How to get decidability of distributed synthesis ?

Paul Gastin Joint work with Thomas Chatain and Nathalie Sznajder

> March 12, 2009 Séminaire Bordeaux

## Outline









◆□▶ ◆圖▶ ◆臣▶ ◆臣▶ 臣 - ���?

## Synthesis of a reactive system



◆ロト ◆母 ▶ ◆臣 ▶ ◆臣 ▶ ○臣 ○ のへぐ

# Synthesis of a reactive system



### Two problems

- Decide whether there exists a program st.  $P || E \models \varphi$ ,  $\forall E$ .
- Synthesis: If so, compute such a program.

For reasonable systems and specifications, the problems are decidable.

## Distributed synthesis



# Distributed synthesis



#### Two problems

- Decide the existence of a distributed program such that their joint behavior P<sub>1</sub>||P<sub>2</sub>||P<sub>3</sub>||P<sub>4</sub>||E satisfies φ, for all E.
- Synthesis : If it exists, compute such a distributed program.

### Synchronous semantics: Introduced by Pnueli Rosner '90

• At each tick of a global clock, all processes and the environment output their new value

### Synchronous semantics: Introduced by Pnueli Rosner '90

• At each tick of a global clock, all processes and the environment output their new value

▲日▼▲□▼▲□▼▲□▼ □ のので

• Undecidable with global specifications.



### Synchronous semantics: Introduced by Pnueli Rosner '90

• At each tick of a global clock, all processes and the environment output their new value

- Undecidable with global specifications.
- Undecidable with constraints on internal channels.



### Synchronous semantics: Introduced by Pnueli Rosner '90

- At each tick of a global clock, all processes and the environment output their new value
- Undecidable with global specifications.
- Undecidable with constraints on internal channels.
- Undecidable with bandwidth constraints.



### Synchronous semantics: Introduced by Pnueli Rosner '90

- At each tick of a global clock, all processes and the environment output their new value
- Undecidable with global specifications.
- Undecidable with constraints on internal channels.
- Undecidable with bandwidth constraints.
- Decidable for some architectures, e.g., pipelines.



・ロト ・ 理 ト ・ ヨ ト ・ ヨ ト

▲日▼▲□▼▲□▼▲□▼ □ のので

### P.G., Benjamin Lerman, Marc Zeitoun

- Behaviors are Mazurkiewicz traces
- Players = controllable actions
- Causal memory
- Specification : regular over Mazurkiewicz traces

### P.G., Benjamin Lerman, Marc Zeitoun

- Behaviors are Mazurkiewicz traces
- Players = controllable actions
- Causal memory
- Specification : regular over Mazurkiewicz traces

#### Theorem

Synthesis problem is decidable for co-graph dependence alphabets, i.e., for series-parallel systems.

### Our model

• Processes evolve asynchronously for local actions (i.e., communications with the environment)

### Our model

- Processes evolve asynchronously for local actions (i.e., communications with the environment)
- They can synchronize by signals = common actions initiated by only one process. A process cannot refuse reception of a signal.

### Our model

- Processes evolve asynchronously for local actions (i.e., communications with the environment)
- They can synchronize by signals = common actions initiated by only one process. A process cannot refuse reception of a signal.

- Specifications :
  - over partial orders

### Our model

- Processes evolve asynchronously for local actions (i.e., communications with the environment)
- They can synchronize by signals = common actions initiated by only one process. A process cannot refuse reception of a signal.

- Specifications :
  - over partial orders
  - will not restrain communication abilities

# Decidability Results

#### Theorem

Synthesis problem is decidable for

• strongly-connected architectures,



# Decidability Results

### Theorem

Synthesis problem is decidable for

- strongly-connected architectures,
- disjoint unions of decidable architectures.















