Available via license: CC BY 4.0
Content may be subject to copyright.
Date of publication xxxx 00, 0000, date of current version xxxx 00, 0000.
Digital Object Identifier 10.1109/ACCESS.2017.DOI
fbSAT: Automatic Inference of Minimal
Finite-State Models of Function Blocks
Using SAT Solver
KONSTANTIN CHUKHAREV1and DANIIL CHIVILIKHIN1
1Computer Technologies Laboratory, ITMO University, St. Petersburg, Russia
Corresponding authors: Konstantin Chukharev, Daniil Chivilikhin (e-mails: {kchukharev,chivdan}@itmo.ru).
ABSTRACT Finite-state models are widely used in software engineering, especially in control systems
development. Commonly, in control applications such models are developed manually, hence, keeping them
up-to-date requires extra effort. To simplify the maintenance process, an automatic approach may be used,
allowing inference of models from behavior examples and temporal specification. As an example of a specific
control systems development application, we focus on inferring finite-state models of function blocks (FBs)
defined by the IEC 61499 international standard for distributed automation systems.
In this paper, we propose a method for FB model inference from behavior examples based on reduction to
Boolean satisfiability problem (SAT). Additionally, we take into account linear temporal properties using
counterexample-guided synthesis. The developed tool fbSAT implementing the proposed method is evaluated
in three case studies: inference of a finite-state controller for a Pick-and-Place manipulator, reconstruction of
randomly generated automata, and minimization of transition systems. In contrast to existing approaches, the
suggested method is more efficient and produces finite-state models minimal both in terms of number of
states and guard conditions complexity.
INDEX TERMS Control system synthesis, Inference algorithms, Boolean satisfiability, Counterexample-
guided inductive synthesis, Formal verification, Model checking
I. INTRODUCTION
T
HE non-trivial process of develponig control logic for
an industrial control system may be reduced to the cre-
ation of a finite-state automaton or a system of interconnected
automata. Controller behavior may be represented using the
deterministic finite-state model, describing how the system
reacts to input events and which output actions it produces.
Such models are extensively used in program testing [1], [2]
(e.g. for model-based test case generation) and verification [3],
[4] (e.g. the behavior of a program is modeled using a finite-
state machine, and then model checking is applied to check
whether the model has the desired properties), as well as for
representing and modelling controllers in control systems.
One practical example of finite-state model application is
the international standard for distributed automation systems
development IEC 61499 [5], which defines control systems as
networks of interconnected function blocks (FBs), specified
by their interfaces and implementations (control algorithms).
In practice, most finite-state models for control applications
are developed manually
—
this is a tedious and error-prone
approach. Furthermore, there is the issue of maintaining these
models to be up-to-date and consistent during the changes in
system parameters, architecture, and logic. An alternative to
the manual process is automatic synthesis from given execu-
tion scenarios and/or temporal properties [6]–[13]. Inferred
models can be used for model-based testing, verification, and
can even replace the original controller.
The contribution of this paper is a method for synthesis of
minimal finite-state FB models, which, in contrast to existing
approaches, allows simultaneously and efficiently accounting
for (1) behavior examples, (2) linear temporal logic (LTL)
properties, and (3) minimality of synthesized automata both
in terms of number of states and guard conditions complexity.
We also present a tool FBSAT implementing the proposed
method, and evaluate it in several experimental case studies.
Our approach is designed for FB model synthesis, but it can
be applied to inference of other types of state machines with
minimal modifications (see e.g., Section VI).
VOLUME 4, 2016 1
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
Control
algorithm
(ECC)
i1
i2
x1
x2
x3
x4
o1
o2
z1
z2
z3
FIGURE 1. IEC 61499 Function block example
II. PROBLEM STATEMENT
A function block (FB) (Fig. 1) is characterized by its inter-
face and control algorithm. The interface defines input/output
events (sets
I
and
O
) and input/output variables (sets
X
and
Z
) which can be, for example, Boolean, integer or real-
valued. In this paper, we consider Boolean input/output vari-
ables only. The control algorithm is represented by a finite-
state machine extended with guard conditions, and called
execution control chart (ECC). In the following we will re-
fer to such a machine simply as an automaton. A complete
formal definition of an ECC can be found in [14]. Since in
this paper we deal only with Boolean inputs and outputs, we
use a simplified definition: an automaton
A
is a tuple
(Q, qinit,
I,O,X,Z, τ, ψ , ω), where:
•Qis a finite set of states;
•qinit ∈Qis the initial state;
•Iand Oare the sets of input/output events;
•Xand Zare the sets of input/output variables;
•τ:Q× I × B|X | →Qis the transition function;
•ψ:Q× I × B|X | →(O ∪ {ε})
is the output event
function;
•ω:Q× I × B|X | ×B|Z| →B|Z|
is the output function.
Each state has an associated output event and an algorithm, a
function that can modify the values of output variables
Z
. In
this paper, we only consider algorithms over Boolean vectors
B|Z| →B|Z |
, where each output variable only depends on its
previous value (assuming that its initial value is
False
). Each
transition has an associated input event and a guard condition,
which is a Boolean function that indicates the possibility to
follow the transition. We consider guard conditions to be
Boolean functions over the input variables
X
:
B|X | →B
. An
automaton
A
behaves as a finite-state transducer: it accepts
input actions and produces output actions, while keeping track
of output variable values. The transition function
τ:Q× I ×
B|X | →Q
defines the state in which the automaton finishes
processing an input action. The output event function
ψ:Q×
I × B|X | →(O ∪ {ε})
defines the output event emission rule.
Finally, the output function
ω:Q× I × B|X | ×B|Z| →B|Z|
defines the changes in output variable values. Note that the
automaton may not react to some input actions, i.e. it may
stay in the same state and not produce an output action. In that
case:
•τ(q, i, ¯x) = q;
•ψ(q, i, ¯x) = ε;
•ω(q, i, ¯x, ¯z) = ¯z,
where q∈Q,i∈ I,¯x∈B|X |,¯z∈B|Z| .
An execution scenario is a sequence of elements
⟨i[¯x], o[¯z]⟩
, where each element consists of an input ac-
tion
i[¯x]
and an output action
o[¯z]
. An input action is a pair
of an input event
i∈ I
and an input
¯x∈B|X|
, whereas an
output action is a pair of an output event
o∈ O ∪ {ε}
and
an output
¯z∈B|Z|
. An empty output event
ε
is necessary
to represent the absence of an output action, e.g., in the case
when an automaton does not react to an input action. A posi-
tive scenario is an execution scenario representing a desired
behavior of an automaton. Commonly, such scenarios are
obtained by simulating an existing model (in a simulation tool,
such as Matlab, nxtSTUDIO
1
), or by collecting data from a
real control system. An example of a set of three scenarios
S={s1, s2, s3}is shown below:
s1= [⟨R[00], ε[0]⟩;⟨R[01],B[1]⟩;⟨R[00], ε[1]⟩;⟨R[01],B[0]⟩],
s2= [⟨R[00], ε[0]⟩;⟨R[10],A[0]⟩;⟨R[00], ε[0]⟩;⟨R[01],B[1]⟩],
s3= [⟨R[00], ε[0]⟩;⟨R[10],A[0]⟩;⟨R[10],A[0]⟩].
(1)
We say that an automaton satisfies a scenario if, while se-
quentially receiving input actions from scenario elements,
it produces the same sequence of output actions as in the
scenario.
An LTL specification
L
is a set of LTL formulas describ-
ing the temporal properties of a finite-state model. An LTL
formula is an expression which may contain propositional
variables (here, input/output events/variables of the automa-
ton), logical connectives (
∧
,
∨
,
¬
,
→
), and temporal operators
(e.g.,
X
is “next”,
U
is “until”,
G
is “always”,
F
is “eventu-
ally”). An LTL specification can be verified using a model
checker, which produces a counterexample for each violated
LTL formula. We convert each counterexample into a negative
scenario representing an undesired behavior. We describe this
in detail in Section IV-B.
Ultimately, the problem addressed in this paper is to find
the most succint (minimal) automaton that satisfies all positive
scenarios
S+
and complies with the given LTL specification
L
.
Commonly, finite-state models are minimized w.r.t. their num-
ber of states and/or transitions [6], [8], [11]. In this work we
additionally explicitly consider complexity of guard condi-
tions: the automaton is minimized both in terms of the number
of states and the complexity of its guard conditions, measured
as the total number of vertices in parse trees of corresponding
Boolean formulas.
III. RELATED WORK
There exists a large body of work on SAT-based synthesis
of circuits, bit-vector programs, domain-specific programs,
etc. However, in this work we are interested specifically in
synthesis of finite-state machines: first, state-based models are
comprehensible, and their formal verification is relatively sim-
1↑https://www.nxtcontrol.com/en/engineering
2VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
ple; second, they can be directly used in control applications
for controller logic implementation, e.g., in Matlab/Stateflow,
nxtSTUDIO [15].
The problem of finding a minimal deterministic finite-
state machine from behavior examples is known to be NP-
complete [16], and the complexity of the LTL synthesis prob-
lem is double exponential in the length of the LTL specifica-
tion [17]. Despite this, synthesis of various types of finite-state
models from behavior examples and/or formal specification
has been addressed by many researchers including [3], [6]–[8],
[10]–[13], [18]–[22] with methods based on heuristic state
merging, evolutionary algorithms, and SAT solvers. In the
context of this paper we are interested in exact methods, so
we direct our attention to SAT-based methods.
The extended Finite-State Machine (EFSM) (in terms of [8])
is a model that is similar to the ECC considered in this paper:
it combines Mealy and Moore automaton semantics, and uses
conditional state transitions. Transitions are labeled with input
events and Boolean formulas over the input variables, and
automaton states have associated sequences of output actions.
Several approaches based on translation to SAT [8], [23] have
been proposed for inferring EFSMs from behavior examples
and LTL properties. In EFSM-tools [8], LTL properties are
accounted for via an iterative counterexample prohibition
approach, but minimization of guard conditions is not consid-
ered.
BoSy [7] implements bounded synthesis of a transition
system (a type of automaton similar to EFSM and ECC) only
from LTL properties (scenarios are not considered). Apart
from a SAT-based approach, a more efficient solution based
on a Quantified SAT (QSAT, also called QBF, Quantified
Boolean Formula satisfiability problem) encoding is devel-
oped. Transition systems inferred using the SAT encoding
are explicit (in the sense that the guard conditions include all
input variables), whereas the QSAT encoding generates sym-
bolic models (guard conditions are Boolean formulas over the
input variables). BoSy ensures minimality of found solutions
w.r.t. the number of states, however it does minimize guard
conditions, which tend to be large and incomprehensible. An
approach to simplify generated solutions is suggested in [24],
where the SAT encoding is augmented with constraints for
minimizing the number of cycles in the transition system.
