) and deterministic. 3 inputs 3 states 7 transitions Inputs = { v1, v2, colours(3) } 0-r

1 1-g 10y

00g 11y

2

-1g

01g

3

Fig. 2.10 Graphical output of BALM showing the automaton traffic-ma.aut describing the fixed automaton component of the traffic light controller problem. The notation of BALM will be presented formally later on, but this graph can be read as any usual FSM graphical representation The automaton is incomplete (4 states) and deterministic. 3 inputs 4 states 7 transitions Inputs = { i1(3), i2(3), colours(3) } -2r (0,1) (1,2) r 0-r

a

(1,2) 0 g 2 (0,1) g

--y

- (1,2) g

c

- (1,2) y

b

-0g

d

-0g

Fig. 2.11 Graphical output of BALM showing the automaton traffic-mc.aut describing the specification automaton of the traffic light controller problem

f.v1 o1; s1; s2/, .v2 o2; s1; s1/, .v1 o2; s2; s1/, .v2 o1; s2; s2/, rA D s1, and SC D QC D fsa; sb; scg, ˙C D I O, C D f.i1 o1; sa; sb/, .i 2 o2; sa; sc/, .i 2 o2; sb; sa/, .i1 02; sb; sc/g, .i1 o1; sc; sa/, .i 2 o1; sc; sb/, rC D sa. Compute the largest solution of the equation A X C , where X has inputs I V O. Verify whether in this example of controller’s topology the composition of the largest solution with MA is progressive.

36

2 Equations Over Languages and Finite Automata The automaton is complete and deterministic. 4 inputs 8 states 23 transitions Inputs = { i1(3), i2(3), v1, v2 } - 2 0 (0,1) (1,2) 0 0 - 0 -

s0

(1,2) 0 1 2 (0,1) 1 -

- - 1 1 - - 1 0

- (1,2) 0 0 - 2 1 (0,1) (1,2) 1 0 - 1 (1,2) 0 0 2 (0,1) 0 -

- (1,2) 1 0

s2

- (1,2) - 1

- 0 0 0

s4

- (1,2) 1 1

- 0 0 0

s5

- - 1 0

s6

- - - 1 - - 0 1 - - 0 -

- - - 0

- 0 - 1

- 0 - 1

- (1,2) - 1 - (1,2) 0 - 0 1 0

- 0 0 1

s7

- (1,2) 0 1 - - - 0 - 0 1 1

DC1

- - - -

DC

- - - -

Fig. 2.12 Graphical output of BALM showing the automaton traffic-xfsm min.aut describing the largest solution automaton of the traffic light controller problem

2.4. Somebody claims that there is a more efficient way to solve the language equation F X S . Instead of computing the solution .F \ S "U V /#U V , compute as a solution .F \ S "U V /#U V . The advantage would be to avoid a determinization because the second complementation is performed before the projection (the latter introduces non-determinism and so the need for determinization). Is it correct? Are the two expressions equivalent ? Is one contained in the other?

Chapter 3

Equations Over Finite State Machines

3.1 Finite State Machines and Their Languages 3.1.1 Finite State Machines Definition 3.1.1. A finite state machine (FSM) is a 5-tuple M D hS; I; O; T; ri where S represents the finite state space, I represents the finite input space, O represents the finite output space and T I S S O is the transition relation. On input i , the FSM at present state p may transit to next state n and produce output o iff .i; p; n; o/ 2 T . State r 2 S represents the initial or reset state. We denote the projection of relation T to I S S (next state relation) by Tn I S S , i.e., .i; s; s 0 / 2 Tn , 9o .i; s; s 0 ; o/ 2 T ; similarly, we denote the projection of relation T to I S O (output relation) by To I S O, i.e., .i; s; o/ 2 To , 9s 0 .i; s; s 0 ; o/ 2 T . Sometimes ı is used instead of Tn and instead of To . If at least one transition is specified for each present state and input pair, the FSM is said to be complete. If no transition is specified for at least one present state and input pair, the FSM is said to be partial. An FSM is said to be trivial when T D ;, denoted by M . The notion of a partial FSM should not be confused with that of an incompletely specified FSM (ISFSM), which is traditionally employed in the digital design literature to denote a form of restricted non-determinism widely used in the specification of sequential logic designs (see [66]). ISFSMs are introduced in Definition 3.1.4. It is convenient to think of the relations Tn and To as functions Tn W I S ! 2S and To W I S ! 2O . Definition 3.1.2. An FSM M 0 D hS 0 ; I 0 ; O 0 ; T 0 ; r 0 i is a submachine of FSM M D hS; I; O; T; ri if S 0 S , I 0 I , O 0 O, r 0 D r, and T 0 is a restriction of T to the domain of definition I 0 S 0 S 0 O 0 .


37

38

3 Equations Over Finite State Machines

Definition 3.1.3. A deterministic FSM (DFSM) is an FSM where for each pair .i; p/ 2 I S , there is at most one next state n and one output o such that .i; p; n; o/ 2 T , i.e., there is at most one transition from p under i . An FSM that is not a DFSM is a non-deterministic finite state machine (NDFSM). In a DFSM the next state n and the output o can be given, respectively, by a next state function n D Tn .i; p/ and an output function o D To .i; p/, where Tn and To may be partial functions when the DFSM is partial. Definition 3.1.4. An incompletely specified FSM (ISFSM) is a NDFSM such that, for a given input and present state, either there is a unique next state and output, or the next state is a designated don’t care state DNC and any output is produced; moreover, at the state DNC under any input there is a self-loop and any output is produced. Definition 3.1.5. An NDFSM is a pseudo non-deterministic FSM (PNDFSM) [142], or observably non-deterministic FSM[28], or observable FSM[130], if for each triple .i; p; o/ 2 I S O, there is at most one state n such that .i; p; n; o/ 2 T . The qualification “non-deterministic” is because for a given input and present state, there may be more than one possible output; however, edges (i.e., transitions) carrying different outputs must go to different next states. The further qualification “pseudo” non-deterministic is because its underlying finite automaton is deterministic. In a PNDFSM the next state n, if it exists, is unique for a given combination of input, present state and output, so it can be defined by a partial next state function n D Tn .i; p; o/. The output is represented by a relation To I S O, because the output is non-deterministic in general. Definition 3.1.6. A complete FSM is said to be of Moore type if .i; p; n; o/ 2 T implies that for all i 0 there is n0 such that .i 0 ; p; n0 ; o/ 2 T .1 The transition relation T of an FSM can be extended in the usual way to a relation on I ? S S O ? : given a present state p and an input sequence i1 : : : ik 2 I ? , .i1 : : : ik ; p; n; o1 : : : ok / 2 T iff there is a sequence s1 : : : skC1 such that s1 D p; : : : ; skC1 D n and for each j D 1; : : : ; k it holds that .ij ; sj ; sj C1 ; oj / 2 T . A similar extension can be defined for Tp and Tn . Here FSMs are assumed to be pseudo non-deterministic, unless otherwise stated. It is always possible to convert a general NDFSM into a PNDFSM by subset construction.

1

Notice that this definition allows for NDFSMs of Moore type, contrary to the more common definition of Moore type: for each present state p there is an output o such that all transitions whose present state is p carry the same output o.

3.1 Finite State Machines and Their Languages

39

3.1.2 Languages of FSMs We now introduce the notion of a language associated to an FSM. This is achieved by looking to the automaton underlying a given FSM. For our purposes, we define two related languages: one over the alphabet I O and the other over the alphabet I [ O, naturally associated, respectively, with synchronous and parallel composition, as it will be seen later. For a language over I O, the automaton coincides with the original FSM where all states are made accepting and the edges carry a label of the type .i; o/. For a language over I [ O, the automaton is obtained from the original FSM, by replacing each edge .i; s; s 0 ; o/ by the pair of edges .i; s; .s; i // and .o; .s; i /; s 0 / where .s; i / is a new node (non-accepting state). All original states are made accepting. The automaton is deterministic because from .i; s; s10 ; o1 / and .i; s; s20 ; o2 / the edges .i; s; .s; i //, .o1 ; .s; i /; s10 / and .o2 ; .s; i /; s20 / are obtained (the same edge .i; s; .s; i // works in both cases). Definition 3.1.7. Given an FSM M D hS; I; O; T; ri, consider the finite automaton F .M / D hS; I O; ; r; S i, where ..i; o/; s; s 0 / 2 iff .i; s; s 0 ; o/ 2 T . The language accepted by F .M / is denoted L r .M /, and by definition is the -language of M at state r. Similarly L s .M / denotes the language accepted by F .M / when started at state s, and by definition is the -language of M at state s. Definition 3.1.8. Given an FSM M D hS; I; O; T; ri, consider the finite automaton F .M / D hS [.S I /; I [O; ; r; S i, where .i; s; .s; i // 2 ^.o; .s; i /; s 0 / 2 iff .i; s; s 0 ; o/ 2 T . The language accepted by F .M / is denoted L[ r .M /, and by definition is the [-language of M at state r. Similarly L[ .M / denotes the language s accepted by F .M / when started at state s, and by definition is the [-language ? of M at state s. By construction, L[ s .M / .IO/ , where IO denotes the set fi o j i 2 I; o 2 Og. In both cases, 2 Lr .M / because the initial state is accepting. An FSM M is trivial iff Lr .M / D fg. Definition 3.1.9. A language L is an FSM language if there is an FSM M such that the associated automaton F .M / accepts L. The language associated to a DFSM is sometimes called a behavior.2 Remark. When convenient, we will say that FSM M has property X if its associated FSM language has property X . Definition 3.1.10. State t of FSM MB is said to be a reduction of state s of FSM MA (MA and MB are assumed to have the same input/output set), written t s,

2

The language associated to a NDFSM includes a set of behaviors.

40


iff Lt .MB / Ls .MA /. States t and s are equivalent states, written t Š s, iff t s and s t, i.e., when Lt .MB / D Ls .MA /. An FSM with no two equivalent states is a reduced FSM. Similarly, MB is a reduction of MA , MB MA , iff rMB , the initial state of MB , is a reduction of rMA , the initial state of MA . When MB MA and MA MB then MA and MB are equivalent FSMs, i.e., MA Š MB . For complete DFSMs reduction and equivalence of states coincide. An FSM can be reduced by merging the equivalent states with the classical state minimization procedure [63]. Given an FSM language, there is a family of equivalent FSMs associated with it; for simplicity we will usually speak of the FSM associated with a given FSM language. In this paper, complete deterministic FSMs are assumed to be reduced, unless stated otherwise. An FSM language is regular, whereas the converse is not true. Theorem 3.1. A regular language over alphabet I O is the language of a complete FSM over input alphabet I and output alphabet O iff L is prefix-closed and I -progressive. A regular language that is prefix-closed, but not I -progressive, is the language of a partial FSM. Notice that the merging of the notions of complete FSM and I -progressive associated language is due to the fact that FSMs are assumed to be PNDFSMs, i.e., their underlying automaton is deterministic, therefore a word has a unique run (sequence of transitions), from which an extension is possible under any input. Theorem 3.2. A regular language over alphabet I [ O is the language of a complete FSM over input alphabet I and output alphabet O iff L .IO/? , L is IO-prefix-closed and IO-progressive. A regular language L .IO/? that is IOprefix-closed, but not IO-progressive, is the language of a partial FSM. Given a regular language L over alphabet I O, an algorithm follows to build LFSM , the largest subset of L that is the -language of an FSM over input alphabet I and output alphabet O. Procedure 3.1.1. Input: Regular language L over I O; Output: Largest FSM language LFSM L. 1. Build a deterministic automaton A accepting L. 2. Delete all nonfinal states together with their incoming edges. 3. If the initial state has been deleted, then LFSM D ;. Otherwise, let AO be the automaton produced by the procedure and LFSM the language that AO accepts. If O then AO accepts the trivial there is no outgoing edge from the initial state of A, FSM language LFSM D fg, otherwise it accepts a nontrivial FSM language LFSM . Any FSM language in L must be a subset of LFSM . In general this procedure leads to a partial FSM. To obtain the largest subset of L that is the language of a complete FSM we must apply one more pruning algorithm.

3.1 Finite State Machines and Their Languages

41

Procedure 3.1.2. Input: FSM Language LFSM over I O; Output: Largest I progressive FSM language P rog.LFSM / LFSM . 1. Build a deterministic automaton A accepting LFSM . 2. Iteratively delete all states that have an undefined transition for some input (meaning: states such that 9i 2 I with no o 2 O for which there is an outgoing edge carrying the label .i; o/), together with their incoming edges, until the initial state is deleted or no more state can be deleted. 3. If the initial state has been deleted, then Prog.LFSM / D ;. Otherwise, let AO be the automaton produced by the procedure and Prog.LFSM / the language that AO accepts. Any I -progressive FSM language in LFSM must be a subset of Prog.LFSM /. Theorem 3.3. Procedure 3.1.2 returns the largest I -progressive subset of LFSM . Proof. Define a state s of the automaton A representing LFSM as I1 -nonprogressive if for some i 2 I and for all o 2 O there is no state reached from s under a transition labeled with .i; o/. State s is Ik -nonprogressive, k > 1, if for some i 2 I and for all o 2 O each state reached from s under the transition labeled .i; o/ is Ij -nonprogressive, j < k. State s is I -nonprogressive if it is Ik -nonprogressive for some k 1. The language P rog.LF SM / is represented by the automaton P rog.A/, obtained from A by removing iteratively the I -nonprogressive states and the related transitions. We must prove that if K LF SM and K is I -progressive then K P rog.LF SM /. The proof goes by induction. If K is I -progressive, there is no string in K that takes the automaton A from the initial state to an I1 -nonprogressive state. Suppose now by induction hypothesis that no string in K takes A to an Ik -nonprogressive state, k 1. We must conclude that, if K is I -progressive, there is also no string that takes A to an IkC1-nonprogressive state, otherwise, by definition of IkC1 -nonprogressive, K has a string that takes A to some Ij nonprogressive state, j k. Therefore no string in K takes the automaton A to a nonprogressive state, i.e., K P rog.LF SM /. t u Proposition 3.4. An FSM whose language is LF SM or P rog.LF SM / can be deduced trivially from AO (obtained according to Procedure 3.1.2) by interpreting each label .i; o/ as an input/output pair i=o. Proposition 3.5. Given a regular language L over alphabet I O, let M be an FSM over input alphabet I and output alphabet O. The language L r .M / of M is F SM contained in L iff L . r .M / L F SM . Indeed L Proof. Show that L r .M / L ) Lr .M / L r .M / is an FSM F SM language contained in L and L is by construction the largest FSM language F SM contained in L. So L . r .M / L F SM Lr .M / L ) Lr .M / L, since by definition LF SM L. t u

42


Given a regular language L over alphabet I [ O, an algorithm follows to build LF SM , the largest subset of L that is the [-language of an FSM over input alphabet I and output alphabet O. Procedure 3.1.3. Input: Regular language L over I [ O; Output: Largest FSM language LF SM L. 1. Build a deterministic automaton A accepting L \ .IO/? . 2. Delete the initial state if it is a nonfinal state. 3. Delete all nonfinal states having incoming edges labeled with symbols from alphabet O, together with their incoming edges. 4. If the initial state has been deleted, then LF SM D ;. Otherwise, let AO be the automaton produced by the procedure and LF SM the language that AO accepts. If O then AO accepts the trivial there is no outgoing edge from the initial state of A, F SM language L D fg, otherwise it accepts a nontrivial FSM language LF SM. Any FSM language in L must be a subset of LF SM. To obtain the largest subset of L that is the language of a complete FSM (IOprogressive) we must apply one more pruning algorithm. Procedure 3.1.4. Input: FSM Language LF SM over I [ O; Output: Largest IOprogressive FSM language P rog.LF SM / LF SM . 1. Build a deterministic automaton A accepting LF SM. 2. Iteratively delete all states that are final and for which 9i 2 I with no outgoing edge carrying the label i, together with their incoming edges, until the initial state is deleted or no more state can be deleted. Delete the initial state if 9i 2 I with no outgoing edge carrying the label i. 3. If the initial state has been deleted, then P rog.LF SM / D ;. Otherwise, let AO be the automaton produced by the procedure and P rog.LF SM / the language that AO accepts. Any IO-progressive FSM language in LF SM must be a subset of P rog.LF SM /. Theorem 3.6. Procedure 3.1.4 returns the largest IO-progressive subset of LF SM . Proof. Similar to the proof of Theorem 3.3.

t u

Proposition 3.7. An FSM whose language is LF SM or P rog.LF SM / can be deduced trivially from AO (obtained according to Procedure 3.1.4) by replacing pairs of consecutive edges labeled, respectively, with i and o by a unique edge labeled i=o. Proposition 3.8. Given a regular language L over alphabet I [ O, let M be an FSM over input alphabet I and output alphabet O. The language L[ r .M / of M is F SM contained in L iff L[ .M / L . r The proof is the same as the one of Prop. 3.5. Finally we characterize the Moore FSMs that are the reduction of a given FSM. Notice that the language of a Moore FSM is a Moore language.

3.2 Composition of Finite State Machines

43

Procedure 3.1.5. Input: Complete FSM M ; Output: Largest submachine of M that is a Moore FSM, denoted by Moore.M /, if it exists. Given a state s 2 M , define the set Ks D fo 2 O j 8i 2 I 9s 0 2 M s:t: .i; s; s 0 ; o/ 2 TM g, Ks O. 1. Iterate for each state s 2 M until M does not change. (a) Compute the set Ks O. (b) If Ks ¤ ; delete from TM each transition .i; s; s 0 ; o/ such that o 62 Ks ; if Ks D ; delete s with all its incoming edges from M . 2. If the initial state has been deleted then there is no submachine of M that is a Moore FSM, otherwise Moore.M / D M . Theorem 3.9. Any Moore FSM M 0 that is a reduction of M is a reduction of Moore.M /, the output of Procedure 3.1.5. Proof. Define a state s of FSM M as 1-nonMoore if Ks D ;. State s is k-nonMoore, k > 1, if for some i 2 I and for all o 2 O each state reached from s under the transition labeled .i=o/ is j -nonMoore, j < k. State s is nonMoore if it is knonMoore for some k 1. Moore.M / is obtained from M by removing iteratively the nonMoore states and, from the remaining states s, the transitions .i; s; s 0 ; o/ such that o 62 Ks . Notice that by construction Moore.M / is guaranteed to be complete. We must prove that if L.M 0 / L.M / and L.M 0 / is Moore then L.M 0 / L.Moore.M //. The proof goes by induction. If L.M 0 / is Moore, there is no string in L.M 0 / that takes the FSM M from the initial state to a 1-nonMoore state. Suppose now by induction hypothesis that no string in L.M 0 / takes M to a knonMoore state, k > 1. We must conclude that, if L.M 0 / is Moore, there is also no string that takes M to a .k C 1/-nonMoore state, otherwise, by definition of .k C 1/-nonMoore, L.M 0 / has a string that takes M to some j -nonMoore state, j k. Therefore no string in L.M 0 / takes the FSM M to a nonMoore state, i.e., L.M 0 / L.Moore.M //. t u Moore machines play a role in guaranteeing that the composition of FSMs is a complete FSM (see Theorem 3.12).

3.2 Composition of Finite State Machines Different types of composition between pairs of FSMs may be defined, according to the protocol by which signals are exchanged. For a given composition operator and pair of FSMs we must establish whether the composition of this pair is defined, meaning that it yields a set of behaviors that can be described by another FSM. In general, the composition of FSMs is a partially specified function from pairs of FSMs to an FSM. In our approach we define the composition of FSMs by means of the composition operators over languages introduced in Sect. 2.1. Thus

44


the FSM yielded by the composition of FSMs MA and MB is the one whose language is obtained by the composition of the FSM languages associated with MA and MB . The synchronous composition operator models the synchronous connection of sequential circuits, while the parallel composition operator models an exchange protocol by which an input is followed by an output after a finite exchange of internal signals. The latter model, introduced in [107], abstracts a system with two components and a single message in transit. At any moment either the components exchange messages or one of them communicates with its environment. The environment submits the next external input to the system only after the system has produced an external output in response to the previous input.

3.2.1 Synchronous Composition of FSMs Consider the pair of FSMs: 1. FSM MA has input alphabet I1 V , output alphabet U O1 , and transition relation TA . 2. FSM MB has input alphabet I2 U , output alphabet V O2 , and transition relation TB . We define a synchronous composition operator that associates with a pair of FSMs MA and MB another FSM MA MB such that: 1. The external input alphabet is I1 I2 D I . 2. The external output alphabet is O1 O2 D O. The topology for this is shown in Fig. 1a (a variant is in Fig. 1f).3 Recall that, by definition of synchronous composition of languages, a sequence ˛ 2 .I1 I2 O1 O2 /? is in the language of the synchronous composition of L.MA / and L.MB / iff ˛ is in the projection onto I1 I2 O1 O2 of the intersection of the lifting of L.MA / over I2 O2 and of the lifting of L.MB / over I1 O1 4 : ˛ 2 L.MA / L.MB / iff ˛ 2 ŒL.MA /"I2 O2 \ L.MB /"I1 O1 #I O : Notice that the liftings L.MA /"I2 O2 and L.MB /"I1 O1 are needed to have the languages of MA and MB defined on the same alphabet; e.g., L.MB / is defined over I2 U V O2 , and the lifting " I1 O1 defines it over I1 I2 U V O1 O2 .

3

Notice that more complex topologies can be handled in the same way, by defining the compositions with respect to the appropriate sets of variables, as pointed out when introducing the composition of automata. 4 Use the same order I1 I2 U V O1 O2 in the languages L.MA /"I2 O2 and L.MB /"I1 O1 .


45

In this way we describe the behavior of each FSM as a component of the synchronous composition. Lemma 3.10. If L.MA / and L.MB / are FSM -languages, then L.MA / L.MB / is an FSM -language. Proof. L.MA / L.MB / is prefix-closed, because prefix-closed FSM -languages are closed under composition. Notice that L.MA / L.MB / does not need to be progressive, because partial FSMs are allowed. t u Therefore we can state the following definition. Definition 3.2.1. The synchronous composition of FSMs MA and MB yields the FSM MA MB with language L.MA MB / D L.MA / L.MB /: If the language L.MA / L.MB / D fg, then MA MB is a trivial FSM. The previous definition is sound because the language L.MA / L.MB / by Lemma 3.10 is an FSM language, which corresponds to a (partial) complete FSM if the language L.MA / L.MB / is (not) I -progressive. Then by subset construction and state minimization, we produce a reduced observable FSM. In summary, we convert from the FSMs MA and MB to the automata accepting their FSM languages, operate on them and then convert back from the resulting automaton to an FSM; then we produce a reduced PNDFSM (we assume that MA and MB are PNDFSMs), because subset construction determinizes the underlying finite automaton. Example 3.11. (a) Synchronous composition of two FSMs defining a complete FSM. Given the topology shown in Fig. 1.1d, consider the FSMs MA D hSA ; I1 V; U O1 ; TA ; s1i and MB D hSB ; U; V; TB ; sai with SA D fs1; s2; s3g, TA D f.1 -; s1; s1; 11/, .00: s1; s2; 10/, .01; s1; s3; 10/, .- 0; s2; s1; 01/, .- 1; s2; s3; 10/, .- 1; s3; s1; 01/, .- 0; s3; s2; 00/g, SB D fsa; sbg, TB D f.0; sa; sa; 1/, .1; sa; sb; 0/, .0; sb; sa; 0/, .1; sb; sb; 0/g.5 Then MA MB D MAB D hSAB ; I1 ; O1 ; TAB ; .s1; sa/i with SAB D f.s1; sa/,.s1; sb/,.s2; sb/g and TAB D f.1; .s1; sa/; .s1; sb/; 1/, .0; .s1; sa/; .s2; sb/; 0/, .1; .s1; sb/; .s1; sb/; 1/ .0; .s1; sb/; .s2; sb/; 0/, .-; .s2; sb/; .s1; sa/; 1/g is a complete FSM. Figure 3.1 shows FSMs MA , MB and MA MB . (b) Synchronous composition of two FSMs defining a partial FSM. Modify the transition relation of MB to obtain MB0 as follows: TB0 D f.0; sa; sa; 1/, .1 sa sb 0/, .0; sb; sa; 1/, .1; sb; sb; 0/g. Then TAB 0 D f.1; .s1; sa/; .s1; sb/; 1/, .0; .s1; sa/; .s2; sb/; 0/, .1; .s1; sb/; .s1; sb/; 1/

5

denotes input or output don’t care conditions.

46


a b

c

d

e

Fig. 3.1 Illustration of synchronous compositions MA MB D MAB and MA MB0 D MAB 0 of Example 3.11-a) and 3.11-b). (a) FSM MA ; (b) FSM MB ; (c) FSM MB0 ; (d) FSM MA MB D MAB ; (e) FSM MA MB0 D MAB 0

.0; .s1; sb/; .s2; sb/; 0/g defines a partial FSM (no transition from state .s2; sb/). Figure 3.1 shows FSMs MA , MB0 and MA MB0 . Theorem 3.12. Let MA be a complete FSM over input alphabet I1 V and output alphabet O1 U and let MB be a complete Moore FSM over input alphabet I2 U and output alphabet O2 V . Then the composition MA MB is a complete FSM. Proof. Consider a string ˛ 2 L.MA /"I2 O2 \ L.MB /"I1 O1 . Suppose that from the initial state, MA reaches state s under the string ˛#I1 U V O1 and similarly that MB reaches state t under the string ˛#I2 U V O2 . Let the external input .i1 ; i2 / 2 I1 I2 be applied next. For any u 2 U there is a transition i2 u; t; t 0 ; o2 v/ in MB , because MB is a complete FSM; similarly, for any v 2 V there is a transition .i1 v; s; s 0 ; o1 u0 / in MA , because MA is a complete FSM. Moreover, given the input i2 u0 , there is a transition .i2 u0 ; t; t 00 ; o2 v/ with the same output o2 v of transition .i2 u; t; t 0 ; o2 v/, because MB is a Moore FSM. Therefore u0 and v are matching internal signals, i.e., the string ˛ can be extended by .i1 ; i2 ; u0 ; v; o1 ; o2 /. t u


47

3.2.2 Parallel Composition of FSMs Consider the pair of FSMs6,7 1. FSM MA has input alphabet I1 [ V , output alphabet U [ O1 , and transition relation TA . 2. FSM MB has input alphabet I2 [ U , output alphabet V [ O2 , and transition relation TB . We define a parallel composition operator ˘ that associates a pair of FSMs MA and MB with another FSM MA ˘ MB such that: 1. The alphabet of the external inputs is I1 [ I2 D I . 2. The alphabet of the external outputs is O1 [ O2 D O. Recall that, by definition of parallel composition of languages, a sequence ˛ 2 ..I1 [ I2 /.O1 [ O2 //? is in the language of the parallel composition of L.MA / and L.MB / iff ˛ is in the restriction onto I1 [ I2 [ O1 [ O2 of the intersection of the expansion of L.MA / over I2 [ O2 and of the expansion of L.MB / over I1 [ O1 : ˛ 2 L.MA / ˘ L.MB / iff ˛ 2 ŒL.MA /*I2 [O2 L \ L.MB /*I1 [O1 +I [O : Notice that the expansions L.MA /*I2 [O2 and L.MB /*I1 [O1 are needed to have the languages of MA and MB defined on the same alphabet; e.g., L.MB / is defined over I2 [U [V [O2 , and the expansion * I1 O1 defines it over I1 [I2 [U [V [O1 [O2 . In this way we describe the behavior of each FSM as a component of the parallel composition. Lemma 3.13. If L.MA / and L.MB / are FSM [-languages, then L.MA / ˘ L.MB / \ .IO/? is an FSM [-language. Proof. L.MA / ˘ L.MB / \ .IO/? is IO-prefix-closed, because IO-prefix-closed [-languages are closed under ˘ composition. Indeed, a state of the finite automaton corresponding to an FSM [-language is accepting iff it is the initial state or all its ingoing edges are labeled by symbols in O. The property is preserved by intersection and restriction over I [ O. The intersection with .IO/? makes sure that in the strings of the resulting FSM [-language an input is always followed by exactly one output, so that a corresponding FSM (with edges labeled by pairs .i=o// can be reconstructed. Notice that L.MA / ˘ L.MB / \ .IO/? does not need to be IOprogressive, because partial FSMs are allowed. t u

6

Notice that more complex topologies can be handled in the same way, by defining the compositions with respect to the appropriate sets of variables, as remarked for synchronous composition. 7 For simplicity the alphabets I1 ; I2 ; O1 ; O2 ; U; V are assumed to be pairwise disjoint.

48


Therefore we can state the following definition. Definition 3.2.2. The parallel composition of FSMs MA and MB yields the FSM MA ˘ MB with language L.MA ˘ MB / D L.MA / ˘ L.MB / \ .IO/? : If the language L.MA / ˘ L.MB / \ .IO/? D fg, then MA ˘ MB is a trivial FSM. The previous definition is sound because the language L.MA /˘L.MB /\ .IO/? by Lemma 3.13 is an FSM language, which corresponds to a (partial) complete FSM if the language L.MA / ˘ L.MB / \ .IO/? is (not) IO-progressive. Then by subset construction and state minimization we produce a reduced observable FSM. Example 3.14. (a) Parallel composition of two FSMs defining a complete FSM. Given the topology shown in Fig. 1.1d, consider the FSMs MA D hSA ; I1 [ V; U [ O1 ; TA ; s1i and MB D hSB ; U; V; TB ; sai with SA D fsa; sbg, TA D f.i1 ; sa; sa; o1 /, .v1 ; sa; sa; o1 /, .v2 ; sa; sa; u1 /, .i2 ; sa; sb; u2 /, .v1 ; sb; sb; u1 /, .v2 ; sb; sb; o2 /, .i1 ; sb; sa; o1 /, .i2 ; sb; sa; o1 /g, SB D fs1; s2g, TB D f.u2 ; s1; s2; v2 /, .u1 s1; s2; v1 /, .u1 ; s2; s2; v2 /, .u2 ; s2; s1; v2 /g. Then the composition MA ˘ MB D MA˘B D hSA˘B ; I1 ; O1 ; TA˘B ; .sa; s1/i with SA˘B D f.sa; s1/, .sb; s2/, .sa; s2/, .sb; s1/g and TA˘B D f.i1 ; .sa; s1/; .sa; s1/; o1 /, .i2 ; .sa; s1/; .sb; s2/; o2 /, .i1 ; .sb; s2/; .sa; s2/; o1 /, .i2 ; .sb; s2/; .sa; s2/; o1 /, .i1 ; .sa; s2/; .sa; s2/; o1 /, .i2 ; .sa; s2/; .sb; s1/; o2 /, .i1 ; .sb; s1/; .sa; s1/; o1 /, .i2 ; .sb; s1/; .sa; s1/; o1 /g is a complete FSM. Figure 3.2 shows some steps and the result of the computation of MA ˘ MB . (b) Parallel composition of two FSMs defining a partial FSM. Modify the transition relation of MB as follows: TB D f.u2 ; s1; s2; v2 /, .u1 s1; s2; v1 /, .u1 ; s2; s2; v1 /, .u2 ; s2; s1; v1 /g. Then TA˘B D f.i1 ; .sa; s1/; .sa; s1/; o1 /, .i2 ; .sa; s1/; .sb; s2/; o2 /, .i1 ; .sb; s2/; .sa; s2/; o1 /, .i2 ; .sb; s2/; .sa; s2/; o1 /, .i1 ; .sa; s2/; .sa; s2/; o1 /g defines a partial FSM, because there is no transition from state .sa; s2/ under input i2 (from .sa; s2/ under i2 =u2 we reach .sb; s2/, then under u2 =v1 we reach .sb; s1/, then under v1 =u1 we stay in .sb; s1/, then under u1 =v1 we reach .sb; s2/, where there is an endless cycle – livelock – under v1 =u1 to .sb; s2/ and then under u1 =v1 back again to .sb; s2/, without any production of an output in O1 ).

3.2.3 Equations Over FSMs Consider the network of FSMs shown in Fig. 3.3, where FSM MA has input signals I1 and V and output signals U and O1 , and FSM MX has input signals I2 and U and


49

a

b i2/u2

i1/o1 v1/o1 v2/u1

a

v1/u1 v2/o2

b

i1/o1 i2/o1

u2/v2 u1/v1

1

u1/v2

2

u2/v2

d

c c

i1, v1

v1

o1 a

i2

g

3

f i1, i2 u2

u1

u2

1

b

v2

v2

i1, i2, o1, o2 u2 4

v2

i1, i2, o1, o2

u1 u2

b2

i1/o1 i2/o1

v1

5

u2

i2/o2 a1

3 u1

2

i1/o1

i1, i2, o1, o2

v2

5

m

f e

v2 u1

o2

d

1

4

v2

u1

i1, i2, o1, o2

v1

u1

i1/o1 i2/o1 b1

2

i2/o2

i1, i2, o1, o2

a2 i1/o1

g

i1/o1 i2/o2 a1

i1/o1 i2/o1

b2

Fig. 3.2 Illustration of parallel composition MA ˘MB D MA˘B of Example 3.14-a. (a) FSM MA ; (b) FSM MB ; (c) Automaton of A ([-language of MA ); (d) Automaton of B ([-language of MB /; (e) Automaton of B*I1 [O1 ; (f) FSM MA ˘ MB D MA˘B ; (g) Reduced FSM MA ˘ MB D MA˘B . Double-circled nodes represent accepting states in (c), (d), (e). In pictures of FSMs, all nodes are accepting

output signals V and O2 . The network implements a specification MC with input signals I1 ; I2 and output signals O1 ; O2 . Supposing that MA and MC are known and MX is unknown, we want to define an equation of the type MA ˇ MX MC , to capture the FSMs MB that in place of MX let the network of MA and MB match the specification MC . Through Definitions 3.1.7 and 3.1.8 we have seen two different ways to associate an FSM language with a given FSM, and related composition operators and ˘ have been introduced in Sect. 3.2; therefore we introduce two

50


Fig. 3.3 General topology

types of equations over FSMs: MA MX MC and M A ˘ M X MC ; and solve them by building first the related language equations L.MA / L.MX / L.MC / and L.MA / ˘ L.MX / L.MC / [ .IO/? ; where L.MA / and L.MC / are the FSM languages associated with FSMs MA and MC . The latter language equation is justified by the following chain of equivalences MA ˘ M X M C , L.MA ˘ MX / L.MC / , by Def. 3.2.2 L.MA / ˘ L.MX / \ .IO/? L.MC / , L.MA / ˘ L.MX / L.MC / [ .IO/? : The last equivalence uses the set-theoretic equality A \ B C , A C C B.8 When there is no ambiguity we will denote by A X C and A ˘ X C [ .IO/? the language equations L.MA / L.MX / L.MC / and L.MA / ˘ L.MX / L.MC / [ .IO/? , where L.MA /, L.MX / and L.MC / are, respectively, the -languages and [-languages associated with the FSMs MA , MX and MC .

In one direction, A\B C ) A\BCA\B C CA\B ) A C CA\B ) A C CB. In the other direction, A C C B ) A \ B C A \ B C C B ) A \ B C , because A \ B 6 B if A \ B ¤ ; (if A \ B D ; then A \ B C ).

8

3.3 Solution of FSM Equations Under Synchronous Composition

51

3.3 Solution of FSM Equations Under Synchronous Composition 3.3.1 Largest FSM Solution Given alphabets I1 ; I2 ; U; V; O1 ; O2 , an FSM MA over inputs I1 V and outputs U O1 , and an FSM MC over inputs I1 I2 and outputs O1 O2 , consider the FSM equations M A M X MC ; (3.1) or, MA M X Š M C ;

(3.2)

whose unknown is an FSM MX over inputs I2 U and outputs V O2 . Sometimes the shortened notation I D I1 I2 and O D O1 O2 will be used.9 A variant of equations is Definition 3.3.1. FSM MB is a solution of the equation MA MX MC , where MA and MC are FSMs, iff MA MB MC . FSM MB is a solution of the equation MA MX Š MC , where MA and MC are FSMs, iff MA MB Š MC . Converting to the related FSM languages, we construct the associated language equation L.MA / L.MX / L.MC /; (3.3) where L.MA / is an FSM language over alphabet I1 U V O1 , L.MC / is an FSM language over alphabet I1 I2 O1 O2 and the unknown FSM language is over alphabet I2 U V O2 . The previous equation can be rewritten for simplicity as A X C: (3.4) We want to characterize the solutions of A X C as FSM languages. We know from Theorem 2.12 that the largest solution of the equation A X C is the language S D A C . When A and C are FSM languages, the following property holds. Theorem 3.15. Given the equation A X C and its largest solution S D A C , then S ¤ ;. Proof. FSM languages are not closed under complementation, because the complement of an FSM language does not include the empty string , so it cannot be an FSM language. So C does not include and neither does C "U V . Then the

9

Equations over more complex topologies and with respect to other input and output alphabets can be solved similarly, by setting up the appropriate compositions, as pointed out already when introducing composition of automata and FSMs.

52


intersection A"I2 O2 \ C "U V does not include the empty string, neither does its projection .A"I2 O2 \ C "U V /#I2 U V O2 , that is A C . Therefore A C includes the empty string, i.e., 2 S ¤ ;. t u Example 3.16. Consider the FSMs MA D hSA ; I1 V; U O1 ; TA ; sai and MC D hSC ; U; V; TC ; s1i with SA D fsag, TA D f.01; sa; sa; 01/, .00; sa; sa; 01/, .11; sa; sa; 10/, .10; sa; sa; 10/g, SC D fs1g, TC D f.1; s1; s1; 1/, .0; s1; s1; 0/g. The equation MA MX MC yields the language equation A X C with solution S D fg, i.e., the corresponding FSM solution MX produces only the empty word. The reason is that the i=o combinations of MC , i.e., 1=1; 0=0 do not match any i=o combination of MA , i.e., 0=1; 1=0. In general S is not an FSM language. To compute the largest FSM language contained in S , that is S FSM , we must compute the largest prefix-closed language contained in S . Theorem 3.17. Let A and C be FSM languages. The largest FSM language that is a solution of the equation A X C is given by S FSM , where S D A C . S FSM is obtained by applying Procedure 3.1.1 to S . S FSM contains at least the string . If A S FSM D C then S FSM is the largest solution of the FSM language equation A X D C. Thus, the synchronous FSM language equation A X C is always solvable, since the solution includes at least the empty string and so its prefix-closure does too. In other words, the trivial FSM is always a solution of the synchronous FSM equation A X C. Example 3.18. Consider the equation MA MX MC , with MA and MC shown, respectively, in Fig. 3.4a,c. The FSMs are composed with respect to the rectification topology and their alphabets are I1 D fi1 ; i2 g, O1 D fo1 ; o2 g, U D fu1 ; u2 g and V D fv1 ; v2 g. MA is a partial FSM, e.g., the transitions from state a under inputs i1 v2 and i2 v2 are missing. The automata of the related languages are shown, respectively, in Fig. 3.4b,d. The intermediate steps to compute the solution are demonstrated in Fig. 3.4e–g. The automaton generating the largest language solution, S D .A \ .C "U [V /#U [V , is portrayed in Fig. 3.4h. The state labeled dc accepts strings that are not in the language of the context. Notice that S is not prefix-closed, since string u1 v1 u2 v1 2 S , but u1 v1 62 S ; its largest prefix-closed sublanguage yields the largest FSM solution MX shown in Fig. 3.4i. MX is a PNDFSM and the composition of any DFSM reduction of MX with MA produces the trivial machine. Example 3.19. Consider the following variants of the context FSM MA in the equation MA MX MC , studied in Example 3.18. The specification FSM MC is the same. The variants of MA are MA1 , MA2 and MA3 , shown respectively in Fig. 3.5a,d,f. They are all complete FSMs, whereas MA of Example 3.18 is a partial FSM. The solution of MA1 MX MC is MX1 in Fig. 3.5c. MX1 is a partial FSM and MA1 MX1 D M , i.e., the composition yields the trivial FSM that is the “ultimate” partial machine, because each external input sequence causes a violation


53

c

a i2v1/u1o1

a

i1v1/u1o1

b

i2/o2 i1/o1

1

i1− −o1 i2− −o2

1

i1v1/u2o1

b

d i2o2 i1o1

1

e

i2u1v1o1

a

i1u1v1o1

i1u2v1o1

b

i1− −o2 i2− −o1

F

g

f a1

i1u1v1o1

i1u2v1o1

u 1 v1

i2u1v1o1 aF

u 1 v1

a1

b1

bF

u1v1

u2v1

aF

u 1 v1

i1u1v1o1

i2u1v1o1

−v2 u2v1

−−

a1 u1 v 1

dc u2v2 u1v2

−v2 u1v1

−v2 u1v1 −v2

i bF

u2v1 a1

aF, b1

u2v1

bF

u2v1

i1u2v1o1

h

b1

u2/v1 u1/v2 u2/v2

dc

u 2 v1

b1 u 2 v1 u 1 v1

−/−

aF, bF u 1 v1

Fig. 3.4 Illustration of Example 3.18. (a) FSM MA ; (b) FA (finite automaton) of A D L r .MA /; (c) FSM MC ; (d) FA of C D L r .MC /; (e) FA of C "U V ; (f) FA of A \ C "U V ; (g) FA of .A\C "U V /#U V ; (h) FA of largest solution S D .A \ C "U V /#U V ; (i) Largest FSM solution MX . MX is a PNDFSM such that MA MX D M MC

of the specification. Adding to state a of MA1 the transition to itself i1 v1 =u2 o2 0 0 would produce an FSM MA1 yielding the solution MX1 D M . The solution of 2 2 2 MA MX MC is MX in Fig. 3.5e. MX is a complete FSM and MA2 MX2 MC , where MA2 MX2 is an incomplete FSM that is a reduction of MC . The solution of MA3 MX MC is MX3 in Fig. 3.5g. MX3 is a complete FSM and MA3 MX3 Š MC is a complete FSM.

54


a i1v1/u1o1 i2v1/u1o1

a

i1v1/u2o1

b

b i1v2/− − i2v1/− − i2v2/− −

i1v2/− − i2v2/− −

i2/o2 i1/o1

1

c a1

u2/v1

dc

c − −/− −

d i1v1/u1o1 i2v2/u1o1

a

i1v1/u2o1

−/−

e

b

i1v2/u1o2

a1 u2/v2

i1v2/u2o2 i2v1/u1o1 i2v2/u2o1

i2v1/u2o1

u2/v1 u1/v1

c

u1/v2

dc − −/− −

e i1v1/u1o1 i2v1/u2o1

a

i1v1/u2o1 b

i1v2/u1o2 i2v2/u2o2


c

b1

i1v1/u1o2 i1v2/u2o1 i2v1/u2o1 i2v2/u1o2

− −/− −

g

u2/v1 u1/v1 a1

b1

u2/v2

u1/v2

c1

u1/v2 u2/v2

Fig. 3.5 Illustration of Example 3.19. (a) FSM MA1 ; (b) FSM MC ; (c) FSM MX1 ; (d) FSM MA2 ; (e) FSM MX2 ; (f) FSM MA3 ; (g) FSM MX3

For logic synthesis applications, we assume that MA and MC are complete FSMs and we require that the solution is a complete FSM too. This is obtained by applying Procedure 3.1.2 to S F SM , yielding P rog.S F SM /, the largest .I2 U /-progressive FSM language .I2 U V O/? . Notice that an .I2 U /-progressive solution might not exist, and in that case Procedure 3.1.2 returns an empty language.


55

Proposition 3.20. FSM MB is a solution of the equation MA MX MC , where MA and MC are FSMs, iff MB is a reduction of the FSM MS associated to S F SM , where S F SM is obtained by applying Procedure 3.1.1 to S , where S D A C . If S F SM D fg then the trivial FSM is the only solution. The largest complete FSM solution MP rog.S F SM / is found, if it exists, by applying Procedure 3.1.2. A complete FSM is a solution of MA MX MC iff it is a reduction of the largest complete solution MP rog.S F SM / . Given the largest (complete) solution MP rog.S F SM / of the equation MA MX MC , let MA MX Š MC . Then MP rog.S F SM / is the largest (complete) solution of the equation MA MX Š MC . Example 3.21. (Variant of Example 3.16) Consider the FSMs MA D hSA ; I1 V; U O1 ; TA ; sai and MC D hSC ; U; V; TC ; s1i with SA D fsag, TA D f.01; sa; sa; s00/, .00; sa; sa; 01/, .11; sa; sa; 10/, .10; sa; sa; 10/g, SC D fs1g, TC D f.1; s1; s1; 1/, .0; s1; s1; 0/g. The equation MA MX MC yields the language equation A X C with solution S D f.01/?g, i.e., the corresponding FSM solution MX produces the set of strings of input/output pairs f.0=1/?g, and so the equation has no complete FSM solution. Not every deterministic complete FSM MSR that is a reduction of the largest solution MS is a solution of the equation MA MX Š MC , as shown by the examples in Example 3.22. Example 3.22. Given the context FSM MA and the specification FSM MC shown respectively in Fig. 3.6a,b, consider the equation MA MX Š MC , whose largest solution MS is in Fig. 3.6c (and obviously satisfies MA MX Š MC , as shown in Fig. 3.6d). Then the deterministic complete FSM MS1 in Fig. 3.6e is not a solution of MA MX Š MC , whereas MS 2 in Fig. 3.6g is a solution of MA MX Š MC , as shown respectively in Fig. 3.6f and Fig. 3.6h. Notice that both MS1 and MS 2 are reductions of the largest solution MS . Given the context FSM MA and the specification FSM MC shown respectively in Fig. 3.7a,b, consider the equation MA MX Š MC , whose largest solution MS is in Fig. 3.7c (and obviously satisfies MA MX Š MC , as shown in Fig. 3.7d). Then a deterministic complete FSM that is a reduction of MS should choose at state s either the transition u3 =v2 or u3 =v1 . Suppose to define the reduction MS1 where at state s we choose u3 =v2 instead of u3 =v1 , then it is MA MS1 6Š MC , because in the product at state 1 we cannot get the transition i1 =o1 that requires the selection u3 =v1 in MS1 ; similarly, if we define the reduction MS 2 where at state s we choose u3 =v1 instead of u3 =v2 . then it is MA MS1 6Š MC , because in the product at state 1 we cannot get the transition i3 =o2 that requires the selection u3 =v2 in MS 2. So there is no deterministic complete FSM that is a reduction of the largest solution MS and also solves the FSM equation MA MX Š MC . Another interesting example and related discussion can be found in Example 3.1 and Fig. 2 of [149], where by removing any transition from the largest solution MS we would miss some complete deterministic FSM reduction that is a solution.

56


a a

b i1v1/u2o1 i1v2/u1o2 i2v1/u1o2 i2v2/u2o2

c

u1/v1 u2/v2

d i1/o1 as i2/o2

as

p

i2/o2

u2/v2 s

i1/o2

i2/o2

i1/o1

u2/v1

g

ap

f

u1/v1 u2/v2

u1/v1

i1/o2

i2/o2

u1/v2 p

s

u1/v1

i2/o2

u2/v1

e

2

a

u1/v1 u2/v2 s

i1/o1

u1/v2 p

u2/v1

h

ap i2/o2 i1/o1

as i2/o2

ap i2/o2

i1/o2

Fig. 3.6 Illustration of Example 3.18. (a) Context FSM MA ; (b) Specification FSM MC ; (c) Largest Solution FSM MS ; (d) MA MS Š MC ; (e) FSM MS1 , reduction of MS ; (f) MA MS1 6Š MC ; (g) FSM MS2 , reduction of MS ; (h) MA MS2 Š MC

3.3.1.1 Complexity of the Algorithm Consider the equation AX C , where A and C are FSM languages. We know that the largest unconstrained solution is given by S D A C . Given the rectification topology in Fig. 1.1d with MB as the unknown MX , the solution has in the worstjS j case 2jSA j:2 C states, where SA are the states of FA A and SC are the states of FA C . The exponent 2jSC j appears when C is non-deterministic, to account for the determinization needed to compute C ; otherwise if C is deterministic, in place of 2jSC j we have jSC j, because complementation becomes a linear operation. The product jSA j:2jSC j is due to the product of automata A and C . Then to complete the computation of the operator we must project the product on the internal signals U and V ; as a result we may get again a non-deterministic automaton, and therefore


57

a b

a

i1/o1 2

a i1v1/u3o1 i1v2/u1o2 i2v1/u1o2 i2v2/u2o2 i3v1/u2o1 i3v2/u3o2

c

u1/v1 u2/v2 s

u1/v1 u2/v2 u3/v2

i2/o2 i3/o2

u3/v2 u1/v2 p

u3/v1

i1/o2 i3/o2

i2/o2

d i1/o1 as i2/o2 i3/o2

ap i2/o2

i1/o2 i3/o2

Fig. 3.7 Illustration of Example 3.18. (a) Context FSM MA ; (b) Specification FSM MC ; (c) Largest Solution FSM MS ; (d) MA MS Š MC

a new determinization is needed before performing the final complementation: this jS j explains the outer exponential 2jSA j:2 C . There are “easier” topologies, like supervisory control, where there is no projection onto a subset of signals of the product automaton; therefore non-determinism is not introduced and so the final complementation is linear, resulting in the complexity of jSA j:2jSC j . Moreover, if SC is deterministic, the exponential 2jSC j is replaced by jSC j, and so the final complexity of supervisory control is bounded by only jSA j:jSC j. The operations on the language S to extract from it an FSM language, a complete FSM language or a Moore solution (see below) are linear in the number of edges of the automaton representing S .

3.3.2 Restricted FSM Compositional Solutions It is interesting to compute the subset of compositionally I -progressive solutions B, i.e., such that A"I2 O2 \ B"I1 O1 is an I -progressive FSM language .I U V O/? . Thus the composition (after projection on the external signals) is the language of a complete FSM over inputs I1 I2 and outputs O1 O2 . Since F SM A"I2 O2 \S"I is prefix-closed and hence corresponds to a partial FSM, we have 1 O1 to restrict it so that it is also I -progressive, which corresponds to a complete FSM.

58


If S F SM is compositionally I -progressive, then S F SM is the largest compositionally I -progressive solution of the equation. However, not every non-empty subset of S F SM inherits the feature of being compositionally I -progressive. If S F SM is not compositionally I -progressive, then denote by cP rog.S F SM / the largest compositionally I -progressive subset of S F SM . Conceptually cP rog.S F SM / is obtained from S F SM by deleting each string ˛ such that, for some i 2 I , there F SM is no .u; v; o/ 2 U V O such that ˛ .i; u; v; o/ 2 A"I2 O2 \ S"I . The 1 O1 F SM following procedure tells how to compute cP rog.S /. Procedure 3.3.1. Input: Largest prefix-closed solution S F SM of synchronous equation A X C and context A; Output: Largest compositionally I -progressive prefix-closed solution cP rog.S F SM /. 1. Initialize i to 1 and S i to S F SM . i 2. Compute R i D A"I2 O2 \ S"I . 1 O1 i If the language R is I -progressive then cP rog.S F SM / D S i . Otherwise (a) Obtain P rog.Ri /, the largest I -progressive subset of Ri , by using Procedure 3.1.2. (b) Compute T i D S i n .Ri n P rog.Ri //#I2 U V O2 . 3. If T i F SM D ; then cP rog.S F SM / D ;. Otherwise (a) Assign the language T i F SM to S i C1 . (b) Increment i by 1 and go to 2. Theorem 3.23. Procedure 3.3.1 returns the largest compositionally I -progressive (prefix-closed) solution, if it terminates. Theorem 3.24. Procedure 3.3.1 terminates. The proofs can be found in [148]. F SM A sufficient condition to insure that A"I2 O2 \ S"I is an I -progressive FSM 1 O1 F SM language is that S"I1 O1 or A"I2 O2 satisfy the Moore property (see Theorem 3.12 for a related statement proved for complete FSMs). If S F SM is Moore then it is the largest Moore solution of the equation. However, not every non-empty subset of S F SM inherits the feature of being Moore. If S F SM is not Moore, then denote by Moore.S F SM / the largest Moore subset of S F SM . The set Moore.S F SM / is obtained by deleting from S F SM each string which causes S F SM to fail the Moore property. Proposition 3.25. If Moore.S F SM / ¤ ;, then it is the largest Moore solution of the equation A X C . Otherwise the equation A X C has no Moore solution. To compute the largest Moore FSM that is a solution, it is sufficient to apply Procedure 3.1.5 to the FSM MS F SM associated with S F SM , as justified by Theorem 3.9. The result is the largest Moore FSM solution, of which every deterministic Moore solution is a reduction.

3.4 Solution of FSM Equations Under Parallel Composition

a

59

b

0/1 1/1

00/11

11/01 10/11

a

00/01 10/01 01/10 01/01 11/10

00/11 10/11

1

b 01/10 11/10

1/1

1/1 2

c

c

4

0/1

3

0/1

0/0 1/0

d a1

1/0

0/0 a2, b4 1/0

a1, b3

0/1

1/0 0/1

0/1

−/−

1/1 1/1

a1, b3

dc

b3

1/0 0/1

0/1

0/−

1/1 0/0

0/1 a2, c4 0/0

1/0

0/0

1/1

1/1

c3

a2, b4 0/0

a1, c3

a1 0/0

a2, c4

0/1

1/0

1/0

1/1 0/0

0/1

1/0

dc −/−

1/1 1/1 c3

1/1

0/1 b3

0/1

Fig. 3.8 Illustration of Example 3.26. (a) FSM MA ; (b) FSM MC ; (c) Largest FSM solution MX ; (d) Largest Moore FSM solution Moore.MX /

Example 3.26. Consider the equation MA MX MC , with MA and MC shown, respectively, in Fig. 3.8a,b. The largest FSM solution MX is shown in Fig. 3.8c, whereas Fig. 3.8d shows the largest Moore FSM solution Moore.MX /. Moore FSM solutions are portrayed in Fig. 3.9a,b, whereas nonMoore FSM solutions are pictured in Fig. 3.9c,d.

3.4 Solution of FSM Equations Under Parallel Composition 3.4.1 Largest FSM Solution Given alphabets I1 ; I2 ; U; V; O1 ; O2 , an FSM MA over inputs I1 [ V and outputs U [ O1 , and an FSM MC over inputs I1 [ I2 and outputs O1 [ O2 , consider the FSM equations

60


a

b a1 0/1 0/1

1/1

0/0

0/0

a2, c4

0/1

a2, b4 0/0

1/0

a1, b3

a1

1/0

a2, c4 0/0

1/0 0/1 1/1

dc

1/0

a1, b3

0/0 1/0

dc

1/1

1/1 1/1 c3

1/1

0/1 b3

1/1

0/1

c

c3

1/1

0/1 b3

0/1

d 1/0

a1 0/0

a2, b4 1/0

0/1

1/0

0/1

0/0

a2, c4

a2, b4 0/0

1/0

1/0 dc

0/1

1/0

1/0 a1, b3

a1

a1, b3

0/1 a2, c4 0/1

0/1 1/0

−/−

a1, c3

dc −/−

1/1 0/1

1/1 c3

1/1

b3

0/0

Fig. 3.9 Illustration of Example 3.26. (a)–(b) Moore FSM solutions; (c)–(d) Non-Moore FSM solutions

M A ˘ M X MC ;

(3.5)

MA ˘ M X Š M C ;

(3.6)

or, whose unknown is an FSM MX over inputs I2 [ U and outputs V [ O2 . Sometimes the shortened notation I D I1 [ I2 and O D O1 [ O2 will be used.10

10

Equations over more complex topologies and with respect to other input and output alphabets can be solved similarly, by setting up the appropriate compositions, as remarked already when discussing synchronous equations.


61

Definition 3.4.1. FSM MB is a solution of the equation MA ˘ MX MC , where MA and MC are FSMs, iff MA ˘ MB MC . FSM MB is a solution of the equation MA ˘ MX Š MC , where MA and MC are FSMs, iff MA ˘ MB Š MC . Converting to the related FSM languages, we construct the associated language equation (see Sect. 3.2.3) L.MA / ˘ L.MX / L.MC / [ .IO/? ;

(3.7)

where L.MA / is an FSM language over alphabet I1 [ U [ V [ O1 , L.MC / is an FSM language over alphabet I1 [ I2 [ O1 [ O2 and the unknown FSM language is over alphabet I2 [U [V [O2 . The previous equation can be rewritten for simplicity as A ˘ X C [ .IO/? : (3.8) We want to characterize the solutions of A˘X C [.IO/? that are FSM languages. We know from Theorem 2.16 that the largest solution of the equation A ˘ X C [ .IO/? is the language S D A ˘ .C \ .IO/? /. In general S is not an FSM language. To compute the largest FSM language contained in S , that is S F SM , we must compute the largest prefix-closed language contained in S \ ..I2 [ U /.V [ O2 //? . Theorem 3.27. Let A and C be FSM languages. The largest FSM language that is a solution of the equation A ˘ X C [ .IO/? is given by S F SM , where S D A ˘ .C \ .IO/? /. If S D ; then S FSM D ;; if S ¤ ;, S F SM is obtained by applying Procedure 3.1.3 to S . If S F SM D ; then the FSM language equation A ˘ X C [ .IO/? has no solution. Proof. The first step of Procedure 3.1.3 computes the intersection of S with ..I2 [ U /.V [ O2 //? to enforce that the solution, if it exists, is an FSM language with input alphabet I2 [ U and output alphabet V [ O2 . Since A and C are regular languages, S \ ..I2 [ U /.V [ O2 //? is a regular language too and, by construction, Procedure 3.1.3 extracts the largest FSM language contained in it. t u Example 3.28. Consider the FSMs MA D hSA ; I1 [ V; U [ O1 ; TA ; sai and MC D hSC ; U; V; TC ; s1i with SA D fsag, TA D f.i; sa; sa; o2 /, .v; sa; sa; u/g, SC D fs1g, TC D f.i; s1; s1; o1 /g. The equation MA ˘ MX MC yields the language equation A ˘ X C [ .IO/? whose solution S becomes empty under prefix-closure, because S does not contain , even though it contains the string uv. Thus there is no solution. By Proposition 3.7, it is easy to derive an FSM MS F SM associated to S F SM . This allows us to talk about FSMs that are solutions of FSM equations, meaning any reduction of the FSM MS F SM , as guaranteed by Proposition 3.8. Example 3.29. Consider the equation MA ˘ MX MC , with the language of MA , [ i.e., A D L[ r .MA /, and the language of MC , i.e., C D Lr .MC /, represented by the

62


b

a

i, v1, v2 c

a o1

o2

i

1

2

o1 u1 v1

d

b

v2

u1, u2

1

e

2

v1, v2

u2

(b )

c

v1, v2 dc2

u2 a1, c2

v1

u2 u2

v2

b2

u1

u1

u1

u2

u 1, u2

dc1

e4 d4, aF, c4 u2

aF, d2, c4 v2

u1

e2

u1

v1

b4

d 1

u2

v1, v2 2

5 u 1, u2

u1

u1 v1 3

4 u2

[ 0 Fig. 3.10 Illustration of Example 3.29. (a) FA of A D L[ r .MA /; (b) FA of C D Lr .MC /; (b )

FA of .U V /? ; (c) FA of .A \ .C \ .IO/? /*U [V /+U [V \ .U V /? ; (d) FA of prefix-closure of .A \ .C \ .IO/? /*U [V /+U [V \ .U V /?

automata shown, respectively, in Fig. 3.10a,b. The automata generating the largest language solution, .A \ .C \ .IO/? /*U [V /+U [V \ .U V /? and its largest prefix closure are portrayed, respectively, in Fig. 3.10c,d. Figs. 3.11 and 3.12 show the intermediate steps of the computation. Notice that in Fig. 3.10c there are two don’t care states, dc1 non-accepting and dc2 accepting, obtained by “splitting” the accepting dc state of the automaton recognizing the language .A \ .C \ .IO/? /*U [V /+U [V in Fig. 3.12b, when it is intersected with


a

63

b i

i

1

2

1

2

o1

o1

o2

i, o2

o1, o2

o 1 , o2 F

4

F

i

c i

1 u1, u2, v1, v2

o 1 , o2

o2

2

4

F

o1

i u1, u2, v1, v2

u1, u2, v1, v2

u1, u2, v1, v2

d v1 v1, v2

a1

c1

u1

b1

u2 u2

o1

i

e1

d1

c2

u2 o1

u1 v2

b2

d2

o2

aF

c4

u1

b4

v1 v2

i

d4

o2 v1

v2

v1, v2

e4

cF

u1

u2 eF

bF

v1

e2 v2

dF

Fig. 3.11 Illustration of Example 3.29. (a) FA of C ; (b) FA of C \ .IO/? ; (c) FA of .C \ .IO/? /*U [V ; (d) FA of A \ .C \ .IO/? /*U [V

the automaton of .U V /? in Fig. 3.10b0. The dc state of the former automaton is split into states dc1 and dc2 because .UV/? restricts the acceptance to words that terminate by a symbol in V ; therefore the original dc state that can accept any word in .U [V /? is replaced by two states to accept only the words in .U V /? .U [V /? . For logic synthesis applications, we assume that MA and MC are complete FSMs and we require that the solution is a complete FSM too. This is obtained by applying Procedure 3.1.4 to S F SM , yielding P rog.S F SM /, the largest .I2 [ U /.V [ O2 /progressive FSM language ..I2 [ U /.V [ O2 //? .