### Architectures

### • Communication graph (Proc, E)



◆□ > ◆□ > ◆豆 > ◆豆 > ̄豆 = つへで

### Architectures

- Communication graph (*Proc*, *E*)
- For each process *i*, sets  $\text{In}_i$  and  $\text{Out}_i$  of input and output signals:  $\Gamma = \bigcup_{i \in Proc} \text{In}_i \cup \bigcup_{i \in Proc} \text{Out}_i$



▲□▶▲圖▶▲圖▶▲圖▶ ▲□▶

### Architectures

- Communication graph (*Proc*, *E*)
- For each process *i*, sets  $\text{In}_i$  and  $\text{Out}_i$  of input and output signals:  $\Gamma = \bigcup_{i \in Proc} \text{In}_i \cup \bigcup_{i \in Proc} \text{Out}_i$
- Processes choose sets  $\Sigma_{i,j}$  for  $(i,j) \in E$



### Architectures

- Communication graph (*Proc*, *E*)
- For each process *i*, sets  $\text{In}_i$  and  $\text{Out}_i$  of input and output signals:  $\Gamma = \bigcup_{i \in Proc} \text{In}_i \cup \bigcup_{i \in Proc} \text{Out}_i$
- Processes choose sets  $\Sigma_{i,j}$  for  $(i,j) \in E$

• 
$$\Sigma = \Gamma \cup \bigcup_{(i,j) \in E} \Sigma_{i,j}$$



#### Architectures

- Communication graph (Proc, E)
- For each process *i*, sets  $\text{In}_i$  and  $\text{Out}_i$  of input and output signals:  $\Gamma = \bigcup_{i \in Proc} \text{In}_i \cup \bigcup_{i \in Proc} \text{Out}_i$
- Processes choose sets  $\Sigma_{i,j}$  for  $(i,j) \in E$

• 
$$\Sigma = \Gamma \cup \bigcup_{(i,j) \in E} \Sigma_{i,j}$$

• For each process i,

 $\Sigma_i^c = \operatorname{Out}_i \cup \bigcup_{j,(i,j) \in E} \Sigma_{i,j}$  is the set of signals it can send (control),  $\Sigma_i = \operatorname{In}_i \cup \Sigma_i^c$  is its alphabet.



▲日▼▲□▼▲□▼▲□▼ □ のので

#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



#### Runs

A run is a Mazurkiewicz trace  $t = (V, \lambda, \leq)$  over  $(\Sigma, D)$ where *a D b* if there is a process that takes part both in *a* and *b* 



ヘロト ヘヨト ヘヨト ヘヨト

#### Strategies

### • Strategies are partial functions $f_i : \Sigma_i^* \to \Sigma_i^c$ with local memory.



◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへぐ

#### Strategies

• Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.

• Signal semantics implies reactivity of processes to events.



#### Strategies

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.



#### Strategies

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.



#### **Strategies**

• Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.

▲日▼▲□▼▲□▼▲□▼ □ ののの

• Signal semantics implies reactivity of processes to events.



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.



▲日▼▲□▼▲□▼▲□▼ □ ののの

#### **Strategies**

• Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.

▲日▼▲□▼▲□▼▲□▼ □ ののの

• Signal semantics implies reactivity of processes to events.



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.
- A run respects a strategy f = (f<sub>i</sub>)<sub>i∈Proc</sub> (is an f-run) if each event of process i labelled with a controllable action respects the strategy f<sub>i</sub>.

▲日▼▲□▼▲□▼▲□▼ □ ○○○



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.
- A run respects a strategy f = (f<sub>i</sub>)<sub>i∈Proc</sub> (is an f-run) if each event of process i labelled with a controllable action respects the strategy f<sub>i</sub>.

▲日▼▲□▼▲□▼▲□▼ □ ののの



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.
- A run respects a strategy f = (f<sub>i</sub>)<sub>i∈Proc</sub> (is an f-run) if each event of process i labelled with a controllable action respects the strategy f<sub>i</sub>.

▲日▼▲□▼▲□▼▲□▼ □ ののの



#### **Strategies**

- Strategies are partial functions  $f_i : \Sigma_i^* \to \Sigma_i^c$  with local memory.
- Signal semantics implies reactivity of processes to events.
- A run respects a strategy f = (f<sub>i</sub>)<sub>i∈Proc</sub> (is an f-run) if each event of process i labelled with a controllable action respects the strategy f<sub>i</sub>.
- A run t = (V, λ, ≤) is f-maximal if for each process i either
  V<sub>i</sub> = λ<sup>-1</sup>(Σ<sub>i</sub>) is infinite, or f<sub>i</sub> is undefined on the maximal event of V<sub>i</sub>.