However, guard conditions complexity is not addressed. Fur-
thermore, BoSy does not support behavior examples. Though
they can be modeled with LTL, this approach is inefficient
even for behavior examples of moderate size. Other LTL syn-
thesis techniques, e.g., G4LTL
-
ST [12] and Strix [25], have
the same drawbacks in application to the considered problem:
no guard conditions minimization and lack of support for
behavior examples.
In [26], the FBCSP method is proposed for inferring an
FB model from execution scenarios via a translation to the
Constraint Satisfaction Problem (CSP). However, FB CS P has
the following restrictions. Guard conditions are generated
in complete form, i.e. the corresponding Boolean formulas
depend on all input variables. Such models do not generalize
to unseen data. This is countered by a greedy guard condi-
tions minimization algorithm, but it does not guarantee the
minimality of the result. In [27], FB CSP is extended with
a counterexample prohibition procedure to account for LTL
properties, which is similar to the one used in EFSM-tools.
Guard conditions are represented with fixed-size conjunctions
of positive/negative literals of the input variables. The draw-
back of this approach is that it is inefficient when the LTL
specification is insufficiently covered with behavior examples.
In [28], a two-stage approach is developed: on the first
stage, a base model is inferred using a SAT encoding, and on
the second stage its guard conditions are minimized via a CSP
encoding, in which guard condition Boolean formulas are
represented with parse trees. By introducing a total bound on
the number of nodes in these parse trees and solving a series
of CSP problems, the method finds a model with minimal
guard conditions w.r.t. the base model identified on the first
stage. Global minimality of guard conditions is not guaranteed
due to the two-stage implementation: minimal guards may
correspond to another base model, not the one found on the
first stage. The same argument applies against any approach
based on state machine minimization [29]. In addition, LTL
properties are not supported by approaches of this type.
Overall, none of the existing methods allow simultaneously
and efficiently accounting for (1) behavior examples, (2) LTL
properties, and (3) minimality of synthesized automata in
terms of both the number of states and the complexity of the
guard conditions. The approach proposed in this paper ex-
tends [28] and contributes to the state-of-the-art in SAT-based
state machine synthesis: it supports positive behavior exam-
ples, realizes counterexample-guided synthesis to account for
LTL properties, and produces models minimal both in terms
of the number of states and guard conditions complexity.
IV. PROPOSED APPROACH
In this section we describe the proposed approach for inferring
minimal FB models from a given set of positive scenarios and
an LTL specification. In Section
IV-A
we describe a conve-
nient storage structure for execution scenarios, the scenario
tree. In Section
IV-B
we describe the process of verifying an
LTL specification using a model checker tool, which produces
a counterexample for each violated LTL formula. Obtained
counterexamples are converted into negative scenarios rep-
resenting the undesired behavior, which must be prohibited
in the desired automaton. In Section
IV-C
we describe the
reduction of the FB model inference problem to SAT. In Sec-
tion
IV-D
we describe the process of inferring an FB model
that is minimal both in terms of the number of states and guard
conditions complexity.
A. SCENARIO TREE
Ascenario tree
T
is a prefix tree built from the given scenar-
ios
S
. Before the scenario tree construction, we prepend each
scenario with an auxiliary element consisting only of an out-
put action
ε[⟨0. . . 0⟩]
. With this we ensure that all scenarios
VOLUME 4, 2016 3
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
have a common prefix. Each tree node and its incoming edge
correspond to a scenario element: a node is marked with an
output action, and an edge is marked with an input action.
Further in this paper, we will refer to the key features of a
scenario tree as follows:
V
is the set of tree nodes;
ρ∈V
is
the root of the tree;
tp(v)∈V
is the parent of node
v
,
v=ρ
;
tie(v)∈ I
is an input event on the incoming edge of node
v
,
v=ρ
;
toe(v)∈ O ∪ {ε}
is an output event in node
v
, where
ε
is an empty event;
V(act) ={v∈V\ {ρ} | toe(v)=ε}
is
the set of active tree nodes;
V(pass) ={v∈V\ {ρ} | toe(v) =
ε}
is the set of passive tree nodes;
U ⊆ B|X |
is the set of
inputs encountered in scenarios;
tin(v)∈ U
is an input on the
incoming edge of node
v
,
v=ρ
;
tov(v, z )∈B
is the value
of output variable zin node v. The root ρhas no parent, thus
tp(ρ)
,
tie(ρ)
, and
tin(ρ)
are undefined. A positive scenario
tree
T+
is a scenario tree built from positive scenarios
S+
.
An example of a scenario tree constructed from scenarios (1)
is shown in Fig. 2.
ε[0]
v1
ε[0]
v2
B[1]
v3
ε[1]
v4
B[0]
v5
A[0]
v6ε[0]
v7
B[1]
v8
A[0]
v9
R[00]
R[01]
R[00] R[01]
R[10]
R[00]
R[01]
R[10]
|V|= 9, ρ =v1,
I={R},O={A,B},
|X | = 2,|Z| = 1,
U={⟨00⟩,⟨01⟩,⟨10⟩,⟨11⟩}
FIGURE 2. Scenario tree constructed from scenarios (1).
B. LTL VERIFICATION, COUNTEREXAMPLES, NEGATIVE
SCENARIOS
An LTL specification can be verified using a model checker
tool, which produces a counterexample for each violated LTL
formula. We use a symbolic model checker NuSMV [30]. For
safety properties, a counterexample is a finite sequence of
execution states. For liveness properties, a counterexample
is an infinite but periodic sequence of states, which can be
represented as a finite prefix followed by a cycle [31].
q1
z←0
q2
z←0
q3
z←0
q4
z←0
q5
z←1
R&x
R&¬x
R&x
R&¬x
R&x
R&¬x
R&x
I={R},O=∅
X={x},Z={z}
FIGURE 3. Example automaton with a looping behavior
Anegative scenario is an execution scenario representing
an undesired behavior. We convert each counterexample into a
negative scenario as follows. Consider the example automaton
in Fig. 3, where
I={R}
,
O=∅
,
X={x}
,
Z={z}
.
Also consider two LTL properties:
L={G¬z, Fz}
. A
counterexample for the safety property
L1=G¬z
is
a finite sequence
[q1/0] R[1]
−−−→[q2/0] R[1]
−−−→[q4/0] R[1]
−−−→[q5/1]
.
Here, the notation
[q1/0]
indicates the execution state
(in NuSMV’s sense), in which the automaton is in the
state
q1
, and the current value of the output variable
z
is
0
.
The corresponding “loopless” negative scenario looks as
follows:
bs1= [⟨R[1],A⟩;⟨R[1],A⟩;⟨R[1],A⟩]
. Counterex-
ample for the liveness property
L2=Fz
is a finite prefix
followed by a cycle (Fig. 4).
finite prefix
z}|{
[q1/0]
cycle
z }| {
R[1]
−−−→[q2/0] R[1]
−−−→[q4/0] R[0]
−−−→[q3/0] R[1]
−−−→[q2/0]
FIGURE 4. Counterexample for the liveness LTL proper ty L2=Fz
The corresponding looping negative scenario looks as fol-
lows:
bs2= [⟨R[1],A⟩;⟨R[1],A⟩;⟨R[0],A⟩;⟨R[1],A⟩]
,
where the first element (underlined) is the beginning of a loop.
Anegative scenario tree
T−
is a scenario tree built from
negative scenarios
S−
. We denote the set of all nodes that
correspond to the last elements of loopless scenarios as
b
V(ends)
.
We augment the tree with special back edges from the end
to the beginning of each loop from looping scenarios. We
denote the set of all nodes which are connected with node
bv
via a back edge as
c
tbe(bv)⊆b
V
. For example, for the negative
scenario tree built from the scenario
bs2
only:
c
tbe(bv5) = {bv2}
(indices are shifted by 1, since we prepend the scenario tree
with an auxiliary root node
bρ=bv1
). All other tree features
are the same as defined in Section
IV-A
, but marked with the
hat symbol, e.g.,bv∈b
V,b
tp(bv),c
tie(bv).
C. FB MODEL INFERENCE USING SAT SOLVER
We propose a method for inferring an FB model based on
a reduction to SAT. The reduction consists in formally de-
scribing an automaton
A
of size
C
by constructing a Boolean
formula that is satisfiable if and only if there exists an au-
tomaton which satisfies given positive scenarios
S+
and does
not satisfy given negative scenarios
S−
. For encoding non-
Boolean variables with bounded domains we use standard
pairwise encoding (also known as “sparse” or “direct” [32])
and Onehot+Binary [33] encoding.
The reduction includes four parts. First, we encode the
automaton structure. Second, we encode the positive sce-
nario tree
T+
mapping and enforce its satisfaction. Third, we
encode the guard conditions structure,i.e. the structure of
parse trees of corresponding Boolean formulas, and declare
cardinality constraints bounding the guard conditions size.
Lastly, we encode the negative scenario tree
T−
mapping and
prohibit its satisfaction.
The goal is to infer an automaton with
|Q|=C
states. We
assume that each state has at most
K
outgoing transitions.
Further in this paper we assume that
K=C· |I|
, since
it is the safest minimum value that does not prohibit the
4VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
inference of an automaton, which may happen for smaller
values of
K
. However, lowering this value greatly reduces
the size of the reduction (i.e. number of declared Boolean
variables and clauses), which is likely to significantly increase
the solving efficiency. Further in this section we assume that
b∈B={⊥,⊤} ={0,1}
,
q, q′∈Q
,
k∈[1 .. K]
,
i∈ I
,
u∈ U,v∈V, unless stated otherwise.
1) Encoding the Automaton Structure
Each state has an associated output event and an algorithm.
Variable
ϕq∈ O ∪ {ε}
denotes the output event in state
q
.
Variable
γq,z,b ∈B
represents the algorithm for the output
variable z.
Each transition has an associated input event and a guard
condition, which is a Boolean function over the input vari-
ables
X
. Variable
τq,k ∈Q0(Q0=Q∪ {q0})
denotes the
destination state of the
k
-th transition from the state
q
. “Transi-
tions” to the auxiliary state
q0/∈Q
are called null-transitions
and represent the absence of a transition. W.l.o.g. we ensure
that null-transitions have the largest indices:
(τq,k =q0)→(τq,k+1 =q0).
Variable
ξq,k ∈ I ∪ {ε}
denotes the input event on the
k
-th
transition from the state
q
. Only null-transitions are marked
with the special εinput event:
(τq,k =q0)↔(ξq,k =ε).
