# Automatic Device Driver Synthesis

#### Adam Walker

Submitted in fulfilment of the requirements for the degree of Doctor of Philosophy



School of Computer Science and Engineering

**Faculty of Engineering** 

July 2015

## **Originality Statement**

'I hereby declare that this submission is my own work and to the best of my knowledge it contains no materials previously published or written by another person, or substantial proportions of material which have been accepted for the award of any other degree or diploma at UNSW or any other educational institution, except where due acknowledgement is made in the thesis. Any contribution made to the research by others, with whom I have worked at UNSW or elsewhere, is explicitly acknowledged in the thesis. I also declare that the intellectual content of this thesis is the product of my own work, except to the extent that assistance from others in the project's design and conception or in style, presentation and linguistic expression is acknowledged.'

| Signed | • • | • • • | <br> | <br>• • | • • | <br> | <br>• | <br> | ٠. | <br>• • | • | <br> | <br>• | <br> | <br>• | <br> | • • | • | <br> | <br> | <br> |
|--------|-----|-------|------|---------|-----|------|-------|------|----|---------|---|------|-------|------|-------|------|-----|---|------|------|------|
| Date   |     |       | <br> | <br>    |     | <br> | <br>  | <br> |    | <br>    |   | <br> |       | <br> |       | <br> |     |   | <br> | <br> | <br> |

#### Abstract

Device drivers are hard and tedious to write, and they are notorious for being unreliable. Automatic device driver synthesis is a radical approach to creating drivers faster and with fewer defects by generating them automatically based on operating system and hardware device specifications. This thesis addresses the two fundamental challenges in driver synthesis: (1) usability and (2) scalability.

The usability challenge is to enable developers to create drivers through a well-defined, predictable sequence of steps. It falls into the following three design objectives: (1) ease of developing specifications for driver synthesis, (2) ease of debugging synthesis errors due to incorrect specifications, and (3) enabling the benefits of automation without sacrificing the flexibility of conventional driver development. In this thesis I develop a new driver synthesis methodology that addresses the first objective through a high-level specification language whose syntax and semantics are close to those of familiar imperative programming languages like C. In addition, it facilitates the development of modular specifications and thus enables a high degree of specification reuse. I address the second objective by developing powerful debugging techniques that help the developer identify and fix specification defects through well-defined process, similar to how conventional debuggers help troubleshoot implementation errors. Finally, the proposed methodology strikes the balance between automation and flexibility by generating driver code in a user guided fashion, where the user can interactively alter or amend automatically generated code, while the synthesis tool verifies user changes on the fly.

The scalability challenge is to overcome the performance bottleneck of existing synthesis algorithms that are not able to efficiently handle real-world device specifications. I address this challenge with a new scalable synthesis engine based on predicate-based abstraction-refinement. Solutions are developed to the three key problems involved in the implementation of efficient predicate abstraction which have not been addressed previously in a synthesis settings: (1) keeping abstractions concise by identifying relevant predicates only, (2) solving abstract games efficiently, (3) and computing abstractions symbolically.

The proposed techniques are implemented in a new tool called Termite-2 and evaluated by synthesising drivers for a number of I/O devices representative of a typical embedded platform. Termite-2 is the first tool to combine the power of automation with the flexibility of conventional development. It is also the first practical synthesis tool based

on abstraction refinement. Finally, it is the first synthesis tool to support automated debugging of input specifications.

# **Contents**

| O  | rigina       | ality Statement                 | ii   |  |  |  |  |  |  |  |  |  |
|----|--------------|---------------------------------|------|--|--|--|--|--|--|--|--|--|
| Co | onten        | ats                             | v    |  |  |  |  |  |  |  |  |  |
| Li | st of        | Figures                         | viii |  |  |  |  |  |  |  |  |  |
| Li | st of        | Tables                          | ix   |  |  |  |  |  |  |  |  |  |
| Pι | ıblica       | ations                          | xi   |  |  |  |  |  |  |  |  |  |
| 1  | Intr         | roduction                       | 1    |  |  |  |  |  |  |  |  |  |
|    | 1.1          | Game Based Formalism            | 2    |  |  |  |  |  |  |  |  |  |
|    | 1.2          | User Guided Synthesis           | 3    |  |  |  |  |  |  |  |  |  |
|    | 1.3          | Scalable Synthesis Algorithm    | 6    |  |  |  |  |  |  |  |  |  |
|    | 1.4          | Chapter Outline                 | 8    |  |  |  |  |  |  |  |  |  |
| 2  | Bac          | kground                         | 9    |  |  |  |  |  |  |  |  |  |
|    | 2.1          | Device Drivers                  | 9    |  |  |  |  |  |  |  |  |  |
|    | 2.2          | Introduction to Game Formalisms | 12   |  |  |  |  |  |  |  |  |  |
|    | 2.3          | $\omega$ -regular Languages     | 13   |  |  |  |  |  |  |  |  |  |
|    | 2.4          | Two Player Games                | 13   |  |  |  |  |  |  |  |  |  |
|    | 2.5          | Fixed Points                    | 17   |  |  |  |  |  |  |  |  |  |
|    | 2.6          | Solving Games                   | 18   |  |  |  |  |  |  |  |  |  |
|    | 2.7          | Strategies and Counterexamples  | 27   |  |  |  |  |  |  |  |  |  |
|    | 2.8          | Symbolic Games                  | 31   |  |  |  |  |  |  |  |  |  |
| 3  | Related Work |                                 |      |  |  |  |  |  |  |  |  |  |
|    | 3.1          | Driver Reliability              | 39   |  |  |  |  |  |  |  |  |  |
|    | 3.2          | Driver Synthesis                | 42   |  |  |  |  |  |  |  |  |  |

vi *CONTENTS* 

| 4 | Syn  | thesis as a Game                                 | 45  |
|---|------|--------------------------------------------------|-----|
|   | 4.1  | The Players                                      | 46  |
|   | 4.2  | GR(1) Based Formalism                            | 47  |
|   | 4.3  | Device and OS Specifications and Synchronisation | 50  |
| 5 | Use  | r guided synthesis                               | 55  |
|   | 5.1  | Introduction                                     | 56  |
|   | 5.2  | Specifications                                   | 57  |
|   | 5.3  | TSL Compiler                                     | 65  |
|   | 5.4  | User-guided Code Generation                      | 67  |
|   | 5.5  | Heuristic Code Generation                        | 74  |
|   | 5.6  | Counterexample Guided Debugging                  | 78  |
|   | 5.7  | Limitations                                      | 80  |
|   | 5.8  | Implementation                                   | 83  |
|   | 5.9  | Evaluation                                       | 83  |
| 6 | Scal | able Synthesis Algorithm                         | 91  |
|   | 6.1  | Symbolic Solver                                  | 92  |
|   | 6.2  | Three Valued Abstraction-Refinement              | 97  |
|   | 6.3  | Variable Abstraction                             | 102 |
|   | 6.4  | Predicate Abstraction                            | 116 |
|   | 6.5  | Approximate Three Valued Abstraction Refinement  | 120 |
|   | 6.6  | Abstraction-Refinement for Predicate Abstraction | 122 |
|   | 6.7  | Optimisation                                     | 136 |
|   | 6.8  | Implementation                                   | 138 |
|   | 6.9  | Evaluation                                       | 138 |
| 7 | Con  | clusions                                         | 141 |
| A | TSL  | Language Reference                               | 143 |
|   | A.1  | Overview                                         | 143 |
|   | A.2  | Syntax Reference                                 | 150 |
| В | Use  | r Guided Synthesis of an I <sup>2</sup> C Driver | 173 |
|   | B.1  | Driver Template                                  | 173 |
|   | B.2  | Configuration                                    | 175 |
|   | B.3  | Master Write                                     | 176 |
|   | B.4  | Specifications                                   | 180 |

| CONTENTS     | vii |
|--------------|-----|
|              |     |
| Bibliography | 193 |

# **List of Figures**

| 1.1 | Termite synthesis workflow                                        | 5   |
|-----|-------------------------------------------------------------------|-----|
| 2.1 | Turn based controllable predecessor                               | 20  |
| 2.2 | Concurrent controllable predecessor                               | 22  |
| 2.3 | A binary decision tree for $x \lor y$                             | 33  |
| 2.4 | A binary decision diagram                                         | 34  |
| 4.1 | A simple two player game                                          | 46  |
| 4.2 | Büchi game for the simple network device                          | 48  |
| 4.3 | Fair reachability game for the simple network device              | 49  |
| 4.4 | Device specifications                                             | 52  |
| 4.5 | OS specifications                                                 | 52  |
| 4.6 | Combined specifications                                           | 54  |
| 5.1 | Termite synthesis workflow                                        | 56  |
| 5.2 | Input specifications for driver synthesis. Labels in italics show |     |
|     | interfaces from the running example (Figure 5.3 and Figure 5.4)   | 57  |
| 5.3 | Trivial serial controller device specifications                   | 60  |
| 5.4 | Trivial serial controller driver specifications                   | 63  |
| 5.5 | Trivial serial controller driver specifications                   | 65  |
| 5.6 | Generated send function                                           | 70  |
| 5.7 | Manually written send function                                    | 71  |
| 5.8 | Screenshot of Termite with a synthesised implementation of the    |     |
|     | IDE driver. Automatically generated code is highlighted           | 88  |
| 6.1 | Overview of three valued abstraction-refinement                   | 100 |
| 6.2 | The game specification for the running example                    | 103 |
| 6.3 | Abstract state space                                              | 104 |

| 6.4  | Partitioning induced by $\{U, X, Y\}$                              | 106 |
|------|--------------------------------------------------------------------|-----|
| 6.5  | May and must winning regions                                       | 108 |
| 6.6  | Refinement for variable abstraction                                | 109 |
| 6.7  | Game variables                                                     | 118 |
| 6.8  | Game specification                                                 | 119 |
| 6.9  | Abstract variables and corresponding predicates                    | 120 |
| 6.10 | Overview of approximate three valued abstraction-refinement        | 121 |
| 6.11 | Different types of consistency refinements. White, grey, and black |     |
|      | background is used to mark respectively must-losing, may-winning,  |     |
|      | and must-winning untracked substates. Dashed and solid arrows      |     |
|      | show $C^{m+}$ and $C^{M-}$ -consistent abstract transitions        | 128 |
| B.1  | Usage of the I <sup>2</sup> Cdriver                                | 174 |
| B.2  | Termite driver source code tab                                     | 177 |
| B.3  | Termite driver source code tab after code generation               | 178 |
| B.4  | Termite driver source code tab. Sending address                    | 179 |
| B.5  | Termite driver source code tab. Sending address manual code        | 180 |
|      |                                                                    |     |
|      |                                                                    |     |

# **List of Tables**

| 5.1 Size (in lines of code) of input specifications and of synthesis |                                                                |     |  |  |  |
|----------------------------------------------------------------------|----------------------------------------------------------------|-----|--|--|--|
|                                                                      | and equivalent manually written drivers                        | 84  |  |  |  |
| 5.2                                                                  | Performance of the Termite game solver                         | 86  |  |  |  |
| 6.1                                                                  | Performance of various optimisations when applied to the basic |     |  |  |  |
|                                                                      | symbolic solver                                                | 96  |  |  |  |
| 6.2                                                                  | Summary of experimental case studies                           | 139 |  |  |  |
| A.1                                                                  | TSL operators                                                  | 154 |  |  |  |

# **Publications**

- Leonid Ryzhyk, Adam Christopher Walker, John Keys, Alexander Legg, Arun Raghunath, Michael Stumm, and Mona Vij. User-guided device driver synthesis. In *USENIX Symposium on Operating Systems Design and Implementation*, pages 661–676, Broomfield, CO, USA, October 2014
- Adam Christopher Walker and Leonid Ryzhyk. Predicate abstraction for reactive synthesis. In *Conference on Formal Methods in Computer-Aided Design*, Lausanne, Switzerland, October 2014
- Swen Jacobs, Roderick Bloem, Romain Brenguier, Rüdiger Ehlers, Timotheus Hell, Robert Könighofer, Guillermo A. Pérez, Jean-François Raskin, Leonid Ryzhyk, Ocan Sankur, Martina Seidl, Leander Tentrup, and Adam Walker. The first reactive synthesis competition (syntcomp 2014). arXiv:1506.08726, 2015
- Nina Narodytska, Alexander Legg, Fahiem Bacchus, Leonid Ryzhyk, and Adam Walker. Solving games without controllable predecessor. In Proceedings of the 16th International Conference on Computer Aided Verification - Volume 8559, pages 533–540, New York, NY, USA, 2014. Springer-Verlag New York, Inc
- Mona Vij, John Keys, Arun Raghunath, Scott Hahn, Vincent Zimmer, Leonid Ryzhyk, Adam Christopher Walker, and Alexander Legg. Device driver synthesis. *Intel Technology Journal*, 17(2):136–157, December 2013

xii PUBLICATIONS

# **Awards**

• Kurt Gödel Medal in Silver. My solver placed first in the sequential realizability track of the reactive synthesis competition.

# 1 Introduction

Device driver synthesis has been proposed as a radical alternative to traditional driver development that offers the promise of creating drivers faster and with far fewer defects [Ryzhyk et al., 2009b]. The idea is to automatically generate the driver code responsible for controlling device operations from a behavioural model of the device and a specification of the driver-OS interface.

The primary motivations for device driver synthesis are the fact that device drivers are hard and tedious to write, and they are notorious for being unreliable [Chou et al., 2001; Ganapathi et al., 2006]. Drivers generally take a long time to bring to production—given the speed at which new devices can be brought to market today, it is not uncommon for a device release to be delayed by driver rather than by silicon issues [Yavatkar, 2012].

Automatic driver synthesis was proposed in earlier work on the Termite-1 project [Ryzhyk et al., 2009b], which formulated the key principles behind the approach and demonstrated its feasibility by synthesising drivers for several real-world devices. The next logical step was to develop driver synthesis into a practical methodology, capable of replacing the conventional driver development process. To this end, this thesis addresses the key problems left open by Termite-1:

Termite-1 produced poor quality synthesised code. While functionally correct, Termite-1 drivers were bloated and poorly structured. This made it impossible for a programmer to maintain and improve the generated code and prevented synthesised drivers from being adopted by Linux and other major operating systems. Furthermore, it was impossible to enforce non-functional properties such as CPU and power efficiency. Addressing these issues is the first major contribution of this dissertation.

• The scalability of the Termite-1 synthesis algorithm was severely limited, which made synthesis of drivers for real-world devices intractable. Termite-1 got around the problem by using carefully crafted simplified device specifications, which is acceptable in a proof-of-concept prototype, but not in a practical tool. Addressing this issue is the second major contribution of this dissertation.

#### 1.1 Game Based Formalism

The key step towards addressing the above challenges is to capture the driver synthesis problem using a precise mathematical formalism. In this work, I develop the first precise mathematical formulation of the driver synthesis problem. This enables us to apply theoretical results and algorithmic techniques from game theory to driver synthesis. Following the approach proposed by Termite-1, I treat the driver synthesis problem as a two-player game between the driver and its environment, comprised of the device and the OS. Each player has a set of *moves* available to it. The driver's moves are called the *controllable* moves, while the environment's moves are *uncontrollable*. The driver's moves, for example, may consist of the set of device register writes that it can perform. The game is played on a large state machine that describes the behaviour of the device and operating system. At any instant, one state is the *current state* and play progresses from state to state by following edges labelled with the set of moves.

However, the formal model used in Termite-1 had several important short-comings that made it unsound, potentially leading to incorrect synthesised drivers or synthesis failures. The *objective* of a Termite-1 game was defined by designating some states as *goal* states. A goal may, for example, correspond to a state where the driver has no outstanding data to send. A correct driver is defined as one that can eventually force the current state to be in the set of goal states, regardless of the environment behaviour.

Objectives, defined using goals, are insufficient for two reasons. First, they do not capture recurring properties. Termite-1 considered a driver to be correct if it could force execution into the goal once. Real drivers, however, are reactive systems that need to continuously satisfy requests. Second, such objectives do not allow the driver to make realistic assumptions about how the environment behaves. Termite-1 drivers could not rely on simple properties

like the fact that timeouts eventually time out. This is discussed further in Section 4.2.3.

The new tool called Termite-2 (further referred to as Termite) overcomes these shortcomings by using generalised reactive (1), or GR(1) objectives [Piterman et al., 2006].

In addition, Termite-1 did not handle the concurrency between the driver and its environment properly, resulting in subtly incorrect drivers. I handle this in a robust way using concurrent games.

## 1.2 User Guided Synthesis

The Termite team and I came to the conclusion that the approach taken by Termite-1 was *critically flawed*. The fundamental problem, in our view, was that the synthesis was viewed as a "push-button" technology that generated a specification-compliant implementation without any user involvement. As a result, the user had to rely on the synthesis tool to produce a good implementation. Unfortunately, even the most intelligent algorithm cannot fully capture the user-perceived notion of high-quality code. While in theory one might be able to enforce some of the desired properties by adding appropriate constraints to the input specification, in our experience creating such specifications is extremely hard and seldom yields satisfactory results.

A radically different approach was needed—one that combines the power of automation with the flexibility of conventional development, and that involves the developer from the start, guiding the generation of the driver. In many ways, synthesis and conventional development are conflicting. Hence, a key challenge was to conceive of a way that allowed the two to be combined so that the developer could do their job more efficiently and with fewer errors without having the synthesis tool get in the way.

This dissertation presents a novel *user-guided* approach to driver synthesis implemented in Termite. In Termite, the user has full control over the synthesis process, while the tool acts as an assistant that suggests, but does not enforce, implementation options and ensures correctness of the resulting code. At any point during synthesis the user can modify or extend previously synthesised code. The tool automatically analyses user-provided code and, on user's request, suggests possible ways to extend it to a complete implementation. If such an extension is not possible due to an error in the user code, the tool

generates an explanation of the failure that helps the user to identify and correct the error.

In an extreme scenario, Termite can be used to synthesise the complete implementation fully automatically. At the other extreme, the user can build the complete implementation by hand, in which case Termite acts as a static verifier for the driver. In practice, it was determined that the intermediate approach, where most of the code is auto-generated, but manual involvement is used when needed to improve the implementation, to be the most practical.

From the developer's perspective, user-guided synthesis appears as an enhancement of the conventional development process with very power-ful autocomplete functionality, rather than a completely new development methodology. Input specifications for driver synthesis are written as imperative programs that model the behaviour of the device and the OS. The driver itself is modelled as a source code template where parts to be synthesised are omitted. This approach enables the use of familiar programming techniques in building input specifications. In contrast, previous synthesis tools, including Termite-1, require specifications to be written in formal languages based on state machines and temporal logic, which proved difficult and error-prone to use even for formal methods experts, not to mention software development practitioners.

Most previous research on automatic synthesis, including Termite-1, considered input specifications to be "correct by definition". In contrast, we recognise that input specifications produced by human developers are likely to contain defects, which can prevent the synthesis algorithm from finding a correct driver implementation. Therefore Termite incorporates powerful debugging tools that help the developer identify and fix specification defects through well-defined steps, similar to how conventional debuggers help troubleshoot implementation errors.

Figure 1.1 gives an overview of the components of Termite and the synthesis workflow. I will be presenting each of the following components in the remaining chapters of this thesis:

- A scalable synthesis algorithm.
- A high level specification language and compiler.
- A graphical debugging and state space exploration environment.



Figure 1.1: Termite synthesis workflow.

- A counterexample generator.
- A heuristic code generator.

I evaluated Termite by synthesising drivers for several I/O devices representative of peripherals found in a typical embedded system. The evaluation criteria are:

- Percent of the driver that is synthesiseable by Termite.
- Performance and code size of the synthesized driver.
- Synthesis algorithm running time and memory usage.
- Ease of creation and debugging of the specifications.

I conclude that for typical embedded devices automatic driver synthesis is practical.

Device driver synthesis technology is still in its early days and, as such, has several important limitations. Most notably, Termite does not currently support synthesis or verification of code for managing direct memory access (DMA) queues. This code must be written manually and is treated by Termite as an external API invoked by the driver. This limitation makes the use of Termite less appealing for devices such as gigabit ethernet controllers where the majority of driver writing effort goes into handling DMA. As another example, in certain situations, explained in Chapter 5 Section 5.4, Termite is unable to produce correct code without user assistance; however it is able to verify the correctness of user-provided code. We discuss limitations of Termite in more detail in Chapter 5 Section 5.7.

This dissertation makes two contributions in the field of practical device driver synthesis:

- 1. A practical synthesis tool that allows the user to work anywhere on the spectrum from full automation to verified manual development.
- 2. A counterexample guided debugging environment that the developer may use to interactively eliminate defects in the input specifications.

## 1.3 Scalable Synthesis Algorithm

To address the scalability problem, I created a new scalable synthesis algorithm, which mitigates the computational bottleneck in driver synthesis [Walker and Ryzhyk, 2014]. Our game-based synthesis algorithm relies on abstraction and symbolic reasoning to achieve orders of magnitude speed up compared to the current state-of-the-art synthesis techniques. The algorithm, along with supporting benchmarks, is given in Chapter 6.

Game solving inherently involves exploring the state space of the game. These state spaces are potentially very large and exploring them becomes difficult. This is referred to as the state space explosion problem. *Abstraction* offers an effective approach to mitigating the state space explosion problem. For example, in the model checking domain abstraction proved instrumental in enabling automatic verification of complex hardware and software systems [Clarke et al., 2000, 2004; Henzinger et al., 2002]. The reactive synthesis community has also identified the key role of abstraction in tackling real-world synthesis problems; however most research in this area has so far been of theoretical nature [de Alfaro and Roy, 2007; Henzinger et al., 2003].

In this dissertation I present the first practical abstraction-refinement algorithm for solving games. Our algorithm is based on *predicate abstraction*, which proved to be particularly successful in model checking [Graf and Saïdi, 1997]. Predicate abstraction partitions the state space of the game based on a set of predicates, which capture essential properties of the system. States inside a partition are indistinguishable to the abstraction, which limits the maximal precision of solving the game achievable with the given abstraction. The abstraction is iteratively refined by introducing new predicates.

The key difficulty in applying predicate abstraction to games is to efficiently solve the abstract game arising at every iteration of the abstraction refinement loop. This requires computing the abstract *controllable predecessor* operator, which maps a set of abstract states, winning for one of the players, into the set of states from which the player can force the game into the winning set in one round of the game. This involves enumerating concrete moves available to both players in each abstract state, which can be prohibitively expensive.

I address the problem by further approximating the expensive controllable predecessor computation and refining the approximation when necessary. To this end, I introduce additional predicates that partition the set of actions available to the players into *abstract actions*. The controllable predecessor computation then consists of two steps: (1) computing abstract actions available in each abstract state, and (2) evaluating controllable predecessor over abstract states and actions.

The first step involves potentially expensive analysis of concrete transitions of the system and is therefore computed approximately. More specifically, solving the abstract game requires overapproximating moves available to one of the players, while underapproximating moves available to the other [Henzinger et al., 2003]. The former is achieved by allowing an abstract action in an abstract state if it is available in at least one corresponding concrete state, the latter allows an action only if it is available in all corresponding concrete states. I compute the overapproximation by initially allowing all actions in all states and gradually refining the abstraction by eliminating spurious actions. Conversely, I start with an empty underapproximation and add available actions as necessary.

This dissertation makes three contributions in the field of reactive synthesis:

- 1. I propose the first practical predicate-based abstraction refinement algorithm for two-player games.
- 2. I introduce a new type of refinement, which increases the precision of controllable predecessor computation without refining the abstract state space of the game. This approach avoids costly operations involved in solving the abstract game, approximating them with a sequence of light-weight operations performed on demand, leading to dramatically improved scalability.

3. I evaluate the algorithm by implementing it as part of the Termite driver synthesis toolkit [Ryzhyk et al., 2014] and using it to synthesise drivers for complex real-world devices. Our algorithm efficiently solves games with very large state spaces, which is impossible without using abstraction or using simpler forms of abstraction.

## 1.4 Chapter Outline

The rest of this dissertation is structured as follows. Chapter 2 provides the necessary background information on game solving. Chapter 5 presents our user guided device driver synthesis tool and methodology and, finally, Chapter 6 presents our scalable synthesis algorithm.

# 2 Background

#### 2.1 Device Drivers

A device driver provides an interface for the operating system (OS) to use a hardware device that is attached to the computer. It translates requests between the OS and the hardware. It allows the operating system to use the device without knowing the exact details of the hardware. As an example, a network interface driver may provide functions to send and receive packets from the network. It performs the low-level device register and memory writes necessary to perform these operations while presenting a high level interface to the OS.

Writing a device driver requires in depth knowledge of both the device to be controlled and the interface to the OS. This makes writing a device driver a tedious and error prone process. Additionally, a device driver usually operates in a privileged part of the OS so that it can access the hardware. As a result, errors often lead to failures of the system.

Device drivers are usually developed by the hardware vendor as they have the best access to information about the design of the hardware. This includes hardware documentation as well as the actual description of the hardware in a hardware description language. If is common for the documentation to never be released to the public.

#### 2.1.1 Device driver functions

The key functions of a device driver are:

Abstraction. As discussed, the driver abstracts away the low-level details
of the device and presents the functionality through a high level set of

operations.

- *Unification*. The driver provides a unified interface to similar devices. For example, another network interface may have a completely different hardware interface to the first but its driver presents the same send and receive functionality to the OS as before.
- *Multiplexing*. The driver and OS cooperate to make sure that the services that the hardware provides are available to all users of the system with sufficient permissions to access the hardware.

#### 2.1.2 Device driver organisation

#### I/O buses

Device drivers communicate with devices over an I/O bus such as the *Peripheral Component Interconnect* (PCI) or *Universal Serial Bus* (USB). Modern operating systems contain drivers that operate these buses and provide low-level access to devices over them. In this thesis I assume that these-bus level drivers already exist.

#### Memory Mapped I/O

Device registers and data buffers can be mapped into the system's memory space by the bus controller. When the CPU initiates a load or store transaction which falls in the range of memory mapped to the device the bus controller translates this to a transaction with the device. This transaction reads and writes the device's internal registers.

#### **Direct Memory Access**

It is also possible for the device to initiate a transaction to transfer data to or from main memory. The CPU is not involved in such a transfer. This is known as *Direct Memory Access* or DMA. DMA is necessary for efficient I/O with devices that transfer large amounts of data as otherwise the CPU would be required to copy all of the data to and from the device word by word.

#### Interrupts

*Interrupts* are asynchronous transactions initiated by the device to signal to the CPU that an event has happened that requires the driver's attention. For example, a network interface may raise an interrupt when a packet has arrived or when a packet has been successfully sent. Interrupts are also often raised on error conditions within the device.

On a Linux system, when an interrupt is raised, the currently executing task is temporarily suspended and control is transferred to the kernel's interrupt handler routine. This determines which driver is responsible for handling the interrupt and invokes the driver's interrupt handler.

#### Concurrency

Most operating systems are multithreaded, including the device drivers. Driver entry points and interrupt handlers may be invoked concurrently and recursively. Careful use of synchronisation primitives are required to avoid race conditions and deadlock. In this work, I assume that only one driver entry point is invoked at a time, removing all concurrency. This can be achieved by using an event based framework such as Dingo [Ryzhyk et al., 2009a], writing a wrapper to translate the concurrent interface required by the operating system to the single threaded interface of the generated drivers, or by post processing the generated driver as described by [Cerny et al., 2013, 2014b, 2015]

#### Operating system services

In addition to bus-level drivers, the OS provides various services to device drivers. These include memory management, timing and synchronisation. Memory management includes allocating memory and support for memory mapped IO and DMA. Timer functionality includes both synchronous (thread delays) and asynchronous (callback) timers. Various synchronization primitives are also provided, but, given that Termite does not make any use of them, I do not discuss them further.

#### 2.2 Introduction to Game Formalisms

Termite's game formalism and synthesis algorithm build on considerable pre-existing work in the field of reactive synthesis which is presented in the following sections. I begin, in Sections 2.3 and 2.4 with introducing the notion of  $\omega$ -regular games. Section 2.3 introduces  $\omega$ -regular languages and  $\omega$ -regular expressions offer a natural formalism for reasoning about reactive systems, i.e., systems that continuously interact with their environment, such as device drivers. Section 2.4 defines two player  $\omega$ -regular games, i.e., games whose objectives are expressed using  $\omega$ -regular languages. Starting from the simplest kinds of games, it eventually builds up to GR(1) games - the kind of games used by Termite. Definitions for this and the following sections are given in [Grädel et al., 2002] and [Thomas, 1995]. GR(1) games are discussed in depth in [Piterman et al., 2006].

Sections 2.5 and 2.6 introduce algorithms for solving two-player games, i.e., determining whether one of the players can meet its objective. I first define a logic for describing fixed points of functions in Section 2.5. Next, in Section 2.6, I introduce the controllable predecessor operator, the fundamental building block of all game solving algorithms used in this thesis. I then put the two together by presenting translations of  $\omega$ -regular game objectives to fixed point formulas over the controllable predecessor operator. The solution of a game can then be obtained by evaluating the fixed point formula.

In addition to deciding whether there exists a correct driver for a set of specifications, Termite must synthesize a strategy which will be turned into driver code. In Section 2.7 I modify the algorithms given in the previous section to return a strategy if the game is winnable. I also show how to generate a strategy for the opponent, called a counterexample, when the game is not winnable. Counterexamples are used extensively in Termite to aid in debugging faulty specifications.

Finally, Section 2.8 borrows symbolic techniques from model checking and applies them to games. The idea of symbolic game solving it to represent sets of states using characteristic equations over state variables rather than by enumerating them explicitly. This technique allows game solvers to scale well beyond what was possible previously. Binary decision diagrams and the algorithms that operate on them are given in [Bryant, 1986]. Symbolic model checking is discussed in depth in [Burch et al., 1992] and [McMillan, 1993].

### 2.3 $\omega$ -regular Languages

The  $\omega$ -regular languages extend the regular languages to infinite length sequences. An  $\omega$ -regular language is a set of sequences of symbols of infinite length. An  $\omega$ -regular language has the form:

- $A^{\omega}$  where A is a nonempty regular language not containing the empty string.
- AB, the concatenation of a regular language A and an  $\omega$ -regular language B. Note that B must not be a regular language as this would imply that the sequence is finite.
- $A \cup B$  where A and B are  $\omega$ -regular languages.

Elements of  $A^{\omega}$  are obtained by concatenating words from A infinitely many times. Intuitively,  $\omega$ -regular languages are similar to regular languages but with an additional  $\omega$  operator that concatenates words from the regular language infinitely many times.

## 2.4 Two Player Games

Two-player games are a useful formalism for reactive synthesis. Many problems in electronic design automation, industrial automation, software synthesis and robotics can be formalised as a game. In particular, the driver synthesis problem can be formalised as a game, and, this is the formalism around which Termite is built. Here, I present the fundamentals of two player games.

#### 2.4.1 Formalism

A two player game is played by player 1 against its opponent, player 2. It consists of a possibly infinite state space S on which the game is played. The game is always in some state  $s \in S$  called the *current state*. The game progresses from state to state according to a transition relation,  $\delta \subseteq S \times L \times S$  where S is the set of states and L is a set of labels. A transition  $t \in S \times L \times S$  is allowed in the game iff  $t \in \delta$ .

The meaning of the label  $l \in L$  depends on the type of game, but for now we will consider turn based games. In a turn based game, S is partitioned into two sets: the player 1 set  $\tau_1$  and the player 2 set  $\tau_2$ , where  $\tau_1 \cap \tau_2 = \emptyset$  and

 $\tau_1 \cup \tau_2 = S$ . When  $s \in \tau_1$  player 1 gets to pick l and when  $s \in \tau_2$  player 2 gets to pick l. The opponent of player i is referred to as  $\bar{i}$  ( $\bar{1} = 2, \bar{2} = 1$ ).

Lastly, each game has an associated set of initial states  $I \in 2^S$  where execution of the game begins.

Putting this all together, we can identify a *turn based game structure*  $G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle$  with a turn based game.

A game proceeds in an infinite sequence of rounds, starting from some initial state. The infinite sequence of states visited  $(s_0, s_1, ...) \in S^{\omega}$  is called a path. An *objective*  $\Phi \subseteq S^{\omega}$  is a subset of state sequences of G. We are concerned with  $\omega$ -regular objectives, i.e., objectives characterised by  $\omega$ -regular languages (Section 2.3).

A strategy for player i is a function  $\pi_i: S^* \times \tau_i \to L$  that, in any player i state, associates the history of the game with a label to play. The set of initial states I and a player i strategy  $\pi_i$  determines a set  $Outcomes_i(I,\pi_i)$  of paths  $s_0, s_1, s_2, \ldots$  such that  $s_0 \in I$  and  $s_{k+1} = \delta(s_k, \pi_i(s_0, \ldots, s_k))$  when  $s_k \in \tau_i$  and  $s_{k+1} = \delta(s_k, l)$  for some l when  $s_k \in \tau_i$ . Given an objective  $\Phi \subseteq S^\omega$  we say that state  $s \in S$  is winning for player i if there is a strategy  $\pi_i$  such that  $Outcomes_i(s,\pi_i) \subseteq \Phi$ . That is, if, by picking suitable labels, they can force the path to be within the set of winning sequences. An arbitrary set of infinite sequences is an extremely general, but not practically useful, way of defining an objective. In the following sections we will consider some more restricted objectives that have practical uses.

#### 2.4.2 Safety and reachability

The two simplest objectives are safety and reachability. A safety objective is defined by a set  $SAFE \subseteq S$  that player 1 must force the game to stay within, regardless of the labels that player 2 picks. Formally, a run is safe if

$$\forall i. \ s_i \in SAFE \tag{2.1}$$

The dual of a safety objective is a reachability objective. A reachability objective is defined by a set  $REACH \subseteq S$  that player 1 must force the game to visit at least once, regardless of the labels that player 2 picks. Formally, a reachability run is winning if

$$\exists i. \ s_i \in REACH$$
 (2.2)

**Büchi** A Büchi objective is defined by a set  $BUCHI \subseteq S$  that player 1 must always be able to force execution of the game into. This differs from a reachability game in that the region must always be reachable, not just once. When it has been reached once, it must be reachable again, and so on. So, it must be reachable infinitely many times. Formally, a run is Büchi winning if

$$\forall i. \ \exists j > i. \ s_j \in BUCHI \tag{2.3}$$

**Generalised Büchi** A Generalised Büchi objective is defined by a finite set of sets  $BUCHIS \subseteq 2^S$ . Player 1 must always be able to force execution into each set  $BUCHI \in BUCHIS$ . Formally, a run satisfies a generalised Büchi objective if

$$\forall i. \ \forall BUCHI \in BUCHIS. \ \exists j > i. \ s_j \in BUCHI$$
 (2.4)

Fairness Sometimes it is necessary to rule out invalid plays that are not easily ruled out by changing the state machine. As an example, consider a progress assumption that guarantees that the game will eventually leave a set of 'pending' states. For this we use fairness conditions. A fairness condition is a set of states, the *fair* set, which we may assume that all valid runs of the game eventually enter. Or, equivalently, a set of states, called the *unfair* set which we may assume that all valid runs of the game eventually leave. The player can assume that all executions of the system are fair and hence they only need to satisfy the objective of the game in fair runs. Formally, a run satisfies a fair reachability objective if

$$\forall i. \ \exists j > i. \ s_i \in FAIR \to \exists i. \ s_i \in REACH \tag{2.5}$$

**GR(1)** A Generalised Reactive 1, or GR(1) [Piterman et al., 2006] objective, is a generalised Büchi objective with multiple fairness conditions. In practice, this turns out to be a very useful type of objective with specifying the requirements of device drivers. This is because it captures the notion that the driver must satisfy requestes indefinitly while at the same time relying on guarantees provided by the environment in order to satisfy those requests. Formally, given a set FAIRS of fair sets of states, a run satisfies a GR(1) objective if

```
\forall i. \ \forall FAIR \in FAIRS. \ \exists j > i. \ s_j \in FAIR \rightarrow 
\forall i. \ \forall BUCHI \in BUCHIS. \ \exists j > i. \ s_j \in BUCHI \quad (2.6)
```

Informally, a run is winning in a GR(1) game if for all fair runs the generalised Büchi condition holds.

#### 2.4.3 Perfect information games

Perfect information games are two player games where both players know the current state of the transition system at all times. We will assume that all games are perfect information games.

#### 2.4.4 Strategies and counterexamples

It is known that for perfect information safety, reachability and Büchi games, if there exists a strategy, then there also exists one that only depends on the current state [Grädel et al., 2002]. Thus, we can simplify the definition of a strategy in this case for player 1 to be a function  $\pi_1: \tau_1 \to L$  that only depends on the current state.

Furthermore, for the case of generalised Büchi and GR(1) games, if there exists a strategy, then there also exists one that only depends on the current state and some finite additional state (Section 2.7.1). We can simplify the definition of a strategy in this case for player 1 to be a function  $\pi_1:\tau_1\times\sigma\to L\times\sigma$  that only depends on the current state and the finite additional state ( $\sigma$ ), and, in addition to returning the label to play, returns the updated additional state.

Perfect information  $\omega$ -regular games are *determined*. That is, the winning regions for player 1 and player 2 partition the set of game states [Grädel et al., 2002]. This means that if a state is not winning for player 1, then it is winning for player 2 and there exists a strategy for player 2 to violate the objective.

This is known as a *counterexample strategy*. It is a strategy for player 2 which ensures that player 1 cannot satisfy their objective. In the case of perfect information safety, reachability and Büchi games, if there exists a counterexample strategy (or, equivalently if the game is not winnable for player 1) then there exists a counterexample strategy that only depends on

2.5. FIXED POINTS 17

the current state. This is a function  $\pi_2 : \tau_2 \to L$  that associates any player 2 state with a label for player 2 to play.

Again, in the case of generalised Büchi and GR(1) games, the counterexample strategy may depend on an additional finite state:  $\pi_1 : \tau_2 \times \sigma \to L \times \sigma$ .