## The model

#### Observable runs

#### Given a run $t = (V, \lambda, \leq)$ , we define the observable run by

$$\pi_{\Gamma}(t) = (\Gamma, \lambda_{|\Gamma}, \leq \cap (\Gamma \times \Gamma))$$

#### where

$$\Gamma = \bigcup_{i \in Proc} \operatorname{In}_i \cup \bigcup_{i \in Proc} \operatorname{Out}_i$$

## The model

#### Observable runs

#### Given a run $t = (V, \lambda, \leq)$ , we define the observable run by

$$\pi_{\Gamma}(t) = (\Gamma, \lambda_{|\Gamma}, \leq \cap (\Gamma \times \Gamma))$$

#### where

$$\Gamma = \bigcup_{i \in Proc} \operatorname{In}_i \cup \bigcup_{i \in Proc} \operatorname{Out}_i$$



### The model

#### Observable runs

#### Given a run $t = (V, \lambda, \leq)$ , we define the observable run by

$$\pi_{\Gamma}(t) = (\Gamma, \lambda_{|\Gamma}, \leq \cap (\Gamma \times \Gamma))$$

#### where

$$\Gamma = \bigcup_{i \in Proc} \operatorname{In}_i \cup \bigcup_{i \in Proc} \operatorname{Out}_i$$



▲□▶ ▲□▶ ▲□▶ ▲□▶ ▲□ ● ● ●

Given

• 
$$\mathcal{A} = (\operatorname{Proc}, E, \Gamma)$$

#### Given

• 
$$\mathcal{A} = (\operatorname{Proc}, E, \Gamma)$$

•  $\varphi$  a specification over  $\Gamma$ -labelled partial orders (observable runs)

#### Given

•  $\mathcal{A} = (\operatorname{Proc}, E, \Gamma)$ 

•  $\varphi$  a specification over  $\Gamma\text{-labelled}$  partial orders (observable runs) Do there exist

▲日▼▲□▼▲□▼▲□▼ □ ののの

• sets  $\Sigma_{i,j}$  for each  $(i,j) \in E$ 

#### Given

•  $\mathcal{A} = (\operatorname{Proc}, E, \Gamma)$ 

•  $\varphi$  a specification over  $\Gamma\text{-labelled}$  partial orders (observable runs) Do there exist

▲日▼▲□▼▲□▼▲□▼ □ ののの

- sets  $\Sigma_{i,j}$  for each  $(i,j) \in E$
- and strategies  $f_i : \Sigma_i^* \to \Sigma_i^c$  for each  $i \in \operatorname{Proc}$

#### Given

•  $\mathcal{A} = (\operatorname{Proc}, \mathcal{E}, \Gamma)$ 

•  $\varphi$  a specification over  $\Gamma\text{-labelled}$  partial orders (observable runs) Do there exist

▲日▼▲□▼▲□▼▲□▼ □ ののの

• sets  $\Sigma_{i,j}$  for each  $(i,j) \in E$ 

• and strategies  $f_i : \Sigma_i^* \to \Sigma_i^c$  for each  $i \in \operatorname{Proc}$ 

such that every *f*-maximal *f*-run *t* is such that  $\pi_{\Gamma}(t) \models \varphi$ ?

#### Given

•  $\mathcal{A} = (\operatorname{Proc}, \mathcal{E}, \Gamma)$ 

•  $\varphi$  a specification over  $\Gamma\text{-labelled}$  partial orders (observable runs) Do there exist

▲日▼▲□▼▲□▼▲□▼ □ ののの

- sets  $\Sigma_{i,j}$  for each  $(i,j) \in E$
- and strategies  $f_i : \Sigma_i^* \to \Sigma_i^c$  for each  $i \in \operatorname{Proc}$

such that every *f*-maximal *f*-run *t* is such that  $\pi_{\Gamma}(t) \models \varphi$ ?

If so, compute them











◆□▶ ◆□▶ ◆臣▶ ◆臣▶ 臣 めんぐ

Communication induces order relation



### Communication induces order relation





▲□▶▲□▶▲□▶▲□▶ □ のへで

### Communication induces order relation







◆□ > ◆□ > ◆三 > ◆三 > ● ● ●

### Communication induces order relation





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Communication induces order relation







◆□ > ◆□ > ◆三 > ◆三 > ● ● ●

### Communication induces order relation





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Communication induces order relation







◆ロト ◆御 ▶ ◆臣 ▶ ◆臣 ▶ ○臣 ● のへで

### Communication induces order relation





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Communication induces order relation







