From LTL and Limit-Deterministic B\"uchi Automata to Deterministic Parity Automata
Javier Esparza, Jan K\v{r}et\'insk\'y, Jean-Fran\c{c}ois Raskin, and Salomon Sickert

TL;DR
This paper presents a more efficient, single exponential method for translating limit-deterministic B"uchi automata to deterministic parity automata, improving the process of controller synthesis from LTL specifications.
Contribution
It introduces a novel single exponential translation from LDBA to DPA and combines it with existing LTL-to-LDBA translation for a double exponential, Safraless LTL-to-DPA method.
Findings
The new translation is more efficient than previous methods.
Implementation shows competitive performance against existing tools.
Applicable to complex LTL formulas, including benchmark instances.
Abstract
Controller synthesis for general linear temporal logic (LTL) objectives is a challenging task. The standard approach involves translating the LTL objective into a deterministic parity automaton (DPA) by means of the Safra-Piterman construction. One of the challenges is the size of the DPA, which often grows very fast in practice, and can reach double exponential size in the length of the LTL formula. In this paper we describe a single exponential translation from limit-deterministic B\"uchi automata (LDBA) to DPA, and show that it can be concatenated with a recent efficient translation from LTL to LDBA to yield a double exponential, \enquote{Safraless} LTL-to-DPA construction. We also report on an implementation, a comparison with the SPOT library, and performance on several sets of formulas, including instances from the 2016 SyntComp competition.
Peer Reviews
No public reviews on file for this paper yet. If you reviewed it on a platform where reviews are public (OpenReview, ICLR, NeurIPS, ICML), you can paste yours below so the community can read it here.
Videos
No videos yet. Explain this paper in a talk, walkthrough, or lecture? Add one.
11institutetext: Technische Universität München 11email: {esparza, jan.kretinsky, sickert}@in.tum.de 22institutetext: Université libre de Bruxelles 22email: [email protected]
From LTL and Limit-Deterministic Büchi Automata to Deterministic Parity Automata
††thanks: This work is partially funded by the DFG Research Training Group “PUMA: Programm- und Modell-Analyse” (GRK 1480), DFG project “Verified Model Checkers”, the ERC Starting Grant (279499: inVEST), and the Czech Science Foundation, grant No. P202/12/G061.
Javier Esparza 11
Jan Křetínský 11
Jean-François Raskin 22
Salomon Sickert 11
Abstract
Controller synthesis for general linear temporal logic (LTL) objectives is a challenging task. The standard approach involves translating the LTL objective into a deterministic parity automaton (DPA) by means of the Safra-Piterman construction. One of the challenges is the size of the DPA, which often grows very fast in practice, and can reach double exponential size in the length of the LTL formula. In this paper we describe a single exponential translation from limit-deterministic Büchi automata (LDBA) to DPA, and show that it can be concatenated with a recent efficient translation from LTL to LDBA to yield a double exponential, “Safraless” LTL-to-DPA construction. We also report on an implementation, a comparison with the SPOT library, and performance on several sets of formulas, including instances from the 2016 SyntComp competition.
1 Introduction
Limit-deterministic Büchi automata (LDBA, also known as semi-deterministic Büchi automata) were introduced by Courcoubetis and Yannakakis (based on previous work by Vardi) to solve the qualitative probabilistic model-checking problem: Decide if the executions of a Markov chain or Markov Decision Process satisfy a given LTL formula with probability 1 [Var85, VW86, CY95]. The problem faced by these authors was that fully nondeterministic Büchi automata (NBAs), which are as expressible as LTL, and more, cannot be used for probabilistic model checking, and deterministic Büchi automata (DBA) are less expressive than LTL. The solution was to introduce LDBAs as a model in-between: as expressive as NBAs, but deterministic enough.
After these papers, LDBAs received little attention. The alternative path of translating the LTL formula into an equivalent fully deterministic Rabin automaton using Safra’s construction [Saf88] was considered a better option, mostly because it also solves the quantitative probabilistic model-checking problem (computing the probability of the executions that satisfy a formula). However, recent papers have shown that LDBAs were unjustly forgotten. Blahoudek et al. have shown that LDBAs are easy to complement [BHS*+*16]. Kini and Viswanathan have given a single exponential translation of LTL*∖GU* to LDBA [KV15]. Finally, Sickert et al. describe in [SEJK16] a double exponential translation for full LTL that can also be applied to the quantitative case, and behaves better than Safra’s construction in practice.
In this paper we add to this trend by showing that LDBAs are also attractive for synthesis. The standard solution to the synthesis problem with LTL objectives consists of translating the LTL formula into a deterministic parity automaton (DPA) with the help of the Safra-Piterman construction [Pit07]. While limit-determinism is not “deterministic enough” for the synthesis problem, we introduce a conceptually simple and worst-case optimal translation LDBADPA. Our translation bears some similarities with that of [Fin15] where, however, a Muller acceptance condition is used. This condition can also be phrased as a Rabin condition, but not as a parity condition. Moreover, the way of tracking all possible states and finite runs differs.