#### 2.5 Fixed Points

#### 2.5.1 Syntax

This section defines a logic with fixed points capable of expressing greatest and least solutions of fixed point equations X = f(X) where f is a monotone function. The set of formulas in this logic is defined as follows:

Let P be a set of propositions and V be a set of variables. Then

- each proposition  $p \in P$  is a formula
- if  $\phi$  and  $\psi$  are formulas then  $\phi \wedge \psi$  is a formula
- if  $\phi$  is a formula then  $\neg \phi$  is a formula
- if  $\phi$  is a formula and Z a variable then  $\nu Z.\phi$  is a formula provided that every free occurrence of Z in  $\phi$  occurs under an even number of negations
- if  $\phi$  is a formula and Z is a variable then  $\forall Z.\phi$  is a formula

Given these definitions, we also have:

- $\phi \lor \psi$  meaning  $\neg(\phi \land \psi)$
- $\mu Z.\phi$  meaning  $\neg \nu Z.\neg \phi[Z:=\neg Z]$  where  $\phi[Z:=\neg Z]$  means substituting  $\neg Z$  for all free occurrences of Z in  $\phi$
- $\exists Z. \phi$  meaning  $\neg \forall Z. \neg \phi$

#### 2.5.2 Semantics

Given the tuple  $\langle S, F \rangle$  where

• S is the set of states

•  $F: P \to 2^S$  maps each proposition to the set of states where the proposition is true

A fixed point formula is interpreted as follows:

- p holds in the set of states F(p)
- $\phi \wedge \psi$  holds in the set of states where both  $\phi$  and  $\psi$  hold
- $\neg \phi$  holds in every state where  $\phi$  does not hold
- $\nu Z.\phi$  holds in any set of states T such that when the variable Z is set to T in  $\phi$  then  $\phi$  holds for all of T. It is the greatest fixpoint of  $\phi$ .
- $\forall X. \phi$  holds when  $\phi$  holds for all possible values of X.

#### 2.5.3 From fixed point formulas to algorithms

It is straightforward to convert a fixed point formula into an algorithm that returns the set of states for which the formula holds.

Greatest and least fixed points are computed by iteration. To compute the greatest fixed point of a function f(x) i.e.  $\nu X.f(X)$  we iterate f starting with the universal set. As f is monotonic, the result is guaranteed to shrink or stay the same on each iteration. Furthermore, if the set of states, S is finite, this iteration must eventually converge to some set as S being finite prevents the result from shrinking forever.

The algorithm for computing the set of states for which a fixed point formula holds is given in Algorithm 1. It assumes the existence of an abstract set datatype that supports set union, complementation and equality checking.

## 2.6 Solving Games

Given a game and an objective there are two questions we can ask:

- can player 1 win?
- if so, what is the strategy for player 1 and, if not, what is the counterexample strategy for player 2

I present algorithms to answer these questions in this section. I begin with the simplest game, the reachability game, and progress to GR(1) games as are used in Termite.

**Algorithm 1** MuSemantics, given a fixed point formula, returns the set of states that satisfy the formula.

```
function MUSEMANTICS(\phi)
    if \phi = p then
        return F(p)
    else if \phi = \psi \vee \rho then
        return MuSemantics(\psi) \cup MuSemantics(\rho)
    else if \phi = \neg \psi then
        return S - MUSEMANTICS(\psi)
    else if \phi = \forall X.\psi then
        return \{s \in S \mid \forall x. \ s \in \text{MUSEMANTICS}(\psi[X := x])\}
    else if \phi = \nu X.\psi then
        Z \leftarrow S
        loop
            Z' \leftarrow \text{MuSemantics}(\psi[X := Z])
            if Z' = Z then
                return Z
            end if
            Z \leftarrow Z'
        end loop
    end if
end function
```

#### 2.6.1 Controllable predecessor

All of the algorithms for games I will be describing use a function called the *controllable predecessor* (abbreviated CPre). CPre is a function from a target set of game states  $(2^S)$  called the *target set* to another set of game states. Given a set T, CPre(T) returns the set of states from which player 1 can force execution into T in one step.

The exact details of CPre depend on the type of game being solved. Here it is considered to be a parameter to the game solving algorithms. The only property of CPre that the game solving algorithms require is that it is monotonic, i.e. if  $X \subseteq Y$  then  $CPre(X) \subseteq CPre(Y)$ . Clearly, any reasonable CPre function will have this property.

In the following sections I describe the controllable predecessor for turn based games as well as the more complicated type of games used in Termite's.



Figure 2.1: Turn based controllable predecessor

#### Turn based controllable predecessor

$$CPre(X) = \tau_1 \cap \{x | \exists l. \langle x, l, x' \rangle \in \delta \to x' \in X\}$$
$$\cup \tau_2 \cap \{x | \langle x, l, x' \rangle \in \delta \to x' \in X\} \quad (2.7)$$

The controllable predecessor for turn based games, given by Equation 2.7, returns the subset of  $\tau_1$  where there exists a label which player 1 can choose to take execution into X together with the subset of  $\tau_2$  where all labels which player 2 can choose take execution into X.

This is illustrated in Figure 2.1. Assume that the two dark states are winning and they form the set X passed to CPre. Solid lines represent controllable transitions and dashed lines represent uncontrollable transitions. CPre returns state s1 in the winning set because it is a controllable state and there exists a transition into a winning state. State s2 is also winning because it is an uncontrollable state and all outgoing transitions go to winning states. Lastly, s3 is not winning because it is uncontrollable and one of its outgoing transitions does not lead to a winning state.

#### Termite's controllable predecessor

**Concurrent Games** Games where there are states in which both player 1 and player 2 have moves are called *concurrent games*. Concurrent games differ from simpler turn based games in that in each state both players get to pick a label and the next state that the game transitions to is some (possibly non-deterministic) function,  $\lambda$ , of both of those labels. Turn based games are a special case of concurrent games where in player i states (a concept that does

21

not generally exist in concurrent games)  $\lambda$  only depends on the label played by player i and the other player's label is ignored.

**Termite's controllable predecessor** In Termite, however, the concurrent game is almost as simple as a turn based game. Labels, not states, are classified as controllable or uncontrollable.  $\lambda$  chooses the effective label non-deterministically. This means that while player 1 may choose a label in any state, there is no guarantee that it will be played. There is, however, a fairness guarantee that each player eventually gets a turn that will be dealt with later.

This non-determinism is simulated with the input variable controllable. This variable is always chosen non-deterministically. The (now deterministic)  $\lambda$  function picks the player 1 chosen label if controllable is True and it picks the player 2 chosen label otherwise.

Disregarding fairness for now, given a target state X, a state s is defined to be winning if both:

- 1. there exists a controllable label originating from S such that all transitions with this label lead to X, and
- 2. all uncontrollable transitions with any label originating from S lead to X

are simultaneously true.

Condition 1 is captured by the function CpreC given in Equation 2.8. It returns the set of states from which there exists a controllable label such that all transitions with this label lead to a state in the target set X.

$$CpreC(X) = \exists L.controllable \land \forall N.Trans(S, L, N) \rightarrow X(N)$$
 (2.8)

Condition 2 is captured by the function CpreU given in Equation 2.9. It returns the set of states from which all transitions with uncontrollable labels lead to a state in X.

$$CpreU(X) = \forall L. \neg controllable \rightarrow \forall N. Trans(S, L, N) \rightarrow X(N)$$
 (2.9)

The final controllable predecessor, *Cpre*, given in Equation 2.10 returns the set of states for which both conditions are satisfied.



Figure 2.2: Concurrent controllable predecessor

$$Cpre(X) = CpreC(X) \wedge CpreU(X)$$
 (2.10)

This is illustrated in Figure 2.2. Again, assume that the two dark states are winning and they form the set X passed to CPre. CPre returns state s1 in the winning set because there exists a controllable transition into the winning set and all uncontrollable transitions also lead to the winning set. State s2 is not winning because it does not have a controllable transition into the winning set. Lastly, s3 is not winning because there exists an uncontrollable transition to a non-winning state.

#### 2.6.2 Solving safety and reachability games

We start with reachability as it is the simplest type of objective. Games are solved by finding the set of states from which player 1 can win, called the *winning region* and denoted WIN. If the winning region contains the set of initial states, then we know that player 1 can win from any state in the initial set and thus can win the game.

According to Equation 2.2, a state is winning in a reachability game if there is some finite i such that we can guarantee that after i rounds of the game, execution will have, at least once, entered a state in REACH.

We can define the winning region inductively. It is obviously possible to reach the set REACH from REACH in 0 steps as we are already there. This is the base case. It is also possible to reach REACH from  $x \in S$  in N+1 steps or

fewer iff there exists  $Y \subseteq 2^S$  such that it is possible to reach REACH from all of  $Y \subseteq 2^S$  in N steps or fewer and  $x \in CPre(Y)$ .

This suggests an algorithm to find the winning region. We start with REACH, apply CPre to get the states winning in 1 step, combine with REACH again to get the states reachable in 1 step or less, and then repeat. After N iterations, we find the states winning in N or less steps. Two questions remain:

- An algorithm must terminate, so, when should we stop iterating?
- After termination, has the algorithm found all the winning states?

We denote the set of states from which it is possible to reach REACH in N or less steps  $W_N$ . Observe that  $W_{N+1} \supseteq W_N$ . So, on each iteration, we either grow the winning set or it remains the same. Also observe that the set S is finite, which means that  $2^S$  is also finite. As set inclusion is a transitive relation, we cannot grow the winning set forever, so eventually we must reach a fixed point of the CPre function.

A more formal proof of termination is based in the Knaster-Tarski theorem [Tarski, 1955]. The power set of S can be ordered by set inclusion to obtain a complete lattice with supremum S and infimum  $\emptyset$ .  $f(X) = CPre\ (X \cup REACH)$  is an order preserving function, so by the Knaster-Tarski theorem the set of fixed points of f is also a complete lattice. Thus there exists a greatest and least fixed point (as the lattice is complete). The least fixed point of f is clearly obtained by iteration starting from the least element of the lattice, ie.  $\emptyset$ .

Thus, we will eventually reach a fixed point, and, this is when we should stop iterating as further iterations will not change the winning set. Furthermore, we know that after any finite number N of iterations where N is greater than the number of iterations required to reach the fixed point, the winning region will remain WIN. Thus  $WIN_N = WIN$  and we have found all winning states.

Finally, to answer the question of whether the game is winning for player 1, we check if the winning region contains the initial state set. If it does, we return *Yes*; otherwise, we return *No*.

The algorithm is given in Algorithm 2 and the equivalent fixed point (Section 2.5) formula is given in Equation 2.11. Note that, for this to be a valid fixed point formula, T must be a proposition (Section 2.5.2) and CPre must

#### Algorithm 2 Solving a reachability game

```
Input: A set of target states REACH \subseteq S, an initial set of states I and a
  monotonic controllable predecessor CPre.
Output: Yes if I \subseteq ReachWin(T, Cpre) and No otherwise.
  function REACHWIN(REACH, I, CPre)
      Y \leftarrow \varnothing
      loop
          Y' \leftarrow CPre(Y \cup REACH)
          if Y' = Y then
             if Y \subseteq I then
                 return Yes
             else
                 return No
             end if
          end if
          Y \leftarrow Y'
      end loop
  end function
```

be a monotonic function, itself expressed as a fixed point formula.

$$ReachWin(T) = \mu Y.CPre(Y \vee T)$$
 (2.11)

Safety games are the dual of reachability games and are also solved by iterating the controllable predecessor. The fixed point formula for computing the winning region is given in Equation 2.12 and the algorithm can be deduced from this using Algorithm 1.

$$SafeWin(T) = \nu Y.CPre(Y \wedge T) \tag{2.12}$$

#### 2.6.3 Büchi

To solve a Büchi game, we first find the set from which we can reach the goal once as we do for a reachability game. Then, we use this set to find the set from which we can reach the goal twice, three times, and so on until we get to another fixed point.

Imagine we have solved the reachability game R = ReachWin(T) where T is the Büchi target set and R is the winning region. Then  $V = R \wedge T$  is a subset of the goal from which player 1 can reach the goal one more time. Computing W = ReachWin(V) gets us the set of states from which we can

# Algorithm 3 Solving a generalised Büchi game

```
function \ Generalised\_Buchi(T, CPre) \\ X \leftarrow S \\ loop \\ X' \leftarrow S \\ for \ each \ G \ in \ Goals \ do \\ X' \leftarrow X' \cap ReachWin(X \cap G) \\ end \ for \\ if \ X' = X \ then \\ return \ X \\ end \ if \\ X \leftarrow X' \\ end \ loop \\ end \ function
```

reach the goal twice. Iterating this procedure will eventually lead to a fixed point as ReachWin is a monotonic function.

This fixed point is the set of states from which we can reach the goal any number of times. Thus, it is the winning set of the Büchi game. The fixed point formula is given in Equation 2.13 and the algorithm to solve Büchi games can be deduced from this using Algorithm 1.

$$BuchiWin(T) = \nu X.\mu Y.CPre(Y \lor (X \land T)) \tag{2.13}$$

### 2.6.4 Generalised Büchi

Solving a generalised Büchi game is similar to a Büchi game except that we find the set from which we can reach any goal once, then any goal twice, etc. The algorithm is a small modification to the Büchi algorithm and is given in Algorithm 3. The equivalent fixed point formula is given in Equation 2.14.

$$GenBuchiWin(Goals) = \nu X. \bigwedge_{G \in Goals} \mu Y.CPre(Y \lor (X \land G))$$
 (2.14)

# 2.6.5 GR(1)

Next, fairness is added. Consider a fair reachability game. An unfair region is a region that we can assume execution will leave, regardless of the loops it contains. The controllable predecessor is modified to create a fair controllable

# Algorithm 4 The fair controllable predecessor

```
function FAIRCPRE(CPre, \phi, T)
Z \leftarrow S
loop
Z' \leftarrow CPRE(Z \cap \phi \cup T)
if Z' = Z then
return Z
end if
Z \leftarrow Z'
end loop
end function
```

# Algorithm 5 GR(1) game

```
function GR1(CPre, T)
return BUCHIWIN(T, fairCpre(CPre))
end function
```

predecessor that takes this into account. Intuitively, the algorithm considers a set of unfair states to be winning if the only way out leads to an already winning state. To compute this set of states, we play a variation of a safety game where we can win if we stay indefinitely within the unfair set or upon exiting the unfair set we are immediately in the target set T. The procedure for the fair controllable predecessor is given in Algorithm 4 and the equivalent fixed point formula is given in Equation 2.15.

$$fairCpre(F,T) = \nu Z.CPre((\neg F \land Z) \lor T)$$
 (2.15)

Using *fairCpre* as the controllable predecessor operator in the reachability algorithm (Algorithm 2) yields the fair reachability algorithm. Finally, if we combine the Büchi game with the fair controllable predecessor we get a GR(1) game. The procedure is given in Algorithm 5 and the equivalent fixed point formula is given in Equation 2.16.

$$GR1(Goals, Fairs) = \\ \nu X. \bigwedge_{G \in Goals} \mu Y. \bigvee_{F \in Fairs} \nu Z. CPre((\neg F \land Z) \lor (G \land X) \lor Y) \quad \textbf{(2.16)}$$

# 2.7 Strategies and Counterexamples

# 2.7.1 Extracting strategies

# Reachability

Once we have solved a game and determined that it is winning, we can extract a strategy. In driver synthesis, the strategy is used to generate the driver. A strategy for a reachability game is a relation between states and labels for player 1 to play such that if player 1 sticks to this strategy, the game will eventually end up in the goal. Strategy extraction requires a straightforward modification to the game solving algorithm.

When solving a reachability game, we discover the sets of states for which we can force execution into the goal in 1 step, 2 steps, etc. When extracting a strategy for a reachability game we need to record, for each iteration, what labels we had to play to get one step closer to the goal. The algorithm is given in Algorithm 6.

The strategy relation is initialised to the empty set on line 2. Then, we perform an iteration of the controllable predecessor. This time we also use CPRE\_STRAT on line 9, which computes a relation between the winning states discovered so far and the labels that take execution from these newly discovered states one step closer to the goal.

On each iteration we combine this strategy for the newly discovered states with the strategy for the previously discovered states. We are careful on line 10 not to add new labels for states that have already been discovered to ensure that the labels take us towards the goal. We iterate until the winning region reaches a fixed point as before. In the end, the strategy relates each state in the final winning region to a set of labels that take the game one step closer to the goal.

CPRE\_STRAT is a parameter to the strategy extraction algorithm in the same way as CPRE is to the game solving algorithm. Its definition depends on the exact details of the game. For completeness, the definition of CPRE\_STRAT for turn based games is given in Equation 2.17.

$$CPre\_Strat(X) = \{ \langle x, l \rangle | x \in \tau_1 \land (\langle x, l, x' \rangle \in \delta \to x' \in X) \}$$
 (2.17)

# **Algorithm 6** Extracting a strategy for a reachability game

```
1: function REACH STRAT(REACH, CPre, CPre Strat)
         Y \leftarrow \varnothing
 2:
         STRAT \leftarrow \emptyset
 3:
        loop
 4:
             Y' \leftarrow CPre(Y \cup REACH)
 5:
             if Y' = Y then
 6.
                 return (Y, STRAT)
 7:
 8:
             end if
             STRAT' \leftarrow CPre\_Strat(Y \cup REACH)
 9:
             STRAT \leftarrow STRAT \cup \{\langle s, l \rangle | \langle s, l \rangle \in STRAT' \land s \notin Y\}
10:
11:
         end loop
12:
13: end function
```

It returns a set of  $\langle state, label \rangle$  pairs where the state belongs to the player 1 controllable set such that if the label is played, execution ends up in the set X, the argument to the function.

# Büchi

Like a reachability strategy, a strategy for a Büchi game must ensure that we eventually get to the goal. However, it must also ensure that once we get to the goal it is still possible to reach the goal again.

If we find a reachability strategy for the intersection of the goal set and the winning region, then when we follow this strategy, we are guaranteed to reach the goal once and then be able to reach it again by following the same strategy because we remain in the winning region. Thus, the algorithm for finding the strategy for a Büchi game is to find the winning region of the game and then compute the reachability strategy for the intersection of the goal and the winning region.

The algorithm for computing the strategy in a Büchi game is given in Algorithm 7. It simply computes the Büchi winning region on line 2 and then computes the strategy to reach the intersection of the winning region and the goal set on line 3.

# Algorithm 7 Extracting a strategy for a Büchi game

```
    function BUCHI_STRAT(BUCHI, CPre, CPre_Strat)
    win ← BUCHI(BUCHI)
    return REACH_STRAT(win ∩ BUCHI, CPre, CPre_Strat)
    end function
```

#### Generalised Büchi

A generalised Büchi strategy must ensure that we can always get to any of the goals. If we compute, for each goal, the reachability strategy for the intersection of that goal and the generalised Büchi winning region, we get a strategy that takes us to that goal and, by keeping execution in the winning region, ensures that we can reach any of the other goals using their strategies.

Thus, a strategy for a generalised Büchi game is a set of strategies, one for each goal, that we must play in a round robin manner to ensure that each goal is eventually reached. The finite state required to ensure that the strategies are played in a round robin order is the finite state that the generalised Büchi strategy requires as discussed in Section 2.4.4. This, for example, could be a counter that that loops through the goals and is incremented each time the current goal is reached.

The algorithm for computing the strategy in a generalised Büchi game is given in Algorithm 8. It first computes the winning region of the generalised Büchi on line 2 and then it computes a strategy to reach the intersection of this and each goal on line 5.

# Algorithm 8 Extracting a strategy for a generalised Büchi game

```
1: function GEN_BUCHI_STRAT(BUCHIS)
2: win \leftarrow GENERALISED_BUCHI(BUCHIS)
3: strats \leftarrow []
4: for each G \in BUCHIS do
5: strats \leftarrow strats \oplus REACH\_STRAT(win \cap G)
6: end for
7: return strats
8: end function
```

# **Fairness**

To compute strategies for fair variants of reachability, Büchi and GR(1) games we introduce a modified controllable predecessor that takes fairness into ac-

count and returns winning moves along with winning states, called CPre\_Strat\_Fair. This modified controllable predecessor, in turn, is parameterised by the CPre and CPre\_Strat of the underlying game.

The fair controllable predecessor must ensure that we can reach the target set assuming that an unfair condition is not forever true. Conceptually, it tries to keep execution within an unfair region for which the only way out takes us a step closer to the goal.

The algorithm for computing the strategy in a fair reachability game is given in Algorithm 9. It essentially solves a safety game for  $\neg \phi$  with the exception that it is possible to leave safe regions as long as you enter T. When a fixed point is reached on line 6 it uses  $CPre\_Strat$  to compute a strategy to either stay within the computed unfair region or enter the target set. This strategy is guaranteed to reach the target set as long as fairness is not violated. This function may be used as a drop-in replacement for  $CPre\_Strat$  when the game is required to be fair.

# Algorithm 9 Fair controllable predecessor strategy extraction

```
1: function FAIR_CPRE_STRAT(CPre, CPre\_Strat, \phi, T)
2: Z \leftarrow U
3: loop
4: Z' \leftarrow CPRE(Z \land \neg \phi \lor T)
5: if Z' = Z then
6: return CPRe\_STRAT(Z \land \neg \phi \lor T)
7: end if
8: Z \leftarrow Z'
9: end loop
10: end function
```

### **GR(1)**

Strategies for GR(1) games, as used in Termite, can be computed using Algorithm 8 instantiated with the fair controllable predecessor, Algorithm 9.

# 2.7.2 Extracting counterexamples

Counterexamples are computed by solving the complement game and extracting the strategy.

### Reachability

The complement of a reachability game is a safety game with negated objective. This can be seen by complementing the mu-calculus formula for the winning region, repeated below for convenience.

$$REACH(T) = \mu Y.CPre_1(Y \vee T)$$
 (2.18)

$$\neg REACH = \neg \nu Y.CPre_2(Y \land \neg T) = SAFE(\neg T)$$
 (2.19)

Thus, the counterexample strategy for a reachability game is the strategy for a safety game with complemented objective and the other player's controllable predecessor.

# **GR(1)**

The formula for the complement of a GR(1) game is given below. Its complement is given in Equation 2.16 for comparison.

$$\neg GR1(Goals, Fairs) = \mu X. \bigvee_{G \in Goals} \nu Y. \bigwedge_{F \in Fairs} \mu Z. CPre_2((F \lor Z) \land (\neg G \lor X) \land Y) \quad \textbf{(2.20)}$$

Intuitively, to ensure that player 1 cannot win a GR(1) game, player 2 must ensure that there is at least one goal that is only reached finitely many times, and each fairness condition is visited infinitely many times.

# 2.8 Symbolic Games

The algorithm described so far appears very inefficient. Consider a reachability game. We are performing a backwards breadth-first search starting from REACH. If we were to implement it directly as described, we would have to explicitly enumerate all winning states in the game. Some of the games that have been solved with Termite have upwards of  $2^{80}$  states, even after abstraction. Clearly, explicitly representing the winning set will never succeed.

Identical problems are encountered in model checking. The breakthrough that revolutionised model checking was to represent state sets implicitly as

a characteristic equation over state variables [Burch et al., 1992; McMillan, 1993].

# 2.8.1 State variable encoding

Symbolic games are defined over a finite set of state variables,  $\Sigma$ , and a finite set of label variables  $\Lambda$ . A *valuation* for a set of variables V is a function from each of those variables to an element of its domain. S, the set of states, is redefined to be the set of possible valuations of each state variable in  $\Sigma$ . That is, each state  $s \in S$  is given by a valuation of all of the state variables in  $\Sigma$ . Similarly, L, the set of labels, is redefined to be the set of possible valuations of each label variable in  $\Lambda$ .

For a set Z of variables,  $\mathcal{F}(Z)$  denotes the set of propositional formulas constructed from the variables in Z. The characteristic formula of a set of states T is a function  $f \in \mathcal{F}(\Sigma)$  that evaluates to true for the valuation corresponding to a state  $s \in T$  and false otherwise. Characteristic formulas are used to represent sets of states without explicitly listing each member of the set. This is called a symbolic representation.

Likewise,  $\delta$  is specified by a formula in  $\mathcal{F}(\Sigma \bigcup \Lambda \bigcup \Sigma')$ , where  $\Sigma' = \{\sigma' \mid \sigma \in \Sigma\}$  is the set of next state variables.

Sometimes, the variables that a characteristic formula depends on are made explicit. For example, the transition relation may be written as  $\delta(\Sigma, \Lambda, \Sigma')$ .

# 2.8.2 Symbolic algorithms

We can redefine the game solving algorithms to use characteristic functions instead of explicit sets by replacing conjunction and disjunction with set intersection and union. As an example, we convert the turn based controllable predecessor (Equation 2.7) to symbolic form in Equation 2.21. We convert the simplest algorithm, determining the outcome of a reachability game, to symbolic form in Algorithm 10.

$$CPre(X) = \tau_1 \land \exists \Lambda. \forall \Sigma'. \delta \to X' \lor \tau_2 \land \forall \Lambda. \forall \Sigma'. \delta \to X'$$
 (2.21)

# 2.8.3 Strategy generation

The strategy and counterexample generation functions of Section 2.4.4 can also be made symbolic by modifying them to use characteristic functions instead

# Algorithm 10 Solving a reachability game symbolically

**Input:** The characteristic function of the set of target states  $REACH \subseteq S$ , the characteristic function of the initial set of states I and a monotonic controllable predecessor CPre that operates on characteristic functions.

```
Output: Yes if I \subseteq REACH(T, CPre) and No otherwise. function REACH(REACH, I, CPre)

Y \leftarrow False
loop

Y' \leftarrow CPre(Y \lor REACH)
if Y' = Y then
if Y \rightarrow I then
return Yes
else
return No
end if
end if
Y \leftarrow Y'
end loop
```



Figure 2.3: A binary decision tree for  $x \lor y$ 

of explicit set manipulation.

end function

# 2.8.4 Binary decision diagrams

A binary decision diagram is an efficient data structure for manipulating large propositional formulas. They are the symbolic data structure that is used in Termite [Ryzhyk et al., 2014].



Figure 2.4: A binary decision diagram

### Binary decision trees

Figure 2.3 shows a decision tree for the disjunction of two variables. The root node represents the entire function. The internal nodes represent variables and the leaf nodes, or terminal nodes, represent the outcome of the function. Terminal nodes are labelled either True or False. Given a valuation of X and Y, we can evaluate the function by starting at the root and taking the solid edge if the variable represented by the node is assigned to True in the valuation and taking the dashed edge if the value is assigned to False.

For example, in Figure 2.3, for the valuation x = True and y = False, we start at the root node which is labelled x as x is this node's decision variable. Variable X is assigned to True so we follow the solid edge to the next decision node which is labelled Y. Y is assigned to false so we take the dashed edge and arrive at a terminal node whose value is 1, meaning that the function evaluates to 1 for this variable valuation.

# Ordered binary decision trees

If the order in which the variables appear along all paths starting from the root node and ending at a terminal node are the same, then the decision tree is called an ordered decision tree. The decision tree in Figure 2.3 is ordered.

## Reduced ordered binary decision diagrams

A reduced ordered binary decision diagram (from now on, just BDD) is created by sharing subtrees as much as possible within an ordered binary decision tree.

In particular:

- Terminal nodes with the same label are merged. This means there are only two terminal nodes: True and False.
- Internal nodes with the same children are merged.
- Nodes with two identical children are removed and all incoming nodes are redirected to the child.

Figure 2.4 is an example of a BDD.

# Canonicity

Given a variable ordering, reduced ordered binary decision diagrams are a canonical representation of a function. This means that given a function f of some set S of variables, another function g that evaluates to the same value for each valuation of the variables in S will be represented by exactly the same BDD.

In practice, one uses a BDD library such as CUDD [Somenzi] to build and manipulate BDDs. CUDD keeps track of all BDDs and subtrees within the BDDs that have been created and reuses these to ensure that all BDDs remain in reduced form. This, along with canonicity, means that BDD equivalence can be checked in constant time simply by checking pointer equality of the two BDDs.

# Complement arcs

Arcs may have a complement attribute. The function represented by an arc is the function of the node that it points to, unless it is a complement arc, in which case it is the complement of the function of the node that it points to.

Use of complement arcs has two important advantages:

• Decreased memory requirements

 Complementation can be done in constant time, allowing De Morgan's laws to be used freely

Additionally, it can be shown that, if only the else arcs of internal nodes are ever complemented then canonicity can be preserved.

# Conjunction and disjunction

BDDs are not usually built as decision trees and then reduced. Instead, they are built from the bottom up, starting with the terminal and variable nodes and combining these using conjunction, disjunction and negation.

Conjunction and disjunction are computed using a straightforward recursive algorithm that will not be given here, see [Bryant, 1986]. An important result is that, in the worst case, the procedure runs in time proportional to the product of the sizes of the two input BDDs. Furthermore, the size of the resulting BDD may be equal to the product of the sizes of the two input BDDs in the worst case. A strength of BDDs, however, is that this worst case rarely happens in practice.

### Function composition and quantification

Function composition is where a BDD representing some function is substituted for a variable in another BDD.

Given a function  $f(x_1, \dots, x_n)$ , existential quantification of f with respect to the Boolean variable  $x_i$  is defined as  $\exists x_i$ .  $f = f_{x_i} \lor f_{\overline{x_i}}$  and universal quantification of f with respect to  $x_i$  as  $\forall x_i$ .  $f = f_{x_i} \land f_{\overline{x_i}}$ .

Quantifications of the same type commute, so quantification with respect to a set of variables is well defined.

### Variable ordering

The number of nodes in a BDD depends drastically on the ordering chosen for the variables. Therefore, the space occupied by the BDDs and the time spent performing operations on them also depends on the variable ordering. This directly affects the performance of game solving algorithms that use BDDs as the symbolic data structure.

Optimal variable orderings may be found using exact algorithms, but these are prohibitively expensive for BDDs with more than a few nodes. In

practice heuristics are used which produce good, but not optimal orderings. One such heuristic is Rudell's sifting algorithm [Rudell, 1993].

The CUDD BDD package performs *dynamic variable ordering*, which means that once the number of BDD nodes grows past a certain threshold, the package automatically performs the requested reordering algorithm on all BDDs that exist in the manager. Dynamic variable ordering is critical to the performance of game solving algorithms that utilise BDDs and therefore it is always enabled in Termite.

# Related Work

Termite is motivated by the two main problems with traditional device drivers:

- They are notoriously unreliable [Chou et al., 2001; Ganapathi et al., 2006].
- Substantial effort is required to develop them.

This chapter presents preexisting work that aims to solve at least one of these problems. The first issue has received substantial attention in recent times with the introduction of new static analysis and model checking tools and techniques.

Related work on scalable synthesis algorithms is presented before it is built upon in Sections 6.2.1 and 6.5 of Chapter 6.

# 3.1 Driver Reliability

Preexisting work for improving driver reliability fall into two groups: static analysis and runtime fault isolation.

# 3.1.1 Static analysis

Static analysis tools analyse program source code and sometimes binaries for defects. Static analysis usually involves creating a formal model of the program or binary and verifying this against a formal description of the required properties using a model checker. Verifying such a property involves checking all possible executions of the model.

These models, particularly when constructed from real C and C++ programs, typically have extremely large state spaces. Rapid advances in model

checking techniques have made checking properties of these large state spaces feasible in practice. In order to scale to these large models, motel checkers typically employ symbolic techniques such as binary decision diagrams [Bryant, 1986] and SAT solvers to represent and manipulate the state space of the system. They also employ a technique called abstraction to build a less detailed model with which it is tractable to prove or disprove the property and then perform model checking using this simplified model. The simplified model loses precision and as a result, the verification of the property of interest may result in false positives or false negatives. More advanced static analysis tools can detect this, produce a counterexample, and use this counterexample to refine the abstraction, i.e. make it more accurate at the expense of computational difficulty. This is called Counterexample Guided Abstraction Refinement [Clarke et al., 2000].

Metal [Engler et al., 2000], SLAM [Ball et al., 2004] and Blast [Beyer et al., 2007] are notable examples of static analysis tools. They operate directly on the source code of the system. Metal can, for example, verify that drivers release all acquired locks and no not attempt to acquire a lock twice, do not dereference use pointers and check for null pointers.

SLAM can verify more sophisticated properties involving misuse of the kernel provided API. An example rule checked by SLAM for the Windows driver API is: "drivers do not return STATUS\_PENDING if IoCompleteRequest has been called". Input to SLAM consists of the driver source code, the rules to be checked and a model of the OS interface.

The advantage of static analysis is that errors are found before drivers are even shipped. However, many potential bugs are missed by these tools. In particular, complex API rules and properties such as memory safety are prohibitively costly to check precisely. Furthermore, none of these analysis techniques consider valid interactions with the device. For such properties, detailed device models are needed.

### 3.1.2 Runtime fault isolation

# Microkernel based systems

Some OSs, particularly microkernel based ones, run device drivers in separate protection domains and address spaces to the privileged kernel. The driver is not run in a privileged domain so the kernel must provide some mechanism

for it to access the hardware. Typically, the device's registers are mapped into the driver's address space or the kernel provides system calls for device access. Such a driver cannot access privileged instructions or the kernel's memory, preventing it from damaging the running kernel in case of a fault.

In case of a fault in a driver, the kernel stops the malfunctioning driver and restarts it in a new protection domain. This approach prevents the faulty driver from damaging the rest of the system but it can not guarantee proper functioning of the device.

Futhermore, the device usually has access to the system bus. A faulty, or even malicious driver may program the device to access protected memory that the driver itself does not have access to, subverting the protection provided by encapsulating drivers at user level. This may be prevented with a hardware device like an IOMMU [Ben-Yehuda et al., 2006].

User level drivers were pioneered in the Michigan Terminal System [Boettner and Alexander, 1975] and were used in Mach 3 [Accetta et al., 1986; Forin et al., 1991], L3 [Liedtke et al., 1991; Liedtke, 1993], and other microkernel-based OSs, as well as in Linux [].

# Monolithic systems

The ideas behind user level device drivers in microkernel based systems have also been applied to monolithic systems such as Linux. One example is Nooks [Swift et al., 2003]. Nooks encapsulates device drivers inside a protection domain called a nook. Drivers encapsulated in a nook use the kernel address space, so addresses can be used without translation, but are within a separate protection domain where all kernel memory and data structures are marked read only. Each nook has access to a private heap and device memory mapped registers.

Communication between a nook and the rest of the kernel is mediated by the Nooks isolation manager. It intercepts function calls and ensures that the driver can read and write memory passed to it by reference. It does this by forwarding these reads and writes to the rest of the kernel or by maintaining a synchronised copy of the memory inside the nook.

Illegal memory accesses caused by the driver are caught by hardware as each nook runs inside its own protection domain. Additionally, the isolation manager knows enough about the kernel API to detect invalid parameters passed to the kernel as well as temporal failures, where the driver has not

responded within an acceptable time. If a driver fails, the isolation manager frees all of the kernel objects it allocated and restarts it. As with user level device drivers, the driver's clients still observe the failure, but the rest of the kernel is not corrupted.

Shadow drivers [Swift et al., 2004] are an extension of Nooks where all communication between the kernel and the nook is intercepted and recorded. When the driver fails, the driver is re-instantiated as before, but this time the sequence of events is replayed to bring the driver to the state it was in before the failure.

The Nooks approach suffers from the high complexity of the isolation and recovery infrastructure. In order to synchronise data structures outside the nook, as well as validate data passed through the interface and timing, the isolation manager must have in-depth knowledge of the kernel API. Additionally, the shadow driver, when replaying events to restart the failed driver, must mimic the semantics of the entire OS API during this time. Lastly, all communication must be translated by the isolation manager. As drivers frequently make calls to the rest of the kernel, this imposes considerable overhead.

# 3.2 Driver Synthesis

Driver synthesis counters both problems with device drivers: reliability and required developer effort. Driver synthesis techniques fall into three groups:

- Complete synthesis (the Termite approach)
- Device interface generation
- Automatic reverse engineering of execution traces

As this project is the direct descendent of Termite-1, this is where I will start.

# 3.2.1 Complete synthesis

The original Termite [Ryzhyk et al., 2009b] generates a driver implementation from a formal specification of the device behaviour and the OS interface. It treats the specifications as independent state machines which synchronise on shared events, called device class events, to form a product state machine. The driver synthesis problem is then formalised as a two player game played

by the driver against its environment consisting of the device and OS. The objective for the driver is to force execution into the goal set.

Termite-1 had several limitations. Most notably, the synthesis algorithm was not scalable. It did not use abstraction or symbolic data structures. As a result, it only worked on simple and carefully hand crafted specifications. Termite-1's approach to code generation was all or nothing. You had to accept the unreadable and bloated code that it generated and had no means to modify or influence the generated output. Termite-1 specifications were written in a formal language. While ideal for specifying state machines, is it not reasonable to expect OS and hardware developers to create specifications in such a language. Lastly, Termite-1 did not provide any debugging support in case of synthesis failures.

Despite these considerable limitations, Termite-1 did do some things right. As a result, Termite-2 borrows several key concepts pioneered in Termite-1. Firstly, Termite-2 borrows the game formalism, but builds on it considerably with much more expressive game objectives. Temite-2 also maintains separation of device and OS specifications by treating them as independent state machines that synchronise with shared events, though these events are abstracted by the specification language, TSL (Appendix A).

# 3.2.2 Device interface generation

Devil [Mérillon et al., 2000], NDL [Conway and Edwards, 2004] and HAIL [Sun et al., 2005] are tools for generating the low level device access functions of the driver. They each provide a domain specific language for expressing device register and memory layout. Additionally, they provide a mechanism to define valid sequences of memory and register accesses through either temporal logic or state machines.

These tools generate low level device access functions in C. The functions enforce correct device access ordering through the structure of the functions and runtime checks. This approach tends to be quite effective in practice as these low level hardware manipulation functions, when handwritten, usually contain a large proportion of driver defects.

# 3.2.3 Automatic reverse engineering

RevNIC [Chipounov and Candea, 2010] automates the reverse engineering of closed source binary drivers to discover the device control logic. It uses this information to synthesise a new driver that implements the same device control protocol as the original driver. The driver may be targeted at a different OS.

Unlike Termite, this approach does not require device specifications, but it does require a preexisting driver. Is is potentially useful in the common case where drivers exist for Windows but not other platforms.

# 4 Synthesis as a Game

In the following sections I formalise the device driver synthesis problem using games. I show that GR(1) games are sufficient to capture the required properties of drivers.