◆ロト ◆御 ▶ ◆臣 ▶ ◆臣 ▶ ○臣 ● のへで

### Communication induces order relation







▲ロ▶ ▲□▶ ▲目▶ ▲目▶ 三目 - 釣A@

### Communication induces order relation







◆ロ〉 ◆御〉 ◆臣〉 ◆臣〉 三臣 → 今々⊙

#### Restrictions on specifications

• Specifications should not discriminate between a partial order and its order extensions

◆□▶ ◆□▶ ◆三▶ ◆三▶ - 三 - のへぐ

#### Restrictions on specifications

• Specifications should not discriminate between a partial order and its order extensions



#### Restrictions on specifications

• Specifications should not discriminate between a partial order and its order extensions



#### Input events are not controllable by processes





◆□ > ◆□ > ◆豆 > ◆豆 > ̄豆 = ∽ へ @

#### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



#### Input events are not controllable by processes







◆□ > ◆□ > ◆三 > ◆三 > ● ● ●

#### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



#### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Input events are not controllable by processes





◆□ > ◆□ > ◆豆 > ◆豆 > ̄豆 = のへで

### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Input events are not controllable by processes







◆□ > ◆□ > ◆三 > ◆三 > ● ● ●

### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 のへで



### Input events are not controllable by processes





◆□▶ ◆□▶ ◆三▶ ◆三▶ 三三 - の々で

### Restrictions on specifications

- Specifications should not discriminate between a partial order and its order extensions
- Specifications should not discriminate between a partial order and its "weakenings"

### Restrictions on specifications

- Specifications should not discriminate between a partial order and its order extensions
- Specifications should not discriminate between a partial order and its "weakenings"



### Restrictions on specifications

- Specifications should not discriminate between a partial order and its order extensions
- Specifications should not discriminate between a partial order and its "weakenings"



#### AlocTL

$$\varphi ::= \mathbf{a} \mid \neg \mathbf{a} \mid \varphi \lor \varphi \mid \varphi \land \varphi$$
$$\mid \mathsf{X}_{i} \varphi \mid \varphi \mathsf{U}_{i} \varphi \mid \neg \mathsf{X}_{i} \top \mid \varphi \widetilde{\mathsf{U}}_{i} \varphi$$
$$\mid \mathsf{Y}_{i} \varphi \mid \varphi \mathsf{S}_{i} \varphi \mid \neg \mathsf{Y}_{i} \top \mid \varphi \widetilde{\mathsf{S}}_{i} \varphi$$
$$\mid \mathsf{F}_{i,i}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi$$

#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで



#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで



#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで



#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

with  $a \in \Gamma$  and  $i, j \in Proc$ 



◆□ > ◆□ > ◆豆 > ◆豆 > ̄豆 \_ のへで

#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで



#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$



#### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \, \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \, \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで



### AlocTL

$$\begin{split} \varphi &::= a \mid \neg a \mid \varphi \lor \varphi \mid \varphi \land \varphi \\ &\mid \mathsf{X}_i \varphi \mid \varphi \, \mathsf{U}_i \varphi \mid \neg \mathsf{X}_i \top \mid \varphi \, \widetilde{\mathsf{U}}_i \varphi \\ &\mid \mathsf{Y}_i \varphi \mid \varphi \, \mathsf{S}_i \varphi \mid \neg \mathsf{Y}_i \top \mid \varphi \, \widetilde{\mathsf{S}}_i \varphi \\ &\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi \end{split}$$

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで

with  $a \in \Gamma$  and  $i, j \in Proc$ 

### Formulae

• 
$$G_1(\texttt{request} \longrightarrow \mathsf{F}_{1,2}(\texttt{Out} \land \texttt{grant}))$$

• 
$$G_2(\texttt{grant} \longrightarrow (\text{Out} \land \mathsf{H}_{2,1} \texttt{request}))$$

### AlocTL

$$\varphi ::= \mathbf{a} \mid \neg \mathbf{a} \mid \varphi \lor \varphi \mid \varphi \land \varphi$$
$$\mid \mathsf{X}_{i} \varphi \mid \varphi \mathsf{U}_{i} \varphi \mid \neg \mathsf{X}_{i} \top \mid \varphi \widetilde{\mathsf{U}}_{i} \varphi$$
$$\mid \mathsf{Y}_{i} \varphi \mid \varphi \mathsf{S}_{i} \varphi \mid \neg \mathsf{Y}_{i} \top \mid \varphi \widetilde{\mathsf{S}}_{i} \varphi$$
$$\mid \mathsf{F}_{i,j}(\operatorname{Out} \land \varphi) \mid \operatorname{Out} \land \mathsf{H}_{i,j} \varphi$$

