Parameterized Synthesis

We study the synthesis problem for distributed architectures with a parametric number of finite-state components. Parameterized specifications arise naturally in a synthesis setting, but thus far it was unclear how to detect realizability and how to perform synthesis in a parameterized setting. Using a classical result from verification, we show that for a class of specifications in indexed LTL\X, parameterized synthesis in token ring networks is equivalent to distributed synthesis in a network consisting of a few copies of a single process. Adapting a well-known result from distributed synthesis, we show that the latter problem is undecidable. We describe a semi-decision procedure for the parameterized synthesis problem in token rings, based on bounded synthesis. We extend the approach to parameterized synthesis in token-passing networks with arbitrary topologies, and show applicability on a simple case study. Finally, we sketch a general framework for parameterized synthesis based on cutoffs and other parameterized verification techniques.


Introduction
Synthesis is the problem of turning a temporal logical specification into a reactive system [Chu62,PR89].In synthesis, parameterized specifications occur very naturally.For instance, Piterman, Pnueli, and Sa'ar [PPS06] illustrate their GR(1) approach with two parameterized examples of an arbiter and an elevator controller.Similarly, the case studies considered by Bloem et al. [BGJ + 07b, BGJ + 07a] consist of a parameterized specification of the AMBA bus arbiter and a parameterized generalized buffer.A simple example of a parameterized specification is ∀i.
G(r i → F g i ) ∧ ∀i = j.G(¬g i ∨ ¬g j ).This specification describes an arbiter serving an arbitrary number of clients, say n.Client i controls a signal r i for sending requests and can read a signal g i for receiving grants.The where information about the environment is essentially the same for all processes.Therefore, the resulting synthesis problems are decidable for a fixed or even an arbitrary number of processes.

Preliminaries
We assume that the reader is familiar with LTL, the synthesis problem, and the basic idea of parameterized model checking.For understanding the technical details of our approach, knowledge about the bounded synthesis method [FS13] is helpful.Also, we build on the decidability results for parameterized token rings of Emerson and Namjoshi [EN03], as well as those for parameterized token networks by Clarke et al. [CTTV04].
Architectures.An architecture A is a tuple (P, env, V, I, O), where P is a finite set of processes, containing the environment process env and system processes P − = P \ {env}, V is a set of Boolean system variables, I = {I i ⊆ V | i ∈ P − } assigns a set I i of Boolean input variables to each system process, and O = {O i ⊆ V | i ∈ P } assigns a set O i of Boolean output variables to each process, such that • i∈P O i = V .In contrast to output variables, inputs may be shared between processes.Without loss of generality, we use natural numbers to refer to system processes, and assume P − = {1, . . ., k} for an architecture with k system processes.We denote by A the set of all architectures.
Implementations.An implementation T i of a system process i with inputs I i and outputs O i is a labeled transition system (LTS) T i = (T i , t i , δ i , o i ), where T i is a set of states including the initial state t i , δ i : T i × P(I i ) → T i a transition function, and o i : T i → P(O i ) a labeling function.T i is a finite LTS if T i is finite.
That is, every process advances according to its own transition function and input variables, where inputs from other system processes are interpreted according to the labeling of the current state.
Asynchronous Systems.An asynchronous system is an LTS such that in every transition, only a subset of the system processes changes their state.This is decided by a scheduler that can choose for every transition which of the processes (including the environment) is allowed to make a step.In our setting, we will assume that the environment is always scheduled, and consider the scheduler as a part of the environment.
Formally, O env contains additional scheduling variables s 1 , . . ., s k , and s i ∈ I i for every i.For any i ∈ P − , t ∈ T i and I ⊆ I i , we require δ i (t, I) = t whenever s i ∈ I.
Token Rings.We consider a class of architectures called token rings, where the only communication between system processes is a token.At any time only one process can possess the token, and a process i that has the token can decide to pass it to process i + 1 by raising an output send i ∈ O i ∩ I i+1 .For processes in token rings of size k, addition and subtraction is done modulo k.
We assume that token rings are implemented as asynchronous systems, where in every step only one system process may change its state, except for token-passing steps, in which both of the involved processes change their state.

Synthesis Problems.
Distributed Synthesis.The distributed synthesis problem for a given architecture A and a specification ϕ is to find implementations for the system processes of A, such that the composition of the implementations T 1 , . . ., T k satisfies ϕ, written A, (T 1 , . . ., T k ) |= ϕ.A specification ϕ is realizable with respect to an architecture A if such implementations exist.
Checking realizability of LTL specifications has been shown to be undecidable for architectures in which processes have incomparable information about the environment in the synchronous case [FS05], and even for all architectures with more than one system process in the asynchronous case [SF06].
Bounded Synthesis.The bounded synthesis problem for given architecture A, specification ϕ and a set of bounds {b i ∈ N | i ∈ P − } on the size of system processes as well as a bound b A for the composition T A , is to find implementations T i for the system processes such that their composition T A satisfies ϕ, with |T i | ≤ b i for all process implementations, and

Parameterized Synthesis
In this section, we introduce the parameterized synthesis problem.Using a classical result for the verification of token rings by Emerson and Namjoshi [EN03], we show that parameterized synthesis for token ring architectures and specifications in LTL\X can be reduced to distributed synthesis of isomorphic processes in a ring of fixed size.We then show that, for this class of architectures and specifications, the isomorphic distributed synthesis problem is still undecidable.

