Abstract. Reactive synthesis aims at automatic construction of systems from their behavioural specifications. The research mostly focuses on synthesis of systems dealing with Boolean signals. But real-life systems are often described using bit-vectors, integers, etc. Bit-blasting would make such systems unreadable, hit synthesis scalability, and is not possible for infinite data-domains. One step closer to real-life systems are register transducers [12] : they can store data-input into registers and later output the content of a register, but they do not directly depend on the datainput, only on its comparison with the registers. Previously [6] it was proven that synthesis of register transducers from register automata is undecidable, but there the authors considered transducers equipped with the unbounded queue of registers. First, we prove the problem becomes decidable if bound the number of registers in transducers, by reducing the problem to standard synthesis of Boolean systems. Second, we show how to use quantified temporal logic, instead of automata, for specifications.
Introduction
Reactive synthesis [3] frees hardware and software developers from tedious and error-prune coding work. Instead, the developer specifies the desired behaviour of a system, and a synthesizer produces the actual code. The research in reactive synthesis is mostly focused on synthesis of transducers dealing with Boolean inputs and outputs. However, most programs and hardware designs use not only Booleans, but also bit-vectors, integers, reals. Bit-blasting into Booleans makes synthesized programs unreadable and hinders the synthesis scalability.
One step closer to real-life systems are register transducers [12] . Such transducers are equipped with registers; they can read the data-input from an infinite domain; they can store the data-input into a register and later output it; they do not depend on the exact data-input value, but on its comparison with the registers. Thus, a transition of a register transducer can say "in state q: if the data-input not equals to register #1, then output the value of register #1, store the data-input into register #2, and go into state q ′ ". Examples of a register transducer and automaton are in Figures 2 and 1.
In [6] , the authors introduced the problem of synthesis of register transducers. But their transducers are equipped with an unbounded queue of registers: they can push the data-input into the queue, and later compare the data-input with the values in the queue. For specifications, the authors use register automata with a fixed number of registers (thus, no queue). The authors show that the synthesis problem is undecidable; the proof relies on unboundedness of the queue.
We prove the problem becomes decidable if bound the number of registers in transducers. Namely, we reduce synthesis of k-register transducers wrt. register automata to synthesis of Boolean transducers wrt. Boolean automata, i.e., to standard synthesis. The reduction relies on two ideas.
The first (folklore) idea is: instead of tracking the exact register values and data-inputs, track only the equivalences between register values and the datainput. The second idea is: instead of checking automaton non-emptiness, we check automaton non-emptiness modulo words of k-register transducers. Every such word can be enhanced with assignment actions of the transducer that resulted in producing the word.
In the second part, we suggest a temporal logic that "works well" with our approach. Among several logics suitable to the context of infinite data [17, 11, 5, 4] , we have chosen IPTL [17] (called VLTL in [11] ), because of its naturalness. Using this logic, we can state properties like ∀d ∈ D : G(i = d → F(o = d)): "every data-value appearing on the input eventually appears on the output". We show how to convert a formula in this logic into a register automaton (in incomplete way; there can be no complete way) that can be used by our synthesis approach.
Definitions
Fix a data-domain D throughout the paper, which is an infinite set of elements (data-values). Calligraphic writing like i, o, d, r denotes data-variables or objects closely related to them. Sets of such objects are also written in calligraphic, like D, R, P, etc. Define N = {1, 2, ...}, N 0 = {0, 1, 2, ...}, [k] = {1, ..., k} for k ∈ N; B = {true, false}, and we often use the subscripted variants, B i = B o = B, to clarify when B is related to object i or o. For an automaton A, let L(A) denote the set of its accepting words.
Register Automata
A register automaton works on words from (2 P × D P ) ω , where P is a set of Boolean signals and P is a set of data-signals. To simplify the presentation, we assume there are only two data-signals (P = {i, o}), which makes the words to be from (2 P × D 2 ) ω . When reading a word, a register automaton can store the value of data-signal i into its registers. Later it can compare the content of its registers with the current value of i. Register automata do not depend on actual data-values-only on the comparison with the register values. Below is a formal definition.