Variable
θq,k,u ∈B
represents a guard condition repre-
sented by a truth table: it denotes the value of the guard
condition of the
k
-th transition from the state
q
for the input
u
.
Variable
δq,k,i,u ∈B
represents a guard firing function by
denoting whether the
k
-th guard from the state
q
fires on the
input action i[u]. These two variables are related as follows:
δq,k,i,u ↔(ξq,k =i)∧θq ,k,u.
According to the IEC 61499 standard, each state has a
transition priority: the automaton follows the first fired transi-
tion or stays in the same state if no transition fired. Variable
ffq,i,u ∈[0 .. K ]
denotes the index of a transition which fires
first on input action
i[u]
.
ffq,i,u = 0
means that no transition
fires at all. A transition fires first iff all previous transitions do
not fire:
(ffq,i,u =k)↔δq,k,i,u ∧^1≤k′<k (¬δq,k ′,i,u).
When the automaton in state
q
processes an input action
i[u]
, it either (1) switches to another state
q′
or (2) ignores
it (or rather, reacts by ignoring) by staying in the state
q
.
Such behavior is represented by variable
λq,i,u ∈Q0
, where
λq,i,u =q0
denotes the second (2) case. Note that in the first
(1) case the automaton may switch (through a loop-transition)
into the same state
q′=q
. Formally, the definition for
λ
is the
following:
(λq,i,u =q′)↔_k∈[1..K](τq ,k =q′)∧(ffq,i,u =k).
2) Bounding the Number of Transitions
In order to declare an upper bound for the total number of not-
null transitions
T
in the automaton, we impose the cardinality
constraint:
Xq∈Q, k∈[1..K]B OOL 2INT(τq,k =q0)≤T.
In order to encode this in CNF, we use a technique described
by [34], which consists in declaring a totalizer, which encodes
the sum in unary form, and a comparator, which bounds this
sum. We omit the formal definition of the resulting constraints
which can be found in [34].
3) BFS-based Symmetry Breaking for Automaton States
Additionally, we declare auxiliary symmetry-breaking con-
straints [9], which force the automaton states to be enumerated
in the order they are visited by the breadth-first search (BFS)
algorithm launched from the initial state. Variable
τBFS -A
qa,qb∈B
(
qa, qb∈Q
) indicates the existence of a transition from
qa
to qb:
τBFS -A
qa,qb↔_k∈[1..K](τqa,k =qb).
Variable
πBFS -A
qb∈ {q1, . . . , qb−1}
(
b∈[2 .. C]
) denotes the
parent of the state qbin the BFS traversal tree:
(πBFS -A
qb=qa)↔τBFS -A
qa,qb∧^c<a(¬τB FS-A
qc,qb).
The actual BFS constraint is defined as follows:
(πBFS -A
qb=qa)→^c<a(πB FS-A
qb+1 =qc).
4) Encoding the Mapping of Positive Scenario Tree
The goal is to organize a mapping
µ:V→Q
between the
nodes of the positive scenario tree
T+
and the states of the
automaton
A
(see Fig. 5). Variable
µv∈Q
denotes the sat-
isfying state in which the automaton finishes processing the
sequence of scenario elements formed by the path from the
root
ρ
to the node
v
. The root
ρ
itself maps to the initial state:
µρ=qinit.
Passive nodes (with
toe(v) = ε
) map to the same states
as their parents and correspond to the situation when the
automaton ignores the input action, thus:
(µp=q)→(µv=q)∧(λq,i,u =q0),
where v∈V(pass),p=tp(v),q∈Q,i=tie(v),u=tin(v).
Active nodes correspond to the situation when the automa-
ton reacts to an input action by switching the state and pro-
ducing an output action, which we constrain according to the
tree node:
(µp=q)→(µv=q′)→
→(λq,i,u =q′)∧(ϕq′=o)∧^z∈Z (γq′,z,b =b′),
where
v∈V(act)
,
p=tp(v)
,
q, q′∈Q
,
i=tie(v)
,
u=
tin(v)
,
o=toe(v)
,
z∈ Z
,
b=tov(p, z)
,
b′=tov(v, z )
.
See Fig. 5 for a mapping example.
VOLUME 4, 2016 5
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
qi
qj
v1
v2
v3
toe(v1) = o1
tie(v2) = i1
tin(v2) = u1
toe(v2) = ε
tie(v3) = i2
tin(v3) = u2
toe(v3) = o3
Scenario Tree
Automaton
ϕqi=o1
ϕqj=o3
λqi,i1,u1=q0
λqi,i2,u2=qj
i1[u1]
i2[u2]
µv1=qi
µv2=qi
µv3=qj
FIGURE 5. Tree–to–automaton mapping example
5) BAS IC Algorithm
Constraints declared so far allow inferring a computable au-
tomaton capable of processing input actions and reacting to
them by emitting output actions. Denote by
BAS IC∗(S+, C, T )
the procedure of inferring an automaton satisfying positive
scenarios
S+
, which has
C
states and at most
T
transitions.
This procedure consists of (1) building a positive scenario
tree, (2) encoding the automaton structure, the scenario tree
mapping, and the cardinality constraint “total number of not-
null transitions is at most
T
”, and (3) delegating the con-
structed CNF formula to the SAT solver. The constructed
CNF formula consists of
O(C2· |I| · |U | +C· |V|)
variables
and
O(C3· |I| · |U | +C2· |V| · |Z| +C· |V| · |U |)
clauses.
Additionally, denote by
BAS IC(S+, C) = BAS IC∗(S+, C, ∞)
an alias for the call without a bound on T.
6) Encoding the Structure of Guard Conditions
In the above encoding, guard conditions are represented as
truth tables (by variable
θ
), which are not human
-
interpretable
or usable in control systems development software such as
Matlab or nxtSTUDIO[15], where guard conditions must
be explicitly represented with Boolean formulas. Therefore,
we supplement the reduction with an encoding of arbitrary
Boolean formulas over the input variables
X
; each Boolean
formula is represented by its parse tree. Each tree is built of
P
nodes, where
P
is a parameter. Each node may be either a
Boolean operator node or a terminal node representing an
input variable. However, not all formulas may need as much
as
P
nodes, and some nodes may remain unused, i.e. not
included in the tree. We call such nodes none-typed. We define
the size of a parse tree as the number of typed (i.e. not none-
typed) nodes in it. Further in this section we assume that
p∈[1 .. P ],q∈[1 .. C ],x∈ X , unless stated otherwise.
Variable
ηq,k,p ∈ {□,∧,∨,¬,•}
denotes the type of the
p
-
th parse tree node of the guard condition on the
k
-th transition
from the state
q
, where
□
denotes a terminal node,
•
denotes
a none-typed node, and the rest are logical operators. Vari-
able
χq,k,p ∈ X ∪ {0}
denotes the input variable associated
with the node
p
(or its absence). Only terminal nodes have
associated input variables:
(ηq,k,p =□)↔(χq,k ,p = 0).
Variables
πq,k,p ∈[0 .. (p−1)]
and
σq,k,p ∈ {0} ∪ [(p+
1) .. P ]
denote, respectively, the parent and the (left) child
of the
p
-th node (or their absence, e.g.,
πq,k,p = 0
). These
variables are related as follows:
(σq,k,p =ch)→(πq,k ,ch =p).
Only typed nodes, except the root (p= 1), have parents:
(ηq,k,p =•)↔(πq,k ,p = 0).
We do not encode the right child explicitly, but for binary
operators we assume that it is next to the left one:
ηq,k,p ∈ {∧,∨} ∧ (σq,k ,p =c)→(πq,k,c+1 =p).
Since each binary operator node must have two children, the
P
-th and
(P−1)
-th nodes cannot be of type “
∧
” or “
∨
”.
Similarly, the P-th node cannot be of type “¬”.
Variable
ϑq,k,p,u ∈B
denotes the Boolean value of the
subformula (represented by the subtree rooted in node
p
) on
input
u
. Variable
θ
defined earlier is a shortcut for the root
node value:
θq,k,u ↔ϑq,k ,1,u.
Terminals have values from
the associated input variables; values of non-terminal nodes
are calculated according to their types and children values;
and none-typed nodes have False values:
(ηq,k,p =□)∧(χq,k,p =x)→^u∈U ϑq ,k,p,u ↔ux;
(ηq,k,p =∧)∧(σq,k,p =c)→^u∈U ϑq ,k,p,u ↔ϑq,k,c,u ∧ϑq,k ,c+1,u;
(ηq,k,p =∨)∧(σq,k,p =c)→^u∈U ϑq ,k,p,u ↔ϑq,k,c,u ∨ϑq,k ,c+1,u;
(ηq,k,p =¬)∧(σq,k,p =c)→^u∈U ϑq ,k,p,u ↔ ¬ϑq,k,c,u ;
(ηq,k,p =•)→^u∈U ¬ϑq,k,p,u .
7) Bounding the Total Guard Conditions Size
In order to declare an upper bound for the total size of all guard
conditions, i.e. the total number of typed (i.e. not none-typed)
parse tree nodes N, we impose the cardinality constraint:
Xq∈Q, k∈[1..K], p∈[1..P ]B OOL 2INT(ηq,k,p =•)≤N.
For encoding it in CNF, we again use a technique described
by [34], as explained in Section IV-C2.
8) BFS-based Symmetry Breaking for Guard Conditions
Additionally, we declare auxiliary symmetry-breaking con-
straints, which enforce the nodes of parse trees representing
the guard conditions to be enumerated in BFS order. Es-
sentially, they are almost identical to the BFS constraints
for automaton states, but declared for each parse tree sepa-
rately (for each
q∈Q
,
k∈[1 .. K]
). Variable
τBFS -G
a,b ∈B
(
1≤a<b≤P
) indicates the existence of an edge from the
a-th to the b-th node:
τBFS -G
a,b ↔(πq,k,b =a).
6VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
Variable
πBFS -G
b∈[1 .. (b−1)]
(
b∈[2 .. P ]
) denotes the parent
of the b-th node in the BFS traverse tree:
(πBFS -G
b=a)↔τBFS -G
a,b ∧^c<a(¬τB FS-G
c,b ).
The actual BFS constraint is defined as follows:
(πBFS -G
b=a)→^c<a(πB FS-G
b+1 =c).