64


a

v1 v1, v2

a1, c2

u1

c1

b1

e1

u2 v2

d1

u2

e4

u1

b2

u1

v2

b4 u1

aF, d2, c4

v1

v2

u2

v1 d4, aF, c4

v1, v2 v1, v2

e2

cF

u2

u1

eF

bF

v1 v2

b

u1, v1, v2

v1 v1, v2

a1, c2

v1

dc

d1

v2

−

u2

u1

u2

u2 u1, u2

u1, v1, v2

u2

u1, u2 b4

aF, d2, c4

v1

dc

u2

v1, u2

v1, v2 b2

e1

b1

u2, v1, v2

u2

u1

u1

c1

dF

e4

v2

cF

dc

u2, v1, v2

u1, v1, v2 u2

u1

eF

bF

e2 u1, v1, v2

u2

d4, aF, c4

u1 v1, v2

v1, v2

dc

v1

u1, u2

v1 v2

dF

dc dc

Fig. 3.12 Illustration of Example 3.29. (a) FA of .A \ .C \ .IO/? /*U [V /+U [V ; (b) FA of .A \ .C \ .IO/? /*U [V /+U [V


65

Proposition 3.30. FSM MB is a solution of the equation MA ˘ MX MC , where MA and MC are FSMs, iff MB is a reduction of the FSM MS F SM associated to S F SM , where S F SM is obtained by applying Procedure 3.1.3 to S , where S D A ˘ .C \ .IO/? /. If S F SM D ; then no FSM solution exists. The largest complete FSM solution MP rog.S F SM / is found, if it exists, by Procedure 3.1.4. A complete FSM is a solution of MA ˘ MX MC iff it is a reduction of the largest complete solution MP rog.S F SM / . Given the largest (complete) solution MP rog.S F SM / of the equation MA ˘ MX MC , let MA ˘ MX Š MC . Then MP rog.S F SM / is the largest (complete) solution of the equation MA ˘ MX Š MC . The worst-case complexity of computing the largest solution of a parallel jS j equation is of 2jSA j:2 C , the same as for a synchronous equation. The same analysis applies (restriction plays the same role as projection in introducing nondeterminism).

3.4.2 Restricted FSM Compositional Solutions It is interesting to compute the subset of compositionally I ? O-progressive solutions B, i.e., such that A*I2 [O2 \ B*I1 [O1 \ .IO/?*U [V is an I.U [ V /? O-progressive FSM language .I.U [ V /? O/? . Thus the composition (after restriction to I [ O) is the language of a complete FSM over inputs I1 [ I2 and outputs O1 [ O2 . Since A*I2 [O2 \ B*I1 [O1 \ .IO/?*U [V (after restriction to I [ O) is IO-prefix-closed and hence corresponds to a partial FSM, we have to restrict it so that it is also I.U [ V /? O-progressive, which corresponds to a complete FSM. If S F SM is compositionally I.U [ V /? O-progressive, then S F SM is the largest compositionally I.U [ V /? O-progressive solution of the equation. However, not every non-empty subset of S F SM inherits the feature of being compositionally I.U [V /? O-progressive. If S F SM is not compositionally I.U [V /? O-progressive, then denote the largest compositionally I.U [ V /? O-progressive subset of S F SM by cI.U [ V /? OP rog.S F SM /. Conceptually, the language cI.U [ V /? OP rog .S F SM / is obtained from S F SM by deleting each string ˛ such that, for some i 2 I , there is no .u [ v/? 2 .U [ V /? and no o 2 O for which ˛ i.u [ v/? o 2 A*I2 [O2 \ F SM S*I \ .IO/?*U [V holds. We expect that a procedure to compute the largest 1 [O1 compositionally I.U [ V /? O-progressive prefix-closed solution, cP rog.S F SM /, can be designed following the pattern of Procedure 3.3.1, but as yet have not worked out the details. A procedure to compute the largest compositionally progressive solution of a parallel equation over regular languages for the rectification topology was provided in [78]. To characterize subsets of solutions well-behaved with respect to deadlocks and livelocks (endless cycles of internal actions), we introduce a few more language definitions.

66


Definition 3.4.2. A solution B of (3.8) is A-compositionally prefix I.U [ V /? O-progressive if Pref.A/*I2 [O2 \ Pref.B/*I1 [O1 \ Pref..IO/? /*U [V is I.U [ V /? O-progressive. A compositionally prefix I.U [ V /? O-progressive solution yields a composition that allows .u[v/? cycles without exit, yet every sequence in I.U [V /? O followed by an input in I must be followed by a .u [ v/? cycle that can be exited (by an output). Definition 3.4.3. A solution B of (3.8) is A-compositionally prefix .U [ V /deadlock-free if Pref.A/*I2 [O2 \ Pref.B/*I1 [O1 \ Pref..IO/? /*U [V is .U [ V /-deadlock-free. A compositionally prefix .U [ V /-deadlock-free solution yields a composition that has no .u [ v/? cycles without exit. Definition 3.4.4. A solution B of (3.8) is A-compositionally prefix .U [ V /convergent if Pref.A/*I2 [O2 \ Pref.B/*I1 [O1 \ Pref..IO/? /*U [V is .U [ V /-convergent. A compositionally prefix .U [ V /-convergent solution yields a composition that has no .u [ v/? cycles, i.e., it is livelock-free. A compositionally prefix .U [ V /-deadlock-free solution does not need to be compositionally prefix .U [ V /-convergent. Example 3.31. Consider the equation MA ˘ MX MC , where FSMs MA and MC and the largest solution MB are shown in Fig. 3.13a–c. Fig. 3.13d,e shows the related automata A and B*I1 [O1 D B*fi g[fog , whereas Fig. 3.13f,g portrays the automata representing the languages A*I2 [O2 \ B*I1 [O1 \ .IO/?*U [V D A \ B*fi g[fog \ .IO/?*fug[fvg and P ref .A/*I2 [O2 \ P ref .B/*I1 [O1 \ P ref ..IO/? /*U [V D P ref .A/ \ P ref .B/*fi g[fog \ P ref ..IO/? /*fug[fvg . If FSM MA answers by u to the external input i then FSMs MA and MB fall into an infinite dialog, so we would like to classify their composition as neither .U [ V /-convergent nor .U [ V /-deadlock-free. However the language A \ B*fi g[fog \ .IO/?*fug[fvg D f.i o/? g is both .U [ V /-convergent and .U [ V /deadlock-free. To overcome this modeling problem, we introduce the operator P ref (guarantees prefix-closure) and rewrite the previous language composition as P ref .A/ \ P ref .B/*fi g[fog \ P ref ..IO/? /*fug[fvg . The latter language is


b

a v/u i/u,o

a

67

c i/o

1

u/v

A

e

d i

i/o

v a

c

u

b

u,o

A

B

u

i/o

v

f i aA

cA

u

v aB

o

bA u

g i aA

cA

u

v aB

bA u

o

h i aA

cA

u

o

v aB

bA u

o

Fig. 3.13 Illustration of Example 3.31. (a) FSM MA ; (b) FSM MC ; (c) FSM MB ; (d) FA of A D ? [ L[ r .MA /; (e) FA of B*fig[fog , where B D Lr .MB /; (f) FA of A \ B*fig[fog \ .IO/*fug[fvg ; ? (g) FA of P ref .A/ \ P ref .B/*fig[fog \ P ref ..IO/ /*fug[fvg ; (h) FA of prefix .U [ V /deadlock-free, but not prefix .U [ V /-convergent language

neither .U [ V /-convergent (since i*fug[fvg includes i u.v C u/? that is a subset of the language) nor .U [V /-deadlock-free (˛i u cannot be extended to a string ending by o, against the definition of .U [ V /-deadlock-free). Finally Fig. 3.13h shows a language that is .U [ V /-deadlock-free, but not .U [ V /-convergent. Theorem 3.32. Let B be an .I2 [ U /.V [ O2 /-progressive solution of A ˘ X C [ .IO/? and let A be .I1 [ V /.U [ O1 /-progressive. If B is compositionally prefix .U [ V /-convergent, then B is compositionally prefix .U [ V /-deadlock-free. Proof. Since the components A and B are progressive, their composition Pref.A/*I2 [O2 \ Pref.B/*I1 [O1 \ Pref..IO/? /*U [V is deadlock-free, i.e., it never stops because a component does not have a transition under a given input. If the composition is also .U [ V /-convergent, there can be no livelocks, i.e., there are no cycles labeled with actions from the set U [ V . Therefore an external input, after a finite path labeled with internal actions, must be followed by an external output. t u

68


The computation of the largest subset of compositionally prefix .U [ V /deadlock-free solutions and of the largest subset of compositionally prefix .U [ V /convergent solutions requires further investigation. The former problem appears similar to the one of finding the largest subset of compositionally I.U [ V /? O-progressive solutions. About the latter problem, when S F SM is not compositionally prefix .U [ V /-convergent, then the largest compositionally prefix .U [ V /-convergent solution does not exist and each finite IO-prefix-closed subset of S F SM is a compositionally prefix .U [ V /-convergent solution. It is an open question whether there is the largest complete prefix .U [ V /-convergent solution.

3.4.3 FSM Equations Under Bounded Parallel Composition Here we discuss the solutions whose composition with the context produces an external output after at most l internal actions. One could build an analogy with Moore solutions of synchronous equations. We provide in the sequel the key steps to solve FSM equations under bounded parallel composition. Definition 3.4.5. The l-bounded parallel composition of FSMs MB , over input alphabet I2 [ U and output alphabet O2 [ V , with MA , over input alphabet I1 [ V and output alphabet O1 [ U , yields the FSM MA ˘l MB with language L.MA ˘l MB / D L.MA / ˘l L.MB / \ .IO/? i h D L.MA /*I2 [O2 \ L.MB /*I1 [O1 \ .I [ O/?*.U [V;l/

+I [O

\ .IO/? :

When l D 1, it reduces to the definition of parallel composition of FSMs. Example 3.33. Fig. 3.14a,b show the automata of .I [ O/?*.U [V;lD1/ and .I [ O/?*.U [V;lD2/ , with I D fi g, O D fog, U D fug and V D fvg. The words in .I [ O/?*.U [V;1/ are obtained from those in .I [ O/? by inserting anywhere in them words from .U [ V /1 D f; u; vg; the words in .I [ O/?*.U [V;2/ are obtained from those in .I [ O/? by inserting anywhere in them words from .U [ V /2 D f; u; v; uu; uv; vu; vvg. Proposition 3.34. FSM MB is a solution of the equation MA ˘l MX MC , where MA and MC are FSMs, iff MB is a reduction of the FSM MS F SM associated with S F SM , where S F SM is obtained by applying Procedure 3.1.3 to S , where S D .A*I2 [O2 \ .C \ .IO/? /*.U [V;l/ /+I2 [U [V [O2 . If S F SM D ; then no FSM is a solution. S F SM is the largest compositionally .U [ V /-convergent solution of MA ˘l MX MC . The largest complete FSM solution MP rog.S F SM / is found, if it exists, by Procedure 3.1.4.


a

69

i,o

i,o i,o u,v

u,v

b i,o

i,o

i,o

u,v

u,v

i,o

u,v

Fig. 3.14 Illustration of Example 3.33. (a) FA of .I [ O/?*.U [V;lD1/ ; (b) FA of .I [ O/?*.U [V;lD2/ . In both cases it is I D fi g, O D fog, U D fug and V D fvg

Theorem 3.35. A solution MB of MA ˘l MX MC is also a compositionally .U [ V /-convergent solution of MA ˘ MX MC . If MA and MB are also complete FSMs, then MB is a compositionally prefix I.U [ V /? O-progressive and compositionally I ? O-progressive solution of MA ˘ M X MC . Proof. By construction, a solution MB of MA ˘l MX MC is compositionally .U [ V /-convergent. A solution MB of MA ˘l MX MC is also a solution of MA ˘ MX MC , because when l D 1 the operator ˘l becomes the operator ˘. By Theorem 3.32, the fact that MB is compositionally .U [ V /-convergent, together with the completeness of MA and MB , imply that MB is compositionally prefix I.U [ V /? O-progressive and therefore compositionally I ? O-progressive. u t However, in general MA ˘ MX MC may be solvable despite the fact that MA ˘l MX MC has no solution. For instance, this may happen when MA ˘ MX MC has no compositionally I.U [V /? O-progressive solution. If the equation MA ˘l MX MC has no complete solution, it is open whether there is a compositionally I.U [ V /? O-progressive solution of MA ˘ MX MC .

70


Problems 3.1. Consider the FSMs and their parallel composition shown textually in Example 3.14(a). Compute all the steps to verify the correctness of the composition. (a) Derive from MA and MB the automata A and B recognizing, respectively, the [ languages L[ r .MA / and Lr .MB /. (b) Compute the automaton B*I1 [O1 . (c) Compute the automaton A \ B*I1 [O1 . (d) Compute the automaton .A \ B*I1 [O1 /+I1 [O1 \ .I1 O1 /? . (e) Extract the FSM MA ˘ MB from the automaton in the previous step and minimize it. The result should coincide with the one proposed in Example 3.14(a). 3.2. Repeat the steps of Problem 3.1 for the variant reported in Example 3.14(b). 3.3. Consider the examples of synchronous composition shown in Fig. 3.1. For instance, the picture shows machines MA and MB and their synchronous composition MAB D MA MB . What are the other machines such that their composition with the context MA yields the same composed machine MAB ? Compute all such machines by solving the equation MA MX D MAB . What is the relation between the largest solution of the equation and the given machine MB ? 3.4. Consider the traffic controller example described in [12] and already introduced in Problem 2.1. Interpret the state graphs in Figs. 2.10 and 2.11 as respectively the context FSM MA and the specification FSM MC , by defining their input and output variables as follows. The inputs of MA are two binary variables v1 ; v2 , and its output is the multi-valued variable colours that can assume the values green, red, yellow. The inputs of MC are two multi-valued variables i1 ; i2 that can assume each one of the three values 1; 2; 3, its output is again the multi-valued variable colours. Find the largest solution of the equation MA MX MC , where the input variables of MX are i1 ; i2 and its output variables are v1 ; v2 . This is a series topology where MX feeds MA , and the composition of MX and MA yields MC . Repeat the problem assuming that MX has one more input: the variable colours produced by MA , as in the controller’s topology. 3.5. Consider the FSMs MA D hSA ; V; U; TA; sai and MC D hSC ; I; O; TC ; s1i with SA D fsa; sbg, TA D f.v1; sa; sb; u1/, .v2: sa; sa; u1/, .v1; sb; sa; u1/, .v2; sb; sb; u2/, and SC D fs1; s2; s3g, TC D f.i1; s1; s2; o1/, .i 2; s1; s1; o2/, .i1; s2; s3; o2/, .i 2; s2; s3; o1/g, .i 2; s3; s3; o1/, .i1; s3; s1; o2/. Compute the largest solution of the equation MA MX MC , where MX has inputs I U and outputs V O. Notice that in this example only MX has access to the environment. 3.6. Consider the FSMs MA D hSA ; V; O; TA ; sai and MC D hSC ; I; O; TC ; s1i with SA D fsa; sbg, TA D f.v1; sa; sb; o1/, .v2: sa; sb; o2/, .v1; sb; sa; o2/,

Problems

71

.v2; sb; sb; o2/, and SC D fs1; s2; s3; s4g, TC D f.i 2; s1; s2; o1/, .i1; s1; s3; o1/, .i1; s1; s3; o2/, .i1; s2; s3; o2/g, .i 2; s2; s4; o2/, .i 2; s3; s3; o2/g, .i1; s3; s1; o2/, .i1; s4; s2; o1/g, .i 2; s4; s3 o2/. (a) Compute the largest solution of the equation MA MX MC , where MX has inputs I O and outputs V . This is an example of controller’s topology. (b) Compute the largest solution of the equation MA MX MC , where MX has inputs I and outputs V . This is an example of series topology. (c) Compare the solutions obtained in (b) and (c).

Chapter 4

Equations Over !-Automata

4.1 !-Languages and !-Automata An infinite word over an alphabet A, or !-word, is an infinite sequence of symbols of A. A! is the set of !-words on A. An !-language on A is a subset of A! . Moreover, A1 D A? [ A! . An !-word may be written as ˛ D ˛.0/˛.1/ : : : , where ˛.i / 2 A for every i 0; if n m, ˛.n; m/ D ˛.n/ : : : ˛.m 1/˛.m/ and ˛.n; 1/ D ˛.n/˛.n C 1/ : : : . The notations 9! n stands for ’there are infinitely many n’ and 9
W ! D f˛ 2 A! j ˛ D w0 w1 : : : ; wi 2 W g, W D f˛ 2 A! j 9! n ˛.0; n/ 2 W g (also called li m.W /), and I nf .˛/ D fa 2 A j 9! n ˛.n/ D ag. Given an !language L, P ref .L/ denotes (by overloading) the sets of finite prefixes of the words in L. Definition 4.1.1. A !-automaton is a 5-tuple A D .Q; A; ; q0 ; /, where is a Boolean formula defining the acceptance conditions.1 A run of A under an !-word ˛ is an !-word r˛ over the alphabet of the states in Q such that r˛ .0/ D q0 , and, for every i 0, .r˛ .i /; ˛.i /; r˛ .i C 1/ 2 . A run r˛ under an !-word ˛ is accepting if .Inf.r˛ // is true, i.e., the set of states of r˛ visited infinitely often satisfies the condition . An !-word ˛ is accepted if there exists an accepting run r˛ under ˛. The language accepted by the !-automaton A with acceptance condition , L.A/, is the set of accepted strings ˛ 2 A! , i.e., the strings for which there is a run of states r˛ visited by ˛ such that .Inf.r˛ // is true (the set of states visited infinitely often by r˛ satisfies the condition ).

1 For a Büchi automaton is a disjunctive formula representing the subset of states F Q; for a co-Büchi automaton is :F , where F is disjunctive formula representing the set Q n F ; for a Muller automaton is _F 2F .^f 2F f ^q62F :q/, where F 2Q ; for a Rabin automaton is _niD1 .Li ^ :.Ui //, where Li ; Ui ; 1 i n; are disjunctive formulas; for a Street automaton is ^niD1 .Li ^ :.Ui //, where Li ; Ui ; 1 i n; are disjunctive formulas.


73

74

4 Equations Over !-Automata

Definition 4.1.2. A Buchi ¨ automaton is a 5-tuple A D .Q; A; ; q0 ; F /, where Q is a finite set of states, A is a finite set of symbols, q0 2 Q is the initial state, F Q is the set of final states, and Q A Q is the transition relation. A run over an !-word ˛ is accepting if Inf./ \ F ¤ ;. A language is !-regular if and only if it is accepted by a Büchi automaton. The final states of a finite automaton can be interpreted as the recurrent states of a Büchi automaton, where accepting runs visit final states infinitely often. We get a co-Büchi automaton if the acceptance condition identifies a subset of states called co-final states or persistent states, where an accepting run finally never leaves the co-final states. The final states of a finite automaton can be interpreted as the persistent states of a co-Büchi automaton, where accepting runs eventually stay in the set of final states. The following closure properties hold for !-languages. Proposition 4.1. 1. If V A ? is regular, then V ! is !-regular. 2. If V A? is regular and L A! is !-regular, then V:L is !-regular. 3. If L1 ; L2 A! are !-regular, then L1 [ L2 and L1 \ L2 are !-regular. Moreover, there are effective constructions to obtain the automata of the resulting languages. S Definition 4.1.3. An !-regular expression has the form Ui :Vi! , where for all 1 i n, Ui and Vi are regular expressions. Theorem 4.2 (Buchi ¨ - 1960). For every Büchi automaton there is an !-regular expression that defines the same !-language and vice versa. Definition 4.1.4. A word ˛ 2 A! is definitively periodic if there are u; v 2 A? such that ˛ D uv! . Corollary 4.3. Every non-empty !-regular language contains an infinitely periodic !-word. The language of a Büchi automaton is non-empty if and only if its transition graph has a cycle that contains a final state reachable from the initial state. Theorem 4.4 (Buchi ¨ - 1960). If L A! is !-regular, then L D A! n L is !regular. There is an effective construction to build a Büchi automaton accepting L from the Büchi automaton accepting L. However the construction is computationally very hard, as discussed in [42,53,122]. Büchi automata over infinite words might appear as a direct extension of finite automata from finite words to infinite words, sharing the same underlying transition structure with acceptance conditions made infinitary instead than finitary. However the following examples highlight the fundamental differences. Example 4.5. Figure 4.1 shows three examples of automata A1 , A2 and A3 , with the same !-language L! .A1 / D L! .A2 / D L! .A3 / D f.ab/! g; however, their respective finitary languages are Lfin .A1 / D f.ab/? .a C /g, Lfin .A2 / D f.ab/? g,

4.1 !-Languages and !-Automata

a

75

b

a

c

a

b

b

a

b

Fig. 4.1 (a) Automaton A1 ; (b) Automaton A2 ; Automaton A3

a

b

a, b b

b a

b b a

Fig. 4.2 (a) Non-deterministic automaton A1 ; (b) deterministic automaton A2

Lfin .A3 / D fa.ba/? g. Notice that !-regular languages, as ?-regular languages, can be denoted by different expressions, e.g., L! .A3 / D f.ab/! g D fa.ba/! g.2 Example 4.6. The equality of prefixes of !-languages does not imply the equality of !-languages, nor vice versa, as the following examples show.3 • From L!1 D L!2 , it does not follow Pref .L!1 / D Pref .L!2 /, i.e., the equality of !-languages does not imply the equality of prefixes. E.g., given two empty !languages L!1 and L!2 , it may be that Pref .L!1 / D fabg, Pref .L!2 / D fbag and so Pref .L!1 / ¤ Pref .L!2 /. Question: does this happen only when L!1 D L!2 D ; ? • From Pref .L!1 / D Pref .L!2 /, it does not follow L!1 D L!2 , i.e., the equality of prefixes does not imply the equality of !-languages. E.g., ˙ D fa; bg, L!1 D ˙ ? a˙ ! , L!2 D ˙ ? a˙ ! [ b ! , Pref .L!1 / D Pref .L!2 /, but L!1 ¤ L!2 . Another example, is Pref .L!1 / D Pref .L!2 / D a? b ? , and L!1 D a? b ! , L!2 D ! a C a? b ! . Example 4.7. Consider the non-deterministic automaton A1 in Fig. 4.2a.4 The language of A1 when interpreted as an automaton over finite words is Lfin .A1 / D fw W w ends with bg, whereas its language when interpreted over infinite words is L! .A1 / D fw W a occurs a finite number of times in wg. For languages over finite words, we know that non-deterministic automata and deterministic automata are equivalent. Hence, consider the following deterministic automaton A2 in Fig. 4.2b. A2 is obtained by determinization of the automaton A1 , by applying the classic subset construction introduced for automata over finite words. Therefore A2 when interpreted as an automaton over finite words recognizes the same language as A1 : 2

We thank V. Bushkov, University of Tomsk, for discussions on Example 4.5. We thank A. Chebotarev, Ukrainian Academy of Sciences, Kiev, for discussions on Example 4.6. 4 We thank D. Bresolin, University of Verona, for discussions on Example 4.7. 3


76

Lfin .A2 / D Lfin .A1 /. However, A2 when interpreted over infinite words recognizes the language L! .A2 / D fw W b occurs infinitely many times in wg, that is different from the one of A1 . For instance, the infinite word .ab/! belongs to L! .A2 / but not to L! .A1 /. This example shows that the determinization operation for finite automata does not preserve the language recognized by a Büchi automaton. Even more, this fact can be seen as the corollary of a more general result, stating that deterministic Büchi automata are not closed under complementation. Indeed, it can be proved the !-language recognized by A1 is not recognizable by any deterministic Büchi automaton. To that purpose, we need the following characterization, stating that deterministic Büchi automata accept !-words that have infinitely many prefixes accepted as finite words, so roughly speaking deterministic Büchi automata are the natural extension of automata over finite words. Theorem 4.8. A language L A! is accepted by a deterministic Büchi automaton !

if and only if there is a regular set W A? such that L D W . Proof (Adapted from [98]). Let A D .Q; A; ; q0 ; F / be a deterministic Büchi automaton and A0 D .Q; A; ; q0 ; F / be the corresponding deterministic finite automaton (A and A0 have the same underlying structure and differ only by the acceptance condition). Let W D L.A0 / A? be the language recognized by A0 . !

The thesis is that L.A/ D W .

!

We prove first that L.A/ W . Let ˛ 2 L.A/. From the acceptance condition of deterministic Büchi automata we have that A accepts an !-word ˛ if and only if the run r˛ of A under ˛ satisfies Inf.r˛ / \ F ¤ ;, i.e., the set of states visited infinitely often by r˛ intersects the set of final states F . It follows that there are infinitely !

!

many prefixes w of ˛ such that w 2 W , i.e., ˛ 2 W by definition of W . ! ! Now we prove that W L.A/. Suppose that ˛ 2 W . For every prefix w of ˛ with w 2 W D L.A0 /, the accepting run of A0 over w may be seen as a prefix of the unique run r˛ of A over ˛ (unique because A is a deterministic Büchi automaton). Therefore Inf.r˛ / \ F ¤ ; and so ˛ 2 L.A/. t u Notice that in the proof of Theorem 4.8 the hypothesis that the Büchi automaton is !

deterministic is used in proving that W L.A/ (whereas it is not needed in proving !

that L.A/ W ). As a check, suppose to remove that hypothesis. Then the statement that A accepts ˛ if there are infinitely many prefixes of ˛ that drive A0 to a final state is false. Indeed from Example 4.7 consider the non-deterministic automaton A1 (set in this proof A D A1 ) and the !-word ˛ D .ab/! ; there are infinitely many prefixes of ˛ of the form .ab/n ; n 1; that drive A0 to a final state and so they are finite words in W , but it is false that A accepts ˛, because there is no final state that occurs infinitely often in any run r˛ of A and so there is no accepting run r˛ .

4.1 !-Languages and !-Automata

77

Now we show that there is no deterministic Büchi automaton that accepts the language L! .A1 / D f˛ 2 A! W a occurs a finite number of times in ˛g D f˛ 2 A! W 9
W A? such that L! .A1 / D W . Suppose by contradiction that there is such a set !

W . Since b ! 2 L! .A1 / D W , there is n1 such that b n1 2 W (b ! has infinitely many prefixes in W , in particular there will be a prefix b n1 2 W ). Similarly, since !

b n1 ab ! 2 L! .A1 / D W , there is n2 such that b n1 ab n2 2 W . Iterating the reasoning, we construct an !-word ˛ D b n1 ab n2 ab n3 : : : with infinitely many prefixes in W . !

!

!

By definition of W , ˛ 2 W , but W D L! .A1 / and so ˛ 2 L! .A1 /, which is a contradiction since ˛ contains infinitely many occurrences of a and so cannot be in L! .A1 /. Hence, the following theorem holds. Theorem 4.9. The class of !-languages recognized by deterministic Büchi automata is strictly included in the class of !-languages recognized by nondeterministic Büchi automata. Moreover, deterministic Büchi automata are not closed under complementation. Example 4.10. Consider the example in Fig. 4.2b. If we interpret it as a co-Büchi automaton with the final state interpreted as the persistent state, the language accepted is the set of !-words with finite occurrences of a. Compare it with the discussion in Example 4.7 to understand the duality between Büchi and co-Büchi conditions. Definition 4.1.5. A Muller automaton is a 5-tuple A D .Q; A; ; q0 ; F /, where Q is a finite set of states, A is a finite set of symbols, q0 2 Q is the initial state, F 2Q is a collection of sets of final states, and Q A Q is the transition relation. A run over an !-word ˛ is accepting if Inf./ 2 F . The automaton A accepts an !-word ˛ if there is an accepting run of A over ˛. The language L.A/ accepted by A is the set of !-words accepted by A. Given a deterministic Büchi automaton, a deterministic Muller automaton equivalent to it can be defined with the accepting condition F D fS 2 2Q j S \ F ¤ ;g. We state a few basic theorems about Muller automata. Theorem 4.11. Non-deterministic Muller automata accept !-regular languages and vice versa. Finally, the languages accepted by deterministic Muller automata are the same as the languages accepted by non-deterministic Büchi automata. So deterministic Muller automata have the same expressive power as nondeterministic Muller automata. Theorem 4.12 (McNaughton). An !-language is !-regular (i.e., accepted by a Büchi automaton) if and only if it is accepted by a deterministic Muller automaton.


78

4.2 Equations Over !-Languages We saw that Büchi automata have an underlying structure as finite automata, augmented with an infinitary acceptance condition. Büchi automata accept !regular languages; two automata are !-equivalent if they accept the same language, and automaton A is an !-reduction of automaton B if the !-language of A is a subset of the !-language of B. One might conjecture that the solution to an equation over !-languages could be obtained by solving the corresponding equation over their finitary counterparts, and then computing the limit of the latter solution to obtain the solution of the original equation over !-languages, however the following example shows that it is not true in general. Example 4.13. Given I D fi1 ; i2 g, U D fu1 ; u2 g, consider the !-regular languages C ! D ..i1 C i2 /.u1 C u2 //? .i1 u1 /! C .i2 u2 /! and S ! D .i1 C i2 /? i1! . Then the regular languages of the finite prefixes of the !-languages C ! and ! S are, respectively, P ref .C ! / D ..i1 C i2 /.u1 C u2 //? .i1 u1 /? C .i2 u2 /? and Pref .S ! / D .i1 C i2 /? i1? D .i1 C i2 /? . The largest solution of the equation Pref .C ! / ˘ X Pref .S ! / is the language !

L D .u1 C u2 /? , whose limit is L D .u1 C u2 /! . Indeed, L*I D ..u1 C u2 /? /*I D .u1 C u2 C i1 C i2 /? , whose intersection with Pref .C ! / is equal to Pref .C ! /. Then .Pref .C ! / \ L*I /+I D .Pref .C ! //+I D .i1 C i2 /? i1? C i2? D .i1 C i2 /? D Pref .S ! /. Moreover, L is the largest solution, because L is the universal language on alphabet U . !

However, L D .u1 C u2 /! is not a solution of C ! ˘! X S ! . Indeed, while ! u?2 2 L is a solution of Pref .C ! / ˘ X Pref .S /! , the word u!2 2 L is not a solution of the equation C ! ˘! X ! S ! . The reason is that the word .i2 u2 /! 2 .u!2 /*!I (the !-expansion of u!2 to alphabet I ), the word .i2 u2 /! 2 C ! \! ..u1 C u2 /! /*!I (the !-intersection of C ! and ..u1 C u2 /! /*!I ), and the word i2! D ..i2 u2 /! /+!I 62 S ! (..i2 u2 /! /+!I is the !-restriction of .i2 u2 /! to alphabet I ). In this section we describe how to extend parallel equations to !-languages described by Büchi automata, following the exposition in [24] and in the Master’s Thesis by V. Bushkov to which we are indebted [23]. A similar blueprint could be followed to extend synchronous equations to !-languages described by Büchi automata, but we are not going to work it out here.

4.2.1 Expansion and Restriction of !-Languages Definition 4.2.1. Given the disjoint alphabets A and B, an !-language L ! defined over A, and the mapping W A! ! 2.A[B/ such that .˛/ D

4.2 Equations Over !-Languages

79

fu1 ˛1 u2 ˛2 : : : ui ˛i W ui 2 B ? ; i 2 N g, the !-expansion of L to alphabet B (also called B-expansion of L) is the !-language L*!B D [˛2L .˛/; i.e., in order to expand L to B we insert all finite words over B before and after any symbol ˛i of any word ˛ 2 L. The generalization of the restriction operator from finitary languages to !-languages is less straightforward because it must return an !-language, even when the words of the initial !-language end with !-sequences of symbols only from alphabet B. Definition 4.2.2. Given the disjoint alphabets A and B, an !-language L defined over A [ B;, and the mapping h W A [ B ! A such that h.a/ D a if a 2 A and h.a/ D if a 62 A (and by induction h.˛/ D h.˛1 /h.˛2 / : : : h.˛i / : : : , where ˛ D ˛1 ˛2 : : : ˛i : : : 2 L), the !-restriction of L to alphabet A (also called A-restriction of L) is the !-language L+!A D

; [˛2Ln.A[B/? B ! h.˛/

if if

L .A [ B/? B ! L 6 .A [ B/? B !

The definition of !-restriction implies that if L D ; then L+!A D ;. Proposition 4.14. Given the disjoint alphabets A and B, and the !-language L A! , then .L*!B /+!A D L. Proposition 4.15. Given the disjoint alphabets A and B, and the !-languages L1 .A[B/! , L2 .A[B/! such that .L2+!A /*!B D L2 , then .L1 \L2 /+!A D L1+!A \ L2+!A .

4.2.2 Parallel Composition of !-Languages Definition 4.2.3. Given the pairwise disjoint alphabets I; U; V and O, the !languages L1 .I [ U [ V /! , L2 .O [ U [ V /! , and a subset E I [ V [ O, the !-parallel composition, denoted by ˘!E of L1 and L2 is the !-language L1 ˘!E L2 D .L1*O \ L2*I /+E : We use ˘E or ˘! instead of ˘!E when the meaning is clear from the context. A parallel composition models that the components interact by means of common actions from U [ V , i.e., an action from U [ V is executed if and only if both components are ready to execute it at their current states, while external actions from I [ O are executed independently. Proposition 4.16. If L02 L2 , then L1 ˘!E L2 L1 ˘!E L2 .

80


4.2.3 Parallel Equations Over !-Languages Definition 4.2.4. Given the pairwise disjoint alphabets I; U; V and O, the !-languages C .I [ U [ V /! , S .I [ V [ O/! , and the sets E D I [ V [ O and H D U [ V [ O, C ˘!E X S (or C ˘!E X D S ) is a !-parallel equation, with respect to the unknown !-language X over alphabet H . An !-language B H ! is a solution of the equation C ˘!E X S (or C ˘!E X D S ) if C ˘!E B S (or C ˘!E B D S ). C ˘!E B S (or C ˘!E B D S ) is solvable if a solution exists. A solution is called the largest solution, if it contains every solution. In [24] the following statement is proved. Theorem 4.17. A solvable equation C ˘!E X S over !-languages has the largest solution .C ˘!H S /, where S denotes the complement of S . If C ˘!E .C ˘!H S / D S , then .C ˘!H S / is the largest solution of the equation C ˘!E X D S . Any !-solution of the equation C ˘!E B D S is contained in .C ˘!H S /, but not every !-language contained in .C ˘!H S / is a solution of the equation. As done for finitary languages, solving an equation over !-regular languages reduces to transforming the operator over !-languages to operations over the corresponding !-automata that accept them.

4.2.4 Operations Over !-Automata 4.2.4.1 !-Expansion of !-Automata Proposition 4.18. Given a Büchi automaton A D .Q; A; ; q0 ; F / accepting a given !-regular language L over the alphabet A and an alphabet B disjoint from A, consider the Büchi automaton A*!B , derived from A as follows: for every state s 2 Q n F and every symbol b 2 B, add a self-loop .s; b; s/; for every state s 2 F , add a non-accepting state s 0 , a transition .s; b; s 0 /, a self-loop .s 0 ; b; s 0 / under every symbol b 2 B and a transition .s 0 ; a; s 00 / for every transition .s; a; s 00 / where. Then A*!B accepts the B-expansion L*!B of the language L accepted by A. Example 4.19. Given the automaton A over A D fa; cg shown in Fig. 4.3a, b shows A*!B , where B D fbg. Notice that the operators for standard expansion of finitary languages and !-expansion act differently on the automata. For instance, for !expansion we do not add self-loops at accepting states, otherwise L.A*!B / would not be equal to .L.A//*!B .

4.2 Equations Over !-Languages

81

a c c

a

a

a

b

b

c b

c a

b a

c

c

b

a

a

b b

Fig. 4.3 (a) Automaton A; (b) Automaton .A/*!B

4.2.4.2 !-Restriction of !-Automata Proposition 4.20. Given a Büchi automaton A D .Q; A[B; ; q0 ; F / accepting a given !-regular language L over the alphabet A[B, consider the Büchi automaton A+!A , derived from A by replacing every transition .s; b; s 0 / where s 2 Q and b 2 B n A by the transition .s; ; s 0 /, and then taking its -closure. Then A+!A accepts the A-restriction L+!A of the language L accepted by A. 4.2.4.3 !-Product of !-Automata Proposition 4.21. Given two Büchi automata A1 D .Q1 ; A; 1 ; q01 ; F1 / and A2 D .Q2 ; A; 2 ; q02 ; F2 / accepting respectively the given !-regular languages L1 and L2 over the alphabet A, consider the Büchi automaton A1 \! A2 D ..Q\ ; A; \ ; q0\ ; F\ //; defined as follows: Q\ D Q1 Q2 f1; 2gI q0\ D .q01 ; q02 ; 1/I F\ D Q1 Q2 f2gI \ is such that ..s1 ; s2 ; 1/; a; .s10 ; s20 ; 1// 2 \ iff .s1 ; a; s10 / 2 1 ; .s2 ; a; s20 / 2 2 ; s1 ..s1 ; s2 ; 1/; a; .s10 ; s20 ; 2// 2 \ iff .s1 ; a; s10 / 2 1 ; .s2 ; a; s20 / 2 2 ; s1 ..s1 ; s2 ; 2/; a; .s10 ; s20 ; 2// 2 \ iff .s1 ; a; s10 / 2 1 ; .s2 ; a; s20 / 2 2 ; s2 ..s1 ; s2 ; 2/; a; .s10 ; s20 ; 1// 2 \ iff .s1 ; a; s10 / 2 1 ; .s2 ; a; s20 / 2 2 ; s2

62 F1 , 2 F1 , 62 F2 , 2 F2 .


82

Then A1 \! A2 accepts the intersection of the !-languages accepted respectively by A1 and A2 . Notice the major differences between the operators for standard intersection of finitary languages and !-intersection. 4.2.4.4 !-Parallel Composition of !-Automata Proposition 4.22. Given two Büchi automata A1 D .Q1 ; I [ U [ V; 1 ; q01 ; F1 / and A2 D .Q2 ; U [ V [ O; 2 ; q02 ; F2 / accepting respectively the given !-regular languages L1 and L2 , and the alphabet E I [ V [ O, consider the Büchi automaton A1 ˘!E A2 D ..A1 /*!O \! .A2 /*!I /+!E : Then A1 ˘!E A2 accepts the parallel composition of the !-languages accepted respectively by A1 and A2 , with respect to alphabet E.

4.2.4.5 !-Parallel Complementation of !-Automata We omit the procedure for deriving the Büchi automaton that accepts the complement of the language accepted by a given Büchi automaton, because it is quite complicated. For a discussion on the topic we refer to [42, 53, 122]. The problem of complementation may be simplified in special cases, as done in Chap. 18, where a subset construction is used to obtain a deterministic Büchi overapproximation of an ND Büchi automaton. Therefore, the final complementation, done by simply complementing the acceptance conditions to obtain a co-Büchi automaton, yields a subset of the most general solution automaton.

4.2.4.6 Summing it up The following theorem has been proved in [24]. Theorem 4.23. Given the pairwise disjoint alphabets I; U; V and O, the !-regular languages C .I [ U [ V /! , S .I [ V [ O/! , and the sets E D I [ V [ O and H D U [ V [ O, suppose that AC and AS are Büchi automata accepting respectively C and S , then the largest solution of the !-regular parallel equation C ˘!E X S is the !-regular language accepted by the Büchi automaton AC ˘!H AS :

Problems

83

If C ˘!E L.AC ˘!H AS / D S , then L.AC ˘!H AS / is the largest solution of the equation C ˘!E X D S . We will describe in Chap. 18 an heuristic algorithm to solve synchronous equations over !-languages represented by Büchi automata.

Problems 4.1. Show that the set of finite subsets of natural numbers, ! D f0; 1; 2; : : : g, represented as a set of strings in f0; 1g! , is accepted by a non-deterministic Büchi automaton, but by no deterministic Büchi automaton (from [73]). Notice that a set A ! is represented by its characteristic string, i.e., the infinite string over f0; 1g with a 1 in position i if and only if i 2 A. For example the characteristic string of the set of multiples of 3 is: 100100100100100100100100::: the characteristic string of primes is: 001101010001010001010::: the characteristic set of singleton 4 is: 000010000000000000000::: 4.2. Show that every set accepted by a Büchi automaton is a finite union of sets of the form AB ! , where A and B are regular sets. 4.3. Consider the automaton in Fig. 4.4. (a) What is its language when interpreted as a finite automaton? (b) What is its language when interpreted as a Büchi automaton, with A as the final state? (c) Is there a deterministic Büchi automaton to recognize the complement of the language defined in (b)? (d) What is its language when interpreted as a co-Büchi automaton, with B as the persistent state?

a

b a

Fig. 4.4 (a) Büchi automaton for Problem 4.3

B

b

A


84 Fig. 4.5 Topology for Problem 4.4 and Problem 4.5 I

C

U

X

S

4.4. Given the topology shown in Fig. 4.5, consider the !-regular languages C ! D .i1 u1 C i1 u2 C i2 u1 C i2 u2 /? .i1 u1 /! C .i2 u2 /! and S ! D .i1 C i2 /? i1! . Check whether the largest solution of the equation C ! ! X ! S ! is the limit of the largest solution of the equation Pref .C ! / X Pref .S ! /. Notice that the former is a parallel equation over !-regular languages and the latter is a parallel equation over regular languages (obtained as finite prefixes of !-languages). 4.5. Given the topology shown in Fig. 4.5, consider the !-regular languages C ! D ..i1 C i2 /.u1 C u2 //! and S ! D .i1 C i2 /! . Check whether the largest solution of the equation C ! ˘! X ! S ! is the limit of the largest solution of the equation Pref .C ! / ˘ X Pref .S ! /. Notice that the former is a parallel equation over !-regular languages and the latter is a parallel equation over regular languages (obtained as finite prefixes of !-languages).

Chapter 5

A Survey of Relevant Literature

5.1 Equations Under Synchronous Composition Sequential synthesis offers a collection of problems that can be modeled by FSM equations under synchronous composition. Some have been addressed in the past with various techniques in different logic synthesis applications.

5.1.1 Hierarchical Optimization and Don’t Care Sequences In place of designing a huge monolithic FSM and then optimizing it by state reduction and encoding, it is convenient to work with a network of smaller FSMs. However, if each of them is optimized in isolation, part of the implementation flexibility is lost, because no use is made of the global network information. Hierarchical optimization calls for optimizing the FSMs of a network capturing the global network information by means of don’t care conditions. The goal of hierarchical optimization is to optimize the FSMs of a network capturing the global network information by means of don’t care conditions. This paradigm follows the approach taken in multi-level combinational synthesis since the beginning [27, 29], where a lot of effort has been invested in capturing the don’t cares conditions and devising efficient algorithms to compute them or their subsets [44, 54, 57, 95]. The first source of don’t care sets is due to external limitations on controllability and observability. In particular input controllability don’t cares and output observability don’t cares have been defined for multi-level combinational networks (see [57, 95]). Definition 5.1.1. The input controllability don’t care set, CDCi n , includes all input vectors that are never produced by the environment at the network’s inputs. The output observability don’t care sets, ODCout , denote all input vectors that represent situations when an output is not observed by the environment.


85

86

5 A Survey of Relevant Literature

When the theory is extended to sequential circuits, don’t care sets become sequences of inputs instead of single inputs, since sequential circuits transform input sequences into output sequences. seq

Definition 5.1.2. The input controllability sequential don’t care set, CDCi n , includes all input sequences that are never produced by the environment at the seq network’s inputs. The output observability sequential don’t care sets, ODCout , denote all input sequences that represent situations when an output is not observed by the environment at the current time or in the future, and all subsets of input sequences whose outputs are not distinguished by the environment. When the previous definitions are applied to the components of a network, the limited controllability or observability becomes a consequence of what cannot be produced by a source component or cannot be observed/distinguished by a sink component. These restrictions can be exploited to optimize the components; for instance, since the output don’t care sequences of a component are the subsets of input sequences that cannot be distinguished at the outputs of the component, they can be used to modify the component that produces them since the modifications carry no effect on the component that receives them as inputs. In the rest of the chapter, we will represent sometimes a composition like MA MB with the notation MA ! MB or MA $ MB , to highlight that it is a series composition (MA ! MB ) vs. a closed-loop (MA $ MB ).

5.1.2 Computation of Input Don’t Care Sequences Consider a cascade interconnection of two FSMs MA and MB , where the driving FSM MA feeds the input vectors to the driven FSM MB . Then input controllability don’t cares are the sequences of outputs not produced by MA ; they restrict the controllability of the driven FSM MB and are used to modify MB obtaining an FSM MOB such that the cascade interconnection does not change, i.e., MA ! MOB D MA ! M B . Kim and Newborn [69] were the first to give a procedure to compute all input controllability don’t care sequences for a series topology, as follows: 1. Construct a NDFA NAoMA accepting the output language produced by the FSM MA . NAoMA is derived from MA by replacing the input/output labels by the output labels and making each state acceptable; moreover a dead state F is added to NAoMA , and if from state s there is no transition with label o then a transition from s to F under o is added to NAoMA . 2. Obtain AoMA as the determinization of NAoMA (and minimize its states, if desired).

5.1 Equations Under Synchronous Composition

87

3. Compute MO B as the product of AoMA and MB ,1 except that transitions going into states of the product machine containing F are considered as unspecified transitions (in other words, they are sent to a dummy state DC with a selfloop under every input asserting every output). So MO B is an ISFSM that can be reduced using conventional algorithms for state minimization. After minimization, MO B is guaranteed to have no more states than MB . In [121] a heuristic was provided to reduce the number of states of AoMA by discarding some don’t care information; still AoMA has to be built first. More heuristics to approximate input don’t care sequences were explored in [139]. Later on, Wang and Brayton [139] showed that input don’t care sequences for a component in a network of FSMs with an arbitrary topology can be exploited in the same way as in a series topology and that computing input don’t care sequences for an arbitrary topology can be reduced to computing them for a series topology. Given the FSMs MA and MB composed in a two-way topology, MA $ MB , it was 0 proved that if Lx are the input don’t cares sequences for MB , and if MB is obtained 00 0 from MB using Lx as unspecified transitions and MB is obtained from MB after 00 state minimization, it holds that MA $ MB D MA $ MB , i.e., the behavior of the 00 network is preserved when MB replaces MB . An FSM network with an arbitrary topology and including FSM MB can be reduced to the case of a two-way topology, by lumping together as FSM MA all the FSM components except for MB . In this way, the original network is reduced to either a series topology or a two-way topology of FSMs MA and MB . As a result, input don’t care sequences for a component in a general FSM network can be exploited using state minimization procedures for incompletely specified FSMs. To compute the input don’t care sequences with the procedure of Kim and Newborn, a further step is needed to reduce from a two-way topology to a series topology, as follows: consider a network MA $ MB and call it N , then network N produces the same I/O sequences as network N 0 drawn in Fig. 5.1, because MA $ MB produces the same U and V sequences in N as it does in N 0 , therefore MA and MB behave under U and V in network N 0 as they do in N , and so N 0 produces the same I/O sequences as network N . By this transformation from a two-way topology to a series topology, the input don’t care sequences respectively of MA and MB are preserved. The driving machine is in both cases the composition of FSMs MA and MB , MA $ MB , and it is called the abstract driving machine of the FSM network. In general, given an FSM network and a component FSM MB whose input don’t care sequences should be computed, the abstract driving machine is the network itself, unless MB is in a one-way communication with the other components and so the abstract driving machine is the network except MB . The previous steps establish that it is correct to apply the procedure by Kim and Newborn directly to an arbitrary FSM network topology. In summary:

One has to take care of defining over the same alphabets both AoMA and MB , for instance turning AoMA into an FSM with don’t care outputs for each input combination of the automaton AoMA . 1

88


a I1

O1

MA

I2 V

V

MB

U

I2

O2

MB

b I1

I1

MA

U MA

V

O1 I2

U MB

O2

Fig. 5.1 Networks N 0 obtained by series composition of driving machine N D MA $ MB with MB or MA . (a) The series topology .MA MB /#I1 I2 U O1 ! MB is used to compute the input don’t care sequences of MB ; (b) The series topology .MA MB /#I1 I2 V O2 ! MA is used to compute the input don’t care sequences of MA

1. The series topology .MA MB /#I1 I2 V O2 ! MB preserves the input don’t care sequences of MB . 2. The series topology .MA MB /#I1 I2 U O1 ! MA preserves the input don’t care sequences of MA . Example 5.1. Figure 5.2 shows a series topology MA ! MB and the computation of the input don’t care sequences with the procedure by Kim and Newborn, providing the full flexibility at MB . Notice that MO B can be reduced to two states (by merging states 22, 33 and 3T ), whereas MB has three states. The theory of input don’t care sequences was developed independently in the Soviet Union by Yevtushenko [152]. Another approach based on injecting faults into the component FSM MB and checking whether the injected fault is redundant was proposed by Ferrandi et al. in [40]. This method does not compute the complete flexibility, but the experiments reported show that the computed partial flexibility is sufficient to achieve a good optimization of MB .

5.1 Equations Under Synchronous Composition 1/1 0/0

a 0/0

89 1/1 0/0

b 0/1

2

2

1

1

1/1

0/0 1/0

0/0 1/0

1/1

3

3 1/1 0/0

c 0/1

22

11

1/1

0/0

−/−

33

3T 1/−

Fig. 5.2 Components (a) MA and (b) MB of series topology MA ! MB of Example 5.1; (c) MO B expresses the full flexibility at MB due to input don’t care sequences; MO B can be reduced to two states by state minimization

5.1.3 Computation of Output Don’t Care Sequences Output observability don’t cares are the sets of sequences of inputs of MB that cannot be distinguished by the outputs of MB , i.e., the sequences of a set cannot be distinguished from each other by looking to the outputs of MB ; they restrict the observability of the driving FSM MA and are used to modify MA obtaining an FSM MO A such that the cascade interconnection does not change, i.e., MO A ! MB D MA ! M B .

5.1.3.1 Computation of Subsets of Output Don’t Care Sequences Output don’t cares sequences of length one (called simply sequential output don’t cares), were studied by Devadas [34], and fixed-length output don’t care sequences by Rho [121]. A different subset of output don’t care sequences of MA is computed by a procedure designed by Wang [140], whose idea is to enumerate implicitly all

90


possible languages generated by MA by changing the output function, but keeping the state transition function unchanged. Say that MA has k transition edges and an output alphabet U with jU j symbols, then MA may produce jU jk possible output functions, if its transition function is kept unchanged. For each such output 0 0 function 1 one must check whether the corresponding FSM MA is such that 0 MA ! MB D MA ! MB . Comparing Wang’s and Rho’s procedures, the former implicitly enumerates infinite-length output don’t care sequences, but it is restricted by the assumption that the state transition function must be kept unchanged; the latter is restricted to sequences of finite-length and also uses a restricted notion of equivalent sequences. So neither procedure is complete. 5.1.3.2 Computation of Complete Output Don’t Care Sequences in a Series Topology The complete flexibility for the head FSM of a series composition was derived by Yevtushenko and Petrenko [111, 112, 152] by means of a NDFSM whose states are the Cartesian product of the components’ states, and whose transition relation is unspecified for the inputs such that no internal signal produces the reference output, otherwise it includes all transitions with allowed internal signals. The first result [152] solved the special case of Moore FSMs where the tail component produces different outputs for different states. Consider a series composition MA ! MB of two Moore FSMs MA D .SA ; I; U; ıA ; A ; rA / and MB D .SB ; U; O; ıB ; B ; rB /, such that 8s1 ; s2 2 SB s1 ¤ s2 implies B .s1 / ¤ B .s2 /. The FSM representing all behaviors that can be realized at the head component is given by the NDFSM MD D .SA SB ; I; U; ıD ; D ; .rA ; rB //, where ıD ..sA ; sB /; i / D .ıA .sA ; i /; ıB .sB ; A .sA /// and D .sA ; sB / D fu j ıB .sB ; y/ D ıB .sB ; A .sA //g, i.e., the output of MD at state .sA ; sB / is the set of u 2 U that drive M2 from sB into the same state to which A .sA / does. Theorem 5.2. [152] MC ! MB D MA ! MB iff MC is a reduction of MD . The method was then extended to arbitrary tail machines through two more contributions [111, 112]. The first one described in [112] proposes an algorithm for output don’t care sequences dual to the one by Kim and Newborn for input don’t care sequences. Consider a series composition MA ! MB of two FSMs MA D .SA ; I; U; ıA ; A ; rA / and MB D .SB ; U; O; ıB ; B ; rB /. The FSM representing all classes of input sequences of MB equivalent with respect to MB (MB produces the same output sequence under these input sequences, which are the don’t care output sequences of MA ) is given by the NDFSM MD D .SB SB ; U; U; T; .rB ; rB //, where the transition ..OsB ; sQB /; u1 ; u2 ; .OsB0 ; sQB0 // 2 T iff B .OsB ; u1 / D B .QsB ; u2 /, sOB0 D ıB .OsB ; u1 / and sQB0 D ıB .QsB ; u2 /. In other words, the output sequences produced by FSM MD under a given input sequence ˛ are those under which MB produces the same output sequence that it generates under ˛.


91

Theorem 5.3. [112] MC ! MB D MA ! MB iff MC is a reduction of the product of MA and MD . The contribution described in [111] builds directly the NDFSM capturing all the flexibility.2 Example 5.2. Figure 5.3a,b show the head and tail components of a series topology MA ! MB to illustrate the computation of the output don’t care sequences with the procedure by Yevtushenko and Petrenko in [111], providing the full flexibility at MA . Figure 5.3c portrays the NDFSM MD representing all classes of input sequences equivalent with respect to MB (MB produces the same output sequence under these input sequences, which are the don’t care output sequences of MA ). Then the product MA MD contains all the behaviors that can replace the given head component MA . One such behavior, corresponding to a submachine MA0 of MA MD is shown in Fig. 5.3d, and it can be reduced to two states by state minimization as in Fig. 5.3e (states a1 ; c2 ; c4 are merged into one state, and states b1 ; b4 into another), whereas the original head machine MA had three states.

5.1.4 Computation of the Permissible Behaviors with the E-Machine The attempts to characterize with input and output don’t care sequences the complete flexibility of a component in a composition with loops failed, because modifying a component affects in a circular way the input and output don’t care sequences computed so far. The first description of the complete flexibility in a two-way synchronous composition for the rectification topology is due to Y. Watanabe and R. Brayton. Given the network topology shown in Fig. 1.1d, they introduced in [142] a fixedpoint computation to compute a PNDFSM that contains all behaviors MB (DFSMs) whose composition with the given machine MA is contained in the specification MC . The PNDFSM so obtained has been called the E-machine, where the prefix E stands for environment. An alternative computation, credited to A. Saldanha, builds an equivalent NDFSM (see [66] for a detailed exposition). The authors have also investigated the issue of logical implementability of the DFSMs contained in the E-machine, i.e., the problem of finding those contained DFSMs MB such that there Consider a series composition MA ! MB of two FSMs MA D .SA ; I; U; ıA ; A ; rA / and MB D .SB ; U; O; ıB ; B ; rB /. The FSM representing all behaviors that can be realized at the head component is given by the NDFSM MD D .SA SB SB ; I; U; T; .rA ; rB ; rB //, where ..sA ; sOB ; sQB /; i; u; .sA0 ; sOB0 ; sQB0 // 2 T iff the output of MA ! MB at state .sA ; sOB / under input i is equal to the output of MB at state sQB under input u, and .sA0 ; sOB0 ; sQB0 / are the successor states respectively in MA ! MB and MB . 2

Theorem 5.4. [111] MC ! MB D MA ! MB iff MC is a reduction of MD . .

92


a

b

x/u2 x/u1

a

b

u2/o1 u3/o1 1

2 u1/o1 u2/o2 u4/o2

x/u1 y/u1 y/u4

y/u3 c

c

u1/u1 u4/u4

u1/o1 u4/o2

d

b4

u4/u3

x/u2

u1/u1 u4/u2, u4

11 u1/u1 u2, u4/u4

u1/u2, u3

x/u2

12

u1/u1 u1/u2, u3 u2, u4/u2, u4 u2, u3/u1

y/u2

b1 x/u1

x/u1

y/u2

u2, u3/u2, u3

u3/u2, u4

x/u1

a1

u2, u4/u3

y/u3 y/u2

u2, u3/u1 21

u3/o2

22

u3/u4

y/u3 c2

c4

u3/u3

e x/u1 a

b y/u3

y/u2

x/u2

Fig. 5.3 Components (a) Head FSM MA and (b) Tail FSM MB of series topology MA ! MB of Example 5.2; (c) FSM MD that captures the flexibility at MA due to output don’t care sequences; (d) Submachine MA0 extracted from MA MD ; (e) FSM MA00 obtained by state minimization of MA0

exists a pair of circuit implementations of MB and MA with no combinational cycles created by connecting them together by the internal signals u and v. These DFSMs are called permissible.

5.1.5 How to Exploit the Flexibility A common way to exploit the computed flexibility is first to minimize the number of states of each legal FSM and then the size of the logic realization of the encoded FSM. State minimization of ISFSMs has been addressed in the classical literature


93

starting from the seminal papers of the 1960s by Grasselli and Luccio [50, 65], and then extended in the 1990s to PNDFSMs [32, 67, 143]. A comprehensive survey on state minimization of FSMs can be found in [66]. Using state minimizers to exploit the flexibility has two drawbacks: (1) exact state minimization is a computationally hard problem; (2) reducing the number of states does not guarantee a smaller logic realization. The problem of FSM encoding in the context of a network of FSMs is even more complex than for a monolithic FSM (because symbolic variables may be shared among components) and it has received up to now scant attention in the literature. Optimization techniques for sequential circuits at the netlist level are in a more mature stage than state-based methods, since they achieve good results on large circuits; however, manipulating symbolic (state-based) information is indispensable for computing the flexibility of a component in an FSM network. To handle this issue, Wang proposed in [141] an algorithmic strategy which takes a circuit implementation as the starting point and computes the flexibility at the symbolic level, but exploitation is directly at the netlist logic level.