Definition.
Parameterized Architectures and Specifications.A parameterized architecture is a function Π : N → A. A parameterized token ring is a parameterized architecture Π R with Π R (n) = (P n , env, V n , I n , O n ), where • P n = {env, 1, . . ., n}, • I n is such that all system processes are assigned isomorphic sets of inputs, consisting of the token-passing input send i−1 and a set of inputs from the environment, distinguished by indexing each input with i. • Similarly, O n assigns isomorphic, indexed sets of outputs to all system processes, with send i ∈ O n (i), and every output of env is indexed with all values from 1 to n.A parameterized specification Φ is a sentence in indexed LTL, that is, an LTL specification with indexed variables and a combination of universal and existential quantification (in prenex form) over all indices.We say that a parameterized architecture Π and a process implementation T satisfy a parameterized specification (written Π, T |= Φ) if for all n, Π(n), (T , . . ., T ) |= Φ.
Example 3.1.Consider the parameterized token ring Π arb with Π arb (n) = (P n , env, V n , I n , O n ), where V n = {r 1 , . . ., r n , g 1 . . ., g n , send 1 , . . ., send n } (3.2) The architecture Π arb (n) defines a token ring with n system processes, with each process i receiving an input r i from the environment and another input send i−1 from the previous process in the ring, and an output send i to the next process, as well as an output g i to the environment.
An instance of this parameterized architecture for n = 4 is depicted in Figure 1.Together with the parameterized specification from Section 1, we will use it in Section 6 to synthesize process implementations for a parameterized arbiter.
Isomorphic and Parameterized Synthesis.The isomorphic synthesis problem for an architecture A and a specification ϕ is to find an implementation T for all system processes (1, . . ., k) such that A, (T , . . ., T ) |= ϕ, also written A, T |= ϕ.The parameterized synthesis problem for a parameterized architecture Π and a parameterized specification Φ is to find an implementation T for all system processes such that Π, T |= Φ.The parameterized (isomorphic) realizability problem is the question whether such an implementation exists.
Figure 1.Token ring architecture with 4 processes 3.2.Reduction of Parameterized to Isomorphic Synthesis.Emerson and Namjoshi [EN03] have shown that verification of LTL\X properties for implementations of parameterized token rings can be reduced to verification of a small ring with up to five processes, depending on the form of the specification.1For a sequence t of index variables and terms in arithmetic modulo n, let ϕ(t) in the following be a formula in LTL\X that only refers to system variables indexed by terms in t.

Theorem 3.2 ([EN03]
).Let Π R be a parameterized token ring, T an implementation of the isomorphic system processes that ensures fair token passing, and Φ a parameterized specification.Then This theorem implies that verification of such structures is decidable.For synthesis, we obtain the following corollary: Corollary 3.3.For a given parameterized token ring Π R and parametric specification Φ, parameterized synthesis can be reduced to isomorphic synthesis in rings of size up to 2 (3, 4, 5) for specifications of type a) (b, c, d, respectively).
In the following, we will show that this reduction in general does not make the synthesis problem decidable.

Decidability.
The parameterized synthesis problem is closely related to the distributed synthesis problem [PR90,FS05].We will use a modification of the original undecidability proof for distributed systems to show undecidability of isomorphic realizability in token rings, which in turn implies undecidability of parameterized realizability.
Theorem 3.4.The isomorphic realizability problem is undecidable for token rings with 2 or more processes and specifications in LTL\X.
Proof.We first reconsider the undecidability proof for synchronous distributed processes by Pnueli and Rosner [PR90], and then show how to modify the construction to prove undecidability in our setting.Standard undecidability proof.Pnueli and Rosner have shown that distributed realizability is undecidable for two synchronous processes, neither of which can observe the inputs or outputs of the other. 2The undecidability proof reduces the halting problem for deterministic Turing machines to the distributed realizability problem.This is done by encoding a specification in LTL that forces both processes to each simulate the given Turing machine M , and halt. 3 For notational simplicity, assume that processes have outputs sufficient to encode configurations of M (i.e., a valuation of the process outputs represents a tape symbol, a state symbol, or a blank symbol).For configurations C, D, represented as sequences of these output symbols, denote by C ⊢ D that D is a legal successor configuration of C. Each process i ∈ {1, 2} has a single input start i from the environment.At any given point in time, let L i be the number of start i signals the environment has sent thus far.Consider the following assumptions on the environment inputs: (1) The environment only sends start i if both processes currently send a blank.
(2) At any time, Let ψ denote the conjunction of these environment assumptions.Then, consider the following specification of the processes: (1) Process i outputs blank symbols until it receives the first start i signal.
(2) Whenever process i receives a start i , in the following state it will start to output a legal configuration of M , followed by blank symbols until it receives the next start i .(3) After receiving the first start i , process i outputs the initial configuration of M .(4) Assume the processes receive start 1 and start 2 at the same time, and denote by C and D the configurations that processes 1 and 2 start to output now.Then:

and
2 For a generalization of the undecidability proof to all architectures with "information forks" we refer to Finkbeiner and Schewe [FS05]. 3Pnueli and Rosner argue informally that such specifications can be expressed in LTL.For a more complete treatment and an analysis of temporal logic fragments that are sufficient to express such specifications, we refer to Schewe [Sch14].
The crucial part is the last statement: since the processes cannot observe in-or outputs of each other (and thus cannot know which one of them "goes first", if any), requirement (a) forces them to produce the same outputs if given the same inputs, and (b) and (c) together force them to correctly simulate M .Let ϕ denote the conjunction of these statements about the processes.Then, every system which realizes the specification given as ψ → ϕ must consist of two processes each satisfying the following (by [PR90, Lemma 4.3]): • The process outputs blank symbols until it receives the first start signal.
• If the process receives a start signal and has received k start signals before, then the process starts to output configuration C k+1 of M (where C 1 ⊢ C 2 ⊢ . . . is the sequence of configurations of M on the empty input tape).Thus, to satisfy ψ → ϕ, each of the two processes must correctly output the complete run of M , with configurations separated by a number of blank symbols.If we add to the specification that the process must eventually output a halt symbol (standing for the halting state of M ), then the new specification is realizable if and only if M halts.In particular, if M halts, then the specification is finite-state realizable, since only finitely many steps need to be simulated.Thus, this encoding reduces the halting problem of deterministic Turing machines to the realizability problem of distributed, synchronous finite-state processes.Modifications for isomorphic realizability of LTL\X specifications in token rings.
To prove the statement of Theorem 3.4, we amend the construction from above such that the halting problem of deterministic Turing machines is reduced to our modified realizability problem.We need to consider the following modifications: (1) The composition of the two processes is asynchronous, and the processes can communicate by passing a token.(2) We are not allowed to use the X operator in the specification.
(3) We restrict to the (possibly simpler) isomorphic synthesis problem.
To handle the first point, we force the system to use the token for synchronization of processes.That is, one step of the system from the original proof corresponds to one cycle of the token in the new system.To ensure that every infinite run also has infinitely many cycles of the token, we need the usual assumption of fair scheduling and require fair token passing of the processes.
Additionally, we augment the specification to assume that the token starts at a designated process, say 1.Furthermore, we require restricted output modification: each process changes its output only at the moment it receives the token, i.e., only once in each full cycle of the token.For every possible output symbol out i of process i, this can be expressed as We also assume that the environment keeps all start i signals constant during a cycle.That is, we call states where process 1 has just received the token 1-receiving states, and assume that environment inputs only change when entering a 1-receiving state.
Note that the token cannot be used to pass any additional information (beyond synchronization): the only freedom a process has is when to pass the token, and by lack of a global clock and visibility of the output signals of the other processes, a given process cannot measure this time or observe any changes of the system during this time.
To handle the loss of the X operator, we use the assumption of restricted output modification to correlate successive states of the original synchronous system to successive 1receiving states of the asynchronous system.That is, X ϕ for the synchronous system corresponds to for the asynchronous system.We replace all occurrences of the form X ϕ in the original specification by the corresponding instance of the formula above.Thus, every statement that originally referred to the next state now refers to the next 1-receiving state.As by restricted output modification none of the in-or outputs of the system will change between two such states, the rest of the specification is satisfied by a given run of the asynchronous system if and only if it is satisfied by the projection of this run to 1-receiving states.
In summary, the modified specification forces the processes to simulate the Turing machine M in the following sense: the projection of the outputs of a run to 1-receiving states must encode the run of Turing machine M .As before, if the specification contains the statement that halt must eventually be true, then the specification is finite-state realizable if and only if M halts.
Finally, we consider the isomorphic realizability problem instead of the general distributed realizability problem.Since (for every M ) the given specification is such that any correct implementation for one process can also be used for the other process, we can find a solution for one problem if and only if we can find one for the other.
As processes have no means of communication beyond synchronization, the proof extends to rings of three or more processes, where each additional process has the same specification as process 2.
Combining Theorems 3.2 and 3.4, we obtain the following result.
Theorem 3.5.The parametric realizability problem is undecidable for token rings and specifications of type b), c), or d).
Proof.By Theorem 3.2, the isomorphic realizability problem for a specification of type b) and (up to) three processes can be reduced to a parameterized realizability problem of type b).Since the former problem is undecidable by Theorem 3.4, so is the latter.The proof for cases c) and d) is analogous.
Note that the proof of Theorem 3.4 does not work for specifications of type a), since the specification relates outputs of one process to outputs of the other.In fact, we can prove that the parameterized realizability problem for type a) specifications is decidable: Lemma 3.6.The parameterized realizability problem is decidable for token rings and specifications of type a).
Proof.This follows almost immediately from results of Clarke et al. [CTTV04] on tokenpassing networks. 4By their reduction, a specification of the form ∀i. ϕ(i) holds for a process implementation T in a ring of arbitrary size if and only if ϕ(1) holds for T in a two-process system, where process 2 has a fixed implementation T 2 that does nothing but receive and (eventually) send the token.
Furthermore, we can encode the behaviour of T 2 as additional assumptions in the specification, and let outputs of process 2 be emulated by the environment.Thus, we can synthesize a process implementation T that satisfies a specification of type a) in token rings of any size by defining assumptions on the behavior of the token and synthesizing an implementation for one process under these assumptions.5That is, define assumption A tok as , and synthesize a process implementation T satisfying A tok → ϕ(1).

Bounded Isomorphic Synthesis
The reduction from Section 3 allows us to reduce parameterized synthesis to isomorphic synthesis with a fixed number of processes.Still, the problem does not fall into a class for which the distributed synthesis problem is decidable.
For distributed architectures that do not fall into decidable classes, Finkbeiner and Schewe have introduced bounded synthesis [FS13], a semi-decision procedure that converts an undecidable distributed synthesis problem into a sequence of decidable synthesis problems, by bounding the size of the implementation.In the following, we will show how to adapt bounded synthesis for isomorphic synthesis in token rings, which by Corollary 3.3 amounts to parameterized synthesis in token rings.4.1.Bounded Synthesis.The bounded synthesis procedure consists of three main steps: Step 1: Automata translation.Following an approach by Kupferman and Vardi [KV05], the LTL specification ϕ (including fairness assumptions like fair scheduling) is translated into a universal co-Büchi automaton U that accepts an LTS T if and only if T satisfies ϕ.
Step 2: SMT Encoding.Existence of an LTS that satisfies ϕ is encoded into a set of SMT constraints over the theory of integers and free function symbols.States of the LTS are represented by natural numbers in the bounded range T = 1, . . ., k, state labels as free functions of type T → B, and the global transition function as a free function of type T × B |Oenv| → T .Transition functions of individual processes are defined indirectly by introducing projections d i : T → T , mapping global to local states.To ensure that local transitions of process i only depend on inputs in I i , we add a constraint To obtain an interpretation of these symbols that satisfies the specification ϕ, additional annotations of states are introduced.This includes labels λ B q : T → B and free functions λ # q : T → N, defined such that (i) λ B q (t) is true if and only if (q, t) ∈ Q × T is reachable in a run of U on T 6 , and (ii) valuations of the λ # q must be increasing along paths of U , and strictly increasing for transitions that enter a rejecting state of U .Together, this 0 1 ensures that an LTS satisfying these constraints cannot have runs which enter rejecting states infinitely often (and thus would be rejected by U ).
Step 3: Solving, Iteration for Increasing Bounds.The SMT constraints that result from step 2 are in the theory of linear integer arithmetic with free function symbols.They are decidable because the number of processes, the size of process implementations and the number of inputs to each process are bounded.If any of these were unbounded, we would have to use unbounded quantification instead of the finite conjunction in step 2, making the satisfiability problem undecidable.Thus, for a given bound k on the size of T , we can decide satisfiability of the constraints.If the constraints are unsatisfiable for a given bound k, we increase k, add the necessary formulas to the encoding, and try again.If they are satisfiable, we obtain a model, giving us an implementation for the system processes such that ϕ is satisfied.