9) EXTENDED Algorithm
Denote by
EXTENDED∗(S+, C, P, T , N)
the procedure for
inferring an automaton which satisfies positive scenarios
S+
,
has
C
states and at most
T
transitions, while each guard
condition (represented by a parse tree) consists of at most
P
nodes, and the total guards size is at most N. This procedure
consists of (1) building a positive scenario tree, (2) encoding
the automaton structure, the scenario tree mapping, the guard
conditions structure, and the cardinality constraints “total
number of not-null transitions is at most
T
” and “total size
of guard conditions is at most
N
”, and (3) delegating to the
SAT solver. The constructed CNF formula consists of
O(C2· |I| · |U | +C2·P· |U| +C· |V|)
variables and
O(C3· |I| · |U | +C2· |V| · |Z| +C2P2· |U| +C· |V| · |U |)
clauses. Additionally, denote by
EXTENDED(S+, C, P ) =
EXTENDED∗(S+, C, P, ∞,∞)
an alias for the call without
bounds on Tand N.
10) Encoding the Mapping of Negative Scenario Tree
The mapping
bµ:b
V→Q0
for the negative scenario tree is
similar to the positive one. The key difference is that the
negative tree may represent behaviors which the automaton
does not have. Moreover, it contains looping behaviors which
the automaton is explicitly prohibited to have.
Variable
bµbv∈Q0
denotes the satisfying state (or its ab-
sence) of the negative tree node
bv∈b
V
, where
bµbv=q0
denotes the absence of a satisfying state and corresponds to
the situation when the automaton does not have the behavior
represented by the negative tree. The root
bρ
of the negative
tree maps to the initial state of the automaton: bµbρ=qinit.
Passive nodes either (1) map to the same states as their
parents, or (2) map to q0:
(bµbp=q)→(bµbv=q)∨(bµbv=q0),
where
bv∈b
V(pass)
,
bp=b
tp(bv)
,
q∈Q
. The first (1) case
corresponds to the situation when the automaton ignores the
input action:
(bµbv=q)→(b
λq,i,u =q0),
where
bv∈b
V(pass)
,
q∈Q
,
i=c
tie(bv)
,
u=c
tin(bv)
. And
the second (2) case corresponds to the situation when the
automaton actively reacts to the input action, thus unsatisfying
the passive behavior captured in the negative scenario tree.
Similarly, active nodes either map to the state in which the
automaton switches after processing an input action, or stay
unmapped (i.e. mapped to q0):
(bµbp=q)→(bµbv=q′)↔
↔(b
λq,i,u =q′)∧(b
ϕq′=o)∧^z∈Z (bγq′,z ,b =b′),
where
bv∈b
V(act)
,
bp=b
tp(bv)
,
q, q′∈Q
,
i=c
tie(bv)
,
u=
c
tin(bv)
,
o=c
toe(bv)
,
z∈ Z
,
b=c
tov(bp, z)
,
b′=c
tov(bv, z)
.
Note that this constraint requires the equivalence operator
(
↔
) in contrast to the positive one (where implication (
→
)
in the same place is sufficient): the codomain of
bµ
is
Q0
,
but the constraint is only declared for
q′∈Q
. The use of
the equivalence operator allows avoiding the declaration of
constraints for the special case when bµbv=q0.
Additionally, if some node is unmapped, then this propa-
gates down the tree:
(bµb
tp(bv)=q0)→(bµbv=q0).
Lastly, in order to prohibit the undesired looping behavior
represented by back edges, we ensure that the start and the
end of each loop either map to different states, or both are
unmapped (i.e. mapped to q0):
^
bv′∈c
tbe(bv)
[(bµbv=bµbv′)∨(bµbv=bµbv′=q0)] .
11) COMPLETE Algorithm
Denote by
COMPLETE∗(S+,S−, C, P, N, T )
the procedure
for inferring an automaton which satisfies positive scenar-
ios
S+
, does not satisfy negative scenarios
S−
, has
C
states
and at most
T
transitions, while each guard condition parse
tree consists of at most
P
nodes, and the total guards size is at
most
N
. This procedure consists of (1) building positive and
negative scenario trees, (2) encoding the automaton structure,
the mapping of both positive and negative scenario trees, the
guard conditions structure, and the cardinality constraints
“total number of not-null transitions is at most
T
” and “total
size of guard conditions is at most
N
”, and (3) delegating to
the SAT solver. The constructed CNF formula consists of
O(C2·|I| · |U| +C2·P· |U| +C2·P·| b
U| +C· |V|+C·| b
V|)
variables and
O(C3· |I| · |U | +C3· |I| · | b
U| +C2· |V| · |Z|+
C2· | b
V| · |Z| +C2·P2· |U| +C2·P2· | b
U|+
C· |V| · |U| +C· | b
V|·|b
U|)
clauses. Additionally, denote by
COMPLETE(S+,S−, C, P ) =
COMPLETE∗(S+,S−, C, P, ∞,∞)
an alias for the call with-
out bounds on Tand N.
VOLUME 4, 2016 7
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
D. MINIMAL MODEL INFERENCE
Proposed methods require the automaton parameters
C
and
P
to be known in advance. In order to automate the inference
of minimal models so that the knowledge of
C
and
P
is not
needed, we use an iterative approach which we describe below.
1) BAS IC -MIN Algorithm
In order to quickly estimate the minimal number of states,
we use the
BAS IC(S+, C)
algorithm by iterating
C
bottom-
up: starting from 1 until we find a solution, an automaton
A
with
Cmin
states satisfying
S+
. Next, in order to obtain a
model with a minimal number of transtions, we use the
BAS IC∗(S+, Cmin, T )
algorithm by iterating
T
top-down: de-
creasing it by 1 until an even smaller model could not be found:
the solution is the last found automaton with Tmin transitions.
Let us denote this algorithm, which is formall described in Al-
gorithm 1, as BA SI C-MIN(S+).
Algorithm 1: BAS IC-MIN(S+)
Input: positive scenarios S+
Output:
automaton
A
with minimal number of states
Cmin
and transitions Tmin
// minimize number of states C
1: for Cmin = 1 to ∞do
2: A ← BAS IC(S+, Cmin)
3: if A =null then break
// minimize number of transitions T
4: while A =null do
5: Abest ← A
6: T′←getT(Abest)−1
7: A ← BAS IC∗(S+, Cmin, T ′)
8: return Abest
2) EXTENDED-MIN Algorithm
Assuming that the parameter
P
is known and the number of
states
C
is either given or estimated using the BAS IC -MIN
algorithm, we minimize the total size of guard conditions
N
using the same top-down iterative approach as during the
T
minimization described above, but using the EXTENDED al-
gorithm internally. Let us denote the described algorithm as
EXTENDED-MIN(S+, P ).
Note that we could additionally minimize the total number
of not-null transitions
T
, but in our current implementation
we do not do this. The reason for this is the observation that
the minimal value of
N
already implies a small number of
transitions in the automaton. Moreover, each naive top-down
minimization ends with a proof that the smaller solution does
not exist, leaving the SAT solver in the UNSAT state. Hence,
in order to perform two consecutive top-down minimizations,
we have to reset the solver, redeclare all the constraints and
re-solve the corresponding SAT problem from scratch. A well-
known technique allowing to overcome this is known as solv-
ing under assumptions: instead of declaring a cardinality con-
straint, we can assume it, and even if the resulting problem
is unsatisfiable, the SAT solver will still be operational and
able to continue the solving process with (possibly) other
assumptions.
3) EXTENDED-MIN-UB Algorithm
One can note that
P
, the maximum allowed size of a single
guard condition, is a required parameter and has to be provided
by the user or an external algorithm. Ultimately, an automatic
way of determining an appropriate value of parameter
P
is
desirable. Note that the solution, which is an automaton satis-
fying the given scenarios, exists only when
P
is large enough
to capture the necessary complexity of the guard conditions.
The simplest strategy is to iterate
P
starting from 1 and use
EXTENDED-MIN(S+, P )
until we find a solution
—
automa-
ton with
N=N∗
min —
for some
P∗
. However, there may
exist some value
P′> P ∗
for which the corresponding
N′
min
is even smaller than
N∗
min
. Therefore, in order to obtain the
globally minimal automaton in terms of
N
, we shall continue
the search process for
P > P ∗
up to a theoretical upper bound
as described below.
Consider
P=P′
. Ideally, we expect that all guard condi-
tions will be of size 1, and only one of them will be of size
P′
.
Also, ideally, there are exactly
Tmin
guards, therefore, the ideal
minimal total size of guard conditions is
N′
min =Tmin −1+P′′
.
Let us denote by
Nbest
min
the best, i.e. the most minimal value
found so far. Ultimately, we are looking for
N′
min < Nbest
min
,
thus
Tmin −1 + P′< Nbest
min
, from where the upper bound for
Pis P′≤Nbest
min −Tmin.
The process of searching
P
up to the theoretical upper
bound can take an extensive amount of time. Hence, we pro-
pose the following heuristic. Consider the two successive
values
P′
and
P′′ =P′+ 1
, and the corresponding values
N′
min
and
N′′
min
. The equality
N′
min =N′′
min
indicates the local
minimum (plateau). As we go further by incrementing the
value of
P′′
, the remaining equality extends the plateau width.
By choosing the critical plateau width
w
, on which to stop
incrementing
P
, we provide a trade-off between the execution
time and global minimality of the solution. When
w= 0
, the
algorithm is equivalent to the simplest strategy of searching
P
until the first SAT. When
w=∞
, the algorithm continues
to iterate
P
until an upper bound, resulting in globally min-
imal
Nmin
. An arbitrary choice of
w= 2
has shown a good
performance in our initial study. It is worth noting that with
this heuristic applied, our proposed method remains exact
in the sense that the inferred automata still satisfy the given
positive scenarios S+.
Let us denote by
EXTENDED-MIN-UB(S+, w)
the mini-
mization process described above. It is depicted by Algo-
rithm 2 and consists of two stages. First, we estimate the
automaton parameters
Cmin
and
Tmin
using the BA SI C-MIN
algorithm. Second, we iterate
P
starting from 1 and use the
EXTENDED-MIN algorithm to infer minimal models. We stop
8VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
Algorithm 2: EXTENDED-MIN-UB(S+,w)
Input: positive scenarios S+, maximum plateau width w
Output:
automaton
A
with minimal number of states
Cmin
and guard conditions size Nmin
1: Abasic ←BAS IC -MIN(S+)
2: Tmin ←getT(Abasic)
3: Cmin ←getC(Abasic)
4: Nbest
min ←Nprev
min ←Plow ← ∞
5: for P= 1 to ∞do
6: if P > (Nbest
min −Tmin)then break /*upper
bound reached */
7: if (P−Plow)> w then break /*max width
reached */
8: A ← EXTENDED-MIN(S+, Cmin, P )
9: if A =null then
10: Nmin ←getN(A)
11: if Nmin < Nbest
min then Nbest
min ←Nmin /*update
best found N*/
12: if Nmin =Nprev
min then Plow ←P/*update
local minimum */
13: Nprev
min ←Nmin
14: return A
the search in two cases: if the current
P
is greater than the
upper bound (
Nbest
min −Tmin
), or if the current local minumum
width is greater than the provided threshold w.