5.1.6 FSM Network Synthesis by WS1S It is known since the seminal work of Büchi and Elgot in the sixties that regular languages play a role in decidability questions of formal logic [19]. For instance, it was shown that WS1S (Weak Second-Order Logic of 1 Successor) is decidable, because the set of satisfying interpretations of a subformula is represented by a finite automaton, and so the automaton for a formula can be constructed by induction, noticing that logical connectives correspond to operations on automata such as product, projection and subset construction. Validity, satisfiability or unsatisfiability of a formula can be established by answering questions on the corresponding automaton. So WS1S can be seen as another notation for regular languages, as also regular expressions are. WS1S features first-order variables that denote natural numbers (they can be compared and added to constants), and second-order variables that denote finite sets of numbers. We sketch next the basic steps that show the equivalence between WS1S logic and automata [70]. In WS1S any formula can be put in a form where atomic subformulas denoting either a subset, or a set difference, or a successor relation are operated upon by logical operators denoting either a negation, or a conjunction, or an existential quantification. Given a formula , its semantics is defined inductively relative to a string w over the alphabet Bk , where B D f0; 1g and k is the number of variables in . Assign to every variable of a unique index i in the range 1; 2; : : : ; k and denote as Pi the variable whose index is i . The interpretation of Pi under the string w is the finite set w.Pi / D fj j Pi Œj D 1g, where Pi Œj D 1 denotes that the j -th bit in the Pi -th track is 1. The notation w ˆ , read w satisfies , means that w 0 makes true. The inductive construction follows the rules: w ˆ : iff w 6ˆ ;

94

5 A Survey of Relevant Literature 0

00

0

00

w ˆ ^ iff w ˆ and w ˆ ; w ˆ 9Pi iff 9 a finite M N such that 0 wŒPi 7! M ˆ , where wŒPi 7! M denotes the shortest string w0 that interprets all variables Pj ; i ¤ i , as w does, but interprets Pi as M ; w ˆ Pi Pj iff w.Pi / w.Pj /; w ˆ Pi D Pj n Pk iff w.Pi / D w.Pj / n w.Pk /; w ˆ Pi D Pj C 1 iff w.Pi / D fk C 1 j k 2 w.Pj /g. Example 5.3. The formula D 8p .P .p/ $ :Q.p// defines the language L./ over B2 such that if the letter ˇ ˇ ˇ x1 ˇ ˇ ˇ 2 B2 ˇ x2 ˇ occurs in position j , then j 2 P iff x1 D 1 and j 2 Q iff x2 D 1. The string ˇ ˇ0 1 1 0 w D ˇˇ 100 whereas the string

ˇ 0 ˇˇ 2 L./; 1ˇ

ˇ ˇ ˇ0 1 1ˇ 00 ˇ 62 L./: w D ˇˇ 0 0 0ˇ

For a formula define the language L./ as the set of satisfying strings L./ D fw ˆ g. Then the following result holds. Theorem 5.7 (Thatcher-Wright [132]). L .f0; 1gk /? is regular iff there exists a WS1S formula with X1 ; : : : ; Xk as free variables and L./ D L. To prove that any L./ is a regular language, one shows by induction on the formula how to construct a deterministic automaton A such that L.A/ D L./, where L.A/ is the language recognized by A. The atomic formulas are translated into appropriate basic automata (see [71]). Composite formulas are handled by well-known automata operations: negation of a formula corresponds to automaton 0 0 complementation (if D : , then L.: / D L. 0 / D L.A0 / D L.A0 /, 0 0 where A0 is the automaton such that L. / D L.A /, and so A D A0 is the automaton for ); conjunction corresponds to language intersection; existential quantification corresponds to projection, that may introduce non-determinism and require determinization by subset construction. The converse statement that every regular language is representable in WS1S is proved by encoding in WS1S the finite automaton that recognizes the given regular language. Example 5.8. [93] The nondeterministic automaton of Fig. 5.4 can be represented by the formula in WS1S 8t .ŒS1 .t/ ^ S2 .t/ ^ :I.t/ ^ S1 .t C 1/ ^ S2 .t C 1/ _ ŒS1 .t/ ^ S2 .t/ ^ :I.t/ ^ :S1 .t C 1/ ^ S2 .t C 1/

5.1 Equations Under Synchronous Composition Fig. 5.4 Nondeterministic automaton of Example 5.8

95

Input b b a a a

Present state k0 k0 k1 k2 k2

Next state k0 k2 k0 k0 k1

_ ŒS1 .t/ ^ :S2 .t/ ^ I.t/ ^ S1 .t C 1/ ^ S2 .t C 1/ _ Œ:S1 .t/ ^ S2 .t/ ^ I.t/ ^ S1 .t C 1/ ^ :S2 .t C 1/ _ Œ:S1 .t/ ^ S2 .t/ ^ I.t/ ^ S1 .t C 1/ ^ S2 .t C 1// where I.t/ means input a, :I.t/ means input b, S1 .t/ ^ S2 .t/ means state k0 , S1 .t/ ^ :S2 .t/ means state k1 and :S1 .t/ ^ S2 .t/ means state k2 . Even though the space and time requirements to translate formulas into automata have been shown to be bounded below by a stack of exponentials whose height is proportional to the length of the formula, an “efficient” implementation of the decision procedures of WS1S has been presented in the tool MONA [71], which computes a minimum deterministic automaton whose language is the set of strings for which the formula holds. Efficient means that a variety of interesting practical problems have been successfully handled by the program. The WS1S formalism enables to write down easily equations that characterize the set of (functionally) permissible behaviors at a node for different topologies, as pointed out by Aziz et al. in [5]. We present the equations for some FSM networks shown in Fig. 1.1. In all equations MC represents the specification; in a given equation, we label the unknown FSM by a superscript ? . According to the WS1S syntax, the FSMs must be encoded to appear in the equations.

1-Way Cascade (a) - Fig. 1.1c MA .I1 ; U / D .8O2 /Œ MB .U; O2 /! MC .I1 ; O2 /: The machine MA is exactly the one produced by the construction due to Kim and Newborn [69]. 1-Way Cascade (b) - Fig. 1.1c MB .U; O2 / D .8I1 /Œ MA .I1 ; U /! MC .I1 ; O2 /: Supervisory Control - Fig. 1.1e MB .I2 ; O1 ; V / D MA .V; O1 / ! MC .I2 ; O1 /: The restriction to Moore solutions was investigated in [4]. 2-Way Cascade (a) - Fig. 1.1b MA .I1 ; V; U / D .8O2 /Œ MB .U; V; O2 / ! MC .I1 ; O2 /: 2-Way Cascade (b) - Fig. 1.1b MB .U; V; O2 / D .8I1 /Œ MA .I1 ; V; U / ! MC .I1 ; O2 /: Rectification (a) - Fig. 1.1d MB .U; V / D .8I1 ; O1 /Œ MA .I1 ; V; U; O1 / ! MC .I1 ; O1 /: Rectification (b) - Fig. 1.1d MA .I1 ; V; U; O1 / D MB .U; V / ! MC .I1 ; O1 /:

96


Going beyond previous ad hoc approaches, the fact of embedding logic synthesis problems into WS1S formulas allows one to state them in a common frame, enabling easily proof of correctness and completeness of the proposed solutions. Then the computations are performed on the related automata applying to them the operations that correspond to the standard logical connectives (however the result may be a regular language that is not an FSM language, an issue addressed by Theorem 3.8). In contrast, the theory of synchronous and parallel equations is built upon the primitive notions of language and language composition, and models naturally a larger spectrum of language equations and their specialized solutions.

5.1.7 Testing When an FSM is embedded into a complex system, usually there is no direct access to its inputs and outputs, and thus the FSM cannot be tested in isolation; the reason is limited controllability from outside of the internal inputs of the FSM, or limited observability from outside of the internal outputs of the FSM. This is the so-called problem of testing in context, which has been an active area of research. Petrenko et al. [114] proposed to solve testing in context by means of solving equations over FSMs to derive all FSMs externally equivalent to a given component FSM, since the latter FSMs are exactly the reductions of the largest solution describing the complete flexibility of the given component FSM.

5.1.8 Model Matching by Simulation Relations The objective of model matching in control theory is to design a controller MB so that the composition of a plant MA with MB matches a given model MC (see the controller’s topology in Fig. 1.1e). A procedure for deriving the largest solution for complete FSMs MA (DFSM) and MC (PNDFSM) of the equation MA MX sim MC for the discrete model matching problem was proposed in [12, 68], where sim denotes simulation relation3 (as opposed to language containment in

S1 S2 is a simulation relation from an FSM M1 D hS1 ; I; O; T1; r1 i to an FSM M2 D hS2 ; I; O; T2; r2 i if:

3

1. .r1 ; r2 / 2 2. .s1 ; s2 / 2

, and ) 0

i=o

0

0

i=o

0

0

0

f 8i 8o 8s1 Œ .s1 !M1 s1 / ) 9s2 Œ.s2 !M2 s2 / ^ .s1 ; s2 / 2

g.

If such a exists, we say that M2 simulates M1 , or that M1 has a simulation into M2 , and denote it by M1 sim M2 .


97

our approach). Simulation relations in general are stronger (more restrictive) than language containment, i.e., a simulation relation implies language containment, but not vice versa. The use of simulation relation instead of language containment avoids determinization and leads to an algorithm of polynomial complexity bounded by O.jSA j:jSC j:jTA j:jTC j/, where jSA j (jSC j) is the number of states of MA (MC ) and jTA j (TC ) is the size of the transition relation of MA (MC ). In [12] a solvability condition is given, based on the notion of simulation relation between the automata which generate the possible output sequences produced by an FSM. Model matching was investigated also within the frame of supervisory control in [8], relying on the relation between the controllability of a language and a given bisimulation; the same formulation was adopted in [91], where an implicit representation of automata based on algebraic methods is proposed. Notice that for some topologies, like the rectification topology, solutions based on simulation relations do not provide the complete flexibility.

5.1.9 Structural Replacement of Synchronous and Asynchronous Hardware We list a few lines of investigation covering topics that arise from structural replacement, when the implementability of a legal behavior is considered: 1. Model matching of asynchronous sequential machines. Issues of races, infinite cycles and adversarial inputs were discussed in [47, 99, 106, 133, 146]. 2. Replacement and verification of hierarchical models of synchronous and asynchronous circuits. Trace theory has been used by Dill [35] to model hierarchical verification of asynchronous hardware. E. Wolf developed it further in [22, 145] to derive a closed-form expression that specifies all and only the permissible replacement circuitry in a given location in a circuit or partially-structured specified model. Her frame applies to both combinational circuits and clocked sequential circuits. Nondeterministic specifications are allowed too. The circuit semantics adopted allows the expression of circuits that contain unlatched feedback loops, and therefore, among the degrees of freedom available for the correct implementation of a part of a logic network, there is the possibility that it contains unlatched feedback. 3. Safe replaceability. It is the problem of replacing components when there is limited or no information on the initial states of the component under replacement, After the pioneering work of C. Pixley, important contributions came from Singhal and Brayton [58, 88, 127–129].

98


5.2 Equations Under Parallel Composition Inequalities and equations under parallel composition have a wide range of applicability in various domains. For instance they found a fertile area of application in protocol converter synthesis [3, 6, 13, 103–105]. In this section we will survey some important related literature.

5.2.1 Equations Over Process Languages and Process Algebras A process language is usually a prefix-closed regular language and is represented as the language (or set of traces) of a labeled transition system (LTS), which is a finite automaton (with moves) where each state is accepting. Some states can be marked also with a partially ordered set of marks. In [94] the equation A ˘ X D C was studied over LTS languages and the following results were claimed: Theorem 5.9. The general solution of A ˘ X C over prefix-closed regular languages is given by S D A ˘ C n A ˘ C: Theorem 5.10. The equation A ˘ X D C is solvable over prefix-closed regular languages iff the language S D A ˘ C n A ˘ C is a solution of the equation, i.e., A ˘ .A ˘ C n A ˘ C / D C . Theorem 5.9 does not compute the largest solution of A˘X C that is S D A ˘ C ; the largest solution is obtained by adding to the language A ˘ C n A ˘ C each word ˛ 2 .U [ O/? such that the sets ˛+U and A+U are disjoint (these words cannot occur in the composition). Given the equation A ˘ X C over prefixclosed regular languages accepted by a finite automaton with nonaccepting states, a procedure leading to the same incomplete solution S D A ˘ C n A ˘ C is presented and argued to be maximal in [55]. Notice that the version of Procedure 2.3.1 for parallel composition handles unrestricted regular languages, so it is more general than the ones in [94] or [55]. Safe and compositionally deadlock-free solutions are considered in [36] and a procedure to derive the largest safe solution is proposed. In [107], the equation A ˘ X C is solved over complete FSMs. It is shown that the solution over LTSs cannot be applied directly to FSMs because in general it is not an FSM language (an FSM language must be also prefix-closed and I -progressive). Moreover, compositionally .U [ O/-convergent solutions are considered. A technique is proposed to find the so-called largest candidate solution by deleting from the largest solution the sequences causing deadlocks in the composition with FSM A. If the obtained solution is compositionally .U [ O/convergent then it is called the largest solution of the equation; otherwise, the

5.2 Equations Under Parallel Composition

99

question whether a compositionally .U [ O/-convergent solution exists remains open. In the latter case the authors propose to limit to l the number of internal interactions; if, for a given l, the largest solution of the equation exists then it is compositionally .U [ O/-convergent and also each of its reductions inherits this property. Notice that in Sect. 3.4.3 we extended to regular languages the procedure for determining the solution with a limited number of internal interactions. A number of papers in process algebra [36, 55, 94, 107, 118] discuss the equation A ˘ X C under various relations , where A and C are given processes.

5.2.2 Supervisory Control In supervisory control a controller (or supervisor) restricts the behavior of a plant by dynamically disabling some of the controllable events after the execution of each event with the goal to match a desired behavior. An extended literature has been developed since the seminal work by Ramadge and Wonham, studying control under complete and partial observation, centralized and distributed control and also control of non-terminating behaviors [76, 77, 101, 119]. Restricted solutions have been investigated too, e.g., in [78] the authors proposed a method to derive the largest compositionally progressive solution over finite automata. The method is based on splitting the states of the automaton of the unrestricted solution, combining the new automaton with the context and then deleting from the composed automaton the states that are not completely specified (for at least an input there is no transition). The method is proposed for a general supervisory control topology where the language of the specification C is the restriction on the external alphabet of a subset of the language of the known component A. A generalization of these results for a more general topology has been proposed in [21]. Restricted solutions to parallel equations over regular languages are considered also in [76, 101]. In [76] the solution is called the minimally restrictive supervisor, i.e., a supervisor that combined with the context matches the largest specification sublanguage; in [101], a bound l is set on the number of internal interactions. For updates on control of discrete event systems, including fault tolerant control and Petri nets the reader may refer to [61, 64]. The computational complexity of the harder supervisory control problems (verification and synthesis) varies from NP-hard/complete to (most often) PSPACEhard/complete (see [48,123,124]); some proofs use the reduction from the automata intersection problem.

5.2.3 Simulation Relations A procedure for deriving the largest solution for LTSs A and C of the equation A ˘ X bi si m C was proposed in [118], where bi si m denotes either a strong or

100


weak bisimulation relation (as opposed to language containment in our approach). The authors derive an automaton representing all traces of the parallel composition of A and each sequence over the alphabet U [ O. The final state of each trace of the composition whose I [ O-restriction is not a trace of C is marked as a bad state. To compute the largest solution, the automaton is augmented with a designated don’t care state that accepts all infeasible sequences, i.e., those that do not occur in the composition. Finally the .U [ O/-restriction of the automaton is derived and the result is determinized by subset construction, where each subset including a bad state is marked as bad. The largest solution is the subset of all sequences of the .U [ O/-restriction whose runs do not end up in bad states. In [155] the authors study supervisory control for nodeterministic specifications to design a controller such that the closed-loop system is bisimilar to the specification. Nondeterministic plant and specification are studied also in [59], using the trajectory model.

5.2.4 Delay-Insensitive Processes In the context of modeling delay-insensitive processes and their environments, a number of concurrency models use various labelings of states of processes to represent certain properties of states, such as quiescence and error or violation [90, 100]. The existence of state labels requires a stronger semantics than language semantics and leads to a reflection operator further refining the language complementation operator. See [90, 100] for discussions on parallel composition operators for delayinsensitive processes. The largest solution of the equation P k X R is the process Q .P k Q R/, where k is a composition operator and Q is a reflection operator, replacing the complementation operator used with language semantics. As with language semantics, such a solution might not be compositionally .U [ O/-convergent; it is also of interest to look for solutions exhibiting a property called healthness, capturing correctness properties according to the chosen parallel composition operator [90].

5.3 !-Automata, Games, Realizability and Synthesis Given a game between two players, player-0 and player-1, in a single step of the game player-0 chooses a symbol from the finite alphabet ˙0 and player-1 does the same from the finite alphabet ˙1 . A play of the game is a finite or infinite sequence of steps. Player-0 wins the game if the play is in the game language, .˙0 ˙1 /! ; otherwise, player-1 wins, i.e., when the play is in . A strategy for a player is a rule that tells the player what symbol to choose at each instant; a winning strategy is one that insures a win for the player no matter how the other player behaves. Each player sees the move of the other player at each

5.3 !-Automata, Games, Realizability and Synthesis

101

step, and the strategy may be a function of the entire history of the game, a game of perfect information. The game is determined if one of the players has a winning strategy. This type of infinite games of perfect information were first considered by Gale and Stewart [45] (GSP games). If is presented as an !-automaton. we have a GaleStewart game of perfect information on an !-automaton. In this case the winner has a finite-state strategy implemented by an FSM. Büchi and Landweber [20] gave a constructive procedure to solve games on !-automata, i.e., to decide the winner and synthesize the FSM representing the winner’s strategy. Solving a game on an !-automaton is also known as Church’s problem [31]. If is a property to be satisfied by a synchronous digital circuit to be synthesized, what we need to know is whether the circuit to be synthesized has a winning strategy against its adversarial environment (problem of realizability), and if it exists, we need to find an FSM realizing a winning strategy subject to the implementation constraints (problem of synthesis). Notice that while for combinational logic synthesis, given a Boolean relation R f0; 1gn f0; 1gm , there is always a Boolean function f W f0; 1gn ! f0; 1gm satisfying the relation R, i.e., such that for every i 2 f0; 1gn, if there exists o 2 f0; 1gm for which .i; o/ 2 R, then .i; f .i // 2 R [17], for sequential logic synthesis this is not always the case. Indeed, the objective of sequential synthesis is to come up with a sequential circuit that satisfies a property relation R 2 I ! O ! specifying for each input sequence the expected output sequences. Such a circuit can be seen as an FSM whose behavior corresponds to a function f W I ? ! O such that, for all i0 i1 i2 2 I ! and f .i0 /f .i0 i1 /f .i0 i1 i2 / 2 O ! , it holds that .i0 i1 i2 : : : ; f .i0 //f .i0 i1 /f .i0 i1 i2 / 2 R. Not every property is realizable, i.e., there is not always an FSM that implements it; e.g., the relation R f0; 1g! fa; bg! defined by .01f0; 1g! ; a! / 2 R and .01f0; 1g! ; b ! / 2 R is not realizable [74], because after the first input 0 to decide whether to output a or b it would need to look into the future to know whether the second input is 1 (and then output a now) or 0 (and then output b now). However property synthesis problems arising in practice, such as the synthesis of the unknown component problem, do no always fall in the paradigm of GaleStewart games of perfect information. To model these synthesis problems, Krishnan and Brayton [74] proposed and studied the paradigm of two-person Gale-Stewart games of incomplete information on deterministic !-automata (GSI games). For these games each player observes only the observable part of the opponent’s actions, on which he has to base his moves. The winner of GSI games can be decided and a winning strategy synthesized by reducing them to pairs of appropriate GSP games, at a higher computational cost. Some GSI games are not determined, i.e., there is no winner with a deterministic winning strategy. More precisely, GSI games are two person games played between two players: player-0 and player-1. In a single step of the game player-0 chooses a symbol from the finite alphabet ˙0 D ˙0obs ˙0hid , followed by player-1 choosing a letter from the finite alphabet ˙1 D ˙1obs ˙1hid . Same as for GSP games, a play of the game is a finite or infinite sequence of steps. The distinguishing feature of GSI games (Gale-Stewart games of incomplete information or partial observation) with

102


respect to GSP is the fact that each symbol in the players’ alphabet has two parts: the observed (˙ obs ) and the hidden one (˙ hid ). A player only sees the observed part of the opponent’s play: e.g., if player-0 selects 0 D .0obs ; 0hid /, player-1 can only see 0obs ; similarly, player-0 observes only the ˙1obs part of player-1’s moves. Each player instead knows both the observed and hidden part of the own move. An interpretation of the synthesis of the unknown component as solving a GSI game between a context player-0 M (with language L.M / .I V U O/! ), an unknown player-1 C (with language L.C / .V U /! ), and a specification S .I O/! has been offered in [74]. It is shown that the set of winning strategies for player-1 is the set of solutions for the Watanabe-Brayton rectification problem. A similar statement has been made for the controller’s topology. We are indebted for the exposition in this Section to the Ph.D. Dissertation by Krishnan [74].

Problems 5.1. Hierarchical Optimization vs. Global Optimization Rho and Somenzi observed in [121] that there are cases when MA is optimal with respect to MB and vice-versa (i.e., there is no flexibility in the series composition of MA with respect to MB nor vice versa of MB with respect to MA ), yet their cascade interconnection (MA feeding MB ) is not the smallest implementation of the product FSM. To prove their point they exhibited two FSMs MA and MB reported respectively in Figs. 5.5 and 5.6. (a) (b) (c) (d) (e)

Minimize the states of MA and MB in isolation. Are there input sequential don’t cares of MA to optimize MB ? Are there output sequential don’t cares of MB to optimize MA ? Merge the two FSMs MA and MB and minimize the collapsed FSM so obtained. Comment the previous results. What are the features of these two machines that explain their behavior in composition ?

5.2. Optimization of a Head Component in a Series Topology Figure 5.7 shows a series topology MA ! MB , with no input don’t care sequences of MB (since the output sequences of MA coincide with f0; 1g?), where MB is

Fig. 5.5 Machine MA for Problem 5.1

Input 0 1 0 1 0 1 0 1

Present state A A B B C C D D

Next state B C A D D B C B

Output 1 0 0 1 0 1 1 0

Problems

103

Fig. 5.6 Machine MB for Problem 5.1

Present state a a b b c c d d

Input 0 1 0 1 0 1 0 1

a

b

1/1 0/0 0/0

Output 1 0 0 1 0 1 1 0

1/1 0/0 0/1

2

1

Next state c b a d d b b c

2

1

1/1

0/1 1/0

0/1 1/0

1/1

3

3

Fig. 5.7 Components (a) MA and (b) MB of series topology MA ! MB of Problem 5.2

information-lossless and state-reduced, and so Devadas’ and Rho’s procedures find no sequential output don’t cares for MA . Let the output value ui be associated to the edge ei of MA , so that .u1 ; u2 ; u3 ; u4 ; u5 ; u6 / denotes an assignment of output values 0=0

1=1

to MA . E.g., in Fig. 5.7a it is: e1 D 1 ! 2; u1 D 0; e2 D 2 ! 2; u2 D 1; 0=0

1=1

1=0

e3 D 2 ! 2; u3 D 0; e4 D 1 ! 3; u4 D 1; e5 D 3 ! 3; u5 D 0; 0=1

e6 D 3 ! 3; u6 D 1. Then one can verify that each of the following assignments preserves the behavior MA ! MB : 8 .0; 1; 0; 1; 0; 1/ ˆ ˆ < .0; 1; 0; 0; 1; 0/ .u1 ; u2 ; u3 ; u4 ; u5 ; u6 / D ˆ .1; 0; 1; 0; 1; 0/ ˆ : .1; 0; 1; 1; 0; 1/ Notice that the states reachable in MA change according to the output function of MA . (a) Find out what is best assignment with respect to the final implementation of MA measured by the number of states and/or its logic cost.

104


a

b −/1

−/0 1

2 0/1

−/0

3

A

B 1/0

0/1 1/0 4

1/1

1/1

0/0

0/0 C

D 0/0

Fig. 5.8 Example for Problem 5.2; (a) Driving machine MA ; (b) Driven machine MB

(b) Solve the equation MX MB D MA MB and extract the best implementation of M out of the largest solution, where best is defined as in (a). (c) Compare the results of (a) and (b). 5.3. Computation of Observability Don’t care Sequences in a Series Topology Consider the series composition of the FSMs MA (driving machine) and MB (driven machine), shown in Fig. 5.8 (from [121]). (a) Find the output sequential don’t cares of MB to optimize MA , using the method of Theorem 5.3; optimize MA accordingly. (b) Find the output sequential don’t cares of MB to optimize MA , using the method of Theorem 5.4; optimize MA accordingly. (c) Find the largest flexibility for MA solving the equation MX MB MA MB ; optimize MA accordingly. (d) Compare the results of the different techniques. 5.4. Games on !-automata In this exercise we follow the exposition in [74]). The game is played on a deterministic !-automaton G D .Q; ˙0 ˙1 ; ; q0 ; /, called the game automaton. The game starts at state q0 ; player-0 plays a 00 2 ˙0 and then player-1 plays a 10 2 ˙1 , and the game advances to state q1 D ı.q0 ; .00 ; 10 //, player-0 then plays a 01 2 ˙0 , followed by player-1 playing a 11 2 ˙1 and so on forever. The infinite sequence D .00 ; 10 /.01 ; 11 / : : : is a play of the game. The acceptance condition of the game automaton is the winning condition for player-0 and : is the winning condition for player-1. The language of the game automaton, L.G/ is the game language. A play 2 .˙0 ˙1 /! is a win for player-0 if 2 L.G/, i.e., the set of states visited infinitely often by satisfies the winning condition. Otherwise, the play is a win for player-1, whose winning condition is :. In a Büchi game, player-1’s winning condition is a co-Büchi winning condition. Consider the Büchi game shown in Fig. 5.9a (from [74]). (a) Show a win play for player 1 and a win play for player-0. Solution. The play .b; 1/.b; 1/.a; 0/! is a win for player-1, whereas the play .b; 1/! is a win for player-0.

Problems

105 −/−

a A

a/1

a/0

−

B

b/1

b/1

a B

a/1

a/1

b/0

b/0

C

a/0 −/−

c A

b/0

D

b

0

b C

D −/1

1

Fig. 5.9 (a) Büchi game; (b) Winning strategy for player-1 starting as second from state A; (c) Winning strategy for player-0 starting as first from state C

(b) Show a winning strategy for player-1 starting as second from state A. Solution. See Fig. 5.9b. (c) Show a winning strategy for player-0 starting as first from state C . Solution. See Fig. 5.9c (the output at a state is the letter written inside the state).

Part II

Algorithms for Solving FSM Equations: BALM

The first part of this book presented the theory of language equations for synchronous composition. The theory was developed with several objectives in mind: • Generalize and unify several known approaches to solve the unknown component problem within the framework of solving language equations. • Provide a uniform method for expressing several classes of practical problems. • Enable an efficient software implementation to explore the limits of practical applications. • Provide a platform on which new algorithms can be developed and tested. In Part II, we focus on the efficient implementation aspects of this work. A software system was developed, BALM, the Berkeley Automata and Language Manipulation system, based on the multi-valued logic synthesis environment, MVSIS [46]. Both software packages and their documentation are available from the Download Software link on the web site of the UC Berkeley MVSIS: Logic Synthesis and Verification Group [52]. When implementing the theory, we had the following objectives: • To validate the theory as well as to refine it during its development when counterexamples showed that some conjectures did not hold. • To solve some practical problems by making the implementation as efficient as possible. • To facilitate instruction about finite automata, by developing a generic finite automata calculator supported by the ability to graphically display example results. BALM utilizes the programming environment of MVSIS as much as possible.1 The implementation was organized as a set of modules to facilitate porting, reuse in other applications, and ease of maintenance and extension. Multiple implementations of

1

An environment with multi-valued variables was chosen because such variables enable easier specification of automata or FSMs and, at the same time, facilitate debugging.

108

II Algorithms for Solving FSM Equations: BALM

some of the basic algorithms allow comparative studies. BALM is intended to be used in two modes: • As a black box, where a user invokes a synthesis script (an automatic sequence of high-level commands to BALM) to solve a given problem. In-depth knowledge of the underlying implementation details is not required. • As a white box, where BALM is used as a platform that can be programmed for other applications dealing with finite automata and FSMs. Detailed knowledge about programming with MVSIS/BALM is required. In Chap. 6, we describe some aspects of the implementation of BALM to aid the second type of user. Chap. 7 details how a particularly efficient implementation can be done if (a) the languages are represented initially as deterministic sequential circuits, and (b) the solution is required as an FSM language. Chap. 8 is a summary of how BALM can be used as a black box for a user who wants to try BALM on examples. Chap. 9 illustrates how BALM can be used as an educational tool to show the results of some of the basic automata operations.

Chapter 6

Implementation of Automata Manipulations

In the following, we use the term transition to refer to a directed arc of an STG, which enables the movement of an automaton from the current state to the next state. The transition predicate indicates when the transition is enabled. A transition predicate is an arbitrary Boolean function in terms of the inputs. In some cases, this function is just a minterm. In this case, to avoid confusion, we will refer to a minterm transition. A number of practical applications require representation and manipulation of finite automata and FSMs. Depending on an application, these objects can be specified as: 1. Sequential logic circuits 2. Transition relations 3. Explicit state transition graphs (STGs) In the first case, logic circuits are typically represented as directed acyclic graphs with nodes corresponding to logic gates or latches. In the second case, the transition relations are often represented using binary decision diagrams (BDDs) in a monolithic or partitioned form (conjunction of transition relations). A transition relation for an automaton is the set of (current state, next state, predicate) tuples describing the arcs of the automaton. In the third case, an STG specifying an automaton or FSM is represented using one of the three methods described below. The implementation of several procedures for manipulating STGs is outlined in the following subsections. Languages used in solving language equations are represented as finite automata. Operations on languages are implemented as operations over finite automata. Basic procedures for efficient manipulation of automata assume their specification as STGs. This is the reason that representing and manipulating STGs is of particular importance for implementing the theory developed in this book. First, we introduce several approaches to representing STGs in a software implementation and motivate the use of one of them, called the hybrid representation, which we believe is the most efficient in general.


109

110

6 Implementation of Automata Manipulations

• Explicit methods represent STGs in such a way that every state, transition, and predicate is stored in the computer memory as a separate object. • Implicit methods represent STGs as transition relations in a monolithic or partitioned form. A monolithic form uses one relation in contrast to a partitioned form which has many relations, where it is implied that they are to be conjoined to form a single relation. Transition relations are expressed and manipulated using Binary Decision Diagrams (BDDs). The choice of BDDs is motivated by the fact that they lead to efficient quantification of variables while other representation often have problems with quantification. • Hybrid methods use a combination of explicit and implicit representations. When implicit methods are used, states and transitions are not represented as specific objects. Instead the BDD is treated as a single object encoding all states and transitions. For many practical problems, the implicit representation is smaller than the explicit one. Implicit representations are often preferred in computations, such as reachability analysis. However, for several important classes of applications, and for most large practical functions, the size of implicit representations can exceed the amount of available memory, which makes implicit representations impractical. While implementing the proposed methods, we experimented with several types of STG representations. For example, we implemented determinization by subset construction using three methods, explicit, implicit, and hybrid, and compared their performance. The hybrid method was the winner in the majority of cases. The performance of this method scaled well with the problem size. The above observation motivated the use of a hybrid representation in our software implementation of language solving. In the subsections below, we focus on the hybrid representation, in which, states and transitions are stored explicitly while the predicates are stored implicitly as BDDs. A similar conclusion about the applicability of a hybrid representation to manipulating automata and FSMs was reached in the previous work [139].

6.1 Hybrid Representation of Finite Automata In this subsection, we describe the hybrid representation of finite automata. When this representation is used, the STG is represented as a graph with explicitly listed transition predicates. This is similar to the explicit representation. The difference is that the predicate enabling a transition from one state to another is represented using a BDD rather than a sum-of-product (SOP). The reason why the STG is represented explicitly (as a list of nodes and predicates) is that, in most practical problems, the STG is given in this form as an input to the program, or it is derived by enumerating states reachable from an initial state. In both cases, each state is visited at least once during file reading or during STG extraction from network form. As a result, there is no need to develop an implicit representation; the states can just as well be stored explicitly and visited in some order.

6.2 Implementation of Particular Commands

111

The reason why an implicit BDD-based representation is used for the transition predicates is that • BDDs are efficient for functions with small support. • BDDs allow for sharing identical or related functions and reusing the computed results. • BDDs are canonical, which allows for the use of BDD node pointers as unique keys in a hash table. These advantages are not available when SOPs are used to represent the predicates. The proposed hybrid representation was tested on a number of practical problems. It was found useful for problems with up to 100,000 states and 25 inputs/outputs. The number of states and transitions can be increased at the cost of linear increase in memory and computation time. Increasing the number of variables above 25 is also possible. However, in this case, the non-robustness of BDD representation limits the scalability because they can blow up in size unpredictably.

6.2 Implementation of Particular Commands In this subsection, we present implementation details of the procedures performing finite automata manipulations, which are used during language equations solving.

6.2.1 STG Extraction In many practical applications, an FSM is given as a binary or multi-valued sequential network, for which the initial state is known. The FSMs STG implied by this network can be extracted by an algorithm presented below. The resulting STG is used in a variety of computations. The extracted STG consists of a set of nodes which represent the set of states of the FSM reachable from the initial state. Each state is associated with a set of arcs originating in this state. Each arc has the next state, the output produced, and an input/output predicate, which enables this transition. In the application dealing with finite automata, inputs and outputs are treated uniformly. Therefore, in the STG extraction procedure, we do not distinguish inputs and outputs and simply record transitions as relations depending on both. A self-explanatory pseudo-code of the STG extraction algorithm is shown in Fig. 6.1. The input to the algorithm is a sequential network with initial states and a limit on the number of states extracted. The output is the hybrid representation of the resulting STG. The computation terminates if the limit on the number of states has been reached.

112

6 Implementation of Automata Manipulations stgExtract( network; limit ) f /* initialize the STG to be extracted */ ST G = newSTG(); /* get hold of the initial state of the network */ I = getInitialState( network ); /* initialize the set of states to be explored with the initial states */ S = I; /* explore states */ while ( S ¤ ; ) f /* extract one state from the set of states to be explored */ s = getOneState( S ); S D S n s; /* get the relation of the given state */ R.i; o; x/ = deriveStateRelation( network, s ); /* enumerate next states reachable from the given state */ while ( R.i; o; x/ ¤ ; ) f /* find one combination of variables from the state relation */ minterm.i; o; x/ = getOneCombination( R ); /* get the next state of this combination */ n.x/ D 9io minterm.i; o; x/; /* get the IO predicate of this next state */ pred.i; o/ D 9x minterm.i; o; x/; /* remove transition to this state from the relation */ R.i; o; x/ D R.i; o; x/ : Šn.x/; /* if the state does not exist, schedule it for exploration */ if ( stateIsNew(ST G; n) ) S D S [ n; /* record the transition */ addTransition( ST G; s; n; pred ); g /* quit if the number of states exceeded the limit */ if ( getNumStates(ST G) limit ) return NULL; g return ST G; g

Fig. 6.1 STG extraction algorithm

The internal procedures called from the STG extraction algorithm are the following: newSTG: Creates a new state transition graph. getInitialState: Queries the network for its initial state. getOneState: Extracts one state from the set. deriveStateRelation: Traverses the network and derives the transition relation from the given state as a BDD in terms of inputs, i , outputs, o, and next state variables, x.


113

completeAutomaton( A ) f /* iterate over states and check if there are incomplete states */ /* cond.i /s!t is the predicate over input variables i */ /* of the transition from state s to state t */ complete D 1; for each state s of automaton A f sum.i / D 0; for each transition t from state s sum.i / D sum.i / C cond.i /s!t if ( sum.i / ¤ 1 ) f complete D 0; break; g g if ( complete ) return; /* create the non-accepting state na */ addState( A, na ); /* iterate over states and add transitions from the incomplete states into the non-accepting state na */ for each state s of automaton A f sum.i / D 0; for each transition t from state s sum.i / D sum.i / C cond.i /s!t if ( sum.i / D 1 ) continue; addTransition( A; s; na; Šsum.i / ); g g Fig. 6.2 Completion algorithm

getOneCombination: Extracts one minterm .mi ; mo ; mx / from the BDD. stateIsNew: Checks if the state mx is already in the STG. addTransition: Adds one transition to the STG. getNumStates: Queries STG for its number of states.

6.2.2 Completion A finite automaton is complete if the Boolean OR of input predicates of all transitions from each state evaluates to constant 1. If there exists at least one state, for which this predicate does not hold, the automaton is incomplete. The pseudocode in Fig. 6.2 contains the pseudo-code of the completion algorithm.

114


The algorithm returns without changing the automaton if it is complete. Otherwise, it creates a new non-accepting state na. Next, the algorithm iterates through the states of the automaton. For each state, the algorithm computes its domain, i.e. the union of all transitions enabled from this state. If it is incomplete, a transition from this state to the non-accepting state is added with the associated transition being the complement of the domain.

6.2.3 Determinization Determinization is a crucial step in solving language equations and in many other algorithms working with finite automata. Determinization of a finite automaton is required before it is complemented. It derives a deterministic automaton accepting the same language of the original non-deterministic automaton. If the automaton is already deterministic, determinization is not performed. A self-explanatory pseudo-code of determinization by subset construction (see Sect. 2.3.1) is presented in Fig. 6.3. The input to the procedure is a finite automaton and a limit on the number of states of the determinized automaton. The output is a deterministic automaton that is equivalent to the initial one. The computation will terminate if the limit on the number of states has been reached. The procedures called from the determinization algorithm are the following: newAutomaton: Creates a new finite automaton. getInitialState: Queries the automaton for its initial state. getOneState: Extracts one subset state from the set. deriveStateRelation: Iterates through the subset s of states of automaton A, then over the transitions from these states, and derives the transition relation of s as a BDD in terms of inputs, i , and next state variables, x. getOneCombination: Extracts one arc from the BDD. stateIsNew: Checks if the end state is already present in the automaton. addTransition: Adds one transition to the automaton. getNumStates: Queries automaton for the number of states in it. A non-trivial part of the above determinization procedure is deriving the subsets of next states, n.x/, reachable from the subset s. To this end, a single predicate in terms of variables i and x, minterm(i, x), is found in R.i; x/, which is the transition relation of the subset of states, s. Next, the minterm, input(i), in terms of input variables, i , is computed from this minterm, by quantifying state variables, x. The subset of next states, n.x/, reachable under minterm input(i) is found by computing the image of input(i) using the relation R.i; x/. The full predicate, pred(i), of the transition from subset s into subset n is computed by universally quantifying next state variables, x, from the expression stating equality of R.i; x/ and n.x/; we want all those i which precisely go to the subset n and no more or less states. To understand the reason for computing pred.i / D 8x ŒR.i; x/ n.x/, suppose as an example that getOneCombination selects minterm.i1 ; n1 /, then it is input.i1 /

6.2 Implementation of Particular Commands subsetConstruction( A, limit ) f /* consider the case of a deterministic automaton */ if ( automaton A is deterministic ) return A; /* initialize the STG to be extracted */ B = newAutomaton(); /* get the initial state of the network */ I = getInitialState( A ); /* initialize the set of subset states to be explored with the initial state */ S D fI g; /* explore states */ while ( S ¤ ; ) f /* extract one subset state to be explored */ s = getOneState( S ); S D S n s; /* derive the transition relation of the given subset state */ R.i; x/ = deriveStateRelation( A; s ); /* enumerate the next state subsets reachable from the given subset */ while ( R.i; x/ ¤ ;) f /* read one combination of variables in the relation */ minterm.i; x/ = getOneCombination( R ); /* get the input minterm of this combination */ input.i / = 9x minterm.i; x/; /* get the subset of next states associated with this input */ n.x/ D 9i ŒR.i; x/ : input.i /; /* get the transition predicate associated with this subset */ pred.i / D 8x ŒR.i; x/ n.x/; /* remove the predicate to this subset from the relation */ R.i; x/ D R.i; x/ : Špred.i /; /* if the next state subset is new, schedule it for exploration */ if ( stateIsNew(B; n) ) f S D S [ n; /* set the acceptance attribute of the new product state */ if ( subset n contains at least one accepting state ) setAttribute( n, “accepting” ); else setAttribute( n, “non-accepting” ); g /* add transition from state s to state n under predicate pred */ addTransition( B; s; n; pred ); g /* quit if the number of states exceeds the limit */ if ( getNumStates.B/ limit ) return NULL; g return B; g Fig. 6.3 Determinization algorithm

115

116


and say n.n1 ; n2 ; n3 / (say that n1 ; n2 ; n3 are the next states under input i1 ), finally suppose that n1 ; n2 ; n3 are exactly the next states also under input i3 , then it will be pred.i1 ; i3 /. The transition relation R.i; x/ is reduced by removing the transitions to n.x/ under predicate pred(i). If state subset n(x) is new, it is scheduled for exploration by the proposed algorithm. Finally, transition from s to n under input pred is added to the automaton B under construction.

6.2.4 Complementation Complementation of a deterministic finite automaton is performed by exchanging the set of accepting and non-accepting states. This is done by enumerating all states of the automaton to be complemented and flipping the acceptance attribute of each state. If the automaton is not deterministic, it must be processed by the determinization algorithm first.

6.2.5 Support Support is an operation, which resets the support of the automaton to be equal to the given ordered list of variables. The following three situations may occur: • If a listed variable is not currently in the support, it is added to the resulting support and the domain of all transition predicates is expanded to include this variable. Since the predicates are represented implicitly using BDDs, the manager is expanded to include the new variable, while the BDDs of the predicates do not have to be modified, because they do not depend on the new variable. • If a variable already exists in the support, it is simply moved to its new position in the given order. This does not affect BDD ordering, so BDDs do not change, however it changes the mapping function that matches the ordered list of support variables and the internal BDD variables. • If a variable that is currently present in the support is not listed for inclusion in the resulting support, it is removed from the support. This is done by quantifying it existentially from all the predicates enabling the transitions of the given automaton. In the end, when the new variable order is defined, the variable map of the BDDs representing all predicates is updated while the predicates remain unchanged. The resulting automaton is returned.


117

6.2.6 Product Product of two finite automata, A and B, is a new automaton whose states are pairs of states from A and B, respectively, reachable from the initial states of A and B under some input sequences. It is assumed that both A and B are complete when forming the product. This can be achieved by applying the operation Completion to an automaton that is not yet complete: in this way it is completed by adding the non-accepting don’t care state, and all missing transitions from any state are directed to this non-accepting don’t care state. It is assumed that both A and B have the same support when forming the product. This can be achieved by forcing them to have the same support, if it is not already the case, by the operation Support, which resets the support of an automaton to be equal to a given ordered list of variables. For instance suppose that the support of automaton A is .x; z/ and the support of B is .y; z/, then the user must set the supports of both A and B to be x; y; z. If A and B share a variable in their supports, it is identified as the same variable and they must agree in value. Suppose that A is in state sa and B is in state sb , and that A transits to accepting state sQa on input .˛; ; / and B transits to accepting state sQb on input .; ˇ; / (the input to 0 0 means don’t care as an effect of lifting a variable to get a common support), then the product automaton transits from product state .sa ; sb / to product state ..Qsa ; sQb / under input .˛; ˇ; /. A product state is accepting if and only if both of the component states are accepting. A self-explanatory pseudo-code of the algorithm computing the product of two automata is presented in Fig. 6.4. The input to the procedure are the automata and the limit on the number of states of the product automaton. The output is the product automaton. The computation will exit if the limit on the number of states is reached.

6.2.7 Prefix-Closed Prefix-closed is an operation applied to a finite automaton, which transforms it as follows. The non-accepting states are removed together with all the transitions into them and from them. Only the states reachable under this new automaton from the given initial state are kept. This operation returns the empty automaton if the initial state is not accepting.

6.2.8 Input-Progressive Input-progressive is an operation, applied to a finite automaton, which transforms it as follows. First, operation prefix-closed is applied. If the resulting automaton is not

118

6 Implementation of Automata Manipulations productAutomaton( A; B; limit ) f /* initialize the product automaton */ P = newAutomaton(); /* get initial states of the automata */ IA = getInitialState( A ); IB = getInitialState( B ); /* initialize the set of states to be explored with the initial product state */ S D fIA ; IB g; /* explore states */ while ( S ¤ ; ) f /* extract one product state from the set of states to be explored */ fsA ; sB g = getOneState( S ); S D S n fsA ; sB g; /* iterate through the transitions from these component states */ for each state tA reachable from state sA in automaton A f for each state tB reachable from state sB in automaton B f /* transition conditions must agree on common support */ cond.i / D cond.i /sA !tA : cond.i /sB !tB ; if ( cond.i / D ; ) continue; // if the new product state does not exist, add it for exploration if ( stateIsNew(P; ftA ; tB g) ) f S D S [ ftA ; tB g; /* set the acceptance attribute of the new product state */ if ( stateIsAccepting(tA ) and stateIsAccepting(tB ) ) setAttribute( ftA ; tB g, “accepting” ); else setAttribute( ftA ; tB g, “non-accepting” ); g /* record the transition */ addTransition( P; fsA ; sB g; ftA ; tB g; cond.i / ); g g /* quit if the number of states exceeded the limit */ if ( getNumStates.P / limit ) return NULL; g return P ; g

Fig. 6.4 Product computation algorithm

empty, it is processed iteratively. Each iteration removes any state whose outgoing transitions under some input are undefined. The iteration stops when the automaton is not changed. This operation may return the empty automaton. Note that the subset of the support variables that constitute the inputs must be specified as an input to this procedure.

Problems

119

Problems 6.1. Show that the subset construction to convert a non-deterministic finite automaton into a deterministic finite automaton can be performed in O.k n2n / time, where k is the alphabet size and n is the number of states. 6.2. State Minimization Algorithms of different complexity and ease of implementation for state minimization of deterministic automata have been reported in the literature. For this problem we rely on the excellent discussion available in [126], where four algorithms are mentioned: naive-minimize, minimize, fast-minimize and brzozowski. (a) naive-minimize has worst-case complexity O.n3 /. The following pseudo-code is proposed in [126], p. 83: naive-minimize(Aut) f for (all unordered pairs .p; q/, p ¤ q) U Œ.p; q/ WD 0; for (all unordered pairs .p; q/, p 2 F; q 2 Q n F ) U Œ.p; q/ WD 1; done := false; while (not(done)) f done := true; T:= U; for (each unordered pair .p; q/, with T Œ.p; q/ D 0) for (each a 2 ˙) if (T Œ.ı.p; a/; ı.q; a// D 1) f U Œ.p; q/ WD 1; done := false; g g return(U ) g (b) minimize has worst-case complexity O.n2 /. The following pseudo-code is proposed in [126], p. 87: minimize(Aut) f for (all unordered pairs .p; q/, p ¤ q) U Œ.p; q/ WD 0; for (all unordered pairs .p; q/, p 2 F; q 2 Q n F ) U Œ.p; q/ WD 1; for (each unordered pair .p; q/, with either p; q 2 F or p; q 62 F ) if (U Œ.ı.p; a/; ı.q; a// D 1 for some symbol a 2 ˙) f U Œ.p; q/ WD 1; recursively set U Œ.p 0 ; q 0 / WD 1 for all unmarked pairs .p 0 ; q 0 / on the list for .p; q/, and all pairs on those lists, etc.;

120

6

Implementation of Automata Manipulations

g else f for (all a 2 ˙) if(ı.p; a/¤ı.q; a/) put .p; q/ on the list for .ı.p; a/; ı.q; a//; g return(U ); g (c) fast-minimize has worst-case complexity O.n log n/. Due to Hopcroft [14,62], the best exposition is by Gries [51]. (d) brzozowski has worst-case complexity O.k n22n / (but is practice is classified as often good) and it uses a series of four operations: reverse, subset construction, reverse, subset construction. Brzozowski described first the algorithm in 1962 and it has been rediscovered more than once since then, see [18] for the whole story. Consider the automaton A D hSA ; ˙A ; A ; rA ; QA i, defined as follows: SA D fs0; s1; s2g, ˙A D f0; 1g, A D f.1; s0; s0/, .0; s0; s1/, .1; s1; s2/, .0; s1; s1/, .1; s2; s1/, .0; s2; s2/, QA D fs1; s2g, rA D s0. Minimize the automaton A with algorithms (a) and (b). Retrieve from the literature algorithms (c) and (d) and minimize the automaton A with them. 6.3. Show that if A1 and A2 are minimal deterministic finite automata recognizing a language L , then A1 and A2 are isomorphic, i.e., their graphs are identical up to renaming of states. Give a counter-example to the previous statement for non-deterministic finite automata.

Chapter 7

Manipulations of FSMs Represented as Sequential Circuits

In many cases, hard computational problems can be reformulated using decomposition and partitioning, which can lead to computational advantages. An example is image computation, which is a core computation in formal verification. In its simplest form, the image of a set of states is computed using the formula: I mg.ns/ D 9i;cs ŒT .i; cs; ns/ : .cs/; where T .i; cs; ns/ is the transition relation, .cs/ is the set of current states, i is the set of input variables, and cs.ns/ is the set of current (next) state variables. The image, I mg.ns/, is the set of states reachable in one transition under all possible inputs from the current states, .cs/, using the state transition structure given by T .i; cs; ns/.1 When the state transition structure is given by a sequential network, the transition relation can be represented, for example, in partitioned form using a set of next state functions, fTk .i; cs/g, which update the state of each latch.2 The partition, fTk .i; cs; nsk /g, represents how the next state of each latch, nsk , depends on the values of inputs, i , and the current state, cs, of all latches: Tk .i; cs; nsk / D Œnsk Tk .i; cs/: The complete transition relations can be derived as the product of the next state functions as follows: Y Y T .i; cs; ns/ D Tk .i; cs; nsk / D Œnsk Tk .i; cs/: k

k

1

We do not distinguish between sets, relations, and their characteristic functions. Therefore, it is possible to think of .cs/, I mg.ns/, and T .i; cs; ns/ as completely specified Boolean functions represented using e.g. BDDs. 2 In this section, we will illustrate the concepts using next state functions, but the computations also work for the case of non-deterministic relations. T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 7, © Springer Science+Business Media, LLC 2012

121

122

7 Manipulations of FSMs Represented as Sequential Circuits

We call T .i; cs; ns/ the monolithic representation of the transition relation and contrast it with the representation in terms of the partition, fTk .i; cs; nsk /g. Many problems can be solved using a partitioned representation without ever resorting to the monolithic one, which may be impossible for larger problems. For example, the image computation can be performed using the partitioned representation by scheduling those cs variables, which do not appear in some parts, to be quantified earlier . In practice, this approach to image computation leads to significantly smaller intermediate BDDs, and has been responsible for dramatic increases, both in efficiency and in the sizes of problems that formal verification can solve. In this chapter, we discuss how to use the partitioned representation for solving language equations of the type F X D S , for the case when the automata for F and S are prefix-closed and represented by multi-level sequential networks. We show how the partitioned representation can be used to perform the basic operations of language equation solving: completing, complementing, determinizing, hiding, and computing the product of finite automata. An important aspect is that we show how most of these operations can be reformulated in terms of image computations, and hence can take advantage of the efficient developments in this area.

7.1 Problem Statement The interaction of F and X within the specification S is shown in Fig. 7.1.3 The external input and output variables are represented by symbols i and o, respectively. The internal variables that are the inputs and outputs of X are represented by symbols u and v, respectively. We assume that the behaviors of the components F and S are represented by multi-level sequential networks, similar to the one in Fig. 7.2. The external variables

i

v

Fig. 7.1 Topology with known component F , unknown component X and specification S

o

F

u X

S

3 The results of this chapter are not limited to the particular topology of Fig. 7.1, but we confine the discussion to that of Fig. 7.1 for ease of presentation.

7.1 Problem Statement

123

Fig. 7.2 The structure of a sequential network

cs

ns

o

i

Fig. 7.3 An example of sequential network

o cs1

cs2

ns1

ns2

i

of such networks are the primary inputs (i ), the primary outputs (o), and the latches having the current state (cs) and next state (ns) variables. We assume that the latch next-state functions, Tk .i; cs/, and the primary-output functions, Oj .i; cs/, can be computed and stored as BDDs in terms of the primary inputs and the current state variables. The automata for F and S are derived from the multi-level networks representing them, simply by taking the set of inputs of these automata as the union of the sets of inputs and outputs of the corresponding network. All reachable states of a network are the accepting states of the corresponding automaton, since F and S are FSMs and hence are prefix-closed. A “don’t-care” (DC ) state can be added to make an automaton complete. This is done by making all automaton input combinations, for which the behavior of a state is not defined, transition to DC , which becomes the only non-accepting state. The requirement of prefix-closed dictates that DC has a universal self-loop. Example 7.1. Figure 7.3 shows a sequential circuit, while Fig. 7.4a,b show respectively the corresponding FSM and automaton. The circuit has input i , output o,

124


Fig. 7.4 (a) FSM extracted from the sequential network of Fig. 7.3; (b) Automaton that recognizes the language of the FSM

a

b 1/0

−1

0/0 0/1 01 −/1 10

10

00

00

dc 0/0

1/1

−0 11

00 −0

−1

01

01

11

1/0 10

and two latches, with current state variables cs D fcs1 ; cs2 g and next state variables ns D fns1 ; ns2 g. The initial state of the latches is state .00/. The next state functions of the latches are T1 .i; cs/ D i:cs2 and T2 .i; cs/ D i C cs1 . The two parts of the transition relation are T1 .i; cs; ns1 / D Œns1 T1 .i; cs/ D Œns1 i:cs2 D ns1 :i:cs2 C ns1 :.i C cs2 / and T2 .i; cs; ns2 / D Œns2 T2 .i; cs/ D Œns2 .i Ccs1 / D ns2 :.i Ccs1 /Cns2 :i:cs1 /: The single output relation is O.cs1 ; cs2 ; o/ D Œo .cs1 ˚ cs2 /: The states of the automaton in Fig. 7.4b are labeled with the latch values .cs1 ; cs2 /. Transitions (arcs) are labeled with .i; o/ values. Thus, the transition from state .00/ under input 0 is to state .01/. The output produced by the network in this case is 0. So the label of this transition is 00 (equal to 0=0 using the conventional FSM labeling, as in Fig. 7.4a). This automaton is not complete. Thus, the transition from .00/ under input .11/ is not defined. The double-circled states of the automaton are accepting. The additional (single-circled) state .DC /, added for completion, is not accepting. DC has a universal self-loop and all transitions that were originally undefined (e.g., from .00/ under input .11/) are directed to DC .


125

7.1.1 Monolithic Representation of Relations The monolithic representations of the transition and output relations of the automaton can be obtained from the next-state and output functions: T .i; cs; ns/ D ˘k Œnsk Tk .i; cs/; O.i; o; cs/ D ˘k Œok Ok .i; cs/: The monolithic representation of the complete transition-output relation of the automaton is: TO.i; o; cs; ns/ D T .i; cs; ns/:O.i; o; cs/: TO specifies what the next state is for each current state and each input/output combination. A relation is not well-defined if there exists an input/output/currentstate combination for which the behavior of the automaton is not specified, i.e., the automaton is incomplete. As an example of the use of the monolithic representation TO, consider the operation of completion of an incomplete automaton. The transition-output relation of the completed automaton is TO 0 .i; o; cs; ns/ D TO.i; o; cs; ns/ C A.i; o; cs/:DC.ns/ C DC.cs/:DC.ns/ where A.i; o; cs/ D 9ns TO.i; o; cs; ns/ is the sub-domain of input/output/current-state variables for which the original automaton is not defined, and DC is the code (in terms of latch variables) of the “don’t-care” state added during completion. Note that we cannot use the code of an unreachable state to represent the DC because the unreachable states have next states. To encode DC we need to add an additional state variable. Thus the resulting relation is derived from the original one by simply directing all undefined transitions to DC and then adding a universal self-loop to DC .

7.1.2 Partitioned Representation of Relations The disadvantage of monolithic representations is that they include all variables and hence their BDDs may be huge. Even if these can be computed, the operations, such as completion, product, determinization, become very inefficient, if not impossible, to complete. If the set of reachable states is much smaller than the set of all states, re-encoding the monolithic relations using fewer state bits may alleviate this problem. However, re-encoding can be very slow and, in our experience, this tends to increase the BDD sizes of the relations. We will show how partitioned

126


representations can be used, both in making computations more efficient and in allowing larger problems to be solved. The monolithic transition and output relations will never be constructed. With a partitioned representation, the functionalities of the automata are represented as sets of functions, fTk .i; cs/g and fOk .i; cs/g. All Boolean operations are performed using these functions. It will be shown that image computation plays the key role in the manipulations involving partitioned representations, and hence a decade of research resulting in techniques to speed up image computations [30, 120, 137] can be used.4

7.2 Computation Algorithms This section describes how to perform operations on the automata, required for language equation solving, when the partitioned representations are available. The main algorithm for the computation, using either monolithic or partitioned representations, was described in Chap. 3, Sect. 3.3. In this section, we show that, given the partitioned representations, all the steps are essentially embedded into a modified determinization procedure, so that there is no need to perform the completion and variable hiding operations as separate steps. However for generality, we show first how these operations can be performed independently of determinization.

7.2.1 Elementary Operations Using Partitioned Representations In the application to the problem where the topology is as shown in Fig. 7.1, we have partitions for F (which has both u and o as outputs): fTjF F .i; v; cs F ; nsjT F /g; fUjU .i; v; ujU ; cs F /g; fOjF F .i; v; ojO F ; cs F /g T

O

and partitions for S : fTjS S .i; cs S ; nsjT S /g; fOjS S .i; ojO S ; cs S /g: T

O

7.2.1.1 Completion An automaton derived from an FSM is completed by interpreting the complement of its output relation as the condition for a transition from the current state to

4

It is beyond the scope of this book to describe all these advancements; we experimented extensively with implementing most of proposed techniques and chose the methods that we observed to be most efficient.

7.2 Computation Algorithms

127

the non-accepting DC state. The complement of the output relation, O.i; o; cs/, gives, for each current state, cs, all the input/output combinations, for which the automaton’s behavior is not defined, since a complete FSM is defined for all its input combinations. When the partitioned representation is used, there is no need to construct the monolithic representation of O.i; o; cs/. For any current state or subset of current states, given by its characteristic function .cs/, its undefined input/output combinations, O .i; o/, can be found by an image computation followed by complementation: O .i; o/ D 9cs O.i; o; cs/:.cs/: This image can be efficiently computed using the partitioned representation of the output relation: O .i; o/ D 9cs ˘j Œoj O.i; o; cs/:.cs/:

7.2.1.2 Complementation (Deterministic Case) In the general case of non-deterministic automata, determinization (subset construction) is required before complementation. In contrast, a deterministic automaton is easily complemented by interchanging the sets of its accepting and non-accepting states. Thus computing S, which is deterministic, is easy. When an automaton is derived from a deterministic multi-level network, its set of accepting states is equal to the set of reachable states of the network. The DC state introduced during completion is the only non-accepting state. In this case, complementation is performed by changing the interpretation of the DC state: it becomes the only accepting state, while all other states become non-accepting.

7.2.1.3 Product Computation The product of two automata is defined when they have the same support. In the partitioned view, having the same support simply means that each function is considered as a function of the full set of variables. When the argument automata are represented in their partitioned forms, n

o TjF F i; v; cs F ; nsjT F ; T

and

n

o TjS S i; cs S ; nsjT S ; T

128


the partitioned representation of the product automaton, is simply the union of the two partitions, i.e., fTjF F .i; v; cs F ; nsjT F /; TjS S .i; cs S ; nsjT S /g: T

T

The fact that some variables, for example, u and o, are missing, means that the relations are independent of these variables.

7.2.1.4 Hiding Variables Hiding variables i and o in the automaton representing the product of F and S is an operation which changes the support automaton. In the monolithic form, it is performed by existentially quantifying the variables, not in the support, from the transition-output relation TO of the product automaton: TO 0 .v; u; cs; ns/ D 9i;o ŒTO.i; v; u; o; cs; ns/: This operation usually leads to a non-deterministic automaton, even if the original automaton is deterministic. Hiding variables cannot be performed on the partitioned representation because the operations of existential quantification and product do not commute. For example, it is not possible to quantify the input variables i from the transition relation by quantifying them independently from each partition: 9i T .i; cs; ns/ D 9i ˘j Œnsj Tj .i; cs/ ¤ ˘j 9i Œnsj Tj .i; cs/: Thus hiding cannot be done by acting on the partitions independently. However, a key observation is that the hiding operation can be built into the next step, the determinization procedure, in such a way that there is no need to derive the monolithic transition relation and then apply hiding to it.

7.2.1.5 Determinization (Subset Construction) Determinization is performed by enumerating explicitly the subsets of states of a non-deterministic automaton, which are reachable from the initial subset state (which contains only the initial state). The basic step is the computation of the subset of states, reachable under various assignments of .u; v/ from a given subset of states, .cs/. Denote by P .u; v; ns/ the sets of states (the subset states) reachable from .cs/ under various combinations of .u; v/. Using the monolithic representation, with variable i hidden, the computation would be: P .u; v; ns/ D 9i;cs ŒU.i; v; cs; u/:T .i; v; cs; ns/:.cs/:

7.2 Computation Algorithms

129

The computation of P using the partitioned form is: P .u; v; ns/ D 9i;cs Œ˘j Œuj Uj .i; v; cs/:˘k Œnsk Tk .i; v; cs/:.cs/: Thus, the computation of P .u; v; ns/ can be seen as the computation of the image of .cs/, under the transition relation U.i; v; cs; u/:T .i; v; cs; ns/ represented in its partitioned form: fUj .i; v; cs/g; fTk .i; v; cs/g. In general, we cannot hide variables in the partitioned representation because, for this, we need to multiply out the partitions. So, we keep the variables inside the partitions and do not quantify them. However, by restricting to a specific .cs/ it becomes affordable to compute the product of the transitions relations and afterwards to quantify over i , therefore when we come to a specific state subset, P , we multiply the partitions, because they are restricted to the characteristic function of the subset, .cs/, and then we quantify over the inputs i . In other words. we say that hiding (quantification) of variables i is performed as part of the image computation. Let Cj .i; v; cs/ denote the condition that is true when the j -th output of F conforms to the j -th output of S : Cj .i; v; cs/ D ˘k ŒOjFk .i; v; cs F / ) OjSk .i; cs S /; where cs D .cs F ; cs S / and the iteration is over all values k of the output Oj , e.g., for binary signals, k 2 f0; 1g. Let C.i; v; cs/ D ˘j Cj .i; v; cs/, which is the overall condition when all outputs of F conform to the outputs of S : C.i; v; cs/ D ˘j ˘k ŒOjFk .i; v; cs F / ) OjSk .i; cs S /: Next, we compute Q .u; v/, the condition on u; v when the current subset of states .cs/ leads to the non-conformance of outputs of F and S : Q .u; v/ D 9i;cs ŒU.i; v; cs F ; u/:C.i; v; cs/:.cs/: Since these combinations of .u; v/ can lead to a non-conforming state, we exclude such transitions and map them all into a single non-accepting state DCN with a universal self-loop. We remove these combinations from consideration by restricting P .u; v; ns/ to those .u; v/ that are not contained in Q .u; v/: P0 .u; v; ns/ D P .u; v; ns/:Q .u; v/: Finally, the result is made complete by adding a state DCA (which is accepting in the final answer after complementation), with transitions from .cs/ into it for all .u; v/ that are contained in Q .u; v/.

