Assume-admissible synthesis
Acta Informatica
Romain Brenguier, Jean-François Raskin, Ocan Sankur
CNRS, IRISA, Rennes, France
Département d'informatique, Université Libre de Bruxelles, Brussels, Belgium
Department of Computer Science, University of Oxford, Oxford, UK
Abstract
In this paper, we introduce a novel rule for the synthesis of reactive systems, applicable to systems made of n components, each of which has its own objective. This rule is based on the notion of admissible strategies. We compare this rule with previous rules defined in the literature, and show that, contrary to the previous proposals, it defines sets of solutions which are rectangular. This property leads to solutions which are robust and resilient, and allows one to synthesize strategies separately for each agent. We provide algorithms with optimal complexity and also an abstraction framework compatible with the new rule.

Supported by the ERC starting Grant inVEST (FP7-279499).
Corresponding author: Ocan Sankur

1 Introduction
The automatic synthesis of reactive systems has recently attracted considerable attention. The theoretical foundations of most of the contributions in this area rely on two-player zero-sum games played on graphs: one player (player 1) models the system to synthesize, and the other player (player 2) models its environment. The game is zero-sum: the objective of player 1 is to enforce the specification of the system, while the objective of player 2 is the negation of this specification. This is a worst-case assumption: because the cooperation of the environment cannot be assumed, we postulate that it is antagonistic. A fully adversarial environment is usually a bold abstraction of reality. Nevertheless, it is popular because it is simple and sound: a winning strategy against an antagonistic player is winning against any environment which pursues its own objective. But this approach may fail to find a winning strategy even if there exist solutions when the objective of the environment is taken into account. Also, this model is for two players only: system vs environment.
In practice, both the system and the environment may be composed of several parts to be
constructed individually or whose objectives should be considered one at a time. In fact,
many systems, such as telecommunication protocols, and distributed algorithms are made
of several components or processes, each having its own objective which may or may not
conflict with other components’ objectives. Consider, for instance, a communication network in
which each node has the objective of transmitting a message to a subset of other nodes,
using some preferred frequency range; the objectives of some nodes may not conflict at all
if they are independent (using different frequencies), while some of them may be in conflict.
Indeed, game theory is used to model such situations; see e.g. [20]. Such problems are the
subject of non-zero-sum games where each entity having its own objective is seen as a
different player (a.k.a. agent). For controller synthesis within this context, it is thus crucial
to take different players’ objectives into account when synthesizing strategies; accordingly,
alternative notions have been proposed in the literature.
A first classical alternative is to weaken the winning condition of player 1 using the
objective of the environment, requiring the system to win only when the environment meets
its objective. This approach, together with its weaknesses, has been discussed in [3]; we
add to that discussion later in the paper. A second alternative is to use concepts from n-player non-zero-sum
sum games. This is the approach taken both by assume-guarantee synthesis [7] (AG), and
by rational synthesis [18] (RS). For two players, AG relies on secure equilibria [9] (SE), a
refinement of Nash equilibria [28] (NE). In SE, objectives are lexicographic: players first try
to maximize their own specifications, and then try to falsify the specifications of others. It is
shown in [9] that SE are those NE which represent enforceable contracts between the two
players. However, the AG rule as extended to several players in [7] no longer corresponds to
secure equilibria.
This was not noticed in [7], so the algorithm proposed for computing secure equilibria
does not actually apply to the AG rule. The difference between AG and SE is that AG
strategies have to be resilient to deviations of all the other players, while SE profiles have to
be resilient to deviations by only one player.
In RS, the system is assumed to be monolithic and the environment is made of components
that are partially controllable. In RS, we search for a profile of strategies where the system
ensures its objective and the players that model the environment are given an “acceptable”
strategy profile, from which it is assumed that they will not deviate. “Acceptable” is
formalized by any solution concept, e.g. by NE, dominating strategies (Dom), or subgame perfect
equilibria (SPE).
1. As a first an (...truncated)