E. COUNTEREXAMPLE-GUIDED INDUCTIVE SYNTHESIS
In order to make the inferred automaton not only satisfy given
positive scenarios, but also comply with a given LTL specifi-
cation, we use a counterexample-guided inductive synthesis
(CEGIS) [35] iterative approach. On each CEGIS iteration, we
infer an automaton
A
using the COMPLETE algorithm, verify
the LTL specification
L
using the NuSMV [30] model checker,
and supplement the negative scenario tree with obtained coun-
terexamples, if any. The process shown in Fig. 6 repeats un-
til there are no more counterexamples, thus, the automaton
complies with
L
. Denote by
CEGIS∗(S+,L, C, P, T , N)
the
procedure implementing the described inductive synthesis,
where arguments are similar to ones in the COMPLETE
∗
al-
gorithm, and
L
is an LTL specification. Additionally, denote
by
CEGIS(S+,L, C, P ) = CEGIS∗(S+,L, C, P, ∞,∞)
an
alias for the call without bounds on Tand N.
Infer
Verify
No solution
Solution A
SAT, Anew CEs for L
UNSAT
no CEs
FIGURE 6. CEGIS loop
1) CEGIS-MIN Algorithm
Consider an automaton
A
produced by the CE GIS algorithm.
If we start minimizing the total size of guard conditions
N
,
the automaton will most likely stop complying with the LTL
specification, though the already obtained negative scenarios
will still not be satisfied. Therefore, we propose to main-
tain a minimal model on each CEGIS iteration. We begin
with a model produced by
EXTENDED-MIN-UB(S+, w)
(or
by
EXTENDED(S+, P )
, if
P
is provided) and continue by
running
CEGIS∗(S+,L, C∗, P ∗,∞, N ∗)
with estimated
C∗
,
P∗
and
N∗
, but without a bound on
T
. The UNSAT result
indicates that
N∗
is too small for an automaton to comply
with the given LTL specification
L
, hence we increase it and
continue the CEGIS. Note that this is the only moment we
stop solving incrementally, because we weaken the constraints
(upper bound for
N
). Let us denote the described process as
CEGIS-MIN(S+,L, w).
F. THE FBSAT TOOL
We implemented the proposed methods in an open-source
tool
2
FB SAT written in Kotlin. As a backend, FB SAT is able
to use any SAT solver that supports the standard DIMACS
input. Additionally, we developed an open-source library
kotlin-satlib3
, which, besides providing a common
SAT solver interface for Java/Kotlin, also wraps native SAT
solvers using JNI (Java Native Interface). Currently, it has
wrappers for MiniSat 2.2, Glucose 4, Cadical 1.4.1, Crypto-
MiniSat 5.8.0, but other solvers can be simply added at any
time.
V. CASE STUDY: PICK-AND-PLACE MANIPULATOR
The experimental evaluation of proposed methods was done
on a case study devoted to the inference of a finite-state model
of the controller for a Pick-and-Place (PnP) manipulator [36]
shown in Fig. 7. We also performed an evaluation on random
automata (Section VII) and transition system minimization
(Section VI). Experiments were conducted on a computer with
an Intel(R) Core™ i5-7200U CPU @ 2.50 GHz and 8 GB of
RAM.
III
III
IV
V 1 2 3
FIGURE 7. Pick-and-Place manipulator
The PnP manipulator consists of two horizontal pneu-
matic cylinders (I, II), one vertical cylinder (III), and
a suction unit (IV) for picking up work pieces (WPs).
When a WP appears on one of the input sliders (1, 2, 3),
2↑https://www.github.com/ctlab/fbSAT
3↑https://www.github.com/Lipen/kotlin-satlib
VOLUME 4, 2016 9
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
the horizontal cylinders position the suction unit on top
of the WP, the vertical cylinder lowers the suction unit
where it picks up the WP and then moves in to the out-
put slider (V). The control system is implemented using
IEC 61499 function blocks in nxtSTUDIO. The controller
is a basic FB with 10 input and 7 output Boolean variables.
Input variables include:
c1Home
/
c1End
(is horizontal cylin-
der I in fully retracted/extended position),
c2Home
/
c2End
(is horizontal cylinder II in fully retracted/extended posi-
tion),
vcHome
/
vcEnd
(is vertical cylinder III in fully re-
tracted/extended position),
pp1
/
pp2
/
pp3
(is a WP present
on input slider 1/2/3),
vac
(is the vacuum unit IV on).
Output variables include:
c1Extend
/
c1Retract
(ex-
tend/retract cylinder I),
c2Extend
/
c2Retract
(ex-
tend/retract cylinder II),
vcExtend
(extend cylinder III),
vacuum_on
/
vacuum_off
(turn the vacuum unit on/off).
The purpose of this case study was to infer a finite-state model
of this controller FB. The process of capturing scenarios for
the PnP manipulator controller is described by [26]. We used
sets of scenarios of various sizes: 1, 10, 39 and 49 scenarios
in each.
A. INFERENCE OF MINIMAL AUTOMATA FROM POSITIVE
SCENARIOS
In the first set of experiments, we compare methods that infer
minimal models from positive scenarios with explicit regard
of the guard conditions size. Our method was compared to the
TWO -STAG E approach from [28], where on the first stage a
basic automaton model is inferred with a SAT solver, and then
this model’s guard conditions are minimized with a CSP solver
w.r.t. given scenarios. Note that the TWO-S TAGE method has
already been shown to be superior to EFSM-tools.
We apply the proposed EXTENDED-MIN-UB method to
infer an automaton with the minimal number of states
Cmin
and total size of guard conditions
Nmin
. Three values of the
parameter
w
were used:
w= 0
for the case when first solution
found is considered final,
w= 2
for the case with the proposed
heuristic applied, and
w=∞
for the “without heuristic” case.
Results are summarized in Table 1, where for TWO -STAG E:
Cmin
is the minimal number of states,
Tmin
is the minimal
number of transitions,
Nmin
is the minimal total size of guard
conditions; and for EXTENDED-MIN-UB:
w
is the maximum
width of local minima plateau,
P
is the maximum guard
condition size,
T
is the number of transitions,
Nmin
is the
minimal total size of guard conditions. Results indicate that
EXTENDED-MIN-UB produces compact automata: in studied
cases, w= 2 already gives optimal results in terms of Nmin.
B. COMPARISON WITH LTL SYNTHESIS TOOLS
We considered tools BoSy [7] and G4LTL
-
ST [12], which
accept LTL specifications as input. Comparison was only
done for synthesis from scenarios, which were converted to
LTL formulas. For BoSy, we considered a simplified version
of scenario
S(1)
, for which passive elements were removed,
leaving only 8 scenario elements. The input-symbolic version
of BoSy was the only one that worked for this example, gen-
erating a solution with 9 states and 17 transitions in 273 s.
For G4LTL
-
ST, we selected the number of unroll steps (a
required parameter of this tool) equal to the length of the
largest scenario. For
S(1)
, a solution with 10 states (though
with verbose guard conditions) was found in 10 s. Larger sets
of scenarios required 16 unroll steps, and runs failed with a
memory limit of 8 GB. As expected, experiments showed that
LTL synthesis tools are not well-suited for inference of models
from finite-length scenarios. Experiments with LTL properties
were not considered due to (1) poor performance on scenarios,
and (2) lack of support for general-form NuSMV plant model,
which is crucial for synthesis from liveness properties.
C. INFERENCE OF AUTOMATA FROM POSITIVE
SCENARIOS AND LTL PROPERTIES
The third set of experiments is devoted to CEGIS. In order to
use the liveness LTL properties, the verification of candidate
models with NuSMV was performed in a closed loop [37]
with a manually prepared formal model of the plant
—
PnP
manipulator. This model defines the state of the plant and
its actions as implied by the controller commands. The set
of considered LTL properties (see Table 3) includes safety
properties
φ1, . . . , φ6
(“controller does not lead the system to
an unsafe state”) and liveness properties
φ7, . . . , φ10
(“some-
thing useful eventually happens”). Properties
φ1, . . . , φ7
are
fixed and used in all experiments, while the use of
φ8, . . . , φ10
varies. We focus on these last properties, which define that
whenever a WP is placed on some input slider, it will eventu-
ally be removed. Note that for the original PnP system [36]
only
φ8
is satisfied, while
φ9
and
φ10
are false (the controller
is not wait-free for sliders 2 and 3: if a WP is always present
on slider 1, WPs from sliders 2 and 3 will never be picked
up). Therefore, we consider the property for each input slider
separately, assuming that WPs never appear on other input
sliders. For the experiment with
φ9
, we use a special set of
scenarios
S(1)′′
, which consists of a single scenario describing
the processing of the WP from slider 2. Likewise, for
φ10
,
set
S(1)′′′
is used, which describes a one-time WP processing
from slider 3.
Three algorithms are compared: the proposed CE GIS-MIN
and CEGIS, and the CEGIS-extension of FB CS P [27], which
we refer to as FB CSP+LTL. Note that EFSM-tools, BoSy and
G4LTL
-
ST are not considered here, mainly due to the poor
performance on scenarios only. For our algorithms we use
w= 2
, as this value has shown a good performance in our
initial study. For a SAT solver we use MiniSat. Apart from run-
ning time and
N
, we measure
Ninit
(for the automaton initially
built only from positive scenarios using EXTENDED-MIN-UB)
and the number of CEGIS iterations (#iter). Experimental
results are summarized in Table 3. The automaton generated
using the CE GIS-MIN algorithm from scenarios
S(1)
and
LTL specification φ1, . . . , φ7, φ8is shown in Fig. 8.
Solutions found with CEGIS methods are always larger
than ones constructed from scenarios only (in terms of
N
).
This indicates that the used sets of scenarios are incom-
plete and do not cover considered specifications completely.