130


Note that C.i; v; cs/ can be represented as the sum of output non-conformance conditions for each output. Therefore, the computation of Q .u; v/ can be done one output at a time, without computing the monolithic relation for C.i; v; cs/. Regarding the representation of states and subsets of states, the following facts hold: 1. The original circuit uses logarithmic state encoding by means of state-bits. 2. During determinization, BDDs of state subsets are used as unique identifiers of states after determinization. 3. After determinization, each state of the determinized automaton is represented explicitly, without state encoding.

7.2.1.6 Validity of the Computation The maximum prefix-closed solution (required for an FSM implementation) is computed after determinization and completion, when the set of reachable subset states, f.cs/g, are known and, for each of these, the function Q .u; v/ has been computed, which defines the transitions from this subset state into a newly added non-accepting state DCA. To perform the complementation, which is the last step in computing the maximum solution, the accepting and non-accepting states are switched. To do this, we need to determine what the accepting states are after the previous steps of computation. It is helpful to follow the computation process starting from the initial automata, F and S , and consider the two types of their states: the accepting states (labeled a) and the non-accepting states. • S could be completed by adding a new state DC1 which would be its only nonaccepting state, because S is represented by the multi-level network and so is prefix-closed. • In S , DC1 would be the only accepting state. (If S is non-deterministic, fDC1 g would be the only accepting (subset) state.) • Since F was left incomplete and is prefix-closed, all states of F are accepting. • When forming the product F S , a product state is accepting only if both states are accepting. Thus, in F S, the only accepting states would be those with labels .a; DC1 /, i.e., accepting in F and accepting in S . • In the subset construction, a subset state is accepting if at least one product state in the subset is accepting, i.e., of type .a; DC1 /. If such occurs, then those transitions represented by Q .u; v/ are redirected to DCN, since in the final answer, these states are not accepting.5 The new completion state, DCA, added after the subset construction to complete it, is non-accepting for the determinized product F S , but accepting in the final answer.

5

Note that it is not necessary to compute subset states which emanate from such a state since once reached, we know that all input sequences with this prefix are not in the language of an FSM.

7.3 Completion and Determinization Commute

131

• Finally, in the complement of this product, which is the maximum solution, the set of accepting states are DCA plus all the subset states which are left in P .u; v; ns/ after Q has deleted all those that lead to DCN. Thus all non-accepting subset states are mapped into DCN. As mentioned, this can be done because we will make the answer prefix-closed, a requirement for an FSM. (Thus, the X computed is the most general prefix-closed solution.) This requirement increases efficiency, because during the subset construction, as soon as a state of type .a; DC1 / is encountered in a subset state, .cs/, this state can be replaced with DCN. This efficiently reduces the number of subset states that emanate from such .cs/. Further, those states that are trimmed immediately by this need not be explored for reachability from them. This leads to a substantial trimming during the subset construction. This trimming can be performed because S is prefix-closed, and we require that X be prefix-closed also.6 Similarly, the existence of the single state, DCA, derives from the fact that F is prefix-closed. This allows for deferring the completion of F until the subset construction. Finally, to make X into an FSM automaton, it is made input-progressive. This step is the same for both the monolithic and partitioned case and is not detailed here. Note that in the partitioned flow, neither S nor F is made complete. In effect such completion is deferred to the all-inclusive determinization step. The validity of this is substantiated by the next section, which proves that the determinization and completion operations commute and observes that completion also commutes with complementation and product.

7.3 Completion and Determinization Commute Theorem 7.2. To determinize a finite automaton A, the following two procedures are equivalent: 1. Complete(Determinize(A), non-accepting) 2. Determinize(Complete(A, non-accepting)) Proof. We show that these two procedures yield the same result by comparing subset constructions without and with pre-completion. Let DC denote the added non-accepting state. Recall that DC has a universal self-loop. It is clear that if fs1 ; : : : ; sk g is a subset state in the automaton constructed by Procedure 1, then there must exist subset state fs1 ; : : : ; sk g and/or fs1 ; : : : ; sk ; DC g in the automaton constructed by Procedure 2. Also, if subset state fs1 ; : : : ; sk g or fs1 ; : : : ; sk ; DC g 6

While this trimming can be substantial, there is no avoiding that subset construction can be exponential. However, a common experience among people who have implemented subset construction, is that it can be surprisingly efficient in practice, with relatively few subset states reached, sometimes even leading to a reduction in the number of states.

132


exists in the resultant automaton of Procedure 2, then subset state fs1 ; : : : ; sk g must exist in the resultant automaton of Procedure 1. Observe that • DC state is non-accepting. A subset state is accepting if and only if one of its states is accepting. Thus, state fs1 ; : : : ; sk g is accepting if and only if state fs1 ; : : : ; sk ; DC g is accepting. • Under any transition condition, the successor states of fs1 ; : : : ; sk g are the same as those of fs1 ; : : : ; sk ; DC g except that the latter contains the DC state. Applying induction on the state space with the above two facts, it follows that subset states s1 ; : : : ; sk and s1 ; : : : ; sk ; DC are equivalent. On the other hand, if a subset state s1 ; : : : ; sk or s1 ; : : : ; sk ; DC can transition to the singleton subset state fDC g under some transition condition, then all of the member states s1 ; : : : ; sk must be incomplete under this transition condition. Therefore, it is immaterial whether the completion is done before or after the determinization. t u Other trivial propositions state that completion commutes with both the complementation and product operations. Corollary 7.3 follows from these observations and Theorem 7.2. Corollary 7.3. Let X be the solution obtained when F and S are not completed and let Y be the solution when F and S are made complete first. Then the languages of X and Y are identical.

7.4 Experimental Results In this section, an implementation using the partitioned representations is compared with the implementation using the monolithic representations. In effect, the partitioned implementation performs only the determinization procedure, which subsumes all other steps, as described above. In the case of the monolithic representations, the completion of S is done first, then the intermediate product is derived, followed by hiding and determinization, performed in a traditional way. The examples for this experiment were derived from FSM benchmarks by the operation called latch splitting. It is explained in Chaps. 11 and 13. It is a syntactic transformation of a sequential circuit into two circuits, one containing a subset of the latches of the original circuit and the other containing the rest. One of these becomes the fixed component, F , in the language solving problem while the other represents a particular solution, XP , for the “unknown” component. The sequential behavior of the original circuit is used as the specification. We compute the largest FSM solution called CSF (complete sequential flexibility). Since XP , is a particular solution, it is contained in the CSF. After the computation of CSF, it was formally verified by checking: 1. XP CSF, and 2. F CSF S D F XP .

7.5 Conclusions

133

Table 7.1 Comparison of partitioned and monolithic representations Name i=o=cs Fcs =Xcs States(X) Part,s Mono,s Ratio s510 19/7/6 3/3 54 0.3 0.2 0.7 s208 10/1/8 4/4 497 0.4 0.8 2.0 s298 3/6/14 7/7 553 0.9 2.7 3.0 s349 9/11/15 5/10 2,626 37.7 810.3 21.5 s444 3/6/21 5/16 17,730 25.9 CNC – s526 3/6/21 5/16 141,829 276.7 CNC –

Table 7.1 lists the results for several examples. The columns show the example name (column “Name”), the number of inputs, outputs and latches (column “i=o=cs”), the number of latches in the fixed part and in the current implementation of the unknown (column “Fcs =Xcs ”), the number of states in the CSF (column “States(X )”), the runtime in seconds of the partitioned algorithm (column “Part”) and runtime in seconds using monolithic representations (column “Mono”), and finally the ratio of these runtimes (column “Ratio”). The algorithms were implemented in the BALM. The measurements were made on a Windows XP computer with a 1.6 GHz CPU. The results show that the partitioned method is more efficient (except for very small examples) with efficiency increasing as the problem size increases. At some point, the monolithic method can not complete (CNC) when the intermediate automata become relatively large. Of course, even the partition method will run out of steam at a certain point, but note that on one example it could handle over 140,000 states in the CSF.

7.5 Conclusions In this chapter, a strategy was presented for solving language equations when the fixed component and the specification are represented using multi-level deterministic sequential networks. In such cases, a partitioned representation derived from the original network can be used to perform all the operations needed to compute the maximum solution. The operations required can be re-formulated in terms of image computations, which can take advantage of the advances made in the efficiency of these computations over the last decade. The new methods allow for faster solution of larger problem instances. We emphasize that the techniques described, rely heavily on the fact that both automata, F and S , are represented initially by multi-level sequential networks and hence are prefix-closed, and that the desired answer is also prefix-closed. It was proved also, that not completing F in the algorithm leads to the same answer. This has two important consequences. First, it is not necessary to form the completion conditions before computing the product or its determinization. This saves a lot of computing. Second, completion of F can lead to a non-deterministic

134


product after hiding, while leaving F incomplete leads to a deterministic product after hiding. Thus a subset construction is avoided when F is not completed. Of course, computing the CSF is only one step in sequential synthesis. Finding an optimum sub-solution of the CSF remains an outstanding problem for future research.

Problems 7.1. Representing Automata by MV Networks Manipulation of finite automata is performed using the graph representation, as discussed in Chap. 6. However automata can also be represented and manipulated using multi-valued multi-level networks that implement the next-state logic F , the latches (one or more multi-valued latches according to the encoding) and the acceptance unction Acc. F is the next-state logic that depends on the inputs and present-state variables and produces the next-state variables. If the automaton is non-deterministic F too is nondeterministic. Acc is a binary node producing value 1 if and only if the present-state is accepting; it depends only on the present-state. In practice we restrict ourselves to representing deterministic automata, because non-deterministic ones introduce complications7 in the network representation. Describe how to represent automata by MV networks. Discuss the various options for encoding and logic optimization algorithms. Note that the unused codes should be stored in a specific network, call it EXDC (external don’t cares) network, and exploited as such when appropriate. The EXDC network must be updated when the latches change. 7.2. Manipulating Automata by MV Networks In Problem 7.1 we represented a deterministic automaton by a MV network with multiple latches. Once an automaton is encoded as a network, the next task is to express the following operations on automata as operations on MV networks, i.e., to provide algorithms that perform these operations by working directly on the data structures representing the MV networks: (a) (b) (c) (d)

7

Operation complement of an automaton. Operation product of two automata. Operation variable projection of an automaton. Operation determinization of an automaton.

Say that an MV network has two binary latches and that under some input both latches produce both 1 and 0. Does this situation correspond to the subset of states .00; 11/, or .01; 10/ or .00; 11; 10/ ? To avoid loss of information we should introduce additional input variables to distinguish the situations. This is an unexplored area of synthesis.

Problems

135

Hint. Operations projection and determinization should be merged together into a single operation, since projection may introduce non-determinism and we are restricting ourselves to the representation of deterministic automata. This is a difficult step and there is no established good procedure for doing it. (e) Realize the operation prefix-closure for an automaton on its corresponding MV network. Hint. We are supposed to remove non-accepting states (and the transitions from them). The problem is that we cannot remove non-accepting states and still keep the MV network well-defined (specified under any input). Add the nonaccepting states to the EXDC network (this is consistent with the fact that their next states can be any states). (f) Realize the operation progressiveness for an automaton on its corresponding MV network. Hint. We are supposed to remove the accepting states that have no next state under some input pattern. This amounts to check all the states represented by the Acc function: if for a given present state there is an input pattern under which its next state is in the EXDC network, then this present state should be removed from Acc and added to the EXDC network; iterate until nothing changes. (g) Realize the operation state minimization for an automaton on its corresponding MV network.

Chapter 8

The Software Package BALM

8.1 Introduction Finite automata and their languages are well-studied topics since the early development of computation theory. Traditional implementations of automata manipulations are based on explicit state representation, and are limited to automata with a few thousand states. The manipulation of automata became more practical with the advent of efficient symbolic techniques based on binary decision diagrams (BDDs), satisfiability (SAT) solvers and AND-INVERTER graphs (AIGs). Based on these techniques, the BALM (Berkeley Automata and Language Manipulation) package provides an experimental environment for more efficient manipulation of finite automata in various application domains, e.g., synthesis, verification, control, etc. The BALM package includes the most typical automata operations, such as determinization and state minimization, as well as a few visualization capabilities, which rely on the powerful graph visualization software Graphviz [49]. The applicability of BALM to finite-state machine synthesis is illustrated by its use in solving several problems that are formulated as unknown component problems using language equations. BALM is designed like SIS and MVSIS to have a command line on which a command can be entered. A sequence of commands can be read from a file, called a script. In the appendix, we list and briefly explain the presently implemented commands of BALM. Compared with other automata manipulation utilities, such as Grail [117], FSA [43], FIRE [41] and many others (see also [144]), BALM provides an environment particularly suited for language equation solving. It can be used in component-based sequential hardware synthesis. It is useful as an educational tool, which can further the understanding of finite automata. In addition, it may be useful in sequential system optimization, because it can interface with other programs based on the logic file formats, such as BLIF-MV or BLIF, which are commonly used to represent designs in academic logic synthesis tools. With BALM, it is possible to extract sequential flexibilities in implementing a hardware finite state machine. We will illustrate some of these applications. T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 8, © Springer Science+Business Media, LLC 2012

137

138

8 The Software Package BALM

In addition to most of the traditional explicit graph enumeration algorithms for automata manipulations, BALM provides computation algorithms based on stateof-the-art symbolic techniques. This allows most manipulations of automata to be done implicitly or using a mixture of explicit and implicit techniques. With these, the system can handle millions of states. For example, complementation (determinization) of nondeterministic automata, which is an operation based on hybrid representations, can produce deterministic automata with 100 K states in several seconds on modern computers.

8.2 Describing FSMs and Automata BALM supports two file formats, the BLIF-MV (and BLIF) format for describing FSMs as multi-level netlists of logic, and the AUT format for describing automata. The AUT format is a restricted form of BLIF-MV.

8.2.1 The BLIF-MV Format BLIF-MV was created for VIS [15, 16], a verification package, and is an extension of BLIF (Berkeley Logic Interchange Format) to efficiently specify sequential systems in the form of multi-level multi-valued (possibly nondeterministic) logic networks. Compared to BLIF, BLIF-MV allows (1) multi-valued signals, and (2) nondeterministic nodes1 , which can be used to model nondeterministic systems. For instance, this is useful in the early stages of design development, when a sequential system may contain non-determinism because some of its components are still to be specified, and only an abstraction is known. BLIF-MV supports multi-valued variables, which often simplifies the specification of a system. Each multi-valued variable is given a size and optionally a list of value names. Currently, the number of values of the multi-valued variables in the implementation of BALM is limited to 32; however, the number of values of multi-valued variables denoting states variables in the AUT format is not limited. The semantics of BLIF-MV is defined using a combinational/sequential concurrency model. There are three basic primitives: variables, tables (nondeterministic nodes), and latches. A variable can take values from a finite domain. A relation defined over a set of variables is represented using a table. A table has only one output and any number of inputs. A particular variable can be designated as the output of at most one table. Several tables are conceptually inter-connected if they share the same variable name, i.e. if there is a common name at the output of one 1

Such a node generates, for a given input, a randomly selected output value from a specified subset of output values.

8.2 Describing FSMs and Automata

139

table and the inputs of the other tables. Thus a named variable is conceptually a wire. If a table is deterministic and binary, it can also be thought of as a logic gate. A latch is the state-holding element of BLIF-MV. It has only one input. Its output has the same set of allowed values (domain) as its input. A set of initial values is associated with every latch; they must be a subset of the domain of the latch. A state is an assignment of values to the latches of a design, where a value assigned must be in the domain of the latch. An initial state is a state where every latch takes one value from its set of initial values. A latch can have more than one initial state in general. The semantics are as follows. At every time point, the system is in some state (each latch has a value). At every clock tick, each latch updates its output value to be its current input value. These outputs then propagate through tables in a topological order until all the wires have a consistent set of values, i.e. each output value of a table is one of the set of allowed values for the set of input values on the inputs to the table. If a latch is encountered during the propagation, i.e., an output of a table is an input to a latch, the propagation process is stopped. Note that because of nondeterminism, given a single state in the latches, there may be several consistent sets of values on the wires. These semantics can be seen as a simple extension of the standard semantics of synchronous single-clocked digital circuits. In fact, if every table is deterministic and every latch has a single initial state, the two semantics are exactly equal. Thus, the only differences are in the interpretation of nondeterministic tables and latches with multiple initial states. In BALM, the command read blif mv reads a BLIF-MV (or BLIF) description, and then sets up a corresponding internal data structure to represent the multi-valued nondeterministic network. The write blif mv command writes a BLIF-MV description to a file. Although the BLIF-MV format was designed as a logic exchange format, simple examples in BLIF-MV are readable and can exhibit some degree of clarity. Example 8.1. We show an example of the BLIF-MV description of a multi-valued network with one internal node and one latch, where all signals are 3-valued: .model blif_mv_example .inputs a .outputs f g .mv a,f,g 3 .table a g -> f .default 0 1 0 1 0 2 2 .latch f g .reset g 2 .end

For a more detailed treatment of the BLIF-MV format and some examples, see [75].

140


8.2.2 The AUT Format The AUT format was designed to describe finite automata in a simple two-level form. It is essentially a restricted subset of BLIF-MV. The adopted restrictions allowed for a simplified version of the BLIF-MV parser; the restrictions are not an inherent part of any theory, and could be relaxed if future applications dictate. The unrestricted BLIF-MV is also used in BALM to represent the FSMs in the form of multi-valued multi-level nondeterministic networks, as described in the previous section. The restrictions of AUT are described below. The example that follows illustrates many of the points: 1. Only non-hierarchical BLIF-MV specifications are allowed. 2. An AUT file must have exactly one latch and exactly two combinational tables, one describing the next-state relation and one describing a single output named “Acc”. Multi-level netlist descriptions of the next-state relation are not supported. 3. The latch’s output variable is named “CS” and its input variable is named “NS”. They have the same domain whose size must be equal to the number of states of the automaton. The reset value of the latch is the initial state of the automaton. Currently, only automata with one initial state can be used. This data is specified using the .mv directive. 4. The next-state table (output is NS) must have the automaton inputs listed on the “.table” line, followed by CS. The last variable on the line must be NS, the output of the table. 5. In each line of the next-state table (which specifies a multi-valued cube), variables CS and NS can have only one specific state value; for example, “s33”or “stateABC”. Multi-valued state literals of the type “(s33, s35, s37)” are not allowed in the next-state table. The don’t-care literal “-” cannot be used for the CS and NS variables. All the values of CS must be used in the table at least once, including the “.default” line. There are no such restrictions on how the multi-valued inputs of the automaton are specified in the table. Any literals of these variables, including the don’t-care literal, can be used in the next-state table. 6. The BLIF-MV specification must have exactly one binary primary output. Its name is must to be “Acc” and is defined using the other combinational table of the AUT file. It has only one input, CS. The purpose of this node is to specify which of the automaton states are accepting. Thus Acc = 1 exactly when CS has a value equal to one of the accepting states. 7. The default line of the Acc table can be in one of the following forms: Case 1: all states are accepting .table -> Acc 1 This specifies that Acc is the constant 1.


141

Case 2: only one state is accepting .table CS -> Acc .default 0 1 This specifies that state “acc state” is the only accepting state. Case 3: only one state is non-accepting .table CS -> Acc .default 1 <non_acc_state> 0 This specifies that state “non acc state” is the only non-accepting state Case 4: several accepting states .table CS -> Acc .default 0 (comma-separated list of accepting states in parentheses) 1 or .table CS -> Acc .default 1 (comma-separated list of non-accepting states in parentheses) 0 Example 8.2. We show an example of a simple 3-state automaton with accepting state “DC” represented using the AUT format: .model spec .inputs i o .outputs Acc .mv CS, NS 3 a b DC #there are 3 states named a b and DC .mv i 3 #input i has 3 values. By default their names are 0,1,2 .latch NS CS #declares one latch with input NS and output CS .reset CS #its initial value is a a .table CS ->Acc #the only accepting state is DC .default 0 DC 1 .table i o CS ->NS #the next-state table .default DC (1,2) 1 a a #if i = 1 or 2, and o =1 and CS=a, then NS=a 0 a b 0 1 b a .end

142


The .default keyword in the .table construct is a shortcut for the following cases: 0 (1,2) -

1 1 0 -

a b b DC

DC DC DC DC

In BALM, the command read blif mv can also read an AUT file because AUT is a subset of BLIF-MV. In such a case, the file is interpreted as a multivalued network and not as an automaton (the number of states in this case should not exceed 32). There is no separate command to read in an automaton as an automaton, since the automata manipulation commands always read and write to AUT files; the input automata file name(s) are on the command line followed by the file name where the result will be written. Thus, there is no need for BALM to have separate commands to read and write automata, say read aut and write aut, because there is no notion of the current automaton, and instead each command that operates on automata reads and writes the automaton of interest in a specific file with extension .aut.

8.2.3 Comparing the BLIF-MV and AUT Formats The difference between BLIF-MV and AUT (which is a modified BLIF-MV) is that BLIF-MV (as interpreted by MVSIS/BALM) can only have multi-valued variables up to 32 values. Meanwhile, AUT can have an arbitrary number of values. BALM uses a dedicated AUT-parser to bypass the limitations of the BLIF-MV-parser in MVSIS and be able to parse multi-valued variables with more than 32 values. Therefore, using AUT we can represent FSMs and automata with any number of states. The multi-valued network flow in MVSIS and the automata/FSM flow in BALM are organized differently. MVSIS is based on the notion of the current network. So there is a command (read blif mv) which just reads the network in from file, making it the current network. BALM inherits the notion of current multivalued network from MVSIS, but does not rely on the notion of the current automaton/FSM, because each command is made to read its own input and produce its own output. This is why there is no special command to read the automaton as automaton. Of course, we can read the automaton as a multi-valued network (provided it has no more than 32 states), but then we are working with MVSIS, not BALM. Example 8.3. Suppose that we want to describe a counter FSM with 32 states whose description in the kiss format [125] is the following: .i 1 .o 1 .s 32


143

.p 64 0 st0 st0 0 1 st0 st1 1 0 st1 st1 0 1 st1 st2 1 ... 0 st30 st30 0 1 st30 st31 1 0 st31 st31 0 1 st31 st0 1 .end

We may describe it in the BLIF-MV format (say in the file counter32.mv) 2 : .model counter32.mv .inputs i .outputs SP o .mv SF, SP 32 st0 st1 ... st31 .table i SP ->SF 0 st0 st0 1 st0 st1 0 st1 st1 1 st1 st2 ... 0 st31 st31 1 st31 st0 .latch SF SP .reset SP 0 .table i SP ->o 0 st0 0 1 st0 1 0 st1 0 1 st1 1 ... 0 st31 0 1 st31 1 .end

Otherwise, we could describe it in the AUT format as follows (say in the file counter32.aut): .model counter32.aut .inputs i o .outputs Acc .mv CS, NS 32 st0 st1 ... st31 .latch NS CS .reset CS 0

2

Lines introducing mv variables like .mv SF, SP 32 st0 st1 ... st31 stand for the full list of symbolic names of the values of the mv variables, e.g., .mv SF, SP 32 st0 st1 st2 st3 st4 st5 st6 st7 st8 st9 st10 st11 st12 st13 st14 st15 st16 st17 st18 st19 st20 st21 st22 st23 st24 st25 st26 st27 st28 st29 st39 st31.

144


.table Acc #all states are accepting 1 .table i o CS ->NS 0 0 st0 st0 1 1 st0 st1 0 0 st1 st1 1 1 st1 st2 ... 0 0 st31 st31 1 1 st31 st0 .end

The latter format would apply also if the counter FSM would have say 33 states, whereas the former format would not. Consider the following counter with 33 states: .i 1 .o 1 .s 33 .p 66 0 st0 st0 0 1 st0 st1 1 0 st1 st1 0 1 st1 st2 1 ... 0 st31 st31 0 1 st31 st32 1 0 st32 st32 0 1 st32 st0 1 .end

The previous AUT description would be extended easily as follows (say in the file counter33.aut): .model counter33.aut .inputs i o .outputs Acc .mv CS, NS 33 st0 st1 ... st31 st32 .latch NS CS .reset CS 0 .table Acc #all states are accepting 1 .table i o CS ->NS 0 0 st0 st0 1 1 st0 st1 0 0 st1 st1 1 1 st1 st2 ... 0 0 st31 st31 1 1 st31 st32 0 0 st32 st32 1 1 st32 st0 .end


145

.model spec ..inputs ..outputs out ..mv out 3 OK notOK done ..table ->out .OK .done ..end Fig. 8.1 BLIF-MV description of the automaton discussed in Example 8.4

a

b 1

notOK 2

OK

c 1

done 3

OK done

1

OK done

notOK OK, done, notOK

2 OK, done, notOK

OK, done, notOK

Fig. 8.2 Illustration of Example 8.4. (a) Automaton Structure 1; (b) Automaton Structure corresponding to BLIF-MV description in Fig. 8.1; (c) Automaton Structure 2

8.2.4 Describing an Automaton Using BLIF-MV The BLIF-MV format does not have the notion of accepting states, and therefore has a limited ability to describe an automaton. By default it describes an FSM and hence all states are accepting. The only possibility for having a non-accepting state is adding a state to an incomplete automaton when it is completed. Thus BLIF-MV can only be used to describe automata where all states are accepting except one. The reason why this is still useful is that if the specification automaton can be described in BLIF-MV, then the efficient method of Chap. 7 can be used to solve for an FSM solution. In many examples, having only one non-accepting state is enough, as shown in Example 8.4. Example 8.4. Suppose that we want to specify in BLIF-MV the automaton with 3 states shown in Fig. 8.2a. The states 1 and 3 are accepting states and 2 is a non-accepting state. Consider the BLIF-MV description shown in Fig. 8.1. The table for out does not produce the output value notOK. Consider what happens when this FSM is converted into an automaton and out becomes the input. Since it has no latches, it is an FSM with only one state, as shown in

146


Fig. 8.2b. The transitions from this state to a next state are defined only for out =OK and out=done, but not for out = notOK. As an automaton, it is incompletely defined. When the automaton is completed it will have two states as shown in Fig. 8.2c, where state 2 is non-accepting. Note that this is not exactly the same as the three-state automaton in Fig. 8.2a, because the two accepting states have been merged into one state. However, for some applications, this can be done. For example, suppose that, when the fixed part produces out = done or out = notOK, then no further changes in state happen. Then it is not important what happens after states 2 or 3 in Fig. 8.2 are entered. Thus, any transition added to state 3 in Structure 1 will be irrelevant. If the transition 3 ! 2 is added, then state 3 becomes equivalent to state 1 and hence Structure 1 can be minimized to that of Structure 2. In summary, if the fixed part of the language solving problem has the property that no state change occurs after a sink state is entered in the specification, then a construct similar to that shown in Fig. 8.1 can be used to describe the specification in BLIF-MV format. If, in addition, the fixed part is a deterministic FSM, then the highly efficient method of Chap. 7 can be used to obtain the largest FSM solution.

8.3 Two Alternate Synthesis Flows BALM supports two different flows for solving language equations or manipulating languages. The languages are represented in either BLIF-MV or AUT formats3 . In the former case it means that we start from a sequential circuit from which an STG can be extracted, whereas in the latter case we start already from a given STG. 1. The first flow deals with FSMs where typically one has a fixed part F and a specification S given as FSMs. This flow is oriented towards solving for the unknown component X the equation F X S. The same sequence of operations could be done with the second type of flow using only AUT files, but this FSM flow takes advantage of the special features of F , S , and X to provide a very efficient implementation, as discussed in detail in Chap. 7. The entire flow is embodied in a single command, solve fsm equ, which produces the largest FSM solution X in AUT format. This command takes advantage of the fact that F and S are deterministic FSM automata and X is required to be an FSM automaton4. 2. The second flow deals directly with automata where each step consists of reading in input AUT files, manipulating them according to the command, and writing

3

Notice that technically the AUT format is just a special case of the BLIF-MV format. Precisely, the initial sequential circuits F and S yield deterministic FSMs whose automata define the language equation for which we look for a solution that is an FSM automaton, i..e., a prefixclosed input-progressive automaton.

4

8.3 Two Alternate Synthesis Flows

147

out a resulting automaton in AUT format. In addition, there is a command which extracts an equivalent automaton from a BLIF-MV file: the command is extract aut. A typical script executing equation solving is the following: read_blif_mv fixed.mv extract_aut fixed.aut complement spec.aut specc.aut product fixed.aut specc.aut product.aut support u product.aut product_supp.aut complement product_supp.aut x.aut progressive -i n x.aut xfsm.aut minimize xfsm.aut xfsm_min.aut Note that each command, except for read blif mv, reads in an automaton file and writes out an automaton file. Here u is a list of support variables and n is the number of inputs that the solution will have as an FSM. If an automaton would be already available as fixed.aut (say written directly in the AUT format) then there would be no need to run first the read blif mv and extract aut commands and the previous flow would reduce to: complement spec.aut specc.aut product fixed.aut specc.aut product.aut support u product.aut product_supp.aut complement product_supp.aut x.aut progressive -i n x.aut xfsm.aut minimize xfsm.aut xfsm_min.aut

8.3.1 Some Specialized Automata Operations In BALM, command print nd states checks if an automaton is deterministic. A nondeterministic automaton can be determinized using the command determinize. This uses a subset construction. Determinizing a nondeterministic automaton is a step usually performed before complementation since complementing a deterministic automaton A can be easily achieved by inverting the acceptance condition of states. In BALM, an automaton A can be complemented using command complement where a determinization step is automatically performed first if A is nondeterministic. A state is incomplete if there exists some input assignment, under which the next state transition is undefined (i.e., there is no next state under that input assignment). An automaton is said to be incomplete if it has at least one incomplete state. An incomplete automaton can be completed by adding a single non-accepting don’t-care state with a self-loop transition under any input assignment (thus the don’t-care state is a sink state). All missing input assignments of an incomplete

148


state are assigned as transitions from that state to this don’t-care state. Note that the automata before and after completion both accept the same language. In BALM, an incomplete automaton can be completed using command complete. By default, this command adds a non-accepting don’t-care state. In some applications, it is necessary to add an accepting don’t-care state, which is done using command complete -a. An automaton obtained from an FSM (by combining inputs and outputs) is prefix-closed and input-progressive. Given an automaton A with the specification of input and output variables, BALM is capable of trimming A to be the automaton of an FSM. An automaton A is prefix-closed if any prefix of an accepting string in L.A/ is also in L.A/. A deterministic automaton can be trimmed to be prefix-closed by the following three steps: (a) removing all non-accepting states and transitions into them and from them, (b) removing states unreachable from the initial state, (c) completing the resulting automaton. BALM provides command prefix to trim an automaton to be prefix-closed. A state of an automaton is progressive with respect to a set of variables U , called U -progressive, if under any valuation of u at least one of its next states is accepting. An automaton is progressive with respect to U , if all of its states are U -progressive. An automaton can be trimmed to be progressive with respect to U by iteratively deleting states that are not U -progressive. BALM can trim an automaton to be progressive by command progressive. The number of variables that are to be considered as inputs to U needs to be specified on the input line, e.g., progressive -i 5 specifies that the first 5 input variables of the automaton are considered as inputs, the remaining as outputs. By convention, inputs must occur first in the list of variables. Otherwise, command support can be used to reorder the list. Thus the command prefix; progressive can be used to convert a general automaton into an FSM automaton (if one exists). In fact, progressive is defined so that if the input automaton is not prefix-closed, it will be made prefix-closed automatically. These operations will trim some states and transitions, so that the result may not be a well-defined FSM, i.e., for every input minterm there exists a next state. This can happen during language solving where we first derive the most general solution automaton, from which we want to extract an FSM automaton. If the trimming process results in a not well-defined FSM, then this implies that there is no FSM solution. Also, BALM can further constrain the synthesized FSM to be of Moore type. This may result in more trimming and also may lead to a not welldefined machine. In composing two FSMs, it is sometimes necessary to rearrange (rename, reorder, create, or hide variables) input and output signals. BALM supports these rearrangements by one command support. In BALM, a deterministic finite automaton can be state-minimized using command minimize based on the Myhill-Nerode theorem [63]. In this, the full behavior is preserved, just the number of states is reduced. In contrast, BALM provides a heuristic algorithm (command dcmin), which can be applied to a

8.4 Appendix: Commands in BALM

149

nondeterministic finite automaton. In this, some behavior may be eliminated (the resulting language is a subset of the original language). This is used when the largest solution of a language equation is computed first, which contains all possible solutions, whereas we only want one small solution. A discussion of the use of dcmin can be found in Sect. 14.3. Many verification problems in state-transition systems can be reduced to checking language containment, which tests if the language of one automaton is contained in that of another. The checking can be accomplished by the product and complement operations. In BALM, language containment checking is performed using command contain, which will report if the two automata specified on the command line are related by language containment (or are equivalent). If the automata are not equivalent, a counter-example can be produced.

8.4 Appendix: Commands in BALM BALM can be downloaded from the following site: http://embedded.eecs.berkeley.edu/mvsis/balm.html. The following list contains a one line summary of all the commands available in BALM. Automata manipulation commands: • complement: complement an automaton (a nondeterministic automaton will be automatically determinized first) • complete: complete an automaton by adding a don’t-care state • contain: check language containment of two automata (checking is automatically aborted is at least one automaton is nondeterministic) • dcmin: minimize the number of states by collapsing states whose transitions into care states are compatible • determinize: determinize an automaton • minimize: minimize the number of states of a deterministic automaton • moore: trim an automaton to contain Moore states only • prefix: leave only accepting states that are reachable from initial states • product: build the product of two automata • progressive: leave only accepting and complete states that are reachable from initial states • support: change the input variables of an automaton5

5

Two caveats about using support:

1. One must declare explicitly the number of values of input variables with more than two values. 2. It cannot handle an automaton with only one state; a work-around is to define an automaton with two equivalent states.

150


Automata viewing commands: • plot aut: visualize an automaton using DOT and GSVIEW • print lang size: compute the number of I/O strings accepted (within the string length set by the argument -l) by the maximum prefix-closed subautomaton of an automaton • print nd states: print information about nondeterministic states of an automaton • print stats aut: print statistics about an automaton • print support: print the list of support variables of an automaton I/O commands: • • • •

read blif: read the current network from the BLIF file read blif mv: read the current network from the BLIF-MV file write blif: write the current network in the BLIF format write blif mv: write the current network in the BLIF-MV format Miscellaneous commands:

• • • • • • • • •

alias: provide an alias for a command echo: echo the arguments help: print the list of available commands by group history: a UNIX-like history mechanism inside the BALM shell ls: print the file names in the current directory quit: exit BALM source: execute commands from a file time: provide a simple elapsed time value unalias: removes the definition of an alias MV network commands:

• extract aut: extract the state-transition graph from the current network as an automaton • latch expose: make latch outputs visible as POs of the current network • latch split: split the current network into two networks by dividing latches and the related combinational logic; generates synthesis and verification scripts assuming that one part is fixed and another part is unknown • solve fsm equ: solve language equation F X S using the method discussed in Chap. 7. F and S must be given in BLIF-MV format and must be deterministic. Network viewing commands: • • • •

print: print multi-valued sum-of-products representation of nodes print factor: print algebraic factored form of nodes print io: print fanins/fanouts of nodes print latch: print the list of latches of the current network

Problems

• • • •

151

print level: print nodes in the current network by level print nd: print the list of nondeterministic nodes in the current network print range: print the numbers of values of nodes print stats: print network statistics and report the percentage of nodes having each representation

Problems 8.1. Consider the context automaton ma defined by the following BLIF-MV description: .model ma .inputs i v u o .outputs Acc .mv .mv .mv .mv .mv

CS, i 2 v 2 u 2 o 3

NS i1 v1 u1 o1

2 a b i2 v2 u2 o2 o3

.latch NS CS .reset CS a .table CS -> Acc .default 1 .table i i1 v1 u1 i2 v2 u1 i1 v2 u1

v u o CS -> NS o1 a a o2 a a o2 a a

i1 v1 u1 o3 a b i1 v1 u2 o1 a b i1 v1 u2 o3 b b i2 v1 u1 o1 b a i1 v2 u1 o2 b a .end

152


and the specification automaton mc defined by the following BLIF-MV description: .model mc .inputs i o .outputs Acc .mv CS, NS 2 s1 s2 .mv i 2 i1 i2 .mv o 3 o1 o2 o3 .latch NS CS .reset CS s1 .table CS -> Acc .default 1 .table i i1 o2 s1 i1 o3 s1 i2 o2 s1

o CS -> NS s1 s1 s1

i1 o1 s1 s2 i1 o3 s2 s2 i2 o1 s2 s2 i1 o2 s2 s1 i2 o2 s2 s1 .end Use BALM to solve the equation ma mx mc, where mx has support v; u. Compute the following operations, invoking the appropriate commands in BALM, and at each step plot the resulting automaton: 1. Compute mc comp, the complement of mc. 2. Compute ma .mc comp/ prod, the product of ma and mc comp. 3. Compute ma .mc comp/ prod supp, the projection to the support v; u of the previous automaton ma .mc comp/ prod. 4. Compute mx, the complement of the previous automaton ma .mc comp/ prod supp, i.e., the largest automaton solution of the equation (mxD .ma mc/). 8.2. Perform using the appropriate commands of BALM the following operations, and at each step plot the resulting automaton: 1. Compute mx prog, the largest progressive automaton contained in mx. 2. Compute mx prog min, the automaton obtained by the (state) minimization of mx prog.

Problems

153

3. Compute mx min, the automaton obtained by the (state) minimization of mx. 4. Compute mx min prog, the largest progressive automaton contained in mx min. Compare mx prog min vs mx min prog, and comment on their differences if any. 5. Compute mx min prog min, the automaton obtained by the (state) minimization of mx. Compare mx prog min vs. mx min prog vs. mx min prog min, and comment on their differences if any. 8.3. Consider the context FSM MA and the specification FSM MC whose descriptions in kiss format are, respectively, the following: .i .o .s .p .r

2 2 2 8 a

i1 i1 i1 i1 i2

v1 v1 v1 v2 v2

a a a a a

a b b a a

u1 u1 u2 u1 u1

o1 o3 o1 o2 o2

i1 v1 b b u2 o3 i1 v2 b a u1 o2 i2 v1 b a u1 o1 .end and .i .o .s .p .r

1 1 2 8 s1

i1 i1 i2 i1

s1 s1 s1 s1

s1 s1 s1 s2

o2 o3 o2 o1

i1 s2 i2 s2 i1 s2 i2 s2 .end

s2 s2 s1 s1

o3 o1 o2 o2

154


Using the appropriate commands in BALM, find the largest FSM solution of the FSM equation MA MX MC , where MX has inputs U D fu1; u2g and outputs V D fv1; v2g. Analyze carefully the result of each step. 8.4. Given the context FSM MA and the specification FSM MC consider the underlying automaton A and C whose descriptions in aut format are, respectively, the following: .model es43ma .inputs i u o .outputs Acc .mv .mv .mv .mv

i 2 u 2 o 2 CS,

i1 u1 o1 NS

i2 u2 o2 3 a b c

.latch NS CS .reset CS a .table ->Acc 1 .table i u o i2 u1 - a a i1 u1 - a b i2 u1 - b a i1 u2 - b c - u1 - c a .end

CS ->NS

and .model es3mc .inputs i o .outputs Acc .mv CS, NS 6 1 2 3 4 5 6 .mv i 2 i1 i2 .mv o 2 o1 o2 .latch NS CS .reset CS 1

Problems

155

.table CS -> Acc .default 1 .table i o CS -> NS i1 o1 1 4 i2 o2 4 1 i1 o2 4 5 - o2 5 1 i2 o1 1 2 i2 o2 2 1 i1 o2 2 3 i2 o1 3 2 i1 o2 3 6 - o1 6 2 .end Using the appropriate commands in BALM, find the largest automaton solution of the automata equation A X C , where X has inputs u; o. One can relate easily these results to the solution of MA MX MC , where MA has inputs i and outputs u, MC has inputs i and outputs o, MX has inputs u and outputs o. Notice that in this example every reduction of the largest solution is a solution.

Chapter 9

Fundamental Operations in BALM

In this chapter, we illustrate some of the basic automata operations using small examples so that the results can be plotted with reasonable readability. All of the examples were computed using BALM commands and the BALM plot command, plot aut, to display the automata graphically. We illustrate most of the operations below using common examples derived from the file S27.blif, shown below .model s27.bench .inputs G0 G1 G2 G3 .outputs G17 .latch G10 G5 0 .latch G11 G6 0 .latch G13 G7 0 .names G11 G17 0 1 .names G14 G11 G10 00 1 .names G5 G9 G11 00 1 .names G2 G12 G13 00 1 .names G0 G14 0 1 .names G14 G6 G8 11 1 .names G1 G7 G12 00 1 .names G12 G8 G15 1- 1 -1 1 .names G3 G8 G16 1- 1 T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 9, © Springer Science+Business Media, LLC 2012

157

158

9 Fundamental Operations in BALM

-1 1 .names G16 G15 G9 0- 1 -0 1 .end

9.1 Extracting an Automaton from a Sequential Circuit The operation extract aut builds the automaton corresponding to the FSM extracted from a given sequential circuit, according to the construction introduced in Definition 3.1.7, by which the inputs and outputs of the FSM are merged to become the inputs of the automaton. In the example, the sequential circuit is given as a netlist in BLIF format. read_blif S27.blif extract_aut S27.aut The result is the automaton S27.aut shown in Fig. 9.1. The S27.blif file has 3 binary latches for a total of 8 possible states. However, the result of extract aut indicates that only 6 states are reachable from the initial state 000. The octagonal node at the top indicates that it is the initial state. The output indicates that the automaton is incomplete with all 6 states being incomplete. Thus when we complete the automaton, there will be a transition from each state to the The automation is incomplete (6 states) and deterministic. 5 inputs 6 states 25 transitions Inputs = { G0, G1, G2, G3, G17 } 00-01 011-1

000

-0-10 0-1-1

010-1

0-1-1 110-1 10-01 111-1

001

0-0-1 1-0-1

010-1

-0-10 0-1-0 00--0

010 010-0

0-1-1 00--1

110-1

101 110-1

100

1-0-1

0-0-0 10-01 111-1

1-0-1

0-0-1 1-1-1

011

0-1-0

1-1-1

1-1-1

1-1-1 10--1

Fig. 9.1 Graphical output of BALM showing the automaton s27.aut obtained by extraction from the sequential circuit S27.blif

9.2 Completing an Automaton

159

completion don’t care state. The incompleteness is due to the output of the FSM becoming an input to the automaton, because by construction the inputs of the automaton are the cartesian product of the inputs and outputs of the FSM. The result is that a state of the automaton is not complete for those combinations of values of inputs and outputs of FSM such that at that state the FSM under those inputs does not produce those outputs.

9.2 Completing an Automaton A state is called incomplete if under some input combinations no transition to a next state is defined. If an automaton has some incomplete states, it can be completed by adding one additional non-accepting state, called the don’t care state. complete S27.aut S27_cpl.aut The result is the automaton S27 cpl.aut shown in Fig. 9.2. Since this example came from an FSM, all states are accepting except the completion don’t care state DC . Note that it is shaded differently to indicate a nonaccepting state. Also note that there are 6 incoming transitions to DC (besides its universal self-loop), one from each state. The automaton is complete and deterministic. 5 inputs 7 states 32 transitions Inputs = { G0, G1, G2, G3, G17 } 00-01 011-1

000 -0-10

010 0-1-0

010-0

011

0-0-0 1-1-1

0---1 1--00 11--0 -0-11

1-0-1 1---0 0---1

-0-10 0-1-0 00--0

010-1 10-01 111-1

0-1-1 00--1

10-01 111-1

110-1 010-1

110-1

100 1-1-1

0-1-1

001

0-0-1

---00 -1--0 -0-11

1-1-1

1-1-1 10--1

0-0-1

0-1-1

1-0-1 ----0

110-1

101

1-0-1

----0

----0

DC

-----

Fig. 9.2 Graphical output of BALM showing the automaton S27 cpl.aut obtained by completing the automaton S27.aut

160


9.3 Changing the Support The support of an automaton is the list of its input variables. Its support can be changed by giving a new list. This one command can be used to hide variables or to insert new variables in the support, or to rearrange the order of the support list. support G0,G2,G17 S27.aut S27_sup1.aut The result is the automaton S27 sup1.aut shown in Fig. 9.3. Initially, this had 5 variables in the support, but the support command caused two, G1 and G3, to be dropped. If we bring back these variables, their instances are replaced with -, indicating any value. support G0,G1,G2,G3,G17 S27_sup1.aut S27_sup2.aut The result is the automaton S27 sup2.aut shown in Fig. 9.4. Notice that if a variable has more than two values one must declare the number of values between parentheses, e.g., support u(3),v,z(4)

The automaton is incomplete (5 states) and non-deterministic (3 states). 3 inputs 6 states 25 transitions Inputs = { G0, G2, G17 }

0-1

000

--0 001

011 011

1-1

001

001

001

000

101

101

0-1 001

101

--0

010

011

101

101

111

111

101

100

000

1-1

101

111

010

1-1

Fig. 9.3 Graphical output of BALM showing the automaton s27 sup1.aut obtained by changing the support of the automaton S27.aut

9.4 Determinizing

161

The automaton is incomplete (5 states) and non-deterministic (3 states). 5 inputs 6 states 25 transitions Inputs = { G0, G1, G2, G3, G17 } 0---1

000

----0 0-0-1

0-1-1 0-1-1

1---1

0-0-1

001

0-0-1

0-0-0

1-0-1

1-0-1

0---1 0-0-1

1-0-1

----0

010

1-1-1

011 1-0-1

1-0-1

101 1-0-1

100

0-1-0 0-0-0

1---1

1-1-1

1-1-1

1---1

Fig. 9.4 Graphical output of BALM showing the automaton s27 sup2.aut obtained by changing the support of the automaton S27 sup1.aut

9.4 Determinizing A non-deterministic automaton can be determinized using the subset construction in which subset states are created if a transition input exists, which can transit to at least two different states. Generally, the subset construction can lead to a set of new states, which potentially can be any subset of the set of original states, leading to a possible exponential number of states. In practice this almost never happens in practical examples, and in fact the new automaton may have a smaller number of states. determinize -l S27_sup1.aut S27_sup1_det.aut The result is the automaton S27 sup1 det.aut shown in Fig. 9.5. Note that the names of the states have changed to subset names (the option -l keeps the original names to show which subset states were formed). For instance state 010 011 denotes a subset state composed of two states, 010 and 011. This came from the fact that S27 sup1.aut was non-deterministic, caused by having restricted its support to only 3 of the original 5 inputs. Note that there are still only a total of 6 states despite that a subset construction was done. This is because all possible subset states cannot be reached from the initial state.

162

9 Fundamental Operations in BALM The automaton is incomplete (4 states) and deterministic. 3 inputs 6 states 26 transitions Inputs = { G0, G2, G17 } 000

011

--0 -10 1-0

010 -10 1-0

011

001

000

010_011

111

--0

111

100

000_001

100_101

101

101

101

111

001

011

000

111

011

101

111

101 001

101

111

001

Fig. 9.5 Graphical output of BALM showing the automaton S27 sup1 det.aut obtained by determinizing the automaton S27 sup1.aut

9.5 Taking the Product of Two Automata To illustrate the product of two automata, we consider two automata, S27Fs.aut shown in Fig. 9.6 and S27as.aut shown in Fig. 9.7. If the two automata have different supports, the user is responsible for lifting both automata to their common support. By an undocumented option, the product operation in BALM is defined to automatically lift both automata to their least common support. In the example below, the two automata start out with the same support. product -l S27Fs.aut S27as.aut S27_prod.aut The result is the automaton S27 prod.aut shown in Fig. 9.8. Note that this automaton is isomorphic to S27.aut. This is because the two automata S27Fs.aut and S27as.aut were created by decomposing S27.aut into two sub-automata. When their product is formed, they recreate the original automaton. The state names of S27Fs.aut were changed from 0; 1 to a; b respectively to help illustrate where the product states came from. Thus product state b01 came from state b in S27Fs.aut and from state 01 in S27as.aut.

9.5 Taking the Product of Two Automata

163

Fig. 9.6 Graphical output of BALM showing the automaton S27Fs.aut

The automaton is incomplete (2 states) and deterministic. 5 inputs 2 states 4 transitions Inputs = { G0, G1, G2, G3, G17 } --1-1 -0--1 -0-10-1-00---

a --1-1 0-1--

-10-1 010--

--0-1 0-0--

b

Fig. 9.7 Graphical output of BALM showing the automaton S27as.aut

The automaton is incomplete (3 states) and deterministic. 5 inputs 3 states 7 transitions Inputs = { G0, G1, G2, G3, G17 }

00

0---1

-0-10 0---0 -0-10

01

1---1

0---1

1---1

10

1---1

The automaton is incomplete (6 states) and deterministic. 5 inputs 6 states 27 transitions Inputs = { G0, G1, G2, G3, G17 } 0-1-1 00--1

a00

-0-10 0-1-1 00--1 110-1

1-1-1 10--1

a01 1-1-1 10--1

0-1-1

1-1-1 10--1

a10 110-1

b10 1-1-1

-0-1-0 -0-1-0 00--0

110-1

0-1-0

00010

1-1-1 010-1

1-0-1 1-0-1

010-1

1-1-1

0-1-0

010-0

0-0-1 1-0-1

b00

0-0-1

00010

b01

0-0-0

Fig. 9.8 Graphical output of BALM showing the automaton S27 prod.aut obtained by taking the product of the automata S27Fs.aut and S27as.aut

164


Problems 9.1. Consider the context FSM MA and the specification FSM MC whose descriptions in kiss format are, respectively, the following: .i .o .s .p .r

2 2 1 4 a

i1 v1 i2 v1 i1 v2 i2 v2 .end

a a a a

a a a a

u1 u2 u2 u1

o o o o

and .i .o .s .p .r

1 1 1 2 b

i1 b b o i2 b b o .end (a) Convert the descriptions in kiss format of MA and MC into their descriptions as automata in the blif mv format, creating respectively the files fig2ma.aut for the context MA and fig2mc.aut for the specification MC . Caveat: since not all commands of BALM handle one-state machines, a workaround is to rewrite the FSMs/automata with two equivalent states. In this case a solution for fig2ma.aut is: .model fig2ma .inputs i v u o .outputs Acc .mv CS, NS 2 a aa .mv i 2 i1 i2 .mv v 2 v1 v2 .mv u 2 u1 u2

Problems

165

.latch NS CS .reset CS a .table CS -> Acc .default 1 .table i i1 v1 u1 i2 v1 u2 i1 v2 u2 i2 v2 u1

v 0 0 0 0

u a a a a

i1 i2 i1 i2

0 0 0 0

aa aa aa aa

v1 v1 v2 v2

u1 u2 u2 u1

o CS -> NS aa aa aa aa a a a a

.end and a solution for fig2mc.aut is: .model fig2mc .inputs i o .outputs Acc

.mv i 2 i1 i2 .mv CS, NS 2 b bb .latch NS CS .reset CS b .table CS -> Acc .default 1 .table i o CS -> NS i1 0 b bb i2 0 b bb i1 0 bb b i2 0 bb b .end

166


(b) Solve the equation MA MX MC by running the appropriate commands in BALM. Hint. Run the following commands: complement fig2mc.aut mc_comp.aut product fig2ma.aut mc_comp.aut product.aut support v,u product.aut product_supp.aut complement product_supp.aut x.aut progressive -i 1 x.aut xfsm.aut minimize xfsm.aut xfsm_min.aut Analyze carefully the result of each step. How is the solution? 9.2. By running the appropriate commands in BALM, solve the same equation for the following context automaton fig3ma: .model fig3ma .inputs i v u o .outputs Acc .mv .mv .mv .mv .mv

CS, i 2 v 2 u 2 o 2

NS i1 v1 u1 o1

4 a b c d i2 v2 u2 o2

.latch NS CS .reset CS a .table CS -> Acc .default 1 .table i i1 v1 u1 i2 v1 u1 i2 v2 u1

v u o CS -> NS o1 a b o2 a b o2 a b

i2 i1 i1 i2

o1 o2 o2 o1

v2 v1 v2 v1

u2 u1 u1 u2

b b b b

b b b b

i1 v2 u2 o1 a c i2 v1 u2 o2 c c

Problems

167

i1 v1 u1 o1 c d i2 v2 u1 o2 c d i1 v2 u2 o1 c d i1 v1 i2 v1 i1 v2 i2 v2 .end

u1 u1 u1 u1

o2 o1 o2 o1

d d d d

d d d d

and specification automaton fig3mc: .model fig3mc .inputs i o .outputs Acc .mv CS, NS 4 a1 b2 c3 d3 .mv i 2 i1 i2 .mv o 2 o1 o2 .latch NS CS .reset CS a1 .table CS -> Acc .default 1 .table i o CS -> NS i1 o1 a1 b2 i2 o2 a1 b2 i1 o2 b2 b2 i2 o1 b2 b2 i1 o1 a1 c3 i1 o1 c3 d3 i1 o2 d3 d3 i2 o1 d3 d3 .end Plot the state transition graph of the result xfsm min.aut.

168


9.3. By running the appropriate commands in BALM, solve the same equation for the following context automaton fig9ma: .model fig9ma .inputs i v u o .outputs Acc .mv .mv .mv .mv .mv

CS, i 2 v 3 u 2 o 3

NS i1 v1 u1 o1

2 a b i2 v2 v3 u2 o2 o3

.latch NS CS .reset CS a .table CS -> Acc .default 1 .table i i1 v1 u1 i1 v2 u2 i1 v3 u1 i2 v1 u2 i2 v2 u2 i1 v3 u2

v u o CS -> NS o1 a a o1 a a o1 a a o3 a a o1 a a o3 a a

i1 v2 u1 o2 a b i2 v1 u1 o2 a b i1 v2 u2 o1 b b i2 v3 u2 o3 b b i1 v3 i2 v1 i2 v2 i1 v1 .end

u1 u2 u1 u1

o1 o3 o3 o1

b b b b

a a a a

and specification automaton fig9mc: .model fig9mc .inputs i o .outputs Acc

Problems

169

.mv CS, NS 2 a b .mv i 2 i1 i2 .mv o 4 o1 o2 o3 o4 .latch NS CS .reset CS a .table CS -> Acc .default 1 .table i o CS -> NS i1 o1 a b i2 o1 a b i2 o2 a b i1 o1 b a i2 o1 b a i2 o2 b a .end 9.4. Problem 3.3 asks to find the largest FSM solution of a given equation. Work out the same problem by using the suite of commands available in BALM to solve the equation. By invoking the command contain in BALM, verify that the (language of the) largest solution computed before contains indeed the (language of the) FSM MB that was used to obtain the specification MAB D MA MB .

Part III


In this part of the book, we look at the problem of sequential synthesis where a finite state machine is embedded in a larger FSM environment. The problem addressed is to find the set of all possible FSMs that can be used in place of the current FSM without changing the externally observed behavior of the FSM environment. This set is called the complete sequential flexibility, CSF, of the machine (with respect to its environment), and is analogous to the complete flexibility used in combinational synthesis. We will also show how to solve a number of examples in sequential synthesis using scripts of the BALM system, thereby reinforcing the understanding of its inner working from the user’s point-of-view. This part includes five chapters, of which the first four chapters address the problem of computing the flexibility in sequential networks (maximum or restricted flexibility); instead the last chapter discusses how to exploit the computed sequential flexibility by extracting a valid replacement that is advantageous with respect to a chosen cost function. Chapter 10 reports some classical and new methods to compute restricted forms of sequential flexibility, as sequential don’t cares; it surveys the techniques of KimNewborn, Wang-Brayton and Yevtushenko-Zharikova, illustrating some of them by examples solved with BALM. Chapter 11 discusses how to compute the sequential flexibility in a netlist given in BLIF-MV or BLIF format, and then focus on a window, partitioning the netlist into two parts - all nodes inside the window and all nodes outside the window. The nodes inside the window can be viewed as a separate FSM and the nodes outside the window as its fixed environment. Chapter 12 addresses the problem of resynthesizing the component FSMs of a network of FSMs; we will discuss both a global approach and a local (windowing) approach. It will turn out that sometimes it is more effective to solve a system of equations instead of a single equation; therefore we will introduce systems of equations over FSMs. Chapter 13 discusses the use of simulation relations which make language solving easier for some topologies, but they do not always guarantee to compute

172

III


the full flexibility. We show how such relations can be imposed by making some internal variables external. Chapter 14 introduces the problem of selecting a “minimum” reduction or submachine of the largest solution. This is an introductory chapter about an open problem that does not have yet a satisfactory solution. Once we have the largest (or even a restricted) flexibility we need to select a deterministic behavior to implement in place of the original one. We would like to choose such a solution so that the final implemented logic is the best with respect to area, and/or delay, testability, power consumption and so on. So we need “minimizers” to select the best implementation; however, it is not obvious how to explore state-based representations with cost functions defined at the gate-level, and this makes quite difficult the task. For instance, a common criterion of selecting a deterministic behavior is to find a state-based representation with a minimum number of states, however this does not track necessarily well with a minimum area at the gate-level.

Chapter 10

Computation of Flexibility in Sequential Networks

There is a long history of resynthesizing an FSM, given its surrounding environment. Much of the work was modeled after results for combinational networks. Thus input sequential don’t cares and output sequential don’t cares were defined in analogy to satisfiability and observability don’t cares. For example, input sequential don’t cares were defined as input sequences that can never happen at a state because of the FSM input environment. An elegant theory was provided by Kim and Newborn for treating the case of a cascade of two FSMs. This is discussed in Sect. 10.1 as well as an extension by Wang and Brayton in Sect. 10.2. These results provide reasonable computational procedures and can be used for resynthesis of an FSM. However, attempts at extending to output sequential don’t cares became overly complicated and were unsuccessful. It was surprising then that Watanabe came up with a computation for the full flexibility for an FSM embedded in an environment, which captures all input and output sequential don’t cares. This was called the “E-machine” and was constructed by a somewhat complicated construction. It became clear later that this construction essentially modeled the subset construction. Now we know that this full flexibility embodied by the E-machine is simply the largest FSM solution obtained by language solving, and a simpler construction is the one given in this book and discussed in this chapter in more detail.

10.1 The Kim–Newborn’s Procedure J. Kim and M.M. Newborn [69] devised a procedure to compute an incompletely specified machine which takes account of all input sequences which can never occur in a cascade connection of two FSMs. The topology considered is shown in Fig. 10.1, where MA and MB are FSMs. We review the procedure: 1. Construct an NFA A0 to accept the u-language produced by machine MA . This can be achieved by removing the input part in the STG of MA , and considering T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 10, © Springer Science+Business Media, LLC 2012

173

174 Fig. 10.1 Topology for Kim and Newborn procedure

10 Computation of Flexibility in Sequential Networks

i

MA

u

MB

o

every state of MA as a final state. For a state s, if there are output symbols not emitted from it, a transition with these symbols is inserted from s to the dead state d . The dead state d is the only non-accepting state. Thus A0 is completely specified but nondeterministic in general. 2. Convert A0 to a minimized completely specified DFA A. This can be done by using the subset construction and state minimization for DFA A. Note that the efficient state minimization method minimize in BALM can be used, since the subset construction produces a deterministic machine. 3. A modified machine MB0 is constructed as follows: construct MB A and then redirect to a DNC state all transitions to a state that contains the dead state d in its subset. MB0 is an incompletely specified FSM. We assume that MA and MB are given in BLIF-MV format as MA.mv and MB.mv, respectively. We can translate these steps into the equivalent BALM commands by the following script. K&N script read_blif_mv MA.mv extract_aut MA.aut \# convert into an automaton support u MA.aut MAs.aut \# remove input complete MAs.aut MAsc.aut \# add the dead state determinize MAsc.aut MAd.aut minimize MAd.aut MAd_min.aut read_blif_mv MB.mv extract_aut MB.aut \# convert into an automaton product MB.aut MAd_min.aut MBi.aut \# MB x A prefix MBi.aut MBifsm.aut \# make prefix-closed We illustrate this with a small example. Machine MA.mv .model MA .inputs a b c d e .outputs x y .latch R1 r1 .reset r1 0 .latch R2 r2 .reset r2 0 .table c d x1

10.1 The Kim–Newborn’s Procedure

.default 0 1 - 1 - 1 1 .table r1 r2 x2 .default 0 1 - 1 - 1 1 .table x1 x2 x .default 0 1 1 1 .table a b y1 .default 0 1 - 1 - 1 1 .table y1 e y .default 0 1 1 1 .table a R1 .default 0 1 1 .table b R2 .default 0 1 1 .end Machine MB.mv .model MB .inputs x y .outputs o .latch R1 r1 .reset r1 0 .latch R2 r2 .reset r2 0 .latch R3 r3 .reset r3 0 .table x y r1 r2 r3 o .default 0 - 1 - - - 1 1 - - - 1 1 1 - 1 1 - 1 .table y r1 r2 r3 R1 .default 0

175

176


1 1 1 - 1 1 - - 1 1 .table x r2 R2 .default 0 1 1 1 .table x y r3 R3 .default 0 1 - 1 1 - 1 - 1 .end We adapt the K&N script to this example: K&N script - example MA.mv MB.mv read_blif_mv MA.mv extract_aut MA.aut support x,y MA.aut MAs.aut complete MAs.aut MAsc.aut determinize MAsc.aut MAd.aut minimize MAd.aut MAd_min.aut read_blif_mv MB.mv extract_aut MB.aut product MB.aut MAd_min.aut MBi.aut prefix MBi.aut MBifsm.aut We obtain the automaton shown in Fig. 10.2, which is reduced to two states by state minimization with STAMINA. In contrast, we can solve for the largest FSM solution of the component MB of this example. We take the specification in spec.mv to be the FSM composed of MA MB with inputs a; b; c; d; e and output o. We use the following script: Largest solution script - example spec.mv MA.mv read_blif_mv spec.mv extract_aut spec.aut complement spec.aut specc.aut read_blif_mv MA.mv extract_aut MA.aut product MA.aut specc.aut p.aut support x,y,o p.aut ps.aut complement ps.aut x.aut progressive -i 2 x.aut xfsm.aut minimize xfsm.aut temp.aut prefix temp.aut xfsm_min.aut We obtain the solution xfsm min.aut shown in Fig. 10.3, which is again reduced to two states by state minimization with STAMINA. One can check that MBifsm.aut is contained in xfsm min.aut using the command contain MBifsm.aut xfsm min.aut.