A (universal co-Büchi/non-deterministic Büchi) word automaton with k registers is a tuple A = P, P, R, d 0 , Q, q 0 , δ, F , where -P is a set of Boolean signals; -P = {i, o} is a set of data-signals; -R = {r 1 , ..., r k } is a set of registers; -d 0 ∈ D is an initial data-value for every register; -Q is the set of states and q 0 ∈ Q is an initial state; A universal co-Büchi 1-register automaton: P = {req, grant}, R = {r}, F = {q 1 }. The labels ¬store and store have a special meaning: store means that the automaton stores the value of data-input i into register r; ¬store means it does not. The expression o = r means that the component B o of the transition is false. For guards and Boolean signals, the labeling is symbolic. Formally, the set of transitions is (q 0 , p,
-F ⊆ Q is a set of accepting states;
×Q is a transition function. Intuitively, in a state, an automaton reads a finite letter from 2 P (which describes all Boolean signals whose current value is true) and a data-letter from D 2 (a data-value for i and a data-value for o). Then the automaton compares the data-letter with the content of the registers. Depending on this comparison (component
called guard ), the automaton transits into several (for universal automaton) or one of (for non-deterministic automaton) successor states, and for each successor state, stores the value of data-signal i into one, several, or none of the registers (defined by component B k , called assignment or store).
An example of a register automaton is in Figure 1 .
A word is a sequence from Σ ω . A word is accepted by a universal co-Büchi register automaton iff every path-whose projection into Σ equals to the word-does not visit a state from F infinitely often; otherwise the word is rejected. A word is accepted by a non-deterministic Büchi register automaton iff there is a path-whose projection into Σ equals to the word-that visits a state from F infinitely often; otherwise the word is rejected. For example, the universal co-Büchi register automaton in Figure 1 accepts the word ({req}, 5 i , * o )({req, grant},
ω , where D = N 0 , we write subscripts i and o for clarity, and * is anything from D (not necessary the same). The automaton describes the words where every req is followed by grant with the data-value of o being equal to the data-value of i at the moment of the guards and Boolean signals is symbolic. The transducer always outputs the value of its only register (not shown). Formally, the set of transitions is
request. Such words can be described by a formula ∀d ∈ D :
, but we postpone the discussion of logic until Section 4.
Register Transducers
Register transducers is an extension of standard transducers (Mealy machines) to an infinite domain. A register transducer can store the input data-value into its registers. It can only output the data-value that is currently stored in one of its registers. Similarly to register automata, the transitions of register transducers depend on the comparison of the data-input with the registers, but not on the actual data-values. Let us define register transducers formally. A k-register transducer is a tuple T = I, O, I, O, R, d 0 , S, s 0 , τ where: -I and O are sets of Boolean signals, called Boolean inputs and outputs; -I and O are sets of data-signals, called data-inputs and data-outputs; we assume that I = {i} and O = {o}. -S is a (finite or infinite) set of states and s 0 ∈ S is initial ; -R = {r 1 , ..., r k } is a set of registers; -d 0 ∈ D is an initial data-value for every register; A configuration is a tuple (
Notice that a value of the data-output refers to the current register values, not the updated ones. I.e., outputting a data-value happens before storing.
For example, a path of the register transducer in Figure 2 can start with 
Synthesis Problem
In this section, we define the model checking problem, bounded, and unboundedbut-finite synthesis problems. All the problems take as input a universal register automaton: one argument in favour of universal rather than non-deterministic automata is that the property "every data-request is eventually data-granted"can be expressed with a universal automaton, but not with a nondeterministic automaton. Model checking and cutoffs. The model-checking problem is:
-Given: a register transducer T , a universal co-Büchi register automaton A. -Return: "yes" if T |= A, otherwise "no".