10 VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
TABLE 1. Inference of automata with minimal guard conditions from positive scenarios
S+|T +|TWO -STAG E [28] FB SAT: EXTENDED-MIN-UB
(w= 0) (w= 2) (w=∞)
time, s. Cmin Tmin Nmin time, s. P T Nmin time, s. P T Nmin time, s. PTNmin
S(1) 24 8 6 8 15 2 3 8 14 3 3 8 14 3 3 8 14
S(10) 234 3 8 17 36 16 3 18 38 51 5 16 25 88 5 16 25
S(39) 960 13 8 15 32 37 3 18 38 118 5 16 25 170 5 16 25
S(49) 2939 36 8 18 60 602 5 18 44 4305 6 16 39 51666 6 16 39
1 / ε
c1Extend → 0
c1Retract → 0
c2Extend → 0
c2Retract → 0
vcExtend → 0
vacuum_on → 0
vacuum_off → 0
2 / CNF
c1Extend → 1
c1Retract → 0
c2Extend → 0
vcExtend → 0
1:REQ/pp1
4 / CNF
c1Extend → 0
c1Retract → 1
c2Extend → 0
c2Retract → 1
vcExtend → 0
3 / CNF
c2Extend → 0
vcExtend → 1
2:REQ/pp1
5 / CNF
c2Extend → 0
vcExtend → 1
vacuum_on → 1
vacuum_off → 0
1:REQ/vac & c1Home
1:REQ/vcHome & vac
2:REQ/c1End & vcHome
6 / CNF
c2Extend → 0
vcExtend → 1
vacuum_on flip
vacuum_off → 1
1:REQ/vcEnd
1:REQ/c1Home
2:REQ/vcEnd
1:REQ/c1End
2:REQ/vcEnd
FIGURE 8. Automaton generated by CEGIS-MIN algorithm from S(1) and φ1,...,φ7, φ8
TABLE 2. Temporal properties for the Pick-and-Place system
Property Description
Fixed part
φ1=G(¬(c1Extend ∧c1Retract))
Cylinder I must not be issued commands to extend and
retract simultaneously.
φ2=G(¬(c2Extend ∧c2Retract)) Similar property for cylinder II.
φ3=G(¬(vacuum_on ∧vacuum_off)) Similar property for the vacuum unit.
φ4=G(¬vcHome ∧¬vcEnd →c1Home ∨c1End)
If the vertical cylinder is in the intermediate position,
cylinder I must be either in home or end position.
φ5=G(¬c1Home ∧¬c1End →vcHome ∨vcEnd)
If cylinder I is in the intermediate position, the vertical
cylinder must be either in home or end position.
φ6=G(all_home ∧¬pp1 ∧ ¬pp2 ∧ ¬pp3∧ ¬lifted →
X(¬c1Extend ∧¬c2Extend ∧ ¬vcExtend))
If all cylinders are in home position and no WP should be
processed, no commands to move any cylinders should
be issued.
φ7=G(lifted →F(dropped))
If a WP is lifted from the input slider it must eventually
be dropped to the output slider.
Variable part (one at a time)
φ8=G(pp1 →F(vp1)) If a WP appears on slider 1, it must be eventually lifted.
φ9=G(pp2 →F(vp2)) If a WP appears on slider 2, it must be eventually lifted.
φ10 =G(pp3 →F(vp3)) If a WP appears on slider 3, it must be eventually lifted.
Then, CEGI S-MIN always finds the smallest solutions
and is always faster than FB CSP+LTL. Most interestingly,
CEGIS-MIN allows efficiently constructing models for sce-
narios
S(1)
,
S(1)′′
, and
S(1)′′′ —
these scenarios do not
“cover” corresponding liveness properties of interest (e.g.,
φ8=G(pp1 →F(vp1))
) in the sense that each scenario
VOLUME 4, 2016 11
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
TABLE 3. Results of CEGIS experiments for PnP controller inference
LTL properties SNinit
CEGIS-MIN CEGIS FB CSP+LTL
time, s #iter P Nmin time, s #iter Ntime, s #iter Nmin
φ1, . . . , φ7, φ8
S(1) 14 56 273 3 16 45 151 34 >12h >500 –
S(10) 25 250 20 5 28 87 55 152 613 10 40
S(39) 25 350 70 5 28 155 56 150 1019 2 41
φ1, . . . , φ7, φ9S(1)′′ 14 361 193 3 16 192 430 32 >12h >500 –
φ1, . . . , φ7, φ10 S(1)′′′ 14 476 353 3 16 30 57 34 >12h >500 –
describes only a single processing of a WP. The existing
method FB CS P+LTL failed on these cases, while the pro-
posed approach succeeds with ease. Lastly, the CEGIS algo-
rithm allows constructing models fast, but losing the guard
conditions minimality.
Additionally, we repeated the CEGIS-MIN evaluation
with different SAT solvers using 20 different random
seeds. For MiniSat and Glucose, we specified the follow-
ing options:
random_var_freq=0.1
,
rnd_pol=true
,
rnd_init_act=true
. The resulting inference time distri-
butions are shown in Fig. 9. The high variance of inference
time for MiniSat/Glucose can be explained as follows: CEGIS
is basically a model guessing process, and any deviations
during it could result in different number of iterations (thus,
in different running time, since they are generally propor-
tional), especially when a small set of positive scenarios is
used, e.g.,
S(1)
. In contrast, the low variance of Cadical
results
indicates that probably either Cadical is not employing ran-
domness too much, or the models it produces are not heavily
dependent on this randomness, so CEGIS converges in a con-
stant number of iterations.
VI. CASE STUDY: SYNTCOMP BENCHMARK
As another case study and to demonstrate the applicability of
FB SAT to problems other than the synthesis of function block
models, in this section we show an example of FBSAT being
used to synthesize transition systems using benchmakrs from
the SYNTCOMP reactive synthesis competition [38].
One of the SYNTCOMP competition tracks, the sequential
synthesis track, is devoted to the synthesis of a transition
system from a given LTL specification
—
the so-called LTL
synthesis. There is a large variety of LTL synthesis tools
available including BoSy [7] and Strix [25]. To the best of our
knowledge, out of all LTL synthesis tools, only BoSy limits
the size of generated transition systems (number of states),
but it does not try to minimize the size of generated guard
conditions, which tend to be large and incomprehensible.
Note that FB SAT in its current version is not directly ap-
plicable to the LTL synthesis problem, as it requires positive
execution scenarios, which LTL synthesis does not use. How-
ever, here we show how to apply FBSAT for minimization
of transition systems generated by LTL synthesis tools, e.g.,
BoSy.
A transition system
T
[7] is a tuple
(T, t0,Σ, τ )
, where
T
is
a finite set of states,
t0∈T
is the initial state,
Σ = I∪O
is
an input/output interface,
I
is a finite set of propositional
variables controllable by the environment (inputs),
O
is a finite
set of propositional variables controllable by system (outputs),
and
τ:T×2I→2O×T
is a transition function, which maps
a state
t∈T
and a valuation of an input vector
i∈2I
to a
valuation of an output vector o∈2Oand a next state t′.
From analysis of this definition, one may note the similarity
between the transition system and the ECC of the basic func-
tion block. Overall, if the transition system is of the Moore
type (i.e. for any
t∈T
and
i=i′∈2I
with
τ(t, i)=(o,_)
and
τ(t, i′) = (o′,_)
it holds that
o=o′
), it can be easily
modeled using an ECC.
In this case study, we started from the
full_arbiter_3
instance from SYNTCOMP-2018 and used BoSy (input-
symbolic QBF-based version) to generate a transition sys-
tem satisfying the specification. The resulting transition
system
Aoriginal
was saved in the NuSMV format and had
C= 8
states,
T= 28
transitions with a total size of guard con-
ditions
N= 147
. The graphical representation of the resulting
transition system is shown in Fig. 12. Then we used NuSMV
to automatically generate 20 execution scenarios, each of
length 20, covering all transition system states. The goal was
to minimize the size of guard conditions while preserving the
transition system’s compliance with the LTL specification.
Note that the definition of the transition systems does not
constrain the transition function to be deterministic. However,
FB SAT is currently only applicable to the synthesis of de-
terministic state machines. Therefore, for this case study we
needed deterministic execution scenarios. In order to obtain
them, we augmented BoSy with corresponding constraints to
make the transition function deterministic.
Two experiments were conducted. In the experiments,
FB SAT was given as input the generated execution scenarios
and the LTL specification of the SYNTCOMP instance, and
the CEGIS-MIN algorithm was used. In the first experiment,
we ensured that the minimized transition system generated
by FB SAT is deterministic. Since the definition of the tran-
sition system does not include a transition priority function
(as in the ECC), it implies that guard conditions of transitions
originating from one state must not have a common satisfying
assignment. This additional constraint was added to FB SAT
12 VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
3109 ±138
1981 ±2253
1623 ±2449
134 ±6
259 ±99
724 ±862
482 ±25
270 ±41
448 ±71
275 ±22
225 ±47
362 ±43
340 ±5
222 ±116
580 ±680
S(1)'''
S(1)''
S(39)
S(10)
S(1)
10210 310 4
Time, s
Solver
minisat
glucose
cadical
FIGURE 9. Inference time distribution for the CEGIS-MIN method with different SAT solvers (Minisat 2.2, Glucose 4, Cadical 1.4.1) using 20 different random seeds.
Numbers on the left denote the mean and standard deviation (µ±σ)
for the purpose of this case study. As a result, we were able
to find a solution
Adeterministic
shown in Fig. 13 with the same
number of states and transitions, but with a smaller total size
of guard conditions N= 105.
In the second experiment we removed the determinism
constraint described above. We can do this because, as men-
tioned above, the transition system definition does not require
determinism. This way, the generated transition system will be
deterministic as an ECC (due to transition priority), but will
be non-deterministic as a transition system. As a result, for the
generated solution
Anon-deterministic
shown in Fig. 14 the size of
the guard conditions was greatly reduced down to N= 52.
These results indicate that our approach of explicit tree
representation of guard conditions allows to sufficiently mini-
mize the guard conditions size. It can potentially be applied
not only after LTL synthesis: it should be possible to augment
BoSy encodings [7] with our encodings for guard conditions
and minimize them during synthesis.
VII. CASE STUDY: RANDOM AUTOMATA
In order to test our developed tool FBSAT on more instances,
we perform its evaluation on randomly generated automata in
this case study.
The first step is to generate random automata. Initially, we
wanted to choose the automaton parameters similar to the
parameters of the model inferred in “Case Study: PnP Manipu-
lator” (Section V): number of states
C= 8
, one input and one
output event,
|X | = 10
input and
|Z| = 7
output variables.
However, our preliminary experiments with these parameters
has shown the predictable strong hardness of the random
automata synthesis problem. Hence, we chose to study sim-
pler models with the following parameters: number of states
C∈[4 .. 7]
, number of transitions
T=C2
(each state has a
transition to every other state),
P= 5
,
|X | ∈ {5,10}
input
and
|Z| = 5
output variables. For each
C
and
|X |
we generate
up to 100 random automata (for large parameter values
—
less
instances). Later we show that in the case of random automata
synthesis, the inference time quite accurately depends expo-
nentially on the size of the input data, so we can safely assume
that the extensive random evaluation with the initially desired
automaton parameters would require an unreasonable amount
of resources. Nevertheless, the main goal of the case study is
to explore the problem landscape and to determine the general
applicability of FB SAT as a model synthesis tool.
