In automated synthesis, given a specification, we automatically create a system that is guaranteed to satisfy the specification. In the classical temporal synthesis algorithms, one usually creates a "flat" system "from scratch". However, real-life software and hardware systems are usually created using preexisting libraries of reusable components, and are not "flat" since repeated sub-systems are described only once.
Introduction
In formal verification and design, synthesis is the automated construction of a system from its specification. The basic idea is simple and appealing: instead of developing a system and then verifying that it is correct w.r.t. its specification, we use an automated procedure that, given a specification, builds a system that is correct by construction.
The first formulation of synthesis goes back to Church [20] . Later works on synthesis considered first closed systems, where the system is extracted from a constructive proof that the specification is satisfiable [28, 41] . In the late 1980s, Pnueli and Rosner [47] realized that such a synthesis paradigm is not of much interest when applied to open systems [31] (also called reactive systems [16, 37] ). Differently from closed systems, an open system interacts with an external environment and its correctness depends on whether it satisfies the specification with respect to all allowable environments. If we apply the techniques of [28, 41] to open systems, we obtain a system that is correct only with respect to some specific environments. In [47] , Pnueli and Rosner argued that the right way to approach synthesis of open systems is to consider the framework as a possibly infinite game between the environment and the system. A correct system can be then viewed as a winning strategy in this game, and synthesizing a system amounts to finding such a strategy.
The Pnueli and Rosner idea can be summarized as follows. Given sets Σ I and Σ O of inputs and outputs, respectively (usually, Σ I = 2^I and Σ O = 2^O, where I is a set of input signals supplied by the environment and O is a set of output signals), one can view a system as a strategy P : Σ to external nondeterminism, caused by different possible inputs. Thus, the tree has a fixed branching degree |Σ I |, and it embodies all the possible inputs (and hence also computations) of P. When we synthesize P from a linear temporal logic formula ϕ we require ϕ to hold in all the paths of P's computation tree. However, in order to impose possibility requirements on P we have to use a branching-time logic like µ-calculus. Given a branching specification ϕ over Σ I ∪ Σ O , realizability of ϕ is the problem of determining whether there exists a system P whose computation tree satisfies ϕ. Correct synthesis of ϕ then amounts to constructing such a P. The above synthesis problem for linear-time temporal logic (LTL) specifications was addressed in [47], and for µ-calculus specifications in [26]. In both cases, the traditional algorithm for finding the desired P works by constructing an appropriate computation tree-automaton that accepts trees that satisfy the specification formula, and then looking for a finitely-representable witness to the non-emptiness of this automaton. Such a witness can be easily viewed as a finite-state system P realizing the specification.
In spite of the rich theory developed for system synthesis in the last two decades, little of this theory has been lifted to practice. In fact, apart from very recent results [14, 24, 51] , the main classical approaches to tackle synthesis in practice are either to use heuristics (e.g., [30] ) or to restrict to simple specifications (e.g., [44] ). Some people argue that this is because the synthesis problem is very expensive compared to model-checking [36] . There is, however, something misleading in this perception: while the complexity of synthesis is given with respect to the specification only, the complexity of model-checking is given also with respect to a program, which can be very large. A common thread in almost all of the works concerning synthesis is the assumption that the system is to be built from "scratch". Obviously, real-world systems are rarely constructed this way, but rather by utilizing many preexisting reusable components, i.e., a library. Using standard preexisting components is sometimes unavoidable (for example, access to hardware resources is usually under the control of the operating system, which must be "reused"), and many times has other benefits (apart from saving time and effort, which may seem to be less of a problem in a setting of automatic -as opposed to manual -synthesis), such as maintaining a common code base, and abstracting away low level details that are already handled by the preexisting components. Another reason that may account for the limited use of synthesis in practice is that many designers find it extremely difficult and/or unnatural to write a complex specification in temporal logic. Indeed, a very common practice in the hardware industry is to consider a model of the desired hardware written in a high level programming language like ANSI-C to be a specification (a.k.a "golden model") [45] . 
Moreover, even if a specification is written in temporal logic, the synthesized system is usually monolithic and looks very unnatural from the system designer's point of view. Indeed, in classical temporal synthesis algorithms one usually creates in one step a "flat" system, i.e., a system in which sub-systems may be repeated many times. On the contrary, real-life software and hardware systems are built step by step and are hierarchical (or even recursive) having repeated sub-systems (such as sub-routines) described only once. While hierarchical systems may be exponentially more succinct than flat ones, it has been shown that the cost of solving questions about them (like model-checking) are in many cases not exponentially higher [6, 7, 29] . Hierarchical systems can also be seen as a special case of recursive systems [3, 4] , where the nesting of calls to sub-systems is bounded. However, having no bound on the nesting of calls gives rise to infinite-state systems, and this may result in a higher complexity, especially when we have a bound that is small with respect to the rest of the system. builds a system by iteratively constructing new modules based on previously constructed ones 1 . More specifically, we start the synthesis process by providing the algorithm with an initial library L 0 of available hierarchical components (transducers), as well as atomic ones. We then proceed by synthesizing in rounds. At each round i, the system designer provides a specification formula ϕ i of the currently desired hierarchical transducer, which is then automatically synthesized using the currently available transducers as possible sub-components. Once a new transducer is synthesized, it is added to the library to be used by subsequent iterations. The hierarchical transducer synthesized in the last round is the desired system.
Observe that it is easily conceivable that if the initial library L 0 contains enough atomic components then the synthesis algorithm may use them exclusively, essentially producing a flat system. We thus have to direct the singleround synthesis algorithm in such a way that it produces modular, and not flat, results. The question of what makes a design more or less modular is very difficult to answer, and has received many (and often widely different) answers throughout the years (see [43] for a survey). We claim that some very natural modularity criteria are regular, and show how any criterion that can be checked by a parity tree automaton can be easily incorporated into our automata-based synthesis algorithm.
It is our belief that this approach carries with it many benefits. First, the resulting system can be quite succinct due to its hierarchical nature, as demonstrated by the chronograph example above. Second, we are certain that most designers will find it easier to write a series of relatively simple specification formulas than to write one monolithic formula describing, in one shot, the end result. Third, after each round the synthesized component can be tested and verified in isolation to gain confidence that there were no mistakes in the specification (or a bug in the synthesizer). Testing and verification of intermediate modules can be much easier due to their smaller size, and design errors can be discovered at an earlier stage. Also, the effort spent on such intermediate modules is a one-time investment, as these modules can be reused in more than one project. Finally, the structure of the resulting system follows much more closely the high-level view that the designer had in mind, increasing his confidence in, and understanding of, the resulting system.
We show that while hierarchical systems may be exponentially smaller than flat ones, the problem of synthesizing a hierarchical system from a library of existing hierarchical systems is EXPTIME-complete for µ-calculus, and 2EXPTIME-complete for LTL. Thus, this problem is not harder than the classical synthesis problem of flat systems "from scratch". Furthermore, we show that this is true also in the case where the synthesized system has incomplete information about the environment's input.
The most technically challenging part of the hierarchical synthesis algorithm presented above is the algorithm for performing the synthesis step of a single round. As stated before, in the classical automata-theoretic approach to synthesis [47], synthesizing a system is reduced to the problem of finding a regular tree that is a witness to the non-emptiness of a suitable tree automaton. Here, we also reduce the synthesis problem to the non-emptiness problem of a tree automaton. However, unlike the classical approach, we build an automaton whose input is not a computation tree, but rather a system description in the form of a connectivity tree (inspired by the "control-flow" trees of [39]), which describes how to connect library components in a way that satisfies the specification formula. Essentially, every node in a connectivity tree is labeled by some transducer from the library, and the sons of each node correspond to the different exits this library transducer has. Thus, for example, if a node y labeled by K has a son, corresponding to exit e of K, that is labeled by K', then it means that the exit state e of K should be connected to the (single) entry of K'.
Given a library of hierarchical transducers, and a temporal logic specification ϕ, our single-round algorithm builds a tree automaton A T ϕ such that A T ϕ accepts a regular connectivity tree T iff it induces a hierarchical transducer K that satisfies ϕ. Given ϕ, it is well known how to build an automaton A ϕ that accepts all trees that satisfy ϕ [27, 36] . Hence, all we need to do is to have A T ϕ simulate all possible runs of A ϕ on the computation tree of K. However, this is not easy since A T ϕ has as its input not the computation tree of K, but a completely different tree -the connectivity tree T describing how K is composed from library transducers.
The basic idea is that a copy of A T ϕ that reads a node y of T labeled by a library transducer K can simulate A ϕ on the portion of the computation tree of K until an exit of K is reached. When such an exit is reached T is consulted to see to which library transducer the computation proceeds from that exit, and the simulation continues. Unfortunately, a direct implementation of this idea would result in an algorithm whose complexity is too high. Indeed, it is important to keep the size of A T ϕ independent of the size of the transducers in the library and, on-the-fly simulation of the runs of A ϕ on the computation trees of the library transducers would require an embedding of these transducers inside A T ϕ . The key observation at the heart of our solution to this problem is that while simulating A ϕ on the computation tree of a library transducer K , no input is consumed by A T ϕ until an exit of K is encountered. Hence, we can perform these portions of the simulation off-line (thus circumventing the need to incorporate a copy of K into A T ϕ ) and incorporate a suitable summary of these simulations into the transition relation of A T ϕ . The difficult problem of summarizing the possibly infinitely many infinite runs of A ϕ on the computation tree of every library transducer K , in a way which is independent of the size of this transducer, is made possible by a suitable adaptation of the summary functions used in [7] in order to summarize the possible moves in hierarchical sub-arenas of hierarchical parity games.
Related work. The issues of specification and correctness of modularly designed systems have received fair attention in the formal verification literature. Examples of important works on this subject are [12, 13, 21, 38, 50]. Recently, synthesis of finite state systems has been gaining more and more attention as new achievements have significantly improved its practical applicability. Prominent results in this respect have been reported in [14, 24, 51]. In [24], a Safraless synthesis approach using BDDs as the state space representation has been fruitfully investigated. This approach significantly reduces the system state representation and improves the performance of previous approaches to full LTL synthesis. In [51], an improved game-theoretic approach to synthesis has been introduced, using an opportune decomposition of system properties. Specifically, the new algorithm considers safety and persistence system properties, which allow the synthesis game to be built and solved incrementally. Indeed, each safety and persistence property is used to gradually construct a parity game, and at each step an opportune refinement of the game graph is considered. At the end of the process a compact symbolic encoding of the parity game is produced; it is composed with the remaining LTL properties into one full game that is finally solved. The approach has been implemented in the tool Vis [18], as an extension of the technique described in [52], and compared in efficiency with other synthesis tools. Finally, in [14] a tool for solving the LTL realizability and synthesis problems, namely Acacia+, is presented. The tool uses recent approaches that reduce the synthesis problem to safety games, which can be solved efficiently by symbolic incremental algorithms based on antichains (instead of BDDs). The reduction to safety games offers a useful compositional approach for large conjunctions of LTL formulas.
All the papers reported above have in common the fact that the synthesis approach always starts from scratch. Recently, a number of works on automatic synthesis from reusable components have been proposed and shown to have practical applications in several scenarios, including robotics and multi-agent system behaviors [22, 23]. Generally speaking, these works are interested in synthesizing a system controller from existing components in order to satisfy a desired target behavior, where a component can be any object such as a device, an agent, a software or hardware item, or a workflow. Notably, the idea of composing and reusing components has been strongly and fruitfully exploited in several computer science fields such as Service Oriented Computing, under the name of "service composition" [1, 19].
The work on automatic synthesis from reusable components that is closest to our approach is the one done by Lustig and Vardi on LTL synthesis from libraries of (flat) transducers [39]. The technically most difficult part of our work is an algorithm for performing the synthesis step of a single round of the multiple-rounds algorithm. To this end we use an automata-theoretic approach. However, as stated before, unlike the classical approach of [47], we build an automaton whose input is not a computation tree but rather a system description in the form of a connectivity tree. Taken by itself, our single-round algorithm extends the "control-flow" synthesis work from [39] in four directions. (i) We consider not only LTL specifications but also the modal µ-calculus. Hence, unlike [39], where universal co-Büchi tree automata were used, we have to use the more expressive alternating parity tree automata. Unfortunately, this is not simply a matter of changing the acceptance condition. Indeed, in order to obtain an optimal upper bound, a widely different approach, which makes use of the machinery developed in [7], is needed. (ii) We need to be able to handle libraries of hierarchical transducers, whereas in [39] only libraries of flat transducers are considered. (iii) A synthesized transducer has no top-level exits (since it must be able to run on all possible input words), and thus its ability to serve as a sub-transducer of another transducer (in future iterations of the multiple-rounds algorithm) is severely limited - it is like a function that never returns to its caller. We therefore need to address the problem of synthesizing exits for such transducers. (iv) As discussed above, we incorporate into the algorithm the enforcing of modularity criteria.
Recently, an extension of [39] appeared in [40] , where the problem of Nested-Words Temporal Logic (NWTL) synthesis from recursive component libraries has been investigated. NWTL extends LTL with special operators that allow one to handle "call and return" computations [2] and it is used in [40] to describe how the components have to be connected in the synthesis problem. We recall that in our framework the logic does not drive (at least not explicitly) the way the components have to be connected. Moreover, the approach used in [40] cannot be applied directly to the branching framework we consider in this paper, as we recall that already the satisfiability problem for µ-calculus with "call and return" is undecidable even for very restricted cases [5] .
Structure of the article. The rest of this article is organized as follows. Section 2 contains the basic definitions used throughout the paper. In Section 3, we introduce hierarchical structures and transducers as well as their flat expansion. In Section 4.1, we give our hierarchical synthesis algorithm, and show how the single-round synthesis problem can be reduced to the automata setting with the help of connectivity trees. In Section 4.2, we discuss the problem of enforcing modularity. In Section 5, we use hierarchical two-player games to prove the correctness of our algorithm. In Section 6 we show how our algorithm can be adapted to address the problem of synthesizing hierarchical systems with incomplete information. Finally, in Section 7, we give a short summary.
Preliminaries
Trees. Let D be a set. A D-tree is a prefix-closed subset T ⊆ D * such that if x · c ∈ T , where x ∈ D * and c ∈ D, then also x ∈ T . The complete D-tree is the tree D * . The elements of T are called nodes, and the empty word ε is the root of T . Given a word x = y · d, with y ∈ D * and d ∈ D, we define last(x) to be d. For x ∈ T , the nodes x · d ∈ T , where d ∈ D, are the sons of x. A leaf is a node with no sons. A path of T is a set π ⊆ T such that ε ∈ π and, for every x ∈ π, either x is a leaf or there is a unique d ∈ D such that x · d ∈ π. For an alphabet Σ, a Σ-labeled D-tree is a pair ⟨T, V⟩ where T ⊆ D * is a D-tree and V : T → Σ maps each node of T to a letter in Σ.
Asymmetric alternating tree automata. Alternating tree automata are a generalization of nondeterministic tree automata [42] (see [36] , for more details). Intuitively, while a nondeterministic tree automaton that visits a node of the input tree sends exactly one copy of itself to each of the sons of the node, an alternating automaton can send several copies of itself (or none at all) to the same son. An (asymmetric) Alternating Parity Tree Automaton (APT) is a tuple A = Σ, D, Q, q 0 , δ, F , where Σ, D, and Q are non-empty finite sets of input letters, directions, and states, respectively, q 0 ∈ Q is an initial state, F is a parity acceptance condition to be defined later, and δ :
is an alternating transition function, which maps a state and an input letter to a positive Boolean combination of elements in D × Q. Given a set S ⊆ D × Q and a formula θ ∈ B + (D × Q), we say that S satisfies θ (denoted by S |= θ) if assigning true to elements in S and false to elements in (D × Q) \ S makes θ true. A run of an APT A on a Σ-labeled D-tree T = ⟨T, V⟩ is a (T × Q)-labeled IN-tree ⟨T r , r⟩, where IN is the set of non-negative integers, such that (i) r(ε) = (ε, q 0 ) and (ii) for all y ∈ T r , with r(y) = (x, q), there exists a set S ⊆ D × Q such that S |= δ(q, V (x)), and for every (d, q') ∈ S there is a son y' of y with r(y') = (x · d, q'). Given a node y of a run ⟨T r , r⟩, with r(y) = (z, q) ∈ T × Q, we define last(r(y)) = (last(z), q). An alternating parity automaton A is nondeterministic (denoted NPT) iff, when its transition relation is rewritten in disjunctive normal form, each disjunct contains at most one element of {d} × Q for every d ∈ D. An automaton is universal (denoted UPT) if all the formulas that appear in its transition relation are conjunctions of atoms in D × Q.
Symmetric alternating tree automata. A symmetric alternating parity tree automaton with ε-moves (SAPT) [32] does not distinguish between the different sons of a node, and can send copies of itself only in a universal or an existential manner. Formally, an SAPT is a tuple A = Σ, Q, q 0 , δ, F , where Σ is a finite input alphabet, Q is a finite set of states, partitioned into four sets, universal (Q ∧ ), existential (Q ∨ ), ε-and (Q (ε,∧) ), and ε-or (Q (ε,∨) ) states (we also write
is a transition function such that for all σ ∈ Σ, we have that δ(q, σ) ∈ Q for q ∈ Q ∨,∧ , and δ(q, σ) ∈ 2 Q for q ∈ Q ε , and F is a parity acceptance condition, to be defined later. In other words, the transition relation returns a single state, if the automaton is in an Q ∨,∧ state, and a set of states if it is instead in a Q ε state. We assume that Q contains in addition two special states ff and tt, called rejecting sink and accepting sink, respectively, such that ∀a ∈ Σ : δ(tt, a) = tt, δ(ff, a) = ff. The classification of ff and tt as universal or existential states is arbitrary. Transitions from states in Q ε launch copies of A that stay on the same input node as before the transition, while transitions from states in Q ∨,∧ launch copies that advance to sons of the current node. Note that for an SAPT the set D of directions of the input trees plays no role in the definition of a run. When a symmetric alternating tree automaton A runs on an input tree it starts with a copy in state q 0 at the root of the tree. It then follows δ in order to send further copies. For example, if a copy of A is in state q ∈ Q (ε,∨) , reads a node x labeled σ, and δ(q, σ) = {q 1 , q 2 }, then this copy proceeds either to state q 1 or to state q 2 , and keeps reading x. As another example, if q ∈ Q ∧ and δ(q, σ) = q 1 , then A sends a copy in state q 1 to every son of x. Note that different copies of A may read the same node of the input tree. Formally, a run of A on a Σ-labeled D-tree T, V is a (T × Q)-labeled IN-tree T r , r . A node in T r labeled by (x, q) describes a copy of A in state q that reads the node x of T . A run has to satisfy r(ε) = (ε, q 0 ) and, for all y ∈ T r with r(y) = (x, q), the following hold:
• If q ∈ Q ∧ (resp. q ∈ Q ∨ ) and δ(q, V (x)) = p, then for each son (resp. for exactly one son) x · d of x, there is a node y · i ∈ T r with r(y · i) = (x · d, p);
• If q ∈ Q (ε,∧) (resp. q ∈ Q (ε,∨) ) and δ(q, V (x)) = {p 0 ,..., p k }, then for all i ∈ {0..k} (resp. for one i ∈ {0..k}) the node y · i ∈ T r , and r(y · i) = (x, p i ).
Parity acceptance condition. A parity condition is given by means of a coloring function on the set of states. Formally, a parity condition is a function F : Q → C, where C = {C min ,..., C max } ⊂ IN is a set of colors. The size |C| of C is called the index of the automaton. For an SAPT, we also assume that the special state tt is given an even color, and ff is given an odd color. For an infinite path π ⊆ T r of a run ⟨T r , r⟩, let maxC (π) be the maximal color that appears infinitely often along π. Similarly, for a finite path π, we define maxC (π) to be the maximal color that appears at least once in π. An infinite path π ⊆ T r satisfies the acceptance condition F iff maxC (π) is even. A run ⟨T r , r⟩ is accepting iff all its infinite paths satisfy F . The automaton A accepts an input tree ⟨T, V⟩ if there is an accepting run of A on ⟨T, V⟩. The language of A, denoted L(A), is the set of Σ-labeled D-trees accepted by A. We say that an automaton A is nonempty iff L(A) ≠ ∅.
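The parity condition above is stated on the infinite paths of a run. The following Python is an added example, not code from the paper: it takes a regular run (finitely many distinct subtrees) represented as a finite graph whose nodes carry colors F(q), and decides whether all infinite paths satisfy F. It goes slightly beyond the definition by using the standard reduction for such a representation, namely that a regular run is accepting iff no reachable cycle has an odd maximal color. The graphs, node names and colors below are constructed for illustration.

```python
"""Parity acceptance over a finitely represented run (added example).

A run of an APT/SAPT is an infinite (T x Q)-labelled tree. A regular run has
finitely many distinct subtrees, so it can be stored as a finite directed
graph: nodes are the distinct labels, edges lead to the labels of the sons,
and color[v] = F(q) for a node labelled (x, q). Every infinite path of the run
is an infinite walk of the graph, every infinite walk eventually stays inside
one cycle, and maxC of that path is the maximal color on that cycle.
"""


def max_color(path, color):
    """maxC of a finite path: the maximal color appearing at least once."""
    return max(color[v] for v in path)


def max_color_inf(cycle, color):
    """maxC of the ultimately periodic path prefix . cycle^omega: the maximal
    color appearing infinitely often is the maximal color on the cycle."""
    return max_color(cycle, color)


def path_accepting(prefix, cycle, color):
    """An infinite path satisfies F iff maxC is even; the finite prefix
    contributes nothing to what appears infinitely often."""
    return max_color_inf(cycle, color) % 2 == 0


def reachable(graph, root):
    seen, todo = set(), [root]
    while todo:
        v = todo.pop()
        if v not in seen:
            seen.add(v)
            todo.extend(graph.get(v, ()))
    return seen


def on_cycle_within(graph, v, allowed):
    """Is there a cycle through v that visits only nodes in `allowed`?"""
    todo = [w for w in graph.get(v, ()) if w in allowed]
    seen = set()
    while todo:
        w = todo.pop()
        if w == v:
            return True
        if w not in seen:
            seen.add(w)
            todo.extend(u for u in graph.get(w, ()) if u in allowed)
    return False


def run_accepting(graph, color, root):
    """True iff every infinite path from root satisfies the parity condition.

    A cycle whose maximal color is an odd c lies entirely among the nodes of
    color <= c and passes through a node of color exactly c, so it suffices
    to look, for each odd c, for a cycle through a color-c node in that
    subgraph. Nodes not reachable from the root are not part of the run.
    """
    live = reachable(graph, root)
    for c in {color[v] for v in live if color[v] % 2 == 1}:
        allowed = {v for v in live if color[v] <= c}
        for v in allowed:
            if color[v] == c and on_cycle_within(graph, v, allowed):
                return False   # this cycle is seen infinitely often with odd maxC
    return True


# Constructed run graphs with an index-2 condition (as for a UPT built from
# LTL): color 1 stands for "obligation pending", color 2 for "fulfilled".
GOOD_RUN = {"root": ["pend", "tt"], "pend": ["good"], "good": ["pend"], "tt": ["tt"]}
GOOD_COLOR = {"root": 1, "pend": 1, "good": 2, "tt": 2}
# Same run, but one copy may postpone its obligation forever (pend -> pend).
BAD_RUN = {"root": ["pend", "tt"], "pend": ["pend", "good"], "good": ["pend"], "tt": ["tt"]}
BAD_COLOR = GOOD_COLOR
```

`run_accepting` is what a non-emptiness witness check needs: the finitely representable witness of Theorem 2.1's automata is exactly such a graph, and the same odd-cycle search is what an emptiness algorithm performs on the product of the automaton with a candidate regular tree.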
A wide range of temporal logics can be translated to alternating tree automata (details can be found in [36] and in Appendix A). In particular:
Theorem 2.1. [27, 36] Given a temporal-logic formula ϕ, it is possible to construct an SAPT A ϕ such that L(A ϕ ) is exactly the set of trees satisfying ϕ. In particular, we have that
• if ϕ is a µ-calculus formula, then A ϕ is an alternating parity automaton with O(|ϕ|) states and index O(|ϕ|);
• if ϕ is an LTL formula, then A ϕ is a universal parity automaton with 2^{O(|ϕ|)} states, and index 2.
For technical convenience we sometimes refer to functions (like transitions and labeling functions) as relations, and in particular, we consider ∅ to be a function with an empty domain.
Hierarchical Systems

Structures
Hierarchical structures [6] are a generalization of Kripke structures in which repeated sub-structures are specified only once. Technically, some of the states in a hierarchical structure are boxes (alternatively, superstates), in which inner hierarchical structures are nested. Formally, a hierarchical structure is a tuple S = Σ O , S 1 ,..., S n , where Σ O is a nonempty set of output letters and, for every 1 ≤ i ≤ n, we have that the substructure
has the following elements.
• W i is a finite set of states. in i ∈ W i is an initial state 2 , and Exit i ⊆ W i is a set of exit-states. States in W i \ Exit i are called internal states.
• A finite set B i of boxes. We assume that W 1 ,..., W n and B 1 ,..., B n are pairwise disjoint.
• An indexing function τ i : B i → {i + 1,..., n} that maps each box of the i-th sub-structure to a sub-structure with an index greater than i. If τ i (b) = j we say that b refers to S j .
• A nondeterministic transition relation
Thus, when the structure is at a state u ∈ W i , or at an exit e of a box b, it moves either to a state s ∈ W i , or to a box b' ∈ B i . A move to a box implicitly leads to the unique initial state of the sub-structure that this box refers to.
• A labeling function Λ i : W i → Σ O that maps states to output letters.
The sub-structure S 1 is called the top-level sub-structure of S. Thus, for example, the top-level boxes of S are the elements of B 1 , etc. We also call in 1 the initial state of S, and Exit 1 the exits of S. Note that the fact that boxes can refer only to sub-structures of a greater index implies that the nesting depth of structures is finite. In contrast, in the recursive setting such a restriction does not exist. Also note that moves from an exit e ∈ Exit i of a sub-structure S i are not specified by the transition relation R i of S i , but rather by the transition relation of the sub-structures that contain boxes that refer to S i . The exits of S allow us to use it as a sub-structure of another hierarchical structure. When we say that a hierarchical structure S = ⟨Σ O , S 1 ,..., S n ⟩ is a sub-structure of another hierarchical structure S' = ⟨Σ O , S' 1 ,..., S' n' ⟩, we mean that {S 1 ,..., S n } ⊆ {S' 2 ,..., S' n' }. The size |S i | of a sub-structure S i is the sum
The size |S| of S is the sum of the sizes of its sub-structures. We sometimes abuse notation and refer to the hierarchical structure S i which is formally the hierarchical structure Σ O , S i , S i+1 ,..., S n obtained by taking S i to be the top-level sub-structure. The special case of a hierarchical structure with a single sub-structure with no boxes and no exits is simply the classical Kripke structure, and we denote it by S = Σ O , W, in, R, Λ .
Transducers
A hierarchical transducer (alternatively, hierarchical Moore machine) can be viewed as a hierarchical structure with the addition of an input alphabet that determines which transition has to be taken from each state and box exit. Unlike hierarchical structures which are nondeterministic, a hierarchical transducer has a deterministic transition function. For ease of exposition, we also forbid internal moves from exit nodes.
Formally, a hierarchical transducer is a tuple
, where Σ O and the elements W i , B i , in i , Exit i , τ i , Λ i of each sub-transducer K i are as in a hierarchical structure, Σ I is a non-empty set of input letters, and for every 1 ≤ i ≤ n the element
is a transition function. Thus, when the transducer is at an internal state u ∈ (W i \ Exit i ), or at an exit e of a box b, and it reads an input letter σ ∈ Σ I , it moves either to a state s ∈ W i , or to a box b' ∈ B i . As for hierarchical structures, a move to a box implicitly leads to the unique initial state of the sub-transducer that this box refers to. The size |K i | of a sub-transducer K i is the sum |W i | + |B i | + |δ i |. The special case of a hierarchical transducer with a single sub-transducer with no boxes and no exits is simply the classical Moore machine, and we denote it by
Observe that in the definitions above of hierarchical structures and transducers we do not allow boxes as initial states. An alternative definition allows a box b to serve as an initial state of a sub-transducer K i , in which case the entry point to that transducer is the initial state of the subtransducer K j that b refers to. Note that this process may have to be repeated if K j itself designates a box as its entry point, but due to the hierarchical nesting of transducers this process would terminate yielding a (simple) state in at most n steps. Also note that our definition of the transition function of a hierarchical transducer does not allow an exit e ∈ Exit i to have internal outgoing edges inside the transducer K i . Indeed, if b is a box of K j that refers to K i then the transition function of K j specifies where the computation should continue when it reaches the exit e in the context of the box b. An alternative definition is to allow an exit e ∈ Exit i to have internal transitions inside K i on some letters in Σ I , and behave as an exit only with respect to the remaining letters in Σ I . More formally, one can define the transition function δ i to be a partial function
, such that for every exit e ∈ Exit i , there is at least one letter σ ∈ Σ I for which δ i (e, σ) is not defined (i.e., an exit cannot have all its transitions remain inside K i ), and for every j < i, every box b ∈ B j that refers to K i , and every σ ∈ Σ I , we have that δ j ((b, e), σ) is defined iff δ i (e, σ) is not defined. Obviously, for every state s ∈ W i \ Exit i and every σ ∈ Σ I we require that δ i (s, σ) be defined. When constructing actual transducers it is easier to use the less restrictive definitions above, and we do so along the examples. However, except for these examples, in the rest of the paper we use the more restrictive definitions given before. The reason is that we believe the reader will benefit much more from having the constructions and proofs not burdened by the extra technicalities that the more permissive definitions entail, as they are easy to add once the core idea is grasped.
Example 3.1 (Chronograph). We now give an example of a two-level hierarchical transducer modeling a chronograph with a display of 60 minutes and 60 seconds and the capability to be paused 3 . The chronograph input signals are {tic, sts, clk}. The tic signal is given once a second by an external oscillator, and is used to drive the counting; the sts signal is a "start and stop" signal and it switches the chronograph back and forth from processing to ignoring the tic signals; and the clk signal is simply the system clock signal. For simplicity, we make the (very reasonable) assumptions that the hardware is such that the system clock is orders of magnitude faster than the tic oscillator (which is derived from it), and that sts signals from the user are not generated for at least one clock cycle after a tic. We start by describing the low level component of the chronograph, which is a transducer counting from 0 to 59 seconds.
The seconds-counter transducer K sc given in Figure 1 is simply a Moore machine with 120 states that counts the number of tic signals received so far. The basic counting is handled by 60 states numbered from s 0 (which is also the initial state of the transducer) to s 59 , each of which is labeled by an output signal in {0,..., 59} encoding (in a way suitable for the seconds' display module) the number of passed seconds. For every i ∈ {0,..., 59}, the sts signal pauses/un-pauses the counter by forcing a move from a state s i to its paused counterpart p i and vice versa. This transducer makes no special use of the system clock, and thus every state has a clk self loop (which we do not draw in Figure 1). Formally, the seconds-counter transducer is the Moore machine
, and both the transition function δ and the labeling function Λ are given in Figure 1. Note that the seconds-counter transducer has no exit states since the definition of a transducer we use is geared towards describing autonomous fully-independent components which have an internal transition from every state on every possible input (which is necessarily not the case with exit states). The minutes-counter transducer K mc , given in Figure 2, is a hierarchical transducer containing 60 states and 60 boxes b 0 ,..., b 59 , all referring to the same sub-transducer K sc , which is the seconds-counter from Figure 1 with the state s 59 serving as an exit with respect to the tic signal (footnote 4). Thus, the transition inside K sc whose source is state s 59 and is labeled by tic is removed. This is done because we need to connect one structure to the following one without introducing nondeterminism. The updating of the minutes' display is handled by 60 states numbered from m 0 (which is also the initial state of the transducer) to m 59 , each of which is labeled by an output signal in Σ O = {0,..., 59} encoding the number of passed minutes. When the computation is in the state s 59 of a box b i and it receives a tic signal, it exits the box and enters the state m i+1 , which increments the minutes display. At the next system clock signal clk the computation enters box b i+1 , which resets the seconds display and starts counting seconds again. Note that, by our assumptions on the hardware, we can safely assume that while in state m i+1 there is no need to process tic and sts signals. However, for completeness, one can assume they are handled by a self loop (which we do not draw).
It is not hard to see how one can use the minutes-counter transducer as a sub-transducer of a more elaborate chronograph capable of counting up to 24 hours, and then use that as a sub-transducer for a chronograph that also counts days, etc.
Footnote 3: A natural way to build a chronograph using flip-flops and combinatorial logic is to have one counter counting from 0 to 59 seconds using a clock that ticks once a second, and another counter that counts from 0 to 59 minutes using as its clock the carry (or overflow) flag of the first counter. Thus, the input signals to the minutes counter are derived from the output signals of the seconds counter. Unfortunately, this kind of synthesis (called data flow synthesis) is known to be undecidable already for the very restricted case of LTL specifications and systems that are merely pipelines [39].
Footnote 4: The synthesis algorithm we present in this article automatically takes care of designating certain states as exits when it makes use of a library transducer with no exits (like the seconds-counter) while constructing another transducer (like the minutes-counter). Note that for this example we use a definition of hierarchical transducers that allows states to maintain their internal transitions on some input signals, and act as exits only with respect to the remaining signals.
Flat expansions
A sub-transducer without boxes is flat. A hierarchical transducer K = Σ I , Σ O , W, ∅, in, Exit, ∅, δ, Λ with a single (hence flat) sub-transducer is flat, and we denote it using the shorter notation
Every hierarchical transducer K can be transformed into an equivalent flat transducer K f (called its flat expansion) by recursively substituting each box by a copy of the sub-transducer it refers to. Since different boxes can refer to the same sub-transducer, states may appear in different contexts. In order to obtain unique names for states in the flat expansion, we prefix each copy of a sub-transducer's state by the sequence of boxes through which it is reached. Thus, a state (b 0 ,..., b k , w) of K f is a vector whose last component w is a state in ∪ n i=1 W i , and the remaining components (b 0 ,..., b k ) are boxes that describe its context. The labeling of a state (b 0 ,..., b k , w) is determined by its last component w. For simplicity, we refer to vectors of length one as elements (that is, w, rather than (w)).
Formally, given a hierarchical transducer
is indeed a state of W f i by the second item in the definition of states above.
• Finally, the labeling Λ f i is defined as follows.
is the required flat expansion K f of K. An atomic transducer is a flat transducer made up of a single node that serves as both an entry and an exit. For each letter ς ∈ Σ O there is an atomic transducer K ς = {p}, p, {p}, ∅, {(p, ς)} whose single state p is labeled by ς.
The definition of a flat expansion S f of a hierarchical structure S can be obtained by the natural modifications to the definition of the flat expansion of a transducer (see also [7]). Observe that the flat expansion S f of a hierarchical structure S is a Kripke structure, which can be unwound into a tree T S = T S , V S . We call T S the unwinding of S. Formally, T S is a Σ O -labeled W f -tree, where a node y in the tree has a son y · d for every d for which there is a transition (last(y), d) ∈ R f . The label of a node y ≠ ε is V S (y) = Λ f (last(y)), and V S (ε) = Λ f (in).
Run of a transducer
Consider a hierarchical transducer K with Exit 1 = ∅ that interacts with its environment. At point j in time, the environment provides K with an input σ j ∈ Σ I , and in response K moves to a new state, according to its transition relation, and outputs the label of that state. The result of this infinite interaction is a computation of K, called the trace of the run of K on the word σ 1 · σ 2 · · · . In the case that Exit 1 ≠ ∅, the interaction comes to a halt whenever K reaches an exit e ∈ Exit 1 , since top-level exits have no outgoing transitions. Formally, a run of a hierarchical transducer K is defined by means of its flat expansion K f . Given a finite input word v = σ 1 · · · σ m ∈ Σ * I , a run (computation) of K on v is a sequence of states r = r 0 · · · r m ∈ (W f ) * such that r 0 = in 1 , and r j = δ f (r j−1 , σ j ), for all 0 < j ≤ m. Note that since K is deterministic it has at most one run on every word, and that if Exit 1 ≠ ∅ then K may not have a run on some words. The trace of the run of K on v is the word of inputs and outputs
The notions of traces and runs are extended to infinite words in the natural way.
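As an added example (not code from the paper), the following Python models the seconds-counter K sc and the minutes-counter K mc of Example 3.1, using the relaxed exit definition from the examples (an exit loses its internal edges only on the letters on which it acts as an exit), builds the flat expansion of Section 3, and computes runs and traces on it. The class and function names (Transducer, with_exits, flat_expansion, run, trace) and the tuple naming of flat states are this example's own; the paper does not supply code.

```python
"""Hierarchical Moore transducers, flat expansion and runs (Section 3).
Added example, not the paper's code: the seconds-counter K_sc and the
minutes-counter K_mc of Example 3.1, with the relaxed exit definition used
there.  Class and function names are this example's own."""
from dataclasses import dataclass, field


@dataclass
class Transducer:
    """A hierarchical transducer; it is flat when `boxes` is empty.
    states: top-level simple states; init: initial state (never a box);
    boxes:  box name -> sub-transducer it refers to; labels: state -> output;
    delta:  (source, input) -> target, where source is a state w or a pair
            (box, exit) with exit a flat-state path inside that box, and the
            target is a state or a box name;
    exits:  exit path -> input letters on which it acts as an exit (list every
            letter to get the strict definition of Section 4.1)."""
    states: set
    init: str
    delta: dict
    labels: dict
    boxes: dict = field(default_factory=dict)
    exits: dict = field(default_factory=dict)

    def with_exits(self, exits):
        """K^E: the same transducer with E as its set of top-level exits."""
        return Transducer(self.states, self.init, self.delta, self.labels,
                          self.boxes, dict(exits))

    def flat_expansion(self, prefix=()):
        """K^f: substitute every box by a copy of its sub-transducer; a copied
        state is named by the boxes through which it is reached, then itself."""
        states, delta, labels = set(), {}, {}
        for w in self.states:
            states.add(prefix + (w,))
            labels[prefix + (w,)] = self.labels[w]      # label = last component
        for b, sub in self.boxes.items():
            f = sub.flat_expansion(prefix + (b,))
            states |= f.states
            delta.update(f.delta)
            labels.update(f.labels)
        for (src, a), tgt in self.delta.items():
            if src in self.states:
                fsrc = prefix + (src,)
            else:                                        # src == (box, exit path)
                fsrc = prefix + (src[0],) + src[1]
                # the sub-transducer must have dropped this edge, otherwise the
                # box-level edge would introduce nondeterminism
                assert (fsrc, a) not in delta, f"{src} keeps an internal edge on {a}"
            if tgt in self.states:
                ftgt = prefix + (tgt,)
            else:                                        # enter the box at its entry
                ftgt = prefix + (tgt,) + (self.boxes[tgt].init,)
            delta[(fsrc, a)] = ftgt
        for e, letters in self.exits.items():            # exits lose these edges
            for a in letters:
                delta.pop((prefix + e, a), None)
        return Transducer(states, prefix + (self.init,), delta, labels)


def run(flat, word):
    """r_0 ... r_m of a flat transducer on a finite input word, or None when an
    exit without a transition on the next letter is reached (the run halts)."""
    r = [flat.init]
    for a in word:
        nxt = flat.delta.get((r[-1], a))
        if nxt is None:
            return None
        r.append(nxt)
    return r


def trace(flat, word):
    """The (output, input) pairs of the run; the root's label is not part of it."""
    r = run(flat, word)
    return None if r is None else [(flat.labels[s], a) for s, a in zip(r[1:], word)]


def seconds_counter():
    """K_sc: 120-state Moore machine counting tic signals, pausable by sts."""
    states = {f"s{i}" for i in range(60)} | {f"p{i}" for i in range(60)}
    delta, labels = {}, {}
    for i in range(60):
        s, p = f"s{i}", f"p{i}"
        labels[s] = labels[p] = i                    # seconds shown on the display
        delta[(s, "tic")] = f"s{(i + 1) % 60}"       # count
        delta[(s, "sts")], delta[(p, "sts")] = p, s  # pause / un-pause
        delta[(p, "tic")] = p                        # paused: tic is ignored
        delta[(s, "clk")], delta[(p, "clk")] = s, p  # clk self loops
    return Transducer(states, "s0", delta, labels)


def minutes_counter(k_sc):
    """K_mc: 60 states m_i and 60 boxes b_i, all referring to K_sc^E with
    E = {s59} acting as an exit with respect to tic only."""
    sub = k_sc.with_exits({("s59",): {"tic"}})
    delta, labels = {}, {}
    for i in range(60):
        m, b = f"m{i}", f"b{i}"
        labels[m] = i                                # minutes shown on the display
        delta[(m, "clk")] = b                        # enter b_i: seconds restart at 0
        delta[(m, "tic")] = delta[(m, "sts")] = m    # assumed not to occur here
        delta[((b, ("s59",)), "tic")] = f"m{(i + 1) % 60}"  # leave b_i on the 60th tic
    return Transducer({f"m{i}" for i in range(60)}, "m0", delta, labels,
                      {f"b{i}": sub for i in range(60)})


if __name__ == "__main__":
    flat = minutes_counter(seconds_counter()).flat_expansion()
    print(len(flat.states), "flat states")           # 60 + 60 * 120
    print(trace(flat, ["clk"] + ["tic"] * 60 + ["clk", "tic"])[-3:])
```

The assertion inside flat_expansion is the check that matters in practice: it fails exactly when a box-level transition from (b, e) on σ coexists with an internal transition of e on σ, which is the nondeterminism the exit definition of Section 3 rules out. Running K sc^E alone shows the halting case of Section 3: after fifty-nine tic signals the run is at s 59 , and a sixtieth tic has no successor, so there is no run on that word, while sts and clk are still handled inside the component.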
The computations of K can be described by a computation tree whose branches correspond to the runs of K on all possible inputs, and whose labeling gives the traces of these runs. Note that the root of the tree corresponds to the empty word ε, and its labeling is not part of any trace. However, if we look at the computation tree of K as a sub-tree of a computation tree of a transducer K' of which K is a sub-transducer, then the labeling of the root of the computation tree of K is meaningful, and it corresponds to the last element in the trace of the run of K' leading to the initial state of K. Formally, given σ ∈ Σ I , the computation tree
Thus, for a node y, the labels of the nodes on the path from the root (excluding the root) to y are exactly trc(K, v). Observe that the leaves of T K,σ correspond to pairs (e, σ'), where e ∈ Exit 1 and σ' ∈ Σ I . However, if Exit 1 = ∅, then the tree has no leaves, and it represents the runs of K over all words in Σ * I . We sometimes consider a leaner computation tree
) and the label of the root is Λ f (in 1 ). Observe that for every σ ∈ Σ I , the tree T K can be obtained from T K,σ by simply deleting the first component of the directions of T K,σ , and the second component of the labels of T K,σ .
Recall that the labeling of the root of a computation tree of K is not part of any trace (when it is not a sub-tree of another tree). Hence, in the definition below, we arbitrarily fix some letter ∈ Σ I . Given a temporal logic formula ϕ over the atomic propositions AP, where 2 AP = Σ O × Σ I , we have the following:
Definition 3.1. A hierarchical transducer K = K 1 ,..., K n , with Exit 1 = ∅, satisfies a formula ϕ (written K |= ϕ) iff the tree T K, satisfies ϕ, for an arbitrary fixed letter ∈ Σ I .
Observe that given ϕ, finding a flat transducer K such that K |= ϕ is the classic synthesis problem studied (for LTL formulas) in [47] .
Hierarchical Synthesis
In this section we describe our algorithm for bottom-up synthesis of a hierarchical transducer from a library of hierarchical transducers. For our purpose, a library L is simply a finite set of hierarchical transducers with the same input and output alphabets. Formally, L = {K 1 ,..., K λ }, and for every 1 ≤ i ≤ λ, we have that
Note that a transducer in the library can be a sub-transducer of another one, or share common sub-transducers with it. The set of transducers in L that have no top-level exits is denoted by
The synthesis algorithm is provided with an initial library L 0 of hierarchical transducers. A good starting point is to include in L 0 all the atomic transducers, as well as any other relevant hierarchical transducers, for example from a standard library. Obviously, the choice of the initial library is entirely in the hands of the designer. We then proceed by synthesizing in rounds. At each round i > 0, the system designer provides a specification formula ϕ i of the currently desired hierarchical transducer K i , which is then automatically synthesized using the transducers in L i−1 as possible sub-transducers. Once a new transducer is synthesized it is added to the library, to be used in subsequent rounds. Technically, the hierarchical transducer synthesized in the last round is the output of the algorithm.
Algorithm 1: Bottom-up hierarchical synthesis
Input: An initial library L 0 , and a list of specification formulas ϕ 1 ,..., ϕ m
Output: A hierarchical transducer satisfying ϕ m
for i = 1 to m do
    synthesize K i satisfying ϕ i using the transducers in L i−1
    L i ← L i−1 ∪ {K i }
The main challenge in implementing the above bottom-up hierarchical synthesis algorithm is of course coming up with an algorithm for performing the synthesis step of a single round. As noted in Section 1, a transducer that was synthesized in a previous round has no top-level exits, which severely limits its ability to serve as a sub-transducer of another transducer. Our single-round algorithm must therefore address the problem of synthesizing exits for such transducers. In Section 4.1 we give our algorithm for single-round synthesis of a hierarchical transducer from a library of hierarchical transducers, and present the core proof of its correctness; the remaining details of this proof, which are based on a game-theoretic approach, are given in Section 5. In Section 4.2 we address the problem of enforcing modularity, and add some more information regarding the synthesis of exits. Finally, in Section 6, we address the problem of hierarchical synthesis with imperfect information.
Single-round synthesis algorithm
We now formally present the problem of hierarchical synthesis from a library (that may have transducers without top-level exits) of a single temporal logic formula. Given a transducer
=∅ , where
, and a set E ⊆ W 1 , the transducer K E is obtained from K by setting E to be the set of top-level exits, and removing all the outgoing edges from states in E. Formally,
.., K n , where the transition relation δ' 1 of K E is the restriction of δ 1 to sources in W 1 \ E. For convenience, given a transducer K ∈ L ≠∅ (one that already has top-level exits) we sometimes refer to it as K Exit1 . For every K ∈ L, we assume some fixed ordering on the top-level states of K, and given a set E ⊆ W 1 , and a state e ∈ E, we denote by idx(e, E) the relative position of e in E, according to this ordering. Given a library L, and an upper bound el ∈ IN on the number of allowed top-level exits, we let
The higher the number el, the more exits the synthesis algorithm is allowed to synthesize, and the longer it may take to run. As we show later, el should be at most polynomial in the size of ϕ. In general, we assume that el is never smaller than the number of exits in any sub-transducer of any hierarchical transducer in L. Hence, for every K E ∈ L el and every e ∈ E, we have that 1 ≤ idx(e, E) ≤ el. Definition 4.1. Given a library L and a bound el ∈ IN, we say that:
• A formula ϕ is L, el -realizable iff there is an L, el -composed hierarchical transducer K that satisfies ϕ. The L, el -synthesis problem is to find such a K.
Intuitively, an L, el -composed hierarchical transducer K is built by synthesizing its top-level sub-transducer K 1 , which specifies how to connect boxes that refer to transducers from L el . To eliminate an unnecessary level of indirection, boxes that refer to atomic transducers are replaced by regular states. Note that for each transducer K' ∈ L =∅ we can have as many as Ω(|K'|^el) copies of K' in L el , each with a different set of exit states. In Section 4.2 we show how, when we synthesize K, we can limit the number of such copies that K uses to any desired value (usually one per K').
Connectivity trees
In the classical automata-theoretic approach to synthesis [47] , synthesizing a system is reduced to the problem of finding a regular tree that is a witness to the non-emptiness of a tree automaton running on computation trees. At first glance, it looks like extending this approach to solve our hierarchical synthesis problem may not be too hard: if we can build an automaton that only accepts a computation tree if it corresponds to an L, el -composed hierarchical transducer then, by taking the product of this automaton with an automaton that only accepts models of the specification formula, our synthesis problem reduces to finding a (regular) witness to the non-emptiness of the product automaton. Unfortunately, this natural extension fails since it is impossible to construct an automaton that can detect if the computation tree specifies the moves from exits of one transducer to the entry of another transducer in a consistent way. The difficulty is that the destination to move to from an exit depends only on the exit and the next input letter, and is independent of how that exit was reached (inside the current transducer). Thus, all paths in the computation tree that reach the same exit of the current transducer must agree on the next transducer to move to (on the same input letter). Observe that such paths may have nodes that are arbitrarily far apart since they correspond to moves of the transducer on different input words. Indeed, it is not hard to come up with an example where two disjoint infinite paths must agree on infinitely many moves from exits to entrances. This infinite amount of synchronization provides very strong evidence that trying to solve the problem by adding extra annotations to the computation tree, and/or by having copies of the automaton that read different paths coordinate by carrying with them identical guesses, would also fail.
We thus solve the (single-round) hierarchical synthesis problem by reducing it to the non-emptiness problem of a tree automaton whose input is not a computation tree, but rather a system description in the form of a connectivity tree (inspired by the "control-flow" trees of [39] ), which describes how to connect library components in a way that satisfies the specification formula. Specifically, given a library L = {K 1 ,..., K λ } and a bound el ∈ IN, connectivity trees represent hierarchical transducers that are L, el -composed, in the sense that every L, el -composed hierarchical transducer induces a regular connectivity tree, and vice versa.
Formally, a connectivity tree T = T, V for L and el, is an L el -labeled complete ({1,..., el} × Σ I )-tree, where the root is labeled by an atomic transducer. Intuitively, a node x with V (x) = K E represents a top-level state q if K E is an atomic transducer, and otherwise it represents a top-level box b that refers to K E . The label of a son x · (idx(e, E), σ) specifies the destination of the transition from the exit e of b (or from a state q, if K E is atomic, in which case it has a single exit) when reading σ. Sons x · (i, σ), for which i > |E|, are ignored. Thus, a path π = (i 0 , σ 0 ) · (i 1 , σ 1 ) · · · in a connectivity tree T is called meaningful iff for every j > 0, we have that i j is not larger than the number of top-level exits of V ((i 0 , σ 0 ) · · · (i j−1 , σ j−1 )), the label of the node reached by the prefix of π of length j. A connectivity tree T = T, V is regular if there is a flat transducer M = {1,..., el} × Σ I , L el , M, m 0 , ∅, δ T , Λ T , such that T is equal to the (lean) computation tree T M .
Lemma 4.1. Every L, el -composed hierarchical transducer induces a regular connectivity tree, and every regular connectivity tree for L and el induces an L, el -composed hierarchical transducer.
Proof. For the first direction, let
We construct a flat transducer M whose computation tree T M is the required connectivity tree. The elements of M are as follows:
• M = W 1 ∪ B 1 , and m 0 = in 1 .
• If w ∈ W 1 , then for every σ ∈ Σ I , we have that δ T (w, (1, σ)) = δ 1 (w, σ), and for every 1 < i ≤ el we (arbitrarily) let δ T (w, (i, σ)) = m 0 .
• For b ∈ B 1 , let K E ∈ L el be the sub-transducer that b refers to. For every σ ∈ Σ I , if 1 ≤ i ≤ |E| then δ T (b, (i, σ)) = δ 1 ((b, e), σ), where e ∈ E is such that idx(e, E) = i; and if |E| < i ≤ el then we (arbitrarily) let δ T (b, (i, σ)) = m 0 .
• For w ∈ W 1 we have that Λ T (w) = K ς , where Λ 1 (w) = ς.
• For b ∈ B 1 we have that Λ T (b) = K E , where K E ∈ L el is the sub-transducer that b refers to.
Recall that a son y · (i, σ), of a node y in a connectivity tree T = T, V , is meaningless if i is larger than the number of exits of the transducer V (y). Hence, our choice to direct the corresponding transitions of M to the node m 0 is arbitrary and was done only for technical completeness.
For the other direction, given a regular connectivity tree T = T, V generated by the transducer M = {1,..., el} × Σ I , L el , M, m 0 , ∅, δ T , Λ T , it is not hard to see that it induces an L, el -composed hierarchical transducer K, whose top-level sub-transducer K 1 is basically a replica of M. Every node m ∈ M becomes a state of K 1 if Λ T (m) is an atomic transducer and, otherwise, it becomes a box of K 1 which refers to the top-level sub-transducer of Λ T (m). The destination of a transition from an exit e of a box m, with Λ T (m) = K E , when reading a letter σ ∈ Σ I , is given by δ T (m, (idx(e, E), σ)). If m is a state, then Λ T (m) is an atomic transducer with a single exit and thus, the destination of a transition from m when reading a letter σ ∈ Σ I , is given by δ T (m, (1, σ)). For a box b of
, and:
Note that since the root of a connectivity tree is labeled by an atomic transducer then m 0 ∈ W 1 .
• B 1 = M \ W 1 .
• The sub-transducers {K 2 ,..., K n } = ∪ b∈B 1 sub(b).
• For w ∈ W 1 , and σ ∈ Σ I , we have that δ 1 (w, σ) = δ T (w, (1, σ)).
• For b ∈ B 1 , we have that δ 1 ((b, e), σ) = δ T (b, (idx(e, E(b)), σ)), for every e ∈ E(b) and σ ∈ Σ I .
• Finally, for w ∈ W 1 we have that Λ 1 (w) = ς, where ς is such that Λ T (w) = K ς .
We now come back to the chronograph example and give a description of the connectivity tree of an extra component, the counter of hours, which is synthesized from the already described hierarchical minutes-counter transducer.
Example 4.1 (Hours-Counter Transducer). Suppose we want to synthesize an hours-counter from a library of simpler transducers, such as the minutes-counter and some atomic transducers (to be used as internal states of the desired machine). For instance, we can consider the following library L = {K mc , K 0 ,..., K 23 }, where K mc is the minutes-counter transducer presented in Example 3.1 and K 0 ,..., K 23 represent 24 "states" for the output of hour signals (for the display module) from 0 to 23, respectively. Since K mc can have as an exit the last state of its internal box b 59 , the synthesis algorithm can succeed already with the bound el on the number of exits set to 1, using K E mc ∈ L 1 , where E = {b 59 .s 59 } with respect to the tic signal (footnote 8). Now, once a reasonable specification of the right behavior of the hours-counter is given by a temporal logic formula, we can run our synthesis algorithm on L 1 , from which we may derive, as a possible outcome, the hierarchical transducer K hc depicted in Part (a) of Figure 3. Observe that all atomic transducers are depicted as classic internal states. The hours-counter transducer K hc has a structure that is very similar to that of the minutes-counter K mc . It is a hierarchical machine having 24 boxes, from b 0 to b 23 , all referring to the same sub-transducer K E mc , plus 24 states. Each box b i describes the elapsing of minutes within the (i + 1)-th hour. Note that, as we did with the minutes-counter, we can safely assume that the states K 0 ,..., K 23 do not have to process tic and sts signals. For the sake of completeness, one can assume self loops (which we do not draw in the figure) on these states for these signals. Part (b) of Figure 3 shows one path of the connectivity tree of the hours-counter transducer (for readability, we do not show the whole tree).
Each node in this path is written by giving the labelling of the node, and above it the last letter of the node's name (i.e., an input signal together with the number of the exit -which is always 1 since el = 1). For example, the root of the tree, representing the first component K 0 in the hierarchical transducer K hc , has ε as its name (since at the beginning there is no input) and its labelling is K 0 . This node has a son, called (1, clk), which represents the move from K 0 when a clk signal is received. The node (1, clk) is labelled by K E mc since it represents the box b 0 . The edge from the node (1, clk) to the son (1, clk) · (1, tic), which is labelled by K 1 , implies that when a computation reaches the exit b 59 .s 59 of K E mc and a tic signal is received, the computation moves to the state K 1 .
Footnote 8: Note that, like in the previous example, we consider a setting where boxes may also serve as exits, and only with respect to some signals.
Figure 3: (a) The hours-counter transducer K hc . (b) Part of the connectivity tree.
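To make Lemma 4.1 concrete, the following added Python (not the paper's code) builds the flat transducer M that generates the connectivity tree of the hours-counter K hc of Example 4.1 with el = 1, reads the top-level sub-transducer back off M, and checks whether a path of the tree is meaningful. The names LibEntry, TopLevel, Connectivity, to_connectivity, from_connectivity, walk and hours_counter, the state names h i standing for the atomic transducers K i , and the treatment of directions on which an exit keeps an internal edge (they are simply absent, following the relaxed exit definition of the examples) are this example's own assumptions.

```python
"""Connectivity trees and Lemma 4.1, for the hours-counter of Example 4.1.
Added example, not the paper's code; every name below is this example's own."""
from dataclasses import dataclass
from typing import Any, Dict, List, Optional, Tuple

SIGMA_I = ("tic", "sts", "clk")


@dataclass(frozen=True)
class LibEntry:
    """A library element K^E: its name, whether it is atomic, and its top-level
    exits in the fixed order defining idx(e, E) (1-based position in the tuple)."""
    name: str
    atomic: bool
    exits: Tuple[str, ...]


@dataclass
class TopLevel:
    """K_1 of an <L, el>-composed transducer: each node is a state (it refers to
    an atomic transducer) or a box; delta maps (w, σ) or ((b, e), σ) to a node."""
    init: str
    ref: Dict[str, LibEntry]
    delta: Dict[Tuple[Any, str], str]


@dataclass
class Connectivity:
    """The flat transducer M over {1..el} x Σ_I whose lean computation tree is
    the connectivity tree; its labels are library elements."""
    el: int
    m0: str
    delta: Dict[Tuple[str, Tuple[int, str]], str]
    label: Dict[str, LibEntry]


def to_connectivity(k: TopLevel, el: int) -> Connectivity:
    """First direction of Lemma 4.1.  Meaningless directions (i > |E|) are sent,
    arbitrarily, to m0.  With the relaxed exit definition of the examples an
    exit keeps its internal edge on some letters; those directions stay absent."""
    assert k.ref[k.init].atomic, "the initial node must be a state, not a box"
    delta = {}
    for m, entry in k.ref.items():
        assert len(entry.exits) <= el, f"{entry.name} has more than el exits"
        for i in range(1, el + 1):
            for a in SIGMA_I:
                if i > len(entry.exits):
                    delta[(m, (i, a))] = k.init
                    continue
                src = m if entry.atomic else (m, entry.exits[i - 1])
                if (src, a) in k.delta:
                    delta[(m, (i, a))] = k.delta[(src, a)]
    return Connectivity(el, k.init, delta, dict(k.ref))


def from_connectivity(M: Connectivity) -> TopLevel:
    """Second direction of Lemma 4.1: read K_1 back off M, dropping meaningless sons."""
    assert M.label[M.m0].atomic, "the root of a connectivity tree must be atomic"
    delta = {}
    for (m, (i, a)), tgt in M.delta.items():
        entry = M.label[m]
        if i > len(entry.exits):
            continue
        src = m if entry.atomic else (m, entry.exits[i - 1])
        delta[(src, a)] = tgt
    return TopLevel(M.m0, dict(M.label), delta)


def walk(M: Connectivity, path: List[Tuple[int, str]]) -> Optional[List[str]]:
    """Names of the labels along a path of the connectivity tree from the root,
    or None if the path is not meaningful (some i_j exceeds the number of exits
    of the node reached so far) or uses a direction that is absent."""
    node, names = M.m0, [M.label[M.m0].name]
    for i, a in path:
        if i > len(M.label[node].exits) or (node, (i, a)) not in M.delta:
            return None
        node = M.delta[(node, (i, a))]
        names.append(M.label[node].name)
    return names


def hours_counter() -> TopLevel:
    """Top level of K_hc (Example 4.1): 24 states h_i, each referring to the
    atomic transducer K_i, and 24 boxes b_i, all referring to K_mc^E with
    E = {b59.s59}, an exit with respect to tic only (hence el = 1 suffices)."""
    k_mc = LibEntry("K_mc^E", False, ("b59.s59",))
    ref, delta = {}, {}
    for i in range(24):
        h, b = f"h{i}", f"b{i}"
        ref[h] = LibEntry(f"K_{i}", True, ("p",))
        ref[b] = k_mc
        delta[(h, "clk")] = b                      # enter the minutes-counter
        delta[(h, "tic")] = delta[(h, "sts")] = h  # assumed never to occur here
        delta[((b, "b59.s59"), "tic")] = f"h{(i + 1) % 24}"  # next hour
    return TopLevel("h0", ref, delta)


if __name__ == "__main__":
    M = to_connectivity(hours_counter(), el=1)
    print(walk(M, [(1, "clk"), (1, "tic")]))      # the path of Figure 3(b)
    assert from_connectivity(M) == hours_counter()
```

The path [(1, clk), (1, tic)] is the one described in Example 4.1: from the root (K 0 ) the clk direction leads to the node representing box b 0 , labeled K E mc , and from there the tic direction leads to K 1 . Building M with el = 2 instead shows the other half of the lemma's bookkeeping: every direction (2, σ) is meaningless for this library and is sent to m 0 , and from_connectivity discards it, so the round trip still reproduces K hc exactly.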
From synthesis to automata emptiness
Given a library L = {K 1 ,..., K λ }, a bound el ∈ IN, and a temporal logic formula ϕ, our aim is to build an APT A T ϕ such that it accepts a regular connectivity tree T = T, V iff it induces a hierarchical transducer K such that K |= ϕ. Recall that by Definition 3.1 and Theorem 2.1, K |= ϕ iff T K, is accepted by the SAPT A ϕ . The basic idea is thus to have A T ϕ simulate all possible runs of A ϕ on T K, . Unfortunately, since A T ϕ has as its input not T K, , but the connectivity tree T , this is not a trivial task. In order to see how we can solve this problem, we first have to make the following observation.
Let T = T, V be a regular connectivity tree, and let K be the hierarchical transducer that it induces. Consider a node u in the computation tree T K, which corresponds to a point along a computation where K just enters a top-level box b (or state; see footnote 9). That is, last(u) = ((b, in τ1(b) ), σ). Observe that the root of T K, is such a node. Let K E be the library sub-transducer that b refers to, and note that the sub-tree T u , rooted at u, represents the traces of computations of K that start from the initial state of K E , in the context of the box b. The sub-tree prune(T u ), obtained by pruning every path in T u at the first node û, with last(û) = ((b, e), σ̂) for some e ∈ E and σ̂ ∈ Σ I (i.e., at the first point the computation reaches an exit of K E ), represents the portions of these traces that stay inside K E . Note that prune(T u ) is essentially independent of the context b in which K E appears, and is isomorphic to the computation tree T K E ,σ of K E (the isomorphism being to simply drop the component b from every letter in the name of every node in prune(T u )). Moreover, every son v (in T K, ) of such a leaf û of prune(T u ) is of the same form as u, i.e., last(v) = ((b', in τ1(b') ), σ'), where b' = δ 1 ((b, e), σ') is a top-level box (or state) of K. Indeed, once an exit of a transducer referred to by a top-level box of K is reached, a computation of K must proceed, according to the transition relation δ 1 of its top-level sub-transducer K 1 , either to a top-level state or to the entrance of another top-level box. It follows that T K, is isomorphic to a concatenation of sub-trees of the form T K E ,σ , where the transition from a leaf of one such sub-tree to the root of another is specified by the transition relation δ 1 , and is thus given explicitly by the connectivity tree T .
The last observation is the key to how A T ϕ can simulate, while reading T , all the possible runs of A ϕ on T K, . The general idea is as follows. Consider a node u of T K, such that prune(T u ) is isomorphic to T K E ,σ . A copy of A T ϕ that reads a node y of T labeled by K E can easily simulate, without consuming any input, all the portions of the runs of any copy of A ϕ that start by reading u and remain inside prune(T u ). This simulation can be done by simply constructing T K E ,σ on the fly and running A ϕ on it. For every simulated copy of A ϕ that reaches a leaf û of prune(T u ), the automaton A T ϕ sends copies of itself to the sons of y in the connectivity tree in order to continue the simulation of A ϕ on the different sub-trees of T K, rooted at sons of û. Recall that last(û) is of the form ((b, e), σ̂), that is, û represents a point in a computation of K where an exit e of a top-level box b is reached. Observe that for every input letter σ' ∈ Σ I , the node z = y · (idx(e, E), σ') in the connectivity tree represents the box b' to which K should proceed from exit e of box b when reading σ', and the label of z is the library sub-transducer to which b' refers. Thus, the simulation of a copy of A ϕ that proceeds to a son v = û · ((b', in τ1(b') ), σ') is handled by a copy of A T ϕ that is sent to the son z = y · (idx(e, E), σ').
Footnote 9: Here we think of top-level states of K as boxes that refer to atomic transducers.
Our construction of A T ϕ implements the above idea, with one important modification. In order to obtain optimal complexity in successive rounds of Algorithm 1, it is important to keep the size of A T ϕ independent of the size of the transducers in the library. Unfortunately, simulating the runs of A ϕ on T K E ,σ on the fly would require an embedding of
Recall, however, that no input is consumed by A T ϕ while running such a simulation. Hence, we can perform these simulations off-line instead, in the process of building the transition relation of A T ϕ . Obviously, this requires a way of summarizing the possibly infinite number of runs of A ϕ on T K E ,σ , which we do by employing the concept of summary functions from [8] . Let A ϕ = Σ O × Σ I , Q ϕ , q 0 ϕ , δ ϕ , F ϕ , let A q ϕ be the automaton A ϕ using q ∈ Q as an initial state, and let C be the set of colors used in the acceptance condition F ϕ . Following the above observations, we next turn our attention to the problem of how to effectively summarize the run T r , r of A q ϕ on
First, we define a total ordering ⪰ on the set of colors C by letting c ⪰ c' when c is better, from the point of view of the parity acceptance condition of A ϕ , than c'. Thus, any even color is better than all the odd colors, the larger the even color the better, and if one has to choose between two odd colors it is best to "minimize the damage" by taking the smaller odd number. Formally, c ⪰ c' if the following holds: if c' is even then c is even and c ≥ c'; and if c' is odd then either c is even, or c is also odd and c ≤ c'. For example: 4 ⪰ 2 ⪰ 0 ⪰ 1 ⪰ 3. We denote by min ⪰ the operation of taking the minimal color according to ⪰ (that is, the color that is worst for the acceptance condition) of a finite set of colors.
Consider now the run tree T r , r of A q ϕ on T K E ,σ . Note that if z ∈ T r is a leaf, then r(z) is of the form (a · (e, σ'), p) for some string a, with p ∈ Q ∨,∧ ϕ (i.e., p is not an ε-state), and e ∈ E. Indeed, if p is an ε-state then A q ϕ can proceed without consuming any input, and hence the run can be extended beyond z; similarly, if e is not an exit of K E then it has successors inside K E , and again the run can be extended beyond z. Every such leaf z represents a copy of A ϕ that is in state p and is reading a node of the computation tree of K E whose last component is (e, σ'). It turns out (and is proved in [8]) that it is not important to remember all the colors this copy of A ϕ encountered along the way to this node, but only the maximal color encountered, since a parity condition depends only on maximal colors (this ultimately hinges upon the fact that parity games are memoryless, see [8]). It is also not important to differentiate between two copies of A ϕ that have reached two different nodes y, y' of the computation tree of K E if last(y) = last(y') = (e, σ') (thus both copies are going to read the same future input sub-tree) and both copies are in the same state p and have encountered the same maximal color. Moreover, if there are two copies of A ϕ that have reached, with the same state p, two (possibly the same) nodes y, y' with last(y) = last(y') = (e, σ'), but have encountered different maximal colors c, c' where c ⪰ c', it is enough to remember the information of the copy that is "more behind" in its attempt to satisfy the acceptance condition, i.e., the copy that encountered c'. The intuitive reason is that since both copies are going to read the same input sub-tree from the same state, if the copy that has encountered a less favorable maximal color in the past is going to accept then the copy that encountered a more favorable color is bound to accept too.
To capture the above intuition, we define a function g r : E × Σ I × Q ∨,∧ ϕ → C ∪ {⊥}, called the summary function of T r , r , which summarizes this run. Given h = (e, σ', p) ∈ E × Σ I × Q ∨,∧ ϕ , if there is no leaf z ∈ T r such that r(z) is of the form (a · (e, σ'), p), then g r (h) = ⊥; otherwise, g r (h) = c, where c is the maximal color encountered by the copy of A ϕ which made the least progress towards satisfying the acceptance condition, among all copies that reach a leaf z ∈ T r of the form (a · (e, σ'), p). Formally, given h = (e, σ', p) ∈ E × Σ I × Q ∨,∧ ϕ , let paths(r, h) be the set of all the paths in T r , r that end in a leaf z ∈ T r with r(z) = (a · (e, σ'), p), for some a, and for a path π let C(π) be the set of colors of the states of A ϕ along π. Then, g r (h) = ⊥ if paths(r, h) = ∅ and otherwise, g r (h) = min ⪰ {max C(π) : π ∈ paths(r, h)}, where max C(π) is the largest color (as a number) occurring on π.
Let Sf (K E , σ, q) be the set of summary functions of the runs of A q ϕ on T K E ,σ . If T K E ,σ has no leaves, then Sf (K E , σ, q) contains only the empty summary function ∅.
Based on the ordering we defined for colors, we can define a partial order ⪰ on Sf (K E , σ, q), by letting g ⪰ g' if for every h ∈ (E × Σ I × Q ∨,∧ ϕ ) the following holds: g(h) = ⊥, or g(h) ≠ ⊥ ≠ g'(h) and g(h) ⪰ g'(h). Observe that if r and r' are two non-rejecting runs, and g r ⪰ g r' , then extending r to an accepting run on a tree that extends T K E ,σ is always not harder than extending r', either because A ϕ has fewer copies at the leaves of r, or because these copies encountered better maximal colors. Given a summary function g, we say that a run T r , r achieves g if g r ⪰ g; we say that g is feasible if there is a run T r , r that achieves it; and we say that g is relevant if it can be achieved by a memoryless run that is not rejecting (i.e., by a run that has no infinite path that does not satisfy the acceptance condition of A ϕ ). We denote by Rel(K E , σ, q) ⊆ Sf (K E , σ, q) the set of relevant summary functions. We are now ready to give a formal definition of the automaton A T ϕ . Given a library L = {K 1 ,..., K λ }, a bound el ∈ IN, and a temporal-logic formula ϕ, let A ϕ = Σ O × Σ I , Q ϕ , q 0 ϕ , δ ϕ , F ϕ , let C = {C min ,..., C max } be the colors in the acceptance condition of A ϕ , and for K E ∈ L el , let Λ E be the labeling function of the top-level sub-transducer of
× C) ∪ {q 0 }, q 0 , δ, α has the following elements.
is an atomic transducer and, otherwise, δ(q 0 , K E ) = false.
• For every (σ, q, c)
, we have δ((σ, q, c),
• α(q 0 ) = C min ; and α((σ, q, c)) = c, for every (σ, q, c)
Intuitively, A T ϕ first checks that the root of its input tree T is labeled by an atomic proposition and then proceeds to simulate all the runs of A ϕ on T K, . A copy of A T ϕ at a state (σ, q, c), that reads a node y of T labeled by K E , considers all the non-rejecting runs of A q ϕ on T K E ,σ , by looking at the set Rel(K E , σ, q) of summary functions for these runs. It then sends copies of A T ϕ to the sons of y to continue the simulation of copies of A ϕ that reach the leaves of
The logic behind the definition of δ((σ, q, c), K E ) is as follows. Since every summary function g ∈ Rel(K E , σ, q) summarizes at least one non-rejecting run, and it is enough that one such run can be extended to an accepting run of A ϕ on the remainder of T K, , we have a disjunction over all g ∈ Rel(K E , σ, q). Every (e,σ,q) ∈ g = represents one or more copies of A ϕ at state q̂ that are reading a leaf û of T K E ,σ with last(û) = (e,σ), and all these copies must accept their remainders of T K, . Hence, we have a conjunction over all (e,σ,q) ∈ g = . A copy of A ϕ that starts at the root of T K E ,σ may give rise to many copies that reach a leaf û of T K E ,σ with last(û) = (e,σ), but we only need to consider the copy which made the least progress towards satisfying the acceptance condition, as captured by g(e,σ,q). To continue the simulation of such a copy on its remainder of T K, , we send a copy of A T ϕ to a son y · (idx(e, E), σ ) of y in the connectivity tree, whose label specifies where K should go to from the exit e when reading σ , as follows. Recall that the leaf û corresponds to a node u of T K, such that last(u) = ((b, e),σ) and b is a top-level box of K that refers to K E . Also recall that every node in T K, has one son for every letter σ ∈ Σ I . Hence, a copy of A ϕ that is at state q̂ and is reading u, sends one copy in state q = δ ϕ (q, (Λ E (e),σ)) to each son of u, if q̂ ∈ Q ∧ ϕ ; and only one such copy, to one of the sons of u, if q̂ ∈ Q ∨ ϕ . This explains why is a conjunction in the first case, and is a disjunction in the second. Finally, a copy of A T ϕ that is sent to direction (idx(e, E), σ ) carries with it the color g(e,σ,q). The color assigned to q 0 is of course arbitrary.
The construction above implies the following lemma:
Proof. The core of the proof is game-theoretic. Recall that the game-based approach to model checking a flat system S with respect to a branching-time temporal logic specification ϕ reduces the model-checking problem to solving a game (called the membership game of S and A ϕ ) obtained by taking the product of S with the alternating tree automaton A ϕ [36] . In [8] , this approach was extended to hierarchical structures, and it was shown there that given a hierarchical structure S and an SAPT A, one can construct a hierarchical membership game G S,A such that Player 0 wins G S,A iff the tree obtained by unwinding S is accepted by A. In particular, when A accepts exactly all the tree models of a branching-time formula ϕ, the above holds iff S satisfies ϕ. Furthermore, it is shown in [8] that one can simplify the hierarchical membership game G S,A , by replacing boxes of the top-level arena with gadgets that are built using Player 0 summary functions, and obtain an equivalent flat game G
We now state our main theorem.
Theorem 4.1. The L, el -synthesis problem is EXPTIME-complete for a µ-calculus formula ϕ, and is 2EXPTIME-complete for an LTL formula (for el that is at most polynomial in |ϕ| for µ-calculus, or at most exponential in |ϕ| for LTL).
Proof. The lower bounds follow from the same bounds for the classical synthesis problem of flat systems [34, 49] , and the fact that it is immediately reducible to our problem if L contains all the atomic transducers. For the upper bounds, since an APT accepts some tree iff it accepts some regular tree (and A 
can be done by checking for every summary function g ∈ Sf (K E , σ, q) if it is relevant. Our proof of Lemma 4.2 also yields that, by [8] , the latter can be done in time
Observe that the set Sf (K E , σ, q) is of size (k + 1) |E| , and that the number of transducers in L el is O(λ · m el ), where m is the maximal size of any K ∈ L. It follows that for an LTL (resp. µ-calculus) formula ϕ, the automaton A T ϕ can be built in time at most polynomial in the size of the library, exponential in el, and double exponential (resp. exponential) in |ϕ|.
We now analyze the time it takes to check for the non-emptiness of A
the set Rel(η) is of size at most (k + 1) el , and thus, the size of the transition relation of A T ϕ is polynomial in |L| and |ϕ|, and exponential in el. Checking the emptiness of A T ϕ is done by first translating it to an equivalent NPT A T ϕ . By [42] , given an APT with |Q| states and index k, running on Σ-labeled D * -trees, one can build (in time polynomial in the descriptions of its input and output automata) an equivalent NPT with (|Q| · k) O(|Q|·k) states, an index O(|Q| · k), and a transition relation of size |Σ| · (|Q| · k) O(|D|·|Q|·k) . It is worth noting that this blow-up in the size of the automaton is independent of the size of the transition relation of A T ϕ . By [36, 54] , the emptiness of A T ϕ can be checked in time
2 ) (and if it is not empty, a witness is returned). Recall that |Σ| = |L el | = O(λ · m el ), and that |D| = el · |Σ I |. By substituting the values calculated above for |Q| and k, the theorem follows.
Note that when using the single-round L, el -synthesis algorithm as a sub-routine of the multiple-rounds Algorithm 1, it is conceivable that the transducer K i synthesized at iteration i will be exponential (or even double-exponential for LTL) in the size of the specification formula ϕ i . At this point it is probably best to stop the process, refine the specifications (i.e., break step i into multiple sub-steps), and try again. However, it is important to note that even if the process is continued, and K i is added to the library, the time complexity of the succeeding iterations does not deteriorate since the single-round L, el -synthesis algorithm is only polynomial in the maximal size m of any transducer in the library.
Enforcing modularity
In this section, we address two main issues that may hinder the efforts of our single-round L, el -synthesis algorithm to synthesize a succinct hierarchical transducer K.
The first issue is that of ensuring that, when possible, K indeed makes use of the more complex transducers in the library (especially transducers synthesized in previous rounds) and does not rely too heavily on the less complex, or atomic, transducers. An obvious and most effective solution to this problem is to simply not have some (or all) of the atomic transducers present in the library. The second issue is making sure that K does not have too many sub-transducers, which can happen if it uses too many copies of the same transducer K ∈ L =∅ , each with a different set of exits. We also discuss some other points of interest regarding the synthesis of exits.
We address the above issues by constructing, for each constraint we want to enforce on the synthesized transducer K, an APT A, called the constraint monitor, such that A accepts only connectivity trees that satisfy the constraint.
We then synthesize K by checking the non-emptiness of the product of A T ϕ with all the constraint monitors, instead of the single A T ϕ . Note that a nondeterministic monitor (i.e., an NPT) of exponential size can also be used, without adversely affecting the time complexity, if the product with it is taken after we translate the product of A T ϕ and the other (polynomial) APT monitors to an equivalent NPT.
A simple and effective way to enforce modularity in Algorithm 1 is that once a transducer K i is synthesized in round i, one incorporates in subsequent rounds a monitor that rejects any connectivity tree containing a node labeled by some key sub-transducers of K i . This effectively forces any transducer synthesized using a formula that refers to atomic propositions present only in K i (and its disallowed sub-transducers) to use K i , rather than rebuilding its functionality from scratch. As to other ways to enforce modularity, the question of whether one system is more modular than another, or how to construct a modular system, has received many, and often widely different, answers. Here we only discuss how certain simple modularity criteria can be easily implemented on top of our algorithm. For example, some people would argue that a function that has more than, say, 10 consecutive lines of code in which no other function is called, is not modular enough. A monitor that checks that in no path in a connectivity tree there are more than 10 consecutive nodes labeled with an atomic transducer can easily enforce such a criterion. We can even divide the transducers in the library into groups, based on how "high level" they are, and enforce lower counts on lower level groups. Essentially, every modularity criterion that can be checked by a polynomial APT, or an exponential NPT, can be used. Enforcing one context-free property can also be done, albeit with an increase in the time complexity. Other non-regular criteria may be enforced by directly modifying the non-emptiness checking algorithm instead of by using a monitor, and we reserve this for future work.
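As an added illustration of a constraint monitor (this code is not from the paper), the following Python runs a deterministic safety automaton over a finite prefix of a connectivity tree and rejects as soon as some path carries more than a bounded number of consecutive nodes from one group of transducers. With a single group `atomic` and bound 10 it is exactly the criterion described above; per-group bounds give the "lower counts on lower level groups" variant. The nested-tuple tree encoding, the `group_of` classification of labels and the sample tree are constructed assumptions of this example.

```python
# Added example: a modularity constraint monitor as a deterministic safety
# automaton run top-down over a (finite prefix of a) connectivity tree.
# Tree encoding, label grouping and sample data are constructed here.
from typing import Callable, Dict, List, Optional, Tuple

Tree = Tuple[str, Tuple['Tree', ...]]   # (node label, children)


def make_run_monitor(bounds: Dict[str, int], group_of: Callable[[str], str]):
    """Monitor state = (group of the current run of nodes, length of that run).
    Exceeding bounds[group] consecutive nodes of one group moves to 'reject'.
    bounds={'atomic': 10} is the criterion from the text; several groups with
    different bounds give the grouped variant."""
    init = (None, 0)

    def step(state, label):
        g = group_of(label)
        n = state[1] + 1 if state[0] == g else 1      # extend or restart the run
        return 'reject' if n > bounds.get(g, float('inf')) else (g, n)

    return init, step


def violating_path(monitor, tree: Tree) -> Optional[List[str]]:
    """Run the monitor down every branch; return the first root-to-node path
    on which it reaches 'reject', or None if the tree is accepted."""
    init, step = monitor

    def go(node, state, path):
        label, kids = node
        state = step(state, label)
        path = path + [label]
        if state == 'reject':
            return path
        for kid in kids:
            bad = go(kid, state, path)
            if bad is not None:
                return bad
        return None

    return go(tree, init, [])


def group_of(label: str) -> str:
    """Constructed grouping: labels 'atomic:*' are atomic transducers,
    everything else ('lib:*') is a library transducer."""
    return 'atomic' if label.startswith('atomic:') else 'library'


# Constructed connectivity-tree prefix: the left branch has three consecutive
# atomic nodes, the right branch interleaves a library transducer.
SAMPLE: Tree = ('lib:K1', (
    ('atomic:p', (('atomic:q', (('atomic:p', ()),)),)),
    ('atomic:q', (('lib:K2', (('atomic:p', ()),)),)),
))
```

A monitor built this way is a deterministic APT with `max(bounds) + 2` states, so taking its product with A T ϕ keeps the size polynomial, as the text requires.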
As for the issue of synthesized exits, recall that for each transducer K ∈ L =∅ we can have as many as Ω(|K |) el copies of K in L el , each with a different set of exit states. Obviously, we would not like the synthesized transducer K to use so many copies as sub-transducers. It is not hard to see that one can, for example, build an NPT of size O(|L el |) that guesses for every K ∈ L =∅ a single set of exits E, and accepts a connectivity tree iff the labels of all the nodes in the tree agree with the guessed exits. Note that after the end of the current round of synthesis, we may choose to add K E to the library (in addition to, or instead of, K ). Another point to note about the synthesis of exits is that while a transducer K surely satisfies the formula ϕ i it was synthesized for, K E may not. Consider for example a transducer K which is simply a single state, labeled with p, with a self loop. If we remove the loop and turn this state into an exit, it will no longer satisfy ϕ i = p ∧ Xp or ϕ i = Gp. Now, depending on one's point of view, this may be either an advantage (more flexibility) or a disadvantage (loss of original intent). We believe that this is mostly an advantage; however, if it is considered a disadvantage, a few possible solutions come to mind. First, if for example ϕ i = Gp, one may wish for K to remain without exits and enforce E = ∅. Another option, for example if ϕ i = p ∧ Xp, is to synthesize in round i a modified formula like ϕ i = p ∧ ¬exit ∧ X(p ∧ exit), with the thought of exits in mind. Yet another option is to add, at iterations after i, a monitor that checks that if K E is the label of a node in the connectivity tree then ϕ i is satisfied.
The monitor can check that ϕ i is satisfied inside K E , in which case the monitor is a single-state automaton that only accepts if E is such that K E |= ϕ i (possibly using semantics over truncated paths [25] ); alternatively, the monitor can check that ϕ i is satisfied in the currently synthesized connectivity tree, starting from the node labeled by K E , in which case the monitor is based on A T ϕi .
Hierarchical Games and the Proof of Lemma 4.2
We now give the details of the proof of Lemma 4.2, which makes heavy use of hierarchical two-player parity games. We start by providing some necessary definitions and constructs. Additional information regarding these constructs can be found in [8] .
The product of a transducer and a Kripke structure
Given a hierarchical transducer K = Σ I , Σ O , K 1 ,..., K n , whose input alphabet Σ I is the output alphabet of a Kripke structure S = Σ I , W, in, R, Λ , we can build a hierarchical structure K ⊗ S by taking the product of K and S. The hierarchical structure K ⊗ S has a sub-structure K i,q for every 2 ≤ i ≤ n and every state q ∈ W , which is essentially the product of the sub-transducer K i with S, where the initial state of K i is paired with the state q of S. For i = 1, we need only the sub-structure K 1,in . The hierarchical order of the sub-structures is consistent with the one in K. Thus, the sub-structure K i,q can be referred to by boxes of a sub-structure K j,p only if i > j. Let
• For (u, w) ∈ W i × W , we have that ((u, w), (v, w ) ) ∈ R i,q iff (w, w ) ∈ R and δ i (u, Λ(w )) = v.
• For (b, w) ∈ B i × W , and an exit (e, w ) ∈ Exit τi(b) × W of it, we have that ((b, w) , (e, w )), (v, w ) ∈ R i,q iff (w , w ) ∈ R and δ i ((b, e), Λ(w )) = v.
• For (u, w) ∈ W i × W , we have that
Given σ ∈ Σ I , consider the Kripke structure S σ = Σ I , Σ I , σ, Σ I × Σ I , Σ I × Σ I , that has one state for every letter in Σ I (labeled by that letter), its initial state is σ, and it has a transition from every letter to every letter. Then, it is easy to see that the following holds.
Lemma 5.1. Given a hierarchical transducer K, and a letter σ ∈ Σ I , the computation tree T K,σ can be obtained by unwinding the hierarchical structure K ⊗ S σ .
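As an added example that is not part of the paper, the following Python checks Lemma 5.1 for the one-level (flat) case: a small transducer is turned into its computation tree directly, and the same tree is obtained by unwinding the product with S σ built from the rules listed above (one product state per pair (u, w), an edge iff (w, w') ∈ R and δ(u, Λ(w')) = v). The transducer `TOGGLE`, the (input, output) node labels and the nested-tuple tree encoding are this example's own assumptions.

```python
# Added example: Lemma 5.1 at the flat level. T_{K,σ} built directly equals
# the unwinding of K ⊗ S_σ. All data below are constructed for the example.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Transducer:                       # flat (one-level) transducer
    init: str
    delta: Dict[Tuple[str, str], str]   # δ: (state, input letter) -> state
    out: Dict[str, str]                 # output labelling of states (Σ_O)
    inputs: Tuple[str, ...]             # Σ_I


@dataclass
class Kripke:
    init: object
    edges: set                          # R
    label: dict                         # Λ


def s_sigma(inputs, sigma):
    """S_σ: one state per letter of Σ_I, labelled by that letter, initial
    state σ, and a transition from every letter to every letter."""
    return Kripke(sigma, {(a, b) for a in inputs for b in inputs}, {a: a for a in inputs})


def product(K, S):
    """K ⊗ S: states (u, w); ((u, w), (v, w')) is an edge iff (w, w') ∈ R_S
    and δ(u, Λ(w')) = v. A product state is labelled by (input, output)."""
    states = {(u, w) for u in K.out for w in S.label}
    edges = {((u, w), (K.delta[(u, S.label[w2])], w2))
             for (u, w) in states for (w1, w2) in S.edges if w1 == w}
    return Kripke((K.init, S.init), edges,
                  {(u, w): (S.label[w], K.out[u]) for (u, w) in states})


def unwind(S, depth):
    """Unwinding of S from its initial state, cut at `depth`, as nested
    (label, children) tuples. Children are ordered by label, which is
    unambiguous for K ⊗ S_σ since siblings differ in their input letter."""
    def go(w, d):
        kids = sorted((w2 for (w1, w2) in S.edges if w1 == w),
                      key=lambda x: S.label[x]) if d else []
        return (S.label[w], tuple(go(w2, d - 1) for w2 in kids))
    return go(S.init, depth)


def computation_tree(K, sigma, depth):
    """T_{K,σ} built directly: the root is the initial state reading σ, and
    every node has one child per letter of Σ_I (branching degree |Σ_I|)."""
    def go(u, a, d):
        kids = tuple(go(K.delta[(u, b)], b, d - 1) for b in sorted(K.inputs)) if d else ()
        return ((a, K.out[u]), kids)
    return go(K.init, sigma, depth)


# Constructed transducer: outputs x in s0 and y in s1; letter b toggles the state.
TOGGLE = Transducer('s0', {('s0', 'a'): 's0', ('s0', 'b'): 's1',
                           ('s1', 'a'): 's1', ('s1', 'b'): 's0'},
                    {'s0': 'x', 's1': 'y'}, ('a', 'b'))


def trees_agree(K, sigma, depth):
    """Lemma 5.1 for a flat K, checked on the finite prefix of depth `depth`."""
    return computation_tree(K, sigma, depth) == unwind(product(K, s_sigma(K.inputs, sigma)), depth)


def leaves(tree):
    label, kids = tree
    return 1 if not kids else sum(leaves(k) for k in kids)
```

The direct construction and the product agree at every depth because S σ contributes exactly one successor per input letter, which is the |Σ I |-branching the computation tree needs; for hierarchical K the lemma adds the sub-structures K i,q on top of the same idea.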
Hierarchical membership games
A hierarchical two-player game [8] is a game played between two players, referred to as Player 0 and Player 1. The game is defined by means of a hierarchical arena and a winning condition. The players move a token along the hierarchical arena, and the winning condition specifies the objectives of the players as to the sequence of states traversed by the token. A hierarchical arena is a hierarchical structure with an empty output alphabet, in which the state space of each of the underlying sub-structures is partitioned into states belonging to Player 0 and states belonging to Player 1. When the token is in a state belonging to one of the players, it chooses a successor to which the token is moved. We refer to the underlying substructures as sub-arenas. Formally, a hierarchical two-player game is a pair G = (V, Γ), where V = V 1 ,..., V n is a hierarchical arena, and Γ is a winning condition. For every 1 ≤ i ≤ n, the sub-arena
Given a hierarchical structure S = Σ, S 1 ,..., S n and an SAPT A = Σ, Q, q 0 , δ, F , the hierarchical two-player game G S,A = (V, Γ) for S and A is defined as follows. The hierarchical arena V has a sub-arena V i,q for every 2 ≤ i ≤ n and state q ∈ Q, which is essentially the product of the structure S i with A, where the initial state of S i is paired with the state q of A. For i = 1, we need only the sub-arena V 1,q0 . The hierarchical order of the sub-arenas is consistent with the one in S. Thus, the sub-arena V i,q can be referred to by boxes of sub-arena V j,p only if i > j. Let
, and Exit i,q = Exit i × Q ∨,∧ .
• B i,q = B i × Q, and τ i,q (b, q) = (τ i (b), q).
• For a state u = (w,q) ∈ W i × Q, if q̂ ∈ Q ε and δ(q, Λ i (w)) = {p 0 ,..., p k }, then (u, v) ∈ R i,q iff v ∈ {(w, p 0 ),..., (w, p k )}; and if q̂ ∈ Q ∨,∧ , then (u, v) ∈ R i,q iff v = (w , δ(q, Λ i (w))) and (w, w ) ∈ R i .
• For (b, p) ∈ B i × Q, and an exit (e,q) ∈ Exit τ i (b) × Q ∨,∧ of this box, we have that (((b, p) , (e,q)), v) ∈ R i,q iff v = (w , δ(q, Λ i (e))) and ((b, e), w ) ∈ R i .
The winning condition of the game G S,A is induced by the acceptance condition of A. Thus, for each state (w, q) of a sub-arena V i,q , we have that Γ(w, q) = F (q). For the formal definition of plays, strategies, etc., please see [8] . It is important to note that, as is the case for flat membership games, a Player 0 strategy for G S,A corresponds to a run of A on the unwinding of S, a memoryless Player 0 strategy corresponds to a memoryless run, and a winning Player 0 strategy corresponds to an accepting run. Furthermore, a Player 0 strategy for a sub-arena V i,q corresponds to a run of A, starting in state q, on the unwinding of the sub-structure S i .
Theorem 5.1. [8] Given a hierarchical structure S and an SAPT A, we have that A accepts the unwinding T S of S iff Player 0 has a winning strategy in the hierarchical game G S,A .
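The following Python is an added example (not code from the paper or from [8]) of the membership game for a flat Kripke structure: the arena is built with the product rules listed above (ε-states branch over δ(q, Λ(w)) without moving in S, ∨/∧-states move along R, Player 0 owns the ∨-type nodes, colours come from F), and it is solved with Zielonka's recursive algorithm so that Theorem 5.1 can be exercised at the flat level. The two small SAPTs (for AG p and EF p), the Kripke structures, and the max-parity reading of the colours (largest colour seen infinitely often decides, even wins for Player 0) are assumptions of this example.

```python
# Added example: flat membership game G_{S,A} of a Kripke structure S and an
# SAPT A, built with the product rules of the text and solved by Zielonka's
# algorithm. Colours are read as max-parity with even winning for Player 0.
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set, Tuple

Label = FrozenSet[str]


@dataclass
class Kripke:
    states: Set[str]
    edges: Set[Tuple[str, str]]   # R; assumed total (every state has a successor)
    label: Dict[str, Label]       # Λ: state -> set of atomic propositions


@dataclass
class SAPT:
    kind: Dict[str, str]          # 'eps_or' | 'eps_and' | 'or' | 'and'
    delta: Callable[[str, Label], object]   # ε-states: a set of states; ∨/∧-states: one state
    color: Dict[str, int]         # F: parity colour of each state
    init: str


def membership_arena(S: Kripke, A: SAPT):
    """Nodes (w, q) with owner, successors and colour: an ε-state branches over
    δ(q, Λ(w)) staying at w; a ∨/∧-state moves along R to (w', δ(q, Λ(w)))."""
    nodes, owner, succ, colour = set(), {}, {}, {}
    for w in S.states:
        for q in A.kind:
            v = (w, q)
            nodes.add(v)
            owner[v] = 0 if A.kind[q] in ('eps_or', 'or') else 1
            colour[v] = A.color[q]
            if A.kind[q].startswith('eps'):
                succ[v] = {(w, p) for p in A.delta(q, S.label[w])}
            else:
                p = A.delta(q, S.label[w])
                succ[v] = {(w2, p) for (w1, w2) in S.edges if w1 == w}
    return nodes, owner, succ, colour


def attractor(nodes, owner, succ, target, player):
    """Nodes from which `player` can force a visit to `target` within `nodes`."""
    attr = set(target)
    changed = True
    while changed:
        changed = False
        for v in nodes - attr:
            s = succ[v] & nodes
            if (owner[v] == player and s & attr) or (owner[v] != player and s and s <= attr):
                attr.add(v)
                changed = True
    return attr


def zielonka(nodes, owner, succ, colour):
    """Winning regions (W0, W1) of a max-parity game, even colours for Player 0."""
    if not nodes:
        return set(), set()
    d = max(colour[v] for v in nodes)
    p = d % 2                                    # player favoured by the top colour
    top = {v for v in nodes if colour[v] == d}
    W = zielonka(nodes - attractor(nodes, owner, succ, top, p), owner, succ, colour)
    if not W[1 - p]:                             # opponent wins nowhere in the rest
        return (nodes, set()) if p == 0 else (set(), nodes)
    B = attractor(nodes, owner, succ, W[1 - p], 1 - p)
    W2 = zielonka(nodes - B, owner, succ, colour)
    res = [set(), set()]
    res[p], res[1 - p] = W2[p], W2[1 - p] | B
    return res[0], res[1]


def player0_wins(S: Kripke, A: SAPT, w0: str) -> bool:
    """True iff Player 0 wins G_{S,A} from (w0, q0), i.e. (Theorem 5.1, flat
    case) iff A accepts the unwinding of S from w0."""
    nodes, owner, succ, colour = membership_arena(S, A)
    W0, _ = zielonka(nodes, owner, succ, colour)
    return (w0, A.init) in W0


def ag_p() -> SAPT:
    """Constructed SAPT for AG p: every reachable state must carry p."""
    def delta(q, lab):
        if q == 'q0':
            return {'step'} if 'p' in lab else {'bad'}
        if q == 'bad':
            return {'bad'}             # rejecting sink (odd colour)
        return 'q0'                    # 'step' sends a copy to every successor
    return SAPT({'q0': 'eps_and', 'step': 'and', 'bad': 'eps_and'}, delta,
                {'q0': 0, 'step': 0, 'bad': 1}, 'q0')


def ef_p() -> SAPT:
    """Constructed SAPT for EF p: some path reaches a state carrying p."""
    def delta(q, lab):
        if q == 'q0':
            return {'good'} if 'p' in lab else {'step'}
        if q == 'good':
            return {'good'}            # accepting sink (even colour)
        return 'q0'                    # 'step' picks one successor
    return SAPT({'q0': 'eps_or', 'step': 'or', 'good': 'eps_or'}, delta,
                {'q0': 1, 'step': 1, 'good': 0}, 'q0')


P, NONE = frozenset({'p'}), frozenset()
ALL_P = Kripke({'a', 'b'}, {('a', 'b'), ('b', 'a'), ('b', 'b')}, {'a': P, 'b': P})
MIXED = Kripke({'a', 'b'}, {('a', 'b'), ('b', 'b')}, {'a': P, 'b': NONE})
```

The Player 0 winning region is exactly the set of product nodes from which a (memoryless) accepting run of A can be started, which is the correspondence between strategies and runs stated above; the hierarchical version of [8] replaces the boxes of the top-level arena by gadgets built from the summary functions of such sub-games instead of expanding them.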
We now have all the definitions necessary to construct the membership games G s K⊗S ,Aϕ , and
Given a library L of hierarchical transducers with input and output alphabets Σ I and Σ O , and a bound el ∈ IN, let T = T, V be a regular connectivity tree, let
be a flat transducer such that T is equal to the (lean) computation tree T M , and let K = Σ I , Σ O , K 1 ,..., K n be the hierarchical transducer induced by it. Recall that for every b ∈ M , we denote by E(b) the set of top-level exits of Λ T (b). For the purpose of this proof, it is much more convenient to consider a slightly different version of the induced hierarchical transducer K, where the top level sub-transducer K 1 contains only boxes and no states. That is, we replace every top-level state w, with a box that refers to the atomic transducer K ς , where ς is such that Λ T (w) = ς. We also relax the definition of hierarchical transducers (as well as hierarchical structures and arenas) to allow the top-level initial state to be not a state but a box. Formally, K 1 = ∅, M, m 0 , τ 1 , δ 1 , ∅ , where:
• For b ∈ M , we have that τ 1 (b) = i, where i is such that K i is the top-level sub-transducer of Λ T (b).
• For b ∈ M , we have for every e ∈ E(b), and every σ ∈ Σ I , that
It is easy to see that the difference between the version of K with top-level states, and the modified version without them, is mainly syntactic. Thus, for example, the two versions have isomorphic flat expansions and computation trees, and Lemma 5.1 also holds if K has no top-level states. Also, note that since the set of directions of the input trees of an SAPT plays no role in the definition of its run, the computation trees of these two versions of K are indistinguishable by any SAPT. Finally, one can easily verify that Theorem 5.1 remains valid also if the hierarchical structure S has no top-level states.
By Lemma 5.1, the computation tree T K, can be obtained by unwinding the hierarchical structure K ⊗ S . By definition, K ⊗ S has a sub-structure K i,σ , for every 2 ≤ i ≤ n and every σ ∈ Σ I , which is the product of K i with S σ , plus a top-level sub-structure
, where:
, where i is such that K i is the top-level sub-transducer of Λ T (b).
• For (b, σ) ∈ M × Σ I , and an exit (e,σ) ∈ Exit τ1(b) × Σ I of this box, we have that
Given a temporal logic formula ϕ, by Definition 3.1 and Theorem 2.1, K |= ϕ iff T K, is accepted by the SAPT A ϕ . Hence, by Theorem 5.1, K |= ϕ iff Player 0 has a winning strategy in the hierarchical membership game G K⊗S ,Aϕ of K ⊗ S and A ϕ . Let
• For (b, σ, q) ∈ M × Σ I × Q ϕ , we have that τ̌ (b, σ, q) = (i, σ, q), where i is such that K i is the top-level sub-transducer of Λ T (b).
• For a box (b, σ, q) ∈ M × Σ I × Q ϕ , let Λ T (b) = K E , and let Λ E be the labeling function of the top-level subtransducer of K E . Given an exit (e,σ,q) ∈ E×Σ I ×Q (ε,∨) ϕ of this box, we have that ((b, σ, q), (e,σ,q)), (b , σ , q ) ∈ Ř iff q = δ ϕ (q, (Λ E (e),σ)) and δ T (b, (idx(e, E), σ )) = b .
In [8] , in order to solve a hierarchical game, one simplifies it, turning it into an equivalent flat game, by replacing every box of the top-level sub-arena with a gadget that is a 3-level DAG. We briefly recall below the structure of these gadgets, and describe the result of the simplification of the membership game G K⊗S ,Aϕ . Let β = (b, σ, q) be a box of V 1, ,q 0 ϕ , let V i,σ,q be the sub-arena that it refers to, let Λ T (b) = K E , and let Rel(K E , σ, q) be the set of all relevant summary functions 11 of the runs of A q ϕ on T K E ,σ . A gadget H (K E ,σ,q) contains all the nodes reachable from the root p of the following 3-level DAG structure:
• The set of nodes of
• The set of edges is g∈Rel(
• A node (e, σ, q , c)
is colored by c. These are the only colored nodes.
The simplification of V 1, ,q 0 ϕ is performed by replacing every box β = (b, σ, q) with a copy of the gadget H (Λ T (b),σ,q) . To prevent name clashes between copies of the same gadget, we let H β be a copy of H (Λ T (b),σ,q) with all nodes renamed by superscripting them with β. A box β is substituted with H β by replacing every transition that enters β with a transition that enters the root p β of H β , and replacing every transition that exits β through an exit (e, σ, q ) with one transition, going out of every leaf of the form (e, σ, q , c) that is present in H β . Applying this simplification to V 1, ,q 0 ϕ , we obtain the flat game G
s , and Γ s are as follows:
• in s = p (m0, ,q 0 ϕ ) .
• For every β = (b, σ, q) ∈ (M × Σ I × Q ϕ ), with Λ T (b) = K E , the following transitions are in R s :
-Let Λ E be the labeling function of the top-level sub-transducer of K E . For every node (e,σ,q, c) β of H β , and every β = (b , σ , q ) ∈ (M × Σ I × Q ϕ ), we have that the transition ((e,σ,q, c)
• For every β ∈ M × Σ I × Q ϕ , and every node w = (e, σ , q , c) β of H β , we have that Γ s (w) = c. All the other nodes 12 are colored by C min .
11 In [8] , summary functions were defined in terms of Player 0 strategies. For the special case of the membership game we consider, Player 0 strategies correspond to runs of A ϕ , and the definition of summary functions given in [8] coincides with the one given in Section 4.1.2.
12 In [8] , these nodes were left uncolored. However, since there is no cycle that goes only through uncolored nodes, coloring such nodes with C min does not change anything.
The Membership Game
We now turn our attention to constructing the membership game
be a flat transducer such that T is equal to the (lean) computation tree T M . It is not hard to see that T can be obtained by unwinding the following Kripke structure K T = L el , W, in, R, Λ , where:
• W = M × {1,..., el} × Σ I , and in = (m 0 , 1, ).
Observe that since the transitions of A 
we direct the transition from s, when reading K E , to the entry node of a 3-level DAG gadget H (K E ,σ,q) that unfolds δ((σ, q, c),
is not dependent on the color c, the gadget only depends on σ, q and K E . We use the same notation for naming these gadgets as for the gadgets used in the simplification of the game G K⊗S ,Aϕ , for the simple reason that they are exactly the same gadgets. In fact, the transition relation of A T ϕ is defined the way it is precisely because unfolding it gives these gadgets. Note that resolving the outermost disjunction and conjunction of δ((σ, q, c), K E ) amounts to choosing some g ∈ Rel(K E , σ, q), and some (e, σ , q ) ∈ (E × Σ I × Q ∨,∧ ϕ ), and that once g is chosen, the only leaf of the form (e,σ,q, c) that is reachable from g is such that c = g(e,σ,q). Hence, H (K E ,σ,q) faithfully represents the unfolding of δ((σ, q, c), K E ) even though its leaves include the extra component c. Also, note that since the gadgets are used simply to unfold the transition relation, only the moves going out of their leaves are not ε-moves and correspond to real moves on the input tree. Before we formally describe Ã T ϕ , observe that even though every gadget H (K E ,σ,q) is used only once in Ã T ϕ , the names of nodes are not unique across different gadgets. Hence, to get unique names, for every η ∈ L el × Σ I × Q ϕ we subscript the names of nodes in H η with η. Formally, Ã T ϕ = L el , Q, q 0 , δ̃, F̃ , where:
• Since certain states are only reachable via ε-moves, where the input does not change, δ̃ is a partial function which is defined only for s ∈ Q and K E ∈ L el for which it is possible to reach s when the current input is K E . Thus: σ) ), c))}, where Λ E is the labeling function of the top-level sub-transducer of K E .
• Finally, for every s ∈ Q, if s = (e,σ,q, c)
Note that since states in (Σ I × Q ∨,∧ ϕ × C) ∪ {q 0 } (i.e., the original states of A T ϕ ) have a single successor per input, their classification as (ε, ∨) states, and not as (ε, ∧) states, is arbitrary. Also, note that since Lemma 4.2, which we are trying to prove, only concerns connectivity trees, we do not care how Ã σ,q) ). Thus, we can simply eliminate the node (w, s) and direct every incoming transition directly to its single successor. Note that since all of the predecessors of (w, s) have the same color c as (w, s), skipping it does not affect the winning condition. For similar reasons, the initial node ((m 0 , 1, ), q 0 ) of the arena can be replaced by its successor ((m 0 , 1, ) , p (Λ T (m0), ,q 0 ϕ ) ). Formally, after removing the above redundancies, we have that
• For every w = (b, i,σ) ∈ M ×{1,..., el}×Σ I , with Λ T (b) = K E , and every η = (K E , σ, q) ∈ {K E }×Σ I ×Q ϕ , the following transitions are in R̃:
E be the labeling function of the top-level sub-transducer of K E . For every node (e,σ,q, c) η of H η , and every σ ∈ Σ I , we have that the transition (w, (e,σ,q, , E) , σ )), and i = idx(e, E), and η = (Λ T (b ), σ , δ ϕ (q, (Λ E (e),σ))).
• Finally, for every w ∈ M × {1,..., el} × Σ I , for every η ∈ (L el × Σ I × Q ϕ ), and every s = (e, σ , q , c) η of H η , we have that Γ̃(w, s) = c. All the other nodes are colored by C min .
Observe that for every w = (b, i,σ) ∈ M × {1,..., el} × Σ I , and every η = (K E , σ, q) ∈ (L el × Σ I × Q ϕ ), by the third item in the definition of R̃, the only nodes of the form (w, p η ) that have incoming edges are such that
By the first and second items in the definition of R̃ this property propagates, and we get that for every s η ∈ H η (be it the root, a summary function node, or a leaf) the node (w, s η ) has incoming edges only
We can thus delete all the nodes (w, s η ) in Ṽ for which the above connections between w and η do not exist, since they are not reachable. Also, note that the transitions going out of a node (w, s η ) of Ṽ, where w = (b, i, σ) ∈ M × {1,..., el} × Σ I , are completely independent of i, and that the classification of (w, s η ) as a Player 0 or a Player 1 node is also independent of i. Thus, we can safely merge all nodes that differ only in their {1,..., el} component into a single node by dropping the {1,..., el} component.
After deleting the unreachable nodes mentioned above, and dropping the {1,..., el} component, we get that for every β = (b, σ, q) ∈ M × Σ I × Q ϕ , and every state s η ∈ H (Λ T (b),σ,q) , there is exactly one node left in Ṽ that corresponds to β and s η , that is, the node ((b, σ), s η ). By mapping every such node ((b, σ), s η ) of Ṽ, to the node s β of the arena V s of the game G
Incomplete Information
A natural setting that was considered in the synthesis literature is that of incomplete information [34, 35] . For example, in a distributed system, it is common that one processor cannot see the local variables of another processor, and only has access to the shared global variables. In the incomplete information setting, in addition to the set of input signals I that the system can read, the environment also has internal signals H that the system cannot read, and one should synthesize a system whose behavior depends only on the readable signals, but satisfies a specification which refers also to the unreadable signals. It is important to note that all signals, both I and H, are visible to the synthesis algorithm, but that the signals in H are not visible to the synthesized program when it runs. More formally, the specification temporal logic formula is given with respect to the alphabet Σ I = 2 I∪H (instead of just 2 I as in the complete information setting), and the synthesized system can be viewed as a strategy P : (2 I ) * → Σ O that maps a finite sequence of sets of the visible input signals (i.e., the visible part of the history of the actions of the environment so far) into a set of current output signals. In other words, the behavior of the synthesized system must be the same given two histories that differ only in their H components because they are indistinguishable by the system due to its incomplete information. As for the complete information setting, when P interacts with an environment that generates infinite input sequences, it associates with each input sequence an infinite computation over Σ I ∪ Σ O , and it induces a computation tree. This tree has a fixed branching degree |Σ I |, and it embodies all the possible inputs (and hence also computations) of P . 
Realizability of a temporal specification ϕ over Σ I is the problem of determining whether there exists a system P whose computation tree satisfies ϕ, and synthesis amounts to finding such a P . Given this high similarity between the complete and incomplete information settings, it may seem that adapting a synthesis algorithm designed for the complete information setting to the incomplete setting should be easy. Unfortunately, this has not been the case for the traditional synthesis algorithms for branching time logics. To appreciate the difficulty, recall that the traditional synthesis algorithms work by constructing an appropriate computation tree automaton that accepts computation trees that satisfy the specification formula. A finitely-representable witness to the non-emptiness of this automaton is the desired system. Observe that a computation tree has a fixed branching degree |Σ I |, and it is labeled by letters in Σ I × Σ O . In the complete information setting, there are no restrictions placed on the Σ O components of the labeling. A node y labeled by (σ i , σ o ) is taken to mean that given the history of input signals represented by y, the system represented by this computation tree would output σ o . However, in the incomplete information setting not every labeling of a computation tree represents a legal system: we must add the restriction that two nodes y, y in the tree that differ only in their hidden (i.e., H) signals (recall that now Σ I = 2 I∪H ) must have the same labeling! Indeed, since as far as the system can see these two nodes are indistinguishable, it must produce the same output in both cases. Thus, computation trees that do not satisfy this additional restriction do not represent a legal system, and should be rejected by the computation tree automaton. The problem is that this restriction is not regular, in the sense that a finite tree automaton cannot check that a computation tree satisfies it.
Hence, the computation tree automaton developed for the complete information setting cannot be easily adapted to reject trees that violate the restriction imposed by the incomplete information setting. See [9, 10, 11] for a related discussion on recursive (formally, pushdown) systems with incomplete information.
As we noted before, the hierarchical synthesis problem studied in this article presents difficulties that prevent us from using the computation tree automaton approach. Recall that the automaton at the heart of our single-round synthesis algorithm does not run on computation trees, but rather on connectivity trees. Therefore, in our case the similarities between the complete and incomplete information settings can be used to their fullest, as we can easily move from complete to incomplete information with almost no work. In other words, our machinery is powerful enough to handle incomplete information with only slight changes to the overall algorithm. Indeed, the simple required modifications are the following:
• In the definition of the problem, let Σ I = 2 I∪H (instead of Σ I = 2 I ).
• Define the connectivity trees to be L el -labeled complete ({1,..., el} × 2 I )-trees (instead of ({1,..., el} × Σ I )-trees). This ensures that the synthesized transducer behaves in the same way on input letters that differ only in their hidden components.
• As a result of the above change in the definition of connectivity trees, the expression σ ∈ Σ I in the transition function of A T ϕ should be changed to σ ∈ 2 I .
All the proofs remain valid with the natural changes resulting from the above. Thus, our algorithm also solves, with the same complexity, the hierarchical synthesis problem with incomplete information, and we have:
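The restriction discussed above (nodes of the computation tree that differ only in their $H$ components must carry the same output) and the remedy of ranging the connectivity trees over $2^I$ rather than $\Sigma_I$ can both be made concrete on a toy instance. The following is an added example, not code from the paper; the signal sets, the two candidate strategies and the bounded-depth checker are constructed for illustration. A strategy defined on $2^I$-histories and lifted to $\Sigma_I$-histories through the projection that erases $H$ satisfies the restriction by construction, whereas a labeling that consults a hidden signal is caught by the checker at the first depth where two indistinguishable nodes disagree.

```python
from itertools import product

# Constructed signal sets (not from the paper): I is visible to the system,
# H is supplied by the environment but hidden from the system, O is the output.
I_SIGNALS = ("req",)
H_SIGNALS = ("secret",)
O_SIGNALS = ("grant",)

def alphabet(signals):
    """The letters of 2^signals, each letter being the frozenset of signals that are on."""
    return [frozenset(s for s, on in zip(signals, bits) if on)
            for bits in product((0, 1), repeat=len(signals))]

SIGMA_I = alphabet(I_SIGNALS + H_SIGNALS)   # Sigma_I = 2^{I u H}, the full input alphabet
VISIBLE = alphabet(I_SIGNALS)               # 2^I, the alphabet the connectivity trees range over

def project(sigma):
    """Erase the hidden components of an input letter: 2^{I u H} -> 2^I."""
    return frozenset(s for s in sigma if s in I_SIGNALS)

def lift(visible_strategy):
    """Turn a strategy on 2^I-histories into a strategy on Sigma_I-histories.
    The result can only depend on the visible projection, so it satisfies the
    restriction by construction; this mirrors the switch of the connectivity
    trees from Sigma_I to 2^I."""
    return lambda history: visible_strategy(tuple(project(s) for s in history))

def grant_after_request(visible_history):
    """A legal system, defined on visible histories only: grant once a request was seen."""
    seen = any("req" in s for s in visible_history)
    return frozenset(["grant"]) if seen else frozenset()

def peeking_strategy(history):
    """An ill-formed labeling: its output depends on the hidden signal, so no
    system that only sees I can produce it."""
    if history and "secret" in history[-1]:
        return frozenset(["grant"])
    return frozenset()

def find_hidden_dependence(strategy, depth):
    """Search all input histories of length <= depth for two nodes of the
    computation tree that differ only in their H components but carry different
    outputs. Returns such a pair, or None if the restriction holds up to depth."""
    for n in range(depth + 1):
        seen = {}  # visible projection -> (history, output) of the first node with it
        for history in product(SIGMA_I, repeat=n):
            key = tuple(project(s) for s in history)
            out = strategy(history)
            if key in seen and seen[key][1] != out:
                return seen[key][0], history
            seen.setdefault(key, (history, out))
    return None
```

The checker is exhaustive only up to the given depth; that is exactly the limitation the text points at, since a finite tree automaton would have to enforce the equality between arbitrarily distant nodes, which is why the restriction is not regular and why the paper moves the alphabet of the connectivity trees to $2^I$ instead.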
Theorem 6.1. The $\langle L, el\rangle$-synthesis problem with incomplete information is EXPTIME-complete for a $\mu$-calculus formula $\varphi$, and 2EXPTIME-complete for an LTL formula (for $el$ that is at most polynomial in $|\varphi|$ for the $\mu$-calculus, or at most exponential in $|\varphi|$ for LTL).
Conclusion
We presented an algorithm for the synthesis of hierarchical systems which takes as input a library of hierarchical transducers and a sequence of specification formulas. Each formula drives the synthesis of a new hierarchical transducer based on the current library, which contains all the transducers synthesized in previous iterations together with the starting library. The main challenge in this approach is to come up with a single-round synthesis algorithm that is able to efficiently synthesize the required transducer at each round. We have provided such an algorithm that works efficiently, i.e., with the same complexity as the corresponding one for flat systems; and uniformly, i.e., it can handle different temporal logic specifications, including the modal µ-calculus, as well as imperfect information. In order to ensure that the single-round algorithm makes real use of previously synthesized transducers we have suggested the use of auxiliary automata to enforce modularity criteria. We believe that by decoupling the process of enforcing modularity from the core algorithm for single-round synthesis we gain flexibility that allows one to apply different approaches to enforcing modularity, as well as future optimizations to the core synthesis algorithm.
• for $p \in \Sigma_O$, we have $p^S(V) = W'$ such that $p \in \Lambda(w)$ for each $w \in W'$, and $(\neg p)^S(V) = W \setminus p^S(V)$;
• for $y \in Var$, we have $y^S(V) = V(y)$;
• $(EX\varphi)^S(V) = \{w \in W : \exists w'.\ (w, w') \in R \text{ and } w' \in \varphi^S(V)\}$;
• $(AX\varphi)^S(V) = \{w \in W : \forall w'.\ \text{if } (w, w') \in R \text{ then } w' \in \varphi^S(V)\}$;
• $(\mu y.\varphi(y))$
• $(\nu y.\varphi(y))$
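The clauses above can be executed directly on a finite Kripke structure, which is the most direct way to see what $\varphi^S(V)$ computes. The following is an added example, not code from the paper: it evaluates the atomic, variable, $EX$ and $AX$ clauses exactly as listed, handles the $\mu$ and $\nu$ cases by the standard fixpoint iteration (an assumption here, since the list on this page does not spell those cases out), and implements the usual notions of $\varphi$ holding at a state and of $S$ being a model. The door-controller structure, its proposition names and the two sample formulas are constructed for illustration.

```python
from collections import namedtuple

# A Kripke structure S = <Sigma_O, W, in, R, Lambda>: rel is a set of pairs (w, w'),
# label maps each state to the set of propositions true there.
Kripke = namedtuple("Kripke", "props states init rel label")

def successors(S, w):
    return {w2 for (w1, w2) in S.rel if w1 == w}

def sem(phi, S, V=None):
    """phi^S(V): the set of states of S at which phi holds under valuation V.
    Formulas are tuples: ("p", a), ("not", a), ("var", y), ("and", f, g),
    ("or", f, g), ("EX", f), ("AX", f), ("mu", y, f), ("nu", y, f)."""
    V = {} if V is None else V
    op = phi[0]
    if op == "p":                      # p^S(V): the states whose label contains p
        return frozenset(w for w in S.states if phi[1] in S.label[w])
    if op == "not":                    # (not p)^S(V) = W \ p^S(V); negation on atoms only
        return S.states - sem(("p", phi[1]), S, V)
    if op == "var":                    # y^S(V) = V(y)
        return V[phi[1]]
    if op == "and":
        return sem(phi[1], S, V) & sem(phi[2], S, V)
    if op == "or":
        return sem(phi[1], S, V) | sem(phi[2], S, V)
    if op == "EX":                     # some R-successor satisfies phi
        inner = sem(phi[1], S, V)
        return frozenset(w for w in S.states if successors(S, w) & inner)
    if op == "AX":                     # every R-successor satisfies phi (vacuous without successors)
        inner = sem(phi[1], S, V)
        return frozenset(w for w in S.states if successors(S, w) <= inner)
    if op in ("mu", "nu"):
        # Standard fixpoint iteration (assumption: not spelled out in the page's list):
        # mu starts from the empty set, nu from W; iterate phi(y) until the set is stable.
        y, body = phi[1], phi[2]
        cur = frozenset() if op == "mu" else S.states
        while True:
            nxt = sem(body, S, {**V, y: cur})
            if nxt == cur:
                return cur
            cur = nxt
    raise ValueError(f"unknown operator {op}")

def holds(S, w, phi):
    """S, w |= phi, i.e. w is in phi^S(empty valuation)."""
    return w in sem(phi, S)

def is_model(S, phi):
    """S is a model of phi if phi holds at some state of S."""
    return any(holds(S, w, phi) for w in S.states)

# Constructed sample structure: a door controller with Sigma_O = {auth, open}.
DOOR = Kripke(
    props=frozenset({"auth", "open"}),
    states=frozenset({"idle", "verified", "unlocked", "lockout"}),
    init="idle",
    rel=frozenset({("idle", "idle"), ("idle", "verified"), ("idle", "lockout"),
                   ("verified", "unlocked"), ("verified", "idle"),
                   ("unlocked", "idle"), ("lockout", "lockout")}),
    label={"idle": frozenset(), "verified": frozenset({"auth"}),
           "unlocked": frozenset({"auth", "open"}), "lockout": frozenset()},
)

# "on every path the door is open only while authenticated": nu y. (not open or auth) and AX y
SAFE = ("nu", "y", ("and", ("or", ("not", "open"), ("p", "auth")), ("AX", ("var", "y"))))
# "the door can eventually be opened": mu y. open or EX y
CAN_OPEN = ("mu", "y", ("or", ("p", "open"), ("EX", ("var", "y"))))
```

On this structure `SAFE` holds at every state, while `CAN_OPEN` holds everywhere except at `lockout`, whose only successor is itself; the iteration for the least fixpoint grows the set one $EX$-step at a time from the states labeled `open`, and the greatest fixpoint shrinks from $W$ until no further state is excluded.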
Note that no valuation is required for a sentence. Let $S = \langle \Sigma_O, W, in, R, \Lambda\rangle$ be a Kripke structure and $\varphi$ a sentence. For a state $w \in W$, we say that $\varphi$ holds at $w$ in $S$, denoted $S, w \models \varphi$, if $w \in \varphi^S(\emptyset)$. $S$ is a model of $\varphi$ if there is a $w \in W$ such that $S, w \models \varphi$. Finally, $\varphi$ is satisfiable if it has a model.
Linear Temporal Logic. Linear Temporal Logic (LTL) was introduced by Pnueli to specify and verify properties of reactive systems [46]. Given a set of atomic propositions $\Sigma_O$, an LTL formula is composed of atomic propositions, the Boolean connectives conjunction ($\wedge$) and negation ($\neg$), and the temporal operators Next ($X$) and Until ($U$). LTL formulas are built up in the usual way from the above operators and connectives, according to the following grammar:
where $p$ is an atomic proposition. The semantics of LTL formulas is given with respect to an infinite word $w = \sigma_0 \sigma_1 \ldots \sigma_n \ldots$ over $2^{\Sigma_O}$, which can be seen as the labeling of a path in a Kripke structure. The satisfaction relation $w \models \varphi$ is defined in the standard way:
• if $\varphi$ is an atomic proposition, then $w \models \varphi$ if and only if $\varphi \in \sigma_0$;
• $w \models \neg\varphi$ if and only if $w \models \varphi$ does not hold;
• $w \models \varphi_1 \wedge \varphi_2$ if and only if $w \models \varphi_1$ and $w \models \varphi_2$;
• $w \models X\varphi$ if and only if $w^{\geq 1} \models \varphi$;
• $w \models \varphi_1 U \varphi_2$ if and only if there exists $i \geq 0$ such that $w^{\geq i} \models \varphi_2$ and $w^{\geq j} \models \varphi_1$ for all $j$ such that $0 \leq j < i$.
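The clauses above quantify over suffixes $w^{\geq i}$ of an infinite word, so a checker needs a finite representation of the word. The following is an added example, not code from the paper: it represents an infinite word as an ultimately periodic lasso $\text{prefix} \cdot \text{loop}^\omega$ (an assumption, since the page places no such restriction on $w$), which has only finitely many distinct suffixes, and evaluates the five clauses literally, with the witness index of Until bounded by that number of suffixes. The constant `true`, the derived operators $F$, $G$ and implication, and the sample word over $\Sigma_O = \{\mathit{req}, \mathit{grant}\}$ are constructed for the example.

```python
from functools import lru_cache

# An infinite word over 2^{Sigma_O} is represented as an ultimately periodic lasso
# (prefix, loop), meaning prefix . loop^omega; each letter is a frozenset of propositions.
def letter(*props):
    return frozenset(props)

# Constructed sample word over Sigma_O = {req, grant}: {req}{req}({grant}{})^omega
WORD = ((letter("req"), letter("req")), (letter("grant"), letter()))

def suffix(word, i):
    """w^{>=i}, again as a lasso. A lasso has only len(prefix) + len(loop) distinct suffixes."""
    prefix, loop = word
    if i < len(prefix):
        return (prefix[i:], loop)
    k = (i - len(prefix)) % len(loop)
    return ((), loop[k:] + loop[:k])

def first(word):
    """sigma_0, the first letter of the word."""
    prefix, loop = word
    return prefix[0] if prefix else loop[0]

@lru_cache(maxsize=None)
def sat(word, phi):
    """w |= phi, following the clauses of the definition. Formulas are tuples:
    ("true",), ("p", a), ("not", f), ("and", f, g), ("X", f), ("U", f, g)."""
    op = phi[0]
    if op == "true":
        return True
    if op == "p":                               # phi is in sigma_0
        return phi[1] in first(word)
    if op == "not":
        return not sat(word, phi[1])
    if op == "and":
        return sat(word, phi[1]) and sat(word, phi[2])
    if op == "X":                               # w^{>=1} |= phi
        return sat(suffix(word, 1), phi[1])
    if op == "U":
        prefix, loop = word
        bound = len(prefix) + len(loop)
        # If some i >= bound witnesses the Until, then i - len(loop) has the same suffix
        # and fewer j's to check, so a witness below bound exists whenever one exists at all.
        for i in range(bound):
            if sat(suffix(word, i), phi[2]) and all(sat(suffix(word, j), phi[1]) for j in range(i)):
                return True
        return False
    raise ValueError(f"unknown operator {op}")

# Derived operators, expressed through the primitives above plus the constant true.
def F(phi):
    return ("U", ("true",), phi)

def G(phi):
    return ("not", F(("not", phi)))

def implies(phi, psi):
    return ("not", ("and", phi, ("not", psi)))
```

On the sample word, $\mathit{req}\, U\, \mathit{grant}$ holds because both prefix positions carry `req` and the loop opens with `grant`; `G(implies(req, F grant))` holds for the same reason, while $GF\,\mathit{req}$ fails since `req` never recurs in the loop. Replacing the second prefix letter by the empty set breaks the Until, because position 1 then violates $\varphi_1$ before $\varphi_2$ is reached.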