The model-checking problem is decidable, which follows from the following. Kaminski and Francez [12, Prop.4] proved the following cutoff result (adapted to our notions): if a data-word over an infinite domain D is accepted by a nondeterministic Büchi k-register automaton, then there is an accepting data-word over a finite domain D k+1 of size k+1. (Actually, their result is for words of finite length, but can be extended to infinite words.) Further, if we look at a given universal co-Büchi k A -register automaton A as being non-deterministic Büchi A, then L( A) = L(A), i.e., it describes the error words. To do model checking, as usual, (1) build the product of the A and a given k T -register transducer T , then (2) check its emptiness and return "the transducer is correct" iff the product is empty. The product is easy to build, this is an easy extension of the standard product construction, we note only that it is a non-deterministic Büchi (k A +k T )-register automaton. Finally, to check emptiness of the product we can use the cutoff result, namely, restrict the data-domain to have (k A + k T + 1) data-values. This reduces product emptiness to standard emptiness of register-less automata.
The case of deterministic Rabin register automata and transducers with more than single data-input and data-output was studied in [14] , but the proof idea is similar.
In this paper we focus on the synthesis problem defined below.
Synthesis. The bounded synthesis problem is:
-Given: a register-transducer interface (the number of registers k T , Boolean and data-inputs, Boolean and data-outputs), a universal co-Büchi register automaton A. -Return: a k T -register transducer T of a given interface such that T |= A, otherwise "unrealizable".
If the number of registers k T is not given (thus we ask to find any such k T which makes the problem realizable, or return "unrealizable" if no such k T exists), then we get the (finite but unbounded) synthesis problem.
A related synthesis problem (let us call it "infinite synthesis problem") was studied in [6] , but for a slightly different model of register transducers. There, the transducers operate an unbounded queue of registers (thus, it may use an infinite number of registers). They prove the infinite synthesis problem is undecidable and suggest an incomplete synthesis approach.
In the next sections, we show that the bounded synthesis problem is decidable, and suggest an approach that reduces it to the synthesis problem of register-less transducers wrt. register-less automata. The (unbounded) synthesis problem is left open.
But before proceeding to our solution, let us remark why the cutoff result does not immediately give a complete synthesis procedure.
Remark 1 (Cutoffs and synthesis).
The cutoff result makes the data-domain finite, so let the values of the registers be part of the transducer states. Then a transducer has to satisfy the three conditions below, where condition (3) explains why the cutoff does not work with this naive approach.
(1) "The register values are updated according to transducer store actions."
Introduce new Boolean outputs describing the current values of the transducer registers, and new Boolean outputs describing the store action. Then it is easy to encode the above requirement using a register-less automaton. (2) "The value of the data-output always equals the value of one of the registers."
With the Boolean outputs introduced in item (1), this can be easily encoded using a register-less automaton. (3) "The transitions depend on the guard, but not on the value of data-input."
When considered alone, this requirement can be implemented using the partial-information synthesis approach [13] , where we search for a transducer that can access the guard, but not the actual value of data-input. But the partial-information synthesis approach does not allow for having partial information for transitions (needed to implement item (3)), yet full information for outputs (needed to implement items (1) and (2)).
Nevertheless, with the cutoff it is easy to get an incomplete synthesis approach with SMT-based bounded synthesis [7] that allows you to fine-tune transition and output functions dependencies.
Solving the Bounded Synthesis Problem
Our approach is 5 points long.