The driver synthesis problem is formalised as a *two-player game* [Thomas, 1995] between the driver and its environment. The game is played over a finite automaton that represents all possible states and behaviours of the system. Transitions of the automaton are classified into *controllable* transitions triggered by the driver and *uncontrollable* transitions triggered by the device or OS. A winning strategy for the driver in the game corresponds to a correct driver implementation. If, on the other hand, a winning strategy does not exist, this means that there exists no specification-conforming driver implementation.

Two-player games naturally capture the essence of the driver synthesis problem: the driver must enforce a certain subset of system behaviours while having only partial control over the system. The game-based approach leads to a precise mathematical formulation of the problem and enables us to apply theoretical results and algorithms from game theory to driver synthesis. Before diving into the details of our game-based approach to drivers, I illustrate it using simple example.

Figure 4.1 illustrates the concept using a trivial game automaton. The automaton captures the interactions between the driver, the device and the OS where the device is a simple network controller. The OS may request that the driver transfer data over the serial line.

The short arrow with no source state indicates the initial state. Controllable and uncontrollable transitions of the automaton are shown with solid and dashed arrows respectively. Each transition is labelled by at least one event. Conceptually, these events trigger the transitions. All events for which there



Figure 4.1: A simple two player game

are no outgoing transitions do not change the state, i.e. they are self loops and are not shown in the interest of keeping the diagrams concise. The goal of the driver in the game is to visit the goal state, labelled G, which represents the situation when the driver has completed the request. After getting a send request from the OS, the driver must write data and command registers to start the data transfer. Writing the command register first may trigger a hardware send event before the driver has a chance to write the data register. As a result, wrong data value gets sent, taking the game into an error state E. Hence, state  $S_4$  is losing for the driver. To avoid this state, the correct strategy for the driver is to play write\_data in state  $S_2$ , followed by write\_cmd. In  $S_5$  the driver must remain idle until the environment executes the evt\_send transition.

In this example, there are two different ways in which the driver can reach the goal; however, the one corresponding to the bottom half of the diamond in Figure 4.1 is not safe because of the uncontrollable transition to the error state from state S4. This trivial example emphasizes that a sound driver synthesis methodology must recognise the partially controllable nature of the system.

# 4.1 The Players

In this Chapter, I show that two-player games offer a natural way to capture the non-determinism of the environment. To formalise the driver synthesis problem using games, the first thing that needs to be defined is the players:

- Player 1 is the driver.
- Player 2 is the environment, which consists of the device to be controlled as well as the operating system.

# 4.2 GR(1) Based Formalism

In the following sections, I first attempt to formalise the driver synthesis problem using the simplest game - the reachability game - and analyse its shortcomings. I show that extending the formalism to GR(1) objectives overcomes these shortcomings.

# 4.2.1 Reachability

As a first approximation, one may state the objective for the driver as a reachability game with  $REACH = \{G\}$  where G can only by reached by completing a request. The introductory example at the start of this chapter does exactly that. However, the simplistic reachability objectives has several shortcomings that will be dealt with in the following sections.

### 4.2.2 Büchi

Consider a modified version of the previous network controller that does not have a command register. Instead, writing to the data register triggers future transmission of the byte. However, there are two ways of writing to the data register. One is a standard register write. The other also performs the register write and then schedules a self destruct sequence to happen immediately after the byte is transmitted. The state machine for this device is shown in figure 4.2. The goal, in this case, is the set  $\{S3, S5\}$  corresponding to the state after completion of the send request. The problem is that, unless you only ever want to send one byte, this goal does not capture the required behaviour. For example, a valid strategy for the reachability game with objective  $\{S3, S5\}$  is to take the bottom branch of the specification, putting the device in a state where it is not possible to transmit another packet. In conclusion, a strategy that ensures that execution enters the goal once is not guaranteed to do so again; but, real drivers are required to repeatedly satisfy requests. One could easily work around this problem by specifying only S3 as the goal, but this breaks composition of the specifications (Section 4.3).

The solution is to modify the objective of the game. Instead of being able to reach the goal once, the driver should be able to reach the goal an infinite number of times. Or, equivalently, the driver must always be able to reach the goal again. This is a Büchi game with  $BUCHI = \{S3, S5\}$  (see Section 2.4.2).



Figure 4.2: Büchi game for the simple network device

### 4.2.3 Fairness

Consider another modification of the last example without a self destruct sequence, but with the ability to check that noone is using the communication medium prior to transmitting. The state machine of this device is given in figure 4.3. After the user requests data transmission by writing to the data register, the device executes a loop that checks if the medium is free, and if so, it performs the transmission.

If this is posed as a reachability game with goal state G, then the game is not winnable. The device may stay in the loop forever as it is never guaranteed to exit. Such a behaviour should not prevent a driver from being synthesised providing that the developer has good reason to believe that the loop will eventually exit. Looping forever can be seen as a invalid behaviour and we want to synthesise a driver for this system providing the invalid behaviour does not occur.

These behaviours are eliminated with fairness conditions (Section 2.4.2). Fairness conditions are sets of states which we guarantee execution will eventually leave. These are referred to as unfair states. In the example, the unfair states are the set  $\{S2,S3\}$  i.e.  $FAIR = \{S2,S3\}$  (see Section 2.4.2). The fairness condition says that execution will eventually leave the unfair set once it is entered, and the only way of doing this is through the  $evt\_send$  transition, so the game becomes winning.

# 4.2.4 GR(1)

Termite allows multiple goals as real drivers may be required to meet multiple objectives. As an example, consider a driver for a simple serial port that must send and receive bytes. The requirements of our driver can be expressed with



Figure 4.3: Fair reachability game for the simple network device

# two goals:

- G1 consists of all states where the driver has no outstanding bytes to send.
- *G*2 consists of all states where there are no pending received bytes that the driver has not yet acknowledged to the operating system.

It may appear that the two goals can be combined into one goal  $G=G1\cap G2$  where both objectives are simultaneously satisfied. However, this does not work. Consider a correct driver that successfully responds to send requests and byte arrivals eventually, i.e. G1 and G2 are always eventually satisfied, but not necessarily at the same time. Such a driver would win the game with two separate objectives. However, when playing a game with the single goal  $G=G1\cap G2$  it is possible for the environment to arrange for a new byte to arrive just as one is transmitted, i.e. just as G1 is entered, execution leaves G2. This makes the game unwinnable as it is never possible to enter their intersection, even though our driver does behave correctly and eventually services all requests. In summary, to specify correctness of a driver with multiple requirements, and not make the game unreasonably difficult for the driver to win, we need multiple goals.

Termite also allows multiple fairness conditions as real drivers may have multiple 'looping' behaviours that need to be ruled out. As with goals, these cannot be combined into a single fairness condition.

The combination of multiple fairness and multiple Büchi objectives is a GR(1) objective (Section 2.4.2). Intuitively a GR(1) objective is satisfied if player 1 can always force execution to reach any goal provided that it does not get stuck forever in some unfair set of states. GR(1) objectives are used in Termite as the Termite team and I have found that in practice they are sufficient to express the requirements of drivers.

In summary, game objectives in Termite consist of multiple fairness conditions that capture the guarantees made by the environment and multiple goals that correspond to the functions that we expect the driver to perform. These are combined in a GR(1) game over the state space of the specifications.

# 4.3 Device and OS Specifications and Synchronisation

A core concept of Termite is the separation of device and operating system specifications. This allows us to reuse the same device specification with different OS specifications as well as reusing the same OS specification with different devices. Games so far have been defined to have a single state machine that contains all of the states of the system as well as all of the actions. In Termite, the description of the operating system is decoupled from the device to be controlled and then these are combined to form a state machine before synthesis.

Both the device and OS specifications are given as symbolic state machines. Each specification has its own set of state variables that it must supply update functions for. There is also a global set of label variables which each specification may also refer to in its state update functions. The actual update functions are generated by the TSL compiler from a high level C-like language.

The state machines may communicate through a predefined set of events. Each class of devices has a unique set of events that may optionally carry a value. This set is called the device class interface. For example, a network device may have events for packet transmission and reception that carry the value of the contents of the packet. The standardisation of device class interfaces is what allows reuse through pairing different device and OS specifications as each specification may expect or must provide a standard interface. Device class interfaces are a part of the TSL language (Appendix A) and are described in Section 5.2.3.

In this section, we work at the level of state machines and not the TSL they are generated from. I give an example system specification to illustrate its decomposition into separate OS and device specifications.

# 4.3.1 Device Specification

I start with the device specification given in Figure 4.4a. This device is a hypothetical trivial UART-like device. Instead of sending bytes, it sends notifications, which carry no value. Its programming interface consists of an action, devSendReq, that requests that the device send a notification. In a real system this could be a write to a particular bit in a control register that triggers the device action. This action only has an effect in the devIdle state and it causes the device to transition to the devSending state. From there, when the devSent event happens, which corresponds to the device actually sending the notification, the device transitions back to the devIdle state. Additionally, it emits the classSent event to communicate with the OS specification that the notification was sent. The device class interface for this trivial device consists of just the classSent which carries no value. We will respond to the classSent event in the OS specification in the next section. From here, another notification may be requested by performing the devSendReq action again.

This device model is equivalent to a Mealy machine as shown in Figure 4.4b. There is a single register for storing the current state and this state is updated on each transition using logic which additionally takes the label variables as input. This logic also produces the output Boolean variable classSent.

# 4.3.2 OS specification

The operating system specification, given in Figure 4.5a is like a test harness for the driver. It specifies which requests the driver may receive (e.g. to send a notification) and how it must respond (e.g. by eventually sending the requested notification). It is simply another state machine, like the device specification, but it may also have goals.

The goal state, state 02, is the state that a correct driver will eventually force the OS specification to be in. It is possible to specify multiple goal states, in which case the driver must force execution into any goal state.

The OS state machine starts off in the OO state. From there, if a classSent device class event is triggered by the device state machine, then the device must have sent a notification without the OS ever having requested one. This is an error, so the OS state machine transitions to the O3 state. There is no way



Figure 4.4: Device specifications



Figure 4.5: OS specifications

that the OS could have known that this event happened as it does not monitor the device notification output, so, the OS specification does not represent the way that the OS behaves in reality. These events that do not correspond to real interactions but are used to enforce correctness are called *virtual events*. Responding to virtual events in this way is how the OS specification defines correct behaviour of the system.

There is nothing special about the error state, however, we have constructed the state machine in such a way that the error state is a dead end and it is not possible to reach the goal from that state.

If a devSndReq event happens, the OS transitions into the O1 state. From there, when a classSent event happens, the OS specification transitions into the goal state as this time the classSent event was expected.

We can see from the OS specification that it is the job of the driver to ensure that a <code>devSendReq</code> event is eventually followed by <code>classSent</code> event. However, a <code>classSent</code> event can only be issued by the device, not the driver. The driver can, however, force the device to issue a <code>classSent</code> event indirectly in response to a <code>devSendReq</code> event.

In general, it is the job of the driver synthesis algorithm to figure out how to force certain events to happen at the right time (as specified by the OS state machine) by using information from the device state machine.

As with the device specification, the OS specification may be seen as a Mealy machine as shown in Figure 4.5b. Again, there is a single register for storing the current state and this state is updated on each transition using combinational logic. In addition to taking the label variables as input, it also takes the classSent Boolean signal that was produced by the device Mealy machine as input.

# 4.3.3 Combined Specification

We do this by instantiating both Mealy machines in parallel and connecting the class event signals, as shown in Figure 4.6b. Figure 4.6a shows the state machine of the combined specification. This cumbersome state machine shows the size and complexity advantages of using separate Mealy machines in parallel as the specification language. A state is a goal state if the state that it corresponds to in the OS or device state machine is a goal state. Both of the states on the right of Figure 4.6a correspond to state O2 in the OS specification, which is a goal, so they are goals. It is possible to have goals in the device specification but they are not useful in practice. Fair regions work in the same way.



Figure 4.6: Combined specifications

# 5 User guided synthesis

This chapter presents the Termite device driver synthesis toolkit which builds on the game formalism of Chapter 4 to create a practical driver synthesis tool.

One for the main challenges of driver synthesis is to enable developers to create drivers through a well-defined, predictable sequence of steps. In this chapter, I address this challenge through three key design objectives:

- Ease of developing specifications for driver synthesis.
- Ease of debugging synthesis errors due to incorrect specifications.
- Enabling the benefits of automation without sacrificing the flexibility of conventional driver development.

Termite addresses the first objective through a high-level specification language whose syntax and semantics are close to those of familiar imperative programming languages like C. In addition, it facilitates the development of modular specifications and thus enables a high degree of specification reuse. Termite addresses the second objective by developing powerful debugging techniques that help the developer identify and fix specification defects through well-defined process, similar to how conventional debuggers help troubleshoot implementation errors. Finally, Termite's methodology strikes the balance between automation and flexibility by generating driver code in a user guided fashion, where the user can interactively alter or amend automatically generated code, while the synthesis tool verifies user changes on the fly.



Figure 5.1: Termite synthesis workflow.

# 5.1 Introduction

### 5.1.1 Overview of Termite

Figure 5.1 gives an overview of the driver synthesis process, described in detail in the rest of this chapter. Termite takes four specifications as its inputs:

- a device model that simulates software-visible device behaviour,
- an OS model that specifies the software interface between the driver and the OS,
- a driver template that contains driver entry point declarations and, optionally, their partial implementation to be completed by Termite
- and, a device class specification that declares the interfaces that the operating system and device supply for a specific class of devices.

Given these specifications, driver synthesis proceeds in two steps. The first step is carried out fully automatically by the Termite game-based synthesis engine, which computes the most general strategy for the driver—a relation  $strat \subseteq S \times L$  (2.4.1) that represents all possible correct driver implementations. This step encapsulates the computationally expensive part of synthesis. At the second step, the most general strategy is used by the Termite code generator to construct one specific driver implementation in C with the help of interactive input from the user.

The synthesis engine may establish that, due to a defect in one of the input specifications, there does not exist a specification-compliant driver



Figure 5.2: Input specifications for driver synthesis. Labels in italics show interfaces from the running example (Figure 5.3 and Figure 5.4).

implementation. In this case, it produces an explanation of the failure, which can be analysed with the help of the Termite debugger tool in order identify and correct the defect.

# 5.2 Specifications

Input to Termite consists of the four specifications, which model the complete system consisting of the driver, the device, and the OS as well as defining the interface between them, shown in Figure 5.2. The OS and device models simulate the execution environment of the driver and specify constraints on correct driver behaviour. The device model simulates software-visible device behaviour. The OS model serves as a workload generator that issues I/O requests to the driver and accepts request completions in a way consistent with real OS behaviour.

The virtual interface between the device and the OS, shown with the dashed arrow in Figure 5.2, is used by the device model to notify the OS model about important hardware events, such as completion of I/O transactions and error conditions. Methods of the virtual interface do not represent real runtime interactions between the device and the OS, but are used by the OS model to specify correctness constraints for the driver (see Section 5.2.3).

Finally, the driver template contains a partial driver implementation to be completed by Termite. A minimal template consists of a list of driver entrypoints without implementation. At the other extreme, it can provide a complete implementation, in which case Termite acts as a static verifier for the driver. By this I mean that it checks that the interactions between the driver software and the hardware ensure that all operating system requests are eventually fulfilled. Specifically, it ensures that the implementation satisfies the GR(1) objective (Section 4.2.4) expressed in the specification. It does not, for example, check for the absence of null pointer dereferences and similar defects that can be found by tools such as SLAM [Ball et al., 2010]. In fact, TSL is designed to express state machines, not arbitrary programs and complex data structures, and such defects are not expressible. Of course, this also limits the drivers that can be expressed.

All specifications are written using the Termite Specification Language (TSL). In line with the goal of making synthesis as close to the conventional driver development workflow as possible, TSL is designed as a dialect of C with additional constructs for use in synthesis. The full specification of the TSL language is given in Appendix A. I introduce relevant features of TSL throughout this section.

Termite allows the use of existing device specifications developed by hardware designers in driver synthesis as discussed in Section 5.2.1. This minimises the amount of work needed to develop specifications for every synthesised driver by maximising the reuse of specifications.

Furthermore, the OS specification for the driver can be derived from a generic specification for a class of similar devices (e.g., network or storage). Thus it is expected that additional per-driver effort will consist of:

- 1. inserting device-class callbacks (the TSL way of emitting device class events) in appropriate locations of the device model and
- 2. extending the OS specification to support device-specific features missing in the generic OS specification.

### 5.2.1 Device model

The device model simulates the device operation at a level of detail sufficient to synthesise a correct driver for it. To this end, it must accurately model external device behaviour visible to software. At the same time, it is not required to precisely capture internal device operation and timing, as these aspects are opaque to the driver.

Such device models are routinely developed by hardware designers for the purposes of design exploration, simulation, and testing. They are widely used by hardware manufacturers in-house [Intel Corporation] and are available

commercially from major silicon IP vendors [Synopsys]. These models are known as *transaction-level models* (TLMs) (in contrast to the detailed register-transfer-level models used in gate-level synthesis) [Cai and Gajski, 2003]. A TLM focuses on software-visible events, or *transactions*, such as a write to a device register or a network packet transmission.

While the transaction-level modelling technology is relatively new, TLMs are already widely used by hardware manufacturers in-house [Intel Corporation] and are available commercially from major silicon IP vendors [Synopsys]. I am optimistic that in the future open-source TLMs will become commonplace, since a TLM does not expose internal implementation details of the device and is therefore less likely to expose sensitive IP.

Existing TLMs created by hardware designers can be used with minor modifications (explained in Section 5.2.3) for driver synthesis. Model reuse dramatically reduces the effort involved in synthesising a driver and is therefore crucial to practical success of driver synthesis. By reusing an existing model, Termite allows reuse of the effort invested by hardware designers in testing and debugging the model throughout the hardware design cycle, thus making driver synthesis less susceptible to specification bugs. Finally, since TLMs are created early in the hardware design cycle, TLM-based driver synthesis can be carried out early as well, thus removing driver development from the critical path to product delivery.

Unfortunately, few TLMs are publicly available at the moment, which means that driver synthesis must be performed by device vendors in-house. However this is likely to change in the future. A TLM does not expose internal implementation details of the device and is therefore not part of sensitive IP. At the same time, there exist strong incentives for manufacturers to make device TLMs available to third-party vendors to test their software and hardware products for compatibility with the given device.

TLMs are written in high-level hardware description languages like SystemC and DML. In order to use these models in driver synthesis, they need to be converted to TSL. This translation can be performed automatically, and the Termite team is currently working on a DML-to-TSL compiler. This work is not yet complete and is not a contribution of this thesis. Therefore device models used in the experimental section of this paper are either manually translated from existing TLMs or written from scratch using TLM modelling style guidelines [Wind River, 2010].

```
/* Device model */
2
   template dev
        /* Device internal state */
4
5
       uint8 reg_dat, reg_cmd, reg_status = 0;
6
7
        /* device commands */
8
       controllable void write_dat(uint8 v) {
9
            reg_dat = v;
10
11
       controllable void write_cmd(uint8 v) {
           reg\_cmd = v;
13
14
15
       controllable uint8 read_cmd() {
16
17
            return reg_cmd;
18
19
       controllable uint8 read_status() {
20
21
            return reg_status;
22
       } ;
23
        /* internal behaviour */
24
       process ptx {
25
26
            forever {
27
                wait (reg_cmd == 1);
28
                choice {
29
30
                         os.evt_send(reg_dat);
                         reg_status=0;
31
32
                     };
33
                     {
                         os.evt_send_fail(reg_dat);
34
35
                         reg_status=1;
36
                     };
37
                };
38
                reg\_cmd = 0;
39
                /*drv.irq(); (see Section 4)*/
40
41
       } ;
   endtemplate
42
```

Figure 5.3: Trivial serial controller device specifications.

# Running example

Figure 5.3 shows a fragment of a model of a trivial serial controller device used as a running example. The fragment specifies the send logic of the controller, which allows software to send data characters over the serial line. The model is implemented as a TSL *template*. The template encapsulates data and code that manipulates the data, similar to a class in OOP.

The software interface of the device consists of data, command, and status registers declared in line 5. The registers can be accessed from software via the write\_dat, write\_cmd, read\_cmd, and read\_status methods (lines 8–22). The controllable qualifier denotes a method that is available to the driver and can be invoked from synthesised code.

The transmitter logic is modelled in lines 25–41. It is implemented as a TSL *process*. A TSL specification can contain multiple processes. The choice of the process to run is made non-deterministically by the scheduler. The process executes atomically until reaching a wait statement or a controllable placeholder (see below).

In line 27, the transmitter waits for a command, issued by the driver by writing value 1 to the command register. Upon receiving the command, it sends the value in the data register over the serial line. The transmission may fail, e.g., due to a serial link problem. The device signals transmission status to software by setting the status register to 0 or 1. Finally, it clears the command register, thus notifying the driver the request has completed.

Internally, the transmitter circuit consists of a shift register and a baud rate generator used to output data on the serial line. These details are not visible to software and are abstracted away in the model. The non-deterministic choice construct is used to choose between successful transmission and failure, without modelling the details of serial link operation. Successful and failed transmissions are modelled usingevt\_send and evt\_send\_fail events, explained in Section 5.2.2.

#### 5.2.2 OS model

The OS model specifies the API mandated by the OS for all drivers of the given type. For example, any Ethernet driver must implement the interface for sending and receiving Ethernet packets. A separate specification is needed for each supported OS, as different OSs define different interfaces for device drivers.

A high degree of specification reuse can be achieved by creating a library of generic specifications for common types of drivers, e.g., network, storage, or serial drivers. A generic specification describes the API mandated by the OS for all drivers of the given type. For example, any Ethernet driver must implement the interface for sending and receiving Ethernet packets. A

separate generic specification is needed for each supported OS, as different OSs define different interfaces for device drivers.

Additionally, each particular device can support non-standard features, e.g., device-specific configuration options or transfer modes. These features must be added as extensions to the generic OS specification in order to synthesise support for them in the driver. TSL supports such extensions in a systematic way via the template inheritance mechanism. This is described in Appendix A.

#### Running example

Figure 5.4 shows the operating system model. It is written in the form of a test harness that simulates all possible sequences of driver invocations issued by the OS. The os template in Figure 5.4 shows the OS model for the running example. The main part of the model is the psend process. At every iteration of the loop, it non-deterministically chooses an 8-bit value (line 52) and calls the send method of the driver, passing this value as an argument. It then waits for the driver to acknowledge the transmission of the byte (line 56) before issuing another request. The driver acknowledges the transmission via the send\_ack callback (line 61). The callback sets the acked flag, which unblocks the psend process.

The specification is kept concise by modelling the state of the driver-OS interface, as opposed to the internal OS state and behaviour. For example, the acked variable (line 61) serves to model the flow of data between the OS and the driver and is not necessarily present in the OS implementation.

## 5.2.3 Connecting device and OS models

In addition to simulating I/O requests to the driver, the OS model also specifies the semantics of each request in terms of device-internal events that must occur in order to complete the requested I/O operation. In the running example, after the OS invokes the send method of the driver and before the driver acknowledges completion of the request, the device must attempt to send the requested data over the serial line. This requirement establishes a connection between the device and OS models and must be specified explicitly in order to enable Termite to generate a driver implementation that correctly handles the

```
/* OS model */
   template os
44
45
       uint8 dat;
46
47
       bool inprogress, acked, success;
48
        /* driver workload generator */
49
50
       process psend {
            forever {
51
52
                dat = *; /*randomise dat*/
                inprogress = true;
53
54
                acked = false;
55
                drv.send(dat);
56
                wait (acked);
57
            } ;
58
        } ;
59
        /* I/O completions */
60
61
        controllable void send_ack(bool status) {
62
            assert (!inprogress && !acked && status == success);
63
            acked = true;
        } ;
64
65
        /* virtual callbacks */
66
       void evt_send(uint8 v) {
67
68
            assert (inprogress && v==dat);
            inprogress = false;
69
            success = true;
70
71
        } ;
72
73
       void evt_send_fail(uint8 v) {
74
            assert (inprogress && v==dat);
75
            inprogress = false;
76
            success = false;
77
78
79
        /* The goal */
80
        goal idle_goal = acked;
   endtemplate
```

Figure 5.4: Trivial serial controller driver specifications.

OS request. Note that we only need to specify *which* hardware events must occur, but not *how* the driver generates them.

In order to develop such specifications, we need a way to refer to relevant state and behaviour of the device from the OS model. At the same time, in order to maximise specification reuse, we would like to keep the OS specification device-independent. To reconcile these conflicting requirements, I use the techniques introduced in Section 4.3 and introduce a *virtual interface* between the device and OS model. This interface consists of callbacks used by the device model to notify the OS model about important hardware events. The virtual interface does not represent real runtime interactions between the device and the OS, but serves as part of the correctness specification.

When writing Termite specifications, we define a virtual interface for each class of devices. Such *device-class* interfaces are both device and OS-independent. The device-class interface can be extended with additional device-specific callbacks as required to specify a driver for a particular device.

#### Running example

In the example, I define a device-class interface consisting of two virtual callbacks: evt\_send and ev\_send\_failed, invoked respectively when the device successfully transmits and fails to transmit a byte. These callbacks are invoked in lines 30 and 34 of the device model. The evt\_send handler is shown in line 67 of the OS model. The assertion in line 68 specifies that the send event is only allowed to occur if there is an outstanding send request in progress and the value being sent is the same as the one requested by the OS. I reset the inprogress flag to false in line 69, thus marking the current request as completed; line 70 sets the success flag to true, thus indicating that the transfer completed without an error. The evt\_send\_fail handler is identical, except that it sets the success flag to false. The flags are checked by the send\_ack method, which asserts that the driver is only allowed to acknowledge a completed request (!inprogress) that has not been acknowledged yet (!acked) and that the completion status reported by the driver must match the one recorded in the success flag.

In this example I use C-style assertions to rule out invalid system behaviours. An assertion is equivalent to a safety condition 2.4.2. Assertions alone do not fully capture requirements for a correct driver behaviour. For example, a driver that remains idle does not violate any assertions. Hence,

```
/* Driver template */
83
   template drv
        void send(uint8 v) {
85
86
            . . . ;
87
88
        /*
89
        void irq() { (see Section 4)
90
91
92
93
94
   endtemplate
```

Figure 5.5: Trivial serial controller driver specifications.

I need to specify requirements for the driver to make forward progress. I introduce such requirements into the model in the form of *goal conditions*, that must hold *infinitely often* in any run of the system. These are GR(1) goals as described in Section 2.4.2 and Section 4.2.4. For example, a goal may require that the driver is infinitely often in an idle state with no outstanding requests from the OS. The OS can force the driver out of the goal by issuing a new I/O request. To satisfy the goal condition, the driver must return to the goal state by completing the request. Line 80 in Figure 5.4 defines such a goal condition that holds whenever the acked flag is set, i.e., the driver has no unacknowledged send requests.

## 5.2.4 Driver template

#### Running example

Figure 5.5 shows the driver template for the running example consisting of a single send entry point invoked by the OS. The ellipsis in line 86 represent a location for inserting synthesised code and are part of TSL syntax. I refer to such locations as *controllable placeholders*.

# 5.3 TSL Compiler

In order to compute the most general driver strategy as a solution of a twoplayer concurrent game (Section 2.6.1), Termite must first convert input TSL specifications into a game structure (Section 2.4.1). This means that we must define the set of states, labels, initial states and the transition relation. This conversion is performed by the TSL compiler.

Real driver specifications have large state spaces, which cannot be feasibly represented by explicitly enumerating states. Termite represents games symbolically (Section 2.8). The state space of the game is defined in terms of a finite set of state variables X, with each state  $s \in S$  representing a valuation of variables in X. The TSL compiler introduces a state variable for each TSL variable declared in one of the input templates. In addition, auxiliary state variables are introduced to model the current control location of each TSL process. In the initial states, these control variables are set to values representing the first location of each process. The initial values of other variables are left uninitialised unless the user explicitly specifies their initial value in TSL.

Termite models controllable and uncontrollable actions as valuations of action variables  $Y_c$  and  $Y_u$ . For efficiency, the transition relation is partitioned into two relations,  $\delta_c$  and  $\delta_u$ , for controllable and uncontrollable transitions respectively. These are represented symbolically as formulas over state variables X, action variables  $Y_c$  and  $Y_u$ , and next-state variables X'. The transition relations are generated under the assumption that the game solver will use the controllable predecessor defined in Section 2.6.1.

The TSL compiler automatically splits the input specification into controllable and uncontrollable parts and translates them into controllable and uncontrollable transition relations respectively. The controllable part is comprised of controllable methods that can be invoked by the driver. The controllable transition relation  $\delta_c$  is computed by rewriting controllable methods in the *variable update form*. Consider, for example, variable reg\_dat declared in line 5 in Figure 5.3. This variable is only modified by the write\_dat method in line 8. The corresponding fragment of the controllable transition relation in the variable update form is

$$reg\_dat' = \begin{cases} v, & \text{if } tag = write\_dat \\ reg\_dat, & \text{otherwise,} \end{cases}$$

where reg\_dat' is the next-state variable representing the value of reg\_dat after the transition. A special tag variable is used to identify the method being invoked. For example, the specification in Figure 5.3 has four controllable methods, so tag can take one of the four values  $write\_dat$ ,  $write\_cmd$ ,  $read\_status$  and  $send\_ack$ . In addition, a separate variable is introduced for

each argument of every controllable method (v in this example).

The uncontrollable part of the specification is comprised of TSL processes, which model device and OS behaviour. The TSL compiler syntactically decomposes each process into atomic transitions. Recall that a process executes atomically until reaching a wait statement or a controllable placeholder. Consider the ptx process in line 25 in Figure 5.3. The process is initially paused in the wait statement. It is scheduled to run when the wait condition holds. It executes the statements in lines 28–38 atomically and stops again in line 27. As part of this atomic transition, the process sets the reg\_cmd variable to 0 (line 38). This is the only uncontrollable transition that modifies this variable, hence the uncontrollable update function for this variable is defined as follows:

$$reg\_cmd' = \begin{cases} 0, & \text{if } reg\_cmd = 1 \land pid = ptx \\ reg\_cmd, & \text{otherwise}, \end{cases}$$

where pid is an uncontrollable action variable that models the scheduler's choice of a process to run, and the reg\_cmd = 1 conjunct corresponds to the wait condition in line 27.

Finally, the TSL compiler needs to generate the game objective  $\Phi$ . It uses GR(1) objectives as defined in Section 2.4.2 and motivated in Section 4.2. In a symbolic representation of the game, goal and fair sets are specified as conditions over state variables that hold for each state in the set. The TSL compiler outputs a goal set  $B_i$  for each goal declared in the input specification and a fair set  $F_i$  for each wait statement. The latter guarantees that every runnable process gets scheduled eventually.

In addition to goal conditions, a TSL specification also contains assertions, which must never be violated. Assertions are modelled using an auxiliary Boolean state variable  $\varepsilon$ , which is set to true whenever an assertion is violated and remains true forever after. An extra constraint  $\varepsilon = false$  is added to each accepting set  $B_i$ . An assertion violation permanently takes the game out of  $B_i$ , and therefore can not occur in any winning run of the game.

# 5.4 User-guided Code Generation

The set of input TSL specifications is fed into the Termite synthesis engine (Chapter 6), which then automatically computes the most general strategy

(Section 2.4.1) for the driver. Given a state of the system, the most general strategy determines the set of all valid driver actions in this state. The most general strategy is used by the Termite code generator to produce a driver implementation in C in a user-guide fashion.

#### 5.4.1 Motivation

Early versions of Termite implemented fully automatic code generation as their only mode of operation. In many cases the Termite team found that the tool produced unsatisfactory code, which led to a series of improvements to the code generation algorithm, aimed to generate more compact, user-readable, and efficient implementations. At the same time, we found that many aspects of what is perceived by developers as a good implementation are very hard to formalise, and, even when possible, the effort involved in such a formalisation exceeds the effort needed to achieve the desired effect manually.

For example, the interrupt handler logic of most drivers follows the standard structure, where the driver checks every interrupt source in the order of its priority and invokes a separate handler function for every signalled interrupt. Interrupt prioritisation and functional decomposition are hard to synthesise automatically without manual guidance.

One might argue that structure and readability are not relevant for synthesised code. In practice, however, if synthesised drivers are to make their way into Linux and other major OSs, they must follow standard coding guidelines adopted by these OSs and be amenable to manual code inspection. Furthermore, human readable code is needed for quality assurance. While automatic synthesis guarantees that the synthesised driver is correct with respect to input specifications, it does not protect against specification defects: despite our best effort to maximise specification reuse and follow good modelling practices, specification defects cannot be avoided altogether. Hence, manual inspection remains an important way to eliminate driver bugs.

In summary, while there exists a potential for further improvement of automatic code generation algorithms, we believe that a truly practical driver synthesis tool must put the user in control of the resulting code and not enforce any particular code structure nor attempt to override user's design decisions.

#### 5.4.2 Workflow

The Termite code generator GUI is similar to a traditional integrated development environment with two additional built-in tools: the *generator* and the *verifier*. The generator works as advanced auto-complete that helps the user to fill the controllable placeholders inside the driver template with code. At any point, the user can invoke the generator to synthesise a single statement or a complete block of code inside a controllable placeholder via a mouse click on the target code location. The user can arbitrarily modify and amend the generated code. However, the generator never modifies user code. Instead it tries to extend it to a complete implementation, which is always possible provided that the existing code is consistent with the most general strategy. The generator currently only allows synthesising statements after the last control location within a branch. However this restriction is not a conceptual one and will be lifted by ongoing development.

The verifier automatically and on the fly checks that the driver implementation, comprised of a mix of generated and manually written code, is consistent with the most general strategy, thus maintaining strong correctness guarantees that one would expect in automatically synthesised code. The verifier symbolically simulates execution of the system, following the partial driver implementation created so far, and signals the user whenever it encounters a transition that violates the most general strategy.

In the first approximation, the generator algorithm is quite simple: given a source code location within a controllable placeholder, it determines the set of possible system states in this location, picks an action for each state from the most general strategy and translates this action into a code statement. In practice the algorithm uses a number of heuristics and approximations to produce compact and human-readable code.

Firstly, given a controllable placeholder within a partially synthesised driver, Termite determines the set of states that the system must be in at that point. It overapproximates this set by symbolically executing the incomplete driver, starting from the initial state set and allowing for all possible environment behaviours, until the controllable placeholder is reached.

Once Termite has this estimate of the state set, it heuristically suggests an appropriate autocompletion. In particular, whenever there exists a common action in all possible states at the given location, the algorithm produces

```
void send(uint8 v) {
      dev.write_dat(v);
2
      dev.write_cmd(1);
       wait (dev.reg_cmd==0);
4
5
       if (os.success) {
           os.send_ack(true);
7
       } else {
          os.send_ack(false);
8
9
       };
10
  } ;
```

Figure 5.6: Generated send function

straight-line code without branching. These heuristics are described in Section 5.5.

The verifier also makes use of the set of possible states. When code is entered manually into a controllable placeholder, Termite symbolically executes this line of code starting from the set of possible states. If it detects that this manually written code takes the system out of the winning region (Section 2.6.2) then the code is not accepted and the user is notified that their code is not winning.

In the following section, I walk through code generation of the <code>send()</code> function of the running example to demonstrate, at a high level, how Termite generates code and verifies manually written code. For a demonstration of using Termite to generate code for a real driver, including screenshots, see Appendix B.

# 5.4.3 Running Example

When running the generator on the running example, it automatically generates the code in Figure 5.6 for the send function (line 85 of the device template, Figure 5.5).

This implementation correctly starts the data transfer by writing the value to be sent to the data register and setting the command register to 1. It then waits for the transfer to complete, which is signalled by the device by resetting the command register to 0. Finally, it acknowledges the completion of the transfer to the OS.

If the developer is happy with the generated implementation, then the process ends here. If not, the user is free to modify the generated code and

```
void send(uint8 v) {
      dev.write_dat(v);
2
       dev.write_cmd(1);
       while(dev.read_cmd() ==1);
4
5
       if (dev.read_status())
6
           os.send_ack(true);
       } else {
           os.send_ack(false);
8
9
       };
10
   } ;
```

Figure 5.7: Manually written send function

re-run Termite to verify this code. As an example, the user may swap lines 2 and 3 and re-run Termite. This new implementation is invalid as, since the cmd register is written before the data register, the wrong data may be sent. Termite catches this error and reports that the game is no longer winnable for the driver. The user may then use the debugging methods of Section 5.6 and the cause of their error will become clear. If, on the other hand, the user's modifications had been correct then termite would have reported that synthesis was successful and the user may continue the code generation process.

Note that the generated code refers to the <code>dev.reg\_cmd</code> and <code>os.success</code> variables. These variables model internal device and OS state respectively and cannot be directly accessed by the driver. This example illustrates an important limitation of Termite—it assumes a white-box model of the system, where every state variable is visible to the driver. We work around this by allowing the user to manually replace the code that refers to unaccessible variables with equivalent code that does not. In this case, value of the command register can be obtained by the driver by executing the <code>read\_cmd</code> action. Furthermore, the value of the <code>os.success</code> variable is correlated with the completion status of the last transfer, which can be obtained by reading the device status register. The user edited code is given in Figure 5.7 and will be verified by Termite in a subsequent run. This limitation and how we work around it is discussed in Section 5.7.2.

Note that in this example we have synthesised code that correctly handles device errors. This was possible, as the input device specification correctly captures device failure modes (namely, transmission failure) and the OS specification allows for such errors and describes how the driver must report

errors to the OS (via the status argument of the completion callback).

In principle, it is also possible to synthesise a driver implementation that handles device and OS failures *not* captured in the specifications: since the synthesis tool knows all possible valid environment behaviours, it can easily detect invalid behaviours and handle them gracefully. Automatic synthesis of such *hardened* device drivers is a promising direction of future research.

#### 5.4.4 C Code Generation

The final step of the code generation process translates the synthesised driver implementation to C. As was seen in the previous section, the TSL code that is generated is syntactically and semantically very similar to C. Thus, C code generation is a trivial line-by-line translation. I expect this translation to become unnecessary in the future as ongoing work on the TSL syntax aims to make the synthesised subset of TSL a strict subset of C.