10.2 The Wang–Brayton’s Procedure

177

The automaton is complete (4 states) and deterministic. 3 inputs 4 states 10 transitions Inputs = { x, y, o} s0 000

s1 000

-00 -11

s2

000 101

s5

011

101

-11 -11

Fig. 10.2 Graphical output of BALM showing the automaton MBifsm.aut generated by the script K&N script - example MA.mv MB.mv. The first two variables are the internal signals x; y, whereas the third variables is the external output o

The automaton is incomplete (3 states) and deterministic. 3 inputs 4 states 8 transitions Inputs = { x, y, o} s0 000 s1 -11

-00

1-011

DC

---

000 s4

-11 101

Fig. 10.3 Graphical output of BALM showing the automaton xfsm min.aut generated by the script Largest solution script - example spec.mv MB.mv that computes the largest solution

10.2 The Wang–Brayton’s Procedure H.-Y. Wang and R. Brayton [139] extended the method of Kim and Newborn to include the case where MB had a feedback connection to MA . This configuration is shown in Fig. 10.4. This theory also applies in the case where the output o is produced by MA .

178


x i

MA

o

MB

y

Fig. 10.4 A two-way communication network of FSMs

x i

MA

MB

y

KN (MA • MB) i×x =M A

x y

o

MB

Fig. 10.5 Wang–Brayton’s construction to extend Kim–Newborn’s procedure o

u i

MA

v

MB

Fig. 10.6 Topology for latch splitting

It was shown that the input don’t care sequences (those sequences which can never occur) can be captured by the following construction. We derive .MA MB /#i x , the composition FSM of MA and MB with input i to MA and output x to MB as shown in Fig. 10.5. Then the Kim–Newborn construction is applied where MA (in Kim–Newborn’s procedure) is replaced by .MA MB /#i x D MAKN (in Wang–Brayton’s procedure). The argument for the correctness of this is that the composition will produce the same sequences of x is as in Fig. 10.4. Since the configuration is now the same as in Sect. 10.1, the Kim–Newborn procedure can be used. We will illustrate this on an example and compare the incompletely specified FSM produced in this way with the largest FSM solution produced by language solving. We use an example which is produced by latch splitting. The latch splitting topology is shown in Fig. 10.6, where MB becomes the unknown component.


179

o u i

MA

MB

v

(MA • MB) i×u×o = MAKN

u v

MB

Fig. 10.7 Topology for Wang–Brayton’s construction applied to latch-splitting example

This is converted into the Kim–Newborn topology shown in Fig. 10.7. We use the example s386.blif from the iscas89 benchmark suite and do latch splitting on this. The inputs i are v6,v5,v4,v3,v2,v1,v0. The u vector, v9,v8,v7 and the v vector, v12,v11,v10, are produced by the latch split command. The BALM commands (with comments) executed are W&B-K&N script - example s386.blif read_blif s386.blif latch_split 0-2 \# produces files s386f.blif and s386a.blif latch_expose \# exposes all latch outputs v7 - v12 of s386.blif extract_aut MA.aut \# since s386.blif is already the product MA x MB, this is \# MA x MB and will become the Kim--Newborn abstract driving \# machine MAˆRN for MB (it is the composition of s386a.blif \# and s386f.blif which is just s386.blif) support v6,v5,v4,v3,v2,v1,v0,v9,v8,v7,v12,v11,v10 MA.aut MAs.aut \# restricts support to i,u,v complete MAs.aut MAsc.aut determinize MAsc.aut MAd.aut minimize MAd.aut MAd_min.aut \# this is the abstract driving machine MAˆKN of Kim--Newborn \# for MB read_blif s386a.blif \# this is MB latch_expose \# we need to expose the v variables which are the latch \# outputs of MB \# forces the v variables of MA x MB to agree with the v \# variables of MB

180


extract_aut MB.aut support v6,v5,v4,v3,v2,v1,v0,v9,v8,v7,v12,v11,v10 MB.aut MBs.aut product MBs.aut MAd_min.aut MBi.aut prefix MBi.aut MBifsm.aut

This produces the automaton shown in Fig. 10.8 that represents the incompletely specified FSM obtained by Wang–Brayton’s procedure. The input labels have been left off the STG because it would be unreadable. To compare this with the language solving approach, we execute the latch split script produced by the BALM latch split command: \# \# \# \# \# \# \#

Language solving script (partitioned) generated by MVSIS for latch splitting of sequential network s386.blif on Wed Jun 06 09:02:05 2007 Command line was: latch_split 0-2. We use the previous results generated by latch-splitting s386.blif, which created the environment automaton s386f.blif

echo Solving the language equation ... solve_fsm_equ s386f.blif s386.blif v6,v5,v4,v3,v2,v1,v0,v9, v8,v7 v12,v11,v10 s386xs.aut print_stats_aut s386xs.aut

Executing print stats aut gives the following output Solving the language equation ... Progressive = 0.00 sec "csf":incomplete(14 st), deterministic, non-progressive(14 st), and non-Moore(14 st). 13 inputs(13 FSM inputs) 15 states(15 accepting) 59 trans Inputs = { v6,v5,v4,v3,v2,v1,v0,v9,v8,v7,v12,v11,v10 }

We now check if the language of the automaton MBifsm.aut, produced by the W&B-K&N procedure, is contained in the most general FSM solution, s386xs.aut: balm > contain s386xs.aut MBifsm.aut Warning: Automaton 1 is completed before checking. Warning: Automaton 2 is completed before checking. The behavior of automaton 1 contains the behavior of automaton 2.

and fortunately it is. The next steps would be to use the incompleteness of MBifsm.aut to state minimize it as an incompletely specified FSM. The program STAMINA could be used. In contrast, the NDFSM s386xs.aut, produced by language solving, needs to be minimized but there are no good general procedures for this at the moment. The operator dcmin can be used and in this case it does produce an NDFSM automaton with 6 states (from 15 states), but the original machine for this part, s386a.blif, has only 5 reachable states. We did not try STAMINA on MBifsm.aut to see what kind of minimization can be done.


181

The automaton is incomplete (13 states) and deterministic. 13 inputs 13 states 39 transitions Inputs = { v6, v5, v4, v3, v2, v1, v0, v9, v8, v7, v12, v11, v10 } s00

s04

s10

s05

s12

s13

s14

s15

s16

s17

s01

s08

s09

Fig. 10.8 Graphical output of BALM showing the automaton MBifsm.aut generated by the script W&B-K&N script - example s386.blif. The automaton represents the incompletely specified FSM created by Wang–Brayton’s procedure

182


10.3 The Yevtushenko–Zharikova’s Procedure In this section, we present a procedure due to N. Yevtushenko and S. Zharikova to compute sequential don’t cares that capture a restricted form of flexibility, to be applied for the resynthesis of a component in a network of FSMs (see [151, 153]). Given the composition MA MB in Fig. 10.9, the procedure by Yevtushenko– Zharikova works as follows: 1. Transform MA and MB into the corresponding automata A and B. 2. Derive the intersection A \ B"I O . 3. Replace a transition from state bk under input uj in B by a don’t care transition 1 if for each state .a; bk / 2 A \ B"I O , a 2 A, there is no transition with an action whose projection on U is uj . 4. Let MB0 be the final corresponding incompletely specified FSM. Proposition 10.1. Each FSM that is a reduction of FSM MB0 can replace the component FSM MB without changing the behavior of the overall system. Similarly, don’t care transitions can replace care transitions in the component FSM MA ; they are inputs of MA that cannot be produced in the composition as outputs by the component FSM MB .

I

O MA

U

V

MB Fig. 10.9 FSM composition to illustrate Yevtushenko–Zharikova’s procedure

1

Spec

A don’t care transition goes to a designated DNC state and issues any output; at the state DNC under any input there is a self-loop that issues any output.

10.3 The Yevtushenko–Zharikova’s Procedure

a

b

i1v2/u2o1 i2v1/u1o2 i2v2/u1o1 a0

i1v1/u2o1

183

u1/v1 u3/v1 b0

a1 i2v1/u2o1 i2v2/u3o2

b1 u1/v2 u3/v2

i1v1/u3o2 i1v2/u2o2

u2/v2 u2/v2

u2/v2 u1/v1 u3/v2

c

d

u1/v1

i2v1/u1o2 a0b0

b0

a1b1

b1 u3/v2


i1v2/u2o1

u2/v2 u3/−

u1/−

i1v2/u2o2 a1b2

i2v2/u3o2

b2

DN C a0b2 −/−

i2v1/u1o2

u2/v2

u2/v2 u1/v1 u3/v2

b2

e b0

u1/v1 u2/v2 u3/v2

Fig. 10.10 FSMs with reference to the topology in Fig. 10.9. (a) FSM MA ; (b) FSM MB ; (c) Intersection MA \ MB"I O ; (d) Incompletely specified FSM MB0 ; (e) FSM MB0 R that is a reduction of MB0

Example 10.2. Consider the transition diagrams of FSMs MA and MB in Fig. 10.10a,b. Derive the intersection MA \ MB"I O , which is shown in Fig. 10.10c; the states of the intersection are the pairs fa0 b0 ; a1 b1 ; a0 b2 ; a1 b2 g. For each state of the FSM MA , determine the don’t care inputs over alphabet U . The don’t care input of state a0 is given by the set DCa0 D fu3 g, since fu3 g cannot be produced at state a0 . In the same way, we obtain DCa1 D fu1 g. Now check all the states of the FSM MB . In the intersection, state b0 is combined only with state a0 . Since DCa0 D fu3 g, the transition in MB from state b0 under input u3 can be replaced by a don’t care transition. State b1 is combined only with state a1 ; thus, the transition from state b1 under input u1 can be replaced by a don’t care transition. Finally, state b2 is combined with state a0 as well as with state a1 ,

184


and so there are no don’t care transitions from state b2 , since DCa0 \DCa1 D fu3 g\ fu1 g D ;. In other words, all missing transitions are added as don’t care transitions, i.e., they are directed to the DNC state. The obtained incompletely specified FSM MB0 is shown in Fig. 10.10d. Each reduction of MB0 can replace the component FSM MB , e.g., we can replace MB by the reduction FSM MB0 R with a single state that is portrayed in Fig. 10.10e. This procedure has the advantage that it works directly on machine MB (or MA ) and can obtain a result that is no worse than the original machine. An FSM that is a reduction of the ISFSM obtained by the Yevtushenko– Zharikova’s procedure is a reduction of the ISFSM obtained by the Wang–Brayton’s procedure, but the vice versa does not always hold. Indeed, the Wang–Brayton’s procedure allows more flexibility.

Problems 10.1. Refer to the example with FSMs MA.aut and MB.aut computed in Sect. 10.1. It is claimed there that the largest solution xfsm min.aut contains the solution MBifsm.aut obtained by the K&N script. Show that it is the case. 10.2. Comparisons of procedures to compute flexibility Consider the example shown in Fig. 10.10. (a) Compute the flexibility for FSM MB according to the procedure of Wang– Brayton/Kim–Newborn. (b) Compute the maximum flexibility for FSM MB solving the FSM equation MA M X D MA MB . (c) Compare these results with the flexibility computed by Yevtushenko– Zharikova’s procedure.

Chapter 11

Computation of Sequential Flexibility in Netlists by Windowing

11.1 Complete Sequential Flexibility in a Window A challenging problem is to take a larger FSM given as a netlist, e.g., in BLIF-MV or BLIF format, and then focus on a window, partitioning the netlist into two parts – all nodes inside the window and all nodes outside the window. The nodes inside the window can be viewed as a separate FSM and the nodes outside the window as its fixed environment. The nodes on the boundary of the window are sometimes called a cut – they separate the inside from the outside. The nodes which fanout from the inside to the outside are the POs of the window and the nodes which fanout from the outside to the inside are the PIs of the window FSM. A similar situation occurs when the initial netlist is given as a hierarchy of FSMs. In this case the boundaries between the FSMs are given by the hierarchy structure. The netlist inside the window will be considered as the unknown FSM component; the remaining nodes will constitute the fixed part. The specification will be the entire netlist. The largest FSM solution of the unknown component problem is sometimes referred to as the complete sequential flexibility (CSF) of the window. It contains all deterministic FSMs, which can be placed in the window and connected to the fixed part such that the overall composed behavior is the same as the original netlist. Note that unlike some problems, this application comes with a particular known solution, which is the original netlist in the window. The challenge of this application is to come up with a replacement netlist which is better, in some sense. Even though the particular known solution must be contained in the largest FSM solution, it is surprisingly difficult in many cases to find a sub-machine that is equal or better than the original known solution. One reason is that the largest FSM solution is usually a relatively very large machine and has so much behavior that is it hard to find a small sub-solution. In practical applications, the original netlist is too large, with too many latches for the techniques in this book to be applied. To overcome this, a typical fix is to use a two-window approach, where the first step is to find a sub-netlist which is the target of resynthesis, in order to obtain some improvement over the original netlist inside T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 11, © Springer Science+Business Media, LLC 2012

185

186

11 Computation of Sequential Flexibility in Netlists by Windowing

Fig. 11.1 A window and its abstracted environment, S

o Window 2

v Window 1

Large Netlist F

S

u i

the window, if possible. Then a second window is found which contains the first window. The second window is chosen to include as much information about the flexibility allowed by the environment without making the second window too large. An example of choosing the second window would be to include all nodes in the transitive fanout of up to k levels and all nodes in the transitive fanin up to m levels. Even this might be too large, so some methods for trimming this second window can be used. An efficient method for choosing the second window is proposed in Sect. 11.2. It is modeled after similar constructions for combinational networks. Once the two windows have been chosen, the larger one is taken as the specification and the smaller one as the unknown component. Note that the efficient method of solution of Chap. 7 can be used for obtaining the largest FSM solution for the smaller window, because both the specification and fixed part are given as deterministic netlists. Suppose that the FSM solution has been obtained and that a small implementation is chosen to replace the first window, then the overall behavior of the larger window is unchanged according to the theory of language solving. Hence, the overall behavior of the netlist is also unchanged. We highlight that in all steps of windowing, from choosing the second window of the unknown component to selecting a replacement from the largest solution and then optimizing the resulting sequential logic, care must be observed not to introduce combinational cycles. However we will not discuss the issue in this chapter, and we leave it as a caveat in the background. This idea is used for minimizing the original large netlist by iterating this procedure and choosing another window for minimization, solving and reimplementing the network inside the window. This is iterated over the entire network. By limiting the sizes of the windows chosen, the computations can be made practical and reasonably efficient. In this chapter, we discuss the methods for choosing the two windows and the implications that their sizes have on the solution process. The general setting is shown in Fig. 11.1, where Window 1 denotes the subnetwork, X , to be optimized and Window 2 denotes the specification, S , to be used in the language solving instance. The sub-network S n X (S without X ) represents the fixed part, F , of the language solving problem.

11.2 Selecting a Window by Latch Splitting

187

Let F.mv describe the netlist of the FSM of the fixed part and S.mv the netlist of the FSM of the specification, which is the netlist of the second window. As shown in Fig. 11.1, the variables i and v are inputs to F and the variables u and o are the outputs of F . Using BALM, there are two ways to find the CSF of the netlist of the inner window. The first way is to run the sequence of BALM procedures: read_blif_mv S.mv extract_aut S.aut complement S.aut Sc.aut read_blif_mv F.mv extract_aut F.aut product F.aut Sc.aut FxSc.aut support u1,u2,u3,v1,v2 FxSc.aut FxScs.aut complement FxScs.aut x.aut progressive -i 3 x.aut xfsm.aut Here, for the sake of example, we assume that u1,u2,u3 and v1,v2 are the binary inputs and outputs of the unknown component. If they are non-binary variables, then the sizes of their domains would need to be given in the command support, e.g., support u1(3),u2(3),u3(3),v1(4),v2(5) FxSc.aut FxScs.aut. The second way of solving for the CSF is to use the command solve fsm equ, as in: solve_fsm_equ F.mv S.mv u1,u2,u3 v1,v2 xfsm.aut where the two lists for u and v are comma-separated lists denoting the inputs and outputs. Even if the u; v variables are non-binary, it is not necessary to specify their domains since this information will be extracted from the files. These two procedures lead to identical automata, xfsm.aut.

11.2 Selecting a Window by Latch Splitting One way that BALM allows for selecting a window is to take an entire FSM and use “latch splitting” on it. The command is called latch split, which specifies which latches are to be put in each part. This separates the latches of the FSM into two parts, one part is in the fixed part F and the other part is in the known (original) solution for the unknown component. The topology is shown in Fig. 11.2, where the FSM S may be part of a larger netlist. As shown in the figure, the outputs v of X have the dimension of the number of latches that were included in X . These may have nothing to do with the final states of X , since X is the unknown component to be solved for, and can have a completely different set of states and latches that were originally in the X part.

188


Fig. 11.2 Topology of the result of latch splitting

The known solution for X is called A and in this case the outputs v are the outputs of the latches. Note that because the outputs u of F are from latches, the configuration in Fig. 11.2 can have no combinational loops. Generally, S is a Mealy machine, so the input i needs to be an input of X , as shown. The method of latch splitting will be illustrated with an example in more detail in Sect. 13.3; there we will set up some extra correspondences between signals that will force a simulation relation between state signals. The use of simulation relations is the topic of Chap. 13. Another way to select a window is to focus on a particular section of a netlist for optimization. Around this section we can construct a surrounding window which will serve as the specification for the section. How to compute a reasonable surrounding window is the next topic.

11.3 Efficient Window Selection Windowing is a method of limiting the scope of logic synthesis to work only on a small portion of a Boolean network. This method is indispensable for scalability when working with large Boolean networks arising in industrial applications.

11.3.1 Efficient Window Selection for Combinational Networks The material in this section is adapted from [96], where windowing is used to compute don’t cares in large combinational networks. Definition 11.3.1. Two non-overlapping subsets of nodes, the leaf set and the root set, are in a leaf/root relation if every path from the PIs to any node in the root set passes through some node in the leaf set.

11.3 Efficient Window Selection

189

(nodeset, nodeset) Window(node N , int nFanins, int nFanouts) f nodeset I1 = CollectNodesTFI(fN g, nFanins); nodeset O1 = CollectNodesTFO(fN g, nFanouts); nodeset I2 = CollectNodesTFI(O1 , nFanins + nFanouts); nodeset O2 = CollectNodesTFO(I1 , nFanins + nFanouts); nodeset S = I2 \ O2 ; nodeset L = CollectLeaves(S); nodeset R = CollectRoots(S); return (L, R); g Fig. 11.3 Computation of a window for a node

Fig. 11.4 Example of the 1 1 window of node N

Definition 11.3.2. Given two subsets in a leaf/root relation, its window is the subset of nodes of the network containing the root set together with all nodes on paths between the leaf set and the root set. The nodes in the leaf set are not included in the window. Definition 11.3.3. A path connecting a pair of nodes is distance-k if it spans exactly k edges between the pair. Two nodes are distance-k from each other if the shortest path between them is distance-k. The pseudo-code in Fig. 11.3 and the example in Fig. 11.4 describe the flow of a window construction algorithm. Procedure Window takes a node and two integers defining the number of logic levels on the fanin/fanout sides of the node to be included in the window. It returns the leaf set and the root set of the window. The procedure CollectNodesTFI takes a set S of nodes and an integer m 0, and returns a set of nodes on the fanin side that are distance-m or less from the nodes in S . An efficient implementation of this procedure for small m (for most applications, m 10) iterates through the nodes that are distance-k (0 k m)

190


from the given set. The distance-0 nodes are the original nodes. The distance-.k C1/ nodes are found by collecting the fanins of the distance-k nodes not visited before. The procedure CollectNodesTFO is similar. Procedures CollectLeaves and CollectRoots take the set of the windows internal nodes and determine the leaves and roots of this window. The leaves are the nodes that do not belong to the given set but are fanins of at least one of the nodes in the set. The roots are the nodes that belong to the given set and are also fanins of at least one node not in the set. Note that some of the roots thus computed are not in the TFO cone of the original node, for which the window is being computed, and therefore can be dropped without violating the definition of the window and undermining the usefulness of the window for logic synthesis operations dealing with the node. We refer to the window constructed for a node by including n TFI logic levels and m TFO logic levels as an n m window. Example 11.1. Figure 11.4 shows a 1 1 window for node N in a network. The nodes labeled I1 , O1 , S , L, and R are in correspondence with the pseudo-code in Fig. 11.3. The windows roots (top) and leaves (bottom) are shaded. Note that the nodes labeled by P do not belong to the TFI and TFO of N , but represent reconvergent paths in the vicinity of N . The left-most root and right-most root are not in the TFO of N and can be dropped, as explained above. Since implementing the first version of the windowing algorithm in [96], it was applied in several projects. A major drawback was found to be non-robustness when windowing is used for large designs containing nodes with more than 100 fanouts. The original algorithm involved topological traversals of the network from the window PIs in order to find the window POs. Nodes with multiple fanouts, each of which had to be visited, led to a substantial slow-down during this traversal. The problem was aggravated by the fact that multiple-fanout nodes were involved in many windows and, therefore, had to be traversed many times. This led to the following modification. The original algorithm first detected the window PIs, then the window POs. The current algorithm does the opposite: it performs a shallow topological traversal to detect the window POs followed by a deeper reverse-topological traversal from the POs to find the window PIs. The topological traversal is performed with a fanout limit set to 10. The limit stops the traversal at multiple-fanout nodes and declares them as window POs because they are unlikely to yield any observability don’t cares (due to many outgoing paths). Another important improvement is that only those window POs are computed that have reconvergence involving the pivot node and the window PIs. The POs without reconvergence should not be included in the window because they do not contribute don’t cares. Once the window for a node is constructed, it is considered as the network, for the purpose of don’t care computation or other logic optimizations. For this reason, algorithms for logic optimization can be discussed in the context of a sufficiently small network.

Problems

191

11.3.2 Efficient Window Selection for Sequential Networks The above presentation concerns computation of windows in combinational networks. When the network is sequential, it may be considered as combinational for the purpose of computing internal don’t-cares. In this case, combinational windowing can be applied, but the result of optimization will only exploit combinational flexibility. To tap into sequential flexibility, we need to consider sequential elements during optimization. Just as in the combinational case, windowing is important in this case because it allows computations to be scalable. We experimented with several schemes for sequential windowing, i.e., windowing that considers sequential elements. The main difficulty here is that some path may be cyclic and need to be included in the window completely, instead of being broken by introducing PI and PO pairs, which are used to represent sequential elements in combinational synthesis. Described below is the simplest form of sequential windowing used in several applications. It is both easy to implement and gives good experimental results. This windowing is based on partitioning registers of the network, and extracting the coneof-influence of one partition at a time, while replacing the outputs of registers of other partitions by free variables, that is, additional PIs. We tried several register partitioning algorithms and found that the following naive one works well in most cases: divide registers into groups of fixed size in the order of their appearance in the network, with possibly a fixed overlap between the groups. For example, if we have eight registers .1; 2; 3; 4; 5; 6; 7; 8/, with partition size 3 and overlap 1, we have the following partitioning: .1; 2; 3/; .3; 4; 5/; .5; 6; 7/; .7; 8/. The selection of partition size and overlap depends on the application. In particular, when detecting and merging sequential equivalent nodes using a SAT-based inductive prover, the partition size of several thousands led to acceptable runtime and good experimental results [97].

Problems 11.1. Consider the sequential circuit lion9.blif whose description in the blif language is: .model lion9.kiss2 .inputs v0 v1 .outputs v6.4 .latch v6.0 v2 .latch v6.1 v3 .latch v6.2 v4 .latch v6.3 v5 .names [17] v6.4 0 1

0 0 1 0

192


.names [9] v6.0 0 1 .names [11] v6.1 0 1 .names [13] v6.2 0 1 .names [15] v6.3 0 1 .names v0 v1 v3 v5 [0] 0001 1 .names v1 v5 [1] 10 1 .names v0 v1 v3 [2] 001 1 .names v3 v4 [3] 11 1 .names v0 v5 [4] 00 1 .names v0 v1 v5 [5] 111 1 .names v0 v1 v5 [6] 101 1 .names v0 v3 v5 [7] 011 1 .names v3 v5 [8] 01 1 .names [0] [9] 0 1 .names [1] [2] [6] [7] 0000 1 .names [0] [4] [5] [7] 0000 1 .names [2] [5] [6] [8] 0000 1 .names [3] [5] [6] [7] 00000 1 .end

[11] [13] [15] [8] [17]

(a) Decompose the network in all possible ways into two components assigning to each part some of the latches and the related combinational logic. Treating the whole network as a specification, and defining one of two components as the fixed part and the other as the flexible part to redesign, solve the corresponding language equation to compute the largest solution that represents the complete sequential flexibility of the part under redesign.

Problems

193

(b) Transform the largest solution into sequential logic by encoding the multi-valued variables, and by applying to it any appropriate sequential logic optimization. (c) Compare the results obtained among themselves and with the original flexible part. 11.2. (a) Consider the FSM lion9.kiss whose description in the kiss language is: .i .o .p .s 10 00 00 10 11 10 11 01 11 01 00 01 00 10 00 10 11 10 11 01 11 01 00 01 00 .e

2 1 25 9 st0 st0 st1 st1 st1 st2 st2 st2 st3 st3 st3 st4 st4 st4 st5 st5 st5 st6 st6 st6 st7 st7 st7 st8 st8

st1 st0 st0 st1 st2 st1 st2 st3 st2 st3 st4 st3 st4 st5 st4 st5 st6 st5 st6 st7 st6 st7 st8 st7 st8

0 0 0 0 0 0 0 0 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1

Repeat the experiments of Problem 11.1. (b) Consider the FSM lion9 min.kiss whose description in the kiss language is: .i 2 .o 1 .p 16

194


.s 00 01 10 11 00 01 10 11 00 01 10 11 00 01 10 11 .e

4 0 0 0 0 1 1 1 1 2 2 2 2 3 3 3 3

0 0 1 0 1 2 1 0 1 2 1 3 3 2 3 3

1 1 1 1 1 1 1 1 1 1 1 1 0 0 0 0

The FSM lion9 min.kiss has been obtained by state minimization of lion9.kiss. Repeat the experiments of Problem 11.1.

Chapter 12

Computation of Sequential Flexibility in Networks of FSMs by Windowing

12.1 Flexibility in Networks of FSMs This chapter addresses the problem of resynthesizing the component FSMs of a network of FSMs; we will discuss both a global approach and a local (windowing) approach. It will turn out that sometimes it is more effective to solve a system of equations instead of a single equation; therefore we will introduce systems of equations over FSMs. The motivation is that, when optimizing a component FSM by solving a single monolithic equation, the context and the specification may be so huge for real sequential circuits, that they will be difficult to build. Using the fact that the synchronous composition operator is associative, we will see that the task may be simplified by applying a window approach, where we replace the solution of a single large equation by the solution of a system of simpler equations. In the windowing approach, the specification is restricted to be the composition of only two component FSMs, and the context to a single component FSM, so that the computational effort is reduced with respect to the general case, where the specification is the composition of all component FSMs and the context is the composition of all but one (the one to be resynthesized) component FSMs. For the sake of simplicity, all component FSMs are assumed to be complete and deterministic. Example 12.1. Consider the FSM network topology shown in Fig. 12.1. Instances of FSMs MA , MB and MC are provided in Fig. 12.2a–c respectively. There is a loop containing component FSMs MA and MB , but there are no combinational cycles because MA is a Moore FSM. One can check that the reduced FSM MA MB MC has two states as shown in Fig. 12.2d. Given the synchronous composition MA1 MAj MAn of a collection of complete and deterministic FSMs MA1 ; : : : ; MAj ; : : : ; MAn , the largest solution of the FSM equation MA1 : : : MAj 1 MX MAj C1 MAn Š MA1 : : : MAj 1 MAj MAj C1 MAn captures all the admissible behaviors that may replace a T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 12, © Springer Science+Business Media, LLC 2012

195

196

12 Computation of Sequential Flexibility in Networks of FSMs by Windowing

Fig. 12.1 FSM composition I MA MC U

O

V

MB

Z

given component MAj , while preserving the original composition, i.e., any valid replacement MO Aj of MAj is such that MA1 MAj MAn and MA1 MO Aj MAn are equivalent. Due to the fact that the synchronous composition operator is commutative and associative,1 it holds that MA1 MAj MAn and MAj .MA1 MAj 1 MAj C1 MAn / are equivalent. Therefore the previous equation can be rewritten as: MX MA1 : : : MAj 1 MAj C1 MAn Š MA1 MAj 1 MAj MAj C1 MAn : The associative property of the composition operator simplifies the operation to build the FSM composition MA1 MAn , because the composition of several FSMs can be derived by iterating the composition of two machines. To resynthesize a component FSM MAi based on equation solving, we lump together all the remaining FSMs to obtain the context FSM MA1 MAj 1 MAj C1 MAn Š MContext , and then we further compose MAi with MContext to obtain the specification FSM MAi MContext Š Mspec; at the end we set up the equation MX MContext Š MAj MContext or MX MContext Š Mspec (or symmetrically MContext MX Š Mspec ). We remind from Chap. 3 that the largest solution of the equation MC ont ext MX Š Mspec is expressed by an observable FSM. Any solution of the equation is a reduction of the largest solution, i.e., the behavior of each FSM that is a solution of the equation is contained in the largest solution. The converse is not always true: not each reduction of the largest solution is a solution of the equation. The complete characterization of such valid reductions still remains unknown. However, for an equation over complete deterministic FSMs there are known cases where

Given FSMs MA ; MB ; MC it holds that MA MB Š MB MA and that .MA MB / MC Š MA .MB MC /.

1

12.1 Flexibility in Networks of FSMs

a

i2v1/u1 i2v2/u1

197

i1v1/u1 i1v2/u1 s0

s1

i1v2/u2 i2v2/u2

i1v1/u2 i2v1/u2

b

i2u1/v2z2

i1u1/v1z1 i2u2/v2z1 t0

t1 i1u1/v1z1 i1u2/v1z1 i1u1/v2z2 i1u2/v2z1 i2u1/v2z2

c

i2u1/v1z2 i2u2/v2z2

i1u2/v1z2

z2/o1 z1/o1 q0

q1

2

z1/o2 z2/o1

i2u2/v2z2

e d

i2u1/v1z2 i2u1/v2z2

i1u1/v1z1 i1u1/v2z1 a

i2/o1 i1/o1 b

i1u2/v1z1 i2u2/v1z2 i1u2/− − i2u2/− −

i1u1/− − i2u1/− −

dnc

i1u1/− − i1u2/− − i2u1/− − i2u2/− −

i1u2/v2z1 i2u2/v2z2

r0

r1 i1/o2 i2/o1

g f i1/z1 i2/z2

0

i1u1/v1z1 i1u2/v1z1 i2u1/v1z2 i2u2/v1z2

0

Fig. 12.2 FSMs with reference to the topology in Fig. 12.1. (a) FSM MA ; (b) FSM MB ; (c) FSM MC ; (d) Composition MA MB MC ; (e) Largest solution of the equation MX .MA MC / Š MA MB MC ; (f) Reduction MB0 of the largest solution independent from the input U (and with a single state); (g) Reduction MB? of the largest solution with a single state

198


every reduction of the largest solution is a solution of the equation. In particular, when the context FSM MC ont ext and the specification FSM Mspec are complete and deterministic FSMs, the following properties hold: 1. If MC ont ext is a Moore FSM, then each complete reduction of the largest solution of the equation MC ont ext MX Š Mspec is a solution of the equation. 2. Each complete deterministic reduction of the largest solution that is a Moore FSM is a solution of the equation. These sufficient conditions may be used to select a reduction of the largest solution, forcing the rule that a Moore component FSM can be replaced only by a reduction of the largest solution that is a Moore FSM. As discussed in Sect. 3.1.2, the largest Moore solution is a submachine of the largest solution that is computed by Procedure 3.1.5. If the component FSM used for replacement is not a Moore FSM and the context is a Moore FSM, then any complete deterministic reduction of the largest solution can be selected as a replacement. In Chap. 14 we will discuss the issue of extracting an optimal solution from the pool of all solutions contained in the largest solution. Useful cost functions to measure a solution are the number of states or the number of connection lines. Suppose that for a realistic cost function it is feasible to extract a behavior minimizing the chosen cost, the problem arises of how to resynthesize a given network of FSMs replacing legally the individual components. We propose a scheme of iterative FSM equation solving, which requires the solution of an appropriate sequence of FSM equations. To illustrate the idea, suppose that we start with the component FSM MA1 and assume that all other component FSMs are optimal. Then we collapse all other component FSMs into a single context FSM MC ont ext Š MA2 MAn and solve the equation MX MC ont ext Š MSpec , where MSpec Š MA1 MAn , in order to capture all FSMs which can replace the component FSM MA1 without changing the external behavior of the overall circuit. The largest solution of the equation contains each possible behavior; we select a reduction of the largest solution of minimum cost that is a solution of the equation. Then we iterate on each component FSM MA2 ; : : : ; MAn in order to replace it with a corresponding component of minimum cost in the composed system. Finally we return to FSM MA1 and repeat the process until none of the component FSMs can be reduced. Summarizing, we resynthesize iteratively each component FSM assuming that all other components are already optimal. The component FSM is modified while checking for improvement and conformance. The former is measured by the optimization cost function, whereas the latter is verified by solving its related FSM equation. Example 12.2. For the network topology shown in Fig. 12.1, consider the FSMs instances MA , MB and MC given in Fig. 12.2a–c. The largest solution of the equation MX .MA MC / Š MA MB MC shown in Fig. 12.2e has three states, and has a reduction MB? with a single state shown in Fig. 12.2g. By noticing that the transitions of MB? depend essentially only on input I , we can remove input U from

12.2 Windowing in a Network of FSMs

199

MB? and obtain the solution MB 0 that does not depend on input U and is shown in Fig. 12.2f. Therefore, the component FSM MB can be replaced by MB 0 independent from input U , and so the component FSM MA becomes superfluous, i.e., it can be deleted from the composition, because there is no need to produce the internal output U (and also no need for MB 0 to produce the internal output V ). By direct inspection, one can verify that the composition of the FSM MB 0 and of the component FSM MC is equivalent to the composition MA MB MC (the latter is shown in Fig. 12.2d). The proposed strategy for resynthesis is a global one, because it takes into account the complete network in computing the flexibility of the components. Its main disadvantage is that collapsing a system of interacting FSMs into a single FSM (the specification and the context) may cause state explosion, since the collapsed FSMs are huge for real applications. In order to alleviate the computational effort, at the price of missing some flexibility, we propose local optimization procedures that apply windowing strategies to networks of FSM (cf. windowing applied to netlists in Chap. 11).

12.2 Windowing in a Network of FSMs Given a component FSM to be resynthesized, it is reasonable to assume that its behavior depends mostly on its neighbouring machines. Therefore, we will propose strategies to compute the flexibility of a component with respect to its neighbours instead of the entire context.

12.2.1 Windowing Via Solving a Set of Equations Given the FSM network MA1 MAn and a component FSM MAj , consider another component FSM MAt connected with MAj , and the equation MX MAt Š MAj MAt . For each solution MBj of the equation, it holds that MBj MAt Š MAj MAt . Since the composition operator is commutative and associative, the composition MA1 MAj MAt MAn is equivalent to MA1 .MAj MAt / MAn , and also to MA1 .MBj MAt / MAn and finally to MA1 MBj MAt MAn , i.e., each solution of the equation can replace the component FSM MAj without changing the external behavior of the overall composition. So the following statement holds. Proposition 12.2.1 Given the composition MA1 MAj MAt : : : MAn , let MAj and MAt be connected component FSMs. For each solution MBj of the

200


A2j

A1

A2

A1j

Aj

Apj

A3j

Fig. 12.3 Local optimization of FSM MAj MA2j ; : : : ; MApj

with respect to neighbour FSMs MA1j ;

equation MX MAt Š MAj MAt , the composition MA1 MBj MAn where MBj replaces the component FSM MAj , is equivalent to the composition MA1 MAj MAn . Proposition 12.2.1 can be used to define heuristics that simplify the problem of resynthesis and optimization of a component FSM, at the price of a loss of completeness and optimality. As an example, consider the topology shown in Fig. 12.3, in order to resynthesize the FSM MAj we may take the collection MA1j ; : : : ; MApj of all FSMs connected with FSM MAj and then derive the collection of equations: MX1 MA1j Š MAj MA1j ; ::: MXP MApj Š MAj MApj : Replacements for MAj are to be found among the reductions of each of the previous equations; to guarantee that a given reduction is a solution we can apply sufficient conditions, e.g., replacing a Moore FSM only by Moore reductions of the largest solution. An optimal solution is selected from the solutions over all equations, i.e., we solve each equation, select an optimal solution of the equation and then select the best solution over all optimal solutions.


201

Example 12.3. A replacement of the component FSM MB in Fig. 12.1 can be found by solving the two equations MXA MA Š MB MA and MXC MC Š MB MC . By direct inspection, one can check that the largest solution of the equation MX MA Š MB MA coincides with the largest solution of the global equation MX MA MC Š MB MA MC , shown in Fig. 12.2e; therefore the FSM MB 0 in Fig. 12.2f can be obtained by solving a simpler equation. Indeed one can check that the specification FSM MB MA has a single state and two transitions; moreover, the context FSM MA has two states and eight transitions, as shown in Fig. 12.2a. Therefore the second equation cannot improve the FSM MB 0 . Resynthesis and optimization based on the window approach are computationally cheaper than global optimization, because we do not need to consider the whole network. The process can terminate once a solution of reasonable size is obtained. However, when using local optimization an optimal solution may be missed, since not all the component FSMs are taken into account. Example 12.4. In Table 12.1 we report some experiments obtained by the composition and resynthesis of triples of FSMs from the LGSynth93 suite [87]. The letters s and i denote the number of states and inputs of a corresponding benchmark. The fourth, fifth and sixth columns report the number of states of a component FSM after local and global optimization with respect to the minimum number of states. When optimizing the head and the tail machines, a single FSM equation w.r.t. a neighbor FSM was solved, while when optimizing the middle component machine a collection of two equations was solved. Then in either case an optimal solution was selected, to be a reduction of the largest solution that is a submachine with a minimum number of states (with the usual requirement that such reduction be a solution), As an example, consider the last network in the table defined by the composition of shiftreg, modulo12 and dk512. In the first step the tail component FSM dk512 with two inputs and 15 states can be replaced with FSM MC 0 with 13 states. When the tail machine dk512 is replaced with MC 0 , the middle component FSM becomes reducible and is replaced with FSM MB 0 with 11 states. We repeat the optimization process for the composition of shiftreg, MB 0 and MC 0 , and reduce the middle and tail component FSMs to FSMs with 10 and 11 states, respectively. The head component FSM cannot be reduced. As a result, we get a final composition whose head component FSM has eight states, the middle component FSM has 10 states and the tail component FSM has 11 states, matching the global optimum solution. However, in Sect. 12.2.2 we will discuss cases when the component FSM of interest cannot be reduced by solving a set of equations, but requires instead a system of equations.

Head FSM Name s shiftreg 8 bbara 10 shiftreg 8 shiftreg 8

2 16 2 2

i

Mid FSM Name dk27 bbtas modulo12 modulo12 7 6 12 12

s

i 2 4 2 2

Tail FSM Name s lion 4 dk27 7 dk27 7 dk512 15 i 4 2 2 2

Head s 8 9 8 8

Mid s 6 6 12 10

Tail s 4 6 7 11

Head s 8 9 8 8

Mid s 6 6 12 10

Table 12.1 Experiments for resynthesis and optimization by solving iteratively sets of equations Local Global optimization optimization Tail s 4 6 6 11

202 12 Computation of Sequential Flexibility in Networks of FSMs by Windowing


I

Aj

203

V

A1j

Z1

...

Apj

Zp

Fig. 12.4 A network topology to illustrate systems of equations

12.2.2 Windowing Via Solving a System of Equations Given the composition MA1 MAj MAk , consider a component FSM MAj and all component FSMs MA1j ; : : : ; MApj with inputs that are connected with the same output V of the FSM MAj , as in Fig. 12.4. In this case, for each equation MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj , the input and output sets of their specifications MAj MA1j ; : : : ; MAj MApj are respectively .I; V; Z1 /, : : : , .I; V; Zp / and contain those of the component MAj that are .I; V /. Therefore, the output response of each solution (replacing MAj ) to each input sequence coincides with that of the initial FSM MAj because the signal V must be produced as an external output, i.e., the solution of each equation is equivalent to MAj , and therefore the component MAj cannot be optimized by solving a single local equation. In order to be able to optimize such component we need to hide some input or output alphabets of the component, i.e., to consider them as internal alphabets. The latter can be achieved if we consider a system of equations instead of a single equation. The difference between a set of equations and a system of equations is that in the former case a solution of any equation is a solution of the set of equations, whereas in the latter case a solution of the system must be a solution of each equation of the system. The definition of a system of FSM equations follows [151, 153]. Definition 12.2.1. Given FSMs MA1 ; : : : ; MAk and MC1 ; : : : ; MCk , a system of FSM equations 8 MX MA1 Š MC1 ˆ ˆ < M X M A 2 Š M C2 ˆ ::: ˆ : M X M A n Š MCn

204


is a finite set of FSM equations where the unknown MX is specified over the same input and output alphabets. An FSM MS is a solution of the system of equations iff it is a solution of each equation of the system. Going back to the topology in Fig. 12.4, let us define the system of equations MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj , where in each equation MX MAkj Š MAj MAkj the FSM MAj MAkj is the sequential composition of FSMs MAj and MAkj ,with no external access granted to the output alphabet V of the component MAj , i.e., the alphabet V is kept as an internal alphabet of the composition. In that case, the component FSM MAj may still be reducible, because its output V is not visible externally and its effect is “masked” by the series compositions with MA1j ; : : : ; MApj . In fact, given an FSM MB that is a solution of the system of equations MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj and an input sequence ˛ 2 I ? , the output response of the composition MAj MA1j MApj to ˛ is the output response of MA1j ; : : : ; MApj , together with the output response of MAj , when the FSMs MAj ; MA1j ; : : : ; MApj are composed synchronously. Therefore, MB is a solution of the equation MX .MA1j MApj / Š MAj MA1j MApj , and the converse holds too. So, one proves the following statement. Proposition 12.2.2 For the topology given in Fig. 12.4, the composition MB MA1j MApj is equivalent to MAj MA1j MApj , i.e., the FSM MB is a solution of the equation MX .MA1j MApj / Š MAj MA1j MApj , if and only if it is a solution of the system of equations MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj . Proof. (Sketch) (a) MX .MA1j MApj / Š MAj MA1j MApj implies MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj . Given that MX MX Š MX and MAj MAj Š MAj , in the previous equality we can compose the left side with p 1 copies of MX , and the right side with p 1 copies of MAj , to obtain: MX MX MX .MA1j MApj / Š MAj MAj MAj MA1j MApj . By commutativity and associativity, we can restructure the previous equality and get .MX MA1j / .MX MApj / Š .MAj MA1j / .MAj MApj /. From the latter we get finally MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj (notice that MX MA1j and MAj MA1j are defined over .I; Z1 /, ..., MX MApj and MAj MApj are defined over .I; Zp /). (b) MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj implies MX .MA1j MApj / Š MAj MA1j MApj . From MX MA1j Š MAj MA1j ; : : : ; MX MApj Š MAj MApj , we obtain by composition .MX MA1j / .MX MApj / Š .MAj MA1j / .MAj MApj /, and then by commutativity and associativity MX .MA1j MApj / Š MAj MA1j MApj . t u Example 12.5. Consider the composition in Fig. 12.5 and the instances of the FSMs MF , MD and ME in Fig. 12.6a–c.


205

V

I

MD

Z

ME

Y

MF

V

Fig. 12.5 Instance of topology in Fig. 12.4 restricted to three FSMs

a

b

i1/v1 i2/v2 f0

f1

v1/0 v2/0 d0

d1

i2/v1

v1/1 i1/v2

v1/1 v2/1 e0

e1 v1/0

v2/0

d

c

i1/v1, v2 i2/v1, v2 s1

s0 v2/1

i2/v1

i1/v2

e s0

i1/v2 i2/v1

Fig. 12.6 FSMs with reference to the topology in Fig. 12.5. (a) FSM MF ; (b) FSM MD ; (c) FSM ME ; (d) Largest solution of the system of FSM equations MX MD Š MF MD ; MX ME Š MF ME ; (e) Reduction with a single state of the largest solution

The largest solutions of the separate equations MX MD Š MF MD and MX ME Š MF ME , where the composed FSMs MF MD and MF ME are specified over the input alphabet I and – respectively – the output alphabets V Z and V Y , are equivalent to MF , i.e., MF cannot be minimized when solving a local FSM equation. The reason is that the output V of the FSM MF is an external output alphabet, and so, for each component FSM MK such that MK MD ME is equivalent to MF MD ME , the output response of MK to each input sequence coincides with that of the FSM MF , i.e., FSMs MF and MK are equivalent. However, the FSM MF can be replaced with a smaller FSM when solving a corresponding system of FSM equations, i.e., when the output V of the FSM MF is

206


an internal hidden alphabet, and thus the composed FSMs MF MD and MF ME are specified over input alphabet I and output alphabets Z and Y , respectively. By solving the system of equations (see next section), one finds the largest solution in Fig. 12.6d whose reduction to a single state in Fig. 12.6e can replace the FSM MF without changing the overall behavior of the composition. In the next section we discuss some facts about solving systems of FSM equations.

12.3 Solving a System of FSM Equations We refer to Definition 12.2.1 of a system of FSM equations. An FSM MB is a solution of a system of FSM equations if it is a solution of each equation of the system. The largest solution MS of a system of FSM equations contains every solution of the system, i.e., it is such that every solution of the system of equations is a reduction of the FSM MS . Therefore the largest solution of a system of FSM equations can be obtained as the intersection of the largest solutions over all equations of the system. The intersection of FSMs is defined in a number of papers; we use the definition from [147]. Definition 12.3.1. Given two nondeterministic FSMs M1 D .S1 ; I; O; T1 ; r1 / and M2 D .S2 ; I; O; T2 ; r2 /, the intersection of FSMs M1 and M2 , denoted by M1 \ M2 , is the largest connected submachine of the FSM .S1 S2 ; I; O; T\ ; .r1 ; r2 //, where ..s1 ; s2 /; i; o; .s10 ; s20 // 2 T\ , Œ.s1 ; i; o; s10 / 2 T1 ^ .s2 ; i; o; s20 / 2 T2 : The definition can be easily extended to more than two machines. If FSMs M1 and M2 are observable then their intersection is also an observable FSM. However, the intersection of complete FSMs can be a partial FSM. In order to describe the set of all complete machines that are reductions of M1 and M2 simultaneously, we need the notion of the largest complete submachine of the intersection. The largest complete submachine Complete.MA / of the FSM MA is obtained by deleting iteratively all the states with undefined transitions. If the initial state is deleted then MA has no complete submachine. Otherwise, the obtained complete machine is the largest complete submachine of MA . The set of complete reductions of MA and of Complete.MA / coincide, and as a corollary, the following statement holds for the intersection of two observable FSMs [147]. Proposition 12.6. Given two observable FSMs MA and MB , a complete FSM is a reduction of both FSMs MA and MB , if and only if it is a reduction of Complete.A \ B/, where Complete.A \ B/ is the largest complete submachine of the intersection MA \ MB .

12.3 Solving a System of FSM Equations

207

Due to the commutative and associative properties of the composition operator, Proposition 12.6 can be extended to more than two equations. This suggests the following procedure to solve a system of FSM equations: Procedure 12.3.1. Input: System of FSM equations MX MAj Š MCj , j D 1; : : : ; k; Output: Largest complete FSM solution MS of the system of FSM equations. 1. Compute the largest solution MSj of each equation MX MAj Š MCj , j D 1; : : : ; k. 2. The largest complete submachine of the intersection MS D \kj D1 MSj (if it exists) is the largest complete solution of the system. To compare the efficiency of solving a system of FSM equations vs. solving a single monolithic equation, consider the topology shown in Fig. 12.5. In order to capture all the FSMs that can replace the head machine MF we set up the equation MX .MD ME / Š MF MD ME . Given the complete and deterministic machines MF ; MD and ME and the largest complete solution MS of the equation over alphabets I and V (it is solvable because there is at least the solution MF ), each complete and deterministic reduction of MS can replace the FSM MF in the composition, i.e., given a complete and deterministic FSM MK such that MK is a reduction of MS it holds that MK MD ME Š MF MD ME . However, notice that the numbers of states of the machines MF MD ME and MD ME are equal, respectively, to jSF j jSD j jSE j and jSD j jSE j. Since by Theorem 12.2.2 an FSM is a solution of the equation MX .MD ME / Š MF MD ME if and only if it is a solution of the system of equations MX MD Š MF MD and MX ME Š MF ME , we can replace the single monolithic equation by the system of two equations MX MD Š MF MD and MX ME Š M F M E . When a system of equations is solved instead of a monolithic equation the worstcase complexity of computing the largest solution does not decrease. The reason is that to obtain the largest solution of the system of equations we need to build the product of the components of the single equations (respectively, jSF j jSD j and jSF j jSE j) and then to intersect them (jSF j jSD j jSF j jSE j). However, since each single equation of the system has a smaller worst-case complexity, when the reduced largest solutions of the single equations are smaller than their worst-case complexity, equations involving FSMs of larger sizes may be solved. Example 12.7. Consider the FSMs MF ; MD and ME in Fig. 12.7a–c. By direct inspection one can check that the largest solutions MSD and MSE to the FSM equations MX MD Š MF MD and MX ME Š MF ME are isomorphic to the FSM MF . Therefore, their intersection is also isomorphic to MF . Thus, each FSM that is not equivalent to MF changes the external behavior of the composition, i.e., MF cannot be replaced without changing the behavior of the overall system. Instead, when solving a single equation, we have to build the FSMs MD ME and

208


b

a

1/z1

b/0

0/z1

a/0 f0

d0

f1

c

d1 1/z1

a/1 b/0 0/y1 1/y2

0/z2

e0

e1 0/y2

1/y2

Fig. 12.7 FSMs with reference to the topology in Fig. 12.5. (a) FSM MF ; (b) FSM MD ; (c) FSM ME

MF MD ME whose number of states is 4 and 7 respectively. Therefore, the above example shows that sometimes a system of equations can be solved more efficiently than a single monolithic equation. Acknowledgments We thank Maria Vetrova and Svetlana Zharikova for their contribution to this chapter from their dissertations at the University of Tomsk [134, 154].

Problems 12.1. Check the statements of Example 12.7 by working out all the computations. 12.2. Sets and Systems of FSM equations 1. For each topology shown in Fig. 12.8, define the appropriate set or systems of equations to compute the flexibility of FSM MA using local optimization. For a start, one can consider the sets/systems of equations proposed below as candidates for local optimizations of MA . a. Topology N. 1 in Fig. 12.8a MB1 MX1 Š MB1 MA MX2 MC1 Š MA MC1 b. Topology N. 2 in Fig. 12.8b MB1 MX1 Š MB1 MA MB2 MX1 Š MB2 MA

Problems

209

d

a MB 1

MA

MC1

b MB1

MB1

MB2

MB2 MA

MC1

MC

MA MB2

MB1

MC2

MC2

c

e MB

MC

MB 2

M C2

MC2

MC1

1

MA

MA

1

f

MC1

1

MC

1

MA MC1

MC1

Fig. 12.8 (a) Topology N. 1; (b) Topology N. 2; (c) Topology N. 3; (d) Topology N. 4; (e) Topology N. 5; (f) Topology N. 6

M X2 M C1 Š M A M C1 M X2 M C2 Š M A M C2

c. Topology N. 3 in Fig. 12.8c 8 ˆ ˆ MB1 < MB2 ˆ ˆ M C1 : M C2

M X1 M X1 MX1 MX1

Š MB1 MA Š MB2 MA Š MC 1 M A Š MC 2 M A

8 MX2 ˆ ˆ < M X2 ˆ M ˆ : X2 M X2

MB1 MB2 MB1 MB2

Š MA MB1 Š MA MB2 Š MA MB1 Š MA MB2

d. Topology N. 4 in Fig. 12.8d Same as topology N. 2. e. Topology N. 5 in Fig. 12.8e MX M C1 Š M A M C1 MX MC2 Š MA MC2

210


f. Topology N. 6 in Fig. 12.8f

MX M C 1 Š M A M C 1 MX MC2 Š MA MC2

2. Discuss the relation between Topologies N. 2 and N. 3 in Fig. 12.8b, c with respect to the equations defined for local optimization. Can they be treated in the same way? If not, how do they differ? 3. Discuss the relation between Topologies N. 5 and N. 6 in Fig. 12.8e, f with respect to the equations defined for local optimization. Can they be treated in the same way? If not, how do they differ?

Chapter 13

Language Solving Using Simulation Relations

13.1 Model Matching by Simulation Relations An important application coming from discrete control theory is the so-called model matching problem. It asks to design a controller MB so that the composition of a plant MA with the controller MB matches a given model MC (see the controller’s topology in Fig. 1.1e). Versions of the problem where the closed-loop system is required to be simulation-equivalent to the model have been studied in the literature [12, 68]. Definition 13.1.1. S1 S2 is a simulation relation from an FSM M1 D hS1 ; I; O; T1 ; r1 i to an FSM M2 DhS2 ; I; O; T2 ; r2 i if 1. .r1 ; r2 / 2 , and 2. .s1 ; s2 / 2 ) i=o i=o 0 0 0 0 0 0 s1 !M1 s1 ) 9s2 s2 !M2 s2 ^ .s1 ; s2 / 2 8i 8o 8s1

.

If such a exists, we say that M2 simulates M1 , or that M1 has a simulation into M2 , and denote it by M1 si m M2 . Given the plant MA D hSA ; I; O; TA ; rA i and the reference model MC D hSC ; I; O; TC ; rC i, from [68] we define the relation Hmax SA SC , that relates state sA in MA with state sC in MC if and only if sC “simulates” sA . Definition 13.1.2. The relation Hmax SA SC is defined by: v=o 0 0 sA !MA sA ) .sA ; sC / 2 Hmax , 8i 9v 8o 8sA 0

9sC

i=o 0 0 0 sC !MC sC ^ .sA ; sC / 2 Hmax :


(13.1)

211

212

13 Language Solving Using Simulation Relations

Intuitively, MA can be controlled if and only if for all input i that the environment produces, the controller MB can input a v to the plant, under which both MA and 0 0 MC produce the same output and go respectively to next states sA and sC , at which the same property holds. It is the case that any pair of states .sA ; sC / such that sC “simulates” sA and the same holds for the next states, are in Hmax . To construct Hmax , start with all the states in the two machines in Hmax . Then keep a given pair .sA ; sC / in Hmax if and only if for every i , there exists a v, such 0 0 that for every o, MA and MC make transitions to sA and sC respectively, for which 0 0 0 0 .sA ; sC / is also in Hmax . If this condition is not met, drop .sA ; sC / from Hmax and iterate until a fixed point is obtained. Hmax is a simulation relation and is the maximal simulation relation. The main result, proved in [68] and restated in its complete form in [66], follows. Theorem 13.1. Suppose that MA is a deterministic FSM and that MC is a deterministic or pseudo non-deterministic FSM. If .rA ; rC / 62 Hmax , the maximal controller does not exist. If .rA ; rC / 2 Hmax , the maximal controller MX D hSX [ fFg; .I; O/; V; TX ; rX i is obtained by the following construction: 1. rX D .rA ; rC /, and 2. SX D f.sA ; sC / 2 SA SC j .sA ; sC / 2 Hmax g, and .i;o/=v

0

0

v=o

i=o

0

0

0

0

3. ..sA ; sC / ! MX .sA ; sC // , Œ.sA !MA sA / ^ .sC !MC sC / ^ .sA ; sC / 2 Hmax , and 4. add transitions from a state .sA ; sC / to F under .i; o/=v if and only if there is no transition in MA under v=o. There is also a transition from F to F on =. 0

0

There is a transition in the controller from .sA ; sC / to .sA ; sC / on input .i; o/ with 0 output v, if and only if there is a transition from sA to sA on v in MA , and a transition 0 0 0 from sC to sC on i in MC , both producing the same output o, and .sA ; sC / 2 Hmax . The transitions related to F capture the behaviors which are present in MX but are never exercised in the composition of MA and MX ; they correspond to the antecedent of the implication in the definition of Hmax , i.e., it is a don’t care condition about what the controller does on .i; o/=v if v=o is not in the behavior of the plant at sA . Notice that MX is a maximal solution with respect to language containment, because the existence of a simulation relation is equivalent to language containment, when MA and MC are deterministic or pseudo non-deterministic1. When MC is nondeterministic (and not pseudo non-deterministic), MX is a maximal solution with respect to the (maximal) simulation relation. However, we may miss some solutions with respect to language containment, since

1

We remind that the underlying automaton of a pseudo non-deterministic FSM is deterministic, and that for deterministic automata not only the existence of a simulation relation implies language containment but also the vice versa holds.

13.1 Model Matching by Simulation Relations

213

(maximal) simulation relation in general is stronger than language containment, i.e., (maximal) simulation relation implies language containment, but not vice versa. We use a (maximal) simulation relation instead of language containment to avoid determinizing and so obtain an algorithm of polynomial complexity bounded by O.jSA jjSC jjTA jjTC j/, where jSA j (jSC j) is the number of states of MA (MC ) and jTA j (jTC j) is the size of the transition relation of MA (MC ). An approach based on simulation relations has been followed also in [9–12], a series of papers devoted to the model matching problem and its variants from discrete control theory. These papers give a solvability condition based on the notion of a simulation relation between inverse automata, which characterize the possible output sequences generated by an FSM. Definition 13.1.3. Let a NDFSM F D hS; I; O; T; ri be given. Let I.s/ D fi 2 I j9s 0 2 .i; s/g denote the set of applicable inputs at state s. The inverse automaton of F is a non-deterministic finite state automaton F 1 D hS; O; 1 ; ri, where 1 O S S .o; s; s 0 / 2 1 ” 9i 2 I.s/ .i; s; s 0 ; o/ 2 T: The inverse automaton of a given FSM is obtained by using its output labels as input labels. The existence of a simulation relation between the inverse automaton of MC , MC1 D hY; S; 1 ; ri, and that of MA , MA1 D hY; S1 ; 1 1 ; r1 i, enables to prove that the output sequences generated by MC can also be generated by MA . In [12], the following necessary and sufficient condition for the existence of a solution to the FSM model matching problem is proved. Theorem 13.2. Let the plant MA and the model MC be DFSMs. The FSM model matching problem is solvable if and only if there exists a simulation relation under which MC1 si m MA1 , i.e., MC1 is simulated by MA1. This theorem holds both for the controller’s topology (with the unknown controller forming a closed loop with the known plant) and the cascade topology (with the unknown controller as the head FSM and the known plant as the tail FSM), since the solvability condition does not depend on whether the connection is closed-loop or open-loop. Therefore the equation is solvable for the closed-loop topology iff it is solvable for the open-loop topology iff MC1 si m MA1 . In addition, it is shown that for each such simulation relation, say ', it is possible to build a corresponding machine M ' , that actually generates the sequence of inputs u for MA to match the sequence of outputs of MC . It is also shown that every solution is in a one-to-one correspondence with a simulation relation. Notice that the method of simulation relations is considered as an alternative to language equations for the controller’s topology (with the caveats mentioned in this section), but it is not a replacement to solving language equations for general topologies like the rectification topology.