Theorem 4.1 ([FS13]
).If a given LTL specification ϕ is realizable in a given architecture A, then the bounded synthesis procedure will eventually terminate and return implementations of the system processes that satisfy ϕ in A.
Example 4.2.As a very simple example with just one process P , consider the specification G(r → F g), where r is an input and g an output variable of P .Figure 2 depicts the resulting universal co-Büchi automaton, and Figure 3 the resulting set of SMT constraints. 7he constraints encode, from top to bottom, annotations corresponding to states and transitions of U .In particular, we have annotations for i) the initial state of T (and U ), ii) states reachable by any transition from a state t with λ B 0 (t), iii) states reachable by a transition with r ∧ ¬g from a state t with λ B 0 (t), and iv) states reachable by a transition with ¬g from a state t with λ B 1 (t).
4.2.Adaption to Token Rings.We adapt the bounded synthesis approach for synthesis in token rings, and introduce some optimizations we found vital for a good performance of the synthesis method.
Additional Constraints and Optimizations.We use some of the general modifications and optimizations mentioned in Finkbeiner and Schewe [FS13]: • We modify the constraints to ensure that the resulting system implementation is asynchronous.In general (see Section 2.1), we could directly add a scheduling variable s i for each process i and a constraint i∈P − I∈P(Oenv) For the synthesis of token rings we use a modified version, explained below.• We use symmetry constraints to encode that all processes should be isomorphic.Particularly, we use the same function symbols for state labels of all system processes, and special constraints for the local transition functions, also explained below.• We use the semantic variant where environment inputs are not stored in system states, but are directly used in the transition term that computes the following state.This results in an implementation that is a factor of |O env | smaller.8• Finally, we use real numbers instead of integers as the codomain of functions λ # q , as real arithmetic can be solved more efficiently.
Encoding Token Rings.For the synthesis of token rings, we use the following modifications to the SMT encoding: • We want to obtain an asynchronous system in which the environment is always scheduled, along with exactly one system process.Thus, we do not need |P | scheduling variables, but can encode the index of the scheduled process into a binary representation with log 2 (|P − |) inputs.• We encode the special features of token rings: i) exactly one process should have the token at any time, ii) only a process that has the token can send it, iii) if process i wants to send the token, and process i + 1 is scheduled, then in the next state process i + 1 has the token and process i does not, iv) if process i has the token and does not send it (or process i + 1 is not scheduled), it also has the token in the next state, and v) if process i does not have the token and does not receive it from process i − 1, then it will also not have the token in the next step.Properties ii) -v) are encoded in the following constraints, where tok i (d i (t)) is true in state t if and only if process i has the token, -send(d i (t)) is true if and only if i is ready to send the token, and sched i (I) is true if and only if the scheduling variables in I are such that process i is scheduled.
We do not encode property i) directly, because it is implied by the remaining constraints whenever we start in a state where only one process has the token.Without loss of generality, we can assume that process 1 initially has the token, expressed as • Token passing is an exception to the rule that only the scheduled process changes its state: if process i is scheduled in state t, and send(d i−1 (t)) holds, then in the following transition both processes i − 1 and i will change their state.The constraint that ensures that only scheduled processes may change their state is modified into • Finally, we need to restrict local transitions in order to obtain isomorphic processes.The general rule is that local transitions of process i should be determined by the local state and inputs in I i .With our definition, token passing is an exception to this rule.The resulting constraints for local transitions are: Fairness of Scheduling and Token Passing.A precondition of Theorem 3.2 is that the implementation needs to ensure fair token-passing.Thus, we always add ∀i. fair scheduling → G(tok i → F send i ) to ϕ, where fair scheduling stands for ∀j.G F sched j .Note that with this condition, the formula does not fall into any of the cases from Theorem 3.2.However, by adding this formula we only make explicit the assumption of fair token passing, which obviously necessitates fair scheduling.Thus, this formula does not need to be taken into account when choosing which of the cases of the theorem needs to be applied.
Similarly, the fair scheduling assumption needs to be added to any liveness conditions of the specification, as without fair scheduling in general liveness conditions cannot be guaranteed.As before, this does not need to be taken into account considering Theorem 3.2.
Correctness and Completeness of Bounded Synthesis for Token Rings.Based on correctness of the original bounded synthesis approach (and correct modeling of the features of token rings), we obtain Corollary 4.3.If a given specification ϕ is realizable in a token ring of a given size n, then the bounded synthesis procedure, adapted to token rings, will eventually find this implementation.
Since we have shown in Theorem 3.4 that the isomorphic realizability problem is undecidable in token rings, there is no algorithm that can also detect unrealizability in all cases.In fact, the given procedure will not terminate if the specification is unrealizable.
Finally, based on the correctness of our adaption of bounded synthesis, and Corollary 3.3, we obtain Theorem 4.4.If a given specification Φ = ∀t.ϕ(t) falls into class a) (b,c,d) of Theorem 3.2 and the adapted bounded synthesis algorithm finds a process implementation T such that, for a parameteric token ring Π R and m = 2 (3,4,5), then T satisfies Φ in token rings of arbitrary size.