Together with the translation LTLLDBA of [SEJK16], our construction provides a “Safraless”, procedure to obtain a DPA from an LTL formula. However, the direct concatenation of the two constructions does not yield an algorithm of optimal complexity: the LTLLDBA translation is double exponential (and there is a double-exponential lower bound), and so for the LTLDPA translation we only obtain a triple exponential bound. In the second part of the paper we solve this problem. We show that the LDBAs derived from LTL formulas satisfy a special property, and prove that for such automata the concatenation of the two constructions remains double exponential. To the best of our knowledge, this is the first double exponential “Safraless” LTLDPA procedure. (Another asymptotically optimal “Safraless” procedure for determinization of Büchi automata with Rabin automata as target has been presented in [FKVW15].)
In the third and final part, we report on the performance of an implementation of our LTLLDBADPA construction, and compare it with algorithms implemented in the SPOT library [DLLF*+*16]. Note that it is not possible to force SPOT to always produce DPA, sometimes it produces a deterministic generalized Büchi automaton (DGBA). The reason is that DGBA are often smaller than DPA (if they exist) and game-solving algorithms for DGBA are not less efficient than for DPA. Therefore, also our implementation may produce DGBA in some cases. We show that our implementation outperforms SPOT for several sets of parametric formulas and formulas used in synthesis examples taken from the SyntComp 2016 competition, and remains competitive for randomly generated formulas.
Structure of the paper
Section 2 introduces the necessary preliminaries about automata. Section 3 defines the translation LDBADPA. Section 4 shows how to compose of LTLLDBA and LDBADPA in such a way that the resulting DPA is at most doubly exponential in the size of the LTL formula. Section 5 reports on the experimental evaluation of this worst-case optimal translation, and Section 6 contains our conclusions. The paper is a full version of a TACAS’17 paper.
2 Preliminaries
Büchi automata
A (nondeterministic) -word automaton with Büchi acceptance condition (NBA) is a tuple where is a finite set of states, is the initial state, is a finite alphabet, is the transition relation, and is the set of accepting transitions111Here, we consider automata on infinite words with acceptance conditions based on transitions. It is well known that there are linear translations from automata with acceptance conditions defined on transitions to automata with acceptance conditions defined on states, and vice-versa.. W.l.o.g. we assume that is total in the following sense: for all , for all , there exists such that . is deterministic if for all , for all , there exists a unique such that . When is deterministic and total, it can be equivalently seen as a function . Given and , let .
A run of on a -word is a -sequence of states such that and for all positions , we have that . A run is accepting if there are infinitely many positions such that . The language defined by , denoted by , is the set of -words for which has an accepting run.
A limit-deterministic Büchi automaton (LDBA) is a Büchi automaton such that there exists a subset satisfying the three following properties:
, i.e. all accepting transitions are transitions within ; 2. 2.
, i.e. the transition relation is deterministic within 3. 3.
, i.e. is a trap (when is entered it is never left).
W.l.o.g. we assume that , and we denote by . Courcoubetis and Yannakakis show that for every -regular language , there exists an LDBA such that [CY95]. That is, LDBAs are as expressive as NBAs. An example of LDBA is given in Fig. 1. Note that the language accepted by this LDBA cannot be recognized by a deterministic Büchi automaton.
Parity automata
A deterministic -word automaton with parity acceptance condition (DPA) is a tuple , defined as for deterministic Büchi automata with the exception of the acceptance condition , which is now a function assigning an integer in , called a color, to each transition in the automaton. Colors are naturally ordered by the order on integers.
Given a run over a word , the infinite sequence of colors traversed by the run is noted and is equal to . A run is accepting if the minimal color that appears infinitely often along is even. The language defined by , denoted by is the set of -words for which has an accepting run.
While deterministic Büchi automata are not expressively complete for the class of -regular languages, DPAs are complete for -regular languages: for every -regular language there exists a DPA such that , see e.g. [Pit07].
3 From LDBA to DPA
3.1 Run DAGs and their coloring
Run DAG
A nondeterministic automaton may have several (even an infinite number of) runs on a given -word . As in [KV01], we represent this set of runs by means of a directed acyclic graph structure called the run DAG of on . Given an LDBA , this graph has a set of vertices and edges defined as follows:
- •
, where the sets are defined inductively:
- –
, and for all ,
- –
;
- •
.
We denote by the set that contains the subset of vertices of layer that are associated with states in .
Observe that all the paths of that start from are runs of on , and, conversely, each run of on corresponds exactly to one path in that starts from . So, we call runs the paths in the run DAG . In particular, we say that an infinite path of is an accepting run if there are infinitely many positions such that , , and . Clearly, is accepted by if and only if there is an accepting run in . We denote by the prefix of length of the run .
Ordering of runs
A function is called an ordering of the states of w.r.t. if defines a strict total order on the state from , and maps each state to , i.e.:
- •
for all , ,
- •
for all , , and
- •
for all , implies .
We extend to vertices in as follows: .