(1) We start by defining a Boolean associate A B of a universal co-Büchi register automaton A, which is a standard register-less universal co-Büchi automaton derived from the description of A. Of course, we cannot directly use the Boolean associate A B to answer questions about A, because A B lacks the semantics of A. We also define a Boolean associate T B for every register transducer T . In the end, we will synthesize T B that satisfies a certain register-less automaton. For examples of such associates, look at the automaton and transducer on Figures 1 and 2 as being standard, register-less, where store is a Boolean signal and has no special meaning. (2) We introduce a verifier automaton V , which tracks the equivalences between the registers R A of A: two registers fall into the same equivalence class iff they hold the same data-value. The automaton A B @V is A B enhanced with this equivalence-class information. It has enough information to answer the questions like "does A have a rejecting word?" and model checking wrt. A. This is because every Boolean path of A B @V corresponds to some datapath in A, and vice versa (which was not the case for A B and A). But A B @V is not suited for synthesis-we cannot synthesize from A B @V -for one of the two reasons: either we would have to allow the transducers to control the store actions of A, which brings unsoundness, or we would have to allow the environment to provide the input guards that do not correspond to any data-value, which brings incompleteness. (3) We add k T fresh registers R T to A that will be controlled by a transducer. To this end, we define the automaton T all : it reads data-words enhanced with store information of a transducer, and filters out datawords that do not belong to any of the k T -register transducers (e.g., data-words that have a value for o that was not seen before on i). We define
all with information about equivalences between the registers R T and R A ; the resulting automaton is called (A ⊗ T all ) B @W , where W is a verifier similar to V but tailored towards synthesis. (5) Finally, we hide the information that should not be visible to a transducer, namely information related to the automaton registers R A . The resulting automaton is called H = hide A ((A ⊗ T all ) B @W ) and it is such that ∃T : T |= A iff ∃T B : T B |= H. Furthermore, H, when viewed as a register automaton, is determinizable, and L(H) ⊆ L(A)
1 .
Boolean Associates of Register Automata and Transducers
The transition functions of k-register automata do not contain any infinite objects-data-values appear only in the semantics. Let us define Boolean associates of register automata and transducers. Given a k-register automaton A = P, P, R, d 0 , Q, q 0 , δ, F , let Boolean automaton A B = P B , Q, q 0 , δ B , F be a standard register-less automaton where:
.., a r k }. Then:
Informally, we take the assignment component (on the right side) of δ and move it to the left side of δ B , and introduce new Boolean signals to describe the Boolean components.
For convenience, we say that a letter g i ∈ 2
Gi encodes the guard (g ir 1 ∈ g i , ..., g ir k ∈ g i ) ∈ B k , and vice versa; similarly for a letter from 2 Go and 2 Asgn .
A Boolean path is an infinite sequence q 0
ω that satisfies δ B . When necessary to distinguish paths of register automata (which are in (Q×D k ×2 P ×D 2 ) ω ) from Boolean paths, we call the former
Boolean path q 0
Asgn encodesā j ∈ B k , for j ∈ N 0 . From the definition of paths of register automata on page 3, it follows that for every path of a register automaton, there exists a path in the associated Boolean automaton to which the data-path corresponds. Consider the reverse direction, where we say that a Boolean path corresponds to a data-path iff the data-path corresponds to it. The reverse direction does not necessarily hold: there is a register automaton A (e.g., with 2 registers) where some Boolean paths of A B do not have a corresponding data-path in A. This is because the letters of a Boolean path can describe contradictory guards. For example, let a transition in a Boolean path haveā = (true, true), meaning that in a data-path the value of data-input is stored into the registers r 1 and r 2 . Hence, in the next transition of the data-path, i = r 1 ⇔ i = r 2 must hold, but the Boolean path may have g i = {g ir2 } (describing the guard i = r 1 ∧ i = r 2 ). Thus, we got the following. Observation 1.
-For every register automaton A, every data-path in A has exactly one corresponding Boolean path in A B . -There exists a register automaton A where some Boolean paths of A B do not correspond to any data-path of A.
A Boolean word is a projection of a Boolean path into 2 P B ; note that it contains information about assignment actions.
Similarly we define Boolean transducers. Given a k-register transducer T = I, O, I, O, R, d 0 , S, s 0 , τ , a Boolean transducer T B = I B , O B , S, s 0 , τ B is a standard register-less transducer where:
.., a r k }, and O k has enough Boolean signals to encode the numbers [k] . The transition function τ B : S × 2
Boolean path is an infinite sequence s 0
We introduce the automaton called verifier that filters out the Boolean paths of A B that do not correspond to any data-paths. V k . Given k ∈ N, the verifier is a deterministic looping register-less automaton
-Π is the set of all possible partitions of {r 1 , ..., r k }; the initial state π 0 = {{r 1 , ..., r k }} contains the only partition. Later, we will a partition-state to track if the registers have the same value.