# 5.4.5 Maintaining synthesised code

Device driver development is not a one-off task: following the initial implementation, drivers are routinely modified to implement additional functionality, adapt to the changing OS interface or support new device features.

The user-guided code generation method naturally supports such incremental maintenance. Since Termite uses TSL as both its input and output language; a completely or partially synthesised driver can be given as input to Termite, along with modified versions of the device and OS models.

A typical maintenance task proceeds in three steps:

- 1. First, the developer amends device and OS models to reflect the new or changed functionality.
- 2. Second, they add new methods to the previously synthesised driver, if necessary, and replace existing driver code that is expected to change with a controllable placeholder.
- 3. Finally, the user runs Termite to synthesise code for all controllable placeholders.

Termite treats all existing driver code as part of the uncontrollable environment. Hence, if some of the old code is incorrect in the context of the new

specifications, this will lead to a synthesis failure, and counterexample-based debugging is used to identify the faulty code, as described in Section 5.6.

#### Running Example

As an example, we synthesise a new version of the driver for the running example assuming a more advanced version of the serial controller device that uses interrupts to notify the driver on completion of a data transfer. The new device model is obtained by uncommenting line 39 of the device model in Figure 5.3, which invokes the interrupt handler method of the driver after each transfer. The driver template (Figure 5.5) is extended with the <code>irq</code> method (line 90). We use the previously synthesised implementation of the <code>send</code> method, but manually remove the last two lines, which implement polling, as we want the new implementation to use interrupts instead:

```
void send(uint8 v) {
dev.write_dat(v);
dev.write_cmd(1);}
```

Finally, we run Termite on the resulting specifications and use the generator to automatically produce the following implementation of the new irq method:

```
1 void irq() {
2    if (os.success) {
3        os.send_ack(true);
4    } else {
5        os.send_ack(false);
6    };}
```

As before, we manually replace the if-condition in the first line with

```
1 if (dev.read_status())
```

This example illustrates how Termite supports incremental changes to the driver by reusing previously synthesised code, while maintaining strong correctness guarantees.

#### 5.4.6 Instrumenting synthesised code

Termite does not automatically instrument synthesised code for debugging, logging, accounting, etc. However, the user can add such instrumentation manually. Termite interprets such code as no-ops and, as with any manual code, never makes any modifications to it.

#### 5.5 Heuristic Code Generation

Termite acts as an advanced auto-complete by suggesting lines of code for the driver. These suggestions are obtained using the symbolic strategy generated in the synthesis phase. Termite keeps track of the possible set of states that the system may be in at each line of code in the graphical IDE and uses this along with the strategy to generate a suggestion.

Generating a winning move from an individual state is straightforward. All one has to do is look up the state in the strategy relation and pick any winning label related to that state. Termite's code generator, however, deals in sets of states - the set of states which the system may be in at a particular line - which complicates matters considerably. For example, although every state in the set is winning (an invariant that the code generator enforces), there might not exist a single label that is winning for all of these states. In this case, the code generator uses smarter methods for picking labels or possibly falls back to splitting the current state set in two, as described in the following sections.

# 5.5.1 Straightforward label picking

In the simplest case, there exists a winning action that is available from all states within a source code location's state set (denoted stateSet, see Section 5.4.2 for how this is computed). This action will cause all states in stateSet to transition to a state closer to the goal, guaranteeing that if we keep choosing actions in this way we will eventually force execution into the goal. I compute the set of such winning actions using the formula in Equation 5.1.

$$\forall s. stateSet \rightarrow strategy$$
 (5.1)

This returns the set of labels which are part of the strategy for all states in the current state set. If the set is not empty, the Termite IDE picks one of these at random as the autocompletion suggestion. If it is empty, the Termite IDE falls back to the more computationally expensive heuristic described in the next section.

# 5.5.2 Smarter label picking

While the above heuristic is straightforward and cheap, it is often unsatisfactory in practice. As an example, consider a current state set containing two states:  $s_1$  and  $s_2$ . Suppose there is no label which is in the winning strategy for both states, but there is a label in the winning strategy for  $s_1$  and it does not take  $s_2$  further away from the goal. Such an action is a good candidate for an auto completion, however it will not be found by the first heuristic.

The more general label picking algorithm works as follows: I choose a label such that if it is played from stateSet, the maximum distance to the goal of states in stateSet decreases. Thus, repeatedly picking actions in this way ensures that execution eventually gets to the goal and is therefore a sound method of picking auto completions.

I find the greatest distance (N) of any state in stateSet from the goal and then I look up the set  $win_{N-1}$ , the set of states at distance N-1 from the goal. This set was computed and saved symbolically during synthesis. In order to ensure that the maximum distance to the goal decreases I pick labels according to this formula:

$$\forall s, s' (stateSet \wedge \delta) \rightarrow win_{N-1}$$
 (5.2)

This set of labels is computed symbolically. I pick any label from this set. Note that even though execution is guaranteed to reach the goal, the label picked may not be part of the strategy for all states in stateSet, as, by definition, a strategy is required to take execution closer to the goal and this may not be the case for states at less than the maximum distance from the goal.

#### 5.5.3 Splitting states

Lastly, suppose that there is no action found by the first two heuristics. In this case I recursively split stateSet by finding a subset  $a \subset stateSet$  from which there is a winning action for all of a and splitting this out in C code using an if-statement. What remains of stateSet is recursively split enough times that there is a suitable label to play from each partition. This is guaranteed to

eventually happen because stateSet in finite and in practice only one or two splits are needed.

I now describe how the condition for this if-statement is computed. There exists at least one winning label from each state in the current set, as they are all winning. However, there does not exist a single label which is winning for all states in the current set. My heuristic to find a large subset of *stateSet* for which there does exist a single winning label is as follows:

- 1. Enumerate labels that are winning in some state in *stateSet*.
- 2. For each label, compute the set where that label is part of the strategy.
- 3. For each set, Compute a small condition (a BDD) over state variables that distinguishes this set from the rest of *stateSet*.
- 4. Choose the condition that is the simplest (measured by BDD size) and return this and the corresponding label.

#### **Enumerating winning labels**

I need to build a mapping from labels l that win in at least one state in stateSet to the subset  $\sigma \in stateSet$  where the label is winning, i.e. where  $\forall s \in \sigma.\ l \in Strat(s)$ . This potentially requires enumerating all winning labels in stateSet. In practice this is infeasible, as games in Termite have labels over 100 variables in size so this could potentially involve enumerating over  $2^{100}$  labels.

The label in a game must contain the union of all variables that can influence any transition. So, in practice, most transitions depend on only a small subset of the label variables. For example, consider a controllable register write. A label variable is needed to specify the actual value written. But on any uncontrollable transition, or a controllable transition that is not a register write, this variable is unneeded. It does not influence the next state and is effectively a 'dont-care' variable.

I therefore would like to compute an equivalence class over labels such that equivalent labels behave identically within stateSet. More precisely, I say that labels  $l_1$  and  $l_2$  are equivalent if:

$$\forall s \in stateSet. \ \delta(s, l_1) = \delta(s, l_2) \tag{5.3}$$

# Algorithm 11 The AVAILABLELABELS function

```
function AVAILABLELABELS(s, u, l, s', strategy, stateSet)
winning \leftarrow \exists \ s \ u \ s'. \ strategy \land stateSet
\mathbf{return} \ \mathsf{ENUMERATE}(l, s \cup s', \delta \land stateSet \land winning)
\mathbf{end} \ \mathbf{function}
```

This is formalised by the *availableLabels* algorithm (Algorithm 11) which enumerates labels that are equivalent given the current set and transition relation. Importantly, this enumeration is performed symbolically and the number of iterations is equal to the number of equivalence classes, which, in practice, is small.

This algorithm invokes two other algorithms: genPair (Algorithm 12) and enumerate (Algorithm 13), both of which deserve some explanation.

#### **Algorithm 12** The GENPAIR function

```
function GENPAIR(x, y, rel)
v \leftarrow \text{EXTRACTMINTERM}(\exists y. rel)
img \leftarrow \text{SUBSTITUTE}(rel, v)
genX \leftarrow \forall y. reg \leftrightarrow img
\mathbf{return} \ \langle genX, img \rangle
\mathbf{end} \ \mathbf{function}
```

genPair, given two sets of variables (X and Y) and a relation  $rel \subseteq valuations(X) \times valuations(Y)$ , extracts a single valuation v of X from the relation. It then determines the image of of Y, img, under the relation. Finally, it determines the set of valuations of X whose image is exactly this set, denoted genX.

# **Algorithm 13** The ENUMERATE function

```
function ENUMERATE(x, y, rel)

result = []

while rel \neq False do

\langle genX, img \rangle \leftarrow \text{GENPAIR}(x, y, rel)

result \leftarrow result \oplus \langle genX, img \rangle

rel \leftarrow res \wedge \neg genX

end while

return result

end function
```

enumerate, given two sets of variables (X and Y) and a relation over valuations of these variables repeatedly extracts pairs of related sets from the

relation using genPair, erasing the X valuations from the relation each time so that they are not chosen again. It computes  $P\subseteq 2^{valuations(X)}\times 2^{valuations(Y)}$ , such that for  $\langle A,B\rangle\in P$ , any  $a\in A$  is related to each  $b\in B$  and nothing more. Furthermore, all of the A sets are disjoint and their union is the set of all X valuations that satisfy the relation.

Finally, availableLabels (Algorithm 11) uses enumerate to enumerate labels with different behaviours in the current stateSet. It does this by restricting the transition relation to transitions that originate from states in stateSet and treating this as a relation between l and  $\langle s, s' \rangle$ . This works because equivalent labels will result in the same  $\langle s, s' \rangle$  relation, i.e. the same state transition, thus calling enumerate with this relation and these variables will enumerate sets of equivalent labels in the current state.

#### Computing the condition

I next compute an if condition over state variables that distinguishes the states where the label is winning from the rest of stateSet. The condition should be small as that corresponds to simple code and is likely to be closer to what a human programmer would write. To find a simple condition, I use the 'leaf identifying compaction' function of [Hong et al., 1997] which is denoted liCompact from now in. This function minimises a condition BDD given a care set so that it returns the correct value within the care set and is undefined otherwise [Hong et al., 1997]. Specifically, given a condition, condition and a care set careSet, liCompact computes a BDD minimalCond such that:

$$careSet \land minimalCond = careSet \land condition$$
 (5.4)

and such that minimalCond is as small as possible, where size is measured in number of bdd nodes. Exact minimisation is NP-complete so it is a heuristic approximation.

The condition BDD is the set of states from which the winning label is available and the care set is *stateSet*. Since I am only applying the if condition in one of the states in *stateSet*, this is the only set where it needs to be accurate.

# 5.6 Counterexample Guided Debugging

An important practical issue in game-based synthesis is the complexity of diagnosing synthesis failures due to defects in the input specifications. In

the event that Termite fails to solve the game, the user needs to trace the failure back to the specification defect. However, the failure does not carry any information about the defect, which makes the problem harder to resolve.

In Termite we propose a new approach to troubleshooting synthesis failures based on the use of *counterexample strategies*. A counterexample strategy is a strategy on behalf of the environment that prevents the driver from winning the game. It is obtained by solving the *dual game*, where, in order to win, the environment must permanently force the game out of one of the goal regions. A winning strategy in the dual game is guaranteed to exist whenever solving of the primary game fails (Section 2.4.4).

By exploring the counterexample strategy, the user can identify the defect in the input specification. This is similar to the use of counterexamples in software verification, where for each discovered bug the verification tool generates a counterexample trace that triggers the bug. However, a counterexample strategy cannot in the general case be represented by a single execution trace, as the choice of spoiling moves for the environment depends on the actions performed by the driver.

In order to detect and fix the defect in an input specification, the driver developer relies on their understanding of the OS and device logic. The role of the counterexample strategy is to guide the developer towards the defect. To automate this process, the Termite team developed a powerful visual debugging tool that allows the user to interactively simulate intended driver behaviour and observe environment responses to it. The user plays the game on behalf of the driver, while the tool responds on behalf of the environment, according to the counterexample strategy.

In a typical debugging session, the debugger, following the counterexample strategy, generates a sequence of requests that are guaranteed to win against the driver. The user plays against these requests by specifying device commands that, they believe, represent a correct way to handle the request. Since this sequence of requests *cannot* be handled correctly given the current input specification, at some point in the game the user runs into an unexpected behaviour of one of the players, e.g., one of the user-provided commands does not change the state of the device as expected or the environment performs an uncontrollable transition that violates an assertion. Based on this information, the user can revise the faulty specification.

At every step of the interactive debugging session, the debugger either

chooses a spoiling uncontrollable action based on the counterexample strategy or, if the system is inside a controllable placeholder, allows the user to choose a controllable action to execute on behalf of the driver. In the former case the spoiling uncontrollable action corresponds to a transition in one of the TSL processes. The user can explore this transition by stepping through it, exactly as they would in a conventional debugger. In the latter case, the user provides the action that they would like to perform by typing and executing corresponding code statements.

The tool supports a number of features aimed at making the debugging process as simple as possible for the user. I mention two of them here:

- First, the debugger interactively prompts actions available to the driver at each step.
- Second, the debugger keeps the entire history of the game and allows the user to go back to one of previously explored states and try a different behaviour from there.

#### 5.7 Limitations

The core of a device driver entails translating I/O requests from the OS into sequences of low-level device commands and responses. Termite focuses on synthesising driver logic that performs these functions, and this is where game-based synthesis really shines, as it helps to implement tedious and errorprone logic with minimal manual effort and without bugs. However, there are several real world aspects of device driver creation that are not handled as gracefully by the game based approach.

In this section I discuss the limitations of Termite, which, I hope, will help define the agenda for continuing research in driver synthesis.

#### 5.7.1 Direct Memory Access

Most importantly, Termite does not currently support automatic synthesis of direct memory access (DMA) management code. Many modern devices transfer data directly to and from main memory, where it is buffered in data structures such as circular buffers and linked lists. These data structures can have very large or infinite state spaces and cannot be easily modelled within the finite state machine-based framework of Termite. Efficient synthesis for

5.7. LIMITATIONS 81

DMA requires enhancing the synthesis algorithm to use a more compact representation of DMA data structures, which is the focus of our ongoing research. At this time, code for manipulating DMA data structures must be written manually. This code is not interpreted or verified by Termite. For example, we used this approach to synthesise a DMA-capable IDE disk driver (Section 5.9).

## 5.7.2 White Box Assumption

Termite synthesizes strategies and generates code assuming a white box model of the system, where every state variable is visible to the driver. This was illustrated in Section 5.4.3 where the generated driver code referred to the dev.reg\_cmd and os.success variables. Termite is unable to automatically infer the values of these unobservable variables. In the common case, as illustrated in Section 5.4.3 the values of these variables may be inferred by the driver by reading device registers.

Returning to the example, ideally, we would like to synthesise an implementation that automatically infers the values of important unobservable variables. The value of the command register can be obtained by the driver by executing the <code>read\_cmd</code> action. Furthermore, the value of the <code>os.success</code> variable is correlated with the completion status of the last transfer, which can be obtained by reading the device status register.

While Termite currently cannot produce such an implementation automatically, it implements a pragmatic tradeoff that helps the user build and validate a correct implementation with modest manual effort. The code generator warns the user that the auto-generated code accesses private variables of the device and OS templates. This prompts the user to provide a functionally equivalent valid implementation, replacing the wait statement with a polling loop and using the read\_status method to check transfer status, as shown in Figure 5.7.

The verifier automatically checks the resulting implementation and confirms that it satisfies the input specification.

#### 5.7.3 Boilerplate Code

Device drivers in modern OSs contain a significant amount of boilerplate code that is not directly related to the task of controlling the device. This includes

binding the driver to I/O resources (memory mapped regions, interrupts, timers), registering the driver with various OS subsystems, allocating DMA memory regions, creating sysfs entries, etc. While much of this functionality could be synthesised within the game-based framework, I do not believe that this is the correct approach. Previous research has demonstrated that this boilerplate code can be generated in a principled way from declarative specifications of the driver's requirements and capabilities [Spear et al., 2006]. This technique has lower computational complexity than game solving and better captures the essence of the task. A practical driver synthesis tool can combine game-based synthesis of the core driver logic responsible for controlling the device with declarative synthesis of boilerplate code. As a result, the current version of Termite assumes this boilerplate code is written manually as a wrapper around the synthesised driver.

#### 5.7.4 Concurrency

Drivers execute in a concurrent OS environment and must handle invocations from multiple threads, as well as asynchronous hardware interrupts. Synthesis for concurrency is performed in a separate step. Drivers synthesised by Termite are correct assuming a sequential environment, where driver entry points are invoked atomically. The resulting sequential driver is then processed by a separate tool that performs a sequence of transformations of the driver source code, which preserve the driver's sequential behaviour, while making the driver thread-safe. Such transformations include adding locks around critical code sections, inserting memory barriers, and reordering instructions to avoid race conditions. Concurrency synthesis is still work in progress and is not the subject of this thesis. Preliminary results are published in [Cerny et al., 2013, 2014a, 2015].

#### 5.7.5 Real time synthesis

Termite does not explicitly support specification and synthesis of timed behaviours. Instead, it uses a pragmatic approach that allows it to synthesise time-sensitive behaviour without having to explicitly reason about time. To this end, Termite conservatively approximates timed operations by fairness constraints: it ignores the exact duration of each device operation, but keeps the knowledge that the operation will complete *eventually*, and synthesises a

83

driver that waits for the completion. Termite is also able to handle time-out conditions, modelled as external events. However, at this time it is not capable of generating device drivers for hard real-time systems, where the driver must guarantee completion of I/O operations by a certain deadline.

# 5.8 Implementation

All components of Termite that have been described in this chapter have been implemented in the Haskell programming language. I implemented the game solver (Chapter 6), counterexample extractor (Section 5.6) and code generation algorithms (Section 5.5). My supervisor, Dr Leonid Ryzhyk, implemented the TSL compiler (Section 5.3), the graphical counterexample explorer (Section 5.6), the user-guided code generator (Section 5.4), and the TSL-to-C compiler. The implementation uses the CUDD BDD library for efficient symbolic manipulations over Boolean relations, and the Z3 SMT solver for satisfiability queries over the theory of bit vectors, as described in Chapter 6 and [Walker and Ryzhyk, 2014]. Termite is publicly available under the BSD license and can be downloaded from the project website http://termite2.org. The version of Termite presented here consists of 30,000 lines of code.

#### 5.9 Evaluation

We evaluated Termite by synthesising drivers for eight I/O devices. Specifically, we synthesised drivers for a UVC-compliant USB webcam, the 16550 UART serial controller, the DS12887 real-time clock, and the IDE disk controller for Linux, as well as bare metal drivers (which, for example, would run on seL4 [Klein et al., 2009]) for I2C, SPI, and UART controllers on the Samsung exynos 5 chipset¹ and SPI controller on the STM32F10 chipset. With the exception of the IDE disk, these devices are representative of peripherals found in a typical embedded platform, such as a smartphone. Our synthesised drivers implement data transfer, configuration and error handling. The main barrier to synthesising drivers for more advanced devices, e.g., high-performance network controllers, is the current lack of support for synthesis of DMA code in the current version of Termite.

<sup>&</sup>lt;sup>1</sup>At the time of writing, the exynos drivers have not yet been tested due to hardware availability issues; however we confirmed via manual inspection that they implement the same device control sequences as existing manually developed drivers.

|             | input spec |        | driver          |        |  |
|-------------|------------|--------|-----------------|--------|--|
|             | OS         | device | synthesised     | native |  |
| webcam      | 102        | 385    | 113             | 307    |  |
| 16450 UART  | 122        | 167    | 74              | 261    |  |
| exynos UART | 128        | 252    | 37              | 166    |  |
| STM SPI     | 73         | 244    | 24              | 64     |  |
| exynos SPI  | 88         | 239    | 40              | 183    |  |
| exynos I2C  | 146        | 180    | 79              | 211    |  |
| DS12887     | 118        | 252    | 84              | 183    |  |
| IDE         | 188        | 480    | 94 <sup>a</sup> | 474    |  |

<sup>&</sup>lt;sup>a</sup>Excluding 36 lines of manually written code that manipulates the DMA descriptor table.

Table 5.1: Size (in lines of code) of input specifications and of synthesised and equivalent manually written drivers.

# 5.9.1 Modelling complexity

Models of UART and DS12887 devices were developed based on existing publicly available device models [WindRiver; OpenCores]. Models of other devices were derived from their vendor-provided documentation, following standard TLM modelling guidelines [Wind River, 2010]. OS models for the relevant device classes were created based on Linux kernel documentation and source code.

Table 5.1 summarises the size, in lines of code, of device and OS models in our case studies. Developing a complete set of specifications for each driver took approximately one week, of which only one to three days were spent building the models and the rest of the time was spent studying device and OS documentation. This efficiency can be attributed to the choice of the right level of abstraction and modelling language. In particular, the use of transaction-level device modelling abstracts away complicated internal device machinery by focusing on high-level events relevant to driver synthesis, while the TSL language allows modelling the driver environment using standard programming techniques, as illustrated by our running example.

Interestingly, we found the most error-prone step in developing specifications for driver synthesis to be defining correct relative ordering of OS-level and device-level events with the help of the virtual interface (Section 5.2.3). Naïve specifications tend to be either too restrictive, leading to synthesis failures, or too liberal, leading to incorrect synthesised drivers. As we gained

more experience synthesising different types of drivers, we identified common modelling patterns that help avoid errors in virtual interface specifications.

As a common example, most virtual interfaces contain callbacks that signal a change to one of the device configuration parameters, e.g., transfer speed, parity, etc. A naïve OS model may only allow such a callback to be triggered when the OS has requested a change to the corresponding device setting. However, many devices only allow setting multiple configuration parameters simultaneously, so that setting any individual parameter triggers multiple callbacks, thus making the specification non-synthesisable. The problem can be rectified by changing the device specification to only trigger callbacks if the new value of the parameter is different from the old one; however this bloats the device model due to the extra checks. A better solution, used in all our models, is to design the OS specification to allow configuration callbacks to be triggered at any time, provided that the new value of the parameter is equal to the last value requested by the OS.

#### 5.9.2 Synthesis time

Table 5.2 summarises the performance of the Termite game solver in our case studies. The second column of the table characterises the complexity of the two-player game constructed by the TSL compiler from the input specifications in terms of the number of states variables and the total number of bits in these variables. The third column shows the number of iterations of the abstraction refinement loop required to solve the game. The next column shows the size of the abstract game at the final iteration, in terms of the number of predicates in the abstract state space of the game. These results demonstrate the dramatic reduction of the problem dimension achieved by our abstraction refinement method. The second-last column shows that the Termite game solver was able to find the most general winning strategy within a few minutes in all case studies.

I compared the performance of the Termite game solver against a state-of-the-art abstraction refinement algorithm for games [de Alfaro and Roy, 2007] as well as against the standard symbolic algorithm for solving games without abstraction [Piterman et al., 2006]. In all case studies, the Termite solver was the only one to find a winning strategy within a two-hour limit. I refer the reader to Chapter 6 and [Walker and Ryzhyk, 2014] for a more detailed performance analysis of the Termite synthesis algorithm.

|             | vars(bits)   | refine-<br>ments | predi-<br>cates | synt.<br>time (s) | verif.<br>time (s) |
|-------------|--------------|------------------|-----------------|-------------------|--------------------|
| webcam      | 128 (125565) | 47               | 192             | 215               | 794                |
| 16450 UART  | 81 (407)     | 65               | 128             | 210               | 464                |
| exynos UART | 80 (1185)    | 54               | 111             | 645               | 82                 |
| STM SPI     | 68 (389)     | 29               | 63              | 67                | 31                 |
| exynos SPI  | 83 (933)     | 31               | 72              | 25                | 44                 |
| exynos I2C  | 65 (303)     | 21               | 56              | 45                | 96                 |
| DS12887     | 92 (810)     | 25               | 74              | 56                | 127                |
| IDE         | 114 (1333)   | 42               | 105             | 285               | 778                |

Table 5.2: Performance of the Termite game solver.

The final column of Table 5.2 shows the time that it took Termite to verify a complete driver. Recall that the Termite synthesis algorithm doubles as a verification algorithm and can be used to verify drivers written in TSL. We used complete synthesised drivers containing a combination of manual and automatically generated code as inputs to Termite. We have been able to successfully verify all of our drivers. We also experimented with introducing faults to synthesised drivers. Termite was able to detect these faults and produce correct counterexample strategies. In most cases verification took longer than synthesis. The reason for this is that Termite has not yet been optimised for verification workloads. This is one area for future improvement.

# 5.9.3 User-guided code generation and debugging

We evaluate the user-guided debugging and code generation technique. Each line of code in a Termite-generated driver originates from one of three sources: it can be

- 1. synthesised automatically by the tool,
- 2. developed offline and given to Termite as part of the driver template, or
- 3. added or modified by the user during an interactive code generation session.

A perfect synthesis tool, capable of generating a complete driver fully automatically while producing code that meets all non-functional requirements, would eliminate the need for manual code altogether. I do not believe that

5.9. EVALUATION 87

such a tool is feasible in the near future. I therefore explore the tradeoffs that arise when using our current, imperfect, tool. In particular, I empirically characterise situations when the user can rely on the synthesiser to automatically produce near-optimal code, and when they are better off completely or partially implementing certain functionality manually. These tradeoffs are likely to change as the tool improves.

Based on my experience, automatic synthesis is most helpful in generating code that performs device configuration or starts a data transfer. This code may involve a long sequence of commands to the device, which must be issued in the right order and with correct arguments. The synthesis algorithm of Termite proved more effective at doing this than human developers, producing correct code that only requires minimal cosmetic changes in most cases. For example, Figure 5.8 shows a screenshot of Termite with a synthesised implementation of the IDE driver write() function, which starts a data transfer to the device. The function writes request parameters into appropriate device data registers and sets bit fields in command registers to prepare the device for data transfer. One deficiency in this auto-generated implementation, and one area of future improvement, is that it uses absolute values instead of symbolic constants for bit fields.

As another example of suboptimal synthesised code, consider the following synthesised fragment:

```
void packet_received() {
       if (((packet_data[9:9] == 1) && (packet_data[14:14] == 1))) {
2
           os.ack_packet(1,1,packet_data[16:32]);
3
4
       } else if ((dev.packet_data[9:9] == 1)) {
5
           os.ack_packet(1,0,packet_data);
       } else if ((dev.packet_data[14:14] == 1)) {
6
7
          os.ack_packet(0,1,packet_data[16:32]);
       } else {
9
           os.ack_packet(0,0,packet_data[16:32]);
10
       };
11
  };
```

which can be replaced by an equivalent one-liner:

```
1 os.ack_packet(packet_data[9:9],
2 packet_data[14:14],packet_data[16:32]);
```



Figure 5.8: Screenshot of Termite with a synthesised implementation of the IDE driver. Automatically generated code is highlighted.

While both issues can be addressed by an improved code generation algorithm, our experience shows that unaccounted corner cases will arise occasionally. Therefore, the ability to manually modify synthesised code without sacrificing correctness is crucial for a practical synthesis tool.

Limitations of Termite are most noticeable in synthesising interrupt handler code responsible for processing I/O completions. This involves querying device state to determine which operations completed and with what status, reporting results to the OS, and clearing interrupt status registers. Since Termite does not support grey-box synthesis, it can not generate this code automatically and instead produces code that directly accesses device-internal state (see Section 5.4). Termite correctly reports such situations and allows the user to mitigate them by manually editing synthesised code. In practice, however, I found it easier to develop most of the interrupt handler logic offline, as part of the driver template, and rely on Termite to (a) establish correctness of this code and (b) extend it to a complete implementation.

5.9. EVALUATION 89

In our case studies, 60% to 90% of the code was generated fully automatically, with the rest of the code produced in a user-guided fashion. Once an initial version of device and OS specifications was ready, it took us several hours to generate the driver implementation for each of our case studies. Three quarters of this time was spent debugging the input specifications, with the rest of it spent generating driver source code with the help of the user-guided code generation GUI.

I found counterexample-driven debugging to be crucial to the productivity of synthesis-based development. Before the debugger was available, I had to rely on code inspection to identify defects in the input specifications, which proved to be a frustrating and unpredictably long process. The Termite debugger streamlines this process, giving us the confidence that any failure can be localised by following well-defined steps. A typical debugging session takes a few minutes and involves entering only a few commands manually before the defect is localised.

#### 5.9.4 Size of synthesised code

The last two columns of Table 5.1 compare the size of synthesised drivers to existing manually developed drivers. Synthesised drivers are significantly more compact than conventional drivers for two main reasons. First, as explained in Section 5.7, we only synthesise the driver logic directly responsible for controlling the device. Conventional drivers typically contain a large amount of boilerplate code managing various OS resources. I believe that this code can and should be synthesised using complementary techniques. At the moment this functionality is implemented manually as a wrapper around the synthesised driver.

Second, conventional device drivers are often designed to support multiple similar devices with slightly different interfaces and capabilities. This leads to code bloat, as the driver must implement multiple versions of various operations, as well as logic to dynamically discover device capabilities and choose the right implementation to use. In contrast, every Termite driver supports one specific device model with a fixed set of features. Drivers for similar devices can share common specification code, but are synthesised as separate source code modules. This approach leads to simpler code and is preferable for platforms with a fixed set of peripheral devices, such as

smartphones, where shipping drivers that support only the required devices enables smaller system image.

#### 5.9.5 Specification reuse

The Termite specification methodology ensures mutual independence of device and OS specifications, and thus facilitates their reuse. I have not yet carried out a substantial evaluation of such reuse; however I report our limited experience based on synthesising two SPI drivers for the seL4 OS. The corresponding OS specification was initially developed during the work on the SPI driver for the exynos chipset. It was later used to synthesise a driver for the STM32F10 chipset. I was able to reuse most of the original specification. Minor changes (8 lines of code) were required in the part of the specification describing configuration functionality of the driver, since the STM SPI controller supports a number of ad hoc transfer modes. I expect to observe similar pattern for other devices and operating systems: generic OS specifications can be reused with localised, device-specific changes required to support non-standard device features.

# 5.9.6 Performance of synthesised drivers

Our synthesised drivers implement effectively identical device control logic to their conventional counterparts and therefore have similar performance. I benchmarked the USB webcam driver, which is the most performance-critical one among the case studies. I measured CPU load and data throughput generated by the conventional and synthesised drivers for varying bitrates. I obtained identical results, modulo measurement errors, for both drivers in all cases.

# 6 Scalable Synthesis Algorithm

I have presented a formalism for the driver synthesis problem as a game. A practical driver synthesis tool using the game formalism must be able to solve and find strategies for these games for real device and operating system specifications in a reasonable amount of time. The principle challenge of this work is creating a synthesis algorithm that scales well enough to handle the large state machines of real device and operating system specifications.

The straightforward symbolic solver that uses BDDs as the symbolic data structure is remarkably efficient. In fact, it is the current state of the art in reactive synthesis. I will use this as the starting point for my description of Termite's game solver. Specifically, I begin by describing my entry to the reactive synthesis competition in 2014, appropriately named "Simple BDD Solver". This solver won the sequential realisability category.

Next, I introduce abstraction, a technique to increase the scalability of the basic symbolic algorithm by reducing the effective size of the state space that the algorithm must operate on. The cost of reducing the size of the state space is that the abstracted game is represented with less precision and is often not precise enough to solve the original game. To counter this, the abstraction needs to be *refined*, i.e. the precision of the abstraction needs to be increased. This is performed in an *abstraction-refinement loop*. Ideally, this loop results in an abstraction just precise enough to solve the game, but coarse enough that solving it is tractable.

I give an abstraction-refinement algorithm that uses *variable abstraction*, a technique for reducing the state space of the game by eliminating a subset of the state variables from the game. I then build on this to arrive at the main contribution of this chapter—an abstraction-refinement algorithm that performs *predicate abstraction*. Instead of representing the state space using

state variables, the algorithm represents relationships between state variables that capture key properties that have been found to be of importance in solving the game. This representation is usually far more compact than variable abstraction.

To simplify the presentation, with the exception of Section 6.1, I assume that all games are turn based.

# 6.1 Symbolic Solver

The starting point for the design of an efficient game solver is the standard BDD-based symbolic algorithm of Section 2.8.2. The basic algorithm admits a number of optimisations. As I will show in Section 6.1.4, these optimisations significantly improve the performance of the algorithm, but not enough to synthesize even simple device drivers. Yet, this optimised symbolic algorithm is used inside the abstraction-refinement loop to solve the abstract games produced at every refinement iteration. I therefore describe each of them below.

For the rest of this chapter, with the exception of Section 6.3.10, I will focus on reachability objectives. In Section 6.3.10 I generalise the solution to GR(1) objectives.

#### 6.1.1 Overview

Following Section 2.8.2, the standard BDD-based symbolic algorithm computes:

$$\mu X.Cpre(X \lor REACH)$$
 (6.1)

The controllable predecessor is specific to the type of game being solved. The Termite controllable predecessor is given in Section 2.6.1. I give the controllable predecessor for the synthesis competition below as it is simpler than Termite's and is used in the discussion of optimisations below.

$$Cpre(X) = \forall U. \exists C. \forall S'. (\delta(S, U, C, S') \to X')$$
(6.2)

where U is the set of valuations of uncontrollable inputs, C is the set of valuations of controllable inputs, and S is the set of valuations of state variables.

Given a set X, X' denotes the next state copy of X and  $\delta$  is the transition relation.

#### 6.1.2 Optimisations

The optimisations that I have used, in approximate order of importance, are:

- Dynamic variable reordering using the sifting algorithm [Rudell, 1993]
- Partitioned transition relations [Burch et al., 1991]
- Direct substitution with CUDD\_VECTORCOMPOSE
- Dereference unused BDDs as soon as possible
- Simultaneous conjunction and quantification with CUDD\_BDDANDABSTRACT
- Terminate early where possible

#### Dynamic variable ordering

I do not try to find a good static variable ordering at the start and instead rely on the sifting algorithm provided by the CUDD package for finding good variable orderings dynamically. In my experience, the sifting algorithm provides the best tradeoff between the quality of the resulting ordering and time taken to find it. I enable sifting at the start so that is is active during both compilation and solving. I did not modify any of the default parameters to the sifting algorithm.

#### Partitioned transition relations

I do not compute the transition relation as a monolithic BDD defined over current state, input variables and next state. This would likely be very large and slow down the algorithm considerably. Instead, I keep it in a conjunctively partitioned form with one partition for each next state variable. I can do this because the next state value of any state variable depends only on the current and input variables and not any other next state variables.

Furthermore, the next state value of any state variable is deterministic. This means that it can be represented directly as a function of the current state and input variables. I use a BDD defined over current state and input variables to represent this function. The transition relation becomes a list of

BDDs, one for each state variable, each of which only depends on current state and input variables.

To compute the implication,  $\forall S'.(\delta(S,U,C,S') \to X')$ , I use the CUDD function CUDD\_VECTORCOMPOSE as shown in algorithm 14 on line 1 to substitute each update function into X. This avoids building the monolithic transition relation and, importantly, it avoids having to ever declare a next state copy of each state variable in the BDD manager.

#### Dereferencing dead BDDs

I dereference BDDs that are no longer needed as soon as possible. Each live BDD node is processed during reordering and counted when the algorithm checks to see if the total BDD size in the manager is reduced. These unused BDDs should not count toward the total node count that is used to evaluate an ordering, and, the time that is spent reordering them and counting them is wasted. In the interest of clarity, BDD dereferencing is not shown in algorithms 14 and 15.

#### Simultaneous conjunction and quantification

I perform simultaneous conjunction and quantification wherever possible. The existential quantification is performed at the same time as conjunction with the safety condition using CUDD\_BDDANDABSTRACT on line 2 of Algorithm 14. This avoids building the potentially large BDD representing the conjunction.

#### Early termination

I terminate early when possible. As we are computing a greatest fixed point, we start with the universal set and progressively shrink it to find the winning region. Each time we shrink the winning region, we check that is it still a superset of the initial set. If it is not, we know there is no way we can win as the winning set only shrinks as the algorithm progresses. We use the function CUDD\_BDDLEQ on line 4 of Algorithm 15 for this purpose as it allows us to efficiently check that one BDD implies another without constructing the BDD of the implication.

#### 6.1.3 Implementation

I developed two implementations that incorporate all of the above optimisations. The first implementation is used by Termite inside the abstraction refinement loop in order to solve abstract games (Section 6.6). The second solver was developed for the reactive synthesis competition.

The Reactive Synthesis Competition [] is a competition for reactive synthesis tools inspired by competitions in other fields such as the SAT competition [] and the Hardware Model Checking Competition []. The competition had four tracks: sequential realisability, parallel realisability, sequential synthesis and parallel synthesis. The tools were required to solve safety games given in an extension of the AIGER format [Jacobs, 2014]. Entrants in the synthesis categories were required to produce an implementation of a controller that enforced the safety condition, also given in extended AIGER format. Entrants in the realisability category were only required to determine if the safety game was winnable, not to produce a strategy.

Two different implementations were required because the synthesis competition requires a different controllable predecessor to driver synthesis (Section 2.6.1), and, modifications to allow for predicate abstraction were necessary for Termite (Section 6.6).

The synthesis competition solver is written in the Haskell functional programming language. It uses the CUDD [Somenzi] package for binary decision diagram manipulation and the Attoparsec Haskell package for fast parsing. Altogether, the solver, AIGER parser, compiler and command line argument parser are just over 300 lines of code. The code is available online at: https://github.com/adamwalker/syntcomp.

#### Algorithm 14 Syntcomp Controllable predecessor

```
\begin{array}{l} \textbf{function} \ \mathsf{CPRE}(C,U,\sigma,target) \\ substituted \leftarrow \mathsf{CUDD\_VECTORCOMPOSE}(target,\delta) \\ safeSub \leftarrow \mathsf{CUDD\_BDDANDABSTRACT}(C,\sigma,substituted) \\ winning \leftarrow \mathsf{CUDD\_BDDUNIVABSTRACT}(U,safeSub) \\ \textbf{return} \ winning \\ \textbf{end} \ \textbf{function} \\ \end{array}
```

The optimised algorithm is given in Algorithm 15. It calls the optimised controllable predecessor suitable for the synthesis competition defined in Algorithm 14.