Starting from , we define the following pre-order on the set of run prefixes of the run DAG . Let and be two run prefixes of length , we write , if is smaller than , which is defined as:
- •
for all , , , or
- •
there exists , , such that:
- –
, and
- –
for all , , .
This is extended to (infinite) runs as: iff for all .
Remark 1
If accepts a word , then has a -smallest accepting run for .
We use the -relation on run prefixes to order the vertices of that belong to : for two different vertices and , is -smaller than , if there is a run prefix of that ends up in which is -smaller than all the run prefixes that ends up in , which induces a total order among the vertices of because the states in are totally ordered by the function .
Lemma 1
For all , for two different vertices , then either or , i.e., is a total order on .
Indexing vertices
The index of a vertex such that , denoted by , is a value in that denotes its order in according to (the -smallest element has index ). For , we identify two important sets of vertices:
- •
is the set of vertices such that there exists a vertex : and , i.e. the set of vertices in whose (unique) successor in has a smaller index value.
- •
is the set of vertices such that there exists : and , i.e. the set of vertices in that are the source of an accepting transition on .
Remark 2
Along a run, the index of vertices can only decrease. As the function has a finite range, the index along a run has to eventually stabilize.
Assigning colors
The set of colors that are used for coloring the levels of the run DAG is . We associate a color with each transition from level to level according to the following set of cases:
if and , the color is . 2. 2.
if and , the color is . 3. 3.
if and , the color is defined as the minimal color among
- •
, and
- •
. 4. 4.
if , the color is .
The intuition behind this coloring is as follows: the coloring tracks runs in (only those are potentially accepting as ) and tries to produce an even color that corresponds to the smallest index of an accepting run. If in level the run DAG has an outgoing transition that is accepting, then this is a positive event, as a consequence the color emitted is even and it is a function of the smallest index of a vertex associated with an accepting transition from to . Runs in are deterministic but they can merge with smaller runs. When this happens, this is considered as a negative event because the even colors that have been emitted by the run that merges with the smaller run should not be taken into account anymore. As a consequence an odd color is emitted in order to cancel all the (good) even colors that were generated by the run that merges with the smaller one. In that case the odd color is function of the smallest index of a run vertex in whose run merges with a smaller vertex in . Those two first cases are handled by cases and of the case study above. When both situations happen at the same time, then the color is determined by the minimum of the two colors assigned to the positive and the negative events. This is handled by case 3 above. And finally, when there is no accepting transition from to and no merging, the largest odd color is emitted as indicated by case 4 above.
According to this intuition, we define the color summary of the run DAG as the minimal color that appears infinitely often along the transitions between its levels. Because of the deterministic behavior of the automaton in , each run can only merge at most times with a smaller one (the size of the range of the function minus one), and as a consequence of the definition of the above coloring, we know that, on word accepted by , the smallest accepting run will eventually generate infinitely many (good) even colors that are never trumped by smaller odd colors.
Example 1
The left part of Fig. 2 depicts the run DAG of the limit-deterministic automaton of Fig. 1 on the word . Each path in this graph represents a run of the automaton on this word. The coloring of the run DAG follows the coloring rules defined above. Between level [math] and level , the color is equal to , as no accepting edge is taken from level [math] to level and no run merges (within ). The color is also emitted from level to level for the same reason. The color is emitted from level to level because the accepting edge is taken and the index of state in level is equal to (state has index as it is the end point of the smallest run prefix within ). The color is emitted from level to level because the run that goes from to merges with the smaller run that goes from to . In order to cancel the even colors emitted by the run that goes from to , color is emitted. It cancels the even color emitted before by this run. Afterwards, colors is emitted forever. The color summary is showing that there is no accepting run in the run DAG.
The right part of Fig. 2 depicts the run DAG of the limit deterministic automaton of Fig. 1 on the word . The coloring of the run DAG follows the coloring rules defined above. Between levels [math] and , color is emitted because no accepting edge is crossed. To the next level, we see the accepting edge and color is emitted. Upon reading the first , we see again since there is neither any accepting edge seen nor any merging takes place. Afterwards, each causes an accepting edge to be taken. While the smallest run, which visits forever, is not accepting, the second smallest run that visits forever is accepting. As has index in all the levels below level , the color is forever equal to . The color summary of the run is thus equal to and this shows that word is accepted by our limit deterministic automaton of Fig. 1.
The following theorem tells us that the color summary (the minimal color that appears infinitely often) can be used to identify run DAGs that contain accepting runs. The proof can be found in Appendix 0.A.
Theorem 3.1
The color summary of the run DAG is even if and only if there is an accepting run in .
3.2 Construction of the DPA
From an LDBA and an ordering function compatible with , we construct a deterministic parity automaton that, on a word , constructs the levels of the run DAG and the coloring of previous section. Theorem 3.1 tells us that such an automaton accepts the same language as .
First, we need some notations. Given a finite set , we note the set of its subsets, and the set of its totally ordered subsets. So if then and is a total strict order on . For , we denote by the position of among the elements in for the total strict order , with the convention that the index of the -minimum element is equal to . The deterministic parity automaton is defined as follows.