Network Decomposition for General Token-passing Systems
Clarke, Talupur, Touilli, and Veith [CTTV04] have extended the results of Emerson and Namjoshi to arbitrary token-passing networks.They reduce the parameterized verification problem to a finite set of model checking problems, where the number of problems and the size of systems to be checked depends on the architecture of the parameterized system and on the property to be proved.In the following, we recapitulate their results and show how they can be applied to allow for synthesis of processes in general token-passing networks.Network Graph.A network graph is a finite directed graph G = (S, C) without self-loops, where S is the set of processes, and C is the set of connections.A path in G is a sequence of processes s 1 s 2 . . .s n such that for 1 Token-passing Network.We consider token-passing networks based on network graphs.Let I i be isomorphic sets of indexed input variables for all processes i ∈ S, with send j ∈ I i for at least one j = i ∈ S. Similarly, let O i ⊇ {tok i , send i } be isomorphic sets of output variables for all processes.Let furthermore env be the environment process with outputs O env , such that ( • i∈S O i ) ∩ O env = ∅, and let P = S ∪ {env}.Together with this interface for the processes, a network graph G corresponds to the architecture Note that in contrast to token rings, we may have several connections that allow sending or receiving the token for each process, i.e., we may have send i ∈ I j for more than one j ∈ S, and send k ∈ I i for more than one k ∈ S. The decision which of these connections is used is left to the scheduler, i.e., the environment process env: if send i is active, then the next process j with send i ∈ I j that is scheduled will receive the token.Similar to the case of token rings, we consider only networks and schedulers that ensure fair token passing, i.e. in every execution of the system, every process will receive the token infinitely often.
Example 5.1 (Token-Passing Network).Figure 4 shows the network graph G prio that resembles a token ring, except that there is an additional "shortcut" connection between processes 5 and 1. G prio can be seen as a token ring with additional prioritization: whenever the token is passed by process 5, the environment can decide whether the low-priority processes on the left-hand side will receive the token in this round (by scheduling process 6) or not (by scheduling process 1).The fairness assumptions ensure that every process will receive the token infinitely often.k-Indexed Formula.A k-indexed formula is a formula with arbitrary quantification in prenex form that refers to at most k different processes, i.e., there are at most k different constant indices and index variables.
Connectivity, Connection Topology.Consider a network graph G = (S, C) and a subset R = {p 1 , . . ., p k } ⊆ S of processes.We define the following connectivity properties for index variables x, y: "There is an R-free path from x to itself" G |= Φ (x, y, R) "There is a path from x to y via a third process not in R" G |= Φ → (x, y) "There is a direct connection (x, y) ∈ C" By instantiating variables x and y with elements of R in all possible combinations, we obtain a finite set of different conditions, describing all possible connectivities between processes in R.These connectivities represent the connection topology of G with respect to R, denoted G R .The connection topology G R can be depicted in a network graph G R = (S R , C R ) with at most 2k nodes, where S R contains sites site 1 , . . ., site k corresponding to elements of R, and a number of "hub" nodes, each representing one or several nodes from S \ R.
The minimal network graph with these properties can be used as a representative of the connection topology.For a given connection topology CT and process interface, we will denote by A CT the architecture based on CT , where sites are represented by processes as usual, and hubs are replaced by processes with a fixed implementation that always eventually passes on the token. 9 Example 5.2. Figure 5 shows the connection topology G prio R of the network graph from Example 5.1 with respect to R = {1, 4}.Hub nodes are depicted as filled black circles.
Example 5.3.Figure 6 shows the 2-topology of the network graph G prio from Example 5.1.Note that several subsets R ⊆ S have the same topology.E.g., the topology in a) is G prio {i,j} for any two processes i, j ∈ S which are both high-or low-priority, and are not neighbors.Also, for all topologies there are symmetric variants, where i and j switch positions.Except 9 Actually, an implementation with three states is sufficient: one where the process waits for the token, one state it enters when receiving the token, and one where it sends the token.The latter is always entered when it is scheduled for the first time after receiving the token.Since processes cannot observe how many steps the other processes take, this preserves full generality.).Let T be a process implementation, A G an architecture based on network graph G and the interface of T , and ∃i.ϕ(i) a k-indexed formula.Then This result can be extended to a model checking approach for arbitrary combinations of quantifiers by rewriting universal (existential) quantifiers into explicit conjunctions (disjunctions) over all connection topologies in CT k (G), and checking A CT , T |= ϕ(site 1 , . . ., site k ) for all CT ∈ CT k (G) to evaluate the resulting formula.That is, for a k-indexed formula Qi. ϕ(i) with arbitrary quantifier prefix Qi, we rewrite the model checking problem A G , (T , . . ., T ) |= Qi. ϕ(i) until saturation, according to the following rules: where Reductions in Token-Passing Networks.With some restrictions, the result above provides a reduction from the parameterized model checking problem to a set of finite-state model checking problems for a given class G of network graphs with k-topology CT k : • if the quantifier prefix is purely universal, then we can check validity of ∀i.ϕ(i) in all graphs of the class by checking whether ϕ(i) holds for all topologies in CT k .• similarly, we can check ∃i.ϕ(i) by checking whether ϕ(i) holds for at least one topology in CT k .• if we have quantifier alternations, the problem is not so simple.In general, to define a reduction for a class of network graphs and a formula Qi. ϕ(i), we additionally need a Boolean function B over variables whose truth values are defined by model checking elements of the k-topology.That is, to check whether Qi. ϕ(i) holds in all network graphs of the class, we let CT k = {CT 1 , . . ., CT m }, define valuations of Boolean variables g j for 1 ≤ j ≤ m by g j ⇔ CT j , T |= ϕ(i), and evaluate B(g 1 , . . ., g m ).Clarke et al. [CTTV04] prove that for every network topology and k-indexed quantifier prefix Qi there is a reduction (CT k , B(g 1 , . . ., g m )), but do not show how to find B.
Example 5.5. Figure 7 shows several network graphs that are similar to G prio from Example 5.1.Graphs a) and b) have the same 2-topology, while c) and d) have not: the connection topology for c) and R = {1, 2} is not in T C 2 (G prio ) (it has direct back and forth connections between i and j), and the same holds for the topology of d) and R = {1, 4} (which is similar to Figure 6 b), but has back and forth connections from i to both hubs).Note that, if we allow quantifier alternations, even a) and b) do not agree on all 2indexed specifications: assuming that we have an implementation T such that we can directly observe that a given process has the token, an example for a 2-indexed specification that does not hold in all graphs with the 2-topology CT 2 (G prio ) is ∀i.∃j.
This formula is valid in the graphs from Figure 4 and Figure 7 b), but not in Figure 7 a): for i = 8 there is no j such that the formula holds.
5.3.Parameterized Synthesis in Token Networks.We can lift these verification results to the synthesis of parameterized token-passing networks, such that the resulting implementation will ensure a given k-indexed specification in all networks with a given reduction (CT k , B(g 1 , . . ., g m )).
To synthesize process implementations in token networks, we again adapt the bounded synthesis approach introduced in Section 4. We first show how to encode the isomorphic synthesis problem for a single connection topology CT ∈ CT k .To this end, we use the general modifications mentioned in Section 4.2 for isomorphic processes and small implementations, as well as the binary representation of scheduling variables.Additionally, we use the following modifications: • Hub nodes are not synthesized, but have a fixed implementation with three states: one where they wait for the token, one they enter upon receiving the token, and another one where send is active, which is entered when they are scheduled again after receiving the token.• The special features of token-passing networks are encoded similarly to token rings.The main difference is that we cannot talk about process i + 1 anymore, since successors with respect to token passing are not unique in general token networks.Instead, the corresponding constraints talk about all processes which have a connection to the process that is sending the token.In the following, (i, j) ∈ CT means there is a direct connection between processes i and j in CT , and P − stands for non-environment processes (in both cases including hubs): • Similarly, the restriction of state changes to the scheduled process, with exception of token-passing steps, needs to be modified to account for connections in the topology: (i,j)∈CT t∈T I∈P(Oenv) • To ensure that we obtain isomorphic constraints, we pick one process from CT (denoted by 1 below) and modify the corresponding constraints from Section 4.2 to the following, where P * stands for P − without hubs and without 1: • As for token rings, we ensure that the synthesized process implementation will always eventually release the token under the assumption of fair scheduling by adding the same constraint: However, since the environment decides on the connection used for token-passing in case of multiple connections, this property does not imply fair token passing, even under the assumption of fair scheduling.Thus, instead of fair scheduling, we directly add fair token passing (fair token ≡ ∀i.G F tok i ) as an environment assumption to all liveness guarantees of the system.10• Finally, since we want to synthesize processes that potentially have to satisfy constraints from several CT at the same time, we do not use a bound on the size of the overall system implementation, but instead on the process implementation.This can be achieved e.g. by letting the d i map into {1, . . ., n}, and choosing the size of the overall system as n |P * | • 3 h , where h is the number of hubs in CT .With these modifications, we can use the bounded synthesis approach to encode the isomorphic synthesis problem for a k-indexed formula ϕ(i) and a connection topology CT into a sequence of set of SMT constraints SM T (CT, n), where n is the bound on the size of process implementations.
In order to extend this to parameterized synthesis for all networks with the same reduction (CT k , B(g 1 , . . ., g m )), we encode the isomorphic synthesis problem A CT , T |= ϕ(i) for all CT ∈ CT k , using for all CT the same function symbols for outputs and transition function of the process to be synthesized.If the original specification universally quantifies over all indices, the SMT constraint we are trying to solve is CT ∈CT k SM T (CT, n), for increasing n.In general, we need to solve B(SM T (CT 1 , n), . . ., SM T (CT m , n)).As before, if for a given bound no solution exists, we increase n until an implementation is found.
Note that, in contrast to verification, we cannot solve the problems SM T (CT i , n) independently: we want to obtain an implementation that satisfies all of these constraints (or a Boolean combination of the constraints), and thus have to consider the combination of the constraint systems.
Theorem 5.6.Let G be a class of network graphs, Φ(i) a k-indexed parametric specification, and (CT k , B(g 1 , . . ., g m )) a reduction for G and Φ(i).If Φ(i) is realizable in all token-passing networks based on graphs in G, then the adapted bounded synthesis procedure will eventually find an implementation that satisfies Φ(i) in all these token-passing networks.Symmetry Reduction.Since the number of different topologies in CT k can be very big, and to a large extent consists of symmetric variants, we propose the following optimization: if the specification Φ(i) is symmetric, i.e. we have Φ(i) ⇔ Φ(j) for any permutation j of i, then we do not need to consider symmetric variants.For specifications with many variables, we can make this even more fine-grained: if we have Φ(. . ., i, j, . ..) ⇔ Φ(. . ., j, i, . ..), then for each pair of connection topologies such that one can be obtained from the other by switching positions of i and j, we only need to consider one of them.
This optimization can be used both for model checking and synthesis of implementations in token-passing networks.
Example 5.7.When considering symmetric specifications in the prioritized token-ring architecture, we only check the 6 topologies depicted in Figure 6, and not the 5 additional symmetric variants.This simplifies the SMT encoding of the specification, and the resulting constraint will be a conjunction of the constraints for 6 topologies, instead of 11.