• the guard-letter g i ∪ g o respects the current partition: * for every r m = r n of π (i.e., belonging to the same partition): g irm ∈ g i ⇔ g irn ∈ g i and g orm ∈ g o ⇔ g orn ∈ g o ; * for every r m = r n of π (i.e., belonging to different partitions):
• the successor partition respects the assignment-letter a, formalized as follows. For every m, n in [k], let e mn denote that π contains r m = r n , and e ′ mn is for π ′ . The value e ′ mn is uniquely defined: e ′ mn = (a rm ∧a rn )∨(¬a rm ∧a rn ∧g irm )∨(a rm ∧¬a rn ∧g irn )∨(¬a rm ∧¬a rn ∧e mn ). This definition, together with the previous item, ensures that all e ′ mn together form a partition (e.g., it is impossible to get e -The acceptance condition (not shown in the tuple) defines every path (infinite by definition) to be accepting; hence, every word that has a path in the automaton is accepted.
An example of a verifier is in Figure 3 .
A , let A B @V denote the universal co-Büchi automaton P, Q, q 0 , δ, F where: A verifier automaton (a register-less deterministic looping automaton) for 2-register automata with R = {x, y}. The edges have symbolic labels. Later, the left state {{x, y}} will be used to denote that the registers x and y store the same value, while the right state {{x}, {y}} will denote that they store different values. The automaton has similar restrictions for o (not shown).
on words from (
The words of A B @V k that do not fall out of V k are called consistent, otherwise inconsistent. Notice that falling out of the verifier component favours accepting;
. Thus, the rejected words of A B @V k are consistent and are rejected by A B .
Observation 2. For every universal co-Büchi k-register automaton A:
-every data-path of A has exactly one corresponding Boolean path in A B @V k ; -every Boolean path of A B @V k has either one or infinitely many corresponding data-paths in A.
Proof. The first item follows from the definition of a data-pata. Consider the second item. Consider a Boolean path of A B @V k
(where q j is a state of A B , Π j is a state of V k , l j ∈ 2 P , g i j ∈ 2 Gi , g oj ∈ 2 Go , and a j ∈ 2 Asgn , for every j ∈ N 0 ). We construct a corresponding data-path of A
k encodes a j ∈ 2 Asgn , -d j+1 is uniquely defined byd j , i j , andā j ; and -i j and o j are arbitrary such that (d j , i j , o j ) satisfies the guards encoded by g i j and g oj . Such values exist, because Π j and g ij and g oj are non-contradictory. Note that there are > 1 possible values for i j (in fact, infinitely many) iff g ij encodes the guard m∈[k] i = r m (i.e., false k ); similarly for o j .
The observation, together with the definition of acceptance by V k , implies the following.
Corollary 1. For every universal co-Büchi k-register automaton A:
A B @V k has a rejected Boolean word ⇔ A has a rejected data-word.
If we look at the dual automatonĀ (non-deterministic Büchi) and the dual A B @V k , then the corollary states that non-emptiness of non-deterministic Büchi register automata is decidable. This result was earlier established in [12, Thm.1] using cutoffs (we discussed cutoffs on page 5). Our verifier uses a similar insight, but it is handy in the context of synthesis.
Focusing on Transducer Data-Words (T all and A ⊗ T all )
In the end, we will have a register-less automaton H, from which we will a Boolean associate of a register transducer. In the Boolean associate, the assignment actions are modelled as Boolean outputs. Therefore, the automaton H should have Boolean signals expressing the assignment actions of the Boolean transducer. The automaton T all fulfills this purpose: it adds k T fresh registers to A that will be controlled by transducers via fresh Boolean signals.
is a deterministic co-Büchi k T -register automaton P, P, R, d 0 , Q, q 0 , δ, F with
-whenḡ o does not satisfy the above condition, it transits from q 0 to ; -it self-loops in without storing for every letter.
In words: T all ensures that the value of data-output o comes from a register and the assignment actions are synced with the Boolean signals Asgn T .