States and initial state
The set of states is , i.e. a state of is a pair where is a set of states outside , and is an ordered subset of . The ordering reflects the relative index of each state within . The initial state is .
Transition function
Let be a state in , and . Then where:
- •
;
- •
;
- •
is defined from and as follows: : iff:
either, , and , and ,
i.e. none has a predecessor in , then they are ordered using ; 2. 2.
or, , and ,
i.e. has a -predecessor in , and not; 3. 3.
or , and , and ,
i.e. both have a predecessor in , and they are ordered according to the order of their minimal parents.
Coloring
To define the coloring of edges in the deterministic automaton, we need to identify the states in a transition whose indices decrease when going from to . Those are defined as follows:
[TABLE]
Additionally, let denote the subset of states in that are the source of an accepting transition.
We assign a color to each transition as follows:
if and , the color is . 2. 2.
if and , the color is . 3. 3.
if and , the color is defined as the minimal color among
- •
, and
- •
. 4. 4.
if , the color is .
Example 2
The DPA of Fig. 3 is the automaton that is obtained by applying the construction LDBADPA defined above to the LDBA of Fig. 1 that recognizes the LTL language . The figure only shows the reachable states of this construction. As specified in the construction above, states of DPA are labelled with a subset of and a ordered subset of of the original NBA. As an illustration of the definitions above, let us explain the color of edges from state to itself on letter . When the NBA is in state , or and letter is read, then the next state of the automaton is again , or . Note also that there are no runs that are merging in that case. As a consequence, the color that is emitted is even and equal to the index of the smallest state that is the target of an accepting transition. In this case, this is state and its index is . This is the justification for the color on the edge. On the other hand, if letter is read from state , then the automaton moves to states . The state is mapped to state and there is a run merging which induces that the color emitted is odd and equal to . This trumps all the ’s that were possibly emitted from state before.
Theorem 3.2
The language defined by the deterministic parity automaton is equal to the language defined by the limit deterministic automaton , i.e. .
Proof
Let and be the run DAG of on . It is easy to show by induction that the sequence of colors that occur along is equal to the sequence of colors defined by the run of the automaton on . By Theorem 3.1, the language of automaton is thus equal to the language of automaton . ∎
3.3 Complexity Analysis
3.3.1 Upper bound
Let be the size of the LDBA and let be the size of the accepting component. We can bound the number of different orderings using the series of reciprocals of factorials (with being Euler’s number):
[TABLE]
Thus the obtained DPA has states and colours.
3.3.2 Lower bound
We obtain a matching lower bound by strengthening Theorem 8 from [Löd99]:
Lemma 2
There exists a family of languages ( over an alphabet of letters) such that for every the language can be recognized by a limit-deterministic Büchi automaton with states but can not be recognized by a deterministic Parity automaton with less than states.
Proof
The proof of Theorem 8 from [Löd99] constructs a non-deterministic Büchi automaton of exactly this size and which is in fact limit-deterministic.
Assume there exists a deterministic Parity automata for with states. Since parity automata are closed under complementation, we can obtain a parity automaton and hence also a Rabin automaton of size for and thus a Streett automaton of size for , a contradiction to Theorem 8 of [Löd99].∎
Corollary 1
Every translation from limit-deterministic Büchi automata of size to deterministic parity yields automata with states in the worst case.
4 From LTL to Parity in
In [SEJK16] we present a LTLLDBA translation. Given a formula of size , the translation produces an asymptotically optimal LDBA with states. The straightforward composition of this translation with the single exponential LDBADPA translation of the previous section is only guaranteed to be triple exponential, while the Safra-Piterman construction produces a DPA of at most doubly exponential size. In this section we describe a modified composition that yields a double exponential DPA. To the best of our knowledge this is is the first translation of the whole LTL to deterministic parity automata that is asymptotically optimal and does not use Safra’s construction.
The section is divided into two parts. In the first part, we explain and illustrate a redundancy occurring in our LDBADPA translation, responsible for the undesired extra exponential. We also describe an optimization that removes this redundancy when the LDBA satisfies some conditions. In the second part, we show these conditions are satisfied on the products of the LTLLDBA translation, which in turn guarantees a doubly exponential LTLDPA procedure.
4.1 An improved construction
We can view the second component of a state of the DPA as a sequence of states of the LDBA, ordered by their indices. Since there are states of the LDBA for an LTL formula of length , the number of such sequences is
[TABLE]
If only the length of the sequences (the maximum index) were bounded by , the number of such sequences would be smaller than the number of functions which is
[TABLE]
Fix an LDBA with set of states . Assume the existence of an oracle: a list of statements of the form where and . We use the oracle to define a mapping that associates to each run DAG a “reduced DAG” , defined as the result of iteratively performing the following four-step operation:
- •
Find the first in the current DAG such that the sequence of vertices of contains a vertex for which the oracle ensures
[TABLE]
We call a redundant vertex.
- •
Remove from the sequence, and otherwise keep the ordering unchanged (thus decreasing the index of vertices with ).