Synthesizing a Parameterized Arbiter
In this section, we show how parameterized synthesis can be used to obtain process implementations for token ring architectures and general token-passing networks, exemplified by prioritized token rings.Our example is a parameterized arbiter with the following specification ∀i, j. ϕ(i, j): Every process i has an input r i for requests from the environment and an output g i to grant requests.We want grants of all processes to be mutually exclusive, and every request to be eventually followed by a grant.
. Universal co-Büchi automaton for specification Φ 6.1.Token Rings.The arbiter specification satisfies case c) in Theorem 3.2, i.e., a ring of size 4 is sufficient to synthesize implementations that satisfy the specification for rings of any size.
According to the adapted bounded synthesis approach from Section 4.2, we need to add the token fairness requirement, and add the fair scheduling assumption to all liveness constraints.This results in the extended specification Φ: fair scheduling → G(tok i → F send i ).
We translate the specification into a universal co-Büchi automaton, shown for 2 processes in Figure 8.The ⊥-state is universally rejecting, i.e. any trace that visits it is rejected by the automaton.This automaton translates to a set of first-order constraints for the annotations of an LTS implementing Φ, a part of which is shown in Figure 9 (only constraints for states 0, 1, 3, 5 of the automaton are shown).These constraints, together with general constraints for asynchronous systems, isomorphic processes, token rings, and size bounds, are handed to Z3 [DMB08].For correctly chosen bounds (|T A | ≤ 4 and |T p | ≤ 2), we obtain a model of the process implementation in ∼5.5 seconds (on an Intel Core i5 CPU @ 2.60GHz).The solution is very simple: every process needs only 2 states, with send i and g i signals high if and only if the process has the token.In the parallel composition of 4 such processes, only 4 global states are reachable.Theorem 4.4 guarantees that with this process implementation, Φ will be satisfied for any instance of the architecture.Figure 10a depicts the LTS for one process, and Fig. 10b the parallel composition of 4 processes in a ring.
Note that synthesis is easy in this case because we can restrict it to a small ring of 4 processes, and have a rather simple specification.For 5 processes (and |T A | ≤ 5), Z3 already needs ∼100 seconds to solve the resulting constraints.6.2.Prioritized Token Rings.Now, we consider the arbiter specification ∀i, j. ϕ(i, j) from above, and the 2-topology CT 2 (G prio ) for prioritized token rings, as given in Figure 6 (modulo symmetric variants).We want to find an implementation T such that A G prio , T |= ∀i, j. ϕ(i, j), under the assumption of fair token passing.
According to the synthesis approach from Section 5.3, we add fair token passing as an environment assumption to the liveness constraint of the arbiter, and add a constraint that ensures that every process must eventually release the token if scheduling is fair.This results in the following specification Φ ′ : fair token → G(r i → F g i ) ∀i.
fair scheduling → G(tok i → F send i ).As before, the specification is translated into a universal co-Büchi automaton.Then, for all 11 topologies CT ∈ CT 2 (G prio ), we translate this automaton into a set of constraints SM T (CT, n), using the same function symbols for transition and output functions of the synthesized process in each set of constraints.Then, we solve the conjunction of all these constraints for increasing n.
Again, a solution is very simple, and in fact the same process implementation that satisfies this specification in rings (see Figure 10a) is synthesized in this case. 11For the correct size bound of 2, Z3 needs ∼27 seconds to solve the resulting constraints.
Since the arbiter specification is symmetric (ϕ(i, j) ⇔ ϕ(j, i)), we can use the symmetry reduction technique mentioned at the end of Section 5.That is, we only need to consider the 6 topologies depicted in Figure 6, and not the 5 additional symmetric variants.The resulting SMT constraints have a size of ∼2.8MB instead of ∼5.1MB, and are solved by Z3 in ∼5 seconds instead of ∼27.
The Parameterized Synthesis Tool Party.The experiments presented above are rather restricted because part of the translation of specifications into SMT constraints was done manually.Khalimov, Jacobs and Bloem [KJB13a] have since developed a fully automatic implementation of the approach for token rings, and compared the time required for parameterized synthesis for several different benchmarks and combinations of optimizations.In particular, they show that significant increases in synthesis time, similar to those for increasing number of components, can also be observed if we consider more complex specifications (in a ring of the same size).
Based on the synthesis approach presented in this paper, Party [KJB13a] implements additional optimizations and extensions due to Khalimov, Jacobs and Bloem [KJB13b].The tool accepts a specification in indexed LTL, in a language derived from that of (monolithic) synthesis tool Acacia+ [BBF + 12].Based on the syntactical form of the specification, it automatically determines the valid cutoff for an implementation in a token-ring architecture, and applies our synthesis method with suitable optimizations.