The second step is to simulate execution scenarios. We start
at the initial automaton state and sequentially select random
inputs. The automaton reacts to these input actions and pro-
duces output actions, forming an execution scenario. Note
that this random walk corresponds to a situation when the
plant has random dynamics. Hence, these randomly simulated
instances are most likely harder than real-world instances,
since real-world plants (such as the PnP manipulator) do
not have random dynamics. We simulate sets of scenarios
of the following sizes:
10 ×50
,
20 ×50
,
20 ×100
,
30 ×100
(“count”דlength”).
The next step is to infer the minimal automaton from the
simulated scenarios. We use the EXTENDED-MIN-UB algo-
rithm with
w= 0
, and Glucose SAT solver with the following
options:
random_var_freq=0.01
,
rnd_pol=true
,
rnd_init_act=true
,
timeout=1800s
(30 min).
Moreover, since we observed in Section
V-C
that different
solver seeds can greatly affect the results, we rerun the infer-
ence 3 times using different solver seeds. Though, it should be
noted that we do not aim to study the effect of using random
seeds, yet.
The final step is to validate the inferred automaton. We use
the “forward check” validation approach from [39], consisting
in generating a large validation set of scenarios
S100×100
validation
and
VOLUME 4, 2016 13
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
6000 6000 6000 5959/6000
1489/1500 448/500 207/500 39/500
6000 6000 6000 5977/6000
1497/1500 462/500 126/500 12/500
6000 6000 6000 5970/6000
1500 379/500 63/500 0/236
6000 6000 6000 5977/6000
1500 372/500 2/38 0/284
10x50
20x50
20x100
30x100
X = 5
X = 10
4 5 6 7 4 5 6 7 4 5 6 7 4 5 6 7
1
10
10 2
10 3
1
10
10 2
10 3
Number of states C
Time, s
FIGURE 10. Evaluation results for random automata synthesis. Each boxplot represents the inference time distribution of SAT instances finished within a 30 min
timeout. The numbers below each boxplot denote the number of SAT runs out of the total
4306/6000 2025/6000 628/6000 423/5959
647/1489 11/448 0/207 0/39
5429/6000 3722/6000 1851/6000 1011/5977
1095/1497 108/462 4/126 0/12
5727/6000 4647/6000 3430/6000 2247/5970
1287/1500 233/379 12/63
5867/6000 5068/6000 4206/6000 3130/5977
1373/1500 289/372 0/2
10x50
20x50
20x100
30x100
X = 5
X = 10
4 5 6 7 4 5 6 7 4 5 6 7 4 5 6 7
0
25
50
75
100
0
25
50
75
100
Number of states C
Forward check, %
FIGURE 11. Validation results for random automata synthesis. Each boxplot represents the distribution of “forward check” (in percent). The numbers below each
boxplot denote the number of 100%-validated runs out of the total SAT instance
checking whether the inferred automaton satisfies them. The
metric here is the percentage of satisfied scenarios. We expect
to confirm that a high coverage of target automata by scenarios
leads to good validation results.
The experimental results are shown in Fig. 10. For
C∈
[4 .. 6]
and
|X | = 5
, all
100 ·20 ·3 = 6000
runs finished with
a SAT result. For other parameter values, some runs timed out
after 30 minutes. Each boxplot represents the inference time
distribution only for SAT instances finished within a timeout.
The numbers below each boxplot (e.g., “5959/6000”) denote
the number of SAT runs out of the total, whereas a single
number denotes the absence of timeouts. Additionally, each
boxplot is supplied with (up to) 100 random sampled points,
in order to render the overall distribution. We observe that
the inference time depends at least exponentially on the size
of the input data, in particular, on the number of states
C
,
the number of input variables
|X |
, and the size of execution
scenarios. The validation results are shown in Fig. 11, where
each boxplot represents the distribution of “forward check”
(in percent), and the numbers below each boxplot denote the
number of 100%-validated runs out of the total SAT instances.
As expected, larger scenarios provide higher model coverage,
thence, higher “forward check”. And, the larger the model
—
the larger the size of scenarios necessary to capture the orig-
14 VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
inal model behavior. We can assume that this extrapolates
to non-random models, and use these results as a reference,
for example, when inferring a model with
C= 6
states, it is
probably best to use scenarios of size at least 20 ×100.
VIII. CONCLUSION AND FUTURE WORK
We have proposed a SAT-based approach for inference of
minimal FB models from execution scenarios and LTL prop-
erties, and implemented it in the tool FB SAT. The proposed
approach is the only one that allows direct minimization of
guard conditions complexity of synthesized automata. In par-
ticular, the EXTENDED-MIN-UB algorithm is guaranteed to
find the solution with globally minimal complexity of guard
conditions. Experiments showed that the suggested approach
outperforms existing ones and demonstrates predictable scala-
bility on random instances.
The proposed methods allow inferring minimal finite-state
models of function blocks from a given specification: exe-
cution scenarios and LTL properties. Scenarios are derived
from existing systems under learning (SULs) or by means of
simulation of existing systems’ models, and LTL properties
are written manually. Note that synthesized models are, in
general, not equivalent to the original SUL, and their behav-
ior may differ in situations not covered by the specification.
We assume that the given specification covers the necessary
behavior. Note that it is impossible to formally check neither
the conformance of the SUL to the LTL specification, nor the
equivalence of the synthesized model and the SUL: we do not
have explicit access to the SUL (i.e. to the internal structure
and source code) due to purely “passive learning” industrial
problem statement.
Future research may include synthesis of modular automata
and applying other encodings for integer variables and cardi-
nality constraints. In addition, developed encodings of tree-
form arbitrary guard conditions may be used to augment other
SAT-based methods for state machine synthesis. In particular,
adding our guard conditions to BoSy [7] may aid in decreasing
the sizes of generated transition systems. Another direction is
parallelization of the proposed approach: it is both possible to
perform iterations (e.g. in
BAS IC -MIN
) in parallel (i.e. launch
several independent instances of the algorithm for each value
of
C
in a certain range), and/or use an incremental parallel
SAT solver.
.
APPENDIX A FIGURES
The last pages of this manuscript contain several large figures
referenced throughout the paper.
ACKNOWLEDGEMENT
This work was supported by the Ministry of Science and
Higher Education of Russian Federation, research project no.
075-03-2020-139/2 (goszadanie no. 2019-1339).
References
[1]
L. Apfelbaum and J. Doyle, “Model based testing,” in
Software Quality Week Conference, 1997, pp. 296–300.
[2]
L. Marsso, R. Mateescu, and W. Serwe, “TESTOR: A modu-
lar tool for on-the-fly conformance test case generation,” in
Tools and Algorithms for the Construction and Analysis of
Systems, Springer International Publishing, 2018, pp. 211–
228.
[3]
I. Buzhinsky and V. Vyatkin, “Automatic inference of finite-
state plant models from traces and temporal properties,” IEEE
Transactions on Industrial Informatics Information, vol. 13,
no. 4, pp. 1521–1530, 2017.
[4]
E. Lee, Y.
-
G. Kim, Y.
-
D. Seo, K. Seol, and D.
-
K. Baik,
“RINGA: Design and verification of finite state machine for
self-adaptive software at runtime,” Information and Software
Technology, vol. 93, pp. 200–222, 2018.
[5]
V. Vyatkin, “IEC 61499 as enabler of distributed and intelli-
gent automation: State-of-the-art review,” IEEE Transactions
on Industrial Informatics Information, vol. 7, no. 4, pp. 768–
781, 2011.
[6]
M. J. H. Heule and S. Verwer, “Exact DFA identification
using SAT solvers,” in Grammatical Inference: Theoretical
Results and Applications, Springer Berlin Heidelberg, 2010,
pp. 66–79.
[7]
P. Faymonville, B. Finkbeiner, and L. Tentrup, “BoSy: An
experimentation framework for bounded synthesis,” in Com-
puter Aided Verification, Springer, 2017, pp. 325–332.
[8]
V. Ulyantsev, I. Buzhinsky, and A. Shalyto, “Exact finite-state
machine identification from scenarios and temporal proper-
ties,” International Journal on Software Tools for Technology
Transfer, vol. 20, no. 1, pp. 35–55, 2018.
[9]
V. Ulyantsev, I. Zakirzyanov, and A. Shalyto, “BFS-based
symmetry breaking predicates for DFA identification,” in
Language and Automata Theory and Applications, Springer
International Publishing, 2015, pp. 611–622.
[10]
G. Giantamidis and S. Tripakis, “Learning Moore machines
from input-output traces,” in Formal Methods, Springer
International Publishing, 2016, pp. 291–309.
[11]
F. Avellaneda and A. Petrenko, “FSM inference from long
traces,” in Formal Methods, Springer, 2018, pp. 93–109.
[12]
C.
-
H. Cheng, C.
-
H. Huang, H. Ruess, and S. Stattelmann,
“G4LTL-ST: Automatic generation of PLC programs,” in
Computer Aided Verification, Springer International Publish-
ing, 2014, pp. 541–549.
[13]
R. Smetsers, P. Fiter˘
au-Bro¸stean, and F. Vaandrager, “Model
learning as a satisfiability modulo theories problem,” in
Language and Automata Theory and Applications, Springer
International Publishing, 2018, pp. 182–194.
[14]
V. Dubinin and V. Vyatkin, “Towards a formal semantic
model of IEC 61499 function blocks,” in IEEE International
Conference on Industrial Informatics, IEEE, 2006, pp. 6–11.
[15]
“nxtControl - nxtStudio.” (), [Online]. Available: https://
www.nxtcontrol.com/en/engineering (visited on 07/28/2022).
[16]
M. Gold, “Complexity of automaton identification from given
data,” Information and Control, vol. 37, no. 3, pp. 302–320,
1978.
[17]
R. Rosner, “Modular synthesis of reactive systems,” Ph.D.
dissertation, The Wiezman Institute of Science, Rehovot, Is-
rael, 1991, 104 pp.
[18]
D. Neider and U. Topcu, “An automaton learning approach
to solving safety games over infinite graphs,” in Tools and
Algorithms for the Construction and Analysis of Systems,
Springer Berlin Heidelberg, 2016, pp. 204–221.
[19]
F. Coste and J. Nicolas, “Regular inference as a graph color-
ing problem,” in Workshop on Grammatical Inference, Au-
tomata Induction, and Language Acquisition, 1997, pp. 1–6.
VOLUME 4, 2016 15
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
[20]
I. Zakirzyanov, A. Morgado, A. Ignatiev, V. Ulyantsev, and
J. Marques-Silva, “Efficient symmetry breaking for SAT-
based minimum DFA inference,” in Language and Automata
Theory and Applications, Springer International Publishing,
2019, pp. 159–173.