#### Algorithm 15 Syntcomp symbolic solver

```
\begin{aligned} & \textbf{function Solve}(\sigma, init, \delta, C, U) \\ & win \leftarrow \texttt{CUDD}\_\texttt{READZERO} \\ & \textbf{loop} \\ & res' \leftarrow \texttt{CPRE}(C, U, \sigma, res \lor \neg \sigma) \\ & win \leftarrow \texttt{CUDD}\_\texttt{BDDLEQ}(init, res') \\ & \textbf{if} \neg win \textbf{ then} \\ & \textbf{return } False \\ & \textbf{end if} \\ & \textbf{if } res = res' \textbf{ then} \\ & \textbf{return } True \\ & \textbf{end if} \\ & res \leftarrow res' \\ & \textbf{end loop} \\ & \textbf{end function} \end{aligned}
```

Table 6.1: Performance of various optimisations when applied to the basic symbolic solver

# 6.1.4 Evaluation of Optimisations

Table 6.1 gives the runtimes of the symbolic solver on a selection of benchmarks from the 2014 synthesis competition. Benchmarks from the AMBA category were used. These benchmarks modelled an arbiter for the AMBA AHB bus, based on an industrial specification by ARM. The benchmarks were run on an Intel Haswell laptop with 4 gigabytes of ram and a processor speed of 1.6GHz.

The first column gives the runtimes for the symbolic solver without optimisations. Most entries are failures due to out of memory conditions. I have enabled the optimisations progressively in subsequent columns. In the next column, dynamic variable reordering is enabled. It is clear that dynamic variable reordering is crucial to the performance of the algorithm. Next, I enable partitioned transition relations. This improves performance in all but one benchmark. Next, I enable simultaneous conjunction and quantification. This also improves performance on nearly all benchmarks. Finally, in the last column, I enable early termination. This does not improve performance on many of the benchmarks. Early termination can only help when the benchmark is unsatisfiable. When the benchmark is satisfiable it only imposes the addi-

tional work of checking containment in the initial set. This optimisation does, however, improve performance substantially on some of the unsatisfiable benchmarks so I conclude that it is worthwhile.

The benchmark runner is available online at: https://github.com/adamwalker/syntcomp-benchmark. The set of benchmarks is available online at https://syntcompdb.iaik.tugraz.at/static/SyntComp.tar.gz.

### 6.1.5 Conclusion

Simple BDD Solver performed well compared to the other solvers entered in the reactive synthesis competition as a result of the optimisations presented above. It failed when the BDDs representing the winning sets, or the intermediate BDDs in the controllable predecessor computation grew too large. Additionally, it failed when a large number of iterations was required to determine the outcome, such as the benchmarks with a large counter.

# 6.2 Three Valued Abstraction-Refinement

An abstraction is a simplification of the original transition system. An abstraction is used when the game is too large to be solved. Ideally, an abstraction is both small enough to be solved and detailed enough to gain some additional information about the properties of the system.

One common use of an abstraction is in an abstraction-refinement loop. In an abstraction refinement loop, an initial simple abstraction is found and is solved. Then, the results of the abstraction are used to refine the abstraction, ieto build another system model that contains slightly more detail than the original abstraction. This is repeated in a loop until the original game is solved. It is often possible to solve the original game with a far less detailed abstraction that the original system.

Finding an abstraction that is simultaneously small and useful for making progress in solving the game is a difficult task and is what will be dealt with in the following sections. I begin with earlier work on three valued abstraction refinement.

#### 6.2.1 Three valued abstraction refinement

The idea is that, given an abstraction, we classify states into one of three categories: winning, losing, and unknown. If we discover that the entire initial set is winning, we know that the original game is winning and we can terminate. Dually, if we discover any initial state that is losing, we know that the entire initial set can never be winning, hence the game is losing and we can terminate.

At termination, either

- all of the initial states are classified as winning (and the other states need not be classified), or
- one of the initial states is classified as losing (again, no other states need to be classified)

This additional imprecision often allows us to use a less precise abstraction compared to the original algorithm where all states are exactly classified. The use of a coarser abstraction is usually computationally more efficient. If none of the termination conditions are met then we need to refine the abstraction. A correct abstraction refinement scheme will guarantee that one of the termination conditions is eventually met after enough refinements are performed. A good abstraction refinement scheme will ensure that when the algorithm terminates the abstraction is not unnecessarily fine.

#### 6.2.2 Abstraction

An abstraction of a game structure G is a tuple  $\langle V, \downarrow \rangle$ , where

- *V* is a finite set of abstract states and
- $\downarrow$ :  $V \to 2^S$  is the *concretisation function*, which takes an abstract state and returns the possibly empty set of concrete states that the abstract state corresponds to.

We require that

- $\bigcup_{v \in V} v \downarrow = S$ , ie. the abstraction covers the entire state space.
- $v_1 \downarrow \cap v_2 \downarrow = \emptyset$  for any  $v_1$  and  $v_2$ ,  $v_1 \neq v_2$ , ie. the abstraction partitions the state space.

In the case when  $v\downarrow=\emptyset$  the abstract state v is said to be *inconsistent*. We extend the  $\downarrow$  operator to sets of abstract states as follows: for  $U\subseteq V$ :  $U\downarrow=\bigcup_{u\in U}u\downarrow$ .

# 6.2.3 Algorithm

In this section I present a modified version of the three-valued abstraction refinement technique of de Alfaro and Roy [de Alfaro and Roy, 2007]. To simplify the presentation, I focus on solving reachability games.

I start by defining two versions of the abstraction operator: the *mayabstraction*  $\uparrow^m$  and the *must-abstraction*  $\uparrow^M$ . For a set of concrete states  $T \subseteq S$ :

$$T\uparrow^{m} = \{ v \in V \mid v\downarrow \cap T \neq \emptyset \}$$
 (6.3)

Intuitively, this returns the set of abstract states which, when concretised, overlap some element of the set to be abstracted.

$$T \uparrow^M = \{ v \in V \mid v \downarrow \subset T \} \tag{6.4}$$

Intuitively, this returns the set of abstract states which, when concretised, are contained within the set to be abstracted.

We say that an abstraction is *precise* for a set  $T \subseteq S$  if:

$$(T\uparrow^m)\downarrow = (T\uparrow^M)\downarrow \tag{6.5}$$

Intuitively, this means that there are no abstract states that, when concretised, contain states that within T and states that are outside T.

Next, we define may and must versions of the abstract controllable predecessor operator:

$$Cpre_i^m(U) = Cpre_i(U\downarrow)\uparrow^m$$
 (6.6)

Intuitively, this returns the set of abstract states such that, when concretised, we can force execution from at least one concrete state into the concretisation of U.

$$Cpre_i^M(U) = Cpre_i(U\downarrow)\uparrow^M$$
 (6.7)



Figure 6.1: Overview of three valued abstraction-refinement

Intuitively, this returns the set of abstract states such that, when concretised, we can force execution from all of the concrete states into the concretisation of U.

These operators have the property:

$$Cpre_i^M(U)\downarrow \subseteq Cpre_i(U\downarrow) \subseteq Cpre_i^m(U)\downarrow$$
 (6.8)

And therefore:

$$\operatorname{REACH}(T\uparrow^M, Cpre_i^M)\downarrow\subseteq \operatorname{REACH}(T, Cpre_i)\subseteq \operatorname{REACH}(T\uparrow^m, Cpre_i^m)\downarrow$$
 (6.9)

I denote  $\operatorname{REACH}(T\uparrow^M, Cpre_i^M)$  as  $W^M$  and refer to it as the *must-winning* region and I denote  $\operatorname{REACH}(T\uparrow^m, Cpre_i^m)$  as  $W^m$  and refer to it as the *may-winning* region.

Figure 6.1 illustrates the main idea of three valued abstraction refinement, which is presented in algorithm 16. The winning region, in grey, is overapproximated by the may-winning set in white and underapproximated by the must-winning set in dark grey. The abstraction-refinement loop progressively brings  $W^m$  and  $W^M$  closer together until the game outcome can be determined.

At every iteration, the algorithm computes the must-winning set  $W^M$  that underapproximates, and the may-winning set  $W^m$  that overapproximates the true winning set (lines 3–4). The algorithm terminates if the must-winning set contains the entire initial set or the may-winning set has shrunk beyond the initial set (lines 6–8). Otherwise, the algorithm attempts to refine the abstraction in a way that the must-winning set will be expanded in the next iteration when the game is re-solved.

Algorithm 16 Three-valued abstraction refinement for games.

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
    and an initial abstraction \alpha = \langle V, \downarrow \rangle that is precise for T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
 2:
         loop
              W^M \leftarrow \mathsf{REACH}(T \uparrow^M, Cpre^M_1)
 3:
              W^m \leftarrow \text{REACH}(T \uparrow^m, Cpre_1^m)
 4:
              if I \uparrow^M \subseteq W^M then
 5:
                  return Yes
 6:
              else if I \uparrow^M \nsubseteq W^m then
 7.
                  return No
 8:
              else
 9:
                  REFINEABSTRACTION(W^M)
10:
              end if
11:
         end loop
12:
13: end function
```

To expand the must-winning set we attempt to perform a refinement of the abstraction. This means that we split one or more of the abstract states in V in two.

We observe that if there exists a winning concrete state c then there also exists a chain of winning concrete states from c to the goal. If c is not part of  $W^M \downarrow \cup goal$ , then, some point, this chain must enter  $W^M \downarrow \cup goal$ . Therefore, if there exists some concrete winning state that is not part of  $W^M \downarrow \cup goal$  then there also exists one with a transition into  $W^M \downarrow \cup goal$ .

Thus, we can narrow down our search for abstract states to split to those that have at least one concrete state with a transition into  $W^M$ , excluding  $W^M$  as these states are already must-winning so splitting them will not achieve anything. Thus, we look in  $Cpre_1^m(W^M \cup goal) \setminus W^M$ , i.e. the set of all may-predecessors of the must-winning set.

If we find an abstract state within this set for which from a subset of concrete states it is possible to force execution into  $W^M \downarrow$  then we can partition this abstract state in two such that those winning concrete states form one partition while the remaining states for the other partition.

The former partition, p, consists entirely of winning concrete states. Furthermore, it is on the boundary of the must-winning set so it will become part of  $W^M$  when the game is solved again with the refined abstraction.

Each time a refinement is made,  $W^M\downarrow$  grows. If the concrete state space is finite  $W^M\downarrow$  can only grow so much so it must reach a fixed point (that may contain the entire concrete state space). When  $W^M$  can no longer grow it is because there are no winning states at the boundary. Thus there are no winning states that are not part of  $W^M$  and  $W^M$  must be the exact winning set. Furthermore,  $W^m$  must be equal to  $W^M$  as if there are and any potential winning states that are not in  $W^M$  then there must be some at the boundary and we know that there are none of those. Therefore one of the two termination conditions (lines 5 and 7) must have already happened. Therefore the algorithm terminates.

# 6.3 Variable Abstraction

Next, I apply the three valued abstraction-refinement scheme to symbolic games (Section 2.8). I will describe an efficient instantiation of the three valued abstraction-refinement scheme for variable abstraction, a technique for reducing the state space of symbolic games by eliminating a subset of the state variables.

The description of three valued abstraction refinement leaves a lot unspecified. In particular

- How is the initial abstraction specified?
- How are the controllable predecessors computed?
- How is the abstraction refined?

For clarity, I have created a running example in pseudocode which I will refer to throughout the description of the symbolic algorithm. The example is given in figure 6.2. The state variables are declared in the first section, followed by the label variables. Next, expressions for the goal and initial states are given. Finally, the state transitions are specified. For simplicity, all states in this game are controlled by player 1. Each action that player 1 may play updates a state variable. Note that the action chosen by player 1 is implicitly given by a label variable that player 1 may choose which takes one of the values in  $\{a_1, a_2, a_3, a_4\}$ . We denote this variable the tag.

```
State vars:
X : Boolean;
Y : Boolean;
U : Boolean;
V : Boolean;
Label vars:
L : Boolean;

Goal: X==True \( \times Y==True \)
Init: X==False \( \times Y==False \)
Actions:
a1: X := True;
a2: Y := U;
a3: U := L;
a3: V := True;
```

Figure 6.2: The game specification for the running example

### 6.3.1 Variable Abstraction

In variable abstraction, the abstract state space is created by dropping a subset of the state variables. The abstraction,  $\alpha$ , is defined by the state variables that remain. We denote this set  $V_{\alpha}$ .

Given the set  $V_{\alpha}$ , the corresponding abstraction (see Section 6.2.2) is  $\langle V, \downarrow \rangle$ , where:

- V, the abstract state space, is the Cartesian product of the domains of the variables in  $V_{\alpha}$ .
- $a\downarrow$  is the set of concrete states for which the variables in  $V_{\alpha}$  take the same values in both the concrete state and a and all other variables are free to take any value.

This abstraction satisfies the two requirements for a valid abstraction (Section 6.2.2).



Figure 6.3: Abstract state space

#### 6.3.2 Initial abstraction

The initial abstraction,  $V_{init}$ , for a Boolean reachability game is created from only the variables that are mentioned in the goal. This ensures that the initial abstraction is *precise* for the goal set.

The initial abstraction of the running example is illustrated in figure 6.3.  $V_{init} = \{X,Y\}$ . The abstract states are illustrated by the solid squares. There is one state for each valuation of X and Y, the variables that occur in the goal in the example. Each abstract state contains four concrete states, one for each valuation of the concrete variables that were dropped from the abstraction, U and V.  $\downarrow$  is a function from valuations of U and V to the powerset of the set of valuations of all state variables. For example:

$$\langle T, T \rangle \downarrow = \{ \langle T, T, F, F \rangle, \langle T, T, F, T \rangle, \langle T, T, T, F \rangle, \langle T, T, T, T \rangle \}$$
 (6.10)

Where the variables in each concrete tuple are ordered  $\langle X,Y,U,V\rangle$ . Note that X and Y are both True in all concrete state tuples whereas U and V are free to take any value.

It is clear from the figure that the abstraction forms a partition of the concrete state space and that it covers the entire concrete state space.

# 6.3.3 Controllable predecessor

The controllable predecessor is constructed using the transition relation. For efficiency, the transition relation will be constructed incrementally. As the state variables in our initial abstraction are only the variables in G, these are the only ones we need to compute the transition relation for initially.

Assuming that the transition relation for the concrete system is given as update functions, one for each concrete variable, then computation of the abstract transition relation  $\delta$  is straightforward. I just compile the update functions for only those variables that appear in G and take their conjunction.

However, there is the complication that these update functions may depend on additional variables that are not in G. Consider the update function for Y in the running example. The next state value of Y depends on U which is not part of the abstract state space.

To handle this, I introduce an additional set of variables, denoted F (for free, for reasons that will become apparent) for variables that are needed when computing the update functions but are not part of the abstract state space. In the running example, at this stage,  $F = \{U\}$ .

Additionally, these update functions may depend on a subset of the label variables. In the running example, it is possible to set U to the value of L, a label variable, and, each variable also implicitly depends on the tag variable. These Boolean label variables that the update functions for state variables in  $V_{\alpha}$  depend on are denoted  $\Lambda$ . Note that in the running example  $U \notin V_{\alpha}$  initially, so initially  $\Lambda$  is just  $\{tag\}$ .

I define the two controllable predecessors:

$$Cpre_1^M(X) = \forall F. \exists \Lambda. \forall V_{\alpha}'. \delta \to X'$$
 (6.11)

$$Cpre_1^m(X) = \exists F. \exists \Lambda. \forall V_\alpha'. \delta \to X'$$
 (6.12)

where  $V'_{\alpha}$  is the next state copy of  $V_{\alpha}$  and X' is X with all variables in  $V_{\alpha}$  renamed to the corresponding variable in  $V'_{\alpha}$ .

Though the F variables are really part of the state, I treat them as free input variables. Intuitively, their values are chosen by player 2 when computing  $Cpre_1^M$  and by player 1 when computing  $Cpre_1^m$ . This makes it more difficult, and respectively, easier for player 1 to control execution into the target set.



Figure 6.4: Partitioning induced by  $\{U, X, Y\}$ 

Given a valuation of a subset of the concrete state variables  $V \subseteq C$  we say that the valuation *agrees* with a concrete state c if the value assigned to each of the variables in V equals the value assigned to the same variable by c. A subset of concrete state variables defines a partitioning of the concrete state space:

$$\{s \in 2^C | \exists v \in Valuations(V). \forall c \in s. \ c \text{ agrees with } v\}$$
 (6.13)

Each set of states in the partitioning is referred to as a *sub-state*. Figure 6.4 shows the partitioning induced by  $F = \{U\} \cup V_{init} = \{X,Y\}$  in the running example.

 $Cpre_1^M$ , by Equation 6.11, is the set of abstract states from which we can force execution into the target set from all sub-states induced by F. Since no variables in  $C \setminus (V \cup F)$  can influence the next state of variables in V we can ignore them and conclude that  $Cpre_1^M$  computes the set of abstract states such that for all concrete states within the abstract state, player 1 can force execution into the concretisation of the target set. This agrees with the definition of the abstract must controllable predecessor in Equation 6.7.

Dually,  $Cpre_1^m$  computes the set of abstract states such that for some concrete state within the abstract state, player 1 can force execution into the concretisation of the target set. This agrees with the definition of the abstract may controllable predecessor in Equation 6.6.

In the running example the goal is  $\langle X=True \wedge Y=True \rangle$ . Consider the state  $s=\langle X=True,Y=False \rangle$ . Y may be set to the value of U by action  $a_2$ . As  $U\in F$ , it may be chosen by player 1 when computing  $Cpre_1^m$ . Player 1 may choose it to be True and thus  $s\in Cpre_1^m(goal)$ . However, when computing  $Cpre_1^M$ , the environment gets to choose U and it may choose U=False, and thus  $s\notin Cpre_1^M(goal)$ .

## 6.3.4 Solving the game

Now that we have an abstraction and a definition of the controllable predecessor we can solve the game. We first solve the game using  $Cpre_1^M$  and denote the winning region  $W^M$ , or the *must* winning region. We also solve the game using  $Cpre_1^m$  and denote the winning region  $W^m$  or the *may* winning region.

Since  $W^M$  is a subset of the true winning region, if  $I \to W^M$  then we may terminate as the game is surely winnable. As  $W^m$  is a superset of the true winning region, if  $I \not\to W^m$  then we may terminate as the game is surely not winnable.

If none of the above termination conditions held then it is because our abstraction is not precise enough and must be refined.

The may (light grey) and must (dark grey) winning regions of the example system are given in figure 6.5. All states are may winning, but the top states are not must winning. These are the states where Y is not True, as prescribed by the goal expression. Intuitively, this is because U is not part of the abstraction. The solving algorithm is aware that the value of Y can be set to the value of U but it is not aware that U can be set to True by action a2.

After solving, the initial state is not classified as either losing or must winning. In the next section, I show how to refine the abstraction to remove the imprecision that prevented us from definitively classifying the initial state.

#### 6.3.5 Refinement

## **Algorithm 17** Pseudocode of REFINEABSTRACTION

- 1: **function** REFINEABSTRACTION( $W^M$ ) 2:  $U^M \leftarrow CpreU_1^M(W^M) \wedge \overline{W}^M$
- 3:  $toPromote \leftarrow \vec{\omega} \cap SUPPORT(SHORTPRIME(U^M))$
- 4: PROMOTE(toPromote)
- 5: end function



Figure 6.5: May and must winning regions

The algorithm for refining the abstraction is given in Algorithm 17. As explained in Section 6.2.3, when refining the abstraction of a reachability game, we can limit our search for states to split to the *may-must boundary*. We split an abstract state in two such that from one of the new states a it is possible to force execution into  $W^M$  from every state in  $a\downarrow$ . Instead of searching each state at the boundary in turn for a candidate state to split as was implied in section 6.2.3, we find a candidate state using an efficient symbolic calculation.

We define the function  $Cpre_1^F$  that returns the set of sub-states in the partition induced by the variables in  $V_\alpha \cup F$  that are winning:

$$Cpre_1^F(X) = \exists \Lambda. \forall V_{\alpha}'.\delta \to X'$$
 (6.14)

Note that this differs from Equations 6.11 and 6.12 in that it never quantifies out F.

We compute:

$$CPre_1^F(W^M) \wedge \neg W^M$$
 (6.15)

to find the sub-states that are not must winning but have a transition to the must winning set. This is the characteristic formula of the sub-states on the may-must boundary that are winning and are thus are part of a candidate state for splitting.

 $Cpre_1^F(W^M)$  for the running example is illustrated as the dark states in Figure 6.6. The sub-states in the top half satisfy Equation 6.15.



Figure 6.6: Refinement for variable abstraction

We extract a large prime implicant from this characteristic function in line 3, an efficient operation with BDDs. We also extract the variables that occur in this prime that are not in  $V_{\alpha}$  and call them  $V_{pi} \subseteq F$ .

Notice that if we add the variables in  $V_{pi}$  to  $V_{\alpha}$ , the abstraction induced by  $V_{\alpha}$  is now precise enough to exactly represent the states in the implicant. These states are winning. This means that if we iterate the controllable predecessor one more time, we will at least discover that this implicant is winning, in addition to  $W^{M}$ . Thus, our refinement has grown the must winning set. In practice, refining the abstraction in this way usually discovers many more winning states than just the implicant. Adding a variable to  $V_{\alpha}$  is called *promoting* the variable. We promote each variable in  $V_{pi}$  on line 4.

Returning to the example, one implicant of Equation 6.15 is  $\{X = 1, Y = 0, U = 1\}$ .  $V_{pi}$  for this implicant is  $\{U\}$ . If we add U to  $V_{\alpha}$  we arrive at an abstraction that allows us to classify the initial state as must winning next time the game is solved. Thus, the game is winning. Notice that this algorithm allowed us to determine the game outcome without adding the variable V to the abstraction.

# 6.3.6 Putting it together

The three valued variable abstraction refinement algorithm is given in Algorithm 18.

## Algorithm 18 Three-valued abstraction refinement algorithm

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
     and an initial abstraction \alpha = \langle V, \downarrow \rangle that is precise for T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
 2:
          loop
               W^M \leftarrow \mathsf{REACH}(T \!\!\uparrow^M, Cpre^M_{\scriptscriptstyle 1})
 3:
               W^m \leftarrow \text{REACH}(T \uparrow^m, Cpre_1^m)
 4:
              if I \uparrow^M \subseteq W^M then
 5:
                   return Yes
 6:
               else if I \uparrow^M \not\subseteq W^m then
 7:
                   return No
 8:
               else
 9:
                   REFINEABSTRACTION(W^M)
10:
               end if
11:
          end loop
12:
13: end function
```

# 6.3.7 Optimisation

There are two straightforward optimisations we can perform to speed up the abstraction refinement loop. The first is critical in practice as it drastically improves the performance of the algorithm.

# Reuse $W^M$ from the last abstraction-refinement iteration

 $W^M$  is, by definition, the set of states from which we know we can win with the current abstraction. If we refine the abstraction, this set can only grow, so it must at least include  $W^M$  from the last iteration. This means that, after refinement when we solve the game again, we may begin iterating the controllable predecessor from the previously found  $W^M$ . This effectively saves us from having to discover again that this set is winning with the new abstraction. The modified algorithm is given in algorithm 19.

#### Do not compute $W^m$

If we expect the game to be winning, and we are only interested in solving the game to compute the strategy, we may avoid computing  $W^m$  entirely. The purpose of computing  $W^m$  is to terminate early if our abstraction is precise enough to determine that we cannot win. If we already know that we can win

**Algorithm 19** Three-valued abstraction algorithm optimised to reuse previously discovered winning regions.

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
     and an initial abstraction \alpha = \langle V, \downarrow \rangle that is precise for T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
         W^M \leftarrow \emptyset
 2:
         loop
 3:
              W^M \leftarrow \text{REACH}(T\uparrow^M \lor W^M, Cpre_1^M)
 4:
              W^m \leftarrow \text{REACH}(T \uparrow^m \lor W^M, Cpre_1^m)
 5:
              if I \uparrow^M \subseteq W^M then
 6:
                   return Yes
 7:
              else if I \uparrow^M \not\subseteq W^m then
 8:
                   return No
 9:
              else
10:
                   REFINEABSTRACTION(W^M)
11:
              end if
12:
         end loop
13:
14: end function
```

or we expect it is likely that we can win, then it is not worth computing. The modified algorithm is given in algorithm 20. It terminates when it discovers that the game is winning or when it finds that there are no refinements that guarantee that a new winning state will be found. The second termination condition happens when we were wrong and, in fact, the game was not winning. If we had computed a may winning set in addition, we would have discovered this much earlier so this algorithm is not a good choice when there is a reasonable possibility that the game is not winning.

## 6.3.8 Summary

In summary, the abstraction-refinement algorithm described in this section is very efficient because:

- The algorithm reuses the winning sets computed earlier when the abstraction was simpler. This allows it to avoid the costly re-classification of these states again when the game is solved with a more complex abstraction.
- The transition relation is compiled incrementally on demand and kept partitioned.

**Algorithm 20** Three-valued abstraction refinement for games optimised to not compute  ${\cal W}^m$ 

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
     and an initial abstraction \alpha = \langle V, \downarrow \rangle that is precise for T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
 2:
              W^M \leftarrow \text{REACH}(T \uparrow^M, Cpre_1^M)
 3:
             if I \uparrow^M \subset W^M then
 4:
                  return Yes
 5:
             else
 6:
                  res \leftarrow \text{REFINEABSTRACTION}(W^M)
 7:
                  if res == False then
 8:
                      return No
 9:
                  end if
10:
              end if
11:
         end loop
12:
13: end function
```

# 6.3.9 Safety games

Safety games are solved dually to reachability games and are given here for completeness. The algorithm is given in algorithm 21. Note that REFINEAB-STRACTION (Algorithm 22) differs from the reachability game version as for safety games it is necessary to refine at the may-lose boundary ([de Alfaro and Roy, 2007]).

## 6.3.10 Arbitrary $\omega$ -regular games

In this section, I generalise the algorithm to games specified by  $\mu$ -calculus formulas in prefix normal form, i.e. formulas of the form:

$$\nu X.\mu Y.\dots\phi(X,Y,\dots) \tag{6.16}$$

or

$$\mu X.\nu Y.\dots\phi(X,Y,\dots) \tag{6.17}$$

where the fixed point quantifiers strictly alternate. The algorithm is given in Algorithm 23.

Algorithm 21 Three-valued abstraction refinement for safety games.

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
     and an initial abstraction \alpha = \langle V, \downarrow \rangle that is precise for T, I, and \tau_i.
Output: Yes if I \subseteq SAFE(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
          W^M \leftarrow \emptyset
 2:
 3:
          loop
              W^M \leftarrow \mathsf{SAFE}(T \uparrow^M \wedge W^m, Cpre_1^M)
 4:
              W^m \leftarrow \text{SAFE}(T \uparrow^m \land W^m, Cpre_1^m)
 5:
              if I \uparrow^M \subseteq W^M then
 6:
                   return Yes
 7.
              else if I \uparrow^M \nsubseteq W^m then
 8:
                   return No
 9:
10:
              else
                   REFINEABSTRACTION(W^m)
11:
              end if
12:
          end loop
13:
14: end function
```

## Algorithm 22 Pseudocode of REFINEABSTRACTION FOR SAFETY GAMES

```
1: function REFINEABSTRACTION(W^m)

2: U^m \leftarrow \overline{CpreU_1^m(W^m)} \wedge W^m

3: toPromote \leftarrow \vec{\omega} \cap \text{SUPPORT(SHORTPRIME}(U^m))

4: PROMOTE(toPromote)

5: end function
```

The algorithm begins in the same way as for safety and reachability. We solve the game with the current abstraction to find  $W^m$  and  $W^M$  on lines 3 and 4 and terminate if these allow us to determine the outcome on lines 6 and 8. We then refine and solve again. Again, as in the reachability and safety cases, we aim to grow  $W^M$  and shrink  $W^m$  so that, if we do not terminate early, they will eventually become the same set. This guarantees termination through one of the if conditions. Predicate promotion is the same as before but operates on different boundary states. We describe the algorithm to find these boundaries.

#### Correctness

Assuming correctness of the Solve function,  $W^m$  and  $W^M$  will always contain an underapproximation, and overapproximation of the true winning region

end loop

13: end function

12:

# **Algorithm 23** Three-valued abstraction refinement for $\mu$ -calculus games

**Input:** Input: A game structure  $G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle$ , a specification formula in prefix normal form  $\phi$ , and an initial abstraction  $\alpha = \langle V, \downarrow \rangle$  that is precise for each set that occurs in  $\phi$ , I, and  $\tau_i$ .

```
Output: Yes if I \subseteq WIN(\phi, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
         loop
 2:
             W^M \leftarrow \text{SOLVE}(\phi, Cpre_1^M)
 3:
             W^m \leftarrow \text{SOLVE}(\phi, Cpre_1^m)
 4:
             if I \uparrow^M \subset W^M then
 5:
 6:
                 return Yes
             else if I \uparrow^M \not\subseteq W^m then
 7:
                 return No
 8:
             else
 9:
                 REFINEABSTRACTION(W^M)
10:
11:
             end if
```

# **Algorithm 24** Pseudocode of REFINEABSTRACTION for $\mu$ -calculus games

```
1: function REFINEABSTRACTION(\phi)
        if \phi = \nu X.\psi then
 2:
             W^m \leftarrow \text{SOLVE}(\phi, Cpre_1^m)
 3:
             U^m \leftarrow \overline{CpreU_1^m(W^m)} \wedge W^m
 4:
             if U^m \neq False then
 5:
                 toPromote \leftarrow \vec{\omega} \cap SUPPORT(SHORTPRIME(U^m))
 6:
 7:
                 PROMOTE(toPromote)
             else
 8:
                 REFINEABSTRACTION(\psi[X=W^m])
 9:
             end if
10:
        else if \phi = \mu X.\psi then
11:
             W^M \leftarrow \text{SOLVE}(\phi, Cpre_1^M)
12:
            U^M \leftarrow CpreU_1^{M-}(W^M) \wedge \overline{W^M}
13:
             if U^m \neq False then
14:
                 toPromote \leftarrow \vec{\omega} \cap SUPPORT(SHORTPRIME(U^M))
15:
16:
                 PROMOTE(toPromote)
             else
17:
                 REFINEABSTRACTION(\psi[X=W^M])
18:
             end if
19:
        end if
21: end function
```

respectively. The algorithm only terminates through one of the if conditions on lines 6 and 8. If it terminates through the first one, then the initial state is a subset of  $W^M$  and thus certainly a subset of the true winning region, so the algorithm correctly returns Yes. If it terminates through the second if condition, then the initial set is not a subset of  $W^m$  and thus is certainly not a subset of the true winning region, so the algorithm correctly returns No. Thus the algorithm returns the correct answer at all termination conditions.

### **Termination**

Suppose the specification formula is of the form  $\nu X.\psi$ , ie. it has a greatest fixed point at its outermost level. We have already calculated the may winning region and we denote this  $X^m$  as it is the final value that the X variable takes when solving the may game. We attempt to directly shrink  $X^m$  by reconsidering the last application of  $Cpre^m$  that yielded  $X^m$  and looking for refinements that cause some of the may winning states found by this last iteration to become losing. This amounts to checking the  $X^m$ -lose boundary for additional losing states, in the same way safety games are refined, which also happens to be specified with a greatest fixed point.

We redo the last CPre application as follows. We evaluate  $\phi(X,Y,Z,\ldots)$  with each fixed-point-quantifier variable substituted as  $X^m$ , ie.  $X=X^m$ ,  $Y=X^m$ , ... as these are the values that the fixed point variables had in the last iteration when the game was solved. This happens because the mu-calculus formula is in prefix normal form. We then use this value as the target and refine states and consistency relations as described previously. We re-solve if we succeed.

Making refinements only as described above does not guarantee that eventually  $W^m = W^M$ . We refine recursively as follows. We define a new objective:  $\mu Y, \dots, cpre(\phi(X = X^m, Y, \dots))$ , ie. we drop the  $\nu X$ . quantifier and replace X by  $X^m$  and refine recursively with this. Note that  $Y^m \neq Y^M$  as otherwise  $X^m$  would equal  $X^M$  and we would have terminated. Conceptually, we are trying to either grow  $Y^M$  to  $X^m$  (=  $Y^m$ ) through repeated refinement, proving that  $X^M = X^m$  (and terminating with an answer somewhere along the way), or find a reason why  $Y^M$  does not equal  $X^m$  (finding this is equivalent to shrinking  $Y^m$ , and hence  $X^m$ ) and continue, having achieved our goal of bringing  $X^m$  closer to  $X^M$ . One of the two outcomes (growing  $Y^M$  to  $X^m$  or shrinking  $Y^m = X^m$ ) must happen because they are not equal initially and

(by structural induction on the mu-calculus formula, assuming the algorithm is correct for shorter formulas, with safety and reachability as the base cases) must meet somewhere in the middle.

Note, that any refinements found in some step would have been found in a subsequent step had that step been skipped. We find that giving priority to the outermost fixed point results in better abstractions and as refinements for outer fixed points are cheaper to compute it makes sense to prioritise them.

Every recursive call drops one fixed point quantifier, so eventually we reach a formula of the form  $QX.\phi(X)$  where X is either  $\mu$  or  $\nu$  and proceed as in the safety or reachability case. Termination is guaranteed for these, and, by induction for the rest of the specification.

# 6.3.11 GR(1) games

GR(1) games are a specific case of the above where the formula is:

$$\nu X.\mu Y.\nu Z.Cpre((U \wedge Z) \vee (G \wedge X) \vee Y) \tag{6.18}$$

Thus, the variable abstraction algorithm is correct and terminates for GR(1) games.

### 6.4 Predicate Abstraction

Predicate abstraction has proved to be a particularly successful technique in model checking [Graf and Saïdi, 1997]. Predicate abstraction partitions the state space of the game based on a set of predicates, which capture essential properties of the system. States inside a partition are indistinguishable to the abstraction, which limits the maximal precision of solving the game achievable within the given abstraction but greatly improves the scalability of the synthesis algorithm. As with variable abstraction, if the abstraction is too coarse, it is iteratively refined by introducing new predicates.

The key difficulty in applying predicate abstraction to games is to efficiently solve the abstract game arising at every iteration of the abstraction refinement loop. This requires computing the abstract *controllable predecessor* operator efficiently. This involves enumerating concrete moves available to both players in each abstract state, which can be prohibitively expensive.

I address this problem by further approximating the expensive controllable predecessor computation and refining the approximation when necessary. To this end, I introduce additional predicates that partition the set of actions available to the players into *abstract actions*. The controllable predecessor computation then consists of two steps:

- 1. computing abstract actions available in each abstract state
- 2. and, evaluating controllable predecessor over abstract states and actions

The first step involves potentially expensive analysis of concrete transitions of the system and is therefore computed approximately. More specifically, solving the abstract game requires overapproximating moves available to one of the players, while underapproximating moves available to the other [Henzinger et al., 2003]. The former is achieved by allowing an abstract action in an abstract state if it is available in at least one corresponding concrete state, the latter allows an action only if it is available in all corresponding concrete states. I compute the overapproximation by initially allowing all actions in all states and gradually refining the abstraction by eliminating spurious actions. Conversely, I start with an empty underapproximation and add available actions as necessary.

I build on the three valued variable abstraction-refinement scheme already developed in the previous sections.

## 6.4.1 Running Example

This section introduces the running example, which aims to synthesise a driver for an artificially trivial I/O device. This example also motivates the need for predicate abstraction when synthesising device drivers. The device contains 32 bits of non-volatile memory, which can be accessed from software via the data register. The task of the driver is to transfer a data value from the main memory to the device memory.

A game is set up between the driver (player 1) and the device (player 2). Device and driver internal state is modelled using state variables (Figure 6.7). The player who makes the next move is determined by the value of the bsy flag inside the device. When the flag is set to 0, the device remains idle and the driver may perform an action, such as a write to the data register. When the

| Var         | Type  | Description                        |
|-------------|-------|------------------------------------|
|             |       | State variables $(X)$              |
| mem         | int32 | Device memory                      |
| dat         | int32 | Data register                      |
| bsy         | bool  | Device busy bit                    |
| req         | int32 | Value to write to mem              |
|             |       | Label variables $(Y)$              |
| val         | int32 | Value to write to dat              |
| $write\_en$ | bool  | Perform a write on this transition |

Figure 6.7: Game variables

flag is set to 1, the device is performing an internal operation and no actions of the driver will have any effect.

The argument of the write is modelled by the val label variable. When the  $write\_en$  label variable is set to true and the bsy flag is false, a write operation happens on the next transition. The write operation flips the bsy flag to 1. This triggers a device transition at the next round of the game, when it is player 2's turn, which copies the value in the data register to memory. The objective of the game on behalf of player 1 is to reach the target set T=(req=mem), i.e., the device memory must store the requested value req (Figure 6.8). The game is required to be winnable from any state, hence  $I=\top$ .

The winning strategy for player 1 in this example is to write the value of req in the first transition (by setting val = req), thus forcing the device to copy this value to memory at the second transition.

Figure 6.8 specifies the transition relation  $\delta$  of the game in the form of variable update functions  $x'=t_x(X,Y)$ , one for each variable  $x\in X$ . Consider the update function for bsy as an example. The variable switches to true if the device is not currently busy and the driver requests a write by setting  $write\_en$ . It switches back to false on the next transition when the memory write operation completes.

#### 6.4.2 Definitions

I instantiate the three-valued abstraction refinement scheme for predicate abstraction instead of simple Boolean variables. Consider a symbolic game  $G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle$  defined over state variables X and label variables Y. Let  $\Sigma \subseteq \mathcal{F}(X)$  be a finite set of Boolean predicates over the state variables.  $\Sigma$  is

Figure 6.8: Game specification

(a) Turn functions, initial and target sets

$$au_1=(bsy=false) \ \ au_2=(bsy=true) \ \ I=\top \ T=(req=mem)$$
 (b) Variable update functions

$$dat' = \begin{cases} val, & \text{if } \neg bsy \land write\_en \\ dat, & \text{otherwise} \end{cases}$$

$$bsy' = \begin{cases} true, & \text{if } \neg bsy \land write\_en \\ false, & \text{if } bsy \end{cases}$$

$$mem' = \begin{cases} dat, & \text{if } bsy \\ mem, & \text{otherwise} \end{cases}$$

$$req' = req$$

referred to as the set of *state predicates*. Boolean variables  $\vec{\sigma} = (\sigma_1 \dots \sigma_n)$  are introduced to represent values of predicates  $\Sigma$ . Given a Boolean variable  $\sigma$ ,  $\|\sigma\|$  denotes its corresponding state or label predicate.  $\|\vec{\sigma}\|$  denotes the vector of all state predicates in  $\Sigma$ .

The state space V of the abstract game is defined as  $V = \mathbb{B}^n$ , where each abstract Boolean state vector  $v \in V$  represents a truth assignment of variables  $\vec{\sigma}$ . The concretisation function  $\downarrow$  from Section 6.2.2 can be expressed as:

$$v \downarrow = \bigwedge_{i=1, n} \|\sigma_i\| = v_i \tag{6.19}$$

which maps an abstract state v into the set of concrete states such that each predicate in  $\Sigma$  evaluates to true or false depending on the value of the corresponding element of v.

**Example.** Consider an abstraction of the running example game induced by abstract variables  $\sigma_1$ ,  $\sigma_2$  and corresponding predicates:  $\|\sigma_1\| = (\text{req} = \text{dat})$ ,  $\|\sigma_2\| = (\text{req} = \text{mem})$ . Consider an abstract state v = (true, false). We compute  $v \downarrow = ((\text{req} = \text{dat}) = \text{true} \land (\text{req} = \text{mem}) = \text{false})$  or equivalently  $v \downarrow = (\text{req} = \text{dat} \land \text{req} \neq \text{mem})$ . Hence v represents the set of all concrete states where conditions (req = dat) and  $(\text{req} \neq \text{mem})$  hold for concrete state variables mem, req, and dat.

| a.var                | predicate   |  |
|----------------------|-------------|--|
| state predicates     |             |  |
| $\sigma_1$           | req = dat   |  |
| $\sigma_2$           | req = mem   |  |
| untracked predicates |             |  |
| $\omega_1$           | bsy = false |  |
| $\omega_2$           | req = 5     |  |
| label predicates     |             |  |
| $\lambda_1$          | val = req   |  |
| $\lambda_2$          | val = 5     |  |

Figure 6.9: Abstract variables and corresponding predicates

# 6.5 Approximate Three Valued Abstraction Refinement

The goal of the following sections is to apply the machinery developed in the previous sections for variable abstraction to predicate abstraction. There are several pitfalls, so we must identify these pitfalls and take them into account.

#### 6.5.1 Motivation

The abstraction-refinement scheme described in Section 6.2.1 is very general. It makes the assumption that both of the controllable predecessors,  $CPre^m$  and  $CPre^M$ , can be computed precisely and efficiently.

While it was straightforward to compute them when performing variable abstraction on a Boolean game, it is not clear that they can be computed efficiently when performing predicate abstraction.

**Example.** Consider the label abstraction induced by abstract label variables  $\lambda_1$  and  $\lambda_2$  and the corresponding label predicates  $\|\lambda_1\| = (\text{val} = \text{req})$  and  $\|\lambda_2\| = (\text{val} = 5)$ .

When performing variable abstraction, we would have treated  $\lambda_1$  and  $\lambda_2$  as independent variables. Each player was able to set them to any value in any state. However, when performing predicate abstraction, they are not independent, as they share the val variable. Suppose player 1 tries to set them both to true. This can only be performed when req = 5. This additional state



Figure 6.10: Overview of approximate three valued abstraction-refinement

predicate is needed to keep track of which label predicate combinations are valid.  $\Box$ 

This is just one of the potential pitfalls of handling predicate abstraction in the same way as variable abstraction.

# 6.5.2 Algorithm

Following [de Alfaro and Roy, 2007], I have modified the general three valued abstraction-refinement algorithm to work on approximate versions of the controllable predecessor operators,  $CPre^{m+}$  and  $CPre^{M-}::2^V \to 2^V$ . In the following sections I will show how to efficiently compute these operators for predicate abstractions using techniques similar to variable abstraction.

We lose precision when approximating the controllable predecessors, just as we do when approximating the state space with standard three valued abstraction-refinement. Thus, we need to introduce another form of refinement. This form of refinement refines the controllable predecessor operators themselves. This process is shown graphically in Figure 6.10. Conceptually, refining the controllable predecessors shrinks the gap between  $CPre^{M}$  and  $CPre^{M-}$  or the gap between  $CPre^{m}$  and  $CPre^{m+}$ . We also perform refinement of the abstraction as before.

We require that, for all  $U \subseteq V$  we have:

$$CPre^m \subset CPre^{m+}$$
 (6.20)

and

$$CPre^{M-} \subseteq CPre^{M}$$
 (6.21)

With these operators we create a new approximate abstraction-refinement scheme given in Algorithm 25. Note that the algorithm relies on REFINECPRE

and REFINEABSTRACTION which I will define for predicate abstraction in the following sections.

Algorithm 25 Approximate three-valued abstraction-refinement