A Framework for Parameterized Synthesis
Our approach for reduction of parameterized synthesis to isomorphic synthesis is not limited to token-passing systems.The methods presented here can be seen as the basis of a framework that lifts certain classes of algorithms for the verification of parameterized systems to (semi-)algorithms for their synthesis.
There is a vast body of work on the verification of parameterized systems, much of it going beyond token-passing systems.In the following, we consider the problem of lifting these results to parameterized synthesis.The methods described in this paper extend more or less directly to results that provide a cutoff that reduces the parameterized model checking problem to an equivalent set of finite-state model checking problems.In addition to these, we survey other methods for parameterized verification, and how they might be lifted to parameterized synthesis.7.1.Methods Based on Cutoffs.The literature on parameterized model checking contains many results that prove a cutoff for the given class of systems and specifications, making the parameterized verification problem decidable.We give an incomplete overview:  [EK04] provide cutoffs for bi-directional rings with multi-valued tokens and some additional restrictions.Intended applications are leader election algorithms, as well as resource allocation algorithms.• Kahlon et al. [KIG05] show that also for threads communicating via locks, there are cutoffs for certain cases.Like the guarded transitions of Emerson and Kahlon [EK00], this can be seen as a limited form of shared variables.• Bouajjani et al. [BHV08] consider resource management systems based on (prioritized) FIFO queues, and provide cutoffs for several cases.• Aminof et al. [AJKR14] extend and unify the results for token rings and general tokenpassing networks considered in this paper.In particular, they provide concrete cutoffs for processes arranged in rings, cliques, or stars.In principle, any verification result that provides a cutoff can be used to obtain a semidecision procedure for the parameterized synthesis problem.We distinguish three cases: Static Structure-Independent Cutoffs.For many of the results mentioned above [EK00, EK04, KIG05, BHV08, AJKR14], the cutoff depends only on the architecture and the specification, but not on the (structure of the) implementation.In this case, the approach is directly analogous to what we described for token-passing systems: (1) determine suitable cutoff, based on architecture and specification, (2) encode synthesis problem into SMT constraints for bounded synthesis (including architecture-specific encoding), and (3) for increasing n, until implementation is found: solve bounded synthesis problem by solving SMT constraints with size bound n.In this case, the only limitation is the ability to (efficiently) encode the features of the class of systems in decidable first-order constraints.This should be possible for all of the results mentioned above.
Static Structure-Dependent Cutoffs.For some of the results [GS92, EK00], the cutoff also depends on the size (i.e., the number of states) of the implementation.In this case, all three steps need to be repeated whenever we want to check if an implementation for a given size exists: For increasing n, until implementation is found: (1) determine suitable cutoff, based on architecture, specification, and n, (2) encode synthesis problem into SMT constraints for bounded synthesis (including architecture-specific encoding), and (3) solve bounded synthesis problem by solving SMT constraints for size n.
Additionally, there are results [BHV08] where the cutoff not only depends on the size of the implementation, but some other properties, e.g., the number of transitions.For these, the synthesis approach has to be refined again, enumerating models with increasing number of transitions together with their suitable cutoff.Similar approaches can be used for cutoffs that depend on other properties (e.g., the diameter) of the implementation, but may be much more difficult to implement efficiently than the comparably simple approaches above.
Dynamic Cutoffs.There are also approaches that detect a cutoff for a given system implementation dynamically [HBR09,KKW10].That is, the cutoff is not determined by syntactic properties of architecture, specification, or implementation.These are less suited for our framework: in order to integrate them with our approach, cutoff detection would have to be interleaved with generation of candidate implementations, making it hard to devise a complete synthesis approach.Finding out how this can be done constitutes a separate direction of research.