Observation 3. Let k T ∈ N, then: for every w ∈ (2
where T is a k T -register transducer (possibly, |S| = ∞) whose output is extended with Asgn T signals that are synced with T 's assignment actions.
In the observation, T might need infinitely many states, because an accepting path of T all on w might exhibit "irregular" storing behaviour, which cannot be expressed by a finite-state transducer (recall that transducers are deterministic). That is a minor technical detail though.
T , where
and the transition function
respects both δ A and δ T .
Observation 4. For every k T ∈ N, universal co-Büchi k A -register automaton A, and w ∈ (2
w |= A ⊗ T all ⇔ w |= T all and w| 2 P A |= A, where w| 2 P A is a projection of w into 2 P A .
Synthesis-tailored Verifier (AT B @W )
For brevity, let AT denote A ⊗ T all , and let AT B be its Boolean associate. The automaton AT B @W that will be introduced in this section closely resembles AT B @V k and A B @V k , but it is better suited for synthesis.
Recall from Section 3.1 that every T B generates words from (2
and O kT has enough Boolean signals to encode the numbers [k T ]. For synthesis we want our target specification automaton to have the same alphabet. The automaton AT B @V k uses o-guards instead of signals O k , hence we introduce the automaton AT B @W (we do not introduce W separately).
Suppose we have AT B @V k = P, Q, q 0 , δ, F with 
-for every j ∈ J, add to δ ′ the transition (π, q) , which means that a transducer will not be able to sabotage the specification by producing inconsistent words.
The following observation resembles Observation 2, but focuses on k T -register transducers.
Observation 5. For every universal co-Büchi k A -register automaton A, k T ∈ N:
-every data-path of A ⊗ T all has exactly one corresponding Boolean path in AT B @W ; -every Boolean path of AT B @W has either one or infinitely many corresponding data-paths in A ⊗ T all .
Synthesis Using Automaton hide A (AT B @W )
We cannot use AT B @W for synthesis, because it uses Boolean signals that are not visible to transducers (underlined):
Let us show that the simple hiding operation resolves the issue.
Given AT B @W = P, Q, q 0 , δ, F with
−→ Q ′ that satisfy the following: the destination set Q ′ ⊆ Q contains all successor states of every transition of AT B @W starting in q and having the same common labels: 
Proof. Both directions follow from the definitions and Observations 5 and 6.
Consider direction ⇐. The word w B ∈ (2
ω on hide A (AT B @W ). By Observation 6, π h corresponds to at least one path π atw ∈ (Q h ×2
which is rejected by A, because π h is rejected by A B . Thus, we get w ∈ (2 I∪O × D 2 ) ω from π at by projecting, which completes the direction. Notice that a data-path π t ∈ (S × 2
2 ) ω of T induced by w corresponds to the Boolean path π t b of T B induced by w B , despite the particular choices of π atw and π at .
The other direction is similar. Fig. 4 : Inclusion between languages. The automaton hide A (AT B @W ) is Boolean, but here it is viewed as a register automaton. Also, the alphabet of A is extended with Asgn T to coincide with that of A ⊗ T all and hide A (AT B @W ). Figure 5 justifies the existence of point 1, which explains why hide A (AT B @W ) can be a strict subset of A ⊗ T all . The snake line indicates "for every T : if it has point 1, then it also has point 2" (by Lemma 1). Thus, if T |= A for some k T -register transducer, then it must be located inside hide A (AT B @W ).
The lemma implies a solution to the bounded synthesis problem. Theorem 1. For every universal co-Büchi register automaton A and k T ∈ N:
where T is a k T -register transducer.
The right side of the theorem (the standard Boolean synthesis problem) holds iff it holds for finite-state transducers (e.g., see [15] ). Hence we get: Corollary 2. A given instance of the bounded synthesis problem is realizable ⇔ it is realizable by a finite-state (|S| < ∞) register transducer.