```
Input: Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states
    T \subseteq S, and an initial abstraction \alpha = \langle V, \downarrow, Cpre_1^{m+}, Cpre_1^{M-} \rangle that is
    precise for T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
             W^M \leftarrow \text{REACH}(T\uparrow^M, Cpre_1^{M-})
 3:
             W^m \leftarrow \text{REACH}(T \uparrow^m, Cpre_1^{m+})
 4:
             if I \uparrow^M \subseteq W^M then return Yes
 5:
             else if I \uparrow^M \nsubseteq W^m then return No
 6:
 7:
                  refined \leftarrow REFINECPRE(W^M)
 8:
                  if (\neg refined) REFINEABSTRACTION(W^M) endif
 9:
             end if
10:
         end loop
11:
12: end function
```

# 6.6 Abstraction-Refinement for Predicate Abstraction

The goal of the following sections is to create a symbolic version of algorithm 25 adapted to predicate abstraction.

## 6.6.1 Abstract Transition Relations

Following the three-valued abstraction-refinement algorithm presented in Section 6.2.1, we would like to find an efficient way to compute over- and under-approximations  $Cpre^{m+}$  and  $Cpre^{M-}$  of the abstract controllable predecessor operators. Recall that computing  $Cpre^{m}$  and  $Cpre^{M}$  precisely is expensive, as it requires applying the controllable predecessor operator to the concrete transition relation  $\delta$ . We approximate this costly computation by computing the controllable predecessor over the *abstract transition relation* instead. The abstract transition relation of the game is defined over Boolean predicate variables and therefore can be manipulated much more efficiently than the concrete one.

The abstract transition relation is constructed via efficient syntactic analysis of the concrete transition relation  $\delta$ . I present the construction assuming that  $\delta$  is given in the variable update form, as in Figure 6.8b. A similar construction is possible for specifications written in real-world hardware and software description languages.

For each state predicate in  $\Sigma$ , we compute the update function by replacing concrete variables in the predicate with their corresponding update functions. We then transform the resulting formula into a Boolean combination of atomic predicates over concrete state and label variables.

In the general case, the syntactically computed update function for a predicate may depend on existing state predicates in  $\Sigma$  as well as new predicates that are not yet part of the abstraction. The new predicates are partitioned into untracked predicates defined over concrete state variables (e.g., bsy = false in Figure!6.8a) and label predicates that involve at least one concrete label variable (e.g., val = req). The term "untracked predicate" indicates that these predicates are not part of the abstract state space of the game. They play a similar role to the free variables of Section 6.3.3. Untracked predicates can be seen as partitioning abstract states in V into smaller untracked sub-states, as illustrated in Figure 6.11.

**Example.** Let us compute the update function for abstract variable  $\sigma_1$  (Figure 6.9). Using update functions for req and dat variables (Figure 6.7b), we obtain:

$$\sigma_1' = (req' = dat') = \neg(bsy = false) \land (req = dat)$$
$$\lor (bsy = false) \land (val = req) \quad \textbf{(6.22)}$$

This equation contains three atomic predicates: in addition to the existing predicate  $\sigma_1 \leftrightarrow (req = dat)$ , it introduces new predicates (bsy = false) and (val = req).

The first two predicates correspond to existing state variables  $\sigma_1$  and  $\sigma_2$ . The last predicate is new. A new untracked variable  $\omega_1$  is created for it. By substituting predicates in the equation with corresponding abstract variables, we obtain the following abstract transition relation for  $\sigma_1$ :  $\sigma_1' = (\overline{\sigma_2} \wedge \omega_1) \vee (\sigma_2 \wedge \sigma_1)$ 

By substituting untracked and label predicates with fresh Boolean variables,  $\vec{\omega}$  and  $\vec{\lambda}$  respectively, we obtain the abstract transition relation  $\Delta$  in the form:

$$\vec{\sigma}' = \Delta(\vec{\sigma}, \vec{\omega}, \vec{\lambda})$$

This syntactically computed transition relation contains two sources of imprecision.

- First, untracked variables  $\vec{\omega}$  are not part of the abstract state space  $\Sigma$  and are therefore treated as external inputs.
- Second, not all abstract labels are available in all abstract states and hence not all transitions in  $\Delta$  correspond to a feasible concrete transition. For example, given the set of predicates shown in Figure 6.9, the abstract label  $\lambda_1 = true, \lambda_2 = true$  is only available in concrete states that satisfy the condition req = 5. In general, given a state-untracked-label tuple  $\langle v, u, l \rangle$ , the abstract label l may be available in all, some, or none of the concrete states consistent with v and u.

### 6.6.2 Consistency Relations

I formalise the second source of imprecision by introducing *consistency relations*  $C^m$  and  $C^M$  that over- and under-approximate available abstract labels. A state-untracked-label tuple  $\langle v, u, l \rangle$  is *may-consistent* if the abstract label l is available in *at least one* concrete state consistent with v and u:

$$C^{m}(v, u, l) = \exists X, Y. \|\vec{\sigma}\| = v \land \|\vec{\omega}\| = u \land \|\vec{\lambda}\| = l.$$
 (6.23)

The tuple  $\langle v, u, l \rangle$  is *must-consistent* if l is available in *any* concrete state consistent with v and u:

$$C^{M}(v, u, l) = \forall X.((\|\vec{\sigma}\| = v \land \|\vec{\omega}\| = u) \to \exists Y.\|\vec{\lambda}\| = l)$$
 (6.24)

Computing  $C^m$  and  $C^M$  can be prohibitively expensive. Therefore I use approximations  $C^{m+}$  and  $C^{M-}$  such that

$$C^m \subseteq C^{m+} \tag{6.25}$$

and

$$C^{M-} \subseteq C^M \tag{6.26}$$

Initially I assign  $C^{m+} = \top$  and  $C^{M-} = \bot$ . Approximations are refined lazily as part of the abstraction refinement process, as explained below.

**Example.** To illustrate the above definitions, I introduce two label predicates to the running example:  $\|\lambda_1\| = (\text{val} = \text{req})$ ,  $\|\lambda_2\| = (\text{val} = 5)$ . Consider the state-untracked-label tuple v = (true, false), u = (true), 1 = (true, true), which corresponds to the following assignment to abstract variables:  $\sigma_1 = \text{true} \wedge \sigma_2 = \text{false} \wedge \omega_1 = \text{true} \wedge \lambda_1 = \text{true} \wedge \lambda_2 = \text{true}$ . It is easy to see that this condition is satisfied for example by the following concrete variable valuation: mem = 5, dat = 5, bsy = true, req = 5, val = 5, hence  $\langle v, u, 1 \rangle$  is may-consistent:  $C^m(v, u, 1) = \text{true}$ . However, it is not must-consistent:

$$\texttt{C}^{\texttt{M}}(\texttt{v},\texttt{u},\texttt{l}) = \forall \texttt{mem}, \texttt{dat}, \texttt{bsy}, \texttt{req.}(((\texttt{req} = \texttt{mem}) \land (\texttt{bsy} = \texttt{true}) \land (\texttt{req} = \texttt{dat})) \rightarrow \\ \exists \texttt{val.}(\texttt{val} = \texttt{req}) \land (\texttt{val} = \texttt{5}))$$

There exist concrete state variable assignments (e.g., mem = 1, dat = 1, bsy = true, req = 1) that satisfy state and untracked predicates in the left-hand side of the implication but that can not be extended with a label variable assignment that satisfies the right-hand side, hence  $C^M(v, u, 1) = false$ .

# 6.6.3 Abstract Controllable Predecessor

I compute over- and under-approximations of the controllable predecessor operator by resolving the two sources of imprecision in favour of one of the players. In particular, I compute  $Cpre_i^{m+}$  by (1) allowing player i to pick assignments to untracked predicates, (2) over-approximating consistent labels available to i, and (3) under-approximating consistent labels available to the opponent player  $\bar{i}$ :

$$Cpre_{i}^{m+}(\phi) = \exists \vec{\omega}. \ \tau_{i} \uparrow^{M} \land \exists \vec{\lambda}, \vec{\sigma'}.((C^{m+} \land \Delta) \land \phi') \lor \tau_{\bar{i}} \uparrow^{M} \land \forall \vec{\lambda}, \vec{\sigma'}.((C^{M-} \land \Delta) \to \phi')$$

$$(6.27)$$

This formula has a similar structure to the definition of the variable abstraction controllable predecessor operator (Equation 6.12). It replaces the concrete transition relation  $\delta$  with the abstract transition relation  $\Delta$  restricted with consistency relations ( $C^{m+}$  and  $C^{M-}$ ). In addition, it existentially quantifies

untracked variables  $\vec{\omega}$ , i.e., an abstract state v is a may-predecessor of  $\phi$  if at least one of its untracked sub-states is a may-predecessor of  $\phi$ .

Dually, I compute  $Cpre_i^{M-}$  by (1) allowing the opponent player  $\bar{i}$  to pick values of untracked predicates, (2) under-approximating labels available to i and (3) over-approximating labels available to  $\bar{i}$ :

$$Cpre_{i}^{M-}(\phi) = \forall \vec{\omega}. \ \tau_{i} \uparrow^{M} \land \exists \vec{\lambda}, \vec{\sigma'}.((C^{M-} \land \Delta) \land \phi') \lor \tau_{\bar{i}} \uparrow^{M} \land \forall \vec{\lambda}, \vec{\sigma'}.((C^{m+} \land \Delta) \to \phi')$$

$$(6.28)$$

Note that the use of  $C^{m+}$  and  $C^{M-}$  in (Equation 6.27) and (Equation 6.28) under-constrains moves available to player i and over-constrains moves available to the opponent.

Equations 6.27 and 6.28 suggest two possible abstraction refinement tactics, which correspond to the two types of refinement used in Algorithm 16. First, we can refine  $C^{m+}$  and  $C^{M-}$  by removing spurious transitions from  $C^{m+}$  or adding new consistent transitions to  $C^{M-}$ . Such a refinement increases the precision of controllable predecessor computation without introducing new state predicates, which corresponds to the REFINECPRE operation in the algorithm. Second, we can add some of the untracked predicates to the set of state predicates  $\Sigma$ , thus reducing the imprecision introduced by treating them as external inputs. This refinement increases the precision of the abstraction, which corresponds to the REFINEABSTRACTION function in the algorithm.

In summary, I solve the abstract game by decomposing potentially expensive computations into four types of light-weight operations performed on demand, as required to improve the precision of the abstraction:

- ullet Computing the abstract transition relation  $\Delta$  via light-weight syntactic analysis of the concrete game
- Computing consistency relations  $C^{m+}$  and  $C^{M-}$  by iteratively identifying spurious and consistent transitions
- Iteratively refining the abstraction used in the syntactic computation of the transition relation
- Solving the abstract game using abstract controllable predecessor operators (Equation 6.27) and (Equation 6.28)

The computational bottleneck in this method can arise either from having to perform an excessive number of refinements or if abstractions generated by the algorithm are too complex. My refinement procedures, described below, are designed to avoid such situations by heuristically picking refinements that are likely to speed up the convergence of the algorithm.

# 6.6.4 Consistency Refinement

Figure 6.11 illustrates the main idea of the consistency refinement algorithm. It shows an abstract state v (Figure 6.11a) at the may-must boundary whose untracked substates  $u_1$ ,  $u_2$ , and  $u_3$  have  $C^{m+}$ -consistent transitions to the must-winning set  $W^M$ , but none of these transitions is consistent with  $C^{M-}$ . The REFINECPRE algorithm attempts to precisely categorise these substates as must-winning or must-losing.

Since all untracked substates of v are either must-losing or may-winning but not must-winning, it is impossible to split out a must-winning subset of v purely by predicate promotion; hence a consistency refinement is needed.

The consistency refinement algorithm proceeds in one of three ways:

- In Figure 6.11b, the algorithm identifies the abstract transition  $\langle v, u_1, l_1 \rangle$  as spurious and eliminates it from  $C^{m+}$ , thus making the  $u_1$  sub-state must-losing.
- Alternatively, it may detect that abstract transition  $\langle v, u_2, l_2 \rangle$  is available in all concrete states in  $u_2$  and thus add this transition to  $C^{M-}$ , making the  $u_2$  sub-state must-winning (Figure 6.11c).
- Finally, it may determine that abstract transition  $\langle v, u_3, l_3 \rangle$  is available in some, but not all, concrete states in  $u_3$ , i.e.,  $\langle v, u_3, l_3 \rangle \in C^m \setminus C^M$ . It then partitions  $u_3$  into two or more subsets, exactly one of which has a  $C^{M-}$ -consistent transition to  $W^M$ , by introducing new untracked predicates (Figure 6.11d).

In all three cases, further refinement via untracked predicate promotion becomes possible. Such refinement is performed by the REFINEABSTRACTION function described in Section 6.6.5.

Note that in the special case when, after performing consistency refinement, all untracked substates of  $\boldsymbol{v}$  become must-winning or must-losing, the



Figure 6.11: Different types of consistency refinements. White, grey, and black background is used to mark respectively must-losing, may-winning, and must-winning untracked substates. Dashed and solid arrows show  $C^{m+}$  and  $C^{M-}$ -consistent abstract transitions.

entire state v can be removed from the boundary region without performing predicate promotion.

For this reason, Algorithm 16 recomputes  $W^M$  and  $W^m$  after each successful consistency refinement, and only calls REFINEABSTRACTION once no more consistency refinements are possible.

# Consistency Refinement Algorithm

Algorithm 26 shows the pseudocode of REFINECPRE. Lines 3–6 compute the set of candidate tuples  $\langle v,u,l\rangle\in C^m\setminus C^M$ . Note that for player i states I consider may-consistent transition to  $W^M$ , whereas for player  $\bar{i}$  states I consider spoiling transitions to  $V\setminus W^M$ .

Line 9 picks a single refinement candidate  $\langle v,u,l\rangle$  from the set. By construction we know that  $\langle v,u,l\rangle\in C^{m+}$ . Since  $C^{m+}$  is an overapproximation of  $C^m$ , we check whether  $\langle v,u,l\rangle\in C^m$ , i.e., whether v,u, and l satisfy Equation 6.23. To this end, in line 11 I invoke a decision procedure for the underlying theory to check satisfiability of the formula:( $\|\vec{\sigma}\|=v\wedge\|\vec{\omega}\|=u\wedge\|\vec{\lambda}\|=l$ ). If the formula is unsatisfiable, then  $\langle v,u,l\rangle$  is a spurious transition that must be eliminated from  $C^{m+}$ . Furthermore, by extracting an unsatisfiable core of the formula, I obtain an inconsistent subset of its conjuncts ( $\bigwedge \|\alpha_i\|=c_i$ ),  $\alpha_i\in\vec{\sigma}\cup\vec{\omega}\cup\vec{\lambda}$ , which represents a potentially large set of similar spurious transitions. We eliminate all of these transitions from  $C^{m+}$  in line 16.

If, on the other hand, the formula is satisfiable, then there exists a concrete state-label pair consistent with  $\langle v, u, l \rangle$ . In this case we want to precisely characterise the set of states where label l is available, so that we can either

## Algorithm 26 Pseudocode of the REFINECPRE function

```
1: function REFINECPRE(W^M)
                                                                          ▷ player i may-winning transitions
 2:
            T_i \leftarrow \tau_i \!\uparrow^M \wedge C^{m+} \wedge \overline{C^{M-}} \wedge \forall \vec{\sigma'}. (\Delta \xrightarrow{i} (W^M)')
 3:
                                                                           \triangleright player \bar{i} may-spoiling transitions
  4:
            T_{\overline{i}} \leftarrow \tau_{\overline{i}} \uparrow^M \wedge C^{m+} \wedge \overline{C^{M-}} \wedge \exists \vec{\sigma'}. (\Delta \wedge \overline{(W^M)'})
 5:
            T \leftarrow T_i \vee T_{\overline{i}}
  6:
            if T = \bot then return false
 7:
                                                                                         ⊳ no refinement is possible
            else
 8.
                  choose \langle v, u, l \rangle \in T
 9:
                   F \leftarrow (\|\vec{\sigma}\| = v \land \|\vec{\omega}\| = u \land \|\vec{\lambda}\| = l)
10:
                  if SATISFIABLE(F) then
11:
                         A \leftarrow \text{ELIMINATEQUANTIFIERS}(\exists Y. \|\vec{\lambda}\| = l)
12:
                         A \leftarrow \text{MASSAGE}(A)
13:
                         P \leftarrow \text{atomic predicates in } A
14:
                        \vec{\omega} \leftarrow \vec{\omega} \cup \text{(fresh variables for predicates in } P \setminus \Omega)
15:
                        \Omega \leftarrow \Omega \cup P
16:
                         \hat{A} \leftarrow A[\|x\| \mid x, \text{ for all } x \in \Omega \cup \Sigma]
17:
                         \hat{A} \leftarrow \text{replace atomic predicates in } A \text{ with Boolean}
18:
                           vars, introducing fresh vars when necessary
                        C^{M-} \leftarrow C^{M-} \lor (\hat{A} \land \vec{\lambda} = l)
19:
20:
                  else
                         C^{m+} \leftarrow C^{m+} \wedge \overline{\text{UNSATCORE}(F)}
21:
22:
                  end if
23.
                  return \ true
            end if
24:
25: end function
```

add  $\langle v,u,l\rangle$  to  $C^{M-}$  (as in Figure 6.11c) or refine it with additional untracked predicates (as in Figure 6.11d).

Line 12 computes the set of concrete states where abstract label l is available by performing quantifier elimination from formula  $(\exists Y. \|\vec{\lambda}\| = l)$ , resulting in a quantifier-free formula A over concrete state variables X. I assume that the underlying theory supports quantifier elimination, which is the case for many practically relevant theories, including the theory of fixed-size bit vectors supported by Termite. In line 13, the resulting formula A is decomposed into atomic predicates possibly introducing new untracked and label predicates. By replacing all atomic predicates in A with corresponding Boolean variables, we obtain a formula  $\hat{A}$  that describes the set of all state-untracked pairs must-consistent with the abstract label l. Line 14 refines  $C^{M-}$  with the set of newly

discovered must-consistent transitions.

**Example.** Assume that in line 9 the algorithm picks a tuple  $\langle v, u, 1 \rangle$  where 1 = (true, true). Line 12 performs quantifier elimination from the formula  $\exists \text{val.}(\|\lambda_1\| = \text{true} \wedge \|\lambda_2\| = \text{true}) = \exists \text{val.}(\text{val} = \text{req} \wedge \text{val} = 5) = (\text{req} = 5)$ , i.e., conditions (val = req) and (val = 5) can only hold simultaneously if (req = 5). We have discovered a new predicate req = 5 that must hold in states where abstract label 1 is available. We introduce a new untracked variable  $\omega_2$ ,  $\|\omega_2\| = (\text{req} = 5)$  and refine  $C^{M-}$  with a new consistent transition:  $C^{M-} \leftarrow C^{M-} \vee (\omega_2 \wedge \lambda_1 \wedge \lambda_2)$ .

# 6.6.5 Refining the Abstraction

The REFINEABSTRACTION function is invoked by the abstraction refinement algorithm when no further consistency refinements are possible. At this point, every untracked sub-state of the boundary region is either must-winning or must-losing, i.e., can be coloured white or black using notation of Figure 6.11. REFINEABSTRACTION promotes a subset of untracked predicates making sure that the winning region  $W^M$  expands after re-solving the game in line 2 of Algorithm 16.

The procedure is identical to the refinement procedure for variable abstraction in Section 6.3 so it is not given in detail here.

Algorithm 27 shows the pseudocode of REFINEABSTRACTION. Line 2 computes all untracked boundary substates that are must-predecessors of  $W^M$ . Here,  $CpreU^{M-}$  is the same as  $Cpre^{M-}$  (Equation 6.28), but without untracked variable quantification:

$$CpreU_{i}^{M-}(\phi) = \tau_{i} \uparrow^{M} \wedge \exists \vec{\lambda}, \vec{\sigma'}.((C^{M-} \wedge \Delta) \wedge \phi') \vee \tau_{\vec{i}} \uparrow^{M} \wedge \forall \vec{\lambda}, \vec{\sigma'}.((C^{m+} \wedge \Delta) \rightarrow \phi')$$

I aim to grow  $W^M$  by promoting as few untracked predicates as possible. To this end, I extract a short prime implicant from  $U^M$  and promote the untracked variables in the support of the prime implicant (line 3). This has the effect of adding a large cube over state and untracked predicates to  $W^M$ . The PROMOTE function invoked on line 4 moves the selected untracked predicates to the set of state predicates  $\Sigma$  and recomputes the abstraction transition relation  $\Delta$  for the new state predicates. This can lead to the introduction of

## Algorithm 27 Pseudocode of REFINEABSTRACTION

```
1: function REFINEABSTRACTION(W^M)
2: U^M \leftarrow CpreU_1^{M-}(W^M) \wedge \overline{W^M}
3: toPromote \leftarrow \vec{\omega} \cap \text{SUPPORT(SHORTPRIME}(U^M))
4: PROMOTE(toPromote)
5: end function
```

new untracked and label predicates, which can serve as refinement candidates in the future.

We must be careful when refining the abstraction. Do the consistency constraints remain valid after the abstraction has been refined? The following example shows that in some cases they do not.

**Example.** Consider an abstraction of the running example game induced by abstract variable  $\sigma_1$  with corresponding predicate  $\|\sigma_1\| = (req = dat)$  as well as the abstract label variable  $\lambda_1$  with corresponding predicate  $\|\lambda_1\| = (val = req)$ . There are no untracked variables.

Our must consistency constraint,  $C^{M-}$ , is a relation over the variables  $\sigma_1$  and  $\lambda_1$ . For example, the tuple v=(true), l=(true) is must consistent because it is always possible to assert  $\lambda_1=true$  when  $\sigma_1=true$  by choosing val appropriately.

Suppose, when computing the update function for some variable that has just been promoted we introduce the abstract untracked variable  $\omega_2$  with corresponding predicate  $\|\omega_2\|=(req=5)$ . This partitions each sub-state into two. The definition of  $C^{M-}$  (Equation 6.24) ensures that if a label is must consistent in a given state before the variable promotion then it will be must consistent in each sub-state after the promotion. In this example, the tuples v=(true), u=(false), l=(true) and v=(true), u=(true), l=(true) are both must consistent. Notice that, if we are symbolically representing  $C^{M-}$ , then the new  $C^{M-}$  does not depend on the newly introduced untracked variable. Thus, we may keep the same  $C^{M-}$  from before the promotion.

The situation is not so good for promotions that introduce new label variables. We cannot simply reuse  $C^{M-}$  from before the variable promotion as we do for untracked variables. Consider what happens when, continuing on from before, we add  $\lambda_2$  with corresponding predicate  $\|\lambda_2\| = (val = 5)$ . The tuple v = (true), u = (true), l = (true) is must consistent. Extending the tuple to v = (true), u = (true), l = (true, true) is fine, but v = (true), u = (true), l = (true)

(true, false) is not. The latter tuple is not must-consistent. Therefore, we may not simply reuse  $C^{M-}$  as in the case where an untracked variable is added.

We can rebuild  $C^{M-}$  by considering all possible tuples with the additional label. In this case as there are few variables this would work and we would discover that the second tuple above is not part of  $C^{M-}$ . However, when there are more variables this is infeasible.

From this example, we can make two important observations. When compiling the update function for a untracked predicate that is being promoted to a state predicate when refining the abstraction,

- if the compilation only introduces new untracked predicates, then we can keep the consistency relations from the previous iteration.
- if the compilation introduces new label predicates, then we cannot reuse  ${\cal C}^{M-}$  from the previous iteration without modification.

For now, I resort to conservatively resetting  $C^{M-}$  to false when a new label variable is added and incrementally rebuilding  $C^{M-}$  lazily as before. This is a severe performance impediment as  $C^{M-}$  may have to be rebuilt many times. I present a pragmatic solution to this problem that is used by Termite in Section 6.7.

## 6.6.6 Checking Containment of the Initial Set

I create the abstraction of the initial set by introducing a Boolean state variable for each predicate that appears in the expression for the initial set. I then replace each predicate by the corresponding Boolean variable.

The approximate three valued abstraction-refinement algorithm must check whether the winning set contains the initial set. This check is performed for both winning sets in Algorithm 25. Again, predicate abstraction complicates things as the following example shows.

**Example.** Consider an abstraction of the running example induced by the abstract variables  $\sigma_1$ ,  $\sigma_2$  and  $\sigma_3$  and corresponding predicates  $\|\sigma_1\| = (req = dat)$ ,  $\|\sigma_2\| = (req = mem)$  and  $\|\sigma_3\| = (dat = mem)$ . The initial set is specified as  $req = dat \wedge req = mem$  which is abstracted to  $\sigma_1 \wedge \sigma_2$ . Suppose that the may winning set of states,  $W^{m+}$ , that the game solving algorithm returns is  $\{v = (true, true, true)\}$ . Importantly, this set does not contain

v=(true,true,false). Naively, we might check if the initial set implies the winning set, i.e., if  $(\sigma_1 \wedge \sigma_2) \to W^{m+}$ . However, as  $\sigma_1 \wedge \sigma_2 \wedge \neg \sigma_3$  is not part of  $W^{m+}$ , this implication is false i.e.  $(\sigma_1 \wedge \sigma_2) \not\to (\sigma_1 \wedge \sigma_2 \wedge \sigma_3)$ .

We should have ignored the losing state v = (true, true, false) when checking if the winning set consumes the initial set as it is inconsistent and does not correspond to any real states in the concrete game.

As the example shows, checking if the initial set implies each of the winning sets is not correct. Instead, I find a witness losing state and then check consistency of this state. The algorithm is given in Algorithm 28.

In line 2 I check if the abstraction of the initial set is a subset of the abstraction of the given winning set. If so, I return True.

If it is not, I extract a witness state on line 6. I check consistency of the state on line 7. If the state is consistent, then I have found at least one losing concrete state. Otherwise, I extract an unsatisfiable core on line 10 and add this to a consistency constraint that prevents this and other states from being selected as witnesses in the future. I then recurse with the updated consistency constraint on line 11. Effectively, I have another refinement loop that iteratively refines a consistency relation over states.

#### Algorithm 28 Checking inclusion of the initial set

```
1: function REFINEINIT(W, Init, inconsistent)
 2:
        if Init \rightarrow W then
            return True
 3:
        else
 4:
 5:
            witnesses \leftarrow Init \land \neg W \land \neg inconsistent
            implicant \leftarrow PRIMEIMPLICANT(witnesses)
 6:
            if SATISFIABLE(implicant) then
 7:
                return False
 8:
 9:
            else
10:
                inconsistent \leftarrow inconsistent \lor \texttt{UNSATCORE}(implicant)
                REFINEINIT(W, Init, inconsistent)
11:
            end if
12:
        end if
13:
14: end function
```

#### 6.6.7 Initial Abstraction

I obtain the initial abstraction by extracting atomic predicates from expressions T, and  $\tau_i$ , which guarantees that the abstraction is precise for T, and  $\tau_i$ . While this property is not essential for my approach, I will rely on it to simplify the presentation of the algorithm.

The initial state and label predicates are those that are created during compilation of the update functions for these predicates.

Finally, I assign  $C^{m+} = \top$  and  $C^{M-} = \bot$  initially.

#### 6.6.8 Putting it Together

The Algorithm for three valued predicate abstraction-refinement is given in Algorithm 29. In lines 3 and 4 I compute the must and may winning sets. I then check if the initial set is a subset of the must winning set using the procedure described in Section 6.6.6 on line 5. If it is, I terminate as the game is winning. I then check if the initial set is a subset of the may winning set using the same procedure on line 7. If it is not, I terminate as the game is losing. Finally, if none of the termination conditions are met, I refine. First, I attempt to refine the consistency constraints on line 10 using the procedure described in Section 6.6.4. If that fails, I refine he abstraction on line 12 using the procedure described in Section 6.6.4.

Finally, to arrive at the Termite game solver, I extend the algorithm to GR(1) games in the same way I did for variable abstraction.

#### 6.6.9 Correctness

The correctness and termination theorems of [de Alfaro and Roy, 2007] hold for Algorithm 16 with REFINECPRE and REFINEABSTRACTION functions defined above.

**Theorem 1.** If Algorithm 16 terminates, it returns the correct answer.

*Proof.* By construction,  $Cpre_i^{m+}$  and  $Cpre_i^{M-}$  over- and under-approximate abstract controllable predecessor operators, i.e.,  $Cpre_i^m(\phi) \downarrow \subseteq Cpre_i^{m+}(\phi) \downarrow$  and  $Cpre_i^{M-}(\phi) \downarrow \subseteq Cpre_i^M(\phi) \downarrow$ , for any set  $\phi$ . Hence, winning sets  $W^m = \text{REACH}(T \uparrow^m, Cpre_1^{m+})$  and  $W^M = \text{REACH}(T \uparrow^M, Cpre_1^{M-})$  computed using these operators over- and under-approximate the winning set W of the concrete game:  $W^M \downarrow \subseteq W \subseteq W^m \downarrow$ .

Algorithm 29 Three-valued abstraction refinement for games.