[21]
F. Tsarev and K. Egorov, “Finite state machine induction us-
ing genetic algorithm based on testing and model checking,”
in Proceedings of the 13th Annual Conference Companion
on Genetic and Evolutionary Computation, ACM, 2011,
pp. 759–762.
[22]
A. Petrenko, F. Avellaneda, R. Groz, and C. Oriat, “FSM
inference and checking sequence construction are two sides
of the same coin,” Software Quality Journal, pp. 651–674,
2019.
[23]
N. Walkinshaw, R. Taylor, and J. Derrick, “Inferring extended
finite state machine models from software executions,” Em-
pirical Software Engineering, vol. 21, no. 3, pp. 811–853,
2015.
[24]
B. Finkbeiner and F. Klein, “Bounded cycle synthesis,” in
Computer Aided Verification, Springer International Publish-
ing, 2016, pp. 118–135.
[25]
P. J. Meyer, S. Sickert, and M. Luttenberger, “Strix: Explicit
reactive synthesis strikes back!” In Computer Aided Veri-
fication, H. Chockler and G. Weissenbacher, Eds., Cham:
Springer International Publishing, 2018, pp. 578–586, ISBN:
978-3-319-96145-3.
[26]
D. Chivilikhin, V. Ulyantsev, A. Shalyto, and V. Vyatkin,
“CSP-based inference of function block finite-state models
from execution traces,” presented at the International Confer-
ence on Industrial Informatics, IEEE, Jul. 2017, pp. 714–719,
ISBN: 978-1-5386-0837-1.
[27]
D. Chivilikhin, I. Buzhinsky, V. Ulyantsev, A. Stankevich, A.
Shalyto, and V. Vyatkin, “Counterexample-guided inference
of controller logic from execution traces and temporal formu-
las,” in 23rd IEEE International Conference on Emerging
Technologies and Factory Automation, IEEE, 2018, pp. 91–
98.
[28]
D. Chivilikhin, V. Ulyantsev, A. Shalyto, and V. Vyatkin,
“Function block finite-state model identification using SAT
and CSP solvers,” IEEE Transactions on Industrial Informat-
ics, vol. 15, no. 8, pp. 4558–4568, 2019.
[29]
T. Klenze, S. Bayless, and A. J. Hu, “Fast, flexible, and mini-
mal CTL synthesis via SMT,” in Computer Aided Verification,
Springer International Publishing, 2016, pp. 136–156.
[30]
A. Cimatti, E. Clarke, F. Giunchiglia, and M. Roveri,
“NuSMV: A new symbolic model checker,” International
Journal on Software Tools for Technology Transfer, vol. 2,
no. 4, pp. 410–425, 2000.
[31]
E. M. Clarke, O. Grumberg, and D. Peled, Model Checking.
MIT Press, 1999, 330 pp., ISBN: 978-0-262-03883-6.
[32]
T. Walsh, “SAT v CSP,” in 6th International Conference on
Principles and Practice of Constraint Programming, Springer
Berlin Heidelberg, 2000, pp. 441–456.
[33]
M. Björk, “Successful SAT encoding techniques,” Journal
on Satisfiability, Boolean Modeling and Computation, vol. 7,
pp. 189–201, 2009.
[34]
O. Bailleux and Y. Boufkhad, “Efficient CNF encoding of
Boolean cardinality constraints,” in Principles and Practice
of Constraint Programming, Springer Berlin Heidelberg,
2003, pp. 108–122.
[35]
A. Solar-Lezama, L. Tancau, R. Bodik, S. Seshia, and V.
Saraswat, “Combinatorial sketching for finite programs,”
ACM SIGOPS Operating Systems Review, vol. 40, no. 5,
pp. 404–415, 2006.
[36]
S. Patil, V. Vyatkin, and M. Sorouri, “Formal verification of
intelligent mechatronic systems with decentralized control
logic,” in IEEE Conference on Emerging Technologies and
Factory Automation, IEEE, 2012, pp. 1–7.
[37]
V. Vyatkin, H.
-
M. Hanisch, C. Pang, and C.
-
H. Yang,
“Closed-loop modeling in future automation system engineer-
ing and validation,” IEEE Transactions on Systems, Man,
and Cybernetics, Part C: Applications and Reviews, vol. 39,
no. 1, pp. 17–28, 2009.
[38]
S. Jacobs, R. Bloem, M. Colange, et al., “The 5th reactive
synthesis competition (SYNTCOMP 2018): Benchmarks,
participants & results,” 2019. [Online]. Available: https:
//arxiv.org/abs/1904.07736.
[39]
V. Ulyantsev and F. Tsarev, “Extended finite-state machine
induction using SAT-solver,” IFAC Proceedings Volumes,
vol. 45, no. 6, pp. 236–241, 2012.
KONSTANTIN CHUKHAREV received the Bach-
elor’s degree in control systems and informatics
and the Master’s degree in applied mathematics
and informatics from ITMO University, Saint Pe-
tersburg, Russia, in 2018 and 2020, accordingly.
Additionally, he finished the one-year program “Al-
gorithmic Bioinformatics” at Bioinformatics Insti-
tute, Saint Petersburg, Russia, in 2017.
He is currently a Ph.D. student and Junior Re-
search Associate with the Computer Technologies
Laboratory, ITMO University, Saint Petersburg, Russia. He studies formal
methods, software engineering, SAT solvers, and phylogenetics, while teach-
ing students discrete math and working on his Ph.D.
DANIIL CHIVILIKHIN received the Bachelor’s and
Master’s degrees in applied mathematics and infor-
matics from ITMO University, Saint Petersburg,
Russia, in 2011 and 2013, respectively; and the
Ph.D. degree in technical sciences (mathematics
and software for computing systems) from the same
university, in 2015.
He is currently an Associate Professor with the
Computer Technologies Laboratory, ITMO Univer-
sity, Saint Petersburg, Russia. His research interests
include program synthesis and verification, industrial informatics, evolution-
ary algorithms, and SAT solver applications.
16 VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
s0 (¬r_2 ∧ ¬r_0 ∧ ¬r_1)
s1
g_0
(¬r_1 ∧ ¬r_0 ∧ r_2)
s2
g_0
(r_2 ∧ ¬r_1 ∧ r_0)
s3
g_2
(r_2 ∧ r_1 ∧ r_0)
s4
g_1
(r_2 ∧ ¬r_0 ∧ r_1)
s5
g_0
(¬r_2 ∧ r_1 ∧ ¬r_0)
s6
g_1
(¬r_2 ∧ ¬r_1 ∧ r_0)
s7
g_2
(¬r_2 ∧ r_0 ∧ r_1)
(¬r_1 ∧ ¬r_0)
¬(¬(¬r_2 ∧ r_0 ∧ r_1) ∧ ¬(r_2 ∧ r_1 ∧ r_0))
¬(¬(¬r_2 ∧ r_1 ∧ ¬r_0) ∧ ¬(r_2 ∧ ¬r_0 ∧ r_1))
¬(¬(¬r_2 ∧ ¬r_1 ∧ r_0) ∧ ¬(r_2 ∧ ¬r_1 ∧ r_0))
¬r_1
r_1
⊤
r_0
¬r_0
(¬r_2 ∧ ¬r_0)
(r_2 ∧ ¬r_0)
¬(¬(r_2 ∧ r_1 ∧ r_0) ∧ ¬(r_2 ∧ ¬r_1 ∧ r_0))
(¬r_2 ∧ r_0)
(¬r_2 ∧ ¬r_1)
(r_2 ∧ ¬r_1)
(r_2 ∧ r_1)
(¬r_2 ∧ r_1)
r_2
¬r_2
FIGURE 12. Transition system Aoriginal generated by BoSy for the full_arbiter_3 instance has C= 8 states, T= 28 transitions with guard conditions of
size N= 147
VOLUME 4, 2016 17
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
1
g_0 → 0
g_1 → 0
g_2 → 0
~(r_0 | r_1) & ~r_2
2
g_0 → 0
g_1 → 1
g_2 → 0
r_0 & r_1 & ~r_2
3
g_0 flip
g_1 → 0
g_2 → 0
r_0 & ~r_1 & r_2
4
g_0 → 0
g_1 → 0
g_2 flip
r_2 & ~(r_1 | r_0)
5
g_0 flip
g_1 → 0
g_2 → 0
r_0 & ~(r_1 | r_2)
6
g_0 → 0
g_1 → 1
g_2 → 0
~(r_0 | r_2) & r_1
7
g_0 → 0
g_1 → 1
g_2 → 0
r_0 & r_2 & r_1
8
g_0 → 0
g_1 → 0
g_2 flip
r_2 & ~r_0 & r_1
r_2
~r_2 ~r_1
r_1
~(r_0 | r_1)
r_1 & r_0
r_0 & ~r_1
r_1 & ~r_0
~(r_2 | r_1)
r_2 & ~r_1
r_1 & ~r_2
r_2 & r_1
~(r_2 | r_0)
r_0 & ~r_2
r_0 & r_2
r_2 & ~r_0
r_0 ~r_0
r_0
~r_0
FIGURE 13. Deterministic minimized transition system Adeterministic generated by FB SAT has smaller guard conditions of size N= 105
18 VOLUME 4, 2016
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
Chukharev and Chivilikhin — fbSAT: Automatic Inference of Minimal Finite-State Models of Function Blocks Using SAT Solver
1
g_0 → 0
g_1 → 0
g_2 → 0
~r_2
2
g_0 flip
g_1 → 0
g_2 → 0
r_0 & r_2
3
g_0 flip
g_1 → 0
g_2 → 0
r_0
4
g_0 → 0
g_1 flip
g_2 → 0
r_1 & r_0 & r_2
5
g_0 → 0
g_1 → 0
g_2 flip
r_2
6
g_0 → 0
g_1 flip
g_2 → 0
r_1
7
g_0 → 0
g_1 → 0
g_2 flip
r_2 & r_1
8
g_0 → 0
g_1 → 1
g_2 → 0
r_0 & r_1
~r_1
r_1
~r_2
r_2
r_1
r_1 & r_2
~r_1 r_1~r_0
r_0
r_1
r_1 & r_0 ~r_2
r_0 & r_2
r_2
r_0
~r_0
r_0
r_2
~r_2
FIGURE 14. Non-deterministic minimized transition system Anon-deterministic generated by FB SAT has much smaller guard conditions of size N= 52
VOLUME 4, 2016 19
This article has been accepted for publication in IEEE Access. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/ACCESS.2022.3229003
This work is licensed under a Creative Commons Attribution 4.0 License. For more information, see https://creativecommons.org/licenses/by/4.0/