Let us consider the complexity of our approach. The automaton hide A (AT B @W ) has |Q A | · |Π| states, where Q A is the number of states in A and |Π| is the number of partitions of the set {1, ..., k} where k = k T + k A . The latter is a Bell number [16] and is less than ( 
Using Temporal Logic in our Synthesis Approach
We proceed to the topic of synthesis of register transducers from a temporal logic. Section 4.1 defines a first-order linear temporal logic with equality, LTL(EQ) 1 and its variants ∃LTL(EQ) and ∀LTL(EQ), known as IPTL in [17] and VLTL in [11] . Then Section 4.2 defines register-guessing automata that can express ∃LTL(EQ) formulas. The sound and complete conversion of ∃LTL(EQ) into register-guessing automata is described in Section 4.3. Then Section 4.4 describes a sound but incomplete conversion of register-guessing automata into register automata, which implies the sound but incomplete conversion of ∃LTL(EQ) into register automata (no complete conversion can exist). The latter automata are consumed by our synthesizer. Unless explicitly stated, all automata are non-deterministic Büchi.
LTL(EQ) (also known as IPTL [17] and VLTL [11])
Let X be a set of data-variables and P be a set of Boolean propositions. An LTL(EQ) (prenex-quantified) formula Φ is of the form (for every k ∈ N):
where x 1 , ..., x k , x ∈ X, p ∈ P , i and o are two data-propositions, and all the data-variables appearing in ϕ are quantified. As usual, define G ϕ to be ¬ F ϕ,
and false is ¬true.
ω , define the satisfaction w |= Φ:
; -let φ have the same grammar as ϕ except that instead of data-variables it has data-values; then -w |= true; -w |= φ iff ¬(w |= φ); -w |= ¬φ iff ¬(w |= φ); -w |= p iff p ∈ w 1 ; -w |= φ 1 ∧ φ 2 iff w |= φ 1 and w |= φ 2 ; -for every d ∈ D, w |= i = d iff in w 1 the data-proposition i has the value d; similarly for o;
Let ∃LTL(EQ) denote LTL(EQ) where formulas have existential quantifiers only, and use ∀LTL(EQ) for universally quantified LTL(EQ) formulas.
Register Automata with Guessing but Without Storing
In this section we define a variation of register automata that have a nondeterministically chosen initial register values that cannot be rewritten afterwards. Such automata are a restricted version of variable automata [10] .
A k-register-guessing automaton is a tuple A = P, P, R, Q, q 0 , δ, F, E (notice: no initial register value d 0 and a new element E) with transition function δ of the form Q × 2 P × B An accepting word is defined as for register automata.
Converting ∃LTL(EQ) into Register-Guessing Automata
This section describes the conversion of ∃LTL(EQ) formulas into register-guessing automata with the same language. The fact that a conversion is possible was noted in [8, Sec.4] , however they did not describe the conversion itself.
Consider an ∃LTL(EQ) formula Φ = ∃x 1 ...x k .cond.ϕ(i, o, x 1 , ..., x k ). We will use the notions of w B and ϕ B defined below.
be the word derived from w by replacing every value of i and o in w by the vectors of Boolean values, , x 1 , . .., x k ), replace every expression i = x i with a new literal g iri and every expression o = x i with g ori . This introduces 2k new Boolean propositions, let P B = P ∪{g ir1 , ..., g ir k }∪{g or1 , ..., g or k }. Let ϕ B (g ir1 , ..., g ir k , g or1 , ..., g or k ) be the resulting LTL formula over Boolean propositions P B . To convert a formula ∃x 1 ...x k .cond.ϕ into a k-register-guessing automaton A do the following (conversion-1).
-Convert ϕ B into an NBW automaton A B = P B , Q, q 0 , δ B , F using standard approaches. Thus, for every w B ∈ 2 P B :
where E is derived from cond.
For example, the automaton in Figure 6 expresses the formula
that says: compare the data-input i at two consecutive points and then (i) whenever they are equal, raise e and output the data, (ii) otherwise, lower e.