▲日▼▲□▼▲□▼▲□▼ □ ののの

with  $a \in \Gamma$  and  $i, j \in Proc$ 

#### Formulae

• 
$$G_1(\texttt{request} \longrightarrow F_{1,2}(\texttt{Out} \land \texttt{grant}))$$

•  $G_2(\texttt{grant} \longrightarrow (\texttt{Out} \land \mathsf{H}_{2,1} \texttt{request}))$ 

#### Theorem

AlocTL is closed under extension and weakening

•  $\neg \mathsf{F}_{i,j} \varphi$  forbidden!

◆□▶ ◆□▶ ◆ □▶ ★ □▶ = □ ● の < @

• 
$$\neg \mathsf{F}_{i,j} \varphi$$
 forbidden!



• 
$$\neg \mathsf{F}_{i,j} \varphi$$
 forbidden!



•  $\neg \mathsf{F}_{i,j} \varphi$  forbidden!

(ロ)、(型)、(E)、(E)、 E、 の(の)

•  $X_{i,j}\varphi$  forbidden!

- $\neg \mathsf{F}_{i,j} \varphi$  forbidden!
- $X_{i,j}\varphi$  forbidden!



◆□▶ ◆□▶ ◆目▶ ◆目▶ 目 のへぐ

- $\neg \mathsf{F}_{i,j} \varphi$  forbidden!
- $X_{i,j}\varphi$  forbidden!



- $\neg \mathsf{F}_{i,j} \varphi$  forbidden!
- $X_{i,j}\varphi$  forbidden!

Specification is not allowed to require concurrency

◆□▶ ◆□▶ ◆ □▶ ★ □▶ = □ ● の < @

- $\neg \mathsf{F}_{i,j} \varphi$  forbidden!
- $X_{i,j}\varphi$  forbidden!

Specification is not allowed to require concurrency

Closure by weakening

Ensured by  $F_{i,j} \wedge Out$  and  $Out \wedge H_{i,j} \varphi$ .

### Outline











# Decidability Results

#### Theorem

The synthesis problem over singleton architectures is decidable for regular specifications.

◆□▶ ◆□▶ ◆三▶ ◆三▶ 三回 ● のへで

# Decidability Results

#### Theorem

The synthesis problem over singleton architectures is decidable for regular specifications.

#### Theorem

The distributed synthesis problem over strongly connected architectures is decidable for AlocTL specifications.

▲ロ ▶ ▲周 ▶ ▲ 国 ▶ ▲ 国 ▶ ● の Q @

# Decidability Results

#### Theorem

The synthesis problem over singleton architectures is decidable for regular specifications.

#### Theorem

The distributed synthesis problem over strongly connected architectures is decidable for AlocTL specifications.

#### Proof

By reduction to the singleton case.

Note that we do not need to change the specification since it is closed under extension

▲日▼▲□▼▲□▼▲□▼ □ ののの

#### Proposition

If there are communication sets  $\Sigma_{i,j}$  for  $(i,j) \in E$  and a winning distributed strategy on the strongly connected architecture, then there is a winning strategy on the singleton.

# Proof Easy.

▲ロ ▶ ▲周 ▶ ▲ 国 ▶ ▲ 国 ▶ ● の Q @

### Proposition

If there is a winning strategy f over the singleton architecture then one can define internal signals sets and a distributed winning strategy for the strongly connected architecture.

◆□▶ ◆□▶ ◆三▶ ◆三▶ 三回 ● のへで

### Proposition

If there is a winning strategy f over the singleton architecture then one can define internal signals sets and a distributed winning strategy for the strongly connected architecture.



• We select a master process and a cycle.

### Proposition

If there is a winning strategy f over the singleton architecture then one can define internal signals sets and a distributed winning strategy for the strongly connected architecture.



• We select a master process and a cycle.

• The master process will centralize information in order to simulate *f* and tell other processes which value to output

### Proposition

If there is a winning strategy f over the singleton architecture then one can define internal signals sets and a distributed winning strategy for the strongly connected architecture.



