Abstract. We propose to describe computations using QFPAbit, a language of quantifier-free linear arithmetic on unbounded integers with bitvector operations. We describe an algorithm that, given a QFPAbit formula with input and output variables denoting integers, generates an efficient function from a sequence of inputs to a sequence of outputs, whenever such a function on integers exists. The starting point for our method is a polynomial-time translation mapping a QFPAbit formula into the sequential circuit that checks the correctness of the input/output relation. From such a circuit, our synthesis algorithm produces solved circuits from inputs to outputs that are no more than singly exponential in the size of the original formula. In addition to the general synthesis algorithm, we present techniques that ensure that, for example, multiplication and division with large constants do not lead to an exponential blowup, addressing a practical problem with a previous approach that used the MONA tool to generate the specification automata.
Introduction
Over the past decades, a number of decision procedures have been developed and integrated into satisfiability modulo theory (SMT) solvers. Among the primary uses of this technology so far have been verification and error finding. Recently, researchers started using this technology for software synthesis [11]. In the line of work on complete functional synthesis, researchers proposed to generalize decision procedures for infinite domains to synthesis procedures [7].
The basic idea is to describe fragments of code using formulas in a decidable logic. Such a formula specifies a relation between inputs and outputs. A synthesis procedure then compiles this formula into a program that maps inputs into outputs, and whose behavior corresponds to invoking a decision procedure on that particular constraint. The resulting program is guaranteed to satisfy the specification. Synthesis procedures have been described for, e.g., parameterized Presburger arithmetic [7], using a constructive version of quantifier elimination.
For domains such as integer arithmetic, automata-based methods can have a number of advantages compared to quantifier elimination, including the ability to support operations on unbounded bitvectors. Motivated by these observations, in related previous work [4] researchers considered synthesis of specifications expressed in weak monadic second-order logic of one successor (WS1S), which is equivalent to Presburger arithmetic with bitwise logical operators. In contrast to automata-based approaches to reactive synthesis [1, 2, 5, 8], this approach uses automata to encode relations on integers, which means that the causality restriction of Church's synthesis problem does not apply. The synthesized function for this problem cannot always be given as a one-pass finite-state transducer. The approach [4] synthesizes a two-pass transducer, where the first pass generates a sequence that abstracts the tree of possible executions, whereas the second pass processes this sequence backwards to choose an acceptable sequence of outputs. The previous implementation of this approach used the MONA tool [6] to transform the given specification formula into an automaton accepting a sequence of bits of combined input/output vectors. This implementation therefore suffered from the explicit-state representation used by MONA. The most striking problem is multiplication by constants, where a subformula x = c * y leads to circuits of size proportional to c and thus exponential in the binary representation of c.
To overcome the difficulties with explicit-state representation used in the implementation of [4], in this paper we investigate an approach that directly uses circuit representations for both specifications and implementations. To avoid the non-elementary worst-case complexity [12] of transforming WS1S formulas to automata, we use as our specification language quantifier-free Presburger arithmetic with bitvector operations [9], denoted QFPAbit. We describe a polynomial-time transformation between sequential circuits and QFPAbit. We then present an algorithm for transforming sequential circuit representations of input/output relations into systems of sequential circuits that map inputs into outputs. The worst-case complexity of our translation is bounded by a singly exponential function of the specification circuit size. Building on this general result, we identify optimizations that exploit the structure of specifications to reduce the potential for exponential explosion. Our prototype implementation confirms the improved asymptotic behavior of this synthesis approach, and is available for download from http://lara.epfl.ch/w/cisy. Additional details of our constructions are available in the technical report [10].
Preliminaries

Quantifier-Free Presburger Arithmetic with Bit-vector Logical Operators
Presburger Arithmetic with Bit-vector Logical Operators is the structure of integers with addition and bit-vector logical operations acting on the binary two's complement representation of the integers. Let V be a finite set of variables. Let c ∈ Z, x ∈ V, and let % range over =, ≠, <, ≤, >, ≥. The following is the grammar of QFPAbit terms and formulas.
T
Variables range over the set of integers Z. The bitvector logical operators act on the two's complement encoding of numbers [9] :
A property of this encoding is that replicating the most significant bit does not change the value. This justifies our definition of the bit-vector operators because for any two numbers we can always find encodings that have the same length. By the two's complement encoding of a number, we mean its shortest possible encoding. Given a QFPAbit formula F over the set of variables $V = \{x_1, \ldots, x_n\}$, we say that a valuation $val : V \to \mathbb{Z}$ satisfies F if F is true when each occurrence of a variable $x_i$ evaluates to $val(x_i)$. We say that F is satisfiable if there exists a valuation that satisfies F. Note that the identity $-x = \neg x + 1$ holds for all x. We can use QFPAbit formulae to define languages over $\Sigma = \{0,1\}^n$. Let F be a QFPAbit formula over the variables $V = \{x_1, \ldots, x_n\}$. Let $w \in \Sigma^+$ be a word of length m. By $w(j)$ denote the j-th letter of w, indexing from 0, so that the initial letter is denoted $w(0)$. Each $w(j)$ is a vector of dimension n; let $w_i(j)$ denote the i-th coordinate of $w(j)$. Define a valuation $val_w : V \to \mathbb{Z}$ by $val_w(x_i) = \langle w_i(m-1), \ldots, w_i(0) \rangle_{\mathbb{Z}}$. Thus, in the matrix whose columns are the letters of w, the i-th row represents the encoding of $val_w(x_i)$ with the most significant bit coming first. The language defined by the formula is $L(F) = \{w \in \Sigma^+ \mid val_w \text{ satisfies } F\}$.
Sequential Circuits
A combinational boolean circuit K is a pair (G, σ) where G is a finite directed acyclic graph and σ : U → {AND, OR, NOT} is a labeling function such that U is the set of vertices of G whose in-degree is greater than zero. We require that whenever σ(x) = NOT then x has in-degree of one. We call the vertices in U the gates. We denote the vertices of in-degree zero I and call them inputs; we denote the vertices of out-degree zero O, and call them outputs.
Given a boolean valuation i : I → {true, false}, we define a valuation v on all vertices of G as follows:
where γ(x) denotes the single neighbor of x connected to it by an edge directed towards x and Γ(x) denotes the set of all neighbors of x connected to it by edges directed towards x. We call the values of v on O the output values of K for input i. The values of the outputs of a combinational boolean circuit, defined above, depend only on a single set of inputs and can be represented in a truth table. We next review (clocked) sequential circuits, which are equivalent to deterministic finite automata but compactly represent the set of states and the transition function.
A clocked sequential circuit (or SC, for short) is a tuple (K, M, store, load, init) where
- K is a combinational boolean circuit with inputs and outputs I and O;
- M is a set of D-type flip-flops;
The load and store functions describe how the data input of each flip-flop is connected to a unique output of K and how the Q-output of each flip-flop is connected to a unique input of K. Such a backward-connected output-input pair will be denoted as a state variable. We call the inputs of K that are not in the image of load the input variables and call the outputs of K that are not in the image of store the output variables.
The SC works in clock pulses. It takes as input a stream that for every clock pulse contains values for all input variables, and produces as output a stream that for every clock pulse contains values of all the output variables, computed by K. Notice that a circuit with n input variables and m output variables can be viewed as a machine that, given a word from $(\{0,1\}^n)^+$, produces a word of the same length in $(\{0,1\}^m)^+$. We can also use a SC to recognize a language.
Definition 1. Let C be a SC with one output variable o and n input variables. We say that C accepts the word $w \in \{0,1\}^n$ if the value of o in the last cycle is 1 when the circuit is given w as input, one letter at each clock cycle.
The language of C is $L(C) = \{w \in \{0,1\}^n \mid C \text{ accepts } w\}$.
Some of the standard finite state machine operations can be efficiently performed on the sequential circuit representations. Given a SC C with input variables $v_1, \ldots, v_n$, state variables $q_1, \ldots, q_n$ and output o, and a SC C′ that uses the same input variables $v_1, \ldots, v_n$ and has state variables $q'_1, \ldots, q'_n$ and output o′, we can construct a circuit ¬C by simply appending a NOT gate at o and making the output of the NOT gate the output of ¬C. Similarly, we can construct circuits C ∧ C′ and C ∨ C′ by connecting the outputs of C and C′ to an appropriate logical gate, whose output will become the output of the composite circuit. It can easily be seen that 1)
Translations Between QFPAbit and Sequential Circuits
This section establishes correspondence between QFPAbit and sequential circuits by providing translations in both directions that maintain a close correspondence between the accepted languages.
Reduction from QFPAbit to Sequential Circuits
Since we have already shown how to construct boolean combinations of sequential acceptor circuits, it is enough to find a set of basic QFPAbit formulae out of which all QFPAbit formulae can be built using logical connectives, and then show how these basic formulae can be translated to SCs.
Definition 2. Let $w \in \Sigma^+$ with $\Sigma = \{0,1\}^n$ as usual. Suppose
. . .
..n} be non-empty. We define the projection of w onto the coordinates S to be the string w
|S| . For a language $L \subset \Sigma^+$, we define the projection of L onto the coordinates S to be the language $L_S = \{w_S \mid w \in L\}$. Note that $L_S$ is a language over the alphabet $\{0,1\}^{|S|}$.
Every QFPAbit formula is a boolean combination of atomic formulae of the form $T_1 \% T_2$ where $T_1$ and $T_2$ are terms and % ∈ {=, ≠, <, ≤, >, ≥}. We will now show how to transform any formula F into a new one where the atoms will be of a more restricted form. The new formula will have more variables than F, but when projected onto the variables occurring in F their languages will be the same. We apply the following sequence of transformations:
1. Replace all atomic relations by equalities and strict "less-than" inequalities using the fact that $T_1 < T_2$ if and only if
2. Remove all instances of multiplication by constants other than −1 and powers of two by exploiting the fact that any term of the form $cT$ is equal to a sum of terms of the form $2^k T$ corresponding to c's two's complement encoding.
3. Remove all instances of multiplication by −1 by replacing every sub-term of the form $(-1)T$ by $\neg T + 1$. This equivalence follows easily from the definition of the two's complement encoding.
4. Move all additions to separate conjuncts on the highest level of the formula by replacing every occurrence of $T_1 + T_2$ by a fresh variable s and adding conjuncts $s = x + y$, $x = T_1$ and $y = T_2$ to the formula, where x and y are also fresh variables.
5. Move all multiplications by a constant $2^k$, which are the only multiplications now left in the formula, to conjuncts on the highest level of the formula by replacing every occurrence of $2^k T$ by a fresh variable x and adding $x = 2^k y$ and $y = T$ as conjuncts to the formula, where y is another fresh variable.
6. Replace every additive occurrence of an integer constant c inside a larger term by a fresh variable $y_c$ and add a conjunct $y_c = c$ to the formula.
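Steps 2 and 3 can be checked on concrete numbers. The following is an added example, not code from the paper or its prototype: it reads step 2 as giving the sign bit of c the weight $-2^{m-1}$, so that the only negated term is the one rewritten by step 3. The function names are hypothetical, and Python's unbounded integers stand in for two's complement values.

```python
def twos_complement_bits(c):
    """Shortest two's complement encoding of c, most significant bit first."""
    width = 1
    while not -(1 << (width - 1)) <= c < (1 << (width - 1)):
        width += 1
    return [(c >> k) & 1 for k in range(width - 1, -1, -1)]


def decode(bits):
    """Value of an MSB-first two's complement bit list.

    The sign bit weighs -2^(m-1); every other bit weighs +2^k.
    """
    m = len(bits)
    value = -(bits[0] << (m - 1))
    for pos, bit in zip(range(m - 2, -1, -1), bits[1:]):
        value += bit << pos
    return value


def bv_neg(t):
    """Step 3: (-1)*T is rewritten as (bitwise NOT of T) + 1."""
    return ~t + 1


def shift_terms(c):
    """Step 2: pairs (k, negated) such that c*T is the sum of +/- 2^k * T.

    One pair per set bit of c's encoding, so the number of terms is
    logarithmic in |c|, not proportional to c.
    """
    bits = twos_complement_bits(c)
    m = len(bits)
    terms = []
    for pos, bit in zip(range(m - 1, -1, -1), bits):
        if bit:
            terms.append((pos, pos == m - 1))  # only the sign bit is negated
    return terms


def mul_const(c, t):
    """Evaluate c*t using only shifts, additions and bit-vector negation."""
    total = 0
    for k, negated in shift_terms(c):
        shifted = t << k  # the term 2^k * T
        total += bv_neg(shifted) if negated else shifted
    return total


if __name__ == "__main__":
    for c in (5, -3, 1000003):
        print(c, twos_complement_bits(c), shift_terms(c), mul_const(c, 7))
```
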
Let us call the formula that we obtain G. Its size is polynomial in the size of F and it consists only of atoms of the following five forms:
, where x, y, s and t are variables, c is an integer constant and $T, T_1, T_2$ are terms that contain exclusively variables and bit-vector logical operators.
It is easy to construct SCs for atoms of each of these four forms. For details of these constructions along with circuit diagrams, see our technical report [10]. The general flavor of these circuits is that they compare streams of binary digits. The most complicated case is (iv), where the circuit compares a binary stream to a version of itself shifted by a constant number of bits. Each of the sub-circuits for cases (i), (ii) and (v) has only a constant number of state variables. In case (iii), the number of state variables is proportional to the logarithm of the constant c and in case (iv) it is proportional to k.
Finally, we compose the partial specification circuits by boolean operations to find a SC for G. The correctness of this synthesis procedure is expressed in the following theorem.
Theorem 1. Let $C_F$ be the circuit obtained from a QFPAbit formula F using the above synthesis procedure. Let V be the set of variables occurring in F. Then
Moreover, both the number of gates of $C_F$ and the running time of the synthesis procedure are polynomial in the number of symbols of F. The number of input variables of C is the same as that of F and the number of C's state variables is proportional to the number of symbols of F.
Reduction from Sequential Circuits to QFPAbit
Let C be a sequential circuit with an underlying combinational circuit Let U be the set of all gates of K other than those corresponding to the output variables and state variables of C. We will pretend that the elements of U can be used as identifiers for QFPAbit variables and construct a QFPAbit formula with variables $\{v_1, \ldots, v_n, q_1, \ldots, q_m, o_1, \ldots, o_l\} \cup U$, such that for every satisfying assignment, the two's complement encodings of the values of the variables describe the evolution of the values of the corresponding variables and gates in a run of C. Although the QFPAbit variables have the same names as the variables and gates of the circuit, it should be clear from the context which ones we mean. We will refer to the values of the gates and inputs of the automaton in the k-th clock cycle by
, the values of all the gates in U will be $x(k)$, the output variables will be $o_1(i), \ldots, o_l(i)$ and the outputs corresponding to state variables at that cycle will be denoted $q_1(i+1), \ldots, q_m(i+1)$, because they serve as inputs for the next cycle. We start the numbering of clock cycles from 0.
We will be abusing notation slightly by writing $\sigma(v)(x_1, \ldots, x_k)$ for some gate v and boolean values $x_1, \ldots, x_k$ to mean the application of the boolean function represented by σ(v) to $x_1, \ldots, x_k$. Then for all $j \in \{1, \ldots, m\}$, $k \in \{1, \ldots, l\}$, $x \in U$ and all $i \in \{0, \ldots, N-1\}$, where N is the length of the input word, the run of C on that input word is characterized by the following four equations:
where, just like in our definition of a combinational circuit, Γ(v) denotes the part of the neighborhood of a gate v connected to it with incoming edges, and Γ(v)(i) denotes a vector of values of these nodes in clock cycle i. We next build a QFPAbit formula for which every satisfying evaluation is such that the reverse of the bit-sequences of the values it assigns to the variables conform to the above conditions. Since C treats all numbers as starting with the most significant bit, in our QFPAbit representation this will be reversed and hence $x(0)$, $q_j(0)$ and $o_k(0)$ will refer to the least significant bits of the encoding of the values of the variables.
For any gate v of K, let $\sigma_v$ be the formula obtained by applying the bit-vector logical operator corresponding to σ(v) to the variables in Γ(v). Then the following formula can be used to describe the evolution of the digits of $q_j$:
The justification is as follows. Taking the bitwise disjunction of a number with 1 or 0 preserves all the digits except the least significant one, which is set to 1 or 0 respectively. Multiplication by 2 induces a shift to the left of the two's complement encoding of a number. Hence the above formula establishes that every bit of $q_j$ is equal to the next bit of $\sigma_{q_j}$ except for the first (least significant) one, which is equal to $I(q_j)$. This ensures that equations (1) and (4) are satisfied.
Similarly, the formulas $o_j = \sigma_{o_j}$ and $x = \sigma_x$ assert that the reverse binary encodings of $o_j$ and x, for some $x \in U$, correspond to their values in the run of C on the given input as described by equations (3) and (2).
Since the most significant digit in a two's complement encoding can be replicated without changing the value of the represented number, QFPAbit formulas have the property that the last letter of a word in a formula's language can be repeated arbitrarily many times to obtain another word inside the language. In the underlying circuit, this would translate to a "blindness" towards the repetition of the initial input letter, which is a property that not all circuits have. In general we cannot find a formula whose language contains exactly those words whose reverse encodes a run of the circuit.
The way to treat this problem is to construct a formula that contains a clause saying "the variables are only simulating the circuit for a finite number of steps and then are allowed to deviate". That way we obtain a formula for which to every possible satisfying evaluation corresponds a word describing the run of the circuit. However, each such valuation will also represent an infinite number of longer incorrect descriptions of a run of the circuit.
For succinctness, let $\Delta_{q_j} \equiv 2\sigma_{q_j} \vee I(q_j)$. Let y be a fresh variable and consider the formula
The subformula $1 + ((y-1) \vee y) = 2y \wedge y > 1$ asserts that y is a power of two, say $y = 2^k$, and that k is at least 1. Therefore the two's complement encoding of $(y-1)$ is $\langle 0, \ldots, 0, 1, \ldots, 1 \rangle_{\mathbb{Z}}$ with an arbitrary number of zeros and exactly k ones. So the clauses of the form $(T_1 \wedge (y-1)) = (T_2 \wedge (y-1))$ assert that the k least significant digits of $T_1$ and $T_2$ are the same. The rest of the digits can be arbitrary.
k and the reverse encoding of the values of the variables describes the run of C on the reverse of w. Now suppose that C accepts w. This happens if and only if in the last, k-th, clock cycle the value of the output bit is one. But this is if and only if the first digit of the value of o in $F_C$ is one. Therefore the described evaluations satisfy $F_C$ if and only if C accepts w. This means that the language of C is non-empty if and only if $F_C$ is satisfiable.
To summarize, we have described polynomial-size translations between QFPAbit and sequential circuits going both ways. For every QFPAbit formula we can construct a sequential circuit recognizing the same language. For every sequential circuit we can construct a QFPAbit formula that contains variables representing inputs, outputs and state variables of the circuit, and it is satisfied only by valuations that assign these variables values whose binary encoding in reverse describes an initial portion of the evolution of the circuit's variables during a run. If the circuit has only one output then it is an acceptor circuit and in this case we can construct a QFPAbit formula which is satisfiable if and only if the language of the SC is non-empty. Moreover, the formula will accept a language such that for every word w in this language, an initial part of w projected onto the input variables and reversed is a word in the language of the SC.
From Specification Circuits to Transducer Circuits
Given a specification written as a QFPAbit formula, we have shown how to build a specification circuit of a size linear in the size of the formula. Provided that the variables of the formula, and thus the inputs of the automaton, are partitioned into two groups, ī and ō, interpreted as the inputs and the outputs of the synthesized function, we will now show how to construct a set of circuits that will work as a transducer, i.e. given a word from the "ī-projection" of the language, produce an output word from the "ō-projection" of the language such that together they satisfy the specification, if such an output word exists. The structure of our algorithm is similar to the one presented in [4]. Our use of the word "transducer" does not refer to the traditional notion of Finite State Transducers, but to a more complicated machine with the following main features. Our transducer reads the whole input twice. The first time from the beginning to the end to generate the exhaustive run of the projection of the specification circuit onto the input variables, and the second time backwards, determining concrete states and output letters within the exhaustive run. In the meantime it uses an amount of memory proportional to the length of the input. This allows us to express functions for which it is not possible to determine the output before reading the entire input, which is needed to obtain complete synthesis for QFPAbit.
In contrast to [4], we will be using sequential circuits instead of automata. This more concrete implementation allows us to perform an optimization that will ensure that the presence of large integer constants in the formula does not necessarily cause a blow-up in the size of the transducer proportional to the value of that constant, as was the case with the previous approach. Moreover, even if a state-space expansion does occur, the size of our circuits is guaranteed to be singly-exponential in the size of the specification formula. No such bound on the size of the automata was provided in [4].
In Section 4.2 we study two more optimization techniques: how to exploit the circumstance when the specification formula is either a conjunction or a disjunction of sub-formulas to build the transducer as a composition of smaller transducers.
Definition 3. Given a (non-)deterministic automaton $A = (\Sigma_V, Q, init, F, T)$ over variables V and a set I ⊂ V, the projection of A to I, denoted by $A_I$, is the nondeterministic automaton $(\Sigma_I, Q, init, F, T_I)$ with
Since it is natural to view a sequential circuit as a DFA, we also allow ourselves to talk about projections of sequential circuits.
Definition 4. The exhaustive run ρ of an automaton A = (Σ, Q, init, F, T) on a word $w \in \Sigma^*$ is a sequence of sets of states $S_1, \ldots, S_{|w|+1}$ such that (i) $S_1 = init$ and (ii) for all $1 \le i \le |w|$, $S_{i+1} = \{q' \in Q \mid \exists q \in S_i.\ (q, w_i, q') \in T\}$.
Suppose the specification circuit is a sequential circuit C with input variables ī ∪ ō, state variables q̄ and one output variable determining the acceptance. Here by each of ī, ō and q̄ we actually mean vectors of variables n, l and m bits wide respectively. We will also be using ī, ō and q̄ to denote the sets of individual variables comprising each of the vectors.
We now partition the state variables as follows. We let s̄ be the largest set of state variables such that the value of each of them in the (N + 1)-st clock cycle depends only on the values of ī and the state variables inside s̄ in the N-th clock cycle. In particular, they do not depend on the values of ō. We denote all the other state variables as r̄ and we will assume that r̄ is a vector of width $m_1$ and s̄ is of width $m_2$.
The set s̄ can be determined by exploring the graph of dependencies amongst the variables of q̄ and ō. We can determine whether a formula ϕ(x), for example one defining the value of a $q_j$ in the next clock cycle, depends on a variable x, which it contains, by using a SAT-solver to check whether the formula ϕ(true) ↔ ϕ(false) is valid.
We will now describe the operation of our transducer, which consists of three circuits that we call C′, φ and τ. Circuit φ is a combinational circuit and the other two are sequential. Their roles are analogous to those of the deterministic automaton A and functions φ and τ in [4]. Our specification circuit C fulfills the responsibility of the specification automaton A used in [4].
C′ performs two tasks. First, it runs the part of C that computes the sequence of values of s̄ as C consumes ī. In parallel with this, C′ also simulates the exhaustive run of the projection of C onto the input variables ī. So running C′ with the sequence of values for ī as input will generate a sequence of values for s̄ together with a sequence of sets of possible values for the rest of the state variables, which are r̄. We will store this trace in a memory from which it can later be read in the reversed order.
This separation of sets s̄ and r̄ is one of the main improvements in our approach over previous work. It takes advantage of the simple idea that when projecting a deterministic automaton onto a subset of its input variables, it is possible that the transitions within a subset of the states of the automaton remain deterministic even with the restricted alphabet, and hence that part of the automaton does not need to go through an exponential expansion due to the projection. This optimization applies in particular in the case when the specification formula contains division of a term that is completely determined by ī-variables by a power of 2. An intuitive explanation is the following. The specification circuit for the formula $x = 2^k t$ verifies whether the encoding of x is a copy of the encoding of t shifted to the left by k bits. Therefore it needs k state variables to remember the past k bits of x. The values of these k state variables are independent of t and hence if x is an ī-variable, which means that we are performing division, then these k state variables will belong to s̄ and they will not participate in the state-space explosion of C′. On the other hand, this optimization does not apply if x is an ō-variable, i.e. when we are performing multiplication.
The purpose of φ is to find inside the last stored set of possible states for r̄ one which is, combined with the last stored value of s̄, an accepting state of C.
Eventually, we run τ, which reconstructs a whole accepting run of C by tracing backwards through the stored exhaustive run of its projection onto the input variable set ī, using the accepting state determined by φ as a starting point. During this backward run it constructs a sequence of ō letters that is the final output of the transducer.
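The two-pass operation described above, as an added example (not code from the paper or its prototype). It works on explicit sets of states rather than circuits, and it assumes a constructed specification o = ⌊i/2⌋ over unsigned, least-significant-bit-first words with accepting states instead of an output bit; the names shift_spec, exhaustive_run and synthesize are hypothetical.

```python
START = -1  # state before any output bit has been chosen


def shift_spec(exact):
    """Constructed specification automaton over letters (i_bit, o_bit).

    The state remembers the previous o bit; bit j of i must equal bit j-1
    of o, so the relation is o = floor(i / 2). With exact=True the lowest
    bit of i must be 0, i.e. i = 2 * o.
    """
    def delta(q, i_bit, o_bit):
        if q == START:
            if exact and i_bit != 0:
                return None          # dead: i is odd
        elif i_bit != q:
            return None              # dead: the guessed o bit was wrong
        return o_bit

    def accepting(q):
        return q == 0                # top o bit must be 0 (unsigned words)

    return delta, accepting


def exhaustive_run(delta, inputs):
    """First pass: sets of states reachable on the input projection."""
    trace = [frozenset([START])]
    for i_bit in inputs:
        successors = set()
        for q in trace[-1]:
            for o_bit in (0, 1):     # try every possible output letter
                nxt = delta(q, i_bit, o_bit)
                if nxt is not None:
                    successors.add(nxt)
        trace.append(frozenset(successors))
    return trace


def synthesize(delta, accepting, inputs):
    """Second pass: pick an accepting final state, then walk the stored
    trace backwards choosing a predecessor state and an output letter."""
    trace = exhaustive_run(delta, inputs)
    finals = [q for q in sorted(trace[-1]) if accepting(q)]
    if not finals:
        return None                  # no output satisfies the specification
    target = finals[0]
    outputs = []
    for step in range(len(inputs) - 1, -1, -1):
        target, o_bit = next(
            (q, o)
            for q in sorted(trace[step])
            for o in (0, 1)
            if delta(q, inputs[step], o) == target
        )
        outputs.append(o_bit)        # produced in reverse order
    outputs.reverse()
    return outputs


def to_bits(n, width):
    """Unsigned value to an LSB-first bit list of the given width."""
    return [(n >> k) & 1 for k in range(width)]


def from_bits(bits):
    return sum(b << k for k, b in enumerate(bits))


if __name__ == "__main__":
    delta, accepting = shift_spec(exact=False)
    word = to_bits(13, 5)
    print(exhaustive_run(delta, word))
    print(from_bits(synthesize(delta, accepting, word)))
```

After the first input letter the stored set already contains both states 0 and 1: the first output bit cannot be fixed until the next input bit is read, which is why the second, backward pass is needed.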
Implementation of C′, φ and τ as Circuits
For C′, consider the circuit in the figure in Appendix A, which has state variables $R_1, \ldots, R_{2^{m_1}}$ and s̄, and no outputs.
Let $C_1$ and $C_2$ denote the sub-circuits of C for computing r̄ and s̄ respectively. In the figure, we denote the corresponding combinational circuits behind these SCs by $K_1$ and $K_2$. We let $C_{\bar{i}}$ be the projection automaton obtained from $C_1$ by projecting it onto the ī-variables. The intended meaning of the state variables $R_1, \ldots, R_{2^{m_1}}$ of C′ is that $R_k$ is set to true if and only if at that point the non-deterministic automaton $C_{\bar{i}}$ could be in the state number k. Since there are exactly $2^{m_1}$ possible states of $C_{\bar{i}}$, we can make some arbitrary assignment of the possible states of $C_{\bar{i}}$ to the $R_k$'s. Initially, A is in a state where all variables $R_k$ are 0 except for one, corresponding to the initial state of $C_{\bar{i}}$. The initial value of s̄ is also determined by the given initial state of C.
The $\bar{r}_i$ and $\bar{o}_j$ denoted in italics represent constant bit-vectors given as input to each of the $2^{m_1+l}$ copies of $C_1$. The indexes are assigned so that $\bar{r}_j$ is the assignment of state variables of $C_{\bar{i}}$ corresponding to the state which is represented by $R_j$. Hence each of the $C_2$-subcircuits produces an outcome r̄-state for a given combination of a previous state and values for the ō-variables. Each of the AND-like gates with an $R_k$ inscription is understood to have negations at an appropriate combination of its inputs, so that it returns true if and only if its input r represents the r̄-state corresponding to $R_k$ and also the incoming signal from the state variable $R_j$ is true. This last condition has the effect of considering the output only of those sub-circuits for which the input state $\bar{r}_j$ is actually one of the possible states in the exhaustive run of $C_{\bar{i}}$ at the moment.
The last layer of ordinary OR-gates just has the effect that if any of the possible combinations of an active previous state and an ō-letter produces the state corresponding to $R_k$ then $R_k$ is set to one in the next cycle. The main idea of this circuit is that for every state of C that is possible at the present clock cycle, it tries every possible ō-letter to produce the set of all possible states in the next clock cycle. Now assume that the sequence of states this circuit goes through while reading an input word is saved in a memory from where it can readily be read in the reverse order. Recall that φ is supposed to find an accepting state of C amongst the possible states encoded in the last state of C′, that is, in the combination of the "exhaustive state" of $C_{\bar{i}}$ encoded by $R_1, \ldots, R_{2^{m_1}}$ and the deterministic part of the state, s̄. A slight divergence between deterministic automata used in [4] and our variant of sequential circuits is that whether the circuit accepts depends not only on the current value of its state variables but also on the value of all its inputs: the circuit accepts simply when it outputs a 1. To account for this, our φ circuit has to choose both a state from amongst the states possible in the penultimate clock cycle of the run of C′, and a suitable ō-letter, such that the resulting state is accepting. If such a state and ō-letter do not exist, the user is notified that for the given sequence of values for the ī-variables there exists no satisfying sequence of values for the ō-variables. The implementation of φ is a circuit very similar to that for C′, also containing $2^{m_1+l}$ copies of $K_1$. However, since it only needs to be run for one clock cycle, it is a combinational circuit rather than a sequential one.
Finally, we use a very similar circuit for the function τ. In each clock cycle, it takes as input a transition S, ī, S′ of C′ and a state q̄′ ∈ S′ and generates a state q̄ ∈ S and an output symbol ō such that there is a valid transition in C from q̄ to q̄′ while reading the letter obtained by combining ī with ō. This is again implemented by guessing combinations of an appropriate ō-letter and r̄-state, so τ consists of $2^{m_1+l}$ copies of $K_1$ and some servicing circuitry. The output of τ and also the final output of the transducer is the sequence of ō letters. Notice that it comes in the reverse order with respect to ī.
Constructing Transducer as a Composition of Transducers for Sub-formulas
Suppose that the specification formula F on its highest level is a disjunction of subformulas ϕ 1 , ...ϕ k . Then we can build a transducer for each of them separately and run them in parallel. If for a given input any of the transducers finds an output satisfying the sub-formula corresponding to that transducer, say ϕ i , then this output can be taken to be the global output. If ϕ i mentions only a subset of the output variables then values for the remaining ones can be picked arbitrarily.
If the specification formula, on the other hand, is a conjunction of sub-formulas, then we also have to mind dependencies between the variables.
Definition 5. We say that a QFPAbit formula ψ over variables V uniquely determines a set of variables x as a function of a set of variables ȳ, if for any partial valuation val ȳ : ȳ → Z that only assigns values to the variables of ȳ, the set of satisfying valuations of ψ that extend val is non-empty and all of them give all the variables in ō the same values.
If the specification formula F is a conjunction of sub-formulas ϕ 1 , ..., ϕ k , we can apply the following reasoning. Suppose that there exists ō ⊆ ō such that some ϕ j uniquely determines the values of ō as a function of ī. Now suppose that val : ī ∪ ō → Z is a satisfying valuation for F . Then, in particular, it is a satisfying valuation for ϕ j and it assigns ō the same values as any satisfying valuation of ϕ j that gives the ī's the same values as val.
This means that we can build an independent transducer for ϕ j and use its output to fix the values of ō in F , allowing us to build a smaller transducer for the rest of the variables. Notice that the values that the transducer for ϕ j computes for those variables that have not been proven to be uniquely determined by ī must be ignored, because their values need not be a part of a satisfying valuation for the rest of F .
In practice, we can use this fact to construct a sequence of transducers with increasing number of ī variables and decreasing number of ō variables. We scan through the list of conjuncts of F and whenever we find one, say ϕ j , in which some subset of ō variables is uniquely determined by the ī variables, we build a transducer for it, reclassify the uniquely determined ō-variables to ī-variables in F and repeat the process, wiring the appropriate outputs of the transducer for ϕ j to become the inputs of the next transducer. If it turns out that in a particular conjunct, all the occurring ō-variables are uniquely determined, this whole conjunct can be removed from F .
Notice that for regularly occurring conjuncts of a standard form, like for example equality assertions involving standard arithmetical operations, we will not have to invoke the general transducer-synthesis method described at the beginning of this section. Instead, we can use potentially more efficient pre-computed circuits loaded from a library. This can, for example, be applied in the case when the conjunct asserts that an o-variable is a constant multiple of a term that is uniquely determined by the ī variables.
The length of the resulting sequence of transducers is at most quadratic in the number of ō variables, which can be seen by inspecting the running time of the trivial algorithm that loops through the conjuncts in an arbitrary fixed order and halts when during an iteration examining all the conjuncts it cannot reclassify any new ō-variables to ī-variables.
Obviously, this optimization is useful only if the specification formula F is in fact a conjunction containing conjuncts that do have the property of uniquely determining some of the ō-variables as a function of the ī variables. As discussed in Section 3.1, before building the specification circuit we first pre-process the input formula, so that the formula that is eventually used for building the circuit is
where each of the ϕ i has one of the following forms: (i) x = 2^k t; (ii) x = c; (iii) s = x + y; (iv) T 1 = T 2 , where x, y, t, s are variables, c is an integer constant and T 1 , T 2 are terms built out of variables and bit-vector logical operations. F is a boolean combination of atoms of similar forms, but at the present time we do not have methods for investigating variable dependencies in non-atomic formulas.
On the other hand, for each of the ϕ j 's we can exactly determine which ō-variables are uniquely determined by the ī-variables. In case (i), if at least one of the variables present is an ī-variable then the other is determined. In case (ii), variable x is determined, and in case (iii), if at least two of the variables are ī-variables then the last one is determined. In case (iv), since T 1 and T 2 contain only variables and bit-vector logical operations, the equality holds exactly if the propositional formulas corresponding to T 1 and T 2 evaluate to the same boolean value in every clock cycle. Therefore it is enough to investigate which ō variables are uniquely determined by the ī variables in the propositional formula T 1 ↔ T 2 , where T 1 and T 2 are propositional formulas obtained from T 1 and T 2 by replacing the bit-vector logical operators by standard boolean operators and treating the QFPAbit variables as propositional variables.
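The scan over conjuncts described above can be sketched as follows. This is an added example, not the prototype's code: the tuple encoding of conjuncts, the function names and the sample formula SPEC are assumptions made for illustration, and form (iv) is checked by brute force over the propositional variables following Definition 5.

```python
from itertools import product

def fixed_by_prop(eq, names, inputs):
    """Form (iv): outputs that the propositional equality eq fixes (Definition 5)."""
    ins = [v for v in names if v in inputs]
    outs = [v for v in names if v not in inputs]
    fixed = set(outs)
    for iv in product((0, 1), repeat=len(ins)):
        env = dict(zip(ins, iv))
        sols = [ov for ov in product((0, 1), repeat=len(outs))
                if eq({**env, **dict(zip(outs, ov))})]
        if not sols:                      # an input valuation with no extension
            return set()
        fixed &= {o for i, o in enumerate(outs) if len({s[i] for s in sols}) == 1}
    return fixed

def determined(conjunct, inputs):
    """Output variables of one atomic conjunct that the inputs determine."""
    kind, names = conjunct[0], conjunct[1]
    known = sum(v in inputs for v in names)
    free = set(names) - inputs
    if kind == "const":                   # (ii) x = c
        return free
    if kind == "shift":                   # (i) x = 2^k t
        return free if known >= 1 else set()
    if kind == "sum":                     # (iii) s = x + y
        return free if known >= 2 else set()
    return fixed_by_prop(conjunct[2], names, inputs)   # (iv) T1 = T2

def schedule(conjuncts, inputs):
    """Repeat passes over the conjuncts until no output can be reclassified."""
    inputs, stages, changed = set(inputs), [], True
    while changed:
        changed = False
        for c in conjuncts:
            new = determined(c, inputs)
            if new:
                stages.append((c[0], sorted(new)))
                inputs |= new
                changed = True
    return stages, inputs

# Constructed formula, inputs x and y: w = v xor x, v = 2^3 u, u = x + y, k = 5
SPEC = [("bv", ["w", "v", "x"], lambda e: e["w"] == e["v"] ^ e["x"]),
        ("shift", ["v", "u"]),
        ("sum", ["u", "x", "y"]),
        ("const", ["k"])]

if __name__ == "__main__":
    for kind, outs in schedule(SPEC, {"x", "y"})[0]:
        print(kind, "determines", outs)
```

The conjuncts are listed in an unfavourable order on purpose, so the scan needs three productive passes before every output has been reclassified as an input.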
Example. We demonstrate the usefulness of this optimization technique on an example. Let us forget for a moment that our language contains an out-of-the-box plus operator and suppose we would like to synthesize a function for performing addition and outputting the sequence of carry bits at the same time. It can be specified in QFPAbit as follows.
(s = x⊕y⊕c) ∧ (c = 2((x∧y)∨(x∧c)∨(y∧c)))
where x and y are designated as inputs and s and c are outputs representing the sum and the sequence of carry bits respectively. Clearly, the right-hand conjunct determines c uniquely, given values for x and y. Our prototype implementation is able to detect this and builds a transducer which is a composition of two parts: one for the right-hand conjunct, which computes the value of c given values for x and y, and one for the left-hand conjunct that computes the value of s given values for x, y and c. Due to this factorisation, the total number of gates in all the circuits involved is 7.2× smaller than when we enforce the building of a single monolithic transducer for the whole formula.
To conclude the discussion of this optimization technique, let us look closer at how it applies to those ϕ j 's that are of form x = 2^k t. Because of the way these conjuncts originate during the pre-processing of the specification formula, often both x and t are output variables. If after inspecting some other conjuncts we manage to specify one of them as an input variable, the other is immediately determined by it and we will be able to remove this conjunct from the formula and construct an efficient transducer for it. We can summarize this in the following lemma.
Lemma 1. Suppose that the original formula, before pre-processing, contains multiplication by a constant c in a context of the form T 1 [cT ] = T 2 such that either all the ō-variables occurring in T are uniquely determined by the ī-variables, or the ō-variables of T occur nowhere else in T 1 and T 2 and the value of a fresh variable x is uniquely determined in the formula T 1 [x] = T 2 . Then the total size of all the circuits of the transducer obtained by the procedure described in this section will be proportional to the logarithm of c.
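The two-part composition from this example can be checked on concrete integers. The code below is an added illustration, not the prototype's generated circuits: it assumes non-negative inputs, processes bits least-significant first in a plain loop rather than through the reversed-order transducer construction, and all function names are hypothetical.

```python
def maj(x, y, c):
    """Bitwise majority, the term (x∧y)∨(x∧c)∨(y∧c) of the specification."""
    return (x & y) | (x & c) | (y & c)

def spec(x, y, s, c):
    """The specification from the example, evaluated on Python integers."""
    return s == x ^ y ^ c and c == 2 * maj(x, y, c)

def carry_stage(x, y):
    """Part for the right-hand conjunct: one carry bit per clock cycle."""
    c, carry, i = 0, 0, 0
    while (x >> i) or (y >> i) or carry:
        c |= carry << i                   # carry into position i
        xi, yi = (x >> i) & 1, (y >> i) & 1
        carry = maj(xi, yi, carry)        # carry into position i + 1
        i += 1
    return c

def sum_stage(x, y, c):
    """Part for the left-hand conjunct, with c reclassified as an input."""
    return x ^ y ^ c

def adder(x, y):
    """Composition: the output of the carry part is wired into the sum part."""
    c = carry_stage(x, y)
    return sum_stage(x, y, c), c

def carries_unique(width):
    """Brute force: every x, y < 2^width admits exactly one c < 2^(width+1)."""
    return all(sum(c == 2 * maj(x, y, c) for c in range(2 ** (width + 1))) == 1
               for x in range(2 ** width) for y in range(2 ** width))

if __name__ == "__main__":
    s, c = adder(3, 1)
    print(s, bin(c), spec(3, 1, s, c))
```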
Conclusion
We have presented a synthesis procedure that starts from a QFPAbit description of an input/output relation, generates a sequential circuit of polynomial size, and then transforms this circuit into a synthesized system of sequential circuits that maps a sequence of inputs into a sequence of outputs.
The described synthesis procedure improves on the previous work by two independent optimizations. We have built a prototype implementation that allowed us to show on examples that these techniques work and are important.