- •
Redirect transitions leading from vertices in to so that they lead to the smallest vertex of .
- •
Remove any vertices (if any) that are no longer reachable from vertices of .
We define the color summary of in exactly the same way as the color summary of . The DAG satisfies the following crucial property, whose proof can be found in Appendix 0.B:
Proposition 1
The color summary of the run DAG is even if and only if there is an accepting run in .
The mapping on DAGs induces a reduced DPA as follows. The states are the pairs such that does not contain redundant vertices. There is a transition with color iff there is a word and an index such that and correspond to the -th and -th levels of , and and are the letter and color of the step between these levels in . Observe that the set of transitions is independent of the words chosen to define them.
The equivalence between the initial DPA and the reduced DPA follows immediately from Proposition 1: accepts iff contains an accepting run iff the color summary of is even iff accepts .
Example 3
Consider the LDBA of Fig. 1 and an oracle given by , ensuring for any . Then is always redundant and merged, removing the two rightmost states of the DPA of Fig. 3 (left), resulting in the DPA of Fig. 3 (right). However, for the sake of technical convenience, we shall refrain from removing a redundant vertex when it is the smallest one (with index ).
Since the construction of the reduced DPA is parametrized by an oracle, the obvious question is how to obtain an oracle that does not involve applying an expensive language inclusion test. Let us give a first example in which an oracle can be easily obtained:
Example 4
Consider an LDBA where each state arose from some powerset construction on an NBA in such a way that . An oracle can, for instance, allow us to merge whenever , which is a sound syntactic approximation of language inclusion. This motivates the following formal generalization.
Let be a finite set of languages, called base languages. We call the join-semilattice of composed languages. We shall assume an LDBA with some such that for every state . We say that such an LDBA has a base . In other words, every state recognizes a union of some base languages. (Note that every automaton has a base of at most linear size.) Whenever we have states recognizing with for every , the oracle allows us to merge vertices satisfying . Intuitively, the oracle declares a vertex redundant whenever the simple syntactic check on the indices allows for that.
Let be a sequence of languages of where the reduction has been applied and there are no more redundant vertices. The maximum length of such a sequence is given already by the base and we denote it .
Lemma 3
For any , we have .
Proof
We provide an injective mapping of languages in the sequence (except for ) into . Since , there is some and we map to this . In general, since , we also have and we map to this .∎
On the one hand, the transformation of LDBA to DPA without the reduction yields states. On the other hand, we can now show that the second component of reduced LDBA with a base can be exponentially smaller. Further, let us assume the LDBA is initial-deterministic, meaning that is deterministic, thus not resulting in blowup in the first component.
Corollary 2
For every initial-deterministic LDBA with base of size , there is an equivalent DPA with states.
Proof
The number of composed languages is . Therefore, the LDBA has at most (non-equivalent) states. Hence the construction produces at most
[TABLE]
states since the LDBA is initial-deterministic, causing no blowup in the first component. ∎
4.2 Bases for LDBAs Obtained from LTL Formulas
We prove that the width for LDBA arising from the LTL transformation is only singly exponential in the formula size. To this end, we need to recall a property of the LTLLDBA translation of [SEJK16]. Since partial evaluation of formulas plays a major role in the translation, we introduce the following definition. Given an LTL formula and sets and of LTL formulas, let denote the result of substituting (true) for each occurrence of a formula of in , and similarly (false) for formulas of . The following property of the translation is proven in Appendix 0.C.
Proposition 2
For every LTL formula , every state of the LDBA of [SEJK16] is labelled by an LTL formula such that (i) and (ii) is a Boolean combination of subformulas of for some and . Moreover, the LDBA is initial-deterministic.
As a consequence, we can bound the corresponding base:
Corollary 3
For every LTL formula , the LDBA of [SEJK16] for has a base of size .
Proof
Firstly, we focus on states using the same . The language of each state can be defined by a Boolean formula over atoms. Since every Boolean formula can be expressed in the disjunctive normal form, its language is a union of the conjuncts. The conjunctions thus form a base for these states. There are exponentially many different conjunction in the number of atoms. Hence the base is of singly exponential size as well.
Secondly, observe that there are only different formulas and thus only different sets of atoms. Altogether, the size is bounded by
[TABLE]
Theorem 4.1
For every LTL formula , there is a DPA with states.
Proof
The LDBA for has base of singly exponential size by Corollary 3 and is initial-deterministic by Proposition 2. Therefore, by Corollary 2, the size of the DPA is doubly exponential, in fact
[TABLE]
This matches the lower bound by [KR10] as well as the upper bound by the Safra-Piterman approach. Finally, note that while the breakpoint constructions in [SEJK16] is analogous to Safra’s vertical merging, the merging introduced here is analogous to Safra’s horizontal merging.
5 Experimental Evaluation
We evaluate the performance of our construction on several datasets taken from [BKS13, DWDMR08, SEJK16] and several Temporal Logic Synthesis Format (TLSF) specifications [JBB*+*16] of the SyntComp 2016 competition.