```
Input: A game structure G = \langle S, L, I, \tau_1, \tau_2, \delta \rangle, a set of target states T \subseteq S,
     and an initial abstraction \alpha = \langle V, \downarrow, Cpre_1^{m+}, Cpre_1^{M-} \rangle that is precise for
     T, I, and \tau_i.
Output: Yes if I \subseteq REACH(T, Cpre_1), and No otherwise.
 1: function SOLVE(transitionRelation, goal)
 2:
              \begin{aligned} W^M &\leftarrow \text{Reach}(T, Cpre_1^{M-}) \\ W^m &\leftarrow \text{Reach}(T, Cpre_1^{m+}) \end{aligned}
 3:
 4:
              if REFINEINIT(W^M, I, inconsistentInit) then
 5:
                   return Yes
 6:
              else if REFINEINIT(W^m, I, inconsistentInit) then
 7:
                   return No
 8:
 9.
              else
                   refined \leftarrow REFINECPRE(W^M)
10:
                   if (\neg refined) then
11:
                       REFINEABSTRACTION(W^M)
12:
                   end if
13:
14:
              end if
         end loop
15:
```

If the algorithm returns Yes then the initial set of the game is a subset of the must-winning region ( $I \subseteq W^M \downarrow$ ) and hence  $I \subseteq W$ . Likewise, if the algorithm returns No then  $I \not\subseteq W^m \downarrow$  and hence  $I \not\subseteq W$ . In both cases the answer produced by the algorithm is correct.

16: end function

**Theorem 2.** If there exists a finite region algebra  $\mathcal{A}$  such that all abstractions  $\langle V, \downarrow \rangle$  produced by Algorithm 16 are contained in  $\mathcal{A}$  then the algorithm terminates.

*Proof outline.* Let  $W^M$  and  $\hat{W}^M$  be must-winning sets computed at two subsequent iterations of Algorithm 16.

I first show that refinement procedures REFINECPRE and REFINEABSTRACTION guarantee that the must-winning set computed at every iteration of the refinement loop grows monotonically, i.e.,  $W^M \downarrow \subseteq \hat{W}^M \downarrow$ . This follows from the soundness of the refinement procedures, which improve the precision of  $Cpre_i^{M-}$  at every iteration.

Next I show that the algorithm is guaranteed to make forward progress, i.e., after a finite number of refinements it either terminates or discovers new must-winning states ( $W^M\downarrow\subset\hat{W}^M\downarrow$ ). Consider the consistency refinement procedure REFINECPRE first. Every invocation of this procedure classifies some of the untracked substates at the may/must boundary as either must-winning or must-losing (see Figure 6.11). Eventually, it will either classify all boundary states as must-losing, in which case  $W^m\downarrow=W=W^M\downarrow$ , and the algorithm terminates, or find at least one must-winning sub-state (as in Figures 6.11c and 6.11d). In the latter case, a subsequent invocation of the abstraction refinement procedure REFINEABSTRACTION is guaranteed to partition one of the boundary states so that one of the resulting abstract states is must-winning. This state will be discovered at the next run of the reachability algorithm, thus expanding the must-winning set.

Since, by the assumption of the theorem, all must-winning sets  $W^M$  generated by the algorithm belong to a finite region algebra, the algorithm is guaranteed to terminate after a finite number of iterations.

The theory of fixed-size bit vectors supported by Termite satisfies the premise of Theorem 2, which guarantees the termination of the algorithm.

# 6.7 Optimisation

Algorithm 26 has two important performance issues:

- Every time an untracked variable is promoted, if a new label variable is created in the process,  $C^{M-}$  must be reset to False.
- In lines 10–16 it analyses and adds to  $C^{M-}$  a single abstract label l. The set of all abstract labels is exponential in size in the number of label predicates and can be very large in practice, making explicit enumeration infeasible.

To address the first issue, I modify the algorithm to handle a set of abstract labels at every iteration. To this end, in line 7, instead of choosing a complete assignment to state, untracked, and label predicates, I compute a *prime implicant* of set T, i.e., an assignment to a subset of variables in  $\vec{\sigma} \cup \vec{\omega} \cup \vec{\lambda}$  such that

6.7. OPTIMISATION

137

any extension of this assignment to the remaining variables satisfies *T*:

$$\langle v, u, l \rangle \leftarrow \text{PRIMEIMPLICANT}(T),$$

where v, u, and l are partial valuations of abstract variables, which compactly represent a potentially large set of abstract transitions. In practice, we typically discover prime implicants that only constrain few of the abstract variables, meaning that other predicates are irrelevant for the outcome of the transition.

Given this modification, the  $C^{m+}$  refinement case of the algorithm (lines 18–19) is still correct and does not require any changes. However, changes are needed in the  $C^{M-}$  refinement logic. The set A computed in lines 10–1 contains all concrete states where at least one abstract label from the set characterised by the partial assignment l of label predicates is available. It does not guarantee the availability of any particular label from this set. To model this constraint, we would have to change  $C^{M-}$  to be a relation over sets of labels. Every element of the relation would describe a set of labels, one of which is guaranteed to be available for the given state and untracked predicate assignment.

This introduces a new form of imprecision to the consistency relation: rather than categorising each abstract label as available or unavailable in the given state, we record a set of labels, one of which is available. However, such a relation would be hard to represent and manipulate efficiently in the symbolic form. Therefore, I propose a different approach that allows symbolic implementation.

I transform the game (without changing its winning set) in order to solve it more efficiently. The idea is to model the new form of imprecision as non-determinism in the abstract transition relation  $\Delta$ . For each abstract label variable  $\lambda_i$ , I introduce an auxiliary *enabling variable*  $\varepsilon_i$  and transform the transition relation  $\Delta$  as follows:

$$\Delta \leftarrow (\varepsilon_i \wedge \Delta) \vee (\overline{\varepsilon_i} \wedge \exists \lambda_i. \Delta).$$

When  $\varepsilon_i = true$ ,  $\Delta$  behaves exactly as before. In case  $\varepsilon_i = false$ , the value of  $\lambda_i$  chosen by the player is ignored and the environment non-deterministically selects next-state variables assignment that is consistent with *some* assignment of  $\lambda_i$ .

I can now modify line 16 of Algorithm 26 as follows:

$$C^{M-} \leftarrow C^{M-} \vee (\hat{A} \wedge \bigwedge_{i \in j_1 \dots j_p} \lambda_i = l_i \wedge \bigwedge_{i \notin j_1 \dots j_p} \varepsilon_i = false),$$

where  $j_1 \dots j_p$  are indices of variables assigned by l. The above statement refines  $C^{M-}$  by allowing the player to assign a subset of label variables in accordance with l and disabling other label variables not constrained by l. The environment will non-deterministically pick arbitrary values for these variables. In this way I precisely capture what we currently know about consistent predicate assignments in a symbolic form, at the cost of introducing extra variables  $\varepsilon_i$ .

# 6.8 Implementation

I implemented this abstraction refinement algorithm as part of Termite. Termite currently supports specifications in its own domain-specific Termite Specification Language (TSL), which is described in Appendix A.

I extended the abstraction-refinement algorithm to handle GR(1) games as outlined in Section 6.3.10.

Termite currently supports input specifications over the concrete domain of fixed-size bit vectors and arrays. I use the Z3 SMT solver to check satisfiability and retrieve unsatisfiable cores of formulas over concrete variables (lines 11 and 21 of Algorithm 26). Quantifier elimination (line 12) over bit vector formulas is performed using a custom implementation of the decision procedure for bit vectors by Barrett et al. [Barrett et al., 1998]. Termite interacts with the theory solver through a well-defined interface and hence can be readily extended with additional theories. All computations over the abstract domain are performed symbolically using the CUDD BDD package.

In addition to the techniques described for variable and predicate abstraction implemented the optimisations described in Section 6.1.2.

I also implemented an optimised version of the original algorithm by de Alfaro and Roy, as described in Section 6.3, which enables a direct comparison of the two techniques.

The core abstraction-refinement algorithm consists of 1800 lines of Haskell code.

#### 6.9 Evaluation

The Termite team and I evaluated the synthesis algorithm by synthesising drivers for several real-world I/O devices, including an IDE hard disk, a

| 6.9. EVALUATI | ON         | simple I2C | 11 (64)                    | 14 (42)                    | 23                      | 6                 | 17               | 36               | 0                    | 10           | 242214        |                                                                         | 1151              | 4088000       |
|---------------|------------|------------|----------------------------|----------------------------|-------------------------|-------------------|------------------|------------------|----------------------|--------------|---------------|-------------------------------------------------------------------------|-------------------|---------------|
|               |            | simple SPI | 7 (46)                     | 6 (28)                     | 0                       | 11                | 14               | 19               | 0                    | $\vdash$     | 87892         | y, 2007]                                                                | 865               | 400624        |
|               |            | UVC        | 95 (75908)                 | 33 (49657)                 | 22                      | 25                | 30               | 130              | 32                   | 190          | 785918        | Performance of the de Alfaro and Roy algorithm [de Alfaro and Roy, 2007 | 8                 | 1             |
|               |            | SPI        | 66(644)                    | 24(384)                    | 9                       | 26                | 31               | 28               | 9                    | 14           | 324996        | ithm [de ⊿                                                              | 8                 | 1             |
|               | Case study | I2C-2      | 50(222)                    | 15(81)                     | 4                       | 17                | 24               | 32               | ~                    | 43           | 688828        | Roy algor                                                               | 8                 | 1             |
|               | Ü          | I2C-1      | 64 (458)                   | 25 (199)                   | 12                      | 15                | 24               | 36               | 5                    | 39           | 440482        | Alfaro and                                                              | 8                 | 1             |
|               |            | UART-2     | (968)59                    | 15(289)                    | 4                       | 20                | 58               | 53               | 2                    | 603          | 1142596       | of the de A                                                             | 8                 | 1             |
|               |            | UART-1     | 61 (335)                   | 20 (86)                    | 42                      | 18                | 33               | 40               | 35                   | 309          | 907536        | rformance                                                               | 8                 | •             |
|               |            | RTC        | 64 (624)                   | 24 (199)                   | 6                       | 16                | 25               | 41               | 4                    | 74           | 515088        | Pe                                                                      | 8                 | 1             |
|               |            | IDE        | 83 (952)                   | 27 (389)                   | 11                      | 18                | 31               | 57               | 7                    | 71           | 864612        |                                                                         | 8                 | 1             |
|               | Challan    | Statistic  | concrete state vars (bits) | concrete label vars (bits) | consistency refinements | state refinements | state predicates | label predicates | untracked predicates | run time (s) | peak BDD size |                                                                         | 10   run time (s) | peak BDD size |
|               |            |            |                            | 7                          | 3                       | 4                 | гO               | 9                | ^                    | $\infty$     | 6             |                                                                         | 10                | 11            |

Table 6.2: Summary of experimental case studies.

real-time clock, two UART serial controllers, two I2C bus controllers, an SPI bus controller, and a UVC webcam. I developed corresponding device and OS models using the Termite Specification Language (TSL) by following the common methodology used by hardware developers in building high-level device models. I refer the reader to Appendix A for a description of the TSL language and the modelling methodology. The source code of the case studies is available as part of the Termite distribution [Termite].

Table 6.2 summarises the experiments. The first two rows characterise the complexity of the input models in terms of the number of variables and the total number of bits used in the concrete specification of the game. Concrete state variables model internal device state, as well as the state of the driver-OS interface; label variables model commands and responses exchanged by the driver, the device, and the OS.

Rows 3 and 4 show the number of iterations of the abstraction refinement loop required to solve the game. Rows 5 through 7 show the size of the abstract game at the final iteration, when a winning strategy for the driver was obtained, in terms of the number of state, label, and untracked predicates. These results demonstrate the dramatic reduction of the problem dimension achieved by the abstraction refinement method. The resulting abstract games are still too complex to solve using explicit state enumeration, hence the use of symbolic techniques is essential. In all case studies, Termite was able to find the winning strategy within 11 minutes running on a 2.9GHz Intel Core i7 laptop (row 8), with peak BDD size under one million nodes (row 9).

The two final rows show the performance of the original three-valued variable abstraction refinement algorithm of de Alfaro and Roy on these benchmarks. As expected, the algorithm does not terminate on any of the real-world driver benchmarks within a two-hour time limit. I therefore developed simplified versions of two of the benchmarks (SPI and I2C-2) with significantly reduced state spaces. As shown in the last two columns of the table, the de Alfaro and Roy algorithm terminates on these benchmarks; however it takes several orders of magnitude longer than the new algorithm, which uses predicate abstraction. These results show that predicate abstraction is essential to solving complex real-world games.

# 7 Conclusions

Device driver synthesis is a radical alternative to traditional driver development. It has the potential to drastically reduce the work required to create device drivers and improve their reliability.

This dissertation has presented the design and implementation of the Termite driver synthesis tool. Termite is the first tool to combine automatic game-based synthesis with conventional manual development. It is also the first practical synthesis tool based on abstraction refinement. Finally, it is the first synthesis tool to support automated debugging of input specifications.

Based on the experimental results of Chapter 5, I consider Termite to be an important step towards truly practical device driver synthesis. In particular, the synthesis algorithm is able to efficiently handle real-world device specifications, while the user-guided approach reliably leads to high-quality code.

In order to develop Termite, I created a rigorous game-based formalism of device driver synthesis inspired by Termite-1. This allowed me to apply pre-existing theory and results from the field of reactive synthesis. I presented and evaluated a practical predicate-based abstraction refinement algorithm for solving games. To the best of my knowledge, this is the first such algorithm described in the literature. I addressed key performance bottlenecks involved in applying predicate abstraction in game settings and demonstrated that the algorithm performs well on real-world reactive synthesis benchmarks.

Further research is needed to solve the key remaining problems described in Section 5.7, primarily the DMA problem, which poses the main obstacle to synthesis of more complex drivers, and the grey-box synthesis problem, which limits the degree of automation achieved by Termite.

Additional research may explore ways to improve the quality of automati-

cally generated code and thus further reduce the need for user involvement. This includes performance- and power-aware synthesis. Lastly, this approach may be used for the automatic synthesis of hardened device drivers, i.e., drivers that gracefully handle misbehaving devices [Kadav et al., 2009], by detecting behaviour that deviates from the specification.

# A TSL Language Reference

#### A.1 Overview

# A.1.1 Static and dynamic namespaces

TSL supports two namespaces: the *static namespace* and the *dynamic namespace*. The static namespace is populated with compile-time objects: *types* and *constants*. The dynamic namespace is populated with runtime objects: *processes*, *variables*, *methods*, and *wires*. Static objects are uniquely identified by their name and syntactic scope. In contrast, runtime objects can be instantiated multiple times within the specification and hence must be referred to relative to their runtime scope.

#### A.1.2 Templates

Templates are the principal mechanism for managing both static and dynamic namespaces. A template models an entity, such as a device, an OS, or a device driver. It declares a set of static objects (types and constants) and a set of runtime objects. Static objects declared inside a template can be referenced from any part of the specification via the template name. Runtime objects are instantiated together with the template and can be accessed via a reference to a template *instance*.

The following template declares type word (static object) and variable x (runtime object):

```
template A
// type declaration
typedef uint<16> word;
```

```
// variable declaration
  export word x;
endtemplate
```

The word type is globally visible via the ::-notation as A::word. It can be used even if template A is never instantiated. In contrast, variable x can only be accessed via an instance of A.

A template is instantiated inside another template. The only exception is the main template, which is implicitly instantiated in the top-level scope. Every complete TSL specification must contain a template called main.

In the following example, the main template creates an instance of A, making its variables accessible from main via instance name:

```
template main
instance A a;

process pmain {
    // assigning variable x of template instance a.
    a.x = 16'd0;
}
endtemplate
```

The template instantiation mechanism gives rise to an *instance tree* with the main template as its root. Dynamic objects within the tree are accessed using hierarchical identifiers such as a.x. This mechanism allows accessing objects down the branch of the instance tree, starting at the local template. In practice, it is often necessary to access objects instantiated in other parts of the tree. This is achieved in a structured way using *template ports*.

A template port is an alias to a template of a given type bound at the time of instantiation. For example, template B below declares port aa of type A, which makes runtime objects in the scope of A visible from B. Both templates are then instantiated in the main template, with the instance of A connected to port aa of B.

```
// template B with port aa of type A
template B(A aa)
  process proc {
   aa.x = 16'd0;
  };
endtemplate
```

A.1. OVERVIEW 145

```
template main
  // create instances of A and B; connect port aa of
  // B to the instance of A.
  instance A a;
  instance B b(a);
endtemplate
```

The following diagram illustrates the resulting instance tree and the link between different branches of the tree via port aa.



Another mechanism for managing name spaces is *template inheritance*. Using inheritance, one can create generic templates that capture common properties of a family of entities, leaving some of the properties underspecified. The generic template can be specialised by a child template that fills in the missing details. For example, the following template models common device-class callbacks that must be implemented by any OS specification for the IDE device class. Note that callbacks are defined without bodies, as the exact behaviour is OS-specific.

```
template ide_os
  procedure void write_sectors(uint<48> lba,
      uint<16> sectors, uint<32> buf, bool xfer_error);
  procedure void read_sectors(uint<48> lba,
      uint<16> sectors, uint<32> buf, bool xfer_error);
  procedure void reset();
  procedure void reset();
  ...
endtemplate
```

This template is specialised by the 14\_ide\_os template, that describes the IDE driver interface defined by the seL4 OS.

```
template 14_ide_os(14_ide_drv drv)

// the derive statement is used to establish the

// inheritance relation
derive ide_os;

// additional specification items can be declared in the
```

```
// child template
export iostatus reset_status = ionone;

// the child template implements methods inherited from
// the parent.

procedure void write_sectors(uint<48> lba,
    uint<16> sectors, uint<32> buf, bool xfer_error)
{
    assert (lba == r_lba);
    ...
}
```

A template that has part of its functionality, namely method body or wire assignment, underspecified is called *pure template*. Pure templates can be used in derive statements and in port declarations, however they cannot be instantiated.

Template inheritance is subject to the following rules:

- Derived template must re-declare all ports of all its parent templates with the same names and types. It can also declare additional ports not found in any of its parents.
- If a template has multiple parent templates, then the namespaces of parent templates (consisting of variable, wire, method, goal, and process names) must not overlap.
- If the derived template re-declares a wire or method declared in one of its parents, the new declaration must have the same signature as the parent declaration.
- The child template can override wire and method declarations of its parent templates. Other parts of the parent template, including variable, goal, and process declarations, are inherited by the child template and cannot be overriden.

#### A.1.3 Execution model

All state transitions in TSL occur in the context of *processes*. Multiple processes can be enabled at the same time; however exactly one process participates in each individual transition. Process transitions are atomic with respect to other

A.1. OVERVIEW 147

processes. Process that perform the next transition is chosen by the scheduler among enabled processes. Scheduling is fair, i.e., if a process stays enabled sufficiently long, it will eventually get scheduled.

Processes are declared inside templates using the process keyword. Such processes become runnable in the initial state of the specification. Additional processes can be spawned at runtime using the fork construct. Syntactic constraints of the language (namely, the lack of support for recursion) guarantee that only a bounded number of processes can be spawned at any time.

In the following example, template A contains a single static process psndrcv, which spawns two subprocesses psend and preceive.

```
template A

process psndrcv {
  fork {
    psend:    forever send();
    preceive: forever receive();
  };
  shutdown();
};

endtemplate
```

A process state transition starts in the current program location and stops at the next *pause location*. Pause locations can be explicit or implicit. Explicit pause locations are declared using pause, wait, and stop constructs. Implicit pause locations are introduced automatically by the compiler in the following cases:

- Before fork statements
- Before magic blocks A.1.6
- On entries to and exits from controllable and uncontrollable tasks (see below)

Process behaviour can be factored into *methods*. A process can invoke methods declared inside its own template as well as in other template instances, via hierarchical identifiers discussed in the previous section. There are three types

of methods in TSL: *functions, procedures*, and *tasks*. Functions and procedures must complete instantaneously, i.e., they are not allowed to contain explicit or implicit pauses. In addition, functions are not allowed to have side effects, i.e., they cannot modify any global variables, perform pointer dereferences, or contain assertions (pointer dereferences and assert statements can have the side effect of taking the system into an error state).

Tasks can take time to execute. A task can have an optional controllable or uncontrollable qualifier. Controllable tasks are the only kind of task that can be invoked from synthesised code; although they can also be called from manually written code. They are used to model the device register interface and OS callbacks. In the current implementation of the TSL compiler, controllable tasks are subject to additional constraint: they are not allowed to contain internal pause locations, i.e., a controllable task must always complete in a single transition.

Uncontrollable tasks represent driver methods invoked by the OS or the device. Uncontrollable tasks are the only kind of task that can contain automatically generated code, i.e., a magic block can only be placed inside an uncontrollable task.

Controllable and uncontrollable task invocations introduce implicit pause locations on entry and return from the task. In the following example execution of process p1 will consist of three transitions.

```
template A
  uint<16> x;

process p1 {
  x=1;
  t1(x);
};

task uncontrollable void t1(uint<16> arg) {};
endtemplate
```

The first transition assigns global variable x and sets the argument of task t1 to be equal to x. An implicit pause location is inserted at this point. The second transition executes the body of task t1, which completes instantaneously, as it does not contain any pause locations. Another implicit pause is inserted at the task return location. The remainder of the process is executed in the third

A.1. OVERVIEW 149

transition. Note that other processes can run and potentially modify variable values in between transitions 1 and 2 and transitions 2 and 3.

Tasks without controllable and uncontrollable qualifiers behave as if the body of the task was inlined at the call location. No additional pauses are inserted before or after the task.

#### A.1.4 Variables and wires

Variables are used to store state that persists for the lifetime of the variable. Variables in TSL can be declared in the template, process, or method scope. Template-scope variables, also called *global variables*, are instantiated together with the template and are visible from anywhere inside the template. In addition, variables declared with the export qualifier can be accessed from other templates via their hierarchical identifiers. Process and method variables are only visible within the syntactic scope of the process or method where they are declared.

In contrast to variables, *wires* are simply aliases to expressions defined over global variables and are not allocated their own storage. Wires keep their values throughout a transition and are updated at the end of the transition. Initial value of a wire is computed based on initial values of global variables.

```
template A
  uint<16> x = 0;
  wire uint<16> w = x + 1;
endtemplate
```

#### A.1.5 Correctness specifications

TSL provides several mechanisms for specifying correctness conditions over system behaviour:

Goals. A goal is a side-effect-free Boolean expression over global variables that must hold infinitely often in any infinite run of the system. A template can declare any number of goals. In addition, TSL defines two implicit goals. The first one requires the system to be outside of a magic block infinitely often; in other words, the system cannot stay inside a magic block forever. The second implicit goal requires that the system never enters an *error state* (see below).

Assertions. An assert statement can be placed anywhere inside processes, tasks, and procedures. It defines a condition whose violation immediately transitions the system to an error state.

# A.1.6 Magic blocks

A magic block is a place holder for automatically generated code.

```
template main
  task uncontrollable bool probe() {
    // Magic block
    {...}
    if (os.reset_status == iosuccess) {
        return true;
    } else {
        return false;
    };
};
endtemplate
```

For correctness conditions specified using goals (see Section A.1.5), the synthesis algorithm computes a strategy for each goal; however the scheduling of strategies is left to the user, i.e., the user decides when to execute each strategy during code generation.

# A.2 Syntax Reference

#### A.2.1 Literals

TSL supports Boolean literals "true" and "false" and Verilog-style binary, octal, decimal and hexadecimal integer literals. The exact number of bits can be specified for each integer literal.

```
| [<width>] "'sh" <hexNumber>
<width> := <decNumber>
```

Examples of integer literals:

```
uint <8> x;
sint <8> y;

x = 255;
x = 8'd35;
x = 8'b0101010101;
x = 8'b1;

y = 8'sb11111111;
y = 8'sd-6;
```

In case literal width is not specified explicitly, the compiler assumes width sufficient to encode the given integer value, for example literal 5 is assumed to be 3 bits wide, as 3 bits are sufficient to encode values between 0 and 5. The compiler does not perform automatic truncation or extension of integers. For example, the following assignment statement is invalid, as the left and the right-hand sides of assignment have different width:

#### A.2.2 Identifiers

Identifiers are used throughout TSL specification to refer to static and runtime objects (Section A.1.1). TSL supports three forms of identifiers:

**Simple identifiers.** A simple identifier is a name of a static or runtime object visible within the current syntactic scope. This includes objects declared within the current scope or in one of its parent scopes. For example, simple identifier x used in a method body can refer to a local variable or argument of the method, template-global variable, or a type or constant declared in the template or top-level scope.

```
<ident> := (<letter> | "_") (<letter> | <digit> | "_")*
```

**Static scoped identifiers.** These identifiers refer to static objects declared within template scope. They can be used to refer to static objects declared in templates other than the local template.

```
<staticIdent> := <ident> "::" <ident>
```

**Hierarchical identifiers.** These identifiers can only be used to refer to runtime objects. A dynamic identifier is a dot-separated sequence of literals that traverses the instance tree (Section A.1.2) via port and instance names:

```
<dynIdent> := <ident> ["." <ident>] *
```

The following example illustrates the use of different types of identifiers.

```
template A
 typedef uint<16> word;
 export word x;
endtemplate
template B(A aa)
  // Reference to the word type declared in template A
  // via static scoped identifier;
  A::word v;
  process proc {
   // In the following statement:
    // * y is a simple identifier that refers to a variable
    // declared in the local template
    // * aa.x is a hierarchical identifier that refers to
       variable x declared in template A.
    y = aa.x;
  };
<u>endtemplate</u>
template main
  // create instances of A and B; connect port aa of
  // B to the instance of A.
  instance A a;
```

```
instance B b(a);
endtemplate
```

# A.2.3 Types

Type expressions can occur in various contexts in a TSL specification, including variables, method, wire, type, and constant declarations. The language currently supports arbitrary fixed-width signed and unsigned integers, Booleans, enums, structs, arrays, and pointers.

TSL enum's are different from C-style enum's in that they are not integers. In particular, a variable of enum type cannot be cast to an integer. Such a variable can only take one of the values in the enumeration and not any other arbitrary integer value. Furthermore, an enum declaration cannot assign integer values to enumerators.

Type expressions are subject to the following constraints:

• Enumerations can only be declared in typedef statements, e.g., they cannot be used in variable or method declarations. This ensure that every enum type has a name.

| operator     | syntax | arg type       | res type     | comment             |  |  |  |
|--------------|--------|----------------|--------------|---------------------|--|--|--|
| [:]          | e[l:h] | integer        | unsigned int | bit slice           |  |  |  |
| [ ]          | e[i]   | array          | -            | array index         |  |  |  |
|              | e.f    | struct         | -            | struct field        |  |  |  |
| ->           | e->f   | struct pointer | -            | struct dereference  |  |  |  |
| !            | prefix | bool           | bool         | Boolean negation    |  |  |  |
| ~            | prefix | integer        | integer      | bit-wise negation   |  |  |  |
| _            | prefix | integer        | integer      | unary minus         |  |  |  |
| *            | prefix | pointer        | -            | pointer dereference |  |  |  |
| &            | prefix | any            | pointer      | address-of          |  |  |  |
| ==, !=       | infix  | any            | bool         |                     |  |  |  |
| <, <=, >, >= | infix  | integer        | bool         |                     |  |  |  |
| &            | infix  | integer        | integer      | bit-wise and        |  |  |  |
|              | infix  | integer        | integer      | bit-wise or         |  |  |  |
| ^            | infix  | integer        | integer      | bit-wise xor        |  |  |  |
| & &          | infix  | bool           | bool         | Boolean and         |  |  |  |
|              | infix  | bool           | bool         | Boolean or          |  |  |  |
| =>           | infix  | bool           | bool         | Boolean implication |  |  |  |
| *            | infix  | integer        | integer      | multiplication      |  |  |  |
| ે            | infix  | integer        | integer      | residue             |  |  |  |
| +            | infix  | integer        | integer      | plus                |  |  |  |
| _            | infix  | integer        | integer      | minus               |  |  |  |

Table A.1: TSL operators

• Variable-size arrays are not supported: array dimensions must be compiletime constants.

Examples of type expressions:

```
typedef uint<16> t1;
typedef sint<13> t2;
typedef enum {e1, e2, e3} t3;
typedef struct {t1 f1; t2 f2;} t4;
const t1 c1 = 16'd5;
typedef t4[c1] arrtype;
typedef struct {bool f1; uint<16>[10] f2;} * structptr;
```

# A.2.4 Expressions

TSL expressions are constructed from identifiers (Section A.2.2), literals (Section A.2.1), and method invocations A.2.5 using operators summarised in Table A.1 in the order of decreasing precedence.

In addition, TSL supports three kinds of conditional expressions: if-else expressions (or ternary expressions), case-expressions, and cond-expressions.

A case-expression chooses a value based on the value of its key expression, whereas a cond-expression chooses a value to return by evaluating a series of conditions in order. Note that if-else expressions are different from if statements described in Section A.2.5.

Finally, TSL supports struct expressions with explicit or implicit field names:

Note that TSL does not provide type casting operations. In particular, it is impossible to convert a pointer to an integer or an integer to a pointer. In addition, the TSL compiler enforces the following type and memory safety rules:

- No arithmetic operations are allowed on pointers
- Bit-wise operators must be applied to integer operands of the same width
- == and != operations can only be applied to operators of identical types (including width and signedness)

- Labels in a case-expression and conditions in a cond-expression must be side-effect free
- All branches of a case, cond, or if-else expression must return values of the same type
- Lower and upper bounds of a bit slice must be constant expressions, lower bound must be less than or equal to the upper bound, and both bound must be smaller than the width of the argument.
- The address-of operator (ε) can only be applied to memory variables (see Section A.2.5).

#### Non-deterministic expression

Special expression \* is used to generate non-deterministic values of arbitrary type. The exact type is derived from the context, as illustrated in this example:

```
x = *; // Generate random value of the same type as x. 
 f(*,*); // Generate random values that match argument 
 // types of f.
```

Note that \* cannot be used as an atom in a bigger expression, for example, the following is not valid:

```
x = * + 2; // Invalid use of *
```

#### L-expressions

*L-expressions* are a subset of TSL expressions that can be used as the left-hand side of assignments statement and as output arguments of methods. L-expressions are defined by the following rules:

- 1. Names of variables visible in the current scope, including global variables, local variables, and function arguments are L-expressions
- 2. All valid expressions of the form \*e and e->f are L-expressions.
- 3. If e is an L-expression then the following are also L-expressions:

- e[i]
- e[l:h]

#### **Expression evaluation**

Expression evaluation order matters in cases when expression operands contain method calls, which may have side effects. All expression operands are evaluated before the expression itself is evaluated. In particular, if the expression contains method calls, then all of these calls are performed before the expression is evaluated.

#### A.2.5 Statements

Statements are used to describe process behaviour and are used in process and method bodies and always-blocks (Section A.2.10).

```
<statement> := <varDecl> // local var declaration
           | <sseq> // sequential block
| <spar> // parallel blocks
            | <sforever> // forever loop
            | <swhile> // while loop
            | <sfor> // for loop
            | <sbreak> // break out of a loop
            | <schoice> // nondeterministic choice
            | <spause> // pause
            | <swait> // wait on a condition
            | <sassert> // assertion
            | <sassume> // assumption
            | <site> // if-then-else statement
            | <scase> // case statement
            | <sinvoke> // method invocation
            | <sassign> // variable assignment
            | <sreturn> // return statement
            | <smagic> // magic block
```

#### Variable declarations

Variable declaration statements are used to declare local variables visible within the syntactic scope of a process, method or always-block. A local variable is visible everywhere within the process, task, or always-block regardless of the exact location where it has been declared. A variable declaration consists of an optional mem qualifier, variable type and name and optional initial assignment:

```
<varDecl> := ["mem"] <typeSpec> <ident> ["=" <expr>]
```

The mem qualifier labels the variable as in-memory variable, which allows the address-of operator to be applied to this variable or any of its fields. In addition, in performing pointer analysis of a TSL specification, one can assume that a pointer can only point to an in-memory variable of a matching type.

In case variable declaration does not specify an initial value for the variable, the value for the variable is chosen non-deterministically.

#### Sequential blocks

C-style sequential blocks; nothing fancy here:

```
<sseq> = "{" (<statement> ";")* "}"
```

#### Parallel blocks

The fork construct is used to spawn several child processes.

Each child process is assigned a unique label, which helps identify processes during debugging. The spawning process blocks waiting for all forked processes to terminate. Forked processes terminate when all of them have reached a *final* state (i.e., a process cannot terminate without waiting for its siblings to be in final states as well). A process is in a final state when it reaches either the end of its execution (i.e., executes its last instruction) or a stop statement (Section A.2.5).

In the following example two dynamically spawned processes send and receive data in an infinite loop.

At each iteration of the loop, they go through final states by stop. When both processes are in their respective final states, the entire fork block *may* terminate, with the parent process moving on to the next statement; however, it is not required to terminate and can continue executing forever loops. The choice between terminating and continuing execution is performed nondeterministically by the environment. In contrast, in the following example, once both processes reach their final control locations, the fork block terminates instantaneously, as neither process can execute any more transitions:

```
process psndrcv {
  fork {
    psend: send();
    preceive: receive();
  };
  shutdown();
};
```

#### Loops

In addition to conventional do, while, and for loops, TSL supports forever loops, which are equivalent to while (true).

```
<sdo> := "do" <statement> "while" "(" <expr> ")"
<swhile> := "while" "(" <expr> ")" <statement>
```

At the moment TSL does not allow *instantaneous loops*, i.e., every possible path through the loop body must contain an explicit or implicit pause location (Section A.1.3). This restriction is enforced by the compiler via a simple static check. Note that there is no implicit pause before the body of the loop, i.e., execution enters the loop instantaneously and continues until reaching a pause location inside the loop. For example, in the following example, process foo executes two transitions: (1) x=16'd0; (x<1) == true; x=x+16'd1, and (2) (x<1) == false; y=16'd0.

```
process foo {
    x = 16'd0;
    while (x < 1) {
        x = x + 16'd1;
        pause;
    };
    y = 16'd0;
};</pre>
```

The break statement can be used anywhere inside a loop to transfer control to the first instruction following the body of the innermost.

#### Non-deterministic choice

The choice construct allows the environment to non-deterministically choose between two or more actions:

#### Pause statements

TSL offers three ways to insert an explicit pause location (Section A.1.3) in the control flow of a process or method: wait, pause, and stop statements.

```
<swait> := "wait" "(" <expr> ")"
<spause> := "pause"
<sstop> := "stop"
```

The wait statement inserts a pause location and disables the current process until the wait condition becomes true. If the wait condition stays true for sufficiently long time, the process is guaranteed to eventually leave the pause location. Note that if the wait condition is already true when the process enters the pause location, the current transition terminates anyway.

The pause statement is a shortcut for wait (true). stop behaves like pause, but additionally marks the current process state as final (Section A.2.5).

#### Assertions

An assertion behaves as a no-op if its argument evaluates to true, and causes a transition to an error state otherwise.

```
<sassert> := "assert" "(" <expr> ")"
```

The argument of an assert statement must be a side-effect-free expression.

#### **Assumptions**

```
<sassume> := "assume" "(" <expr> ")"
```

Assumptions are used to constrain possible system behaviours. Similar to assertions, they specify constraint that must hold for any valid execution of the system. However, while an assertion causes transition to an error state if its condition is violated, the assume statement prunes all transitions that violate the assumption.

Assumptions are particularly useful in imposing restrictions on randomly generated values, as illustrated by the following example.

```
4'd5: data_bits = CUART_DATA5;
4'd6: data_bits = CUART_DATA6;
4'd7: data_bits = CUART_DATA7;
4'd8: data_bits = CUART_DATA8;
default: assume(false); // other values are not allowed
};
```

#### Conditional statements

TSL supports C-style if-else statements and case statements:

Labels of the case statement can be arbitrary side-effect-free deterministic expressions of a matching type. At runtime, the first matching label is selected. At most one branch of a case statement is executed; execution does not fall through to the next label automatically. Unlike in C, the break statement cannot be used to break out of a case clause. While break is allowed inside the body of a case, it has the effect of breaking out of the innermost loop.

#### Method invocation

Method invocations can occur as atoms in expressions as well as standalone statements. Method name is a hierarchical identifier that refers either to a method declared in the local template or exported from another template.

```
<sinvoke> := <dynIdent> "(" [<expr> [("," <expr>)*]] ")"
```

Method arguments must match the number and types of formal arguments in the method declaration. Output arguments A.2.10 must be L-expressions A.2.4.

#### **Assignment statements**

```
<sassign> := <expr> "=" <expr>
```

The left-hand side of an assignment statement must be an L-expression (Section A.2.4). Types of left- and right-hand side expressions must match, including sign and width for integer types.

#### Return statements

```
<sreturn> := "return" [<expr>]
```

Return statements are only allowed in method bodies. If the method is a void method, return must not have an argument; otherwise it must have an argument whose type matches the return type of the method. Every path through a non-void method must end with a return statement. Statements following a return statement are ignored and control transfer to the location immediately following the call site.

If the method is a controllable or uncontrollable task then an implicit pause location (Section A.1.3) is introduced at the return location. In this case, if the value returned by the task is used as the right-hand side of an assignment, the value of the left-hand side is modified at the beginning of the next transition performed by the process.

# Magic blocks

```
<smagic> := "{" "..." "}"
```

See section A.1.6.

#### A.2.6 TSL file structure

A TSL file consists of *import* statements, type declarations, constant declarations, and template declarations.

#### A.2.7 Import statements

Import statements are used to combine multiple TSL files into a single specification. They are only allowed in the top-level syntactic scope, i.e., they are

illegal inside template of type declarations. An import statement consists of the import keyword followed by file path in angle brackets:

```
import<ide_dev.tsl>
import<os/ide_tsl2/14_ide.tsl>
import<../../os/ide_tsl2/ide_class.tsl>
```

The TSL compiler appends this path to each import directory, specified via the -I command line switch, in order, until a file with this name is found.

# A.2.8 Type declarations

Type declarations can be placed in the top-level scope or in a template scope.

```
<typeDecl> := "typedef" <typeSpec> <ident>
```

#### A.2.9 Constant declarations

Constant declarations can be placed in the top-level scope or in a template scope. The value of a constant is an expression that can be evaluated at compile time.

```
<const> := "const" <typeSpec> <ident> "=" <expr>
```

Examples:

#### A.2.10 Templates

Templates must be declared within the top-level scope, i.e., nested template declarations are not allowed. Template declaration has the following syntax:

Here, <portDeclarations> is a comma-separated list of port declarations, described in Section A.1.2. A template item is one of:

- Derive statement
- Instance declaration
- Type declaration
- Constant declaration
- Global variable declaration
- Init block
- Always block
- Process
- Method
- Goal
- Wire declaration

Derive statements and instance declarations were considered in Section A.1.2. Type declarations and constant declarations were considered in Sections A.2.8 and A.2.9. We describe the remaining types of template items below.

#### Global variable declarations

Global variables (Section A.1.4) are declared in the template scope. The declaration syntax is the same as for local variables (Section A.2.5) with the optional export qualifier that indicates that the variable can be accessed from outside the template:

```
<gvarDecl> := ["export"] <varDecl>
```

Similar to local variable declarations, if the declaration does not specify an initial value for the variable, the value for the variable is chosen non-deterministically. The initial value can be further constrained by init blocks, as described below.

#### Init blocks

An init block defines a constraint over initial assignment of global veriables.

```
<initBlock> := "init" <expr>
```

The body of an init block is a boolean expression over global variables visible from the current template, including variables exported from other templates.

The following example constrains initial values of config\_in\_progress and sendq\_head variables:

```
template linux_uart_drv(uart_dev dev)
    bool config_in_progress;
    uint<16> sendq_head;
    init (config_in_progress == true) &&
        (sendq_head == 16'd0);
endtemplate
```

Note that the same result can be achieved using initial variable assignments:

```
template linux_uart_drv(uart_dev dev)
  bool config_in_progress = true;
  uint<16> sendq_head = 16'd0;
endtemplate
```

In general, however, init blocks are a more general mechanism for constraining initial state, for example the following condition cannot be captures using initial variable assignments:

```
template linux_uart_drv(uart_dev dev)
    init (config_in_progress == true) ||
        (sendq_head == 16'd0);
endtemplate
```

A template can contain multiple init blocks. In using init blocks, one must make sure that different init blocks do not contradict each other and initial variable assignments, leading to an empty initial set, as in the following example:

```
template linux_uart_drv(uart_dev dev)
  bool config_in_progress = true;
  init config_in_progress == false;
```

```
<u>endtemplate</u>
```

#### Always blocks

An always block is an arbitrary statement that is automatically prepended to all transitions of the system. It is intended as a low-level mechanism that allows implementing certain behaviours that are tricky to achieve without it. It should be used with care and should probably be hidden behind syntactic sugar.

```
<always> := "always" <statement>
```

#### **Processes**

See Section A.1.3.

#### Methods

A method declaration consists of

- optional export qualifier that indicates whether the method can be invoked from outside its template
- method category specifier that labels the method as function, procedure, or task, and in the last case optionally as a controllable or uncontrollable task (Section A.1.3)
- return type or void if the method does not return a value
- argument list
- method body

Method arguments are used to pass data both to and from the method. Each individual argument can be declared as an input or an output argument, but not both. Syntactically, input and output arguments are distinguished using the out qualifier.

Both input and output arguments can be read and modified in the body of the method; however the initial value of an output argument is non-derministic. The final value of an input argument is dropped, while the final value of an output argument is propagated to the L-expression (Section A.2.4) passed as the actual argument to the method. Note that for controllable and uncontrollable tasks the output value is propagated to the argument at the beginning of the next transition performed by the process after the implicit pause location following the return statement (Section A.2.5).

**Method body** Method body declaration can be written in the *complete* or *partial* form. A complete declaration is simply a TSL statement. A partial declaration consists of an optional preamble and an optional epilogue that are intended to execute respectively before and after the main body of the method declared in the child template. If neither the preamble not the epilogue are specified, then the body of the method remains empty.

The full method body is constructed by recursively merging the method body provided in the method declaration with the overloaded method declaration in the parent template (if one exists) using Algorithm 30. The following examples illustrate the algorithm.