We select a master process and a cycle.

- The master process will centralize information in order to simulate *f* and tell other processes which value to output
- Aim: create a run that will be a weakening of some *f*-run over the singleton

#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ Strategy for the singleton:  $f(\sigma) = \operatorname{grant} \operatorname{iff} \sigma$  contains  $\operatorname{req}_3$  but no alert



Master collect information by sending a signal Msg through the cycle



*t*′:

#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



*t*′:

#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



*t*′:

#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



*t'*: \_\_\_\_\_

#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



#### Example

Specification: req<sub>3</sub>  $\rightarrow$  F<sub>32</sub>( $\neg$  Y<sub>2</sub> alert  $\leftrightarrow$  grant) Strategy for the singleton:  $f(\sigma) = \text{grant iff } \sigma$  contains req<sub>3</sub> but no alert



Master collect information by sending a signal Msg through the cycle



#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





f : grant

#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert



Master sends orders to other processes to simulate the strategy f



0-----

#### Example

*t*′·

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert



Master sends orders to other processes to simulate the strategy f



a a c c <sup>req</sup><sub>3</sub> b a

f : grant

#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert



Master sends orders to other processes to simulate the strategy f



f : grant

#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert



Master sends orders to other processes to simulate the strategy f



f : grant

#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Example

Specification:  $\operatorname{req}_3 \to F_{32}(\neg Y_2 \operatorname{alert} \leftrightarrow \operatorname{grant})$ 

Strategy for the singleton:  $f(\sigma) = \text{grant}$  iff  $\sigma$  contains req<sub>3</sub> but no alert





#### Lemma

t' is an extension of  $\pi_{\Gamma}(t)$ .

◆□▶ ◆□▶ ◆ □▶ ★ □▶ = □ ● の < @

#### Lemma

t' is an extension of  $\pi_{\Gamma}(t)$ .

#### Lemma

### If x <' y in t' and $x \parallel y$ in $\pi_{\Gamma}(t)$ then $\lambda(y) \in \text{In}$ .

◆□▶ ◆□▶ ◆三▶ ◆三▶ 三回 ● のへで

#### Lemma

t' is an extension of  $\pi_{\Gamma}(t)$ .

#### Lemma

If x <' y in t' and  $x \parallel y$  in  $\pi_{\Gamma}(t)$  then  $\lambda(y) \in \text{In}$ .

### Corollary

 $\pi_{\Gamma}(t)$  is a weakening of t'.

◆□▶ ◆□▶ ◆三▶ ◆三▶ - 三 - のへぐ

#### Lemma

t' is an extension of  $\pi_{\Gamma}(t)$ .

#### Lemma

If 
$$x <' y$$
 in  $t'$  and  $x \parallel y$  in  $\pi_{\Gamma}(t)$  then  $\lambda(y) \in \text{In}$ .

### Corollary

 $\pi_{\Gamma}(t)$  is a weakening of t'.

#### Lemma

t' is an f-maximal f-run.

◆□▶ ◆□▶ ◆三▶ ◆三▶ 三回 ● のへで

#### Lemma

t' is an extension of  $\pi_{\Gamma}(t)$ .

#### Lemma

If 
$$x <' y$$
 in  $t'$  and  $x \parallel y$  in  $\pi_{\Gamma}(t)$  then  $\lambda(y) \in \text{In}$ .

### Corollary

 $\pi_{\Gamma}(t)$  is a weakening of t'.

#### Lemma

```
t' is an f-maximal f-run.
```

#### Conclusion

Then  $t' \models \varphi$  and, by closure property  $\pi_{\Gamma}(t) \models \varphi$ .

# Memory

#### Proposition

If the strategy f over the singleton has finite memory, then we can distribute the strategy for the strongly connected architecture using

▲ロ ▶ ▲周 ▶ ▲ 国 ▶ ▲ 国 ▶ ● の Q @

- finite alphabets  $\Sigma_{i,j}$
- local strategies with finite memories

# Conclusion

◆□ > ◆□ > ◆臣 > ◆臣 > ─ 臣 ─ のへで

- Asynchrony removes undecidability causes
- We have defined a new model of communication
- We have identified a class of decidable architectures
- Hopefully, many more to come!