214


13.2 Computing Simulation Relations with Language Equations We assume to operate with FSMs represented as sequential circuits, so we can talk of sequential elements as latches (as in Chap. 7). Consider the general topology of Fig. 13.1a. The configuration indicates that variables u and v are internal to S . This is typical of the situation where we want to derive the maximum flexibility of a submachine FSM from a given one. The given FSM will be the specification S . The signals u and v can be any signals present in the fixed part F , not just latch outputs of F (as is done in the case of the latch splitting operation of BALM). We might want to compute the maximum flexibility (or CSF) of the X part. This is, the maximum FSM solution to the language solving problem, F .i; o; u; v/ X.i; ; u; v/ S.i; o; ; /. On the other hand, we will show that we can set up a simulation relation with a similar configuration shown in Fig. 13.1b. The only difference is that we have made u also a pseudo-output of S . It is a pseudo output since it does not connect to anything in the environment; moreover, we will require that it is preserved. The problem stated in terms of language solving is F .i; o; u; v/ X.i; ; u; v/ S.i; o; u; /. We will show that this corresponds to solving F .i; o; u; v/ X.i; ; u; v/ si m S.i; o; ; /, where si m corresponds to a particular simulation relation between the states on the left and right sides. We restate for automata the definition of a simulation relation previously given for FSMs, since we deal with automata in this section.

a

b S i

o

F

v

u X

S i

o

F

v

u X

Fig. 13.1 (a) Regular configuration for computing the CSF for a submachine X from a given FSM, where u is any set of signals in F and v are some inputs to F ; (b) Configuration for computing a sub-flexibility for a submachine X from a given FSM, where u is any set of signals in F and v are some inputs to F (u is also a pseudo-output of S)

13.2 Computing Simulation Relations with Language Equations

215

Definition 13.2.1. Let P and S be two automata over the same alphabet ˙. Automaton P simulates automaton S , P si m S , if there exists a (simulation) relation R QP QS such that

8.sP ;sS /2R 8 8sP0 Œ.sP ! sP0 / ) 9sS0 .sS ! sS0 / ^ .sP0 ; sS0 / 2 R: In other words, any move that P makes can be imitated by a similar move of S , ending up in a state sS0 that can be paired with sP0 continuing to satisfy the relation. Although, in general, u can be any set of signals of F (as long as there are no combinational loops created between u and v), it is simpler to describe the relation R if the variables u are the outputs of the latches of F and thus are also latches of S . Denote the other latches of S as w. In the application considered, assume that S (and hence F ) is deterministic, then the complement of S is deterministic and so F S is deterministic. Since the only variables that are hidden are o, .F S /#.i;u;v/ is still deterministic. Hence, every state of X D F S can be identified with state combinations coming from F and S . Thus, a state of X has the form .Qu; .Qu; w//. Q The simulation relation R QF X QS consists of all tuples of the form ŒsF X ; sS D Œ.Qu; .Qu; .Qu; w///; Q .Qu; w/. O Note that the two instances of minterms in w are different in general, but the minterms in the u positions must be the same. In essence, we solve the language equation F X si m S simply by exposing u as an output of S and then using the language solving machinery already developed. Solving a problem as a simulation relation rather than language containment creates many don’t cares in its solution Xsi m , although Xsi m X , where X is the solution provided by language solving. However, it is better understood how to use don’t cares in the minimization process. We miss some solutions due to the fact that in general u does not need to be preserved. As an example of how don’t cares are created in Xsi m , suppose that S is in the state .Qu; w/ Q and F is in the state uO . As notational matter, we remind that nF is the non-accepting don’t care state of F , nS is the non-accepting don’t care state of S , sF is any accepting state of F , sS is any accepting state of S . Suppose that under input .iQ ; o; Q uQ ; /, S makes a transition to the state .Qu0 ; wQ 0 /. Consider the transition that state uO of F makes under the same input ..iQ ; o; Q uQ ; //. If uQ ¤ uO , then this transition in F is undefined and hence will transit to its non-accepting don’t care state, nF . Thus, in the product machine F .i; o; u; v/ S.i; ; u; v/, the current state will transit to .nF ; .Qu0 ; wQ 0 //. This is a non-accepting state of the product machine because a state is accepting in a product only if both states are accepting2 . Thus, in F .i; o; u; v/ S.i; ; u; v/, the only accepting states would be .sF ; nS / where nS is the don’t care state of S . Finally in F S , the accepting states are all states except .sF ; nS /. In particular, states .nF ; sS / are accepting. Such states can never transition to a non-accepting state because nF has a universal self-loop, i.e., the non-accepting In the pair .nF ; .Qu0 ; w Q 0 //, neither state is an accepting state (nF is non-accepting in F , and .Qu0 ; w Q 0/ is non-accepting in S , the complement of S).

2

216


states are of the form .sF ; nS / and .nF ; sS / cannot transition to any of them because nF cannot transition to sF . These states can be lumped into one state, an accepting don’t care state. In conclusion, if uQ ¤ uO , Xsi m will transition into an accepting don’t care state and thus there are many don’t care transitions created by exposing u as a pseudo output of S .

13.3 Example with Latch Splitting In this section we discuss an example that starts with a sequential network representing FSM S , which may already be a sub-network of a larger FSM as discussed in Chap. 11. We use the BALM’s command latch split to divide the latches (and combinational logic feeding them) of the network S into two parts. The first part is called F and the second part is called A. Next, the complete sequential flexibility X is computed for the A part using S as the specification and F as the fixed part. A is a particular solution contained in the most general FSM solution Xfsm. The equation F X S can be solved in two different ways: 1. Normal use of latch split where an FSM is divided into two parts, say F and A, where the A part is considered as unknown. Solving the language equation for X provides the most general solution, which represents the complete set of flexibilities possible for replacing A. This was the topic of Sect. 11.2. 2. Solving a restricted problem, which is obtained by setting up a relation between the states of F X and S (instead of language containment), i.e., solving F X si m S . Finding the largest solution of this restricted problem yields a restricted solution of the language equation problem. The running example, planet.blif 3 , will demonstrate how the solution by the second method can be found and then minimized using command dcmin, specifically targeted for this situation, where the states are constrained (see Sect. 14.3 for an in-depth presentation of dcmin). Example 13.3. In an initial FSM (which is planet.blif in this example), the latches are (v7,v8,v9,v10,v11,v12). Using the command, latch split 0-3, the first four latches are moved to the A part leaving the latches of F as (v11,v12). When we compute the product of F S , in order to solve for X , the state space variables of the product are (v11,v12,v7,v8,v9,v10, v11,v12), i.e., .sF ; sS /. Although X is obtained from this by complementation, its states can be labeled with .sF ; sS /. In general, values in the first two slots, (v11,v12), need not agree with those in the last two slots, because v11 and

3

To save space, we do not include here the description of planet.blif, which can be found in the standard MCNC/ISCAS benchmarks for FSMs [87], and also can be retrieved from the examples provided in the on-line directory of BALM.

13.3 Example with Latch Splitting

217

v12 are internal variables of S . However, if they are made external variables of S , this would set up a simulation relation between the states of X and S , namely, a state of X , say .0; 0; sS / would be associated only with a state of S of the form, sS D .; ; ; ; 0; 0/; i.e., the values of (v11,v12) in F are forced to take the same values as latches 4 and 5 in S , but latches 0-3 in S can have any value. All other product states would not be allowed. For example, a product state .0; 0; 1; 1; 0; 1; 0; 1/ will not exist since the two copies of (v11,v12) in the product would disagree. Further, for any state sX that X is in, the u input, (v11,v12), to X must agree with the state label of sX . No other inputs can appear. This creates many input don’t cares for each state of X . We will see in Sect. 14.3 that these can be used effectively to state minimize Xfsm by the command dcmin. This type of forced correspondence can be introduced using the following two steps: (Step 1) Make latches in F additional primary outputs of S . In this example, it would amount to adding (v11,v12) to the primary outputs of S . (Step 2) Make all the latches of F primary outputs of F . In the example, F would have the additional outputs (v11,v12). As a result, in computing the solution X , the primary outputs of F and S are forced to have the same values. This is because when taking the product of F and S , by definition, two signals with the same name must have the same values. The above two steps can be performed using BALM’s command latch expose, which takes a range of latch numbers to be made into primary outputs. Example 13.4. (continued from Example 13.3) We illustrate the procedure in the example, planet.blif is S . The six latches of planet.blif are (v7,...,v12). We first execute the following sequence of BALM commands: 1.read_blif planet.blif 2.latch_split 0-3 3.latch_expose 4-5 \# this makes v11 and v12 outputs of planet.mv 4.write_blif_mv planet.mv 5.read_blif planetf.blif 6.latch_expose 7.write_blif_mv planetf.mv 8.source planetS.script

The command latch split creates the following files: planetf.blif, planeta.blif, planetS.script, planetSC.script, planetL. script, planetLC.script. The last four files are scripts to compute the largest solutions of the general language equation and of the restricted (by simulation) problems. In particular, the file planetS.script is a BALM script that computes the largest solution of the restricted problem defined by setting up a relation between the states of F X and S . The solution is produced in the file planetxs.aut.

218


i

o

F

v

u

X

Fig. 13.2 Topology for latch splitting. In the example planet.blif the i signals correspond to v0,...,v6, the v signals correspond to v7,v8,v9,v10 (latches of the X component planeta.blif), the u signals correspond to v11,v12 (exposed latches of the F component planetf.blif), the o signals correspond to v13.6,...,v13.24. The u signals v11,v12 are exposed both in the context planetf.blif and in the specification planet.blif

Files planetf.blif and planeta.blif derived by latch split are copies of planet.blif, except in planetf.blif the latches (v7,...,v10) have been removed and replaced by input variables v which are named (v7,...,v10). In planeta.blif the latches (v11,v12) have been removed and replaced by inputs named (v11,v12). In addition, all outputs o are removed from planeta.blif, i.e., its only output signals are (v7,v8,v9,v10). This procedure sets up the topology shown in Fig. 13.2. Recall that planeta.blif is a particular solution contained in X (except that it does not have logic that produces the outputs o). Thus the latches of planet.blif have been split into the first four latches that are part of A and the remaining two that are part of F . The third command, latch expose 4-5, makes those latches of S , which correspond to latches of F , additional primary outputs. The fourth command writes the exposed network into a new file, named planet.mv. This file will replace planet.blif as the specification. The last three commands expose the latches of F as required by Step 2). Before running the script file planetS.script, it should be edited to reflect that S is now called planet.mv. Initially planetS.script looks like: \# Language solving script (partitioned) generated by MVSIS \# for latch splitting of sequential network ‘‘planet.blif" on Tue Jun 22 13:45:35 2010 \# Command line was: ‘‘latch_split 0-3". echo ‘‘Solving the language equation ... " solve_fsm_equ planetf.blif planet.blif v0,v1,v2,v3,v4,v5, v6,v11,v12 v7,v8,v9,v10 planetxs.aut print_stats_aut planetxs.aut

We replace the input files, planetf.blif and planet.blif, of procedure solve fsm equ by planetf.mv and planet.mv, since these are the new files


219

for the fixed part F and the specification S which have (v11,v12) as new outputs. Note that the above script consists of only one command solve fsm equ, but its arguments for this application have been derived automatically from the split command. The arguments are the two files containing FSMs F and S and two comma separated lists, the first is the set of inputs of X , and the second is the set of its outputs. The last file named, planetxs.aut, is the file which will contain the maximum FSM solution in the AUT format. So finally planetS.script looks like: \# Language solving script (partitioned) generated by MVSIS \# for latch splitting of sequential network ‘‘planet.blif" on Tue Jun 22 13:45:35 2010 \# Command line was: ‘‘latch_split 0-3". echo ‘‘Solving the language equation ... " solve_fsm_equ planetf.mv planet.mv v0,v1,v2,v3,v4,v5, v6,v11,v12 v7,v8,v9,v10 planetxs.aut print_stats_aut planetxs.aut

We now look at the input and output parts of S (planet.mv): Primary inputs: v0 v1 v2 v3 v4 v5 v6 \# these are the original inputs Primary outputs: {v13.6} {v13.7} {v13.8} {v13.9} {v13.10} {v13.11} {v13.12} {v13.13} {v13.14} {v13.15} {v13.16} {v13.17} {v13.18} {v13.19} {v13.20} {v13.21} {v13.22} {v13.23} {v13.24} {v11} {v12} \# these are the original outputs plus the latches exposed corresponding to F

and of F (planetf.mv): Primary inputs: v0 v1 v2 v3 v4 v5 v6 v7 v8 v9 v10 \# the last 4 represent the new v inputs Primary outputs: {v13.6} {v13.7} {v13.8} {v13.9} {v13.10} {v13.11} {v13.12} {v13.13} {v13.14} {v13.15} {v13.16} {v13.17} {v13.18} {v13.19} {v13.20} {v13.21} {v13.22} {v13.23} {v13.24} {v11} {v12} \# these are the original outputs plus the new u outputs

Note that F has 4 extra inputs coming through channels associated with outputs of X . These channels are named (v7,v8,v9,v10) (the v variables). F also has extra latch outputs, (v11,v12) (the u variables). These will be outputs and inputs, respectively, of the solution X . We emphasize that the new aspect of what we are doing, in contrast to using the regular latch split operation, is that both F and S have (v11,v12) as outputs (which are done by lines 3 and 6), whereas S would not have these outputs. Thus, in forming the product machine, these variables are tied together and forced to be equal by the nature of the product operation. This association sets up a simulation relation as discussed in Sect. 13.2. After executing line 8: source planetS.script,

220


the inputs and outputs of the file produced by this script, planetxs.aut, are: Primary inputs: v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10 Primary outputs: Acc

The first 7 inputs are the inputs i of the original planet.blif. The inputs v11 and v12 are the u variables coming from F , and the last 4 are the v variables which are the outputs of X . Acc is the unique primary output of an automaton in the BLIF-MV description to specify accepting states (see the format of automata in Sect. 8.2). Finally, we mentioned that the command latch split creates also three more scripts; we will introduce them briefly and leave as an exercise their careful examination. The following script planetSC.script verifies that the product of the solution planetxs.aut and of the context planetf.aut is contained in the specification planets.aut. echo "Verifying the (partitioned) composition in the spec ... " support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 planetxs.aut suppx.aut read_blif planetf.blif latch_expose extract_aut planetf.aut support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 planetf.aut suppf.aut product suppx.aut suppf.aut prod.aut support v0,v1,v2,v3,v4,v5,v6,v13.6,v13.7,v13.8,v13.9,v13.10, v13.11,v13.12,v13.13,v13.14,v13.15,v13.16,v13.17,v13.18,v13.19, v13.20, v13.21,v13.22,v13.23,v13.24 prod.aut prod.aut determinize prod.aut prod.aut read_blif planet.blif extract_aut planets.aut support v0,v1,v2,v3,v4,v5,v6,v13.6,v13.7,v13.8,v13.9,v13.10, v13.11, v13.12,v13.13,v13.14,v13.15,v13.16,v13.17,v13.18, v13.19, v13.20,v13.21, v13.22,v13.23,v13.24 planets.aut supps.aut contain prod.aut supps.aut

The following script planetL.script solves the general language equation F X S . The result is in the file planetxl.aut. # Language solving script (monolithic) generated by MVSIS # for latch splitting of sequential network "planet.blif" on Tue Jun 22 13:45:35 2010 # Command line was: "latch_split 0-3". read_blif planetf.blif latch_expose extract_aut planetf.aut read_blif planet.blif


221

extract_aut planets.aut echo "Solving the equation using the standard script ... " determinize -ci planets.aut spec_dci.aut support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 spec_dci.aut suppsi.aut support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 planetf.aut suppf.aut product suppf.aut suppsi.aut p.aut support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10 p.aut p_supp.aut determinize -ci p_supp.aut p_dci.aut progressive -i 9 p_dci.aut planetxl.aut print_stats_aut planetxl.aut

The following script planetLC.script verifies that the product of the solution planetxl.aut and of the context planetf.aut is contained in the specification planets.aut. echo "Verifying the (partitioned) composition in the spec ... " support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 planetxs.aut suppx.aut read_blif planetf.blif latch_expose extract_aut planetf.aut support v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10,v13.6,v13.7, v13.8,v13.9,v13.10,v13.11,v13.12,v13.13,v13.14,v13.15,v13.16, v13.17,v13.18,v13.19,v13.20,v13.21,v13.22,v13.23,v13.24 planetf.aut suppf.aut product suppx.aut suppf.aut prod.aut support v0,v1,v2,v3,v4,v5,v6,v13.6,v13.7,v13.8,v13.9,v13.10, v13.11, v13.12,v13.13,v13.14,v13.15,v13.16,v13.17,v13.18,v13.19, v13.20, v13.21,v13.22,v13.23,v13.24 prod.aut prod.aut determinize prod.aut prod.aut read_blif planet.blif extract_aut planets.aut support v0,v1,v2,v3,v4,v5,v6,v13.6,v13.7,v13.8,v13.9,v13.10, v13.11, v13.12,v13.13,v13.14,v13.15,v13.16,v13.17,v13.18,v13.19,v13.20, v13.21,v13.22,v13.23,v13.24 planets.aut supps.aut contain prod.aut supps.aut

222


Notice that the solution to the restricted problem (e.g., planetxs.aut) must be contained in the solution to the general language problem (e.g., planetxl.aut). This can be verified by using the command contain in BALM. The containment may be strict or not, according to each specific case.

Problems 13.1. By using BALM, perform the sequence of experiments explained in the text on the example planet.blif. Be sure to understand the rationale of each command line included in each script: (a) Execute the following sequence of BALM commands that solves the restricted problem F X si m S and generates the scripts planetS.script, planetSC.script, planetL.script, planetC.script: 1.read_blif planet.blif 2.latch_split 0-3 3.latch_expose 4-5 \# this makes v4 and v5 outputs of planet.mv 4.write_blif_mv planet.mv 5.read_blif planetf.blif 6.latch_expose 7.write_blif_mv planetf.mv 8.source planetS.script

The result is in the file planetxs.aut. (b) Execute the script planetSC.script to verify that the product of the solution planetxs.aut and of the context planetf.aut is contained in the specification planets.aut. Is the containment strict ? Suppose that we modify the script planetSC.script by adding v11,v12 in the last two calls to the support command. Is the containment strict ? Explain. (c) Execute the script planetL.script to solve the general language equation F X S . The result is in the file planetxl.aut. (d) Execute the script planetLC.script to verify that the product of the solution planetxl.aut and of the context planetf.aut is contained in the specification planets.aut. Is the containment strict ? (e) Check whether the restricted solution planetxs.aut is strictly contained in the general solution planetxl.aut by using the command contain in BALM; run contain with the option -e to obtain, if any, a trace produced by planetxl.aut but not by planetxs.aut. 13.2. Consider the sequential circuit lion9.blif whose description in the blif language is shown in Problem 11.1.

Problems

223

I

MA(f ixed)

V

O

U

I

MC

O

MX(unknown)

Fig. 13.3 Rectification topology for Problem 13.3

(a) Execute the following sequence of BALM commands that solves the restricted problem F X si m S and generates the scripts lion9S.script, lion9SC.script, lion9L.script, lion9tC.script: 1.read_blif lion9.blif 2.latch_split 0-1 3.latch_expose 2-3 \# this makes v4 and v5 outputs of lion9.mv 4.write_blif_mv lion9.mv 5.read_blif lion9f.blif 6.latch_expose 7.write_blif_mv lion9f.mv 8.source lion9S.script

The result is in the file lion9xs.aut. (b) Execute the script lion9SC.script to verify that the product of the solution lion9xs.aut and of the context lion9f.aut is contained in the specification lion9s.aut. (c) Execute the script lion9L.script to solve the general language equation F X S . The result is in the file lion9xl.aut. (d) Execute the script lion9LC.script to verify that the product of the solution lion9xl.aut and of the context lion9f.aut is contained in the specification lion9s.aut. (e) Check whether the restricted solution lion9xs.aut is strictly contained in the general solution lion9xl.aut by using the command contain in BALM; run contain with the option -e to obtain, if any, a trace produced by lion9xl.aut but not by lion9xs.aut. 13.3. For the interconnection topology in Fig. 13.3, where MA and MC are deterministic machines and MA is Moore, consider the problem to solve MA MX MC , requiring that MX is Moore too. In Sect. 13.1, we showed how to compute a simulation relation for the controller’s topology; consider the following proposal to extend the computation of a simulation relation to the rectification topology of Fig. 13.3 (proposed by Satrajit Chatterjee, class project report at UC Berkeley).

224


a A

b −0/00

A

−1/00 C

−1/10

−0/01

−/00

−/10

−0/11 B

B

−1/11

−0/10

−1/01 D

Fig. 13.4 Example for Problem 13.3. (a) Fixed component MA (variables I V =U1 U2 /; (b) Specification MC (variables I=U1 U2 )

Definition 13.3.1. A relation SA SC is defined to be a simulation relation from the fixed machine MA D .SA ; I V; U O; TA ; rA / to the specification MC D .SC ; I O; TC ; rC / if and only if: 1. .rA ; rC / 2 2. .sA ; sC / 2

, and

i v=uo 0 0 ) 8i 9v 8u 8o 8sA sA !MA sA i=o 0 0 0 0 sC !MC sC ^ .sA ; sC / 2 ) 9sC

.

0

Notice that, since by logic the quantification 9sC can be brought in front and by 0 0 hypothesis of determinism 8sA can be replaced by 9sA (there is a unique next state), the second clause in Definition 13.3.1 can be replaced by the following one: i v=uo 0 0 0 sA !MA sA .sA ; sC / 2 ) 8i 9v 8u 8o 9sA 9sC i=o 0 0 0 . ) sC !MC sC ^ .sA ; sC / 2 (a) Consider the following algorithm proposed to compute the maximal simulation relation max : a. Start as the collection of all pairs of states from MA and MC . b. Repeat until convergence the greatest fixed point computation: i v=uo 0 0 sA !MA sA Ri C1 .sA ; sC / D Ri C1 .sA ; sC / ^ 8i 9v 8u 8o 8sA i=o 0 0 0 0 . sC !MC sC ^ Ri .sA ; sC / ) 9sC c. If .rA ; rC / 62 Ri C1 there is no solution, otherwise Ri C1.sA ; sC / is the maximal simulation relation max .

Problems

225

Build MX D .SX ; U; V; TX ; rX / as follows: a. Set SX D max ; rX D .rA ; rC /. 0 0 0 b. For s D .sA ; sC / and s D .sA ; sC /, set .s; u; v; s 0 / 2 TX if and only if 9i 9o 0 0 such that .sA ; .i; v/; .u; o/; sA / 2 TA and .sC ; i; o; sC / 2 TC . Apply the procedure to compute the maximal simulation relation to the FSMs MA (fixed part) and MC (specification) in Fig. 13.4a, b. Notice that in this example the variables U D .U1 U2 / and O coincide, so we retain only U . (b) Compute the largest solution of the equation MA MX MC . (c) Compare the results of (b) and (c). (d) Is it true that the equation has a solution if and only if there is a simulation relation from MA to MC ? Prove or disprove it.

Chapter 14

Exploitation of Flexibility in Sequential Networks

14.1 The Problem We have seen how language equations can be solved by manipulating automata or FSMs, and that a largest solution can be obtained in terms of a deterministic automaton. If the solution is required as a finite state machine, then the solution can be made prefix-closed and (input)-progressive. At this point, we have the largest (non-deterministic, in general) FSM solution which contains all possible deterministic FSMs that are a solution; usually a deterministic FSM solution can be obtained by selecting a submachine of the largest solution. In some problems, it is enough to know that a solution exists and any one solution will be adequate. In other problems, we want a solution which can be implemented in an efficient way, say with small area, or power or delay. It is surprisingly difficult to find small solutions. The problem is that the solution obtained in the language solving paradigm is a description of a state transition graph (STG) and we want to convert this into a netlist consisting of interconnections of logic gates and latches. This requires making choices on how to use the nondeterminism, possibly minimizing the number of states, and encoding the states by associating values in the latches to each state. These are hard problems for which there exist some algorithms for solving them either exactly or (more often) heuristically. The most work has been on FSMs where the non-determinism is in the form of incomplete specification. Therefore, the material in this part of the book reviews some of these techniques to understand how they can be used. It should be noted that the automata solutions computed by the methods of this book are deterministic because the last step in the solving method is complementation. The only effective method for complementing a non-deterministic automaton (as far as we know) is to determinize it first and then negate the accepting conditions. Hence the answer is always in the form of a deterministic automaton. There is an effective method for state-minimizing a deterministic automaton and this is embodied in the BALM command minimize. Mostly this should be used as a final step, but it does not produce what we want. What we want is a reduction or T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 14, © Springer Science+Business Media, LLC 2012

227

228

14 Exploitation of Flexibility in Sequential Networks

submachine which is implementable in an efficient way. The minimize algorithm does not find such a reduction or submachine; it just minimizes the number of states to find a smaller machine that is equivalent to the original. In contrast, the desired implementation is just contained in the original. In this chapter we discuss some criteria to select a behavior or a submachine out of the flexibility computed by one of the global or local techniques studied in the previous chapters. We examine two cost functions: the minimum number of states and the minimum input support. Minimizing the number of states of an FSM is a classical problem, studied for incompletely specified FSMs first and for observable FSMs later on. We review some basic notions of state minimization of ISFSMs and observable FSMs in Sect. 14.2. Since exact state minimization may be infeasible in some practical examples, Sect. 14.3 presents a practical heuristic that is supported by good experimental results. Finally Sect. 14.4 describes an algorithm to select a behavior that minimizes the number of inputs on which the FSM under synthesis depends essentially.

14.2 State Minimization State minimization of FSMs is a well-known problem [72]. State minimization of completely specified FSMs has a complexity subquadratic in the number of states [51, 62]. This makes it an easy problem when the starting point is a twolevel description of an FSM, because the number of states is usually less than a few hundred. The problem becomes difficult to manage when the starting point is an encoded sequential circuit with a large number of latches (in the hundreds). In that case one should extract first a state transition graph from the encoded network and then apply state minimization to it. But when latches are more than a dozen, the number of reachable states may be so large as to make state extraction and/or state minimization infeasible. However, it has been shown [85, 86, 116] how to bypass the extraction step and compute equivalent state pairs and equivalence classes of states implicitly. Equivalence classes are basically all that is needed to minimize a completely specified state machine. A compatible projection operator [85] uniquely encodes each equivalence class by selecting a unique representative of the class to which a given state belongs. This implicit technique allows state minimization of sequential networks outside the domain of standard state minimization. State minimization of incompletely specified FSMs described by state-based representations has been studied since the beginning of sequential synthesis and a classical exact algorithm has been formulated by Grasselli and Luccio. Later on, this algorithm has been extended to complete observable FSMs by various authors. Now we review the basics of the procedure for exact state minimization of complete observable FSMs described by state-based representations. For a thorough treatment of the topic we refer to the specialized monograph [66].

14.2 State Minimization

229

Definition 14.2.1. A set of states is a compatible if and only if there exists an FSM whose initial state is a reduction of each state in the set. The intuition is that a set of states is a compatible if they can be merged into a single state in such a way to obtain an FSM that is a reduction of the original FSM. The following theorem serves as an equivalent, constructive definition of compatibles. Theorem 14.1. A set c of states is a compatible if and only if for each input i , there exists an output o such that 1. Each state in c has a transition under input i and output o 2. From the set c of states, the set c 0 of next states under i and o is also a compatible Definition 14.2.2. A set of compatibles covers the reset state(s) if at least one selected compatible contains a reset state. Definition 14.2.3. A set C of compatibles is closed if for each compatible c 2 C , for each input i , there exists an output o such that: 1. Each state in c has a transition under input i and output o 2. From the set c of states, the set d of next states under i and o is contained in a compatible in C Here we restate a main theorem for state minimization of PNDFSMs. Theorem 14.2. The state minimization problem of a PNDFSM reduces to the problem of finding a minimum set of compatibles that covers the reset state(s) and is closed. As in the case of ISFSMs, it is sufficient to consider a subset of compatibles, called prime compatibles, for PNDFSM minimization. Definition 14.2.4. A compatible c 0 prime dominates a compatible c if for each minimum closed cover containing c, the selection with c replaced by c 0 also corresponds to a minimum closed cover. Definition 14.2.5. A compatible c is a prime compatible if there does not exist another compatible c 0 such that c 0 prime dominates c. Theorem 14.3. There exists a minimum closed cover made up entirely of prime compatibles. The above theorem justifies that prime compatibles are sufficient to find a minimum solution, although there may exist other minimum solutions. State minimization of incompletely specified FSMs (a special case of observable FSMs) has been shown to be an NP-hard problem [115]. Therefore even for problems represented with two-level descriptions involving a hundred states, an exact algorithm may be computationally infeasible. Methods for recasting the computations as operations on BDDs have been proposed and implemented in the program ISM [65, 67, 135], for which interesting experimental results were reported. Still the fundamental limitation remains that ISM works on a state-based

230


representation, a fact reflected in that the number of BDD variables is proportional to the number of states (the advantage of using ISM is that sets of states, e.g., sets of compatible states, are represented implicitly and so they may be described more compactly than an explicit enumeration would do). As an alternative to exact methods, we may turn to heuristic procedures for state minimization, one of which will be presented in the next section.

14.3 DCMIN: Immediate Equivalence Using Don’t Cares Command dcmin in BALM implements a minimization procedure. It works particularly well when there are many transitions to an accepting “don’t care” state, usually named DC1 in the BALM system. A don’t care state is by definition a sink with a self-loop, and can be made equivalent to any other state (if it is accepting) by using its don’t cares. For example, suppose two states, a and b are almost the same except that on transition i , a transits to c and b transits to DC . Then we can make a copy of DC , say DC 0 , and moreover DC 0 and c can be made equivalent, and hence a and b will be equivalent. Thus each transition into a don’t care state can be redirected to any other state of similar type f accepting, non-accepting g (the steps are shown in Fig. 14.6a–c).

a

−/− b

i/o

DC

i/o

b

−/− b

DC i/o

−/− DC

a

i/o

DC

c

c

−/−

a

i/o

c

−/− b

DC

i/o

a

i/o

c

Fig. 14.1 (a) Original transition diagram; (b) Transition diagram with added don’t care state DC 0 that is a copy of DC ; (c) Transformed transition diagram where c is equivalent to DC 0 and a is equivalent to b

14.3 DCMIN: Immediate Equivalence Using Don’t Cares

231

We can use this property to make many states immediately equivalent to each other.1 A sufficient condition for two different states to be made equivalent is that their sets of care transitions (i.e. those that go to some accepting state other than DC1), do not intersect. Thus if p1 and p2 are the sets of care transitions from states s1 and s2 , respectively, where p1 ^ p2 D ;, then s1 and s2 can be made equivalent using the don’t cares to extend the care transitions of each of the states, s1 and s2 , to the set of care transitions described by p1 C p2 . For example, if p2 goes from s2 to sQ , then we can add a transition from s1 to sQ because p2 is a don’t-care for s1 . Continuing in this manner, we can make two or more states immediately equivalent because on every input they go to the same next state. The BALM command dcmin uses this property to build an incompatibility graph among the states. In this graph, there is an edge s1 ! s2 if and only if p1 ^ p2 ¤ ;. The decision what states to merge is made by applying a minimal coloring algorithm to the incompatibility graph. We note that this is just one way of using the flexibility provided by the don’t cares in the solution X and certainly may not be the best way. On the positive side, command dcmin is fast (because equivalent states are found structurally by immediate equivalence) and in practice it is quite effective on some examples. In comparison, other good methods of state minimization may be much more computationally intensive. We will provide an illustration of the use of dcmin in the next section. We illustrate the use of dcmin by continuing the example of Sect. 13.3. We saw that by exposing internal variables v11 and v12 in S , a relation between states can be forced. Thus inputs u to the solution automaton planetxs.aut must agree with the product state in the u variables of F , v11 and v12. For example, if the S state had 0 1 in these positions, then any input u with v11 = 1 or v12 = 0 would be a u input to X that would never occur, and its corresponding transition would be directed to the accepting don’t care state. This is purely due to the fact that u was exposed as an output of S . Hence, this can be used by dcmin in minimizing the result, as follows: dcmin planetxs.aut planetxs-dcmin.aut. Looking at the relative sizes before and after dcmin, we see it is very effective. Executing print stats aut planetxs.aut, before dcmin we would see: "csf": incomplete (48 st), deterministic, non-progressive (48 st), and non-Moore (48 st). 13 inputs (13 FSM inputs) 49 states (49 accepting)120 trans Inputs = {v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10}

1

Two states are immediately equivalent if for any input, they produce the same output and go to the same next state.

232


and after dcmin we would see: print_stats_aut planetxs-dcmin.aut "csf": complete, deterministic, progressive, and Moore. 13 inputs (13 FSM inputs) 13 states (12 accepting) 61 trans Inputs = {v0,v1,v2,v3,v4,v5,v6,v11,v12,v7,v8,v9,v10} Thus dcmin has resulted in using don’t cares to state minimize from 49 states to 12 accepting states by creating immediately equivalent states. We note that it is possible to execute the latch split procedure as follows: read_blif_mv planet.blif latch_expose latch_split 0-3 source planetS.script dcmin planetxs.aut planet-dcmin.aut but this would expose all latches, and would force the outputs of X to be aligned with the states of S . This would overly constrain the solution. If this is tried on the example, the final solution planet-dcmin.aut would have 3 more states than obtained by exposing only v11 and v12. Also, in checking the particular original solution planeta.blif, we note that it has 16 states, all of which are deterministic, and cannot be state minimized, whereas planetxs-dcmin has only 12 states, which may be nondeterministic in the outputs. Finally print stats aut certifies that the underlying automaton is deterministic.

14.4 Minimizing the Communication Lines When synthesizing the components of a synchronous composition of FSMs, it may be of interest to minimize the number of communication lines of a given component. For instance, in the network of Fig. 14.2 we may wish to replace the FSM MAj with a component that depends on a single input variable, instead of two input variables, if at all possible. In order to capture all the FSMs which can replace a given component FSM MAj j j (defined over the input alphabets I D fI1 ; : : : ; Il g and the output alphabets O D j j fO1 ; : : : ; Or g), without changing the external behavior of the initial composition, we solve the equation MX MC ont ext Š MAj MC ont ext , where MC ont ext describes the joint behavior of all other component FSMs or of an appropriate neighbour FSM (window approach). Say that the equation is solved over the set j j j j fI1 ; : : : ; Il ; O1 ; : : : ; Or g of alphabets of the component FSM MAj . We would j j like to check whether there exists a proper subset P fI1 ; : : : ; Il g of input alphabets of MAj such that a solution of the equation exists over the subset P of input alphabets and the set of output alphabets of MAj .

14.4 Minimizing the Communication Lines

I1

I2

MA

MA

233

MA

1

MA

2

MA Im

O1

4

j

MA

5

O2

... 3

MA

n

Ok

Fig. 14.2 FSM composition

The next proposition characterizes the solutions over a restricted set of input alphabets: an FSM MCj over the set P [ O is a valid replacement of the FSM MAj if the following holds. Proposition 14.4. Given the equation MX MC ont ext Š MAj MC ont ext , where j j MAj is defined over the set of input alphabets I D fI1 ; : : : ; Il g and of output j j j j alphabets O D fO1 ; : : : ; Or g, and given a proper subset P fI1 ; : : : ; Il g, assume that either the composition MAj MC ont ext is loop-free or that MC ont ext is a Moore FSM. Let MS be the largest FSM solution of the equation over input alphabets I and output alphabets O. If there exists a complete deterministic FSM MCj over P [ O such that the j j j j language of the FSM MCj lifted to the set fI1 ; : : : ; Il ; O1 ; : : : ; Or g is contained in the language of the largest FSM solution MS , then MCj can replace the component FSM MAj without changing the external behavior of the overall system. If MCj is a Moore FSM, then MCj can replace the component FSM MAj without changing the external behavior of the overall system, independently of the properties of the initial composition. In order to minimize the number of communication wires, we look for a reduction MCj of the largest FSM solution MS that depends essentially on a minimal number j j j of input alphabets I1 ; : : : ; Il . For this purpose, for each input alphabet Ik we check whether the projection of the FSM MS onto the subset of input alphabets without j j j j j Ik , i.e., I1 Ik1 IkC1 Il , satisfies the conditions of Proposition 14.4. If it is so, we obtain by projection and determinization the largest FSM solution on j j j j the subset of input alphabets I1 Ik1 IkC1 Il ; then we try to

234


eliminate another input alphabet and so on. In particular, when testing for an input j j Ik we detect and remove so-called forbidden states that depend essentially on Ik : j if the initial state is a forbidden state, the FSM depends essentially on input Ik . Definition 14.4.1. Given an FSM M D .S; I1 Il ; O1 Or ; T; r/ over the input alphabet I1 Il , a state s 2 S is Ik -forbidden if for some .iO1 ; : : : ; iOk1 ; iOkC1 ; : : : ; iOl / 2 I1 Ik1 IkC1 Il there does not exist o1 or 2 O1 Or such that for each i 2 Ik there exists s 0 2 S for which ..iO1 ; : : : ; iOk1 ; i; iOk1 ; : : : ; iOl /; s; s 0 ; o1 or / 2 T . The meaning is that the behavior of each reduction of an FSM M in a Ik -forbidden state depends essentially on alphabet Ik , and thus such state cannot be included into a solution that does not depend on alphabet Ik . Therefore first we delete iteratively all the forbidden states and all transitions to such states. If the initial state is deleted too, then each reduction of the FSM M depends essentially on alphabet Ik . If the initial state is not deleted, we check whether the conditions of Proposition 14.4 hold. If they do, then the communication wires corresponding to alphabet Ik can be deleted from the initial composition by a projection with respect to Ik . Definition 14.4.2. Given an FSM M over input alphabet I1 Il and output alphabet O1 Or , an FSM MP;k over input alphabet I1 Ik1 IkC1 Il such that the language of FSM MP;k lifted to the set fI1 ; : : : ; Il ; O1 ; : : : ; Or g is contained in the language of M is a full Ik -projection of the FSM M to the set I1 Ik1 IkC1 Il . Otherwise (when the conditions of Proposition 14.4 do not hold), each reduction of the FSM M depends essentially on input alphabet Ik , i.e., the communication wires corresponding to alphabet Ik cannot be deleted from the initial composition. We try all input alphabets and derive the largest solution that depends on a minimal number of input alphabets. We propose next an algorithm for deriving the largest solution that depends on a minimal number of input alphabets. Procedure 14.4.1. Input: FSM equation MC ont ext MX Š MSpec , where MX is defined over the input alphabets fI1 ; : : : ; Il g; Output: Largest FSM solution MP defined on a minimal subset of input alphabets fI1 ; : : : ; Il g; reduction MB of MP that satisfies Proposition 14.4. 1. Find the largest solution MS over the input alphabets fI1 ; : : : ; Il g of the FSM equation MC ont ext MX Š MSpec . Set Ii ; i D 1. 2. Iteratively delete from MS all Ii -forbidden states and transitions to these states. If the initial state is deleted f /* any reduction of MS depends essentially on the alphabet Ii */ If there are untried input alphabets, try the next one (i D i C 1) and go to 2., otherwise set MP D MS ; MB D MS and exit. g else f


235

Derive the full I1 -projection MP of MS . If the FSM MP has no complete submachine f /* any reduction of MS depends essentially on the alphabet Ii */ If there are untried input alphabets, try the next one (i D i C 1) and go to 2., otherwise set MP D MS ; MB D MS and exit. g else f /* The FSM MP has a complete submachine */ If there is no complete submachine MB of MP satisfying Proposition 14.4 f If there are untried input alphabets, try the next one (i D i C 1) and go to 2., otherwise set MP D MS ; MB D MS and exit. g else f /* there is a complete submachine MB of MP satisfying Proposition 14.4 */ Set MS D MP . If there are untried input alphabets, try the next one (i D i C 1) and go to 2., otherwise go to 3. g g g 3. Determine a reduction MB (a submachine) of MS that satisfies Proposition 14.4. If there exists such FSM MB , then the component FSM MX can be replaced by MB that does not depend essentially on some input alphabets, and the corresponding communication wires can be deleted from the initial composition. Thus, the FSM MB can replace the initial component FSM without changing the behavior of the overall composition, and the communication wires corresponding to the redundant input alphabets can be deleted from the original composition. The correctness of Procedure 14.4.1 can be established by exploiting the following proposition. Proposition 14.5. Let M be a solution of the equation MC ont ext MX Š MSpec and MP;k be the full Ik -projection of the FSM M . If MP;k has no completely defined submachine, then each complete reduction of M depends essentially on the input alphabet Ik . If there exists a reduction MB of the FSM MP;k that satisfies the conditions of Proposition 14.4, then the FSM MB does not depend essentially on the input alphabet Ik and is a solution of the FSM equation MC ont ext MX Š MSpec . Example 14.6. Consider a window containing component FSMs MA1 and MA2 (see Fig. 14.3) and an FSM equation MX MA2 Š MSpec , where MA1 , MA2 and MSpec Š MA1 MA2 are shown in Fig. 14.4. The goal is to compute the largest flexibility in place of MA1 and then to extract a replacement that minimizes the number of input alphabets of component MA1 . The largest solution MS of equation MX MA2 Š MA1 MA2 has three states (see Fig. 14.5a).

236


I

V

MA2

O

MA1

Spec

Z

Fig. 14.3 Topology from Example 14.6; the problem is to resynthesize FSM MA1 with a minimal number of input alphabets

a

i2/v1 a0 i1/v1

a1

b

i1v2z1/o2 i2v1z1/o1 i2v1z2/o2 i2v2z2/o2

i1/v2 i2/v1 b0

c

i2z1/v1o1 i2z2/v1o2 c0

i1z1/v1o1 i1z2/v1o2

c1 i1z1/v2o1 i1z2/v2o2 i2z1/v1o1 i2z2/v1o2


b1 i1v1z2/o2 i1v2z1/o1 i1v2z2/o2 i2v1z1/o1 i2v1z2/o2

i1v1z1/o2 i2v2z1/o2 i2v2z2/o1

Fig. 14.4 Components for Example 14.6. (a) FSM MA2 ; (b) FSM MA1 ; (c) Specification FSM MSpec Š MA1 MA2

Let us check whether the largest solution MS depends essentially on input alphabet I . At each state sq of FSM MS for each pair of input symbols .vj ; zk / 2 V Z we find the set of permissible transitions, i.e., we look for the output symbols ot 2 O such that 8i 2 I; 9s 0 2 S for which ..i; vj ; zk /; sq ; s 0 ; ot / 2 T . For each output symbols ot 2 O with such a property, we keep all transitions from state sq whose input symbol is .i; vj ; zk /, 8i 2 I , and whose output symbol is ot 2 O, whereas all other transitions from state sq with input symbol .i; vj ; zk / are deleted. If an output symbol with such a property does not exist then state sq is I -forbidden and we delete state sq and all transitions to this state. FSM MS has no I -forbidden states; we just delete the transitions that are not permissible, namely, i1 v1 z1 =o2 ; i1 v1 z2 =o1 ; i2 v2 z1 =o2 ; i2 v2 z2 =o1 (see Fig. 14.5b), and we project over the input alphabets V Z and output alphabet O (see Fig. 14.5c). The determinization of the previous projection, denoted by MO S D .MS /d#V ZO , has 5 states and it is shown in Fig. 14.5d.


a

237

i2v1z1/o1 i2v1z2/o2 s0

s1

i1v1z1/o1 i1v1z2/o2 i1v2z1/− i1v2z2/− i2v2z1/− i2v2z2/−


i1v1z1/− i1v1z2/− i2v2z1/− i2v2z2/− s2

− − −/−

b

c

i2v1z1/o1 i2v1z2/o2

i1v1z1/−o1 i1v1z2/−o2

s0

s0

s1

i1v2z1/− i1v2z2/− i2v2z1/− i2v2z2/−


v1z1/o1 v1z2/o2


v1z1/o1 v1z2/o2 v2z1/− v2z2/−

s1 v2z1/o1 v2z2/o2 v1z1/o1 v1z2/o2

v1z1/o1 v1z2/o2 v2z1/o1 v2z2/o2 s2

s2 − − −/−

− −/−

d v1z1/o1 v1z2/o2

s0

v1z1/o1 v1z2/o2

s0s1 v2z1/o2 v2z2/o1

v2z1/− v2z2/− v1z1/− v1z2/− v2z1/− v2z2/−

s2

v2z1/o1 v2z2/o2

v1z1/o1 v1z2/o2 s0s1 v2z1/− v2z2/− v1z1/o2 v1z2/o1

v1z1/o1 v1z2/o2 s0s1s2

v2z1/o1 v2z2/o2 v1z1/o2 v1z2/o1 v2z1/o2 v2z2/o1

Fig. 14.5 (a) Largest solution MS for FSM equation from Example 14.6; (b) Permissible transitions w.r.t. input alphabet I of largest solution MS ; (c) .MS /#V ZO , i.e., MS restricted O S D .MS /d to input alphabets V Z and output alphabet O; (d) M #V ZO , determinization of .MS /#V ZO

We then check whether MO S D .MS /d#V ZO depends essentially on the input alphabet V . FSM MO S D .MS /d#V ZO has no V -forbidden states; we just delete the transitions that are not permissible, namely, the transitions v2 z1 =o2 and v2 z2 =o1

238


a v1z1/o1 v1z2/o2

s0

v1z1/o1 v1z2/o2

s0s1

v1z1/o1 v1z2/o2

v2z1/o1 v2z2/o2

s0s2 v2z1/− v2z2/− v1z1/o2 v1z2/o1

v2z1/o1 v2z2/o2 − −/−

v1z1/o1 v1z2/o2 s0s1s2

v2z1/o1 v2z2/o2 v1z1/o2 v1z2/o1

s2

b z1/o1 z2/o2

s0

z1/o1 z2/o2

s0s1

z1/o1 z2/o2

s0s2

− −/−

z1/o2 z2/o1

s2

c s0

z1/o1 z2/o2

s1

z1/o1 z2/o2

z1/o1 z2/o2

z1/o2 z2/o1

− −/−

s0s1s2 z1/o1 z2/o2

z1/o1 z1/o2 z2/o1 z2/o2

z1/o1 z2/o2

z1/o1 z2/o2

z1/o1 z2/o2

s3 z1/o2 z2/o1

d s0

s2

z1/o1 z2/o2

Fig. 14.6 (a) Permissible transitions w.r.t. input alphabet V of largest solution MO S D .MS /d#V ZO from Example 14.6; (b) .MO S /#ZO , i..e, MO S D .MS /d#V ZO restricted to input alphabet Z and output alphabet O; (c) .MO S /d , determinization of .MO S /#ZO ; (d) DFSM contained in .MO S /d#ZO

#ZO

from fs0 ; s1 g to fs2 g, and the transitions v2 z1 =o2 and v2 z2 =o1 from fs0 ; s1 ; s2 g to fs2 g (see Fig. 14.6a), and we project over the input alphabet Z (see Fig. 14.6b). The determinization of the previous projection has 4 states and it is shown in

Problems Fig. 14.7 Optimized composition for Example 14.6: MA1 after resynthesis does not depend anymore from inputs I and V

239

I

MA2

V

O

MA1

Spec Z

Fig. 14.6c). Finally, by applying state minimization to the incompletely specified FSM .MO S /d#ZO , we obtain the DFSM MO A1 contained in .MO S /d#ZO that is shown in Fig. 14.6d. Since the initial composition in Fig. 14.4 is loop-free, the component MA1 can be replaced by the DFSM MO A1 , independent from inputs I and V , without changing the external behavior of the composition. An optimized composition is shown in Fig. 14.7; wires I and V cannot be deleted completely, since they are needed by other components. Further optimization is impossible.

14.5 State Encoding Once a behavior (DFSM) has been selected, we must encode the states to obtain a netlist with gates and memory elements. This is the classical state assignment problem whose objective is to bridge from a representation based on automata to one based on logic elements. This translation should be performed with the objective of minimizing some cost function of the resulting logic implementation. There is a rich literature on the subject and we refer to a specialized monograph on the topic for a survey [136]. When encoding the states with an optimization objective, it is difficult starting from a state-based representation to measure the effect on the encoded implementation of a given state assignment. The most interesting approaches are for minimal area and they are based on a precise cost evaluation obtained by multi-valued minimization procedures that mimick at the automaton level the minimization process performed on the encoded netlist.

Problems 14.1. Maximal sequential flexibility of a combinational node The maximum sequential flexibility of a combinational node in a sequential network is the largest incompletely specified function, whose don’t care minterms represent

240


conditions when the output of the node does not influence the values produced by the primary outputs (after any number of iterations, given the same input sequence and initial latch states). However the latch outputs may change, as long as the primary outputs are unaffected over all iterations. The maximum sequential flexibility (MSF) is a superset of the combinational flexibility (CF) at a node, since the latter constrains all outputs to be the same, while the former allows latch outputs to be different. For instance, MSF may be a superset of CF due to presence of unreachable latch outputs (states), so that some primary input combinations can never occur and therefore we can set them to assume any value (see the command extract seq dc in SIS). An additional source of flexibility are equivalent states, so that for certain input combinations more than one latch value is acceptable. For instance, in the following FSM specified in kiss format, states st1 and st2 are equivalent. .i 1 .o 1 .s 2 .p 4 0 st1 1 st1 0 st2 1 st2 .end

st1 st2 st2 st1

1 0 1 0

With the encoding st1 D 0 and st2 D 1, we obtain the logic equations (X input, Z output, cs and ns present and next state) ns D X ˚ cs, Z D X . The output of the XOR gate has no combinational flexibility or due to unreachable states, however it does not affect the primary output Z, thus all four minterms of ns are don’t care minterms due to equivalent states. Latch encoding has an important effect on introducing minterm don’t cares. Consider the following FSM specified in kiss format: .i 1 .o 1 .s 4 .p 8 0 st1 1 st1 0 st2 1 st2 1 st3 0 st3 1 st4 0 st4 .end

st2 st3 st1 st4

1 0 1 0

st1 st4 st2 st3

1 0 1 0

Are there equivalent states ? With the encoding st1 D 00, st2 D 01, st3 D 10, st4 D 11. obtain the logic equations for ns1.X; cs0; cs1/, ns0.X; cs0; cs1/ and Z.X; cs0; cs1/ (X input, Z output, cs0; cs1 and ns0; ns1 present and next states). Are there don’t care minterms due to equivalent states ?

Problems

241

With the encoding st1 D 00, st2 D 11, st3 D 01, st4 D 10. obtain the logic equations for ns1.X; cs0; cs1/, ns0.X; cs0; cs1/ and Z.X; cs0; cs1/ (X input, Z output, cs0; cs1 and ns0; ns1 present and next states). Are there don’t care minterms due to equivalent states ? It is an open question of a good encoding that increases don’t care minterms. We leave also to reader the open question to characterize the sequential flexibility beyond equivalent states. 14.2. Maximal sequential flexibility of a combinational node – continues Given a specification network S , say that the fixed component F is all of S except for a single node X , then the solution of the equation F X S gives the set of all possible behaviors of X such that the functionality of S is maintained. This is a superset of the MSF of X , since MSF may contain non-combinational behaviors, whereas MSF is restricted to combinational ones. Consider the following brute-force procedure to compute an approximation (i.e., maximal sequential flexibility) of the MSF of X (due to N.R. Satish): 1. Compute M S GX , the most general solution of node X , by solving the equation F X S. 2. Set the flexibility to be CF plus the unreachable states of node X in the network. 3. Let M be the set of all care minterms of X . 4. For all minterms in M , replace in X the minterm by a don’t care minterm to obtain X 0 . Check sequential containment: if X 0 M S GX replace X by X 0 and repeat with another care minterm. What MSF is found depends on the ordering of minterms (trying all orderings would give the MSF – maximum sequential flexibility). (a) Apply the previous procedure to the following sequential circuit, train11. blif: .model train11.kiss2 .inputs v0 v1 .outputs v6.4 .latch v6.0 v2 0 .latch v6.1 v3 0 .latch v6.2 v4 0 .latch v6.3 v5 0 .names [20] v6.4 0 1 .names [12] v6.0 0 1 .names [14] v6.1 0 1 .names [16] v6.2 0 1 .names [18] v6.3 0 1 .names v1 v2 v3 v5 [0] 1000 1 .names v0 v4 v5 [1]

242

14 Exploitation of Flexibility in Sequential Networks 111 1 .names v0 v1 v4 [2] 101 1 .names v0 v1 v4 v5 [3] 0010 1 .names v0 v4 v5 [4] 100 1 .names v0 v2 v4 [5] 011 1 .names v0 v2 v4 [6] 101 1 .names v0 v1 v2 [7] 001 1 .names v0 v1 v2 [8] 111 1 .names v1 v3 [9] 11 1 .names v0 v1 v5 [10] 101 1 .names v1 v5 [11] 11 1 .names [4] [7] [8] [12] 000 1 .names [2] [3] [5] [9] [10] [14] 00000 1 .names [0] [1] [3] [8] [16] 0000 1 .names [6] [7] [10] [11] [18] 0000 1 .names [0] [3] [4] [5] [6] [7] [8] [9] [10] [11] [20] 0000000000 1 .end

(b) Starting from the following FSM description of train11 in kiss format, explore different encodings, and for each encoding apply the previous procedure to compute a maximal sequential flexibility set: .i .o .p .s 00 10 01 10 00 11 01 00 11 00 01 01 00

2 1 25 11 st0 st0 st0 st1 st1 st1 st2 st2 st2 st3 st3 st4 st4

st0 st1 st2 st1 st3 st5 st2 st7 st9 st3 st4 st4 st0

0 1 1 1 1 1 1 1 1 1 -

Problems 11 01 01 00 00 10 10 00 11 10 10 00

243 st5 st5 1 st5 st6 1 st6 st6 1 st6 st0 st7 st7 1 st7 st8 1 st8 st8 1 st8 st0 st9 st9 1 st9 st10 1 st10 st10 1 st10 st0 -

14.3. Apply the procedure DCMIN to the (largest language) solution obtained in the example of Problem 13.3(c).

Part IV


The unknown component problem can be applied in several domains, such as: logic synthesis; model matching; testing; game theory; cryptography (FSM-based cryptosystems). Logic synthesis has been thoroughly discussed in Part III. In this part we consider some more applications: supervisory control, testing, game theory, synthesis with respect to !-specifications. Chapter 15 introduces the supervisory control problem, that deals with solving the unknown component problem for the controller’s topology, and must also take into account partial controllability (and partial observability). We show how to model the problem in the framework of solving language equations for full controllability and partial controllability; for those cases we characterize controllers that are solutions. We also introduce the notion of weak controllers that model an extended class of controllers with respect to a looser notion of partial controllability that has a natural interpretation. Chapter 16 addresses the problem of testing a component embedded within a modular system [131], that is known as the problem of testing in context or embedded testing. Solving this problem, the modular system is conveniently represented as two communicating machines, the embedded component machine, and the context machine that models the remaining part of the system which is assumed to be correctly implemented. Chapter 17 discusses the application of language solving to games. First we summarize some of the existing results in game theory. Then we show how the theory of this book and the BALM program can be applied to games. Typically the rules of the game are described in the fixed part of the description which also keeps track of the game state. In addition, it is usually convenient to have an output which indicates if the game has been won and by whom. This reduces the specification to a simple automaton which monitors this output. The unknown component represents one players winning strategy, which is to be solved for if it exists. The other player is represented by unconstrained inputs. To restrict this player to legitimate moves, we map all illegal moves as a win for the first player. However, a winning strategy (or at least a non-losing strategy) for the first player is one where he must be able to win (or tie) no matter what (legal) move the second player makes. The game of tic-

246

IV


tac-toe is used to illustrate how a game can be modeled BLIF-MV and solved using BALM. The techniques described in this chapter generally apply to finite games where after a finite number of moves, the game is over. However, if a strictly winning strategy is desired, it might be necessary to model the game with !-automata (as discussed in Chap. 18). Chapter 18 illustrates how, in certain situations, the theory and implementation developed for finite-word automata can be applied to infinite-word automata. Although the theory of language solving can be extended formally (as discussed in Chap. 4 in Part I), the complexity of solving becomes doubly exponential in general. In this chapter, a restricted form of !-language solving is discussed, which almost fits into the finite-word implementation, as available in BALM, except for a small modification of the derived result at the end.

Chapter 15

Supervisory Control

15.1 Supervisory Control Supervisory control is an important area of discrete control theory that received a growing attention since the seminal work of Ramadge and Wonham (see, for example [8, 25, 77, 78, 119]). In this chapter we apply the techniques for language equation solving to supervisory control problems, taking into account that methods for language equation solving cannot be directly used in supervisory control, and vice versa. The reason is that from one side the topology addressed in supervisory control is a special case of the general topology addressed by language equation solving; from another side in supervisory control one is required to model also partial controllability and partial observability, which are formalized in a different way when solving language equations. Methods for solving equations over regular languages have an exponential complexity in the worst-case, because of the complementation operator that requires determinization, but they can handle arbitrary topologies. The methods for supervisory control under partial controllability with regular languages have a polynomial complexity, due to the simplified topology. Comparing the two approaches helps in characterizing the topologies for equation solving whose worst-case computational complexity is lower than in the general case. An investigation of such topologies started already in [12, 148].

15.2 Supervisory Control with Full Controllability and Observability We start with the general controller topology (see Fig. 15.1). Given a plant and a specification as languages P and S over the alphabet ˙, the problem of supervisory control is to find a controller with a prefix-closed language C over ˙ such that P \ C D S . Such controller is also called a supervisor or supervisory controller. T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 15, © Springer Science+Business Media, LLC 2012

247

248

15 Supervisory Control

Fig. 15.1 Supervisory control topology

MP

U

V S

MC

MS

Even though the theory of supervisory control holds also for discrete event systems whose number of states is not finite, for reasons of implementability we restrict ourselves to regular languages and the finite automata that generate them. In this chapter we will denote with the same symbol a regular language and its related automaton, unless it is required to distinguish them. When we denote operations over languages we mean that they are performed on their representations as automata.

15.2.1 Special Case: S and P Prefix-Closed Suppose for the sake of simplicity that S and P are prefix-closed languages.

15.2.1.1 Supervisory Control Approach Given the plant and the specification as prefix-closed languages P and S over the alphabet ˙, we would like to derive a prefix-closed language C of the controller such that P \ C D S . A controller language C exists if and only if S P . Proposition 15.1. A controller exists if and only if S P . If so, the prefix-closed language S can be chosen as the language of the controller. Proposition 15.2. If S 6 P , i.e., a controller does not exist, then S \ P is the supremal controllable sublanguage of S , i.e., the largest language contained in S for which a controller exists.

15.2 Supervisory Control with Full Controllability and Observability

249

15.2.1.2 Equation Solving Approach When casting the supervisory control problem as solving a language equation, the language equation P \ X D S has to be solved. If the equation is solvable then there exists the largest solution P [ S . The equation is solvable if and only if the composition P \ .P [ S / of the plant and of the largest solution is equal to S . The latter happens if and only if P \S D S , i.e., if and only if S P . If the language of the largest controller is not prefix-closed, we extract the largest prefix-closed subset contained in the set P [ S , denoted by .P [ S /P ref . Proposition 15.3. There exists a solution of the equation P \ X D S if and only if S P . If the equation P \ X D S is solvable then each prefix-closed language L such that S L P [ S is a controller solution of the language equation P \ X D S. If the equation is not solvable then the supremal controllable sublanguage of S is P \ .P [ S /, i.e., it is P \ S .

15.2.2 General Case: S and P Not Prefix-Closed Consider the general case when P and S are not required to be prefix-closed languages. Given a language S , we denote by Pref .S / the prefix closure of S , and by S Pref the largest prefix-closed sublanguage of S .