```
// global variable
<u>bool</u> x;
```

#### Algorithm 30

```
Input: Method body M, where M is either a complete body (b) or partial
   body (p, e).
   Output: Method body merged with the parent body (if one exists)
 1: function FULLBODY(M)
       // Find previous method declaration in one of parent templates
 2:
       M' \leftarrow PARENTMETHOD(M)
 3:
       if M' = nil then
 4:
           // M is not an overloaded method
 5:
           return M
 6:
       end if
 7:
       case (M, FULLBODY(M')) of
 8:
           //Parent method has a complete body: override it
 9:
10:
           (M,(b')): return M
           // Both parent and child have partial bodies: merge
11:
           // preambles and epilogues using sequential composition
12:
           ((p, e), (p', e')): return ((p'; p), (e; e'))
13:
           // Child has a complete body, parent has partial body: prepend
14:
           // and append parent's preamble and epilogue to the child
15:
           ((b), (p', e')): return (p'; b; e')
16:
           otherwise: return error
17:
18: end function
```

```
// parent declaration
procedure void p(uint<16> arg)
before{
    assume(arg != 0);
};
after{
    assert(x);
};

// child declaration
procedure void p(uint<16> arg)
{
    x = (arg > 5);
};

// full child method body generated by the compiler
procedure void p(uint<16> arg)
```

```
{
    assume (arg != 0);
    x = (arg > 5);
    assert(x);
};
```

```
// parent declaration
procedure void p(uint<16> arg)
before {
  <u>assume</u>(arg != 0);
};
<u>after</u>{
  assert(x);
};
// child declaration
procedure void p(uint<16> arg)
before{
 x = (arg > 5);
};
// full child method body generated by the compiler
procedure void p(uint<16> arg)
before{
   assume(arg != 0);
   x = (arg > 5);
};
after{
assert (x);
};
```

#### Goals

```
<goalDecl> := "goal" <ident> "=" <expr>
```

See Section A.1.5.

#### Wire declarations

Wire declaration (Section A.1.4) consists of wire type, wire name, and optional wire expression.

```
<wire> := ["export"] "wire" <typeSpec> <ident> ["=" <expr>]
```

The wire expression is defined over global variables and wires of the current template and other templates accessible via hierarchical identifiers. However, circular dependencies among wire expressions are forbidden. If the wire expression is omitted, the wire is a *pure wire* that must be re-defined in child templates. In merging template with its parents, the TSL compiler picks the last wire declaration in the inheritance hierarchy.

# ${f B}$ User Guided Synthesis of an I $^2$ C Driver

In this appendix we will step through synthesis of the driver for a simple but real device. The device we are targeting is an  $I^2C$  controller on a Samsung Exynos 5 system on ship. We assume the there is no operating system i.e. the driver runs on bare metal.

We start with the operating system specification. This gives us the interface that the driver is expected to provide. I<sup>2</sup>C is a bus protocol typically used to attach low speed devices to a processor. I<sup>2</sup>C transactions take place between a master device and a slave device. They are always initiated by the master, which may request a read or a write. Each device on an I<sup>2</sup>C bus has an address which is used by the master to identify the slave that it wants to communicate with. In this walkthrough, we will synthesise the driver code necessary to perform a write in master mode.

I<sup>2</sup>C transactions occur in three phases:

- 1. The transaction is initiated and the address of the slave that the master wants to communicate with is placed on the bus.
- 2. The master sends some number N of bytes.
- 3. The master ends the transaction by sending a stop bit.

# **B.1** Driver Template

Our driver interface provides three functions, <code>send\_address()</code>, <code>send\_data()</code> and <code>send\_stop()</code>, one for each phase. In C code, the driver may be used like so:

Figure B.1: Usage of the I<sup>2</sup>Cdriver

```
send_address(0xAD);

//Call the below function as many times as you like:
send_data(dat0);
send_data(dat1);
send_data(dat2);
send_stop();
```

Additionally, it provides a function called configure () that initialises the device so that it is ready to perform transactions.

We declare these required functions in the driver template (Listing B.1):

Listing B.1: Empty driver template

```
1 import <class.tsl>
2 import <i2c.tsl>
3 import <os.tsl>
5 template i2c_linux_drv(i2c_dev_m3 dev, i2c_linux os)
7 derive i2c_drv;
9 task uncontrollable void configure(){
10
11 };
12
13 task uncontrollable void send_address() {
14
15 };
16
17 task uncontrollable void send_data(){
18
       . . . ;
19 };
21 task uncontrollable void send_stop(){
22
23 };
24
25 endtemplate
```

Each function stub contains a magic block (...;) (Section A.1.6). It is

Termite's job to fill these function bodies in.

### **B.2** Configuration

#### B.2.1 OS specification

The OS specification, given in Listing B.2, describes when these driver functions may be called and what is expected of them. It is essentially a testbench that expresses requirements of the driver with assertions and goals.

The main TSL process (Section A.1.3) is on line 27. The first thing it does is call configure (line 9) in the driver. This is followed by a call to the procedure configured (line 15). It is the job of configured to check that configure in the driver did its job. It obtains various configuration parameters from the device specification (Section B.2.2) and asserts that they are all initialised.

Of course, it makes no sense for the OS to call functions in the device hardware, and this does not happen in reality. These are *virtual functions* that are provided by the device specification to query its current state to enforce correct driver behaviour.

#### B.2.2 Device specification

The device specification, given in Listing B.3, provides the mechanism for the driver to set the required configuration values as well as the means for the OS to query those values (through virtual functions). Configuration values are set through register writes such as write8\_i2ccon on line 98. This code sets an internal register to the value written (line 98) and optionally influences the state machine of an in-progress master transaction (Section B.3).

ack\_enabled on line 20 is an example virtual interface function. This is called by the OS specification in configured to check that the hardware sends acknowledge bits. To ensure that this return true as required, the driver must set bit 7 to one when writing to the i2ccon register.

When a configuration value is changed, the device calls the virtual OS callback function <code>config\_updated()</code> on line 118. This callback, defined on line 7 of the OS specification, checks that the configuration parameters are still reasonable. This is needed because, for example, the register that is written to to initiate a master transaction also contains configuration information. This

ensures that the driver always keeps correct data in these configuration fields when initiating transactions.

#### **B.2.3** Synthesising

Ignoring the rest of the specification for now, we will attempt to synthesise the driver configuration function. We fire up Termite with termite -i main.tsl -s, it compiles the specifications and in less than a minute it has synthesised a strategy. A window, is created which allow the user to generate code in a user guided fashion. After navigating to the driver tab (Figure B.2) we can begin code generation. If we place the cursor in the magic block in the configure function and then click on the generate button, a line of code will be automatically generated. Clicking the generate button again three more times completes the configuration function as indicated by the magic block being replaced by an empty block, as shown in Figure B.3. This generated code correctly initialises the device such that all the assertions in configured pass. This concludes generation of the configure function.

#### **B.3** Master Write

#### B.3.1 OS specification

We continue from where we left off in the pos process in the OS specification. We first set a flag to signal that initialisation was successful and then we enter a forever loop (Section A.2.5). On each iteration, the loop non-deterministically chooses between performing a master read or a master write transaction. We do not cover synthesis of the master read transaction. Assuming execution of the process enters the master\_write function we end up at line 43.

This function models the behaviour we expect of the send\_address, send\_data and send\_stop sequence of driver functions. It uses a state variable master\_state to keep track of the current state of the master transmission.

Note the two *virtual callbacks* (similar to virtual functions) address\_written and data\_sent defined on lines 65 and 74 respectively. They are invoked by the device state machine when the address writing and data sending phases complete.



Figure B.2: Termite driver source code tab

#### B.3.2 Device specification

As with configuration, the device specification must provide the mechanism for the driver to perform the master write transaction. Again this is performed through register writes such as write8\_i2cstat on line 122. Observe that if bit 5 is set and there is currently no master transaction in progress, in addition to writing to the internal register, the write initiates a transaction by setting the enumeration master\_transmit\_st to transmitting\_adddress\_t.

Process pmaster (line 154) is the main device process responsible for performing the master transaction. pmaster is non-deterministically scheduled to run when events happen in the master state machine. When

```
master_transmit_st == transmitting_address_t
```

(as set by a previous write to i2cstat) on line 158 it signals to the operating system that the address was written using the address\_written callback on line 164, which triggers the operating system to update its internal state.



Figure B.3: Termite driver source code tab after code generation

Process pmaster handles data and stop bit transmission in the same way.

#### B.3.3 Synthesising

We proceed to generate code as we did for configuration. Code generation for <code>send\_address()</code> is shown in Figure B.4. The first two lines are generated automatically as before. However, on the third line, Termite gets stuck. It generates an if condition that says that if the device specification internal state variable <code>master\_transmit\_st</code> is equal to <code>addr\_transmitted\_t</code> then we can return from this function, otherwise, Termite is stuck. There are two problems with this code: the device internal variable is not accessible to the driver, and, one branch of the if statement is a dead end.

This is actually Termite's rather cryptic way of saying that the correct action is to wait until dev.master\_transmit\_st == addr\_transmitted\_t. This corresponds to waiting until the address is transmitted, which is what you would expect. The driver developer can verify this by replacing the entire



Figure B.4: Termite driver source code tab. Sending address.

if condition with

```
wait(dev.master_transmit_st == addr_transmitted_t)
```

.

This is a manifestation of the white box assumption that Termite makes. It assumes that the driver can access all of the system's state variables. To remedy this, manual intervention is needed. Consultation of the device manual tells us that after the address is sent the device sets bit 4 of i2ccon to one. So, we manually write code to loop while this bit is zero (line 34). We then rerun Termite with the amended driver and Termite checks that the manually written code is correct. Synthesis with the manually written code succeeds and, again, Termite creates the window shown in Figure B.5, verifying that the code is correct. So, while we were forced to write code manually, Termite was able to verify that is was correct.



Figure B.5: Termite driver source code tab. Sending address manual code.

We proceed in exactly the same way for the remaining functions <code>send\_data()</code> and <code>send\_stop()</code>. Each function requires us to manually work around the white box assumption as we did for <code>send\_address()</code>. The final driver is shown in Listing B.6.

# **B.4** Specifications

In this section we give all specifications in full. In addition to the specifications already discussed, we also give the class specification (Listing B.4) and the main file (Listing B.5). The class specification is much like C header and it declares datatypes and the externally visible interface to the other specifications. The main file creates an instance of each specification and ties them together.

Listing B.2: OS specification

```
3 template i2c_linux(i2c_drv drv, i2c_dev dev)
4
5 derive i2c_os;
7 procedure void config_updated() {
8
       if(inited){
9
            assert (dev.clk_src());
10
           assert (dev.clk_prescalar() == 4'h3);
           assert (dev.tx_int());
11
       } ;
13 };
14
15 procedure void configured() {
       assert (dev.ack_enabled());
16
       assert (dev.clk_src());
17
18
       assert (dev.clk_prescalar() == 4'h3);
19
       assert (dev.tx_int());
       assert (dev.sda_output_delay() == clocks15);
20
21
       assert (dev.filter_enable());
       assert (dev.slave_address() == 7'h54);
22
23 };
24
25 bool inited = false;
26
27 process pos {
28
       drv.configure();
29
       configured();
       inited = true;
30
31
       forever {
32
           choice {
                master_write();
33
34
                master_read();
35
                { };
36
           } ;
37
            pause;
38
       } ;
39 };
40
41 goal g1 = (master_state == master_idle) || sent;
42
43 task void master_write(){
44
       os_addr = *;
45
       master_state = address_pending;
46
47
       drv.send_address();
       assert (master_state != address_pending);
48
49
       forever {
```

```
if (master_state == data_pending) {
52
                os_data = *;
                was_sent = false;
53
                drv.send_data();
55
                assert (was_sent);
            } else if (master_state == stop_pending) {
56
57
                drv.send_stop();
58
                assert (master_state == master_idle);
59
            } else if (master_state == master_idle) break;
60
61
           pause;
       } ;
62
63
  };
64
65 procedure void address_written(uint<7> addr) {
       assert (master_state == address_pending);
66
67
       assert (addr == os_addr);
68
       master_state = data_pending;
69 };
70
71 bool decis;
72 prefix sent = false;
73
74 task void data_sent(uint<8> data) {
       assert (master_state == data_pending);
75
       assert (data == os_data);
76
77
       sent = true;
       was_sent = true;
78
       decis = *;
79
80
       if(decis){
81
           master_state = stop_pending;
       } else {
82
83
           master_state = data_pending;
84
       };
85 };
86
  task void stop_sent(){
87
       assert (master_state == stop_pending
88
89
               || master_read_state == master_read_stop_pending);
90
       master_state = master_idle;
91
       master_read_state = master_read_idle;
92 };
93
94 endtemplate
```

Listing B.3: Device specification

```
3 template i2c_dev_m3(i2c_os os)
4
5 derive i2c_dev;
7 const uint<8> I2CCON = 8'h00;
8 const uint<8> I2CSTAT = 8'h04;
9 const uint<8> I2CADD = 8'h08;
10 const uint<8> I2CDS = 8'h0C;
11 const uint<8> I2CLC = 8'h10;
12
13 //registers
14 uint<8> i2ccon = 8'h0;
15  uint<8> i2cstat = 8'h0;
16 uint<8> i2cadd;
17 uint<8> i2cds;
18 uint<8> i2clc = 8'h0;
19
20 function bool ack_enabled() {
21
       return i2ccon[7:7] == 1;
22 };
23
24 function bool clk_src(){
25    return i2ccon[6:6] == 1;
26 };
27
28 function bool tx_int(){
      return i2ccon[5:5] == 1;
29
30 };
31
32 function uint<4> clk_prescalar() {
       return i2ccon[0:3];
33
34 };
35
36 function mode_t mode_val(uint<8> val){
37
      case(val[6:7]) {
          2'h0 : return slave_receive;
38
          2'h1 : return slave_transmit;
39
           2'h2 : return master_receive;
40
           2'h3 : return master_transmit;
42
       } ;
43
       return slave_receive;
44 };
45
46 function mode_t the_mode(){
47
       return mode_val(i2cstat);
48 };
49
50 function bool val_enabled(uint<8> val) {
```

```
return val[4:4] == 1;
52 };
53
54 function bool enabled() {
      return val enabled(i2cstat);
55
56 };
57
58 function uint<7> slave_address() {
       return i2cadd[1:7];
59
60 };
61
62 function uint<8> shift_data(){
   return i2cds;
63
64 };
65
66 function bool filter_enable(){
67     return i2clc[2:2] == 1;
68 };
69
70 function sdaod sda_output_delay(){
      case(i2clc[0:1]) {
71
          2'h0 : return clocks0;
72
          2'h1 : return clocks5;
73
74
          2'h2 : return clocks10;
          2'h3 : return clocks15;
75
      } ;
76
77
       return clocks0;
78 };
79
80 task controllable uint<8> read8_i2ccon() {
      return i2ccon;
81
82 };
83
84 task controllable uint<8> read8_i2cds(){
85
       return i2cds;
86 };
87
88 task controllable uint<8> read8_i2cstat(){
      uint<8> tmp = i2cstat;
89
90
       if(master_transmit_st == idle) {
91
          tmp[5:5] = 0;
92
      } else {
93
          tmp[5:5] = 1;
94
      };
95
       return tmp;
96 };
98 task controllable void write8_i2ccon(uint<8> wval){
99 i2ccon = wval;
```

```
100
101
        //transmit state machine
        //clearing pending
102
103
        if(master_transmit_st == addr_transmitted_t && wval[4:4] == 0){
            if(i2cstat[5:5] == 0){
104
                 master_transmit_st = transmitting_stop;
105
106
            } else {
107
                 master_transmit_st = transmitting_data;
108
            } ;
109
        } ;
110
        if(master_transmit_st == addr_transmitted_r && wval[4:4] == 0){
            if(i2cstat[5:5] == 0){
111
                master_transmit_st = transmitting_stop;
112
113
            } else {
114
                master_transmit_st = receiving_data;
115
            } ;
116
        } ;
117
        os.config_updated();
118
119
   } ;
120
121
122
   task controllable void write8_i2cstat(uint<8> wval) {
        i2cstat[6:7] = wval[6:7];
123
        i2cstat[4:4] = wval[4:4];
124
        i2cstat[5:5] = wval[5:5];
125
126
        //transmit state machine
127
        //writing busy
128
129
        if(master_transmit_st == idle && val_enabled(wval)){
130
            if(wval[5:5] == 1){
                 //set busy
131
                 i2cstat[5:5] = 1;
132
133
                 case (mode_val(wval)) {
                     master_transmit : master_transmit_st = transmitting_address_t;
134
135
                     master_receive : master_transmit_st = transmitting_address_r;
136
                 };
137
            } ;
138
        } ;
139
   } ;
140
141 task controllable void write8_i2cadd(uint<8> wval) {
142
        i2cadd = wval;
143 };
144
145 task controllable void write8_i2cds(uint<8> wval) {
        i2cds = wval;
146
147 };
148
```

```
task controllable void write8_i2clc(uint<8> wval) {
150
        I2CLC : i2clc = wval;
151
   };
152
   //transmit state machine
153
   process pmaster {
154
155
        forever {
            pause;
156
157
            case(master_transmit_st) {
                 transmitting_address_t : {
158
159
                     //address is a write address
                     assert(i2cds[0:0] == 0);
160
161
162
                     master_transmit_st = addr_transmitted_t;
                     i2ccon[4:4] = 1;
163
                     os.address_written(i2cds[1:7]);
164
165
                 };
166
                 transmitting_data
                                        : {
                     master_transmit_st = addr_transmitted_t;
167
168
                     i2ccon[4:4] = 1;
                     os.data_sent(i2cds);
169
170
                 };
171
                 transmitting_address_r : {
                     //address is a read address
172
                     assert(i2cds[0:0] == 1);
173
174
175
                     master_transmit_st = addr_transmitted_r;
                     i2ccon[4:4] = 1;
176
                     i2cstat[0:0] = *;
177
178
                     os.address_written_read(i2cds[1:7], i2cstat[0:0]==1);
179
                 };
                 receiving_data : {
180
                     master_transmit_st = addr_transmitted_r;
181
                     i2ccon[4:4] = 1;
182
                     i2cds = *;
183
                     os.data_received(i2cds, i2ccon[7:7] == 1);
184
185
                 };
                 transmitting_stop
186
                     //i2ccon[4:4] = 1;
187
188
                     master_transmit_st = idle;
189
                     os.stop_sent();
190
                 } ;
191
            };
192
        };
   } ;
193
194
   endtemplate
```

#### Listing B.4: Class specification

```
1 typedef enum {
2
       slave_receive, slave_transmit, master_receive, master_transmit
3
  } mode_t;
5
  typedef enum {
      clocks0, clocks5, clocks10, clocks15
6
7
  } sdaod;
8
9 //internal state
10 typedef enum {
       idle,
12
       transmitting_address_t,
       addr_transmitted_t,
13
       transmitting_data,
15
       transmitting_address_r,
       addr_transmitted_r,
16
17
      receiving_data,
      transmitting_stop
19 } master_transmit_st_t;
20
21 template i2c_dev
22
23 function bool ack_enabled();
24 function bool clk_src();
25 function bool tx_int();
26 function uint<4> clk_prescalar();
27 function mode_t mode_val(uint<8> val);
28 function mode_t the_mode();
29 function bool val_enabled(uint<8> val);
30 function bool enabled();
31 function uint<7> slave_address();
32 function bool filter_enable();
33 function sdaod sda_output_delay();
35 //internal state
36 export master_transmit_st_t master_transmit_st = idle;
37
38 endtemplate
39
40 template i2c_drv
41
42 task uncontrollable void configure();
43 task uncontrollable void send_address();
44 task uncontrollable void send_data();
45 task uncontrollable void send_stop();
46 task uncontrollable bool send_address_read();
47 task uncontrollable uint<8> read_data(bool ack);
```

```
endtemplate
49
50
51 template i2c_os
52 export uint<7> os_addr;
53 export uint<8> os_data;
54 export uint<8> os_read_data;
55 export bool sent;
56
57 export uint<7> os_read_addr;
58
59 procedure void address_written(uint<7> addr);
60 task void data_sent(uint<8> data);
61 task void stop_sent();
62 procedure void address_written_read(uint<7> addr, bool acked);
63 task void data_received(uint<8> data, bool acked);
64 procedure void config_updated();
65
66 //internal state
68 typedef enum {
       master_idle,
69
70
       address_pending,
       data_pending,
71
       stop_pending
72
73 } master_state_t;
74
75 export master_state_t master_state = master_idle;
76
77 typedef enum {
78
       master_read_idle,
79
       master_read_address_pending,
80
       master_read_data_pending,
81
       master_read_stop_pending
  } master_read_state_t;
82
83
84
  export master_read_state_t master_read_state = master_read_idle;
85
86 export bool was_sent;
87
88 export bool was_recvd;
89
90 endtemplate
```

#### Listing B.5: Main file

```
1 import <os.tsl>
2 import <i2c.tsl>
```

36

```
import <drv.tsl>

template main

instance i2c_linux os (drv, dev);

instance i2c_dev_m3 dev (os);

instance i2c_linux_drv drv (dev, os);

endtemplate
```

#### Listing B.6: Synthesised driver

```
1 import <class.tsl>
2 import <i2c.tsl>
3 import <os.tsl>
5 template i2c_linux_drv(i2c_dev_m3 dev, i2c_linux os)
7 derive i2c_drv;
9
  task uncontrollable void configure(){
       //address = 0x54
10
11
       dev.write8_i2cadd(/*any value*/1'h0 ++ 7'h54);
12
       //clc = SDA_DELAY15CLK | FILE_EN
13
14
       dev.write8_i2clc(2'h3 ++ 1'h1 ++ /*any value*/5'h0);
15
       //control = ACK_EN | CLK_SRC | PRESCALE(3) | IRQ_EN &~ IRQ_PENDING
16
       dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
17
18 };
19
20 task uncontrollable void send_address() {
       //control = ACK_EN | CLK_SRC | PRESCALE(3) | IRQ_EN &~ IRQ_PENDING
21
       dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
22
23
       //data = os_addr (\&~ 1)
25
       dev.write8_i2cds(1'h0 ++ os.os_addr);
26
       //stat = MODE_MTX | ENABLE | BUSY
27
       dev.write8_i2cstat(/*any value*/4'h0 ++ 1'h1 ++ 1'h1 ++ 2'h3);
28
29
30
       //wait (control & IRQ_PENDING)
       uint<8> stat;
31
32
       do {
           stat = dev.read8_i2ccon();
33
       } while(stat[4:4] == 0);
35 };
```

```
task uncontrollable void send_data(){
       //data = os_data
38
       dev.write8_i2cds(os.os_data);
39
40
41
       //control = ACK EN | CLK SRC | PRESCALE(3) | IRO EN &~ IRO PENDING
       dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
42
43
44
       //wait (control & IRQ_PENDING)
       uint<8> stat;
45
46
       do {
47
           stat = dev.read8_i2ccon();
       } while(stat[4:4] == 0);
48
49
  };
50
51 task uncontrollable void send stop() {
       //stat = ANY_MODE | ENABLE &~ BUSY
52
53
       dev.write8_i2cstat(/*any value*/4'h0 ++ 1'h1 ++ 1'h0 ++ /*any value*/2'h0);
54
       //control = ACK_EN | CLK_SRC | PRESCALE(3) | IRQ_EN &~ IRQ_PENDING
55
56
       dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
57
       //wait (control & IRQ_PENDING)
58
       uint<8> stat;
59
60
       do {
           stat = dev.read8_i2cstat();
61
       } while(stat[5:5] == 1);
62
63
  };
64
65 task uncontrollable bool send_address_read(){
       //control = ACK_EN | CLK_SRC | PRESCALE(3) | IRQ_EN &~ IRQ_PENDING
66
       dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
67
68
69
       //data = os_addr (| 1)
       dev.write8_i2cds(1'h1 ++ os.os_read_addr);
70
71
72
       //stat = MODE_MRX | ENABLE | BUSY
       dev.write8_i2cstat(/*any value*/4'h0 ++ 1'h1 ++ 1'h1 ++ 2'h2);
73
74
75
       //wait (control & IRQ_PENDING)
76
       uint<8> stat;
77
       do {
           stat = dev.read8_i2ccon();
78
79
       } while(stat[4:4] == 0);
80
       uint<8> res = dev.read8_i2cstat();
81
82
       return (res[0:0] == 1);
83
  };
84
85 task uncontrollable uint<8> read_data(bool ack){
```

```
86
        //control = ACK_EN | CLK_SRC | PRESCALE(3) | IRQ_EN &~ IRQ_PENDING
87
        if(ack){
            dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h1);
88
        } else {
90
            dev.write8_i2ccon(4'h3 ++ 1'h0 ++ 1'h1 ++ 1'h1 ++ 1'h0);
91
        } ;
92
93
        //wait (control & IRQ_PENDING)
        uint<8> stat;
94
95
        do {
            stat = dev.read8_i2ccon();
96
97
        } while(stat[4:4] == 0);
98
        return dev.read8_i2cds();
99
100 };
101
102 endtemplate
```

# **Bibliography**

- Mike Accetta, Robert Baron, William Bolosky, David Golub, Richard Rashid, Avadis Tevanian, and Michael Young. Mach: A new kernel foundation for UNIX development. In *Proceedings of the 1986 Summer USENIX Technical Conference*, pages 93–112, Atlanta, GA, US, 1986.
- Thomas Ball, Byron Cook, Vladimir Levin, and Sriram K. Rajamani. SLAM and Static Driver Verifier: Technology transfer of formal methods inside Microsoft. In *Proceedings of the 4th International Conference on Integrated Formal Methods*, pages 1–20, 2004.
- Thomas Ball, Ella Bounimova, Rahul Kumar, and Vladimir Levin. SLAM2: Static driver verification with under 4% false alarms. In *Proceedings of the 2010 Conference on Formal Methods in Computer-Aided Design*, pages 35–42, Lugano, Switzerland, 2010. FMCAD Inc.
- Clark W. Barrett, David L. Dill, and Jeremy R. Levitt. A decision procedure for bit-vector arithmetic. In *DAC*, pages 522–527, San Francisco, California, USA, June 1998.
- Muli Ben-Yehuda, Jon Mason, Orran Krieger, Jimi Xenidis, Leendert Van Doorn, Asit Mallick, Jun Nakajima, and Elsie Wahlig. Utilizing IOMMUs for virtualization in Linux and Xen. In *Proceedings of the 2006 Ottawa Linux Symposium*, Ottawa, CA, July 2006.
- Dirk Beyer, Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. The software model checker BLAST: Applications to software engineering. *International Journal on Software Tools for Technology Transfer*, 9(5):505–525, 2007.
- Donald W. Boettner and Michael T. Alexander. The Michigan Terminal System. *Proceedings of the IEEE*, 63:912–918, 1975.

Randal E. Bryant. Graph-based algorithms for boolean function manipulation. *IEEE Transactions on Computers*, 35:677–691, 1986.

- J. R. Burch, E. M. Clarke, and D. E. Long. Symbolic model checking with partitioned transition relations. In *Proceedings of the IFIP TC10/WG 10.5 International Conference on Very Large Scale Integration*, pages 49–58. North-Holland, 1991.
- J. R. Burch, E. M. Clarke, K. L. McMillan, D. L. Dill, and L. J. Hwang. Symbolic model checking: 10<sup>20</sup> states and beyond. *Inf. Comput.*, 98(2):142–170, June 1992.
- Lukai Cai and Daniel Gajski. Transaction level modeling: an overview. In "1st International Conference on Hardware/Software Codesign and System Synthesis", pages 19–24, Newport Beach, CA, USA, 2003.
- Pavol Cerny, Thomas Henzinger, Arjun Radhakrishna, Leonid Ryzhyk, and Thorsten Tarrach. Efficient synthesis for concurrency by semantics-preserving transformations. In *25th International Conference on Computer Aided Verification*, pages 1–16, Saint Petersburg, Russia, July 2013.
- Pavol Cerny, Thomas Henzinger, Arjun Radhakrishna, Leonid Ryzhyk, and Thorsten Tarrach. Regression-free synthesis for concurrency. In *International Conference on Computer Aided Verification*, Vienna, Austria, July 2014a.
- Pavol Cerny, Thomas A. Henzinger, Arjun Radhakrishna, Leonid Ryzhyk, and Thorsten Tarrach. Regression-free synthesis for concurrency. In Armin Biere and Roderick Bloem, editors, *International Conference on Computer Aided Verification (CAV)*, volume 8559 of *Lecture Notes in Computer Science*, pages 568–584. Springer International Publishing, 2014b.
- Pavol Cerny, Edmund M. Clarke, Thomas A. Henzinger, Arjun Radhakrishna, Leonid Ryzhyk, Roopsha Samanta, and Thorsten Tarrach. From non-preemptive to preemptive scheduling using synchronization synthesis. In *International Conference on Computer Aided Verification (CAV)*, 2015.
- Vitaly Chipounov and George Candea. Reverse engineering of binary device drivers with revnic. In *Proceedings of the 5th European Conference on Computer Systems*, EuroSys '10, pages 167–180, New York, NY, USA, 2010. ACM.

Andy Chou, Jun-Feng Yang, Benjamin Chelf, Seth Hallem, and Dawson Engler. An empirical study of operating systems errors. In *Proceedings of the 18th ACM Symposium on Operating Systems Principles*, pages 73–88, Lake Louise, Alta, CA, October 2001.

- Edmund Clarke, Orna Grumberg, Somesh Jha, Yuan Lu, and Helmut Veith. Counterexample-guided abstraction refinement. In *CAV*, pages 154–169, Chicago, IL, USA, July 2000.
- Edmund M. Clarke, Daniel Kroening, Natasha Sharygina, and Karen Yorav. Predicate abstraction of ANSI-C programs using SAT. *Formal Methods in System Design*, 25(2-3):105–127, 2004.
- Christopher L. Conway and Stephen A. Edwards. NDL: a domain-specific language for device drivers. In *Proceedings of the Conference on Language, Compiler and Tool Support for Embedded Systems (LCTES)'04*, pages 30–36, Washington, DC, US, June 2004.
- Luca de Alfaro and Pritam Roy. Solving games via three-valued abstraction refinement. In *CONCUR*, pages 74–89, Lisboa, Portugal, September 2007.
- Dawson R. Engler, Benjamin Chelf, Andy Chou, and Seth Hallem. Checking system rules using system-specific, programmer-written compiler extensions. In *Proceedings of the 4th USENIX Symposium on Operating Systems Design and Implementation*, pages 1–16, San Diego, CA, October 2000.
- Alessandro Forin, David Golub, and Brian Bershad. An I/O system for Mach 3.0. In *Proceedings of the 2nd USENIX Mach Symposium*, pages 163–176, Monterey, CA, US, November 1991.
- Archana Ganapathi, Viji Ganapathi, and David Patterson. Windows XP kernel crash analysis. In *Proceedings of the 20th USENIX Large Installation System Administration Conference (LISA)*, pages 101–111, Washington, DC, US, 2006.
- Erich Grädel, Wolfgang Thomas, and Thomas Wilke, editors. *Automata Logics, and Infinite Games: A Guide to Current Research*. Springer-Verlag New York, Inc., New York, NY, USA, 2002. ISBN 3-540-00388-6.
- Susanne Graf and Hassen Saïdi. Construction of abstract state graphs with PVS. In *CAV*, pages 72–83, Haifa, Israel, June 1997.

Thomas A. Henzinger, Ranjit Jhala, Rupak Majumdar, and Grégoire Sutre. Lazy abstraction. In *POPL*, pages 58–70, Portland, Oregon, January 2002.

- Thomas A. Henzinger, Ranjit Jhala, and Rupak Majumdar. Counterexample-guided control. In *ICALP*, pages 886–902, Eindhoven, The Netherlands, July 2003.
- Youpyo Hong, Peter A. Beerel, Jerry R. Burch, and Kenneth L. McMillan. Safe bdd minimization using don't cares. In *Proceedings of the 34th Annual Design Automation Conference*, DAC '97, pages 208–213, New York, NY, USA, 1997. ACM.
- Intel Corporation. Cofluent technology. http://www.intel.com/ content/www/us/en/cofluent/cofluent-difference.html.
- Swen Jacobs. Extended AIGER format for synthesis. *CoRR*, abs/1405.5793, 2014.
- Swen Jacobs, Roderick Bloem, Romain Brenguier, Rüdiger Ehlers, Timotheus Hell, Robert Könighofer, Guillermo A. Pérez, Jean-François Raskin, Leonid Ryzhyk, Ocan Sankur, Martina Seidl, Leander Tentrup, and Adam Walker. The first reactive synthesis competition (syntcomp 2014). *arXiv:1506.08726*, 2015.
- Asim Kadav, Matthew J. Renzelmann, and Michael M. Swift. Tolerating hardware device failures in software. In *Proceedings of the 22nd ACM Symposium on Operating Systems Principles*, Big Sky, MT, US, 2009.
- Gerwin Klein, Kevin Elphinstone, Gernot Heiser, June Andronick, David Cock, Philip Derrin, Dhammika Elkaduwe, Kai Engelhardt, Rafal Kolanski, Michael Norrish, Thomas Sewell, Harvey Tuch, and Simon Winwood. seL4: Formal verification of an OS kernel. In *ACM Symposium on Operating Systems Principles*, pages 207–220, Big Sky, MT, USA, October 2009. ACM.
- Jochen Liedtke. Improving IPC by kernel design. In *Proceedings of the 14th ACM Symposium on Operating Systems Principles*, pages 175–188, Asheville, NC, US, December 1993.
- Jochen Liedtke, Ulrich Bartling, Uwe Beyer, Dietmar Heinrichs, Rudolf Ruland, and Gyula Szalay. Two years of experience with a  $\mu$ -kernel based OS. *ACM Operating Systems Review*, 25(2):51–62, April 1991.

Kenneth L. McMillan. *Symbolic Model Checking*. Kluwer Academic Publishers, Norwell, MA, USA, 1993. ISBN 0792393805.

- Fabrice Mérillon, Laurent Réveillère, Charles Consel, Renaud Marlet, and Gilles Muller. Devil: An IDL for hardware programming. In 4th USENIX Symposium on Operating Systems Design and Implementation, pages 17–30, San Diego, CA, USA, October 2000.
- Nina Narodytska, Alexander Legg, Fahiem Bacchus, Leonid Ryzhyk, and Adam Walker. Solving games without controllable predecessor. In *Proceedings of the 16th International Conference on Computer Aided Verification Volume 8559*, pages 533–540, New York, NY, USA, 2014. Springer-Verlag New York, Inc.
- OpenCores. 16550 UART core. http://opencores.org/project,a\_vhd\_16550\_uart.
- Nir Piterman, Amir Pnueli, and Yaniv Sa'ar. Synthesis of Reactive(1) designs. In *International Conference on Verification, Model Checking and Abstract Interpretation*, pages 364–380, Charleston, SC, USA, January 2006.
- Richard Rudell. Dynamic variable ordering for ordered binary decision diagrams. In *ICCAD*, pages 42–47, Santa Clara, CA, USA, 1993.
- Leonid Ryzhyk, Peter Chubb, Ihor Kuz, and Gernot Heiser. Dingo: Taming device drivers. In *Eurosys* 2009, pages 275–288, Nuremberg, DE, April 2009a.
- Leonid Ryzhyk, Peter Chubb, Ihor Kuz, Etienne Le Sueur, and Gernot Heiser. Automatic device driver synthesis with Termite. In *ACM Symposium on Operating Systems Principles*, pages 73–86, Big Sky, MT, US, October 2009b.
- Leonid Ryzhyk, Adam Christopher Walker, John Keys, Alexander Legg, Arun Raghunath, Michael Stumm, and Mona Vij. User-guided device driver synthesis. In *USENIX Symposium on Operating Systems Design and Implementation*, pages 661–676, Broomfield, CO, USA, October 2014.
- Fabio Somenzi. CUDD: CU decision diagram package. http://vlsi.colorado.edu/~fabio/CUDD/.
- Michael F. Spear, Tom Roeder, Orion Hodson, Galen C. Hunt, and Steven Levi. Solving the starting problem: device drivers as self-describing artifacts. In *1st EuroSys Conference*, pages 45–57, Leuven, Belgium, 2006.

Jun Sun, Wanghong Yuan, Mahesh Kallahalla, and Nayeem Islam. HAIL: a language for easy and correct device access. In *Proceedings of the 5th International Conference on Embedded Software*, pages 1–9, Jersey City, NJ, US, September 2005.

- Michael M. Swift, Brian N. Bershad, and Henry M. Levy. Improving the reliability of commodity operating systems. In *19th ACM Symposium on Operating Systems Principles*, Bolton Landing (Lake George), New York, USA, October 2003.
- Michael M. Swift, Muthukaruppan Annamalai, Brian N. Bershad, and Henry M. Levy. Recovering device drivers. In *Proceedings of the 6th USENIX Symposium on Operating Systems Design and Implementation*, San Francisco, CA, US, December 2004.
- Synopsys. Virtual prototyping models. http://www.synopsys.com/ Systems/VirtualPrototyping/VPModels.
- Alfred Tarski. A lattice-theoretical fixpoint theorem and its applications. *Pacific J. Math.*, 5(2):285–309, 1955.
- Termite. Termite 2 driver synthesis tool. http://www.termite2.org.
- Wolfgang Thomas. On the synthesis of strategies in infinite games. In 12th Annual Symposium on Theoretical Aspects of Computer Science, pages 1–13, 1995.
- Mona Vij, John Keys, Arun Raghunath, Scott Hahn, Vincent Zimmer, Leonid Ryzhyk, Adam Christopher Walker, and Alexander Legg. Device driver synthesis. *Intel Technology Journal*, 17(2):136–157, December 2013.
- Adam Christopher Walker and Leonid Ryzhyk. Predicate abstraction for reactive synthesis. In *Conference on Formal Methods in Computer-Aided Design*, Lausanne, Switzerland, October 2014.
- Wind River. Wind River Simics Model Builder user guide. version 4.4, September 2010.
- WindRiver. WindRiver Simics DS12887 Model. http://www.windriver.com/products/simics.

Raj Yavatkar. Era of SoCs, presentation at the Intel Workshop on Device Driver Reliability, Modeling and Synthesis, March 2012.