7.2.
Other Methods.There are several other results for the verification of systems with an arbitrary number of components.For these, it is less clear how to lift results from the verification of parameterized systems to their synthesis.Again, we distinguish three cases: Induction-Based Approaches.These approaches reduce the parameterized verification problem to the problem of finding an inductive network invariant [KM95].However, they are usually not guaranteed to work for a fixed class of systems, and the invariant must be found manually for the given system under consideration.Clarke et al. [CGJ97] introduced a method that partly automates the construction of network invariants.Finally, the invisible invariants approach [PRZ01, ZP04] can be seen as a combination of network invariants with automatic detection of cutoffs (that can directly depend on the invariant to be proved).
Since network invariants not only depend on the specification, but also on the implementation, a parameterized synthesis approach would have a feedback loop between synthesis and invariant generation, similar to the case of dynamic cutoffs.
Abstraction-Based Methods.These methods construct a finite-state abstraction of a parameterized system, and have been pioneered by counter abstraction [PXZ02,ZP04].An interesting extension of this approach combines counter abstraction with environment abstraction, which centers on one process, and abstracts the behavior of all other processes [CTV06,CTV08].
A way to integrate such results into a parameterized synthesis method would be to identify conditions on distributed systems that guarantee applicability of, e.g., counterabstraction, and then apply synthesis modulo these conditions.Consequently, synthesis will find an implementation if and only if there exists one that satisfies these conditions.
Regular Model Checking.Regular model checking [BJNT00] is an approach for the verification of infinite-state systems that can also be used for parameterized verification.It is based on the idea that the state of a system can be expressed as a regular expression, and transitions given as finite-state transducers.Overviews of some of the methods based on regular model checking can be found in the work of Vojnar [Voj07] and Abdulla [Abd12].
The question how to integrate regular model checking into parameterized synthesis is wide open.One option would be to consider approaches that compute (approximations of) the reachable states in regular model checking, and try to extend them to a game-based synthesis approach.

Conclusions and Future Work
We have stated the problem of parameterized realizability and parameterized synthesis: whether and how a parameterized specification can be turned into a simple recipe for constructing a parameterized system.The realizability problem asks whether a parameterized specification can be implemented for any number of processes, i.e., whether the specification is correct.Our procedure for parameterized synthesis yields a process implementation that can be replicated to obtain a correct system of arbitrary size, thus avoiding the steeply rising need for resources associated with synthesis for an increasing number of processes using classical, non-parameterized methods.
We have considered the problem in detail for token-passing systems, including token rings.Using results from parameterized verification, we showed that the parameterized synthesis problem reduces to distributed synthesis in a small network of isomorphic processes with fairness constraints on token passing.Unfortunately, the distributed synthesis problem remains undecidable, even for small token rings.
Regardless of this negative result, we managed to synthesize an actual -albeit very small -example of a parameterized arbiter.To this end, we used Schewe and Finkbeiner's results on bounded synthesis.In theory, this approach will eventually find an implementation if it exists.In practice, this currently only works for small implementations.One line of future work will be on making synthesis feasible for larger systems -together with Khalimov, we recently started research in that direction [KJB13b], and managed to reduce synthesis time by several orders of magnitude by using modularity and abstraction techniques.We plan to extend research into more efficient encoding techniques, as well as the integration of ideas from the lazy synthesis approach [FJ12].
For unrealizable specifications, our approach will run forever.It is an interesting question whether it could be combined with incomplete methods to check unrealizability.
We note that the topologies we considered limit communication between processes, and therefore also the possible solutions.For our running example, processes give grants only when they hold the token.In a token ring, this means that response time increases linearly with the number of processes, something that can be avoided in other topologies.We can widen the class of topologies that we can synthesize by using more general results on parameterized verification.
To this end, we have given an incomplete overview of results for parameterized model checking, and ideas for how to lift these results to parameterized synthesis.In particular, the approach presented in this article can be seen as a framework for lifting cutoff-based reduction techniques from parameterized verification to parameterized synthesis.

Figure 4 .
Figure 4. Network Graph for a Prioritized Token Ring

Figure 6
Figure 6.2-Topology of G prio a (possibly empty) quantifier prefix over the remaining index variables.Upon saturation, we obtain a Boolean combination of model checking problems A CT , T |= ϕ(i), for all possible topologies CT ∈ CT k (G), where ϕ(i) is quantifier-free and the elements of i are instantiated to concrete elements of S. Since several subsets R ⊂ S have the same topology G R ∈ CT k (G), we do not need to solve |S| k model checking problems, but only as many as there are different topologies in CT k (G).

Figure 7 .
Figure 7. Network Graphs similar to G prio

Figure 9 .
Figure 9. Constraints that are equivalent to realizability of Φ

•
German and Sistla [GS92] provide cutoffs for 1-indexed properties in architectures with pairwise communication (synchronization) in a clique.Intended application areas are resource allocation algorithms and network protocols.• Emerson and Kahlon [EK00] provide cutoffs for systems where transitions of any component are guarded with conjunctive or disjunctive statements about the states of the other processes, effectively constituting a clique structure with a limited form of shared variables.Intended applications are cache coherence protocols and readers-writers problems.• Furthermore, Emerson and Kahlon [EK03] provide cutoffs for (initialized) broadcast protocols that can be used for proving cache coherency.• Additionally, Emerson and Kahlon