15.2.2.1 Supervisory Control Approach In supervisory control (with full controllability and observability) solvability is equivalent to the fact that Pref .S / is a solution. Theorem 15.4. A solution of the supervisory control problem P \ X D S exists if and only if P \ Pref .S / D S . Proof. If If P \ Pref .S / D S then by definition the controller C given by Pref .S / is a solution because Pref .S / is prefix-closed. Only if We must prove that if there is a controller C then P \ Pref .S / D S . Suppose by contradiction that P \ Pref .S / ¤ S , then it must be P \ Pref .S / S (because for a solution to exist it must be S P and so it cannot be P \ Pref .S / S , given that Pref .S / S ), and so there must be a string ˛ 2 P \ Pref .S /, ˛ 62 S . Then there must be a string ˇ ¤ such that D ˛ˇ 2 S , because ˛ 2 Pref .S / and so it can be extended to 2 S . Since C is a controller and so

250


P \ C D S , it is ˛ˇ 2 C ; moreover, ˛ 2 C , because C is prefix-closed. Thus, ˛ 2 P \ C and P \ C ¤ S . So we contradict that C is a controller, completing our reduction ad absurdum. t u If S is prefix-closed, S P is also a sufficient condition for solvability. Corollary 15.5. If S is prefix-closed then a solution of the supervisory control problem exists if and only if S P . Proof. If S is prefix-closed then S D Pref .S /, so P \ Pref .S / D S if and only if P \ S D S if and only if S P . t u

15.2.2.2 Equation Solving Approach Casting the problem as solving equations over languages, we must solve the language equation P \ X D S , restricting X to be a prefix-closed language. According to Proposition 15.3 (when S and P are prefix-closed languages), if P \X D S is solvable then each prefix-closed language L such that S L P [S is a solution. In the following we extend the solvability and characterization results to the case when S and P are not prefix-closed. From the theory of equations over languages, we obtain the following solvability condition based on the largest solution, whereas in Theorem 15.4 solvability was obtained according to the existence of the smallest solution. Corollary 15.6. A solution of the supervisory control problem P \ X D S exists if and only if P \ .P [ S /Pref D S . This is a consequence of Theorem 2.12 or Theorem 2.16, where .P [ S /Pref is the largest prefix-closed sublanguage of the largest solution P \ S D .P [ S /. Since Pref .S / is the smallest prefix-closed language that contains S , and .P [ S /Pref is the largest prefix-closed sublanguage contained in the largest solution P [S of the equation P \ X D S , the following statement holds. Theorem 15.7. A prefix-closed language L is a solution of the supervisory control problem P \ X D S , if and only if Pref .S / L .P [ S /Pref . Proof. If If L is a prefix-closed language such that Pref .S / L .P [ S /Pref then S D P \ Pref .S / P \ L P \ .P [ S /Pref D S , so P \ L D S is a solution of P \ X D S . Only If If L is a solution of P \ X D S , i.e., P \ L D S , then L S . Given that L is prefix-closed, and the fact that Pref .S / is the smallest prefix-closed language containing S , it follows that L Pref .S /. The largest solution of P \ X D S is P [ S , therefore it must be L P [ S . Given that L is prefix-closed, and the fact that .P [S /Pref is the largest prefix-closed language contained in .P [ S /Pref , it follows that L .P [ S /Pref . Finally, S Pref .S / L .P [ S /Pref P [ S . t u


251

Notice that the if part of the previous statement holds because the smallest solution exists, and of course it is Pref .S /. Instead, in general the smallest solution does not exist, and it is not true that every language contained in the largest solution of a given equation is itself a solution of the equation. The largest controller solution can be seen as the collection of all particular solutions, out of which the “best” one may be extracted according to a given criterion. Example 15.8. Consider ˙ D fa; bg, P D S D f; b.a C b/? g, i.e., all words starting by b. The equation P \ X D S is satisfied by X D S (P \ S D S ); S is the smallest controller solution, because it is prefix-closed. P is the set of all words that do not start by b, P [S D .P [S /Pref is the set of all words. So the largest solution is the set of all words over the alphabet ˙ D fa; bg, which may yield a simpler implementation. The following example shows an equation with no solution; as expected, both Pref .S / and .P [ S /Pref fail the solvability test. Example 15.9. Consider ˙ D fa; bg, P D fa; abg, S D fabg. The equation P \ X D S is satisfied by X D S (P \ S D fa; abg \ fabg D fabg D S ). However S D fabg is not a controller solution, because it is not prefix-closed. The smallest prefix-closed language that contains S is Pref .S / D f; a; abg. However Pref .S / is not a controller solution, because P \ Pref .S / D fa; abg ¤ S D fabg. P is the set of all words except a and ab, P [ S is the set of all words except a, .P [ S /Pref is the set of all words that do not start by a, i.e., those that start by b. So .P [ S /Pref D f; b; bb; ba; : : : g. However .P [ S /Pref is not a controller solution, because P \ .P [ S /Pref D fa; abg \ f; b; bb; ba; : : : g D ; ¤ S D fabg. Example 15.10. Consider ˙ D fa; b; cg, P D fa; abcg, S D fag. The smallest controller solution is Pref .S / D f; ag, indeed P \ Pref .S / D fa; abcg \ f; ag D fag D S . P is the set of all words except a and abc, P [S is the set of all words except abc, .P [ S /Pref is the set of all words that do not start by abc. So the largest controller solution is .P [ S /Pref D f.a C b/ C .a C c/ C .b C c/ C a.a C c/.a C b C c/ C ab.a C b/.a C b C c/ C b.a C b C c/ C c.a C b C c/ g, indeed P \ .P [ S /Pref D fa; abcg \ fwords that do not start by abcg D fag D S . Example 15.11. Consider a plant P and a specification S shown respectively in Fig. 15.2a,b. The smallest solution Cm D Pref .S / is shown in Fig. 15.2c, whereas the largest solution CM D .P [ S /Pref obtained by BALM is shown in Fig. 15.3. Finally, Fig. 15.2d shows an intermediate solution Ci such that Cm Ci CM ; notice that aaa 2 Ci , aaa 62 Cm , and that aaba 2 CM , aaba 62 Ci . If P \ .P [ S /Pref D P \ Pref .S / S , then P \ .P [ S /Pref S is the supremal controllable sublanguage of S , meaning that the language P \ .P [ S /Pref is the largest language that can be controlled.

252


a

b a

p3

a

p2

s4 b

a b

p1

a

s3

b

a p0

p4

s0

s1

b

s2

a, b

c

b

d a

c4

c0

b

c1

b

a c0

c4

c1

b

a

b

c2

b

Fig. 15.2 Illustration of Example 15.11. (a) Plant P ; (b) Specification S; (c) Smallest controller Cm D Pref .S/; (d) A controller Ci such that Cm Ci CM where CM D .P [ S/Pref is the largest controller shown in Fig. 15.3

In summary, we notice the following facts to compare the two approaches: 1. In the supervisory control approach, (a) necessary and sufficient conditions for the existence of a controller are established, and (b) a single (smallest) controller Pref .S / is derived. 2. In the language approach, (a) necessary and sufficient conditions for the existence of a controller are established, and (b) the set of all controllers is derived, including the smallest controller Pref .S / and the largest one P \ .P [ S /Pref . 3. Both approaches have the same complexity.

15.2.3 Progressive Solutions Under Full Controllability Definition 15.2.1. A state s of an automaton G is co-accessible if there is a path in the state transition diagram of G from s to an accepting or final state (in the supervisory control literature, usually an accepting state is called a marked state). An automaton is trim if every state is reachable from the initial state and every state is co-accessible (i.e., from any state an accepting state can be reached). Unless otherwise stated, we assume that P , S and C are trim automata. If the languages of the plant and of the specification are not prefix-closed, then the automaton of the intersection P \C is not necessarily a trim automaton, and thus


253

T h e a u to ma t o n is in c o mp le t e ( 2 st a t e s) and deter m inis tic. 2 in p u t s 8 st a t e s 1 3 t ra ns itions In p u t s = { i, E } s0 a -

s1 a -

s2 b -

s3 a -

s4

b -

b -

s5

b b -

a -

a -

s6

b b -

DC

- -

Fig. 15.3 Graphical output of BALM showing the automaton x.aut of the largest controller CM D .P [ S/Pref for the full controllability problem of Example 15.11 and Fig. 15.2

a deadlock or a livelock may occur in the closed-loop composition of the plant with the supervisor. To exclude these situations one introduces the notion of a progressive (i.e., non-blocking) supervisor.1 Definition 15.2.2. A supervisor C is compositionally progressive or simply progressive or non-blocking if the automaton P \ C is trim. Theorem 15.12. If the equation P \ X D S is solvable then Pref .S / is a progressive solution. 1

Another definition of progressive or non-blocking solution is reported in the literature, see [38, 78, 102, 104], by which a non-blocking controller C cannot block in the product P \ C any action that is allowed by the specification.

254


a

b p0

a

p1

a

c1

b

p2

c

p3

s0

a

c2

c

c3

c0

a

s1

c c0

b a, b

a, c

b, c

b, c a, b, c

c4

c1

b

c2 a, b

a, c c4

a, b, c

a, b, c

d i0

a

i1

b

i2

c

i3

Fig. 15.4 Illustration of Example 15.13. (a) Plant P ; (b) Specification S; (c) Largest solution P [ S and largest controller C D .P [ S/Pref ; (d) Composition P \ C

Proof. If the equation is solvable then S P , and Pref .S / is a solution of the equation. Consider a string ˛ 2 Pref .S /, then there exists a string ˇ such that ˛ˇ 2 S , and since S P , it holds ˛ˇ 2 P . Since P is deterministic, ˛ˇ takes P to an accepting state, i.e., each state of P \ Pref .S / is co-accessible. t u However, it may be the case that for a solvable equation the solution .P [ S /Pref is not progressive. Example 15.13. Consider a plant P D fa; abcg and a specification S D fag shown respectively in Fig. 15.4a,b. The largest solution C D .P [ S /Pref contains all the words that do not start by abc and it is shown in Fig. 15.4c (represented by a nontrim automaton because the state c3 does not reach a final state). However C is not progressive, because P \ C is not trim, as seen in Fig. 15.4d. In supervisory control the notion of progressive supervisor plays the role of the one of (compositionally) progressive solution of an equation over automata [38]. A solvable equation has the largest progressive supervisor that is obtained in the same way as the largest (compositionally) progressive solution of an equation over automata, i.e., by deleting “bad” words from C D .P [ S /Pref , where a word is “bad” if it is in Pref .P \ C /, but has no extension in P \ C , i.e., it ends at a state of P \ C that is not co-accessible. Example 15.14 (continues from Example 15.13). By applying the trimming procedure to the largest solution .P [ S /Pref we get the largest progressive solution cProg..P [ S /Pref / shown in Fig. 15.5c. Examples of non-progressive and


a

255

b p0

a

c0

a

p1

b

c

p2

c

p3

i0

a

i1

s0

a

s1

d c1

a, c

b, c

c2

a, b, c

e

f a, b c0

g

i0

a

i1

i0

a

i1

b

i2

h a, c c0

Fig. 15.5 Illustration of Example 15.14. (a) Plant P ; (b) Specification S; (c) Largest progressive solution C D cProg..P [S/Pref /; (d) Composition P \C ; (e) Non-progressive solution Cnonprog ; (f) Composition P \ Cnonprog; (g) Progressive solution Cprog ; (h) Composition P \ Cprog

progressive solutions are shown, respectively, in Fig. 15.5e,g, while the non-trim and trim compositions of the plant and of the controller are shown, respectively, in Fig. 15.5f, h. Denote by cProg..P [ S /Pref / the largest progressive reduction of .P [ S /Pref , i.e., the largest progressive solution contained in .P [S /Pref . The following theorem characterizes progressive supervisors. Theorem 15.15. A prefix-closed solution L of the equation P \ X D S is progressive if and only if Pref .S / L cProg..P [ S /Pref /. Proof. Suppose that there is a prefix-closed solution Ci that is not progressive and such that Pref .S / Ci cProg..P [ S /Pref /. Then there is a string ˛ 2 Ci under which P \ Ci reaches a state that is not co-accessible.

256


Given that ˛ 2 cProg..P [ S /Pref / (because Ci cProg..P [ S /Pref /) that is progressive by construction, P \ cProg..P [ S /Pref / reaches under ˛ a co-accessible state. So by definition of co-accessible state, there is a string ˇ such that ˛ˇ leads P \ cProg..P [ S /Pref / to an accepting state, i.e., ˛ˇ 2 P \ cProg..P [ S /Pref / D S . Finally, from ˛ˇ 2 P , ˛ˇ 2 S , and P \ Ci D S (Ci is a solution), it follows that ˛ˇ 2 Ci , contradicting that P \ Ci under ˛ reaches a state that is not co-accessible. t u

15.3 Supervisory Control with Partial Controllability The set ˙ of actions is partitioned into two sets, ˙ D ˙c [ ˙uc : the set ˙c of controllable actions and the set ˙uc of uncontrollable actions. When an uncontrollable action occurs in the plant the controller cannot disable this action.

15.3.1 Supervisory Control Approach Definition 15.3.1. Let S and P D Pref .P / be languages over the event alphabet ˙, con ˙uc ˙. S is said to be controllable with respect to P and ˙uc , if for all strings s 2 Pref .S / and for all events 2 ˙uc it is s 2 P ) s 2 Pref .S /; (controllability condition) equivalent to Pref .S /˙uc \ P Pref .S /: When the controllability condition is valid, Pref .S / is a controller that solves the supervision problem under partial controllability.

15.3.2 Equation Solving Approach When modeling the problem of partial controllability by solving language equations, one should characterize all the solutions that do not block the uncontrollable actions, i.e., to determine necessary and sufficient conditions for a prefix-closed language C over ˙ to be a controller under partial controllability. Definition 15.3.2. A prefix-closed language C over ˙ is a controller for S , with respect to a plant P and a set of uncontrollable events ˙uc , if P \ C D S , and for each state .p; c/ 2 P \ C and each 2 ˙uc , the following implication holds: if is an event defined at state p then is an event defined at state s.

15.3 Supervisory Control with Partial Controllability

257

Indeed, if the controllability condition holds for C then each uncontrollable action at each state of P reached from the initial state by means of a string in the language S is enabled by C . As a direct consequence, an algorithm follows for deriving a largest controller under partial controllability, 1. Step 1: Derive the largest solution .P [ S /Pref of the equation P \ X D S . If P \ .P [ S /Pref S then S is not controllable with respect to P . If P \ .P [ S /Pref D S then L D .P [ S /Pref . 2. Step 2: Delete iteratively from L each state l such that the product P \ L has a state .p; l/ for which some uncontrollable event is defined at p 2 P , but is not defined at l 2 L. If P \ L D S then L is the largest solution under partial controllability. Proposition 15.16. If L S , the above algorithm returns the largest controller under partial controllability, if such a controller exists. Instead, if L S then there is no controller under partial controllability. Proof. We delete only states which require that the controller should disable an uncontrollable event, thus we get the largest controller. u t In Sect. 15.4, we discuss the well-known example of the maze with a cat and a mouse, and we discuss the solution obtained by applying the previous algorithm. In the sequel we will show that we can get a larger class of controllable languages if we introduce the notion of composition with priorities (originally proposed in [79]), where for the plant each uncontrollable action has a higher priority compared with controllable actions. Definition 15.3.3. Given two automata P and C their composition with priorities \P yields an automaton P \p C obtained as follows. a

a

0

0

If there are transitions p ! p in P and c ! c in C , then there is a transition a 0 0 .p; c/ ! .p ; c / in P \p C . a

0

a

If a 2 ˙uc , there is a transition p ! p in P and there is no transition c 6! c a 0 in C , then there is a transition .p; c/ ! .p ; c/ in P \p C .

0

This motivates the definition of a weak controller as a prefix-closed solution of the equation P \p C D S . Definition 15.3.4. A prefix-closed language C over ˙ is a weak controller for S , with respect to a plant P and a set of uncontrollable events ˙uc , if P \p C D S . Corollary 15.17. A controller that satisfies Definition 15.3.2 is a weak controller that satisfies Definition 15.3.4. Definition 15.3.5. Given an automaton C over the alphabet ˙ and ˙uc ˙, we obtain the ˙uc -extension C *˙uc of C by adding at each state of C a self-loop labeled with each action a 2 ˙uc such that there is no transition from this state under action a.

258


Notice that the difference with respect to the expansion operator is that in the latter the expansion is with respect to an alphabet V disjoint from ˙ (and again we add self-loops for every symbol in V ), whereas extension here is performed with respect to a sub-alphabet ˙uc ˙. Now we provide an operational test for a weak controller, by proving that C is a solution of P \p X D S if and only if C *˙uc is a solution of P \ X D S . Theorem 15.18. A prefix-closed solution C of the equation P \ X D S is a weak controller under partial controllability with respect to ˙uc if and only if C *˙uc is a prefix-closed solution of the equation P \ X D S . Proof. We show that P \p C D P \ C *˙uc . If 62 ˙uc or 2 ˙uc and there are transitions .p; ; p 0 / in P and .c; ; c 0 / in C then in both intersections there is a transition ..p; c/; ; .p 0 ; c 0 //. If 2 ˙uc and there is a transition .p; ; p 0 / in P and there is no transition from state c under in C then in both intersections there is a transition ..p; c/; ; .p 0 ; c//. t u Theorem 15.19. Given a plant P , a specification S and a set of uncontrollable actions ˙uc there exists a controller if and only if there exists a weak controller. Proof. If Let C be a controller, i.e., P \ C D S and at each state .p; c/ in P \ C , if an uncontrollable action is defined at p then is defined at c too. Thus an action can be undefined at state c of C if and only if for each state .p; c/ of P \ C the action is undefined at P , i.e., P \ C *˙uc D P \ C D S , meaning that C is a weak controller. Only if Let C be a weak controller, then by Theorem 15.18 P \ C *˙uc D S . Since each uncontrollable action is defined at each state of C *˙uc , then C *˙uc is a controller under partial controllability. t u However, we notice that the set of all controllers under partial controllability is a proper subset of the set of all weak controllers, as shown. Example 15.20. Consider ˙ D fa; bg, ˙uc D fag, P D f; a; bg, S D fag. C D fg is a weak controller (it stutters when P issues a), but is not a controller (it cannot disable a). Example 15.21. Consider ˙ D fa; b; cg, ˙uc D fcg. Figure 15.6a shows the plant P . Figure 15.6b shows the specification S , which coincides with the smallest controller under partial controllability C D Pref .S /, since P \ C D S . Figure 15.6c shows a weak controller Cw , since P \ Cw*˙uc D P \p Cw D S . However, Cw is not a controller under partial controllability (c 2 ˙uc is not defined at c0 ). An interesting question is whether Theorem 15.7 can be generalized to partial controllability (but with the restricted hypothesis that the languages of P and S are prefix-closed) to characterize all controllers C by means of the interval Pref .S / C .P [ S /Pref :

15.4 Supervising a Cat and a Mouse in a Maze

259

a b, c

b a

c0

c1

c1 c

a

c

b b

b

a b, c

c1

c0

b a

c0

c1 a

c1 c

Fig. 15.6 Illustration of Example 15.21. (a) Plant P ; (b) Specification S and controller C under partial controllability; (c) A weak controller Cw under partial controllability

When characterizing all controllers C , Pref .S / is a lower bound (if there is a controller), whereas a tight upper bound on C can be less than .P [ S /Pref . When characterizing all weak controllers Cw , .P [ S /Pref is still an upper bound on Cw ,2 whereas Fig. 15.21 shows a weak controller whose language is incomparable with Pref .S /. Weak controllers arise in the equation solving approach when modeling composition with priorities. However, when interpreted within the framework of supervisory control, this notion models actions which the plant can execute with the environment and which are neither controllable nor observable by the controller. This should be further investigated in the context of modeling disturbances with both partial controllability and observability.

15.4 Supervising a Cat and a Mouse in a Maze In the next example we derive in some detail the controller for the cat and mouse from [119]. Example 15.22. There are two mobile agents, say a cat and mouse moving in a maze. The maze is shown in Fig. 15.7; it has five rooms communicating through doorways. each of which is traversed only in the indicated direction exclusively 2

If Cw is a weak controller, then Cw Cw*˙uc .P [ S/Pref .

260


Cat

Mouse

2

0

c3 m1

m2 c2

m3

c6

c4

c1 c7

1

4

m4

m6

m5

c5

3

Fig. 15.7 Maze for cat and mouse for Example 15.22

by the cat (door of type ci ) or exclusively by the mouse (door of type mj ). Cat and mouse can be modeled each by an automaton whose states are the rooms, and whose transitions represent moving from one room to the other. The automaton in Fig. 15.8 is obtained by the intersection of the automata of the cat and mouse, assuming that initially the cat is in room 2 and the mouse is in room 4; each state of the composed automaton corresponds to the pair of rooms .rc ; rm /, where rc is the current room of the cat and rm is the current room of the mouse; there is a transition from state .rc ; rm / to state .rc0 ; rm / (state .rc ; rm0 /) under ci (mj ) if the cat (mouse) crosses door ci (mj ) to go to room rc0 (rm0 ). Notice that we did not draw the whole automaton for lack of space, however what is shown is sufficient to understand the trimming procedure below. All doors can be open or closed, except the bidirectional door c7 that is always open, i.e., c7 is uncontrollable while all the other doors are controllable. The goal is to design a controller that allows the maximal freedom to the cat and mouse while satisfying the following two properties: 1. The cat and mouse never occupy the same room at the same time. 2. It is always possible for the cat and mouse to return to the initial state .2; 4/. The controller can be obtained by an iteration of trimming steps on the maze automaton, until nothing changes. Initially the maze automaton is intersected with the automaton representing the specifications of the system (no cat and mouse in the same room, and existence of a path to the initial state). The result is that all states with the cat and mouse in the same room are deleted (states (0,0), (1,1), (2,2), (3,3), (4,4)); no state is deleted initially due to inability to reach the initial state. In general, deleting a state requires also deleting all transitions from it. Once the initial trimming step has been performed, the following step is iterated: • If an uncontrollable transition has been deleted from a state (because directed to a deleted state), delete that state and all transitions from it.

15.4 Supervising a Cat and a Mouse in a Maze

261

24

m5 m4

23

c3 m6

c2 04

c1

20

c3

c4 c7

c3

m5

m1 c2

34

14

00

c7 c5

m5

44

m5

22

03

33

m6

c1

c4 33

00

13

m6 c7 33

10

...

Fig. 15.8 (Fragment of the) Automaton of the maze for cat and mouse from Example 15.22

• Delete all transitions to a state that has been deleted. • Delete all states unreachable from the initial state and all states that are not coreachable, i.e., from which an accepting state cannot be reached. In our case the following steps are needed to reach a fixed point: 1. Step 1: Delete the state (1,3), because its uncontrollable transition under c7 to (3,3) must be deleted (since (3,3) was deleted), and all transitions from it;

262


24

m5 m4

c3

23

m6

c2 04

c1

20

c4 c7 34

14

c7 Fig. 15.9 Supervisory controller for cat and mouse from Example 15.22

as a consequence the states in the subgraph rooted in the state (1,0) are made unreachable (we did not show in the picture the subgraph rooted in (1,0) to keep the drawing simple). Delete transitions to previously removed states, e.g., from state (0,3) delete transitions to (3,3) under c4 and to (0,0) under m6 . Eliminate unreachable states, e.g. state (1,0) and successors. 2. Step 2: Delete state (0,3) since it is not co-reachable, because after deleting (1,3) it became a blocking state with no transitions out of it, and delete all transitions to it. What remains is the supervisory controller shown in Fig. 15.9. At each state some doors must be closed or open, while the rest are don’t cares conditions (and c7 is uncontrollable), as follows: (2,4): m6 (0,4): m4 (1,4): m6 (3,4): m6 (2,0): m5 (2,3): m5

c3 D 1, m5 D 1, c1 D c2 D c4 D c5 D c6 D , m1 D m2 D m3 D m4 D c1 D 1, c4 D 1, m5 D 0, c2 D c3 D c5 D c6 D , m1 D m2 D m3 D m6 D c2 D 1, m5 D 0, c1 D c3 D c4 D c5 D c6 D , m1 D m2 D m3 D m4 D c5 D 0, m5 D 0, c1 D c2 D c3 D c4 D c6 D , m1 D m2 D m3 D m4 D c3 D 0, m1 D 0, m4 D 1, c1 D c2 D c4 D c5 D c6 D , m2 D m3 D m6 D c3 D 0, m6 D 1, c1 D c2 D c4 D c5 D c6 D , m1 D m2 D m3 D m4 D

D D D D D D

Problems

263 c3, m5

S0

S1

c1, c4, c7, m6

c2, m4

Fig. 15.10 to [119]

Supervisory controller for cat and mouse from Example 15.22 reduced according

Mouse

Cat 2

c3 m1

m2 c2

6

c8

5 c7

4 c6

c4

c1

m3 1

m4

0

c0

m5

c5

m6

3

c9 7

c10

Fig. 15.11 Maze for cat and mouse from Problem 15.1

These choices allow the maximum flexibility of the cat and mouse, while satisfying the constraints. In [119] a reduced version of the controller is proposed where the states are merged as follows: S0 = f(2,4)g: c3 D 1, m5 D 1, c1 D c2 D c4 D c5 D c6 D , m1 D m2 D m3 D m4 D m6 D S1 = f(0,4),(1,4),(3,4),(2,0),(2,3)g: c1 D 1, c2 D 1, c4 D 1, c3 D 0, c5 D 0, m1 D 0, m5 D 0, m4 D 1, m6 D 1, c6 D , m2 D m3 D The state reduction is at the expense of restricting some flexibility. The resulting reduced controller is shown in Fig. 15.10.

Problems 15.1. (Partially) Worked-out Revisitation of Cat-and-Mouse problem Consider the variant of the cat and mouse problem shown in Fig. 15.11 from [7]: the maze has three more rooms, one of which – room 7 – is a dead-end for the cat. The

264

15

24

Supervisory Control

m5 m4

23

c3 m6

c2 04

c1

54

m5

c3

m5

m1 c2

34 00

c7

c9

c0

44

33

03

c4

m5

74

...

m6

33

60

33

m6 c9

c0 73

22

m5

c5

64

c8

c3

c4

c10

14

m5

20

00

13

c7

m6

53

10

c8 63

c1

m6 50

...

...

Fig. 15.12 (Fragment of the) Automaton of the maze for cat and mouse from Problem 15.1

specification is the same: no cat and mouse in the same room, and from any state existence of a path to the initial state. The uncontrollable doors are c7 ; c8 ; c9 that are always open. The automaton for the new maze is shown partially in Fig. 15.12, and the final supervisory controller is shown in Fig. 15.13. Describe carefully the trimming procedure that yields the controller in Fig. 15.13 starting from the one in Fig. 15.12, by repeating the analysis applied to the simpler maze of Example 15.12.

Problems

265

24

m5 m4

23

c3 m6

c2 04

c1

14

c7

54

20

c4

c10

34

c9

c8

64

Fig. 15.13 Supervisory controller for cat and mouse from Problem 15.1 Fig. 15.14 Plant P from Problem 15.2

a

a

b

15.2. (More) Supervisory Control under Partial Controllability Consider the plant P shown in Fig. 15.14 from [77], where ˙ D fa; bg, ˙uc D fbg, P D fa? ba? g. (a) Suppose that the specification is S D Pref .fak bak ; k 0g/, i.e., it is required that the closed-loop system produces prefixes of words with an equal number of occurrences of a before and after the single occurrence of b. Check whether there exists a supervisor for this specification, and if so specify it and describe its control strategy. (b) Repeat the problem in (a) with the marked language of the specification given by S D fak bak ; k 0g. Is there a non-blocking supervisor? (c) Repeat the problem in (a) with the marked language of the specification given by S D fak bal ; k l 0g. Is there a non-blocking supervisor?

Chapter 16

Testing

16.1 The Problem of Testing in Context We address the problem of testing a component embedded within a modular system [131], a.k.a. as the problem of testing in context or embedded testing. When solving this problem, the modular system may be represented by two communicating machines: the embedded component machine, and the context machine that models the remaining part of the system and is assumed to be implemented correctly. A number of test derivation methods have been developed for testing in context when the system components are modeled as FSMs. Some methods [26, 84] use techniques like guided random walks or hit-or-jump (a generalization thereof) that do not guarantee that the resulting tests are complete, i.e., they do not detect all possible faulty implementations of the embedded FSM. Other methods are based on black-box testing [108] and return test suites that are complete, but potentially redundant, since they consider fault domains that include infeasible implementations of the embedded FSM. Another approach reported in [109,110,114] describes how to generate complete tests for an embedded machine by finding the largest set of its permissible behaviors, which is obtained by finding the largest solution of an appropriate FSM equation. Since the largest solution is represented by a non-deterministic FSM such that each non-conforming implementation is not a reduction of the FSM, a test suite has to be derived using the reduction relation between the implementation and specification FSMs. The methods presented in [60, 108, 112, 113] can be used for this purpose. However, since tests are generated over the internal alphabets of the embedded machine, the internal tests must be translated into external tests defined over the external alphabets of the system. The problem of translating internal tests into external ones is sometimes called the fault propagation problem and can also be formulated as solving an appropriate equation over FSMs or automata [39]. When necessary, the obtained external test suites can be minimized using, e.g., the approach proposed in [1]. T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 16, © Springer Science+Business Media, LLC 2012

267

268

16 Testing

16.2 Solving Testing in Context Via Language Equations We use the parallel composition operator to illustrate solving testing in context by equation solving, but all the results hold also for the synchronous composition operator. We consider the parallel composition of two communicating FSMs, the context FSM ContextDhSContext ; I [ V; O [ U; TContext ; rContext i and the embedded FSM EmbDhSEmb ; U; V; TEmb ; rEmb i, as shown in Fig. 16.1. The alphabets I and O represent the external inputs and outputs of the system, while the alphabets V and U represent the internal interactions between the two machines. For the sake of simplicity, we assume that all communicating machines are complete and deterministic. The external behavior of the composition is given by the complete def deterministic FSM Spec D Context ˘ Emb defined over external input and output alphabets I and O. Given an implementation of the topology in Fig. 16.1, suppose that the implementation of the FSM Context is fault-free, and that we would like to generate tests in order to check whether the FSM Emb is correctly implemented, i.e., the composition of Context and Imp, where Imp is the implementation of Emb, has the same behavior as the FSM Spec. Here, for solving the problem we use two test suites. An internal test suite TSint is a finite set of finite internal input sequences, while an external test suite TSext is a finite set of finite external input sequences. An FSM Imp is externally distinguishable from Emb or distinguishable from Emb composed with Context, if there exists an input sequence such that the FSMs Spec and Context ˘ Imp have different output responses to such input sequence. We know that the equivalence of Context ˘ Emb and Context ˘ Imp does not imply the equivalence of Emb and Imp, i.e., non-equivalence in the context is weaker than nonequivalence in isolation due to the lack of controllability and observability [114]. It

I Context O

U

Fig. 16.1 Topology of parallel composition of two FSMs used for testing in context

V

Emb

Spec

16.2 Solving Testing in Context Via Language Equations

269

turns out that the largest complete solution of the equation Context ˘ X Š Spec contains implementations of the FSM Emb externally indistinguishable from it and only them. Thus, each FSM Imp that is not a reduction of the largest solution of Context ˘ X Š Spec can be detected by an external test case. Proposition 16.1. Given an FSM equation Context ˘ X Š Spec and its largest complete FSM solution, denoted by Largest, let Imp be an FSM such that Imp Largest (Imp is not a reduction of Largest, i.e., it is not a contained behavior), then there is an external test case ˛ to detect Imp, i.e., such that Context ˘ Imp ©˛ Spec. Notice that even if Imp is a reduction of Largest, i.e., Imp is not externally distinguishable from Emb, we still cannot claim that Context ˘ Imp and Spec are equivalent, i.e., it can well happen that Context ˘ Imp © Spec. The reason is that a livelock can occur in the composition of the FSMs Context and Imp. However, when each machine is deterministic, livelocks can usually be detected with timeouts, i.e., by measuring the time elapsed after an input was submitted to the system under test, while executing a test suite; once a given timer expires, we conclude that the system does not respond due to a livelock. The hypothesis that the component FSMs must be deterministic is required, as the following situation shows: suppose that there are two internal outputs to an internal input, such that one of the internal outputs implies a livelock while the other triggers an external output. The result is that in the latter case an external output is produced, however, we cannot apply the next input, since there still is another internal action due to the former case. An external test suite TSext is complete w.r.t. the fault domain which is the set JEmb of implementations of the embedded component Emb if, for each Imp 2 JEmb that is externally distinguishable from Emb, there exists 2 TSext that distinguishes Context˘Imp from Spec. If the set JEmb is finite, e.g., it contains all FSMs over input alphabet U with a certain number of states, then such a test suite can be derived by determining an external test for each FSM in the set. However, this method becomes impractical when the cardinality of JEmb grows, so other approaches which do not require explicit enumeration are needed. The following statement from [114] states the conditions under which a test suite TSext can be found for Imp that is not a reduction of Largest, based on internal I/O sequences. Proposition 16.2. Given an internal I/O sequence ˛=ˇ accepted by the largest complete solution Largest of the equation Context ˘ X Š Spec, suppose that 9u; v such that the I/O sequence ˛u=ˇv is not accepted by the FSM Largest. Then there exists an external test suite TSext .˛u=ˇv/ such that for each implementation Imp of the embedded FSM Emb accepting the I/O sequence ˛u=ˇv, there exists 2 TSext .˛u=ˇv/ for which the output responses of the FSMs Context ˘ Imp and Spec are different. The proposition indicates that an external test suite can be obtained by first finding an internal test suite and then translating it into an external test suite. An internal test suite TSint is complete for the specification FSM Emb w.r.t. the fault domain JEmb and FSM Context if for each implementation Imp 2 JEmb

270

16 Testing

a

b i2/u1 v2/u1

u1/v2

t0 i1/u1 v2/u2

q0

t1 i2/o2 v2/o2

c

i1/u2 v1/o1 i1/o1 s2

i2/o2

i2/o1

u2/v1

v2/v1

u2/v1

d

i1/o1 s0

q1 u1/v1

u1/v1

u1/v2

p1

p2

u2/−

i2/o2 s1

dc

i1/o2

−/−

u2/v2

u1/−

p3

u1/v2

p5

u2/v1

u1/v1

u2/v1

p4

u2/v2 u2/− def

Fig. 16.2 (a) FSM Context; (b) FSM Emb; (c) FSM Spec D Context ˘ Emb; (d) Largest solution of the equation Context ˘ X Š Spec

that is externally distinguishable from Emb, there exists a sequence in TSint that distinguishes Imp and Emb. The subset of JEmb that contains FSMs externally indistinguishable from Emb is characterized by the FSM Largest, therefore, the problem of generating a complete internal test suite becomes now as follows. Given the pair JEmb and Largest, we are required to determine a set TSint of input sequences such that for each FSM Imp 2 JEmb that is not a reduction of the FSM Largest, there exists ˛ 2 TSint such that the output response of Imp under the input ˛ cannot be produced by the FSM Largest under ˛. This problem can be solved using the method developed in [108] for generating complete test suites for the case of reduction relation between implementation and specification FSMs. Such a complete internal test suite can be translated into a complete external test suite according to Proposition 16.2. We illustrate the approach for testing an embedded component using an example from [114]. Example 16.3. Given the topology in Fig. 16.1, consider the instances of Context, Emb and Spec in Fig. 16.2a–c; the largest complete solution of the equation Context ˘ X Š Spec is shown in Fig. 16.2d. FSM Emb is included in Largest,

16.2 Solving Testing in Context Via Language Equations

271

u1/v2

Fig. 16.3 Solution Implive of the equation Context ˘ X Š Spec

q0

q1 u1/v1 u2 /v2

u2 /v1

since the submachine of the latter restricted to the states p1 ; p2 ; p3 ; p4 ; dc (p2 with the transition u2 =v1 but no transition u2 =v2 ) is an “unfolding” of Emb, where p1 ; p3 and dc simulate q0 , and p2 and p4 simulate q1 . Notice that if we choose Implive , the solution contained in Largest shown in 0 0 Fig. 16.3 (p1 and dc simulate q0 , and p2 and p5 simulate q1 ), we get a situation where Context˘Implive © Spec, due to the livelock occurring e.g., with the sequence i1 =u1

0

u1 =v2

0

v2 =u2

0

u2 =v2

0

v2 =u2

0

u2 =v2

0

t0 ! t0 , q0 ! q1 , t0 ! t0 , q1 ! q1 , t0 ! t0 , q1 ! q1 etc. The largest solution is a complete observable FSM and following the approach of [108] we derive from it a complete internal test suite w.r.t. the fault domain JEmb than contains each FSM over input alphabet U with up to 2 states: TSint D fu1 u1 u1 u1 ; u1 u1 u2 u1 ; u1 u2 u1 u1 ; u1 u2 u2 u1 g: The completeness of a test suite implies that for each FSM which is not a reduction of the specification FSM a state of the product of the two machines where they disagree on outputs for some input is traversed when some test from the test suite followed by that input is executed. Therefore, according to Proposition 16.2, the test suite TSint can be translated into a complete external test suite. Formally, for each prefix ˛u of each input sequence of an internal test suite TSint and each output sequence ˇv of the same length such that ˇ is in the set of output responses of the largest solution to ˛ while ˇv is not in the set of output responses of the largest solution to ˛u, we must determine a set TSext .˛u=ˇv/ of external input sequences such that, for each implementation Imp of the embedded FSM Emb accepting the internal I/O sequence ˛u=ˇv, there exists an external input sequence 2 TSext .˛u=ˇv/ for which the output responses of the composition Context ˘ Imp and of Spec to the input sequence are different. Example 16.4 (continues from Example 16.3). For each prefix ˛u of each test case of the internal test suite TSint we derive a set of sequences ˛u=ˇv such that ˛=ˇ is accepted by the largest complete solution Largest of the equation Context ˘ X Š Spec, while the I/O sequence ˛u=ˇv is not accepted by the FSM Largest and obtain the following subset of prefixes of TSint together with the corresponding outputs: fu1 =v1 ; u1 u1 =v2 v2 ; u1 u1 u1 =v2 v1 v1 ; u1 u1 u1 u1 =v2 v1 v2 v2 ; u1 u1 u2 =v2 v1 v2 ; u1 u1 u2 u1 = v2 v1 v1 v1 ; u1 u2 u1 =v2 v1 v2 ; u1 u2 u1 u1 =v2 v1 v1 v1 ; u1 u2 u2 u1 =v2 v2 v1 v2 g: Notice that u1 u2 and u1 u2 u2 are not in the set because they do not satisfy the conditions that ˛=ˇ is in Largest, while ˛u=ˇv is not.

272

16 Testing

According to Proposition 16.2, for each I/O sequence in the above set there exists an external test suite that detects each faulty implementation FSM with this I/O sequence. As an example, consider a faulty FSM Imp producing the internal I/O sequence u1 u1 =v2 v2 ; notice that it is faulty because the FSM Largest produces the I/O sequence u1 u1 =v2 v1 . Under the external input i2 , Context issues u1 (and goes to t1 ); under u1 , Imp issues v2 ; under v2 , Context issues o2 (and goes to t0 ). Under the second input i2 , Context issues once again u1 (and goes to t1 ); under u1 , Imp issues again v2 ; under v2 , Context issues a faulty output o2 (instead of the correct output o1 ). Therefore, each implementation FSM Imp with the I/O sequence u1 u1 =v2 v2 is detected by an external test case i2 i2 . Thus, TSext .u1 u1 =v2 v2 / D fi2 i2 g; this is certified by the fact that Spec produces fi2 i2 =o2 o1 g, whereas due to the faulty Imp the composition Context˘Imp produces fi2 i2 =o2 o2 g. Summmarizing, the simulation goes as follows: Context issues i2 =u1 , the faulty Emb issues u1 =v2 , Context issues v2 =o2 , Context issues i2 =u1 , the faulty Emb issues u1 =v2 , Context issues v2 =o2 . To find an external test suite for a given internal sequence say u1 u1 =v2 v2 (which in turn is derived from an internal test u1 u1 ), one can compose the automaton A.u1 v2 u1 v2 / accepting the word u1 v2 u1 v2 with the FSM Context converted into an automaton, and find in the composition an external sequence which is needed to reach the final accepting state of A.u1 v2 u1 v2 /; in this case one gets the external sequence i2 i2 . When translating the above set of internal I/O sequences into external test cases the following complete external test suite is obtained: TSext D fi2 i2 i2 i2 ; i2 i2 i1 i2 ; i1 i2 i2 g: The test suite has three test cases with a total length of 11. Note that following a black-box testing approach, a complete test suite with 192 test cases and a total length of 1664 can be derived, using the method of [108]. It detects errors in the same component assuming that the fault domain for the FSM Spec with three states has all FSMs with up to four states, since some faulty implementations of the embedded component with up to two states can induce a composed FSM with four states. The reduction achieved by deriving tests based on the largest solution of the corresponding FSM equation is due to the fact that some of these FSMs cannot be decomposed into a composition with the component FSM Context, and thus the fault domain includes infeasible machines, i.e., the black-box testing approach is unable to exploit the information about the restriction imposed by the composition with the context. We underline that there are two fault domains for FSMs to which the previous discussions may refer according to the context. The first one is defined for the FSM Emb, as the set of all FSMs with at most 2 states over the alphabets U and V . The second one is defined from the composed machine Spec as the set of all FSMs with at most 4 states over the alphabets I and O. The second set includes all possible products of the Context and each FSMs with at most 2 states over the alphabets U

Problems

273

and V (from the first fault domain). But it also contains FSMs which are not products of the Context with any FSM. These are called “infeasible” machines in the sense that they cannot be decomposed into the product of the Context and another FSM.

Problems 16.1. Solve the FSM equation MA ˘ MX MC , where MA is the context FSM shown in Fig. 16.2a, and MC is the specification FSM in Fig. 16.2c. Define the related automata A and C and carry on the following automata computations: 1. 2. 3. 4. 5.

C C \ .IO/? .C \ .IO/? /*U [V A \ .C \ .IO/? /*U [V .A \ .C \ .IO/? /*U [V /+U [V

6. .A \ .C \ .IO/? /*U [V /+U [V 7. .A \ .C \ .IO/? /*U [V /+U [V \ .U V /? 16.2. Solve the FSM equation MA ˘ MX Š MC , where MA is the context FSM shown in Fig. 16.2a, and MC is the specification FSM in Fig. 16.2c. Given the solution of the companion FSM equation MA ˘MX MC obtained in Problem 16.1, how does one solve this FSM equation? 16.3. Consider the parallel composition in Fig. 16.1, where MA is the context FSM shown in Fig. 16.2a, and MC is the specification FSM in Fig. 16.2c. Given the implementations Imp1 and Imp2 of the FSM Emb, shown respectively in Fig. 16.4a, b, for each implementation find external test suites to detect whether it is faulty, based on the information provided by the largest solution of the related FSM equation.

b

a

u1/v2

u1/v2 u1/v1 u2/v2

u2/v1

u1/v1 u2/v1

c

u1/v2 u2/v2 Fig. 16.4 (a) FSM Imp1; (b) FSM Imp2; (c) FSM Imp2

u2/v2

274

16 Testing

16.4. Design a procedure for testing an embedded component FSM of a synchronous composition (see Fig. 16.1). What are the differences with respect to the procedure for testing an isolated FSM? 16.5. Consider the parallel composition in Fig. 16.1, where MA is the context FSM shown in Fig. 3.2a, and MC is the specification FSM in Fig. 3.2g. Is there a correct implementation of the FSM Emb by an FSM that has a single state? Is it possible to replace the FSM Emb by the FSM shown in Fig. 16.4c?

Chapter 17

Synthesis of Strategies for Games

17.1 Formulating a Game as a Unknown Component Problem Finding winning strategies of some combinatorial games, such as the NIM game, tic-tae-toe, etc., can be formulated as solving the unknown component problem. Therefore, BALM can be used to synthesize winning strategies of these combinatorial games. The strategy we take is to describe the dynamics and the state of the game in the fixed component. The unknown component represents one of the players of a two person game. Generally, we want to input the state of the game to the unknown component, which will represent the strategy to be used by Player 2; otherwise the unknown component would have to have many states just to remember what state the game is in. The other player, Player 1, can be modeled as a random player. The reason for this is that it is simpler to not have to describe the strategy for making moves; we will allow it to make any move. If it makes an illegal move, it loses the game immediately. In this way, Player 2 only has to have a strategy for when Player 1 makes a legal move. A winning strategy is such that whatever move Player 1 makes, Player 2 has the ability to make a move to continue the possibility of winning. This can be ensured by requiring the solution to be an FSM, i.e., to be expressed by a prefix-closed and progressive automaton. In this case, a winning strategy can be implemented by a Boolean network. If the input to the unknown component is the state of the game, then progressive means that, for every state that the game can get into, there is always an input which leads to an accepting state. Suppose we have a game for which on each move, there is always some “progress”. This might be measured by some “energy” function, which always decreases and is lower-bounded by 0. Examples of such games are NIM (see Sect. 17.2), where the total number of coins in the three piles is always decreasing, or tic-tac-toe, where the number of empty squares is decreasing. However, in games like chess, there is no energy function because it is possible to stay in a loop forever. For energy-decreasing games, the lowest energy states are states where the game is over. In such cases, any accepting state must be able to progress, and eventually


275

276

17 Synthesis of Strategies for Games

reach an accepting state of minimal energy. This is guaranteed by requiring the solution to correspond to an FSM (i.e., the automaton must be prefix-closed and progressive). A good strategy for describing a game is to keep the number of reached states low. This can be done by forcing the game into a single final state immediately when the game is over. For example, if the game has been won, reset all latches to 0. This can make a big difference in the number of states that can be reached, and make the language solving process much simpler. An example is tic-tac-toe, where any time a line of X s or Os is seen, then the game is over. Instead of leaving the game in whatever state the winning line was found, it is better to empty all the squares to arrive at a single final state. Games which can loop infinitely often could be solved by modeling the specification by !-automata (see Chap. 18) unless Player 2 is just interested in not losing. The reason is that, in using the unknown component problem to solve the game, we look for an FSM solution. This means that every state reached is accepting. If we want to win and not just tie, all accepting states must be those where we have won. However, an FSM solution must always have the initial state as accepting, and it is not reasonable to already have won the game initially. Thus the specification should be an !-automaton.

17.2 Describing and Solving a Game: The Game of NIM In this Section, we use the game of NIM to illustrate how a combinatorial game can be described and solved. We model the game as shown in Fig. 17.1, where there is a fixed part that models the rules of the game and stores its current state, and an unknown component that represents the winning strategies of Player 2, according to the specification in Fig. 17.2 (that is the composition of the two previous components). The inputs of the games fixed component are the moves of Player 1 and 2 (respectively, p1, d1 and p2, d2; its outputs are the current state cs0, cs1, cs2 and the out signal that flags the outcome (Player 2 wins or looses or game still on). The specification does not depend essentially on p1 and d1, which may or may not be added explicitly to it. The first step is to describe the game dynamics in the fixed part of the unknown component problem as well as the specification. The game dynamics is as follows. There are 3 piles of coins, consisting of up to 6 coins each. On a move, each player must take away at least one coin, but only from a single pile. The objective of the game is to make the other player take the last coin. (p1,d1) is the move of Player 1 (p1 in (0,1,2) and d1 in (0,1,2,3,4,5,6)). Similarly (p2,d2) is the move of Player 2. In general: p1=i d1=j means that j coins are taken away from Pile i. Which player moves next is controlled by whoseturn. A move (p,d) is invalid if d is greater than the height of pile p. If a player makes an invalid move, the pile heights are set to 000. If the pile heights become 000, Player 1 loses if it just made the last move, i.e., whoseturn = 1.

17.2 Describing and Solving a Game: The Game of NIM

277

Fig. 17.1 Topology for modeling the game NIM by language equation solving

Fig. 17.2 Graphical output of BALM showing the automaton spec.aut used in the script for the example fixed.mv modeling the game NIM

The automaton is complete and deterministic. 1 inputs 3 states 5 transitions Inputs = { out(3) } playing notOK

1wins

OK done

2wins

Similarly for Player 2. If out = done, then Player 2 has won. If out = notOK, then Player 1 has won. To solve for the winning strategy for Player 2 moving second, we start with an initial condition 321 for the pile heights. We know that this is a winnable condition for Player 2 starting second. So the game solution should indicate this. Heights 653 would be another winnable starting condition for Player 2. We leave to the reader to design the automaton that encodes the fixed part of the NIM game and to describe it in the format BLIF-MV for BALM. The specification used is a simple 3-state automaton as shown in Fig. 17.2. Note that state 1wins is shaded to indicate that it is not an accepting state. We note that this automaton can be described in BLIF-MV format too and the command solve fsm equ can be used. To solve for the winning strategy, the following script is executed in BALM: read_blif_mv fixed.mv extract_aut fixed.aut

278


complement spec.aut spec_comp.aut product fixed.aut spec_comp.aut product.aut support cs0(7),cs1(7),cs2(7),p2(3),d2(7) product.aut\ product_supp.aut complement product_supp.aut x.aut progressive -i 3 x.aut xfsm.aut minimize xfsm.aut xfsm_min.aut

We show the automaton xfsm min.aut in Fig. 17.3 at the end of this chapter. The state names of the automaton xfsm min.aut do not carry any information, but one can infer what state the game is in by looking at the outgoing edges of a state. For example, state s00 has an outgoing edge labeled 321 . Note that the inputs to the automaton are cs0(7), cs1(7), cs2(7), p2(3), d2(7), so 321 refers to the state where the pile heights are 321. The part of the label refers to p2,d2, and since player 1 went first, it does not matter what p2,d2 is on the first move; hence . From state s01, note that there are two outgoing arcs, one going to s11 and the other to s14. The arc to s11 has two labels, 12111 and 31102. The first indicates that if we were in state 121, then we would choose Pile 1 and take 1 coin away from it. Looking at the next state s11, the only outgoing arc is labeled 111 , indicating that the game is in state 111. This correlates with taking 1 coin from Pile 1, thus changing the state from 121 to 111. Similarly the label 31102 means that we take 2 coins from Pile 0, leaving 111 again. Thus considering all the outgoing arcs of s01, we see that state s01 represents the game being in any one of game states f121; 311; 320; 221g. The state, s02, is the winning state for Player 2. Note that there is always a path to s02 from any state. This means that there is a winning strategy. Many of the arcs into state s02 are caused by Player 1 making an illegal move. Note that Player 1 is modeled by a random player since his moves are uncontrolled inputs. Modeling any illegal move as a win for the other player is an easy way to model a player making only legal moves. Solving with the initial state set to 653 leads to a minimized FSM automaton with 39 states, and in examining the solution one can see that from every state there is a path to the winning state. However, with initial state 553, the solution shows that this is not the case because, after the operation to make it progressive, the solution FSM is empty.

Problems 17.1. Consider the topology of the game of NIM in Fig. 17.1, and revise it assuming that the state of the game (encoded by variables cs0; cs1; cs2) is not exposed to player 2. Moreover p1 ; d1 are given as an input also to player 2. Solve this modified version of the NIM game and compare the solution with the one of the original problem, where the state of the game was exposed to player 2.

Problems

279

Fig. 17.3 Graphical output of BALM showing the solution automaton xfsm min.aut generated by the script for the example fixed.mv modeling the game NIM

280


17.2. Wolf–Goat–Cabbage The problem is to find a strategy to transport across a river by boat, three items (wolf, goat, cabbage), without having one of them eat another in the process (wolf eats goat or goat eats cabbage if the boatman is absent). The boat can hold only one item in addition to the boatman, thus leaving the other two on a shore unsupervised. We must not leave (wolf, goat) or (goat, cabbage) on the same shore alone. The fixed part, fixed.mv, is a finite-state machine that describes the dynamics of a boat going back and forth across the river; it has an input in from the controller (finite state machine implementing the winning strategy) and issues an output out to the controller. The input in decides which item is loaded in the boat on the next trip, and it has 4 possible values, fempty, wolf, goat, cabbageg . The output out describes the state of the systems as follows: out = notOK if it enters a bad state, e.g., wolf and goat are left together on the same bank; if the state is such that all three objects are on the opposite shore, out = done; otherwise out = OK. The specification spec.aut follows: # 00 = null, 10 = OK, 01 = notOK, 11 = done .i 2 .o 0 .s 3 .p 5 .ilb out_0 out_1 .ob .accepting a c -0 a a 01 a b 11 a c -- b b -- c c .e

(a) Design the automaton that encodes the fixed part of the Wolf–Goat–Cabbage game and describe it in the format BLIF-MV for BALM. (b) The script solve script to synthesize the winning strategy follows: rl fixed.mv io_encode stg_extract fixed.kiss read_fsm fixed.kiss fixed.aut determinize -lc spec.aut spec_det.aut complement spec_det.aut spec_det_compl.aut support in_0,in_1,out_0,out_1 spec_det_compl.aut spec_det_compl _supp.aut support in_0,in_1,out_0,out_1 fixed.aut fixed_supp.aut product -l fixed_supp.aut spec_det_compl_supp.aut p.aut support out_0,out_1,in_0,in_1 p.aut p_supp.aut determinize -lc p_supp.aut p_det_com.aut complement p_det_com.aut p_det_com_compl.aut progressive -i 2 p_det_com_compl.aut x.aut write_fsm -i 2 x.aut x.kiss2 dot x.aut x.dot

Problems

281

echo "performing verification ... " support in_0,in_1,out_0,out_1 x.aut x-supp.aut product x-supp.aut fixed_supp.aut prod.aut complete prod.aut prod-com.aut support in_0,in_1,out_0,out_1 spec.aut spec-supp.aut complete spec-supp.aut spec-supp-com.aut check prod-com.aut spec-supp-com.aut

Run the previous script making sure that you understand each operation, and describe in words the winning strategy x.aut synthesized by BALM.

Chapter 18

Extending BALM to Synchronous Equations ¨ Over co-Buchi Specifications

18.1 Introduction Suppose that we consider sequential synthesis problems where the objective is to find a strategy, implementable as a finite state machine (FSM), which guides a system to a given subset of states where at least one state is accepting and keeps it in that subset (e.g., the subset may include a winning state for a game, or a set of states with some desirable property). Such situations need !-automata to capture these specifications. For instance, a useful property like liveness is expressed with Büchi automata. When, as a special case, the problems we consider are concerned with steering a system into an accepting set of states and then keeping it there, such requirements are what can be expressed by co-Büchi automata. In this chapter we will describe a synthesis flow for co-Büchi specifications. We comment at the end of this chapter how the synthesis flow that we describe for co-Büchi can be adapted for Büchi automata. For co-Büchi specifications, the FSM synthesis problem is stated as usual: if S is a co-Büchi automaton, F is a known FSM, and represents the synchronous composition of two Büchi automata, find the most general FSM X such that F X S , i.e., the !-language represented by the !-automaton F X is contained in the !-language represented by the !-automaton S .1 From Chap. 2, we know that the most general automaton solution is given by X D F S , where the outside complementation must deal with the usual non-determinism. Therefore, in general, ND Büchi and co-Büchi automata complementation are required, which are superexponential in complexity. We show how this can be avoided by aiming for a slightly less general but more efficient solution. We propose a synthesis flow, very similar

1

The consistency of the “types” of automata in the synchronous equation will become clear when reading the chapter. It suffices to say here that an FSM can be interpreted as a special case of Büchi or co-Büchi automaton.


283

284

18 Extending BALM to Synchronous Equations Over co-Büchi Specifications

to that described in Chap. 2 for regular (finite-word) automata. We use a subset construction to obtain a deterministic Büchi over-approximation of an ND Büchi automaton. Therefore, the final complementation, done by simply complementing the acceptance conditions to obtain a co-Büchi automaton, yields a subset2 of the most general solution automaton. Up to the last step, our solution flow does not involve using the co-Büchi acceptance condition for constructing the transition relations on the automata structures; it merely keeps track of the acceptance conditions of the final result and uses this to trim the final transition structure. To do this, a SAT instance [37, 42, 92] is formulated, each of whose solutions corresponds to a particular FSM solution. The SAT instance contains clauses that ensure the input-progressiveness property required for FSMs. Other clauses enforce the co-Büchi condition by requiring the elimination of all simple cycles that contain a non-accepting state. The SAT instance represents all FSM solutions that can be associated with sub-graphs of the automaton solution; solutions with non-simple cycles are not represented, but we argue that such solutions are impractical anyway. In addition, we only focus on subgraphs and do not consider the possibility of splitting states and then looking for a sub-graph as is done in Chap. 2 to find the largest compositionally progressive solution. To simplify the SAT instance, a graph pre-processing step derives a partial order based on input-progressiveness. In this, an edge is classified as essential if its removal causes a state to become non-progressive. This concept is used to simplify the graph (see Sect. 18.4.3, which then is used to obtain a simpler SAT formulation. The algorithm was implemented in a special version of BALM and we discuss some results on a few simple examples. On larger problems, we found that the bottleneck was the enumeration of all simple cycles required for the SAT instance. It remains a challenge to make this more efficient in order to apply these ideas to larger problems. This procedure provides a synthesis flow for co-Büchi specifications that follows the flow for finite automata; hence it is simpler than for general !-automata and can make use of recent efficient algorithms for regular automata as described in Chap. 2. Only in a final step, which extracts an FSM implementation using a SAT formulation, does the flow differ substantially from that for finite automata specifications. It turns out that this same procedure can be used for Büchi specifications, except that at the beginning we need to complement the Büchi specification S into a (ND) Büchi automaton which can be done linearly by an algorithm in [81]. This chapter is structured with some preliminaries given in Sect. 18.2, and the problem statement presented in Sect. 18.3. The proposed !-property synthesis techniques are addressed in Sect. 18.4, including the SAT formulation. In Sect. 18.4.4 we discuss the complexity of complementing non-deterministic Büchi automata in

2

An important subclass of co-Büchi automata is the one of “co-looping” automata. For this class of specifications, our procedure is exact and thus obtains the most general solution automaton.


285

general with respect to the construction in this chapter; moreover, in Sect. 18.4.5 we mention a minor modification that can be used for synthesizing to Büchi specifications. Sect. 18.5 concludes.

¨ ¨ 18.2 Buchi and co-Buchi Automata An !-automaton is a finite state automaton that accepts infinite strings [53, 122]. For the purposes of this chapter, we only need to discuss Büchi, co-Büchi, looping, and co-looping automata. Both Büchi and co-Büchi automata have a designated subset of states (called the stable set or acceptance condition or final set), which define their acceptance condition. In the Büchi case the meaning is that an accepting run should visit the stable set infinitely often, while in the co-Büchi case an accepting run eventually should enter the stable region and stay there forever. For an ND automaton with acceptance condition Acc, an input sequence is accepted (is in the language of the automaton) if there exists an accepting run under that input sequence. A co-looping automaton is a co-Büchi automaton with the additional restriction that the set of final states must be a sink, i.e. there is no edge from any final state to a non-final state. A looping automaton is the dual of a co-looping automaton; its non-final states are a sink. Thus an accepting run for a looping automaton is one that always avoids a non-final state. Looping automata are useful for expressing safety properties. Looping and co-looping automata have the property that they can be determinized by the subset construction [80], which is simpler than for the general case. Thus, the difference between co-looping and co-Büchi is that the latter can have a final set from which it is possible to exit. However, it seems possible that in many cases with a general co-Büchi specification, the synthesis problem can be divided into two phases, the problem of steering the state of the system into a state of the final set (a co-looping problem), and the problem of keeping it there (a looping problem). These might be solved separately. We will see that the procedure described in this chapter, when used for finding the most general solution with a co-looping specification, is exact, while for the general co-Büchi case, it is a conservative approximation.

18.3 Problem Statement The synthesis problems considered in this chapter have the topology shown in Fig. 18.1,3 however, we investigate the situation where S is a co-Büchi automaton. 3

The particular topology of communication is not important. Our results can be adapted easily to other topologies.

286


Fig. 18.1 Topology for the synthesis of !-automata

i

o

F

v

S

u

X

This has multi-valued input signal o whose values are taken from the alphabet ˙o . Thus S D .QS ; ˙o ; q0S ; S ; A/, where A is the stable set. The fixed part F (or context) is assumed to be an FSM with multi-valued inputs i and v and multi-valued outputs o and u. F (although an FSM) is interpreted as a special deterministic Büchi automaton, represented by F D .QF ; ˙i;u;v;o ; q0F ; F ; B/, where the accepting set B is the set of all states. X is required to be a deterministic FSM, because we want to implement it as a sequential network. The objective is to find an FSM implementation of X such that its synchronous composition with F satisfies the co-Büchi specification S . Solutions are obtained by solving a corresponding !-language containment problem: find X such that F X S , i.e., the !-language represented by the !-automaton F X is contained in the !-language represented by the !-automaton S . The most general solution (not necessarily an FSM) of F X S is X D F S as derived in Chap. 2 and interpreted as an !-automaton. Particular FSM solutions are derived by eliminating from the graph of the most general solution loops that contain non-accepting states while being input-progressive, as discussed in detail in Sect. 18.4.2.

18.4 The Synthesis Flow The general synthesis flow has the following steps, that pattern those already seen for finite automata, except that the latter are replaced !-automata. All operations are done on Büchi or co-Büchi automata and are explained below in more detail. The steps of the procedure to compute X D F S and the FSM sub-solutions are: 1. ComplementOmega(S ); (complement the co-Büchi automaton S by dualizing the acceptance condition). 2. Complete(F ); (complete the FSM F as a Büchi automaton).

18.4 The Synthesis Flow

287

3. ProductOmega(P D F S ); (Compute the product P of the two Büchi automata F and S ). 4. Hide variables in P invisible to X , i.e. hide i and o. 5. Pseudo-determinizeOmega(P ); (determinize the Büchi automaton P ). 6. ComplementOmega(P ); (dualize the acceptance conditions to produce a coBüchi automaton). 7. Restrict to FSM solutions; (final processing to produce FSM sub-solutions). The first six steps compute a general automaton solution while the last step constrains it to only FSM solutions. The general flow has been modified to avoid complementing (possibly non-deterministic) Büchi automata (P ), as discussed below.4 The term “Omega” has been added to emphasize these modifications.