We use the size of the constructed deterministic automaton as an indicator for the overall performance of the synthesis procedure. In [ST03] it is argued that the degree of determinism of the automaton is a better predictor for performance in model-checking problems; however, this parameter is not applicable for synthesis problems, which require deterministic automata.
We compare two versions of our implementation (with and without optimizations, see below) with the algorithms of Spot [DLLF*+*16]. Each tool is given 64GB of memory and 10 minutes. Increasing time to 10 hours does not change the results. More precisely, we compare the following three setups:
S. (ltl2tgba, 2.1.1) - Spot [DLLF*+*16] implements a version of the Safra-Piterman determinization procedure [Red12] with several optimizations.
L2P and L2P′.** (ltl2dpa, 1.0.0) - L2P is the construction of this paper, available at www7.in.tum.de/~sickert/projects/ltl2dpa. L2P*′* adds two optimizations. First, the tool translates both the formula and its negation to DPAs , complements to yield , and picks the smaller of . Further, we apply the simplification routines of Spot (ltlfilt and autfilt, respectively).
We consider three groups of benachmarks:
Parametric Formulas. 10 benchmarks from [BKS13, SEJK16]). In six cases S and L2P*′* produce identical results. The other four are
[TABLE]
for which the results are shown in (figure 1a). Additionally, we consider the “” formulas from [SEJK16] (table 1). Observe that L2P*′* performs clearly better, and the gap between the tools grows when the parameter increases.
Randomly Generated Formulas from [BKS13] (figure 1b).
Real Data. Formulas taken from case studies and synthesis competitions — the intended domain of application of our approach. Figures 4c and 4d show results for the real-world formulas of [BKS13] and the TLSF specifications contained in the Acacia set of [JBB*+*16]. Table 1 shows results for LTL formulas expressing properties of Szymanski’s protocol [DWDMR08], and for the generalised buffer benchmark of Acacia.
Average Compression Ratios. The geometric average compression ratio for a benchmark suite is defined as , where and denote the number of states of the automata produced by Spot and L2P*′*, respectively. The ratios in our experiments (excluding benchmarks where Spot times out) are: 1.14 for random formulas, 1.12 for the real-world formulas of [BKS13], and 1.35 for the formulas of Acacia.
6 Conclusion
We have presented a simple, “Safraless”, and asymptotically optimal translation from LTL and LDBA to deterministic parity automata. Furthermore, the translation is suitable for an on-the-fly implementation. The resulting automata are substantially smaller than those produced by the SPOT library for formulas obtained from synthesis specifications, and have comparable or smaller size for other benchmarks. In future work we want to investigate the performance of the translation as part of a synthesis toolchain.
Acknowledgments.
The authors want to thank Michael Luttenberger for helpful discussions and the anonymous reviewers for constructive feedback.
Appendix 0.A Proof of Theorem 3.1
Theorem 3.1. The color summary of the run DAG is even if and only if there is an accepting run in .
Proof
“”: Assume that the color summary of is even and equal to . Then it must be the case that there exists a level such the color after level is always larger than or equal to , and infinitely many times equal to . W.l.o.g. assume that in level , there exists a vertex and . Take the smallest run prefix that ends up in , this run prefix will never merge with a smaller run prefix and all smaller run prefixes that are active in level will not merge, as otherwise, there would exist a position where the index of the run that passes by would decrease and this would contradict the fact that for all , all the colors that are emitted are larger than or equal to . Let us now consider the suffix of the run that pass by . As the even color is emitted infinitely many times after level , we know that this run suffix crosses infinitely many times . So this run is accepting and this is the smallest such run.
“”:
(Step 1): Now, let us consider the other direction. Assume that there exists an accepting run of on a word . We first establish the existence of a run which is accepting and for which there exists a position from which does not merge with any smaller run, and all smaller runs are non accepting. We identify and as follows. Among the accepting runs, we select one that enters first in the set of states say at level . They can be several of them but we take one that enters via a state of minimal index for . Let be the active states at level that are in . The way we have chosen make sure that all the states in with a smaller index than are the origin of non accepting runs and clearly as is accepting it cannot merge with one of those smaller runs. Now, some of those smaller runs may merge in the future, and each time they merge, the index of will decrease. But this will happen a number of times which is bounded by .
(Step 2): Let be the position when the last merge of a smaller run pefix happens.
(Step 3): Let us now show that the existence of and this position allow us to prove that the color summary is even. After position , there are only odd colors with values larger than or equal to because we know that nor neither smaller runs merge in the future. Also as is accepting, there will be an infinite number of positions where the even color is equal to , and only finitely many positions after may have an even color which is less than this value as all runs that are smaller than are not accepting. So the summary color is even and equal to .
Appendix 0.B Proof of Proposition 1
Proposition 1. The color summary of the run DAG is even if and only if there is an accepting run in .
Proof
“”: The ‘only-if’ direction can be proven as in Theorem 3.1 verbatim, only replacing by . The reason why the argumentation is still correct, is that the discussed “smallest run prefix that ends up in ” (now in ) is actually a real run prefix (in ) since it never secondarily merged. Indeed, runs only merge into smaller ones.
