Chapter V: Reactive Contracts

5.5 Case Study: a Reactive GR(1) Contract on 3 Islands

Figure 5.1: A screenshot of a simulation trace. At this point, no failure has occured.

The red robot is holding down a red button for the crate-carrying blue robot to cross.

The simulation and synthesis code is available at (Phan-Minh, 2019a).

Note that the most costly step in the described procedure is the computation of the realizability relationR which has time complexity𝑂(|R |𝑛³) where𝑛is the length of the longest GR(1) formula. However, this should be done offline during the design/planning process. It is, nevertheless, easy to parallelize and also optimize this computation using a priori knowledge aboutA andG. In addition, full knowledge of R may not be necessarily for most applications and for that reason it can be incrementally refined. The following case study will demonstrate this method.

Figure 5.2: The brown bridge broke, the two robots are stranded.

that is home to these robots) and deposited at either the silver or yellow square patches (shipping ports), after which it will respawn at the black patch. The set of coarse guaranteesGconsists of 7 elements:

• ♦box_r2_far(resp.,♦box_r2_near): the supervisor robotr2stands on the yellow (resp., silver) square patch to supervise the dropping off of the crate there by the other robot infinitely often.

• ♦box_far (resp., ♦box_near): the crate gets dropped off at the yellow (resp., silver) square patch infinitely often (possibly without the supervisor robot being present).

• ♦r2_far(resp.,♦r2_near,♦r2_home): the supervisor robot patrols the yellow (resp., silver, black) square patch infinitely often.

The setAthat coarsely characterizes possible operating scenarios is constructed by taking the conjunction of all variables appearing in elements of the product set ob- tained from the sets{r1_home,r1_near,r1_far},{r2_home,r2_near,r2_far}, and 2^{{bridge,button1,button2}}. An element of A can be r1_home∧r2_far∧ bridge∧button1, denoting the condition that the transporter robot r1starts on the “home” island (the one with the black patch), the supervisor robotr2starts on the “far” island (yellow patch), and the button on the island with the silver patch,

Figure 5.3: Order isomorphic assumption/guarantee lattices of Galois fixpoints computed for the 3 island scenario. See Table 5.1 for details on each 𝐴⁰

𝑖/𝐺⁰

𝑖.

button2, is broken. We observe that A has 72 elements and is initially disjoint.

The Galois connection calculation will reduce this relatively large number of cases to only 9 inA⁰as can be seen from Fig. 5.3.

A calculation of R onA × G (which has 72×7 elements) using slugs, a GR(1) synthesis tool (Ehlers and Raman, 2016), on a laptop with an Intel i7-4720HQ processor and 16GB of RAM took approximately 40 minutes (not parallelized). It took about 3 seconds to generate the lattices using a fixpoint calculation algorithm from (Outrata and Vychodil, 2012). Note also that since all actions performed by the two robots in this example are reversible, if under an assumption, two liveness guarantees can be realized separately, their conjunction will also be realizable. This observation will also be used to synthesize one of the most basic forms of reactive contracts, namely: an “optimal” reactive contract, in which the reaction𝑅is defined to consist of all finite and infinite sequences whose elements are of the form(𝛼, 𝛾) where 𝛼 is an assumption from a node on the assumption lattice and 𝛾 is the conjunction of the corresponding guarantee on the guarantee lattice together with all guarantees contained in its descendant nodes. The contigencyΔis defined to be the sequences obtained by projecting away𝛾 from any sequence in 𝑅. In Fig. 5.3, if𝛼=bridge∧ (r2_far∨r2_near), then𝛾 =♦r2_near∧♦r2_far.

Consider a scenario in which we are given the latticesA⁰and G⁰and a set𝐹 ⊆ 𝔉 where𝔉consists of Boolean variables encoding all impending failures (in the 3 is- land scenarios,𝔉 = {button1,button2,bridge}) along with a set𝑔_min ⊆ G⁰ consisting of baseline guarantees that we would like the system to maintain. Algo- rithm 2 shows how one can use the assume-guarantee lattices to find an implemen-

Table 5.1: Assume-guarantee lattice data for Fig. 5.3.