Converting ∃LTL(EQ) into Register Automata
In this section, we describe a sound but incomplete conversion of register-guessing automata into standard register automata. Together with conversion-1 from the previous section, this gives the conversion of ∃LTL(EQ) formulas into register automata. Note that no complete conversion of ∃LTL(EQ) formulas into register automata exists: for example, the formula ∃x. G(i = x) has no equivalent register automaton, although there is an equivalent register-guessing automaton. In automata, we will use the definition of δ that is symbolic instead of explicit, hence the transition functions of k-register-guessing automata and of k-register automata are of the form Q × 2
, where g ∈ G has the form g = true | g ∧ g | i ∼ r | o ∼ r where ∼ denotes = or =, and r ∈ R. Using the symbolic definition rather than the explicit one is crucial in making our conversion more applicable.
Given a k-register-guessing automaton A = P, P, R, Q, q 0 , δ, F, E , construct the k-register automaton
The Boolean component encodes, for every r i ∈ R, whether the register r i is assigned a value or not (ignoring the initial values). The initial state q ′ 0 = (q 0 , false, ..., false). We call a register r i with b i = false uninitialized.
-For every state (q, b 1 , ..., b k ) ∈ Q ′ and A-transition q
:
• Otherwise, do the following.
* Abort point: if there exists i ∈ [k] such that b i = false and g contains i = r i or o ∼ r i , then abort. Because the register r i is uninitalized (b i = false), we cannot know the valuation of i = r i or o = r i . In contrast, if the guard g contains i = r i , we can assume that it holds and store i into r i (we cannot do this for o = r i , because the automata do not allow for storing o). * Add to δ ′ the transition (q,
The action a stores i into r i iff g contains i = r i and b i = false. · The guard g ′ contains i ∼ r i iff g contains i ∼ r i and b i = true; similarly for o ∼ r i . * Finally, we account for the inequality set E and update g ′ as follows. For every (r i , r j ) ∈ E: if b i = true and the action a contains r j = i, then add to g ′ the expression i = r i . (Here we assume that the A-transition is not contradictory, namely, it is not the case that ∃(r i , r j ) ∈ E : b i = false ∧ b j = false ∧ (i = r i ) ∈ g ∧ (i = r j ) ∈ g. Such transitions cannot be executed in A and can be removed beforehand.) -Note that the automaton A ′ never compares i nor o with a register that was uninitialized. Therefore, the component d 0 of A ′ can be anything from D.
The automaton A ′ has |Q ′ | = |Q|·2 k , but the number of reachable states is |Q|·k, An example of the conversion is in Figure 7 . (for every j ∈ N 0 : l j ∈ 2 P , i j ∈ D, o j ∈ D, and g j ∈ G). We build inductively the accepting data-path p ′ of A ′ (and corresponding to p ′ the Boolean path p The direction ⇐ is similar to the above. The data-path p and corresponding to p the Boolean path p B of A are uniquely constructed from a given data-path p ′ and corresponding to p ′ the Boolean path p ′ B of A ′ . When proving that p is indeed a path of A, we use the property of A ′ that it never compares i nor o with a register whose value was not written before.
Combined together, the conversions give us the following. Theorem 2. Given an ∃LTL(EQ) Φ = ∃x 1 , ..., x k .cond.ϕ. If conversion-1 and conversion-2 succeed and result in a register automaton A, then L(Φ) = L(A ′ ).
Conclusion
In this paper we introduced a sound and complete approach to synthesis of register transducers from specifications given as register automata. Although we focused on automata with the co-Büchi acceptance, others (e.g., parity) looks doable. The approach works (incompletely) for specifications given as quantified temporal logic formulas, by converting them into register automata. In particular, we investigated the two directions-richer automata and suitable temporal logic-raised by Ehlers et al. [6, Sect.6] .
We are working on extending the approach to automata with guards that, in addition to =, have operators >, +, and on the question of decidability of the unbounded-but-finite synthesis problem that is open. It would be interesting to combine our approach with the approach to synthesis of reactive programs [9] . It would also be interesting to do a synthesis case study, possibly for specifications with costs.