“”: (Step 1): For the ‘if’ direction, we first use the proof Theorem 3.1, Step 1, verbatim, obtaining the smallest accepting run in .
Additionally, we prove that this (smallest) constructed run is actually a run in . For a contradiction, assume that this is not the case and where is the first vertex on that secondarily merged. Then there is with and contains the label of the run , accepted by some run in . Since , we also have a run prefix , and thus an accepting run in such that , a contradiction with minimality of .
(Step 2): Let be the position when the last merge of a smaller run pefix happens in (not ).
(Step 3): We use the proof Theorem 3.1, Step 3, verbatim, proving the color summary is even. ∎
Appendix 0.C Proof of Proposition 2
We start by recalling the LTLLDBA translation of [SEJK16].
Preliminaries.
The translation assumes that formulas are in negation normal form, given by the syntax
[TABLE]
where belongs to a finite set of atomic propositions. Every formula over the usual syntax of LTL (with negation and the and operators) can be normalized with linear blowup if formulas are represented by their syntax DAGs, where two occurrences of the same subformula are represented by the same node.
We recall the function introduced in [EK14, SEJK16], and some of its properties. Let be a letter. The formula , read “ after ” is inductively defined as follows [EK14, SEJK16]:
[TABLE]
Furthermore, we define: , and for every letter and every finite word . The function has the following two properties [EK14, SEJK16] for every formula , finite word , and -word :
- (i)
iff .
- (ii)
is a boolean combination of subformulas of .
A formula is proper if it is neither a conjunction nor a disjunction. The propositional formula of a formula is the result of substituting every maximal proper subformula of by a propositional variable . For example, if with and , then . Two formulas are propositionally equivalent, denoted , if and are equivalent. So, for example, is propositionally equivalent to . Observe that propositional equivalence implies equivalence, but the contrary does not hold. For example, and are equivalent, but not propositionally equivalent.
The states of the LDBA for an LTL formula are equivalence classes of formulas (or tuples thereof) with respect to propositional equivalence. However, we abuse language and write that the states are formulas or tuples of formulas.
Translating LTL to LDBA.
Fix a formula . We describe the LDBA . We use as running example. We abbreviate , and write . The LDBA is shown in Figure 5.
The LDBA consists of two deterministic components, called the initial and accepting components, and denoted and , respectively—in Figure 5 they are shown above and below the dashed line. The accepting component is the union (defined componentwise for states, transitions, and accepting states) of subcomponents , one for each set of -subformulas of –that is, if has different -subformulas, then is the union of subcomponents). Transitions of labeled by an alphabet letter connect either two states of , or two states of the same subcomponent of . Further, for each state of and each set there is an -transition leading from to a state of .
Initial component : Define the set of formulas reachable from as . The set of states of is . The initial state is . The transition function is given by . Intuitively, monitors the formula that has to hold at the current moment for to hold at the beginning.
Accepting component : The accepting component is the union of subcomponents , one for each .
Let denote the set of all -subformulas of . Given a set and a formula , we write as an abbreviation for , i.e., for the result of substituting for each maximal occurrence of a formula of in , and for each maximal occurrence of a formula of in . For example, if then .
Each subcomponent is a product of DBAs: One for the formula , and one for each formula of the form , where . Observe that is a -free formula, and does not have nested s. For example, if , then is the product of three DBAs, one for , one for , and a third one for . We call the DBAs for and the monitors.
Monitor for . The set of states is , the transition function is given by . The only final state is . The initial state is left unspecified.
Lemma 2 of [SEJK16] shows that the -monitor accepts a word from a state iff satisfies the formula .
Monitor for ). Let us abbreviate as . The monitor for is the DBA where
- •
- •
Lemma 5 of [SEJK16] proves that accepts a word (from its initial state ) iff .
Product. Fix a set of -subformulas of . For every index , let be the monitor for . The product of these monitors is the generalized deterministic Büchi automaton
[TABLE]
where is a transition of iff .
Lemma 5 of [SEJK16] proves that accepts iff for all .
Subcomponent . The subcomponent is the product of the monitor for and :
[TABLE]
We have: accepts a word from the state iff .
Connecting -transitions: Finally, we describe the -transitions connecting the initial component to the accepting component . There is an -transition for each state of and each set . The transition is \big{(}\varphi^{\prime},\epsilon,(\,\varphi^{\prime}[\mathcal{G}],{\mathbf{G}}(\psi_{1}[\mathcal{G}]),\ldots,{\mathbf{G}}(\psi_{n}[\mathcal{G}])\,)\big{)}.
Theorem 1 of [SEJK16] proves that iff accepts .
This concludes the description of .
Proof of Proposition 2.
We start by generalizing Lemma 5 of [SEJK16] as follows:
Lemma 4
* accepts a word from a state iff .*
Proof
We first claim that there is a formula such that . If , then . Otherwise there is and such that . By the definition of the transition function, either for some , or for some , and we can choose accordingly.