𝑖 𝐴⁰

𝑖 𝐺⁰

𝑖

1 bridge∧button2∧ (button1∨r1_far∨r1_near∨r2_far∨

r2_near) ♦box_r2_far

2 button2∧(r1_home∨r1_near)∧(r2_home∨r2_near)∧(r2_home∨

r2_near) ∧ (button1∨r1_near∨r2_near)

♦box_r2_near 3 bridge∧button1∧ (r1_home∨r2_home) ♦box_far 4 button1∧(r1_home∨r1_near)∧(r1_home∨r2_home)∧(r2_home∨

r2_near)

♦box_near

5 bridge∧ (r2_far∨r2_near) ∅(or∧)

6 r2_home ♦r2_home

7 r2_near ♦r2_near

8 r2_far ♦r2_far

9 ∅(or∧) ∅(or∨)

tation that is robust against𝐹while maintaining at least𝑔_minstarting from an initial configuration 𝐴_init. In line 2 of the algorithm, a check is performed to see if the Algorithm 2Find robust reactive GR(1) implementation for prioritized failures

1: functionfindRobustImplementation(A⁰,G⁰, 𝐴_init, 𝐹 , 𝑔_min)

2: if 𝐴_init∉∪𝛼∈A⁰𝛼then

3: error out: “initial state is not in contract!”

4: else

5: 𝛾 ←sup_≤

G 0 𝑔_min

6: 𝛼←theA⁰node corresponding to𝛾

7: 𝛼_inv ← 𝛼∨ (∨_{𝑎∈ancestors(𝛼)}𝑎)with variables in𝐹replaced byFalseand variables in𝔉\𝐹replaced byTrue

8: if isRealizable(𝐴_init, 𝛾∧𝛼_inv) then

9: 𝛾⁰←largest guarantee such that isRealizable(𝐴_init, 𝛾⁰∧𝛼_inv)

10: returngetStrategy(𝐴_init, 𝛾⁰∧𝛼_inv)

11: else

12: error out: “robust strategy doesn’t exist!”

initial configuration 𝐴_initis a valid assumption; if not, an error will be thrown (line 3). In line 5, the algorithm finds the least node onG⁰such that𝛾and its descendants contain 𝑔_min (this always exists and is unique by the completeness of G⁰). Line 6 defines 𝛼 as the corresponding node to 𝛾 on A⁰. Hence, 𝛼∨ (∨𝑎∈ancestors(𝛼)𝑎) corresponds to the most relaxed assumption for which𝑔_min can be guaranteed. In other words, all configurations from which 𝑔_min can be satisfied are contained in it. In line 7, an invariant constraint𝛼_inv is computed from 𝛼∨ (∨𝑎∈ancestors(𝛼)𝑎) by assuming that all failures in 𝐹 have occurred. This represents configurations from which𝛾can still be guaranteed. In line 8, a check is performed to see if it is possible to satisfy 𝛾 while maintaining 𝛼_inv. If the answer is yes, the algorithm attempts to find a better guarantee than𝛾 (possibly using bisection) and will return a robust

strategy that guarantees it (lines 9−10); otherwise it will throw an error saying that such a robust strategy does not exist (line 12).

In the 3 island example, if we start out at an initial configuration where at least one robot is not on the home island, 𝑔_min is anything, and 𝐹 = {button1}, then algorithm 2 will return a robust strategy with 𝛾⁰ =G⁰(all guarantees) which never allows both robots to be on the “home” island at the same time (because ifbutton1 fails, then the robots will not be able to leave the home island). In particular, if 𝑔_min ={♦box_r2_far}, then𝛼_invwill be equal tor1_far∨r1_near∨r2_far∨ r2_near.