From Boolean Functional Equations to Control Software

Federico Mari, Igor Melatti, Ivano Salvo, Enrico Tronci
Department of Computer Science, Sapienza University of Rome, via Salaria 113, 00198 Rome
email: {mari,melatti,salvo,tronci}@di.uniroma1.it
November 23, 2018

Abstract

Many software as well as digital hardware automatic synthesis methods define the set of implementations meeting the given system specifications with a boolean relation K. In such a context a fundamental step in the software (hardware) synthesis process is finding effective solutions to the functional equation defined by K. This entails finding a (set of) boolean function(s) F (typically represented using OBDDs, Ordered Binary Decision Diagrams) such that: 1) for all x for which K is satisfiable, $K(x, F(x)) = 1$ holds; 2) the implementation of F is efficient with respect to given implementation parameters such as code size or execution time. While this problem has been widely studied in digital hardware synthesis, little has been done in a software synthesis context. Unfortunately the approaches developed for hardware synthesis cannot be directly used in a software context. This motivates investigation of effective methods to solve the above problem when F has to be implemented with software.

In this paper we present an algorithm that, from an OBDD representation for K, generates a C code implementation for F that has the same size as the OBDD for F and a WCET (Worst Case Execution Time) at most $O(nr)$, being $n = |x|$ the number of input arguments for functions in F and r the number of functions in F.

1 Introduction

Many software as well as digital hardware automatic synthesis methods define the set of implementations meeting the given system specifications with a boolean relation K.
Such a relation typically takes as input (the n-bit encoding of) a state x of the system and (the r-bit encoding of) a proposed action u to be performed, and returns true (i.e. 1) iff the system specifications are met when performing action u in state x. In such a context a fundamental step in the software (hardware) synthesis process is finding effective solutions to the functional equation defined by K, i.e. $K(x, u) = 1$. This entails finding a tuple of boolean functions $F = \langle f_1, \ldots, f_r \rangle$ (typically represented using OBDDs, Ordered Binary Decision Diagrams [4]) s.t. 1) for all x for which K is satisfiable (i.e., it enables at least one action), $K(x, F(x)) = 1$ holds, and 2) the implementation of F is efficient with respect to given implementation parameters such as code size or execution time.

While this problem has been widely studied in digital hardware synthesis [2], little has been done in a software synthesis context. This is not surprising since software synthesis from formal specifications is still in its infancy. Unfortunately the approaches developed for hardware synthesis cannot be directly used in a software context. In fact, synthesis methods targeting a hardware implementation typically aim at minimizing the number of digital gates and of hierarchy levels. Since in the same hierarchy level gate outputs are computed in parallel, the hardware implementation WCET (Worst Case Execution Time) is given by the number of levels. On the other hand, a software implementation will have to sequentially compute the gate outputs. This implies that the software implementation WCET is the number of gates used, while a synthesis method targeting a software implementation may obtain a better WCET.
This motivates investigation of effective methods to solve the above problem when F has to be implemented with software.

1.1 Our Contribution

In this paper we present an algorithm that, from an OBDD representation for K, effectively generates a C code implementation for K. This is done in two steps:

1. from an OBDD representation for K we effectively compute an OBDD representation for F, following the lines of [10];
2. we generate a C code implementation for F that has the same size as the OBDD for F and an $O(nr)$ WCET, being $n = |x|$ the size of the state encoding and $r = |u|$ the size of the action encoding. Indeed, we prove a stricter upper bound for the WCET by also considering the heights of the OBDDs representing F.

We formally prove both steps 1 and 2 to be correct. This allows us to synthesize correct-by-construction control software, provided that K is provably correct w.r.t. the initial formal specifications. This is the case of [7], where an algorithm to synthesize K starting from the formal specification of a Discrete-Time Linear Hybrid System (DTLHS in the following) is presented. Thus this methodology allows correct-by-construction control software to be synthesized, starting from formal specifications for DTLHSs.

Note that the problem of solving the functional equation $K(x, F(x)) = 1$ w.r.t. F is trivially decidable, since there are finitely many F. However, trying to explicitly enumerate all F requires time $\Omega(2^{r 2^n})$ (being n the number of bits encoding state x and r the number of bits encoding action u). By using OBDD-based computations, our algorithm complexity is $O(r 2^n)$ in the worst case. However, in many interesting cases OBDD sizes and computations are much lower than the theoretical worst case (e.g. in Model Checking applications, see [6]).
Furthermore, once the OBDD representation for F has been computed, a trivial implementation of F could use a look-up table in RAM. While this solution would yield a better WCET, it would imply $\Omega(r 2^n)$ RAM usage. Unfortunately, implementations for F in real-world cases are typically deployed on microcontrollers (this is the case e.g. for embedded systems). Since microcontrollers usually have a small RAM, the look-up table based solution is not feasible in many interesting cases. The approach we present here only requires $O(n + r)$ bytes of RAM for the data. As for the program size, it is linear in the size (i.e., number of nodes) of the OBDDs representing F, thus again we rely on the compression OBDDs achieve in many interesting cases. Moreover, $F : \mathbb{B}^n \to \mathbb{B}^r$ is composed of r boolean functions, thus it is represented by r OBDDs. Such OBDDs typically share nodes among them. If a trivial implementation of F in C code is used, i.e. each OBDD is translated as a stand-alone C function, OBDD node sharing will not be exploited. In our approach, we also exploit node sharing, thus the control software we generate fully takes advantage of OBDD compression.

Finally, we present experimental results showing the effectiveness of the proposed algorithm. As an example, in less than 1 second and within 70 MB of RAM we are able to synthesize the control software for a function K of 24 boolean variables, divided into n = 20 state variables and r = 4 action variables, represented by an OBDD with about $4 \times 10^4$ nodes. Such K represents the set of correct implementations for a real-world system, namely a multi-input buck DC/DC converter [8], obtained as described in [7]. The control software we synthesize in such a case has about $1.2 \times 10^4$ lines of code, whilst a control software not taking into account OBDD node sharing would have had about $1.5 \times 10^4$ lines of code. Thus, we obtain a 24% gain over a trivial implementation.

1.2 Related Work

Synthesis of boolean functions F satisfying a given boolean relation K in a way s.t. $K(x, F(x)) = 1$ is also addressed in [2]. However, [2] targets a hardware setting, whereas we are interested in a software implementation for F. Due to structural differences between hardware and software based implementations (see the discussion above), the method in [2] is not directly applicable here.

In [7] an algorithm is presented which, starting from formal specifications of a DTLHS, synthesizes a correct-by-construction boolean relation K, and then a correct-by-construction control software implementation for K. However, in [7] the implementation of K is neither described in detail, nor is it proved to be correct. Furthermore, the implementation synthesis described in [7] does not have the same size as the OBDD for F, i.e. it does not exploit OBDD node sharing.

In [10] an algorithm is presented which computes boolean functions F satisfying a given boolean relation K in a way s.t. $K(x, F(x)) = 1$. This approach is very similar to ours. However [10] does not generate the C code control software and it does not exploit OBDD node sharing. Furthermore, the algorithm is not proved to be correct.

Therefore, to the best of our knowledge this is the first time that an algorithm synthesizing correct-by-construction control software starting from a boolean relation (with the characteristics given in Sect. 1.1) is presented and proved to be correct.

2 Basic Definitions

In the following, we denote with $\mathbb{B} = \{0, 1\}$ the boolean domain, where 0 stands for false and 1 for true.
We will denote boolean functions $f : \mathbb{B}^n \to \mathbb{B}$ with boolean expressions on boolean variables involving $+$ (logical OR), $\cdot$ (logical AND, usually omitted, thus $xy = x \cdot y$), $\bar{\ }$ (logical complementation) and $\oplus$ (logical XOR). We also denote with $f|_{x_i = g}(x_1, \ldots, x_n)$ the boolean function $f(x_1, \ldots, x_{i-1}, g(x_1, \ldots, x_n), x_{i+1}, \ldots, x_n)$ and with $\exists x_i\, f(x_1, \ldots, x_n)$ the boolean function $f|_{x_i = 0}(x_1, \ldots, x_n) + f|_{x_i = 1}(x_1, \ldots, x_n)$. We will also denote vectors of boolean variables in boldface, e.g. $\mathbf{x} = \langle x_1, \ldots, x_n \rangle$. Finally, we denote with $[n]$ the set $\{1, \ldots, n\}$.

2.1 Feedback Control Problem for Labeled Transition Systems

In this paper we focus on solving and implementing a functional equation $K(\mathbf{x}, \mathbf{u}) = 1$. In this section we show a typical case in which such an equation needs to be solved and implemented.

A Labeled Transition System (LTS) is a tuple $\mathcal{S} = (S, A, T)$ where S is a finite set of states, A is a finite set of actions, and $T : S \times A \times S \to \mathbb{B}$ is the transition relation of $\mathcal{S}$. An LTS is deterministic if $T(s, a, s') \wedge T(s, a, s'') \Rightarrow s' = s''$, and nondeterministic otherwise. A run or path for an LTS $\mathcal{S}$ is a sequence $\pi = s_0, a_0, s_1, a_1, s_2, a_2, \ldots$ of states $s_t$ and actions $a_t$ such that $\forall t \geq 0\; T(s_t, a_t, s_{t+1})$. The length $|\pi|$ of a finite run $\pi$ is the number of actions in $\pi$. We denote with $\pi^{(S)}(t)$ the t-th state element of $\pi$. A controller for an LTS $\mathcal{S}$ is a function $K : S \times A \to \mathbb{B}$ such that $\forall s \in S$, $\forall a \in A$, if $K(s, a) = 1$ then $\exists s' \in S\; T(s, a, s') = 1$. We denote with $\mathrm{Dom}(K)$ the set of states for which a control action is defined. Formally, $\mathrm{Dom}(K) = \{ s \in S \mid \exists a\, K(s, a) \}$. $\mathcal{S}^{(K)}$ denotes the closed loop system, that is the LTS $(S, A, T^{(K)})$, where $T^{(K)}(s, a, s') = T(s, a, s') \wedge K(s, a)$.
In the following, by assuming proper boolean encoding functions for states and actions (as is usually done in Model Checking applications, see [6]), we may see a controller as a boolean function $K : \mathbb{B}^n \times \mathbb{B}^r \to \mathbb{B}$, with $n = \lceil \log_2 |S| \rceil$ and $r = \lceil \log_2 |A| \rceil$.

We call a path $\pi$ a fullpath [1] if either it is infinite or its last state $\pi^{(S)}(|\pi|)$ has no successors (i.e. $\mathrm{Adm}(\mathcal{S}, \pi^{(S)}(|\pi|)) = \emptyset$). We denote with $\mathrm{Path}(s)$ the set of fullpaths starting in state s, i.e. the set of fullpaths $\pi$ such that $\pi^{(S)}(0) = s$.

Given a path $\pi$ in $\mathcal{S}$, we define the measure $J(\mathcal{S}, G, \pi)$ on paths as the distance of $\pi^{(S)}(0)$ to the goal on $\pi$. That is, if there exists $n > 0$ s.t. $\pi^{(S)}(n) \in G$, then $J(\mathcal{S}, G, \pi) = \min\{ n \mid n > 0 \wedge \pi^{(S)}(n) \in G \}$. Otherwise, $J(\mathcal{S}, G, \pi) = +\infty$. We require $n > 0$ since our systems are non-terminating and each controllable state (including a goal state) must have a path of positive length to a goal state. The worst case distance (pessimistic view) of a state s from the goal region G is $J_{\mathrm{strong}}(\mathcal{S}, G, s) = \sup\{ J(\mathcal{S}, G, \pi) \mid \pi \in \mathrm{Path}(s) \}$.

Definition 2.1. Let $\mathcal{P} = (\mathcal{S}, I, G)$ be a control problem and K be a controller for $\mathcal{S}$ such that $I \subseteq \mathrm{Dom}(K)$. K is a strong solution to $\mathcal{P}$ if for all $s \in \mathrm{Dom}(K)$, $J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, s)$ is finite. An optimal strong solution to $\mathcal{P}$ is a strong solution $K^*$ to $\mathcal{P}$ such that for all strong solutions K to $\mathcal{P}$, for all $s \in S$ we have: $J_{\mathrm{strong}}(\mathcal{S}^{(K^*)}, G, s) \leq J_{\mathrm{strong}}(\mathcal{S}^{(K)}, G, s)$.

Intuitively, a strong solution takes a pessimistic view and requires that for each initial state, all runs in the closed loop system reach the goal (no matter the nondeterminism outcomes). Unless otherwise stated, we call a strong solution just a solution.

Definition 2.2.
The most general optimal (mgo) strong solution (simply mgo in the following) to $\mathcal{P}$ is an optimal strong solution $\bar{K}$ to $\mathcal{P}$ such that for all other optimal strong solutions K to $\mathcal{P}$, for all $s \in S$, for all $a \in A$ we have that $K(s, a) \Rightarrow \bar{K}(s, a)$.

Efficient algorithms to compute mgos starting from suitable (nondeterministic) LTSs have been proposed in the literature (e.g. see [5]). Once an mgo K has been computed, solving and implementing the functional equation $K(\mathbf{x}, \mathbf{u}) = 1$ allows correct-by-construction control software to be synthesized.

2.2 OBDD Representation for Boolean Functions

A Binary Decision Diagram (BDD) R is a rooted directed acyclic graph (DAG) with the following properties. Each R node v is labeled either with a boolean variable $\mathrm{var}(v)$ (internal node) or with a boolean constant $\mathrm{val}(v) \in \mathbb{B}$ (terminal node). Each R internal node v has exactly two children, labeled with $\mathrm{high}(v)$ and $\mathrm{low}(v)$. Let $x_1, \ldots, x_n$ be the boolean variables labeling R internal nodes. Each terminal node v represents the (constant) boolean function $f_v(x_1, \ldots, x_n) = \mathrm{val}(v)$. Each internal node v represents the boolean function $f_v(x_1, \ldots, x_n) = x_i f_{\mathrm{high}(v)}(x_1, \ldots, x_n) + \bar{x}_i f_{\mathrm{low}(v)}(x_1, \ldots, x_n)$, being $x_i = \mathrm{var}(v)$. An Ordered BDD (OBDD) is a BDD where, on each path from the root to a terminal node, the variables labeling each internal node must follow the same ordering. Two OBDDs are isomorphic iff there exists a mapping from nodes to nodes preserving attributes var, val, high and low. An OBDD is called reduced iff it contains no vertex v with $\mathrm{low}(v) = \mathrm{high}(v)$, nor does it contain distinct vertices v and v' such that the subgraphs rooted at v and v' are isomorphic. This entails that isomorphic subgraphs are shared, i.e. only one copy of them is effectively stored (see [4]).
We will only deal with reduced OBDDs, thus we will call them simply OBDDs. It can be shown [4] that each boolean function can be represented by exactly one OBDD (up to isomorphism), thus the OBDD representation for boolean functions is canonical.

3 Solving a Boolean Functional Equation

Let $K(x_1, \ldots, x_n, u_1, \ldots, u_r)$ be an mgo for a given control problem $\mathcal{P} = (\mathcal{S}, I, G)$. We want to solve the boolean functional equation $K(\mathbf{x}, \mathbf{u}) = 1$ w.r.t. variables $\mathbf{u}$, that is we want to obtain boolean functions $f_1, \ldots, f_r$ s.t. $K(\mathbf{x}, f_1(\mathbf{x}), \ldots, f_r(\mathbf{x})) = K|_{u_1 = f_1(\mathbf{x}), \ldots, u_r = f_r(\mathbf{x})}(\mathbf{x}, \mathbf{u}) = 1$.

This problem may be solved in different ways, depending on the target implementation (hardware or software) for functions $f_i$. In both cases, it is crucial to be able to bound the WCET (Worst Case Execution Time) of the obtained controller. In fact, controllers must work in an endless closed loop with the system $\mathcal{S}$ (plant) they control. This implies that, every T seconds (sampling time), the controller has to decide the actions to be sent to the plant. Thus, in order for the entire system (plant + control software) to properly work, the controller WCET upper bound must be at most T.

In [2], $f_1, \ldots, f_r$ are generated in order to optimize a hardware implementation. In this paper, we focus on software implementations for $f_i$ (control software). As discussed in Sect. 1, simply translating a hardware implementation into a software implementation would result in a too high WCET. Thus, a method directly targeting software is needed. An easy solution would be to set up, for a given state $\mathbf{x}$, a SAT problem instance $C = C^K_1, \ldots, C^K_t, c_1, \ldots, c_n$, where $C^K_1 \wedge \ldots \wedge C^K_t$ is equisatisfiable to K and each clause $c_i$ is either $x_i$ (if $x_i$ is 1) or $\bar{x}_i$ (otherwise).
Then C may be solved using a SAT solver, and the values assigned to $\mathbf{u}$ in the computed satisfying assignment may be returned as the action to be taken. However, it would be hard to estimate a WCET for such an implementation. The method we propose in this paper overcomes such obstructions by achieving a WCET at most proportional to $rn$.

4 OBDDs with Complemented Edges

In this section we introduce OBDDs with complemented edges (COBDDs, Def. 4.1), which were first presented in [3, 9]. Intuitively, they are OBDDs where else edges (i.e. edges of type $(v, \mathrm{low}(v))$) may be complemented. Complementation of then edges (i.e. edges of type $(v, \mathrm{high}(v))$) is not allowed, in order to retain canonicity. Edge complementation usually reduces resource usage, both in terms of CPU and memory.

Definition 4.1. An OBDD with complemented edges (COBDD in the following) is a tuple $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ with the following properties:
1. $\mathcal{V} = \{x_1, \ldots, x_n\}$ is a finite set of boolean variables s.t. for all $x_i \neq x_j \in \mathcal{V}$, either $x_i < x_j$ or $x_j < x_i$;
2. V is a finite set of nodes;
3. $1 \in V$ is the terminal node of $\rho$, corresponding to the boolean constant 1; any non-terminal node $v \in V$, $v \neq 1$ is called internal;
4. var, low, high, flip are functions defined on internal nodes, namely:
• $\mathrm{var} : V \setminus \{1\} \to \mathcal{V}$ assigns to each internal node a boolean variable in $\mathcal{V}$;
• $\mathrm{high} : V \setminus \{1\} \to V$ assigns to each internal node v a high child (or true child), representing the case in which $\mathrm{var}(v) = 1$;
• $\mathrm{low} : V \setminus \{1\} \to V$ assigns to each internal node v a low child (or else child), representing the case in which $\mathrm{var}(v) = 0$;
• $\mathrm{flip} : V \setminus \{1\} \to \mathbb{B}$ assigns to each internal node v a boolean value; namely, if $\mathrm{flip}(v) = 1$ then the else child has to be complemented, otherwise it is regular (i.e. non-complemented);
5.
for each internal node v, $\mathrm{var}(v) < \mathrm{var}(\mathrm{high}(v))$ and $\mathrm{var}(v) < \mathrm{var}(\mathrm{low}(v))$.

COBDDs as (labeled) DAGs. A COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ defines a labeled directed multigraph in a straightforward way. This is detailed in Def. 4.2.

Definition 4.2. Let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD. The graph associated to $\rho$ is a labeled directed multigraph $G(\rho) = (V, E)$ where V is the same set of nodes of $\rho$ and:
1. $E = \{ (v, w) \mid w = \mathrm{high}(v) \vee w = \mathrm{low}(v) \}$ (E is a multiset since it may happen that $\mathrm{high}(v) = \mathrm{low}(v)$ for some $v \in V$);
2. the following labeling functions are defined on nodes and edges:
• $\mathrm{ind} : V \setminus \{1\} \to \mathcal{V}$ assigns to each internal node v a boolean variable in $\mathcal{V}$, and is defined by $\mathrm{ind}(v) = \mathrm{var}(v)$;
• $\mathrm{type} : E \to \{\mathit{then}, \mathit{else}, \mathit{compl}\}$ assigns to each edge $e = (v, w)$ its type, and is defined by: $\mathrm{type}(e) = \mathit{then}$ (then edge) iff $\mathrm{high}(v) = w$, $\mathrm{type}(e) = \mathit{else}$ (regular else edge) iff $\mathrm{low}(v) = w \wedge \mathrm{flip}(v) = 0$, $\mathrm{type}(e) = \mathit{compl}$ (complemented else edge) iff $\mathrm{low}(v) = w \wedge \mathrm{flip}(v) = 1$.

Example 4.3. Let $\rho = (\{x_0, x_1, x_2\}, \{\mathrm{0x15}, \mathrm{0x14}, \mathrm{0x13}, \mathrm{0xe}, 1\}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD with: i) $\mathrm{var}(\mathrm{0x15}) = x_0$, $\mathrm{var}(\mathrm{0x14}) = \mathrm{var}(\mathrm{0x13}) = x_1$, $\mathrm{var}(\mathrm{0xe}) = x_2$ and $x_0 < x_1 < x_2$; ii) $\mathrm{high}(\mathrm{0x15}) = \mathrm{0x13}$, $\mathrm{low}(\mathrm{0x15}) = \mathrm{0x14}$, $\mathrm{high}(\mathrm{0x13}) = \mathrm{high}(\mathrm{0x14}) = \mathrm{0xe}$, $\mathrm{high}(\mathrm{0xe}) = \mathrm{low}(\mathrm{0xe}) = \mathrm{low}(\mathrm{0x13}) = \mathrm{low}(\mathrm{0x14}) = 1$; iii) $\mathrm{flip}(\mathrm{0x14}) = 0$, $\mathrm{flip}(\mathrm{0x15}) = \mathrm{flip}(\mathrm{0x13}) = \mathrm{flip}(\mathrm{0xe}) = 1$. Then $G(\rho)$ is shown in Fig. 2, where edges are directed downwards. Moreover, in Fig. 2 then edges are solid lines, regular else edges are dashed lines and complemented else edges are dotted lines.

Restriction of a COBDD. The graph associated to a given COBDD may be seen as a forest with multiple rooted multigraphs. Def. 4.4 allows us to select one root vertex and thus one rooted multigraph.
Definition 4.4. Let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD, and let $v \in V$. The COBDD restricted to v is the COBDD $\rho_v = (\mathcal{V}, V_v, 1, \mathrm{var}_v, \mathrm{low}_v, \mathrm{high}_v, \mathrm{flip}_v)$ s.t.:
• $V_v = \{ w \in V \mid \text{there exists a path from } v \text{ to } w \text{ in } G(\rho) \}$ (note that $v \in V_v$);
• $\mathrm{var}_v$, $\mathrm{low}_v$, $\mathrm{high}_v$ and $\mathrm{flip}_v$ are the restrictions to $V_v$ of var, low, high and flip.

Reduced COBDDs. Two COBDDs are isomorphic iff there exists a mapping from nodes to nodes preserving attributes var, flip, high and low. A COBDD is called reduced iff it contains no vertex v with $\mathrm{low}(v) = \mathrm{high}(v) \wedge \mathrm{flip}(v) = 0$, nor does it contain distinct vertices v and v' such that $\rho_v$ and $\rho_{v'}$ are isomorphic. Note that, differently from OBDDs, it is possible that $\mathrm{high}(v) = \mathrm{low}(v)$ for some $v \in V$, provided that $\mathrm{flip}(v) = 1$ (e.g. see nodes 0xf and 0xe in Fig. 3). In the following, we assume all our COBDDs to be reduced.

COBDD Properties. For a given COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ the following properties follow from Definitions 4.1 and 4.2: i) $G(\rho)$ is a rooted directed acyclic (multi)graph (DAG); ii) each path in $G(\rho)$ starting from an internal node ends in 1; iii) let $v_1, \ldots, v_k$ be a path in $G(\rho)$, then $\mathrm{var}(v_1) < \ldots < \mathrm{var}(v_k)$. We define the height of a node v in a COBDD $\rho$ (notation $\mathrm{height}_\rho(v)$, or simply $\mathrm{height}(v)$ if $\rho$ is understood) as the height of the DAG $G(\rho_v)$, i.e. the length of the longest path from v to 1 in $G(\rho)$.

4.1 Semantics of a COBDD

In Def. 4.5 we define the semantics $\llbracket \cdot \rrbracket$ of each node $v \in V$ of a given COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ as the boolean function represented by v, given the parity b of complemented edges seen on the path from a root to v.

Definition 4.5. Let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD. The semantics of a node $v \in V$ w.r.t.
a flipping bit b is a boolean function defined as:
• $\llbracket 1, b \rrbracket_\rho := \bar{b}$ (base of the induction)
• $\llbracket v, b \rrbracket_\rho := x_i \llbracket \mathrm{high}(v), b \rrbracket_\rho + \bar{x}_i \llbracket \mathrm{low}(v), b \oplus \mathrm{flip}(v) \rrbracket_\rho$ for any internal node v (recursive step), being $x_i = \mathrm{var}(v)$.

When $\rho$ is understood, we will write $\llbracket \cdot \rrbracket$ instead of $\llbracket \cdot \rrbracket_\rho$.

Note that the semantics of a node of a COBDD $\rho$ is a function of variables in $\mathcal{V}$ and of an additional boolean variable b. Thus, on each node two boolean functions on $\mathcal{V}$ are defined (one for each value of b). It can be shown (Fact 4.6) that such boolean functions are complementary.

Fact 4.6. Let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD, let $v \in V$ be a node and $b \in \mathbb{B}$ be a flipping bit. Then $\llbracket v, b \rrbracket = \overline{\llbracket v, \bar{b} \rrbracket}$.

Proof. The proof is by induction on v. As base of the induction, we have $\llbracket 1, b \rrbracket = \bar{b} = \bar{\bar{\bar{b}}} = \overline{\llbracket 1, \bar{b} \rrbracket}$. As induction step, let v be an internal node, and suppose by induction that $\llbracket \mathrm{high}(v), b \rrbracket = \overline{\llbracket \mathrm{high}(v), \bar{b} \rrbracket}$ and $\llbracket \mathrm{low}(v), b \rrbracket = \overline{\llbracket \mathrm{low}(v), \bar{b} \rrbracket}$. Then, since $AB + \bar{A}C = (\bar{A} + B)(A + C)$, we have:

$$\begin{aligned}
\llbracket v, b \rrbracket &= x_i \llbracket \mathrm{high}(v), b \rrbracket + \bar{x}_i \llbracket \mathrm{low}(v), b \oplus \mathrm{flip}(v) \rrbracket \\
&= (\bar{x}_i + \llbracket \mathrm{high}(v), b \rrbracket)(x_i + \llbracket \mathrm{low}(v), b \oplus \mathrm{flip}(v) \rrbracket) \\
&= (\bar{x}_i + \overline{\llbracket \mathrm{high}(v), \bar{b} \rrbracket})(x_i + \llbracket \mathrm{low}(v), b \oplus \mathrm{flip}(v) \rrbracket) \\
&= (\bar{x}_i + \overline{\llbracket \mathrm{high}(v), \bar{b} \rrbracket})(x_i + \overline{\llbracket \mathrm{low}(v), \bar{b} \oplus \mathrm{flip}(v) \rrbracket}) \\
&= \overline{x_i \llbracket \mathrm{high}(v), \bar{b} \rrbracket + \bar{x}_i \llbracket \mathrm{low}(v), \bar{b} \oplus \mathrm{flip}(v) \rrbracket} \\
&= \overline{\llbracket v, \bar{b} \rrbracket}.
\end{aligned}$$

Example 4.7. Let $\rho = (\{x_0, x_1, x_2\}, \{\mathrm{0x15}, \mathrm{0x14}, \mathrm{0x13}, \mathrm{0xe}, 1\}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be the COBDD of Ex. 4.3. If we pick nodes 0xe and 0x14 we have $\llbracket \mathrm{0xe}, b \rrbracket = x_2 \llbracket 1, b \rrbracket + \bar{x}_2 \llbracket 1, b \oplus 1 \rrbracket = x_2 \bar{b} + \bar{x}_2 b = x_2 \oplus b$ and $\llbracket \mathrm{0x14}, b \rrbracket = x_1 \llbracket \mathrm{0xe}, b \rrbracket + \bar{x}_1 \llbracket 1, b \oplus 0 \rrbracket = x_1 x_2 \bar{b} + x_1 \bar{x}_2 b + \bar{x}_1 \bar{b} = x_2 \bar{b} + x_1 \bar{x}_2 b + \bar{x}_1 \bar{b}$.
Moreover, if we pick node 0x14, then it represents the two following boolean functions: $\llbracket \mathrm{0x14}, 0 \rrbracket = x_2 + \bar{x}_1$ and $\llbracket \mathrm{0x14}, 1 \rrbracket = x_1 \bar{x}_2$ (note that $\llbracket \mathrm{0x14}, 0 \rrbracket = \overline{\llbracket \mathrm{0x14}, 1 \rrbracket}$).

Theor. 4.8 states that COBDDs are a canonical representation for boolean functions (see [3, 9]).

Theorem 4.8. Let $f : \mathbb{B}^n \to \mathbb{B}$ be a boolean function. Then there exist a COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, a node $v \in V$ and a flipping bit $b \in \mathbb{B}$ s.t. $\llbracket v, b \rrbracket = f(\mathbf{x})$. Moreover, let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD, let $v_1, v_2 \in V$ be nodes and $b_1, b_2 \in \mathbb{B}$ be flipping bits. Then $\llbracket v_1, b_1 \rrbracket = \llbracket v_2, b_2 \rrbracket$ iff $v_1 = v_2 \wedge b_1 = b_2$.

Efficient (i.e., at most $O(|V| \log |V|)$) algorithms [3, 9] exist to compute standard logical operations on COBDDs. We will assume to have available the following functions (for instantiation and existential quantifier elimination):
• COBDD_APP s.t. $\langle v_{\mathrm{APP}}, b_{\mathrm{APP}} \rangle = \mathrm{COBDD\_APP}(x_{i_1}, \ldots, x_{i_k}, v_1, b_1, \ldots, v_k, b_k, v, b)$ iff $\llbracket v_{\mathrm{APP}}, b_{\mathrm{APP}} \rrbracket = \llbracket v, b \rrbracket|_{x_{i_1} = \llbracket v_1, b_1 \rrbracket, \ldots, x_{i_k} = \llbracket v_k, b_k \rrbracket}$;
• COBDD_EX s.t. $\langle v_{\mathrm{EX}}, b_{\mathrm{EX}} \rangle = \mathrm{COBDD\_EX}(x_{i_1}, \ldots, x_{i_k}, v, b)$ iff $\llbracket v_{\mathrm{EX}}, b_{\mathrm{EX}} \rrbracket = \exists x_{i_1}, \ldots, x_{i_k}\, \llbracket v, b \rrbracket$.

Note that the above defined functions may create new COBDD nodes. We assume that such functions also properly update V, var, low, high, flip inside COBDD $\rho$ (1 and $\mathcal{V}$ are not affected).

5 Automatic Synthesis of C Code from a COBDD

Let $K(x_1, \ldots, x_n, u_1, \ldots, u_r)$ be an mgo for a given control problem. Let $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD s.t. there exist $v \in V$, $b \in \mathbb{B}$ s.t. $\llbracket v, b \rrbracket = K(x_1, \ldots, x_n, u_1, \ldots, u_r)$. Thus, $\mathcal{V} = X \mathbin{\dot{\cup}} U = \{x_1, \ldots, x_n\} \mathbin{\dot{\cup}} \{u_1, \ldots, u_r\}$ (we denote with $\dot{\cup}$ the disjoint union operator, thus $X \cap U = \emptyset$).
We will call variables $x_i \in X$ state variables and variables $u_j \in U$ action variables. We want to solve the boolean functional equation problem introduced in Sect. 3 targeting a software implementation. We do this by using a COBDD representing all our boolean functions. This allows us to exploit COBDD node sharing. This results in an improvement for the method in [10], which targets a software implementation but which does not exploit sharing. Finally, we also synthesize the software (i.e., C code) implementation for $f_1, \ldots, f_r$, which is not considered in [10]. Given that K is an mgo, this results in an optimal control software for the starting LTS.

5.1 Synthesis Algorithm: Overview

Our method Synthesize takes as input $\rho$, v and b s.t. $\llbracket v, b \rrbracket = K(\mathbf{x}, \mathbf{u})$. Then, it returns as output a C function void K(int *x, int *u) with the following property: if, before a call to K, $\forall i\; \mathtt{x[}i-1\mathtt{]} = x_i$ holds (array indexes in the C language begin from 0) with $\mathbf{x} \in \mathrm{Dom}(K)$, and after the call to K, $\forall i\; \mathtt{u[}i-1\mathtt{]} = u_i$ holds, then $K(\mathbf{x}, \mathbf{u}) = 1$. Moreover, the WCET of function K is at most $O(nr)$. Note that our method Synthesize provides an effective implementation of the mgo K, i.e. a C function which takes as input the current state of the LTS and outputs the action to be taken. Thus, K is indeed a control software.

Function Synthesize is organized in two phases:
1. starting from $\rho$, v and b (thus from $K(\mathbf{x}, \mathbf{u})$), we generate COBDD nodes $v_1, \ldots, v_r$ and flipping bits $b_1, \ldots, b_r$ for boolean functions $f_1, \ldots, f_r$ s.t. each $f_i = \llbracket v_i, b_i \rrbracket$ takes as input the state bit vector $\mathbf{x}$ and computes the i-th bit $u_i$ of an output action bit vector $\mathbf{u}$, where $K(\mathbf{x}, \mathbf{u}) = 1$, provided that $\mathbf{x} \in \mathrm{Dom}(K)$. This computation is carried out in function SolveFunctionalEq;
2. $f_1, \ldots, f_r$ are translated inside function void K(int *x, int *u).
This step is performed by maintaining the structure of the COBDD nodes representing $f_1, \ldots, f_r$. This allows us to exploit COBDD node sharing in the generated software. This phase is performed by function GenerateCCode.

Thus function Synthesize is organized as in Alg. 1. Correctness for function Synthesize is proved by Theor. 6.5.

Algorithm 1 Translating COBDDs to a C function
Require: COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, node $v \in V$, boolean $b \in \mathbb{B}$
Ensure: Synthesize($\rho$, v, b):
1: $\langle v_1, b_1, \ldots, v_r, b_r \rangle \leftarrow$ SolveFunctionalEq($\rho$, v, b) /* first phase */
2: GenerateCCode($\rho$, $v_1, b_1, \ldots, v_r, b_r$) /* second phase */

5.2 Synthesis Algorithm: Solving Functional Equation (First Phase)

In this phase, starting from $\rho$, v and b (thus from $\llbracket v, b \rrbracket = K(\mathbf{x}, \mathbf{u})$), we compute the COBDD nodes $v_1, \ldots, v_r$ and flipping bits $b_1, \ldots, b_r$ having the following properties:
• for all $i \in [r]$, $\llbracket v_i, b_i \rrbracket = f_i(\mathbf{x})$ (thus each $f_i : \mathbb{B}^n \to \mathbb{B}$ does not depend on $\mathbf{u}$);
• for all $\mathbf{x} \in \mathrm{Dom}(K)$, $K(\mathbf{x}, f_1(\mathbf{x}), \ldots, f_r(\mathbf{x})) = 1$.

In a hardware synthesis setting, techniques to compute $f_1, \ldots, f_r$ satisfying the above functional equation have been widely studied (e.g. see [2]). In our software synthesis setting we follow an approach similar to the one presented in [10] to compute such $f_1, \ldots, f_r$. Namely, we observe that $f_i$ may be computed using $f_1, \ldots, f_{i-1}$, that is $f_i(\mathbf{x}) = \exists u_{i+1}, \ldots, u_r\; K(\mathbf{x}, f_1(\mathbf{x}), \ldots, f_{i-1}(\mathbf{x}), 1, u_{i+1}, \ldots, u_r)$ (see Lemma 6.1). This allows us to compute COBDD nodes $v_1, \ldots, v_r$ and flipping bits $b_1, \ldots, b_r$ as shown in function SolveFunctionalEq of Alg. 2. Correctness for function SolveFunctionalEq is proved in Lemma 6.2.
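The recurrence of Lemma 6.1 carried out pointwise on a truth table rather than on COBDD nodes, as an added example that is not the authors' code: K is a constructed relation over n = 2 state bits and r = 2 action bits, and the check at the end confirms the first-phase property K(x, F(x)) = 1 on Dom(K).

```c
#include <stdio.h>

/* A constructed relation K (not from the paper) over N_BITS = 2 state bits
 * and R_BITS = 2 action bits, stored as a truth table. Index = (x << R) | u,
 * where state x = x_1 + 2*x_2 and action u = u_1 + 2*u_2, so bit j-1 holds
 * variable j, matching the x[j-1] = x_j convention of the generated C code. */
#define N_BITS 2
#define R_BITS 2
#define NX (1 << N_BITS)
#define NU (1 << R_BITS)

static const int K_TABLE[NX * NU] = {
    /* x = 0 */ 0, 1, 1, 0,   /* actions 1 and 2 are allowed            */
    /* x = 1 */ 0, 0, 0, 1,   /* only action 3 is allowed               */
    /* x = 2 */ 1, 1, 1, 1,   /* every action is allowed                */
    /* x = 3 */ 0, 0, 0, 0    /* no action at all: x = 3 is not in Dom(K) */
};

static int K_rel(int x, int u) { return K_TABLE[(x << R_BITS) | u]; }

/* Dom(K) = { x | exists u . K(x, u) } */
int in_dom(int x) {
    for (int u = 0; u < NU; u++)
        if (K_rel(x, u)) return 1;
    return 0;
}

/* Lemma 6.1 / Alg. 2, evaluated for one state x:
 *   f_i(x) = exists u_{i+1},...,u_r . K(x, f_1(x),...,f_{i-1}(x), 1, u_{i+1},...,u_r)
 * i.e. u_i is set to 1 iff that still leaves K satisfiable once the bits
 * already decided are fixed; otherwise u_i stays 0. Returns the action
 * integer F(x) = sum_i f_i(x) 2^(i-1). The loop index is 0-based, so bit i
 * of `fixed` is u_{i+1}. */
int solve_action(int x) {
    int fixed = 0;                              /* bits below i hold f_1..f_i */
    for (int i = 0; i < R_BITS; i++) {
        int candidate = fixed | (1 << i);       /* try u_{i+1} = 1 ...          */
        int sat = 0;
        for (int rest = 0; rest < (1 << (R_BITS - i - 1)) && !sat; rest++)
            sat = K_rel(x, candidate | (rest << (i + 1)));  /* ... over the free tail */
        if (sat) fixed = candidate;
    }
    return fixed;
}

/* First-phase property: K(x, F(x)) = 1 for every x in Dom(K). */
int verify_solution(void) {
    for (int x = 0; x < NX; x++)
        if (in_dom(x) && !K_rel(x, solve_action(x))) return 0;
    return 1;
}

int main(void) {
    for (int x = 0; x < NX; x++)
        printf("x=%d  in Dom(K)=%d  F(x)=%d  K(x,F(x))=%d\n",
               x, in_dom(x), solve_action(x), K_rel(x, solve_action(x)));
    return verify_solution() ? 0 : 1;
}
```

For x = 3, which is outside Dom(K), every existential test fails and F(3) = 0 is returned; the property only constrains states in Dom(K), which is why the check skips it.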
Algorithm 2 Solving a boolean functional equation
Require: COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, node $v \in V$, boolean $b \in \mathbb{B}$
Ensure: SolveFunctionalEq($\rho$, v, b):
1: for all $i \in [r]$ do
2: $\langle v_i, b_i \rangle \leftarrow$ COBDD_EX($u_{i+1}, \ldots, u_r$, COBDD_APP($u_1, \ldots, u_i, v_1, b_1, \ldots, v_{i-1}, b_{i-1}, 1, 0, v, b$))
3: return $\langle v_1, b_1, \ldots, v_r, b_r \rangle$

5.3 Synthesis Algorithm: Generating C Code (Second Phase)

In this phase, starting from COBDD nodes $v_1, \ldots, v_r$ and flipping bits $b_1, \ldots, b_r$ for functions $f_1, \ldots, f_r$ generated in the first phase, we generate two C functions:
• void K(int *x, int *u), which is the required output function for our method Synthesize;
• int K_bits(int *x, int action), which is an auxiliary function called by K. A call to K_bits(x, i) returns $f_i(\mathbf{x})$, being $\mathtt{x[}j-1\mathtt{]} = x_j$ for all $j \in [n]$.

This phase is detailed in Algs. 3 and 4.

Algorithm 3 Generating C functions
Require: COBDD $\rho = (\mathcal{V}, V, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, nodes $v_1, \ldots, v_r$, boolean values $b_1, \ldots, b_r$
Ensure: GenerateCCode($\rho$, $v_1, b_1, \ldots, v_r, b_r$):
1: print "int K_bits(int *x, int action) { int ret_b; switch(action) {"
2: for all $i \in [r]$ do
3: print "case ", $i - 1$, ": ret_b = ", $\bar{b}_i$, "; goto L_", $v_i$, ";"
4: print "}" /* end of the switch block */
5: $W \leftarrow \emptyset$
6: for all $i \in [r]$ do
7: $W \leftarrow$ Translate($\rho$, $v_i$, W);
8: print "}" /* end of K_bits */
9: print "void K(int *x,int *u) { int i; for(i=0;i<", r, ";i++) u[i]=K_bits(x,i); }"

Details of Function GenerateCCode (Alg. 3). Given inputs $\rho, v_1, b_1, \ldots, v_r, b_r$ (output by SolveFunctionalEq), Alg. 3 works as follows. First, function int K_bits(int *x, int action) is generated. If $\mathtt{x[}j-1\mathtt{]} = x_j$ for all $j \in [n]$, the call K_bits(x, i) has to return $f_i(\mathbf{x})$.
In order to do this, the graph $G(\rho_{v_i})$ is traversed by taking, in each node $v$, the then edge if x[j-1] $= 1$ (with $j$ s.t. $\mathrm{var}(v) = x_j$) and the else edge otherwise. When node 1 is reached, then 1 is returned iff the integer sum $c + b_i$ is even, being $c$ the number of complemented else edges traversed. Note that the parity of $c + b_i$ may be maintained by initializing a C variable ret_b to $\bar b_i$, then complementing ret_b (i.e., by performing a ret_b = !ret_b statement) when a complemented else edge is traversed, and finally returning ret_b. Note that formally this is equivalent to computing the flipping bit $b$ s.t.
$$\langle 1, \bar b \rangle = \text{COBDD\_APP}(x_1, \ldots, x_n, 1, 1 - \mathtt{x[0]}, \ldots, 1, 1 - \mathtt{x[}n-1\mathtt{]}, v_i, b_i),$$
being $[\![v_i, b_i]\!] = f_i(x)$. This mechanism is implemented inside function K_bits by properly translating each COBDD node $\tilde v \in \bigcup_{i=1}^r \mathcal{V}_{v_i}$ into a C code block. Each block is labeled with a unique label depending on $\tilde v$, and maintains in variable ret_b the current parity of $c + b_i$ as described above. This is done by function Translate, called on line 7 and detailed in Alg. 4.

Thus, the initial part of function K_bits consists of a switch block (generated in lines 1–4 of Alg. 3) which initializes ret_b to $\bar b_i$ and then jumps to the label corresponding to node $v_i$. Then, the C code blocks corresponding to COBDD nodes are generated in lines 5–7 of Alg. 3, by calling $r$ times function Translate (see Alg. 4) with parameters $v_1, \ldots, v_r$. Note that $W$ maintains the already translated COBDD nodes. Since function Translate only translates nodes not in $W$, this allows us to exploit sharing not only inside each $G(\rho_{v_i})$, but also among $G(\rho_{v_1}), \ldots, G(\rho_{v_r})$. Finally, function K is generated in line 9.
Function K simply consists of a for loop filling each entry u[i] of the output array u with the boolean value returned by K_bits(x, i). Correctness of function GenerateCCode is proved in Lemma 6.4.

Algorithm 4 COBDD nodes translation
Require: COBDD $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$, node $v$, nodes set $W \subseteq \mathcal{V}$
Ensure: Translate($\rho, v, W$):
1: if $v \in W$ then return $W$
2: $W \leftarrow W \cup \{v\}$
3: print "L_", $v$, ":"
4: if $v = 1$ then
5: print "return ret_b;"
6: else
7: let $i$ be s.t. $\mathrm{var}(v) = x_i$
8: print "if (x[", $i-1$, "] == 1) goto L_", $\mathrm{high}(v)$, ";"
9: if $\mathrm{flip}(v)$ then print "else { ret_b = !ret_b; goto L_", $\mathrm{low}(v)$, "; }"
10: else print "else goto L_", $\mathrm{low}(v)$, ";"
11: $W \leftarrow$ Translate($\rho, \mathrm{high}(v), W$)
12: $W \leftarrow$ Translate($\rho, \mathrm{low}(v), W$)
13: return $W$

Details of Function Translate (Alg. 4)

Given inputs $\rho, v, W$, Alg. 4 performs a recursive graph traversal of $G(\rho_v)$ as follows. The C code block for internal node $v$ is generated in lines 3 and 7–10. The block consists of a label L_v: and an if-then-else C construct. Note that label L_v univocally identifies the C code block related to node $v$. This may be implemented by printing the hexadecimal value of a pointer to $v$. The if-then-else C construct is generated so as to traverse node $v$ in graph $G(\rho_v)$ in the following way. In line 8 the check x[i-1] $= 1$ is generated, being $i$ s.t. $\mathrm{var}(v) = x_i$. The code to take the then edge of $v$ is also generated. Namely, it is sufficient to generate a goto statement to the C code block related to node $\mathrm{high}(v)$. In lines 9 and 10 the code to take the else edge is generated, in the case x[i-1] $= 1$ is false. In this case, if the else edge is complemented, i.e. $\mathrm{flip}(v)$ holds (line 9), it is necessary to complement ret_b and then perform a goto statement to the C code block related to node $\mathrm{low}(v)$ (line 9).
Otherwise, it is sufficient to generate a goto statement to the C code block related to node $\mathrm{low}(v)$ (line 10). Thus, the block generated for an internal node $v$, for proper $i$, $l$ and $h$, has one of the following forms:
• L_v: if (x[i-1]) goto L_h; else goto L_l;
• L_v: if (x[i-1]) goto L_h; else { ret_b = !ret_b; goto L_l; }
There are two base cases for the recursion of function Translate:
• $v \in W$ (line 1), i.e. $v$ has already been translated into a C code block as above. In this case, the set of visited COBDD nodes $W$ is directly returned (line 1) without generating any C code. This allows us to retain COBDD node sharing;
• $v = 1$ (line 4), i.e. the terminal node 1 has been reached. In this case, the C code block to be generated is simply L_1: return ret_b;. Note that such a block will be generated only once.
In all other cases, function Translate ends with the recursive calls on the then and else edges (lines 11–12). Note that the visited nodes set $W$ passed to the second recursive call is the result of the first recursive call. Correctness of function Translate is proved in Lemma 6.4.

5.4 An Example of Translation

In this section we show how a node $v$ and a flipping bit $b$ of a COBDD $\rho$ with 3 state variables and 2 action variables is translated into the K and K_bits C functions. This is done by applying Algs. 1, 2, 3 and 4. Consider COBDD $\rho = (\{u_0, u_1, x_0, x_1, x_2\}, \{\mathtt{0x17}, \mathtt{0x16}, \mathtt{0x15}, \mathtt{0x14}, \mathtt{0x13}, \mathtt{0x12}, \mathtt{0x11}, \mathtt{0x10}, \mathtt{0xf}, \mathtt{0xe}, 1\}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$. The corresponding $G(\rho)$ is shown in Fig. 1. Within $\rho$, consider mgo
$$K(x_0, x_1, x_2, u_0, u_1) = [\![\mathtt{0x17}, 1]\!] = \bar u_0 \bar u_1 \bar x_0 x_1 \bar x_2 + \bar u_0 \bar u_1 x_0 x_1 x_2 + u_0 \bar u_1 \bar x_1 x_2 + u_0 u_1 \bar x_0 \bar x_1 \bar x_2 + u_0 u_1 \bar x_0 x_1 x_2 + u_0 u_1 x_0 \bar x_2.$$

[Figure 1: An mgo example. COBDD over $u_0, u_1, x_0, x_1, x_2$ with nodes 0x17, 0x12, 0x16, 0x10, 0x11, 0x15, 0xf, 0xe, 0x13, 0x14 and 1.]
[Figure 2: Computing first action bit for mgo in Fig. 1. COBDD over $x_0, x_1, x_2$ with nodes 0x15, 0x13, 0x14, 0xe and 1.]
[Figure 3: Computing second action bit for mgo in Fig. 1. COBDD over $x_0, x_1, x_2$ with nodes 0x10, 0xf, 0xe and 1.]

By applying SolveFunctionalEq (see Alg. 2), we obtain
$$f_1(x_0, x_1, x_2) = [\![\mathtt{0x15}, 1]\!] = \bar x_0 \bar x_1 + \bar x_0 x_1 x_2 + x_0 \bar x_1 + x_0 x_1 \bar x_2$$
and
$$f_2(x_0, x_1, x_2) = [\![\mathtt{0x10}, 1]\!] = \bar x_0 \bar x_1 \bar x_2 + \bar x_0 x_1 x_2 + x_0 \bar x_2.$$
COBDDs for $f_1$ and $f_2$ are depicted in Figs. 2 and 3 respectively. Note that in this simple example no new nodes have been added w.r.t. the COBDD of Fig. 1, and that node 0xe is shared between $G(\rho_{\mathtt{0x15}})$ and $G(\rho_{\mathtt{0x10}})$. Finally, by calling GenerateCCode (see Alg. 3) on $f_1, f_2$, we have the C code in Fig. 4.

    int K_bits(int *x, int action) {
        int ret_b;
        /* blocks have been reordered */
        switch (action) {
            case 0: ret_b = 0; goto L_0x15;
            case 1: ret_b = 0; goto L_0x10;
        }
        L_0x15: if (x[0] == 1) goto L_0x13; else { ret_b = !ret_b; goto L_0x14; }
        L_0x13: if (x[1] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_1; }
        L_0xe:  if (x[2] == 1) goto L_1;    else { ret_b = !ret_b; goto L_1; }
        L_0x14: if (x[1] == 1) goto L_0xe;  else goto L_1;
        L_0x10: if (x[0] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_0xf; }
        L_0xf:  if (x[1] == 1) goto L_0xe;  else { ret_b = !ret_b; goto L_0xe; }
        L_1:    return ret_b;
    }
    void K(int *x, int *u) {
        int i;
        for (i = 0; i < 2; i++) u[i] = K_bits(x, i);
    }

Figure 4: C code for mgo in Fig. 1

6 Translation Proof of Correctness

In this section we prove the correctness of our approach (Theor. 6.5). That is, we show that the function K we generate indeed implements the given mgo $K$, thus resulting in a correct-by-construction control software. We begin by stating four useful lemmata for our proof. Lemma 6.1 is useful to prove Lemma 6.2, i.e. to prove correctness of function SolveFunctionalEq.

Lemma 6.1. Let $K : \mathbb{B}^n \times \mathbb{B}^r \to \mathbb{B}$ and let $f_1, \ldots, f_r$ be s.t. $f_i(x) = \exists u_{i+1}, \ldots, u_r \; K(x, f_1(x), \ldots, f_{i-1}(x), 1, u_{i+1}, \ldots, u_r)$ for all $i \in [r]$. Then, $x \in \mathrm{Dom}(K) \Rightarrow K(x, f_1(x), \ldots, f_r(x)) = 1$.

Proof. Let $x \in \mathbb{B}^n$ be s.t. $x \in \mathrm{Dom}(K)$, i.e. $\exists u \; K(x, u) = 1$. We prove the lemma by induction on $r$. For $r = 1$, we have $f_1(x) = K(x, 1)$. If $f_1(x) = 1$, we have $K(x, f_1(x)) = K(x, 1) = f_1(x) = 1$. If $f_1(x) = 0$, we have $K(x, f_1(x)) = K(x, 0)$, and $K(x, 0) = 1$ since $x \in \mathrm{Dom}(K)$ and $K(x, 1) = 0$. Suppose by induction that for all $\tilde K : \mathbb{B}^n \times \mathbb{B}^{r-1} \to \mathbb{B}$, $\tilde K(x, \tilde f_1(x), \ldots, \tilde f_{r-1}(x)) = 1$, where for all $i \in [r-1]$, $\tilde f_i(x) = \exists u_{i+1}, \ldots, u_{r-1} \; \tilde K(x, \tilde f_1(x), \ldots, \tilde f_{i-1}(x), 1, u_{i+1}, \ldots, u_{r-1})$. We have that $x \in \mathrm{Dom}(K)$ implies that either $x \in \mathrm{Dom}(K|_{u_1=0})$ or $x \in \mathrm{Dom}(K|_{u_1=1})$. Suppose $x \in \mathrm{Dom}(K|_{u_1=1})$ holds. We have that $K|_{u_1=1}(x, \tilde f_2(x), \ldots, \tilde f_r(x)) = 1$, where for all $i = 2, \ldots, r$, $\tilde f_i(x) = \exists u_{i+1}, \ldots, u_r \; K|_{u_1=1}(x, \tilde f_2(x), \ldots, \tilde f_{i-1}(x), 1, u_{i+1}, \ldots, u_r)$. By construction, we have that $f_1(x) = 1$ and $f_i(x) = \tilde f_i(x)$ for $i \ge 2$, thus $1 = K|_{u_1=1}(x, \tilde f_2(x), \ldots, \tilde f_r(x)) = K(x, f_1(x), \ldots, f_r(x))$. Analogously, if $x \notin \mathrm{Dom}(K|_{u_1=1}) \wedge x \in \mathrm{Dom}(K|_{u_1=0})$ we have that $f_1(x) = 0$ and $f_i(x) = \tilde f_i(x)$ for $i \ge 2$, thus $1 = K|_{u_1=0}(x, \tilde f_2(x), \ldots, \tilde f_r(x)) = K(x, f_1(x), \ldots, f_r(x))$. □
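The example of Sect. 5.4 carried through in code, as an added illustration that is not part of the paper or of KSS: the COBDDs of Figs. 2 and 3 as a node table (constructed here from the labels and gotos of Fig. 4; the edges of the full mgo of Fig. 1 are not reproduced), the ret_b parity walk of Sect. 5.3 as an interpreter for $[\![v,b]\!]$, Translate and GenerateCCode (Algs. 3–4) as a block-emitting generator so that the $|Sw|$ and $|F_{unsh}|$ counts of Table 1 can be read off for this instance, and a check of the functional equation of Lemma 6.2 over all 8 states. Node ids, flipping bits and the formula for $K$ are the paper's; function and field names are this example's own.

```c
#include <stdio.h>
#include <stdbool.h>
enum { NODE_1 = 0x1, MAX_ID = 0x18, N_STATE = 3, N_ACTION = 2 }; /* terminal 1, id bound, n, r */

/* COBDD node: index of its variable in x[], then/else children, complemented else edge. */
typedef struct { int var, high, low; bool flip; } Node;

/* Nodes of Figs. 2 and 3, constructed here from the labels and gotos of Fig. 4. */
static const Node rho[MAX_ID] = {
    [0x15] = {0, 0x13, 0x14, true},     [0x13] = {1, 0xe, NODE_1, true},
    [0xe]  = {2, NODE_1, NODE_1, true}, [0x14] = {1, 0xe, NODE_1, false},
    [0x10] = {0, 0xe, 0xf, true},       [0xf]  = {1, 0xe, 0xe, true},
};

/* [[v, b]](x) by the walk K_bits performs: ret_b starts at !b and is flipped on
 * each complemented else edge, so 1 is returned iff b + c is even (Sect. 5.3). */
int cobdd_eval(int v, bool b, const int *x) {
    bool ret_b = !b;
    while (v != NODE_1) {
        const Node *n = &rho[v];
        if (x[n->var] == 1) v = n->high;          /* then edge, never complemented */
        else { if (n->flip) ret_b = !ret_b; v = n->low; }
    }
    return ret_b;
}

/* Translate (Alg. 4). W: bitmap of translated nodes; out may be NULL to count only.
 * Returns the labelled blocks emitted by this call, 0 if v was already in W (line 1). */
int translate(int v, bool *W, FILE *out) {
    if (W[v]) return 0;
    W[v] = true;
    if (v == NODE_1) { if (out) fprintf(out, "L_0x%x: return ret_b;\n", v); return 1; }
    const Node *n = &rho[v];
    if (out) {
        fprintf(out, "L_0x%x: if (x[%d] == 1) goto L_0x%x; ", v, n->var, n->high);
        if (n->flip) fprintf(out, "else { ret_b = !ret_b; goto L_0x%x; }\n", n->low);
        else         fprintf(out, "else goto L_0x%x;\n", n->low);
    }
    return 1 + translate(n->high, W, out) + translate(n->low, W, out);
}

/* GenerateCCode (Alg. 3) for roots v_1..v_r and flipping bits b_1..b_r; one W is
 * threaded through all roots. Returns |Sw|, the number of blocks in K_bits. */
int generate_c_code(const int *roots, const bool *flips, int r, FILE *out) {
    bool W[MAX_ID] = {false}; int blocks = 0;
    if (out) {                                    /* lines 1-4: switch prologue */
        fprintf(out, "int K_bits(int *x, int action) { int ret_b; switch(action) {\n");
        for (int i = 0; i < r; i++)
            fprintf(out, "case %d: ret_b = %d; goto L_0x%x;\n", i, !flips[i], roots[i]);
        fprintf(out, "}\n");
    }
    for (int i = 0; i < r; i++) blocks += translate(roots[i], W, out);   /* lines 5-7 */
    if (out) fprintf(out, "}\nvoid K(int *x, int *u) { int i; for (i = 0; i < %d; i++) "
                          "u[i] = K_bits(x, i); }\n", r);                /* lines 8-9 */
    return blocks;
}

/* |F_unsh| of Table 1: each f_i translated alone, with a fresh W per root. */
int unshared_size(const int *roots, int r) {
    int total = 0;
    for (int i = 0; i < r; i++) { bool W[MAX_ID] = {false}; total += translate(roots[i], W, NULL); }
    return total;
}

/* The mgo K(x0, x1, x2, u0, u1) of Sect. 5.4, as the sum of products given there. */
int spec_K(const int *x, const int *u) {
    int x0 = x[0], x1 = x[1], x2 = x[2], u0 = u[0], u1 = u[1];
    return (!u0 && !u1 && !x0 && x1 && !x2) || (!u0 && !u1 && x0 && x1 && x2)
        || (u0 && !u1 && !x1 && x2)        || (u0 && u1 && !x0 && !x1 && !x2)
        || (u0 && u1 && !x0 && x1 && x2)   || (u0 && u1 && x0 && !x2);
}

/* Lemma 6.2 on the example, with f1 = [[0x15,1]] and f2 = [[0x10,1]]: every x is in
 * Dom(K) here, so K(x, f1(x), f2(x)) must be 1 for all 8 states. Returns 1 iff it holds. */
int check_functional_equation(void) {
    const int roots[N_ACTION] = {0x15, 0x10}; const bool flips[N_ACTION] = {true, true};
    for (int s = 0; s < (1 << N_STATE); s++) {
        int x[N_STATE], u[N_ACTION];
        for (int j = 0; j < N_STATE; j++) x[j] = (s >> j) & 1;
        for (int i = 0; i < N_ACTION; i++) u[i] = cobdd_eval(roots[i], flips[i], x);
        if (!spec_K(x, u)) return 0;
    }
    return 1;
}

int main(void) {
    const int roots[N_ACTION] = {0x15, 0x10}; const bool flips[N_ACTION] = {true, true};
    int sw = generate_c_code(roots, flips, N_ACTION, stdout);
    printf("/* |Sw| = %d, |F_unsh| = %d, functional equation holds: %d */\n",
           sw, unshared_size(roots, N_ACTION), check_functional_equation());
    return 0;
}
```

For this instance the generator emits 7 shared blocks against 9 unshared ones, i.e. the same 22% gain reported for r = 3 in Table 1 arises here from the single shared node 0xe.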
Lemma 6.2 states correctness of function SolveFunctionalEq of Alg. 2.

Lemma 6.2. Let $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD with $V = X \mathbin{\dot\cup} U$, $v \in \mathcal{V}$ be a node, $b \in \mathbb{B}$ be a flipping bit. Let $[\![v, b]\!] = K(x, u)$ and $r = |U|$. Then function SolveFunctionalEq($\rho, v, b$) (see Alg. 2) outputs nodes $v_1, \ldots, v_r$ and boolean values $b_1, \ldots, b_r$ s.t. for all $i \in [r]$, $[\![v_i, b_i]\!] = f_i(x)$ and $x \in \mathrm{Dom}(K)$ implies $K(x, f_1(x), \ldots, f_r(x)) = 1$.

Proof. Correctness of functions COBDD_APP and COBDD_EX (and lemma hypotheses) implies that for all $i \in [r]$, $f_i(x) = \exists u_{i+1}, \ldots, u_r \; K(x, f_1(x), \ldots, f_{i-1}(x), 1, u_{i+1}, \ldots, u_r)$. By Lemma 6.1 we have the thesis. □

Let Translate_dup be a function that works as function Translate of Alg. 4, but that does not take node sharing into account. Function Translate_dup may be obtained from function Translate by deleting line 1 (highlighted in Alg. 4) and by replacing calls to Translate in lines 11 and 12 with recursive calls to Translate_dup (with no changes on parameters). Lemma 6.3 states correctness of function Translate_dup.

Lemma 6.3. Let $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD, $v \in \mathcal{V}$ be a node, $b \in \mathbb{B}$ be a flipping bit, and $W \subseteq \mathcal{V}$ be a set of nodes. Then function Translate_dup($\rho, v, W$) generates a sequence of labeled C statements $B_1 \ldots B_k$ s.t. $k \ge |\mathcal{V}_v|$ and for all $w \in \mathcal{V}_v$: 1) label L_w is in $B_i$ for some $i$ and 2) starting an execution from label L_w with $\forall i \in [n]$ x[i-1] $= x_i$ and ret_b $= \bar b$, a return ret_b; statement is invoked in at most $O(p)$ steps with ret_b $= [\![w, b]\!] = f_{w,b}(x)$ and $p = \mathrm{height}(w)$.

Proof. We prove this lemma by induction on $v$. Let $v = 1$, which implies $[\![v, b]\!] = \bar b$ and $\mathcal{V}_v = \{1\}$.
We have that function Translate_dup($\rho, v, W$) generates a single block $B_1$ (thus $k = 1 = |\mathcal{V}_1|$) s.t. $B_1 =$ L_1: return ret_b; (lines 3–5 of Alg. 4). Since by hypothesis we have ret_b $= \bar b$, and since starting from $B_1$ the return statement is invoked in $O(1)$ steps, the base case of the induction is proved. Let $v$ be an internal node with $\mathrm{var}(v) = x_i$ and let $f(x) = [\![v, b]\!]$. Since $w \in \mathcal{V}_v$ iff $w = v \vee w \in \mathcal{V}_{\mathrm{high}(v)} \vee w \in \mathcal{V}_{\mathrm{low}(v)}$, by induction hypothesis we only have to prove the thesis for $w = v$. We have that
$$f(x) = x_i [\![\mathrm{high}(v), b]\!] + \bar x_i [\![\mathrm{low}(v), b \oplus \mathrm{flip}(v)]\!],$$
i.e. $f(x) = x_i [\![\mathrm{high}(v), b]\!] + \bar x_i [\![\mathrm{low}(v), b]\!]$ if $\mathrm{flip}(v) = 0$ and $f(x) = x_i [\![\mathrm{high}(v), b]\!] + \bar x_i [\![\mathrm{low}(v), \bar b]\!]$ if $\mathrm{flip}(v) = 1$. Since $f(x) = x_i f|_{x_i=1}(x) + \bar x_i f|_{x_i=0}(x)$, by Theor. 4.8 we have that $[\![\mathrm{high}(v), b]\!] = f|_{x_i=1}(x)$, and that $[\![\mathrm{low}(v), b]\!] = f|_{x_i=0}(x)$ if $\mathrm{flip}(v) = 0$ and $[\![\mathrm{low}(v), \bar b]\!] = f|_{x_i=0}(x)$ if $\mathrm{flip}(v) = 1$. By lines 3 and 8–10 of Alg. 4, we have that function Translate_dup($\rho, v, W$) generates blocks $B \, B_{11} \ldots B_{1h} \, B_{21} \ldots B_{2l}$ s.t. $B =$ L_v: if (x[i-1] == 1) goto L_high(v); else $B_E$, where $B_E$ is either goto L_low(v); if $\mathrm{flip}(v) = 0$ or { ret_b = !ret_b; goto L_low(v); } if $\mathrm{flip}(v) = 1$, and $B_{11} \ldots B_{1h}$ ($B_{21} \ldots B_{2l}$) are generated by the recursive call Translate_dup($\rho, \mathrm{high}(v), W$) in line 11 (Translate_dup($\rho, \mathrm{low}(v), W$) in line 12). By induction hypothesis and the above reasoning, if the execution starts at label L_high(v) and ret_b $= \bar b$, then a return ret_b; statement is invoked in at most $O(p-1)$ steps with ret_b $= f|_{x_i=1}(x)$.
As for the else case, we have that starting from L_low(v) with ret_b $= \bar b$ (ret_b $= \bar{\bar b}$) if $\mathrm{flip}(v) = 0$ ($\mathrm{flip}(v) = 1$), then a return ret_b; statement is invoked in at most $O(p-1)$ steps with ret_b $= f|_{x_i=0}(x)$. By construction of block $B$, starting from label L_v, a return ret_b; statement is invoked in at most $O(p-1+1) = O(p)$ steps with ret_b $= x_i f|_{x_i=1}(x) + \bar x_i f|_{x_i=0}(x) = f(x)$. Finally, note that by induction hypothesis $h \ge |\mathcal{V}_{\mathrm{high}(v)}|$ and $l \ge |\mathcal{V}_{\mathrm{low}(v)}|$, thus we have that $k = 1 + h + l \ge 1 + |\mathcal{V}_{\mathrm{high}(v)}| + |\mathcal{V}_{\mathrm{low}(v)}| \ge |\mathcal{V}_v|$. □

Lemma 6.4 extends Lemma 6.3 by also considering node sharing, thus stating correctness of function GenerateCCode of Alg. 3 and function Translate of Alg. 4.

Lemma 6.4. Let $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD and $v_1, \ldots, v_r \in \mathcal{V}$ be $r$ nodes and $b_1, \ldots, b_r \in \mathbb{B}$ be $r$ flipping bits. Then lines 5–7 of function GenerateCCode($\rho, v_1, b_1, \ldots, v_r, b_r$) generate a sequence of labeled C statements $B_1 \ldots B_k$ s.t. $k = |\bigcup_{i=1}^r \mathcal{V}_{v_i}|$ and for all $v \in \bigcup_{i=1}^r \mathcal{V}_{v_i}$: 1) the label L_v is in $B_j$ for some $j$ and 2) starting an execution from label L_v with $\forall j \in [n]$ x[j-1] $= x_j$ and ret_b $= \bar b$, a return ret_b; statement is invoked in at most $O(p)$ steps with ret_b $= [\![v, b]\!] = f_{v,b}(x)$ and $p = \mathrm{height}(w)$.

Proof. We begin by proving that $k = |\bigcup_{i=1}^r \mathcal{V}_{v_i}|$. To this aim, we prove that for each node $v \in \bigcup_{i=1}^r \mathcal{V}_{v_i}$, a unique block $B_v$ is generated. This follows by how the nodes set $W$ is managed by function Translate in lines 1–3 of Alg. 4 and by function GenerateCCode in lines 5–7 of Alg. 3. In fact, function Translate, when called on parameters $\rho, v, W$, returns a set $W' \supseteq W$, and function GenerateCCode calls Translate by always passing the $W$ resulting from the previous call.
Since a block is generated for node $v$ only if $v$ is not in $W$, and $v$ is added to $W$ only when a block is generated for node $v$, this proves this part of the lemma.

As for correctness, we prove this lemma by induction on $m$, being $m$ the number of times that the return W; statement in line 1 of Alg. 4 is executed. As base of the induction, let $m = 1$ and let $\rho, v, W$ be the parameters of the recursive call executing the first return W; statement. Then, by construction of function Translate, $v$ has been added to $W$ in some previous recursive call with parameters $\rho, v, \tilde W$. In this previous recursive call, a block $B_v$ with label L_v has been generated. Moreover, for this previous recursive call, thus for parameters $\rho, v, \tilde W$, we are in the hypothesis of Lemma 6.3, which implies that the induction base is proved. Suppose now that the thesis holds for the first $m$ executions of the return W; statement in line 1 of Alg. 4. Then, by construction of function Translate, $v$ has been added to $W$ in some previous recursive call with parameters $\rho, v, \tilde W$. In this previous recursive call, a block $B_v$ with label L_v has been generated. Let $w_1, W_1, \ldots, w_m, W_m$ be s.t. the $m$ recursive calls executing the return W; statement have parameters $\rho, v_i, W_i$ (note that they are not necessarily distinct). By induction hypothesis, for all $i \in [m]$, starting from label L_{w_i} with $\forall j \in [n]$ x[j-1] $= x_j$ and ret_b $= \bar b$, a return ret_b; statement is invoked in at most $O(p)$ steps with ret_b $= f_{w_i,b}(x)$. By Lemma 6.3 and its proof, the same holds for all $v \in \mathcal{V}_v \setminus \{w_1, \ldots, w_m\}$, thus it holds for all $v \in \mathcal{V}_v$. □

We are now ready to give our main correctness theorem for function Synthesize of Alg. 1.

Theorem 6.5. Let $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD with $V = X \mathbin{\dot\cup} U$, $v \in \mathcal{V}$ be a node, $b \in \mathbb{B}$ be a boolean.
Let $[\![v, b]\!] = K(x, u)$, $r = |U|$ and $n = |X|$. Then function Synthesize($\rho, v, b$) generates a C function void K(int *x, int *u) with the following property: for all $x \in \mathrm{Dom}(K)$, if before a call to K $\forall i \in [n]$ x[i-1] $= x_i$, and after the call to K $\forall i \in [r]$ u[i-1] $= u_i$, then $K(x, u) = 1$. Furthermore, function K has WCET $\sum_{i=1}^r O(\mathrm{height}(v_i))$, being $v_1, \ldots, v_r$ the nodes output by function SolveFunctionalEq.

Proof. Let $x \in \mathrm{Dom}(K)$ (i.e. $\exists u \; K(x, u) = 1$) and suppose that for all $j \in [n]$ x[j-1] $= x_j$. By line 9 of Alg. 3, for all $i \in [r]$, u[i-1] will take the value returned by K_bits(x, i). In turn, by line 3 of Alg. 3, each K_bits(x, i) sets ret_b to $\bar b_i$ and makes a jump to label L_{v_i}. By Lemma 6.2 and by construction of Synthesize, such $b_1, \ldots, b_r$ and $v_1, \ldots, v_r$ are s.t. $[\![v_1, b_1]\!] = f_1(x), \ldots, [\![v_r, b_r]\!] = f_r(x)$ and $K(x, f_1(x), \ldots, f_r(x)) = 1$. By Lemma 6.4, the sequence of calls K_bits(x, 1), ..., K_bits(x, r) will indeed return, in at most $\sum_{i=1}^r O(\mathrm{height}(v_i))$ steps, $f_1(x), \ldots, f_r(x)$. □

Corollary 6.6. Let $\rho = (V, \mathcal{V}, 1, \mathrm{var}, \mathrm{low}, \mathrm{high}, \mathrm{flip})$ be a COBDD with $V = X \mathbin{\dot\cup} U$, $v \in \mathcal{V}$ be a node, $b \in \mathbb{B}$ be a boolean. Let $[\![v, b]\!] = K(x, u)$, $r = |U|$ and $n = |X|$. Then the C function K output by function Synthesize($\rho, v, b$) has WCET $O(rn)$.

Proof. The corollary immediately follows from Theor. 6.5 and from the fact that, for all $v \in \mathcal{V}$, $\mathrm{height}(v) \le n$. □

7 Experimental Results

We implemented our synthesis algorithm in the C programming language, using the CUDD package for OBDD based computations. We name the resulting tool KSS (Kontrol Software Synthesizer). KSS is part of a more general tool named QKS (Quantized feedback Kontrol Synthesizer [7]).
KSS takes as input a BLIF file which encodes the OBDD for an mgo $K(x, u)$. Such a BLIF file also contains the information needed to distinguish state variables $x$ from action variables $u$. Then KSS generates as output a C code file containing functions K and K_bits as described in Sect. 5. In this section we present our experiments, which aim at evaluating the effectiveness of KSS.

7.1 Experimental Settings

We present experimental results obtained by using KSS on given COBDDs $\rho_1, \ldots, \rho_4$ s.t. for all $i \in [4]$:
• $\rho_i = (V_i, \mathcal{V}_i, 1, \mathrm{var}_i, \mathrm{low}_i, \mathrm{high}_i, \mathrm{flip}_i)$, with $V_i = X_i \mathbin{\dot\cup} U_i = \{x_1, \ldots, x_{20}\} \mathbin{\dot\cup} \{u_1, \ldots, u_i\}$; thus $n_i = 20$ and $r_i = i$ (note that $V_i \subset V_j$ for $j > i$);
• there exists $v_i \in \mathcal{V}_i$, $b_i \in \mathbb{B}$ s.t. $[\![v_i, b_i]\!] = K_i(x, u)$, being $K_i(x, u)$ the COBDD representation of the mgo for a buck DC/DC converter with $i$ inputs (see [8] for a description of this system). $K_i$ is an intermediate output of the QKS tool described in [7].

Table 1: KSS performances

    r   CPU       MEM       |K|     |F_unsh|  |Sw|    %
    1   2.20e-01  4.53e+07  12124   2545      2545    0.00e+00
    2   4.20e-01  5.29e+07  25246   5444      4536    1.67e+01
    3   5.20e-01  5.94e+07  34741   10731     8271    2.29e+01
    4   6.30e-01  6.50e+07  43065   15165     11490   2.42e+01

For each $\rho_i$, we run KSS so as to compute Synthesize($\rho_i, v_i, b_i$) (see Alg. 1). In the following, we will call $\langle w_{1i}, b_{1i}, \ldots, w_{ii}, b_{ii} \rangle$, with $w_{ji} \in \mathcal{V}_i$, $b_{ji} \in \mathbb{B}$, the output of function SolveFunctionalEq($\rho_i, v_i, b_i$) of Alg. 2. Moreover, we call $f_{1i}, \ldots, f_{ii} : \mathbb{B}^n \to \mathbb{B}$ the $i$ boolean functions s.t. $[\![w_{ji}, b_{ji}]\!] = f_{ji}(x)$. Note that, by Lemma 6.2, for all $x \in \mathrm{Dom}(K)$, $K_i(x, f_{1i}(x), \ldots, f_{ii}(x)) = 1$. All our experiments have been carried out on a 3.0 GHz Intel hyper-threaded Quad Core Linux PC with 8 GB of RAM.
7.2 KSS Performance

In this section we show the performance (in terms of computation time, memory, and output size) of the algorithms discussed in Sect. 5. Tab. 1 shows our experimental results. The $i$-th row in Tab. 1 corresponds to experiments running KSS so as to compute Synthesize($\rho_i, v_i, b_i$). Columns in Tab. 1 have the following meaning. Column r shows the number of action variables, i.e. $|U_i|$ (note that $|X_i| = 20$ for all $i \in [4]$). Column CPU shows the computation time of KSS (in secs). Column MEM shows the memory usage of KSS (in bytes). Column |K| shows the number of nodes of the COBDD representation for $K_i(x, u)$, i.e. $|\mathcal{V}_{v_i}|$. Column |F_unsh| shows the number of nodes of the COBDD representations of $f_{1i}, \ldots, f_{ii}$, without considering node sharing among such COBDDs. Note that we do consider node sharing inside each $f_{ji}$ separately. That is, $|F_{unsh}| = \sum_{j=1}^i |\mathcal{V}_{w_{ji}}|$ is the size of a trivial implementation of $f_{1i}, \ldots, f_{ii}$ in which each $f_{ji}$ is implemented by a stand-alone C function. Column |Sw| shows the size of the control software generated by KSS, i.e. the number of nodes of the COBDD representations of $f_{1i}, \ldots, f_{ii}$, considering also node sharing among such COBDDs. That is, $|Sw| = |\bigcup_{j=1}^i \mathcal{V}_{w_{ji}}|$ is the number of C code blocks generated by lines 5–7 of function GenerateCCode in Alg. 3. Finally, Column % shows the gain percentage we obtain by considering node sharing among the COBDD representations for $f_{1i}, \ldots, f_{ii}$, i.e. $\left(1 - \frac{|Sw|}{|F_{unsh}|}\right) \cdot 100$.

From Tab. 1 we can see that, in less than 1 second and within 70 MB of RAM, we are able to synthesize the control software for the multi-input buck with $r = 4$ action variables, starting from a COBDD representation of $K$ with about $4 \times 10^4$ nodes. The control software we synthesize in such a case has about $1.2 \times 10^4$ lines of code, whilst a control software not taking into account COBDD node sharing would have had about $1.5 \times 10^4$ lines of code. Thus, we obtain a 24% gain towards a trivial implementation.

8 Conclusions

We presented an algorithm and a tool KSS implementing it which, starting from a boolean relation $K$ representing the set of implementations meeting the given system specifications, generates a correct-by-construction C code implementing $K$. This entails finding boolean functions $F$ s.t. $K(x, F(x)) = 1$ holds, and then implementing such $F$. WCET for the generated control software is at most linear in $nr$, being $n = |x|$ the number of input arguments for functions in $F$ and $r$ the number of functions in $F$. Furthermore, we formally proved that our algorithm is correct.

KSS allows us to synthesize correct-by-construction control software, provided that $K$ is provably correct w.r.t. the initial formal specifications. This is the case in [7], thus this methodology e.g. allows us to synthesize correct-by-construction control software starting from formal specifications for DTLHSs. We have shown the feasibility of our proposed approach by presenting experimental results on using it to synthesize C controllers for a buck DC-DC converter.

In order to speed up the resulting WCET, a natural possible future research direction is to investigate how to parallelize the generated control software, as well as to improve don't-cares handling in $F$.

References

[1] Paul C. Attie, Anish Arora, and E. Allen Emerson. Synthesis of fault-tolerant concurrent programs. ACM Trans. on Program. Lang. Syst., 26(1):125–185, 2004.
[2] David Baneres, Jordi Cortadella, and Mike Kishinevsky. A recursive paradigm to solve boolean relations. IEEE Trans. Comput., 58:512–527, April 2009.
[3] Karl S. Brace, Richard L. Rudell, and Randal E. Bryant. Efficient implementation of a BDD package. In DAC, pages 40–45, 1990.
[4] R. Bryant. Graph-based algorithms for boolean function manipulation. IEEE Trans. on Computers, C-35(8):677–691, 1986.
[5] Alessandro Cimatti, Marco Roveri, and Paolo Traverso. Strong planning in non-deterministic domains via model checking. In AIPS, pages 36–43, 1998.
[6] E. M. Clarke, O. Grumberg, and D. A. Peled. Model Checking. The MIT Press, 1999.
[7] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Synthesis of quantized feedback control software for discrete time linear hybrid systems. In CAV, LNCS 6174, pages 180–195, 2010.
[8] Federico Mari, Igor Melatti, Ivano Salvo, and Enrico Tronci. Quantized feedback control software synthesis from system level formal specifications for buck dc/dc converters. Technical Report arXiv:1105.5640v1, arXiv, 2011.
[9] Shin-ichi Minato, Nagisa Ishiura, and Shuzo Yajima. Shared binary decision diagram with attributed edges for efficient boolean function manipulation. In DAC, pages 52–57, 1990.
[10] Enrico Tronci. Automatic synthesis of controllers from formal specifications. In ICFEM, pages 134–143. IEEE, 1998.