By this result, we have for every state and letter , and so in particular
[TABLE]
We now prove the lemma. Let be a finite word leading from the initial state to . We proceed by induction of the length of .
Basis. . Then , and so iff . By Lemma 5 of [SEJK16] iff accepts from , and we are done.
Step. for some word and letter . Then there is a state such that and . By induction hypothesis a word is accepted from iff . We consider two cases.
If , then by the definition of we have . It follows:
[TABLE]
We conclude the proof by showing . It suffices to prove . Consider two cases:
- •
. Then, by the definition of , we have and , and we are done.
- •
. Then,by the definition of , we have and , and we are done. ∎
We can now proceed to prove Proposition 2.
Proposition 2. For every LTL formula , every state of the LDBA of [SEJK16] for can be labelled by an LTL formula such that (i) and (ii) is a Boolean combination of subformulas of for some and . Moreover, the LDBA is initial-deterministic.
Further, can be computed in linear time from the descriptor of .
Proof
Recall the two properties of the function. For every formula , finite word , and -word :
- (i)
iff .
- (ii)
is a boolean combination of subformulas of . Therefore, every formula of is a boolean combination of subformulas of .
Let be a state of , and let be any finite word leading from to . By Theorem 1 of [SEJK16], we have . By (i), . Since is deterministic, . So we can take .
We consider now the case that belongs to . Then there is a set such that belongs to . By the definition of as product of DBAs, is of the form , where is a state of the monitor for , and is a state of the monitor for . Further, the words recognized from are those simultaneously recognized from , in their respective automata. By Lemma 4, the words recognized from are those satisfying . We choose as this formula. It remains to show that each conjunct of is a boolean combination of formulas of .
- •
By the definition of the monitor for , the formula belongs to , and by (ii) we are done.
- •
By the definition of the monitor for , the formulas and belong to . By (ii), they are boolean combinations of subformulas of . Since is a subformula of , they are also boolean combinations of subformulas of , and so a boolean combination of formulas of . ∎
Appendix 0.D Optimisations
0.D.1 Parallelisation
Since multiple cores are abundant these days, we use a simple trick to obtain small automata: we launch two threads for and and compute the DPA. Observe that complementing parity automata is cheap, since we just need to change the parity of the acceptance condition. We then return the smaller automaton and also prematurely cancel one of the translations, if we already know that the running translation will produce a larger automaton.
0.D.2 Reduction of Rankings
Since we can freely change the order of states we jump to, a good heuristic is to sort jumps to accepting components that are labelled with -Operators—more precisely, belong to the syntactic class of pure eventual formulas—before any other accepting component. The reasoning is that components for the pure eventual fragment will never be removed from the ranking. Analogously, if an accepting component is only labeled with formulas from the -fragment, a safety language is described. These are volatile in the sense that after a fixed number of steps—the nesting depth of the ’s—we know if the obligations are fulfilled or not. Thus we do not need to track all these components. Just one at a time and whenever one of these fails we switch to the next one.
The reference list from the paper itself. Each links out to its DOI / PubMed record.
- 1[BHS + 16] Frantisek Blahoudek, Matthias Heizmann, Sven Schewe, Jan Strejcek, and Ming-Hsien Tsai. Complementing semi-deterministic Büchi automata. In TACAS , volume 9636 of LNCS , pages 770–787, 2016.
- 2[BKS 13] Frantisek Blahoudek, Mojmír Křetínský, and Jan Strejček. Comparison of LTL to deterministic Rabin automata translators. In LPAR , volume 8312 of LNCS , pages 164–172, 2013.
- 3[CY 95] Costas Courcoubetis and Mihalis Yannakakis. The complexity of probabilistic verification. J. ACM , 42(4):857–907, 1995.
- 4[DLLF + 16] Alexandre Duret-Lutz, Alexandre Lewkowicz, Amaury Fauchille, Thibaud Michaud, Etienne Renault, and Laurent Xu. Spot 2.0 — a framework for LTL and ω 𝜔 \omega -automata manipulation. In Proceedings of the 14th International Symposium on Automated Technology for Verification and Analysis (ATVA’16) , volume 9938 of Lecture Notes in Computer Science , pages 122–129. Springer, October 2016. To appear.
- 5[DWDMR 08] Martin De Wulf, Laurent Doyen, Nicolas Maquet, and Jean-François Raskin. Antichains - Alternative Algorithms for LTL Satisfiability and Model-Checking. TACAS , 2008.
- 6[EK 14] Javier Esparza and Jan Křetínský. From LTL to deterministic automata: A safraless compositional approach. In CAV , volume 8559 of LNCS , pages 192–208, 2014.
- 7[Fin 15] Bernd Finkbeiner. Automata, games, and verification, 2015. Available at https://www.react.uni-saarland.de/teaching/automata-games-verification-15/downloads/notes.pdf .
- 8[FKVW 15] Seth Fogarty, Orna Kupferman, Moshe Y. Vardi, and Thomas Wilke. Profile trees for büchi word automata, with application to determinization. Inf. Comput. , 245:136–151, 2015.