18.4.1 Computing a General Automaton Solution We summarize the modifications of the first six steps and argue that they can be done in the same way as for regular finite-word automata, but with only slight modifications to keep track of the Büchi type acceptance conditions. All transition relations of intervening automata computed will be the same as for the unmodified case, and thus can be done by the methods discussed in Chap. 7. The co-Büchi/Büchi acceptance conditions are simply inferred by analyzing the computations leading up to Step 7, which then applies the acceptance condition to extract a set of particular FSM solutions. 1. Complementing the Specification S . S is a deterministic co-Büchi automaton with final states A, and therefore can be complemented into a Büchi automaton by simply inverting its acceptance condition. Thus, S is a deterministic Büchi automaton and a run of S is accepted if it intersects A QS n A infinitely often. We will handle Büchi in a similar way except this first step will compute the complement of S as another (ND) Büchi [81]. 2. Completing the Fixed Part F . F is an FSM, but it can interpreted also as a special Büchi automaton; its accepting set of states is the set B of all its states. Since F , as an automaton, is incomplete, it can be completed by adding a single new state, nF , which is the only non-accepting state (it is added as a state with no-exit and a universal self-loop - a “don’t care” state). For convenience, the completed automaton is also denoted by F . 3. Creating the Product P D F S . F and S are Büchi automata. The product of two Büchi automata is conventionally done by introducing a binary flag as a third entry in the product state. The flag toggles whenever an accepting state of one of the automaton arguments, indicated by the flag, is just visited. This is

4

The general procedure would have combined Steps 5 and 6 into a single step, “complementOmega(P )”.

288


required since a product is accepting only if the acceptance condition of each of its components has been met; we need to visit B as well as A infinitely often. In general, the flag is used to ensure that we visit infinitely often both product states of type .fB ; s/, where fB is in B and s is any state of S , as well as those of type .f; sA /, where f is any state of F and sA is in A. In our case, this flag is not needed because all states of F , except the don’t care state, nF , are accepting. The flag would toggle once we have visited B and again once we have visited A. Suppose that A has just been visited, so the current state .f; sA / has sA 2 A. There are two cases. If f 2 B, then we have just visited B also, so the flag does not need to be toggled. The only other case is f D nF . Since nF is a don’t care state, we can never exit from it and all subsequent states of the product machine will be .nF ; s/. All such states are non-accepting Büchi states of P . Thus, we don’t need to toggle the flag, since nothing important will happen after this. Hence the product automaton P D F S is obtained by taking the regular product of the two operand automata (no extra flag in the product state is needed) to obtain the transition structure of the Büchi automaton, P D .QP ; ˙i;v;u;o ; q0P ; P ; C /. To determine C QP , we note that P has only the following types of states: .b; a/, .b; a/, .nF ; a/, .nF ; a/, where a 2 A, a 2 A, and b 2 B. Thus C D f.b; a/g, i.e., all states are of type .b; a/, and a run of P is accepting if and only if it visits states of type .b; a/ infinitely often. 4. Hiding Variables Invisible to X . Hiding the variables i and o that are invisible to the unknown component X is simply the regular procedure of “erasing” such labels on the state transitions. Even though P is deterministic, the result P#.u;v/ can be non-deterministic. The acceptance conditions (which are on the states) are not changed. 5. Pseudo-Determinizing P#.u;v/ . Since this is a ND Büchi automaton, it cannot be determinized in general (deterministic Büchi automata are not as expressive). On the other hand, complementing it to an ND co-Büchi is a super-exponential procedure, 2O.n log n/ (see Sect. 18.4.4), which should be avoided if possible. As a heuristic approximation,5 we apply the subset construction to the transition structure of P#.u;v/ to obtain a deterministic Büchi automaton PQ , whose language contains that of P#.u;v/ . The accepting states, CQ , of this are determined as follows:

when a subset, containing a state of type .b; a/, is reached, it is marked as in CQ , because a run is accepting if there exists a path to an accepting state. 6. Complementing PQ . Since PQ is deterministic, PQ can be obtained by duality, by inverting its acceptance condition; thus it keeps the same transition structure, but the result is a co-Büchi automaton with accepting states CQ . In general, PQ will be an under-approximation to the most general solution automaton P#.u;v/ .

5

See the last paragraph of this section for a discussion of when this is not an approximation.


289

18.4.1.1 Observations All the computations above involve only those types that are in the “normal” flow for finite automata (in terms of computing the transition relations). These computations have been implemented efficiently in a special version of BALM. The final accepting set CQ is derived as a side computation as discussed above. In the special case when the fixed part F is given as a logic network, the computations of the transition structures can be done using the partitioned method discussed in Chap. 7. Thus, in this section, nothing special has been done that is associated with computing with Büchi automata, except for the side computations of determining the acceptance states. Even the determinization step when deciding which of the subset states are to be put in the Büchi final set, CQ , is a typical operation in which each subset state is classified as soon as it is generated. The only difference in the transition structures for the Büchi case will come when the interpretation of CQ , i.e. what it means for CQ to be the accepting set, is used to construct FSM solutions. This is discussed in the next section, where special non-regular methods are formulated to trim PQ to obtain FSM solutions to meet the co-Büchi condition CQ . Thus, all the efficient implementations done in BALM for computing with finite automata can be used. Another observation is that for specifications, which are co-looping automata, it is known that the pseudo-determinization step in this section is exact, i.e., PQ D P#.u;v/ . This follows from the fact that looping automata can be determinized by the subset construction [80]. Hence for this case, we obtain the most general solution automaton.

18.4.2 Applying the co-Buchi Conditions to Obtain Particular ¨ FSM Solutions To obtain particular FSM implementations for the unknown component, we first need to determinize the most general solution, and then to eliminate all loops that contain a non-accepting state. Moreover, input-progressiveness must be enforced. To eliminate all such loops, we will generate all sub-graphs, of the state transition graph of the solution X just found, such that any loop that contains a non-stable state will be eliminated, leaving only acyclic paths from the initial state to CQ . The most difficult part is to do this while maintaining input-progressiveness of the solutions.6 We emphasize that, in general, some solutions will be lost, since only sub-graphs are

6

Algorithms for finding minimum feedback-arc sets in directed graphs exist [33], but do not deal with input-progressiveness.

290


derived, and thus, for example, state duplication is not allowed. Therefore, solutions which would circulate around a loop a finite number of times before leaving the loop would not be captured.7 In addition, as mentioned already, in the general case, we may have lost some solutions (in case S in not co-looping) by using the subset construction on P#.u;v/ . 18.4.2.1 SAT Formulation The deterministic co-Büchi solution P#.u;v/ will be trimmed so that the only cycles left are those entirely contained in the stable set CQ . This requires removing transitions (edges) in the graph of P#.u;v/ making the non-stable part acyclic but still maintaining u-progressiveness (u is the only input for the unknown component shown in Fig. 18.1). This is formulated as a SAT instance where each satisfying assignment will correspond to a way of trimming the graph to give to the sub-graph the desired property. For each transition j ! k, a variable ej k D 1 if the transition is chosen to remain. For each state j , a variable sj D 1 if j is chosen to remain. Let Ej u be the set of edges that may be traversed on input u in one step from state j . Ej u D ej1 C : : : ej n, where n is the cardinality of Ej u . The u-progressiveness clauses, Cju D Ej u , say that for input u, there exists at least one next state. Thus, the u-progressiveness of state j is Cj D .sj ) ˘u Ej u /, which says that if state j is selected, then it must be u-progressive, meaning that for each minterm of u, there exists a next state. Connection clauses, say that if edge eij is selected, then both terminal states have to be selected, i.e. Ciji D .eij ) si /.eij ) sj /. Finally, to eliminate every simple loop not entirely contained in the stable set, loop-breaking clauses are constructed, one for each such loop. Suppose L D fe12 ; e23 ; e34 ; : : : ; el1 g is such a loop. Its loop-breaking clause says that at least one of these transitions should not be chosen. This is equivalent to CL D e12 C e23 C e34 C C el1 . We must also require that the initial state s0 be selected. Thus, C0 D s0 , i.e., s0 D 1, is added as an assumption. Since all simple unstable loops must be enumerated, there could be many such loops. To alleviate this problem, the graph is pre-processed to eliminate certain obvious transitions, using the notion of essential edges. This is described below. This reduction usually cuts down the number of loops considerably. Summing up, any solution is a selection of a subset of states and transitions of PQ . This corresponds to a sub-graph of the most general solution X where every state is u-progressive and in the graph there is no loop not entirely contained in C . Being u-progressive means that the graph represents a (possibly non-deterministic) FSM.

7

It might be argued that such solutions are impractical since they simply delay getting to the stable set.


291

Being a sub-graph of a general solution automaton with the required properties, it is a solution of the synthesis problem. Hence, all its deterministic sub-machines are solutions. In [138] it is proved that any solution of the above SAT instance is an FSM solution of the !-language synthesis problem. A SAT solver can be configured to enumerate all possible satisfying assignments. Hence, the formulated SAT instance represents a set of FSM solutions. However, all FSM solutions may not be represented, e.g., those where a non-simple loop is traversed a finite number of times before it is exited. An associated FSM would require enough extra states to count effectively the number of times it has gone around a particular loop. In this sense, such solutions might not be of interest from a practical point of view. On the other hand, it is possible that our SAT instance is not satisfiable, but still there may exist an FSM solution. Possibly this gap might be remedied by first duplicating one or more states and then formulating a new SAT instance which is satisfiable. Finally, as noted previously, the subset determinization, Step 5, may cause some FSM solutions to be lost.

18.4.3 Preprocessing to Simplify the SAT Instance To reduce the size of the SAT instance, a preprocessing step, which trims away some of the states and transitions of PQ can be done. In some cases, after this step, it is possible that no SAT solving would be needed.

18.4.3.1 Trimming the Acceptance Set PQ is a co-Büchi automaton with accepting set CQ . We create an acceptance automaton as follows. A nominal initial state is created where its outgoing transitions are all the transitions from CQ to CQ , (the labels on these edges are irrelevant); then all states of the automaton CQ are eliminated. Thus all transitions from CQ to CQ have been eliminated. This automaton is processed in the regular way, which trims away some states and transitions in CQ , to make it u-progressive. If the result is empty, then there can be no cycles entirely contained in CQ and we stop. Otherwise, we modify PQ by merging all remaining nodes of CQ into a sink node f , having a single outgoing edge being a universal self-loop. Incoming edges to f are only those which lead to the remaining nodes of CQ ; other edges are removed. We obtain a so-called path (co-looping) automaton Xpath , derived thus from PQ , which has only one nominal stable state f with a universal self-loop.

292


18.4.3.2 Pre-Processing the Path Automaton For each state in Xpath , outgoing transitions are tagged if they are “essential”. An essential edge is one that if eliminated would make that state not u-progressive. The graph is processed as follows. 1. Restrict Xpath to only its essential transitions and their corresponding states. If this graph has a loop (of essential edges), then all states of the connected component containing the loop must be eliminated. This is because to make Xpat h acyclic at least one transition in the loop must be eliminated, requiring a corresponding state to be eliminated, which causes other essential transitions and states to be eliminated until the entire connected component is gone. After this, only those connected components, which have no loops of essential transitions, remain. If no states are left in the path automaton, then there is definitely no solution. 2. There may be non-essential transitions that must be eliminated because they lead to eliminated states. This can create new essential transitions (secondary essential transitions). This procedure is repeated until no further eliminations can be done. 3. Of the remaining nodes, the essential edges define a partial order of states; for each totally ordered subset of states, all backward (non-essential) edges within this subset must be eliminated because this is the only way to break such loops while still ensuring input-progressiveness. This could create additional essential transitions (tertiary essential transitions). 4. The above three steps are repeated with all the newly created essential transitions added until no further eliminations are possible. This fixed point can be considered the complex core of the problem for which the SAT instance is formulated. After deriving any particular solution corresponding to this reduced path automaton, it is straightforward to combine it with the solution of the acceptance automaton to get a corresponding particular solution for the original unknown component problem.

18.4.3.3 Discussion The value associated with all essential transitions cannot simply be assumed 1 in the SAT instance, because one of their states may not always be in a final solution. However, knowledge of essential edges can help in satisfying the loop-breaking clauses. For example, after the preprocessing step, any simple cycle must contain at least one non-essential transition. It turns out that only one non-essential edge of any loop needs to be eliminated in order to break that loop; otherwise, assume a loop is broken by eliminating an essential edge. This implies that the source node of this edge must be eliminated. Then all edges that lead to this node must be eliminated. If any of these is an essential edge on the loop, then its source node must be eliminated.


293

Eventually, we eliminate a node in the loop whose incoming edge on the loop is non-essential. Thus this loop could have been broken by simply eliminating that non-essential edge initially.

18.4.4 Complementing Buchi Automata ¨ After the construction of the product of two Büchi automata and the hiding of some variables (i and o) an ND Büchi automaton P#.u;v/ is obtained. The last step to find the most general automaton solution would be to complement this. Although there has been much progress in complementing ND Büchi automata (see [42] for a good review and the most recent construction), a tight lower bound on the number of states in this is 2O.n log n/ where n is the number of states in the original Büchi automaton. An upper bound is .1:06n/n (see again [42]). A subset construction cannot be used for determinizing co-Büchi (Büchi) automata. However, for co-looping (looping) automata, it can be used. A subset construction is upper bounded by 2n in the number of states. Thus the procedure in this section is much less expensive in complexity. In addition, experience with the subset construction on a number of practical problems, shows that its behavior is surprisingly well-behaved, in some cases even resulting in a reduced number of states. However, the price paid is that only a subset of the most general solution is obtained (unless of course the original specification is co-looping).

18.4.5 Solving for Buchi Specifications ¨ Büchi specifications provide an effective way for specifying liveness properties, e.g., always eventually something good happens. The overall flow for using Büchi specifications might seem to be similar to that already discussed for co-Büchi specifications, just by interchanging the words “Büchi” and “co-Büchi”. However, in synthesizing for co-Büchi, we had to determinize a Büchi product (Step 5) and thus for synthesizing for Büchi, we would have to determinize a co-Büchi product. However, the subset construction for co-Büchi produces a smaller language and so the procedure is not sound (since its complement produces a larger language). If the specification is a looping automaton, then the basic procedure is correct. However this restriction to safety properties is not satisfactory, since the reason for considering Büchi was its ability to express liveness. For a general deterministic Büchi specification, S , a sound approach would be to compute its complement using the procedure in [80]. This produces a Büchi complement, so the product and the rest of the operations are now the same as they would be if we had started out with a co-Büchi specification. In addition to this complementation procedure being linear, by adding to the description of the fixed part F , often the specification S can be a simple monitor and described with only a

294


few states. After this, the flow is the same as described for the co-Büchi case, since S is obtained as a Büchi automaton using the procedure of [80], and therefore P will be a co-Büchi automaton.

18.5 Conclusions In general, the computational flow to synthesize an FSM according to co-Büchi or Büchi specifications method is sound but incomplete since we chose to complement a deterministic over-approximation of a ND Büchi automaton in the inner loop, instead of complementing the ND Büchi itself, which is a reduction of the most general FSM, and so may exclude some solutions. The computational steps are the same as those used in regular finite-word automata synthesis, except for the last step, which derives a particular solution by formulating and solving a corresponding SAT problem. The case considered was for a deterministic specification. If it is nondeterministic, it seems expeditious to complement it using the algorithms for complementation mentioned in Sect. 18.4.4. Although these are super-exponential in complexity, the number of states in the specification usually can be kept small by embedding the details of S in the fixed part F . Synthesizing for Büchi specifications is only a minor modification of the procedure presented, because most of the details of S can be embedded in F , making S small and easily complemented. The above presented synthesis approach has interesting applications in the controller synthesis area. Control strategies for some case studies (see the problems at the end of the chapter) were synthesized with a specialized version of BALM for Büchi/co-Büchi specifications. The practicality of this approach rests on the ability to enumerate bad cycles. In experiments we have seen that this is a bottleneck and more research needs to be done to do this efficiently. Acknowledgments This chapter grew out of a research project report by Guo Qiang Gerald Wang at UC Berkeley. Thanks to Orna Kupferman for extensive readings of a previous draft and suggesting the application to looping automata, and to Moshe Vardi for very useful comments.

Problems 18.1. Wolf–Goat–Cabbage Solve the Wolf-Goat-Cabbage problem by the steps of the procedure outlined in this chapter. Notice that there are no inputs i in this example. For an introduction to the Wolf-Goat-Cabbage game, see Problem 17.2. Here we would like to find all

Problems

295

strategies by which a boatman can take the three items from one shore to the other, and repeat it forever. 1. Design the co-Büchi specification automaton. Solution. The co-Büchi specification has one input, out, and has three states, a, b, and c. The initial state is a; the stable region consists only of state c, which is a sink (so the specification is a co-looping automaton). A transition is made from a to c if out = done, from a to b if out = notOK and from a to a if out = OK. Also state b is a sink. The specification spec.aut follows (accepting here refers to the coBüchi acceptance conditions): # 00 = null, 10 = OK, 01 = notOK, 11 = done .i 2 .o 0 .s 3 .p 5 .ilb out_0 out_1 .ob .accepting c -0 a a 01 a b 11 a c -- b b -- c c .e

Design the fixed component automaton F (see Problem 17.2). Compute the most general solution automaton. Minimize the most general solution automaton. To find a particular implementation, the most general solution automaton is split into two automata: the acceptance automaton and the path automaton. From the minimized most general solution automaton, obtain the acceptance and path automata. 6. Make progressive the acceptance automaton. 7. In the path automaton there are cycles and a state that cannot reach the target state f . Pre-process the path automaton to remove cycles consisting only of essential transitions and backward transition edges. 8. Extract a particular solution from the path automaton.

2. 3. 4. 5.

18.2. Compare the specifications of the Wolf–Goat–Cabbage game as described in Problem 17.2 as a regular game, and in Problem 18.2 as an !-regular game. Notice that the way to model a game that we described in Chap. 17 allows the possibility of meaningless solutions, e.g., in the Wolf–Goat–Cabbage example never getting all three on the opposite shore, i.e., essentially shuffling items back and forth forever; another example of meaningless solution might be that the system does not progress from the initial state. So it may be that the language of the solution of a

296


given game computed with that model is not empty, and yet there is no winning strategy, i.e., one that brings the game to a state that achieves the goal. Does the introduction of specifications expressed by co-Büchi automata address adequately these issues? Argue it in the case of the Wolf–Goat–Cabbage game. 18.3. Compare the models and solutions of the Wolf–Goat–Cabbage game as described in Problem 17.2 as a regular game, and in Problem 18.2 as an !-regular game. Are the solutions different? If no, why not? If yes, what is the interpretation of their differences with the respect to the acceptance conditions of the two models? 18.4. Aircraft Control The problem is to keep an airplane within a specified range of altitudes above ground, e.g., between 1 and 2 units of elevation above ground. The land elevation varies and there is a random up or down air draft causing the aircrafts rate of climb to alter. Notice that in the case of airplane control, if we adopt the point-of-view of Chap. 17 where we model the problem with FSMs and if we start on the ground, one solution would be that the system does not progress at all from the initial state, whereas we are looking for a control where we take off and finally keep within the interval of allowed elevations forever. For this reason we need to model the specification using co-Büchi conditions. The fixed automaton, F , describes the dynamics of the flight in terms of the planes position, elevation and rate of climb. It has 3 inputs, 1 for the random air draft input and 2 for the auto-pilot control. The auto-pilot has two controls to adjust the rate of climb, one can increase or decrease it by 1 or 2 units and the other is a binary boost which doubles the effect of the first input. The airplane takes off at the ground elevation, so it is not initially in the accepting set of states. The up or down draft of air is limited to affect the rate of climb by at most one unit. For simplicity, there are 16 ground positions with different elevations. The plane flies in a loop over these positions. The fixed part, F , describes these dynamics. It has two inputs from the controller, i1 and i2, and one output, out. The specification automaton has two states, a and c of which a is the initial state and c is the only accepting state. Its input, out, comes from the fixed part and simply indicates if the elevation is OK or not. There is a transition from a to c if out = OK and from c to a if out = notOK. This specification is clearly co-Büchi, but not co-looping since it is possible to exit the accepting set of states. Model and solve the aircraft control problem with the procedure described in this chapter. 18.5. Model and solve the application of the Guideway scheduling synthesis problem discussed in [119]. 18.6. In the co-Büchi case we find an automaton such that any cycle has all of its states in the set of final states. The first thing we do is to find the largest prefix-closed and input-progressive solution without enforcing the co-Büchi conditions. Then we trim this solution using the co-Büchi conditions by eliminating loops that are not contained in the final set. We keep the resulting automaton input-progressive while

Problems

297

we trim. Note that what is left is either empty or has one or more accepting loops. This is so because it has a finite number of states and it is input-progressive (there is always a next state). We obtain the final FSM by just selecting one that steers to one of the accepting loops. For Büchi conditions we cannot insist that the largest solution is prefix-closed even though we want to finally get an FSM from it. To get an FSM solution for Büchi conditions, we have to give up initially on the largest solution automaton to be prefix-closed and just get the largest solution. Afterwards, to find an FSM solution is a different problem that in general we did not address in this chapter except for the co-Büchi case where we can use some special properties. Discuss how to find an FSM solution when synthesizing for Büchi properties.

Chapter 19

Conclusions and Open Problems

The problem of finding an unknown component in a network of components in order to satisfy a global system specification was addressed. Abstract language equations of the type A X C and A ˘ X C were investigated, where and ˘ are operators of language composition. The most general solution was computed and various types of constrained solutions were studied. Then specialized language equations were introduced, such as regular and FSM language equations. The maximum subsets of them, closed with respect to various language properties, were studied; in particular the largest compositional solutions were studied. This approach unifies, in a seamless frame, previously reported techniques and appears capable of modeling problems with various notions of language acceptance, composition and conformance relations. Examples were discussed, such as a classical synthesis problem of a converter between a given mismatched pair of protocols, given their specifications, as well as those of the channel and of the required service. This problem was also addressed in the literature with supervisory control techniques. We were able to derive the largest solution, and the largest compositionally progressive solution, which were not previously reported in the literature. We applied this theory to sequential logic synthesis in order to derive results for some commonly studied topologies of networks of FSMs. A prototype software package – BALM – has been built to compute the solutions automatically. To assess the practical relevance of the method, we tested it in different applicative domains. We also investigated approximations of the exact solutions, to trade off flexibility vs. computational effort. A number of open problems have been mentioned already throughout the text, here are some open problems of a more general nature: 1. How to make the computations to solve language equations more scalable. In applicative domains like synthesis of sequential circuits, one can choose state-based representations vs. structural-based representations; the former are exponentially related to the latter. Language equations require state-based representations, which bounds the size of the problem instances that can be treated. It would T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9 19, © Springer Science+Business Media, LLC 2012

299

300

2.

3. 4. 5.

19 Conclusions and Open Problems

be interesting to study the level of system “granularity” at which the method is effective, and to interplay hierarchical decomposition with full flexibility at the feasible scale. How to select a behavior from the largest solution that yields the best replacement of the component to redesign under appropriate metrics, e.g., in sequential synthesis the cost functions are area, delay, etc. In case of FSM equations with respect to strict equality it is a problem even to extract an FSM solution itself. Extend BALM to solve equations whose specifications are expressed with more general ! conditions than co-Büchi ones. Study language equations over other types of formalisms widely used in the discrete event system community, like Petri Nets. Develop further the theory of realizability and synthesis for specifications expressed by classes of formulas in temporal logic of practical relevance.

Acknowledgments Robert Brayton, Alan Mishchenko, Nina Yevtushenko and Tiziano Villa gratefully acknowledge the support of the following NATO travel grants: Collaborative Linkage Grant. No. 971217, Collaborative Linkage Grant CBP.NR.CLG 982314. Tiziano Villa was partly supported by the EU projects FP7-IST-1-217069 COCONUT and FP7ICT-223844 CON4COORD. Nina Yevtushenko was partly supported by RFBR NNC grants No. 06-08-89500 and 10-0892003, and by a COOPERINT travel grant of the University of Verona. Robert Brayton and Alan Mishchenko were partly supported by NSF contracts CCR-0312676 and CCF-0702668. Alexandre Petrenko was partly supported by NSERC (Grant OGP0194381). Alberto Sangiovanni-Vincentelli was partly supported by the Gigascale Systems Research Center and by the Multiscale System Center, two of five research centers funded under the Focus Center Research Program, a Semiconductor Research Corporation program.

References

1. R. Anido, A.R. Cavalli, L.A. Paula Lima Jr., N. Yevtushenko, Test suite minimization for testing in context. Softw. Test. Verif. Reliab. 13(3), 141–155 (2003) 2. A. Arnold, Finite Transition Systems: Semantics of Communicating Systems. (Prentice Hall, Englewood Cliffs, NJ, 1994) 3. K. Avnit, A. Sowmya, A formal approach to design space exploration of protocol converters. in The Proceedings of the Design, Automation and Test in Europe Conference, pp. 129–134, April 2009 4. A. Aziz, F. Balarin, R.K. Brayton, M.D. Di Benedetto, A. Saldanha, A.L. SangiovanniVincentelli, Supervisory control of finite state machines. in Proceedings of the International Conference on Computer-Aided Verification, pp. 279–292, July 1995 5. A. Aziz, F. Balarin, R.K. Brayton, A. Sangiovanni-Vincentelli, Sequential synthesis using S1S. IEEE Trans. Comput. Aided Des. 19(10), 1149–1162 (2000) 6. F. Balarin, R. Passerone, Specification, synthesis, and simulation of transactor processes. IEEE Trans. CAD Integr. Circuits Syst. 26(10), 1749–1762 (2007) 7. M. Barbeau, R. St-Denis, Beyond the verification approach: the synthesis approach. in RealTime Systems: Modeling, Design, and Applications, eds. by D. Ionescu, A. Cornell (World Scientific, New York, 2007), pp. 197–218 8. G. Barrett, S. Lafortune, Bisimulation, the supervisory control problem and strong model matching for finite state machines. Discrete Event Dyn. Syst. Theory Appl. 8(4), 377–429 (1998) 9. M. Di Benedetto, A. Saldanha, A. Sangiovanni-Vincentelli, Model matching for finite state machines. in Proceedings of the IEEE Conference on Decision and Control, pp. 3117–3124, Dec 1994 10. M. Di Benedetto, A. Saldanha, A. Sangiovanni-Vincentelli, Strong model matching for finite state machines. in European Conference on Control, pp. 2027–2034, Sept 1995 11. M. Di Benedetto, A. Saldanha, A. Sangiovanni-Vincentelli, Strong model matching for finite state machines with non-deterministic reference model. in Proceedings of the IEEE Conference on Decision and Control, pp. 422–426, Dec 1995 12. M. Di Benedetto, A. Sangiovanni-Vincentelli, T. Villa, Model Matching for Finite State Machines. IEEE Trans. Automat. Control 46(11), 1726–1743 (2001) 13. P. Bhaduri, S. Ramesh, Interface synthesis and protocol conversion. Formal Aspects Comput. 20, 205–224 (2008). 10.1007/s00165-007-0045-4. 14. N. Blum, An O (n log n) implementation of the standard method for minimizing n-state finite automata. Inform. Process. Lett. 57, 65–69 (1996)

T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9, © Springer Science+Business Media, LLC 2012

301

302

References

15. R. Brayton, G. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. Ranjan, S. Sarwary, T. Shiple, G. Swamy, T. Villa, VIS. in Proceedings of the Conference on Formal Methods in ComputerAided Design, eds. by M. Srivas, A. Camilleri. volume 1166 of LNCS, pp. 248–256. (Springer, Berlin, 1996) 16. R. Brayton, G. Hachtel, A. Sangiovanni-Vincentelli, F. Somenzi, A. Aziz, S.-T. Cheng, S. Edwards, S. Khatri, Y. Kukimoto, A. Pardo, S. Qadeer, R. Ranjan, S. Sarwary, T. Shiple, G. Swamy, T. Villa, VIS: A System for Verification and Synthesis. in Proceedings of the Conference on Computer-Aided Verification, eds. by R. Alur, T. Henzinger. volume 1102 of LNCS, pp. 332–334. (Springer, Berlin, 1996) 17. R. Brayton, F. Somenzi, An exact minimizer for Boolean relations. in The Proceedings of the International Conference on Computer-Aided Design, pp. 316–319, Nov 1989 18. J. Brzozowski, Minimization by reversal is not new. Bull. Eur. Assoc. Theor. Comput. Sci. 37, 130 (1989) 19. J.R. Büchi, The collected works of J. Richard Büchi. (Springer, Berlin, 1990) 20. J.R. Büchi, L.H. Landweber, Solving sequential conditions by finite state strategies. Trans. Am. Math. Soc. 138, 295–311 (1969) 21. S. Buffalov, K. El-Fakih, N. Yevtushenko, G.V. Bochmann, Progressive solutions to a parallel automata equation. in Proceedings of the IFIP 23rd International Conference on Formal Techniques for Networked and Distributed Systems (FORTE 2003), volume 2767 of LNCS, pp. 367–382. (Springer, Berlin, 2003) 22. J.R. Burch, D. Dill, E. Wolf, G. DeMicheli, Modelling hierarchical combinational circuits. in The Proceedings of the International Conference on Computer-Aided Design, pp. 612–617, Nov. 1993 23. V. Bushkov, Deriving supervisors for non-terminal systems by solving equations over omegalanguages. Master’s thesis, Tomsk State University, Russia, 2010. (In Russian, Original title: Sintes compensatorov dlia sistem s neterminalnim povedeniem na osnove rescenia uravnenia dlia omega-iazikov) 24. V. Bushkov, N. Yevtushenko, Solving parallel equations over !-languages. in Prikladnaya Diskretnaya Matematika (Discrete Applied Mathematics), N. 2, 117–123 (2010) (In Russian) 25. C. C. Cassandras, S. Lafortune, Introduction to Discrete Event Systems. (Kluwer, Dordrecht, 1999) 26. A.R. Cavalli, D. Lee, C. Rinderknecht, F. Zaidi, Hit-or-jump: An algorithm for embedded testing with applications to IN services. in FORTE, pp. 41–56 (1999) 27. E. Cerny, Controllability and fault observability in modular combinational circuits. IEEE Trans. Comput. C-27(10), 896–903 (1978) 28. E. Cerny, Verification of I/O trace set inclusion for a class of non-deterministic finite state machines. in The Proceedings of the International Conference on Computer Design, pp. 526–530, Oct. 1992 29. E. Cerny, M. Marin, An approach to unified methodology of combinational switching circuits. IEEE Trans. Comput. C-26(8), 745–756 (1977) 30. P. Chauhan, E. Clarke, S. Jha, J. Kukula, T. Shiple, H. Veith, D. Wang, Non-linear quantification scheduling in image computation. in The Proceedings of the International Conference on Computer-Aided Design, pp. 293–298, Nov. 2001 31. A. Church, Logic, arithmetic and automata. in Proceedings of the International Congress of Mathematicians, pp. 21–35 (1963) 32. M. Damiani, The state reduction of nondeterministic finite-state machines. IEEE Trans. Comput. Aided Des. 16(11), 1278–1291 (1997) 33. C. Demetrescu, I. Finocchi, Combinatorial algorithms for feedback problems in directed graphs. Inf. Process. Lett. 86(3), 129–136 (2003) 34. S. Devadas, Optimizing interacting finite state machines using sequential don’t cares. IEEE Trans. Comput. Aided Des. 10(12), 1473–1484 (1991) 35. D. Dill, Trace Theory for Automatic Hierarchical Verification of Speed-Independent Circuits. (MIT, Cambridge, 1989)

References

303

36. J. Drissi, G.V. Bochmann, Submodule construction for systems of I/O automata. Technical Report #1133, DIRO, Universite’ de Montreal, Canada, 1999 37. N. Eén, N. Sörensson, An extensible SAT-solver. in Theory Applications of Satisfiability Testing. (Springer, Berlin, 2004), pp. 502–518 38. K. El-Fakih, S. Buffalov, N. Yevtushenko, G.V. Bochmann, Progressive solutions to a parallel automata equation. Theor. Comput. Sci. 362, 17–32 (2006) 39. K. El-Fakih, N. Yevtushenko, Fault propagation by equation solving. in FORTE, eds. by D. de Frutos-Escrig, M. Nún˜ ez. volume 3235 of Lecture Notes in Computer Science. (Springer, Berlin, 2004), pp. 185–198 40. F. Ferrandi, F. Fummi, E. Macii, M. Poncino, D. Sciuto, Symbolic optimization of interacting controllers based on redundancy identification and removal. IEEE Trans. Comput. Aided Des. 19(7), 760–72 (2000) 41. FIRE. A C++ Toolkit for Finite Automata and Regular Expressions. Software package, available at www.RibbitSoft.com 42. E. Friedgut, O. Kupferman, M.Y. Vardi, Büchi complementation made tighter. Int. J. Found. Comput. Sci. 17(4), 851–868 (2006) 43. FSA6.2XX. Finite State Automata Utilities. Software package, available at http://odur.let.rug. nl/ vannoord/Fsa 44. M. Fujita, Y. Matsunaga, M. Ciesielski, Multi-level logic optimization. in Logic Synthesis and Verification, eds. by R. Brayton, S. Hassoun, T. Sasao. (Kluwer, Dordrecht, 2001), pp. 29–63 45. D. Gale, F.M. Stewart, Infinite games with perfect information. in Contributions to the Theory of Games. (Princeton University Press, Princeton, 1953), pp. 245–266 46. M. Gao, J.-H. Jiang, Y. Jiang, Y. Li, A. Mishchenko, S. Sinha, T. Villa, R. Brayton, Optimization of multi-valued multi-level networks. in The Proceedings of the International Symposium on Multiple-Valued Logic, pp. 168–177, May 2002 47. X.-J. Geng, J. Hammer, Input/output control of asynchronous sequential machines. IEEE Trans. Automat. Control 50(12), 1956–1970 (2005) 48. P. Gohari, W.M. Wonham, On the complexity of supervisory control design in the RW framework. IEEE Trans. Syst. Man Cybern. B-30(5), 643–652 (2000) 49. Graphviz, Graph Visualization Software. Software package, available at http://www.graphviz. org 50. A. Grasselli, F. Luccio, A method for minimizing the number of internal states in incompletely specified sequential networks. IRE Trans. Electron. Comput. EC-14(3), 350–359 (1965) 51. D. Gries, Describing an algorithm by Hopcroft. Acta Inform. 2, 97–109 (1973) 52. MVSIS Research Group, MVSIS: Logic Synthesis and Verification. Website at http:// embedded.eecs.berkeley.edu/Respep/Research/mvsis/ 53. S. Gurumurthy, O. Kupferman, F. Somenzi, M.Y. Vardi, On complementing nondeterministic Büchi automata. In 12th Advanced Research Working Conference on Correct Hardware Design and Verification Methods, Lecture Notes in Computer Science. (Springer, Berlin, 2003) 54. G. Hachtel, F. Somenzi, Logic Synthesis and Verification Algorithms. (Kluwer, Dordrecht, 1996) 55. E. Haghverdi, H. Ural, Submodule construction from concurrent system specifications. Inform. Softw. Technol. 41(8), 499–506 (1999) 56. H. Hallal, R. Negulescu, A. Petrenko, Design of divergence-free protocol converters using supervisory control techniques. in 7th IEEE International Conference on Electronics, Circuits and Systems, ICECS 2000, vol. 2, pp. 705–708, Dec 2000 57. S. Hassoun, T. Villa, Optimization of synchronous circuits. in Logic Synthesis and Verification, eds. by R. Brayton, S. Hassoun, T. Sasao. (Kluwer, Dordrecht, 2001), pp. 225–253 58. T.A. Henzinger, S.C. Krishnan, O. Kupferman, F.Y.C. Mang, Synthesis of uninitialized systems. in ICALP, eds. by P. Widmayer, F.T. Ruiz, R.M. Bueno, M. Hennessy, S. Eidenbenz, R. Conejo. volume 2380 of Lecture Notes in Computer Science. (Springer, Berlin, 2002), pp. 644–656

304

References

59. M. Heymann, F. Lin, Discrete-event control of nondeterministic systems. IEEE Trans. Automat. Control 43(1), 3–17 (1998) 60. R.M. Hierons, Using candidates to test a deterministic implementation against a nondeterministic finite state machine. Comput. J. 46(3), 307–318 (2003) 61. L.E. Holloway, B.H. Grogh, A. Giua, A survey of Petri net methods for controlled discrete event systems. Discrete Event Dyn. Syst. Theory Appl. 7(2), 151–190 (1997) 62. J.E. Hopcroft, An n log n algorithm for minimizing states in a finite automaton. in Theory of Machines and Computations, eds. by Z. Kohavi, A. Paz. (Academic, New York, 1971), pp. 189–196 63. J.E. Hopcroft, R. Motwani, J.D. Ullman, Introduction to Automata Theory, Languages, and Computation. (Addison-Wesley Publishing Company, Readings, MA, 2001) 64. R.M. Jensen, DES controller synthesis and fault tolerant control. Technical Report TR-200340, The IT University of Copenaghen, Dec 2003 65. T. Kam, T. Villa, R. Brayton, A. Sangiovanni-Vincentelli, Implicit computation of compatible sets for state minimization of ISFSMs. IEEE Trans. Comput. Aided Des. 16(7), 657–676 (1997) 66. T. Kam, T. Villa, R. Brayton, A. Sangiovanni-Vincentelli, Synthesis of FSMs: functional optimization. (Kluwer, Boston, 1997) 67. T. Kam, T. Villa, R. Brayton, A. Sangiovanni-Vincentelli, Theory and algorithms for state minimization of nondeterministic FSMs. IEEE Trans. Comput. Aided Des. 16(11), 1311– 1322 (1997) 68. S. Khatri, A. Narayan, S. Krishnan, K. McMillan, R. Brayton, A. Sangiovanni-Vincentelli, Engineering change in a non-deterministic FSM setting. in The Proceedings of the Design Automation Conference, pp. 451–456, June 1996 69. J. Kim, M.M. Newborn, The simplification of sequential machines with input restrictions. IRE Trans. Electron. Comput. 1440–1443 (1972) 70. N. Klarlund, Mona & Fido: The logic-automaton connection in practice. in Computer science logic : 11th international workshop, CSL ’97, eds. by M. Nielsen, W. Thomas. volume 1414 of LNCS. (Springer, Berlin, 1998), pp. 311–26 71. N. Klarlund, A. Moller, MONA version 1.3 user manual. Note Series NS-98-3, BRICS, Oct 1998 72. Z. Kohavi, Switching and Finite Automata Theory, 2nd edn. (McGraw-Hill Book Company, New York, 1978) 73. D.C. Kozen, Theory of Computation. (Springer, Berlin, 2006) 74. S.C. Krishnan, !-Automata, Games and Synthesis. PhD thesis, EECS Department, University of California, Berkeley, 1998. Tech. Report No. UCB/ERL M98/30 75. Y. Kukimoto, the VIS Group, BLIF-MV. Website at http://vlsi.colorado.edu/ vis/usrDoc. html and http://embedded.eecs.berkeley.edu/ vis/usrDoc.html 76. R. Kumar, V. Garg, S.I. Marcus, On controllability and normality of discrete event dynamical systems. Syst. Control Lett. 17(3), 157–168 (1991) 77. R. Kumar, V.K. Garg, Modeling and Control of Logical Discrete Event Systems. (Kluwer, Dordrecht, 1995) 78. R. Kumar, S. Nelvagal, S.I. Marcus, A discrete event systems approach for protocol conversion. Discrete Event Dyn. Syst. Theory Appl. 7(3), 295–315 (1997) 79. R. Kumar, M.A. Shayman, Non-blocking supervisory control of nondeteministic sysmtes via prippritized synchronization. IEEE Trans. Automat. Control 41(8), 1160–1175 (1996) 80. O. Kupferman, M.Y. Vardi, On bounded specifications. in LPAR ’01: Proceedings of the Artificial Intelligence on Logic for Programming, London, UK. (Springer, New Yo, 2001), pp. 24–38 81. R.P. Kurshan, Complementing deterministic Büchi automata in polynomial time. J. Comput. Syst. Sci. 35(1), 59–71 (1987) 82. R.P. Kurshan, Computer-Aided Verification of Coordinating Processes. (Princeton University Press, Princeton, 1994)

References

305

83. R.P. Kurshan, M. Merritt, A. Orda, S.R. Sachs, Modelling asynchrony with a synchronous model. Formal Methods Syst. Des. 15(3), 175–199 (1999) 84. D. Lee, K.K. Sabnani, D.M. Kristol, S. Paul, Conformance testing of protocols specified as communicating finite state machines-a guided random walk based approach. Commun. IEEE Trans. 44(5), 631–640 (1996) 85. B. Lin, A.R. Newton, Implicit manipulation of equivalence classes using binary decision diagrams. in The Proceedings of the International Conference on Computer Design, pp. 81–85, Sept 1991 86. B. Lin, Synthesis of VLSI designs with symbolic techniques. PhD thesis, U.C. Berkeley, Tech. Report No. UCB/ERL M91/105, 1991 87. R. Lisanke, Logic synthesis benchmark circuits for the International Workshop on Logic Synthesis, May 1989 88. T.-H. Liu, A. Aziz, V. Singhal, Optimizing designs containing black boxes. ACM Trans. Des. Autom. Electron. Syst. 6(4), 591–601 (2001) 89. N. Lynch, M. Tuttle, An introduction to input/output automata. CWI Q 2(3) 219–246 (1989) 90. W.C. Mallon, J.T. Tijmen, T. Werhoeff, Analysis and applications of the XDI model. in International Symposium on Advanced Research in Asynchronous Circuits and Systems, pp. 231–242, 1999 91. H. Marchand, S. Pinchinat, Supervisory control problem using symbolic bisimulation techniques. in Proceedings of 2000 American Control Conference, pp. 4067–4071, June 2000 92. J.P. Marques-Silva, K.A. Sakallah, Grasp: A search algorithm for propositional satisfiability. IEEE Trans. Comput. 48(5), 506–521 (1999) 93. R. McNaughton, Büchi’s sequential calculus. in The collected works of J. Richard Büchi, eds. by S. Mac Lane, D. Siefkes. (Springer, Berlin, 1990), pp. 382–97 94. P. Merlin, G.V. Bochmann, On the construction of submodule specifications and communication protocols. ACM Trans. Programm. Lang. Syst. 5(1), 1–25 (1983) 95. G. De Micheli, Synthesis and Optimization of Digital Circuits. (McGraw-Hill, New York, 1994) 96. A. Mishchenko, R.K. Brayton, SAT-based complete don’t-care computation for network optimization. in The Proceedings of the Design, Automation and Test in Europe Conference, vol. 01, pp. 412–417, Mar 2005 97. A. Mishchenko, M.L. Case, R.K. Brayton, S. Jang, Scalable and scalably-verifiable sequential synthesis. in The Proceedings of the International Conference on Computer-Aided Design, Nov 2008 98. A. Montanari, Linguaggi formali, automi e logiche. Classroom notes (in Italian), Department of Mathematics and Computer Science, University of Udine, Apr 2011 99. T.E. Murphy, X.-J. Geng, J. Hammer, On the control of asynchronous machines with races. IEEE Trans. Automat. Control 48(6), 1073–1081 (2003) 100. R. Negulescu, Process spaces. in Proceedings of CONCUR 2000, 11th International Conference on Concurrency Theory, ed. by C. Palamidessi. volume 1877 of LNCS, pp. 199–213. (Springer, New York, 2000) 101. A. Overkamp, Supervisory control using failure semantics and partial specifications. IEEE Trans. Automat. Control 42(4), 498–510 (1997) 102. R. Passerone, Semantic Foundations for Heterogeneous Systems. PhD thesis, EECS Department, University of California, Berkeley, 2004 103. R. Passerone, Interface specification and converter synthesis. in Embedded Systems Handbook, ed. by R. Zurawski. (CRC, Taylor and Francis Group, 2005) 104. R. Passerone, L. de Alfaro, T.A. Henzinger, A.L. Sangiovanni-Vincentelli, Convertibility verification and converter synthesis: two faces of the same coin. in ICCAD, eds. by L.T. Pileggi, A. Kuehlmann. (ACM, New York, 2002), pp. 132–139 105. R. Passerone, J.A. Rowson, A.L. Sangiovanni-Vincentelli, Automatic synthesis of interfaces between incompatible protocols. in DAC, pp. 8–13, 1998 106. J. Peng, J. Hammer, Input/output control of asynchronous sequential machines with races. Int. J. Control 83(1), 125–144 (2010)

306

References

107. A. Petrenko, N. Yevtushenko, Solving asynchronous equations. in Formal Description Techniques and Protocol Specification, Testing and Verification – FORTE XI/PSTV XVIII ’98, eds. by S. Budkowski, A. Cavalli, E. Najm. (Kluwer, Dordrecht, 1998), pp. 231–247 108. A. Petrenko, N. Yevtushenko, Conformance tests as checking experiments for partial nondeterministic FSM. in FATES 2005, eds. by W. Grieskamp, C. Weise. volume 3997 of Lecture Notes in Computer Science. (Springer, Berlin, 2005), pp. 118–133 109. A. Petrenko, N. Yevtushenko, G.V. Bochmann, Fault models for testing in context. in IFIP TC6/ 6.1 international conference on formal description techniques IX/protocol specification, testing and verification XVI on Formal description techniques IX : theory, application and tools, pp. 163–178, London, UK, 1996. Chapman & Hall, Ltd. 110. A. Petrenko, N. Yevtushenko, G.V. Bochmann, Testing faults in embedded components. in Proceedings of the 10th International Workshop on Testing of Communicating Systems – IFIP IWTCS97, pp. 272–287, Sept 8–10, 1997 111. A. Petrenko, N. Yevtushenko, R. Dssouli, Testing strategies for communicating finite state machines. in IFIP WG 6.1 International Workshop on Protocol Test Systems (7th : 1994 : Tokyo, Japan), eds. by T. Mizuno, T. Higashino, N. Shiratori. (Chapman & Hall, London, 1995), pp. 193–208 112. A. Petrenko, N. Yevtushenko, A. Lebedev, A. Das, Non-deterministic state machines in protocol conformance testing. in IFIP TC6/WG6.1 International Workshop on Protocol Test Systems (6th : 1993 : Pau, France), ed. by O. Rafiq. (North-Holland, Amsterdam, 1994), pp. 363–378 113. A. Petrenko, N. Yevtushenko, G.V. Bochmann, Testing deterministic implementations from nondeterministic FSM specifications. in Testing of Communicating Systems, Selected proceedings of the IFIP TC6 9th international workshop on Testing of communicating systems. (Chapman & Hall, Ltd., London, UK, 1996), pp. 125–140 114. A. Petrenko, N. Yevtushenko, G.V. Bochmann, R. Dssouli, Testing in context: framework and test derivation. Comput. Commun. 19(14), 1236–1249 (1996) 115. C.P. Pfleeger, State reduction in incompletely specified finite state machines. IEEE Trans. Comput. 1099–1102 (1973) 116. C. Pixley, A computational theory and implementation of sequential hardware equivalence. in DIMACS Technical Report 90-31, volume 2, Workshop on Computer-Aided Verification, eds. by R. Kurshan, E.M. Clark (1990) 117. The Grail+ Project, A Symbolic Computation Environment for Finite-State Machines, Regular Expressions, and Finite Languages. Software package, available at http://www.csd. uwo.ca/research/grail 118. H. Qin, P. Lewis, Factorisation of finite state machines under strong and observational equivalences. Formal Aspect. Comput. 3, 284–307 (1991) 119. P. Ramadge, W. Wonham, The control of discrete event systems. Proc. IEEE 77(1), 81–98 (1989) 120. R. Ranjan, A. Aziz, R. Brayton, B. Plessier, C. Pixley, Efficient BDD algorithms for FSM synthesis and verification. International Workshop on Logic Synthesis, 1995 121. J.-K. Rho, F. Somenzi, Don’t care sequences and the optimization of interacting finite state machines. IEEE Trans. Comp. Aided Des. 13(7), 865–874 (1994) 122. M. Roggenbach, Determinization of Büchi-automata. In Automata logics, and infinite games: a guide to current research, (Springer, New York, 2002), pp. 43–60 123. K. Rohloff, S. Lafortune, PSPACE-completeness of modular supervisory control problems. Discrete Event Dyn. Syst. Theo. Appl. 15(2), 145–167 (2005) 124. K.R. Rohloff, Computations on Distributed Discrete-Event Systems. PhD thesis, University of Michigan, May 2004 125. E. Sentovich, K. Singh, L. Lavagno, C. Moon, R. Murgai, A. Saldanha, H. Savoj, P. Stephan, R. Brayton, A. Sangiovanni-Vincentelli, SIS: A system for sequential circuit synthesis. Technical report, Tech. Rep. No. UCB/ERL M92/41, Berkeley, CA, May 1992. 126. J. Shallit, A Second Course in Formal Languages and Automata Theory. (Cambridge U.P., 2009)

References

307

127. V. Singhal, C. Pixley, A. Aziz, R.K. Brayton, Theory of safe replacements for sequential circuits. IEEE Trans. Comp. Aided Des. 20(2), 249–265 (2001) 128. V. Singhal, C. Pixley, A. Aziz, R.K. Brayton, Sequential optimization in the absence of global reset. ACM Trans. Des. Autom. Electron. Syst. 8(2), 222–251 (2003) 129. V. Singhal, Design Replacements for Sequential Circuits. PhD thesis, University of California, Berkeley, March 1996. Tech. Report No. UCB/ERL M96/10. 130. P. H. Starke, Abstract Automata. (North-Holland Pub. Co.; American Elsevier Pub. Co., 1972) 131. Information Technology. Conformance testing methodology and framework, 1991. 132. J.W. Thatcher, J.B. Wright, Generalized finite automata with an application to a decision problem of second-order logic. Math. Syst. Theor. 2, 57–82 (1968) 133. N. Venkatraman, J. Hammer, On the control of asynchronous sequential machines with infinite cycles. Int. J. Contr. 79(7), 764–785 (2006) 134. M. Vetrova Designing and Testing FSM compensators. PhD thesis, Tomsk State University, Russia, 2004. (in Russian) 135. T. Villa, T. Kam, R. Brayton, A. Sangiovanni-Vincentelli, Explicit and implicit algorithms for binate covering problems. IEEE Trans. Comput. Aided Des. 16(7), 677–691 (1997) 136. T. Villa, T. Kam, R. Brayton, A. Sangiovanni-Vincentelli, Synthesis of FSMs: logic optimization (Kluwer Academic Publishers, Boston, 1997) 137. C. Wang, G. Hachtel, F. Somenzi, The compositional far side of image computation, in The Proceedings of the International Conference on Computer-Aided Design, pages 334–340, November 2003 138. G. Wang, A. Mishchenko, R. Brayton, A. Sangiovanni-Vincentelli, Synthesizing FSMs according to co-Büchi properties. Technical Report UCB/ERL M05/13, EECS Department, University of California, Berkeley, Apr 2005. 139. H.-Y. Wang and R.K. Brayton. Input don’t care sequences in FSM networks. In The Proceedings of the International Conference on Computer-Aided Design, pages 321–328, November 1993 140. H.-Y. Wang, R.K. Brayton, Permissible observability relations in FSM networks, in The Proceedings of the Design Automation Conference, pages 677–683, June 1994 141. H.-Y. Wang, R.K. Brayton, Multi-level logic optimization of FSM networks, in The Proceedings of the International Conference on Computer-Aided Design, pages 728–735, November 1995 142. Y. Watanabe, R.K. Brayton, The maximum set of permissible behaviors for FSM networks, in IEEE International Conference on Computer-Aided Design, pages 316–320, November 1993 143. Y. Watanabe, R.K. Brayton, State minimization of pseudo non-deterministic FSM’s, in European Conference on Design Automation, pages 184–191, March 1994 144. B.W. Watson, Implementing and using finite automata toolkits. Nat. Lang. Eng. 2(4), 295–302 (1996) 145. E. Wolf, Hierarchical Models of Synchronous Circuits for Formal Verification and Substitution. PhD thesis, Stanford University, September 1995. Tech. Report No. CS-TR-95-1557 146. J.-M. Yang, J. Hammer, State feedback control of asynchronous sequential machines with adversarial inputs. Int. J. Contr. 81(12), 1910–1929 (2008) 147. N. Yevtushenko, I. Koufareva, Studying relations between nondeterministic Finite State Machines. Technical report, Spectrum Publishers, Tomsk, 2001. (In Russian) 148. N. Yevtushenko, T. Villa, R. Brayton, A. Petrenko, A. Sangiovanni-Vincentelli, Compositionally progressive solutions of synchronous language equations, in International Workshop on Logic and Synthesis, May 2003 149. N. Yevtushenko, T. Villa, R. Brayton, A. Petrenko, A. Sangiovanni-Vincentelli, Compositionally progressive solutions of synchronous FSM equations. Discrete. Event. Dyn. Syst. 18(1), 51–89 (2008) 150. N. Yevtushenko, T. Villa, S. Zharikova, Solving language equations over synchronous and parallel composition operators, in Proceedings of the 1st International Workshop on Theory and Applications of Language Equations, ed. by M. Kunc, A. Okhotin TALE 2007, Turku (Finland), 2 July 2007, pages 14–32. Turku Centre for Computer Science, 2007

308

References

151. N. Yevtushenko, S. Zharikova, M. Vetrova, Multi component digital circuit optimization by solving FSM equations, in Proceedings of the Euromicro Symposium on Digital Systems Design, DSD ’03, pages 62–68, Washington, DC, USA, 2003. IEEE Computer Society 152. N.V. Yevtushenko, A.Y. Matrosova, Synthesis of checking sequences for automaton networks. Automat. Contr. Comput. Sci. 25(2), 1–4 (1991) 153. S. Zharikova, Digital circuits optimization through solving a system of FSM equations. In Vestnik TSU, Tomsk, N. 1, pages 255–259, 2002. (In Russian) 154. S. Tikhomirova, Optimizing multi component discrete event systems based on FSM/automata equation solving. PhD thesis, Tomsk State University, Russia, 2008. (in Russian) 155. C. Zhou, R. Kumar, S. Jiang, Control of nondeterministic discrete event systems for bisimulation equivalence. In Proceedings of 2004 American Control Conference, pages 4488– 4492, June 2004

Index

Symbols !-automaton, 73 !-expansion, *! , 80 !-parallel complementation, 82 !-parallel composition, ˘! , 82 !-product, \! , 81 !-restriction, +! , 81 Büchi automaton, 73 co-Büchi automaton, 285 co-looping automaton, 285 looping automaton, 285 Muller automaton, 77 run, 73 accepting, 73 !-language, 73 !-expansion, *! , 78 !-parallel composition, ˘! , 79 !-parallel equation, 80 !-regular, 74 !-restriction, +! , 79

BLIF-MV format, 138 BLIF-MV format for automata, 145 BLIF-MV vs. AUT formats, 142 scripts for synthesis, 146

C compositionally prefix *-convergent solution, 66 compositionally prefix *-deadlock-free solution, 66 compositionally prefix *-progressive solution, 66

E equations over !-languages, 78 equations over process languages and process algebras, 98

!

limit set of language W , W or li m.W /, 73 symbols of !-word ˛ visited infinitely often, I nf .˛/, 73 !-regular expression, 74 !-word, 73 definitively periodic, 74 A alphabet, 9 B BALM, 137 AUT format, 140 BALM commands, 149

F finite automaton (FA), 14 accepted language of FA F , Lr .F /, 15 co-accessible, 252 complete, 15 deterministic (DFA), 15 marked state, 252 nondeterministic (NDFA), 15 partial, 15 trim, 252 finite state machine (FSM), 37 Ik -forbidden state, 234 [-language of FSM M , L[ r .M /, 39 -language of FSM M , L r .M /, 39 l-bounded parallel composition of FSMs, 68

T. Villa et al., The Unknown Component Problem: Theory and Applications, DOI 10.1007/978-0-387-68759-9, © Springer Science+Business Media, LLC 2012

309

310 finite state machine (FSM) (cont.) behavior, 39 complete, 37 deterministic (DFSM), 37 equivalence (for states or FSMs), Š, 39 FSM language, 39 full Ik -projection, 234 incompletely specified (ISFSM), 38 intersection, 206 inverse automaton of FSM F , F 1 , 213 largest FSM language of L, LFSM , 40 Moore, 38 non-deterministic (NDFSM), 37 parallel composition, ˘, 48 parallel FSM equation, 59 partial, 37 pseudo non-deterministic or observable (PNDFSM), 38 reduced, 39 reduction (for states or FSMs), , 39 submachine, 37 synchronous composition, , 45 synchronous FSM equation, 51 trivial, 37 FSM network synthesis by WS1S, 93

I input don’t care sequences, 86 input don’t care set, 85 input sequential don’t care set, 86

L language, 9 I -progressive, 16 largest I -progressive language L, P rog.L/, 16 IO-prefix-closed, 16 IO-progressive, 16 I U ? O-progressive, 16 I+ -defined, 17 I# -defined, 16 U -convergent, 18 U -deadlock-free, 17 U -divergent, 18 l-bounded expansion, *l , 11 l-bounded parallel composition, ˘l , 18 bounded Kleene closure, 9 complement, 9 compositionally I -progressive, 20 compositionally I U ? O-progressive, 20 concatenation, 9

Index difference, 9 expansion, * , 11 homomorphism, 10 intersection, 9 Kleene closure, 9 largest prefix-closed language L, LP ref , 9 lifting, " , 10 Moore, 16 parallel composition, ˘, 18 parallel equation, 23 largest solution, 23 solution, 23 trivial solution, 24 prefix-closed, 16 prefix-closure of L, P ref .L/, 9 projection, # , 10 regular, 15 restriction, + , 10 substitution, 10 synchronous composition, , 18 synchronous equation, 21 largest solution, 21 solution, 21 trivial solution, 21 union, 9

M manipulation of finite automata, 109 complementation, 116 completion, 113 determinization, 114 input-progressive, 117 prefix-closed, 117 product, 117 state minimization, 119 STG extraction, 111 support, 116

O operations in BALM, 157 changing the support, 160 completing an automaton, 159 determinizing, 161 extracting an automaton from a sequential circuit, 158 taking the product of two automata, 162 output don’t care sequences, 89 output don’t care sets, 85 output sequential don’t care sets, 86

Index R regular expression, 15 representation of sequential circuits, 122 monolithic relations, 125 partitioned relations, 125 complementation, 127 completion, 126 determinization, 128 hiding variables, 128 product computation, 127

S simulation relation, sim , 211, 215 maximal,Hmax , 211 state minimization closed compatible, 229 compatible (set of states), 228

311 covering by a compatible, 229 prime compatible, 229 prime domination (by a compatible), 229 supervisor, 247 ˙uc -extension, *˙uc , 257 compositionally progressive,non-blocking, 253 controllability condition, 256 controller, 256 weak controller, 257 system of FSM equations, 203

W window, 188 distance-k nodes, 189 distance-k path, 189 leaf/root relation, 188

The Unknown Component Problem: Theory and Applications

Satisfiability problem: theory and applications

State Space and Unobserved Component Models: Theory and Applications

Traveling Salesman Problem, Theory and Applications

State Space and Unobserved Component Models: Theory and Applications

State Space and Unobserved Component Models: Theory and Applications

Multi-Component Molecular Orbital Theory

The Moral Problem (Philosophical Theory)

The Unknown

Unknown

Unknown

Unknown

Unknown

Unknown

Unknown

Inverse problem Theory

The Unknown

The Unknown

UWB: Theory and Applications

Matrices: Theory and Applications

Graph Theory and Applications

Bifurcation Theory and Applications

Supermanifolds : theory and applications

Superconductivity – Theory and Applications

Rigidity theory and applications

Nucleation Theory and Applications

Multifractals. Theory and applications

Matrices theory and applications

Wavelets: Theory and applications

Graph Theory and Applications

Matrices: theory and applications

The Unknown Component Problem: Theory and Applications

Satisfiability problem: theory and applications

State Space and Unobserved Component Models: Theory and Applications

Traveling Salesman Problem, Theory and Applications

State Space and Unobserved Component Models: Theory and Applications

State Space and Unobserved Component Models: Theory and Applications

Multi-Component Molecular Orbital Theory

The Moral Problem (Philosophical Theory)

The Unknown

Unknown

Unknown

Unknown

Unknown

Unknown

Unknown

Inverse problem Theory

The Unknown

The Unknown

UWB: Theory and Applications

Matrices: Theory and Applications

Graph Theory and Applications

Bifurcation Theory and Applications

Supermanifolds : theory and applications

Superconductivity – Theory and Applications

Rigidity theory and applications

Nucleation Theory and Applications

Multifractals. Theory and applications

Matrices theory and applications

Wavelets: Theory and applications

Graph Theory and Applications

Matrices: theory and applications

Recommend Documents